Two CrackMes dedicated to PYG 5.4 Crackers! ---- By PiaoYun[PYG]
The program will tell you what to do~~~ hehe~~ basically it's a jump-patching job~
PYG members may not give hints for 10 days

Quote (original post by 飘云, 2006-5-31 01:04):
The program will tell you what to do~~~
Hehe~~ basically it's a jump-patching job~
Members may not give hints for 10 days
So touched!
Thanks boss!
+++++++++++++++++++++
If I remember right, it's about running the program multiple times...
[Last edited by 野猫III on 2006-5-31 18:26]
Hehe, good stuff........
Thanks boss, off to work on it!
Got the second one solved.............
Thanks boss, downloading to play with them.
I'll post a CrackMe #3 For PYG5.4 Cracker of my own ;/:D it may differ a bit from the requirements.
* Reference To: kernel32.kernel32.dll, Ord:748Dh
|
:00401020 FF1508504000 Call dword ptr
:00401026 8BF0 mov esi, eax
:00401028 85F6 test esi, esi
:0040102A 7421 je 0040104D //nop this out
* Reference To: kernel32.kernel32.dll, Ord:C95Fh
|
:0040102C FF1504504000 Call dword ptr
:00401032 3DB7000000 cmp eax, 000000B7
:00401037 7414 je 0040104D //nop this out
:00401039 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"CrackMe #3 For PYG5.4 Cracker"
|
:0040103B 685C604000 push 0040605C
* Possible StringData Ref from Data Obj ->"要求:利用Loader技术使程序可以同时运行多个"
|
:00401040 6830604000 push 00406030
:00401045 6A00 push 00000000
* Reference To: kernel32.kernel32.dll, Ord:0000h
|
:00401047 FF15A8504000 Call dword ptr
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040102A(C), :00401037(C)
|
:0040104D 56 push esi
* Reference To: kernel32.kernel32.dll, Ord:0000h
|
:0040104E FF1500504000 Call dword ptr
:00401054 5F pop edi
:00401055 83C8FF or eax, FFFFFFFF
:00401058 5E pop esi
:00401059 83C420 add esp, 00000020
:0040105C C21000 ret 0010
|
[Last edited by ZHOU2X on 2006-5-31 13:10]

Quote (original post by ZHOU2X, 2006-5-31 12:47):
I'll post a CrackMe #3 For PYG5.4 Cracker of my own ;/:D it may differ a bit from the requirements.
* Reference To: kernel32.kernel32.dll, Ord:748Dh
|
:00401020 FF1508504000 Call dwo ...
Only once you've posted the loader does it count as solved~~ ;P
I'm not asking you to unpack it and then crack it~~ hehe

CrackMe#2 For PYG5.4 Cracker: mine may also differ from the requirements.
The requirement is the SMC technique. But I still haven't figured it out: is the requirement to have the program execute code that releases the mutex so it can run multiple instances, or what!!
But as I see it, patching the jump is still the simplest!
0044DE84 > $55 push ebp
0044DE85 .8BEC mov ebp, esp
0044DE87 .83C4 F0 add esp, -10
0044DE8A .53 push ebx
0044DE8B .B8 9CDC4400 mov eax, 0044DC9C ;<
0044DE90 .E8 337DFBFF call 00405BC8 ;//get handle
0044DE95 .A1 C8EF4400 mov eax,
0044DE9A .8B00 mov eax,
0044DE9C .E8 F3E4FFFF call 0044C394
0044DEA1 .68 00DF4400 push 0044DF00 ; /onlyone
0044DEA6 .6A 00 push 0 ; |Arg2 = 00000000
0044DEA8 .6A 00 push 0 ; |Arg1 = 00000000
0044DEAA .E8 197FFBFF call 00405DC8 ; \//create a mutex so the program can only run once
0044DEAF .8BD8 mov ebx, eax
0044DEB1 .85DB test ebx, ebx
0044DEB3 .74 42 je short 0044DEF7
0044DEB5 .85DB test ebx, ebx
0044DEB7 .74 14 je short 0044DECD
0044DEB9 .E8 AA7FFBFF call <jmp.&kernel32.GetLastError> ; [GetLastError
0044DEBE .3D B7000000 cmp eax, 0B7
0044DEC3 .75 08 jnz short 0044DECD
0044DEC5 $53 push ebx ; /hObject
0044DEC6 .E8 D57EFBFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
0044DECB EB 2A jmp short 0044DEF7 ;//to patch it, just make this jump go to the next line and you're done
//The code above means: if the program detects it is already running, it jumps to 0044DEF7 (continuing down from there is the program exit)
0044DECD 8B0D A4F04400 mov ecx, ;TEST.00450BD4
0044DED3 .A1 C8EF4400 mov eax,
0044DED8 .8B00 mov eax,
0044DEDA .8B15 18DA4400 mov edx, ;TEST.0044DA64
0044DEE0 .E8 C7E4FFFF call 0044C3AC ;//step in to remove the message box, hehe. Tracing here always flies off; address 004450A1
0044DEE5 .A1 C8EF4400 mov eax,
0044DEEA .8B00 mov eax,
0044DEEC .E8 3BE5FFFF call 0044C42C ;//stepped into this one and had a look; maybe there are many check conditions or something. Traced to the end and still didn't figure it out
0044DEF1 .53 push ebx ; /hObject
0044DEF2 .E8 A97EFBFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
0044DEF7 >5B pop ebx
0044DEF8 .E8 235EFBFF call 00403D20 //performs the program exit; if using the SMC technique, this is probably where to do the work!
0044DEFD .0000 add , al
0044DEFF .004F 6E add , cl
0044DF02 .6C ins byte ptr es:, dx
0044DF03 .79 4F jns short 0044DF54
0044DF05 .6E outs dx, byte ptr es:
0044DF06 .65:0000 add gs:, al
0044DF09 .0000 add , al
0044DF0B .0000 add , al
0044DF0D .0000 add , al
0044DF0F .0000 add , al
SMC for "CrackMe#2 For PYG5.4 Cracker.exe"
Packer check: ASPack 2.12 -> Alexey Solodovnikov
Load in OD, it stops at the entry point:
00461001 >60 pushad ; f8
00461002 E8 03000000 call 0046100A ; hr esp + F9
00461007- E9 EB045D45 jmp 45A314F7
0046100C 55 push ebp
0046100D C3 retn
0046100E E8 01000000 call 00461014
Reaching here:
004613AF 61 popad ; the packer has fully unpacked at this point
004613B0 75 08 jnz short 004613BA ; patch location chosen here
004613B2 B8 01000000 mov eax, 1
004613B7 C2 0C00 retn 0C
004613BA 68 84DE4400 push 0044DE84
Make the following modification:
004613B0 /E9 5C190000 jmp 00462D11 ; jump to the patch data at 00462D11
004613B5 |90 nop
004613B6 |90 nop
004613B7 |90 nop
004613B8 |90 nop
004613B9 |90 nop
004613BA |68 84DE4400 push 0044DE84
004613BF |C3 retn
Write the following code at 00462D11:
00462D11 66:C705 DCDB4400 9090 mov word ptr , 9090
00462D1A C705 DEDB4400 90909090 mov dword ptr , 90909090
00462D24 C705 E3DB4400 90909090 mov dword ptr , 90909090
00462D2E 66:C705 E8DB4400 9090 mov word ptr , 9090
00462D37 C705 EADB4400 90909090 mov dword ptr , 90909090; remove the message box
00462D41 C705 A1DE4400 68000044 mov dword ptr , 44000068 ; remove the single-instance restriction
00462D4B^ E9 6AE6FFFF jmp 004613BA ; return to the OEP
Not sure whether this counts as done?
[Last edited by wzwgp on 2006-6-1 23:56]