为了完成PYG的月度作业,从http://www.crackmes.de/ 下载一个Crackme,作者说它的难度中级。
注册码错误,则不会有任何提示。
Delphi编写,却不反DeDe,可见作者是个新手,它是个超级简单的Crackme。
所以一下子就用DeDe找到OK按钮的单击事件:
在这里,OD载入,F2下断就行:
00458814 55 push ebp
……
看它的算法过程跟看中文书一样。
请高手务必略过,这只是在完成PYG的作业。顺便给初学者看看。
00458840 E8 A79EFDFF call CrackMe_.004326EC ; 取得注册名wofan ===来到这里
00458845 8B45 FC mov eax,dword ptr ss:[ebp-4]
00458848 E8 87B9FAFF call CrackMe_.004041D4 ; 注册名长度5
0045884D 8BF0 mov esi,eax
0045884F 83FE 01 cmp esi,1 ; 注册名长度的下限是:1
00458852 7D 12 jge short CrackMe_.00458866
00458854 33D2 xor edx,edx
00458856 8B83 44030000 mov eax,dword ptr ds:[ebx+344]
0045885C E8 BB9EFDFF call CrackMe_.0043271C
00458861 E9 09010000 jmp CrackMe_.0045896F
00458866 83FE 63 cmp esi,63 ; 注册名长度的上限是:0x63
00458869 7E 12 jle short CrackMe_.0045887D
0045886B 33D2 xor edx,edx
0045886D 8B83 44030000 mov eax,dword ptr ds:[ebx+344]
00458873 E8 A49EFDFF call CrackMe_.0043271C
00458878 E9 F2000000 jmp CrackMe_.0045896F
0045887D 6BFE 75 imul edi,esi,75 ; 注册名长度 imul 0x75
00458880 81C7 3E150000 add edi,153E ; 加上0x153E
00458886 81EF 74150000 sub edi,1574 ; 保存结果于EDI中,再减去0x1574
0045888C 8BC6 mov eax,esi
0045888E 83E8 22 sub eax,22 ; 再减去0x22
00458891 69C0 F0110000 imul eax,eax,11F0 ; 乘以0x11F0
00458897 03F8 add edi,eax ; EDI+EAX=FFFDF9E3
00458899 81C7 4C520E00 add edi,0E524C ; 加上0x0E524C=C4C2F
0045889F 68 BC894500 push CrackMe_.004589BC ; push 一个字串:668r9\5233
004588A4 8D55 EC lea edx,dword ptr ss:[ebp-14]
004588A7 8BC7 mov eax,edi
004588A9 E8 C6F5FAFF call CrackMe_.00407E74 ; 获取EDI中数据的十进制形式:805935
004588AE FF75 EC push dword ptr ss:[ebp-14]
004588B1 68 D0894500 push CrackMe_.004589D0
004588B6 68 DC894500 push CrackMe_.004589DC ; ASCII "k329[43}"
004588BB 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004588BE BA 04000000 mov edx,4
004588C3 E8 CCB9FAFF call CrackMe_.00404294 ; 连接:668r9\5233805935-k329[43}
004588C8 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004588CB 8B83 44030000 mov eax,dword ptr ds:[ebx+344]
004588D1 E8 469EFDFF call CrackMe_.0043271C
004588D6 85F6 test esi,esi
004588D8 0F8E 91000000 jle CrackMe_.0045896F
004588DE BF 01000000 mov edi,1
004588E3 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 注册名:wofan
004588E6 0FB64438 FF movzx eax,byte ptr ds:[eax+edi-1] ; 取得注册名的第一个字符的ASCII码:77
004588EB 8945 F4 mov dword ptr ss:[ebp-C],eax
004588EE 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
004588F1 BA 02000000 mov edx,2
004588F6 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004588F9 E8 8AF6FAFF call CrackMe_.00407F88
004588FE 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00458901 8B83 44030000 mov eax,dword ptr ds:[ebx+344]
00458907 E8 E09DFDFF call CrackMe_.004326EC
0045890C FF75 E4 push dword ptr ss:[ebp-1C]
0045890F FF75 F8 push dword ptr ss:[ebp-8]
00458912 68 F0894500 push CrackMe_.004589F0
00458917 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0045891A BA 03000000 mov edx,3
0045891F E8 70B9FAFF call CrackMe_.00404294 ; 连接字符串:即加上:77$ 就是真注册码
00458924 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00458927 8B83 44030000 mov eax,dword ptr ds:[ebx+344]
0045892D E8 EA9DFDFF call CrackMe_.0043271C
00458932 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00458935 8B83 34030000 mov eax,dword ptr ds:[ebx+334]
0045893B E8 AC9DFDFF call CrackMe_.004326EC ; 取得假的注册码123456
00458940 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00458943 50 push eax
00458944 8D55 DC lea edx,dword ptr ss:[ebp-24]
00458947 8B83 44030000 mov eax,dword ptr ds:[ebx+344]
0045894D E8 9A9DFDFF call CrackMe_.004326EC
00458952 8B55 DC mov edx,dword ptr ss:[ebp-24] ; 真的注册码
00458955 58 pop eax ; 假的注册码
00458956 E8 C5B9FAFF call CrackMe_.00404320 ; 比较
0045895B 75 0A jnz short CrackMe_.00458967
0045895D B8 FC894500 mov eax,CrackMe_.004589FC ; ASCII "Very good! You solved this crackme! Mail me!"
注册算法与注册名长度及第一个注册名字符的ASCII码有关。
提供可用注册码一组:
name:wofan
code:668r9\5233805935-k329[43}77$
20:01 2006-10-2
by wofan[OCN][PYG]
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
