吾爱破解 - LCG - LSG | www.52pojie.cn
[Original] 160 CrackMe programs, No. 006

hjm666, posted 2018-5-16 21:29
This post was last edited by hjm666 on 2018-5-17 08:02

1. Basic information
[image: 1.png]

      This is a username and serial-number crack. The main window has three buttons: two are enabled and one is disabled for now.


[images: 2.png, 3.png, 4.png, 5.png]

   The message box shown after clicking the About button says, roughly: to crack this program, enter a username and serial number such that the OK button becomes enabled, and then clicking Cancella must make both buttons disappear. If you manage it, email the author....


[image: 9.png]

   Written in Delphi, no packer.


[image: 6.png]

There are four event handlers worth looking at (decompiler: DarkDe 4).


2. Forced crack (patching)
Since the goal is to make these two buttons disappear, the program's key logic must be tied to the two button-click events.
The OK button is disabled at first, so start with the CancellaClick event.
[Asm]
00442EA8      55            push ebp                                 ;  CancellaClik
00442EA9      8BEC          mov ebp,esp
00442EAB  |.  6A 00         push 0x0
00442EAD  |.  53            push ebx
00442EAE  |.  8BD8          mov ebx,eax
00442EB0  |.  33C0          xor eax,eax
00442EB2  |.  55            push ebp
00442EB3  |.  68 322F4400   push aLoNg3x_.00442F32
00442EB8  |.  64:FF30       push dword ptr fs:[eax]
00442EBB  |.  64:8920       mov dword ptr fs:[eax],esp
00442EBE  |.  8D55 FC       lea edx,[local.1]
00442EC1  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442EC7  |.  E8 F403FEFF   call aLoNg3x_.004232C0
00442ECC  |.  8B45 FC       mov eax,[local.1]
00442ECF  |.  E8 9C47FCFF   call aLoNg3x_.00407670
00442ED4  |.  50            push eax
00442ED5  |.  8D55 FC       lea edx,[local.1]
00442ED8  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442EDE  |.  E8 DD03FEFF   call aLoNg3x_.004232C0
00442EE3  |.  8B45 FC       mov eax,[local.1]
00442EE6  |.  5A            pop edx                                  ;  aLoNg3x_.00424640
00442EE7  |.  E8 08FCFFFF   call aLoNg3x_.00442AF4                   ;  important call
00442EEC  |.  84C0          test al,al
00442EEE  |.  74 1C         je short aLoNg3x_.00442F0C               ;  key jump
00442EF0  |.  33D2          xor edx,edx
00442EF2  |.  8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442EF8  |.  E8 B302FEFF   call aLoNg3x_.004231B0
00442EFD  |.  B2 01         mov dl,0x1                               ;  when dl = 1 the Cancella button disappears
00442EFF  |.  8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442F05  |.  8B08          mov ecx,dword ptr ds:[eax]               ;  aLoNg3x_.0044282C
00442F07  |.  FF51 60       call dword ptr ds:[ecx+0x60]
00442F0A  |.  EB 10         jmp short aLoNg3x_.00442F1C
00442F0C  |>  BA 482F4400   mov edx,aLoNg3x_.00442F48                ;  UNICODE "0"



After flipping the flag at the key jump, continue running the program.
[image: 7.png]

The OK button is now visible. Set breakpoints at the start of the two event handlers and click OK to attempt the crack; the breakpoint in the OK button's event handler hits.
[Asm]
00442D64  /.  55            push ebp                                 ;  OKCilk
00442D65  |.  8BEC          mov ebp,esp
00442D67  |.  6A 00         push 0x0
00442D69  |.  53            push ebx
00442D6A  |.  8BD8          mov ebx,eax
00442D6C  |.  33C0          xor eax,eax
00442D6E  |.  55            push ebp
00442D6F  |.  68 ED2D4400   push aLoNg3x_.00442DED
00442D74  |.  64:FF30       push dword ptr fs:[eax]
00442D77  |.  64:8920       mov dword ptr fs:[eax],esp
00442D7A  |.  8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442D80  |.  8078 47 01    cmp byte ptr ds:[eax+0x47],0x1
00442D84  |.  75 12         jnz short aLoNg3x_.00442D98
00442D86  |.  BA 002E4400   mov edx,aLoNg3x_.00442E00                ;  UNICODE "0"
00442D8B  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442D91  |.  E8 5A05FEFF   call aLoNg3x_.004232F0
00442D96  |.  EB 3F         jmp short aLoNg3x_.00442DD7              ;  jumps away
00442D98  |>  8D55 FC       lea edx,[local.1]
00442D9B  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442DA1  |.  E8 1A05FEFF   call aLoNg3x_.004232C0
00442DA6  |.  8B45 FC       mov eax,[local.1]
00442DA9  |.  E8 C248FCFF   call aLoNg3x_.00407670
00442DAE  |.  50            push eax
00442DAF  |.  8D55 FC       lea edx,[local.1]
00442DB2  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442DB8  |.  E8 0305FEFF   call aLoNg3x_.004232C0
00442DBD  |.  8B45 FC       mov eax,[local.1]
00442DC0  |.  5A            pop edx                                  ;  aLoNg3x_.00424640
00442DC1  |.  E8 DAFDFFFF   call aLoNg3x_.00442BA0                   ;  important call
00442DC6  |.  84C0          test al,al
00442DC8  |.  74 0D         je short aLoNg3x_.00442DD7               ;  key jump



After flipping the flag at the key jump, the program is cracked.

[image: 8.png]




3. Digging deeper
Now let's take a closer look at the serial number and username.
    Break on the four events and analyze them.
  The CodiceChange event reads the serial number:
[Asm]
00442C78  /.  55            push ebp                                 ;  CodiceChange: reads the serial number
00442C79  |.  8BEC          mov ebp,esp
00442C7B  |.  33C9          xor ecx,ecx
00442C7D  |.  51            push ecx
00442C7E  |.  51            push ecx
00442C7F  |.  51            push ecx
00442C80  |.  51            push ecx
00442C81  |.  53            push ebx
00442C82  |.  56            push esi
00442C83  |.  8BD8          mov ebx,eax
00442C85  |.  33C0          xor eax,eax
00442C87  |.  55            push ebp
00442C88  |.  68 562D4400   push aLoNg3x_.00442D56
00442C8D  |.  64:FF30       push dword ptr fs:[eax]
00442C90  |.  64:8920       mov dword ptr fs:[eax],esp
00442C93  |.  8D55 F8       lea edx,[local.2]
00442C96  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442C9C  |.  E8 1F06FEFF   call aLoNg3x_.004232C0
00442CA1  |.  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442CA4  |.  8D55 FC       lea edx,[local.1]
00442CA7  |.  E8 ACFCFBFF   call aLoNg3x_.00402958                   ;  convert to hex
00442CAC  |.  8BF0          mov esi,eax
00442CAE  |.  837D FC 00    cmp [local.1],0x0
00442CB2  |.  74 18         je short aLoNg3x_.00442CCC
00442CB4  |.  8D55 F4       lea edx,[local.3]
00442CB7  |.  8BC6          mov eax,esi
00442CB9  |.  E8 8249FCFF   call aLoNg3x_.00407640
00442CBE  |.  8B55 F4       mov edx,[local.3]                        ;  kernel32.7C839AD8
00442CC1  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442CC7  |.  E8 2406FEFF   call aLoNg3x_.004232F0
00442CCC  |>  8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442CD2  |.  8078 47 00    cmp byte ptr ds:[eax+0x47],0x0
00442CD6  |.  75 0F         jnz short aLoNg3x_.00442CE7
00442CD8  |.  B2 01         mov dl,0x1
00442CDA  |.  8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442CE0  |.  8B08          mov ecx,dword ptr ds:[eax]
00442CE2  |.  FF51 60       call dword ptr ds:[ecx+0x60]
00442CE5  |.  EB 49         jmp short aLoNg3x_.00442D30
00442CE7  |>  8D55 F8       lea edx,[local.2]
00442CEA  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442CF0  |.  E8 CB05FEFF   call aLoNg3x_.004232C0
00442CF5  |.  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442CF8  |.  50            push eax                                 ;  eax = username length
00442CF9  |.  8D55 F0       lea edx,[local.4]
00442CFC  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442D02  |.  E8 B905FEFF   call aLoNg3x_.004232C0
00442D07  |.  8B45 F0       mov eax,[local.4]                        ;  local.4 = username
00442D0A  |.  5A            pop edx                                  ;  kernel32.7C817077
00442D0B  |.  E8 2CFDFFFF   call aLoNg3x_.00442A3C                   ;  key call
00442D10  |.  84C0          test al,al
00442D12  |.  74 0F         je short aLoNg3x_.00442D23               ;  key jump
00442D14  |.  B2 01         mov dl,0x1                               ;  when dl = 1 the OK button becomes visible




  Nomechange reads the username:


[Asm]
00442E04  /.  55            push ebp                                 ;  Nomechange: reads the username
00442E05  |.  8BEC          mov ebp,esp
00442E07  |.  6A 00         push 0x0
00442E09  |.  6A 00         push 0x0
00442E0B  |.  53            push ebx
00442E0C  |.  8BD8          mov ebx,eax
00442E0E  |.  33C0          xor eax,eax
00442E10  |.  55            push ebp
00442E11  |.  68 9B2E4400   push aLoNg3x_.00442E9B
00442E16  |.  64:FF30       push dword ptr fs:[eax]
00442E19  |.  64:8920       mov dword ptr fs:[eax],esp
00442E1C  |.  8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442E22  |.  8078 47 00    cmp byte ptr ds:[eax+0x47],0x0
00442E26  |.  75 0F         jnz short aLoNg3x_.00442E37
00442E28  |.  B2 01         mov dl,0x1
00442E2A  |.  8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442E30  |.  8B08          mov ecx,dword ptr ds:[eax]
00442E32  |.  FF51 60       call dword ptr ds:[ecx+0x60]
00442E35  |.  EB 49         jmp short aLoNg3x_.00442E80
00442E37  |>  8D55 FC       lea edx,[local.1]
00442E3A  |.  8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442E40  |.  E8 7B04FEFF   call aLoNg3x_.004232C0
00442E45  |.  8B45 FC       mov eax,[local.1]
00442E48  |.  50            push eax
00442E49  |.  8D55 F8       lea edx,[local.2]
00442E4C  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442E52  |.  E8 6904FEFF   call aLoNg3x_.004232C0
00442E57  |.  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442E5A  |.  5A            pop edx                                  ;  kernel32.7C817077
00442E5B  |.  E8 DCFBFFFF   call aLoNg3x_.00442A3C                   ;  important call
00442E60  |.  84C0          test al,al
00442E62  |.  74 0F         je short aLoNg3x_.00442E73               ;  main jump
00442E64  |.  B2 01         mov dl,0x1                               ;  when dl = 1 the OK button becomes visible



The other two events were shown above, so they are not repeated here.


  Now go straight into the four key calls and analyze them.


Nomechange :


[Asm]
00442A3C  /$  55            push ebp                                 ;  main routine
00442A3D  |.  8BEC          mov ebp,esp
00442A3F  |.  83C4 F8       add esp,-0x8
00442A42  |.  53            push ebx
00442A43  |.  56            push esi
00442A44  |.  8955 F8       mov [local.2],edx                        ;  ntdll.KiFastSystemCallRet
00442A47  |.  8945 FC       mov [local.1],eax
00442A4A  |.  8B45 FC       mov eax,[local.1]
00442A4D  |.  E8 9611FCFF   call aLoNg3x_.00403BE8
00442A52  |.  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442A55  |.  E8 8E11FCFF   call aLoNg3x_.00403BE8
00442A5A  |.  33C0          xor eax,eax
00442A5C  |.  55            push ebp
00442A5D  |.  68 E52A4400   push aLoNg3x_.00442AE5
00442A62  |.  64:FF30       push dword ptr fs:[eax]
00442A65  |.  64:8920       mov dword ptr fs:[eax],esp
00442A68  |.  8B45 FC       mov eax,[local.1]                        ;  local.1 = username
00442A6B  |.  E8 C40FFCFF   call aLoNg3x_.00403A34
00442A70  |.  83F8 05       cmp eax,0x5                              ;  username length must be greater than 5
00442A73  |.  7E 53         jle short aLoNg3x_.00442AC8
00442A75  |.  8B45 FC       mov eax,[local.1]
00442A78  |.  E8 B70FFCFF   call aLoNg3x_.00403A34
00442A7D  |.  8BD8          mov ebx,eax
00442A7F  |.  8B45 FC       mov eax,[local.1]
00442A82  |.  E8 AD0FFCFF   call aLoNg3x_.00403A34
00442A87  |.  8BD0          mov edx,eax
00442A89  |.  4A            dec edx                                  ;  ntdll.KiFastSystemCallRet
00442A8A  |.  85D2          test edx,edx                             ;  ntdll.KiFastSystemCallRet
00442A8C  |.  7E 20         jle short aLoNg3x_.00442AAE
00442A8E  |.  B8 01000000   mov eax,0x1
00442A93  |>  8B4D FC       /mov ecx,[local.1]
00442A96  |.  0FB64C01 FF   |movzx ecx,byte ptr ds:[ecx+eax-0x1]
00442A9B  |.  8B75 FC       |mov esi,[local.1]
00442A9E  |.  0FB63406      |movzx esi,byte ptr ds:[esi+eax]
00442AA2  |.  0FAFCE        |imul ecx,esi
00442AA5  |.  0FAFC8        |imul ecx,eax
00442AA8  |.  03D9          |add ebx,ecx
00442AAA  |.  40            |inc eax
00442AAB  |.  4A            |dec edx                                 ;  ntdll.KiFastSystemCallRet
00442AAC  |.^ 75 E5         \jnz short aLoNg3x_.00442A93
00442AAE  |>  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442AB1  |.  E8 BA4BFCFF   call aLoNg3x_.00407670
00442AB6  |.  2BD8          sub ebx,eax
00442AB8  |.  81FB 9A020000 cmp ebx,0x29A
00442ABE  |.  75 04         jnz short aLoNg3x_.00442AC4




CodiceChange :


Calls the same routine at 00442A3C as Nomechange, so the listing is identical to the one just above and is not repeated.




CancellaClick:


[Asm]
00442AF4  /$  55            push ebp
00442AF5  |.  8BEC          mov ebp,esp
00442AF7  |.  83C4 F8       add esp,-0x8
00442AFA  |.  53            push ebx
00442AFB  |.  56            push esi
00442AFC  |.  8955 F8       mov [local.2],edx                        ;  ntdll.KiFastSystemCallRet
00442AFF  |.  8945 FC       mov [local.1],eax
00442B02  |.  8B45 FC       mov eax,[local.1]
00442B05  |.  E8 DE10FCFF   call aLoNg3x_.00403BE8
00442B0A  |.  33C0          xor eax,eax
00442B0C  |.  55            push ebp
00442B0D  |.  68 902B4400   push aLoNg3x_.00442B90
00442B12  |.  64:FF30       push dword ptr fs:[eax]
00442B15  |.  64:8920       mov dword ptr fs:[eax],esp
00442B18  |.  8B45 FC       mov eax,[local.1]
00442B1B  |.  E8 140FFCFF   call aLoNg3x_.00403A34
00442B20  |.  83F8 05       cmp eax,0x5                              ;  takes the fifth character
00442B23  |.  7E 53         jle short aLoNg3x_.00442B78              ;  jump away if fewer than five characters
00442B25  |.  8B45 FC       mov eax,[local.1]
00442B28  |.  0FB640 04     movzx eax,byte ptr ds:[eax+0x4]
00442B2C  |.  B9 07000000   mov ecx,0x7
00442B31  |.  33D2          xor edx,edx                              ;  ntdll.KiFastSystemCallRet
00442B33  |.  F7F1          div ecx                                  ;  eax % 7
00442B35  |.  8BC2          mov eax,edx                              ;  ntdll.KiFastSystemCallRet
00442B37  |.  83C0 02       add eax,0x2                              ;  % 7 + 2
00442B3A  |.  E8 E1FEFFFF   call aLoNg3x_.00442A20
00442B3F  |.  8BF0          mov esi,eax
00442B41  |.  33DB          xor ebx,ebx
00442B43  |.  8B45 FC       mov eax,[local.1]                        ;  local.1 = username
00442B46  |.  E8 E90EFCFF   call aLoNg3x_.00403A34
00442B4B  |.  85C0          test eax,eax
00442B4D  |.  7E 16         jle short aLoNg3x_.00442B65
00442B4F  |.  BA 01000000   mov edx,0x1
00442B54  |>  8B4D FC       /mov ecx,[local.1]
00442B57  |.  0FB64C11 FF   |movzx ecx,byte ptr ds:[ecx+edx-0x1]
00442B5C  |.  0FAFCE        |imul ecx,esi
00442B5F  |.  03D9          |add ebx,ecx
00442B61  |.  42            |inc edx                                 ;  ntdll.KiFastSystemCallRet
00442B62  |.  48            |dec eax
00442B63  |.^ 75 EF         \jnz short aLoNg3x_.00442B54
00442B65  |>  2B5D F8       sub ebx,[local.2]                        ;  kernel32.7C817080
00442B68  |.  81FB 697A0000 cmp ebx,0x7A69
00442B6E  |.  75 04         jnz short aLoNg3x_.00442B74
00442B70  |.  B3 01         mov bl,0x1





OKClick:


[Asm]
00442BA0  /$  55            push ebp
00442BA1  |.  8BEC          mov ebp,esp
00442BA3  |.  6A 00         push 0x0
00442BA5  |.  6A 00         push 0x0
00442BA7  |.  6A 00         push 0x0
00442BA9  |.  53            push ebx
00442BAA  |.  56            push esi
00442BAB  |.  8BF2          mov esi,edx                              ;  ntdll.KiFastSystemCallRet
00442BAD  |.  8945 FC       mov [local.1],eax
00442BB0  |.  8B45 FC       mov eax,[local.1]
00442BB3  |.  E8 3010FCFF   call aLoNg3x_.00403BE8
00442BB8  |.  33C0          xor eax,eax
00442BBA  |.  55            push ebp
00442BBB  |.  68 672C4400   push aLoNg3x_.00442C67
00442BC0  |.  64:FF30       push dword ptr fs:[eax]
00442BC3  |.  64:8920       mov dword ptr fs:[eax],esp
00442BC6  |.  33DB          xor ebx,ebx
00442BC8  |.  8D55 F8       lea edx,[local.2]
00442BCB  |.  8BC6          mov eax,esi
00442BCD  |.  E8 6E4AFCFF   call aLoNg3x_.00407640
00442BD2  |.  8D45 F4       lea eax,[local.3]
00442BD5  |.  8B55 F8       mov edx,[local.2]                        ;  kernel32.7C817080
00442BD8  |.  E8 730CFCFF   call aLoNg3x_.00403850
00442BDD  |.  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442BE0  |.  E8 4F0EFCFF   call aLoNg3x_.00403A34
00442BE5  |.  83F8 05       cmp eax,0x5
00442BE8  |.  7E 60         jle short aLoNg3x_.00442C4A              ;  jumps away
00442BEA  |.  8B45 F8       mov eax,[local.2]                        ;  kernel32.7C817080
00442BED  |.  E8 420EFCFF   call aLoNg3x_.00403A34                   ;  compute the length of the serial number
00442BF2  |.  8BF0          mov esi,eax
00442BF4  |.  83FE 01       cmp esi,0x1
00442BF7  |.  7C 2F         jl short aLoNg3x_.00442C28
00442BF9  |>  8D45 F4       /lea eax,[local.3]
00442BFC  |.  E8 0310FCFF   |call aLoNg3x_.00403C04
00442C01  |.  8D4430 FF     |lea eax,dword ptr ds:[eax+esi-0x1]
00442C05  |.  50            |push eax
00442C06  |.  8B45 F8       |mov eax,[local.2]                       ;  kernel32.7C817080
00442C09  |.  0FB64430 FF   |movzx eax,byte ptr ds:[eax+esi-0x1]
00442C0E  |.  F7E8          |imul eax
00442C10  |.  0FBFC0        |movsx eax,ax
00442C13  |.  F7EE          |imul esi
00442C15  |.  B9 19000000   |mov ecx,0x19
00442C1A  |.  99            |cdq
00442C1B  |.  F7F9          |idiv ecx
00442C1D  |.  83C2 41       |add edx,0x41
00442C20  |.  58            |pop eax                                 ;  kernel32.7C817077
00442C21  |.  8810          |mov byte ptr ds:[eax],dl
00442C23  |.  4E            |dec esi
00442C24  |.  85F6          |test esi,esi
00442C26  |.^ 75 D1         \jnz short aLoNg3x_.00442BF9
00442C28  |>  8B45 F4       mov eax,[local.3]                        ;  kernel32.7C839AD8
00442C2B  |.  8B55 FC       mov edx,[local.1]




Now to summarize these events:
  Nomechange: the username must not be shorter than 5, otherwise it jumps straight out. It takes the length of name, len, and loops len-1 times; each iteration multiplies the hex value of the n-th character of name by the hex value of the (n+1)-th character and then by the iteration number, accumulating the result in len. After the loop it subtracts the hex value of the username, and finally compares with 0x29A; if equal, bl=1.


  CodiceChange: does the same as Nomechange.


  CancellaClick: walks the username, multiplies the hex value of the n-th character by esi and adds it to ebx, keeping the result in ebx (initially 0). After the walk it subtracts the hex value of the serial number and finally compares with 0x7A69.
     esi: the hex value of the fifth character of the username is divided by 7 and the remainder goes into edx, plus 2; esi is then the product (computed by the call) of ebx+2.


  OKClick: walks the serial number in reverse; each character is squared, multiplied by its index, divided by 19 (hex) keeping the remainder, plus 41 (hex); converted to a character, the result replaces the serial number and is compared with the username; equal means success.


4. Keygen
   After summarizing the important events above, the next step is the keygen. At first glance I thought the username and serial had to satisfy all three events at once to succeed... after thinking it over I realized that is not possible. Then I thought that satisfying just one of the OK-button or Cancella-button events would do, since a generated username and serial would then necessarily satisfy all three events, so I picked the OK-button event and wrote a keygen...


It fell flat......
     Later I understood..... it can be written following the forced-crack approach.


Cancella:
[C]
#include<stdio.h>
#include<string.h>
#include<stdlib.h>   // for system()
int main ()
{
        int len,b=1,x=0;
        char name[10]={0};
        printf("Enter your name: \n");
        scanf("%9s",name);   // name is already a char array; limit input to 9 chars to fit the buffer
        len=strlen(name);
        if(len<5)
        {
                printf("This name length is less than 5! \n");
        }
        else
        {
                int a=name[4]%7+2;   // fifth character mod 7, plus 2 (argument of the call at 00442B3A)
                for(int i=1;i<a+1;i++)
                {
                        b=b*i;       // b = a!  (the value the program keeps in esi)
                }
                for(int j=0;j<len;j++)
                {
                        a=name[j] * b;
                        x=a+x;       // sum of every character times b (ebx in the listing)
                }
                x=x-31337; //0x7A69
                printf("The key is: \n");
                printf("%d   \n",x);
        }
        system("pause");
        return 0;
}


[image: 10.png]

The OKClick event has to be worked backwards from the serial number.


[C]
#include<stdio.h>
#include<math.h>
#include<stdlib.h>   // for system()
#include<string.h>
int main()
{
        int len,a;
        char key[10]={0};
        char name[10]={0};
        printf("Enter your key:\n");
        scanf("%9s",key);   // key is already a char array; limit input to 9 chars to fit the buffer
        len=strlen(key);
        if(len<6)
        {
                printf("The key length must be greater than 5 \n");
        }
        else
        {
                for(int i=len-1;i>=0;i--)
                {
                        int b =key[i];
                        a=(pow(b,2))*(i+1);   // character squared, times its 1-based index
                        a =a%25+65;// 0x19 -> 25 in decimal, 0x41 -> 65 likewise
                        name[i]=a;
                }
        }
        printf("The name is: \n");
        printf("%s \n",name);
        system("pause");
        return 0;
}


The two hex constants confused me for a long time.
[image: 11.png]


    That's a wrap!!


        If there are mistakes, please point them out; much appreciated!!
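As an added example (not the author's code and not part of the original post), here are the three checks summarized in section three together with the two keygens from section four, written as plain C functions so that one username/serial pair can be tested against all of them at once. The constants 0x29A, 0x7A69, 0x19 and 0x41 are taken from the listings above; the routine at 00442A20 is assumed to compute a factorial, which is how the author's Cancella keygen treats it, since its body is not shown on the page; the username "abcdef" is a constructed sample. Running it shows concretely why a single-event keygen is not enough: the same username needs one serial for the routine behind NomeChange/CodiceChange and a different one for the Cancella routine, and the OKClick routine then demands yet another username for that serial.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constants read straight out of the listings in the post. */
#define NAME_CHECK_TARGET     0x29A   /* 00442AB8: cmp ebx,0x29A  */
#define CANCELLA_CHECK_TARGET 0x7A69  /* 00442B68: cmp ebx,0x7A69 */
#define OK_MODULUS            0x19    /* 00442C15: mov ecx,0x19   */
#define OK_BASE_CHAR          0x41    /* 00442C1D: add edx,0x41   */

/* Assumption: the call at 00442B3A (routine 00442A20) computes n!,
   as the author's Cancella keygen treats it; its body is not on the page. */
static long sub_442A20_factorial(int n) {
    long p = 1;
    for (int i = 1; i <= n; i++) p *= i;
    return p;
}

/* Routine 00442A3C, shared by NomeChange and CodiceChange:
   ebx starts at len, then ebx += name[i-1] * name[i] * i for i = 1..len-1. */
static long name_routine_sum(const char *name) {
    int len = (int)strlen(name);
    long ebx = len;                                  /* 00442A7D: mov ebx,eax */
    for (int i = 1; i <= len - 1; i++)               /* 00442A93 loop, len-1 rounds */
        ebx += (long)(unsigned char)name[i - 1] * (unsigned char)name[i] * i;
    return ebx;
}

/* Passes when the length is > 5 and sum - serial == 0x29A. */
int check_name_routine(const char *name, long serial) {
    if (strlen(name) <= 5) return 0;                 /* 00442A70: cmp eax,5 / jle */
    return name_routine_sum(name) - serial == NAME_CHECK_TARGET;
}

/* Inverse of the check above: the serial a given username needs (-1 if too short). */
long name_routine_serial(const char *name) {
    if (strlen(name) <= 5) return -1;
    return name_routine_sum(name) - NAME_CHECK_TARGET;
}

/* Routine 00442AF4 (CancellaClick): esi = f(name[4] % 7 + 2),
   ebx = sum of name[j] * esi over the whole username. */
static long cancella_sum(const char *name) {
    int k = (unsigned char)name[4] % 7 + 2;          /* 00442B28..00442B37 */
    long esi = sub_442A20_factorial(k);              /* 00442B3A..00442B3F */
    long ebx = 0;                                    /* 00442B41: xor ebx,ebx */
    for (size_t j = 0; name[j] != '\0'; j++)         /* 00442B54 loop */
        ebx += (long)(unsigned char)name[j] * esi;
    return ebx;
}

int check_cancella_routine(const char *name, long serial) {
    if (strlen(name) <= 5) return 0;                 /* 00442B20: cmp eax,5 / jle */
    return cancella_sum(name) - serial == CANCELLA_CHECK_TARGET;
}

long cancella_serial(const char *name) {             /* what the author's first keygen prints */
    if (strlen(name) <= 5) return -1;
    return cancella_sum(name) - CANCELLA_CHECK_TARGET;
}

/* Routine 00442BA0 (OKClick): the serial is turned back into its decimal string s,
   and for i = len..1: out[i-1] = (low16(s[i-1]^2) * i) mod 0x19 + 0x41.
   The resulting string must equal the username. Returns 0 if s is too short. */
int ok_name_for_serial(long serial, char *out, size_t outsz) {
    char s[32];
    snprintf(s, sizeof s, "%ld", serial);            /* 00442BCD: IntToStr */
    size_t len = strlen(s);
    if (len <= 5 || len + 1 > outsz) return 0;       /* 00442BE5: cmp eax,5 / jle */
    for (size_t i = len; i >= 1; i--) {              /* 00442BF9 loop, esi counts down */
        int c = (unsigned char)s[i - 1];
        int sq = (int16_t)(c * c);                   /* 00442C0E imul eax; 00442C10 movsx eax,ax */
        int rem = (sq * (int)i) % OK_MODULUS;        /* 00442C1B idiv ecx (signed remainder) */
        out[i - 1] = (char)(rem + OK_BASE_CHAR);     /* 00442C1D add edx,0x41 */
    }
    out[len] = '\0';
    return 1;
}

int check_ok_routine(const char *name, long serial) {
    char expected[32];
    if (!ok_name_for_serial(serial, expected, sizeof expected)) return 0;
    return strcmp(expected, name) == 0;              /* 00442C28: compared against the username */
}

int main(void) {
    const char *name = "abcdef";                     /* constructed sample username */
    long s_name = name_routine_serial(name);
    long s_canc = cancella_serial(name);
    char ok_name[32];
    ok_name_for_serial(s_name, ok_name, sizeof ok_name);
    printf("username %s: NomeChange/CodiceChange serial %ld, Cancella serial %ld\n",
           name, s_name, s_canc);
    printf("serial %ld: OKClick expects username \"%s\"\n", s_name, ok_name);
    printf("does serial %ld also pass the Cancella check? %s\n", s_name,
           check_cancella_routine(name, s_name) ? "yes" : "no");
    return 0;
}
```

The `(int16_t)` cast mirrors the `movsx eax,ax` at 00442C10: for decimal digits the square never exceeds 16 bits, so it changes nothing, but it is what the program actually computes and matters if the check is ever fed a non-digit string.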


[OP] hjm666, posted 2018-5-17 08:01
(quoting) Tim-52Pojie, posted 2018-5-17 06:44
v.....vb? What happened to the Borland Delphi you promised?

emmmmmm, brain glitch... sorry
SnowRen, posted 2018-5-16 21:46
dangtianshi, posted 2018-5-17 00:12
日常, posted 2018-5-17 00:32
Learning, learning~~~
(avatar hidden)
阿顺, posted 2018-5-17 00:55
Notice: the author has been banned or deleted; content automatically hidden
pmc, posted 2018-5-17 02:02 from mobile
Sigh, I've been browsing 52pojie for a long time, but sadly I still can't understand cracking. Awkward, heh.
笑口, posted 2018-5-17 06:06
Nice, downloading it to study. Handshake.
Tim-52Pojie, posted 2018-5-17 06:44
v.....vb? What happened to the Borland Delphi you promised?
yns, posted 2018-5-17 09:53
I only understood part of it, but thanks to the OP anyway.