软件名称:Nullz CrackMe 1.1
下载地址:http://go6.163.com/ddxia/crackme/Nullz_crackMe1.1.zip
特点:共分五个小过程,难度逐级递增。
使用工具:TRW2000
我是刚学不久,平时也没太多时间练习,没写过过程,所以不足之处还请多多包涵啊!
好了,废话少说,我们开始吧!!(广告词?……)
1.非常简单 (only Reg.Key)
bpx hmemcpy
pmodule
就到了下面的地方了
// Part 1 -- W32Dasm listing, 32-bit x86, immediates in hex.
// The typed key is compared verbatim against a constant string with lstrcmpA;
// no computation is involved, so the expected key is simply the string
// pointed to by edx at the call.
:004019D8 E801120000              Call 00402BDE
:004019DD 8D542410                lea edx, dword ptr [esp+10]     // edx -> expected Reg.Key (constant string)
:004019E1 8D44242C                lea eax, dword ptr [esp+2C]     // eax -> the key that was typed in
:004019E5 52                      push edx                        // lpString2 = expected
:004019E6 50                      push eax                        // lpString1 = typed
* Reference To: KERNEL32.lstrcmpA, Ord:0295h
|
:004019E7 FF1508404000            Call dword ptr [00404008]       // lstrcmpA(typed, expected)
:004019ED 85C0                    test eax, eax
:004019EF 755A                    jne 00401A4B                    // nonzero = strings differ -> failure path
:004019F1 6870434000              push 00404370                   // fall-through = success path
:004019F6 8D4C2410                lea ecx, dword ptr [esp+10]
Reg.Key是个字符串常量:qJT62aWfviq0P57JGs2FelQkX
2.简单 (User Name & Reg.Key)
还是bpx hmemcpy,pmodule.
// Part 2 -- W32Dasm listing, 32-bit x86, immediates in hex.
// Key derivation from the User Name alone:
//   acc = 0; for i = 1..len (inclusive): acc = (acc + name[i]) * i
//   for j = 0..len-1: key[j] = '0' + ((acc / name[j]) % 10)
// then lstrcmpA(typed_key, key).
// Register roles in this fragment: esi = name length, edi = acc,
// eax/ecx = loop index, [esp+14] = name buffer, [esp+48] = computed key.
* Reference To: MFC42.Ordinal:0C1A, Ord:0C1Ah
|
:00401AF2 E8E7100000              Call 00402BDE
:00401AF7 8D542414                lea edx, dword ptr [esp+14]     // edx -> User Name buffer
:00401AFB 52                      push edx
* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
:00401AFC FF1500404000            Call dword ptr [00404000]       // lstrlenA(name)
:00401B02 8BF0                    mov esi, eax                    // esi = len
:00401B04 83FE05                  cmp esi, 00000005
:00401B07 7311                    jnb 00401B1A                    // len >= 5 -> compute; no upper bound is checked here
:00401B09 6A40                    push 00000040
* Possible StringData Ref from Data Obj ->"CrackMe"
|
:00401B0B 6804514000              push 00405104
* Possible StringData Ref from Data Obj ->"User Name must have at least 5 "
                                        ->"characters."
|
:00401B10 68D8504000              push 004050D8
:00401B15 E9BA000000              jmp 00401BD4                    // -> "too short" message
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B07(C)
|
:00401B1A B801000000              mov eax, 00000001               // i = 1
:00401B1F 33FF                    xor edi, edi                    // acc = 0
:00401B21 3BF0                    cmp esi, eax
:00401B23 7211                    jb 00401B36                     // (never taken once len >= 5)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B34(C)
|
:00401B25 0FBE4C0414              movsx ecx, byte ptr [esp+eax+14]   // ecx = (signed) name[i]  -- key algorithm begins
:00401B2A 03CF                    add ecx, edi                    // ecx = name[i] + acc
:00401B2C 0FAFC8                  imul ecx, eax                   // ecx = (name[i] + acc) * i
:00401B2F 40                      inc eax
:00401B30 8BF9                    mov edi, ecx                    // acc = ecx
:00401B32 3BC6                    cmp eax, esi
:00401B34 76EF                    jbe 00401B25                    // i = 1..len inclusive: the last pass folds in name[len], the NUL
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B23(C)
|
:00401B36 33C9                    xor ecx, ecx                    // j = 0
:00401B38 85F6                    test esi, esi
:00401B3A 7620                    jbe 00401B5C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B5A(C)
|
:00401B3C 0FBE6C0C14              movsx ebp, byte ptr [esp+ecx+14]   // ebp = (signed) name[j]; div below is unsigned
:00401B41 8BC7                    mov eax, edi                    // eax = acc
:00401B43 33D2                    xor edx, edx
:00401B45 F7F5                    div ebp                         // eax = acc / name[j]
:00401B47 33D2                    xor edx, edx
:00401B49 BD0A000000              mov ebp, 0000000A
:00401B4E F7F5                    div ebp                         // edx = (acc / name[j]) % 10
:00401B50 80C230                  add dl, 30                      // -> ASCII digit
:00401B53 88540C48                mov byte ptr [esp+ecx+48], dl   // key[j] = digit; len bytes are written here with only the >= 5
                                                                  // check above, and the typed key lives at [esp+7C], 0x34 bytes up --
                                                                  // unless the edit control caps the length, a long name overruns it
:00401B57 41                      inc ecx
:00401B58 3BCE                    cmp ecx, esi
:00401B5A 72E0                    jb 00401B3C                     // j = 0..len-1  -- key algorithm ends
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B3A(C)
|
:00401B5C 8D542448                lea edx, dword ptr [esp+48]     // edx -> computed key
:00401B60 8D44247C                lea eax, dword ptr [esp+7C]     // eax -> the Reg.Key that was typed in
:00401B64 52                      push edx
:00401B65 50                      push eax
* Reference To: KERNEL32.lstrcmpA, Ord:0295h
|
:00401B66 FF1508404000            Call dword ptr [00404008]       // lstrcmpA(typed, computed)
:00401B6C 85C0                    test eax, eax
:00401B6E 7550                    jne 00401BC0                    // differ -> failure path
:00401B70 6870434000              push 00404370
:00401B75 8D4C2414                lea ecx, dword ptr [esp+14]
我的注册码: User Name: eighth   Reg.Key: 252303
3.一般简单 (User Name & Reg.Key)
老一套bpx hmemcpy,pmodule.
// Part 3 -- W32Dasm listing, 32-bit x86, immediates in hex.
// The name is a CString: [ptr-08] holds its length.  The key is a 32-bit
// value esi, folded per character and then printed with "%lu":
//   for i = 0..len-1:
//       esi = ((esi + name[i]) ^ (i << 8)) * (i + 1) * ~(i * len)
// esi's value on entry to the loop is not visible in this fragment
// (presumably 0 -- confirm at the function start).
* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00401C7E E8670F0000              Call 00402BEA
:00401C83 8B6C2418                mov ebp, dword ptr [esp+18]     // ebp -> User Name characters
:00401C87 8B55F8                  mov edx, dword ptr [ebp-08]     // edx = len
:00401C8A 83FA05                  cmp edx, 00000005
:00401C8D 7D11                    jge 00401CA0                    // len >= 5 (signed) -> compute
:00401C8F 6A40                    push 00000040
* Possible StringData Ref from Data Obj ->"CrackMe"
|
:00401C91 6804514000              push 00405104
* Possible StringData Ref from Data Obj ->"User Name must have at least 5 "
                                        ->"characters."
|
:00401C96 68D8504000              push 004050D8
:00401C9B E9E2000000              jmp 00401D82                    // -> "too short" message
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C8D(C)
|
:00401CA0 33C0                    xor eax, eax                    // i = 0
:00401CA2 3BD3                    cmp edx, ebx                    // ebx presumably 0 here (it is zeroed at 00401CE0 and used as NUL below)
:00401CA4 7E3C                    jle 00401CE2                    // empty name -> skip the loop
:00401CA6 B901000000              mov ecx, 00000001
:00401CAB 33FF                    xor edi, edi                    // edi = i * len, starts at 0
:00401CAD 2BCD                    sub ecx, ebp                    // ecx = 1 - name_ptr
:00401CAF 894C241C                mov dword ptr [esp+1C], ecx     // saved so (name_ptr + i) + [esp+1C] == i + 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CDA(C)
|
:00401CB3 0FBE5C0500              movsx ebx, byte ptr [ebp+eax]   // ebx = (signed) name[i]  -- key algorithm begins
:00401CB8 8D4C0500                lea ecx, dword ptr [ebp+eax]    // ecx = name_ptr + i
:00401CBC 03F3                    add esi, ebx                    // esi += name[i]
:00401CBE 8BD8                    mov ebx, eax
:00401CC0 C1E308                  shl ebx, 08                     // ebx = i << 8
:00401CC3 33F3                    xor esi, ebx                    // esi ^= i << 8
:00401CC5 8B5C241C                mov ebx, dword ptr [esp+1C]
:00401CC9 03D9                    add ebx, ecx                    // ebx = i + 1
:00401CCB 8BCF                    mov ecx, edi
:00401CCD 0FAFF3                  imul esi, ebx                   // esi *= i + 1
:00401CD0 F7D1                    not ecx                         // ecx = ~(i * len)
:00401CD2 0FAFF1                  imul esi, ecx                   // esi *= ~(i * len)
:00401CD5 40                      inc eax
:00401CD6 03FA                    add edi, edx                    // edi += len
:00401CD8 3BC2                    cmp eax, edx
:00401CDA 7CD7                    jl 00401CB3                     // i = 0..len-1  -- key algorithm ends
:00401CDC 8B7C2420                mov edi, dword ptr [esp+20]     // restore edi
:00401CE0 33DB                    xor ebx, ebx                    // ebx = 0, the terminator used by the compare below
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CA4(C)
|
:00401CE2 56                      push esi                        // the computed value
:00401CE3 8D542414                lea edx, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%lu"
|
:00401CE7 682C514000              push 0040512C
:00401CEC 52                      push edx
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00401CED E8F20E0000              Call 00402BE4                   // formats esi as an unsigned decimal string (args: dest, "%lu", esi)
:00401CF2 8B74241C                mov esi, dword ptr [esp+1C]     // esi -> computed key string
:00401CF6 8B442420                mov eax, dword ptr [esp+20]     // eax -> the Reg.Key that was typed in
:00401CFA 83C40C                  add esp, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D1B(C)
|
:00401CFD 8A10                    mov dl, byte ptr [eax]          // byte-wise compare, two bytes per pass; the author found this
:00401CFF 8ACA                    mov cl, dl                      // redundant -- it looks like a compiler-inlined strcmp
:00401D01 3A16                    cmp dl, byte ptr [esi]
:00401D03 751C                    jne 00401D21                    // mismatch -> failure
:00401D05 3ACB                    cmp cl, bl                      // reached the terminator -> equal
:00401D07 7414                    je 00401D1D
:00401D09 8A5001                  mov dl, byte ptr [eax+01]
:00401D0C 8ACA                    mov cl, dl
:00401D0E 3A5601                  cmp dl, byte ptr [esi+01]
:00401D11 750E                    jne 00401D21
:00401D13 83C002                  add eax, 00000002
:00401D16 83C602                  add esi, 00000002
:00401D19 3ACB                    cmp cl, bl
:00401D1B 75E0                    jne 00401CFD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D07(C)
|
:00401D1D 33C0                    xor eax, eax                    // eax = 0: strings equal
:00401D1F EB05                    jmp 00401D26
我的注册码: User Name: eighth   Reg.Key: 2990909536
4.一般吧 (User Name,Company & Reg.Key)
不过Company好像没用到啊!?
管它呢,bpx hmemcpy,pmodule再说。
// Part 4 -- W32Dasm listing, 32-bit x86, immediates in hex.
// Two dialog strings are fetched as CStrings ([ptr-08] = length).  The name
// length is range-checked (5..0x100), the helper at 00402050 produces two
// values that wsprintfA renders as "%lu-%X", and the typed key is then
// compared against that text.  The author reports that the typed key is
// matched in reverse; the thiscall on the typed-key CString at 00401EC6
// (MFC42 ordinal 106B) is presumably what reverses it -- the index loop
// itself compares position for position.
* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00401E43 E8A20D0000              Call 00402BEA
:00401E48 8D542414                lea edx, dword ptr [esp+14]     // dest CString for the second control
:00401E4C 8BCD                    mov ecx, ebp                    // this
:00401E4E 52                      push edx
:00401E4F 68ED030000              push 000003ED                   // control id 0x3ED
* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00401E54 E8910D0000              Call 00402BEA
:00401E59 8B442410                mov eax, dword ptr [esp+10]     // eax -> User Name characters
:00401E5D 8B40F8                  mov eax, dword ptr [eax-08]     // eax = name length
:00401E60 83F805                  cmp eax, 00000005
:00401E63 0F8CCD000000            jl 00401F36                     // name length must be >= 5 ...
:00401E69 3D00010000              cmp eax, 00000100
:00401E6E 0F8FC2000000            jg 00401F36                     // ... and <= 0x100 (signed compares)
:00401E74 8B4C2414                mov ecx, dword ptr [esp+14]     // ecx -> string from control 0x3ED (used below as the typed key)
:00401E78 3959F8                  cmp dword ptr [ecx-08], ebx     // its length vs ebx (presumably 0 -> empty)
:00401E7B 0F84C8000000            je 00401F49
:00401E81 8D542418                lea edx, dword ptr [esp+18]
:00401E85 8D4C241C                lea ecx, dword ptr [esp+1C]
:00401E89 52                      push edx                        // out slot, read back from [esp+18] at 00401E98
:00401E8A 51                      push ecx                        // out slot, read back from [esp+1C] at 00401E9C
:00401E8B 8D542418                lea edx, dword ptr [esp+18]
:00401E8F 50                      push eax                        // name length
:00401E90 52                      push edx                        // -> name CString
:00401E91 8BCD                    mov ecx, ebp                    // this
:00401E93 E8B8010000              call 00402050                   // computes the two key parts; the author calls it simple and
                                                                  // leaves it to the reader -- not shown in this listing
:00401E98 8B442418                mov eax, dword ptr [esp+18]     // eax = part rendered with %X
:00401E9C 8B4C241C                mov ecx, dword ptr [esp+1C]     // ecx = part rendered with %lu
:00401EA0 50                      push eax
:00401EA1 51                      push ecx
:00401EA2 8D542428                lea edx, dword ptr [esp+28]     // edx -> output text buffer
* Possible StringData Ref from Data Obj ->"%lu-%X"
|
:00401EA6 6880514000              push 00405180
:00401EAB 52                      push edx
* Reference To: USER32.wsprintfA, Ord:0264h
|
:00401EAC FF155C424000            Call dword ptr [0040425C]       // wsprintfA(buf, "%lu-%X", ecx, eax)
:00401EB2 83C410                  add esp, 00000010
:00401EB5 8D442420                lea eax, dword ptr [esp+20]
:00401EB9 50                      push eax
* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
:00401EBA FF1500404000            Call dword ptr [00404000]       // lstrlenA(formatted key)
:00401EC0 8D4C2414                lea ecx, dword ptr [esp+14]     // this = the typed-key CString object
:00401EC4 8BF8                    mov edi, eax                    // edi = formatted length
* Reference To: MFC42.Ordinal:106B, Ord:106Bh
|
:00401EC6 E8250D0000              Call 00402BF0                   // thiscall on the typed key (presumably the reversal; confirm the ordinal)
:00401ECB 8B442414                mov eax, dword ptr [esp+14]     // eax -> typed key (after that call)
:00401ECF 8D542420                lea edx, dword ptr [esp+20]     // edx -> formatted key
:00401ED3 8B48F8                  mov ecx, dword ptr [eax-08]     // ecx = typed length
:00401ED6 2BC2                    sub eax, edx                    // eax = typed - formatted (pointer delta)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401EF0(C)
|
:00401ED8 3BF1                    cmp esi, ecx                    // comparison loop; esi's entry value is not visible here (presumably 0)
:00401EDA 7D0D                    jge 00401EE9                    // past the typed length -> no more byte compares
:00401EDC 8D543420                lea edx, dword ptr [esp+esi+20]
:00401EE0 8A1402                  mov dl, byte ptr [edx+eax]      // dl = typed[esi]  (formatted + esi + delta)
:00401EE3 3A543420                cmp dl, byte ptr [esp+esi+20]   // vs formatted[esi]
:00401EE7 7509                    jne 00401EF2                    // mismatch -> length check below fails the key
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401EDA(C)
|
:00401EE9 8A543421                mov dl, byte ptr [esp+esi+21]   // next formatted byte
:00401EED 46                      inc esi
:00401EEE 3AD3                    cmp dl, bl                      // continue while it is > 0 (signed)
:00401EF0 7FE6                    jg 00401ED8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401EE7(C)
|
:00401EF2 2BF7                    sub esi, edi                    // bytes matched vs formatted length
:00401EF4 752A                    jne 00401F20                    // not equal -> failure path
:00401EF6 6870434000              push 00404370                   // success path
:00401EFB 8D4C2414                lea ecx, dword ptr [esp+14]
我的注册码: User Name: eighth
Reg.Key : 7235845622
5.有一点难度,不过文章太长了就没法看了,所以现在请你自己试试吧!呵呵 :)
注意一下以下四个跳转就可以了:00402733,00402742,00402751,004027F8.
6.作者还没写出来,我也没有办法啊!:-(
第一次写过程,让大家见笑了,还请多多批评指正。另外这个CrackMe的算法非常简单,
初初哥可以用它练习一下写注册机,可以信心倍增啊!初哥我就懒得写了,呵呵!
- 标 题:Nullz CrackMe 1.1破解过程 (13千字)
- 作 者:eighth
- 时 间:2001-9-18 10:40:02
- 链 接:http://bbs.pediy.com