Analysis of zapline's reposted CM (Day 9)
【Title】: Analysis of zapline's reposted CM (Day 9)
【Author】: creantan
【Author's e-mail】: creantan@126.com
【Author's homepage】: www.crack-me.com
【Download】: http://bbs.52pojie.cn/thread-18577-1-1.html
【Author's note】: Done purely out of interest, for no other purpose. Corrections of any mistakes from the experts are welcome!
【Detailed process】
PEiD packer check -> MASM32 / TASM32
Written in assembly... heh...
The code is clear...
0040105C .6A 00 push 0 ; |/(initial cpu selection)
0040105E .68 6F214000 push 0040216F ; ||Attributes = READONLY|HIDDEN|SYSTEM|ARCHIVE|TEMPORARY|402048
00401063 .6A 03 push 3 ; ||Mode = OPEN_EXISTING
00401065 .6A 00 push 0 ; ||pSecurity = NULL
00401067 .6A 03 push 3 ; ||ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401069 .68 000000C0 push C0000000 ; ||Access = GENERIC_READ|GENERIC_WRITE
0040106E .68 79204000 push 00402079 ; ||due-cm2.dat
00401073 .E8 0B020000 call <jmp.&KERNEL32.CreateFileA> ; |\CreateFileA
00401078 .83F8 FF cmp eax, -1 ; |open the file due-cm2.dat
0040107B .75 1D jnz short 0040109A ; |if it does not exist, show the "time-trial has ended" message
0040107D .6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
0040107F .68 01204000 push 00402001 ; ||duelist's crackme #2
00401084 .68 17204000 push 00402017 ; ||your time-trial has ended... please register and copy the keyfile sent to you to this directory!
00401089 .6A 00 push 0 ; ||hOwner = NULL
0040108B .E8 D7020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
00401090 .E8 24020000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
00401095 .E9 28010000 jmp 004011C2
0040109A >6A 00 push 0 ; /pOverlapped = NULL
0040109C .68 73214000 push 00402173 ; |pBytesRead = DueList_.00402173
004010A1 .6A 46 push 46 ; |read 0x46 = 70 bytes
004010A3 .68 1A214000 push 0040211A ; |destination buffer
004010A8 .50 push eax ; |hFile
004010A9 .E8 2F020000 call <jmp.&KERNEL32.ReadFile> ; \ReadFile
004010AE .85C0 test eax, eax ;did ReadFile succeed?
004010B0 .75 02 jnz short 004010B4
004010B2 .EB 43 jmp short 004010F7
004010B4 >33DB xor ebx, ebx
004010B6 .33F6 xor esi, esi
004010B8 .833D 73214000 12 cmp dword ptr [402173], 12 ;compare the number of bytes read with 18 (0x12)
004010BF .7C 36 jl short 004010F7 ;fewer: show the invalid keyfile message
004010C1 >8A83 1A214000 mov al, byte ptr [ebx+40211A] ;fetch the bytes one at a time
004010C7 .3C 00 cmp al, 0 ;end of data?
004010C9 .74 08 je short 004010D3
004010CB .3C 01 cmp al, 1 ;is the byte 0x01?
004010CD .75 01 jnz short 004010D0 ;jump if not
004010CF .46 inc esi ;ESI++ (count of 0x01 bytes)
004010D0 >43 inc ebx ;EBX++
004010D1 .^ EB EE jmp short 004010C1
004010D3 >83FE 02 cmp esi, 2 ;does the file contain at least two 0x01 bytes?
004010D6 .7C 1F jl short 004010F7 ;fewer: show the invalid keyfile message
004010D8 .33F6 xor esi, esi ;esi = 0
004010DA .33DB xor ebx, ebx ;ebx = 0
004010DC >8A83 1A214000 mov al, byte ptr [ebx+40211A] ;scan the file again from the start
004010E2 .3C 00 cmp al, 0 ;end of file?
004010E4 .74 09 je short 004010EF
004010E6 .3C 01 cmp al, 1 ;is the byte 0x01?
004010E8 .74 05 je short 004010EF
004010EA .03F0 add esi, eax ;sum the bytes from the start of the file up to the first 0x01 (or the end of file)
004010EC .43 inc ebx
004010ED .^ EB ED jmp short 004010DC
004010EF >81FE D5010000 cmp esi, 1D5 ;compare the sum with 0x1D5
004010F5 .74 1D je short 00401114 ;not equal: show the invalid keyfile message
004010F7 >6A 00 push 0 ; |/Style = MB_OK|MB_APPLMODAL
004010F9 .68 01204000 push 00402001 ; ||duelist's crackme #2
004010FE .68 86204000 push 00402086 ; ||your current keyfile is invalid... please obtain a valid one from the software author!
00401103 .6A 00 push 0 ; ||hOwner = NULL
00401105 .E8 5D020000 call <jmp.&USER32.MessageBoxA> ; |\MessageBoxA
0040110A .E8 AA010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040110F .E9 AE000000 jmp 004011C2
00401114 >33F6 xor esi, esi ;esi = 0
00401116 >43 inc ebx ;ebx++
00401117 .8A83 1A214000 mov al, byte ptr [ebx+40211A] ;fetch file[ebx]; file is the buffer at 0x0040211A
0040111D .3C 00 cmp al, 0
0040111F .74 18 je short 00401139 ;end of file?
00401121 .3C 01 cmp al, 1
00401123 .74 14 je short 00401139 ;is the byte 0x01?
00401125 .83FE 0F cmp esi, 0F ;compare esi with 0x0F (at most 15 characters)
00401128 .73 0F jnb short 00401139
0040112A .3286 1A214000 xor al, byte ptr [esi+40211A] ;al ^= file[esi]
00401130 .8986 60214000 mov dword ptr [esi+402160], eax ;this builds the user name shown after successful registration
00401136 .46 inc esi ;esi++
00401137 .^ EB DD jmp short 00401116
00401139 >43 inc ebx ;ebx++ (skip the separator)
0040113A .33F6 xor esi, esi ;esi = 0
0040113C >8A83 1A214000 mov al, byte ptr [ebx+40211A] ;fetch file[ebx]
00401142 .3C 00 cmp al, 0
00401144 .74 09 je short 0040114F ;end of file?
00401146 .3C 01 cmp al, 1
00401148 .^ 74 F2 je short 0040113C ;is the byte 0x01? (loops back without advancing ebx)
0040114A .03F0 add esi, eax ;sum
0040114C .43 inc ebx ;ebx++
0040114D .^ EB ED jmp short 0040113C
0040114F >81FE B2010000 cmp esi, 1B2 ;compare esi with 0x1B2; not equal: show the invalid keyfile message
00401155 .^ 75 A0 jnz short 004010F7
00401157 .6A 00 push 0 ; /lParam = NULL
00401159 .68 C9114000 push 004011C9 ; |DlgProc = DueList_.004011C9
0040115E .6A 00 push 0 ; |hOwner = NULL
00401160 .6A 05 push 5 ; |pTemplate = 5
00401162 .FF35 77214000 push dword ptr [402177] ; |hInst = NULL
00401168 .E8 42020000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
004011F4 > \68 60214000 push 00402160 ; /user name
004011F9 .6A 01 push 1 ; |ControlID = 1
004011FB .FF75 08 push dword ptr [ebp+8] ; |hWnd
004011FE .E8 5E010000 call <jmp.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA //set the edit control to the user name, i.e. the licensee
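As an added example (not from the original post and not the crackme's own code), the following Python reference model re-implements the keyfile check exactly as the listing above performs it, so that a reading of the disassembly can be confirmed against a real due-cm2.dat. The constants (0x46 buffer, 0x12 minimum length, 0x1D5 and 0x1B2 sums, 0x0F name limit) come from the listing; the sample keyfile bytes are constructed here, and the assumption that a zero byte follows the 0x46-byte buffer is ours. The model also surfaces the one edge case the original does not handle: a 0x01 byte in the third segment makes 00401148 jump back to 0040113C without advancing ebx, so the real program never returns; the model reports it instead of spinning.

```python
# Reference model of the due-cm2.dat keyfile check, reconstructed from the
# OllyDbg listing above.  Added example, not the crackme's own code.
BUF_SIZE = 0x46      # ReadFile length pushed at 004010A1
MIN_BYTES = 0x12     # cmp dword ptr [402173], 12 at 004010B8
SEG1_SUM = 0x1D5     # cmp esi, 1D5 at 004010EF
SEG3_SUM = 0x1B2     # cmp esi, 1B2 at 0040114F
MAX_NAME = 0x0F      # cmp esi, 0F at 00401125


def check_keyfile(data: bytes):
    """Return (status, username); status is 'ok', 'invalid' or 'hang'."""
    bytes_read = min(len(data), BUF_SIZE)
    # Assumption: a zero byte follows the 0x46-byte buffer at 0x0040211A.
    buf = data[:BUF_SIZE] + b"\x00"

    def at(i):
        return buf[i] if i < len(buf) else 0

    if bytes_read < MIN_BYTES:                 # 004010B8: fewer than 18 bytes read
        return "invalid", None

    # Pass 1 (004010C1): count 0x01 bytes up to the first 0x00; need at least 2.
    ones, ebx = 0, 0
    while at(ebx) != 0:
        if at(ebx) == 1:
            ones += 1
        ebx += 1
    if ones < 2:
        return "invalid", None

    # Pass 2 (004010DC): sum segment 1 up to the first 0x00/0x01; must be 0x1D5.
    esi, ebx = 0, 0
    while at(ebx) not in (0, 1):
        esi += at(ebx)
        ebx += 1
    if esi != SEG1_SUM:
        return "invalid", None

    # Pass 3 (00401116): name[i] = seg2[i] ^ file[i], at most 15 characters.
    name = bytearray()
    esi = 0
    while True:
        ebx += 1                               # inc ebx at the loop head
        al = at(ebx)
        if al in (0, 1) or esi >= MAX_NAME:
            break
        name.append(al ^ at(esi))              # xor al, [esi+40211A]
        esi += 1
    ebx += 1                                   # 00401139: skip the separator

    # Pass 4 (0040113C): sum segment 3 up to 0x00; must be 0x1B2.  A 0x01 here
    # sends the original back to 0040113C without inc ebx, i.e. it never ends.
    esi = 0
    while at(ebx) != 0:
        if at(ebx) == 1:
            return "hang", None
        esi += at(ebx)
        ebx += 1
    if esi != SEG3_SUM:
        return "invalid", None
    return "ok", name.decode("latin-1")


# Constructed sample keyfile (not the attachment from the original post):
# "ABCDEF@" sums to 0x1D5, "AAAAAA," sums to 0x1B2, and the middle segment
# XORed byte-wise with "ABCDEF@" yields the user name "zapline".
SAMPLE_KEYFILE = b"ABCDEF@" + b"\x01" + b";#3(,(%" + b"\x01" + b"AAAAAA," + b"\x00"

if __name__ == "__main__":
    print(check_keyfile(SAMPLE_KEYFILE))
    print(check_keyfile(b"ABCDEF@\x01;#3(,(%\x01AA\x01AAAA,\x00"))  # 0x01 in segment 3
```

Running the module prints `('ok', 'zapline')` for the sample file and `('hang', None)` for the variant with a 0x01 in the third segment, which is the input that would make the real binary loop forever.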
--------------------------------------------------------------------------------
【Summary】
The assembly code is fairly clear... I like it... A keyfile is provided, see the attachment.
--------------------------------------------------------------------------------
【Copyright notice】: This article was written by creantan; when reposting, please credit the author and keep the article intact, thanks!
2009-02-05 9:05:20 That was fast :lol
No chance for anyone else, that was fast. Worshipping and learning :) Lining up to worship the great C!
[ This post was last edited by x80x88 on 2009-2-5 10:08 ] Still lining up to worship the great C, hoping that one day I can understand the algorithms too!!!!! Too fast, post it a bit later next time. I have looked at so many CM algorithms and still don't get them. I hope zapline can open a thread to organise the CMs he posted, with the great C's analysis in the second post... so that beginners like us can learn bit by bit...
Originally posted by 西氏 on 2009-2-5 23:17:
I hope zapline can open a thread to organise the CMs he posted, with the great C's analysis in the second post... so that beginners like us can learn bit by bit...
Go look in the CM section. Came to have a look.