【Write-up title】PYG crackme: algorithm analysis + simple patching
【Write-up author】pengpeng
【Tools】PEiD, OD
【Platform】XP SP2
【Software name】CM
【Protection】Registration code
【Statement】This CM was released by PYG, but there are two mistakes in its algorithm, so I re-analyzed it; this algorithm analysis is definitely not plagiarized.
I am also just starting to learn algorithm analysis; please correct anything I got wrong.
Error prompt: One of the Details you entered was wrong
Checked: no packer. First search for that string and set a breakpoint on it; the algorithm is as follows.
004014C9  55              PUSH EBP
004014CA  56              PUSH ESI
004014CB  8BF1            MOV ESI,ECX
004014CD  57              PUSH EDI
004014CE  8DBE A0000000   LEA EDI,DWORD PTR DS:[ESI+A0]
004014D4  8BCF            MOV ECX,EDI
004014D6  E8 6F030000     CALL <JMP.&MFC42.#3876_?GetWindowTextLengthA@CWnd@@QB>  ; get user name length
004014DB  8B1D FC214000   MOV EBX,DWORD PTR DS:[<&USER32.PostQuitMessage>]        ; USER32.PostQuitMessage
004014E1  83F8 05         CMP EAX,5                        ; compare EAX with 5
004014E4  7E 50           JLE SHORT chap202.00401536       ; jump if <= 5 (taking the jump means failure)
004014E6  8D6E 60         LEA EBP,DWORD PTR DS:[ESI+60]
004014E9  8BCD            MOV ECX,EBP
004014EB  E8 5A030000     CALL <JMP.&MFC42.#3876_?GetWindowTextLengthA@CWnd@@QB>  ; get fake serial length
004014F0  83F8 05         CMP EAX,5                        ; compare EAX with 5
004014F3  7E 41           JLE SHORT chap202.00401536       ; jump if <= 5 (taking the jump means failure)
004014F5  8D86 E0000000   LEA EAX,DWORD PTR DS:[ESI+E0]
004014FB  8BCF            MOV ECX,EDI
004014FD  50              PUSH EAX
004014FE  E8 41030000     CALL <JMP.&MFC42.#3874_?GetWindowTextA@CWnd@@QBEXAAVC>  ; get user name
00401503  8DBE E4000000   LEA EDI,DWORD PTR DS:[ESI+E4]
00401509  8BCD            MOV ECX,EBP
0040150B  57              PUSH EDI
0040150C  E8 33030000     CALL <JMP.&MFC42.#3874_?GetWindowTextA@CWnd@@QBEXAAVC>  ; get fake serial
00401511  8B07            MOV EAX,DWORD PTR DS:[EDI]       ; load the fake serial (its string pointer) into EAX
00401513  8038 36         CMP BYTE PTR DS:[EAX],36         ; is the 1st byte of the fake serial hex 36 (ASCII '6')?
00401516  75 1E           JNZ SHORT chap202.00401536
00401518  8078 01 32      CMP BYTE PTR DS:[EAX+1],32       ; is the 2nd byte of the fake serial hex 32 (ASCII '2')?
0040151C  75 18           JNZ SHORT chap202.00401536
0040151E  8078 02 38      CMP BYTE PTR DS:[EAX+2],38       ; is the 3rd byte of the fake serial hex 38 (ASCII '8')?
00401522  75 12           JNZ SHORT chap202.00401536
00401524  8078 03 37      CMP BYTE PTR DS:[EAX+3],37       ; is the 4th byte of the fake serial hex 37 (ASCII '7')?
00401528  75 0C           JNZ SHORT chap202.00401536
0040152A  8078 04 2D      CMP BYTE PTR DS:[EAX+4],2D       ; is the 5th byte of the fake serial hex 2D (ASCII '-')?
0040152E  75 06           JNZ SHORT chap202.00401536
00401530  8078 05 41      CMP BYTE PTR DS:[EAX+5],41       ; is the 6th byte of the fake serial hex 41 (ASCII 'A')?
00401534  74 17           JE SHORT chap202.0040154D        ; if equal, jump to the success path
00401536  6A 00           PUSH 0
00401538  68 64304000     PUSH chap202.00403064            ; ERROR
0040153D  68 38304000     PUSH chap202.00403038            ; One of the Details you entered was wrong
00401542  8BCE            MOV ECX,ESI
00401544  E8 F5020000     CALL <JMP.&MFC42.#4224_?MessageBoxA@CWnd@@QAEHPBD0I@Z>
00401549  6A 00           PUSH 0
0040154B  FFD3            CALL EBX
0040154D  8D8E E0000000   LEA ECX,DWORD PTR DS:[ESI+E0]
00401553  8D5424 14       LEA EDX,DWORD PTR SS:[ESP+14]
00401557  51              PUSH ECX
00401558  68 2C304000     PUSH chap202.0040302C            ; Well done,
0040155D  52              PUSH EDX
0040155E  E8 D5020000     CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>
00401563  68 3C314000     PUSH chap202.0040313C
00401568  50              PUSH EAX
00401569  8D4424 18       LEA EAX,DWORD PTR SS:[ESP+18]
0040156D  C74424 28 00000>MOV DWORD PTR SS:[ESP+28],0
00401575  50              PUSH EAX
00401576  E8 B7020000     CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040157B  8B00            MOV EAX,DWORD PTR DS:[EAX]
0040157D  6A 00           PUSH 0
0040157F  68 20304000     PUSH chap202.00403020            ; YOU DID IT
00401584  50              PUSH EAX
00401585  8BCE            MOV ECX,ESI
00401587  C64424 2C 01    MOV BYTE PTR SS:[ESP+2C],1
0040158C  E8 AD020000     CALL <JMP.&MFC42.#4224_?MessageBoxA@CWnd@@QAEHPBD0I@Z>
00401591  8D4C24 10       LEA ECX,DWORD PTR SS:[ESP+10]
00401595  C64424 20 00    MOV BYTE PTR SS:[ESP+20],0
0040159A  E8 67010000     CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040159F  8D4C24 14       LEA ECX,DWORD PTR SS:[ESP+14]
004015A3  C74424 20 FFFFF>MOV DWORD PTR SS:[ESP+20],-1
004015AB  E8 56010000     CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004015B0  6A 01           PUSH 1
004015B2  FFD3            CALL EBX
004015B4  8B4C24 18       MOV ECX,DWORD PTR SS:[ESP+18]
004015B8  5F              POP EDI
004015B9  5E              POP ESI
004015BA  5D              POP EBP
004015BB  5B              POP EBX
004015BC  64:890D 0000000>MOV DWORD PTR FS:[0],ECX
004015C3  83C4 14         ADD ESP,14
004015C6  C3              RETN
Patching method: NOP out the conditional jumps at 004014E4 and 004014F3 (JLE) and at 00401516, 0040151C, 00401522, 00401528 and 0040152E (JNZ);
change the JE at 00401534 to JMP.
Analysis result: the user name must be longer than 5 characters;
the serial must be longer than 5 characters.
NAME: PENGPENG
Serial: 6287-A
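The check routine above, rewritten as equivalent C so its logic can be run outside the debugger (an added example, not the crackme's own source; check_details is my name for the routine at 004014C9). It also shows what the listing implies but the summary does not spell out: only the first six bytes of the serial are compared, so any longer serial beginning with 6287-A is accepted, and the name contributes nothing beyond its length.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the routine at 004014C9-00401534 (added example, not the
 * crackme's own source; the function name is mine). Returns 1 for the
 * "Well done" path (JE at 00401534) and 0 for "One of the Details you
 * entered was wrong" (the block at 00401536). */
int check_details(const char *name, const char *serial)
{
    /* 004014E1/004014E4: GetWindowTextLength(name) must exceed 5 */
    if (strlen(name) <= 5)
        return 0;
    /* 004014F0/004014F3: GetWindowTextLength(serial) must exceed 5 */
    if (strlen(serial) <= 5)
        return 0;

    /* 00401513-00401534: six CMP BYTE PTR instructions against the constants
     * 36 32 38 37 2D 41, i.e. "6287-A". Nothing past byte 5 is examined, and
     * the name's text (fetched at 004014FE) is never used. */
    static const char expected[6] = { 0x36, 0x32, 0x38, 0x37, 0x2D, 0x41 };
    for (int i = 0; i < 6; i++) {
        if (serial[i] != expected[i])
            return 0;               /* JNZ SHORT 00401536 */
    }
    return 1;                       /* JE SHORT 0040154D */
}

int main(void)
{
    /* constructed test inputs; the first pair is the one given in the post */
    const char *cases[][2] = {
        { "PENGPENG", "6287-A"    },
        { "PENG",     "6287-A"    },   /* name too short */
        { "PENGPENG", "6287-"     },   /* serial too short */
        { "PENGPENG", "6287-Axyz" },   /* extra bytes are never compared */
        { "PENGPENG", "6287-B"    },   /* last byte wrong */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s %-10s -> %s\n", cases[i][0], cases[i][1],
               check_details(cases[i][0], cases[i][1]) ? "Well done" : "wrong");
    return 0;
}
```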
Anyone learning algorithm analysis, come and discuss with me.