Mikl0ƽ̳ 
Ŀ꣺Kwazy_W's PacMe 
ߣSoftICE 

,ÿʲô.ῴһ:UNREGISTERED!ܸĶ.滹ťEXITCHECK.CHECKʱ,ûʲô·.ûпκα仯.Ӧ֪ͨname/serialע.һkeyfile.SOFTICECREATEFILEA.CHECK,SOFTICEж.ȻֱӼ D EDX ʲôļ.ῴݴʾKwazyWeb.bit .F11صCALL. 

ᵽ: 

; Fragment (the enclosing routine starts before 004016D9): open the key file and read its first byte.
; Globals seen here: [00403444] = file handle, [004034FA] = one-byte length field.
:004016D9 E81C010000              Call 004017FA  <==            ; wrapper that opens the key file (the tutorial reaches CreateFileA underneath it)
:004016DE 83F8FF                  cmp eax, -01                  ; INVALID_HANDLE_VALUE?
:004016E1 7464                    je 00401747                   ; open failed -> jumps to the CloseHandle path before any handle was stored
:004016E3 A344344000              mov dword ptr [00403444], eax ; keep the handle
:004016E8 6A00                    push 00000000                 ; lpOverlapped = NULL
:004016EA 6848344000              push 00403448                 ; lpNumberOfBytesRead
:004016EF 6A01                    push 00000001                 ; nNumberOfBytesToRead = 1
:004016F1 68FA344000              push 004034FA                 ; lpBuffer: the 1-byte length field
:004016F6 FF3544344000            push dword ptr [00403444]     ; hFile
:004016FC E811010000              Call Kernel32! ReadFile       ; return value is never tested: a failed read leaves whatever was already in [004034FA]

CALLĺ,EAX-01Ƚ,ȷļǷ.ļھͻ.,뿪SOFTICEKwazyWeb.bitļ,Ȼٷ,ֵJUMPʱ,ʱNO JUMP,֤ǵĵһѾɹ! 

һREADFILECALL.  push 00000001  Ƕļֽ  .  push dword ptr [00403444]  ֽڵĻַ. 

Ĵ: 
; Second read: the length byte taken from the file decides how many name bytes are read into 00403288.
:00401701 0FB605FA344000          movzx eax, byte ptr [004034FA] ; eax = length byte (0..255, straight from the file)
:00401708 85C0                    test eax, eax                  ; zero length?
:0040170A 743B                    je 00401747                    ; yes -> bail out to CloseHandle (also keeps the loop in 00401000 from running with ecx=0)
:0040170C 6A00                    push 00000000                  ; lpOverlapped = NULL
:0040170E 6848344000              push 00403448                  ; lpNumberOfBytesRead
:00401713 50                      push eax                       ; nNumberOfBytesToRead = length byte; no bound other than 0xFF
:00401714 6888324000              push 00403288                  ; lpBuffer: name buffer (its size is not visible in this listing)
:00401719 FF3544344000            push dword ptr [00403444]      ; hFile
:0040171F E8EE000000              Call Kernel32! ReadFile        ; result again not checked
:00401724 E8D7F8FFFF              Call 00401000                  ; sum the name bytes (routine below)

ĳʹREADFILE.ֽɵһζֵֽ.Ȼ403288(ҵһֽ'M',4DHֽ). 
ֵREADFILE.һCALL,Ǿ׷ȥ: 

;-----------------------------------------------------------------------
; 00401000: 8-bit checksum of the name.
; In:    [004034FA] = byte count (caller guarantees non-zero), 00403288 = name bytes
; Out:   [004034FB] = low byte of the sum of all name bytes
; Clobb: eax, ecx, edx, esi, flags (nothing is saved)
; Note:  only the low 8 bits survive, so there are at most 256 possible values.
;        This byte becomes the whole XOR key used by 0040101D, i.e. the "key"
;        is derivable from the name alone - a checksum, not a secret.
;-----------------------------------------------------------------------
:00401000 33C0                    xor eax, eax
:00401002 33D2                    xor edx, edx                ; edx = running sum
:00401004 33C9                    xor ecx, ecx
:00401006 8A0DFA344000            mov cl, byte ptr [004034FA] ; ecx = length (upper bits already zero)
:0040100C BE88324000              mov esi, 00403288           ; esi -> name bytes
:00401011 AC                      lodsb                       ; al = *esi++ (upper bits of eax stay zero)
:00401012 03D0                    add edx, eax                ; sum += al
:00401014 E2FB                    loop 00401011               ; repeat length times; ecx=0 on entry would wrap through 2^32 iterations
:00401016 8815FB344000            mov byte ptr [004034FB], dl ; store only the low byte
:0040101C C3                      ret

Ǹֽڵֵеļ.ȻDLԺʹ.Ȼ󷵻صô. 
: 

; Third read: 0x12 (18) payload bytes into 004034E8, then the decode-and-walk routine, then CloseHandle.
:00401729 6A00                    push 00000000             ; lpOverlapped = NULL
:0040172B 6848344000              push 00403448             ; lpNumberOfBytesRead
:00401730 6A12                    push 00000012             ; nNumberOfBytesToRead = 0x12 (18)
:00401732 68E8344000              push 004034E8             ; lpBuffer: 18-byte payload (ends right before the length byte at 004034FA)
:00401737 FF3544344000            push dword ptr [00403444] ; hFile
:0040173D E8D0000000              Call Kernel32! ReadFile   ; the bytes-read count is never compared with 18
:00401742 E882F9FFFF              Call 004010C9             ; decode the payload with the checksum byte and walk the maze
:00401747 FF3544344000            push dword ptr [00403444] ; also the target of the error jumps above, so this may run before a handle was ever stored
:0040174D E8A2000000              Call Kernel32! CloseHandle


һεREADFILE.ȻͶ18ֽ.͹رļ.401742CALLͺܿ. 
ô,Ǿ: 

;-----------------------------------------------------------------------
; 004010C9 (first part; continues at 004010ED further down): prepare the maze and decode the payload.
; Locals: [ebp-01] = bit shift, [ebp-02] = payload index (4 bytes reserved)
;-----------------------------------------------------------------------
:004010C9 55                      push ebp
:004010CA 8BEC                    mov ebp, esp
:004010CC 83C4FC                  add esp, FFFFFFFC      ; esp -= 4: room for the two byte locals
:004010CF 6865334000              push 00403365          ; lpString2: maze template (source)
:004010D4 68BC314000              push 004031BC          ; lpString1: working copy (destination)
:004010D9 E83A070000              Call Kernel32! lstrcpy ; copy the template into a writable buffer so cells can be overwritten
:004010DE C70584314000CC314000    mov dword ptr [00403184], 004031CC ; cursor = working copy + 0x10, i.e. row 1, column 0 (the 'C' cell in the maze shown later)
:004010E8 E830FFFFFF              call 0040101D          ; XOR-decode the 18 payload bytes in place

 D 403365  D 4031BC ַ. һַ.һЩַ(UNREGISTERED! Cracked by: )ַῴһַ'C'. 
һCALL.F8׷: 
;-----------------------------------------------------------------------
; 0040101D: in-place XOR of the 18-byte payload with the checksum byte.
; In:    [004034FB] = key byte (from 00401000), 004034E8 = payload
; Out:   each payload byte replaced by byte ^ key
; Clobb: eax, ecx, edx, flags
; Note:  a single repeating byte derived from an 8-bit sum of the name is
;        obfuscation, not encryption; it offers no secret the verifier does not already hold.
;-----------------------------------------------------------------------
:0040101D 8A15FB344000            mov dl, byte ptr [004034FB] ; dl = key
:00401023 B912000000              mov ecx, 00000012           ; 18 bytes
:00401028 B8E8344000              mov eax, 004034E8           ; eax -> payload
:0040102D 3010                    xor byte ptr [eax], dl      ; *eax ^= key
:0040102F 40                      inc eax
:00401030 E2FB                    loop 0040102D
:00401032 C3                      ret

DLеֵļеֽΪݵ.ECXǼ(18).EAXǶȡ18ֽڵƫ.,12HֽÿDL. 

; 004010C9, continued: for each of the 18 payload bytes take its four 2-bit fields
; (bits 7-6, 5-4, 3-2, 1-0, in that order) as moves and hand each to 00401033.
; A zero return from 00401033 (the move hit a wall) ends the routine early and silently.
; Finishing all 72 moves without ever landing on 'X' also just returns: success is only
; ever signalled inside 00401033.
:004010ED C645FE00                mov [ebp-02], 00            ; index = 0
:004010F1 33C0                    xor eax, eax
:004010F3 33C9                    xor ecx, ecx
:004010F5 C645FF08                mov [ebp-01], 08            ; outer loop start: shift = 8
:004010F9 806DFF02                sub byte ptr [ebp-01], 02   ; inner loop start: shift -= 2 (6, 4, 2, 0)
:004010FD 0FB64DFE                movzx ecx, byte ptr [ebp-02]
:00401101 81C1E8344000            add ecx, 004034E8           ; ecx -> payload[index]
:00401107 8A01                    mov al, byte ptr [ecx]
:00401109 8A4DFF                  mov cl, byte ptr [ebp-01]
:0040110C D2E8                    shr al, cl                  ; al >>= shift
:0040110E 2403                    and al, 03                  ; keep 2 bits: move 0..3
:00401110 E81EFFFFFF              call 00401033               ; apply one move; eax=0 means blocked
:00401115 85C0                    test eax, eax
:00401117 7411                    je 0040112A                 ; blocked -> leave (nothing is reported)
:00401119 0FB655FF                movzx edx, byte ptr [ebp-01]
:0040111D 85D2                    test edx, edx               ; inner loop test: shift reached 0?
:0040111F 75D8                    jne 004010F9                ; not yet -> next 2-bit field
:00401121 FE45FE                  inc [ebp-02]                ; index++
:00401124 807DFE12                cmp byte ptr [ebp-02], 12   ; outer loop test: all 0x12 bytes done?
:00401128 75CB                    jne 004010F5                ; no -> next byte
:0040112A C9                      leave
:0040112B C3                      ret

CRACKMEҪһγ.Һܿ.ῴһѭǶ.,˫ѭ.ҰСѭѭ.СѭĿʼEBP-1=8.ÿִһѭ2.һֱѭEBP-1Ϊ.Ǿ(8-2-2-2-2=0) 4.Ȼ뿪Сѭ.СѭиCALL.ڱȽһЩ.EAX=0,ͻǰѭ.ǸCALLEAX=1ܼ.EBP-021.ֱѭ12HβŻѭ. 

ῴAL6,4,2,0.ÿζʹ͵λ.һֽ8λ.,ʹߵֽ,Ȼʹмƫֽ,ʹмƫҵֽ,ʹұߵֽ.ǲǺȤ?һֽڽ10.Խܰ:00  01  10  11  . 
00b () = 00 (ʮ) 
01b () = 01 (ʮ) 
10b () = 02 (ʮ) 
11b () = 03 (ʮ) 


ǿCALL: 
;-----------------------------------------------------------------------
; 00401033 (first part; continues at 00401080 further down): apply one 2-bit move to the maze cursor.
; In:     al = move (0..3), [00403184] = cursor into the 16-byte-per-row maze copy
; Out:    eax = 0 when the target cell is '*' (cursor is left pointing at the wall);
;         otherwise see 00401080
; Locals: [ebp-04] = cursor before the move
; Design note: "valid" means only "the decoded moves trace a wall-free path to 'X'".
; There is no bounds check on the cursor; staying inside the buffer relies entirely
; on the '*' border of the maze string.
;-----------------------------------------------------------------------
:00401033 55                      push ebp
:00401034 8BEC                    mov ebp, esp
:00401036 83C4F8                  add esp, FFFFFFF8              ; esp -= 8: locals
:00401039 8B1584314000            mov edx, dword ptr [00403184]  ; edx = current cursor
:0040103F 8955FC                  mov dword ptr [ebp-04], edx    ; remember it (blanked to ' ' on success)
:00401042 0AC0                    or al, al                      ; al == 0?
:00401044 7509                    jne 0040104F
:00401046 832D8431400010          sub dword ptr [00403184], 00000010  ; 00b: up one row (-16)
:0040104D EB1F                    jmp 0040106E
:0040104F 3C01                    cmp al, 01
:00401051 7508                    jne 0040105B
:00401053 FF0584314000            inc dword ptr [00403184]       ; 01b: right (+1)
:00401059 EB13                    jmp 0040106E
:0040105B 3C02                    cmp al, 02
:0040105D 7509                    jne 00401068
:0040105F 83058431400010          add dword ptr [00403184], 00000010  ; 10b: down one row (+16)
:00401066 EB06                    jmp 0040106E
:00401068 FF0D84314000            dec dword ptr [00403184]       ; 11b (the only value left): left (-1)
:0040106E 8B1584314000            mov edx, dword ptr [00403184]  ; edx = new cursor
:00401074 8A02                    mov al, byte ptr [edx]         ; cell at the new position
:00401076 3C2A                    cmp al, 2A                     ; '*' = wall?
:00401078 7506                    jne 00401080
:0040107A 33C0                    xor eax, eax                   ; wall: return 0
:0040107C C9                      leave
:0040107D C3                      ret
     
Ϊ1ʱͻ401080 
ALֵ'*'Ļ,ͻ: 

; 00401033, continued: the target cell is not a wall.
:00401080 3C58                    cmp al, 58                    ; 'X' = goal?
:00401082 752F                    jne 004010B3                  ; no -> just move the marker
:00401084 6A00                    push 00000000                 ; 'X' reached: report success right here
:00401086 8D1559334000            lea edx, dword ptr [00403359]
:0040108C 52                      push edx
:0040108D 8D15EC324000            lea edx, dword ptr [004032EC]
:00401093 52                      push edx
:00401094 6A00                    push 00000000
:00401096 8D15AC174000            lea edx, dword ptr [004017AC]
:0040109C FFD2                    call edx                      ; indirect call to 004017AC with 4 args (the tutorial reads it as the "registered" message box; target not shown here)
:0040109E 8D157B324000            lea edx, dword ptr [0040327B]
:004010A4 52                      push edx
:004010A5 FF3520344000            push dword ptr [00403420]
:004010AB 8D15DC174000            lea edx, dword ptr [004017DC]
:004010B1 FFD2                    call edx                      ; second indirect call, 2 args; target not shown in this listing

:004010B3 8B1584314000            mov edx, dword ptr [00403184] ; new cursor (also fallen into after the 'X' path)
:004010B9 C60243                  mov byte ptr [edx], 43        ; write 'C' at the new cell
:004010BC 8B55FC                  mov edx, dword ptr [ebp-04]
:004010BF C60220                  mov byte ptr [edx], 20        ; blank the previous cell with ' '
:004010C2 B801000000              mov eax, 00000001             ; return 1: keep walking
:004010C7 C9                      leave
:004010C8 C3                      ret

ܹٵĴ.Թ,CʼXֻһ·. 
->"****************     
->"C*......*...**** 
->".*.****...*....* 
->".*..**********.* 
->"..*....*...*...* 
->"*.****.*.*...*** 
->"*.*....*.******* 
->"..*.***..*.....* 
->".*..***.**.***.* 
->"...****....*X..* 
->"**************** 
ʼ'C'.Ϊ'X'.ѭALȱ.ΪĲ.ÿһָһλ.ALǷΪ0.ǵĻ,ͼ16.ѭ!ȥ16㽫ָƶ㵱ǰַϷ. 
ƶ: 
00B =  
01B =  
10B =  
11B =  

72ָ'X'.ǵǸ12H=18?18ֽڱΪ4. ô4*18=72.,ôж! 
д˵һֽڵĲ.: 
һ 
һ 
һ 
һ 
: 
һ10B 
ڶ10B 
10B 
Ĳ01B 

ôֽ: 10101001B=A9H-->169D 

еƶ: 
10101001  = A9H    =169d    ;12HַǱDLֵ 
10101011  = ABH    =171d    ;[4034E8] 
10100101  = A5H    =165d    ; 
00010000  = 10H    = 16d     
01010100  = 54H    = 84d    
00111111  = 3FH    = 63d 
00110000  = 30H    = 48d 
01010101  = 55H    = 85d 
01100101  = 65H    =101d 
00010110  = 16H    = 22d 
01010110  = 56H    = 86d 
10111110  = BEH    =190d 
11110011  = F3H    =243d 
11101010  = EAH    =234d 
11101001  = E9H    =233d 
01010000  = 50H    = 80d 
01010101  = 55H    = 85d 
10101111  = AFH    =175d 

Щ12Hƶָֽ.,12HֽڻֱдKwazyWeb.bitļ.ЩֵûиDLֵ.ֽ01Hͻһֽ.ôһֽھDLֵ.ô12Hֽ,Ȼ12Hֽдļ.ôעɹ. 

ڶʹREADFILEʱ,Ͷ˵һֽڵֵ,ʵֵĳ.ȻDL.12Hַ.дKwazyWeb.bitļ. 
ұһPascal.ʱԿ. 
лĶ! 




                        20009 
                        garfield cat 


Ǵ,ҲûаٵӵĽд: 
0C 67 61 72 66 69 65 6C 64 20 63 61 74 3F 3D 33 86 C2 A9 A6 C3 F3 80 C0 28 65 7C 7F C6 C3 39 
|  \                                / \                                                  /  
|  ---------------------------------  -------------------------------------------------- 
|          garfield cat                          ƶָ12H(18)ֽ() 
|                                          
|                                      
|                                    
|                                      
ֵĳȹ12λ 

DL: 
ּ:67+61+72+66+69+65+6C+64+20+63+61+74=496H 
ȡֽھ:96H DL96  Ȼ96H A9 AB A5 10 54 3F 30 55 65 16 56 BE F3 EA E9 50 55 AF͵3F 3D 33 86 C2 A9 A6 C3 F3 80 C0 28 65 7C 7F C6 C3 39 