Posted on 2006-8-5 13:00:57
Here is a complete one; let's learn together at home!!
PEiD identifies the packer as: nSPack 1.3 -> North Star/Liu Xing Ping; manual unpacking, method one,
004506A0 55 push ebp  unpacking point
It would not run; after repairing the import table it runs!
PEiD shows it was written in Borland Delphi 6.0
**** Enter registration info: user name: MINGBIN  serial number: 789789789 ****
Error message appears: "The serial number is wrong, please try again!"
Ultra String Reference, item 202
Address=004503CE
Disassembly=push unCrackm.00450478
Text string=序列号不对呀,请再试试! ("The serial number is wrong, please try again!")
**************************************************************************************************
Patch point:
004503AA /74 1B jne short unCrackm.004503C7  change to: jz and that's it; enter whatever you like!
**************************************************************************************************
Tracing the serial:
004502C3 8BF0 mov esi,eax
004502C5 33C0 xor eax,eax
004502C7 55 push ebp
004502C8 68 18044500 push unCrackm.00450418
004502CD 64:FF30 push dword ptr fs:[eax]
004502D0 64:8920 mov dword ptr fs:[eax],esp
004502D3 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004502D6 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
004502DC E8 17F2FDFF call unCrackm.0042F4F8 ; get the user name
004502E1 837D F4 00 cmp dword ptr ss:[ebp-C],0 ; check whether the user name is empty
004502E5 75 1E jnz short unCrackm.00450305 ; jump if not empty, otherwise continue down
004502E7 6A 30 push 30
004502E9 68 28044500 push unCrackm.00450428 ; ASCII "Error:"
004502EE 68 30044500 push unCrackm.00450430
004502F3 8BC6 mov eax,esi
004502F5 E8 7258FEFF call unCrackm.00435B6C
004502FA 50 push eax
004502FB E8 3C6AFBFF call <jmp.&user32.MessageBoxA> ; error: user name is empty
00450300 E9 DB000000 jmp unCrackm.004503E0
00450305 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00450308 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8] ; user name length into eax=7
0045030E E8 E5F1FDFF call unCrackm.0042F4F8
00450313 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; user name length into eax=7
00450316 E8 A941FBFF call unCrackm.004044C4
0045031B 83F8 04 cmp eax,4 ; compare user name length eax=7 with 4
0045031E 7D 1E jge short unCrackm.0045033E ; jump if >= 4, otherwise continue down
00450320 6A 30 push 30
00450322 68 28044500 push unCrackm.00450428 ; ASCII "Error:"
00450327 68 48044500 push unCrackm.00450448
0045032C 8BC6 mov eax,esi
0045032E E8 3958FEFF call unCrackm.00435B6C
00450333 50 push eax
00450334 E8 036AFBFF call <jmp.&user32.MessageBoxA> ; error: fewer than 4 characters
00450339 E9 A2000000 jmp unCrackm.004503E0
0045033E 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00450341 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8] ; user name length eax=7
00450347 E8 ACF1FDFF call unCrackm.0042F4F8
0045034C 8D55 EC lea edx,dword ptr ss:[ebp-14]
0045034F 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
00450355 E8 9EF1FDFF call unCrackm.0042F4F8
0045035A 8B45 EC mov eax,dword ptr ss:[ebp-14]
0045035D E8 6241FBFF call unCrackm.004044C4
00450362 8BD8 mov ebx,eax ; ebx=7
00450364 85DB test ebx,ebx ; test ebx
00450366 7E 29 jle short unCrackm.00450391 ; jump if less than or equal
00450368 BF 01000000 mov edi,1 ; edi=1
0045036D 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; eax=7
00450370 0FB64438 FF movzx eax,byte ptr ds:[eax+edi-1] ; take the user name's ASCII codes one character at a time
00450375 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00450378 BA 02000000 mov edx,2
0045037D E8 8E7FFBFF call unCrackm.00408310
00450382 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; edx = ASCII code of the current user name character
00450385 8D45 FC lea eax,dword ptr ss:[ebp-4]
00450388 E8 3F41FBFF call unCrackm.004044CC
0045038D 47 inc edi ; edi=edi+1, the counter goes up
0045038E 4B dec ebx ; ebx=ebx-1, the remaining length goes down
0045038F ^ 75 DC jnz short unCrackm.0045036D ; loop while edi and ebx differ; when equal, continue down
00450391 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00450394 8B86 00030000 mov eax,dword ptr ds:[esi+300]
0045039A E8 59F1FDFF call unCrackm.0042F4F8
0045039F 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; trial serial length into eax=9
004503A2 8B55 FC mov edx,dword ptr ss:[ebp-4] ; real serial into edx=4D494E4742494E
004503A5 E8 5E42FBFF call unCrackm.00404608 ; the call that compares the two codes
004503AA 75 1B jnz short unCrackm.004503C7 ; jump down if not equal, otherwise continue
004503AC 6A 40 push 40
004503AE 68 60044500 push unCrackm.00450460 ; ASCII "ok:"
004503B3 68 64044500 push unCrackm.00450464
004503B8 8BC6 mov eax,esi
004503BA E8 AD57FEFF call unCrackm.00435B6C
004503BF 50 push eax
004503C0 E8 7769FBFF call <jmp.&user32.MessageBoxA>
004503C5 EB 19 jmp short unCrackm.004503E0
004503C7 6A 30 push 30
004503C9 68 28044500 push unCrackm.00450428 ; ASCII "Error:"
004503CE 68 78044500 push unCrackm.00450478
004503D3 8BC6 mov eax,esi
004503D5 E8 9257FEFF call unCrackm.00435B6C
004503DA 50 push eax
004503DB E8 5C69FBFF call <jmp.&user32.MessageBoxA> ; error message box
Making the keygen:
004503A5 E8 5E42FBFF call unCrackm.00404608
Break address: 004503A5
Break count: 1
First byte: E8
Instruction length: 5
Memory mode: register edx
Address pointer: 1 level (otherwise the serial appears twice)
How the serial is formed:
Serial = the ASCII codes of each character of the user name, concatenated
************ I'm a newbie and there is still a lot I don't understand; please advise! ******************
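As an added example (not code from the original post or from the crackme), the validation routine traced above rewritten in Python, so the weakness is visible at a glance: the serial is a pure function of the public user name with no secret involved, so the check cannot distinguish a licensed user from anyone who has read the algorithm. The two-upper-case-hex-digits-per-character form is inferred from the value 4D494E4742494E the post shows in edx for MINGBIN; the message strings are placeholders standing in for the program's own dialog text.

```python
# Added example: Python reconstruction of the serial check at 004502C3-004503DB.
# Not the crackme's code. The hex form is inferred from 4D494E4742494E (MINGBIN).


def expected_serial(username: str) -> str:
    """Mirror of the loop at 0045036D-0045038F: each character's ASCII code,
    formatted as two upper-case hex digits (the call at 00408310 with edx=2),
    appended to the accumulator at [ebp-4]."""
    return "".join(f"{ord(ch):02X}" for ch in username)


def check_registration(username: str, serial: str) -> str:
    """Mirror of the checks in the routine; returns which message box is shown.
    Message texts are placeholders, not the program's strings."""
    if username == "":                        # cmp dword ptr [ebp-C],0 at 004502E1
        return "Error: user name is empty"
    if len(username) < 4:                     # cmp eax,4 at 0045031B
        return "Error: user name shorter than 4"
    if serial != expected_serial(username):   # compare call at 004503A5
        return "Error: wrong serial"
    return "ok"


if __name__ == "__main__":
    # The pair from the post fails; the derived value passes. Because the
    # derivation needs nothing but the user name, the scheme has no secret.
    print(check_registration("MINGBIN", "789789789"))
    print(expected_serial("MINGBIN"), check_registration("MINGBIN", expected_serial("MINGBIN")))
```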