CM是什么?Crackme是什么?这是什么东西?楼主发的什么?
它们都是一些公开给别人尝试破解的小程序。制作 Crackme 的人可能是程序员,想测试一下自己的软件保护技术;也可能是一位 Cracker,想挑战一下其他 Cracker 的破解实力;也可能是一些正在学习破解的人,自己编一些小程序给自己破解。KeyGenMe 要求别人做出它的 keygen(序号产生器),ReverseMe 要求别人对它的算法做出逆向分析,UnpackMe 要求别人把它成功脱壳。本版块禁止回复与技术无关的水贴。
本帖最后由 Chief 于 2013-12-14 17:42 编辑
【文章标题】: 吾爱2013CM大赛解答--KeyGenMe2013 -- loudy思星分析
【文章作者】: Crack_Qs[4st Team]
【作者主页】: www.reversesec.com
【软件名称】: KeyGenMe2013 -- loudy
【下载地址】: http://www.52pojie.cn/thread-228429-1-1.html
【操作平台】: win xp
【作者声明】: 我是打酱油的,失误之处敬请诸位大侠赐教! 技术支持:Peace、kido
--------------------------------------------------------------------------------
【详细过程】
用户名 Crack_Qs
注册码 WMUH-YEPO-KQQZ-CLAB
机器码 87552884
38 37 35 35 32 38 38 34
43 72 61 63 6B 5F 51 73
WMUHYEPOKQQZCLAB
W M U H Y E P O K Q Q Z C L A B
57 4d 55 48 59 45 50 4F 4B 51 51 5A 43 4C 41 42
; Call site of the serial-check routine, followed by the routine's prologue and input fetch.
; The bodies of the helpers 00418563 and 00417863 are not part of this listing, so their
; roles below are taken from the author's labels, not verified from code.
0040164A . E8 F1010000 call KeyGenMe.00401840 ; author's label: the algorithm (serial check) call
00401840 /$ 55 push ebp
00401841 |. 8BEC mov ebp,esp
00401843 |. 83E4 F8 and esp,0xFFFFFFF8 ; align esp to 8 bytes (qword stores via fstp follow)
00401846 |. 83EC 28 sub esp,0x28 ; reserve 0x28 bytes of locals
00401849 |. 53 push ebx
0040184A |. 55 push ebp
0040184B |. 56 push esi
0040184C |. 57 push edi
0040184D |. 8BF1 mov esi,ecx ; keep incoming ecx (presumably the object pointer - confirm)
0040184F |. 6A 00 push 0x0
00401851 |. E8 0D6D0100 call KeyGenMe.00418563 ; author: read the machine code (ecx unchanged from entry)
00401856 |. 6A 00 push 0x0
00401858 |. 8D4E 08 lea ecx,dword ptr ds:[esi+0x8] ; ecx = esi+8 for the next call
0040185B |. 8BD8 mov ebx,eax ; ebx = result of the first call (machine-code string per author)
0040185D |. E8 016D0100 call KeyGenMe.00418563 ; author: read the user name
00401862 |. 6A 00 push 0x0
00401864 |. 8D4E 04 lea ecx,dword ptr ds:[esi+0x4] ; ecx = esi+4 for the next call
00401867 |. 8BF8 mov edi,eax ; edi = result of the second call (user-name string per author)
00401869 |. E8 F56C0100 call KeyGenMe.00418563 ; author: read the entered ("fake") serial
0040186E |. 8BE8 mov ebp,eax ; ebp = entered-serial pointer
00401870 |. 6A 01 push 0x1
00401872 |. 896C24 20 mov dword ptr ss:[esp+0x20],ebp ; also keep the serial pointer in a stack slot
00401876 |. E8 E85F0100 call KeyGenMe.00417863 ; helper not shown; takes the pushed 1
0040187B |. 8BF0 mov esi,eax ; esi = its return value, later passed in ecx to 00401CC0/00401B10
0040187D |. 8A03 mov al,byte ptr ds:[ebx] ; al = first byte of the machine code
0040187F |. 83C4 04 add esp,0x4 ; drop the argument pushed for 00417863
00401882 |. C74424 20 000>mov dword ptr ss:[esp+0x20],0x0
0040188A |. 84C0 test al,al ; is the machine code empty? (flags consumed by the je below)
0040188C |. C74424 24 000>mov dword ptr ss:[esp+0x24],0x0
00401894 |. C74424 28 000>mov dword ptr ss:[esp+0x28],0x0
0040189C |. C74424 2C 000>mov dword ptr ss:[esp+0x2C],0x0 ; 16 bytes at [esp+0x20..0x2F] zeroed: two qword accumulators
004018A4 |. 74 7C je XKeyGenMe.00401922 ; empty machine code: skip the machine-code loop that follows
; Loop over the machine-code string (ebx), one character per pass, until the NUL terminator.
; Each pass converts the current and the next character to doubles, passes them with a fixed
; double constant to 00401CC0, and folds the result into the qword at [esp+0x20] via 00401B10.
; Neither helper body is shown, so what they compute and how they clean the stack is unknown
; here; the stack-slot notes assume esp is restored after each call - confirm in a debugger.
004018A6 |> 0FBE4B 01 /movsx ecx,byte ptr ds:[ebx+0x1] ; ecx = next character, sign-extended
004018AA |. 0FBEC0 |movsx eax,al ; eax = current character (first one on the first pass)
004018AD |. 894424 10 |mov dword ptr ss:[esp+0x10],eax
004018B1 |. DB4424 10 |fild dword ptr ss:[esp+0x10] ; st0 = current character as a float
004018B5 |. 894C24 10 |mov dword ptr ss:[esp+0x10],ecx
004018B9 |. DD5C24 30 |fstp qword ptr ss:[esp+0x30] ; [esp+0x30] = current character as a double
004018BD |. DB4424 10 |fild dword ptr ss:[esp+0x10] ; st0 = next character as a float
004018C1 |. 8B4C24 34 |mov ecx,dword ptr ss:[esp+0x34] ; high dword of the current-character double
004018C5 |. DD5C24 10 |fstp qword ptr ss:[esp+0x10] ; [esp+0x10] = next character as a double
004018C9 |. 8B5424 14 |mov edx,dword ptr ss:[esp+0x14]
004018CD |. 8B4424 10 |mov eax,dword ptr ss:[esp+0x10]
004018D1 |. 52 |push edx ; third argument: next-character double (high dword)
004018D2 |. 8B5424 34 |mov edx,dword ptr ss:[esp+0x34] ; low dword of the current-character double (esp moved by 4)
004018D6 |. 50 |push eax ; third argument, low dword
004018D7 |. 68 32545E40 |push 0x405E5432 ; second argument: constant double, high dword
004018DC |. 68 87A757CA |push 0xCA57A787 ; second argument, low dword
004018E1 |. 51 |push ecx ; first argument: current-character double (high dword)
004018E2 |. 52 |push edx ; first argument, low dword
004018E3 |. 8BCE |mov ecx,esi ; ecx = value returned by 00417863
004018E5 |. E8 D6030000 |call KeyGenMe.00401CC0 ; helper not shown; result is left on the FPU stack
004018EA |. 83EC 08 |sub esp,0x8
004018ED |. 8BCE |mov ecx,esi
004018EF |. DD1C24 |fstp qword ptr ss:[esp] ; pass that result on as a double argument
004018F2 |. E8 19020000 |call KeyGenMe.00401B10 ; helper not shown
004018F7 |. DD5C24 30 |fstp qword ptr ss:[esp+0x30] ; store its result
004018FB |. 8B4424 34 |mov eax,dword ptr ss:[esp+0x34]
004018FF |. 8B4C24 30 |mov ecx,dword ptr ss:[esp+0x30]
00401903 |. 8B5424 24 |mov edx,dword ptr ss:[esp+0x24] ; high dword of the accumulator at [esp+0x20]
00401907 |. 50 |push eax ; second argument: the result just stored
00401908 |. 8B4424 24 |mov eax,dword ptr ss:[esp+0x24] ; low dword of the accumulator (esp moved by 4)
0040190C |. 51 |push ecx
0040190D |. 52 |push edx ; first argument: the accumulator
0040190E |. 50 |push eax
0040190F |. 8BCE |mov ecx,esi
00401911 |. E8 FA010000 |call KeyGenMe.00401B10 ; combine accumulator and result (operation not shown)
00401916 |. 8A43 01 |mov al,byte ptr ds:[ebx+0x1] ; fetch the next character
00401919 |. 43 |inc ebx ; advance the string pointer
0040191A |. DD5C24 20 |fstp qword ptr ss:[esp+0x20] ; write the new accumulator value
0040191E |. 84C0 |test al,al
00401920 |.^ 75 84 \jnz XKeyGenMe.004018A6 ; repeat until the terminating NUL
; Second accumulation loop, over the user-name string (edi). The instruction sequence mirrors
; the machine-code loop; it differs in the fixed double constant and in the accumulator
; slot ([esp+0x28] instead of [esp+0x20]). Helper bodies 00401CC0 / 00401B10 are not shown.
; Addresses 004019A4-004019EC between this loop and the first compare loop are not listed.
00401922 |> \8A07 mov al,byte ptr ds:[edi] ; al = first character of the user name
00401924 |. 84C0 test al,al
00401926 |. 74 7C je XKeyGenMe.004019A4 ; empty user name: skip the loop (same shape as the first loop)
00401928 |> 0FBE57 01 /movsx edx,byte ptr ds:[edi+0x1] ; edx = next character, sign-extended
0040192C |. 0FBEC8 |movsx ecx,al ; ecx = current character
0040192F |. 894C24 10 |mov dword ptr ss:[esp+0x10],ecx
00401933 |. DB4424 10 |fild dword ptr ss:[esp+0x10] ; st0 = current character as a float
00401937 |. 895424 10 |mov dword ptr ss:[esp+0x10],edx
0040193B |. DD5C24 30 |fstp qword ptr ss:[esp+0x30] ; [esp+0x30] = current character as a double
0040193F |. DB4424 10 |fild dword ptr ss:[esp+0x10] ; st0 = next character as a float
00401943 |. 8B5424 34 |mov edx,dword ptr ss:[esp+0x34] ; high dword of the current-character double
00401947 |. DD5C24 10 |fstp qword ptr ss:[esp+0x10] ; [esp+0x10] = next character as a double
0040194B |. 8B4424 14 |mov eax,dword ptr ss:[esp+0x14]
0040194F |. 8B4C24 10 |mov ecx,dword ptr ss:[esp+0x10]
00401953 |. 50 |push eax ; third argument: next-character double (high dword)
00401954 |. 8B4424 34 |mov eax,dword ptr ss:[esp+0x34] ; low dword of the current-character double (esp moved by 4)
00401958 |. 51 |push ecx ; third argument, low dword
00401959 |. 68 9EEE9240 |push 0x4092EE9E ; second argument: constant double, high dword
0040195E |. 68 17B7D100 |push 0xD1B717 ; second argument, low dword
00401963 |. 52 |push edx ; first argument: current-character double (high dword)
00401964 |. 50 |push eax ; first argument, low dword
00401965 |. 8BCE |mov ecx,esi ; ecx = value returned earlier by 00417863
00401967 |. E8 54030000 |call KeyGenMe.00401CC0 ; helper not shown; result is left on the FPU stack
0040196C |. 83EC 08 |sub esp,0x8
0040196F |. 8BCE |mov ecx,esi
00401971 |. DD1C24 |fstp qword ptr ss:[esp] ; pass that result on as a double argument
00401974 |. E8 97010000 |call KeyGenMe.00401B10 ; helper not shown
00401979 |. DD5C24 30 |fstp qword ptr ss:[esp+0x30] ; store its result
0040197D |. 8B4C24 34 |mov ecx,dword ptr ss:[esp+0x34]
00401981 |. 8B5424 30 |mov edx,dword ptr ss:[esp+0x30]
00401985 |. 8B4424 2C |mov eax,dword ptr ss:[esp+0x2C] ; high dword of the accumulator at [esp+0x28]
00401989 |. 51 |push ecx ; second argument: the result just stored
0040198A |. 8B4C24 2C |mov ecx,dword ptr ss:[esp+0x2C] ; low dword of the accumulator (esp moved by 4)
0040198E |. 52 |push edx
0040198F |. 50 |push eax ; first argument: the accumulator
00401990 |. 51 |push ecx
00401991 |. 8BCE |mov ecx,esi
00401993 |. E8 78010000 |call KeyGenMe.00401B10 ; combine accumulator and result (operation not shown)
00401998 |. 8A47 01 |mov al,byte ptr ds:[edi+0x1] ; fetch the next character
0040199B |. 47 |inc edi ; advance the string pointer
0040199C |. DD5C24 28 |fstp qword ptr ss:[esp+0x28] ; write the new accumulator value
004019A0 |. 84C0 |test al,al
004019A2 |.^ 75 84 \jnz XKeyGenMe.00401928 ; repeat until the terminating NUL
; First compare loop: checks the first group of the entered serial, one character per pass.
; Expected character = ((ecx / (esi+7)) + (ecx / esi)) mod 26 + 'A', unsigned division.
; The values of ecx and esi on entry are set in code that is not listed (004019A4-004019EC).
; The author labels this "compare the first 5 characters"; the bound below (esi-8 < 4) gives
; 4 passes if esi starts at 8 - TODO confirm the start value.
; The expected character is computed locally and sits in dl at the cmp on every pass.
004019ED |> /8D7E 07 /lea edi,dword ptr ds:[esi+0x7] ; edi = esi + 7 (first divisor)
004019F0 |. |8BC1 |mov eax,ecx
004019F2 |. |33D2 |xor edx,edx ; zero the high half of the dividend
004019F4 |. |F7F7 |div edi ; eax = ecx / (esi+7)
004019F6 |. |33D2 |xor edx,edx ; discard the remainder
004019F8 |. |8BF8 |mov edi,eax ; edi = first quotient
004019FA |. |8BC1 |mov eax,ecx
004019FC |. |F7F6 |div esi ; eax = ecx / esi
004019FE |. |33D2 |xor edx,edx
00401A00 |. |03C7 |add eax,edi ; sum of the two quotients
00401A02 |. |BF 1A000000 |mov edi,0x1A
00401A07 |. |F7F7 |div edi ; edx = sum mod 26
00401A09 |. |8A442E F8 |mov al,byte ptr ds:[esi+ebp-0x8] ; al = entered-serial byte at index esi-8 (ebp = serial pointer)
00401A0D |. |80C2 41 |add dl,0x41 ; map 0..25 to 'A'..'Z'
00401A10 |. |3AC2 |cmp al,dl ; entered character vs expected character
00401A12 |0F85 AC000000 |jnz KeyGenMe.00401AC4 ; mismatch: leave via 00401AC4 (target not listed; presumably the failure path)
00401A18 |. |46 |inc esi
00401A19 |. |8D56 F8 |lea edx,dword ptr ds:[esi-0x8] ; edx = index of the next character
00401A1C |. |83FA 04 |cmp edx,0x4
00401A1F |.^\7C CC \jl XKeyGenMe.004019ED ; loop while index < 4
; Second compare loop: walks the entered serial from offset 5. The sample serial in the
; write-up has the form XXXX-XXXX-XXXX-XXXX, so offset 5 is the first letter of group two.
; Expected character = ((ecx mod (eax+esi)) + edi) mod 26 + 'A', where edi starts at ecx*5
; and grows by ecx on every pass. ecx, eax and the start value of ebx come from code that
; is not listed (00401A21-00401A3C).
; NOTE(review): the cmp at 00401A68 is followed by two NOPs, not a conditional jump, so
; its result is never used in this listing. The other three compare loops have a jnz to
; 00401AC4 at that point; the listing was presumably taken from a patched copy - confirm
; against the original file before relying on these bytes.
00401A3D |. 8D75 05 lea esi,dword ptr ss:[ebp+0x5] ; esi = entered serial + 5 (sixth character)
00401A40 |. 8D3C89 lea edi,dword ptr ds:[ecx+ecx*4] ; edi = ecx * 5
00401A43 |. 894424 10 mov dword ptr ss:[esp+0x10],eax ; keep eax for reloading on later passes
00401A47 |. EB 04 jmp XKeyGenMe.00401A4D ; first pass skips the reload
00401A49 |> 8B4424 10 /mov eax,dword ptr ss:[esp+0x10] ; reload the saved eax (author: pad with "0" when the entered serial is too short - not evident from these instructions)
00401A4D |> 8D2C30 lea ebp,dword ptr ds:[eax+esi] ; ebp = eax + esi, used as the divisor below (author's label: "serial into ebp")
00401A50 |. 8BC1 |mov eax,ecx
00401A52 |. 33D2 |xor edx,edx
00401A54 |. F7F5 |div ebp ; edx = ecx mod ebp
00401A56 |. BD 1A000000 |mov ebp,0x1A
00401A5B |. 8BC2 |mov eax,edx ; continue with the remainder
00401A5D |. 33D2 |xor edx,edx
00401A5F |. 03C7 |add eax,edi ; add the running multiple of ecx
00401A61 |. F7F5 |div ebp ; edx = value mod 26
00401A63 |. 8A06 |mov al,byte ptr ds:[esi] ; al = entered-serial character
00401A65 |. 80C2 41 |add dl,0x41 ; map 0..25 to 'A'..'Z'
00401A68 |. 3AC2 |cmp al,dl ; entered character vs expected character
00401A6A 90 |nop ; no branch here: the compare result is discarded
00401A6B 90 nop
00401A6C |. 43 |inc ebx ; loop counter (start value not shown)
00401A6D |. 03F9 |add edi,ecx ; edi += ecx for the next pass
00401A6F |. 46 |inc esi ; next serial character
00401A70 |. 83FB 09 |cmp ebx,0x9
00401A73 |.^ 7C D4 \jl XKeyGenMe.00401A49 ; loop while ebx < 9
; Third compare loop (author: real-vs-entered comparison starting at the ninth character).
; Expected character = ((ecx mod (esi+2)) + (ecx / esi)) mod 26 + 'A', unsigned division.
; The serial byte is read at [edi+esi-0x53]; the loop ends when esi-0x53 reaches 0xE.
; The values of ecx, edi and esi on entry are set in code that is not listed.
00401A8E |> /8D5E 02 /lea ebx,dword ptr ds:[esi+0x2] ; ebx = esi + 2 (first divisor)
00401A91 |. |8BC1 |mov eax,ecx
00401A93 |. |33D2 |xor edx,edx
00401A95 |. |F7F3 |div ebx ; edx = ecx mod (esi+2)
00401A97 |. |8BC1 |mov eax,ecx
00401A99 |. |8BDA |mov ebx,edx ; ebx = that remainder
00401A9B |. |33D2 |xor edx,edx
00401A9D |. |F7F6 |div esi ; eax = ecx / esi
00401A9F |. |33D2 |xor edx,edx
00401AA1 |. |03C3 |add eax,ebx ; quotient + remainder
00401AA3 |. |BB 1A000000 |mov ebx,0x1A
00401AA8 |. |F7F3 |div ebx ; edx = sum mod 26
00401AAA |. |8A4437 AD |mov al,byte ptr ds:[edi+esi-0x53] ; al = entered-serial byte at edi + (esi-0x53)
00401AAE |. |80C2 41 |add dl,0x41 ; map 0..25 to 'A'..'Z'
00401AB1 |. |3AC2 |cmp al,dl ; entered character vs expected character
00401AB3 |75 0F |jnz XKeyGenMe.00401AC4 ; mismatch: leave via 00401AC4 (target not listed; presumably the failure path)
00401AB5 |. |46 |inc esi
00401AB6 |. |8D46 AD |lea eax,dword ptr ds:[esi-0x53] ; eax = index of the next character
00401AB9 |. |83F8 0E |cmp eax,0xE
00401ABC |.^\7C D0 \jl XKeyGenMe.00401A8E ; loop while index < 0xE
; Fourth compare loop (author: real-vs-entered comparison starting at the 13th character).
; Expected character = ((ecx mod esi) + (ecx / esi)) mod 26 + 'A', unsigned division.
; The serial byte is read at [esi+edi] and the loop runs while esi < 0x13; 0x13 = 19 is the
; length of a XXXX-XXXX-XXXX-XXXX string. The values of ecx, edi and esi on entry are set in
; code that is not listed, and no return instruction of the routine appears in this excerpt.
00401AD3 |> /8BC1 mov eax,ecx ; dividend = ecx
00401AD5 |. |33D2 xor edx,edx
00401AD7 |. |F7F6 div esi ; edx = ecx mod esi
00401AD9 |. |8BC1 mov eax,ecx
00401ADB |. |8BDA mov ebx,edx ; ebx = that remainder
00401ADD |. |33D2 xor edx,edx
00401ADF |. |F7F6 div esi ; eax = ecx / esi
00401AE1 |. |33D2 xor edx,edx
00401AE3 |. |03C3 add eax,ebx ; quotient + remainder
00401AE5 |. |BB 1A000000 mov ebx,0x1A
00401AEA |. |F7F3 div ebx ; edx = sum mod 26
00401AEC |. |8A043E mov al,byte ptr ds:[esi+edi] ; al = entered-serial byte at edi + esi
00401AEF |. |80C2 41 add dl,0x41 ; map 0..25 to 'A'..'Z'
00401AF2 |. |3AC2 cmp al,dl ; entered character vs expected character
00401AF4 ^|75 CE jnz XKeyGenMe.00401AC4 ; mismatch: jump back to 00401AC4, the same target as the other compare loops
00401AF6 |. |46 inc esi
00401AF7 |. |83FE 13 cmp esi,0x13
00401AFA |.^\7C D7 jl XKeyGenMe.00401AD3 ; loop while esi < 0x13
--------------------------------------------------------------------------------
【版权声明】: 本文原创于Crack_Qs[4st Team], 转载请注明作者并保持文章的完整, 谢谢!
2013年12月14日 12:42:26