吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 8181|回复: 19
收起左侧

PYG一CM算法分析

[复制链接]
shaopeng 发表于 2008-9-28 14:40
【破文标题】PYG一CM算法分析
【破文作者】a13639875277 (鹏鹏♂)
破解工具】PEiD,OD
【破解平台】DB.XP SP2
【软件名称】CM
【保护方式】注册码
【破解声明】我是小菜菜,只为学习,高人见谅了!
试输入:pengpengSN:12345678 出现错误提示,载入OD,查找字串,下断,来到关键地
00401127 > /6A 00 PUSH 0 ; /lParam = 0
00401129 . |6A 00 PUSH 0 ; |wParam = 0
0040112B . |6A 0E PUSH 0E; |Message = WM_GETTEXTLENGTH
0040112D . |6A 03 PUSH 3 ; |ControlID = 3
0040112F . |FF75 08 PUSH DWORD PTR SS:[EBP+8]; |hWnd
00401132 . |E8 41020000 CALL <JMP.&USER32.SendDlgItemMessageA> ; \取用户名的位数
00401137 . |A3 AF214000 MOV DWORD PTR DS:[4021AF],EAX
0040113C . |83F8 00 CMP EAX,0;看用户名位数是不是0
0040113F . |0F84 D5000000 JE chap203.0040121A;相等就OVER
00401145 . |83F8 08 CMP EAX,8
00401148 . |0F8F CC000000 JG chap203.0040121A;大于就跳
0040114E . |8BF0MOV ESI,EAX;eax=esi
00401150 . |6A 00 PUSH 0 ; /lParam = 0
00401152 . |6A 00 PUSH 0 ; |wParam = 0
00401154 . |6A 0E PUSH 0E; |Message = WM_GETTEXTLENGTH
00401156 . |6A 04 PUSH 4 ; |ControlID = 4
00401158 . |FF75 08 PUSH DWORD PTR SS:[EBP+8]; |hWnd
0040115B . |E8 18020000 CALL <JMP.&USER32.SendDlgItemMessageA> ; \取假码位数
00401160 . |83F8 00 CMP EAX,0;与0比较
00401163 . |0F84 B1000000 JE chap203.0040121A;相等则跳,over
00401169 . |3BF0CMP ESI,EAX;用户名位数必须跟注册码位数相等
0040116B . |0F85 A9000000 JNZ chap203.0040121A ;不等OVER
00401171 . |68 60214000 PUSH chap203.00402160; /pengpen
00401176 . |6A 08 PUSH 8 ; |wParam = 8
00401178 . |6A 0D PUSH 0D; |Message = WM_GETTEXT
0040117A . |6A 03 PUSH 3 ; |ControlID = 3
0040117C . |FF75 08 PUSH DWORD PTR SS:[EBP+8]; |hWnd
0040117F . |E8 F4010000 CALL <JMP.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA
00401184 . |68 79214000 PUSH chap203.00402179; /12345678
00401189 . |6A 10 PUSH 10; |wParam = 10
0040118B . |6A 0D PUSH 0D; |Message = WM_GETTEXT
0040118D . |6A 04 PUSH 4 ; |ControlID = 4
0040118F . |FF75 08 PUSH DWORD PTR SS:[EBP+8]; |hWnd
00401192 . |E8 E1010000 CALL <JMP.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA
00401197 . |B9 FFFFFFFF MOV ECX,-1 ;ECX初始化
0040119C > |41INC ECX
0040119D . |0FBE81 602140>MOVSX EAX,BYTE PTR DS:[ECX+402160] ;逐步取用户名的ASCII
004011A4 . |83F8 00 CMP EAX,0;是否为0; Switch (cases 0..7A)
004011A7 . |74 32 JE SHORT chap203.004011DB
004011A9 . |BE FFFFFFFF MOV ESI,-1
004011AE . |83F8 41 CMP EAX,41 ;是否小于41(A)
004011B1 . |7C 67 JL SHORT chap203.0040121A;小于就OVER
004011B3 . |83F8 7A CMP EAX,7A ;是否大于Z
004011B6 . |77 62 JA SHORT chap203.0040121A;大于就跳
004011B8 . |83F8 5A CMP EAX,5A ;是否小于Z
004011BB . |7C 03 JL SHORT chap203.004011C0;小于则跳
004011BD . |83E8 20 SUB EAX,20 ;EAX=70-20; Cases 5A (&#39;Z&#39;),5B (&#39;[&#39;),5C (&#39;\&#39;),5D (&#39;]&#39;),5E (&#39;^&#39;),5F (&#39;_&#39;),60 (&#39;`&#39;),61 (&#39;a&#39;),62 (&#39;b&#39;),63 (&#39;c&#39;),64 (&#39;d&#39;),65 (&#39;e&#39;),66 (&#39;f&#39;),67 (&#39;g&#39;),68 (&#39;h&#39;),69 (&#39;i&#39;),6A (&#39;j&#39;),6B (&#39;k&#39;),6C (&#39;l&#39;),6D (&#39;m&#39;)... of switch 004011A4
004011C0 > |46INC ESI;Cases 41 (&#39;A&#39;),42 (&#39;B&#39;),43 (&#39;C&#39;),44 (&#39;D&#39;),45 (&#39;E&#39;),46 (&#39;F&#39;),47 (&#39;G&#39;),48 (&#39;H&#39;),49 (&#39;I&#39;),4A (&#39;J&#39;),4B (&#39;K&#39;),4C (&#39;L&#39;),4D (&#39;M&#39;),4E (&#39;N&#39;),4F (&#39;O&#39;),50 (&#39;P&#39;),51 (&#39;Q&#39;),52 (&#39;R&#39;),53 (&#39;S&#39;),54 (&#39;T&#39;)... of switch 004011A4
004011C1 . |0FBE96 172040>MOVSX EDX,BYTE PTR DS:[ESI+402017]
004011C8 . |3BC2CMP EAX,EDX
004011CA .^|75 F4 JNZ SHORT chap203.004011C0
004011CC . |0FBE86 3C2040>MOVSX EAX,BYTE PTR DS:[ESI+40203C]
004011D3 . |8981 94214000 MOV DWORD PTR DS:[ECX+402194],EAX
004011D9 .^|EB C1 JMP SHORT chap203.0040119C
004011DB > |FF35 AF214000 PUSH DWORD PTR DS:[4021AF] ;Case 0 of switch 004011A4
004011E1 . |68 94214000 PUSH chap203.00402194;SF0CSF0
004011E6 . |68 79214000 PUSH chap203.00402179;12345678
004011EB . |E8 54000000 CALL chap203.00401244
004011F0 . |83F8 01 CMP EAX,1
004011F3 .^|0F84 DEFEFFFF JE chap203.004010D7
004011F9 |EB 1F JMP SHORT chap203.0040121A
004011FB > |837D 10 01CMP DWORD PTR SS:[EBP+10],1; |
004011FF .^\0F84 22FFFFFF JE chap203.00401127; |
00401205 .837D 10 02CMP DWORD PTR SS:[EBP+10],2; |
00401209 .75 2F JNZ SHORT chap203.0040123A ; |
0040120B >E8 B4000000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
00401210 .B8 01000000 MOV EAX,1
00401215 .^ E9 FFFEFFFF JMP chap203.00401119
0040121A >68 00200000 PUSH 2000; /Style = MB_OK|MB_TASKMODAL; Default case of switch 004011A4
0040121F .68 01204000 PUSH chap203.00402001; |Duelist&#39;s Crackme #4
00401224 .68 AE204000 PUSH chap203.004020AE; |Your registration info is invalid... Note that most of the special chars may raise registration problems!
00401229 .6A 00 PUSH 0 ; |hOwner = NULL
0040122B .E8 36010000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401230 .B8 00000000 MOV EAX,0
00401235 .^ E9 DFFEFFFF JMP chap203.00401119
0040123A >B8 00000000 MOV EAX,0
0040123F .^ E9 D5FEFFFF JMP chap203.00401119
00401244/$C8 000000 ENTER 0,0
00401248|.B8 01000000 MOV EAX,1
0040124D|.8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00401250|.8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
00401253|.8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00401256|.F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
00401258|.67:E3 05JCXZ SHORT chap203.00401260
0040125B|.B8 00000000 MOV EAX,0
00401260|>C9LEAVE
00401261\.C2 0C00 RETN 0C

分析得:
用户名和注册码不能为0
用户名和注册码的为数必须相等
用户名拆开进行循环,对应每个注册码
例子:
用户名:pengpeng
注册码:SF0CSF0C

PYG.rar

4 KB, 下载次数: 21, 下载积分: 吾爱币 -1 CB

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

封心锁爱 发表于 2008-9-28 15:14
学习拉。。看看 [s:40]
nv21 发表于 2008-9-28 15:17
小看一下~!!!!!!!!!!!!!!!!!!!!!
小糊涂虫 发表于 2008-9-28 15:28
又是隐藏的...........看看先.......
qq513701092 发表于 2008-9-28 16:56
好东西总是要隐藏的嘛
fox2006 发表于 2008-9-28 18:36
学习算法,看看 [s:43]
maloushan 发表于 2008-9-28 18:47
不懂就要学哦. [s:40]
uzcool 发表于 2008-9-28 21:58
学习。。。。。 [s:40]
tianxj 发表于 2008-9-28 22:04
高手 [s:39][s:39][s:39][s:39][s:39]
zhaoqingp 发表于 2008-9-29 00:28
wa ~~~高手吖~~~~前辈 ~~~~我想看看吖不知道能不能看懂
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-24 08:42

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表