CrackMe 3.0出来啦!
CrackMe 3.0出来啦!不知1.0和2.0有人搞出来没有,不妨把思路写出来啊!
这样才有意思! name: lucktiger sn:351004526 兄弟!我知道用OD很快能跟出来,可是大家想要的是分析过程啊!能否写写? TMD的破网吧,禁止下载了! :)赚积分
用户名:tianbian
密码:3926419352
用GetDlgItem下断
跟踪到这里,对用户名循环运算
; --- OllyDbg trace of crackme3, 004015C7..00401642 (x86-32, MFC42, __thiscall: ecx = this) ---
; The forum stripped every bracketed memory operand ("DWORD PTR SS:[EBP-xx]"); each one is
; restored in the line comment from the opcode bytes shown on the same line
; (ModRM 45/4D/55 = ebp+disp8 with eax/ecx/edx; 7D = ebp+disp8 memory-only form).
; Stack-frame roles as this listing uses them:
;   [ebp-20] loop index i            [ebp-1C] name length (len)
;   [ebp-10] running 32-bit value r  [ebp-14] name CString (this for 00401900)
;   [ebp-24] CString receiving the "%lu" text   [ebp-18] CString holding the entered code
; Loop as pseudo-C (everything 32-bit, wraps on overflow):
;   for (i = 0; i < len; i++) {
;       r += (signed char)name[i];      // movsx: bytes >= 0x80 contribute a negative value
;       r ^= (i << 8);
;       r *= (i + 1) * ~(len * i);
;   }
; i is set to 0 and the loop is entered at 004015D0 just before this listing (see the
; longer trace further down), so the first pass skips the increment at 004015C7.
; r's initial value is also set before this listing (the longer trace's author observed 0x81276345).
004015C7|> 8B55 E0 /MOV EDX,DWORD PTR SS:   ; [ebp-20] -> edx : i
004015CA|. 83C2 01 |ADD EDX,1               ; i + 1
004015CD|. 8955 E0 |MOV DWORD PTR SS:,EDX   ; [ebp-20] = i + 1
004015D0|> 8B45 E0 MOV EAX,DWORD PTR SS:    ; loop head: eax = i ([ebp-20])
004015D3|. 3B45 E4 |CMP EAX,DWORD PTR SS:   ; compare with len ([ebp-1C]); signed compare
004015D6|. 7D 42 |JGE SHORT crackme3.0040161A ; exit when i >= len
004015D8|. 8B4D E0 |MOV ECX,DWORD PTR SS:   ; ecx = i ([ebp-20])
004015DB|. 51 |PUSH ECX ; /Arg1             ; index argument
004015DC|. 8D4D EC |LEA ECX,DWORD PTR SS: ; | ; this = &name CString ([ebp-14])
004015DF|. E8 1C030000 |CALL crackme3.00401900 ; \crackme3.00401900 ; returns name[i] in al (per the longer trace's author: fetches the i-th character)
004015E4|. 0FBED0 |MOVSX EDX,AL             ; sign-extend the character: edx = (signed char)name[i]
004015E7|. 8B45 F0 |MOV EAX,DWORD PTR SS:   ; eax = r ([ebp-10])
004015EA|. 03C2 |ADD EAX,EDX                ; r + name[i]
004015EC|. 8945 F0 |MOV DWORD PTR SS:,EAX   ; [ebp-10] = r
004015EF|. 8B4D E0 |MOV ECX,DWORD PTR SS:   ; ecx = i ([ebp-20])
004015F2|. C1E1 08 |SHL ECX,8               ; i << 8 (i * 256)
004015F5|. 8B55 F0 |MOV EDX,DWORD PTR SS:   ; edx = r ([ebp-10])
004015F8|. 33D1 |XOR EDX,ECX                ; r ^ (i << 8)
004015FA|. 8955 F0 |MOV DWORD PTR SS:,EDX   ; [ebp-10] = r
004015FD|. 8B45 E0 |MOV EAX,DWORD PTR SS:   ; eax = i ([ebp-20])
00401600|. 83C0 01 |ADD EAX,1               ; eax = i + 1
00401603|. 8B4D E4 |MOV ECX,DWORD PTR SS:   ; ecx = len ([ebp-1C])
00401606|. 0FAF4D E0 |IMUL ECX,DWORD PTR SS: ; ecx = len * i ([ebp-20])
0040160A|. F7D1 |NOT ECX                    ; bitwise complement: ~(len * i)
0040160C|. 0FAFC1 |IMUL EAX,ECX             ; eax = (i + 1) * ~(len * i)
0040160F|. 8B55 F0 |MOV EDX,DWORD PTR SS:   ; edx = r ([ebp-10])
00401612|. 0FAFD0 |IMUL EDX,EAX             ; r * eax (low 32 bits kept)
00401615|. 8955 F0 |MOV DWORD PTR SS:,EDX   ; [ebp-10] = r
00401618|.^EB AD \JMP SHORT crackme3.004015C7 ; next iteration (increment i)
; Loop done: format r as an unsigned decimal string, then compare it with the entered code.
0040161A|> 8B45 F0 MOV EAX,DWORD PTR SS:    ; eax = final r ([ebp-10])
0040161D|. 50 PUSH EAX                      ; vararg: the value to print
0040161E|. 68 54404000 PUSH crackme3.00404054 ;ASCII "%lu" ; unsigned -> up to 10 decimal digits
00401623|. 8D4D DC LEA ECX,DWORD PTR SS:    ; ecx = &result CString ([ebp-24])
00401626|. 51 PUSH ECX                      ; CString::Format takes this on the stack (cdecl, variadic)
00401627|. E8 52070000 CALL <JMP.&MFC42.#2818> ; MFC42 ordinal 2818 = CString::Format (named in the longer trace)
0040162C|. 83C4 0C ADD ESP,0C ------ caller cleans 3 args; [ebp-24] now holds the text that should match the entered code
0040162F|. 8D4D DC LEA ECX,DWORD PTR SS:    ; this = &result CString ([ebp-24])
00401632|. E8 79020000 CALL crackme3.004018B0 ; presumably yields the C string of [ebp-24] in eax (not shown here)
00401637|. 50 PUSH EAX ; /Arg1              ; computed code string
00401638|. 8D4D E8 LEA ECX,DWORD PTR SS: ; | ; this = entered-code CString ([ebp-18])
0040163B|. E8 80020000 |CALL crackme3.004018C0 ; \crackme3.004018C0 ----- this subroutine compares the two codes, confirming the guess above
00401640|. 85C0 TEST EAX,EAX                ; compare result: 0 presumably means equal
; Taken (eax != 0) -> 00401747, the mismatch path; fall-through -> success handling.
00401642|. 0F85 FF000000JNZ crackme3.00401747 呵呵,爆破点 楼上的!爆破简单的
你贴的这个我看不懂!能不能解释下?
主要是这个crackme的算法 ytsnow//4214443872 灌水.哈哈
; --- OllyDbg trace of crackme3, 00401542..00401642: read the two edit controls, validate the
; name length, derive a 32-bit value from the name, print it with "%lu" and compare it with
; the entered code. x86-32, MFC42, __thiscall (ecx = this). ---
; The forum stripped the bracketed memory operands ("dword ptr ss:[ebp-xx]"); each one is
; restored in the line comment from the opcode bytes on the same line.
; Stack-frame roles as used here:
;   [ebp-1C0] this (CWnd*, loaded into ecx before every CWnd:: call)
;   [ebp-14] name CString        [ebp-18] entered-code CString   [ebp-24] CString for the "%lu" text
;   [ebp-1C] len                 [ebp-20] loop index i           [ebp-10] running value r
;   [ebp-4]  looks like the compiler's exception-state index (changed around each CString dtor) — unverified
; Loop as pseudo-C (32-bit, wraps on overflow):
;   for (i = 0; i < len; i++) { r += (signed char)name[i]; r ^= (i << 8); r *= (i + 1) * ~(len * i); }
00401542 |.8D45 EC lea eax,dword ptr ss:        ;eax = &name CString ([ebp-14]), output buffer
00401545 |.50 push eax                          ;CString& rString
00401546 |.68 E8030000 push 3E8                 ;control ID 0x3E8 (name edit, per the author)
0040154B |.8B8D 40FEFFFF mov ecx,dword ptr ss:  ;this = [ebp-1C0]
00401551 |.E8 34080000 call <jmp.&MFC42.#3097_CWnd::GetDlgItemTextA> ;read the user name
00401556 |.8D4D E8 lea ecx,dword ptr ss:        ;ecx = &entered-code CString ([ebp-18])
00401559 |.51 push ecx                          ;CString& rString
0040155A |.68 E9030000 push 3E9                 ;control ID 0x3E9 (code edit, per the author)
0040155F |.8B8D 40FEFFFF mov ecx,dword ptr ss:  ;this = [ebp-1C0]
00401565 |.E8 20080000 call <jmp.&MFC42.#3097_CWnd::GetDlgItemTextA> ;read the entered code
0040156A |.8D4D EC lea ecx,dword ptr ss:        ;this = &name CString ([ebp-14])
0040156D |.E8 DE020000 call crackme3.00401850   ;compute the name length (author's note; result in eax)
00401572 |.8945 E4 mov dword ptr ss:,eax        ;[ebp-1C] = len
00401575 |.837D E4 05 cmp dword ptr ss:,5       ;len must be at least 5 (>= 5, matching the message text below)
00401579 |.7D 43 jge short crackme3.004015BE    ;long enough -> continue to the loop
; Failure path: show the message, destroy the three CStrings, leave the function.
0040157B |.6A 40 push 40                        ;uType 0x40 = MB_ICONINFORMATION
0040157D |.68 20404000 push crackme3.00404020   ;ASCII "CrackMe" (caption)
00401582 |.68 28404000 push crackme3.00404028   ;ASCII "User Name must have at least 5 characters."
00401587 |.8B8D 40FEFFFF mov ecx,dword ptr ss:  ;this = [ebp-1C0]
0040158D |.E8 F2070000 call <jmp.&MFC42.#4224_CWnd::MessageBoxA>
00401592 |.C645 FC 01 mov byte ptr ss:,1        ;[ebp-4] = 1 (state index, see header note)
00401596 |.8D4D DC lea ecx,dword ptr ss:        ;this = [ebp-24]
00401599 |.E8 C2070000 call <jmp.&MFC42.#800_CString::~CString>
0040159E |.C645 FC 00 mov byte ptr ss:,0        ;[ebp-4] = 0
004015A2 |.8D4D E8 lea ecx,dword ptr ss:        ;this = entered-code CString ([ebp-18])
004015A5 |.E8 B6070000 call <jmp.&MFC42.#800_CString::~CString>
004015AA |.C745 FC FFFFFFFF mov dword ptr ss:,-1 ;[ebp-4] = -1
004015B1 |.8D4D EC lea ecx,dword ptr ss:        ;this = name CString ([ebp-14])
004015B4 |.E8 A7070000 call <jmp.&MFC42.#800_CString::~CString>
004015B9 |.E9 F9010000 jmp crackme3.004017B7    ;to the function exit (not shown)
; Name-derived value: for (i = 0; i < len; i++) ...
004015BE |>C745 E0 00000000 mov dword ptr ss:,0 ;i = 0 ([ebp-20])
004015C5 |.EB 09 jmp short crackme3.004015D0    ;enter at the condition check, skipping the first increment
004015C7 |>8B55 E0 /mov edx,dword ptr ss:       ;edx = i ([ebp-20])
004015CA |.83C2 01 |add edx,1 ;i=i+1
004015CD |.8955 E0 |mov dword ptr ss:,edx       ;[ebp-20] = i
004015D0 |>8B45 E0 mov eax,dword ptr ss: ;i, the loop index, starts at 0 ([ebp-20])
004015D3 |.3B45 E4 |cmp eax,dword ptr ss: ;loop condition: i vs len ([ebp-1C]), signed compare
004015D6 |.7D 42 |jge short crackme3.0040161A   ;exit when i >= len
004015D8 |.8B4D E0 |mov ecx,dword ptr ss:       ;ecx = i ([ebp-20])
004015DB |.51 |push ecx ; /Arg1                 ;index
004015DC |.8D4D EC |lea ecx,dword ptr ss: ; |   ;this = &name CString ([ebp-14])
004015DF |.E8 1C030000 |call crackme3.00401900 ; \fetch the i-th character of name (author's note), returned in al
004015E4 |.0FBED0 |movsx edx,al ;n1,n2,... sign-extended: a byte >= 0x80 (e.g. a GBK character) becomes negative
004015E7 |.8B45 F0 |mov eax,dword ptr ss: ;r -> eax ([ebp-10]): 0x81276345 on the 1st pass (author's observed initial value, set before this listing), previous result on later passes
004015EA |.03C2 |add eax,edx ;temp1 = r + n1; r + n2; ...
004015EC |.8945 F0 |mov dword ptr ss:,eax ;save temp1 to [ebp-10]
004015EF |.8B4D E0 |mov ecx,dword ptr ss: ;i ([ebp-20])
004015F2 |.C1E1 08 |shl ecx,8 ;i << 8, i.e. i * 2^8 (left shift; the original note wrote >>)
004015F5 |.8B55 F0 |mov edx,dword ptr ss:       ;edx = temp1 ([ebp-10])
004015F8 |.33D1 |xor edx,ecx ;temp2 = temp1 xor (i << 8)
004015FA |.8955 F0 |mov dword ptr ss:,edx ;save temp2 to [ebp-10]
004015FD |.8B45 E0 |mov eax,dword ptr ss: ;i ([ebp-20])
00401600 |.83C0 01 |add eax,1 ;x = i + 1
00401603 |.8B4D E4 |mov ecx,dword ptr ss: ;len ([ebp-1C])
00401606 |.0FAF4D E0 |imul ecx,dword ptr ss: ;y = len * i ([ebp-20])
0040160A |.F7D1 |not ecx ;~y (bitwise complement, not logical !)
0040160C |.0FAFC1 |imul eax,ecx ;z = x * ~y
0040160F |.8B55 F0 |mov edx,dword ptr ss: ;edx = temp2 ([ebp-10])
00401612 |.0FAFD0 |imul edx,eax ;result = temp2 * z (low 32 bits)
00401615 |.8955 F0 |mov dword ptr ss:,edx ;save result to [ebp-10]
00401618 |.^ EB AD \jmp short crackme3.004015C7 ;next iteration
; Loop done: format the value and compare it with the entered code.
0040161A |>8B45 F0 mov eax,dword ptr ss:        ;eax = final result ([ebp-10])
0040161D |.50 push eax                          ;vararg for Format
0040161E |.68 54404000 push crackme3.00404054 ;ASCII "%lu"
00401623 |.8D4D DC lea ecx,dword ptr ss:        ;ecx = &result CString ([ebp-24])
00401626 |.51 push ecx                          ;this passed on the stack (cdecl, variadic)
00401627 |.E8 52070000 call <jmp.&MFC42.#2818_CString::Format> ;printed as unsigned decimal, so the code has up to 10 digits
0040162C |.83C4 0C add esp,0C                   ;caller cleans 3 args
0040162F |.8D4D DC lea ecx,dword ptr ss:        ;this = &result CString ([ebp-24])
00401632 |.E8 79020000 call crackme3.004018B0   ;presumably yields the C string of [ebp-24] in eax (not shown)
00401637 |.50 push eax ; /computed code string
00401638 |.8D4D E8 lea ecx,dword ptr ss: ; |    ;this = entered-code CString ([ebp-18])
0040163B |.E8 80020000 call crackme3.004018C0 ; \compare with the entered code (author's note)
00401640 |.85C0 test eax,eax                    ;0 presumably means equal
00401642 |.0F85 FF000000 jnz crackme3.00401747 //key branch: taken on mismatch -> 00401747; fall-through on match
[ Last edited by ytsnow on 2005-2-15 at 06:00 PM ] name:pyg-winipcfg
sn: 2738313756
偶很菜,不知道怎么分析算法,只会用OD下断。
懵着找注册码。还得用功学习才行啊! dddddd 小菜鸟也来一贴!
name:雷刃
sn:1012317523