sn:806344284
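I'm pretty much a beginner, so after loading it in OD I went straight to the string references, and when I saw "Correct!!" I double-clicked it,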
0040163B |.E8 80020000 call CRACKME3.004018C0 ; \CRACKME3.004018C0
00401640 |.85C0 test eax,eax
00401642 0F85 FF000000 jnz CRACKME3.00401747
00401648 |.8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp>
0040164E |.E8 19070000 call <jmp.&MFC42.#540>
00401653 |.C645 FC 03 mov byte ptr ss:[ebp-4],3
00401657 |.6A 66 push 66
00401659 |.8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp>
0040165F |.E8 02070000 call <jmp.&MFC42.#4160>
00401664 |.B9 07000000 mov ecx,7
00401669 |.BE 58404000 mov esi,CRACKME3.00404058 ;ASCII "Correct!! "
Heh, looking upward I found the key jump, so I immediately set a breakpoint at 00401642 /0F85 FF000000 jnz CRACKME3.00401747,
ran the program, entered a user name and a fake registration code, and after it broke I saw this in the lower-right corner:
0063F638 6C40FAE8 offset MFC42.#4234
0063F63C 00000001
0063F640 006542A0 ASCII "112233445" ← fake code
0063F644 00000019
0063F648 FFFFFFFF
0063F64C 0063F83C
0063F650 00401643 CRACKME3.00401643
0063F654 00000167
0063F658 00200286
0063F65C 0063F674
0063F660 0000016F
0063F664 0063F824
0063F668 0063F83C
0063F66C 00401640 CRACKME3.00401640
0063F670 006542F0 ASCII "806344284" ← real code
0063F674 0063FD04
SO,PASS IT~~~~~
Why do I feel this one is easier than CRACK2.0? With this test I could apply for membership. The algorithm... I can't even program yet.
kerfier
3192326038
Algorithm:
void CKeyDlg::OnOk()
{
// TODO: Add your control notification handler code here
int dd;
int i,length;
unsigned long tt1=0x81276345;
char ch[11]={""}; // 10 digits plus the terminating NUL
UpdateData(TRUE);
length=m_strName.GetLength();
for (i=0;i<length; i++)
{
dd=(int)m_strName[i];
tt1=tt1+m_strName[i];
tt1 = tt1^(i<<8);
dd= 0xffffffff-(length*i); // length*i, matching the imul ecx at 00401606
dd= (i+1) * dd;
tt1 = tt1 * dd;
}
for (i=0; i<10; i++)
{
ch[9-i] = tt1 % 10 + 0x30; // fill from the right so the digits read in order (zero-padded to 10)
tt1 = tt1 / 10;
}
m_strCode=ch;
UpdateData(FALSE);
}
Got it! Thanks!
How do you trace the program? Thanks!
Haha, let me post something too!!
User name: ababababab
Password: 4153712882
I found it with WinHex.
Heh heh
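An added example, not code from any poster in this thread: the per-character loop as it reads in the W32Dasm listing further down (004015D8 to 00401615), ported to Python and checked against the two name/serial pairs posted above. The function names are my own, and the start value 0x81276345 is taken from the posted source, since the listing does not show where it is set.

```python
MASK = 0xFFFFFFFF  # registers are 32 bits wide, so every result wraps


def movsx8(b):
    """movsx edx, al: sign-extend one byte to a signed value."""
    return b - 0x100 if b & 0x80 else b


def serial_for(name, seed=0x81276345):
    """Replay the loop; seed is the start value given in the posted source."""
    data = name.encode("latin-1")
    n = len(data)
    acc = seed
    for i, b in enumerate(data):
        acc = (acc + movsx8(b)) & MASK       # add eax, edx
        acc ^= (i << 8) & MASK               # shl ecx, 08 / xor edx, ecx
        factor = ~(n * i) & MASK             # imul ecx, i / not ecx
        factor = ((i + 1) * factor) & MASK   # imul eax, ecx
        acc = (acc * factor) & MASK          # imul edx, eax
    return "%u" % acc                        # the binary formats with "%lu"


def check(name, entered):
    """The length test at 00401575 followed by the final string compare."""
    return len(name) >= 5 and serial_for(name) == entered


# Name/serial pairs taken from the posts in this thread.
KNOWN = {"kerfier": "3192326038", "ababababab": "4153712882"}

if __name__ == "__main__":
    for name, serial in KNOWN.items():
        print(name, serial_for(name), check(name, serial))
```

The expected serial depends only on the name and is computed inside the program before a plain string compare, which is why the first post could read it off the stack at the breakpoint.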
Is patching OK??
:00401565 E820080000 Call 00401D8A
:0040156A 8D4DEC lea ecx, dword ptr [ebp-14]
:0040156D E8DE020000 call 00401850
:00401572 8945E4 mov dword ptr [ebp-1C], eax
:00401575 837DE405 cmp dword ptr [ebp-1C], 00000005
:00401579 EB43 jmp 004015BE <========================= changed to an unconditional jump to get past the "at least 5 characters" limit
:0040157B 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"CrackMe"
|
:0040157D 6820404000 push 00404020
* Possible StringData Ref from Data Obj ->"User Name must have at least 5 "
->"characters."
|
:00401582 6828404000 push 00404028
:00401587 8B8D40FEFFFF mov ecx, dword ptr [ebp+FFFFFE40]
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:0040158D E8F2070000 Call 00401D84
:00401592 C645FC01 mov [ebp-04], 01
:00401596 8D4DDC lea ecx, dword ptr [ebp-24]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00401599 E8C2070000 Call 00401D60
:0040159E C645FC00 mov [ebp-04], 00
:004015A2 8D4DE8 lea ecx, dword ptr [ebp-18]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004015A5 E8B6070000 Call 00401D60
:004015AA C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004015B1 8D4DEC lea ecx, dword ptr [ebp-14]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004015B4 E8A7070000 Call 00401D60
:004015B9 E9F9010000 jmp 004017B7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401579(U)
|
:004015BE C745E000000000 mov [ebp-20], 00000000
:004015C5 EB09 jmp 004015D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401618(U)
|
:004015C7 8B55E0 mov edx, dword ptr [ebp-20]
:004015CA 83C201 add edx, 00000001
:004015CD 8955E0 mov dword ptr [ebp-20], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015C5(U)
|
:004015D0 8B45E0 mov eax, dword ptr [ebp-20]
:004015D3 3B45E4 cmp eax, dword ptr [ebp-1C]
:004015D6 7D42 jge 0040161A
:004015D8 8B4DE0 mov ecx, dword ptr [ebp-20]
:004015DB 51 push ecx
:004015DC 8D4DEC lea ecx, dword ptr [ebp-14]
:004015DF E81C030000 call 00401900
:004015E4 0FBED0 movsx edx, al
:004015E7 8B45F0 mov eax, dword ptr [ebp-10]
:004015EA 03C2 add eax, edx
:004015EC 8945F0 mov dword ptr [ebp-10], eax
:004015EF 8B4DE0 mov ecx, dword ptr [ebp-20]
:004015F2 C1E108 shl ecx, 08
:004015F5 8B55F0 mov edx, dword ptr [ebp-10]
:004015F8 33D1 xor edx, ecx
:004015FA 8955F0 mov dword ptr [ebp-10], edx
:004015FD 8B45E0 mov eax, dword ptr [ebp-20]
:00401600 83C001 add eax, 00000001
:00401603 8B4DE4 mov ecx, dword ptr [ebp-1C]
:00401606 0FAF4DE0 imul ecx, dword ptr [ebp-20]
:0040160A F7D1 not ecx
:0040160C 0FAFC1 imul eax, ecx
:0040160F 8B55F0 mov edx, dword ptr [ebp-10]
:00401612 0FAFD0 imul edx, eax
:00401615 8955F0 mov dword ptr [ebp-10], edx
:00401618 EBAD jmp 004015C7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015D6(C)
|
:0040161A 8B45F0 mov eax, dword ptr [ebp-10]
:0040161D 50 push eax
* Possible StringData Ref from Data Obj ->"%lu"
|
:0040161E 6854404000 push 00404054
:00401623 8D4DDC lea ecx, dword ptr [ebp-24]
:00401626 51 push ecx
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00401627 E852070000 Call 00401D7E
:0040162C 83C40C add esp, 0000000C
:0040162F 8D4DDC lea ecx, dword ptr [ebp-24]
:00401632 E879020000 call 004018B0
:00401637 50 push eax
:00401638 8D4DE8 lea ecx, dword ptr [ebp-18]
:0040163B E880020000 call 004018C0
:00401640 85C0 test eax, eax
:00401642 90 nop <============= NOP out the jne, otherwise it jumps to its death
* Possible Reference to String Resource ID=00103: "Incorrect!!, Try Again."
:00401643 90 nop
:00401644 90 nop
:00401645 90 nop
:00401646 90 nop
:00401647 90 nop
:00401648 8D8DACFEFFFF lea ecx, dword ptr [ebp+FFFFFEAC]
* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:0040164E E819070000 Call 00401D6C
:00401653 C645FC03 mov [ebp-04], 03
* Possible Reference to Dialog: DialogID_0066
|
* Possible Reference to String Resource ID=00102: "Good!!, Way To Go."
|
:00401657 6A66 push 00000066
:00401659 8D8DACFEFFFF lea ecx, dword ptr [ebp+FFFFFEAC]