2003-12-12, 02:42 AM | #1 |
榮譽會員
|
算法分析 -- 某某某析__1.21
=======================================================================================
Yy[CCG] => 算法分析 => 國貨:某某某析 註冊形式:機器碼/註冊碼 限制:頻繁跳出註冊視窗要價一百大元 難度點評:初級(雜亂無章到處亂CALL) ======================================================================================= 旁白:略 ======================================================================================= :004E6494 8D45E8 lea eax, dword ptr [ebp-18] :004E6497 50 push eax :004E6498 6A00 push 00000000 :004E649A 68E7000000 push 000000E7 <= 計算常量 :004E649F 6A00 push 00000000 :004E64A1 68AC000000 push 000000AC <= 計算常量 :004E64A6 8D45E0 lea eax, dword ptr [ebp-20] :004E64A9 E816FFFFFF call 004E63C4 :004E64AE 8B45E0 mov eax, dword ptr [ebp-20] :004E64B1 E8FA30F2FF call 004095B0 <= 機器碼變換==算法1 :004E64B6 E825F6F1FF call 00405AE0 <= 機器碼變換==算法1 :004E64BB E8FCF5F1FF call 00405ABC <= 機器碼變換==算法1 :004E64C0 52 push edx :004E64C1 50 push eax :004E64C2 8D45E4 lea eax, dword ptr [ebp-1C] :004E64C5 E85E30F2FF call 00409528 <= 算法2 :004E64CA 8B45E4 mov eax, dword ptr [ebp-1C] :004E64CD B902000000 mov ecx, 00000002 :004E64D2 8BD3 mov edx, ebx :004E64D4 E8B7E9F1FF call 00404E90 <= 算法2 :004E64D9 8B45E8 mov eax, dword ptr [ebp-18] :004E64DC E87B30F2FF call 0040955C :004E64E1 83F83E cmp eax, 0000003E <= 密碼字串長度 :004E64E4 7F6D jg 004E6553 <= 大於就跳走 :004E64E6 8D45DC lea eax, dword ptr [ebp-24] :004E64E9 50 push eax :004E64EA 8D45D8 lea eax, dword ptr [ebp-28] :004E64ED 50 push eax :004E64EE 6A00 push 00000000 :004E64F0 68E7000000 push 000000E7 <= 計算常量 :004E64F5 6A00 push 00000000 :004E64F7 68AC000000 push 000000AC <= 計算常量 :004E64FC 8D45D0 lea eax, dword ptr [ebp-30] :004E64FF E8C0FEFFFF call 004E63C4 :004E6504 8B45D0 mov eax, dword ptr [ebp-30] :004E6507 E8A430F2FF call 004095B0 :004E650C E8CFF5F1FF call 00405AE0 :004E6511 E8A6F5F1FF call 00405ABC :004E6516 52 push edx :004E6517 50 push eax :004E6518 8D45D4 lea eax, dword ptr [ebp-2C] :004E651B E80830F2FF call 00409528 :004E6520 8B45D4 mov eax, dword ptr [ebp-2C] :004E6523 B902000000 mov ecx, 00000002 :004E6528 8BD3 mov edx, ebx :004E652A E861E9F1FF call 00404E90 :004E652F 8B45D8 mov eax, dword 
ptr [ebp-28] :004E6532 E82530F2FF call 0040955C <= 算法3 :004E6537 8BD0 mov edx, eax :004E6539 B901000000 mov ecx, 00000001 :004E653E 8B45F8 mov eax, dword ptr [ebp-08] :004E6541 E84AE9F1FF call 00404E90 <= 算法3 :004E6546 8B55DC mov edx, dword ptr [ebp-24] :004E6549 8D45F4 lea eax, dword ptr [ebp-0C] :004E654C E8EFE6F1FF call 00404C40 <= 算法3 :004E6551 EB7E jmp 004E65D1 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004E64E4(C) | :004E6553 8D45CC lea eax, dword ptr [ebp-34] :004E6556 50 push eax :004E6557 8D45C4 lea eax, dword ptr [ebp-3C] :004E655A 50 push eax :004E655B 6A00 push 00000000 :004E655D 68E7000000 push 000000E7 :004E6562 6A00 push 00000000 :004E6564 68AC000000 push 000000AC :004E6569 8D45BC lea eax, dword ptr [ebp-44] :004E656C E853FEFFFF call 004E63C4 :004E6571 8B45BC mov eax, dword ptr [ebp-44] :004E6574 E83730F2FF call 004095B0 <= 機器碼變換==算法1 :004E6579 E862F5F1FF call 00405AE0 <= 機器碼變換==算法1 :004E657E E839F5F1FF call 00405ABC <= 機器碼變換==算法1 :004E6583 52 push edx :004E6584 50 push eax :004E6585 8D45C0 lea eax, dword ptr [ebp-40] :004E6588 E89B2FF2FF call 00409528 <= 算法2 :004E658D 8B45C0 mov eax, dword ptr [ebp-40] :004E6590 B902000000 mov ecx, 00000002 :004E6595 8BD3 mov edx, ebx :004E6597 E8F4E8F1FF call 00404E90 :004E659C 8B45C4 mov eax, dword ptr [ebp-3C] :004E659F E8B82FF2FF call 0040955C :004E65A4 83E83E sub eax, 0000003E <= 減去密碼字串長度 :004E65A7 8D55C8 lea edx, dword ptr [ebp-38] :004E65AA E8492FF2FF call 004094F8 :004E65AF 8B45C8 mov eax, dword ptr [ebp-38] :004E65B2 E8A52FF2FF call 0040955C :004E65B7 8BD0 mov edx, eax :004E65B9 B901000000 mov ecx, 00000001 :004E65BE 8B45F8 mov eax, dword ptr [ebp-08] :004E65C1 E8CAE8F1FF call 00404E90 :004E65C6 8B55CC mov edx, dword ptr [ebp-34] :004E65C9 8D45F4 lea eax, dword ptr [ebp-0C] :004E65CC E86FE6F1FF call 00404C40 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004E6551(U) | :004E65D1 43 inc ebx :004E65D2 4E dec esi :004E65D3 0F85BBFEFFFF jne 004E6494 * Referenced 
by a (U)nconditional or (C)onditional Jump at Address: |:004E6489(C) | :004E65D9 8D55B8 lea edx, dword ptr [ebp-48] :004E65DC 8B45FC mov eax, dword ptr [ebp-04] :004E65DF 8B80F4020000 mov eax, dword ptr [eax+000002F4] :004E65E5 E8462BF6FF call 00449130 :004E65EA 8B45B8 mov eax, dword ptr [ebp-48] :004E65ED 8B55F4 mov edx, dword ptr [ebp-0C] <== 註冊碼(記憶體註冊機) :004E65F0 E887E7F1FF call 00404D7C :004E65F5 7542 jne 004E6639 <== 跳走就失敗 ======================================================================================= 算法分析: 1:機器碼 s[]="255920796" 取機器碼長度作為循環數 循環轉換字串串值為長整形值 for(i=1;i<strlen(s);i++) if(i==1) {k=s[i-1]-'0';k*=0xA;k+=s[i]-'0';kk=k;} else {kk*=0xA;kk+=s[i]-'0';} kk/=0xAC; <= 0xf410a9c kk*=0xE7; <= 0x147c8f3 2:循環計算並轉換長整形值(0x147c8f3)為字串串值 s1[]="343707441" for(i=strlen(s)-1;i>=0;i--) {j=kk%0xA;s1[i]='0'+j;kk/=0xA;} s1[strlen(s)]='\0'; 3:循環取值查密碼字串得到註冊碼 "loveyoupasymtlyju6r8y3w4xcwqam5mnbvcdxmokjhg7f821q8w9eiudhuiop" <--62 (0x3E) b--34 h--43 d--37 p--08 <= 0x46-0x3E u--07 m--12 <= 0x4A-0x3E g--44 k--41 l--01 <= 以密碼字串第一位 'l' 補位 註冊碼 <= bhdpumgkl ======================================================================================= 註冊機: #include <stdio.h> #include <string.h> void jm(char *p,int k) { char sm[]="&loveyoupasymtlyju6r8y3w4xcwqam5mnbvcdxmokjhg7f821q8w9eiudhuiop"; *p=sm[k]; } main() { long i,j,k,l; long kk=0; char s[18],s1[18],s2[18],*p; printf("input--機器碼:\n"); gets(s); for(i=1;i<strlen(s);i++) if(i==1) {k=s[i-1]-'0';k*=0xA;k+=s[i]-'0';kk=k;} else {kk*=0xA;kk+=s[i]-'0';} kk/=0xAC; kk*=0xE7; for(i=strlen(s)-1;i>=0;i--) {j=kk%0xA;s1[i]='0'+j;kk/=0xA;} s1[strlen(s)]='\0'; for(l=0,i=1;i<strlen(s1);i++) { j=s1[i-1]-'0';j*=10;k=j+(s1[i]-'0'); if(k<=0x3E) {jm(p,k);s2[l++]=*p;} else {k-=0x3E;jm(p,k);s2[l++]=*p;} if(i==strlen(s1)-1) {jm(p,1);s2[l++]=*p;} } s2[l]='\0'; printf("註冊碼:%s\n",s2); } ======================================================================================= -------------------- Yy -------------------- China Cracking Group 
-------------------- |