初次写注册机,拿了个简单crackme练习,无壳直接可以根据字符提示找到算法call。 汇编算法代码如下: 00401000 /$ 55 PUSH EBP 00401001 |. 8BEC MOV EBP,ESP 00401003 |. 81C4 28FBFFFF ADD ESP,-4D8 00401009 |. 53 PUSH EBX 0040100A |. 56 PUSH ESI 0040100B |. 57 PUSH EDI 0040100C |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] 0040100F |. BE 4AB14000 MOV ESI,k4n2.0040B14A 00401014 |. 8DBD ECFCFFFF LEA EDI,DWORD PTR SS:[EBP-314] 0040101A |. B9 4B000000 MOV ECX,4B 0040101F |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00401021 |. BE 76B24000 MOV ESI,k4n2.0040B276 00401026 |. 8DBD C0FBFFFF LEA EDI,DWORD PTR SS:[EBP-440] 0040102C |. B9 4B000000 MOV ECX,4B 00401031 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00401033 |. BE A2B34000 MOV ESI,k4n2.0040B3A2 00401038 |. 8DBD 8CFBFFFF LEA EDI,DWORD PTR SS:[EBP-474] 0040103E |. B9 0C000000 MOV ECX,0C 00401043 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00401045 |. 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 00401047 |. BE D4B34000 MOV ESI,k4n2.0040B3D4 0040104C |. 8DBD 28FBFFFF LEA EDI,DWORD PTR SS:[EBP-4D8] 00401052 |. B9 19000000 MOV ECX,19 00401057 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00401059 |. 33C0 XOR EAX,EAX 0040105B |. 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX 0040105E |. 33D2 XOR EDX,EDX 00401060 |. 8955 C0 MOV DWORD PTR SS:[EBP-40],EDX 00401063 |. 33C9 XOR ECX,ECX 00401065 |. 894D BC MOV DWORD PTR SS:[EBP-44],ECX 00401068 |. 33C0 XOR EAX,EAX 0040106A |. 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX 0040106D |. 33D2 XOR EDX,EDX 0040106F |. 8955 B4 MOV DWORD PTR SS:[EBP-4C],EDX 00401072 |. 33C9 XOR ECX,ECX 00401074 |. 894D B0 MOV DWORD PTR SS:[EBP-50],ECX 00401077 |. 33C0 XOR EAX,EAX 00401079 |. 8945 AC MOV DWORD PTR SS:[EBP-54],EAX 0040107C |. 33D2 XOR EDX,EDX 0040107E |. 8955 A8 MOV DWORD PTR SS:[EBP-58],EDX 00401081 |. 6A 66 PUSH 66 ; /ControlID = 66 (102.) 00401083 |. 53 PUSH EBX ; |hWnd 00401084 |. E8 D99C0000 CALL <JMP.&USER32.GetDlgItem> ; /GetDlgItem 00401089 |. 6A 64 PUSH 64 ; /Count = 64 (100.) 0040108B |. 
8D8D 44FFFFFF LEA ECX,DWORD PTR SS:[EBP-BC] ; | 00401091 |. 51 PUSH ECX ; |Buffer 00401092 |. 50 PUSH EAX ; |hWnd 00401093 |. E8 D69C0000 CALL <JMP.&USER32.GetWindowTextA> ; /GetWindowTextA 00401098 |. 6A 68 PUSH 68 ; /ControlID = 68 (104.) 0040109A |. 53 PUSH EBX ; |hWnd 0040109B |. E8 C29C0000 CALL <JMP.&USER32.GetDlgItem> ; /GetDlgItem 004010A0 |. 6A 64 PUSH 64 ; /Count = 64 (100.) 004010A2 |. 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120] ; | 004010A8 |. 52 PUSH EDX ; |Buffer 004010A9 |. 50 PUSH EAX ; |hWnd 004010AA |. E8 BF9C0000 CALL <JMP.&USER32.GetWindowTextA> ; /GetWindowTextA 004010AF |. 6A 67 PUSH 67 ; /ControlID = 67 (103.) 004010B1 |. 53 PUSH EBX ; |hWnd 004010B2 |. E8 AB9C0000 CALL <JMP.&USER32.GetDlgItem> ; /GetDlgItem 004010B7 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 004010BA |. 8D85 44FFFFFF LEA EAX,DWORD PTR SS:[EBP-BC] 004010C0 |. 50 PUSH EAX 004010C1 |. E8 2A060000 CALL k4n2.004016F0 004010C6 |. 59 POP ECX 004010C7 |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX 004010CA |. 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120] 004010D0 |. 51 PUSH ECX 004010D1 |. E8 1A060000 CALL k4n2.004016F0 004010D6 |. 59 POP ECX 004010D7 |. 68 EAB04000 PUSH k4n2.0040B0EA 004010DC |. E8 0F060000 CALL k4n2.004016F0 004010E1 |. 59 POP ECX 004010E2 |. 68 0EB14000 PUSH k4n2.0040B10E 004010E7 |. E8 04060000 CALL k4n2.004016F0 004010EC |. 59 POP ECX 004010ED |. 837D D4 03 CMP DWORD PTR SS:[EBP-2C],3 004010F1 |. 0F8E 38010000 JLE k4n2.0040122F 004010F7 |. 33D2 XOR EDX,EDX 004010F9 |. 33DB XOR EBX,EBX 004010FB |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] 004010FE |. 0155 C4 ADD DWORD PTR SS:[EBP-3C],EDX 00401101 |. 0155 C4 ADD DWORD PTR SS:[EBP-3C],EDX 00401104 |. 8BC2 MOV EAX,EDX 00401106 |. 83C0 05 ADD EAX,5 00401109 |. 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX 0040110C |. 33C0 XOR EAX,EAX 0040110E |. 8BCF MOV ECX,EDI 00401110 |. 83C1 04 ADD ECX,4 00401113 |. 894D B4 MOV DWORD PTR SS:[EBP-4C],ECX 00401116 |. 33C9 XOR ECX,ECX 00401118 |. 0155 BC ADD DWORD PTR SS:[EBP-44],EDX 0040111B |. 
017D BC ADD DWORD PTR SS:[EBP-44],EDI 0040111E |. 6BFF 03 IMUL EDI,EDI,3 00401121 |. 897D C0 MOV DWORD PTR SS:[EBP-40],EDI 00401124 |. 33FF XOR EDI,EDI 00401126 |. 0FBE8C05 44FF>MOVSX ECX,BYTE PTR SS:[EBP+EAX-BC] 0040112E |. 83F9 61 CMP ECX,61 00401131 |. 7C 07 JL SHORT k4n2.0040113A 00401133 |. 90 NOP 00401134 |. 90 NOP 00401135 |. 90 NOP 00401136 |. 90 NOP 00401137 |. 83E9 20 SUB ECX,20 0040113A |> 8BF1 MOV ESI,ECX 0040113C |. 03DE ADD EBX,ESI 0040113E |. 0FAFD9 IMUL EBX,ECX 00401141 |. 4A DEC EDX 00401142 |> 0FBE8C2F 44FF>/MOVSX ECX,BYTE PTR DS:[EDI+EBP-BC] 0040114A |. 0FBEB42F 45FF>|MOVSX ESI,BYTE PTR DS:[EDI+EBP-BB] 00401152 |. 83F9 61 |CMP ECX,61 00401155 |. 7D 12 |JGE SHORT k4n2.00401169 00401157 |. 90 |NOP 00401158 |. 90 |NOP 00401159 |. 90 |NOP 0040115A |. 90 |NOP 0040115B |> 83FE 61 |CMP ESI,61 0040115E |. 7D 0E |JGE SHORT k4n2.0040116E 00401160 |. 90 |NOP 00401161 |. 90 |NOP 00401162 |. 90 |NOP 00401163 |. 90 |NOP 00401164 |. EB 0B |JMP SHORT k4n2.00401171 00401166 | 90 |NOP 00401167 | 90 |NOP 00401168 | 90 |NOP 00401169 |> 83E9 20 |SUB ECX,20 0040116C |.^ EB ED |JMP SHORT k4n2.0040115B 0040116E |> 83EE 20 |SUB ESI,20 00401171 |> 47 |INC EDI 00401172 |. 03DE |ADD EBX,ESI 00401174 |. 0FAFD9 |IMUL EBX,ECX 00401177 |. 4A |DEC EDX 00401178 |.^ 75 C8 /JNZ SHORT k4n2.00401142 0040117A |. 895D C8 MOV DWORD PTR SS:[EBP-38],EBX 0040117D |. 33C9 XOR ECX,ECX 0040117F |. 33D2 XOR EDX,EDX 00401181 |. 33DB XOR EBX,EBX 00401183 |. 33C0 XOR EAX,EAX 00401185 |. 837D D4 32 CMP DWORD PTR SS:[EBP-2C],32 00401189 |. 0F8D A0000000 JGE k4n2.0040122F 0040118F |> 0FBE840D 44FF>/MOVSX EAX,BYTE PTR SS:[EBP+ECX-BC] 00401197 |. 03C1 |ADD EAX,ECX 00401199 |. 03D8 |ADD EBX,EAX 0040119B |. 41 |INC ECX 0040119C |. 3B4D D4 |CMP ECX,DWORD PTR SS:[EBP-2C] 0040119F |.^ 75 EE /JNZ SHORT k4n2.0040118F 004011A1 |. D1C0 ROL EAX,1 004011A3 |. 35 40E20100 XOR EAX,1E240 004011A8 |. 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX 004011AB |. 33C9 XOR ECX,ECX 004011AD |. 33D2 XOR EDX,EDX 004011AF |. 
33DB XOR EBX,EBX 004011B1 |. 33C0 XOR EAX,EAX 004011B3 |> 0FBE840D 44FF>/MOVSX EAX,BYTE PTR SS:[EBP+ECX-BC] 004011BB |. 6BD0 06 |IMUL EDX,EAX,6 004011BE |. 33C2 |XOR EAX,EDX 004011C0 |. 03D8 |ADD EBX,EAX 004011C2 |. 41 |INC ECX 004011C3 |. 3B4D D4 |CMP ECX,DWORD PTR SS:[EBP-2C] 004011C6 |.^ 75 EB /JNZ SHORT k4n2.004011B3 004011C8 |. 035D B0 ADD EBX,DWORD PTR SS:[EBP-50] 004011CB |. 895D AC MOV DWORD PTR SS:[EBP-54],EBX 004011CE |. FF75 C0 PUSH DWORD PTR SS:[EBP-40] 004011D1 |. FF75 C4 PUSH DWORD PTR SS:[EBP-3C] 004011D4 |. FF75 BC PUSH DWORD PTR SS:[EBP-44] 004011D7 |. FF75 C8 PUSH DWORD PTR SS:[EBP-38] 004011DA |. FF75 B4 PUSH DWORD PTR SS:[EBP-4C] 004011DD |. FF75 B8 PUSH DWORD PTR SS:[EBP-48] 004011E0 |. FF75 AC PUSH DWORD PTR SS:[EBP-54] 004011E3 |. FF75 B0 PUSH DWORD PTR SS:[EBP-50] 004011E6 |. 68 38B44000 PUSH k4n2.0040B438 ; ASCII "%lX%lu-%lu%lX-%lu%lu-%lX%lX" 004011EB |. 8D85 7CFEFFFF LEA EAX,DWORD PTR SS:[EBP-184] 004011F1 |. 50 PUSH EAX 004011F2 |. E8 8D3D0000 CALL k4n2.00404F84 004011F7 |. 83C4 28 ADD ESP,28 004011FA |. 8D95 7CFEFFFF LEA EDX,DWORD PTR SS:[EBP-184] 00401200 |. 52 PUSH EDX ; /String2 00401201 |. 8D8D E0FEFFFF LEA ECX,DWORD PTR SS:[EBP-120] ; | 00401207 |. 51 PUSH ECX ; |String1 00401208 |. E8 399C0000 CALL <JMP.&KERNEL32.lstrcmpA> ; /lstrcmpA 0040120D |. 85C0 TEST EAX,EAX 0040120F |. 75 0F JNZ SHORT k4n2.00401220 00401211 |. 68 54B44000 PUSH k4n2.0040B454 ; /Text = "Congratulations! IF this number comes *FROM YOUR* keygen, Write a tutorial dude ;)." 00401216 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |hWnd 00401219 |. E8 2C9B0000 CALL <JMP.&USER32.SetWindowTextA> ; /SetWindowTextA 0040121E |. EB 1C JMP SHORT k4n2.0040123C 00401220 |> 68 A8B44000 PUSH k4n2.0040B4A8 ; /Text = "This serial is *NOT* Valid!! Try again... : UNREGISTERED" 00401225 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |hWnd 00401228 |. E8 1D9B0000 CALL <JMP.&USER32.SetWindowTextA> ; /SetWindowTextA 0040122D |. 
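EB 0D JMP SHORT k4n2.0040123C 0040122F |> 68 E1B44000 PUSH k4n2.0040B4E1 ; /Text = "Name must contain more than 3 chars!" 00401234 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |hWnd 00401237 |. E8 0E9B0000 CALL <JMP.&USER32.SetWindowTextA> ; /SetWindowTextA 0040123C |> 5F POP EDI 0040123D |. 5E POP ESI 0040123E |. 5B POP EBX 0040123F |. 8BE5 MOV ESP,EBP 00401241 |. 5D POP EBP 00401242 /. C3 RETN 经过一早上的努力c++源码,写的比较乱
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* Value EDI holds when the crackme's serial routine reaches 0040110E.  It is a
 * stack address: the REP MOVS at 00401057 starts at LEA EDI,[EBP-4D8] and copies
 * 0x19 dwords, leaving EDI = EBP-0x474 (assuming the intervening calls preserve
 * EDI).  The original author hard-coded the value observed in the debugger; it
 * depends on the target process's stack layout — TODO confirm on a live run if
 * the generated serial is rejected. */
enum { K4N2_EDI = 0x0012F538 };

/* Name buffer.  The crackme reads at most 0x64 bytes via GetWindowTextA and
 * rejects names of 50 or more characters (CMP [EBP-2C],32 / JGE at 00401185),
 * so 50 bytes suffice here; the scanf below is bounded to 49 + terminator. */
enum { NAME_CAP = 50 };

/* Mirror of MOVSX ECX,BYTE PTR [...] followed by CMP ECX,61 / JL / SUB ECX,20:
 * sign-extend the byte and subtract 0x20 from anything >= 'a'.  This is what
 * the binary does, not a real toupper — bytes 0x7B..0x7F are shifted as well,
 * and bytes >= 0x80 compare negative after sign extension and are left alone. */
static int32_t upper_sx(char ch)
{
    int32_t c = (signed char)ch;
    if (c >= 0x61) {
        c -= 0x20;
    }
    return c;
}

/* 32-bit left rotate by one (ROL EAX,1 at 004011A1), without inline asm. */
static uint32_t rol1(uint32_t v)
{
    return (v << 1) | (v >> 31);
}

/* Keygen for the k4n2 crackme: reads a name from stdin and prints the serial
 * that the routine at 00401000 builds and compares with lstrcmpA (00401208).
 * Returns 0 on success, 1 when no name was read or the crackme would reject it. */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    /* Locals are named after the stack slots they mirror in the disassembly.
     * All serial components wrap at 32 bits like the registers they model.
     * [EBP-58] is zeroed by the routine but never read, so it is not kept. */
    uint32_t ebp_3c = 0, ebp_40 = 0, ebp_44 = 0, ebp_48 = 0, ebp_4c = 0;
    uint32_t ebp_50 = 0, ebp_54 = 0, ebp_38 = 0;

    printf("please input your name:");
    char name[NAME_CAP] = {0};
    /* Bounded read: the original "%s" could overflow the 50-byte buffer. */
    if (scanf("%49s", name) != 1) {
        fprintf(stderr, "no name read\n");
        return 1;
    }

    /* [EBP-2C]: length of the name (CALL 004016F0 at 004010C1, which the
     * original author identified as strlen). */
    uint32_t length = (uint32_t)strlen(name);
    if (length <= 3 || length >= 50) {
        /* Both bounds lead to the same message in the binary (0040122F). */
        printf("Name must contain more than 3 chars!\n");
        return 1;
    }

    /* 004010FB..00401124: plain length / address arithmetic. */
    ebp_3c += length;
    ebp_3c += length;
    ebp_48 = length + 5;
    ebp_4c = K4N2_EDI + 4;
    ebp_44 += length;
    ebp_44 += K4N2_EDI;
    ebp_40 = K4N2_EDI * 3;

    /* 00401126..00401178: seed EBX with the first character squared, then for
     * every adjacent pair compute EBX = (EBX + next) * cur. */
    {
        uint32_t first = (uint32_t)upper_sx(name[0]);
        ebp_38 = first * first;
    }
    for (uint32_t d = 0; d + 1 < length; d++) {
        uint32_t cur = (uint32_t)upper_sx(name[d]);
        uint32_t next = (uint32_t)upper_sx(name[d + 1]);
        ebp_38 = (ebp_38 + next) * cur;
    }

    /* 0040118F..004011A8: after the loop EAX holds (last char + last index);
     * the running sum in EBX is discarded.  Then ROL 1 and XOR 0x1E240. */
    for (uint32_t i = 0; i < length; i++) {
        ebp_50 = (uint32_t)(int32_t)(signed char)name[i] + i;
    }
    ebp_50 = rol1(ebp_50) ^ 0x1E240u;

    /* 004011B3..004011CB: sum of (c*6)^c over all characters, plus [EBP-50]. */
    {
        uint32_t sum = 0;
        for (uint32_t j = 0; j < length; j++) {
            uint32_t c = (uint32_t)(int32_t)(signed char)name[j];
            sum += (c * 6) ^ c;
        }
        ebp_54 = sum + ebp_50;
    }

    /* Same layout as the format string at 0040B438 ("%lX%lu-%lu%lX-%lu%lu-%lX%lX"),
     * written with 32-bit specifiers so the output is identical on LP64 hosts,
     * and with a real newline (the original had "/n"). */
    printf("your number: %" PRIX32 "%" PRIu32 "-%" PRIu32 "%" PRIX32
           "-%" PRIu32 "%" PRIu32 "-%" PRIX32 "%" PRIX32 "\n",
           ebp_50, ebp_54, ebp_48, ebp_4c, ebp_38, ebp_44, ebp_3c, ebp_40);
    return 0;
}
样本下载:http://7vbqha.blu.livefilestore.com/y1p7B25_EatzIitb3tx4eNQSJChbd2sGuTjTf6F0Y_sXrAz3lBcS2cumz3nPIFo-m6FeW3FmikpkurIcNhFadcikTboGnK6kECY/k4n2.zip?download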