CrackMe_01 By黑夜彩虹算法分析

hrbx · 发表于 2006-6-11 02:27:05

【破文标题】CrackMe_01 By黑夜彩虹算法分析
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】hrbx@163.com
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-06-11
【软件名称】CrackMe_01 By 黑夜彩虹
【软件大小】436KB
【下载地址】https://www.chinapyg.com/viewthread.php?tid=5355&pid=30883&page=1&extra=#pid30883
【加壳方式】无
【软件简介】CrackMe_01 By 黑夜彩虹
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描，显示为：Microsoft Visual C++，无壳。
2.试运行，输入注册信息点"注册"按钮无任何提示。
3.追出算法。OD载入程序，F9运行，输入注册信息
======================
机器码: 3KC1NBCP
注册码: 9'876543210'
======================
先点击"注册"按钮一下，然后ALT+M内存映射,Ctrl+B搜索，在ASCII栏输入：3KC1NBCP，确定，找到后下"内存访问"断点，
Ctrl+L搜索下一个，找到后全部下"内存访问"断点，接着返回程序，再次点击"注册"按钮，立即中断：
004043CF |. 8B1F |mov ebx,dword ptr ds:[edi] ; 在此中断
004043D1 |. 39D9 |cmp ecx,ebx
004043D3 |. 75 58 |jnz short CrackMe0.0040442D
004043D5 |. 4A |dec edx
004043D6 |. 74 15 |je short CrackMe0.004043ED
004043D8 |. 8B4E 04 |mov ecx,dword ptr ds:[esi+4]
004043DB |. 8B5F 04 |mov ebx,dword ptr ds:[edi+4]
中断后，继续F8，直到返回，来到：
00456567 |. E8 38DEFAFF call CrackMe0.004043A4
0045656C |. 75 31 jnz short CrackMe0.0045659F ; F8直到返回这里
0045656E |. B8 D0654500 mov eax,CrackMe0.004565D0
00456573 |. E8 6410FDFF call CrackMe0.004275DC
向上查找，来到00456524处F2下断， Ctrl+F2重新载入程序，F9运行，输入注册信息：
======================
机器码: 3KC1NBCP
注册码: 9'8765'4'3210'
======================
点击"注册"按钮，立即中断：
00456524 /$ 55 push ebp ; F2在此下断，中断后F8往下走
00456525 |. 8BEC mov ebp,esp
00456527 |. 6A 00 push 0
00456529 |. 6A 00 push 0
0045652B |. 33C0 xor eax,eax
0045652D |. 55 push ebp
0045652E |. 68 BA654500 push CrackMe0.004565BA
00456533 |. 64:FF30 push dword ptr fs:[eax]
00456536 |. 64:8920 mov dword ptr fs:[eax],esp
00456539 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0045653C |. A1 049C4500 mov eax,dword ptr ds:[459C04]
00456541 |. 8B80 00030000 mov eax,dword ptr ds:[eax+300]
00456547 |. E8 20E1FDFF call CrackMe0.0043466C
0045654C |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假码"9'8765'4'3210'"
0045654F |. 50 push eax
00456550 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00456553 |. A1 049C4500 mov eax,dword ptr ds:[459C04]
00456558 |. 8B80 F8020000 mov eax,dword ptr ds:[eax+2F8]
0045655E |. E8 09E1FDFF call CrackMe0.0043466C
00456563 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; 机器码"3KC1NBCP"
00456566 |. 58 pop eax ; 假码"9'8765'4'3210'"
00456567 |. E8 38DEFAFF call CrackMe0.004043A4 ; 假码与机器码比较
0045656C |. 75 31 jnz short CrackMe0.0045659F ; 不等则继续,相等则弹出以下提示窗体
0045656E |. B8 D0654500 mov eax,CrackMe0.004565D0
00456573 |. E8 6410FDFF call CrackMe0.004275DC ; 弹出提示窗体"黑夜彩虹:已成功注册，你真厉害!"
00456578 |. E8 C3FEFFFF call CrackMe0.00456440 ; 弹出提示窗体"黑夜彩虹:其实你没成功,继续努力!"
0045657D |. 68 F4654500 push CrackMe0.004565F4 ; /AtomName = "a random string here"
00456582 |. E8 45FBFAFF call <jmp.&kernel32.GlobalFindAto>; \GlobalFindAtomA
00456587 |. 66:85C0 test ax,ax
0045658A |. 75 0C jnz short CrackMe0.00456598
0045658C |. 68 F4654500 push CrackMe0.004565F4 ; /AtomName = "a random string here"
00456591 |. E8 1EFBFAFF call <jmp.&kernel32.GlobalAddAtom>; \GlobalAddAtomA
00456596 |. EB 07 jmp short CrackMe0.0045659F
00456598 |> 6A 00 push 0 ; /ExitCode = 0
0045659A |. E8 25FAFAFF call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0045659F |> 33C0 xor eax,eax
004565A1 |. 5A pop edx
004565A2 |. 59 pop ecx
004565A3 |. 59 pop ecx
004565A4 |. 64:8910 mov dword ptr fs:[eax],edx
004565A7 |. 68 C1654500 push CrackMe0.004565C1
004565AC |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004565AF |. BA 02000000 mov edx,2
004565B4 |. E8 03DAFAFF call CrackMe0.00403FBC
004565B9 \. C3 retn
004565BA .^ E9 DDD3FAFF jmp CrackMe0.0040399C
004565BF .^ EB EB jmp short CrackMe0.004565AC
004565C1 . 59 pop ecx
004565C2 . 59 pop ecx
004565C3 . 5D pop ebp
004565C4 . C3 retn
继续F8，经过几个retn来到这里：
00456944 . 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00456947 . 8B83 00030000 mov eax,dword ptr ds:[ebx+300]
0045694D . E8 1ADDFDFF call CrackMe0.0043466C
00456952 . 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 假码"9'876543210'"
00456955 . 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00456958 . E8 5BF7FFFF call CrackMe0.004560B8 ; 关键CALL-1,F7进入
0045695D . 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 运算结果传给EAX，D ss:[ebp-8](00AC59E0)
00456960 . 8D4D FC lea ecx,dword ptr ss:[ebp-4]
00456963 . 8B15 0C9C4500 mov edx,dword ptr ds:[459C0C] ; 字符串"0a739b5eba9d0ee27f868fec655abcc4"
00456969 . E8 82F6FFFF call CrackMe0.00455FF0 ; 关键CALL-2,F7进入
0045696E . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 运算结果传给EAX，D ss:[ebp-8],"9Y"
00456971 . 50 push eax
00456972 . 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00456975 . 8B83 F8020000 mov eax,dword ptr ds:[ebx+2F8]
0045697B . E8 ECDCFDFF call CrackMe0.0043466C
00456980 . 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; 机器码"3KC1NBCP"
00456983 . 58 pop eax ; 假码经过两次运算所得结果"9Y"
00456984 . E8 1BDAFAFF call CrackMe0.004043A4 ; 经典比较
00456989 . 75 0D jnz short CrackMe0.00456998 ; 不等则Over，暴破点，NOP掉
0045698B . B2 01 mov dl,1 ; 标志位置为1
0045698D . 8B83 08030000 mov eax,dword ptr ds:[ebx+308]
00456993 . E8 F4DBFDFF call CrackMe0.0043458C
00456998 > 33C0 xor eax,eax
0045699A . 5A pop edx
0045699B . 59 pop ecx
0045699C . 59 pop ecx
0045699D . 64:8910 mov dword ptr fs:[eax],edx
004569A0 . 68 C7694500 push CrackMe0.004569C7
004569A5 > 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004569A8 . BA 02000000 mov edx,2
004569AD . E8 0AD6FAFF call CrackMe0.00403FBC
004569B2 . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004569B5 . BA 02000000 mov edx,2
004569BA . E8 FDD5FAFF call CrackMe0.00403FBC
004569BF . C3 retn
004569C0 .^ E9 D7CFFAFF jmp CrackMe0.0040399C
004569C5 .^ EB DE jmp short CrackMe0.004569A5
004569C7 . 5B pop ebx
004569C8 . 8BE5 mov esp,ebp
004569CA . 5D pop ebp
004569CB . C3 retn
F7进入00456958处的关键CALL-1,来到：
004560B8 /$ 55 push ebp
004560B9 |. 8BEC mov ebp,esp
004560BB |. 33C9 xor ecx,ecx
004560BD |. 51 push ecx
004560BE |. 51 push ecx
004560BF |. 51 push ecx
004560C0 |. 51 push ecx
004560C1 |. 51 push ecx
004560C2 |. 51 push ecx
004560C3 |. 51 push ecx
004560C4 |. 51 push ecx
004560C5 |. 53 push ebx
004560C6 |. 56 push esi
004560C7 |. 57 push edi
004560C8 |. 8955 F8 mov dword ptr ss:[ebp-8],edx
004560CB |. 8945 FC mov dword ptr ss:[ebp-4],eax
004560CE |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004560D1 |. E8 72E3FAFF call CrackMe0.00404448
004560D6 |. 33C0 xor eax,eax
004560D8 |. 55 push ebp
004560D9 |. 68 6C624500 push CrackMe0.0045626C
004560DE |. 64:FF30 push dword ptr fs:[eax]
004560E1 |. 64:8920 mov dword ptr fs:[eax],esp
004560E4 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004560E7 |. E8 ACDEFAFF call CrackMe0.00403F98
004560EC |. 33DB xor ebx,ebx
004560EE |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
004560F1 |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
004560F4 |. E8 37DFFAFF call CrackMe0.00404030
004560F9 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假码"9'8765'4'3210'"
004560FC |. E8 57E1FAFF call CrackMe0.00404258 ; 获取假码长度，EAX=0xE(14)
00456101 |. 8BF0 mov esi,eax
00456103 |. 85F6 test esi,esi
00456105 |. 0F8E 3E010000 jle CrackMe0.00456249
0045610B |. BF 01000000 mov edi,1
00456110 |> 84DB /test bl,bl ; BL作Bool判断
00456112 |. 0F84 9C000000 |je CrackMe0.004561B4
00456118 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
0045611B |. 8A4438 FF |mov al,byte ptr ds:[eax+edi-1]
0045611F |. 2C 27 |sub al,27
00456121 |. 75 72 |jnz short CrackMe0.00456195
00456123 |. 837D F4 00 |cmp dword ptr ss:[ebp-C],0
00456127 |. 74 2A |je short CrackMe0.00456153
00456129 |. A0 7C624500 |mov al,byte ptr ds:[45627C]
0045612E |. 50 |push eax
0045612F |. 8D45 F0 |lea eax,dword ptr ss:[ebp-10]
00456132 |. 50 |push eax
00456133 |. B9 88624500 |mov ecx,CrackMe0.00456288
00456138 |. BA 94624500 |mov edx,CrackMe0.00456294 ; ASCII "''"，注意此关键字符串('')
0045613D |. 8B45 F4 |mov eax,dword ptr ss:[ebp-C]
00456140 |. E8 5B67FBFF |call CrackMe0.0040C8A0
00456145 |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
00456148 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
0045614B |. E8 10E1FAFF |call CrackMe0.00404260
00456150 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00456153 |> 8D45 EC |lea eax,dword ptr ss:[ebp-14]
00456156 |. 50 |push eax
00456157 |. 8D57 01 |lea edx,dword ptr ds:[edi+1]
0045615A |. B9 01000000 |mov ecx,1
0045615F |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
00456162 |. E8 51E3FAFF |call CrackMe0.004044B8
00456167 |. 8B45 EC |mov eax,dword ptr ss:[ebp-14]
0045616A |. BA 88624500 |mov edx,CrackMe0.00456288
0045616F |. E8 30E2FAFF |call CrackMe0.004043A4
00456174 |. 75 10 |jnz short CrackMe0.00456186
00456176 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00456179 |. BA 88624500 |mov edx,CrackMe0.00456288
0045617E |. E8 DDE0FAFF |call CrackMe0.00404260
00456183 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00456186 |> 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00456189 |. E8 0ADEFAFF |call CrackMe0.00403F98
0045618E |. 33DB |xor ebx,ebx
00456190 |. E9 AC000000 |jmp CrackMe0.00456241
00456195 |> 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
00456198 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0045619B |. 8A543A FF |mov dl,byte ptr ds:[edx+edi-1]
0045619F |. E8 DCDFFAFF |call CrackMe0.00404180
004561A4 |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
004561A7 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
004561AA |. E8 B1E0FAFF |call CrackMe0.00404260
004561AF |. E9 8D000000 |jmp CrackMe0.00456241
004561B4 |> 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; 假码"9'8765'4'3210'"
004561B7 |. 0FB64438 FF |movzx eax,byte ptr ds:[eax+edi-1] ; 依次取假码每一位字符的ASCII值
004561BC |. 83F8 30 |cmp eax,30 ; Switch (cases 23..66)
004561BF |. 7D 0F |jge short CrackMe0.004561D0 ; //以下过程为对假码中的字符进行查找
004561C1 |. 83E8 23 |sub eax,23 ; //将假码中''(单引号)前的数值以16进制形式保存，
004561C4 |. 74 24 |je short CrackMe0.004561EA ; //将''(单引号)内的字符串仍以字符串形式保存
004561C6 |. 48 |dec eax ; //例如假码为"9'8765'4'3210'"，则保存为
004561C7 |. 74 5E |je short CrackMe0.00456227 ; //09 38 37 36 35 04 33 32 31 30 00 .87653210
004561C9 |. 83E8 03 |sub eax,3
004561CC |. 74 1C |je short CrackMe0.004561EA
004561CE |. EB 71 |jmp short CrackMe0.00456241
004561D0 |> 83C0 D0 |add eax,-30
004561D3 |. 83E8 0A |sub eax,0A
004561D6 |. 72 4F |jb short CrackMe0.00456227
004561D8 |. 83C0 F9 |add eax,-7
004561DB |. 83E8 06 |sub eax,6
004561DE |. 72 47 |jb short CrackMe0.00456227
004561E0 |. 83C0 E6 |add eax,-1A
004561E3 |. 83E8 06 |sub eax,6
004561E6 |. 72 3F |jb short CrackMe0.00456227
004561E8 |. EB 57 |jmp short CrackMe0.00456241
004561EA |> 837D F4 00 |cmp dword ptr ss:[ebp-C],0 ; Cases 23 ('#'),27 (''') of switch 004561BC
004561EE |. 74 22 |je short CrackMe0.00456212
004561F0 |. 33D2 |xor edx,edx
004561F2 |. 8B45 F4 |mov eax,dword ptr ss:[ebp-C]
004561F5 |. E8 EA1DFBFF |call CrackMe0.00407FE4
004561FA |. 8BD0 |mov edx,eax
004561FC |. 8D45 E4 |lea eax,dword ptr ss:[ebp-1C]
004561FF |. E8 7CDFFAFF |call CrackMe0.00404180
00456204 |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
00456207 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
0045620A |. E8 51E0FAFF |call CrackMe0.00404260
0045620F |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00456212 |> 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00456215 |. E8 7EDDFAFF |call CrackMe0.00403F98
0045621A |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
0045621D |. 807C38 FF 27 |cmp byte ptr ds:[eax+edi-1],27 ; 比较字符是否为0x27(''')
00456222 |. 0F94C3 |sete bl ; BL取反
00456225 |. EB 1A |jmp short CrackMe0.00456241
00456227 |> 8D45 E0 |lea eax,dword ptr ss:[ebp-20] ; Cases 24 ('$'),30 ('0'),31 ('1'),32 ('2'),33
('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9'),41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F'),61 ('a'),62
('b'),63 ('c')... of switch 004561BC
0045622A |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0045622D |. 8A543A FF |mov dl,byte ptr ds:[edx+edi-1]
00456231 |. E8 4ADFFAFF |call CrackMe0.00404180
00456236 |. 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
00456239 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
0045623C |. E8 1FE0FAFF |call CrackMe0.00404260
00456241 |> 47 |inc edi ; Default case of switch 004561BC
00456242 |. 4E |dec esi
00456243 |.^ 0F85 C7FEFFFF \jnz CrackMe0.00456110 ; //没取完注册码则跳回去继续
00456249 |> 33C0 xor eax,eax
0045624B |. 5A pop edx
0045624C |. 59 pop ecx
0045624D |. 59 pop ecx
0045624E |. 64:8910 mov dword ptr fs:[eax],edx
00456251 |. 68 73624500 push CrackMe0.00456273
00456256 |> 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00456259 |. BA 06000000 mov edx,6
0045625E |. E8 59DDFAFF call CrackMe0.00403FBC
00456263 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00456266 |. E8 2DDDFAFF call CrackMe0.00403F98
0045626B \. C3 retn
F7进入0045696处的关键CALL-2,来到：
00455FF0 /$ 55 push ebp
00455FF1 |. 8BEC mov ebp,esp
00455FF3 |. 83C4 F0 add esp,-10
00455FF6 |. 53 push ebx
00455FF7 |. 56 push esi
00455FF8 |. 57 push edi
00455FF9 |. 33DB xor ebx,ebx
00455FFB |. 895D F0 mov dword ptr ss:[ebp-10],ebx
00455FFE |. 8BF9 mov edi,ecx
00456000 |. 8955 F8 mov dword ptr ss:[ebp-8],edx ; 字符串str2"0a739b5eba9d0ee27f868fec655abcc4"
00456003 |. 8945 FC mov dword ptr ss:[ebp-4],eax ; eax=00AC59E0，假码变化结果的地址,字符串str1
00456006 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00456009 |. E8 3AE4FAFF call CrackMe0.00404448
0045600E |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00456011 |. E8 32E4FAFF call CrackMe0.00404448
00456016 |. 33C0 xor eax,eax
00456018 |. 55 push ebp
00456019 |. 68 AA604500 push CrackMe0.004560AA
0045601E |. 64:FF30 push dword ptr fs:[eax]
00456021 |. 64:8920 mov dword ptr fs:[eax],esp
00456024 |. BB 01000000 mov ebx,1
00456029 |. 8BC7 mov eax,edi
0045602B |. E8 68DFFAFF call CrackMe0.00403F98
00456030 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax=00AC59E0，假码变化结果的地址
00456033 |. E8 20E2FAFF call CrackMe0.00404258 ; 获取假码变化结果长度，EAX＝0xA
00456038 |. 8BF0 mov esi,eax
0045603A |. 85F6 test esi,esi
0045603C |. 7E 49 jle short CrackMe0.00456087
0045603E |> C745 F4 01000000 mov dword ptr ss:[ebp-C],1
00456045 |> 8D45 F0 /lea eax,dword ptr ss:[ebp-10]
00456048 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4]
0045604B |. 8B4D F4 |mov ecx,dword ptr ss:[ebp-C]
0045604E |. 8A540A FF |mov dl,byte ptr ds:[edx+ecx-1] ; 依次取假码变化结果str1每一位字符的ASCII值
00456052 |. 8B4D F8 |mov ecx,dword ptr ss:[ebp-8]
00456055 |. 8A4C19 FF |mov cl,byte ptr ds:[ecx+ebx-1] ; 依次取字符串str2每一位字符的ASCII值
00456059 |. 32D1 |xor dl,cl ; 进行xor 运算
0045605B |. E8 20E1FAFF |call CrackMe0.00404180 ; 取xor 结果所对应的字符保存
00456060 |. 8B55 F0 |mov edx,dword ptr ss:[ebp-10]
00456063 |. 8BC7 |mov eax,edi
00456065 |. E8 F6E1FAFF |call CrackMe0.00404260 ; 依次将每次所得字符连接，得到"9Y"
0045606A |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
0045606D |. E8 E6E1FAFF |call CrackMe0.00404258
00456072 |. 8D53 01 |lea edx,dword ptr ds:[ebx+1]
00456075 |. 3BC2 |cmp eax,edx
00456077 |. 7C 03 |jl short CrackMe0.0045607C
00456079 |. 43 |inc ebx
0045607A |. EB 05 |jmp short CrackMe0.00456081
0045607C |> BB 01000000 |mov ebx,1
00456081 |> FF45 F4 |inc dword ptr ss:[ebp-C]
00456084 |. 4E |dec esi
00456085 |.^ 75 BE \jnz short CrackMe0.00456045
00456087 |> 33C0 xor eax,eax
00456089 |. 5A pop edx
0045608A |. 59 pop ecx
0045608B |. 59 pop ecx
0045608C |. 64:8910 mov dword ptr fs:[eax],edx
0045608F |. 68 B1604500 push CrackMe0.004560B1
00456094 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00456097 |. E8 FCDEFAFF call CrackMe0.00403F98
0045609C |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0045609F |. BA 02000000 mov edx,2
004560A4 |. E8 13DFFAFF call CrackMe0.00403FBC
004560A9 \. C3 retn
-----------------------------------------------------------------------------------------------
【破解总结】
1.程序取C盘硬盘号作为机器码。
2.注册码中必需包含单引号(''),将单引号前的数值与16进制形式保存，单引号内的字符串保持不变,记为字符串str1。
3.程序内置固定字符串str2"0a739b5eba9d0ee27f868fec655abcc4",依次取字符串str1每一位字符
与字符串str2每一位字符进行xor运算，取运算结果相对应的字符连接，记为字符串str.
4.将字符串str与机器码进行比较，相等则注册成功。
注册成功后"注册"按钮左侧会显示"黑夜彩虹:已成功注册，你真厉害!"提示标签。
一组可用注册码：
======================
机器码: 3KC1NBCP
注册码: 3'*t'2'w'32'v5'
======================
暴破更改以下位置：
00456989 jnz short CrackMe0.00456998 ; jnz====>NOP
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

复制代码

黑夜彩虹 · 发表于 2006-6-11 03:11:21

历害....高人啊。。。。

楼主能否给个建议：此CrackMe的不足　及　应该在哪方面再加强？　该采取什么样的措施来保护？

我将继续写新的CrackMe.......

kplp · 发表于 2006-6-11 06:49:23

　学习中．

飘云 · 发表于 2006-6-11 07:01:42

先点击"注册"按钮一下，然后ALT+M内存映射,Ctrl+B搜索，在ASCII栏输入：3KC1NBCP

各位初学者学习一下：这是模拟Winhex 的操作！:victory:

飘云 · 发表于 2006-6-11 07:22:08

原帖由 hrbx 于 2006-6-11 02:27 发表
1.查壳。用Peid扫描，显示为：Microsoft Visual C++，无壳。

作者添加了一个区段 .topo0 然后进行了伪装～

程序实为 Delphi 编写：
00456C40       55                push ebp       //OEP
00456C41       8BEC                mov ebp,esp
00456C43       83C4 F0             add esp,-10
00456C46       B8 506A4500       mov eax,2.00456A50
00456C4B       E8 5CF1FAFF       call 2.00405DAC

浮云思音 · 发表于 2006-6-11 09:09:45

小黑高，楼主更高，哈哈~~，楼主写破文时能不能照顾一下我等菜鸟，象“确定，找到后下"内存访问"断点”这个内存访问断点是什么我找了半天，如果不碍事直接写出来就好了，老少皆宜。。。

小黑继续出CRACKME，楼主继续破，我继续学，不错~不错~

hrbx · 发表于 2006-6-11 11:35:06

在找到的机器码上点击，然后在OD中，点击右键→断点→内存访问断点
就可以了。

hrbx · 发表于 2006-6-11 11:36:31

原帖由飘云于 2006-6-11 07:22 发表

作者添加了一个区段 .topo0 然后进行了伪装～

程序实为 Delphi 编写：
00456C40 55 push ebp //OEP
00456C41 8BEC mov ebp,esp
00456C43 ...

我也有看了一下区段 .topo0 ，没太留意。:P
呵呵，谢谢指点

caterpilla · 发表于 2006-6-11 15:55:33

佩服楼主，佩服小黑
我的作法是是用UE找到BUTTON1CLICK，然后找到了入口地下，用DEDE反编译出来了，但还有一些不明白，向小黑请教。
1、飘云老大说加了个段，这个段是手工加的，还是有工具完成的？
2、感觉下面这段代码开始有问题，是用了花指令，还有异常这些保护方法？
004567F6 0F842F010000          jz    0045692B
004567FC 0F8529010000          jnz    0045692B

|
00456802 E824000000          call 0045682B

请指点下，谢谢了~~~~~~~~~~~~~~~

Nisy · 发表于 2006-6-11 16:19:35

卡吧这老怪又误报了设置了个5分钟以后在监控系统没想到正调试这个软件呢电脑重启了现在来继续搞~

		自动登录	找回密码
密码			加入我们

CrackMe_01 By黑夜彩虹 算法分析

相关帖子

CrackMe_01 By黑夜彩虹算法分析