【文章标题】: D4ph1_-_Crackme#3的破解
【文章作者】: jdxyw
【软件名称】: D4ph1_-_Crackme#3
【下载地址】: 自己搜索下载
【加壳方式】: 无
【编写语言】: MASM
【使用工具】: OD peid
【操作平台】: XP
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
首先,PEID查壳,无壳
运行,有窗口,也有提示语言
运行后,载入,F9运行,跳出个窗口,说是不能debugger,查看字符串参考,ASCII "Debugger found...I think im gonna kill myself!:("
来到此处的代码,向上看,来到 004011F3 68 D1314000 PUSH Crackme#.004031D1
这个就是检查是否有debugger的开始处,只要跳开此处即可,将 PUSH Crackme#.004031D1,改为 jmp 004012B5
00401106 |. 68 06354000 PUSH Crackme#.00403506 ; /pBufferSize = Crackme#.00403506
0040110B |. 68 F6344000 PUSH Crackme#.004034F6 ; |Buffer = Crackme#.004034F6
00401110 |. E8 67040000 CALL <JMP.&kernel32.GetComputerNameA> ; \GetComputerNameA
由此这段代码,我们可以猜想这个注册码应该是和每个机器的信息是有关的。我们暂时记下
004013BA |. 49 DEC ECX
004013BB |. 33D2 XOR EDX,EDX
004013BD |. 4A DEC EDX
004013BE |. 33F6 XOR ESI,ESI
004013C0 |. 4E DEC ESI
004013C1 |. 33C0 XOR EAX,EAX
004013C3 |. A1 6C324000 MOV EAX,DWORD PTR DS:[40326C]
004013C8 |. 48 DEC EAX
004013C9 |. 50 PUSH EAX
004013CA |> 46 /INC ESI
004013CB |. 41 |INC ECX
004013CC |. 0FBE81 F034400>|MOVSX EAX,BYTE PTR DS:[ECX+4034F0] ;注意4034F0里面的内容,这里就是机器的信息,用来计算注册码的
004013D3 |. 0FBE9E EC31400>|MOVSX EBX,BYTE PTR DS:[ESI+4031EC] ;这里保存着用户名
004013DA |. 83F0 12 |XOR EAX,12
004013DD |. 83C0 34 |ADD EAX,34 ;以下就都是一些计算
004013E0 |. C1E3 03 |SHL EBX,3
004013E3 |. 83EB 20 |SUB EBX,20
004013E6 |. 83F3 66 |XOR EBX,66
004013E9 |. 32C3 |XOR AL,BL
004013EB |. 03C3 |ADD EAX,EBX
004013ED |. E8 5CFDFFFF |CALL Crackme#.0040114E ;这个是个关键,在里面计算并且最终生成注册码保存起来
004013F2 |. 58 |POP EAX
004013F3 |. 3BF0 |CMP ESI,EAX
004013F5 |. 50 |PUSH EAX
004013F6 |. 74 0A |JE SHORT Crackme#.00401402
004013F8 |. 83F9 03 |CMP ECX,3
004013FB |. 75 03 |JNZ SHORT Crackme#.00401400
004013FD |. 33C9 |XOR ECX,ECX
004013FF |. 49 |DEC ECX
00401400 |>^EB C8 \JMP SHORT Crackme#.004013CA
00401402 |> 58 POP EAX
00401403 |. 42 INC EDX
00401404 |. C682 70334000 >MOV BYTE PTR DS:[EDX+403370],2D
0040140B |. 33C9 XOR ECX,ECX
0040140D |. 49 DEC ECX
0040140E |. BB 13000000 MOV EBX,13
00401413 |. 33C0 XOR EAX,EAX
00401415 |> 41 /INC ECX
00401416 |. 0FBEB1 F434400>|MOVSX ESI,BYTE PTR DS:[ECX+4034F4]
0040141D |. 0FBEBB B731400>|MOVSX EDI,BYTE PTR DS:[EBX+4031B7]
00401424 |. 2BFE |SUB EDI,ESI
00401426 |. 03C7 |ADD EAX,EDI
00401428 |. 2BC6 |SUB EAX,ESI
0040142A |. C1E0 04 |SHL EAX,4
0040142D |. 83F9 01 |CMP ECX,1
00401430 |.^75 E3 \JNZ SHORT Crackme#.00401415
00401432 |. C1E8 04 SHR EAX,4
00401435 |. 33C9 XOR ECX,ECX
00401437 |. 49 DEC ECX
00401438 |> 41 /INC ECX
00401439 |. E8 10FDFFFF |CALL Crackme#.0040114E
0040143E |. 8AC4 |MOV AL,AH
00401440 |. 83F9 01 |CMP ECX,1
00401443 |.^75 F3 \JNZ SHORT Crackme#.00401438
00401445 |. 42 INC EDX
00401446 |. C682 70334000 >MOV BYTE PTR DS:[EDX+403370],2D
0040144D |. 33C9 XOR ECX,ECX
0040144F |. 49 DEC ECX
00401450 |. 33FF XOR EDI,EDI
00401452 |. 0FBE35 0635400>MOVSX ESI,BYTE PTR DS:[403506]
00401459 |> 41 /INC ECX
0040145A |. 0FBE81 F634400>|MOVSX EAX,BYTE PTR DS:[ECX+4034F6]
00401461 |. 8B9F 07124000 |MOV EBX,DWORD PTR DS:[EDI+401207]
00401467 |. 33C3 |XOR EAX,EBX
00401469 |. 331D 06354000 |XOR EBX,DWORD PTR DS:[403506]
0040146F |. 2BD8 |SUB EBX,EAX
00401471 |. 2B1D 06354000 |SUB EBX,DWORD PTR DS:[403506]
00401477 |. 03C3 |ADD EAX,EBX
00401479 |. E8 D0FCFFFF |CALL Crackme#.0040114E
0040147E |. 83C7 04 |ADD EDI,4
00401481 |. 4E |DEC ESI
00401482 |.^75 D5 \JNZ SHORT Crackme#.00401459 这个注册码的计算最终将结果保存在00403370,你甚至可以只要在这里下个断点就可以
然后查看00403370的内容就可以了
00401484 |. 68 70334000 PUSH Crackme#.00403370 ; /String = ""
00401489 |. E8 1E010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
0040148E |. 8BC8 MOV ECX,EAX
00401490 |. 41 INC ECX
00401491 |> 49 /DEC ECX
00401492 |. 0FBE81 7032400>|MOVSX EAX,BYTE PTR DS:[ECX+403270]
00401499 |. 0FBE99 7033400>|MOVSX EBX,BYTE PTR DS:[ECX+403370]
004014A0 |. 3BC3 |CMP EAX,EBX
004014A2 |. 75 1A |JNZ SHORT Crackme#.004014BE
004014A4 |. 83F9 00 |CMP ECX,0
004014A7 |.^75 E8 \JNZ SHORT Crackme#.00401491
004014A9 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004014AB |. 68 00304000 PUSH Crackme#.00403000 ; |Title = "Crackme#3 By D4ph1"
004014B0 |. 68 E0304000 PUSH Crackme#.004030E0 ; |Text = "Great work!Hope this is coming from your keygenerator!:)"
004014B5 |. 6A 00 PUSH 0 ; |hOwner = NULL
004014B7 |. E8 90000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004014BC |. EB 28 JMP SHORT Crackme#.004014E6
004014BE |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014C0 |. 68 00304000 PUSH Crackme#.00403000 ; |Title = "Crackme#3 By D4ph1"
004014C5 |. 68 19314000 PUSH Crackme#.00403119 ; |Text = "This is not the right serial..."
004014CA |. 6A 00 PUSH 0 ; |hOwner = NULL
004014CC |. E8 7B000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004014D1 |. EB 13 JMP SHORT Crackme#.004014E6
004014D3 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014D5 |. 68 00304000 PUSH Crackme#.00403000 ; |Title = "Crackme#3 By D4ph1"
004014DA |. 68 BB304000 PUSH Crackme#.004030BB ; |Text = "You have to write a Serial first...!"
004014DF |. 6A 00 PUSH 0 ; |hOwner = NULL
004014E1 |. E8 66000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004014E6 |> E8 93FCFFFF CALL Crackme#.0040117E
004014EB |. EB 2C JMP SHORT Crackme#.00401519
004014ED |> 0BC0 OR EAX,EAX
004014EF |. 75 15 JNZ SHORT Crackme#.00401506
004014F1 |. 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014F3 |. 68 00304000 PUSH Crackme#.00403000 ; |Title = "Crackme#3 By D4ph1"
004014F8 |. 68 98304000 PUSH Crackme#.00403098 ; |Text = "You have to write a Name first...!"
004014FD |. 6A 00 PUSH 0 ; |hOwner = NULL
004014FF |. E8 48000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00401504 |. EB 13 JMP SHORT Crackme#.00401519
00401506 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401508 |. 68 00304000 PUSH Crackme#.00403000 ; |Title = "Crackme#3 By D4ph1"
0040150D |. 68 75304000 PUSH Crackme#.00403075 ; |Text = "The Name you write is not correct!"
00401512 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401514 |. E8 33000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00401519 |> EB 09 JMP SHORT Crackme#.00401524
0040151B |> B8 00000000 MOV EAX,0
00401520 |. C9 LEAVE
00401521 |. C2 1000 RETN 10
00401524 |> B8 01000000 MOV EAX,1
00401529 |. C9 LEAVE
0040152A \. C2 1000 RETN 10
我的用户名是yutou注册码7E8606DA7E-3605-6BE980FD5600FE00002F2975F65800
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年08月08日 17:16:17
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
