[Disassembly practice] 160 CrackMes #044

First, a disclaimer. Many newcomers may ask why my posts skip so many CMs. The reason is simple: either the CM is cracked the same way as an earlier one and there is nothing new, so a post would be pointless, or my skill isn't up to it. For example CM39 (it seems to have an asp packer; by patching I can crack the button, but there is also an image-button check, and it feels really messy...) and CM41 (patching the program, adding code to it... not actually that hard, but I couldn't be bothered...). So when I bring you a tutorial for CM44, it means it will definitely teach you something new (new for beginners, that is!! Experts, please don't nitpick!). On with the tutorial!

1. First, be clear about the goal. Open the program, enter nothing and click REG..; the hint below reads "Der Name muss min. 6 Zeichen lang sein" (the name must be at least 6 characters; German). Check for a packer: no packer, written in Delphi.

2. Try opening the CM with the great tool DeDe. It cannot be decompiled......

3. Today let's try a new method: open the CM with another great tool, WinHex... Press ctrl+f and search for Button, as shown in the picture. Press F3 to keep searching downward until you find the ButtonClick string shown in the picture above. Let me explain why I search for the keyword "Button": the reason is simple, anyone who programs regularly knows the habit of prefixing a component's name with its component type, e.g. Button1, EditText_name...

4. After finding the string shown above, see the illustration below:

5. We have found the address of the button click event! Load the CM in OD, press ctrl+g to jump to 00421b84, and look at the code in OD.

6. Save the program. Run it and try.

7. End of the tutorial, thanks everyone! (Friendly reminder: giving a rating doesn't cost you points! There are free rating chances every day; if everyone gives a little rating, the OP will have more motivation.. ^_^)

Last edited by pk8900 on 2017-12-14 20:17

Algorithm part:
00421BCF | E8 90 17 FE FF | call <dope21.sub_403364> |
00421BD4 | 88 45 EF | mov byte ptr ss:[ebp-11], al |
00421BD7 | 80 7D EF 06 | cmp byte ptr ss:[ebp-11], 0x6 |
00421BDB | 73 15 | jae dope21.421BF2 | user name must be at least 6 characters
00421BDD | 8B 86 C0 01 00 00 | mov eax, dword ptr ds:[esi+1C0] |
00421BE3 | BA A8 1D 42 00 | mov edx, <dope21.sub_421DA8> | 421DA8:"Der Name muss min. 6 Zeichen lang sein"
00421BE8 | E8 3B FC FE FF | call dope21.411828 |
00421BED | E9 72 01 00 00 | jmp dope21.421D64 |
00421BF2 | 33 C0 | xor eax, eax |
00421BF4 | 33 D2 | xor edx, edx | EDX fetches the characters one at a time
00421BF6 | 8A D0 | mov dl, al | EBX: byte accumulator
00421BF8 | 8B 4D FC | mov ecx, dword ptr ss:[ebp-4] | ecx: pointer to the user name
00421BFB | 0F B6 54 11 FF | movzx edx, byte ptr ds:[ecx+edx-1] | starts at the byte before the user name, normally the \0 null character
00421C00 | 83 C2 9F | add edx, 0xFFFFFF9F | edx = edx + 0xFFFFFF9F (-97)
00421C03 | 83 FA 19 | cmp edx, 0x19 |
00421C06 | 0F 87 D7 00 00 00 | ja dope21.421CE3 | greater than 0x19 jumps to the last case
00421C0C | FF 24 95 13 1C 42 00 | jmp dword ptr ds:[edx*4+421C13] | branch selected through the jump table
00421C13 | 7B 1C 42 00 | dd 421C7B |
00421C17 | 7F 1C 42 00 | dd 421C7F |
00421C1B | 83 1C 42 00 | dd 421C83 |
00421C1F | 87 1C 42 00 | dd 421C87 |
00421C23 | 8B 1C 42 00 | dd 421C8B |
00421C27 | 8F 1C 42 00 | dd 421C8F |
00421C2B | 93 1C 42 00 | dd 421C93 |
00421C2F | 97 1C 42 00 | dd 421C97 |
00421C33 | 9B 1C 42 00 | dd 421C9B |
00421C37 | 9F 1C 42 00 | dd 421C9F |
00421C3B | A3 1C 42 00 | dd 421CA3 |
00421C3F | A7 1C 42 00 | dd 421CA7 |
00421C43 | AB 1C 42 00 | dd 421CAB |
00421C47 | AF 1C 42 00 | dd 421CAF |
00421C4B | B3 1C 42 00 | dd 421CB3 |
00421C4F | B7 1C 42 00 | dd 421CB7 |
00421C53 | BB 1C 42 00 | dd 421CBB |
00421C57 | BF 1C 42 00 | dd 421CBF |
00421C5B | C3 1C 42 00 | dd 421CC3 |
00421C5F | C7 1C 42 00 | dd 421CC7 |
00421C63 | CB 1C 42 00 | dd 421CCB |
00421C67 | CF 1C 42 00 | dd 421CCF |
00421C6B | D3 1C 42 00 | dd 421CD3 |
00421C6F | D7 1C 42 00 | dd 421CD7 |
00421C73 | DB 1C 42 00 | dd 421CDB |
00421C77 | DF 1C 42 00 | dd 421CDF |
00421C7B | B2 18 | mov dl, 0x18 | save these values, they can be used to build the keygen
00421C7D | EB 66 | jmp dope21.421CE5 |
00421C7F | B2 25 | mov dl, 0x25 | 25:'%'
00421C81 | EB 62 | jmp dope21.421CE5 |
00421C83 | B2 42 | mov dl, 0x42 | 42:'B'
00421C85 | EB 5E | jmp dope21.421CE5 |
00421C87 | B2 0C | mov dl, 0xC | C:'\f'
00421C89 | EB 5A | jmp dope21.421CE5 |
00421C8B | B2 0D | mov dl, 0xD | D:'\r'
00421C8D | EB 56 | jmp dope21.421CE5 |
00421C8F | B2 06 | mov dl, 0x6 |
00421C91 | EB 52 | jmp dope21.421CE5 |
00421C93 | B2 36 | mov dl, 0x36 | 36:'6'
00421C95 | EB 4E | jmp dope21.421CE5 |
00421C97 | B2 2B | mov dl, 0x2B | 2B:'+'
00421C99 | EB 4A | jmp dope21.421CE5 |
00421C9B | B2 17 | mov dl, 0x17 |
00421C9D | EB 46 | jmp dope21.421CE5 |
00421C9F | B2 2F | mov dl, 0x2F | 2F:'/'
00421CA1 | EB 42 | jmp dope21.421CE5 |
00421CA3 | B2 13 | mov dl, 0x13 |
00421CA5 | EB 3E | jmp dope21.421CE5 |
00421CA7 | B2 82 | mov dl, 0x82 |
00421CA9 | EB 3A | jmp dope21.421CE5 |
00421CAB | B2 9B | mov dl, 0x9B |
00421CAD | EB 36 | jmp dope21.421CE5 |
00421CAF | B2 92 | mov dl, 0x92 |
00421CB1 | EB 32 | jmp dope21.421CE5 |
00421CB3 | B2 03 | mov dl, 0x3 |
00421CB5 | EB 2E | jmp dope21.421CE5 |
00421CB7 | B2 63 | mov dl, 0x63 | 63:'c'
00421CB9 | EB 2A | jmp dope21.421CE5 |
00421CBB | B2 21 | mov dl, 0x21 | 21:'!'
00421CBD | EB 26 | jmp dope21.421CE5 |
00421CBF | B2 42 | mov dl, 0x42 | 42:'B'
00421CC1 | EB 22 | jmp dope21.421CE5 |
00421CC3 | B2 5C | mov dl, 0x5C | 5C:'\\'
00421CC5 | EB 1E | jmp dope21.421CE5 |
00421CC7 | B2 29 | mov dl, 0x29 | 29:')'
00421CC9 | EB 1A | jmp dope21.421CE5 |
00421CCB | B2 C7 | mov dl, 0xC7 |
00421CCD | EB 16 | jmp dope21.421CE5 |
00421CCF | B2 66 | mov dl, 0x66 | 66:'f'
00421CD1 | EB 12 | jmp dope21.421CE5 |
00421CD3 | B2 58 | mov dl, 0x58 | 58:'X'
00421CD5 | EB 0E | jmp dope21.421CE5 |
00421CD7 | B2 0A | mov dl, 0xA | A:'\n'
00421CD9 | EB 0A | jmp dope21.421CE5 |
00421CDB | B2 28 | mov dl, 0x28 | 28:'('
00421CDD | EB 06 | jmp dope21.421CE5 |
00421CDF | B2 50 | mov dl, 0x50 | 50:'P'
00421CE1 | EB 02 | jmp dope21.421CE5 |
00421CE3 | B2 5D | mov dl, 0x5D | 5D:']'
00421CE5 | 02 DA | add bl, dl | accumulate into BL
00421CE7 | 40 | inc eax |
00421CE8 | 3C 06 | cmp al, 0x6 | first 5 characters of the user name
00421CEA | 0F 85 04 FF FF FF | jne dope21.421BF4 |
00421CF0 | 8D 55 F0 | lea edx, dword ptr ss:[ebp-10] |
00421CF3 | 33 C0 | xor eax, eax |
00421CF5 | 8A 45 EF | mov al, byte ptr ss:[ebp-11] | ebp-11: length
00421CF8 | 69 C0 7E 4A 00 00 | imul eax, eax, 0x4A7E | length * 0x4A7E, converted to a decimal string
00421CFE | E8 71 36 FE FF | call <dope21.sub_405374> |
00421D03 | 8D 55 E4 | lea edx, dword ptr ss:[ebp-1C] |
00421D06 | 33 C0 | xor eax, eax |
00421D08 | 8A C3 | mov al, bl |
00421D0A | E8 65 36 FE FF | call <dope21.sub_405374> | BL accumulator converted to a decimal string
00421D0F | FF 75 E4 | push dword ptr ss:[ebp-1C] | [ebp-1C]:"245"
00421D12 | 68 D8 1D 42 00 | push dope21.421DD8 | 421DD8:L"-"
00421D17 | FF 75 F0 | push dword ptr ss:[ebp-10] |
00421D1A | 8D 45 F4 | lea eax, dword ptr ss:[ebp-C] |
00421D1D | BA 03 00 00 00 | mov edx, 0x3 |
00421D22 | E8 FD 16 FE FF | call <dope21.sub_403424> | joined with "-"
00421D27 | 8D 55 E8 | lea edx, dword ptr ss:[ebp-18] |
00421D2A | 8B 86 B0 01 00 00 | mov eax, dword ptr ds:[esi+1B0] |
00421D30 | E8 C3 FA FE FF | call <dope21.sub_4117F8> |
Start from the byte before the user name (before its storage location; mostly \0, the null character), subtract 97 (add 0xFFFFFF9F); if the result is greater than 0x19, jump to the very end and add 0x5D. Accumulate like this over the first 5 characters of the user name. If, for example, the final value is 0xAA, converted to a decimal string that is 170. Then the length is multiplied by 0x4A7E and also converted to a decimal string, say 123456, and the serial is 170-123456.
I don't know whether the author wrote the code wrong on purpose. C++ keygen code:
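To make the table-driven check concrete, here is an added example (not the OP's keygen and not code from the CrackMe) that recovers the 26-entry substitution table straight from the "B2 xx EB yy" stub bytes in the listing and emulates the loop exactly, including the read of the byte before the name and the 32-bit wrap on add edx, 0xFFFFFF9F. Assumed, because the listing does not show it: EBX is zero when the loop starts. It also makes the weakness visible: every byte outside 'a'..'z' collapses to the default 0x5D, so any 6-character name without a lowercase letter produces the same serial, 46-114420.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Opcode bytes of the 26 "mov dl, imm8 / jmp 421CE5" stubs at 00421C7B plus the
// fall-through "mov dl, 0x5D" at 00421CE3, copied from the listing above.
static const uint8_t kStubBytes[] = {
    0xB2, 0x18, 0xEB, 0x66, 0xB2, 0x25, 0xEB, 0x62, 0xB2, 0x42, 0xEB, 0x5E, 0xB2, 0x0C, 0xEB, 0x5A,
    0xB2, 0x0D, 0xEB, 0x56, 0xB2, 0x06, 0xEB, 0x52, 0xB2, 0x36, 0xEB, 0x4E, 0xB2, 0x2B, 0xEB, 0x4A,
    0xB2, 0x17, 0xEB, 0x46, 0xB2, 0x2F, 0xEB, 0x42, 0xB2, 0x13, 0xEB, 0x3E, 0xB2, 0x82, 0xEB, 0x3A,
    0xB2, 0x9B, 0xEB, 0x36, 0xB2, 0x92, 0xEB, 0x32, 0xB2, 0x03, 0xEB, 0x2E, 0xB2, 0x63, 0xEB, 0x2A,
    0xB2, 0x21, 0xEB, 0x26, 0xB2, 0x42, 0xEB, 0x22, 0xB2, 0x5C, 0xEB, 0x1E, 0xB2, 0x29, 0xEB, 0x1A,
    0xB2, 0xC7, 0xEB, 0x16, 0xB2, 0x66, 0xEB, 0x12, 0xB2, 0x58, 0xEB, 0x0E, 0xB2, 0x0A, 0xEB, 0x0A,
    0xB2, 0x28, 0xEB, 0x06, 0xB2, 0x50, 0xEB, 0x02, 0xB2, 0x5D};

// Keep the imm8 of every "B2 xx" and skip the "EB yy" jumps. Entries 0..25 are
// the switch cases for 'a'..'z'; entry 26 is the 0x5D taken by "ja 421CE3".
std::vector<uint8_t> tableFromStubs() {
    std::vector<uint8_t> table;
    for (size_t i = 0; i + 1 < sizeof(kStubBytes); i += 2)
        if (kStubBytes[i] == 0xB2) table.push_back(kStubBytes[i + 1]);
    return table;
}

// Emulates 00421BF4..00421CEA. EAX runs 0..5 and the read is name[eax-1], so the
// first byte consumed sits before the string data: for a Delphi AnsiString that is
// the high byte of the 32-bit length field. Assumption: EBX is 0 on loop entry.
uint8_t nameChecksum(const std::string& name) {
    const std::vector<uint8_t> table = tableFromStubs();
    uint8_t bl = 0;
    for (uint32_t eax = 0; eax < 6; ++eax) {
        uint8_t c = static_cast<uint8_t>(name.size() >> 24);          // name[-1]
        if (eax > 0 && eax - 1 < name.size()) c = static_cast<uint8_t>(name[eax - 1]);
        uint32_t idx = c + 0xFFFFFF9Fu;               // add edx, -0x61 (wraps below 'a')
        bl += (idx > 0x19) ? table[26] : table[idx];  // ja -> default 0x5D
    }
    return bl;
}

// Serial = decimal(BL) + "-" + decimal(len * 0x4A7E); the length goes through AL,
// so only its low 8 bits count.
std::string serialFor(const std::string& name) {
    if (name.size() < 6) return "";  // "Der Name muss min. 6 Zeichen lang sein"
    unsigned len = static_cast<uint8_t>(name.size());
    return std::to_string(nameChecksum(name)) + "-" + std::to_string(len * 0x4A7E);
}
```

Only the first five characters and the 8-bit length feed the serial, so any two names that agree on those collide.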
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <cstring>
#include <cstdlib>
using namespace std;

int main()
{
    // Raw bytes of the "mov dl, xx / jmp 421CE5" stubs starting at 00421C7B
    // (first byte corrected to 0xB2 as in the listing); the immediate for
    // switch case i sits at base[i * 4 + 1]
    unsigned char base[] = {
        0xB2, 0x18, 0xEB, 0x66, 0xB2, 0x25, 0xEB, 0x62, 0xB2, 0x42, 0xEB, 0x5E, 0xB2, 0x0C, 0xEB, 0x5A,
        0xB2, 0x0D, 0xEB, 0x56, 0xB2, 0x06, 0xEB, 0x52, 0xB2, 0x36, 0xEB, 0x4E, 0xB2, 0x2B, 0xEB, 0x4A,
        0xB2, 0x17, 0xEB, 0x46, 0xB2, 0x2F, 0xEB, 0x42, 0xB2, 0x13, 0xEB, 0x3E, 0xB2, 0x82, 0xEB, 0x3A,
        0xB2, 0x9B, 0xEB, 0x36, 0xB2, 0x92, 0xEB, 0x32, 0xB2, 0x03, 0xEB, 0x2E, 0xB2, 0x63, 0xEB, 0x2A,
        0xB2, 0x21, 0xEB, 0x26, 0xB2, 0x42, 0xEB, 0x22, 0xB2, 0x5C, 0xEB, 0x1E, 0xB2, 0x29, 0xEB, 0x1A,
        0xB2, 0xC7, 0xEB, 0x16, 0xB2, 0x66, 0xEB, 0x12, 0xB2, 0x58, 0xEB, 0x0E, 0xB2, 0x0A, 0xEB, 0x0A,
        0xB2, 0x28, 0xEB, 0x06, 0xB2, 0x50, 0xEB, 0x02, 0xB2, 0x5D};
    unsigned char key1 = 0x5D;  // the \0 before the name always takes the default case
    unsigned char tmp;
    char *yourName = new char[260];
    memset(yourName, 0, 260);
    cout << "Enter your name:";
    cin.getline(yourName, 260);
    if (strlen(yourName) < 6)
    {
        cout << "your name less than 6!" << endl;
        system("pause");
        delete[] yourName;
        return 1;
    }
    for (int x = 0; x < 5; x++)
    {
        tmp = yourName[x] - 97;  // index into the 'a'..'z' switch
        if (tmp > 0x19)
            key1 += 0x5D;        // anything that is not a lowercase letter
        else
            key1 += base[tmp * 4 + 1];
    }
    cout << "serial is:" << 0 + key1 << "-" << strlen(yourName) * 0x4A7E << endl;
    system("pause");
    delete[] yourName;
    return 0;
}

灵魂深处 posted on 2015-3-22 15:17
Leaving a mark to learn from this. But a lot of these CMs are in English, which I don't understand...

Heh, Baidu Translate is always on standby.

It's still more convenient to search for the strings directly and go in from there, done in one go; but the tool the OP mentioned is worth a try, so that counts as something new learned.

The serial can be traced out: "46-114420", it's fixed.