160个Crackme之021学习笔记
本帖最后由 海天一色001 于 2019-4-28 09:57 编辑第21个CM,一看图标是应该还是Delphi的,打开程序看看:
这次是一个用户名两个密码,先不同组合试试:Name=“52pojie”,Serial 1=“12345”、Serial 2=“67890”:
什么都不输、只输入Name、输入Name/Serial 1、输入Name/Serial 2均弹出“Fill all boxes first dumb!”提示栏,
输入Name/Serial 1/Serial 2,提示“Nice try...but is incorrect...Dumb..”的提示。
好了,错误提示信息有了。
先查壳:无壳,用Delphi编程的。
第一步、爆破:
OD载入Cabeca.exe:老习惯,用智能搜索查找字符串,上次没找到,这一次再试试:
向下快到窗口底部,找到了,不仅有错误提示,还有正确的提示!
双击0042D4D6这一行正确提示,返回CPU窗口:
上一句0042D4D4跳转到0042D4E5,刚好跳过了正确提示,肯定是跳向失败,而跳转前面一句call,根据经验应该是判断注册码正确与否的,因为不正确所以要跳走。
点了一下0042D4E5这一行,信息栏中看到“跳转来自 0042D477, 0042D480, 0042D4AA, 0042D4D4”,那么这4个地址追过去nop掉不就行了吗?
先在信息栏中右键点击,先跳转到第一个地址0042D477处:
这里与0042D480挨得很近,这两个都nop掉:
再向下找到0042D4AA与0042D4D4,也给nop掉,将所有修改保存为可执行文件Cabeca_nop.exe,运行生成的这个nop程序,不对!除了三个文本框都填写内容后才显示成功,否则就显示失败!
重新观察这段代码,感觉从0042D3C4到0042D5AC处应该是按钮事件的代码,一步步往下,看到0042D3DE处一个比较,猜测是什么都不输入,这里的ds:=0,那么会转到第一个错误提示处,继续向下,到0042D46B处,jmp Cabeca.0042D58A,跳过了成功,让程序始终是失败状态。
所以,在这里我感觉将这一句也nop掉!再将修改后的代码保存为Cabeca_nop1.exe,一运行,竟然先弹出错误提示,点掉提示后,三个文本框清零,同时弹出正确提示!!
回到OD中仔细观察三个提示处的代码,发现加载提示后都有一个call Cabeca.0042CA8C,猜测这个call可能就是弹出提示框了,再修改一下看看,在0042D431处也nop掉:
运行保存好的Cabeca_nop2.exe,这次终于成功了!
但这样的修改太麻烦了!一不小心就要出错!刚才看到0042D3D5处是有条件地跳到了错误提示处,那么我直接用jmp跳到正确提示处不就行了吗?
马上操作:读取正确提示的语句是0042D4D6处,在这里将je short 0042D42C改成jmp 0042D4D6,存为可执行文件Cabeca_jmp.exe。
执行一下,这次怎么输入也都成功了!
第二步、追码:
Delphi程序还要用Darkde4,很快从中看到有两个事件,一个是Edit1Keypress事件,一个是Button1Click事件,Button1Click事件的起始地址是0042D3C4,和刚才爆破时的判断相同。
双击这一行,进入反编译窗口,大概看了一下,里面注释将控件都标示了出来。
在DarkDe4中选择导出到IDA/Softice选项,
点击创建导出文件,再回到OD中,利用插件mapimp导入刚才的文件,似乎没什么动静。
Ctrl+G转到Button1Click的起始地址0042D3C4,马上看到注释中出现了Darkde4的内容,好了!这下分析就轻松多了。
双击下断点于0042D3C4处,重新加载程序,F9运行,输入Name=“52pojie”,Serial1=“12345”、Serial2=“67890”,点击按钮,程序中断;F8单步向下运行,
在OD中反复运行这段代码,出了不少错误才慢慢弄明白里面一些call及几个数据段的作用,将call的地址处做上标签,结合DeDe4加载的标签与注释,让自己更清楚地程序的运行过程,基本上可以看出这是一个比较简单的流程:
程序先判断Name文本框是否为空,空则提示“Fill all boxes first dumb!”,将三个文本框清零,等待重新输入;
不空,再去判断Serial1是否为空,空则提示“Fill all boxes first dumb!”, 将三个文本框清零,等待重新输入;
不空则判断Serial2是否为空,空则提示“Fill all boxes first dumb!”, 将三个文本框都清零,等待重新输入;
不空则跳到判断Serial1、Serial2是否为0,只要有一个Serial为0则提示“Nice try...but is incorrect...Dumb..”,清零文本框,等待重新输入;
都不为0则再判断输入的Serial1、Serial2是否正确,只要有一个Serial错误则提示“Nice try...but is incorrect...Dumb..”,清零文本框,等待重新输入;
两个Serial都正确,才提示“Hmmm.... Cracked... Congratulations idiot! :-)”。
根据分析的情况,我从中也找到了一些call和数据段的作用,给它们加上标签,如THintWindow._PROC_00419DE0()是给文本框填写内容的,基本上输入什么就是什么,标签设成SetTEdit(Strings);THintWindow._PROC_00419E10()则是将文本框清空,不知怎么用英文写直接将标签写成了“清零文本框”; 0042CA8C处设成LoadStr,运行几次后发现应该是弹出提示框而不仅是加载了字符串,后面又改成了Showmsgbox;00406550处的call作用是数字转化成字符串,而我开始以为是在这里计算出的Sn,,所以标签是GETSn,后来更改为InttoStr;004038D0处开始的call作用是比较字符串,用CmpStr更好一些,我直接用了IsorNot标签等,ds:与ds:中存储Serial1和Serial2的真码等等。
程序的运行情况就非常清楚了:
0042D3C4 <Cabec>/.55 push ebp ;<-TForm1@Button1Click
。。。。。。。
0042D3DE |.833D 14F74200 00 cmp dword ptr ds:,0x0 ;cmp(,0):与经常出现
0042D3E5 74 45 je short Cabeca.0042D42C ;失败
0042D3E7 833D 18F74200 00 cmp dword ptr ds:,0x0 ;cmp(,0)多次运行后看出=Serial1,=Serial2
0042D3EE |.74 3C je short Cabeca.0042D42C
0042D3F0 |.8D55 FC lea edx,
0042D3F3 <Cabec>|.8B83 E0010000 mov eax,dword ptr ds: ;*Edit1:TEdit
0042D3F9 <Cabec>|.E8 E2C9FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D3FE |.837D FC 00 cmp ,0x0 ;Name是否为空
0042D402 |.74 28 je short Cabeca.0042D42C
0042D404 |.8D55 F8 lea edx,
0042D407 <Cabec>|.8B83 E4010000 mov eax,dword ptr ds: ;*Edit2:TEdit
0042D40D <Cabec>|.E8 CEC9FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D412 |.837D F8 00 cmp ,0x0 ;Serial1是否为空
0042D416 |.74 14 je short Cabeca.0042D42C
0042D418 |.8D55 F4 lea edx,
0042D41B <Cabec>|.8B83 EC010000 mov eax,dword ptr ds: ;*Edit3:TEdit
0042D421 <Cabec>|.E8 BAC9FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D426 |.837D F4 00 cmp ,0x0 ;Serial2是否为空
0042D42A 75 44 jnz short Cabeca.0042D470
0042D42C |>B8 C4D54200 mov eax,Cabeca.0042D5C4 ;Fill all boxes first dumb!
0042D431 <Cabec>|.E8 56F6FFFF call <Cabeca.LoadStr> ;装载字符串后弹提示框
0042D436 |.33C0 xor eax,eax
0042D438 |.A3 14F74200 mov dword ptr ds:,eax ;=0
0042D43D |.33C0 xor eax,eax
0042D43F |.A3 18F74200 mov dword ptr ds:,eax ;=0
0042D444 |.33D2 xor edx,edx
0042D446 <Cabec>|.8B83 E0010000 mov eax,dword ptr ds: ;*Edit1:TEdit
0042D44C <Cabec>|.E8 BFC9FEFF call <Cabeca.清零文本框> ;->:THintWindow._PROC_00419E10()设置文本框内容
0042D451 |.33D2 xor edx,edx
0042D453 <Cabec>|.8B83 E4010000 mov eax,dword ptr ds: ;*Edit2:TEdit
0042D459 <Cabec>|.E8 B2C9FEFF call <Cabeca.清零文本框> ;->:THintWindow._PROC_00419E10()
0042D45E |.33D2 xor edx,edx
0042D460 <Cabec>|.8B83 EC010000 mov eax,dword ptr ds: ;*Edit3:TEdit
0042D466 <Cabec>|.E8 A5C9FEFF call <Cabeca.清零文本框> ;->:THintWindow._PROC_00419E10()以上猜测是三个edit清零
0042D46B |.E9 1A010000 jmp Cabeca.0042D58A
0042D470 |>833D 14F74200 00 cmp dword ptr ds:,0x0 ;cmp(,0)
0042D477 |.74 6C je short Cabeca.0042D4E5
0042D479 |.833D 18F74200 00 cmp dword ptr ds:,0x0 ;cmp(,0)
0042D480 |.74 63 je short Cabeca.0042D4E5
0042D482 |.8D55 F0 lea edx, ;=
0042D485 |.A1 14F74200 mov eax,dword ptr ds: ;==0x9B69E
0042D48A |.E8 C190FDFF call <Cabeca.GETSn> ;call应该是计算Serial1的
0042D48F |.8B45 F0 mov eax, ;得到真码636574(10进制数)
0042D492 |.50 push eax
0042D493 |.8D55 FC lea edx,
0042D496 <Cabec>|.8B83 E4010000 mov eax,dword ptr ds: ;*Edit2:TEdit
0042D49C <Cabec>|.E8 3FC9FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D4A1 |.8B55 FC mov edx, ;输入的Serial1假码
0042D4A4 |.58 pop eax ;程序计算出的Serial1
0042D4A5 |.E8 2664FDFF call <Cabeca.ISorNOT> ;call应该是判断真假码的地方,真不跳,假跳向失败
0042D4AA |.75 39 jnz short Cabeca.0042D4E5
0042D4AC |.8D55 F0 lea edx,
0042D4AF |.A1 18F74200 mov eax,dword ptr ds: ;=Searial2真码
0042D4B4 |.E8 9790FDFF call <Cabeca.GETSn>
0042D4B9 |.8B45 F0 mov eax,
0042D4BC |.50 push eax
0042D4BD |.8D55 FC lea edx,
0042D4C0 <Cabec>|.8B83 EC010000 mov eax,dword ptr ds: ;*Edit3:TEdit
0042D4C6 <Cabec>|.E8 15C9FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D4CB |.8B55 FC mov edx,
0042D4CE |.58 pop eax ;0012FA98
0042D4CF |.E8 FC63FDFF call <Cabeca.ISorNOT>
0042D4D4 75 0F jnz short Cabeca.0042D4E5
0042D4D6 |.B8 E8D54200 mov eax,Cabeca.0042D5E8 ;Hmmm.... Cracked... Congratulations idiot! :-)
0042D4DB <Cabec>|.E8 ACF5FFFF call <Cabeca.LoadStr> ;->:TMessageForm._PROC_0042CA8C()
0042D4E0 |.E9 A5000000 jmp Cabeca.0042D58A ;弹出提示框
0042D4E5 |>833D 14F74200 00 cmp dword ptr ds:,0x0
0042D4EC |.74 33 je short Cabeca.0042D521
0042D4EE |.833D 18F74200 00 cmp dword ptr ds:,0x0
0042D4F5 |.74 2A je short Cabeca.0042D521
0042D4F7 |.8D55 F0 lea edx,
0042D4FA |.A1 14F74200 mov eax,dword ptr ds:
0042D4FF |.E8 4C90FDFF call <Cabeca.GETSn>
0042D504 |.8B45 F0 mov eax,
0042D507 |.50 push eax
0042D508 |.8D55 FC lea edx,
0042D50B <Cabec>|.8B83 E4010000 mov eax,dword ptr ds: ;*Edit2:TEdit
0042D511 <Cabec>|.E8 CAC8FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D516 |.8B55 FC mov edx,
0042D519 |.58 pop eax ;0012FA98
0042D51A |.E8 B163FDFF call <Cabeca.ISorNOT>
0042D51F 75 2A jnz short Cabeca.0042D54B
0042D521 |>8D55 F0 lea edx,
0042D524 |.A1 18F74200 mov eax,dword ptr ds:
0042D529 |.E8 2290FDFF call <Cabeca.GETSn>
0042D52E |.8B45 F0 mov eax,
0042D531 |.50 push eax
0042D532 |.8D55 FC lea edx,
0042D535 <Cabec>|.8B83 EC010000 mov eax,dword ptr ds: ;*Edit3:TEdit
0042D53B <Cabec>|.E8 A0C8FEFF call <Cabeca.SetTEdit(Strings)> ;->:THintWindow._PROC_00419DE0()
0042D540 |.8B55 FC mov edx,
0042D543 |.58 pop eax ;0012FA98
0042D544 |.E8 8763FDFF call <Cabeca.ISorNOT>
0042D549 74 3F je short Cabeca.0042D58A
0042D54B |>B8 20D64200 mov eax,Cabeca.0042D620 ;Nice try... but is incorrect... Dumb..
0042D550 <Cabec>|.E8 37F5FFFF call <Cabeca.LoadStr> ;->:TMessageForm._PROC_0042CA8C()
0042D555 |.33C0 xor eax,eax
0042D557 A3 14F74200 mov dword ptr ds:,eax ;ds:清零
0042D55C |.33C0 xor eax,eax
0042D55E |.A3 18F74200 mov dword ptr ds:,eax ;ds:清零
0042D563 |.33D2 xor edx,edx
0042D565 <Cabec>|.8B83 E0010000 mov eax,dword ptr ds: ;*Edit1:TEdit
0042D56B <Cabec>|.E8 A0C8FEFF call <Cabeca.清零文本框> ;->:THintWindow._PROC_00419E10()
0042D570 |.33D2 xor edx,edx
0042D572 <Cabec>|.8B83 E4010000 mov eax,dword ptr ds: ;*Edit2:TEdit
0042D578 <Cabec>|.E8 93C8FEFF call <Cabeca.清零文本框> ;->:THintWindow._PROC_00419E10()
0042D57D |.33D2 xor edx,edx
0042D57F <Cabec>|.8B83 EC010000 mov eax,dword ptr ds: ;*Edit3:TEdit
0042D585 <Cabec>|.E8 86C8FEFF call <Cabeca.清零文本框> ;->:THintWindow._PROC_00419E10()
0042D58A |>33C0 xor eax,eax
0042D58C |.5A pop edx ;0012FA98
0042D58D |.59 pop ecx ;0012FA98
0042D58E |.59 pop ecx ;0012FA98
0042D58F |.64:8910 mov dword ptr fs:,edx
0042D592 |.68 B4D54200 push Cabeca.0042D5B4
0042D597 |>8D45 F0 lea eax,
0042D59A |.E8 A55FFDFF call Cabeca.00403544
0042D59F |.8D45 F4 lea eax,
0042D5A2 |.BA 03000000 mov edx,0x3
0042D5A7 |.E8 BC5FFDFF call Cabeca.00403568
0042D5AC \.C3 retn
以上代码是按钮事件代码,我开始以为是在这个事件中用Name计算出的注册码,后来发现ds:与ds:中存储Serial1和Serial2的真码,按钮事件一开始就有了:
OD重新加载程序,F9运行,输入Name=“52pojie”,Serial1=“12345”、Serial2=“67890”,点击按钮,程序中断于按钮事件段首0042D3C4处,此时分别点击0042D3DE和0042D3E7这两行,信息框中已经出现了ds:=0009B69E和ds:=0008E908的提示,这两个值正是计算出的注册码16进制形式。
所以,注册码的计算就只能在按键事件里去找了!
Darkde4中看到按键事件开始于0042CE30处,Ctrl+G转过去下断,并将原来的断点先禁用掉,
重新加载程序,F9运行,刚在Name框中填了一个“5”,程序就中断了,F8单步:
这一段edx中存储输入的字符,第一句先将eax清零;
第二句取输入的字符“5”的ASCII16进制数值35;
第三、四、五句限定输入字符的ASCII16进制数值在0x8-0x7A之间,超过直接返回,要求重新输入字符。这里0x35-0x8=0x2D;0x2D<0x72;第五句不跳,到下一句;
第六句取=ds:[(0x2D+0x42CE4D=)0x42CE7A]=0x0;
第七句jmp dword ptr ds:[(edx*4+0x42CEC0=)0x42CEC0],retn到0041CC75处,F8继续下一句,又retn,这一次返回到0041CCC7了;
继续耐心地向下,认真地注释了这几句,一路retn,到了系统领空,继续F8走;好,出来了,继续走,直到00428589处,跳回0042857A,形成了一个小小的死循环,出不去了!
无奈之下F9了一次,OD显示“运行”二字,点一下Cabeca.exe,程序界面出现,光标在“5”后面闪烁:再输入“2”,重新进行了一遍,又到了0042857A ~00428589处的死循环,怎么没找到给ds:和ds:赋值的地方?
再F9运行,输入“p”,F8单步,这次跳到0042D0B5处,见到了ds:和ds:!
此时信息栏中ds:=0,F8运行,再点击这一行,ds:=0x9A670;
下一行,信息栏中显示ds:=0,F8运行,再点击这一行,ds:= 0x8C7F3;
再往下,retn到retn到0041CC75处,F8继续下一句,又retn,再次进入0042857A ~00428589处的死循环,还得F9继续!
就这样输入完整“52pojie”5个字符,死循环了5次!可能是调试的原因吧。这样循环的结果,每次两个数据段存储的内容都进行了改变,输入“o、j、i、e”4个字母后,ds: 和ds:的值分别等于0x9A6FE/0x8E51F、0x9AE62/0x8E897、0x9B29E/0x8E8FA、0x9B69E/0x8E908,最后这两个值转成10进制形式就是Serial1和Serial2了!
按键事件里面很简单,首先它要对每个输入的字符进行判断,Asc(Name)小于0x8时正常输入,不进行任何计算,Asc(Name)大于0x7A时会重新回到输入框,符合条件的字符进行存入两个变量ds:和ds:中累加。加的时候应该是一个数组或者是选择(select case)吧,数量比较多,很麻烦!
注册机用VB编写,没用keypress事件,直接在按钮事件中进行了计算,源码如下:
Option Explicit
Private Sub Command1_Click()
Dim UserName As String
Dim Serial1, Serial2, i, n As Integer
Dim NameOne()
UserName = Text1.Text
ReDim NameOne(1 To Len(UserName))
For n = 1 To Len(UserName)
NameOne(n) = Mid(UserName, n, 1)
i = Asc(NameOne(n))
Select Case i
Case &H61
Serial1 = Serial1 + &H427
Serial2 = Serial2 + &H79
Case &H62
Serial1 = Serial1 + &H6BC
Serial2 = Serial2 + &H6F
Case &H63
Serial1 = Serial1 + &H491
Serial2 = Serial2 + &H2E2
Case &H64
Serial1 = Serial1 + &H474D
Serial2 = Serial2 + &H2FA
Case &H65
Serial1 = Serial1 + &H400
Serial2 = Serial2 + &HE
Case &H66
Serial1 = Serial1 + &H6D0
Serial2 = Serial2 + &HD
Case &H67
Serial1 = Serial1 + &H67D
Serial2 = Serial2 + &HC
Case &H68
Serial1 = Serial1 + &H750
Serial2 = Serial2 + &HB
Case &H69
Serial1 = Serial1 + &H43C
Serial2 = Serial2 + &H63
Case &H6A
Serial1 = Serial1 + &H764
Serial2 = Serial2 + &H378
Case &H6B
Serial1 = Serial1 + &HC0
Serial2 = Serial2 + &H4D
Case &H6C
Serial1 = Serial1 + &H277D
Serial2 = Serial2 + &H22B
Case &H6D
Serial1 = Serial1 + &H81E
Serial2 = Serial2 + &H5A
Case &H6E
Serial1 = Serial1 + &HE07
Serial2 = Serial2 + &H62
Case &H6F
Serial1 = Serial1 + &H8E
Serial2 = Serial2 + &H1D2C
Case &H70
Serial1 = Serial1 + &H9A670
Serial2 = Serial2 + &H8C7F3
Case &H71
Serial1 = Serial1 + &HD57
Serial2 = Serial2 + &H288
Case &H72
Serial1 = Serial1 + &H5FEB
Serial2 = Serial2 + &H21A
Case &H73
Serial1 = Serial1 + &H8B0
Serial2 = Serial2 + &H1
Case &H74
Serial1 = Serial1 + &H4BB
Serial2 = Serial2 + &H40
Case &H75
Serial1 = Serial1 + &H8C2
Serial2 = Serial2 + &H4B
Case &H76
Serial1 = Serial1 + &H1CA6
Serial2 = Serial2 + &H4E
Case &H78
Serial1 = Serial1 + &H395
Serial2 = Serial2 + &H26
Case &H77
Serial1 = Serial1 + &H251E
Serial2 = Serial2 + &H5
Case &H79
Serial1 = Serial1 + &H2D13
Serial2 = Serial2 + &H8
Case &H7A
Serial1 = Serial1 + &H1900
Serial2 = Serial2 + &H1C8
Case &H41
Serial1 = Serial1 + &H428
Serial2 = Serial2 + &H1610
Case &H42
Serial1 = Serial1 + &HB1630
Serial2 = Serial2 + &H2
Case &H43
Serial1 = Serial1 + &HD86
Serial2 = Serial2 + &H270F
Case &H44
Serial1 = Serial1 + &H11A4
Serial2 = Serial2 + &H46FF33C
Case &H45
Serial1 = Serial1 + &H11F0A
Serial2 = Serial2 + &H8B3C
Case &H46
Serial1 = Serial1 + &H3CC2
Serial2 = Serial2 + &H8618
Case &H47
Serial1 = Serial1 + &H3E1A8
Serial2 = Serial2 + &H6C81C
Case &H48
Serial1 = Serial1 + &H91E4
Serial2 = Serial2 + &H27E945
Case &H49
Serial1 = Serial1 + &H6B42
Serial2 = Serial2 + &H2FC7C3
Case &H4A
Serial1 = Serial1 + &H516A4
Serial2 = Serial2 + &HB8F47C
Case &H4B
Serial1 = Serial1 + &H4345A
Serial2 = Serial2 + &H115C7
Case &H4C
Serial1 = Serial1 + &H1BFDD9
Serial2 = Serial2 + &H12B54
Case &H4D
Serial1 = Serial1 + &H286D
Serial2 = Serial2 + &HB348C
Case &H4E
Serial1 = Serial1 + &H401
Serial2 = Serial2 + &H357CE174
Case &H4F
Serial1 = Serial1 + &H674
Serial2 = Serial2 + &H317CD7
Case &H50
Serial1 = Serial1 + &H9C
Serial2 = Serial2 + &H7DD834
Case &H51
Serial1 = Serial1 + &H156
Serial2 = Serial2 + &H39CD0
Case &H52
Serial1 = Serial1 + &H8627
Serial2 = Serial2 + &HBF44A
Case &H53
Serial1 = Serial1 + &H748190
Serial2 = Serial2 + &H854686
Case &H54
Serial1 = Serial1 + &HA568
Serial2 = Serial2 + &H13220
Case &H55
Serial1 = Serial1 + &H15592
Serial2 = Serial2 + &H302E
Case &H56
Serial1 = Serial1 + &H1DD9
Serial2 = Serial2 + &H1C43
Case &H58
Serial1 = Serial1 + &H266A
Serial2 = Serial2 + &H2BA96C08
Case &H57
Serial1 = Serial1 + &H3CC0
Serial2 = Serial2 + &H4EFC8
Case &H59
Serial1 = Serial1 + &H8311
Serial2 = Serial2 + &H1C46
Case &H5A
Serial1 = Serial1 + &HCE1B
Serial2 = Serial2 + &HB1664
End Select
Next n
Text2.Text = Serial1
Text3.Text = Serial2
End Sub
建议使用注册机后回到CM021中进行验证时,Name框要自行输入每个字符, Serial1和Serial2可以从注册机中粘贴进来。原因是CM021中用的是keypress事件,粘贴进去的字符没有触发事件,所以Serial1、Serial2为0,程序会弹出错误提示!
附件,含CM原程序、脱壳后的程序、爆破后的程序、注册机、OD的调试文件等。
百度链接是:http://pan.baidu.com/s/1skMkJY9密码: 86pm,160个CM、我已练习过的前21个crackme程序(不含012)都在里面。
吾爱师姐! 发表于 2019-4-29 17:31
您的OD用的那个版本?我的WIN10系统开的OD给您的不一样,
我是在XP虚拟机下使用的OD,都是从吾爱论坛的爱盘上下载的,是吾爱破解专用OD,你可以从爱盘上找到。 有点复杂,没懂,感谢分享 鼓励多发此类作品,这才是破解的主题 看了一遍没太明白,得再练练 160个,感谢分享,收藏 我完全看不懂。。。。。 不懂什么时候才能有这技术开始160 个crackme练习!!! 学习了,楼主辛苦了{:1_893:}{:1_893:}{:1_893:} 谢谢分享 有时间过来入门,先插眼