【吾爱2013CM大赛解答】 苏紫方璇CrackMe FYWY分析
本帖最后由 fywy 于 2013-12-15 15:47 编辑【破文标题】 【吾爱2013CM大赛题目】-- CrackMe -- 苏紫方璇分析
【破文作者】fywy
【作者邮箱】1349718927@qq.com
【破解工具】OD CALCULATOR
【破解平台】winxp
【原版下载】http://www.52pojie.cn/thread-228417-1-1.html
------------------------------------------------------------------------
【破解过程】一、OD载入如图1
二、下万能断点如图2
然后确定
三次F9后CM出现
输入用户名和注册码点确定,如图3
此时断下来了
4次F9后,在寄存器中看到输入的假注册码
如图4:
此时按F8返回
到如图5:
返回到程序领空
继续F8
; --- Caller: inside the OK-button handler (its start and end lie outside this excerpt).
; The dump dropped every bracketed memory operand; only the opcode bytes still show them.
00401757 .E8 36060000 call <jmp.&MFC42.#6334>
0040175C .8B8D C4FEFFFF mov ecx,dword ptr ss:            ; ecx = object pointer kept in an ebp-relative local
00401762 .8B51 60 mov edx,dword ptr ds:                   ; edx = field +0x60 of that object
00401765 .8995 CCFEFFFF mov dword ptr ss:,edx             ; store it in a local: this is the username pointer
0040176B .8D85 E4FEFFFF lea eax,dword ptr ss:             ; eax = address of a stack buffer that will receive the serial
00401771 .50 push eax                                     ; arg2: output buffer
00401772 .8B8D CCFEFFFF mov ecx,dword ptr ss:
00401778 .51 push ecx                                     ; arg1: username
00401779 .E8 92FDFFFF call CrackMe.00401510               ; key CALL: serial = f(username), written into the buffer above
此CALL进入(F7)看看
; ===== Algorithm CALL: CrackMe.00401510 =====
; For each byte c of the username: sprintf(out, "%02X", ((3*c) >> 1) & 0xFF); out += 2.
; Stack arguments (bracketed operands were dropped by the dump; decoded from the opcode bytes):
;   arg1 = username pointer  (pushed last by the caller, loaded into ebx at 00401514)
;   arg2 = output buffer     (pushed first by the caller, loaded into esi at 0040154A)
00401510/$83EC 08 sub esp,0x8                     ; 8-byte local that holds the "%02X" format string built below
00401513|.53 push ebx
00401514|.8B5C24 10 mov ebx,dword ptr ss:         ; ebx = arg1 = username
00401518|.57 push edi
00401519|.8BFB mov edi,ebx
0040151B|.83C9 FF or ecx,0xFFFFFFFF               ; ecx = -1 (maximum scan count)
0040151E|.33C0 xor eax,eax                        ; al = 0: scan for the terminating NUL
00401520|.F2:AE repne scas byte ptr es:           ; inline strlen over the username
00401522|.F7D1 not ecx
00401524|.49 dec ecx                              ; ecx = strlen(username)
00401525|.C64424 08 25mov byte ptr ss:,0x25       ; '%'  \
0040152A|.85C9 test ecx,ecx                       ;       \
0040152C|.C64424 09 30mov byte ptr ss:,0x30       ; '0'    > local[0..4] = "%02X" + NUL
00401531|.C64424 0A 32mov byte ptr ss:,0x32       ; '2'   /
00401536|.C64424 0B 58mov byte ptr ss:,0x58       ; 'X'  /
0040153B|.C64424 0C 00mov byte ptr ss:,0x0        ; NUL
00401540|.7E 34 jle XCrackMe.00401576             ; empty username: skip the loop, nothing is written to the buffer
00401542|.55 push ebp
00401543|.8B2D C8314000 mov ebp,dword ptr ds:[<&MSVCRT.sprintf>] ;msvcrt.sprintf   ; ebp = sprintf, invoked by "call ebp" below
00401549|.56 push esi
0040154A|.8B7424 20 mov esi,dword ptr ss:         ; esi = arg2 = output buffer
0040154E|.8BF9 mov edi,ecx                        ; edi = remaining byte count = strlen(username)
00401550|>33C0 /xor eax,eax                       ; eax = 0 so the byte load below is zero-extended
00401552|.8A03 |mov al,byte ptr ds:               ; al = username byte i (from [ebx]), range 0..255
00401554|.8D0440 |lea eax,dword ptr ds:           ; eax = c + c*2 = 3*c (at most 765, always non-negative)
00401557|.99 |cdq                                 ; edx = sign of eax, i.e. 0 here
00401558|.2BC2 |sub eax,edx                       ; cdq / sub / sar is the compiler's signed division by 2 ...
0040155A|.D1F8 |sar eax,1                         ; ... for a non-negative value it is simply (3*c) >> 1
0040155C|.25 FF000000 |and eax,0xFF               ; eax = ((3*c) >> 1) & 0xFF
00401561|.50 |push eax                            ; sprintf arg: the value
00401562|.8D4424 14 |lea eax,dword ptr ss:        ; sprintf arg: the "%02X" local built above
00401566|.50 |push eax
00401567|.56 |push esi                            ; sprintf arg: current write position in the output buffer
00401568|.FFD5 |call ebp                          ; sprintf(esi, "%02X", value): two upper-case hex digits plus NUL
0040156A|.83C4 0C |add esp,0xC
0040156D|.83C6 02 |add esi,0x2                    ; advance past the two digits (the NUL is overwritten by the next pair)
00401570|.43 |inc ebx                             ; next username byte
00401571|.4F |dec edi
00401572|.^ 75 DC \jnz XCrackMe.00401550          ; loop until every byte of the username has been processed
00401574|.5E pop esi
00401575|.5D pop ebp
00401576|>5F pop edi
00401577|.5B pop ebx
00401578|.83C4 08 add esp,0x8
0040157B\.C3 retn
; NOTE(review): the output is 2*strlen(username)+1 bytes and sprintf performs no bounds check;
; the size of the caller's stack buffer (the lea at 0040176B) is not visible in this listing.
此CALL为算法CALL
此时算出注册码如图6
往下就是真假码比较了
; --- Back in the caller after the algorithm CALL: compare the generated serial with the entered one.
; This is the tail of the OK-button handler; its start is above the excerpt. Bracketed operands were dropped by the dump.
0040177E .83C4 08 add esp,0x8                     ; discard the two arguments of CrackMe.00401510
00401781 .8B95 C4FEFFFF mov edx,dword ptr ss:     ; same local that supplied the object pointer at 0040175C
00401787 .8B42 64 mov eax,dword ptr ds:           ; field +0x64 of the object; presumably the entered serial (the username came from +0x60 at 00401762)
0040178A .8985 C8FEFFFF mov dword ptr ss:,eax
00401790 .8B8D C8FEFFFF mov ecx,dword ptr ss:
00401796 .898D A8FEFFFF mov dword ptr ss:,ecx     ; local A = entered-serial pointer
0040179C .8D95 E4FEFFFF lea edx,dword ptr ss:     ; same ebp-relative buffer that was passed as the output buffer at 0040176B
004017A2 .8995 A4FEFFFF mov dword ptr ss:,edx     ; local B = generated-serial pointer
; Inline string compare, two bytes per iteration, over A and B:
004017A8 >8B85 A4FEFFFF mov eax,dword ptr ss:     ; eax = B
004017AE .8A08 mov cl,byte ptr ds:                ; cl = B[0]
004017B0 .888D A3FEFFFF mov byte ptr ss:,cl       ; keep a copy of B[0] for the NUL test below
004017B6 .8B95 A8FEFFFF mov edx,dword ptr ss:     ; edx = A
004017BC .3A0A cmp cl,byte ptr ds:                ; B[0] == A[0] ?
004017BE .75 46 jnz XCrackMe.00401806             ; no -> mismatch path
004017C0 .80BD A3FEFFFF>cmp byte ptr ss:,0x0      ; both strings ended at the same point -> equal
004017C7 .74 31 je XCrackMe.004017FA
004017C9 .8B85 A4FEFFFF mov eax,dword ptr ss:
004017CF .8A48 01 mov cl,byte ptr ds:             ; cl = B[1]
004017D2 .888D A2FEFFFF mov byte ptr ss:,cl
004017D8 .8B95 A8FEFFFF mov edx,dword ptr ss:
004017DE .3A4A 01 cmp cl,byte ptr ds:             ; B[1] == A[1] ?
004017E1 .75 23 jnz XCrackMe.00401806             ; no -> mismatch path
004017E3 .8385 A4FEFFFF>add dword ptr ss:,0x2     ; B += 2
004017EA .8385 A8FEFFFF>add dword ptr ss:,0x2     ; A += 2
004017F1 .80BD A2FEFFFF>cmp byte ptr ss:,0x0      ; B[1] was the terminator -> equal (fall through)
004017F8 .^ 75 AE jnz XCrackMe.004017A8           ; otherwise compare the next pair
004017FA >C785 9CFEFFFF>mov dword ptr ss:,0x0     ; result = 0 (strings equal)
00401804 .EB 0B jmp XCrackMe.00401811
00401806 >1BC0 sbb eax,eax                        ; mismatch: carry from the failing cmp gives -1 or 0 ...
00401808 .83D8 FF sbb eax,-0x1                    ; ... turned into -1 or +1, a strcmp-style sign
0040180B .8985 9CFEFFFF mov dword ptr ss:,eax     ; result = +/-1
00401811 >8B8D 9CFEFFFF mov ecx,dword ptr ss:
00401817 .898D 98FEFFFF mov dword ptr ss:,ecx
0040181D .83BD 98FEFFFF>cmp dword ptr ss:,0x0     ; result == 0 ?
00401824 .75 07 jnz XCrackMe.0040182D             ; mismatch -> back to 00401738
00401826 .^ E9 11FEFFFF jmp CrackMe.0040163C      ; match -> 0040163C (which target shows the success message is outside this excerpt)
0040182B .EB 05 jmp XCrackMe.00401832
0040182D >^ E9 06FFFFFF jmp CrackMe.00401738
00401832 >8B4D F0 mov ecx,dword ptr ss:           ; epilogue: presumably restores the saved fs:[0] exception frame ...
00401835 .64:890D 00000>mov dword ptr fs:,ecx     ; ... then the callee-saved registers and the frame pointer
0040183C .5F pop edi
0040183D .5E pop esi
0040183E .5B pop ebx
0040183F .8BE5 mov esp,ebp
00401841 .5D pop ebp
00401842 .C3 retn
不再描述。
算法总结:
1、取用户名第I位
2、用户名第I位的ASCII + (用户名第I位的ASCII *2 ) 记为M
3、M >>1 记为N
4、N AND 0xFF 记为 K
5、K 按 "%02X" 格式化为两位大写十六进制(算法 CALL 在 00401525~0040153B 处于栈上逐字节构造了该格式串:25 30 32 58 00)
以此类推,直到用户名取完,所有结果连接在一起即为注册码
------------------------------------------------------------------------
【破解总结】算法总结:
1、取用户名第I位
2、用户名第I位的ASCII + (用户名第I位的ASCII *2 ) 记为M
3、M >>1 记为N
4、N AND 0xFF 记为 K
5、K 按 "%02X" 格式化为两位大写十六进制(格式串见算法 CALL 中 00401525~0040153B 处的五个 mov byte ptr)
以此类推,直到用户名取完,所有结果连接在一起即为注册码
注册机运行结果
注册机VB源码:
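' Serial generation for the CrackMe.
' The algorithm CALL walks the username byte by byte and, for each byte c,
' writes sprintf("%02X", ((c + c*2) \ 2) And &HFF), i.e. exactly two
' upper-case hex digits per input byte.
'
' yhm: the username as typed.
' Returns the serial string (two hex digits per ANSI byte of yhm).
Private Function GenKey(ByVal yhm As String) As String
    Dim b() As Byte
    Dim i As Long
    Dim k As Long
    Dim yy As String
    ' The CrackMe reads the username as ANSI bytes (mov al, byte ptr),
    ' so convert to the ANSI byte string first: Asc/Mid yield one value per
    ' character and would differ from the target for double-byte characters.
    b = StrConv(yhm, vbFromUnicode)
    For i = LBound(b) To UBound(b)
        k = ((CLng(b(i)) + CLng(b(i)) * 2) \ 2) And 255
        ' Hex() drops leading zeros but "%02X" does not, so pad to two digits.
        yy = yy & Right$("0" & Hex$(k), 2)
    Next i
    GenKey = yy
End Function

' Generate button: build the serial for Text1, show it in Text2 and copy it
' to the clipboard. An empty username is rejected with a message box.
Private Sub Command1_Click()
    If Text1.Text = "" Then
        MsgBox "用户名为空!太有才了,请重新输入", vbOKCancel + vbCritical, "错误"
    Else
        Text2.Text = GenKey(Text1.Text)
        Clipboard.Clear
        Clipboard.SetText Text2.Text
        MsgBox "已复制到粘贴板上,请直接粘贴注册码注册即可!", vbOKOnly + vbInformation, "已复制"
    End If
End Sub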
' Exit button: End terminates the keygen immediately.
Private Sub Command2_Click()
End
End Sub
------------------------------------------------------------------------
注册机及源码下载:
使用吾爱破解专用注册机生成器生成的注册机
下载
厉害.膜拜算法牛. 好像很牛B !!