【答案提交】【吾爱破解2014CrackMe大赛】【第八组】
本帖最后由 L4Nce 于 2014-11-1 15:03 编辑
这个CM比较简单哈……
找按钮事件用了Delphi按钮事件脚本, 断在了00431C14
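00431C14|.FF93 20010000 call dword ptr ds:[ebx+0x120]      ; operand restored from the opcode bytes (FF 93 disp32 = call [ebx+disp32]); the forum markup swallowed the [..] text. Per the write-up this is the button-event dispatch the author broke on.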
F7跟进找到了验证。。。
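;-----------------------------------------------------------------------
; OllyDbg listing of the check routine at 00451F1C (Delphi code; Delphi's
; register convention passes the object in eax). The memory operands in
; the original post were eaten by the forum's [bracket] markup; they are
; restored below from the opcode bytes in the second column.
; RTL helper names given in the comments are inferred from the call
; patterns (arguments in eax/edx/ecx) and are NOT shown on the page —
; confirm them in the debugger before relying on them.
; Locals, all zeroed by the push loop at 00451F24:
;   [ebp-0x4], [ebp-0x8]   texts of the two edit controls
;   [ebp-0x10], [ebp-0xC]  strings built from [ebp-0x8] (even / odd chars)
;   [ebp-0x14]             result string of the final concatenation
;   [ebp-0x18]             integer loop counter i
;   [ebp-0x1C]..[ebp-0x30] temporary strings
;-----------------------------------------------------------------------
00451F1C .55 push ebp
00451F1D .8BEC mov ebp,esp
00451F1F .B9 06000000 mov ecx,0x6                          ; 6 iterations x 2 pushes = 12 zeroed dwords = 0x30 bytes of locals
00451F24 >6A 00 push 0x0
00451F26 .6A 00 push 0x0
00451F28 .49 dec ecx
00451F29 ^ 75 F9 jnz XCrackMe.00451F24
00451F2B 53 push ebx
00451F2C 56 push esi
00451F2D 57 push edi
00451F2E .8BD8 mov ebx,eax                                 ; ebx = Self (object pointer passed in eax)
00451F30 .BF 243D4500 mov edi,CrackMe.00453D24             ; edi = base of a global data block; fields +0x34/+0x38/+0x44/+0x48 are compared below, and 0x453D74 (= edi+0x50) is the divisor
00451F35 .33C0 xor eax,eax                                 ; eax = 0 so fs:[eax] is fs:[0], the SEH chain head
00451F37 .55 push ebp
00451F38 .68 00214500 push CrackMe.00452100                 ; outermost frame; handler 00452100 looks like a Delphi try..finally thunk (cleanup at 004520E5)
00451F3D .64:FF30 push dword ptr fs:[eax]
00451F40 .64:8920 mov dword ptr fs:[eax],esp
00451F43 .8D55 FC lea edx,dword ptr ss:[ebp-0x4]           ; edx = &local string 1
00451F46 .8B83 04030000 mov eax,dword ptr ds:[ebx+0x304]    ; eax = Self+0x304 (presumably the first edit control)
00451F4C .E8 1BE7FDFF call CrackMe.0043066C                ; presumably reads the control text into [ebp-0x4]
00451F51 .8D55 F8 lea edx,dword ptr ss:[ebp-0x8]           ; edx = &local string 2
00451F54 .8B83 08030000 mov eax,dword ptr ds:[ebx+0x308]    ; eax = Self+0x308 (presumably the second edit control)
00451F5A .E8 0DE7FDFF call CrackMe.0043066C                ; same helper: text into [ebp-0x8]
00451F5F .8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
00451F62 .E8 3925FBFF call CrackMe.004044A0                ; presumably string length of [ebp-0x8] -> eax
00451F67 .8BF0 mov esi,eax
00451F69 .D1FE sar esi,1                                   ; esi = len div 2 (signed halve; the adc fixes rounding for negative values)
00451F6B .79 03 jns XCrackMe.00451F70
00451F6D .83D6 00 adc esi,0x0
00451F70 >33C9 xor ecx,ecx                                 ; ecx = 0 so fs:[ecx] is fs:[0]
00451F72 .55 push ebp
00451F73 .68 CE204500 push CrackMe.004520CE                 ; inner frame; handler 004520CE jumps to 00403908 and the block at 004520D3 only calls 00403C70, i.e. an except block that swallows everything
00451F78 .64:FF31 push dword ptr fs:[ecx]
00451F7B .64:8921 mov dword ptr fs:[ecx],esp
00451F7E .8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00451F81 .E8 5A22FBFF call CrackMe.004041E0                ; presumably clears string [ebp-0x10]
00451F86 .8BDE mov ebx,esi                                 ; loop 1 runs esi times (ebx = esi-1, skip if negative, then +1)
00451F88 .4B dec ebx
00451F89 .85DB test ebx,ebx
00451F8B .7C 2C jl XCrackMe.00451FB9                       ; signed test: skip when esi == 0
00451F8D .43 inc ebx
00451F8E .C745 E8 00000>mov dword ptr ss:[ebp-0x18],0x0     ; i = 0
00451F95 >8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]          ; loop 1: for i = 0 .. esi-1
00451F98 .8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
00451F9B .03D2 add edx,edx                                 ; edx = 2*i
00451F9D .8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
00451FA0 .8A1411 mov dl,byte ptr ds:[ecx+edx]              ; dl = s2[2*i] (0-based): characters at even positions
00451FA3 .E8 2024FBFF call CrackMe.004043C8                ; presumably one-char string from dl into [ebp-0x1C]
00451FA8 .8B55 E4 mov edx,dword ptr ss:[ebp-0x1C]
00451FAB .8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
00451FAE .E8 F524FBFF call CrackMe.004044A8                ; presumably [ebp-0x10] := [ebp-0x10] + [ebp-0x1C]
00451FB3 .FF45 E8 inc dword ptr ss:[ebp-0x18]              ; i++
00451FB6 .4B dec ebx
00451FB7 .^ 75 DC jnz XCrackMe.00451F95
00451FB9 >8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00451FBC .E8 1F22FBFF call CrackMe.004041E0                ; presumably clears string [ebp-0xC]
00451FC1 .8BDE mov ebx,esi                                 ; loop 2 runs esi times
00451FC3 .85DB test ebx,ebx
00451FC5 .7E 2C jle XCrackMe.00451FF3
00451FC7 .C745 E8 01000>mov dword ptr ss:[ebp-0x18],0x1     ; i = 1
00451FCE >8D45 E0 lea eax,dword ptr ss:[ebp-0x20]          ; loop 2: for i = 1 .. esi
00451FD1 .8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
00451FD4 .03D2 add edx,edx                                 ; edx = 2*i
00451FD6 .8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
00451FD9 .8A5411 FF mov dl,byte ptr ds:[ecx+edx-0x1]       ; dl = s2[2*i-1] (0-based): characters at odd positions
00451FDD .E8 E623FBFF call CrackMe.004043C8                ; one-char string into [ebp-0x20]
00451FE2 .8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
00451FE5 .8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00451FE8 .E8 BB24FBFF call CrackMe.004044A8                ; [ebp-0xC] := [ebp-0xC] + [ebp-0x20]
00451FED .FF45 E8 inc dword ptr ss:[ebp-0x18]
00451FF0 .4B dec ebx
00451FF1 .^ 75 DB jnz XCrackMe.00451FCE
00451FF3 >8BDE mov ebx,esi                                 ; loop 3 runs esi times
00451FF5 .85DB test ebx,ebx
00451FF7 .7E 48 jle XCrackMe.00452041
00451FF9 .C745 E8 01000>mov dword ptr ss:[ebp-0x18],0x1     ; i = 1
00452000 >8D45 DC lea eax,dword ptr ss:[ebp-0x24]          ; loop 3: for i = 1 .. esi, pair up the i-th char of both strings
00452003 .8B55 F4 mov edx,dword ptr ss:[ebp-0xC]
00452006 .8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00452009 .8A540A FF mov dl,byte ptr ds:[edx+ecx-0x1]       ; dl = [ebp-0xC][i] (1-based indexing)
0045200D .E8 B623FBFF call CrackMe.004043C8                ; one-char string into [ebp-0x24]
00452012 .8B45 DC mov eax,dword ptr ss:[ebp-0x24]
00452015 .E8 5E61FBFF call CrackMe.00408178                ; string -> integer in eax (presumably StrToInt-like; NOTE: a non-digit would raise here, inside the swallowing except frame)
0045201A .50 push eax                                      ; save first value
0045201B .8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
0045201E .8B55 F0 mov edx,dword ptr ss:[ebp-0x10]
00452021 .8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00452024 .8A540A FF mov dl,byte ptr ds:[edx+ecx-0x1]       ; dl = [ebp-0x10][i]
00452028 .E8 9B23FBFF call CrackMe.004043C8                ; one-char string into [ebp-0x28]
0045202D .8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
00452030 .E8 4361FBFF call CrackMe.00408178                ; second value -> eax
00452035 .5A pop edx                                       ; edx = first value
00452036 .E8 E9F7FFFF call CrackMe.00451824                ; application routine (eax, edx); not in this listing — presumably updates the counters at edi+0x34.. compared below
0045203B .FF45 E8 inc dword ptr ss:[ebp-0x18]
0045203E .4B dec ebx
0045203F .^ 75 BF jnz XCrackMe.00452000
00452041 >8B47 38 mov eax,dword ptr ds:[edi+0x38]          ; all four of these checks must pass, otherwise fall to 004520C4 (silent exit, no message)
00452044 .8B57 34 mov edx,dword ptr ds:[edi+0x34]
00452047 .3BC2 cmp eax,edx                                 ; [edi+0x38] == [edi+0x34]
00452049 .75 79 jnz XCrackMe.004520C4
0045204B .3B47 44 cmp eax,dword ptr ds:[edi+0x44]          ; == [edi+0x44]
0045204E .75 74 jnz XCrackMe.004520C4
00452050 .3B47 48 cmp eax,dword ptr ds:[edi+0x48]          ; == [edi+0x48]
00452053 .75 6F jnz XCrackMe.004520C4
00452055 .83FA 09 cmp edx,0x9                              ; and [edi+0x34] == 9
00452058 .75 6A jnz XCrackMe.004520C4
0045205A .33C0 xor eax,eax
0045205C .55 push ebp
0045205D .68 7F204500 push CrackMe.0045207F                 ; third frame: try..except around the division; handler at 0045207F
00452062 .64:FF30 push dword ptr fs:[eax]
00452065 .64:8920 mov dword ptr fs:[eax],esp
00452068 .8B45 E8 mov eax,dword ptr ss:[ebp-0x18]          ; eax = i (esi+1 after loop 3)
0045206B .99 cdq                                           ; sign-extend into edx:eax before the signed divide
0045206C .F73D 743D4500 idiv dword ptr ds:[0x453D74]        ; i div [0x453D74]; raises if the divisor is 0
00452072 .8945 E8 mov dword ptr ss:[ebp-0x18],eax
00452075 .33C0 xor eax,eax                                 ; normal exit of the try block: unlink the frame and skip the except body
00452077 .5A pop edx
00452078 .59 pop ecx
00452079 .59 pop ecx
0045207A .64:8910 mov dword ptr fs:[eax],edx
0045207D .EB 1D jmp XCrackMe.0045209C
0045207F .^ E9 8418FBFF jmp CrackMe.00403908               ; handler thunk (presumably Delphi @HandleAnyException); 00403908 is also the target of the handler at 004520CE
00452084 .6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL      ; except body: in normal flow the jmp at 0045207D skips it, so it runs only after the handler above has been invoked
00452086 .68 10214500 push CrackMe.00452110 ; |提示
0045208B .68 18214500 push CrackMe.00452118 ; |注册成功!
00452090 .6A 00 push 0x0 ; |hOwner = NULL
00452092 .E8 BD48FBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00452097 E8 D41BFBFF call CrackMe.00403C70                 ; presumably @DoneExcept, which expects an exception in flight — consistent with the error the author saw on entering here by a direct jmp (see the final patch note in the post)
0045209C >8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
0045209F .8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004520A2 .E8 955FFBFF call CrackMe.0040803C                ; presumably IntToStr(i) -> [ebp-0x2C]
004520A7 .8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
004520AA .50 push eax
004520AB .8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
004520AE .A1 743D4500 mov eax,dword ptr ds:[0x453D74]      ; the divisor global again
004520B3 .E8 845FFBFF call CrackMe.0040803C                ; IntToStr([0x453D74]) -> [ebp-0x30]
004520B8 .8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
004520BB .8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004520BE .59 pop ecx                                       ; ecx = IntToStr(i)
004520BF .E8 2824FBFF call CrackMe.004044EC                ; presumably 3-operand concat: [ebp-0x14] := ecx + edx; the result is not read again in this listing
004520C4 >33C0 xor eax,eax                                 ; common exit: unlink the inner except frame (pushed at 00451F72)
004520C6 .5A pop edx
004520C7 .59 pop ecx
004520C8 .59 pop ecx
004520C9 .64:8910 mov dword ptr fs:[eax],edx
004520CC .EB 0A jmp XCrackMe.004520D8
004520CE .^ E9 3518FBFF jmp CrackMe.00403908               ; handler thunk for the inner frame
004520D3 .E8 981BFBFF call CrackMe.00403C70                ; empty except body: any exception inside loops 1-3 or the checks is silently discarded
004520D8 >33C0 xor eax,eax                                 ; unlink the outermost frame (pushed at 00451F37)
004520DA .5A pop edx
004520DB .59 pop ecx
004520DC .59 pop ecx
004520DD .64:8910 mov dword ptr fs:[eax],edx
004520E0 .68 07214500 push CrackMe.00452107                 ; return address for the cleanup below: the retn at 004520FF lands on 00452107
004520E5 >8D45 D0 lea eax,dword ptr ss:[ebp-0x30]          ; cleanup (also the finally target via 00452105)
004520E8 .BA 06000000 mov edx,0x6                          ; release 6 strings [ebp-0x30]..[ebp-0x1C]
004520ED .E8 1221FBFF call CrackMe.00404204                ; presumably clears an array of strings (eax = first, edx = count); [ebp-0x18] is the integer and is skipped
004520F2 .8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004520F5 .BA 05000000 mov edx,0x5                          ; release 5 strings [ebp-0x14]..[ebp-0x4]
004520FA .E8 0521FBFF call CrackMe.00404204
004520FF .C3 retn
00452100 .^ E9 B71AFBFF jmp CrackMe.00403BBC               ; finally thunk for the outermost frame (presumably @HandleFinally)
00452105 .^ EB DE jmp XCrackMe.004520E5                    ; re-enter the cleanup on the exception path
00452107 .5F pop edi                                       ; epilogue: restore callee-saved registers and the caller's frame
00452108 .5E pop esi
00452109 .5B pop ebx
0045210A .8BE5 mov esp,ebp
0045210C .5D pop ebp
0045210D .C3 retn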
直接jmp到提示注册成功的地方却报错,于是再想办法,
跳转nop掉也不行。。
最后找到方法
00451F8B /7C 2C jl XCrackMe.00451FB9 ; 改为jmp
00451FC5 /7E 2C jle XCrackMe.00451FF3 ; 改为jmp
00451FF7 /7E 48 jle XCrackMe.00452041 ; 改为jmp
00452049 .75 79 jnz XCrackMe.004520C4 ; nop掉
0045204E .75 74 jnz XCrackMe.004520C4 ; nop掉
00452053 .75 6F jnz XCrackMe.004520C4 ; nop掉
00452058 .75 6A jnz XCrackMe.004520C4 ; nop掉
0045207D . /EB 1D jmp XCrackMe.0045209C ; 改为jmp 00452084
运行发现还是报错
终于发现
00452097 E8 D41BFBFF call CrackMe.00403C70 ; 改为retn
完美运行无报错。
爆破后的附件:
爆破有效
得分:6
在后续题目中继续加油!
厉害学习了。
直接jmp到提示注册成功的地方却报错,于是再想办法,
跳转nop掉也不行。。
最后找到方法
00451F8B /7C 2C jl XCrackMe.00451FB9 ; 改为jmp
00451FC5 /7E 2C jle XCrackMe.00451FF3 ; 改为jmp
00451FF7 /7E 48 jle XCrackMe.00452041 ; 改为jmp
00452049 .75 79 jnz XCrackMe.004520C4 ; nop掉
0045204E .75 74 jnz XCrackMe.004520C4 ; nop掉
00452053 .75 6F jnz XCrackMe.004520C4 ; nop掉
00452058 .75 6A jnz XCrackMe.004520C4 ; nop掉
0045207D . /EB 1D jmp XCrackMe.0045209C ; 改为jmp 00452084
看了很多帖,一点点都不懂
感谢发帖
感谢分享