Post #3
I saw the algorithm compare "kyc[DFCG]" against some string and then jump straight to the failure; it never checks the text I entered. Hardware breakpoints show the same thing.
Is this normal, or is something else going on here?
Post #4
004010E9 8D4C24 2C lea ecx,dword ptr ss:[esp+2C] // Changing this 2C to 08 also shows the success message, but afterwards the error message still appears; I don't know why.
004010ED . 51 push ecx ; /String2
004010EE . 68 A8504000 push CRACKME1.004050A8 ; |String1 = "kyc[DFCG]"
004010F3 . FF15 00404000 call dword ptr ds:[<&KERNEL32.lstr>; \lstrcmpA
It seems the name and CODE that were entered are never processed at all, and the final comparison is baffling. Could the OP give everyone a hint? Can a keygen actually be written for this? Is it a keygen or a patch?
Post #5
Originally posted by cracklover: It seems the name and CODE that were entered are never processed at all, and the final comparison is baffling. Could the OP give everyone a hint? Can a keygen actually be written for this? Is it a keygen or a patch?
........
Looks like it's a patcher.
I set hardware breakpoints on the serial string and the name string, and nothing fired.
Single-stepped through many times with no result either; nothing special shows up in IDA, and OD shows it's single-threaded.
Post #6
W32Dasm analysis
:0040101D 90 nop
:0040101E 90 nop
:0040101F 90 nop
:00401020 83EC74 sub esp, 00000074
:00401023 57 push edi
:00401024 B913000000 mov ecx, 00000013
:00401029 33C0 xor eax, eax
:0040102B 8D7C2429 lea edi, dword ptr [esp+29]
:0040102F C644242800 mov [esp+28], 00
:00401034 668B15B0504000 mov dx, word ptr [004050B0]
:0040103B F3 repz
:0040103C AB stosd
:0040103D 66AB stosw
:0040103F 8B0DAC504000 mov ecx, dword ptr [004050AC]
:00401045 668954240C mov word ptr [esp+0C], dx
:0040104A AA stosb
:0040104B A1A8504000 mov eax, dword ptr [004050A8]
:00401050 894C2408 mov dword ptr [esp+08], ecx
:00401054 89442404 mov dword ptr [esp+04], eax
:00401058 8B842480000000 mov eax, dword ptr [esp+00000080]
:0040105F 2D10010000 sub eax, 00000110
:00401064 66C744240E0000 mov [esp+0E], 0000
:0040106B 0F84D8000000 je 00401149
:00401071 48 dec eax
:00401072 0F85D1000000 jne 00401149
:00401078 8B842484000000 mov eax, dword ptr [esp+00000084]
:0040107F 663D0100 cmp ax, 0001
:00401083 0F85AD000000 jne 00401136
:00401089 8B7C247C mov edi, dword ptr [esp+7C]
:0040108D 56 push esi
* Reference To: USER32.GetDlgItemTextA, Ord:0104h ///////--> looks like the breakpoint should go on GetDlgItemTextA
|
:0040108E 8B35AC404000 mov esi, dword ptr [004040AC]
:00401094 8D442420 lea eax, dword ptr [esp+20]
:00401098 6A0C push 0000000C
:0040109A 50 push eax
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E8, ""
|
:0040109B 68E8030000 push 000003E8
:004010A0 57 push edi
:004010A1 FFD6 call esi
:004010A3 8D4C2414 lea ecx, dword ptr [esp+14]
:004010A7 6800020000 push 00000200
:004010AC 51 push ecx
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, ""
|
:004010AD 68E9030000 push 000003E9
:004010B2 57 push edi
:004010B3 FFD6 call esi
:004010B5 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010CF(C)
|
:004010B7 8A4C0408 mov cl, byte ptr [esp+eax+08]
:004010BB 8A9030504000 mov dl, byte ptr [eax+00405030]
:004010C1 F6D1 not cl
:004010C3 22CA and cl, dl
:004010C5 02C8 add cl, al
:004010C7 884C0414 mov byte ptr [esp+eax+14], cl
:004010CB 40 inc eax
:004010CC 83F80C cmp eax, 0000000C
:004010CF 72E6 jb 004010B7
:004010D1 8D542414 lea edx, dword ptr [esp+14]
:004010D5 8D44242C lea eax, dword ptr [esp+2C]
:004010D9 52 push edx
* Possible StringData Ref from Data Obj ->"%ld"
|
:004010DA 68A4504000 push 004050A4
:004010DF 50 push eax
* Reference To: USER32.wsprintfA, Ord:02ACh
|
:004010E0 FF1598404000 Call dword ptr [00404098]
:004010E6 83C40C add esp, 0000000C
:004010E9 8D4C242C lea ecx, dword ptr [esp+2C]
:004010ED 51 push ecx
* Possible StringData Ref from Data Obj ->"kyc[DFCG]"
|
:004010EE 68A8504000 push 004050A8
* Reference To: KERNEL32.lstrcmpA, Ord:02FCh
|
:004010F3 FF1500404000 Call dword ptr [00404000]
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:004010F9 8B359C404000 mov esi, dword ptr [0040409C]
:004010FF 85C0 test eax, eax
:00401101 7512 jne 00401115
:00401103 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"你是"
|
:00401105 689C504000 push 0040509C
* Possible StringData Ref from Data Obj ->"高手!"
|
:0040110A 6894504000 push 00405094
:0040110F 6A00 push 00000000
:00401111 FFD6 call esi
:00401113 EB08 jmp 0040111D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401113(U)
|
:0040111D 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"你"
|
:0040111F 6890504000 push 00405090
* Possible StringData Ref from Data Obj ->"错了!"
-----------------------------------------------------
Load it in OD, ignore all exceptions, enter bp GetDlgItemTextA on the command line, F9 to run, and the registration window pops up
name:encoder
code:123456789
Click OK and it breaks; Ctrl+F9 returns here
00401094 . 8D4424 20 lea eax,dword ptr ss:[esp+20]
00401098 . 6A 0C push 0C ; /Count = C (12.)
0040109A . 50 push eax ; |Buffer
0040109B . 68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
004010A0 . 57 push edi ; |hWnd
004010A1 . FFD6 call esi ; \GetDlgItemTextA
004010A3 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004010A7 . 68 00020000 push 200 ; /Count = 200 (512.)
004010AC . 51 push ecx ; |Buffer
004010AD . 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
004010B2 . 57 push edi ; |hWnd
004010B3 . FFD6 call esi ; \GetDlgItemTextA
004010B5 . 33C0 xor eax,eax
004010B7 > 8A4C04 08 mov cl,byte ptr ss:[esp+eax+8] ; take kyc[DFCG] byte by byte
004010BB . 8A90 30504000 mov dl,byte ptr ds:[eax+405030] ;\\\
004010C1 . F6D1 not cl ; computation
004010C3 . 22CA and cl,dl ;
004010C5 . 02C8 add cl,al ;///
004010C7 . 884C04 14 mov byte ptr ss:[esp+eax+14],cl
004010CB . 40 inc eax
004010CC . 83F8 0C cmp eax,0C
004010CF .^ 72 E6 jb short CRACKME1.004010B7
004010D1 . 8D5424 14 lea edx,dword ptr ss:[esp+14]
004010D5 . 8D4424 2C lea eax,dword ptr ss:[esp+2C]
004010D9 . 52 push edx ; /<%ld> = 12FA40 (1243712.)
004010DA . 68 A4504000 push CRACKME1.004050A4 ; |Format = "%ld"
004010DF . 50 push eax ; |s
004010E0 . FF15 98404000 call dword ptr ds:[<&USER32.wspri>; \wsprintfA
004010E6 . 83C4 0C add esp,0C
004010E9 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
004010ED . 51 push ecx ; /String2=1243712
004010EE . 68 A8504000 push CRACKME1.004050A8 ; |String1 = "kyc[DFCG]"
004010F3 . FF15 00404000 call dword ptr ds:[<&KERNEL32.lst>; \lstrcmpA /// compare for equality
004010F9 . 8B35 9C404000 mov esi,dword ptr ds:[<&USER32.Me>; USER32.MessageBoxA
004010FF . 85C0 test eax,eax
00401101 . 75 12 jnz short CRACKME1.00401115 ; patch point
00401103 . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401105 . 68 9C504000 push CRACKME1.0040509C ; |Title = "你是"
0040110A . 68 94504000 push CRACKME1.00405094 ; |Text = "高手!"
0040110F . 6A 00 push 0 ; |hOwner = NULL
00401111 . FFD6 call esi ; \MessageBoxA
00401113 . EB 08 jmp short CRACKME1.0040111D
00401115 > 6A 30 push 30 ; /BeepType = MB_ICONEXCLAMATION
00401117 . FF15 A0404000 call dword ptr ds:[<&USER32.Messa>; \MessageBeep
0040111D > 6A 00 push 0
0040111F . 68 90504000 push CRACKME1.00405090
00401124 . 68 88504000 push CRACKME1.00405088
00401129 . 57 push edi
0040112A . FFD6 call esi
0040112C . 5E pop esi
0040112D . 33C0 xor eax,eax
0040112F . 5F pop edi
00401130 . 83C4 74 add esp,74
00401133 . C2 1000 retn 10
00401136 > 66:3D 0200 cmp ax,2
0040113A . 75 0D jnz short CRACKME1.00401149
0040113C . 8B5424 7C mov edx,dword ptr ss:[esp+7C]
00401140 . 6A 00 push 0 ; /Result = 0
00401142 . 52 push edx ; |hWnd
00401143 . FF15 A4404000 call dword ptr ds:[<&USER32.EndDi>; \EndDialog
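To make the listing above easier to follow, here is a C model of the check routine (004010B5 to 0040112A) written as an added illustration; it is not code from the thread or from the CrackMe. The 12 bytes at 00405030 are not shown on the page, so a constructed placeholder table is used, and the function names (transform, crackme_check, message_boxes) are mine. The point it demonstrates is the one the listing implies: the loop reads the constant "kyc[DFCG]" rather than the user's input, wsprintfA is handed the address of the result buffer as its %ld argument (OD shows it as 1243712, i.e. 0x12FA40), so lstrcmpA compares "kyc[DFCG]" against a decimal number and can never match, and both branches converge on the "错了!" message box at 0040111D. That accounts for the observations in posts #3, #4 and #9.

```c
/* Added illustration (not code from the thread): C model of the CRACKME1
 * check at 004010B5..0040112A as listed in post #6.  TABLE is a constructed
 * placeholder for the bytes at 00405030; its contents do not change the
 * outcome, because the comparison never looks at the transformed bytes. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 12   /* loop bound at 004010CC: cmp eax, 0C */

/* "kyc[DFCG]" as placed at [esp+4..esp+F] by 00401054..00401064:
 * nine characters followed by zero padding up to 12 bytes. */
static const char KEY[KEY_LEN] = "kyc[DFCG]";

/* Constructed placeholder for the 12 bytes at 00405030 (not on the page). */
static const uint8_t TABLE[KEY_LEN] = {
    0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87, 0x98, 0xA9, 0xBA, 0xCB };

/* Loop 004010B7..004010CF: cl = key[i]; not cl; and cl,table[i]; add cl,i.
 * The result is written to [esp+14], overwriting the code the user typed
 * into that buffer via GetDlgItemTextA(hwnd, 3E9, ...). */
void transform(uint8_t out[KEY_LEN]) {
    for (unsigned i = 0; i < KEY_LEN; i++)
        out[i] = (uint8_t)(((uint8_t)~KEY[i] & TABLE[i]) + i);
}

/* 004010D1..004010F3: edx = lea [esp+14]; wsprintfA(buf, "%ld", edx);
 * lstrcmpA("kyc[DFCG]", buf).  The ADDRESS of the transformed buffer is
 * formatted, not its bytes.  Returns the lstrcmp result: 0 means match. */
int crackme_check(const char *name, const char *code, char formatted[32]) {
    uint8_t buf[KEY_LEN];
    (void)name;   /* read into [esp+20] at 004010A1, never used afterwards */
    (void)code;   /* read into [esp+14] at 004010B3, then overwritten by the loop */
    transform(buf);
    snprintf(formatted, 32, "%ld", (long)(uintptr_t)buf);  /* pointer, as in the listing */
    return strcmp("kyc[DFCG]", formatted);
}

/* 1 if s is the decimal rendering of an integer, which is all "%ld" can produce. */
int is_decimal_string(const char *s) {
    if (*s == '-') s++;
    if (!*s) return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Control flow after the compare (004010FF..0040112A): on a match the "高手!"
 * box is shown and execution jumps to 0040111D; on a mismatch MessageBeep runs
 * and falls through to 0040111D.  Either way the "错了!" box is shown.
 * Fills shown[] with the box texts in order and returns how many appear. */
int message_boxes(int cmp_result, const char *shown[2]) {
    int n = 0;
    if (cmp_result == 0) shown[n++] = "高手!";
    shown[n++] = "错了!";   /* reached from both paths */
    return n;
}

int main(void) {
    char formatted[32];
    const char *shown[2];
    /* inputs used in post #6 */
    int r = crackme_check("encoder", "123456789", formatted);
    int n = message_boxes(r, shown);
    printf("lstrcmpA(\"kyc[DFCG]\", \"%s\") -> %s; %d box(es), last: %s\n",
           formatted, r ? "mismatch" : "match", n, shown[n - 1]);
    return 0;
}
```

Run it with any name and code and the formatted string is always a decimal number, so the compare never succeeds without patching; forcing cmp_result to 0 (what the jnz patch at 00401101 does) adds the "高手!" box but still ends with "错了!", exactly as post #9 describes.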
Post #7
Sorry, I've since changed the source into a different CrackMe.
Honestly, cracking it to this point is enough.
There is one more CrackMe for anyone interested to crack.
On success it shows "你是高手" ("you're an expert").
Post #8
I don't understand why "你错了" ("you're wrong") is split into two strings, and "你是高手" as well. All I know how to do is patch!!! I can only patch the ones that pop up an error window.
Post #9
Why is it that after I patched it, I entered 1 and 1 and it popped up "expert", then when I clicked OK it popped up "wrong!!" again? Why?!
Post #12
This thing can only be patched; there is no registration code at all, and no matter what you do the "you're wrong" message appears. This CrackMe is buggy.
Post #14
What exactly was discussed here? Can't the one above be cracked???? How is the registration code computed?
I also only got as far as the step pendan2001 reached.