龙战于野
Posted on 2010-6-3 12:56:26
【Title】A simple analysis of the 杀很大 CrackMe series, v0.4
【Author】絕戀de煩神
【Author's e-mail】[email protected]
【Author's homepage】http://blog.sina.com.cm/crackbox
【Tools】OD, PEID
【Platform】1000% pirated XP system
【Software name】杀很大.CrackMe 0.4
【Software size】233KB
【Original download】available in the CrackMe discussion board on PYG
【Protection】username + registration code
【Software description】version 0.4 of the 杀很大 CM series
【Disclaimer】A newbie who just got started, playing a game; please forgive any mistakes in the analysis!
------------------------------------------------------------------------
【Cracking process】1. Checking the packer with PEID shows "nothing found"! After loading in OD, the packer can be removed with the ESP rule!
2. Searching for strings in OD finds nothing at all!
3. After breaking on the universal breakpoint you can return to the key code; of course there are other ways too! For details, see the animated tutorial made by 杀很大!
https://www.chinapyg.com/viewthr ... &extra=page%3D1
4. Analysis of the key code
004010CB /. 55 PUSH EBP
004010CC |. 8BEC MOV EBP,ESP
004010CE |. 81EC 18000000 SUB ESP,18
004010D4 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
004010DB |. 6A FF PUSH -1
004010DD |. 6A 08 PUSH 8
004010DF |. 68 4E000116 PUSH 1601004E
004010E4 |. 68 01000152 PUSH 52010001
004010E9 |. E8 34070000 CALL 00401822 ; fetch the registration code, call it SN
004010EE |. 83C4 10 ADD ESP,10
004010F1 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; [EBP-8]=SN
004010F4 |. 68 04000080 PUSH 80000004
004010F9 |. 6A 00 PUSH 0
004010FB |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX=SN
004010FE |. 85C0 TEST EAX,EAX ; is SN empty?
00401100 |. 75 05 JNZ SHORT 00401107 ; jump if not
00401102 |. B8 C8BD4600 MOV EAX,0046BDC8
00401107 |> 50 PUSH EAX ; push SN onto the stack
00401108 |. 68 01000000 PUSH 1
0040110D |. BB 901B4000 MOV EBX,00401B90
00401112 |. E8 E7060000 CALL 004017FE ; convert SN to hex, call it SNH
00401117 |. 83C4 10 ADD ESP,10
0040111A |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; [EBP-C]=SNH
0040111D |. 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8] ; EBX=SN
00401120 |. 85DB TEST EBX,EBX ; is SN empty?
00401122 |. 74 09 JE SHORT 0040112D ; jump if so
00401124 |. 53 PUSH EBX
00401125 |. E8 DA060000 CALL 00401804
0040112A |. 83C4 04 ADD ESP,4
0040112D |> 68 01030080 PUSH 80000301
00401132 |. 6A 00 PUSH 0
00401134 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
00401137 |. 68 01000000 PUSH 1
0040113C |. BB 801E4000 MOV EBX,00401E80
00401141 |. E8 B8060000 CALL 004017FE ; convert SNH to a string, call it CODE
00401146 |. 83C4 10 ADD ESP,10
00401149 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; [EBP-10]=CODE
0040114C |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
00401153 |. 6A 00 PUSH 0
00401155 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00401158 |. 50 PUSH EAX
00401159 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0040115C |. 50 PUSH EAX
0040115D |. E8 FD000000 CALL 0040125F ; SNH
00401162 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; [EBP-18]=SNH
00401165 |. 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10] ; EBX=CODE
00401168 |. 85DB TEST EBX,EBX ; is EBX zero?
0040116A |. 74 09 JE SHORT 00401175 ; jump if so
0040116C |. 53 PUSH EBX ; push CODE onto the stack to save it
0040116D |. E8 92060000 CALL 00401804
00401172 |. 83C4 04 ADD ESP,4
00401175 |> 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14]
00401178 |. 85DB TEST EBX,EBX
0040117A |. 74 09 JE SHORT 00401185
0040117C |. 53 PUSH EBX
0040117D |. E8 82060000 CALL 00401804
00401182 |. 83C4 04 ADD ESP,4
00401185 |> 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; EAX=SNH
00401188 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; [EBP-4]=SNH
0040118B |. E8 57030000 CALL 004014E7 ; algorithm CALL, don't understand it!
00401190 |. 3945 FC CMP DWORD PTR SS:[EBP-4],EAX ; compare real and fake codes
00401193 |. 0F85 9B000000 JNZ 00401234 ; key jump
00401199 |. 68 010100A0 PUSH A0000101
0040119E |. 6A 00 PUSH 0
004011A0 |. 68 C9BD4600 PUSH 0046BDC9
004011A5 |. 68 01000000 PUSH 1
004011AA |. BB 701D4000 MOV EBX,00401D70
004011AF |. E8 4A060000 CALL 004017FE
004011B4 |. 83C4 10 ADD ESP,10
004011B7 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004011BA |. 6A FF PUSH -1
004011BC |. 6A 08 PUSH 8
004011BE |. 68 4B000116 PUSH 1601004B
004011C3 |. 68 01000152 PUSH 52010001
004011C8 |. E8 55060000 CALL 00401822
004011CD |. 83C4 10 ADD ESP,10
004011D0 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004011D3 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004011D6 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
004011D9 |. B9 02000000 MOV ECX,2
004011DE |. E8 8CFEFFFF CALL 0040106F
004011E3 |. 83C4 08 ADD ESP,8
004011E6 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004011E9 |. 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
004011EC |. 85DB TEST EBX,EBX
004011EE |. 74 09 JE SHORT 004011F9
004011F0 |. 53 PUSH EBX
004011F1 |. E8 0E060000 CALL 00401804
004011F6 |. 83C4 04 ADD ESP,4
004011F9 |> 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
004011FC |. 85DB TEST EBX,EBX
004011FE |. 74 09 JE SHORT 00401209
00401200 |. 53 PUSH EBX
00401201 |. E8 FE050000 CALL 00401804
00401206 |. 83C4 04 ADD ESP,4
00401209 |> 6A 00 PUSH 0
0040120B |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
0040120E |. 6A FF PUSH -1
00401210 |. 6A 08 PUSH 8
00401212 |. 68 00000106 PUSH 6010000
00401217 |. 68 01000152 PUSH 52010001
0040121C |. E8 FB050000 CALL 0040181C
00401221 |. 83C4 18 ADD ESP,18
00401224 |. 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
00401227 |. 85DB TEST EBX,EBX
00401229 |. 74 09 JE SHORT 00401234
0040122B |. 53 PUSH EBX
0040122C |. E8 D3050000 CALL 00401804
00401231 |. 83C4 04 ADD ESP,4
00401234 |> 8BE5 MOV ESP,EBP
00401236 |. 5D POP EBP
00401237 \. C3 RETN
The simple analysis ends here! Heh. I tried stepping into the algorithm to analyse it, but unfortunately could not make sense of it!
------------------------------------------------------------------------
【Summary】1. Patch point
00401193 |. 0F85 9B000000 JNZ 00401234 ; change this jump to JE or NOP it out and that's it
2. Tracing the serial
00401190 |. 3945 FC CMP DWORD PTR SS:[EBP-4],EAX ; compare real and fake codes; [EBP-4] is the real code in hex, EAX is the hex of the registration code we entered
Memory keygen:
Break address: 00401190
Break count: 1
First byte: 39
Instruction length: 3
Register mode → EAX → decimal
------------------------------------------------------------------------
【Copyright】Copyright: 絕戀de煩神. Thanks to PYG! Thanks to SCS! Thanks everyone!
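As an added example (this is not code from the post, from PYG, or from the CrackMe's author), here is a small Python parser for the OllyDbg listing format pasted above. It splits each line into address, opcode bytes, instruction text and analyst comment, checks that the encoded displacement of every relative jump or call agrees with the target OllyDbg printed (a quick way to confirm a pasted dump was not mangled in transit), and reads off the first opcode byte and encoded length at a given address, which is where the "First byte: 39 / Instruction length: 3" entries in the summary come from. The sample listing is a handful of lines copied from the post with their comments translated; the even-length-hex heuristic in BYTES_RE for telling the byte column from the mnemonic is an assumption about the whitespace-collapsed text and is noted in the comments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OllyDbg listing line: 8-hex address, flow marker (/. |. |> \.), then bytes + text.
LINE_RE = re.compile(r'^([0-9A-F]{8})\s+([/|\\][.>])\s+(.*)$')
# Byte-column token: one or more whole hex bytes. Heuristic (assumption): 3-letter
# all-hex mnemonics such as ADD or DEC have odd length and do not match; a 4-letter
# all-hex mnemonic like FADD would, so real column positions are more robust than this.
BYTES_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
# OllyDbg cuts a long byte column with '>' and the mnemonic follows immediately.
TRUNC_RE = re.compile(r'^[0-9A-F]+>(.*)$')


@dataclass
class Insn:
    addr: int
    opcode: Optional[bytes]  # None when the byte column was truncated with '>'
    text: str                # mnemonic and operands
    comment: str             # analyst comment after ';', '' if none


def parse_line(line: str) -> Optional[Insn]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group(3).split()
    hexdigits, rest, truncated = [], [], False
    for i, tok in enumerate(tokens):
        if BYTES_RE.match(tok):
            hexdigits.append(tok)
            continue
        t = TRUNC_RE.match(tok)
        if t:                      # byte column cut off: bytes unknown, text starts here
            truncated = True
            rest = [t.group(1)] + tokens[i + 1:]
        else:
            rest = tokens[i:]
        break
    text, _, comment = ' '.join(rest).partition(';')
    opcode = None if truncated else bytes.fromhex(''.join(hexdigits))
    return Insn(int(m.group(1), 16), opcode, text.strip(), comment.strip())


def parse_listing(lines: List[str]) -> List[Insn]:
    return [i for i in (parse_line(l) for l in lines) if i is not None]


def branch_target(insn: Insn) -> Optional[int]:
    """Target implied by the encoded displacement of a relative jump/call, else None."""
    op = insn.opcode
    if op is None:
        return None
    nxt = insn.addr + len(op)  # displacement is relative to the next instruction
    if len(op) == 2 and (op[0] == 0xEB or 0x70 <= op[0] <= 0x7F):   # JMP/Jcc rel8
        return nxt + int.from_bytes(op[1:], 'little', signed=True)
    if len(op) == 5 and op[0] in (0xE8, 0xE9):                       # CALL/JMP rel32
        return nxt + int.from_bytes(op[1:], 'little', signed=True)
    if len(op) == 6 and op[0] == 0x0F and 0x80 <= op[1] <= 0x8F:     # Jcc rel32
        return nxt + int.from_bytes(op[2:], 'little', signed=True)
    return None


def check_branches(insns: List[Insn]) -> List[Tuple[int, int, int]]:
    """(addr, decoded_target, printed_target) for every line whose bytes disagree with
    the printed operand; an empty list means the dump is self-consistent."""
    bad = []
    for insn in insns:
        decoded = branch_target(insn)
        m = re.search(r'\b([0-9A-F]{8})$', insn.text)
        if decoded is None or not m:
            continue
        printed = int(m.group(1), 16)
        if printed != decoded:
            bad.append((insn.addr, decoded, printed))
    return bad


def instruction_fields(insns: List[Insn], addr: int) -> Optional[Tuple[str, int]]:
    """First opcode byte (hex) and encoded length at addr, or None if the line is
    absent or its byte column was truncated."""
    for insn in insns:
        if insn.addr == addr:
            if insn.opcode is None:
                return None
            return f'{insn.opcode[0]:02X}', len(insn.opcode)
    return None


# Sample input: lines copied from the post above (comments translated), not a new dump.
LISTING = [
    '004010CB /. 55 PUSH EBP',
    '004010CC |. 8BEC MOV EBP,ESP',
    '004010CE |. 81EC 18000000 SUB ESP,18',
    '004010D4 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0',
    '004010E9 |. E8 34070000 CALL 00401822 ; fetch the registration code, call it SN',
    '004010FE |. 85C0 TEST EAX,EAX ; is SN empty?',
    '00401100 |. 75 05 JNZ SHORT 00401107 ; jump if not',
    '00401107 |> 50 PUSH EAX ; push SN onto the stack',
    '00401190 |. 3945 FC CMP DWORD PTR SS:[EBP-4],EAX ; compare real and fake codes',
    '00401193 |. 0F85 9B000000 JNZ 00401234 ; key jump',
    '004011DE |. E8 8CFEFFFF CALL 0040106F',
    r'00401237 \. C3 RETN',
]

if __name__ == '__main__':
    insns = parse_listing(LISTING)
    print('parsed', len(insns), 'instructions; branch mismatches:', check_branches(insns))
    print('fields at 00401190 (first byte, length):', instruction_fields(insns, 0x401190))
```

Running it reports no branch mismatches for these lines and ('39', 3) for 00401190, matching the summary; a line whose bytes were truncated by OllyDbg (the MOV at 004010D4) yields None rather than a wrong length.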