初学算法分析_寒湖鹤影_CrackMe No.7算法分析
发一篇破文,证明自己还活着~~~
【文章标题】: 寒湖鹤影_CrackMe No.7算法分析(附注册机源码)
【文章作者】: 黑夜彩虹
【软件名称】: 寒湖鹤影_CrackMe No.7.exe
【下载地址】: https://www.chinapyg.com/viewthread.php?tid=7622&extra=page%3D2
【作者声明】: 失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1、很少写算法分析,有些不知所云.见谅.^-^
2、此CM加了壳---ASPack 2.12 ESP定律脱之(略)
3、此CM是 Microsoft Visual Basic 5.0 / 6.0 编写的
4、下断bp __vbaStrComp
; Debugger trace of the unpacked CrackMe, taken after the breakpoint on __vbaStrComp.
; It follows the hardware-ID string into the routine the author identifies as MD5 and
; on to the first pieces of the serial.
; NOTE(review): the bracketed memory operands were lost in extraction ("dword ptr ss:"
; with nothing after it). They can be recovered from the opcode bytes, e.g. 8D4D B8
; decodes to lea ecx,[ebp-48].
00407F4F 50 push eax
00407F50 FF51 20 call dword ptr ds: ; fetch the hardware ID (author's annotation)
00407F53 3BC7 cmp eax,edi ; compare the call's result in eax with edi
00407F55 DBE2 fclex
00407F57 7D 15 jge short 14B0.00407F6E ; eax >= edi: skip the __vbaHresultCheckObj call below (target is 00407F6E)
00407F59 8B8D 60FFFFFFmov ecx,dword ptr ss:
00407F5F 6A 20 push 20
00407F61 68 38774000 push 14B0.00407738
00407F66 51 push ecx
00407F67 50 push eax
00407F68 FF15 4C104000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaHresultCheckObj
00407F6E 8B85 58FFFFFFmov eax,dword ptr ss: ; load a stack local into eax
00407F74 8D95 44FFFFFFlea edx,dword ptr ss: ; edx = address of a stack local
00407F7A 8D4D 84 lea ecx,dword ptr ss: ; ecx = address of a stack local
00407F7D 89BD 58FFFFFFmov dword ptr ss:,edi ; overwrite the slot just read (same displacement bytes 58FFFFFF) with edi; debugger showed it as 0016F7E4 IC25N040ATMR04-0
00407F83 8985 4CFFFFFFmov dword ptr ss:,eax ; store the value read above into another stack local
00407F89 C785 44FFFFFF >mov dword ptr ss:,8 ; set a stack local to 8 -- NOTE(review): presumably a Variant type tag for a string, confirm
00407F93 FFD6 call esi ; call through esi (its value is set before this excerpt)
00407F95 8D8D 5CFFFFFFlea ecx,dword ptr ss: ; ecx = address of a stack local
00407F9B FF15 70114000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaFreeStr
00407FA1 8B35 F4104000mov esi,dword ptr ds:[<&msvbvm60._>; msvbvm60.__vbaVarCat
00407FA7 8D95 44FEFFFFlea edx,dword ptr ss: ; edx = address of a stack local
00407FAD 8D45 84 lea eax,dword ptr ss:
00407FB0 52 push edx ; push it as an argument
00407FB1 8D8D 44FFFFFFlea ecx,dword ptr ss:
00407FB7 50 push eax
00407FB8 51 push ecx
00407FB9 C785 4CFEFFFF >mov dword ptr ss:,14B0.00>
00407FC3 C785 44FEFFFF >mov dword ptr ss:,8
00407FCD FFD6 call esi ; __vbaVarCat (esi loaded at 00407FA1)
00407FCF 50 push eax
00407FD0 FF15 1C104000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaStrVarMove
00407FD6 8BD0 mov edx,eax ; eax=0016A50C, (UNICODE "IC25N040ATMR04-0")
00407FD8 8D8D 5CFFFFFFlea ecx,dword ptr ss: ; ecx=0
00407FDE FF15 58114000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaStrMove
00407FE4 8D95 5CFFFFFFlea edx,dword ptr ss: ; edx = address of the stack local; debugger shows IC25N040ATMR04-0
00407FEA 52 push edx ; push it as the argument for the call below
00407FEB E8 100B0000 call 14B0.00408B00 ; routine the author identifies as MD5
00407FF0 8D95 34FFFFFFlea edx,dword ptr ss: ; edx = address of a stack local
00407FF6 8D4D B8 lea ecx,dword ptr ss: ; ecx = address of a stack local ([ebp-48] per the opcode bytes)
00407FF9 8985 3CFFFFFFmov dword ptr ss:,eax ; eax=725D829A7B70514430E40320F795B2DC (value returned by the call above)
00407FFF C785 34FFFFFF >mov dword ptr ss:,8
00408009 FF15 10104000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaVarMove
0040800F 8D8D 5CFFFFFFlea ecx,dword ptr ss:
00408015 FF15 70114000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaFreeStr
0040801B 8D8D 44FFFFFFlea ecx,dword ptr ss:
00408021 FF15 18104000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaFreeVar
00408027 8D85 74FFFFFFlea eax,dword ptr ss:
0040802D 8D8D 44FEFFFFlea ecx,dword ptr ss:
00408033 50 push eax
00408034 51 push ecx
00408035 C785 4CFEFFFF >mov dword ptr ss:,6 ; constant 6 used by the comparison below
0040803F C785 44FEFFFF >mov dword ptr ss:,8002
00408049 FF15 50114000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaVarTstGe
0040804F 66:85C0 test ax,ax
00408052 0F84 1C030000je 14B0.00408374 ; taken when the result in ax is 0 -- NOTE(review): presumably the user-name length >= 6 check (the keygen requires length > 5), confirm
00408058 8D95 44FFFFFFlea edx,dword ptr ss:
0040805E 8D45 B8 lea eax,dword ptr ss:
00408061 52 push edx
00408062 6A 1B push 1B ; 1B hex = 27 -- NOTE(review): presumably the start position for the Mid call below
00408064 8D8D 34FFFFFFlea ecx,dword ptr ss:
0040806A 50 push eax
0040806B 51 push ecx
0040806C C785 4CFFFFFF >mov dword ptr ss:,6 ; writes 6 (presumably the Mid length); debugger showed the slot's old content 0016A50C, (UNICODE "IC25N040ATMR04-0")
00408076 C785 44FFFFFF >mov dword ptr ss:,2
00408080 FF15 74104000call dword ptr ds:[<&msvbvm60.rtcM>; msvbvm60.rtcMidCharVar
00408086 8D95 34FFFFFFlea edx,dword ptr ss:
0040808C 8D85 24FFFFFFlea eax,dword ptr ss:
00408092 52 push edx
00408093 50 push eax
00408094 FF15 38104000call dword ptr ds:[<&msvbvm60.rtcL>; msvbvm60.rtcLowerCaseVar
0040809A B8 02000000 mov eax,2
0040809F 8D8D E4FEFFFFlea ecx,dword ptr ss:
004080A5 8985 E4FEFFFFmov dword ptr ss:,eax
004080AB 8985 24FEFFFFmov dword ptr ss:,eax
004080B1 8D55 B8 lea edx,dword ptr ss:
004080B4 51 push ecx
004080B5 8D85 04FFFFFFlea eax,dword ptr ss:
004080BB 52 push edx
004080BC 50 push eax
004080BD C785 3CFEFFFF >mov dword ptr ss:,14B0.00>; separator string: "-" (author's annotation)
..................................略N行................................
; Tail of the same trace: a run of calls through esi followed by the move of the
; finished string.
; NOTE(review): esi presumably still holds __vbaVarCat (loaded at 00407FA1), which would
; make these calls the concatenation of the serial's pieces -- confirm, since the lines
; in between are omitted on the page.
0004081A7 50 push eax
004081A8 8D8D B4FEFFFFlea ecx,dword ptr ss: ; ecx = address of a stack local
004081AE 51 push ecx ; push it as an argument
004081AF FFD6 call esi
004081B1 50 push eax
004081B2 8D55 CC lea edx,dword ptr ss:
004081B5 8D85 A4FEFFFFlea eax,dword ptr ss:
004081BB 52 push edx
004081BC 50 push eax
004081BD FFD6 call esi
004081BF 8D8D F4FDFFFFlea ecx,dword ptr ss:
004081C5 50 push eax
004081C6 8D95 94FEFFFFlea edx,dword ptr ss:
004081CC 51 push ecx
004081CD 52 push edx
004081CE FFD6 call esi
004081D0 50 push eax
004081D1 8D85 64FEFFFFlea eax,dword ptr ss: ; eax = address of a stack local
004081D7 8D8D 54FEFFFFlea ecx,dword ptr ss:
004081DD 50 push eax
004081DE 51 push ecx
004081DF FFD6 call esi
004081E1 50 push eax
004081E2 FF15 1C104000call dword ptr ds:[<&msvbvm60.__vb>; author steps into this call (F7); same import-slot bytes (FF15 1C104000) as the __vbaStrVarMove call at 00407FD0
004081E8 8BD0 mov edx,eax ; eax=0016A50C, (UNICODE "95b2dc-795B-joe-lu-a7b70514")
004081EA 8D4D 94 lea ecx,dword ptr ss:
004081ED FF15 58114000call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaStrMove
===================================算法======================================
; Body of the msvbvm60 routine the author stepped into from 004081E2.
; NOTE(review): the page labels this section as the algorithm, but these lines only test
; a 16-bit field for the value 8, clear it and return a pointer to a string that already
; exists. The serial itself is assembled by the calls in the main trace.
6A2A540D msvbvm60>56 push esi ; save esi
6A2A540E 8B7424 08 mov esi,dword ptr ss: ; esi = the routine's argument ([esp+8] per the opcode bytes)
6A2A5412 66:833E 08 cmp word ptr ds:,8 ; is the 16-bit field at [esi] equal to 8?
6A2A5416 0F85 FF140200jnz msvbvm60.6A2C691B ; if not, leave for 6A2C691B (not shown on the page)
6A2A541C 66:8326 00 and word ptr ds:,0 ; clear that 16-bit field
6A2A5420 8B46 08 mov eax,dword ptr ds: ; return the pointer stored at [esi+8]; debugger: 0016A50C, (UNICODE "95b2dc-795B-joe-lu-a7b70514")
6A2A5423 5E pop esi ; restore esi; debugger shows the restored value as msvbvm60.__vbaVarCat
6A2A5424 C2 0400 retn 4
==================================================================================
算法总结:
1、取硬件ID=IC25N040ATMR04-0 设为 CodeA
2、硬件ID(IC25N040ATMR04-0)MD5加密=725D829A7B70514430E40320F795B2DC 设为 CodeB
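3、重新分解CodeB= 95B2DC(code1) + 795B(code2) +用户名+a7b70514(code3),各段之间以"-"连接;上文跟踪得到的完整注册码为 95b2dc-795B-joe-lu-a7b70514(其中 joe-lu 应为所填用户名)。由此可见,注册码只是机器码的无密钥MD5片段与明文用户名的拼接,校验逻辑全部在客户端,不含任何保密信息。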
注册机:
// Click handler of the article's keygen form. It takes the machine ID from Edit_ID and
// the user name from Edit_Name, slices the MD5 hex digest of the machine ID into three
// pieces and writes code1-code2-name-code3 to Edit_No.
// Nothing is written unless the name is longer than 5 characters.
// The serial is built only from an unkeyed digest of the machine ID and the plain user
// name; no secret value enters the computation.
// NOTE(review): MD5String and MD5Print come from a unit not shown on this page, so the
// letter case of the digest they return cannot be confirmed here.
procedure TForm1.Button1Click(Sender: TObject);
var code1,code2,code3:string;
begin
if length(Edit_Name.Text)>5 then
begin
// code1: the last 6 characters of the digest.
code1:=RightStr(MD5Print(MD5String(Edit_ID.text)),6);
// code2: the first 4 of the last 7 characters (positions 26..29 of a 32-character digest).
Code2:=RightStr(MD5Print(MD5String(Edit_ID.text)),7);
Code2:=LeftStr(code2,4);
// code3: Copy(s,7,9) takes 9 characters starting at position 7.
// NOTE(review): the serial traced in the article ends in the 8-character "a7b70514",
// which is digest positions 8..15, and shows code2 in upper case ("795B") while code1
// is lower case. Confirm the offsets and letter case against the trace.
Code3:=copy(MD5Print(MD5String(Edit_ID.text)),7,9);
Edit_No.Text:=(code1+'-'+code2+'-'+Edit_Name.Text+'-'+code3);
end;
end; 在看雪里.就顶过了! 学习!希望能经常学习兄弟的精彩破文。 MD5,小黑,教偶加密算法~~ 原帖由 网游难民 于 2006-10-14 19:34 发表
MD5,小黑,教偶加密算法~~
http://bbs.pediy.com/showthread.php?s=&threadid=33289
第一次浅析MD5算法