Target software:
Crack method: find the registration code
Difficulty: easy
Tools: PEiD 0.94, OllyDbg
First check for a packer with PEiD: none. Load the target in OllyDbg and search for the registration-failure string: it is there. Set a breakpoint at 00401064, reload, enter a trial code, and the debugger breaks at 00401064:
00401064 . E8 C7010000 CALL ncrackme.00401230 ; step into this call (the check routine)
00401069 . 85C0 TEST EAX,EAX
0040106B . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040106D . 68 80504000 PUSH ncrackme.00405080 ; |ncrackme
00401072 . 75 1B JNZ SHORT ncrackme.0040108F ; |
00401074 . A1 B8564000 MOV EAX,DWORD PTR DS:[4056B8] ; |
00401079 . 68 64504000 PUSH ncrackme.00405064 ; |registration successful.
The routine at 00401230 returns 0 on success (TEST EAX,EAX / JNZ takes the failure path on any non-zero value):
00401230 /$ 8B0D BC564000 MOV ECX,DWORD PTR DS:[4056BC]
00401236 |. 83EC 30 SUB ESP,30
00401239 |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
0040123D |. 53 PUSH EBX
0040123E |. 56 PUSH ESI
0040123F |. 8B35 94404000 MOV ESI,DWORD PTR DS:[<&USER32.GetDlgIte>; USER32.GetDlgItemTextA
00401245 |. 6A 10 PUSH 10 ; /Count = 10 (16.)
00401247 |. 50 PUSH EAX ; |Buffer
00401248 |. 68 E8030000 PUSH 3E8 ; |ControlID = 3E8 (1000.)
0040124D |. 51 PUSH ECX ; |hWnd => 000E0496 (class='#32770',parent=000D0520)
0040124E |. 33DB XOR EBX,EBX ; |
00401250 |. FFD6 CALL ESI ; \GetDlgItemTextA
00401252 |. 83F8 03 CMP EAX,3 ; name length must be at least 3 (JNB continues when len >= 3; otherwise return 1 = fail)
00401255 |. 73 0B JNB SHORT ncrackme.00401262
00401257 |. 5E POP ESI
00401258 |. B8 01000000 MOV EAX,1
0040125D |. 5B POP EBX
0040125E |. 83C4 30 ADD ESP,30
00401261 |. C3 RETN
00401262 |> A1 BC564000 MOV EAX,DWORD PTR DS:[4056BC]
00401267 |. 8D5424 28 LEA EDX,DWORD PTR SS:[ESP+28]
0040126B |. 6A 10 PUSH 10
0040126D |. 52 PUSH EDX
0040126E |. 68 E9030000 PUSH 3E9
00401273 |. 50 PUSH EAX
00401274 |. FFD6 CALL ESI ; read the trial serial into [ESP+28] (buffer of 0x10 bytes)
00401276 |. 0FBE4424 08 MOVSX EAX,BYTE PTR SS:[ESP+8] ; first name byte (sign-extended)
0040127B |. 0FBE4C24 09 MOVSX ECX,BYTE PTR SS:[ESP+9] ; second name byte
00401280 |. 99 CDQ
00401281 |. F7F9 IDIV ECX ; eax = name[0] / name[1], remainder in edx
00401283 |. 8BCA MOV ECX,EDX ; ecx = name[0] % name[1]
00401285 |. 83C8 FF OR EAX,FFFFFFFF ; eax = 0xFFFFFFFF
00401288 |. 0FBE5424 0A MOVSX EDX,BYTE PTR SS:[ESP+A] ; third name byte
0040128D |. 0FAFCA IMUL ECX,EDX ; ecx = ecx * name[2]
00401290 |. 41 INC ECX ; ecx = ecx + 1
00401291 |. 33D2 XOR EDX,EDX
00401293 |. F7F1 DIV ECX ; eax = 0xFFFFFFFF / ecx (unsigned); this value is the argument passed to 00401340 below
00401295 |. 50 PUSH EAX
00401296 |. E8 A5000000 CALL ncrackme.00401340
0040129B |. 83C4 04 ADD ESP,4
0040129E |. 33F6 XOR ESI,ESI
004012A0 |> E8 A5000000 /CALL ncrackme.0040134A ; the loop below builds a 15-character string (ESI = 0..14); important
004012A5 |. 99 |CDQ
004012A6 |. B9 1A000000 |MOV ECX,1A
004012AB |. F7F9 |IDIV ECX ; edx = eax % 26
004012AD |. 80C2 41 |ADD DL,41 ; dl = (eax % 26) + 'A'
004012B0 |. 885434 18 |MOV BYTE PTR SS:[ESP+ESI+18],DL
004012B4 |. 46 |INC ESI
004012B5 |. 83FE 0F |CMP ESI,0F
004012B8 |.^ 72 E6 \JB SHORT ncrackme.004012A0
004012BA |. 57 PUSH EDI
004012BB |. 8D7C24 0C LEA EDI,DWORD PTR SS:[ESP+C]
004012BF |. 83C9 FF OR ECX,FFFFFFFF
004012C2 |. 33C0 XOR EAX,EAX
004012C4 |. 33F6 XOR ESI,ESI
004012C6 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004012C8 |. F7D1 NOT ECX
004012CA |. 49 DEC ECX
004012CB |. 74 59 JE SHORT ncrackme.00401326
004012CD |> 8A4434 0C /MOV AL,BYTE PTR SS:[ESP+ESI+C] ; take the next name byte
004012D1 |. C0F8 05 |SAR AL,5 ; al = al >> 5 (arithmetic shift: 3 for 'a'..'z', 2 for 'A'..'Z', 1 for digits)
004012D4 |. 0FBEC0 |MOVSX EAX,AL
004012D7 |. 8D1480 |LEA EDX,DWORD PTR DS:[EAX+EAX*4] ; edx = eax * 5
004012DA |. 8D04D0 |LEA EAX,DWORD PTR DS:[EAX+EDX*8] ; eax = eax + edx * 8 = eax * 41
004012DD |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; eax = eax * 3, i.e. 123 * (al >> 5)
004012E0 |. 85C0 |TEST EAX,EAX
004012E2 |. 7E 0A |JLE SHORT ncrackme.004012EE
004012E4 |. 8BF8 |MOV EDI,EAX
004012E6 |> E8 5F000000 |/CALL ncrackme.0040134A ; call 0040134A eax times, results discarded
004012EB |. 4F ||DEC EDI
004012EC |.^ 75 F8 |\JNZ SHORT ncrackme.004012E6
004012EE |> E8 57000000 |CALL ncrackme.0040134A
004012F3 |. 99 |CDQ
004012F4 |. B9 1A000000 |MOV ECX,1A ; ecx = 26
004012F9 |. 8D7C24 0C |LEA EDI,DWORD PTR SS:[ESP+C]
004012FD |. F7F9 |IDIV ECX ; edx = eax % 26
004012FF |. 0FBE4C34 2C |MOVSX ECX,BYTE PTR SS:[ESP+ESI+2C] ; one byte of the trial serial
00401304 |. 80C2 41 |ADD DL,41 ; dl = (eax % 26) + 'A'
00401307 |. 0FBEC2 |MOVSX EAX,DL ; eax = dl
0040130A |. 2BC1 |SUB EAX,ECX ; eax = expected - given
0040130C |. 885434 1C |MOV BYTE PTR SS:[ESP+ESI+1C],DL ; dl is the real serial character for position ESI (overwrites the 15-character string; one per name character, so 4 for a 4-character name)
00401310 |. 99 |CDQ
00401311 |. 33C2 |XOR EAX,EDX
00401313 |. 83C9 FF |OR ECX,FFFFFFFF
00401316 |. 2BC2 |SUB EAX,EDX ; cdq / xor / sub idiom: eax = |expected - given|
00401318 |. 03D8 |ADD EBX,EAX ; ebx accumulates the differences
0040131A |. 33C0 |XOR EAX,EAX
0040131C |. 46 |INC ESI
0040131D |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
0040131F |. F7D1 |NOT ECX
00401321 |. 49 |DEC ECX ; ecx = strlen(name), the loop count
00401322 |. 3BF1 |CMP ESI,ECX
00401324 |.^ 72 A7 \JB SHORT ncrackme.004012CD
00401326 |> 5F POP EDI
00401327 |. 8BC3 MOV EAX,EBX ; return the accumulated difference: 0 only if every position matched
00401329 |. 5E POP ESI
0040132A |. 5B POP EBX
0040132B |. 83C4 30 ADD ESP,30
0040132E \. C3 RETN
Algorithm: 1. From the first three characters of the user name derive a seed, pass it to 00401340, and build a 15-character string from 0040134A outputs (the loop at 004012A0 runs ESI = 0..14).
2. For each character of the name, call 0040134A another 123 * (char >> 5) times with the results discarded, then take dl = output % 26 + 'A' and store it over the long string at that position. These dl values, one per name character, are the registration code: the routine sums |dl - entered byte| over the name's length and returns 0 only when every position matches, so anything may follow after the first len(name) characters. (The calculation is rather tedious.)
e.g. name: tong
sn: MDED
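The following keygen and check model of the routine above is an added example; it is not code from the original post or from the crackme. It assumes that the two unnamed calls (00401340, which takes the seed as its single argument, and 0040134A, which takes none) are the MSVC CRT srand()/rand() pair; that is inferred from their 10-byte adjacency and the rand() % 26 + 'A' idiom in both loops, and nothing on the page names them. Everything else (the seed formula, the 15 discarded outputs of the first loop, the 123 * (char >> 5) skips, the absolute-difference sum) follows the disassembly instruction by instruction. The names MsvcRand, seed_from_name, keygen and check are this example's own. Whether keygen("tong") reproduces the post's sample serial MDED is the practical test of the PRNG assumption.

```python
"""Keygen/check model of the ncrackme serial routine at 00401230.

Added example, not from the original post. ASSUMPTION: 00401340 / 0040134A
are the MSVC CRT srand()/rand(); the rest mirrors the disassembly.
"""

MASK32 = 0xFFFFFFFF
NAME_MAX = 15  # GetDlgItemTextA with Count = 0x10 keeps at most 15 bytes plus NUL


class MsvcRand:
    """Assumed PRNG: MSVC CRT LCG, x = x*214013 + 2531011 mod 2**32,
    rand() returns (x >> 16) & 0x7FFF."""

    def __init__(self, seed=1):
        self.state = seed & MASK32

    def srand(self, seed):
        self.state = seed & MASK32

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & MASK32
        return (self.state >> 16) & 0x7FFF


def _sbyte(b):
    """MOVSX of one byte: sign-extend to a Python int."""
    return b - 256 if b >= 0x80 else b


def _c_rem(a, b):
    """Remainder with IDIV semantics (sign follows the dividend)."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return a - q * b


def seed_from_name(name):
    """Seed computed at 00401276..00401293 from the first three name bytes."""
    c0, c1, c2 = (_sbyte(b) for b in name.encode("latin-1")[:3])
    rem = _c_rem(c0, c1)                  # IDIV ECX: remainder lands in EDX
    divisor = (rem * c2 + 1) & MASK32     # IMUL ECX,EDX / INC ECX (32-bit wrap)
    if divisor == 0:
        raise ZeroDivisionError("DIV ECX would fault in the crackme")
    return MASK32 // divisor              # OR EAX,-1 / XOR EDX,EDX / DIV ECX (unsigned)


def keygen(name):
    """Serial the routine accepts for `name`: one 'A'..'Z' character per name byte."""
    name = name[:NAME_MAX]
    if len(name) < 3:
        raise ValueError("the crackme rejects names shorter than 3 characters")
    rng = MsvcRand()
    rng.srand(seed_from_name(name))       # CALL 00401340 (assumed srand)
    # 004012A0 loop: 15 outputs fill the scratch string. The bytes are overwritten
    # later, but the 15 calls advance the PRNG state, so they must be replayed.
    for _ in range(15):
        rng.rand()
    serial = []
    for b in name.encode("latin-1"):
        skips = (_sbyte(b) >> 5) * 123    # SAR AL,5 (arithmetic) then the three LEAs
        for _ in range(skips):            # 004012E6 loop; JLE skips it when eax <= 0
            rng.rand()
        serial.append(chr(rng.rand() % 26 + ord("A")))  # IDIV by 0x1A, ADD DL,41
    return "".join(serial)


def check(name, serial):
    """Return value of 00401230: sum of |expected - given| over the name's
    length, so 0 means 'registration successful'; 1 means the name is too short."""
    name = name[:NAME_MAX]
    if len(name) < 3:
        return 1
    given = serial.encode("latin-1")[:NAME_MAX]
    # Bytes past the entered serial's NUL are uninitialised stack in the crackme;
    # modelled here as zeros, which changes only the non-zero failure value.
    given = given.ljust(len(name), b"\0")
    return sum(abs(ord(e) - _sbyte(g)) for e, g in zip(keygen(name), given))


if __name__ == "__main__":
    for n in ("tong", "Tong", "hongxin2005"):
        s = keygen(n)
        print(n, s, check(n, s))
```

Two details worth keeping when porting this to another PRNG: the first loop's 15 outputs matter even though the string they produce is discarded, and the comparison covers exactly len(name) bytes, which is why trailing characters after the real serial are ignored while a serial shorter than the name always fails.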
[ Last edited by hongxin2005 on 2006-3-15 09:22 ]