A simple crackme
It's not that I don't want to post a hard one.. it's that I'm not able to write a hard one.. The algorithm is very simple..
Still decent practice for newbies.
So just play around with this crackme.
Looks like a program written with 快手. Does brute-patching it count? Wakaka :lol
What's it for, OP? Reply to 2# iceway
What is 快手?..
It's written in VC2010.. Reply to 4# syy111
It's for practising cracking..
Algorithm analysis:
004019FE . E8 ADFDFFFF call cm.004017B0
00401A03 . 8945 E4 mov dword ptr ss:,eax
00401A06 . 68 40174000 push cm.00401740
00401A0B . 68 B0484200 push cm.004248B0 ; /"Enter username" prompt
00401A10 . 68 E0574200 push cm.004257E0 ; |Arg1 = 004257E0
00401A15 . E8 D6410000 call cm.00405BF0 ; \cm.00405BF0
00401A1A . 83C4 08 add esp,8
00401A1D . E8 7E010000 call cm.00401BA0 ; \cm.00401BA0
00401A22 . 8D45 C0 lea eax,dword ptr ss:
00401A25 . B9 98584200 mov ecx,cm.00425898 ; a
00401A2A . E8 41440000 call cm.00405E70 ; read the username
00401A2F . 0FBE55 C1 movsx edx,byte ptr ss: ; ASCII of the 2nd char into EDX
00401A33 . 8955 D8 mov dword ptr ss:,edx
00401A36 . 0FBE45 C0 movsx eax,byte ptr ss: ; ASCII of the 1st char into EAX
00401A3A . 8945 BC mov dword ptr ss:,eax
00401A3D . 8B4D D8 mov ecx,dword ptr ss: ; load the ASCII value of the 2nd char
00401A40 . 334D BC xor ecx,dword ptr ss: ; XOR the 1st char's ASCII with the 2nd char's ASCII
00401A43 . 894D D8 mov dword ptr ss:,ecx
00401A46 . 8B55 D8 mov edx,dword ptr ss: ; XOR result into EDX
00401A49 . D1E2 shl edx,1 ; EDX*2
00401A4B . 8955 D8 mov dword ptr ss:,edx
00401A4E . 68 40174000 push cm.00401740
00401A53 . 8B45 E8 mov eax,dword ptr ss:
00401A56 . 50 push eax ; /Arg2
00401A57 . 68 E0574200 push cm.004257E0 ; |Arg1 = 004257E0
00401A5C . E8 8F410000 call cm.00405BF0 ; \cm.00405BF0
00401A61 . 83C4 08 add esp,8
00401A64 . E8 37010000 call cm.00401BA0 ; \cm.00401BA0
00401A69 . 8D4D F4 lea ecx,dword ptr ss:
00401A6C . 51 push ecx
00401A6D . 68 98584200 push cm.00425898 ; a
00401A72 . E8 79020000 call cm.00401CF0 ; read the Key
00401A77 . 8B55 D8 mov edx,dword ptr ss:
00401A7A . 83C2 01 add edx,1 ; EDX*2+1
00401A7D . 3955 F4 cmp dword ptr ss:,edx ; compare
00401A80 . 75 2B jnz short cm.00401AAD
00401A82 . 68 40174000 push cm.00401740
00401A87 . 8B45 E0 mov eax,dword ptr ss:
00401A8A . 50 push eax ; /Arg2
00401A8B . 68 E0574200 push cm.004257E0 ; |Arg1 = 004257E0
00401A90 . E8 5B410000 call cm.00405BF0 ; \cm.00405BF0
00401A95 . 83C4 08 add esp,8
00401A98 . E8 03010000 call cm.00401BA0 ; \cm.00401BA0
00401A9D . 8B4D E4 mov ecx,dword ptr ss:
00401AA0 . 51 push ecx
00401AA1 . E8 3D570000 call cm.004071E3
00401AA6 . 83C4 04 add esp,4
00401AA9 . EB 43 jmp short cm.00401AEE
00401AAB . EB 41 jmp short cm.00401AEE
00401AAD > 68 40174000 push cm.00401740
Keygen written in VBS:
X = InputBox("用户名", "输入", "")
' Key = (ASCII of 1st char Xor ASCII of 2nd char) * 2 + 1
If Len(X) >= 2 Then
    A1 = Asc(Mid(X, 1, 1))
    A2 = Asc(Mid(X, 2, 1))
    MsgBox (A1 Xor A2) * 2 + 1
ElseIf Len(X) = 1 Then
    ' one-char name: the 2nd byte the program reads is the NUL terminator, so the Xor is with 0
    MsgBox Asc(X) * 2 + 1
Else
    ' Asc("") would raise a runtime error, so refuse an empty name
    MsgBox "Username must not be empty"
End If
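As an added example (my own code, not from the thread), here is a Python model of the check reconstructed from the listing above. It also covers the one-character case, where byte 2 is the NUL terminator, and keeps the movsx sign-extension for bytes >= 0x80, which a keygen working on characters rather than raw bytes would not see. Function names are mine.

```python
# Added example, not the thread's code: a model of the serial check
# reconstructed from the OllyDbg listing. Names are my own.

def _movsx(byte: int) -> int:
    """Sign-extend one byte the way MOVSX EAX, BYTE PTR [...] does."""
    return byte - 0x100 if byte >= 0x80 else byte

def expected_key(username: bytes) -> int:
    """Key the crackme accepts for `username`, taken as the raw C buffer.

    From the listing: byte[1] and byte[0] are sign-extended (movsx), XORed,
    shifted left by one (shl edx,1) and incremented (add edx,1) before the
    compare at 00401A7D. A one-character name reads its NUL terminator as
    byte[1], so the XOR is with 0.
    """
    if not username:
        raise ValueError("username must not be empty")
    buf = bytes(username) + b"\x00"      # C string: always NUL-terminated
    return ((_movsx(buf[0]) ^ _movsx(buf[1])) << 1) + 1

def check_key(username: bytes, key: int) -> bool:
    """Emulate the 'cmp ..., edx / jnz' at 00401A7D: True when the key is accepted."""
    return expected_key(username) == key

if __name__ == "__main__":
    for name in (b"ab", b"a", b"\xffA"):        # constructed sample names
        print(name, expected_key(name), check_key(name, expected_key(name)))
```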
This post was last edited by 太虚伪了 on 2010-6-12 23:10
The brother above posted the algorithm, so I'll post this crackme's anti-debugging tricks~~
Call to CheckRemoteDebuggerPresent:
.text:00401853 loc_401853: ; "CheckRemoteDebuggerPresent"
.text:00401853 push offset ProcName
.text:00401858 mov eax, hModule
.text:0040185D push eax ; hModule
.text:0040185E call ds:GetProcAddress
.text:00401864 mov , eax
.text:00401867 call ds:GetCurrentProcess
.text:0040186D mov dword_425A80, eax
.text:00401872 push offset dword_425AD0
.text:00401877 mov ecx, dword_425A80
.text:0040187D push ecx
.text:0040187E call
.text:00401881 cmp dword_425AD0, 1
.text:00401888 jnz short loc_4018A2
GetStartupInfo check:
.text:004018A2 loc_4018A2: ; lpStartupInfo
.text:004018A2 push offset StartupInfo
.text:004018A7 call ds:GetStartupInfoW
.text:004018AD jmp loc_401808
.text:0040195B loc_40195B: ; CODE XREF: sub_4017E0+16Cj
.text:0040195B cmp StartupInfo.dwX, 0
.text:00401962 jnz short loc_40199A
.text:00401964 cmp StartupInfo.dwY, 0
.text:0040196B jnz short loc_40199A
.text:0040196D cmp StartupInfo.dwXCountChars, 0
.text:00401974 jnz short loc_40199A
.text:00401976 cmp StartupInfo.dwYCountChars, 0
.text:0040197D jnz short loc_40199A
.text:0040197F cmp StartupInfo.dwFillAttribute, 0
.text:00401986 jnz short loc_40199A
.text:00401988 cmp StartupInfo.dwXSize, 0
.text:0040198F jnz short loc_40199A
.text:00401991 cmp StartupInfo.dwYSize, 0
.text:00401998 jz short loc_4019A7
.text:0040199A
.text:0040199A loc_40199A: ; CODE XREF: sub_4017E0+182j
.text:0040199A ; sub_4017E0+18Bj ...
.text:0040199A push 0 ; uExitCode
.text:0040199C call ds:ExitProcess
There is also a check that uses the PEB:
.text:00401935 loc_401935:
.text:00401935 mov , 1
.text:00401939 call sub_4017A0 ; <- step into this one
.text:0040193E test eax, eax
.text:00401940 setnz dl
.text:00401943 mov , dl
.text:00401946 movzx eax,
.text:0040194A test eax, eax
.text:0040194C jz short loc_40195B
.text:004017A0 sub_4017A0 proc near ; CODE XREF: sub_4017E0+159p
.text:004017A0 mov eax, large fs:30h
.text:004017A6 movzx eax, byte ptr
.text:004017AA retn
.text:004017AA sub_4017A0 endp
The PEB structure is as follows:
lkd> dt!_PEB
nt!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 FastPebLockRoutine : Ptr32 Void
+0x024 FastPebUnlockRoutine : Ptr32 Void
+0x028 EnvironmentUpdateCount : Uint4B
+0x02c KernelCallbackTable : Ptr32 Void
+0x030 SystemReserved : Uint4B
+0x034 AtlThunkSListPtr32 : Uint4B
+0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : Uint4B
Offset +2 is the BeingDebugged flag. There also seems to be a mutex operation..
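As an added example (my own code, not from the thread or the crackme), a Python reproduction of the same three checks, handy for seeing exactly what each one reads. The pure helpers run anywhere; windows_checks() needs Windows. The STARTUPINFOW layout follows winbase.h; all function names are mine.

```python
import ctypes
import sys

# Added example, names mine. These are the STARTUPINFO fields the listing
# compares against 0 (loc_40195B..loc_4019A7); dwFlags/wShowWindow are NOT checked.
STARTUPINFO_FIELDS = ("dwX", "dwY", "dwXCountChars", "dwYCountChars",
                      "dwFillAttribute", "dwXSize", "dwYSize")

def startupinfo_suspicious(si: dict) -> bool:
    """True when any checked field is non-zero: the crackme then takes
    loc_40199A and calls ExitProcess; all zero falls through (jz loc_4019A7)."""
    return any(si.get(name, 0) != 0 for name in STARTUPINFO_FIELDS)

def peb_being_debugged(peb: bytes) -> bool:
    """Emulate sub_4017A0 on a PEB image: movzx eax, byte ptr [fs:30h+2]."""
    return peb[2] != 0          # +0x002 BeingDebugged in the dt output above

class STARTUPINFOW(ctypes.Structure):
    # Layout of STARTUPINFOW (winbase.h); pointer fields are platform-sized.
    _fields_ = [("cb", ctypes.c_uint32), ("lpReserved", ctypes.c_void_p),
                ("lpDesktop", ctypes.c_void_p), ("lpTitle", ctypes.c_void_p),
                ("dwX", ctypes.c_uint32), ("dwY", ctypes.c_uint32),
                ("dwXSize", ctypes.c_uint32), ("dwYSize", ctypes.c_uint32),
                ("dwXCountChars", ctypes.c_uint32), ("dwYCountChars", ctypes.c_uint32),
                ("dwFillAttribute", ctypes.c_uint32), ("dwFlags", ctypes.c_uint32),
                ("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", ctypes.c_void_p),
                ("hStdOutput", ctypes.c_void_p), ("hStdError", ctypes.c_void_p)]

def windows_checks() -> dict:
    """Run the crackme's three checks against this process (Windows only)."""
    k32 = ctypes.windll.kernel32
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.CheckRemoteDebuggerPresent.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    remote = ctypes.c_int(0)
    k32.CheckRemoteDebuggerPresent(k32.GetCurrentProcess(), ctypes.byref(remote))
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)
    k32.GetStartupInfoW(ctypes.byref(si))
    fields = {name: getattr(si, name) for name in STARTUPINFO_FIELDS}
    return {"CheckRemoteDebuggerPresent": bool(remote.value),
            "StartupInfo": startupinfo_suspicious(fields),
            # IsDebuggerPresent reads the same PEB.BeingDebugged byte as sub_4017A0
            "PEB.BeingDebugged": bool(k32.IsDebuggerPresent())}

if __name__ == "__main__":
    if sys.platform == "win32":
        print(windows_checks())
    else:   # constructed PEB image with BeingDebugged set, for a quick look
        print(peb_being_debugged(bytes([0, 0, 1, 0]) + bytes(60)))
```

Under a debugger that fills the console-size fields the StartupInfo check fires even though nothing touched the PEB, which is why the crackme runs all three.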
Had a look at it the other day when I had nothing to do...
XOR the 2nd char of the username with the 1st, then shl; finally +1