;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;一个简单的CrackMe的破解
;文件名: KeGen.asm
;作者: fire
;时间: 2008.6.1
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;Assembler configuration: MASM, 32-bit Win32, Intel syntax.
.386 ;target the 80386+ 32-bit instruction set
.model flat, stdcall ;flat 32-bit memory model; default calling convention stdcall (callee pops the arguments)
option casemap :none ;symbol names are case-sensitive (Win32 API names must match exactly)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Equ 等值定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_MAIN equ 1000h ;icon resource id
DLG_MAIN equ 1 ;dialog template resource id
IDC_BTN_KEYGEN equ 2 ;"generate" button control id
IDC_EDIT_UN equ 3 ;user-name edit control id
IDC_EDIT_SN equ 4 ;serial-number edit control id
UN_SIZE equ 100 ;size of the UserName buffer; GetDlgItemText copies at most UN_SIZE-1 characters plus the terminator
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
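.data?
hInstance dd ? ;module handle, set at start
UserName db UN_SIZE dup(?) ;user name read from IDC_EDIT_UN (at most UN_SIZE-1 characters + NUL)
;Serial-number buffer. _Func2 appends one "%X" field per user-name character
;after the "tsrh-%d-" prefix; a field is 2 hex digits for small values but 8
;digits once the intermediate value goes negative, so the worst case is
;10 + 8*(UN_SIZE-1) + 1 bytes. The previous UN_SIZE-byte buffer was overrun
;(into UN_Length and whatever follows) already at roughly 45 characters
;with 2-digit fields. Sized for the worst case instead; every use of the
;buffer goes through "offset SerialNumber", so nothing else depends on it.
SN_SIZE equ UN_SIZE*8+16
SerialNumber db SN_SIZE dup(?) ;serial number under construction (NUL-terminated by wsprintf)
UN_Length dd ? ;user-name length, stored by _Func1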
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 常量段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
cap db '提示',0 ;MessageBox caption ("Tip")
tips db '至少要输入5个字符!',0 ;MessageBox text ("enter at least 5 characters!")
prefix db 'tsrh-%d-',0 ;wsprintf format for the serial prefix; %d = 7D3h + user-name length (see _Func1)
midfix db '%X',0 ;wsprintf format for each per-character field appended by _Func2
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;The _Func1/_Func2/_Func3 routines below were transcribed from the CrackMe's
;disassembly and edited to assemble here. They keep the disassembly's
;register-level conventions: state is handed between them and _GetUserName
;in registers and in the globals UN_Length/SerialNumber, not through a
;stdcall interface, and edi/esi are not preserved (the dialog procedure
;saves them with "uses").
;The serial is a pure function of the user name, so the algorithm can be
;read directly off a trace of the disassembled check.
;-----------------------------------------------------------------------
; _Func1 -- write the serial prefix "tsrh-<7D3h+len>-" into SerialNumber
; Not a stdcall routine: its input arrives in a register.
; In:    eax = user-name length (GetDlgItemText result)
; Out:   UN_Length = eax; SerialNumber = prefix;
;        edi = UN_Length, esi = 1, ecx = lstrlen(SerialNumber)
;        (_Func2 re-derives all three before using them, so nothing after
;        this call depends on them)
; Clobb: eax, ecx, edx, edi, esi, flags (edi/esi are not saved here)
;-----------------------------------------------------------------------
_Func1 proc
MOV UN_Length,EAX ; UN_Length = user-name length
MOV EDI,7D3H ; edi = 2003
ADD EDI,UN_Length ; edi = 2003 + length (2013 for a 10-character name)
PUSH EDI ; wsprintf arg: value for %d
PUSH offset prefix ; wsprintf arg: "tsrh-%d-"
PUSH offset SerialNumber ; wsprintf arg: destination buffer
CALL wsprintf
ADD ESP,0CH ; wsprintf is cdecl: caller pops the 3 dword args
PUSH offset SerialNumber
CALL lstrlen ; eax = length of the prefix just written (stdcall, no cleanup)
MOV EDI,UN_Length ; edi = user-name length
MOV ESI,1H ; esi = 1 (1-based character index)
MOV ECX,EAX ; ecx = prefix length
ret
_Func1 endp
;-----------------------------------------------------------------------
; _Func2 -- append one "%X" field per user-name character to SerialNumber
; For each of the UN_Length characters c (as a zero-extended byte):
;   al = c + 0Ch (8-bit add, carry dropped)
;   edx = al - 11h + al - ecx      (ecx = current serial length)
;   field = al ^ edx, appended at SerialNumber[ecx] with "%X"
; In:    globals UN_Length, UserName, SerialNumber (prefix already written)
; Out:   SerialNumber = prefix + fields; eax = 0
; Clobb: eax, ecx, edx, edi, flags; esi is saved/restored.
;        edx is not re-established after the last wsprintf/lstrlen call,
;        so its value on return is unspecified.
; Note:  because the growing serial length is subtracted, the field value
;        can go negative, and "%X" then emits 8 hex digits; SerialNumber
;        must be sized for 10 + 8*UN_Length + 1 bytes or this loop
;        writes past it.
;-----------------------------------------------------------------------
_Func2 proc
PUSH ESI
PUSH offset SerialNumber
CALL lstrlen ; eax = current serial length (the prefix)
MOV EDI,UN_Length ; edi = characters remaining (loop counter)
MOV ESI,1H ; esi = 1-based index of the next user-name character
MOV ECX,EAX ; ecx = serial length = append offset for the next field
L1:
MOV EAX,offset UserName
MOVZX EAX,BYTE PTR DS:[ESI+EAX-1] ; eax = UserName[esi-1], zero-extended
ADD AL,0CH ; al += 0Ch; upper 24 bits of eax stay zero, so eax == al
MOVZX EDX,AL ; edx = al
SUB EDX,11H ; edx = al - 11h
ADD EDX,EAX ; edx = 2*al - 11h
SUB EDX,ECX ; edx -= serial length so far (may go negative)
XOR EAX,EDX ; eax = al ^ edx: the value to print
PUSH EAX ; wsprintf arg: value for %X
PUSH offset midfix ; wsprintf arg: "%X"
LEA EAX,DWORD PTR DS:[ECX+offset SerialNumber] ; eax = &SerialNumber[ecx] (append position)
PUSH EAX ; wsprintf arg: destination
CALL wsprintf
ADD ESP,0CH ; cdecl: pop the 3 args
PUSH offset SerialNumber
CALL lstrlen
MOV ECX,EAX ; ecx = new serial length
INC ESI ; next character
DEC EDI ; one fewer remaining
JNZ L1 ; loop until all UN_Length characters are consumed
XOR EAX,EAX ; eax = 0
POP ESI
ret
_Func2 endp
;-----------------------------------------------------------------------
; _Func3 -- rewrite SerialNumber[10..24] as up to 15 upper-case letters
; For k = 1..15, stopping early when UserName[k-1] is NUL:
;   v = (UserName[k-1] + 1) ^ SerialNumber[k+11]
;   while v < 41h: v += 8          (signed compares; 41h..5Ah = 'A'..'Z')
;   while v > 5Ah: v -= 3
;   dword SerialNumber[k+9] = v    (the letter followed by three NUL bytes)
; The dword store zeroes SerialNumber[k+12], which is exactly the byte the
; next iteration reads, so the xor operand is 0 for every k >= 2 and only
; the first letter depends on a hex digit produced by _Func2. The trailing
; NULs also terminate the string: the final serial is the prefix plus at
; most 15 letters.
; In:    globals UserName, SerialNumber (as left by _Func2)
; Out:   eax = 0; SerialNumber updated in place
; Clobb: eax, edx, esi, flags; ebx is saved/restored, esi is not
;-----------------------------------------------------------------------
_Func3 proc
PUSH EBX
MOV ESI,1H ; esi = k, 1-based index into UserName
L5:
MOV EAX,offset UserName
MOVZX EAX,BYTE PTR DS:[ESI+EAX-1] ; eax = UserName[k-1]
TEST EAX,EAX ; NUL terminator?
JE L2 ; yes: stop (shorter names yield fewer letters)
INC EAX ; eax = c + 1
MOV EDX,offset SerialNumber
MOVZX EDX,BYTE PTR DS:[ESI+EDX+0BH] ; edx = SerialNumber[k+11] (0 for k >= 2, see header)
XOR EAX,EDX ; v = (c + 1) ^ edx
L3:
CMP EAX,41H ; while v < 'A' (signed compare)
JGE L4
ADD EAX,8H ; v += 8
JMP L3
L4:
CMP EAX,5AH ; while v > 'Z' (signed compare)
JLE L6
SUB EAX,3H ; v -= 3
JMP L4
L6:
ADD ESI,9H ; esi = k + 9
MOV EBX,offset SerialNumber
MOV DWORD PTR DS:[ESI+EBX],EAX ; dword SerialNumber[k+9] = v: the letter, then three NUL bytes
SUB ESI,8H ; esi = k + 1
CMP ESI,10H ; 15 letters written?
JNZ L5 ; no: next character
L2:
XOR EAX,EAX ; eax = 0
POP EBX
ret
_Func3 endp
;-----------------------------------------------------------------------
; _GetUserName(hDlg) -- read the user name from IDC_EDIT_UN and, when it
; has at least 5 characters, build the serial in SerialNumber.
; In:    _hDlg = dialog handle
; Out:   eax = TRUE when SerialNumber holds a serial, FALSE otherwise
;        (a MessageBox is shown in the FALSE case)
; Clobb: ecx, edx, ebx, edi, esi (via _Func1/_Func2/_Func3; there is no
;        "uses" here, the caller _DlgProc saves them)
;-----------------------------------------------------------------------
_GetUserName proc _hDlg
invoke GetDlgItemText,_hDlg,IDC_EDIT_UN,offset UserName,UN_SIZE ; eax = number of characters copied
.if eax >= 5 ; unsigned compare (MASM default for a register operand)
call _Func1 ; eax (the length) is _Func1's input; writes the "tsrh-%d-" prefix
mov eax,68727374H ; constant from the disassembly; bytes 74h 73h 72h 68h spell "tsrh"
add eax,3220H
push eax
xor eax,eax
call _Func2 ; appends the hex fields; returns eax = 0
pop eax
xor eax,edx ; transcribed from the disassembly; this value is never consumed:
mov edx,eax ; _Func3 sets esi = 1 and reloads edx before reading either,
mov esi,eax ; and eax is zeroed again on the next line
xor eax,eax
call _Func3 ; rewrites SerialNumber[10..24] as letters
mov eax,TRUE
.else
invoke MessageBox,_hDlg,offset tips,offset cap,MB_OK ; "enter at least 5 characters!"
mov eax,FALSE
.endif
ret
_GetUserName endp
;-----------------------------------------------------------------------
; _DlgProc(hWnd, wMsg, wParam, lParam) -- dialog procedure for DLG_MAIN
; WM_INITDIALOG: sets the dialog's big icon from ICO_MAIN.
; WM_COMMAND:    on IDC_BTN_KEYGEN, clears IDC_EDIT_SN and then fills it
;                with SerialNumber when _GetUserName succeeds.
; WM_CLOSE:      ends the dialog.
; Returns TRUE for the three messages above (handled), FALSE otherwise.
; ebx/edi/esi are preserved by "uses" because the _Func* routines
; reached through _GetUserName clobber them.
;-----------------------------------------------------------------------
_DlgProc proc uses ebx edi esi hWnd,wMsg,wParam,lParam
        mov     eax,wMsg
        .if eax == WM_INITDIALOG
                invoke  LoadIcon,hInstance,ICO_MAIN
                invoke  SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
        .elseif eax == WM_COMMAND
                movzx   eax,word ptr wParam     ; LOWORD(wParam) = control id
                .if eax == IDC_BTN_KEYGEN
                        invoke  SetDlgItemText,hWnd,IDC_EDIT_SN,NULL
                        invoke  _GetUserName,hWnd
                        .if eax
                                invoke  SetDlgItemText,hWnd,IDC_EDIT_SN,offset SerialNumber
                        .endif
                .endif
        .elseif eax == WM_CLOSE
                invoke  EndDialog,hWnd,NULL
        .else
                xor     eax,eax                 ; FALSE: message not handled
                ret
        .endif
        mov     eax,TRUE
        ret
_DlgProc endp
;-----------------------------------------------------------------------
; start -- program entry: record the module handle, run the modal dialog
; DLG_MAIN with _DlgProc, then exit with code 0.
; Calls are made push/call style (stdcall: arguments pushed right to left).
;-----------------------------------------------------------------------
start:
        push    NULL
        call    GetModuleHandle         ; eax = HINSTANCE of this module
        mov     hInstance,eax
        push    NULL                    ; dwInitParam
        push    offset _DlgProc         ; lpDialogFunc
        push    NULL                    ; hWndParent
        push    DLG_MAIN                ; lpTemplateName
        push    eax                     ; hInstance (still in eax)
        call    DialogBoxParam
        push    NULL                    ; uExitCode = 0
        call    ExitProcess
end start