- UID
- 13801
注册时间2006-5-22
阅读权限40
最后登录1970-1-1
独步武林
 
该用户从未签到
|
发表于 2006-5-26 20:11:49
|
显示全部楼层
根据ESP定律,设SP-4处硬件断点,中断两次,看到
0046DFA2 - E9 F926FEFF jmp Crackme1.004506A0
再F8一次,就看到OEP了
004506A0 /> /55 push ebp
004506A1 |. |8BEC mov ebp, esp
004506A3 |. |83C4 F0 add esp, -10
004506A6 |. |B8 30054500 mov eax, Crackme1.00450530
004506AB |. |E8 C85EFBFF call Crackme1.00406578
004506B0 |. |A1 241E4500 mov eax, [451E24]
004506B5 |. |8B00 mov eax, [eax]
。。。。。。。。。。。。。
在4506A0处右键DUMP PROCESS就可以保存了,存为DUMP。EXE。很幸运,脱壳后直接可运行。
用DEDE反编译DEDE,找到BUTTON1CLICK处理方法,可看到如下代码。
004502B4 55 push ebp
004502B5 8BEC mov ebp, esp
004502B7 33C9 xor ecx, ecx
004502B9 51 push ecx
004502BA 51 push ecx
004502BB 51 push ecx
004502BC 51 push ecx
004502BD 51 push ecx
004502BE 51 push ecx
004502BF 51 push ecx
004502C0 53 push ebx
004502C1 56 push esi
004502C2 57 push edi
004502C3 8BF0 mov esi, eax
004502C5 33C0 xor eax, eax
004502C7 55 push ebp
004502C8 6818044500 push $00450418
***** TRY
|
004502CD 64FF30 push dword ptr fs:[eax]
004502D0 648920 mov fs:[eax], esp
004502D3 8D55F4 lea edx, [ebp-$0C]
* Reference to control Edit1 : N.A.
|
004502D6 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004502DC E817F2FDFF call 0042F4F8
004502E1 837DF400 cmp dword ptr [ebp-$0C], +$00
004502E5 751E jnz 00450305
004502E7 6A30 push $30
* Possible String Reference to: 'Error:'
|
004502E9 6828044500 push $00450428
* Possible String Reference to: '请输入用户名和序列号!'
|
004502EE 6830044500 push $00450430
004502F3 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
004502F5 E87258FEFF call 00435B6C
004502FA 50 push eax
|
004502FB E83C6AFBFF call 00406D3C
00450300 E9DB000000 jmp 004503E0
00450305 8D55F0 lea edx, [ebp-$10]
* Reference to control Edit1 : N.A.
|
00450308 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
0045030E E8E5F1FDFF call 0042F4F8
00450313 8B45F0 mov eax, [ebp-$10]
* Reference to: System.@LStrLen(String):Integer;
| or: System.@DynArrayLength;
| or: System.DynArraySize(Pointer):Integer;
| or: Variants.DynArraySize(Pointer):Integer;
|
00450316 E8A941FBFF call 004044C4
0045031B 83F804 cmp eax, +$04
0045031E 7D1E jnl 0045033E
00450320 6A30 push $30
* Possible String Reference to: 'Error:'
|
00450322 6828044500 push $00450428
* Possible String Reference to: '用户名至少四个字符!'
|
00450327 6848044500 push $00450448
0045032C 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
0045032E E83958FEFF call 00435B6C
00450333 50 push eax
|
00450334 E8036AFBFF call 00406D3C
00450339 E9A2000000 jmp 004503E0
0045033E 8D55F8 lea edx, [ebp-$08]
* Reference to control Edit1 : N.A.
|
00450341 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00450347 E8ACF1FDFF call 0042F4F8
0045034C 8D55EC lea edx, [ebp-$14]
* Reference to control Edit1 : N.A.
|
0045034F 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00450355 E89EF1FDFF call 0042F4F8
0045035A 8B45EC mov eax, [ebp-$14]
* Reference to: System.@LStrLen(String):Integer;
| or: System.@DynArrayLength;
| or: System.DynArraySize(Pointer):Integer;
| or: Variants.DynArraySize(Pointer):Integer;
|
0045035D E86241FBFF call 004044C4
00450362 8BD8 mov ebx, eax
00450364 85DB test ebx, ebx
00450366 7E29 jle 00450391
00450368 BF01000000 mov edi, $00000001
0045036D 8B45F8 mov eax, [ebp-$08]
00450370 0FB64438FF movzx eax, byte ptr [eax+edi-$01]
00450375 8D4DE8 lea ecx, [ebp-$18]
00450378 BA02000000 mov edx, $00000002
* Reference to: SysUtils.IntToHex(Integer;Integer):AnsiString;overload;
|
0045037D E88E7FFBFF call 00408310
00450382 8B55E8 mov edx, [ebp-$18]
00450385 8D45FC lea eax, [ebp-$04]
* Reference to: System.@LStrCat;
|
00450388 E83F41FBFF call 004044CC
0045038D 47 inc edi
0045038E 4B dec ebx
0045038F 75DC jnz 0045036D
00450391 8D55E4 lea edx, [ebp-$1C]
* Reference to control Edit2 : N.A.
|
00450394 8B8600030000 mov eax, [esi+$0300]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
0045039A E859F1FDFF call 0042F4F8
0045039F 8B45E4 mov eax, [ebp-$1C]
004503A2 8B55FC mov edx, [ebp-$04]
* Reference to: System.@LStrCmp;
|
004503A5 E85E42FBFF call 00404608
004503AA 751B jnz 004503C7
004503AC 6A40 push $40
* Possible String Reference to: 'ok:'
|
004503AE 6860044500 push $00450460
* Possible String Reference to: '恭喜你,注册成功!'
|
004503B3 6864044500 push $00450464
004503B8 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
004503BA E8AD57FEFF call 00435B6C
004503BF 50 push eax
|
004503C0 E87769FBFF call 00406D3C
004503C5 EB19 jmp 004503E0
004503C7 6A30 push $30
* Possible String Reference to: 'Error:'
|
004503C9 6828044500 push $00450428
* Possible String Reference to: '序列号不对呀,请再试试!'
|
004503CE 6878044500 push $00450478
004503D3 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
004503D5 E89257FEFF call 00435B6C
004503DA 50 push eax
|
004503DB E85C69FBFF call 00406D3C
004503E0 33C0 xor eax, eax
004503E2 5A pop edx
004503E3 59 pop ecx
004503E4 59 pop ecx
004503E5 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '_^[嬪]?
|
004503E8 681F044500 push $0045041F
004503ED 8D45E4 lea eax, [ebp-$1C]
* Reference to: System.@LStrClr(void;void);
|
004503F0 E8173EFBFF call 0040420C
004503F5 8D45E8 lea eax, [ebp-$18]
* Reference to: System.@LStrClr(void;void);
|
004503F8 E80F3EFBFF call 0040420C
004503FD 8D45EC lea eax, [ebp-$14]
00450400 BA03000000 mov edx, $00000003
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00450405 E8263EFBFF call 00404230
0045040A 8D45F8 lea eax, [ebp-$08]
0045040D BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00450412 E8193EFBFF call 00404230
00450417 C3 ret
* Reference to: System.@HandleFinally;
|
00450418 E91738FBFF jmp 00403C34
0045041D EBCE jmp 004503ED
****** END
|
0045041F 5F pop edi
00450420 5E pop esi
00450421 5B pop ebx
00450422 8BE5 mov esp, ebp
00450424 5D pop ebp
00450425 C3 ret
分析后,猜测注册码的生成是根据用户名转成十六进制而成的。
用OD载入DUMP。EXE,在比较处下断
004503A5 |. E8 5E42FBFF call dump13.00404608
执行到时可看到寄存器值为
EAX 00D8541C ASCII "78787878"
ECX 77D187FF user32.77D187FF
EDX 00D85404 ASCII "6A746A74"
EAX为输入的注册码,EDX为实际注册码,确实是用户名16进制码。
可在4503A5处用做内存注册机,中断一次,读出EDX就可以了。也可写自己的用户名转16进制的程序。 |
|
楼主: 野猫III
IP卡
显身卡
发表于 2006-5-27 07:46:32
发表于 2006-6-7 13:10:55
发表于 2006-6-8 00:38:03
发表于 2006-8-4 15:50:50