This post was last edited by L4Nce on 2014-10-24 22:26
Judging by the icon this should be a VC MFC program. Open it, enter any registration name and registration code, press the reg button: nothing happens.
Load the program in OD. After it breaks at the entry point, search for strings: nothing useful turns up. Set a breakpoint on GetWindowTextA, enter any registration name and code, press reg, and the program breaks.
After returning to the program's own code, return up one more level to land in the code section that does the algorithm check.
00401B50 /. 55 push ebp ; algorithm check
00401B51 |. 8BEC mov ebp,esp
00401B53 |. 83E4 F8 and esp,0xFFFFFFF8
00401B56 |. 6A FF push -0x1
00401B58 |. 68 162C5200 push CrackMe.00522C16
00401B5D |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00401B63 |. 50 push eax
00401B64 |. 81EC A8070000 sub esp,0x7A8
00401B6A |. A1 00CC5600 mov eax,dword ptr ds:[0x56CC00]
00401B6F |. 33C4 xor eax,esp
00401B71 |. 898424 A00700>mov dword ptr ss:[esp+0x7A0],eax
00401B78 |. 53 push ebx
00401B79 |. 56 push esi
00401B7A |. 57 push edi
00401B7B |. A1 00CC5600 mov eax,dword ptr ds:[0x56CC00]
00401B80 |. 33C4 xor eax,esp
00401B82 |. 50 push eax
00401B83 |. 8D8424 B80700>lea eax,dword ptr ss:[esp+0x7B8]
00401B8A |. 64:A3 0000000>mov dword ptr fs:[0],eax
00401B90 |. 68 50214000 push CrackMe.00402150
00401B95 |. 68 40214000 push CrackMe.00402140
00401B9A |. 6A 51 push 0x51
00401B9C |. 6A 14 push 0x14
00401B9E |. 8D4424 4C lea eax,dword ptr ss:[esp+0x4C]
00401BA2 |. 50 push eax
00401BA3 |. 8BF1 mov esi,ecx
00401BA5 |. E8 DBEE0F00 call CrackMe.00500A85
00401BAA |. C78424 C00700>mov dword ptr ss:[esp+0x7C0],0x0
00401BB5 |. 60 pushad
00401BB6 |. 9C pushfd
00401BB7 |. 8F4424 58 pop dword ptr ss:[esp+0x58]
00401BBB |. 8F4424 50 pop dword ptr ss:[esp+0x50]
00401BBF |. 8F4424 48 pop dword ptr ss:[esp+0x48]
00401BC3 |. 8F4424 40 pop dword ptr ss:[esp+0x40]
00401BC7 |. 8F4424 38 pop dword ptr ss:[esp+0x38]
00401BCB |. 8F4424 30 pop dword ptr ss:[esp+0x30]
00401BCF |. 8F4424 28 pop dword ptr ss:[esp+0x28]
00401BD3 |. 8F4424 20 pop dword ptr ss:[esp+0x20]
00401BD7 |. 8F4424 18 pop dword ptr ss:[esp+0x18]
00401BDB |. 6A 0A push 0xA
00401BDD |. 8D8C24 9C0600>lea ecx,dword ptr ss:[esp+0x69C]
00401BE4 |. 51 push ecx
00401BE5 |. 68 EB030000 push 0x3EB
00401BEA |. 8BCE mov ecx,esi
00401BEC |. C74424 34 140>mov dword ptr ss:[esp+0x34],0x14
00401BF4 |. E8 2E060100 call CrackMe.00412227 ; GetDlgxxxx: fetch the registration name
00401BF9 |. 68 04010000 push 0x104
00401BFE |. 8D9424 A80600>lea edx,dword ptr ss:[esp+0x6A8]
00401C05 |. 52 push edx
00401C06 |. 8BF8 mov edi,eax
00401C08 |. 68 EC030000 push 0x3EC
00401C0D |. 8BCE mov ecx,esi
00401C0F |. 897C24 20 mov dword ptr ss:[esp+0x20],edi
00401C13 |. E8 0F060100 call CrackMe.00412227 ; GetDlgxxxx: fetch the registration code
00401C18 |. 8BF0 mov esi,eax
Single-stepping downward you can see the algorithm. My skills are too weak, I couldn't understand it even with IDA + F5.
Keep going down until
00401E51 |. 81F9 4EFA9EFA cmp ecx,0xFA9EFA4E ; compare
00401E57 |. 75 12 jnz XCrackMe.00401E6B ; jump
00401E59 |. 52 push edx ; /Style
00401E5A |. 68 70D95400 push CrackMe.0054D970 ; |Title = "0"
00401E5F |. 68 74D95400 push CrackMe.0054D974 ; |Text = "good"
00401E64 |. 52 push edx ; |hOwner
00401E65 |. FF15 40585200 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
Change "00401E57 |. 75 12 jnz XCrackMe.00401E6B" to nop and the check can be brute-patched.
Patched this way, the username must still be longer than three characters.
At the start of this code section you can see
00401C3B |. 83FF 03 cmp edi,0x3
00401C3E 77 1B ja XCrackMe.00401C5B ; jump if the registration name is longer than 3 characters
00401C40 |. 8D46 FC lea eax,dword ptr ds:[esi-0x4]
00401C43 |. 83F8 03 cmp eax,0x3
00401C46 |. 77 13 ja XCrackMe.00401C5B
00401C48 |. 68 50214000 push CrackMe.00402150
00401C4D |. 6A 51 push 0x51
00401C4F |. 6A 14 push 0x14
00401C51 |. 8D4C24 48 lea ecx,dword ptr ss:[esp+0x48]
00401C55 |. 51 push ecx
00401C56 |. E9 1E020000 jmp CrackMe.00401E79
00401C5B |> 8D4424 3C lea eax,dword ptr ss:[esp+0x3C]
00401C5F |. E8 4C020000 call CrackMe.00401EB0
Change "00401C3E 77 1B ja XCrackMe.00401C5B" to "jmp CrackMe.00401C5B" so it jumps unconditionally; that skips the registration name check.
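Both patches above rewrite a two-byte short jump, so it is worth checking the encoding before touching any bytes. The following is an added example, not code from the original post or the CrackMe: it decodes the rel8 displacement of the jnz at 00401E57 and the ja at 00401C3E as they appear in the OD listing, confirms the targets OD shows (00401E6B and 00401C5B), and derives the replacement bytes for "jnz -> nop" and "ja -> jmp". The in-memory buffer and its offset are constructed for the example; the check that the original bytes are present before writing is the part worth keeping in any real patching script.

```python
# Added example (not from the original post): x86 short (rel8) jump decoding
# and the byte-level form of the two patches the write-up describes.

REL8_OPCODES = {0x75: "jnz", 0x77: "ja", 0xEB: "jmp"}


def rel8_target(address: int, insn: bytes) -> int:
    """Target of a two-byte rel8 jump located at `address` (32-bit x86).

    The displacement is a signed byte measured from the *next* instruction,
    so target = address + 2 + disp (mod 2**32).
    """
    if len(insn) != 2 or insn[0] not in REL8_OPCODES:
        raise ValueError("not a two-byte rel8 jump: %s" % insn.hex())
    disp = int.from_bytes(insn[1:2], "little", signed=True)
    return (address + 2 + disp) & 0xFFFFFFFF


def nop_patch(insn: bytes) -> bytes:
    """Replace the whole jump with NOPs, as done for the jnz at 00401E57."""
    return b"\x90" * len(insn)


def force_jump(insn: bytes) -> bytes:
    """Turn jcc rel8 into jmp rel8 (opcode EB), keeping the displacement,
    as done for the ja at 00401C3E. The target is unchanged."""
    if len(insn) != 2 or insn[0] not in REL8_OPCODES:
        raise ValueError("not a two-byte rel8 jump: %s" % insn.hex())
    return b"\xEB" + insn[1:2]


def apply_patch(image: bytearray, offset: int, expected: bytes, replacement: bytes) -> bytearray:
    """Write `replacement` at `offset` only if the bytes there are `expected`.

    Refusing to patch on a mismatch protects against a wrong offset or a
    different build of the binary.
    """
    if len(expected) != len(replacement):
        raise ValueError("patch must not change instruction length")
    if image[offset:offset + len(expected)] != expected:
        raise ValueError("unexpected bytes at offset 0x%X: %s"
                         % (offset, image[offset:offset + len(expected)].hex()))
    image[offset:offset + len(replacement)] = replacement
    return image


# The two branches quoted in the listing: address -> opcode bytes.
LISTING = {
    0x00401E57: bytes.fromhex("7512"),  # jnz XCrackMe.00401E6B
    0x00401C3E: bytes.fromhex("771B"),  # ja  XCrackMe.00401C5B
}


def decode_listing(listing=LISTING):
    """Return {address: (mnemonic, target)} for every rel8 jump in `listing`."""
    return {addr: (REL8_OPCODES[insn[0]], rel8_target(addr, insn))
            for addr, insn in listing.items()}


if __name__ == "__main__":
    for addr, (mn, tgt) in decode_listing().items():
        print("%08X  %s -> %08X" % (addr, mn, tgt))
    # Constructed buffer standing in for a few bytes around 00401C3E (offset 0 here).
    buf = bytearray(bytes.fromhex("83FF03771B8D46FC"))
    apply_patch(buf, 3, LISTING[0x00401C3E], force_jump(LISTING[0x00401C3E]))
    print(buf.hex())  # 83ff03eb1b8d46fc
```

The jnz at 00401E57 and the ja at 00401C3E sit exactly 0x12 and 0x1B bytes before their targets once the two-byte length of the jump itself is counted, which is how OD arrives at 00401E6B and 00401C5B. Because `force_jump` keeps the displacement and only swaps the opcode, the patched jmp lands on the same 00401C5B the original ja did.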
Patched program: CrackMe1.rar (686.66 KB, downloads: 8)