請教在OCN做的一个初级算法练习的疑問
【破解分析过程】填入用户名 yezhihun，注册码 123456789，下断 BP GetDlgItemTextA，断下后来到
; --- Main serial check (fragment: the routine starts above 0040150C and continues below 00401616).
; retn 10 -> four dword arguments; hWnd is read from [ebp+8] (looks like a dialog procedure).
; Global addresses recovered from the opcode bytes (the extraction dropped the bracketed operands):
;   403020   = username buffer (lea ecx,[403020] at 00401514)
;   [4030A0] = pointer to username buffer         [4030A4] = username length (GetDlgItemTextA result)
;   4030AC   = serial buffer                       [4030A8] = serial length, must be 16
;   [4031AC] = pointer to serial buffer            [4031B0] = accumulated check bits, compared with 0FFF
; Every check routine pushes (bit or 0, [4031B0]) and calls 00401000, which is not shown here; presumably it
; ORs the bit into [4031B0], since the twelve bits 1,2,4,...,800 sum to exactly 0FFF.
; The register arithmetic between the calls is never stored and the callees push their own arguments,
; so it appears to be filler/obfuscation rather than part of the algorithm.
0040150C |.FF75 08 push dword ptr ss: ; |hWnd = [ebp+8]; the earlier pushes of this call are above the fragment
0040150F |.E8 4A010000 call <jmp.&user32.GetDlgItemTex>; \GetDlgItemTextA -- reads the username, eax = characters copied
00401514 |.8D0D 20304000 lea ecx,dword ptr ds: ; ecx = 403020, the username buffer (author tested with "yezhihun", 8 chars)
0040151A |.890D A0304000 mov dword ptr ds:,ecx ; [4030A0] = &username
00401520 |.A3 A4304000 mov dword ptr ds:,eax ; [4030A4] = username length
00401525 |.833D A4304000 0>cmp dword ptr ds:,4 ; username must be at least 4 characters
0040152C |.73 04 jnb short CrackMe.00401532 ; unsigned >= 4 -> continue
0040152E |.C9 leave ; too short: return without recording any bit
0040152F |.C2 1000 retn 10
00401532 |>68 00010000 push 100 ; /Count = 100 (256.)
00401537 |.68 AC304000 push CrackMe.004030AC ; |Buffer = CrackMe.004030AC, the serial buffer
0040153C |.68 ED030000 push 3ED ; |ControlID = 3ED (1005.), the serial edit box
00401541 |.FF75 08 push dword ptr ss: ; |hWnd
00401544 |.E8 15010000 call <jmp.&user32.GetDlgItemTex>; \GetDlgItemTextA -- reads the serial
00401549 |.A3 A8304000 mov dword ptr ds:,eax ; [4030A8] = serial length
0040154E |.83F8 10 cmp eax,10 ; serial must be exactly 16 characters
00401551 74 04 je short CrackMe.00401557 ; equal -> run the twelve checks
00401553 |.C9 leave
00401554 |.C2 1000 retn 10
00401557 |>8D0D AC304000 lea ecx,dword ptr ds: ; ecx = 4030AC, the serial buffer
0040155D |.890D AC314000 mov dword ptr ds:,ecx ; [4031AC] = &serial
00401563 |.E8 00FBFFFF call CrackMe.00401068 ; check 1: serial[0] == 'H' (bit 1)
00401568 |.33C0 xor eax,eax ; filler: eax is overwritten inside the next call
0040156A |.E8 2EFBFFFF call CrackMe.0040109D ; check 2: serial[1] == 'T' (bit 2)
0040156F |.0BC2 or eax,edx ; filler (author observed EAX = 0014060B here)
00401571 |.E8 5CFBFFFF call CrackMe.004010D2 ; check 3: serial[2] == '-' (bit 4)
00401576 |.85C0 test eax,eax ; filler: the flags are not consumed before the next call
00401578 |.E8 8AFBFFFF call CrackMe.00401107 ; check 4: serial[3] == '7' (bit 8)
0040157D |.33C8 xor ecx,eax ; filler
0040157F |.E8 B8FBFFFF call CrackMe.0040113C ; check 5: serial[4]+serial[6] == serial[9]+serial[10] (bit 10)
00401584 |.F7D1 not ecx ; filler
00401586 |.FF35 A4304000 push dword ptr ds: ; arg 2 of 0040120E: [4030A4] = username length
0040158C |.FF35 AC314000 push dword ptr ds: ; arg 1 of 0040120E: [4031AC] = &serial (not used by the callee's visible code)
00401592 |.E8 77FCFFFF call CrackMe.0040120E ; check 6: serial[5] == sum(username bytes) / username length (bit 20); its retn 8 pops both args
00401597 |.030D A4304000 add ecx,dword ptr ds: ; filler: ecx += [4030A4]
0040159D |.E8 FFFBFFFF call CrackMe.004011A1 ; check 7: serial[7]+serial[8] == username[1]+username[len-2] (bit 40)
004015A2 |.91 xchg eax,ecx ; filler
004015A3 |.D1E0 shl eax,1 ; filler
004015A5 |.8BD0 mov edx,eax ; filler
004015A7 |.E8 A6FCFFFF call CrackMe.00401252 ; check 8: serial[9]+serial[10] is even (bit 80)
004015AC |.B8 78563412 mov eax,12345678 ; filler constant
004015B1 |.E8 EDFCFFFF call CrackMe.004012A3 ; check 9: meant to relate serial[11] to username length mod 3, but the callee compares edx, not the digit in eax (bit 100) -- see 004012C6
004015B6 |.03C1 add eax,ecx ; filler
004015B8 |.E8 32FDFFFF call CrackMe.004012EF ; check 10: serial[12]+serial[5] is odd (bit 200)
004015BD |.33C9 xor ecx,ecx ; filler
004015BF |.FF35 A0304000 push dword ptr ds: ; [4030A0] = &username
004015C5 |.E8 63FAFFFF call CrackMe.0040102D ; sum of the username bytes (routine not shown); the result is not used here
004015CA |.E8 71FDFFFF call CrackMe.00401340 ; check 11: serial[12]+serial[13]+serial[14] + username length == 10A (bit 400)
004015CF |.03CB add ecx,ebx ; filler (ebx is not set anywhere in this fragment)
004015D1 |.68 00010000 push 100 ; /Count = 100 (256.)
004015D6 |.68 AC304000 push CrackMe.004030AC ; |Buffer = CrackMe.004030AC
004015DB |.68 ED030000 push 3ED ; |ControlID = 3ED (1005.)
004015E0 |.FF75 08 push dword ptr ss: ; |hWnd
004015E3 |.E8 76000000 call <jmp.&user32.GetDlgItemTex>; \GetDlgItemTextA -- re-reads the serial, eax = length
004015E8 |.8BC8 mov ecx,eax ; filler
004015EA |.C1C1 05 rol ecx,5 ; filler
004015ED |.8BC1 mov eax,ecx ; filler
004015EF |.E8 ACFDFFFF call CrackMe.004013A0 ; check 12: serial[15] == username[len-2] (bit 800)
004015F4 |.2BC1 sub eax,ecx ; filler
004015F6 |.813D B0314000 F>cmp dword ptr ds:,0FFF ; are all twelve bits set in [4031B0]?
00401600 75 14 jnz short CrackMe.00401616 ; the one branch every check funnels into (the author's patch point); a purely client-side check has no stronger anchor than this
00401602 |.6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401604 |.68 D0204000 push CrackMe.004020D0 ; |Title = "Congratulations"
00401609 |.68 C1204000 push CrackMe.004020C1 ; |Text = "GOOD JOB, MAN!" -- success message
0040160E |.FF75 08 push dword ptr ss: ; |hOwner
00401611 |.E8 5A000000 call <jmp.&user32.MessageBoxA>; \MessageBoxA
00401616 |>C705 B0314000 0>mov dword ptr ds:,0 ; [4031B0] = 0: clear the bits for the next attempt
以下是各个CALL的内容
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.00401068: check 1 -- serial[0] must be 'H'; reports bit 1 on success, 0 on failure.
; OllyDbg did not decode 00401069-0040106C: the bytes 56 57 6A 00 are push esi / push edi / push 0,
; the same prologue the sibling routines show at 0040109E-004010A0 (re-analyse the module to fix the view).
; The 'H' comparison is at 00401078 below, not in these first lines.
00401068 $53 push ebx
00401069 56 db 56 ;CHAR 'V' -- really: push esi
0040106A 57 db 57 ;CHAR 'W' -- really: push edi
0040106B 6A db 6A ;CHAR 'j' -- really: push 0 (6A 00) = character index 0
0040106C 00 db 00
0040106D .FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
00401073 .E8 D8FFFFFF call CrackMe.00401050 ; eax = serial[0] (00401050 not shown; per the author it returns the byte at the given index)
00401078 .83F8 48 cmp eax,48 ; 48h = 'H'
0040107B .74 0F je short CrackMe.0040108C
0040107D .6A 00 push 0 ; failure: bit value 0
0040107F .FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401085 .E8 76FFFFFF call CrackMe.00401000 ; 00401000 not shown; presumably records the bit in [4031B0]
0040108A .EB 0D jmp short CrackMe.00401099
0040108C >6A 01 push 1 ; success: bit 1
0040108E .FF35 B0314000 push dword ptr ds:
00401094 .E8 67FFFFFF call CrackMe.00401000
00401099 >5F pop edi
0040109A .5E pop esi
0040109B .5B pop ebx
0040109C .C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.0040109D: check 2 -- serial[1] must be 'T'; reports bit 2 on success, 0 on failure.
0040109D /$53 push ebx
0040109E |.56 push esi
0040109F |.57 push edi
004010A0 |.6A 01 push 1 ; character index 1
004010A2 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
004010A8 |.E8 A3FFFFFF call CrackMe.00401050 ; eax = serial[1]
004010AD |.83F8 54 cmp eax,54 ; 54h = 'T'
004010B0 74 0F je short CrackMe.004010C1
004010B2 |.6A 00 push 0 ; failure
004010B4 |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
004010BA |.E8 41FFFFFF call CrackMe.00401000
004010BF |.EB 0D jmp short CrackMe.004010CE
004010C1 |>6A 02 push 2 ; success: bit 2
004010C3 |.FF35 B0314000 push dword ptr ds:
004010C9 |.E8 32FFFFFF call CrackMe.00401000
004010CE |>5F pop edi
004010CF |.5E pop esi
004010D0 |.5B pop ebx
004010D1 \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.004010D2: check 3 -- serial[2] must be '-' (2Dh); reports bit 4 on success, 0 on failure.
004010D2 /$53 push ebx
004010D3 |.56 push esi
004010D4 |.57 push edi
004010D5 |.6A 02 push 2 ; character index 2
004010D7 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
004010DD |.E8 6EFFFFFF call CrackMe.00401050 ; eax = serial[2]
004010E2 |.83F8 2D cmp eax,2D ; 2Dh = '-'
004010E5 |.74 0F je short CrackMe.004010F6
004010E7 |.6A 00 push 0 ; failure
004010E9 |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
004010EF |.E8 0CFFFFFF call CrackMe.00401000
004010F4 |.EB 0D jmp short CrackMe.00401103
004010F6 |>6A 04 push 4 ; success: bit 4
004010F8 |.FF35 B0314000 push dword ptr ds:
004010FE |.E8 FDFEFFFF call CrackMe.00401000
00401103 |>5F pop edi
00401104 |.5E pop esi
00401105 |.5B pop ebx
00401106 \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.00401107: check 4 -- serial[3] must be '7' (37h); reports bit 8 on success, 0 on failure.
; Together with checks 1-3 this fixes the constant prefix "HT-7".
00401107 /$53 push ebx
00401108 |.56 push esi
00401109 |.57 push edi
0040110A |.6A 03 push 3 ; character index 3
0040110C |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
00401112 |.E8 39FFFFFF call CrackMe.00401050 ; eax = serial[3]
00401117 |.83F8 37 cmp eax,37 ; 37h = '7'
0040111A 74 0F je short CrackMe.0040112B
0040111C |.6A 00 push 0 ; failure
0040111E |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401124 |.E8 D7FEFFFF call CrackMe.00401000
00401129 |.EB 0D jmp short CrackMe.00401138
0040112B |>6A 08 push 8 ; success: bit 8
0040112D |.FF35 B0314000 push dword ptr ds:
00401133 |.E8 C8FEFFFF call CrackMe.00401000
00401138 |>5F pop edi
00401139 |.5E pop esi
0040113A |.5B pop ebx
0040113B \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.0040113C: check 5 -- serial[4] + serial[6] must equal serial[9] + serial[10] (byte values);
; reports bit 10 on success, 0 on failure. Indices are 0-based, i.e. 5th+7th vs 10th+11th character.
0040113C /$53 push ebx
0040113D |.56 push esi
0040113E |.57 push edi
0040113F |.6A 04 push 4 ; index 4
00401141 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
00401147 |.E8 04FFFFFF call CrackMe.00401050 ; eax = serial[4]
0040114C |.8BD8 mov ebx,eax ; ebx = serial[4]
0040114E |.6A 06 push 6 ; index 6
00401150 |.FF35 AC314000 push dword ptr ds:
00401156 |.E8 F5FEFFFF call CrackMe.00401050 ; eax = serial[6]
0040115B |.03D8 add ebx,eax ; ebx = serial[4] + serial[6]
0040115D |.6A 09 push 9 ; index 9
0040115F |.FF35 AC314000 push dword ptr ds:
00401165 |.E8 E6FEFFFF call CrackMe.00401050 ; eax = serial[9]
0040116A |.8BD0 mov edx,eax ; edx = serial[9]
0040116C |.6A 0A push 0A ; index 10
0040116E |.FF35 AC314000 push dword ptr ds:
00401174 |.E8 D7FEFFFF call CrackMe.00401050 ; eax = serial[10]
00401179 |.03D0 add edx,eax ; edx = serial[9] + serial[10]
0040117B |.33DA xor ebx,edx ; zero iff the two sums are equal
0040117D |.0BDB or ebx,ebx ; set ZF from the xor result
0040117F |.74 0F je short CrackMe.00401190 ; equal -> success
00401181 |.6A 00 push 0 ; failure
00401183 |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401189 |.E8 72FEFFFF call CrackMe.00401000
0040118E |.EB 0D jmp short CrackMe.0040119D
00401190 |>6A 10 push 10 ; success: bit 10
00401192 |.FF35 B0314000 push dword ptr ds:
00401198 |.E8 63FEFFFF call CrackMe.00401000
0040119D |>5F pop edi
0040119E |.5E pop esi
0040119F |.5B pop ebx
004011A0 \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.004011A1: check 7 -- serial[7] + serial[8] must equal username[1] + username[len-2];
; reports bit 40 on success, 0 on failure. username[len-2] is the second-to-last character
; (the 7th character of an 8-character name such as "yezhihun").
004011A1 /$53 push ebx
004011A2 |.56 push esi
004011A3 |.57 push edi
004011A4 |.6A 07 push 7 ; index 7
004011A6 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
004011AC |.E8 9FFEFFFF call CrackMe.00401050 ; eax = serial[7]
004011B1 |.8BD8 mov ebx,eax
004011B3 |.6A 08 push 8 ; index 8
004011B5 |.FF35 AC314000 push dword ptr ds:
004011BB |.E8 90FEFFFF call CrackMe.00401050 ; eax = serial[8]
004011C0 |.03D8 add ebx,eax ; ebx = serial[7] + serial[8]
004011C2 |.6A 01 push 1 ; index 1
004011C4 |.FF35 A0304000 push dword ptr ds: ; [4030A0] = &username
004011CA |.E8 81FEFFFF call CrackMe.00401050 ; eax = username[1]
004011CF |.8BD0 mov edx,eax
004011D1 |.8B0D A4304000 mov ecx,dword ptr ds: ; ecx = [4030A4] = username length
004011D7 |.83E9 02 sub ecx,2 ; ecx = length - 2
004011DA |.51 push ecx
004011DB |.FF35 A0304000 push dword ptr ds: ; [4030A0] = &username
004011E1 |.E8 6AFEFFFF call CrackMe.00401050 ; eax = username[len-2]
004011E6 |.03D0 add edx,eax ; edx = username[1] + username[len-2]
004011E8 |.33DA xor ebx,edx ; zero iff the sums are equal
004011EA |.0BDB or ebx,ebx
004011EC 74 0F je short CrackMe.004011FD ; equal -> success
004011EE |.6A 00 push 0 ; failure
004011F0 |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
004011F6 |.E8 05FEFFFF call CrackMe.00401000
004011FB |.EB 0D jmp short CrackMe.0040120A
004011FD |>6A 40 push 40 ; success: bit 40
004011FF |.FF35 B0314000 push dword ptr ds:
00401205 |.E8 F6FDFFFF call CrackMe.00401000
0040120A |>5F pop edi
0040120B |.5E pop esi
0040120C |.5B pop ebx
0040120D \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.0040120E(serial_ptr, username_len): check 6 -- serial[5] must equal
; sum(username bytes) / username length; reports bit 20 on success, 0 on failure. retn 8 pops both args.
; [ebp+8] = &serial is never read by the visible code; [ebp+0C] = username length is the divisor.
; NOTE(review): no cdq / xor edx,edx before the idiv at 0040121E -- the dividend is edx:eax as left by
; 0040102D. It only works as intended if 0040102D returns with edx = 0; confirm in that routine.
0040120E /$55 push ebp
0040120F |.8BEC mov ebp,esp
00401211 |.53 push ebx
00401212 |.56 push esi
00401213 |.57 push edi
00401214 |.68 20304000 push CrackMe.00403020 ;ASCII "3424r" -- 403020 is the username buffer (see 00401514); "3424r" was the name typed in this session
00401219 |.E8 0FFEFFFF call CrackMe.0040102D ; eax = sum of the username bytes (routine not shown; per the author's summary)
0040121E |.F77D 0C idiv dword ptr ss: ; eax = sum / [ebp+0C] (username length); edx not cleared first
00401221 |.8B0D AC314000 mov ecx,dword ptr ds: ; ecx = [4031AC] = &serial
00401227 |.0FB649 05 movzx ecx,byte ptr ds: ; ecx = serial[5] (byte ptr [ecx+5] per the opcode)
0040122B |.3BC1 cmp eax,ecx ; quotient == serial[5] ?
0040122D 74 0F je short CrackMe.0040123E
0040122F |.6A 00 push 0 ; failure
00401231 |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401237 |.E8 C4FDFFFF call CrackMe.00401000
0040123C |.EB 0D jmp short CrackMe.0040124B
0040123E |>6A 20 push 20 ; success: bit 20
00401240 |.FF35 B0314000 push dword ptr ds:
00401246 |.E8 B5FDFFFF call CrackMe.00401000
0040124B |>5F pop edi
0040124C |.5E pop esi
0040124D |.5B pop ebx
0040124E |.C9 leave
0040124F \.C2 0800 retn 8
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.00401252: check 8 -- serial[9] + serial[10] must be even; reports bit 80 on success, 0 on failure.
; Combined with check 5 this also forces serial[4] + serial[6] to be even.
00401252 /$53 push ebx
00401253 |.56 push esi
00401254 |.57 push edi
00401255 |.6A 09 push 9 ; index 9
00401257 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
0040125D |.E8 EEFDFFFF call CrackMe.00401050 ; eax = serial[9]
00401262 |.8BD8 mov ebx,eax
00401264 |.6A 0A push 0A ; index 10
00401266 |.FF35 AC314000 push dword ptr ds:
0040126C |.E8 DFFDFFFF call CrackMe.00401050 ; eax = serial[10]
00401271 |.03C3 add eax,ebx ; eax = serial[9] + serial[10]
00401273 |.B9 02000000 mov ecx,2
00401278 |.33D2 xor edx,edx ; clear edx before the divide
0040127A |.F7F9 idiv ecx ; edx = sum mod 2
0040127C |.0BD2 or edx,edx
0040127E |.74 0F je short CrackMe.0040128F ; remainder 0 (even) -> success
00401280 |.6A 00 push 0 ; failure
00401282 |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401288 |.E8 73FDFFFF call CrackMe.00401000
0040128D |.EB 10 jmp short CrackMe.0040129F
0040128F |>68 80000000 push 80 ; success: bit 80
00401294 |.FF35 B0314000 push dword ptr ds:
0040129A |.E8 61FDFFFF call CrackMe.00401000
0040129F |>5F pop edi
004012A0 |.5E pop esi
004012A1 |.5B pop ebx
004012A2 \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.004012A3: check 9 -- reports bit 100 on success, 0 on failure.
; The visible intent is (serial[11] - '0') == username length mod 3, but the digit value computed into eax
; at 004012C3 is never compared: the xor at 004012C6 uses edx, i.e. whatever 00401050 left there.
; That is presumably why the author found the 12th character to be "arbitrary" (and why sub eax,30 seems
; to have no effect). NOTE(review): [4030A4] is the username length (set at 00401520), not the serial length.
004012A3 /$53 push ebx
004012A4 |.56 push esi
004012A5 |.57 push edi
004012A6 |.33D2 xor edx,edx ; clear edx before the divide
004012A8 |.A1 A4304000 mov eax,dword ptr ds: ; eax = [4030A4] = username length
004012AD |.B9 03000000 mov ecx,3
004012B2 |.F7F9 idiv ecx ; edx = username length mod 3
004012B4 |.8BF2 mov esi,edx ; esi = remainder
004012B6 |.6A 0B push 0B ; index 11
004012B8 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
004012BE |.E8 8DFDFFFF call CrackMe.00401050 ; eax = serial[11]; edx = whatever the callee leaves
004012C3 |.83E8 30 sub eax,30 ; eax = serial[11] - '0' -- result unused below
004012C6 |.33D6 xor edx,esi ; compares edx (not eax) with the remainder
004012C8 |.0BD2 or edx,edx
004012CA |.74 0F je short CrackMe.004012DB ; edx == remainder -> success
004012CC |.6A 00 push 0 ; failure
004012CE |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
004012D4 |.E8 27FDFFFF call CrackMe.00401000
004012D9 |.EB 10 jmp short CrackMe.004012EB
004012DB |>68 00010000 push 100 ; success: bit 100
004012E0 |.FF35 B0314000 push dword ptr ds:
004012E6 |.E8 15FDFFFF call CrackMe.00401000
004012EB |>5F pop edi
004012EC |.5E pop esi
004012ED |.5B pop ebx
004012EE \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.004012EF: check 10 -- serial[12] + serial[5] must be odd; reports bit 200 on success, 0 on failure.
; Note the inverted branch compared with 00401252: here jnz (remainder != 0) goes to the success path.
004012EF /$53 push ebx
004012F0 |.56 push esi
004012F1 |.57 push edi
004012F2 |.6A 0C push 0C ; index 12
004012F4 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
004012FA |.E8 51FDFFFF call CrackMe.00401050 ; eax = serial[12]
004012FF |.8BD8 mov ebx,eax
00401301 |.6A 05 push 5 ; index 5
00401303 |.FF35 AC314000 push dword ptr ds:
00401309 |.E8 42FDFFFF call CrackMe.00401050 ; eax = serial[5]
0040130E |.03C3 add eax,ebx ; eax = serial[12] + serial[5]
00401310 |.B9 02000000 mov ecx,2
00401315 |.33D2 xor edx,edx ; clear edx before the divide
00401317 |.F7F9 idiv ecx ; edx = sum mod 2
00401319 |.0BD2 or edx,edx
0040131B |.75 0F jnz short CrackMe.0040132C ; remainder 1 (odd) -> success
0040131D |.6A 00 push 0 ; failure
0040131F |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401325 |.E8 D6FCFFFF call CrackMe.00401000
0040132A |.EB 10 jmp short CrackMe.0040133C
0040132C |>68 00020000 push 200 ; success: bit 200
00401331 |.FF35 B0314000 push dword ptr ds:
00401337 |.E8 C4FCFFFF call CrackMe.00401000
0040133C |>5F pop edi
0040133D |.5E pop esi
0040133E |.5B pop ebx
0040133F \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.00401340: check 11 -- serial[12] + serial[13] + serial[14] + username length must equal 10A (266);
; reports bit 400 on success, 0 on failure.
00401340 /$53 push ebx
00401341 |.56 push esi
00401342 |.57 push edi
00401343 |.6A 0C push 0C ; index 12
00401345 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
0040134B |.E8 00FDFFFF call CrackMe.00401050 ; eax = serial[12]
00401350 |.8BD8 mov ebx,eax
00401352 |.6A 0D push 0D ; index 13
00401354 |.FF35 AC314000 push dword ptr ds:
0040135A |.E8 F1FCFFFF call CrackMe.00401050 ; eax = serial[13]
0040135F |.03D8 add ebx,eax ; ebx = serial[12] + serial[13]
00401361 |.6A 0E push 0E ; index 14
00401363 |.FF35 AC314000 push dword ptr ds:
00401369 |.E8 E2FCFFFF call CrackMe.00401050 ; eax = serial[14]
0040136E |.03C3 add eax,ebx ; eax = serial[12] + serial[13] + serial[14]
00401370 |.0305 A4304000 add eax,dword ptr ds: ; eax += [4030A4] = username length
00401376 |.3D 0A010000 cmp eax,10A ; == 266 ?
0040137B 74 0F je short CrackMe.0040138C
0040137D |.6A 00 push 0 ; failure
0040137F |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
00401385 |.E8 76FCFFFF call CrackMe.00401000
0040138A |.EB 10 jmp short CrackMe.0040139C
0040138C |>68 00040000 push 400 ; success: bit 400
00401391 |.FF35 B0314000 push dword ptr ds:
00401397 |.E8 64FCFFFF call CrackMe.00401000
0040139C |>5F pop edi
0040139D |.5E pop esi
0040139E |.5B pop ebx
0040139F \.C3 retn
--------------------------------------------------------------------------------------------------------------------
; --- CrackMe.004013A0: check 12 -- serial[15] must equal username[len-2]; reports bit 800 on success, 0 on failure.
; The index is length - 2, i.e. the second-to-last character of the username (0-based index 6, the 7th
; character, for an 8-character name); the same index is used by 004011A1.
004013A0 /$53 push ebx
004013A1 |.56 push esi
004013A2 |.57 push edi
004013A3 |.6A 0F push 0F ; index 15 (last serial character)
004013A5 |.FF35 AC314000 push dword ptr ds: ; [4031AC] = &serial
004013AB |.E8 A0FCFFFF call CrackMe.00401050 ; eax = serial[15]
004013B0 |.8BD8 mov ebx,eax
004013B2 |.8B0D A4304000 mov ecx,dword ptr ds: ; ecx = [4030A4] = username length
004013B8 |.49 dec ecx
004013B9 |.49 dec ecx ; ecx = length - 2
004013BA |.51 push ecx
004013BB |.FF35 A0304000 push dword ptr ds: ; [4030A0] = &username
004013C1 |.E8 8AFCFFFF call CrackMe.00401050 ; eax = username[len-2]
004013C6 |.33C3 xor eax,ebx ; zero iff serial[15] == username[len-2]
004013C8 |.0BC0 or eax,eax
004013CA 74 0F je short CrackMe.004013DB ; equal -> success
004013CC |.6A 00 push 0 ; failure
004013CE |.FF35 B0314000 push dword ptr ds: ; [4031B0] = result bits
004013D4 |.E8 27FCFFFF call CrackMe.00401000
004013D9 |.EB 10 jmp short CrackMe.004013EB
004013DB |>68 00080000 push 800 ; success: bit 800
004013E0 |.FF35 B0314000 push dword ptr ds:
004013E6 |.E8 15FCFFFF call CrackMe.00401000
004013EB |>5F pop edi
004013EC |.5E pop esi
004013ED |.5B pop ebx
004013EE \.C3 retn
--------------------------------------------------------------------------------------------------------------------
============================================================
【破解分析过程总结】
这个软件不难,断下后立刻来到关键算法,非常适合像我这种菜鸟!嘿嘿!
主要算法:
前四位是固定的HT-7
第五位的ASC码+第七位=第十位+第十一位
第六位注册码就是用户名各字符ASC码之和与用户名位数的商
第八位+第九位的注册码的ASC值=用户名的第二位ASC值+用户名第七位的值
第十位和第十一位的和能将2整除 注意:这里限制了第五位和第七位
第十二位是任意数
注册码第十三位和注册码第六位的和不是偶数,即和不能整除2
第十三,十四,十五的和再加上用户名的位数等于10A
第十六位为用户名的第六位(代码在004013B2-004013C1取的是用户名长度-2处的字符,与第八、九位那条规则用的是同一位)
我的注册码
yezhihun
HT-71n3ln3101Yxu
00401563 |.E8 00FBFFFF call CrackMe.00401068 ;比较第一位注册码是否为H
我进入00401563 之后只看到
00401068 $53 push ebx
00401069 56 db 56 ;CHAR 'V'
0040106A 57 db 57 ;CHAR 'W'
0040106B 6A db 6A ;CHAR 'j'
0040106C 00 db 00
0040106D .FF35 AC314000 push dword ptr ds: ;CrackMe.004030AC
比较第一位注册码是否为H;我在窗口中看到的是如上数据,并没有看到H,请问大大您是如何判断的
我输入的用户名是CHUAN
试验码是:1234567890123456
谢谢