系统 : Windows xp
程序 : CM1 by Bad Sector
程序下载地址 :http://pan.baidu.com/s/1c3e2a6
要求 : 注册机编写
使用工具 : OD
可在“PEDIY CrackMe 2007”中查找关于此程序的讨论,标题为“再来一个CRACKME算法分析(适合新手)【讨论】”。
这世道居然能找到这么蠢萌的 CrackMe……“蠢萌”之处在于：第二段循环（0040118B–0040119A）虽然每轮都取出一个用户名字符，却在紧接着的 imul 里把它覆盖掉了，所以序列号的十六进制部分只取决于用户名长度，与字符内容无关。
00401139 $ 6A 32 push 32 ; /Count = 32 (50.) -- name buffer: at most 49 chars + NUL
0040113B . 68 F3204000 push 004020F3 ; |Buffer = CrackMe.004020F3 (name)
00401140 . 68 C8000000 push 0C8 ; |ControlID = C8 (200.) -- name edit box
00401145 . FF75 08 push dword ptr [ebp+8] ; |hWnd
00401148 . E8 DE000000 call <jmp.&USER32.GetDlgItemTextA> ; GetDlgItemTextA -> eax = number of chars copied
0040114D . 83F8 00 cmp eax, 0 ; name empty?
00401150 . 0F84 99000000 je 004011EF ; -> "Try again"
00401156 . 83F8 04 cmp eax, 4 ; name shorter than 4 chars?
00401159 . 0F82 90000000 jb 004011EF ; -> "Try again"
0040115F . 33C9 xor ecx, ecx ; ecx = byte index
00401161 . 33DB xor ebx, ebx ; ebx = running sum
00401163 . 33F6 xor esi, esi ; esi = sum after the last non-space byte; stays 0 if every byte is a space
00401165 . 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = name length (loop bound)
00401168 > 0FBE81 F32040>movsx eax, byte ptr [ecx+4020F3] ; loop 1: next name byte, sign-extended (bytes >= 0x80 become negative)
0040116F . 83F8 20 cmp eax, 20 ; space?
00401172 . 74 07 je short 0040117B ; spaces are skipped
00401174 . 6BC0 04 imul eax, eax, 4 ; eax = byte * 4
00401177 . 03D8 add ebx, eax ; sum += byte * 4 (32-bit wrap)
00401179 . 8BF3 mov esi, ebx ; esi = sum
0040117B > 41 inc ecx ; index++
0040117C . 3B4D FC cmp ecx, dword ptr [ebp-4] ; reached the end of the name?
0040117F .^ 75 E7 jnz short 00401168 ; loop 1 ends with ecx == length
00401181 . 83FE 00 cmp esi, 0 ; sum == 0 (e.g. name is only spaces)?
00401184 . 74 69 je short 004011EF ; -> "Try again"
00401186 . BB 89476500 mov ebx, 654789 ; ebx = 0x654789 seed; ecx (== length) is the loop counter
0040118B 0FBE81 F22040>movsx eax, byte ptr [ecx+4020F2] ; loop 2: loads name[ecx-1], but eax is overwritten at 00401193 before it is used
00401192 . 4B dec ebx ; ebx -= 1
00401193 . 6BC3 02 imul eax, ebx, 2 ; eax = ebx * 2 -- the loaded byte is discarded
00401196 . 03D8 add ebx, eax ; ebx = ebx * 3
00401198 . 4B dec ebx ; ebx -= 1
00401199 . 49 dec ecx ; counter--
0040119A .^ 75 EF jnz short 0040118B ; runs length times -> ebx depends only on the name length
0040119C . 56 push esi ; /<%lu> = sum from loop 1
0040119D . 53 push ebx ; |<%lX> = value from loop 2
0040119E . 68 C7204000 push 004020C7 ; |Format = "BS-%lX-%lu"
004011A3 . 68 BB214000 push 004021BB ; |s = CrackMe.004021BB -- expected serial; at most 3+8+1+10 = 22 chars + NUL
004011A8 . E8 6C000000 call <jmp.&USER32.wsprintfA> ; wsprintfA
004011AD . 58 pop eax ; caller removes the 4 arguments pushed above
004011AE . 58 pop eax
004011AF . 58 pop eax
004011B0 . 58 pop eax
004011B1 . E8 01000000 call 004011B7 ; compare the user's serial against the expected one
004011B6 . C3 retn
004011B7 $ 33C9 xor ecx, ecx
004011B9 . 6A 32 push 32 ; /Count = 32 (50.)
004011BB . 68 57214000 push 00402157 ; |Buffer = CrackMe.00402157 (user-entered serial)
004011C0 . 68 C9000000 push 0C9 ; |ControlID = C9 (201.) -- serial edit box
004011C5 . FF75 08 push dword ptr [ebp+8] ; |hWnd
004011C8 . E8 5E000000 call <jmp.&USER32.GetDlgItemTextA> ; GetDlgItemTextA
004011CD . 83F8 00 cmp eax, 0 ; serial empty?
004011D0 . 74 1D je short 004011EF ; -> "Try again"
004011D2 . 33C9 xor ecx, ecx ; ecx = byte index
004011D4 > 0FBE81 572140>movsx eax, byte ptr [ecx+402157] ; eax = user serial byte
004011DB . 0FBE99 BB2140>movsx ebx, byte ptr [ecx+4021BB] ; ebx = expected serial byte
004011E2 . 3BC3 cmp eax, ebx ; equal? (early-exit compare: stops at the first differing byte)
004011E4 . 75 09 jnz short 004011EF ; mismatch -> "Try again"
004011E6 . 83F8 00 cmp eax, 0 ; both bytes NUL -> whole string matched
004011E9 . 74 19 je short 00401204 ; -> "Solved"
004011EB . 41 inc ecx ; next byte
004011EC .^ EB E6 jmp short 004011D4
004011EE . C3 retn ; not reached: the jmp above is unconditional and nothing in this listing targets 004011EE
004011EF > 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL -- failure path
004011F1 . 68 E4204000 push 004020E4 ; |Title = "Nope"
004011F6 . 68 E9204000 push 004020E9 ; |Text = "Try again"
004011FB . FF75 08 push dword ptr [ebp+8] ; |hOwner
004011FE . E8 34000000 call <jmp.&USER32.MessageBoxA> ; MessageBoxA
00401203 . C3 retn
00401204 > 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL -- success path
00401206 . 68 D2204000 push 004020D2 ; |Title = "Solved"
0040120B . 68 D9204000 push 004020D9 ; |Text = "Well done."
00401210 . FF75 08 push dword ptr [ebp+8] ; |hOwner
00401213 . E8 1F000000 call <jmp.&USER32.MessageBoxA> ; MessageBoxA
00401218 . C3 retn
打开 http://www.cnblogs.com/ZRBYYXDM/p/5115596.html 中搭建的框架，将 OnBtnDecrypt 函数编辑如下：
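// Keygen for "CM1 by Bad Sector": reads the name from IDC_EDIT_NAME and writes
// the serial the target accepts into IDC_EDIT_PASSWORD.
//
// Mirrors the target's check routine (00401139..0040119A):
//   - the target reads the name with GetDlgItemTextA(..., 50), so it only ever
//     sees the first 49 characters; it also rejects names shorter than 4;
//   - Res = sum over non-space bytes of (sign-extended byte * 4); the target
//     rejects a name whose sum is 0 (e.g. a name made only of spaces);
//   - Rev = 0x654789, then len times: --Rev; Rev += Rev*2; --Rev;
//     (the target loads a name byte in that loop but overwrites it before use,
//     so Rev depends only on the length);
//   - serial = wsprintfA("BS-%lX-%lu", Rev, Res).
// All arithmetic is 32-bit unsigned and wraps exactly like the target's ebx/esi.
void CKengen_TemplateDlg::OnBtnDecrypt()
{
    CString str;
    GetDlgItemText( IDC_EDIT_NAME, str );
    int len = str.GetLength();

    // Compute on the same prefix the target sees: its name buffer is 50 bytes,
    // so GetDlgItemTextA hands it at most 49 characters.
    if ( len > 49 ){
        str = str.Left( 49 );
        len = 49;
    }
    if ( len < 4 ){
        MessageBox( "用户名格式错误!" );
        return;
    }

    int i;  // declared once: VC6 leaks the for-scope, newer compilers do not

    DWORD Res = 0;
    for ( i = 0 ; i < len ; i++ ){
        char c = str.GetAt( i );
        if ( c == 0x20 )
            continue;  // target skips spaces (0040116F)
        // movsx + imul 4: char is signed on MSVC (default), so bytes >= 0x80
        // contribute negative values and the DWORD add wraps like the target.
        Res += (DWORD)( (int)c * 4 );
    }
    if ( Res == 0 ){
        // Target rejects this at 00401181; no serial exists for such a name.
        MessageBox( "用户名格式错误!" );
        return;
    }

    DWORD ReverseRes = 0x654789;
    for ( i = 0 ; i < len ; i++ ){
        --ReverseRes;
        ReverseRes += ( ReverseRes * 2 );
        --ReverseRes;
    }

    CString PassWord;
    PassWord.Format( "BS-%lX-%lu", ReverseRes, Res );
    SetDlgItemText( IDC_EDIT_PASSWORD, PassWord );
}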
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("Keygen"));
运行效果: