|
|
【文章标题】: Duelist's Crackme #3的算法分析+注册机
【文章作者】: bxm
【作者邮箱】: bxm78@163.com
【下载地址】: 自己搜索下载
【加壳方式】: 无
【保护方式】: 矩阵
【编写语言】: MASM32 / TASM32 [覆盖]
【使用工具】: od,peid,计算器
【操作平台】: winxp
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
检查,用出错提示your registration info is invalid... please support shareware authors by buying software!向上查找,下断在[00401117]:
00401117 > /33F6 xor esi, esi ; 清0
00401119 . |33D2 xor edx, edx
0040111B . |8935 5E214000 mov [40215E], esi
00401121 . |8935 62214000 mov [402162], esi
00401127 > |0FBE8E FE2040>movsx ecx, byte ptr [esi+4020FE] ; [ESI+4020FE]的字符入ECX
0040112E . |83F9 4D cmp ecx, 4D ; ECX=4D ?
00401131 . |74 2F je short 00401162 ; 相等,读取完毕,跳
00401133 . |890D 5E214000 mov [40215E], ecx ; ECX存入[40215E]
00401139 . |51 push ecx ; /ButtonID
0040113A . |FF75 08 push dword ptr [ebp+8] ; |hWnd
0040113D . |E8 D0010000 call <jmp.&USER32.IsDlgButtonChecke>; \IsDlgButtonChecked
00401142 . |46 inc esi ; ESI+1
00401143 . |83F8 00 cmp eax, 0 ; EAX为按钮的返回值,选中返回1,否则返回0
00401146 .^|74 DF je short 00401127
00401148 . |A1 5E214000 mov eax, [40215E] ; [40215E]入EAX
0040114D . |0FBE8E FE2040>movsx ecx, byte ptr [esi+4020FE] ; [ESI+4020FE]的字符入ECX
00401154 . |0FAFC1 imul eax, ecx ; EAX*ECX
00401157 . |0FAFC6 imul eax, esi ; EAX*ESI
0040115A . |0105 62214000 add [402162], eax ; 累加于[402162]
00401160 .^|EB C5 jmp short 00401127
00401162 > |A1 62214000 mov eax, [402162] ; 累加和入EAX
00401167 . |6BC0 4D imul eax, eax, 4D ; EAX*4D
0040116A . |3D 6654F300 cmp eax, 0F35466 ; EAX=0F35466 ?
0040116F . |75 20 jnz short 00401191 ; 不等,则完蛋,否则,成功
00401171 . |68 00200000 push 2000 ; /Style = MB_OK|MB_TASKMODAL
00401176 . |68 01204000 push 00402001 ; |duelist's crackme #3
0040117B . |68 17204000 push 00402017 ; |congratulations! please send a screenshot of your solution to duelist@beer.com!
00401180 . |6A 00 push 0 ; |hOwner = NULL
00401182 . |E8 55010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401187 . |B8 01000000 mov eax, 1
0040118C .^|E9 69FFFFFF jmp 004010FA
00401191 > |68 00200000 push 2000 ; /Style = MB_OK|MB_TASKMODAL
00401196 . |68 01204000 push 00402001 ; |duelist's crackme #3
0040119B . |68 68204000 push 00402068 ; |your registration info is invalid... please support shareware authors by buying software!
004011A0 . |6A 00 push 0 ; |hOwner = NULL
004011A2 . |E8 35010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
算法比较简单,地址[4020FE]处为一个19个字节的表0x16, 0x49, 0x5E, 0x15, 0x27, 0x26, 0x21, 0x25, 0x1D, 0x59, 0x53, 0x37, 0x31, 0x48, 0x5D, 0x0C, 0x61, 0x52, 0x4D。
进一步跟踪发现各按钮对应的代号,为了和注册机一致,我把每个代号都减了1,18个按钮的代号如下:
16 1 2 0 7 5 6 9 10
3 11 12 13 14 15 17 4 8
如我用注册机算出的一个号码为25726,转化为二进制110010001111110,把对应1位的选中就可以了,如
注册机源码如下:
#include<iostream.h>
void main()
{
long unsigned loop=262143;
long unsigned i,itemp,EAX,count,sum;
char table[19]={0x16, 0x49, 0x5E, 0x15, 0x27, 0x26, 0x21, 0x25, 0x1D, 0x59, 0x53, 0x37, 0x31,
0x48, 0x5D, 0x0C, 0x61, 0x52, 0x4D};
for(i=0;i<loop;i++)
{
sum=0;
count=0;itemp=i;
do
{
if(itemp%2==1){EAX=table[count]*table[count+1]*(count+1);sum+=EAX;}
count++;
itemp/=2;
}
while(itemp);
if(sum*0x4d==0xf35466)
{
cout<<i<<endl;
}
}
}
我只找到了一个正确答案,可能也只有一个正确答案。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年08月10日 下午 11:26:39
|
|
