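This post was last edited by HPKEr on 2010-2-9 17:53
1. PEiD reports: Borland Delphi v6.0 - v7.0
2. Load it in OD; being lazy this once, I break in using the universal breakpoint
Username: guapi
Registration code: 123456
Original screenshot of the algorithm analysis:
Username: guapi
Real registration code: 879321
After the real registration code is entered, the Register button is greyed out.
The registration information is stored in the registry
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Stephen
Note: a reply below said: "Nice, I hope to see a more detailed algorithm analysis from the OP~~". Because the UDD file from my earlier analysis had been deleted, I had to redo the analysis, which took me quite some time!
【Title】: A Simple Algorithm Analysis of a CrackMe
【Author】: HPKEr
【Software name】: CrackMe
【Software size】: 286.09KB
【Download】: http://xz.qupan.com/down/945520_5822946.html
【Written in】: Borland Delphi 6.0 - 7.0
【Tools used】: OD, PEiD 0.95
【Platform】: Windows XP SP3
【Author's statement】: Done purely out of interest, with no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
【Detailed walkthrough】
Load it in OD, press F9 to run, enter Name: guapi and Code: 123456; being lazy this once, I use the universal breakpoint, which breaks at 00439AA4.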
00439A90 |. 57 PUSH EDI ; |Message
00439A91 |. 8B86 80010000 MOV EAX,DWORD PTR DS:[ESI+180] ; |
00439A97 |. 50 PUSH EAX ; |hWnd
00439A98 |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174] ; |
00439A9E |. 50 PUSH EAX ; |PrevProc
00439A9F |. E8 B8CEFCFF CALL <JMP.&user32.CallWindowProcA> ; \CallWindowProcA
00439AA4 |. 8943 0C MOV DWORD PTR DS:[EBX+C],EAX ; the universal breakpoint breaks here, at 00439AA4
00439AA7 |> 8B03 MOV EAX,DWORD PTR DS:[EBX]
00439AA9 |. 83F8 0C CMP EAX,0C
00439AAC |. 75 1B JNZ SHORT CrackMe.00439AC9
00439AAE |. 8B53 08 MOV EDX,DWORD PTR DS:[EBX+8]
00439AB1 |. 52 PUSH EDX ; /Arg1
00439AB2 |. 8B4B 04 MOV ECX,DWORD PTR DS:[EBX+4] ; |
00439AB5 |. 8BD0 MOV EDX,EAX ; |
00439AB7 |. 8BC6 MOV EAX,ESI ; |
00439AB9 |. E8 56B7FFFF CALL CrackMe.00435214 ; \CrackMe.00435214
00439ABE |. EB 09 JMP SHORT CrackMe.00439AC9
00439AC0 |> 8BD3 MOV EDX,EBX
00439AC2 |. 8BC6 MOV EAX,ESI
00439AC4 |. E8 B3CFFFFF CALL CrackMe.00436A7C
00439AC9 |> 5D POP EBP
00439ACA |. 5F POP EDI
00439ACB |. 5E POP ESI
00439ACC |. 5B POP EBX
00439ACD \. C3 RETN
Step with F8 all the way to:
00480944 50 PUSH EAX
00480945 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00480948 A1 F43C4800 MOV EAX,DWORD PTR DS:[483CF4]
0048094D E8 224DFBFF CALL CrackMe.00435674 ; get the path where the registration info is stored
00480952 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; registration-info path into EAX
00480955 B9 0C000000 MOV ECX,0C
0048095A BA 02000000 MOV EDX,2
0048095F E8 243EF8FF CALL CrackMe.00404788 ; get the caption Make in H&&Y
00480964 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; caption Make in H&&Y into EDX
00480967 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0048096A 59 POP ECX
0048096B E8 043CF8FF CALL CrackMe.00404574
00480970 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
00480974 0F84 70010000 JE CrackMe.00480AEA ; empty username: jump to failure
0048097A 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
0048097E 0F84 66010000 JE CrackMe.00480AEA ; empty registration code: jump to failure
00480984 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00480987 E8 C0FAFFFF CALL CrackMe.0048044C ; read the computer name; step in with F7
0048098C 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0048098F E8 38FDFFFF CALL CrackMe.004806CC ; computer-name algorithm; step in with F7, result is D68C3
00480994 8BF0 MOV ESI,EAX ; computed result 000D68C3 into ESI
00480996 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; username guapi into EAX
00480999 E8 F6FBFFFF CALL CrackMe.00480594 ; username algorithm; step in with F7, result is 216
0048099E 03C6 ADD EAX,ESI ; username sum + value derived from the computer name = 000D6AD9
004809A0 8BF0 MOV ESI,EAX
004809A2 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004809A5 8BC6 MOV EAX,ESI
004809A7 E8 447BF8FF CALL CrackMe.004084F0 ; step in with F7; converts the result to decimal, 000D6AD9=879321
004809AC 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; EAX=879321
004809AF E8 E0FBFFFF CALL CrackMe.00480594 ; not stepping into this CALL, it is the same one used for the username; the hex character codes of 879321 add up to 13E
004809B4 8BF0 MOV ESI,EAX
004809B6 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; fake code 123456 into EAX
004809B9 E8 D6FBFFFF CALL CrackMe.00480594 ; not stepping into this CALL, it is the same one used for the username; the fake code gives 135
004809BE 3BF0 CMP ESI,EAX ; compare the results for the real code and the fake code
004809C0 0F85 04010000 JNZ CrackMe.00480ACA ; not equal: jump to failure; equal: registration succeeds
004809C6 6A 00 PUSH 0
004809C8 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
004809CB 8A15 F83C4800 MOV DL,BYTE PTR DS:[483CF8]
004809D1 8850 01 MOV BYTE PTR DS:[EAX+1],DL
004809D4 C600 01 MOV BYTE PTR DS:[EAX],1
004809D7 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004809DA 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004809DD E8 F623F8FF CALL CrackMe.00402DD8
004809E2 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004809E5 8A15 F93C4800 MOV DL,BYTE PTR DS:[483CF9]
004809EB 8850 01 MOV BYTE PTR DS:[EAX+1],DL
004809EE C600 01 MOV BYTE PTR DS:[EAX],1
004809F1 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004809F4 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004809F7 B1 02 MOV CL,2
004809F9 E8 AA23F8FF CALL CrackMe.00402DA8
004809FE 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00480A01 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00480A04 E8 CF23F8FF CALL CrackMe.00402DD8
00480A09 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00480987 |. E8 C0FAFFFF CALL CrackMe.0048044C
Step into CALL CrackMe.0048044C
0048044C /$ 53 PUSH EBX
0048044D |. 56 PUSH ESI
0048044E |. 51 PUSH ECX
0048044F |. 8BF0 MOV ESI,EAX
00480451 |. C605 003D4800>MOV BYTE PTR DS:[483D00],4E ; 4E is ASCII 'N'
00480458 |. C605 013D4800>MOV BYTE PTR DS:[483D01],6F ; 6F is ASCII 'o'
0048045F |. C605 023D4800>MOV BYTE PTR DS:[483D02],20 ; 20 is ASCII space
00480466 |. C605 033D4800>MOV BYTE PTR DS:[483D03],21 ; 21 is ASCII '!'
0048046D |. C70424 FF0000>MOV DWORD PTR SS:[ESP],0FF
00480474 |. 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00480477 |. E8 BC25F8FF CALL CrackMe.00402A38
0048047C |. 8BD8 MOV EBX,EAX
0048047E |. 54 PUSH ESP ; /pBufferSize
0048047F |. 53 PUSH EBX ; |Buffer
00480480 |. E8 9760F8FF CALL <JMP.&kernel32.GetComputerNameA> ; \read the computer name "WWW-D3261482DE4"
00480485 |. 8BC6 MOV EAX,ESI
00480487 |. 8BD3 MOV EDX,EBX ; WWW-D3261482DE4 into EDX
00480489 |. E8 D23FF8FF CALL CrackMe.00404460 ; get the length of the computer name
0048048E |. 8BC3 MOV EAX,EBX
00480490 |. E8 D325F8FF CALL CrackMe.00402A68
00480495 |. 5A POP EDX
00480496 |. 5E POP ESI
00480497 |. 5B POP EBX
00480498 \. C3 RETN
Step into CALL CrackMe.00404460
00404460 $ 31C9 XOR ECX,ECX ; ntdll.7C93003D
00404462 . 85D2 TEST EDX,EDX
00404464 . 74 21 JE SHORT CrackMe.00404487 ; jump to 00404487 if the computer name is empty
00404466 . 52 PUSH EDX
00404467 > 3A0A CMP CL,BYTE PTR DS:[EDX] ; compare the first character of the computer name (W) with 00
00404469 . 74 17 JE SHORT CrackMe.00404482 ; jump to 00404482 if it is null
0040446B . 3A4A 01 CMP CL,BYTE PTR DS:[EDX+1] ; compare the second character of the computer name (W) with 00
0040446E . 74 11 JE SHORT CrackMe.00404481 ; jump to 00404481 if it is null
00404470 . 3A4A 02 CMP CL,BYTE PTR DS:[EDX+2] ; compare the third character of the computer name (W) with 00
00404473 . 74 0B JE SHORT CrackMe.00404480 ; jump to 00404480 if it is null
00404475 . 3A4A 03 CMP CL,BYTE PTR DS:[EDX+3] ; compare the fourth character of the computer name ("-") with 00
00404478 . 74 05 JE SHORT CrackMe.0040447F ; jump to 0040447F if it is null
0040447A . 83C2 04 ADD EDX,4 ; EDX="D3261482DE4", EDX="1482DE4", EDX="DE4" over three passes of the loop
0040447D .^ EB E8 JMP SHORT CrackMe.00404467
0040447F > 42 INC EDX ; "DE4" is shorter than four characters, so the jump at 00404478 lands here
00404480 > 42 INC EDX ; EDX="E4"
00404481 > 42 INC EDX ; EDX=00
00404482 > 89D1 MOV ECX,EDX ; ECX=00FAE373
00404484 . 5A POP EDX ; computer name "WWW-D3261482DE4" popped off the stack
00404485 . 29D1 SUB ECX,EDX ; the computer-name length is 15 characters
00404487 >^ E9 CCFEFFFF JMP CrackMe.00404358
0040448C . C3 RETN
0040448D 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
00404490 $ 31C9 XOR ECX,ECX
00404492 . 85D2 TEST EDX,EDX
0048098F |. E8 38FDFFFF CALL CrackMe.004806CC
Step into CALL CrackMe.004806CC
004806CC 55 PUSH EBP
004806CD 8BEC MOV EBP,ESP
004806CF 33C9 XOR ECX,ECX
004806D1 51 PUSH ECX
004806D2 51 PUSH ECX
004806D3 51 PUSH ECX
004806D4 51 PUSH ECX
004806D5 53 PUSH EBX
004806D6 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004806D9 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004806DC E8 3740F8FF CALL CrackMe.00404718
004806E1 33C0 XOR EAX,EAX
004806E3 55 PUSH EBP
004806E4 68 58074800 PUSH CrackMe.00480758
004806E9 64:FF30 PUSH DWORD PTR FS:[EAX]
004806EC 64:8920 MOV DWORD PTR FS:[EAX],ESP
004806EF 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004806F2 E8 713BF8FF CALL CrackMe.00404268
004806F7 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004806FA 50 PUSH EAX
004806FB B9 03000000 MOV ECX,3 ; take three characters
00480700 BA 01000000 MOV EDX,1 ; counter EDX
00480705 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; computer name into EAX
00480708 E8 7B40F8FF CALL CrackMe.00404788 ; take the first three characters of the computer name, WWW
0048070D BB 01000000 MOV EBX,1
00480712 8D55 F0 /LEA EDX,DWORD PTR SS:[EBP-10] ; allocate space
00480715 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] ; computer name "WWW-D3261482DE4" into EAX
00480718 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; fetch the first character W, zero-extended into EAX
0048071D E8 CE7DF8FF |CALL CrackMe.004084F0 ; step in with F7; this is a calculation CALL
00480722 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10] ; string "87" into EDX
00480725 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
00480728 E8 033EF8FF |CALL CrackMe.00404530 ; fetch the second character W
0048072D 43 |INC EBX ; counter +1
0048072E 83FB 04 |CMP EBX,4
00480731 ^ 75 DF \JNZ SHORT CrackMe.00480712 ; continue looping while less than 4
00480733 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; string "878787" into EAX
00480736 E8 F17EF8FF CALL CrackMe.0040862C ; key CALL; step in with F7
0048073B 8BD8 MOV EBX,EAX
0048073D 33C0 XOR EAX,EAX
0048073F 5A POP EDX
00480740 59 POP ECX
00480741 59 POP ECX
00480742 64:8910 MOV DWORD PTR FS:[EAX],EDX
00480745 68 5F074800 PUSH CrackMe.0048075F
0048074A 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0048074D BA 04000000 MOV EDX,4
00480752 E8 353BF8FF CALL CrackMe.0040428C
00480757 C3 RETN
00480758 ^ E9 E734F8FF JMP CrackMe.00403C44
0048075D ^ EB EB JMP SHORT CrackMe.0048074A
0048075F 8BC3 MOV EAX,EBX
00480761 5B POP EBX
00480762 8BE5 MOV ESP,EBP
00480764 5D POP EBP
00480765 C3 RETN
0048071D |. E8 CE7DF8FF |CALL CrackMe.004084F0 ; step in with F7; this is a calculation CALL
Step into CALL CrackMe.004084F0 with F7
004084A4 /$ 08C9 OR CL,CL
004084A6 |. 75 17 JNZ SHORT CrackMe.004084BF
004084A8 |. 09C0 OR EAX,EAX
004084AA |. 79 0E JNS SHORT CrackMe.004084BA
004084AC |. F7D8 NEG EAX
004084AE |. E8 07000000 CALL CrackMe.004084BA
004084B3 |. B0 2D MOV AL,2D
004084B5 |. 41 INC ECX
004084B6 |. 4E DEC ESI
004084B7 |. 8806 MOV BYTE PTR DS:[ESI],AL
004084B9 |. C3 RETN
004084BA |$ B9 0A000000 MOV ECX,0A ; 0A into ECX
004084BF |> 52 PUSH EDX
004084C0 |. 56 PUSH ESI
004084C1 |> 31D2 /XOR EDX,EDX
004084C3 |. F7F1 |DIV ECX ; quotient 8 in EAX, remainder 7 in EDX
004084C5 |. 4E |DEC ESI ; ESI-1
004084C6 |. 80C2 30 |ADD DL,30 ; decimal digit 7 becomes hex 37 (ASCII '7')
004084C9 |. 80FA 3A |CMP DL,3A ; compare 37 with 3A
004084CC |. 72 03 |JB SHORT CrackMe.004084D1 ; if below, jump to 004084D1
004084CE |. 80C2 07 |ADD DL,7
004084D1 |> 8816 |MOV BYTE PTR DS:[ESI],DL
004084D3 |. 09C0 |OR EAX,EAX
004084D5 |.^ 75 EA \JNZ SHORT CrackMe.004084C1 ; continue looping while not 0
004084D7 |. 59 POP ECX
004084D8 |. 5A POP EDX
004084D9 |. 29F1 SUB ECX,ESI
004084DB |. 29CA SUB EDX,ECX
004084DD |. 76 10 JBE SHORT CrackMe.004084EF
004084DF |. 01D1 ADD ECX,EDX
004084E1 |. B0 30 MOV AL,30
004084E3 |. 29D6 SUB ESI,EDX
004084E5 |. EB 03 JMP SHORT CrackMe.004084EA
004084E7 |> 880432 /MOV BYTE PTR DS:[EDX+ESI],AL
004084EA |> 4A DEC EDX
004084EB |.^ 75 FA \JNZ SHORT CrackMe.004084E7
004084ED |. 8806 MOV BYTE PTR DS:[ESI],AL
004084EF \> C3 RETN
Step into CALL CrackMe.0040862C with F7
0040862C /$ 53 PUSH EBX
0040862D |. 56 PUSH ESI
0040862E |. 83C4 F4 ADD ESP,-0C
00408631 |. 8BD8 MOV EBX,EAX
00408633 |. 8BD4 MOV EDX,ESP
00408635 |. 8BC3 MOV EAX,EBX
00408637 |. E8 D8A8FFFF CALL CrackMe.00402F14 ; key CALL; step in with F7
0040863C |. 8BF0 MOV ESI,EAX
0040863E |. 833C24 00 CMP DWORD PTR SS:[ESP],0
00408642 |. 74 19 JE SHORT CrackMe.0040865D
00408644 |. 895C24 04 MOV DWORD PTR SS:[ESP+4],EBX
00408648 |. C64424 08 0B MOV BYTE PTR SS:[ESP+8],0B
0040864D |. 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
00408651 |. A1 B8214800 MOV EAX,DWORD PTR DS:[4821B8]
00408656 |. 33C9 XOR ECX,ECX
00408658 |. E8 13FAFFFF CALL CrackMe.00408070
0040865D |> 8BC6 MOV EAX,ESI
0040865F |. 83C4 0C ADD ESP,0C
00408662 |. 5E POP ESI
00408663 |. 5B POP EBX
00408664 \. C3 RETN
00408637 |. E8 D8A8FFFF CALL CrackMe.00402F14 ; key CALL; step in with F7
Step into CALL CrackMe.00402F14 with F7
00402F14 /$ 53 PUSH EBX
00402F15 |. 56 PUSH ESI
00402F16 |. 57 PUSH EDI
00402F17 |. 89C6 MOV ESI,EAX
00402F19 |. 50 PUSH EAX
00402F1A |. 85C0 TEST EAX,EAX
00402F1C |. 74 6C JE SHORT CrackMe.00402F8A
00402F1E |. 31C0 XOR EAX,EAX
00402F20 |. 31DB XOR EBX,EBX
00402F22 |. BF CCCCCC0C MOV EDI,0CCCCCCC
00402F27 |> 8A1E /MOV BL,BYTE PTR DS:[ESI] ; BL=38
00402F29 |. 46 |INC ESI ; ESI+1=00FAE449D
00402F2A |. 80FB 20 |CMP BL,20
00402F2D |.^ 74 F8 \JE SHORT CrackMe.00402F27 ; if it is a space, jump to 00402F27
00402F2F |. B5 00 MOV CH,0
00402F31 |. 80FB 2D CMP BL,2D
00402F34 |. 74 62 JE SHORT CrackMe.00402F98 ; if it is "-", jump to 00402F98
00402F36 |. 80FB 2B CMP BL,2B
00402F39 |. 74 5F JE SHORT CrackMe.00402F9A ; if it is "+", jump to 00402F9A
00402F3B |> 80FB 24 CMP BL,24
00402F3E |. 74 5F JE SHORT CrackMe.00402F9F ; if it is "$", jump to 00402F9F
00402F40 |. 80FB 78 CMP BL,78
00402F43 |. 74 5A JE SHORT CrackMe.00402F9F ; if it is "x", jump to 00402F9F
00402F45 |. 80FB 58 CMP BL,58
00402F48 |. 74 55 JE SHORT CrackMe.00402F9F ; if it is "X", jump to 00402F9F
00402F4A |. 80FB 30 CMP BL,30
00402F4D |. 75 13 JNZ SHORT CrackMe.00402F62 ; if it is not "0", jump to 00402F62
00402F4F |. 8A1E MOV BL,BYTE PTR DS:[ESI]
00402F51 |. 46 INC ESI
00402F52 |. 80FB 78 CMP BL,78
00402F55 |. 74 48 JE SHORT CrackMe.00402F9F
00402F57 |. 80FB 58 CMP BL,58
00402F5A |. 74 43 JE SHORT CrackMe.00402F9F
00402F5C |. 84DB TEST BL,BL
00402F5E |. 74 20 JE SHORT CrackMe.00402F80
00402F60 |. EB 04 JMP SHORT CrackMe.00402F66
00402F62 |> 84DB TEST BL,BL
00402F64 |. 74 2D JE SHORT CrackMe.00402F93
00402F66 |> 80EB 30 /SUB BL,30
00402F69 |. 80FB 09 |CMP BL,9
00402F6C |. 77 25 |JA SHORT CrackMe.00402F93 ; above 9: jump to 00402F93
00402F6E |. 39F8 |CMP EAX,EDI
00402F70 |. 77 21 |JA SHORT CrackMe.00402F93 ; above: jump to 00402F93
00402F72 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; EAX + 4*EAX; the computed value goes into EAX
00402F75 |. 01C0 |ADD EAX,EAX ; EAX + EAX, doubling the value from the previous instruction
00402F77 |. 01D8 |ADD EAX,EBX ; add the current digit's own value to the computed value
00402F79 |. 8A1E |MOV BL,BYTE PTR DS:[ESI] ; second character of the string "878787", 7, into BL
00402F7B |. 46 |INC ESI ; ESI+1
00402F7C |. 84DB |TEST BL,BL
00402F7E |.^ 75 E6 \JNZ SHORT CrackMe.00402F66 ; continue looping while not null
00402F80 |> FECD DEC CH
00402F82 |. 74 09 JE SHORT CrackMe.00402F8D
00402F84 |. 85C0 TEST EAX,EAX
00402F86 |. 7D 54 JGE SHORT CrackMe.00402FDC
00402F88 |. EB 09 JMP SHORT CrackMe.00402F93
00402F8A |> 46 INC ESI
00402F8B |. EB 06 JMP SHORT CrackMe.00402F93
00402F8D |> F7D8 NEG EAX
00402F8F |. 7E 4B JLE SHORT CrackMe.00402FDC
00402F91 |. 78 49 JS SHORT CrackMe.00402FDC
00402F93 |> 5B POP EBX ; Default case of switch 00402FB3
00402F94 |. 29DE SUB ESI,EBX
00402F96 |. EB 47 JMP SHORT CrackMe.00402FDF
00402F98 |> FEC5 INC CH
00402F9A |> 8A1E MOV BL,BYTE PTR DS:[ESI]
00402F9C |. 46 INC ESI
00402F9D |.^ EB 9C JMP SHORT CrackMe.00402F3B
00402F9F |> BF FFFFFF0F MOV EDI,0FFFFFFF
00402FA4 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
00402FA6 |. 46 INC ESI
00402FA7 |. 84DB TEST BL,BL
00402FA9 |.^ 74 DF JE SHORT CrackMe.00402F8A
00402FAB |> 80FB 61 /CMP BL,61
00402FAE |. 72 03 |JB SHORT CrackMe.00402FB3
00402FB0 |. 80EB 20 |SUB BL,20
00402FB3 |> 80EB 30 |SUB BL,30 ; Switch (cases 30..46)
00402FB6 |. 80FB 09 |CMP BL,9
00402FB9 |. 76 0B |JBE SHORT CrackMe.00402FC6
00402FBB |. 80EB 11 |SUB BL,11
00402FBE |. 80FB 05 |CMP BL,5
00402FC1 |.^ 77 D0 |JA SHORT CrackMe.00402F93
00402FC3 |. 80C3 0A |ADD BL,0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 00402FB3
00402FC6 |> 39F8 |CMP EAX,EDI ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 00402FB3
00402FC8 |.^ 77 C9 |JA SHORT CrackMe.00402F93
00402FCA |. C1E0 04 |SHL EAX,4
00402FCD |. 01D8 |ADD EAX,EBX
00402FCF |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
00402FD1 |. 46 |INC ESI
00402FD2 |. 84DB |TEST BL,BL
00402FD4 |.^ 75 D5 \JNZ SHORT CrackMe.00402FAB
00402FD6 |. FECD DEC CH
00402FD8 |. 75 02 JNZ SHORT CrackMe.00402FDC
00402FDA |. F7D8 NEG EAX
00402FDC |> 59 POP ECX
00402FDD |. 31F6 XOR ESI,ESI
00402FDF |> 8932 MOV DWORD PTR DS:[EDX],ESI
00402FE1 |. 5F POP EDI
00402FE2 |. 5E POP ESI
00402FE3 |. 5B POP EBX
00402FE4 \. C3 RETN
00480999 |. E8 F6FBFFFF CALL CrackMe.00480594
Step into CALL CrackMe.00480594 with F7
00480594 /$ 55 PUSH EBP
00480595 |. 8BEC MOV EBP,ESP
00480597 |. 51 PUSH ECX
00480598 |. 53 PUSH EBX
00480599 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0048059C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048059F |. E8 7441F8FF CALL CrackMe.00404718
004805A4 |. 33C0 XOR EAX,EAX
004805A6 |. 55 PUSH EBP
004805A7 |. 68 E9054800 PUSH CrackMe.004805E9
004805AC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004805AF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004805B2 |. 33DB XOR EBX,EBX
004805B4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; username guapi into EAX
004805B7 |. E8 6C3FF8FF CALL CrackMe.00404528 ; get the username length, 00000005
004805BC |. 85C0 TEST EAX,EAX
004805BE |. 7E 13 JLE SHORT CrackMe.004805D3 ; length less than or equal to 0: jump to 004805D3
004805C0 |. BA 01000000 MOV EDX,1
004805C5 |> 8B4D FC /MOV ECX,DWORD PTR SS:[EBP-4] ; username guapi into ECX
004805C8 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; hex value of the first username character g, zero-extended into ECX
004805CD |. 03D9 |ADD EBX,ECX ; the running sum is kept in EBX; EBX=216
004805CF |. 42 |INC EDX ; index counter +1
004805D0 |. 48 |DEC EAX ; loop counter -1
004805D1 |.^ 75 F2 \JNZ SHORT CrackMe.004805C5
004805D3 |> 33C0 XOR EAX,EAX
004805D5 |. 5A POP EDX
004805D6 |. 59 POP ECX
004805D7 |. 59 POP ECX
004805D8 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004805DB |. 68 F0054800 PUSH CrackMe.004805F0
004805E0 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004805E3 |. E8 803CF8FF CALL CrackMe.00404268
004805E8 \. C3 RETN
004805E9 .^\E9 5636F8FF JMP CrackMe.00403C44
004805EE .^ EB F0 JMP SHORT CrackMe.004805E0
004805F0 . 8BC3 MOV EAX,EBX
004805F2 . 5B POP EBX
004805F3 . 59 POP ECX
004805F4 . 5D POP EBP ; 0012FDA4
004805F5 . C3 RETN
004809A7 |. E8 447BF8FF CALL CrackMe.004084F0
Step into CALL CrackMe.004084F0 with F7
004084F0 /$ 56 PUSH ESI
004084F1 |. 89E6 MOV ESI,ESP
004084F3 |. 83EC 10 SUB ESP,10
004084F6 |. 31C9 XOR ECX,ECX
004084F8 |. 52 PUSH EDX
004084F9 |. 31D2 XOR EDX,EDX
004084FB |. E8 A4FFFFFF CALL CrackMe.004084A4 ; inverse operation: converts the hex result back to the original data
00408500 |. 89F2 MOV EDX,ESI
00408502 |. 58 POP EAX
00408503 |. E8 50BEFFFF CALL CrackMe.00404358 ; inverse operation: converts the hex result to decimal 879321
00408508 |. 83C4 10 ADD ESP,10
0040850B |. 5E POP ESI
0040850C \. C3 RETN
004809AF |. E8 E0FBFFFF CALL CrackMe.00480594 ; step in with F7; the hex character codes of 879321 add up to 13E
Working serial:
Name:guapi
Code:879321
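
The check traced in the listings above, re-expressed in Python as an added example (it is not code from the original post or from the CrackMe). The function names are labels chosen here for the routines at 004806CC and 00480594 and for the comparison at 004809BE; the inputs are the values from the post, except the rearranged code "123879", which is constructed to show that the comparison is made on character sums rather than on the strings themselves. ASCII input is assumed.

```python
# Added example: the registration check traced in the listings, in Python.
# Function names are labels chosen here; addresses refer to the post's listings.

def char_sum(s: str) -> int:
    """CALL 00480594: add up the byte values of every character."""
    return sum(s.encode("ascii"))


def machine_value(computer_name: str) -> int:
    """CALL 004806CC: the decimal codes of the first three characters are
    concatenated ("WWW" -> "878787") and parsed back as one integer."""
    digits = "".join(str(b) for b in computer_name.encode("ascii")[:3])
    if not digits:
        raise ValueError("empty computer name")  # case not covered by the post
    return int(digits)


def expected_code(computer_name: str, username: str) -> str:
    """0048099E..004809A7: machine value + username sum, rendered in decimal."""
    return str(machine_value(computer_name) + char_sum(username))


def check_as_traced(computer_name: str, username: str, code: str) -> bool:
    """Comparison at 004809BE: only the two character sums are compared."""
    if not username or not code:          # JE at 00480974 / 0048097E
        return False
    return char_sum(expected_code(computer_name, username)) == char_sum(code)


def check_strict(computer_name: str, username: str, code: str) -> bool:
    """Hypothetical stricter variant: compare the strings themselves."""
    return bool(username) and code == expected_code(computer_name, username)


if __name__ == "__main__":
    host, user = "WWW-D3261482DE4", "guapi"      # values from the post
    print(hex(machine_value(host)), hex(char_sum(user)))
    print(expected_code(host, user))
    for code in ("123456", "879321", "123879"):  # the last one is constructed
        print(code, hex(char_sum(code)),
              check_as_traced(host, user, code), check_strict(host, user, code))
```
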
--------------------------------------------------------------------------------
【Summary】
I found this CrackMe fairly simple; anyone with enough patience can crack it.
--------------------------------------------------------------------------------
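【Copyright notice】: This article is an original work by HPKEr. When reposting, please credit the author and keep the article intact. Thank you!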