【吾爱2013CM大赛解答】--KeyGenMe2013 -- loudy思星分析
【文章标题】: 吾爱2013CM大赛解答--KeyGenMe2013 -- loudy思星分析
【文章作者】: Crack_Qs
【作者主页】: www.reversesec.com
【软件名称】: KeyGenMe2013 -- loudy
【下载地址】: http://www.52pojie.cn/thread-228429-1-1.html
【操作平台】: win xp
【作者声明】: 我是打酱油的,失误之处敬请诸位大侠赐教! 技术支持:Peace、kido
--------------------------------------------------------------------------------
【详细过程】
用户名 Crack_Qs
注册码 WMUH-YEPO-KQQZ-CLAB
机器码 87552884
机器码 ASCII(十六进制): 38 37 35 35 32 38 38 34
用户名 ASCII(十六进制): 43 72 61 63 6B 5F 51 73
注册码(去掉“-”): WMUHYEPOKQQZCLAB
注册码(按组): WMUH YEPO KQQZ CLAB
注册码 ASCII(十六进制): 57 4D 55 48 59 45 50 4F 4B 51 51 5A 43 4C 41 42
; Call site of the routine at 00401840 (listed below), which the author identifies as the serial-check algorithm.
0040164A .E8 F1010000 call KeyGenMe.00401840 ; author: the algorithm call
; Entry of routine 00401840 (OllyDbg listing, 32-bit x86, Intel syntax).
; Sets up a frame, fetches three strings through 00418563 and zeroes 16 bytes of stack
; that the two loops further down use as qword slots.
; The memory operands after "ds:"/"ss:" were lost when the page was extracted; the bracketed
; forms in the comments are decoded from the opcode bytes shown on each line.
00401840/$55 push ebp
00401841|.8BEC mov ebp,esp
00401843|.83E4 F8 and esp,0xFFFFFFF8 ; round esp down to a multiple of 8
00401846|.83EC 28 sub esp,0x28 ; reserve 0x28 bytes of locals
00401849|.53 push ebx
0040184A|.55 push ebp
0040184B|.56 push esi
0040184C|.57 push edi
0040184D|.8BF1 mov esi,ecx ; keep the incoming ecx in esi (presumably an object pointer - confirm against the caller)
0040184F|.6A 00 push 0x0
00401851|.E8 0D6D0100 call KeyGenMe.00418563 ; author: read the machine code (ecx is still the incoming value here)
00401856|.6A 00 push 0x0
00401858|.8D4E 08 lea ecx,dword ptr ds: ; decoded from 8D4E 08: lea ecx,[esi+0x8]
0040185B|.8BD8 mov ebx,eax ; ebx = result of the first call (machine-code string, per the author)
0040185D|.E8 016D0100 call KeyGenMe.00418563 ; author: read the user name
00401862|.6A 00 push 0x0
00401864|.8D4E 04 lea ecx,dword ptr ds: ; decoded from 8D4E 04: lea ecx,[esi+0x4]
00401867|.8BF8 mov edi,eax ; edi = result of the second call (user name, per the author)
00401869|.E8 F56C0100 call KeyGenMe.00418563 ; author: read the entered ("fake") serial
0040186E|.8BE8 mov ebp,eax ; ebp = result of the third call (entered serial, per the author)
00401870|.6A 01 push 0x1
00401872|.896C24 20 mov dword ptr ss:,ebp ; decoded from 896C24 20: mov [esp+0x20],ebp
00401876|.E8 E85F0100 call KeyGenMe.00417863 ; purpose not shown in this listing; takes the pushed 1
0040187B|.8BF0 mov esi,eax ; esi = its result; passed in ecx to 00401CC0 / 00401B10 in the loops below
0040187D|.8A03 mov al,byte ptr ds: ; author: first machine-code character into al (8A03 = mov al,[ebx])
0040187F|.83C4 04 add esp,0x4 ; caller removes the argument pushed for 00417863
00401882|.C74424 20 000>mov dword ptr ss:,0x0 ; [esp+0x20] = 0 (displacement from the opcode bytes; the listing truncates the immediate)
0040188A|.84C0 test al,al ; flags for the je at 004018A4; the mov instructions in between leave them unchanged
0040188C|.C74424 24 000>mov dword ptr ss:,0x0 ; [esp+0x24] = 0
00401894|.C74424 28 000>mov dword ptr ss:,0x0 ; [esp+0x28] = 0
0040189C|.C74424 2C 000>mov dword ptr ss:,0x0 ; author: 16 bytes have now been cleared ([esp+0x20]..[esp+0x2F])
004018A4|.74 7C je XKeyGenMe.00401922 ; author: start taking the machine-code ASCII values; skipped when the first byte is 0
; Loop 1 (004018A6-00401920): walks the machine-code string through ebx, one character per pass,
; until the byte at [ebx+1] is 0. Each pass converts the current and the next character code to
; doubles (fild dword / fstp qword), hands them together with an 8-byte immediate to 00401CC0,
; sends the x87 result through 00401B10 twice and stores the final x87 result in the qword at [esp+0x20].
; What 00401CC0 and 00401B10 compute is not shown in this listing.
; Bracketed operands in the comments are decoded from the opcode bytes (the listing lost them).
004018A6|>0FBE4B 01 /movsx ecx,byte ptr ds: ; author: ASCII value of the second character into ecx (0FBE4B 01 = movsx ecx,byte [ebx+1])
004018AA|.0FBEC0 |movsx eax,al ; author: al into eax, i.e. the ASCII value of the current (first) character
004018AD|.894424 10 |mov dword ptr ss:,eax ; [esp+0x10] = current character code
004018B1|.DB4424 10 |fild dword ptr ss: ; load it onto the x87 stack as an integer
004018B5|.894C24 10 |mov dword ptr ss:,ecx ; [esp+0x10] = next character code
004018B9|.DD5C24 30 |fstp qword ptr ss: ; qword [esp+0x30] = current character as a double
004018BD|.DB4424 10 |fild dword ptr ss:
004018C1|.8B4C24 34 |mov ecx,dword ptr ss: ; ecx = [esp+0x34], high dword of the current-character double
004018C5|.DD5C24 10 |fstp qword ptr ss: ; qword [esp+0x10] = next character as a double
004018C9|.8B5424 14 |mov edx,dword ptr ss: ; edx = [esp+0x14], high dword of the next-character double
004018CD|.8B4424 10 |mov eax,dword ptr ss: ; eax = [esp+0x10], its low dword
004018D1|.52 |push edx
004018D2|.8B5424 34 |mov edx,dword ptr ss: ; encoded as [esp+0x34]; after the push this is the low dword of the current-character double
004018D6|.50 |push eax ; next-character double is now on the stack
004018D7|.68 32545E40 |push 0x405E5432 ; high dword of an 8-byte immediate
004018DC|.68 87A757CA |push 0xCA57A787 ; low dword; read as an IEEE-754 double the pair is roughly 121.3 - verify
004018E1|.51 |push ecx
004018E2|.52 |push edx ; current-character double is now on top of the stack
004018E3|.8BCE |mov ecx,esi ; ecx = value returned by 00417863 earlier
004018E5|.E8 D6030000 |call KeyGenMe.00401CC0 ; result comes back on the x87 stack (stored by the fstp below)
004018EA|.83EC 08 |sub esp,0x8
004018ED|.8BCE |mov ecx,esi
004018EF|.DD1C24 |fstp qword ptr ss: ; DD1C24 = fstp qword [esp]: pass the 00401CC0 result as a stack argument
004018F2|.E8 19020000 |call KeyGenMe.00401B10
004018F7|.DD5C24 30 |fstp qword ptr ss: ; qword [esp+0x30] = result of this 00401B10 call
004018FB|.8B4424 34 |mov eax,dword ptr ss: ; high dword of that result
004018FF|.8B4C24 30 |mov ecx,dword ptr ss: ; low dword of that result
00401903|.8B5424 24 |mov edx,dword ptr ss: ; [esp+0x24]: high dword of the running value kept at [esp+0x20]
00401907|.50 |push eax
00401908|.8B4424 24 |mov eax,dword ptr ss: ; encoded as [esp+0x24]; after the push this is the low dword of the running value
0040190C|.51 |push ecx
0040190D|.52 |push edx
0040190E|.50 |push eax ; stack now holds the running value and the new result as two doubles
0040190F|.8BCE |mov ecx,esi
00401911|.E8 FA010000 |call KeyGenMe.00401B10
00401916|.8A43 01 |mov al,byte ptr ds: ; 8A43 01 = mov al,[ebx+1]: fetch the next character before advancing
00401919|.43 |inc ebx ; advance one character
0040191A|.DD5C24 20 |fstp qword ptr ss: ; qword [esp+0x20] = new running value for the machine code
0040191E|.84C0 |test al,al
00401920|.^ 75 84 \jnz XKeyGenMe.004018A6 ; repeat until the terminating 0 byte
; Loop 2 (00401928-004019A2): same shape as the machine-code loop, but walks the user name through edi,
; uses a different 8-byte immediate, and keeps its running value in the qword at [esp+0x28].
; The code between 004019A2 and 004019ED is not reproduced on the page, so how the two running values
; are turned into the integer used by the comparison loops cannot be read from this listing.
; Bracketed operands in the comments are decoded from the opcode bytes (the listing lost them).
00401922|> \8A07 mov al,byte ptr ds: ; author: user name into al, start taking ASCII values (8A07 = mov al,[edi])
00401924|.84C0 test al,al
00401926|.74 7C je XKeyGenMe.004019A4 ; author: what follows matches the first section, taking the user-name ASCII values; skipped for an empty name
00401928|>0FBE57 01 /movsx edx,byte ptr ds: ; 0FBE57 01 = movsx edx,byte [edi+1]: next character code
0040192C|.0FBEC8 |movsx ecx,al ; current character code
0040192F|.894C24 10 |mov dword ptr ss:,ecx ; [esp+0x10] = current character code
00401933|.DB4424 10 |fild dword ptr ss:
00401937|.895424 10 |mov dword ptr ss:,edx ; [esp+0x10] = next character code
0040193B|.DD5C24 30 |fstp qword ptr ss: ; qword [esp+0x30] = current character as a double
0040193F|.DB4424 10 |fild dword ptr ss:
00401943|.8B5424 34 |mov edx,dword ptr ss: ; edx = [esp+0x34], high dword of the current-character double
00401947|.DD5C24 10 |fstp qword ptr ss: ; qword [esp+0x10] = next character as a double
0040194B|.8B4424 14 |mov eax,dword ptr ss: ; high dword of the next-character double
0040194F|.8B4C24 10 |mov ecx,dword ptr ss: ; low dword of the next-character double
00401953|.50 |push eax
00401954|.8B4424 34 |mov eax,dword ptr ss: ; encoded as [esp+0x34]; after the push this is the low dword of the current-character double
00401958|.51 |push ecx
00401959|.68 9EEE9240 |push 0x4092EE9E ; high dword of an 8-byte immediate
0040195E|.68 17B7D100 |push 0xD1B717 ; low dword; read as an IEEE-754 double the pair is roughly 1211.65 - verify
00401963|.52 |push edx
00401964|.50 |push eax ; current-character double is now on top of the stack
00401965|.8BCE |mov ecx,esi
00401967|.E8 54030000 |call KeyGenMe.00401CC0 ; same helper as in the machine-code loop
0040196C|.83EC 08 |sub esp,0x8
0040196F|.8BCE |mov ecx,esi
00401971|.DD1C24 |fstp qword ptr ss: ; DD1C24 = fstp qword [esp]: pass the 00401CC0 result as a stack argument
00401974|.E8 97010000 |call KeyGenMe.00401B10
00401979|.DD5C24 30 |fstp qword ptr ss: ; qword [esp+0x30] = result of this 00401B10 call
0040197D|.8B4C24 34 |mov ecx,dword ptr ss: ; high dword of that result
00401981|.8B5424 30 |mov edx,dword ptr ss: ; low dword of that result
00401985|.8B4424 2C |mov eax,dword ptr ss: ; [esp+0x2C]: high dword of the running value kept at [esp+0x28]
00401989|.51 |push ecx
0040198A|.8B4C24 2C |mov ecx,dword ptr ss: ; encoded as [esp+0x2C]; after the push this is the low dword of the running value
0040198E|.52 |push edx
0040198F|.50 |push eax
00401990|.51 |push ecx ; stack now holds the running value and the new result as two doubles
00401991|.8BCE |mov ecx,esi
00401993|.E8 78010000 |call KeyGenMe.00401B10
00401998|.8A47 01 |mov al,byte ptr ds: ; 8A47 01 = mov al,[edi+1]: fetch the next character before advancing
0040199B|.47 |inc edi ; advance one character
0040199C|.DD5C24 28 |fstp qword ptr ss: ; qword [esp+0x28] = new running value for the user name
004019A0|.84C0 |test al,al
004019A2|.^ 75 84 \jnz XKeyGenMe.00401928 ; repeat until the terminating 0 byte
; Comparison loop 1 (004019ED-00401A1F). ecx holds a 32-bit value whose computation lies in the part of
; the routine the page omits (004019A4-004019EC). For each esi the loop derives one letter:
;   dl = ((ecx / (esi+7)) + (ecx / esi)) mod 0x1A + 0x41      (unsigned 32-bit; 0x41 = 'A', so 'A'..'Z')
; and compares it with one byte read at [esi+ebp-8]; any mismatch leaves through 00401AC4 (target not shown).
; NOTE(review): the author's caption says "first 5", but the visible bound is (esi-8) < 4; the start value
; of esi is outside this excerpt - confirm.
; NOTE(review): the whole check runs locally and the expected letter sits in dl in clear form right before
; the cmp, so this scheme only works as an exercise, not as real licence protection.
004019ED|> /8D7E 07 /lea edi,dword ptr ds: ; author: compare ASCII values of the first 5 characters of the real and entered serial (8D7E 07 = lea edi,[esi+0x7])
004019F0|. |8BC1 |mov eax,ecx
004019F2|. |33D2 |xor edx,edx ; zero the high half of the dividend before each unsigned div
004019F4|. |F7F7 |div edi ; eax = ecx / (esi+7)
004019F6|. |33D2 |xor edx,edx ; remainder discarded
004019F8|. |8BF8 |mov edi,eax ; keep the first quotient
004019FA|. |8BC1 |mov eax,ecx
004019FC|. |F7F6 |div esi ; eax = ecx / esi
004019FE|. |33D2 |xor edx,edx
00401A00|. |03C7 |add eax,edi ; sum of the two quotients
00401A02|. |BF 1A000000 |mov edi,0x1A ; 26 letters
00401A07|. |F7F7 |div edi ; edx = sum mod 26
00401A09|. |8A442E F8 |mov al,byte ptr ds: ; 8A442E F8 = mov al,[esi+ebp-0x8]: entered character (assumes ebp still points at the entered serial - confirm)
00401A0D|. |80C2 41 |add dl,0x41 ; map 0..25 to 'A'..'Z'
00401A10|. |3AC2 |cmp al,dl
00401A12 |0F85 AC000000 |jnz KeyGenMe.00401AC4 ; mismatch path
00401A18|. |46 |inc esi
00401A19|. |8D56 F8 |lea edx,dword ptr ds: ; 8D56 F8 = lea edx,[esi-0x8]: position within this group
00401A1C|. |83FA 04 |cmp edx,0x4
00401A1F|.^\7C CC \jl XKeyGenMe.004019ED ; loop while (esi-8) < 4
; Comparison loop 2 (00401A3D-00401A73). esi walks the entered serial from offset 5, ebx counts up to 9
; (its start value is outside this excerpt). Per pass:
;   dl = ((ecx mod (eax+esi)) + edi) mod 0x1A + 0x41, with edi starting at ecx*5 and growing by ecx each pass,
; where eax is the value saved at [esp+0x10] before the loop.
; NOTE(review): the two bytes after "cmp al,dl" are NOPs, and the following inc/add overwrite the flags, so
; as listed the result of this compare is never acted on. The other three loops have a jnz to 00401AC4 in
; that position - possibly a branch that was patched out; confirm against an unmodified copy of the binary.
; Bracketed operands in the comments are decoded from the opcode bytes (the listing lost them).
00401A3D|.8D75 05 lea esi,dword ptr ss: ; author: esi = entered serial from its sixth character (8D75 05 = lea esi,[ebp+0x5])
00401A40|.8D3C89 lea edi,dword ptr ds: ; 8D3C89 = lea edi,[ecx+ecx*4]: edi = ecx*5
00401A43|.894424 10 mov dword ptr ss:,eax ; save eax at [esp+0x10]; its origin is not in this excerpt
00401A47|.EB 04 jmp XKeyGenMe.00401A4D ; first pass skips the reload below
00401A49|>8B4424 10 /mov eax,dword ptr ss: ; author: pad with "0" when the entered serial is too short. NOTE(review): the instruction itself only reloads eax from [esp+0x10]
00401A4D|>8D2C30 lea ebp,dword ptr ds: ; author: entered serial into ebp. Decoded from 8D2C30: lea ebp,[eax+esi], used as the divisor below
00401A50|.8BC1 |mov eax,ecx
00401A52|.33D2 |xor edx,edx
00401A54|.F7F5 |div ebp ; edx = ecx mod (eax+esi)
00401A56|.BD 1A000000 |mov ebp,0x1A ; 26 letters
00401A5B|.8BC2 |mov eax,edx ; continue with the remainder
00401A5D|.33D2 |xor edx,edx
00401A5F|.03C7 |add eax,edi
00401A61|.F7F5 |div ebp ; edx = (remainder + edi) mod 26
00401A63|.8A06 |mov al,byte ptr ds: ; 8A06 = mov al,[esi]: entered character
00401A65|.80C2 41 |add dl,0x41 ; map 0..25 to 'A'..'Z'
00401A68|.3AC2 |cmp al,dl
00401A6A 90 |nop
00401A6B 90 nop
00401A6C|.43 |inc ebx
00401A6D|.03F9 |add edi,ecx ; edi grows by ecx each pass
00401A6F|.46 |inc esi ; next entered character
00401A70|.83FB 09 |cmp ebx,0x9
00401A73|.^ 7C D4 \jl XKeyGenMe.00401A49 ; loop while ebx < 9
; Comparison loop 3 (00401A8E-00401ABC). Per pass:
;   dl = ((ecx mod (esi+2)) + (ecx / esi)) mod 0x1A + 0x41
; compared with the byte at [edi+esi-0x53]; a mismatch leaves through 00401AC4 (target not shown).
; The loop runs while (esi-0x53) < 0xE; the start value of esi and the content of edi are set in code
; that is not part of this excerpt.
; Bracketed operands in the comments are decoded from the opcode bytes (the listing lost them).
00401A8E|> /8D5E 02 /lea ebx,dword ptr ds: ; author: real/entered serial comparison starting at the ninth position (8D5E 02 = lea ebx,[esi+0x2])
00401A91|. |8BC1 |mov eax,ecx
00401A93|. |33D2 |xor edx,edx
00401A95|. |F7F3 |div ebx ; edx = ecx mod (esi+2)
00401A97|. |8BC1 |mov eax,ecx
00401A99|. |8BDA |mov ebx,edx ; keep the remainder
00401A9B|. |33D2 |xor edx,edx
00401A9D|. |F7F6 |div esi ; eax = ecx / esi
00401A9F|. |33D2 |xor edx,edx
00401AA1|. |03C3 |add eax,ebx ; quotient + remainder
00401AA3|. |BB 1A000000 |mov ebx,0x1A ; 26 letters
00401AA8|. |F7F3 |div ebx ; edx = sum mod 26
00401AAA|. |8A4437 AD |mov al,byte ptr ds: ; 8A4437 AD = mov al,[edi+esi-0x53]: entered character (presumably edi is the serial base - confirm)
00401AAE|. |80C2 41 |add dl,0x41 ; map 0..25 to 'A'..'Z'
00401AB1|. |3AC2 |cmp al,dl
00401AB3 |75 0F |jnz XKeyGenMe.00401AC4 ; mismatch path
00401AB5|. |46 |inc esi
00401AB6|. |8D46 AD |lea eax,dword ptr ds: ; 8D46 AD = lea eax,[esi-0x53]: position index
00401AB9|. |83F8 0E |cmp eax,0xE
00401ABC|.^\7C D0 \jl XKeyGenMe.00401A8E ; loop while (esi-0x53) < 0xE
; Comparison loop 4 (00401AD3-00401AFA). Both divisions use esi as divisor; per pass:
;   dl = ((ecx mod esi) + (ecx / esi)) mod 0x1A + 0x41
; compared with the byte at [esi+edi]; a mismatch jumps back to 00401AC4 (target not shown).
; The loop runs while esi < 0x13 (19, the length of the sample serial including its three dashes);
; the start value of esi is set outside this excerpt. The routine's tail after 00401AFA is not on the page.
00401AD3|> /8BC1 mov eax,ecx ; author: real/entered serial comparison starting at the 13th position
00401AD5|. |33D2 xor edx,edx
00401AD7|. |F7F6 div esi ; edx = ecx mod esi
00401AD9|. |8BC1 mov eax,ecx
00401ADB|. |8BDA mov ebx,edx ; keep the remainder
00401ADD|. |33D2 xor edx,edx
00401ADF|. |F7F6 div esi ; eax = ecx / esi
00401AE1|. |33D2 xor edx,edx
00401AE3|. |03C3 add eax,ebx ; quotient + remainder
00401AE5|. |BB 1A000000 mov ebx,0x1A ; 26 letters
00401AEA|. |F7F3 div ebx ; edx = sum mod 26
00401AEC|. |8A043E mov al,byte ptr ds: ; 8A043E = mov al,[esi+edi]: entered character (presumably edi is the serial base - confirm)
00401AEF|. |80C2 41 add dl,0x41 ; map 0..25 to 'A'..'Z'
00401AF2|. |3AC2 cmp al,dl
00401AF4 ^|75 CE jnz XKeyGenMe.00401AC4 ; mismatch path
00401AF6|. |46 inc esi
00401AF7|. |83FE 13 cmp esi,0x13
00401AFA|.^\7C D7 jl XKeyGenMe.00401AD3 ; loop while esi < 0x13
--------------------------------------------------------------------------------
【版权声明】: 本文原创于Crack_Qs, 转载请注明作者并保持文章的完整, 谢谢!
2013年12月14日 12:42:26
Qs师傅你这是要通杀所有? 1354669803 发表于 2013-12-14 13:01
Qs师傅你这是要通杀所有?
{:1_900:} 好久没玩了 练练手
Liquor 发表于 2013-12-14 13:23
好久没玩了 练练手
第一名非你莫属了
1354669803 发表于 2013-12-14 13:24
第一名非你莫属了
{:1_910:} 怎么可能 我这小菜
Liquor 发表于 2013-12-14 13:40
怎么可能 我这小菜
得了吧 你看看你多疯狂