#28
Quote, originally posted by Ryosuke: But when I run the crackme with the bug unfixed under OD, it will not start: a stack error with esp=0xffffffff appears. The error occurs inside CreateDialogParamA; without OD it runs fine. Once the bug is fixed the problem disappears.
004019B2 |. 50 push eax ; /pWndClassEx
004019B3 |. FF15 E4A04000 call dword ptr [<&USER32.RegisterClassExA>] ; \RegisterClassExA
0012FEAC 0012FEDC \pWndClassEx = 0012FEDC
0012FEB0 0040A218 riijjcra.0040A218
0012FEDC 30 00 00 00 00 00 00 00 90 16 40 00 00 00 00 00 0.......?@.....
00401690 . 56 push esi
00401691 . 8B7424 0C mov esi, dword ptr [esp+C]
00401695 . 8BC6 mov eax, esi
00401697 . 83E8 02 sub eax, 2 ; Switch (cases 2..10)
0040169A . 74 4D je short 004016E9
0040169C . 83E8 0E sub eax, 0E
0040169F . 74 37 je short 004016D8
004016A1 . A1 D8DD4000 mov eax, dword ptr [40DDD8] ; Default case of switch 00401697
004016A6 . 33D2 xor edx, edx
004016A8 . 40 inc eax
004016A9 . B9 05000000 mov ecx, 5
004016AE . A3 D8DD4000 mov dword ptr [40DDD8], eax
004016B3 . F7F1 div ecx
004016B5 . 85D2 test edx, edx
004016B7 75 05 jnz short 004016BE
004016B9 . E8 C2FFFFFF call 00401680 ******** the problem is right here ********
004016BE > 8B5424 14 mov edx, dword ptr [esp+14]
004016C2 . 8B4424 10 mov eax, dword ptr [esp+10]
004016C6 . 8B4C24 08 mov ecx, dword ptr [esp+8]
004016CA . 52 push edx ; /lParam
004016CB . 50 push eax ; |wParam
004016CC . 56 push esi ; |Message
004016CD . 51 push ecx ; |hWnd
004016CE . FF15 24A14000 call dword ptr [<&USER32.DefWindowProcA>] ; \DefWindowProcA
004016D4 . 5E pop esi
004016D5 . C2 1000 retn 10
004016D8 > 8B5424 08 mov edx, dword ptr [esp+8] ; Case 10 of switch 00401697
004016DC . 52 push edx ; /hWnd
004016DD . FF15 28A14000 call dword ptr [<&USER32.DestroyWindow>] ; \DestroyWindow
004016E3 . 33C0 xor eax, eax
004016E5 . 5E pop esi
004016E6 . C2 1000 retn 10
#31
The key anti-debug part:
The call at 004016A0 is the window procedure; CreateDialogParamA calls it back.
00401690 $ E8 4BFFFFFF call 004015E0 -> obtains "ntdll.dll" + "ZwQueryInformationProcess"
00401695 . E8 86FFFFFF call 00401620 -> checks for a debugger; just nop it out.
0040169A .^ E9 61FBFFFF jmp 00401200
0040169F 90 nop
004016A0 . 56 push esi
004016A1 . 8B7424 0C mov esi, dword ptr [esp+C]
004016A5 . 8BC6 mov eax, esi
004016A7 . 83E8 02 sub eax, 2 ; Switch (cases 2..10)
004016AA . 74 4D je short 004016F9
004016AC . 83E8 0E sub eax, 0E
004016AF . 74 37 je short 004016E8
004016B1 . A1 E0DD4000 mov eax, dword ptr [40DDE0] ; Default case of switch 004016A7
004016B6 . 33D2 xor edx, edx
004016B8 . 40 inc eax
004016B9 . B9 05000000 mov ecx, 5
004016BE . A3 E0DD4000 mov dword ptr [40DDE0], eax
004016C3 . F7F1 div ecx
004016C5 . 85D2 test edx, edx
004016C7 . 75 05 jnz short 004016CE
004016C9 . E8 C2FFFFFF call 00401690
004016CE > 8B5424 14 mov edx, dword ptr [esp+14]
004016D2 . 8B4424 10 mov eax, dword ptr [esp+10]
004016D6 . 8B4C24 08 mov ecx, dword ptr [esp+8]
004016DA . 52 push edx ; /lParam
004016DB . 50 push eax ; |wParam
004016DC . 56 push esi ; |Message
Entering 00401620, after removing the junk code:
00401620 $ 55 push ebp
00401621 . 8BEC mov ebp, esp
00401623 . 51 push ecx
00401624 90 nop
00401625 90 nop
00401626 90 nop
00401627 90 nop
00401628 90 nop
00401629 90 nop
0040162A . 64:A1 18000000 mov eax, dword ptr fs:[18]
00401630 . 8B40 30 mov eax, dword ptr [eax+30]
00401633 . 8945 FC mov dword ptr [ebp-4], eax
00401636 . 8B45 FC mov eax, dword ptr [ebp-4]
00401639 . 8A48 02 mov cl, byte ptr [eax+2] // the debug flag
0040163C . 84C9 test cl, cl
0040163E . 74 05 je short 00401645 -> must jump, otherwise it errors out
00401640 . E8 8BFBFFFF call 004011D0
00401645 > E8 96FEFFFF call 004014E0
0040164A . 8BE5 mov esp, ebp
0040164C . 5D pop ebp
0040164D . C3 retn
Then entering 004014E0, junk code removed:
004014E0 /$ 55 push ebp
004014E1 |. 8BEC mov ebp, esp
004014E3 |. 83EC 18 sub esp, 18
004014E6 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004014E9 |. 8D4D FC lea ecx, dword ptr [ebp-4]
004014EC |. 8945 E8 mov dword ptr [ebp-18], eax
004014EF |. 894D EC mov dword ptr [ebp-14], ecx
004014F2 |. 90 nop
004014F3 |. 90 nop
004014F4 |. 90 nop
004014F5 |. 90 nop
004014F6 |. 90 nop
004014F7 |. 90 nop
004014F8 |. 90 nop
004014F9 |. 90 nop
004014FA |. 90 nop
004014FB |. 90 nop
004014FC |. 90 nop
004014FD |. 90 nop
004014FE |. 68 A4DD4000 push 0040DDA4 ; ASCII "ntdll.dll"
00401503 |. E8 48010000 call 00401650
00401508 |. 8BC8 mov ecx, eax
0040150A |. 90 nop
0040150B |. 90 nop
0040150C |. 90 nop
0040150D |. 90 nop
0040150E |. 90 nop
0040150F |. 90 nop
00401510 |. 90 nop
00401511 |. 90 nop
00401512 |. 90 nop
00401513 |. 90 nop
00401514 |. 90 nop
00401515 |. 90 nop
00401516 |. 68 78DD4000 push 0040DD78 ; ASCII "ZwQueryInformationProcess"
0040151B |. 51 push ecx
0040151C |. E8 4F010000 call 00401670
00401521 |. 83C4 0C add esp, 0C
00401524 |. 8945 F4 mov dword ptr [ebp-C], eax
00401527 |. FF15 0CA04000 call dword ptr [<&KERNEL32.GetCurrentProcess>>; [GetCurrentProcess
0040152D |. 8945 F0 mov dword ptr [ebp-10], eax
00401530 |. C745 FC 00000000 mov dword ptr [ebp-4], 0
00401537 |. FF75 E8 push dword ptr [ebp-18]
0040153A |. 6A 04 push 4
0040153C |. FF75 EC push dword ptr [ebp-14]
0040153F |. 6A 07 push 7
00401541 |. FF75 F0 push dword ptr [ebp-10]
00401544 |. FF55 F4 call dword ptr [ebp-C]
Calling ZwQueryInformationProcess; the 7 clearly means it is fetching the DebugPort.
00401547 |. 8B45 FC mov eax, dword ptr [ebp-4]
0040154A |. 85C0 test eax, eax
0040154C |. 74 05 je short 00401553 must jump
0040154E |. E8 7DFCFFFF call 004011D0
00401553 |> E8 08FFFFFF call 00401460
00401558 |. 8BE5 mov esp, ebp
0040155A |. 5D pop ebp
0040155B \. C3 retn
Then entering 00401460, junk code removed:
00401460 /$ 55 push ebp
00401461 |. 8BEC mov ebp, esp
00401463 |. 83EC 10 sub esp, 10
00401466 |. 8925 A0DD4000 mov dword ptr [40DDA0], esp
0040146C |. 892D 9CDD4000 mov dword ptr [40DD9C], ebp
00401472 90 nop
00401473 90 nop
00401474 90 nop
00401475 90 nop
00401476 90 nop
00401477 90 nop
00401478 90 nop
00401479 90 nop
0040147A 90 nop
0040147B 90 nop
0040147C 90 nop
0040147D 90 nop
0040147E |. 68 A4DD4000 push 0040DDA4 ; ASCII "ntdll.dll"
00401483 |. E8 C8010000 call 00401650
00401488 |. 8BC8 mov ecx, eax
0040148A 90 nop
0040148B 90 nop
0040148C 90 nop
0040148D 90 nop
0040148E 90 nop
0040148F 90 nop
00401490 90 nop
00401491 90 nop
00401492 90 nop
00401493 90 nop
00401494 90 nop
00401495 90 nop
00401496 |. 68 78DD4000 push 0040DD78 ; ASCII "ZwQueryInformationProcess"
0040149B |. 51 push ecx
0040149C |. E8 CF010000 call 00401670
004014A1 |. 83C4 0C add esp, 0C
004014A4 |. 8945 F8 mov dword ptr [ebp-8], eax
004014A7 |. FF15 08A04000 call dword ptr [<&KERNEL32.GetCurrentThrea>; [GetCurrentThread
004014AD |. 8945 F4 mov dword ptr [ebp-C], eax
004014B0 |. 8D45 FC lea eax, dword ptr [ebp-4]
004014B3 |. C745 FC 00000000 mov dword ptr [ebp-4], 0
004014BA |. 8945 F0 mov dword ptr [ebp-10], eax
004014BD |. 6A 04 push 4
004014BF |. FF75 F0 push dword ptr [ebp-10]
004014C2 |. 6A 11 push 11
004014C4 |. FF75 F4 push dword ptr [ebp-C]
004014C7 |. FF55 F8 call dword ptr [ebp-8]
ZwQueryInformationProcess returns 0xC0000003, the query failed.
004014CA |. E8 A1FDFFFF call 00401270
004014CF |. 8B25 A0DD4000 mov esp, dword ptr [40DDA0]
004014D5 |. 8B2D 9CDD4000 mov ebp, dword ptr [40DD9C]
004014DB |. 8BE5 mov esp, ebp
004014DD |. 5D pop ebp
004014DE \. C3 retn
Entering 00401270:
00401270 $ 55 push ebp
00401271 . 8BEC mov ebp, esp
00401273 . 6A FF push -1
00401275 . 68 50A14000 push 0040A150
0040127A . 68 E81F4000 push 00401FE8 ; SE handler installation
0040127F . 64:A1 00000000 mov eax, dword ptr fs:[0]
00401285 . 50 push eax
00401286 . 64:8925 00000000 mov dword ptr fs:[0], esp
0040128D . 83EC 08 sub esp, 8
00401290 . 53 push ebx
00401291 . 56 push esi
00401292 . 57 push edi
00401293 . 8965 E8 mov dword ptr [ebp-18], esp
00401296 . C745 FC 00000000 mov dword ptr [ebp-4], 0
0040129D . 90 nop
0040129E . 90 nop
0040129F . 90 nop
004012A0 . 90 nop
004012A1 . 90 nop
004012A2 . 90 nop
004012A3 . 90 nop
004012A4 . 90 nop
004012A5 . 90 nop
004012A6 . 90 nop
004012A7 . 6A 00 push 0 ; /pArguments = NULL
004012A9 . 6A 00 push 0 ; |nArguments = 0
004012AB . 6A 00 push 0 ; |ExceptionFlags = EXCEPTION_CONTINUABLE
004012AD . 68 06000140 push 40010006 ; |ExceptionCode = 40010006
004012B2 . FF15 04A04000 call dword ptr [<&KERNEL32.RaiseException>] ; \RaiseException
004012B8 E8 13FFFFFF call 004011D0
This is the key point: under a debugger, RaiseException with exception code 0x40010006 does not go to the exception handler but falls straight through to this call 004011D0 and the program dies, so simply nop it out and it is done.
004012BD . EB 09 jmp short 004012C8
004012BF . B8 01000000 mov eax, 1
004012C4 . C3 retn
004012C5 . 8B65 E8 mov esp, dword ptr [ebp-18]
004012C8 > C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
004012CF . 8B4D F0 mov ecx, dword ptr [ebp-10]
004012D2 . 64:890D 00000000 mov dword ptr fs:[0], ecx
004012D9 . 5F pop edi
004012DA . 5E pop esi
004012DB . 5B pop ebx
004012DC . 8BE5 mov esp, ebp
004012DE . 5D pop ebp
004012DF . C3 retn
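As an added example (not from this thread or its author), a small Python triage helper that scans OllyDbg listing lines like the ones quoted in this post and flags the three primitives it walks through: the TEB->PEB->BeingDebugged read, the indirect ZwQueryInformationProcess call with its information class decoded, and the RaiseException code. The listing text is excerpted from the post's own dumps with intervening instructions omitted; the constant names come from the Windows SDK and `ntdll` headers, not from the page.

```python
import re

# Constructed sample: lines excerpted from the OllyDbg dumps quoted in this post (intervening
# instructions omitted), covering the three checks it walks through.
LISTING = r"""
0040162A . 64:A1 18000000 mov eax, dword ptr fs:[18]
00401630 . 8B40 30 mov eax, dword ptr [eax+30]
00401639 . 8A48 02 mov cl, byte ptr [eax+2]
00401516 |. 68 78DD4000 push 0040DD78 ; ASCII "ZwQueryInformationProcess"
00401537 |. FF75 E8 push dword ptr [ebp-18]
0040153A |. 6A 04 push 4
0040153C |. FF75 EC push dword ptr [ebp-14]
0040153F |. 6A 07 push 7
00401541 |. FF75 F0 push dword ptr [ebp-10]
00401544 |. FF55 F4 call dword ptr [ebp-C]
00401496 |. 68 78DD4000 push 0040DD78 ; ASCII "ZwQueryInformationProcess"
004014BD |. 6A 04 push 4
004014BF |. FF75 F0 push dword ptr [ebp-10]
004014C2 |. 6A 11 push 11
004014C4 |. FF75 F4 push dword ptr [ebp-C]
004014C7 |. FF55 F8 call dword ptr [ebp-8]
004012AD . 68 06000140 push 40010006
004012B2 . FF15 04A04000 call dword ptr [<&KERNEL32.RaiseException>]
"""

# groups: address, mnemonic, operands, optional ';' comment (flags and opcode bytes are skipped)
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+[^a-z]*?\b([a-z]+)\s*([^;]*?)\s*(?:;\s*(.*))?$")
DEBUG_CLASSES = {0x07: "ProcessDebugPort", 0x1E: "ProcessDebugObjectHandle", 0x1F: "ProcessDebugFlags"}
EXC_CODES = {0x40010006: "DBG_PRINTEXCEPTION_C, consumed by an attached debugger so the SEH handler never runs"}

def find_anti_debug(listing):
    ins = [m.groups() for m in map(LINE_RE.match, listing.strip().splitlines()) if m]
    hits, nqip_armed = [], False
    for i, (addr, mnem, ops, comment) in enumerate(ins):
        # TEB (fs:[18]) -> PEB (+30) -> BeingDebugged (+2) within the next few instructions
        window = " ".join(o for _, _, o, _ in ins[i + 1:i + 6])
        if mnem == "mov" and "fs:[18]" in ops and "+2]" in window.partition("+30]")[2]:
            hits.append((addr, "PEB.BeingDebugged read"))
        if comment and "QueryInformationProcess" in comment:
            nqip_armed = True   # the resolved pointer is reached through a later indirect call
        if mnem == "call":
            k = i
            while k and ins[k - 1][1] == "push":
                k -= 1
            # args are pushed right to left, so the last push is the first argument; bare hex = immediate
            args = [int(p[2], 16) if re.fullmatch(r"[0-9A-F]+", p[2]) else None for p in ins[k:i]]
            if nqip_armed and "ptr [" in ops and len(args) >= 2 and args[-2] is not None:  # 2nd arg = class
                hits.append((addr, "NtQueryInformationProcess(%s)" % DEBUG_CLASSES.get(args[-2], "class 0x%X, not a debugger class" % args[-2])))
                nqip_armed = False
            if "RaiseException" in ops and args and args[-1] is not None:  # first argument = ExceptionCode
                hits.append((addr, "RaiseException(%s)" % EXC_CODES.get(args[-1], "0x%08X" % args[-1])))
    return hits
```

Run against the sample it reports the BeingDebugged read at 0040162A, the ProcessDebugPort query at 00401544, the class 0x11 query at 004014C7 as not debugger-related, and the DBG_PRINTEXCEPTION_C raise at 004012B2.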
#32
http://bbs.pediy.com/showthread.php?s=&threadid=38125
#33
Floating-point arithmetic really is hard to deal with!
Name:AJISky
Serial:B850BEFC46DA9140B68FCB818B1F86C084E702195B269DC0A21C10126DAA6FC0
Serial:AF85605C4123854088B4CEBFE12A7AC06B7286EB474091C01E9A1687EEBA62C0
Two serials were obtained, so Name and Serial are evidently not in one-to-one correspondence.
However, on Win7 and Win8 this CM gives no response when the serials above are entered; I don't know why and haven't looked into the cause yet, probably a bug.
Analysis write-up: http://bbs.pediy.com/showthread.php?t=161825