呵呵!写个过程!看看能不能混点分!!
crackme1.0跟踪分析过程下载后,试用W32Dasm10.0分析,发现可以反汇编!
查看可参考“串式参考内容”发现只有”GOOD”,没有发现文字直接参考捷径!!(其实利用好了也是捷径,只是我不行啦!!)
认为应该是利用显示函数显示
又察看“函数”中“导入”
发现“MSVBVM60.rtcMsgBox”双击跟踪发现“明文”调用此函数有三处
0040465D
00404816
00404878
用0D在这三个地方下断点!
发现名字什么也不填写断在0040465D
显示为“名字太短”(只有大与5个字符才行)
随便填2个试练码(怕万一蒙上了怎么办^-*),可以发现是断在00404878
提示为“继续加油”
只有00407816没用到-------------这就是成功啦!!发现离它很近就是那个“GOOD”
好了!在0040465D往上找在004045F5发现
* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:004045EC 8B3510104000 mov esi, dword ptr
:004045F2 50 push eax
:004045F3 FFD6 call esi
:004045F5 83F805 cmp eax, 00000005
:004045F8 0F8D85000000 jnl 00404683
呵呵就可以跳过显示“名字太短” (只有大与5个字符才行)
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:0040465D FF1530104000 Call dword ptr
显示“名字太短”
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004045F8(C)
|
:00404683 8B45E4 mov eax, dword ptr
:00404686 50 push eax
:00404687 FFD6 call esi
:00404689 8BC8 mov ecx, eax
* Reference To: MSVBVM60.__vbaI2I4, Ord:0000h
|
:0040468B FF1550104000 Call dword ptr
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00404691 8B1D14104000 mov ebx, dword ptr
:00404697 89853CFFFFFF mov dword ptr , eax
跳过后在00404687再此求名字长度后(用“abcdef”,长度为6)
00404697 名字长度 6送ss:用做计算比较值了
:0040469D BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040472C(U)
|
:004046A2 663BB53CFFFFFF cmp si, word ptr
:004046A9 0F8F82000000 jg 00404731
这就是开始循环计数开始处理名字串了
:004046AF 8D4DE4 lea ecx, dword ptr
:004046B2 8D55C0 lea edx, dword ptr
:004046B5 0FBFC6 movsx eax, si
:004046B8 894D88 mov dword ptr , ecx
:004046BB 52 push edx
:004046BC 8D4D80 lea ecx, dword ptr
:004046BF 50 push eax
:004046C0 8D55B0 lea edx, dword ptr
:004046C3 51 push ecx
:004046C4 52 push edx
:004046C5 C745C804000280 mov , 80020004
:004046CC C745C00A000000 mov , 0000000A
:004046D3 C7458008400000 mov , 00004008
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:004046DA FF1540104000 Call dword ptr
:004046E0 8D45B0 lea eax, dword ptr
:004046E3 8D4DD8 lea ecx, dword ptr
:004046E6 50 push eax
:004046E7 51 push ecx
* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:004046E8 FF1574104000 Call dword ptr
名字串放Eax的地址里=“abcdef”
:004046EE 50 push eax
* Reference To: MSVBVM60.rtcByteValueBstr, Ord:02B5h
|
:004046EF FF150C104000 Call dword ptr
从名字串前面第一字符取,计算的ascii 值a=61,放在eax中
:004046F5 25FF000000 and eax, 000000FF
去掉高位
:004046FA 8D4DD8 lea ecx, dword ptr
:004046FD 03C7 add eax, edi
开始累加(第一次累加初值edi=0)
:004046FF 0F8004020000 jo 00404909
:00404705 8BF8 mov edi, eax
累加值送edi
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00404707 FF15B8104000 Call dword ptr
:0040470D 8D55B0 lea edx, dword ptr
:00404710 8D45C0 lea eax, dword ptr
:00404713 52 push edx
:00404714 50 push eax
:00404715 6A02 push 00000002
:00404717 FFD3 call ebx
:00404719 B801000000 mov eax, 00000001
:0040471E 83C40C add esp, 0000000C
:00404721 6603C6 add ax, si
:00404724 0F80DF010000 jo 00404909
:0040472A 8BF0 mov esi, eax
:0040472C E971FFFFFF jmp 004046A2
去判断处理完名字串没有??
“名字串ASCII累加值”=255H(十六进制)=597(十进制)
然后对输入的注册码进行处理
* Reference To: MSVBVM60.__vbaStrI4, Ord:0000h
|
:00404770 FF1508104000 Call dword ptr
eax=计算出的值“597”
:00404776 8BD0 mov edx, eax
:00404778 8D4DD4 lea ecx, dword ptr
* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0040477B FF15A4104000 Call dword ptr
:00404781 8B55D8 mov edx, dword ptr
edx=1111输入的试练码
:00404784 50 push eax
:00404785 52 push edx
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00404786 FF154C104000 Call dword ptr
两值明码比较
:0040478C 8BF0 mov esi, eax
:0040478E 8D45D8 lea eax, dword ptr
:00404791 F7DE neg esi
:00404793 1BF6 sbb esi, esi
:00404795 8D4DD4 lea ecx, dword ptr
:00404798 50 push eax
:00404799 46 inc esi
:0040479A 51 push ecx
:0040479B 6A02 push 00000002
:0040479D F7DE neg esi
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:0040479F FF158C104000 Call dword ptr
:004047A5 83C40C add esp, 0000000C
:004047A8 8D4DD0 lea ecx, dword ptr
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:004047AB FF15B4104000 Call dword ptr
:004047B1 B904000280 mov ecx, 80020004
:004047B6 B80A000000 mov eax, 0000000A
:004047BB 6685F6 test si, si
两值不等。就跳到显示“继续加油”
如果名字是“abcdef”,注册码输入“597”,两个值相同,就不会跳转
:004047BE 894D98 mov dword ptr , ecx
:004047C1 894590 mov dword ptr , eax
:004047C4 894DA8 mov dword ptr , ecx
:004047C7 8945A0 mov dword ptr , eax
:004047CA 7462 je 0040482E
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:004047CC 8B3D9C104000 mov edi, dword ptr
:004047D2 BE08000000 mov esi, 00000008
:004047D7 8D9570FFFFFF lea edx, dword ptr
:004047DD 8D4DB0 lea ecx, dword ptr
:004047E0 C78578FFFFFFC8224000 mov dword ptr , 004022C8
:004047EA 89B570FFFFFF mov dword ptr , esi
:004047F0 FFD7 call edi
:004047F2 8D5580 lea edx, dword ptr
:004047F5 8D4DC0 lea ecx, dword ptr
* Possible StringData Ref from Code Obj ->"GOOD"
|
:004047F8 C74588AC224000 mov , 004022AC
:004047FF 897580 mov dword ptr , esi
:00404802 FFD7 call edi
:00404804 8D5590 lea edx, dword ptr
:00404807 8D45A0 lea eax, dword ptr
:0040480A 52 push edx
:0040480B 8D4DB0 lea ecx, dword ptr
:0040480E 50 push eax
:0040480F 51 push ecx
:00404810 8D55C0 lea edx, dword ptr
:00404813 6A00 push 00000000
:00404815 52 push edx
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00404816 FF1530104000 Call dword ptr
显示“GOOD!你成功了!”
注册机。。。。。。。。就免了吧!直接从输入的名字前面往后取,累加就是注册码!!(呵呵,我是什么语言也不精通呀!嘿嘿)
[ Last edited by ζ lengxue
760
内存注册机!
中断地址:6A2A4841
中断次数:1
第一字节:FF
指令长度:6
寄存器,内存方式,EAX,宽字符! 老大我只会爆破怎么,呵呵。 分析一下,练练手。 试试看,能不能搞定 wgf4242
528
哇.虽然是简单不过自己弄出来还是蛮开心的. 我也发个内存注册机上来,呵呵
内存地址:00404784
中断次数:1
第一字节:50
指令长度:1
保存类型为:内存方式EAX,宽字符-选上
过分,这么久都没个注册机
/:D /:D :lol: :lol: 其实我最喜欢这种 Crackme 了:lol:#include<stdio.h>
#include<string.h>
main()
{
int i,sum=0,len;
char name;
printf("请输入你的大名:");
gets(name);
len=strlen(name);
for(i=0;i<len;i++)
sum+=name;
printf("你的注册码是:");
printf("%d\n",sum);
} godhack
721
继续研究。。。
[ 本帖最后由 godhack 于 2006-9-10 16:04 编辑 ]