好友 阅读权限 10
听众 最后登录 1970-1-1
新手就从第一开始吧.
起手
先用peid看看,发现是Borland Delphi 3.0,没有壳
任务需要去掉启动对话框,找到注册码
去掉开场的Msgbox
字符参考,找到关键点,90就行了
注意不要90得太深,否则连注册正确的对话框一起没了.
注意堆栈平衡,push 0x0和call <Acid_bur.Msgbox>全部干掉
复制到可执行文件->所有修改->全部->保存到文件.
0042F784 6A 00 push 0x0
0042F786 . B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B . BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 . A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 . 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call <Acid_bur.Msgbox>
0042F79C . C3 retn
左边的
打开新的修改文件,点左边按钮
随便输入个名字,注册码有错误提示,那就可以先找找参考字符串,可以到0x0042FB21附近
如果程序没有故意为难你的话,应该这些过程都是一路线性写下来的,比如取得文本框内容,做计算,最后比较
Delphi的程序有一个特点,很整齐的call,一般eax.edx两个易变寄存器参与传递参数,然后一般返回值都在eax指定的参数里头,和fastcall很像,但是又不是
Delphi也有大量的时间是在运行库中转来转去.所以看汇编代码找到关键点后就得有点脑洞了,先跟一个大概,大胆的猜才行,不然会陷入无尽的函数调用中去,根本搞不清方向了.
在一些关键的点按下shift+; 可以给函数,全局地址命名,然后就方便阅读了.没准还能给其他的破解提供信息.
local.3是正确的注册码,local.4是我们的用户名,盯紧这个线就能在0042FA79看到注册码的计算.加上命名函数,这样的汇编看起来应该没有任何难度.
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[<userName>]
0042FA52 |. E8 D96EFDFF call <Acid_bur.strlen>
0042FA57 |. 83F8 04 cmp eax,0x4 ; uerName长度大于4
0042FA5A |. 7D 1D jge short Acid_bur.0042FA79
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call <Acid_bur.Msgbox>
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> \8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call <Acid_bur.txt.getText>
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax]
0042FA8D |. F72D 50174300 imul dword ptr ds:[<RegCode>] ;初始是0x29
0042FA93 |. A3 50174300 mov dword ptr ds:[<RegCode>],eax ;取第一个字母ascii*0x29*2
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[<RegCode>]
0042FA9D |. 0105 50174300 add dword ptr ds:[<RegCode>],eax
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; CW
0042FAAB |. E8 583CFDFF call <Acid_bur.strCpy>
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACKED
0042FAB8 |. E8 4B3CFDFF call <Acid_bur.strCpy>
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[<RegCode>]
0042FACD |. E8 466CFDFF call <Acid_bur.int2Str>
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2]
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call <Acid_bur.strCat>
0042FAEA |. 8D55 F0 lea edx,[local.4]
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF call <Acid_bur.txt.getText>
0042FAF8 |. 8B55 F0 mov edx,[local.4] ; 输入的哦
0042FAFB |. 8B45 F4 mov eax,[local.3] ; 对的注册码
0042FAFE |. E8 F93EFDFF call <Acid_bur.strcmp>
0042FB03 |. 75 1A jnz short Acid_bur.0042FB1F
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call <Acid_bur.Msgbox>
0042FB1D |. EB 18 jmp short Acid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call <Acid_bur.Msgbox>注册码计算
读懂汇编后就可以写个注册机了
Function Regcode(userName As String) As String
If Len(userName) >= 4 Then
Regcode = "CW-" & Asc(Left(userName, 1)) * &H29 * 2 & "-CRACKED"
End If
End Function右边的
有了左边的铺垫,同样用字符串参考来到关键点,都是老熟人了,看着没有任何难度.
就是把两个字串和在一起,结果是Hello Dude!
0042F48A |. 8D45 FC lea eax,[local.1]
0042F48D |. BA 40F54200 mov edx,Acid_bur.0042F540 ; Hello
0042F492 |. E8 7142FDFF call <Acid_bur.strCpy>
0042F497 |. 8D45 F8 lea eax,[local.2]
0042F49A |. BA 50F54200 mov edx,Acid_bur.0042F550 ; Dude!
0042F49F |. E8 6442FDFF call <Acid_bur.strCpy>
0042F4A4 |. FF75 FC push [local.1]
0042F4A7 |. 68 60F54200 push Acid_bur.0042F560
0042F4AC |. FF75 F8 push [local.2]
0042F4AF |. 8D45 F4 lea eax,[local.3]
0042F4B2 |. BA 03000000 mov edx,0x3
0042F4B7 |. E8 F044FDFF call <Acid_bur.strCat>
0042F4BC |. 8D55 F0 lea edx,[local.4]
0042F4BF |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042F4C5 |. E8 8EB5FEFF call <Acid_bur.txt.getText>
0042F4CA |. 8B45 F0 mov eax,[local.4]
0042F4CD |. 8B55 F4 mov edx,[local.3]
0042F4D0 |. E8 2745FDFF call <Acid_bur.strcmp>
0042F4D5 |. 75 1A jnz short Acid_bur.0042F4F1
0042F4D7 |. 6A 00 push 0x0
0042F4D9 |. B9 64F54200 mov ecx,Acid_bur.0042F564 ; Congratz!
0042F4DE |. BA 70F54200 mov edx,Acid_bur.0042F570 ; God Job dude !! =)
0042F4E3 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F4E8 |. 8B00 mov eax,dword ptr ds:[eax]
0042F4EA |. E8 81ACFFFF call <Acid_bur.Msgbox>
0042F4EF |. EB 18 jmp short Acid_bur.0042F509
0042F4F1 |> 6A 00 push 0x0
0042F4F3 |. B9 84F54200 mov ecx,Acid_bur.0042F584 ; Failed!
0042F4F8 |. BA 8CF54200 mov edx,Acid_bur.0042F58C ; Try Again!!
0042F4FD |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F502 |. 8B00 mov eax,dword ptr ds:[eax]
0042F504 |. E8 67ACFFFF call <Acid_bur.Msgbox>存在疑问
希望有人可以给我答案.
我用的是吾爱破解6周年纪念版OD,本地变量显示为local.xxx的格式,这是插件的效果吗?我可以改个我自己看得懂的名字吗?比如local.userName
参与人数 1 威望 +1
吾爱币 +20
热心值 +1
收起
理由
Hmily
+ 1
+ 20
+ 1
感谢发布原创作品,吾爱破解论坛因你更精彩!
查看全部评分
发表于 2021-1-11 12:49
|
发表于 2021-1-12 08:12
