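Post #5
This feels like a really interesting CrackMe.
I worked through the first one and am posting it for other beginners like me.
The first one: load it in OD, search for the ASCII string "Wrong Password", and scroll up to: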
0044C3A4 /. 55 PUSH EBP
0044C3A5 |. 8BEC MOV EBP,ESP
0044C3A7 |. B9 06000000 MOV ECX,6
0044C3AC |> 6A 00 /PUSH 0
0044C3AE |. 6A 00 |PUSH 0
0044C3B0 |. 49 |DEC ECX
0044C3B1 |.^ 75 F9 \JNZ SHORT CrackMe_.0044C3AC
0044C3B3 |. 53 PUSH EBX
0044C3B4 |. 8BD8 MOV EBX,EAX
0044C3B6 |. 33C0 XOR EAX,EAX
0044C3B8 |. 55 PUSH EBP
0044C3B9 |. 68 61C54400 PUSH CrackMe_.0044C561
0044C3BE |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0044C3C1 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0044C3C4 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0044C3C7 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C3CD |. E8 5294FDFF CALL CrackMe_.00425824
0044C3D2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; trial password
0044C3D5 |. E8 9A76FBFF CALL CrackMe_.00403A74
0044C3DA |. 83F8 0C CMP EAX,0C ; is the registration code 12 characters long?
0044C3DD |. 0F85 53010000 JNZ CrackMe_.0044C536 ; if not equal, jump to Wrong Password
0044C3E3 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0044C3E6 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C3EC |. E8 3394FDFF CALL CrackMe_.00425824
0044C3F1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0044C3F4 |. 8038 43 CMP BYTE PTR DS:[EAX],43 ; compare character 1 of the trial password with 43
0044C3F7 |. 0F85 27010000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C3FD |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0044C400 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C406 |. E8 1994FDFF CALL CrackMe_.00425824
0044C40B |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0044C40E |. 8078 03 6F CMP BYTE PTR DS:[EAX+3],6F ; compare character 4 of the trial password with 6f
0044C412 |. 0F85 0C010000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C418 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0044C41B |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C421 |. E8 FE93FDFF CALL CrackMe_.00425824
0044C426 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0044C429 |. 8078 08 6F CMP BYTE PTR DS:[EAX+8],6F ; compare character 9 of the trial password with 6f
0044C42D |. 0F85 F1000000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C433 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0044C436 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C43C |. E8 E393FDFF CALL CrackMe_.00425824
0044C441 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0044C444 |. 8078 01 6C CMP BYTE PTR DS:[EAX+1],6C ; compare character 2 of the trial password with 6c
0044C448 |. 0F85 D6000000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C44E |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0044C451 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C457 |. E8 C893FDFF CALL CrackMe_.00425824
0044C45C |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0044C45F |. 8078 04 20 CMP BYTE PTR DS:[EAX+4],20 ; compare character 5 of the trial password with 20
0044C463 |. 0F85 BB000000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C469 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0044C46C |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C472 |. E8 AD93FDFF CALL CrackMe_.00425824
0044C477 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0044C47A |. 8078 0A 52 CMP BYTE PTR DS:[EAX+A],52 ; compare character 11 of the trial password with 52
0044C47E |. 0F85 A0000000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C484 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0044C487 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C48D |. E8 9293FDFF CALL CrackMe_.00425824
0044C492 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0044C495 |. 8078 07 75 CMP BYTE PTR DS:[EAX+7],75 ; compare character 8 of the trial password with 75
0044C499 |. 0F85 85000000 JNZ CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C49F |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0044C4A2 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4A8 |. E8 7793FDFF CALL CrackMe_.00425824
0044C4AD |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0044C4B0 |. 8078 09 6E CMP BYTE PTR DS:[EAX+9],6E ; compare character 10 of the trial password with 6e
0044C4B4 |. 75 6E JNZ SHORT CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C4B6 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0044C4B9 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4BF |. E8 6093FDFF CALL CrackMe_.00425824
0044C4C4 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0044C4C7 |. 8078 02 6E CMP BYTE PTR DS:[EAX+2],6E ; compare character 3 of the trial password with 6e
0044C4CB |. 75 57 JNZ SHORT CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C4CD |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0044C4D0 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4D6 |. E8 4993FDFF CALL CrackMe_.00425824
0044C4DB |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0044C4DE |. 8078 05 69 CMP BYTE PTR DS:[EAX+5],69 ; compare character 6 of the trial password with 69
0044C4E2 |. 75 40 JNZ SHORT CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C4E4 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0044C4E7 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4ED |. E8 3293FDFF CALL CrackMe_.00425824
0044C4F2 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
0044C4F5 |. 8078 0B 6E CMP BYTE PTR DS:[EAX+B],6E ; compare character 12 of the trial password with 6e
0044C4F9 |. 75 29 JNZ SHORT CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C4FB |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0044C4FE |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C504 |. E8 1B93FDFF CALL CrackMe_.00425824
0044C509 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0044C50C |. 8078 06 67 CMP BYTE PTR DS:[EAX+6],67 ; compare character 7 of the trial password with 67
0044C510 |. 75 12 JNZ SHORT CrackMe_.0044C524 ; if not equal, jump to Wrong Password
0044C512 |. BA 78C54400 MOV EDX,CrackMe_.0044C578 ; right password
0044C517 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C51D |. E8 3293FDFF CALL CrackMe_.00425854
0044C522 |. EB 22 JMP SHORT CrackMe_.0044C546
0044C524 |> BA 90C54400 MOV EDX,CrackMe_.0044C590 ; wrong password
Correct password: 43 6f 6f 6c 20 52 75 6e 6e 69 6e 67
Order: +0 +3 +8 +1 +4 +a +7 +9 +2 +5 +b +6
Result: Clno iguonRn
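Added example (not part of the original post): the listing in post #5 checks a 12-byte constant one byte at a time, so the constant can be read straight out of the CMP operands. The sketch below parses those CMP lines, copied from the listing with the address and comment columns dropped, and places each byte at its offset; the function names are hypothetical.

```python
import re

# CMP instructions copied from the listing in post #5 (other columns dropped).
LISTING = """\
CMP EAX,0C
CMP BYTE PTR DS:[EAX],43
CMP BYTE PTR DS:[EAX+3],6F
CMP BYTE PTR DS:[EAX+8],6F
CMP BYTE PTR DS:[EAX+1],6C
CMP BYTE PTR DS:[EAX+4],20
CMP BYTE PTR DS:[EAX+A],52
CMP BYTE PTR DS:[EAX+7],75
CMP BYTE PTR DS:[EAX+9],6E
CMP BYTE PTR DS:[EAX+2],6E
CMP BYTE PTR DS:[EAX+5],69
CMP BYTE PTR DS:[EAX+B],6E
CMP BYTE PTR DS:[EAX+6],67
"""

LEN_RE = re.compile(r"CMP EAX,([0-9A-F]+)$")
BYTE_RE = re.compile(r"CMP BYTE PTR DS:\[EAX(?:\+([0-9A-F]+))?\],([0-9A-F]+)$")

def parse_checks(listing):
    """Return (required_length, [(offset, byte), ...] in execution order)."""
    length, checks = None, []
    for line in listing.splitlines():
        line = line.strip()
        if m := LEN_RE.search(line):
            length = int(m.group(1), 16)
        elif m := BYTE_RE.search(line):
            checks.append((int(m.group(1) or "0", 16), int(m.group(2), 16)))
    return length, checks

def recover_constant(listing):
    """Place each compared byte at its offset and return the resulting string."""
    length, checks = parse_checks(listing)
    if length is None:
        raise ValueError("no length check found")
    cells = {}
    for offset, value in checks:
        # Reject offsets past the checked length and contradictory comparisons.
        if offset >= length or cells.setdefault(offset, value) != value:
            raise ValueError(f"inconsistent check at offset {offset:#x}")
    if len(cells) != length:
        raise ValueError("some offsets are never compared")
    return bytes(cells[i] for i in range(length)).decode("ascii")

if __name__ == "__main__":
    print(repr(recover_constant(LISTING)))
```

A secret that is compared byte by byte against immediates in the code is recoverable by anyone who can read the binary, whatever order the comparisons run in.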
Post #7
==========================================================================
The second one
Search for the ASCII string "you have found the correct serial" and scroll up to:
0044C648 /. 55 PUSH EBP ; the second one
0044C649 |. 8BEC MOV EBP,ESP
0044C64B |. 83C4 F8 ADD ESP,-8
0044C64E |. 53 PUSH EBX
0044C64F |. 56 PUSH ESI
0044C650 |. 33C9 XOR ECX,ECX
0044C652 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
0044C655 |. 8BF0 MOV ESI,EAX
0044C657 |. 33C0 XOR EAX,EAX
0044C659 |. 55 PUSH EBP
0044C65A |. 68 83C74400 PUSH CrackMe_.0044C783
0044C65F |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0044C662 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0044C665 |. 33C0 XOR EAX,EAX
0044C667 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0044C66A |. A1 80F84400 MOV EAX,DWORD PTR DS:[44F880]
0044C66F |. E8 0074FBFF CALL CrackMe_.00403A74 ; get the user name
0044C674 |. 83F8 06 CMP EAX,6
0044C677 |. 0F8E F0000000 JLE CrackMe_.0044C76D ; is it 6 characters or fewer?
0044C67D |. A1 80F84400 MOV EAX,DWORD PTR DS:[44F880]
0044C682 |. E8 ED73FBFF CALL CrackMe_.00403A74 ; get the user name
0044C687 |. 83F8 14 CMP EAX,14
0044C68A |. 0F8D DD000000 JGE CrackMe_.0044C76D ; is it 20 (14 is hexadecimal) characters or more?
0044C690 |. A1 80F84400 MOV EAX,DWORD PTR DS:[44F880]
0044C695 |. E8 DA73FBFF CALL CrackMe_.00403A74
0044C69A |. 85C0 TEST EAX,EAX
0044C69C |. 7E 17 JLE SHORT CrackMe_.0044C6B5
0044C69E |. BA 01000000 MOV EDX,1
0044C6A3 |> 8B0D 80F84400 /MOV ECX,DWORD PTR DS:[44F880]
0044C6A9 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
0044C6AE |. 014D FC |ADD DWORD PTR SS:[EBP-4],ECX ; add up the ASCII values
0044C6B1 |. 42 |INC EDX
0044C6B2 |. 48 |DEC EAX
0044C6B3 |.^ 75 EE \JNZ SHORT CrackMe_.0044C6A3
0044C6B5 |> A1 84F84400 MOV EAX,DWORD PTR DS:[44F884]
0044C6BA |. E8 B573FBFF CALL CrackMe_.00403A74 ; get the company
0044C6BF |. 83F8 02 CMP EAX,2
0044C6C2 |. 7E 18 JLE SHORT CrackMe_.0044C6DC ; is it 2 characters or fewer?
0044C6C4 |. A1 84F84400 MOV EAX,DWORD PTR DS:[44F884]
0044C6C9 |. E8 A673FBFF CALL CrackMe_.00403A74
0044C6CE |. 83F8 08 CMP EAX,8
0044C6D1 |. 7D 09 JGE SHORT CrackMe_.0044C6DC ; is it 8 characters or more?
0044C6D3 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; sum of the user name's ASCII values
0044C6D6 |. 6BC0 02 IMUL EAX,EAX,2 ; multiply by 2
0044C6D9 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0044C6DC |> 68 98C74400 PUSH CrackMe_.0044C798 ; i love cracking and
0044C6E1 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0044C6E4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0044C6E7 |. E8 68B0FBFF CALL CrackMe_.00407754
0044C6EC |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; the doubled value in decimal
0044C6EF |. 68 B8C74400 PUSH CrackMe_.0044C7B8 ; girls ;)
0044C6F4 |. B8 8CF84400 MOV EAX,CrackMe_.0044F88C
0044C6F9 |. BA 03000000 MOV EDX,3
0044C6FE |. E8 3174FBFF CALL CrackMe_.00403B34
0044C703 |. 33C0 XOR EAX,EAX
0044C705 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0044C708 |. A1 88F84400 MOV EAX,DWORD PTR DS:[44F888]
0044C70D |. E8 6273FBFF CALL CrackMe_.00403A74 ; trial serial number
0044C712 |. 8BD8 MOV EBX,EAX
0044C714 |. A1 8CF84400 MOV EAX,DWORD PTR DS:[44F88C]
0044C719 |. E8 5673FBFF CALL CrackMe_.00403A74
0044C71E |. 3BD8 CMP EBX,EAX
0044C720 |. 75 4B JNZ SHORT CrackMe_.0044C76D ; is it 33 characters long?
0044C722 |. A1 88F84400 MOV EAX,DWORD PTR DS:[44F888]
0044C727 |. E8 4873FBFF CALL CrackMe_.00403A74
0044C72C |. 85C0 TEST EAX,EAX
0044C72E |. 7E 27 JLE SHORT CrackMe_.0044C757
0044C730 |. BA 01000000 MOV EDX,1
0044C735 |> 8B0D 88F84400 /MOV ECX,DWORD PTR DS:[44F888] ; trial serial number
0044C73B |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; take one character
0044C740 |. 034D FC |ADD ECX,DWORD PTR SS:[EBP-4]
0044C743 |. 8B1D 8CF84400 |MOV EBX,DWORD PTR DS:[44F88C] ; the correct serial number generated from the company name
0044C749 |. 0FB65C13 FF |MOVZX EBX,BYTE PTR DS:[EBX+EDX-1]
0044C74E |. 2BCB |SUB ECX,EBX ; subtract
0044C750 |. 894D FC |MOV DWORD PTR SS:[EBP-4],ECX
0044C753 |. 42 |INC EDX
0044C754 |. 48 |DEC EAX
0044C755 |.^ 75 DE \JNZ SHORT CrackMe_.0044C735
0044C757 |> 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
0044C75B |. 75 10 JNZ SHORT CrackMe_.0044C76D ; is it 0? 0 means success
0044C75D |. 8B86 14030000 MOV EAX,DWORD PTR DS:[ESI+314]
0044C763 |. BA CCC74400 MOV EDX,CrackMe_.0044C7CC ; you have found the correct serial :)
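Sum of the ASCII values of the user name (bydcse0):
62+79+64+63+73+65+30=2AA*2=544 (1364 in decimal)
The serial number is "I Love Cracking and " plus (sum of the user name's ASCII values)*2 plus " Girls ;)"
My user name: bydcse0
Company: bydcse
Serial number: I Love Cracking and 1364 Girls ;)
=========This serial number is amusing===================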
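Added example (not part of the original post): a Python model of the routine listed in post #7, showing the length gates, the conditional doubling, and the final loop at 0044C735, which accumulates byte differences instead of comparing the two strings. It assumes, from how the listing uses them, that 00403A74 returns a string length, 00407754 converts an integer to decimal text and 00403B34 concatenates; the literal spelling follows the serial in the post, and all function names are hypothetical.

```python
import hmac

PREFIX = "I Love Cracking and "   # spelling and spacing as in the post's serial
SUFFIX = " Girls ;)"

def expected_serial(name, company):
    """Model of 0044C66A-0044C6FE; None where the listing jumps to 0044C76D."""
    if len(name) <= 6 or len(name) >= 0x14:   # JLE / JGE on the user name length
        return None
    total = sum(name.encode("latin-1"))       # MOVZX/ADD loop at 0044C6A3
    if 2 < len(company) < 8:                  # otherwise the IMUL by 2 is skipped
        total *= 2
    return f"{PREFIX}{total}{SUFFIX}"

def routine_accepts(name, company, serial):
    """Model of 0044C708-0044C75B: same length, then a sum of byte differences."""
    expected = expected_serial(name, company)
    if expected is None or len(serial) != len(expected):
        return False
    acc = 0
    for got, want in zip(serial.encode("latin-1"), expected.encode("latin-1")):
        acc = (acc + got - want) & 0xFFFFFFFF  # ADD ECX,[EBP-4] / SUB ECX,EBX
    return acc == 0                            # CMP DWORD PTR [EBP-4],0

def strict_accepts(name, company, serial):
    """Exact, constant-time comparison: what an equality check would enforce."""
    expected = expected_serial(name, company)
    if expected is None:
        return False
    return hmac.compare_digest(serial.encode("latin-1"), expected.encode("latin-1"))

if __name__ == "__main__":
    good = expected_serial("bydcse0", "bydcse")
    swapped = good.replace("1364", "1346")     # same bytes, different order
    print(good, routine_accepts("bydcse0", "bydcse", swapped),
          strict_accepts("bydcse0", "bydcse", swapped))
```

Because only the running difference is tested against zero, the listed loop behaves as a byte-sum checksum over a fixed length rather than an equality test.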
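Post #8
So frustrating. I stared at the third one all morning without understanding it, and then it unexpectedly succeeded when I ticked every checkbox....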
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
0 0 1 0 1 1 0 0 1 0 1 1 1 0 1 0 0 0 1 1
324 328 32c 358 364 330 34c 354 35c 33c
3 5 6 9 11 12 13 15 19 20
Post #10
Reference: http://bbs.chinapyg.com/viewthread.php?tid=5111&extra=page%3D1
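Post #11
So it turns out I had the third one right. I still don't understand the fourth one, but I did find the patch point. Heh, keep at it...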