Posted on 2006-1-7 22:07:54
This write-up was produced with the "破文圣手[2006新年特别版]" write-up template, hehe!!
【Write-up title】CrackMe002 algorithm analysis
【Write-up author】Busheler
【Author e-mail】[email protected]
【Author homepage】
【Tools】odbg110, win32dasm, PEiD v0.94, LordPE Deluxe V1.4, Import REConstructor V1.6
【Platform】Windows 2000
【Software name】CrackMe002 By PiaoYun[PYG]
【Software size】87.0KB
【Original download】https://www.chinapyg.com/attachment.php?aid=541
【Protection】
【Software description】The algorithm is simple but fairly long; it uses only the most common instructions, so it suits beginners well. Hope you have the patience (no brute-force patching) to work out the algorithm and write a proper keygen~~
------------------------------------------------------------------------
1. Unpacking:
PEiD v0.94 detects no packer, but the OEP can still be found; I tried dumping with LordPE Deluxe V1.4 + Import REConstructor V1.6, and the dump runs fine.
2. Finding the strings:
Loading it in win32dasm turns up the following (the two string references are "Congratulations" and "Registration successful!"):
:0040172A 8B4664 mov eax, dword ptr [esi+64]
:0040172D 50 push eax
:0040172E FF15C4214000 call dword ptr [004021C4]
:00401734 83C438 add esp, 00000038
:00401737 85C0 test eax, eax
:00401739 7512 jne 0040174D
:0040173B 50 push eax
* Possible StringData Ref from Data Obj ->"恭喜"
|
:0040173C 682C304000 push 0040302C
* Possible StringData Ref from Data Obj ->"注册成功!"
|
:00401741 6820304000 push 00403020
:00401746 8BCE mov ecx, esi
:00401748 E8BD020000 call 00401A0A
3. Setting out on the cracking path:
Loaded in odbg110:
The key spot is easy to find; since the comparison is in plaintext, the registration code hands itself over easily!
Username: busheler
Serial: 817547681632518459232612948
004015A0 . 81EC FC010000 SUB ESP,1FC
004015A6 . 53 PUSH EBX
004015A7 . 55 PUSH EBP
004015A8 . 56 PUSH ESI
004015A9 . 57 PUSH EDI
004015AA . 8BD9 MOV EBX,ECX
004015AC . 6A 01 PUSH 1
004015AE . 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
004015B2 . E8 59040000 CALL <JMP.&mfc42.#6334>
004015B7 . 8B53 60 MOV EDX,DWORD PTR DS:[EBX+60]
004015BA . 83C9 FF OR ECX,FFFFFFFF
004015BD . 8BFA MOV EDI,EDX
004015BF . 33C0 XOR EAX,EAX
004015C1 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004015C3 . F7D1 NOT ECX
004015C5 . 2BF9 SUB EDI,ECX
004015C7 . 8DAC24 44010000 LEA EBP,DWORD PTR SS:[ESP+144]
004015CE . 8BC1 MOV EAX,ECX
004015D0 . 8BF7 MOV ESI,EDI
004015D2 . 8BFD MOV EDI,EBP
004015D4 . 8B52 F8 MOV EDX,DWORD PTR DS:[EDX-8]
004015D7 . C1E9 02 SHR ECX,2
004015DA . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004015DC . 8BC8 MOV ECX,EAX
004015DE . 83E1 03 AND ECX,3
004015E1 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004015E3 . 0FBEB424 44010000 MOVSX ESI,BYTE PTR SS:[ESP+144]
004015EB . 85D2 TEST EDX,EDX
004015ED . 75 1D JNZ SHORT dumped_.0040160C
004015EF . 52 PUSH EDX
004015F0 . 68 44304000 PUSH dumped_.00403044
004015F5 . 68 34304000 PUSH dumped_.00403034
004015FA . 8BCB MOV ECX,EBX
004015FC . E8 09040000 CALL <JMP.&mfc42.#4224>
00401601 . 5F POP EDI
00401602 . 5E POP ESI
00401603 . 5D POP EBP
00401604 . 5B POP EBX
00401605 . 81C4 FC010000 ADD ESP,1FC
0040160B . C3 RET
0040160C > 8BC2 MOV EAX,EDX ; group 3 computation starts!
0040160E . 6A 0A PUSH 0A ; /radix = A (10.)
00401610 . 0FAFC6 IMUL EAX,ESI ; |
00401613 . 8BC8 MOV ECX,EAX ; |
00401615 . 8B3D D0214000 MOV EDI,DWORD PTR DS:[<&msvcrt._itoa>] ; |MSVCRT._itoa
0040161B . C1E1 04 SHL ECX,4 ; |
0040161E . 03C8 ADD ECX,EAX ; |
00401620 . 8D0C88 LEA ECX,DWORD PTR DS:[EAX+ECX*4] ; |
00401623 . C1E1 03 SHL ECX,3 ; |
00401626 . 2BC8 SUB ECX,EAX ; |
00401628 . 8D0C49 LEA ECX,DWORD PTR DS:[ECX+ECX*2] ; |
0040162B . 8D1C88 LEA EBX,DWORD PTR DS:[EAX+ECX*4] ; |
0040162E . 8D8424 AC010000 LEA EAX,DWORD PTR SS:[ESP+1AC] ; |group 3 computation ends!
00401635 . 50 PUSH EAX ; |string
00401636 . 8D0492 LEA EAX,DWORD PTR DS:[EDX+EDX*4] ; |group 1 computation starts!
00401639 . C1E0 04 SHL EAX,4 ; |
0040163C . 2BC2 SUB EAX,EDX ; |
0040163E . 8D0C46 LEA ECX,DWORD PTR DS:[ESI+EAX*2] ; |
00401641 . 03C1 ADD EAX,ECX ; |
00401643 . 8D1480 LEA EDX,DWORD PTR DS:[EAX+EAX*4] ; |
00401646 . 8D04D0 LEA EAX,DWORD PTR DS:[EAX+EDX*8] ; |group 1 computation ends!
00401649 . 50 PUSH EAX ; |value
0040164A . FFD7 CALL EDI ; \_itoa
0040164C . 8D04B6 LEA EAX,DWORD PTR DS:[ESI+ESI*4] ; group 2 computation starts!
0040164F . 8D8C24 EC000000 LEA ECX,DWORD PTR SS:[ESP+EC]
00401656 . 6A 0A PUSH 0A
00401658 . 51 PUSH ECX
00401659 . 8D1480 LEA EDX,DWORD PTR DS:[EAX+EAX*4]
0040165C . 8D0456 LEA EAX,DWORD PTR DS:[ESI+EDX*2]
0040165F . C1E0 05 SHL EAX,5
00401662 . 03C6 ADD EAX,ESI
00401664 . 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00401667 . C1E0 04 SHL EAX,4 ; group 2 computation ends!
0040166A . 50 PUSH EAX
0040166B . FFD7 CALL EDI
0040166D . 8D8C24 94000000 LEA ECX,DWORD PTR SS:[ESP+94]
00401674 . 6A 0A PUSH 0A
00401676 . 51 PUSH ECX
00401677 . 53 PUSH EBX
00401678 . FFD7 CALL EDI
0040167A . 81C3 20170000 ADD EBX,1720 ; group 4 starts!
00401680 . 8D5424 3C LEA EDX,DWORD PTR SS:[ESP+3C]
00401684 . 895C24 34 MOV DWORD PTR SS:[ESP+34],EBX
00401688 . 6A 0A PUSH 0A
0040168A . DB4424 38 FILD DWORD PTR SS:[ESP+38]
0040168E . 52 PUSH EDX
0040168F . DC0D 38254000 FMUL QWORD PTR DS:[402538] ; group 4 ends!
00401695 . E8 D6030000 CALL <JMP.&msvcrt._ftol>
0040169A . 50 PUSH EAX
0040169B . FFD7 CALL EDI
0040169D . 8D7C24 48 LEA EDI,DWORD PTR SS:[ESP+48]
004016A1 . 83C9 FF OR ECX,FFFFFFFF
004016A4 . 33C0 XOR EAX,EAX
004016A6 . 8D9424 AC000000 LEA EDX,DWORD PTR SS:[ESP+AC]
004016AD . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004016AF . F7D1 NOT ECX
004016B1 . 2BF9 SUB EDI,ECX
004016B3 . 8BF7 MOV ESI,EDI
004016B5 . 8BD9 MOV EBX,ECX
004016B7 . 8BFA MOV EDI,EDX
004016B9 . 83C9 FF OR ECX,FFFFFFFF
004016BC . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004016BE . 8BCB MOV ECX,EBX
004016C0 . 4F DEC EDI
004016C1 . C1E9 02 SHR ECX,2
004016C4 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004016C6 . 8BCB MOV ECX,EBX
004016C8 . 8D9C24 D8010000 LEA EBX,DWORD PTR SS:[ESP+1D8]
004016CF . 83E1 03 AND ECX,3
004016D2 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004016D4 . 8DBC24 10010000 LEA EDI,DWORD PTR SS:[ESP+110]
004016DB . 83C9 FF OR ECX,FFFFFFFF
004016DE . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004016E0 . F7D1 NOT ECX
004016E2 . 2BF9 SUB EDI,ECX
004016E4 . 8BF7 MOV ESI,EDI
004016E6 . 8BE9 MOV EBP,ECX
004016E8 . 8BFB MOV EDI,EBX
004016EA . 83C9 FF OR ECX,FFFFFFFF
004016ED . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004016EF . 4F DEC EDI
004016F0 . 8BCD MOV ECX,EBP
004016F2 . C1E9 02 SHR ECX,2
004016F5 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004016F7 . 8BCD MOV ECX,EBP
004016F9 . 83E1 03 AND ECX,3
004016FC . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004016FE . 8BFA MOV EDI,EDX
00401700 . 83C9 FF OR ECX,FFFFFFFF
00401703 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401705 . F7D1 NOT ECX
00401707 . 2BF9 SUB EDI,ECX
00401709 . 8BF7 MOV ESI,EDI
0040170B . 8BFB MOV EDI,EBX
0040170D . 8BE9 MOV EBP,ECX
0040170F . 8BD7 MOV EDX,EDI
00401711 . 83C9 FF OR ECX,FFFFFFFF
00401714 . 52 PUSH EDX ; /s2
00401715 . F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; |
00401717 . 8BCD MOV ECX,EBP ; |
00401719 . 4F DEC EDI ; |
0040171A . C1E9 02 SHR ECX,2 ; |
0040171D . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |
0040171F . 8BCD MOV ECX,EBP ; |
00401721 . 83E1 03 AND ECX,3 ; |
00401724 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
00401726 . 8B7424 48 MOV ESI,DWORD PTR SS:[ESP+48] ; |
0040172A . 8B46 64 MOV EAX,DWORD PTR DS:[ESI+64] ; |
0040172D . 50 PUSH EAX ; |s1
0040172E . FF15 C4214000 CALL DWORD PTR DS:[<&msvcrt._mbscmp>] ; \serial comparison; break here and the serial can be read directly!
4. Algorithm analysis
a: username length;
b: decimal ASCII value of the first character of the username (loaded with MOVSX, so a byte above 0x7F is sign-extended to a negative value).
x1 = ((a × 5 × 16 - a) × 3 + b) × 41
x2 = (((b + b × 4) × 5 × 2 + b) × 32 + b) × 3 × 16
x3 = (((a × b × 16 + a × b) × 4 + a × b) × 8 - a × b) × 3 × 4 + a × b
x4 = fix ((x3 + 5920) × 6.2831852)
These collapse to x1 = 41 × (237a + b), x2 = 78384 × b, x3 = 6613 × a × b and x4 = trunc((x3 + 5920) × 6.2831852), where 5920 is the 0x1720 added at 0040167A, the constant is the QWORD at 00402538, and "fix" is the truncation toward zero done by _ftol. Each value is converted to a decimal string by _itoa, and the copy loops from 0040169D to 00401724 append x4 to x3, x2 to x1, and then the x3x4 string to the x1x2 string, so the serial is the decimal strings of x1, x2, x3 and x4 joined in that order and compared against the input with _mbscmp. For busheler (a = 8, b = 98) the four parts are 81754, 7681632, 5184592 and 32612948, which concatenate to the serial given above.
The algorithm isn't complicated, but it is still a bit tedious: compute... compute... compute... compute... dizzy!
[ This post was last edited by busheler on 2006-1-8 14:31 ]
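The following Python keygen is an added example written for this page, not the crackme's code or the write-up author's; it implements the four groups and the concatenation order read from the listing above. It assumes 32-bit signed arithmetic throughout (the IMUL/LEA/ADD chain wraps, and _itoa with radix 10 prints a signed value), that the first username byte is sign-extended as MOVSX does, that the QWORD at 00402538 is 6.2831852 as the analysis reads it, that _ftol truncates toward zero, and that the username is encoded as GBK before the length and first byte are taken (the encoding name is an assumption, as is the whole treatment of non-ASCII names).

```python
from __future__ import annotations

# Added example keygen for CrackMe002 By PiaoYun[PYG], reconstructed from the
# OllyDbg listing in the write-up. Not the crackme's own code.

# Value of the QWORD at 00402538 as the write-up reads it; assumed, not
# extracted from the binary here.
FMUL_CONST = 6.2831852


def s32(v: int) -> int:
    """Wrap to a signed 32-bit integer, as the x86 arithmetic and _itoa see it."""
    v &= 0xFFFFFFFF
    return v - 0x1_0000_0000 if v & 0x8000_0000 else v


def serial_parts(name: bytes) -> tuple[int, int, int, int]:
    """Return (x1, x2, x3, x4) for the username bytes as the CString holds them."""
    if not name:
        # 004015EB: an empty name only gets a message box, no serial is built.
        raise ValueError("username must not be empty")
    a = len(name)                                        # [EDX-8]: CString length
    b = name[0] - 0x100 if name[0] & 0x80 else name[0]   # MOVSX of the first byte
    x1 = s32(41 * (237 * a + b))                         # 00401636..00401646
    x2 = s32(78384 * b)                                  # 0040164C..00401667
    x3 = s32(6613 * a * b)                               # 0040160C..0040162B
    # 0040167A..00401695: ADD 0x1720, FILD, FMUL, then _ftol (truncates toward zero)
    x4 = s32(int(s32(x3 + 0x1720) * FMUL_CONST))
    return x1, x2, x3, x4


def keygen(name: str, encoding: str = "gbk") -> str:
    """Decimal strings of x1..x4 joined in the order the copy loops build them."""
    return "".join(str(x) for x in serial_parts(name.encode(encoding)))


def check(name: str, serial: str) -> bool:
    """Mirror the _mbscmp at 0040172E: a plain equality of two strings."""
    return keygen(name) == serial


if __name__ == "__main__":
    print(keygen("busheler"))   # the username/serial pair from the write-up
```

Because the program builds the full serial as a string and then does a plain _mbscmp against the input, the keygen is nothing more than the same computation up to that call; that is also why a breakpoint on the comparison hands over the serial without any analysis, which is the point the write-up makes about plaintext comparisons.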