Post 2
The code is as follows:
004096A2 /$ 56 PUSH ESI
004096A3 |. 57 PUSH EDI
004096A4 |. C8 040000 ENTER 4,0
004096A8 |. 50 PUSH EAX
004096A9 |. 89D7 MOV EDI,EDX
004096AB |. 89DE MOV ESI,EBX
004096AD |. 89CB MOV EBX,ECX
004096AF |. 68 02030000 PUSH 302 ; /MemSize = 302 (770.)
004096B4 |. 6A 42 PUSH 42 ; |Flags = GHND
004096B6 |. 2E:FF15 E8514>CALL DWORD PTR CS:[<&kernel32.GlobalAlloc>] ; \GlobalAlloc
004096BD |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004096C0 |. 50 PUSH EAX ; /hMem
004096C1 |. 2E:FF15 F0514>CALL DWORD PTR CS:[<&kernel32.GlobalLock>] ; \GlobalLock
004096C8 |. 89C1 MOV ECX,EAX
004096CA |. 89FA MOV EDX,EDI
004096CC |. E8 EFDC0000 CALL de_RARmi.004173C0
004096D1 |. 8D81 00010000 LEA EAX,DWORD PTR DS:[ECX+100]
004096D7 |. 89F2 MOV EDX,ESI
004096D9 |. E8 E2DC0000 CALL de_RARmi.004173C0
004096DE |. 8DB1 00020000 LEA ESI,DWORD PTR DS:[ECX+200]
004096E4 |. 89DA MOV EDX,EBX
004096E6 |. 89F0 MOV EAX,ESI
004096E8 |. E8 D3DC0000 CALL de_RARmi.004173C0
004096ED |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
004096F0 |. 66:8981 00030>MOV WORD PTR DS:[ECX+300],AX
004096F7 |. 51 PUSH ECX ; /lParam
004096F8 |. 68 19954000 PUSH de_RARmi.00409519 ; |DlgProc = de_RARmi.00409519
004096FD |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |hOwner
00409700 |. 68 99D34300 PUSH de_RARmi.0043D399 ; |pTemplate = "INPUT"
00409705 |. 6A 00 PUSH 0 ; |/pModule = NULL
00409707 |. 2E:FF15 A0514>CALL DWORD PTR CS:[<&kernel32.GetModuleHand>; |\GetModuleHandleA
0040970E |. 50 PUSH EAX ; |hInst
0040970F |. 2E:FF15 18534>CALL DWORD PTR CS:[<&user32.DialogBoxParamA>; \DialogBoxParamA
00409716 |. 89C7 MOV EDI,EAX
00409718 |. 83F8 01 CMP EAX,1
0040971B |. 75 0D JNZ SHORT de_RARmi.0040972A
0040971D |. 85DB TEST EBX,EBX
0040971F |. 74 09 JE SHORT de_RARmi.0040972A
00409721 |. 89F2 MOV EDX,ESI
00409723 |. 89D8 MOV EAX,EBX
00409725 |. E8 96DC0000 CALL de_RARmi.004173C0
0040972A |> 83FF FF CMP EDI,-1
0040972D |. 75 05 JNZ SHORT de_RARmi.00409734
0040972F |. BF 02000000 MOV EDI,2
00409734 |> FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /hMem
00409737 |. 2E:FF15 F8514>CALL DWORD PTR CS:[<&kernel32.GlobalUnlock>>; \GlobalUnlock
0040973E |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /hMem
00409741 |. 2E:FF15 EC514>CALL DWORD PTR CS:[<&kernel32.GlobalFree>] ; \GlobalFree
00409748 |. 89F8 MOV EAX,EDI
0040974A |. C9 LEAVE
0040974B |. 5F POP EDI
0040974C |. 5E POP ESI
0040974D \. C2 0400 RETN 4
00409750 /$ 53 PUSH EBX
00409751 |. 56 PUSH ESI
00409752 |. 57 PUSH EDI
00409753 |. C8 000100 ENTER 100,0
00409757 |. B9 40000000 MOV ECX,40
0040975C |. 8DBD 00FFFFFF LEA EDI,DWORD PTR SS:[EBP-100]
00409762 |. BE D0FD4300 MOV ESI,de_RARmi.0043FDD0
00409767 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[E>
00409769 |. 68 00010000 PUSH 100 ; /Arg1 = 00000100
0040976E |. A1 C4674400 MOV EAX,DWORD PTR DS:[4467C4] ; |
00409773 |. 8B98 A4050000 MOV EBX,DWORD PTR DS:[EAX+5A4] ; |
00409779 |. 8BB0 A0050000 MOV ESI,DWORD PTR DS:[EAX+5A0] ; |
0040977F |. 2E:FF15 6C534>CALL DWORD PTR CS:[<&user32.GetFocus>] ; |[GetFocus
00409786 |. 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100] ; |
0040978C |. 89F2 MOV EDX,ESI ; |
0040978E |. E8 0FFFFFFF CALL de_RARmi.004096A2 ; \de_RARmi.004096A2
00409793 |. 83F8 01 CMP EAX,1
00409796 |. 75 68 JNZ SHORT de_RARmi.00409800
00409798 |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
0040979E |. E8 5CFBFFFF CALL de_RARmi.004092FF
004097A3 |. 85C0 TEST EAX,EAX
—— The Crack Tutorial says "TEST: test (ANDs the two operands, modifies only the flags, does not write the result back)". But I found that after TEST executes, the flags did not change at all. Then again, EAX was already 0 before TEST executed.
004097A5 |. 75 37 JNZ SHORT de_RARmi.004097DE
—— Which register do JZ and JNZ actually branch on? The Crack Tutorial says they branch on the Z flag, but it seems like they should branch on the value of EAX?
004097A7 |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
004097AD |. E8 85FCFFFF CALL de_RARmi.00409437
004097B2 |. 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004097B4 |. A1 C4674400 MOV EAX,DWORD PTR DS:[4467C4] ; |
004097B9 |. FFB0 A0050000 PUSH DWORD PTR DS:[EAX+5A0] ; |Title
004097BF |. FFB0 A8050000 PUSH DWORD PTR DS:[EAX+5A8] ; |Text
004097C5 |. 2E:FF15 6C534>CALL DWORD PTR CS:[<&user32.GetFocus>] ; |[GetFocus
004097CC |. 50 PUSH EAX ; |hOwner
004097CD |. 2E:FF15 C8534>CALL DWORD PTR CS:[<&user32.MessageBoxA>] ; \MessageBoxA
—— After setting a breakpoint here, pressing F9 pops up a MessageBox, but with F8 it will not step any further.
004097D4 |. B8 01000000 MOV EAX,1
004097D9 |. C9 LEAVE
004097DA |. 5F POP EDI
004097DB |. 5E POP ESI
004097DC |. 5B POP EBX
004097DD |. C3 RETN
004097DE |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004097E0 |. A1 C4674400 MOV EAX,DWORD PTR DS:[4467C4] ; |
004097E5 |. FFB0 A0050000 PUSH DWORD PTR DS:[EAX+5A0] ; |Title
004097EB |. FFB0 AC050000 PUSH DWORD PTR DS:[EAX+5AC] ; |Text
004097F1 |. 2E:FF15 6C534>CALL DWORD PTR CS:[<&user32.GetFocus>] ; |[GetFocus
004097F8 |. 50 PUSH EAX ; |hOwner
004097F9 |. 2E:FF15 C8534>CALL DWORD PTR CS:[<&user32.MessageBoxA>] ; \MessageBoxA
00409800 |> 31C0 XOR EAX,EAX
00409802 |. C9 LEAVE
00409803 |. 5F POP EDI
00409804 |. 5E POP ESI
00409805 |. 5B POP EBX
00409806 \. C3 RETN
Post 3
I wanted to crack a 4-character RAR password, but unfortunately this software can only crack 3 characters unless it is registered. So it was a good chance to try out my cracking skills again. Unpacked it, bp MessageBox, it broke; changing the JE to JNE makes it display "registration successful", but unfortunately it still won't do the computation for you. I don't know what other tricks there are; would some expert please give a pointer or two.