Advanced Email Searcher 1.1
我很想加入BCG,所以赶快写破文。看到老大crackabc需要邮件群发软件,我也来试试。
注册码,大家都说了,比较容易。但是它在后面还有检测,我没有找到比较正确注册码的地方,所以只有爆破了!^_^
注册码的关键 call 就在:
:0049A3B0 8B4DF8
mov ecx, dword ptr [ebp-08]
:0049A3B3 8B55FC
mov edx, dword ptr [ebp-04]
:0049A3B6 8BC3
mov eax, ebx
:0049A3B8 E8F7000000 call 0049A4B4
<----这个就是关键的地方,里面有假的注册码哦!进入看看。
:0049A3BD 84C0
test al, al
|:0049A3B8 , :0049A648
|
:0049A4B4 55
push ebp
:0049A4B5 8BEC
mov ebp, esp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A467(C)
|
:0049A4B7 83C4F0
add esp, FFFFFFF0
:0049A4BA 53
push ebx
:0049A4BB 33DB
xor ebx, ebx
:0049A4BD 895DF4
mov dword ptr [ebp-0C], ebx
:0049A4C0 895DF0
mov dword ptr [ebp-10], ebx
:0049A4C3 894DF8
mov dword ptr [ebp-08], ecx
:0049A4C6 8955FC
mov dword ptr [ebp-04], edx
:0049A4C9 8B45FC
mov eax, dword ptr [ebp-04]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A465(C)
|
:0049A4CC E8AF9AF6FF call 00403F80
:0049A4D1 8B45F8
mov eax, dword ptr [ebp-08]
:0049A4D4 E8A79AF6FF call 00403F80
:0049A4D9 8B4508
mov eax, dword ptr [ebp+08]
:0049A4DC E89F9AF6FF call 00403F80
:0049A4E1 33C0
xor eax, eax
:0049A4E3 55
push ebp
:0049A4E4 683EA54900 push 0049A53E
:0049A4E9 64FF30
push dword ptr fs:[eax]
:0049A4EC 648920
mov dword ptr fs:[eax], esp
:0049A4EF 8D45F0
lea eax, dword ptr [ebp-10]
:0049A4F2 8B4DF8
mov ecx, dword ptr [ebp-08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A47C(C)
|
:0049A4F5 8B55FC
mov edx, dword ptr [ebp-04]
:0049A4F8 E81B99F6FF call 00403E18
:0049A4FD 8B45F0
mov eax, dword ptr [ebp-10]
:0049A500 8D55F4
lea edx, dword ptr [ebp-0C]
:0049A503 E8F07AFEFF call 00481FF8
:0049A508 8B55F4
mov edx, dword ptr [ebp-0C]
:0049A50B 8B4508
mov eax, dword ptr [ebp+08]
:0049A50E E8C999F6FF call 00403EDC
<---就是这里
:0049A513 7504
jne 0049A519
:0049A515 B301
mov bl, 01
:0049A517 EB02
jmp 0049A51B
:00403EDC 53
push ebx
:00403EDD 56
push esi
:00403EDE 57
push edi
:00403EDF 89C6
mov esi, eax
:00403EE1 89D7
mov edi, edx
:00403EE3 39D0
cmp eax, edx <----比较了,两个假的。^_^
:00403EE5 0F848F000000 je 00403F7A
:00403EEB 85F6
test esi, esi
:00403EED 7468
je 00403F57
:00403EEF 85FF
test edi, edi
:00403EF1 746B
je 00403F5E
:00403EF3 8B46FC
mov eax, dword ptr [esi-04]
:00403EF6 8B57FC
mov edx, dword ptr [edi-04]
:00403EF9 29D0
sub eax, edx
:00403EFB 7702
ja 00403EFF
:00403EFD 01C2
add edx, eax
:0049A3BD 84C0
test al, al <---修改下面的跳转就行了。
修改后就出现了老大说的那个现象了,可以肯定下面还有校验的地方,接着往下看看。
:0049A659 E86A3FF9FF call 0042E5C8
:0049A65E 33D2
xor edx, edx
:0049A660 8B8384030000 mov eax, dword
ptr [ebx+00000384]
:0049A666 E85922FEFF call 0047C8C4
<----这个可能就是验证的call
:0049A66B C60538024A0000 mov byte ptr [004A0238],
00 <---注册的标志变成零了
:0049A672 EB21
jmp 0049A695
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A64F(C)
|
:0049A674 8B15D44D4E00 mov edx, dword
ptr [004E4DD4]
:0049A67A 8BC3
mov eax, ebx
:0049A67C E8473FF9FF call 0042E5C8
:0049A681 B201
mov dl, 01
:0049A683 8B8384030000 mov eax, dword
ptr [ebx+00000384]
:0049A689 E83622FEFF call 0047C8C4
:0049A68E C60538024A0000 mov byte ptr [004A0238],
00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A672(U)
|
:0049A695 803D38024A0000 cmp byte ptr [004A0238],
00 <---这里验证
:0049A69C 7507
jne 0049A6A5 <----这里要改为je
:0049A69E 8BC3
mov eax, ebx
:0049A6A0 E89B010000 call 0049A840
<----就是那个出错的call
这样改完,就可以成功地注册了,但是在启动的时候它还是要检验一个地方:
* Possible StringData Ref from Data Obj ->"default.aes"
|
:00499E3F 8B152C024A00 mov edx, dword
ptr [004A022C]
:00499E45 8BC3
mov eax, ebx
:00499E47 E848F1FFFF call 00498F94
:00499E4C 33C0
xor eax, eax
:00499E4E A334024A00 mov dword
ptr [004A0234], eax
:00499E53 8BC3
mov eax, ebx
:00499E55 E8F6060000 call 0049A550
:00499E5A 803D3C024A0000 cmp byte ptr [004A023C],
00 <---这里验证
:00499E61 7509
jne 00499E6C <---改为je
:00499E63 8BD3
mov edx, ebx
:00499E65 8BC3
mov eax, ebx
:00499E67 E828030000 call 0049A194
<----注册的对话框
"default.aes"——注册的校验就在这个文件里。
到此就完全搞定了!
希望我可以加入BCG!
- 标 题:希望我可以加入BCG! (5千字)
- 作 者:注册码
- 时 间:2001-7-31 16:09:40
- 链 接:http://bbs.pediy.com