Posted on 2008-9-11 01:15:33
Name: nietsme
E-mail: [email protected]
Password: bcagbpw7xr9u
[screenshot]
My skills are limited; it took me a long time to get the password.
I have never worked through an algorithm before, so I am trying it on this one... reserving a spot first.
Finally got somewhere.
Below is an incomplete analysis of the algorithm:
I. Description:
The serial does not depend on the name; it is computed from the e-mail address. Let the e-mail be str; after several transformations it yields the serial ser. The flow is as follows:
1. str1 = str with all '-' and whitespace characters removed;
// whitespace includes space, carriage return, line feed and tab; since the input comes from a text box, only '-' and spaces can actually occur
// because of this step, '-' and spaces can be inserted anywhere in the e-mail address. For example [email protected] and n-i e--t [email protected] are equivalent
2. str2 = an int64 value derived from str1; (this is a guess, because the _ui64tow function used below takes an int64 argument)
3. str3 = str2 converted to a string with _ui64tow();
4. str4 = str3 after the processing of its first two characters;
5. ser = str4 with 'i', 'l', 'o' replaced by 'x', 'y', 'z' respectively; this is the final serial ser;
II. Code:
Load the program in OD and run it, open the registration dialog and enter the information, type bp GetDlgItemTextW in the OD command line to set a breakpoint, go back to the registration window and click OK; the program breaks at
7E424305 > 8BFF mov edi, edi
Remove the breakpoint.
After a few F8 steps we arrive at
0040C838 |. 8D9424 240400>lea edx, dword ptr [esp+424]
A few lines up, find the start of this block: 0040C810 /$ 81EC 1C080000 sub esp, 81C
Set a breakpoint there, reload and analyse.
====Code 1====
0040C810 /$ 81EC 1C080000 sub esp, 81C
0040C816 |. 53 push ebx
0040C817 |. 55 push ebp
0040C818 |. 8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItemTextW
0040C81E |. 68 00020000 push 200 ; /Count = 200 (512.)
0040C823 |. 8D8424 280400>lea eax, dword ptr [esp+428] ; |
0040C82A |. 50 push eax ; |Buffer
0040C82B |. 8BD9 mov ebx, ecx ; |
0040C82D |. 8B4B 0C mov ecx, dword ptr [ebx+C] ; |
0040C830 |. 68 07040000 push 407 ; |ControlID = 407 (1031.)
0040C835 |. 51 push ecx ; |hWnd
0040C836 |. FFD5 call ebp ; \GetDlgItemTextW
0040C838 |. 8D9424 240400>lea edx, dword ptr [esp+424] ; // load the e-mail address into edx
0040C83F |. 52 push edx ; /s
0040C840 |. FF15 44814100 call dword ptr [<&MSVCRT.wcslen>] ; \wcslen
0040C846 |. 83C4 04 add esp, 4
0040C849 |. 83F8 04 cmp eax, 4 ; // if the e-mail length is >= 4 continue, otherwise show the "e-mail error" warning
0040C84C |. 7D 1A jge short 0040C868
0040C84E |. 68 D4070000 push 7D4
0040C853 |. 68 07040000 push 407
0040C858 |. 8BCB mov ecx, ebx
0040C85A |. E8 51FFFFFF call 0040C7B0 ; // warning "e-mail error"
0040C85F |. 5D pop ebp
0040C860 |. 5B pop ebx
0040C861 |. 81C4 1C080000 add esp, 81C
0040C867 |. C3 retn
0040C868 |> 56 push esi
0040C869 |. 57 push edi
0040C86A |. 8D4424 10 lea eax, dword ptr [esp+10]
0040C86E |. 50 push eax
0040C86F |. 8D8C24 300400>lea ecx, dword ptr [esp+430]
0040C876 |. 51 push ecx
0040C877 |. E8 849BFFFF call 00406400 ; // process the e-mail string to derive the serial, see Code 2
0040C87C |. 8B43 0C mov eax, dword ptr [ebx+C]
0040C87F |. 83C4 08 add esp, 8
0040C882 |. 68 00020000 push 200
0040C887 |. 8D5424 30 lea edx, dword ptr [esp+30]
0040C88B |. 52 push edx
0040C88C |. 68 F6030000 push 3F6
0040C891 |. 50 push eax
0040C892 |. FFD5 call ebp
0040C894 |. 66:837C24 2C >cmp word ptr [esp+2C], 0 ; // the entered serial is processed below
0040C89A |. 8D7424 2C lea esi, dword ptr [esp+2C]
0040C89E |. 8D7C24 2C lea edi, dword ptr [esp+2C]
0040C8A2 |. 74 48 je short 0040C8EC
0040C8A4 |. 66:833E 00 cmp word ptr [esi], 0
0040C8A8 |. 8B2D 88814100 mov ebp, dword ptr [<&MSVCRT.iswspac>; msvcrt.iswspace
0040C8AE |. 74 36 je short 0040C8E6
0040C8B0 |> 33C0 /xor eax, eax
0040C8B2 |. 66:8B06 |mov ax, word ptr [esi]
0040C8B5 |. 66:3D 2D00 |cmp ax, 2D ; // '-'
0040C8B9 |. 74 0A |je short 0040C8C5
0040C8BB |. 50 |push eax
0040C8BC |. FFD5 |call ebp ; // whitespace character?
0040C8BE |. 83C4 04 |add esp, 4
0040C8C1 |. 85C0 |test eax, eax
0040C8C3 |. 74 0B |je short 0040C8D0
0040C8C5 |> 83C6 02 |add esi, 2
0040C8C8 |. 66:833E 00 |cmp word ptr [esi], 0
0040C8CC |. 74 18 |je short 0040C8E6
0040C8CE |.^ EB E0 |jmp short 0040C8B0
0040C8D0 |> 85F6 |test esi, esi
0040C8D2 |. 74 12 |je short 0040C8E6
0040C8D4 |. 66:8B0E |mov cx, word ptr [esi]
0040C8D7 |. 66:890F |mov word ptr [edi], cx
0040C8DA |. 83C6 02 |add esi, 2
0040C8DD |. 83C7 02 |add edi, 2
0040C8E0 |. 66:833E 00 |cmp word ptr [esi], 0
0040C8E4 |.^ 75 CA \jnz short 0040C8B0
0040C8E6 |> 8B2D 20824100 mov ebp, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItemTextW
0040C8EC |> 8D5424 10 lea edx, dword ptr [esp+10] ; // comparison of the real and the entered serial
0040C8F0 |. 52 push edx ; /String2
0040C8F1 |. 8D4424 30 lea eax, dword ptr [esp+30] ; |
0040C8F5 |. 50 push eax ; |String1
0040C8F6 |. 66:C707 0000 mov word ptr [edi], 0 ; |
0040C8FB |. FF15 E0804100 call dword ptr [<&KERNEL32.lstrcmpiW>>; \lstrcmpiW
0040C901 |. 85C0 test eax, eax
0040C903 |. 5F pop edi
0040C904 |. 5E pop esi
0040C905 |. 74 1A je short 0040C921 ; // if the serial is correct, jump to 0040C921
0040C907 |. 68 D2070000 push 7D2
0040C90C |. 68 F6030000 push 3F6
0040C911 |. 8BCB mov ecx, ebx
0040C913 |. E8 98FEFFFF call 0040C7B0 ; // warning "password error"
0040C918 |. 5D pop ebp
0040C919 |. 5B pop ebx
0040C91A |. 81C4 1C080000 add esp, 81C
0040C920 |. C3 retn
0040C921 |> 8B53 0C mov edx, dword ptr [ebx+C] ; // registration successful
0040C924 |. 68 00020000 push 200
0040C929 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0040C92D |. 51 push ecx
0040C92E |. 68 EA030000 push 3EA
0040C933 |. 52 push edx
====Code 2====
// serial algorithm
00406400 /$ 55 push ebp ; USER32.GetDlgItemTextW
00406401 |. 8BEC mov ebp, esp
00406403 |. 83EC 50 sub esp, 50
00406406 |. 53 push ebx
00406407 |. 56 push esi
00406408 |. 57 push edi
00406409 |. 8B7D 08 mov edi, dword ptr [ebp+8]
0040640C |. 57 push edi ; /s
0040640D |. FF15 44814100 call dword ptr [<&MSVCRT.wcslen>] ; \wcslen
00406413 |. 8BF0 mov esi, eax
00406415 |. 83C4 04 add esp, 4
00406418 |. 46 inc esi
00406419 |. 8BC6 mov eax, esi
0040641B |. 83C0 03 add eax, 3
0040641E |. 83E0 FC and eax, FFFFFFFC
00406421 |. E8 9AFD0000 call 004161C0
00406426 |. 8BDC mov ebx, esp
00406428 |. 6A 00 push 0 ; /pDefaultCharUsed = NULL
0040642A |. 6A 00 push 0 ; |pDefaultChar = NULL
0040642C |. 56 push esi ; |MultiByteCount
0040642D |. 53 push ebx ; |MultiByteStr
0040642E |. 6A FF push -1 ; |WideCharCount = FFFFFFFF (-1.)
00406430 |. 57 push edi ; |WideCharStr
00406431 |. 6A 00 push 0 ; |Options = 0
00406433 |. 6A 00 push 0 ; |CodePage = CP_ACP
00406435 |. FF15 80804100 call dword ptr [<&KERNEL32.WideCharTo>; \WideCharToMultiByte
0040643B |. 803B 00 cmp byte ptr [ebx], 0
0040643E |. 8BF3 mov esi, ebx
00406440 |. 8BFB mov edi, ebx
00406442 |. 74 37 je short 0040647B
00406444 |. 803E 00 cmp byte ptr [esi], 0
00406447 |. 74 32 je short 0040647B
00406449 |> 8A06 /mov al, byte ptr [esi] ; // fetch the e-mail characters one by one
0040644B |. 3C 2D |cmp al, 2D ; // if it is '-', skip it and fetch the next character
0040644D |. 74 11 |je short 00406460
0040644F |. 0FBEC0 |movsx eax, al
00406452 |. 50 |push eax
00406453 |. FF15 6C814100 |call dword ptr [<&MSVCRT.isspace>] ; // if it is a whitespace character, skip it and fetch the next one
00406459 |. 83C4 04 |add esp, 4
0040645C |. 85C0 |test eax, eax
0040645E |. 74 0A |je short 0040646A
00406460 |> 8A46 01 |mov al, byte ptr [esi+1]
00406463 |. 46 |inc esi
00406464 |. 84C0 |test al, al ; // end of the e-mail string?
00406466 |. 74 13 |je short 0040647B
00406468 |.^ EB DF |jmp short 00406449
0040646A |> 85F6 |test esi, esi ; // everything consumed?
0040646C |. 74 0D |je short 0040647B
0040646E |. 8A0E |mov cl, byte ptr [esi]
00406470 |. 880F |mov byte ptr [edi], cl
00406472 |. 8A46 01 |mov al, byte ptr [esi+1]
00406475 |. 47 |inc edi ; // point to the next character
00406476 |. 46 |inc esi
00406477 |. 84C0 |test al, al ; // end of the e-mail string?
00406479 |.^ 75 CE \jnz short 00406449
0040647B |> 53 push ebx
0040647C |. C607 00 mov byte ptr [edi], 0 ; | // append the string terminator '\0'
0040647F |. FF15 68814100 call dword ptr [<&MSVCRT._strlwr>] ; \_strlwr
00406485 |. 83C9 FF or ecx, FFFFFFFF
00406488 |. 33C0 xor eax, eax
0040648A |. 8BFB mov edi, ebx
0040648C |. F2:AE repne scas byte ptr es:[edi]
0040648E |. F7D1 not ecx
00406490 |. 49 dec ecx
00406491 |. 51 push ecx
00406492 |. 53 push ebx
00406493 |. E8 58FCFFFF call 004060F0 ; // key call; I am too green to really understand it~
00406498 |. 8BDA mov ebx, edx
0040649A |. 6A 21 push 21
0040649C |. 8D55 B0 lea edx, dword ptr [ebp-50]
0040649F |. 52 push edx
004064A0 |. 8BF8 mov edi, eax
004064A2 |. 53 push ebx
004064A3 |. 57 push edi
004064A4 |. FF15 64814100 call dword ptr [<&MSVCRT._ui64tow>] ; // key call: _ui64tow
004064AA |. 8D45 B0 lea eax, dword ptr [ebp-50]
004064AD |. 50 push eax
004064AE |. E8 6D000000 call 00406520 ; // key call: processes the first two characters of the string, see Code 3
004064B3 |. 33D2 xor edx, edx
004064B5 |. 66:8B10 mov dx, word ptr [eax]
004064B8 |. 83C4 20 add esp, 20
004064BB |. 66:85D2 test dx, dx
004064BE |. 8BF0 mov esi, eax
004064C0 |. 74 39 je short 004064FB ; // the loop below turns 'i', 'l', 'o' in the serial into 'x', 'y', 'z'
004064C2 |> 8BCA /mov ecx, edx
004064C4 |. 81E1 FFFF0000 |and ecx, 0FFFF
004064CA |. 83F9 69 |cmp ecx, 69 ; // if 'i', it becomes 'x'
004064CD |. 74 18 |je short 004064E7
004064CF |. 83F9 6C |cmp ecx, 6C ; // if 'l', it becomes 'y'
004064D2 |. 74 0C |je short 004064E0
004064D4 |. 83F9 6F |cmp ecx, 6F ; // if 'o', it becomes 'z'
004064D7 |. 75 13 |jnz short 004064EC
004064D9 |. BA 7A000000 |mov edx, 7A ; becomes 'z'
004064DE |. EB 0C |jmp short 004064EC
004064E0 |> BA 79000000 |mov edx, 79 ; becomes 'y'
004064E5 |. EB 05 |jmp short 004064EC
004064E7 |> BA 78000000 |mov edx, 78 ; becomes 'x'
004064EC |> 66:8916 |mov word ptr [esi], dx ; Default case of switch 004064CA
004064EF |. 66:8B56 02 |mov dx, word ptr [esi+2]
004064F3 |. 83C6 02 |add esi, 2
004064F6 |. 66:85D2 |test dx, dx
004064F9 |.^ 75 C7 \jnz short 004064C2
004064FB |> 8B4D 0C mov ecx, dword ptr [ebp+C]
004064FE |. 50 push eax ; /src
004064FF |. 51 push ecx ; |dest
00406500 |. FF15 60814100 call dword ptr [<&MSVCRT.wcscpy>] ; \wcscpy
00406506 |. 83C4 08 add esp, 8
00406509 |. 8D65 A4 lea esp, dword ptr [ebp-5C]
0040650C |. 8BC7 mov eax, edi
0040650E |. 5F pop edi
0040650F |. 5E pop esi
00406510 |. 8BD3 mov edx, ebx
00406512 |. 5B pop ebx
00406513 |. 8BE5 mov esp, ebp
00406515 |. 5D pop ebp
00406516 \. C3 retn
====Code 3====
// key call: processes the first two characters of the string
00406520 /$ 56 push esi
00406521 |. 8B7424 08 mov esi, dword ptr [esp+8]
00406525 |. 66:8B06 mov ax, word ptr [esi]
00406528 |. 66:3D 3000 cmp ax, 30 ; // digit?
0040652C |. 72 10 jb short 0040653E
0040652E |. 66:3D 3900 cmp ax, 39
00406532 |. 77 0A ja short 0040653E
00406534 |. 25 FFFF0000 and eax, 0FFFF
00406539 |. 83E8 30 sub eax, 30
0040653C |. EB 12 jmp short 00406550
0040653E |> 50 push eax ; /w
0040653F |. FF15 70814100 call dword ptr [<&MSVCRT.towlower>] ; \ // convert to lowercase
00406545 |. 83C4 04 add esp, 4
00406548 |. 25 FFFF0000 and eax, 0FFFF
0040654D |. 83E8 57 sub eax, 57
00406550 |> 83F8 0B cmp eax, 0B
00406553 |. 7F 1D jg short 00406572
00406555 |. 66:8B56 02 mov dx, word ptr [esi+2] ; // fetch the next character
00406559 |. 66:83FA 30 cmp dx, 30 ; // is it a digit?
0040655D |. 8D4E 02 lea ecx, dword ptr [esi+2]
00406560 |. 72 0C jb short 0040656E
00406562 |. 66:83FA 39 cmp dx, 39
00406566 |. 77 06 ja short 0040656E
00406568 |. 83C0 61 add eax, 61
0040656B |. 66:8901 mov word ptr [ecx], ax
0040656E |> 8BC1 mov eax, ecx
00406570 |. 5E pop esi
00406571 |. C3 retn
00406572 |> 8BC6 mov eax, esi
00406574 |. 5E pop esi
00406575 \. C3 retn
Code 3 does the following:
if (the first character of str3 is a letter)
{
    lowercase str3[0];
    str4 = str3;
}
if (the first character of str3 is a digit and the second is a letter)
    str4 = str3 without its leading digit;
if (the first two characters of str3 are both digits)
{
    str4[0] = str3[0] + 0x31; // drop the second digit and use the first digit's ASCII code plus 0x31 as the first character of str4,
    str4[n] = str3[n+1];      // copy the rest.
}
III. Summary:
Since this is my first time tracing an algorithm, and my knowledge is lacking in some areas, I could not give the complete algorithm, but the flow is basically as described; if anything is wrong, I hope the experts will kindly point it out.
I never dared to trace algorithms before. Part of it is my weak fundamentals, but mostly it was my own fear: whenever I got to the algorithm part I would think, I'm a newbie, I can't do this, I'll do it once I'm good. That put up a mental barrier for myself, which really gets in the way of learning about encryption and cracking.
I spent a long time on this one; although I did not finish it, I learned a lot of related knowledge, and more importantly the spirit of trying once more before giving up. I hope we can all encourage each other!
Keep it up!
[ This post was last edited by nietsme on 2008-9-20 23:21 ]
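The following is an added Python model of the transformation steps the post documents (steps 1, 3, 4 and 5 of the description and the listings in Code 2 and Code 3); it is not code from the original post or from the analysed program. The 64-bit value produced by the call at 004060F0 is not known from the post, so it is taken as a caller-supplied function, and the FNV-style stand-in used in the demo is a constructed placeholder, not the program's routine. Step 4 follows the listing at 00406520 literally: the threshold check `cmp eax, 0B` is applied to the computed value, so a leading 'a' or 'b' is handled the same way as a leading digit. The function names are this example's own. What the model makes visible is that `_ui64tow` with radix 0x21 only emits 0-9 and a-w, so the final i/l/o to x/y/z substitution stays one-to-one while removing the characters most easily confused with 1 and 0.

```python
# Added example (not part of the original post): a model of the documented
# serial transformation steps. The routine at 004060F0 is unknown; hash64 is a
# caller-supplied stand-in for it.
from typing import Callable

# MSVCRT _ui64tow renders digit values above 9 as lowercase letters;
# radix 33 (0x21, the value pushed at 0040649A) therefore uses 0-9 and a-w.
UI64TOW_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
C_WHITESPACE = " \t\n\v\f\r"  # what MSVCRT isspace() accepts in the "C" locale


def normalize_email(email: str) -> str:
    """Step 1: drop '-' and whitespace (the loop at 00406449), then _strlwr."""
    kept = [c for c in email if c != "-" and c not in C_WHITESPACE]
    return "".join(kept).lower()


def ui64tow(value: int, radix: int = 33) -> str:
    """Step 3: emulate MSVCRT _ui64tow for an unsigned 64-bit value."""
    value &= (1 << 64) - 1
    if value == 0:
        return "0"
    digits = []
    while value:
        value, d = divmod(value, radix)
        digits.append(UI64TOW_DIGITS[d])
    return "".join(reversed(digits))


def fix_leading_chars(s: str) -> str:
    """Step 4: the routine at 00406520. The first character becomes a value v
    (digit -> 0..9, otherwise towlower(c) - 0x57, so 'a' -> 10, 'b' -> 11).
    With v > 0x0B the string is returned unchanged; otherwise the first
    character is dropped and, if the next one is a digit, it is overwritten
    with chr(v + 0x61)."""
    if not s:
        return s
    first = s[0]
    if "0" <= first <= "9":
        v = ord(first) - 0x30
    else:
        v = ord(first.lower()) - 0x57
    if v > 0x0B:  # cmp eax, 0B / jg: a leading 'c'..'w' passes through
        return s
    rest = s[1:]  # lea ecx, [esi+2]: result starts at the second character
    if rest and "0" <= rest[0] <= "9":
        rest = chr(v + 0x61) + rest[1:]  # add eax, 61 / mov [ecx], ax
    return rest


def substitute_ambiguous(s: str) -> str:
    """Step 5: the loop at 004064C2 maps i/l/o to x/y/z."""
    return s.translate(str.maketrans("ilo", "xyz"))


def serial_from_email(email: str, hash64: Callable[[bytes], int]) -> str:
    """Whole pipeline: str -> str1 -> str2 -> str3 -> str4 -> ser."""
    str1 = normalize_email(email)
    str2 = hash64(str1.encode("ascii", errors="replace"))  # 004060F0: unknown
    str3 = ui64tow(str2, 33)
    str4 = fix_leading_chars(str3)
    return substitute_ambiguous(str4)


def serial_alphabet() -> str:
    """Characters a serial can contain after step 5: 33 symbols, no i, l or o."""
    return "".join(sorted(set(substitute_ambiguous(UI64TOW_DIGITS[:33]))))


def placeholder_hash64(data: bytes) -> int:
    """CONSTRUCTED stand-in for the unknown routine at 004060F0 (FNV-1a style);
    it exists only so the pipeline can be exercised end to end."""
    h = 0xCBF29CE484222325
    for b in data:
        h = ((h ^ b) * 0x100000001B3) & 0xFFFFFFFFFFFFFFFF
    return h


if __name__ == "__main__":
    # Constructed sample inputs: step 1 makes these two addresses equivalent.
    a = "user@example.com"
    b = "u-s er@exa--mple .com"
    assert normalize_email(a) == normalize_email(b)
    print(serial_from_email(a, placeholder_hash64))
    print("serial alphabet:", serial_alphabet())
```

Because the program compares the computed serial with the entered one via lstrcmpiW, the alphabet check in `serial_alphabet()` is also a quick way to confirm a reading of step 5: any serial containing an i, l or o cannot have come out of this pipeline.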