【文章标题】: happytown的第四个crackeme分析
【文章作者】: qianyicy
【作者邮箱】: qgnck1999@163.com
【软件名称】: happytown写的keygenme04
【下载地址】: http://bbs.pediy.com/showthread.php?t=33853
【保护方式】: 无
【使用工具】: ollydbg
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用ollydbg加载
我们查找字符串,"Good job,man!"来到这:
0045015F |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00450161 |. 68 98014500 push KeyGenMe.00450198 ; |Title = "Congratulations"
00450166 |. 68 A8014500 push KeyGenMe.004501A8 ; |Text = "Good job,man!"
0045016B |. 6A 00 push 0 ; |hOwner = NULL
0045016D |. E8 2E63FBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
一路向上走:我们来到这:
0045007F |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 用户名送入eax
00450082 |. E8 4940FBFF call KeyGenMe.004040D0 ; 得用户名长度
00450087 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
0045008A |. 837D F0 02 cmp dword ptr ss:[ebp-10],2 ; 用户名长度必须大于2
0045008E |. 0F8C DE000000 jl KeyGenMe.00450172
00450094 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00450097 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045009A |. 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004500A0 |. E8 B3F2FDFF call KeyGenMe.0042F358
004500A5 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004500A8 |. E8 2340FBFF call KeyGenMe.004040D0 ; 获得注册码位数
004500AD |. 8945 EC mov dword ptr ss:[ebp-14],eax
004500B0 |. 837D EC 0A cmp dword ptr ss:[ebp-14],0A ; 注册码位数必须为10
004500B4 |. 0F85 B8000000 jnz KeyGenMe.00450172
004500BA |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004500BD |. 85C0 test eax,eax
004500BF |. 7E 34 jle short KeyGenMe.004500F5
004500C1 |. 8945 E4 mov dword ptr ss:[ebp-1C],eax ; 位数放入ebp-1c
004500C4 |. C745 E8 01000000 mov dword ptr ss:[ebp-18],1
004500CB |> 8B45 F4 /mov eax,dword ptr ss:[ebp-C]
004500CE |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
004500D1 |. 807C10 FF 30 |cmp byte ptr ds:[eax+edx-1],30
004500D6 |. 0F82 96000000 |jb KeyGenMe.00450172
004500DC |. 8B45 F4 |mov eax,dword ptr ss:[ebp-C]
004500DF |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18]
004500E2 |. 807C10 FF 39 |cmp byte ptr ds:[eax+edx-1],39
004500E7 |. 0F87 85000000 |ja KeyGenMe.00450172
004500ED |. FF45 E8 |inc dword ptr ss:[ebp-18]
004500F0 |. FF4D E4 |dec dword ptr ss:[ebp-1C]
004500F3 |.^ 75 D6 \jnz short KeyGenMe.004500CB ; 以上循环要求注册码全为数字,否则就跳
004500F5 |> 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004500F8 |. 0FB600 movzx eax,byte ptr ds:[eax] ; 注册码第一位送入eax
004500FB |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004500FE |. 0FB652 05 movzx edx,byte ptr ds:[edx+5] ; 注册码第6位送入EDX
00450102 |. 03C2 add eax,edx ; eax+edx
00450104 |. 83F8 6D cmp eax,6D ; 1位ascii码+6位ascii码必须=6D否则就死
00450107 |. 75 69 jnz short KeyGenMe.00450172
00450109 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0045010C |. 0FB640 01 movzx eax,byte ptr ds:[eax+1] ; 注册码第二位送入EAX
00450110 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00450113 |. 0FB652 06 movzx edx,byte ptr ds:[edx+6] ; 注册码第7位送入EDX
00450117 |. 03C2 add eax,edx ; eax+edx
00450119 |. 83F8 67 cmp eax,67 ; 2位ascii码+7位ascii码必须=67否则就死
0045011C |. 75 54 jnz short KeyGenMe.00450172
0045011E |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00450121 |. 0FB640 02 movzx eax,byte ptr ds:[eax+2]
00450125 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00450128 |. 0FB652 07 movzx edx,byte ptr ds:[edx+7]
0045012C |. 03C2 add eax,edx
0045012E |. 83F8 69 cmp eax,69 ; 3位ascii码+8位ascii码必须=69否则就死
00450131 |. 75 3F jnz short KeyGenMe.00450172
00450133 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00450136 |. 0FB640 03 movzx eax,byte ptr ds:[eax+3]
0045013A |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
0045013D |. 0FB652 08 movzx edx,byte ptr ds:[edx+8]
00450141 |. 03C2 add eax,edx
00450143 |. 83F8 70 cmp eax,70 ; 4位ascii码+9位ascii码必须=70否则就死
00450146 |. 75 2A jnz short KeyGenMe.00450172
00450148 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0045014B |. 0FB640 04 movzx eax,byte ptr ds:[eax+4]
0045014F |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00450152 |. 0FB652 09 movzx edx,byte ptr ds:[edx+9]
00450156 |. F7EA imul edx
00450158 |. 3D 8C0A0000 cmp eax,0A8C ; 5位ascii码*10位ascii码必须=0A8C否则就死
追到这,注册码己经出来
下面是用C写的注册机:
main()
{
int i,a[10];
char name[10];
a[4]=6,a[9]=2;
printf("please input your name and the name's character must > 1 and <10 \n");
gets(name);
printf("please input four number from 0 to 9:");
for (i = 0; i < 4; i++)
scanf("%d",&a[i]);
if (a[0] < 4){
printf("The first number must > 3,please input again:");
scanf("%d",&a[0]);
}
if (a[1] > 7){
printf("The second number must < 7,please input again:");
scanf("%d",&a[1]);
}
if (a[3] < 7){
printf("The fourth number must > 7,please input again:");
scanf("%d",&a[3]);
}
a[5] = 13-a[0];
a[6] = 7-a[1];
a[7] = 9-a[2];
a[8] = 16-a[3];
clrscr();
printf("Your name is:");
puts(name);
printf("The Registration code is:");
for (i = 0; i < 10; i++)
printf("%d",a[i]);
getch();
}
完毕
--------------------------------------------------------------------------------
【经验总结】
总的来说,这个程序还是很好破的,查找字符串就可以找到破解点了,
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!