
[分析] 算法详解02==PYG5.4教学第14轮密码学专题 CrackMe 练习题(更新02)


    发表于 2017-6-3 19:41:33 | 显示全部楼层 |阅读模式
    本帖最后由 shaoge 于 2017-6-4 13:29 编辑

    实在不懂脱壳,还好算法位置基本没变:
    那就分析分析,学习学习:

    先写小结:
    1、中间结果对比
    用户名结果:标准MD5(用户名)的32位16进制值。
    注册码结果:注册码依次经过五步变换:一、典型的变形BASE64算法1;二、古典算法,换位密码1;三、变形BASE64算法2(与1相同);四、换位查表(单字节前后4位换位后查表,表长256);五、古典算法,换位密码2。
    2、相关信息
    1)、注册码必须32位长度,包含0-9,A-Z,a-z;也就是base64字符范围;
    2)、循环不少,太耗电了。。。
    3)、大神们多指点,斧正!这次练习,学习和巩固



    ; sub_408A80 (excerpt; the prologue at 00408A80 is not shown).
    ; This part hashes the string at arg_0 with three helper calls that share the
    ; context buffer var_1D8. Per the author's notes arg_0 is the user name and the
    ; helpers implement standard MD5; the helper bodies are not shown here.
    CryptoMe_02.exe:00408A83 sub     esp, 304h
    ; NOTE(review): a global value XORed with ebp and saved in the frame looks like
    ; a compiler stack cookie; the matching check at function exit is not shown.
    CryptoMe_02.exe:00408A89 mov     eax, dword_414570
    CryptoMe_02.exe:00408A8E xor     eax, ebp
    CryptoMe_02.exe:00408A90 mov     [ebp+var_68], eax
    CryptoMe_02.exe:00408A93 mov     [ebp+var_304], ecx              ; save incoming ecx (presumably a this-pointer; confirm)
    CryptoMe_02.exe:00408A99 mov     [ebp+var_2E4], 0
    CryptoMe_02.exe:00408AA3 lea     eax, [ebp+var_1D8]
    CryptoMe_02.exe:00408AA9 push    eax
    CryptoMe_02.exe:00408AAA call    sub_4075F0                      ; author's note: MD5 constant table (presumably initialises the context at var_1D8)
    CryptoMe_02.exe:00408AAF add     esp, 4
    CryptoMe_02.exe:00408AB2 mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408AB5 push    ecx
    CryptoMe_02.exe:00408AB6 call    sub_4094D0                      ; result in eax is passed on as the third argument below (presumably the string length; confirm)
    CryptoMe_02.exe:00408ABB add     esp, 4
    CryptoMe_02.exe:00408ABE push    eax
    CryptoMe_02.exe:00408ABF mov     edx, [ebp+arg_0]
    CryptoMe_02.exe:00408AC2 push    edx
    CryptoMe_02.exe:00408AC3 lea     eax, [ebp+var_1D8]
    CryptoMe_02.exe:00408AC9 push    eax
    CryptoMe_02.exe:00408ACA call    sub_407630                      ; sub_407630(&var_1D8, arg_0, eax) -- presumably the MD5 update step
    CryptoMe_02.exe:00408ACF add     esp, 0Ch
    CryptoMe_02.exe:00408AD2 lea     ecx, [ebp+var_180]
    CryptoMe_02.exe:00408AD8 push    ecx
    CryptoMe_02.exe:00408AD9 lea     edx, [ebp+var_1D8]
    CryptoMe_02.exe:00408ADF push    edx
    CryptoMe_02.exe:00408AE0 call    sub_408560                      ; user-name algorithm: standard MD5 core; called as sub_408560(&var_1D8, &var_180)
    CryptoMe_02.exe:00408AE5 add     esp, 8
    ; var_5C = 104h (260); its address is pushed as the third argument of the
    ; sub_408E40 call that follows (presumably the output buffer capacity; confirm).
    CryptoMe_02.exe:00408AE8 mov     [ebp+var_5C], 104h
    CryptoMe_02.exe:00408AEF lea     eax, [ebp+var_5C]
    CryptoMe_02.exe:00408AF2 push    eax
    CryptoMe_02.exe:00408AF3 lea     ecx, [ebp+var_2E0]

    ‘=变形Base64算法===============================================
    ; First call to sub_408E40: input is arg_4, output buffer is var_2E0.
    ; The third argument (&var_5C, holding 104h) was pushed at 00408AF2, just before this excerpt.
    CryptoMe_02.exe:00408AF3 lea     ecx, [ebp+var_2E0]
    CryptoMe_02.exe:00408AF9 push    ecx
    CryptoMe_02.exe:00408AFA mov     edx, [ebp+arg_4]
    CryptoMe_02.exe:00408AFD push    edx                             ; registration-code step 1: variant Base64 decode, pass 1
    CryptoMe_02.exe:00408AFE call    sub_408E40
    CryptoMe_02.exe:00408B03 add     esp, 12
    CryptoMe_02.exe:00408B06 test    eax, eax
    CryptoMe_02.exe:00408B08 jnz     short loc_408B11                ; non-zero result: continue with the next step
    ; Zero result: set eax = 0 and leave through loc_408E30
    ; (presumably the common exit returning failure; the target is not shown).
    CryptoMe_02.exe:00408B0A xor     eax, eax
    CryptoMe_02.exe:00408B0C jmp     loc_408E30

    ’------------------------------------------------------------------------------------
    ; sub_408E40 decode loop (excerpt; the setup at 00408E40-00408E8D is not shown).
    ; Reads characters through the pointer arg_0, maps each one through the table
    ; byte_414350 and writes up to 3 bytes per 4 input characters through arg_4.
    ;   var_4  = input index, compared against var_10 as the loop bound
    ;   var_C  = number of bytes written
    ;   var_8  = accumulator the output bytes are extracted from
    ; With v0..v3 the table values of the four characters (assuming each is 0..63,
    ; TODO confirm against the contents of byte_414350):
    ;   out0 = v0 | ((v1 & 3) << 6)
    ;   out1 = ((v1 & 60) >> 2) | ((v2 & 15) << 4)
    ;   out2 = ((v2 & 48) >> 4) | (v3 << 2)
    ; NOTE(review): each character is sign-extended (movsx) before it indexes
    ; byte_414350, so a byte >= 80h gives a negative index and reads before the
    ; table unless the input is validated in code that is not shown here.
    ; NOTE(review): no check of the arg_4 write pointer against an output capacity
    ; is visible in this excerpt.
    CryptoMe_02.exe:00408E8E mov     eax, [ebp+var_4]
    CryptoMe_02.exe:00408E91 cmp     eax, [ebp+var_10]
    CryptoMe_02.exe:00408E94 jge     loc_40900E                      ; index reached the bound: leave the loop
    ; Skip CR (0Dh) and LF (0Ah) characters in the input.
    CryptoMe_02.exe:00408E9A mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408E9D movsx   edx, byte ptr [ecx]
    CryptoMe_02.exe:00408EA0 cmp     edx, 0Dh
    CryptoMe_02.exe:00408EA3 jz      loc_408FF7
    CryptoMe_02.exe:00408EA9 mov     eax, [ebp+arg_0]
    CryptoMe_02.exe:00408EAC movsx   ecx, byte ptr [eax]
    CryptoMe_02.exe:00408EAF cmp     ecx, 0Ah
    CryptoMe_02.exe:00408EB2 jz      loc_408FF7
    CryptoMe_02.exe:00408EB8 mov     edx, [ebp+arg_0]                ; core of the variant Base64
    CryptoMe_02.exe:00408EBB movsx   eax, byte ptr [edx]             ; handle the first two characters first
    CryptoMe_02.exe:00408EBE movsx   ecx, byte_414350[eax]      ; byte_414350 is the variant character table; inverting it gives: "zdTWmCuoyL53IvrBt4Zb/Ep92e7KRYj+hiJVfsOUa08QqxgHGPDk61XMSFwAnlcN"
    CryptoMe_02.exe:00408EC5 shl     ecx, 16
    CryptoMe_02.exe:00408EC8 mov     [ebp+var_8], ecx                ; var_8 = v0 << 16
    CryptoMe_02.exe:00408ECB mov     edx, [ebp+arg_0]
    CryptoMe_02.exe:00408ECE add     edx, 1
    CryptoMe_02.exe:00408ED1 mov     [ebp+arg_0], edx
    CryptoMe_02.exe:00408ED4 mov     eax, [ebp+arg_0]
    CryptoMe_02.exe:00408ED7 movsx   ecx, byte ptr [eax]
    CryptoMe_02.exe:00408EDA movsx   edx, byte_414350[ecx]
    CryptoMe_02.exe:00408EE1 mov     [ebp+var_14], edx               ; var_14 = v1
    CryptoMe_02.exe:00408EE4 mov     eax, [ebp+arg_0]
    CryptoMe_02.exe:00408EE7 add     eax, 1
    CryptoMe_02.exe:00408EEA mov     [ebp+arg_0], eax
    CryptoMe_02.exe:00408EED mov     ecx, [ebp+var_14]
    CryptoMe_02.exe:00408EF0 and     ecx, 3                          ; AND with 3
    CryptoMe_02.exe:00408EF3 shl     ecx, 22
    CryptoMe_02.exe:00408EF6 add     ecx, [ebp+var_8]
    CryptoMe_02.exe:00408EF9 mov     [ebp+var_8], ecx                ; var_8 += (v1 & 3) << 22
    CryptoMe_02.exe:00408EFC mov     edx, [ebp+var_14]
    CryptoMe_02.exe:00408EFF and     edx, 60                         ; AND with 60
    CryptoMe_02.exe:00408F02 shl     edx, 6
    CryptoMe_02.exe:00408F05 add     edx, [ebp+var_8]                ; add to the accumulator
    CryptoMe_02.exe:00408F08 mov     [ebp+var_8], edx                ; var_8 += (v1 & 60) << 6
    ; Emit output byte 0 = bits 16..23 of var_8.
    CryptoMe_02.exe:00408F0B mov     eax, [ebp+var_8]
    CryptoMe_02.exe:00408F0E and     eax, 0FF0000h
    CryptoMe_02.exe:00408F13 sar     eax, 16
    CryptoMe_02.exe:00408F16 mov     ecx, [ebp+arg_4]
    CryptoMe_02.exe:00408F19 mov     [ecx], al
    CryptoMe_02.exe:00408F1B mov     edx, [ebp+arg_4]
    CryptoMe_02.exe:00408F1E add     edx, 1
    CryptoMe_02.exe:00408F21 mov     [ebp+arg_4], edx
    CryptoMe_02.exe:00408F24 mov     eax, [ebp+var_C]
    CryptoMe_02.exe:00408F27 add     eax, 1
    CryptoMe_02.exe:00408F2A mov     [ebp+var_C], eax
    ; If the next character equals byte_414348 (presumably the padding character;
    ; confirm), this group ends here.
    CryptoMe_02.exe:00408F2D mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408F30 movsx   edx, byte ptr [ecx]
    CryptoMe_02.exe:00408F33 movsx   eax, byte_414348
    CryptoMe_02.exe:00408F3A cmp     edx, eax
    CryptoMe_02.exe:00408F3C jz      loc_408FEC
    CryptoMe_02.exe:00408F42 mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408F45 movsx   edx, byte ptr [ecx]             ; handle the third character
    CryptoMe_02.exe:00408F48 movsx   eax, byte_414350[edx]
    CryptoMe_02.exe:00408F4F mov     [ebp+var_18], eax               ; var_18 = v2
    CryptoMe_02.exe:00408F52 mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408F55 add     ecx, 1
    CryptoMe_02.exe:00408F58 mov     [ebp+arg_0], ecx
    CryptoMe_02.exe:00408F5B mov     edx, [ebp+var_18]
    CryptoMe_02.exe:00408F5E and     edx, 15                         ; AND with 15
    CryptoMe_02.exe:00408F61 shl     edx, 0Ch
    CryptoMe_02.exe:00408F64 add     edx, [ebp+var_8]
    CryptoMe_02.exe:00408F67 mov     [ebp+var_8], edx                ; var_8 += (v2 & 15) << 12
    CryptoMe_02.exe:00408F6A mov     eax, [ebp+var_18]
    CryptoMe_02.exe:00408F6D and     eax, 48                         ; AND with 48
    CryptoMe_02.exe:00408F70 sar     eax, 4
    CryptoMe_02.exe:00408F73 add     eax, [ebp+var_8]                ; add to the accumulator
    CryptoMe_02.exe:00408F76 mov     [ebp+var_8], eax                ; var_8 += (v2 & 48) >> 4
    ; Emit output byte 1 = bits 8..15 of var_8.
    CryptoMe_02.exe:00408F79 mov     ecx, [ebp+var_8]
    CryptoMe_02.exe:00408F7C and     ecx, 0FF00h
    CryptoMe_02.exe:00408F82 sar     ecx, 8
    CryptoMe_02.exe:00408F85 mov     edx, [ebp+arg_4]
    CryptoMe_02.exe:00408F88 mov     [edx], cl
    CryptoMe_02.exe:00408F8A mov     eax, [ebp+arg_4]
    CryptoMe_02.exe:00408F8D add     eax, 1
    CryptoMe_02.exe:00408F90 mov     [ebp+arg_4], eax
    CryptoMe_02.exe:00408F93 mov     ecx, [ebp+var_C]
    CryptoMe_02.exe:00408F96 add     ecx, 1
    CryptoMe_02.exe:00408F99 mov     [ebp+var_C], ecx
    ; Same end-of-group test against byte_414348 before the fourth character.
    CryptoMe_02.exe:00408F9C mov     edx, [ebp+arg_0]
    CryptoMe_02.exe:00408F9F movsx   eax, byte ptr [edx]
    CryptoMe_02.exe:00408FA2 movsx   ecx, byte_414348
    CryptoMe_02.exe:00408FA9 cmp     eax, ecx
    CryptoMe_02.exe:00408FAB jz      short loc_408FEC
    CryptoMe_02.exe:00408FAD mov     edx, [ebp+arg_0]
    CryptoMe_02.exe:00408FB0 movsx   eax, byte ptr [edx]             ; fourth character
    CryptoMe_02.exe:00408FB3 movsx   ecx, byte_414350[eax]
    CryptoMe_02.exe:00408FBA mov     edx, [ebp+var_8]
    CryptoMe_02.exe:00408FBD lea     eax, [edx+ecx*4]                ; multiply by 4 and add: var_8 += v3 * 4
    CryptoMe_02.exe:00408FC0 mov     [ebp+var_8], eax
    CryptoMe_02.exe:00408FC3 mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408FC6 add     ecx, 1
    CryptoMe_02.exe:00408FC9 mov     [ebp+arg_0], ecx
    CryptoMe_02.exe:00408FCC mov     edx, [ebp+var_8]
    CryptoMe_02.exe:00408FCF and     edx, 255                        ; AND with 255: output byte 2 = low 8 bits of var_8
    CryptoMe_02.exe:00408FD5 mov     eax, [ebp+arg_4]
    CryptoMe_02.exe:00408FD8 mov     [eax], dl
    CryptoMe_02.exe:00408FDA mov     ecx, [ebp+arg_4]
    CryptoMe_02.exe:00408FDD add     ecx, 1
    CryptoMe_02.exe:00408FE0 mov     [ebp+arg_4], ecx
    CryptoMe_02.exe:00408FE3 mov     edx, [ebp+var_C]
    CryptoMe_02.exe:00408FE6 add     edx, 1
    CryptoMe_02.exe:00408FE9 mov     [ebp+var_C], edx
    CryptoMe_02.exe:00408FEC
    CryptoMe_02.exe:00408FEC loc_408FEC:                             ; CODE XREF: sub_408E40+FCj
    CryptoMe_02.exe:00408FEC                                         ; sub_408E40+16Bj
    ; End of a group (full or cut short by byte_414348): advance the index by 4.
    CryptoMe_02.exe:00408FEC mov     eax, [ebp+var_4]
    CryptoMe_02.exe:00408FEF add     eax, 4
    CryptoMe_02.exe:00408FF2 mov     [ebp+var_4], eax
    CryptoMe_02.exe:00408FF5 jmp     short loc_409009
    CryptoMe_02.exe:00408FF7 ; ---------------------------------------------------------------------------
    CryptoMe_02.exe:00408FF7
    CryptoMe_02.exe:00408FF7 loc_408FF7:                             ; CODE XREF: sub_408E40+63j
    CryptoMe_02.exe:00408FF7                                         ; sub_408E40+72j
    ; CR/LF path: step over one input character and advance the index by 1.
    CryptoMe_02.exe:00408FF7 mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:00408FFA add     ecx, 1
    CryptoMe_02.exe:00408FFD mov     [ebp+arg_0], ecx
    CryptoMe_02.exe:00409000 mov     edx, [ebp+var_4]
    CryptoMe_02.exe:00409003 add     edx, 1
    CryptoMe_02.exe:00409006 mov     [ebp+var_4], edx
    CryptoMe_02.exe:00409009
    CryptoMe_02.exe:00409009 loc_409009:                             ; CODE XREF: sub_408E40+1B5j
    CryptoMe_02.exe:00409009 jmp     loc_408E8E                      ; back to the loop condition

    ’======================================================
    ; sub_408A80, transposition step 1 (excerpt; 00408B11-00408B34 is not shown).
    ; The buffer var_2E0 is processed in 4-byte groups. Each group is copied to the
    ; scratch area var_2F0 and written back in the order given by the index table
    ; var_58, var_54, var_50, var_4C = 2, 0, 3, 1:
    ;   group[0..3] = tmp[2], tmp[0], tmp[3], tmp[1]
    ;   var_60  = group counter, compared against var_2E8 (set in code not shown)
    ;   var_2EC = byte offset of the current group
    CryptoMe_02.exe:00408B35 mov     [ebp+var_60], 0                 ; transposition table 1, permuting 4 bytes at a time (var_60 itself is the group counter)
    CryptoMe_02.exe:00408B3C mov     [ebp+var_58], 2
    CryptoMe_02.exe:00408B43 mov     [ebp+var_54], 0
    CryptoMe_02.exe:00408B4A mov     [ebp+var_50], 3
    CryptoMe_02.exe:00408B51 mov     [ebp+var_4C], 1
    CryptoMe_02.exe:00408B58 mov     [ebp+var_2EC], 0
    CryptoMe_02.exe:00408B62 jmp     short loc_408B7C
    CryptoMe_02.exe:00408B64 ; ---------------------------------------------------------------------------
    CryptoMe_02.exe:00408B64
    CryptoMe_02.exe:00408B64 loc_408B64:                             ; CODE XREF: sub_408A80+186j
    ; Loop step: next group (offset += 4, counter += 1).
    CryptoMe_02.exe:00408B64 mov     ecx, [ebp+var_2EC]
    CryptoMe_02.exe:00408B6A add     ecx, 4
    CryptoMe_02.exe:00408B6D mov     [ebp+var_2EC], ecx
    CryptoMe_02.exe:00408B73 mov     edx, [ebp+var_60]
    CryptoMe_02.exe:00408B76 add     edx, 1
    CryptoMe_02.exe:00408B79 mov     [ebp+var_60], edx
    CryptoMe_02.exe:00408B7C
    CryptoMe_02.exe:00408B7C loc_408B7C:                             ; CODE XREF: sub_408A80+E2j
    CryptoMe_02.exe:00408B7C mov     eax, [ebp+var_60]
    CryptoMe_02.exe:00408B7F cmp     eax, [ebp+var_2E8]
    CryptoMe_02.exe:00408B85 jge     loc_408C0B                      ; all groups done
    CryptoMe_02.exe:00408B8B push    4                               ; registration-code step 2: transposition cipher 1
    CryptoMe_02.exe:00408B8D mov     ecx, [ebp+var_2EC]
    CryptoMe_02.exe:00408B93 lea     edx, [ebp+ecx+var_2E0]
    CryptoMe_02.exe:00408B9A push    edx
    CryptoMe_02.exe:00408B9B lea     eax, [ebp+var_2F0]
    CryptoMe_02.exe:00408BA1 push    eax
    CryptoMe_02.exe:00408BA2 call    sub_409E20                      ; sub_409E20(&var_2F0, &var_2E0[var_2EC], 4) -- presumably a 4-byte copy into the scratch area; confirm
    CryptoMe_02.exe:00408BA7 add     esp, 0Ch
    CryptoMe_02.exe:00408BAA mov     ecx, [ebp+var_2EC]
    CryptoMe_02.exe:00408BB0 mov     edx, [ebp+var_58]
    CryptoMe_02.exe:00408BB3 mov     al, [ebp+edx+var_2F0]
    CryptoMe_02.exe:00408BBA mov     [ebp+ecx+var_2E0], al           ; group[0] = tmp[var_58]
    CryptoMe_02.exe:00408BC1 mov     ecx, [ebp+var_2EC]
    CryptoMe_02.exe:00408BC7 mov     edx, [ebp+var_54]
    CryptoMe_02.exe:00408BCA mov     al, [ebp+edx+var_2F0]
    CryptoMe_02.exe:00408BD1 mov     [ebp+ecx+var_2DF], al           ; group[1] = tmp[var_54]
    CryptoMe_02.exe:00408BD8 mov     ecx, [ebp+var_2EC]
    CryptoMe_02.exe:00408BDE mov     edx, [ebp+var_50]
    CryptoMe_02.exe:00408BE1 mov     al, [ebp+edx+var_2F0]
    CryptoMe_02.exe:00408BE8 mov     [ebp+ecx+var_2DE], al           ; group[2] = tmp[var_50]
    CryptoMe_02.exe:00408BEF mov     ecx, [ebp+var_2EC]
    CryptoMe_02.exe:00408BF5 mov     edx, [ebp+var_4C]
    CryptoMe_02.exe:00408BF8 mov     al, [ebp+edx+var_2F0]
    CryptoMe_02.exe:00408BFF mov     [ebp+ecx+var_2DD], al           ; group[3] = tmp[var_4C]
    CryptoMe_02.exe:00408C06 jmp     loc_408B64

    ‘===============================================
    ; sub_408A80, second call to sub_408E40: input is the buffer var_2E0, output is
    ; var_170, and &var_5C (reset to 104h) is the third argument.
    ; The return value is stored back into var_5C and must equal 16.
    CryptoMe_02.exe:00408C0B mov     [ebp+var_5C], 104h
    CryptoMe_02.exe:00408C12 lea     ecx, [ebp+var_5C]
    CryptoMe_02.exe:00408C15 push    ecx
    CryptoMe_02.exe:00408C16 lea     edx, [ebp+var_170]
    CryptoMe_02.exe:00408C1C push    edx
    CryptoMe_02.exe:00408C1D lea     eax, [ebp+var_2E0]
    CryptoMe_02.exe:00408C23 push    eax
    CryptoMe_02.exe:00408C24 call    sub_408E40                      ; registration-code step 3: variant Base64 decode, pass 2
    CryptoMe_02.exe:00408C29 add     esp, 0Ch
    CryptoMe_02.exe:00408C2C mov     [ebp+var_5C], eax
    CryptoMe_02.exe:00408C2F cmp     [ebp+var_5C], 16                ; check that the length is 16; any other value takes the failure path
    CryptoMe_02.exe:00408C33 jz      short loc_408C3C
    ; Failure path: eax = 0, then leave through loc_408E30 (target not shown).
    CryptoMe_02.exe:00408C35 xor     eax, eax
    CryptoMe_02.exe:00408C37 jmp     loc_408E30

    ’===================================================
    ; sub_408A80, outer loop over var_2F4 = 0..3.
    ; Each pass calls sub_409020 on the buffer var_170, then resets the inner
    ; counter var_2F8 and enters the inner loop at loc_408CFE.
    CryptoMe_02.exe:00408CB8 loc_408CB8:                             ; CODE XREF: sub_408A80:loc_408DB3j
    CryptoMe_02.exe:00408CB8 mov     ecx, [ebp+var_2F4]
    CryptoMe_02.exe:00408CBE add     ecx, 1
    CryptoMe_02.exe:00408CC1 mov     [ebp+var_2F4], ecx
    CryptoMe_02.exe:00408CC7
    CryptoMe_02.exe:00408CC7 loc_408CC7:                             ; CODE XREF: sub_408A80+236j
    CryptoMe_02.exe:00408CC7 cmp     [ebp+var_2F4], 4
    CryptoMe_02.exe:00408CCE jge     loc_408DB8                      ; four passes done
    CryptoMe_02.exe:00408CD4 lea     edx, [ebp+var_170]
    CryptoMe_02.exe:00408CDA push    edx
    CryptoMe_02.exe:00408CDB call    sub_409020                      ; registration-code step 4: nibble swap + table lookup
    CryptoMe_02.exe:00408CE0 add     esp, 4
    CryptoMe_02.exe:00408CE3 mov     [ebp+var_2F8], 0
    CryptoMe_02.exe:00408CED jmp     short loc_408CFE

    ‘-------换位查表子函数,分2轮循环完成--------------------------------------------------------------------------------------------
    ; sub_409020 inner-loop body (excerpt; the loop setup and the increments at
    ; loc_409048 are not shown).
    ; For the byte b at arg_0[var_10 + var_8*4]:
    ;   hi = (b & 0F0h) >> 4, lo = b & 0Fh
    ;   b  = byte_414450[(lo << 4) + hi]
    ; i.e. the two nibbles are swapped and the result indexes the table.
    ; var_10 is the inner counter (runs while < 4); var_8 is presumably the outer
    ; counter (its loop is not shown).
    CryptoMe_02.exe:00409051 cmp     [ebp+var_10], 4
    CryptoMe_02.exe:00409055 jge     short loc_4090A9
    CryptoMe_02.exe:00409057 mov     edx, [ebp+var_8]
    CryptoMe_02.exe:0040905A mov     eax, [ebp+var_10]
    CryptoMe_02.exe:0040905D lea     ecx, [eax+edx*4]
    CryptoMe_02.exe:00409060 mov     edx, [ebp+arg_0]
    CryptoMe_02.exe:00409063 movsx   eax, byte ptr [edx+ecx]
    CryptoMe_02.exe:00409067 and     eax, 0F0h                       ; take the high nibble (the mask also clears the sign-extension bits)
    CryptoMe_02.exe:0040906C sar     eax, 4
    CryptoMe_02.exe:0040906F mov     [ebp+var_4], eax                ; var_4 = hi
    CryptoMe_02.exe:00409072 mov     ecx, [ebp+var_8]
    CryptoMe_02.exe:00409075 mov     edx, [ebp+var_10]
    CryptoMe_02.exe:00409078 lea     eax, [edx+ecx*4]
    CryptoMe_02.exe:0040907B mov     ecx, [ebp+arg_0]
    CryptoMe_02.exe:0040907E movsx   edx, byte ptr [ecx+eax]
    CryptoMe_02.exe:00409082 and     edx, 0Fh                        ; take the low nibble
    CryptoMe_02.exe:00409085 mov     [ebp+var_C], edx                ; var_C = lo
    CryptoMe_02.exe:00409088 mov     eax, [ebp+var_C]
    CryptoMe_02.exe:0040908B shl     eax, 4
    CryptoMe_02.exe:0040908E mov     ecx, [ebp+var_8]
    CryptoMe_02.exe:00409091 mov     edx, [ebp+var_10]
    CryptoMe_02.exe:00409094 lea     ecx, [edx+ecx*4]
    CryptoMe_02.exe:00409097 mov     edx, [ebp+arg_0]
    CryptoMe_02.exe:0040909A mov     esi, [ebp+var_4]
    CryptoMe_02.exe:0040909D mov     al, byte_414450[eax+esi]        ; nibble swap + lookup; the byte_414450 table is 256 bytes long
    CryptoMe_02.exe:004090A4 mov     [edx+ecx], al                   ; write the substituted byte back in place
    CryptoMe_02.exe:004090A7 jmp     short loc_409048

    ‘-----byte_414450表------------------------------------------------------------------------------------------------------
    E2D681A62AFEC53CBDAF540A75D85120E9BBED7A92EE48A46E03B56DB8A5597D
    DF4A391A4DD3C722EC50DEFCF3C95CC8899183D7F4438874C06A589602083772
    0C7C0DA92F7E6980684C352D40BE9A36F72C8FC6B6DBCE09BCEB04D0A8C411B2
    0552B1D415A2972E90642963318AE8CA873E762321D20B257824E034A1D90EAC
    8D0060E4AA5D0FEA3827BA7FA3703216FB66DA06653DBF3B2871E162F8AD9F4E
    9D42F2CF1285A04F672B93F0824B01561C9CE513C2FAFFDC9B9498E3F684EF77
    E76B10465EB386B0F9176F73D1AE7B446CAB1ED55B9E265FC33A14181B3F79F1
    FD8EB7C1CC55F5455357A747958BCD6149198C1F305A99411D33B4E6CB07DDB9

    ’======================================================
    ; sub_408A80, setup for transposition step 2: sixteen dword indices stored at
    ; var_48 .. var_C, used by the loop at loc_408CFE as a 4x4 table (one row of
    ; four indices per value of var_2F4):
    ;   row 0 = 3, 0, 1, 2
    ;   row 1 = 2, 1, 0, 3
    ;   row 2 = 3, 0, 2, 1
    ;   row 3 = 1, 3, 0, 2
    CryptoMe_02.exe:00408C3C mov     [ebp+var_48], 3                 ; transposition table 2
    CryptoMe_02.exe:00408C43 mov     [ebp+var_44], 0
    CryptoMe_02.exe:00408C4A mov     [ebp+var_40], 1
    CryptoMe_02.exe:00408C51 mov     [ebp+var_3C], 2
    CryptoMe_02.exe:00408C58 mov     [ebp+var_38], 2
    CryptoMe_02.exe:00408C5F mov     [ebp+var_34], 1
    CryptoMe_02.exe:00408C66 mov     [ebp+var_30], 0
    CryptoMe_02.exe:00408C6D mov     [ebp+var_2C], 3
    CryptoMe_02.exe:00408C74 mov     [ebp+var_28], 3
    CryptoMe_02.exe:00408C7B mov     [ebp+var_24], 0
    CryptoMe_02.exe:00408C82 mov     [ebp+var_20], 2
    CryptoMe_02.exe:00408C89 mov     [ebp+var_1C], 1
    CryptoMe_02.exe:00408C90 mov     [ebp+var_18], 1
    CryptoMe_02.exe:00408C97 mov     [ebp+var_14], 3
    CryptoMe_02.exe:00408C9E mov     [ebp+var_10], 0
    CryptoMe_02.exe:00408CA5 mov     [ebp+var_C], 2
    CryptoMe_02.exe:00408CAC mov     [ebp+var_2F4], 0                ; outer counter starts at 0
    CryptoMe_02.exe:00408CB6 jmp     short loc_408CC7

    ‘--------------------------------------------------------------------------------------------
    ; sub_408A80, transposition step 2: inner loop over var_2F8 = 0..3.
    ; The 4-byte group var_170[var_2F8*4 ..] is copied to the scratch area var_2FC
    ; and written back in the order given by row var_2F4 of the index table that
    ; starts at var_48:
    ;   group[j] = tmp[ table[var_2F4][j] ],  j = 0..3
    ; "shl reg, 2" followed by the *4 scale in the address selects the row
    ; (byte offset var_2F4 * 16); var_48/var_44/var_40/var_3C select the column.
    CryptoMe_02.exe:00408CEF mov     eax, [ebp+var_2F8]
    CryptoMe_02.exe:00408CF5 add     eax, 1
    CryptoMe_02.exe:00408CF8 mov     [ebp+var_2F8], eax
    CryptoMe_02.exe:00408CFE
    CryptoMe_02.exe:00408CFE loc_408CFE:                             ; CODE XREF: sub_408A80+26Dj
    CryptoMe_02.exe:00408CFE cmp     [ebp+var_2F8], 4
    CryptoMe_02.exe:00408D05 jge     loc_408DB3                      ; four groups done: back to the outer loop
    CryptoMe_02.exe:00408D0B push    4                               ; registration-code step 5: transposition cipher 2
    CryptoMe_02.exe:00408D0D mov     ecx, [ebp+var_2F8]
    CryptoMe_02.exe:00408D13 lea     edx, [ebp+ecx*4+var_170]
    CryptoMe_02.exe:00408D1A push    edx
    CryptoMe_02.exe:00408D1B lea     eax, [ebp+var_2FC]
    CryptoMe_02.exe:00408D21 push    eax
    CryptoMe_02.exe:00408D22 call    sub_409E20                      ; sub_409E20(&var_2FC, &var_170[var_2F8*4], 4) -- presumably a 4-byte copy into the scratch area; confirm
    CryptoMe_02.exe:00408D27 add     esp, 0Ch
    CryptoMe_02.exe:00408D2A mov     ecx, [ebp+var_2F4]
    CryptoMe_02.exe:00408D30 shl     ecx, 2
    CryptoMe_02.exe:00408D33 mov     edx, [ebp+ecx*4+var_48]
    CryptoMe_02.exe:00408D37 mov     eax, [ebp+var_2F8]
    CryptoMe_02.exe:00408D3D mov     cl, [ebp+edx+var_2FC]
    CryptoMe_02.exe:00408D44 mov     [ebp+eax*4+var_170], cl         ; group[0] = tmp[table[row][0]]
    CryptoMe_02.exe:00408D4B mov     edx, [ebp+var_2F4]
    CryptoMe_02.exe:00408D51 shl     edx, 2
    CryptoMe_02.exe:00408D54 mov     eax, [ebp+edx*4+var_44]
    CryptoMe_02.exe:00408D58 mov     ecx, [ebp+var_2F8]
    CryptoMe_02.exe:00408D5E mov     dl, [ebp+eax+var_2FC]
    CryptoMe_02.exe:00408D65 mov     [ebp+ecx*4+var_16F], dl         ; group[1] = tmp[table[row][1]]
    CryptoMe_02.exe:00408D6C mov     eax, [ebp+var_2F4]
    CryptoMe_02.exe:00408D72 shl     eax, 2
    CryptoMe_02.exe:00408D75 mov     ecx, [ebp+eax*4+var_40]
    CryptoMe_02.exe:00408D79 mov     edx, [ebp+var_2F8]
    CryptoMe_02.exe:00408D7F mov     al, [ebp+ecx+var_2FC]
    CryptoMe_02.exe:00408D86 mov     [ebp+edx*4+var_16E], al         ; group[2] = tmp[table[row][2]]
    CryptoMe_02.exe:00408D8D mov     ecx, [ebp+var_2F4]
    CryptoMe_02.exe:00408D93 shl     ecx, 2
    CryptoMe_02.exe:00408D96 mov     edx, [ebp+ecx*4+var_3C]
    CryptoMe_02.exe:00408D9A mov     eax, [ebp+var_2F8]
    CryptoMe_02.exe:00408DA0 mov     cl, [ebp+edx+var_2FC]
    CryptoMe_02.exe:00408DA7 mov     [ebp+eax*4+var_16D], cl         ; group[3] = tmp[table[row][3]]
    CryptoMe_02.exe:00408DAE jmp     loc_408CEF


    3、正函数   



    4、逆函数










    发表于 2017-6-5 19:01:11 | 显示全部楼层
    每一次破解分析都是思想的碰撞!

    发表于 2017-6-5 20:49:46 | 显示全部楼层
    vb写的注册机,好长时间没用VB啦

    发表于 2017-6-8 13:45:04 | 显示全部楼层
    涉及算法部分我感觉非常头痛~~

    发表于 2017-6-10 14:49:32 | 显示全部楼层
    感谢楼主的分享 学习一下

    发表于 2017-6-10 15:39:20 | 显示全部楼层
    这个算法分析我什么时候才能达到呢,真是牛人