第一部分：通过 DialogBoxParamA 函数调用 callback 函数（DialogFunc），在 callback 内检测消息类型并执行相应的窗口事件处理。
; Four-argument stdcall routine (retn 10h) that creates the main dialog and blocks until it closes.
; The dialog procedure DialogFunc receives every message for the "MainWindow" template.
CODE:0040102C enter 0, 0
CODE:00401030 mov eax, offset DialogFunc ; dialog procedure, see DialogFunc below
CODE:00401035 push 0 ; dwInitParam
CODE:00401037 push eax ; lpDialogFunc
CODE:00401038 push 0 ; hWndParent
CODE:0040103A push offset TemplateName ; "MainWindow"
CODE:0040103F push [ebp+hInstance] ; hInstance
CODE:00401042 call DialogBoxParamA ; modal dialog: returns only after the dialog procedure ends it
CODE:00401047 leave
CODE:00401048 retn 10h ; stdcall: pops the four dword arguments
; BOOL __stdcall DialogFunc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Locals: a PAINTSTRUCT and an hdc for the WM_PAINT path (frame size 54h).
; Only the message dispatch prefix is shown; the body continues beyond this excerpt.
CODE:004010E8 Paint = tagPAINTSTRUCT ptr -44h
CODE:004010E8 hdc = dword ptr -4
CODE:004010E8 hDlg = dword ptr 8
CODE:004010E8 arg_4 = dword ptr 0Ch ; uMsg
CODE:004010E8 arg_8 = dword ptr 10h ; wParam
CODE:004010E8
CODE:004010E8 enter 54h, 0
CODE:004010EC mov eax, [ebp+arg_4] ; uMsg
CODE:004010EF cmp eax, 136h ; WM_CTLCOLORDLG
CODE:004010F4 jz loc_40129A
CODE:004010FA cmp eax, 0Fh ; WM_PAINT
CODE:004010FD jz loc_4012AA
CODE:00401103 cmp eax, 2 ; WM_DESTROY
CODE:00401106 jnz short loc_401111 ; not WM_DESTROY: go on to test for WM_INITDIALOG
CODE:00401108 push 0 ; nExitCode
CODE:0040110A call PostQuitMessage
CODE:0040110F xor eax, eax ; eax = 0, so the WM_INITDIALOG compare below fails and control reaches loc_4011CA
CODE:00401111
CODE:00401111 loc_401111: ; CODE XREF: DialogFunc+1E↑j
CODE:00401111 cmp eax, 110h ; WM_INITDIALOG
CODE:00401116 jnz loc_4011CA ; not WM_INITDIALOG: remaining messages are handled at loc_4011CA (outside this excerpt)
CODE:0040111C push 73h ; lpIconName (icon resource id 73h)
CODE:0040111E push ds:hInstance ; hInstance
CODE:00401124 call LoadIconA
CODE:00401129 mov ds:lParam, eax ; keep the icon handle in a global (IDA auto-named it lParam)
.
.
.
第二部分：Check 按钮的点击事件，先检测输入的字符串长度是否为 8，然后再调用注册码有效性检测函数。
; Fragment of the Check-button handler inside DialogFunc (starts and ends outside this excerpt).
ODE:004011ED push 9 ; cchMax - room for 8 characters plus the terminating NUL
CODE:004011EF push offset dword_402121 ; lpString - input buffer; dword_402121 / dword_402125 are the two 4-byte halves read by sub_40104B
CODE:004011F4 push 69h ; nIDDlgItem - the serial input control
CODE:004011F6 push [ebp+hDlg] ; hDlg
CODE:004011F9 call GetDlgItemTextA
CODE:004011FE cmp eax, 8 ; the entered string must be exactly 8 characters (return value is the count copied, excluding the NUL)
CODE:00401201 jz short loc_401227
.
.
.
; Reached only after the length check passed; the surrounding handler continues outside this excerpt.
CODE:00401227 loc_401227: ; CODE XREF: DialogFunc+119↑j
CODE:00401227 push [ebp+hDlg] ; hWnd
CODE:0040122A call sub_40104B ; serial validation routine; returns eax = 1 when both halves match
CODE:0040122F cmp eax, 1
CODE:00401232 jnz short loc_40124C ; failure path (outside this excerpt)
第三部分：注册码有效性判断，依次判断前四位和后四位经过运算后是否与指定的值相等。
; int __stdcall sub_40104B(HWND hWnd) - serial check.
; Returns eax = 1 when both 4-byte halves of the input (dword_402121 = characters 1-4,
; dword_402125 = characters 5-8, each read as a little-endian dword) hash to their expected
; constants. The failure path loc_4010D5 lies beyond this excerpt. Each half uses the same loop:
;     eax = seed; for (ecx = half; ecx != 0; --ecx) { eax = rol(eax, 6); ah ^= al; al += (byte)ecx; }
; so the iteration count equals the numeric value of the half (hundreds of millions for printable ASCII).
; esi is callee-saved in the Win32 ABI but is written below without being preserved.
CODE:0040104B enter 0, 0
CODE:0040104F push offset String ; "Duelist's Crackme #6 - 0%"
CODE:00401054 push [ebp+hWnd] ; hWnd
CODE:00401057 call SetWindowTextA ; progress is reported in the title bar
CODE:0040105C mov eax, ds:dword_402121 ; characters 1-4 as a little-endian dword
CODE:00401061 mov ecx, 2
CODE:00401066 cdq ; sign-extends eax into edx ...
CODE:00401067 div ecx ; ... but div is unsigned: if bit 31 is set (4th character >= 80h) edx:eax / 2 overflows and raises #DE
CODE:00401069 mov esi, eax ; quotient is not read anywhere in this excerpt (dead store)
CODE:0040106B mov eax, 36455544h ; hash seed for the first half
CODE:00401070 mov ecx, ds:dword_402121 ; loop counter = characters 1-4
CODE:00401076
CODE:00401076 loc_401076: ; CODE XREF: sub_40104B+33↓j
CODE:00401076 rol eax, 6 ; rotate left by 6 bits
CODE:00401079 xor ah, al ; ah = ah ^ al
CODE:0040107B add al, cl ; al += low byte of the counter
CODE:0040107D dec ecx ; ecx--
CODE:0040107E jnz short loc_401076
CODE:00401080 cmp eax, 4071885h ; expected hash of the first half
CODE:00401085 jnz short loc_4010D5 ; mismatch -> failure path (outside this excerpt)
CODE:00401087 push offset aDuelistSCrackm_2 ; "Duelist's Crackme #6 - 50%"
CODE:0040108C push [ebp+hWnd] ; hWnd
CODE:0040108F call SetWindowTextA ; first half accepted
CODE:00401094 mov eax, ds:dword_402125 ; characters 5-8 as a little-endian dword
CODE:00401099 mov ecx, 2
CODE:0040109E cdq ; same cdq / unsigned div mismatch as above: 8th character >= 80h raises #DE
CODE:0040109F div ecx
CODE:004010A1 mov esi, eax ; unused quotient
CODE:004010A3 mov eax, 43534952h ; hash seed for the second half
CODE:004010A8 mov ecx, ds:dword_402125 ; loop counter = characters 5-8
CODE:004010AE
CODE:004010AE loc_4010AE: ; CODE XREF: sub_40104B+6B↓j
CODE:004010AE rol eax, 6 ; same algorithm as the first half
CODE:004010B1 xor ah, al
CODE:004010B3 add al, cl
CODE:004010B5 dec ecx
CODE:004010B6 jnz short loc_4010AE
CODE:004010B8 cmp eax, 4B00D127h ; expected hash of the second half
CODE:004010BD jnz short loc_4010D5 ; mismatch -> failure path (outside this excerpt)
CODE:004010BF push offset aDuelistSCrackm ; "Duelist's Crackme #6 - 100%"
CODE:004010C4 push [ebp+hWnd] ; hWnd
CODE:004010C7 call SetWindowTextA
CODE:004010CC mov eax, 1 ; success
CODE:004010D1 leave
CODE:004010D2 retn 4 ; stdcall: pops hWnd
注册码计算代码（C++）：
#include <iostream>
#include <string>
#include <thread>
using namespace std;
void getRegistCode(int src, int dst, string* result);
// Entry point: recover the two 4-character halves of the serial in parallel and print them joined.
// The constants are the (expected hash, seed) pairs taken from sub_40104B: the first half must
// hash to 0x4071885 starting from 0x36455544, the second to 0x4b00d127 starting from 0x43534952.
int main()
{
    std::string firstHalf;
    std::string secondHalf;

    std::thread firstWorker(getRegistCode, 0x4071885, 0x36455544, &firstHalf);
    std::thread secondWorker(getRegistCode, 0x4b00d127, 0x43534952, &secondHalf);

    firstWorker.join();
    secondWorker.join();

    std::cout << firstHalf + secondHalf << std::endl;
    return 0;
}
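// Brute-force inverse of the crackme's per-half hash.
//
// The binary computes, for a 4-byte half stored as a little-endian dword `n`:
//     eax = dst; for (ecx = n; ecx != 0; --ecx) { eax = rol(eax, 6); ah ^= al; al += (uint8_t)ecx; }
// and compares eax with `src`. This routine runs that loop backwards: starting from `src`, it
// undoes the step for ecx = 1, 2, 3, ... until the state equals the seed `dst`; the number of
// undone steps is then a candidate `n`. A candidate is accepted when its non-zero bytes are all
// printable ASCII (0x20..0x7E); otherwise the search continues.
//
// src    - the expected hash the binary compares against (e.g. 0x4071885)
// dst    - the seed the binary starts from (e.g. 0x36455544)
// result - receives the candidate's bytes, low byte first (the order they were typed); it is
//          cleared on every match, so a rejected candidate leaves a partial string until the next
//
// Note: a zero byte is skipped rather than rejected, so a candidate with fewer than four printable
// bytes could be reported even though the binary requires an 8-character string; this matches the
// original acceptance rule and is kept for compatibility.
// Note: does not return if no acceptable candidate exists in the 32-bit counter range.
void getRegistCode(int src, int dst, std::string* result)
{
    // Unsigned state: the rotation and the counter wrap modulo 2^32 with well-defined semantics
    // (the original used int, where the left shift and the counter increment could overflow).
    const uint32_t seed = static_cast<uint32_t>(dst);
    uint32_t state = static_cast<uint32_t>(src);
    uint32_t counter = 0;

    for (;;)
    {
        ++counter;

        // Undo one forward iteration for this counter value, in reverse order of the original:
        //   forward: rol 6; ah ^= al; al += cl   =>   undo: al -= cl; ah ^= al; ror 6
        const uint32_t al = (state - counter) & 0xFFu;       // al -= cl (only the low byte matters)
        const uint32_t ah = ((state >> 8) ^ al) & 0xFFu;     // ah ^= al (xor is its own inverse)
        state = (state & 0xFFFF0000u) | (ah << 8) | al;
        state = (state << 26) | (state >> 6);                // ror 6, the inverse of rol 6

        if (state != seed)
            continue;

        // Candidate found: its bytes, low first, are the characters that were typed.
        result->clear();
        int i = 0;
        for (; i < 4; ++i)
        {
            const uint32_t byte = (counter >> (8 * i)) & 0xFFu;
            if (byte == 0)
                continue;                                    // zero bytes are skipped (see note above)
            if (byte < 0x20 || byte > 0x7E)
                break;                                       // not printable ASCII: reject this candidate
            result->append(1, static_cast<char>(byte));
        }
        if (i == 4)
            break;                                           // every byte acceptable: done
    }
}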
Output: isd4ever