启动od打开crackme
下断点
bp GetWindowTextA
在crackme中随便输入111111111111
ctrl+f9返回4次
来到
00403160 /> \55 push ebp
00403161 |. 8BEC mov ebp,esp
00403163 |. 81EC C0030000 sub esp,0x3C0
00403169 |. 53 push ebx
0040316A |. 56 push esi
0040316B |. 57 push edi
0040316C |. 51 push ecx
0040316D |. 8DBD 40FCFFFF lea edi,[local.240]
00403173 |. B9 F0000000 mov ecx,0xF0
00403178 |. B8 CCCCCCCC mov eax,0xCCCCCCCC
0040317D |. F3:AB rep stos dword ptr es:[edi]
0040317F |. 59 pop ecx
00403180 |. 894D FC mov [local.1],ecx
00403183 |. 6A 01 push 0x1
00403185 |. 8B4D FC mov ecx,[local.1]
00403188 |. E8 FE280800 call Crackme2.00485A8B
0040318D |. 8B4D FC mov ecx,[local.1]
00403190 |. 83C1 5C add ecx,0x5C
00403193 |. E8 A2030D00 call Crackme2.004D353A
00403198 |. 8945 F8 mov [local.2],eax
0040319B |. C745 F4 00000>mov [local.3],0x0
004031A2 |. EB 09 jmp short Crackme2.004031AD
004031A4 |> 8B45 F4 /mov eax,[local.3]
004031A7 |. 83C0 01 |add eax,0x1
004031AA |. 8945 F4 |mov [local.3],eax
004031AD |> 8B4D F8 mov ecx,[local.2]
004031B0 |. 034D F4 |add ecx,[local.3]
004031B3 |. 0FBE11 |movsx edx,byte ptr ds:[ecx]
004031B6 |. 85D2 |test edx,edx
004031B8 |. 74 02 |je short Crackme2.004031BC
004031BA |.^ EB E8 \jmp short Crackme2.004031A4
004031BC |> 837D F4 17 cmp [local.3],0x17 ; 比较注册码长度是否为0x17,不是直接返回
004031C0 |. 74 05 je short Crackme2.004031C7
004031C2 |. E9 CE090000 jmp Crackme2.00403B95
004031C7 |> B9 10000000 mov ecx,0x10
确定注册码是23位
输入11111111111111111111111
此时004031C0 |. /74 05 je short Crackme2.004031C7 ; 如果是就跳转
跳转实现,然后下面一堆算法不看,直接到最下面
00403B2E |> /8B45 F4 /mov eax,[local.3]
00403B31 |. |83C0 01 |add eax,0x1
00403B34 |. |8945 F4 |mov [local.3],eax
00403B37 |> |8B4D F4 mov ecx,[local.3]
00403B3A |. |0FBE940D 94FC>|movsx edx,byte ptr ss:[ebp+ecx-0x36C]
00403B42 |. |85D2 |test edx,edx
00403B44 |. |74 29 |je short Crackme2.00403B6F
00403B46 |. |8B45 F4 |mov eax,[local.3]
00403B49 |. |0FBE8C05 94FC>|movsx ecx,byte ptr ss:[ebp+eax-0x36C]
00403B51 |. |8B15 7C805D00 |mov edx,dword ptr ds:[0x5D807C] ; Crackme2.005B71CC
00403B57 |. |0355 F4 |add edx,[local.3]
00403B5A |. |0FBE02 |movsx eax,byte ptr ds:[edx]
00403B5D |. |3BC8 |cmp ecx,eax
00403B5F |. |74 0C |je short Crackme2.00403B6D
00403B61 |. |C785 88FCFFFF>|mov [local.222],0x0
00403B6B |. |EB 02 |jmp short Crackme2.00403B6F
00403B6D |>^\EB BF \jmp short Crackme2.00403B2E
00403B6F |> 83BD 88FCFFFF>cmp [local.222],0x1 ; 这里段下,看edx指向的值
00403B76 |. 75 1D jnz short Crackme2.00403B95
00403B78 |. 8BF4 mov esi,esp
00403B7A |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00403B7C |. 68 34745B00 push Crackme2.005B7434 ; |Title = "Congratulations"
00403B81 |. 68 28745B00 push Crackme2.005B7428 ; |Text = "Success!"
00403B86 |. 6A 00 push 0x0 ; |hOwner = NULL
00403B88 |. FF15 2C2D5F00 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00403B8E |. 3BF4 cmp esi,esp
00403B90 |. E8 1BBB0100 call Crackme2.0041F6B0
005B71CC 35 37 41 45 41 36 34 32 44 32 34 45 34 30 38 30 57AEA642D24E4080
005B71DC 42 32 33 31 37 37 42 46 43 43 34 30 38 31 34 45 B23177BFCC40814E
005B71EC 42 37 33 44 42 44 30 31 45 39 32 34 38 30 43 38 B73DBD01E92480C8
005B71FC 35 43 33 43 34 30 34 36 36 36 32 43 31 30 30 30 5C3C4046662C1000
005B720C 30 00 0.
整理下
57AEA642D24E4080B23177BFCC40814EB73DBD01E92480C85C3C4046662C10000
取出前23位注册
sn=57AEA642D24E4080B23177B
成功
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
