rOYALaCCEZZ Trial Crackme 3.2 演算法分析 (10千字)
;-----------------------------------------------------------------------
; Fragment of the dialog handler (the function starts above this listing
; and the failure label 004010DE lies below it).  It reads the Code and
; Name edit boxes with GetDlgItemTextA, bounds-checks the two lengths and
; hands them to the serial check at 00401141.
; Register roles: ebx = length of Code, eax = length of Name.
; GetDlgItemTextA(hDlg, nIDDlgItem, lpString, nMaxCount) returns the
; number of characters copied; only the last push of the first call is
; visible here.
;-----------------------------------------------------------------------
:00401093 FF7508
push [ebp+08]                        ; hDlg (dialog handle)
* Reference To: USER32.GetDlgItemTextA, Ord:0102h
|
:00401096 E8A1020000 Call 0040133C   ; read the Code field; eax = chars copied
:0040109B 8BD8
mov ebx, eax                         ; ebx = length of Code (CLen)
:0040109D 6A40
push 00000040                        ; nMaxCount = 0x40 characters
:0040109F 6844304000 push 00403044   ; lpString = Name buffer at 00403044
:004010A4 68E8030000 push 000003E8   ; nIDDlgItem = 0x3E8 (the Name control)
:004010A9 FF7508
push [ebp+08]                        ; hDlg
* Reference To: USER32.GetDlgItemTextA, Ord:0102h
|
:004010AC E88B020000 Call 0040133C   ; read the Name field; eax = chars copied (ULen)
:004010B1 83F805
cmp eax, 00000005
:004010B4 7228
jb 004010DE                          ; Name shorter than 5 -> failure (unsigned compare)
:004010B6 83F820
cmp eax, 00000020
:004010B9 7723
ja 004010DE                          ; Name longer than 0x20 (32) -> failure
:004010BB 0BDB
or ebx, ebx
:004010BD 741F
je 004010DE                          ; empty Code -> failure
:004010BF 53
push ebx                             ; 2nd stdcall arg = CLen  -> [ebp+0C] in 00401141
:004010C0 50
push eax                             ; 1st stdcall arg = ULen  -> [ebp+08] in 00401141
:004010C1 E87B000000 call 00401141   ; serial check (the function is listed below)
:004010C6 83F801
cmp eax, 00000001
:004010C9 7513
jne 004010DE                         ; anything but eax == 1 is treated as failure
....................
===================================================================
;-----------------------------------------------------------------------
; 00401141: serial check, stdcall with two dword args ("ret 0008").
; In:    [ebp+08] = ULen, length of the Name stored at 00403044
;        [ebp+0C] = CLen, length of the Code stored at 00403084
; Out:   eax = 0 on every failure exit visible in this listing; the
;        caller tests for eax == 1, so the success path (00401303, not
;        shown) presumably returns 1.
; Globals written:
;        [004030C4] = 32-bit hash of the Name ("Pre" in the sketch below)
;        [004030C8] = byte index of the '-' inside the Code
;        [004030C9..CB] = the three bytes after the '-' (C1, C2, C3)
;        [004030CC/D0/D4] = three linear combinations of C1..C3
; Clobb: eax, ebx, ecx, edx, flags.  ebx is overwritten without being
;        saved (no push ebx in the prologue).
;-----------------------------------------------------------------------
:00401141 55
push ebp
:00401142 8BEC
mov ebp, esp                         ; frame pointer only; no locals
:00401144 8B4508
mov eax, dword ptr [ebp+08]          ; eax = ULen, used as a countdown index
:00401147 C705C430400000000000 mov dword ptr [004030C4], 00000000   ; hash = 0
:00401151 BB01000000 mov ebx,
00000001                             ; ebx = per-character key k, starts at 1
:00401156 EB1D
jmp 00401175                         ; bottom-tested loop: jump to the test first
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401177(C)
|
[403044]====>UName                   ; 00403044 = Name buffer
:00401158 48
dec eax                              ; eax = index of the next char, walking from the end toward 0
:00401159 0FB69044304000 movzx edx, byte ptr
[eax+00403044]                       ; edx = Name[eax], zero-extended
:00401160 33D3
xor edx, ebx                         ; edx = Name[eax] xor k
:00401162 0FAFD3
imul edx, ebx                        ; edx = (Name[eax] xor k) * k
:00401165 83C305
add ebx, 00000005                    ; k += 5 for the next character
:00401168 3115C4304000 xor dword ptr
[004030C4], edx                      ; hash ^= edx
:0040116E C105C430400005 rol dword ptr [004030C4],
05                                   ; hash = rol(hash, 5)
Pre:=0;
ebx:=1;
for index:=LenName downto 1 do
begin
  Pre:=Pre xor ((ord(strName[index]) xor ebx)*ebx);
  Pre:=rol(Pre,5);
  ebx:=ebx+5;
end;
Pre:=not Pre;
Pre:=ror(Pre,LenName);
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401156(U)
|
:00401175 0BC0
or eax, eax                          ; loop test: characters left to hash?
:00401177 75DF
jne 00401158                         ; yes -> process Name[eax-1]
:00401179 F715C4304000 not dword ptr
[004030C4]                           ; after the loop: hash = not hash
===========>>>>註冊使用者名稱>>>>>[004030C4] - 45a16b5f _k.E
:0040117F 33C9
xor ecx, ecx                         ; redundant: the next mov overwrites all of ecx
:00401181 8B4D08
mov ecx, dword ptr [ebp+08]          ; ecx = ULen
:00401184 D30DC4304000 ror dword ptr
[004030C4], cl                       ; hash = ror(hash, ULen); the CPU masks the count to 5 bits
===========>>>>註冊使用者名稱>>>>>[004030C4] - fa2d0b5a Z.-.
; Pass 1 over the Code: locate the first '-' and record its index.
:0040118A 33C0
xor eax, eax                         ; eax = scan index into the Code
:0040118C C605C830400000 mov byte ptr [004030C8],
00                                   ; dash_index = 0 (doubles as "not found")
:00401193 EB17
jmp 004011AC                         ; bottom-tested loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011AF(C)
|
[00403084]====>UCode                 ; 00403084 = Code buffer
:00401195 0FB69084304000 movzx edx, byte ptr
[eax+00403084]                       ; edx = Code[eax]
:0040119C 40
inc eax
:0040119D 83FA2D
cmp edx, 0000002D                    ; is this the '-' (0x2D)?
:004011A0 750A
jne 004011AC                         ; no -> next character
:004011A2 FEC8
dec al                               ; al = index of the '-' (eax was already incremented)
:004011A4 A2C8304000 mov byte
ptr [004030C8], al                   ; dash_index = al; stored as a byte, so only the low
                                     ; 8 bits survive (the Code length bound is not visible here)
:004011A9 8B450C
mov eax, dword ptr [ebp+0C]          ; eax = CLen, which fails the loop test below:
                                     ; the scan stops at the first '-'
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401193(U), :004011A0(C)
|
:004011AC 3B450C
cmp eax, dword ptr [ebp+0C]
:004011AF 75E4
jne 00401195                         ; loop while eax != CLen
:004011B1 803DC830400000 cmp byte ptr [004030C8],
00
:004011B8 7506
jne 004011C0                         ; '-' found at an index > 0 -> continue
:004011BA 33C0
xor eax, eax                         ; no '-' at all, or '-' as the first character -> return 0
:004011BC C9
leave
:004011BD C20800
ret 0008
; Pass 2: every character before the '-' must lie in 0x40..0x5A.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011B8(C)
|
:004011C0 33C9
xor ecx, ecx
:004011C2 8A0DC8304000 mov cl, byte
ptr [004030C8]                       ; cl = dash_index (0-based); upper bits of ecx stay 0
:004011C8 33C0
xor eax, eax
:004011CA 33DB
xor ebx, ebx
:004011CC EB14
jmp 004011E2                         ; bottom-tested loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011E4(C)
|
:004011CE FEC9
dec cl                               ; cl = index of the next character before the '-', down to 0
:004011D0 0FB69184304000 movzx edx, byte ptr
[ecx+00403084]                       ; edx = Code[cl]
:004011D7 83FA3F
cmp edx, 0000003F
:004011DA 760E
jbe 004011EA                         ; <= 0x3F -> reject
:004011DC 83FA5B
cmp edx, 0000005B
:004011DF 7309
jnb 004011EA                         ; >= 0x5B -> reject; only 0x40..0x5A ('@', 'A'..'Z') pass
:004011E1 90
nop
=================-前的字元,必須($3F,$5B)[40-5A]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011CC(U)
|
:004011E2 0AC9
or cl, cl                            ; characters left before the '-'?
:004011E4 75E8
jne 004011CE                         ; yes -> range-check the next one
:004011E6 90
nop
:004011E7 90
nop
:004011E8 EB06
jmp 004011F0                         ; all characters before the '-' passed
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004011DA(C), :004011DF(C)
|
:004011EA 33C0
xor eax, eax                         ; out-of-range character -> return 0
:004011EC C9
leave
:004011ED C20800
ret 0008
; Pass 3: read the characters before the '-' as a base-26 number.
; The loop runs from the character just before the '-' down to index 0,
; so Code[0] ends up as the least significant digit (weight 26^0).
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011E8(U)
|
:004011F0 33C9
xor ecx, ecx
:004011F2 8A0DC8304000 mov cl, byte
ptr [004030C8]                       ; cl = dash_index again
:004011F8 33C0
xor eax, eax
:004011FA 33DB
xor ebx, ebx                         ; ebx = accumulator
:004011FC EB11
jmp 0040120F                         ; bottom-tested loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401211(C)
|
:004011FE FEC9
dec cl
:00401200 6BDB1A
imul ebx, 0000001A                   ; ebx *= 26 (32-bit, wraps silently)
:00401203 0FB69184304000 movzx edx, byte ptr
[ecx+00403084]                       ; edx = Code[cl]
:0040120A 83EA41
sub edx, 00000041                    ; edx = Code[cl] - 'A': '@' gives -1, 'A'..'Z' give 0..25
:0040120D 03DA
add ebx, edx                         ; ebx = ebx*26 + digit
===========================計算-好前的註冊碼
fa2d0b5a
mmebx=0;
for index:=Aindex downto 1 do
begin
mmebx:=mmebx*26;
mmebx:=mmebx+(ord(strCode[index])-$41)
//40-5A==>-1,0..25
end;
......
==============//因此,你運算可以使用Mod,DIV運算就可以完成前半部分
01234567890123456789012345
ABCDEFGHIJKLMNOPQRSTUVWXYZ
fa2d0b5a mod 26=2=C
16=Q
2=C
16H=22=W
6=G
F=15=P
D=13=N
CQCWGPN
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011FC(U)
|
:0040120F 0AC9
or cl, cl
:00401211 75EB
jne 004011FE                         ; loop while characters remain before the '-'
:00401213 3B1DC4304000 cmp ebx, dword
ptr [004030C4]                       ; base-26 value must equal the Name hash
:00401219 7406
je 00401221
:0040121B 33C0
xor eax, eax                         ; mismatch -> return 0
:0040121D C9
leave
:0040121E C20800
ret 0008
; Tail of the Code: the '-' must be followed by exactly three characters.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401219(C)
|
:00401221 8B450C
mov eax, dword ptr [ebp+0C]          ; eax = CLen
:00401224 2A05C8304000 sub al, byte
ptr [004030C8]                       ; al = CLen - dash_index (byte subtract; bits 8..31 of eax untouched)
:0040122A 83F804
cmp eax, 00000004                    ; '-' plus three characters
:0040122D 7406
je 00401235
:0040122F 33C0
xor eax, eax                         ; wrong tail length -> return 0
:00401231 C9
leave
:00401232 C20800
ret 0008
; Extract C1, C2, C3 = Code[dash+1..dash+3] into 004030C9..004030CB.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040122D(C)
|
:00401235 33DB
xor ebx, ebx
:00401237 8A1DC8304000 mov bl, byte
ptr [004030C8]                       ; bl = dash_index
:0040123D FEC3
inc bl
:0040123F 0FB69384304000 movzx edx, byte ptr
[ebx+00403084]
:00401246 8815C9304000 mov byte ptr
[004030C9], dl                       ; C1 = Code[dash+1]
:0040124C FEC3
inc bl
:0040124E 0FB69384304000 movzx edx, byte ptr
[ebx+00403084]
:00401255 8815CA304000 mov byte ptr
[004030CA], dl                       ; C2 = Code[dash+2]
:0040125B FEC3
inc bl
:0040125D 0FB69384304000 movzx edx, byte ptr
[ebx+00403084]
:00401264 8815CB304000 mov byte ptr
[004030CB], dl                       ; C3 = Code[dash+3]
; Build three linear combinations of C1..C3:
;   E1 = [004030CC] = 3*C1 - C2 + 5*C3
;   E2 = [004030D0] = -7*C1 + 2*C2 + 7*C3
;   E3 = [004030D4] = C1 + C2 - 2*C3
:0040126A 33C0
xor eax, eax
:0040126C A0C9304000 mov al,
byte ptr [004030C9]                  ; eax = C1
:00401271 6BC003
imul eax, 00000003
:00401274 A3CC304000 mov dword
ptr [004030CC], eax                  ; E1 = 3*C1
:00401279 33C0
xor eax, eax
:0040127B 8A1DC9304000 mov bl, byte
ptr [004030C9]                       ; ebx = C1 (bits 8..31 of ebx are still 0 from the xor above)
:00401281 6BDB07
imul ebx, 00000007                   ; ebx = 7*C1
:00401284 2BC3
sub eax, ebx                         ; eax = 0 - 7*C1
:00401286 A3D0304000 mov dword
ptr [004030D0], eax                  ; E2 = -7*C1
:0040128B 33C0
xor eax, eax
:0040128D A0C9304000 mov al,
byte ptr [004030C9]
:00401292 A3D4304000 mov dword
ptr [004030D4], eax                  ; E3 = C1
:00401297 33C0
xor eax, eax
:00401299 A0CA304000 mov al,
byte ptr [004030CA]                  ; eax = C2
:0040129E 2905CC304000 sub dword ptr
[004030CC], eax                      ; E1 = 3*C1 - C2
:004012A4 33C0
xor eax, eax
:004012A6 A0CA304000 mov al,
byte ptr [004030CA]
:004012AB 6BC002
imul eax, 00000002
:004012AE 0105D0304000 add dword ptr
[004030D0], eax                      ; E2 = -7*C1 + 2*C2
:004012B4 33C0
xor eax, eax
:004012B6 A0CA304000 mov al,
byte ptr [004030CA]
:004012BB 0105D4304000 add dword ptr
[004030D4], eax                      ; E3 = C1 + C2
:004012C1 33C0
xor eax, eax
:004012C3 A0CB304000 mov al,
byte ptr [004030CB]                  ; eax = C3
:004012C8 6BC005
imul eax, 00000005
:004012CB 0105CC304000 add dword ptr
[004030CC], eax                      ; E1 = 3*C1 - C2 + 5*C3
:004012D1 33C0
xor eax, eax
:004012D3 A0CB304000 mov al,
byte ptr [004030CB]
:004012D8 6BC007
imul eax, 00000007
:004012DB 0105D0304000 add dword ptr
[004030D0], eax                      ; E2 = -7*C1 + 2*C2 + 7*C3 (the author notes the later
                                     ; compare, not shown, expects 0x19)
:004012E1 33C0
xor eax, eax
:004012E3 A0CB304000 mov al,
byte ptr [004030CB]
:004012E8 6BC002
imul eax, 00000002
:004012EB 2905D4304000 sub dword ptr
[004030D4], eax                      ; E3 = C1 + C2 - 2*C3 (the author notes it must equal 0xD)
:004012F1 813DCC30400004020000 cmp dword ptr [004030CC], 00000204   ; first check: E1 == 0x204 (516)
:004012FB 7406
je 00401303                          ; success path continues past this listing (E2/E3 checks not shown)
:004012FD 33C0
xor eax, eax                         ; E1 mismatch -> return 0
:004012FF C9
leave
:00401300 C20800
ret 0008
-23C
======================//
so,we
204=(C1*3-C2)+C3*5
C1+C2-C3*2=D
((-C1*7)+(C2*2))+C3*7=19
3*C1 -C2+5C3=516
C1+ C2-2C3=13
-7C1+2*C2+7C3=25
解方程得到
C1=82=52=R
C2=65=41=A
C3=67=43=C
=========
DiKeN
CQCWGPN-RAC