[PYG] Algorithm Analysis Primer, Lesson 2
【Title】Algorithm Analysis Primer, Lesson 2【Author】飘云
【Tool】OllyDbg (二哥 modified build)
【Platform】WinXP
【Author's email】[email protected]
【Software】crackme
【Protection】username + registration code
★★★Something I analysed a while ago, sharing it with everyone; experts need not bother, and please don't laugh if it's badly written ~~^_^~~
Run the program and enter the registration info:
piaoyun
789456123
An error message appears.
Load the program in OD, search the string references, and arrive here:
0040121A > \68 00200000 push 2000 ; /Style = MB_OK|MB_TASKMODAL; Default case of switch 004011A4
0040121F . 68 01204000 push chap203.00402001 ; |Title = "Duelist's Crackme #4"
00401224 . 68 AE204000 push chap203.004020AE ; |Text = "Your registration info is invalid... Note that most of the special chars may raise registration problems!"
00401229 . 6A 00 push 0 ; |hOwner = NULL
The key spot is easy to find:
00401132 . E8 41020000 call <jmp.&USER32.SendDlgItemMessage> ; get the username length
00401137 . A3 AF214000 mov dword ptr ds:[4021AF],eax
0040113C . 83F8 00 cmp eax,0 ; is it 0?
0040113F . 0F84 D5000000 je chap203.0040121A ; if so, it's over
00401145 . 83F8 08 cmp eax,8 ; more than 8 characters?
00401148 . 0F8F CC000000 jg chap203.0040121A ; if so, error!
0040114E . 8BF0 mov esi,eax ; length goes into esi
00401150 . 6A 00 push 0
00401152 . 6A 00 push 0
00401154 . 6A 0E push 0E ; WM_GETTEXTLENGTH
00401156 . 6A 04 push 4
00401158 . FF75 08 push dword ptr ss:[ebp+8]
0040115B . E8 18020000 call <jmp.&USER32.SendDlgItemMessage> ; get the fake code length
00401160 . 83F8 00 cmp eax,0 ; is it 0?
00401163 . 0F84 B1000000 je chap203.0040121A ; if so, error
00401169 . 3BF0 cmp esi,eax ; equal to the username length?
0040116B . 0F85 A9000000 jnz chap203.0040121A ; if not, error
00401171 . 68 60214000 push chap203.00402160
00401176 . 6A 08 push 8
00401178 . 6A 0D push 0D
0040117A . 6A 03 push 3
0040117C . FF75 08 push dword ptr ss:[ebp+8]
0040117F . E8 F4010000 call <jmp.&USER32.SendDlgItemMessage>
00401184 . 68 79214000 push chap203.00402179
00401189 . 6A 10 push 10
0040118B . 6A 0D push 0D
0040118D . 6A 04 push 4
0040118F . FF75 08 push dword ptr ss:[ebp+8]
00401192 . E8 E1010000 call <jmp.&USER32.SendDlgItemMessage>
00401197 . B9 FFFFFFFF mov ecx,-1 ; initialise ecx
0040119C > 41 inc ecx
0040119D . 0FBE81 60214000 movsx eax,byte ptr ds:[ecx+402160] ; fetch the username's ASCII values one character at a time
004011A4 . 83F8 00 cmp eax,0 ; is it 0?
004011A7 . 74 32 je short chap203.004011DB
004011A9 . BE FFFFFFFF mov esi,-1
004011AE . 83F8 41 cmp eax,41 ; less than 41, i.e. the letter "A"?
004011B1 . 7C 67 jl short chap203.0040121A ; if so, error
004011B3 . 83F8 7A cmp eax,7A ; greater than 7A, i.e. the letter "z"?
★★ this checks that the username consists of letters ★★
004011B6 . 77 62 ja short chap203.0040121A ; if so, error
004011B8 . 83F8 5A cmp eax,5A ; less than 5A, i.e. the letter "Z"?
004011BB . 7C 03 jl short chap203.004011C0 ; if so, jump
004011BD . 83E8 20 sub eax,20 ; subtract 20 from the ASCII value
★★ this is where the username is converted to uppercase ★★
004011C0 . 46 inc esi
004011C1 . 0FBE96 17204000 movsx edx,byte ptr ds:[esi+402017] ; right-click here -> Follow in Dump -> Memory address, and you can see this table:
A1LSK2DJF4HGP3QWO5EIR6UTYZ8MXN7CBV9 (starting from the first position, the username character is looked up to find where it appears in the table)
004011C8 . 3BC2 cmp eax,edx ; equal?
004011CA .^ 75 F4 jnz short chap203.004011C0 ; not equal, keep searching
004011CC . 0FBE86 3C204000 movsx eax,byte ptr ds:[esi+40203C] ; right-click here -> Follow in Dump -> Memory address, and you can see this other table:
SU7CSJKF09NCSDO9SDF09SDRLVK7809S4NF (the character at the position matching the username character is put into eax; in my case P maps to S)
004011D3 . 8981 94214000 mov dword ptr ds:[ecx+402194],eax ; store it in memory
004011D9 . EB C1 jmp short chap203.0040119C ; loop
004011DB . FF35 AF214000 push dword ptr ds:[4021AF]
004011E1 . 68 94214000 push chap203.00402194 ; real code onto the stack
004011E6 . 68 79214000 push chap203.00402179 ; fake code onto the stack
004011EB . E8 54000000 call chap203.00401244 ; comparison call, return value goes into eax
004011F0 . 83F8 01 cmp eax,1 ; return value 1 means success
004011F3 .^ 0F84 DEFEFFFF je chap203.004010D7 ; this must jump
004011F9 . EB 1F jmp short chap203.0040121A ; this jumps to death
Jump to here and you see the light:
004010D7 > /68 00200000 push 2000 ; /Style = MB_OK|MB_TASKMODAL
004010DC . |68 01204000 push chap203.00402001 ; |Title = "Duelist's Crackme #4"
004010E1 . |68 61204000 push chap203.00402061 ; |Text = "Congratulations! Please send your keygen (working one) to [email protected]!"
004010E6 . |6A 00 push 0 ; |hOwner = NULL
【Algorithm Summary】
The username must be letters only, at most 8 characters
The registration code must have the same number of characters as the username
For each username character, the letter at the corresponding position in the second table is the registration code character
My registration info:
piaoyun
S0SSLD0
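To confirm the analysis, here is a re-implementation of the check routine in Python. This is an added example, not part of the original post and not the crackme's own code; the two table strings, the length limits and the comparison rules are taken from the listing above, while the function names are my own.

```python
# Re-implementation of the check at 00401132..004011F3, written to confirm
# the analysis (not the crackme's code). The table contents are the two
# strings seen in the dump at 00402017 and 0040203C.
TABLE1 = "A1LSK2DJF4HGP3QWO5EIR6UTYZ8MXN7CBV9"  # scanned at 004011C0
TABLE2 = "SU7CSJKF09NCSDO9SDF09SDRLVK7809S4NF"  # indexed at 004011CC


def real_code(name: str):
    """Return the code the loop at 0040119C builds for `name`, or None
    where the binary would take the error path at 0040121A."""
    if not 1 <= len(name) <= 8:            # 0040113C / 00401145
        return None
    out = []
    for ch in name:
        c = ord(ch)
        if c < 0x41 or c > 0x7A:           # 004011AE / 004011B3: only 'A'..'z'
            return None
        if c >= 0x5A:                      # 004011BB skips only values below 'Z'
            c -= 0x20                      # 004011BD: lowercase -> uppercase
        idx = TABLE1.find(chr(c))          # 004011C0..004011CA: first match wins
        if idx < 0:
            # the binary keeps scanning past the table; treat that as rejected
            return None
        out.append(TABLE2[idx])            # 004011CC / 004011D3
    return "".join(out)


def check(name: str, code: str) -> bool:
    """Mirror the whole routine: length checks, then the compare at 004011EB."""
    if not code or len(code) != len(name):  # 00401160 / 00401169
        return False
    expected = real_code(name)
    return expected is not None and code == expected


if __name__ == "__main__":
    print(real_code("piaoyun"))            # S0SSLD0, the author's code
    print(check("piaoyun", "789456123"))   # False, the first attempt
```

Because every character is a fixed table lookup, a single valid pair reveals the mapping for each letter used, which is why this kind of protection is considered trivial.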
Did you learn it? Still learning~~~ Learn!!!!!!!