系统 : Windows xp

程序 : CM1 by Bad Sector

程序下载地址 :http://pan.baidu.com/s/1c3e2a6

要求 : 注册机编写 

使用工具 : OD

可在“PEDIY CrackMe 2007”中查找关于此程序的讨论,标题为“再来一个CRACKME算法分析(适合新手)【讨论】”。

 

这世道居然能找到这么蠢萌的CrackMe。。。

; Serial check of "CM1 by Bad Sector" (OllyDbg listing, Windows XP target).
; Control 0xC8 (200) holds the name, 0xC9 (201) the serial; both are read with
; GetDlgItemTextA(Count = 50), so at most 49 bytes of either are ever looked at.
; The expected serial is built with wsprintfA("BS-%lX-%lu", chain, sum) at
; 004011A8 and then compared byte-by-byte against the typed serial (004011D4).
00401139   $  6A 32         push    32                               ; /Count = 32 (50.)
0040113B   .  68 F3204000   push    004020F3                         ; |Buffer = CrackMe.004020F3
00401140   .  68 C8000000   push    0C8                              ; |ControlID = C8 (200.)
00401145   .  FF75 08       push    dword ptr [ebp+8]                ; |hWnd
00401148   .  E8 DE000000   call    <jmp.&USER32.GetDlgItemTextA>    ; \GetDlgItemTextA
0040114D   .  83F8 00       cmp     eax, 0                           ;  name empty?
00401150   .  0F84 99000000 je      004011EF                         ;  -> "Nope"
00401156   .  83F8 04       cmp     eax, 4                           ;  shorter than 4 bytes?
00401159   .  0F82 90000000 jb      004011EF                         ;  -> "Nope"
0040115F   .  33C9          xor     ecx, ecx                         ;  ecx = byte index
00401161   .  33DB          xor     ebx, ebx                         ;  ebx = running sum
00401163   .  33F6          xor     esi, esi                         ;  esi = sum as of the last non-space byte
00401165   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  [ebp-4] = name length (<= 49)
00401168   >  0FBE81 F32040>movsx   eax, byte ptr [ecx+4020F3]       ;  loop over the name; sign-extended, so bytes >= 0x80 count as negative
0040116F   .  83F8 20       cmp     eax, 20                          ;  space (0x20)?
00401172   .  74 07         je      short 0040117B                   ;  yes: skip it (continue)
00401174   .  6BC0 04       imul    eax, eax, 4                      ;  4 * byte
00401177   .  03D8          add     ebx, eax                         ;  sum += 4 * byte (wraps mod 2^32)
00401179   .  8BF3          mov     esi, ebx                         ;  esi = sum (equals ebx once the loop ends)
0040117B   >  41            inc     ecx                              ;  next index
0040117C   .  3B4D FC       cmp     ecx, dword ptr [ebp-4]           ;  all bytes consumed?
0040117F   .^ 75 E7         jnz     short 00401168
00401181   .  83FE 00       cmp     esi, 0                           ;  sum is zero (e.g. name is all spaces)?
00401184   .  74 69         je      short 004011EF                   ;  -> "Nope"
00401186   .  BB 89476500   mov     ebx, 654789                      ;  chain seed 0x654789; ecx still equals the name length here
0040118B      0FBE81 F22040>movsx   eax, byte ptr [ecx+4020F2]       ;  walks the name backwards, but eax is overwritten at 00401193 before use: the byte value never matters
00401192   .  4B            dec     ebx                              ;  ebx = ebx - 1
00401193   .  6BC3 02       imul    eax, ebx, 2                      ;  eax = 2 * ebx
00401196   .  03D8          add     ebx, eax                         ;  ebx = 3 * (ebx - 1)
00401198   .  4B            dec     ebx                              ;  ebx = 3 * (ebx - 1) - 1, once per byte of the name
00401199   .  49            dec     ecx
0040119A   .^ 75 EF         jnz     short 0040118B                   ;  repeats exactly <length> times, so the chain depends on the length only
0040119C   .  56            push    esi                              ; /<%lu>  sum
0040119D   .  53            push    ebx                              ; |<%lX>  chain
0040119E   .  68 C7204000   push    004020C7                         ; |Format = "BS-%lX-%lu"
004011A3   .  68 BB214000   push    004021BB                         ; |s = CrackMe.004021BB   (wsprintfA has no length bound; the output is at most 22 bytes + NUL here, buffer size not visible in this listing)
004011A8   .  E8 6C000000   call    <jmp.&USER32.wsprintfA>          ; \wsprintfA
004011AD   .  58            pop     eax                              ;  caller pops the 4 cdecl arguments
004011AE   .  58            pop     eax
004011AF   .  58            pop     eax
004011B0   .  58            pop     eax
004011B1   .  E8 01000000   call    004011B7                         ;  compare the typed serial with the generated one
004011B6   .  C3            retn
004011B7   $  33C9          xor     ecx, ecx
004011B9   .  6A 32         push    32                               ; /Count = 32 (50.)
004011BB   .  68 57214000   push    00402157                         ; |Buffer = CrackMe.00402157
004011C0   .  68 C9000000   push    0C9                              ; |ControlID = C9 (201.)
004011C5   .  FF75 08       push    dword ptr [ebp+8]                ; |hWnd
004011C8   .  E8 5E000000   call    <jmp.&USER32.GetDlgItemTextA>    ; \GetDlgItemTextA
004011CD   .  83F8 00       cmp     eax, 0                           ;  serial empty?
004011D0   .  74 1D         je      short 004011EF                   ;  -> "Nope"
004011D2   .  33C9          xor     ecx, ecx                         ;  ecx = byte index
004011D4   >  0FBE81 572140>movsx   eax, byte ptr [ecx+402157]       ;  byte of the typed serial
004011DB   .  0FBE99 BB2140>movsx   ebx, byte ptr [ecx+4021BB]       ;  byte of the generated serial
004011E2   .  3BC3          cmp     eax, ebx                         ;  mismatch?
004011E4   .  75 09         jnz     short 004011EF                   ;  -> "Nope"
004011E6   .  83F8 00       cmp     eax, 0                           ;  both at the NUL: strings identical, length included
004011E9   .  74 19         je      short 00401204                   ;  -> "Solved"
004011EB   .  41            inc     ecx
004011EC   .^ EB E6         jmp     short 004011D4
004011EE   .  C3            retn                                     ;  never reached: the loop above only exits through the jumps
004011EF   >  6A 10         push    10                               ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011F1   .  68 E4204000   push    004020E4                         ; |Title = "Nope"
004011F6   .  68 E9204000   push    004020E9                         ; |Text = "Try again"
004011FB   .  FF75 08       push    dword ptr [ebp+8]                ; |hOwner
004011FE   .  E8 34000000   call    <jmp.&USER32.MessageBoxA>        ; \MessageBoxA
00401203   .  C3            retn
00401204   >  6A 40         push    40                               ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401206   .  68 D2204000   push    004020D2                         ; |Title = "Solved"
0040120B   .  68 D9204000   push    004020D9                         ; |Text = "Well done."
00401210   .  FF75 08       push    dword ptr [ebp+8]                ; |hOwner
00401213   .  E8 1F000000   call    <jmp.&USER32.MessageBoxA>        ; \MessageBoxA
00401218   .  C3            retn

从上面的反汇编可以归纳出算法:序列号格式为 `BS-%lX-%lu`。`%lu` 是用户名中除空格(0x20)以外每个字节乘 4 的累加和(movsx 做符号扩展,结果按 32 位回绕;和为 0 时程序直接报错);`%lX` 是以 0x654789 为初值、对用户名的每个字节执行一次 x = (x - 1) * 3 - 1 得到的值——第二个循环读出的字符在 00401193 处就被覆盖,实际只与长度有关。另外程序用 GetDlgItemTextA(Count = 50) 读取用户名,最多只取前 49 个字节。打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,将OnBtnDecrypt函数编辑如下:

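void CKengen_TemplateDlg::OnBtnDecrypt() 
{
    // Keygen for "CM1 by Bad Sector": rebuilds the serial the target computes
    // at 00401139-004011A8 from the name in IDC_EDIT_NAME and shows it in
    // IDC_EDIT_PASSWORD.
    //
    // Serial layout is "BS-%lX-%lu" (wsprintfA at 004011A8):
    //   - %lX: start from 0x654789 and apply x = (x - 1) * 3 - 1 once per
    //          byte of the name (the byte the target loads at 0040118B is
    //          overwritten before use, so only the length matters);
    //   - %lu: sum of 4 * c over every byte c of the name, skipping 0x20
    //          (spaces); c is sign-extended (movsx), so bytes >= 0x80 add a
    //          negative value and the total wraps mod 2^32.
    //
    // Mirrored from the target (see the listing):
    //   - names shorter than 4 bytes and names whose sum is 0 (e.g. all
    //     spaces) are rejected at 00401156 / 00401181, so they are reported
    //     as invalid here instead of producing a serial the target refuses;
    //   - the name is read with GetDlgItemTextA(Count = 50), i.e. the target
    //     only ever sees the first 49 bytes, so longer names are cut the
    //     same way here;
    //   - the target hashes bytes while this code hashes TCHARs, so the two
    //     only agree for an MBCS build (or ASCII-only names) -- TODO confirm
    //     the project's character set.
    const int kMaxNameLen = 49;                     // GetDlgItemTextA(Count = 50) minus the NUL

    CString str;
    GetDlgItemText( IDC_EDIT_NAME,str );
    int len = str.GetLength();
    if ( len > kMaxNameLen )
        len = kMaxNameLen;

    if ( len < 4 ){                                 // 00401156: cmp eax, 4 / jb fail (covers the empty name too)
        MessageBox( "用户名格式错误!" );
        return;
    }

    // First loop (00401168-0040117F): sum of 4 * char over the non-space chars.
    DWORD Res = 0;
    for ( int i = 0 ; i < len ; i++ ){
        if ( str.GetAt( i ) == 0x20 )
            continue;

        Res += str.GetAt( i ) * 4;                  // char -> int is sign-extending, like movsx
    }
    if ( Res == 0 ){                                // 00401181: cmp esi, 0 / je fail
        MessageBox( "用户名格式错误!" );
        return;
    }

    // Second loop (0040118B-0040119A): runs exactly len times; the char value
    // is never used. A separate loop variable avoids relying on the old
    // MSVC "for-scope leak" that the previous version needed.
    DWORD ReverseRes = 0x654789;
    for ( int j = 0 ; j < len ; j++ ){
        --ReverseRes;
        ReverseRes += ( ReverseRes * 2 );
        --ReverseRes;
    }

    CString PassWord;
    PassWord.Format( "BS-%lX-%lu",ReverseRes,Res );
    SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
}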

再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("Keygen"));

运行效果: