本帖最后由 就是随便看看 于 2021-8-25 19:36 编辑
#include<stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
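/*
 * Serial calculator for the "CrackeMe007" practice target whose check routine
 * is disassembled in the listings that follow on this page.
 *
 * Input 1: the all-letter text typed into the code box first. The target
 *          derives a seed from it; this program recomputes it as Temp.
 * Input 2: the user name.
 * Output : every value V in the searched range for which
 *          V / 0x59 + V % 0x50 + 1 equals the name-derived value.
 *
 * Returns 0 on success and 1 when either input cannot be read.
 *
 * Changes against the original listing:
 *  - the scanf_s results are checked, so a failed read no longer leaves the
 *    loops running over an empty buffer;
 *  - `strlen(szBuff) - 1` wrapped to SIZE_MAX for an empty string and walked
 *    off the end of szBuff; the bound is now written as `i + 1 < length`;
 *  - Sum * Sum * Temp overflowed a signed int (undefined behaviour); it is now
 *    computed with unsigned 32-bit wrap-around and reduced by magnitude, which
 *    is what the routine at 00442A26-00442A33 does (cdq / xor / sub, idiv);
 *  - name bytes are summed as unsigned, matching the movzx loads at 00442A06
 *    and 00442A0E;
 *  - the result is printed with %lu (it is an unsigned long, not an int), and
 *    values that are not greater than zero are skipped because the handler
 *    rejects them ("The Code Must be > 0").
 */
int main()
{
    char szBuff[30] = { 0 };   // all-letter text entered first
    char CoBuff[30] = { 0 };   // user name
    int a = 1;                 // running index of the printed results
    int Temp = 0x37B;          // seed accumulator, starts at the constant 0x37B
    int Sum = 0;               // byte sum of the user name, later the target value

    printf("CrackeMe007注册机使用说明:\n");
    printf("输入纯字母的注册码,关闭报错弹窗后填入计算出的正确注册码\n");
    printf("请输入不少于6位的全字母注册码:\n");
    if (scanf_s("%s", szBuff, static_cast<unsigned>(sizeof(szBuff))) != 1)
    {
        return 1;              // nothing usable was read
    }

    // Each adjacent pair of characters contributes (next % 0x11 + 1) * current.
    // Written as i + 1 < length so that a short string cannot underflow the bound.
    const size_t codeLen = strlen(szBuff);
    for (size_t i = 0; i + 1 < codeLen; i++)
    {
        Temp = Temp + (szBuff[i + 1] % 0x11 + 1) * szBuff[i];
    }
    Temp = Temp % 0x7148;

    printf("请输入CrackeMe007的用户名:不少于5位的纯数字\n");
    if (scanf_s("%s", CoBuff, static_cast<unsigned>(sizeof(CoBuff))) != 1)
    {
        return 1;
    }

    const size_t nameLen = strlen(CoBuff);
    for (size_t i = 0; i < nameLen; i++)
    {
        Sum = Sum + static_cast<unsigned char>(CoBuff[i]);
    }

    // The checked routine adds name[i] * name[j] * seed over all index pairs
    // with 32-bit wrap-around, which equals Sum * Sum * Temp modulo 2^32.
    // It then takes the absolute value before the signed division by 0xA2C2A.
    // NOTE: a wrapped value of exactly 0x80000000 is not reproduced here; the
    // routine's abs sequence leaves that value negative.
    const unsigned int wrapped = static_cast<unsigned int>(Sum)
                               * static_cast<unsigned int>(Sum)
                               * static_cast<unsigned int>(Temp);
    const unsigned int magnitude = (wrapped & 0x80000000u) ? (0u - wrapped) : wrapped;
    Sum = static_cast<int>(magnitude % 0xA2C2Au);

    // For each remainder i, pick the quotient Sum - i - 1 so that
    // quotient + i + 1 == Sum, then list the values in [quotient * 0x59,
    // quotient * 0x59 + 0x4F] whose remainder modulo 0x50 is i.
    for (int i = 0; i < 0x50; i++)
    {
        const long base = static_cast<long>(Sum) - i - 1;
        if (base < 0)
        {
            continue;          // would wrap when converted to unsigned
        }
        const unsigned long Regcode = static_cast<unsigned long>(base) * 0x59;
        for (int j = 0; j < 0x50; j++)
        {
            const unsigned long candidate = Regcode + j;
            if (candidate != 0 && candidate % 0x50 == static_cast<unsigned long>(i))
            {
                printf("用户名:%s对应的第%d个可用的注册码:%lu\n", CoBuff, a, candidate);
                a = a + 1;
            }
        }
    }

    system("pause");
    return 0;
}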
; Register-button click handler. It reads the code box ([ebx+0x2DC]) and converts the text to a number, then:
;  - conversion error ([local.1] != 0): shows the "valid Long Integer" message, runs the text through <关键> ("key"),
;    stores the result in the global dword_445830 and resets the code box to "0";
;  - value <= 0: shows "The Code Must be > 0" and clears dword_445830;
;  - otherwise: passes dword_445830 (eax), the numeric code (edx) and the user name (ecx) to <关键call> ("key call");
;    a non-zero AL changes the visibility of two controls. Both outcomes of the check clear dword_445830.
[Asm] 纯文本查看 复制代码 00442F28 >/. 55 push ebp ; _TPrincipale_RegisterzClick (handler name as labelled by the disassembler)
00442F29 |. 8BEC mov ebp,esp
00442F2B |. 83C4 F8 add esp,-0x8 ; room for two dword locals ([local.1], [local.2])
00442F2E |. 53 push ebx
00442F2F |. 56 push esi
00442F30 |. 33C9 xor ecx,ecx
00442F32 |. 894D F8 mov [local.2],ecx ; [local.2] = 0; it receives the control text below
00442F35 |. 8BD8 mov ebx,eax ; ebx = eax on entry; the [ebx+0x2xx] loads below read control references from it (presumably the form object - confirm)
00442F37 |. 33C0 xor eax,eax ; eax = 0, so fs:[eax] below is fs:[0]
00442F39 |. 55 push ebp
00442F3A |. 68 22304400 push <aLoNg3x_.loc_443022> ; handler address for the exception frame
00442F3F |. 64:FF30 push dword ptr fs:[eax] ; save the previous frame pointer
00442F42 |. 64:8920 mov dword ptr fs:[eax],esp ; install the new exception frame
00442F45 |. 8D55 F8 lea edx,[local.2]
00442F48 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC] ; eax = control at [ebx+0x2DC], the code box according to the next note. Author's note, which seems to describe the conversion call at 00442F59: it checks whether the first character of the entered text is a space, +, -, X, x, $ or similar, and finally leaves the numeric value in eax
00442F4E |. E8 ED02FEFF call <aLoNg3x_.TControl::GetText(void)> ; read the registration-code text into [local.2] (author's note: the length is left in EAX)
00442F53 |. 8B45 F8 mov eax,[local.2] ; eax = the text just read
00442F56 |. 8D55 FC lea edx,[local.1] ; second output of the conversion, tested at 00442F60
00442F59 |. E8 FAF9FBFF call <aLoNg3x_.进制转换> ; user label "base conversion"; author's note: the decimal text is converted to its numeric value (shown in hex by the debugger), returned in EAX
00442F5E |. 8BF0 mov esi,eax ; esi = converted numeric code
00442F60 |. 837D FC 00 cmp [local.1],0x0 ; first check (author's note: the value stored here tells whether the code was entered in a valid form)
00442F64 |. 74 37 je short <aLoNg3x_.loc_442F9D> ; taken when the text is well formed, falls through to the error path otherwise (author's note: leave as is)
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)
00442F6B |. E8 00F6FFFF call <aLoNg3x_.Dialogs::ShowMessage(Syst>
00442F70 |. 8D55 F8 lea edx,[local.2]
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call <aLoNg3x_.TControl::GetText(void)> ; read the code-box text again
00442F7E |. 8B45 F8 mov eax,[local.2] ; eax = the non-numeric text
00442F81 |. E8 06FBFFFF call <aLoNg3x_.关键> ; user label "key"; author's note: the key assignment. The routine body is not part of this listing
00442F86 |. A3 30584400 mov dword ptr ds:[<dword_445830>],eax ; dword_445830 = value returned by <关键> (author's note: eax -> ds:[0x445830]; go and find where this location is assigned)
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090 ; 0
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call <aLoNg3x_.Controls::TControl::SetTe> ; code box text := "0" (symbol name truncated by the disassembler)
00442F9B |. EB 6F jmp short <aLoNg3x_.loc_44300C> ; author's note: this path skips the code that hides the Register button
00442F9D >|> 85F6 test esi,esi ; loc_442F9D
00442F9F |. 7E 5A jle short <aLoNg3x_.loc_442FFB> ; second check: a value <= 0 goes to the "Must be > 0" message (author's note: must not be taken)
00442FA1 |. 8D55 F8 lea edx,[local.2]
00442FA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FAA |. E8 9102FEFF call <aLoNg3x_.TControl::GetText(void)> ; read the user name into [local.2] (author's note: the length is left in EAX)
00442FAF |. 8B4D F8 mov ecx,[local.2] ; ecx = user name (author's note: local variable 2 holds the user name)
00442FB2 |. 8BD6 mov edx,esi ; edx = numeric code (author's note: ESI holds the converted code)
00442FB4 |. A1 30584400 mov eax,dword ptr ds:[<dword_445830>] ; eax = value stored earlier by the conversion-error path
00442FB9 |. E8 EAF9FFFF call <aLoNg3x_.关键call> ; user label "key call": the check routine at 004429A8
00442FBE |. 84C0 test al,al
00442FC0 |. 74 30 je short <aLoNg3x_.loc_442FF2> ; third check: AL == 0 skips hiding the Register button and showing "Again" (author's note: must not be taken)
00442FC2 |. 33D2 xor edx,edx ; dl = 0
00442FC4 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442FCA |. E8 6101FEFF call <aLoNg3x_.TControl::SetVisible> ; hide the control at [ebx+0x2CC] (the Register button, per the author's notes)
00442FCF |. B2 01 mov dl,0x1 ; dl = 1 (author's note: key spot for the "Again" button)
00442FD1 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+0x2E8]
00442FD7 |. E8 5401FEFF call <aLoNg3x_.TControl::SetVisible> ; show the control at [ebx+0x2E8]
00442FDC |. 33D2 xor edx,edx ; edx = 0
00442FDE |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FE4 |. 8B08 mov ecx,dword ptr ds:[eax]
00442FE6 |. FF51 60 call dword ptr ds:[ecx+0x60] ; indirect call through offset 0x60 of the user-name control's first dword, with edx = 0 - NOTE(review): target not shown in this listing
00442FE9 |. 33C0 xor eax,eax ; eax = 0 (author's note: "cannot execute")
00442FEB |. A3 30584400 mov dword ptr ds:[<dword_445830>],eax ; dword_445830 = 0
00442FF0 |. EB 1A jmp short <aLoNg3x_.loc_44300C>
00442FF2 >|> 33C0 xor eax,eax ; loc_442FF2
00442FF4 |. A3 30584400 mov dword ptr ds:[<dword_445830>],eax ; check failed: dword_445830 = 0
00442FF9 |. EB 11 jmp short <aLoNg3x_.loc_44300C>
00442FFB >|> B8 9C304400 mov eax,aLoNg3x_.0044309C ; Please... The Code Must be > 0
00443000 |. E8 6BF5FFFF call <aLoNg3x_.Dialogs::ShowMessage(Syst>
00443005 |. 33C0 xor eax,eax ; eax = 0
00443007 |. A3 30584400 mov dword ptr ds:[<dword_445830>],eax ; dword_445830 = 0
0044300C >|> 33C0 xor eax,eax ; loc_44300C
0044300E |. 5A pop edx ; edx = frame pointer saved at 00442F3F
0044300F |. 59 pop ecx ; discard the handler address
00443010 |. 59 pop ecx ; discard the saved ebp
00443011 |. 64:8910 mov dword ptr fs:[eax],edx ; restore the previous exception frame
00443014 |. 68 29304400 push <aLoNg3x_.loc_443029> ; address the retn below continues at
00443019 >|> 8D45 F8 lea eax,[local.2] ; loc_443019
0044301C |. E8 9707FCFF call <aLoNg3x_.System::__linkproc__ LStr> ; string helper applied to [local.2] (symbol name truncated) - NOTE(review): presumably releases the temporary string; confirm
00443021 \. C3 retn ; continues at loc_443029, which is outside this listing
; Check routine <关键call> ("key call"). On entry, as loaded by the caller at 00442FAF-00442FB4:
; eax = value of dword_445830, edx = numeric code, ecx = user name.
; Names of length <= 4 are rejected. Otherwise ebx accumulates name[i] * name[j] * edi over every pair of
; positions with 32-bit wrap-around, the absolute value of that sum is reduced modulo 0xA2C2A, and the result
; is compared with (code / 0x59) + (code % 0x50) + 1. BL = 1 on a match, 0 otherwise.
; NOTE(review): the caller tests AL; the move from BL presumably happens at loc_442A81, outside this listing.
[Asm] 纯文本查看 复制代码 004429A8 >/$ 55 push ebp ; key call: computes and checks the registration code
004429A9 |. 8BEC mov ebp,esp ; author's note: `mov al,0x1`
004429AB |. 83C4 F4 add esp,-0xC ; room for three dword locals
004429AE |. 53 push ebx
004429AF |. 56 push esi
004429B0 |. 57 push edi
004429B1 |. 894D F8 mov [local.2],ecx ; [local.2] = user name
004429B4 |. 8955 FC mov [local.1],edx ; [local.1] = numeric code
004429B7 |. 8BF8 mov edi,eax ; edi = eax, which the caller loaded from ds:[0x445830] (author's note)
004429B9 |. 8B45 F8 mov eax,[local.2] ; eax = user name
004429BC |. E8 2712FCFF call <aLoNg3x_.System::__linkproc__ LStr> ; string helper on the name (symbol name truncated) - NOTE(review): presumably a reference-count increment; confirm
004429C1 |. 33C0 xor eax,eax ; eax = 0, so fs:[eax] below is fs:[0]
004429C3 |. 55 push ebp
004429C4 |. 68 7A2A4400 push <aLoNg3x_.loc_442A7A> ; handler address for the exception frame
004429C9 |. 64:FF30 push dword ptr fs:[eax] ; save the previous frame pointer
004429CC |. 64:8920 mov dword ptr fs:[eax],esp ; install the new exception frame
004429CF |. 8B45 F8 mov eax,[local.2] ; fetch the user name
004429D2 |. E8 5D10FCFF call <aLoNg3x_.__linkproc__ LStrLen> ; author's note: the name must not be shorter than 4 characters - the cmp/jle below actually rejects any length <= 4
004429D7 |. 83F8 04 cmp eax,0x4
004429DA |. 0F8E 82000000 jle <aLoNg3x_.loc_442A62> ; too short: result 0
004429E0 |. 33DB xor ebx,ebx ; ebx = 0, the accumulator
004429E2 |. 8B45 F8 mov eax,[local.2] ; fetch the user name
004429E5 |. E8 4A10FCFF call <aLoNg3x_.__linkproc__ LStrLen> ; name length, returned in eax
004429EA |. 85C0 test eax,eax
004429EC |. 7E 38 jle short <aLoNg3x_.loc_442A26> ; skip both loops when the length is <= 0
004429EE |. 8945 F4 mov [local.3],eax ; [local.3] = outer loop counter (name length)
004429F1 |. BE 01000000 mov esi,0x1 ; esi = 1, the starting index of the outer loop
004429F6 >|> 8B45 F8 /mov eax,[local.2] ; fetch the user name
004429F9 |. E8 3610FCFF |call <aLoNg3x_.__linkproc__ LStrLen> ; eax = name length, the inner loop's starting index
004429FE |. 83F8 01 |cmp eax,0x1
00442A01 |. 7C 1D |jl short <aLoNg3x_.loc_442A20>
00442A03 >|> 8B55 F8 |/mov edx,[local.2] ; loc_442A03
00442A06 |. 0FB65432 FF ||movzx edx,byte ptr ds:[edx+esi-0x1] ; edx = name byte at 1-based index esi, zero-extended (author's note: "first character")
00442A0B |. 8B4D F8 ||mov ecx,[local.2] ; ecx = user name
00442A0E |. 0FB64C01 FF ||movzx ecx,byte ptr ds:[ecx+eax-0x1] ; ecx = name byte at 1-based index eax, zero-extended (author's note: "last character")
00442A13 |. 0FAFD1 ||imul edx,ecx
00442A16 |. 0FAFD7 ||imul edx,edi ; multiply by edi (author's note: edi == 0 - presumably observed while dword_445830 was still 0; every term is then 0)
00442A19 |. 03DA ||add ebx,edx ; accumulate the term
00442A1B |. 48 ||dec eax ; inner index counts down from the length to 1
00442A1C |. 85C0 ||test eax,eax
00442A1E |.^ 75 E3 |\jnz short <aLoNg3x_.loc_442A03>
00442A20 >|> 46 |inc esi ; loc_442A20
00442A21 |. FF4D F4 |dec [local.3]
00442A24 |.^ 75 D0 \jnz short <aLoNg3x_.loc_4429F6>
00442A26 >|> 8BC3 mov eax,ebx ; loc_442A26
00442A28 |. 99 cdq ; edx = sign mask of eax
00442A29 |. 33C2 xor eax,edx ; with the sub below: eax = absolute value of the accumulated sum
00442A2B |. 2BC2 sub eax,edx
00442A2D |. B9 2A2C0A00 mov ecx,0xA2C2A
00442A32 |. 99 cdq
00442A33 |. F7F9 idiv ecx ; signed divide by 0xA2C2A (author's note: the code before this point seemed not to be used)
00442A35 |. 8BDA mov ebx,edx ; ebx = remainder (author's note: source 1 of ebx)
00442A37 |. 8B45 FC mov eax,[local.1] ; eax = numeric code
00442A3A |. B9 59000000 mov ecx,0x59
00442A3F |. 99 cdq ; author's sample: dividing by 0x59 gives quotient 0x2DF, remainder 0x11
00442A40 |. F7F9 idiv ecx
00442A42 |. 8BC8 mov ecx,eax ; ecx = code / 0x59
00442A44 |. 8B45 FC mov eax,[local.1]
00442A47 |. BE 50000000 mov esi,0x50 ; divisor 0x50 for the numeric code reloaded into eax
00442A4C |. 99 cdq ; author's sample: dividing by 0x50 gives quotient 0x331, remainder 0x48
00442A4D |. F7FE idiv esi
00442A4F |. 03CA add ecx,edx ; ecx += code % 0x50 (0x48 in the author's sample)
00442A51 |. 41 inc ecx
00442A52 |. 894D FC mov [local.1],ecx ; [local.1] = code / 0x59 + code % 0x50 + 1
00442A55 |. 3B5D FC cmp ebx,[local.1] ; compare the name-derived value with the code-derived value (author's note: trace where ebx comes from)
00442A58 |. 75 04 jnz short <aLoNg3x_.loc_442A5E>
00442A5A |. B3 01 mov bl,0x1 ; match: result 1
00442A5C |. EB 06 jmp short <aLoNg3x_.loc_442A64>
00442A5E >|> 33DB xor ebx,ebx ; loc_442A5E
00442A60 |. EB 02 jmp short <aLoNg3x_.loc_442A64>
00442A62 >|> 33DB xor ebx,ebx ; loc_442A62
00442A64 >|> 33C0 xor eax,eax ; loc_442A64
00442A66 |. 5A pop edx ; edx = frame pointer saved at 004429C9
00442A67 |. 59 pop ecx ; discard the handler address
00442A68 |. 59 pop ecx ; discard the saved ebp
00442A69 |. 64:8910 mov dword ptr fs:[eax],edx ; restore the previous exception frame
00442A6C |. 68 812A4400 push <aLoNg3x_.loc_442A81> ; address the retn below continues at
00442A71 >|> 8D45 F8 lea eax,[local.2] ; loc_442A71
00442A74 |. E8 3F0DFCFF call <aLoNg3x_.System::__linkproc__ LStr> ; string helper applied to [local.2] (symbol name truncated) - NOTE(review): presumably releases the name reference; confirm
00442A79 \. C3 retn ; continues at loc_442A81, which is outside this listing