kingwrcy · August 29, 2015 14:05
diff --git a/cycle crackme b/cycle crackme
 /***
 *[crackme] from http://bbs.pediy.com/showthread.php?t=21532
 *i can not write the keygen,just decompile the code,write the program execute flow.
 ***/

 #include "stdio.h"
 #include "string.h"



 unsigned int savedEdi = 0;
 unsigned int savedEcx = 0;
 unsigned int savedEdx = 0;
 unsigned int esi,edi,tmp,edx,eax,ebx,ecx;

 unsigned int num402182 = 0xfedcba98;

 unsigned int data[100] = {0xff01,0x00401115};
 int arrIndex = 2;
 void fun3(unsigned int);





 int main(int argc, char const *argv[]) {
 	char username[] = {"crackme"};
 	//12345678901234567
 	char password[] = {"09876543210987654"};
 	int len = strlen(username);
 	int lenPassword = strlen(password);
 	int j=0;
 	for (int i = 0 ; j < 0x10 - len; j++) {
 		if (j==len) i = 0 ;
 		*(username+len+j) = *(username+i);
 		i++;
 	}
 	////printf("%s\n", username);
    
 	int k = 0;
 	while(password[k]!=0 && password[k] <= 0x7e && password[k] >= 0x30 ){
 		k++;
 	}
 	////printf("%d\n", k);
 	if(k != 0x11){
 		return 0;
 	}
    
 	eax = (*((int*)username) ^ *((int*)password)) & 0x7f3f1f0f;
 	ebx = (*((int*)(username+4)) ^ *((int*)(password+4))) & 0x7030100;
 	
 	// ////printf("eax:%x\n", eax);
    
 	// ////printf("ebx:%x\n",ebx);
    
 	////printf("===========================================\n");
    
 	
 	while(ecx!=0x8){
 	    esi = (eax << ecx) & 0x80808080;
 		edi = (ebx << ecx) & 0x80808080;
 		edx = esi;
 		////printf("esi:%x,edi:%x,edx:%x\n",esi,edi,edx );
        
 		edx = (edx & (~0xff00)) | (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
 		////printf("edx高8位右移7位:%x\n",edx );
        
 		edx = (edx & (~0xffff)) | (((edx & 0xffff) << 7) & 0xffff);  //低16位左移7位
 		////printf("edx低16位左移7位:%x\n",edx );
        
 		edx = edx >> 0x8;
 		////printf("edx右移8位:%x\n",edx );
        
 		edx = (edx & (~0xff00)) | (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
 		////printf("edx高8位右移7位:%x\n",edx );
        
 		edx = (edx & (~0xffff)) | (((edx & 0xffff) << 7) & 0xffff);  //低16位左移7位
 		////printf("edx低16位左移7位:%x\n",edx );
        
 		edx = edx >> 0x8;
 		////printf("edx右移8位:%x\n",edx );
        
 		edx = (edx & (~0xff00)) | (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
 		////printf("edx高8位右移7位:%x\n",edx );
        
 		edx = (edx & (~0xffff)) | (((edx & 0xffff) >> 1) & 0xffff);  //低16位右移1位
 		////printf("edx低16位右移1位:%x\n",edx );
        
 		esi = edx;
 		edx = edi;
 		////printf("====>esi:%x,edx:%x\n",esi,edx );
        
 		edx = (edx & (~0xff00)) | (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
 		////printf("edx高8位右移7位:%x\n",edx );
        
 		edx = (edx & (~0xffff)) | (((edx & 0xffff) << 7) & 0xffff);  //低16位左移7位
 		////printf("edx低16位左移7位:%x\n",edx );
        
 		edx = edx >> 0x8;
 		////printf("edx右移8位:%x\n",edx );
        
 		edx = (edx & (~0xff00)) | (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
 		////printf("edx高8位右移7位:%x\n",edx );
        
 		edx = (edx & (~0xffff)) | (((edx & 0xffff) << 7) & 0xffff);  //低16位左移7位
 		////printf("edx低16位左移7位:%x\n",edx );
        
 		edx = edx >> 0x8;
 		////printf("edx右移8位:%x\n",edx );
        
 		edx = (edx & (~0xff00)) | (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
 		////printf("edx高8位右移7位:%x\n",edx );
        
 		edx = (edx & (~0xffff)) | (((edx & 0xffff) >> 5) & 0xffff);  //低16位右移5位
 		////printf("edx低16位右移5位:%x\n",edx );
        
 		edi = edx;
 		////printf("edi:%x\n",edi );
        
 		edi = edi ^ esi;
 		////printf("edi xor esi:%x\n",edi );
        
 		edx = edi;
 		edx = edx & 0xFF;
 		////printf("edx and 0xff:%x\n",edx );
        
        
 		savedEcx = ecx;
 		savedEdx = edx;
 		////printf("saved ecx:%x,saved edx:%x\n",ecx,edx );
        
 		edx = 0x8;
 		int tmp;
 		tmp = eax;
 		eax = ecx;
 		ecx = tmp;
        
 		if(eax<=0x3){
 			eax = (eax & 0xffff0000) + ((eax & 0xff) * (edx & 0xff)); //mul dl
 			edx = savedEdx;
 			eax = eax +0x8;
 			////printf("before:eax:%x,ecx:%x\n",eax,ecx );
 			tmp = eax;
 			eax = ecx;
 			ecx = tmp;
 			////printf("after:eax:%x,ecx:%x\n",eax,ecx );
 			/**
 			 * 循环左移n (a>>(N-n))|(a<<n)
             　　循环右移n (a<<(N-n))|(a>>n)
 			 */
 			eax = (eax >> (32-ecx)) | (eax << ecx);//eax循环左移ecx位
 			////printf("eax循环左移%d位:eax:%x\n",ecx,eax );
 			
 			////printf("eax xor edx:%x xor %x:%x\n",eax,edx,eax ^ edx );
 			eax = eax ^ edx;
            
 			eax = (eax << (32-ecx)) | (eax >> ecx);//eax循环右移ecx位
 			////printf("eax循环右移%d位:eax:%x\n",ecx,eax );
 		}else{
 			eax = eax - 0x3;
 			eax = (eax & 0xffff0000) + ((eax & 0xff) * (edx & 0xff)); //mul edx低8位
 			edx = savedEdx;
            
 			tmp = eax;
 			eax = ecx;
 			ecx = tmp;
            
 			ebx = (ebx >> (32-ecx)) | (ebx << ecx);//eax循环左移ecx位
 			ebx = ebx ^ edx;
 			ebx = (ebx << (32-ecx)) | (ebx >> ecx);//eax循环右移ecx位
 		}
        
 		ecx = savedEcx;
 		ecx++;
 		////printf("eax:%x\n",eax );
 		////printf("**********************************\n");
 	}
    
 	// printf("eax:%x,ebx:%x,ecx:%x,esi:%x,edi:%x,edx:%x\n",eax,ebx,ecx,esi,edi,edx );
    
 	fun3(0xff01);
 	printf("===>eax:%x,ebx:%x,ecx:%x,esi:%x,edi:%x,edx:%x,num402182:%x\n",eax,ebx,ecx,esi,edi,edx,num402182 );
    // printf("i:%d\n",i);
    // 
    if(ecx==0x01){
 		eax = *((int*)(username+8));
 		ebx = *((int*)(username+12));
 		eax = eax ^ ebx;
 		eax = eax ^ num402182;
 		eax = eax | 0x40404040;
 		eax = eax & 0x77777777;
 		eax = eax ^ *((int*)(password+8));
 		eax = eax ^ *((int*)(password+12));
 		if(eax == 0){
 			print "success"
 		}
 	}
 	return 0;
 }

 void fun3 (unsigned int a){
    edi = data[--arrIndex];
 	ecx = data[--arrIndex];
    data[arrIndex++] = edi;
    // printf("arrIndex:%d,ecx:%x,edi:%x,num402182:%x\n", arrIndex,ecx,edi,num402182);
    //savedEdi = edi;
 	//printf("ecx:%x\n", ecx);
    
 	if(ecx > 0x80){
        data[arrIndex++] = ecx;
 		//savedEcx = ecx;
 		esi = ecx;
 		ecx = ecx & 0xff;
 		edi = eax;
 		if(ecx > 0x8){
 			edi = ebx;
 			ecx = ecx >> 0x4;
 		}
        
 		do{
 			edi = (edi >> (32-8)) | (edi << 0x8);
 			ecx = ecx >> 1;
 		}
 		while( ecx !=0 );
        
 		esi = esi >> 0x8;
 		edi = edi & esi;
 		edi = edi & 0xff;
        
 		// //printf("esi:%x,edi:%x\n",esi,edi );
        // printf("**arrIndex b:%d\n", arrIndex);
 		ecx = data[--arrIndex];
 		// printf("**arrIndex b:%d,ecx:%x\n", arrIndex,ecx);
 		esi = 0x80;
 		do{
 			
 			//
 			if((esi & edi) !=0){
 				edi =edi ^ esi;
 //				savedEdi = edi;
                data[arrIndex++] = edi;
 				ecx = ecx & 0xff00;
 				//printf("===ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );
                
 				tmp = esi;
 				esi = ecx;
 				ecx = tmp;
                
 				
                
 				//xor ch,cl
 				ecx = (ecx & 0xffff00ff) | ((((  (ecx & 0xff00)  >>8  ) ^ (ecx & 0x00ff))) << 8);
 				esi = esi ^ ecx;
 				// //printf("---ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );
                
 				tmp = esi;
 				esi = ecx;
 				ecx = tmp;
                
 				data[arrIndex++] = ecx;
 				//inc dword ptr[0x402182]
 				num402182=num402182+1;
                // printf("===>eax:%x,ebx:%x,ecx:%x,esi:%x,edi:%x,edx:%x,num402182:%x,arrIndex:%d\n",eax,ebx,ecx,esi,edi,edx,num402182,arrIndex );
                data[arrIndex++] = 0x004011E9;
 				fun3(ecx);
                ////printf("---ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );
 				edi = data[--arrIndex];
                
 				esi = 0x80;
                
 			}else{
 				esi = esi >> 1;
 				////printf("esi:%x,edi:%x\n",esi,edi );
 			}
 			//if(i==8)return;
 			
 		}while(esi != 0);
 	}
 	arrIndex--;
    //////printf("---ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );
 }

 //0040154B
	/***
	*[crackme] from http://bbs.pediy.com/showthread.php?t=21532
	*i can not write the keygen,just decompile the code,write the program execute flow.
	***/

	#include "stdio.h"
	#include "string.h"



	unsigned int savedEdi = 0;
	unsigned int savedEcx = 0;
	unsigned int savedEdx = 0;
	unsigned int esi,edi,tmp,edx,eax,ebx,ecx;

	unsigned int num402182 = 0xfedcba98;

	unsigned int data[100] = {0xff01,0x00401115};
	int arrIndex = 2;
	void fun3(unsigned int);





	int main(int argc, char const *argv[]) {
	char username[] = {"crackme"};
	//12345678901234567
	char password[] = {"09876543210987654"};
	int len = strlen(username);
	int lenPassword = strlen(password);
	int j=0;
	for (int i = 0 ; j < 0x10 - len; j++) {
	if (j==len) i = 0 ;
	(username+len+j) = (username+i);
	i++;
	}
	////printf("%s\n", username);

	int k = 0;
	while(password[k]!=0 && password[k] <= 0x7e && password[k] >= 0x30 ){
	k++;
	}
	////printf("%d\n", k);
	if(k != 0x11){
	return 0;
	}

	eax = (((int)username) ^ ((int)password)) & 0x7f3f1f0f;
	ebx = (((int)(username+4)) ^ ((int)(password+4))) & 0x7030100;

	// ////printf("eax:%x\n", eax);

	// ////printf("ebx:%x\n",ebx);

	////printf("===========================================\n");


	while(ecx!=0x8){
	esi = (eax << ecx) & 0x80808080;
	edi = (ebx << ecx) & 0x80808080;
	edx = esi;
	////printf("esi:%x,edi:%x,edx:%x\n",esi,edi,edx );

	edx = (edx & (~0xff00)) \| (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
	////printf("edx高8位右移7位:%x\n",edx );

	edx = (edx & (~0xffff)) \| (((edx & 0xffff) << 7) & 0xffff); //低16位左移7位
	////printf("edx低16位左移7位:%x\n",edx );

	edx = edx >> 0x8;
	////printf("edx右移8位:%x\n",edx );

	edx = (edx & (~0xff00)) \| (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
	////printf("edx高8位右移7位:%x\n",edx );

	edx = (edx & (~0xffff)) \| (((edx & 0xffff) << 7) & 0xffff); //低16位左移7位
	////printf("edx低16位左移7位:%x\n",edx );

	edx = edx >> 0x8;
	////printf("edx右移8位:%x\n",edx );

	edx = (edx & (~0xff00)) \| (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
	////printf("edx高8位右移7位:%x\n",edx );

	edx = (edx & (~0xffff)) \| (((edx & 0xffff) >> 1) & 0xffff); //低16位右移1位
	////printf("edx低16位右移1位:%x\n",edx );

	esi = edx;
	edx = edi;
	////printf("====>esi:%x,edx:%x\n",esi,edx );

	edx = (edx & (~0xff00)) \| (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
	////printf("edx高8位右移7位:%x\n",edx );

	edx = (edx & (~0xffff)) \| (((edx & 0xffff) << 7) & 0xffff); //低16位左移7位
	////printf("edx低16位左移7位:%x\n",edx );

	edx = edx >> 0x8;
	////printf("edx右移8位:%x\n",edx );

	edx = (edx & (~0xff00)) \| (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
	////printf("edx高8位右移7位:%x\n",edx );

	edx = (edx & (~0xffff)) \| (((edx & 0xffff) << 7) & 0xffff); //低16位左移7位
	////printf("edx低16位左移7位:%x\n",edx );

	edx = edx >> 0x8;
	////printf("edx右移8位:%x\n",edx );

	edx = (edx & (~0xff00)) \| (((edx & 0xff00) >> 7) & 0xff00);//高8位右移7位
	////printf("edx高8位右移7位:%x\n",edx );

	edx = (edx & (~0xffff)) \| (((edx & 0xffff) >> 5) & 0xffff); //低16位右移5位
	////printf("edx低16位右移5位:%x\n",edx );

	edi = edx;
	////printf("edi:%x\n",edi );

	edi = edi ^ esi;
	////printf("edi xor esi:%x\n",edi );

	edx = edi;
	edx = edx & 0xFF;
	////printf("edx and 0xff:%x\n",edx );


	savedEcx = ecx;
	savedEdx = edx;
	////printf("saved ecx:%x,saved edx:%x\n",ecx,edx );

	edx = 0x8;
	int tmp;
	tmp = eax;
	eax = ecx;
	ecx = tmp;

	if(eax<=0x3){
	eax = (eax & 0xffff0000) + ((eax & 0xff) * (edx & 0xff)); //mul dl
	edx = savedEdx;
	eax = eax +0x8;
	////printf("before:eax:%x,ecx:%x\n",eax,ecx );
	tmp = eax;
	eax = ecx;
	ecx = tmp;
	////printf("after:eax:%x,ecx:%x\n",eax,ecx );
	/**
	* 循环左移n (a>>(N-n))\|(a<<n)
	循环右移n (a<<(N-n))\|(a>>n)
	*/
	eax = (eax >> (32-ecx)) \| (eax << ecx);//eax循环左移ecx位
	////printf("eax循环左移%d位:eax:%x\n",ecx,eax );

	////printf("eax xor edx:%x xor %x:%x\n",eax,edx,eax ^ edx );
	eax = eax ^ edx;

	eax = (eax << (32-ecx)) \| (eax >> ecx);//eax循环右移ecx位
	////printf("eax循环右移%d位:eax:%x\n",ecx,eax );
	}else{
	eax = eax - 0x3;
	eax = (eax & 0xffff0000) + ((eax & 0xff) * (edx & 0xff)); //mul edx低8位
	edx = savedEdx;

	tmp = eax;
	eax = ecx;
	ecx = tmp;

	ebx = (ebx >> (32-ecx)) \| (ebx << ecx);//eax循环左移ecx位
	ebx = ebx ^ edx;
	ebx = (ebx << (32-ecx)) \| (ebx >> ecx);//eax循环右移ecx位
	}

	ecx = savedEcx;
	ecx++;
	////printf("eax:%x\n",eax );
	////printf("**********************************\n");
	}

	// printf("eax:%x,ebx:%x,ecx:%x,esi:%x,edi:%x,edx:%x\n",eax,ebx,ecx,esi,edi,edx );

	fun3(0xff01);
	printf("===>eax:%x,ebx:%x,ecx:%x,esi:%x,edi:%x,edx:%x,num402182:%x\n",eax,ebx,ecx,esi,edi,edx,num402182 );
	// printf("i:%d\n",i);
	//
	if(ecx==0x01){
	eax = ((int)(username+8));
	ebx = ((int)(username+12));
	eax = eax ^ ebx;
	eax = eax ^ num402182;
	eax = eax \| 0x40404040;
	eax = eax & 0x77777777;
	eax = eax ^ ((int)(password+8));
	eax = eax ^ ((int)(password+12));
	if(eax == 0){
	print "success"
	}
	}
	return 0;
	}

	void fun3 (unsigned int a){
	edi = data[--arrIndex];
	ecx = data[--arrIndex];
	data[arrIndex++] = edi;
	// printf("arrIndex:%d,ecx:%x,edi:%x,num402182:%x\n", arrIndex,ecx,edi,num402182);
	//savedEdi = edi;
	//printf("ecx:%x\n", ecx);

	if(ecx > 0x80){
	data[arrIndex++] = ecx;
	//savedEcx = ecx;
	esi = ecx;
	ecx = ecx & 0xff;
	edi = eax;
	if(ecx > 0x8){
	edi = ebx;
	ecx = ecx >> 0x4;
	}

	do{
	edi = (edi >> (32-8)) \| (edi << 0x8);
	ecx = ecx >> 1;
	}
	while( ecx !=0 );

	esi = esi >> 0x8;
	edi = edi & esi;
	edi = edi & 0xff;

	// //printf("esi:%x,edi:%x\n",esi,edi );
	// printf("**arrIndex b:%d\n", arrIndex);
	ecx = data[--arrIndex];
	// printf("**arrIndex b:%d,ecx:%x\n", arrIndex,ecx);
	esi = 0x80;
	do{

	//
	if((esi & edi) !=0){
	edi =edi ^ esi;
	// savedEdi = edi;
	data[arrIndex++] = edi;
	ecx = ecx & 0xff00;
	//printf("===ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );

	tmp = esi;
	esi = ecx;
	ecx = tmp;



	//xor ch,cl
	ecx = (ecx & 0xffff00ff) \| (((( (ecx & 0xff00) >>8 ) ^ (ecx & 0x00ff))) << 8);
	esi = esi ^ ecx;
	// //printf("---ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );

	tmp = esi;
	esi = ecx;
	ecx = tmp;

	data[arrIndex++] = ecx;
	//inc dword ptr[0x402182]
	num402182=num402182+1;
	// printf("===>eax:%x,ebx:%x,ecx:%x,esi:%x,edi:%x,edx:%x,num402182:%x,arrIndex:%d\n",eax,ebx,ecx,esi,edi,edx,num402182,arrIndex );
	data[arrIndex++] = 0x004011E9;
	fun3(ecx);
	////printf("---ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );
	edi = data[--arrIndex];

	esi = 0x80;

	}else{
	esi = esi >> 1;
	////printf("esi:%x,edi:%x\n",esi,edi );
	}
	//if(i==8)return;

	}while(esi != 0);
	}
	arrIndex--;
	//////printf("---ecx:%x,esi:%x,edi:%x\n",ecx,esi,edi );
	}

	//0040154B