So none of the brothers above actually succeeded; they only got past the first check. Keep at it, brothers!
If you can still type into it after a restart, that means it did not succeed.
You should have said so earlier. I'll look into it some more, haha~~ Mine: username: zbkzj, serial: 2615j
Just read it, I'll try again.
[ This post was last edited by zbkzj on 2007-5-10 21:24 ]
The download link and the success screenshot have been posted; keep at it, everyone.
OD doesn't work..
Heh, I said it before: this crackme cannot be solved with OD alone.
Thanks! I'll download it and give it a try.
Open source, just two words~
Algorithm analysis!
Open crackme.exe in C32Asm and search for the string %04d; there are 3 hits: 401726, 4019be, 401b84.
Go to 401726:
XOR ECX,ECX
::00401703::33C0 XOR EAX,EAX
::00401705::EB 09 JMP SHORT 00401710 \:JMPDOWN
::00401707::8DA424 00000000 LEA ESP,DWORD PTR [ESP]
::0040170E::8BFF MOV EDI,EDI
::00401710::0FBE5404 14 MOVSX EDX,BYTE PTR [ESP+EAX+14] \:BYJMP JmpBy:00401705,00401723 --> fetch the ASCII code of each character of the username
::00401715::81F2 82000000 XOR EDX,82 //XOR $82
::0040171B::83C0 01 ADD EAX,1
::0040171E::03CA ADD ECX,EDX //accumulate
::00401720::83F8 10 CMP EAX,10 //reached 16 (0x10) characters yet?
::00401723::7C EB JL SHORT 00401710 \:JMPUP
::00401725::51 PUSH ECX //ecx is characters 1-4 of the serial
::00401726::68 048C4200 PUSH 428C04 \->: %04d
-----------------------
Create key.txt in the program's directory
Set a breakpoint at 40143A
When it breaks there, HELLO.EXE is generated
Copy HELLO.EXE to ok.exe
--------------------------
Load ok.exe with TR
Trace until you reach:
:0001.02F6 3D1000 cmp ax, 0010 //is the serial 16 characters or longer?
:0001.02F9 7D03 jge 02FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.02EC(C)
|
:0001.02FB E893FF call 0291 //if not, DEL KEY.TXT
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.02F9(C)
|
:0001.02FE 33F6 xor si, si
:0001.0300 EB19 jmp 031B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.031E(C)
|
:0001.0302 8A84AA01 mov al, [si+01AA] //fetch the ASCII of the serial counting from character 1
:0001.0306 98 cbw
:0001.0307 50 push ax
:0001.0308 8A84B201 mov al, [si+01B2] //fetch the ASCII of the serial counting from character 9
:0001.030C 98 cbw
:0001.030D BA6900 mov dx, 0069
:0001.0310 2BD0 sub dx, ax //$69 - ASCII of the character from position 9 on
:0001.0312 58 pop ax
:0001.0313 3BC2 cmp ax, dx //is the ASCII of the character from position 1 on equal to ($69 - ASCII of the character from position 9 on)?
:0001.0315 7403 je 031A
:0001.0317 E877FF call 0291 //if not, DEL key.txt
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.0315(C)
|
:0001.031A 46 inc si
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.0300(U)
|
:0001.031B 83FE08 cmp si, 0008 //loops 8 times, which means the serial should be 16 characters!
:0001.031E 7CE2 jl 0302
------------------------------------------
At first I left out the algorithm for characters 5-8 of the serial.
Adding it here:
::00401B50::33C0 XOR EAX, EAX
::00401B52::0FBE5404 14 MOVSX EDX, BYTE PTR [ESP+EAX+14] \:BYJMP JmpBy:00401B81
::00401B57::0FBE4C04 15 MOVSX ECX, BYTE PTR [ESP+EAX+15]
::00401B5C::83F1 28 XOR ECX, 28
::00401B5F::83F2 28 XOR EDX, 28
::00401B62::03D1 ADD EDX, ECX
::00401B64::0FBE4C04 17 MOVSX ECX, BYTE PTR [ESP+EAX+17]
::00401B69::83F1 28 XOR ECX, 28
::00401B6C::03D1 ADD EDX, ECX
::00401B6E::0FBE4C04 16 MOVSX ECX, BYTE PTR [ESP+EAX+16]
::00401B73::83F1 28 XOR ECX, 28
::00401B76::03CF ADD ECX, EDI //EDI carries the running total
::00401B78::83C0 04 ADD EAX, 4 //4 bytes of the name per round
::00401B7B::83F8 10 CMP EAX, 10
::00401B7E::8D3C11 LEA EDI, DWORD PTR [ECX+EDX] //EDI = sum of (byte xor $28) over the 16 bytes
::00401B81::7C CF JL SHORT 00401B52 \:JMPUP
Username: johnroot
Serial: 2939091570609084
Keygen Delphi code:
procedure TForm1.Button1Click(Sender: TObject);
var
  nameok: array[0..$F] of Byte;   // the username as the crackme holds it: 16 bytes, zero-padded
  pp, gg, gg2, mm, mm2: string;
  i, j, j2: Integer;
begin
  FillChar(nameok, SizeOf(nameok), 0);
  pp := Edit1.Text;
  for i := 1 to Length(pp) do
    if i <= $10 then
      nameok[i - 1] := Ord(pp[i]);   // names longer than 16 chars are cut off, like the loop at 401710
  // serial chars 1-4: sum of (byte xor $82) over the 16 bytes, printed with %04d
  j := 0;
  for i := 0 to $F do
    j := j + (nameok[i] xor $82);
  gg := Format('%.4d', [j]);
  // serial chars 5-8: sum of (byte xor $28) over the 16 bytes, also 4 digits
  j2 := 0;
  for i := 0 to $F do
    j2 := j2 + (nameok[i] xor $28);
  gg2 := Format('%.4d', [j2]);
  // serial chars 9-16: each is $69 minus the char 8 positions earlier (the check in HELLO.EXE)
  mm := '';
  mm2 := '';
  for i := 1 to 4 do
  begin
    mm := mm + Chr($69 - Ord(gg[i]));
    mm2 := mm2 + Chr($69 - Ord(gg2[i]));
  end;
  Edit2.Text := gg + gg2 + mm + mm2;
end;
[ This post was last edited by johnroot on 2007-5-12 15:20 ]
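The scheme recovered above, reimplemented as an added example (not code from the thread or from the crackme's author): the two XOR sums over the zero-padded 16-byte name buffer, the %04d formatting, and the 0x69 relation that HELLO.EXE enforces. Buffer size, padding, XOR keys and offsets come from the listings; the crackme's own comparison code is not on the page, so check_serial() mirrors the relations the analysis states rather than the exact instructions. Function names are my own.

```python
# Added example reimplementing the serial scheme described in the analysis.
# Assumptions: a 16-byte zero-padded name buffer (the loops run EAX 0..0x10
# over [ESP+EAX+14]); XOR keys 0x82 and 0x28; the HELLO.EXE check
# serial[i] == 0x69 - serial[i+8] for i in 0..7.

NAME_BUF_LEN = 0x10


def pad_name(name: str) -> bytes:
    """Username as the crackme reads it: 16 bytes, zero-padded, excess cut off.
    ASCII only, so no sign-extension differences against the MOVSX loop."""
    return name.encode("ascii")[:NAME_BUF_LEN].ljust(NAME_BUF_LEN, b"\x00")


def xor_sum(buf: bytes, key: int) -> int:
    """Sum of (byte XOR key) over the buffer: key 0x82 at 401715, 0x28 at 401B5C."""
    return sum(b ^ key for b in buf)


def complement(half: str) -> str:
    """Second-stage relation: char[i] must equal 0x69 - char[i+8]."""
    return "".join(chr(0x69 - ord(c)) for c in half)


def keygen(name: str) -> str:
    """Serial for a username: two 4-digit sums, then their 0x69 complement."""
    buf = pad_name(name)
    # chars 1-4: xor-0x82 sum; chars 5-8: xor-0x28 sum; both printed with %04d
    first_half = "%04d%04d" % (xor_sum(buf, 0x82), xor_sum(buf, 0x28))
    # chars 9-16 are fully determined by chars 1-8
    return first_half + complement(first_half)


def check_serial(name: str, serial: str) -> bool:
    """Stage 1 (crackme.exe) then stage 2 (HELLO.EXE), as the analysis describes them."""
    buf = pad_name(name)
    if serial[:4] != "%04d" % xor_sum(buf, 0x82):
        return False
    if serial[4:8] != "%04d" % xor_sum(buf, 0x28):
        return False
    if len(serial) < 16:          # cmp ax, 0010 / jge at 0001.02F6
        return False
    return all(ord(serial[i]) == 0x69 - ord(serial[i + 8]) for i in range(8))


if __name__ == "__main__":
    print(keygen("johnroot"))     # the username/serial pair posted in the thread
```

Running it reproduces 2939091570609084 for johnroot. From a design standpoint the weakness is visible in the numbers: the first sum lies in 2048..4080 and the second in 0..2032, and the last eight characters add nothing, so the whole 16-character serial carries only about 22 bits and is a few lines of arithmetic away from the username; any licence check built on a cheap deterministic function of the name falls this way once the function is read out of the binary.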
Success screenshot
Success screenshot!!! [ This post was last edited by johnroot on 2007-5-12 10:15 ]