[Original] Posting a medium-to-high difficulty CrackMe, let's see who can crack it
Posted on: 2009-10-24 12:03 9659


After several days I have finally finished writing this CrackMe. For some of the experts it may be easy, so please don't laugh. Beginners and newbies should find it hard to crack; anyone who wants a challenge can give it a try.
    1. Not packed, import table not modified
    2. Has a certain amount of anti-debugging capability
    3. Cracking the registration code is quite difficult; patching (brute-force cracking) is the main route
    4. If you crack the registration code, please reply with the code
    5. If you patch it, please upload an attachment, because the registration code I provide below also gets into the interface, and a screenshot of the interface alone cannot prove whether it was patched
    6. Experts who crack it, please post your cracking process, thanks.

A set of reference registration codes:

w+WfnhqrasT6ZIRJMs1UKBAahI3XeY5uGumgsa2MygwapvFjjjZxBcXmLRI3/0gkVA/xjSkGz0xDkXatHHcYGBkeMliN4BtCtiSj0chWoUX5ujFK6skG6SLYKQ4PnV8sbXNDdqTXBPYAjS6cujddDR8adKkxAI2MnQlxT2JxYTZ2ajEPo0/yUv+iTUS6W4cEcDwiCmX+lcu/gMRd1UbZHh7qOIIeirp5R3NxxwHEgSJnpLi147NSoTdo2G39Rqkr



Latest replies (14)
2
A Lobster production, guaranteed to be top-notch... let's take a look..
2009-10-24 12:54
JDF
3
My first post.. dedicated to Brother Xia!
2009-10-24 12:57
4
Haha, isn't this Brother Xia from the group?
      Don't worry, there are plenty of experts on Pediy, someone will crack it soon
2009-10-24 13:47
5
Heh, this time I am still fairly confident
2009-10-24 14:06
6
I set a message breakpoint on the register button and it still ran away; I have the feeling the code is encrypted,
2009-10-25 12:05
7
Downloading it to take a look; I'm a newbie, but I like a challenge!
2009-10-25 13:12
8
The code is indeed encrypted in several places, with multiple layers of protection
2009-10-25 13:32
9
Wow,,, still nobody can crack it,,,
I have only broken through the 5-second limit. IsDebuggerPresent can be bypassed with OD's HideOD feature, but I still haven't found the actual verification check.
Load the CM in OD, find where the CM calls CreateThread, set a breakpoint on the thread address at that point, F9 to run.
You can see several places here calling GetTickCount and comparing the before/after times; NOP out a few of them, so that when
the main thread does PostThreadMessage, it calls WaitForSingleObject to wait 4 seconds for the worker thread to decrypt the encrypted code below; then further down:
004032CA  |. /74 51         je      short 0040331D
004032CC  |. |6A 00         push    0                                ; /EventName = NULL
004032CE  |. |6A 00         push    0                                ; |InitiallySignaled = FALSE
004032D0  |. |6A 01         push    1                                ; |ManualReset = TRUE
004032D2  |. |6A 00         push    0                                ; |pSecurity = NULL
004032D4  |. |FF15 B4624300 call    dword ptr [<&KERNEL32.CreateEven>; \CreateEventW
004032DA  |. |8985 68FEFFFF mov     dword ptr [ebp-198], eax
004032E0  |. |68 39300000   push    3039                             ; /lParam = 3039
004032E5  |. |8B85 68FEFFFF mov     eax, dword ptr [ebp-198]         ; |
004032EB  |. |50            push    eax                              ; |wParam
004032EC  |. |68 01040000   push    401                              ; |Message = WM_USER+1
004032F1  |. |8B0D A49C4400 mov     ecx, dword ptr [449CA4]          ; |
004032F7  |. |51            push    ecx                              ; |ThreadId => F90
004032F8  |. |FF15 34644300 call    dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageW ; wait for the thread to decrypt the code below
004032FE  |. |68 A00F0000   push    0FA0                             ; /Timeout = 4000. ms
00403303  |. |8B95 68FEFFFF mov     edx, dword ptr [ebp-198]         ; |
00403309  |. |52            push    edx                              ; |hObject
0040330A  |. |FF15 B0624300 call    dword ptr [<&KERNEL32.WaitForSin>; \WaitForSingleObject
00403310  |. |8B85 68FEFFFF mov     eax, dword ptr [ebp-198]
00403316  |. |50            push    eax                              ; /hObject = 000000B4 (window)
00403317  |. |FF15 AC624300 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle

CTRL+A to analyse the decrypted code, set a breakpoint at 00403316, F8 to:
00403423  |.  89A5 9CFDFFFF mov     dword ptr [ebp-264], esp
00403429  |.  8D85 6CFEFFFF lea     eax, dword ptr [ebp-194]
0040342F  |.  50            push    eax
00403430  |.  E8 AB030000   call    004037E0
00403435  |.  8985 70FDFFFF mov     dword ptr [ebp-290], eax
0040343B  |.  68 B49C4400   push    00449CB4
00403440  |.  E8 FBF2FFFF   call    00402740 ; this should be the verification part
00403445  |.  8985 6CFDFFFF mov     dword ptr [ebp-294], eax
0040344B  |.  83BD 6CFDFFFF>cmp     dword ptr [ebp-294], 0
00403452      0F84 E1000000 je      00403539

Breakpoints have to go inside the functions called from the encrypted code; setting a breakpoint on the encrypted code itself, or changing the verification jump, is not possible.
F7 into 00402740, F8 trace to
0040278B   .  8B8424 B40300>mov     eax, dword ptr [esp+3B4] ; the user-entered registration code
00402792   .  8178 F4 00010>cmp     dword ptr [eax-C], 100 ;  [eax-C] is the length of the user-entered registration code, compared with 256
00402799      74 2E         je      short 004027C9 ; if the length is not 256, set eax=0 and leave the verification part

After a round of computation we arrive at the following:
0040343B  |.  68 B49C4400   push    00449CB4
00403440  |.  E8 FBF2FFFF   call    00402740
00403445  |.  8985 6CFDFFFF mov     dword ptr [ebp-294], eax
0040344B  |.  83BD 6CFDFFFF>cmp     dword ptr [ebp-294], 0
00403452  |.  0F84 E1000000 je      00403539 ; key jump: if not 1, jumps into the code that displays "Error Password!"
00403458  |.  8DB5 B4FDFFFF lea     esi, dword ptr [ebp-24C]
0040345E  |.  E8 7DE9FFFF   call    00401DE0

This je cannot simply be modified, otherwise things break when the code is loaded, run and decrypted; so go into the earlier CALL at 00403440 and modify it as follows:
00402740 $ 6A FF push -1
00402742 . 68 53584300 push 00435853
00402747 . 64:A1 0000000>mov eax, dword ptr fs:[0]
0040274D . 50 push eax
0040274E . 81EC 8C030000 sub esp, 38C
00402754 . A1 40564400 mov eax, dword ptr [445640]
00402759 . 33C4 xor eax, esp
0040275B . 898424 880300>mov dword ptr [esp+388], eax
00402762 . 53 push ebx
00402763 . 55 push ebp
00402764 . 56 push esi
00402765 . 57 push edi
00402766 . A1 40564400 mov eax, dword ptr [445640]
0040276B . 33C4 xor eax, esp
0040276D . 50 push eax
0040276E . 8D8424 A00300>lea eax, dword ptr [esp+3A0]
00402775 . 64:A3 0000000>mov dword ptr fs:[0], eax
0040277B . 8BAC24 B00300>mov ebp, dword ptr [esp+3B0]
00402782 . 33DB xor ebx, ebx
00402784 . 899C24 A80300>mov dword ptr [esp+3A8], ebx
0040278B . 8B8424 B40300>mov eax, dword ptr [esp+3B4]
00402792 . 8178 F4 00010>cmp dword ptr [eax-C], 100
00402799 . EB 2E jmp short 004027C9 ; this must be changed to jmp to skip the JMP at 004027C4 below
0040279B . C78424 A80300>mov dword ptr [esp+3A8], -1
004027A6 > 83C0 F0 add eax, -10
004027A9 . 8D48 0C lea ecx, dword ptr [eax+C]
004027AC . 83CA FF or edx, FFFFFFFF
004027AF . F0:0FC111 lock xadd dword ptr [ecx], edx
004027B3 . 4A dec edx
004027B4 . 85D2 test edx, edx
004027B6 . 7F 0A jg short 004027C2
004027B8 . 8B08 mov ecx, dword ptr [eax]
004027BA . 8B11 mov edx, dword ptr [ecx]
004027BC . 50 push eax
004027BD . 8B42 04 mov eax, dword ptr [edx+4]
004027C0 . FFD0 call eax
004027C2 > 33C0 xor eax, eax
004027C4 . E9 80020000 jmp 00402A49 ; this JMP skips the final chance at 00402A44 to set eax=1, hence the change above
004027C9 > 50 push eax
004027CA . 8D4C24 18 lea ecx, dword ptr [esp+18]
004027CE . E8 6D030000 call 00402B40
004027D3 . C68424 A80300>mov byte ptr [esp+3A8], 1
004027DB . 8B4C24 14 mov ecx, dword ptr [esp+14]
004027DF . 8379 FC 01 cmp dword ptr [ecx-4], 1
004027E3 . 7E 11 jle short 004027F6
004027E5 . 8B49 F4 mov ecx, dword ptr [ecx-C]
004027E8 . 51 push ecx
004027E9 . 8D4C24 18 lea ecx, dword ptr [esp+18]
004027ED . E8 7E040000 call 00402C70
004027F2 . 8B4C24 14 mov ecx, dword ptr [esp+14]
004027F6 > 8D8424 DC0200>lea eax, dword ptr [esp+2DC]
004027FD . E8 AEF2FFFF call 00401AB0
00402802 . 68 C0C64300 push 0043C6C0 ; /ResourceType = "DAT"
00402807 . 68 85000000 push 85 ; |ResourceName = 85
0040280C . 53 push ebx ; |hModule
0040280D . FF15 BC624300 call dword ptr [<&KERNEL32.FindResour>; \FindResourceW
00402813 . 3BC3 cmp eax, ebx
00402815 . 75 04 jnz short 0040281B
00402817 . 33C0 xor eax, eax
00402819 . EB 0D jmp short 00402828
0040281B > 8D5424 18 lea edx, dword ptr [esp+18]
0040281F . 52 push edx
00402820 . E8 1B2B0000 call 00405340
00402825 . 83C4 04 add esp, 4
00402828 > 837C24 18 20 cmp dword ptr [esp+18], 20
0040282D . 50 push eax
0040282E . 74 46 je short 00402876
00402830 . E8 AA2C0000 call 004054DF
00402835 . 83C4 04 add esp, 4
00402838 > 889C24 A80300>mov byte ptr [esp+3A8], bl
0040283F . 8B4424 14 mov eax, dword ptr [esp+14]
00402843 . 83C0 F0 add eax, -10
00402846 . 8D48 0C lea ecx, dword ptr [eax+C]
00402849 . 83CA FF or edx, FFFFFFFF
0040284C . F0:0FC111 lock xadd dword ptr [ecx], edx
00402850 . 4A dec edx
00402851 . 85D2 test edx, edx
00402853 . 7F 0A jg short 0040285F
00402855 . 8B08 mov ecx, dword ptr [eax]
00402857 . 8B11 mov edx, dword ptr [ecx]
00402859 . 50 push eax
0040285A . 8B42 04 mov eax, dword ptr [edx+4]
0040285D . FFD0 call eax
0040285F > C78424 A80300>mov dword ptr [esp+3A8], -1
0040286A . 8B8424 B40300>mov eax, dword ptr [esp+3B4]
00402871 .^ E9 30FFFFFF jmp 004027A6
00402876 > 8BF0 mov esi, eax
00402878 . B9 08000000 mov ecx, 8
0040287D . 8DBC24 600200>lea edi, dword ptr [esp+260]
00402884 . F3:A5 rep movs dword ptr es:[edi], dword p>
00402886 . E8 542C0000 call 004054DF
0040288B . 83C4 04 add esp, 4
0040288E . 8D4424 1C lea eax, dword ptr [esp+1C]
00402892 . E8 69E7FFFF call 00401000
00402897 . 8D8424 AC0000>lea eax, dword ptr [esp+AC]
0040289E . E8 5DE7FFFF call 00401000
004028A3 . 8D8424 3C0100>lea eax, dword ptr [esp+13C]
004028AA . E8 51E7FFFF call 00401000
004028AF . 8D8424 CC0100>lea eax, dword ptr [esp+1CC]
004028B6 . E8 45E7FFFF call 00401000
004028BB . 8D8C24 5C0200>lea ecx, dword ptr [esp+25C]
004028C2 . 8D4424 1C lea eax, dword ptr [esp+1C]
004028C6 . E8 E5290000 call 004052B0
004028CB . 8D4C24 18 lea ecx, dword ptr [esp+18]
004028CF . 51 push ecx
004028D0 . 8BD0 mov edx, eax
004028D2 . 52 push edx
004028D3 . 8D8C24 840200>lea ecx, dword ptr [esp+284]
004028DA . 8D9424 E40200>lea edx, dword ptr [esp+2E4]
004028E1 . C74424 20 C00>mov dword ptr [esp+20], 0C0
004028E9 . E8 D22A0000 call 004053C0
004028EE . 85C0 test eax, eax
004028F0 .^ 0F84 42FFFFFF je 00402838
004028F6 . 8D8C24 7C0200>lea ecx, dword ptr [esp+27C]
004028FD . E8 0EF4FFFF call 00401D10
00402902 . 8B9424 D00200>mov edx, dword ptr [esp+2D0]
00402909 . 8B8C24 CC0200>mov ecx, dword ptr [esp+2CC]
00402910 . 8B8424 D40200>mov eax, dword ptr [esp+2D4]
00402917 . 899424 600200>mov dword ptr [esp+260], edx
0040291E . 8D9424 5C0200>lea edx, dword ptr [esp+25C]
00402925 . 898C24 5C0200>mov dword ptr [esp+25C], ecx
0040292C . 8B8C24 D80200>mov ecx, dword ptr [esp+2D8]
00402933 . 52 push edx
00402934 . BA 10000000 mov edx, 10
00402939 . 8DB424 E00200>lea esi, dword ptr [esp+2E0]
00402940 . 898424 680200>mov dword ptr [esp+268], eax
00402947 . 898C24 6C0200>mov dword ptr [esp+26C], ecx
0040294E . C78424 E00200>mov dword ptr [esp+2E0], 0043CD94
00402959 . 899C24 7C0300>mov dword ptr [esp+37C], ebx
00402960 . C78424 E40200>mov dword ptr [esp+2E4], 1
0040296B . 899C24 E80200>mov dword ptr [esp+2E8], ebx
00402972 . E8 E9250000 call 00404F60
00402977 . BF 10000000 mov edi, 10
0040297C . 8D8424 7C0200>lea eax, dword ptr [esp+27C]
00402983 . 33F6 xor esi, esi
00402985 . 2BF8 sub edi, eax
00402987 . EB 07 jmp short 00402990
00402989 . 8DA424 000000>lea esp, dword ptr [esp]
00402990 > 8D8434 7C0200>lea eax, dword ptr [esp+esi+27C]
00402997 . 8D0C07 lea ecx, dword ptr [edi+eax]
0040299A . 83F9 60 cmp ecx, 60
0040299D . 77 17 ja short 004029B6
0040299F . 53 push ebx
004029A0 . 50 push eax
004029A1 . 8D9424 E40200>lea edx, dword ptr [esp+2E4]
004029A8 . 52 push edx
004029A9 . E8 A2260000 call 00405050
004029AE . 83C6 10 add esi, 10
004029B1 . 83FE 60 cmp esi, 60
004029B4 .^ 72 DA jb short 00402990
004029B6 > 8B8424 BC0200>mov eax, dword ptr [esp+2BC]
004029BD . 8B8C24 C00200>mov ecx, dword ptr [esp+2C0]
004029C4 . 8B9424 C40200>mov edx, dword ptr [esp+2C4]
004029CB . 8945 00 mov dword ptr [ebp], eax
004029CE . 8B8424 C80200>mov eax, dword ptr [esp+2C8]
004029D5 . 894D 04 mov dword ptr [ebp+4], ecx
004029D8 . 8D7D 10 lea edi, dword ptr [ebp+10]
004029DB . B9 10000000 mov ecx, 10
004029E0 . 8DB424 7C0200>lea esi, dword ptr [esp+27C]
004029E7 . 8955 08 mov dword ptr [ebp+8], edx
004029EA . F3:A5 rep movs dword ptr es:[edi], dword p>
004029EC . 8945 0C mov dword ptr [ebp+C], eax
004029EF . 889C24 A80300>mov byte ptr [esp+3A8], bl
004029F6 . 8B4424 14 mov eax, dword ptr [esp+14]
004029FA . 83C0 F0 add eax, -10
004029FD . 8D48 0C lea ecx, dword ptr [eax+C]
00402A00 . 83CA FF or edx, FFFFFFFF
00402A03 . F0:0FC111 lock xadd dword ptr [ecx], edx
00402A07 . 4A dec edx
00402A08 . 85D2 test edx, edx
00402A0A . 7F 0A jg short 00402A16
00402A0C . 8B08 mov ecx, dword ptr [eax]
00402A0E . 8B11 mov edx, dword ptr [ecx]
00402A10 . 50 push eax
00402A11 . 8B42 04 mov eax, dword ptr [edx+4]
00402A14 . FFD0 call eax
00402A16 > C78424 A80300>mov dword ptr [esp+3A8], -1
00402A21 . 8B8424 B40300>mov eax, dword ptr [esp+3B4]
00402A28 . 83C0 F0 add eax, -10
00402A2B . 8D48 0C lea ecx, dword ptr [eax+C]
00402A2E . 83CA FF or edx, FFFFFFFF
00402A31 . F0:0FC111 lock xadd dword ptr [ecx], edx
00402A35 . 4A dec edx
00402A36 . 85D2 test edx, edx
00402A38 . 7F 0A jg short 00402A44
00402A3A . 8B08 mov ecx, dword ptr [eax]
00402A3C . 8B11 mov edx, dword ptr [ecx]
00402A3E . 50 push eax
00402A3F . 8B42 04 mov eax, dword ptr [edx+4]
00402A42 . FFD0 call eax
00402A44 > B8 01000000 mov eax, 1
00402A49 > 8B8C24 A00300>mov ecx, dword ptr [esp+3A0]
00402A50 . 64:890D 00000>mov dword ptr fs:[0], ecx
00402A57 . 59 pop ecx
00402A58 . 5F pop edi
00402A59 . 5E pop esi
00402A5A . 5D pop ebp
00402A5B . 5B pop ebx
00402A5C . 8B8C24 880300>mov ecx, dword ptr [esp+388]
00402A63 . 33CC xor ecx, esp
00402A65 . E8 18F30100 call 00421D82
00402A6A . 81C4 98030000 add esp, 398
00402A70 . C2 0800 retn 8


After this modification the je above no longer jumps away; continue with CTRL+F9 to return:
F8 to keep going down:
00403477  |.  E8 A4F2FFFF   call    00402720
0040347C  |.  8B95 58FEFFFF mov     edx, dword ptr [ebp-1A8]
00403482  |.  8915 94984400 mov     dword ptr [449894], edx
00403488  |.  8B85 5CFEFFFF mov     eax, dword ptr [ebp-1A4]
0040348E  |.  A3 98984400   mov     dword ptr [449898], eax
00403493  |.  8B8D 60FEFFFF mov     ecx, dword ptr [ebp-1A0]
00403499  |.  890D 9C984400 mov     dword ptr [44989C], ecx
0040349F  |.  8B95 64FEFFFF mov     edx, dword ptr [ebp-19C]
004034A5  |.  8915 A0984400 mov     dword ptr [4498A0], edx
004034AB  |.  C785 68FDFFFF>mov     dword ptr [ebp-298], 10
004034B5  |.  8D85 58FEFFFF lea     eax, dword ptr [ebp-1A8]
004034BB  |.  8985 64FDFFFF mov     dword ptr [ebp-29C], eax
004034C1  |.  C785 60FDFFFF>mov     dword ptr [ebp-2A0], 00449884
004034CB  |.  EB 27         jmp     short 004034F4
004034CD  |>  8B8D 64FDFFFF /mov     ecx, dword ptr [ebp-29C]
004034D3  |.  8B11          |mov     edx, dword ptr [ecx]
004034D5  |.  8B85 60FDFFFF |mov     eax, dword ptr [ebp-2A0]
004034DB  |.  3910          |cmp     dword ptr [eax], edx
004034DD  |.  75 4F         |jnz     short 0040352E ; always taken when the registration code is wrong
004034DF  |.  83AD 68FDFFFF>|sub     dword ptr [ebp-298], 4
004034E6  |.  8385 64FDFFFF>|add     dword ptr [ebp-29C], 4
004034ED  |.  8385 60FDFFFF>|add     dword ptr [ebp-2A0], 4
004034F4  |>  83BD 68FDFFFF> cmp     dword ptr [ebp-298], 4
004034FB  |.^ 73 D0         \jnb     short 004034CD
004034FD  |.  8B95 74FDFFFF mov     edx, dword ptr [ebp-28C]
00403503  |.  83C2 74       add     edx, 74
00403506  |.  A1 B49C4400   mov     eax, dword ptr [449CB4]
0040350B  |.  8902          mov     dword ptr [edx], eax
0040350D  |.  8B0D B89C4400 mov     ecx, dword ptr [449CB8]
00403513  |.  894A 04       mov     dword ptr [edx+4], ecx
00403516  |.  A1 BC9C4400   mov     eax, dword ptr [449CBC]
0040351B  |.  8942 08       mov     dword ptr [edx+8], eax
0040351E  |.  8B0D C09C4400 mov     ecx, dword ptr [449CC0]
00403524  |.  894A 0C       mov     dword ptr [edx+C], ecx
00403527  |.  C685 43FFFFFF>mov     byte ptr [ebp-BD], 1 ; with a wrong registration code the JNZ above jumps right over this
0040352E  |>  8D8D B4FDFFFF lea     ecx, dword ptr [ebp-24C]
00403534  |.  E8 17E9FFFF   call    00401E50
00403539  |>  0FB695 43FFFF>movzx   edx, byte ptr [ebp-BD]
00403540  |.  85D2          test    edx, edx
00403542  |.  75 4F         jnz     short 00403593 ; so at this point edx=0 and the code that displays "Error Password!" is not skipped
00403544  |.  8B85 74FDFFFF mov     eax, dword ptr [ebp-28C]
0040354A  |.  05 84000000   add     eax, 84
0040354F  |.  50            push    eax
00403550  |.  8D8D A0FDFFFF lea     ecx, dword ptr [ebp-260]
00403556  |.  E8 03B00000   call    0040E55E
0040355B  |.  C645 FC 02    mov     byte ptr [ebp-4], 2
0040355F  |.  6A 01         push    1
00403561  |.  8D8D A0FDFFFF lea     ecx, dword ptr [ebp-260]
00403567  |.  E8 17A90000   call    0040DE83
0040356C  |.  6A 0F         push    0F
0040356E  |.  8D8D 74FEFFFF lea     ecx, dword ptr [ebp-18C]
00403574  |.  51            push    ecx
00403575  |.  6A 00         push    0
00403577  |.  6A 00         push    0
00403579  |.  8D8D A0FDFFFF lea     ecx, dword ptr [ebp-260]
0040357F  |.  E8 8C010000   call    00403710
00403584  |.  C645 FC 01    mov     byte ptr [ebp-4], 1
00403588  |.  8D8D A0FDFFFF lea     ecx, dword ptr [ebp-260]
0040358E  |.  E8 1FB00000   call    0040E5B2
00403593  |>  8D85 9CFEFFFF lea     eax, dword ptr [ebp-164]

For the same reason the decrypted code cannot be modified: although there is an instruction above that sets [ebp-BD] to 1, this cannot be achieved by modifying the decrypted jump code either, so look upward for the nearest CALL, at 00403534, and F7 into it to have a look:
00401E50  /$  C701 BCC64300 mov     dword ptr [ecx], 0043C6BC
00401E56  |.  C685 43FFFFFF>mov     byte ptr [ebp-BD], 1 ; I added this instruction; its purpose is to make [ebp-BD] equal 1, and since there is a pile of int3 below,
it conveniently does not break the integrity of the code
00401E5D  \.  C3            retn
00401E5E      CC            int3
00401E5F      CC            int3

So by adding one instruction inside the CALL, the jnz above is also forced to jump

004027ED   .  E8 7E040000   call    00402C70
004027F2   .  8B4C24 14     mov     ecx, dword ptr [esp+14]
004027F6   >  8D8424 DC0200>lea     eax, dword ptr [esp+2DC]
004027FD   .  E8 AEF2FFFF   call    00401AB0
00402802   .  68 C0C64300   push    0043C6C0                         ; /ResourceType = "DAT"
00402807   .  68 85000000   push    85                               ; |ResourceName = 85
0040280C   .  53            push    ebx                              ; |hModule
0040280D   .  FF15 BC624300 call    dword ptr [<&KERNEL32.FindResour>; \FindResourceW
00402813   .  3BC3          cmp     eax, ebx
00402815   .  75 04         jnz     short 0040281B
00402817   .  33C0          xor     eax, eax
00402819   .  EB 0D         jmp     short 00402828


My guess is that the user-entered password is compared with a password stored in the resources, not sure.

To be continued.....
2009-10-26 10:58
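As an added illustration (not code from this thread or from the CrackMe itself), here is a readable C model of the branch structure traced in the post above: the 0x100 length check in the call at 00402740, the dword-wise 16-byte compare loop at 004034CD, and the [ebp-BD] flag tested at 00403542. The derivation routine is a constructed stand-in; the CrackMe's real transform (resource "DAT"/0x85 and the calls at 004053C0/00404F60/00405050) is not known from the post, and the zero-initialisation of the flag is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN    0x100  /* cmp dword ptr [eax-C], 100 at 00402792 */
#define DIGEST_LEN 0x10   /* compare loop counter starts at 0x10, step 4 */

/* Model of the call at 00402740: reject any input whose length is not 0x100,
 * otherwise derive 16 bytes from it and return 1. The mixing loop below is a
 * constructed placeholder (assumption), not the CrackMe's actual algorithm. */
int derive_digest(const char *input, size_t len, uint8_t out[DIGEST_LEN]) {
    if (len != KEY_LEN)            /* je 004027C9 not taken -> xor eax,eax; jmp 00402A49 */
        return 0;
    uint32_t acc[4] = { 0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u };
    for (size_t i = 0; i < len; i++)
        acc[i & 3] = (acc[i & 3] ^ (uint8_t)input[i]) * 16777619u;
    memcpy(out, acc, DIGEST_LEN);  /* the 16 bytes stored at [ebp], [ebp+4], [ebp+8], [ebp+C] */
    return 1;                      /* mov eax, 1 at 00402A44 */
}

/* Mirrors the loop at 004034CD..004034FB: walk the derived bytes and the constant
 * at 00449884 one dword at a time; the jnz at 004034DD bails out on the first mismatch. */
int digest_matches(const uint8_t *derived, const uint8_t *expected) {
    for (int remaining = DIGEST_LEN; remaining >= 4; remaining -= 4) {
        uint32_t a, b;
        size_t off = (size_t)(DIGEST_LEN - remaining);
        memcpy(&a, derived + off, 4);
        memcpy(&b, expected + off, 4);
        if (a != b)
            return 0;              /* jnz short 0040352E */
    }
    return 1;
}

/* Top-level flow around 00403440..00403542: the flag byte [ebp-BD] starts at 0
 * (assumption) and is set to 1 only after both derivation and comparison succeed. */
int check_registration(const char *input, const uint8_t expected[DIGEST_LEN]) {
    uint8_t digest[DIGEST_LEN];
    int flag = 0;                                      /* byte ptr [ebp-BD] */
    if (derive_digest(input, strlen(input), digest)    /* cmp [ebp-294],0 / je 00403539 */
        && digest_matches(digest, expected))
        flag = 1;                                      /* mov byte ptr [ebp-BD], 1 */
    return flag;                                       /* test edx,edx / jnz 00403593 */
}

int main(void) {
    char key[KEY_LEN + 1];                             /* constructed 256-char sample input */
    memset(key, 'A', KEY_LEN);
    key[KEY_LEN] = '\0';
    uint8_t expected[DIGEST_LEN];
    derive_digest(key, KEY_LEN, expected);             /* stands in for the stored constant */
    printf("256-char key: %d, 255-char key: %d\n",
           check_registration(key, expected), check_registration(key + 1, expected));
    return 0;
}
```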
10
Nice analysis. 4 seconds is the maximum wait time; once decryption finishes it returns immediately
2009-10-26 12:28
11
My analysis above got stuck; I'll watch the experts analyse it. Keep bumping this strong CM
2009-11-5 11:56
12
So many days and still nobody has cracked it; let's end this thread here. I'll make another post writing up how it was written
2009-11-6 12:57
13
Try bp TextOutW.

There is a synchronisation event; I don't know how to debug threads. Hoping someone cracks it.
2009-11-7 21:59
14
It is far from that simple
2009-11-8 13:27
15
Heh, just seeing the registration code made me think it's hard. .~
2009-11-8 20:40