Membership application ID: zusheng [Application approved]
Application ID: zusheng   Personal e-mail: 1370078017@qq.com
A CrackMe downloaded from Pediy (看雪); the following are my study notes, written to apply for an invitation code.
First, run the program to get the error message: Incorrect!,TryAgain.
OK, load it in W32dsm, then right-click, choose Find Text, enter "incorrect" and click Find.
OK, note down the address shown at this point:
Load it in OD, press Ctrl+G and enter the address just found.
OK, let's look above and below! Heh, the error message is here, so the important stuff is probably nearby. Find the start of this segment and press F2 to set a breakpoint. Reload the program, press F9 to run, enter a username and password and click Check.
Then it stops at the breakpoint we set!
We continue analysing downwards... and arrive here:

004015C7  8B55 E0        MOV EDX,DWORD PTR SS:
004015CA  83C2 01        ADD EDX,1
004015CD  8955 E0        MOV DWORD PTR SS:,EDX
004015D0  8B45 E0        MOV EAX,DWORD PTR SS:
004015D3  3B45 E4        CMP EAX,DWORD PTR SS:            ; is the password length greater than 0?
004015D6  7D 42          JGE SHORT CHAP204.0040161A
004015D8  8B4D E0        MOV ECX,DWORD PTR SS:
004015DB  51             PUSH ECX                         ; /Arg1
004015DC  8D4D EC        LEA ECX,DWORD PTR SS:            ; |
004015DF  E8 1C030000    CALL CHAP204.00401900            ; \read the first character into eax
{
00401900  55             PUSH EBP
00401901  8BEC           MOV EBP,ESP
00401903  51             PUSH ECX
00401904  894D FC        MOV DWORD PTR SS:,ECX
00401907  8B45 FC        MOV EAX,DWORD PTR SS:
0040190A  8B08           MOV ECX,DWORD PTR DS:            ; load the username into ecx
0040190C  8B55 08        MOV EDX,DWORD PTR SS:            ; edx=0
0040190F  8A0411         MOV AL,BYTE PTR DS:
00401912  8BE5           MOV ESP,EBP
00401914  5D             POP EBP
00401915  C2 0400        RETN 4
}
004015DF  E8 1C030000    CALL CHAP204.00401900            ; \read the first character into eax
004015E4  0FBED0         MOVSX EDX,AL                     ; at this point the upper bits of eax are cleared, giving the first character of the username
004015E7  8B45 F0        MOV EAX,DWORD PTR SS:            ; 81276345
004015EA  03C2           ADD EAX,EDX                      ; 81276345 + a
004015EC  8945 F0        MOV DWORD PTR SS:,EAX
004015EF  8B4D E0        MOV ECX,DWORD PTR SS:            ; ecx=0
004015F2  C1E1 08        SHL ECX,8                        ; ecx*8
004015F5  8B55 F0        MOV EDX,DWORD PTR SS:            ; edx=a
004015F8  33D1           XOR EDX,ECX
004015FA  8955 F0        MOV DWORD PTR SS:,EDX
004015FD  8B45 E0        MOV EAX,DWORD PTR SS:
00401600  83C0 01        ADD EAX,1
00401603  8B4D E4        MOV ECX,DWORD PTR SS:            ; ecx = 8, the password length
00401606  0FAF4D E0      IMUL ECX,DWORD PTR SS:
0040160A  F7D1           NOT ECX
0040160C  0FAFC1         IMUL EAX,ECX
0040160F  8B55 F0        MOV EDX,DWORD PTR SS:
00401612  0FAFD0         IMUL EDX,EAX
00401615  8955 F0        MOV DWORD PTR SS:,EDX
00401618  EB AD          JMP SHORT CHAP204.004015C7

This part is the algorithm; you can compare the algorithm here against the one I wrote below!

0040161A  8B45 F0        MOV EAX,DWORD PTR SS:            ; load the result into eax
0040161D  50             PUSH EAX
0040161E  68 54404000    PUSH CHAP204.00404054            ; ASCII "%lu"
00401623  8D4D DC        LEA ECX,DWORD PTR SS:
00401626  51             PUSH ECX
00401627  E8 52070000    CALL <JMP.&MFC42.#2818>
0040162C  83C4 0C        ADD ESP,0C
0040162F  8D4D DC        LEA ECX,DWORD PTR SS:
00401632  E8 79020000    CALL CHAP204.004018B0
00401637  50             PUSH EAX                         ; /Arg1
00401638  8D4D E8        LEA ECX,DWORD PTR SS:            ; |
0040163B  E8 80020000    CALL CHAP204.004018C0            ; key call, step into it and look
{
004018C0  55             PUSH EBP
004018C1  8BEC           MOV EBP,ESP
004018C3  51             PUSH ECX
004018C4  894D FC        MOV DWORD PTR SS:,ECX
004018C7  8B45 08        MOV EAX,DWORD PTR SS:
004018CA  50             PUSH EAX                         ; /Arg2
004018CB  8B4D FC        MOV ECX,DWORD PTR SS:            ; |
004018CE  8B11           MOV EDX,DWORD PTR DS:            ; |
004018D0  52             PUSH EDX                         ; |Arg1
004018D1  E8 0A000000    CALL CHAP204.004018E0            ; \CHAP204.004018E0
004018D6  83C4 08        ADD ESP,8
004018D9  8BE5           MOV ESP,EBP
004018DB  5D             POP EBP
004018DC  C2 0400        RETN 4
004018DF  CC             INT3
004018E0  55             PUSH EBP
004018E1  8BEC           MOV EBP,ESP
004018E3  8B45 0C        MOV EAX,DWORD PTR SS:
004018E6  50             PUSH EAX                         ; /s2
004018E7  8B4D 08        MOV ECX,DWORD PTR SS:            ; |
004018EA  51             PUSH ECX
004018EB  FF15 B4314000  CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp, a plaintext comparison; look at the registers to learn what our password is!
004018F1  83C4 08        ADD ESP,8
004018F4  5D             POP EBP
004018F5  C3             RETN
}
00401640  85C0           TEST EAX,EAX                     ; checks whether the transformed username equals the entered password
00401642  0F85 FF000000  JNZ CHAP204.00401747             ; the key jump; to patch it, change it to the following
// 00401642  0F84 FF000000  JE CHAP204.00401747            ; then it succeeds~
00401648  8D8D ACFEFFFF  LEA ECX,DWORD PTR SS:
0040164E  E8 19070000    CALL <JMP.&MFC42.#540>
00401653  C645 FC 03     MOV BYTE PTR SS:,3
00401657  6A 66          PUSH 66
00401659  8D8D ACFEFFFF  LEA ECX,DWORD PTR SS:
0040165F  E8 02070000    CALL <JMP.&MFC42.#4160>
00401664  B9 07000000    MOV ECX,7
00401669  BE 58404000    MOV ESI,CHAP204.00404058         ; ASCII "Correct!! "
0040166E  8DBD 48FEFFFF  LEA EDI,DWORD PTR SS:
00401674  F3:A5          REP MOVS DWORD PTR ES:,DWORD PTR DS:
00401676  66:A5          MOVS WORD PTR ES:,WORD PTR DS:
00401678  A4             MOVS BYTE PTR ES:,BYTE PTR DS:
00401679  B9 11000000    MOV ECX,11
0040167E  33C0           XOR EAX,EAX
00401680  8DBD 67FEFFFF  LEA EDI,DWORD PTR SS:
00401686  F3:AB          REP STOS DWORD PTR ES:
00401688  AA             STOS BYTE PTR ES:
00401689  B9 07000000    MOV ECX,7
0040168E  BE 78404000    MOV ESI,CHAP204.00404078         ; ASCII "<BrD-SoB> "
00401693  8DBD 14FFFFFF  LEA EDI,DWORD PTR SS:
00401699  F3:A5          REP MOVS DWORD PTR ES:,DWORD PTR DS:
0040169B  66:A5          MOVS WORD PTR ES:,WORD PTR DS:
0040169D  B9 11000000    MOV ECX,11
004016A2  33C0           XOR EAX,EAX
004016A4  8DBD 32FFFFFF  LEA EDI,DWORD PTR SS:
004016AA  F3:AB          REP STOS DWORD PTR ES:
004016AC  66:AB          STOS WORD PTR ES:
004016AE  B9 06000000    MOV ECX,6
004016B3  BE 98404000    MOV ESI,CHAP204.00404098         ; ASCII "Incorrect!!, TryAgain."
004016B8  8DBD 78FFFFFF  LEA EDI,DWORD PTR SS:
004016BE  F3:A5          REP MOVS DWORD PTR ES:,DWORD PTR DS:
004016C0  B9 13000000    MOV ECX,13
004016C5  33C0           XOR EAX,EAX
004016C7  8D7D 90        LEA EDI,DWORD PTR SS:
004016CA  F3:AB          REP STOS DWORD PTR ES:
004016CC  B9 07000000    MOV ECX,7
004016D1  BE B0404000    MOV ESI,CHAP204.004040B0         ; ASCII "Correct way to go, You Got It.
Below is the keygen source code, written in C++:

#include <stdio.h>
#include <string.h>
#define SIZE 20
int main()
{
    int i, j, k, max;
    unsigned int b = 0x81276345;   /* 32-bit, same width as the registers in the listing */
    char a[SIZE] = "";
    printf("please input you CodeName\n");
    scanf("%19s", a);              /* bounded read: at most SIZE-1 characters */
    for (i = 0; i < (max = strlen(a)); i++)
    {
        b = a[i] + b;              /* ADD EAX,EDX (a[i] is sign-extended, like MOVSX) */
        j = i;
        //j*=256;;
        j = j << 8;                /* SHL ECX,8 */
        b ^= j;                    /* XOR EDX,ECX */
        k = i;
        k += 1;                    /* ADD EAX,1 */
        b = b * (~(max * i)) * k;  /* IMUL ECX,[len] ; NOT ECX ; IMUL EAX,ECX ; IMUL EDX,EAX */
    }
    puts("this is your code");
    printf("%u\n", b);
    getchar();
    getchar();
    return 0;
}
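As an added example (not the CrackMe's code and not the post author's keygen), the loop at 004015C7..00401618 re-expressed as a pure function with explicit 32-bit wraparound, followed by the check the program performs at 0040161A..00401642: format the value with "%lu" and compare it as a string with the entered serial. It goes slightly beyond the listing's comments by mirroring MOVSX exactly, so bytes at or above 0x80 in the name are added as negative values. The function names and the sample name "ab" are assumptions made for this example.

```c
/* Added example: the CHAP204 serial derivation and check as pure functions.
 * Function names and sample inputs are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEED 0x81276345u   /* initial value the loop starts from (MOV EAX,[...] ; 81276345) */

/* One trip through the loop per character of name, all arithmetic mod 2^32.
 * MOVSX EDX,AL sign-extends the byte, so the (signed char) cast is needed
 * for names containing bytes >= 0x80; plain (unsigned char) would diverge. */
uint32_t chap204_derive(const char *name)
{
    uint32_t b = SEED;
    uint32_t len = (uint32_t)strlen(name);
    for (uint32_t i = 0; i < len; i++) {
        b += (uint32_t)(int32_t)(signed char)name[i]; /* ADD EAX,EDX            */
        b ^= i << 8;                                   /* SHL ECX,8 ; XOR EDX,ECX */
        uint32_t m = (i + 1) * ~(len * i);             /* ADD EAX,1 ; IMUL ; NOT ; IMUL EAX,ECX */
        b *= m;                                        /* IMUL EDX,EAX           */
    }
    return b;
}

/* The program formats the result with "%lu" and hands both strings to
 * _mbscmp; the expected serial is therefore sitting in memory in the clear
 * right before the comparison. Returns 1 on match, 0 otherwise. */
int chap204_check(const char *name, const char *serial)
{
    char expected[11]; /* a 32-bit value has at most 10 decimal digits, plus NUL */
    snprintf(expected, sizeof expected, "%lu", (unsigned long)chap204_derive(name));
    return strcmp(expected, serial) == 0;
}

int main(void)
{
    const char *name = "ab"; /* constructed sample input */
    printf("%s -> %lu\n", name, (unsigned long)chap204_derive(name));
    printf("check: %d\n", chap204_check(name, "116149656"));
    return 0;
}
```

For a one-character name "a" the first iteration multiplies by ~(len*0) = 0xFFFFFFFF, i.e. negates the sum, which is a quick sanity check when stepping the loop in the debugger: 0x81276345 + 0x61 negated gives 0x7ED89C5A.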
Author: zusheng. This article is written to apply for a 52pojie (吾爱破解) forum invitation code; reproduction without permission is prohibited.

Hmily, 2014-11-29 23:04:
A question: why are you still using W32dsm to search for strings?

Quoting Hmily (2014-11-29 23:04): A question: why are you still using W32dsm to search for strings?
Because I'm still a newbie from Pediy (看雪) and only know W32dsm.

Quoting Hmily (2014-11-29 23:04): A question: why are you still using W32dsm to search for strings?
I hope you can give me a chance to come and learn at 52pojie.

Quoting Hmily (2014-11-29 23:04): A question: why are you still using W32dsm to search for strings?
The ID I applied for is zusheng. I copied the format from someone else, so that part was wrong; I had already changed the name, but the captcha failed, and when I replied to the post later I forgot to change the part at the top. Sorry.

Quoting Guest 60.168.162.x (2014-11-30 22:20): Because I'm still a newbie from Pediy and only know W32dsm.
What is your Pediy ID? Which ID did you actually apply for?

Quoting Hmily (2014-11-30 23:00): What is your Pediy ID? Which ID did you actually apply for?
My Pediy ID: weiyangs. Applied ID: zusheng

Quoting Hmily (2014-11-30 23:00): What is your Pediy ID? Which ID did you actually apply for?
I've been approved, haven't I?

Quoting Guest 60.168.162.x (2014-11-30 23:16): My Pediy ID: weiyangs. Applied ID: zusheng
Is the e-mail weiyangsheng@isbase.cc?

Quoting Hmily (2014-11-30 23:36): Is the e-mail?
Let's use a QQ e-mail instead: 1370078017@qq.com