Today let's trace out the registration code of a crackme, heh!
"incorrect!, try again": this is the message shown by the registration check.
004013bc call MessageBoxA
0040218e is the username; other addresses involved: 00401228, 004012b7
Processing of the username:
0040137E /$ 8B7424 04     mov esi, dword ptr [esp+4]  ; [esp+4] is the username; the result here decides whether the message box below pops up
00401382 |. 56            push esi
00401383 |> 8A06          /mov al, byte ptr [esi]     ; the loop ends once the byte is 0
00401385 |. 84C0          |test al, al
00401387 |. 74 13         |je short 0040139C          ; taking this jump is no good
00401389 |. 3C 41         |cmp al, 41                 ; 65 ('A')
0040138B |. 72 1F         |jb short 004013AC          ; if this jumps, it's over
0040138D |. 3C 5A         |cmp al, 5A                 ; 90 ('Z')
0040138F |. 73 03         |jnb short 00401394         ; simple filtering of the characters
00401391 |. 46            |inc esi
00401392 |.^ EB EF        |jmp short 00401383
00401394 |> E8 39000000   |call 004013D2              ; subtracts 0x20 ("-20")
00401399 |. 46            |inc esi                    ; crackme.00402193
0040139A |.^ EB E7        \jmp short 00401383
0040139C |> 5E            pop esi
004013C2 /$ 33FF          xor edi, edi                ; this holds the value to be returned
004013C4 |. 33DB          xor ebx, ebx
004013C6 |> 8A1E          /mov bl, byte ptr [esi]     ; username
004013C8 |. 84DB          |test bl, bl
004013CA |. 74 05         |je short 004013D1
004013CC |. 03FB          |add edi, ebx               ; add them up
004013CE |. 46            |inc esi
004013CF |.^ EB F5        \jmp short 004013C6
004013D1 \> C3            retn
0040139D |. E8 20000000   call 004013C2
004013A2 |. 81F7 78560000 xor edi, 5678
004013A8 |. 8BC7          mov eax, edi
for (i = 0; i < len(yh); i++) {      /* yh is the username buffer */
    if (yh[i] < 0x41)
        exit;                        /* jb 004013AC: fail */
    else if (yh[i] >= 0x5a)          /* jnb 00401394 */
        yh[i] = yh[i] - 0x20;        /* call 004013D2 */
}
for (i = 0; i < len(yh); i++)
    s = s + yh[i];                   /* add all the bytes together */
re = s ^ 0x5678;
0040217e is the password
Processing of the password:
004013D8 /$ 33C0          xor eax, eax
004013DA |. 33FF          xor edi, edi
004013DC |. 33DB          xor ebx, ebx
004013DE |. 8B7424 04     mov esi, dword ptr [esp+4]  ; password
004013E2 |> B0 0A         /mov al, 0A
004013E4 |. 8A1E          |mov bl, byte ptr [esi]
004013E6 |. 84DB          |test bl, bl
004013E8 |. 74 0B         |je short 004013F5
004013EA |. 80EB 30       |sub bl, 30
004013ED |. 0FAFF8        |imul edi, eax              ; x10
004013F0 |. 03FB          |add edi, ebx
004013F2 |. 46            |inc esi
004013F3 |.^ EB ED        \jmp short 004013E2
004013F5 |> 81F7 34120000 xor edi, 1234
004013FB |. 8BDF          mov ebx, edi
004013FD \. C3            retn
for (i = 0; i < len(mima); i++)      /* mima is the password string */
    s = s * 10 + mima[i] - 0x30;     /* decimal parse, one digit per loop */
re = s ^ 0x1234;
=============== At this point the whole algorithm has been reversed, so writing a keygen is easy: first compute the encoded username, then invert the password part!
It uses a double encoding, i.e. the scheme is: encoded(username) == encoded(password)!
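Putting the two reversed routines together, as an added example (this is not the author's code, and the crackme binary itself is not on this page): a C reimplementation that mirrors the register-level behaviour of the listings above, including the rejection of any byte below 0x41 and the subtract-0x20 branch that jnb takes for every byte at or above 0x5A, followed by the serial derivation the post describes. The sample name "nbboy" is a constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Mirrors 0040137E..004013A8: filter the name in place, then sum it and xor.
 * Returns 0 when a byte below 0x41 is found (the jb at 0040138B rejects it),
 * otherwise 1 with the value left in eax stored to *out. */
int name_hash(char *name, uint32_t *out)
{
    uint32_t edi = 0;
    for (unsigned char *p = (unsigned char *)name; *p; p++) {
        if (*p < 0x41)
            return 0;
        if (*p >= 0x5A)        /* jnb 00401394 -> call 004013D2; note 'Z' itself becomes 0x3A */
            *p -= 0x20;
    }
    for (unsigned char *p = (unsigned char *)name; *p; p++)
        edi += *p;             /* 004013CC: add edi, ebx (bl zero-extended) */
    *out = edi ^ 0x5678;
    return 1;
}
/* Mirrors 004013D8..004013FD: edi = edi*10 + (byte - 0x30) over the serial, then xor.
 * sub bl,30 is an 8-bit subtraction, so the cast keeps the same wraparound. */
uint32_t serial_hash(const char *serial)
{
    uint32_t edi = 0;
    for (const unsigned char *p = (const unsigned char *)serial; *p; p++)
        edi = edi * 10 + (uint8_t)(*p - 0x30);
    return edi ^ 0x1234;
}
/* The check passes when the two hashes are equal, so the serial is the decimal
 * form of name_hash ^ 0x1234. Returns 0 for a name the filter rejects. */
int make_serial(const char *name, char *buf, size_t len)
{
    char tmp[256];
    uint32_t h;
    if (strlen(name) >= sizeof tmp) return 0;
    strcpy(tmp, name);         /* name_hash rewrites its buffer, so work on a copy */
    if (!name_hash(tmp, &h)) return 0;
    snprintf(buf, len, "%u", (unsigned)(h ^ 0x1234));
    return 1;
}
int main(void)
{
    char serial[16];
    if (make_serial("nbboy", serial, sizeof serial))   /* constructed sample name */
        printf("name nbboy -> serial %s\n", serial);   /* prints 17718 */
    return 0;
}
```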
edit by nbboy
www.cnblog.com/nbboy