[Original] My first work: a very simple CrackMe. I hope someone can provide a better keygen.
Posted: 2010-4-25 15:16 7263
0040110D |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00401110 |. 52 PUSH EDX
00401111 |. E8 8A050000 CALL Crakene2.004016A0 ; get the length of the registration name
00401116 |. 83C4 04 ADD ESP,4
00401119 |. 83F8 02 CMP EAX,2
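0040111C |. 74 59 JE SHORT Crakene2.00401177 ; check whether the registration name is two characters long; jump if so
0040111E |. 68 3C504200 PUSH Crakene2.0042503C ; /用户名必须为两个字符,且不能包含中文和特殊符号!\n ("The username must be two characters and must not contain Chinese or special symbols!")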
00401123 |. E8 58060000 CALL Crakene2.00401780 ; \Crakene2.00401780
00401128 |. 83C4 04 ADD ESP,4
0040112B |. A1 347A4200 MOV EAX,DWORD PTR DS:[427A34]
00401130 |. 83E8 01 SUB EAX,1
00401133 |. A3 347A4200 MOV DWORD PTR DS:[427A34],EAX
00401138 |. 833D 347A4200>CMP DWORD PTR DS:[427A34],0
0040113F |. 7C 21 JL SHORT Crakene2.00401162
00401141 |. 8B0D 307A4200 MOV ECX,DWORD PTR DS:[427A30] ; Crakene2.0042B608
00401147 |. 0FBE11 MOVSX EDX,BYTE PTR DS:[ECX]
0040114A |. 81E2 FF000000 AND EDX,0FF
00401150 |. 8955 9C MOV DWORD PTR SS:[EBP-64],EDX
00401153 |. A1 307A4200 MOV EAX,DWORD PTR DS:[427A30]
00401158 |. 83C0 01 ADD EAX,1
0040115B |. A3 307A4200 MOV DWORD PTR DS:[427A30],EAX
00401160 |. EB 10 JMP SHORT Crakene2.00401172
00401162 |> 68 307A4200 PUSH Crakene2.00427A30 ; /Arg1 = 00427A30
00401167 |. E8 04020000 CALL Crakene2.00401370 ; \Crakene2.00401370
0040116C |. 83C4 04 ADD ESP,4
0040116F |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
00401172 |> E9 56010000 JMP Crakene2.004012CD
00401177 |> C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0 ; zero SS:[EBP-14]
0040117E |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14] ; ECX = 0
00401181 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX ; zero SS:[EBP-10]
00401184 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; EDX = 0
00401187 |. 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX ; zero SS:[EBP-C]
0040118A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; EAX = 0
0040118D |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; zero SS:[EBP-8]
00401190 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] ; ECX = 0
00401193 |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX ; zero SS:[EBP-4]
00401196 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0 ; SS:[EBP-18]
0040119D |. EB 09 JMP SHORT Crakene2.004011A8
The blue region computes the following:
SS:[EBP-4] = the sum of the ASCII codes of the registration name's characters,
SS:[EBP-8] = the sum of the ASCII codes of the 1st and 2nd characters of the serial,
SS:[EBP-C] = the sum of the ASCII codes of the 3rd and 4th characters of the serial,
SS:[EBP-10] = the sum of the ASCII codes of the 5th and 6th characters of the serial,
SS:[EBP-14] = the sum of the ASCII codes of the 7th and 8th characters of the serial.
0040119F |> 8B55 E8 /MOV EDX,DWORD PTR SS:[EBP-18]
004011A2 |. 83C2 01 |ADD EDX,1
004011A5 |. 8955 E8 |MOV DWORD PTR SS:[EBP-18],EDX
004011A8 |> 837D E8 02 CMP DWORD PTR SS:[EBP-18],2
004011AC |. 7D 52 |JGE SHORT Crakene2.00401200
004011AE |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004011B1 |. 0FBE4C05 D4 |MOVSX ECX,BYTE PTR SS:[EBP+EAX-2C]
004011B6 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
004011B9 |. 03D1 |ADD EDX,ECX
004011BB |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX
004011BE |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004011C1 |. 0FBE4C05 A0 |MOVSX ECX,BYTE PTR SS:[EBP+EAX-60]
004011C6 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004011C9 |. 03D1 |ADD EDX,ECX
004011CB |. 8955 F8 |MOV DWORD PTR SS:[EBP-8],EDX
004011CE |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004011D1 |. 0FBE4C05 A2 |MOVSX ECX,BYTE PTR SS:[EBP+EAX-5E]
004011D6 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004011D9 |. 03D1 |ADD EDX,ECX
004011DB |. 8955 F4 |MOV DWORD PTR SS:[EBP-C],EDX
004011DE |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004011E1 |. 0FBE4C05 A4 |MOVSX ECX,BYTE PTR SS:[EBP+EAX-5C]
004011E6 |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10]
004011E9 |. 03D1 |ADD EDX,ECX
004011EB |. 8955 F0 |MOV DWORD PTR SS:[EBP-10],EDX
004011EE |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004011F1 |. 0FBE4C05 A6 |MOVSX ECX,BYTE PTR SS:[EBP+EAX-5A]
004011F6 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
004011F9 |. 03D1 |ADD EDX,ECX
004011FB |. 8955 EC |MOV DWORD PTR SS:[EBP-14],EDX
004011FE |.^ EB 9F \JMP SHORT Crakene2.0040119F
00401200 |> 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00401203 |. 2B45 F4 SUB EAX,DWORD PTR SS:[EBP-C]
00401206 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; ASCII sum of serial characters 5 and 6 minus that of characters 3 and 4; the result is stored in SS:[EBP-10]
00401209 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0040120C |. 83C1 1E ADD ECX,1E
0040120F |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX ; add 1E to the sum of the registration name's characters
Check whether the difference between characters 5,6 and characters 3,4 lies between 0 and 5
00401212 |. 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
00401216 |. 7C 06 JL SHORT Crakene2.0040121E ; jump if less than 0
00401218 |. 837D F0 05 CMP DWORD PTR SS:[EBP-10],5
0040121C |. 7E 0F JLE SHORT Crakene2.0040122D ; jump if less than or equal to 5
0040121E |> 68 2C504200 PUSH Crakene2.0042502C ; /注册码错误!\n ("Wrong serial!")
00401223 |. E8 58050000 CALL Crakene2.00401780 ; \Crakene2.00401780
00401228 |. 83C4 04 ADD ESP,4
0040122B |. EB 56 JMP SHORT Crakene2.00401283
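Let K be the difference between characters 5,6 and characters 3,4
Compute ESI: the sum of the ASCII codes of the registration name's characters, raised to the power K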
0040122D |> 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
00401230 |. 52 PUSH EDX
00401231 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401234 |. 50 PUSH EAX
00401235 |. E8 D0FDFFFF CALL Crakene2.0040100A
0040123A |. 83C4 08 ADD ESP,8
0040123D |. 8BF0 MOV ESI,EAX
Compute EAX: the sum of the ASCII codes of serial characters 1 and 2, raised to the power K (saved in EDI)
0040123F |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00401242 |. 51 PUSH ECX
00401243 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00401246 |. 52 PUSH EDX
00401247 |. E8 BEFDFFFF CALL Crakene2.0040100A
0040124C |. 83C4 08 ADD ESP,8
0040124F |. 8BF8 MOV EDI,EAX
Compute EDI: the sum of the ASCII codes of serial characters 7 and 8, raised to the power K, plus the EAX value from the previous step
00401251 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00401254 |. 50 PUSH EAX
00401255 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00401258 |. 51 PUSH ECX
00401259 |. E8 ACFDFFFF CALL Crakene2.0040100A
0040125E |. 83C4 08 ADD ESP,8
00401261 |. 03F8 ADD EDI,EAX
00401263 |. 3BF7 CMP ESI,EDI ; compare ESI with EDI; jump if they are not equal
00401265 75 0F JNZ SHORT Crakene2.00401276
00401267 |. 68 1C504200 PUSH Crakene2.0042501C ; /注册成功!\n ("Registration successful!")
0040126C |. E8 0F050000 CALL Crakene2.00401780 ; \Crakene2.00401780
00401271 |. 83C4 04 ADD ESP,4
00401274 |. EB 0D JMP SHORT Crakene2.00401283
00401276 |> 68 2C504200 PUSH Crakene2.0042502C ; /注册码错误!\n ("Wrong serial!")
0040127B |. E8 00050000 CALL Crakene2.00401780 ; \Crakene2.00401780
00401280 |. 83C4 04 ADD ESP,4
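This is my first work, and some parts are not done well; I hope everyone will bear with me.
Summary: this is a very simple CrackMe, and the algorithm is very simple.
1) Add up the ASCII codes of the characters of the registration name, then add 30 (0x1E), giving A.
2) Take the sum of the ASCII codes of the 5th and 6th characters of the serial and subtract the sum of the ASCII codes of the 3rd and 4th characters, giving the number K.
3) Add the ASCII codes of the 1st and 2nd characters of the serial, giving B.
4) Add the ASCII codes of the 7th and 8th characters of the serial, giving C.
5) Compare whether A to the power K equals B to the power K plus C to the power K.
If they are equal, registration succeeds.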
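
The five-step check summarised above, re-implemented in C as an added example (not code from the original post or from the CrackMe itself). The behaviour of the helper at 0040100A, the 8-character minimum for the serial, and the names `ipow32`, `pair_sum` and `check_registration` are assumptions; the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the helper at 0040100A (body not shown in the post) is an
   integer power with 32-bit wraparound. */
static uint32_t ipow32(uint32_t base, uint32_t exp) {
    uint32_t r = 1;
    while (exp--) r *= base;
    return r;
}

/* Sum of two adjacent characters, sign-extended as MOVSX does. */
static int32_t pair_sum(const char *s, size_t off) {
    return (int32_t)(signed char)s[off] + (int32_t)(signed char)s[off + 1];
}

/* Returns 1 = accepted, 0 = rejected, -1 = malformed input. */
int check_registration(const char *name, const char *serial) {
    if (strlen(name) != 2) return -1;      /* CMP EAX,2 at 00401119 */
    if (strlen(serial) < 8) return -1;     /* assumption: 8 serial bytes are read */

    int32_t a = pair_sum(name, 0) + 0x1E;                   /* step 1: A */
    int32_t k = pair_sum(serial, 4) - pair_sum(serial, 2);  /* step 2: K */
    int32_t b = pair_sum(serial, 0);                        /* step 3: B */
    int32_t c = pair_sum(serial, 6);                        /* step 4: C */

    if (k < 0 || k > 5) return 0;          /* range check at 00401212..0040121C */

    /* step 5: A^K compared with B^K + C^K, all in 32-bit registers */
    uint32_t esi = ipow32((uint32_t)a, (uint32_t)k);
    uint32_t edi = ipow32((uint32_t)b, (uint32_t)k) + ipow32((uint32_t)c, (uint32_t)k);
    return esi == edi;                     /* CMP ESI,EDI at 00401263 */
}

int main(void) {
    /* Constructed inputs, not taken from the post. */
    printf("K=1: %d\n", check_registration("zz", "AA0001HH"));
    printf("K=0: %d\n", check_registration("zz", "AA0000HH"));
    printf("K=2: %d\n", check_registration("nn", "KK0002dd"));
    return 0;
}
```

Under the assumed power helper, K = 0 compares 1 against 1 + 1 and can never pass, while K = 1 reduces the check to A = B + C.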