rackMe v.a01 简易 注册号
http://wocy.top263.net/crackme/crackmea01.zip
这个crackme很早就有人cracks可是一时之间又找不出他的破解文章:
好自己试一试:
我在win2000也很早就暴力成功!
String Resource ID=00101: "s?CrakeMe(&A)..."
"Registed. Good job."
"Unregister"
* Reference To: MSVCRT._mbscmp, Ord:0159h
|
:0040165B FF15B0214000 Call dword
ptr [004021B0]
:00401661 83C408
add esp, 00000008
:00401664 85C0
test eax, eax
:00401666 750D
jne 00401675//->je(暴力ok!)
* Possible StringData Ref from Data Obj ->"Registed. Good job."
|
:00401668 682C304000 push
0040302C
:0040166D 8D4E68
lea ecx, dword ptr [esi+68]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:00401670 E853020000 Call
004018C8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401666(C)
|
:00401675 6A00
push 00000000
:00401677 8BCE
mov ecx, esi
* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
|
:00401679 E85C020000 Call
004018DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040163D(C)
|
:0040167E 8D4C2404
lea ecx, dword ptr [esp+04]
:00401682 C7442410FFFFFFFF mov [esp+10], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040168A E861010000 Call
004017F0
:0040168F 8B4C2408
mov ecx, dword ptr [esp+08]
:00401693 5E
pop esi
:00401694 64890D00000000 mov dword ptr fs:[00000000],
ecx
:0040169B 83C410
add esp, 00000010
:0040169E C3
ret
:0040169F 90
nop
:004016A0 56
push esi
:004016A1 8BF1
mov esi, ecx
:004016A3 680C314000 push
0040310C
:004016A8 8D4E60
lea ecx, dword ptr [esi+60]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004016AB E818020000 Call
004018C8
:004016B0 680C314000 push
0040310C
:004016B5 8D4E64
lea ecx, dword ptr [esi+64]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004016B8 E80B020000 Call
004018C8
* Possible StringData Ref from Data Obj ->"Unregister"
|
:004016BD 6820304000 push
00403020
:004016C2 8D4E68
lea ecx, dword ptr [esi+68]
从汇编可知它是先跳过正确窗再运行错误窗,所以我很早就想破解它应该从中正确窗
入手比较好!
:0040165B FF15B0214000 Call dword
ptr [004021B0]
看过几篇教程在关键call也能找到注册码,我想注册码可能放在这儿?
进入win98后用trw2000
bpx 40165b
d eax or d ecx 果然注册码出来了!(不会吧?一分钟都不用?)
好试一下用trw2000直接破解:
输入name和code
bpx hmemcpy
x
bd *
0167:00401342 CALL `MFC42!ord_00000942`
拦截到:
0167:00401347 LEA ECX,[ESI+64] //->d ecx=name
ds:[63fd65]=006542f0
d 006542f0=code
0167:0040134A PUSH ECX
0167:0040134B PUSH DWORD 03E9
0167:00401350 PUSH EDI
0167:00401351 CALL `MFC42!ord_00000942`
0167:00401356 ADD ESI,BYTE +68
0167:00401359 PUSH ESI
0167:0040135A PUSH DWORD 03EB
0167:0040135F PUSH EDI
0167:00401360 CALL `MFC42!ord_00000942`
0167:00401365 POP EDI
0167:00401366 POP ESI
离目标不远?
不久来到这里:
0167:0040162E CALL `MFC42!ord_000018BE`
0167:00401633 MOV ECX,[ESI+60] d ecx=name
0167:00401636 LEA EAX,[ESI+60] d eax=name
0167:00401639 CMP DWORD [ECX-08],BYTE +04 code位数为4
0167:0040163D JL 0040167E 呵呵这里就是比较code是否小于4位如果是就
跳走就没戏了?
0167:0040163F PUSH EAX
0167:00401640 LEA ECX,[ESP+08]
0167:00401644 CALL `MFC42!ord_0000035A`
0167:00401649 LEA ECX,[ESP+04]
0167:0040164D CALL `MFC42!ord_0000106B`
0167:00401652 MOV EAX,[ESI+64] \
0167:00401655 MOV EDX,[ESP+04]
\real code!(good!)
0167:00401659 PUSH EAX
/
0167:0040165A PUSH EDX
/
0167:0040165B CALL `MSVCRT!_mbscmp`/
0167:00401661 ADD ESP,BYTE +08
0167:00401664 TEST EAX,EAX
0167:00401666 JNZ 00401675
0167:00401668 PUSH DWORD 0040302C
0167:0040166D LEA ECX,[ESI+68]
........................................
0167:0040165B CALL `MSVCRT!_mbscmp`
到这儿eax=00654340 ecx=00654340
还有stack prot32 x
0063f908 ->00654340
看到没有再一次证明stack prot32 x窗口在找注册码时还是一些用?
1212
这个CALL `MSVCRT!_mbscmp就对应strcmp( )函数啊
PeterCheN:
name:peterchen
code:nehcretep
name与code为什么哪么相似了?
name:chen
code:nehc
name:chens
code:snech
总结算法:
chen 1234
nehc 4321
chens 12345
snehc 54321
原来是这样把name位数倒还来排就是read code!真容易?!
用trw2000来破解到算码也不用三分钟!呵呵!初学者试一试?
- 标 题:Crackme rackMe v.a01 简易 注册号(5千字)
- 作 者:peterchen
- 时 间:2001-3-14 22:46:32
- 链 接:http://bbs.pediy.com