本不想玩的,但是楼主点名叫我玩下,那我也就来丢下人
大概地分析了一下,太久都不搞破解啦,有错误的地方请别见笑
; Button-click handler (OllyDbg listing, cut at 00453E6E).
; Reads two edit controls -- [ebx+300] = name, [ebx+304] = code -- and rejects the
; input unless: both strings are non-empty, the code is 11 chars long, the 6th char
; is '-', and a value derived from (name, transformed code) equals 0x72.
; Everything below is client-side string arithmetic on the entered text.
00453D94 55 push ebp ; handler entry
00453D95 8BEC mov ebp,esp
00453D97 B9 05000000 mov ecx,5 ; zero 10 dword slots for string locals ([ebp-4] .. [ebp-28])
00453D9C 6A 00 /push 0
00453D9E 6A 00 |push 0
00453DA0 49 |dec ecx
00453DA1 ^ 75 F9 \jnz short Crackme.00453D9C
00453DA3 51 push ecx
00453DA4 53 push ebx
00453DA5 8BD8 mov ebx,eax ; ebx = object whose fields [ebx+300]/[ebx+304] are read below (presumably Self, passed in eax)
00453DA7 33C0 xor eax,eax ; eax = 0 so fs:[eax] below means fs:[0] (exception-chain head) -- nothing is "cleared" here
00453DA9 55 push ebp
00453DAA 68 FE3E4500 push Crackme.00453EFE ; handler / cleanup address for this frame
00453DAF 64:FF30 push dword ptr fs:[eax] ; save previous SEH record
00453DB2 64:8920 mov dword ptr fs:[eax],esp ; install this frame's SEH record
00453DB5 8D55 FC lea edx,dword ptr ss:[ebp-4] ; out: string local receives the text
00453DB8 8B83 04030000 mov eax,dword ptr ds:[ebx+304] ; control holding the registration code
00453DBE E8 89ECFDFF call Crackme.00432A4C ; [ebp-4] = code text (presumably a get-text helper; same routine is used for both controls)
00453DC3 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; string pointer nil, i.e. no code entered?
00453DC7 0F84 E4000000 je Crackme.00453EB1 ; empty code -> leave
00453DCD 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00453DD0 8B83 00030000 mov eax,dword ptr ds:[ebx+300] ; control holding the user name
00453DD6 E8 71ECFDFF call Crackme.00432A4C ; [ebp-8] = name text
00453DDB 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; no name entered?
00453DDF 0F84 CC000000 je Crackme.00453EB1 ; empty name -> leave
00453DE5 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00453DE8 8B83 04030000 mov eax,dword ptr ds:[ebx+304]
00453DEE E8 59ECFDFF call Crackme.00432A4C ; [ebp-C] = code text again (fresh copy)
00453DF3 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00453DF6 E8 1103FBFF call Crackme.0040410C ; eax = length of the code (presumably a string-length helper; it is compared as a count below)
00453DFB 83F8 0B cmp eax,0B ; length == 11?
00453DFE 0F85 A1000000 jnz Crackme.00453EA5 ; jnz: ANY length other than 11 (longer or shorter) takes the fail path
00453E04 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00453E07 8B83 04030000 mov eax,dword ptr ds:[ebx+304]
00453E0D E8 3AECFDFF call Crackme.00432A4C ; [ebp-10] = code text
00453E12 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; eax -> code characters
00453E15 8078 05 2D cmp byte ptr ds:[eax+5],2D ; 6th character (index 5) == '-' (0x2D)?
00453E19 0F85 86000000 jnz Crackme.00453EA5 ; not '-' -> fail path
00453E1F 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00453E22 8B83 04030000 mov eax,dword ptr ds:[ebx+304]
00453E28 E8 1FECFDFF call Crackme.00432A4C ; [ebp-18] = code text
00453E2D 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; in: eax = code
00453E30 8D55 EC lea edx,dword ptr ss:[ebp-14] ; out: edx = result string
00453E33 E8 8CFCFFFF call Crackme.00453AC4 ; first transform -> [ebp-14] (this result is not used in the lines shown)
00453E38 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00453E3B 8B83 04030000 mov eax,dword ptr ds:[ebx+304]
00453E41 E8 06ECFDFF call Crackme.00432A4C ; [ebp-20] = code text
00453E46 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; in: eax = code
00453E49 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; out: edx = result string
00453E4C E8 73FCFFFF call Crackme.00453AC4 ; first transform -> [ebp-1C] (the copy that is consumed below)
00453E51 |. 8B45 E4 mov eax,[local.7] ; [local.7] = [ebp-1C] = transformed code
00453E54 |. 50 push eax ; keep it across the get-text call
00453E55 |. 8D55 DC lea edx,[local.9]
00453E58 |. 8B83 00030000 mov eax,dword ptr ds:[ebx+300] ; control holding the user name
00453E5E |. E8 E9EBFDFF call Crackme.00432A4C ; [local.9] = name text
00453E63 |. 8B45 DC mov eax,[local.9] ; arg 1: eax = name
00453E66 |. 5A pop edx ; arg 2: edx = transformed code
00453E67 |. E8 ECFDFFFF call Crackme.00453C58 ; second transform(name, transformed code) -> al
00453E6C |. 3C 72 cmp al,72 ; deciding comparison: result must be 0x72 ('r'); author's note: the '-' check at 00453E15 is independent of this branch
00453E6E |. 75 27 jnz short Crackme.00453E97 ; mismatch -> failure path
━━━━━━━━━━━━━━━━━━━━━━━━━━
第一算法CALL内容
; First transform.  In: eax = entered code string, edx = out string (kept in esi).
; Builds two pieces: [ebp-C] = first 6 chars of the code, and [ebp-8] = 5 chars
; where char k = code[k+5] + code[k-1] - 0x5A for k = 1..5 (1-based indexes).
; The listing is cut at 00453C27, before the pieces are combined into the result.
00453AC4 55 push ebp
00453AC5 8BEC mov ebp,esp
00453AC7 B9 04000000 mov ecx,4 ; zero 8 dword slots for string locals
00453ACC 6A 00 /push 0
00453ACE 6A 00 |push 0
00453AD0 49 |dec ecx
00453AD1 ^ 75 F9 \jnz short Crackme.00453ACC
00453AD3 51 push ecx
00453AD4 53 push ebx
00453AD5 56 push esi
00453AD6 8BF2 mov esi,edx ; esi = out-string parameter
00453AD8 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = entered code
00453ADB 8B45 FC mov eax,dword ptr ss:[ebp-4]
00453ADE E8 1908FBFF call Crackme.004042FC ; presumably a string add-ref on the code -- not verified in this listing
00453AE3 33C0 xor eax,eax ; eax = 0 for fs:[0] below (SEH frame setup); the code string in [ebp-4] is untouched
00453AE5 55 push ebp
00453AE6 68 4A3C4500 push Crackme.00453C4A ; handler / cleanup address for this frame
00453AEB 64:FF30 push dword ptr fs:[eax] ; save previous SEH record
00453AEE 64:8920 mov dword ptr fs:[eax],esp ; install this frame's SEH record
00453AF1 BB 01000000 mov ebx,1 ; ebx = 1-based character index
00453AF6 8D45 F0 /lea eax,dword ptr ss:[ebp-10] ; temp one-char string
00453AF9 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00453AFC 8A541A FF |mov dl,byte ptr ds:[edx+ebx-1] ; dl = code[ebx-1]
00453B00 E8 2F05FBFF |call Crackme.00404034 ; [ebp-10] = string(dl) -- presumably char-to-string
00453B05 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
00453B08 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00453B0B E8 0406FBFF |call Crackme.00404114 ; [ebp-C] += [ebp-10] -- presumably string concat
00453B10 43 |inc ebx
00453B11 83FB 07 |cmp ebx,7
00453B14 ^ 75 E0 \jnz short Crackme.00453AF6 ; loop ebx = 1..6: [ebp-C] = first 6 chars of the code
00453B16 BB 01000000 mov ebx,1 ; second pass, ebx = 1..5
00453B1B 8BC3 /mov eax,ebx ; switch index = ebx
00453B1D 83F8 05 |cmp eax,5 ; Switch (cases 1..5)
00453B20 0F87 F2000000 |ja Crackme.00453C18 ; index > 5 (unsigned) -> default; never taken while ebx stays in 1..5
00453B26 FF2485 2D3B4500 |jmp dword ptr ds:[eax*4+453B2D] ; indirect jump through the 6-entry table that follows
00453B2D 183C45 00453B45 |sbb byte ptr ds:[eax*2+453B4500],bh ; Switch table used at 00453B26 -- data, not code: entries 00453C18, 00453B45, 00453B72, 00453B9C, 00453BC6, 00453BF0
00453B34 0072 3B add byte ptr ds:[edx+3B],dh ; table data (mis-disassembled)
00453B37 45 inc ebp ; table data
00453B38 009C3B 4500C63B add byte ptr ds:[ebx+edi+3BC60045],bl ; table data
00453B3F 45 inc ebp ; table data
00453B40 00F0 add al,dh ; table data
00453B42 3B45 00 cmp eax,dword ptr ss:[ebp] ; table data
00453B45 8D45 EC |lea eax,dword ptr ss:[ebp-14] ; Case 1 of switch 00453B1D (ebx = 1)
00453B48 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00453B4B 0FB6541A 05 |movzx edx,byte ptr ds:[edx+ebx+5] ; edx = code[ebx+5] = 7th char
00453B50 8B4D FC |mov ecx,dword ptr ss:[ebp-4]
00453B53 0FB64C19 FF |movzx ecx,byte ptr ds:[ecx+ebx-1] ; ecx = code[ebx-1] = 1st char
00453B58 03D1 |add edx,ecx ; edx = code[6] + code[0]
00453B5A 83EA 5A |sub edx,5A ; minus 0x5A ('Z'); same helper as at 00453B00, which was fed one byte in dl
00453B5D E8 D204FBFF |call Crackme.00404034 ; [ebp-14] = string(dl)
00453B62 8B55 EC |mov edx,dword ptr ss:[ebp-14]
00453B65 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00453B68 E8 A705FBFF |call Crackme.00404114 ; [ebp-8] += that char
00453B6D E9 A6000000 |jmp Crackme.00453C18
00453B72 8D45 E8 |lea eax,dword ptr ss:[ebp-18] ; Case 2 of switch 00453B1D (ebx = 2): same body as case 1, different temp slot
00453B75 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00453B78 0FB6541A 05 |movzx edx,byte ptr ds:[edx+ebx+5] ; edx = code[7] = 8th char
00453B7D 8B4D FC |mov ecx,dword ptr ss:[ebp-4]
00453B80 0FB64C19 FF |movzx ecx,byte ptr ds:[ecx+ebx-1] ; ecx = code[1] = 2nd char
00453B85 03D1 |add edx,ecx ; sum
00453B87 83EA 5A |sub edx,5A ; minus 0x5A
00453B8A E8 A504FBFF |call Crackme.00404034 ; [ebp-18] = string(dl)
00453B8F 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
00453B92 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00453B95 E8 7A05FBFF |call Crackme.00404114 ; [ebp-8] += that char
00453B9A EB 7C |jmp short Crackme.00453C18
00453B9C 8D45 E4 |lea eax,dword ptr ss:[ebp-1C] ; Case 3 of switch 00453B1D (ebx = 3)
00453B9F 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00453BA2 0FB6541A 05 |movzx edx,byte ptr ds:[edx+ebx+5] ; edx = code[8] = 9th char
00453BA7 8B4D FC |mov ecx,dword ptr ss:[ebp-4]
00453BAA 0FB64C19 FF |movzx ecx,byte ptr ds:[ecx+ebx-1] ; ecx = code[2] = 3rd char
00453BAF 03D1 |add edx,ecx ; sum
00453BB1 83EA 5A |sub edx,5A ; minus 0x5A
00453BB4 E8 7B04FBFF |call Crackme.00404034 ; [ebp-1C] = string(dl)
00453BB9 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
00453BBC 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00453BBF E8 5005FBFF |call Crackme.00404114 ; [ebp-8] += that char
00453BC4 EB 52 |jmp short Crackme.00453C18
00453BC6 8D45 E0 |lea eax,dword ptr ss:[ebp-20] ; Case 4 of switch 00453B1D (ebx = 4)
00453BC9 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00453BCC 0FB6541A 05 |movzx edx,byte ptr ds:[edx+ebx+5] ; edx = code[9] = 10th char
00453BD1 8B4D FC |mov ecx,dword ptr ss:[ebp-4]
00453BD4 0FB64C19 FF |movzx ecx,byte ptr ds:[ecx+ebx-1] ; ecx = code[3] = 4th char
00453BD9 03D1 |add edx,ecx ; sum
00453BDB 83EA 5A |sub edx,5A ; minus 0x5A
00453BDE E8 5104FBFF |call Crackme.00404034 ; [ebp-20] = string(dl)
00453BE3 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
00453BE6 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00453BE9 E8 2605FBFF |call Crackme.00404114 ; [ebp-8] += that char
00453BEE EB 28 |jmp short Crackme.00453C18
00453BF0 8D45 DC |lea eax,dword ptr ss:[ebp-24] ; Case 5 of switch 00453B1D (ebx = 5)
00453BF3 8B55 FC |mov edx,dword ptr ss:[ebp-4]
00453BF6 0FB6541A 05 |movzx edx,byte ptr ds:[edx+ebx+5] ; edx = code[10] = 11th char
00453BFB 8B4D FC |mov ecx,dword ptr ss:[ebp-4]
00453BFE 0FB64C19 FF |movzx ecx,byte ptr ds:[ecx+ebx-1] ; ecx = code[4] = 5th char
00453C03 03D1 |add edx,ecx ; sum
00453C05 83EA 5A |sub edx,5A ; minus 0x5A
00453C08 E8 2704FBFF |call Crackme.00404034 ; [ebp-24] = string(dl)
00453C0D 8B55 DC |mov edx,dword ptr ss:[ebp-24]
00453C10 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
00453C13 E8 FC04FBFF |call Crackme.00404114 ; [ebp-8] += that char
00453C18 43 |inc ebx ; Default case of switch 00453B1D; advance to the next index
00453C19 83FB 06 |cmp ebx,6
00453C1C ^ 0F85 F9FEFFFF \jnz Crackme.00453B1B ; loop back until ebx == 6 (five iterations in total)
00453C22 8BC6 mov eax,esi ; eax = out string
00453C24 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; ecx = the 5 derived chars (this routine never receives the user name; both callers pass the code)
00453C27 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; edx = first 6 chars of the code; listing ends before the combining call
━━━━━━━━━━━━━━━━━━━━━━━━━━
; Second transform.  In: eax = user name, edx = output of the first transform (see the
; caller at 00453E67).  Builds [ebp-C] = first 5 chars of the name and [ebp-10] = last
; 5 chars of the transformed code in reverse order; the listing is cut at the call that
; combines them (the caller tests the returned al against 0x72).
00453C58 55 push ebp
00453C59 8BEC mov ebp,esp
00453C5B 33C9 xor ecx,ecx ; ecx = 0 for the pushes below
00453C5D 51 push ecx ; zero 6 dword slots for string locals
00453C5E 51 push ecx
00453C5F 51 push ecx
00453C60 51 push ecx
00453C61 51 push ecx
00453C62 51 push ecx
00453C63 53 push ebx
00453C64 56 push esi
00453C65 8955 F8 mov dword ptr ss:[ebp-8],edx ; [ebp-8] = transformed code (2nd argument)
00453C68 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = user name (1st argument)
00453C6B 8B45 FC mov eax,dword ptr ss:[ebp-4]
00453C6E E8 8906FBFF call Crackme.004042FC ; presumably a string add-ref on the name -- not verified here
00453C73 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00453C76 E8 8106FBFF call Crackme.004042FC ; same for the transformed code
00453C7B 33C0 xor eax,eax ; eax = 0 for fs:[0] below (SEH frame setup); the name string is untouched
00453C7D 55 push ebp
00453C7E 68 163D4500 push Crackme.00453D16 ; handler / cleanup address for this frame
00453C83 64:FF30 push dword ptr fs:[eax] ; save previous SEH record
00453C86 64:8920 mov dword ptr fs:[eax],esp ; install this frame's SEH record
00453C89 BB 01000000 mov ebx,1 ; ebx = 1-based character index
00453C8E 8D45 EC lea eax,dword ptr ss:[ebp-14] ; temp one-char string
00453C91 8B55 FC mov edx,dword ptr ss:[ebp-4]
00453C94 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] ; dl = name[ebx-1]
00453C98 E8 9703FBFF call Crackme.00404034 ; [ebp-14] = string(dl) -- presumably char-to-string
00453C9D 8B55 EC mov edx,dword ptr ss:[ebp-14]
00453CA0 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00453CA3 E8 6C04FBFF call Crackme.00404114 ; [ebp-C] += that char -- presumably concat
00453CA8 43 inc ebx
00453CA9 83FB 06 cmp ebx,6
00453CAC ^ 75 E0 jnz short Crackme.00453C8E ; loop ebx = 1..5: [ebp-C] = first 5 chars of the name (nothing here checks the name has 5 chars; the caller only checked it is non-empty)
00453CAE 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00453CB1 E8 5604FBFF call Crackme.0040410C ; eax = length of the transformed code (presumably string length)
00453CB6 8BD8 mov ebx,eax ; ebx = len (used as the index of the last char)
00453CB8 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00453CBB E8 4C04FBFF call Crackme.0040410C ; the same length again
00453CC0 8BF0 mov esi,eax ; esi = len
00453CC2 83EE 04 sub esi,4 ; esi = len - 4
00453CC5 2BF3 sub esi,ebx ; esi = (len - 4) - len = -4, since both lengths are of the same string
00453CC7 7F 1F jg short Crackme.00453CE8 ; skip the loop only if esi > 0 -- never, as esi is -4 here
00453CC9 4E dec esi ; esi = -5; it is incremented to 0 below, giving 5 iterations
00453CCA 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; temp one-char string
00453CCD 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00453CD0 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] ; dl = transformed[ebx-1], starting at the last char
00453CD4 E8 5B03FBFF call Crackme.00404034 ; [ebp-18] = string(dl)
00453CD9 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00453CDC 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00453CDF E8 3004FBFF call Crackme.00404114 ; [ebp-10] += that char
00453CE4 4B dec ebx ; step one char toward the start of the string
00453CE5 46 inc esi ; loop counter: -5 .. 0
00453CE6 ^ 75 E2 jnz short Crackme.00453CCA ; repeat until esi == 0: [ebp-10] = last 5 chars of the transformed code, reversed
00453CE8 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; eax = reversed tail
00453CEB 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; edx = first 5 chars of the name (not "2nd char and 3rd-from-last")
00453CEE E8 6505FBFF call Crackme.00404258 ; combines or compares the two strings; listing cut here, result later reaches al