013DFFE0 /$ 55 push ebp
013DFFE1 |. 8BEC mov ebp,esp
013DFFE3 |. FF75 08 push [arg.1]
013DFFE6 |. 8F45 08 pop [arg.1]
013DFFE9 |. FF75 0C push [arg.2]
013DFFEC |. 8F05 2EF34201 pop dword ptr ds:[0x142F32E]
013DFFF2 |. FF75 10 push [arg.3]
013DFFF5 |. 8F45 10 pop [arg.3]
013DFFF8 |. FF75 14 push [arg.4]
013DFFFB |. 8F45 14 pop [arg.4]
013DFFFE |. 837D 10 01 cmp [arg.3],0x1
013E0002 |. 75 09 jnz short CrackMe.013E000D
013E0004 |. C745 10 02000>mov [arg.3],0x2
013E000B |. EB 49 jmp short CrackMe.013E0056
013E000D |> 837D 10 02 cmp [arg.3],0x2
013E0011 |. 75 09 jnz short CrackMe.013E001C
013E0013 |. C745 10 04000>mov [arg.3],0x4
013E001A |. EB 3A jmp short CrackMe.013E0056
013E001C |> 837D 10 04 cmp [arg.3],0x4
013E0020 |. 75 09 jnz short CrackMe.013E002B
013E0022 |. C745 10 01000>mov [arg.3],0x1
013E0029 |. EB 2B jmp short CrackMe.013E0056
013E002B |> 837D 10 03 cmp [arg.3],0x3
013E002F |. 75 09 jnz short CrackMe.013E003A
013E0031 |. C745 10 06000>mov [arg.3],0x6
013E0038 |. EB 1C jmp short CrackMe.013E0056
013E003A |> 837D 10 05 cmp [arg.3],0x5
013E003E |. 75 09 jnz short CrackMe.013E0049
013E0040 |. C745 10 03000>mov [arg.3],0x3
013E0047 |. EB 0D jmp short CrackMe.013E0056
013E0049 |> 837D 10 06 cmp [arg.3],0x6
013E004D |. 75 07 jnz short CrackMe.013E0056
013E004F |. C745 10 05000>mov [arg.3],0x5
013E0056 |> 833D 32F34201>cmp dword ptr ds:[0x142F332],0x0
013E005D |. 75 14 jnz short CrackMe.013E0073
013E005F |. 68 8DFF3D01 push CrackMe.013DFF8D ; /NewValue =
0x13DFF8D
013E0064 |. 6A FC push -0x4 ; |Index = GWL_WNDPROC
013E0066 |. FF75 08 push [arg.1] ; |hWnd
013E0069 |. E8 08270000 call <jmp.&USER32.SetWindowLongA> ; \SetWindowLongA
013E006E |. A3 32F34201 mov dword ptr ds:[0x142F332],eax
013E0073 |> FF05 22F34201 inc dword ptr ds:[0x142F322]
013E0079 |. FF05 26F34201 inc dword ptr ds:[0x142F326]
013E007F |. A1 26F34201 mov eax,dword ptr ds:[0x142F326]
013E0084 |. 05 E8800000 add eax,0x80E8
013E0089 |. A3 2AF34201 mov dword ptr ds:[0x142F32A],eax
013E008E |. FF75 14 push [arg.4] ; /Key
013E0091 |. FF75 10 push [arg.3] ; |Modifiers
013E0094 50 push eax
013E0095 FF75 08 push dword ptr ss:[ebp+0x8]
013E0098 |. E8 03270000 call <jmp.&USER32.RegisterHotKey> ; \RegisterHotKey
程序一开始弄了一个检测调试,然后弄了一个热键冲突,使在OD调试中,F8按下没反应。
SetWindowLong
0030F7AC 00130704 |hWnd = 00130704 ('CrackMe-2016',class='WTWindow')
0030F7B0 FFFFFFFC |Index = GWL_WNDPROC
0030F7B4 003BFF8D \NewValue = 0x3BFF8D
SetWindowLong是一个Windows API函数。该函数用来改变指定窗口的属性.函数也将指定的一个32位值设
置在窗口的额外存储空间的指定偏移位置。
GWL_WNDPROC
-4
为窗口过程设定一个新的地址。
RegisterHotKey
0030F7A8 00130704 |hWnd = 00130704 ('CrackMe-2016',class='WTWindow')
0030F7AC 000080E9 |HotKeyID = 0x80E9
0030F7B0 00000000 |Modifiers = 0
0030F7B4 00000077 \Key = VK_F8
注册一个HotKeyID 为0x80E9 使得按F8没反应。
013E0094 50 push eax 修改这里为push 0 即可过这个anti
然后在验证注册码过程中调用了线程
下线程断点
bp BaseThreadInitThunk
定位到线程地址 010F2313
010F2313 . 56 push esi
010F2314 . 57 push edi
010F2315 . 53 push ebx
010F2316 . E8 64F6FFFF call CrackMe1.010F197F
010F231B . 5B pop ebx
010F231C . 5F pop edi
010F231D . 5E pop esi
010F231E . C3 retn
我们拉倒最后一个JE跳转,这里会判断[local.11]的值是否为0
010F21DB |. 83C4 04 add esp,0x4
010F21DE |> 837D D4 00 cmp [local.11],0x0
010F21E2 |. 0F84 9A000000 je CrackMe1.010F2282
010F21E8 |. 6A 00 push 0x0
是的话就跳到下面这段代码,这段代码是用易语言的置入代码命令写的,可以随便写成乱码,使程序
寄存器数值错误,引发程序奔溃。
010F2282 |> \0102 add dword ptr ds:[edx],eax
010F2284 |. 030405 060708>add eax,dword ptr ds:[eax+0x9080706]
010F228B |. 006A 00 add byte ptr ds:[edx],ch
好了,既然是对比[local.11]的值是否为0 我们向上找,找到以下代码段
010F21B8 |. E8 25F7FFFF call CrackMe1.010F18E2
010F21BD |. 83C4 08 add esp,0x8
010F21C0 |. 83F8 00 cmp eax,0x0
010F21C3 |. B8 00000000 mov eax,0x0
010F21C8 |. 0F94C0 sete al
010F21CB |. 8945 D4 mov [local.11],eax
010F21CE |. 8B5D D8 mov ebx,[local.10]
010F21D1 |. 85DB test ebx,ebx
这个是经典的易语言文本对比特征,所以直接定位这里就会出现正确的注册码!
正确的注册码为:33053055C3055C2E3030553055C2
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
