【Title】: aCaFeeL's CrackMe V2 - a short crack writeup
【Author】: xiaohui_82
【Author's QQ】: 42956599
【Software】: aCaFeeL's CrackMe V2
【Download】: search for it yourself
【Platform】: XP
【Author's note】: Done purely out of interest, for no other purpose. Corrections for any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Load the target in OD, search the referenced strings, and set a breakpoint at 004B6634 (the button handler that validates the input):
004B6634 . 55 push ebp
004B6635 . 8BEC mov ebp, esp
004B6637 . B9 09000000 mov ecx, 9
004B663C > 6A 00 push 0
004B663E . 6A 00 push 0
004B6640 . 49 dec ecx
004B6641 .^ 75 F9 jnz short 004B663C
004B6643 . 53 push ebx
004B6644 . 56 push esi
004B6645 . 8BD8 mov ebx, eax
004B6647 . 33C0 xor eax, eax
004B6649 . 55 push ebp
004B664A . 68 F2684B00 push 004B68F2
004B664F . 64:FF30 push dword ptr fs:[eax]
004B6652 . 64:8920 mov dword ptr fs:[eax], esp
004B6655 . 8D55 FC lea edx, dword ptr [ebp-4]
004B6658 . 8B83 EC020000 mov eax, dword ptr [ebx+2EC]
004B665E . E8 05B0F7FF call 00431668
004B6663 . 8B45 FC mov eax, dword ptr [ebp-4] ; registration name (read from the edit at [ebx+2EC])
004B6666 . E8 F1D7F4FF call 00403E5C ; length of the name (Delphi string length)
004B666B . 83F8 06 cmp eax, 6 ; name length <= 6 ...
004B666E . 0F8E 09020000 jle 004B687D ; ... is rejected
004B6674 . 8D55 F8 lea edx, dword ptr [ebp-8]
004B6677 . 8B83 EC020000 mov eax, dword ptr [ebx+2EC]
004B667D . E8 E6AFF7FF call 00431668
004B6682 . 8B55 F8 mov edx, dword ptr [ebp-8]
004B6685 . B8 20E94B00 mov eax, 004BE920 ; global that stores the name (passed to the key routine at 004B672E)
004B668A . E8 A1D5F4FF call 00403C30 ; string assign
004B668F . 8D55 F4 lea edx, dword ptr [ebp-C]
004B6692 . 8B83 F0020000 mov eax, dword ptr [ebx+2F0]
004B6698 . E8 CBAFF7FF call 00431668 ; read the trial code (edit at [ebx+2F0])
004B669D . 837D F4 00 cmp dword ptr [ebp-C], 0 ; no trial code entered (an empty Delphi string is a nil pointer)
004B66A1 . 0F84 B1010000 je 004B6858
004B66A7 . 8D55 F0 lea edx, dword ptr [ebp-10]
004B66AA . 8B83 F0020000 mov eax, dword ptr [ebx+2F0]
004B66B0 . E8 B3AFF7FF call 00431668
004B66B5 . 8B55 F0 mov edx, dword ptr [ebp-10]
004B66B8 . B8 24E94B00 mov eax, 004BE924 ; global that stores the trial code (compared at 004B678D)
004B66BD . E8 6ED5F4FF call 00403C30 ; string assign
004B66C2 . 8D55 EC lea edx, dword ptr [ebp-14]
004B66C5 . 8B83 04030000 mov eax, dword ptr [ebx+304]
004B66CB . E8 98AFF7FF call 00431668 ; read the key (combo box at [ebx+304])
004B66D0 . 837D EC 00 cmp dword ptr [ebp-14], 0 ; no key selected
004B66D4 . 0F84 72010000 je 004B684C
004B66DA . 8D55 E8 lea edx, dword ptr [ebp-18]
004B66DD . 8B83 EC020000 mov eax, dword ptr [ebx+2EC]
004B66E3 . E8 80AFF7FF call 00431668
004B66E8 . 8B45 E8 mov eax, dword ptr [ebp-18] ; name
004B66EB . E8 6CD7F4FF call 00403E5C ; its length is returned in EAX
004B66F0 . 8BF0 mov esi, eax ; esi = len(name)
004B66F2 . 8B83 04030000 mov eax, dword ptr [ebx+304]
004B66F8 . E8 D72AF7FF call 004291D4 ; ItemIndex of the key combo: SD=0, LW=1, CZ=2 (see 004B6804)
004B66FD . 2BF0 sub esi, eax ; esi = len(name) - ItemIndex
004B66FF . 83FE 06 cmp esi, 6
004B6702 . 0F8D BC000000 jge 004B67C4 ; must be < 6. Together with 004B67BF (> 4), 004B67F4 (len < 8) and 004B6804 (ItemIndex == 2), the only combination that passes is a 7-character name with key CZ
004B6708 . 8D55 E4 lea edx, dword ptr [ebp-1C]
004B670B . 8B83 F0020000 mov eax, dword ptr [ebx+2F0]
004B6711 . E8 52AFF7FF call 00431668
004B6716 . 8B55 E4 mov edx, dword ptr [ebp-1C]
004B6719 . B8 08694B00 mov eax, 004B6908 ; "79"
004B671E . E8 25DAF4FF call 00404148 ; Pos("79", trial code): the code must contain "79" (a correct code always ends in 79, see 004B6785)
004B6723 . 85C0 test eax, eax
004B6725 . 0F8E 99000000 jle 004B67C4 ; not found -> Wrong Code
004B672B . 8D55 DC lea edx, dword ptr [ebp-24]
004B672E . A1 20E94B00 mov eax, dword ptr [4BE920] ; eax = name
004B6733 . E8 F8FDFFFF call 004B6530 ; compute the key from the name (subroutine at 004B6530, listed below)
004B6738 . FF75 DC push dword ptr [ebp-24] ; push the key (first piece of the concatenation)
004B673B . 8D55 D4 lea edx, dword ptr [ebp-2C]
004B673E . 8B83 EC020000 mov eax, dword ptr [ebx+2EC]
004B6744 . E8 1FAFF7FF call 00431668
004B6749 . 8B45 D4 mov eax, dword ptr [ebp-2C]
004B674C . E8 0BD7F4FF call 00403E5C ; len(name)
004B6751 . 8D55 D8 lea edx, dword ptr [ebp-28]
004B6754 . E8 6B1FF5FF call 004086C4 ; IntToStr(len(name))
004B6759 . FF75 D8 push dword ptr [ebp-28] ; push it (second piece)
004B675C . 8D55 CC lea edx, dword ptr [ebp-34]
004B675F . 8B83 F0020000 mov eax, dword ptr [ebx+2F0]
004B6765 . E8 FEAEF7FF call 00431668
004B676A . 8B45 CC mov eax, dword ptr [ebp-34]
004B676D . E8 EAD6F4FF call 00403E5C ; len(trial code)
004B6772 . 8D55 D0 lea edx, dword ptr [ebp-30]
004B6775 . E8 4A1FF5FF call 004086C4 ; IntToStr(len(trial code))
004B677A . FF75 D0 push dword ptr [ebp-30] ; push it (third piece)
004B677D . 8D45 E0 lea eax, dword ptr [ebp-20]
004B6780 . BA 03000000 mov edx, 3 ; three pieces
004B6785 . E8 92D7F4FF call 00403F1C ; concatenate: correct code = key + IntToStr(len(name)) + IntToStr(len(trial code))
004B678A . 8B45 E0 mov eax, dword ptr [ebp-20] ; eax = correct code
004B678D . 8B15 24E94B00 mov edx, dword ptr [4BE924] ; edx = trial code
004B6793 . E8 D4D7F4FF call 00403F6C ; string compare. EAX holds the correct code here, so a memory keygen can read it out at this point
004B6798 . 75 2A jnz short 004B67C4 ; mismatch -> Wrong Code
004B679A . 8D55 C8 lea edx, dword ptr [ebp-38]
004B679D . 8B83 EC020000 mov eax, dword ptr [ebx+2EC]
004B67A3 . E8 C0AEF7FF call 00431668
004B67A8 . 8B45 C8 mov eax, dword ptr [ebp-38]
004B67AB . E8 ACD6F4FF call 00403E5C
004B67B0 . 8BF0 mov esi, eax
004B67B2 . 8B83 04030000 mov eax, dword ptr [ebx+304]
004B67B8 . E8 172AF7FF call 004291D4
004B67BD . 2BF0 sub esi, eax ; esi = len(name) - ItemIndex again
004B67BF . 83FE 04 cmp esi, 4
004B67C2 . 7F 1A jg short 004B67DE ; must be > 4
004B67C4 > 6A 00 push 0 ; /Arg1 = 00000000
004B67C6 . 66:8B0D 0C694B00 mov cx, word ptr [4B690C] ; |
004B67CD . B2 01 mov dl, 1 ; |
004B67CF . B8 18694B00 mov eax, 004B6918 ; |ASCII " Wrong Code!",CR,CR,"Try It Again!"
004B67D4 . E8 7F19FAFF call 00458158 ; \CrackMe.00458158
004B67D9 . E9 C2000000 jmp 004B68A0
004B67DE > 8D55 C4 lea edx, dword ptr [ebp-3C]
004B67E1 . 8B83 EC020000 mov eax, dword ptr [ebx+2EC]
004B67E7 . E8 7CAEF7FF call 00431668
004B67EC . 8B45 C4 mov eax, dword ptr [ebp-3C]
004B67EF . E8 68D6F4FF call 00403E5C
004B67F4 . 83F8 08 cmp eax, 8 ; len(name) must be < 8
004B67F7 .^ 7D CB jge short 004B67C4
004B67F9 . 8B83 04030000 mov eax, dword ptr [ebx+304]
004B67FF . E8 D029F7FF call 004291D4
004B6804 . 83F8 02 cmp eax, 2 ; ItemIndex must be 2 (CZ)
004B6807 .^ 75 BB jnz short 004B67C4
004B6809 . 6A 00 push 0
004B680B . 68 3C694B00 push 004B693C ; !good job! registered to:
004B6810 . FF35 20E94B00 push dword ptr [4BE920]
004B6816 . 68 64694B00 push 004B6964 ; ASCII " !Good Job!"
004B681B . 68 7C694B00 push 004B697C ; \n
004B6820 . 68 7C694B00 push 004B697C ; \n
004B6825 . 68 88694B00 push 004B6988 ; you really should congratulate yourself on this job!
004B682A . 8D45 C0 lea eax, dword ptr [ebp-40]
Now the subroutine that computes the key (called with eax = name, edx = address of the result string):
004B6530 /$ 55 push ebp
004B6531 |. 8BEC mov ebp, esp
004B6533 |. 33C9 xor ecx, ecx
004B6535 |. 51 push ecx
004B6536 |. 51 push ecx
004B6537 |. 51 push ecx
004B6538 |. 51 push ecx
004B6539 |. 51 push ecx
004B653A |. 53 push ebx
004B653B |. 56 push esi
004B653C |. 8BF2 mov esi, edx
004B653E |. 8945 FC mov dword ptr [ebp-4], eax
004B6541 |. 8B45 FC mov eax, dword ptr [ebp-4]
004B6544 |. E8 C7DAF4FF call 00404010
004B6549 |. 33C0 xor eax, eax
004B654B |. 55 push ebp
004B654C |. 68 26664B00 push 004B6626
004B6551 |. 64:FF30 push dword ptr fs:[eax]
004B6554 |. 64:8920 mov dword ptr fs:[eax], esp
004B6557 |. 8B45 FC mov eax, dword ptr [ebp-4]
004B655A |. 33DB xor ebx, ebx
004B655C |. 8A18 mov bl, byte ptr [eax] ; bl = name[0] (0-based indexing here and below)
004B655E |. 8B45 FC mov eax, dword ptr [ebp-4]
004B6561 |. 0FB640 06 movzx eax, byte ptr [eax+6] ; name[6]
004B6565 |. 0FAFD8 imul ebx, eax ; ebx = name[0]*name[6]
004B6568 |. 8B45 FC mov eax, dword ptr [ebp-4]
004B656B |. 0FB640 01 movzx eax, byte ptr [eax+1]
004B656F |. 8B55 FC mov edx, dword ptr [ebp-4]
004B6572 |. 0FB652 05 movzx edx, byte ptr [edx+5]
004B6576 |. F7EA imul edx ; eax = name[1]*name[5] (one-operand imul: low 32 bits land in eax)
004B6578 |. 03D8 add ebx, eax ; ebx += name[1]*name[5]
004B657A |. 8B45 FC mov eax, dword ptr [ebp-4]
004B657D |. 0FB640 02 movzx eax, byte ptr [eax+2]
004B6581 |. 8B55 FC mov edx, dword ptr [ebp-4]
004B6584 |. 0FB652 04 movzx edx, byte ptr [edx+4]
004B6588 |. F7EA imul edx ; eax = name[2]*name[4]
004B658A |. 03D8 add ebx, eax ; ebx += name[2]*name[4]
004B658C |. 8BC3 mov eax, ebx
004B658E |. F7EB imul ebx ; eax = ebx*ebx (low 32 bits only; wraps to a negative value for large names)
004B6590 |. 8B55 FC mov edx, dword ptr [ebp-4]
004B6593 |. 0FB652 03 movzx edx, byte ptr [edx+3]
004B6597 |. 33C2 xor eax, edx ; eax ^= name[3]
004B6599 |. 8BD8 mov ebx, eax
004B659B |. 8D55 F8 lea edx, dword ptr [ebp-8]
004B659E |. 8BC3 mov eax, ebx
004B65A0 |. E8 1F21F5FF call 004086C4 ; IntToStr(ebx)
004B65A5 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; the decimal string
004B65A8 |. E8 AFD8F4FF call 00403E5C ; its length
004B65AD |. 83F8 06 cmp eax, 6 ; 6 characters or fewer: square some more
004B65B0 |. 7E 1F jle short 004B65D1
004B65B2 |. 56 push esi ; result string
004B65B3 |. 8D55 F4 lea edx, dword ptr [ebp-C]
004B65B6 |. 8BC3 mov eax, ebx
004B65B8 |. E8 0721F5FF call 004086C4 ; IntToStr(ebx)
004B65BD |. 8B45 F4 mov eax, dword ptr [ebp-C]
004B65C0 |. B9 07000000 mov ecx, 7 ; Count = 7
004B65C5 |. BA 01000000 mov edx, 1 ; Index = 1
004B65CA |. E8 95DAF4FF call 00404064 ; key = Copy(IntToStr(ebx), 1, 7): the first 7 characters
004B65CF |. EB 3A jmp short 004B660B
004B65D1 |> 8BC3 /mov eax, ebx ; loop: ebx = ebx*ebx until IntToStr(ebx) is longer than 6 characters
004B65D3 |. F7EB |imul ebx
004B65D5 |. 8BD8 |mov ebx, eax
004B65D7 |. 8D55 F0 |lea edx, dword ptr [ebp-10]
004B65DA |. 8BC3 |mov eax, ebx
004B65DC |. E8 E320F5FF |call 004086C4 ; IntToStr(ebx)
004B65E1 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
004B65E4 |. E8 73D8F4FF |call 00403E5C ; length
004B65E9 |. 83F8 06 |cmp eax, 6
004B65EC |.^ 7E E3 \jle short 004B65D1
004B65EE |. 56 push esi ; result string
004B65EF |. 8D55 EC lea edx, dword ptr [ebp-14]
004B65F2 |. 8BC3 mov eax, ebx
004B65F4 |. E8 CB20F5FF call 004086C4 ; IntToStr(ebx)
004B65F9 |. 8B45 EC mov eax, dword ptr [ebp-14]
004B65FC |. B9 07000000 mov ecx, 7
004B6601 |. BA 01000000 mov edx, 1
004B6606 |. E8 59DAF4FF call 00404064 ; key = Copy(IntToStr(ebx), 1, 7), same as above
004B660B |> 33C0 xor eax, eax
004B660D |. 5A pop edx
004B660E |. 59 pop ecx
004B660F |. 59 pop ecx
004B6610 |. 64:8910 mov dword ptr fs:[eax], edx
004B6613 |. 68 2D664B00 push 004B662D
004B6618 |> 8D45 EC lea eax, dword ptr [ebp-14]
004B661B |. BA 05000000 mov edx, 5
004B6620 |. E8 DBD5F4FF call 00403C00
004B6625 \. C3 retn
004B6626 .^ E9 49D0F4FF jmp 00403674
004B662B .^ EB EB jmp short 004B6618
004B662D . 5E pop esi
004B662E . 5B pop ebx
004B662F . 8BE5 mov esp, ebp
004B6631 . 5D pop ebp
004B6632 . C3 retn
A working set of values:
Name: xiaohui
key: CZ
Registration code: 122311079
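The two listings above (the handler at 004B6634 and the key subroutine at 004B6530) are enough to write a keygen and to replay the full set of checks. The script below is an added example, not code from the crackme or its author. It assumes the combo-box order SD=0, LW=1, CZ=2 (the first two are stated in the listing comments, CZ=2 follows from `cmp eax, 2` at 004B6804 and the working values above), Latin-1 single-byte names as a Delphi AnsiString, and it adds an iteration guard the original does not have. All arithmetic is wrapped to signed 32 bits to match `imul`/`xor` in the disassembly.

```python
"""Keygen and check emulation for aCaFeeL's CrackMe V2, derived from the
disassembly (added example, not the crackme's own code)."""

# Combo-box order as given in the listing: SD=0, LW=1; CZ=2 follows from
# `cmp eax, 2` at 004B6804. Entries beyond index 2 are not shown on the page.
KEY_ITEMS = ["SD", "LW", "CZ"]


def to_i32(x: int) -> int:
    """Wrap to a signed 32-bit value, mirroring imul/xor on x86."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def compute_key(name: str) -> str:
    """Replay sub_004B6530: the 7-character key for `name`."""
    b = name.encode("latin-1")  # Delphi AnsiString: one byte per character
    if len(b) < 7:
        raise ValueError("sub_004B6530 reads name[0..6]; need at least 7 bytes")
    # 004B655C-004B658A: products of mirrored positions, summed
    acc = to_i32(b[0] * b[6] + b[1] * b[5] + b[2] * b[4])
    # 004B658C-004B6599: square (low 32 bits), then XOR with the middle byte
    v = to_i32(to_i32(acc * acc) ^ b[3])
    # 004B65AD / loop at 004B65D1: keep squaring until IntToStr(v) is longer
    # than 6 characters (a leading '-' counts). The 64-round guard is ours:
    # the original loops forever if v collapses to 0 or 1.
    for _ in range(64):
        if len(str(v)) > 6:
            return str(v)[:7]  # Copy(IntToStr(v), 1, 7)
        v = to_i32(v * v)
    raise RuntimeError("squaring loop does not terminate for this name")


def make_code(name: str) -> str:
    """Build a code accepted at 004B6793 for a 7-character name.

    The correct code is key + IntToStr(Length(name)) + IntToStr(Length(code)).
    With a 7-character key and Length(name) = 7, a length of 9 is consistent
    with itself (7 + 1 + 1) and also satisfies Pos('79', code) at 004B671E,
    so a valid code always ends in "79".
    """
    n = len(name.encode("latin-1"))
    if n != 7:
        raise ValueError("the checks at 004B666B/004B67F4 only pass a 7-character name")
    return compute_key(name) + str(n) + "9"


def check(name: str, code: str, key_index: int) -> bool:
    """Replay every test of the handler at 004B6634; True means 'Good Job'.

    key_index is the combo-box ItemIndex (-1 = nothing selected).
    """
    n = len(name.encode("latin-1"))
    if n <= 6:                      # 004B666B
        return False
    if not code or key_index < 0:   # 004B669D / 004B66D0: empty fields
        return False
    if n - key_index >= 6:          # 004B66FF
        return False
    if "79" not in code:            # 004B671E: Pos('79', code) > 0
        return False
    expected = compute_key(name) + str(n) + str(len(code))
    if code != expected:            # 004B6793
        return False
    if n - key_index <= 4:          # 004B67BF
        return False
    if n >= 8:                      # 004B67F4
        return False
    return key_index == 2           # 004B6804: CZ


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "xiaohui"
    serial = make_code(user)
    print(f"name={user} key=CZ code={serial} "
          f"ok={check(user, serial, KEY_ITEMS.index('CZ'))}")
```

Running it without arguments reproduces the working set above (xiaohui / CZ / 122311079). `check` is deliberately written as the same chain of early exits as the handler, so a failing input can be traced back to the address of the test that rejected it.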
by xiaohui_82[DCG]
--------------------------------------------------------------------------------
【Copyright】: Originally written for the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact. Thanks!
2006-12-15 16:22:48