菜鸟学算法,还有好多不会!
手动脱壳:
用peid查壳是:PEDiminisher 0.1 -> Teraphy,f8单步到
00401368 55 push ebp 脱壳!
用peid查是:Microsoft Visual C++ 6.0,可以运行!
******输入--reg name:MINGBIN --REG KEY:789789789 --点击REGISTER出错提示:registration fail!******
od载入:
Ultra 字符串参考,项目 2
地址=00401095
反汇编=push Crackme1.00405050
文本字符串=Registration fail.
爆破点:
00401072 /75 1B jne short Crackme1.0040108F 改为jz 就可以随便注册了!
追码过程:
00401062 /75 42 jnz short unCrackm.004010A6 ; flags come from an instruction before this excerpt (not shown)
00401064 |E8 C7010000 call unCrackm.00401230 ; the check routine - step into it (annotated listing below)
00401069 |85C0 test eax,eax ; eax = result of 00401230 (that routine returns 1 when the name is shorter than 3 characters)
0040106B |6A 00 push 0
0040106D |68 80504000 push unCrackm.00405080 ; ASCII "ncrackme"
00401072 |75 1B jnz short unCrackm.0040108F ; nonzero result -> 0040108F, presumably the failure path (the "Registration fail." string is referenced at 00401095); this is the branch the writeup patches to jz
*********************************call unCrackm.00401230***************************************
; Check routine at 00401230 (OllyDbg trace; the author's inputs from the post: name "MINGBIN", key "789789789").
; Stack layout: sub esp,30 reserves 0x30 bytes of locals; after push ebx / push esi the first
; GetDlgItemTextA buffer is [esp+8] and the second is [esp+28]; after the later push edi the same
; bytes are addressed as [esp+C] and [esp+2C].
; The listing stops at 00401324: the je target 00401326 and whatever finally tests ebx are not shown.
00401230 8B0D BC564000 mov ecx,dword ptr ds:[4056BC] ; dword passed below as hDlg (first GetDlgItemTextA argument)
00401236 83EC 30 sub esp,30 ; 0x30 bytes of locals
00401239 8D4424 00 lea eax,dword ptr ss:[esp] ; buffer for the first edit control
0040123D 53 push ebx
0040123E 56 push esi
0040123F 8B35 94404000 mov esi,dword ptr ds:[<&USER32.GetDlg>; USER32.GetDlgItemTextA - kept in esi for both calls
00401245 6A 10 push 10 ; nMaxCount = 0x10
00401247 50 push eax ; lpString = buffer
00401248 68 E8030000 push 3E8 ; nIDDlgItem = 0x3E8 (1000)
0040124D 51 push ecx ; hDlg
0040124E 33DB xor ebx,ebx ; ebx = 0; accumulated later at 00401318
00401250 FFD6 call esi ; GetDlgItemTextA: read the name field, eax = number of characters copied
00401252 83F8 03 cmp eax,3 ; author's trace: eax=7 compared with 3 - the name must be at least 3 characters
00401255 73 0B jnb short unCrackm.00401262 ; jump if length >= 3 (unsigned)
00401257 5E pop esi
00401258 B8 01000000 mov eax,1 ; early return with eax=1 (the caller's jnz at 00401072 branches on nonzero)
0040125D 5B pop ebx
0040125E 83C4 30 add esp,30
00401261 C3 retn
00401262 A1 BC564000 mov eax,dword ptr ds:[4056BC] ; same dword as at 00401230 (the author's note "eax=7" looks like the length copied by mistake)
00401267 8D5424 28 lea edx,dword ptr ss:[esp+28] ; buffer for the second edit control
0040126B 6A 10 push 10 ; nMaxCount = 0x10
0040126D 52 push edx ; lpString
0040126E 68 E9030000 push 3E9 ; nIDDlgItem = 0x3E9 (1001), a different control from the name field
00401273 50 push eax ; hDlg
00401274 FFD6 call esi ; GetDlgItemTextA again (the author labels this the name call too; 0x3E9 is presumably the key field - confirm)
00401276 0FBE4424 08 movsx eax,byte ptr ss:[esp+8] ; first character of the name; author's trace: eax=4D ('M')
0040127B 0FBE4C24 09 movsx ecx,byte ptr ss:[esp+9] ; second character; ecx=49 ('I')
00401280 99 cdq ; sign-extend eax into edx:eax
00401281 F7F9 idiv ecx ; signed divide by ecx=49: quotient in eax, remainder in edx
00401283 8BCA mov ecx,edx ; ecx = remainder (4 in the trace)
00401285 83C8 FF or eax,FFFFFFFF ; eax = 0xFFFFFFFF
00401288 0FBE5424 0A movsx edx,byte ptr ss:[esp+A] ; third character; edx=4E ('N')
0040128D 0FAFCA imul ecx,edx ; ecx = 0x4E*4 = 0x138
00401290 41 inc ecx ; ecx = 0x139
00401291 33D2 xor edx,edx ; edx = 0 for the unsigned divide
00401293 F7F1 div ecx ; eax = 0xFFFFFFFF / 0x139
00401295 50 push eax ; eax = 00D16154 in the trace, pushed as the sole argument
00401296 E8 A5000000 call unCrackm.00401340 ; takes that value (cdecl: the caller pops it below); presumably seeds the generator read by 0040134A - body not shown
0040129B 83C4 04 add esp,4 ; pop the argument
0040129E 33F6 xor esi,esi ; esi = output index, 0..14
004012A0 E8 A5000000 call unCrackm.0040134A ; returns a value in eax (body not shown); author: the loop below is probably where the 15-character registration code is produced
004012A5 99 cdq
004012A6 B9 1A000000 mov ecx,1A ; ecx = 0x1A (26)
004012AB F7F9 idiv ecx ; edx = eax mod 26 (signed)
004012AD 80C2 41 add dl,41 ; dl = remainder + 0x41 -> an ASCII letter; author's trace: 0xE + 0x41 = 0x4F = 'O'; the values below are obtained the same way
004012B0 885434 18 mov byte ptr ss:[esp+esi+18],dl ; store into the 15-byte buffer at [esp+18]; author's values: O,A,L,B,K,H,D, V,T,D,U,I,C,I,J
004012B4 46 inc esi ; esi += 1
004012B5 83FE 0F cmp esi,0F ; 15 characters yet?
004012B8 ^ 72 E6 jb short unCrackm.004012A0 ; loop while esi < 15, then fall through
004012BA 57 push edi ; save edi (0012FB70 in the trace); stack offsets below are +4 relative to the ones above
004012BB 8D7C24 0C lea edi,dword ptr ss:[esp+C] ; edi = name buffer (was [esp+8] before the push)
004012BF 83C9 FF or ecx,FFFFFFFF ; ecx = -1
004012C2 33C0 xor eax,eax ; al = 0, the byte scasb searches for
004012C4 33F6 xor esi,esi ; esi = character index
004012C6 F2:AE repne scas byte ptr es:[edi] ; scan until the NUL terminator
004012C8 F7D1 not ecx
004012CA 49 dec ecx ; ecx = strlen(name)
004012CB 74 59 je short unCrackm.00401326 ; empty name -> 00401326 (outside this listing)
004012CD 8A4434 0C mov al,byte ptr ss:[esp+esi+C] ; al = name[esi]; author: the check of the first seven code characters starts here
004012D1 C0F8 05 sar al,5 ; arithmetic shift right by 5
004012D4 0FBEC0 movsx eax,al
004012D7 8D1480 lea edx,dword ptr ds:[eax+eax*4] ; edx = 5*eax
004012DA 8D04D0 lea eax,dword ptr ds:[eax+edx*8] ; eax = eax + 40*eax = 41*eax
004012DD 8D0440 lea eax,dword ptr ds:[eax+eax*2] ; eax = 123*eax
004012E0 85C0 test eax,eax
004012E2 7E 0A jle short unCrackm.004012EE ; skip the inner loop when eax <= 0
004012E4 8BF8 mov edi,eax ; inner loop counter
004012E6 E8 5F000000 call unCrackm.0040134A ; called eax times, results unused here (presumably just advances the generator)
004012EB 4F dec edi
004012EC ^ 75 F8 jnz short unCrackm.004012E6
004012EE E8 57000000 call unCrackm.0040134A
004012F3 99 cdq
004012F4 B9 1A000000 mov ecx,1A ; ecx = 0x1A (26) - the author's note "ecx=7" does not match the immediate
004012F9 8D7C24 0C lea edi,dword ptr ss:[esp+C] ; edi = name buffer, for the scasb at 0040131D
004012FD F7F9 idiv ecx ; edx = value mod 26
004012FF 0FBE4C34 2C movsx ecx,byte ptr ss:[esp+esi+2C] ; ecx = byte esi of the second buffer (the 0x3E9 field; was [esp+28] before the push edi)
00401304 80C2 41 add dl,41 ; dl = remainder + 0x41; author's trace: 0x4 + 0x41 = 0x45 = 'E'; the following are derived the same way
00401307 0FBEC2 movsx eax,dl ; author's values: E,P,N,I,C,S,U
0040130A 2BC1 sub eax,ecx ; eax = generated letter - second-buffer byte
0040130C 885434 1C mov byte ptr ss:[esp+esi+1C],dl ; overwrite byte esi of the 15-byte buffer (same bytes as [esp+18] above; previously O,A,L,B,K,H,D per the author)
(前面算出来的前七位与用户的位数有关,我的是七位)
00401310 99 cdq ; 00401310-00401316: eax = |eax| (cdq / xor / sub idiom)
00401311 33C2 xor eax,edx
00401313 83C9 FF or ecx,FFFFFFFF ; ecx = -1 for the scasb below
00401316 2BC2 sub eax,edx
00401318 03D8 add ebx,eax ; ebx += |difference|, summed over the characters (ebx was zeroed at 0040124E)
0040131A 33C0 xor eax,eax ; al = 0 for scasb
0040131C 46 inc esi
0040131D F2:AE repne scas byte ptr es:[edi] ; recompute strlen(name)
0040131F F7D1 not ecx
00401321 49 dec ecx
00401322 3BF1 cmp esi,ecx ; loop while esi < strlen(name); how ebx is finally tested lies past the end of the listing
00401324 ^ 72 A7 jb short unCrackm.004012CD |