(Cracked) I'm posting a CM too
This post was last edited by zbnysjwsnd8 on 2017-8-13 11:04.
Patch it or trace the code, whichever you like.
If you patch it, post the patch point.
If you trace the code, post the registration code.
@dazong
Already cracked by an expert. Registration code: 1009

zbnysjwsnd8 posted on 2017-8-12 16:30
Tell us how you changed it.

Just for my own satisfaction; I can't crack it.
00401000 > $E8 0D010000 call <jmp.&kernel32.AllocConsole> ; [AllocConsole
00401005 .6A F6 push -0xA ; /DevType = STD_INPUT_HANDLE
00401007 .E8 0C010000 call <jmp.&kernel32.GetStdHandle> ; \GetStdHandle
0040100C .A3 18304000 mov dword ptr ds:[0x403018],eax ;get the standard input handle
00401011 .6A F5 push -0xB ; /DevType = STD_OUTPUT_HANDLE
00401013 .E8 00010000 call <jmp.&kernel32.GetStdHandle> ; \GetStdHandle
00401018 .A3 1C304000 mov dword ptr ds:[0x40301C],eax ;get the standard output handle
0040101D .6A 00 push 0x0 ; /pOverlapped = NULL
0040101F .68 20304000 push CrackMe.00403020 ; |pBytesWritten = CrackMe.00403020
00401024 .6A 05 push 0x5 ; |nBytesToWrite = 0x5
00401026 .68 00304000 push CrackMe.00403000 ; |Buffer = CrackMe.00403000
0040102B .FF35 1C304000 push dword ptr ds:[0x40301C] ; |hFile = 00000007
00401031 .E8 EE000000 call <jmp.&kernel32.WriteFile> ; \WriteFile
00401036 .6A 00 push 0x0 ; /pOverlapped = NULL
00401038 .68 20304000 push CrackMe.00403020 ; |pBytesRead = CrackMe.00403020
0040103D .68 00020000 push 0x200 ; |BytesToRead = 200 (512.)
00401042 .68 28304000 push CrackMe.00403028 ; |Buffer = CrackMe.00403028
00401047 .FF35 18304000 push dword ptr ds:[0x403018] ; |hFile = 00000003
0040104D .E8 CC000000 call <jmp.&kernel32.ReadFile> ; \ReadFile
00401052 .68 28304000 push CrackMe.00403028 ;ASCII "123456"
00401057 .E8 9D000000 call CrackMe.004010F9 ;get the length
0040105C .8D1D 28304000 lea ebx,dword ptr ds:[0x403028]
00401062 .66:C74418 FE 0000 mov word ptr ds:[eax+ebx-0x2],0x0 ;strip the newline
00401069 .53 push ebx
0040106A .E8 8A000000 call CrackMe.004010F9 ;get the length again
0040106F .8BC8 mov ecx,eax ;ecx = length
00401071 .8D3D 28304000 lea edi,dword ptr ds:[0x403028] ;edi -> string
00401077 .33C0 xor eax,eax ;eax = 0
00401079 .33DB xor ebx,ebx ;ebx=0
0040107B .33D2 xor edx,edx ;edx=0
0040107D >8A3C07 mov bh,byte ptr ds:[edi+eax] ;fetch the characters one by one
00401080 .C1CB 08 ror ebx,0x8 ;rotate right by 8 bits
00401083 .03D3 add edx,ebx
00401085 .40 inc eax
00401086 .3BC1 cmp eax,ecx ;finished reading?
00401088 .74 02 je short CrackMe.0040108C ;result in edx, the value after the and
0040108A .^ EB F1 jmp short CrackMe.0040107D ;result: ebx holds the last four characters in order 3214
0040108C >33C9 xor ecx,ecx ;ecx = 0
0040108E .8915 24304000 mov dword ptr ds:[0x403024],edx ;store edx at input-string memory - 4
00401094 .33F6 xor esi,esi
00401096 .EB 1A jmp short CrackMe.004010B2
00401098 >8A81 05304000 mov al,byte ptr ds:[ecx+0x403005] ;y7!
0040109E .3281 24304000 xor al,byte ptr ds:[ecx+0x403024] ;the edx from just now
004010A4 .8881 05304000 mov byte ptr ds:[ecx+0x403005],al ;XOR and write back one byte at a time
004010AA .25 FF000000 and eax,0xFF ;seems useless
004010AF .03F0 add esi,eax ;accumulate
004010B1 .41 inc ecx ;loop four times
004010B2 >83F9 04 cmp ecx,0x4 ;check whether the count is 4; certainly not == 4 the first time, it was cleared above
004010B5 .^ 75 E1 jnz short CrackMe.00401098
004010B7 .81FE DB020000 cmp esi,0x2DB ;check whether the sum equals 2DB
004010BD .74 1B je short CrackMe.004010DA ;output failure
004010BF .6A 00 push 0x0 ; /pOverlapped = NULL
004010C1 .68 20304000 push CrackMe.00403020 ; |pBytesWritten = CrackMe.00403020
004010C6 .6A 0A push 0xA ; |nBytesToWrite = A (10.)
004010C8 .68 0B304000 push CrackMe.0040300B ; |Buffer = CrackMe.0040300B
004010CD .FF35 1C304000 push dword ptr ds:[0x40301C] ; |hFile = 00000007
004010D3 .E8 4C000000 call <jmp.&kernel32.WriteFile> ; \WriteFile
004010D8 .EB 19 jmp short CrackMe.004010F3 ;output the content just XORed,,,,(ーー゛)
004010DA >6A 00 push 0x0 ; /pOverlapped = NULL
004010DC .68 20304000 push CrackMe.00403020 ; |pBytesWritten = CrackMe.00403020
004010E1 .6A 06 push 0x6 ; |nBytesToWrite = 0x6
004010E3 .68 05304000 push CrackMe.00403005 ; |Buffer = CrackMe.00403005
004010E8 .FF35 1C304000 push dword ptr ds:[0x40301C] ; |hFile = 00000007
004010EE .E8 31000000 call <jmp.&kernel32.WriteFile> ; \WriteFile
004010F3 >68 F3104000 push CrackMe.004010F3
004010F8 .C3 retn ;RET used as a jump to 004010F3
I'll try again later. This is really not something a noob like me can play with, way too hard.

dazong posted on 2017-8-12 16:29
Tell us how you changed it.

The correct characters should be [成功] ("success").
It loops four times in total; the registration code should be the hex code of 成功. The values are added up one by one and the final value is checked against 731, which is the hex codes of the two characters 成功: B3 C9 B9 A6.
Actually the registration code should just be the string's encoding... I didn't look at the earlier part; it shouldn't be hard...
Next expert, over to you.... Off to eat..

Can't even understand it!!!

SeriousSnow posted on 2017-8-12 21:08
00401000 > $E8 0D010000 call <jmp.&kernel32.AllocConsole> ; [AllocConsole
00401005 .6A F6...

Very detailed analysis. What's the registration code?
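Added example, not from the thread and not the CrackMe author's own source: a Python model of the check routine as read from the OllyDbg listing posted above (the first loop at 0x40107D, the XOR loop at 0x401098 and the compare at 0x4010B7), combined with dazong's point that B3 C9 B9 A6 (GBK for 成功) sums to 731 = 0x2DB. The four bytes the binary keeps at 0x403005 are not shown anywhere on the page, so `ENCRYPTED_PLACEHOLDER` is a constructed stand-in chosen so the model is self-consistent for the posted code 1009; `strlen`, `strip_crlf`, `rolling_checksum`, `decrypt_and_check` and `check_registration` are names chosen here, not symbols from the binary.

```python
"""
Model of the CrackMe key check from the OllyDbg listing in the thread.
Everything except ENCRYPTED_PLACEHOLDER follows the listed instructions;
that constant is an assumption, because the page never shows the bytes at 0x403005.
"""
from typing import Tuple

MASK32 = 0xFFFFFFFF
EXPECTED_SUM = 0x2DB                   # cmp esi, 0x2DB at 0x4010B7
SUCCESS_GBK = b"\xb3\xc9\xb9\xa6"      # 成功 in GBK, byte sum 0x2DB (dazong's observation)

# Constructed placeholder, NOT dumped from the binary: chosen so that XOR with the
# checksum of b"1009" yields SUCCESS_GBK. The real bytes at 0x403005 are unknown here.
ENCRYPTED_PLACEHOLDER = b"\x79\xf8\xd8\x37"


def strlen(buf: bytes) -> int:
    """Model of the helper at 0x4010F9: length up to the first NUL."""
    i = buf.find(b"\x00")
    return len(buf) if i < 0 else i


def strip_crlf(buf: bytes) -> bytes:
    """0x40105C-0x40106F: zero the last two bytes (the CR LF that ReadFile left in
    the buffer), then take the length again.

    The binary does the 16-bit store unconditionally, so an input shorter than
    two bytes makes it write in front of the buffer; the model refuses instead."""
    n = strlen(buf)
    if n < 2:
        raise ValueError("input shorter than 2 bytes: the original would write before the buffer")
    buf = buf[: n - 2] + b"\x00\x00" + buf[n:]    # mov word ptr [eax+ebx-2], 0
    return buf[: strlen(buf)]


def rolling_checksum(code: bytes) -> int:
    """Loop at 0x40107D-0x40108A:
        mov bh, [edi+eax]   ; next character into bits 8..15 of ebx
        ror ebx, 8          ; rotate right by one byte
        add edx, ebx        ; 32-bit accumulate
    ebx ends up holding the last four characters, edx their rotated sum."""
    ebx = 0
    edx = 0
    for ch in code:
        ebx = (ebx & 0xFFFF00FF) | (ch << 8)          # mov bh, byte
        ebx = ((ebx >> 8) | (ebx << 24)) & MASK32     # ror ebx, 8
        edx = (edx + ebx) & MASK32                    # add edx, ebx
    return edx


def decrypt_and_check(enc: bytes, edx: int) -> Tuple[bytes, bool]:
    """Loop at 0x401098-0x4010B7: for ecx in 0..3,
    byte[0x403005+ecx] ^= byte[0x403024+ecx] (the little-endian bytes of edx,
    stored just before the input buffer); the decrypted bytes are summed into esi,
    which must equal 0x2DB.

    The `and eax, 0xFF` the poster calls useless does matter for long inputs: the
    upper three bytes of eax still hold the input length from the first loop, so
    the mask is what keeps each addend to a single byte once the length is >= 256."""
    key = edx.to_bytes(4, "little")
    out = bytes(a ^ b for a, b in zip(enc[:4], key))
    esi = sum(out)                                   # each addend already in 0..255
    return out, esi == EXPECTED_SUM


def check_registration(raw_input: bytes, enc: bytes = ENCRYPTED_PLACEHOLDER) -> Tuple[bytes, bool]:
    """Whole routine: strip CR LF, checksum, decrypt the four bytes, compare the sum.
    Returns the decrypted bytes (what the 6-byte WriteFile at 0x4010E3 would show)
    and whether the je at 0x4010BD is taken."""
    code = strip_crlf(raw_input)
    return decrypt_and_check(enc, rolling_checksum(code))


if __name__ == "__main__":
    for candidate in (b"1009\r\n", b"1234\r\n"):
        shown, ok = check_registration(candidate)
        print(candidate.strip(), hex(rolling_checksum(strip_crlf(candidate))), shown.hex(), ok)
```

Two things the model makes visible that the listing alone does not: the compare at 0x4010B7 only constrains the sum of the four decrypted bytes, so it is the decrypted text that actually tells a genuine key apart from a mere sum collision, which is why dazong's identification of the target text 成功 is the useful observation; and the stored checksum sits at 0x403024, four bytes before the input buffer, so the unconditional CR/LF strip at 0x401062 touches exactly that word for inputs shorter than two bytes.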