Posting another simple crack
Target software: Cracking method: finding the registration code
Difficulty: beginner
Tools: PEiD 0.94, OllyDbg
First, check for a packer: none. Load the program in OD and search for the registration-failure string: it is there. Set a breakpoint at 00401064, reload, enter a trial serial, and execution breaks at 00401064:
00401064 . E8 C7010000 CALL ncrackme.00401230 ; step into
00401069 . 85C0 TEST EAX,EAX
0040106B . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040106D . 68 80504000 PUSH ncrackme.00405080 ; |ncrackme
00401072 . 75 1B JNZ SHORT ncrackme.0040108F ; |
00401074 . A1 B8564000 MOV EAX,DWORD PTR DS:[4056B8] ; |
00401079 . 68 64504000 PUSH ncrackme.00405064 ; |registration successful.
00401230 /$ 8B0D BC564000 MOV ECX,DWORD PTR DS:[4056BC]
00401236 |. 83EC 30 SUB ESP,30
00401239 |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
0040123D |. 53 PUSH EBX
0040123E |. 56 PUSH ESI
0040123F |. 8B35 94404000 MOV ESI,DWORD PTR DS:[<&USER32.GetDlgItemTextA>] ; USER32.GetDlgItemTextA
00401245 |. 6A 10 PUSH 10 ; /Count = 10 (16.)
00401247 |. 50 PUSH EAX ; |Buffer
00401248 |. 68 E8030000 PUSH 3E8 ; |ControlID = 3E8 (1000.)
0040124D |. 51 PUSH ECX ; |hWnd => 000E0496 (class='#32770',parent=000D0520)
0040124E |. 33DB XOR EBX,EBX ; |
00401250 |. FFD6 CALL ESI ; \GetDlgItemTextA
00401252 |. 83F8 03 CMP EAX,3 ; the name must be at least 3 characters (JNB)
00401255 |. 73 0B JNB SHORT ncrackme.00401262
00401257 |. 5E POP ESI
00401258 |. B8 01000000 MOV EAX,1
0040125D |. 5B POP EBX
0040125E |. 83C4 30 ADD ESP,30
00401261 |. C3 RETN
00401262 |> A1 BC564000 MOV EAX,DWORD PTR DS:[4056BC]
00401267 |. 8D5424 28 LEA EDX,DWORD PTR SS:[ESP+28]
0040126B |. 6A 10 PUSH 10
0040126D |. 52 PUSH EDX
0040126E |. 68 E9030000 PUSH 3E9
00401273 |. 50 PUSH EAX
00401274 |. FFD6 CALL ESI ; length of the trial serial
00401276 |. 0FBE4424 08 MOVSX EAX,BYTE PTR SS:[ESP+8] ; first letter of the name
0040127B |. 0FBE4C24 09 MOVSX ECX,BYTE PTR SS:[ESP+9] ; second letter
00401280 |. 99 CDQ
00401281 |. F7F9 IDIV ECX ; eax = eax / ecx (remainder in edx)
00401283 |. 8BCA MOV ECX,EDX ; ecx = edx
00401285 |. 83C8 FF OR EAX,FFFFFFFF ; eax = eax | ffffffff
00401288 |. 0FBE5424 0A MOVSX EDX,BYTE PTR SS:[ESP+A] ; third letter
0040128D |. 0FAFCA IMUL ECX,EDX ; ecx = ecx * edx
00401290 |. 41 INC ECX ; ecx = ecx + 1
00401291 |. 33D2 XOR EDX,EDX
00401293 |. F7F1 DIV ECX ; eax = eax / ecx
00401295 |. 50 PUSH EAX
00401296 |. E8 A5000000 CALL ncrackme.00401340
0040129B |. 83C4 04 ADD ESP,4
0040129E |. 33F6 XOR ESI,ESI
004012A0 |> E8 A5000000 /CALL ncrackme.0040134A ; the following computes a long string (16 letters); important
004012A5 |. 99 |CDQ
004012A6 |. B9 1A000000 |MOV ECX,1A
004012AB |. F7F9 |IDIV ECX ; eax = eax / ecx
004012AD |. 80C2 41 |ADD DL,41 ; dl = dl + 41
004012B0 |. 885434 18 |MOV BYTE PTR SS:[ESP+ESI+18],DL
004012B4 |. 46 |INC ESI
004012B5 |. 83FE 0F |CMP ESI,0F
004012B8 |.^ 72 E6 \JB SHORT ncrackme.004012A0
004012BA |. 57 PUSH EDI
004012BB |. 8D7C24 0C LEA EDI,DWORD PTR SS:[ESP+C]
004012BF |. 83C9 FF OR ECX,FFFFFFFF
004012C2 |. 33C0 XOR EAX,EAX
004012C4 |. 33F6 XOR ESI,ESI
004012C6 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004012C8 |. F7D1 NOT ECX
004012CA |. 49 DEC ECX
004012CB |. 74 59 JE SHORT ncrackme.00401326
004012CD |> 8A4434 0C /MOV AL,BYTE PTR SS:[ESP+ESI+C] ; take the name characters one by one
004012D1 |. C0F8 05 |SAR AL,5 ; al = al >> 5
004012D4 |. 0FBEC0 |MOVSX EAX,AL
004012D7 |. 8D1480 |LEA EDX,DWORD PTR DS:[EAX+EAX*4] ; edx = eax + eax*4
004012DA |. 8D04D0 |LEA EAX,DWORD PTR DS:[EAX+EDX*8] ; eax = eax + edx*8
004012DD |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; eax = eax + eax*2
004012E0 |. 85C0 |TEST EAX,EAX
004012E2 |. 7E 0A |JLE SHORT ncrackme.004012EE
004012E4 |. 8BF8 |MOV EDI,EAX
004012E6 |> E8 5F000000 |/CALL ncrackme.0040134A ; called eax times
004012EB |. 4F ||DEC EDI
004012EC |.^ 75 F8 |\JNZ SHORT ncrackme.004012E6
004012EE |> E8 57000000 |CALL ncrackme.0040134A
004012F3 |. 99 |CDQ
004012F4 |. B9 1A000000 |MOV ECX,1A ; ecx = 1a
004012F9 |. 8D7C24 0C |LEA EDI,DWORD PTR SS:[ESP+C]
004012FD |. F7F9 |IDIV ECX ; eax = eax / ecx
004012FF |. 0FBE4C34 2C |MOVSX ECX,BYTE PTR SS:[ESP+ESI+2C] ; one character of the trial serial
00401304 |. 80C2 41 |ADD DL,41 ; dl = dl + 41
00401307 |. 0FBEC2 |MOVSX EAX,DL ; eax = dl
0040130A |. 2BC1 |SUB EAX,ECX ; eax = eax - ecx
0040130C |. 885434 1C |MOV BYTE PTR SS:[ESP+ESI+1C],DL ; the dl stored here is the serial (its first four letters)
00401310 |. 99 |CDQ
00401311 |. 33C2 |XOR EAX,EDX
00401313 |. 83C9 FF |OR ECX,FFFFFFFF
00401316 |. 2BC2 |SUB EAX,EDX
00401318 |. 03D8 |ADD EBX,EAX
0040131A |. 33C0 |XOR EAX,EAX
0040131C |. 46 |INC ESI
0040131D |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
0040131F |. F7D1 |NOT ECX
00401321 |. 49 |DEC ECX ; loop count
00401322 |. 3BF1 |CMP ESI,ECX
00401324 |.^ 72 A7 \JB SHORT ncrackme.004012CD
00401326 |> 5F POP EDI
00401327 |. 8BC3 MOV EAX,EBX
00401329 |. 5E POP ESI
0040132A |. 5B POP EBX
0040132B |. 83C4 30 ADD ESP,30
0040132E \. C3 RETN
Algorithm: 1. From the user name, compute a 16-character string.
2. Compute the dl value and write it into the first four positions of that string; those first four characters are now the serial, and anything may be appended after them. (The computation is rather tedious.)
For example: name: tong
sn: MDED
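As an added example (not code from the original post or from the crackme itself), here is a C model of the routine at 00401230 rebuilt from the listing above. The bodies of ncrackme.00401340 and ncrackme.0040134A are not in the listing, so the model assumes they are the MSVC CRT srand()/rand(); all function names here are invented for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed C model of the check routine at ncrackme.00401230; not the
 * crackme's own source. ASSUMPTION: the callees at 00401340/0040134A, whose
 * bodies are not in the listing, behave like the MSVC CRT srand()/rand(). */
static uint32_t g_seed;
static void crt_srand(uint32_t s) { g_seed = s; }
static int crt_rand(void) {
    g_seed = g_seed * 214013u + 2531011u;
    return (int)((g_seed >> 16) & 0x7fff);
}

/* 00401276..00401293: seed = 0xFFFFFFFF / ((n[0] % n[1]) * n[2] + 1) */
uint32_t ncrackme_seed(const char *name) {
    int c0 = (int8_t)name[0], c1 = (int8_t)name[1], c2 = (int8_t)name[2];
    int ecx = (c0 % c1) * c2 + 1;        /* IDIV ECX; IMUL ECX,EDX; INC ECX */
    return 0xFFFFFFFFu / (uint32_t)ecx;  /* OR EAX,-1; XOR EDX,EDX; DIV ECX */
}

/* 004012D1..004012DD: rand() calls skipped per name character, (c >> 5) * 123 */
int ncrackme_skip(char c) {
    return ((int8_t)c >> 5) * 123;       /* SAR AL,5, then the LEA chain x5, x41, x3 */
}

/* Models 00401230. Returns 0 for "registration successful", else the sum of
 * |expected - entered| over the name (or 1 when the name is under 3 chars).
 * If out16 is non-NULL it receives the 16-byte scratch string the loops fill;
 * its first strlen(name) bytes are the serial the routine accepts. */
int ncrackme_check(const char *name, const char *serial, char *out16) {
    char n[16] = {0}, s[16] = {0}, buf[16] = {0};
    strncpy(n, name, 15); strncpy(s, serial, 15); /* GetDlgItemTextA, Count = 10h */
    size_t len = strlen(n);
    if (len < 3) return 1;               /* CMP EAX,3 / JNB */
    crt_srand(ncrackme_seed(n));
    for (int i = 0; i < 15; i++)         /* 004012A0 loop: CMP ESI,0F / JB */
        buf[i] = (char)('A' + crt_rand() % 26);
    int ebx = 0;
    for (size_t i = 0; i < len; i++) {   /* 004012CD loop, once per name char */
        for (int k = ncrackme_skip(n[i]); k > 0; k--) crt_rand(); /* TEST/JLE */
        char want = (char)('A' + crt_rand() % 26);
        buf[i] = want;                   /* MOV BYTE PTR [ESP+ESI+1C],DL */
        int diff = want - (int8_t)s[i];
        ebx += diff < 0 ? -diff : diff;  /* CDQ; XOR EAX,EDX; SUB EAX,EDX */
    }
    if (out16) memcpy(out16, buf, 16);
    return ebx;                          /* MOV EAX,EBX */
}

/* Round trip: derive the serial for a name, then feed it back. The extra
 * letters left in the 16-byte buffer exercise the "anything appended" case. */
int ncrackme_selftest(const char *name) {
    char want[16]; ncrackme_check(name, "", want);
    return ncrackme_check(name, want, NULL);   /* 0 == accepted */
}
```

Only the seed and skip-count arithmetic are fully determined by the listing; the letters the model produces depend on the PRNG assumption, so compare them against the binary before trusting them.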
[ This post was last edited by hongxin2005 on 2006-3-15 09:22 ]