发表于 2006-8-1 13:10:06
来个完整些的算法分析
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo 的壳，用 OD 脱壳（ESP 定律）；第一个脱出的不能运行，第二个可以
00457BB1 51 push ecx 下断 ; author's OllyDbg breakpoint; the routine's prologue starts before this line and is not shown
********
用户名(Name):MINGBIN 试验码(Serial):789789789
;-----------------------------------------------------------------------
; CFF CrackMe #4 - serial-check routine (Delphi, 32-bit; OllyDbg listing)
; Excerpt only: the routine's prologue starts before 00457BBA and its
; epilogue (after the last message-box call) is not shown.
; Register roles: ebx = object holding the two edit controls (copied from
;                 eax on entry, offsets 2D8 = Name, 2DC = Serial),
;                 esi = running sum over the name characters.
; Globals:        [45B840] = running sum / final serial value,
;                 [45B844] = the name string as returned by 00403C38.
; Helpers (roles inferred from how they are called; bodies not shown):
;   00423EE0            -> fetch a control's text into the local string
;                          whose address is in edx
;   00402B84 / 00402B8C -> runtime error stubs (range check / overflow)
;   00440130            -> message box (title in ecx, text in edx)
;   00407744            -> integer to decimal string
;   00403B84            -> string compare (eax vs edx)
; Algorithm: serial = str( sum(2*ord(name[i]) for i in 0..5) + 2*len(name) )
; The serial is a pure function of the visible name with no secret input,
; which is why a checksum-style check like this gives no protection once
; the comparison has been located.
;-----------------------------------------------------------------------
00457BBA 8BD8 mov ebx,eax ; ebx = object passed in eax (Delphi register convention - presumably Self)
00457BBC 33C0 xor eax,eax ; eax = 0, reused as the fs:[0] selector below
00457BBE 55 push ebp
00457BBF 68 8A7E4500 push 22.00457E8A ; handler address for the exception frame
00457BC4 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0]
00457BC7 64:8920 mov dword ptr fs:[eax],esp ; install the frame (compiler try/finally pattern)
00457BCA 8D55 FC lea edx,dword ptr ss:[ebp-4] ; edx = &local string [ebp-4]
00457BCD 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8] ; eax = Name edit control
00457BD3 E8 08C3FCFF call 22.00423EE0 ; [ebp-4] = text of the Name control
00457BD8 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; nil string pointer == empty name
00457BDC 75 18 jnz short 22.00457BF6 ; name given -> go on to the Serial check
00457BDE 6A 00 push 0 ; else: "You must enter your Name !" box
00457BE0 B9 987E4500 mov ecx,22.00457E98 ; ASCII "Enter your Name !"
00457BE5 BA AC7E4500 mov edx,22.00457EAC ; ASCII "You must enter your Name !"
00457BEA A1 98A54500 mov eax,dword ptr ds:[45A598] ; global object used as the message-box owner
00457BEF 8B00 mov eax,dword ptr ds:[eax]
00457BF1 E8 3A85FEFF call 22.00440130 ; note: no early exit here, execution falls through into the Serial check
00457BF6 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457BF9 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC] ; eax = Serial edit control
00457BFF E8 DCC2FCFF call 22.00423EE0 ; [ebp-4] = text of the Serial control
00457C04 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; serial entered?
00457C08 75 18 jnz short 22.00457C22 ; yes -> continue
00457C0A 6A 00 push 0 ; else: "You must enter a Serial !" box
00457C0C B9 C87E4500 mov ecx,22.00457EC8 ; ASCII "Enter a Serial !"
00457C11 BA DC7E4500 mov edx,22.00457EDC ; ASCII "You must enter a Serial !"
00457C16 A1 98A54500 mov eax,dword ptr ds:[45A598]
00457C1B 8B00 mov eax,dword ptr ds:[eax]
00457C1D E8 0E85FEFF call 22.00440130 ; again no early exit; falls through
00457C22 33C0 xor eax,eax ; eax = 0
00457C24 A3 40B84500 mov dword ptr ds:[45B840],eax ; running sum [45B840] = 0
00457C29 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457C2C 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457C32 E8 A9C2FCFF call 22.00423EE0 ; [ebp-4] = Name text again
00457C37 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = pointer to the Name string (not its length)
00457C3A E8 F9BFFAFF call 22.00403C38 ; presumably copies/returns the string; kept in [45B844]
00457C3F A3 44B84500 mov dword ptr ds:[45B844],eax
00457C44 A1 44B84500 mov eax,dword ptr ds:[45B844]
00457C49 E8 82FDFAFF call 22.004079D0 ; eax = length of the name (7 for "MINGBIN")
00457C4E 83F8 06 cmp eax,6 ; minimum-length check
00457C51 73 1D jnb short 22.00457C70 ; len >= 6 (unsigned) -> compute the sum
00457C53 6A 00 push 0 ; else: "Name too short !" box
00457C55 B9 F87E4500 mov ecx,22.00457EF8 ; ASCII "Name too short !"
00457C5A BA 0C7F4500 mov edx,22.00457F0C ; ASCII "Your Name must be at least 6 Chars long
!"
00457C5F A1 98A54500 mov eax,dword ptr ds:[45A598]
00457C64 8B00 mov eax,dword ptr ds:[eax]
00457C66 E8 C584FEFF call 22.00440130
00457C6B E9 59010000 jmp 22.00457DC9 ; skip the character sum; [45B840] is still 0, so the
                                     ; 2*len part below is still computed and compared
00457C70 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457C73 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457C79 E8 62C2FCFF call 22.00423EE0 ; [ebp-4] = Name text
00457C7E 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = pointer to the Name string
00457C81 BA 01000000 mov edx,1 ; --- character #1 ---
00457C86 4A dec edx ; edx = 0 (zero-based index)
00457C87 3B50 FC cmp edx,dword ptr ds:[eax-4] ; index < length?  (length appears to live at [str-4])
00457C8A 72 05 jb short 22.00457C91 ; in range -> skip the error stub
00457C8C E8 F3AEFAFF call 22.00402B84 ; range-check error stub
00457C91 42 inc edx ; edx = 1 (one-based index)
00457C92 0FB64410 FF movzx eax,byte ptr ds:[eax+edx->; eax = name[0] = 'M' = 4D  (bytes 0FB64410 FF decode as [eax+edx-1]; "->" is a rendering artifact)
00457C97 6BF0 02 imul esi,eax,2 ; esi = 2*4D = 9A  (start of the running sum)
00457C9A 71 05 jno short 22.00457CA1 ; no signed overflow -> continue
00457C9C E8 EBAEFAFF call 22.00402B8C ; overflow error stub
00457CA1 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; fresh local string for each character
00457CA4 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457CAA E8 31C2FCFF call 22.00423EE0 ; [ebp-8] = Name text
00457CAF 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; eax = pointer to the Name string
00457CB2 BA 02000000 mov edx,2 ; --- character #2 ---
00457CB7 4A dec edx ; edx = 1
00457CB8 3B50 FC cmp edx,dword ptr ds:[eax-4] ; index < length?
00457CBB 72 05 jb short 22.00457CC2 ; in range -> continue
00457CBD E8 C2AEFAFF call 22.00402B84 ; range-check error stub
00457CC2 42 inc edx ; edx = 2
00457CC3 0FB64410 FF movzx eax,byte ptr ds:[eax+edx->; eax = name[1] = 'I' = 49  (same [eax+edx-1] addressing)
00457CC8 6BC0 02 imul eax,eax,2 ; eax = 2*49 = 92
00457CCB 71 05 jno short 22.00457CD2 ; no overflow -> continue
00457CCD E8 BAAEFAFF call 22.00402B8C ; overflow error stub
00457CD2 03F0 add esi,eax ; esi = 9A + 92 = 12C
00457CD4 71 05 jno short 22.00457CDB ; no overflow -> continue
00457CD6 E8 B1AEFAFF call 22.00402B8C ; overflow error stub
00457CDB 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; edx = &local string [ebp-C]
00457CDE 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8] ; eax = Name edit control
00457CE4 E8 F7C1FCFF call 22.00423EE0 ; [ebp-C] = Name text
00457CE9 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; eax = pointer to the Name string
00457CEC BA 03000000 mov edx,3 ; --- character #3 ---
00457CF1 4A dec edx ; edx = 2
00457CF2 3B50 FC cmp edx,dword ptr ds:[eax-4] ; index < length?
00457CF5 72 05 jb short 22.00457CFC ; in range -> continue
00457CF7 E8 88AEFAFF call 22.00402B84 ; range-check error stub
00457CFC 42 inc edx ; edx = 3
00457CFD 0FB64410 FF movzx eax,byte ptr ds:[eax+edx->; eax = name[2] = 'N' = 4E  ([eax+edx-1])
00457D02 6BC0 02 imul eax,eax,2 ; eax = 2*4E = 9C
00457D05 71 05 jno short 22.00457D0C ; no overflow -> continue
00457D07 E8 80AEFAFF call 22.00402B8C ; overflow error stub
00457D0C 03F0 add esi,eax ; esi = 12C + 9C = 1C8
00457D0E 71 05 jno short 22.00457D15 ; no overflow -> continue
00457D10 E8 77AEFAFF call 22.00402B8C ; overflow error stub
00457D15 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00457D18 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D1E E8 BDC1FCFF call 22.00423EE0 ; [ebp-10] = Name text
00457D23 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; eax = pointer to the Name string
00457D26 BA 04000000 mov edx,4 ; --- character #4 ---
00457D2B 4A dec edx ; edx = 3
00457D2C 3B50 FC cmp edx,dword ptr ds:[eax-4] ; index < length?
00457D2F 72 05 jb short 22.00457D36 ; in range -> continue
00457D31 E8 4EAEFAFF call 22.00402B84 ; range-check error stub
00457D36 42 inc edx ; edx = 4
00457D37 0FB64410 FF movzx eax,byte ptr ds:[eax+edx->; eax = name[3] = 'G' = 47  ([eax+edx-1])
00457D3C 6BC0 02 imul eax,eax,2 ; eax = 2*47 = 8E
00457D3F 71 05 jno short 22.00457D46 ; no overflow -> continue
00457D41 E8 46AEFAFF call 22.00402B8C ; overflow error stub
00457D46 03F0 add esi,eax ; esi = 1C8 + 8E = 256
00457D48 71 05 jno short 22.00457D4F ; no overflow -> continue
00457D4A E8 3DAEFAFF call 22.00402B8C ; overflow error stub
00457D4F 8D55 EC lea edx,dword ptr ss:[ebp-14]
00457D52 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D58 E8 83C1FCFF call 22.00423EE0 ; [ebp-14] = Name text
00457D5D 8B45 EC mov eax,dword ptr ss:[ebp-14] ; eax = pointer to the Name string
00457D60 BA 05000000 mov edx,5 ; --- character #5 ---
00457D65 4A dec edx ; edx = 4
00457D66 3B50 FC cmp edx,dword ptr ds:[eax-4] ; index < length?
00457D69 72 05 jb short 22.00457D70 ; in range -> continue
00457D6B E8 14AEFAFF call 22.00402B84 ; range-check error stub
00457D70 42 inc edx ; edx = 5
00457D71 0FB64410 FF movzx eax,byte ptr ds:[eax+edx->; eax = name[4] = 'B' = 42  ([eax+edx-1])
00457D76 6BC0 02 imul eax,eax,2 ; eax = 2*42 = 84
00457D79 71 05 jno short 22.00457D80 ; no overflow -> continue
00457D7B E8 0CAEFAFF call 22.00402B8C ; overflow error stub
00457D80 03F0 add esi,eax ; esi = 256 + 84 = 2DA
00457D82 71 05 jno short 22.00457D89 ; no overflow -> continue
00457D84 E8 03AEFAFF call 22.00402B8C ; overflow error stub
00457D89 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00457D8C 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D92 E8 49C1FCFF call 22.00423EE0 ; [ebp-18] = Name text
00457D97 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; eax = pointer to the Name string
00457D9A BA 06000000 mov edx,6 ; --- character #6 (last one used) ---
00457D9F 4A dec edx ; edx = 5
00457DA0 3B50 FC cmp edx,dword ptr ds:[eax-4] ; index < length?
00457DA3 72 05 jb short 22.00457DAA ; in range -> continue
00457DA5 E8 DAADFAFF call 22.00402B84 ; range-check error stub
00457DAA 42 inc edx ; edx = 6
00457DAB 0FB64410 FF movzx eax,byte ptr ds:[eax+edx->; eax = name[5] = 'I' = 49  ([eax+edx-1])
00457DB0 6BC0 02 imul eax,eax,2 ; eax = 2*49 = 92
00457DB3 71 05 jno short 22.00457DBA ; no overflow -> continue
00457DB5 E8 D2ADFAFF call 22.00402B8C ; overflow error stub
00457DBA 03F0 add esi,eax ; esi = 2DA + 92 = 36C
00457DBC 71 05 jno short 22.00457DC3 ; no overflow -> continue
00457DBE E8 C9ADFAFF call 22.00402B8C ; overflow error stub
00457DC3 8935 40B84500 mov dword ptr ds:[45B840],esi ; [45B840] = 36C (sum of 2*ord over the first six chars)
00457DC9 A1 44B84500 mov eax,dword ptr ds:[45B844] ; also reached from the "too short" path
00457DCE E8 FDFBFAFF call 22.004079D0 ; eax = len(name) = 7
00457DD3 6BC0 02 imul eax,eax,2 ; eax = 2*7 = E
00457DD6 73 05 jnb short 22.00457DDD ; jnc: imul sets CF=OF on signed overflow; none -> continue
00457DD8 E8 AFADFAFF call 22.00402B8C ; overflow error stub
00457DDD 33D2 xor edx,edx ; edx:eax = 0:E as a 64-bit value
00457DDF 52 push edx ; [esp+4] = high dword (0)
00457DE0 50 push eax ; [esp]   = low dword (E)
00457DE1 A1 40B84500 mov eax,dword ptr ds:[45B840] ; eax = 36C (the character sum)
00457DE6 99 cdq ; edx:eax = sign-extended 36C
00457DE7 030424 add eax,dword ptr ss:[esp] ; low half:  36C + E = 37A
00457DEA 135424 04 adc edx,dword ptr ss:[esp+4] ; high half: 0 + 0 + carry (64-bit add)
00457DEE 71 05 jno short 22.00457DF5 ; no overflow -> continue
00457DF0 E8 97ADFAFF call 22.00402B8C ; overflow error stub
00457DF5 83C4 08 add esp,8 ; drop the two pushed dwords
00457DF8 50 push eax ; keep the low result (37A) across the check below
00457DF9 C1F8 1F sar eax,1F ; eax = sign of the low dword (0 or -1)
00457DFC 3BC2 cmp eax,edx ; high dword equal to that sign? i.e. result fits in 32 bits
00457DFE 58 pop eax ; eax = 37A (flags from cmp preserved)
00457DFF 74 05 je short 22.00457E06 ; fits -> continue
00457E01 E8 7EADFAFF call 22.00402B84 ; range-check error stub
00457E06 A3 40B84500 mov dword ptr ds:[45B840],eax ; [45B840] = 37A (final numeric serial)
00457E0B 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; edx = &local string [ebp-1C]
00457E0E A1 40B84500 mov eax,dword ptr ds:[45B840] ; eax = 37A
00457E13 E8 2CF9FAFF call 22.00407744 ; [ebp-1C] = decimal string, here "890"
00457E18 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; eax = computed serial string
00457E1B 50 push eax ; save it across the next call
00457E1C 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457E1F 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC] ; eax = Serial edit control
00457E25 E8 B6C0FCFF call 22.00423EE0 ; [ebp-4] = entered serial text
00457E2A 8B55 FC mov edx,dword ptr ss:[ebp-4] ; edx = entered serial ("789789789" in this trace)
00457E2D 58 pop eax ; eax = computed serial ("890")
00457E2E E8 51BDFAFF call 22.00403B84 ; string compare eax vs edx
00457E33 75 1A jnz short 22.00457E4F ; differ -> "Serial not valid"
00457E35 6A 00 push 0 ; equal: "Congratz !" box
00457E37 B9 387F4500 mov ecx,22.00457F38 ; ASCII "Congratz !"
00457E3C BA 447F4500 mov edx,22.00457F44 ; ASCII "You cracked the CFF CrackMe #4 ! Please
send your solution to [email protected] !"
00457E41 A1 98A54500 mov eax,dword ptr ds:[45A598]
00457E46 8B00 mov eax,dword ptr ds:[eax]
00457E48 E8 E382FEFF call 22.00440130
00457E4D EB 18 jmp short 22.00457E67 ; target lies past the end of this excerpt
00457E4F 6A 00 push 0 ; wrong serial: "Serial not valid" box
00457E51 B9 987F4500 mov ecx,22.00457F98 ; ASCII "Serial not valid"
00457E56 BA AC7F4500 mov edx,22.00457FAC ; ASCII "The Serial you entered is in any case
not valid !"
00457E5B A1 98A54500 mov eax,dword ptr ds:[45A598]
00457E60 8B00 mov eax,dword ptr ds:[eax]
00457E62 E8 C982FEFF call 22.00440130 ; the routine's epilogue follows but is not shown
计算过程:
用户名(Name):MINGBIN 试验码(Serial):789789789
1.用户名不能为空
2.用户名长度必须不小于 6 位
3.按位取用户名各字符的 ASCII 码乘 2（只取前六位）：M:4D*2=9A I:49*2=92 N:4E*2=9C G:47*2=8E B:42*2=84 I:49*2=92
上面的结果进行累加：M+I+N+G+B+I=9A+92+9C+8E+84+92=36C
4.用户名的位数*2=7*2=E
5.再将上面两个结果相加：36C+E=37A
6.将 37A 转为十进制就是 890
注册码也就算出来了：890