- [Title] CrackMeIII By glts: simple algorithm analysis
- [Author] hrbx
- [Author homepage] hrbx.ys168.com
- [Author e-mail] [email protected]
- [Platform] WinXP
- [Tools] OllyDbg 1.10, PEiD
- [Date] 2007-06-22
- [Software] CrackMeIII
- [Size] 542KB
- [Download] https://www.chinapyg.com/viewthread.php?tid=1678
- [Packer] UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
- [Description] CrackMeIII By glts
- -----------------------------------------------------------------------------------------------
- [Statement] I'm just a newbie; I picked up a few insights and would like to share them :)
- -----------------------------------------------------------------------------------------------
- [Cracking process]
- 1. Unpacking. A PEiD scan shows: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]; unpack it with the ESP rule.
- Because the program carries appended data (an overlay), use Overlay to paste the appended data onto the unpacked program, after which it runs.
- Scanning again with PEiD shows: Microsoft Visual C++ 6.0 [Overlay]. It is actually an E-Language (易语言) program, because the E-Language krnln library can be seen while debugging.
- 2. Removing the debugger check. Load the CrackMe in OD and press F9 to run: both OD and the program get closed.
- Ctrl+F2 to reload the program, type in the command bar: bp TerminateProcess, press Enter, F9 to run, and it breaks immediately:
- 7C801E16 k> 8BFF mov edi,edi ; breaks here
- 7C801E18 55 push ebp
- 7C801E19 8BEC mov ebp,esp
- 7C801E1B 837D 08 00 cmp dword ptr ss:[ebp+8],0
- 7C801E1F 75 09 jnz short kernel32.7C801E2A
- 7C801E21 6A 06 push 6
- 7C801E23 E8 98740000 call kernel32.7C8092C0
- 7C801E28 EB 1B jmp short kernel32.7C801E45
- 7C801E2A FF75 0C push dword ptr ss:[ebp+C]
- 7C801E2D FF75 08 push dword ptr ss:[ebp+8]
- 7C801E30 FF15 FC13807C call dword ptr ds:[<&ntdll.NtTe>; ntdll.ZwTerminateProcess
- 7C801E36 85C0 test eax,eax
- Stack window hint:
- 0012FA5C 004225BF /CALL 到 TerminateProcess 来自 Unpack.004225BA
- 0012FA60 00000148 |hProcess = 00000148 (window)
- 0012FA64 00000000 \ExitCode = 0
- Right-click the first line above -- Follow in Disassembler, which lands here:
- 00422563 58 pop eax
- 00422564 8945 F8 mov dword ptr ss:[ebp-8],eax
- 00422567 68 92074200 push Unpack.00420792 ; ASCII "EXPLORER"
- 0042256C FF75 F8 push dword ptr ss:[ebp-8]
- 0042256F E8 19FDFFFF call Unpack.0042228D
- 00422574 83C4 08 add esp,8
- 00422577 83F8 00 cmp eax,0
- 0042257A 0F84 20000000 je Unpack.004225A0
- 00422580 68 9B074200 push Unpack.0042079B ; ASCII "CMD"
- 00422585 FF75 F8 push dword ptr ss:[ebp-8]
- 00422588 E8 00FDFFFF call Unpack.0042228D
- 0042258D 83C4 08 add esp,8
- 00422590 83F8 00 cmp eax,0
- 00422593 0F84 07000000 je Unpack.004225A0
- 00422599 B8 01000000 mov eax,1
- 0042259E EB 02 jmp short Unpack.004225A2
- 004225A0 33C0 xor eax,eax
- 004225A2 85C0 test eax,eax
- 004225A4 0F84 2C000000 je Unpack.004225D6
- 004225AA 8965 EC mov dword ptr ss:[ebp-14],esp
- 004225AD 68 00000000 push 0
- 004225B2 FF75 FC push dword ptr ss:[ebp-4]
- 004225B5 B8 05000000 mov eax,5
- 004225BA E8 35290000 call Unpack.00424EF4
- 004225BF 3965 EC cmp dword ptr ss:[ebp-14],esp ; we land here
- 004225C2 74 0D je short Unpack.004225D1
- Search upward to 0042234A and set a breakpoint with F2; Ctrl+F2 to reload the program, F9 to run, and it breaks immediately:
- 0042234A 55 push ebp ; F2 breakpoint here
- 0042234B 8BEC mov ebp,esp
- 0042234D 81EC 30000000 sub esp,30
- 00422353 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
- Stack window hint:
- 0012FA9C 004221C0 返回到 Unpack.004221C0 来自 Unpack.0042234A
- Right-click the first line above -- Follow in Disassembler, which lands here:
- 004221B6 68 08000000 push 8
- 004221BB E8 8A010000 call Unpack.0042234A
- 004221C0 6A 00 push 0 ; the return lands here
- Search upward to 0042217C and set a breakpoint with F2; Ctrl+F2 to reload the program, F9 to run, and it breaks immediately:
- 0042217C 55 push ebp ; F2 breakpoint here
- 0042217D 8BEC mov ebp,esp
- 0042217F 81EC 18000000 sub esp,18
- 00422185 68 08000000 push 8
- 0042218A E8 592D0000 call Unpack.00424EE8
- 0042218F 83C4 04 add esp,4
- 00422192 8945 FC mov dword ptr ss:[ebp-4],eax
- 00422195 8BD8 mov ebx,eax
- 00422197 C703 00000000 mov dword ptr ds:[ebx],0
- 0042219D C743 04 00000000 mov dword ptr ds:[ebx+4],0
- 004221A4 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
- 004221AB FF35 4021BD00 push dword ptr ds:[BD2140]
- 004221B1 68 01000000 push 1
- 004221B6 68 08000000 push 8
- 004221BB E8 8A010000 call Unpack.0042234A ; after stepping over this with F8, OD and the program are both closed, so NOP it
- 004221C0 6A 00 push 0
- After NOPing the call Unpack.0042234A at 004221BB, the program can be debugged in OD.
- 3. Tracing the algorithm. Load the modified CrackMe in OD, F9 to run, and enter the registration info:
- ==============================
- Username: hrbx
- E-Mail: [email protected]
- Machine code: 13046222237
- Registration code: 1234567890
- ==============================
- In OD, right-click -- Ultra String Reference and search for ASCII:
- ================================================
- 00423FDF mov eax,Unpack.00420880 成功
- ================================================
- Double-click to land here:
- 00423FDF B8 80084200 mov eax,Unpack.00420880 ; "成功" (success)
- 00423FE4 50 push eax
- 00423FE5 8B5D D0 mov ebx,dword ptr ss:[ebp-30]
- Search upward to 00423B97 and set a breakpoint with F2, then click the "OK" button; it breaks immediately:
- 00423B97 55 push ebp ; F2 breakpoint here
- 00423B98 8BEC mov ebp,esp
- 00423B9A 81EC 7C000000 sub esp,7C
- 00423BA0 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
- 00423BA7 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
- 00423BAE C745 F4 00000000 mov dword ptr ss:[ebp-C],0
- 00423BB5 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
- 00423BBC C745 EC 00000000 mov dword ptr ss:[ebp-14],0
- 00423BC3 C745 E8 00000000 mov dword ptr ss:[ebp-18],0
- 00423BCA C745 E4 00000000 mov dword ptr ss:[ebp-1C],0
- 00423BD1 C745 E0 00000000 mov dword ptr ss:[ebp-20],0
- 00423BD8 C745 DC 00000000 mov dword ptr ss:[ebp-24],0
- 00423BDF C745 D8 00000000 mov dword ptr ss:[ebp-28],0
- 00423BE6 C745 D4 00000000 mov dword ptr ss:[ebp-2C],0
- 00423BED C745 D0 00000000 mov dword ptr ss:[ebp-30],0
- 00423BF4 C745 CC 00000000 mov dword ptr ss:[ebp-34],0
- 00423BFB C745 C8 00000000 mov dword ptr ss:[ebp-38],0
- 00423C02 C745 C4 00000000 mov dword ptr ss:[ebp-3C],0
- 00423C09 C745 C0 00000000 mov dword ptr ss:[ebp-40],0
- 00423C10 C745 BC 00000000 mov dword ptr ss:[ebp-44],0
- 00423C17 6A FF push -1
- 00423C19 6A 08 push 8
- 00423C1B 68 58000116 push 16010058
- 00423C20 68 01000152 push 52010001
- 00423C25 E8 E2120000 call Unpack.00424F0C
- 00423C2A 83C4 10 add esp,10
- 00423C2D 8945 B8 mov dword ptr ss:[ebp-48],eax ; username "hrbx"
- 00423C30 68 98054200 push Unpack.00420598
- 00423C35 FF75 B8 push dword ptr ss:[ebp-48]
- 00423C38 E8 50E6FFFF call Unpack.0042228D ; check whether the username is empty
- 00423C3D 83C4 08 add esp,8
- 00423C40 83F8 00 cmp eax,0
- 00423C43 B8 00000000 mov eax,0
- 00423C48 0F94C0 sete al
- 00423C4B 8945 B4 mov dword ptr ss:[ebp-4C],eax
- 00423C4E 8B5D B8 mov ebx,dword ptr ss:[ebp-48]
- 00423C51 85DB test ebx,ebx
- 00423C53 74 09 je short Unpack.00423C5E
- 00423C55 53 push ebx
- 00423C56 E8 87120000 call Unpack.00424EE2
- 00423C5B 83C4 04 add esp,4
- 00423C5E 837D B4 00 cmp dword ptr ss:[ebp-4C],0
- 00423C62 0F84 05000000 je Unpack.00423C6D
- 00423C68 E9 90040000 jmp Unpack.004240FD
- 00423C6D 6A FF push -1
- 00423C6F 6A 08 push 8
- 00423C71 68 57000116 push 16010057
- 00423C76 68 01000152 push 52010001
- 00423C7B E8 8C120000 call Unpack.00424F0C
- 00423C80 83C4 10 add esp,10
- 00423C83 8945 B8 mov dword ptr ss:[ebp-48],eax ; E-Mail: "[email protected]"
- 00423C86 68 67084200 push Unpack.00420867 ; fixed string 1 "[email protected]"
- 00423C8B FF75 B8 push dword ptr ss:[ebp-48]
- 00423C8E E8 FAE5FFFF call Unpack.0042228D ; check whether the E-Mail matches fixed string 1
- 00423C93 83C4 08 add esp,8
- 00423C96 83F8 00 cmp eax,0
- 00423C99 B8 00000000 mov eax,0
- 00423C9E 0F95C0 setne al
- 00423CA1 8945 B4 mov dword ptr ss:[ebp-4C],eax
- 00423CA4 8B5D B8 mov ebx,dword ptr ss:[ebp-48]
- 00423CA7 85DB test ebx,ebx
- 00423CA9 74 09 je short Unpack.00423CB4
- 00423CAB 53 push ebx
- 00423CAC E8 31120000 call Unpack.00424EE2
- 00423CB1 83C4 04 add esp,4
- 00423CB4 837D B4 00 cmp dword ptr ss:[ebp-4C],0
- 00423CB8 0F84 05000000 je Unpack.00423CC3 ; a wrong E-Mail means game over; patch point 1, change to jmp
- 00423CBE E9 3A040000 jmp Unpack.004240FD
- 00423CC3 B8 73084200 mov eax,Unpack.00420873 ; fixed string 2 "PYG_"
- 00423CC8 50 push eax
- 00423CC9 8B5D FC mov ebx,dword ptr ss:[ebp-4]
- 00423CCC 85DB test ebx,ebx
- 00423CCE 74 09 je short Unpack.00423CD9
- 00423CD0 53 push ebx
- 00423CD1 E8 0C120000 call Unpack.00424EE2
- 00423CD6 83C4 04 add esp,4
- 00423CD9 58 pop eax
- 00423CDA 8945 FC mov dword ptr ss:[ebp-4],eax
- 00423CDD 6A FF push -1
- 00423CDF 6A 08 push 8
- 00423CE1 68 58000116 push 16010058
- 00423CE6 68 01000152 push 52010001
- 00423CEB E8 1C120000 call Unpack.00424F0C
- 00423CF0 83C4 10 add esp,10
- 00423CF3 8945 B8 mov dword ptr ss:[ebp-48],eax ; username "hrbx"
- 00423CF6 8B45 B8 mov eax,dword ptr ss:[ebp-48]
- 00423CF9 50 push eax
- 00423CFA 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
- 00423CFD 85DB test ebx,ebx
- 00423CFF 74 09 je short Unpack.00423D0A
- 00423D01 53 push ebx
- 00423D02 E8 DB110000 call Unpack.00424EE2
- 00423D07 83C4 04 add esp,4
- 00423D0A 58 pop eax
- 00423D0B 8945 F8 mov dword ptr ss:[ebp-8],eax
- 00423D0E 68 04000080 push 80000004
- 00423D13 6A 00 push 0
- 00423D15 8B45 F8 mov eax,dword ptr ss:[ebp-8]
- 00423D18 85C0 test eax,eax
- 00423D1A 75 05 jnz short Unpack.00423D21
- 00423D1C B8 98054200 mov eax,Unpack.00420598
- 00423D21 50 push eax
- 00423D22 68 01000000 push 1
- 00423D27 BB 68010000 mov ebx,168
- 00423D2C E8 CF110000 call Unpack.00424F00
- 00423D31 83C4 10 add esp,10
- 00423D34 8945 B8 mov dword ptr ss:[ebp-48],eax
- 00423D37 8B45 B8 mov eax,dword ptr ss:[ebp-48]
- 00423D3A 50 push eax
- 00423D3B 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
- 00423D3E 85DB test ebx,ebx
- 00423D40 74 09 je short Unpack.00423D4B
- 00423D42 53 push ebx
- 00423D43 E8 9A110000 call Unpack.00424EE2
- 00423D48 83C4 04 add esp,4
- 00423D4B 58 pop eax
- 00423D4C 8945 F4 mov dword ptr ss:[ebp-C],eax
- 00423D4F FF75 F4 push dword ptr ss:[ebp-C]
- 00423D52 68 73084200 push Unpack.00420873
- 00423D57 B9 02000000 mov ecx,2
- 00423D5C E8 61ECFFFF call Unpack.004229C2 ; concatenate fixed string 2 with the username
- 00423D61 83C4 08 add esp,8
- 00423D64 8945 B8 mov dword ptr ss:[ebp-48],eax
- 00423D67 8B45 B8 mov eax,dword ptr ss:[ebp-48]
- 00423D6A 50 push eax
- 00423D6B 8B5D FC mov ebx,dword ptr ss:[ebp-4]
- 00423D6E 85DB test ebx,ebx
- 00423D70 74 09 je short Unpack.00423D7B
- 00423D72 53 push ebx
- 00423D73 E8 6A110000 call Unpack.00424EE2
- 00423D78 83C4 04 add esp,4
- 00423D7B 58 pop eax
- 00423D7C 8945 FC mov dword ptr ss:[ebp-4],eax
- 00423D7F 8B45 FC mov eax,dword ptr ss:[ebp-4]
- 00423D82 50 push eax
- 00423D83 FF75 F8 push dword ptr ss:[ebp-8]
- 00423D86 E8 02E5FFFF call Unpack.0042228D ; check whether the first 4 characters of the concatenated string are "PYG_"
- 00423D8B 83C4 08 add esp,8
- 00423D8E 83F8 00 cmp eax,0
- 00423D91 0F84 05000000 je Unpack.00423D9C
- 00423D97 E9 00000000 jmp Unpack.00423D9C
- 00423D9C 6A FF push -1
- 00423D9E 6A 08 push 8
- 00423DA0 68 57000116 push 16010057
- 00423DA5 68 01000152 push 52010001
- 00423DAA E8 5D110000 call Unpack.00424F0C
- 00423DAF 83C4 10 add esp,10
- 00423DB2 8945 B8 mov dword ptr ss:[ebp-48],eax ; E-Mail: "[email protected]"
- 00423DB5 8B45 B8 mov eax,dword ptr ss:[ebp-48]
- 00423DB8 50 push eax
- 00423DB9 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
- 00423DBC 85DB test ebx,ebx
- 00423DBE 74 09 je short Unpack.00423DC9
- 00423DC0 53 push ebx
- 00423DC1 E8 1C110000 call Unpack.00424EE2
- 00423DC6 83C4 04 add esp,4
- 00423DC9 58 pop eax
- 00423DCA 8945 F0 mov dword ptr ss:[ebp-10],eax
- 00423DCD 68 04000080 push 80000004
- 00423DD2 6A 00 push 0
- 00423DD4 8B45 F0 mov eax,dword ptr ss:[ebp-10]
- 00423DD7 85C0 test eax,eax
- 00423DD9 75 05 jnz short Unpack.00423DE0
- 00423DDB B8 98054200 mov eax,Unpack.00420598
- 00423DE0 50 push eax
- 00423DE1 68 01000000 push 1
- 00423DE6 BB 30010000 mov ebx,130
- 00423DEB E8 10110000 call Unpack.00424F00 ; get the E-Mail length
- 00423DF0 83C4 10 add esp,10
- 00423DF3 8945 EC mov dword ptr ss:[ebp-14],eax ; EAX=0xC(12)
- 00423DF6 68 00000000 push 0
- 00423DFB BB C4060000 mov ebx,6C4
- 00423E00 E8 FB100000 call Unpack.00424F00
- 00423E05 83C4 04 add esp,4
- 00423E08 8945 E8 mov dword ptr ss:[ebp-18],eax ; EAX=0x4DC2F49D (1304622237), the machine code
- 00423E0B 68 04000080 push 80000004
- 00423E10 6A 00 push 0
- 00423E12 8B45 FC mov eax,dword ptr ss:[ebp-4] ; the string derived from the username, "PYG_hrbx"
- 00423E15 85C0 test eax,eax
- 00423E17 75 05 jnz short Unpack.00423E1E
- 00423E19 B8 98054200 mov eax,Unpack.00420598
- 00423E1E 50 push eax
- 00423E1F 68 01000000 push 1
- 00423E24 BB 30010000 mov ebx,130
- 00423E29 E8 D2100000 call Unpack.00424F00 ; get the length of "PYG_hrbx", EAX=0x8
- 00423E2E 83C4 10 add esp,10
- 00423E31 8945 E4 mov dword ptr ss:[ebp-1C],eax
- 00423E34 DB45 E4 fild dword ptr ss:[ebp-1C]
- 00423E37 DD5D B4 fstp qword ptr ss:[ebp-4C]
- 00423E3A DD45 B4 fld qword ptr ss:[ebp-4C] ; ss:[0012F454]=8.0, length of the transformed username
- 00423E3D DB45 EC fild dword ptr ss:[ebp-14]
- 00423E40 DD5D AC fstp qword ptr ss:[ebp-54] ; st=12.0, the E-Mail length
- 00423E43 DC45 AC fadd qword ptr ss:[ebp-54] ; add the two
- 00423E46 DD5D A4 fstp qword ptr ss:[ebp-5C] ; st=20.0
- 00423E49 DD45 A4 fld qword ptr ss:[ebp-5C]
- 00423E4C E8 04E3FFFF call Unpack.00422155 ; convert the sum to an integer (hex representation)
- 00423E51 8945 E4 mov dword ptr ss:[ebp-1C],eax ; EAX=0x14
- 00423E54 68 01030080 push 80000301
- 00423E59 6A 00 push 0
- 00423E5B FF75 E8 push dword ptr ss:[ebp-18] ; ss:[ebp-18]=0x4DC2F49D (1304622237), the machine code
- 00423E5E 68 01030080 push 80000301
- 00423E63 6A 00 push 0
- 00423E65 FF75 E4 push dword ptr ss:[ebp-1C] ; ss:[ebp-1C]=0x14, the sum
- 00423E68 68 02000000 push 2
- 00423E6D BB CC000000 mov ebx,0CC
- 00423E72 E8 89100000 call Unpack.00424F00 ; machine code xor sum
- 00423E77 83C4 1C add esp,1C
- 00423E7A 8945 E4 mov dword ptr ss:[ebp-1C],eax ; 0x4DC2F49D xor 0x14=0x4DC2F489
- 00423E7D 6A FF push -1 ; EAX=0x4DC2F489(1304622217)
- 00423E7F 6A 08 push 8
- 00423E81 68 5F000116 push 1601005F
- 00423E86 68 01000152 push 52010001
- 00423E8B E8 7C100000 call Unpack.00424F0C
- 00423E90 83C4 10 add esp,10
- 00423E93 8945 B8 mov dword ptr ss:[ebp-48],eax ; registration code "1234567890"
- 00423E96 8B45 B8 mov eax,dword ptr ss:[ebp-48]
- 00423E99 50 push eax
- 00423E9A 8B5D E0 mov ebx,dword ptr ss:[ebp-20]
- 00423E9D 85DB test ebx,ebx
- 00423E9F 74 09 je short Unpack.00423EAA
- 00423EA1 53 push ebx
- 00423EA2 E8 3B100000 call Unpack.00424EE2
- 00423EA7 83C4 04 add esp,4
- 00423EAA 58 pop eax
- 00423EAB 8945 E0 mov dword ptr ss:[ebp-20],eax
- 00423EAE 68 04000080 push 80000004
- 00423EB3 6A 00 push 0
- 00423EB5 8B45 E0 mov eax,dword ptr ss:[ebp-20]
- 00423EB8 85C0 test eax,eax
- 00423EBA 75 05 jnz short Unpack.00423EC1
- 00423EBC B8 98054200 mov eax,Unpack.00420598
- 00423EC1 50 push eax
- 00423EC2 68 01000000 push 1
- 00423EC7 BB 64010000 mov ebx,164
- 00423ECC E8 2F100000 call Unpack.00424F00 ; convert the registration code to a real number
- 00423ED1 83C4 10 add esp,10
- 00423ED4 8945 AC mov dword ptr ss:[ebp-54],eax
- 00423ED7 8955 B0 mov dword ptr ss:[ebp-50],edx
- 00423EDA DD45 AC fld qword ptr ss:[ebp-54] ; ss:[0012F44C]=1234567890.0, the registration code
- 00423EDD E8 73E2FFFF call Unpack.00422155 ; convert the registration code to an integer (hex representation)
- 00423EE2 8945 DC mov dword ptr ss:[ebp-24],eax ; EAX=0x499602D2
- 00423EE5 8145 DC 8E020000 add dword ptr ss:[ebp-24],28E ; registration code + 0x28E = 0x49960560 (1234568544)
- 00423EEC DB45 DC fild dword ptr ss:[ebp-24]
- 00423EEF DD5D B4 fstp qword ptr ss:[ebp-4C] ; st=1234568544.0
- 00423EF2 68 01060080 push 80000601
- 00423EF7 FF75 B8 push dword ptr ss:[ebp-48]
- 00423EFA FF75 B4 push dword ptr ss:[ebp-4C]
- 00423EFD 68 01000000 push 1
- 00423F02 BB 5C000000 mov ebx,5C
- 00423F07 E8 F40F0000 call Unpack.00424F00
- 00423F0C 83C4 10 add esp,10
- 00423F0F 8945 A4 mov dword ptr ss:[ebp-5C],eax
- 00423F12 8955 A8 mov dword ptr ss:[ebp-58],edx
- 00423F15 DD45 A4 fld qword ptr ss:[ebp-5C]
- 00423F18 E8 38E2FFFF call Unpack.00422155
- 00423F1D 8945 DC mov dword ptr ss:[ebp-24],eax
- 00423F20 68 04000080 push 80000004
- 00423F25 6A 00 push 0
- 00423F27 8B45 E0 mov eax,dword ptr ss:[ebp-20]
- 00423F2A 85C0 test eax,eax
- 00423F2C 75 05 jnz short Unpack.00423F33
- 00423F2E B8 98054200 mov eax,Unpack.00420598
- 00423F33 50 push eax ; registration code "1234567890"
- 00423F34 68 01000000 push 1
- 00423F39 BB 30010000 mov ebx,130
- 00423F3E E8 BD0F0000 call Unpack.00424F00 ; get the registration code length
- 00423F43 83C4 10 add esp,10
- 00423F46 8945 D8 mov dword ptr ss:[ebp-28],eax ; EAX=0xA(10)
- 00423F49 DB45 D8 fild dword ptr ss:[ebp-28]
- 00423F4C DD5D B4 fstp qword ptr ss:[ebp-4C]
- 00423F4F DD45 B4 fld qword ptr ss:[ebp-4C]
- 00423F52 DC0D 78084200 fmul qword ptr ds:[420878] ; registration code length * 1979
- 00423F58 DD5D AC fstp qword ptr ss:[ebp-54]
- 00423F5B DB45 E8 fild dword ptr ss:[ebp-18]
- 00423F5E DD5D A4 fstp qword ptr ss:[ebp-5C] ; machine code: 1304622237
- 00423F61 DD45 A4 fld qword ptr ss:[ebp-5C] ; st=1304622237.0
- 00423F64 DB45 E4 fild dword ptr ss:[ebp-1C]
- 00423F67 DD5D 9C fstp qword ptr ss:[ebp-64] ; ss:[ebp-64]=0x4DC2F489, machine code xor sum
- 00423F6A DC45 9C fadd qword ptr ss:[ebp-64] ; machine code + (machine code xor sum)
- 00423F6D DC45 AC fadd qword ptr ss:[ebp-54] ; machine code + (machine code xor sum) + registration code length * 1979
- 00423F70 DD5D 94 fstp qword ptr ss:[ebp-6C] ; st=2609264244.0
- 00423F73 68 01060080 push 80000601
- 00423F78 FF75 98 push dword ptr ss:[ebp-68]
- 00423F7B FF75 94 push dword ptr ss:[ebp-6C]
- 00423F7E 68 01000000 push 1
- 00423F83 BB 64010000 mov ebx,164
- 00423F88 E8 730F0000 call Unpack.00424F00
- 00423F8D 83C4 10 add esp,10
- 00423F90 8945 84 mov dword ptr ss:[ebp-7C],eax
- 00423F93 8955 88 mov dword ptr ss:[ebp-78],edx
- 00423F96 DD45 84 fld qword ptr ss:[ebp-7C] ; ss:[0012F420]=2609264244.0
- 00423F99 E8 B7E1FFFF call Unpack.00422155 ; convert to a signed integer
- 00423F9E 8945 D4 mov dword ptr ss:[ebp-2C],eax ; EAX=0x9B863674(-1685703052)
- 00423FA1 DB45 D4 fild dword ptr ss:[ebp-2C]
- 00423FA4 DD5D B4 fstp qword ptr ss:[ebp-4C] ; st=-1685703052.0
- 00423FA7 68 01060080 push 80000601
- 00423FAC FF75 B8 push dword ptr ss:[ebp-48]
- 00423FAF FF75 B4 push dword ptr ss:[ebp-4C]
- 00423FB2 68 01000000 push 1
- 00423FB7 BB 5C000000 mov ebx,5C
- 00423FBC E8 3F0F0000 call Unpack.00424F00 ; take the absolute value
- 00423FC1 83C4 10 add esp,10
- 00423FC4 8945 A4 mov dword ptr ss:[ebp-5C],eax
- 00423FC7 8955 A8 mov dword ptr ss:[ebp-58],edx
- 00423FCA DD45 A4 fld qword ptr ss:[ebp-5C] ; ss:[0012F440]=1685703052.0
- 00423FCD E8 83E1FFFF call Unpack.00422155 ; convert to an integer (hex representation)
- 00423FD2 8945 D4 mov dword ptr ss:[ebp-2C],eax ; EAX=0x6479C98C
- 00423FD5 837D D8 0A cmp dword ptr ss:[ebp-28],0A ; compare the registration code length with 0xA
- 00423FD9 0F8D 1F000000 jge Unpack.00423FFE ; jump if greater or equal; patch point 2, change to jmp
- 00423FDF B8 80084200 mov eax,Unpack.00420880 ; "成功" (success)
- 00423FE4 50 push eax
- 00423FE5 8B5D D0 mov ebx,dword ptr ss:[ebp-30]
- 00423FE8 85DB test ebx,ebx
- 00423FEA 74 09 je short Unpack.00423FF5
- 00423FEC 53 push ebx
- 00423FED E8 F00E0000 call Unpack.00424EE2
- 00423FF2 83C4 04 add esp,4
- 00423FF5 58 pop eax
- 00423FF6 8945 D0 mov dword ptr ss:[ebp-30],eax
- 00423FF9 E9 FF000000 jmp Unpack.004240FD
- 00423FFE 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; EAX=ss:[0012F470]=0x6479C98C
- 00424001 3945 DC cmp dword ptr ss:[ebp-24],eax ; compare with the value at ss:[ebp-24], ss:[0012F478]=0x49960560 (1234568544)
- 00424004 0F85 22000000 jnz Unpack.0042402C ; not equal means game over; patch point 3, change to NOP
- 0042400A 6A 00 push 0
- 0042400C 68 01000000 push 1
- 00424011 6A FF push -1
- 00424013 6A 05 push 5
- 00424015 68 5B000116 push 1601005B
- 0042401A 68 01000152 push 52010001
- 0042401F E8 E20E0000 call Unpack.00424F06
- 00424024 83C4 18 add esp,18
- 00424027 E9 D1000000 jmp Unpack.004240FD
- 0042402C B8 80084200 mov eax,Unpack.00420880 ; "成功" (success)
- 00424031 50 push eax
- 00424032 8B5D D0 mov ebx,dword ptr ss:[ebp-30]
- 00424035 85DB test ebx,ebx
- 00424037 74 09 je short Unpack.00424042
- 00424039 53 push ebx
- 0042403A E8 A30E0000 call Unpack.00424EE2
- 0042403F 83C4 04 add esp,4
- 00424042 58 pop eax
- 00424043 8945 D0 mov dword ptr ss:[ebp-30],eax
- 00424046 B8 85084200 mov eax,Unpack.00420885 ; "失败" (failure)
- -----------------------------------------------------------------------------------------------
- [Summary]
- 1. The E-Mail must equal fixed string 1 "[email protected]"; let its length be N1.
- 2. Concatenate fixed string 2 "PYG_" with the username; let the length of the new string be N2.
- 3. Add the constant 0x28E to the registration code; call the result Num1.
- 4. Compute machine code + (machine code xor (N1+N2)) + registration code length * 1979, convert the result to a signed integer and take its absolute value; call the result Num2.
- 5. If Num1 equals Num2, registration succeeds.
- A set of usable registration info:
- ==============================
- Username: hrbx
- E-Mail: [email protected]
- Machine code: 13046222237
- Registration code: 1685702393
- ==============================
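The five summary steps above, reimplemented in Python so the trace values can be reproduced outside the debugger. This is an added example, not the CrackMe's or the author's code. The constants (0x28E, 1979, "PYG_", the minimum length 0xA) and the sample inputs are taken from the disassembly; because the E-Mail address is redacted on this page, its length N1 is hard-coded to the 12 the trace shows (EAX=0xC) rather than measured from the string. `to_int32` is my model of Unpack.00422155, chosen because the trace shows 2609264244.0 becoming 0x9B863674, i.e. plain 32-bit wrap-around.

```python
from typing import Optional

# Constants read from the disassembly on this page.
PREFIX = "PYG_"          # fixed string 2, prepended to the username (00423CC3)
EMAIL_LEN = 12           # N1: length of fixed string 1, EAX=0xC in the trace (string redacted here)
SERIAL_OFFSET = 0x28E    # constant added to the registration code (00423EE5)
LEN_MULTIPLIER = 1979    # constant at ds:[00420878], multiplied by the serial length (00423F52)
MIN_SERIAL_LEN = 10      # the jge at 00423FD9 rejects serials shorter than 0xA characters


def to_int32(value: float) -> int:
    """Model of Unpack.00422155 (assumption): truncate the double, keep the low
    32 bits and read them as signed. 2609264244.0 -> 0x9B863674 -> -1685703052."""
    low = int(value) & 0xFFFFFFFF
    return low - (1 << 32) if low & 0x80000000 else low


def mixed_value(username: str, machine_code: int, email_len: int = EMAIL_LEN) -> int:
    """machine code xor (N1 + N2): the value left at ss:[ebp-1C] (0x4DC2F489 in the trace)."""
    n2 = len(PREFIX + username)
    return machine_code ^ (email_len + n2)


def expected_num2(username: str, machine_code: int, serial_len: int,
                  email_len: int = EMAIL_LEN) -> int:
    """Num2 from the summary: |int32(M + (M xor (N1+N2)) + serial_len*1979)|, as 32 bits."""
    total = (float(machine_code)
             + float(mixed_value(username, machine_code, email_len))
             + float(serial_len * LEN_MULTIPLIER))          # FPU additions at 00423F6A/00423F6D
    return abs(to_int32(total)) & 0xFFFFFFFF


def serial_num1(serial: str) -> int:
    """Num1 from the summary: the registration code as a number plus 0x28E, as 32 bits."""
    return (to_int32(float(int(serial))) + SERIAL_OFFSET) & 0xFFFFFFFF


def check_serial(username: str, machine_code: int, serial: str,
                 email_len: int = EMAIL_LEN) -> bool:
    """True when the CrackMe would accept the input (the jnz at 00424004 is not taken)."""
    if not username or not serial.isdigit() or len(serial) < MIN_SERIAL_LEN:
        return False   # empty username (00423C38) or short serial (00423FD9) never reach the compare
    return serial_num1(serial) == expected_num2(username, machine_code, len(serial), email_len)


def derive_serial(username: str, machine_code: int,
                  email_len: int = EMAIL_LEN) -> Optional[str]:
    """Invert the check. Num2 depends on the serial's own length, so each admissible
    length is tried and the first candidate whose digit count matches is kept."""
    for length in range(MIN_SERIAL_LEN, 20):
        candidate = expected_num2(username, machine_code, length, email_len) - SERIAL_OFFSET
        if candidate < 0:
            continue
        text = str(candidate).zfill(length)   # leading zeros keep the length without changing the value
        if len(text) == length and check_serial(username, machine_code, text, email_len):
            return text
    return None


if __name__ == "__main__":
    # Sample inputs copied from the page's trace (constructed here, not read from the program).
    machine = 0x4DC2F49D                                    # 1304622237
    print(hex(mixed_value("hrbx", machine)))                # 0x4dc2f489
    print(hex(expected_num2("hrbx", machine, 10)))          # 0x6479c98c
    print(check_serial("hrbx", machine, "1234567890"))      # False: 0x49960560 != 0x6479C98C
    print(derive_serial("hrbx", machine))
```

Every intermediate the page records for the input "1234567890" (0x4DC2F489, 2609264244.0, -1685703052, 0x6479C98C, 0x49960560) falls out of these functions, which is the check worth doing before trusting a reconstruction. For the page's sample inputs `derive_serial` returns 1685702398, five more than the registration code the author lists above; since the trace itself is consistent with 1979 and N1+N2=20, a difference like that is a prompt to re-read the multiplier at 00420878 and the redacted E-Mail's real length from the live program rather than to trust either number.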
- Patch the following locations:
- 00423CB8 je Unpack.00423CC3 ; je====>jmp
- 00423FD9 jge Unpack.00423FFE ; jge===>jmp
- 00424004 jnz Unpack.0042402C ; jnz===>Nop
- -----------------------------------------------------------------------------------------------
- [Copyright] This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by hrbx on 2007-6-22 20:28 ]