教菜鸟写注册机——高级篇(1)
教菜鸟写注册机——高级篇(注意我这里说的高级只是对偶辈菜鸟来说是难一些)
HEYA,我又来灌喽!还是那个系列的第3位CRACKME。下载: http://opencrackmes.crackmes.de/ope...ackmes/k4n3.zip
用W32DASM反汇编(可以先看后面的说明)
代码:
:004011BF 6A45 push 00000045
:004011C1 50 push eax
:004011C2 A4 movsb

* Reference To: USER32.GetDlgItemTextA, Ord:0104h
:004011C3 8B3DA8404000 mov edi, dword ptr [004040A8] ;注意这里把地址放在EDI

* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E8, ""
:004011C9 68E8030000 push 000003E8
:004011CE 51 push ecx
:004011CF FFD7 call edi ;实际是CALL GetDlgItemTextA,得到用户名
:004011D1 8BF0 mov esi, eax
:004011D3 85F6 test esi, esi
:004011D5 0F844B010000 je 00401326
:004011DB 83FE40 cmp esi, 00000040
:004011DE 0F8742010000 ja 00401326
:004011E4 8B4508 mov eax, dword ptr [ebp+08]
:004011E7 8D5594 lea edx, dword ptr [ebp-6C]
:004011EA 6A13 push 00000013
:004011EC 52 push edx

* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, ""
:004011ED 68E9030000 push 000003E9
:004011F2 50 push eax
:004011F3 FFD7 call edi ;再次调用GetDlgItemText,得到注册码
:004011F5 6BC003 imul eax, 00000003 ;EAX是注册码的长度
:004011F8 C1E002 shl eax, 02 ;左移二位
:004011FB 05CD000000 add eax, 000000CD ;加上0CD
:00401200 8945FC mov dword ptr [ebp-04], eax
:00401203 817DFCA5010000 cmp dword ptr [ebp-04], 000001A5 ;看看计算结果是不是1A5
:0040120A 0F85BC000000 jne 004012CC ;不是就死,可以逆算出((1A5-0CD)>>2)/3=12h
:00401210 33C0 xor eax, eax ;即注册码不能小于12h位
:00401212 8A4594 mov al, byte ptr [ebp-6C]
:00401215 84C0 test al, al
:00401217 7413 je 0040122C
:00401219 8D4D94 lea ecx, dword ptr [ebp-6C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040122A(C)
:0040121C 3C30 cmp al, 30
:0040121E 0F82C6000000 jb 004012EA ;注册码每位不能小于30h,即'0'
:00401224 8A4101 mov al, byte ptr [ecx+01]
:00401227 41 inc ecx
:00401228 84C0 test al, al
:0040122A 75F0 jne 0040121C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401217(C)
:0040122C E8CFFDFFFF call 00401000 ;这是什么呀?好像很重要哟,进去看看!
:00401231 8D852CFFFFFF lea eax, dword ptr [ebp+FFFFFF2C]
:00401237 50 push eax
:00401238 E843FEFFFF call 00401080 ;转换过程一,跟进
:0040123D 8945FC mov dword ptr [ebp-04], eax
:00401240 E8BBFDFFFF call 00401000 ;还进去不?呀....别打我!
:00401245 8D8D2CFFFFFF lea ecx, dword ptr [ebp+FFFFFF2C]
:0040124B 56 push esi
:0040124C 51 push ecx
:0040124D E8BEFDFFFF call 00401010
:00401252 83C40C add esp, 0000000C
:00401255 33C9 xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401284(C)
:00401257 8B45FC mov eax, dword ptr [ebp-04] \
:0040125A 33D2 xor edx, edx
:0040125C BE1A000000 mov esi, 0000001A
:00401261 F7F6 div esi
:00401263 8A941510FFFFFF mov dl, byte ptr [ebp+edx-000000F0]
:0040126A 88540DC8 mov byte ptr [ebp+ecx-38], dl
:0040126E 8B45FC mov eax, dword ptr [ebp-04]
:00401271 C1E003 shl eax, 03 ---转换过程二
:00401274 BA45230100 mov edx, 00012345
:00401279 F7E8 imul eax
:0040127B 03C2 add eax, edx
:0040127D 8945FC mov dword ptr [ebp-04], eax
:00401280 41 inc ecx
:00401281 83F912 cmp ecx, 00000012
:00401284 72D1 jb 00401257 /
:00401286 E875FDFFFF call 00401000
:0040128B 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004012A2(C)
:0040128D 8A4C0594 mov cl, byte ptr [ebp+eax-6C] \
:00401291 8A5405C8 mov dl, byte ptr [ebp+eax-38]
:00401295 80E930 sub cl, 30
:00401298 32D1 xor dl, cl ---转换过程三
:0040129A 885405C8 mov byte ptr [ebp+eax-38], dl
:0040129E 40 inc eax
:0040129F 83F812 cmp eax, 00000012
:004012A2 72E9 jb 0040128D /
:004012A4 E857FDFFFF call 00401000
:004012A9 8D55C8 lea edx, dword ptr [ebp-38]
:004012AC 52 push edx
:004012AD E85EFEFFFF call 00401110 ;转换过程四
:004012B2 E849FDFFFF call 00401000
:004012B7 8D45C8 lea eax, dword ptr [ebp-38]

* Possible StringData Ref from Data Obj ->"KEYGENNING4NEWBIES"
:004012BA 6814514000 push 00405114 ;固定字串"KEYGENNING4NEWBIES"
:004012BF 50 push eax ;上面转换而来的字串
:004012C0 E86BFEFFFF call 00401130 ;进行比较
:004012C5 83C40C add esp, 0000000C
:004012C8 85C0 test eax, eax
:004012CA 753C jne 00401308 ;关键跳转