
Analysis of the New 160 CrackMes, Group 6: 51-60 (Part 2)

2022-10-27 21:06 Author: rkvir逆向工程學院

Author: selph

- 051-Keygenning4newbies1
- 052-tc.22
- 053-devilz KeyGen me#33
- 054-vcrkme014
- 055-BCG Crackme5
- 056-diablo2oo2's Crackme 016
- 057-bbbs-crackme047
- 058-CZG-crackme18
- 059-Dope2112.19
- 060-snake10

1. 056-diablo2oo2's Crackme 016

Algorithm difficulty: ★★★★

Patching difficulty: ★

Information gathering

Runtime behaviour:


Packer detection and unpacking:


Debugging and analysis

Into IDA we go.

Right at the start there is a call; step into it.


This call creates the window. It starts by filling in the window class, which contains a window procedure; step into that.


As usual, look in the window procedure for the branch where nMsg=0x111 and wParam=3 (found with xspy):

First it fetches Name and checks its length; a valid length is 5 to 0x20 bytes.


Next is a loop over the first 5 bytes that generates 5 bytes and stores them in a char array; the cluster of jumps only ensures that each generated byte falls within the required range.


Next: the first five bytes are looped over again and, with a similar method, another 5 bytes are generated and appended to the char array.


Further down the serial is fetched:

The serial must be exactly 10 bytes long.



Finally, the comparison:

Take one byte of the serial and one byte of the generated array, transform the generated byte, and compare it with the serial byte; if they match, move on to the next one, and if all ten match, success~


Keygen

Serial generation algorithm:

```csharp
using System;

class Keygen056
{
    static void Main()
    {
        string name = Console.ReadLine();
        char[] nameCheck = new char[11];
        if (name != null && name.Length >= 5 && name.Length <= 0x20)
        {
            // process the first 5 bytes
            byte i = 5;
            while (i > 0)
            {
                byte cl = (byte)name[5 - i];
                cl ^= 0x29;
                cl += i;
                if (cl < 0x41 || cl > 0x5A)
                {
                    cl = 0x52;
                    cl += i;
                }
                nameCheck[5 - i] = (char)cl;
                i--;
            }

            // process the last five bytes (second pass over the first five name bytes)
            i = 5;
            while (i > 0)
            {
                byte cl = (byte)name[5 - i];
                cl ^= 0x27;
                cl += i;
                cl += 1;
                if (cl < 0x41 || cl > 0x5A)
                {
                    cl = 0x4D;
                    cl += i;
                }
                nameCheck[10 - i] = (char)cl;
                i--;
            }

            // generate the serial from the 10 generated bytes
            char[] serial = new char[11];
            i = 0;
            while (i < 10)
            {
                byte dl = (byte)nameCheck[i];
                dl += 5;
                if (dl > 0x5A) dl -= 0x0d;
                dl ^= 0x0c;
                if (dl < 0x41)
                {
                    dl = 0x4B;
                    dl += i;
                }
                if (dl > 0x5A)
                {
                    dl = 0x4B;
                    dl -= i;
                }
                serial[i] = (char)dl;
                i++;
            }

            // print only the 10 serial characters (the 11th slot is the unused terminator)
            Console.WriteLine(new string(serial, 0, 10));
        }
    }
}
```

Result:


2. 057-bbbs-crackme047

Algorithm difficulty: ★★

Patching difficulty: ★

Anti-debugging: ★

Information gathering

Runtime behaviour:

Opened in a virtual machine, it shows an anti-debugging message.


Packer detection and unpacking:

It is packed, and even after unpacking the import names are still not visible, so forget it and debug it packed.


Debugging and analysis

Anti-debugging?

Yes, the question mark is deliberate. I assumed some anti-debugging trick was in use, because I couldn't work out why the program simply wouldn't run. In the end it turned out to be nothing more than a hard-coded message box saying a debugger is present, followed by exiting the process. NOP out that function and you're done.

First, run it in the debugger, ignoring the packer: run until the message box appears, click pause, and find the place where the message-box function is called:


Go one level up the call stack to the top-most function header: it is the familiar window procedure, and here eax holds the message code.


Set a breakpoint on the line cmp eax,133, then keep running and breaking to observe which eax value precedes the popup. I'll skip the demonstration; the result is that the popup appears when eax=47.

Run again, follow the eax=47 branch, single-step, and find the place where execution goes astray:


Immediately after the int 2b here the program runs away: it enters a kernel system call and it is unclear where it returns to. So, before executing that instruction, set a breakpoint on the whole code section from the memory map view, then execute:


The program stops right in front of the function that pops up the anti-debugging message! This popup call does only one thing: show the message box and exit the process.

So to start the program normally without the popup, this call has to be NOPed out! After that, run it and you reach the program's UI:


Registration algorithm analysis

This time, let's go straight to dynamic analysis.

As usual, find the branch in the window procedure where the control code is 111 and the parameter is 3eb:

The logic is simple and clear: get UserId, get Password, then one call; a non-zero return means success.


Step into the call; from here on IDA is used for the analysis:

First the input is checked: UserId must not be empty, and Password must be 8 characters long.


Then a value is computed from UserId, a value is computed from Password (atoi), one is XORed with a fixed constant, and finally the two are compared.


Keygen

Serial generation algorithm:

```cpp
#include <iostream>
#include <iomanip>
#include <cstring>

int main()
{
    char UserId[100] = { 0 };
    std::cin >> std::setw(sizeof UserId) >> UserId;   // bounded read

    // hash UserId: shift/or each round, then mix in the next character
    unsigned int check = 0x12345678;
    for (size_t i = 0; i < strlen(UserId); i++)
        check = ((check * 2) | (check >> 7)) ^ UserId[i];

    // apply the fixed XOR constant and print the result in hex
    check ^= 0xDDDDDDD0;
    std::cout << std::hex << check;
}
```

Result:


3. 058-CZG-crackme18

Algorithm difficulty: ★★★

Patching difficulty: ★

Information gathering

Runtime behaviour:


Packer detection and unpacking:

No packer.


Debugging and analysis

Open it directly in IDA, find the window procedure, and the 0x111 / 3eb branch:

First the two input values are fetched.



Then an array is computed from UserName.



Then comes the computation and comparison, and here something odd happens: the address of that array is converted to decimal, turned into a string, and the checksum is computed over that string. So the big computation just before was useless?!!


Computing the checksum:

First loop: it runs 100h times and computes an array with 100h entries.


Then the second loop:

eax is initialised to FFFFFFFFh; then a byte is taken and XORed with the low byte of eax (initially ff), eax is shifted right by 8 bits, and XORed with a 4-byte entry of the array.

Hmm, a 256-entry array, an all-F initial value, a shift by 8 bits each iteration: this is just the CRC32 algorithm.


Keygen

Run the program, break after the crc32 table has been generated, and copy the table out to use directly; that saves computing the table by hand.
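Added example (not from the page or the crackme): rebuilding the 256-entry table from the standard reflected polynomial 0xEDB88320 and comparing it with the first entries of the dump shows that the table is the ordinary CRC-32 one and that the second loop is textbook CRC-32, so a generated table can replace the copied one. The names crc32_make_table, crc32_of, table_mismatches and kDumpHead are mine; the kDumpHead bytes are the first 16 bytes of the dump on this page.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>

// Standard (reflected) CRC-32 polynomial, as used by zlib / IEEE 802.3.
static const uint32_t kPoly = 0xEDB88320u;

// What the crackme's first loop computes: 256 entries, each built by
// shifting right 8 times with a conditional XOR of the polynomial.
static void crc32_make_table(uint32_t table[256]) {
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (kPoly ^ (c >> 1)) : (c >> 1);
        table[n] = c;
    }
}

// What the crackme's second loop computes: init FFFFFFFF, XOR a byte into
// the low byte, shift right 8, XOR a table entry, complement at the end.
static uint32_t crc32_of(const uint8_t* data, size_t len) {
    uint32_t table[256];
    crc32_make_table(table);
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = table[(crc ^ data[i]) & 0xFF] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

// Read one little-endian dword from a raw dump.
static uint32_t le32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Compare a dumped table (raw little-endian dwords) with the generated one.
// Returns the number of differing entries; 0 means the dump is standard CRC-32.
static int table_mismatches(const uint8_t* dump, size_t dump_len) {
    uint32_t table[256];
    crc32_make_table(table);
    int bad = 0;
    for (size_t n = 0; n < 256 && (n + 1) * 4 <= dump_len; n++)
        if (le32(dump + n * 4) != table[n]) bad++;
    return bad;
}

// First 16 bytes of the page's hexData dump (entries 0..3), copied from the listing.
static const uint8_t kDumpHead[16] = {
    0x00, 0x00, 0x00, 0x00, 0x96, 0x30, 0x07, 0x77,
    0x2C, 0x61, 0x0E, 0xEE, 0xBA, 0x51, 0x09, 0x99 };

int main() {
    printf("mismatching entries in dump head: %d\n",
           table_mismatches(kDumpHead, sizeof kDumpHead));
    // 0xCBF43926 is the well-known CRC-32 check value for "123456789"
    printf("crc32(\"123456789\") = %08X\n",
           (unsigned)crc32_of((const uint8_t*)"123456789", 9));
    return 0;
}
```

If table_mismatches reports non-zero entries on a different sample, the author used a modified polynomial or table and the generic routine cannot be substituted.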

Serial generation algorithm:

```cpp
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <iomanip>
#include <cstring>
#include <cstdio>

unsigned char arr1[8] = {
    0x63, 0x72, 0x61, 0x63, 0x6B, 0x6D, 0x65, 0x00
};

unsigned char arr2[67] = {
    0x36, 0x35, 0x37, 0x75, 0x74, 0x68, 0x75, 0x74, 0x64, 0x75, 0x65, 0x68, 0x64, 0x68, 0x64, 0x68,
    0x64, 0x2C, 0x6C, 0x6A, 0x68, 0x67, 0x73, 0x34, 0x73, 0x67, 0x66, 0x34, 0x73, 0x35, 0x73, 0x35,
    0x67, 0x73, 0x35, 0x73, 0x67, 0x35, 0x67, 0x34, 0x35, 0x73, 0x34, 0x67, 0x35, 0x64, 0x67, 0x79,
    0x73, 0x68, 0x73, 0x74, 0x65, 0x5D, 0x5B, 0x67, 0x66, 0x5D, 0x66, 0x67, 0x5D, 0x66, 0x5D, 0x64,
    0x5D, 0x00, 0x00
};

//------------------------------------------------------------
//-----------        Created with 010 Editor        -----------
//------         www.sweetscape.com/010editor/          ------
//
// File    : Untitled1
// Address : 0 (0x0)
// Size    : 1024 (0x400)
//------------------------------------------------------------
// crc32 table dumped from the running program (256 little-endian dwords)
unsigned char hexData[1024] = {
    0x00, 0x00, 0x00, 0x00, 0x96, 0x30, 0x07, 0x77, 0x2C, 0x61, 0x0E, 0xEE, 0xBA, 0x51, 0x09, 0x99,
    0x19, 0xC4, 0x6D, 0x07, 0x8F, 0xF4, 0x6A, 0x70, 0x35, 0xA5, 0x63, 0xE9, 0xA3, 0x95, 0x64, 0x9E,
    0x32, 0x88, 0xDB, 0x0E, 0xA4, 0xB8, 0xDC, 0x79, 0x1E, 0xE9, 0xD5, 0xE0, 0x88, 0xD9, 0xD2, 0x97,
    0x2B, 0x4C, 0xB6, 0x09, 0xBD, 0x7C, 0xB1, 0x7E, 0x07, 0x2D, 0xB8, 0xE7, 0x91, 0x1D, 0xBF, 0x90,
    0x64, 0x10, 0xB7, 0x1D, 0xF2, 0x20, 0xB0, 0x6A, 0x48, 0x71, 0xB9, 0xF3, 0xDE, 0x41, 0xBE, 0x84,
    0x7D, 0xD4, 0xDA, 0x1A, 0xEB, 0xE4, 0xDD, 0x6D, 0x51, 0xB5, 0xD4, 0xF4, 0xC7, 0x85, 0xD3, 0x83,
    0x56, 0x98, 0x6C, 0x13, 0xC0, 0xA8, 0x6B, 0x64, 0x7A, 0xF9, 0x62, 0xFD, 0xEC, 0xC9, 0x65, 0x8A,
    0x4F, 0x5C, 0x01, 0x14, 0xD9, 0x6C, 0x06, 0x63, 0x63, 0x3D, 0x0F, 0xFA, 0xF5, 0x0D, 0x08, 0x8D,
    0xC8, 0x20, 0x6E, 0x3B, 0x5E, 0x10, 0x69, 0x4C, 0xE4, 0x41, 0x60, 0xD5, 0x72, 0x71, 0x67, 0xA2,
    0xD1, 0xE4, 0x03, 0x3C, 0x47, 0xD4, 0x04, 0x4B, 0xFD, 0x85, 0x0D, 0xD2, 0x6B, 0xB5, 0x0A, 0xA5,
    0xFA, 0xA8, 0xB5, 0x35, 0x6C, 0x98, 0xB2, 0x42, 0xD6, 0xC9, 0xBB, 0xDB, 0x40, 0xF9, 0xBC, 0xAC,
    0xE3, 0x6C, 0xD8, 0x32, 0x75, 0x5C, 0xDF, 0x45, 0xCF, 0x0D, 0xD6, 0xDC, 0x59, 0x3D, 0xD1, 0xAB,
    0xAC, 0x30, 0xD9, 0x26, 0x3A, 0x00, 0xDE, 0x51, 0x80, 0x51, 0xD7, 0xC8, 0x16, 0x61, 0xD0, 0xBF,
    0xB5, 0xF4, 0xB4, 0x21, 0x23, 0xC4, 0xB3, 0x56, 0x99, 0x95, 0xBA, 0xCF, 0x0F, 0xA5, 0xBD, 0xB8,
    0x9E, 0xB8, 0x02, 0x28, 0x08, 0x88, 0x05, 0x5F, 0xB2, 0xD9, 0x0C, 0xC6, 0x24, 0xE9, 0x0B, 0xB1,
    0x87, 0x7C, 0x6F, 0x2F, 0x11, 0x4C, 0x68, 0x58, 0xAB, 0x1D, 0x61, 0xC1, 0x3D, 0x2D, 0x66, 0xB6,
    0x90, 0x41, 0xDC, 0x76, 0x06, 0x71, 0xDB, 0x01, 0xBC, 0x20, 0xD2, 0x98, 0x2A, 0x10, 0xD5, 0xEF,
    0x89, 0x85, 0xB1, 0x71, 0x1F, 0xB5, 0xB6, 0x06, 0xA5, 0xE4, 0xBF, 0x9F, 0x33, 0xD4, 0xB8, 0xE8,
    0xA2, 0xC9, 0x07, 0x78, 0x34, 0xF9, 0x00, 0x0F, 0x8E, 0xA8, 0x09, 0x96, 0x18, 0x98, 0x0E, 0xE1,
    0xBB, 0x0D, 0x6A, 0x7F, 0x2D, 0x3D, 0x6D, 0x08, 0x97, 0x6C, 0x64, 0x91, 0x01, 0x5C, 0x63, 0xE6,
    0xF4, 0x51, 0x6B, 0x6B, 0x62, 0x61, 0x6C, 0x1C, 0xD8, 0x30, 0x65, 0x85, 0x4E, 0x00, 0x62, 0xF2,
    0xED, 0x95, 0x06, 0x6C, 0x7B, 0xA5, 0x01, 0x1B, 0xC1, 0xF4, 0x08, 0x82, 0x57, 0xC4, 0x0F, 0xF5,
    0xC6, 0xD9, 0xB0, 0x65, 0x50, 0xE9, 0xB7, 0x12, 0xEA, 0xB8, 0xBE, 0x8B, 0x7C, 0x88, 0xB9, 0xFC,
    0xDF, 0x1D, 0xDD, 0x62, 0x49, 0x2D, 0xDA, 0x15, 0xF3, 0x7C, 0xD3, 0x8C, 0x65, 0x4C, 0xD4, 0xFB,
    0x58, 0x61, 0xB2, 0x4D, 0xCE, 0x51, 0xB5, 0x3A, 0x74, 0x00, 0xBC, 0xA3, 0xE2, 0x30, 0xBB, 0xD4,
    0x41, 0xA5, 0xDF, 0x4A, 0xD7, 0x95, 0xD8, 0x3D, 0x6D, 0xC4, 0xD1, 0xA4, 0xFB, 0xF4, 0xD6, 0xD3,
    0x6A, 0xE9, 0x69, 0x43, 0xFC, 0xD9, 0x6E, 0x34, 0x46, 0x88, 0x67, 0xAD, 0xD0, 0xB8, 0x60, 0xDA,
    0x73, 0x2D, 0x04, 0x44, 0xE5, 0x1D, 0x03, 0x33, 0x5F, 0x4C, 0x0A, 0xAA, 0xC9, 0x7C, 0x0D, 0xDD,
    0x3C, 0x71, 0x05, 0x50, 0xAA, 0x41, 0x02, 0x27, 0x10, 0x10, 0x0B, 0xBE, 0x86, 0x20, 0x0C, 0xC9,
    0x25, 0xB5, 0x68, 0x57, 0xB3, 0x85, 0x6F, 0x20, 0x09, 0xD4, 0x66, 0xB9, 0x9F, 0xE4, 0x61, 0xCE,
    0x0E, 0xF9, 0xDE, 0x5E, 0x98, 0xC9, 0xD9, 0x29, 0x22, 0x98, 0xD0, 0xB0, 0xB4, 0xA8, 0xD7, 0xC7,
    0x17, 0x3D, 0xB3, 0x59, 0x81, 0x0D, 0xB4, 0x2E, 0x3B, 0x5C, 0xBD, 0xB7, 0xAD, 0x6C, 0xBA, 0xC0,
    0x20, 0x83, 0xB8, 0xED, 0xB6, 0xB3, 0xBF, 0x9A, 0x0C, 0xE2, 0xB6, 0x03, 0x9A, 0xD2, 0xB1, 0x74,
    0x39, 0x47, 0xD5, 0xEA, 0xAF, 0x77, 0xD2, 0x9D, 0x15, 0x26, 0xDB, 0x04, 0x83, 0x16, 0xDC, 0x73,
    0x12, 0x0B, 0x63, 0xE3, 0x84, 0x3B, 0x64, 0x94, 0x3E, 0x6A, 0x6D, 0x0D, 0xA8, 0x5A, 0x6A, 0x7A,
    0x0B, 0xCF, 0x0E, 0xE4, 0x9D, 0xFF, 0x09, 0x93, 0x27, 0xAE, 0x00, 0x0A, 0xB1, 0x9E, 0x07, 0x7D,
    0x44, 0x93, 0x0F, 0xF0, 0xD2, 0xA3, 0x08, 0x87, 0x68, 0xF2, 0x01, 0x1E, 0xFE, 0xC2, 0x06, 0x69,
    0x5D, 0x57, 0x62, 0xF7, 0xCB, 0x67, 0x65, 0x80, 0x71, 0x36, 0x6C, 0x19, 0xE7, 0x06, 0x6B, 0x6E,
    0x76, 0x1B, 0xD4, 0xFE, 0xE0, 0x2B, 0xD3, 0x89, 0x5A, 0x7A, 0xDA, 0x10, 0xCC, 0x4A, 0xDD, 0x67,
    0x6F, 0xDF, 0xB9, 0xF9, 0xF9, 0xEF, 0xBE, 0x8E, 0x43, 0xBE, 0xB7, 0x17, 0xD5, 0x8E, 0xB0, 0x60,
    0xE8, 0xA3, 0xD6, 0xD6, 0x7E, 0x93, 0xD1, 0xA1, 0xC4, 0xC2, 0xD8, 0x38, 0x52, 0xF2, 0xDF, 0x4F,
    0xF1, 0x67, 0xBB, 0xD1, 0x67, 0x57, 0xBC, 0xA6, 0xDD, 0x06, 0xB5, 0x3F, 0x4B, 0x36, 0xB2, 0x48,
    0xDA, 0x2B, 0x0D, 0xD8, 0x4C, 0x1B, 0x0A, 0xAF, 0xF6, 0x4A, 0x03, 0x36, 0x60, 0x7A, 0x04, 0x41,
    0xC3, 0xEF, 0x60, 0xDF, 0x55, 0xDF, 0x67, 0xA8, 0xEF, 0x8E, 0x6E, 0x31, 0x79, 0xBE, 0x69, 0x46,
    0x8C, 0xB3, 0x61, 0xCB, 0x1A, 0x83, 0x66, 0xBC, 0xA0, 0xD2, 0x6F, 0x25, 0x36, 0xE2, 0x68, 0x52,
    0x95, 0x77, 0x0C, 0xCC, 0x03, 0x47, 0x0B, 0xBB, 0xB9, 0x16, 0x02, 0x22, 0x2F, 0x26, 0x05, 0x55,
    0xBE, 0x3B, 0xBA, 0xC5, 0x28, 0x0B, 0xBD, 0xB2, 0x92, 0x5A, 0xB4, 0x2B, 0x04, 0x6A, 0xB3, 0x5C,
    0xA7, 0xFF, 0xD7, 0xC2, 0x31, 0xCF, 0xD0, 0xB5, 0x8B, 0x9E, 0xD9, 0x2C, 0x1D, 0xAE, 0xDE, 0x5B,
    0xB0, 0xC2, 0x64, 0x9B, 0x26, 0xF2, 0x63, 0xEC, 0x9C, 0xA3, 0x6A, 0x75, 0x0A, 0x93, 0x6D, 0x02,
    0xA9, 0x06, 0x09, 0x9C, 0x3F, 0x36, 0x0E, 0xEB, 0x85, 0x67, 0x07, 0x72, 0x13, 0x57, 0x00, 0x05,
    0x82, 0x4A, 0xBF, 0x95, 0x14, 0x7A, 0xB8, 0xE2, 0xAE, 0x2B, 0xB1, 0x7B, 0x38, 0x1B, 0xB6, 0x0C,
    0x9B, 0x8E, 0xD2, 0x92, 0x0D, 0xBE, 0xD5, 0xE5, 0xB7, 0xEF, 0xDC, 0x7C, 0x21, 0xDF, 0xDB, 0x0B,
    0xD4, 0xD2, 0xD3, 0x86, 0x42, 0xE2, 0xD4, 0xF1, 0xF8, 0xB3, 0xDD, 0x68, 0x6E, 0x83, 0xDA, 0x1F,
    0xCD, 0x16, 0xBE, 0x81, 0x5B, 0x26, 0xB9, 0xF6, 0xE1, 0x77, 0xB0, 0x6F, 0x77, 0x47, 0xB7, 0x18,
    0xE6, 0x5A, 0x08, 0x88, 0x70, 0x6A, 0x0F, 0xFF, 0xCA, 0x3B, 0x06, 0x66, 0x5C, 0x0B, 0x01, 0x11,
    0xFF, 0x9E, 0x65, 0x8F, 0x69, 0xAE, 0x62, 0xF8, 0xD3, 0xFF, 0x6B, 0x61, 0x45, 0xCF, 0x6C, 0x16,
    0x78, 0xE2, 0x0A, 0xA0, 0xEE, 0xD2, 0x0D, 0xD7, 0x54, 0x83, 0x04, 0x4E, 0xC2, 0xB3, 0x03, 0x39,
    0x61, 0x26, 0x67, 0xA7, 0xF7, 0x16, 0x60, 0xD0, 0x4D, 0x47, 0x69, 0x49, 0xDB, 0x77, 0x6E, 0x3E,
    0x4A, 0x6A, 0xD1, 0xAE, 0xDC, 0x5A, 0xD6, 0xD9, 0x66, 0x0B, 0xDF, 0x40, 0xF0, 0x3B, 0xD8, 0x37,
    0x53, 0xAE, 0xBC, 0xA9, 0xC5, 0x9E, 0xBB, 0xDE, 0x7F, 0xCF, 0xB2, 0x47, 0xE9, 0xFF, 0xB5, 0x30,
    0x1C, 0xF2, 0xBD, 0xBD, 0x8A, 0xC2, 0xBA, 0xCA, 0x30, 0x93, 0xB3, 0x53, 0xA6, 0xA3, 0xB4, 0x24,
    0x05, 0x36, 0xD0, 0xBA, 0x93, 0x06, 0xD7, 0xCD, 0x29, 0x57, 0xDE, 0x54, 0xBF, 0x67, 0xD9, 0x23,
    0x2E, 0x7A, 0x66, 0xB3, 0xB8, 0x4A, 0x61, 0xC4, 0x02, 0x1B, 0x68, 0x5D, 0x94, 0x2B, 0x6F, 0x2A,
    0x37, 0xBE, 0x0B, 0xB4, 0xA1, 0x8E, 0x0C, 0xC3, 0x1B, 0xDF, 0x05, 0x5A, 0x8D, 0xEF, 0x02, 0x2D
};


int main()
{
    char name[100] = { 0 };
    std::cin >> std::setw(sizeof name) >> name;   // read, but never used by the check

    // useless!!!! (the array derived from the name is never fed into the crc)
    //char str[100] = { 0 };
    //for (size_t i = 0; i < 6; i++)
    //{
    //  char tmp = arr1[i] & arr2[i];
    //  name[i] = tmp;
    //  name[i] &= arr1[i];
    //  name[i] ^= arr2[i];
    //  name[i] += i;
    //  str[i] = name[i];
    //}

    // the program hashes the decimal string of the array's address instead
    const char* str1 = "4339744";
    unsigned int eax = 0xFFFFFFFF;
    for (int i = 0; i < 6; i++)
    {
        unsigned char edx = str1[i];
        edx ^= eax;
        eax >>= 8;
        unsigned int entry;
        memcpy(&entry, hexData + edx * 4, 4);   // little-endian dword from the table
        eax ^= entry;
    }
    eax ^= 0xffffffff;

    char check_code[100] = { 0 };
    sprintf(check_code, "plmm: 0x%08X", eax);
    std::cout << check_code;
}
```

Result:


Summary

This is most likely a coding mistake: logically Name should produce an array and the crc should be computed over that array, but the programmer computed the crc over the address of the generated array, which turns the whole thing into a hard-coded value.

4. 059-Dope2112.19

Algorithm difficulty: ★★★ (jump table)

Patching difficulty: ★

Information gathering

Runtime behaviour:



Packer detection and unpacking:


Debugging and analysis

An old-version Delphi program.

Enter wrong information and look at the prompt:


Search for the string in x86dbg to find the check function, sub_421B84; look up that location in IDA, and at the same time open the program in DelphiDecompiler to help with the analysis.

First the input is processed: the username must be at least 6 characters long, and it is converted entirely to lower case.


Then the loop: take one byte, subtract 'a', and use the result as an index to jump. This is the jump-table form of a switch-case statement, and each branch does something different.


Each jump branch just assigns a value; after the branch, that value is accumulated into a single byte. The loop runs 6 times in total.


Further down is ordinary string concatenation and comparison:



Keygen

Serial generation algorithm:

```cpp
#include <iostream>
#include <string>
#include <algorithm>
#include <cstdint>
using namespace std;
int main()
{
    string name = "";
    int len;

    std::cin >> name;
    len = name.length();
    if (len < 6) return 1;   // the crackme requires at least 6 characters
    transform(name.begin(), name.end(), name.begin(), ::tolower);

    // per-character value from the jump table, accumulated into one byte
    uint8_t dl;
    uint8_t bl = 0;
    for (int i = 0; i != 6; ++i)
    {
        switch (name[i])
        {
        case 'a':
            dl = 24;
            break;
        case 'b':
            dl = 37;
            break;
        case 'c':
            dl = 66;
            break;
        case 'd':
            dl = 12;
            break;
        case 'e':
            dl = 13;
            break;
        case 'f':
            dl = 6;
            break;
        case 'g':
            dl = 54;
            break;
        case 'h':
            dl = 43;
            break;
        case 'i':
            dl = 23;
            break;
        case 'j':
            dl = 47;
            break;
        case 'k':
            dl = 19;
            break;
        case 'l':
            dl = -126;
            break;
        case 'm':
            dl = -101;
            break;
        case 'n':
            dl = -110;
            break;
        case 'o':
            dl = 3;
            break;
        case 'p':
            dl = 99;
            break;
        case 'q':
            dl = 33;
            break;
        case 'r':
            dl = 66;
            break;
        case 's':
            dl = 92;
            break;
        case 't':
            dl = 41;
            break;
        case 'u':
            dl = -57;
            break;
        case 'v':
            dl = 102;
            break;
        case 'w':
            dl = 88;
            break;
        case 'x':
            dl = 10;
            break;
        case 'y':
            dl = 40;
            break;
        case 'z':
            dl = 80;
            break;
        default:
            dl = 93;
            break;
        }
        bl += dl;
    }
    // serial = "<byte sum>-<length * 0x4a7e>"
    cout << (int)bl << "-" << len * 0x4a7e;
}
```

Result:


5. 060-snake10

Algorithm difficulty: ★★★★★

Patching difficulty: ★

Information gathering

Runtime behaviour:


Packer detection and unpacking:


Debugging and analysis

The Check button handler

As usual, open it in IDA and find the Check button's event branch:

First Name and Serial are fetched; if either is empty, a message is shown.


Then a call validates the Serial; if it is invalid, a message box is shown.


The content of that call: it checks that the input consists only of digits and upper-case letters.


Further down are three calls and the message box that reports whether validation succeeded:



Verification, call 1

The verification consists mainly of 3 calls.

First, the first call:

There isn't much to it; put simply, it fills an array.

It writes 16 bytes of FF, then 16*16 bytes of 00, then another 16 bytes of FF.


Verification, call 2

The 2nd call has a bit more in it.

First the Name is processed: every character is added up, and the running sum is kept in dl.


Next the CC cells are generated: the sum dl is XORed with a byte taken from the name to produce an array index; if that cell is 0, CC is written there, and the number of CC cells is counted.

The sum is XORed with the byte, and then the byte value is subtracted from the sum that was just used, so the CC cells look randomly scattered while being entirely determined by the Name.


Further down a single DD is placed, using the same position computation that was used for CC.


After that, 99 is placed:

The final dl is used directly as the index: if that cell is 00 it is set to 99, otherwise step back one cell and check again; finally the address of the 99 is saved.


Generate a map with the string selph and take a look:


Verification, call 3

By now it is pretty obvious: a 16*16 map, many CC cells, one DD, one 99, plus the program name snake. This is a game of Snake!

The first call allocates the space and the second lays out the field, so the third call naturally starts the game!

It first fetches the current position and the serial; the serial input drives the movement.

First it checks whether the input character is a digit; if so, it moves directly, where moving means adding to or subtracting from the array index.

The decision works like this: take the low two bits of the digit:

- 00: one cell down

- 01: one cell up

- 10: one cell left

- 11: one cell right

If the digit has more than its low two bits set, then after that move the high two bits are used for a second move; for example 9 is 1001, which means up one cell and then left one cell. Upper-case letters are handled similarly; see the computation in this part of the disassembly for details.


Once the direction is computed, the move is checked:

If the next cell is 0 or CC, jump to the move handling; if it is 99, return 0 (failure); if it is DD and the CC cells have not all been eaten, also return 0 (failure); if all CC have been eaten, return 1 (success).


First, how a next cell of 00 is handled:

A call is made that walks one cell; then it checks whether the high 2 bits are set and, if so, walks once more with them; otherwise it fetches the next character and enters the next iteration.


Now the cell-walking call itself:

First it takes the new position and the starting position of the current cell, writes 99 into the new position and 00 into the current position.

Then it checks edi+4: edi holds an array whose members are the positions of the snake's body, so when the length is greater than 1, edi+4 is the second position. If that has a value, the position just zeroed becomes the new position and the body position becomes the current position, and the same operation is repeated.

Visually, the body follows the head.


Back in the loop: if the move lands on a CC, the same move function is executed and count is decremented by 1; count holds the number of CC cells currently on the field.

Then the cell that the function zeroed is set back to 99; that is, the last body cell, which was just cleared, is refilled with 99, and the new position is added to the body array.


At this point the whole program's logic is clear: it is Snake. Eat all the CC and reach DD, and validation passes.

Keygen

Serial generation algorithm:

```cpp
#include <iostream>
#include <cstring>
#include <cstdint>
#include <string>
using namespace std;

uint8_t areas[18][16] = { 0 };
uint8_t countCC = 0;
uint8_t snake[10][2] = { 0 };
uint8_t pos[10][2] = { 0 };

void GenerateAreas(string str) {
    // field generation: FF fence, 16x16 playfield, FF fence
    memset(&areas[0], 0xFF, 0x10);
    memset(&areas[1], 0, 0x100);
    memset(&areas[17], 0xFF, 0x10);

    // place CC
    uint8_t* areasBegin = (uint8_t*)&areas[1];
    uint8_t sum = 0;
    uint8_t tmp = 0;
    for (auto var : str) sum += var;
    for (auto var : str) {
        tmp = var ^ sum;
        sum -= tmp;
        *(areasBegin + tmp) = 0xCC;
        // save the coordinates (row, column)
        pos[countCC][0] = tmp / 16;
        pos[countCC][1] = tmp % 16;
        countCC++;
    }

    // place DD
    sum ^= tmp;
    for (; *(areasBegin + (tmp -= sum)) == 0xCC; sum--);
    *(areasBegin + tmp) = 0xDD;
    pos[countCC][0] = tmp / 16;
    pos[countCC][1] = tmp % 16;

    // place 99 (the snake's head)
    tmp = sum;
    for (; *(areasBegin + tmp) == 0xCC || *(areasBegin + tmp) == 0xDD; tmp--);
    *(areasBegin + tmp) = 0x99;
    snake[0][0] = tmp / 16;
    snake[0][1] = tmp % 16;
    countCC++;   // DD is the last target to visit
}

int main()
{
    GenerateAreas("selph");

    // generate the serial: with a short name there is no need to worry about biting yourself
    uint8_t x = snake[0][0];
    uint8_t y = snake[0][1];
    for (int i = 0; i < countCC; i++) {
        uint8_t xCC = pos[i][0];
        uint8_t yCC = pos[i][1];
        // columns first: 3 = right, 2 = left
        if (yCC - y >= 0) for (int j = 0; j < yCC - y; j++) cout << "3";
        else for (int j = 0; j < y - yCC; j++) cout << "2";

        // then rows: 0 = down, 1 = up
        if (xCC - x >= 0) for (int j = 0; j < xCC - x; j++) cout << "0";
        else for (int j = 0; j < x - xCC; j++) cout << "1";

        x = xCC;
        y = yCC;
    }
}
```

Result:

selph
33333333333333311222222200000031111333111111222200000000000
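The check side of the game, as an added example (not the crackme's code and not the author's keygen): build_map reproduces the map construction described above, and check_serial replays a serial under the movement rules from the analysis, so the keygen output for selph can be verified offline. Upper-case letters are not modelled, and leaving the 256-cell field is treated as failure (assumption standing in for the FF fence rows).

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Cell values the crackme writes into its 16x16 playfield.
enum : uint8_t { EMPTY = 0x00, FOOD = 0xCC, GOAL = 0xDD, SNAKE = 0x99 };

// Re-implementation of the 2nd call: scatter CC from Name, place DD, place 99.
// Returns the head index and fills map and the CC count.
static int build_map(const std::string& name, uint8_t map[256], int& food) {
    memset(map, EMPTY, 256);
    uint8_t sum = 0, tmp = 0;
    for (char c : name) sum += (uint8_t)c;
    food = 0;
    for (char c : name) {                       // CC positions
        tmp = (uint8_t)c ^ sum;
        sum -= tmp;
        if (map[tmp] == EMPTY) { map[tmp] = FOOD; food++; }
    }
    sum ^= tmp;                                 // DD: first non-CC cell found
    for (tmp -= sum; map[tmp] == FOOD; sum--, tmp -= sum) { }
    map[tmp] = GOAL;
    for (tmp = sum; map[tmp] != EMPTY; tmp--) { }   // 99: step back to a free cell
    map[tmp] = SNAKE;
    return tmp;
}

// Re-implementation of the 3rd call: replay Serial as snake moves. A digit's
// low two bits pick the direction (00 down, 01 up, 10 left, 11 right); if its
// high two bits are non-zero they are walked afterwards (9 = 1001: up, left).
// Leaving the field or hitting the body (99) fails; DD wins only with no CC left.
static bool check_serial(const std::string& name, const std::string& serial) {
    uint8_t map[256];
    int food;
    std::vector<int> body{ build_map(name, map, food) };   // body[0] is the head
    static const int step[4] = { +16, -16, -1, +1 };
    for (char c : serial) {
        if (c < '0' || c > '9') return false;               // letters not modelled
        int d = c - '0';
        for (int dir = d & 3, hi = d >> 2;; dir = hi, hi = 0) {
            int next = body[0] + step[dir];
            if (next < 0 || next > 255 || map[next] == SNAKE) return false;
            if (map[next] == GOAL) return food == 0;
            bool grow = (map[next] == FOOD);
            if (grow) food--;
            body.insert(body.begin(), next);                // head advances
            map[next] = SNAKE;
            if (!grow) { map[body.back()] = EMPTY; body.pop_back(); }  // tail follows
            if (hi == 0) break;
        }
    }
    return false;                                           // moves ran out before DD
}
```

Note that on the selph map the first run of "3" moves passes over and eats a CC that the keygen only targets later, which is harmless here because the check only requires all CC to be gone when DD is reached.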


Summary

An entertaining verification scheme: a Snake map is generated from the username, the password drives the movement, and eating all the CC beans and reaching the DD endpoint counts as a pass. A very fun reversing experience.
