【文章标题】: 霏凡首届解密大赛
【文章作者】: xss517
【作者邮箱】: xss5172002@yahoo.com.cn
【作者QQ号】: 251496329
【软件名称】: 霏凡首届解密大赛CRACKME
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
这次脱壳也有奖励 ASPack 2.12 -> Alexey Solodovnikov
esp定律脱之
f8一次 在esp上右键选择数据窗口跟随
0013ffa4上下硬件访问断点 f9运行
0047F3B0 /75 08 jnz short 0047F3BA 到这里
0047F3B2 |B8 01000000 mov eax, 1
0047F3B7 |C2 0C00 retn 0C
0047F3BA \68 F8754600 push 004675F8
0047F3BF C3 retn
f8继续返回到oep,dump出来,原来是Borland Delphi 6.0 - 7.0
004675F8 55 push ebp oep
004675F9 8BEC mov ebp, esp
004675FB 83C4 F0 add esp, -10
004675FE B8 08744600 mov eax, 00467408
00467603 E8 2CE6F9FF call 00405C34
字符串查看提示到这里,f2,运行输入注册名和假注册码
00467180 /. 55 push ebp
00467181 |. 8BEC mov ebp, esp
00467183 |. B9 04000000 mov ecx, 4
00467188 |> 6A 00 /push 0
0046718A |. 6A 00 |push 0
0046718C |. 49 |dec ecx
0046718D |.^ 75 F9 \jnz short 00467188
0046718F |. 51 push ecx
00467190 |. 53 push ebx
00467191 |. 56 push esi
00467192 |. 57 push edi
00467193 |. 8BD8 mov ebx, eax
00467195 |. 33C0 xor eax, eax
00467197 |. 55 push ebp
00467198 |. 68 0A734600 push 0046730A
0046719D |. 64:FF30 push dword ptr fs:[eax]
004671A0 |. 64:8920 mov dword ptr fs:[eax], esp
004671A3 |. 8D55 F4 lea edx, [local.3]
004671A6 |. 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
004671AC |. E8 CBBCFCFF call 00432E7C
004671B1 |. 8B45 F4 mov eax, [local.3] ; 注册名
004671B4 |. 8D55 F8 lea edx, [local.2]
004671B7 |. E8 F009FAFF call 00407BAC
004671BC |. 8B45 F8 mov eax, [local.2]
004671BF |. E8 48CFF9FF call 0040410C ; 估计是看是否为空的函数,没有f7跟入了
004671C4 |. 85C0 test eax, eax
004671C6 |. 0F8E DE000000 jle 004672AA
004671CC |. 8D55 F0 lea edx, [local.4]
004671CF |. 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
004671D5 |. E8 A2BCFCFF call 00432E7C
004671DA |. 8B45 F0 mov eax, [local.4]
004671DD |. E8 2ACFF9FF call 0040410C
004671E2 |. 8BF8 mov edi, eax
004671E4 |. 85FF test edi, edi
004671E6 |. 7E 63 jle short 0046724B
004671E8 |. BE 01000000 mov esi, 1
004671ED |> FF75 FC /push [local.1]
004671F0 |. 8D55 E8 |lea edx, [local.6]
004671F3 |. 8B83 F8020000 |mov eax, dword ptr [ebx+2F8]
004671F9 |. E8 7EBCFCFF |call 00432E7C
004671FE |. 8B45 E8 |mov eax, [local.6]
00467201 |. 33D2 |xor edx, edx
00467203 |. 8A5430 FF |mov dl, byte ptr [eax+esi-1] ; 取注册名的每一位的asc值
00467207 |. 83C2 03 |add edx, 3 ; asc值加3
0046720A |. 8D45 EC |lea eax, [local.5]
0046720D |. E8 22CEF9FF |call 00404034
00467212 |. FF75 EC |push [local.5]
00467215 |. 8D55 E0 |lea edx, [local.8]
00467218 |. 8B83 F8020000 |mov eax, dword ptr [ebx+2F8]
0046721E |. E8 59BCFCFF |call 00432E7C
00467223 |. 8B45 E0 |mov eax, [local.8]
00467226 |. 33D2 |xor edx, edx
00467228 |. 8A5430 FF |mov dl, byte ptr [eax+esi-1]
0046722C |. 83EA 03 |sub edx, 3 ; asc值减3,再对应asc字母连接起来,就ok
0046722F |. 8D45 E4 |lea eax, [local.7]
00467232 |. E8 FDCDF9FF |call 00404034
00467237 |. FF75 E4 |push [local.7]
0046723A |. 8D45 FC |lea eax, [local.1]
0046723D |. BA 03000000 |mov edx, 3
00467242 |. E8 85CFF9FF |call 004041CC ; strcatn函数,dede的提示
00467247 |. 46 |inc esi
00467248 |. 4F |dec edi
00467249 |.^ 75 A2 \jnz short 004671ED
0046724B |> 68 20734600 push 00467320 ; crsky f4直接来到这里,一些内置字符串
00467250 |. FF75 FC push [local.1] ; 这里我看到提示 堆栈 ss:[0013F628]=00D85FB4, (ASCII "{uvpvp824.:4")
00467253 |. 68 30734600 push 00467330 ; crack
00467258 |. 8D45 FC lea eax, [local.1]
0046725B |. BA 03000000 mov edx, 3
00467260 |. E8 67CFF9FF call 004041CC
00467265 |. 8D55 DC lea edx, [local.9]
00467268 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0046726E |. E8 09BCFCFF call 00432E7C
00467273 |. 8B45 DC mov eax, [local.9]
00467276 |. 8B55 FC mov edx, [local.1] ; 注册码出现,内置字符串,一个在开头一个在结尾,与loacl1组成注册码
00467279 |. E8 DACFF9FF call 00404258
0046727E |. 75 15 jnz short 00467295
00467280 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00467282 |. 68 38734600 push 00467338 ; |InformationCongratuation! You have successfully registered!
00467287 |. 68 44734600 push 00467344 ; |Congratuation! You have successfully registered!
0046728C |. 6A 00 push 0 ; |hOwner = NULL
0046728E |. E8 E1F2F9FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00467293 |. EB 28 jmp short 004672BD
00467295 |> 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00467297 |. 68 38734600 push 00467338 ; |InformationCongratuation! You have successfully registered!
0046729C |. 68 78734600 push 00467378 ; |Invalid register code! Please retry!
004672A1 |. 6A 00 push 0 ; |hOwner = NULL
004672A3 |. E8 CCF2F9FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004672A8 |. EB 13 jmp short 004672BD
004672AA |> 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004672AC |. 68 38734600 push 00467338 ; |InformationCongratuation! You have successfully registered!
004672B1 |. 68 78734600 push 00467378 ; |Invalid register code! Please retry!
004672B6 |. 6A 00 push 0 ; |hOwner = NULL
004672B8 |. E8 B7F2F9FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004672BD |> 33C0 xor eax, eax
004672BF |. 5A pop edx
004672C0 |. 59 pop ecx
004672C1 |. 59 pop ecx
004672C2 |. 64:8910 mov dword ptr fs:[eax], edx
004672C5 |. 68 11734600 push 00467311
004672CA |> 8D45 DC lea eax, [local.9]
004672CD |. BA 02000000 mov edx, 2
004672D2 |. E8 99CBF9FF call 00403E70
004672D7 |. 8D45 E4 lea eax, [local.7]
004672DA |. E8 6DCBF9FF call 00403E4C
004672DF |. 8D45 E8 lea eax, [local.6]
004672E2 |. E8 65CBF9FF call 00403E4C
004672E7 |. 8D45 EC lea eax, [local.5]
004672EA |. E8 5DCBF9FF call 00403E4C
004672EF |. 8D45 F0 lea eax, [local.4]
004672F2 |. BA 02000000 mov edx, 2
004672F7 |. E8 74CBF9FF call 00403E70
004672FC |. 8D45 F8 lea eax, [local.2]
004672FF |. BA 02000000 mov edx, 2
00467304 |. E8 67CBF9FF call 00403E70
00467309 \. C3 retn
还是dede分析清楚多了
00467180 55 push ebp
00467181 8BEC mov ebp, esp
00467183 B904000000 mov ecx, $00000004
00467188 6A00 push $00
0046718A 6A00 push $00
0046718C 49 dec ecx
0046718D 75F9 jnz 00467188
0046718F 51 push ecx
00467190 53 push ebx
00467191 56 push esi
00467192 57 push edi
00467193 8BD8 mov ebx, eax
00467195 33C0 xor eax, eax
00467197 55 push ebp
00467198 680A734600 push $0046730A
***** TRY
|
0046719D 64FF30 push dword ptr fs:[eax]
004671A0 648920 mov fs:[eax], esp
004671A3 8D55F4 lea edx, [ebp-$0C]
* Reference to control TForm1.Edit1 : TEdit
|
004671A6 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004671AC E8CBBCFCFF call 00432E7C
004671B1 8B45F4 mov eax, [ebp-$0C]
004671B4 8D55F8 lea edx, [ebp-$08]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004671B7 E8F009FAFF call 00407BAC
004671BC 8B45F8 mov eax, [ebp-$08]
* Reference to: System.@LStrLen(String):Integer;
|
004671BF E848CFF9FF call 0040410C
004671C4 85C0 test eax, eax
004671C6 0F8EDE000000 jle 004672AA
004671CC 8D55F0 lea edx, [ebp-$10]
* Reference to control TForm1.Edit1 : TEdit
|
004671CF 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004671D5 E8A2BCFCFF call 00432E7C
004671DA 8B45F0 mov eax, [ebp-$10]
* Reference to: System.@LStrLen(String):Integer;
|
004671DD E82ACFF9FF call 0040410C
004671E2 8BF8 mov edi, eax
004671E4 85FF test edi, edi
004671E6 7E63 jle 0046724B
004671E8 BE01000000 mov esi, $00000001
004671ED FF75FC push dword ptr [ebp-$04]
004671F0 8D55E8 lea edx, [ebp-$18]
* Reference to control TForm1.Edit1 : TEdit
|
004671F3 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004671F9 E87EBCFCFF call 00432E7C
004671FE 8B45E8 mov eax, [ebp-$18]
00467201 33D2 xor edx, edx
00467203 8A5430FF mov dl, byte ptr [eax+esi-$01]
00467207 83C203 add edx, +$03
0046720A 8D45EC lea eax, [ebp-$14]
* Reference to: System.@LStrFromChar(String;String;Char);
|
0046720D E822CEF9FF call 00404034
00467212 FF75EC push dword ptr [ebp-$14]
00467215 8D55E0 lea edx, [ebp-$20]
* Reference to control TForm1.Edit1 : TEdit
|
00467218 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
0046721E E859BCFCFF call 00432E7C
00467223 8B45E0 mov eax, [ebp-$20]
00467226 33D2 xor edx, edx
00467228 8A5430FF mov dl, byte ptr [eax+esi-$01]
0046722C 83EA03 sub edx, +$03
0046722F 8D45E4 lea eax, [ebp-$1C]
* Reference to: System.@LStrFromChar(String;String;Char);
|
00467232 E8FDCDF9FF call 00404034
00467237 FF75E4 push dword ptr [ebp-$1C]
0046723A 8D45FC lea eax, [ebp-$04]
0046723D BA03000000 mov edx, $00000003
* Reference to: System.@LStrCatN;
|
00467242 E885CFF9FF call 004041CC
00467247 46 inc esi
00467248 4F dec edi
00467249 75A2 jnz 004671ED
* Possible String Reference to: 'crsky'
|
0046724B 6820734600 push $00467320
00467250 FF75FC push dword ptr [ebp-$04]
* Possible String Reference to: 'crack'
|
00467253 6830734600 push $00467330
00467258 8D45FC lea eax, [ebp-$04]
0046725B BA03000000 mov edx, $00000003
* Reference to: System.@LStrCatN;
|
00467260 E867CFF9FF call 004041CC
00467265 8D55DC lea edx, [ebp-$24]
* Reference to control TForm1.Edit2 : TEdit
|
00467268 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
0046726E E809BCFCFF call 00432E7C
00467273 8B45DC mov eax, [ebp-$24]
00467276 8B55FC mov edx, [ebp-$04]
* Reference to: System.@LStrCmp;
|
00467279 E8DACFF9FF call 00404258
0046727E 7515 jnz 00467295
00467280 6A40 push $40
* Possible String Reference to: 'Information'
|
00467282 6838734600 push $00467338
* Possible String Reference to: 'Congratuation! You have successfull
| y registered!'
|
00467287 6844734600 push $00467344
0046728C 6A00 push $00
* Reference to: a.MessageBoxA()
|
0046728E E8E1F2F9FF call 00406574
00467293 EB28 jmp 004672BD
00467295 6A10 push $10
* Possible String Reference to: 'Information'
|
00467297 6838734600 push $00467338
* Possible String Reference to: 'Invalid register code! Please retry
| !'
|
0046729C 6878734600 push $00467378
004672A1 6A00 push $00
* Reference to: a.MessageBoxA()
|
004672A3 E8CCF2F9FF call 00406574
004672A8 EB13 jmp 004672BD
004672AA 6A10 push $10
* Possible String Reference to: 'Information'
|
004672AC 6838734600 push $00467338
* Possible String Reference to: 'Invalid register code! Please retry
| !'
|
004672B1 6878734600 push $00467378
004672B6 6A00 push $00
* Reference to: a.MessageBoxA()
|
004672B8 E8B7F2F9FF call 00406574
004672BD 33C0 xor eax, eax
004672BF 5A pop edx
004672C0 59 pop ecx
004672C1 59 pop ecx
004672C2 648910 mov fs:[eax], edx
****** FINALLY
|
004672C5 6811734600 push $00467311
004672CA 8D45DC lea eax, [ebp-$24]
004672CD BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
004672D2 E899CBF9FF call 00403E70
004672D7 8D45E4 lea eax, [ebp-$1C]
* Reference to: System.@LStrClr(void;void);
|
004672DA E86DCBF9FF call 00403E4C
004672DF 8D45E8 lea eax, [ebp-$18]
* Reference to: System.@LStrClr(void;void);
|
004672E2 E865CBF9FF call 00403E4C
004672E7 8D45EC lea eax, [ebp-$14]
* Reference to: System.@LStrClr(void;void);
|
004672EA E85DCBF9FF call 00403E4C
004672EF 8D45F0 lea eax, [ebp-$10]
004672F2 BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
004672F7 E874CBF9FF call 00403E70
004672FC 8D45F8 lea eax, [ebp-$08]
004672FF BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00467304 E867CBF9FF call 00403E70
00467309 C3 ret
* Reference to: System.@HandleFinally;
|
0046730A E941C5F9FF jmp 00403850
0046730F EBB9 jmp 004672CA
****** END
|
00467311 5F pop edi
00467312 5E pop esi
00467313 5B pop ebx
00467314 8BE5 mov esp, ebp
00467316 5D pop ebp
00467317 C3 ret
xss517 对应 堆栈 ss:[0013F958]=00D85EC4, (ASCII "crsky{uvpvp824.:4crack")
edx=00150608
注册码:crsky{uvpvp824.:4crack
总结:取注册名每位asc值。加3和减3对应的字符,连接起来
注册码格式:crsky+字符串+crack
Option Explicit
Option Explicit
Private Sub Command1_Click()
Dim i As Integer
Dim j As Integer
Dim k As Integer
Dim key As String
For i = 1 To Len(Text1.Text)
k = Ascw(Mid(Text1.Text, i, 1)) + 3
j = Ascw(Mid(Text1.Text, i, 1)) - 3
key = key & Chrw(k) & Chrw(j)
Next
Text2.Text = "crsky" & key & "crack"
End Sub
Private Sub Command2_Click()
End
End Sub
修订了一下,asc改成ascw,但是我仍然无法用中文名注册
希望能够解决这个问题的朋友指教
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
2007年08月14日 PM 06:39:56
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
