【Title】Brother wzwgp's CRACK ME
【Author】OBI-ONE
【Author's e-mail】OBI-ONE@126.COM
【Author's homepage】
【Tools】PEiD, W32DASM, UC32, OD
【Platform】Windows 2K & XP
【Software name】
【Software size】
【Original download】https://www.chinapyg.com/viewthr ... a=page%3D1#pid37515
【Protection】registration code
【Software description】Brother WZWGP's first CRACK ME
【Cracking statement】I am just a newbie; I picked up a little insight and would like to share it with everyone :-)
------------------------------------------------------------------------
1) First do a trial run. Enter anything and it says the registration code is incorrect. Good, note down the key string.
2) Check for a packer: no packer, how touching!
3) Load it in OD, set a breakpoint with BP MessageBoxA, run the program, enter the trial code 19820421 and the user name OBIONE, click OK, and the program breaks. Return to the disassembly window and note the address:
00450289 |. E8 823BFBFF CALL CrackMe1.00403E10
0045028E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00450291 |. E8 3A3EFBFF CALL CrackMe1.004040D0
00450296 |. 8BD8 MOV EBX,EAX
00450298 |. 83EB 02 SUB EBX,2
0045029B |. 7C 36 JL SHORT CrackMe1.004502D3
4) Set a breakpoint at 0045028E, click OK again, and the program breaks!
004501BC /. 55 PUSH EBP
004501BD |. 8BEC MOV EBP,ESP
004501BF |. B9 0D000000 MOV ECX,0D
004501C4 |> 6A 00 /PUSH 0
004501C6 |. 6A 00 |PUSH 0
004501C8 |. 49 |DEC ECX
004501C9 |.^ 75 F9 \JNZ SHORT CrackMe1.004501C4
004501CB |. 53 PUSH EBX
004501CC |. 56 PUSH ESI
004501CD |. 57 PUSH EDI
004501CE |. 8BF8 MOV EDI,EAX
004501D0 |. 33C0 XOR EAX,EAX
004501D2 |. 55 PUSH EBP
004501D3 |. 68 DC044500 PUSH CrackMe1.004504DC
004501D8 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004501DB |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004501DE |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004501E1 |. 8B87 F8020000 MOV EAX,DWORD PTR DS:[EDI+2F8]
004501E7 |. E8 30F2FDFF CALL CrackMe1.0042F41C
004501EC |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
004501EF |. E8 DC3EFBFF CALL CrackMe1.004040D0 ; checks whether a user name was entered
004501F4 |. 85C0 TEST EAX,EAX
004501F6 |. 75 18 JNZ SHORT CrackMe1.00450210 ; if not, it prompts: please enter a user name
004501F8 |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004501FA |. 68 EC044500 PUSH CrackMe1.004504EC ; |Title = "提示"
004501FF |. 68 F4044500 PUSH CrackMe1.004504F4 ; |Text = "请输入用户名!"
00450204 |. 6A 00 PUSH 0 ; |hOwner = NULL
00450206 |. E8 8D62FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0045020B |. E9 C3000000 JMP CrackMe1.004502D3
00450210 |> 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00450213 |. 8B87 FC020000 MOV EAX,DWORD PTR DS:[EDI+2FC]
00450219 |. E8 FEF1FDFF CALL CrackMe1.0042F41C
0045021E |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00450221 |. E8 AA3EFBFF CALL CrackMe1.004040D0
00450226 |. 83F8 06 CMP EAX,6 ; checks whether the registration code is shorter than 6 characters; if so, error
00450229 |. 7D 18 JGE SHORT CrackMe1.00450243
0045022B |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0045022D |. 68 EC044500 PUSH CrackMe1.004504EC ; |Title = "提示"
00450232 |. 68 04054500 PUSH CrackMe1.00450504 ; |Text = "输入的注册码位数不够!"
00450237 |. 6A 00 PUSH 0 ; |hOwner = NULL
00450239 |. E8 5A62FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00450261 |. BA 38054500 MOV EDX,CrackMe1.00450538 ; ASCII "pygs5jd3klxt" ; one look and you can tell he is a PYG brother, heh!!
00450266 |. E8 3D3CFBFF CALL CrackMe1.00403EA8
0045026B |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0045026E |. BA 50054500 MOV EDX,CrackMe1.00450550
00450273 |. E8 303CFBFF CALL CrackMe1.00403EA8
00450278 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045027B |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0045027E |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00450281 |. E8 963EFBFF CALL CrackMe1.0040411C
00450286 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00450289 |. E8 823BFBFF CALL CrackMe1.00403E10
0045028E |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00450291 |. E8 3A3EFBFF CALL CrackMe1.004040D0
00450296 |. 8BD8 MOV EBX,EAX
00450298 |. 83EB 02 SUB EBX,2
0045029B |. 7C 36 JL SHORT CrackMe1.004502D3
0045029D |. 43 INC EBX
0045029E |. BE 02000000 MOV ESI,2
004502A3 |> 8BC6 /MOV EAX,ESI ; a loop; not sure what it does, it seems unrelated to the result! Probably a decoy!
004502A5 |. 25 01000080 |AND EAX,80000001
004502AA |. 79 05 |JNS SHORT CrackMe1.004502B1
004502AC |. 48 |DEC EAX
004502AD |. 83C8 FE |OR EAX,FFFFFFFE
004502B0 |. 40 |INC EAX
004502B1 |> 85C0 |TEST EAX,EAX
004502B3 |. 75 1A |JNZ SHORT CrackMe1.004502CF
004502B5 |. 8D45 C0 |LEA EAX,DWORD PTR SS:[EBP-40]
004502B8 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004502BB |. 8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1]
004502BF |. E8 343DFBFF |CALL CrackMe1.00403FF8
004502C4 |. 8B55 C0 |MOV EDX,DWORD PTR SS:[EBP-40]
004502C7 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
004502CA |. E8 093EFBFF |CALL CrackMe1.004040D8
004502CF |> 46 |INC ESI
004502D0 |. 4B |DEC EBX
004502D1 |.^ 75 D0 \JNZ SHORT CrackMe1.004502A3
004502D3 |> 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004502D6 |. E8 F53DFBFF CALL CrackMe1.004040D0 ; takes characters 2, 4, 6 of the user name + characters 2, 4, 6, 8, 10, 12 of pygs5jd3klxt, giving the result boeysj3lt,
004502DB |. 8BD8 MOV EBX,EAX
004502DD |. 85DB TEST EBX,EBX ; really don't know what this is for,
004502DF |. 7E 29 JLE SHORT CrackMe1.0045030A
004502E1 |. BE 01000000 MOV ESI,1
004502E6 |> 8D4D BC /LEA ECX,DWORD PTR SS:[EBP-44]
004502E9 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] ; looks like another decoy!
004502EC |. 0FB64430 FF |MOVZX EAX,BYTE PTR DS:[EAX+ESI-1]
004502F1 |. BA 02000000 |MOV EDX,2
004502F6 |. E8 6179FBFF |CALL CrackMe1.00407C5C
004502FB |. 8B55 BC |MOV EDX,DWORD PTR SS:[EBP-44]
004502FE |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
00450301 |. E8 D23DFBFF |CALL CrackMe1.004040D8
00450306 |. 46 |INC ESI
00450307 |. 4B |DEC EBX
00450308 |.^ 75 DC \JNZ SHORT CrackMe1.004502E6
0045030A |> 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0045030D |. 50 PUSH EAX
0045030E |. B9 01000000 MOV ECX,1
00450313 |. BA 01000000 MOV EDX,1
00450318 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0045031B |. E8 1040FBFF CALL CrackMe1.00404330
00450320 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00450323 |. 50 PUSH EAX
00450324 |. B9 01000000 MOV ECX,1
00450329
(middle part omitted ...)
00450411 |. 83EB 02 SUB EBX,2
00450414 7C 44 JL SHORT CrackMe1.0045045A
00450416 |. 43 INC EBX
00450417 |. BE 02000000 MOV ESI,2 ; the important loop: takes characters 2, 4, 6 of the trial code
0045041C |> 8BC6 /MOV EAX,ESI
0045041E |. 25 01000080 |AND EAX,80000001
00450423 |. 79 05 |JNS SHORT CrackMe1.0045042A
00450425 |. 48 |DEC EAX
00450426 |. 83C8 FE |OR EAX,FFFFFFFE
00450429 |. 40 |INC EAX
0045042A |> 85C0 |TEST EAX,EAX
0045042C |. 75 28 |JNZ SHORT CrackMe1.00450456
0045042E |. 8D55 98 |LEA EDX,DWORD PTR SS:[EBP-68]
00450431 |. 8B87 FC020000 |MOV EAX,DWORD PTR DS:[EDI+2FC]
00450437 |. E8 E0EFFDFF |CALL CrackMe1.0042F41C
0045043C |. 8B45 98 |MOV EAX,DWORD PTR SS:[EBP-68]
0045043F |. 8A5430 FF |MOV DL,BYTE PTR DS:[EAX+ESI-1]
00450443 |. 8D45 9C |LEA EAX,DWORD PTR SS:[EBP-64]
00450446 |. E8 AD3BFBFF |CALL CrackMe1.00403FF8
0045044B |. 8B55 9C |MOV EDX,DWORD PTR SS:[EBP-64]
0045044E |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]
00450451 |. E8 823CFBFF |CALL CrackMe1.004040D8
00450456 |> 46 |INC ESI
00450457 |. 4B |DEC EBX
00450458 |.^ 75 C2 \JNZ SHORT CrackMe1.0045041C
0045045A |> 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; the extracted characters 2, 4, 6 are compared with 119
0045045D |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00450460 |. E8 B73DFBFF CALL CrackMe1.0040421C ; key CALL,
00450465 75 15 JNZ SHORT CrackMe1.0045047C ; key jump; on success it's OVER; to patch it, NOP this out
00450467 |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00450469 |. 68 EC044500 PUSH CrackMe1.004504EC ; |Title = "提示"
0045046E |. 68 68054500 PUSH CrackMe1.00450568 ; |Text = "你真棒!"
00450473 |. 6A 00 PUSH 0 ; |hOwner = NULL
00450475 |. E8 1E60FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0045047A |. EB 13 JMP SHORT CrackMe1.0045048F
0045047C |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0045047E |. 68 EC044500 PUSH CrackMe1.004504EC ; |Title = "提示"
00450483 |. 68 74054500 PUSH CrackMe1.00450574 ; |Text = "继续努力!"
00450488 |. 6A 00 PUSH 0 ; |hOwner = NULL
0045048A |. E8 0960FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
At this point registration succeeds; any registration code of the following form works:
User name: obione
Registration code: *1*1*9, e.g. 111199
Also: if the user name is in upper case it is compared with 997; if the user name consists of digits it is compared with 779! Chinese is compared with 999!
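The two loops noted above (004502A3 and 0045041C) share one compiler idiom: AND EAX,80000001 followed by JNS / DEC / OR FFFFFFFE / INC is how Delphi compiles a signed `i mod 2`, and the JNZ after TEST EAX,EAX skips odd positions. The Python below is an added example, not code from the original post or from the CrackMe's author; it models only what the listing shows. Assumptions, labelled in the comments: that the CALL at 00450281 concatenates the user name and the constant "pygs5jd3klxt" in that order (the order is inferred from the result boeysj3lt reported above), and that the second loop applies the same even-position pick to the typed registration code.

```python
# Python model of the even-position loops in the CrackMe listing above.
# Added example: not the post's code and not the CrackMe's own source.

CONSTANT = "pygs5jd3klxt"   # ASCII string referenced at 00450261 in the listing


def signed_mod2(esi: int) -> int:
    """Reproduce the idiom at 004502A3-004502B1 (and 0045041C-0045042A).

    AND EAX,80000001 keeps only the sign bit and bit 0.  When the sign bit is
    set (JNS not taken) the DEC / OR FFFFFFFE / INC sequence turns the value
    into -1, which is the Delphi result of `i mod 2` for a negative odd i.
    Returns 0 for even ESI, 1 for positive odd ESI, -1 for negative odd ESI.
    """
    eax = esi & 0x80000001
    if eax & 0x80000000:              # sign bit set: JNS falls through
        eax = (eax - 1) & 0xFFFFFFFF  # DEC EAX
        eax |= 0xFFFFFFFE             # OR EAX,FFFFFFFE
        eax = (eax + 1) & 0xFFFFFFFF  # INC EAX
    # TEST EAX,EAX looks at the 32-bit register; report it as a signed value
    return eax - 0x100000000 if eax & 0x80000000 else eax


def even_positions(s: str) -> str:
    """Model of the loop body: ESI runs from 2 to len(s) (1-based), and the
    byte at [EDX+ESI-1] is appended only when ESI mod 2 == 0."""
    ebx = len(s) - 2                  # SUB EBX,2
    if ebx < 0:                       # JL: strings shorter than 2 produce nothing
        return ""
    out = []
    for esi in range(2, len(s) + 1):  # INC EBX gives len-1 iterations from ESI=2
        if signed_mod2(esi) == 0:     # JNZ skips odd positions
            out.append(s[esi - 1])    # 1-based position ESI -> 0-based ESI-1
    return "".join(out)


def intermediate_string(username: str) -> str:
    """Value left in [EBP-10] after the first loop.

    Assumption: the CALL at 00450281 concatenates user name + CONSTANT in that
    order; with that order "obione" yields the boeysj3lt the post reports.
    """
    return even_positions(username + CONSTANT)


def serial_check_positions(serial: str) -> str:
    """Model of the loop at 0045041C: the same even-position pick applied to
    the typed registration code (assumed to be the string read from the edit
    control at [EDI+2FC]).  The post states the result is then compared with a
    three-character string, 119 for a lower-case user name."""
    return even_positions(serial)


if __name__ == "__main__":
    print(intermediate_string("obione"))      # boeysj3lt, as the post reports
    print(serial_check_positions("111199"))   # 119
```

Running the block on the post's own inputs reproduces boeysj3lt for the user name obione and 119 for the sample code 111199; the omitted middle section (where 119 itself is derived) is not modelled, since the post does not show it.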
------------------------------------------------------------------------
This is just my immature view; if there is a better method, please enlighten me! Thanks!!
QQ:171003683
------------------------------------------------------------------------
【Copyright notice】This writeup is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!
[ This post was last edited by 野猫III on 2006-7-19 12:35 ]