I'm also offering a standard TraceMe for everyone to play with
This post was last edited by missviola on 2010-1-12 20:33
name: pediy
code: 2470

void CTrackMeDlg::OnBnClickedButton1()
{
    int i, j, k, sum, length;
    // 8-byte multiplier table (the same bytes the binary reads at 00405030)
    int tempnum[] = {0x0C, 0x0A, 0x13, 0x09, 0x0C, 0x0B, 0x0A, 0x08};
    CString code;
    CString name;
    sum = 0;
    if (GetDlgItemText(IDC_EDIT1, name) == 0)
    {
        MessageBox("请输入用户名!");   // "Please enter a user name!"
    }
    else
    {
        length = name.GetLength();
        if (length < 4)
        {
            MessageBox("name的长度要大于4!");   // "name must be longer than 4 characters!"
            return;   // do not go on to compute a code for a rejected name
        }
        // Walk the name from index 3 to the end; each byte is multiplied by the
        // next table entry, and the table index wraps after 8 entries
        for (j = 3; j < length; j++)
        {
            i = (unsigned char)name[j];   // zero-extended byte, as in the binary (XOR EDX,EDX / MOV DL,...)
            k = tempnum[(j - 3) % 8];
            i = i * k;
            sum = sum + i;
        }
        code.Format("%d", sum);
        SetDlgItemText(IDC_EDIT2, code);
    }
}

Heh, hope someone puts together a tracing or patching tutorial for it. I think I've seen one somewhere. Heh, this one is from the 看雪 (Pediy) book Encryption and Decryption, 3rd edition.

I'm also offering a standard TraceMe for everyone to play with
紫色 posted on 2010-1-12 16:57
【Title】: TraceMe perfect patch + algorithm analysis
【Author】: HPKEr
【Software】: TraceMe
【Size】: 9.94KB
【Download】: http://xz.qupan.com/down/945520_5623478.html
【Language】: Microsoft Visual C++ v6.0
【Tools】: PEID, OD
【Platform】: Windows XP SP3
【Author's note】: Just out of interest, no other purpose. Corrections from the experts are welcome wherever I've slipped up!
--------------------------------------------------------------------------------
【Detailed process】
Load it in OD and set a breakpoint with bp GetDlgItemTextA. It breaks at 77D6B05E, which is in system code; press ALT+F9 to return to the program's own code, and it breaks at 004011B6.
0040119C  > \8BB424 00010000   MOV ESI,DWORD PTR SS:[ESP+100]                   ; Case 3F5 of switch 0040115E
004011A3  .  8B3D A0404000     MOV EDI,DWORD PTR DS:[<&USER32.GetDlgItemTextA>] ; USER32.GetDlgItemTextA
004011A9  .  53                PUSH EBX
004011AA  .  8D4424 4C         LEA EAX,DWORD PTR SS:[ESP+4C]
004011AE  .  6A 51             PUSH 51                                          ; /Count = 51 (81.)
004011B0  .  50                PUSH EAX                                         ; |Buffer
004011B1  .  6A 6E             PUSH 6E                                          ; |ControlID = 6E (110.)
004011B3  .  56                PUSH ESI                                         ; |hWnd
004011B4  .  FFD7              CALL EDI                                         ; \get the user name: guapi
004011B6  .  8D8C24 9C000000   LEA ECX,DWORD PTR SS:[ESP+9C]
004011BD  .  6A 65             PUSH 65                                          ; /Count = 65 (101.)
004011BF  .  51                PUSH ECX                                         ; |Buffer
004011C0  .  68 E8030000       PUSH 3E8                                         ; |ControlID = 3E8 (1000.)
004011C5  .  56                PUSH ESI                                         ; |hWnd
004011C6  .  8BD8              MOV EBX,EAX                                      ; |
004011C8  .  FFD7              CALL EDI                                         ; \get the registration code: 123456
004011CA  .  8A4424 4C         MOV AL,BYTE PTR SS:[ESP+4C]
004011CE  .  84C0              TEST AL,AL
004011D0  .  74 76             JE SHORT TraceMe.00401248                        ; user name empty: Game Over!
004011D2  .  83FB 05           CMP EBX,5
004011D5  .  7C 71             JL SHORT TraceMe.00401248                        ; user name shorter than 5 characters: Game Over!
004011D7  .  8D5424 4C         LEA EDX,DWORD PTR SS:[ESP+4C]                    ; EDX = guapi
004011DB  .  53                PUSH EBX
004011DC  .  8D8424 A0000000   LEA EAX,DWORD PTR SS:[ESP+A0]                    ; EAX = 123456
004011E3  .  52                PUSH EDX
004011E4  .  50                PUSH EAX
004011E5  .  E8 56010000       CALL TraceMe.00401340                            ; key CALL, press F7 to step in
004011EA  .  8B3D BC404000     MOV EDI,DWORD PTR DS:[<&USER32.GetDlgItem>]      ; USER32.GetDlgItem
004011F0  .  83C4 0C           ADD ESP,0C
004011F3  .  85C0              TEST EAX,EAX
004011F5  .  74 37             JE SHORT TraceMe.0040122E                        ; if CALL 00401340 returned EAX = 0, jump to 0040122E: registration failed!
004011F7  .  8D4C24 0C         LEA ECX,DWORD PTR SS:[ESP+C]
004011FB  .  51                PUSH ECX                                         ; /"Congratulations! Success!"
004011FC  .  68 E4544000       PUSH TraceMe.004054E4                            ; |String1 = TraceMe.004054E4
00401201  .  FF15 60404000     CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>]         ; \lstrcpyA
00401207  .  6A 00             PUSH 0                                           ; /Enable = FALSE
00401209  .  6A 6E             PUSH 6E                                          ; |/ControlID = 6E (110.)
0040120B  .  56                PUSH ESI                                         ; ||hWnd
0040120C  .  FFD7              CALL EDI                                         ; |\GetDlgItem
0040120E  .  8B1D A4404000     MOV EBX,DWORD PTR DS:[<&USER32.EnableWindow>]    ; |USER32.EnableWindow
00401214  .  50                PUSH EAX                                         ; |hWnd
00401215  .  FFD3              CALL EBX                                         ; \EnableWindow
00401217  .  6A 00             PUSH 0                                           ; /Enable = FALSE
00401219  .  68 E8030000       PUSH 3E8                                         ; |/ControlID = 3E8 (1000.)
0040121E  .  56                PUSH ESI                                         ; ||hWnd
0040121F  .  FFD7              CALL EDI                                         ; |\GetDlgItem
00401221  .  50                PUSH EAX                                         ; |hWnd
00401222  .  FFD3              CALL EBX                                         ; \EnableWindow
00401224  .  68 E8030000       PUSH 3E8                                         ; /ControlID = 3E8 (1000.)
00401229  .  56                PUSH ESI                                         ; |hWnd
0040122A  .  FFD7              CALL EDI                                         ; \GetDlgItem
0040122C  .  EB 33             JMP SHORT TraceMe.00401261
0040122E  >  8D5424 34         LEA EDX,DWORD PTR SS:[ESP+34]
00401232  .  52                PUSH EDX                                         ; /"Wrong serial, try again!"
00401233  .  68 E4544000       PUSH TraceMe.004054E4                            ; |String1 = TraceMe.004054E4
00401238  .  FF15 60404000     CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>]         ; \lstrcpyA
0040123E  .  68 E8030000       PUSH 3E8
00401243  .  56                PUSH ESI
00401244  .  FFD7              CALL EDI
00401246  .  EB 19             JMP SHORT TraceMe.00401261
00401248  >  8D4424 1C         LEA EAX,DWORD PTR SS:[ESP+1C]
Step into CALL TraceMe.00401340:
00401340  /$ 55                PUSH EBP
00401341  |. 8B6C24 0C         MOV EBP,DWORD PTR SS:[ESP+C]                     ; user name guapi into EBP
00401345  |. 56                PUSH ESI
00401346  |. 57                PUSH EDI
00401347  |. 8B7C24 18         MOV EDI,DWORD PTR SS:[ESP+18]                    ; user name length 5 into EDI
0040134B  |. B9 03000000       MOV ECX,3
00401350  |. 33F6              XOR ESI,ESI
00401352  |. 33C0              XOR EAX,EAX
00401354  |. 3BF9              CMP EDI,ECX
00401356  |. 7E 21             JLE SHORT TraceMe.00401379                       ; if it is less than or equal to 0, jump to 00401379
00401358  |. 53                PUSH EBX
00401359  |> 83F8 07           /CMP EAX,7
0040135C  |. 7E 02             |JLE SHORT TraceMe.00401360                      ; if less than or equal to 7, jump to 00401360
0040135E  |. 33C0              |XOR EAX,EAX
00401360  |> 33D2              |XOR EDX,EDX
00401362  |. 33DB              |XOR EBX,EBX
00401364  |. 8A1429            |MOV DL,BYTE PTR DS:[ECX+EBP]                    ; take the 4th character of the user name, 'p' (ASCII 70 hex), into DL
00401367  |. 8A98 30504000     |MOV BL,BYTE PTR DS:[EAX+405030]                 ; 0C into BL
0040136D  |. 0FAFD3            |IMUL EDX,EBX                                    ; EDX*EBX = ? intermediate step; the final result is kept in ESI
00401370  |. 03F2              |ADD ESI,EDX                                     ; ESI holds the final result
00401372  |. 41                |INC ECX                                         ; counter ECX + 1
00401373  |. 40                |INC EAX                                         ; counter EAX + 1
00401374  |. 3BCF              |CMP ECX,EDI
00401376  |.^7C E1             \JL SHORT TraceMe.00401359                       ; if ECX is less than EDI, jump back to 00401359 and keep looping
00401378  |. 5B                POP EBX
00401379  |> 56                PUSH ESI                                         ; /<%ld>
0040137A  |. 68 78504000       PUSH TraceMe.00405078                            ; |%ld
0040137F  |. 55                PUSH EBP                                         ; |s
00401380  |. FF15 9C404000     CALL DWORD PTR DS:[<&USER32.wsprintfA>]          ; \converts hex 95A to decimal 2394
00401386  |. 8B4424 1C         MOV EAX,DWORD PTR SS:[ESP+1C]                    ; entered code 123456 into EAX
0040138A  |. 83C4 0C           ADD ESP,0C
0040138D  |. 55                PUSH EBP                                         ; /real code: 2394
0040138E  |. 50                PUSH EAX                                         ; |entered code: 123456
0040138F  |. FF15 04404000     CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>]         ; \compare the real code with the entered code
00401395  |. F7D8              NEG EAX
00401397  |. 1BC0              SBB EAX,EAX
00401399  |. 5F                POP EDI
0040139A  |. 5E                POP ESI
0040139B  |. 40                INC EAX
0040139C  |. 5D                POP EBP
0040139D  \. C3                RETN
Working serial:
User name: guapi
Serial: 2394
Screenshot of TraceMe registered with the real code:
Screenshot of the TraceMe perfect patch:
--------------------------------------------------------------------------------
【Summary】
1. The program checks the characters of the user name after the third one and converts them from the original hexadecimal to decimal.
2. The perfect patch is simple: just NOP out the three disassembly lines at 004011D0, 004011D5 and 004011F5.
Original TraceMe download: http://xz.qupan.com/down/945520_5623478.html
TraceMe perfect-patch download: http://xz.qupan.com/down/945520_5623774.html
--------------------------------------------------------------------------------
【Copyright】: This article is original to the 吾爱 (52pojie) tech forum. Please credit the author and keep the article intact when reposting. Thanks!
2010-01-13 13:25:46 Thanks OP, thanks for sharing...........
Downloading to try it out.
name: pediy
code: 2470
void CTrackMeDlg::OnBnClickedButton1()
{
int i,j,k,sum,length;
i ...
missviola posted on 2010-1-12 17:16
This one's strong, heh. Try this one: name: 000000
key: 1968
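Added example, not code from the thread or from TraceMe itself: a C reimplementation of the routine at 00401340 as analysed in the article above, written to cross-check the three name/code pairs quoted in this thread (pediy/2470, guapi/2394, 000000/1968). The names kTable, traceme_checksum and traceme_check are my own; the table bytes are the eight read at 00405030. Unlike the C++ sketch at the top of the thread, this version also models the CMP EAX,7 / XOR EAX,EAX reset in the loop, so the table index wraps for names longer than 11 characters.

```c
#include <stdio.h>
#include <string.h>

/* The 8-byte multiplier table the binary reads at 00405030 (from the listing). */
static const unsigned char kTable[8] = {0x0C, 0x0A, 0x13, 0x09, 0x0C, 0x0B, 0x0A, 0x08};

/* Reimplementation of the loop at 00401359-00401376.
   ECX (name index) starts at 3 and runs while ECX < EDI (name length);
   EAX (table index) starts at 0 and is reset to 0 once it exceeds 7;
   ESI accumulates name[ECX] * kTable[EAX]. Returns the value the binary
   later formats with wsprintfA("%ld"). */
long traceme_checksum(const char *name)
{
    size_t len = strlen(name);          /* EDI */
    long sum = 0;                       /* ESI */
    size_t tbl = 0;                     /* EAX */
    for (size_t i = 3; i < len; i++) {  /* ECX */
        if (tbl > 7)                    /* CMP EAX,7 / JLE / XOR EAX,EAX */
            tbl = 0;
        /* XOR EDX,EDX / MOV DL,... zero-extends the byte, hence unsigned char */
        sum += (long)(unsigned char)name[i] * kTable[tbl];
        tbl++;
    }
    return sum;
}

/* Mirrors the dialog handler at 004011CA-004011F5 plus the tail of 00401340:
   an empty name (TEST AL,AL) or fewer than 5 characters (CMP EBX,5 / JL) fails;
   otherwise the entered serial must match the decimal checksum as text
   (wsprintfA "%ld" followed by lstrcmpA). Returns 1 on success, 0 on failure. */
int traceme_check(const char *name, const char *serial)
{
    char expected[32];
    if (name[0] == '\0' || strlen(name) < 5)
        return 0;
    snprintf(expected, sizeof expected, "%ld", traceme_checksum(name));
    return strcmp(expected, serial) == 0;
}

int main(void)
{
    /* Constructed input: the three name/code pairs quoted in this thread. */
    const char *pairs[][2] = {{"pediy", "2470"}, {"guapi", "2394"}, {"000000", "1968"}};
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-8s %-6s checksum=%ld -> %s\n", pairs[i][0], pairs[i][1],
               traceme_checksum(pairs[i][0]),
               traceme_check(pairs[i][0], pairs[i][1]) ? "ok" : "FAIL");
    return 0;
}
```

Compile with `cc -std=c99 traceme_check.c` and run; all three pairs print ok. Because the binary compares the formatted text with lstrcmpA rather than comparing integers, an entered code with a leading zero or space fails even though its numeric value matches, and the reimplementation keeps that string comparison deliberately.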