What is a CM? What is a Crackme? What is this thing? What did the OP post?
They are small programs released publicly for others to try to crack. The person who writes a Crackme may be a programmer who wants to test their own software-protection technique, a cracker who wants to challenge other crackers' skills, or someone learning to crack who writes small programs to crack themselves. A KeyGenMe asks you to write its keygen (serial generator), a ReverseMe asks you to reverse-engineer its algorithm, and an UnpackMe asks you to unpack it successfully. Non-technical, off-topic replies are prohibited in this board.
[Title]: 52pojie 6th anniversary toy --- 书生's cracking process (patching)
[Author]: 书生
[Software]: 吾爱破解六周年小玩具-大叔的草莓CM20140313 (52pojie 6th-anniversary toy: Dashu's Strawberry CM20140313)
[Download]: search for it yourself
[Packer]: UPX
[Language]: E Language (易语言)
[Tools]: OD (OllyDbg)
[Author's note]: Just out of interest, no other purpose. Please correct any mistakes I made!
--------------------------------------------------------------------------------
[Detailed process]
--------------------------
吾爱破解六周年小玩具-大叔的草莓CM20140313 (52pojie 6th-anniversary toy: Dashu's Strawberry CM20140313)
http://www.52pojie.cn/thread-240878-1-1.html
(Source: 吾爱破解论坛 - LCG - LSG | software security | virus analysis | software cracking | software forum | www.52pojie.cn)
Spent 4 hours on this and nearly worked myself to death; who knows how many brain cells it burned. What is this even supposed to be?
A bumpy process, but the result was still pretty good, haha.
Making a newbie like me trace the code... you might as well kill me. Couldn't take it.
Used MistHill's UPX unpacking script; borrowing a ready-made tool saves the trouble 0.0
After unpacking it runs fine, but pops up a message box saying tampering with the program was detected 0.0. Set a breakpoint on MessageBoxA.
After the break, step back out a few times and arrive at
004016E2 /$ 55 push ebp ; CM201403.00476C3A
004016E3 |. 8BEC mov ebp,esp
004016E5 |. 81EC 34000000 sub esp,0x34
004016EB |. C745 FC 00000>mov [local.1],0x0
004016F2 |. C745 F8 00000>mov [local.2],0x0
004016F9 |. 68 14000000 push 0x14
004016FE |. E8 961C0000 call CM201403.00403399
This is the place.
Then:
004016E2 /$ 55 push ebp ; CM201403.00476C3A
004016E3 |. 8BEC mov ebp,esp
004016E5 |. 81EC 34000000 sub esp,0x34
004016EB |. C745 FC 00000>mov [local.1],0x0
004016F2 |. C745 F8 00000>mov [local.2],0x0
004016F9 |. 68 14000000 push 0x14
004016FE |. E8 961C0000 call CM201403.00403399
00401703 |. 83C4 04 add esp,0x4
00401706 |. 8945 F4 mov [local.3],eax
00401709 |. 8BF8 mov edi,eax
0040170B |. BE 0B6F4700 mov esi,CM201403.00476F0B
00401710 |. AD lods dword ptr ds:[esi]
00401711 |. AB stos dword ptr es:[edi]
00401712 |. AD lods dword ptr ds:[esi]
00401713 |. AB stos dword ptr es:[edi]
00401714 |. 33C0 xor eax,eax
00401716 |. AB stos dword ptr es:[edi]
00401717 |. AB stos dword ptr es:[edi]
00401718 |. AB stos dword ptr es:[edi]
00401719 |. C745 F0 00000>mov [local.4],0x0
00401720 |. C745 EC 00000>mov [local.5],0x0
00401727 |. 68 04000080 push 0x80000004
0040172C |. 6A 00 push 0x0
0040172E |. A1 18EA4900 mov eax,dword ptr ds:[0x49EA18]
00401733 |. 85C0 test eax,eax
00401735 |. 75 05 jnz short CM201403.0040173C
00401737 |. B8 C06C4700 mov eax,CM201403.00476CC0
0040173C |> 50 push eax
0040173D |. 68 04000080 push 0x80000004
00401742 |. 6A 00 push 0x0
00401744 |. 68 D06C4700 push CM201403.00476CD0 ; ASCII "AD04E9F801BF0DB6"
00401749 |. 68 02000000 push 0x2
0040174E |. B8 01000000 mov eax,0x1
00401753 |. BB C0AD4400 mov ebx,CM201403.0044ADC0
00401758 |. E8 541C0000 call CM201403.004033B1
0040175D |. 83C4 1C add esp,0x1C
00401760 |. 8945 E8 mov [local.6],eax
00401763 |. 68 04000080 push 0x80000004
00401768 |. 6A 00 push 0x0
0040176A |. 8B45 E8 mov eax,[local.6]
0040176D |. 85C0 test eax,eax
0040176F |. 75 05 jnz short CM201403.00401776
00401771 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401776 |> 50 push eax
00401777 |. 68 01000000 push 0x1
0040177C |. BB 40374000 mov ebx,CM201403.00403740
00401781 |. E8 1F1C0000 call CM201403.004033A5
00401786 |. 83C4 10 add esp,0x10
00401789 |. 8945 E4 mov [local.7],eax
0040178C |. 8B5D E8 mov ebx,[local.6]
0040178F |. 85DB test ebx,ebx
00401791 |. 74 09 je short CM201403.0040179C
00401793 |. 53 push ebx
00401794 |. E8 FA1B0000 call CM201403.00403393
00401799 |. 83C4 04 add esp,0x4
0040179C |> 8B45 E4 mov eax,[local.7]
0040179F |. A3 14EA4900 mov dword ptr ds:[0x49EA14],eax
004017A4 |. 68 00000000 push 0x0
004017A9 |. BB 20344000 mov ebx,CM201403.00403420
004017AE |. E8 F21B0000 call CM201403.004033A5
004017B3 |. 83C4 04 add esp,0x4
004017B6 |. 8945 E8 mov [local.6],eax
004017B9 |. 68 04000080 push 0x80000004
004017BE |. 6A 00 push 0x0
004017C0 |. A1 18EA4900 mov eax,dword ptr ds:[0x49EA18]
004017C5 |. 85C0 test eax,eax
004017C7 |. 75 05 jnz short CM201403.004017CE
004017C9 |. B8 C06C4700 mov eax,CM201403.00476CC0
004017CE |> 50 push eax
004017CF |. 68 04000080 push 0x80000004
004017D4 |. 6A 00 push 0x0
004017D6 |. 68 E16C4700 push CM201403.00476CE1 ; ASCII "C3C67669019F120876D61E59C4CEC2FD"
004017DB |. 68 02000000 push 0x2
004017E0 |. B8 01000000 mov eax,0x1
004017E5 |. BB C0AD4400 mov ebx,CM201403.0044ADC0
004017EA |. E8 C21B0000 call CM201403.004033B1 ; find file
004017EF |. 83C4 1C add esp,0x1C
004017F2 |. 8945 E4 mov [local.7],eax
004017F5 |. FF75 E4 push [local.7]
004017F8 |. FF75 E8 push [local.6]
004017FB |. B9 02000000 mov ecx,0x2
00401800 |. E8 BDFDFFFF call CM201403.004015C2 ; string concatenation
00401805 |. 83C4 08 add esp,0x8
00401808 |. 8945 E0 mov [local.8],eax
0040180B |. 8B5D E8 mov ebx,[local.6]
0040180E |. 85DB test ebx,ebx
00401810 |. 74 09 je short CM201403.0040181B
00401812 |. 53 push ebx
00401813 |. E8 7B1B0000 call CM201403.00403393 ; returning 1 probably means it doesn't exist
00401818 |. 83C4 04 add esp,0x4
0040181B |> 8B5D E4 mov ebx,[local.7]
0040181E |. 85DB test ebx,ebx
00401820 |. 74 09 je short CM201403.0040182B
00401822 |. 53 push ebx
00401823 |. E8 6B1B0000 call CM201403.00403393
00401828 |. 83C4 04 add esp,0x4
0040182B |> 8B45 E0 mov eax,[local.8] ; 8=address
0040182E |. 50 push eax
0040182F |. 8B5D FC mov ebx,[local.1] ; 1 was right after all: if it exists, read it
00401832 |. 85DB test ebx,ebx
00401834 |. 74 09 je short CM201403.0040183F
00401836 |. 53 push ebx
00401837 |. E8 571B0000 call CM201403.00403393
0040183C |. 83C4 04 add esp,0x4
0040183F |> 58 pop eax
00401840 |. 8945 FC mov [local.1],eax ; 1=address=002A0F68
00401843 |. 68 00000000 push 0x0
00401848 |. BB 40344000 mov ebx,CM201403.00403440
0040184D |. E8 531B0000 call CM201403.004033A5
00401852 |. 83C4 04 add esp,0x4
00401855 |. 8945 E8 mov [local.6],eax ; 6=file name
00401858 |. 68 04000080 push 0x80000004
0040185D |. 6A 00 push 0x0
0040185F |. 8B45 E8 mov eax,[local.6] ; eax=file name
00401862 |. 85C0 test eax,eax
00401864 |. 75 05 jnz short CM201403.0040186B
00401866 |. B8 C06C4700 mov eax,CM201403.00476CC0
0040186B |> 50 push eax ; push file name
0040186C |. 68 01000000 push 0x1 ; push 1
00401871 |. B8 01000000 mov eax,0x1 ; eax=1
00401876 |. BB 30AE4400 mov ebx,CM201403.0044AE30 ; ebx=830CEC83
0040187B |. E8 311B0000 call CM201403.004033B1
00401880 |. 83C4 10 add esp,0x10 ; eax=EE45E211
00401883 |. 8945 E4 mov [local.7],eax ; 7=EE45E211
00401886 |. 8B5D E8 mov ebx,[local.6] ; ebx=file name
00401889 |. 85DB test ebx,ebx ; test
0040188B |. 74 09 je short CM201403.00401896
0040188D |. 53 push ebx
0040188E |. E8 001B0000 call CM201403.00403393 ; call find-file
00401893 |. 83C4 04 add esp,0x4 ; eax=1
00401896 |> 68 01030080 push 0x80000301
0040189B |. 6A 00 push 0x0
0040189D |. FF75 E4 push [local.7] ; EE45E211
004018A0 |. 68 01000000 push 0x1
004018A5 |. BB C03B4000 mov ebx,CM201403.00403BC0 ; ebx=0x403BC0
004018AA |. E8 F61A0000 call CM201403.004033A5
004018AF |. 83C4 10 add esp,0x10 ; eax=EE45E211, no idea what this is for
004018B2 |. 8945 E0 mov [local.8],eax ; 0x403BC0 -> 8
004018B5 |. 8B45 E0 mov eax,[local.8]
004018B8 |. 50 push eax
004018B9 |. 8B1D 1CEA4900 mov ebx,dword ptr ds:[0x49EA1C] ; 0x49EA1C = whether the file exists, definitely
004018BF |. 85DB test ebx,ebx
004018C1 |. 74 09 je short CM201403.004018CC
004018C3 |. 53 push ebx
004018C4 |. E8 CA1A0000 call CM201403.00403393 ; read-file call
004018C9 |. 83C4 04 add esp,0x4
004018CC |> 58 pop eax ; EE45E211
004018CD |. A3 1CEA4900 mov dword ptr ds:[0x49EA1C],eax ; constant=EE45E211
004018D2 |. 68 01030080 push 0x80000301
004018D7 |. 6A 00 push 0x0
004018D9 |. 68 00000000 push 0x0
004018DE |. 68 01000000 push 0x1
004018E3 |. B8 01000000 mov eax,0x1
004018E8 |. BB 30AC4400 mov ebx,CM201403.0044AC30
004018ED |. E8 BF1A0000 call CM201403.004033B1 ; get hard disk data: WD-WXN1A91K0174
004018F2 |. 83C4 10 add esp,0x10
004018F5 |. 8945 E8 mov [local.6],eax ; hard disk data -> 6
004018F8 |. 8B45 E8 mov eax,[local.6] ; 6 -> eax
004018FB |. 50 push eax
004018FC |. 8B1D 20EA4900 mov ebx,dword ptr ds:[0x49EA20]
00401902 |. 85DB test ebx,ebx
00401904 |. 74 09 je short CM201403.0040190F
00401906 |. 53 push ebx
00401907 |. E8 871A0000 call CM201403.00403393 ; file read
0040190C |. 83C4 04 add esp,0x4
0040190F |> 58 pop eax
00401910 |. A3 20EA4900 mov dword ptr ds:[0x49EA20],eax ; constant=hard disk data
00401915 |. 68 C06C4700 push CM201403.00476CC0 ; this data is important
0040191A |. FF35 20EA4900 push dword ptr ds:[0x49EA20] ; hard disk data
00401920 |. E8 F9FCFFFF call CM201403.0040161E ; looks like a text operation
00401925 |. 83C4 08 add esp,0x8 ; eax=1
00401928 |. 83F8 00 cmp eax,0x0
0040192B |. 0F85 3B000000 jnz CM201403.0040196C ; 00476D02 D5 E6 D2 C5 BA B6 (important) 00 C4 E3 B5 C4 CF B5 CD B3 B2 = 真遗憾.你的系统? ("What a pity. Your system?")
00401931 |. 68 04000080 push 0x80000004
00401936 |. 6A 00 push 0x0
00401938 |. 68 026D4700 push CM201403.00476D02
0040193D |. 68 01030080 push 0x80000301
00401942 |. 6A 00 push 0x0
00401944 |. 68 00000000 push 0x0
00401949 |. 68 04000080 push 0x80000004
0040194E |. 6A 00 push 0x0
00401950 |. 68 096D4700 push CM201403.00476D09
00401955 |. 68 03000000 push 0x3
0040195A |. BB 303D4000 mov ebx,CM201403.00403D30
0040195F |. E8 411A0000 call CM201403.004033A5
00401964 |. 83C4 28 add esp,0x28
00401967 |. E9 44090000 jmp CM201403.004022B0
0040196C |> 68 04000080 push 0x80000004
00401971 |. 6A 00 push 0x0
00401973 |. A1 18EA4900 mov eax,dword ptr ds:[0x49EA18] ; 0x49EA18=PeaceWorld
00401978 |. 85C0 test eax,eax
0040197A |. 75 05 jnz short CM201403.00401981
0040197C |. B8 C06C4700 mov eax,CM201403.00476CC0
00401981 |> 50 push eax ; push eax (PeaceWorld)
00401982 |. 68 04000080 push 0x80000004
00401987 |. 6A 00 push 0x0
00401989 |. A1 20EA4900 mov eax,dword ptr ds:[0x49EA20] ; hard disk data -> eax
0040198E |. 85C0 test eax,eax
00401990 |. 75 05 jnz short CM201403.00401997
00401992 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401997 |> 50 push eax ; hard disk data -> eax
00401998 |. 68 02000000 push 0x2
0040199D |. B8 01000000 mov eax,0x1
004019A2 |. BB 50AD4400 mov ebx,CM201403.0044AD50 ; ebx=0044AD50
004019A7 |. E8 051A0000 call CM201403.004033B1 ; gets some kind of data, don't understand it
004019AC |. 83C4 1C add esp,0x1C
004019AF |. 8945 E8 mov [local.6],eax ; that data -> 6
004019B2 |. 68 04000080 push 0x80000004
004019B7 |. 6A 00 push 0x0
004019B9 |. 8B45 E8 mov eax,[local.6] ; 6 -> eax
004019BC |. 85C0 test eax,eax
004019BE |. 75 05 jnz short CM201403.004019C5
004019C0 |. B8 C06C4700 mov eax,CM201403.00476CC0
004019C5 |> 50 push eax ; push that data
004019C6 |. 68 01000000 push 0x1 ; push 1
004019CB |. BB A03C4000 mov ebx,CM201403.00403CA0 ; ebx=00403CA0
004019D0 |. E8 D0190000 call CM201403.004033A5
004019D5 |. 83C4 10 add esp,0x10 ; eax=1
004019D8 |. 8B5D E8 mov ebx,[local.6]
004019DB |. 85DB test ebx,ebx
004019DD |. 74 09 je short CM201403.004019E8
004019DF |. 53 push ebx
004019E0 |. E8 AE190000 call CM201403.00403393
004019E5 |. 83C4 04 add esp,0x4 ; eax=1
004019E8 |> 68 04000080 push 0x80000004
004019ED |. 6A 00 push 0x0
004019EF |. 8B45 FC mov eax,[local.1] ; eax=1, 1=path address
004019F2 |. 85C0 test eax,eax
004019F4 |. 75 05 jnz short CM201403.004019FB
004019F6 |. B8 C06C4700 mov eax,CM201403.00476CC0
004019FB |> 50 push eax ; push path address
004019FC |. 68 01000000 push 0x1 ; push 1
00401A01 |. BB F03B4000 mov ebx,CM201403.00403BF0 ; ebx=00403BF0
00401A06 |. E8 9A190000 call CM201403.004033A5
00401A0B |. 83C4 10 add esp,0x10 ; eax=0
00401A0E |. 8945 E4 mov [local.7],eax ; 7=EE45E211
00401A11 |. 837D E4 01 cmp [local.7],0x1 ; compare with 1
00401A15 0F85 F0050000 jnz CM201403.0040200B ; this jump is important; don't let it jump
00401A1B |. 68 04000080 push 0x80000004
00401A20 |. 6A 00 push 0x0
00401A22 |. 8B45 FC mov eax,[local.1] ; fetch file path -> eax
00401A25 |. 85C0 test eax,eax
00401A27 |. 75 05 jnz short CM201403.00401A2E
00401A29 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401A2E |> 50 push eax
00401A2F |. 68 01000000 push 0x1
00401A34 |. BB 103C4000 mov ebx,CM201403.00403C10
00401A39 |. E8 67190000 call CM201403.004033A5
00401A3E |. 83C4 10 add esp,0x10 ; eax=002A2698
00401A41 |. 8945 E8 mov [local.6],eax ; 002A2698=6
00401A44 |. FF35 20EA4900 push dword ptr ds:[0x49EA20]
00401A4A |. FF35 1CEA4900 push dword ptr ds:[0x49EA1C]
00401A50 |. B9 02000000 mov ecx,0x2
00401A55 |. E8 68FBFFFF call CM201403.004015C2 ; concatenate
00401A5A |. 83C4 08 add esp,0x8
00401A5D |. 8945 E4 mov [local.7],eax ; EE45E211WD-WXN1A91K0174 -> 7
00401A60 |. 68 04000080 push 0x80000004
00401A65 |. 6A 00 push 0x0
00401A67 |. 8B45 E4 mov eax,[local.7] ; 7=eax
00401A6A |. 85C0 test eax,eax
00401A6C |. 75 05 jnz short CM201403.00401A73
00401A6E |. B8 C06C4700 mov eax,CM201403.00476CC0
00401A73 |> 50 push eax
00401A74 |. 68 05000080 push 0x80000005
00401A79 |. 6A 00 push 0x0
00401A7B |. 8B45 E8 mov eax,[local.6] ; eax=002A2698 =6
00401A7E |. 85C0 test eax,eax
00401A80 |. 75 05 jnz short CM201403.00401A87
00401A82 |. B8 226D4700 mov eax,CM201403.00476D22
00401A87 |> 50 push eax
00401A88 |. 68 02000000 push 0x2
00401A8D |. B8 01000000 mov eax,0x1
00401A92 |. BB 70AC4400 mov ebx,CM201403.0044AC70
00401A97 |. E8 15190000 call CM201403.004033B1
00401A9C |. 83C4 1C add esp,0x1C ; eax=0
00401A9F |. 8945 E0 mov [local.8],eax ; 8=0
00401AA2 |. 8B5D E8 mov ebx,[local.6]
00401AA5 |. 85DB test ebx,ebx
00401AA7 |. 74 09 je short CM201403.00401AB2
00401AA9 |. 53 push ebx
00401AAA |. E8 E4180000 call CM201403.00403393
00401AAF |. 83C4 04 add esp,0x4 ; eax=1
00401AB2 |> 8B5D E4 mov ebx,[local.7] ; ebx=EE45E211WD...
00401AB5 |. 85DB test ebx,ebx
00401AB7 |. 74 09 je short CM201403.00401AC2
00401AB9 |. 53 push ebx
00401ABA |. E8 D4180000 call CM201403.00403393
00401ABF |. 83C4 04 add esp,0x4
00401AC2 |> 68 05000080 push 0x80000005
00401AC7 |. 6A 00 push 0x0
00401AC9 |. 8B45 E0 mov eax,[local.8] ; eax=8=0
00401ACC |. 85C0 test eax,eax
00401ACE |. 75 05 jnz short CM201403.00401AD5
00401AD0 |. B8 226D4700 mov eax,CM201403.00476D22
00401AD5 |> 50 push eax
00401AD6 |. 68 01000000 push 0x1
00401ADB |. BB B03A4000 mov ebx,CM201403.00403AB0
00401AE0 |. E8 C0180000 call CM201403.004033A5
00401AE5 |. 83C4 10 add esp,0x10
00401AE8 |. 8945 DC mov [local.9],eax
00401AEB |. 8B5D E0 mov ebx,[local.8]
00401AEE |. 85DB test ebx,ebx
00401AF0 |. 74 09 je short CM201403.00401AFB
00401AF2 |. 53 push ebx
00401AF3 |. E8 9B180000 call CM201403.00403393
00401AF8 |. 83C4 04 add esp,0x4
00401AFB |> 8B45 DC mov eax,[local.9]
00401AFE |. 50 push eax
00401AFF |. 8B5D F8 mov ebx,[local.2]
00401B02 |. 85DB test ebx,ebx
00401B04 |. 74 09 je short CM201403.00401B0F
00401B06 |. 53 push ebx
00401B07 |. E8 87180000 call CM201403.00403393
00401B0C |. 83C4 04 add esp,0x4
00401B0F |> 58 pop eax
00401B10 |. 8945 F8 mov [local.2],eax
00401B13 |. 6A 00 push 0x0
00401B15 |. 6A 00 push 0x0
00401B17 |. 6A 00 push 0x0
00401B19 |. 68 04000080 push 0x80000004
00401B1E |. 6A 00 push 0x0
00401B20 |. 68 2A6D4700 push CM201403.00476D2A
00401B25 |. 68 04000080 push 0x80000004
00401B2A |. 6A 00 push 0x0
00401B2C |. 8B45 F8 mov eax,[local.2]
00401B2F |. 85C0 test eax,eax
00401B31 |. 75 05 jnz short CM201403.00401B38
00401B33 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401B38 |> 50 push eax
00401B39 |. 68 03000000 push 0x3
00401B3E |. BB 70384000 mov ebx,CM201403.00403870
00401B43 |. E8 5D180000 call CM201403.004033A5
00401B48 |. 83C4 28 add esp,0x28
00401B4B |. 8945 E8 mov [local.6],eax
00401B4E |. 8B45 E8 mov eax,[local.6]
00401B51 |. 50 push eax
00401B52 |. 8B5D F4 mov ebx,[local.3]
00401B55 |. 53 push ebx
00401B56 |. 8B0B mov ecx,dword ptr ds:[ebx]
00401B58 |. 83C3 04 add ebx,0x4
00401B5B |. 85C9 test ecx,ecx
00401B5D |. 74 11 je short CM201403.00401B70
00401B5F |. 8B03 mov eax,dword ptr ds:[ebx]
00401B61 |> 83C3 04 /add ebx,0x4
00401B64 |. 49 |dec ecx
00401B65 |. 74 05 |je short CM201403.00401B6C
00401B67 |. 0FAF03 |imul eax,dword ptr ds:[ebx]
00401B6A |.^ EB F5 \jmp short CM201403.00401B61
00401B6C |> 8BC8 mov ecx,eax
00401B6E |. 85C9 test ecx,ecx
00401B70 |> 0F84 19000000 je CM201403.00401B8F
00401B76 |> 51 /push ecx
00401B77 |. 8B03 |mov eax,dword ptr ds:[ebx]
00401B79 |. 85C0 |test eax,eax
00401B7B |. 74 0B |je short CM201403.00401B88
00401B7D |. 53 |push ebx
00401B7E |. 50 |push eax
00401B7F |. E8 0F180000 |call CM201403.00403393
00401B84 |. 83C4 04 |add esp,0x4
00401B87 |. 5B |pop ebx
00401B88 |> 83C3 04 |add ebx,0x4
00401B8B |. 59 |pop ecx
00401B8C |. 49 |dec ecx
00401B8D |.^ 75 E7 \jnz short CM201403.00401B76
00401B8F |> E8 FF170000 call CM201403.00403393
00401B94 |. 83C4 04 add esp,0x4
00401B97 |. 58 pop eax
00401B98 |. 8945 F4 mov [local.3],eax
00401B9B |. 8B5D F4 mov ebx,[local.3]
00401B9E |. E8 61F4FFFF call CM201403.00401004
00401BA3 |. B8 00000000 mov eax,0x0
00401BA8 |. 3BC1 cmp eax,ecx
00401BAA /7C 0D jl short CM201403.00401BB9
00401BAC |. |68 01000000 push 0x1
00401BB1 |. |E8 F5170000 call CM201403.004033AB
00401BB6 |. |83C4 04 add esp,0x4
00401BB9 |> \C1E0 02 shl eax,0x2
//00401BAA /7C 0D jl short CM201403.00401BB9: if it does not jump here, it reports that tampering with the program was detected; change it to jmp and keep single-stepping
00401BBC |. 03D8 add ebx,eax
00401BBE |. 895D E8 mov [local.6],ebx
00401BC1 |. 68 04000080 push 0x80000004
00401BC6 |. 6A 00 push 0x0
00401BC8 |. A1 20EA4900 mov eax,dword ptr ds:[0x49EA20]
00401BCD |. 85C0 test eax,eax
00401BCF |. 75 05 jnz short CM201403.00401BD6
00401BD1 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401BD6 |> 50 push eax
00401BD7 |. 68 04000080 push 0x80000004
00401BDC |. 6A 00 push 0x0
00401BDE |. 8B5D E8 mov ebx,[local.6]
00401BE1 |. 8B03 mov eax,dword ptr ds:[ebx]
00401BE3 |. 85C0 test eax,eax
00401BE5 |. 75 05 jnz short CM201403.00401BEC
00401BE7 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401BEC |> 50 push eax
00401BED |. 68 02000000 push 0x2
00401BF2 |. B8 01000000 mov eax,0x1
00401BF7 |. BB C0AD4400 mov ebx,CM201403.0044ADC0
00401BFC E8 B0170000 call CM201403.004033B1 ; the program dies right here and just exits; whatever this thing is, just NOP it out and keep running
Continuing:
00401C48 |. BB 20374000 mov ebx,CM201403.00403720
00401C4D E8 53170090 call 904033A5 ; dies here again, NOP it out
00401C52 |. 83C4 34 add esp,0x34
00401C55 |. 8945 E0 mov [local.8],eax
00401C58 |. 8B5D E4 mov ebx,[local.7]
00401C5B |. 85DB test ebx,ebx
00401C5D |. 74 09 je short CM201403.00401C68
00401C5F |. 53 push ebx
00401C60 |. E8 2E170000 call CM201403.00403393
00401C65 |. 83C4 04 add esp,0x4
00401C68 |> 8B45 E0 mov eax,[local.8]
00401C6B |. 8945 F0 mov [local.4],eax
00401C6E |. DB05 14EA4900 fild dword ptr ds:[0x49EA14]
00401C74 |. DD5D E4 fstp qword ptr ss:[ebp-0x1C]
00401C77 |. DD45 E4 fld qword ptr ss:[ebp-0x1C]
00401C7A |. DB45 F0 fild [local.4]
00401C7D |. DD5D DC fstp qword ptr ss:[ebp-0x24]
00401C80 |. DC45 DC fadd qword ptr ss:[ebp-0x24]
00401C83 |. DD5D D4 fstp qword ptr ss:[ebp-0x2C]
00401C86 |. DD45 D4 fld qword ptr ss:[ebp-0x2C]
00401C89 |. E8 2DFAFFFF call CM201403.004016BB
00401C8E |. A3 14EA4900 mov dword ptr ds:[0x49EA14],eax
00401C93 |. 8B5D F4 mov ebx,[local.3]
00401C96 |. E8 69F3FFFF call CM201403.00401004
00401C9B |. B8 02000000 mov eax,0x2
00401CA0 |. 3BC1 cmp eax,ecx
Continuing:
00401CA2 /7C 0D jl short CM201403.00401CB1 ; change this to jmp
00401CA4 |. |68 01000000 push 0x1
00401CA9 |. |E8 FD160000 call CM201403.004033AB
00401CAE |. |83C4 04 add esp,0x4
00401CB1 |> \C1E0 02 shl eax,0x2
00401CB4 |. 03D8 add ebx,eax
00401CB6 |. 895D E8 mov [local.6],ebx
00401CB9 |. FF35 20EA4900 push dword ptr ds:[0x49EA20]
00401CBF |. FF35 1CEA4900 push dword ptr ds:[0x49EA1C]
00401CC5 |. B9 02000000 mov ecx,0x2
00401CCA |. E8 F3F8FFFF call CM201403.004015C2
00401CCF |. 83C4 08 add esp,0x8
00401CD2 |. 8945 E4 mov [local.7],eax
00401CD5 |. 68 01030080 push 0x80000301
00401CDA |. 6A 00 push 0x0
00401CDC |. 68 10000000 push 0x10
00401CE1 |. 68 04000080 push 0x80000004
00401CE6 |. 6A 00 push 0x0
00401CE8 |. 8B45 E4 mov eax,[local.7]
00401CEB |. 85C0 test eax,eax
00401CED |. 75 05 jnz short CM201403.00401CF4
00401CEF |. B8 C06C4700 mov eax,CM201403.00476CC0
00401CF4 |> 50 push eax
00401CF5 |. 68 02000000 push 0x2
00401CFA |. BB 80354000 mov ebx,CM201403.00403580
00401CFF |. E8 A1160000 call CM201403.004033A5
00401D04 |. 83C4 1C add esp,0x1C
00401D07 |. 8945 E0 mov [local.8],eax
00401D0A |. 8B5D E4 mov ebx,[local.7]
00401D0D |. 85DB test ebx,ebx
00401D0F |. 74 09 je short CM201403.00401D1A
00401D11 |. 53 push ebx
00401D12 |. E8 7C160000 call CM201403.00403393
00401D17 |. 83C4 04 add esp,0x4
00401D1A |> 68 04000080 push 0x80000004
00401D1F |. 6A 00 push 0x0
00401D21 |. 8B45 E0 mov eax,[local.8]
00401D24 |. 85C0 test eax,eax
00401D26 |. 75 05 jnz short CM201403.00401D2D
00401D28 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401D2D |> 50 push eax
00401D2E |. 68 04000080 push 0x80000004
00401D33 |. 6A 00 push 0x0
00401D35 |. 8B5D E8 mov ebx,[local.6]
00401D38 |. 8B03 mov eax,dword ptr ds:[ebx]
00401D3A |. 85C0 test eax,eax
00401D3C |. 75 05 jnz short CM201403.00401D43
00401D3E |. B8 C06C4700 mov eax,CM201403.00476CC0
00401D43 |> 50 push eax
00401D44 |. 68 02000000 push 0x2
00401D49 |. B8 01000000 mov eax,0x1
00401D4E |. BB C0AD4400 mov ebx,CM201403.0044ADC0
Continuing:
00401D53 E8 59160000 call CM201403.004033B1 ; dies, NOP it out
00401D58 |. 83C4 1C add esp,0x1C
00401D5B |. 8945 DC mov [local.9],eax
00401D5E |. 8B5D E0 mov ebx,[local.8]
00401D61 |. 85DB test ebx,ebx
00401D63 |. 74 09 je short CM201403.00401D6E
00401D65 |. 53 push ebx
00401D66 |. E8 28160000 call CM201403.00403393
00401D6B |. 83C4 04 add esp,0x4
00401D6E |> 68 02000080 push 0x80000002
00401D73 |. 6A 00 push 0x0
00401D75 |. 68 00000000 push 0x0
00401D7A |. 6A 00 push 0x0
00401D7C |. 6A 00 push 0x0
00401D7E |. 6A 00 push 0x0
00401D80 |. 68 04000080 push 0x80000004
00401D85 |. 6A 00 push 0x0
00401D87 |. A1 20EA4900 mov eax,dword ptr ds:[0x49EA20]
00401D8C |. 85C0 test eax,eax
00401D8E |. 75 05 jnz short CM201403.00401D95
00401D90 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401D95 |> 50 push eax
00401D96 |. 68 04000080 push 0x80000004
00401D9B |. 6A 00 push 0x0
00401D9D |. 8B45 DC mov eax,[local.9]
00401DA0 |. 85C0 test eax,eax
00401DA2 |. 75 05 jnz short CM201403.00401DA9
00401DA4 |. B8 C06C4700 mov eax,CM201403.00476CC0
00401DA9 |> 50 push eax
00401DAA |. 68 04000000 push 0x4
00401DAF |. BB 20374000 mov ebx,CM201403.00403720
00401DB4 E8 EC150090 call 904033A5 ; dies, NOP it out
Continuing:
00401DB9 |. 83C4 34 add esp,0x34
00401DBC |. 8945 D8 mov [local.10],eax
00401DBF |. 8B5D DC mov ebx,[local.9]
00401DC2 |. 85DB test ebx,ebx
00401DC4 |. 74 09 je short CM201403.00401DCF
00401DC6 |. 53 push ebx
00401DC7 |. E8 C7150000 call CM201403.00403393
00401DCC |. 83C4 04 add esp,0x4
00401DCF |> 8B45 D8 mov eax,[local.10]
00401DD2 |. 8945 EC mov [local.5],eax
00401DD5 |. DB05 14EA4900 fild dword ptr ds:[0x49EA14]
00401DDB |. DD5D E4 fstp qword ptr ss:[ebp-0x1C]
00401DDE |. DD45 E4 fld qword ptr ss:[ebp-0x1C]
00401DE1 |. DB45 EC fild [local.5]
00401DE4 |. DD5D DC fstp qword ptr ss:[ebp-0x24]
00401DE7 |. DC45 DC fadd qword ptr ss:[ebp-0x24]
00401DEA |. DC05 2C6D4700 fadd qword ptr ds:[0x476D2C]
00401DF0 |. DD5D D4 fstp qword ptr ss:[ebp-0x2C]
00401DF3 |. DD45 D4 fld qword ptr ss:[ebp-0x2C]
00401DF6 |. E8 C0F8FFFF call CM201403.004016BB
00401DFB A3 14EA4900 mov dword ptr ds:[0x49EA14],eax ; this stores how many questions are set; change eax straight to 0A, i.e. decimal 10
00401E00 837D F0 01 cmp dword ptr ss:[ebp-0x10],0x1
00401E04 0F9090 909090>seto byte ptr ds:[eax+0x68909090]
Continuing:
00401DFB C705 14EA4900>mov dword ptr ds:[0x49EA14],0xA
00401E05 90 nop
00401E06 90 nop
00401E07 90 nop
00401E08 90 nop
00401E09 90 nop
00401E0A 90 nop
00401E0B |? 04 00 add al,0x0
00401E0D |? 0080 6A006834 add byte ptr ds:[eax+0x3468006A],al
00401E13 |? 6D ins dword ptr es:[edi],dx
00401E14 |? 47 inc edi
00401E15 |? 0068 01 add byte ptr ds:[eax+0x1],ch
00401E18 |? 0300 add eax,dword ptr ds:[eax]
00401E1A |? 806A 00 68 sub byte ptr ds:[edx],0x68
00401E1E |? 0000 add byte ptr ds:[eax],al
00401E20 |? 0000 add byte ptr ds:[eax],al
00401E22 |. 68 04000080 push 0x80000004
00401E27 |. 6A 00 push 0x0
00401E29 |. 68 3D6D4700 push CM201403.00476D3D ;
00401E2E |. 68 03000000 push 0x3
00401E33 |. BB 303D4000 mov ebx,CM201403.00403D30
00401E38 |. E8 68150000 call CM201403.004033A5 ; this is where it reports successful registration
00401E3D |. 83C4 28 add esp,0x28
00401E40 |> 837D EC 01 cmp [local.5],0x1
Continuing:
00401EC4 /0F85 36000000 jnz CM201403.00401F00
00401ECA |. |68 04000080 push 0x80000004
00401ECF |. |6A 00 push 0x0
00401ED1 |. |68 346D4700 push CM201403.00476D34
00401ED6 |. |68 01030080 push 0x80000301
00401EDB |. |6A 00 push 0x0
00401EDD |. |68 00000000 push 0x0
00401EE2 |. |68 04000080 push 0x80000004
00401EE7 |. |6A 00 push 0x0
00401EE9 |. |68 3D6D4700 push CM201403.00476D3D
00401EEE |. |68 03000000 push 0x3
00401EF3 |. |BB 303D4000 mov ebx,CM201403.00403D30
00401EF8 |. |E8 A8140000 call CM201403.004033A5
00401EFD |. |83C4 28 add esp,0x28
00401F00 |> \8B5D F4 mov ebx,[local.3]
00401F03 |. E8 FCF0FFFF call CM201403.00401004
00401F08 |. B8 01000000 mov eax,0x1
00401F0D |. 3BC1 cmp eax,ecx
00401F0F EB 0D jl short CM201403.00401F1E ; jmp, make it jump over
00401F11 |. 68 01000000 push 0x1
00401F16 |. E8 90140000 call CM201403.004033AB
00401F1B |. 83C4 04 add esp,0x4
00401F1E |> C1E0 02 shl eax,0x2
00401F21 |. 03D8 add ebx,eax
00401F23 |. 895D E8 mov [local.6],ebx
00401F26 |. FF35 20EA4900 push dword ptr ds:[0x49EA20]
00401F2C |. FF35 1CEA4900 push dword ptr ds:[0x49EA1C]
00401F32 |. B9 02000000 mov ecx,0x2
00401F37 |. E8 86F6FFFF call CM201403.004015C2
Continuing:
00401FB6 |. B8 01000000 mov eax,0x1
00401FBB |. BB C0AD4400 mov ebx,CM201403.0044ADC0
00401FC0 E8 EC130000 call CM201403.004033B1 ; dies, NOP it out. This one is different: I really could not find the "registration successful" text, so I used patched data instead, changing this to mov eax,0x47593F and patching the string 注册成功 ("registration successful") in at 0x47593F 0.0. Spent a whole hour just looking for that string and never found it
Really had no other choice, so no holds barred 0.0
00401FC5 |. 83C4 1C add esp,0x1C
00401FC8 |. 8945 DC mov [local.9],eax
00401FCB |. 8B5D E0 mov ebx,[local.8]
----------------------------------
Patch data
In the data window, go to 0x47593F
Binary edit: 注册成功 ("registration successful") 0.0
Then the whole program is OK.
--------------------------------------------------------------------------------
[Lessons learned]
Although patching this CM took 4 hours, I learned a lot from it 0.0. This write-up isn't great; I hope the experts crack this program soon so that newbies like us can study their approach.
--------------------------------------------------------------------------------
[Copyright]: This article was written by 书生; when reposting, please credit the author and keep the article intact, thanks!
March 10, 2014, 23:27:10