Teaching Newbies to Write Keygens: Intermediate Part (1)
My previous lousy article (not a cracking article, a lousy one) got lost, so I've appended it at the end of this post. This one is labelled intermediate, but it's really only a tiny bit harder: cmp You, Expert / jz offset NextPage.
Alright, here's another one. It's still from the same series; download it here:
http://opencrackmes.crackmes.de/ope...ackmes/k4n2.zip
Run it: heh, it looks exactly the same. Disassemble it and the first part is almost identical too (GetDlgItem, GetWindowText), so I won't write those out; go straight to the code below. Note that [ebp-2C] holds the length of the username. (You can skip ahead and read the explanation that follows first.)
Code:

:004010ED 837DD403          cmp dword ptr [ebp-2C], 00000003
:004010F1 0F8E38010000      jle 0040122F                    ; username must be longer than 3 characters
:004010F7 33D2              xor edx, edx
:004010F9 33DB              xor ebx, ebx
:004010FB 8B55D4            mov edx, dword ptr [ebp-2C]
:004010FE 0155C4            add dword ptr [ebp-3C], edx
:00401101 0155C4            add dword ptr [ebp-3C], edx     ; computes [EBP-3C]
:00401104 8BC2              mov eax, edx
:00401106 83C005            add eax, 00000005
:00401109 8945B8            mov dword ptr [ebp-48], eax     ; computes [EBP-48]
:0040110C 33C0              xor eax, eax
:0040110E 8BCF              mov ecx, edi
:00401110 83C104            add ecx, 00000004
:00401113 894DB4            mov dword ptr [ebp-4C], ecx     ; computes [EBP-4C]
:00401116 33C9              xor ecx, ecx
:00401118 0155BC            add dword ptr [ebp-44], edx
:0040111B 017DBC            add dword ptr [ebp-44], edi     ; computes [EBP-44]
:0040111E 6BFF03            imul edi, 00000003
:00401121 897DC0            mov dword ptr [ebp-40], edi     ; computes [EBP-40]
:00401124 33FF              xor edi, edi
:00401126 0FBE8C0544FFFFFF  movsx ecx, byte ptr [ebp+eax-000000BC]
:0040112E 83F961            cmp ecx, 00000061
:00401131 7C07              jl 0040113A
:00401133 90                nop
:00401134 90                nop
:00401135 90                nop
:00401136 90                nop
:00401137 83E920            sub ecx, 00000020

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401131(C)
:0040113A 8BF1              mov esi, ecx
:0040113C 03DE              add ebx, esi
:0040113E 0FAFD9            imul ebx, ecx
:00401141 4A                dec edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401178(C)
:00401142 0FBE8C2F44FFFFFF  movsx ecx, byte ptr [edi+ebp-000000BC]
:0040114A 0FBEB42F45FFFFFF  movsx esi, byte ptr [edi+ebp-000000BB]
:00401152 83F961            cmp ecx, 00000061
:00401155 7D12              jge 00401169
:00401157 90                nop
:00401158 90                nop
:00401159 90                nop
:0040115A 90                nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040116C(U)
:0040115B 83FE61            cmp esi, 00000061
:0040115E 7D0E              jge 0040116E
:00401160 90                nop
:00401161 90                nop
:00401162 90                nop
:00401163 90                nop
:00401164 EB0B              jmp 00401171
:00401166 90                nop
:00401167 90                nop
:00401168 90                nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401155(C)
:00401169 83E920            sub ecx, 00000020
:0040116C EBED              jmp 0040115B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040115E(C)
:0040116E 83EE20            sub esi, 00000020

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401164(U)
:00401171 47                inc edi
:00401172 03DE              add ebx, esi
:00401174 0FAFD9            imul ebx, ecx
:00401177 4A                dec edx
:00401178 75C8              jne 00401142
:0040117A 895DC8            mov dword ptr [ebp-38], ebx     ; computes [EBP-38]
:0040117D 33C9              xor ecx, ecx
:0040117F 33D2              xor edx, edx
:00401181 33DB              xor ebx, ebx
:00401183 33C0              xor eax, eax
:00401185 837DD432          cmp dword ptr [ebp-2C], 00000032
:00401189 0F8DA0000000      jnl 0040122F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040119F(C)
:0040118F 0FBE840D44FFFFFF  movsx eax, byte ptr [ebp+ecx-000000BC]
:00401197 03C1              add eax, ecx
:00401199 03D8              add ebx, eax
:0040119B 41                inc ecx
:0040119C 3B4DD4            cmp ecx, dword ptr [ebp-2C]
:0040119F 75EE              jne 0040118F
:004011A1 D1C0              rol eax, 1
:004011A3 3540E20100        xor eax, 0001E240
:004011A8 8945B0            mov dword ptr [ebp-50], eax     ; computes [EBP-50]
:004011AB 33C9              xor ecx, ecx
:004011AD 33D2              xor edx, edx
:004011AF 33DB              xor ebx, ebx
:004011B1 33C0              xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011C6(C)
:004011B3 0FBE840D44FFFFFF  movsx eax, byte ptr [ebp+ecx-000000BC]
:004011BB 6BD006            imul edx, eax, 00000006
:004011BE 33C2              xor eax, edx
:004011C0 03D8              add ebx, eax
:004011C2 41                inc ecx
:004011C3 3B4DD4            cmp ecx, dword ptr [ebp-2C]
:004011C6 75EB              jne 004011B3
:004011C8 035DB0            add ebx, dword ptr [ebp-50]
:004011CB 895DAC            mov dword ptr [ebp-54], ebx     ; computes [EBP-54]
:004011CE FF75C0            push [ebp-40]
:004011D1 FF75C4            push [ebp-3C]
:004011D4 FF75BC            push [ebp-44]
:004011D7 FF75C8            push [ebp-38]
:004011DA FF75B4            push [ebp-4C]
:004011DD FF75B8            push [ebp-48]
:004011E0 FF75AC            push [ebp-54]
:004011E3 FF75B0            push [ebp-50]

* Possible StringData Ref from Data Obj ->"%lX%lu-%lu%lX-%lu%lu-%lX%lX"
:004011E6 6838B44000        push 0040B438
:004011EB 8D857CFEFFFF      lea eax, dword ptr [ebp+FFFFFE7C]
:004011F1 50                push eax
:004011F2 E88D3D0000        call 00404F84                   ; wsprintf()
:004011F7 83C428            add esp, 00000028
:004011FA 8D957CFEFFFF      lea edx, dword ptr [ebp+FFFFFE7C]
:00401200 52                push edx
:00401201 8D8DE0FEFFFF      lea ecx, dword ptr [ebp+FFFFFEE0]
:00401207 51                push ecx

* Reference To: KERNEL32.lstrcmpA, Ord:0000h
:00401208 E8399C0000        Call 0040AE46                   ; compare
:0040120D 85C0              test eax, eax
:0040120F 750F              jne 00401220                    ; the key jump
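As an added example (my own C transcription, not the crackme's source and not part of the original post), here is the serial routine above rewritten one block at a time, which is the usual way to turn a listing like this into a keygen. The listing does not show where edi, [ebp-3C] and [ebp-44] get their initial values before 004010F7 (they are set earlier, in the part skipped above), so the code takes them as parameters and the sample run assumes all three are 0; the struct and function names are mine. Two things worth noticing while transcribing: the wsprintf arguments appear in the reverse of the push order (so [ebp-50] is the first %lX), and the loop at 0040118F accumulates into ebx but only the final eax survives into [ebp-50], because ebx is zeroed again at 004011AF.

```c
/* Added C transcription of the k4n2 check routine (not the crackme's own code).
 * Assumption: edi, [ebp-3C] and [ebp-44] are passed in as edi0, v3c0, v440
 * because the listing does not show their initialisation. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One field per stack slot computed by the routine, named after the slot. */
struct k4n2_parts {
    uint32_t v3c, v48, v4c, v44, v40, v38, v50, v54;
};

/* 004010FE-00401121 and the three loops; returns 0 when a length check fails. */
int k4n2_compute(const char *name, uint32_t edi0, uint32_t v3c0, uint32_t v440,
                 struct k4n2_parts *p)
{
    uint32_t len = (uint32_t)strlen(name);
    if (len <= 3 || len >= 0x32)           /* 004010ED (jle) and 00401185 (jnl) */
        return 0;

    p->v3c = v3c0 + 2 * len;               /* edx (len) added twice */
    p->v48 = len + 5;
    p->v4c = edi0 + 4;
    p->v44 = v440 + len + edi0;
    p->v40 = edi0 * 3;

    /* 00401126-00401178: first character alone, then every adjacent pair.
     * "Uppercasing" is exactly what the binary does: anything >= 'a' loses 0x20.
     * movsx is mirrored by sign-extending through int8_t. */
    uint32_t ebx = 0;
    int32_t c = (int8_t)name[0];
    if (c >= 'a') c -= 0x20;
    ebx = (ebx + (uint32_t)c) * (uint32_t)c;      /* add ebx,esi ; imul ebx,ecx */
    for (uint32_t i = 0; i + 1 < len; i++) {      /* edx = len-1 iterations */
        int32_t c1 = (int8_t)name[i], c2 = (int8_t)name[i + 1];
        if (c1 >= 'a') c1 -= 0x20;
        if (c2 >= 'a') c2 -= 0x20;
        ebx = (ebx + (uint32_t)c2) * (uint32_t)c1;
    }
    p->v38 = ebx;

    /* 0040118F-004011A8: the ebx sum is discarded; only the last eax matters,
     * i.e. last character plus its index, rotated left once, xor 0x1E240. */
    uint32_t eax = (uint32_t)(int8_t)name[len - 1] + (len - 1);
    eax = (eax << 1) | (eax >> 31);               /* rol eax, 1 */
    p->v50 = eax ^ 0x1E240;

    /* 004011B3-004011CB: sum of (ch ^ ch*6) over the name, plus [ebp-50] */
    ebx = 0;
    for (uint32_t i = 0; i < len; i++) {
        uint32_t ch = (uint32_t)(int8_t)name[i];
        ebx += ch ^ (ch * 6);
    }
    p->v54 = ebx + p->v50;
    return 1;
}

/* 004011E6: "%lX%lu-%lu%lX-%lu%lu-%lX%lX" with the arguments in reverse push
 * order.  wsprintf's %lX/%lu are 32-bit on Win32, hence PRIX32/PRIu32 here. */
int k4n2_serial(const char *name, uint32_t edi0, uint32_t v3c0, uint32_t v440,
                char *out, size_t outsz)
{
    struct k4n2_parts p;
    if (!k4n2_compute(name, edi0, v3c0, v440, &p))
        return 0;
    snprintf(out, outsz,
             "%" PRIX32 "%" PRIu32 "-%" PRIu32 "%" PRIX32 "-%" PRIu32 "%" PRIu32
             "-%" PRIX32 "%" PRIX32,
             p.v50, p.v54, p.v48, p.v4c, p.v38, p.v44, p.v3c, p.v40);
    return 1;
}

/* Mirrors the lstrcmpA at 00401208: 1 when the serial matches the name. */
int k4n2_check(const char *name, const char *serial, uint32_t edi0,
               uint32_t v3c0, uint32_t v440)
{
    char expect[128];
    if (!k4n2_serial(name, edi0, v3c0, v440, expect, sizeof expect))
        return 0;
    return strcmp(expect, serial) == 0;
}

int main(int argc, char **argv)
{
    char serial[128];
    const char *name = argc > 1 ? argv[1] : "test";   /* constructed sample name */
    if (!k4n2_serial(name, 0, 0, 0, serial, sizeof serial)) {
        fprintf(stderr, "name must be 4 to 49 characters long\n");
        return 1;
    }
    printf("%s -> %s\n", name, serial);
    return 0;
}
```

With the assumed zero initial values, the name "test" yields 1E2AE126274-94-34280918134-80; if the real initial values of edi, [ebp-3C] and [ebp-44] turn out to be non-zero in the earlier code, only the three parameters need to change.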