I started learning cracking not long ago; this is a reply to someone's post on a forum.
No packer; a breakpoint on GetDlgItemTextA leads straight to the key CALL...
Writing down the simple encryption algorithm...
00401960 /> \55 push ebp
00401961 |. 8BEC mov ebp,esp
00401963 |. 83EC 58 sub esp,58
00401966 |. 53 push ebx
00401967 |. 56 push esi
00401968 |. 57 push edi
00401969 |. 8D7D A8 lea edi,[local.22]
0040196C |. B9 16000000 mov ecx,16
00401971 |. B8 CCCCCCCC mov eax,CCCCCCCC
00401976 |. F3:AB rep stos dword ptr es:[edi]
00401978 |. 8B45 10 mov eax,[arg.3]
0040197B |. 3B45 14 cmp eax,[arg.4]
0040197E |. 7E 08 jle short GUI.00401988
00401980 |. 8B4D 10 mov ecx,[arg.3]
00401983 |. 894D EC mov [local.5],ecx
00401986 |. EB 06 jmp short GUI.0040198E
00401988 |> 8B55 14 mov edx,[arg.4]
0040198B |. 8955 EC mov [local.5],edx
0040198E |> 837D EC 14 cmp [local.5],14 ; username length must be <= 20
00401992 |. 7E 04 jle short GUI.00401998
00401994 |. 33C0 xor eax,eax
00401996 |. EB 6A jmp short GUI.00401A02
00401998 |> 8B45 10 mov eax,[arg.3]
0040199B |. 3B45 14 cmp eax,[arg.4]
0040199E |. 7D 08 jge short GUI.004019A8
004019A0 |. 8B4D 10 mov ecx,[arg.3]
004019A3 |. 894D E8 mov [local.6],ecx
004019A6 |. EB 06 jmp short GUI.004019AE
004019A8 |> 8B55 14 mov edx,[arg.4]
004019AB |. 8955 E8 mov [local.6],edx
004019AE |> 837D E8 06 cmp [local.6],6 ; password length must be >= 6
004019B2 |. 7D 04 jge short GUI.004019B8
004019B4 |. 33C0 xor eax,eax
004019B6 |. EB 4A jmp short GUI.00401A02
004019B8 |> 8B45 10 mov eax,[arg.3]
004019BB |. 50 push eax
004019BC |. 8B4D 0C mov ecx,[arg.2]
004019BF |. 51 push ecx
004019C0 |. E8 72F6FFFF call GUI.00401037 ; process the username to obtain a value A
004019C5 |. 83C4 08 add esp,8
004019C8 |. 8945 F4 mov [local.3],eax
004019CB |. 837D F4 00 cmp [local.3],0
004019CF |. 7D 04 jge short GUI.004019D5
004019D1 |. 33C0 xor eax,eax
004019D3 |. EB 2D jmp short GUI.00401A02
004019D5 |> 8B55 14 mov edx,[arg.4]
004019D8 |. 52 push edx
004019D9 |. 8B45 08 mov eax,[arg.1]
004019DC |. 50 push eax
004019DD |. E8 5AF6FFFF call GUI.0040103C ; process the password to obtain a value B
004019E2 |. 83C4 08 add esp,8
004019E5 |. 8945 F0 mov [local.4],eax
004019E8 |. 837D F0 00 cmp [local.4],0
004019EC |. 7D 04 jge short GUI.004019F2
004019EE |. 33C0 xor eax,eax
004019F0 |. EB 10 jmp short GUI.00401A02
004019F2 |> 8B4D F0 mov ecx,[local.4]
004019F5 |. 51 push ecx
004019F6 |. 8B55 F4 mov edx,[local.3]
004019F9 |. 52 push edx
004019FA |. E8 33F6FFFF call GUI.00401032 ; A ^ B = C; if C equals 0x71, registration succeeds!
004019FF |. 83C4 08 add esp,8
00401A02 |> 5F pop edi
00401A03 |. 5E pop esi
00401A04 |. 5B pop ebx
00401A05 |. 83C4 58 add esp,58
00401A08 |. 3BEC cmp ebp,esp
00401A0A |. E8 91000000 call GUI.00401AA0
00401A0F |. 8BE5 mov esp,ebp
00401A11 |. 5D pop ebp
00401A12 \. C3 retn
call GUI.00401037 ; process the username to obtain a value A
Username processing: the username must consist of letters or digits here.
Assume the username string is USERNAME:
    unsigned int A = 0;
    for (int i = 0; i < strlen(USERNAME); i++)
        A += (char)USERNAME[i] ^ (char)(0x30 + i);
call 0040103C processes the password to obtain B.
The requirement on B: each digit must be larger than the one before it.
The calculation is:
B = the sum of the ASCII codes of all the digits.
Finally, if A ^ B equals 0x71, registration succeeds.
Here is a registration code: 721243641812146652, password 123456
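To confirm the reversed algorithm against the post's own sample pair, here is an added C reimplementation of the check exactly as the listing above shows it (this is my code, not the crackme's own routines or anything from the original post). The function names username_value, password_value and check_registration are my own; the length test follows the listing literally (max of the two lengths <= 0x14, min >= 6), and rejecting a non-alphanumeric username character with -1 is an assumption, since the post only says the username must be letters or digits.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* call 00401037 as reversed: A = sum over i of (username[i] ^ (0x30 + i)).
   Returns -1 for a non-alphanumeric character (assumption: the post only says
   the username must be letters or digits; the listing rejects a negative result). */
int username_value(const char *username)
{
    int a = 0;
    for (size_t i = 0; username[i] != '\0'; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!isalnum(c))
            return -1;
        /* within the allowed length (<= 20) and alphanumeric input this equals
           the post's (char)USERNAME[i] ^ (char)(0x30 + i) term */
        a += c ^ (unsigned char)(0x30 + (int)i);
    }
    return a;
}

/* call 0040103C as reversed: B = sum of the ASCII codes of the password digits,
   each digit strictly greater than the previous one; -1 otherwise. */
int password_value(const char *password)
{
    int b = 0;
    for (size_t i = 0; password[i] != '\0'; i++) {
        unsigned char c = (unsigned char)password[i];
        if (!isdigit(c))
            return -1;
        if (i > 0 && c <= (unsigned char)password[i - 1])
            return -1;
        b += c;
    }
    return b;
}

/* The caller at 00401960: length checks, A, B, then A ^ B == 0x71.
   Returns 1 on success, 0 on failure. */
int check_registration(const char *username, const char *password)
{
    size_t lu = strlen(username), lp = strlen(password);
    size_t longer  = lu > lp ? lu : lp;   /* local.5 = max(arg.3, arg.4) */
    size_t shorter = lu < lp ? lu : lp;   /* local.6 = min(arg.3, arg.4) */

    if (longer > 0x14)   /* cmp [local.5],14 ; jle */
        return 0;
    if (shorter < 6)     /* cmp [local.6],6 ; jge */
        return 0;

    int a = username_value(username);
    if (a < 0)           /* cmp [local.3],0 ; jge */
        return 0;
    int b = password_value(password);
    if (b < 0)           /* cmp [local.4],0 ; jge */
        return 0;

    return (a ^ b) == 0x71;   /* call 00401032 */
}

int main(void)
{
    /* the pair given in the post */
    const char *u = "721243641812146652";
    const char *p = "123456";
    int a = username_value(u), b = password_value(p);
    printf("A = 0x%X, B = 0x%X, A ^ B = 0x%X -> %s\n",
           a, b, a ^ b, check_registration(u, p) ? "registered" : "rejected");
    return 0;
}
```

With the post's pair the username routine yields A = 0x144 and the password routine B = 0x135, and 0x144 ^ 0x135 = 0x71, so the sample passes; a password such as 123455 fails the strictly-increasing rule before the XOR is ever reached.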