西电第四届网络攻防竞赛5个Crackme分析-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

西电第四届网络攻防竞赛5个Crackme分析

发表于: 2013-11-4 11:29 13235

西电第四届网络攻防竞赛5个Crackme分析

softdebug

2013-11-4 11:29

13235

可以使用MessageBoxA，然后找到验证子程序 401332，后面给出涉及到注册码判断，及相关部分程序，注册码分析部分附后

00401332  PUSH    EBP
00401333  MOV    EBP,ESP
00401335  PUSH    EDI
00401336  PUSH    ESI
00401337  PUSH    EBX
00401338  SUB    ESP,7C
0040133B  MOV    EBX,[EBP+08]
0040133E  MOV    WORD PTR [EBP-28],0000
00401344  MOV    BYTE PTR [EBP-26],00
00401348  LEA    EDI,[EBP-58]
0040134B  CLD
0040134C  MOV    ECX,00000008
00401351  MOV    EAX,00000000
00401356  REPZ STOSD
00401358  MOV    BYTE PTR [EDI],00
0040135B  MOV    EDI,EBX
0040135D  MOV    ECX,FFFFFFFF
00401362  REPNZ SCASB
00401364  MOV    EDX,FFFFFFFF
00401369  CMP    ECX,-2D             ;;;长度必须为43
0040136C  JNZ    0040157E
00401372  LEA    EDX,[EBP-58]
00401375  LEA    EAX,[EBP-40]
00401378  MOV    [ESP+18],EAX
0040137C  LEA    EAX,[EBP-48]
0040137F  MOV    [ESP+14],EAX
00401383  LEA    EAX,[EBP-50]
00401386  MOV    [ESP+10],EAX
0040138A  MOV    [ESP+0C],EDX
0040138E  LEA    EAX,[EBP-28]
00401391  MOV    [ESP+08],EAX
00401395  MOV    DWORD PTR [ESP+04],00404000 ; "XDSEC%2s-%8s-%8s-%8s-%8s
0040139D  MOV    [ESP],EBX
004013A0  CALL    00401FB0
004013A5  MOV    EDX,FFFFFFFF
004013AA  CMP    EAX,05
004013AD  JNZ    0040157E             ;;;注册码格式必须是："XDSEC%2s-%8s-%8s-%8s-%8s"
004013B3  MOV    DWORD PTR [ESP+04],004032A4 ; "XDSECJQLWARMZ"
004013BB  MOVSX    EAX,BYTE PTR [EBP-28]
004013BF  MOV    [ESP],EAX
004013C2  CALL    00401656
004013C7  MOV    EDX,FFFFFFFF
004013CC  CMP    EAX,-01
004013CF  JZ       0040157E             ;;;%2s的第一个字符必须是XDSECJQLWARMZ字符串中的字符之一
004013D5  MOV    DWORD PTR [ESP+04],004032B2 ; "VYBFGHIKNOPTU"
004013DD  MOVSX    EAX,BYTE PTR [EBP-27]
004013E1  MOV    [ESP],EAX
004013E4  CALL    00401656
004013E9  MOV    EDX,FFFFFFFF
004013EE  CMP    EAX,-01
004013F1  JZ       0040157E             ;;;%2s的第二个字符必须是VYBFGHIKNOPTU字符串中的字符之一
004013F7  JMP    00401417
004013F9  MOV    EDX,FFFFFFFF
004013FE  JMP    0040157E
00401403  MOV    EDX,FFFFFFFF
00401408  JMP    0040157E
0040140D  MOV    EDX,FFFFFFFF
00401412  JMP    0040157E
00401417  MOV    DWORD PTR [ESP+04],004032A4 ; "XDSECJQLWARMZ"
0040141F  MOVSX    EAX,BYTE PTR [EBP-28]
00401423  MOV    [ESP],EAX
00401426  CALL    0040163A
0040142B  MOV    EDX,EAX                         ;;;
0040142D  MOV    EDI,00000000                      ;;;根据第一个字符在
00401432  MOVZX    EAX,BYTE PTR [EDX+004032A4]       ;;;字符串中的位置进行
00401439  MOV    [EDI+00405018],AL                ;;;循环移位
0040143F  INC    EDX                               ;;;例如：第一个字符为Q则
00401440  CMP    EDX,0D                            ;;;字符串循环移位后是：
00401443  SETNZ    AL                               ;;;QLWARMZXDSECJ
00401446  MOVZX    EAX,AL                            ;;;
00401449  NEG    EAX                               ;;;
0040144B  AND    EDX,EAX                         ;;;
0040144D  INC    EDI                               ;;;
0040144E  CMP    EDI,0C                            ;;;
00401451  JLE    00401432
00401453  MOV    DWORD PTR [ESP+04],004032B2 ; "VYBFGHIKNOPTU"
0040145B  MOVSX    EAX,BYTE PTR [EBP-27]
0040145F  MOV    [ESP],EAX
00401462  CALL    0040163A
00401467  MOV    EDX,EAX                         ;;;
00401469  MOV    EDI,00000000                      ;;;根据第二个字符在
0040146E  MOVZX    EAX,BYTE PTR [EDX+004032B2]       ;;;字符串中的位置进行
00401475  MOV    [EDI+00405026],AL                ;;;循环移位
0040147B  INC    EDX                               ;;;例如：第二个字符为B则
0040147C  CMP    EDX,0D                            ;;;字符串循环移位后是：
0040147F  SETNZ    AL                               ;;;BFGHIKNOPTUVY
00401482  MOVZX    EAX,AL                            ;;;
00401485  NEG    EAX                               ;;;
00401487  AND    EDX,EAX                         ;;;
00401489  INC    EDI                               ;;;
0040148A  CMP    EDI,0C                            ;;;
0040148D  JLE    0040146E
0040148F  LEA    EDI,[EBP-58]
00401492  CLD
00401493  MOV    ECX,FFFFFFFF
00401498  MOV    AL,00
0040149A  REPNZ SCASB
0040149C  NOT    ECX
0040149E  LEA    EBX,[ECX-01]
004014A1  MOV    EDI,00000000
004014A6  CMP    EDI,EBX
004014A8  JGE    004014EC
004014AA  TEST    EDI,00000001
004014B0  JZ       004014C9
004014B2  MOV    DWORD PTR [ESP+04],00405026    ;;;
004014BA  MOVSX    EAX,BYTE PTR [EBP+EDI-58]    ;;;检查后面的”%8s-%8s-%8s-%8s“输入串
004014BF  MOV    [ESP],EAX                      ;;;必须交替出现在整理后字符串
004014C2  CALL    00401656                      ;;;QLWARMZXDSECJ
004014C7  JMP    004014DE                      ;;;与
004014C9  MOV    DWORD PTR [ESP+04],00405018    ;;;BFGHIKNOPTUVY
004014D1  MOVSX    EAX,BYTE PTR [EBP+EDI-58]    ;;;之中。
004014D6  MOV    [ESP],EAX                      ;;;
004014D9  CALL    00401656                      ;;;
004014DE  CMP    EAX,-01                      ;;;
004014E1  JZ       004013F9                      ;;;
004014E7  INC    EDI                            ;;;
004014E8  CMP    EDI,EBX                      ;;;
004014EA  JL       004014AA                      ;;;
004014EC  MOV    DWORD PTR [EBP-5C],FFFFFFFF
004014F3  MOV    DWORD PTR [EBP-60],FFFFFFFF
004014FA  MOV    EDI,00000000
004014FF  MOVSX    EAX,BYTE PTR [EDI*2+EBP-58]
00401504  MOVSX    EBX,BYTE PTR [EDI*2+EBP-57]
00401509  MOV    DWORD PTR [ESP+04],00405018    ;;;再检查后面32个字符是否遵从如下规则
00401511  MOV    [ESP],EAX                      ;;;1：每次检查两位字符，共需检查16次
00401514  CALL    0040163A                      ;;;得到第一个字符在表中的序号
00401519  MOV    ESI,EAX                      ;;;【为了表述方便我们可以看成个位数】
0040151B  MOV    DWORD PTR [ESP+04],00405026    ;;;
00401523  MOV    [ESP],EBX                      ;;;
00401526  CALL    0040163A                      ;;;得到第二个字符在表中的序号
0040152B  MOV    EBX,EAX                      ;;;【为了表述方便我们可以看成十位数】
0040152D  MOV    DWORD PTR [ESP+08],00403000    ;;;
00401535  MOV    [ESP+04],EAX                   ;;;
00401539  MOV    [ESP],ESI                      ;;;
0040153C  CALL    0040161A                      ;;;两个字符组成的13进制数必须在403000表中存在
00401541  CMP    EAX,-01                      ;;;【表中是1】
00401544  JZ       00401403                      ;;;
0040154A  MOV    [ESP+0C],EBX                   ;;;
0040154E  MOV    [ESP+08],ESI                   ;;;
00401552  MOV    EAX,[EBP-60]                   ;;;
00401555  MOV    [ESP+04],EAX                   ;;;
00401559  MOV    EAX,[EBP-5C]                   ;;;
0040155C  MOV    [ESP],EAX                      ;;;
0040155F  CALL    00401588                      ;;;检查与前面两个字符序号的关系。
00401564  CMP    EAX,-01                      ;;;个数的序号相等则，十位数的序号必须是：前面的十位数相邻位置的序号[前面或者后面]代表的字符
00401567  JZ       0040140D                      ;;;个数的序号可以是前面序号的下一序号，但十位数序号必须相同。
0040156D  MOV    [EBP-5C],ESI                   ;;;
00401570  MOV    [EBP-60],EBX                   ;;;根据上面的规则我们可以构造出如下一组注册码
00401573  INC    EDI                            ;;;XDSECXV-XVXYXVXY-XVXYXVXY-XVXYXVXY-XVXYXVXY
00401574  CMP    EDI,0F                         ;;;
00401577  JLE    004014FF                      ;;;
00401579  MOV    EDX,00000000
0040157E  MOV    EAX,EDX
00401580  ADD    ESP,7C
00401583  POP    EBX
00401584  POP    ESI
00401585  POP    EDI
00401586  POP    EBP
00401587  RET
00401588  PUSH    EBP
00401589  MOV    EBP,ESP
0040158B  SUB    ESP,0C
0040158E  MOV    [ESP],EBX
00401591  MOV    [ESP+04],ESI
00401595  MOV    [ESP+08],EDI
00401599  MOV    EBX,[EBP+08]
0040159C  MOV    EDI,[EBP+0C]
0040159F  MOV    ESI,[EBP+10]
004015A2  CMP    EBX,-01
004015A5  SETZ    DL
004015A8  TEST    ESI,ESI
004015AA  SETG    AL
004015AD  MOV    ECX,FFFFFFFF
004015B2  TEST    AL,DL
004015B4  JNZ    00401608
004015B6  CMP    EBX,0C
004015B9  JZ       00401608
004015BB  MOV    EAX,EBX
004015BD  NOT    EAX
004015BF  SHR    EAX,1F
004015C2  MOV    EDX,EDI
004015C4  NOT    EDX
004015C6  SHR    EDX,1F
004015C9  AND    AL,DL
004015CB  MOV    ECX,00000000
004015D0  TEST    AL,AL
004015D2  JZ       00401608
004015D4  CMP    EBX,ESI
004015D6  JNZ    004015EC
004015D8  MOV    EAX,[EBP+14]
004015DB  DEC    EAX
004015DC  CMP    EAX,EDI
004015DE  JZ       00401608
004015E0  CMP    EBX,ESI
004015E2  JNZ    004015EC
004015E4  MOV    EAX,[EBP+14]
004015E7  INC    EAX
004015E8  CMP    EAX,EDI
004015EA  JZ       00401608
004015EC  LEA    EAX,[ESI-01]
004015EF  CMP    EAX,EBX
004015F1  SETZ    DL
004015F4  CMP    EDI,[EBP+14]
004015F7  SETZ    AL
004015FA  MOV    ECX,00000000
004015FF  TEST    AL,DL
00401601  JNZ    00401608
00401603  MOV    ECX,FFFFFFFF
00401608  MOV    EAX,ECX
0040160A  MOV    EBX,[ESP]
0040160D  MOV    ESI,[ESP+04]
00401611  MOV    EDI,[ESP+08]
00401615  MOV    ESP,EBP
00401617  POP    EBP
00401618  RET
00401619  NOP
0040161A  PUSH    EBP
0040161B  MOV    EBP,ESP
0040161D  MOV    EAX,[EBP+0C]
00401620  LEA    EDX,[EAX*2+EAX]
00401623  LEA    EDX,[EDX*4+EAX]
00401626  ADD    EDX,[EBP+08]
00401629  MOV    EAX,[EBP+10]
0040162C  CMP    DWORD PTR [EDX*4+EAX],01
00401630  SETZ    AL
00401633  MOVZX    EAX,AL
00401636  DEC    EAX
00401637  POP    EBP
00401638  RET
00401639  NOP
0040163A  PUSH    EBP
0040163B  MOV    EBP,ESP
0040163D  MOV    ECX,[EBP+0C]
00401640  MOVZX    EDX,BYTE PTR [EBP+08]
00401644  MOV    EAX,00000000
00401649  CMP    [ECX+EAX],DL
0040164C  JZ       00401654
0040164E  INC    EAX
0040164F  CMP    EAX,0C
00401652  JLE    00401649
00401654  POP    EBP
00401655  RET
00401656  PUSH    EBP
00401657  MOV    EBP,ESP
00401659  PUSH    EBX
0040165A  MOV    EAX,[EBP+0C]
0040165D  MOVZX    ECX,BYTE PTR [EBP+08]
00401661  MOV    EBX,FFFFFFFF
00401666  MOV    EDX,00000000
0040166B  CMP    [EAX+EDX],CL
0040166E  JNZ    00401677
00401670  MOV    EBX,00000000
00401675  JMP    0040167D
00401677  INC    EDX
00401678  CMP    EDX,0C
0040167B  JLE    0040166B
0040167D  MOV    EAX,EBX
0040167F  POP    EBX
00401680  POP    EBP
00401681  RET
00401682  PUSH    EBP
00401683  MOV    EBP,ESP
00401685  SUB    ESP,28
00401688  MOV    [EBP-0C],EBX
0040168B  MOV    [EBP-08],ESI
0040168E  MOV    [EBP-04],EDI
00401691  MOV    EDI,[EBP+08]
00401694  MOV    EAX,[EBP+0C]
00401697  MOV    EDX,[EBP+10]
0040169A  CMP    EAX,00000111
0040169F  JZ       00401794
004016A5  CMP    EAX,00000111
004016AA  JA       004016B8
004016AC  CMP    EAX,00000110
004016B1  JZ       004016EF
004016B3  JMP    004018E1
004016B8  CMP    EAX,00000201
004016BD  JNZ    004018E1
004016C3  MOV    EAX,[EBP+14]
004016C6  MOV    [ESP+0C],EAX
004016CA  MOV    DWORD PTR [ESP+08],00000002
004016D2  MOV    DWORD PTR [ESP+04],000000A1
004016DA  MOV    [ESP],EDI
004016DD  CALL    USER32!PostMessageA
004016E2  SUB    ESP,10
004016E5  MOV    EAX,00000000
004016EA  JMP    004018E6
004016EF  MOV    DWORD PTR [ESP+04],00000001
004016F7  MOV    EAX,[00405014]
004016FC  MOV    [ESP],EAX
004016FF  CALL    USER32!LoadIconA
00401704  SUB    ESP,08
00401707  MOV    [ESP+0C],EAX
0040170B  MOV    DWORD PTR [ESP+08],00000001
00401713  MOV    DWORD PTR [ESP+04],00000080
0040171B  MOV    [ESP],EDI
0040171E  CALL    USER32!SendMessageA
00401723  SUB    ESP,10
00401726  MOV    DWORD PTR [ESP+04],00404019 ; "Crackme4-XDSEC"
0040172E  MOV    [ESP],EDI
00401731  CALL    USER32!SetWindowTextA
00401736  SUB    ESP,08
00401739  MOV    DWORD PTR [ESP+08],00404030 ; "Find a valid serial and
00401741  MOV    DWORD PTR [ESP+04],00000066
00401749  MOV    [ESP],EDI
0040174C  CALL    USER32!SetDlgItemTextA
00401751  SUB    ESP,0C
00401754  MOV    DWORD PTR [ESP+08],00404059
0040175C  MOV    DWORD PTR [ESP+04],00000067
00401764  MOV    [ESP],EDI
00401767  CALL    USER32!SetDlgItemTextA
0040176C  SUB    ESP,0C
0040176F  MOV    DWORD PTR [ESP+08],00404070 ; "Not used"
00401777  MOV    DWORD PTR [ESP+04],000003EC
0040177F  MOV    [ESP],EDI
00401782  CALL    USER32!SetDlgItemTextA
00401787  SUB    ESP,0C
0040178A  MOV    EAX,00000000
0040178F  JMP    004018E6
00401794  CMP    EDX,01
00401797  JZ       004017A7
00401799  CMP    EDX,02
0040179C  JZ       004018C7
004017A2  JMP    004018E1
004017A7  MOV    DWORD PTR [ESP+04],000003ED
004017AF  MOV    [ESP],EDI
004017B2  CALL    USER32!GetDlgItem
004017B7  SUB    ESP,08
004017BA  MOV    [EBP-10],EAX
004017BD  MOV    [ESP],EAX
004017C0  CALL    USER32!GetWindowTextLengthA
004017C5  SUB    ESP,04
004017C8  TEST    EAX,EAX
004017CA  JNZ    004017F9
004017CC  MOV    DWORD PTR [ESP+0C],00000010
004017D4  MOV    DWORD PTR [ESP+08],00404079 ; "Error"
004017DC  MOV    DWORD PTR [ESP+04],00404080 ; "Please enter your serial
004017E4  MOV    [ESP],EDI
004017E7  CALL    USER32!MessageBoxA
004017EC  SUB    ESP,10
004017EF  MOV    EAX,FFFFFFFF
004017F4  JMP    004018E6
004017F9  CMP    EAX,63
004017FC  JLE    0040182B
004017FE  MOV    DWORD PTR [ESP+0C],00000010
00401806  MOV    DWORD PTR [ESP+08],00404079 ; "Error"
0040180E  MOV    DWORD PTR [ESP+04],004040A1 ; "Serial is too long..."
00401816  MOV    [ESP],EDI
00401819  CALL    USER32!MessageBoxA
0040181E  SUB    ESP,10
00401821  MOV    EAX,FFFFFFFF
00401826  JMP    004018E6
0040182B  LEA    ESI,[EAX+01]
0040182E  MOV    [ESP],ESI
00401831  CALL    00401FA0
00401836  MOV    EBX,EAX
00401838  MOV    [ESP+08],ESI
0040183C  MOV    DWORD PTR [ESP+04],00000000
00401844  MOV    [ESP],EAX
00401847  CALL    00401F90
0040184C  MOV    DWORD PTR [ESP+08],00000064
00401854  MOV    [ESP+04],EBX
00401858  MOV    EAX,[EBP-10]
0040185B  MOV    [ESP],EAX
0040185E  CALL    USER32!GetWindowTextA
00401863  SUB    ESP,0C
00401866  MOV    [ESP],EBX
00401869  CALL    00401332
0040186E  CMP    EAX,-01
00401871  JNZ    0040189D
00401873  MOV    DWORD PTR [ESP+0C],00000010
0040187B  MOV    DWORD PTR [ESP+08],00404079 ; "Error"
00401883  MOV    DWORD PTR [ESP+04],004040B7 ; "Invalid serial number."
0040188B  MOV    [ESP],EDI
0040188E  CALL    USER32!MessageBoxA
00401893  SUB    ESP,10
00401896  MOV    EAX,FFFFFFFF
0040189B  JMP    004018E6
0040189D  MOV    DWORD PTR [ESP+0C],00000030
004018A5  MOV    DWORD PTR [ESP+08],004040CE ; "Congratulation!"
004018AD  MOV    DWORD PTR [ESP+04],004040E0 ; "You have found a valid s
004018B5  MOV    [ESP],EDI
004018B8  CALL    USER32!MessageBoxA
004018BD  SUB    ESP,10
004018C0  MOV    EAX,FFFFFFFF
004018C5  JMP    004018E6
004018C7  MOV    DWORD PTR [ESP+04],00000000
004018CF  MOV    [ESP],EDI
004018D2  CALL    USER32!EndDialog
004018D7  SUB    ESP,08
004018DA  MOV    EAX,00000000
004018DF  JMP    004018E6
004018E1  MOV    EAX,00000000
004018E6  MOV    EBX,[EBP-0C]
004018E9  MOV    ESI,[EBP-08]
004018EC  MOV    EDI,[EBP-04]
004018EF  MOV    ESP,EBP
004018F1  POP    EBP
004018F2  RET    0010
004018F5  NOP
004018F6  PUSH    EBP
004018F7  MOV    EBP,ESP
004018F9  SUB    ESP,18
004018FC  MOV    EAX,[EBP+08]
004018FF  MOV    [00405014],EAX
00401904  MOV    DWORD PTR [ESP+10],00000000
0040190C  MOV    DWORD PTR [ESP+0C],00401682
00401914  MOV    DWORD PTR [ESP+08],00000000
0040191C  MOV    DWORD PTR [ESP+04],00000064
00401924  MOV    [ESP],EAX
00401927  CALL    USER32!DialogBoxParamA
0040192C  SUB    ESP,14
0040192F  MOV    EAX,00000000
00401934  LEAVE
00401935  RET    0010
0010:00404000 58 44 53 45 43 25 32 73-2D 25 38 73 2D 25 38 73  XDSEC%2s-%8s-%8s
0010:00404010 2D 25 38 73 2D 25 38 73-00 43 72 61 63 6B 6D 65  -%8s-%8s.Crackme

:dd403000 l300
0010:00403000 00000001  00000001  00000001  00000001    ................
0010:00403010 00000001  00000000  00000001  00000001    ................
0010:00403020 00000001  00000001  00000001  00000001    ................
0010:00403030 00000001  00000001  00000001  00000000    ................
0010:00403040 00000000  00000001  00000001  00000001    ................
0010:00403050 00000000  00000000  00000000  00000000    ................
0010:00403060 00000001  00000001  00000000  00000001    ................
0010:00403070 00000001  00000001  00000001  00000000    ................
0010:00403080 00000001  00000001  00000001  00000001    ................
0010:00403090 00000001  00000001  00000001  00000001    ................
0010:004030A0 00000001  00000000  00000000  00000001    ................
0010:004030B0 00000001  00000001  00000001  00000000    ................
0010:004030C0 00000001  00000001  00000001  00000001    ................
0010:004030D0 00000001  00000001  00000000  00000000    ................
0010:004030E0 00000001  00000000  00000001  00000000    ................
0010:004030F0 00000000  00000001  00000001  00000001    ................
0010:00403100 00000001  00000001  00000001  00000001    ................
0010:00403110 00000001  00000001  00000001  00000001    ................
0010:00403120 00000000  00000000  00000001  00000001    ................
0010:00403130 00000000  00000000  00000001  00000001    ................
0010:00403140 00000001  00000001  00000001  00000001    ................
0010:00403150 00000001  00000001  00000001  00000001    ................
0010:00403160 00000001  00000000  00000000  00000000    ................
0010:00403170 00000001  00000000  00000001  00000001    ................
0010:00403180 00000001  00000001  00000000  00000000    ................
0010:00403190 00000000  00000001  00000001  00000001    ................
0010:004031A0 00000001  00000001  00000001  00000001    ................
0010:004031B0 00000000  00000000  00000001  00000001    ................
0010:004031C0 00000001  00000001  00000001  00000000    ................
0010:004031D0 00000001  00000001  00000000  00000001    ................
0010:004031E0 00000001  00000001  00000001  00000001    ................
0010:004031F0 00000001  00000000  00000001  00000001    ................
0010:00403200 00000001  00000001  00000001  00000000    ................
0010:00403210 00000001  00000000  00000000  00000000    ................
0010:00403220 00000001  00000001  00000001  00000001    ................
0010:00403230 00000001  00000001  00000001  00000001    ................
0010:00403240 00000001  00000001  00000001  00000001    ................
0010:00403250 00000001  00000001  00000001  00000001    ................
0010:00403260 00000000  00000001  00000001  00000000    ................
0010:00403270 00000001  00000001  00000001  00000001    ................
0010:00403280 00000001  00000001  00000001  00000000    ................
0010:00403290 00000000  00000000  00000000  00000001    ................
0010:004032A0 00000001  45534458  4C514A43  4D524157    ....XDSECJQLWARM
0010:004032A0 01 00 00 00 58 44 53 45-43 4A 51 4C 57 41 52 4D  ....XDSECJQLWARM
0010:004032B0 5A 00 56 59 42 46 47 48-49 4B 4E 4F 50 54 55 00  Z.VYBFGHIKNOPTU.
0010:004032C0 FF FF FF FF 00 00 00 00-00 00 00 00 00 00 00 00  ................
0010:004032D0 00 40 00 00 00 00 00 00-00 00 00 00 00 00 00 00  .@..............
0010:004032E0 50 21 40 00 00 00 00 00-00 00 00 00 00 00 00 00  P!@.............
0010:004032F0 00 00 00 00 FF FF FF FF-00 00 00 00 FF FF FF FF  ................

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

上传的附件：

Crackme4.rar （59.61kb，68次下载）

收藏・3

免费・5

支持

最新回复 (12)
求学磊磊雪币： 458 活跃值： (207) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	求学磊磊 2 楼 http://bbs.pediy.com/showthread.php?t=129173&highlight=8s 貌似一模一样 2013-11-4 12:12 0
hunxiaozi 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 134 粉丝 0 关注私信	hunxiaozi 3 楼好像答案上也是这么写的 2013-11-4 12:51 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 4 楼，前几天，协助网友参加chinaisg的决赛时，他给了我5个crackme，让我没有事时候分析下，N久不碰这些东西，昨天清闲就分析了下，在论坛潜水很久了，所以就简单写了下露个脸。让您见笑了。 2013-11-4 19:52 0
viphack 雪币： 219 活跃值： (783) 能力值： (RANK：290 ) 在线值：发帖 135 回帖 1009 粉丝 42 关注私信	viphack 4 5 楼顶起。。。。 2013-11-4 20:03 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 6 楼第一个crackme 注册码只于输入的字符长度相关。输入的长度最少是4个，为了定位可以输入少于四个字符，这样可以使用messageboxa进入相关部分定位下面是两组注册码，及相关注册码验证，生成部分。 NAMEAA 21347 6685 1111 20010 5348 00401A18 55 PUSH EBP 00401A19 8BEC MOV EBP,ESP 00401A1B 83C494 ADD ESP,-6C 00401A1E 53 PUSH EBX 00401A1F 56 PUSH ESI 00401A20 57 PUSH EDI 00401A21 8BD8 MOV EBX,EAX 00401A23 8D75A4 LEA ESI,[EBP-5C] 00401A26 B8F0724800 MOV EAX,004872F0 00401A2B E838410600 CALL 00465B68 00401A30 66C746101800 MOV WORD PTR [ESI+10],0018 00401A36 8D45FC LEA EAX,[EBP-04] 00401A39 E862030000 CALL 00401DA0 00401A3E 8BD0 MOV EDX,EAX 00401A40 FF461C INC DWORD PTR [ESI+1C] 00401A43 8B8364030000 MOV EAX,[EBX+00000364] 00401A49 E842B40400 CALL 0044CE90 00401A4E 837DFC00 CMP DWORD PTR [EBP-04],00 00401A52 7408 JZ 00401A5C 00401A54 8B55FC MOV EDX,[EBP-04] 00401A57 8B4AFC MOV ECX,[EDX-04] 00401A5A EB02 JMP 00401A5E 00401A5C 33C9 XOR ECX,ECX 00401A5E 8D3C89 LEA EDI,[ECX4+ECX] 00401A61 8D45FC LEA EAX,[EBP-04] 00401A64 BA02000000 MOV EDX,00000002 00401A69 8D3CB9 LEA EDI,[EDI4+ECX] 00401A6C C1E703 SHL EDI,03 00401A6F 2BF9 SUB EDI,ECX 00401A71 8D3CF9 LEA EDI,[EDI*8+ECX] 00401A74 81C7A31C0000 ADD EDI,00001CA3 00401A7A FF4E1C DEC DWORD PTR [ESI+1C] 00401A7D E8D2110700 CALL 00472C54 00401A82 66C746100C00 MOV WORD PTR [ESI+10],000C 00401A88 66C746102400 MOV WORD PTR [ESI+10],0024 00401A8E 8D45F8 LEA EAX,[EBP-08] 00401A91 E80A030000 CALL 00401DA0 00401A96 8BD0 MOV EDX,EAX 00401A98 FF461C INC DWORD PTR [ESI+1C] 00401A9B 8B8370030000 MOV EAX,[EBX+00000370] 00401AA1 E8EAB30400 CALL 0044CE90 00401AA6 8D55F8 LEA EDX,[EBP-08] 00401AA9 52 PUSH EDX 00401AAA 8D45F4 LEA EAX,[EBP-0C] 00401AAD 8B55A0 MOV EDX,[EBP-60] 00401AB0 E85B110700 CALL 00472C10 00401AB5 FF461C INC DWORD PTR [ESI+1C] 00401AB8 8D55F4 LEA EDX,[EBP-0C] 00401ABB 58 POP EAX 00401ABC E8D7110700 CALL 00472C98 00401AC1 50 PUSH EAX 00401AC2 FF4E1C DEC DWORD PTR [ESI+1C] 00401AC5 8D45F4 LEA EAX,[EBP-0C] 00401AC8 BA02000000 MOV EDX,00000002 00401ACD E882110700 CALL 00472C54 00401AD2 FF4E1C DEC DWORD PTR [ESI+1C] 00401AD5 8D45F8 LEA EAX,[EBP-08] 00401AD8 BA02000000 MOV EDX,00000002 00401ADD E872110700 CALL 00472C54 00401AE2 59 POP ECX 00401AE3 84C9 TEST CL,CL 00401AE5 740C JZ 00401AF3 00401AE7 A1CCF44800 MOV EAX,[0048F4CC] 00401AEC 8B00 MOV EAX,[EAX] 00401AEE E89D260400 CALL 00444190 00401AF3 66C746103000 MOV WORD PTR [ESI+10],0030 00401AF9 8D45F0 LEA EAX,[EBP-10] 00401AFC E89F020000 CALL 00401DA0 00401B01 8BD0 MOV EDX,EAX 00401B03 FF461C INC DWORD PTR [ESI+1C] 00401B06 8B8370030000 MOV EAX,[EBX+00000370] 00401B0C E87FB30400 CALL 0044CE90 00401B11 8D55F0 LEA EDX,[EBP-10] 00401B14 52 PUSH EDX 00401B15 8D45EC LEA EAX,[EBP-14] 00401B18 8B559C MOV EDX,[EBP-64] 00401B1B E8F0100700 CALL 00472C10 00401B20 FF461C INC DWORD PTR [ESI+1C] 00401B23 8D55EC LEA EDX,[EBP-14] 00401B26 58 POP EAX 00401B27 E86C110700 CALL 00472C98 00401B2C 50 PUSH EAX 00401B2D FF4E1C DEC DWORD PTR [ESI+1C] 00401B30 8D45EC LEA EAX,[EBP-14] 00401B33 BA02000000 MOV EDX,00000002 00401B38 E817110700 CALL 00472C54 00401B3D FF4E1C DEC DWORD PTR [ESI+1C] 00401B40 8D45F0 LEA EAX,[EBP-10] 00401B43 BA02000000 MOV EDX,00000002 00401B48 E807110700 CALL 00472C54 00401B4D 59 POP ECX 00401B4E 84C9 TEST CL,CL 00401B50 740C JZ 00401B5E 00401B52 A1CCF44800 MOV EAX,[0048F4CC] 00401B57 8B00 MOV EAX,[EAX] 00401B59 E832260400 CALL 00444190 00401B5E 66C746103C00 MOV WORD PTR [ESI+10],003C 00401B64 8D45E8 LEA EAX,[EBP-18] 00401B67 E834020000 CALL 00401DA0 00401B6C 8BD0 MOV EDX,EAX 00401B6E FF461C INC DWORD PTR [ESI+1C] 00401B71 8B8370030000 MOV EAX,[EBX+00000370] 00401B77 E814B30400 CALL 0044CE90 00401B7C 8D55E8 LEA EDX,[EBP-18] 00401B7F 52 PUSH EDX 00401B80 8D45E4 LEA EAX,[EBP-1C] 00401B83 8B5598 MOV EDX,[EBP-68] 00401B86 E885100700 CALL 00472C10 00401B8B FF461C INC DWORD PTR [ESI+1C] 00401B8E 8D55E4 LEA EDX,[EBP-1C] 00401B91 58 POP EAX 00401B92 E801110700 CALL 00472C98 00401B97 50 PUSH EAX 00401B98 FF4E1C DEC DWORD PTR [ESI+1C] 00401B9B 8D45E4 LEA EAX,[EBP-1C] 00401B9E BA02000000 MOV EDX,00000002 00401BA3 E8AC100700 CALL 00472C54 00401BA8 FF4E1C DEC DWORD PTR [ESI+1C] 00401BAB 8D45E8 LEA EAX,[EBP-18] 00401BAE BA02000000 MOV EDX,00000002 00401BB3 E89C100700 CALL 00472C54 00401BB8 59 POP ECX 00401BB9 84C9 TEST CL,CL 00401BBB 740C JZ 00401BC9 00401BBD A1CCF44800 MOV EAX,[0048F4CC] 00401BC2 8B00 MOV EAX,[EAX] 00401BC4 E8C7250400 CALL 00444190 00401BC9 66C746104800 MOV WORD PTR [ESI+10],0048 00401BCF 8D45E0 LEA EAX,[EBP-20] 00401BD2 E8C9010000 CALL 00401DA0 00401BD7 8BD0 MOV EDX,EAX 00401BD9 FF461C INC DWORD PTR [ESI+1C] 00401BDC 8B8370030000 MOV EAX,[EBX+00000370] 00401BE2 E8A9B20400 CALL 0044CE90 00401BE7 8D55E0 LEA EDX,[EBP-20] 00401BEA 52 PUSH EDX 00401BEB 8D45DC LEA EAX,[EBP-24] 00401BEE 8B5594 MOV EDX,[EBP-6C] 00401BF1 E81A100700 CALL 00472C10 00401BF6 FF461C INC DWORD PTR [ESI+1C] 00401BF9 8D55DC LEA EDX,[EBP-24] 00401BFC 58 POP EAX 00401BFD E896100700 CALL 00472C98 00401C02 50 PUSH EAX 00401C03 FF4E1C DEC DWORD PTR [ESI+1C] 00401C06 8D45DC LEA EAX,[EBP-24] 00401C09 BA02000000 MOV EDX,00000002 00401C0E E841100700 CALL 00472C54 00401C13 FF4E1C DEC DWORD PTR [ESI+1C] 00401C16 8D45E0 LEA EAX,[EBP-20] 00401C19 BA02000000 MOV EDX,00000002 00401C1E E831100700 CALL 00472C54 00401C23 59 POP ECX 00401C24 84C9 TEST CL,CL 00401C26 740C JZ 00401C34 00401C28 A1CCF44800 MOV EAX,[0048F4CC] 00401C2D 8B00 MOV EAX,[EAX] 00401C2F E85C250400 CALL 00444190 00401C34 66C746105400 MOV WORD PTR [ESI+10],0054 00401C3A 8D45D8 LEA EAX,[EBP-28] 00401C3D E85E010000 CALL 00401DA0 00401C42 8BD0 MOV EDX,EAX 00401C44 FF461C INC DWORD PTR [ESI+1C] 00401C47 8B8364030000 MOV EAX,[EBX+00000364] 00401C4D E83EB20400 CALL 0044CE90 00401C52 837DD800 CMP DWORD PTR [EBP-28],00 00401C56 7408 JZ 00401C60 00401C58 8B55D8 MOV EDX,[EBP-28] 00401C5B 8B4AFC MOV ECX,[EDX-04] 00401C5E EB02 JMP 00401C62 00401C60 33C9 XOR ECX,ECX 00401C62 83F904 CMP ECX,04 00401C65 BA02000000 MOV EDX,00000002 00401C6A 0F9CC0 SETL AL 00401C6D 83E001 AND EAX,01 00401C70 50 PUSH EAX 00401C71 8D45D8 LEA EAX,[EBP-28] 00401C74 FF4E1C DEC DWORD PTR [ESI+1C] 00401C77 E8D80F0700 CALL 00472C54 00401C7C 59 POP ECX 00401C7D 84C9 TEST CL,CL 00401C7F 7418 JZ 00401C99 ;;;长度低于4个提示 00401C81 6A00 PUSH 00 00401C83 68C4714800 PUSH 004871C4 ; "BEEP!" 00401C88 68A6714800 PUSH 004871A6 ; "At least, more than 4 l 00401C8D 6A00 PUSH 00 00401C8F E8204D0800 CALL USER32!MessageBoxA 00401C94 E9F6000000 JMP 00401D8F 00401C99 66C746106000 MOV WORD PTR [ESI+10],0060 00401C9F 8D45D4 LEA EAX,[EBP-2C] 00401CA2 E8F9000000 CALL 00401DA0 00401CA7 8BD0 MOV EDX,EAX 00401CA9 FF461C INC DWORD PTR [ESI+1C] 00401CAC 8B8370030000 MOV EAX,[EBX+00000370] 00401CB2 E8D9B10400 CALL 0044CE90 00401CB7 8D55D4 LEA EDX,[EBP-2C] 00401CBA 52 PUSH EDX 00401CBB 8D97A31C0000 LEA EDX,[EDI+00001CA3] 00401CC1 8D45D0 LEA EAX,[EBP-30] 00401CC4 E8470F0700 CALL 00472C10 00401CC9 FF461C INC DWORD PTR [ESI+1C] 00401CCC 8D55D0 LEA EDX,[EBP-30] 00401CCF 58 POP EAX 00401CD0 E8C30F0700 CALL 00472C98 00401CD5 50 PUSH EAX 00401CD6 FF4E1C DEC DWORD PTR [ESI+1C] 00401CD9 8D45D0 LEA EAX,[EBP-30] 00401CDC BA02000000 MOV EDX,00000002 00401CE1 E86E0F0700 CALL 00472C54 00401CE6 FF4E1C DEC DWORD PTR [ESI+1C] 00401CE9 8D45D4 LEA EAX,[EBP-2C] 00401CEC BA02000000 MOV EDX,00000002 00401CF1 E85E0F0700 CALL 00472C54 00401CF6 59 POP ECX 00401CF7 84C9 TEST CL,CL 00401CF9 0F8483000000 JZ 00401D82 00401CFF 66C746106C00 MOV WORD PTR [ESI+10],006C 00401D05 8D45CC LEA EAX,[EBP-34] 00401D08 E893000000 CALL 00401DA0 00401D0D 8BD0 MOV EDX,EAX 00401D0F FF461C INC DWORD PTR [ESI+1C] 00401D12 8B8378030000 MOV EAX,[EBX+00000378] 00401D18 E873B10400 CALL 0044CE90 00401D1D 8D55CC LEA EDX,[EBP-34] 00401D20 52 PUSH EDX 00401D21 8D975DE3FFFF LEA EDX,[EDI+FFFFE35D] 00401D27 8D45C8 LEA EAX,[EBP-38] 00401D2A E8E10E0700 CALL 00472C10 00401D2F FF461C INC DWORD PTR [ESI+1C] 00401D32 8D55C8 LEA EDX,[EBP-38] 00401D35 58 POP EAX 00401D36 E85D0F0700 CALL 00472C98 00401D3B 50 PUSH EAX 00401D3C FF4E1C DEC DWORD PTR [ESI+1C] 00401D3F 8D45C8 LEA EAX,[EBP-38] 00401D42 BA02000000 MOV EDX,00000002 00401D47 E8080F0700 CALL 00472C54 00401D4C FF4E1C DEC DWORD PTR [ESI+1C] 00401D4F 8D45CC LEA EAX,[EBP-34] 00401D52 BA02000000 MOV EDX,00000002 00401D57 E8F80E0700 CALL 00472C54 00401D5C 59 POP ECX 00401D5D 84C9 TEST CL,CL 00401D5F 7413 JZ 00401D74 ;;;注册码不正确转移 00401D61 6A00 PUSH 00 00401D63 68EB714800 PUSH 004871EB ; "Correct!" 00401D68 68CA714800 PUSH 004871CA ; "Good!Give us your key!" 00401D6D 6A00 PUSH 00 00401D6F E8404C0800 CALL USER32!MessageBoxA 00401D74 A1CCF44800 MOV EAX,[0048F4CC] 00401D79 8B00 MOV EAX,[EAX] 00401D7B E810240400 CALL 00444190 00401D80 EB0D JMP 00401D8F 00401D82 8B15CCF44800 MOV EDX,[0048F4CC] 00401D88 8B02 MOV EAX,[EDX] 00401D8A E801240400 CALL 00444190 00401D8F 8B16 MOV EDX,[ESI] 00401D91 64891500000000 MOV FS:[00000000],EDX 00401D98 5F POP EDI 00401D99 5E POP ESI 00401D9A 5B POP EBX 00401D9B 8BE5 MOV ESP,EBP 00401D9D 5D POP EBP 00401D9E C3 RET 上传的附件： Crackme1.rar （253.44kb，42次下载） 2013-11-4 21:02 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 7 楼第三个 crackme, 提示信息做的加密，解密后字符串及相关比较生成注册码后面给出。但注册码是把时间作为随机数生成算法的初始值。所以每次都不同的。 :desp+78 l 9 0023:0012FB58 49 6E 63 6F 72 72 65 63-74 00 48 02 21 32 25 3E Incorrect.H.!2%> :desp+1c l 9 0023:0012FAFC 47 72 65 61 74 21 00 42-00 FD 12 00 59 6F 75 00 Great!.B....You. :desp+28 l 9 0023:0012FB08 59 6F 75 00 74 68 65 00-79 70 67 74 00 00 00 00 You.the.ypgt.... :desp+5c l 9 0023:0012FB3C 70 61 73 73 65 64 00 02-50 6C 65 61 73 65 00 02 passed..Please.. :desp+2c l 9 0023:0012FB0C 74 68 65 00 79 70 67 74-00 00 00 00 39 28 3A 3A the.ypgt....9(:: :desp+94 l 9 0023:0012FB74 76 65 72 69 66 69 63 61-74 69 6F 6E 21 00 48 02 verification!.H. :desp+14 l 9 0023:0012FAF4 68 61 76 65 00 00 12 00-47 72 65 61 74 21 00 42 have....Great!.B :desp+48 l 10 0023:0012FB28 50 61 73 73 77 6F 72 64-00 02 48 02 55 49 44 00 Password..H.UID. :d esp+64 l10 0023:0012FB44 50 6C 65 61 73 65 00 02-79 5E 53 5F 42 42 55 53 Please..y^S_BBUS :d esp+c l10 0023:0012FAEC 49 75 70 75 74 00 00 00-7B 47 42 47 46 00 12 00 Iuput...{GBGF... :d esp+48 l10 0023:0012FB28 50 61 73 73 77 6F 72 64-00 02 48 02 55 49 44 00 Password..H.UID. ================ Sun Nov 03 16:58:17 2013 00401300 83EC74 SUB ESP,74 00401303 8D442408 LEA EAX,[ESP+08] 00401307 56 PUSH ESI 00401308 50 PUSH EAX 00401309 FF152C214100 CALL [USER32!GetCursorPos] 0040130F 6A00 PUSH 00 00401311 E8C3430000 CALL 004056D9 00401316 50 PUSH EAX 00401317 E895430000 CALL 004056B1 0040131C 8B0D548C4100 MOV ECX,[00418C54] 00401322 BE09000000 MOV ESI,00000009 00401327 8BC1 MOV EAX,ECX 00401329 83C408 ADD ESP,08 0040132C 99 CDQ 0040132D F7FE IDIV ESI 0040132F 83FA02 CMP EDX,02 00401332 0F85D3000000 JNZ 0040140B 00401338 B8398EE338 MOV EAX,38E38E39 0040133D F7E9 IMUL ECX 0040133F D1FA SAR EDX,1 00401341 8BCA MOV ECX,EDX 00401343 C1E91F SHR ECX,1F 00401346 03D1 ADD EDX,ECX 00401348 83FA17 CMP EDX,17 0040134B 0F85BA000000 JNZ 0040140B 00401351 8B542404 MOV EDX,[ESP+04] 00401355 668B442408 MOV AX,[ESP+08] 0040135A 53 PUSH EBX 0040135B 55 PUSH EBP 0040135C 57 PUSH EDI 0040135D 89542420 MOV [ESP+20],EDX 00401361 6689442424 MOV [ESP+24],AX 00401366 33DB XOR EBX,EBX 00401368 53 PUSH EBX ;;; 00401369 8D4C2414 LEA ECX,[ESP+14] ;;; 0040136D 6A05 PUSH 05 ;;; 0040136F 51 PUSH ECX ;;; 00401370 E8DBFEFFFF CALL 00401250 ;;; 00401375 8B4C2428 MOV ECX,[ESP+28] ;;; 00401379 B81F85EB51 MOV EAX,51EB851F ;;; 0040137E F7E9 IMUL ECX ;;; 00401380 C1FA05 SAR EDX,05 ;;;得到一个特随机数 00401383 8BC2 MOV EAX,EDX ;;;根据这个随机数 00401385 83C40C ADD ESP,0C ;;;生成5个字符 00401388 C1E81F SHR EAX,1F ;;; 0040138B 03D0 ADD EDX,EAX ;;; 0040138D 3BDA CMP EBX,EDX ;;; 0040138F 7512 JNZ 004013A3 ;;; 00401391 8B4C2410 MOV ECX,[ESP+10] ;;; 00401395 668B442414 MOV AX,[ESP+14] ;;; 0040139A 894C2420 MOV [ESP+20],ECX ;;; 0040139E 6689442424 MOV [ESP+24],AX ;;; 004013A3 7E2D JLE 004013D2 ;;; 004013A5 8D7C2410 LEA EDI,[ESP+10] ;;; 004013A9 83C9FF OR ECX,-01 ;;; 004013AC 33C0 XOR EAX,EAX ;;; 004013AE 8D542420 LEA EDX,[ESP+20] ;;; 004013B2 F2AE REPNZ SCASB ;;; 004013B4 F7D1 NOT ECX ;;; 004013B6 2BF9 SUB EDI,ECX ;;; 004013B8 8BF7 MOV ESI,EDI ;;; 004013BA 8BE9 MOV EBP,ECX ;;; 004013BC 8BFA MOV EDI,EDX ;;; 004013BE 83C9FF OR ECX,-01 ;;; 004013C1 F2AE REPNZ SCASB ;;; 004013C3 8BCD MOV ECX,EBP ;;; 004013C5 4F DEC EDI ;;; 004013C6 C1E902 SHR ECX,02 ;;; 004013C9 F3A5 REPZ MOVSD ;;; 004013CB 8BCD MOV ECX,EBP ;;; 004013CD 83E103 AND ECX,03 ;;; 004013D0 F3A4 REPZ MOVSB ;;; 004013D2 43 INC EBX ;;; 004013D3 83FB0A CMP EBX,0A ;;;生成长度为45的串，输入的字符串必须与他相等 004013D6 7C90 JL 00401368 004013D8 8BB42488000000 MOV ESI,[ESP+00000088] 004013DF 56 PUSH ESI 004013E0 68808D4100 PUSH 00418D80 ; "X!A" 004013E5 E8A6070000 CALL 00401B90 004013EA 83C408 ADD ESP,08 004013ED E80EFCFFFF CALL 00401000 004013F2 8D442420 LEA EAX,[ESP+20] 004013F6 50 PUSH EAX 004013F7 56 PUSH ESI 004013F8 FF150C204100 CALL [KERNEL32!lstrcmp] 004013FE F7D8 NEG EAX 00401400 5F POP EDI 00401401 5D POP EBP 00401402 1BC0 SBB EAX,EAX 00401404 5B POP EBX 00401405 40 INC EAX 00401406 5E POP ESI 00401407 83C474 ADD ESP,74 0040140A C3 RET 0040140B 6A00 PUSH 00 0040140D E8CA410000 CALL 004055DC 00401412 90 NOP 00401420 81EC98040000 SUB ESP,00000498 00401426 53 PUSH EBX 00401427 56 PUSH ESI 00401428 57 PUSH EDI 00401429 A148514100 MOV EAX,[00415148] ; "a]TPBT" 0040142E 668B0D4C514100 MOV CX,[0041514C] 00401435 8A154E514100 MOV DL,[0041514E] 0040143B 8944240C MOV [ESP+0C],EAX 0040143F A140514100 MOV EAX,[00415140] ; "{GBGF" 00401444 66894C2410 MOV [ESP+10],CX 00401449 668B0D44514100 MOV CX,[00415144] 00401450 89442414 MOV [ESP+14],EAX 00401454 A138514100 MOV EAX,[00415138] ; "QITB" 00401459 88542412 MOV [ESP+12],DL 0040145D 8B1534514100 MOV EDX,[00415134] 00401463 89442420 MOV [ESP+20],EAX 00401467 A12C514100 MOV EAX,[0041512C] ; "BBUSD" 0040146C 66894C2418 MOV [ESP+18],CX 00401471 8A0D3C514100 MOV CL,[0041513C] 00401477 8954241C MOV [ESP+1C],EDX 0040147B 8B1528514100 MOV EDX,[00415128] 00401481 89442470 MOV [ESP+70],EAX 00401485 66A124514100 MOV AX,[00415124] ; "`5" 0040148B 884C2424 MOV [ESP+24],CL 0040148F 668B0D30514100 MOV CX,[00415130] 00401496 8954246C MOV [ESP+6C],EDX 0040149A 8B1520514100 MOV EDX,[00415120] 004014A0 6689442444 MOV [ESP+44],AX 004014A5 A118514100 MOV EAX,[00415118] ; "ypgt" 004014AA 66894C2474 MOV [ESP+74],CX 004014AF 8A0D26514100 MOV CL,[00415126] 004014B5 89542440 MOV [ESP+40],EDX 004014B9 8B1514514100 MOV EDX,[00415114] 004014BF 89442430 MOV [ESP+30],EAX 004014C3 66A110514100 MOV AX,[00415110] ; ",-" 004014C9 884C2446 MOV [ESP+46],CL 004014CD 8A0D1C514100 MOV CL,[0041511C] 004014D3 89542458 MOV [ESP+58],EDX 004014D7 8B150C514100 MOV EDX,[0041510C] 004014DD 668944243C MOV [ESP+3C],AX 004014E2 A1FC504100 MOV EAX,[004150FC] ; "!2%>1>46#>89v" 004014E7 884C2434 MOV [ESP+34],CL 004014EB 8A0D12514100 MOV CL,[00415112] 004014F1 89542438 MOV [ESP+38],EDX 004014F5 8B15F8504100 MOV EDX,[004150F8] 004014FB 89842484000000 MOV [ESP+00000084],EAX 00401502 66A108514100 MOV AX,[00415108] 00401508 884C243E MOV [ESP+3E],CL 0040150C 8B0D00514100 MOV ECX,[00415100] 00401512 89542454 MOV [ESP+54],EDX 00401516 8B1504514100 MOV EDX,[00415104] 0040151C 6689842490000000 MOV [ESP+00000090],AX 00401524 898C2488000000 MOV [ESP+00000088],ECX 0040152B 8994248C000000 MOV [ESP+0000008C],EDX 00401532 33C0 XOR EAX,EAX 00401534 BB06000000 MOV EBX,00000006 00401539 8A4C040C MOV CL,[EAX+ESP+0C] 0040153D 80F131 XOR CL,31 00401540 884C0464 MOV [EAX+ESP+64],CL 00401544 40 INC EAX 00401545 3BC3 CMP EAX,EBX 00401547 7CF0 JL 00401539 00401549 C644246A00 MOV BYTE PTR [ESP+6A],00 0040154E 33C0 XOR EAX,EAX 00401550 8A540414 MOV DL,[EAX+ESP+14] 00401554 80F232 XOR DL,32 00401557 8854040C MOV [EAX+ESP+0C],DL 0040155B 40 INC EAX 0040155C 83F805 CMP EAX,05 0040155F 7CEF JL 00401550 00401561 C644241100 MOV BYTE PTR [ESP+11],00 00401566 33C0 XOR EAX,EAX 00401568 8A4C041C MOV CL,[EAX+ESP+1C] 0040156C 80F126 XOR CL,26 0040156F 884C0448 MOV [EAX+ESP+48],CL 00401573 40 INC EAX 00401574 83F808 CMP EAX,08 00401577 7CEF JL 00401568 00401579 C644245000 MOV BYTE PTR [ESP+50],00 0040157E E8DDFBFFFF CALL 00401160 00401583 8D542448 LEA EDX,[ESP+48] 00401587 68F4504100 PUSH 004150F4 0040158C 52 PUSH EDX 0040158D 8D442414 LEA EAX,[ESP+14] 00401591 68F0504100 PUSH 004150F0 00401596 50 PUSH EAX 00401597 8D4C2474 LEA ECX,[ESP+74] 0040159B 68F0504100 PUSH 004150F0 004015A0 51 PUSH ECX 004015A1 68F08C4100 PUSH 00418CF0 ; "P!A" 004015A6 E8850E0000 CALL 00402430 004015AB 83C408 ADD ESP,08 004015AE 50 PUSH EAX 004015AF E87C0E0000 CALL 00402430 004015B4 83C408 ADD ESP,08 004015B7 50 PUSH EAX 004015B8 E8730E0000 CALL 00402430 004015BD 83C408 ADD ESP,08 004015C0 50 PUSH EAX 004015C1 E86A0E0000 CALL 00402430 004015C6 83C408 ADD ESP,08 004015C9 50 PUSH EAX 004015CA E8610E0000 CALL 00402430 004015CF 83C408 ADD ESP,08 004015D2 50 PUSH EAX 004015D3 E8580E0000 CALL 00402430 004015D8 83C408 ADD ESP,08 004015DB 8BF0 MOV ESI,EAX 004015DD 8BCE MOV ECX,ESI 004015DF 6A0A PUSH 0A 004015E1 E84A030000 CALL 00401930 004015E6 8B16 MOV EDX,[ESI] 004015E8 33FF XOR EDI,EDI 004015EA 8B4204 MOV EAX,[EDX+04] 004015ED 03C6 ADD EAX,ESI 004015EF 845804 TEST [EAX+04],BL 004015F2 7514 JNZ 00401608 004015F4 8B4028 MOV EAX,[EAX+28] 004015F7 8BC8 MOV ECX,EAX 004015F9 8B10 MOV EDX,[EAX] 004015FB FF522C CALL [EDX+2C] 004015FE 83F8FF CMP EAX,-01 00401601 7505 JNZ 00401608 00401603 BF04000000 MOV EDI,00000004 00401608 8B06 MOV EAX,[ESI] 0040160A 8B4804 MOV ECX,[EAX+04] 0040160D 03CE ADD ECX,ESI 0040160F 85FF TEST EDI,EDI 00401611 7416 JZ 00401629 00401613 8B4104 MOV EAX,[ECX+04] 00401616 8B5128 MOV EDX,[ECX+28] 00401619 0BC7 OR EAX,EDI 0040161B 85D2 TEST EDX,EDX 0040161D 7502 JNZ 00401621 0040161F 0C04 OR AL,04 00401621 6A00 PUSH 00 00401623 50 PUSH EAX 00401624 E8A8210000 CALL 004037D1 00401629 E802FAFFFF CALL 00401030 0040162E 8D8C24A4000000 LEA ECX,[ESP+000000A4] 00401635 51 PUSH ECX 00401636 E8C5FCFFFF CALL 00401300 ;;;根据当前时间生成注册码，并与输入字符串比较 0040163B 83C404 ADD ESP,04 0040163E 8BF0 MOV ESI,EAX 00401640 33C0 XOR EAX,EAX 00401642 8A54046C MOV DL,[EAX+ESP+6C] 00401646 80F230 XOR DL,30 00401649 88540478 MOV [EAX+ESP+78],DL 0040164D 40 INC EAX 0040164E 83F809 CMP EAX,09 00401651 7CEF JL 00401642 00401653 C684248100000000 MOV BYTE PTR [ESP+00000081],00 0040165B 33C0 XOR EAX,EAX 0040165D 8A4C0440 MOV CL,[EAX+ESP+40] 00401661 80F114 XOR CL,14 00401664 884C041C MOV [EAX+ESP+1C],CL 00401668 40 INC EAX 00401669 3BC3 CMP EAX,EBX 0040166B 7CF0 JL 0040165D 0040166D C644242200 MOV BYTE PTR [ESP+22],00 00401672 33C0 XOR EAX,EAX 00401674 8A540458 MOV DL,[EAX+ESP+58] 00401678 80F219 XOR DL,19 0040167B 88540428 MOV [EAX+ESP+28],DL 0040167F 40 INC EAX 00401680 83F803 CMP EAX,03 00401683 7CEF JL 00401674 00401685 C644242B00 MOV BYTE PTR [ESP+2B],00 0040168A 33C0 XOR EAX,EAX 0040168C 8A4C0438 MOV CL,[EAX+ESP+38] 00401690 80F149 XOR CL,49 00401693 884C045C MOV [EAX+ESP+5C],CL 00401697 40 INC EAX 00401698 3BC3 CMP EAX,EBX 0040169A 7CF0 JL 0040168C 0040169C C644246200 MOV BYTE PTR [ESP+62],00 004016A1 33C0 XOR EAX,EAX 004016A3 8A540454 MOV DL,[EAX+ESP+54] 004016A7 80F221 XOR DL,21 004016AA 8854042C MOV [EAX+ESP+2C],DL 004016AE 40 INC EAX 004016AF 83F803 CMP EAX,03 004016B2 7CEF JL 004016A3 004016B4 C644242F00 MOV BYTE PTR [ESP+2F],00 004016B9 33C0 XOR EAX,EAX 004016BB 8A8C0484000000 MOV CL,[EAX+ESP+00000084] 004016C2 80F157 XOR CL,57 004016C5 888C0494000000 MOV [EAX+ESP+00000094],CL 004016CC 40 INC EAX 004016CD 83F80D CMP EAX,0D 004016D0 7CE9 JL 004016BB 004016D2 C68424A100000000 MOV BYTE PTR [ESP+000000A1],00 004016DA 33C0 XOR EAX,EAX 004016DC 8A540430 MOV DL,[EAX+ESP+30] 004016E0 80F211 XOR DL,11 004016E3 88540414 MOV [EAX+ESP+14],DL 004016E7 40 INC EAX 004016E8 83F804 CMP EAX,04 004016EB 7CEF JL 004016DC 004016ED 8B0D548C4100 MOV ECX,[00418C54] 004016F3 BF07000000 MOV EDI,00000007 004016F8 8BC1 MOV EAX,ECX 004016FA C644241800 MOV BYTE PTR [ESP+18],00 004016FF 99 CDQ 00401700 F7FF IDIV EDI 00401702 83FA03 CMP EDX,03 00401705 0F8588010000 JNZ 00401893 0040170B B893244992 MOV EAX,92492493 00401710 F7E9 IMUL ECX 00401712 03D1 ADD EDX,ECX 00401714 C1FA02 SAR EDX,02 00401717 8BC2 MOV EAX,EDX 00401719 C1E81F SHR EAX,1F 0040171C 03D0 ADD EDX,EAX 0040171E 83FA29 CMP EDX,29 00401721 0F856C010000 JNZ 00401893 00401727 85F6 TEST ESI,ESI 00401729 0F84E8000000 JZ 00401817 0040172F 8D8C2494000000 LEA ECX,[ESP+00000094] 00401736 8D54242C LEA EDX,[ESP+2C] 0040173A 51 PUSH ECX 0040173B 68F0504100 PUSH 004150F0 00401740 52 PUSH EDX 00401741 8D442468 LEA EAX,[ESP+68] 00401745 68F0504100 PUSH 004150F0 0040174A 50 PUSH EAX 0040174B 8D4C2428 LEA ECX,[ESP+28] 0040174F 68F0504100 PUSH 004150F0 00401754 51 PUSH ECX 00401755 8D542444 LEA EDX,[ESP+44] 00401759 68F0504100 PUSH 004150F0 0040175E 8D44243C LEA EAX,[ESP+3C] 00401762 52 PUSH EDX 00401763 50 PUSH EAX 00401764 68F08C4100 PUSH 00418CF0 ; "P!A" 00401769 E8C20C0000 CALL 00402430 0040176E 83C408 ADD ESP,08 00401771 50 PUSH EAX 00401772 E8B90C0000 CALL 00402430 00401777 83C408 ADD ESP,08 0040177A 50 PUSH EAX 0040177B E8B00C0000 CALL 00402430 00401780 83C408 ADD ESP,08 00401783 50 PUSH EAX 00401784 E8A70C0000 CALL 00402430 00401789 83C408 ADD ESP,08 0040178C 50 PUSH EAX 0040178D E89E0C0000 CALL 00402430 00401792 83C408 ADD ESP,08 00401795 50 PUSH EAX 00401796 E8950C0000 CALL 00402430 0040179B 83C408 ADD ESP,08 0040179E 50 PUSH EAX 0040179F E88C0C0000 CALL 00402430 004017A4 83C408 ADD ESP,08 004017A7 50 PUSH EAX 004017A8 E8830C0000 CALL 00402430 004017AD 83C408 ADD ESP,08 004017B0 50 PUSH EAX 004017B1 E87A0C0000 CALL 00402430 004017B6 83C408 ADD ESP,08 004017B9 50 PUSH EAX 004017BA E8710C0000 CALL 00402430 004017BF 83C408 ADD ESP,08 004017C2 8BF0 MOV ESI,EAX 004017C4 8BCE MOV ECX,ESI 004017C6 6A0A PUSH 0A 004017C8 E863010000 CALL 00401930 004017CD 8B0E MOV ECX,[ESI] 004017CF 33FF XOR EDI,EDI 004017D1 8B5104 MOV EDX,[ECX+04] 004017D4 8A4C3204 MOV CL,[ESI+EDX+04] 004017D8 84CB TEST BL,CL 004017DA 8D0432 LEA EAX,[ESI+EDX] 004017DD 7514 JNZ 004017F3 004017DF 8B4028 MOV EAX,[EAX+28] 004017E2 8BC8 MOV ECX,EAX 004017E4 8B10 MOV EDX,[EAX] 004017E6 FF522C CALL [EDX+2C] 004017E9 83F8FF CMP EAX,-01 004017EC 7505 JNZ 004017F3 004017EE BF04000000 MOV EDI,00000004 004017F3 8B06 MOV EAX,[ESI] 004017F5 8B4804 MOV ECX,[EAX+04] 004017F8 03CE ADD ECX,ESI 004017FA 85FF TEST EDI,EDI 004017FC 0F8411010000 JZ 00401913 00401802 8B4104 MOV EAX,[ECX+04] 00401805 8B5128 MOV EDX,[ECX+28] 00401808 0BC7 OR EAX,EDI 0040180A 85D2 TEST EDX,EDX 0040180C 0F85F9000000 JNZ 0040190B 00401812 E9F2000000 JMP 00401909 00401817 8D4C2478 LEA ECX,[ESP+78] 0040181B 8D542448 LEA EDX,[ESP+48] 0040181F 51 PUSH ECX 00401820 68F0504100 PUSH 004150F0 00401825 52 PUSH EDX 00401826 68F08C4100 PUSH 00418CF0 ; "P!A" 0040182B E8000C0000 CALL 00402430 00401830 83C408 ADD ESP,08 00401833 50 PUSH EAX 00401834 E8F70B0000 CALL 00402430 00401839 83C408 ADD ESP,08 0040183C 50 PUSH EAX 0040183D E8EE0B0000 CALL 00402430 00401842 83C408 ADD ESP,08 00401845 8BF0 MOV ESI,EAX 00401847 8BCE MOV ECX,ESI 00401849 6A0A PUSH 0A 0040184B E8E0000000 CALL 00401930 00401850 8B06 MOV EAX,[ESI] 00401852 33FF XOR EDI,EDI 00401854 8B4804 MOV ECX,[EAX+04] 00401857 8D0431 LEA EAX,[ESI+ECX] 0040185A 8A4C3104 MOV CL,[ESI+ECX+04] 0040185E 84CB TEST BL,CL 00401860 7514 JNZ 00401876 00401862 8B4028 MOV EAX,[EAX+28] 00401865 8BC8 MOV ECX,EAX 00401867 8B10 MOV EDX,[EAX] 00401869 FF522C CALL [EDX+2C] 0040186C 83F8FF CMP EAX,-01 0040186F 7505 JNZ 00401876 00401871 BF04000000 MOV EDI,00000004 00401876 8B06 MOV EAX,[ESI] 00401878 8B4804 MOV ECX,[EAX+04] 0040187B 03CE ADD ECX,ESI 0040187D 85FF TEST EDI,EDI 0040187F 0F848E000000 JZ 00401913 00401885 8B4104 MOV EAX,[ECX+04] 00401888 8B5128 MOV EDX,[ECX+28] 0040188B 0BC7 OR EAX,EDI 0040188D 85D2 TEST EDX,EDX 0040188F 757A JNZ 0040190B 00401891 EB76 JMP 00401909 00401893 8D4C2478 LEA ECX,[ESP+78] 00401897 8D542448 LEA EDX,[ESP+48] 0040189B 51 PUSH ECX 0040189C 68F0504100 PUSH 004150F0 004018A1 52 PUSH EDX 004018A2 68F08C4100 PUSH 00418CF0 ; "P!A" 004018A7 E8840B0000 CALL 00402430 004018AC 83C408 ADD ESP,08 004018AF 50 PUSH EAX 004018B0 E87B0B0000 CALL 00402430 004018B5 83C408 ADD ESP,08 004018B8 50 PUSH EAX 004018B9 E8720B0000 CALL 00402430 004018BE 83C408 ADD ESP,08 004018C1 8BF0 MOV ESI,EAX 004018C3 8BCE MOV ECX,ESI 004018C5 6A0A PUSH 0A 004018C7 E864000000 CALL 00401930 004018CC 8B06 MOV EAX,[ESI] 004018CE 33FF XOR EDI,EDI 004018D0 8B4804 MOV ECX,[EAX+04] 004018D3 8D0431 LEA EAX,[ESI+ECX] 004018D6 8A4C3104 MOV CL,[ESI+ECX+04] 004018DA 84CB TEST BL,CL 004018DC 7514 JNZ 004018F2 004018DE 8B4028 MOV EAX,[EAX+28] 004018E1 8BC8 MOV ECX,EAX 004018E3 8B10 MOV EDX,[EAX] 004018E5 FF522C CALL [EDX+2C] 004018E8 83F8FF CMP EAX,-01 004018EB 7505 JNZ 004018F2 004018ED BF04000000 MOV EDI,00000004 004018F2 8B06 MOV EAX,[ESI] 004018F4 8B4804 MOV ECX,[EAX+04] 004018F7 03CE ADD ECX,ESI 004018F9 85FF TEST EDI,EDI 004018FB 7416 JZ 00401913 004018FD 8B4104 MOV EAX,[ECX+04] 00401900 8B5128 MOV EDX,[ECX+28] 00401903 0BC7 OR EAX,EDI 00401905 85D2 TEST EDX,EDX 00401907 7502 JNZ 0040190B 00401909 0C04 OR AL,04 0040190B 6A00 PUSH 00 0040190D 50 PUSH EAX 0040190E E8BE1E0000 CALL 004037D1 00401913 68E8504100 PUSH 004150E8 ; "pause" 00401918 E8983E0000 CALL 004057B5 0040191D 83C404 ADD ESP,04 00401920 33C0 XOR EAX,EAX 00401922 5F POP EDI 00401923 5E POP ESI 00401924 5B POP EBX 00401925 81C498040000 ADD ESP,00000498 0040192B C3 RET 我当时生成的注册码为: 0023:0012FA74 6A 6B 6F 64 71 58 56 56-51 42 3B 42 3F 3B 3B 77 jkodqXVVQB;B?;;w 0023:0012FA84 78 66 67 6E 4C 50 54 41-41 30 45 33 47 49 64 79 xfgnLPTAA0E3GIdy 0023:0012FA94 6B 6F 77 48 48 54 4D 45-48 38 37 37 30 00 40 00 kowHHTMEH8770.@. 0023:0012FAA4 32 1A 40 00 33 00 37 00-F0 8C 41 00 06 00 00 00 2.@.3.7...A..... 上传的附件： Crackme3.rar （42.88kb，21次下载） 2013-11-4 21:10 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 8 楼使用 messageboxa 可以找到注册码部分程序如下: 00401F90 55 PUSH EBP 00401F91 8BEC MOV EBP,ESP 00401F93 81ECD0000000 SUB ESP,000000D0 00401F99 A150DD5600 MOV EAX,[0056DD50] 00401F9E 33C5 XOR EAX,EBP 00401FA0 8945FC MOV [EBP-04],EAX 00401FA3 53 PUSH EBX 00401FA4 8BD9 MOV EBX,ECX 00401FA6 56 PUSH ESI 00401FA7 8BC3 MOV EAX,EBX 00401FA9 57 PUSH EDI 00401FAA BF01000000 MOV EDI,00000001 00401FAF 8D5001 LEA EDX,[EAX+01] 00401FB2 8A08 MOV CL,[EAX] 00401FB4 40 INC EAX 00401FB5 84C9 TEST CL,CL 00401FB7 75F9 JNZ 00401FB2 00401FB9 2BC2 SUB EAX,EDX 00401FBB 8BF0 MOV ESI,EAX 00401FBD 85F6 TEST ESI,ESI 00401FBF 7E0E JLE 00401FCF 00401FC1 56 PUSH ESI 00401FC2 8D45C8 LEA EAX,[EBP-38] 00401FC5 53 PUSH EBX 00401FC6 50 PUSH EAX 00401FC7 E804FD0F00 CALL 00501CD0 00401FCC 83C40C ADD ESP,0C 00401FCF 33C0 XOR EAX,EAX 00401FD1 85F6 TEST ESI,ESI 00401FD3 7E0D JLE 00401FE2 00401FD5 0FBE4C05C8 MOVSX ECX,BYTE PTR [EAX+EBP-38] 00401FDA 40 INC EAX 00401FDB 0FAFF9 IMUL EDI,ECX 00401FDE 3BC6 CMP EAX,ESI 00401FE0 7CF3 JL 00401FD5 00401FE2 6A0A PUSH 0A 00401FE4 8D55C8 LEA EDX,[EBP-38] 00401FE7 52 PUSH EDX 00401FE8 57 PUSH EDI 00401FE9 E806581100 CALL 005177F4 00401FEE 8D45C8 LEA EAX,[EBP-38] 00401FF1 83C40C ADD ESP,0C 00401FF4 33C9 XOR ECX,ECX 00401FF6 8D7001 LEA ESI,[EAX+01] 00401FF9 8DA42400000000 LEA ESP,[ESP+00000000] 00402000 8A10 MOV DL,[EAX] 00402002 40 INC EAX 00402003 84D2 TEST DL,DL 00402005 75F9 JNZ 00402000 00402007 2BC6 SUB EAX,ESI 00402009 48 DEC EAX 0040200A 85C0 TEST EAX,EAX 0040200C 7E18 JLE 00402026 0040200E 8BFF MOV EDI,EDI 00402010 8A5C05C8 MOV BL,[EAX+EBP-38] 00402014 8A540DC8 MOV DL,[ECX+EBP-38] 00402018 885C0DC8 MOV [ECX+EBP-38],BL 0040201C 885405C8 MOV [EAX+EBP-38],DL 00402020 41 INC ECX 00402021 48 DEC EAX 00402022 3BC8 CMP ECX,EAX 00402024 7CEA JL 00402010 00402026 8D45C8 LEA EAX,[EBP-38] 00402029 50 PUSH EAX 0040202A E8EBF90F00 CALL 00501A1A 0040202F 6A0A PUSH 0A 00402031 8D8D30FFFFFF LEA ECX,[EBP-00D0] 00402037 03C7 ADD EAX,EDI 00402039 51 PUSH ECX 0040203A 50 PUSH EAX 0040203B E8B4571100 CALL 005177F4 00402040 8B1548DE5400 MOV EDX,[0054DE48] 00402046 66A14CDE5400 MOV AX,[0054DE4C] 0040204C 6A5E PUSH 5E 0040204E 8D8D6AFFFFFF LEA ECX,[EBP-0096] 00402054 6A00 PUSH 00 00402056 51 PUSH ECX 00402057 899564FFFFFF MOV [EBP-009C],EDX 0040205D 66898568FFFFFF MOV [EBP-0098],AX 00402064 E827191000 CALL 00503990 00402069 8D8530FFFFFF LEA EAX,[EBP-00D0] 0040206F 83C41C ADD ESP,1C 00402072 8BC8 MOV ECX,EAX 00402074 8A10 MOV DL,[EAX] 00402076 40 INC EAX 00402077 84D2 TEST DL,DL 00402079 75F9 JNZ 00402074 0040207B 8DBD64FFFFFF LEA EDI,[EBP-009C] 00402081 2BC1 SUB EAX,ECX 00402083 8BF1 MOV ESI,ECX 00402085 4F DEC EDI 00402086 8A4F01 MOV CL,[EDI+01] 00402089 47 INC EDI 0040208A 84C9 TEST CL,CL 0040208C 75F8 JNZ 00402086 0040208E 8BC8 MOV ECX,EAX 00402090 C1E902 SHR ECX,02 00402093 F3A5 REPZ MOVSD 00402095 8BC8 MOV ECX,EAX 00402097 83E103 AND ECX,03 0040209A F3A4 REPZ MOVSB 0040209C 8B4D08 MOV ECX,[EBP+08] 0040209F 5F POP EDI 004020A0 5E POP ESI 004020A1 8D8564FFFFFF LEA EAX,[EBP-009C] 004020A7 5B POP EBX 004020A8 8A10 MOV DL,[EAX] ;;;注册码比较部分 004020AA 3A11 CMP DL,[ECX] ;;; 004020AC 751A JNZ 004020C8 004020AE 84D2 TEST DL,DL 004020B0 7412 JZ 004020C4 004020B2 8A5001 MOV DL,[EAX+01] 004020B5 3A5101 CMP DL,[ECX+01] 004020B8 750E JNZ 004020C8 004020BA 83C002 ADD EAX,02 004020BD 83C102 ADD ECX,02 004020C0 84D2 TEST DL,DL 004020C2 75E4 JNZ 004020A8 004020C4 33C0 XOR EAX,EAX 004020C6 EB05 JMP 004020CD 004020C8 1BC0 SBB EAX,EAX 004020CA 83D8FF SBB EAX,-01 004020CD 6A00 PUSH 00 004020CF 85C0 TEST EAX,EAX 004020D1 750C JNZ 004020DF 004020D3 6850DE5400 PUSH 0054DE50 ; "Cracked!" 004020D8 685CDE5400 PUSH 0054DE5C ; "LOL~" 004020DD EB0A JMP 004020E9 004020DF 6864DE5400 PUSH 0054DE64 ; "Sorry :(" 004020E4 6870DE5400 PUSH 0054DE70 ; "Try Again!" 004020E9 6A00 PUSH 00 004020EB FF1544585200 CALL [USER32!MessageBoxA] 004020F1 8B4DFC MOV ECX,[EBP-04] 004020F4 33CD XOR ECX,EBP 004020F6 E81CE80F00 CALL 00500917 004020FB 8BE5 MOV ESP,EBP 004020FD 5D POP EBP 004020FE C3 RET 输入 crackme 是从内存中得到注册码 :d eax l 10 0010:0012F71C 78 64 73 65 63 2D 32 36-35 34 30 36 34 32 37 00 xdsec-265406427. 胡乱输入的注册码 :d ecx l 10 0010:00DA8750 73 61 64 66 73 64 61 66-73 00 00 00 00 00 00 00 sadfsdafs....... 上传的附件： crackme5.rar （710.24kb，71次下载） 2013-11-4 21:19 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 9 楼这个允许爆破，爆破点如下：据说算法很强悍，想练手的可以分析下。使用messageboxa可以找到这个位置，分析后得到爆破点的。 :ueip l 50 00402133 MOV AL,[ESI+EBP-6C] 00402137 CMP AL,[ESI+EBP-00A0] 0040213E JZ 00402169 ;;;爆破点把74修改为EB后的校验码是：966A91D6校验码放置位置在后面 00402140 PUSH 00 00402142 LEA EAX,[EBP-20] 00402145 PUSH EAX 00402146 LEA EBX,[EBP-18] 00402149 PUSH EBX 0040214A PUSH 00 0040214C MOV EAX,[EBP-02B0] 00402152 CALL EAX 00402154 MOV EAX,[EBP-02BC] 0040215A PUSH 00 0040215C PUSH 00 0040215E PUSH 12 00402160 PUSH DWORD PTR [EAX+20] 00402163 CALL [USER32!PostMessageA] 00402169 INC ESI 0040216A CMP ESI,10 0040216D JL 00402133 0040216F PUSH 00 00402171 LEA EAX,[EBP-28] 00402174 PUSH EAX 00402175 LEA EBX,[EBP-7C] 00402178 PUSH EBX 00402179 PUSH 00 0040217B MOV EAX,[EBP-02B0] 00402181 CALL EAX 该程序对文件进行校验，防止修改现给出校验部分的代码及位置 004024D1 PUSH EBX 004024D2 PUSH 00000080 004024D7 PUSH 03 004024D9 PUSH EBX 004024DA PUSH 01 004024DC PUSH 80000000 004024E1 LEA EAX,[EBP-0108] 004024E7 PUSH EAX 004024E8 CALL [KERNEL32!CreateFileA] ;;;打开crackme2.exe 004024EE PUSH EBX 004024EF PUSH EAX 004024F0 MOV [EBP+FFFFFAF4],EAX 004024F6 CALL [KERNEL32!GetFileSize] ;;;得到文件长度 004024FC MOV ESI,EAX 004024FE PUSH ESI 004024FF CALL 004025FE 00402504 POP ECX 00402505 PUSH EBX 00402506 MOV EDI,EAX 00402508 LEA EAX,[EBP+FFFFFAF0] 0040250E PUSH EAX 0040250F PUSH ESI 00402510 PUSH EDI 00402511 PUSH DWORD PTR [EBP+FFFFFAF4] 00402517 CALL [KERNEL32!ReadFile] 0040251D PUSH DWORD PTR [EBP+FFFFFAF4] 00402523 CALL [KERNEL32!CloseHandle] 00402529 MOV EAX,[EDI+3C] 0040252C SUB ESI,EAX 0040252E ADD EDI,EAX 00402530 MOV [EBP+FFFFFAF4],ESI 00402536 MOV ESI,EDI 00402538 XOR EAX,EAX 0040253A PUSH 08 0040253C MOV ECX,EAX 0040253E POP EDX 0040253F TEST CL,01 00402542 JZ 0040254E 00402544 SHR ECX,1 00402546 XOR ECX,EDB88320 0040254C JMP 00402550 0040254E SHR ECX,1 00402550 DEC EDX 00402551 CMP EDX,EBX 00402553 JG 0040253F 00402555 MOV [EAX4+EBP+FFFFFAF8],ECX 0040255C INC EAX 0040255D CMP EAX,00000100 00402562 JL 0040253A 00402564 OR EAX,-01 00402567 JMP 00402585 00402569 MOVZX ECX,BYTE PTR [ESI] 0040256C DEC DWORD PTR [EBP+FFFFFAF4] 00402572 XOR ECX,EAX 00402574 AND ECX,000000FF 0040257A SHR EAX,08 0040257D XOR EAX,[ECX4+EBP+FFFFFAF8] 00402584 INC ESI 00402585 CMP [EBP+FFFFFAF4],EBX 0040258B JNZ 00402569 0040258D XOR ECX,ECX 0040258F NOT EAX 00402591 CMP [EDI-04],EAX ;;;校验文件是否被修改了 00402594 POP EDI 00402595 SETZ CL 00402598 POP ESI 00402599 POP EBX 0040259A MOV EAX,ECX 0040259C MOV ECX,[EBP-04] 0040259F XOR ECX,EBP 004025A1 CALL 00500784 004025A6 LEAVE 004025A7 RET 004025A8 JMP 00407090 00F80020 00905A4D 00000003 00000004 0000FFFF MZ.............. 00F80030 000000B8 00000000 00000040 00000000 ........@....... 00F80040 00000000 00000000 00000000 00000000 ................ 00F80050 00000000 00000000 00000000 000000F0 ................ 00F80060 0EBA1F0E CD09B400 4C01B821 685421CD ........!..L.!Th 00F80070 70207369 72676F72 63206D61 6F6E6E61 is program canno 00F80080 65622074 6E757220 206E6920 20534F44 t be run in DOS 00F80090 65646F6D 0A0D0D2E 00000024 00000000 mode....$....... 00F800A0 9CA2CFAE CFCCAEEA CFCCAEEA CFCCAEEA ................ 00F800B0 CF4FD6E3 CFCCAEE5 CF5FD6E3 CFCCAEC9 ..O......._..... 00F800C0 CFCDAEEA CFCCAC10 CF52D885 CFCCAEC7 ..........R..... 00F800D0 CF66D885 CFCCAE43 CF67D885 CFCCAF6D ..f.C.....g.m... 00F800E0 CF63D885 CFCCAEEE CF56D885 CFCCAEEB ..c.......V..... 00F800F0 CF51D885 CFCCAEEB 68636952 CFCCAEEA ..Q.....Rich.... 00F80100 00000000 00000000 00000000 914567B7 [保存文件校验DWROD的位置] ---------------文件校验开始位置-------------------------------------- 00F80110 00004550 0005014C 5242C28C 00000000 PE..L.....BR.... 00F80120 00000000 010200E0 000A010B 00123A00 .............:.. 00F80130 00076A00 00000000 00100E5E 00001000 .j......^....... 00F80140 00125000 00400000 00001000 00000200 .P....@......... 00F80150 00010005 00000000 00010005 00000000 ................ 00F80160 001A5000 00000400 001A1F7A 81400002 .P......z.....@. 00F80170 00100000 00001000 00100000 00001000 ................ 00F80180 00000000 00000010 00000000 00000000 ................ 00F80190 00164E3C 00000168 00177000 000045A4 <N..h....p...E.. 00F801A0 00000000 00000000 00000000 00000000 ................ 00F801B0 0017C000 0001A7E8 00125D40 0000001C ........@]...... 00F801C0 00000000 00000000 00000000 00000000 ................ 00F801D0 00000000 00000000 0014E078 00000040 ........x...@... 00F801E0 00000000 00000000 00125000 0000096C .........P..l... 00F801F0 00000000 00000000 00000000 00000000 ................ 00F80200 00000000 00000000 7865742E 00000074 .........text... 00F80210 00123837 00001000 00123A00 00000400 78.......:...... 上传的附件： crackme2.rar （635.08kb，30次下载） 2013-11-4 21:30 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 10 楼以上就是去上海协助网友比赛时，他给的xdsec的5个crackme。到此结束了。 2013-11-4 21:37 0
墨非雪币： 32 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 214 粉丝 0 关注私信	墨非 11 楼膜拜之，很想说私信给我联系方式吧！ 2013-11-25 23:08 0
o丨Reborn 雪币： 5 活跃值： (27) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	o丨Reborn 12 楼请问是如何快速定位文件效验这部分的? 经验么... 2014-4-1 18:17 0
hbcld 雪币： 43 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 238 粉丝 0 关注私信	hbcld 13 楼致谢楼主！ 2014-7-12 09:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

softdebug

发帖

回帖

250

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (12)
求学磊磊雪币： 458 活跃值： (207) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	求学磊磊 2 楼 http://bbs.pediy.com/showthread.php?t=129173&highlight=8s 貌似一模一样 2013-11-4 12:12 0
hunxiaozi 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 134 粉丝 0 关注私信	hunxiaozi 3 楼好像答案上也是这么写的 2013-11-4 12:51 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 4 楼，前几天，协助网友参加chinaisg的决赛时，他给了我5个crackme，让我没有事时候分析下，N久不碰这些东西，昨天清闲就分析了下，在论坛潜水很久了，所以就简单写了下露个脸。让您见笑了。 2013-11-4 19:52 0
viphack 雪币： 219 活跃值： (783) 能力值： (RANK：290 ) 在线值：发帖 135 回帖 1009 粉丝 42 关注私信	viphack 4 5 楼顶起。。。。 2013-11-4 20:03 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 6 楼第一个crackme 注册码只于输入的字符长度相关。输入的长度最少是4个，为了定位可以输入少于四个字符，这样可以使用messageboxa进入相关部分定位下面是两组注册码，及相关注册码验证，生成部分。 NAMEAA 21347 6685 1111 20010 5348 00401A18 55 PUSH EBP 00401A19 8BEC MOV EBP,ESP 00401A1B 83C494 ADD ESP,-6C 00401A1E 53 PUSH EBX 00401A1F 56 PUSH ESI 00401A20 57 PUSH EDI 00401A21 8BD8 MOV EBX,EAX 00401A23 8D75A4 LEA ESI,[EBP-5C] 00401A26 B8F0724800 MOV EAX,004872F0 00401A2B E838410600 CALL 00465B68 00401A30 66C746101800 MOV WORD PTR [ESI+10],0018 00401A36 8D45FC LEA EAX,[EBP-04] 00401A39 E862030000 CALL 00401DA0 00401A3E 8BD0 MOV EDX,EAX 00401A40 FF461C INC DWORD PTR [ESI+1C] 00401A43 8B8364030000 MOV EAX,[EBX+00000364] 00401A49 E842B40400 CALL 0044CE90 00401A4E 837DFC00 CMP DWORD PTR [EBP-04],00 00401A52 7408 JZ 00401A5C 00401A54 8B55FC MOV EDX,[EBP-04] 00401A57 8B4AFC MOV ECX,[EDX-04] 00401A5A EB02 JMP 00401A5E 00401A5C 33C9 XOR ECX,ECX 00401A5E 8D3C89 LEA EDI,[ECX4+ECX] 00401A61 8D45FC LEA EAX,[EBP-04] 00401A64 BA02000000 MOV EDX,00000002 00401A69 8D3CB9 LEA EDI,[EDI4+ECX] 00401A6C C1E703 SHL EDI,03 00401A6F 2BF9 SUB EDI,ECX 00401A71 8D3CF9 LEA EDI,[EDI*8+ECX] 00401A74 81C7A31C0000 ADD EDI,00001CA3 00401A7A FF4E1C DEC DWORD PTR [ESI+1C] 00401A7D E8D2110700 CALL 00472C54 00401A82 66C746100C00 MOV WORD PTR [ESI+10],000C 00401A88 66C746102400 MOV WORD PTR [ESI+10],0024 00401A8E 8D45F8 LEA EAX,[EBP-08] 00401A91 E80A030000 CALL 00401DA0 00401A96 8BD0 MOV EDX,EAX 00401A98 FF461C INC DWORD PTR [ESI+1C] 00401A9B 8B8370030000 MOV EAX,[EBX+00000370] 00401AA1 E8EAB30400 CALL 0044CE90 00401AA6 8D55F8 LEA EDX,[EBP-08] 00401AA9 52 PUSH EDX 00401AAA 8D45F4 LEA EAX,[EBP-0C] 00401AAD 8B55A0 MOV EDX,[EBP-60] 00401AB0 E85B110700 CALL 00472C10 00401AB5 FF461C INC DWORD PTR [ESI+1C] 00401AB8 8D55F4 LEA EDX,[EBP-0C] 00401ABB 58 POP EAX 00401ABC E8D7110700 CALL 00472C98 00401AC1 50 PUSH EAX 00401AC2 FF4E1C DEC DWORD PTR [ESI+1C] 00401AC5 8D45F4 LEA EAX,[EBP-0C] 00401AC8 BA02000000 MOV EDX,00000002 00401ACD E882110700 CALL 00472C54 00401AD2 FF4E1C DEC DWORD PTR [ESI+1C] 00401AD5 8D45F8 LEA EAX,[EBP-08] 00401AD8 BA02000000 MOV EDX,00000002 00401ADD E872110700 CALL 00472C54 00401AE2 59 POP ECX 00401AE3 84C9 TEST CL,CL 00401AE5 740C JZ 00401AF3 00401AE7 A1CCF44800 MOV EAX,[0048F4CC] 00401AEC 8B00 MOV EAX,[EAX] 00401AEE E89D260400 CALL 00444190 00401AF3 66C746103000 MOV WORD PTR [ESI+10],0030 00401AF9 8D45F0 LEA EAX,[EBP-10] 00401AFC E89F020000 CALL 00401DA0 00401B01 8BD0 MOV EDX,EAX 00401B03 FF461C INC DWORD PTR [ESI+1C] 00401B06 8B8370030000 MOV EAX,[EBX+00000370] 00401B0C E87FB30400 CALL 0044CE90 00401B11 8D55F0 LEA EDX,[EBP-10] 00401B14 52 PUSH EDX 00401B15 8D45EC LEA EAX,[EBP-14] 00401B18 8B559C MOV EDX,[EBP-64] 00401B1B E8F0100700 CALL 00472C10 00401B20 FF461C INC DWORD PTR [ESI+1C] 00401B23 8D55EC LEA EDX,[EBP-14] 00401B26 58 POP EAX 00401B27 E86C110700 CALL 00472C98 00401B2C 50 PUSH EAX 00401B2D FF4E1C DEC DWORD PTR [ESI+1C] 00401B30 8D45EC LEA EAX,[EBP-14] 00401B33 BA02000000 MOV EDX,00000002 00401B38 E817110700 CALL 00472C54 00401B3D FF4E1C DEC DWORD PTR [ESI+1C] 00401B40 8D45F0 LEA EAX,[EBP-10] 00401B43 BA02000000 MOV EDX,00000002 00401B48 E807110700 CALL 00472C54 00401B4D 59 POP ECX 00401B4E 84C9 TEST CL,CL 00401B50 740C JZ 00401B5E 00401B52 A1CCF44800 MOV EAX,[0048F4CC] 00401B57 8B00 MOV EAX,[EAX] 00401B59 E832260400 CALL 00444190 00401B5E 66C746103C00 MOV WORD PTR [ESI+10],003C 00401B64 8D45E8 LEA EAX,[EBP-18] 00401B67 E834020000 CALL 00401DA0 00401B6C 8BD0 MOV EDX,EAX 00401B6E FF461C INC DWORD PTR [ESI+1C] 00401B71 8B8370030000 MOV EAX,[EBX+00000370] 00401B77 E814B30400 CALL 0044CE90 00401B7C 8D55E8 LEA EDX,[EBP-18] 00401B7F 52 PUSH EDX 00401B80 8D45E4 LEA EAX,[EBP-1C] 00401B83 8B5598 MOV EDX,[EBP-68] 00401B86 E885100700 CALL 00472C10 00401B8B FF461C INC DWORD PTR [ESI+1C] 00401B8E 8D55E4 LEA EDX,[EBP-1C] 00401B91 58 POP EAX 00401B92 E801110700 CALL 00472C98 00401B97 50 PUSH EAX 00401B98 FF4E1C DEC DWORD PTR [ESI+1C] 00401B9B 8D45E4 LEA EAX,[EBP-1C] 00401B9E BA02000000 MOV EDX,00000002 00401BA3 E8AC100700 CALL 00472C54 00401BA8 FF4E1C DEC DWORD PTR [ESI+1C] 00401BAB 8D45E8 LEA EAX,[EBP-18] 00401BAE BA02000000 MOV EDX,00000002 00401BB3 E89C100700 CALL 00472C54 00401BB8 59 POP ECX 00401BB9 84C9 TEST CL,CL 00401BBB 740C JZ 00401BC9 00401BBD A1CCF44800 MOV EAX,[0048F4CC] 00401BC2 8B00 MOV EAX,[EAX] 00401BC4 E8C7250400 CALL 00444190 00401BC9 66C746104800 MOV WORD PTR [ESI+10],0048 00401BCF 8D45E0 LEA EAX,[EBP-20] 00401BD2 E8C9010000 CALL 00401DA0 00401BD7 8BD0 MOV EDX,EAX 00401BD9 FF461C INC DWORD PTR [ESI+1C] 00401BDC 8B8370030000 MOV EAX,[EBX+00000370] 00401BE2 E8A9B20400 CALL 0044CE90 00401BE7 8D55E0 LEA EDX,[EBP-20] 00401BEA 52 PUSH EDX 00401BEB 8D45DC LEA EAX,[EBP-24] 00401BEE 8B5594 MOV EDX,[EBP-6C] 00401BF1 E81A100700 CALL 00472C10 00401BF6 FF461C INC DWORD PTR [ESI+1C] 00401BF9 8D55DC LEA EDX,[EBP-24] 00401BFC 58 POP EAX 00401BFD E896100700 CALL 00472C98 00401C02 50 PUSH EAX 00401C03 FF4E1C DEC DWORD PTR [ESI+1C] 00401C06 8D45DC LEA EAX,[EBP-24] 00401C09 BA02000000 MOV EDX,00000002 00401C0E E841100700 CALL 00472C54 00401C13 FF4E1C DEC DWORD PTR [ESI+1C] 00401C16 8D45E0 LEA EAX,[EBP-20] 00401C19 BA02000000 MOV EDX,00000002 00401C1E E831100700 CALL 00472C54 00401C23 59 POP ECX 00401C24 84C9 TEST CL,CL 00401C26 740C JZ 00401C34 00401C28 A1CCF44800 MOV EAX,[0048F4CC] 00401C2D 8B00 MOV EAX,[EAX] 00401C2F E85C250400 CALL 00444190 00401C34 66C746105400 MOV WORD PTR [ESI+10],0054 00401C3A 8D45D8 LEA EAX,[EBP-28] 00401C3D E85E010000 CALL 00401DA0 00401C42 8BD0 MOV EDX,EAX 00401C44 FF461C INC DWORD PTR [ESI+1C] 00401C47 8B8364030000 MOV EAX,[EBX+00000364] 00401C4D E83EB20400 CALL 0044CE90 00401C52 837DD800 CMP DWORD PTR [EBP-28],00 00401C56 7408 JZ 00401C60 00401C58 8B55D8 MOV EDX,[EBP-28] 00401C5B 8B4AFC MOV ECX,[EDX-04] 00401C5E EB02 JMP 00401C62 00401C60 33C9 XOR ECX,ECX 00401C62 83F904 CMP ECX,04 00401C65 BA02000000 MOV EDX,00000002 00401C6A 0F9CC0 SETL AL 00401C6D 83E001 AND EAX,01 00401C70 50 PUSH EAX 00401C71 8D45D8 LEA EAX,[EBP-28] 00401C74 FF4E1C DEC DWORD PTR [ESI+1C] 00401C77 E8D80F0700 CALL 00472C54 00401C7C 59 POP ECX 00401C7D 84C9 TEST CL,CL 00401C7F 7418 JZ 00401C99 ;;;长度低于4个提示 00401C81 6A00 PUSH 00 00401C83 68C4714800 PUSH 004871C4 ; "BEEP!" 00401C88 68A6714800 PUSH 004871A6 ; "At least, more than 4 l 00401C8D 6A00 PUSH 00 00401C8F E8204D0800 CALL USER32!MessageBoxA 00401C94 E9F6000000 JMP 00401D8F 00401C99 66C746106000 MOV WORD PTR [ESI+10],0060 00401C9F 8D45D4 LEA EAX,[EBP-2C] 00401CA2 E8F9000000 CALL 00401DA0 00401CA7 8BD0 MOV EDX,EAX 00401CA9 FF461C INC DWORD PTR [ESI+1C] 00401CAC 8B8370030000 MOV EAX,[EBX+00000370] 00401CB2 E8D9B10400 CALL 0044CE90 00401CB7 8D55D4 LEA EDX,[EBP-2C] 00401CBA 52 PUSH EDX 00401CBB 8D97A31C0000 LEA EDX,[EDI+00001CA3] 00401CC1 8D45D0 LEA EAX,[EBP-30] 00401CC4 E8470F0700 CALL 00472C10 00401CC9 FF461C INC DWORD PTR [ESI+1C] 00401CCC 8D55D0 LEA EDX,[EBP-30] 00401CCF 58 POP EAX 00401CD0 E8C30F0700 CALL 00472C98 00401CD5 50 PUSH EAX 00401CD6 FF4E1C DEC DWORD PTR [ESI+1C] 00401CD9 8D45D0 LEA EAX,[EBP-30] 00401CDC BA02000000 MOV EDX,00000002 00401CE1 E86E0F0700 CALL 00472C54 00401CE6 FF4E1C DEC DWORD PTR [ESI+1C] 00401CE9 8D45D4 LEA EAX,[EBP-2C] 00401CEC BA02000000 MOV EDX,00000002 00401CF1 E85E0F0700 CALL 00472C54 00401CF6 59 POP ECX 00401CF7 84C9 TEST CL,CL 00401CF9 0F8483000000 JZ 00401D82 00401CFF 66C746106C00 MOV WORD PTR [ESI+10],006C 00401D05 8D45CC LEA EAX,[EBP-34] 00401D08 E893000000 CALL 00401DA0 00401D0D 8BD0 MOV EDX,EAX 00401D0F FF461C INC DWORD PTR [ESI+1C] 00401D12 8B8378030000 MOV EAX,[EBX+00000378] 00401D18 E873B10400 CALL 0044CE90 00401D1D 8D55CC LEA EDX,[EBP-34] 00401D20 52 PUSH EDX 00401D21 8D975DE3FFFF LEA EDX,[EDI+FFFFE35D] 00401D27 8D45C8 LEA EAX,[EBP-38] 00401D2A E8E10E0700 CALL 00472C10 00401D2F FF461C INC DWORD PTR [ESI+1C] 00401D32 8D55C8 LEA EDX,[EBP-38] 00401D35 58 POP EAX 00401D36 E85D0F0700 CALL 00472C98 00401D3B 50 PUSH EAX 00401D3C FF4E1C DEC DWORD PTR [ESI+1C] 00401D3F 8D45C8 LEA EAX,[EBP-38] 00401D42 BA02000000 MOV EDX,00000002 00401D47 E8080F0700 CALL 00472C54 00401D4C FF4E1C DEC DWORD PTR [ESI+1C] 00401D4F 8D45CC LEA EAX,[EBP-34] 00401D52 BA02000000 MOV EDX,00000002 00401D57 E8F80E0700 CALL 00472C54 00401D5C 59 POP ECX 00401D5D 84C9 TEST CL,CL 00401D5F 7413 JZ 00401D74 ;;;注册码不正确转移 00401D61 6A00 PUSH 00 00401D63 68EB714800 PUSH 004871EB ; "Correct!" 00401D68 68CA714800 PUSH 004871CA ; "Good!Give us your key!" 00401D6D 6A00 PUSH 00 00401D6F E8404C0800 CALL USER32!MessageBoxA 00401D74 A1CCF44800 MOV EAX,[0048F4CC] 00401D79 8B00 MOV EAX,[EAX] 00401D7B E810240400 CALL 00444190 00401D80 EB0D JMP 00401D8F 00401D82 8B15CCF44800 MOV EDX,[0048F4CC] 00401D88 8B02 MOV EAX,[EDX] 00401D8A E801240400 CALL 00444190 00401D8F 8B16 MOV EDX,[ESI] 00401D91 64891500000000 MOV FS:[00000000],EDX 00401D98 5F POP EDI 00401D99 5E POP ESI 00401D9A 5B POP EBX 00401D9B 8BE5 MOV ESP,EBP 00401D9D 5D POP EBP 00401D9E C3 RET 上传的附件： Crackme1.rar （253.44kb，42次下载） 2013-11-4 21:02 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 7 楼第三个 crackme, 提示信息做的加密，解密后字符串及相关比较生成注册码后面给出。但注册码是把时间作为随机数生成算法的初始值。所以每次都不同的。 :desp+78 l 9 0023:0012FB58 49 6E 63 6F 72 72 65 63-74 00 48 02 21 32 25 3E Incorrect.H.!2%> :desp+1c l 9 0023:0012FAFC 47 72 65 61 74 21 00 42-00 FD 12 00 59 6F 75 00 Great!.B....You. :desp+28 l 9 0023:0012FB08 59 6F 75 00 74 68 65 00-79 70 67 74 00 00 00 00 You.the.ypgt.... :desp+5c l 9 0023:0012FB3C 70 61 73 73 65 64 00 02-50 6C 65 61 73 65 00 02 passed..Please.. :desp+2c l 9 0023:0012FB0C 74 68 65 00 79 70 67 74-00 00 00 00 39 28 3A 3A the.ypgt....9(:: :desp+94 l 9 0023:0012FB74 76 65 72 69 66 69 63 61-74 69 6F 6E 21 00 48 02 verification!.H. :desp+14 l 9 0023:0012FAF4 68 61 76 65 00 00 12 00-47 72 65 61 74 21 00 42 have....Great!.B :desp+48 l 10 0023:0012FB28 50 61 73 73 77 6F 72 64-00 02 48 02 55 49 44 00 Password..H.UID. :d esp+64 l10 0023:0012FB44 50 6C 65 61 73 65 00 02-79 5E 53 5F 42 42 55 53 Please..y^S_BBUS :d esp+c l10 0023:0012FAEC 49 75 70 75 74 00 00 00-7B 47 42 47 46 00 12 00 Iuput...{GBGF... :d esp+48 l10 0023:0012FB28 50 61 73 73 77 6F 72 64-00 02 48 02 55 49 44 00 Password..H.UID. ================ Sun Nov 03 16:58:17 2013 00401300 83EC74 SUB ESP,74 00401303 8D442408 LEA EAX,[ESP+08] 00401307 56 PUSH ESI 00401308 50 PUSH EAX 00401309 FF152C214100 CALL [USER32!GetCursorPos] 0040130F 6A00 PUSH 00 00401311 E8C3430000 CALL 004056D9 00401316 50 PUSH EAX 00401317 E895430000 CALL 004056B1 0040131C 8B0D548C4100 MOV ECX,[00418C54] 00401322 BE09000000 MOV ESI,00000009 00401327 8BC1 MOV EAX,ECX 00401329 83C408 ADD ESP,08 0040132C 99 CDQ 0040132D F7FE IDIV ESI 0040132F 83FA02 CMP EDX,02 00401332 0F85D3000000 JNZ 0040140B 00401338 B8398EE338 MOV EAX,38E38E39 0040133D F7E9 IMUL ECX 0040133F D1FA SAR EDX,1 00401341 8BCA MOV ECX,EDX 00401343 C1E91F SHR ECX,1F 00401346 03D1 ADD EDX,ECX 00401348 83FA17 CMP EDX,17 0040134B 0F85BA000000 JNZ 0040140B 00401351 8B542404 MOV EDX,[ESP+04] 00401355 668B442408 MOV AX,[ESP+08] 0040135A 53 PUSH EBX 0040135B 55 PUSH EBP 0040135C 57 PUSH EDI 0040135D 89542420 MOV [ESP+20],EDX 00401361 6689442424 MOV [ESP+24],AX 00401366 33DB XOR EBX,EBX 00401368 53 PUSH EBX ;;; 00401369 8D4C2414 LEA ECX,[ESP+14] ;;; 0040136D 6A05 PUSH 05 ;;; 0040136F 51 PUSH ECX ;;; 00401370 E8DBFEFFFF CALL 00401250 ;;; 00401375 8B4C2428 MOV ECX,[ESP+28] ;;; 00401379 B81F85EB51 MOV EAX,51EB851F ;;; 0040137E F7E9 IMUL ECX ;;; 00401380 C1FA05 SAR EDX,05 ;;;得到一个特随机数 00401383 8BC2 MOV EAX,EDX ;;;根据这个随机数 00401385 83C40C ADD ESP,0C ;;;生成5个字符 00401388 C1E81F SHR EAX,1F ;;; 0040138B 03D0 ADD EDX,EAX ;;; 0040138D 3BDA CMP EBX,EDX ;;; 0040138F 7512 JNZ 004013A3 ;;; 00401391 8B4C2410 MOV ECX,[ESP+10] ;;; 00401395 668B442414 MOV AX,[ESP+14] ;;; 0040139A 894C2420 MOV [ESP+20],ECX ;;; 0040139E 6689442424 MOV [ESP+24],AX ;;; 004013A3 7E2D JLE 004013D2 ;;; 004013A5 8D7C2410 LEA EDI,[ESP+10] ;;; 004013A9 83C9FF OR ECX,-01 ;;; 004013AC 33C0 XOR EAX,EAX ;;; 004013AE 8D542420 LEA EDX,[ESP+20] ;;; 004013B2 F2AE REPNZ SCASB ;;; 004013B4 F7D1 NOT ECX ;;; 004013B6 2BF9 SUB EDI,ECX ;;; 004013B8 8BF7 MOV ESI,EDI ;;; 004013BA 8BE9 MOV EBP,ECX ;;; 004013BC 8BFA MOV EDI,EDX ;;; 004013BE 83C9FF OR ECX,-01 ;;; 004013C1 F2AE REPNZ SCASB ;;; 004013C3 8BCD MOV ECX,EBP ;;; 004013C5 4F DEC EDI ;;; 004013C6 C1E902 SHR ECX,02 ;;; 004013C9 F3A5 REPZ MOVSD ;;; 004013CB 8BCD MOV ECX,EBP ;;; 004013CD 83E103 AND ECX,03 ;;; 004013D0 F3A4 REPZ MOVSB ;;; 004013D2 43 INC EBX ;;; 004013D3 83FB0A CMP EBX,0A ;;;生成长度为45的串，输入的字符串必须与他相等 004013D6 7C90 JL 00401368 004013D8 8BB42488000000 MOV ESI,[ESP+00000088] 004013DF 56 PUSH ESI 004013E0 68808D4100 PUSH 00418D80 ; "X!A" 004013E5 E8A6070000 CALL 00401B90 004013EA 83C408 ADD ESP,08 004013ED E80EFCFFFF CALL 00401000 004013F2 8D442420 LEA EAX,[ESP+20] 004013F6 50 PUSH EAX 004013F7 56 PUSH ESI 004013F8 FF150C204100 CALL [KERNEL32!lstrcmp] 004013FE F7D8 NEG EAX 00401400 5F POP EDI 00401401 5D POP EBP 00401402 1BC0 SBB EAX,EAX 00401404 5B POP EBX 00401405 40 INC EAX 00401406 5E POP ESI 00401407 83C474 ADD ESP,74 0040140A C3 RET 0040140B 6A00 PUSH 00 0040140D E8CA410000 CALL 004055DC 00401412 90 NOP 00401420 81EC98040000 SUB ESP,00000498 00401426 53 PUSH EBX 00401427 56 PUSH ESI 00401428 57 PUSH EDI 00401429 A148514100 MOV EAX,[00415148] ; "a]TPBT" 0040142E 668B0D4C514100 MOV CX,[0041514C] 00401435 8A154E514100 MOV DL,[0041514E] 0040143B 8944240C MOV [ESP+0C],EAX 0040143F A140514100 MOV EAX,[00415140] ; "{GBGF" 00401444 66894C2410 MOV [ESP+10],CX 00401449 668B0D44514100 MOV CX,[00415144] 00401450 89442414 MOV [ESP+14],EAX 00401454 A138514100 MOV EAX,[00415138] ; "QITB" 00401459 88542412 MOV [ESP+12],DL 0040145D 8B1534514100 MOV EDX,[00415134] 00401463 89442420 MOV [ESP+20],EAX 00401467 A12C514100 MOV EAX,[0041512C] ; "BBUSD" 0040146C 66894C2418 MOV [ESP+18],CX 00401471 8A0D3C514100 MOV CL,[0041513C] 00401477 8954241C MOV [ESP+1C],EDX 0040147B 8B1528514100 MOV EDX,[00415128] 00401481 89442470 MOV [ESP+70],EAX 00401485 66A124514100 MOV AX,[00415124] ; "`5" 0040148B 884C2424 MOV [ESP+24],CL 0040148F 668B0D30514100 MOV CX,[00415130] 00401496 8954246C MOV [ESP+6C],EDX 0040149A 8B1520514100 MOV EDX,[00415120] 004014A0 6689442444 MOV [ESP+44],AX 004014A5 A118514100 MOV EAX,[00415118] ; "ypgt" 004014AA 66894C2474 MOV [ESP+74],CX 004014AF 8A0D26514100 MOV CL,[00415126] 004014B5 89542440 MOV [ESP+40],EDX 004014B9 8B1514514100 MOV EDX,[00415114] 004014BF 89442430 MOV [ESP+30],EAX 004014C3 66A110514100 MOV AX,[00415110] ; ",-" 004014C9 884C2446 MOV [ESP+46],CL 004014CD 8A0D1C514100 MOV CL,[0041511C] 004014D3 89542458 MOV [ESP+58],EDX 004014D7 8B150C514100 MOV EDX,[0041510C] 004014DD 668944243C MOV [ESP+3C],AX 004014E2 A1FC504100 MOV EAX,[004150FC] ; "!2%>1>46#>89v" 004014E7 884C2434 MOV [ESP+34],CL 004014EB 8A0D12514100 MOV CL,[00415112] 004014F1 89542438 MOV [ESP+38],EDX 004014F5 8B15F8504100 MOV EDX,[004150F8] 004014FB 89842484000000 MOV [ESP+00000084],EAX 00401502 66A108514100 MOV AX,[00415108] 00401508 884C243E MOV [ESP+3E],CL 0040150C 8B0D00514100 MOV ECX,[00415100] 00401512 89542454 MOV [ESP+54],EDX 00401516 8B1504514100 MOV EDX,[00415104] 0040151C 6689842490000000 MOV [ESP+00000090],AX 00401524 898C2488000000 MOV [ESP+00000088],ECX 0040152B 8994248C000000 MOV [ESP+0000008C],EDX 00401532 33C0 XOR EAX,EAX 00401534 BB06000000 MOV EBX,00000006 00401539 8A4C040C MOV CL,[EAX+ESP+0C] 0040153D 80F131 XOR CL,31 00401540 884C0464 MOV [EAX+ESP+64],CL 00401544 40 INC EAX 00401545 3BC3 CMP EAX,EBX 00401547 7CF0 JL 00401539 00401549 C644246A00 MOV BYTE PTR [ESP+6A],00 0040154E 33C0 XOR EAX,EAX 00401550 8A540414 MOV DL,[EAX+ESP+14] 00401554 80F232 XOR DL,32 00401557 8854040C MOV [EAX+ESP+0C],DL 0040155B 40 INC EAX 0040155C 83F805 CMP EAX,05 0040155F 7CEF JL 00401550 00401561 C644241100 MOV BYTE PTR [ESP+11],00 00401566 33C0 XOR EAX,EAX 00401568 8A4C041C MOV CL,[EAX+ESP+1C] 0040156C 80F126 XOR CL,26 0040156F 884C0448 MOV [EAX+ESP+48],CL 00401573 40 INC EAX 00401574 83F808 CMP EAX,08 00401577 7CEF JL 00401568 00401579 C644245000 MOV BYTE PTR [ESP+50],00 0040157E E8DDFBFFFF CALL 00401160 00401583 8D542448 LEA EDX,[ESP+48] 00401587 68F4504100 PUSH 004150F4 0040158C 52 PUSH EDX 0040158D 8D442414 LEA EAX,[ESP+14] 00401591 68F0504100 PUSH 004150F0 00401596 50 PUSH EAX 00401597 8D4C2474 LEA ECX,[ESP+74] 0040159B 68F0504100 PUSH 004150F0 004015A0 51 PUSH ECX 004015A1 68F08C4100 PUSH 00418CF0 ; "P!A" 004015A6 E8850E0000 CALL 00402430 004015AB 83C408 ADD ESP,08 004015AE 50 PUSH EAX 004015AF E87C0E0000 CALL 00402430 004015B4 83C408 ADD ESP,08 004015B7 50 PUSH EAX 004015B8 E8730E0000 CALL 00402430 004015BD 83C408 ADD ESP,08 004015C0 50 PUSH EAX 004015C1 E86A0E0000 CALL 00402430 004015C6 83C408 ADD ESP,08 004015C9 50 PUSH EAX 004015CA E8610E0000 CALL 00402430 004015CF 83C408 ADD ESP,08 004015D2 50 PUSH EAX 004015D3 E8580E0000 CALL 00402430 004015D8 83C408 ADD ESP,08 004015DB 8BF0 MOV ESI,EAX 004015DD 8BCE MOV ECX,ESI 004015DF 6A0A PUSH 0A 004015E1 E84A030000 CALL 00401930 004015E6 8B16 MOV EDX,[ESI] 004015E8 33FF XOR EDI,EDI 004015EA 8B4204 MOV EAX,[EDX+04] 004015ED 03C6 ADD EAX,ESI 004015EF 845804 TEST [EAX+04],BL 004015F2 7514 JNZ 00401608 004015F4 8B4028 MOV EAX,[EAX+28] 004015F7 8BC8 MOV ECX,EAX 004015F9 8B10 MOV EDX,[EAX] 004015FB FF522C CALL [EDX+2C] 004015FE 83F8FF CMP EAX,-01 00401601 7505 JNZ 00401608 00401603 BF04000000 MOV EDI,00000004 00401608 8B06 MOV EAX,[ESI] 0040160A 8B4804 MOV ECX,[EAX+04] 0040160D 03CE ADD ECX,ESI 0040160F 85FF TEST EDI,EDI 00401611 7416 JZ 00401629 00401613 8B4104 MOV EAX,[ECX+04] 00401616 8B5128 MOV EDX,[ECX+28] 00401619 0BC7 OR EAX,EDI 0040161B 85D2 TEST EDX,EDX 0040161D 7502 JNZ 00401621 0040161F 0C04 OR AL,04 00401621 6A00 PUSH 00 00401623 50 PUSH EAX 00401624 E8A8210000 CALL 004037D1 00401629 E802FAFFFF CALL 00401030 0040162E 8D8C24A4000000 LEA ECX,[ESP+000000A4] 00401635 51 PUSH ECX 00401636 E8C5FCFFFF CALL 00401300 ;;;根据当前时间生成注册码，并与输入字符串比较 0040163B 83C404 ADD ESP,04 0040163E 8BF0 MOV ESI,EAX 00401640 33C0 XOR EAX,EAX 00401642 8A54046C MOV DL,[EAX+ESP+6C] 00401646 80F230 XOR DL,30 00401649 88540478 MOV [EAX+ESP+78],DL 0040164D 40 INC EAX 0040164E 83F809 CMP EAX,09 00401651 7CEF JL 00401642 00401653 C684248100000000 MOV BYTE PTR [ESP+00000081],00 0040165B 33C0 XOR EAX,EAX 0040165D 8A4C0440 MOV CL,[EAX+ESP+40] 00401661 80F114 XOR CL,14 00401664 884C041C MOV [EAX+ESP+1C],CL 00401668 40 INC EAX 00401669 3BC3 CMP EAX,EBX 0040166B 7CF0 JL 0040165D 0040166D C644242200 MOV BYTE PTR [ESP+22],00 00401672 33C0 XOR EAX,EAX 00401674 8A540458 MOV DL,[EAX+ESP+58] 00401678 80F219 XOR DL,19 0040167B 88540428 MOV [EAX+ESP+28],DL 0040167F 40 INC EAX 00401680 83F803 CMP EAX,03 00401683 7CEF JL 00401674 00401685 C644242B00 MOV BYTE PTR [ESP+2B],00 0040168A 33C0 XOR EAX,EAX 0040168C 8A4C0438 MOV CL,[EAX+ESP+38] 00401690 80F149 XOR CL,49 00401693 884C045C MOV [EAX+ESP+5C],CL 00401697 40 INC EAX 00401698 3BC3 CMP EAX,EBX 0040169A 7CF0 JL 0040168C 0040169C C644246200 MOV BYTE PTR [ESP+62],00 004016A1 33C0 XOR EAX,EAX 004016A3 8A540454 MOV DL,[EAX+ESP+54] 004016A7 80F221 XOR DL,21 004016AA 8854042C MOV [EAX+ESP+2C],DL 004016AE 40 INC EAX 004016AF 83F803 CMP EAX,03 004016B2 7CEF JL 004016A3 004016B4 C644242F00 MOV BYTE PTR [ESP+2F],00 004016B9 33C0 XOR EAX,EAX 004016BB 8A8C0484000000 MOV CL,[EAX+ESP+00000084] 004016C2 80F157 XOR CL,57 004016C5 888C0494000000 MOV [EAX+ESP+00000094],CL 004016CC 40 INC EAX 004016CD 83F80D CMP EAX,0D 004016D0 7CE9 JL 004016BB 004016D2 C68424A100000000 MOV BYTE PTR [ESP+000000A1],00 004016DA 33C0 XOR EAX,EAX 004016DC 8A540430 MOV DL,[EAX+ESP+30] 004016E0 80F211 XOR DL,11 004016E3 88540414 MOV [EAX+ESP+14],DL 004016E7 40 INC EAX 004016E8 83F804 CMP EAX,04 004016EB 7CEF JL 004016DC 004016ED 8B0D548C4100 MOV ECX,[00418C54] 004016F3 BF07000000 MOV EDI,00000007 004016F8 8BC1 MOV EAX,ECX 004016FA C644241800 MOV BYTE PTR [ESP+18],00 004016FF 99 CDQ 00401700 F7FF IDIV EDI 00401702 83FA03 CMP EDX,03 00401705 0F8588010000 JNZ 00401893 0040170B B893244992 MOV EAX,92492493 00401710 F7E9 IMUL ECX 00401712 03D1 ADD EDX,ECX 00401714 C1FA02 SAR EDX,02 00401717 8BC2 MOV EAX,EDX 00401719 C1E81F SHR EAX,1F 0040171C 03D0 ADD EDX,EAX 0040171E 83FA29 CMP EDX,29 00401721 0F856C010000 JNZ 00401893 00401727 85F6 TEST ESI,ESI 00401729 0F84E8000000 JZ 00401817 0040172F 8D8C2494000000 LEA ECX,[ESP+00000094] 00401736 8D54242C LEA EDX,[ESP+2C] 0040173A 51 PUSH ECX 0040173B 68F0504100 PUSH 004150F0 00401740 52 PUSH EDX 00401741 8D442468 LEA EAX,[ESP+68] 00401745 68F0504100 PUSH 004150F0 0040174A 50 PUSH EAX 0040174B 8D4C2428 LEA ECX,[ESP+28] 0040174F 68F0504100 PUSH 004150F0 00401754 51 PUSH ECX 00401755 8D542444 LEA EDX,[ESP+44] 00401759 68F0504100 PUSH 004150F0 0040175E 8D44243C LEA EAX,[ESP+3C] 00401762 52 PUSH EDX 00401763 50 PUSH EAX 00401764 68F08C4100 PUSH 00418CF0 ; "P!A" 00401769 E8C20C0000 CALL 00402430 0040176E 83C408 ADD ESP,08 00401771 50 PUSH EAX 00401772 E8B90C0000 CALL 00402430 00401777 83C408 ADD ESP,08 0040177A 50 PUSH EAX 0040177B E8B00C0000 CALL 00402430 00401780 83C408 ADD ESP,08 00401783 50 PUSH EAX 00401784 E8A70C0000 CALL 00402430 00401789 83C408 ADD ESP,08 0040178C 50 PUSH EAX 0040178D E89E0C0000 CALL 00402430 00401792 83C408 ADD ESP,08 00401795 50 PUSH EAX 00401796 E8950C0000 CALL 00402430 0040179B 83C408 ADD ESP,08 0040179E 50 PUSH EAX 0040179F E88C0C0000 CALL 00402430 004017A4 83C408 ADD ESP,08 004017A7 50 PUSH EAX 004017A8 E8830C0000 CALL 00402430 004017AD 83C408 ADD ESP,08 004017B0 50 PUSH EAX 004017B1 E87A0C0000 CALL 00402430 004017B6 83C408 ADD ESP,08 004017B9 50 PUSH EAX 004017BA E8710C0000 CALL 00402430 004017BF 83C408 ADD ESP,08 004017C2 8BF0 MOV ESI,EAX 004017C4 8BCE MOV ECX,ESI 004017C6 6A0A PUSH 0A 004017C8 E863010000 CALL 00401930 004017CD 8B0E MOV ECX,[ESI] 004017CF 33FF XOR EDI,EDI 004017D1 8B5104 MOV EDX,[ECX+04] 004017D4 8A4C3204 MOV CL,[ESI+EDX+04] 004017D8 84CB TEST BL,CL 004017DA 8D0432 LEA EAX,[ESI+EDX] 004017DD 7514 JNZ 004017F3 004017DF 8B4028 MOV EAX,[EAX+28] 004017E2 8BC8 MOV ECX,EAX 004017E4 8B10 MOV EDX,[EAX] 004017E6 FF522C CALL [EDX+2C] 004017E9 83F8FF CMP EAX,-01 004017EC 7505 JNZ 004017F3 004017EE BF04000000 MOV EDI,00000004 004017F3 8B06 MOV EAX,[ESI] 004017F5 8B4804 MOV ECX,[EAX+04] 004017F8 03CE ADD ECX,ESI 004017FA 85FF TEST EDI,EDI 004017FC 0F8411010000 JZ 00401913 00401802 8B4104 MOV EAX,[ECX+04] 00401805 8B5128 MOV EDX,[ECX+28] 00401808 0BC7 OR EAX,EDI 0040180A 85D2 TEST EDX,EDX 0040180C 0F85F9000000 JNZ 0040190B 00401812 E9F2000000 JMP 00401909 00401817 8D4C2478 LEA ECX,[ESP+78] 0040181B 8D542448 LEA EDX,[ESP+48] 0040181F 51 PUSH ECX 00401820 68F0504100 PUSH 004150F0 00401825 52 PUSH EDX 00401826 68F08C4100 PUSH 00418CF0 ; "P!A" 0040182B E8000C0000 CALL 00402430 00401830 83C408 ADD ESP,08 00401833 50 PUSH EAX 00401834 E8F70B0000 CALL 00402430 00401839 83C408 ADD ESP,08 0040183C 50 PUSH EAX 0040183D E8EE0B0000 CALL 00402430 00401842 83C408 ADD ESP,08 00401845 8BF0 MOV ESI,EAX 00401847 8BCE MOV ECX,ESI 00401849 6A0A PUSH 0A 0040184B E8E0000000 CALL 00401930 00401850 8B06 MOV EAX,[ESI] 00401852 33FF XOR EDI,EDI 00401854 8B4804 MOV ECX,[EAX+04] 00401857 8D0431 LEA EAX,[ESI+ECX] 0040185A 8A4C3104 MOV CL,[ESI+ECX+04] 0040185E 84CB TEST BL,CL 00401860 7514 JNZ 00401876 00401862 8B4028 MOV EAX,[EAX+28] 00401865 8BC8 MOV ECX,EAX 00401867 8B10 MOV EDX,[EAX] 00401869 FF522C CALL [EDX+2C] 0040186C 83F8FF CMP EAX,-01 0040186F 7505 JNZ 00401876 00401871 BF04000000 MOV EDI,00000004 00401876 8B06 MOV EAX,[ESI] 00401878 8B4804 MOV ECX,[EAX+04] 0040187B 03CE ADD ECX,ESI 0040187D 85FF TEST EDI,EDI 0040187F 0F848E000000 JZ 00401913 00401885 8B4104 MOV EAX,[ECX+04] 00401888 8B5128 MOV EDX,[ECX+28] 0040188B 0BC7 OR EAX,EDI 0040188D 85D2 TEST EDX,EDX 0040188F 757A JNZ 0040190B 00401891 EB76 JMP 00401909 00401893 8D4C2478 LEA ECX,[ESP+78] 00401897 8D542448 LEA EDX,[ESP+48] 0040189B 51 PUSH ECX 0040189C 68F0504100 PUSH 004150F0 004018A1 52 PUSH EDX 004018A2 68F08C4100 PUSH 00418CF0 ; "P!A" 004018A7 E8840B0000 CALL 00402430 004018AC 83C408 ADD ESP,08 004018AF 50 PUSH EAX 004018B0 E87B0B0000 CALL 00402430 004018B5 83C408 ADD ESP,08 004018B8 50 PUSH EAX 004018B9 E8720B0000 CALL 00402430 004018BE 83C408 ADD ESP,08 004018C1 8BF0 MOV ESI,EAX 004018C3 8BCE MOV ECX,ESI 004018C5 6A0A PUSH 0A 004018C7 E864000000 CALL 00401930 004018CC 8B06 MOV EAX,[ESI] 004018CE 33FF XOR EDI,EDI 004018D0 8B4804 MOV ECX,[EAX+04] 004018D3 8D0431 LEA EAX,[ESI+ECX] 004018D6 8A4C3104 MOV CL,[ESI+ECX+04] 004018DA 84CB TEST BL,CL 004018DC 7514 JNZ 004018F2 004018DE 8B4028 MOV EAX,[EAX+28] 004018E1 8BC8 MOV ECX,EAX 004018E3 8B10 MOV EDX,[EAX] 004018E5 FF522C CALL [EDX+2C] 004018E8 83F8FF CMP EAX,-01 004018EB 7505 JNZ 004018F2 004018ED BF04000000 MOV EDI,00000004 004018F2 8B06 MOV EAX,[ESI] 004018F4 8B4804 MOV ECX,[EAX+04] 004018F7 03CE ADD ECX,ESI 004018F9 85FF TEST EDI,EDI 004018FB 7416 JZ 00401913 004018FD 8B4104 MOV EAX,[ECX+04] 00401900 8B5128 MOV EDX,[ECX+28] 00401903 0BC7 OR EAX,EDI 00401905 85D2 TEST EDX,EDX 00401907 7502 JNZ 0040190B 00401909 0C04 OR AL,04 0040190B 6A00 PUSH 00 0040190D 50 PUSH EAX 0040190E E8BE1E0000 CALL 004037D1 00401913 68E8504100 PUSH 004150E8 ; "pause" 00401918 E8983E0000 CALL 004057B5 0040191D 83C404 ADD ESP,04 00401920 33C0 XOR EAX,EAX 00401922 5F POP EDI 00401923 5E POP ESI 00401924 5B POP EBX 00401925 81C498040000 ADD ESP,00000498 0040192B C3 RET 我当时生成的注册码为: 0023:0012FA74 6A 6B 6F 64 71 58 56 56-51 42 3B 42 3F 3B 3B 77 jkodqXVVQB;B?;;w 0023:0012FA84 78 66 67 6E 4C 50 54 41-41 30 45 33 47 49 64 79 xfgnLPTAA0E3GIdy 0023:0012FA94 6B 6F 77 48 48 54 4D 45-48 38 37 37 30 00 40 00 kowHHTMEH8770.@. 0023:0012FAA4 32 1A 40 00 33 00 37 00-F0 8C 41 00 06 00 00 00 2.@.3.7...A..... 上传的附件： Crackme3.rar （42.88kb，21次下载） 2013-11-4 21:10 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 8 楼使用 messageboxa 可以找到注册码部分程序如下: 00401F90 55 PUSH EBP 00401F91 8BEC MOV EBP,ESP 00401F93 81ECD0000000 SUB ESP,000000D0 00401F99 A150DD5600 MOV EAX,[0056DD50] 00401F9E 33C5 XOR EAX,EBP 00401FA0 8945FC MOV [EBP-04],EAX 00401FA3 53 PUSH EBX 00401FA4 8BD9 MOV EBX,ECX 00401FA6 56 PUSH ESI 00401FA7 8BC3 MOV EAX,EBX 00401FA9 57 PUSH EDI 00401FAA BF01000000 MOV EDI,00000001 00401FAF 8D5001 LEA EDX,[EAX+01] 00401FB2 8A08 MOV CL,[EAX] 00401FB4 40 INC EAX 00401FB5 84C9 TEST CL,CL 00401FB7 75F9 JNZ 00401FB2 00401FB9 2BC2 SUB EAX,EDX 00401FBB 8BF0 MOV ESI,EAX 00401FBD 85F6 TEST ESI,ESI 00401FBF 7E0E JLE 00401FCF 00401FC1 56 PUSH ESI 00401FC2 8D45C8 LEA EAX,[EBP-38] 00401FC5 53 PUSH EBX 00401FC6 50 PUSH EAX 00401FC7 E804FD0F00 CALL 00501CD0 00401FCC 83C40C ADD ESP,0C 00401FCF 33C0 XOR EAX,EAX 00401FD1 85F6 TEST ESI,ESI 00401FD3 7E0D JLE 00401FE2 00401FD5 0FBE4C05C8 MOVSX ECX,BYTE PTR [EAX+EBP-38] 00401FDA 40 INC EAX 00401FDB 0FAFF9 IMUL EDI,ECX 00401FDE 3BC6 CMP EAX,ESI 00401FE0 7CF3 JL 00401FD5 00401FE2 6A0A PUSH 0A 00401FE4 8D55C8 LEA EDX,[EBP-38] 00401FE7 52 PUSH EDX 00401FE8 57 PUSH EDI 00401FE9 E806581100 CALL 005177F4 00401FEE 8D45C8 LEA EAX,[EBP-38] 00401FF1 83C40C ADD ESP,0C 00401FF4 33C9 XOR ECX,ECX 00401FF6 8D7001 LEA ESI,[EAX+01] 00401FF9 8DA42400000000 LEA ESP,[ESP+00000000] 00402000 8A10 MOV DL,[EAX] 00402002 40 INC EAX 00402003 84D2 TEST DL,DL 00402005 75F9 JNZ 00402000 00402007 2BC6 SUB EAX,ESI 00402009 48 DEC EAX 0040200A 85C0 TEST EAX,EAX 0040200C 7E18 JLE 00402026 0040200E 8BFF MOV EDI,EDI 00402010 8A5C05C8 MOV BL,[EAX+EBP-38] 00402014 8A540DC8 MOV DL,[ECX+EBP-38] 00402018 885C0DC8 MOV [ECX+EBP-38],BL 0040201C 885405C8 MOV [EAX+EBP-38],DL 00402020 41 INC ECX 00402021 48 DEC EAX 00402022 3BC8 CMP ECX,EAX 00402024 7CEA JL 00402010 00402026 8D45C8 LEA EAX,[EBP-38] 00402029 50 PUSH EAX 0040202A E8EBF90F00 CALL 00501A1A 0040202F 6A0A PUSH 0A 00402031 8D8D30FFFFFF LEA ECX,[EBP-00D0] 00402037 03C7 ADD EAX,EDI 00402039 51 PUSH ECX 0040203A 50 PUSH EAX 0040203B E8B4571100 CALL 005177F4 00402040 8B1548DE5400 MOV EDX,[0054DE48] 00402046 66A14CDE5400 MOV AX,[0054DE4C] 0040204C 6A5E PUSH 5E 0040204E 8D8D6AFFFFFF LEA ECX,[EBP-0096] 00402054 6A00 PUSH 00 00402056 51 PUSH ECX 00402057 899564FFFFFF MOV [EBP-009C],EDX 0040205D 66898568FFFFFF MOV [EBP-0098],AX 00402064 E827191000 CALL 00503990 00402069 8D8530FFFFFF LEA EAX,[EBP-00D0] 0040206F 83C41C ADD ESP,1C 00402072 8BC8 MOV ECX,EAX 00402074 8A10 MOV DL,[EAX] 00402076 40 INC EAX 00402077 84D2 TEST DL,DL 00402079 75F9 JNZ 00402074 0040207B 8DBD64FFFFFF LEA EDI,[EBP-009C] 00402081 2BC1 SUB EAX,ECX 00402083 8BF1 MOV ESI,ECX 00402085 4F DEC EDI 00402086 8A4F01 MOV CL,[EDI+01] 00402089 47 INC EDI 0040208A 84C9 TEST CL,CL 0040208C 75F8 JNZ 00402086 0040208E 8BC8 MOV ECX,EAX 00402090 C1E902 SHR ECX,02 00402093 F3A5 REPZ MOVSD 00402095 8BC8 MOV ECX,EAX 00402097 83E103 AND ECX,03 0040209A F3A4 REPZ MOVSB 0040209C 8B4D08 MOV ECX,[EBP+08] 0040209F 5F POP EDI 004020A0 5E POP ESI 004020A1 8D8564FFFFFF LEA EAX,[EBP-009C] 004020A7 5B POP EBX 004020A8 8A10 MOV DL,[EAX] ;;;注册码比较部分 004020AA 3A11 CMP DL,[ECX] ;;; 004020AC 751A JNZ 004020C8 004020AE 84D2 TEST DL,DL 004020B0 7412 JZ 004020C4 004020B2 8A5001 MOV DL,[EAX+01] 004020B5 3A5101 CMP DL,[ECX+01] 004020B8 750E JNZ 004020C8 004020BA 83C002 ADD EAX,02 004020BD 83C102 ADD ECX,02 004020C0 84D2 TEST DL,DL 004020C2 75E4 JNZ 004020A8 004020C4 33C0 XOR EAX,EAX 004020C6 EB05 JMP 004020CD 004020C8 1BC0 SBB EAX,EAX 004020CA 83D8FF SBB EAX,-01 004020CD 6A00 PUSH 00 004020CF 85C0 TEST EAX,EAX 004020D1 750C JNZ 004020DF 004020D3 6850DE5400 PUSH 0054DE50 ; "Cracked!" 004020D8 685CDE5400 PUSH 0054DE5C ; "LOL~" 004020DD EB0A JMP 004020E9 004020DF 6864DE5400 PUSH 0054DE64 ; "Sorry :(" 004020E4 6870DE5400 PUSH 0054DE70 ; "Try Again!" 004020E9 6A00 PUSH 00 004020EB FF1544585200 CALL [USER32!MessageBoxA] 004020F1 8B4DFC MOV ECX,[EBP-04] 004020F4 33CD XOR ECX,EBP 004020F6 E81CE80F00 CALL 00500917 004020FB 8BE5 MOV ESP,EBP 004020FD 5D POP EBP 004020FE C3 RET 输入 crackme 是从内存中得到注册码 :d eax l 10 0010:0012F71C 78 64 73 65 63 2D 32 36-35 34 30 36 34 32 37 00 xdsec-265406427. 胡乱输入的注册码 :d ecx l 10 0010:00DA8750 73 61 64 66 73 64 61 66-73 00 00 00 00 00 00 00 sadfsdafs....... 上传的附件： crackme5.rar （710.24kb，71次下载） 2013-11-4 21:19 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 9 楼这个允许爆破，爆破点如下：据说算法很强悍，想练手的可以分析下。使用messageboxa可以找到这个位置，分析后得到爆破点的。 :ueip l 50 00402133 MOV AL,[ESI+EBP-6C] 00402137 CMP AL,[ESI+EBP-00A0] 0040213E JZ 00402169 ;;;爆破点把74修改为EB后的校验码是：966A91D6校验码放置位置在后面 00402140 PUSH 00 00402142 LEA EAX,[EBP-20] 00402145 PUSH EAX 00402146 LEA EBX,[EBP-18] 00402149 PUSH EBX 0040214A PUSH 00 0040214C MOV EAX,[EBP-02B0] 00402152 CALL EAX 00402154 MOV EAX,[EBP-02BC] 0040215A PUSH 00 0040215C PUSH 00 0040215E PUSH 12 00402160 PUSH DWORD PTR [EAX+20] 00402163 CALL [USER32!PostMessageA] 00402169 INC ESI 0040216A CMP ESI,10 0040216D JL 00402133 0040216F PUSH 00 00402171 LEA EAX,[EBP-28] 00402174 PUSH EAX 00402175 LEA EBX,[EBP-7C] 00402178 PUSH EBX 00402179 PUSH 00 0040217B MOV EAX,[EBP-02B0] 00402181 CALL EAX 该程序对文件进行校验，防止修改现给出校验部分的代码及位置 004024D1 PUSH EBX 004024D2 PUSH 00000080 004024D7 PUSH 03 004024D9 PUSH EBX 004024DA PUSH 01 004024DC PUSH 80000000 004024E1 LEA EAX,[EBP-0108] 004024E7 PUSH EAX 004024E8 CALL [KERNEL32!CreateFileA] ;;;打开crackme2.exe 004024EE PUSH EBX 004024EF PUSH EAX 004024F0 MOV [EBP+FFFFFAF4],EAX 004024F6 CALL [KERNEL32!GetFileSize] ;;;得到文件长度 004024FC MOV ESI,EAX 004024FE PUSH ESI 004024FF CALL 004025FE 00402504 POP ECX 00402505 PUSH EBX 00402506 MOV EDI,EAX 00402508 LEA EAX,[EBP+FFFFFAF0] 0040250E PUSH EAX 0040250F PUSH ESI 00402510 PUSH EDI 00402511 PUSH DWORD PTR [EBP+FFFFFAF4] 00402517 CALL [KERNEL32!ReadFile] 0040251D PUSH DWORD PTR [EBP+FFFFFAF4] 00402523 CALL [KERNEL32!CloseHandle] 00402529 MOV EAX,[EDI+3C] 0040252C SUB ESI,EAX 0040252E ADD EDI,EAX 00402530 MOV [EBP+FFFFFAF4],ESI 00402536 MOV ESI,EDI 00402538 XOR EAX,EAX 0040253A PUSH 08 0040253C MOV ECX,EAX 0040253E POP EDX 0040253F TEST CL,01 00402542 JZ 0040254E 00402544 SHR ECX,1 00402546 XOR ECX,EDB88320 0040254C JMP 00402550 0040254E SHR ECX,1 00402550 DEC EDX 00402551 CMP EDX,EBX 00402553 JG 0040253F 00402555 MOV [EAX4+EBP+FFFFFAF8],ECX 0040255C INC EAX 0040255D CMP EAX,00000100 00402562 JL 0040253A 00402564 OR EAX,-01 00402567 JMP 00402585 00402569 MOVZX ECX,BYTE PTR [ESI] 0040256C DEC DWORD PTR [EBP+FFFFFAF4] 00402572 XOR ECX,EAX 00402574 AND ECX,000000FF 0040257A SHR EAX,08 0040257D XOR EAX,[ECX4+EBP+FFFFFAF8] 00402584 INC ESI 00402585 CMP [EBP+FFFFFAF4],EBX 0040258B JNZ 00402569 0040258D XOR ECX,ECX 0040258F NOT EAX 00402591 CMP [EDI-04],EAX ;;;校验文件是否被修改了 00402594 POP EDI 00402595 SETZ CL 00402598 POP ESI 00402599 POP EBX 0040259A MOV EAX,ECX 0040259C MOV ECX,[EBP-04] 0040259F XOR ECX,EBP 004025A1 CALL 00500784 004025A6 LEAVE 004025A7 RET 004025A8 JMP 00407090 00F80020 00905A4D 00000003 00000004 0000FFFF MZ.............. 00F80030 000000B8 00000000 00000040 00000000 ........@....... 00F80040 00000000 00000000 00000000 00000000 ................ 00F80050 00000000 00000000 00000000 000000F0 ................ 00F80060 0EBA1F0E CD09B400 4C01B821 685421CD ........!..L.!Th 00F80070 70207369 72676F72 63206D61 6F6E6E61 is program canno 00F80080 65622074 6E757220 206E6920 20534F44 t be run in DOS 00F80090 65646F6D 0A0D0D2E 00000024 00000000 mode....$....... 00F800A0 9CA2CFAE CFCCAEEA CFCCAEEA CFCCAEEA ................ 00F800B0 CF4FD6E3 CFCCAEE5 CF5FD6E3 CFCCAEC9 ..O......._..... 00F800C0 CFCDAEEA CFCCAC10 CF52D885 CFCCAEC7 ..........R..... 00F800D0 CF66D885 CFCCAE43 CF67D885 CFCCAF6D ..f.C.....g.m... 00F800E0 CF63D885 CFCCAEEE CF56D885 CFCCAEEB ..c.......V..... 00F800F0 CF51D885 CFCCAEEB 68636952 CFCCAEEA ..Q.....Rich.... 00F80100 00000000 00000000 00000000 914567B7 [保存文件校验DWROD的位置] ---------------文件校验开始位置-------------------------------------- 00F80110 00004550 0005014C 5242C28C 00000000 PE..L.....BR.... 00F80120 00000000 010200E0 000A010B 00123A00 .............:.. 00F80130 00076A00 00000000 00100E5E 00001000 .j......^....... 00F80140 00125000 00400000 00001000 00000200 .P....@......... 00F80150 00010005 00000000 00010005 00000000 ................ 00F80160 001A5000 00000400 001A1F7A 81400002 .P......z.....@. 00F80170 00100000 00001000 00100000 00001000 ................ 00F80180 00000000 00000010 00000000 00000000 ................ 00F80190 00164E3C 00000168 00177000 000045A4 <N..h....p...E.. 00F801A0 00000000 00000000 00000000 00000000 ................ 00F801B0 0017C000 0001A7E8 00125D40 0000001C ........@]...... 00F801C0 00000000 00000000 00000000 00000000 ................ 00F801D0 00000000 00000000 0014E078 00000040 ........x...@... 00F801E0 00000000 00000000 00125000 0000096C .........P..l... 00F801F0 00000000 00000000 00000000 00000000 ................ 00F80200 00000000 00000000 7865742E 00000074 .........text... 00F80210 00123837 00001000 00123A00 00000400 78.......:...... 上传的附件： crackme2.rar （635.08kb，30次下载） 2013-11-4 21:30 0
softdebug 雪币： 231 活跃值： (25) 能力值： ( LV12，RANK：250 ) 在线值：发帖 8 回帖 49 粉丝 0 关注私信	softdebug 6 10 楼以上就是去上海协助网友比赛时，他给的xdsec的5个crackme。到此结束了。 2013-11-4 21:37 0
墨非雪币： 32 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 214 粉丝 0 关注私信	墨非 11 楼膜拜之，很想说私信给我联系方式吧！ 2013-11-25 23:08 0
o丨Reborn 雪币： 5 活跃值： (27) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	o丨Reborn 12 楼请问是如何快速定位文件效验这部分的? 经验么... 2014-4-1 18:17 0
hbcld 雪币： 43 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 238 粉丝 0 关注私信	hbcld 13 楼致谢楼主！ 2014-7-12 09:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复