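This post was last edited by zcl0317 on 2018-4-11 20:59
The first of the 160 CrackMe collection: analyze the algorithm and write a keygen! Pointers from experts are welcome. No more chatter, let's begin! I'm a beginner, so I can only pick on small CMs.
Load it in OD, enter a username and a fake serial. The breakpoint I set is on MessageBoxA! Trace back to the key CALL.
Set a breakpoint here and analyze it step by step!
[Asm]
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930
0042FA57 |. 83F8 04 cmp eax,0x4 ; username must be at least 4 characters
0042FA5A |. 7D 1D jge short Acid_bur.0042FA79 ; JGE jumps if not less than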
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; ASCII 54,"ry Again!"
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; ASCII 53,"orry , The serial is incorect !"
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58 ; computes the username length
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; ASCII code of the first character of the username goes into EAX
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; first character of the username: 78H*29H=1338H
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax ; store the product in 0x431750
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; 1338H+1338H=2670H
0042FAA3 |. 8D45 FC lea eax,[local.1] ; load the address ebp-0x4 into EAX
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2] ; load the address ebp-0x8 into EAX
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1] ;
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ;
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718 ; converts the computed hexadecimal serial value to decimal 9840
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ;
0042FADA |. FF75 F8 push [local.2] ;
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC ; this CALL concatenates the serial into the form "CW-9840-CRACKED"
0042FAEA |. 8D55 F0 lea edx,[local.4]
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58 ; fetches the fake serial for comparison
0042FAF8 |. 8B55 F0 mov edx,[local.4] ; algorithm analysis is complete at this point.
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC
0042FB03 |. 75 1A jnz short Acid_bur.0042FB1F
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp short Acid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; ASCII 54,"ry Again!"
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; ASCII 53,"orry , The serial is incorect !"
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170 ;
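Now let's summarize the algorithm and write the keygen!
The algorithm is: the username must be at least 4 characters; take the hexadecimal ASCII code of the first character of the username and multiply it by 29H, then add the result to itself once, convert it to decimal, and join it into the string "CW-****-CRACKED".
Taking the username xuepojie as an example: (78H*29H)+(78H*29H)=2670H, which is 9840 in decimal, so the serial for xuepojie is "CW-9840-CRACKED".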
Attachment: CM.rar (738.14 KB)
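The algorithm summarized above, written out in Python as an added example (not code from the original post). It assumes the dword at 0x431750 holds 29H when the imul runs, as the post's annotation states, and that the name is read as single-byte text; the function names are illustrative. It also counts how many distinct serials the scheme can produce, since only the first character of the name feeds the check.

```python
# Added example: re-implements the check traced in the disassembly above.
MULTIPLIER = 0x29    # assumed value at ds:[0x431750] at 0042FA8D (per the post)
MIN_NAME_LEN = 4     # cmp eax,0x4 / jge at 0042FA57
MASK32 = 0xFFFFFFFF  # EAX and the global are 32-bit


def expected_serial(username: str, encoding: str = "ascii") -> str:
    """Return the serial the program builds for this username."""
    raw = username.encode(encoding)           # assumed: name is single-byte text
    if len(raw) < MIN_NAME_LEN:
        raise ValueError("name shorter than 4 is rejected before the compare")
    first = raw[0]                            # movzx eax, byte ptr [eax]
    product = (first * MULTIPLIER) & MASK32   # imul dword ptr [0x431750]
    total = (product + product) & MASK32      # add dword ptr [0x431750], eax
    # Five pieces are joined: "CW", "-", decimal value, "-", "CRACKED".
    return "-".join(["CW", str(total), "CRACKED"])


def check(username: str, serial: str, encoding: str = "ascii") -> bool:
    """Mirror the final string compare; names that fail early never match."""
    try:
        return serial == expected_serial(username, encoding)
    except ValueError:
        return False


def distinct_serials() -> set:
    """All serials reachable with a printable-ASCII first character."""
    return {expected_serial(chr(c) + "aaa") for c in range(0x20, 0x7F)}


if __name__ == "__main__":
    print(expected_serial("xuepojie"))   # worked example from the post
    print(len(distinct_serials()))       # size of the whole serial space
```

Because the rest of the name never enters the computation, every name that starts with the same character shares one serial, which is why this check binds a license to a user only very weakly.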