转一个七彩的CrackMe
转一个七彩的CrackMe 有点意思,速度抢沙发!/:018板凳。。。。。
00401460 .A1 30B74000 mov eax, dword ptr
00401465 .6A FF push -1 ; /Timeout = INFINITE
00401467 .50 push eax ; |hObject => 0000007C (window)
00401468 .FF15 14804000 call dword ptr [<&kernel32.WaitForSin>; \WaitForSingleObject
0040146E .68 7C934000 push 0040937C ; /ProcNameOrOrdinal = "MessageBoxA"
00401473 .68 88934000 push 00409388 ; |/pModule = "user32.dll"
00401478 .FF15 20804000 call dword ptr [<&kernel32.GetModuleH>; |\GetModuleHandleA
0040147E .50 push eax ; |hModule
0040147F .FF15 18804000 call dword ptr [<&kernel32.GetProcAdd>; \GetProcAddress
00401485 .33C9 xor ecx, ecx
00401487 >8038 CC cmp byte ptr , 0CC//....................................../:L
0040148A .74 17 je short 004014A3
注册名:a
注册码为十六个3
[ 本帖最后由 creantan 于 2008-10-30 19:38 编辑 ] 搞不定,等楼上两位DX发破文/:L 原帖由 lgjxj 于 2008-10-30 16:48 发表 https://www.chinapyg.com/images/common/back.gif
搞不定,等楼上两位DX发破文/:L
/:017 /:017 /:017
我也和你一样搞不定,就知道注册码是16位的~~~~~~~~~ 期待LS的大牛分析..我好象有这CM的源码样!!/:013 /:013
X88X80 creantan 我们看好你们...2位大侠分析..期待中!!!/:013 强烈要求冷风兄放源码!/:010
呵呵,算法感觉真的很拗人,能力有限描述不清请不要见怪
注册码为16位相信大家都跟出来了,这个程序有点意思,在下面的断点下断相信大家算法看得会比我更清楚.
............
004014D0call crackme.00403C20
004014D5mov eax,crackme.0040B738 ;eax中为用户名"x80x88"
004014DAadd esp,0C
004014DDlea edx,dword ptr ds:
--------------------------------------
004014E0mov cl,byte ptr ds:
004014E2inc eax
004014E3test cl,cl
004014E5jnz short crackme.004014E0 ;这段循环取用户名位数
--------------------------------------
004014E7sub eax,edx
004014E9cmp eax,8
004014ECjge short crackme.00401504
004014EEmov ecx,crackme.0040B741
004014F3sub ecx,eax
**********************************************
004014F5mov dl,byte ptr ds:
004014F7mov byte ptr ds:,dl
004014FDinc eax
004014FEdec ecx
004014FFcmp eax,8
00401502jl short crackme.004014F5
**********************************************
这一小段循环比较有意思,主要是将不足8位的用户名补齐为8位,但补的方式有点意思,不足8位的从用户名的
第(10-n)位开始逆序取字符补齐到8位,n为用户名的位数,如果用户名为abc,内存中的格式为61 62 63 00 00 00 00 00 00 00
则补齐后的用户名为61 62 63 00 00 00 00 63,有点绕,自己跟踪体验一下吧
我的用户名补齐8位为"x80x88x0"
00401504push ebx
00401505push esi
00401506xor ecx,ecx
00401508mov esi,crackme.0040B738 ;esi中为补齐为8位的用户名,我的为x80x88x0
0040150Dlea ecx,dword ptr ds:
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
00401510mov dl,byte ptr ds:
00401512mov al,dl
00401514sar al,4
00401517mov bl,al
00401519cmp al,9
0040151Bjbe short crackme.00401522
0040151Dadd bl,37
00401520jmp short crackme.00401525
00401522add bl,30
00401525shl al,4
00401528mov byte ptr ss:,bl
0040152Cxor al,dl
0040152Einc ecx
0040152Fcmp al,9
00401531jbe short crackme.00401537
00401533add al,37
00401535jmp short crackme.00401539
00401537add al,30
00401539mov byte ptr ss:,al
0040153Dinc ecx
0040153Einc esi
0040153Fcmp ecx,10
00401542jl short crackme.00401510 ;这一段循环将用户名的ASCII码值连接成一个新串,我的为"7838307838387830"
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
00401544xor ecx,ecx
00401546jmp short crackme.00401550
00401548lea esp,dword ptr ss:
0040154Fnop
★★★★★★★★★★★★★★★★★★★★★★★★★★
00401550mov al,byte ptr ds:
00401556cmp al,7A
00401558jg crackme.00401659
0040155Ecmp al,30
00401560jl crackme.00401659
00401566cmp al,39
00401568jle short crackme.00401572
0040156Acmp al,41
0040156Cjl crackme.00401659
00401572cmp al,5A
00401574jle short crackme.0040157E
00401576cmp al,61
00401578jl crackme.00401659
0040157Einc ecx
0040157Fcmp ecx,10
00401582jl short crackme.00401550 ;这一段循环判断注册码的合法性,注册码为{a,z}或{0,9}集合内
★★★★★★★★★★★★★★★★★★★★★★★★★★
00401584mov cl,byte ptr ds: ;ds:中为硬盘的序列号,我的为"NT28T5A282C2",取第1位N---->4E
0040158Axor esi,esi
0040158Clea esp,dword ptr ss:
00401590mov dl,byte ptr ss: ;ss:中为"7838307838387830"
00401594mov al,cl ;CL=4E
00401596mov bl,3 ;BL=3
00401598imul bl ;eax=4E*3=EA
0040159Aadd dl,dl ;DL=37*2=6E
0040159Csub al,dl ;al=EA-6E=7C
0040159Ecmp al,30
004015A0jb short crackme.004015A6
004015A2cmp al,39
004015A4jbe short crackme.004015B6
004015A6cmp al,41
004015A8jb short crackme.004015AE
004015AAcmp al,5A
004015ACjbe short crackme.004015B6
004015AEcmp al,61
004015B0jb short crackme.004015C4
004015B2cmp al,7A
004015B4ja short crackme.004015CC
004015B6movsx edx,byte ptr ds: ;如果结果不大于7a,大于61,则对应位注册码为计算结果对应的ASCII码
004015BDmovzx eax,al
004015C0cmp eax,edx
004015C2jmp short crackme.004015F9
004015C4cmp al,7A
004015C6ja short crackme.004015CC
004015C8cmp al,30
004015CAjnb short crackme.004015D9
004015CCcmp byte ptr ds:,33 ;我的跳到这,ds:中为假码
004015D3jnz crackme.00401659
004015D9mov dl,al
004015DBsub dl,3A
004015DEcmp dl,6
004015E1ja short crackme.004015EC
004015E3cmp byte ptr ds:,35 ;如果计算结果不大于41则对应位注册码为5
004015EAjnz short crackme.00401659
004015ECsub al,5B
004015EEcmp al,5
004015F0ja short crackme.004015FB
004015F2cmp byte ptr ds:,41 ;如果值不大于61则对应注册码为"A"
004015F9jnz short crackme.00401659
004015FBinc esi
004015FCcmp esi,10
004015FFjl short crackme.00401590
00401601push 400
00401606lea eax,dword ptr ss:
0040160Dpush 0
0040160Fpush eax
00401610call crackme.00403C20
00401615mov cl,byte ptr ds:
0040161Badd esp,0C
0040161Etest cl,cl
00401620je short crackme.00401645
00401622xor eax,eax
00401624jmp short crackme.00401630
00401626lea esp,dword ptr ss:
0040162Dlea ecx,dword ptr ds:
00401630xor cl,78
00401633mov byte ptr ss:,cl
0040163Amov cl,byte ptr ds:
00401640inc eax
00401641test cl,cl
00401643jnz short crackme.00401630
00401645push 0 ; /Style = MB_OK|MB_APPLMODAL
00401647lea ecx,dword ptr ss: ; |
0040164Epush ecx ; |Title
0040164Fmov edx,ecx ; |
00401651push edx ; |Text
00401652push edi ; |hOwner
00401653call dword ptr ds:[<&user32.MessageBoxA>>; \MessageBoxA 弹出注册成功对话框
.............
注册码与你的硬盘序列号第1位还有你的用户名有关!
[ 本帖最后由 x80x88 于 2008-10-30 23:42 编辑 ] /:goodLS 太强大了,学习 /:good
原来如此。。学习了。。呵呵。。。。我的取不到序列号。。。为0.。
00401487 >8038 CC cmp byte ptr , 0CC//
0040148A .74 17 je short 004014A3
这里怎么过的呢/:010 。。。 没注意到竟然还有断点检测/:L
我是载入程序然后在004014D0处下断就跟出来了/:012
页:
[1]
2