TraceMe注册机编写

00401340  /$  55            push ebp                                             ; entry: arg1=[esp+4], arg2=[esp+8], arg3=[esp+0xC] before this push
00401341  |.  8B6C24 0C     mov ebp,dword ptr ss:[esp+0xC]                       ; ebp = arg2: a byte buffer, read in the loop, later overwritten by wsprintfA
00401345  |.  56            push esi
00401346  |.  57            push edi
00401347  |.  8B7C24 18     mov edi,dword ptr ss:[esp+0x18]                      ; edi = arg3: upper bound of the loop index (presumably the buffer length)
0040134B  |.  B9 03000000   mov ecx,0x3                                          ; ecx = byte index into the arg2 buffer, starts at 3
00401350  |.  33F6          xor esi,esi                                          ; esi = running sum
00401352  |.  33C0          xor eax,eax                                          ; eax = index into the byte table at 0x405030
00401354  |.  3BF9          cmp edi,ecx
00401356  |.  7E 21         jle short TraceMe.00401379                           ; arg3 <= 3: loop skipped, sum stays 0
00401358  |.  53            push ebx
00401359  |>  83F8 07       /cmp eax,0x7                                         ; loop head
0040135C  |.  7E 02         |jle short TraceMe.00401360
0040135E  |.  33C0          |xor eax,eax                                         ; table index above 7 wraps back to 0 (period 8)
00401360  |>  33D2          |xor edx,edx                                         ; clear high bits: the dl/bl loads below are unsigned bytes
00401362  |.  33DB          |xor ebx,ebx
00401364  |.  8A1429        |mov dl,byte ptr ds:[ecx+ebp]                        ; dl = arg2[ecx]
00401367  |.  8A98 30504000 |mov bl,byte ptr ds:[eax+0x405030]                   ; bl = table[eax]
0040136D  |.  0FAFD3        |imul edx,ebx                                        ; edx = byte * table entry
00401370  |.  03F2          |add esi,edx                                         ; sum += edx (32-bit, wraps silently)
00401372  |.  41            |inc ecx
00401373  |.  40            |inc eax
00401374  |.  3BCF          |cmp ecx,edi
00401376  |.^ 7C E1         \jl short TraceMe.00401359                           ; while ecx < arg3
00401378  |.  5B            pop ebx
00401379  |>  56            push esi                                             ; /<%ld> = 0x0  -- the sum, formatted as a signed 32-bit decimal
0040137A  |.  68 78504000   push TraceMe.00405078                                ; |Format = "%ld"
0040137F  |.  55            push ebp                                             ; |s = 0019F6B8  -- destination is the arg2 buffer itself; no size bound is passed
00401380  |.  FF15 9C404000 call dword ptr ds:[<&USER32.wsprintfA>]              ; \wsprintfA
00401386  |.  8B4424 1C     mov eax,dword ptr ss:[esp+0x1C]                      ; eax = arg1 (three pushed args + three saved regs sit above it)
0040138A  |.  83C4 0C       add esp,0xC                                          ; cdecl: caller removes wsprintfA's 3 arguments
0040138D  |.  55            push ebp                                             ; /String2 = "User123456789"  -- now holds the formatted sum
0040138E  |.  50            push eax                                             ; |String1 = NULL  -- arg1
0040138F  |.  FF15 04404000 call dword ptr ds:[<&KERNEL32.lstrcmpA>]             ; \lstrcmpA  -- arg1 vs. formatted sum
00401395  |.  F7D8          neg eax                                              ; CF = 1 iff lstrcmpA returned non-zero
00401397  |.  1BC0          sbb eax,eax                                          ; eax = 0 on match, -1 otherwise
00401399  |.  5F            pop edi
0040139A  |.  5E            pop esi
0040139B  |.  40            inc eax                                              ; return 1 on match, 0 otherwise
0040139C  |.  5D            pop ebp
0040139D  \.  C3            retn


我们可以看到

00401359  |>  83F8 07       /cmp eax,0x7
0040135C  |.  7E 02         |jle short TraceMe.00401360
0040135E  |.  33C0          |xor eax,eax

eax 与 7 比较，当 jle 不跳转（即 eax 大于 7）时就清空 eax，使字符表索引从头开始循环

00401360  |>  33D2          |xor edx,edx
00401362  |.  33DB          |xor ebx,ebx

清空 edx 和 ebx，为下面按字节取值做准备

00401364  |.  8A1429        |mov dl,byte ptr ds:[ecx+ebp]
00401367  |.  8A98 30504000 |mov bl,byte ptr ds:[eax+0x405030]

dl 取密码中的当前字符，bl 取字符表中对应位置的字节

0040134B  |.  B9 03000000   mov ecx,0x3

因为之前在 0040134B 处已把 ecx 赋值为 3，所以从下标为 3 的字符开始

0040136D  |.  0FAFD3        |imul edx,ebx

将 edx 与 ebx 相乘

00401370  |.  03F2          |add esi,edx

累加到 esi 寄存器中

00401372  |.  41            |inc ecx

字符位置（即循环计数）加一

00401373  |.  40            |inc eax

字符表索引加一

00401374  |.  3BCF          |cmp ecx,edi

比较是否已处理完全部字符。
由此我们可以推断出算法：

#include <iostream>
#include <string>
using namespace std;
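int main()
{
    // The eight multiplier bytes the loop reads from 0x405030 (values as
    // given in the original listing).  The target indexes them with eax and
    // resets eax to 0 once it exceeds 7, so the index has period 8.
    const unsigned char table[8] = { 0x0C,0x0A,0x13,0x09,0x0C,0x0B,0x0A,0x08 };

    std::string user;
    std::cin >> user;

    // Mirrors 00401340: esi starts at 0 and the whole loop is skipped when the
    // length is <= 3 (cmp edi,3 / jle).  Iterating from index 3 up to the
    // length avoids the size_t underflow that `user.length()-3` produced for
    // inputs shorter than 3 characters.
    //
    // Accumulate unsigned: the target zero-extends each byte into edx
    // (xor edx,edx / mov dl), so a char above 0x7F must not become negative,
    // and 32-bit wraparound must not be signed-overflow UB here.
    unsigned int sum = 0;
    for (std::string::size_type i = 3; i < user.length(); ++i) {
        const unsigned char ch = static_cast<unsigned char>(user[i]);
        sum += ch * table[(i - 3) % 8];
    }

    // The target formats esi with "%ld", i.e. prints it as a signed 32-bit value.
    std::cout << static_cast<int>(sum);

    return 0;
}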
