发表于 2006-5-22 17:29:53
; ---------------------------------------------------------------------------
; Crackme1 dialog procedure (OllyDbg listing; 32-bit Intel syntax; stdcall).
; C-equivalent: BOOL CALLBACK DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
;   [ebp+8] = hWnd, [ebp+C] = uMsg, [ebp+10] = wParam, [ebp+14] = lParam
;   4 dword args -> "retn 10" pops 16 bytes; lParam is never read in this excerpt.
; Globals referenced (data section not shown; buffer sizes are assumptions):
;   [403050] = value passed to LoadIconA (debugger shows 00400000, the module base;
;              presumably hInstance)
;   [403058] = dword filled by GetVolumeInformationA with the volume serial number
;   [40305C] = text buffer receiving the "%1x" rendering of the serial, later of
;              the expected key (at most 8 hex digits + NUL)
;   [40306C] = text buffer: first the root path "X:\" built from the command line,
;              later the user's input read by GetDlgItemTextA (up to 0x50 chars)
; The expected key is a function of the volume serial (which the dialog itself
; displays in control 0x67) and the cpuid leaf-1 signature, i.e. a machine-bound check.
; Jump targets 00401191 / 004011A3 / 004011AF lie beyond the retn at 0040118C,
; so the procedure continues past the end of this excerpt.
; ---------------------------------------------------------------------------
0040102F 55 push ebp
00401030 8BEC mov ebp,esp
00401032 53 push ebx ; callee-saved; ebx is clobbered by cpuid below, so this save matters
00401033 57 push edi ; edi/esi are saved but never touched in this excerpt
00401034 56 push esi
00401035 8B45 0C mov eax,dword ptr ss:[ebp+C] ; eax = uMsg
00401038 83F8 10 cmp eax,10 ; WM_CLOSE (0x10)?
0040103B 75 0F jnz short Crackme1.0040104C
0040103D 6A 00 push 0 ; nResult = 0
0040103F FF75 08 push dword ptr ss:[ebp+8] ; hWnd
00401042 E8 81010000 call <jmp.&USER32.EndDialog> ; EndDialog(hWnd, 0)
00401047 E9 63010000 jmp Crackme1.004011AF ; common exit, outside this excerpt
0040104C 3D 10010000 cmp eax,110 ; WM_INITDIALOG (0x110)?
00401051 0F85 85000000 jnz Crackme1.004010DC
; --- WM_INITDIALOG: set the window icon, then fetch and display the volume serial
00401057 68 E8030000 push 3E8 ; lpIconName = MAKEINTRESOURCE(1000)
0040105C FF35 50304000 push dword ptr ds:[403050] ; Crackme1.00400000 -- hInstance (stored module base, per the debugger annotation)
00401062 E8 6D010000 call <jmp.&USER32.LoadIconA>
00401067 50 push eax ; lParam = hIcon
00401068 6A 01 push 1 ; wParam = ICON_BIG
0040106A 68 80000000 push 80 ; WM_SETICON (0x80)
0040106F FF75 08 push dword ptr ss:[ebp+8] ; hWnd
00401072 E8 6F010000 call <jmp.&USER32.SendMessageA> ; SendMessageA(hWnd, WM_SETICON, ICON_BIG, hIcon)
00401077 E8 7C010000 call <jmp.&KERNEL32.GetCommandLineA> ; eax -> this process's command line
0040107C 8038 22 cmp byte ptr ds:[eax],22 ; does it start with '"' ?
0040107F 75 01 jnz short Crackme1.00401082
00401081 40 inc eax ; skip the one opening quote
00401082 66:8B08 mov cx,word ptr ds:[eax] ; cx = first two characters, assumed to be the drive letter and ':'
00401085 66:890D 6C30400>mov word ptr ds:[40306C],cx ; [40306C..6D] = "X:"
0040108C 66:C705 6E30400>mov word ptr ds:[40306E],5C ; [40306E..6F] = '\', NUL -> root path "X:\"
; NOTE(review): only a command line that starts with a fully qualified path yields a
; valid root here; nothing below checks GetVolumeInformationA's result, so on failure
; the stale contents of [403058] are used as the "serial".
00401095 6A 00 push 0 ; nFileSystemNameSize
00401097 6A 00 push 0 ; lpFileSystemNameBuffer
00401099 6A 00 push 0 ; lpFileSystemFlags
0040109B 6A 00 push 0 ; lpMaximumComponentLength
0040109D 68 58304000 push Crackme1.00403058 ; lpVolumeSerialNumber -> [403058]
004010A2 6A 00 push 0 ; nVolumeNameSize
004010A4 6A 00 push 0 ; lpVolumeNameBuffer
004010A6 68 6C304000 push Crackme1.0040306C ; ASCII "ZHOU2X" //试炼码 -- lpRootPathName; the debugger shows the buffer's later contents (the author's test input "ZHOU2X"), at this point it holds "X:\"
004010AB E8 54010000 call <jmp.&KERNEL32.GetVolumeInforma> ; GetVolumeInformationA(...); BOOL result in eax is ignored
004010B0 A1 58304000 mov eax,dword ptr ds:[403058] ; eax = volume serial number
004010B5 50 push eax
004010B6 68 3E304000 push Crackme1.0040303E ; %1x -- format string (hex, min width 1; digit case depends on the exact string at 40303E, which this listing does not show verbatim)
004010BB 68 5C304000 push Crackme1.0040305C ; ASCII "8236DBD6" //序列号! -- destination buffer (debugger shows the serial as text: "8236DBD6")
004010C0 E8 F7000000 call <jmp.&USER32.wsprintfA> ; wsprintfA([40305C], "%1x", serial)
004010C5 83C4 0C add esp,0C ; cdecl: caller pops the three args
004010C8 68 5C304000 push Crackme1.0040305C ; ASCII "8236DBD6"
004010CD 6A 67 push 67 ; control ID 0x67: the serial is shown to the user
004010CF FF75 08 push dword ptr ss:[ebp+8]
004010D2 E8 15010000 call <jmp.&USER32.SetDlgItemTextA> ; SetDlgItemTextA(hWnd, 0x67, serialText)
004010D7 E9 D3000000 jmp Crackme1.004011AF ; common exit, outside this excerpt
004010DC 3D 11010000 cmp eax,111 ; WM_COMMAND (0x111)?
004010E1 0F85 BC000000 jnz Crackme1.004011A3 ; other messages: outside this excerpt
004010E7 837D 10 01 cmp dword ptr ss:[ebp+10],1 ; wParam == 1 (IDOK with notification code 0) -- the whole dword is compared, not just the low word
004010EB 0F85 A0000000 jnz Crackme1.00401191 ; other commands: outside this excerpt
; --- IDOK: read the input, compute the expected key, compare
004010F1 6A 50 push 50 ; cchMax = 0x50 -- assumes the buffer at 40306C holds at least 0x50 bytes; TODO confirm from the data section
004010F3 68 6C304000 push Crackme1.0040306C ; ASCII "ZHOU2X" -- lpString (input buffer; overwrites the root path built at init)
004010F8 6A 68 push 68 ; control ID 0x68: the edit box
004010FA FF75 08 push dword ptr ss:[ebp+8]
004010FD E8 CC000000 call <jmp.&USER32.GetDlgItemTextA> ; GetDlgItemTextA(hWnd, 0x68, [40306C], 0x50)
00401102 803D 6C304000 0>cmp byte ptr ds:[40306C],0 ;判断是否没有输入 -- empty input?
00401109 74 69 je short Crackme1.00401174 ; -> "incorrect" path
0040110B 68 18304000 push Crackme1.00403018 ; 输入的序列号不正确! -- lpString2 = the error text ("The serial number you entered is incorrect!")
00401110 68 6C304000 push Crackme1.0040306C ; ASCII "ZHOU2X" -- lpString1 = the input
00401115 E8 F0000000 call <jmp.&KERNEL32.lstrcmpA> ; lstrcmpA(input, errorText)
0040111A 85C0 test eax,eax
0040111C 74 56 je short Crackme1.00401174 ;如果注册码为"输入的序列号不正确!"就跳不正确提示 -- if the input equals the error text (left in the edit box by a previous failure, see 0040117E) go straight to the "incorrect" prompt
; --- expected key = low32(sig * serial) + high32(sig * serial), sig = cpuid(1).eax
0040111E B8 01000000 mov eax,1 ; cpuid leaf 1
00401123 0FA2 cpuid ; eax = processor signature (family/model/stepping); ebx, ecx, edx are clobbered
00401125 8B0D 58304000 mov ecx,dword ptr ds:[403058] ; ecx = volume serial saved at init
0040112B 33D2 xor edx,edx ; no effect on the result: mul overwrites edx
0040112D F7E1 mul ecx ; edx:eax = signature * serial (unsigned 32x32 -> 64)
0040112F 03C2 add eax,edx ; fold the high dword into the low dword
00401131 50 push eax ; expected key
00401132 68 3E304000 push Crackme1.0040303E ; %1x
00401137 68 5C304000 push Crackme1.0040305C ; ASCII "8236DBD6" -- same buffer that held the serial text
0040113C E8 7B000000 call <jmp.&USER32.wsprintfA> ; 真注册码计算;经过此CALL后 0040305C 的值有变化 -- the expected key is rendered here; the contents of 0040305C change after this CALL
00401141 83C4 0C add esp,0C ; cdecl cleanup
00401144 68 6C304000 push Crackme1.0040306C ; ASCII "ZHOU2X" -- lpString2 = the input
00401149 68 5C304000 push Crackme1.0040305C ; ASCII "46CF6318";真注册码 -- lpString1 = the expected key ("46CF6318" on the author's machine)
0040114E E8 B7000000 call <jmp.&KERNEL32.lstrcmpA> ; case-sensitive compare: the input must match the rendered hex exactly
00401153 85C0 test eax,eax
00401155 75 1D jnz short Crackme1.00401174 ; 输入序列号错误,跳不正确提示 -- mismatch: jump to the "incorrect" prompt
00401157 6A 10 push 10 ; uType = MB_ICONHAND (0x10)
00401159 E8 7C000000 call <jmp.&USER32.MessageBeep>
0040115E 6A 00 push 0 ; uType = MB_OK
00401160 68 00304000 push Crackme1.00403000 ; 注册成功 -- lpCaption ("Registration succeeded")
00401165 68 09304000 push Crackme1.00403009 ; 谢谢你的注册! -- lpText ("Thank you for registering!")
0040116A FF75 08 push dword ptr ss:[ebp+8]
0040116D E8 6E000000 call <jmp.&USER32.MessageBoxA> ; MessageBoxA(hWnd, text, caption, MB_OK)
00401172 EB 0F jmp short Crackme1.00401183 ; -> return
00401174 68 18304000 push Crackme1.00403018 ; 输入的序列号不正确!修改为 push 40305C,那么输入任意注册码,都会将真注册码显示给你:) -- lpString = error text ("The serial number you entered is incorrect!"); author's note: changing this to push 40305C would make the dialog show the expected key for any input
00401179 6A 68 push 68 ; written into the edit box (control 0x68) -- which is why the error text is compared at 00401115
0040117B FF75 08 push dword ptr ss:[ebp+8]
0040117E E8 69000000 call <jmp.&USER32.SetDlgItemTextA>
00401183 B8 00000000 mov eax,0 ; return value eax = 0 (FALSE)
00401188 5E pop esi
00401189 5F pop edi
0040118A 5B pop ebx
0040118B C9 leave ; mov esp,ebp / pop ebp
0040118C C2 1000 retn 10 ; stdcall: pop the four dword args
就是追码过程，没有具体分析。