小学应用题cm算法分析
本帖最后由 missviola 于 2009-12-28 20:45 编辑
【破文标题】小学应用题cm算法分析
【破文作者】missviola
【破解工具】PEID OD
【破解平台】Windows XP
【破解声明】只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------
【破解过程】PEID查壳显示为Microsoft Visual C++ 5.0 ,无壳。OD载入,在401EC0处下断点。输入注册名pediy,注册
码123456,F8分析如下:
; Caller at 00401EC0 (listing stops after the first thread-creation call; the
; rest of this function is not shown on the page).
; Memory operands such as [ebp-4C] were apparently stripped by the forum markup;
; offsets mentioned in the comments below are recovered from the opcode bytes.
; In:  ecx = this (kept across the 0xCC stack fill by the push/pop ecx pair)
; Locals: [ebp-4] = this, [ebp-8] = this+0x98, [ebp-0C] = this+0x5C
; The two adjacent locals [ebp-0C],[ebp-8] form the block whose address is
; passed to the worker thread: [arg+0] = this+0x5C, [arg+4] = this+0x98
; (the workers read them as [ecx] / [ecx+4]; per the author's annotations
; [arg+0] is the user-name object and [arg+4] the serial object).
; NOTE(review): that arg block lives in this frame; whether it outlives the
; worker threads cannot be seen from this excerpt.
00401EC0/> \55 push ebp
00401EC1|.8BEC mov ebp, esp
00401EC3|.83EC 4C sub esp, 4C                 ; 0x4C bytes of locals
00401EC6|.53 push ebx
00401EC7|.56 push esi
00401EC8|.57 push edi
00401EC9|.51 push ecx                         ; preserve this across the fill below
00401ECA|.8D7D B4 lea edi, dword ptr          ; edi = [ebp-4C]
00401ECD|.B9 13000000 mov ecx, 13             ; 0x13 dwords
00401ED2|.B8 CCCCCCCC mov eax, CCCCCCCC       ; 0xCC fill of uninitialised locals (looks like MSVC debug build)
00401ED7|.F3:AB rep stos dword ptr es:        ; es:[edi]
00401ED9|.59 pop ecx                          ; this
00401EDA|.894D FC mov dword ptr , ecx         ; [ebp-4] = this
00401EDD|.8B45 FC mov eax, dword ptr          ; eax = this
00401EE0|.05 98000000 add eax, 98             ; this + 0x98
00401EE5|.8945 F8 mov dword ptr , eax         ; [ebp-8] = this+0x98 (serial object, per author)
00401EE8|.8B4D FC mov ecx, dword ptr          ; ecx = this
00401EEB|.83C1 5C add ecx, 5C                 ; this + 0x5C
00401EEE|.894D F4 mov dword ptr , ecx         ; [ebp-0C] = this+0x5C (name object, per author)
00401EF1|.6A 00 push 0                        ; four zero args for the thread-creation call
00401EF3|.6A 00 push 0
00401EF5|.6A 00 push 0
00401EF7|.6A 00 push 0
00401EF9|.8D55 F4 lea edx, dword ptr          ; edx = &[ebp-0C] = thread parameter (the {name, serial} pair)
00401EFC|.52 push edx
00401EFD|.68 23104000 push 00401023           ; thread start; author resolves it to 00401FD0
00401F02|.E8 6E930700 call 0047B275           ; create thread (6 args); not analysed further here
此cm开辟了7个线程来进行算法流程,401EFD处压入的401023指向了第一个线程的函数地址:401FD0。此后其他线程函数的找法也是这样的,大家可以依次类推。
; Worker thread 1 at 00401FD0 — length rule.
; In:  [ebp+8] = pointer to the arg block {name object, serial object}
; Locals: [ebp-4] = len(name), [ebp-8] = len(serial), [ebp-0C] = arg,
;         [ebp-10] = result (1 = pass, 0 = fail)
; Out: eax = 0 (thread return); result published in the global dword at
;      005EB74C, after which method 004056CE is called on the object at
;      005EB7A0 (presumably a completion signal — not visible here).
; Rule: len(name) != 0, len(serial) != 0 and (len(name)+len(serial)) % 12 == 0.
; The 0xCC fill and the cmp ebp,esp / call 0041F2D0 pair look like MSVC
; debug-build instrumentation (stack-pointer check), not part of the algorithm.
00401FD0/> \55 push ebp
00401FD1|.8BEC mov ebp, esp
00401FD3|.83EC 50 sub esp, 50
00401FD6|.53 push ebx
00401FD7|.56 push esi
00401FD8|.57 push edi
00401FD9|.8D7D B0 lea edi, dword ptr          ; edi = [ebp-50]
00401FDC|.B9 14000000 mov ecx, 14             ; 0x14 dwords
00401FE1|.B8 CCCCCCCC mov eax, CCCCCCCC       ; debug fill
00401FE6|.F3:AB rep stos dword ptr es:
00401FE8|.8B45 08 mov eax, dword ptr          ; eax = [ebp+8] (thread arg)
00401FEB|.8945 F4 mov dword ptr , eax         ; [ebp-0C] = arg
00401FEE|.8B4D F4 mov ecx, dword ptr
00401FF1|.8B09 mov ecx, dword ptr             ; ecx = [arg+0] (name object)
00401FF3|.E8 52480800 call 0048684A 取用户名长度 ; eax = length
00401FF8|.8945 FC mov dword ptr , eax         ; [ebp-4] = len(name)
00401FFB|.8B55 F4 mov edx, dword ptr
00401FFE|.8B4A 04 mov ecx, dword ptr          ; ecx = [arg+4] (serial object)
00402001|.E8 44480800 call 0048684A 取注册码长度
00402006|.8945 F8 mov dword ptr , eax         ; [ebp-8] = len(serial)
00402009|.8B45 FC mov eax, dword ptr
0040200C|.0345 F8 add eax, dword ptr 两者相加   ; eax = len(name) + len(serial)
0040200F|.99 cdq                              ; sign-extend into edx:eax for idiv
00402010|.B9 0C000000 mov ecx, 0C 除以0xC
00402015|.F7F9 idiv ecx                       ; edx = sum % 12
00402017|.85D2 test edx, edx 余数要为0
00402019|.75 15 jnz short 00402030            ; remainder != 0 -> fail
0040201B|.837D FC 00 cmp dword ptr , 0        ; len(name) == 0 -> fail
0040201F|.74 0F je short 00402030
00402021|.837D F8 00 cmp dword ptr , 0        ; len(serial) == 0 -> fail
00402025|.74 09 je short 00402030
00402027|.C745 F0 01000>mov dword ptr , 1     ; [ebp-10] = 1 (pass)
0040202E|.EB 07 jmp short 00402037
00402030|>C745 F0 00000>mov dword ptr , 0     ; [ebp-10] = 0 (fail)
00402037|>8B55 F0 mov edx, dword ptr
0040203A|.8915 4CB75E00 mov dword ptr , edx   ; global [005EB74C] = result
00402040|.B9 A0B75E00 mov ecx, 005EB7A0       ; ecx = object at 005EB7A0
00402045|.E8 84360000 call 004056CE           ; notify (role not visible here)
0040204A|.33C0 xor eax, eax                   ; thread returns 0
0040204C|.5F pop edi
0040204D|.5E pop esi
0040204E|.5B pop ebx
0040204F|.83C4 50 add esp, 50
00402052|.3BEC cmp ebp, esp                   ; debug-build stack check
00402054|.E8 77D20100 call 0041F2D0
00402059|.8BE5 mov esp, ebp
0040205B|.5D pop ebp
0040205C\.C3 retn
第一处线程的算法是(len(name)+len(code)) mod 12 == 0。我们接着看第二处:
; Worker thread 2 at 00402080 — every character of the name must be '0'..'9'.
; Frame: push -1 / push 00537E99 / fs:[0] link is an MSVC exception frame;
;        [ebp-4] = EH state, [ebp-0C] = previous fs:[0] (restored at 0040216C).
; Locals: [ebp-10] = local string object (ctor 004D3597, length 004D35F0,
;         char-at 004D37AB, dtor 0048745C — roles inferred from their use),
;         [ebp-14] = index i, [ebp-18] = arg, [ebp-1C]/[ebp-20] = return slots.
; Out: eax = 0; result published in the global dword at 005EB748.
; Only the pass path calls 004056CE on the object at 005EB790; the fail path
; jumps straight to the epilogue.
; An empty name passes this loop trivially; thread 1 rejects it by length.
00402080/> \55 push ebp
00402081|.8BEC mov ebp, esp
00402083|.6A FF push -1                       ; initial EH state
00402085|.68 997E5300 push 00537E99 ;SE 处理程序安装 ; exception handler
0040208A|.64:A1 0000000>mov eax, dword ptr fs:  ; previous fs:[0]
00402090|.50 push eax
00402091|.64:8925 00000>mov dword ptr fs:, esp  ; link this frame into fs:[0]
00402098|.83EC 54 sub esp, 54
0040209B|.53 push ebx
0040209C|.56 push esi
0040209D|.57 push edi
0040209E|.8D7D A0 lea edi, dword ptr          ; edi = [ebp-60]
004020A1|.B9 15000000 mov ecx, 15
004020A6|.B8 CCCCCCCC mov eax, CCCCCCCC       ; debug fill
004020AB|.F3:AB rep stos dword ptr es:
004020AD|.8D4D F0 lea ecx, dword ptr          ; ecx = &[ebp-10]
004020B0|.E8 E2140D00 call 004D3597           ; construct local string
004020B5|.C745 FC 00000>mov dword ptr , 0     ; EH state 0 (string now live)
004020BC|.C745 EC 00000>mov dword ptr , 0     ; i = 0
004020C3|.8B45 08 mov eax, dword ptr          ; eax = [ebp+8] (arg)
004020C6|.8945 E8 mov dword ptr , eax         ; [ebp-18] = arg
004020C9|.8D4D F0 lea ecx, dword ptr
004020CC|.51 push ecx                         ; &local string
004020CD|.8B55 E8 mov edx, dword ptr
004020D0|.8B0A mov ecx, dword ptr             ; ecx = [arg+0] (name object)
004020D2|.E8 4AF20700 call 00481321           ; copy name into the local string
004020D7|>8D4D F0 /lea ecx, dword ptr         ; loop head
004020DA|.E8 11150D00 |call 004D35F0          ; eax = length
004020DF|.3945 EC |cmp dword ptr , eax        ; i >= len ?
004020E2|.7D 58 |jge short 0040213C           ; yes -> all characters checked, pass
004020E4|.8B45 EC |mov eax, dword ptr
004020E7|.50 |push eax                        ; i
004020E8|.8D4D F0 |lea ecx, dword ptr
004020EB|.E8 BB160D00 |call 004D37AB          ; al = s[i]
004020F0|.0FBEC8 |movsx ecx, al 依次取用户名各位
004020F3|.83F9 30 |cmp ecx, 30 同0比较          ; < '0' -> fail
004020F6|.7C 14 |jl short 0040210C
004020F8|.8B55 EC |mov edx, dword ptr
004020FB|.52 |push edx
004020FC|.8D4D F0 |lea ecx, dword ptr
004020FF|.E8 A7160D00 |call 004D37AB          ; s[i] again
00402104|.0FBEC0 |movsx eax, al
00402107|.83F8 39 |cmp eax, 39 同9比较          ; <= '9' -> next char, else fall into fail
0040210A|.7E 25 |jle short 00402131
0040210C|>C705 48B75E00>|mov dword ptr , 0    ; fail: global [005EB748] = 0
00402116|.C745 E4 00000>|mov dword ptr , 0    ; return value 0
0040211D|.C745 FC FFFFF>|mov dword ptr , -1   ; EH state -1 before destroying the string
00402124|.8D4D F0 |lea ecx, dword ptr
00402127|.E8 30530800 |call 0048745C          ; destroy local string
0040212C|.8B45 E4 |mov eax, dword ptr
0040212F|.EB 38 |jmp short 00402169           ; to epilogue (skips the 004056CE call)
00402131|>8B4D EC |mov ecx, dword ptr
00402134|.83C1 01 |add ecx, 1                 ; i++
00402137|.894D EC |mov dword ptr , ecx
0040213A|.^ EB 9B \jmp short 004020D7
0040213C|>C705 48B75E00>mov dword ptr , 1     ; pass: global [005EB748] = 1
00402146|.B9 90B75E00 mov ecx, 005EB790
0040214B|.E8 7E350000 call 004056CE           ; notify on object 005EB790
00402150|.C745 E0 00000>mov dword ptr , 0     ; return value 0
00402157|.C745 FC FFFFF>mov dword ptr , -1
0040215E|.8D4D F0 lea ecx, dword ptr
00402161|.E8 F6520800 call 0048745C           ; destroy local string
00402166|.8B45 E0 mov eax, dword ptr
00402169|>8B4D F4 mov ecx, dword ptr          ; saved fs:[0]
0040216C|.64:890D 00000>mov dword ptr fs:, ecx  ; unlink exception frame
00402173|.5F pop edi
00402174|.5E pop esi
00402175|.5B pop ebx
00402176|.83C4 60 add esp, 60
00402179|.3BEC cmp ebp, esp                   ; debug-build stack check
0040217B|.E8 50D10100 call 0041F2D0
00402180|.8BE5 mov esp, ebp
00402182|.5D pop ebp
00402183\.C3 retn
第二处线程判断用户名各位是否为数字。第三处为:
; Worker thread 3 at 004021D0 — same digit-only check as thread 2, applied to
; the serial ([arg+4] instead of [arg+0]).
; Frame/locals as in thread 2: [ebp-4] = EH state, [ebp-0C] = saved fs:[0],
;   [ebp-10] = local string, [ebp-14] = index i, [ebp-18] = arg.
; Out: eax = 0; result published in the global dword at 005EB744; the pass
; path calls 004056CE on the object at 005EB780, the fail path does not.
004021D0/> \55 push ebp
004021D1|.8BEC mov ebp, esp
004021D3|.6A FF push -1
004021D5|.68 B97E5300 push 00537EB9 ;SE 处理程序安装 ; exception handler
004021DA|.64:A1 0000000>mov eax, dword ptr fs:
004021E0|.50 push eax
004021E1|.64:8925 00000>mov dword ptr fs:, esp  ; link exception frame
004021E8|.83EC 54 sub esp, 54
004021EB|.53 push ebx
004021EC|.56 push esi
004021ED|.57 push edi
004021EE|.8D7D A0 lea edi, dword ptr
004021F1|.B9 15000000 mov ecx, 15
004021F6|.B8 CCCCCCCC mov eax, CCCCCCCC       ; debug fill
004021FB|.F3:AB rep stos dword ptr es:
004021FD|.8D4D F0 lea ecx, dword ptr
00402200|.E8 92130D00 call 004D3597           ; construct local string [ebp-10]
00402205|.C745 FC 00000>mov dword ptr , 0     ; EH state 0
0040220C|.C745 EC 00000>mov dword ptr , 0     ; i = 0
00402213|.8B45 08 mov eax, dword ptr          ; arg
00402216|.8945 E8 mov dword ptr , eax
00402219|.8D4D F0 lea ecx, dword ptr
0040221C|.51 push ecx
0040221D|.8B55 E8 mov edx, dword ptr
00402220|.8B4A 04 mov ecx, dword ptr          ; ecx = [arg+4] (serial object)
00402223|.E8 F9F00700 call 00481321           ; copy serial into the local string
00402228|>8D4D F0 /lea ecx, dword ptr         ; loop head
0040222B|.E8 C0130D00 |call 004D35F0          ; eax = length
00402230|.3945 EC |cmp dword ptr , eax
00402233|.7D 58 |jge short 0040228D           ; i >= len -> pass
00402235|.8B45 EC |mov eax, dword ptr
00402238|.50 |push eax
00402239|.8D4D F0 |lea ecx, dword ptr
0040223C|.E8 6A150D00 |call 004D37AB          ; al = s[i]
00402241|.0FBEC8 |movsx ecx, al
00402244|.83F9 30 |cmp ecx, 30                ; < '0' -> fail
00402247|.7C 14 |jl short 0040225D
00402249|.8B55 EC |mov edx, dword ptr
0040224C|.52 |push edx
0040224D|.8D4D F0 |lea ecx, dword ptr
00402250|.E8 56150D00 |call 004D37AB
00402255|.0FBEC0 |movsx eax, al
00402258|.83F8 39 |cmp eax, 39                ; <= '9' -> next char
0040225B|.7E 25 |jle short 00402282
0040225D|>C705 44B75E00>|mov dword ptr , 0    ; fail: global [005EB744] = 0
00402267|.C745 E4 00000>|mov dword ptr , 0
0040226E|.C745 FC FFFFF>|mov dword ptr , -1
00402275|.8D4D F0 |lea ecx, dword ptr
00402278|.E8 DF510800 |call 0048745C          ; destroy local string
0040227D|.8B45 E4 |mov eax, dword ptr
00402280|.EB 38 |jmp short 004022BA           ; to epilogue (no 004056CE call)
00402282|>8B4D EC |mov ecx, dword ptr
00402285|.83C1 01 |add ecx, 1                 ; i++
00402288|.894D EC |mov dword ptr , ecx
0040228B|.^ EB 9B \jmp short 00402228
0040228D|>C705 44B75E00>mov dword ptr , 1     ; pass: global [005EB744] = 1
00402297|.B9 80B75E00 mov ecx, 005EB780
0040229C|.E8 2D340000 call 004056CE           ; notify on object 005EB780
004022A1|.C745 E0 00000>mov dword ptr , 0
004022A8|.C745 FC FFFFF>mov dword ptr , -1
004022AF|.8D4D F0 lea ecx, dword ptr
004022B2|.E8 A5510800 call 0048745C           ; destroy local string
004022B7|.8B45 E0 mov eax, dword ptr
004022BA|>8B4D F4 mov ecx, dword ptr
004022BD|.64:890D 00000>mov dword ptr fs:, ecx  ; unlink exception frame
004022C4|.5F pop edi
004022C5|.5E pop esi
004022C6|.5B pop ebx
004022C7|.83C4 60 add esp, 60
004022CA|.3BEC cmp ebp, esp                   ; debug-build stack check
004022CC|.E8 FFCF0100 call 0041F2D0
004022D1|.8BE5 mov esp, ebp
004022D3|.5D pop ebp
004022D4\.C3 retn
第三处要求注册码各位也要为数字。第四处线程:
; Worker thread 4 at 00402320 — numeric cross-check of 3-character substrings.
; Frame: MSVC exception frame as in thread 2; [ebp-4] = EH state (bumped after
;   each string ctor), [ebp-10] = esp saved for the handler, [ebp-0C] = fs:[0].
; Locals (string objects; ctor 004D3597, assign 00487656, dtor 0048745C):
;   [ebp-14] = name, [ebp-18] = serial, [ebp-1C] = sub(name), [ebp-20] = sub(serial)
;   [ebp-30]/[ebp-34] = temporaries returned by the substring calls
;   [ebp-24] = int(sub(name)), [ebp-28] = int(sub(serial)), [ebp-2C] = arg,
;   [ebp-58] = result, [ebp-38]/[ebp-3C] = return slots.
; 004538FA(this,&tmp,3) and 0045383B(this,&tmp,3) each take a 3-character
;   substring. From the author's annotations and the published solution
;   (159160 / 162161) 004538FA yields the LEADING 3 and 0045383B the TRAILING
;   3 characters — inferred, not verified here.
; 00487C08(this,0) followed by 0041FA10(ptr) converts a substring to an
;   integer (the author treats 0041FA10 as atoi-like; not verified here).
; Rule: int(tail(serial)) - int(head(name)) == 2,
;       int(head(name)) % 3 == 0, int(tail(serial)) % 7 == 0.
; Out: eax = 0; result published in the global dword at 005EB740, then
;   004056CE is called on the object at 005EB770.
; 00402493..004024E0 is the catch funclet (clears the flag, returns the
;   continuation address 004024AA in eax); the normal path jumps over it.
00402320 > \55 push ebp
00402321 .8BEC mov ebp, esp
00402323 .6A FF push -1
00402325 .68 067F5300 push 00537F06 ;SE 处理程序安装 ; exception handler
0040232A .64:A1 0000000>mov eax, dword ptr fs:
00402330 .50 push eax
00402331 .64:8925 00000>mov dword ptr fs:, esp  ; link exception frame
00402338 .51 push ecx
00402339 .81EC 88000000 sub esp, 88
0040233F .53 push ebx
00402340 .56 push esi
00402341 .57 push edi
00402342 .8965 F0 mov dword ptr , esp         ; [ebp-10] = esp (for the handler)
00402345 .8DBD 68FFFFFF lea edi, dword ptr    ; edi = [ebp-98]
0040234B .B9 22000000 mov ecx, 22
00402350 .B8 CCCCCCCC mov eax, CCCCCCCC       ; debug fill
00402355 .F3:AB rep stos dword ptr es:
00402357 .8D4D EC lea ecx, dword ptr
0040235A .E8 38120D00 call 004D3597           ; construct [ebp-14] (name)
0040235F .C745 FC 00000>mov dword ptr , 0     ; EH state 0
00402366 .8D4D E8 lea ecx, dword ptr
00402369 .E8 29120D00 call 004D3597           ; construct [ebp-18] (serial)
0040236E .C645 FC 01 mov byte ptr , 1         ; EH state 1
00402372 .8D4D E4 lea ecx, dword ptr
00402375 .E8 1D120D00 call 004D3597           ; construct [ebp-1C]
0040237A .C645 FC 02 mov byte ptr , 2
0040237E .8D4D E0 lea ecx, dword ptr
00402381 .E8 11120D00 call 004D3597           ; construct [ebp-20]
00402386 .C645 FC 03 mov byte ptr , 3
0040238A .8B45 08 mov eax, dword ptr          ; arg
0040238D .8945 D4 mov dword ptr , eax         ; [ebp-2C] = arg
00402390 .C645 FC 04 mov byte ptr , 4
00402394 .8D4D EC lea ecx, dword ptr
00402397 .51 push ecx                         ; &[ebp-14]
00402398 .8B55 D4 mov edx, dword ptr
0040239B .8B0A mov ecx, dword ptr             ; [arg+0] (name object)
0040239D .E8 7FEF0700 call 00481321           ; copy name into [ebp-14]
004023A2 .8D45 E8 lea eax, dword ptr
004023A5 .50 push eax                         ; &[ebp-18]
004023A6 .8B4D D4 mov ecx, dword ptr
004023A9 .8B49 04 mov ecx, dword ptr          ; [arg+4] (serial object)
004023AC .E8 70EF0700 call 00481321           ; copy serial into [ebp-18]
004023B1 .6A 03 push 3                        ; count = 3
004023B3 .8D55 D0 lea edx, dword ptr
004023B6 .52 push edx                         ; &tmp [ebp-30]
004023B7 .8D4D EC lea ecx, dword ptr          ; this = name
004023BA .E8 3B150500 call 004538FA           ; tmp = leading 3 chars of name (inferred)
004023BF .8945 C0 mov dword ptr , eax
004023C2 .8B45 C0 mov eax, dword ptr
004023C5 .8945 BC mov dword ptr , eax
004023C8 .C645 FC 05 mov byte ptr , 5         ; EH state 5 (tmp live)
004023CC .8B4D BC mov ecx, dword ptr
004023CF .51 push ecx
004023D0 .8D4D E4 lea ecx, dword ptr
004023D3 .E8 7E520800 call 00487656           ; [ebp-1C] = tmp
004023D8 .C645 FC 04 mov byte ptr , 4
004023DC .8D4D D0 lea ecx, dword ptr
004023DF .E8 78500800 call 0048745C           ; destroy tmp
004023E4 .6A 03 push 3
004023E6 .8D55 CC lea edx, dword ptr
004023E9 .52 push edx                         ; &tmp [ebp-34]
004023EA .8D4D E8 lea ecx, dword ptr          ; this = serial
004023ED .E8 49140500 call 0045383B           ; tmp = trailing 3 chars of serial (inferred)
004023F2 .8945 B8 mov dword ptr , eax
004023F5 .8B45 B8 mov eax, dword ptr
004023F8 .8945 B4 mov dword ptr , eax
004023FB .C645 FC 06 mov byte ptr , 6
004023FF .8B4D B4 mov ecx, dword ptr
00402402 .51 push ecx
00402403 .8D4D E0 lea ecx, dword ptr
00402406 .E8 4B520800 call 00487656           ; [ebp-20] = tmp
0040240B .C645 FC 04 mov byte ptr , 4
0040240F .8D4D CC lea ecx, dword ptr
00402412 .E8 45500800 call 0048745C           ; destroy tmp
00402417 .6A 00 push 0
00402419 .8D4D E4 lea ecx, dword ptr
0040241C .E8 E7570800 call 00487C08           ; eax = char pointer of [ebp-1C]
00402421 .8945 B0 mov dword ptr , eax
00402424 .8B55 B0 mov edx, dword ptr
00402427 .52 push edx
00402428 .E8 E3D50100 call 0041FA10           ; integer conversion (atoi-like per author)
0040242D .83C4 04 add esp, 4                  ; cdecl cleanup of the one argument
00402430 .8945 DC mov dword ptr , eax         ; [ebp-24] = int(head(name))
00402433 .6A 00 push 0
00402435 .8D4D E0 lea ecx, dword ptr
00402438 .E8 CB570800 call 00487C08           ; char pointer of [ebp-20]
0040243D .8945 AC mov dword ptr , eax
00402440 .8B45 AC mov eax, dword ptr
00402443 .50 push eax
00402444 .E8 C7D50100 call 0041FA10
00402449 .83C4 04 add esp, 4
0040244C .8945 D8 mov dword ptr , eax         ; [ebp-28] = int(tail(serial))
0040244F .8B4D D8 mov ecx, dword ptr
00402452 .2B4D DC sub ecx, dword ptr ;注册码后3位减去用户名前3位要等于2 ; ecx = [ebp-28] - [ebp-24]
00402455 .83F9 02 cmp ecx, 2
00402458 75 27 jnz short 00402481             ; != 2 -> fail
0040245A .8B45 DC mov eax, dword ptr ;用户名前3位%3 == 0
0040245D .99 cdq
0040245E .B9 03000000 mov ecx, 3
00402463 .F7F9 idiv ecx                       ; edx = [ebp-24] % 3
00402465 .85D2 test edx, edx
00402467 .75 18 jnz short 00402481
00402469 .8B45 D8 mov eax, dword ptr ;注册码前3位%7 == 0 ; NB: [ebp-28] is the serial's LAST 3 digits (see 00402452), i.e. 后3位 — matches the summary and the solution (161 = 7*23)
0040246C .99 cdq
0040246D .B9 07000000 mov ecx, 7
00402472 .F7F9 idiv ecx                       ; edx = [ebp-28] % 7
00402474 .85D2 test edx, edx
00402476 75 09 jnz short 00402481
00402478 .C745 A8 01000>mov dword ptr , 1     ; [ebp-58] = 1 (pass)
0040247F .EB 07 jmp short 00402488
00402481 >C745 A8 00000>mov dword ptr , 0     ; [ebp-58] = 0 (fail)
00402488 >8B55 A8 mov edx, dword ptr
0040248B .8915 40B75E00 mov dword ptr , edx   ; global [005EB740] = result
00402491 .EB 4F jmp short 004024E2            ; skip the catch funclet
00402493 .C705 40B75E00>mov dword ptr , 0     ; catch: global [005EB740] = 0
0040249D .C745 C8 00000>mov dword ptr , 0     ; return value 0
004024A4 .B8 AA244000 mov eax, 004024AA       ; continuation address for the EH runtime
004024A9 .C3 retn
004024AA .C645 FC 02 mov byte ptr , 2         ; catch continuation: destroy strings in reverse order
004024AE .8D4D E0 lea ecx, dword ptr
004024B1 .E8 A64F0800 call 0048745C           ; ~[ebp-20]
004024B6 .C645 FC 01 mov byte ptr , 1
004024BA .8D4D E4 lea ecx, dword ptr
004024BD .E8 9A4F0800 call 0048745C           ; ~[ebp-1C]
004024C2 .C645 FC 00 mov byte ptr , 0
004024C6 .8D4D E8 lea ecx, dword ptr
004024C9 .E8 8E4F0800 call 0048745C           ; ~[ebp-18]
004024CE .C745 FC FFFFF>mov dword ptr , -1
004024D5 .8D4D EC lea ecx, dword ptr
004024D8 .E8 7F4F0800 call 0048745C           ; ~[ebp-14]
004024DD .8B45 C8 mov eax, dword ptr
004024E0 .EB 4E jmp short 00402530
004024E2 >C745 FC 03000>mov dword ptr , 3     ; normal path: EH state 3
004024E9 .B9 70B75E00 mov ecx, 005EB770
004024EE .E8 DB310000 call 004056CE           ; notify on object 005EB770
004024F3 .C745 C4 00000>mov dword ptr , 0     ; return value 0
004024FA .C645 FC 02 mov byte ptr , 2
004024FE .8D4D E0 lea ecx, dword ptr
00402501 .E8 564F0800 call 0048745C           ; ~[ebp-20]
00402506 .C645 FC 01 mov byte ptr , 1
0040250A .8D4D E4 lea ecx, dword ptr
0040250D .E8 4A4F0800 call 0048745C           ; ~[ebp-1C]
00402512 .C645 FC 00 mov byte ptr , 0
00402516 .8D4D E8 lea ecx, dword ptr
00402519 .E8 3E4F0800 call 0048745C           ; ~[ebp-18]
0040251E .C745 FC FFFFF>mov dword ptr , -1
00402525 .8D4D EC lea ecx, dword ptr
00402528 .E8 2F4F0800 call 0048745C           ; ~[ebp-14]
0040252D .8B45 C4 mov eax, dword ptr
00402530 >8B4D F4 mov ecx, dword ptr
00402533 .64:890D 00000>mov dword ptr fs:, ecx  ; unlink exception frame
0040253A .5F pop edi
0040253B .5E pop esi
0040253C .5B pop ebx
0040253D .81C4 98000000 add esp, 98
00402543 .3BEC cmp ebp, esp                   ; debug-build stack check
00402545 .E8 86CD0100 call 0041F2D0
0040254A .8BE5 mov esp, ebp
0040254C .5D pop ebp
0040254D .C3 retn
第五个线程:
; Worker thread 5 at 004025E0 — same shape as thread 4 with the substring
; roles swapped: 0045383B (trailing 3, inferred) is applied to the name and
; 004538FA (leading 3, inferred) to the serial.
; Locals: [ebp-14] = name, [ebp-18] = serial, [ebp-1C] = tail(name),
;   [ebp-20] = head(serial), [ebp-28] = int(tail(name)), [ebp-24] = int(head(serial)),
;   [ebp-58] = result; EH state in [ebp-4] as in thread 4.
; Rule: int(tail(name)) - int(head(serial)) == -2,
;       int(tail(name)) % 5 == 0, int(head(serial)) % 9 == 0.
; Out: eax = 0; result published in the global dword at 005EB73C, then
;   004056CE is called on the object at 005EB760. Catch funclet at
;   00402753..004027F0 clears the same flag.
004025E0 > \55 push ebp
004025E1 .8BEC mov ebp, esp
004025E3 .6A FF push -1
004025E5 .68 567F5300 push 00537F56 ;SE 处理程序安装 ; exception handler
004025EA .64:A1 0000000>mov eax, dword ptr fs:
004025F0 .50 push eax
004025F1 .64:8925 00000>mov dword ptr fs:, esp  ; link exception frame
004025F8 .51 push ecx
004025F9 .81EC 88000000 sub esp, 88
004025FF .53 push ebx
00402600 .56 push esi
00402601 .57 push edi
00402602 .8965 F0 mov dword ptr , esp         ; [ebp-10] = esp
00402605 .8DBD 68FFFFFF lea edi, dword ptr
0040260B .B9 22000000 mov ecx, 22
00402610 .B8 CCCCCCCC mov eax, CCCCCCCC       ; debug fill
00402615 .F3:AB rep stos dword ptr es:
00402617 .8D4D EC lea ecx, dword ptr
0040261A .E8 780F0D00 call 004D3597           ; construct [ebp-14]
0040261F .C745 FC 00000>mov dword ptr , 0
00402626 .8D4D E8 lea ecx, dword ptr
00402629 .E8 690F0D00 call 004D3597           ; construct [ebp-18]
0040262E .C645 FC 01 mov byte ptr , 1
00402632 .8D4D E4 lea ecx, dword ptr
00402635 .E8 5D0F0D00 call 004D3597           ; construct [ebp-1C]
0040263A .C645 FC 02 mov byte ptr , 2
0040263E .8D4D E0 lea ecx, dword ptr
00402641 .E8 510F0D00 call 004D3597           ; construct [ebp-20]
00402646 .C645 FC 03 mov byte ptr , 3
0040264A .8B45 08 mov eax, dword ptr          ; arg
0040264D .8945 D4 mov dword ptr , eax
00402650 .C645 FC 04 mov byte ptr , 4
00402654 .8D4D EC lea ecx, dword ptr
00402657 .51 push ecx
00402658 .8B55 D4 mov edx, dword ptr
0040265B .8B0A mov ecx, dword ptr             ; [arg+0]
0040265D .E8 BFEC0700 call 00481321 ;取用户名    ; name -> [ebp-14]
00402662 .8D45 E8 lea eax, dword ptr
00402665 .50 push eax
00402666 .8B4D D4 mov ecx, dword ptr
00402669 .8B49 04 mov ecx, dword ptr          ; [arg+4]
0040266C .E8 B0EC0700 call 00481321 ;取注册码    ; serial -> [ebp-18]
00402671 .6A 03 push 3
00402673 .8D55 D0 lea edx, dword ptr
00402676 .52 push edx                         ; &tmp [ebp-30]
00402677 .8D4D EC lea ecx, dword ptr          ; this = name
0040267A .E8 BC110500 call 0045383B           ; tmp = trailing 3 chars of name (inferred)
0040267F .8945 C0 mov dword ptr , eax
00402682 .8B45 C0 mov eax, dword ptr
00402685 .8945 BC mov dword ptr , eax
00402688 .C645 FC 05 mov byte ptr , 5
0040268C .8B4D BC mov ecx, dword ptr
0040268F .51 push ecx
00402690 .8D4D E4 lea ecx, dword ptr
00402693 .E8 BE4F0800 call 00487656           ; [ebp-1C] = tmp
00402698 .C645 FC 04 mov byte ptr , 4
0040269C .8D4D D0 lea ecx, dword ptr
0040269F .E8 B84D0800 call 0048745C           ; destroy tmp
004026A4 .6A 03 push 3
004026A6 .8D55 CC lea edx, dword ptr
004026A9 .52 push edx                         ; &tmp [ebp-34]
004026AA .8D4D E8 lea ecx, dword ptr          ; this = serial
004026AD .E8 48120500 call 004538FA           ; tmp = leading 3 chars of serial (inferred)
004026B2 .8945 B8 mov dword ptr , eax
004026B5 .8B45 B8 mov eax, dword ptr
004026B8 .8945 B4 mov dword ptr , eax
004026BB .C645 FC 06 mov byte ptr , 6
004026BF .8B4D B4 mov ecx, dword ptr
004026C2 .51 push ecx
004026C3 .8D4D E0 lea ecx, dword ptr
004026C6 .E8 8B4F0800 call 00487656           ; [ebp-20] = tmp
004026CB .C645 FC 04 mov byte ptr , 4
004026CF .8D4D CC lea ecx, dword ptr
004026D2 .E8 854D0800 call 0048745C           ; destroy tmp
004026D7 .6A 00 push 0
004026D9 .8D4D E4 lea ecx, dword ptr
004026DC .E8 27550800 call 00487C08           ; char pointer of [ebp-1C]
004026E1 .8945 B0 mov dword ptr , eax
004026E4 .8B55 B0 mov edx, dword ptr
004026E7 .52 push edx
004026E8 .E8 23D30100 call 0041FA10           ; integer conversion (atoi-like per author)
004026ED .83C4 04 add esp, 4
004026F0 .8945 D8 mov dword ptr , eax         ; [ebp-28] = int(tail(name))
004026F3 .6A 00 push 0
004026F5 .8D4D E0 lea ecx, dword ptr
004026F8 .E8 0B550800 call 00487C08           ; char pointer of [ebp-20]
004026FD .8945 AC mov dword ptr , eax
00402700 .8B45 AC mov eax, dword ptr
00402703 .50 push eax
00402704 .E8 07D30100 call 0041FA10
00402709 .83C4 04 add esp, 4
0040270C .8945 DC mov dword ptr , eax         ; [ebp-24] = int(head(serial))
0040270F .8B4D D8 mov ecx, dword ptr
00402712 .2B4D DC sub ecx, dword ptr ;用户名后3位减去注册码前3位 ; ecx = [ebp-28] - [ebp-24]
00402715 .83F9 FE cmp ecx, -2 ;要等于-2
00402718 75 27 jnz short 00402741             ; != -2 -> fail
0040271A .8B45 D8 mov eax, dword ptr ;用户名后3位 % 5 == 0
0040271D .99 cdq
0040271E .B9 05000000 mov ecx, 5
00402723 .F7F9 idiv ecx                       ; edx = [ebp-28] % 5
00402725 .85D2 test edx, edx
00402727 75 18 jnz short 00402741
00402729 .8B45 DC mov eax, dword ptr ;注册码前3位 % 9 == 0
0040272C .99 cdq
0040272D .B9 09000000 mov ecx, 9
00402732 .F7F9 idiv ecx                       ; edx = [ebp-24] % 9
00402734 .85D2 test edx, edx
00402736 75 09 jnz short 00402741
00402738 .C745 A8 01000>mov dword ptr , 1     ; [ebp-58] = 1 (pass)
0040273F .EB 07 jmp short 00402748
00402741 >C745 A8 00000>mov dword ptr , 0     ; [ebp-58] = 0 (fail)
00402748 >8B55 A8 mov edx, dword ptr
0040274B .8915 3CB75E00 mov dword ptr , edx   ; global [005EB73C] = result
00402751 .EB 4F jmp short 004027A2            ; skip the catch funclet
00402753 .C705 3CB75E00>mov dword ptr , 0     ; catch: global [005EB73C] = 0
0040275D .C745 C8 00000>mov dword ptr , 0
00402764 .B8 6A274000 mov eax, 0040276A       ; continuation address
00402769 .C3 retn
0040276A .C645 FC 02 mov byte ptr , 2         ; catch continuation: destructors in reverse order
0040276E .8D4D E0 lea ecx, dword ptr
00402771 .E8 E64C0800 call 0048745C
00402776 .C645 FC 01 mov byte ptr , 1
0040277A .8D4D E4 lea ecx, dword ptr
0040277D .E8 DA4C0800 call 0048745C
00402782 .C645 FC 00 mov byte ptr , 0
00402786 .8D4D E8 lea ecx, dword ptr
00402789 .E8 CE4C0800 call 0048745C
0040278E .C745 FC FFFFF>mov dword ptr , -1
00402795 .8D4D EC lea ecx, dword ptr
00402798 .E8 BF4C0800 call 0048745C
0040279D .8B45 C8 mov eax, dword ptr
004027A0 .EB 4E jmp short 004027F0
004027A2 >C745 FC 03000>mov dword ptr , 3     ; normal path
004027A9 .B9 60B75E00 mov ecx, 005EB760
004027AE .E8 1B2F0000 call 004056CE           ; notify on object 005EB760
004027B3 .C745 C4 00000>mov dword ptr , 0
004027BA .C645 FC 02 mov byte ptr , 2
004027BE .8D4D E0 lea ecx, dword ptr
004027C1 .E8 964C0800 call 0048745C           ; destructors in reverse order
004027C6 .C645 FC 01 mov byte ptr , 1
004027CA .8D4D E4 lea ecx, dword ptr
004027CD .E8 8A4C0800 call 0048745C
004027D2 .C645 FC 00 mov byte ptr , 0
004027D6 .8D4D E8 lea ecx, dword ptr
004027D9 .E8 7E4C0800 call 0048745C
004027DE .C745 FC FFFFF>mov dword ptr , -1
004027E5 .8D4D EC lea ecx, dword ptr
004027E8 .E8 6F4C0800 call 0048745C
004027ED .8B45 C4 mov eax, dword ptr
004027F0 >8B4D F4 mov ecx, dword ptr
004027F3 .64:890D 00000>mov dword ptr fs:, ecx  ; unlink exception frame
004027FA .5F pop edi
004027FB .5E pop esi
004027FC .5B pop ebx
004027FD .81C4 98000000 add esp, 98
00402803 .3BEC cmp ebp, esp                   ; debug-build stack check
00402805 .E8 C6CA0100 call 0041F2D0
0040280A .8BE5 mov esp, ebp
0040280C .5D pop ebp
0040280D .C3 retn
第六个线程:
; Worker thread 6 at 004028A0 — relation between the two halves of the name.
; Only [arg+0] (the name) is copied; the serial is not used here.
; Locals: [ebp-14] = name, [ebp-1C] = head(name) via 004538FA, [ebp-20] = tail(name)
;   via 0045383B (leading/trailing roles inferred as in thread 4),
;   [ebp-24] = int(head(name)), [ebp-28] = int(tail(name)), [ebp-58] = result.
; Rule: int(head(name)) - int(tail(name)) == -1,
;       int(head(name)) % 3 == 0, int(tail(name)) % 5 == 0.
; Out: eax = 0; result published in the global dword at 005EB738, then
;   004056CE is called on the object at 005EB750.
; NB: the catch funclet at 00402A04 writes [005EB73C] — the flag thread 5
;   uses — not [005EB738]; this looks like a copy-paste slip in the crackme.
004028A0 > \55 push ebp
004028A1 .8BEC mov ebp, esp
004028A3 .6A FF push -1
004028A5 .68 A67F5300 push 00537FA6 ;SE 处理程序安装 ; exception handler
004028AA .64:A1 0000000>mov eax, dword ptr fs:
004028B0 .50 push eax
004028B1 .64:8925 00000>mov dword ptr fs:, esp  ; link exception frame
004028B8 .51 push ecx
004028B9 .81EC 88000000 sub esp, 88
004028BF .53 push ebx
004028C0 .56 push esi
004028C1 .57 push edi
004028C2 .8965 F0 mov dword ptr , esp         ; [ebp-10] = esp
004028C5 .8DBD 68FFFFFF lea edi, dword ptr
004028CB .B9 22000000 mov ecx, 22
004028D0 .B8 CCCCCCCC mov eax, CCCCCCCC       ; debug fill
004028D5 .F3:AB rep stos dword ptr es:
004028D7 .8D4D EC lea ecx, dword ptr
004028DA .E8 B80C0D00 call 004D3597           ; construct [ebp-14]
004028DF .C745 FC 00000>mov dword ptr , 0
004028E6 .8D4D E8 lea ecx, dword ptr
004028E9 .E8 A90C0D00 call 004D3597           ; construct [ebp-18] (never filled here)
004028EE .C645 FC 01 mov byte ptr , 1
004028F2 .8D4D E4 lea ecx, dword ptr
004028F5 .E8 9D0C0D00 call 004D3597           ; construct [ebp-1C]
004028FA .C645 FC 02 mov byte ptr , 2
004028FE .8D4D E0 lea ecx, dword ptr
00402901 .E8 910C0D00 call 004D3597           ; construct [ebp-20]
00402906 .C645 FC 03 mov byte ptr , 3
0040290A .8B45 08 mov eax, dword ptr          ; arg
0040290D .8945 D4 mov dword ptr , eax
00402910 .C645 FC 04 mov byte ptr , 4
00402914 .8D4D EC lea ecx, dword ptr
00402917 .51 push ecx
00402918 .8B55 D4 mov edx, dword ptr
0040291B .8B0A mov ecx, dword ptr             ; [arg+0] (name object)
0040291D .E8 FFE90700 call 00481321           ; name -> [ebp-14]
00402922 .6A 03 push 3
00402924 .8D45 D0 lea eax, dword ptr
00402927 .50 push eax                         ; &tmp [ebp-30]
00402928 .8D4D EC lea ecx, dword ptr          ; this = name
0040292B .E8 CA0F0500 call 004538FA           ; tmp = leading 3 chars (inferred)
00402930 .8945 C0 mov dword ptr , eax
00402933 .8B4D C0 mov ecx, dword ptr
00402936 .894D BC mov dword ptr , ecx
00402939 .C645 FC 05 mov byte ptr , 5
0040293D .8B55 BC mov edx, dword ptr
00402940 .52 push edx
00402941 .8D4D E4 lea ecx, dword ptr
00402944 .E8 0D4D0800 call 00487656           ; [ebp-1C] = tmp
00402949 .C645 FC 04 mov byte ptr , 4
0040294D .8D4D D0 lea ecx, dword ptr
00402950 .E8 074B0800 call 0048745C           ; destroy tmp
00402955 .6A 03 push 3
00402957 .8D45 CC lea eax, dword ptr
0040295A .50 push eax                         ; &tmp [ebp-34]
0040295B .8D4D EC lea ecx, dword ptr          ; this = name again
0040295E .E8 D80E0500 call 0045383B           ; tmp = trailing 3 chars (inferred)
00402963 .8945 B8 mov dword ptr , eax
00402966 .8B4D B8 mov ecx, dword ptr
00402969 .894D B4 mov dword ptr , ecx
0040296C .C645 FC 06 mov byte ptr , 6
00402970 .8B55 B4 mov edx, dword ptr
00402973 .52 push edx
00402974 .8D4D E0 lea ecx, dword ptr
00402977 .E8 DA4C0800 call 00487656           ; [ebp-20] = tmp
0040297C .C645 FC 04 mov byte ptr , 4
00402980 .8D4D CC lea ecx, dword ptr
00402983 .E8 D44A0800 call 0048745C           ; destroy tmp
00402988 .6A 00 push 0
0040298A .8D4D E4 lea ecx, dword ptr
0040298D .E8 76520800 call 00487C08           ; char pointer of [ebp-1C]
00402992 .8945 B0 mov dword ptr , eax
00402995 .8B45 B0 mov eax, dword ptr
00402998 .50 push eax
00402999 .E8 72D00100 call 0041FA10           ; integer conversion (atoi-like per author)
0040299E .83C4 04 add esp, 4
004029A1 .8945 DC mov dword ptr , eax         ; [ebp-24] = int(head(name))
004029A4 .6A 00 push 0
004029A6 .8D4D E0 lea ecx, dword ptr
004029A9 .E8 5A520800 call 00487C08           ; char pointer of [ebp-20]
004029AE .8945 AC mov dword ptr , eax
004029B1 .8B4D AC mov ecx, dword ptr
004029B4 .51 push ecx
004029B5 .E8 56D00100 call 0041FA10
004029BA .83C4 04 add esp, 4
004029BD .8945 D8 mov dword ptr , eax         ; [ebp-28] = int(tail(name))
004029C0 .8B55 DC mov edx, dword ptr
004029C3 .2B55 D8 sub edx, dword ptr ;用户名前3位减去用户名后3位 ; edx = [ebp-24] - [ebp-28]
004029C6 .83FA FF cmp edx, -1 ;要等于-1
004029C9 75 27 jnz short 004029F2 ;不等就跳
004029CB .8B45 DC mov eax, dword ptr ;用户名前3位 % 3 == 0
004029CE .99 cdq
004029CF .B9 03000000 mov ecx, 3
004029D4 .F7F9 idiv ecx                       ; edx = [ebp-24] % 3
004029D6 .85D2 test edx, edx
004029D8 .75 18 jnz short 004029F2
004029DA .8B45 D8 mov eax, dword ptr ;用户名后3位 % 5 == 0
004029DD .99 cdq
004029DE .B9 05000000 mov ecx, 5
004029E3 .F7F9 idiv ecx                       ; edx = [ebp-28] % 5
004029E5 .85D2 test edx, edx
004029E7 75 09 jnz short 004029F2
004029E9 .C745 A8 01000>mov dword ptr , 1     ; [ebp-58] = 1 (pass)
004029F0 .EB 07 jmp short 004029F9
004029F2 >C745 A8 00000>mov dword ptr , 0     ; [ebp-58] = 0 (fail)
004029F9 >8B55 A8 mov edx, dword ptr
004029FC .8915 38B75E00 mov dword ptr , edx   ; global [005EB738] = result
00402A02 .EB 4F jmp short 00402A53            ; skip the catch funclet
00402A04 .C705 3CB75E00>mov dword ptr , 0     ; catch: clears [005EB73C] — thread 5's flag, not [005EB738] (see header note)
00402A0E .C745 C8 00000>mov dword ptr , 0
00402A15 .B8 1B2A4000 mov eax, 00402A1B       ; continuation address
00402A1A .C3 retn
00402A1B .C645 FC 02 mov byte ptr , 2         ; catch continuation: destructors in reverse order
00402A1F .8D4D E0 lea ecx, dword ptr
00402A22 .E8 354A0800 call 0048745C
00402A27 .C645 FC 01 mov byte ptr , 1
00402A2B .8D4D E4 lea ecx, dword ptr
00402A2E .E8 294A0800 call 0048745C
00402A33 .C645 FC 00 mov byte ptr , 0
00402A37 .8D4D E8 lea ecx, dword ptr
00402A3A .E8 1D4A0800 call 0048745C
00402A3F .C745 FC FFFFF>mov dword ptr , -1
00402A46 .8D4D EC lea ecx, dword ptr
00402A49 .E8 0E4A0800 call 0048745C
00402A4E .8B45 C8 mov eax, dword ptr
00402A51 .EB 4E jmp short 00402AA1
00402A53 >C745 FC 03000>mov dword ptr , 3     ; normal path
00402A5A .B9 50B75E00 mov ecx, 005EB750
00402A5F .E8 6A2C0000 call 004056CE           ; notify on object 005EB750
00402A64 .C745 C4 00000>mov dword ptr , 0
00402A6B .C645 FC 02 mov byte ptr , 2
00402A6F .8D4D E0 lea ecx, dword ptr
00402A72 .E8 E5490800 call 0048745C           ; destructors in reverse order
00402A77 .C645 FC 01 mov byte ptr , 1
00402A7B .8D4D E4 lea ecx, dword ptr
00402A7E .E8 D9490800 call 0048745C
00402A83 .C645 FC 00 mov byte ptr , 0
00402A87 .8D4D E8 lea ecx, dword ptr
00402A8A .E8 CD490800 call 0048745C
00402A8F .C745 FC FFFFF>mov dword ptr , -1
00402A96 .8D4D EC lea ecx, dword ptr
00402A99 .E8 BE490800 call 0048745C
00402A9E .8B45 C4 mov eax, dword ptr
00402AA1 >8B4D F4 mov ecx, dword ptr
00402AA4 .64:890D 00000>mov dword ptr fs:, ecx  ; unlink exception frame
00402AAB .5F pop edi
00402AAC .5E pop esi
00402AAD .5B pop ebx
00402AAE .81C4 98000000 add esp, 98
00402AB4 .3BEC cmp ebp, esp                   ; debug-build stack check
00402AB6 .E8 15C80100 call 0041F2D0
00402ABB .8BE5 mov esp, ebp
00402ABD .5D pop ebp
00402ABE .C3 retn
到这里我们总结下算法吧:
1.注册码,用户名各位都要为数字
2.两者长度相加 mod 12 == 0
3.注册码后3位减去用户名前3位要等于2,用户名前3位%3=0,注册码后3位%7=0
4.用户名后3位减去注册码前3位要等于-2,用户名后3位%5=0,注册码前3位%9=0
5.用户名前3位减去用户名后3位要等于-1,用户名前3位%3=0,用户名后3位%5=0
最后给出一组解:
用户名 159160
注册码 162161
------------------------------------------------------------------------
【破解总结】这个cm算法不是很难,关键在于找到各个线程的位置,看出对应的算法。在算解的过程中,得到了zenix和网络断魂两位大侠的帮助,在此向他们表示感谢~~
------------------------------------------------------------------------
【版权声明】本文原创于52pojie技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
文中用的cm在附件中~~
感谢发布原创作品,因你更精彩!
确实是精华啊。
大B同志,上次你给我的那个CM我还是搞不掉..:dizzy:
本帖最后由 ZeNiX 于 2009-12-29 14:02 编辑
最後更新一下:
用戶名: 315n + 159, 315n +160
注冊碼: 315n + 162, 315n +161
n = 0, 1, 2
315 = 5 x 7 x 9
第一組:
159160
162161
第二組:
474475
477476
第三組:
789790
792791
--- ZeNiX ---
强学习了,这种类型的cm第一次见。
谢谢,支持下,辛苦了!
看不懂呢..
很多还看不懂,坐下慢慢学习。
谢谢
果然是高手啊