- UID
- 6867
注册时间2006-1-12
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
发表于 2006-8-3 13:38:34
|
显示全部楼层
爆破:
004011FC /74 1D jne short Crackme9.0040121B
改为
004011FC /74 1D je short Crackme9.0040121B
追码:
下断点,项目 0
地址=004010FF
模块=Crackme9
激活=永远
反汇编=call <jmp.&USER32.GetDlgItemTextA>
注释=取得注册框的文本
序列号:A8C562F6/40102F
注册码:789789789
004010FF E8 70010000 call <jmp.&USER32.GetDlgItemTextA> ; 取得注册框的文本
00401104 803D AC304000 0>cmp byte ptr ds:[4030AC],0 ; 注册框的文本是否为空
0040110B 0F84 0A010000 je Crackme9.0040121B ; 是则跳走,不是则向下继续
00401111 68 18304000 push Crackme9.00403018
00401116 68 AC304000 push Crackme9.004030AC
0040111B E8 A2010000 call <jmp.&KERNEL32.lstrcmpA> ; 字符比较
00401120 85C0 test eax,eax ; 测试eax
00401122 0F84 F3000000 je Crackme9.0040121B ; 相等则跳
00401128 68 FA000000 push 0FA ;
0040112D 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA]
00401133 50 push eax ; eax=0012FA12
00401134 E8 83010000 call <jmp.&KERNEL32.RtlZeroMemory>
00401139 C785 06FFFFFF F>mov dword ptr ss:[ebp-FA],0FA
00401143 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA]
00401149 50 push eax ; eax=0012FA12
0040114A 8D85 0AFFFFFF lea eax,dword ptr ss:[ebp-F6]
00401150 50 push eax
00401151 E8 48010000 call <jmp.&KERNEL32.GetComputerNameA>
00401156 A1 58304000 mov eax,dword ptr ds:[403058] ; 序列号前8位送入eax=A8C562F6
0040115B 3185 0AFFFFFF xor dword ptr ss:[ebp-F6],eax
00401161 3185 0EFFFFFF xor dword ptr ss:[ebp-F2],eax
00401167 8B8D 06FFFFFF mov ecx,dword ptr ss:[ebp-FA] ; ecx=7c93056d
0040116D 8B85 0AFFFFFF mov eax,dword ptr ss:[ebp-F6] ; eax=A8C562F6
00401173 33D2 xor edx,edx
00401175 F7E1 mul ecx
00401177 0185 0AFFFFFF add dword ptr ss:[ebp-F6],eax ; eax=9d875bc12
0040117D 8395 0EFFFFFF 0>adc dword ptr ss:[ebp-F2],0 ; 堆栈 ss:[0012FA1A]=EBF027C7
00401184 FFB5 0EFFFFFF push dword ptr ss:[ebp-F2] ; 堆栈 ss:[0012FA1A]=EBF027C7压栈(后)
0040118A FFB5 0AFFFFFF push dword ptr ss:[ebp-F6] ; 堆栈 ss:[0012FA16]=D875BC10压栈(前)
00401190 68 3E304000 push Crackme9.0040303E ; ASCII "%1X%1X"
00401195 68 5C304000 push Crackme9.0040305C ; ASCII "A8C562F640102F"序列号
0040119A E8 C3000000 call <jmp.&USER32.wsprintfA> ; 前后形成注册码
0040119F 83C4 10 add esp,10 ; esp=0012F8FC+10=12F90C
004011A2 68 FA000000 push 0FA
004011A7 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA]
004011AD 50 push eax ; eax=0012FA12
004011AE 6A FF push -1
004011B0 68 5C304000 push Crackme9.0040305C ; ASCII "A8C562F640102F"
004011B5 6A 00 push 0
004011B7 6A 00 push 0
004011B9 E8 F8000000 call <jmp.&KERNEL32.MultiByteToWideC>
004011BE 68 FA000000 push 0FA
004011C3 8D85 0CFEFFFF lea eax,dword ptr ss:[ebp-1F4]
004011C9 50 push eax
004011CA 6A FF push -1
004011CC 68 AC304000 push Crackme9.004030AC
004011D1 6A 00 push 0
004011D3 6A 00 push 0
004011D5 E8 DC000000 call <jmp.&KERNEL32.MultiByteToWideC>
004011DA 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA] ; 载入真码"D875BC10EBF027C7"
004011E0 A3 06314000 mov dword ptr ds:[403106],eax ; eax=D875BC10EBF027C7
004011E5 8D05 FC304000 lea eax,dword ptr ds:[4030FC]
004011EB 8D8D 0CFEFFFF lea ecx,dword ptr ss:[ebp-1F4] ; ecx=789789789
004011F1 51 push ecx ; 压入试验码
004011F2 FF70 0A push dword ptr ds:[eax+A] ; 压入真码
004011F5 E8 C8000000 call <jmp.&KERNEL32.lstrcmpA> ; 两码比较
004011FA 85C0 test eax,eax ; eax=1
004011FC 75 1D jnz short Crackme9.0040121B ; 不为1则跳走,为1则相等向下继续
004011FE 6A 10 push 10
00401200 E8 7B000000 call <jmp.&USER32.MessageBeep>
00401205 6A 00 push 0
00401207 68 00304000 push Crackme9.00403000
0040120C 68 09304000 push Crackme9.00403009
00401211 FF75 08 push dword ptr ss:[ebp+8]
00401214 E8 6D000000 call <jmp.&USER32.MessageBoxA>
00401219 EB 0F jmp short Crackme9.0040122A
0040121B 68 18304000 push Crackme9.00403018
00401220 6A 68 push 68
00401222 FF75 08 push dword ptr ss:[ebp+8]
00401225 E8 68000000 call <jmp.&USER32.SetDlgItemTextA> ; 出错对话框
0040122A B8 00000000 mov eax,0
真码:D875BC10EBF027C7
还有许多不明白,请高手指教! |
|
楼主: 野猫III
IP卡
发表于 2006-6-9 23:07:25
显身卡
发表于 2006-6-16 06:28:46
发表于 2006-7-4 02:12:41
发表于 2007-1-16 09:18:32