【破文标题】小学应用题cm算法分析
【破文作者】missviola[LCG]
【破解 工具】PEID OD
【破解平台】Windows XP
【破解声明】只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------
【破解过程】PEID查壳显示为Microsoft Visual C++ 5.0 [Debug],无壳。OD载入,在401EC0处下断点。输入注册名pediy,注册码123456,F8分析如下:
00401EC0 /> \55 push ebp
00401EC1 |. 8BEC mov ebp, esp
00401EC3 |. 83EC 4C sub esp, 4C
00401EC6 |. 53 push ebx
00401EC7 |. 56 push esi
00401EC8 |. 57 push edi
00401EC9 |. 51 push ecx
00401ECA |. 8D7D B4 lea edi, dword ptr [ebp-4C]
00401ECD |. B9 13000000 mov ecx, 13
00401ED2 |. B8 CCCCCCCC mov eax, CCCCCCCC
00401ED7 |. F3:AB rep stos dword ptr es:[edi]
00401ED9 |. 59 pop ecx
00401EDA |. 894D FC mov dword ptr [ebp-4], ecx
00401EDD |. 8B45 FC mov eax, dword ptr [ebp-4]
00401EE0 |. 05 98000000 add eax, 98
00401EE5 |. 8945 F8 mov dword ptr [ebp-8], eax
00401EE8 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00401EEB |. 83C1 5C add ecx, 5C
00401EEE |. 894D F4 mov dword ptr [ebp-C], ecx
00401EF1 |. 6A 00 push 0
00401EF3 |. 6A 00 push 0
00401EF5 |. 6A 00 push 0
00401EF7 |. 6A 00 push 0
00401EF9 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00401EFC |. 52 push edx
00401EFD |. 68 23104000 push 00401023
00401F02 |. E8 6E930700 call 0047B275
此cm开辟了7个线程来进行算法流程,401EFD处压入的401023指向了第一个线程的函数地址:401FD0。其他线程函数的找法也是一样的,大家可以依次类推。
;-----------------------------------------------------------------------
; Thread 1 routine (00401FD0) -- MSVC debug build (0xCC stack fill, _chkesp-style epilogue)
; In:    [ebp+8] = pointer to a pair of string objects: [p] = user name, [p+4] = registration code
; Out:   eax = 0; result flag stored to [5EB74C] (1 = pass, 0 = fail)
; Check: (len(name) + len(code)) % 12 == 0, and neither length is 0
; Helpers not shown: 0048684A (length, per the author's note); 004056CE is called with
;        ecx = 005EB7A0 after the flag is stored -- presumably a completion signal, confirm in the binary
; Preserves ebx/esi/edi; eax/ecx/edx are scratch
;-----------------------------------------------------------------------
00401FD0 /> \55 push ebp
00401FD1 |. 8BEC mov ebp, esp
00401FD3 |. 83EC 50 sub esp, 50 ; 0x50 bytes of locals
00401FD6 |. 53 push ebx
00401FD7 |. 56 push esi
00401FD8 |. 57 push edi
00401FD9 |. 8D7D B0 lea edi, dword ptr [ebp-50]
00401FDC |. B9 14000000 mov ecx, 14
00401FE1 |. B8 CCCCCCCC mov eax, CCCCCCCC
00401FE6 |. F3:AB rep stos dword ptr es:[edi] ; debug fill of the local area with 0xCC
00401FE8 |. 8B45 08 mov eax, dword ptr [ebp+8]
00401FEB |. 8945 F4 mov dword ptr [ebp-C], eax ; p = argument (pointer to the name/code pair)
00401FEE |. 8B4D F4 mov ecx, dword ptr [ebp-C]
00401FF1 |. 8B09 mov ecx, dword ptr [ecx] ; this = [p] = user name object
00401FF3 |. E8 52480800 call 0048684A ; length of the user name (author's reading of 0048684A)
00401FF8 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = len(name)
00401FFB |. 8B55 F4 mov edx, dword ptr [ebp-C]
00401FFE |. 8B4A 04 mov ecx, dword ptr [edx+4] ; this = [p+4] = registration code object
00402001 |. E8 44480800 call 0048684A ; length of the registration code
00402006 |. 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8] = len(code)
00402009 |. 8B45 FC mov eax, dword ptr [ebp-4]
0040200C |. 0345 F8 add eax, dword ptr [ebp-8] ; eax = len(name) + len(code)
0040200F |. 99 cdq ; sign-extend for the signed divide
00402010 |. B9 0C000000 mov ecx, 0C ; divisor 12
00402015 |. F7F9 idiv ecx
00402017 |. 85D2 test edx, edx ; remainder must be 0
00402019 |. 75 15 jnz short 00402030
0040201B |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; len(name) must be non-zero
0040201F |. 74 0F je short 00402030
00402021 |. 837D F8 00 cmp dword ptr [ebp-8], 0 ; len(code) must be non-zero
00402025 |. 74 09 je short 00402030
00402027 |. C745 F0 01000>mov dword ptr [ebp-10], 1 ; pass
0040202E |. EB 07 jmp short 00402037
00402030 |> C745 F0 00000>mov dword ptr [ebp-10], 0 ; fail
00402037 |> 8B55 F0 mov edx, dword ptr [ebp-10]
0040203A |. 8915 4CB75E00 mov dword ptr [5EB74C], edx ; publish the result flag
00402040 |. B9 A0B75E00 mov ecx, 005EB7A0
00402045 |. E8 84360000 call 004056CE ; notify object 005EB7A0 (helper not shown)
0040204A |. 33C0 xor eax, eax ; thread return value 0
0040204C |. 5F pop edi
0040204D |. 5E pop esi
0040204E |. 5B pop ebx
0040204F |. 83C4 50 add esp, 50
00402052 |. 3BEC cmp ebp, esp
00402054 |. E8 77D20100 call 0041F2D0 ; debug-build stack-pointer check (presumably _chkesp)
00402059 |. 8BE5 mov esp, ebp
0040205B |. 5D pop ebp
0040205C \. C3 retn
第一处线程的算法是(len(name)+len(code)) mod 12 == 0。我们接着看第二处:
;-----------------------------------------------------------------------
; Thread 2 routine (00402080) -- SEH frame installed at entry (fs:[0] swap) and unlinked before return
; In:    [ebp+8] = pointer to the string pair; only [p] (the user name) is read here
; Out:   eax = 0 on both paths; result flag stored to [5EB748] (1 = every char is a digit, 0 otherwise)
; Locals: [ebp-10] = string object copied from the name; [ebp-14] = loop index i;
;        [ebp-4] = EH state (0 while the string is live, -1 once it is destroyed);
;        [ebp-C] = previous fs:[0], restored on exit
; Helpers not shown (roles inferred from usage): 004D3597 ctor, 00481321 assign, 004D35F0 length,
;        004D37AB char-at(i), 0048745C dtor, 004056CE completion signal on object 005EB790
;-----------------------------------------------------------------------
00402080 /> \55 push ebp
00402081 |. 8BEC mov ebp, esp
00402083 |. 6A FF push -1
00402085 |. 68 997E5300 push 00537E99 ; SE handler installation (OllyDbg annotation)
0040208A |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00402090 |. 50 push eax ; save previous fs:[0] at [ebp-C]
00402091 |. 64:8925 00000>mov dword ptr fs:[0], esp ; link the new SEH record
00402098 |. 83EC 54 sub esp, 54
0040209B |. 53 push ebx
0040209C |. 56 push esi
0040209D |. 57 push edi
0040209E |. 8D7D A0 lea edi, dword ptr [ebp-60]
004020A1 |. B9 15000000 mov ecx, 15
004020A6 |. B8 CCCCCCCC mov eax, CCCCCCCC
004020AB |. F3:AB rep stos dword ptr es:[edi] ; debug fill of locals with 0xCC
004020AD |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004020B0 |. E8 E2140D00 call 004D3597 ; construct string [ebp-10]
004020B5 |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; EH state 0: string is live
004020BC |. C745 EC 00000>mov dword ptr [ebp-14], 0 ; i = 0
004020C3 |. 8B45 08 mov eax, dword ptr [ebp+8]
004020C6 |. 8945 E8 mov dword ptr [ebp-18], eax ; p = argument
004020C9 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004020CC |. 51 push ecx
004020CD |. 8B55 E8 mov edx, dword ptr [ebp-18]
004020D0 |. 8B0A mov ecx, dword ptr [edx] ; this = [p] = user name
004020D2 |. E8 4AF20700 call 00481321 ; [ebp-10] = copy of the user name
004020D7 |> 8D4D F0 /lea ecx, dword ptr [ebp-10] ; loop head
004020DA |. E8 11150D00 |call 004D35F0 ; eax = length([ebp-10])
004020DF |. 3945 EC |cmp dword ptr [ebp-14], eax
004020E2 |. 7D 58 |jge short 0040213C ; i >= length -> every char passed
004020E4 |. 8B45 EC |mov eax, dword ptr [ebp-14]
004020E7 |. 50 |push eax
004020E8 |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
004020EB |. E8 BB160D00 |call 004D37AB ; al = name[i]
004020F0 |. 0FBEC8 |movsx ecx, al ; sign-extended: bytes >= 0x80 become negative and fail the next test
004020F3 |. 83F9 30 |cmp ecx, 30 ; compare with '0'
004020F6 |. 7C 14 |jl short 0040210C ; c < '0' -> not a digit
004020F8 |. 8B55 EC |mov edx, dword ptr [ebp-14]
004020FB |. 52 |push edx
004020FC |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
004020FF |. E8 A7160D00 |call 004D37AB ; re-fetch name[i]
00402104 |. 0FBEC0 |movsx eax, al
00402107 |. 83F8 39 |cmp eax, 39 ; compare with '9'
0040210A |. 7E 25 |jle short 00402131 ; c <= '9' -> digit, advance
0040210C |> C705 48B75E00>|mov dword ptr [5EB748], 0 ; fail: flag = 0
00402116 |. C745 E4 00000>|mov dword ptr [ebp-1C], 0 ; return value 0
0040211D |. C745 FC FFFFF>|mov dword ptr [ebp-4], -1 ; EH state -1: string about to be destroyed
00402124 |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
00402127 |. E8 30530800 |call 0048745C ; destroy string
0040212C |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
0040212F |. EB 38 |jmp short 00402169
00402131 |> 8B4D EC |mov ecx, dword ptr [ebp-14]
00402134 |. 83C1 01 |add ecx, 1
00402137 |. 894D EC |mov dword ptr [ebp-14], ecx ; i++
0040213A |.^ EB 9B \jmp short 004020D7
0040213C |> C705 48B75E00>mov dword ptr [5EB748], 1 ; pass: flag = 1
00402146 |. B9 90B75E00 mov ecx, 005EB790
0040214B |. E8 7E350000 call 004056CE ; notify object 005EB790 (helper not shown)
00402150 |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; return value 0
00402157 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0040215E |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00402161 |. E8 F6520800 call 0048745C ; destroy string
00402166 |. 8B45 E0 mov eax, dword ptr [ebp-20]
00402169 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
0040216C |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH record
00402173 |. 5F pop edi
00402174 |. 5E pop esi
00402175 |. 5B pop ebx
00402176 |. 83C4 60 add esp, 60
00402179 |. 3BEC cmp ebp, esp
0040217B |. E8 50D10100 call 0041F2D0 ; debug-build stack-pointer check (presumably _chkesp)
00402180 |. 8BE5 mov esp, ebp
00402182 |. 5D pop ebp
00402183 \. C3 retn
第二处线程判断用户名各位是否为数字。第三处为:
;-----------------------------------------------------------------------
; Thread 3 routine (004021D0) -- same shape as thread 2 (00402080) but applied to the registration code
; In:    [ebp+8] = pointer to the string pair; only [p+4] (the registration code) is read here
; Out:   eax = 0 on both paths; result flag stored to [5EB744] (1 = every char is a digit, 0 otherwise)
; Locals: [ebp-10] = string object copied from the code; [ebp-14] = loop index i;
;        [ebp-4] = EH state; [ebp-C] = previous fs:[0]
; Helpers not shown (roles inferred from usage): 004D3597 ctor, 00481321 assign, 004D35F0 length,
;        004D37AB char-at(i), 0048745C dtor, 004056CE completion signal on object 005EB780
;-----------------------------------------------------------------------
004021D0 /> \55 push ebp
004021D1 |. 8BEC mov ebp, esp
004021D3 |. 6A FF push -1
004021D5 |. 68 B97E5300 push 00537EB9 ; SE handler installation (OllyDbg annotation)
004021DA |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004021E0 |. 50 push eax ; save previous fs:[0] at [ebp-C]
004021E1 |. 64:8925 00000>mov dword ptr fs:[0], esp ; link the new SEH record
004021E8 |. 83EC 54 sub esp, 54
004021EB |. 53 push ebx
004021EC |. 56 push esi
004021ED |. 57 push edi
004021EE |. 8D7D A0 lea edi, dword ptr [ebp-60]
004021F1 |. B9 15000000 mov ecx, 15
004021F6 |. B8 CCCCCCCC mov eax, CCCCCCCC
004021FB |. F3:AB rep stos dword ptr es:[edi] ; debug fill of locals with 0xCC
004021FD |. 8D4D F0 lea ecx, dword ptr [ebp-10]
00402200 |. E8 92130D00 call 004D3597 ; construct string [ebp-10]
00402205 |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; EH state 0: string is live
0040220C |. C745 EC 00000>mov dword ptr [ebp-14], 0 ; i = 0
00402213 |. 8B45 08 mov eax, dword ptr [ebp+8]
00402216 |. 8945 E8 mov dword ptr [ebp-18], eax ; p = argument
00402219 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0040221C |. 51 push ecx
0040221D |. 8B55 E8 mov edx, dword ptr [ebp-18]
00402220 |. 8B4A 04 mov ecx, dword ptr [edx+4] ; this = [p+4] = registration code
00402223 |. E8 F9F00700 call 00481321 ; [ebp-10] = copy of the registration code
00402228 |> 8D4D F0 /lea ecx, dword ptr [ebp-10] ; loop head
0040222B |. E8 C0130D00 |call 004D35F0 ; eax = length([ebp-10])
00402230 |. 3945 EC |cmp dword ptr [ebp-14], eax
00402233 |. 7D 58 |jge short 0040228D ; i >= length -> every char passed
00402235 |. 8B45 EC |mov eax, dword ptr [ebp-14]
00402238 |. 50 |push eax
00402239 |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
0040223C |. E8 6A150D00 |call 004D37AB ; al = code[i]
00402241 |. 0FBEC8 |movsx ecx, al ; sign-extended: bytes >= 0x80 become negative and fail the next test
00402244 |. 83F9 30 |cmp ecx, 30 ; compare with '0'
00402247 |. 7C 14 |jl short 0040225D ; c < '0' -> not a digit
00402249 |. 8B55 EC |mov edx, dword ptr [ebp-14]
0040224C |. 52 |push edx
0040224D |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
00402250 |. E8 56150D00 |call 004D37AB ; re-fetch code[i]
00402255 |. 0FBEC0 |movsx eax, al
00402258 |. 83F8 39 |cmp eax, 39 ; compare with '9'
0040225B |. 7E 25 |jle short 00402282 ; c <= '9' -> digit, advance
0040225D |> C705 44B75E00>|mov dword ptr [5EB744], 0 ; fail: flag = 0
00402267 |. C745 E4 00000>|mov dword ptr [ebp-1C], 0 ; return value 0
0040226E |. C745 FC FFFFF>|mov dword ptr [ebp-4], -1 ; EH state -1: string about to be destroyed
00402275 |. 8D4D F0 |lea ecx, dword ptr [ebp-10]
00402278 |. E8 DF510800 |call 0048745C ; destroy string
0040227D |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
00402280 |. EB 38 |jmp short 004022BA
00402282 |> 8B4D EC |mov ecx, dword ptr [ebp-14]
00402285 |. 83C1 01 |add ecx, 1
00402288 |. 894D EC |mov dword ptr [ebp-14], ecx ; i++
0040228B |.^ EB 9B \jmp short 00402228
0040228D |> C705 44B75E00>mov dword ptr [5EB744], 1 ; pass: flag = 1
00402297 |. B9 80B75E00 mov ecx, 005EB780
0040229C |. E8 2D340000 call 004056CE ; notify object 005EB780 (helper not shown)
004022A1 |. C745 E0 00000>mov dword ptr [ebp-20], 0 ; return value 0
004022A8 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004022AF |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004022B2 |. E8 A5510800 call 0048745C ; destroy string
004022B7 |. 8B45 E0 mov eax, dword ptr [ebp-20]
004022BA |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004022BD |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH record
004022C4 |. 5F pop edi
004022C5 |. 5E pop esi
004022C6 |. 5B pop ebx
004022C7 |. 83C4 60 add esp, 60
004022CA |. 3BEC cmp ebp, esp
004022CC |. E8 FFCF0100 call 0041F2D0 ; debug-build stack-pointer check (presumably _chkesp)
004022D1 |. 8BE5 mov esp, ebp
004022D3 |. 5D pop ebp
004022D4 \. C3 retn
第三处要求注册码各位也要为数字。第四处线程:
;-----------------------------------------------------------------------
; Thread 4 routine (00402320) -- SEH frame at entry; [ebp-4] is the EH state index (0..6, then -1)
;        tracking which of the four local string objects [ebp-14],[ebp-18],[ebp-1C],[ebp-20] are live
; In:    [ebp+8] = pointer to the string pair ([p] = user name, [p+4] = registration code)
; Out:   eax = 0; result flag stored to [5EB740] (1 = pass, 0 = fail)
; Check (per the author's reading of the substring helpers): A = int(name[:3]), B = int(code[-3:]);
;        B - A == 2, A % 3 == 0, B % 7 == 0
; Helpers not shown (roles inferred from usage): 004D3597 ctor, 00481321 assign, 004538FA / 0045383B
;        3-char substring (front / back per the author), 00487656 assign-from-temp, 00487C08 buffer
;        pointer, 0041FA10 string -> int, 0048745C dtor, 004056CE completion signal on 005EB770
; Note:  00402493..004024E0 is skipped by the jmp at 00402491; it clears the flag and returns the
;        continuation address 004024AA in eax -- presumably the catch/handler funclet of the SEH frame
;-----------------------------------------------------------------------
00402320 > \55 push ebp
00402321 . 8BEC mov ebp, esp
00402323 . 6A FF push -1
00402325 . 68 067F5300 push 00537F06 ; SE handler installation (OllyDbg annotation)
0040232A . 64:A1 0000000>mov eax, dword ptr fs:[0]
00402330 . 50 push eax ; save previous fs:[0] at [ebp-C]
00402331 . 64:8925 00000>mov dword ptr fs:[0], esp ; link the new SEH record
00402338 . 51 push ecx
00402339 . 81EC 88000000 sub esp, 88
0040233F . 53 push ebx
00402340 . 56 push esi
00402341 . 57 push edi
00402342 . 8965 F0 mov dword ptr [ebp-10], esp ; saved esp for the EH frame
00402345 . 8DBD 68FFFFFF lea edi, dword ptr [ebp-98]
0040234B . B9 22000000 mov ecx, 22
00402350 . B8 CCCCCCCC mov eax, CCCCCCCC
00402355 . F3:AB rep stos dword ptr es:[edi] ; debug fill of locals with 0xCC
00402357 . 8D4D EC lea ecx, dword ptr [ebp-14]
0040235A . E8 38120D00 call 004D3597 ; construct str14 (will hold the user name)
0040235F . C745 FC 00000>mov dword ptr [ebp-4], 0 ; EH state 0
00402366 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402369 . E8 29120D00 call 004D3597 ; construct str18 (will hold the registration code)
0040236E . C645 FC 01 mov byte ptr [ebp-4], 1
00402372 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402375 . E8 1D120D00 call 004D3597 ; construct str1C
0040237A . C645 FC 02 mov byte ptr [ebp-4], 2
0040237E . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402381 . E8 11120D00 call 004D3597 ; construct str20
00402386 . C645 FC 03 mov byte ptr [ebp-4], 3
0040238A . 8B45 08 mov eax, dword ptr [ebp+8]
0040238D . 8945 D4 mov dword ptr [ebp-2C], eax ; p = argument
00402390 . C645 FC 04 mov byte ptr [ebp-4], 4
00402394 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402397 . 51 push ecx
00402398 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0040239B . 8B0A mov ecx, dword ptr [edx] ; this = [p] = user name
0040239D . E8 7FEF0700 call 00481321 ; str14 = user name
004023A2 . 8D45 E8 lea eax, dword ptr [ebp-18]
004023A5 . 50 push eax
004023A6 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
004023A9 . 8B49 04 mov ecx, dword ptr [ecx+4] ; this = [p+4] = registration code
004023AC . E8 70EF0700 call 00481321 ; str18 = registration code
004023B1 . 6A 03 push 3
004023B3 . 8D55 D0 lea edx, dword ptr [ebp-30]
004023B6 . 52 push edx
004023B7 . 8D4D EC lea ecx, dword ptr [ebp-14]
004023BA . E8 3B150500 call 004538FA ; tmp30 = 3-char substring of str14 (first 3 per author)
004023BF . 8945 C0 mov dword ptr [ebp-40], eax
004023C2 . 8B45 C0 mov eax, dword ptr [ebp-40]
004023C5 . 8945 BC mov dword ptr [ebp-44], eax
004023C8 . C645 FC 05 mov byte ptr [ebp-4], 5 ; tmp30 is live
004023CC . 8B4D BC mov ecx, dword ptr [ebp-44]
004023CF . 51 push ecx
004023D0 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004023D3 . E8 7E520800 call 00487656 ; str1C = tmp30
004023D8 . C645 FC 04 mov byte ptr [ebp-4], 4
004023DC . 8D4D D0 lea ecx, dword ptr [ebp-30]
004023DF . E8 78500800 call 0048745C ; destroy tmp30
004023E4 . 6A 03 push 3
004023E6 . 8D55 CC lea edx, dword ptr [ebp-34]
004023E9 . 52 push edx
004023EA . 8D4D E8 lea ecx, dword ptr [ebp-18]
004023ED . E8 49140500 call 0045383B ; tmp34 = 3-char substring of str18 (last 3 per author)
004023F2 . 8945 B8 mov dword ptr [ebp-48], eax
004023F5 . 8B45 B8 mov eax, dword ptr [ebp-48]
004023F8 . 8945 B4 mov dword ptr [ebp-4C], eax
004023FB . C645 FC 06 mov byte ptr [ebp-4], 6 ; tmp34 is live
004023FF . 8B4D B4 mov ecx, dword ptr [ebp-4C]
00402402 . 51 push ecx
00402403 . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402406 . E8 4B520800 call 00487656 ; str20 = tmp34
0040240B . C645 FC 04 mov byte ptr [ebp-4], 4
0040240F . 8D4D CC lea ecx, dword ptr [ebp-34]
00402412 . E8 45500800 call 0048745C ; destroy tmp34
00402417 . 6A 00 push 0
00402419 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0040241C . E8 E7570800 call 00487C08 ; eax = buffer of str1C
00402421 . 8945 B0 mov dword ptr [ebp-50], eax
00402424 . 8B55 B0 mov edx, dword ptr [ebp-50]
00402427 . 52 push edx
00402428 . E8 E3D50100 call 0041FA10 ; string -> int (author's reading)
0040242D . 83C4 04 add esp, 4
00402430 . 8945 DC mov dword ptr [ebp-24], eax ; A = int(name[:3])
00402433 . 6A 00 push 0
00402435 . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402438 . E8 CB570800 call 00487C08 ; eax = buffer of str20
0040243D . 8945 AC mov dword ptr [ebp-54], eax
00402440 . 8B45 AC mov eax, dword ptr [ebp-54]
00402443 . 50 push eax
00402444 . E8 C7D50100 call 0041FA10
00402449 . 83C4 04 add esp, 4
0040244C . 8945 D8 mov dword ptr [ebp-28], eax ; B = int(code[-3:])
0040244F . 8B4D D8 mov ecx, dword ptr [ebp-28]
00402452 . 2B4D DC sub ecx, dword ptr [ebp-24] ; B - A: code[-3:] minus name[:3]
00402455 . 83F9 02 cmp ecx, 2 ; must equal 2
00402458 75 27 jnz short 00402481
0040245A . 8B45 DC mov eax, dword ptr [ebp-24] ; A % 3 == 0 (signed divide)
0040245D . 99 cdq
0040245E . B9 03000000 mov ecx, 3
00402463 . F7F9 idiv ecx
00402465 . 85D2 test edx, edx
00402467 . 75 18 jnz short 00402481
00402469 . 8B45 D8 mov eax, dword ptr [ebp-28] ; B % 7 == 0 (signed divide)
0040246C . 99 cdq
0040246D . B9 07000000 mov ecx, 7
00402472 . F7F9 idiv ecx
00402474 . 85D2 test edx, edx
00402476 75 09 jnz short 00402481
00402478 . C745 A8 01000>mov dword ptr [ebp-58], 1 ; pass
0040247F . EB 07 jmp short 00402488
00402481 > C745 A8 00000>mov dword ptr [ebp-58], 0 ; fail
00402488 > 8B55 A8 mov edx, dword ptr [ebp-58]
0040248B . 8915 40B75E00 mov dword ptr [5EB740], edx ; publish the result flag
00402491 . EB 4F jmp short 004024E2 ; normal path; the block below is not reached by fall-through
00402493 . C705 40B75E00>mov dword ptr [5EB740], 0 ; handler path: flag = 0
0040249D . C745 C8 00000>mov dword ptr [ebp-38], 0 ; return value 0
004024A4 . B8 AA244000 mov eax, 004024AA ; continuation address handed back to the EH runtime
004024A9 . C3 retn
004024AA . C645 FC 02 mov byte ptr [ebp-4], 2 ; continuation: unwind str20, str1C, str18, str14
004024AE . 8D4D E0 lea ecx, dword ptr [ebp-20]
004024B1 . E8 A64F0800 call 0048745C
004024B6 . C645 FC 01 mov byte ptr [ebp-4], 1
004024BA . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004024BD . E8 9A4F0800 call 0048745C
004024C2 . C645 FC 00 mov byte ptr [ebp-4], 0
004024C6 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004024C9 . E8 8E4F0800 call 0048745C
004024CE . C745 FC FFFFF>mov dword ptr [ebp-4], -1
004024D5 . 8D4D EC lea ecx, dword ptr [ebp-14]
004024D8 . E8 7F4F0800 call 0048745C
004024DD . 8B45 C8 mov eax, dword ptr [ebp-38]
004024E0 . EB 4E jmp short 00402530
004024E2 > C745 FC 03000>mov dword ptr [ebp-4], 3
004024E9 . B9 70B75E00 mov ecx, 005EB770
004024EE . E8 DB310000 call 004056CE ; notify object 005EB770 (helper not shown)
004024F3 . C745 C4 00000>mov dword ptr [ebp-3C], 0 ; return value 0
004024FA . C645 FC 02 mov byte ptr [ebp-4], 2 ; destroy str20, str1C, str18, str14 in reverse order
004024FE . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402501 . E8 564F0800 call 0048745C
00402506 . C645 FC 01 mov byte ptr [ebp-4], 1
0040250A . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0040250D . E8 4A4F0800 call 0048745C
00402512 . C645 FC 00 mov byte ptr [ebp-4], 0
00402516 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402519 . E8 3E4F0800 call 0048745C
0040251E . C745 FC FFFFF>mov dword ptr [ebp-4], -1
00402525 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402528 . E8 2F4F0800 call 0048745C
0040252D . 8B45 C4 mov eax, dword ptr [ebp-3C]
00402530 > 8B4D F4 mov ecx, dword ptr [ebp-C]
00402533 . 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH record
0040253A . 5F pop edi
0040253B . 5E pop esi
0040253C . 5B pop ebx
0040253D . 81C4 98000000 add esp, 98
00402543 . 3BEC cmp ebp, esp
00402545 . E8 86CD0100 call 0041F2D0 ; debug-build stack-pointer check (presumably _chkesp)
0040254A . 8BE5 mov esp, ebp
0040254C . 5D pop ebp
0040254D . C3 retn
第五个线程:
;-----------------------------------------------------------------------
; Thread 5 routine (004025E0) -- same frame layout as thread 4 (00402320)
; In:    [ebp+8] = pointer to the string pair ([p] = user name, [p+4] = registration code)
; Out:   eax = 0; result flag stored to [5EB73C] (1 = pass, 0 = fail)
; Check (per the author's reading of the substring helpers): A = int(name[-3:]), B = int(code[:3]);
;        A - B == -2, A % 5 == 0, B % 9 == 0
;        Note the helper roles are swapped relative to thread 4: 0045383B on the name, 004538FA on the code
; Helpers not shown: see thread 4; completion signal on object 005EB760
; Note:  00402753..004027A0 is skipped by the jmp at 00402751; it is the handler path that clears the
;        flag and returns the continuation address 0040276A in eax
;-----------------------------------------------------------------------
004025E0 > \55 push ebp
004025E1 . 8BEC mov ebp, esp
004025E3 . 6A FF push -1
004025E5 . 68 567F5300 push 00537F56 ; SE handler installation (OllyDbg annotation)
004025EA . 64:A1 0000000>mov eax, dword ptr fs:[0]
004025F0 . 50 push eax ; save previous fs:[0] at [ebp-C]
004025F1 . 64:8925 00000>mov dword ptr fs:[0], esp ; link the new SEH record
004025F8 . 51 push ecx
004025F9 . 81EC 88000000 sub esp, 88
004025FF . 53 push ebx
00402600 . 56 push esi
00402601 . 57 push edi
00402602 . 8965 F0 mov dword ptr [ebp-10], esp ; saved esp for the EH frame
00402605 . 8DBD 68FFFFFF lea edi, dword ptr [ebp-98]
0040260B . B9 22000000 mov ecx, 22
00402610 . B8 CCCCCCCC mov eax, CCCCCCCC
00402615 . F3:AB rep stos dword ptr es:[edi] ; debug fill of locals with 0xCC
00402617 . 8D4D EC lea ecx, dword ptr [ebp-14]
0040261A . E8 780F0D00 call 004D3597 ; construct str14 (user name)
0040261F . C745 FC 00000>mov dword ptr [ebp-4], 0 ; EH state 0
00402626 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402629 . E8 690F0D00 call 004D3597 ; construct str18 (registration code)
0040262E . C645 FC 01 mov byte ptr [ebp-4], 1
00402632 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402635 . E8 5D0F0D00 call 004D3597 ; construct str1C
0040263A . C645 FC 02 mov byte ptr [ebp-4], 2
0040263E . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402641 . E8 510F0D00 call 004D3597 ; construct str20
00402646 . C645 FC 03 mov byte ptr [ebp-4], 3
0040264A . 8B45 08 mov eax, dword ptr [ebp+8]
0040264D . 8945 D4 mov dword ptr [ebp-2C], eax ; p = argument
00402650 . C645 FC 04 mov byte ptr [ebp-4], 4
00402654 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402657 . 51 push ecx
00402658 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0040265B . 8B0A mov ecx, dword ptr [edx]
0040265D . E8 BFEC0700 call 00481321 ; str14 = user name
00402662 . 8D45 E8 lea eax, dword ptr [ebp-18]
00402665 . 50 push eax
00402666 . 8B4D D4 mov ecx, dword ptr [ebp-2C]
00402669 . 8B49 04 mov ecx, dword ptr [ecx+4]
0040266C . E8 B0EC0700 call 00481321 ; str18 = registration code
00402671 . 6A 03 push 3
00402673 . 8D55 D0 lea edx, dword ptr [ebp-30]
00402676 . 52 push edx
00402677 . 8D4D EC lea ecx, dword ptr [ebp-14]
0040267A . E8 BC110500 call 0045383B ; tmp30 = 3-char substring of str14 (last 3 per author)
0040267F . 8945 C0 mov dword ptr [ebp-40], eax
00402682 . 8B45 C0 mov eax, dword ptr [ebp-40]
00402685 . 8945 BC mov dword ptr [ebp-44], eax
00402688 . C645 FC 05 mov byte ptr [ebp-4], 5 ; tmp30 is live
0040268C . 8B4D BC mov ecx, dword ptr [ebp-44]
0040268F . 51 push ecx
00402690 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402693 . E8 BE4F0800 call 00487656 ; str1C = tmp30
00402698 . C645 FC 04 mov byte ptr [ebp-4], 4
0040269C . 8D4D D0 lea ecx, dword ptr [ebp-30]
0040269F . E8 B84D0800 call 0048745C ; destroy tmp30
004026A4 . 6A 03 push 3
004026A6 . 8D55 CC lea edx, dword ptr [ebp-34]
004026A9 . 52 push edx
004026AA . 8D4D E8 lea ecx, dword ptr [ebp-18]
004026AD . E8 48120500 call 004538FA ; tmp34 = 3-char substring of str18 (first 3 per author)
004026B2 . 8945 B8 mov dword ptr [ebp-48], eax
004026B5 . 8B45 B8 mov eax, dword ptr [ebp-48]
004026B8 . 8945 B4 mov dword ptr [ebp-4C], eax
004026BB . C645 FC 06 mov byte ptr [ebp-4], 6 ; tmp34 is live
004026BF . 8B4D B4 mov ecx, dword ptr [ebp-4C]
004026C2 . 51 push ecx
004026C3 . 8D4D E0 lea ecx, dword ptr [ebp-20]
004026C6 . E8 8B4F0800 call 00487656 ; str20 = tmp34
004026CB . C645 FC 04 mov byte ptr [ebp-4], 4
004026CF . 8D4D CC lea ecx, dword ptr [ebp-34]
004026D2 . E8 854D0800 call 0048745C ; destroy tmp34
004026D7 . 6A 00 push 0
004026D9 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004026DC . E8 27550800 call 00487C08 ; eax = buffer of str1C
004026E1 . 8945 B0 mov dword ptr [ebp-50], eax
004026E4 . 8B55 B0 mov edx, dword ptr [ebp-50]
004026E7 . 52 push edx
004026E8 . E8 23D30100 call 0041FA10 ; string -> int (author's reading)
004026ED . 83C4 04 add esp, 4
004026F0 . 8945 D8 mov dword ptr [ebp-28], eax ; A = int(name[-3:])
004026F3 . 6A 00 push 0
004026F5 . 8D4D E0 lea ecx, dword ptr [ebp-20]
004026F8 . E8 0B550800 call 00487C08 ; eax = buffer of str20
004026FD . 8945 AC mov dword ptr [ebp-54], eax
00402700 . 8B45 AC mov eax, dword ptr [ebp-54]
00402703 . 50 push eax
00402704 . E8 07D30100 call 0041FA10
00402709 . 83C4 04 add esp, 4
0040270C . 8945 DC mov dword ptr [ebp-24], eax ; B = int(code[:3])
0040270F . 8B4D D8 mov ecx, dword ptr [ebp-28]
00402712 . 2B4D DC sub ecx, dword ptr [ebp-24] ; A - B: name[-3:] minus code[:3]
00402715 . 83F9 FE cmp ecx, -2 ; must equal -2
00402718 75 27 jnz short 00402741
0040271A . 8B45 D8 mov eax, dword ptr [ebp-28] ; A % 5 == 0 (signed divide)
0040271D . 99 cdq
0040271E . B9 05000000 mov ecx, 5
00402723 . F7F9 idiv ecx
00402725 . 85D2 test edx, edx
00402727 75 18 jnz short 00402741
00402729 . 8B45 DC mov eax, dword ptr [ebp-24] ; B % 9 == 0 (signed divide)
0040272C . 99 cdq
0040272D . B9 09000000 mov ecx, 9
00402732 . F7F9 idiv ecx
00402734 . 85D2 test edx, edx
00402736 75 09 jnz short 00402741
00402738 . C745 A8 01000>mov dword ptr [ebp-58], 1 ; pass
0040273F . EB 07 jmp short 00402748
00402741 > C745 A8 00000>mov dword ptr [ebp-58], 0 ; fail
00402748 > 8B55 A8 mov edx, dword ptr [ebp-58]
0040274B . 8915 3CB75E00 mov dword ptr [5EB73C], edx ; publish the result flag
00402751 . EB 4F jmp short 004027A2 ; normal path; the block below is not reached by fall-through
00402753 . C705 3CB75E00>mov dword ptr [5EB73C], 0 ; handler path: flag = 0
0040275D . C745 C8 00000>mov dword ptr [ebp-38], 0 ; return value 0
00402764 . B8 6A274000 mov eax, 0040276A ; continuation address handed back to the EH runtime
00402769 . C3 retn
0040276A . C645 FC 02 mov byte ptr [ebp-4], 2 ; continuation: unwind str20, str1C, str18, str14
0040276E . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402771 . E8 E64C0800 call 0048745C
00402776 . C645 FC 01 mov byte ptr [ebp-4], 1
0040277A . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0040277D . E8 DA4C0800 call 0048745C
00402782 . C645 FC 00 mov byte ptr [ebp-4], 0
00402786 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402789 . E8 CE4C0800 call 0048745C
0040278E . C745 FC FFFFF>mov dword ptr [ebp-4], -1
00402795 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402798 . E8 BF4C0800 call 0048745C
0040279D . 8B45 C8 mov eax, dword ptr [ebp-38]
004027A0 . EB 4E jmp short 004027F0
004027A2 > C745 FC 03000>mov dword ptr [ebp-4], 3
004027A9 . B9 60B75E00 mov ecx, 005EB760
004027AE . E8 1B2F0000 call 004056CE ; notify object 005EB760 (helper not shown)
004027B3 . C745 C4 00000>mov dword ptr [ebp-3C], 0 ; return value 0
004027BA . C645 FC 02 mov byte ptr [ebp-4], 2 ; destroy str20, str1C, str18, str14 in reverse order
004027BE . 8D4D E0 lea ecx, dword ptr [ebp-20]
004027C1 . E8 964C0800 call 0048745C
004027C6 . C645 FC 01 mov byte ptr [ebp-4], 1
004027CA . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004027CD . E8 8A4C0800 call 0048745C
004027D2 . C645 FC 00 mov byte ptr [ebp-4], 0
004027D6 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004027D9 . E8 7E4C0800 call 0048745C
004027DE . C745 FC FFFFF>mov dword ptr [ebp-4], -1
004027E5 . 8D4D EC lea ecx, dword ptr [ebp-14]
004027E8 . E8 6F4C0800 call 0048745C
004027ED . 8B45 C4 mov eax, dword ptr [ebp-3C]
004027F0 > 8B4D F4 mov ecx, dword ptr [ebp-C]
004027F3 . 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH record
004027FA . 5F pop edi
004027FB . 5E pop esi
004027FC . 5B pop ebx
004027FD . 81C4 98000000 add esp, 98
00402803 . 3BEC cmp ebp, esp
00402805 . E8 C6CA0100 call 0041F2D0 ; debug-build stack-pointer check (presumably _chkesp)
0040280A . 8BE5 mov esp, ebp
0040280C . 5D pop ebp
0040280D . C3 retn
第六个线程:
;-----------------------------------------------------------------------
; Thread 6 routine (004028A0) -- same frame layout as threads 4 and 5; only the user name is read
; In:    [ebp+8] = pointer to the string pair; only [p] (user name) is copied, [p+4] is never read
; Out:   eax = 0; result flag stored to [5EB738] (1 = pass, 0 = fail)
; Check (per the author's reading of the substring helpers): A = int(name[:3]), B = int(name[-3:]);
;        A - B == -1, A % 3 == 0, B % 5 == 0
; Helpers not shown: see thread 4; completion signal on object 005EB750
; Note:  the handler path at 00402A04 writes [5EB73C] (thread 5's flag) instead of this thread's
;        [5EB738] -- a copy/paste slip in the target, so an exception here would never clear this
;        thread's own result
;-----------------------------------------------------------------------
004028A0 > \55 push ebp
004028A1 . 8BEC mov ebp, esp
004028A3 . 6A FF push -1
004028A5 . 68 A67F5300 push 00537FA6 ; SE handler installation (OllyDbg annotation)
004028AA . 64:A1 0000000>mov eax, dword ptr fs:[0]
004028B0 . 50 push eax ; save previous fs:[0] at [ebp-C]
004028B1 . 64:8925 00000>mov dword ptr fs:[0], esp ; link the new SEH record
004028B8 . 51 push ecx
004028B9 . 81EC 88000000 sub esp, 88
004028BF . 53 push ebx
004028C0 . 56 push esi
004028C1 . 57 push edi
004028C2 . 8965 F0 mov dword ptr [ebp-10], esp ; saved esp for the EH frame
004028C5 . 8DBD 68FFFFFF lea edi, dword ptr [ebp-98]
004028CB . B9 22000000 mov ecx, 22
004028D0 . B8 CCCCCCCC mov eax, CCCCCCCC
004028D5 . F3:AB rep stos dword ptr es:[edi] ; debug fill of locals with 0xCC
004028D7 . 8D4D EC lea ecx, dword ptr [ebp-14]
004028DA . E8 B80C0D00 call 004D3597 ; construct str14 (user name)
004028DF . C745 FC 00000>mov dword ptr [ebp-4], 0 ; EH state 0
004028E6 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004028E9 . E8 A90C0D00 call 004D3597 ; construct str18 (never assigned in this routine)
004028EE . C645 FC 01 mov byte ptr [ebp-4], 1
004028F2 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004028F5 . E8 9D0C0D00 call 004D3597 ; construct str1C
004028FA . C645 FC 02 mov byte ptr [ebp-4], 2
004028FE . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402901 . E8 910C0D00 call 004D3597 ; construct str20
00402906 . C645 FC 03 mov byte ptr [ebp-4], 3
0040290A . 8B45 08 mov eax, dword ptr [ebp+8]
0040290D . 8945 D4 mov dword ptr [ebp-2C], eax ; p = argument
00402910 . C645 FC 04 mov byte ptr [ebp-4], 4
00402914 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402917 . 51 push ecx
00402918 . 8B55 D4 mov edx, dword ptr [ebp-2C]
0040291B . 8B0A mov ecx, dword ptr [edx] ; this = [p] = user name
0040291D . E8 FFE90700 call 00481321 ; str14 = user name
00402922 . 6A 03 push 3
00402924 . 8D45 D0 lea eax, dword ptr [ebp-30]
00402927 . 50 push eax
00402928 . 8D4D EC lea ecx, dword ptr [ebp-14]
0040292B . E8 CA0F0500 call 004538FA ; tmp30 = 3-char substring of str14 (first 3 per author)
00402930 . 8945 C0 mov dword ptr [ebp-40], eax
00402933 . 8B4D C0 mov ecx, dword ptr [ebp-40]
00402936 . 894D BC mov dword ptr [ebp-44], ecx
00402939 . C645 FC 05 mov byte ptr [ebp-4], 5 ; tmp30 is live
0040293D . 8B55 BC mov edx, dword ptr [ebp-44]
00402940 . 52 push edx
00402941 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402944 . E8 0D4D0800 call 00487656 ; str1C = tmp30
00402949 . C645 FC 04 mov byte ptr [ebp-4], 4
0040294D . 8D4D D0 lea ecx, dword ptr [ebp-30]
00402950 . E8 074B0800 call 0048745C ; destroy tmp30
00402955 . 6A 03 push 3
00402957 . 8D45 CC lea eax, dword ptr [ebp-34]
0040295A . 50 push eax
0040295B . 8D4D EC lea ecx, dword ptr [ebp-14]
0040295E . E8 D80E0500 call 0045383B ; tmp34 = 3-char substring of str14 (last 3 per author)
00402963 . 8945 B8 mov dword ptr [ebp-48], eax
00402966 . 8B4D B8 mov ecx, dword ptr [ebp-48]
00402969 . 894D B4 mov dword ptr [ebp-4C], ecx
0040296C . C645 FC 06 mov byte ptr [ebp-4], 6 ; tmp34 is live
00402970 . 8B55 B4 mov edx, dword ptr [ebp-4C]
00402973 . 52 push edx
00402974 . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402977 . E8 DA4C0800 call 00487656 ; str20 = tmp34
0040297C . C645 FC 04 mov byte ptr [ebp-4], 4
00402980 . 8D4D CC lea ecx, dword ptr [ebp-34]
00402983 . E8 D44A0800 call 0048745C ; destroy tmp34
00402988 . 6A 00 push 0
0040298A . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0040298D . E8 76520800 call 00487C08 ; eax = buffer of str1C
00402992 . 8945 B0 mov dword ptr [ebp-50], eax
00402995 . 8B45 B0 mov eax, dword ptr [ebp-50]
00402998 . 50 push eax
00402999 . E8 72D00100 call 0041FA10 ; string -> int (author's reading)
0040299E . 83C4 04 add esp, 4
004029A1 . 8945 DC mov dword ptr [ebp-24], eax ; A = int(name[:3])
004029A4 . 6A 00 push 0
004029A6 . 8D4D E0 lea ecx, dword ptr [ebp-20]
004029A9 . E8 5A520800 call 00487C08 ; eax = buffer of str20
004029AE . 8945 AC mov dword ptr [ebp-54], eax
004029B1 . 8B4D AC mov ecx, dword ptr [ebp-54]
004029B4 . 51 push ecx
004029B5 . E8 56D00100 call 0041FA10
004029BA . 83C4 04 add esp, 4
004029BD . 8945 D8 mov dword ptr [ebp-28], eax ; B = int(name[-3:])
004029C0 . 8B55 DC mov edx, dword ptr [ebp-24]
004029C3 . 2B55 D8 sub edx, dword ptr [ebp-28] ; A - B: name[:3] minus name[-3:]
004029C6 . 83FA FF cmp edx, -1 ; must equal -1
004029C9 75 27 jnz short 004029F2 ; not equal -> fail
004029CB . 8B45 DC mov eax, dword ptr [ebp-24] ; A % 3 == 0 (signed divide)
004029CE . 99 cdq
004029CF . B9 03000000 mov ecx, 3
004029D4 . F7F9 idiv ecx
004029D6 . 85D2 test edx, edx
004029D8 . 75 18 jnz short 004029F2
004029DA . 8B45 D8 mov eax, dword ptr [ebp-28] ; B % 5 == 0 (signed divide)
004029DD . 99 cdq
004029DE . B9 05000000 mov ecx, 5
004029E3 . F7F9 idiv ecx
004029E5 . 85D2 test edx, edx
004029E7 75 09 jnz short 004029F2
004029E9 . C745 A8 01000>mov dword ptr [ebp-58], 1 ; pass
004029F0 . EB 07 jmp short 004029F9
004029F2 > C745 A8 00000>mov dword ptr [ebp-58], 0 ; fail
004029F9 > 8B55 A8 mov edx, dword ptr [ebp-58]
004029FC . 8915 38B75E00 mov dword ptr [5EB738], edx ; publish the result flag
00402A02 . EB 4F jmp short 00402A53 ; normal path; the block below is not reached by fall-through
00402A04 . C705 3CB75E00>mov dword ptr [5EB73C], 0 ; handler path: clears 5EB73C, not this thread's 5EB738
00402A0E . C745 C8 00000>mov dword ptr [ebp-38], 0 ; return value 0
00402A15 . B8 1B2A4000 mov eax, 00402A1B ; continuation address handed back to the EH runtime
00402A1A . C3 retn
00402A1B . C645 FC 02 mov byte ptr [ebp-4], 2 ; continuation: unwind str20, str1C, str18, str14
00402A1F . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402A22 . E8 354A0800 call 0048745C
00402A27 . C645 FC 01 mov byte ptr [ebp-4], 1
00402A2B . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402A2E . E8 294A0800 call 0048745C
00402A33 . C645 FC 00 mov byte ptr [ebp-4], 0
00402A37 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402A3A . E8 1D4A0800 call 0048745C
00402A3F . C745 FC FFFFF>mov dword ptr [ebp-4], -1
00402A46 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402A49 . E8 0E4A0800 call 0048745C
00402A4E . 8B45 C8 mov eax, dword ptr [ebp-38]
00402A51 . EB 4E jmp short 00402AA1
00402A53 > C745 FC 03000>mov dword ptr [ebp-4], 3
00402A5A . B9 50B75E00 mov ecx, 005EB750
00402A5F . E8 6A2C0000 call 004056CE ; notify object 005EB750 (helper not shown)
00402A64 . C745 C4 00000>mov dword ptr [ebp-3C], 0 ; return value 0
00402A6B . C645 FC 02 mov byte ptr [ebp-4], 2 ; destroy str20, str1C, str18, str14 in reverse order
00402A6F . 8D4D E0 lea ecx, dword ptr [ebp-20]
00402A72 . E8 E5490800 call 0048745C
00402A77 . C645 FC 01 mov byte ptr [ebp-4], 1
00402A7B . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402A7E . E8 D9490800 call 0048745C
00402A83 . C645 FC 00 mov byte ptr [ebp-4], 0
00402A87 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00402A8A . E8 CD490800 call 0048745C
00402A8F . C745 FC FFFFF>mov dword ptr [ebp-4], -1
00402A96 . 8D4D EC lea ecx, dword ptr [ebp-14]
00402A99 . E8 BE490800 call 0048745C
00402A9E . 8B45 C4 mov eax, dword ptr [ebp-3C]
00402AA1 > 8B4D F4 mov ecx, dword ptr [ebp-C]
00402AA4 . 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH record
00402AAB . 5F pop edi
00402AAC . 5E pop esi
00402AAD . 5B pop ebx
00402AAE . 81C4 98000000 add esp, 98
00402AB4 . 3BEC cmp ebp, esp
00402AB6 . E8 15C80100 call 0041F2D0 ; debug-build stack-pointer check (presumably _chkesp)
00402ABB . 8BE5 mov esp, ebp
00402ABD . 5D pop ebp
00402ABE . C3 retn
到这里我们总结下算法吧:
1. 注册码、用户名的各位都必须是数字
2. 两者长度相加 mod 12 == 0
3. 注册码后3位减去用户名前3位要等于2,且用户名前3位 % 3 == 0,注册码后3位 % 7 == 0
4. 用户名后3位减去注册码前3位要等于-2,且用户名后3位 % 5 == 0,注册码前3位 % 9 == 0
5. 用户名前3位减去用户名后3位要等于-1,且用户名前3位 % 3 == 0,用户名后3位 % 5 == 0
最后给出一组解:
用户名 159160
注册码 162161
------------------------------------------------------------------------
【破解总结】这个cm算法不是很难,关键在于找到各个线程的位置,看出对应的算法。在算解的过程中,得到了zenix和网络断魂两位大侠的帮助,在此向他们表示感谢~~
------------------------------------------------------------------------
【版权声明】本文原创于52pojie技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
文中用的cm在附件中~~
math.rar