风云CM - 算法分析 & genkey实现
2024-10-10 11:39:56
// 风云CM分析 // 计算用户名
00402D8A |> \8D45 F8 LEA EAX, [LOCAL.2]
00402D8D |. 50 PUSH EAX
00402D8E |. E8 8B060000 CALL <Hash_md5> ; // md5(用户名)
00402D93 |. 8945 F4 MOV [LOCAL.3], EAX
00402D96 |. 8B5D F8 MOV EBX, [LOCAL.2]
00402D99 |. 85DB TEST EBX, EBX
00402D9B |. 74 09 JE SHORT 00402DA6
00402D9D |. 53 PUSH EBX
00402D9E |. E8 0C060100 CALL 004133AF
00402DA3 |. 83C4 04 ADD ESP, 0x4
00402DA6 |> 8B45 F4 MOV EAX, [LOCAL.3] // 2cbd779a6d41d9715d259a5d7e8bb93d
00402DBE |. A3 67D04100 MOV DWORD PTR DS:[0x41D067], EAX ; // [0x41D067] = md5(用户名) 00402E29 |. A3 6BD04100 MOV DWORD PTR DS:[0x41D06B], EAX ; // md5(注册码) // 到字节集(md5(user)) 转换成字节集
00402E71 |. A3 6FD04100 MOV DWORD PTR DS:[0x41D06F], EAX // 字节集到文本
00402E76 |. 68 6FD04100 PUSH 0041D06F
00402E7B |. E8 18070000 CALL 00403598 ; 字节集到文本
00402E9B |. A3 73D04100 MOV DWORD PTR DS:[0x41D073], EAX
0018F6C0 002DCBA8 ASCII "3263626437373961366434316439373135643235396135643765386262393364" aEnCode // 保存长度 64
00402EFD |. A3 77D04100 MOV DWORD PTR DS:[0x41D077], EAX // left(aEnCode,0,5)
00402F51 |. A3 7BD04100 MOV DWORD PTR DS:[0x41D07B], EAX // left(aEnCode, 10, 5)
00402FB1 |. A3 7FD04100 MOV DWORD PTR DS:[0x41D07F], EAX // left(aEnCode, 20, 5)
00403011 |. A3 83D04100 MOV DWORD PTR DS:[0x41D083], EAX // left(aEnCode, 30, 5)
00403071 |. A3 87D04100 MOV DWORD PTR DS:[0x41D087], EAX // left(aEnCode, 40, 5)
004030D1 |. A3 8BD04100 MOV DWORD PTR DS:[0x41D08B], EAX // left(aEnCode, 50, 5)
00403131 |. A3 8FD04100 MOV DWORD PTR DS:[0x41D08F], EAX // 再次MD5
00403170 |. 50 PUSH EAX ; // left(aEnCode,0,5)
00403171 |. E8 A8020000 CALL <Hash_md5> // left(MD5(left(aEnCode, 0, 5)), 0 , 5)
004031BB |. 8945 F4 MOV [LOCAL.3], EAX // left(aEnCode, 0, 5)
00403202 |. 8945 F0 MOV [LOCAL.4], EAX // md5(left(aEnCode, 0, 5))
00403209 |. E8 10020000 CALL <Hash_md5>
0040320E |. 8945 EC MOV [LOCAL.5], EAX // right(md5(left(aEnCode, 0, 5)),0, 5)
00403253 |. 8945 E8 MOV [LOCAL.6], EAX // L7 = left(MD5(left(aEnCode, 0, 5)), 0 , 5) + right(md5(left(aEnCode, 0, 5)),0, 5)
00403266 |> \FF75 E8 PUSH [LOCAL.6]
00403269 |. FF75 F4 PUSH [LOCAL.3]
0040326C |. B9 02000000 MOV ECX, 0x2
00403271 |. E8 98F9FFFF CALL 00402C0E ; 组合
00403279 |. 8945 E4 MOV [LOCAL.7], EAX // left(L7,0, 6)
004032DA |. 8945 E0 MOV [LOCAL.8], EAX // upcase(left(L7, 0, 6);
00403313 |. 8945 DC MOV [LOCAL.9], EAX
0040333E |. A3 93D04100 MOV DWORD PTR DS:[0x41D093], EAX // 到了关键的地方了 下面就是关键跳
00403343 |. E8 67050000 CALL 004038AF ; // 关键的俩个函数 into
00403348 |. E8 E0090000 CALL 00403D2D ; //比较eax = 1成功
0040334D |. 8945 F8 MOV [LOCAL.2], EAX
00403350 |. 837D F8 01 CMP [LOCAL.2], 0x1
00403354 |. 0F85 4F000000 JNZ 004033A9
0040335A |. 68 04000080 PUSH 0x80000004
0040335F |. 6A 00 PUSH 0x0
00403361 |. 68 C1924100 PUSH 004192C1
00403366 |. 68 01030080 PUSH 0x80000301
0040336B |. 6A 00 PUSH 0x0
0040336D |. 68 00000000 PUSH 0x0
00403372 |. 68 04000080 PUSH 0x80000004
00403377 |. 6A 00 PUSH 0x0
00403379 |. 68 C6924100 PUSH 004192C6 ; ASCII "注册成功!"
0040337E |. 68 03000000 PUSH 0x3
00403383 |. BB 00030000 MOV EBX, 0x300
00403388 |. E8 630E0100 CALL 004141F0
0040338D |. 83C4 28 ADD ESP, 0x28
00403390 |. 68 64000000 PUSH 0x64
00403395 |. 68 63D04100 PUSH 0041D063
0040339A |. 8B0424 MOV EAX, DWORD PTR SS:[ESP]
0040339D |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
0040339F |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
004033A1 |. FF50 14 CALL DWORD PTR DS:[EAX+0x14]
004033A4 |. E9 36000000 JMP 004033DF // 先进 0x004038AF // UPcase(LEFT(MD5(left(aEnCode,0,5)),2,5))
// UPcase(LEFT(MD5(left(aEnCode, 10, 5),3,5))
// UPcase(LEFT(MD5(left(aEnCode, 20, 5),4,5))
// UPcase(LEFT(MD5(left(aEnCode, 30, 5),5,5))
// UPcase(LEFT(MD5(left(aEnCode, 40, 5),6,5))
// UPcase(LEFT(MD5(left(aEnCode, 50, 5),7,5))
0041D07B 002E0450 ASCII "8F717"
0041D07F 002E03A0 ASCII "1DE45"
0041D083 002E04A0 ASCII "2F035"
0041D087 002E03E0 ASCII "2ED7B"
0041D08B 002E0470 ASCII "46F03"
0041D08F 002E0630 ASCII "DB200" 004038B8 |. 68 7BD04100 PUSH 0041D07B
004038BD |. E8 5CFBFFFF CALL <Hash_md5>
004038C2 |. 8945 FC MOV [LOCAL.1], EAX
004038C5 |. 68 01030080 PUSH 0x80000301
004038CA |. 6A 00 PUSH 0x0
004038CC |. 68 05000000 PUSH 0x5
004038D1 |. 68 01030080 PUSH 0x80000301
004038D6 |. 6A 00 PUSH 0x0
004038D8 |. 68 02000000 PUSH 0x2
004038DD |. 68 04000080 PUSH 0x80000004
004038E2 |. 6A 00 PUSH 0x0
004038E4 |. 8B45 FC MOV EAX, [LOCAL.1] ; 风云CM.0040333A
004038E7 |. 85C0 TEST EAX, EAX
004038E9 |. 75 05 JNZ SHORT 004038F0
004038EB |. B8 37924100 MOV EAX, 00419237
004038F0 |> 50 PUSH EAX
004038F1 |. 68 03000000 PUSH 0x3
004038F6 |. BB 3C010000 MOV EBX, 0x13C
004038FB |. E8 90070100 CALL 00414090
00403900 |. 83C4 28 ADD ESP, 0x28
00403903 |. 8945 F8 MOV [LOCAL.2], EAX
00403934 |. E8 37080100 CALL 00414170 ; upcase
0040393C |. 8945 F4 MOV [LOCAL.3], EAX
00403967 |. A3 7BD04100 MOV DWORD PTR DS:[0x41D07B], EAX // 后面已经懒得分析了 剩下的就是比对了
注册机实现:
#include <iostream>
#include <string>
#include "md5.h" using namespace std; const string& ToUpcase(string &Text){
for(string::size_type i = 0; i < Text.length(); ++i)
if(Text[i] >= 'a' && Text[i] <= 'z') Text[i] = Text[i] & ~0x20;
return Text;
} string MD5ToAscii(const string &Binary){
string HexTable = "0123456789ABCDEF";
string Ascii;
for(string::size_type i = 0; i < Binary.size(); ++i){
char n = Binary.at(i);
while(n){
Ascii.insert(i*2, 1,HexTable.at(n % 16));
n /= 16;
}
}
return Ascii;
} int main()
{
string name;
cout << "Input User Name:";
cin >> name; // 第二部分
string strSn1 = MD5ToAscii(MD5(name).toString());
string strSn2 = MD5(strSn1.substr(0,5)).toString().substr(0,5);
string strSn3 = MD5(strSn1.substr(64 - 5,5)).toString().substr(32 - 5,5);
string strSn4 = strSn2 + strSn3;
strSn4 = strSn4.substr(3,6);
ToUpcase(strSn4); // 转到大写 // 第一部分
string strSn5 = MD5(strSn1.substr(0,5)).toString().substr(1,5);
ToUpcase(strSn5);
string strSn6 = MD5(strSn1.substr(9,5)).toString().substr(2,5);
ToUpcase(strSn6);
string strSn7 = MD5(strSn1.substr(19,5)).toString().substr(3,5);
ToUpcase(strSn7);
string strSn8 = MD5(strSn1.substr(29,5)).toString().substr(4,5);
ToUpcase(strSn8);
string strSn9 = MD5(strSn1.substr(39,5)).toString().substr(5,5);
ToUpcase(strSn9);
string strSn10 = MD5(strSn1.substr(49,5)).toString().substr(6,5);
ToUpcase(strSn10); char regCode[100] = {0}; sprintf(regCode, "64-%s-%s-%s-%s-%s-%s-%s", strSn5.c_str(), strSn6.c_str(), strSn7.c_str(),
strSn8.c_str(), strSn9.c_str(), strSn10.c_str(), strSn4.c_str());
cout << "Your RegCode:" << regCode << endl;
return 0;
}
风云CM分析+md5算法库+Source(genkey)
http://pan.baidu.com/s/1ntzG4m1
最新文章
- 2015-01-16 .Net 中级软件工程师 笔试题
- Java反射机制实例解析
- 用rlwrap使sqlplus可以上下翻页
- android贪吃蛇(超级简陋版)
- arcgis python 更新顺序号
- Python3 ORM hacking
- SecurityManager一:理解AccessController.doPrivileged()
- 【BZOJ】【1027】【JSOI2007】合金
- Python读写文件需要注意的地方 2015-03-31 23:19 69人阅读 评论(0) 收藏
- MySQL的索引
- ORACLE创建OEM是老爱报的错误【weber出品】
- 小红帽5.9 配置静态IP上网问题
- Socket 的理解及实例
- queue的入门
- php的ob函数实现页面静态化
- Elasticsearch简介与实战
- Java中的方法(形参及实参)return返回类型
- 去掉"You are running Vue in development mode"提示
- visualvm监控类是否是多例模式
- .NetCore下利用Jenkins如何将程序自动打包发布到Docker容器中运行
热门文章
- C#关于静态与非静态的区别
- Python3爬虫学习
- Codeforces Round #333 (Div. 2) C. The Two Routes flyod
- Codeforces gym 100685 C. Cinderella 水题
- TC SRM 663 div2 B AABB 逆推
- 改进uboot,添加自定义快捷菜单
- [Angular 2] Create Shareable Angular 2 Components
- [连载]JavaScript讲义(04)--- 函数和闭包
- android UI进阶之实现listview的下拉加载
- 初步认知MySQL metadata lock(MDL)