CrackMeIII by glts: a simple algorithm analysis
【Title】CrackMeIII by glts: a simple algorithm analysis
【Author】hrbx
【Homepage】hrbx.ys168.com
【E-mail】hrbx@163.com
【Platform】WinXP
【Tools】OD 1.10, PEiD
【Date】2007-06-22
【Software】CrackMeIII
【Size】542KB
【Download】https://www.chinapyg.com/viewthread.php?tid=1678
【Packer】UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【Description】CrackMeIII By glts
-----------------------------------------------------------------------------------------------
【Statement】I'm just a little rookie who picked up a few insights and would like to share them with everyone :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Unpacking. A PEiD scan reports: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo. Unpacked with the ESP trick.
Because the program carries overlay data, the overlay has to be appended to the unpacked executable with Overlay before it will run.
Scanning again with PEiD reports Microsoft Visual C++ 6.0, but it is actually an Easy Programming Language (易语言) program, since the EPL krnln library is visible while debugging.
2. Removing the debugger check. Load the CrackMe in OD and press F9 to run: both OD and the program get killed.
Reload with Ctrl+F2, type bp TerminateProcess in the command bar, press Enter, then F9 to run; it breaks immediately:
7C801E16 k>8BFF mov edi,edi ; breaks here
7C801E18 55 push ebp
7C801E19 8BEC mov ebp,esp
7C801E1B 837D 08 00 cmp dword ptr ss:[ebp+8],0
7C801E1F 75 09 jnz short kernel32.7C801E2A
7C801E21 6A 06 push 6
7C801E23 E8 98740000 call kernel32.7C8092C0
7C801E28 EB 1B jmp short kernel32.7C801E45
7C801E2A FF75 0C push dword ptr ss:[ebp+C]
7C801E2D FF75 08 push dword ptr ss:[ebp+8]
7C801E30 FF15 FC13807C call dword ptr ds:[<&ntdll.NtTe>; ntdll.ZwTerminateProcess
7C801E36 85C0 test eax,eax
Stack window hint:
0012FA5C 004225BF /CALL to TerminateProcess from Unpack.004225BA
0012FA60 00000148 |hProcess = 00000148 (window)
0012FA64 00000000 \ExitCode = 0
Right-click the first line above -- Follow in Disassembler, which lands here:
00422563 58 pop eax
00422564 8945 F8 mov dword ptr ss:[ebp-8],eax
00422567 68 92074200 push Unpack.00420792 ; ASCII "EXPLORER"
0042256C FF75 F8 push dword ptr ss:[ebp-8]
0042256F E8 19FDFFFF call Unpack.0042228D
00422574 83C4 08 add esp,8
00422577 83F8 00 cmp eax,0
0042257A 0F84 20000000 je Unpack.004225A0
00422580 68 9B074200 push Unpack.0042079B ; ASCII "CMD"
00422585 FF75 F8 push dword ptr ss:[ebp-8]
00422588 E8 00FDFFFF call Unpack.0042228D
0042258D 83C4 08 add esp,8
00422590 83F8 00 cmp eax,0
00422593 0F84 07000000 je Unpack.004225A0
00422599 B8 01000000 mov eax,1
0042259E EB 02 jmp short Unpack.004225A2
004225A0 33C0 xor eax,eax
004225A2 85C0 test eax,eax
004225A4 0F84 2C000000 je Unpack.004225D6
004225AA 8965 EC mov dword ptr ss:[ebp-14],esp
004225AD 68 00000000 push 0
004225B2 FF75 FC push dword ptr ss:[ebp-4]
004225B5 B8 05000000 mov eax,5
004225BA E8 35290000 call Unpack.00424EF4
004225BF 3965 EC cmp dword ptr ss:[ebp-14],esp ; lands here
004225C2 74 0D je short Unpack.004225D1
Search upward to 0042234A and set a breakpoint there with F2; Ctrl+F2 to reload, F9 to run, and it breaks immediately:
0042234A 55 push ebp ; F2 breakpoint here
0042234B 8BEC mov ebp,esp
0042234D 81EC 30000000 sub esp,30
00422353 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
Stack window hint:
0012FA9C 004221C0 RETURN to Unpack.004221C0 from Unpack.0042234A
Right-click the first line above -- Follow in Disassembler, which lands here:
004221B6 68 08000000 push 8
004221BB E8 8A010000 call Unpack.0042234A
004221C0 6A 00 push 0 ; return lands here
Search upward to 0042217C and set a breakpoint there with F2; Ctrl+F2 to reload, F9 to run, and it breaks immediately:
0042217C 55 push ebp ; F2 breakpoint here
0042217D 8BEC mov ebp,esp
0042217F 81EC 18000000 sub esp,18
00422185 68 08000000 push 8
0042218A E8 592D0000 call Unpack.00424EE8
0042218F 83C4 04 add esp,4
00422192 8945 FC mov dword ptr ss:[ebp-4],eax
00422195 8BD8 mov ebx,eax
00422197 C703 00000000 mov dword ptr ds:[ebx],0
0042219D C743 04 00000000 mov dword ptr ds:[ebx+4],0
004221A4 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
004221AB FF35 4021BD00 push dword ptr ds:[BD2140]
004221B1 68 01000000 push 1
004221B6 68 08000000 push 8
004221BB E8 8A010000 call Unpack.0042234A ; after stepping over this with F8, both OD and the program are closed: NOP it
004221C0 6A 00 push 0
After NOPing the call Unpack.0042234A at 004221BB, the program can be debugged in OD.
3. Tracing the algorithm. Load the patched CrackMe in OD, F9 to run, and enter the registration data:
==============================
Username: hrbx
E-Mail: hrbx@163.com
Machine code: 13046222237
Registration code: 1234567890
==============================
In OD, right-click -- Ultra String Reference, and search the ASCII strings:
================================================
00423FDF mov eax,Unpack.00420880 成功 ("success")
================================================
Double-click it to land here:
00423FDF B8 80084200 mov eax,Unpack.00420880 ; 成功 ("success")
00423FE4 50 push eax
00423FE5 8B5D D0 mov ebx,dword ptr ss:[ebp-30]
Search upward to 00423B97, set a breakpoint there with F2, then click the "OK" button; it breaks immediately:
00423B97 55 push ebp ; F2 breakpoint here
00423B98 8BEC mov ebp,esp
00423B9A 81EC 7C000000 sub esp,7C
00423BA0 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
00423BA7 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
00423BAE C745 F4 00000000 mov dword ptr ss:[ebp-C],0
00423BB5 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
00423BBC C745 EC 00000000 mov dword ptr ss:[ebp-14],0
00423BC3 C745 E8 00000000 mov dword ptr ss:[ebp-18],0
00423BCA C745 E4 00000000 mov dword ptr ss:[ebp-1C],0
00423BD1 C745 E0 00000000 mov dword ptr ss:[ebp-20],0
00423BD8 C745 DC 00000000 mov dword ptr ss:[ebp-24],0
00423BDF C745 D8 00000000 mov dword ptr ss:[ebp-28],0
00423BE6 C745 D4 00000000 mov dword ptr ss:[ebp-2C],0
00423BED C745 D0 00000000 mov dword ptr ss:[ebp-30],0
00423BF4 C745 CC 00000000 mov dword ptr ss:[ebp-34],0
00423BFB C745 C8 00000000 mov dword ptr ss:[ebp-38],0
00423C02 C745 C4 00000000 mov dword ptr ss:[ebp-3C],0
00423C09 C745 C0 00000000 mov dword ptr ss:[ebp-40],0
00423C10 C745 BC 00000000 mov dword ptr ss:[ebp-44],0
00423C17 6A FF push -1
00423C19 6A 08 push 8
00423C1B 68 58000116 push 16010058
00423C20 68 01000152 push 52010001
00423C25 E8 E2120000 call Unpack.00424F0C
00423C2A 83C4 10 add esp,10
00423C2D 8945 B8 mov dword ptr ss:[ebp-48],eax ; username "hrbx"
00423C30 68 98054200 push Unpack.00420598
00423C35 FF75 B8 push dword ptr ss:[ebp-48]
00423C38 E8 50E6FFFF call Unpack.0042228D ; check whether the username is empty
00423C3D 83C4 08 add esp,8
00423C40 83F8 00 cmp eax,0
00423C43 B8 00000000 mov eax,0
00423C48 0F94C0 sete al
00423C4B 8945 B4 mov dword ptr ss:[ebp-4C],eax
00423C4E 8B5D B8 mov ebx,dword ptr ss:[ebp-48]
00423C51 85DB test ebx,ebx
00423C53 74 09 je short Unpack.00423C5E
00423C55 53 push ebx
00423C56 E8 87120000 call Unpack.00424EE2
00423C5B 83C4 04 add esp,4
00423C5E 837D B4 00 cmp dword ptr ss:[ebp-4C],0
00423C62 0F84 05000000 je Unpack.00423C6D
00423C68 E9 90040000 jmp Unpack.004240FD
00423C6D 6A FF push -1
00423C6F 6A 08 push 8
00423C71 68 57000116 push 16010057
00423C76 68 01000152 push 52010001
00423C7B E8 8C120000 call Unpack.00424F0C
00423C80 83C4 10 add esp,10
00423C83 8945 B8 mov dword ptr ss:[ebp-48],eax ; E-Mail: "hrbx@163.com"
00423C86 68 67084200 push Unpack.00420867 ; fixed string 1 "PYG@163.COM"
00423C8B FF75 B8 push dword ptr ss:[ebp-48]
00423C8E E8 FAE5FFFF call Unpack.0042228D ; check whether the E-Mail equals fixed string 1
00423C93 83C4 08 add esp,8
00423C96 83F8 00 cmp eax,0
00423C99 B8 00000000 mov eax,0
00423C9E 0F95C0 setne al
00423CA1 8945 B4 mov dword ptr ss:[ebp-4C],eax
00423CA4 8B5D B8 mov ebx,dword ptr ss:[ebp-48]
00423CA7 85DB test ebx,ebx
00423CA9 74 09 je short Unpack.00423CB4
00423CAB 53 push ebx
00423CAC E8 31120000 call Unpack.00424EE2
00423CB1 83C4 04 add esp,4
00423CB4 837D B4 00 cmp dword ptr ss:[ebp-4C],0
00423CB8 0F84 05000000 je Unpack.00423CC3 ; wrong E-Mail means game over: patch point 1, change to jmp
00423CBE E9 3A040000 jmp Unpack.004240FD
00423CC3 B8 73084200 mov eax,Unpack.00420873 ; fixed string 2 "PYG_"
00423CC8 50 push eax
00423CC9 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00423CCC 85DB test ebx,ebx
00423CCE 74 09 je short Unpack.00423CD9
00423CD0 53 push ebx
00423CD1 E8 0C120000 call Unpack.00424EE2
00423CD6 83C4 04 add esp,4
00423CD9 58 pop eax
00423CDA 8945 FC mov dword ptr ss:[ebp-4],eax
00423CDD 6A FF push -1
00423CDF 6A 08 push 8
00423CE1 68 58000116 push 16010058
00423CE6 68 01000152 push 52010001
00423CEB E8 1C120000 call Unpack.00424F0C
00423CF0 83C4 10 add esp,10
00423CF3 8945 B8 mov dword ptr ss:[ebp-48],eax ; username "hrbx"
00423CF6 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00423CF9 50 push eax
00423CFA 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
00423CFD 85DB test ebx,ebx
00423CFF 74 09 je short Unpack.00423D0A
00423D01 53 push ebx
00423D02 E8 DB110000 call Unpack.00424EE2
00423D07 83C4 04 add esp,4
00423D0A 58 pop eax
00423D0B 8945 F8 mov dword ptr ss:[ebp-8],eax
00423D0E 68 04000080 push 80000004
00423D13 6A 00 push 0
00423D15 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00423D18 85C0 test eax,eax
00423D1A 75 05 jnz short Unpack.00423D21
00423D1C B8 98054200 mov eax,Unpack.00420598
00423D21 50 push eax
00423D22 68 01000000 push 1
00423D27 BB 68010000 mov ebx,168
00423D2C E8 CF110000 call Unpack.00424F00
00423D31 83C4 10 add esp,10
00423D34 8945 B8 mov dword ptr ss:[ebp-48],eax
00423D37 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00423D3A 50 push eax
00423D3B 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
00423D3E 85DB test ebx,ebx
00423D40 74 09 je short Unpack.00423D4B
00423D42 53 push ebx
00423D43 E8 9A110000 call Unpack.00424EE2
00423D48 83C4 04 add esp,4
00423D4B 58 pop eax
00423D4C 8945 F4 mov dword ptr ss:[ebp-C],eax
00423D4F FF75 F4 push dword ptr ss:[ebp-C]
00423D52 68 73084200 push Unpack.00420873
00423D57 B9 02000000 mov ecx,2
00423D5C E8 61ECFFFF call Unpack.004229C2 ; concatenate fixed string 2 with the username
00423D61 83C4 08 add esp,8
00423D64 8945 B8 mov dword ptr ss:[ebp-48],eax
00423D67 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00423D6A 50 push eax
00423D6B 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00423D6E 85DB test ebx,ebx
00423D70 74 09 je short Unpack.00423D7B
00423D72 53 push ebx
00423D73 E8 6A110000 call Unpack.00424EE2
00423D78 83C4 04 add esp,4
00423D7B 58 pop eax
00423D7C 8945 FC mov dword ptr ss:[ebp-4],eax
00423D7F 8B45 FC mov eax,dword ptr ss:[ebp-4]
00423D82 50 push eax
00423D83 FF75 F8 push dword ptr ss:[ebp-8]
00423D86 E8 02E5FFFF call Unpack.0042228D ; check whether the first 4 characters of the concatenated string are "PYG_"
00423D8B 83C4 08 add esp,8
00423D8E 83F8 00 cmp eax,0
00423D91 0F84 05000000 je Unpack.00423D9C
00423D97 E9 00000000 jmp Unpack.00423D9C
00423D9C 6A FF push -1
00423D9E 6A 08 push 8
00423DA0 68 57000116 push 16010057
00423DA5 68 01000152 push 52010001
00423DAA E8 5D110000 call Unpack.00424F0C
00423DAF 83C4 10 add esp,10
00423DB2 8945 B8 mov dword ptr ss:[ebp-48],eax ; E-Mail: "hrbx@163.com"
00423DB5 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00423DB8 50 push eax
00423DB9 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
00423DBC 85DB test ebx,ebx
00423DBE 74 09 je short Unpack.00423DC9
00423DC0 53 push ebx
00423DC1 E8 1C110000 call Unpack.00424EE2
00423DC6 83C4 04 add esp,4
00423DC9 58 pop eax
00423DCA 8945 F0 mov dword ptr ss:[ebp-10],eax
00423DCD 68 04000080 push 80000004
00423DD2 6A 00 push 0
00423DD4 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00423DD7 85C0 test eax,eax
00423DD9 75 05 jnz short Unpack.00423DE0
00423DDB B8 98054200 mov eax,Unpack.00420598
00423DE0 50 push eax
00423DE1 68 01000000 push 1
00423DE6 BB 30010000 mov ebx,130
00423DEB E8 10110000 call Unpack.00424F00 ; get the E-Mail length
00423DF0 83C4 10 add esp,10
00423DF3 8945 EC mov dword ptr ss:[ebp-14],eax ; EAX=0xC (12)
00423DF6 68 00000000 push 0
00423DFB BB C4060000 mov ebx,6C4
00423E00 E8 FB100000 call Unpack.00424F00
00423E05 83C4 04 add esp,4
00423E08 8945 E8 mov dword ptr ss:[ebp-18],eax ; EAX=0x4DC2F49D (1304622237), the machine code
00423E0B 68 04000080 push 80000004
00423E10 6A 00 push 0
00423E12 8B45 FC mov eax,dword ptr ss:[ebp-4] ; string derived from the username: "PYG_hrbx"
00423E15 85C0 test eax,eax
00423E17 75 05 jnz short Unpack.00423E1E
00423E19 B8 98054200 mov eax,Unpack.00420598
00423E1E 50 push eax
00423E1F 68 01000000 push 1
00423E24 BB 30010000 mov ebx,130
00423E29 E8 D2100000 call Unpack.00424F00 ; get the length of "PYG_hrbx", EAX=0x8
00423E2E 83C4 10 add esp,10
00423E31 8945 E4 mov dword ptr ss:[ebp-1C],eax
00423E34 DB45 E4 fild dword ptr ss:[ebp-1C]
00423E37 DD5D B4 fstp qword ptr ss:[ebp-4C]
00423E3A DD45 B4 fld qword ptr ss:[ebp-4C] ; ss:[ebp-4C]=8.0, length of the transformed username
00423E3D DB45 EC fild dword ptr ss:[ebp-14]
00423E40 DD5D AC fstp qword ptr ss:[ebp-54] ; st=12.0, E-Mail length
00423E43 DC45 AC fadd qword ptr ss:[ebp-54] ; add the two
00423E46 DD5D A4 fstp qword ptr ss:[ebp-5C] ; st=20.0
00423E49 DD45 A4 fld qword ptr ss:[ebp-5C]
00423E4C E8 04E3FFFF call Unpack.00422155 ; convert the sum to an integer (hex representation)
00423E51 8945 E4 mov dword ptr ss:[ebp-1C],eax ; EAX=0x14
00423E54 68 01030080 push 80000301
00423E59 6A 00 push 0
00423E5B FF75 E8 push dword ptr ss:[ebp-18] ; ss:[ebp-18]=0x4DC2F49D (1304622237), machine code
00423E5E 68 01030080 push 80000301
00423E63 6A 00 push 0
00423E65 FF75 E4 push dword ptr ss:[ebp-1C] ; ss:[ebp-1C]=0x14, the sum
00423E68 68 02000000 push 2
00423E6D BB CC000000 mov ebx,0CC
00423E72 E8 89100000 call Unpack.00424F00 ; machine code xor sum
00423E77 83C4 1C add esp,1C
00423E7A 8945 E4 mov dword ptr ss:[ebp-1C],eax ; 0x4DC2F49D xor 0x14 = 0x4DC2F489
00423E7D 6A FF push -1 ; EAX=0x4DC2F489 (1304622217)
00423E7F 6A 08 push 8
00423E81 68 5F000116 push 1601005F
00423E86 68 01000152 push 52010001
00423E8B E8 7C100000 call Unpack.00424F0C
00423E90 83C4 10 add esp,10
00423E93 8945 B8 mov dword ptr ss:[ebp-48],eax ; registration code "1234567890"
00423E96 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00423E99 50 push eax
00423E9A 8B5D E0 mov ebx,dword ptr ss:[ebp-20]
00423E9D 85DB test ebx,ebx
00423E9F 74 09 je short Unpack.00423EAA
00423EA1 53 push ebx
00423EA2 E8 3B100000 call Unpack.00424EE2
00423EA7 83C4 04 add esp,4
00423EAA 58 pop eax
00423EAB 8945 E0 mov dword ptr ss:[ebp-20],eax
00423EAE 68 04000080 push 80000004
00423EB3 6A 00 push 0
00423EB5 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00423EB8 85C0 test eax,eax
00423EBA 75 05 jnz short Unpack.00423EC1
00423EBC B8 98054200 mov eax,Unpack.00420598
00423EC1 50 push eax
00423EC2 68 01000000 push 1
00423EC7 BB 64010000 mov ebx,164
00423ECC E8 2F100000 call Unpack.00424F00 ; convert the registration code to a real number
00423ED1 83C4 10 add esp,10
00423ED4 8945 AC mov dword ptr ss:[ebp-54],eax
00423ED7 8955 B0 mov dword ptr ss:[ebp-50],edx
00423EDA DD45 AC fld qword ptr ss:[ebp-54] ; ss:[ebp-54]=1234567890.0, registration code
00423EDD E8 73E2FFFF call Unpack.00422155 ; convert the registration code to an integer (hex representation)
00423EE2 8945 DC mov dword ptr ss:[ebp-24],eax ; EAX=0x499602D2
00423EE5 8145 DC 8E020000 add dword ptr ss:[ebp-24],28E ; registration code + 0x28E = 0x49960560 (1234568544)
00423EEC DB45 DC fild dword ptr ss:[ebp-24]
00423EEF DD5D B4 fstp qword ptr ss:[ebp-4C] ; st=1234568544.0
00423EF2 68 01060080 push 80000601
00423EF7 FF75 B8 push dword ptr ss:[ebp-48]
00423EFA FF75 B4 push dword ptr ss:[ebp-4C]
00423EFD 68 01000000 push 1
00423F02 BB 5C000000 mov ebx,5C
00423F07 E8 F40F0000 call Unpack.00424F00
00423F0C 83C4 10 add esp,10
00423F0F 8945 A4 mov dword ptr ss:[ebp-5C],eax
00423F12 8955 A8 mov dword ptr ss:[ebp-58],edx
00423F15 DD45 A4 fld qword ptr ss:[ebp-5C]
00423F18 E8 38E2FFFF call Unpack.00422155
00423F1D 8945 DC mov dword ptr ss:[ebp-24],eax
00423F20 68 04000080 push 80000004
00423F25 6A 00 push 0
00423F27 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00423F2A 85C0 test eax,eax
00423F2C 75 05 jnz short Unpack.00423F33
00423F2E B8 98054200 mov eax,Unpack.00420598
00423F33 50 push eax ; registration code "1234567890"
00423F34 68 01000000 push 1
00423F39 BB 30010000 mov ebx,130
00423F3E E8 BD0F0000 call Unpack.00424F00 ; get the registration code length
00423F43 83C4 10 add esp,10
00423F46 8945 D8 mov dword ptr ss:[ebp-28],eax ; EAX=0xA (10)
00423F49 DB45 D8 fild dword ptr ss:[ebp-28]
00423F4C DD5D B4 fstp qword ptr ss:[ebp-4C]
00423F4F DD45 B4 fld qword ptr ss:[ebp-4C]
00423F52 DC0D 78084200 fmul qword ptr ds:[420878] ; registration code length * 1979
00423F58 DD5D AC fstp qword ptr ss:[ebp-54]
00423F5B DB45 E8 fild dword ptr ss:[ebp-18]
00423F5E DD5D A4 fstp qword ptr ss:[ebp-5C] ; machine code: 1304622237
00423F61 DD45 A4 fld qword ptr ss:[ebp-5C] ; st=1304622237.0
00423F64 DB45 E4 fild dword ptr ss:[ebp-1C]
00423F67 DD5D 9C fstp qword ptr ss:[ebp-64] ; ss:[ebp-64]=0x4DC2F489, machine code xor sum
00423F6A DC45 9C fadd qword ptr ss:[ebp-64] ; machine code + (machine code xor sum)
00423F6D DC45 AC fadd qword ptr ss:[ebp-54] ; machine code + (machine code xor sum) + registration code length * 1979
00423F70 DD5D 94 fstp qword ptr ss:[ebp-6C] ; st=2609264244.0
00423F73 68 01060080 push 80000601
00423F78 FF75 98 push dword ptr ss:[ebp-68]
00423F7B FF75 94 push dword ptr ss:[ebp-6C]
00423F7E 68 01000000 push 1
00423F83 BB 64010000 mov ebx,164
00423F88 E8 730F0000 call Unpack.00424F00
00423F8D 83C4 10 add esp,10
00423F90 8945 84 mov dword ptr ss:[ebp-7C],eax
00423F93 8955 88 mov dword ptr ss:[ebp-78],edx
00423F96 DD45 84 fld qword ptr ss:[ebp-7C] ; ss:[ebp-7C]=2609264244.0
00423F99 E8 B7E1FFFF call Unpack.00422155 ; convert to a signed integer
00423F9E 8945 D4 mov dword ptr ss:[ebp-2C],eax ; EAX=0x9B863674 (-1685703052)
00423FA1 DB45 D4 fild dword ptr ss:[ebp-2C]
00423FA4 DD5D B4 fstp qword ptr ss:[ebp-4C] ; st=-1685703052.0
00423FA7 68 01060080 push 80000601
00423FAC FF75 B8 push dword ptr ss:[ebp-48]
00423FAF FF75 B4 push dword ptr ss:[ebp-4C]
00423FB2 68 01000000 push 1
00423FB7 BB 5C000000 mov ebx,5C
00423FBC E8 3F0F0000 call Unpack.00424F00 ; absolute value
00423FC1 83C4 10 add esp,10
00423FC4 8945 A4 mov dword ptr ss:[ebp-5C],eax
00423FC7 8955 A8 mov dword ptr ss:[ebp-58],edx
00423FCA DD45 A4 fld qword ptr ss:[ebp-5C] ; ss:[ebp-5C]=1685703052.0
00423FCD E8 83E1FFFF call Unpack.00422155 ; convert to an integer (hex representation)
00423FD2 8945 D4 mov dword ptr ss:[ebp-2C],eax ; EAX=0x6479C98C
00423FD5 837D D8 0A cmp dword ptr ss:[ebp-28],0A ; compare the registration code length with 0xA
00423FD9 0F8D 1F000000 jge Unpack.00423FFE ; jumps if greater or equal: patch point 2, change to jmp
00423FDF B8 80084200 mov eax,Unpack.00420880 ; 成功 ("success")
00423FE4 50 push eax
00423FE5 8B5D D0 mov ebx,dword ptr ss:[ebp-30]
00423FE8 85DB test ebx,ebx
00423FEA 74 09 je short Unpack.00423FF5
00423FEC 53 push ebx
00423FED E8 F00E0000 call Unpack.00424EE2
00423FF2 83C4 04 add esp,4
00423FF5 58 pop eax
00423FF6 8945 D0 mov dword ptr ss:[ebp-30],eax
00423FF9 E9 FF000000 jmp Unpack.004240FD
00423FFE 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; EAX=ss:[ebp-2C]=0x6479C98C
00424001 3945 DC cmp dword ptr ss:[ebp-24],eax ; compare with the value at ss:[ebp-24], ss:[ebp-24]=0x49960560 (1234568544)
00424004 0F85 22000000 jnz Unpack.0042402C ; not equal means game over: patch point 3, change to NOP
0042400A 6A 00 push 0
0042400C 68 01000000 push 1
00424011 6A FF push -1
00424013 6A 05 push 5
00424015 68 5B000116 push 1601005B
0042401A 68 01000152 push 52010001
0042401F E8 E20E0000 call Unpack.00424F06
00424024 83C4 18 add esp,18
00424027 E9 D1000000 jmp Unpack.004240FD
0042402C B8 80084200 mov eax,Unpack.00420880 ; 成功 ("success")
00424031 50 push eax
00424032 8B5D D0 mov ebx,dword ptr ss:[ebp-30]
00424035 85DB test ebx,ebx
00424037 74 09 je short Unpack.00424042
00424039 53 push ebx
0042403A E8 A30E0000 call Unpack.00424EE2
0042403F 83C4 04 add esp,4
00424042 58 pop eax
00424043 8945 D0 mov dword ptr ss:[ebp-30],eax
00424046 B8 85084200 mov eax,Unpack.00420885 ; 失败 ("failure")
-----------------------------------------------------------------------------------------------
【Summary】
1. The E-Mail must be fixed string 1 "PYG@163.COM"; let its length be N1.
2. Concatenate fixed string 2 "PYG_" with the username; let the length of the new string be N2.
3. Add the constant 0x28E to the registration code; call the result Num1.
4. Compute machine code + (machine code xor (N1+N2)) + registration code length * 1979, convert the result to a signed integer and take its absolute value; call the result Num2.
5. If Num1 equals Num2, registration succeeds.
A working set of registration data:
==============================
Username: hrbx
E-Mail: PYG@163.COM
Machine code: 13046222237
Registration code: 1685702393
==============================
To patch instead, change the following locations:
00423CB8 je Unpack.00423CC3 ; je====>jmp
00423FD9 jge Unpack.00423FFE ; jge===>jmp
00424004 jnz Unpack.0042402C ; jnz===>Nop
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!
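The check summarised in the five steps above, re-implemented as an added Python example (my own code, not the CrackMe's) so that the registration data listed can be verified against it. The machine code is the value 0x4DC2F49D = 1304622237 shown in the listing, the constants are the ones in the listing, and all function and variable names are mine.

```python
# Added example: re-implementation of the registration check traced above.
# Function and variable names are my own, not the CrackMe's.

FIXED_EMAIL = "PYG@163.COM"   # fixed string 1 at 00420867
NAME_PREFIX = "PYG_"          # fixed string 2 at 00420873
SERIAL_ADDEND = 0x28E         # added to the registration code at 00423EE5
LENGTH_FACTOR = 1979          # multiplier applied at 00423F52
MIN_SERIAL_LEN = 10           # length compared with 0xA at 00423FD5


def to_signed32(value: int) -> int:
    """Mimic the real-number -> signed 32-bit conversion at 00423F99."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def expected_num2(username: str, email: str, machine_code: int, serial: str) -> int:
    """Num2: |signed32(mc + (mc xor (N1 + N2)) + len(serial) * 1979)|."""
    n1 = len(email)                       # N1: E-Mail length
    n2 = len(NAME_PREFIX + username)      # N2: length of "PYG_" + username
    total = machine_code + (machine_code ^ (n1 + n2)) + len(serial) * LENGTH_FACTOR
    return abs(to_signed32(total))


def check_registration(username: str, email: str, machine_code: int, serial: str) -> bool:
    """Return True when the CrackMe would accept this registration data."""
    if not username:                      # empty username is rejected (00423C38)
        return False
    if email != FIXED_EMAIL:              # E-Mail must equal fixed string 1 (00423C8E)
        return False
    if not serial.isdigit():              # the code is converted to a number (00423ECC)
        return False
    if len(serial) < MIN_SERIAL_LEN:      # shorter codes never reach the compare (00423FD9)
        return False
    num1 = int(serial) + SERIAL_ADDEND    # Num1
    num2 = expected_num2(username, email, machine_code, serial)
    return num1 == num2                   # the compare at 00424001


if __name__ == "__main__":
    # Inputs taken from the registration data listed above (machine code from the listing).
    print(check_registration("hrbx", "PYG@163.COM", 1304622237, "1685702393"))   # True
    print(check_registration("hrbx", "hrbx@163.com", 1304622237, "1234567890"))  # False
```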
[ This post was last edited by hrbx on 2007-6-22 20:28 ]
The algorithm of 3-1 is about the same; here is a screenshot. :)
爆风雨-->暴风雨
缨儿-->婴儿
:) Expert. Something to learn from. I only patched it (I don't understand the algorithm); now I'll study and analyse this algorithm properly.
Crouching tiger, hidden dragon......
OP is really strong~! Removing the anti-debugging, first time I've seen that~!
飞过海 is even stronger, to be able to write such an impressive CrackMe~!
Haven't studied for a long time, I've fallen so far behind.