#2
Heh, a newbie can only use a newbie's approach!!
#3
Just playing around!
It really is a bit twisted!
#4
UnhandledExceptionFilter, plus a check of whether the parent process is cmd.exe or Explorer.EXE in the system directory. In the end it was probably written in assembly.
#5
Heh, how do you crack it?
I'm a total newbie.
#6
There's also a time limit (10 s); you can't even get the input typed in time. Make the time longer.
7E2 6810270000 -> 6810271100
#7
Patching it out is simple.
#8
To get rid of the exception, NOP out the following instructions:
00401553 68 00104000 PUSH XiaoZi'C.00401000
00401558 E8 F3000000 CALL <JMP.&KERNEL32.SetUnhandledExceptio>
0040155D A3 68304000 MOV DWORD PTR DS:[403068],EAX
00401562 33C0 XOR EAX,EAX
00401564 C700 01000000 MOV DWORD PTR DS:[EAX],1
There is also a check of whether the parent process is cmd.exe or Explorer.EXE in the system directory.
The code is as follows:
004010E4 |. /EB 0E JMP SHORT XiaoZi'C.004010F4
004010E6 |. |5C 45 78 70 6>ASCII "\Explorer.EXE",0
004010F4 |> \68 E6104000 PUSH XiaoZi'C.004010E6 ; ASCII "\Explorer.EXE"
004010F9 |. 68 7C364000 PUSH XiaoZi'C.0040367C
004010FE |. E8 59050000 CALL <JMP.&KERNEL32.lstrcatA>
00401103 |. 68 74344000 PUSH XiaoZi'C.00403474
00401108 |. 68 7C364000 PUSH XiaoZi'C.0040367C
0040110D |. E8 50050000 CALL <JMP.&KERNEL32.lstrcmpA>
00401112 |. 85C0 TEST EAX,EAX
00401114 74 68 JE SHORT XiaoZi'C.0040117E    <- change this to (EB 68) JMP SHORT XiaoZi'C.0040117E and the program no longer exits; then you can trace it properly.
00401116 |. EB 12 JMP SHORT XiaoZi'C.0040112A
00401118 |. 5C 53 79 73 7>ASCII "\System32\cmd.ex"
00401128 |. 65 00 ASCII "e",0
0040112A |> 68 18114000 PUSH XiaoZi'C.00401118 ; ASCII "\System32\cmd.exe"
0040112F |. 68 80374000 PUSH XiaoZi'C.00403780
For the serial comparison, since the strings are not encrypted, it is easy to find the key spot and either patch it or write a keygen.
#9
Also, since DWORD PTR DS:[40304E] at 00401220 is a global variable, the computed value keeps changing, so a keygen can only compute from the first attempt, starting at 0. The accumulated sum of each character of the username XORed with each character of the lookup string dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt must equal the accumulated sum of each character of the entered serial XORed with each character of the other lookup string EdjlfFFklciILlIednelaHgebAMO0oO0ese3.
If the two values are equal, registration succeeds.
004011FD . 50 PUSH EAX
004011FE . 59 POP ECX
004011FF . 8D35 00304000 LEA ESI,DWORD PTR DS:[403000]
00401205 . 8D3D 74304000 LEA EDI,DWORD PTR DS:[403074]
0040120B > 33C0 XOR EAX,EAX
0040120D . 33DB XOR EBX,EBX
0040120F . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00401211 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
00401213 . 25 FF000000 AND EAX,0FF
00401218 . 81E3 FF000000 AND EBX,0FF
0040121E . 33C3 XOR EAX,EBX
00401220 . 0305 4E304000 ADD EAX,DWORD PTR DS:[40304E]
00401226 . A3 4E304000 MOV DWORD PTR DS:[40304E],EAX
0040122B . 46 INC ESI
0040122C . 47 INC EDI
0040122D .^ E2 DC LOOPD SHORT aaaaaaaa.0040120B
0040122F . 33C9 XOR ECX,ECX
00401231 . 8B0D 5A304000 MOV ECX,DWORD PTR DS:[40305A]
00401237 . 8D35 25304000 LEA ESI,DWORD PTR DS:[403025]
0040123D . 8D3D F4304000 LEA EDI,DWORD PTR DS:[4030F4]
00401243 > 33C0 XOR EAX,EAX
00401245 . 33DB XOR EBX,EBX
00401247 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00401249 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040124B . 25 FF000000 AND EAX,0FF
00401250 . 81E3 FF000000 AND EBX,0FF
00401256 . 33C3 XOR EAX,EBX
00401258 . 0305 52304000 ADD EAX,DWORD PTR DS:[403052]
0040125E . A3 52304000 MOV DWORD PTR DS:[403052],EAX
00401263 . 46 INC ESI
00401264 . 47 INC EDI
00401265 .^ E2 DC LOOPD SHORT aaaaaaaa.00401243
00401267 . A1 52304000 MOV EAX,DWORD PTR DS:[403052]
0040126C . 8B1D 4A304000 MOV EBX,DWORD PTR DS:[40304A]
00401272 . 85DB TEST EBX,EBX
00401274 . 75 3A JNZ SHORT aaaaaaaa.004012B0
00401276 . 8505 4E304000 TEST DWORD PTR DS:[40304E],EAX
0040127C . 75 32 JNZ SHORT aaaaaaaa.004012B0
0040127E . 6A 00 PUSH 0
00401280 . 68 98114000 PUSH aaaaaaaa.00401198 ; ASCII "Yeah"
00401285 . 68 C4114000 PUSH aaaaaaaa.004011C4
0040128A . 6A 00 PUSH 0
#10
A version of the program with the UnhandledExceptionFilter and the parent-process check removed is attached: ss.rar
#11
Heh, after deleting c:\windows\winx.dll, any substring taken from the start of "EdjlfFFklciILlIednelaHgebAMO0oO0ese3", of any length, is a universal serial.
#12
Even though I've been too busy lately to mess with this stuff... still, bump ;) ;)
#13
Support.
#14
Showing my support; let's all improve together!
#15
Originally posted by tane: To get rid of the exception, NOP out the following instructions: 00401553 68 00104000 PUSH XiaoZi'C.00401000 00401558 E8 F3000000 CALL <JMP.&KERNEL32.SetUnhandledExceptio> 0040155D A3 68304000 MOV DWORD PTR DS:[403068],EAX 00401562 33C0 XOR EAX,EAX ........
How did you find this exception? How did you know to NOP out those instructions? What breakpoint tells you that the program checks whether the parent process is cmd.exe or Explorer.EXE in the system directory? Please advise!
#16
Not sure if this is right, but I just opened the file in UltraEdit and saw it right there.
#17
Sorry, the image didn't upload properly just now. Re-uploading.
#18
OllyDbg won't be able to work normally.
No matter, OllyDbg gives us another option: Attach. First run XiaoZi'CrackeMe.exe, then open OllyDbg.
In OllyDbg's File menu choose Attach, and pick XiaoZi'CrackeMe.exe in the pop-up window. OK! The enemy has once again walked into our encirclement! OllyDbg soon finishes its analysis and stops in Kernel.dll; press F9 to run, and it is still in Kernel.dll; no problem,
press ALT+E, select XiaoZi'CrackeMe.exe and double-click to get back into XiaoZi'CrackeMe.exe's code. Remember to press Ctrl+A to analyze the program; it will look much nicer!
004013D7 |. 83F8 FF cmp eax,-1
004013DA |. 0F84 1C010000 je XiaoZi'C.004014FC
004013E0 |. 6A 00 push 0 ; /Timerproc = NULL
004013E2 |. 68 10270000 push 2710 ; |Timeout = 10000. ms
004013E7 |. 6A 05 push 5 ; |TimerID = 5
004013E9 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
004013EC |. E8 0B020000 call <jmp.&USER32.SetTimer> ; \SetTimer
004013F1 |. C705 4A304000>mov dword ptr ds:[40304A],1
004013FB |. E9 FC000000 jmp XiaoZi'C.004014FC
00401400 |> 3D 13010000 cmp eax,113
00401405 |. 75 33 jnz short XiaoZi'C.0040143A
00401407 |. 8B45 10 mov eax,dword ptr ss:[ebp+10]
0040140A |. 83F8 05 cmp eax,5--------------------------
0040140D EB 13 jmp short XiaoZi'C.00401422    <- skip the count check: JNZ ===> JMP
0040140F |. 6A 00 push 0 ; /lParam = 0
00401411 |. 6A 00 push 0 ; |wParam = 0
00401413 |. 6A 10 push 10 ; |Message = WM_CLOSE
00401415 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
00401418 |. E8 D9010000 call <jmp.&USER32.SendMessageA> ; \SendMessageA
0040141D |. E9 DA000000 jmp XiaoZi'C.004014FC
ESI 00403000 ASCII "dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt"
ESI 00403025 ASCII "EdjlfFFklciILlIednelaHgebAMO0oO0ese3"
004011EF > \A1 56304000 mov eax,dword ptr ds:[403056]
004011F4 . 83F8 06 cmp eax,6
004011F7 . 0F8C 97000000 jl XiaoZi'C.00401294
004011FD . 50 push eax
004011FE . 59 pop ecx
004011FF . 8D35 00304000 lea esi,dword ptr ds:[403000] ; esi=dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt
00401205 . 8D3D 74304000 lea edi,dword ptr ds:[403074]
0040120B > 33C0 xor eax,eax ; edi=name
0040120D . 33DB xor ebx,ebx
0040120F . 8B07 mov eax,dword ptr ds:[edi]
00401211 . 8B1E mov ebx,dword ptr ds:[esi]
00401213 . 25 FF000000 and eax,0FF
00401218 . 81E3 FF000000 and ebx,0FF
0040121E . 33C3 xor eax,ebx ; name[i]xortmp[i]
00401220 . 0305 4E304000 add eax,dword ptr ds:[40304E]
00401226 . A3 4E304000 mov dword ptr ds:[40304E],eax
0040122B . 46 inc esi
0040122C . 47 inc edi
0040122D .^ E2 DC loopd short XiaoZi'C.0040120B
0040122F . 33C9 xor ecx,ecx
00401231 . 8B0D 5A304000 mov ecx,dword ptr ds:[40305A]
00401237 . 8D35 25304000 lea esi,dword ptr ds:[403025] ; esi=EdjlfFFklciILlIednelaHgebAMO0oO0ese3
0040123D . 8D3D F4304000 lea edi,dword ptr ds:[4030F4]
00401243 > 33C0 xor eax,eax
00401245 . 33DB xor ebx,ebx
00401247 . 8B07 mov eax,dword ptr ds:[edi]
00401249 . 8B1E mov ebx,dword ptr ds:[esi]
0040124B . 25 FF000000 and eax,0FF
00401250 . 81E3 FF000000 and ebx,0FF
00401256 . 33C3 xor eax,ebx
00401258 . 0305 52304000 add eax,dword ptr ds:[403052]
0040125E . A3 52304000 mov dword ptr ds:[403052],eax
00401263 . 46 inc esi
00401264 . 47 inc edi
00401265 .^ E2 DC loopd short XiaoZi'C.00401243
00401267 . A1 52304000 mov eax,dword ptr ds:[403052]
0040126C . 8B1D 4A304000 mov ebx,dword ptr ds:[40304A]
00401272 . 85DB test ebx,ebx
00401274 . 75 3A jnz short XiaoZi'C.004012B0
00401276 . 8505 4E304000 test dword ptr ds:[40304E],eax
0040127C . 75 32 jnz short XiaoZi'C.004012B0
0040127E . 6A 00 push 0
00401280 . 68 98114000 push XiaoZi'C.00401198 ; ASCII "Yeah"
00401285 . 68 C4114000 push XiaoZi'C.004011C4
0040128A . 6A 00 push 0
0040128C . A1 84384000 mov eax,dword ptr ds:[403884]
00401291 . FFD0 call eax
00401293 . C3 retn
00401294 > 68 9A124000 push XiaoZi'C.0040129A
00401299 . C3 retn
0040129A . 6A 00 push 0
0040129C . 68 9F114000 push XiaoZi'C.0040119F ; ASCII "Error"
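The serial check that posts #9 and #18 disassemble, rewritten here as a C model (added for this thread; not the crackme's own code). It reproduces the three things the listing shows: the name must be at least 6 characters, the two XOR sums live in globals that are never zeroed, and the final comparison at 00401276 is TEST (bitwise AND), not CMP, which is why the prefix-of-table serial from post #11 always passes. Clamping lookups to the 36-byte tables is an assumption added for memory safety; the binary itself reads past them.

```c
/* Model of the XiaoZi'CrackMe serial check, reconstructed from the
 * disassembly at 004011EF..00401293.  Added example, not the crackme's
 * own source.  Reading past the 36-byte tables is clamped here as an
 * assumption; the real binary simply reads whatever follows them. */
#include <stdint.h>
#include <string.h>

static const char TBL1[] = "dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt"; /* ds:[403000] */
static const char TBL2[] = "EdjlfFFklciILlIednelaHgebAMO0oO0ese3"; /* ds:[403025] */

/* Globals mirroring the binary: the two accumulators are never reset,
 * so every attempt adds to what earlier attempts left behind (post #9). */
uint32_t g_sum_name = 0;    /* ds:[40304E] */
uint32_t g_sum_code = 0;    /* ds:[403052] */
uint32_t g_timer_fired = 0; /* ds:[40304A], set to 1 when the 10 s timer fires */

/* The LOOPD at 0040120B / 00401243: XOR each input byte with the table
 * byte at the same index and add the result to the global accumulator. */
static void accumulate(const char *input, const char *table, uint32_t *acc)
{
    size_t len = strlen(input);
    size_t tlen = strlen(table);
    for (size_t i = 0; i < len && i < tlen; i++)
        *acc += (uint8_t)input[i] ^ (uint8_t)table[i];
}

/* Returns 1 where the crackme shows "Yeah", 0 where it shows "Error". */
int check_serial(const char *name, const char *code)
{
    if (strlen(name) < 6)          /* 004011F4: cmp eax,6 / jl Error */
        return 0;
    accumulate(name, TBL1, &g_sum_name);
    accumulate(code, TBL2, &g_sum_code);
    if (g_timer_fired)             /* 00401272: test ebx,ebx / jnz Error */
        return 0;
    /* 00401276: test [40304E],eax / jnz Error.  TEST ANDs the two sums,
     * so the check passes whenever they share no set bits; a serial
     * that is a prefix of TBL2 keeps g_sum_code at 0 and always passes. */
    return (g_sum_name & g_sum_code) == 0;
}

void reset_globals(void)
{
    g_sum_name = g_sum_code = g_timer_fired = 0;
}
```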
#19
#include <iostream>
#include <string>
#include <cstring>
using namespace std;

// Lookup tables taken from the crackme (36 characters each);
// a name longer than 36 characters would index past them
string tmp1 = "dXqdkkjRg3jCnifESjelsJlkeNNGediWPRrt";
string tmp2 = "EdjlfFFklciILlIednelaHgebAMO0oO0ese3";
int tmp = 0, tmp0 = 0;   // accumulated XOR sums for the name and for the serial

int main()
{
    char name[255], code[255];
    cin >> name;
    cout << name << endl;
    size_t len = strlen(name);
    // Build the serial: code[i] = name[i] ^ tmp1[i] ^ tmp2[i],
    // so that code[i] ^ tmp2[i] == name[i] ^ tmp1[i] for every i
    for (size_t i = 0; i < len; i++)
    {
        tmp += name[i] ^ tmp1[i];
        code[i] = name[i] ^ tmp1[i] ^ tmp2[i];
        cout << code[i];
    }
    cout << endl;
    // Re-check: the serial's sum against tmp2 must come out equal to tmp
    for (size_t i = 0; i < len; i++)
    {
        tmp0 += code[i] ^ tmp2[i];
        cout << code[i];
    }
    cout << endl << tmp << endl << tmp0 << endl;
    return 0;
}
#20
I thought everyone here was an expert and nobody would be interested in this; I didn't expect such enthusiasm. It's an affirmation of my work, thanks everyone for taking part~~!
#22
Seeing the analyses from the masters, I'm floored. Amazing.
#23
Digging up a ten-year-old thread.
#24
Quite a few veterans above.
#25
...Why don't I sense any anti-debugging at all? It's so old that a plugin is probably defeating the anti-debugging.