lzc627
发表于 2006-3-6 18:07:34
好难哦。我刚学我要慢慢来哦。
WildCatIII
发表于 2006-3-10 22:29:01
原帖由 GGS0520 于 2005-5-5 09:45 发表
哈哈,我也来灌灌!!
用户名:ababababab
密码:4153712882
我用WinHex找到的。
呵呵
不是吧,这都行?
我来做个内存KEYGEN试试...
WildCatIII
发表于 2006-3-10 22:47:23
UserName:WildCatIII
Code:4283903040
野猫III
发表于 2006-3-27 00:13:09
原帖由 GGS0520 于 2005-5-5 09:45 发表
哈哈,我也来灌灌!!
用户名:ababababab
密码:4153712882
我用WinHex找到的。
呵呵
这都行。。。?离题啦。。。
野猫III
发表于 2006-3-27 00:15:50
原帖由 GGS0520 于 2005-5-5 09:45 发表
哈哈,我也来灌灌!!
用户名:ababababab
密码:4153712882
我用WinHex找到的。
呵呵
这都行。。。?离题啦。。。
snetluck
发表于 2006-3-27 17:04:47
;-----------------------------------------------------------------------
; Fragment of the crackme's name/serial check (32-bit x86, OllyDbg listing,
; Intel syntax). The function starts before 0040156D and continues past
; 0040177C (the shared exit at 004017B7 is not shown).
;
; The extraction dropped every bracketed memory operand ("mov , eax").
; Where a comment below names an operand such as [ebp-1C], it was decoded
; from the instruction bytes printed on the same line.
;
; Locals as used in this fragment:
;   [ebp-1C]  name length (return value of 00401850)
;   [ebp-20]  loop index i
;   [ebp-10]  32-bit accumulator; its initial value is set before this
;             fragment and is not visible here
;   [ebp-14]  CString passed to 00401900 to read name characters
;   [ebp-24]  CString receiving the "%lu"-formatted accumulator
;   [ebp-18]  CString compared against it (presumably the entered serial)
;   [ebp-4]   state byte/dword updated around each CString call
;             (presumably the compiler's EH state index - TODO confirm)
;
; Equivalent of the loop at 004015C7..00401618:
;   for (i = 0; i < len; i++) {
;       acc += (signed char)name[i];
;       acc ^= i << 8;
;       acc *= (i + 1) * ~(len * i);
;   }
;   expected = format("%lu", acc);
;
; Design note: the expected serial depends only on the name, is computed
; on the client, and is formatted into a plain string before the compare
; at 0040163B. Nothing in the check is secret, which is consistent with
; the earlier posts that read the serial straight out of process memory.
;-----------------------------------------------------------------------
0040156D|.E8 DE020000 call 00401850 ;author: "get the user name"; eax is stored below as the name length
00401572|.8945 E4 mov , eax ;[ebp-1C] = name length (bytes 89 45 E4)
00401575|.837D E4 05 cmp dword ptr , 5 ;name length >= 5 ? (operand is [ebp-1C])
00401579|.7D 43 jge short 004015BE ;signed >=: long enough, go compute; fall-through is the "too short" error
0040157B|.6A 40 push 40 ;0x40, presumably the message-box style (MB_ICONINFORMATION)
0040157D|.68 20404000 push 00404020 ;ASCII "CrackMe"
00401582|.68 28404000 push 00404028 ;ASCII "User Name must have at least 5 characters."
00401587|.8B8D 40FEFFFF mov ecx, ;ecx = [ebp-1C0], presumably the dialog's this pointer
0040158D|.E8 F2070000 call <jmp.&MFC42.#4224_CWnd::> ;name truncated in the listing; presumably CWnd::MessageBoxA
00401592|.C645 FC 01 mov byte ptr , 1 ;[ebp-4] = 1
00401596|.8D4D DC lea ecx, ;ecx = &[ebp-24]
00401599|.E8 C2070000 call <jmp.&MFC42.#800_CString> ;name truncated; presumably the CString destructor
0040159E|.C645 FC 00 mov byte ptr , 0 ;[ebp-4] = 0
004015A2|.8D4D E8 lea ecx, ;ecx = &[ebp-18]
004015A5|.E8 B6070000 call <jmp.&MFC42.#800_CString>
004015AA|.C745 FC FFFFF>mov dword ptr , -1 ;[ebp-4] = -1
004015B1|.8D4D EC lea ecx, ;ecx = &[ebp-14]
004015B4|.E8 A7070000 call <jmp.&MFC42.#800_CString>
004015B9|.E9 F9010000 jmp 004017B7 ;leave through the common exit (outside this listing)
004015BE|>C745 E0 00000>mov dword ptr , 0 ;i = 0 ([ebp-20])
004015C5|.EB 09 jmp short 004015D0 ;skip the increment on the first pass
004015C7|>8B55 E0 /mov edx, ;edx = i
004015CA|.83C2 01 |add edx, 1 ;i + 1
004015CD|.8955 E0 |mov , edx ;i = i + 1
004015D0|>8B45 E0 mov eax, ;eax = i
004015D3|.3B45 E4 |cmp eax, ;compare i with the name length at [ebp-1C]; the author's note said 8, which is the length of the sample name "snetluck"
004015D6|.7D 42 |jge short 0040161A ;all characters consumed: leave the loop
004015D8|.8B4D E0 |mov ecx, ;ecx = i
004015DB|.51 |push ecx ; /Arg1 = i (character index)
004015DC|.8D4D EC |lea ecx, ; |ecx = &[ebp-14] (name CString)
004015DF|.E8 1C030000 |call 00401900 ; \returns character i of the name in al (used by the movsx below)
004015E4|.0FBED0 |movsx edx, al ;edx = sign-extended character; a byte >= 0x80 becomes negative
004015E7|.8B45 F0 |mov eax, ;eax = acc ([ebp-10])
004015EA|.03C2 |add eax, edx ;acc + ch (0x73, 's', on the first pass of the author's run)
004015EC|.8945 F0 |mov , eax ;acc = acc + ch
004015EF|.8B4D E0 |mov ecx, ;ecx = i
004015F2|.C1E1 08 |shl ecx, 8 ;ecx = i << 8
004015F5|.8B55 F0 |mov edx, ;edx = acc
004015F8|.33D1 |xor edx, ecx ;edx = acc ^ (i << 8)
004015FA|.8955 F0 |mov , edx ;acc updated
004015FD|.8B45 E0 |mov eax, ;eax = i
00401600|.83C0 01 |add eax, 1 ;eax = i + 1 (temporary; i itself is not written here)
00401603|.8B4D E4 |mov ecx, ;ecx = name length
00401606|.0FAF4D E0 |imul ecx, ;ecx = len * i
0040160A|.F7D1 |not ecx ;ecx = ~(len * i)
0040160C|.0FAFC1 |imul eax, ecx ;eax = (i + 1) * ~(len * i)
0040160F|.8B55 F0 |mov edx, ;edx = acc
00401612|.0FAFD0 |imul edx, eax ;edx = acc * eax, truncated to 32 bits (7ED89C48 is a value from the author's run)
00401615|.8955 F0 |mov , edx ;acc updated
00401618|.^ EB AD \jmp short 004015C7 ;next character
0040161A|>8B45 F0 mov eax, ;eax = final acc
0040161D|.50 push eax ;value for the %lu conversion
0040161E|.68 54404000 push 00404054 ;ASCII "%lu"
00401623|.8D4D DC lea ecx, ;ecx = &[ebp-24], destination CString
00401626|.51 push ecx
00401627|.E8 52070000 call <jmp.&MFC42.#2818_CStrin> ;name truncated; presumably CString::Format, giving acc as unsigned decimal text
0040162C|.83C4 0C add esp, 0C ;caller pops the three pushed arguments
0040162F|.8D4D DC lea ecx, ;ecx = &[ebp-24]
00401632|.E8 79020000 call 004018B0 ;eax = pointer taken from the CString (pushed as a string below)
00401637|.50 push eax ; /expected serial string (author: "real code pushed")
00401638|.8D4D E8 lea ecx, ; |ecx = &[ebp-18], presumably the entered serial
0040163B|.E8 80020000 call 004018C0 ; \crackme3.004018C0
00401640|.85C0 test eax, eax ;0 means the two strings matched
00401642|.0F85 FF000000 jnz 00401747 ;nonzero: mismatch, go to the failure path
00401648|.8D8D ACFEFFFF lea ecx, ;success path: ecx = &[ebp-154]
0040164E|.E8 19070000 call <jmp.&MFC42.#540_CString> ;name truncated; presumably the CString constructor
00401653|.C645 FC 03 mov byte ptr , 3 ;[ebp-4] = 3
00401657|.6A 66 push 66 ;0x66, presumably a string-resource ID
00401659|.8D8D ACFEFFFF lea ecx, ;ecx = &[ebp-154]
0040165F|.E8 02070000 call <jmp.&MFC42.#4160_CStrin> ;name truncated; presumably CString::LoadStringA
00401664|.B9 07000000 mov ecx, 7 ;7 dwords
00401669|.BE 58404000 mov esi, 00404058 ;ASCII "Correct!! "
0040166E|.8DBD 48FEFFFF lea edi, ;edi = &[ebp-1B8], a local buffer
00401674|.F3:A5 rep movs dword ptr es:,> ;copy 28 bytes
00401676|.66:A5 movs word ptr es:, word > ;+2 bytes
00401678|.A4 movs byte ptr es:, byte > ;+1 byte: 31 bytes copied in total
00401679|.B9 11000000 mov ecx, 11 ;0x11 = 17 dwords
0040167E|.33C0 xor eax, eax ;fill value 0
00401680|.8DBD 67FEFFFF lea edi, ;edi = &[ebp-199], right after the copied text
00401686|.F3:AB rep stos dword ptr es: ;zero 68 bytes
00401688|.AA stos byte ptr es: ;+1 byte: copy plus fill cover 100 bytes
00401689|.B9 07000000 mov ecx, 7 ;same copy-then-zero pattern for a second buffer
0040168E|.BE 78404000 mov esi, 00404078 ;ASCII "<BrD-SoB> "
00401693|.8DBD 14FFFFFF lea edi, ;edi = &[ebp-EC]
00401699|.F3:A5 rep movs dword ptr es:,> ;copy 28 bytes
0040169B|.66:A5 movs word ptr es:, word > ;+2 bytes: 30 copied
0040169D|.B9 11000000 mov ecx, 11
004016A2|.33C0 xor eax, eax
004016A4|.8DBD 32FFFFFF lea edi, ;edi = &[ebp-CE]
004016AA|.F3:AB rep stos dword ptr es: ;zero 68 bytes
004016AC|.66:AB stos word ptr es: ;+2 bytes: 100 bytes covered
004016AE|.B9 06000000 mov ecx, 6 ;third buffer: 6 dwords
004016B3|.BE 98404000 mov esi, 00404098 ;ASCII "Incorrect!!, Try Again."
004016B8|.8DBD 78FFFFFF lea edi, ;edi = &[ebp-88]
004016BE|.F3:A5 rep movs dword ptr es:,> ;copy 24 bytes
004016C0|.B9 13000000 mov ecx, 13 ;0x13 = 19 dwords
004016C5|.33C0 xor eax, eax
004016C7|.8D7D 90 lea edi, ;edi = &[ebp-70]
004016CA|.F3:AB rep stos dword ptr es: ;zero 76 bytes: 100 bytes covered
004016CC|.B9 07000000 mov ecx, 7 ;fourth buffer
004016D1|.BE B0404000 mov esi, 004040B0 ;ASCII "Correct way to go, You Got It."
004016D6|.8DBD B0FEFFFF lea edi, ;edi = &[ebp-150]
004016DC|.F3:A5 rep movs dword ptr es:,> ;copy 28 bytes
004016DE|.66:A5 movs word ptr es:, word > ;+2 bytes
004016E0|.A4 movs byte ptr es:, byte > ;+1 byte: 31 copied
004016E1|.B9 11000000 mov ecx, 11
004016E6|.33C0 xor eax, eax
004016E8|.8DBD CFFEFFFF lea edi, ;edi = &[ebp-131]
004016EE|.F3:AB rep stos dword ptr es: ;zero 68 bytes
004016F0|.AA stos byte ptr es: ;+1 byte: 100 bytes covered; none of the four buffers is read again in this listing
004016F1|.6A 40 push 40 ;same 0x40 argument as the earlier message box
004016F3|.68 D0404000 push 004040D0 ;ASCII "CrackMe"
004016F8|.8D8D ACFEFFFF lea ecx, ;ecx = &[ebp-154], the string loaded with ID 0x66
004016FE|.E8 AD010000 call 004018B0 ;eax = pointer to its text
00401703|.50 push eax ;message text
00401704|.8B8D 40FEFFFF mov ecx, ;ecx = [ebp-1C0]
0040170A|.E8 75060000 call <jmp.&MFC42.#4224_CWnd::> ;show the success message
0040170F|.C645 FC 02 mov byte ptr , 2 ;[ebp-4] = 2
00401713|.8D8D ACFEFFFF lea ecx, ;ecx = &[ebp-154]
00401719|.E8 42060000 call <jmp.&MFC42.#800_CString> ;release the loaded string
0040171E|.C645 FC 01 mov byte ptr , 1 ;[ebp-4] = 1
00401722|.8D4D DC lea ecx, ;ecx = &[ebp-24]
00401725|.E8 36060000 call <jmp.&MFC42.#800_CString>
0040172A|.C645 FC 00 mov byte ptr , 0 ;[ebp-4] = 0
0040172E|.8D4D E8 lea ecx, ;ecx = &[ebp-18]
00401731|.E8 2A060000 call <jmp.&MFC42.#800_CString>
00401736|.C745 FC FFFFF>mov dword ptr , -1 ;[ebp-4] = -1
0040173D|.8D4D EC lea ecx, ;ecx = &[ebp-14]
00401740|.E8 1B060000 call <jmp.&MFC42.#800_CString>
00401745|.EB 70 jmp short 004017B7 ;common exit (outside this listing)
00401747|>8D8D 44FEFFFF lea ecx, 跳到这里 ;the Chinese note reads "jumps here": target of the jnz at 00401642; ecx = &[ebp-1BC]
0040174D|.E8 1A060000 call <jmp.&MFC42.#540_CString>
00401752|.C645 FC 04 mov byte ptr , 4 ;[ebp-4] = 4
00401756|.6A 67 push 67 ;0x67, presumably the string-resource ID of the failure text
00401758|.8D8D 44FEFFFF lea ecx, ;ecx = &[ebp-1BC]
0040175E|.E8 03060000 call <jmp.&MFC42.#4160_CStrin>
00401763|.6A 40 push 40
00401765|.68 D8404000 push 004040D8 ;ASCII "CrackMe"
0040176A|.8D8D 44FEFFFF lea ecx, ;ecx = &[ebp-1BC]
00401770|.E8 3B010000 call 004018B0 ;eax = pointer to the loaded text
00401775|.50 push ;operand dropped from the listing; opcode 50 encodes push eax
00401776|.8B8D 40FEFFFF mov ecx, ;ecx = [ebp-1C0]
0040177C|.E8 03060000 call <jmp.&MFC42.#4224_CWnd::> ;show the failure message; the listing ends here
name:snetluck
code:21034816
汗,第一次算法分析,不完整,希望高手指出错误!
剑走偏锋
发表于 2006-4-20 00:54:14
用户名:aqiao
密码:812763A6
00401579 /7D 43 jge short 004015BE-------------->暴破点
fishJerry
发表于 2006-4-20 19:59:19
wonderpeng
发表于 2006-4-23 11:04:13
没有可以学习的 ? 做些动画吧!!
wonderpeng
发表于 2006-4-23 11:07:41
共享软件注册程序编写实例【VB版】