I followed syrhades' method and set a breakpoint on MessageBoxA, but it broke at
77D507EA > 8BFF mov edi,edi ; breaks here
77D507EC 55 push ebp
77D507ED 8BEC mov ebp,esp
77D507EF 833D BC14D777 0>cmp dword ptr ds:[77D714BC],0
77D507F6 74 24 je short user32.77D5081C
Moreover, ALT+F9 would not return to the program's own code; I tried several times with the same result, so I came up with the following two approaches:
1. Break on GetWindowTextA.
2. Single-step trace and see whether the registration code can be found.
Since syrhades had already confirmed that the registration code is compared in plaintext, I chose the second method. First run the program in OD, then search for strings and arrive here:
0048D64D E8 6EEFFFFF call CrackAcc.0048C5C0
0048D652 84C0 test al,al
0048D654 75 2C jnz short CrackAcc.0048D682
0048D656 8D45 FC lea eax,dword ptr ss:[ebp-4]
0048D659 BA 24D74800 mov edx,CrackAcc.0048D724 ; 输入注册码不正确,请检查!
0048D65E E8 ED6CF7FF call CrackAcc.00404350
0048D663 6A 40 push 40
0048D665 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048D668 E8 0B71F7FF call CrackAcc.00404778
0048D66D 8BD0 mov edx,eax
0048D66F B9 40D74800 mov ecx,CrackAcc.0048D740 ; 输入错误
0048D674 A1 7C094900 mov eax,dword ptr ds:[49097C]
0048D679 8B00 mov eax,dword ptr ds:[eax]
0048D67B E8 2019FDFF call CrackAcc.0045EFA0
0048D680 EB 69 jmp short CrackAcc.0048D6EB
0048D682 68 54D74800 push CrackAcc.0048D754 ; 注册成功!\r注册信息为:\r用户名:
0048D687 A1 840A4900 mov eax,dword ptr ds:[490A84]
0048D654 75 2C jnz short CrackAcc.0048D682 is the key jump: it goes straight to the "registration successful" code, and changing jnz to je brings up the success prompt. But since it is said to be a plaintext comparison, let's see what the plaintext actually is.
0048D668 E8 0B71F7FF call CrackAcc.00404778 should be where the password comparison and the username processing happen. F7 to step in:
0048C5C0 55 push ebp
0048C5C1 8BEC mov ebp,esp
0048C5C3 83C4 F0 add esp,-10
0048C5C6 53 push ebx
0048C5C7 33DB xor ebx,ebx
0048C5C9 895D F0 mov dword ptr ss:[ebp-10],ebx
0048C5CC 895D F4 mov dword ptr ss:[ebp-C],ebx
0048C5CF 894D F8 mov dword ptr ss:[ebp-8],ecx
0048C5D2 8955 FC mov dword ptr ss:[ebp-4],edx
0048C5D5 8BD8 mov ebx,eax
0048C5D7 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C5DA E8 8981F7FF call CrackAcc.00404768
0048C5DF 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0048C5E2 E8 8181F7FF call CrackAcc.00404768
0048C5E7 8B45 08 mov eax,dword ptr ss:[ebp+8]
0048C5EA E8 7981F7FF call CrackAcc.00404768
0048C5EF 33C0 xor eax,eax
0048C5F1 55 push ebp
0048C5F2 68 AAC64800 push CrackAcc.0048C6AA
0048C5F7 64:FF30 push dword ptr fs:[eax]
0048C5FA 64:8920 mov dword ptr fs:[eax],esp
0048C5FD 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C600 E8 737FF7FF call CrackAcc.00404578
0048C605 3B43 4C cmp eax,dword ptr ds:[ebx+4C]
0048C608 7F 19 jg short CrackAcc.0048C623
0048C60A 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C60D E8 667FF7FF call CrackAcc.00404578
0048C612 3B43 50 cmp eax,dword ptr ds:[ebx+50]
0048C615 7C 0C jl short CrackAcc.0048C623
0048C617 8B45 08 mov eax,dword ptr ss:[ebp+8]
0048C61A E8 597FF7FF call CrackAcc.00404578
0048C61F 85C0 test eax,eax
0048C621 75 04 jnz short CrackAcc.0048C627
0048C623 33DB xor ebx,ebx
0048C625 EB 60 jmp short CrackAcc.0048C687
0048C627 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0048C62A 8B45 08 mov eax,dword ptr ss:[ebp+8]
0048C62D E8 16BDF7FF call CrackAcc.00408348
0048C632 8B55 F4 mov edx,dword ptr ss:[ebp-C]
0048C635 8D45 08 lea eax,dword ptr ss:[ebp+8]
0048C638 E8 137DF7FF call CrackAcc.00404350
0048C63D 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0048C640 8B55 FC mov edx,dword ptr ss:[ebp-4]
0048C643 8BC3 mov eax,ebx
0048C645 E8 46FBFFFF call CrackAcc.0048C190
0048C64A 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0048C64D 8B55 08 mov edx,dword ptr ss:[ebp+8]
0048C650 E8 93BDF7FF call CrackAcc.004083E8
0048C655 85C0 test eax,eax
0048C657 74 04 je short CrackAcc.0048C65D
0048C659 33DB xor ebx,ebx
0048C65B EB 2A jmp short CrackAcc.0048C687
0048C65D 8D43 48 lea eax,dword ptr ds:[ebx+48]
0048C660 8B55 FC mov edx,dword ptr ss:[ebp-4]
0048C663 E8 A47CF7FF call CrackAcc.0040430C
0048C668 8D43 54 lea eax,dword ptr ds:[ebx+54]
0048C66B 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0048C66E E8 997CF7FF call CrackAcc.0040430C
0048C673 8D43 5C lea eax,dword ptr ds:[ebx+5C]
0048C676 8B55 08 mov edx,dword ptr ss:[ebp+8]
0048C679 E8 8E7CF7FF call CrackAcc.0040430C
0048C67E 8BC3 mov eax,ebx
0048C680 E8 5B020000 call CrackAcc.0048C8E0
0048C685 B3 01 mov bl,1
0048C687 33C0 xor eax,eax
0048C689 5A pop edx
0048C68A 59 pop ecx
0048C68B 59 pop ecx
0048C68C 64:8910 mov dword ptr fs:[eax],edx
0048C68F 68 B1C64800 push CrackAcc.0048C6B1
0048C694 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0048C697 BA 04000000 mov edx,4
0048C69C E8 3B7CF7FF call CrackAcc.004042DC
0048C6A1 8D45 08 lea eax,dword ptr ss:[ebp+8]
0048C6A4 E8 0F7CF7FF call CrackAcc.004042B8
0048C6A9 C3 retn
0048C6AA ^ E9 E575F7FF jmp CrackAcc.00403C94
0048C6AF ^ EB E3 jmp short CrackAcc.0048C694
0048C6B1 8BC3 mov eax,ebx
0048C6B3 5B pop ebx
0048C6B4 8BE5 mov esp,ebp
0048C6B6 5D pop ebp
0048C6B7 C2 0400 retn 4
Keep stepping with F8 and watch the register values; when F8 reaches:
0048C645 E8 46FBFFFF call CrackAcc.0048C190
the window in the lower right of OD shows a string:
0012FB50 00AC3CA4 ASCII "00006E610288"
Write that string down and use it to log in: success! So 0048C645 E8 46FBFFFF call CrackAcc.0048C190
should be the CALL that computes the registration code. Anyone interested can step into it and take a look. Thanks to syrhades for providing the material.
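To make the structure of the routine at 0048C5C0 easier to read, here is a reconstruction of its control flow in C. This is an added example written for this page, not code from the program or from the original post. It follows the Delphi register convention (eax = self, edx = first string, ecx = second string, stack argument = entered code); the field names, the reading of [self+4C]/[self+50] as maximum/minimum name length, the assumption that 00408348 is an upper-casing helper, and the toy_serial function (a stand-in for the unshown routine at 0048C190) are all assumptions made for illustration. The point the reconstruction makes visible is the design weakness the post exploits: the expected code is materialised as a plain string in memory and then compared with a string compare, so it can be read straight out of the debugger.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed reconstruction of the object touched by the check routine.
 * Offsets in comments refer to the disassembly; names are assumptions. */
typedef struct {
    int max_name_len;   /* [self+4C]: cmp eax,[ebx+4C] / jg -> fail */
    int min_name_len;   /* [self+50]: cmp eax,[ebx+50] / jl -> fail */
    char name[64];      /* [self+48], filled on success */
    char extra[64];     /* [self+54], filled on success */
    char code[64];      /* [self+5C], filled on success */
} RegState;

/* Placeholder for the serial routine at 0048C190, whose body the post does
 * not show. This toy transform is constructed for the example only: it yields
 * a 12-character upper-case hex string, but it is NOT the program's algorithm. */
static void toy_serial(const char *name, char *out, size_t outsz)
{
    unsigned int h = 0x1234567u;              /* constructed seed */
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = h * 31u + *p;
    snprintf(out, outsz, "%012X", h);
}

/* Assumed role of 00408348: upper-case the entered code into a temporary,
 * so the comparison is case-insensitive on the user's side. */
static void upper_copy(const char *src, char *dst, size_t dstsz)
{
    size_t i = 0;
    for (; src[i] && i + 1 < dstsz; ++i)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Returns 1 (bl=1 at 0048C685) on success, 0 on any branch to 0048C687. */
int reg_check(RegState *self, const char *name, const char *extra, const char *entered)
{
    char entered_uc[64];
    char expected[64];
    int name_len = (int)strlen(name);

    /* 0048C605-0048C621: name length bounds, empty code rejected */
    if (name_len > self->max_name_len) return 0;
    if (name_len < self->min_name_len) return 0;
    if (*entered == '\0') return 0;

    upper_copy(entered, entered_uc, sizeof entered_uc);   /* 0048C62D */
    toy_serial(name, expected, sizeof expected);          /* 0048C645 */

    /* 0048C650: plain string compare. At this point `expected` sits in
     * memory in clear text, which is exactly what the stack window showed. */
    if (strcmp(expected, entered_uc) != 0) return 0;

    /* 0048C65D-0048C685: persist the three strings and set the flag */
    snprintf(self->name, sizeof self->name, "%s", name);
    snprintf(self->extra, sizeof self->extra, "%s", extra);
    snprintf(self->code, sizeof self->code, "%s", entered_uc);
    return 1;
}

/* Self-check: the toy serial for a name must be accepted as generated and
 * in lower case (the upper_copy step makes case irrelevant). */
int roundtrip_ok(const char *name)
{
    RegState st = { .max_name_len = 20, .min_name_len = 3 };
    char serial[64], lower[64];
    toy_serial(name, serial, sizeof serial);
    for (size_t i = 0; i <= strlen(serial); ++i)
        lower[i] = (char)tolower((unsigned char)serial[i]);
    return reg_check(&st, name, "x", serial) == 1 &&
           reg_check(&st, name, "x", lower) == 1;
}

int main(void)
{
    RegState st = { .max_name_len = 20, .min_name_len = 3 };
    char serial[64];
    toy_serial("alice", serial, sizeof serial);
    printf("toy serial for alice: %s\n", serial);
    printf("correct code -> %d\n", reg_check(&st, "alice", "", serial));
    printf("wrong code   -> %d\n", reg_check(&st, "alice", "", "000000000000"));
    printf("name too short -> %d\n", reg_check(&st, "al", "", serial));
    return 0;
}
```

Read against the listing, the three early exits (name too long, name too short, empty code) all land on the same xor ebx,ebx / jmp pair, and the final success path is a single byte flag, which is why flipping one conditional jump in the caller is enough to reach the success message. From a defensive standpoint the lesson is that a check which first computes the valid code and then compares it as a string hands the code to anyone running the program under a debugger.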