|
|
【文章标题】: bxm的第一个CrackMe VS 我的第一篇菜破文
【文章作者】: llydd
【下载地址】: http://bbs1.pediy.com:8081/showthread.php?s=&threadid=32206
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
这是bxm的第一个crackme,也是我的第一次
用OD的查找ASCII码插件找到(程序好像是DEBUG版本的,载了N久才载入,机子N卡N卡的)
004024EB |. 6A 00 push 0
004024ED |. 68 20514100 push 00415120 ; 恭喜你
004024F2 |. 68 14514100 push 00415114 ; 破解成功!
004024F7 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004024FA |. E8 71ECFFFF call <jmp.&MFC42D.#3517>
004024FF |. EB 14 jmp short 00402515
00402501 |> 6A 00 push 0
00402503 |. 68 08514100 push 00415108 ; 破解失败
00402508 |. 68 58504100 push 00415058 ; 重试?
往上拖找到关键算法部分
004023C0 /> \55 push ebp
004023C1 |. 8BEC mov ebp, esp
004023C3 |. 81EC 90000000 sub esp, 90
004023C9 |. 53 push ebx
004023CA |. 56 push esi
004023CB |. 57 push edi
004023CC |. 51 push ecx
004023CD |. 8DBD 70FFFFFF lea edi, dword ptr [ebp-90]
004023D3 |. B9 24000000 mov ecx, 24
004023D8 |. B8 CCCCCCCC mov eax, CCCCCCCC
004023DD |. F3:AB rep stos dword ptr es:[edi]
004023DF |. 59 pop ecx
004023E0 |. 894D FC mov dword ptr [ebp-4], ecx
004023E3 |. 6A 01 push 1
004023E5 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004023E8 |. E8 7DEDFFFF call <jmp.&MFC42D.#5056>
004023ED |. C745 F8 00000>mov dword ptr [ebp-8], 0
004023F4 |. C745 F0 00000>mov dword ptr [ebp-10], 0
004023FB |. 8B4D FC mov ecx, dword ptr [ebp-4]
004023FE |. 83C1 60 add ecx, 60
00402401 |. E8 8EFBFFFF call <jmp.&MFC42D.#880>
00402406 |. 50 push eax ; /src
00402407 |. 8D45 D0 lea eax, dword ptr [ebp-30] ; |
0040240A |. 50 push eax ; |dest
0040240B |. E8 24EDFFFF call <jmp.&MSVCRTD.strcpy> ; \strcpy
00402410 |. 83C4 08 add esp, 8
00402413 |. 8D4D D0 lea ecx, dword ptr [ebp-30]
00402416 |. 51 push ecx ; /s
00402417 |. E8 1EEDFFFF call <jmp.&MSVCRTD.strlen> ; \strlen
0040241C |. 83C4 04 add esp, 4
0040241F |. 8945 E8 mov dword ptr [ebp-18], eax ; 取得用户名的长度
00402422 |. C745 EC 00000>mov dword ptr [ebp-14], 0
00402429 |. EB 09 jmp short 00402434
0040242B |> 8B55 EC /mov edx, dword ptr [ebp-14]
0040242E |. 83C2 01 |add edx, 1
00402431 |. 8955 EC |mov dword ptr [ebp-14], edx
00402434 |> 8B45 EC mov eax, dword ptr [ebp-14]
00402437 |. 3B45 E8 |cmp eax, dword ptr [ebp-18]
0040243A |. 7D 12 |jge short 0040244E
0040243C |. 8B4D EC |mov ecx, dword ptr [ebp-14]
0040243F |. 0FBE540D D0 |movsx edx, byte ptr [ebp+ecx-30] ; 对用户名各位ASCII码进行累加
00402444 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
00402447 |. 03C2 |add eax, edx
00402449 |. 8945 F8 |mov dword ptr [ebp-8], eax ; 最终结果会存到这里
0040244C |.^ EB DD \jmp short 0040242B
0040244E mov ecx, dword ptr [ebp-8]
00402451 neg ecx ; 用户名位ascii码各位相加结果S求补得A
00402453 mov edx, dword ptr [ebp-8] ;
00402456 add edx, dword ptr [ebp-18] ; 用户名位ascii码各位相加结果S与用户名位数相加得B
00402459 >imul ecx, edx
0040245C mov dword ptr [ebp-C], ecx ; 保存A*B结果
0040245F mov ecx, dword ptr [ebp-4]
00402462 add ecx, 64
00402465 call <jmp.&MFC42D.#880>
0040246A push eax ; /src
0040246B lea eax, dword ptr [ebp-48] ; |
0040246E push eax ; |dest
0040246F call <jmp.&MSVCRTD.strcpy> ; \strcpy
00402474 add esp, 8
00402477 mov dword ptr [ebp-50], 1
0040247E lea ecx, dword ptr [ebp-48]
00402481 push ecx ; /s
00402482 call <jmp.&MSVCRTD.strlen> ; \strlen
00402487 add esp, 4
0040248A sub eax, 1
0040248D mov dword ptr [ebp-4C], eax ; serial位数-1
00402490 jmp short 0040249B
00402492 /mov edx, dword ptr [ebp-4C]
00402495 |sub edx, 1
00402498 |mov dword ptr [ebp-4C], edx
0040249B cmp dword ptr [ebp-4C], 0
0040249F |jl short 004024C3
004024A1 |mov eax, dword ptr [ebp-4C]
004024A4 |movsx ecx, byte ptr [ebp+eax-48]
004024A9 |sub ecx, 30 ;
004024AC |imul ecx, dword ptr [ebp-50]
004024B0 |mov edx, dword ptr [ebp-10]
004024B3 |add edx, ecx
004024B5 |mov dword ptr [ebp-10], edx
004024B8 |mov eax, dword ptr [ebp-50]
004024BB |imul eax, eax, 0A
004024BE |mov dword ptr [ebp-50], eax
004024C1 \jmp short 00402492
004024C3 mov ecx, dword ptr [ebp-10] ; 将注册码反变成十进制数如“787878”变成787878
004024C6 imul ecx, ecx, -1 ; 然后乘-1得C
004024C9 mov dword ptr [ebp-10], ecx
004024CC cmp dword ptr [ebp-18], 0 ; 用户名位数与0比
004024D0 je short 00402501
004024D2 mov edx, dword ptr [ebp-10]
004024D5 imul edx, dword ptr [ebp-10] ; D=C*C
004024D9 mov eax, dword ptr [ebp-10]
004024DC imul eax, dword ptr [ebp-18] ; EAX=C乘用户名位数得E
004024E0 mov ecx, dword ptr [ebp-C] ; ECX=A*B
004024E3 add ecx, edx ; ECX=A*B+D得F
004024E5 add eax, ecx ; EAX=E+F
004024E7 test eax, eax ;判断eax是否为零若不为0则注册失败
004024E9 jnz short 00402501
注册算法:
1:将用户名的ASCII码各位相加结果S求补得A,将S加上用户名的位数得B,然后A*B
2:将注册码转化成十进制数然后乘以-1得C
3:求C^2得D
4:C乘用户名位数得E
5:将A*B+D得F
6:E+F得G
7:判断G是否为0为零,为0则注册成功
如:
用户名:llydd
注册码:542
注册机代码如下(写的蛮乱的)
#include "stdio.h"
#include "string.h"
int main(int argc,char* argv[])
{
int nIDlen,n,nIDsum=0;
char id[20];
printf("ID=");
gets(id);
nIDlen=strlen(id);
for(n=0;n<=nIDlen;nIDsum+=id[n],n++);
printf("serial=%d\n",nIDsum+nIDlen);
system("pause");
return 0;
}
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年09月30日 21:22:17 |
|
