Today, while working through "密界精华-CrackMe练习-Anti-Crackme1", I found that this kind of comparison is not easy to invert to compute the registration code, so I'm bringing it here for discussion; please give your opinions.
Analysis:
( each character of name XOR each character of table1 ) summed must equal ( each character of sn XOR each character of table2 ) summed
Note: saying "each character of table1" or "each character of table2" is not accurate; the table character used is the one at the same index as the character of name or sn.
The attachment contains the original program and a version with its anti-debugging defeated. Cracking it is not a problem, but the algorithm is a bit of an issue.
Attachment: CrackMe.rar
Original cracking write-up:
Attachment: Crackme1.rar
I'm not sure whether that explanation made sense; just look at the code below.
#include <stdio.h>
#include <string.h>

int main(void)
{
    const char *name = "huangke";
    const char *sn = "123456789";
    const char *table1 = "dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt";
    const char *table2 = "EdjlfFFklciILlIednelaHgebAMO0oO0ese3";
    unsigned x = 0;
    /* mirrors the loop at 0040120B: byte-wise XOR (AND 0FF) summed into [40304E] */
    for (size_t i = 0; i < strlen(name); i++)
        x += (unsigned char)name[i] ^ (unsigned char)table1[i];
    printf("%x\n", x);
    (void)sn; (void)table2;  /* the sn loop at 00401243 is not reproduced here */
    return 0;
}
/*
00403000 64 58 71 64 6B 6B 6A 52 67 33 6A 43 6E 69 66 45 dXqdkkjRg3jCnifE
00403010 53 6A 65 6C 73 4A 6C 6B 65 4E 4E 47 65 64 69 57 SjelsJlkeNNGediW
00403020 50 52 72 74 00 45 64 6A 6C 66 46 46 6B 6C 63 69 PRrt.EdjlfFFklci
00403030 49 4C 6C 49 65 64 6E 65 6C 61 48 67 65 62 41 4D ILlIednelaHgebAM
00403040 4F 30 6F 4F 30 65 73 65 33 00 00 00 00 00 00 00 O0oO0ese3.......
004011EF > \A1 56304000 MOV EAX,DWORD PTR DS:[403056] ; eax = strlen(name)
004011F4 . 83F8 06 CMP EAX,6 ; if eax < 6
004011F7 . 0F8C 97000000 JL XiaoZi'C.00401294 ; go over
004011FD . 50 PUSH EAX
004011FE . 59 POP ECX ; ecx = eax
004011FF . 8D35 00304000 LEA ESI,DWORD PTR DS:[403000] ; esi = &table1
00401205 . 8D3D 74304000 LEA EDI,DWORD PTR DS:[403074] ; edi = &name
0040120B > 33C0 XOR EAX,EAX ; eax = 0 ; LOOP start =========== compute over name
0040120D . 33DB XOR EBX,EBX ; ebx = 0
0040120F . 8B07 MOV EAX,DWORD PTR DS:[EDI] ; eax = name[0,1,2,3]
00401211 . 8B1E MOV EBX,DWORD PTR DS:[ESI] ; ebx = table1[0,1,2,3]
00401213 . 25 FF000000 AND EAX,0FF ; eax & 0FF ; eax = name[i]
00401218 . 81E3 FF000000 AND EBX,0FF ; ebx & 0FF ; ebx = table1[i]
0040121E . 33C3 XOR EAX,EBX ; eax = eax ^ ebx
00401220 . 0305 4E304000 ADD EAX,DWORD PTR DS:[40304E] ; eax += [40304E]
00401226 . A3 4E304000 MOV DWORD PTR DS:[40304E],EAX ; [40304E] = eax
0040122B . 46 INC ESI ; esi++
0040122C . 47 INC EDI ; edi++
0040122D .^ E2 DC LOOPD SHORT XiaoZi'C.0040120B ; go up ; LOOP end
0040122F . 33C9 XOR ECX,ECX ; ecx = 0
00401231 . 8B0D 5A304000 MOV ECX,DWORD PTR DS:[40305A] ; ecx = strlen(sn)
00401237 . 8D35 25304000 LEA ESI,DWORD PTR DS:[403025] ; esi = &table2
0040123D . 8D3D F4304000 LEA EDI,DWORD PTR DS:[4030F4] ; edi = &sn
00401243 > 33C0 XOR EAX,EAX ; eax = 0 ; LOOP start =========== compute over sn
00401245 . 33DB XOR EBX,EBX ; ebx = 0
00401247 . 8B07 MOV EAX,DWORD PTR DS:[EDI] ; eax = sn[i,i+1,i+2,i+3]
00401249 . 8B1E MOV EBX,DWORD PTR DS:[ESI] ; ebx = table2[i,i+1,i+2,i+3]
0040124B . 25 FF000000 AND EAX,0FF ; eax & 0FF ; eax = sn[i]
00401250 . 81E3 FF000000 AND EBX,0FF ; ebx & 0FF ; ebx = table2[i]
00401256 . 33C3 XOR EAX,EBX ; eax = eax ^ ebx
00401258 . 0305 52304000 ADD EAX,DWORD PTR DS:[403052] ; eax += [403052]
0040125E . A3 52304000 MOV DWORD PTR DS:[403052],EAX ; [403052] = eax
00401263 . 46 INC ESI ; esi++
00401264 . 47 INC EDI ; edi++
00401265 .^ E2 DC LOOPD SHORT XiaoZi'C.00401243 ; go up ; LOOP end
00401267 . A1 52304000 MOV EAX,DWORD PTR DS:[403052] ; eax = value computed from sn
0040126C . 8B1D 4A304000 MOV EBX,DWORD PTR DS:[40304A] ; ????? I don't know what this is for. Later investigation showed that the program checks periodically with a timer, and once the timer is set this gets the value 1.
00401272 . 85DB TEST EBX,EBX ; test [40304A]
00401274 . 75 3A JNZ SHORT XiaoZi'C.004012B0 ; go over
00401276 . 8505 4E304000 TEST DWORD PTR DS:[40304E],EAX ; test the values computed from sn and name.
0040127C . 75 32 JNZ SHORT XiaoZi'C.004012B0 ; if != go over
*/
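An added example (my own code, not the post's or the CrackMe's): it reimplements both loops and the final decision exactly as the listing above shows them, including the TEST/JNZ pair at 00401276, so the result can be compared with the equality relation given in the analysis. Treating the timer flag at [40304A] as 0 and the length guards on name and sn are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tables copied from the dump at 00403000 / 00403025. */
static const char TABLE1[] = "dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt";
static const char TABLE2[] = "EdjlfFFklciILlIednelaHgebAMO0oO0ese3";

/* One pass of the loop at 0040120B (name) / 00401243 (sn): each byte is
   masked to 0xFF (AND EAX,0FF), XORed with the table byte at the same
   index and added to a 32-bit accumulator ([40304E] / [403052]). */
static uint32_t xor_sum(const char *s, const char *table)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < strlen(s); i++)
        acc += (uint8_t)s[i] ^ (uint8_t)table[i];
    return acc;
}

/* The decision at 004011F4..0040127C. Names shorter than 6 characters never
   reach the loops (CMP EAX,6 / JL 00401294); the timer flag at [40304A] is
   assumed to be 0; the two sums are combined with TEST (a bitwise AND)
   followed by JNZ, so the check passes only when the sums share no set
   bit, rather than when they are equal. The guards on the lengths are an
   added assumption: an empty sn would make LOOPD wrap in the original, and
   a string longer than its table would index past the table bytes. */
static int check_serial(const char *name, const char *sn)
{
    if (strlen(name) < 6)
        return 0;
    if (strlen(sn) == 0 || strlen(name) > strlen(TABLE1) || strlen(sn) > strlen(TABLE2))
        return 0;
    uint32_t name_sum = xor_sum(name, TABLE1);
    uint32_t sn_sum = xor_sum(sn, TABLE2);
    return (name_sum & sn_sum) == 0;
}

int main(void)
{
    const char *name = "huangke", *sn = "123456789"; /* values from the post */
    uint32_t a = xor_sum(name, TABLE1), b = xor_sum(sn, TABLE2);
    printf("name sum = %#x, sn sum = %#x, and = %#x -> %s\n",
           a, b, a & b, check_serial(name, sn) ? "accepted" : "rejected");
    return 0;
}
```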