moyer
Posted on 2006-6-9 23:07:25
Nice, learned something. Very good, the algorithm is quite unusual.
Enough said, here's a picture.
kplp
Posted on 2006-6-11 06:53:31
Thanks....
xiaoquzb
Posted on 2006-6-12 14:14:26
Not bad, thanks
eszwaq123
Posted on 2006-6-13 22:43:54
Spent ages on it; turns out it was hidden in that little spot a bit further up.
3536150740102F
41B454B0D0E5640
wxpcyc
Posted on 2006-6-16 06:28:46
Could everyone please explain the algorithm in detail!!!
hanxiucao
Posted on 2006-6-19 21:12:25
My skills aren't there yet, and I'm even worse at algorithms!
黑夜彩虹
Posted on 2006-6-26 16:24:40
:victory:
网游难民
Posted on 2006-7-4 02:12:41
:victory:
Still can't do the algorithm~~
Hehe~~
I need to study it~~
沙粒
Posted on 2006-8-3 13:38:34
Patching:
004011FC /75 1D jne short Crackme9.0040121B
change to
004011FC /74 1D je short Crackme9.0040121B
Tracing the code:
Set a breakpoint, item 0
Address=004010FF
Module=Crackme9
Active=Always
Disassembly=call <jmp.&USER32.GetDlgItemTextA>
Comment=get the text from the registration box
Serial: A8C562F6/40102F
Registration code: 789789789
004010FF E8 70010000 call <jmp.&USER32.GetDlgItemTextA> ; get the text from the registration box
00401104 803D AC304000 00 cmp byte ptr ds:[4030AC],0 ; is the registration box text empty?
0040110B 0F84 0A010000 je Crackme9.0040121B ; if so jump away, otherwise continue down
00401111 68 18304000 push Crackme9.00403018
00401116 68 AC304000 push Crackme9.004030AC
0040111B E8 A2010000 call <jmp.&KERNEL32.lstrcmpA> ; string compare
00401120 85C0 test eax,eax ; test eax
00401122 0F84 F3000000 je Crackme9.0040121B ; jump if equal
00401128 68 FA000000 push 0FA ;
0040112D 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA]
00401133 50 push eax ; eax=0012FA12
00401134 E8 83010000 call <jmp.&KERNEL32.RtlZeroMemory>
00401139 C785 06FFFFFF FA000000 mov dword ptr ss:[ebp-FA],0FA
00401143 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA]
00401149 50 push eax ; eax=0012FA12
0040114A 8D85 0AFFFFFF lea eax,dword ptr ss:[ebp-F6]
00401150 50 push eax
00401151 E8 48010000 call <jmp.&KERNEL32.GetComputerNameA>
00401156 A1 58304000 mov eax,dword ptr ds:[403058] ; first 8 digits of the serial loaded into eax=A8C562F6
0040115B 3185 0AFFFFFF xor dword ptr ss:[ebp-F6],eax
00401161 3185 0EFFFFFF xor dword ptr ss:[ebp-F2],eax
00401167 8B8D 06FFFFFF mov ecx,dword ptr ss:[ebp-FA] ; ecx=7c93056d
0040116D 8B85 0AFFFFFF mov eax,dword ptr ss:[ebp-F6] ; eax=A8C562F6
00401173 33D2 xor edx,edx
00401175 F7E1 mul ecx
00401177 0185 0AFFFFFF add dword ptr ss:[ebp-F6],eax ; eax=9d875bc12
0040117D 8395 0EFFFFFF 00 adc dword ptr ss:[ebp-F2],0 ; stack ss:[ebp-F2]=EBF027C7
00401184 FFB5 0EFFFFFF push dword ptr ss:[ebp-F2] ; stack ss:[ebp-F2]=EBF027C7 pushed (second half)
0040118A FFB5 0AFFFFFF push dword ptr ss:[ebp-F6] ; stack ss:[ebp-F6]=D875BC10 pushed (first half)
00401190 68 3E304000 push Crackme9.0040303E ; ASCII "%1X%1X"
00401195 68 5C304000 push Crackme9.0040305C ; ASCII "A8C562F640102F" serial
0040119A E8 C3000000 call <jmp.&USER32.wsprintfA> ; the two halves form the registration code
0040119F 83C4 10 add esp,10 ; esp=0012F8FC+10=12F90C
004011A2 68 FA000000 push 0FA
004011A7 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA]
004011AD 50 push eax ; eax=0012FA12
004011AE 6A FF push -1
004011B0 68 5C304000 push Crackme9.0040305C ; ASCII "A8C562F640102F"
004011B5 6A 00 push 0
004011B7 6A 00 push 0
004011B9 E8 F8000000 call <jmp.&KERNEL32.MultiByteToWideC>
004011BE 68 FA000000 push 0FA
004011C3 8D85 0CFEFFFF lea eax,dword ptr ss:[ebp-1F4]
004011C9 50 push eax
004011CA 6A FF push -1
004011CC 68 AC304000 push Crackme9.004030AC
004011D1 6A 00 push 0
004011D3 6A 00 push 0
004011D5 E8 DC000000 call <jmp.&KERNEL32.MultiByteToWideC>
004011DA 8D85 06FFFFFF lea eax,dword ptr ss:[ebp-FA] ; load the real code "D875BC10EBF027C7"
004011E0 A3 06314000 mov dword ptr ds:[403106],eax ; eax=D875BC10EBF027C7
004011E5 8D05 FC304000 lea eax,dword ptr ds:[4030FC]
004011EB 8D8D 0CFEFFFF lea ecx,dword ptr ss:[ebp-1F4] ; ecx=789789789
004011F1 51 push ecx ; push the trial code
004011F2 FF70 0A push dword ptr ds:[eax+A] ; push the real code
004011F5 E8 C8000000 call <jmp.&KERNEL32.lstrcmpA> ; compare the two codes
004011FA 85C0 test eax,eax ; eax=1
004011FC 75 1D jnz short Crackme9.0040121B ; if not 1 jump away; if 1 they are equal and execution continues down
004011FE 6A 10 push 10
00401200 E8 7B000000 call <jmp.&USER32.MessageBeep>
00401205 6A 00 push 0
00401207 68 00304000 push Crackme9.00403000
0040120C 68 09304000 push Crackme9.00403009
00401211 FF75 08 push dword ptr ss:[ebp+8]
00401214 E8 6D000000 call <jmp.&USER32.MessageBoxA>
00401219 EB 0F jmp short Crackme9.0040122A
0040121B 68 18304000 push Crackme9.00403018
00401220 6A 68 push 68
00401222 FF75 08 push dword ptr ss:[ebp+8]
00401225 E8 68000000 call <jmp.&USER32.SetDlgItemTextA> ; error dialog
0040122A B8 00000000 mov eax,0
Real code: D875BC10EBF027C7
There's still a lot I don't understand; experts, please advise!
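The arithmetic between 00401156 and 0040119A in the listing above, rewritten in C so each step can be checked against the annotated disassembly. This is an added example, not the crackme's own code: the computer name and the dword at 403058 are passed in as constructed parameters, and it assumes [ebp-FA] holds the name length after GetComputerNameA, as that API documents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rebuild of the Crackme9 derivation at 00401156-0040119A, read off the listing
 * above (added example, not the crackme's own code). Values the routine takes
 * from the system are parameters: name stands in for the GetComputerNameA buffer
 * at [ebp-F6]; serial_hi for the dword at 403058 (first 8 hex digits of the
 * serial, produced somewhere the listing does not show). Assumes [ebp-FA]
 * holds the name length after GetComputerNameA, as that API documents. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void crackme9_expected(const char *name, uint32_t serial_hi, char out[17])
{
    uint8_t buf[0xFA];                         /* RtlZeroMemory(ebp-FA, 0FA) */
    memset(buf, 0, sizeof buf);
    size_t len = strlen(name);
    if (len > 0xF5) len = 0xF5;                /* stay inside the local buffer */
    memcpy(buf, name, len);
    uint32_t lo = le32(buf) ^ serial_hi;       /* xor dword ptr [ebp-F6],eax */
    uint32_t hi = le32(buf + 4) ^ serial_hi;   /* xor dword ptr [ebp-F2],eax */
    uint32_t ecx = (uint32_t)len;              /* mov ecx,[ebp-FA] : name length */
    uint64_t prod = (uint64_t)lo * ecx;        /* mul ecx -> edx:eax, edx is dropped */
    uint64_t sum = (uint64_t)lo + (uint32_t)prod;
    lo = (uint32_t)sum;                        /* add [ebp-F6],eax */
    hi += (uint32_t)(sum >> 32);               /* adc [ebp-F2],0 : only the carry */
    snprintf(out, 17, "%X%X", (unsigned)lo, (unsigned)hi); /* wsprintfA "%1X%1X" */
}

/* The lstrcmpA at 004011F5 as a plain byte compare; the MultiByteToWideChar
 * round trip the listing performs before it is not reproduced. */
int crackme9_check(const char *name, uint32_t serial_hi, const char *entered)
{
    char expected[17];
    crackme9_expected(name, serial_hi, expected);
    return strcmp(expected, entered) == 0;
}

int main(void)
{
    char code[17];
    crackme9_expected("PC", 0x60000000u, code);  /* constructed sample inputs */
    printf("name PC, serial dword 60000000 -> %s\n", code);
    return 0;
}
```

With the constructed name "PC" and serial dword 60000000 the add at 00401177 carries, so the adc is what turns the upper half from 60000000 into 60000001.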
xyyh816
Posted on 2007-1-16 09:18:32
Downloaded it to study, many thanks :P