New CrackMe160, No. 007 - Reg
This is a Delphi program. Opening it in DeDe shows a hidden button: its Left is 536 while the form's Width is 352, so the button sits past the right edge of the form. So we use UE to change the form width to 652 (0x28c).
At file offset 006D17Fh, change 60 01 to 8C 02, save, and restart the program; the hidden control is now visible. At this point the program is already cracked, because the hidden control is the serial-number generator.
The date format is 6-digit yyMMdd, e.g. 240101 => 2024-01-01
The above is a shortcut; next, the proper way.
DeDe shows a FormCreate event whose source is fairly simple: the program reads the username and serial number from the file reg.dll, then calls the key verification algorithm at call 0045D0F4.
Double-click into that routine. At 0045D13F we see the serial must be 0x10 (16) characters long. Over 0045D14D ~ 004516C the author runs a loop of odd operations whose purpose I cannot make out; I think it is a decoy algorithm
meant to confuse us, because after its 17 iterations nothing comes of it. Continue on to 0045D17F call 0045CC34, which parses the date string out of the serial (this is also a key routine and needs to be analyzed). Once the date string is obtained,
the most important routine follows right away: 0045D1A1 call 0045C5E0, whose inputs are the username and the date string (from the shortcut above we know that the serial generator behind the author's hidden button
is exactly this key call).
Next we go into these two key routines in turn:
0045D17F call 0045CC34
0045D1A1 call 0045C5E0
Example used in the analysis below: UserName=Reg, UN=0217C3C4A1B75C26
First routine:
0045CC62 ~ 0045CC94: starting at the 5th character of the serial, take 2 characters: C3; prefix with $ and convert to the number 0xC3, then to the binary string 11000011
0045CC9C ~ 0045CCCE: likewise, starting at the 3rd character take 2 characters: 17; prefix with $ to get the number 0x17, then the binary string 00010111
0045CCD5: concatenate the two strings: 0001011111000011 (0x17C3)
Index the positions to line up the subscripts:
0001011111000011
0123456789abcdef
0045CCE0 ~ 0045 : take the bits of the string above one by one and reassemble them:
s[0]+s[1]+s[8]+s[9]+s[a]+s[2]+s[3]+s[4]+s[b]+s[c]+s[5]+s[6]+s[d]+s[e]+s[f]+s[7]
= 0011001000110111
0045CF8B ~ 0045CFBE: from position 1 of the string above take 7 bits and convert to a number: 25
0045CFC7 ~ 0045CFFA: from position 8 take 4 bits and convert to a number: 01
0045D003 ~ 0045D036: from position c take 5 bits and convert to a number: 23
0045D036: year = 25 + 2000 = 2025
That gives the date string.
Second routine: the code is a bit long, so just read the comments.
0045C5E0 /$ 55 push ebp
0045C5E1 |. 8BEC mov ebp,esp
0045C5E3 |. 51 push ecx
0045C5E4 |. B9 1C000000 mov ecx,0x1C
0045C5E9 |> 6A 00 /push 0x0
0045C5EB |. 6A 00 |push 0x0
0045C5ED |. 49 |dec ecx
0045C5EE |.^ 75 F9 \jnz short Reg.0045C5E9
0045C5F0 |. 874D FC xchg [local.1],ecx
0045C5F3 |. 53 push ebx
0045C5F4 |. 56 push esi
0045C5F5 |. 57 push edi ; Reg.0045C3E8
0045C5F6 |. 894D F4 mov [local.3],ecx
0045C5F9 |. 8955 F8 mov [local.2],edx
0045C5FC |. 8945 FC mov [local.1],eax
0045C5FF |. 8B45 FC mov eax,[local.1]
0045C602 |. E8 0982FAFF call Reg.00404810
0045C607 |. 8B45 F8 mov eax,[local.2]
0045C60A |. E8 0182FAFF call Reg.00404810
0045C60F |. 33C0 xor eax,eax
0045C611 |. 55 push ebp
0045C612 |. 68 25CC4500 push Reg.0045CC25
0045C617 |. 64:FF30 push dword ptr fs:[eax]
0045C61A |. 64:8920 mov dword ptr fs:[eax],esp
0045C61D |. 8D55 B8 lea edx,[local.18]
0045C620 |. 8B45 FC mov eax,[local.1]
0045C623 |. E8 14F8FFFF call <Reg.生成MD5串> ; get str1
0045C628 |. 8D45 B8 lea eax,[local.18]
0045C62B |. 8D55 E4 lea edx,[local.7]
0045C62E |. E8 7DF8FFFF call Reg.0045BEB0 ; hex to string
0045C633 |. 8D55 B8 lea edx,[local.18]
0045C636 |. 8B45 F8 mov eax,[local.2]
0045C639 |. E8 FEF7FFFF call <Reg.生成MD5串> ; get str2
0045C63E |. 8D45 B8 lea eax,[local.18]
0045C641 |. 8D55 E0 lea edx,[local.8]
0045C644 |. E8 67F8FFFF call Reg.0045BEB0
0045C649 |. 8D45 B4 lea eax,[local.19]
0045C64C |. 8B4D E0 mov ecx,[local.8]
0045C64F |. 8B55 E4 mov edx,[local.7]
0045C652 |. E8 1580FAFF call Reg.0040466C ; str1 + str2
0045C657 |. 8B45 B4 mov eax,[local.19]
0045C65A |. 8D55 B8 lea edx,[local.18]
0045C65D |. E8 DAF7FFFF call <Reg.生成MD5串> ; get str3
0045C662 |. 8D45 B8 lea eax,[local.18]
0045C665 |. 8D55 E8 lea edx,[local.6]
0045C668 |. E8 43F8FFFF call Reg.0045BEB0
0045C66D |. 8D45 F0 lea eax,[local.4]
0045C670 |. 8B55 F8 mov edx,[local.2]
0045C673 |. E8 807DFAFF call Reg.004043F8
0045C678 |. 8D45 B0 lea eax,[local.20]
0045C67B |. 50 push eax
0045C67C |. B9 02000000 mov ecx,0x2
0045C681 |. BA 01000000 mov edx,0x1
0045C686 |. 8B45 F0 mov eax,[local.4]
0045C689 |. E8 F281FAFF call Reg.00404880
0045C68E |. 8B45 B0 mov eax,[local.20] ; year
0045C691 |. E8 92BEFAFF call Reg.00408528
0045C696 |. 8BD8 mov ebx,eax
0045C698 |. 8D45 AC lea eax,[local.21]
0045C69B |. 50 push eax
0045C69C |. B9 02000000 mov ecx,0x2
0045C6A1 |. BA 03000000 mov edx,0x3
0045C6A6 |. 8B45 F0 mov eax,[local.4]
0045C6A9 |. E8 D281FAFF call Reg.00404880
0045C6AE |. 8B45 AC mov eax,[local.21] ; month
0045C6B1 |. E8 72BEFAFF call Reg.00408528
0045C6B6 |. 8BF0 mov esi,eax
0045C6B8 |. 8D45 A8 lea eax,[local.22]
0045C6BB |. 50 push eax
0045C6BC |. B9 02000000 mov ecx,0x2
0045C6C1 |. BA 05000000 mov edx,0x5
0045C6C6 |. 8B45 F0 mov eax,[local.4]
0045C6C9 |. E8 B281FAFF call Reg.00404880
0045C6CE |. 8B45 A8 mov eax,[local.22] ; day
0045C6D1 |. E8 52BEFAFF call Reg.00408528
0045C6D6 |. 8BF8 mov edi,eax
0045C6D8 |. 8D45 A4 lea eax,[local.23]
0045C6DB |. 50 push eax
0045C6DC |. 8D55 A0 lea edx,[local.24]
0045C6DF |. 8BC3 mov eax,ebx
0045C6E1 |. E8 5EF9FFFF call Reg.0045C044
0045C6E6 |. 8B45 A0 mov eax,[local.24] ; year to binary: 25 = 00011001
0045C6E9 |. B9 07000000 mov ecx,0x7
0045C6EE |. BA 02000000 mov edx,0x2
0045C6F3 |. E8 8881FAFF call Reg.00404880
0045C6F8 |. FF75 A4 push [local.23] ; 7 bits taken from the binary year = 0011001
0045C6FB |. 8D45 9C lea eax,[local.25]
0045C6FE |. 50 push eax
0045C6FF |. 8D55 98 lea edx,[local.26]
0045C702 |. 8BC6 mov eax,esi
0045C704 |. E8 3BF9FFFF call Reg.0045C044
0045C709 |. 8B45 98 mov eax,[local.26] ; month to binary: 01 = 00000001
0045C70C |. B9 04000000 mov ecx,0x4
0045C711 |. BA 05000000 mov edx,0x5
0045C716 |. E8 6581FAFF call Reg.00404880
0045C71B |. FF75 9C push [local.25] ; last 4 bits of the binary month = 0001
0045C71E |. 8D45 94 lea eax,[local.27]
0045C721 |. 50 push eax
0045C722 |. 8D55 90 lea edx,[local.28]
0045C725 |. 8BC7 mov eax,edi ; Reg.0045C3E8
0045C727 |. E8 18F9FFFF call Reg.0045C044
0045C72C |. 8B45 90 mov eax,[local.28] ; day to binary: 23 = 00010111
0045C72F |. B9 05000000 mov ecx,0x5
0045C734 |. BA 04000000 mov edx,0x4
0045C739 |. E8 4281FAFF call Reg.00404880
0045C73E |. FF75 94 push [local.27] ; 5 bits taken from the binary day = 10111
0045C741 |. 8D45 EC lea eax,[local.5]
0045C744 |. BA 03000000 mov edx,0x3
0045C749 |. E8 927FFAFF call Reg.004046E0
0045C74E |. 8D45 84 lea eax,[local.31]
0045C751 |. 8B55 EC mov edx,[local.5] ; the three concatenated = 0011001000110111 (edx)
0045C754 |. 8A52 02 mov dl,byte ptr ds:[edx+0x2]
0045C757 |. 8850 01 mov byte ptr ds:[eax+0x1],dl ; edx[2]
0045C75A |. C600 01 mov byte ptr ds:[eax],0x1
0045C75D |. 8D55 84 lea edx,[local.31]
0045C760 |. 8D45 80 lea eax,[local.32]
0045C763 |. E8 4C66FAFF call Reg.00402DB4
0045C768 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C76E |. 8B55 EC mov edx,[local.5]
0045C771 |. 8A52 03 mov dl,byte ptr ds:[edx+0x3]
0045C774 |. 8850 01 mov byte ptr ds:[eax+0x1],dl ; edx[3]
0045C777 |. C600 01 mov byte ptr ds:[eax],0x1
0045C77A |. 8D95 7CFFFFFF lea edx,[local.33]
0045C780 |. 8D45 80 lea eax,[local.32]
0045C783 |. B1 02 mov cl,0x2
0045C785 |. E8 FA65FAFF call Reg.00402D84
0045C78A |. 8D55 80 lea edx,[local.32]
0045C78D |. 8D85 78FFFFFF lea eax,[local.34]
0045C793 |. E8 1C66FAFF call Reg.00402DB4
0045C798 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C79E |. 8B55 EC mov edx,[local.5]
0045C7A1 |. 8A52 04 mov dl,byte ptr ds:[edx+0x4]
0045C7A4 |. 8850 01 mov byte ptr ds:[eax+0x1],dl ; edx[4]
0045C7A7 |. C600 01 mov byte ptr ds:[eax],0x1
0045C7AA |. 8D95 7CFFFFFF lea edx,[local.33]
0045C7B0 |. 8D85 78FFFFFF lea eax,[local.34]
0045C7B6 |. B1 03 mov cl,0x3
0045C7B8 |. E8 C765FAFF call Reg.00402D84
0045C7BD |. 8D95 78FFFFFF lea edx,[local.34]
0045C7C3 |. 8D85 70FFFFFF lea eax,[local.36]
0045C7C9 |. E8 E665FAFF call Reg.00402DB4
0045C7CE |. 8D85 7CFFFFFF lea eax,[local.33]
0045C7D4 |. 8B55 EC mov edx,[local.5]
0045C7D7 |. 8A52 08 mov dl,byte ptr ds:[edx+0x8]
0045C7DA |. 8850 01 mov byte ptr ds:[eax+0x1],dl ; edx[8]
0045C7DD |. C600 01 mov byte ptr ds:[eax],0x1
0045C7E0 |. 8D95 7CFFFFFF lea edx,[local.33]
0045C7E6 |. 8D85 70FFFFFF lea eax,[local.36]
0045C7EC |. B1 04 mov cl,0x4
0045C7EE |. E8 9165FAFF call Reg.00402D84
0045C7F3 |. 8D95 70FFFFFF lea edx,[local.36]
0045C7F9 |. 8D85 68FFFFFF lea eax,[local.38]
0045C7FF |. E8 B065FAFF call Reg.00402DB4
0045C804 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C80A |. 8B55 EC mov edx,[local.5]
0045C80D |. 8A52 09 mov dl,byte ptr ds:[edx+0x9] ; edx[9]
0045C810 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C813 |. C600 01 mov byte ptr ds:[eax],0x1
0045C816 |. 8D95 7CFFFFFF lea edx,[local.33]
0045C81C |. 8D85 68FFFFFF lea eax,[local.38]
0045C822 |. B1 05 mov cl,0x5
0045C824 |. E8 5B65FAFF call Reg.00402D84
0045C829 |. 8D95 68FFFFFF lea edx,[local.38]
0045C82F |. 8D85 60FFFFFF lea eax,[local.40]
0045C835 |. E8 7A65FAFF call Reg.00402DB4
0045C83A |. 8D85 7CFFFFFF lea eax,[local.33]
0045C840 |. 8B55 EC mov edx,[local.5]
0045C843 |. 8A52 0C mov dl,byte ptr ds:[edx+0xC] ; edx[c]
0045C846 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C849 |. C600 01 mov byte ptr ds:[eax],0x1
0045C84C |. 8D95 7CFFFFFF lea edx,[local.33]
0045C852 |. 8D85 60FFFFFF lea eax,[local.40]
0045C858 |. B1 06 mov cl,0x6
0045C85A |. E8 2565FAFF call Reg.00402D84
0045C85F |. 8D95 60FFFFFF lea edx,[local.40]
0045C865 |. 8D85 58FFFFFF lea eax,[local.42]
0045C86B |. E8 4465FAFF call Reg.00402DB4
0045C870 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C876 |. 8B55 EC mov edx,[local.5]
0045C879 |. 8A52 0D mov dl,byte ptr ds:[edx+0xD] ; edx[d]
0045C87C |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C87F |. C600 01 mov byte ptr ds:[eax],0x1
0045C882 |. 8D95 7CFFFFFF lea edx,[local.33]
0045C888 |. 8D85 58FFFFFF lea eax,[local.42]
0045C88E |. B1 07 mov cl,0x7
0045C890 |. E8 EF64FAFF call Reg.00402D84
0045C895 |. 8D95 58FFFFFF lea edx,[local.42]
0045C89B |. 8D85 4CFFFFFF lea eax,[local.45]
0045C8A1 |. E8 0E65FAFF call Reg.00402DB4
0045C8A6 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C8AC |. 8B55 EC mov edx,[local.5]
0045C8AF |. 8A52 0E mov dl,byte ptr ds:[edx+0xE] ; edx[e]
0045C8B2 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C8B5 |. C600 01 mov byte ptr ds:[eax],0x1
0045C8B8 |. 8D95 7CFFFFFF lea edx,[local.33]
0045C8BE |. 8D85 4CFFFFFF lea eax,[local.45]
0045C8C4 |. B1 08 mov cl,0x8
0045C8C6 |. E8 B964FAFF call Reg.00402D84
0045C8CB |. 8D95 4CFFFFFF lea edx,[local.45]
0045C8D1 |. 8D45 88 lea eax,[local.30]
0045C8D4 |. E8 EB7CFAFF call Reg.004045C4
0045C8D9 |. 8B45 88 mov eax,[local.30]
0045C8DC |. E8 B3F6FFFF call Reg.0045BF94
0045C8E1 |. 8D4D 8C lea ecx,[local.29]
0045C8E4 |. BA 02000000 mov edx,0x2
0045C8E9 |. E8 12BCFAFF call Reg.00408500
0045C8EE |. 8B45 8C mov eax,[local.29] ; [2,3,4,8,9,c,d,e] 11000011 = 195 = 0xC3
0045C8F1 |. 50 push eax
0045C8F2 |. 8D45 84 lea eax,[local.31]
0045C8F5 |. 8B55 EC mov edx,[local.5]
0045C8F8 |. 8A12 mov dl,byte ptr ds:[edx] ; edx[0]
0045C8FA |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C8FD |. C600 01 mov byte ptr ds:[eax],0x1
0045C900 |. 8D55 84 lea edx,[local.31]
0045C903 |. 8D45 80 lea eax,[local.32]
0045C906 |. E8 A964FAFF call Reg.00402DB4
0045C90B |. 8D85 7CFFFFFF lea eax,[local.33]
0045C911 |. 8B55 EC mov edx,[local.5]
0045C914 |. 8A52 01 mov dl,byte ptr ds:[edx+0x1] ; edx[1]
0045C917 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C91A |. C600 01 mov byte ptr ds:[eax],0x1
0045C91D |. 8D95 7CFFFFFF lea edx,[local.33]
0045C923 |. 8D45 80 lea eax,[local.32]
0045C926 |. B1 02 mov cl,0x2
0045C928 |. E8 5764FAFF call Reg.00402D84
0045C92D |. 8D55 80 lea edx,[local.32]
0045C930 |. 8D85 78FFFFFF lea eax,[local.34]
0045C936 |. E8 7964FAFF call Reg.00402DB4
0045C93B |. 8D85 7CFFFFFF lea eax,[local.33]
0045C941 |. 8B55 EC mov edx,[local.5]
0045C944 |. 8A52 05 mov dl,byte ptr ds:[edx+0x5] ; edx[5]
0045C947 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C94A |. C600 01 mov byte ptr ds:[eax],0x1
0045C94D |. 8D95 7CFFFFFF lea edx,[local.33]
0045C953 |. 8D85 78FFFFFF lea eax,[local.34]
0045C959 |. B1 03 mov cl,0x3
0045C95B |. E8 2464FAFF call Reg.00402D84
0045C960 |. 8D95 78FFFFFF lea edx,[local.34]
0045C966 |. 8D85 70FFFFFF lea eax,[local.36]
0045C96C |. E8 4364FAFF call Reg.00402DB4
0045C971 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C977 |. 8B55 EC mov edx,[local.5]
0045C97A |. 8A52 06 mov dl,byte ptr ds:[edx+0x6] ; edx[6]
0045C97D |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C980 |. C600 01 mov byte ptr ds:[eax],0x1
0045C983 |. 8D95 7CFFFFFF lea edx,[local.33]
0045C989 |. 8D85 70FFFFFF lea eax,[local.36]
0045C98F |. B1 04 mov cl,0x4
0045C991 |. E8 EE63FAFF call Reg.00402D84
0045C996 |. 8D95 70FFFFFF lea edx,[local.36]
0045C99C |. 8D85 68FFFFFF lea eax,[local.38]
0045C9A2 |. E8 0D64FAFF call Reg.00402DB4
0045C9A7 |. 8D85 7CFFFFFF lea eax,[local.33]
0045C9AD |. 8B55 EC mov edx,[local.5]
0045C9B0 |. 8A52 07 mov dl,byte ptr ds:[edx+0x7] ; edx[7]
0045C9B3 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C9B6 |. C600 01 mov byte ptr ds:[eax],0x1
0045C9B9 |. 8D95 7CFFFFFF lea edx,[local.33]
0045C9BF |. 8D85 68FFFFFF lea eax,[local.38]
0045C9C5 |. B1 05 mov cl,0x5
0045C9C7 |. E8 B863FAFF call Reg.00402D84
0045C9CC |. 8D95 68FFFFFF lea edx,[local.38]
0045C9D2 |. 8D85 60FFFFFF lea eax,[local.40]
0045C9D8 |. E8 D763FAFF call Reg.00402DB4
0045C9DD |. 8D85 7CFFFFFF lea eax,[local.33]
0045C9E3 |. 8B55 EC mov edx,[local.5]
0045C9E6 |. 8A52 0A mov dl,byte ptr ds:[edx+0xA] ; edx[a]
0045C9E9 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045C9EC |. C600 01 mov byte ptr ds:[eax],0x1
0045C9EF |. 8D95 7CFFFFFF lea edx,[local.33]
0045C9F5 |. 8D85 60FFFFFF lea eax,[local.40]
0045C9FB |. B1 06 mov cl,0x6
0045C9FD |. E8 8263FAFF call Reg.00402D84
0045CA02 |. 8D95 60FFFFFF lea edx,[local.40]
0045CA08 |. 8D85 58FFFFFF lea eax,[local.42]
0045CA0E |. E8 A163FAFF call Reg.00402DB4
0045CA13 |. 8D85 7CFFFFFF lea eax,[local.33]
0045CA19 |. 8B55 EC mov edx,[local.5]
0045CA1C |. 8A52 0B mov dl,byte ptr ds:[edx+0xB] ; edx[b]
0045CA1F |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045CA22 |. C600 01 mov byte ptr ds:[eax],0x1
0045CA25 |. 8D95 7CFFFFFF lea edx,[local.33]
0045CA2B |. 8D85 58FFFFFF lea eax,[local.42]
0045CA31 |. B1 07 mov cl,0x7
0045CA33 |. E8 4C63FAFF call Reg.00402D84
0045CA38 |. 8D95 58FFFFFF lea edx,[local.42]
0045CA3E |. 8D85 4CFFFFFF lea eax,[local.45]
0045CA44 |. E8 6B63FAFF call Reg.00402DB4
0045CA49 |. 8D85 7CFFFFFF lea eax,[local.33]
0045CA4F |. 8B55 EC mov edx,[local.5]
0045CA52 |. 8A52 0F mov dl,byte ptr ds:[edx+0xF] ; edx[f]
0045CA55 |. 8850 01 mov byte ptr ds:[eax+0x1],dl
0045CA58 |. C600 01 mov byte ptr ds:[eax],0x1
0045CA5B |. 8D95 7CFFFFFF lea edx,[local.33]
0045CA61 |. 8D85 4CFFFFFF lea eax,[local.45]
0045CA67 |. B1 08 mov cl,0x8
0045CA69 |. E8 1663FAFF call Reg.00402D84
0045CA6E |. 8D95 4CFFFFFF lea edx,[local.45]
0045CA74 |. 8D85 44FFFFFF lea eax,[local.47]
0045CA7A |. E8 457BFAFF call Reg.004045C4
0045CA7F |. 8B85 44FFFFFF mov eax,[local.47]
0045CA85 |. E8 0AF5FFFF call Reg.0045BF94
0045CA8A |. 8D8D 48FFFFFF lea ecx,[local.46]
0045CA90 |. BA 02000000 mov edx,0x2
0045CA95 |. E8 66BAFAFF call Reg.00408500
0045CA9A |. 8B95 48FFFFFF mov edx,[local.46] ; [0,1,5,6,7,a,b,f] 00010111 = 23 = 0x17
0045CAA0 |. 8D45 DC lea eax,[local.9]
0045CAA3 |. 59 pop ecx ; 0019FD44
0045CAA4 |. E8 C37BFAFF call Reg.0040466C
0045CAA9 |. 8D85 40FFFFFF lea eax,[local.48]
0045CAAF |. 8B4D E4 mov ecx,[local.7]
0045CAB2 |. 8B55 DC mov edx,[local.9] ; encoded date: 17C3
0045CAB5 |. E8 B27BFAFF call Reg.0040466C
0045CABA |. 8B85 40FFFFFF mov eax,[local.48] ; date string concatenated with a fixed string
0045CAC0 |. 8D55 D8 lea edx,[local.10]
0045CAC3 |. E8 7CF7FFFF call <Reg.得到2位值> ; get 2-char value = 02, purpose unknown
0045CAC8 |. 8D45 D4 lea eax,[local.11]
0045CACB |. 50 push eax
0045CACC |. 8D85 38FFFFFF lea eax,[local.50]
0045CAD2 |. 8B4D D8 mov ecx,[local.10]
0045CAD5 |. 8B55 DC mov edx,[local.9]
0045CAD8 |. E8 8F7BFAFF call Reg.0040466C
0045CADD |. 8B85 38FFFFFF mov eax,[local.50] ; concatenated string = 17C302
0045CAE3 |. 8D55 B8 lea edx,[local.18]
0045CAE6 |. E8 51F3FFFF call <Reg.生成MD5串> ; get str4
0045CAEB |. 8D45 B8 lea eax,[local.18]
0045CAEE |. 8D95 3CFFFFFF lea edx,[local.49]
0045CAF4 |. E8 B7F3FFFF call Reg.0045BEB0
0045CAF9 |. 8B85 3CFFFFFF mov eax,[local.49] ; str4
0045CAFF |. B9 02000000 mov ecx,0x2
0045CB04 |. BA 08000000 mov edx,0x8
0045CB09 |. E8 727DFAFF call Reg.00404880 ; get c4
0045CB0E |. 8D85 34FFFFFF lea eax,[local.51]
0045CB14 |. 8B4D E8 mov ecx,[local.6] ; str1
0045CB17 |. 8B55 E4 mov edx,[local.7] ; str3
0045CB1A |. E8 4D7BFAFF call Reg.0040466C
0045CB1F |. 8B85 34FFFFFF mov eax,[local.51] ; str1 + str3
0045CB25 |. 8D55 D0 lea edx,[local.12]
0045CB28 |. E8 17F7FFFF call <Reg.得到2位值> ; get 2-char value = B7
0045CB2D |. 8D85 30FFFFFF lea eax,[local.52]
0045CB33 |. 8B4D E8 mov ecx,[local.6]
0045CB36 |. 8B55 E0 mov edx,[local.8] ; str2
0045CB39 |. E8 2E7BFAFF call Reg.0040466C
0045CB3E |. 8B85 30FFFFFF mov eax,[local.52] ; str2 + str3
0045CB44 |. 8D55 CC lea edx,[local.13]
0045CB47 |. E8 F8F6FFFF call <Reg.得到2位值> ; get 2-char value = 26
0045CB4C |. FF75 D8 push [local.10]
0045CB4F |. FF75 DC push [local.9]
0045CB52 |. FF75 D4 push [local.11]
0045CB55 |. 8D85 28FFFFFF lea eax,[local.54]
0045CB5B |. 8B55 E8 mov edx,[local.6]
0045CB5E |. 8A52 07 mov dl,byte ptr ds:[edx+0x7]
0045CB61 |. E8 E279FAFF call Reg.00404548
0045CB66 |. FFB5 28FFFFFF push [local.54] ; edx[7] = a
0045CB6C |. 8D85 24FFFFFF lea eax,[local.55]
0045CB72 |. 8B55 E8 mov edx,[local.6]
0045CB75 |. 8A52 0E mov dl,byte ptr ds:[edx+0xE] ; edx[e] = 1
0045CB78 |. E8 CB79FAFF call Reg.00404548
0045CB7D |. FFB5 24FFFFFF push [local.55]
0045CB83 |. FF75 D0 push [local.12] ; B7, presumably from the call above
0045CB86 |. 8D85 20FFFFFF lea eax,[local.56]
0045CB8C |. 8B55 E8 mov edx,[local.6]
0045CB8F |. 8A52 17 mov dl,byte ptr ds:[edx+0x17] ; edx[17] = 5
0045CB92 |. E8 B179FAFF call Reg.00404548
0045CB97 |. FFB5 20FFFFFF push [local.56]
0045CB9D |. 8D85 1CFFFFFF lea eax,[local.57]
0045CBA3 |. 8B55 E8 mov edx,[local.6]
0045CBA6 |. 8A52 0B mov dl,byte ptr ds:[edx+0xB] ; edx[b] = c
0045CBA9 |. E8 9A79FAFF call Reg.00404548
0045CBAE |. FFB5 1CFFFFFF push [local.57]
0045CBB4 |. FF75 CC push [local.13] ; 26
0045CBB7 |. 8D85 2CFFFFFF lea eax,[local.53]
0045CBBD |. BA 09000000 mov edx,0x9
0045CBC2 |. E8 197BFAFF call Reg.004046E0
0045CBC7 |. 8B85 2CFFFFFF mov eax,[local.53] ; concatenate everything above = 02 17C3 c4 a1 B7 5c 26
0045CBCD |. 8D55 C8 lea edx,[local.14]
0045CBD0 |. E8 5FB3FAFF call Reg.00407F34
0045CBD5 |. 8B45 F4 mov eax,[local.3]
0045CBD8 |. 8B55 C8 mov edx,[local.14]
0045CBDB |. E8 D477FAFF call Reg.004043B4
0045CBE0 |. 33C0 xor eax,eax
0045CBE2 |. 5A pop edx ; 0019FD44
0045CBE3 |. 59 pop ecx ; 0019FD44
0045CBE4 |. 59 pop ecx ; 0019FD44
0045CBE5 |. 64:8910 mov dword ptr fs:[eax],edx
0045CBE8 |. 68 2CCC4500 push Reg.0045CC2C
0045CBED |> 8D85 1CFFFFFF lea eax,[local.57]
0045CBF3 |. BA 0C000000 mov edx,0xC
0045CBF8 |. E8 8777FAFF call Reg.00404384
0045CBFD |. 8D45 88 lea eax,[local.30]
0045CC00 |. BA 0C000000 mov edx,0xC
0045CC05 |. E8 7A77FAFF call Reg.00404384
0045CC0A |. 8D45 C8 lea eax,[local.14]
0045CC0D |. BA 0B000000 mov edx,0xB
0045CC12 |. E8 6D77FAFF call Reg.00404384
0045CC17 |. 8D45 F8 lea eax,[local.2]
0045CC1A |. BA 02000000 mov edx,0x2
0045CC1F |. E8 6077FAFF call Reg.00404384
0045CC24 \. C3 retn
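The two date transformations analyzed above, the decode in the first routine (0045CC34) and the encode in the second routine (0045C6E6 ~ 0045CAA4), as an added Python example. This is not code from the original post or from the CrackMe author: the bit orders are copied from the analysis above, while the function names, the filler used to build test serials and the exhaustive round-trip check are my own additions.

```python
# Added example: codec for the date field of the Reg serial, built from the
# two bit orders worked out in the analysis (not the CrackMe author's code).

# The page's worked example: UserName=Reg, UN=0217C3C4A1B75C26
SAMPLE_SERIAL = "0217C3C4A1B75C26"

# Routine 0045CC34: s = bin(0x17) + bin(0xC3), then
# t = s[0] s[1] s[8] s[9] s[a] s[2] s[3] s[4] s[b] s[c] s[5] s[6] s[d] s[e] s[f] s[7]
DECODE_ORDER = [0x0, 0x1, 0x8, 0x9, 0xA, 0x2, 0x3, 0x4,
                0xB, 0xC, 0x5, 0x6, 0xD, 0xE, 0xF, 0x7]

# Routine 0045C5E0: from t = year(7 bits) | month(4) | day(5) it builds one byte
# from t[2,3,4,8,9,c,d,e] (0xC3) and another from t[0,1,5,6,7,a,b,f] (0x17),
# and stores the second byte before the first ("17" then "C3").
ENCODE_BYTE_A = [0x2, 0x3, 0x4, 0x8, 0x9, 0xC, 0xD, 0xE]
ENCODE_BYTE_B = [0x0, 0x1, 0x5, 0x6, 0x7, 0xA, 0xB, 0xF]


def decode_date(serial):
    """(year, month, day) from characters 3-6 of a 16-char serial.
    Positions are 1-based, as in the Delphi Copy() calls the routine uses."""
    if len(serial) != 16:
        raise ValueError("serial must be 16 characters")
    s = f"{int(serial[2:4], 16):08b}{int(serial[4:6], 16):08b}"  # "17" + "C3"
    t = "".join(s[i] for i in DECODE_ORDER)                         # bit shuffle
    year = int(t[0:7], 2) + 2000   # position 1, 7 bits
    month = int(t[7:11], 2)        # position 8, 4 bits
    day = int(t[11:16], 2)         # position c, 5 bits
    return year, month, day


def encode_date(year, month, day):
    """The 4 hex characters the generator places at serial characters 3-6."""
    if not (2000 <= year <= 2127 and 1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("date does not fit the 7/4/5-bit fields")
    t = f"{year - 2000:07b}{month:04b}{day:05b}"  # e.g. 0011001 0001 10111
    byte_a = int("".join(t[i] for i in ENCODE_BYTE_A), 2)  # 0xC3 for 2025-01-23
    byte_b = int("".join(t[i] for i in ENCODE_BYTE_B), 2)  # 0x17
    return f"{byte_b:02X}{byte_a:02X}"


def roundtrip_all():
    """True if every date in the field ranges survives encode -> decode, i.e.
    the two bit orders read out of the two routines are exact inverses."""
    for y in range(2000, 2128):
        for m in range(1, 13):
            for d in range(1, 32):
                # constructed filler around the date field; only chars 3-6 matter
                serial = "00" + encode_date(y, m, d) + "0" * 10
                if decode_date(serial) != (y, m, d):
                    return False
    return True


if __name__ == "__main__":
    print(decode_date(SAMPLE_SERIAL))   # (2025, 1, 23)
    print(encode_date(2025, 1, 23))     # 17C3
    print(roundtrip_all())              # True
```

The round trip succeeding for all 47,616 field values confirms the two permutations are inverses and that the date field is a keyless bit shuffle: on its own it only obscures the date, and the binding to the username happens later, where "17C3" plus the 2-char value is fed into MD5 to produce str4.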
With that, the two key algorithms are fully analyzed. Recognizing the MD5 algorithm takes some background in algorithms; without it this program is hard to solve. The two telltale signs are:
1. the result is 32 characters long; 2. inside there are four functions, each executed 16 times
...
FF(a, b, c, D, Block[0], 7, $D76AA478);
FF(D, a, b, c, Block[1], 12, $E8C7B756);
FF(c, D, a, b, Block[2], 17, $242070DB);
FF(b, c, D, a, Block[3], 22, $C1BDCEEE);
FF(a, b, c, D, Block[4], 7, $F57C0FAF);
FF(D, a, b, c, Block[5], 12, $4787C62A);
FF(c, D, a, b, Block[6], 17, $A8304613);
FF(b, c, D, a, Block[7], 22, $FD469501);
FF(a, b, c, D, Block[8], 7, $698098D8);
FF(D, a, b, c, Block[9], 12, $8B44F7AF);
FF(c, D, a, b, Block[10], 17, $FFFF5BB1);
FF(b, c, D, a, Block[11], 22, $895CD7BE);
FF(a, b, c, D, Block[12], 7, $6B901122);
FF(D, a, b, c, Block[13], 12, $FD987193);
FF(c, D, a, b, Block[14], 17, $A679438E);
FF(b, c, D, a, Block[15], 22, $49B40821);
GG(a, b, c, D, Block[1], 5, $F61E2562);
GG(D, a, b, c, Block[6], 9, $C040B340);
GG(c, D, a, b, Block[11], 14, $265E5A51);
GG(b, c, D, a, Block[0], 20, $E9B6C7AA);
GG(a, b, c, D, Block[5], 5, $D62F105D);
GG(D, a, b, c, Block[10], 9, $2441453);
GG(c, D, a, b, Block[15], 14, $D8A1E681);
GG(b, c, D, a, Block[4], 20, $E7D3FBC8);
GG(a, b, c, D, Block[9], 5, $21E1CDE6);
GG(D, a, b, c, Block[14], 9, $C33707D6);
GG(c, D, a, b, Block[3], 14, $F4D50D87);
GG(b, c, D, a, Block[8], 20, $455A14ED);
GG(a, b, c, D, Block[13], 5, $A9E3E905);
GG(D, a, b, c, Block[2], 9, $FCEFA3F8);
GG(c, D, a, b, Block[7], 14, $676F02D9);
GG(b, c, D, a, Block[12], 20, $8D2A4C8A);
HH(a, b, c, D, Block[5], 4, $FFFA3942);
HH(D, a, b, c, Block[8], 11, $8771F681);
HH(c, D, a, b, Block[11], 16, $6D9D6122);
HH(b, c, D, a, Block[14], 23, $FDE5380C);
HH(a, b, c, D, Block[1], 4, $A4BEEA44);
HH(D, a, b, c, Block[4], 11, $4BDECFA9);
HH(c, D, a, b, Block[7], 16, $F6BB4B60);
HH(b, c, D, a, Block[10], 23, $BEBFBC70);
HH(a, b, c, D, Block[13], 4, $289B7EC6);
HH(D, a, b, c, Block[0], 11, $EAA127FA);
HH(c, D, a, b, Block[3], 16, $D4EF3085);
HH(b, c, D, a, Block[6], 23, $4881D05);
HH(a, b, c, D, Block[9], 4, $D9D4D039);
HH(D, a, b, c, Block[12], 11, $E6DB99E5);
HH(c, D, a, b, Block[15], 16, $1FA27CF8);
HH(b, c, D, a, Block[2], 23, $C4AC5665);
II(a, b, c, D, Block[0], 6, $F4292244);
II(D, a, b, c, Block[7], 10, $432AFF97);
II(c, D, a, b, Block[14], 15, $AB9423A7);
II(b, c, D, a, Block[5], 21, $FC93A039);
II(a, b, c, D, Block[12], 6, $655B59C3);
II(D, a, b, c, Block[3], 10, $8F0CCC92);
II(c, D, a, b, Block[10], 15, $FFEFF47D);
II(b, c, D, a, Block[1], 21, $85845DD1);
II(a, b, c, D, Block[8], 6, $6FA87E4F);
II(D, a, b, c, Block[15], 10, $FE2CE6E0);
II(c, D, a, b, Block[6], 15, $A3014314);
II(b, c, D, a, Block[13], 21, $4E0811A1);
II(a, b, c, D, Block[4], 6, $F7537E82);
II(D, a, b, c, Block[11], 10, $BD3AF235);
II(c, D, a, b, Block[2], 15, $2AD7D2BB);
II(b, c, D, a, Block[9], 21, $EB86D391);
...
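How one would confirm the MD5 identification that the two signs above point at, as an added Python example (not code from the post or from the CrackMe): the 64 round constants and the Block[] order per round are transcribed from the listing, and the script checks them against the MD5 definition T[i] = floor(2^32 * |sin(i)|) and the per-round message schedule. The function names are mine; classify_immediates is a hypothetical helper for running the same constant check over immediates harvested from any other disassembly.

```python
import math

# Added example: MD5 fingerprinting of the FF/GG/HH/II listing above.
# Constants transcribed from the page's listing, in listing order. $2441453 and
# $4881D05 are 0x02441453 and 0x04881D05 (Delphi drops the leading zero).
PAGE_CONSTANTS = [
    0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE, 0xF57C0FAF, 0x4787C62A, 0xA8304613, 0xFD469501,
    0x698098D8, 0x8B44F7AF, 0xFFFF5BB1, 0x895CD7BE, 0x6B901122, 0xFD987193, 0xA679438E, 0x49B40821,
    0xF61E2562, 0xC040B340, 0x265E5A51, 0xE9B6C7AA, 0xD62F105D, 0x02441453, 0xD8A1E681, 0xE7D3FBC8,
    0x21E1CDE6, 0xC33707D6, 0xF4D50D87, 0x455A14ED, 0xA9E3E905, 0xFCEFA3F8, 0x676F02D9, 0x8D2A4C8A,
    0xFFFA3942, 0x8771F681, 0x6D9D6122, 0xFDE5380C, 0xA4BEEA44, 0x4BDECFA9, 0xF6BB4B60, 0xBEBFBC70,
    0x289B7EC6, 0xEAA127FA, 0xD4EF3085, 0x04881D05, 0xD9D4D039, 0xE6DB99E5, 0x1FA27CF8, 0xC4AC5665,
    0xF4292244, 0x432AFF97, 0xAB9423A7, 0xFC93A039, 0x655B59C3, 0x8F0CCC92, 0xFFEFF47D, 0x85845DD1,
    0x6FA87E4F, 0xFE2CE6E0, 0xA3014314, 0x4E0811A1, 0xF7537E82, 0xBD3AF235, 0x2AD7D2BB, 0xEB86D391,
]

# Block[...] index of the 16 steps of each round, as listed on the page.
PAGE_BLOCK_ORDER = {
    "FF": list(range(16)),
    "GG": [1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12],
    "HH": [5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2],
    "II": [0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9],
}


def md5_sine_table():
    """T[i] = floor(2^32 * |sin(i)|) for i = 1..64: the MD5 round constants."""
    return [int(abs(math.sin(i)) * (1 << 32)) & 0xFFFFFFFF for i in range(1, 65)]


def md5_block_index(round_name, step):
    """Message word consumed at `step` (0-15) of a round: i, 5i+1, 3i+5, 7i mod 16."""
    return {"FF": step, "GG": (5 * step + 1) % 16,
            "HH": (3 * step + 5) % 16, "II": (7 * step) % 16}[round_name]


def classify_immediates(values):
    """Map every 32-bit immediate that is an MD5 constant to its 1-based T index.
    Hypothetical helper: feed it immediates harvested from a disassembly."""
    table = {t: i + 1 for i, t in enumerate(md5_sine_table())}
    return {v: table[v] for v in values if v in table}


def fingerprint_page_listing():
    """Check the page's listing against the MD5 definition on two axes:
    every constant is a T value, in the right order, and the Block[] order
    per round follows the MD5 message schedule."""
    hits = classify_immediates(PAGE_CONSTANTS)
    in_order = [hits.get(v) for v in PAGE_CONSTANTS] == list(range(1, 65))
    schedule_ok = all(PAGE_BLOCK_ORDER[r][s] == md5_block_index(r, s)
                      for r in PAGE_BLOCK_ORDER for s in range(16))
    return {"constants_hit": len(hits), "constants_in_order": in_order,
            "schedule_ok": schedule_ok}


if __name__ == "__main__":
    print(fingerprint_page_listing())
    # {'constants_hit': 64, 'constants_in_order': True, 'schedule_ok': True}
```

A hit on even a few of these constants is a stronger signal than "32-character result plus four functions executed 16 times", since the result length is shared with other 128-bit hashes while the sine-derived constants are distinctive; the first one, $D76AA478, is also a convenient value to search for in the debugger to land directly on the compression function.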
Example:
UserName=Reg
UN=0217C3C4A1B75C26
No need to write a keygen; the author ships one.
Links to the tools used (there are quite a few and they are large; download OD first and the others later): Click here to download
Below is my OD window layout; I think these 4 panes are the most used, the rest I basically never touch~