CrackMe V2.6

lgjxj · 发表于 2009-12-29 22:19:44

版主不要笑我，再看了看，算法好长，天啊

004B2F14 09 00 00 00 09 00 00 00 05 00 00 00 0A 00 00 00 ...............
004B2F24 09 00 00 00 09 00 00 00 0A 00 00 00 00 00 00 00 ............1...

内存状态如此为注册成功，已经晕倒了一半

[ 本帖最后由 lgjxj 于 2009-12-29 22:23 编辑 ]

小试锋芒 · 发表于 2009-12-29 22:29:44

原帖由 lgjxj 于 2009-12-29 22:19 发表
版主不要笑我，再看了看，算法好长，天啊

004B2F14 09 00 00 00 09 00 00 00 05 00 00 00 0A 00 00 00 ...............
004B2F24 09 00 00 00 09 00 00 00 0A 00 00 00 00 00 00 00 ............1. ...

不管怎样，还是要膜拜下大侠的/:good

luck068 · 发表于 2010-5-6 20:36:14

回帖是种美德








wow gold  wow gold wow gold wow gold wow gold

whypro · 发表于 2010-5-7 22:23:36

【第一步】.先是根据用户名和密码生成3个很长的序列号码
int __fastcall TForm1_Button1Click(int a1)
{
  int v1; // eax@1
  int v2; // ebx@1
  int v3; // ebx@9
  signed int v4; // esi@12
  __int64 v5; // qax@16
  int v6; // eax@22
  int v7; // ecx@27
  int v8; // ecx@27
  int (*v10)(); // ecx@28
  int v11; // ecx@28
  int v12; // [sp-14h] [bp-5Ch]@27
  int (*v13)(); // [sp-10h] [bp-58h]@27
  int v14; // [sp-Ch] [bp-54h]@1
  int (*v15)(); // [sp-8h] [bp-50h]@1
  int *v16; // [sp-4h] [bp-4Ch]@1
  int (*v17)(); // [sp+0h] [bp-48h]@28
  int v18; // [sp+Ch] [bp-3Ch]@27
  int v19; // [sp+10h] [bp-38h]@27
  int v20; // [sp+14h] [bp-34h]@22
  int v21; // [sp+18h] [bp-30h]@22
  int v22; // [sp+1Ch] [bp-2Ch]@20
  int v23; // [sp+20h] [bp-28h]@18
  int v24; // [sp+24h] [bp-24h]@16
  int v25; // [sp+28h] [bp-20h]@15
  int v26; // [sp+2Ch] [bp-1Ch]@15
  int v27; // [sp+30h] [bp-18h]@15
  int v28; // [sp+34h] [bp-14h]@15
  int v29; // [sp+38h] [bp-10h]@17
  int v30; // [sp+3Ch] [bp-Ch]@19
  int v31; // [sp+40h] [bp-8h]@1
  int v32; // [sp+44h] [bp-4h]@1
  int v33; // [sp+48h] [bp+0h]@1

  v2 = a1;
  v16 = &v33;
  v15 = loc_4AB07B;
  v14 = *MK_FP(__FS__, 0);
  *MK_FP(__FS__, 0) = &v14;
  sub_478638(*(_DWORD *)(a1 + 916), &v32);
  sub_478638(*(_DWORD *)(v2 + 920), &v31);
  v1 = v32;
  if ( v32 )
  {
if ( *(_WORD *)(v32 - 10) != 2 )
   v1 = sub_4061E0(&v32, v32);
  }
  if ( v1 )
v1 = *(_DWORD *)(v1 - 4);
  if ( v32 )
  {
if ( v31 )
{
   if ( v1 < 98 )
   {
      do
      {
      sub_406C00(&v32, v32);
      v3 = v32;
      if ( v32 )
      {
         if ( *(_WORD *)(v32 - 10) != 2 )
            v3 = sub_4061E0(&v32, v32);
      }
      v4 = v3;
      if ( v3 )
         v4 = *(_DWORD *)(v3 - 4);
      }
      while ( v4 < 98 );
   }
   sub_406A68(v14);
   sub_40C9D0(v25, 98, &v26);
   System____linkproc___LStrFromWStr(&v32, v26);
   sub_406858(&v28, 0);
   v27 = 1;
   do
   {
      v5 = *(_BYTE *)(v32 + 2 * v27 - 2) - *(_BYTE *)(v31 + 2 * v27 - 2);
      Sysutils__IntToStr((HIDWORD(v5) ^ v5) - HIDWORD(v5), &v24, v27);    //第1个算号
      sub_406C00(&v28, v24);
      ++v27;
   }
   while ( v27 != 99 );
   sub_406858(&v29, 0);
   v27 = 0;
   do
   {
      unknown_libname_58(&v23, *(_WORD *)(v28 + 4 * v27), v28);//第2个算号
      sub_406C00(&v29, v23);
      ++v27;
   }
   while ( v27 != 49 );
   sub_406858(&v30, 0);
   v27 = 1;
   do
   {
      unknown_libname_58(&v22, *(_WORD *)(v28 + 4 * v27 - 2), v28);//第3个算号
      sub_406C00(&v30, v22);
      ++v27;
   }
   while ( v27 != 50 );
   v27 = 1;
   do
   {
      unknown_libname_58(&v21, *(_WORD *)(v30 + 2 * v27 - 2), v27);
      v14 = sub_410EF8(v21);
      unknown_libname_58(&v20, *(_WORD *)(v29 + 2 * v27 - 2), v27);
      v6 = sub_410EF8(v20);
      sub_4AA6A0(v6, v14);//第二步跟进(:funk: 复杂的算号)
      ++v27;
   }
   while ( v27 != 50 );
   if ( dword_4B2F18 == dword_4B2F14 )                //最后的比较
   {
      if ( dword_4B2F18 == dword_4B2F24 )
      {
      if ( dword_4B2F18 == dword_4B2F28 )
      {
         if ( dword_4B2F14 == 9 )
         {
            v14 = (int)&v33;
            v13 = loc_4AB001;
            v12 = *MK_FP(__FS__, 0);
            *MK_FP(__FS__, 0) = &v12;
            v27 /= dword_4B2F30;
            v7 = v14;
            *MK_FP(__FS__, 0) = v12;
            Sysutils__IntToStr(v27, &v19, v7);
            v14 = v19;
            Sysutils__IntToStr(dword_4B2F30, &v18, v8);
            sub_406CC0(&v28, v18, v14);
         }
      }
      }
   }
}
  }
  v10 = v17;
  *MK_FP(__FS__, 0) = v15;
  v17 = loc_4AB082;
  sub_4067FC(&v18, 7, v10);
  System____linkproc___WStrArrayClr(&v25, 2);
  return sub_4067FC(&v28, 5, v11);
}

【第二步】.004AAFA4 .  E8 F7F6FFFF call 复件_Cra.004AA6A0                   ;  算法，真的很长
int __fastcall sub_4AA6A0(int a1, int a2)
{
  signed int v2; // edx@1
  int v3; // ecx@2
  signed int v4; // esi@2
  int v5; // edx@17
  int v6; // edx@35
  int v7; // edx@51
  int v8; // edx@69
  int result; // eax@71
  int v10; // [sp-Ch] [bp-48h]@7
  int (*v11)(); // [sp-8h] [bp-44h]@7
  int *v12; // [sp-4h] [bp-40h]@7
  int v13; // [sp+Ch] [bp-30h]@1
  int v14; // [sp+10h] [bp-2Ch]@57
  int v15; // [sp+14h] [bp-28h]@57
  int v16; // [sp+18h] [bp-24h]@57
  int v17; // [sp+1Ch] [bp-20h]@57
  int v18; // [sp+20h] [bp-1Ch]@25
  int v19; // [sp+24h] [bp-18h]@13
  int v20; // [sp+28h] [bp-14h]@25
  int v21; // [sp+2Ch] [bp-10h]@13
  int v22; // [sp+30h] [bp-Ch]@1
  int v23; // [sp+34h] [bp-8h]@1
  unsigned int v24; // [sp+38h] [bp-4h]@1
  int v25; // [sp+3Ch] [bp+0h]@7

  v24 = a2;                                  // a2=根据很长的字符序列的来
  v23 = 0;
  v22 = 0;
  v2 = 1;
  v13 = (int)dword_4B2EE0;                   //
  do
  {
v4 = 1;
v3 = v13;
do
{
   if ( a1 == *(_DWORD *)v3 )             // a1=根据很长的字符序列的来

   {
      v23 = v4;
      v22 = v2;
      goto LABEL_7;
   }
   ++v4;
   v3 += 4;
}
while ( v4 != 5 );
++v2;
v13 += 16;
  }
  while ( v2 != 6 );
LABEL_7:
  v12 = &v25;
  v11 = loc_4AAD87;
  v10 = *MK_FP(__FS__, 0);
  *MK_FP(__FS__, 0) = &v10;
  switch ( a1 )
  {
case 0:
case 1:
case 2:
case 3:
   if ( v24 < 1 )
   {
      v21 = v23;
      v19 = v22 - 1;
   }
   else
   {
      switch ( v24 )
      {
      case 1u:
         v21 = v23 + 1;
         v19 = v22;
         break;
      case 2u:
         v21 = v23;
         v19 = v22 + 1;
         break;
      case 3u:
         v21 = v23 - 1;
         v19 = v22;
         break;
      default:
         ++dword_4B2F30;
         break;
      }
   }
   v5 = 2 * v19;
   if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v19 - 5] + v21) == 10 )
   {
      *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23) = 10;
      *(_DWORD *)((char *)&dword_4B2EE0[2 * v5 - 5] + v21) = a1;
   }
   else
   {
      ++dword_4B2F30;
   }
   break;
case 4:
case 5:
case 6:
case 7:
   if ( v24 < 1 )
   {
      v21 = v23;
      v20 = v23;
      v19 = v22 - 1;
      v18 = v22;
      if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * (v22 - 1) - 5] + v23) != 10 )
      ++dword_4B2F30;
   }
   else
   {
      switch ( v24 )
      {
      case 1u:
         v21 = v23 + 1;
         v20 = v23 + 1;
         v19 = v22;
         v18 = v22 + 1;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 4] + v23 - 3) != 10 )
         {
            if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) != 10 )
            ++dword_4B2F30;
         }
         break;
      case 2u:
         v21 = v23;
         v20 = v23;
         v19 = v22 + 2;
         v18 = v22 + 1;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * (v22 + 2) - 5] + v23) != 10 )
            ++dword_4B2F30;
         break;
      case 3u:
         v21 = v23 - 1;
         v20 = v23 - 1;
         v19 = v22;
         v18 = v22 + 1;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23 - 1) != 10 )
         {
            if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) != 10 )
            ++dword_4B2F30;
         }
         break;
      default:
         ++dword_4B2F30;
         break;
      }
   }
   v6 = 2 * v22;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[2 * v6 - 1] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v19 - 5] + v21) = a1;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) = a1;
   break;
case 8:
   if ( v24 < 1 )
   {
      v21 = v23;
      v20 = v23 + 1;
      v19 = v22 - 1;
      v18 = v22 - 1;
      if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * (v22 - 1) - 5] + v23) != 10 )
      {
      if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) != 10 )
         ++dword_4B2F30;
      }
   }
   else
   {
      switch ( v24 )
      {
      case 1u:
         v21 = v23 + 2;
         v20 = v23 + 1;
         v19 = v22;
         v18 = v22;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 4] + v23 - 2) != 10 )
            ++dword_4B2F30;
         break;
      case 2u:
         v21 = v23;
         v20 = v23 + 1;
         v19 = v22 + 1;
         v18 = v22 + 1;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * (v22 + 1) - 5] + v23) != 10 )
         {
            if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) != 10 )
            ++dword_4B2F30;
         }
         break;
      case 3u:
         v21 = v23 - 1;
         v20 = v23;
         v19 = v22;
         v18 = v22;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23 - 1) != 10 )
            ++dword_4B2F30;
         break;
      default:
         ++dword_4B2F30;
         break;
      }
   }
   v7 = 2 * v22;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[2 * v7 - 4] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v19 - 5] + v21) = a1;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) = a1;
   break;
case 9:
   if ( v24 < 1 )
   {
      v21 = v23;
      v20 = v23 + 1;
      v17 = v23;
      v15 = v23 + 1;
      v19 = v22 - 1;
      v18 = v22 - 1;
      v16 = v22;
      v14 = v22;
      if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * (v22 - 1) - 5] + v23) != 10 )
      {
      if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) != 10 )
         ++dword_4B2F30;
      }
   }
   else
   {
      switch ( v24 )
      {
      case 1u:
         v21 = v23 + 1;
         v20 = v23 + 2;
         v17 = v23 + 1;
         v15 = v23 + 2;
         v19 = v22;
         v18 = v22;
         v16 = v22 + 1;
         v14 = v22 + 1;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 4] + v23 - 2) != 10 )
         {
            if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v14 - 5] + v15) != 10 )
            ++dword_4B2F30;
         }
         break;
      case 2u:
         v21 = v23;
         v20 = v23 + 1;
         v17 = v23;
         v15 = v23 + 1;
         v19 = v22 + 1;
         v18 = v22 + 1;
         v16 = v22 + 2;
         v14 = v22 + 2;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * (v22 + 2) - 5] + v23) != 10 )
         {
            if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v14 - 5] + v15) != 10 )
            ++dword_4B2F30;
         }
         break;
      case 3u:
         v21 = v23 - 1;
         v20 = v23;
         v17 = v23 - 1;
         v15 = v23;
         v19 = v22;
         v18 = v22;
         v16 = v22 + 1;
         v14 = v22 + 1;
         if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23 - 1) != 10 )
         {
            if ( *(_DWORD *)((char *)&dword_4B2EE0[4 * v16 - 5] + v17) != 10 )
            ++dword_4B2F30;
         }
         break;
      default:
         ++dword_4B2F30;
         break;
      }
   }
   v8 = 2 * v22;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v22 - 5] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[2 * v8 - 4] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[2 * v8 - 1] + v23) = 10;
   *(&dword_4B2EE0[2 * v8] + v23) = 10;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v19 - 5] + v21) = a1;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v18 - 5] + v20) = a1;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v16 - 5] + v17) = a1;
   *(_DWORD *)((char *)&dword_4B2EE0[4 * v14 - 5] + v15) = a1;
   break;
case 10:
   ++dword_4B2F30;
   break;
default:
   break;
  }
  result = 0;
  *MK_FP(__FS__, 0) = v10;
  return result;          //

004AAFB2 .  A1 182F4B00 mov eax,dword ptr ds:[0x4B2F18]
004AAFB7 .  8B15 142F4B00 mov edx,dword ptr ds:[0x4B2F14]
004AAFBD .  3BC2       cmp eax,edx
004AAFBF .  0F85 81000000 jnz CrackMe_.004AB046  //弹出成功

爆破之

我猜是华容道参考网站：http://www.cnblogs.com/zhenyulu/category/14888.html
源码：

[ 本帖最后由 whypro 于 2010-5-8 15:14 编辑 ]

lgjxj · 发表于 2010-5-8 18:52:09

兄弟耐心和技术都很强 /:good

whypro · 发表于 2010-5-8 20:09:53

lgjxj刺穿了人类知识的基础，并像前无古人似的那样质疑它们。没有什么人在其思想的正确性、深度、及彻底性方面能比的上他……。

小试锋芒 · 发表于 2010-5-8 22:41:29

原帖由 whypro 于 2010-5-7 22:23 发表
【第一步】.先是根据用户名和密码生成3个很长的序列号码
int __fastcall TForm1_Button1Click(int a1)
{
  int v1; // eax@1
  int v2; // ebx@1
  int v3; // ebx@9
  signed int v4; // esi@12
  __int64 v ...

猜对了，就是华容道，/:good 见贴：
https://www.chinapyg.com/viewthr ... =%BB%AA%C8%DD%B5%C0

		自动登录	找回密码
密码			加入我们

[原创] CrackMe V2.6

本帖子中包含更多资源