2017-9-6 9:00 四个新鲜的CM
https://pan.baidu.com/s/1qYQDObM 第二个00406889 .8B45 D0 mov eax,dword ptr ss: ;看到一字串 ,估计开始计算
0040688C .50 push eax
0040688D .8D4D C4 lea ecx,dword ptr ss:
00406890 .E8 5EFEFCFF call 2.003D66F3
00406895 .C745 FC 00000>mov dword ptr ss:,0x0
0040689C .A1 10C0B300 mov eax,dword ptr ds: ;¢
004068A1 .83C0 1A add eax,0x1A
004068A4 .50 push eax
004068A5 .68 E8F3A500 push 2.00A5F3E8 ;c:\users\lantie\desktop\crackme\crackme\crackmedlg.cpp
004068AA .68 00080000 push 0x800
004068AF .E8 544DFDFF call 2.003DB608
004068B4 .83C4 0C add esp,0xC
004068B7 .8985 50FEFFFF mov dword ptr ss:,eax
004068BD .8B8D 50FEFFFF mov ecx,dword ptr ss:
004068C3 .894D B8 mov dword ptr ss:,ecx
004068C6 .8BF4 mov esi,esp
004068C8 .68 00040000 push 0x400
004068CD .8B45 B8 mov eax,dword ptr ss:
004068D0 .50 push eax
004068D1 .6A 67 push 0x67
004068D3 .8BFC mov edi,esp
004068D5 .6A 00 push 0x0 ; /pModule = NULL
004068D7 .FF15 C015B500 call near dword ptr ds:[<&KERNEL32.Ge>; \GetModuleHandleW
004068DD .3BFC cmp edi,esp
004068DF .E8 A874FCFF call 2.003CDD8C
004068E4 .50 push eax ; |hInst
004068E5 .FF15 F81AB500 call near dword ptr ds:[<&USER32.Load>; \LoadStringW
004068EB .3BF4 cmp esi,esp
004068ED .E8 9A74FCFF call 2.003CDD8C
004068F2 .8B45 B8 mov eax,dword ptr ss:
004068F5 .50 push eax
004068F6 .8D8D 44FEFFFF lea ecx,dword ptr ss:
004068FC .E8 F2FDFCFF call 2.003D66F3
00406901 .8985 D0FDFFFF mov dword ptr ss:,eax
00406907 .8B8D D0FDFFFF mov ecx,dword ptr ss:
0040690D .898D CCFDFFFF mov dword ptr ss:,ecx
00406913 .C645 FC 01 mov byte ptr ss:,0x1
00406917 .8B95 CCFDFFFF mov edx,dword ptr ss:
0040691D .52 push edx
0040691E .8D4D C4 lea ecx,dword ptr ss:
00406921 .E8 545EFCFF call 2.003CC77A
00406926 .C645 FC 00 mov byte ptr ss:,0x0
0040692A .8D8D 44FEFFFF lea ecx,dword ptr ss:
00406930 .E8 CC21FDFF call 2.003D8B01
00406935 .A1 10C0B300 mov eax,dword ptr ds: ;¢
0040693A .83C0 1D add eax,0x1D
0040693D .50 push eax
0040693E .68 E8F3A500 push 2.00A5F3E8 ;c:\users\lantie\desktop\crackme\crackme\crackmedlg.cpp
00406943 .68 00080000 push 0x800
00406948 .E8 BB4CFDFF call 2.003DB608
0040694D .83C4 0C add esp,0xC
00406950 .8985 38FEFFFF mov dword ptr ss:,eax
00406956 .8B8D 38FEFFFF mov ecx,dword ptr ss:
0040695C .894D AC mov dword ptr ss:,ecx
0040695F .8BF4 mov esi,esp
00406961 .68 00040000 push 0x400
00406966 .8B45 AC mov eax,dword ptr ss:
00406969 .50 push eax
0040696A .6A 68 push 0x68
0040696C .8BFC mov edi,esp
0040696E .6A 00 push 0x0 ; /pModule = NULL
00406970 .FF15 C015B500 call near dword ptr ds:[<&KERNEL32.Ge>; \GetModuleHandleW
00406976 .3BFC cmp edi,esp
00406978 .E8 0F74FCFF call 2.003CDD8C
0040697D .50 push eax ; |hInst
0040697E .FF15 F81AB500 call near dword ptr ds:[<&USER32.Load>; \LoadStringW
00406984 .3BF4 cmp esi,esp
00406986 .E8 0174FCFF call 2.003CDD8C
0040698B .8B45 AC mov eax,dword ptr ss: ;看到0123456789
0040698E .50 push eax
0040698F .8D8D 2CFEFFFF lea ecx,dword ptr ss:
00406995 .E8 59FDFCFF call 2.003D66F3
0040699A .8985 D0FDFFFF mov dword ptr ss:,eax
004069A0 .8B8D D0FDFFFF mov ecx,dword ptr ss:
004069A6 .898D CCFDFFFF mov dword ptr ss:,ecx
004069AC .C645 FC 02 mov byte ptr ss:,0x2
004069B0 .8B95 CCFDFFFF mov edx,dword ptr ss:
004069B6 .52 push edx
004069B7 .8D4D C4 lea ecx,dword ptr ss:
004069BA .E8 BB5DFCFF call 2.003CC77A
004069BF .C645 FC 00 mov byte ptr ss:,0x0
004069C3 .8D8D 2CFEFFFF lea ecx,dword ptr ss:
004069C9 .E8 3321FDFF call 2.003D8B01
004069CE .A1 10C0B300 mov eax,dword ptr ds: ;¢
004069D3 .83C0 20 add eax,0x20
004069D6 .50 push eax
004069D7 .68 E8F3A500 push 2.00A5F3E8 ;c:\users\lantie\desktop\crackme\crackme\crackmedlg.cpp
004069DC .68 00080000 push 0x800
004069E1 .E8 224CFDFF call 2.003DB608
004069E6 .83C4 0C add esp,0xC
004069E9 .8985 20FEFFFF mov dword ptr ss:,eax
004069EF .8B8D 20FEFFFF mov ecx,dword ptr ss:
004069F5 .894D A0 mov dword ptr ss:,ecx
004069F8 .8BF4 mov esi,esp
004069FA .68 00040000 push 0x400
004069FF .8B45 A0 mov eax,dword ptr ss:
00406A02 .50 push eax
00406A03 .6A 69 push 0x69
00406A05 .8BFC mov edi,esp
00406A07 .6A 00 push 0x0 ; /pModule = NULL
00406A09 .FF15 C015B500 call near dword ptr ds:[<&KERNEL32.Ge>; \GetModuleHandleW
00406A0F .3BFC cmp edi,esp
00406A11 .E8 7673FCFF call 2.003CDD8C
00406A16 .50 push eax ; |hInst
00406A17 .FF15 F81AB500 call near dword ptr ds:[<&USER32.Load>; \LoadStringW
00406A1D .3BF4 cmp esi,esp
00406A1F .E8 6873FCFF call 2.003CDD8C
00406A24 .8B45 A0 mov eax,dword ptr ss:
00406A27 .50 push eax
00406A28 .8D8D 14FEFFFF lea ecx,dword ptr ss:
00406A2E .E8 C0FCFCFF call 2.003D66F3
00406A33 .8985 D0FDFFFF mov dword ptr ss:,eax
00406A39 .8B8D D0FDFFFF mov ecx,dword ptr ss:
00406A3F .898D CCFDFFFF mov dword ptr ss:,ecx
00406A45 .C645 FC 03 mov byte ptr ss:,0x3
00406A49 .8B95 CCFDFFFF mov edx,dword ptr ss:
00406A4F .52 push edx
00406A50 .8D4D C4 lea ecx,dword ptr ss:
00406A53 .E8 225DFCFF call 2.003CC77A
00406A58 .C645 FC 00 mov byte ptr ss:,0x0
00406A5C .8D8D 14FEFFFF lea ecx,dword ptr ss:
00406A62 .E8 9A20FDFF call 2.003D8B01
00406A67 .8B4D E8 mov ecx,dword ptr ss:
00406A6A .81C1 D8000000 add ecx,0xD8
00406A70 .E8 00A8FCFF call 2.003D1275
00406A75 .8945 94 mov dword ptr ss:,eax
00406A78 .A1 10C0B300 mov eax,dword ptr ds: ;¢
00406A7D .83C0 26 add eax,0x26
00406A80 .50 push eax
00406A81 .68 E8F3A500 push 2.00A5F3E8 ;c:\users\lantie\desktop\crackme\crackme\crackmedlg.cpp
00406A86 .8B4D 94 mov ecx,dword ptr ss:
00406A89 .83C1 01 add ecx,0x1
00406A8C .51 push ecx
00406A8D .E8 764BFDFF call 2.003DB608
00406A92 .83C4 0C add esp,0xC
00406A95 .8985 08FEFFFF mov dword ptr ss:,eax
00406A9B .8B95 08FEFFFF mov edx,dword ptr ss:
00406AA1 .8955 88 mov dword ptr ss:,edx
00406AA4 .8B45 94 mov eax,dword ptr ss:
00406AA7 .83C0 01 add eax,0x1
00406AAA .50 push eax
00406AAB .6A 00 push 0x0
00406AAD .8B4D 88 mov ecx,dword ptr ss:
00406AB0 .51 push ecx
00406AB1 .E8 5AB1FDFF call 2.003E1C10
00406AB6 .83C4 0C add esp,0xC
00406AB9 .51 push ecx
00406ABA .8BCC mov ecx,esp
00406ABC .89A5 FCFDFFFF mov dword ptr ss:,esp
00406AC2 .8D45 C4 lea eax,dword ptr ss:
00406AC5 .50 push eax
00406AC6 .E8 82FCFCFF call 2.003D674D
00406ACB .8985 D0FDFFFF mov dword ptr ss:,eax
00406AD1 .8B4D 94 mov ecx,dword ptr ss:
00406AD4 .51 push ecx
00406AD5 .8B55 88 mov edx,dword ptr ss:
00406AD8 .52 push edx
00406AD9 .8B4D E8 mov ecx,dword ptr ss:
00406ADC .E8 5FA5FCFF call 2.003D1040
00406AE1 .8B45 94 mov eax,dword ptr ss:
00406AE4 .99 cdq
00406AE5 .83E2 03 and edx,0x3
00406AE8 .03C2 add eax,edx
00406AEA .C1F8 02 sar eax,0x2
00406AED .6BC0 03 imul eax,eax,0x3
00406AF0 .83E8 02 sub eax,0x2
00406AF3 .8985 7CFFFFFF mov dword ptr ss:,eax
00406AF9 .A1 10C0B300 mov eax,dword ptr ds: ;¢
00406AFE .83C0 2B add eax,0x2B
00406B01 .50 push eax
00406B02 .68 E8F3A500 push 2.00A5F3E8 ;c:\users\lantie\desktop\crackme\crackme\crackmedlg.cpp
00406B07 .8B8D 7CFFFFFF mov ecx,dword ptr ss:
00406B0D .83C1 01 add ecx,0x1
00406B10 .51 push ecx
00406B11 .E8 F24AFDFF call 2.003DB608
00406B16 .83C4 0C add esp,0xC
00406B19 .8985 F0FDFFFF mov dword ptr ss:,eax
00406B1F .8B95 F0FDFFFF mov edx,dword ptr ss:
00406B25 .8995 70FFFFFF mov dword ptr ss:,edx
00406B2B .8B85 7CFFFFFF mov eax,dword ptr ss:
00406B31 .83C0 01 add eax,0x1
00406B34 .50 push eax
00406B35 .6A 00 push 0x0
00406B37 .8B8D 70FFFFFF mov ecx,dword ptr ss:
00406B3D .51 push ecx
00406B3E .E8 CDB0FDFF call 2.003E1C10
00406B43 .83C4 0C add esp,0xC
00406B46 .8B85 7CFFFFFF mov eax,dword ptr ss:
00406B4C .50 push eax
00406B4D .8B4D 88 mov ecx,dword ptr ss:
00406B50 .51 push ecx
00406B51 .8B95 70FFFFFF mov edx,dword ptr ss:
00406B57 .52 push edx
00406B58 .8B4D E8 mov ecx,dword ptr ss:
00406B5B .E8 2DFCFDFF call 2.003E678D
00406B60 .6A 04 push 0x4
00406B62 .8D8D 64FFFFFF lea ecx,dword ptr ss:
00406B68 .E8 3E7BFCFF call 2.003CE6AB
00406B6D .8D8D 64FFFFFF lea ecx,dword ptr ss:
00406B73 .E8 1DD2FCFF call 2.003D3D95
00406B78 .C645 FC 04 mov byte ptr ss:,0x4
00406B7C .83BD 70FFFFFF>cmp dword ptr ss:,0x0
00406B83 74 46 je short 2.00406BCB ;修改次试试吧。
00406B85 .6A 04 push 0x4
00406B87 .8D8D 58FFFFFF lea ecx,dword ptr ss:
00406B8D .E8 197BFCFF call 2.003CE6AB
00406B92 .8B85 70FFFFFF mov eax,dword ptr ss:
00406B98 .50 push eax
00406B99 .8D8D 58FFFFFF lea ecx,dword ptr ss:
00406B9F .E8 F513FDFF call 2.003D7F99
00406BA4 .C645 FC 05 mov byte ptr ss:,0x5
00406BA8 .8D85 58FFFFFF lea eax,dword ptr ss:
00406BAE .50 push eax
00406BAF .8D8D 64FFFFFF lea ecx,dword ptr ss:
00406BB5 .E8 C361FDFF call 2.003DCD7D
00406BBA .C645 FC 04 mov byte ptr ss:,0x4
00406BBE .8D8D 58FFFFFF lea ecx,dword ptr ss:
00406BC4 .E8 381FFDFF call 2.003D8B01
00406BC9 .EB 4D jmp short 2.00406C18
00406BCB >6A 04 push 0x4
00406BCD .8D8D 4CFFFFFF lea ecx,dword ptr ss:
00406BD3 .E8 D37AFCFF call 2.003CE6AB
00406BD8 .6A 01 push 0x1
00406BDA .6A 40 push 0x40
00406BDC .8D4D C4 lea ecx,dword ptr ss:
00406BDF .E8 7EE1FCFF call 2.003D4D62
00406BE4 .0FB7C0 movzx eax,ax
00406BE7 .50 push eax
00406BE8 .8D8D 4CFFFFFF lea ecx,dword ptr ss:
00406BEE .E8 B1E0FCFF call 2.003D4CA4
00406BF3 .C645 FC 06 mov byte ptr ss:,0x6
00406BF7 .8D85 4CFFFFFF lea eax,dword ptr ss:
00406BFD .50 push eax
00406BFE .8D8D 64FFFFFF lea ecx,dword ptr ss:
00406C04 .E8 7461FDFF call 2.003DCD7D
00406C09 .C645 FC 04 mov byte ptr ss:,0x4
00406C0D .8D8D 4CFFFFFF lea ecx,dword ptr ss:
00406C13 .E8 E91EFDFF call 2.003D8B01
00406C18 >8D85 64FFFFFF lea eax,dword ptr ss:
00406C1E .50 push eax
00406C1F .8B4D E8 mov ecx,dword ptr ss:
00406C22 .81C1 D4000000 add ecx,0xD4
00406C28 .51 push ecx
00406C29 .E8 C680FDFF call 2.003DECF4
00406C2E .83C4 08 add esp,0x8
00406C31 .0FB6D0 movzx edx,al
00406C34 .85D2 test edx,edx
00406C36 90 nop ;这跳走了?
00406C37 90 nop
之后 就出来了 【你好聪明】 第三个:
0129D074|.A1 686F3401 mov eax,dword ptr ds: ;password:
0129D079|.8945 DC mov ,eax
0129D07C|.8B0D 6C6F3401 mov ecx,dword ptr ds: ;word:
0129D082|.894D E0 mov ,ecx
0129D085|.66:8B15 706F3>mov dx,word ptr ds: ;:
0129D08C|.66:8955 E4 mov word ptr ss:,dx
0129D090|.A0 726F3401 mov al,byte ptr ds:
0129D095|.8845 E6 mov byte ptr ss:,al
0129D098|.A1 746F3401 mov eax,dword ptr ds: ;Yes!
0129D09D|.8945 CC mov ,eax
0129D0A0|.8A0D 786F3401 mov cl,byte ptr ds:
0129D0A6|.884D D0 mov byte ptr ss:,cl
0129D0A9|.A1 7C6F3401 mov eax,dword ptr ds: ;No!
0129D0AE|.8945 C0 mov ,eax
0129D0B1|.6A 50 push 0x50
0129D0B3|.E8 DD7FFFFF call 3.01295095
0129D0B8|.83C4 04 add esp,0x4
0129D0BB|.8945 B4 mov ,eax
0129D0BE|.8D45 F0 lea eax,
0129D0C1|.50 push eax
0129D0C2|.68 806F3401 push 3.01346F80 ;%s
0129D0C7|.E8 17A5FFFF call 3.012975E3
0129D0CC|.83C4 08 add esp,0x8
0129D0CF|.8B45 B4 mov eax,
0129D0D2|.50 push eax
0129D0D3|.68 806F3401 push 3.01346F80 ;%s
0129D0D8|.E8 9494FFFF call 3.01296571
0129D0DD|.83C4 08 add esp,0x8 ;没办法 ,借用此处当第1个切入点
0129D0E0|.8B45 B4 mov eax,
0129D0E3|.50 push eax
0129D0E4|.E8 A27FFFFF call 3.0129508B
0129D0E9|.83C4 04 add esp,0x4
0129D0EC|.83F8 10 cmp eax,0x10
0129D0EF|.76 04 jbe short 3.0129D0F5
0129D0F1|.33C0 xor eax,eax
0129D0F3|.EB 74 jmp short 3.0129D169
0129D0F5|>8D45 DC lea eax,
0129D0F8|.50 push eax
0129D0F9|.68 806F3401 push 3.01346F80 ;%s
0129D0FE|.E8 E0A4FFFF call 3.012975E3
0129D103|.83C4 08 add esp,0x8
0129D106|.B8 01000000 mov eax,0x1
0129D10B|.C1E0 04 shl eax,0x4
0129D10E|.0345 B4 add eax,
0129D111|.50 push eax
0129D112|.68 806F3401 push 3.01346F80 ;%s
0129D117|.E8 5594FFFF call 3.01296571
0129D11C|.83C4 08 add esp,0x8
0129D11F|.8B45 B4 mov eax,
0129D122|.50 push eax
0129D123|.B9 01000000 mov ecx,0x1
0129D128|.C1E1 04 shl ecx,0x4
0129D12B|.034D B4 add ecx,
0129D12E|.51 push ecx ;输入之后 看到了输入的字串 假的密码
0129D12F|.E8 5A72FFFF call 3.0129438E
0129D134|.83C4 08 add esp,0x8
0129D137|.0FB6D0 movzx edx,al
0129D13A|.85D2 test edx,edx
0129D13C 90 nop ;这里很明显有个判断点下面看到两个换行符
0129D13D 90 nop
楼主放点图片来看一下咯‘1 4个就一个可以打开搞不懂 本帖最后由 YShDYH 于 2017-9-6 10:41 编辑
第四个表示只会玩爆破{:1_925:},把je改jnz
第一题答案:112x3x4c5x6n7x
大家努力啊 路过,看看。。 第二个CM:
i?y?
abcdefg/_KaQqi 第三个CM:
_KaQqi
85a705b726662656e255a245 本帖最后由 zbnysjwsnd8 于 2017-9-6 22:57 编辑
再发一个第三个CM的注册机代码
#include <stdio.h>
#include <string.h>
/*
 * Map a nibble value to its lowercase ASCII hex digit.
 *
 * @param a  value in 0..15
 * @return   '0'..'9' for 0..9, 'a'..'f' for 10..15, -1 for anything else
 */
int c(int a)
{
    static const char hex_digits[] = "0123456789abcdef";

    if (a < 0 || a > 0xF) {
        return -1;
    }
    return hex_digits[a];
}
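/*
 * Length of the NUL-terminated string s: the number of bytes before the
 * first '\0'.
 *
 * @param s  string to measure; may be NULL
 * @return   byte count, 0 for an empty string or a NULL pointer
 *
 * The page's listing reads `do len++; while (s != 0);` — the array
 * subscript was lost in extraction, and as printed the loop never
 * terminates for a non-NULL s.  The evident original (`s[len]`) started
 * counting at index 1 and so read s[1] of an empty string, one past its
 * terminator.  Scanning from index 0 fixes both.  The name is kept for the
 * existing caller in main(); note that file-scope identifiers beginning
 * with '_' are reserved for the implementation (C11 7.1.3).
 */
size_t _strlen(char *s)
{
    size_t len = 0;

    if (s == NULL) {
        return 0;
    }
    while (s[len] != '\0') {
        len++;
    }
    return len;
}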
/*
 * Keygen for the third crackme, as posted.
 *
 * NOTE(review): this listing lost its array subscripts in extraction —
 * "char UserName;", "UserName >> 4", "_Key ^ a" and "UserName_Key = ..."
 * were almost certainly "char UserName[N]", "UserName[i] >> 4",
 * "_Key[...] ^ a" and "UserName_Key[...] = ...".  The intended indexing
 * cannot be recovered from the page, so the code is left exactly as
 * printed and only annotated; it does not compile in this form.
 */
int main(void)
{
/*
 * Two 64-byte tables XORed against the hex-digit characters of the user
 * name below.  The first 17 bytes of _Key are the ASCII text
 * "kEy{UareS0cLeVer}"; __Key starts with the same 17 bytes in reverse
 * order.  The remaining bytes (0xFD/0xDD runs, what look like pointers)
 * resemble memory dumped from a debug build rather than designed
 * constants — presumably copied straight out of the target, not derived
 * on this page.  Both names are reserved identifiers (leading underscore
 * at file scope, double underscore anywhere).
 */
unsigned char _Key[] = {
0x6B,0x45,0x79,0x7B,0x55,0x61,0x72,0x65,0x53,0x30,0x63,0x4C,0x65,0x56,0x65,0x72,
0x7D,0xFD,0xFD,0xFD,0xFD,0xDD,0xDD,0xDD,0x7B,0x43,0xFC,0x73,0x66,0x85,0x00,0x0B,
0x10,0xE2,0xF8,0x00,0xB0,0xFA,0xF8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x39,0x00,0x00,0x00,0xFD,0xFD,0xFD,0xFD};
unsigned char __Key[] = {
0x7D,0x72,0x65,0x56,0x65,0x4C,0x63,0x30,0x53,0x65,0x72,0x61,0x55,0x7B,0x79,0x45,
0x6B,0xFD,0xFD,0xFD,0xFD,0xDD,0xDD,0xDD,0x7B,0x43,0xFC,0x73,0x66,0x85,0x00,0x0A,
0x08,0x14,0xF9,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x12,0x00,0x00,0x00,0x3D,0x00,0x00,0x00,0xFD,0xFD,0xFD,0xFD};
/* Presumably fixed-size buffers; their sizes were lost in extraction. */
char UserName;
char UserName_Key = {0};
char Key = {0};
/*
 * Unbounded "%s" read: nothing limits the input to the buffer, and the
 * length check below runs only after the write has already happened.  A
 * width specifier matching the buffer size (e.g. "%15s" for a 16-byte
 * buffer) is the usual fix (CERT STR31-C).
 */
scanf("%s",UserName);
/*
 * Names of 16 or more characters are rejected.  This appears to mirror the
 * target's `cmp eax,0x10 / jbe` at 0129D0EC in the listing above, though
 * the page does not say what that eax holds — confirm.
 */
if(strlen(UserName) >= 0x10)
return 0;
/*
 * Encrypt UserName: each input byte is split into its two nibbles, each
 * nibble is turned into an ASCII hex digit by c(), and the result is XORed
 * with a byte from one of the tables (high nibble with _Key, low nibble
 * with __Key).  Which table index pairs with which input byte is not
 * recoverable here.  strlen() is re-evaluated on every iteration.
 */
for(size_t i = 0;i < strlen(UserName);i++)
{
int a;
int b;
a = c(UserName >> 4);
b = (UserName >> 4) + i;      /* b is assigned but never read */
UserName_Key = _Key ^ a;
a = c(UserName & 0xF);
UserName_Key = __Key ^ a;
}
/*
 * Compute the registration code: hex-encode the encrypted bytes, low
 * nibble first, high nibble second (as the two statements are ordered).
 * _strlen() is the local helper defined above; like strlen() it stops at
 * the first zero byte, so an encrypted byte of 0x00 truncates the code —
 * presumably intended, but not stated on the page.
 */
for(size_t i = 0;i < _strlen(UserName_Key);i++)
{
Key = c(UserName_Key & 0xF);
Key = c(UserName_Key >> 4);
}
/*
 * Output Key.  This passes a non-literal format string: any '%' in Key is
 * interpreted by printf, and its contents are derived from user input
 * (CERT FIO30-C).  Should be printf("%s", Key).
 */
printf(Key);//output Key
/*
 * Busy-wait to keep the console window open.  `true` requires <stdbool.h>,
 * which is not included, so this line does not compile as C.
 */
while(true);
return 0;
}
不懂算法,所以只能爆破,楼主没上成功图,也不知道对不对