Author: Anonymous   Editor: 左决   Updated: 2008-2-17 0:12:13
Here is a snippet of code captured by 冰毒大侠. I worked through it: if we assume it is the length of our input that is compared at :0041337F DC1D98104000 fcomp qword ptr [00401098], no integer length satisfies the comparison; the result comes out to 102.5, and entering either 102 or 103 digits fails. Could this CrackMe have no serial at all? Well, let's analyse the code carefully.

Segment 1:
* Reference To: MSVBVM50.__vbaLenBstr, Ord:0000h
:0041333E E8A1DEFEFF   Call 004011E4
:00413343 69C04D010000 imul eax, 0000014D                  <- string length times 333
:00413349 898560FFFFFF mov dword ptr [ebp+FFFFFF60], eax   <- use WF here to open the floating-point register window; TRW2000 does not seem to support it
:0041334F DB8560FFFFFF fild dword ptr [ebp+FFFFFF60]       <- load the result into the FPU
:00413355 DC3560104000 fdiv qword ptr [00401060]           <- divide by the value at 401060 (inspect it with dl); here it is 8
:0041335B DC3568104000 fdiv qword ptr [00401068]           <- divide by 60
:00413361 DC2570104000 fsub qword ptr [00401070]           <- add 2 (actually subtracting -2)
:00413367 DC2578104000 fsub qword ptr [00401078]           <- subtract 0.375
:0041336D DC2590104000 fsub qword ptr [00401090]           <- subtract 0.8375
:00413373 DD1D4C404100 fstp qword ptr [0041404C]           <- store the result at 41404C
:00413379 DD0544404100 fld qword ptr [00414044]
:0041337F DC1D98104000 fcomp qword ptr [00401098]          <- [00401098] holds 72

At the fcomp, 72 is not compared with the value we just computed into [0041404C], so that whole computation was wasted. It is compared with [00414044], loaded on the line just above; if you do e 00414044 72 at this point, registration succeeds. [00414044] is not computed by the code above: by the time you reach :00413343 it already holds its final value. So we have to find where [00414044] is computed. Scroll up and you will find the following code:
Segment 2:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041326F(C)
:004132E2 DD45E0       fld qword ptr [ebp-20]              <- S, handed over from segment 3, is loaded into the FPU
:004132E5 DC3558104000 fdiv qword ptr [00401058]
:004132EB FF75E8       push [ebp-18]
:004132EE DD5DE0       fstp qword ptr [ebp-20]             <- the value stored here is the same one read back at point (1) below

If you watch the register you will see that S has lost its trailing zero, which is what [ebp-18] above then reflects; in other words, this point computes S/10.

* Reference To: MSVBVM50.__vbaLenBstr, Ord:0000h
:004132F1 E8EEDEFEFF   Call 004011E4
:004132F6 69C09A020000 imul eax, 0000029A
:004132FC 898564FFFFFF mov dword ptr [ebp+FFFFFF64], eax
:00413302 FF75E8       push [ebp-18]
:00413305 DB8564FFFFFF fild dword ptr [ebp+FFFFFF64]
:0041330B DC3560104000 fdiv qword ptr [00401060]
:00413311 DC3568104000 fdiv qword ptr [00401068]
:00413317 DC2570104000 fsub qword ptr [00401070]
:0041331D DC2578104000 fsub qword ptr [00401078]
:00413323 DD1D3C404100 fstp qword ptr [0041403C]
:00413329 DD45E0       fld qword ptr [ebp-20]              <- load [ebp-20] for the computation      <- (1)
:0041332C DC3580104000 fdiv qword ptr [00401080]           <- divide by the constant at [00401080]: 6780496716
:00413332 DC0D88104000 fmul qword ptr [00401088]           <- multiply by the constant at [00401088]: 3
:00413338 DD1D44404100 fstp qword ptr [00414044]           <- store the result in [00414044]!!!!

After trying a few different inputs, only the value of [ebp-20] depends on the serial we enter, so we turn our attention to where [ebp-20] is changed.
Segment 3:

Scroll up in W32Dasm 8.9 and you will see the core of the serial computation below:
:0041326B 663B7580       cmp si, word ptr [ebp-80]         <- si is the character index, [ebp-80] is the number of characters n in your serial
:0041326F 7F71           jg 004132E2                       <- loops once per character and jumps out when done; if [ebp-20] = 1627319211840 at that point, registration succeeds
:00413271 8D45E8         lea eax, dword ptr [ebp-18]

* Possible Reference to String Resource ID=00001: "Thank you for registering"
:00413274 C745CC01000000 mov [ebp-34], 00000001
:0041327B 8945AC         mov dword ptr [ebp-54], eax
:0041327E 8D45C4         lea eax, dword ptr [ebp-3C]
:00413281 50             push eax
:00413282 897DC4         mov dword ptr [ebp-3C], edi
:00413285 0FBFC6         movsx eax, si
:00413288 50             push eax
:00413289 8D45A4         lea eax, dword ptr [ebp-5C]
:0041328C 50             push eax
:0041328D 8D45B4         lea eax, dword ptr [ebp-4C]
:00413290 50             push eax
:00413291 C745A408400000 mov [ebp-5C], 00004008

* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
:00413298 E835DFFEFF     Call 004011D2
:0041329D 8D45B4         lea eax, dword ptr [ebp-4C]
:004132A0 50             push eax
:004132A1 8D45D8         lea eax, dword ptr [ebp-28]
:004132A4 50             push eax

* Reference To: MSVBVM50.__vbaStrVarVal, Ord:0000h
:004132A5 E82EDFFEFF     Call 004011D8
:004132AA 50             push eax

* Reference To: MSVBVM50.rtcAnsiValueBstr, Ord:0204h
:004132AB E82EDFFEFF     Call 004011DE
:004132B0 0FBFC0         movsx eax, ax                     <- the loop takes the characters of your serial one at a time
:004132B3 898568FFFFFF   mov dword ptr [ebp+FFFFFF68], eax
:004132B9 8D4DD8         lea ecx, dword ptr [ebp-28]
:004132BC DB8568FFFFFF   fild dword ptr [ebp+FFFFFF68]     <- load the value of each character in turn
:004132C2 DC4DE0         fmul qword ptr [ebp-20]           <- [ebp-20] starts at the constant 2 and is multiplied by the decimal ASCII code of the n-th character
:004132C5 DD5DE0         fstp qword ptr [ebp-20]

* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
:004132C8 E8FFDEFEFF     Call 004011CC
:004132CD 8D45B4         lea eax, dword ptr [ebp-4C]
:004132D0 50             push eax
:004132D1 8D45C4         lea eax, dword ptr [ebp-3C]
:004132D4 50             push eax
:004132D5 57             push edi

* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
:004132D6 E8EBDEFEFF     Call 004011C6
:004132DB 83C40C         add esp, 0000000C
:004132DE 03F3           add esi, ebx
:004132E0 EB89           jmp 0041326B
Suppose our serial has 4 characters, a1 a2 a3 a4. The loop above then computes 2 * a1 * a2 * a3 * a4 = S, where a1, a2, ... are the decimal ASCII codes. When the loop finishes, :0041326F jg 004132E2 jumps out with S in [ebp-20], and execution continues at :004132E2.

In segment 2, at 00413329, the computation is: [(S/10) / 6780496716] * 3 = 72

Solving for S gives S = 72 * 6780496716 * 10 / 3 = 1627319211840.

*************************************************************************
a1 * a2 * a3 * a4 * ... * a(n) = S/2 = 813659605920, where a1, a2, ... are the decimal ASCII codes.
This is the program's serial formula.
*************************************************************************

For example, if the serial were 1234, the product would be 49 * 50 * 51 * 52; as soon as such a product equals S/2 the program registers successfully.
Reversing this to get a serial really isn't easy; I tried and couldn't work one out. (The serial is not limited to digits; any printable ASCII character will do.)
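As an added example (this is not code from the original article or from the CrackMe), the following Python replays the check reconstructed above on doubles, exactly as the FPU sequence does, and then inverts the formula by factoring S/2 = 813659605920 into ASCII codes in the printable range. The constants are the ones read from the disassembly above; the function names, the printable range 33..126 and the depth-first search are my own choices.

```python
"""Emulate the CrackMe serial check reconstructed above and invert it.
Added example, not code from the original page; the constants come from the
quoted disassembly, the function names and search strategy are assumptions."""
from functools import lru_cache

# Constants from the disassembly (segments 2 and 3)
INITIAL = 2.0          # starting value of [ebp-20] before the loop at :0041326B
DIV_A = 10.0           # [00401058], fdiv at :004132E5
DIV_B = 6780496716.0   # [00401080], fdiv at :0041332C
MUL_C = 3.0            # [00401088], fmul at :00413332
EXPECTED = 72.0        # [00401098], fcomp at :0041337F

TARGET_PRODUCT = 813659605920   # S/2 from the article: product of the ASCII codes


def check(serial: str) -> bool:
    """Replay the FPU sequence on doubles, the way the program evaluates it."""
    acc = INITIAL
    for ch in serial:            # fild / fmul [ebp-20] / fstp [ebp-20] per character
        acc *= ord(ch)           # rtcAnsiValueBstr -> ASCII code of the character
    acc /= DIV_A                 # :004132E5   S / 10
    acc = acc / DIV_B * MUL_C    # :0041332C / :00413332
    return acc == EXPECTED       # fcomp against 72 at :0041337F


def product(serial: str) -> int:
    """Integer product of the ASCII codes (the a1*a2*...*a(n) of the article)."""
    p = 1
    for ch in serial:
        p *= ord(ch)
    return p


def keygen(target: int = TARGET_PRODUCT, lo: int = 33, hi: int = 126):
    """Split target into factors within [lo, hi] (printable ASCII by default)
    using a depth-first search over divisors.  Returns a serial string, or None
    when no split exists, e.g. when target has a prime factor larger than hi."""

    @lru_cache(maxsize=None)
    def solve(rem: int):
        if rem == 1:
            return ""
        for code in range(hi, lo - 1, -1):   # large codes first -> short serial
            if rem % code == 0:
                tail = solve(rem // code)
                if tail is not None:
                    return chr(code) + tail
        return None

    return solve(target)


if __name__ == "__main__":
    serial = keygen()
    print("serial:", serial)
    print("product == S/2:", product(serial) == TARGET_PRODUCT)
    print("check passes:", check(serial))
    print("reversed serial passes:", check(serial[::-1]))  # order does not matter
```

Two points worth noting. The comparison at :0041337F is an exact equality on a double, but every intermediate value here (the running product, S/10, the quotient 24, and 72) is an integer below 2^53, so the double arithmetic is exact and any permutation of the characters found passes. The search also shows why a digits-only serial is hard to find by hand: S/2 contains the prime factors 17, 37 and 97, and 17 in particular has to be paired with another factor to land inside the printable range.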