【文章标题】: CrackMe.qwgboy2000.VC5.00n
【文章作者】: fonge
【作者邮箱】: fonge520@163.com
【作者QQ号】: 170247260
【作者声明】: 一只小鸟
--------------------------------------------------------------------------------
【详细过程】
字符串查找找到这里
00401069 |. 6A 00 push 0 ; /hTemplateFile = NULL
0040106B |. 68 80000000 push 80 ; |Attributes = NORMAL
00401070 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401072 |. 6A 00 push 0 ; |pSecurity = NULL
00401074 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401076 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040107B |. 68 A8004200 push 004200A8 ; |keyfile.qwg 读取keyfile.qwg文件
00401080 |. FF15 9C514200 call [<&KERNEL32.CreateFileA>] ; \CreateFileA
00401086 |. 3BF4 cmp esi, esp
00401088 |. E8 33210000 call 004031C0
0040108D |. 8945 F8 mov [ebp-8], eax
00401090 |. 837D F8 FF cmp dword ptr [ebp-8], -1
00401094 |. 75 24 jnz short 004010BA keyfile.qwg打开失败(CreateFileA返回-1)即不跳,不跳则直接弹出失败框
00401096 |. 8BF4 mov esi, esp
00401098 |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040109A |. 68 A0004200 push 004200A0 ; |失败
0040109F |. 68 88004200 push 00420088 ; |很遗憾验证失败了!
004010A4 |. 6A 00 push 0 ; |hOwner = NULL
004010A6 |. FF15 B4524200 call [<&USER32.MessageBoxA>] ; \MessageBoxA
004010AC |. 3BF4 cmp esi, esp
004010AE |. E8 0D210000 call 004031C0
004010B3 |. 33C0 xor eax, eax
004010B5 |. E9 A8010000 jmp 00401262
004010BA |> 8BF4 mov esi, esp
004010BC |. 6A 00 push 0 ; /pFileSizeHigh = NULL
004010BE |. 8B45 F8 mov eax, [ebp-8] ; |
004010C1 |. 50 push eax ; |hFile
004010C2 |. FF15 98514200 call [<&KERNEL32.GetFileSize>] ; \GetFileSize
004010C8 |. 3BF4 cmp esi, esp
004010CA |. E8 F1200000 call 004031C0
004010CF |. 8945 F0 mov [ebp-10], eax
004010D2 |. 837D F0 FF cmp dword ptr [ebp-10], -1
004010D6 |. 75 1D jnz short 004010F5 这里要跳
004010D8 |. 8BF4 mov esi, esp
004010DA |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004010DC |. 68 80004200 push 00420080 ; |出错了
004010E1 |. 68 64004200 push 00420064 ; |读文件时发生未知错误!
004010E6 |. 6A 00 push 0 ; |hOwner = NULL
004010E8 |. FF15 B4524200 call [<&USER32.MessageBoxA>] ; \MessageBoxA
004010EE |. 3BF4 cmp esi, esp
004010F0 |. E8 CB200000 call 004031C0
004010F5 |> 837D F0 14 cmp dword ptr [ebp-10], 14 文件长度必须恰为14h(20字节)
004010F9 |. 0F85 44010000 jnz 00401243 这里要跳才行
004010FF |. 8B4D F0 mov ecx, [ebp-10]
00401102 |. 83C1 02 add ecx, 2
00401105 |. 51 push ecx ; /Arg1
00401106 |. E8 25020000 call 00401330 ; \qwgboy20.00401330
0040110B |. 83C4 04 add esp, 4
0040110E |. 8945 D0 mov [ebp-30], eax
00401111 |. 8BF4 mov esi, esp
00401113 |. 6A 00 push 0 ; /pOverlapped = NULL
00401115 |. 8D55 FC lea edx, [ebp-4] ; |
00401118 |. 52 push edx ; |pBytesRead
00401119 |. 8B45 F0 mov eax, [ebp-10] ; |
0040111C |. 50 push eax ; |BytesToRead
0040111D |. 8B4D D0 mov ecx, [ebp-30] ; |
00401120 |. 51 push ecx ; |Buffer
00401121 |. 8B55 F8 mov edx, [ebp-8] ; |
00401124 |. 52 push edx ; |hFile
00401125 |. FF15 94514200 call [<&KERNEL32.ReadFile>] ; \ReadFile
0040112B |. 3BF4 cmp esi, esp
0040112D |. E8 8E200000 call 004031C0
00401132 |. 8BF4 mov esi, esp
00401134 |. 8B45 F8 mov eax, [ebp-8]
00401137 |. 50 push eax ; /hObject
00401138 |. FF15 90514200 call [<&KERNEL32.CloseHandle>] ; \CloseHandle
0040113E |. 3BF4 cmp esi, esp
00401140 |. E8 7B200000 call 004031C0
00401145 |. 8B4D D0 mov ecx, [ebp-30]
00401148 |. 034D F0 add ecx, [ebp-10]
0040114B |. C601 00 mov byte ptr [ecx], 0
0040114E |. 8B55 D0 mov edx, [ebp-30]
00401151 |. 0355 F0 add edx, [ebp-10]
00401154 |. C642 01 00 mov byte ptr [edx+1], 0
00401158 |. C745 F4 00000>mov dword ptr [ebp-C], 0
0040115F |. EB 09 jmp short 0040116A
00401161 |> 8B45 F4 /mov eax, [ebp-C]
00401164 |. 83C0 01 |add eax, 1
00401167 |. 8945 F4 |mov [ebp-C], eax
0040116A |> 837D F4 0A cmp dword ptr [ebp-C], 0A 这里是计数器
0040116E |. 7D 21 |jge short 00401191
00401170 |. 8B4D D0 |mov ecx, [ebp-30]
00401173 |. 034D F4 |add ecx, [ebp-C]
00401176 |. 33D2 |xor edx, edx
00401178 |. 8A11 |mov dl, [ecx]
0040117A |. 8B45 F4 |mov eax, [ebp-C]
0040117D |. 0FBE4C05 E0 |movsx ecx, byte ptr [ebp+eax-20] 这里是取表[qwgboy2000!!!!!!cool]前A位比较
00401182 |. 3BD1 |cmp edx, ecx
00401184 |. 75 09 |jnz short 0040118F
00401186 |. 8B55 EC |mov edx, [ebp-14]
00401189 |. 83C2 01 |add edx, 1
0040118C |. 8955 EC |mov [ebp-14], edx
0040118F |>^ EB D0 \jmp short 00401161
00401191 |> EB 09 jmp short 0040119C
00401193 |> 8B45 F4 /mov eax, [ebp-C]
00401196 |. 83C0 01 |add eax, 1
00401199 |. 8945 F4 |mov [ebp-C], eax
0040119C |> 837D F4 10 cmp dword ptr [ebp-C], 10 这里跟上面差不多功能,下标从A到10,但比较的是两张表([ebp-2A]与[ebp-32])对应字节之差
004011A0 |. 7D 2B |jge short 004011CD
004011A2 |. 8B4D D0 |mov ecx, [ebp-30]
004011A5 |. 034D F4 |add ecx, [ebp-C]
004011A8 |. 33D2 |xor edx, edx
004011AA |. 8A11 |mov dl, [ecx]
004011AC |. 8B45 F4 |mov eax, [ebp-C]
004011AF |. 0FBE4C05 D6 |movsx ecx, byte ptr [ebp+eax-2A]
004011B4 |. 8B45 F4 |mov eax, [ebp-C]
004011B7 |. 0FBE4405 CE |movsx eax, byte ptr [ebp+eax-32]
004011BC |. 2BC8 |sub ecx, eax
004011BE |. 3BD1 |cmp edx, ecx
004011C0 |. 75 09 |jnz short 004011CB
004011C2 |. 8B4D EC |mov ecx, [ebp-14]
004011C5 |. 83C1 01 |add ecx, 1
004011C8 |. 894D EC |mov [ebp-14], ecx
004011CB |>^ EB C6 \jmp short 00401193
004011CD |> EB 09 jmp short 004011D8
004011CF |> 8B55 F4 /mov edx, [ebp-C]
004011D2 |. 83C2 01 |add edx, 1
004011D5 |. 8955 F4 |mov [ebp-C], edx
004011D8 |> 837D F4 14 cmp dword ptr [ebp-C], 14 这里跟上面差不多功能,下标从10到14(结束),与[ebp-3C]表逐字节比较
004011DC |. 7D 21 |jge short 004011FF
004011DE |. 8B45 D0 |mov eax, [ebp-30]
004011E1 |. 0345 F4 |add eax, [ebp-C]
004011E4 |. 33C9 |xor ecx, ecx
004011E6 |. 8A08 |mov cl, [eax]
004011E8 |. 8B55 F4 |mov edx, [ebp-C]
004011EB |. 0FBE4415 C4 |movsx eax, byte ptr [ebp+edx-3C]
004011F0 |. 3BC8 |cmp ecx, eax
004011F2 |. 75 09 |jnz short 004011FD
004011F4 |. 8B4D EC |mov ecx, [ebp-14]
004011F7 |. 83C1 01 |add ecx, 1
004011FA |. 894D EC |mov [ebp-14], ecx
004011FD |>^ EB D0 \jmp short 004011CF
004011FF |> 837D EC 14 cmp dword ptr [ebp-14], 14
00401203 |. 75 1F jnz short 00401224 这里不能跳,匹配计数[ebp-14]须等于14h(全部20字节都相同)
00401205 |. 8BF4 mov esi, esp
00401207 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401209 |. 68 58004200 push 00420058 ; |成功了!
0040120E |. 68 40004200 push 00420040 ; |哇!你真是太厉害了!
00401213 |. 6A 00 push 0 ; |hOwner = NULL
00401215 |. FF15 B4524200 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0040121B |. 3BF4 cmp esi, esp
0040121D |. E8 9E1F0000 call 004031C0
00401222 |. EB 1D jmp short 00401241
00401224 |> 8BF4 mov esi, esp
00401226 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401228 |. 68 38004200 push 00420038 ; |加油
0040122D |. 68 1C004200 push 0042001C ; |继续努力,你会成功的!
00401232 |. 6A 00 push 0 ; |hOwner = NULL
00401234 |. FF15 B4524200 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0040123A |. 3BF4 cmp esi, esp
0040123C |. E8 7F1F0000 call 004031C0
00401241 |> EB 1D jmp short 00401260
00401243 |> 8BF4 mov esi, esp
00401245 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401247 |. 68 38004200 push 00420038 ; |加油
0040124C |. 68 1C004200 push 0042001C ; |继续努力,你会成功的!
00401251 |. 6A 00 push 0 ; |hOwner = NULL
00401253 |. FF15 B4524200 call [<&USER32.MessageBoxA>] ; \MessageBoxA
00401259 |. 3BF4 cmp esi, esp
0040125B |. E8 601F0000 call 004031C0
00401260 |> 33C0 xor eax, eax
00401262 |> 5F pop edi
00401263 |. 5E pop esi
00401264 |. 5B pop ebx
00401265 |. 83C4 70 add esp, 70
00401268 |. 3BEC cmp ebp, esp
0040126A |. E8 511F0000 call 004031C0
0040126F |. 8BE5 mov esp, ebp
00401271 |. 5D pop ebp
00401272 \. C2 1000 retn 10
--------------------------------------------------------------------------------
【经验总结】
固定码比较,keyfile内容与程序内置的表逐字节比对
用文本编辑器新建一个内容恰为qwgboy2000!!!!!!cool(共20字节,末尾不能带换行)的keyfile.qwg即可通过
--------------------------------------------------------------------------------