强烈要求冷风兄放源码!/:010
呵呵,算法感觉真的很拗人,能力有限描述不清请不要见怪
注册码为16位相信大家都跟出来了,这个程序有点意思,在下面的断点下断相信大家算法看得会比我更清楚.
............
; Start of the serial check. 403C20 is a cdecl-style 3-arg helper (add esp,0C follows each
; call); the later call at 401610 passes (buf, 0, 0x400), so it looks memset-like -- confirm.
004014D0 call crackme.00403C20
004014D5 mov eax,crackme.0040B738 ; eax = address of the user-name buffer ("x80x88" in the author's run)
004014DA add esp,0C ; pop the three arguments of the call above
004014DD lea edx,dword ptr ds:[eax+1] ; edx = name + 1; used after the loop to get the length as (end - start)
--------------------------------------
; strlen loop: eax walks the name byte by byte until the NUL terminator.
004014E0 mov cl,byte ptr ds:[eax] ; cl = *eax
004014E2 inc eax
004014E3 test cl,cl
004014E5 jnz short crackme.004014E0 ; loop until NUL; on exit eax = name + len + 1
--------------------------------------
004014E7 sub eax,edx ; eax = (name + len + 1) - (name + 1) = len, called n below
004014E9 cmp eax,8
004014EC jge short crackme.00401504 ; names of 8 or more characters skip the padding loop (signed compare)
004014EE mov ecx,crackme.0040B741 ; ecx = name + 9
004014F3 sub ecx,eax ; ecx = &name[9 - n], the first source byte for the padding below
**********************************************
; Pad the name to 8 bytes: name[n], name[n+1], ... name[7] are filled from
; name[9-n], name[8-n], ... i.e. the source index walks backwards while the
; destination index walks forwards. Writes never go past name[7].
004014F5 mov dl,byte ptr ds:[ecx] ; dl = name[9 - n - i]
004014F7 mov byte ptr ds:[eax+40B738],dl ; name[n + i] = dl
004014FD inc eax ; next destination index
004014FE dec ecx ; previous source byte
004014FF cmp eax,8
00401502 jl short crackme.004014F5 ; until the destination index reaches 8
**********************************************
这一小段循环比较有意思，主要是将不足8位的用户名补齐为8位，但补的方式有点特别：不足8位时，从用户名的第(10-n)位开始逆序取字符，补齐到8位，n为用户名的位数。
例如用户名为abc，内存中的格式为 61 62 63 00 00 00 00 00 00 00，
则补齐后的用户名为 61 62 63 00 00 00 00 63。有点绕，自己跟踪体验一下吧。
我的用户名补齐8位为"x80x88x0"
00401504 push ebx ; ebx/esi are used as scratch below; saved here, so the stack
00401505 push esi ; buffer addressed as [esp+8+ecx] in the next loop sits above these two pushes
00401506 xor ecx,ecx ; ecx = output index into the 16-char hex string
00401508 mov esi,crackme.0040B738 ; esi = padded 8-byte name ("x80x88x0" in the author's run)
0040150D lea ecx,dword ptr ds:[ecx] ; no-op: alignment filler before the loop head
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
; Hex-encode the padded 8-byte name: each byte becomes two upper-case hex digits
; (high nibble first), written to the stack buffer at [esp+8+ecx]. After 8 bytes
; ecx = 0x10, giving a 16-char string ("7838307838387830" in the author's run).
00401510 mov dl,byte ptr ds:[esi] ; dl = name[i]
00401512 mov al,dl
00401514 sar al,4 ; al = high nibble. NOTE: arithmetic shift -- for a byte with bit 7 set this
                  ; gives 0xF0|nibble and the "digit" stored below is not a hex character
                  ; (only matters for non-ASCII name bytes; the low nibble is still correct)
00401517 mov bl,al
00401519 cmp al,9
0040151B jbe short crackme.00401522
0040151D add bl,37 ; nibble > 9: 0x37 + 10 = 'A', so 'A'..'F'
00401520 jmp short crackme.00401525
00401522 add bl,30 ; nibble <= 9: '0'..'9'
00401525 shl al,4 ; al = high nibble back in bits 7..4
00401528 mov byte ptr ss:[esp+ecx+8],bl ; out[ecx] = high-nibble digit
0040152C xor al,dl ; al = dl ^ (high << 4) = low nibble
0040152E inc ecx
0040152F cmp al,9
00401531 jbe short crackme.00401537
00401533 add al,37 ; low nibble > 9: 'A'..'F'
00401535 jmp short crackme.00401539
00401537 add al,30 ; low nibble <= 9: '0'..'9'
00401539 mov byte ptr ss:[esp+ecx+8],al ; out[ecx] = low-nibble digit
0040153D inc ecx
0040153E inc esi ; next name byte
0040153F cmp ecx,10
00401542 jl short crackme.00401510 ; loop while ecx < 0x10 (16 output chars = 8 input bytes)
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
00401544 xor ecx,ecx ; ecx = index into the entered serial
00401546 jmp short crackme.00401550 ; straight to the loop head
00401548 lea esp,dword ptr ss:[esp] ; alignment filler, skipped by the jmp above
0040154F nop
★★★★★★★★★★★★★★★★★★★★★★★★★★
; Character-class check of the entered serial at 40B800: every one of the 16 bytes
; examined must be in '0'-'9', 'A'-'Z' or 'a'-'z' (signed compares, so a byte >= 0x80
; also fails); any other byte jumps to the failure path at 401659. Exactly 0x10 bytes
; are checked regardless of the string's length, so a shorter input fails at its
; terminator (0 < '0'), assuming the input is NUL-terminated.
00401550 mov al,byte ptr ds:[ecx+40B800] ; al = serial[ecx]
00401556 cmp al,7A
00401558 jg crackme.00401659 ; > 'z' -> fail
0040155E cmp al,30
00401560 jl crackme.00401659 ; < '0' -> fail
00401566 cmp al,39
00401568 jle short crackme.00401572 ; '0'..'9' -> accepted (passes the 'Z' test below too)
0040156A cmp al,41
0040156C jl crackme.00401659 ; ':'..'@' -> fail
00401572 cmp al,5A
00401574 jle short crackme.0040157E ; 'A'..'Z' -> accepted
00401576 cmp al,61
00401578 jl crackme.00401659 ; '['..'`' -> fail; 'a'..'z' falls through
0040157E inc ecx
0040157F cmp ecx,10
00401582 jl short crackme.00401550 ; next character while ecx < 0x10
★★★★★★★★★★★★★★★★★★★★★★★★★★
; Per-position check, esi = 0..15. For each position the code computes
;   al = (hdd_serial[0] * 3 - 2 * hex[esi]) & 0xFF
; and then requires, depending on the range al lands in (unsigned compares here):
;   al alphanumeric ('0'-'9', 'A'-'Z', 'a'-'z') -> serial[esi] must equal al
;   al in ':'..'@'  (0x3A..0x40)                -> serial[esi] must be '5'
;   al in '['..'`'  (0x5B..0x60)                -> serial[esi] must be 'A'
;   al < '0' or al > 'z'                        -> serial[esi] must be '3'
; Any mismatch goes to the failure path at 401659. Only the first byte of the
; hard-disk serial at 40B8C8 is used; the other 15 hex chars of the name feed the
; remaining positions through the same formula.
00401584 mov cl,byte ptr ds:[40B8C8] ; cl = hdd_serial[0] ("NT28T5A282C2" -> 'N' = 0x4E in the author's run)
0040158A xor esi,esi
0040158C lea esp,dword ptr ss:[esp] ; alignment filler
00401590 mov dl,byte ptr ss:[esp+esi+8] ; dl = hex[esi] from the 16-char string built above ("7838307838387830")
00401594 mov al,cl ; al = hdd_serial[0] (0x4E)
00401596 mov bl,3
00401598 imul bl ; ax = al * 3; only al is used below (0x4E * 3 = 0xEA)
0040159A add dl,dl ; dl = 2 * hex[esi] ('7' = 0x37 -> 0x6E)
0040159C sub al,dl ; al = 0xEA - 0x6E = 0x7C in the author's example
0040159E cmp al,30
004015A0 jb short crackme.004015A6
004015A2 cmp al,39
004015A4 jbe short crackme.004015B6 ; '0'..'9' -> direct compare
004015A6 cmp al,41
004015A8 jb short crackme.004015AE
004015AA cmp al,5A
004015AC jbe short crackme.004015B6 ; 'A'..'Z' -> direct compare
004015AE cmp al,61
004015B0 jb short crackme.004015C4 ; non-alphanumeric and below 'a' -> range checks at 4015C4
004015B2 cmp al,7A
004015B4 ja short crackme.004015CC ; > 'z' -> must be '3'
004015B6 movsx edx,byte ptr ds:[esi+40B800] ; 'a'..'z' falls through here: edx = serial[esi]
004015BD movzx eax,al
004015C0 cmp eax,edx ; serial[esi] == al ?
004015C2 jmp short crackme.004015F9 ; to the shared jnz: mismatch fails
004015C4 cmp al,7A
004015C6 ja short crackme.004015CC ; never taken when reached via 4015B0 (al < 0x61 there)
004015C8 cmp al,30
004015CA jnb short crackme.004015D9 ; >= '0' here means 0x3A..0x40 or 0x5B..0x60
004015CC cmp byte ptr ds:[esi+40B800],33 ; al < '0' or al > 'z': serial[esi] must be '3' (the author's 0x7C lands here)
004015D3 jnz crackme.00401659
004015D9 mov dl,al
004015DB sub dl,3A
004015DE cmp dl,6
004015E1 ja short crackme.004015EC
004015E3 cmp byte ptr ds:[esi+40B800],35 ; al in 0x3A..0x40: serial[esi] must be '5'
004015EA jnz short crackme.00401659
004015EC sub al,5B
004015EE cmp al,5
004015F0 ja short crackme.004015FB
004015F2 cmp byte ptr ds:[esi+40B800],41 ; al in 0x5B..0x60: serial[esi] must be 'A'
004015F9 jnz short crackme.00401659 ; shared exit, also the target of the jmp at 4015C2
004015FB inc esi
004015FC cmp esi,10
004015FF jl short crackme.00401590 ; next position while esi < 0x10
; Success path: clear a 0x400-byte stack buffer, decode the string at 40AC60 into it
; with XOR 0x78, and show it via MessageBoxA. The call at 401610 takes (buf, 0, 0x400)
; and is followed by add esp,0C, i.e. a cdecl 3-arg helper -- presumably memset-like, confirm.
00401601 push 400 ; size 0x400
00401606 lea eax,dword ptr ss:[esp+D4] ; eax = stack buffer (esp+D0 relative to esp before the push)
0040160D push 0
0040160F push eax
00401610 call crackme.00403C20
00401615 mov cl,byte ptr ds:[40AC60] ; cl = first byte of the obfuscated message
0040161B add esp,0C
0040161E test cl,cl
00401620 je short crackme.00401645 ; empty string: nothing to decode
00401622 xor eax,eax ; eax = output index
00401624 jmp short crackme.00401630
00401626 lea esp,dword ptr ss:[esp] ; alignment filler, skipped by the jmp above
0040162D lea ecx,dword ptr ds:[ecx]
00401630 xor cl,78 ; decode: plain = obfuscated ^ 0x78
00401633 mov byte ptr ss:[esp+eax+D0],cl ; buf[eax] = cl (same buffer as esp+D4 above; esp is 4 higher here)
0040163A mov cl,byte ptr ds:[eax+40AC61] ; cl = next obfuscated byte
00401640 inc eax
00401641 test cl,cl
00401643 jnz short crackme.00401630 ; stop at the NUL; the loop never writes the terminator itself,
                                    ; so the buffer relies on the clear done at 401610
00401645 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401647 lea ecx,dword ptr ss:[esp+D4] ; | ecx = decoded buffer
0040164E push ecx ; |Title  (title and text are the same buffer)
0040164F mov edx,ecx ; |
00401651 push edx ; |Text
00401652 push edi ; |hOwner (edi is set outside this excerpt)
00401653 call dword ptr ds:[<&user32.MessageBoxA>>; \MessageBoxA -- the author identifies this as the "registered successfully" dialog
.............
注册码与你的硬盘序列号第1位还有你的用户名有关!