[Mini-game] A simple program to practise on (algorithm analysis given in replies #9 and #15)
A Japanese program; the official site closed long ago. No packer, plain-text serial comparison. Something for everyone to practise on.
Folder transparency program
Download: https://www.chinapyg.com/viewthread.php?tid=38267
Time and requirements:
Today and tomorrow. Beginner-level serial fishing; if you have the time and interest, analyse the algorithm. Post the analysis in a reply to this thread, no need to open a new one.
Starting with an easy one; more complex ones to follow ~~
Note: enter the e-mail in the following format: forum-username@PYG.COM
Rewards:
Reply with a registration code matching your own e-mail: 5 PYB
Reply with an algorithm analysis: 30~50 PYB (since you already have it open in OD, why not analyse the algorithm too ^_^)

bhcjl
[email protected]
b5b9bmave1pq
Grabbing a seat first. Don't understand the algorithm, sweat.
[ Last edited by bhcjl on 2008-9-10 16:24 ]

Can only say: I'll take a look first.....

Username: crystalsnail
E-mail: [email protected]
Password: j6517u4eafjw
[ Last edited by crystalsnail on 2008-9-11 20:41 ]

Posting a set of registration codes first to hold a spot; the analysis will follow.....
Username: hflywolf
E-mail: [email protected]
Password: dz0n4ka1wt5u
The key part in the registry:
"DefaultFlags"=hex:13,00,00,00
"UserName"="hflywolf"
"Reg0"="[email protected]"
"Reg1"="dz0n4ka1wt5u"

Account: 小生我怕怕
E-mail: [email protected]
SN: gadk541gjbc6

Username: cdygr
E-mail: [email protected]
Password: xj3j52p2kz16
Registration successful! Can't work out the algorithm!

Username: 孤漂江湖狼
E-mail: 孤漂江湖狼@PYG.COM
Registration code: yk911hkvppbf
Limited skills, so I won't do the algorithm for now; maybe later.

Name: nietsme
E-mail: [email protected]
Password: bcagbpw7xr9u
Limited skills; it took me a long time just to get the password.
Never done an algorithm before, so I'll try with this one...... holding a spot first
Finally got somewhere.
Below is an incomplete algorithm analysis:
I. Description:
The registration code does not depend on the name; it is computed from the e-mail address. Let the e-mail be str; after several transformations the registration code ser is obtained. The flow is:
1. str1 = str with '-' and 'blank' characters removed;
// 'blank' characters include space, carriage return, line feed and tab; since the input comes from a text box, only '-' and spaces can actually occur
// Because of this step, '-' and spaces can be inserted anywhere in the e-mail address. For example, [email protected] and n-i e--t [email protected] are equivalent
2. str2 = an int64 value computed from str1; (this is a guess, because the _ui64tow function used below takes an int64 argument)
3. str3 = str2 converted to a string with _ui64tow();
4. str4 = str3 after its first two characters are examined and processed;
5. ser = str4 with 'i', 'l' and 'o' replaced by 'x', 'y' and 'z' respectively, giving the final registration code ser;
II. Code:
Load the program in OD and run it, open the registration dialog and enter the details, type bp GetDlgItemTextW in OD's command line to set a breakpoint, return to the registration window and click OK. The program breaks at
7E424305 >8BFF mov edi, edi
Remove the breakpoint.
A few F8 steps later we arrive at
0040C838|.8D9424 240400>lea edx, dword ptr
Scroll up a few lines to find the start of this block: 0040C810/$81EC 1C080000 sub esp, 81C
Set a breakpoint there, reload and analyse.
==== Code 1 ====
0040C810/$81EC 1C080000 sub esp, 81C
0040C816|.53 push ebx
0040C817|.55 push ebp
0040C818|.8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>;USER32.GetDlgItemTextW
0040C81E|.68 00020000 push 200 ; /Count = 200 (512.)
0040C823|.8D8424 280400>lea eax, dword ptr ; |
0040C82A|.50 push eax ; |Buffer
0040C82B|.8BD9 mov ebx, ecx ; |
0040C82D|.8B4B 0C mov ecx, dword ptr ; |
0040C830|.68 07040000 push 407 ; |ControlID = 407 (1031.)
0040C835|.51 push ecx ; |hWnd
0040C836|.FFD5 call ebp ; \GetDlgItemTextW
0040C838|.8D9424 240400>lea edx, dword ptr ;// load the e-mail address into edx
0040C83F|.52 push edx ; /s
0040C840|.FF15 44814100 call dword ptr [<&MSVCRT.wcslen>] ; \wcslen
0040C846|.83C4 04 add esp, 4
0040C849|.83F8 04 cmp eax, 4 ;// if the e-mail length is >= 4 continue, otherwise show the "e-mail error" warning
0040C84C|.7D 1A jge short 0040C868
0040C84E|.68 D4070000 push 7D4
0040C853|.68 07040000 push 407
0040C858|.8BCB mov ecx, ebx
0040C85A|.E8 51FFFFFF call 0040C7B0 ;// warning "e-mail error"
0040C85F|.5D pop ebp
0040C860|.5B pop ebx
0040C861|.81C4 1C080000 add esp, 81C
0040C867|.C3 retn
0040C868|>56 push esi
0040C869|.57 push edi
0040C86A|.8D4424 10 lea eax, dword ptr
0040C86E|.50 push eax
0040C86F|.8D8C24 300400>lea ecx, dword ptr
0040C876|.51 push ecx
0040C877|.E8 849BFFFF call 00406400 ;// process the e-mail string to derive the registration code, see Code 2
0040C87C|.8B43 0C mov eax, dword ptr
0040C87F|.83C4 08 add esp, 8
0040C882|.68 00020000 push 200
0040C887|.8D5424 30 lea edx, dword ptr
0040C88B|.52 push edx
0040C88C|.68 F6030000 push 3F6
0040C891|.50 push eax
0040C892|.FFD5 call ebp
0040C894|.66:837C24 2C >cmp word ptr , 0 ;// the entered registration code is processed below
0040C89A|.8D7424 2C lea esi, dword ptr
0040C89E|.8D7C24 2C lea edi, dword ptr
0040C8A2|.74 48 je short 0040C8EC
0040C8A4|.66:833E 00 cmp word ptr , 0
0040C8A8|.8B2D 88814100 mov ebp, dword ptr [<&MSVCRT.iswspac>;msvcrt.iswspace
0040C8AE|.74 36 je short 0040C8E6
0040C8B0|>33C0 /xor eax, eax
0040C8B2|.66:8B06 |mov ax, word ptr
0040C8B5|.66:3D 2D00 |cmp ax, 2D ;//'-'
0040C8B9|.74 0A |je short 0040C8C5
0040C8BB|.50 |push eax
0040C8BC|.FFD5 |call ebp ;// 'blank' character
0040C8BE|.83C4 04 |add esp, 4
0040C8C1|.85C0 |test eax, eax
0040C8C3|.74 0B |je short 0040C8D0
0040C8C5|>83C6 02 |add esi, 2
0040C8C8|.66:833E 00 |cmp word ptr , 0
0040C8CC|.74 18 |je short 0040C8E6
0040C8CE|.^ EB E0 |jmp short 0040C8B0
0040C8D0|>85F6 |test esi, esi
0040C8D2|.74 12 |je short 0040C8E6
0040C8D4|.66:8B0E |mov cx, word ptr
0040C8D7|.66:890F |mov word ptr , cx
0040C8DA|.83C6 02 |add esi, 2
0040C8DD|.83C7 02 |add edi, 2
0040C8E0|.66:833E 00 |cmp word ptr , 0
0040C8E4|.^ 75 CA \jnz short 0040C8B0
0040C8E6|>8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>;USER32.GetDlgItemTextW
0040C8EC|>8D5424 10 lea edx, dword ptr ;// comparison of the real and the entered registration code follows
0040C8F0|.52 push edx ; /String2
0040C8F1|.8D4424 30 lea eax, dword ptr ; |
0040C8F5|.50 push eax ; |String1
0040C8F6|.66:C707 0000mov word ptr , 0 ; |
0040C8FB|.FF15 E0804100 call dword ptr [<&KERNEL32.lstrcmpiW>>; \lstrcmpiW
0040C901|.85C0 test eax, eax
0040C903|.5F pop edi
0040C904|.5E pop esi
0040C905|.74 1A je short 0040C921 ;// if the registration code is correct, jump to 0040C921
0040C907|.68 D2070000 push 7D2
0040C90C|.68 F6030000 push 3F6
0040C911|.8BCB mov ecx, ebx
0040C913|.E8 98FEFFFF call 0040C7B0 ;// warning "wrong password"
0040C918|.5D pop ebp
0040C919|.5B pop ebx
0040C91A|.81C4 1C080000 add esp, 81C
0040C920|.C3 retn
0040C921|>8B53 0C mov edx, dword ptr ;// registration successful
0040C924|.68 00020000 push 200
0040C929|.8D4C24 28 lea ecx, dword ptr
0040C92D|.51 push ecx
0040C92E|.68 EA030000 push 3EA
0040C933|.52 push edx
==== Code 2 ====
// registration code algorithm
00406400/$55 push ebp ;USER32.GetDlgItemTextW
00406401|.8BEC mov ebp, esp
00406403|.83EC 50 sub esp, 50
00406406|.53 push ebx
00406407|.56 push esi
00406408|.57 push edi
00406409|.8B7D 08 mov edi, dword ptr
0040640C|.57 push edi ; /s
0040640D|.FF15 44814100 call dword ptr [<&MSVCRT.wcslen>] ; \wcslen
00406413|.8BF0 mov esi, eax
00406415|.83C4 04 add esp, 4
00406418|.46 inc esi
00406419|.8BC6 mov eax, esi
0040641B|.83C0 03 add eax, 3
0040641E|.83E0 FC and eax, FFFFFFFC
00406421|.E8 9AFD0000 call 004161C0
00406426|.8BDC mov ebx, esp
00406428|.6A 00 push 0 ; /pDefaultCharUsed = NULL
0040642A|.6A 00 push 0 ; |pDefaultChar = NULL
0040642C|.56 push esi ; |MultiByteCount
0040642D|.53 push ebx ; |MultiByteStr
0040642E|.6A FF push -1 ; |WideCharCount = FFFFFFFF (-1.)
00406430|.57 push edi ; |WideCharStr
00406431|.6A 00 push 0 ; |Options = 0
00406433|.6A 00 push 0 ; |CodePage = CP_ACP
00406435|.FF15 80804100 call dword ptr [<&KERNEL32.WideCharTo>; \WideCharToMultiByte
0040643B|.803B 00 cmp byte ptr , 0
0040643E|.8BF3 mov esi, ebx
00406440|.8BFB mov edi, ebx
00406442|.74 37 je short 0040647B
00406444|.803E 00 cmp byte ptr , 0
00406447|.74 32 je short 0040647B
00406449|>8A06 /mov al, byte ptr ;// fetch the e-mail characters one by one
0040644B|.3C 2D |cmp al, 2D ;// if it is '-', skip it and fetch the next character
0040644D|.74 11 |je short 00406460
0040644F|.0FBEC0 |movsx eax, al
00406452|.50 |push eax
00406453|.FF15 6C814100 |call dword ptr [<&MSVCRT.isspace>] ; // if it is a 'blank' character, skip it and fetch the next character
00406459|.83C4 04 |add esp, 4
0040645C|.85C0 |test eax, eax
0040645E|.74 0A |je short 0040646A
00406460|>8A46 01 |mov al, byte ptr
00406463|.46 |inc esi
00406464|.84C0 |test al, al ;// end of the e-mail string?
00406466|.74 13 |je short 0040647B
00406468|.^ EB DF |jmp short 00406449
0040646A|>85F6 |test esi, esi ;// all characters fetched?
0040646C|.74 0D |je short 0040647B
0040646E|.8A0E |mov cl, byte ptr
00406470|.880F |mov byte ptr , cl
00406472|.8A46 01 |mov al, byte ptr
00406475|.47 |inc edi ;// point to the next character
00406476|.46 |inc esi
00406477|.84C0 |test al, al ;// end of the e-mail string?
00406479|.^ 75 CE \jnz short 00406449
0040647B|>53 push ebx
0040647C|.C607 00 mov byte ptr , 0 ; |// append the string terminator '\0'
0040647F|.FF15 68814100 call dword ptr [<&MSVCRT._strlwr>] ; \_strlwr
00406485|.83C9 FF or ecx, FFFFFFFF
00406488|.33C0 xor eax, eax
0040648A|.8BFB mov edi, ebx
0040648C|.F2:AE repne scas byte ptr es:
0040648E|.F7D1 not ecx
00406490|.49 dec ecx
00406491|.51 push ecx
00406492|.53 push ebx
00406493|.E8 58FCFFFF call 004060F0 // key call; I'm too much of a newbie to understand it well~
00406498|.8BDA mov ebx, edx
0040649A|.6A 21 push 21
0040649C|.8D55 B0 lea edx, dword ptr
0040649F|.52 push edx
004064A0|.8BF8 mov edi, eax
004064A2|.53 push ebx
004064A3|.57 push edi
004064A4|.FF15 64814100 call dword ptr [<&MSVCRT._ui64tow>] ;// key call: _ui64tow
004064AA|.8D45 B0 lea eax, dword ptr
004064AD|.50 push eax
004064AE|.E8 6D000000 call 00406520 ;// key call: examines and processes the first two characters of the string, see Code 3
004064B3|.33D2 xor edx, edx
004064B5|.66:8B10 mov dx, word ptr
004064B8|.83C4 20 add esp, 20
004064BB|.66:85D2 test dx, dx
004064BE|.8BF0 mov esi, eax
004064C0|.74 39 je short 004064FB ;// the loop below converts 'i', 'l', 'o' in the registration code to 'x', 'y', 'z'
004064C2|>8BCA /mov ecx, edx
004064C4|.81E1 FFFF0000 |and ecx, 0FFFF
004064CA|.83F9 69 |cmp ecx, 69 ;// if it is 'i', it becomes 'x'
004064CD|.74 18 |je short 004064E7
004064CF|.83F9 6C |cmp ecx, 6C ;// if it is 'l', it becomes 'y'
004064D2|.74 0C |je short 004064E0
004064D4|.83F9 6F |cmp ecx, 6F ;// if it is 'o', it becomes 'z'
004064D7|.75 13 |jnz short 004064EC
004064D9|.BA 7A000000 |mov edx, 7A ; becomes 'z'
004064DE|.EB 0C |jmp short 004064EC
004064E0|>BA 79000000 |mov edx, 79 ; becomes 'y'
004064E5|.EB 05 |jmp short 004064EC
004064E7|>BA 78000000 |mov edx, 78 ; becomes 'x'
004064EC|>66:8916 |mov word ptr , dx ;Default case of switch 004064CA
004064EF|.66:8B56 02 |mov dx, word ptr
004064F3|.83C6 02 |add esi, 2
004064F6|.66:85D2 |test dx, dx
004064F9|.^ 75 C7 \jnz short 004064C2
004064FB|>8B4D 0C mov ecx, dword ptr
004064FE|.50 push eax ; /src
004064FF|.51 push ecx ; |dest
00406500|.FF15 60814100 call dword ptr [<&MSVCRT.wcscpy>] ; \wcscpy
00406506|.83C4 08 add esp, 8
00406509|.8D65 A4 lea esp, dword ptr
0040650C|.8BC7 mov eax, edi
0040650E|.5F pop edi
0040650F|.5E pop esi
00406510|.8BD3 mov edx, ebx
00406512|.5B pop ebx
00406513|.8BE5 mov esp, ebp
00406515|.5D pop ebp
00406516\.C3 retn
==== Code 3 ====
// key call: examines and processes the first two characters of the string
00406520/$56 push esi
00406521|.8B7424 08 mov esi, dword ptr
00406525|.66:8B06 mov ax, word ptr
00406528|.66:3D 3000 cmp ax, 30 ;// digit?
0040652C|.72 10 jb short 0040653E
0040652E|.66:3D 3900 cmp ax, 39
00406532|.77 0A ja short 0040653E
00406534|.25 FFFF0000 and eax, 0FFFF
00406539|.83E8 30 sub eax, 30
0040653C|.EB 12 jmp short 00406550
0040653E|>50 push eax ; /w
0040653F|.FF15 70814100 call dword ptr [<&MSVCRT.towlower>] ; \// convert to lowercase
00406545|.83C4 04 add esp, 4
00406548|.25 FFFF0000 and eax, 0FFFF
0040654D|.83E8 57 sub eax, 57
00406550|>83F8 0B cmp eax, 0B
00406553|.7F 1D jg short 00406572
00406555|.66:8B56 02 mov dx, word ptr ;// fetch the next character
00406559|.66:83FA 30 cmp dx, 30 ;// is it a digit?
0040655D|.8D4E 02 lea ecx, dword ptr
00406560|.72 0C jb short 0040656E
00406562|.66:83FA 39 cmp dx, 39
00406566|.77 06 ja short 0040656E
00406568|.83C0 61 add eax, 61
0040656B|.66:8901 mov word ptr , ax
0040656E|>8BC1 mov eax, ecx
00406570|.5E pop esi
00406571|.C3 retn
00406572|>8BC6 mov eax, esi
00406574|.5E pop esi
00406575\.C3 retn
The effect of Code 3 is:
// v = value of the first character: '0'..'9' -> 0..9; a letter -> towlower(c) - 0x57, so 'a' = 10, 'b' = 11
if (v > 11)                        // first character is a letter from 'c' on
    str4 = str3;                   // returned unchanged (towlower is only applied to the copy used for the comparison)
else if (str3[1] is not a digit)   // first character is a digit (or 'a'/'b'), second is a letter
    str4 = str3 + 1;               // drop the first character
else                               // first two characters are both digits
{
    str3[1] = 0x61 + v;            // the first digit's ASCII code + 0x31 replaces the second digit,
    str4 = str3 + 1;               // becoming the first character of str4; the rest is copied as is.
}
III. Summary:
As this is the first time I've traced an algorithm, and my knowledge in some areas is lacking, I couldn't give the complete algorithm, but the flow is basically as above. If anything is wrong, I'd be grateful for corrections from the experts.
I never dared to trace algorithms before; partly because my fundamentals are weak, but more because of my own fear. Whenever I reached the algorithm part I'd think: I'm a newbie, I can't do this, I'll do it once I'm good. That put a mental hurdle in my own way, which really doesn't help with learning cracking.
I spent a long time on this; although I didn't finish, I learned a lot of related knowledge, and more importantly the spirit of trying once more before giving up. Let's all keep at it!
Keep going!
[ Last edited by nietsme on 2008-9-20 23:21 ]

"UserName"="koko"
"Reg0"="[email protected]"
"Reg1"="qppqh90pmpwt"
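The post-hash steps of nietsme's analysis above (step 1 and steps 3 to 5, including the Code 3 prefix rule) re-expressed in C so the reading of the disassembly can be checked on known values. This is an added example, not code from the program or from anyone in the thread; the call at 004060F0 (step 2) is not analysed on the page and is not modelled, so serial_from_hash takes an already-computed 64-bit value, and the function names and sample inputs are constructed here.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Step 1: drop '-' and blank characters, then lowercase (the isspace loop and _strlwr call in Code 2). */
const char *normalize_email(const char *in)
{
    static char out[256]; size_t n = 0;
    for (; *in && n + 1 < sizeof out; in++)
        if (*in != '-' && !isspace((unsigned char)*in))
            out[n++] = (char)tolower((unsigned char)*in);
    out[n] = '\0';
    return out;
}

/* Step 3: what _ui64tow(value, buf, 0x21) produces: radix 33, digits 0-9 then a-w. */
static void ui64_to_base33(uint64_t v, char *buf)
{
    char tmp[24]; int n = 0;
    do {
        int d = (int)(v % 33);
        tmp[n++] = (char)(d < 10 ? '0' + d : 'a' + d - 10);
        v /= 33;
    } while (v);
    while (n) *buf++ = tmp[--n];
    *buf = '\0';
}

/* Step 4 (Code 3): first char valued digit -> 0..9, letter -> towlower - 0x57; >11 keeps the string,
 * otherwise the first char is dropped after a second char that is a digit is replaced by 'a' + value. */
static char *fixup_prefix(char *s)
{
    int v = isdigit((unsigned char)s[0]) ? s[0] - '0' : tolower((unsigned char)s[0]) - 0x57;
    if (v > 0x0B) return s;
    if (isdigit((unsigned char)s[1])) s[1] = (char)(0x61 + v);
    return s + 1;
}

/* Step 5: the loop at 004064C2 maps the confusable letters i, l, o to x, y, z. */
static void map_ilo(char *s)
{
    for (; *s; s++)
        if (*s == 'i') *s = 'x'; else if (*s == 'l') *s = 'y'; else if (*s == 'o') *s = 'z';
}

/* Steps 3-5 for a 64-bit value that step 2 (the unanalysed call at 004060F0) would have produced. */
const char *serial_from_hash(uint64_t hash)
{
    static char buf[24];
    ui64_to_base33(hash, buf);
    char *p = fixup_prefix(buf);
    map_ilo(p);
    return p;
}
```

A uint64 has at most 13 base-33 digits, and when it has 13 the leading digit is at most 11 ('b'), which is exactly the range the Code 3 check trims, so the prefix rule brings a 13-character string back to 12.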
----------------------------------------
Still rather hazy on the concept of algorithms