  • 【分析 0x04】初会加密 (真)

     ; --- Key-file loader (the enclosing window procedure starts above this view). ---
     ; File layout as consumed below: [n][n name bytes][18 key bytes]; n is a single byte read from the file.
     1 004016D5          .  83C4 1C           add esp,0x1C                                   ; stack cleanup after the preceding call (not shown)
     2 004016D8          .  52                push edx                                       ; |FileName => "KwazyWeb.bit"
     3 004016D9          .  E8 1C010000       call <jmp.&KERNEL32.CreateFileA>               ; CreateFileA
     4 004016DE          .  83F8 FF           cmp eax,-0x1                                   ; INVALID_HANDLE_VALUE ?
     5 004016E1          .  74 64             je short PacMe.00401747                        ; cannot open -> give up (target is just past the verify call; not listed)
     6 004016E3          .  A3 44344000       mov dword ptr ds:[0x403444],eax                ; [0x403444] = file handle
     7 004016E8          .  6A 00             push 0x0                                       ; /pOverlapped = NULL
     8 004016EA          .  68 48344000       push PacMe.00403448                            ; |pBytesRead = PacMe.00403448
     9 004016EF          .  6A 01             push 0x1                                       ; |BytesToRead = 0x1
    10 004016F1          .  68 FA344000       push PacMe.004034FA                            ; |Buffer = PacMe.004034FA
    11 004016F6          .  FF35 44344000     push dword ptr ds:[0x403444]                   ; |hFile = 00000264 (window)
    12 004016FC          .  E8 11010000       call <jmp.&KERNEL32.ReadFile>                  ; ReadFile: 1 byte -> [0x4034FA], the count n
    13 00401701          .  0FB605 FA344000   movzx eax,byte ptr ds:[0x4034FA]                  ; eax = n (0..255, entirely file-controlled)
    14 00401708          .  85C0              test eax,eax
    15 0040170A          .  74 3B             je short PacMe.00401747                        ; n == 0 -> reject (same exit as the open failure)
    16 0040170C          .  6A 00             push 0x0                                       ; /pOverlapped = NULL
    17 0040170E          .  68 48344000       push PacMe.00403448                            ; |pBytesRead = PacMe.00403448
    18 00401713          .  50                push eax                                       ; |BytesToRead = n, passed straight from the file
    19 00401714          .  68 88324000       push PacMe.00403288                            ; |Buffer = PacMe.00403288 (fixed global; whether it holds 255 bytes is not visible here)
    20 00401719          .  FF35 44344000     push dword ptr ds:[0x403444]                   ; |hFile = 00000264 (window)
    21 0040171F          .  E8 EE000000       call <jmp.&KERNEL32.ReadFile>                  ; ReadFile: n name bytes. Nothing in this listing reads [0x403448], so a short read goes unnoticed.
    22 00401724          .  E8 D7F8FFFF       call PacMe.00401000                            ; k1 = low byte of the sum of those n bytes (body inlined below)
    23 {
       ; sub 00401000 -- k1 = (sum of the n name bytes at 0x403288) & 0xFF, stored at [0x4034FB].
    24     00401000         /$  33C0              xor eax,eax                                    ; eax = 0: lods writes al only, so the add below sees a zero-extended byte
    25     00401002         |.  33D2              xor edx,edx                                    ; edx = running sum
    26     00401004         |.  33C9              xor ecx,ecx
    27     00401006         |.  8A0D FA344000     mov cl,byte ptr ds:[0x4034FA]                  ; ecx = n (caller already rejected n == 0; loopd with ecx == 0 would spin 2^32 times)
    28     0040100C         |.  BE 88324000       mov esi,PacMe.00403288                         ; esi -> name bytes
    29     00401011         |>  AC                /lods byte ptr ds:[esi]                        ; al = *esi++
    30     00401012         |.  03D0              |add edx,eax                                   ; sum += byte
    31     00401014         |.^ E2 FB             loopd short PacMe.00401011                     ; --ecx; repeat while ecx != 0
    32     00401016         |.  8815 FB344000     mov byte ptr ds:[0x4034FB],dl                   ; only the low 8 bits survive: k1 = sum mod 256, so at most 256 distinct k1 values exist
    33     0040101C         .  C3                retn
    34 }
    35 00401729          .  6A 00             push 0x0                                       ; /pOverlapped = NULL
    36 0040172B          .  68 48344000       push PacMe.00403448                            ; |pBytesRead = PacMe.00403448
    37 00401730          .  6A 12             push 0x12                                      ; |BytesToRead = 12 (18.)
    38 00401732          .  68 E8344000       push PacMe.004034E8                            ; |Buffer = PacMe.004034E8
    39 00401737          .  FF35 44344000     push dword ptr ds:[0x403444]                   ; |hFile = 00000264 (window)
    40 0040173D          .  E8 D0000000       call <jmp.&KERNEL32.ReadFile>                  ; ReadFile: the 18 key bytes that follow the name; again the bytes-read count is never checked
       1 ; Inferred key-file layout: [n][n username bytes][18 key bytes]; the 18 bytes are XORed with k1 (byte sum of the username) before use.
       2 00401742          .  E8 82F9FFFF       call PacMe.004010C9                            ; core check: decode the 18 bytes into 72 moves and walk the maze (body inlined below)
     3 {
       ; sub 004010C9 -- verifier.  Copies the pristine maze, XORs the 18 key bytes with k1,
       ; then replays 18 x 4 = 72 two-bit moves starting on the 'C' cell.
       ; Locals: [ebp-1] = bit offset x (6,4,2,0), [ebp-2] = key byte index y (0..17).
     4     004010C9         /$  55                push ebp
     5     004010CA         |.  8BEC              mov ebp,esp
     6     004010CC         |.  83C4 FC           add esp,-0x4                                   ; room for x and y
     7     004010CF         |.  68 65334000       push PacMe.00403365                            
     8     ; /String2 =   
     9     ;  ****************
    10     ;  C*......*...****
    11     ;  .*.****...*....*
    12     ;  .*..**********.*
    13     ;  ..*....*...*...*
    14     ;  *.****.*.*...***
    15     ;  *.*....*.*******
    16     ;  ..*.***..*.....*
    17     ;  .*..***.**.***.*
    18     ;  ...****....*X..*
    19     ;  **************** 
    20     004010D4         |.  68 BC314000       push PacMe.004031BC                            ; |String1 = PacMe.004031BC
    21     004010D9         |.  E8 3A070000       call <jmp.&KERNEL32.lstrcpyA>                  ; lstrcpyA: fresh working copy; the walk below overwrites cells with 'C' and ' '
    22     004010DE         |.  C705 84314000 CC3>mov dword ptr ds:[0x403184],PacMe.004031CC     ; cursor = copy + 0x10 = first cell of the second row, the 'C' start (row stride 0x10)
    23     ;  C*......*...****
    24     ;  .*.****...*....*
    25     ;  .*..**********.*
    26     ;  ..*....*...*...*
    27     ;  *.****.*.*...***
    28     ;  *.*....*.*******
    29     ;  ..*.***..*.....*
    30     ;  .*..***.**.***.*
    31     ;  ...****....*X..*
    32     004010E8         |.  E8 30FFFFFF       call PacMe.0040101D                            ; key[0..17] ^= k1 (body inlined below)
    33     {
           ; sub 0040101D -- in-place XOR of the 18 key bytes at 0x4034E8 with k1.
    34         0040101D         /$  8A15 FB344000     mov dl,byte ptr ds:[0x4034FB]                  ; dl = k1 (byte sum of the username)
    35         00401023         |.  B9 12000000       mov ecx,0x12                                   ; 18 bytes
    36         00401028         |.  B8 E8344000       mov eax,PacMe.004034E8                         ; eax -> key bytes read from the file
    37         0040102D         |>  3010              /xor byte ptr ds:[eax],dl                      ; ds:[eax] ^= k1
    38         0040102F         |.  40                |inc eax
    39         00401030         |.^ E2 FB             loopd short PacMe.0040102D
    40         00401032         .  C3                retn
    41     }
    42     004010ED         |.  C645 FE 00        mov byte ptr ss:[ebp-0x2],0x0                  ; y = 0 (key byte index)
    43     004010F1         |.  33C0              xor eax,eax
    44     004010F3         |.  33C9              xor ecx,ecx                                    ; clear eax/ecx
    45     004010F5         |>  C645 FF 08        /mov byte ptr ss:[ebp-0x1],0x8                 ; x = 8  (outer loop: one key byte)
    46     004010F9         |>  806D FF 02        |/sub byte ptr ss:[ebp-0x1],0x2                ; x -= 2 -> 6, 4, 2, 0  (inner loop: one 2-bit field)
    47     004010FD         |.  0FB64D FE         ||movzx ecx,byte ptr ss:[ebp-0x2]              ; ecx = y
    48     ; each inner iteration takes the next 2-bit field of key[y], high bits first, as the move direction
    49     00401101         |.  81C1 E8344000     ||add ecx,PacMe.004034E8                       ; ecx = &key[y] (already XORed with k1)
    50     00401107         |.  8A01              ||mov al,byte ptr ds:[ecx]                     ; al = key[y]
    51     00401109         |.  8A4D FF           ||mov cl,byte ptr ss:[ebp-0x1]                 ; cl = x
    52     0040110C         |.  D2E8              ||shr al,cl                                    ; al >>= x
    53     0040110E         |.  24 03             ||and al,0x3                                   ; al &= 3 -> direction 0..3
    54     00401110         |.  E8 1EFFFFFF       ||call PacMe.00401033                          ; one step; returns eax = 0 if the step landed on '*', else 1
    55     {
    56         ; 0: up    (cursor - 0x10)
    57         ; 1: right (cursor + 1)
    58         ; 2: down  (cursor + 0x10)
    59         ; 3: left  (cursor - 1) -- also the default of the switch below
           ; sub 00401033 -- move the cursor one cell in direction al, then inspect the cell landed on.
           ; The cursor is a flat pointer with no row/column check: left/right off a row edge lands in
           ; the neighbouring row and up from the start row lands in the top border; only the all-'*'
           ; border rows/columns stop that.
    60         00401033          $  55                push ebp
    61         00401034          .  8BEC              mov ebp,esp
    62         00401036          .  83C4 F8           add esp,-0x8
    63         00401039          .  8B15 84314000     mov edx,dword ptr ds:[0x403184]                ; edx = cursor before the move (PacMe.004031CC on the first call)
    64         0040103F          .  8955 FC           mov dword ptr ss:[ebp-0x4],edx                 ; saved for the ' ' write-back at the end
    65         00401042          .  0AC0              or al,al                                       ;  Switch (cases 0..2)
    66         00401044          .  75 09             jnz short PacMe.0040104F
    67         00401046          .  832D 84314000 10  sub dword ptr ds:[0x403184],0x10               ;  c - 10h; Case 0 of switch 00401042 (up)
    68         0040104D          .  EB 1F             jmp short PacMe.0040106E
    69         0040104F          >  3C 01             cmp al,0x1
    70         00401051          .  75 08             jnz short PacMe.0040105B
    71         00401053          .  FF05 84314000     inc dword ptr ds:[0x403184]                    ;  c + 1; Case 1 of switch 00401042 (right)
    72         00401059          .  EB 13             jmp short PacMe.0040106E
    73         0040105B          >  3C 02             cmp al,0x2
    74         0040105D          .  75 09             jnz short PacMe.00401068
    75         0040105F          .  8305 84314000 10  add dword ptr ds:[0x403184],0x10               ;  c + 10h; Case 2 of switch 00401042 (down)
    76         00401066          .  EB 06             jmp short PacMe.0040106E
    77         00401068          >  FF0D 84314000     dec dword ptr ds:[0x403184]                    ;  c - 1; Default case of switch 00401042 (left)
    78         0040106E          >  8B15 84314000     mov edx,dword ptr ds:[0x403184]                ; edx = cursor after the move (already committed to the global)
    79         00401074          .  8A02              mov al,byte ptr ds:[edx]                       ; cell we landed on
    80         00401076          .  3C 2A             cmp al,0x2A                                    ; '*' ?
    81         00401078          .  75 06             jnz short PacMe.00401080                       ; wall: return 0 without restoring the cursor; the caller then stops walking
    82         0040107A          .  33C0              xor eax,eax
    83         0040107C          .  C9                leave
    84         0040107D          .  C3                retn
    85         0040107E          .  EB 33             jmp short PacMe.004010B3                       ; unreachable (follows a retn)
    86         00401080          >  3C 58             cmp al,0x58                                    ; 'X' ?
    87         00401082             75 2F             jnz short PacMe.004010B3                       ; not the goal: just update the board
    88         00401084          .  6A 00             push 0x0                                       ; /Style = MB_OK|MB_APPLMODAL
    89         00401086          .  8D15 59334000     lea edx,dword ptr ds:[0x403359]                ; |
    90         0040108C          .  52                push edx                                       ; |Title => "Success.."
    91         0040108D          .  8D15 EC324000     lea edx,dword ptr ds:[0x4032EC]                ; |
    92         00401093          .  52                push edx                                       ; |Text => "Congratulations!
    93         00401094          .  6A 00             push 0x0                                       ; |hOwner = NULL
    94         00401096          .  8D15 AC174000     lea edx,dword ptr ds:[0x4017AC]                ; |
    95         0040109C          .  FFD2              call edx                                       ; MessageBoxA (indirect call; OllyDbg resolves 0x4017AC to the import thunk, not shown)
    96         0040109E          .  8D15 7B324000     lea edx,dword ptr ds:[0x40327B]
    97         004010A4          .  52                push edx                                       ; /Text => "Cracked by : uuuuuuu"
    98         004010A5          .  FF35 20344000     push dword ptr ds:[0x403420]                   ; |hWnd = 001E01D0 ('UNREGISTERED!',class='Edit',parent=001B0394)
    99         004010AB          .  8D15 DC174000     lea edx,dword ptr ds:[0x4017DC]                ; |
   100         004010B1          .  FFD2              call edx                                       ; SetWindowTextA -- success UI; the walk still continues (falls through and returns 1)
   101         004010B3          >  8B15 84314000     mov edx,dword ptr ds:[0x403184]                ; new cell becomes 'C'
   102         004010B9          .  C602 43           mov byte ptr ds:[edx],0x43
   103         004010BC          .  8B55 FC           mov edx,dword ptr ss:[ebp-0x4]
   104         004010BF          .  C602 20           mov byte ptr ds:[edx],0x20                     ; old cell becomes ' ' (neither '*' nor 'X', so it may be walked over again)
   105         004010C2          .  B8 01000000       mov eax,0x1                                    ; return 1: keep walking
   106         004010C7          .  C9                leave
   107         004010C8          .  C3                retn
   108     }
   109     00401115         |.  85C0              ||test eax,eax                                 ; eax == 0 -> a move landed on '*': abort the whole walk (no success message)
   110     00401117         |.  74 11             ||je short PacMe.0040112A
   111     00401119         |.  0FB655 FF         ||movzx edx,byte ptr ss:[ebp-0x1]              ; edx = x
   112     0040111D         |.  85D2              ||test edx,edx                                 ; x == 0 -> all four fields of key[y] consumed
   113     0040111F         |.^ 75 D8             |jnz short PacMe.004010F9                     ; else decode the next 2-bit field
   114     00401121         |.  FE45 FE           |inc byte ptr ss:[ebp-0x2]                     ; y++
   115     00401124         |.  807D FE 12        |cmp byte ptr ss:[ebp-0x2],0x12                ; y == 18 ?
   116     00401128         |.^ 75 CB             jnz short PacMe.004010F5                      ; outer loop: 18 key bytes
   117     ; 72 moves total: 'X' must be reached within them and no move may land on '*'.  There is no
       ; separate pass/fail return value -- success is only the MessageBox/SetWindowText side effect above.
   118     0040112A         |>  C9                leave
   119     0040112B         .  C3                retn
   120 }
    121 
       ; --- Tail of the window procedure (its head and the message switch at 004012D8 are outside this view). ---
   122 00401754          >  FF75 14           push dword ptr ss:[ebp+0x14]                   ; /lParam; Default case of switch 004012D8
   123 00401757          .  FF75 10           push dword ptr ss:[ebp+0x10]                   ; |wParam
   124 0040175A          .  FF75 0C           push dword ptr ss:[ebp+0xC]                    ; |Message
   125 0040175D          .  FF75 08           push dword ptr ss:[ebp+0x8]                    ; |hWnd
   126 00401760          .  E8 17000000       call <jmp.&USER32.DefWindowProcA>              ; DefWindowProcA: unhandled messages get default processing
   127 00401765          .  C9                leave
   128 00401766          .  C2 1000           retn 0x10                                      ; stdcall: pop the four WndProc arguments
   129 00401769          >  33C0              xor eax,eax                                    ; alternate exit: return 0 (message handled)
   130 0040176B          .  C9                leave
   131 0040176C          .  C2 1000           retn 0x10
    所以 keygen 的核心就是一次深搜：在最多 18*4 = 72 步内从 C 走到 X（中途不能踩到 *），然后把每 4 步打包成一个字节（第一步放在高两位），再与用户名各字节之和的低 8 位异或后写入文件。
#include <cstdlib>
#include <fstream>
#include <iomanip>
#include <iostream>
#include <string>
using namespace std;
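// Maze geometry as embedded in PacMe: 9 playable rows of 16 cells (the crackme's
// row stride is 0x10), surrounded by a '*' border that is NOT part of the input.
const int ROW = 9;
const int COL = 16;
// The crackme replays at most 18 key bytes x 4 moves per byte = 72 moves.
const int TIMES = 18 * 4;

// Move sequence produced by keygen(): key[i] is the direction (index into des[])
// of move i.  Slots past the end of the found path are left untouched.
unsigned char key[TIMES] = { 0 };

// Direction table in exactly the order the crackme decodes a 2-bit field:
// 0 = up (-0x10), 1 = right (+1), 2 = down (+0x10), 3 = left (-1).
const int des[4][2] =
{
    {-1,0}, // 0: up
    {0,1},  // 1: right
    {1,0},  // 2: down
    {0,-1}  // 3: left
};

// Depth-first search for a simple path from (x,y) to the 'X' cell using at most
// TIMES moves.  On success key[0..path_len) holds the move directions and true
// is returned; otherwise false.  Cells on the current path are marked ' ' (as
// the crackme does while walking) and restored to '.' by the caller on backtrack.
//   g    the maze rows without the '*' border; mutated during the search
//   x,y  current row / column
//   keyn number of moves recorded so far (== recursion depth)
bool keygen(char g[ROW][COL], int x, int y, int keyn)
{
    if (g[x][y] == 'X')
        return true;
    // key[] has exactly TIMES slots.  The original tested `keyn > TIMES`, which let
    // keyn == TIMES through and wrote key[TIMES], one past the end of the array.
    if (keyn >= TIMES)
        return false;
    g[x][y] = ' ';
    for (int i = 0; i < 4; i++)
    {
        int nx = x + des[i][0];
        int ny = y + des[i][1];
        // Stay inside the grid (the crackme's border is all '*'), never step on a
        // wall, never revisit a cell that is already on the current path.
        if (nx < 0 || ny < 0 || nx >= ROW || ny >= COL)
            continue;
        if (g[nx][ny] == '*' || g[nx][ny] == ' ')
            continue;
        key[keyn] = i;
        if (keygen(g, nx, ny, keyn + 1))
            return true;
        g[nx][ny] = '.';
        key[keyn] = -1;
    }
    // No direction reaches 'X' within the remaining budget.  The original fell off
    // the end of the function here (undefined behaviour); report failure explicitly.
    return false;
}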
    40 
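// Keygen driver.  stdin: the 9 maze rows of 16 cells (no '*' border), then the
// username length n and the username.  Output file "KwazyWeb.bit" =
// [n][first n username bytes][18 key bytes].
// Key encoding (mirrors the crackme): each byte packs four 2-bit moves with the
// first move in bits 7..6 (the crackme shifts by 6, 4, 2, 0), and every byte is
// XORed with k1 = (sum of the n username bytes) & 0xFF, because the crackme
// XORs the 18 bytes with k1 before decoding them.
int main()
{
    char g[ROW][COL] = { 0 };
    unsigned char kk[TIMES / 4] = { 0 };
    for (int i = 0; i < TIMES; i++)
        key[i] = 0xFF;                       // marks unused move slots
    for (int i = 0; i < ROW; i++)
        for (int j = 0; j < COL; j++)
            cin >> g[i][j];

    if (!keygen(g, 0, 0, 0))
    {
        // The original still wrote a file (all-zero key) in this case; such a file can never pass.
        cerr << "no path from C to X within " << TIMES << " moves" << endl;
        return 1;
    }
    for (int i = 0; i < TIMES; i += 4)
    {
        // Only the low 2 bits of each slot are a direction.  The original OR-ed the
        // unused 0xFF slots in unmasked, which turned the whole last byte into 0xFF
        // and broke every path whose length is not a multiple of 4.
        unsigned int kx = 0;
        for (int j = 0; j < 4; j++)
            kx = (kx << 2) | (key[i + j] & 3u);
        kk[i / 4] = static_cast<unsigned char>(kx);
        // Print as a hex number; the original streamed a char, so `hex` had no effect.
        cout << hex << setw(2) << setfill('0') << kx << ' ';
    }
    cout << dec << endl;

    unsigned int number = 0;
    cout << "请输入用户名字符个数";
    if (!(cin >> number) || number == 0 || number > 255)
    {
        // The crackme stores n in a single byte and rejects n == 0.
        cerr << "username length must be 1..255" << endl;
        return 1;
    }
    string name;                             // unbounded read; the original used unsigned char[8]
    cout << "请输入用户名";
    cin >> name;
    if (name.size() < number)
    {
        // The original read past the end of its 8-byte buffer here.
        cerr << "username is shorter than the given length" << endl;
        return 1;
    }
    unsigned int c = 0;
    for (unsigned int i = 0; i < number; i++)
        c += static_cast<unsigned char>(name[i]);
    const unsigned char k1 = static_cast<unsigned char>(c);   // the crackme keeps only the low byte
    cout << "k1 = " << hex << setw(2) << setfill('0') << static_cast<unsigned int>(k1) << dec << endl;

    // Binary mode: a count, name or key byte of 0x0A must not be expanded to CR LF on Windows.
    ofstream outfile("KwazyWeb.bit", ios::out | ios::binary);
    if (!outfile)
    {
        cerr << "cannot create KwazyWeb.bit" << endl;
        return 1;
    }
    outfile.put(static_cast<char>(number));
    outfile.write(name.data(), number);
    for (int i = 0; i < TIMES / 4; i++)
    {
        kk[i] ^= k1;
        cout << hex << setw(2) << setfill('0') << static_cast<unsigned int>(kk[i]) << ' ';
        outfile.put(static_cast<char>(kk[i]));
    }
    cout << dec << endl;
    outfile.close();
    system("pause");
    return 0;
}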

     嗯 基本对了 0 0 .。 之后看python怎么样。。。C++不是太会字符处理

    ----------------------------------之后终于改好了---------------------------------------效果如下:

    还好很好玩的 - - 不过本人愚笨,弄了一天

  • 原文地址:https://www.cnblogs.com/driedfish/p/5440403.html