PYG 5.4 Cracker Group Extracurricular Exercise 21
PYG 5.4 Cracker Group Extracurricular Exercise 21: requirements
1) Patching (bypass the check)
2) Tracing the serial
3) Memory keygen
4) Algorithm analysis
[ This post was last edited by geae on 2006-6-24 13:51 ]
HoHo~~~ Xiao Hei, if you can analyze the algorithm of this Delphi CrackMe, write a keygen and put together a demo, you graduate!
Naturally the bar for Xiao Hei has to be a bit higher. Marking this one first, don't fight me over it, guys.....
xhw
Stack SS:=00D555DC, (ASCII "I Love Vegetable40600")
Checking in too!
rcracker
I Love Vegetable97018
After I get home from work I'll study the algorithm while watching the World Cup. Awesome!
Brief algorithm analysis
Username: rcracker
Fake serial: 78787878
004538E9|. /7D 0F JGE SHORT CRACKME1.004538FA
004538EB|. |B8 E4394500 MOV EAX,CRACKME1.004539E4 ;Please enter a username...
004538F0|. |E8 773AFDFF CALL CRACKME1.0042736C
004538F5|. |E9 A2000000 JMP CRACKME1.0045399C
004538FA|> \33DB XOR EBX,EBX
004538FC|.8B7D F8 MOV EDI,DWORD PTR SS: ;
004538FF|.85FF TEST EDI,EDI
00453901|.7E 2A JLE SHORT CRACKME1.0045392D
00453903|.BE 01000000 MOV ESI,1 ;
00453908|>8D55 F0 LEA EDX,DWORD PTR SS:
0045390B|.8B45 FC MOV EAX,DWORD PTR SS:
0045390E|.8B80 04030000MOV EAX,DWORD PTR DS:
00453914|.E8 33F1FDFF CALL CRACKME1.00432A4C
00453919|.8B45 F0 MOV EAX,DWORD PTR SS:
0045391C|.8A4430 FF MOV AL,BYTE PTR DS:
Takes each byte of the username in turn (hex values):
1. AL=72
2. AL=63
.......omitted........
8. AL=72
00453920|.25 FF000000 AND EAX,0FF
00453925|.03D8 ADD EBX,EAX
1. EBX=72+0=72
2. EBX=63+73=D6
.......omitted........
8. EBX=72+2F7=369
00453927|.03DE ADD EBX,ESI
1. EBX=72+1=73
2. EBX=D6+2=D8
.......omitted........
8. EBX=369+8=371
00453929|.46 INC ESI
0045392A|.4F DEC EDI
0045392B|.^ 75 DB JNZ SHORT CRACKME1.00453908
Checks whether every character has been consumed; if not, it loops back.
0045392D|>8BC3 MOV EAX,EBX
0045392F|.F7EB IMUL EBX
EAX=EAX*EBX=EBX*EBX=371*371=BD7E1
00453931|.83C0 05 ADD EAX,5
EAX=BD7E1+5=BD7E6=776166 (decimal)
00453934|.8945 EC MOV DWORD PTR SS:,EAX
00453937|.DB45 EC FILD DWORD PTR SS:
0045393A|.DB45 F8 FILD DWORD PTR SS:
Loads the username length, 8
0045393D|.DEF9 FDIVP ST(1),ST
776166/8=97020.75
0045393F|.D825 F4394500 FSUB DWORD PTR DS:
97020.75-2=97018.75
00453945|.E8 D2EFFAFF CALL CRACKME1.0040291C
0045394A|.8BD8 MOV EBX,EAX
0045394C|.8D55 E8 LEA EDX,DWORD PTR SS:
0045394F|.8B45 FC MOV EAX,DWORD PTR SS:
00453952|.8B80 08030000 MOV EAX,DWORD PTR DS:
00453958|.E8 EFF0FDFF CALL CRACKME1.00432A4C
0045395D|.8B45 E8 MOV EAX,DWORD PTR SS:
00453960|.50 PUSH EAX
00453961|.8D55 E0 LEA EDX,DWORD PTR SS:
00453964|.8BC3 MOV EAX,EBX
00453966|.E8 7543FBFF CALL CRACKME1.00407CE0
0045396B|.8B4D E0 MOV ECX,DWORD PTR SS:
0045396E|.8D45 E4 LEA EAX,DWORD PTR SS:
00453971|.BA 003A4500 MOV EDX,CRACKME1.00453A00 ;i love vegetable
00453976|.E8 DD07FBFF CALL CRACKME1.00404158
The string i love vegetable is concatenated with the integer part of the 97018.75 computed in the previous step, converted to a string; the result, I Love Vegetable97018, is the real serial.
0045397B|.8B55 E4 MOV EDX,DWORD PTR SS:
0045397E|.58 POP EAX
0045397F|.E8 D408FBFF CALL CRACKME1.00404258
Compares the real serial with the fake one
00453984|.75 0C JNZ SHORT CRACKME1.00453992
00453986|.B8 1C3A4500 MOV EAX,CRACKME1.00453A1C ;Registration successful...
0045398B|.E8 DC39FDFF CALL CRACKME1.0042736C
00453990|.EB 0A JMP SHORT CRACKME1.0045399C
00453992|>B8 303A4500 MOV EAX,CRACKME1.00453A30 ;Registration failed...
00453997|.E8 D039FDFF CALL CRACKME1.0042736C
[ This post was last edited by Rcracker on 2006-6-25 08:30 ]
Did a quick analysis:
004538DD|.E8 2A08FBFF CALL CRACKME1.0040410C
004538E2|.8945 F8 MOV DWORD PTR SS:,EAX
004538E5|.837D F8 01 CMP DWORD PTR SS:,1
004538E9|.7D 0F JGE SHORT CRACKME1.004538FA
004538EB|.B8 E4394500 MOV EAX,CRACKME1.004539E4 ;Please enter a username...
004538F0|.E8 773AFDFF CALL CRACKME1.0042736C
004538F5|.E9 A2000000 JMP CRACKME1.0045399C
004538FA|>33DB XOR EBX,EBX
004538FC|.8B7D F8 MOV EDI,DWORD PTR SS:
004538FF|.85FF TEST EDI,EDI
00453901|.7E 2A JLE SHORT CRACKME1.0045392D
00453903|.BE 01000000 MOV ESI,1
00453908|>8D55 F0 /LEA EDX,DWORD PTR SS:
0045390B|.8B45 FC |MOV EAX,DWORD PTR SS:
0045390E|.8B80 04030000 |MOV EAX,DWORD PTR DS:
00453914|.E8 33F1FDFF |CALL CRACKME1.00432A4C
00453919|.8B45 F0 |MOV EAX,DWORD PTR SS: ;username
0045391C|.8A4430 FF |MOV AL,BYTE PTR DS: ;loop fetching the ASCII codes
00453920|.25 FF000000 |AND EAX,0FF
00453925|.03D8 |ADD EBX,EAX
00453927|.03DE |ADD EBX,ESI
00453929|.46 |INC ESI
0045392A|.4F |DEC EDI
0045392B|.^ 75 DB \JNZ SHORT CRACKME1.00453908
0045392D|>8BC3 MOV EAX,EBX ;move the value of EBX into EAX
0045392F|.F7EB IMUL EBX ;EBX*EAX=50930
00453931|.83C0 05 ADD EAX,5 ;+5
00453934|.8945 EC MOV DWORD PTR SS:,EAX ;stored, EAX=214374
00453937|.DB45 EC FILD DWORD PTR SS: ;decimal 214374
0045393A|.DB45 F8 FILD DWORD PTR SS: ;decimal 4
0045393D|.DEF9 FDIVP ST(1),ST
0045393F|.D825 F4394500 FSUB DWORD PTR DS:
00453945|.E8 D2EFFAFF CALL CRACKME1.0040291C
0045394A|.8BD8 MOV EBX,EAX ;value into EBX, EAX=53591
0045394C|.8D55 E8 LEA EDX,DWORD PTR SS: ;value passed into EDX
0045394F|.8B45 FC MOV EAX,DWORD PTR SS:
00453952|.8B80 08030000 MOV EAX,DWORD PTR DS:
00453958|.E8 EFF0FDFF CALL CRACKME1.00432A4C
0045395D|.8B45 E8 MOV EAX,DWORD PTR SS: ;the trial serial is visible here
00453960|.50 PUSH EAX ;trial serial passed in EAX
00453961|.8D55 E0 LEA EDX,DWORD PTR SS:
00453964|.8BC3 MOV EAX,EBX ;trial serial
00453966|.E8 7543FBFF CALL CRACKME1.00407CE0
0045396B|.8B4D E0 MOV ECX,DWORD PTR SS: ;serial moved into ECX again
0045396E|.8D45 E4 LEA EAX,DWORD PTR SS: ;passed into ECX once more
00453971|.BA 003A4500 MOV EDX,CRACKME1.00453A00 ;i love vegetable
00453976|.E8 DD07FBFF CALL CRACKME1.00404158
0045397B|.8B55 E4 MOV EDX,DWORD PTR SS: ;finally placed in EDX
0045397E|.58 POP EAX ;full serial, stored in EDX
0045397F|.E8 D408FBFF CALL CRACKME1.00404258 ;key CALL
00453984 75 0C JNZ SHORT CRACKME1.00453992 ;patch point
00453986|.B8 1C3A4500 MOV EAX,CRACKME1.00453A1C ;Registration successful...
0045398B|.E8 DC39FDFF CALL CRACKME1.0042736C
00453990|.EB 0A JMP SHORT CRACKME1.0045399C
00453992|>B8 303A4500 MOV EAX,CRACKME1.00453A30 ;Registration failed...
Rcracker bro, this is the homework my Cat gave me, how could you beat me to it.....
Hehe... you're all experts~~~
Xiao Hei, no worries, you can still work through the algorithm.
Write a Delphi keygen for it.
Then make a demo; us newbies will be in luck...
Final words to you, brother: having analyzed this software's algorithm, you've already improved~~~
Originally posted by 野猫III on 2006-6-27 00:41
Hehe... you're all experts~~~
Xiao Hei, no worries, you can still work through the algorithm.
Write a Delphi keygen for it.
Then make a demo; us newbies will be in luck...
Final words to you, brother: having analyzed this software's algorithm, you've already improved~ ...
Looks like I've improved too~~
I completed the algorithm analysis on my own~~~
Will post it in a bit~~~
Embarrassed
I can only trace out the serial; I don't really understand the algorithm
lixy8888
I Love Vegetable63723
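The serial derivation traced in the two OllyDbg walkthroughs above, reimplemented as an added example (this is not code from the thread or from the CrackMe itself). It follows the disassembly: the loop at 00453908 adds each username byte plus its 1-based position into EBX, the result is squared and 5 is added, the sum is divided by the username length, 2 is subtracted, and the integer part is prefixed with "I Love Vegetable". Assumptions: the FSUB constant at 004539F4 is 2 (as the first walkthrough states), and the call at 0040291C is Delphi's Trunc rather than Round, which is inferred from the posted pairs (97018.75 yields the posted 97018; Round would give 97019). The helper names are mine. The block checks itself against the three name/serial pairs posted in the thread.

```python
# Added example: reimplementation of the CrackMe's serial derivation as
# described in the thread, used to verify the analysis against posted pairs.

# String constant shown at 00453A00 in the disassembly (as the posters render it).
PREFIX = "I Love Vegetable"

# Value subtracted by the FSUB at 0045393F; the thread states it is 2 (assumption).
FSUB_CONSTANT = 2.0


def checksum_trace(name: str) -> list:
    """Loop 00453908-0045392B: EBX += byte + i (i starts at 1).
    Returns the EBX value after every iteration, matching the trace in the thread."""
    ebx = 0
    trace = []
    for i, byte in enumerate(name.encode("latin-1"), start=1):
        ebx += byte          # AND EAX,0FF / ADD EBX,EAX
        ebx += i             # ADD EBX,ESI
        trace.append(ebx)
    return trace


def name_checksum(name: str) -> int:
    """Final EBX after the loop (0x371 for "rcracker")."""
    trace = checksum_trace(name)
    return trace[-1] if trace else 0


def serial_number(name: str) -> int:
    """0045392D-00453945: (EBX*EBX + 5) / len(name) - 2, then the integer part.
    The CMP ...,1 / JGE at 004538E5 rejects an empty username before this runs."""
    if len(name) < 1:
        raise ValueError("a username is required")
    ebx = name_checksum(name)
    value = (ebx * ebx + 5) / len(name) - FSUB_CONSTANT   # FILD/FILD/FDIVP/FSUB
    return int(value)   # int() truncates toward zero, the assumed Trunc at 0040291C


def serial_for(name: str) -> str:
    """00453971-0045397B: prefix string concatenated with the decimal number."""
    return f"{PREFIX}{serial_number(name)}"


def serial_matches(name: str, serial: str) -> bool:
    """The comparison CALL at 0045397F followed by the JNZ at 00453984."""
    return serial_for(name) == serial


if __name__ == "__main__":
    # Name/serial pairs posted in the thread (not constructed here).
    posted = {
        "xhw": "I Love Vegetable40600",
        "rcracker": "I Love Vegetable97018",
        "lixy8888": "I Love Vegetable63723",
    }
    for user, expected in posted.items():
        got = serial_for(user)
        status = "OK" if got == expected else "MISMATCH"
        print(f"{user:10s} EBX={name_checksum(user):#x} -> {got}  [{status}]")
```

Running it prints the EBX checksum and derived serial for each posted name, all three agreeing with the values in the thread. The design point the exercise illustrates is that the serial is a deterministic function of the username with no secret involved, so once the formula is recovered from the disassembly it reproduces the serial for any name; that is exactly why the thread's four requirements (patching, tracing, memory keygen, algorithm analysis) are all achievable against it.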