ECX=00000005
Jump from 004015B9
0040162B  74 07  JE SHORT CrackMe.00401634   ; apparently the patched bytes (74 = JE); the listing below has JNZ (75) at 0040162B = patch point B
004015B9  75 2B  JNZ SHORT CrackMe.004015E6  ; apparently the patched bytes (75 = JNZ); the listing below has JE (74) at 004015B9 = the length check
现在还没入门,正在学习如何下断点,,谢谢楼主提供的练习题! LZ
能把CM的源码贴出来吗?
学习一下,谢谢 老贴子又顶上来了....
00401480SUB ESP,2C
; ---- CrackMe button handler at 00401480 (MFC42, __thiscall: ECX = this) ----
; NOTE(review): the forum extraction dropped the bracketed part of every memory
; operand, so "DWORD PTR SS:" / "BYTE PTR DS:" below lack their "[ESP+xx]" / "[EAX]"
; text; the comments name what each slot holds as far as the data flow shows it.
; Flow: two new(0x64) buffers <- GetWindowTextA of control 0x3EA (name) and 0x3EB
; (serial); each is copied to a heap block of strlen+1 bytes; strlen(name) must be
; 0xC; then name[i] += T[i] (T = "yangbing1990") and the 12 result bytes are
; compared with serial[0..11]; 12 matches -> "Win", otherwise "Lost".
; Caveat: the compare loop at 0040160F always reads 12 bytes of the serial copy,
; which was allocated as strlen(serial)+1 (004014E5..004014F1); a serial shorter
; than 11 bytes is therefore read past its allocation (heap over-read; probably
; benign under the MFC42 allocator, but undefined behaviour).
00401483PUSH EBX
00401484PUSH EBP
00401485PUSH ESI
00401486PUSH EDI
00401487MOV EDI,ECX ;EDI = this
00401489PUSH 64 ;size 0x64 (100)
0040148BMOV DWORD PTR SS:,EDI ;save this in a stack slot
0040148FCALL <JMP.&MFC42.#??2@YAPAXI@Z_823> ;operator new(0x64)
00401494PUSH 64
00401496MOV EBX,EAX ;EBX = name buffer (100 bytes)
00401498CALL <JMP.&MFC42.#??2@YAPAXI@Z_823> ;operator new(0x64)
0040149DADD ESP,8
004014A0MOV ESI,EAX ;ESI = serial buffer (100 bytes)
004014A2MOV ECX,EDI ;this
004014A4MOV DWORD PTR SS:,ESI ;save serial-buffer ptr
004014A8PUSH 64 ;nMaxCount = 100
004014AAPUSH EBX ;lpszString = name buffer
004014ABPUSH 3EA ;control ID 0x3EA (name edit)
004014B0CALL <JMP.&MFC42.#?GetDlgItem@CWnd@@QBEPAV1@H@Z_3092>
004014B5MOV ECX,EAX ;CWnd* of the edit control
004014B7CALL <JMP.&MFC42.#?GetWindowTextA@CWnd@@QBEHPADH@Z_38> ;name <- edit text (bounded to 100 incl. NUL)
004014BCPUSH 64 ;nMaxCount = 100
004014BEPUSH ESI ;lpszString = serial buffer
004014BFPUSH 3EB ;control ID 0x3EB (serial edit)
004014C4MOV ECX,EDI ;this
004014C6CALL <JMP.&MFC42.#?GetDlgItem@CWnd@@QBEPAV1@H@Z_3092>
004014CBMOV ECX,EAX
004014CDCALL <JMP.&MFC42.#?GetWindowTextA@CWnd@@QBEHPADH@Z_38> ;serial <- edit text
004014D2MOV EDI,EBX ;inlined strlen(name): REPNE SCASB
004014D4OR ECX,FFFFFFFF
004014D7XOR EAX,EAX
004014D9REPNE SCAS BYTE PTR ES:
004014DBNOT ECX ;ECX = strlen(name)+1
004014DDPUSH ECX
004014DECALL <JMP.&MFC42.#??2@YAPAXI@Z_823> ;operator new(strlen(name)+1)
004014E3MOV EBP,EAX ;EBP = heap copy of name (turned into the key later)
004014E5MOV EDI,ESI ;inlined strlen(serial)
004014E7OR ECX,FFFFFFFF
004014EAXOR EAX,EAX
004014ECREPNE SCAS BYTE PTR ES:
004014EENOT ECX ;ECX = strlen(serial)+1
004014F0PUSH ECX
004014F1CALL <JMP.&MFC42.#??2@YAPAXI@Z_823> ;operator new(strlen(serial)+1) -- sized by the typed serial, see caveat above
004014F6MOV ECX,DWORD PTR DS: ;copy T = "yangbing1990" (3 dwords + NUL) onto the stack
004014FCMOV EDX,EAX ;EDX = heap copy of serial
004014FEMOV EAX,DWORD PTR DS: ;constant "yangbing1990"
00401503MOV DWORD PTR SS:,ECX
00401507MOV CL,BYTE PTR DS:
0040150DMOV DWORD PTR SS:,EAX
00401511MOV EAX,DWORD PTR DS:
00401516MOV BYTE PTR SS:,CL ;terminating NUL of T
0040151AMOV DWORD PTR SS:,EAX
0040151EMOV EDI,EBX ;name
00401520OR ECX,FFFFFFFF
00401523XOR EAX,EAX
00401525MOV BYTE PTR SS:,57 ;"Win" built byte-wise on the stack: 'W'
0040152AMOV BYTE PTR SS:,69 ;'i'
0040152FMOV BYTE PTR SS:,6E ;'n'
00401534MOV BYTE PTR SS:,0 ;NUL
00401539MOV BYTE PTR SS:,4C ;"Lost": 'L'
0040153EMOV BYTE PTR SS:,6F ;'o'
00401543MOV BYTE PTR SS:,73 ;'s'
00401548MOV BYTE PTR SS:,74 ;'t'
0040154DMOV BYTE PTR SS:,0 ;NUL
00401552MOV DWORD PTR SS:,EDX ;save serial-copy ptr
00401556REPNE SCAS BYTE PTR ES: ;strlen(name) again (EDI/ECX/EAX set at 0040151E..00401523)
00401558NOT ECX ;ECX = strlen(name)+1
0040155ASUB EDI,ECX ;EDI back to start of name
0040155CMOV DWORD PTR SS:,0 ;match counter = 0
00401564MOV EAX,ECX
00401566MOV ESI,EDI ;src = name
00401568MOV EDI,EBP ;dst = heap copy
0040156ASHR ECX,2
0040156DREP MOVS DWORD PTR ES:,DWORD PTR DS: ;inlined memcpy, dword part
0040156FMOV ECX,EAX
00401571XOR EAX,EAX
00401573AND ECX,3
00401576REP MOVS BYTE PTR ES:,BYTE PTR DS: ;remaining 0-3 bytes
00401578MOV EDI,DWORD PTR SS: ;serial buffer
0040157COR ECX,FFFFFFFF
0040157FREPNE SCAS BYTE PTR ES:
00401581NOT ECX ;ECX = strlen(serial)+1
00401583SUB EDI,ECX ;EDI back to start of serial
00401585PUSH EBX ; /block = name buffer (freed after the copy below)
00401586MOV EAX,ECX ; |
00401588MOV ESI,EDI ; | src = serial buffer
0040158AMOV EDI,EDX ; | dst = heap copy of serial
0040158CSHR ECX,2 ; |
0040158FREP MOVS DWORD PTR ES:,DWORD PTR DS: ; | inlined memcpy
00401591MOV ECX,EAX ; |
00401593AND ECX,3 ; |
00401596REP MOVS BYTE PTR ES:,BYTE PTR DS: ; |
00401598CALL <JMP.&MFC42.#??3@YAXPAX@Z_825> ; \free  operator delete(name buffer)
0040159DMOV ECX,DWORD PTR SS: ;serial buffer
004015A1PUSH ECX ; /block
004015A2CALL <JMP.&MFC42.#??3@YAXPAX@Z_825> ; \free  operator delete(serial buffer)
004015A7MOV EDI,EBP ;inlined strlen(name copy)
004015A9OR ECX,FFFFFFFF
004015ACXOR EAX,EAX ;EAX = 0 (still 0 when pushed at 004015BF/004015C4)
004015AEADD ESP,10
004015B1REPNE SCAS BYTE PTR ES:
004015B3NOT ECX
004015B5DEC ECX ;ECX = strlen(name)
004015B6CMP ECX,0C ;name length must be 0xC (12)
004015B9JE SHORT CrackMe.004015E6 ;length OK -> key derivation and check
004015BBMOV ECX,DWORD PTR SS: ;this
004015BFPUSH EAX ;nType = 0
004015C0LEA EDX,DWORD PTR SS: ;message text in a stack slot (content not recoverable from this listing)
004015C4PUSH EAX ;lpszCaption = NULL
004015C5PUSH EDX ;lpszText
004015C6CALL <JMP.&MFC42.#?MessageBoxA@CWnd@@QAEHPBD0I@Z_4224> ;presumably the wrong-length notice
004015CBPUSH EBP ; /block
004015CCCALL <JMP.&MFC42.#??3@YAXPAX@Z_825> ; \free  delete name copy
004015D1MOV EAX,DWORD PTR SS:
004015D5PUSH EAX ; /block
004015D6CALL <JMP.&MFC42.#??3@YAXPAX@Z_825> ; \free  delete serial copy
004015DBADD ESP,8
004015DEPOP EDI
004015DFPOP ESI
004015E0POP EBP
004015E1POP EBX
004015E2ADD ESP,2C
004015E5RETN
004015E6LEA ECX,DWORD PTR SS: ; T = (ASCII "yangbing1990") on the stack
004015EAMOV EAX,EBP ;name copy (transformed in place)
004015ECSUB ECX,EBP ;ECX = T - name, so T[i] is at [ECX+EAX]
004015EEMOV ESI,0C ;12 iterations
004015F3MOV DL,BYTE PTR DS: ;DL = T[i]
004015F6MOV BL,BYTE PTR DS: ;BL = name[i]
004015F8ADD BL,DL ;name[i] + T[i], 8-bit add (wraps; can yield non-printable or NUL bytes)
004015FAMOV BYTE PTR DS:,BL ;store back in place: the name copy becomes the key
004015FCINC EAX ;next byte
004015FDDEC ESI
004015FEJNZ SHORT CrackMe.004015F3 ;loop 12 times
00401600MOV EDI,DWORD PTR SS: ;EDI = heap copy of the typed serial
00401604MOV EAX,EBP ;EAX = key
00401606MOV ECX,EDI ;serial
00401608MOV ESI,0C ;12 iterations, regardless of strlen(serial) -- see caveat above
0040160DSUB ECX,EBP ;ECX = serial - key, so serial[i] is at [ECX+EAX]
0040160FMOV DL,BYTE PTR DS: ;DL = key[i]
00401611MOV BL,BYTE PTR DS: ;BL = serial[i]
00401614CMP DL,BL ;byte-wise compare
00401616JNZ SHORT CrackMe.0040161C ;mismatch -> not counted; patch point A (NOP it and every byte "matches")
00401618INC DWORD PTR SS: ;match counter++
0040161CINC EAX ;next byte
0040161DDEC ESI
0040161EJNZ SHORT CrackMe.0040160F ;loop 12 times
00401620MOV EAX,DWORD PTR SS: ;EAX = match counter
00401624PUSH 0 ;nType = 0
00401626CMP EAX,0C ;all 12 bytes must match
00401629PUSH 0 ;lpszCaption = NULL
0040162BJNZ SHORT CrackMe.00401634 ;not all matched -> "Lost"; patch point B (75 JNZ -> 74 JE inverts the verdict)
0040162DLEA EAX,DWORD PTR SS: ;"Win"
00401631PUSH EAX ;lpszText
00401632JMP SHORT CrackMe.00401639
00401634LEA ECX,DWORD PTR SS: ;"Lost"
00401638PUSH ECX ;lpszText
00401639MOV ECX,DWORD PTR SS: ;this
0040163DCALL <JMP.&MFC42.#?MessageBoxA@CWnd@@QAEHPBD0I@Z_4224>;MessageBoxA(text, NULL, 0)
00401642PUSH EBP ; /block
00401643CALL <JMP.&MFC42.#??3@YAXPAX@Z_825> ; \free  delete key (name copy)
00401648PUSH EDI ; /block
00401649CALL <JMP.&MFC42.#??3@YAXPAX@Z_825> ; \free  delete serial copy
0040164EADD ESP,8
00401651POP EDI
00401652POP ESI
00401653POP EBP
00401654POP EBX
00401655ADD ESP,2C
00401658RETN
注册机代码 (keygen source):
//////////////////////////////////////////////////////////////////////////
/************************************************************************/
/* KeyGen.cpp */
/* Code By PiaoYun */
/* WWW.CHINAPYG.COM */
/* 2011-1-11 */
/************************************************************************/
#include <windows.h>
#include <iostream.h> /* pre-standard header kept from the original post; modern toolchains only provide <iostream> */
#include <cstddef>
#include <cstring>
#include <iostream>
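/*
 * Keygen for the CrackMe disassembled above.
 *
 * Algorithm (004015F3..004015FE in the listing): with T = "yangbing1990",
 * key[i] = name[i] + T[i] for i = 0..11 as an 8-bit add (wraps), and the name
 * must be exactly 12 (0xC) bytes long (CMP ECX,0C at 004015B6).
 *
 * NOTE(review): the forum extraction dropped the array subscripts of the
 * original source ("char szName = {0};", "szName + szT"), which as posted does
 * not compile; the buffer sizes and indexing below are restored from the
 * algorithm, not copied from the post. The original `cin>>szName` also had no
 * length limit, so a long name overflowed the stack buffer; the read is bounded.
 *
 * NOTE(review): because the add wraps, a key byte can fall outside printable
 * ASCII or even be 0x00 (e.g. 'z' + 'y' = 0xF3). Such a key cannot be typed
 * into the dialog, so the program warns instead of silently printing garbage.
 */
static const char kTable[] = "yangbing1990";
static const size_t kNameLen = 12;   /* 0xC, enforced by the CrackMe */
static const size_t kNameBuf = 100;  /* 0x64, same size as the CrackMe's new(0x64) buffers */

/*
 * Derive the key for `name` into `key` (must hold kNameLen + 1 bytes).
 * Returns true on success; false when name is null or not exactly kNameLen
 * bytes long (mirrors the CrackMe's length check). A 0x00 produced by the add
 * truncates the key when it is printed as a C string.
 */
static bool make_key(const char *name, char *key)
{
    if (!name || !key || strlen(name) != kNameLen)
        return false;
    for (size_t i = 0; i < kNameLen; ++i) {
        /* unsigned add, then truncate to 8 bits: same as ADD BL,DL in the target */
        unsigned sum = (unsigned char)name[i] + (unsigned char)kTable[i];
        key[i] = (char)(unsigned char)(sum & 0xFFu);
    }
    key[kNameLen] = '\0';
    return true;
}

/* True when every one of the kNameLen key bytes is printable ASCII (typeable into the dialog). */
static bool key_is_typeable(const char *key)
{
    for (size_t i = 0; i < kNameLen; ++i) {
        unsigned char c = (unsigned char)key[i];
        if (c < 0x20 || c > 0x7E)
            return false;
    }
    return true;
}

int main()
{
    char szName[kNameBuf] = {0};
    char szKey[kNameLen + 1] = {0};
    std::cout<<"**************************\n";
    std::cout<<"* Code By PiaoYun *\n";
    std::cout<<"* web:www.chinapyg.com *\n";
    std::cout<<"* date:2011-1-11 *\n";
    std::cout<<"**************************\n";
    std::cout<<"请输入12位长度的用户名:\n";
    /* bounded read into the fixed buffer; also keeps spaces, as GetWindowTextA would */
    std::cin.getline(szName, sizeof szName);
    if (make_key(szName, szKey)) {
        std::cout<<"注册码为:"<<szKey<<std::endl;
        if (!key_is_typeable(szKey))
            std::cout<<"(warning: key contains non-printable bytes and cannot be typed into the CrackMe)"<<std::endl;
    } else {
        std::cout<<"用户名长度不符合规则!"<<std::endl;
    }
    std::cout<<"***********************\n";
    return 0;
}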