• 标 题:rOYALaCCEZZ Trial Crackme 3.2 算法分析 (10千字)
  • 作 者:DiKeN
  • 时 间:2002-2-27 21:28:28
  • 链 接:http://bbs.pediy.com

; Caller fragment.  It starts mid-function: the first three arguments of the
; first GetDlgItemTextA call are pushed above this excerpt, so only the last
; push (the dialog HWND in [ebp+08]) is visible.  GetDlgItemTextA returns the
; number of characters copied (excluding the terminating NUL); that count is
; what every check below operates on.
:00401093 FF7508                  push [ebp+08]

* Reference To: USER32.GetDlgItemTextA, Ord:0102h
                                  |
:00401096 E8A1020000              Call 0040133C========>获取Code
; ebx = length of the Code text.  (The check routine later reads the Code
; bytes from 00403084; the buffer address and max length for this call are
; not in the excerpt.)
:0040109B 8BD8                    mov ebx, eax
; GetDlgItemTextA(hDlg, 0x3E8, 00403044 /* Name buffer */, 0x40 max chars)
:0040109D 6A40                    push 00000040
:0040109F 6844304000              push 00403044
:004010A4 68E8030000              push 000003E8
:004010A9 FF7508                  push [ebp+08]

* Reference To: USER32.GetDlgItemTextA, Ord:0102h
                                  |
:004010AC E88B020000              Call 0040133C=======>获取Name
; Name length must lie in [5, 32].  Lengths are unsigned, so jb/ja is the
; correct compare family here.
:004010B1 83F805                  cmp eax, 00000005
:004010B4 7228                    jb 004010DE=======>出错了!
:004010B6 83F820                  cmp eax, 00000020
:004010B9 7723                    ja 004010DE
; An empty Code string is rejected before the check routine is ever called.
:004010BB 0BDB                    or ebx, ebx
:004010BD 741F                    je 004010DE
; check(NameLen, CodeLen): stdcall (ret 8 in the callee).  Pushed right-to-left,
; so inside 00401141 [ebp+08] = NameLen and [ebp+0C] = CodeLen.
; The callee returns eax = 1 only for a valid Name/Code pair.
:004010BF 53                      push ebx
:004010C0 50                      push eax
:004010C1 E87B000000              call 00401141========>计算,注册码就在此
:004010C6 83F801                  cmp eax, 00000001
:004010C9 7513                    jne 004010DE=======>出错了!
....................
===================================================================
; check(NameLen, CodeLen) -- stdcall, ret 8; eax = 1 on success, 0 otherwise.
; Clobbers ebx, ecx, edx without saving them.
; Static data used (absolute addresses):
;   00403044        Name text (64 bytes: 00403084 - 00403044 = 0x40)
;   00403084        Code text
;   004030C4        dword: running Name hash (00403084 + 0x40)
;   004030C8        byte : index of '-' in Code (0 = not found / invalid)
;   004030C9..CB    bytes: the three characters after '-'
;   004030CC/D0/D4  dwords: three linear forms of those bytes, checked at the end
:00401141 55                      push ebp
:00401142 8BEC                    mov ebp, esp
; eax = NameLen; used as a count-down index into the Name buffer.
:00401144 8B4508                  mov eax, dword ptr [ebp+08]
:00401147 C705C430400000000000    mov dword ptr [004030C4], 00000000
; ebx is the per-character mask/multiplier: 1, 6, 11, ... (+5 per character).
:00401151 BB01000000              mov ebx, 00000001
:00401156 EB1D                    jmp 00401175

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401177(C)
|
[403044]====>UName

; Loop body, executed for Name[eax-1] from the LAST character down to the first:
;   hash ^= (Name[eax-1] ^ ebx) * ebx;  hash = rol32(hash, 5);  ebx += 5;
:00401158 48                      dec eax
:00401159 0FB69044304000          movzx edx, byte ptr [eax+00403044]
:00401160 33D3                    xor edx, ebx
:00401162 0FAFD3                  imul edx, ebx
; ebx advances here, but edx was already computed with the old value above.
:00401165 83C305                  add ebx, 00000005
:00401168 3115C4304000            xor dword ptr [004030C4], edx
:0040116E C105C430400005          rol dword ptr [004030C4], 05
Pseudocode for the loop above (`Pre` is the running hash at [004030C4]; the name is consumed from its last character to its first):

Pre := 0;
ebx := 1;
for index := LenName downto 1 do
begin
  Pre := Pre xor ((Ord(Name[index]) xor ebx) * ebx);   { 00401160 / 00401162 / 00401168 }
  Pre := RotateLeft32(Pre, 5);                          { 0040116E }
  ebx := ebx + 5;                                       { 00401165 }
end;
Pre := not Pre;                                         { 00401179 }
Pre := RotateRight32(Pre, LenName and 31);              { 00401184: x86 masks the count to 5 bits }

Worked example for Name = "DiKeN": the loop leaves Pre = BA5E94A0, `not` gives 45A16B5F, and `ror` by 5 (the name length) gives FA2D0B5A -- the two values shown in the debugger dumps below.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401156(U)
|
; Loop condition: keep going while eax (remaining index) != 0.  The caller
; guarantees NameLen >= 5, so the body runs at least once.
:00401175 0BC0                    or eax, eax
:00401177 75DF                    jne 00401158
; Finalisation: invert every bit, then rotate right by NameLen.
:00401179 F715C4304000            not dword ptr [004030C4]
===========>>>>注册用户名>>>>>[004030C4] - 45a16b5f  _k.E
:0040117F 33C9                    xor ecx, ecx
:00401181 8B4D08                  mov ecx, dword ptr [ebp+08]===>ULen
; The rotate count is taken from cl and masked to 5 bits by the CPU, so a
; 32-character name (the maximum the caller accepts) rotates by 0.
:00401184 D30DC4304000            ror dword ptr [004030C4], cl

===========>>>>注册用户名>>>>>[004030C4] - fa2d0b5a  Z.-.

; Locate the first '-' in Code.  eax = scan index; [004030C8] = its position (one byte).
:0040118A 33C0                    xor eax, eax
:0040118C C605C830400000          mov byte ptr [004030C8], 00
:00401193 EB17                    jmp 004011AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011AF(C)
|
[00403084]====>UCode
:00401195 0FB69084304000          movzx edx, byte ptr [eax+00403084]
:0040119C 40                      inc eax
:0040119D 83FA2D                  cmp edx, 0000002D'-'号吗?
:004011A0 750A                    jne 004011AC
; Found: al = index of '-' (eax was already incremented, hence the dec).
; A '-' at index 0 stores 0, which the test below treats as "not found".
; Only the low byte is kept, so an index >= 256 would be truncated (whether
; Code can be that long depends on the max length pushed above the excerpt).
:004011A2 FEC8                    dec al
:004011A4 A2C8304000              mov byte ptr [004030C8], al
; eax = CodeLen ends the scan at the next compare: only the FIRST '-' counts.
:004011A9 8B450C                  mov eax, dword ptr [ebp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401193(U), :004011A0(C)
|
:004011AC 3B450C                  cmp eax, dword ptr [ebp+0C]
:004011AF 75E4                    jne 00401195
; Reject (return 0) if no '-' was found or it was the first character.
:004011B1 803DC830400000          cmp byte ptr [004030C8], 00
:004011B8 7506                    jne 004011C0====>必须存在'-',否则出错
:004011BA 33C0                    xor eax, eax====>且不能在第一个
:004011BC C9                      leave
:004011BD C20800                  ret 0008



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011B8(C)
|
; Character-class check on everything before '-': cl walks from DashIndex-1 down to 0.
:004011C0 33C9                    xor ecx, ecx
:004011C2 8A0DC8304000            mov cl, byte ptr [004030C8]===>-的索引,0
:004011C8 33C0                    xor eax, eax
:004011CA 33DB                    xor ebx, ebx
:004011CC EB14                    jmp 004011E2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011E4(C)
|
:004011CE FEC9                    dec cl
:004011D0 0FB69184304000          movzx edx, byte ptr [ecx+00403084]
; Accept only 0x40..0x5A ('@', 'A'..'Z'), unsigned compares.  Note that '@'
; passes although it is not a letter; it becomes digit -1 in the base-26 step.
:004011D7 83FA3F                  cmp edx, 0000003F
:004011DA 760E                    jbe 004011EA
:004011DC 83FA5B                  cmp edx, 0000005B
:004011DF 7309                    jnb 004011EA
:004011E1 90                      nop
=================-前的字符,必须($3F,$5B)[40-5A]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011CC(U)
|
:004011E2 0AC9                    or cl, cl
:004011E4 75E8                    jne 004011CE
:004011E6 90                      nop
:004011E7 90                      nop
:004011E8 EB06                    jmp 004011F0

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004011DA(C), :004011DF(C)
|
; Failure exit shared by both range checks: return 0.
:004011EA 33C0                    xor eax, eax
:004011EC C9                      leave
:004011ED C20800                  ret 0008



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011E8(U)
|
; Decode the prefix as a base-26 number, least-significant digit FIRST:
;   ebx = c[0] + 26*c[1] + 26^2*c[2] + ...   with c[i] = Code[i] - 'A'
; The loop walks from the character just before '-' down to index 0, so the
; first letter of the key is the least significant digit.
:004011F0 33C9                    xor ecx, ecx
:004011F2 8A0DC8304000            mov cl, byte ptr [004030C8]
:004011F8 33C0                    xor eax, eax
:004011FA 33DB                    xor ebx, ebx
:004011FC EB11                    jmp 0040120F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401211(C)
|
:004011FE FEC9                    dec cl
; 32-bit arithmetic: the accumulator wraps mod 2^32, matching the 32-bit hash
; it is compared with later.  Seven letters suffice because 26^7 > 2^32.
:00401200 6BDB1A                  imul ebx, 0000001A
:00401203 0FB69184304000          movzx edx, byte ptr [ecx+00403084]
:0040120A 83EA41                  sub edx, 00000041
:0040120D 03DA                    add ebx, edx
===========================Deriving the part of the key before '-'
The loop walks from the character just before '-' down to the first character, so the
FIRST letter of the key is the least significant base-26 digit:

  ebx = c[1] + 26*c[2] + 26^2*c[3] + ...    where c[i] = Ord(strCode[i]) - $41

For Name = "DiKeN" the value it must equal is the hash fa2d0b5a.  In Pascal form
(Aindex = number of characters before '-'):

mmebx := 0;
for index := Aindex downto 1 do
begin
  mmebx := mmebx * 26;
  mmebx := mmebx + (Ord(strCode[index]) - $41);
  // the range check accepts $40..$5A, so '@' maps to -1 and 'A'..'Z' to 0..25
end;
......
==============// Therefore the prefix can be generated with repeated Mod 26 / Div 26:
// each remainder is the next letter from left to right; stop when the quotient is 0.
// fa2d0b5a needs exactly 7 letters because 26^6 < fa2d0b5a < 26^7.
01234567890123456789012345
ABCDEFGHIJKLMNOPQRSTUVWXYZ
fa2d0b5a mod 26 = 2  = C    (quotient 161432924)
  then   mod 26 = 16 = Q    (quotient 6208958)
  then   mod 26 = 2  = C    (quotient 238806)
  then   mod 26 = 16H = 22 = W   (quotient 9184)
  then   mod 26 = 6  = G    (quotient 353)
  then   mod 26 = F = 15 = P     (quotient 13)
  then   D = 13 = N         (quotient 0, done)
CQCWGPN

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011FC(U)
|
:0040120F 0AC9                    or cl, cl
:00401211 75EB                    jne 004011FE
; First key condition: base-26 value of the prefix == Name hash (32-bit compare).
:00401213 3B1DC4304000            cmp ebx, dword ptr [004030C4]===>必须相等
:00401219 7406                    je 00401221
:0040121B 33C0                    xor eax, eax
:0040121D C9                      leave
:0040121E C20800                  ret 0008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401219(C)
|
; Second condition: exactly three characters follow the '-'.
; The subtraction touches only al, but the compare is on the full eax, so
; CodeLen - DashIndex must be 4 with the upper 24 bits of CodeLen zero.
:00401221 8B450C                  mov eax, dword ptr [ebp+0C]==>CLen
:00401224 2A05C8304000            sub al, byte ptr [004030C8]==>SIndex
:0040122A 83F804                  cmp eax, 00000004=====>So,Len=3
:0040122D 7406                    je 00401235
:0040122F 33C0                    xor eax, eax
:00401231 C9                      leave
:00401232 C20800                  ret 0008



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040122D(C)
|
; Fetch the three suffix bytes C1, C2, C3 = Code[Dash+1..Dash+3] into 004030C9..CB.
; No character-class check is applied to them; they are used as raw byte values.
:00401235 33DB                    xor ebx, ebx
:00401237 8A1DC8304000            mov bl, byte ptr [004030C8]
:0040123D FEC3                    inc bl
:0040123F 0FB69384304000          movzx edx, byte ptr [ebx+00403084]
:00401246 8815C9304000            mov byte ptr [004030C9], dl====>C1
:0040124C FEC3                    inc bl
:0040124E 0FB69384304000          movzx edx, byte ptr [ebx+00403084]
:00401255 8815CA304000            mov byte ptr [004030CA], dl====>C2
:0040125B FEC3                    inc bl
:0040125D 0FB69384304000          movzx edx, byte ptr [ebx+00403084]
:00401264 8815CB304000            mov byte ptr [004030CB], dl====>C3
; Build three linear forms of (C1, C2, C3) in 32-bit arithmetic:
;   [004030CC] = 3*C1 - C2 + 5*C3
;   [004030D0] = -7*C1 + 2*C2 + 7*C3
;   [004030D4] = C1 + C2 - 2*C3
:0040126A 33C0                    xor eax, eax
:0040126C A0C9304000              mov al, byte ptr [004030C9]
:00401271 6BC003                  imul eax, 00000003
:00401274 A3CC304000              mov dword ptr [004030CC], eax===>C1*3
:00401279 33C0                    xor eax, eax
:0040127B 8A1DC9304000            mov bl, byte ptr [004030C9]
; bl was left at Dash+3 above, but its high bits are zero (ebx was cleared), so
; ebx == C1 after this load and the imul below is exactly C1*7.
:00401281 6BDB07                  imul ebx, 00000007      ==>0-(C1*7)
:00401284 2BC3                    sub eax, ebx
:00401286 A3D0304000              mov dword ptr [004030D0], eax==>-C1*7
:0040128B 33C0                    xor eax, eax
:0040128D A0C9304000              mov al, byte ptr [004030C9]
:00401292 A3D4304000              mov dword ptr [004030D4], eax===>C1
:00401297 33C0                    xor eax, eax
:00401299 A0CA304000              mov al, byte ptr [004030CA]
:0040129E 2905CC304000            sub dword ptr [004030CC], eax===>Here==>C1*3-C2
:004012A4 33C0                    xor eax, eax
:004012A6 A0CA304000              mov al, byte ptr [004030CA]
:004012AB 6BC002                  imul eax, 00000002
:004012AE 0105D0304000            add dword ptr [004030D0], eax==>(-C1*7)+(C2*2)
:004012B4 33C0                    xor eax, eax
:004012B6 A0CA304000              mov al, byte ptr [004030CA]
:004012BB 0105D4304000            add dword ptr [004030D4], eax==>C1+C2
:004012C1 33C0                    xor eax, eax
:004012C3 A0CB304000              mov al, byte ptr [004030CB]
:004012C8 6BC005                  imul eax, 00000005
:004012CB 0105CC304000            add dword ptr [004030CC], eax===>Here==>(C1*3-C2)+C3*5
:004012D1 33C0                    xor eax, eax
:004012D3 A0CB304000              mov al, byte ptr [004030CB]
:004012D8 6BC007                  imul eax, 00000007
:004012DB 0105D0304000            add dword ptr [004030D0], eax===>((-C1*7)+(C2*2))+C3*7=19
:004012E1 33C0                    xor eax, eax
:004012E3 A0CB304000              mov al, byte ptr [004030CB]
:004012E8 6BC002                  imul eax, 00000002
:004012EB 2905D4304000            sub dword ptr [004030D4], eax===>C1+C2-C3*2=D
; Third condition: 3*C1 - C2 + 5*C3 == 0x204 (516).  The listing stops after this
; compare; the author's notes say the other two forms are compared next against
; 0x19 and 0xD, which is not visible here.
:004012F1 813DCC30400004020000    cmp dword ptr [004030CC], 00000204===>Must=204=(C1*3-C2)+C3*5
:004012FB 7406                    je 00401303
:004012FD 33C0                    xor eax, eax
:004012FF C9                      leave
:00401300 C20800                  ret 0008

-23C
======================//
So the three bytes after '-' must satisfy (hex constants as compared in the binary):
204h = (C1*3 - C2) + C3*5
C1 + C2 - C3*2 = Dh
((-C1*7) + (C2*2)) + C3*7 = 19h
(Only the 204h compare appears in the listing above; the 19h and Dh constants come from the
two compares that follow it in the binary.)

In decimal:
 3*C1 -   C2 + 5*C3 = 516
   C1 +   C2 - 2*C3 = 13
-7*C1 + 2*C2 + 7*C3 = 25
The coefficient matrix has determinant 71 (non-zero), so this system has exactly one solution.
Solving it gives:
C1 = 82 = 52h = 'R'
C2 = 65 = 41h = 'A'
C3 = 67 = 43h = 'C'
The suffix therefore does not depend on the name at all: it is always "-RAC".
=========
Name: DiKeN
Key:  CQCWGPN-RAC   (base-26 prefix of the name hash, then the constant "-RAC")