004011E6 |. 8B3D 58204000 MOV EDI,DWORD PTR DS:[<&USER32.GetDlgIte>; USER32.GetDlgItem
004011EC |. 68 EC030000 PUSH 3EC ; /ControlID = 3EC (1004.)
004011F1 |. 56 PUSH ESI ; |hWnd
004011F2 |. FFD7 CALL EDI ; \GetDlgItem
004011F4 |. 68 ED030000 PUSH 3ED ; /ControlID = 3ED (1005.)
004011F9 |. 56 PUSH ESI ; |hWnd
004011FA |. A3 24304000 MOV DWORD PTR DS:[403024],EAX ; |
004011FF |. FFD7 CALL EDI ; \GetDlgItem
00401201 |. 6A 00 PUSH 0 ; /pThreadId = NULL
00401203 |. 6A 00 PUSH 0 ; |CreationFlags = 0
00401205 |. 6A 00 PUSH 0 ; |pThreadParm = NULL
00401207 |. 68 B0104000 PUSH CrackMe.004010B0 ; |ThreadFunction = CrackMe.004010B0
0040120C |. 6A 00 PUSH 0 ; |StackSize = 0
0040120E |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401210 |. A3 20304000 MOV DWORD PTR DS:[403020],EAX ; |
00401215 FF15 08204000 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread
From the CreateThread call above, the thread function is CrackMe.004010B0. Analysing that function in IDA shows it calls Sleep or ExitProcess, so we make it return immediately at its entry point to disable the anti-debugging measure, as shown below:
Original code:
004010B0 53 PUSH EBX
004010B1 . 8B1D 10204000 MOV EBX,DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
004010B7 . 55 PUSH EBP
004010B8 . 8B2D 14204000 MOV EBP,DWORD PTR DS:[<&KERNEL32.ExitPro>; kernel32.ExitProcess
004010BE . 56 PUSH ESI
004010BF . 57 PUSH EDI
004010C0 . 8B3D 18204000 MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModu>; kernel32.GetModuleHandleA
004010C6 > 6A 00 PUSH 0
004010C8 . FFD7 CALL EDI
Change `004010B0 53 PUSH EBX` to `C3 RETN`.
Continuing to trace the program leads to the location where the registration code is read:
00401262 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00401266 |. 6A 0A PUSH 0A ; /Count = A (10.)
00401268 |. 50 PUSH EAX ; |Buffer
00401269 |. 51 PUSH ECX ; |hWnd => 00130754 (class='Edit',parent=00330770)
0040126A |. FF15 64204000 CALL DWORD PTR DS:[<&USER32.GetWindowTex>; \GetWindowTextA
00401270 |. 68 10304000 PUSH CrackMe.00403010 ; ASCII "Iceberg"
00401275 |. E8 96FEFFFF CALL CrackMe.00401110
0040127A |. 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0040127E |. 8BF0 MOV ESI,EAX
00401280 |. 52 PUSH EDX
00401281 |. E8 BAFEFFFF CALL CrackMe.00401140
00401286 |. 83C4 08 ADD ESP,8
00401289 |. 3BF0 CMP ESI,EAX
0040128B |. 5E POP ESI
0040128C |. 75 0E JNZ SHORT CrackMe.0040129C
0040128E |. A1 20304000 MOV EAX,DWORD PTR DS:[403020]
00401293 |. 6A 01 PUSH 1 ; /Enable = TRUE
00401295 |. 50 PUSH EAX ; |hWnd => 001A0746 ('注册成功',class='Button',parent=00330770)
00401296 |. FF15 5C204000 CALL DWORD PTR DS:[<&USER32.EnableWindow>; \EnableWindow
I won't go into the detailed analysis:
Let the registration code be abcd (decimal); the algorithm computes d + 10*c + 100*b + 1000*a. For a code abcde it yields e + 10*d + 100*c + 1000*b + 10000*a, and so on.
The result must equal 17853 (decimal), so the registration code is 17853.
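As an added example (not the crackme's own code or the author's), here is the check described above re-implemented in Python, including the 9-character limit implied by Count = 0xA in the GetWindowTextA call; how non-digit characters are treated is an assumption, since the writeup does not cover that path.

```python
# Added example: model of the serial check the writeup describes.
# GetWindowTextA is called with Count = 0xA, so at most 9 characters of
# the edit box are copied; the value is built digit by digit (Horner
# form, i.e. d + 10*c + 100*b + 1000*a ...) and compared with 17853.

BUFFER_COUNT = 0x0A   # Count argument passed to GetWindowTextA
TARGET = 17853        # value the writeup derives the serial must equal


def read_edit_box(text: str, count: int = BUFFER_COUNT) -> str:
    """Model GetWindowTextA: copy at most count-1 characters, then NUL."""
    return text[: count - 1]


def serial_value(serial: str) -> int:
    """Accumulate the decimal value of the serial string.

    Assumption (not stated on the page): a non-digit character makes the
    check fail (-1) rather than being skipped.
    """
    value = 0
    for ch in serial:
        if not ("0" <= ch <= "9"):
            return -1
        value = value * 10 + (ord(ch) - ord("0"))
    return value


def check_serial(entered: str) -> bool:
    """True when the serial would enable the '注册成功' button."""
    return serial_value(read_edit_box(entered)) == TARGET


if __name__ == "__main__":
    # "000017853" fits in the buffer and still evaluates to 17853;
    # "0000017853" (10 chars) is truncated to "000001785" and fails.
    for s in ["17853", "000017853", "0000017853", "17852", "17x53"]:
        print(f"{s!r:14} -> {check_serial(s)}")
```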
First post, experts, please go easy on me.