This post was last edited by 海天一色001 on 2019-4-28 09:57
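CM number 21. Judging from the icon it should be Delphi again. Open the program and take a look:
This time there is one user name and two passwords. First try different combinations: Name="52pojie", Serial 1="12345", Serial 2="67890":
Entering nothing, only Name, Name/Serial 1, or Name/Serial 2 all pop up the "Fill all boxes first dumb!" message;
entering Name/Serial 1/Serial 2 gives the "Nice try...but is incorrect...Dumb.." message.
Good, now we have the error messages.
First check for a packer: no packer, written in Delphi.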
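Step 1: Patching
Load Cabeca.exe in OD. As usual, use the smart search to look for strings; last time nothing was found, so try again this time:
Scroll down almost to the bottom of the window and there they are: not only the error messages but also the success message!
Double-click the success message line at 0042D4D6 to return to the CPU window:
The previous instruction at 0042D4D4 jumps to 0042D4E5, which skips right over the success message, so it must be a jump to failure; the call just before the jump, judging from experience, should be the one that checks whether the serial is correct, and because it is not correct the code jumps away.
Clicking the line at 0042D4E5, the info pane shows "Jumps from 0042D477, 0042D480, 0042D4AA, 0042D4D4", so why not follow these 4 addresses and nop them out?
Right-click in the info pane and first go to the first address, 0042D477:
This one is very close to 0042D480; nop both of them:
Then go down to 0042D4AA and 0042D4D4 and nop those as well, save all the modifications as the executable Cabeca_nop.exe, and run the resulting nop program. Wrong! It shows success only when all three text boxes are filled in; otherwise it shows failure!
Looking at this code again, I feel that 0042D3C4 to 0042D5AC should be the button event code. Going down step by step, there is a comparison at 0042D3DE; my guess is that when nothing is entered, ds:[0x42F714]=0 here, so it goes to the first error message. Continuing down to 0042D46B, jmp Cabeca.0042D58A jumps over the success path and keeps the program in the failed state.
So I felt this instruction should be nopped too! Saving the modified code as Cabeca_nop1.exe and running it, it first pops up the error message; after dismissing it the three text boxes are cleared and at the same time the success message pops up!!
Back in OD, looking carefully at the code at the three messages, each one is followed by a call Cabeca.0042CA8C after the message is loaded. My guess is that this call is what pops up the message box, so modify once more and see: nop it out at 0042D431 as well:
Run the saved Cabeca_nop2.exe; this time it finally succeeds!
But this kind of modification is too much trouble, and one slip causes an error! I saw just now that 0042D3D5 jumps conditionally to the error message, so why not use a jmp to go straight to the success message?
Do it right away: the instruction that reads the success message is at 0042D4D6, so change je short 0042D42C here to jmp 0042D4D6 and save it as the executable Cabeca_jmp.exe.
Run it: this time it succeeds whatever is entered!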
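Step 2: Finding the serial
A Delphi program still calls for Darkde4. It quickly shows two events, an Edit1Keypress event and a Button1Click event; the Button1Click event starts at 0042D3C4, the same as I judged while patching.
Double-click this line to enter the decompile window and take a rough look; the comments there label all the controls.
In DarkDe4 choose the export to IDA/Softice option,
click to create the export file, then go back to OD and import the file just created with the mapimp plugin; nothing much seems to happen.
Ctrl+G to the start address of Button1Click, 0042D3C4, and the Darkde4 content immediately shows up in the comments. Good! That makes the analysis much easier.
Double-click to set a breakpoint at 0042D3C4, reload the program, F9 to run, enter Name="52pojie", Serial1="12345", Serial2="67890", click the button, and the program breaks; F8 to single-step downward,
After running this code over and over in OD and making quite a few mistakes, I slowly worked out what some of the calls and a few data locations do. I put labels at the call addresses and, together with the labels and comments loaded from DeDe4, got a clearer picture of how the program runs. It is basically a fairly simple flow: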
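The program first checks whether the Name text box is empty; if it is, it shows "Fill all boxes first dumb!", clears the three text boxes and waits for new input;
if not, it checks whether Serial1 is empty; if it is, it shows "Fill all boxes first dumb!", clears the three text boxes and waits for new input;
if not, it checks whether Serial2 is empty; if it is, it shows "Fill all boxes first dumb!", clears all three text boxes and waits for new input;
if not, it jumps to the check of whether Serial1 and Serial2 are 0; if either Serial is 0 it shows "Nice try...but is incorrect...Dumb..", clears the text boxes and waits for new input;
if neither is 0, it checks whether the entered Serial1 and Serial2 are correct; if either Serial is wrong it shows "Nice try...but is incorrect...Dumb..", clears the text boxes and waits for new input;
only when both Serials are correct does it show "Hmmm.... Cracked... Congratulations idiot! :-)".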
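Based on the analysis I also worked out what some of the calls and data locations do and gave them labels. THintWindow._PROC_00419DE0() fills in the text box content, basically whatever was entered, and is labelled SetTEdit(Strings); THintWindow._PROC_00419E10() clears the text box, and as I did not know how to write that in English I labelled it "清零文本框" (clear text box) directly; 0042CA8C was labelled LoadStr, but after a few runs I found that it pops up the message box rather than only loading a string, so I later changed it to Showmsgbox; the call at 00406550 converts a number to a string, but at first I thought the Sn was computed here, so the label was GETSn, later changed to InttoStr; the call starting at 004038D0 compares strings, for which CmpStr would be better, and I simply used the label IsorNot; ds:[0x42F714] and ds:[0x42F718] store the real codes for Serial1 and Serial2, and so on.
How the program runs is now very clear: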
[Asm]
0042D3C4 <Cabec>/. 55 push ebp ; <-TForm1@Button1Click
.......
0042D3DE |. 833D 14F74200 00 cmp dword ptr ds:[0x42F714],0x0 ; cmp([0x42F714],0): [0x42F714] and [0x42F718] appear frequently
0042D3E5 74 45 je short Cabeca.0042D42C ; fail
0042D3E7 833D 18F74200 00 cmp dword ptr ds:[0x42F718],0x0 ; cmp([0x42F718],0); after several runs it is clear that [714]=Serial1, [718]=Serial2
0042D3EE |. 74 3C je short Cabeca.0042D42C
0042D3F0 |. 8D55 FC lea edx,[local.1]
0042D3F3 <Cabec>|. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; *Edit1:TEdit
0042D3F9 <Cabec>|. E8 E2C9FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
0042D3FE |. 837D FC 00 cmp [local.1],0x0 ; is Name empty?
0042D402 |. 74 28 je short Cabeca.0042D42C
0042D404 |. 8D55 F8 lea edx,[local.2]
0042D407 <Cabec>|. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] ; *Edit2:TEdit
0042D40D <Cabec>|. E8 CEC9FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
0042D412 |. 837D F8 00 cmp [local.2],0x0 ; is Serial1 empty?
0042D416 |. 74 14 je short Cabeca.0042D42C
0042D418 |. 8D55 F4 lea edx,[local.3]
0042D41B <Cabec>|. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] ; *Edit3:TEdit
0042D421 <Cabec>|. E8 BAC9FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
0042D426 |. 837D F4 00 cmp [local.3],0x0 ; is Serial2 empty?
0042D42A 75 44 jnz short Cabeca.0042D470
0042D42C |> B8 C4D54200 mov eax,Cabeca.0042D5C4 ; Fill all boxes first dumb!
0042D431 <Cabec>|. E8 56F6FFFF call <Cabeca.LoadStr> ; loads the string, then pops up the message box
0042D436 |. 33C0 xor eax,eax
0042D438 |. A3 14F74200 mov dword ptr ds:[0x42F714],eax ; [0x42F714]=0
0042D43D |. 33C0 xor eax,eax
0042D43F |. A3 18F74200 mov dword ptr ds:[0x42F718],eax ; [0x42F718]=0
0042D444 |. 33D2 xor edx,edx
0042D446 <Cabec>|. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; *Edit1:TEdit
0042D44C <Cabec>|. E8 BFC9FEFF call <Cabeca.清零文本框> ; ->:THintWindow._PROC_00419E10() sets the text box content
0042D451 |. 33D2 xor edx,edx
0042D453 <Cabec>|. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] ; *Edit2:TEdit
0042D459 <Cabec>|. E8 B2C9FEFF call <Cabeca.清零文本框> ; ->:THintWindow._PROC_00419E10()
0042D45E |. 33D2 xor edx,edx
0042D460 <Cabec>|. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] ; *Edit3:TEdit
0042D466 <Cabec>|. E8 A5C9FEFF call <Cabeca.清零文本框> ; ->:THintWindow._PROC_00419E10() guess: the code above clears the three edits
0042D46B |. E9 1A010000 jmp Cabeca.0042D58A
0042D470 |> 833D 14F74200 00 cmp dword ptr ds:[0x42F714],0x0 ; cmp([0x42F714],0)
0042D477 |. 74 6C je short Cabeca.0042D4E5
0042D479 |. 833D 18F74200 00 cmp dword ptr ds:[0x42F718],0x0 ; cmp([0x42F718],0)
0042D480 |. 74 63 je short Cabeca.0042D4E5
0042D482 |. 8D55 F0 lea edx,[local.4] ; [edx]=[local.4]
0042D485 |. A1 14F74200 mov eax,dword ptr ds:[0x42F714] ; [eax]=[0x42F714]=0x9B69E
0042D48A |. E8 C190FDFF call <Cabeca.GETSn> ; this call should be the one that computes Serial1
0042D48F |. 8B45 F0 mov eax,[local.4] ; gets the real code 636574 (decimal)
0042D492 |. 50 push eax
0042D493 |. 8D55 FC lea edx,[local.1]
0042D496 <Cabec>|. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] ; *Edit2:TEdit
0042D49C <Cabec>|. E8 3FC9FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
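0042D4A1 |. 8B55 FC mov edx,[local.1] ; the entered (fake) Serial1
0042D4A4 |. 58 pop eax ; Serial1 computed by the program
0042D4A5 |. E8 2664FDFF call <Cabeca.ISorNOT> ; this call should be where the real and fake codes are compared: no jump if real, jump to failure if fake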
0042D4AA |. 75 39 jnz short Cabeca.0042D4E5
0042D4AC |. 8D55 F0 lea edx,[local.4]
0042D4AF |. A1 18F74200 mov eax,dword ptr ds:[0x42F718] ; [0x42F718]=real code for Serial2
0042D4B4 |. E8 9790FDFF call <Cabeca.GETSn>
0042D4B9 |. 8B45 F0 mov eax,[local.4]
0042D4BC |. 50 push eax
0042D4BD |. 8D55 FC lea edx,[local.1]
0042D4C0 <Cabec>|. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] ; *Edit3:TEdit
0042D4C6 <Cabec>|. E8 15C9FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
0042D4CB |. 8B55 FC mov edx,[local.1]
0042D4CE |. 58 pop eax ; 0012FA98
0042D4CF |. E8 FC63FDFF call <Cabeca.ISorNOT>
0042D4D4 75 0F jnz short Cabeca.0042D4E5
0042D4D6 |. B8 E8D54200 mov eax,Cabeca.0042D5E8 ; Hmmm.... Cracked... Congratulations idiot! :-)
0042D4DB <Cabec>|. E8 ACF5FFFF call <Cabeca.LoadStr> ; ->:TMessageForm._PROC_0042CA8C()
0042D4E0 |. E9 A5000000 jmp Cabeca.0042D58A ; pops up the message box
0042D4E5 |> 833D 14F74200 00 cmp dword ptr ds:[0x42F714],0x0
0042D4EC |. 74 33 je short Cabeca.0042D521
0042D4EE |. 833D 18F74200 00 cmp dword ptr ds:[0x42F718],0x0
0042D4F5 |. 74 2A je short Cabeca.0042D521
0042D4F7 |. 8D55 F0 lea edx,[local.4]
0042D4FA |. A1 14F74200 mov eax,dword ptr ds:[0x42F714]
0042D4FF |. E8 4C90FDFF call <Cabeca.GETSn>
0042D504 |. 8B45 F0 mov eax,[local.4]
0042D507 |. 50 push eax
0042D508 |. 8D55 FC lea edx,[local.1]
0042D50B <Cabec>|. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] ; *Edit2:TEdit
0042D511 <Cabec>|. E8 CAC8FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
0042D516 |. 8B55 FC mov edx,[local.1]
0042D519 |. 58 pop eax ; 0012FA98
0042D51A |. E8 B163FDFF call <Cabeca.ISorNOT>
0042D51F 75 2A jnz short Cabeca.0042D54B
0042D521 |> 8D55 F0 lea edx,[local.4]
0042D524 |. A1 18F74200 mov eax,dword ptr ds:[0x42F718]
0042D529 |. E8 2290FDFF call <Cabeca.GETSn>
0042D52E |. 8B45 F0 mov eax,[local.4]
0042D531 |. 50 push eax
0042D532 |. 8D55 FC lea edx,[local.1]
0042D535 <Cabec>|. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] ; *Edit3:TEdit
0042D53B <Cabec>|. E8 A0C8FEFF call <Cabeca.SetTEdit(Strings)> ; ->:THintWindow._PROC_00419DE0()
0042D540 |. 8B55 FC mov edx,[local.1]
0042D543 |. 58 pop eax ; 0012FA98
0042D544 |. E8 8763FDFF call <Cabeca.ISorNOT>
0042D549 74 3F je short Cabeca.0042D58A
0042D54B |> B8 20D64200 mov eax,Cabeca.0042D620 ; Nice try... but is incorrect... Dumb..
0042D550 <Cabec>|. E8 37F5FFFF call <Cabeca.LoadStr> ; ->:TMessageForm._PROC_0042CA8C()
0042D555 |. 33C0 xor eax,eax
0042D557 A3 14F74200 mov dword ptr ds:[0x42F714],eax ; clear ds:[0x42F714]
0042D55C |. 33C0 xor eax,eax
0042D55E |. A3 18F74200 mov dword ptr ds:[0x42F718],eax ; clear ds:[0x42F718]
0042D563 |. 33D2 xor edx,edx
0042D565 <Cabec>|. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; *Edit1:TEdit
0042D56B <Cabec>|. E8 A0C8FEFF call <Cabeca.清零文本框> ; ->:THintWindow._PROC_00419E10()
0042D570 |. 33D2 xor edx,edx
0042D572 <Cabec>|. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4] ; *Edit2:TEdit
0042D578 <Cabec>|. E8 93C8FEFF call <Cabeca.清零文本框> ; ->:THintWindow._PROC_00419E10()
0042D57D |. 33D2 xor edx,edx
0042D57F <Cabec>|. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC] ; *Edit3:TEdit
0042D585 <Cabec>|. E8 86C8FEFF call <Cabeca.清零文本框> ; ->:THintWindow._PROC_00419E10()
0042D58A |> 33C0 xor eax,eax
0042D58C |. 5A pop edx ; 0012FA98
0042D58D |. 59 pop ecx ; 0012FA98
0042D58E |. 59 pop ecx ; 0012FA98
0042D58F |. 64:8910 mov dword ptr fs:[eax],edx
0042D592 |. 68 B4D54200 push Cabeca.0042D5B4
0042D597 |> 8D45 F0 lea eax,[local.4]
0042D59A |. E8 A55FFDFF call Cabeca.00403544
0042D59F |. 8D45 F4 lea eax,[local.3]
0042D5A2 |. BA 03000000 mov edx,0x3
0042D5A7 |. E8 BC5FFDFF call Cabeca.00403568
0042D5AC \. C3 retn
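The code above is the button event code. At first I thought the serial was computed from Name in this event, but later I found that ds:[0x42F714] and ds:[0x42F718] store the real codes for Serial1 and Serial2, and they are already there at the very start of the button event:
Reload the program in OD, F9 to run, enter Name="52pojie", Serial1="12345", Serial2="67890", click the button, and the program breaks at the start of the button event, 0042D3C4. Clicking the lines 0042D3DE and 0042D3E7 in turn, the info pane already shows ds:[0042F714]=0009B69E and ds:[0042F718]=0008E908; these two values are exactly the computed serials in hexadecimal.
So the serial computation can only be looked for in the key event!
Darkde4 shows the key event starting at 0042CE30; Ctrl+G there and set a breakpoint, and disable the original breakpoint first,
Reload the program, F9 to run, and as soon as a "5" is typed into the Name box the program breaks. F8 to single-step: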
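In this section edx holds the entered character; the first instruction clears eax;
the second instruction takes the hexadecimal ASCII value 35 of the entered character "5";
the third, fourth and fifth instructions restrict the hexadecimal ASCII value of the entered character to the range 0x8-0x7A; anything beyond returns directly and requires the character to be entered again. Here 0x35-0x8=0x2D and 0x2D<0x72, so the fifth instruction does not jump and execution goes on to the next one;
the sixth instruction takes [dl]=ds:[(0x2D+0x42CE4D=)0x42CE7A]=0x0;
the seventh instruction, jmp dword ptr ds:[(edx*4+0x42CEC0=)0x42CEC0], retns to 0041CC75; F8 on to the next instruction, another retn, this time returning to 0041CCC7;
Patiently carrying on downward and carefully commenting these instructions, it is retn all the way into system code; keep pressing F8. Good, it comes back out; keep going until 00428589, which jumps back to 0042857A, forming a small endless loop that cannot be left!
With no other choice I pressed F9 once; OD shows "Running". Clicking Cabeca.exe, the program window appears with the cursor blinking after the "5". Type "2" and go through it all again, ending up once more in the endless loop at 0042857A~00428589. Why can't I find the place where ds:[0042F714] and ds:[0042F718] are assigned?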
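F9 again, type "p", F8 to single-step; this time it jumps to 0042D0B5, and there are ds:[0042F714] and ds:[0042F718]!
At this point the info pane shows ds:[0042F714]=0; F8 to execute, click this line again, and ds:[0042F714]=0x9A670;
on the next line the info pane shows ds:[0042F718]=0; F8 to execute, click this line again, and ds:[0042F718]=0x8C7F3;
Further down, retn to 0041CC75, F8 on to the next instruction, another retn, and once more into the endless loop at 0042857A~00428589; F9 again to continue!
In this way the complete "52pojie", 5 characters, was entered, and the endless loop was hit 5 times! Probably because of debugging. As a result of this looping, the contents stored in the two data locations changed each time: after entering the 4 letters "o, j, i, e", the values of ds:[0042F714] and ds:[0042F718] were 0x9A6FE/0x8E51F, 0x9AE62/0x8E897, 0x9B29E/0x8E8FA and 0x9B69E/0x8E908 respectively, and the last two values converted to decimal are Serial1 and Serial2!
The key event is very simple. First it checks each entered character: when Asc(Name) is less than 0x8 input proceeds normally and nothing is computed; when Asc(Name) is greater than 0x7A it goes back to the input box; characters that meet the condition are accumulated into the two variables ds:[0042F714] and ds:[0042F718]. The adding is probably done with an array or a selection (select case); there are a lot of cases, which is a nuisance!
The keygen is written in VB; it does not use the keypress event and does the computation directly in the button event. The source is as follows:
[Visual Basic]
Option Explicit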
Private Sub Command1_Click()
Dim UserName As String
Dim Serial1, Serial2, i, n As Integer
Dim NameOne()
UserName = Text1.Text
ReDim NameOne(1 To Len(UserName))
For n = 1 To Len(UserName)
NameOne(n) = Mid(UserName, n, 1)
i = Asc(NameOne(n))
Select Case i
Case &H61
Serial1 = Serial1 + &H427
Serial2 = Serial2 + &H79
Case &H62
Serial1 = Serial1 + &H6BC
Serial2 = Serial2 + &H6F
Case &H63
Serial1 = Serial1 + &H491
Serial2 = Serial2 + &H2E2
Case &H64
Serial1 = Serial1 + &H474D
Serial2 = Serial2 + &H2FA
Case &H65
Serial1 = Serial1 + &H400
Serial2 = Serial2 + &HE
Case &H66
Serial1 = Serial1 + &H6D0
Serial2 = Serial2 + &HD
Case &H67
Serial1 = Serial1 + &H67D
Serial2 = Serial2 + &HC
Case &H68
Serial1 = Serial1 + &H750
Serial2 = Serial2 + &HB
Case &H69
Serial1 = Serial1 + &H43C
Serial2 = Serial2 + &H63
Case &H6A
Serial1 = Serial1 + &H764
Serial2 = Serial2 + &H378
Case &H6B
Serial1 = Serial1 + &HC0
Serial2 = Serial2 + &H4D
Case &H6C
Serial1 = Serial1 + &H277D
Serial2 = Serial2 + &H22B
Case &H6D
Serial1 = Serial1 + &H81E
Serial2 = Serial2 + &H5A
Case &H6E
Serial1 = Serial1 + &HE07
Serial2 = Serial2 + &H62
Case &H6F
Serial1 = Serial1 + &H8E
Serial2 = Serial2 + &H1D2C
Case &H70
Serial1 = Serial1 + &H9A670
Serial2 = Serial2 + &H8C7F3
Case &H71
Serial1 = Serial1 + &HD57
Serial2 = Serial2 + &H288
Case &H72
Serial1 = Serial1 + &H5FEB
Serial2 = Serial2 + &H21A
Case &H73
Serial1 = Serial1 + &H8B0
Serial2 = Serial2 + &H1
Case &H74
Serial1 = Serial1 + &H4BB
Serial2 = Serial2 + &H40
Case &H75
Serial1 = Serial1 + &H8C2
Serial2 = Serial2 + &H4B
Case &H76
Serial1 = Serial1 + &H1CA6
Serial2 = Serial2 + &H4E
Case &H78
Serial1 = Serial1 + &H395
Serial2 = Serial2 + &H26
Case &H77
Serial1 = Serial1 + &H251E
Serial2 = Serial2 + &H5
Case &H79
Serial1 = Serial1 + &H2D13
Serial2 = Serial2 + &H8
Case &H7A
Serial1 = Serial1 + &H1900
Serial2 = Serial2 + &H1C8
Case &H41
Serial1 = Serial1 + &H428
Serial2 = Serial2 + &H1610
Case &H42
Serial1 = Serial1 + &HB1630
Serial2 = Serial2 + &H2
Case &H43
Serial1 = Serial1 + &HD86
Serial2 = Serial2 + &H270F
Case &H44
Serial1 = Serial1 + &H11A4
Serial2 = Serial2 + &H46FF33C
Case &H45
Serial1 = Serial1 + &H11F0A
Serial2 = Serial2 + &H8B3C& ' & suffix: Long literal, not a negative Integer
Case &H46
Serial1 = Serial1 + &H3CC2
Serial2 = Serial2 + &H8618& ' & suffix: Long literal, not a negative Integer
Case &H47
Serial1 = Serial1 + &H3E1A8
Serial2 = Serial2 + &H6C81C
Case &H48
Serial1 = Serial1 + &H91E4& ' & suffix: Long literal, not a negative Integer
Serial2 = Serial2 + &H27E945
Case &H49
Serial1 = Serial1 + &H6B42
Serial2 = Serial2 + &H2FC7C3
Case &H4A
Serial1 = Serial1 + &H516A4
Serial2 = Serial2 + &HB8F47C
Case &H4B
Serial1 = Serial1 + &H4345A
Serial2 = Serial2 + &H115C7
Case &H4C
Serial1 = Serial1 + &H1BFDD9
Serial2 = Serial2 + &H12B54
Case &H4D
Serial1 = Serial1 + &H286D
Serial2 = Serial2 + &HB348C
Case &H4E
Serial1 = Serial1 + &H401
Serial2 = Serial2 + &H357CE174
Case &H4F
Serial1 = Serial1 + &H674
Serial2 = Serial2 + &H317CD7
Case &H50
Serial1 = Serial1 + &H9C
Serial2 = Serial2 + &H7DD834
Case &H51
Serial1 = Serial1 + &H156
Serial2 = Serial2 + &H39CD0
Case &H52
Serial1 = Serial1 + &H8627& ' & suffix: Long literal, not a negative Integer
Serial2 = Serial2 + &HBF44A
Case &H53
Serial1 = Serial1 + &H748190
Serial2 = Serial2 + &H854686
Case &H54
Serial1 = Serial1 + &HA568& ' & suffix: Long literal, not a negative Integer
Serial2 = Serial2 + &H13220
Case &H55
Serial1 = Serial1 + &H15592
Serial2 = Serial2 + &H302E
Case &H56
Serial1 = Serial1 + &H1DD9
Serial2 = Serial2 + &H1C43
Case &H58
Serial1 = Serial1 + &H266A
Serial2 = Serial2 + &H2BA96C08
Case &H57
Serial1 = Serial1 + &H3CC0
Serial2 = Serial2 + &H4EFC8
Case &H59
Serial1 = Serial1 + &H8311& ' & suffix: Long literal, not a negative Integer
Serial2 = Serial2 + &H1C46
Case &H5A
Serial1 = Serial1 + &HCE1B& ' & suffix: Long literal, not a negative Integer
Serial2 = Serial2 + &HB1664
End Select
Next n
Text2.Text = Serial1
Text3.Text = Serial2
End Sub
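After using the keygen and going back to CM021 to verify, I recommend typing each character of the Name box yourself; Serial1 and Serial2 can be pasted in from the keygen. The reason is that CM021 uses the keypress event: pasted characters do not trigger the event, so Serial1 and Serial2 are 0 and the program pops up the error message!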
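Attachment: 021.zip (984.08 KB), containing the original CM program, the unpacked program, the patched programs, the keygen, the OD debug files, etc.
Baidu link: http://pan.baidu.com/s/1skMkJY9 password: 86pm. The 160 CMs and the first 21 crackme programs I have practised on (excluding 012) are all in there.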
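An added example, not part of the original post: a Python replay of the KeyPress accumulation for the Name "52pojie", checked against the ds:[0x42F714]/ds:[0x42F718] values the post quotes from the debugger. The function names are hypothetical, the 32-bit wrap-around and signed decimal conversion are assumptions, and only the five table entries this trace needs are copied from the keygen.

```python
MASK32 = 0xFFFFFFFF  # assumption: the two globals are 32-bit dwords that wrap

# (Serial1, Serial2) increments per character, copied from the post's keygen
# table; only the entries needed for the "52pojie" trace are listed here.
INCREMENTS = {
    "p": (0x9A670, 0x8C7F3),
    "o": (0x8E, 0x1D2C),
    "j": (0x764, 0x378),
    "i": (0x43C, 0x63),
    "e": (0x400, 0xE),
}

# Values of ds:[0x42F714] / ds:[0x42F718] that the post reports seeing in the
# debugger after each of these letters was typed.
OBSERVED = [
    ("p", 0x9A670, 0x8C7F3),
    ("o", 0x9A6FE, 0x8E51F),
    ("j", 0x9AE62, 0x8E897),
    ("i", 0x9B29E, 0x8E8FA),
    ("e", 0x9B69E, 0x8E908),
]

def replay(name):
    """Return [(char, serial1, serial2), ...], one entry per simulated keypress."""
    s1 = s2 = 0
    states = []
    for ch in name:
        # Characters not listed here are treated as adding nothing
        # (true for the digits in this trace).
        d1, d2 = INCREMENTS.get(ch, (0, 0))
        s1, s2 = (s1 + d1) & MASK32, (s2 + d2) & MASK32
        states.append((ch, s1, s2))
    return states

def as_signed(value):
    """Assumption: the decimal conversion treats the dword as signed 32-bit."""
    return value - (1 << 32) if value & 0x80000000 else value

def serials(name):
    """Decimal Serial1/Serial2 strings for a typed name."""
    states = replay(name)
    _, s1, s2 = states[-1] if states else ("", 0, 0)
    return str(as_signed(s1)), str(as_signed(s2))

def mismatches(name, observed):
    """Pairs (model, trace) where the replay disagrees with the debugger trace."""
    model = [state for state in replay(name) if state[0] in INCREMENTS]
    return [(m, o) for m, o in zip(model, observed) if m != o]
```

Because both globals are plain running sums, any ordering of the same characters produces the same pair of serials.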