|
|
1:第一次写算法分析,有些不知所云.见谅.^-^
CrackMe和注册机,注册算法原码下载
http://www.live-share.com/files/42779/bxm_crackme1.rar.html
2.先找关键算法下断点:bp MessageBoxA,输入用户名和密码后断下来,按ALT+F9,查看Bxm_Crac模块,找到关键算法在过程
004023C0开始.算法很短,贴出来
004023C0 /> \55 PUSH EBP
004023C1 |. 8BEC MOV EBP,ESP
004023C3 |. 81EC 90000000 SUB ESP,90
004023C9 |. 53 PUSH EBX
004023CA |. 56 PUSH ESI
004023CB |. 57 PUSH EDI
004023CC |. 51 PUSH ECX
004023CD |. 8DBD 70FFFFFF LEA EDI,[DWORD SS:EBP-90]
004023D3 |. B9 24000000 MOV ECX,24
004023D8 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
004023DD |. F3:AB REP STOS [DWORD ES:EDI]
004023DF |. 59 POP ECX
004023E0 |. 894D FC MOV [DWORD SS:EBP-4],ECX
004023E3 |. 6A 01 PUSH 1
004023E5 |. 8B4D FC MOV ECX,[DWORD SS:EBP-4]
004023E8 |. E8 7DEDFFFF CALL <JMP.&MFC42D.#5056>
004023ED |. C745 F8 00000>MOV [DWORD SS:EBP-8],0
004023F4 |. C745 F0 00000>MOV [DWORD SS:EBP-10],0
004023FB |. 8B4D FC MOV ECX,[DWORD SS:EBP-4]
004023FE |. 83C1 60 ADD ECX,60
00402401 |. E8 8EFBFFFF CALL <JMP.&MFC42D.#880>
00402406 |. 50 PUSH EAX
00402407 |. 8D45 D0 LEA EAX,[DWORD SS:EBP-30]
0040240A |. 50 PUSH EAX
0040240B |. E8 24EDFFFF CALL <JMP.&MSVCRTD.strcpy> ; \COPY用户名
00402410 |. 83C4 08 ADD ESP,8
00402413 |. 8D4D D0 LEA ECX,[DWORD SS:EBP-30]
00402416 |. 51 PUSH ECX
00402417 |. E8 1EEDFFFF CALL <JMP.&MSVCRTD.strlen> ; \strlen
0040241C |. 83C4 04 ADD ESP,4
0040241F |. 8945 E8 MOV [DWORD SS:EBP-18],EAX ; 保存用户名长度
00402422 |. C745 EC 00000>MOV [DWORD SS:EBP-14],0
00402429 |. EB 09 JMP SHORT Bxm_Crac.00402434
0040242B |> 8B55 EC /MOV EDX,[DWORD SS:EBP-14]
0040242E |. 83C2 01 |ADD EDX,1
00402431 |. 8955 EC |MOV [DWORD SS:EBP-14],EDX
00402434 |> 8B45 EC MOV EAX,[DWORD SS:EBP-14]
00402437 |. 3B45 E8 |CMP EAX,[DWORD SS:EBP-18] ; EAX大于用户名长度就跳
0040243A |. 7D 12 |JGE SHORT Bxm_Crac.0040244E
0040243C |. 8B4D EC |MOV ECX,[DWORD SS:EBP-14]
0040243F |. 0FBE540D D0 |MOVSX EDX,[BYTE SS:EBP+ECX-30] ;
00402444 |. 8B45 F8 |MOV EAX,[DWORD SS:EBP-8]
00402447 |. 03C2 |ADD EAX,EDX
00402449 |. 8945 F8 |MOV [DWORD SS:EBP-8],EAX ; 循环运算得到的结果保存到SS:EBP-8
0040244C |.^ EB DD \JMP SHORT Bxm_Crac.0040242B
0040244E |> 8B4D F8 MOV ECX,[DWORD SS:EBP-8]
00402451 |. F7D9 NEG ECX ; ECX取负
00402453 |. 8B55 F8 MOV EDX,[DWORD SS:EBP-8]
00402456 |. 0355 E8 ADD EDX,[DWORD SS:EBP-18] ; EDX+用户名长度
00402459 |. 0FAFCA IMUL ECX,EDX
0040245C |. 894D F4 MOV [DWORD SS:EBP-C],ECX ; ECX的值送EBP-C
0040245F |. 8B4D FC MOV ECX,[DWORD SS:EBP-4]
00402462 |. 83C1 64 ADD ECX,64
00402465 |. E8 2AFBFFFF CALL <JMP.&MFC42D.#880>
0040246A |. 50 PUSH EAX
0040246B |. 8D45 B8 LEA EAX,[DWORD SS:EBP-48]
0040246E |. 50 PUSH EAX
0040246F |. E8 C0ECFFFF CALL <JMP.&MSVCRTD.strcpy> ; \COPY输入的注册码
00402474 |. 83C4 08 ADD ESP,8
00402477 |. C745 B0 01000>MOV [DWORD SS:EBP-50],1 ; EBP-50=1
0040247E |. 8D4D B8 LEA ECX,[DWORD SS:EBP-48]
00402481 |. 51 PUSH ECX ; /s
00402482 |. E8 B3ECFFFF CALL <JMP.&MSVCRTD.strlen> ; \strlen
00402487 |. 83C4 04 ADD ESP,4
0040248A |. 83E8 01 SUB EAX,1
0040248D |. 8945 B4 MOV [DWORD SS:EBP-4C],EAX ; 注册码长度-1送EBP-4C,用于循环
00402490 |. EB 09 JMP SHORT Bxm_Crac.0040249B
00402492 |> 8B55 B4 /MOV EDX,[DWORD SS:EBP-4C]
00402495 |. 83EA 01 |SUB EDX,1
00402498 |. 8955 B4 |MOV [DWORD SS:EBP-4C],EDX
0040249B |> 837D B4 00 CMP [DWORD SS:EBP-4C],0 ; EBP-4C(EBP-4C)小于0就跳出循环
0040249F |. 7C 22 |JL SHORT Bxm_Crac.004024C3
004024A1 |. 8B45 B4 |MOV EAX,[DWORD SS:EBP-4C]
004024A4 |. 0FBE4C05 B8 |MOVSX ECX,[BYTE SS:EBP+EAX-48] ; 注册码[len-1]
004024A9 |. 83E9 30 |SUB ECX,30 ; 注册码[len-1]-30
004024AC |. 0FAF4D B0 |IMUL ECX,[DWORD SS:EBP-50] ; ECX*1,ECX*10,ECX*100,ECX*1000.......
004024B0 |. 8B55 F0 |MOV EDX,[DWORD SS:EBP-10]
004024B3 |. 03D1 |ADD EDX,ECX ; EDX=EDX+假注册码[len-1]-30
004024B5 |. 8955 F0 |MOV [DWORD SS:EBP-10],EDX ; 循环计算结果送入SS:EBP-10
004024B8 |. 8B45 B0 |MOV EAX,[DWORD SS:EBP-50]
004024BB |. 6BC0 0A |IMUL EAX,EAX,0A
004024BE |. 8945 B0 |MOV [DWORD SS:EBP-50],EAX
004024C1 |.^ EB CF \JMP SHORT Bxm_Crac.00402492
004024C3 |> 8B4D F0 MOV ECX,[DWORD SS:EBP-10]
004024C6 |. 6BC9 FF IMUL ECX,ECX,-1
004024C9 |. 894D F0 MOV [DWORD SS:EBP-10],ECX
004024CC |. 837D E8 00 CMP [DWORD SS:EBP-18],0 ;用户名长度为0就跳
004024D0 |. 74 2F JE SHORT Bxm_Crac.00402501
004024D2 |. 8B55 F0 MOV EDX,[DWORD SS:EBP-10]
004024D5 |. 0FAF55 F0 IMUL EDX,[DWORD SS:EBP-10]
004024D9 |. 8B45 F0 MOV EAX,[DWORD SS:EBP-10]
004024DC |. 0FAF45 E8 IMUL EAX,[DWORD SS:EBP-18]
004024E0 |. 8B4D F4 MOV ECX,[DWORD SS:EBP-C]
004024E3 |. 03CA ADD ECX,EDX
004024E5 |. 03C1 ADD EAX,ECX
004024E7 |. 85C0 TEST EAX,EAX ;关键比较,跳就注册失败
004024E9 |. 75 16 JNZ SHORT Bxm_Crac.00402501
004024EB |. 6A 00 PUSH 0
004024ED |. 68 20514100 PUSH Bxm_Crac.00415120
004024F2 |. 68 14514100 PUSH Bxm_Crac.00415114
004024F7 |. 8B4D FC MOV ECX,[DWORD SS:EBP-4]
004024FA |. E8 71ECFFFF CALL <JMP.&MFC42D.#3517> ;注册成功
004024FF |. EB 14 JMP SHORT Bxm_Crac.00402515
00402501 |> 6A 00 PUSH 0
00402503 |. 68 08514100 PUSH Bxm_Crac.00415108
00402508 |. 68 58504100 PUSH Bxm_Crac.00415058
0040250D |. 8B4D FC MOV ECX,[DWORD SS:EBP-4]
00402510 |. E8 5BECFFFF CALL <JMP.&MFC42D.#3517> ;注册失败
00402515 |> 6A 00 PUSH 0
00402517 |. 8B4D FC MOV ECX,[DWORD SS:EBP-4]
0040251A |. E8 4BECFFFF CALL <JMP.&MFC42D.#5056>
0040251F |. 5F POP EDI
00402520 |. 5E POP ESI
00402521 |. 5B POP EBX
00402522 |. 81C4 90000000 ADD ESP,90
00402528 |. 3BEC CMP EBP,ESP
0040252A |. E8 CBFAFFFF CALL <JMP.&MSVCRTD._chkesp>
0040252F |. 8BE5 MOV ESP,EBP
00402531 |. 5D POP EBP
00402532 \. C3 RETN
3:转化为DELPHI代码
procedure TForm1.Button1Click(Sender: TObject);
var
iLen,iLen2:integer;
ebps8,EBPsC,ebps10,ebps50:integer;
ok:integer;
password,username:pchar;
struser,strpass:array[0..254] of char;
i:integer;
begin
ebps8:=0;
ebps10:=0;
username:=pchar(edit1.Text);
ilen:=length(username);
strmove(struser,username,iLen);
for i:=0 to ilen-1 do
begin
EBPs8:=EBPs8+ord(struser[i]);
end;
EBPsC := -EBPs8*(EBPs8+ilen);
password:=pchar(Edit2.text);
ilen2:=length(password);
strmove(strpass,password,iLen2);
EBPs50:=1;
for i:= ilen2-1 downto 0 do
begin
EBPs10:=EBPs10+(ord(strpass[i]) - $30) * EBPs50;
EBPs50:=EBPs50*10;
end;
ok:=(-EBPs10 * ilen)+EBPsC+EBPs10 * EBPs10;
if ok = 0 then showmessage('注册成功')else showmessage('注册失败');
end;
(-EBPs10 * ilen)+EBPsC+EBPs10 * EBPs10 = 0 时注册成功
则(-EBPs10 * ilen)-EBPs8*(EBPs8+ilen)+EBPs10 * EBPs10 = 0 时注册成功
设EBPs10为x,EBPs8为y,ilen为b,那么就是解方程
(-bx)-y(y+b)+xx=0
xx-bx-by=yy
解得 x = -y 和x = y+b,也就是 EBPs10 = -EBPs8 或 EBPs10 = EBPs8+用户名长度时注册成功
4.注册机代码
procedure TForm1.Button2Click(Sender: TObject);
var
ebps8,EBPs10:integer;
username:pchar;
struser:array[0..255] of char;
password:array[0..4] of char; //假设password的长度为4,也可以假设为5,6,其他
i,j:integer;
iLen,iLen2:integer;
iTmp:integer;
begin
ebps8:=0;
username:=pchar(edit1.Text);
ilen:=length(username);
if ilen <=2 then
begin
showmessage('用户名长度太小');
exit;
end;
strmove(struser,username,iLen);
for i:=0 to ilen-1 do
begin
EBPs8:=EBPs8+ord(struser[i]);
end;
EBPs10:=EBPs8+iLen;
iLen2:=5;//假设password的长度为4,也可以假设为5,6,其他
for i:=0 to iLen2-1 do
begin
EBPs10:=EBPs10 + $30 * square10N(i);
end;
j:=0;
for i:= iLen2-1 downto 0 do
begin
if EBps10>100 then
begin
iTmp:= EBPs10 div square10N(i+1);
EBps10 := EBPs10 - iTmp*square10N(i+1);
password[j] := chr(iTmp*10);
end else
begin
password[j] := chr(EBPs10);
end;
inc(j);
end;
edit2.Text:= string(password);
end;
|
|
