2019-04-01 CrackMe 4
月夜阑珊
A Delphi program; three main controls are visible:
Username
Registration code
A blank area
Viewing it in DeDe:
The key handler for Edit2 is chkcode
Locate chkcode and set a breakpoint on it:
chkcode
As soon as the field is edited, the breakpoint is hit:
00457C40 /. 55 push ebp
00457C41 |. 8BEC mov ebp,esp
00457C43 |. 51 push ecx
00457C44 |. B9 05000000 mov ecx,0x5
00457C49 |> 6A 00 /push 0x0
00457C4B |. 6A 00 |push 0x0
00457C4D |. 49 |dec ecx
00457C4E |.^ 75 F9 \jnz XCKme.00457C49
00457C50 |. 51 push ecx
00457C51 |. 874D FC xchg [local.1],ecx
00457C54 |. 53 push ebx
00457C55 |. 56 push esi
00457C56 |. 8BD8 mov ebx,eax
00457C58 |. 33C0 xor eax,eax
00457C5A |. 55 push ebp
00457C5B |. 68 3D7E4500 push CKme.00457E3D
00457C60 |. 64:FF30 push dword ptr fs:[eax]
00457C63 |. 64:8920 mov dword ptr fs:[eax],esp
00457C66 |. 8BB3 F8020000 mov esi,dword ptr ds:[ebx+0x2F8]
00457C6C |. 83C6 05 add esi,0x5
00457C6F |. FFB3 10030000 push dword ptr ds:[ebx+0x310]
00457C75 |. 8D55 F8 lea edx,[local.2]
00457C78 |. 8BC6 mov eax,esi
00457C7A |. E8 85FEFAFF call CKme.00407B04
00457C7F |. FF75 F8 push [local.2]
00457C82 |. FFB3 14030000 push dword ptr ds:[ebx+0x314]
00457C88 |. 8D55 F4 lea edx,[local.3]
00457C8B |. 8B83 D4020000 mov eax,dword ptr ds:[ebx+0x2D4]
00457C91 |. E8 B2B6FCFF call CKme.00423348
00457C96 |. FF75 F4 push [local.3]
00457C99 |. 8D83 18030000 lea eax,dword ptr ds:[ebx+0x318]
00457C9F |. BA 04000000 mov edx,0x4
00457CA4 |. E8 93BFFAFF call CKme.00403C3C
00457CA9 |. 33D2 xor edx,edx
00457CAB |. 8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CB1 |. E8 AAB5FCFF call CKme.00423260
00457CB6 |. 8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]
00457CBC |. 8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CC2 |. E8 B1B6FCFF call CKme.00423378
00457CC7 |. 33F6 xor esi,esi
00457CC9 |> 8D55 EC /lea edx,[local.5]
00457CCC |. 8B83 D4020000 |mov eax,dword ptr ds:[ebx+0x2D4]
00457CD2 |. E8 71B6FCFF |call CKme.00423348
00457CD7 |. 8B45 EC |mov eax,[local.5]
00457CDA |. E8 9DBEFAFF |call CKme.00403B7C
00457CDF |. 83C0 03 |add eax,0x3
00457CE2 |. 8D55 F0 |lea edx,[local.4]
00457CE5 |. E8 1AFEFAFF |call CKme.00407B04
00457CEA |. FF75 F0 |push [local.4]
00457CED |. 8D55 E8 |lea edx,[local.6]
00457CF0 |. 8B83 D4020000 |mov eax,dword ptr ds:[ebx+0x2D4]
00457CF6 |. E8 4DB6FCFF |call CKme.00423348
00457CFB |. FF75 E8 |push [local.6]
00457CFE |. 8D55 E4 |lea edx,[local.7]
00457D01 |. 8BC6 |mov eax,esi
00457D03 |. E8 FCFDFAFF |call CKme.00407B04
00457D08 |. FF75 E4 |push [local.7]
00457D0B |. 8D45 FC |lea eax,[local.1]
00457D0E |. BA 03000000 |mov edx,0x3
00457D13 |. E8 24BFFAFF |call CKme.00403C3C
00457D18 |. 46 |inc esi
00457D19 |. 83FE 13 |cmp esi,0x13
00457D1C |.^ 75 AB \jnz XCKme.00457CC9
00457D1E |. 8D55 E0 lea edx,[local.8]
00457D21 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00457D27 |. E8 1CB6FCFF call CKme.00423348
00457D2C |. 8B45 E0 mov eax,[local.8]
00457D2F |. 8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]
00457D35 |. E8 52BFFAFF call CKme.00403C8C
00457D3A |. /75 0A jnz XCKme.00457D46
00457D3C |. |C783 0C030000>mov dword ptr ds:[ebx+0x30C],0x3E
00457D46 |> \8B83 0C030000 mov eax,dword ptr ds:[ebx+0x30C]
Before 0x0457D1C there is a loop that runs 0x13 times; I did not trace it closely and could not quite work out what it is for.
But looking at:
00457D2C |. 8B45 E0 mov eax,[local.8]
00457D2F |. 8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]
00457D35 |. E8 52BFFAFF call CKme.00403C8C
the code before it should be a string concatenation
that generates the real serial from the name:
"黑头Sun Bird"+str(len(name)+5)+"dseloffc-012-OK"+name
If the compared serials match, a flag is set:
00457D3C |. C783 0C030000>mov dword ptr ds:[ebx+0x30C],0x3E
Tracing panel1click (single click), the key part is:
00458031 |. 81BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x85
0045803B |. 75 76 jnz XCKme.004580B3
0045803D |. 33DB xor ebx,ebx
This comparison of the flag against 0x85 never passes on its own, because the earlier check only set it to 0x3E.
Now the double-click handler, panel1Dblclick:
00457EF5 |. 83BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x3E
00457EFC |. 75 0A jnz XCKme.00457F08
00457EFE |. C786 0C030000>mov dword ptr ds:[esi+0x30C],0x85
It checks whether the flag is 0x3E and, if so, sets it to 0x85.
So the correct order to crack it is:
Enter the name
Enter the serial: "黑头Sun Bird"+str(len(name)+5)+"dseloffc-012-OK"+name
Double-click the blank area
Single-click the blank area
Finally, success:
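As an added illustration (not code from the original post or the CrackMe itself), here is a Python model of the check logic as the write-up reconstructs it: the serial formula, the 0x3E flag written by chkcode, the 0x3E-to-0x85 transition in panel1Dblclick, and the 0x85 test in panel1click. The class and method names are assumptions, the flag is modelled as only ever being set (the disassembly shows no reset path), and the 0x13-iteration loop before 00457D1C is left out because the write-up does not resolve it.

```python
# Model of the CrackMe 4 validation flow reconstructed in the write-up.
# Constructed for illustration; names and structure are assumptions.

FLAG_NONE = 0
FLAG_CODE_OK = 0x3E      # stored at [ebx+0x30C] by chkcode when the serial matches
FLAG_DBLCLICKED = 0x85   # stored by panel1Dblclick when the flag was already 0x3E


def make_serial(name: str) -> str:
    """Serial derived from the name, exactly as the write-up states it.

    len(name) is the character count here; the original Delphi Length()
    would count bytes for a non-ASCII AnsiString (assumption, not verified).
    """
    return "黑头Sun Bird" + str(len(name) + 5) + "dseloffc-012-OK" + name


class CrackMeModel:
    """State machine mirroring the three handlers discussed in the write-up."""

    def __init__(self) -> None:
        self.name = ""
        self.flag = FLAG_NONE
        self.success = False

    def edit_name(self, name: str) -> None:
        self.name = name

    def chkcode(self, code: str) -> int:
        # Edit2 handler: compare against the generated serial; on match set 0x3E.
        # The jnz at 00457D3A skips the store on mismatch, so nothing is cleared.
        if code == make_serial(self.name):
            self.flag = FLAG_CODE_OK
        return self.flag

    def panel1_dblclick(self) -> int:
        # cmp [esi+0x30C],0x3E ; jnz skip ; mov [esi+0x30C],0x85
        if self.flag == FLAG_CODE_OK:
            self.flag = FLAG_DBLCLICKED
        return self.flag

    def panel1_click(self) -> bool:
        # cmp [esi+0x30C],0x85 ; jnz fail
        if self.flag == FLAG_DBLCLICKED:
            self.success = True
        return self.success


def run_sequence(name: str, code: str, actions: list[str]) -> bool:
    """Replay a click sequence after entering name and code; True on success."""
    m = CrackMeModel()
    m.edit_name(name)
    m.chkcode(code)
    for action in actions:
        if action == "dblclick":
            m.panel1_dblclick()
        elif action == "click":
            m.panel1_click()
    return m.success


if __name__ == "__main__":
    n = "test"
    print(make_serial(n))
    print("dblclick then click:", run_sequence(n, make_serial(n), ["dblclick", "click"]))
    print("click only:", run_sequence(n, make_serial(n), ["click"]))
```

Replaying the sequence with `click` alone reproduces the author's observation that the single-click check against 0x85 cannot pass until the double-click has promoted the flag from 0x3E.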
Success