diablo2oo2's Crackme 01 序號算法
2007-08-16 09:42:14 / 个人分类:CRACKER
Step by Step
1. PEiD: check whether the target is packed or protected — nothing detected, so it can be loaded straight into the debugger.
2. OllyDbg: search the referenced strings (e.g. "Wrong Code!Try Again!") and follow the reference back to the check routine that starts at 00401248.
3. 這個 CrackMe 的重點在於找出它的註冊碼算法：由 Name 的前 5 個字元推導出 10 個字元的序號（推導過程見下方的逐行註解）。
; ===================================================================
; diablo2oo2 Crackme 01 - name/serial check.  This is a fragment of what
; appears to be the window procedure (four stack args, RETN 10, and a
; DefWindowProcA fall-through at 004013BB); the prologue and the message
; dispatch that reach 00401248 are above this listing and not shown.
;
; Buffers (all global, absolute addresses):
;   0x40318C  Name   <- GetDlgItemTextA(hWnd, 2, ..., cchMax = 0x28)
;   0x4031B4  Serial <- GetDlgItemTextA(hWnd, 4, ..., cchMax = 0x28)
;   0x40313C  key[0..9] + NUL, derived from Name[0..4] only
; Both copies are bounded by cchMax = 0x28, which equals the distance
; 0x4031B4 - 0x40318C, so neither edit control can write past its buffer.
;
; Keygen recovered from the code below (8-bit arithmetic throughout; every
; range check is a SIGNED byte compare, JL/JG):
;   for i in 0..4, k = 5 - i:
;     a = (Name[i] ^ 0x29) + k        ; a not in 'A'..'Z' -> a = 0x52 + k
;     b = (Name[i] ^ 0x27) + k + 1    ; b not in 'A'..'Z' -> b = 0x4D + k
;     key[i] = a ; key[5 + i] = b     ; both fixups land inside 'A'..'Z'
;   for i in 0..9:
;     d = key[i] + 5 ; if d > 'Z': d -= 0x0D ; d ^= 0x0C
;     if d < 'A': d = 0x4B + i  elif d > 'Z': d = 0x4B - i
;     Serial[i] = d
; Serial must be exactly 10 characters.  Name bytes 5..31 never influence
; the result.  A Name byte >= 0x80 (non-ASCII) is negative under the signed
; compare and therefore always takes the "< 'A'" replacement branch.
; ===================================================================
; --- read Name (control 2) and validate its length ---
00401248 |. 6A 28 PUSH 28 ; /Count = 28 (40.)  cchMax, including the NUL
0040124A |. 68 8C314000 PUSH d2k2_cra.0040318C ; |Buffer = d2k2_cra.0040318C  (Name)
0040124F |. 6A 02 PUSH 2 ; |ControlID = 2  (Name edit box)
00401251 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401254 |. E8 8F010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA -> EAX = chars copied
00401259 |. 84C0 TEST AL,AL ; only the low byte of the length is tested (cchMax = 40 keeps it < 256)
0040125B |. 0F84 06010000 JE d2k2_cra.00401367 ; len == 0 -> "Enter Name!"
00401261 |. 3C 20 CMP AL,20 ; 0x20 = 32
00401263 |. 0F8F 13010000 JG d2k2_cra.0040137C ; len > 32 -> "Name can be max 32 Chars long!"
00401269 |. 3C 05 CMP AL,5
0040126B |. 0F8C 20010000 JL d2k2_cra.00401391 ; len < 5 -> "Name must be min 5 Chars long!"
; --- pass 1: key[0..4] from Name[0..4] ---
00401271 |. 8D1D 8C314000 LEA EBX,DWORD PTR DS:[40318C] ; EBX = &Name[0] (reused unchanged by pass 2)
00401277 |. 33C9 XOR ECX,ECX ; CL = working byte
00401279 |. B0 05 MOV AL,5 ; AL = k, counts 5,4,3,2,1
0040127B |. 33D2 XOR EDX,EDX ; EDX = i, index into Name and key
0040127D |> 8A0C1A MOV CL,BYTE PTR DS:[EDX+EBX] ; CL = Name[i]
00401280 |. 80F1 29 XOR CL,29 ; CL = (Name[i] ^ 0x29) + k
00401283 |. 02C8 ADD CL,AL
00401285 |. 80F9 41 CMP CL,41 ; signed compare against 'A'
00401288 |. 7C 1C JL SHORT d2k2_cra.004012A6 ; CL < 'A' (or CL >= 0x80) -> fixup at 004012A6
0040128A |. 80F9 5A CMP CL,5A
0040128D |. 7F 17 JG SHORT d2k2_cra.004012A6 ; CL > 'Z' -> fixup at 004012A6
0040128F |> 888A 3C314000 MOV BYTE PTR DS:[EDX+40313C],CL ; key[i] = CL
00401295 |. C682 3D314000 >MOV BYTE PTR DS:[EDX+40313D],0 ; key[i+1] = 0, keeps key NUL-terminated
0040129C |. FEC2 INC DL ; i++
0040129E |. FEC8 DEC AL ; k--
004012A0 |. 3C 00 CMP AL,0
004012A2 |. 74 08 JE SHORT d2k2_cra.004012AC ; after 5 bytes -> pass 2
004012A4 |.^EB D7 JMP SHORT d2k2_cra.0040127D
004012A6 |> B1 52 MOV CL,52 ; out-of-range fixup: CL = 0x52 + k (0x53..0x57, always a letter)
004012A8 |. 02C8 ADD CL,AL
004012AA |.^EB E3 JMP SHORT d2k2_cra.0040128F
; --- pass 2: key[5..9], again from Name[0..4] (EDX restarts at 0 with the same EBX, so this is NOT the last 5 bytes) ---
004012AC |> 33D2 XOR EDX,EDX ; i = 0
004012AE |. B8 05000000 MOV EAX,5 ; k = 5
004012B3 |> 8A0C1A MOV CL,BYTE PTR DS:[EDX+EBX] ; CL = Name[i]
004012B6 |. 80F1 27 XOR CL,27 ; CL = (Name[i] ^ 0x27) + k + 1
004012B9 |. 02C8 ADD CL,AL
004012BB |. 80C1 01 ADD CL,1
004012BE |. 80F9 41 CMP CL,41 ; signed range check 'A'..'Z', as in pass 1
004012C1 |. 7C 1C JL SHORT d2k2_cra.004012DF
004012C3 |. 80F9 5A CMP CL,5A
004012C6 |. 7F 17 JG SHORT d2k2_cra.004012DF
004012C8 |> 888A 41314000 MOV BYTE PTR DS:[EDX+403141],CL ; key[5+i] = CL
004012CE |. C682 42314000 >MOV BYTE PTR DS:[EDX+403142],0 ; key[6+i] = 0
004012D5 |. FEC2 INC DL ; i++
004012D7 |. FEC8 DEC AL ; k--
004012D9 |. 3C 00 CMP AL,0
004012DB |. 74 08 JE SHORT d2k2_cra.004012E5 ; after 5 bytes -> read the serial
004012DD |.^EB D4 JMP SHORT d2k2_cra.004012B3
004012DF |> B1 4D MOV CL,4D ; out-of-range fixup: CL = 0x4D + k (0x4E..0x52)
004012E1 |. 02C8 ADD CL,AL
004012E3 |.^EB E3 JMP SHORT d2k2_cra.004012C8
; --- read Serial (control 4); it must be exactly 10 characters ---
004012E5 |> 33C0 XOR EAX,EAX
004012E7 |. 6A 28 PUSH 28 ; /Count = 28 (40.)
004012E9 |. 68 B4314000 PUSH d2k2_cra.004031B4 ; |Buffer = d2k2_cra.004031B4  (Serial)
004012EE |. 6A 04 PUSH 4 ; |ControlID = 4  (Serial edit box)
004012F0 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012F3 |. E8 F0000000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA -> EAX = chars copied
004012F8 |. 66:85C0 TEST AX,AX
004012FB |. 74 55 JE SHORT d2k2_cra.00401352 ; empty serial -> "Wrong Code!"
004012FD |. 66:83F8 0A CMP AX,0A
00401301 |. 7F 4F JG SHORT d2k2_cra.00401352 ; len > 10 -> "Wrong Code!"
00401303 |. 7C 4D JL SHORT d2k2_cra.00401352 ; len < 10 -> "Wrong Code!"  (so len == 10 from here on)
; --- compare Serial[i] against F(key[i]) ---
00401305 |. 33C0 XOR EAX,EAX
00401307 |. 33DB XOR EBX,EBX
00401309 |. 33C9 XOR ECX,ECX ; ECX = i
0040130B |. 33D2 XOR EDX,EDX
0040130D |. 8D05 B4314000 LEA EAX,DWORD PTR DS:[4031B4] ; EAX = &Serial[0] (the serial buffer, not the name)
00401313 |> 8A1C01 MOV BL,BYTE PTR DS:[ECX+EAX] ; BL = Serial[i]
00401316 |. 8A91 3C314000 MOV DL,BYTE PTR DS:[ECX+40313C] ; DL = key[i]
0040131C |. 80FB 00 CMP BL,0
0040131F |. 0F84 81000000 JE d2k2_cra.004013A6 ; reached the serial's NUL (i == 10) with no mismatch -> "Good Cracker"
00401325 |. 80C2 05 ADD DL,5 ; DL = key[i] + 5
00401328 |. 80FA 5A CMP DL,5A
0040132B |. 7F 14 JG SHORT d2k2_cra.00401341 ; DL > 'Z' -> DL -= 0x0D at 00401341, then back to 0040132D
0040132D |> 80F2 0C XOR DL,0C ; DL ^= 0x0C
00401330 |. 80FA 41 CMP DL,41
00401333 |. 7C 11 JL SHORT d2k2_cra.00401346 ; DL < 'A' -> DL = 0x4B + i
00401335 |. 80FA 5A CMP DL,5A
00401338 |. 7F 12 JG SHORT d2k2_cra.0040134C ; DL > 'Z' -> DL = 0x4B - i
0040133A |> 41 INC ECX ; i++ (the two fixups above jump here, so they used the old i)
0040133B |. 38DA CMP DL,BL ; expected byte == Serial[i] ?
0040133D ^74 D4 JE SHORT d2k2_cra.00401313 ; match -> next byte
0040133F |. EB 11 JMP SHORT d2k2_cra.00401352 ; mismatch -> "Wrong Code!"
00401341 |> 80EA 0D SUB DL,0D ; DL -= 0x0D
00401344 |.^EB E7 JMP SHORT d2k2_cra.0040132D
00401346 |> B2 4B MOV DL,4B ; DL = 0x4B + i  (CL holds i, not yet incremented)
00401348 |. 02D1 ADD DL,CL
0040134A |.^EB EE JMP SHORT d2k2_cra.0040133A
0040134C |> B2 4B MOV DL,4B ; DL = 0x4B - i  (CL holds i, not yet incremented)
0040134E |. 2AD1 SUB DL,CL
00401350 |.^EB E8 JMP SHORT d2k2_cra.0040133A
; --- result message boxes; every path ends at 004013B9 ---
00401352 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (bad serial)
00401354 |. 68 49304000 PUSH d2k2_cra.00403049 ; |Title = "Dont give up..."
00401359 |. 68 59304000 PUSH d2k2_cra.00403059 ; |Text = "Wrong Code!Try Again!"
0040135E |. 6A 00 PUSH 0 ; |hOwner = NULL
00401360 |. E8 A1000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401365 |. EB 52 JMP SHORT d2k2_cra.004013B9
00401367 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (empty name)
00401369 |. 68 6F304000 PUSH d2k2_cra.0040306F ; |Title = "Sorry..."
0040136E |. 68 97304000 PUSH d2k2_cra.00403097 ; |Text = "Enter Name!"
00401373 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401375 |. E8 8C000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040137A |. EB 3D JMP SHORT d2k2_cra.004013B9
0040137C |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (name longer than 32)
0040137E |. 68 6F304000 PUSH d2k2_cra.0040306F ; |Title = "Sorry..."
00401383 |. 68 A3304000 PUSH d2k2_cra.004030A3 ; |Text = "Name can be max 32 Chars long!"
00401388 |. 6A 00 PUSH 0 ; |hOwner = NULL
0040138A |. E8 77000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040138F |. EB 28 JMP SHORT d2k2_cra.004013B9
00401391 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (name shorter than 5)
00401393 |. 68 6F304000 PUSH d2k2_cra.0040306F ; |Title = "Sorry..."
00401398 |. 68 78304000 PUSH d2k2_cra.00403078 ; |Text = "Name must be min 5 Chars long!"
0040139D |. 6A 00 PUSH 0 ; |hOwner = NULL
0040139F |. E8 62000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004013A4 |. EB 13 JMP SHORT d2k2_cra.004013B9
004013A6 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (all 10 bytes matched)
004013A8 |. 68 C2304000 PUSH d2k2_cra.004030C2 ; |Title = "Good Cracker"
004013AD |. 68 CF304000 PUSH d2k2_cra.004030CF ; |Text = "Serial is correct! Now write a keygen + tut and send it to: diablo2oo2@gmx.net !"
004013B2 |. 6A 00 PUSH 0 ; |hOwner = NULL
004013B4 |. E8 4D000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004013B9 |> EB 15 JMP SHORT d2k2_cra.004013D0 ; common exit: return 0
; --- DefWindowProcA fall-through for unhandled messages; reached only from code above this listing ---
004013BB |> FF75 14 PUSH DWORD PTR SS:[EBP+14] ; /lParam
004013BE |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |wParam
004013C1 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Message
004013C4 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004013C7 |. E8 10000000 CALL <JMP.&USER32.DefWindowProcA> ; \DefWindowProcA -> EAX is returned as-is
004013CC |. C9 LEAVE
004013CD |. C2 1000 RETN 10 ; stdcall, 4 args
004013D0 |> 33C0 XOR EAX,EAX ; return 0 after any of the message boxes
004013D2 |. C9 LEAVE
004013D3 \. C2 1000 RETN 10
//--------------------------------------------------------------------
1. PEiD: check whether the target is packed or protected — nothing detected, so it can be loaded straight into the debugger.
2. OllyDbg: search the referenced strings (e.g. "Wrong Code!Try Again!") and follow the reference back to the check routine that starts at 00401248.
3. 這個 CrackMe 的重點在於找出它的註冊碼算法：由 Name 的前 5 個字元推導出 10 個字元的序號（推導過程見下方的逐行註解）。
; ===================================================================
; diablo2oo2 Crackme 01 - name/serial check.  This is a fragment of what
; appears to be the window procedure (four stack args, RETN 10, and a
; DefWindowProcA fall-through at 004013BB); the prologue and the message
; dispatch that reach 00401248 are above this listing and not shown.
;
; Buffers (all global, absolute addresses):
;   0x40318C  Name   <- GetDlgItemTextA(hWnd, 2, ..., cchMax = 0x28)
;   0x4031B4  Serial <- GetDlgItemTextA(hWnd, 4, ..., cchMax = 0x28)
;   0x40313C  key[0..9] + NUL, derived from Name[0..4] only
; Both copies are bounded by cchMax = 0x28, which equals the distance
; 0x4031B4 - 0x40318C, so neither edit control can write past its buffer.
;
; Keygen recovered from the code below (8-bit arithmetic throughout; every
; range check is a SIGNED byte compare, JL/JG):
;   for i in 0..4, k = 5 - i:
;     a = (Name[i] ^ 0x29) + k        ; a not in 'A'..'Z' -> a = 0x52 + k
;     b = (Name[i] ^ 0x27) + k + 1    ; b not in 'A'..'Z' -> b = 0x4D + k
;     key[i] = a ; key[5 + i] = b     ; both fixups land inside 'A'..'Z'
;   for i in 0..9:
;     d = key[i] + 5 ; if d > 'Z': d -= 0x0D ; d ^= 0x0C
;     if d < 'A': d = 0x4B + i  elif d > 'Z': d = 0x4B - i
;     Serial[i] = d
; Serial must be exactly 10 characters.  Name bytes 5..31 never influence
; the result.  A Name byte >= 0x80 (non-ASCII) is negative under the signed
; compare and therefore always takes the "< 'A'" replacement branch.
; ===================================================================
; --- read Name (control 2) and validate its length ---
00401248 |. 6A 28 PUSH 28 ; /Count = 28 (40.)  cchMax, including the NUL
0040124A |. 68 8C314000 PUSH d2k2_cra.0040318C ; |Buffer = d2k2_cra.0040318C  (Name)
0040124F |. 6A 02 PUSH 2 ; |ControlID = 2  (Name edit box)
00401251 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401254 |. E8 8F010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA -> EAX = chars copied
00401259 |. 84C0 TEST AL,AL ; only the low byte of the length is tested (cchMax = 40 keeps it < 256)
0040125B |. 0F84 06010000 JE d2k2_cra.00401367 ; len == 0 -> "Enter Name!"
00401261 |. 3C 20 CMP AL,20 ; 0x20 = 32
00401263 |. 0F8F 13010000 JG d2k2_cra.0040137C ; len > 32 -> "Name can be max 32 Chars long!"
00401269 |. 3C 05 CMP AL,5
0040126B |. 0F8C 20010000 JL d2k2_cra.00401391 ; len < 5 -> "Name must be min 5 Chars long!"
; --- pass 1: key[0..4] from Name[0..4] ---
00401271 |. 8D1D 8C314000 LEA EBX,DWORD PTR DS:[40318C] ; EBX = &Name[0] (reused unchanged by pass 2)
00401277 |. 33C9 XOR ECX,ECX ; CL = working byte
00401279 |. B0 05 MOV AL,5 ; AL = k, counts 5,4,3,2,1
0040127B |. 33D2 XOR EDX,EDX ; EDX = i, index into Name and key
0040127D |> 8A0C1A MOV CL,BYTE PTR DS:[EDX+EBX] ; CL = Name[i]
00401280 |. 80F1 29 XOR CL,29 ; CL = (Name[i] ^ 0x29) + k
00401283 |. 02C8 ADD CL,AL
00401285 |. 80F9 41 CMP CL,41 ; signed compare against 'A'
00401288 |. 7C 1C JL SHORT d2k2_cra.004012A6 ; CL < 'A' (or CL >= 0x80) -> fixup at 004012A6
0040128A |. 80F9 5A CMP CL,5A
0040128D |. 7F 17 JG SHORT d2k2_cra.004012A6 ; CL > 'Z' -> fixup at 004012A6
0040128F |> 888A 3C314000 MOV BYTE PTR DS:[EDX+40313C],CL ; key[i] = CL
00401295 |. C682 3D314000 >MOV BYTE PTR DS:[EDX+40313D],0 ; key[i+1] = 0, keeps key NUL-terminated
0040129C |. FEC2 INC DL ; i++
0040129E |. FEC8 DEC AL ; k--
004012A0 |. 3C 00 CMP AL,0
004012A2 |. 74 08 JE SHORT d2k2_cra.004012AC ; after 5 bytes -> pass 2
004012A4 |.^EB D7 JMP SHORT d2k2_cra.0040127D
004012A6 |> B1 52 MOV CL,52 ; out-of-range fixup: CL = 0x52 + k (0x53..0x57, always a letter)
004012A8 |. 02C8 ADD CL,AL
004012AA |.^EB E3 JMP SHORT d2k2_cra.0040128F
; --- pass 2: key[5..9], again from Name[0..4] (EDX restarts at 0 with the same EBX, so this is NOT the last 5 bytes) ---
004012AC |> 33D2 XOR EDX,EDX ; i = 0
004012AE |. B8 05000000 MOV EAX,5 ; k = 5
004012B3 |> 8A0C1A MOV CL,BYTE PTR DS:[EDX+EBX] ; CL = Name[i]
004012B6 |. 80F1 27 XOR CL,27 ; CL = (Name[i] ^ 0x27) + k + 1
004012B9 |. 02C8 ADD CL,AL
004012BB |. 80C1 01 ADD CL,1
004012BE |. 80F9 41 CMP CL,41 ; signed range check 'A'..'Z', as in pass 1
004012C1 |. 7C 1C JL SHORT d2k2_cra.004012DF
004012C3 |. 80F9 5A CMP CL,5A
004012C6 |. 7F 17 JG SHORT d2k2_cra.004012DF
004012C8 |> 888A 41314000 MOV BYTE PTR DS:[EDX+403141],CL ; key[5+i] = CL
004012CE |. C682 42314000 >MOV BYTE PTR DS:[EDX+403142],0 ; key[6+i] = 0
004012D5 |. FEC2 INC DL ; i++
004012D7 |. FEC8 DEC AL ; k--
004012D9 |. 3C 00 CMP AL,0
004012DB |. 74 08 JE SHORT d2k2_cra.004012E5 ; after 5 bytes -> read the serial
004012DD |.^EB D4 JMP SHORT d2k2_cra.004012B3
004012DF |> B1 4D MOV CL,4D ; out-of-range fixup: CL = 0x4D + k (0x4E..0x52)
004012E1 |. 02C8 ADD CL,AL
004012E3 |.^EB E3 JMP SHORT d2k2_cra.004012C8
; --- read Serial (control 4); it must be exactly 10 characters ---
004012E5 |> 33C0 XOR EAX,EAX
004012E7 |. 6A 28 PUSH 28 ; /Count = 28 (40.)
004012E9 |. 68 B4314000 PUSH d2k2_cra.004031B4 ; |Buffer = d2k2_cra.004031B4  (Serial)
004012EE |. 6A 04 PUSH 4 ; |ControlID = 4  (Serial edit box)
004012F0 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012F3 |. E8 F0000000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA -> EAX = chars copied
004012F8 |. 66:85C0 TEST AX,AX
004012FB |. 74 55 JE SHORT d2k2_cra.00401352 ; empty serial -> "Wrong Code!"
004012FD |. 66:83F8 0A CMP AX,0A
00401301 |. 7F 4F JG SHORT d2k2_cra.00401352 ; len > 10 -> "Wrong Code!"
00401303 |. 7C 4D JL SHORT d2k2_cra.00401352 ; len < 10 -> "Wrong Code!"  (so len == 10 from here on)
; --- compare Serial[i] against F(key[i]) ---
00401305 |. 33C0 XOR EAX,EAX
00401307 |. 33DB XOR EBX,EBX
00401309 |. 33C9 XOR ECX,ECX ; ECX = i
0040130B |. 33D2 XOR EDX,EDX
0040130D |. 8D05 B4314000 LEA EAX,DWORD PTR DS:[4031B4] ; EAX = &Serial[0] (the serial buffer, not the name)
00401313 |> 8A1C01 MOV BL,BYTE PTR DS:[ECX+EAX] ; BL = Serial[i]
00401316 |. 8A91 3C314000 MOV DL,BYTE PTR DS:[ECX+40313C] ; DL = key[i]
0040131C |. 80FB 00 CMP BL,0
0040131F |. 0F84 81000000 JE d2k2_cra.004013A6 ; reached the serial's NUL (i == 10) with no mismatch -> "Good Cracker"
00401325 |. 80C2 05 ADD DL,5 ; DL = key[i] + 5
00401328 |. 80FA 5A CMP DL,5A
0040132B |. 7F 14 JG SHORT d2k2_cra.00401341 ; DL > 'Z' -> DL -= 0x0D at 00401341, then back to 0040132D
0040132D |> 80F2 0C XOR DL,0C ; DL ^= 0x0C
00401330 |. 80FA 41 CMP DL,41
00401333 |. 7C 11 JL SHORT d2k2_cra.00401346 ; DL < 'A' -> DL = 0x4B + i
00401335 |. 80FA 5A CMP DL,5A
00401338 |. 7F 12 JG SHORT d2k2_cra.0040134C ; DL > 'Z' -> DL = 0x4B - i
0040133A |> 41 INC ECX ; i++ (the two fixups above jump here, so they used the old i)
0040133B |. 38DA CMP DL,BL ; expected byte == Serial[i] ?
0040133D ^74 D4 JE SHORT d2k2_cra.00401313 ; match -> next byte
0040133F |. EB 11 JMP SHORT d2k2_cra.00401352 ; mismatch -> "Wrong Code!"
00401341 |> 80EA 0D SUB DL,0D ; DL -= 0x0D
00401344 |.^EB E7 JMP SHORT d2k2_cra.0040132D
00401346 |> B2 4B MOV DL,4B ; DL = 0x4B + i  (CL holds i, not yet incremented)
00401348 |. 02D1 ADD DL,CL
0040134A |.^EB EE JMP SHORT d2k2_cra.0040133A
0040134C |> B2 4B MOV DL,4B ; DL = 0x4B - i  (CL holds i, not yet incremented)
0040134E |. 2AD1 SUB DL,CL
00401350 |.^EB E8 JMP SHORT d2k2_cra.0040133A
; --- result message boxes; every path ends at 004013B9 ---
00401352 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (bad serial)
00401354 |. 68 49304000 PUSH d2k2_cra.00403049 ; |Title = "Dont give up..."
00401359 |. 68 59304000 PUSH d2k2_cra.00403059 ; |Text = "Wrong Code!Try Again!"
0040135E |. 6A 00 PUSH 0 ; |hOwner = NULL
00401360 |. E8 A1000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401365 |. EB 52 JMP SHORT d2k2_cra.004013B9
00401367 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (empty name)
00401369 |. 68 6F304000 PUSH d2k2_cra.0040306F ; |Title = "Sorry..."
0040136E |. 68 97304000 PUSH d2k2_cra.00403097 ; |Text = "Enter Name!"
00401373 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401375 |. E8 8C000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040137A |. EB 3D JMP SHORT d2k2_cra.004013B9
0040137C |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (name longer than 32)
0040137E |. 68 6F304000 PUSH d2k2_cra.0040306F ; |Title = "Sorry..."
00401383 |. 68 A3304000 PUSH d2k2_cra.004030A3 ; |Text = "Name can be max 32 Chars long!"
00401388 |. 6A 00 PUSH 0 ; |hOwner = NULL
0040138A |. E8 77000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040138F |. EB 28 JMP SHORT d2k2_cra.004013B9
00401391 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (name shorter than 5)
00401393 |. 68 6F304000 PUSH d2k2_cra.0040306F ; |Title = "Sorry..."
00401398 |. 68 78304000 PUSH d2k2_cra.00403078 ; |Text = "Name must be min 5 Chars long!"
0040139D |. 6A 00 PUSH 0 ; |hOwner = NULL
0040139F |. E8 62000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004013A4 |. EB 13 JMP SHORT d2k2_cra.004013B9
004013A6 |> 6A 00 PUSH 0 ; /Style. = MB_OK|MB_APPLMODAL   (all 10 bytes matched)
004013A8 |. 68 C2304000 PUSH d2k2_cra.004030C2 ; |Title = "Good Cracker"
004013AD |. 68 CF304000 PUSH d2k2_cra.004030CF ; |Text = "Serial is correct! Now write a keygen + tut and send it to: diablo2oo2@gmx.net !"
004013B2 |. 6A 00 PUSH 0 ; |hOwner = NULL
004013B4 |. E8 4D000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004013B9 |> EB 15 JMP SHORT d2k2_cra.004013D0 ; common exit: return 0
; --- DefWindowProcA fall-through for unhandled messages; reached only from code above this listing ---
004013BB |> FF75 14 PUSH DWORD PTR SS:[EBP+14] ; /lParam
004013BE |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |wParam
004013C1 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Message
004013C4 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004013C7 |. E8 10000000 CALL <JMP.&USER32.DefWindowProcA> ; \DefWindowProcA -> EAX is returned as-is
004013CC |. C9 LEAVE
004013CD |. C2 1000 RETN 10 ; stdcall, 4 args
004013D0 |> 33C0 XOR EAX,EAX ; return 0 after any of the message boxes
004013D2 |. C9 LEAVE
004013D3 \. C2 1000 RETN 10
//--------------------------------------------------------------------


