[CrackMe] Analysis of abexcm5
Posted: 2011-2-1 14:56
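【Write-up title】Analysis of abexcm5
【Author】FCrane
【Author e-mail】delcpp@gmail.com
【Tools】OD
【Platform】Windows XP SP3
【Target】abexcm5.exe
【Size】8K
【Protection】None
【Description】The program comes from FpX's CrackMe
【Notes】A very simple crackme; experts, please ignore....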
------------------------------------------------------------------------------------------------
【Cracking process】
0040106C |> \6A 25 push 25 ; /Count = 25 (37.)
0040106E |. 68 24234000 push 00402324 ; |Buffer = abexcm5.00402324
00401073 |. 6A 68 push 68 ; |ControlID = 68 (104.)
00401075 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401078 |. E8 F4000000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
0040107D |. 6A 00 push 0 ; /pFileSystemNameSize = NULL
0040107F |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
00401081 |. 68 C8204000 push 004020C8 ; |pFileSystemFlags = abexcm5.004020C8
00401086 |. 68 90214000 push 00402190 ; |pMaxFilenameLength = abexcm5.00402190
0040108B |. 68 94214000 push 00402194 ; |pVolumeSerialNumber = abexcm5.00402194
00401090 |. 6A 32 push 32 ; |MaxVolumeNameSize = 32 (50.)
00401092 |. 68 5C224000 push 0040225C ; |VolumeNameBuffer = abexcm5.0040225C // the volume name is retrieved here
00401097 |. 6A 00 push 0 ; |RootPathName = NULL
00401099 |. E8 B5000000 call <jmp.&KERNEL32.GetVolumeInformat>; \GetVolumeInformationA
0040109E |. 68 F3234000 push 004023F3 ; /StringToAdd = "4562-ABEX"
004010A3 |. 68 5C224000 push 0040225C ; |ConcatString = "" // the volume name is used here
004010A8 |. E8 94000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA // string concatenation
004010AD |. B2 02 mov dl, 2
004010AF |> 8305 5C224000>/add dword ptr [40225C], 1
004010B6 |. 8305 5D224000>|add dword ptr [40225D], 1
004010BD |. 8305 5E224000>|add dword ptr [40225E], 1
004010C4 |. 8305 5F224000>|add dword ptr [40225F], 1
004010CB |. FECA |dec dl
004010CD |.^ 75 E0 \jnz short 004010AF
004010CF |. 68 FD234000 push 004023FD ; /StringToAdd = "L2C-5781"
004010D4 |. 68 00204000 push 00402000 ; |ConcatString = ""
004010D9 |. E8 63000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA // string concatenation
004010DE |. 68 5C224000 push 0040225C ; /StringToAdd = ""
004010E3 |. 68 00204000 push 00402000 ; |ConcatString = ""
004010E8 |. E8 54000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA // concatenate again to obtain the correct registration code
004010ED |. 68 24234000 push 00402324 ; /String2 = ""
004010F2 |. 68 00204000 push 00402000 ; |String1 = ""
004010F7 |. E8 51000000 call <jmp.&KERNEL32.lstrcmpiA> ; \lstrcmpiA // compare the entered string with the computed registration code
004010FC |. 83F8 00 cmp eax, 0
004010FF |. 74 16 je short 00401117
00401101 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401103 |. 68 34244000 push 00402434 ; |Title = "Error!"
00401108 |. 68 3B244000 push 0040243B ; |Text = "The serial you entered is not correct!"
0040110D |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401110 |. E8 56000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401115 |. EB 16 jmp short 0040112D
00401117 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401119 |. 68 06244000 push 00402406 ; |Title = "Well Done!"
0040111E |. 68 11244000 push 00402411 ; |Text = "Yep, you entered a correct serial!"
00401123 |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401126 |. E8 40000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040112B |. EB 00 jmp short 0040112D
0040112D |$ 6A 00 push 0 ; /Result = 0
0040112F |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401132 |. E8 22000000 call <jmp.&USER32.EndDialog> ; \EndDialog
00401137 |. C9 leave
00401138 \. C2 1000 retn 10
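
The serial derivation traced in the listing above, modelled in C as an added example (not part of the original post or of the crackme). The names `expected_serial`, `add_dword_le` and `volume_label` are assumptions; `volume_label` stands in for the string GetVolumeInformationA writes to 0040225C. The model keeps the overlapping `add dword ptr` writes, so a 0xFF byte carries into its neighbour instead of every byte simply gaining 2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of `add dword ptr [p], 1`: increment the little-endian dword at p. */
static void add_dword_le(unsigned char *p) {
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    v += 1;
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Rebuild the string at 00402000 that lstrcmpiA compares with the input.
   volume_label (assumed name) stands in for the GetVolumeInformationA result.
   Returns 0 on success, -1 if the label or the output buffer does not fit. */
int expected_serial(const char *volume_label, char *out, size_t out_len) {
    unsigned char buf[64] = {0};            /* models the buffer at 0040225C */
    size_t n = strlen(volume_label);
    if (n >= 0x32) return -1;               /* MaxVolumeNameSize = 0x32 */
    memcpy(buf, volume_label, n);
    memcpy(buf + n, "4562-ABEX", 10);       /* first lstrcatA, with its NUL */
    for (int dl = 2; dl != 0; dl--)         /* mov dl, 2 ... dec dl / jnz */
        for (int off = 0; off < 4; off++)   /* 40225C, 40225D, 40225E, 40225F */
            add_dword_le(buf + off);
    int w = snprintf(out, out_len, "L2C-5781%s", (const char *)buf);
    return (w < 0 || (size_t)w >= out_len) ? -1 : 0;
}

int main(void) {
    char serial[96];
    /* Constructed inputs: an empty label, and one starting with 0xFF to show the carry. */
    if (expected_serial("", serial, sizeof serial) == 0)
        printf("empty label -> %s\n", serial);
    if (expected_serial("\xFF" "A", serial, sizeof serial) == 0)
        printf("0xFF,'A' label -> byte 1 becomes 0x%02X\n", (unsigned char)serial[9]);
    return 0;
}
```

Because the final check is lstrcmpiA, the comparison against this string ignores letter case.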