一个Crackme,先是查壳,显示是Delphi6.0~7.0的壳,然后打开OD,按照注册的提示查找到文本字符段,
00408057 |. 68 34814000 push 00408134 ; /Text = "Registred Version"
0040805C |. 68 F1030000 push 3F1 ; |ControlID = 3F1 (1009.)
00408061 |. 53 push ebx ; |hWnd
00408062 |. E8 11C6FFFF call <jmp.&USER32.SetDlgItemText>; \SetDlgItemTextA
00408067 |. 68 48814000 push 00408148 ; /Text = "Prolixe KeygenMe #1 by Fabsys -Registred-"
0040806C |. 53 push ebx ; |hWnd
0040806D |. E8 1EC6FFFF call <jmp.&USER32.SetWindowTextA>; \SetWindowTextA
00408072 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00408074 |. 68 74814000 push 00408174 ; |Title = "Winner"
00408079 |. 68 7C814000 push 0040817C ; |Text = "GooD BoY"
0040807E |. 53 push ebx ; |hOwner
0040807F |. E8 ECC5FFFF call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00408084 |. EB 20 jmp short 004080A6
00408086 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00408088 |. 68 88814000 push 00408188 ; |Title = "Wrong Way"
0040808D |. 68 94814000 push 00408194 ; |Text = "BaD BoY"
00408092 |. 53 push ebx ; |hOwner
00408093 |. E8 D8C5FFFF call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
然后是该跟随到USER32.MassageBoxA呢,还是在提示处处分析?!接下来该怎么做呢?(哇~怎么上传图片啊!!急死了!)
[课程]FART 脱壳王!加量不加价!FART作者讲授!