Post #6
Actually this CM isn't hard. I just downloaded it and got through two levels easily; I'll fill in the rest later.
00441CD2 /74 06 JE SHORT CrackMe_.00441CDA
Change this instruction to the following and the dialog is gone:
00441CD2 /74 06 jmp 00441cf7
Below is a long stretch of plaintext comparisons (far too easy):
0044C3D5 |. E8 9A76FBFF CALL CrackMe_.00403A74
0044C3DA |. 83F8 0C CMP EAX,0C
0044C3DD |. 0F85 53010000 JNZ CrackMe_.0044C536
0044C3E3 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0044C3E6 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C3EC |. E8 3394FDFF CALL CrackMe_.00425824
0044C3F1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0044C3F4 |. 8038 43 CMP BYTE PTR DS:[EAX],43
0044C3F7 |. 0F85 27010000 JNZ CrackMe_.0044C524
0044C3FD |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0044C400 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C406 |. E8 1994FDFF CALL CrackMe_.00425824
0044C40B |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0044C40E |. 8078 03 6F CMP BYTE PTR DS:[EAX+3],6F
0044C412 |. 0F85 0C010000 JNZ CrackMe_.0044C524
0044C418 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0044C41B |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C421 |. E8 FE93FDFF CALL CrackMe_.00425824
0044C426 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0044C429 |. 8078 08 6F CMP BYTE PTR DS:[EAX+8],6F
0044C42D |. 0F85 F1000000 JNZ CrackMe_.0044C524
0044C433 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
0044C436 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C43C |. E8 E393FDFF CALL CrackMe_.00425824
0044C441 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0044C444 |. 8078 01 6C CMP BYTE PTR DS:[EAX+1],6C
0044C448 |. 0F85 D6000000 JNZ CrackMe_.0044C524
0044C44E |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0044C451 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C457 |. E8 C893FDFF CALL CrackMe_.00425824
0044C45C |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0044C45F |. 8078 04 20 CMP BYTE PTR DS:[EAX+4],20
0044C463 |. 0F85 BB000000 JNZ CrackMe_.0044C524
0044C469 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0044C46C |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C472 |. E8 AD93FDFF CALL CrackMe_.00425824
0044C477 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0044C47A |. 8078 0A 52 CMP BYTE PTR DS:[EAX+A],52
0044C47E |. 0F85 A0000000 JNZ CrackMe_.0044C524
0044C484 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0044C487 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C48D |. E8 9293FDFF CALL CrackMe_.00425824
0044C492 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0044C495 |. 8078 07 75 CMP BYTE PTR DS:[EAX+7],75
0044C499 |. 0F85 85000000 JNZ CrackMe_.0044C524
0044C49F |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0044C4A2 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4A8 |. E8 7793FDFF CALL CrackMe_.00425824
0044C4AD |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0044C4B0 |. 8078 09 6E CMP BYTE PTR DS:[EAX+9],6E
0044C4B4 |. 75 6E JNZ SHORT CrackMe_.0044C524
0044C4B6 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0044C4B9 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4BF |. E8 6093FDFF CALL CrackMe_.00425824
0044C4C4 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0044C4C7 |. 8078 02 6E CMP BYTE PTR DS:[EAX+2],6E
0044C4CB |. 75 57 JNZ SHORT CrackMe_.0044C524
0044C4CD |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0044C4D0 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4D6 |. E8 4993FDFF CALL CrackMe_.00425824
0044C4DB |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0044C4DE |. 8078 05 69 CMP BYTE PTR DS:[EAX+5],69
0044C4E2 |. 75 40 JNZ SHORT CrackMe_.0044C524
0044C4E4 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0044C4E7 |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C4ED |. E8 3293FDFF CALL CrackMe_.00425824
0044C4F2 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
0044C4F5 |. 8078 0B 6E CMP BYTE PTR DS:[EAX+B],6E
0044C4F9 |. 75 29 JNZ SHORT CrackMe_.0044C524
0044C4FB |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0044C4FE |. 8B83 E8020000 MOV EAX,DWORD PTR DS:[EBX+2E8]
0044C504 |. E8 1B93FDFF CALL CrackMe_.00425824
0044C509 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0044C50C |. 8078 06 67 CMP BYTE PTR DS:[EAX+6],67
So the second level is finished easily; the password is: Clno iguonRn
Post #7
【Title】CrackMe Nr.7 Simple Algorithm Analysis
【Author】hrbx
【Homepage】hrbx.ys168.com
【E-mail】hrbx@163.com
【Platform】WinXP
【Tools】flyOD1.10, PEiD
【Date】2006-05-29
【Software】CrackMe Nr.7
【Size】383KB
【Download】see attachment
【Packer】none
【Description】CrackMe Nr.7
-----------------------------------------------------------------------------------------------
【Statement】I'm just a little newbie; I've picked up a few insights and would like to share them with everyone :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Check for a packer. Scanning with PEiD shows: Borland Delphi 4.0 - 5.0, no packer.
2. Run the CrackMe. It has 5 levels: Nag, Password, Serial, CheckBox, TrackBar.
3. Let's take them one at a time.
3-1. Removing the startup Nag.
Load the CrackMe in OD, set a breakpoint from the command bar: bp MessageBoxA, press Enter, F9 to run, it breaks:
77D36476 u> 833D D0C3D677 00 cmp dword ptr ds:[77D6C3D0],0
77D3647D 0F85 885B0100 jnz user32.77D4C00B
77D36483 6A 00 push 0
77D36485 FF7424 14 push dword ptr ss:[esp+14]
The stack window helpfully shows:
0012FF20 00441CF7 /CALL 到 MessageBoxA 来自 CrackMe_.00441CF2
0012FF24 000805FE |hOwner = 000805FE ('Crackme_7',class='TApplication')
0012FF28 00A93544 |Text = "Hello, I'm a NAG.Please kill me...."
0012FF2C 00A93578 |Title = "Sorry..."
0012FF30 00000000 \Style = MB_OK|MB_APPLMODAL
0012FF34 0012FFA8 指针到下一个 SEH 记录
0012FF38 00441D59 SE 句柄
Alt+F9 to return; the Nag window pops up; click the "OK" button and we arrive at:
00441CF1 |. 50 push eax
00441CF2 |. E8 5946FCFF call <jmp.&user32.MessageBoxA>
00441CF7 |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; Alt+F9 returns here
00441CFA |. 33C0 xor eax,eax
00441CFC |. 5A pop edx
A few F8 steps, past the retn, and we arrive at:
0044D09C . 59 pop ecx
0044D09D E8 724BFFFF call CrackMe_.00441C14 ; calls the Nag form, NOP it out
0044D0A2 . A1 A0ED4400 mov eax,dword ptr ds:[44EDA0] ; F8 until here
0044D0A7 . 8B00 mov eax,dword ptr ds:[eax]
0044D0A9 . E8 7649FFFF call CrackMe_.00441A24
0044D0AE . A1 A0ED4400 mov eax,dword ptr ds:[44EDA0]
NOP out the call at 0044D09D and the startup Nag is gone.
3-2. Finding the Password.
Load the CrackMe in OD, right-click -- Ultra String Reference -- Find ASCII, search for "right password",
double-click the hit and we arrive at:
0044C512 |. BA 78C54400 mov edx,CrackMe_.0044C578 ; right password, double-clicking lands here
0044C517 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C51D |. E8 3293FDFF call CrackMe_.00425854
0044C522 |. EB 22 jmp short CrackMe_.0044C546
0044C524 |> BA 90C54400 mov edx,CrackMe_.0044C590 ; wrong password
Scroll up to 0044C3A4 and set a breakpoint with F2, Ctrl+F2 to reload the CrackMe, F9 to run, enter a Password:
==========================
Password:9876543210
==========================
Click the "Check" label and it breaks immediately:
0044C3A4 /. 55 push ebp ; F2 breakpoint here; once it breaks, step down with F8
0044C3A5 |. 8BEC mov ebp,esp
0044C3A7 |. B9 06000000 mov ecx,6
0044C3AC |> 6A 00 /push 0
0044C3AE |. 6A 00 |push 0
0044C3B0 |. 49 |dec ecx
0044C3B1 |.^ 75 F9 \jnz short CrackMe_.0044C3AC
0044C3B3 |. 53 push ebx
0044C3B4 |. 8BD8 mov ebx,eax
0044C3B6 |. 33C0 xor eax,eax
0044C3B8 |. 55 push ebp
0044C3B9 |. 68 61C54400 push CrackMe_.0044C561
0044C3BE |. 64:FF30 push dword ptr fs:[eax]
0044C3C1 |. 64:8920 mov dword ptr fs:[eax],esp
0044C3C4 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0044C3C7 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C3CD |. E8 5294FDFF call CrackMe_.00425824
0044C3D2 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; fake password "9876543210"
0044C3D5 |. E8 9A76FBFF call CrackMe_.00403A74 ; get the fake password length, EAX=0xA
0044C3DA |. 83F8 0C cmp eax,0C ; compare the fake password length with 0xC
0044C3DD |. 0F85 53010000 jnz CrackMe_.0044C536 ; not equal means game over; patch point 1, NOP it out
0044C3E3 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0044C3E6 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C3EC |. E8 3394FDFF call CrackMe_.00425824
0044C3F1 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; fake password "9876543210"
0044C3F4 |. 8038 43 cmp byte ptr ds:[eax],43 ; compare the 1st char of the fake password with 0x43('C')
0044C3F7 |. 0F85 27010000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 2, NOP it out
0044C3FD |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0044C400 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C406 |. E8 1994FDFF call CrackMe_.00425824
0044C40B |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0044C40E |. 8078 03 6F cmp byte ptr ds:[eax+3],6F ; compare the 4th char of the fake password with 0x6F('o')
0044C412 |. 0F85 0C010000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 3, NOP it out
0044C418 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0044C41B |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C421 |. E8 FE93FDFF call CrackMe_.00425824
0044C426 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0044C429 |. 8078 08 6F cmp byte ptr ds:[eax+8],6F ; compare the 9th char of the fake password with 0x6F('o')
0044C42D |. 0F85 F1000000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 4, NOP it out
0044C433 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0044C436 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C43C |. E8 E393FDFF call CrackMe_.00425824
0044C441 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044C444 |. 8078 01 6C cmp byte ptr ds:[eax+1],6C ; compare the 2nd char of the fake password with 0x6C('l')
0044C448 |. 0F85 D6000000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 5, NOP it out
0044C44E |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
0044C451 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C457 |. E8 C893FDFF call CrackMe_.00425824
0044C45C |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0044C45F |. 8078 04 20 cmp byte ptr ds:[eax+4],20 ; compare the 5th char of the fake password with 0x20(' ')
0044C463 |. 0F85 BB000000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 6, NOP it out
0044C469 |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0044C46C |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C472 |. E8 AD93FDFF call CrackMe_.00425824
0044C477 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0044C47A |. 8078 0A 52 cmp byte ptr ds:[eax+A],52 ; compare the 11th char of the fake password with 0x52('R')
0044C47E |. 0F85 A0000000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 7, NOP it out
0044C484 |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0044C487 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C48D |. E8 9293FDFF call CrackMe_.00425824
0044C492 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0044C495 |. 8078 07 75 cmp byte ptr ds:[eax+7],75 ; compare the 8th char of the fake password with 0x75('u')
0044C499 |. 0F85 85000000 jnz CrackMe_.0044C524 ; not equal means game over; patch point 8, NOP it out
0044C49F |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0044C4A2 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4A8 |. E8 7793FDFF call CrackMe_.00425824
0044C4AD |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0044C4B0 |. 8078 09 6E cmp byte ptr ds:[eax+9],6E ; compare the 10th char of the fake password with 0x6E('n')
0044C4B4 |. 75 6E jnz short CrackMe_.0044C524 ; not equal means game over; patch point 9, NOP it out
0044C4B6 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
0044C4B9 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4BF |. E8 6093FDFF call CrackMe_.00425824
0044C4C4 |. 8B45 DC mov eax,dword ptr ss:[ebp-24]
0044C4C7 |. 8078 02 6E cmp byte ptr ds:[eax+2],6E ; compare the 3rd char of the fake password with 0x6E('n')
0044C4CB |. 75 57 jnz short CrackMe_.0044C524 ; not equal means game over; patch point 10, NOP it out
0044C4CD |. 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0044C4D0 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4D6 |. E8 4993FDFF call CrackMe_.00425824
0044C4DB |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0044C4DE |. 8078 05 69 cmp byte ptr ds:[eax+5],69 ; compare the 6th char of the fake password with 0x69('i')
0044C4E2 |. 75 40 jnz short CrackMe_.0044C524 ; not equal means game over; patch point 11, NOP it out
0044C4E4 |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0044C4E7 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4ED |. E8 3293FDFF call CrackMe_.00425824
0044C4F2 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0044C4F5 |. 8078 0B 6E cmp byte ptr ds:[eax+B],6E ; compare the 12th char of the fake password with 0x6E('n')
0044C4F9 |. 75 29 jnz short CrackMe_.0044C524 ; not equal means game over; patch point 12, NOP it out
0044C4FB |. 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0044C4FE |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C504 |. E8 1B93FDFF call CrackMe_.00425824
0044C509 |. 8B45 D0 mov eax,dword ptr ss:[ebp-30]
0044C50C |. 8078 06 67 cmp byte ptr ds:[eax+6],67 ; compare the 7th char of the fake password with 0x67('g')
0044C510 |. 75 12 jnz short CrackMe_.0044C524 ; not equal means game over; patch point 13, NOP it out
0044C512 |. BA 78C54400 mov edx,CrackMe_.0044C578 ; right password
0044C517 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C51D |. E8 3293FDFF call CrackMe_.00425854
0044C522 |. EB 22 jmp short CrackMe_.0044C546
0044C524 |> BA 90C54400 mov edx,CrackMe_.0044C590 ; wrong password
0044C529 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C52F |. E8 2093FDFF call CrackMe_.00425854
0044C534 |. EB 10 jmp short CrackMe_.0044C546
0044C536 |> BA 90C54400 mov edx,CrackMe_.0044C590 ; wrong password
0044C53B |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C541 |. E8 0E93FDFF call CrackMe_.00425854
0044C546 |> 33C0 xor eax,eax
0044C548 |. 5A pop edx
0044C549 |. 59 pop ecx
The program compares each character of the entered Password against a fixed character; if they all match, it passes. The Password is the fixed value: Clno iguonRn.
3-3. Simple analysis of the Serial algorithm.
Load the CrackMe in OD, right-click -- Ultra String Reference -- Find ASCII, search for "You have found the correct Serial :)",
double-click the hit and we arrive at:
0044C763 |. BA CCC74400 mov edx,CrackMe_.0044C7CC ; you have found the correct serial :)
0044C768 |. E8 E790FDFF call CrackMe_.00425854
0044C76D |> 33C0 xor eax,eax
Scroll up to 0044C648 and set a breakpoint with F2, Ctrl+F2 to reload the CrackMe, F9 to run, enter the registration info:
==========================
Name:hrbxhui
Company:h2h Studios
Serial:9876543210
==========================
Click the "Check" label and it breaks immediately:
0044C648 /. 55 push ebp ; F2 breakpoint here; once it breaks, step down with F8
0044C649 |. 8BEC mov ebp,esp
0044C64B |. 83C4 F8 add esp,-8
0044C64E |. 53 push ebx
0044C64F |. 56 push esi
0044C650 |. 33C9 xor ecx,ecx
0044C652 |. 894D F8 mov dword ptr ss:[ebp-8],ecx
0044C655 |. 8BF0 mov esi,eax
0044C657 |. 33C0 xor eax,eax
0044C659 |. 55 push ebp
0044C65A |. 68 83C74400 push CrackMe_.0044C783
0044C65F |. 64:FF30 push dword ptr fs:[eax]
0044C662 |. 64:8920 mov dword ptr fs:[eax],esp
0044C665 |. 33C0 xor eax,eax
0044C667 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0044C66A |. A1 80F84400 mov eax,dword ptr ds:[44F880]
0044C66F |. E8 0074FBFF call CrackMe_.00403A74 ; get the username length, EAX=7
0044C674 |. 83F8 06 cmp eax,6 ; compare the username length with 6
0044C677 |. 0F8E F0000000 jle CrackMe_.0044C76D ; less or equal means game over; patch point 1, NOP it out
0044C67D |. A1 80F84400 mov eax,dword ptr ds:[44F880]
0044C682 |. E8 ED73FBFF call CrackMe_.00403A74 ; get the username length, EAX=7
0044C687 |. 83F8 14 cmp eax,14 ; compare the username length with 0x14 (20)
0044C68A |. 0F8D DD000000 jge CrackMe_.0044C76D ; greater or equal means game over; patch point 2, NOP it out
0044C690 |. A1 80F84400 mov eax,dword ptr ds:[44F880]
0044C695 |. E8 DA73FBFF call CrackMe_.00403A74
0044C69A |. 85C0 test eax,eax
0044C69C |. 7E 17 jle short CrackMe_.0044C6B5
0044C69E |. BA 01000000 mov edx,1
0044C6A3 |> 8B0D 80F84400 /mov ecx,dword ptr ds:[44F880] ; username "hrbxhui"
0044C6A9 |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1] ; take the ASCII value of each username character in turn
0044C6AE |. 014D FC |add dword ptr ss:[ebp-4],ecx ; accumulate the ASCII values of all username characters
0044C6B1 |. 42 |inc edx ; the accumulated ASCII sum is 0x2FA (762)
0044C6B2 |. 48 |dec eax
0044C6B3 |.^ 75 EE \jnz short CrackMe_.0044C6A3
0044C6B5 |> A1 84F84400 mov eax,dword ptr ds:[44F884]
0044C6BA |. E8 B573FBFF call CrackMe_.00403A74 ; get the company name length, EAX=0xB
0044C6BF |. 83F8 02 cmp eax,2 ; compare the company name length with 2
0044C6C2 |. 7E 18 jle short CrackMe_.0044C6DC ; less or equal means game over; patch point 3, NOP it out
0044C6C4 |. A1 84F84400 mov eax,dword ptr ds:[44F884]
0044C6C9 |. E8 A673FBFF call CrackMe_.00403A74 ; get the company name length, EAX=0xB
0044C6CE |. 83F8 08 cmp eax,8 ; compare the company name length with 8
0044C6D1 |. 7D 09 jge short CrackMe_.0044C6DC ; greater or equal jumps
0044C6D3 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; if the company name length is less than 8
0044C6D6 |. 6BC0 02 imul eax,eax,2 ; then multiply the company name length by 2, EAX=EAX*2
0044C6D9 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0044C6DC |> 68 98C74400 push CrackMe_.0044C798 ; i love cracking and
0044C6E1 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0044C6E4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0044C6E7 |. E8 68B0FBFF call CrackMe_.00407754 ; convert the accumulated ASCII sum to a decimal string
0044C6EC |. FF75 F8 push dword ptr ss:[ebp-8] ; 0x2FA (762) --> "762"
0044C6EF |. 68 B8C74400 push CrackMe_.0044C7B8 ; girls ;)
0044C6F4 |. B8 8CF84400 mov eax,CrackMe_.0044F88C ; concatenated into the string str1 "I Love Cracking and 762 Girls ;)"
0044C6F9 |. BA 03000000 mov edx,3
0044C6FE |. E8 3174FBFF call CrackMe_.00403B34
0044C703 |. 33C0 xor eax,eax
0044C705 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0044C708 |. A1 88F84400 mov eax,dword ptr ds:[44F888]
0044C70D |. E8 6273FBFF call CrackMe_.00403A74 ; get the length of the fake serial "9876543210", EAX=0xA (10)
0044C712 |. 8BD8 mov ebx,eax ; EBX=EAX=0xA
0044C714 |. A1 8CF84400 mov eax,dword ptr ds:[44F88C]
0044C719 |. E8 5673FBFF call CrackMe_.00403A74 ; get the length of str1, EAX=0x20 (32)
0044C71E |. 3BD8 cmp ebx,eax ; compare whether the fake serial and the string have equal lengths
0044C720 |. 75 4B jnz short CrackMe_.0044C76D ; not equal means game over; patch point 4, NOP it out
0044C722 |. A1 88F84400 mov eax,dword ptr ds:[44F888]
0044C727 |. E8 4873FBFF call CrackMe_.00403A74
0044C72C |. 85C0 test eax,eax
0044C72E |. 7E 27 jle short CrackMe_.0044C757
0044C730 |. BA 01000000 mov edx,1
0044C735 |> 8B0D 88F84400 /mov ecx,dword ptr ds:[44F888] ; fake serial "9876543210" length
0044C73B |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1] ; take the ASCII value of each fake serial character in turn
0044C740 |. 034D FC |add ecx,dword ptr ss:[ebp-4] ; add the value at ss:[ebp-4] to the character's ASCII value
0044C743 |. 8B1D 8CF84400 |mov ebx,dword ptr ds:[44F88C] ; string str1 "I Love Cracking and 762 Girls ;)"
0044C749 |. 0FB65C13 FF |movzx ebx,byte ptr ds:[ebx+edx-1] ; take the ASCII value of each str1 character in turn
0044C74E |. 2BCB |sub ecx,ebx ; subtract the ASCII value of the character taken from str1 in turn
0044C750 |. 894D FC |mov dword ptr ss:[ebp-4],ecx ; store the difference in ss:[ebp-4]
0044C753 |. 42 |inc edx
0044C754 |. 48 |dec eax
0044C755 |.^ 75 DE \jnz short CrackMe_.0044C735
0044C757 |> 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; check whether the value at ss:[ebp-4] is 0
0044C75B |. 75 10 jnz short CrackMe_.0044C76D ; not equal means game over; patch point 5, NOP it out
0044C75D |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0044C763 |. BA CCC74400 mov edx,CrackMe_.0044C7CC ; you have found the correct serial :)
0044C768 |. E8 E790FDFF call CrackMe_.00425854
The username and company lengths are restricted; the ASCII values of the username characters are summed, the result is concatenated with fixed strings, and that is compared with the entered serial.
3-4. A tour of the heart-shaped CheckBoxes. Since the CrackMe is written in Delphi, let's analyze it with DeDe.
Load the CrackMe in DeDe; it's easy to find SpeedButton3Click, which corresponds to the CheckBoxes. Double-click it to arrive at:
0044C7F4 55 push ebp
0044C7F5 8BEC mov ebp, esp
0044C7F7 6A00 push $00
0044C7F9 53 push ebx
0044C7FA 8BD8 mov ebx, eax
0044C7FC 33C0 xor eax, eax
0044C7FE 55 push ebp
* Possible String Reference to: '?i?腽[Y]?
|
0044C7FF 6820C94400 push $0044C920
***** TRY
|
0044C804 64FF30 push dword ptr fs:[eax]
0044C807 648920 mov fs:[eax], esp
* Reference to control TForm1.cb3 : TCheckBox <====CheckBox3
|
0044C80A 8B8324030000 mov eax, [ebx+$0324]
0044C810 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C812 FF92B8000000 call dword ptr [edx+$00B8]
0044C818 84C0 test al, al
0044C81A 0F84CD000000 jz 0044C8ED
* Reference to control TForm1.cb5 : TCheckBox <====CheckBox5
|
0044C820 8B8328030000 mov eax, [ebx+$0328]
0044C826 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C828 FF92B8000000 call dword ptr [edx+$00B8]
0044C82E 84C0 test al, al
0044C830 0F84B7000000 jz 0044C8ED
* Reference to control TForm1.cb6 : TCheckBox <====CheckBox6
|
0044C836 8B832C030000 mov eax, [ebx+$032C]
0044C83C 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C83E FF92B8000000 call dword ptr [edx+$00B8]
0044C844 84C0 test al, al
0044C846 0F84A1000000 jz 0044C8ED
* Reference to control TForm1.cb12 : TCheckBox <====CheckBox12
|
0044C84C 8B8358030000 mov eax, [ebx+$0358]
0044C852 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C854 FF92B8000000 call dword ptr [edx+$00B8]
0044C85A 84C0 test al, al
0044C85C 0F848B000000 jz 0044C8ED
* Reference to control TForm1.cb15 : TCheckBox <====CheckBox15
|
0044C862 8B8364030000 mov eax, [ebx+$0364]
0044C868 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C86A FF92B8000000 call dword ptr [edx+$00B8]
0044C870 84C0 test al, al
0044C872 7479 jz 0044C8ED
* Reference to control TForm1.cb20 : TCheckBox <====CheckBox20
|
0044C874 8B8330030000 mov eax, [ebx+$0330]
0044C87A 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C87C FF92B8000000 call dword ptr [edx+$00B8]
0044C882 84C0 test al, al
0044C884 7467 jz 0044C8ED
* Reference to control TForm1.cb9 : TCheckBox <====CheckBox9
|
0044C886 8B834C030000 mov eax, [ebx+$034C]
0044C88C 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C88E FF92B8000000 call dword ptr [edx+$00B8]
0044C894 84C0 test al, al
0044C896 7455 jz 0044C8ED
* Reference to control TForm1.cb11 : TCheckBox <====CheckBox11
|
0044C898 8B8354030000 mov eax, [ebx+$0354]
0044C89E 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C8A0 FF92B8000000 call dword ptr [edx+$00B8]
0044C8A6 84C0 test al, al
0044C8A8 7443 jz 0044C8ED
* Reference to control TForm1.cb13 : TCheckBox <====CheckBox13
|
0044C8AA 8B835C030000 mov eax, [ebx+$035C]
0044C8B0 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C8B2 FF92B8000000 call dword ptr [edx+$00B8]
0044C8B8 84C0 test al, al
0044C8BA 7431 jz 0044C8ED
* Reference to control TForm1.cb19 : TCheckBox <====CheckBox19
|
0044C8BC 8B833C030000 mov eax, [ebx+$033C]
0044C8C2 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C8C4 FF92B8000000 call dword ptr [edx+$00B8]
0044C8CA 84C0 test al, al
0044C8CC 741F jz 0044C8ED
0044C8CE 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '条舾鲼辚螭哨榔材驸忸噤抖' <==== encrypted success message "You are a GOOD Cracker!!"
|
0044C8D1 BA34C94400 mov edx, $0044C934
* Reference to: System.Proc_00403890
|
0044C8D6 E8B56FFBFF call 00403890
0044C8DB 8D45FC lea eax, [ebp-$04]
* Reference to: crack.Proc_0044BF00
|
0044C8DE E81DF6FFFF call 0044BF00
0044C8E3 8B45FC mov eax, [ebp-$04]
* Reference to: dialogs.ShowMessage(AnsiString);
|
0044C8E6 E80989FFFF call 004451F4
0044C8EB EB1D jmp 0044C90A
0044C8ED 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '?骝琛?帙?赙甬?ろ?铊?' <==== encrypted failure message "Sorry,but this is wrong!"
|
0044C8F0 BA58C94400 mov edx, $0044C958
* Reference to: System.Proc_00403890
|
0044C8F5 E8966FFBFF call 00403890
0044C8FA 8D45FC lea eax, [ebp-$04]
* Reference to: crack.Proc_0044BF00
|
0044C8FD E8FEF5FFFF call 0044BF00
0044C902 8B45FC mov eax, [ebp-$04]
* Reference to: dialogs.ShowMessage(AnsiString);
|
0044C905 E8EA88FFFF call 004451F4
0044C90A 33C0 xor eax, eax
0044C90C 5A pop edx
0044C90D 59 pop ecx
0044C90E 59 pop ecx
0044C90F 648910 mov fs:[eax], edx
****** FINALLY
DeDe has already made it quite clear: 10 CheckBoxes need to be checked.
Load the CrackMe in OD, Ctrl+G, enter 0044C7F4, press Enter, go straight to 0044C7F4 and set an F2 breakpoint, F9 to run, click the CheckBoxes one at a time until you get the jump at 0044C81A to go through;
the CheckBox just clicked is then CheckBox3. Next, just get the jump at 0044C830 to go through as well, and all the other CheckBoxes can be inferred.
0044C7F4 /. 55 push ebp
0044C7F5 |. 8BEC mov ebp,esp
0044C7F7 |. 6A 00 push 0
0044C7F9 |. 53 push ebx
0044C7FA |. 8BD8 mov ebx,eax
0044C7FC |. 33C0 xor eax,eax
0044C7FE |. 55 push ebp
0044C7FF |. 68 20C94400 push CrackMe_.0044C920
0044C804 |. 64:FF30 push dword ptr fs:[eax]
0044C807 |. 64:8920 mov dword ptr fs:[eax],esp
0044C80A |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
0044C810 |. 8B10 mov edx,dword ptr ds:[eax]
0044C812 |. FF92 B8000000 call dword ptr ds:[edx+B8] ; check whether CheckBox3 is checked
0044C818 |. 84C0 test al,al
0044C81A |. 0F84 CD000000 je CrackMe_.0044C8ED ; patch point 1, NOP it out
0044C820 |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
0044C826 |. 8B10 mov edx,dword ptr ds:[eax]
0044C828 |. FF92 B8000000 call dword ptr ds:[edx+B8] ; check whether CheckBox5 is checked
0044C82E |. 84C0 test al,al
0044C830 |. /0F84 B7000000 je CrackMe_.0044C8ED ; patch point 2, NOP it out
0044C836 |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
0044C83C |. 8B10 mov edx,dword ptr ds:[eax]
Take the upper CheckBox in the first column of the heart as number 1 and number them 1 to 20 clockwise.
Checking the CheckBoxes numbered 3, 5, 6, 9, 11, 12, 13, 15, 19, 20 passes the level.
3-5. TrackBar floating-point arithmetic. Likewise, DeDe analysis shows that the TrackBar corresponds to SpeedButton4Click.
The event for TForm1.SpeedButton4Click is:
0044CB40 E807F6FFFF call 0044C14C
Load the CrackMe in OD, Ctrl+G, enter 0044C14C, press Enter, go straight to 0044C14C and set an F2 breakpoint, F9 to run,
drag the TrackBars in turn so the Serial reads 12345, click the "Check" label and it breaks immediately:
0044C14C /$ 55 push ebp
0044C14D |. 8BEC mov ebp,esp
0044C14F |. 83C4 98 add esp,-68
0044C152 |. 53 push ebx
0044C153 |. 33D2 xor edx,edx
0044C155 |. 8955 C4 mov dword ptr ss:[ebp-3C],edx
0044C158 |. 8955 FC mov dword ptr ss:[ebp-4],edx
0044C15B |. 8955 F8 mov dword ptr ss:[ebp-8],edx
0044C15E |. 8BD8 mov ebx,eax
0044C160 |. 33C0 xor eax,eax
0044C162 |. 55 push ebp
0044C163 |. 68 44C34400 push CrackMe_.0044C344
0044C168 |. 64:FF30 push dword ptr fs:[eax]
0044C16B |. 64:8920 mov dword ptr fs:[eax],esp
0044C16E |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C171 |. 8B83 80030000 mov eax,dword ptr ds:[ebx+380]
0044C177 |. E8 A896FDFF call CrackMe_.00425824
0044C17C |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C17F |. E8 B0C0FBFF call CrackMe_.00408234
0044C184 |. DD5D E8 fstp qword ptr ss:[ebp-18] ; 1st number 1.0
0044C187 |. 9B wait
0044C188 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C18B |. 8B83 98030000 mov eax,dword ptr ds:[ebx+398]
0044C191 |. E8 8E96FDFF call CrackMe_.00425824
0044C196 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C199 |. E8 96C0FBFF call CrackMe_.00408234
0044C19E |. DD5D E0 fstp qword ptr ss:[ebp-20] ; 2nd number 2.0
0044C1A1 |. 9B wait
0044C1A2 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C1A5 |. 8B83 9C030000 mov eax,dword ptr ds:[ebx+39C]
0044C1AB |. E8 7496FDFF call CrackMe_.00425824
0044C1B0 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C1B3 |. E8 7CC0FBFF call CrackMe_.00408234
0044C1B8 |. DD5D D8 fstp qword ptr ss:[ebp-28] ; 3rd number 3.0
0044C1BB |. 9B wait
0044C1BC |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C1BF |. 8B83 A0030000 mov eax,dword ptr ds:[ebx+3A0]
0044C1C5 |. E8 5A96FDFF call CrackMe_.00425824
0044C1CA |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C1CD |. E8 62C0FBFF call CrackMe_.00408234
0044C1D2 |. DD5D D0 fstp qword ptr ss:[ebp-30] ; 4th number 4.0
0044C1D5 |. 9B wait
0044C1D6 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C1D9 |. 8B83 A4030000 mov eax,dword ptr ds:[ebx+3A4]
0044C1DF |. E8 4096FDFF call CrackMe_.00425824
0044C1E4 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C1E7 |. E8 48C0FBFF call CrackMe_.00408234
0044C1EC |. DD5D C8 fstp qword ptr ss:[ebp-38] ; 5th number 5.0
0044C1EF |. 9B wait
0044C1F0 |. DD45 E0 fld qword ptr ss:[ebp-20] ; 2nd number, 2.0
0044C1F3 |. 83C4 F4 add esp,-0C
0044C1F6 |. DB3C24 fstp tbyte ptr ss:[esp]
0044C1F9 |. 9B wait
0044C1FA |. B8 03000000 mov eax,3 ; EAX=3
0044C1FF |. E8 ECF6FCFF call CrackMe_.0041B8F0 ; 2nd number cubed, 2^3=8
0044C204 |. D805 50C34400 fadd dword ptr ds:[44C350] ; result plus the 1st constant 5.0 (ds:[44C350]=5.0), 8.0+5.0=13.0
0044C20A |. D9FA fsqrt ; square root of 13 = 3.60555127546398929
0044C20C |. E8 F365FBFF call CrackMe_.00402804 ; fcos=cos(3.605555127546398929)
0044C211 |. DB7D B8 fstp tbyte ptr ss:[ebp-48] ; st=-0.8942880585582759936
0044C214 |. 9B wait
0044C215 |. D905 54C34400 fld dword ptr ds:[44C354] ; 2nd constant 1.0 (ds:[44C354]=1.0)
0044C21B |. DC45 E8 fadd qword ptr ss:[ebp-18] ; 2nd constant plus the 1st number, 1.0+1.0=2.0
0044C21E |. D9FA fsqrt ; st=2.0, square root of the sum, st=1.4142135623730951680
0044C220 |. D9E0 fchs ; negate, st=-1.4142135623730951680
0044C222 |. DB6D B8 fld tbyte ptr ss:[ebp-48] ; load the result computed from the 2nd number, ss:[0012FBCC]=-0.8942880585582759936
0044C225 |. DEC1 faddp st(1),st ; add the two
0044C227 |. DB7D AC fstp tbyte ptr ss:[ebp-54] ; st=-2.3085016209313710080
0044C22A |. 9B wait
0044C22B |. D905 58C34400 fld dword ptr ds:[44C358] ; 3rd constant 3.0 (ds:[0044C358]=3.0)
0044C231 |. DC4D D8 fmul qword ptr ss:[ebp-28] ; 3rd constant times the 3rd number, 3.0*3.0=9.0
0044C234 |. D805 54C34400 fadd dword ptr ds:[44C354] ; product plus the 2nd constant 1.0, 9.0+1.0=10.0
0044C23A |. D9ED fldln2 ; st0=ln2=0.6931471805599453184, st1=10
0044C23C |. D9C9 fxch st(1) ; fxch swaps st(0) and st(1); afterwards st0=10.0, st1=0.6931471805599453184
0044C23E |. D9F1 fyl2x ; fyl2x instruction: st(0) <-- st(0)*log2(st(1)), st(0)=2.3025850929940456960, i.e. computes ln(st(1))=ln10
0044C240 |. DB6D AC fld tbyte ptr ss:[ebp-54] ; ss:[0012FBC0]=-2.3085016209313710080,st(0)=-2.3085016209313710080
0044C243 |. DEC1 faddp st(1),st ; st(1)+st, add the two floats above
0044C245 |. DB7D A0 fstp tbyte ptr ss:[ebp-60] ; st=-0.0059165279373252168
0044C248 |. 9B wait
0044C249 |. D905 5CC34400 fld dword ptr ds:[44C35C] ; 4th constant 2.0 (ds:[0044C35C]=2.0)
0044C24F |. DC45 D0 fadd qword ptr ss:[ebp-30] ; 4th constant plus the 4th number 4.0, 4.0+2.0=6.0
0044C252 |. D9FA fsqrt ; square root of the sum, st=2.4494897427831777280
0044C254 |. DB6D A0 fld tbyte ptr ss:[ebp-60] ; ss:[0012FBB4]=-0.0059165279373252168
0044C257 |. DEE1 fsubrp st(1),st ; subtract the square root result = -2.4554062707205027840
0044C259 |. D905 58C34400 fld dword ptr ds:[44C358] ; 3rd constant 3.0 (ds:[0044C358]=3.0)
0044C25F |. DC4D C8 fmul qword ptr ss:[ebp-38] ; 3rd number times the 5th number 5.0, 3.0*5.0=15.0
0044C262 |. D835 5CC34400 fdiv dword ptr ds:[44C35C] ; product divided by the 4th constant 2.0, 15.0/2.0=7.5
0044C268 |. DEC1 faddp st(1),st ; 7.5+(-2.4554062707205027840)=5.0445937292794972160
0044C26A |. DB2D 60C34400 fld tbyte ptr ds:[44C360] ; 5th constant 0.37 (ds:[0044C360]=0.37)
0044C270 |. DEC1 faddp st(1),st ; 0.37+5.044593729279497216=5.4145937292794972160
0044C272 |. D80D 6CC34400 fmul dword ptr ds:[44C36C] ; multiply by the 6th constant 1000.0 (ds:[0044C36C]=1000.000)
0044C278 |. DD5D F0 fstp qword ptr ss:[ebp-10] ; gives st=5414.5937292794972160
0044C27B |. 9B wait
0044C27C |. DD45 F0 fld qword ptr ss:[ebp-10]
0044C27F |. E8 9065FBFF call CrackMe_.00402814 ; round the product and convert to hex, 5415 --> 0x1527
0044C284 |. 8945 98 mov dword ptr ss:[ebp-68],eax ; EAX=00001527
0044C287 |. 8955 9C mov dword ptr ss:[ebp-64],edx
0044C28A |. DF6D 98 fild qword ptr ss:[ebp-68]
0044C28D |. 83C4 F4 add esp,-0C
0044C290 |. DB3C24 fstp tbyte ptr ss:[esp] ; st=5415.0000000000000000
0044C293 |. 9B wait
0044C294 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0044C297 |. E8 68BFFBFF call CrackMe_.00408204 ; convert the result to a string, take the string length, EAX=4
0044C29C |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0044C29F |. E8 5CFCFFFF call CrackMe_.0044BF00 ; key Call-1, F7 into it
0044C2A4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; result assigned to EAX; D EAX shows 00A95630 B5 B5 BC BB 档蓟
0044C2A7 |. BA 78C34400 mov edx,CrackMe_.0044C378 ; the string "岛埠"; D EDX shows 0044C378 B5 BA B2 BA 岛埠
0044C2AC |. E8 D378FBFF call CrackMe_.00403B84 ; compare the two for equality
0044C2B1 |. 75 38 jnz short CrackMe_.0044C2EB ; not equal means game over; patch point, NOP it out
0044C2B3 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
F7 into key Call-1 at 0044C29F, arriving at:
0044BF00 /$ 53 push ebx
0044BF01 |. 56 push esi
0044BF02 |. 57 push edi
0044BF03 |. 51 push ecx
0044BF04 |. 8BF0 mov esi,eax
0044BF06 |. 8B06 mov eax,dword ptr ds:[esi] ; "5415"
0044BF08 |. E8 677BFBFF call CrackMe_.00403A74
0044BF0D |. 8B15 98EE4400 mov edx,dword ptr ds:[44EE98]
0044BF13 |. 8902 mov dword ptr ds:[edx],eax
0044BF15 |. 8B06 mov eax,dword ptr ds:[esi]
0044BF17 |. E8 587BFBFF call CrackMe_.00403A74
0044BF1C |. 84C0 test al,al
0044BF1E |. 76 38 jbe short CrackMe_.0044BF58
0044BF20 |. 880424 mov byte ptr ss:[esp],al
0044BF23 |. B3 01 mov bl,1
0044BF25 |> B8 1C000000 /mov eax,1C ; EAX=0x1C
0044BF2A |. E8 516AFBFF |call CrackMe_.00402980 ; key Call-2, F7 into it
0044BF2F |. 0D 80000000 |or eax,80 ; EAX=EAX or 0x80
0044BF34 |. 8BFB |mov edi,ebx
0044BF36 |. 81E7 FF000000 |and edi,0FF
0044BF3C |. 8B16 |mov edx,dword ptr ds:[esi] ; computed result "5415"
0044BF3E |. 0FB6543A FF |movzx edx,byte ptr ds:[edx+edi-1] ; take the ASCII value of each character of the result "5415" in turn
0044BF43 |. 33C2 |xor eax,edx ; EAX=EAX xor EDX
0044BF45 |. 50 |push eax ; save the xor result
0044BF46 |. 8BC6 |mov eax,esi
0044BF48 |. E8 F77CFBFF |call CrackMe_.00403C44
0044BF4D |. 5A |pop edx
0044BF4E |. 885438 FF |mov byte ptr ds:[eax+edi-1],dl
0044BF52 |. 43 |inc ebx
0044BF53 |. FE0C24 |dec byte ptr ss:[esp]
0044BF56 |.^ 75 CD \jnz short CrackMe_.0044BF25
0044BF58 |> 5A pop edx
0044BF59 |. 5F pop edi
0044BF5A |. 5E pop esi
0044BF5B |. 5B pop ebx
0044BF5C \. C3 retn
F7 into key Call-2 at 0044BF2A, arriving at:
00402980 /$ 6915 40F04400 >imul edx,dword ptr ds:[44F040],8088405 ; ds:[0044F040]=4, its initial value is the length of the result
0040298A |. 42 inc edx ; EDX=EDX+1
0040298B |. 8915 40F04400 mov dword ptr ds:[44F040],edx ; save EDX
00402991 |. F7E2 mul edx ; EAX=EAX*EDX, EAX starts as 0x1C
00402993 |. 89D0 mov eax,edx ; EAX=EDX
00402995 \. C3 retn
After the floating-point result is converted to a string, the ASCII value of each character is processed in turn, and the final result is compared with the fixed value B5 BA B2 BA; equal means success.
Working backwards from the floating-point result (assume 4 digits): after the CALL at 0044BF2A, EAX at 0044BF2F is 83, 89, 86, 8D in turn, so
83 xor B5 = 36('6')
89 xor BA = 33('3')
86 xor B2 = 34('4')
8D xor BA = 37('7')
So the floating-point result just needs to come out as 6347.0 for registration to succeed.
-----------------------------------------------------------------------------------------------
【Summary】
1. The Nag is easily removed by breaking on MessageBoxA.
2. The Password is the fixed value: Clno iguonRn.
3. For the Serial, the username and company lengths are restricted; the ASCII values of the username characters are summed and the result is concatenated with fixed strings, call it str1.
The serial's length must equal the length of str1;
the sum of the ASCII values of the serial's characters must equal the sum of the ASCII values of str1's characters.
4. First identify CheckBox3 and CheckBox5; the other CheckBoxes follow. Taking the upper CheckBox in the first column of the heart as number 1,
numbered 1 to 20 clockwise, checking the CheckBoxes numbered 3, 5, 6, 9, 11, 12, 13, 15, 19, 20 passes the level.
5. The TrackBar uses simple floating-point arithmetic; the result is xor'ed and compared with the fixed value B5BAB2BA; equal means success.
Registration info:
========================================
Password:Clno iguonRn
========================================
Name:hrbxhui
Company:h2h Studios
Serial:I Love Cracking and 762 Girls ;)
========================================
TrackBar Serial:14435
========================================
【VB keygen source】(For TrackBar Serial)
Private Sub KeyGen_Click()
    Dim n1 As Double
    Dim n2 As Double
    Dim n3 As Double
    Dim n4 As Double
    Dim n5 As Double
    Dim sum As Long
    Dim temp As Long
    Dim i As Long
    sum = 0
    ' start from a random 5-digit candidate and search upwards
    temp = (99999 - 10000) * Rnd() + 10000
    For i = temp To 99999
        ' split the candidate into the five TrackBar positions
        n1 = Int(i / 10000)
        n2 = Int((i Mod 10000) / 1000)
        n3 = Int((i Mod 1000) / 100)
        n4 = Int((i Mod 100) / 10)
        n5 = i Mod 10
        ' the same floating-point chain as 0044C1F0..0044C272
        n1 = Sqr(n1 + 1) * (-1)
        n2 = Cos(Sqr(n2 * n2 * n2 + 5))
        n3 = Log(n3 * 3 + 1)
        n4 = Sqr(n4 + 2)
        n5 = n5 * 3# / 2#
        ' assigning the Double to a Long rounds it, matching the Round at 0044C27F
        sum = Int((n1 + n2 + n3 - n4 + n5 + 0.37) * 100000) / 100
        If sum = 6347 Then GoTo Success
    Next i
Success:
    Text1 = i
End Sub
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact, thanks!
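The Serial check (3-3) and the TrackBar arithmetic with its XOR step (3-5), re-implemented in Python by the editor straight from the disassembly above; this is added example code, not the CrackMe's source or the author's keygen. It assumes only what the listing shows (the two fixed strings, the constants 5.0/1.0/3.0/2.0/0.37/1000.0, the Random() step with multiplier 0x8088405 seeded by the string length, the stored bytes B5 BA B2 BA) and checks that the values derived in the write-up (762, str1, 5415, 6347, the keystream 83 89 86 8D) come out the same. It also makes the weakness of both checks visible: the Serial only constrains length and byte sum, so any permutation of str1 is accepted, and the "encrypted" comparison is a fixed keystream that depends on nothing but the digit count.

```python
import math

# ----- 3-3: Serial check, following the disassembly at 0044C648 -----
PREFIX = "I Love Cracking and "   # string pushed at 0044C6DC
SUFFIX = " Girls ;)"              # string pushed at 0044C6EF


def build_str1(name: str, company: str):
    """Return the reference string str1, or None when a length check fails."""
    # 0044C674 / 0044C687: username length must be 7..19
    if not 6 < len(name) < 20:
        return None
    total = sum(name.encode("latin-1"))          # loop at 0044C6A3
    # 0044C6C2 jle 0044C6DC lands on the concatenation, so a company name of
    # 2 chars or fewer simply skips the doubling; 3..7 chars doubles the
    # accumulated sum (mov eax,[ebp-4]; imul eax,eax,2); 8+ leaves it alone
    if 2 < len(company) < 8:
        total *= 2
    return f"{PREFIX}{total}{SUFFIX}"            # 3-part concat at 0044C6FE


def serial_ok(name: str, company: str, serial: str) -> bool:
    """True when the CrackMe would report the correct Serial."""
    str1 = build_str1(name, company)
    if str1 is None or len(serial) != len(str1):  # 0044C71E cmp ebx,eax
        return False
    # loop at 0044C735 accumulates sum(serial[i] - str1[i]); 0044C757 tests 0
    return sum(serial.encode("latin-1")) == sum(str1.encode("latin-1"))


# ----- 3-5: TrackBar arithmetic, following 0044C1F0..0044C27F -----
def trackbar_value(d1, d2, d3, d4, d5) -> int:
    """Five TrackBar positions in; the rounded integer the CrackMe strings out."""
    t = math.cos(math.sqrt(d2 ** 3 + 5.0))      # cos(sqrt(d2^3 + 5.0))
    t += -math.sqrt(1.0 + d1)                   # - sqrt(1.0 + d1)
    t += math.log(3.0 * d3 + 1.0)               # + ln(3.0*d3 + 1.0)
    t -= math.sqrt(2.0 + d4)                    # - sqrt(2.0 + d4)
    t += 3.0 * d5 / 2.0                         # + 3.0*d5/2.0
    t += 0.37
    return round(t * 1000.0)                    # Round() at 0044C27F


# ----- 0044BF00: Delphi Random()-driven XOR of the digit string -----
def delphi_random(seed: int, limit: int):
    """Random(limit) as seen at 00402980: LCG step, then high dword of seed*limit."""
    seed = (seed * 0x8088405 + 1) & 0xFFFFFFFF
    return seed, (seed * limit) >> 32


def keystream(length: int):
    """RandSeed is set to the string length (0044BF13), so the keystream
    depends on nothing but that length."""
    seed, ks = length, []
    for _ in range(length):
        seed, r = delphi_random(seed, 0x1C)     # mov eax,1C ; call Random
        ks.append(r | 0x80)                     # or eax,80 at 0044BF2F
    return ks


def scramble(digits: str) -> bytes:
    """XOR each character with its keystream byte (0044BF43)."""
    return bytes(k ^ c for k, c in zip(keystream(len(digits)), digits.encode("latin-1")))


EXPECTED = bytes.fromhex("b5bab2ba")            # bytes at 0044C378


def trackbar_ok(d1, d2, d3, d4, d5) -> bool:
    return scramble(str(trackbar_value(d1, d2, d3, d4, d5))) == EXPECTED


def find_trackbar_serials():
    """Every 5-digit TrackBar setting the check accepts; the write-up's 14435 is one."""
    return [f"{n:05d}" for n in range(100000)
            if trackbar_ok(*(int(c) for c in f"{n:05d}"))]


if __name__ == "__main__":
    print(build_str1("hrbxhui", "h2h Studios"))   # I Love Cracking and 762 Girls ;)
    print(trackbar_value(1, 2, 3, 4, 5), trackbar_value(1, 4, 4, 3, 5))  # 5415 6347
    print([hex(k) for k in keystream(4)])          # ['0x83', '0x89', '0x86', '0x8d']
    print(find_trackbar_serials())
```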