Mre521 KeyGenMe#2算法分析
2022-03-12 16:57:03
作 者: 无常pl
软件名:Mre521 KeyGenMe#2
这是crackmes.de上的一个2j难度的程序,作者给出了包含源码的程序,得出name为crackmes.de的Serial(不要爆破哦),就可以得到源码。
不过我还是自己分析了一下算法,写出了注册机。
查找字符串很容易找到下面这段代码
; Dialog-procedure fragment (the listing starts mid-function at 00401C09 and stops after the
; "Invalid Serial." MessageBoxA; the call whose result arrives in EAX at the top, the success
; path at 00401E3E and the exit at 00401F10 are not shown on this page).
; Stack/register usage visible below:
;   [EBP-8], [EBP-C]  -> handles of the name (0FA4) and serial (0FA5) edit controls
;   EBX               -> name buffer (lParam of the first WM_GETTEXT)
;   [EBP-4]           -> serial buffer (lParam of the second WM_GETTEXT)
;   ESI               -> table of 7 function pointers built at 00401CAE
;   [EBP-10],[EBP-14] -> dword slots filled by 00401690 (author's a3 and a2 respectively)
;   [EBP-18]          -> byte slot filled by 00401690 (author's a4)
;   EDI               -> result of 00401000(name); the author reads it as the sum of the
;                        name's characters (00401000 itself is not shown)
;   [EBP-20],[EBP-24] -> results of 00401110 and 00401370, both compared against EDI
00401C09 |. 59 POP ECX ; balances the argument of the preceding call (not shown)
00401C0A |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; [EBP-C] = pointer returned by that call
00401C0D |. C700 00000000 MOV DWORD PTR DS:[EAX],0 ; zero the pointed-to dword
00401C13 |. 68 A40F0000 PUSH 0FA4 ; /ControlID = FA4 (4004.) -- name edit control
00401C18 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401C1B |. 50 PUSH EAX ; |hWnd
00401C1C |. FF15 E09B4000 CALL DWORD PTR DS:[<&USER32.GetDlgItem>] ; \GetDlgItem
00401C22 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00401C25 |. 8902 MOV DWORD PTR DS:[EDX],EAX ; *[EBP-8] = handle of the name control
00401C27 |. 68 A50F0000 PUSH 0FA5 ; /ControlID = FA5 (4005.) -- serial edit control
00401C2C |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401C2F |. 50 PUSH EAX ; |hWnd
00401C30 |. FF15 E09B4000 CALL DWORD PTR DS:[<&USER32.GetDlgItem>] ; \GetDlgItem
00401C36 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00401C39 |. 8902 MOV DWORD PTR DS:[EDX],EAX ; *[EBP-C] = handle of the serial control
00401C3B |. 53 PUSH EBX ; /lParam = EBX, the buffer that receives the name (the debugger printed a placeholder comment here)
00401C3C |. 68 00010000 PUSH 100 ; |wParam = 100 (maximum characters to copy)
00401C41 |. 6A 0D PUSH 0D ; |Message = WM_GETTEXT
00401C43 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; |
00401C46 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
00401C48 |. 50 PUSH EAX ; |hWnd = name control
00401C49 |. FF15 E49B4000 CALL DWORD PTR DS:[<&USER32.SendMessageA>] ; \SendMessageA -> EAX = length of the name
00401C4F |. 83F8 05 CMP EAX,5 ; name length must be >= 5 (JGE below), as the error text says
00401C52 |. 7D 1B JGE SHORT KeyGenMe.00401C6F
00401C54 |. 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401C56 |. 68 27714000 PUSH KeyGenMe.00407127 ; |Error
00401C5B |. 68 2D714000 PUSH KeyGenMe.0040712D ; |Name must be at least 5 characters.
00401C60 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401C63 |. 50 PUSH EAX ; |hOwner
00401C64 |. FF15 DC9B4000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00401C6A |. E9 A1020000 JMP KeyGenMe.00401F10 ; leave (target not shown)
00401C6F |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401C72 |. 50 PUSH EAX ; /lParam = serial buffer [EBP-4]
00401C73 |. 6A 1D PUSH 1D ; |wParam = 1D (29 = 28 characters plus the terminator)
00401C75 |. 6A 0D PUSH 0D ; |Message = WM_GETTEXT
00401C77 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; |
00401C7A |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
00401C7C |. 50 PUSH EAX ; |hWnd = serial control
00401C7D |. FF15 E49B4000 CALL DWORD PTR DS:[<&USER32.SendMessageA>] ; \SendMessageA -> EAX = length of the serial
00401C83 |. 83F8 1C CMP EAX,1C ; serial length must be exactly 28
00401C86 |. 74 1C JE SHORT KeyGenMe.00401CA4
00401C88 |. 31F6 XOR ESI,ESI ; wrong length: no table, no slots, straight to "Invalid Serial."
00401C8A |. C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
00401C91 |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00401C98 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
00401C9F |. E9 11010000 JMP KeyGenMe.00401DB5
00401CA4 |> 6A 1C PUSH 1C ; 0x1C bytes = room for 7 dwords
00401CA6 |. E8 D5080000 CALL KeyGenMe.00402580 ; presumably an allocator (PUSH size / CALL / POP ECX pattern); body not shown
00401CAB |. 59 POP ECX
00401CAC |. 89C6 MOV ESI,EAX ; ESI = function-pointer table, filled in below
00401CAE |. C706 00104000 MOV DWORD PTR DS:[ESI],KeyGenMe.00401000 ; [ESI+0]  = 00401000 (per the author: sum of the name's characters)
00401CB4 |. C746 04 30104>MOV DWORD PTR DS:[ESI+4],KeyGenMe.00401030 ; [ESI+4]  = 00401030 (not called in this fragment)
00401CBB |. C746 08 80124>MOV DWORD PTR DS:[ESI+8],KeyGenMe.00401280 ; [ESI+8]  = 00401280 (not called in this fragment)
00401CC2 |. C746 0C 10114>MOV DWORD PTR DS:[ESI+C],KeyGenMe.00401110 ; [ESI+C]  = 00401110 (second-stage check using a3 and a4)
00401CC9 |. C746 10 70134>MOV DWORD PTR DS:[ESI+10],KeyGenMe.00401370 ; [ESI+10] = 00401370 (third-stage check using a2 and a4; not shown)
00401CD0 |. C746 14 E0144>MOV DWORD PTR DS:[ESI+14],KeyGenMe.004014E0 ; [ESI+14] = 004014E0 (not called in this fragment)
00401CD7 |. C746 18 90164>MOV DWORD PTR DS:[ESI+18],KeyGenMe.00401690 ; [ESI+18] = 00401690 (serial format check; fills a2, a3, a4)
00401CDE |. 56 PUSH ESI
00401CDF |. E8 FCFBFFFF CALL KeyGenMe.004018E0 ; 004018E0(table) -> AL; this call and 00401930(table, AL) bracket every table call below (purpose not shown)
00401CE4 |. 8845 E7 MOV BYTE PTR SS:[EBP-19],AL ; keep AL for the matching 00401930 call
00401CE7 |. 6A 04 PUSH 4
00401CE9 |. E8 92080000 CALL KeyGenMe.00402580 ; 4-byte slot
00401CEE |. 59 POP ECX
00401CEF |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; [EBP-10] -> dword that 00401690 fills through ESI (author's a3)
00401CF2 |. C700 00000000 MOV DWORD PTR DS:[EAX],0 ; must start at 0: 00401690 ORs nibbles into it
00401CF8 |. 6A 04 PUSH 4
00401CFA |. E8 81080000 CALL KeyGenMe.00402580 ; 4-byte slot
00401CFF |. 59 POP ECX
00401D00 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; [EBP-14] -> dword that 00401690 fills through EDI (author's a2)
00401D03 |. C700 00000000 MOV DWORD PTR DS:[EAX],0
00401D09 |. 6A 01 PUSH 1
00401D0B |. E8 70080000 CALL KeyGenMe.00402580 ; 1-byte slot
00401D10 |. 59 POP ECX
00401D11 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; [EBP-18] -> byte a4
00401D14 |. C600 00 MOV BYTE PTR DS:[EAX],0
00401D17 |. 0FB645 E7 MOVZX EAX,BYTE PTR SS:[EBP-19]
00401D1B |. 50 PUSH EAX
00401D1C |. 56 PUSH ESI
00401D1D |. E8 0EFCFFFF CALL KeyGenMe.00401930 ; 00401930(table, byte from 004018E0)
00401D22 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; arg4 of 00401690: pointer to a4
00401D25 |. 50 PUSH EAX
00401D26 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; arg3: becomes EDI in 00401690, receives a2 (the original note here said a3)
00401D29 |. 50 PUSH EAX
00401D2A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; arg2: becomes ESI in 00401690, receives a3 (the original note here said a2)
00401D2D |. 50 PUSH EAX
00401D2E |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; arg1: serial buffer
00401D31 |. 50 PUSH EAX
00401D32 |. FF56 18 CALL DWORD PTR DS:[ESI+18] ; 00401690: first-stage serial check, also fills a2/a3/a4 (stdcall, RETN 10)
00401D35 |. 83F8 FF CMP EAX,-1 ; -1 = fixed positions of the serial are wrong
00401D38 |. 74 7B JE SHORT KeyGenMe.00401DB5
00401D3A |. 56 PUSH ESI
00401D3B |. E8 A0FBFFFF CALL KeyGenMe.004018E0 ; helper pair again
00401D40 |. 0FB6C0 MOVZX EAX,AL
00401D43 |. 50 PUSH EAX
00401D44 |. 56 PUSH ESI
00401D45 |. E8 E6FBFFFF CALL KeyGenMe.00401930
00401D4A |. 53 PUSH EBX ; arg = name buffer
00401D4B |. FF16 CALL DWORD PTR DS:[ESI] ; 00401000(name)
00401D4D |. 89C7 MOV EDI,EAX ; EDI = reference value both later checks must reproduce
00401D4F |. 56 PUSH ESI
00401D50 |. E8 8BFBFFFF CALL KeyGenMe.004018E0 ; helper pair again
00401D55 |. 0FB6C0 MOVZX EAX,AL
00401D58 |. 50 PUSH EAX
00401D59 |. 56 PUSH ESI
00401D5A |. E8 D1FBFFFF CALL KeyGenMe.00401930
00401D5F |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; a3 slot
00401D62 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; a3 value
00401D64 |. 50 PUSH EAX ; arg3 = a3
00401D65 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; a4 slot
00401D68 |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; a4 value (byte)
00401D6B |. 50 PUSH EAX ; arg2 = a4
00401D6C |. 53 PUSH EBX ; arg1 = name
00401D6D |. FF56 0C CALL DWORD PTR DS:[ESI+C] ; 00401110(name, a4, a3) -- second-stage check; its result must equal EDI or the serial is rejected (table entry is 00401110; the original note said 00401100)
00401D70 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00401D73 |. 56 PUSH ESI
00401D74 |. E8 67FBFFFF CALL KeyGenMe.004018E0 ; helper pair again
00401D79 |. 0FB6C0 MOVZX EAX,AL
00401D7C |. 50 PUSH EAX
00401D7D |. 56 PUSH ESI
00401D7E |. E8 ADFBFFFF CALL KeyGenMe.00401930
00401D83 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; a2 slot
00401D86 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; a2 value
00401D88 |. 50 PUSH EAX ; arg3 = a2
00401D89 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; a4 slot
00401D8C |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ; a4 value (byte)
00401D8F |. 50 PUSH EAX ; arg2 = a4
00401D90 |. 53 PUSH EBX ; arg1 = name
00401D91 |. FF56 10 CALL DWORD PTR DS:[ESI+10] ; 00401370(name, a4, a2) -- third-stage check; must also equal EDI (body not shown)
00401D94 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00401D97 |. 56 PUSH ESI
00401D98 |. E8 43FBFFFF CALL KeyGenMe.004018E0 ; helper pair again
00401D9D |. 0FB6C0 MOVZX EAX,AL
00401DA0 |. 50 PUSH EAX
00401DA1 |. 56 PUSH ESI
00401DA2 |. E8 89FBFFFF CALL KeyGenMe.00401930
00401DA7 |. 3B7D E0 CMP EDI,DWORD PTR SS:[EBP-20] ; result of 00401110 == reference value?
00401DAA |. 75 09 JNZ SHORT KeyGenMe.00401DB5 ; mismatch -> "Invalid Serial."
00401DAC |. 3B7D DC CMP EDI,DWORD PTR SS:[EBP-24] ; result of 00401370 == reference value?
00401DAF |. 0F84 89000000 JE KeyGenMe.00401E3E ; both match -> success path (not shown)
00401DB5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401DB7 |. 68 27714000 PUSH KeyGenMe.00407127 ; |Error
00401DBC |. 68 17714000 PUSH KeyGenMe.00407117 ; |Invalid Serial.
00401DC1 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401DC4 |. 50 PUSH EAX ; |hOwner
00401DC5 |. FF15 DC9B4000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
上面是程序的整体流程
下面仔细分析一下 对Serial进行初步判断 的这个call
; 00401690(serial, p_a3, p_a2, p_a4) -- stdcall (RETN 10), reached through [ESI+18].
; Returns -1 when the length or any fixed position of the 28-character serial is wrong;
; otherwise packs the characters at the remaining positions, converted by 00401660, into
; *p_a2 and *p_a3 (one nibble per position) and *p_a4 (two nibbles), and returns 0.
; 00401660 is not shown; the author's summary reads its result as the value of a hex digit.
; The DEADxxxx constants only disguise plain equality tests: each "CMP" below is
; "constant - value == constant - expected", so the expected byte is the difference.
00401690 . 53 PUSH EBX
00401691 . 56 PUSH ESI
00401692 . 57 PUSH EDI
00401693 . 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10] ; EBX = arg1: serial ("pass")
00401697 . 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14] ; ESI = arg2: pointer to a3
0040169B . 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18] ; EDI = arg3: pointer to a2
0040169F . 89DA MOV EDX,EBX
004016A1 . 83C8 FF OR EAX,FFFFFFFF ; EAX = -1
004016A4 > 40 INC EAX ; strlen loop: EAX = index of the first NUL
004016A5 . 803C02 00 CMP BYTE PTR DS:[EDX+EAX],0
004016A9 .^ 75 F9 JNZ SHORT KeyGenMe.004016A4
004016AB . BA DEC0ADDE MOV EDX,DEADC0DE
004016B0 . 29C2 SUB EDX,EAX ; DEADC0DE - len
004016B2 . 81FA C2C0ADDE CMP EDX,DEADC0C2 ; DE - C2 = 1C -> len == 28
004016B8 . 0F85 A9000000 JNZ KeyGenMe.00401767
004016BE . B8 EFBEADDE MOV EAX,DEADBEEF
004016C3 . 0FBE13 MOVSX EDX,BYTE PTR DS:[EBX] ; pass[0] (sign-extended)
004016C6 . 29D0 SUB EAX,EDX
004016C8 . 3D A2BEADDE CMP EAX,DEADBEA2 ; EF - A2 = 4D -> pass[0] == 'M'
004016CD . 0F85 94000000 JNZ KeyGenMe.00401767
004016D3 . B8 EFBEADDE MOV EAX,DEADBEEF
004016D8 . 0FBE53 01 MOVSX EDX,BYTE PTR DS:[EBX+1] ; pass[1]
004016DC . 29D0 SUB EAX,EDX
004016DE . 3D 9DBEADDE CMP EAX,DEADBE9D ; EF - 9D = 52 -> pass[1] == 'R'
004016E3 . 0F85 7E000000 JNZ KeyGenMe.00401767
004016E9 . B8 EFBEADDE MOV EAX,DEADBEEF
004016EE . 0FBE53 02 MOVSX EDX,BYTE PTR DS:[EBX+2] ; pass[2] (offset EBX+2; the original note said pass[3])
004016F2 . 29D0 SUB EAX,EDX
004016F4 . 3D AABEADDE CMP EAX,DEADBEAA ; EF - AA = 45 -> pass[2] == 'E'
004016F9 . 75 6C JNZ SHORT KeyGenMe.00401767
004016FB . B8 0DF0ADDE MOV EAX,DEADF00D
00401700 . 0FBE53 03 MOVSX EDX,BYTE PTR DS:[EBX+3] ; pass[3]
00401704 . 0FBE4B 0C MOVSX ECX,BYTE PTR DS:[EBX+C] ; pass[12]
00401708 . 01CA ADD EDX,ECX
0040170A . 0FBE4B 13 MOVSX ECX,BYTE PTR DS:[EBX+13] ; pass[19]
0040170E . 01CA ADD EDX,ECX
00401710 . 0FBE4B 18 MOVSX ECX,BYTE PTR DS:[EBX+18] ; pass[24]
00401714 . 01CA ADD EDX,ECX
00401716 . 29D0 SUB EAX,EDX ; F00D - EF59 = B4 -> pass[3]+pass[12]+pass[19]+pass[24] == 180
00401718 . 3D 59EFADDE CMP EAX,DEADEF59
0040171D . 75 48 JNZ SHORT KeyGenMe.00401767
0040171F . B8 EFBEADDE MOV EAX,DEADBEEF
00401724 . 0FBE53 19 MOVSX EDX,BYTE PTR DS:[EBX+19] ; pass[25]
00401728 . 29D0 SUB EAX,EDX
0040172A . 3D BABEADDE CMP EAX,DEADBEBA ; EF - BA = 35 -> pass[25] == '5'
0040172F . 75 36 JNZ SHORT KeyGenMe.00401767
00401731 . B8 EFBEADDE MOV EAX,DEADBEEF
00401736 . 0FBE53 1A MOVSX EDX,BYTE PTR DS:[EBX+1A] ; pass[26]
0040173A . 29D0 SUB EAX,EDX
0040173C . 3D BDBEADDE CMP EAX,DEADBEBD ; EF - BD = 32 -> pass[26] == '2'
00401741 . 75 24 JNZ SHORT KeyGenMe.00401767
00401743 . B8 EFBEADDE MOV EAX,DEADBEEF
00401748 . 0FBE53 1B MOVSX EDX,BYTE PTR DS:[EBX+1B] ; pass[27]
0040174C . 29D0 SUB EAX,EDX
0040174E . 3D BEBEADDE CMP EAX,DEADBEBE ; EF - BE = 31 -> pass[27] == '1'
00401753 . 75 12 JNZ SHORT KeyGenMe.00401767
00401755 . B8 EFBEADDE MOV EAX,DEADBEEF
0040175A . 0FBE53 1C MOVSX EDX,BYTE PTR DS:[EBX+1C] ; pass[28]: the 29th byte, i.e. the NUL terminator
0040175E . 29D0 SUB EAX,EDX
00401760 . 3D EFBEADDE CMP EAX,DEADBEEF ; difference 0 -> pass[28] == 0
00401765 . 74 08 JE SHORT KeyGenMe.0040176F ; all fixed positions OK -> pack the digits (the debugger printed a placeholder comment here)
00401767 > 83C8 FF OR EAX,FFFFFFFF ; failure: return -1
0040176A . E9 6B010000 JMP KeyGenMe.004018DA
0040176F > 0FB643 04 MOVZX EAX,BYTE PTR DS:[EBX+4] ; pass[4]
00401773 . 50 PUSH EAX
00401774 . E8 E7FEFFFF CALL KeyGenMe.00401660 ; AL = digit value of pass[4] (00401660 apparently pops its own argument: the [ESP+1C] reads at 004017F1 still hit arg4)
00401779 . 0FB6C0 MOVZX EAX,AL
0040177C . C1E0 1C SHL EAX,1C ; pass[4]<<28
0040177F . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 |= ... (the caller zeroed *p_a2)
00401781 . 8907 MOV DWORD PTR DS:[EDI],EAX
00401783 . 0FB643 05 MOVZX EAX,BYTE PTR DS:[EBX+5] ; pass[5]
00401787 . 50 PUSH EAX
00401788 . E8 D3FEFFFF CALL KeyGenMe.00401660
0040178D . 0FB6C0 MOVZX EAX,AL
00401790 . C1E0 18 SHL EAX,18 ; pass[5]<<24
00401793 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 = pass[4]<<28|pass[5]<<24
00401795 . 8907 MOV DWORD PTR DS:[EDI],EAX
00401797 . 0FB643 06 MOVZX EAX,BYTE PTR DS:[EBX+6] ; pass[6]
0040179B . 50 PUSH EAX
0040179C . E8 BFFEFFFF CALL KeyGenMe.00401660
004017A1 . 0FB6C0 MOVZX EAX,AL
004017A4 . C1E0 1C SHL EAX,1C ; pass[6]<<28
004017A7 . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 |= ... (the caller zeroed *p_a3)
004017A9 . 8906 MOV DWORD PTR DS:[ESI],EAX
004017AB . 0FB643 07 MOVZX EAX,BYTE PTR DS:[EBX+7] ; pass[7]
004017AF . 50 PUSH EAX
004017B0 . E8 ABFEFFFF CALL KeyGenMe.00401660
004017B5 . 0FB6C0 MOVZX EAX,AL
004017B8 . C1E0 18 SHL EAX,18 ; pass[7]<<24
004017BB . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 = pass[6]<<28|pass[7]<<24
004017BD . 8906 MOV DWORD PTR DS:[ESI],EAX
004017BF . 0FB643 08 MOVZX EAX,BYTE PTR DS:[EBX+8] ; pass[8]
004017C3 . 50 PUSH EAX
004017C4 . E8 97FEFFFF CALL KeyGenMe.00401660
004017C9 . 0FB6C0 MOVZX EAX,AL
004017CC . C1E0 14 SHL EAX,14 ; pass[8]<<20
004017CF . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20
004017D1 . 8907 MOV DWORD PTR DS:[EDI],EAX
004017D3 . 0FB643 09 MOVZX EAX,BYTE PTR DS:[EBX+9] ; pass[9]
004017D7 . 50 PUSH EAX
004017D8 . E8 83FEFFFF CALL KeyGenMe.00401660
004017DD . 0FB6C0 MOVZX EAX,AL
004017E0 . C1E0 10 SHL EAX,10 ; pass[9]<<16
004017E3 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
004017E5 . 8907 MOV DWORD PTR DS:[EDI],EAX
004017E7 . 0FB643 0A MOVZX EAX,BYTE PTR DS:[EBX+A] ; pass[10]
004017EB . 50 PUSH EAX
004017EC . E8 6FFEFFFF CALL KeyGenMe.00401660
004017F1 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C] ; EDX = arg4: pointer to a4
004017F5 . 0FB6C0 MOVZX EAX,AL
004017F8 . C1E0 04 SHL EAX,4 ; pass[10]<<4
004017FB . 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
004017FF . 0FB609 MOVZX ECX,BYTE PTR DS:[ECX] ; current *p_a4 (zeroed by the caller)
00401802 . 09C8 OR EAX,ECX ; pass[10]<<4 | *p_a4 (pass[11] is OR'd in at 00401818)
00401804 . 8802 MOV BYTE PTR DS:[EDX],AL ; store into a4
00401806 . 0FB643 0B MOVZX EAX,BYTE PTR DS:[EBX+B] ; pass[11]
0040180A . 50 PUSH EAX
0040180B . E8 50FEFFFF CALL KeyGenMe.00401660
00401810 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
00401814 . 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C] ; pointer to a4 again
00401818 . 0801 OR BYTE PTR DS:[ECX],AL ; a4 = pass[10]<<4|pass[11]
0040181A . 0FB643 0D MOVZX EAX,BYTE PTR DS:[EBX+D] ; pass[13]
0040181E . 50 PUSH EAX
0040181F . E8 3CFEFFFF CALL KeyGenMe.00401660
00401824 . 0FB6C0 MOVZX EAX,AL
00401827 . C1E0 14 SHL EAX,14 ; pass[13]<<20
0040182A . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20
0040182C . 8906 MOV DWORD PTR DS:[ESI],EAX
0040182E . 0FB643 0E MOVZX EAX,BYTE PTR DS:[EBX+E] ; pass[14]
00401832 . 50 PUSH EAX
00401833 . E8 28FEFFFF CALL KeyGenMe.00401660
00401838 . 0FB6C0 MOVZX EAX,AL
0040183B . C1E0 10 SHL EAX,10 ; pass[14]<<16
0040183E . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
00401840 . 8906 MOV DWORD PTR DS:[ESI],EAX
00401842 . 0FB643 0F MOVZX EAX,BYTE PTR DS:[EBX+F] ; pass[15]
00401846 . 50 PUSH EAX
00401847 . E8 14FEFFFF CALL KeyGenMe.00401660
0040184C . 0FB6C0 MOVZX EAX,AL
0040184F . C1E0 0C SHL EAX,0C ; pass[15]<<12
00401852 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
00401854 . 8907 MOV DWORD PTR DS:[EDI],EAX ; |pass[15]<<12
00401856 . 0FB643 10 MOVZX EAX,BYTE PTR DS:[EBX+10] ; pass[16]
0040185A . 50 PUSH EAX
0040185B . E8 00FEFFFF CALL KeyGenMe.00401660
00401860 . 0FB6C0 MOVZX EAX,AL
00401863 . C1E0 08 SHL EAX,8 ; pass[16]<<8
00401866 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
00401868 . 8907 MOV DWORD PTR DS:[EDI],EAX ; |pass[15]<<12|pass[16]<<8
0040186A . 0FB643 11 MOVZX EAX,BYTE PTR DS:[EBX+11] ; pass[17]
0040186E . 50 PUSH EAX
0040186F . E8 ECFDFFFF CALL KeyGenMe.00401660
00401874 . 0FB6C0 MOVZX EAX,AL
00401877 . C1E0 0C SHL EAX,0C ; pass[17]<<12
0040187A . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
0040187C . 8906 MOV DWORD PTR DS:[ESI],EAX ; |pass[17]<<12
0040187E . 0FB643 12 MOVZX EAX,BYTE PTR DS:[EBX+12] ; pass[18]
00401882 . 50 PUSH EAX
00401883 . E8 D8FDFFFF CALL KeyGenMe.00401660
00401888 . 0FB6C0 MOVZX EAX,AL
0040188B . C1E0 08 SHL EAX,8 ; pass[18]<<8
0040188E . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
00401890 . 8906 MOV DWORD PTR DS:[ESI],EAX ; |pass[17]<<12|pass[18]<<8
00401892 . 0FB643 14 MOVZX EAX,BYTE PTR DS:[EBX+14] ; pass[20]
00401896 . 50 PUSH EAX
00401897 . E8 C4FDFFFF CALL KeyGenMe.00401660
0040189C . 0FB6C0 MOVZX EAX,AL
0040189F . C1E0 04 SHL EAX,4 ; pass[20]<<4
004018A2 . 0B06 OR EAX,DWORD PTR DS:[ESI] ; a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
004018A4 . 8906 MOV DWORD PTR DS:[ESI],EAX ; |pass[17]<<12|pass[18]<<8|pass[20]<<4 -> stored into a3
004018A6 . 0FB643 15 MOVZX EAX,BYTE PTR DS:[EBX+15] ; pass[21]
004018AA . 50 PUSH EAX
004018AB . E8 B0FDFFFF CALL KeyGenMe.00401660
004018B0 . 0FB6C0 MOVZX EAX,AL
004018B3 . 0906 OR DWORD PTR DS:[ESI],EAX ; a3 complete: pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16|pass[17]<<12|pass[18]<<8|pass[20]<<4|pass[21]
004018B5 . 0FB643 16 MOVZX EAX,BYTE PTR DS:[EBX+16] ; pass[22]
004018B9 . 50 PUSH EAX
004018BA . E8 A1FDFFFF CALL KeyGenMe.00401660
004018BF . 0FB6C0 MOVZX EAX,AL
004018C2 . C1E0 04 SHL EAX,4 ; pass[22]<<4
004018C5 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
004018C7 . 8907 MOV DWORD PTR DS:[EDI],EAX ; |pass[15]<<12|pass[16]<<8|pass[22]<<4 -> stored into a2
004018C9 . 0FB643 17 MOVZX EAX,BYTE PTR DS:[EBX+17] ; pass[23]
004018CD . 50 PUSH EAX
004018CE . E8 8DFDFFFF CALL KeyGenMe.00401660
004018D3 . 0FB6C0 MOVZX EAX,AL
004018D6 . 0907 OR DWORD PTR DS:[EDI],EAX ; a2 complete: pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16|pass[15]<<12|pass[16]<<8|pass[22]<<4|pass[23]
004018D8 . 31C0 XOR EAX,EAX ; success: return 0
004018DA > 5F POP EDI
004018DB . 5E POP ESI
004018DC . 5B POP EBX
004018DD . C2 1000 RETN 10 ; stdcall: pops the 4 arguments
这个call验证了
pass[0] = 'M';
pass[1] = 'R';
pass[2] = 'E';
pass[3]+pass[12]+pass[19]+pass[24]=180;
pass[25] = '5';
pass[26] = '2';
pass[27] = '1';
不满足上面的条件,函数返回-1验证失败。
还计算了a2,a3,a4的值用于后面进一步的验证,
a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16|
pass[15]<<12|pass[16]<<8|pass[22]<<4|pass[23];
a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16|
pass[17]<<12|pass[18]<<8|pass[20]<<4|pass[21];
a4 = pass[10]<<4|pass[11];
a2是由pass的5,6,9,10,16,17,23,24位,组成的8位16进制数
a3是由pass的7,8,14,15,18,19,21,22位,组成的8位16进制数
a4是由pass的11,12位,组成的2位16进制数。
再看用a3,a4进一步验证的函数
; 00401110(name, a4, a3) -- reached through [ESI+C]; EBP frame with one local byte.
; Mixes a3 and a4 with the name's length and with the value returned by 00401000 (per the
; author, the sum of the name's characters; 00401000 is not shown). The page's listing is
; cut off at 004011EC, so the final combination and the return value are not visible here;
; the caller compares the result with the 00401000 value.
00401110 /. 55 PUSH EBP
00401111 |. 89E5 MOV EBP,ESP
00401113 |. 83EC 04 SUB ESP,4 ; local: [EBP-1] = name length (low byte)
00401116 |. 53 PUSH EBX
00401117 |. 56 PUSH ESI
00401118 |. 57 PUSH EDI
00401119 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; ECX = arg1: name
0040111C |. 8A5D 0C MOV BL,BYTE PTR SS:[EBP+C] ; BL = arg2: a4
0040111F |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10] ; arg3: a3
00401122 |. 89C6 MOV ESI,EAX ; ESI = a3
00401124 |. 85C9 TEST ECX,ECX ; NULL name -> 0040126A (not shown)
00401126 |. 0F84 3E010000 JE KeyGenMe.0040126A
0040112C |. 89CA MOV EDX,ECX
0040112E |. 83C8 FF OR EAX,FFFFFFFF ; EAX = -1
00401131 |> 40 /INC EAX ; strlen loop: EAX = index of the first NUL
00401132 |. 803C02 00 |CMP BYTE PTR DS:[EDX+EAX],0
00401136 |.^ 75 F9 \JNZ SHORT KeyGenMe.00401131
00401138 |. 8845 FF MOV BYTE PTR SS:[EBP-1],AL ; [EBP-1] = name length (only the low byte is kept)
0040113B |. 51 PUSH ECX ; arg = name
0040113C |. E8 BFFEFFFF CALL KeyGenMe.00401000 ; EAX = 00401000(name) (author: sum of the name's characters)
00401141 |. 0FB6D3 MOVZX EDX,BL ; EDX = a4, zero-extended
00401144 |. 89F1 MOV ECX,ESI ; --- begin: ECX = a3 with a4 XORed into each of its four bytes ---
00401146 |. 81E1 000000FF AND ECX,FF000000 ; a3 & 0xFF000000
0040114C |. 89D3 MOV EBX,EDX
0040114E |. C1E3 18 SHL EBX,18 ; a4 << 24
00401151 |. 31D9 XOR ECX,EBX
00401153 |. 89F3 MOV EBX,ESI
00401155 |. 81E3 0000FF00 AND EBX,0FF0000 ; a3 & 0x00FF0000
0040115B |. 89D7 MOV EDI,EDX ; the whole block computes
0040115D |. C1E7 10 SHL EDI,10 ; (a3 & 0xFF000000 ^ a4 << 24) | (a3 & 0xFF0000 ^ a4 << 16)
00401160 |. 31FB XOR EBX,EDI ; | (a3 & 0xFF00 ^ a4 << 8) | (a3 & 0xFF ^ a4)
00401162 |. 09D9 OR ECX,EBX
00401164 |. 89F3 MOV EBX,ESI
00401166 |. 81E3 00FF0000 AND EBX,0FF00 ; a3 & 0x0000FF00
0040116C |. 89D7 MOV EDI,EDX
0040116E |. C1E7 08 SHL EDI,8 ; a4 << 8
00401171 |. 31FB XOR EBX,EDI
00401173 |. 09D9 OR ECX,EBX
00401175 |. 81E6 FF000000 AND ESI,0FF ; a3 & 0xFF
0040117B |. 31D6 XOR ESI,EDX ; ^ a4
0040117D |. 09F1 OR ECX,ESI ; --- end ---
0040117F |. 0FB655 FF MOVZX EDX,BYTE PTR SS:[EBP-1]
00401183 |. 01D1 ADD ECX,EDX ; v7 = result above + name length
00401185 |. F7D0 NOT EAX
00401187 |. C1E0 09 SHL EAX,9 ; v8 = (~sum) << 9
0040118A |. 89CA MOV EDX,ECX ; --- begin: EDX = byte-swap of v7 ---
0040118C |. C1EA 18 SHR EDX,18 ; v7 >> 24
0040118F |. 89CB MOV EBX,ECX
00401191 |. C1EB 08 SHR EBX,8
00401194 |. 81E3 00FF0000 AND EBX,0FF00 ; (v7 >> 8) & 0xFF00
0040119A |. 09DA OR EDX,EBX ; bswap(v7) = (v7 >> 24) | (v7 >> 8) & 0xFF00 | (v7 << 8) & 0xFF0000 | (v7 << 24) & 0xFF000000
0040119C |. 89CB MOV EBX,ECX
0040119E |. C1E3 08 SHL EBX,8
004011A1 |. 81E3 0000FF00 AND EBX,0FF0000 ; (v7 << 8) & 0xFF0000
004011A7 |. 09DA OR EDX,EBX
004011A9 |. 89CB MOV EBX,ECX
004011AB |. C1E3 18 SHL EBX,18
004011AE |. 81E3 000000FF AND EBX,FF000000 ; (v7 << 24) & 0xFF000000
004011B4 |. 09DA OR EDX,EBX ; --- end ---
004011B6 |. 31C2 XOR EDX,EAX ; ^ v8
004011B8 |. C1EA 18 SHR EDX,18 ; EDX = (bswap(v7) ^ v8) >> 24
004011BB |. 89CB MOV EBX,ECX ; --- begin: EBX = the same byte-swap of v7, recomputed ---
004011BD |. C1EB 18 SHR EBX,18 ; v7 >> 24
004011C0 |. 89CE MOV ESI,ECX
004011C2 |. C1EE 08 SHR ESI,8
004011C5 |. 81E6 00FF0000 AND ESI,0FF00 ; (v7 >> 8) & 0xFF00
004011CB |. 09F3 OR EBX,ESI ; bswap(v7) = (v7 >> 24) | (v7 >> 8) & 0xFF00 | (v7 << 8) & 0xFF0000 | (v7 << 24) & 0xFF000000
004011CD |. 89CE MOV ESI,ECX
004011CF |. C1E6 08 SHL ESI,8
004011D2 |. 81E6 0000FF00 AND ESI,0FF0000 ; (v7 << 8) & 0xFF0000
004011D8 |. 09F3 OR EBX,ESI
004011DA |. 89CE MOV ESI,ECX
004011DC |. C1E6 18 SHL ESI,18
004011DF |. 81E6 000000FF AND ESI,FF000000 ; (v7 << 24) & 0xFF000000
004011E5 |. 09F3 OR EBX,ESI ; --- end ---
004011E7 |. 31C3 XOR EBX,EAX ; ^ v8
004011E9 |. C1EB 08 SHR EBX,8 ; >> 8
004011EC |. 81E3 00FF0000 AND EBX,0FF00 &n ; EBX = ((bswap(v7) ^ v8) >> 8) & 0xFF00 -- the listing is truncated here ("&n" is page residue, not part of the instruction)
软件名:Mre521 KeyGenMe#2
这是crackmes.de上的一个2j难度的程序,作者给出了包含源码的程序,得出name为crackmes.de的Serial(不要爆破哦),就可以得到源码。
不过我还是自己分析了一下算法,写出了注册机。
查找字符串很容易找到下面这段代码
00401C09 |. 59 POP ECX
00401C0A |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401C0D |. C700 00000000 MOV DWORD PTR DS:[EAX],0
00401C13 |. 68 A40F0000 PUSH 0FA4 ; /ControlID = FA4 (4004.)
00401C18 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401C1B |. 50 PUSH EAX ; |hWnd
00401C1C |. FF15 E09B4000 CALL DWORD PTR DS:[<&USER32.GetDlgItem>] ; \GetDlgItem
00401C22 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00401C25 |. 8902 MOV DWORD PTR DS:[EDX],EAX
00401C27 |. 68 A50F0000 PUSH 0FA5 ; /ControlID = FA5 (4005.)
00401C2C |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401C2F |. 50 PUSH EAX ; |hWnd
00401C30 |. FF15 E09B4000 CALL DWORD PTR DS:[<&USER32.GetDlgItem>] ; \GetDlgItem
00401C36 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00401C39 |. 8902 MOV DWORD PTR DS:[EDX],EAX
00401C3B |. 53 PUSH EBX ; /(初始CPU 选择)
00401C3C |. 68 00010000 PUSH 100 ; |wParam = 100
00401C41 |. 6A 0D PUSH 0D ; |Message = WM_GETTEXT
00401C43 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; |
00401C46 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
00401C48 |. 50 PUSH EAX ; |hWnd
00401C49 |. FF15 E49B4000 CALL DWORD PTR DS:[<&USER32.SendMessageA>] ; \SendMessageA
00401C4F |. 83F8 05 CMP EAX,5 ; name>5
00401C52 |. 7D 1B JGE SHORT KeyGenMe.00401C6F
00401C54 |. 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401C56 |. 68 27714000 PUSH KeyGenMe.00407127 ; |Error
00401C5B |. 68 2D714000 PUSH KeyGenMe.0040712D ; |Name must be at least 5 characters.
00401C60 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401C63 |. 50 PUSH EAX ; |hOwner
00401C64 |. FF15 DC9B4000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00401C6A |. E9 A1020000 JMP KeyGenMe.00401F10
00401C6F |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401C72 |. 50 PUSH EAX ; /lParam
00401C73 |. 6A 1D PUSH 1D ; |wParam = 1D
00401C75 |. 6A 0D PUSH 0D ; |Message = WM_GETTEXT
00401C77 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; |
00401C7A |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
00401C7C |. 50 PUSH EAX ; |hWnd
00401C7D |. FF15 E49B4000 CALL DWORD PTR DS:[<&USER32.SendMessageA>] ; \SendMessageA
00401C83 |. 83F8 1C CMP EAX,1C ; serial长度必须等于28
00401C86 |. 74 1C JE SHORT KeyGenMe.00401CA4
00401C88 |. 31F6 XOR ESI,ESI
00401C8A |. C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
00401C91 |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00401C98 |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
00401C9F |. E9 11010000 JMP KeyGenMe.00401DB5
00401CA4 |> 6A 1C PUSH 1C
00401CA6 |. E8 D5080000 CALL KeyGenMe.00402580
00401CAB |. 59 POP ECX
00401CAC |. 89C6 MOV ESI,EAX
00401CAE |. C706 00104000 MOV DWORD PTR DS:[ESI],KeyGenMe.00401000 ; 入口地址
00401CB4 |. C746 04 30104>MOV DWORD PTR DS:[ESI+4],KeyGenMe.00401030
00401CBB |. C746 08 80124>MOV DWORD PTR DS:[ESI+8],KeyGenMe.00401280
00401CC2 |. C746 0C 10114>MOV DWORD PTR DS:[ESI+C],KeyGenMe.00401110
00401CC9 |. C746 10 70134>MOV DWORD PTR DS:[ESI+10],KeyGenMe.00401370
00401CD0 |. C746 14 E0144>MOV DWORD PTR DS:[ESI+14],KeyGenMe.004014E0
00401CD7 |. C746 18 90164>MOV DWORD PTR DS:[ESI+18],KeyGenMe.00401690
00401CDE |. 56 PUSH ESI
00401CDF |. E8 FCFBFFFF CALL KeyGenMe.004018E0
00401CE4 |. 8845 E7 MOV BYTE PTR SS:[EBP-19],AL
00401CE7 |. 6A 04 PUSH 4
00401CE9 |. E8 92080000 CALL KeyGenMe.00402580
00401CEE |. 59 POP ECX
00401CEF |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00401CF2 |. C700 00000000 MOV DWORD PTR DS:[EAX],0
00401CF8 |. 6A 04 PUSH 4
00401CFA |. E8 81080000 CALL KeyGenMe.00402580
00401CFF |. 59 POP ECX
00401D00 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00401D03 |. C700 00000000 MOV DWORD PTR DS:[EAX],0
00401D09 |. 6A 01 PUSH 1
00401D0B |. E8 70080000 CALL KeyGenMe.00402580
00401D10 |. 59 POP ECX
00401D11 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00401D14 |. C600 00 MOV BYTE PTR DS:[EAX],0
00401D17 |. 0FB645 E7 MOVZX EAX,BYTE PTR SS:[EBP-19]
00401D1B |. 50 PUSH EAX
00401D1C |. 56 PUSH ESI
00401D1D |. E8 0EFCFFFF CALL KeyGenMe.00401930
00401D22 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; a4
00401D25 |. 50 PUSH EAX
00401D26 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; a3
00401D29 |. 50 PUSH EAX
00401D2A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; a2
00401D2D |. 50 PUSH EAX
00401D2E |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401D31 |. 50 PUSH EAX
00401D32 |. FF56 18 CALL DWORD PTR DS:[ESI+18] ; 对Serial进行初步判断00401690
00401D35 |. 83F8 FF CMP EAX,-1
00401D38 |. 74 7B JE SHORT KeyGenMe.00401DB5
00401D3A |. 56 PUSH ESI
00401D3B |. E8 A0FBFFFF CALL KeyGenMe.004018E0
00401D40 |. 0FB6C0 MOVZX EAX,AL
00401D43 |. 50 PUSH EAX
00401D44 |. 56 PUSH ESI
00401D45 |. E8 E6FBFFFF CALL KeyGenMe.00401930
00401D4A |. 53 PUSH EBX
00401D4B |. FF16 CALL DWORD PTR DS:[ESI]
00401D4D |. 89C7 MOV EDI,EAX
00401D4F |. 56 PUSH ESI
00401D50 |. E8 8BFBFFFF CALL KeyGenMe.004018E0
00401D55 |. 0FB6C0 MOVZX EAX,AL
00401D58 |. 50 PUSH EAX
00401D59 |. 56 PUSH ESI
00401D5A |. E8 D1FBFFFF CALL KeyGenMe.00401930
00401D5F |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; a3
00401D62 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401D64 |. 50 PUSH EAX
00401D65 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; a4
00401D68 |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00401D6B |. 50 PUSH EAX
00401D6C |. 53 PUSH EBX
00401D6D |. FF56 0C CALL DWORD PTR DS:[ESI+C] ; 用a3,a4 进一步判断,返回的值不是name之和,后面的验证将会失败00401100
00401D70 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00401D73 |. 56 PUSH ESI
00401D74 |. E8 67FBFFFF CALL KeyGenMe.004018E0
00401D79 |. 0FB6C0 MOVZX EAX,AL
00401D7C |. 50 PUSH EAX
00401D7D |. 56 PUSH ESI
00401D7E |. E8 ADFBFFFF CALL KeyGenMe.00401930
00401D83 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; a2
00401D86 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401D88 |. 50 PUSH EAX
00401D89 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; a4
00401D8C |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00401D8F |. 50 PUSH EAX
00401D90 |. 53 PUSH EBX
00401D91 |. FF56 10 CALL DWORD PTR DS:[ESI+10] ; 用a2,a4进一步判断,返回的值不是name之和,后面的验证将会失败 00401370
00401D94 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00401D97 |. 56 PUSH ESI
00401D98 |. E8 43FBFFFF CALL KeyGenMe.004018E0
00401D9D |. 0FB6C0 MOVZX EAX,AL
00401DA0 |. 50 PUSH EAX
00401DA1 |. 56 PUSH ESI
00401DA2 |. E8 89FBFFFF CALL KeyGenMe.00401930
00401DA7 |. 3B7D E0 CMP EDI,DWORD PTR SS:[EBP-20]
00401DAA |. 75 09 JNZ SHORT KeyGenMe.00401DB5 ; 不等于name之和,失败
00401DAC |. 3B7D DC CMP EDI,DWORD PTR SS:[EBP-24]
00401DAF |. 0F84 89000000 JE KeyGenMe.00401E3E ; 等于name之和,成功
00401DB5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401DB7 |. 68 27714000 PUSH KeyGenMe.00407127 ; |Error
00401DBC |. 68 17714000 PUSH KeyGenMe.00407117 ; |Invalid Serial.
00401DC1 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00401DC4 |. 50 PUSH EAX ; |hOwner
00401DC5 |. FF15 DC9B4000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
上面是程序的整体流程
下面仔细分析一下 对Serial进行初步判断 的这个call
00401690 . 53 PUSH EBX
00401691 . 56 PUSH ESI
00401692 . 57 PUSH EDI
00401693 . 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
00401697 . 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14]
0040169B . 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
0040169F . 89DA MOV EDX,EBX
004016A1 . 83C8 FF OR EAX,FFFFFFFF
004016A4 > 40 INC EAX
004016A5 . 803C02 00 CMP BYTE PTR DS:[EDX+EAX],0
004016A9 .^ 75 F9 JNZ SHORT KeyGenMe.004016A4
004016AB . BA DEC0ADDE MOV EDX,DEADC0DE
004016B0 . 29C2 SUB EDX,EAX
004016B2 . 81FA C2C0ADDE CMP EDX,DEADC0C2
004016B8 . 0F85 A9000000 JNZ KeyGenMe.00401767
004016BE . B8 EFBEADDE MOV EAX,DEADBEEF
004016C3 . 0FBE13 MOVSX EDX,BYTE PTR DS:[EBX] ; pass[0]=M
004016C6 . 29D0 SUB EAX,EDX
004016C8 . 3D A2BEADDE CMP EAX,DEADBEA2
004016CD . 0F85 94000000 JNZ KeyGenMe.00401767
004016D3 . B8 EFBEADDE MOV EAX,DEADBEEF
004016D8 . 0FBE53 01 MOVSX EDX,BYTE PTR DS:[EBX+1] ; pass[1]=R
004016DC . 29D0 SUB EAX,EDX
004016DE . 3D 9DBEADDE CMP EAX,DEADBE9D
004016E3 . 0F85 7E000000 JNZ KeyGenMe.00401767
004016E9 . B8 EFBEADDE MOV EAX,DEADBEEF
004016EE . 0FBE53 02 MOVSX EDX,BYTE PTR DS:[EBX+2] ; pass[3]=E
004016F2 . 29D0 SUB EAX,EDX
004016F4 . 3D AABEADDE CMP EAX,DEADBEAA
004016F9 . 75 6C JNZ SHORT KeyGenMe.00401767
004016FB . B8 0DF0ADDE MOV EAX,DEADF00D
00401700 . 0FBE53 03 MOVSX EDX,BYTE PTR DS:[EBX+3]
00401704 . 0FBE4B 0C MOVSX ECX,BYTE PTR DS:[EBX+C]
00401708 . 01CA ADD EDX,ECX
0040170A . 0FBE4B 13 MOVSX ECX,BYTE PTR DS:[EBX+13]
0040170E . 01CA ADD EDX,ECX
00401710 . 0FBE4B 18 MOVSX ECX,BYTE PTR DS:[EBX+18]
00401714 . 01CA ADD EDX,ECX
00401716 . 29D0 SUB EAX,EDX ; pass[3]+pass[12]+pass[19]+pass[24]=180
00401718 . 3D 59EFADDE CMP EAX,DEADEF59
0040171D . 75 48 JNZ SHORT KeyGenMe.00401767
0040171F . B8 EFBEADDE MOV EAX,DEADBEEF
00401724 . 0FBE53 19 MOVSX EDX,BYTE PTR DS:[EBX+19] ; pass[25]=5
00401728 . 29D0 SUB EAX,EDX
0040172A . 3D BABEADDE CMP EAX,DEADBEBA
0040172F . 75 36 JNZ SHORT KeyGenMe.00401767
00401731 . B8 EFBEADDE MOV EAX,DEADBEEF
00401736 . 0FBE53 1A MOVSX EDX,BYTE PTR DS:[EBX+1A] ; pass[26]=2
0040173A . 29D0 SUB EAX,EDX
0040173C . 3D BDBEADDE CMP EAX,DEADBEBD
00401741 . 75 24 JNZ SHORT KeyGenMe.00401767
00401743 . B8 EFBEADDE MOV EAX,DEADBEEF
00401748 . 0FBE53 1B MOVSX EDX,BYTE PTR DS:[EBX+1B] ; pass[27]=1
0040174C . 29D0 SUB EAX,EDX
0040174E . 3D BEBEADDE CMP EAX,DEADBEBE
00401753 . 75 12 JNZ SHORT KeyGenMe.00401767
00401755 . B8 EFBEADDE MOV EAX,DEADBEEF
0040175A . 0FBE53 1C MOVSX EDX,BYTE PTR DS:[EBX+1C] ; 第29位为0
0040175E . 29D0 SUB EAX,EDX
00401760 . 3D EFBEADDE CMP EAX,DEADBEEF
00401765 . 74 08 JE SHORT KeyGenMe.0040176F ; (初始CPU 选择)
00401767 > 83C8 FF OR EAX,FFFFFFFF
0040176A . E9 6B010000 JMP KeyGenMe.004018DA
0040176F > 0FB643 04 MOVZX EAX,BYTE PTR DS:[EBX+4]
00401773 . 50 PUSH EAX
00401774 . E8 E7FEFFFF CALL KeyGenMe.00401660
00401779 . 0FB6C0 MOVZX EAX,AL
0040177C . C1E0 1C SHL EAX,1C ; pass[4]<<28
0040177F . 0B07 OR EAX,DWORD PTR DS:[EDI]
00401781 . 8907 MOV DWORD PTR DS:[EDI],EAX
00401783 . 0FB643 05 MOVZX EAX,BYTE PTR DS:[EBX+5]
00401787 . 50 PUSH EAX
00401788 . E8 D3FEFFFF CALL KeyGenMe.00401660
0040178D . 0FB6C0 MOVZX EAX,AL
00401790 . C1E0 18 SHL EAX,18 ; pass[5]<<24
00401793 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; pass[4]<<28|pass[5]<<24
00401795 . 8907 MOV DWORD PTR DS:[EDI],EAX
00401797 . 0FB643 06 MOVZX EAX,BYTE PTR DS:[EBX+6]
0040179B . 50 PUSH EAX
0040179C . E8 BFFEFFFF CALL KeyGenMe.00401660
004017A1 . 0FB6C0 MOVZX EAX,AL
004017A4 . C1E0 1C SHL EAX,1C ; pass[6]<<28
004017A7 . 0B06 OR EAX,DWORD PTR DS:[ESI]
004017A9 . 8906 MOV DWORD PTR DS:[ESI],EAX
004017AB . 0FB643 07 MOVZX EAX,BYTE PTR DS:[EBX+7]
004017AF . 50 PUSH EAX
004017B0 . E8 ABFEFFFF CALL KeyGenMe.00401660
004017B5 . 0FB6C0 MOVZX EAX,AL
004017B8 . C1E0 18 SHL EAX,18 ; pass[7]<<24
004017BB . 0B06 OR EAX,DWORD PTR DS:[ESI] ; pass[6]<<28|pass[7]<<24
004017BD . 8906 MOV DWORD PTR DS:[ESI],EAX
004017BF . 0FB643 08 MOVZX EAX,BYTE PTR DS:[EBX+8]
004017C3 . 50 PUSH EAX
004017C4 . E8 97FEFFFF CALL KeyGenMe.00401660
004017C9 . 0FB6C0 MOVZX EAX,AL
004017CC . C1E0 14 SHL EAX,14 ; pass[8]<<20
004017CF . 0B07 OR EAX,DWORD PTR DS:[EDI] ; pass[4]<<28|pass[5]<<24|pass[8]<<20
004017D1 . 8907 MOV DWORD PTR DS:[EDI],EAX
004017D3 . 0FB643 09 MOVZX EAX,BYTE PTR DS:[EBX+9]
004017D7 . 50 PUSH EAX
004017D8 . E8 83FEFFFF CALL KeyGenMe.00401660
004017DD . 0FB6C0 MOVZX EAX,AL
004017E0 . C1E0 10 SHL EAX,10 ; pass[9]<<16
004017E3 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
004017E5 . 8907 MOV DWORD PTR DS:[EDI],EAX
004017E7 . 0FB643 0A MOVZX EAX,BYTE PTR DS:[EBX+A]
004017EB . 50 PUSH EAX
004017EC . E8 6FFEFFFF CALL KeyGenMe.00401660
004017F1 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
004017F5 . 0FB6C0 MOVZX EAX,AL
004017F8 . C1E0 04 SHL EAX,4 ; pass[10]<<4
004017FB . 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
004017FF . 0FB609 MOVZX ECX,BYTE PTR DS:[ECX]
00401802 . 09C8 OR EAX,ECX ; pass[10]<<4|pass[11]
00401804 . 8802 MOV BYTE PTR DS:[EDX],AL ; 放到a4里
00401806 . 0FB643 0B MOVZX EAX,BYTE PTR DS:[EBX+B]
0040180A . 50 PUSH EAX
0040180B . E8 50FEFFFF CALL KeyGenMe.00401660
00401810 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
00401814 . 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
00401818 . 0801 OR BYTE PTR DS:[ECX],AL
0040181A . 0FB643 0D MOVZX EAX,BYTE PTR DS:[EBX+D]
0040181E . 50 PUSH EAX
0040181F . E8 3CFEFFFF CALL KeyGenMe.00401660
00401824 . 0FB6C0 MOVZX EAX,AL
00401827 . C1E0 14 SHL EAX,14 ; pass[13]<<20
0040182A . 0B06 OR EAX,DWORD PTR DS:[ESI] ; pass[6]<<28|pass[7]<<24|pass[13]<<20
0040182C . 8906 MOV DWORD PTR DS:[ESI],EAX
0040182E . 0FB643 0E MOVZX EAX,BYTE PTR DS:[EBX+E]
00401832 . 50 PUSH EAX
00401833 . E8 28FEFFFF CALL KeyGenMe.00401660
00401838 . 0FB6C0 MOVZX EAX,AL
0040183B . C1E0 10 SHL EAX,10 ; pass[14]<<16
0040183E . 0B06 OR EAX,DWORD PTR DS:[ESI] ; pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
00401840 . 8906 MOV DWORD PTR DS:[ESI],EAX
00401842 . 0FB643 0F MOVZX EAX,BYTE PTR DS:[EBX+F]
00401846 . 50 PUSH EAX
00401847 . E8 14FEFFFF CALL KeyGenMe.00401660
0040184C . 0FB6C0 MOVZX EAX,AL
0040184F . C1E0 0C SHL EAX,0C ; pass[15]<<12
00401852 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
00401854 . 8907 MOV DWORD PTR DS:[EDI],EAX ; |pass[15]<<12
00401856 . 0FB643 10 MOVZX EAX,BYTE PTR DS:[EBX+10]
0040185A . 50 PUSH EAX
0040185B . E8 00FEFFFF CALL KeyGenMe.00401660
00401860 . 0FB6C0 MOVZX EAX,AL
00401863 . C1E0 08 SHL EAX,8 ; pass[16]<<8
00401866 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
00401868 . 8907 MOV DWORD PTR DS:[EDI],EAX ; |pass[15]<<12|pass[16]<<8
0040186A . 0FB643 11 MOVZX EAX,BYTE PTR DS:[EBX+11]
0040186E . 50 PUSH EAX
0040186F . E8 ECFDFFFF CALL KeyGenMe.00401660
00401874 . 0FB6C0 MOVZX EAX,AL
00401877 . C1E0 0C SHL EAX,0C ; pass[17]<<12
0040187A . 0B06 OR EAX,DWORD PTR DS:[ESI] ; pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
0040187C . 8906 MOV DWORD PTR DS:[ESI],EAX ; |pass[17]<<12
0040187E . 0FB643 12 MOVZX EAX,BYTE PTR DS:[EBX+12]
00401882 . 50 PUSH EAX
00401883 . E8 D8FDFFFF CALL KeyGenMe.00401660
00401888 . 0FB6C0 MOVZX EAX,AL
0040188B . C1E0 08 SHL EAX,8 ; pass[18]<<8
0040188E . 0B06 OR EAX,DWORD PTR DS:[ESI] ; pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
00401890 . 8906 MOV DWORD PTR DS:[ESI],EAX ; |pass[17]<<12|pass[18]<<8
00401892 . 0FB643 14 MOVZX EAX,BYTE PTR DS:[EBX+14]
00401896 . 50 PUSH EAX
00401897 . E8 C4FDFFFF CALL KeyGenMe.00401660
0040189C . 0FB6C0 MOVZX EAX,AL
0040189F . C1E0 04 SHL EAX,4 ; pass[20]<<4
004018A2 . 0B06 OR EAX,DWORD PTR DS:[ESI] ; pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
004018A4 . 8906 MOV DWORD PTR DS:[ESI],EAX ; |pass[17]<<12|pass[18]<<8|pass[20]<<4 放到a3里
004018A6 . 0FB643 15 MOVZX EAX,BYTE PTR DS:[EBX+15]
004018AA . 50 PUSH EAX
004018AB . E8 B0FDFFFF CALL KeyGenMe.00401660
004018B0 . 0FB6C0 MOVZX EAX,AL
004018B3 . 0906 OR DWORD PTR DS:[ESI],EAX ; pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16
004018B5 . 0FB643 16 MOVZX EAX,BYTE PTR DS:[EBX+16] ; |pass[17]<<12|pass[18]<<8|pass[20]<<4|pass[21]
004018B9 . 50 PUSH EAX
004018BA . E8 A1FDFFFF CALL KeyGenMe.00401660
004018BF . 0FB6C0 MOVZX EAX,AL
004018C2 . C1E0 04 SHL EAX,4 ; pass[22]<<4
004018C5 . 0B07 OR EAX,DWORD PTR DS:[EDI] ; pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
004018C7 . 8907 MOV DWORD PTR DS:[EDI],EAX ; |pass[15]<<12|pass[16]<<8|pass[22]<<4 放到a2里
004018C9 . 0FB643 17 MOVZX EAX,BYTE PTR DS:[EBX+17]
004018CD . 50 PUSH EAX
004018CE . E8 8DFDFFFF CALL KeyGenMe.00401660
004018D3 . 0FB6C0 MOVZX EAX,AL
004018D6 . 0907 OR DWORD PTR DS:[EDI],EAX ; pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16
004018D8 . 31C0 XOR EAX,EAX ; |pass[15]<<12|pass[16]<<8|pass[22]<<4|pass[23]
004018DA > 5F POP EDI
004018DB . 5E POP ESI
004018DC . 5B POP EBX
004018DD . C2 1000 RETN 10
这个call验证了
pass[0] = 'M';
pass[1] = 'R';
pass[2] = 'E';
pass[3]+pass[12]+pass[19]+pass[24]=180;
pass[25] = '5';
pass[26] = '2';
pass[27] = '1';
不满足上面的条件,函数返回-1验证失败。
还计算了a2,a3,a4的值用于后面进一步的验证,
a2 = pass[4]<<28|pass[5]<<24|pass[8]<<20|pass[9]<<16|
pass[15]<<12|pass[16]<<8|pass[22]<<4|pass[23];
a3 = pass[6]<<28|pass[7]<<24|pass[13]<<20|pass[14]<<16|
pass[17]<<12|pass[18]<<8|pass[20]<<4|pass[21];
a4 = pass[10]<<4|pass[11];
a2是由pass的5,6,9,10,16,17,23,24位,组成的8位16进制数
a3是由pass的7,8,14,15,18,19,21,22位,组成的8位16进制数
a4是由pass的11,12位,组成的2位16进制数。
再看用a3,a4进一步验证的函数
00401110 /. 55 PUSH EBP
00401111 |. 89E5 MOV EBP,ESP
00401113 |. 83EC 04 SUB ESP,4
00401116 |. 53 PUSH EBX
00401117 |. 56 PUSH ESI
00401118 |. 57 PUSH EDI
00401119 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0040111C |. 8A5D 0C MOV BL,BYTE PTR SS:[EBP+C]
0040111F |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00401122 |. 89C6 MOV ESI,EAX
00401124 |. 85C9 TEST ECX,ECX
00401126 |. 0F84 3E010000 JE KeyGenMe.0040126A
0040112C |. 89CA MOV EDX,ECX
0040112E |. 83C8 FF OR EAX,FFFFFFFF
00401131 |> 40 /INC EAX
00401132 |. 803C02 00 |CMP BYTE PTR DS:[EDX+EAX],0
00401136 |.^ 75 F9 \JNZ SHORT KeyGenMe.00401131
00401138 |. 8845 FF MOV BYTE PTR SS:[EBP-1],AL ; name的长度
0040113B |. 51 PUSH ECX
0040113C |. E8 BFFEFFFF CALL KeyGenMe.00401000 ; 计算name的字符之和
00401141 |. 0FB6D3 MOVZX EDX,BL
00401144 |. 89F1 MOV ECX,ESI ; -----------
00401146 |. 81E1 000000FF AND ECX,FF000000
0040114C |. 89D3 MOV EBX,EDX
0040114E |. C1E3 18 SHL EBX,18
00401151 |. 31D9 XOR ECX,EBX
00401153 |. 89F3 MOV EBX,ESI
00401155 |. 81E3 0000FF00 AND EBX,0FF0000
0040115B |. 89D7 MOV EDI,EDX ; 这段进行的运算是
0040115D |. C1E7 10 SHL EDI,10 ; a3 & 0xFF000000 ^ (a4 << 24) | a3 & 0xFF0000 ^ (a4 << 16)
00401160 |. 31FB XOR EBX,EDI ; | a3 & 0xFF00 ^ (a4 << 8) | a4 ^ a3
00401162 |. 09D9 OR ECX,EBX
00401164 |. 89F3 MOV EBX,ESI
00401166 |. 81E3 00FF0000 AND EBX,0FF00
0040116C |. 89D7 MOV EDI,EDX
0040116E |. C1E7 08 SHL EDI,8
00401171 |. 31FB XOR EBX,EDI
00401173 |. 09D9 OR ECX,EBX
00401175 |. 81E6 FF000000 AND ESI,0FF
0040117B |. 31D6 XOR ESI,EDX
0040117D |. 09F1 OR ECX,ESI ; ----------
0040117F |. 0FB655 FF MOVZX EDX,BYTE PTR SS:[EBP-1]
00401183 |. 01D1 ADD ECX,EDX ; 上面的结果+name的长度v7
00401185 |. F7D0 NOT EAX
00401187 |. C1E0 09 SHL EAX,9 ; name之和取反,左移9位v8
0040118A |. 89CA MOV EDX,ECX ; ---------
0040118C |. C1EA 18 SHR EDX,18
0040118F |. 89CB MOV EBX,ECX
00401191 |. C1EB 08 SHR EBX,8
00401194 |. 81E3 00FF0000 AND EBX,0FF00
0040119A |. 09DA OR EDX,EBX ; (v7 << 24) & 0xFF000000|(v7 << 8) & 0xFF0000|(v7 >> 8)&0xFF00| (v7 >> 24)
0040119C |. 89CB MOV EBX,ECX
0040119E |. C1E3 08 SHL EBX,8
004011A1 |. 81E3 0000FF00 AND EBX,0FF0000
004011A7 |. 09DA OR EDX,EBX
004011A9 |. 89CB MOV EBX,ECX
004011AB |. C1E3 18 SHL EBX,18
004011AE |. 81E3 000000FF AND EBX,FF000000
004011B4 |. 09DA OR EDX,EBX ; ---------
004011B6 |. 31C2 XOR EDX,EAX ; 与v8异或
004011B8 |. C1EA 18 SHR EDX,18 ; >>24
004011BB |. 89CB MOV EBX,ECX ; ---------
004011BD |. C1EB 18 SHR EBX,18
004011C0 |. 89CE MOV ESI,ECX
004011C2 |. C1EE 08 SHR ESI,8
004011C5 |. 81E6 00FF0000 AND ESI,0FF00
004011CB |. 09F3 OR EBX,ESI ; (v7 << 24) & 0xFF000000|(v7 << 8) & 0xFF0000|(v7 >> 8)&0xFF00| (v7 >> 24)
004011CD |. 89CE MOV ESI,ECX
004011CF |. C1E6 08 SHL ESI,8
004011D2 |. 81E6 0000FF00 AND ESI,0FF0000
004011D8 |. 09F3 OR EBX,ESI
004011DA |. 89CE MOV ESI,ECX
004011DC |. C1E6 18 SHL ESI,18
004011DF |. 81E6 000000FF AND ESI,FF000000
004011E5 |. 09F3 OR EBX,ESI ; --------
004011E7 |. 31C3 XOR EBX,EAX ; 与v8异或
004011E9 |. C1EB 08 SHR EBX,8 ; >>8
004011EC |. 81E3 00FF0000 AND EBX,0FF00 &n