【答案提交】【吾爱破解2014CrackMe大赛】【第二组】
本帖最后由 L4Nce 于 2014-10-24 22:26 编辑
首先看图标，应该是 VC MFC 程序。打开程序，输入任意注册名和注册码，按下 reg 键，没有反应。
使用 OD 载入程序，在入口点断下后查找字符串，没发现任何有用的字符串。下断 GetWindowTextA，输入任意注册名和注册码，按下 reg 键，程序断下。
返回到程序领空后,再返回一层,进入算法验证的代码段。
; OllyDbg dump of the handler at 00401B50 (author's "algorithm check"). Memory
; operands such as [esp+..] / fs:[..] were lost when the listing was pasted; the
; byte column still shows them, and comments below decode from it where useful.
; Reading: frame + SEH registration + stack-cookie store, save ebx/esi/edi, one
; helper call, a pushad/pushfd register snapshot spilled into locals, then two
; dialog-text reads whose returned lengths end up in edi (name) and esi (code).
; The routine continues past 00401C18; that part is not shown here.
00401B50/.55 push ebp ; algorithm check (author's label)
00401B51|.8BEC mov ebp,esp
00401B53|.83E4 F8 and esp,0xFFFFFFF8 ; 8-byte align the frame
00401B56|.6A FF push -0x1 ; push -1 / push handler / push fs:[0]: looks like the
00401B58|.68 162C5200 push CrackMe.00522C16 ;   MSVC SEH frame-registration triple -- operand lost, TODO confirm
00401B5D|.64:A1 0000000>mov eax,dword ptr fs: ; bytes 64:A1 00000000 -> fs:[0]
00401B63|.50 push eax
00401B64|.81EC A8070000 sub esp,0x7A8 ; 0x7A8 bytes of locals (input buffers live here)
00401B6A|.A1 00CC5600 mov eax,dword ptr ds: ; bytes decode to ds:[0x0056CC00]; XORed with esp and stored
00401B6F|.33C4 xor eax,esp ;   in the frame ([esp+0x7A0] from the bytes) -- pattern of a
00401B71|.898424 A00700>mov dword ptr ss:,eax ;   /GS stack cookie, presumed rather than verified here
00401B78|.53 push ebx ; save callee-saved ebx/esi/edi
00401B79|.56 push esi
00401B7A|.57 push edi
00401B7B|.A1 00CC5600 mov eax,dword ptr ds: ; same cookie value again, pushed this time
00401B80|.33C4 xor eax,esp
00401B82|.50 push eax
00401B83|.8D8424 B80700>lea eax,dword ptr ss: ; eax = [esp+0x7B8] per the bytes
00401B8A|.64:A3 0000000>mov dword ptr fs:,eax ; presumably fs:[0] = &SEH record built above -- confirm
00401B90|.68 50214000 push CrackMe.00402150 ; five stack args + ecx for 00500A85; its purpose is not visible here
00401B95|.68 40214000 push CrackMe.00402140
00401B9A|.6A 51 push 0x51
00401B9C|.6A 14 push 0x14
00401B9E|.8D4424 4C lea eax,dword ptr ss: ; eax = [esp+0x4C]
00401BA2|.50 push eax
00401BA3|.8BF1 mov esi,ecx ; esi = ecx (thiscall this-pointer, presumably the dialog CWnd); reused as ecx below
00401BA5|.E8 DBEE0F00 call CrackMe.00500A85
00401BAA|.C78424 C00700>mov dword ptr ss:,0x0 ; [esp+0x7C0] = 0
00401BB5|.60 pushad ; snapshot all 8 GPRs ...
00401BB6|.9C pushfd ; ... plus EFLAGS (9 dwords total)
00401BB7|.8F4424 58 pop dword ptr ss: ; the nine pops drain that snapshot into locals
00401BBB|.8F4424 50 pop dword ptr ss: ;   ([esp+0x58] down to [esp+0x18] per the bytes);
00401BBF|.8F4424 48 pop dword ptr ss: ;   whether it feeds the key algorithm or is
00401BC3|.8F4424 40 pop dword ptr ss: ;   obfuscation cannot be told from this excerpt
00401BC7|.8F4424 38 pop dword ptr ss:
00401BCB|.8F4424 30 pop dword ptr ss:
00401BCF|.8F4424 28 pop dword ptr ss:
00401BD3|.8F4424 20 pop dword ptr ss:
00401BD7|.8F4424 18 pop dword ptr ss:
00401BDB|.6A 0A push 0xA ; max chars for the name read (0xA = 10)
00401BDD|.8D8C24 9C0600>lea ecx,dword ptr ss: ; ecx = name buffer ([esp+0x69C])
00401BE4|.51 push ecx
00401BE5|.68 EB030000 push 0x3EB ; control id 0x3EB
00401BEA|.8BCE mov ecx,esi ; this-pointer back into ecx for the thiscall
00401BEC|.C74424 34 140>mov dword ptr ss:,0x14 ; [esp+0x34] = 0x14
00401BF4|.E8 2E060100 call CrackMe.00412227 ; GetDlgxxxx: read the registration name (author's note; arg order 0xA/buffer/0x3EB is consistent with GetDlgItemText(nID, buf, nMaxCount))
00401BF9|.68 04010000 push 0x104 ; max chars for the code read (0x104 = 260)
00401BFE|.8D9424 A80600>lea edx,dword ptr ss: ; edx = code buffer ([esp+0x6A8])
00401C05|.52 push edx
00401C06|.8BF8 mov edi,eax ; edi = return value of the name read (its length, per the cmp edi,3 at 00401C3B)
00401C08|.68 EC030000 push 0x3EC ; control id 0x3EC
00401C0D|.8BCE mov ecx,esi
00401C0F|.897C24 20 mov dword ptr ss:,edi ; also spill the name length to [esp+0x20]
00401C13|.E8 0F060100 call CrackMe.00412227 ; GetDlgxxxx: read the registration code (author's note)
00401C18|.8BF0 mov esi,eax ; esi = code length; note this overwrites the this-pointer that was kept in esi
向下单步可以看到算法,水平太菜了,用ida+f5都没看懂
一直往下到
; Final success check of the routine that starts at 00401B50 (fragment; the
; code that computes ecx from the inputs lies between 00401C18 and here and is
; not shown). Equality with the constant is the only path to the "good" box.
00401E51|.81F9 4EFA9EFA cmp ecx,0xFA9EFA4E ; compare: computed value in ecx vs. the expected constant
00401E57|.75 12 jnz XCrackMe.00401E6B ; jump: a mismatch skips the MessageBox below
00401E59|.52 push edx ; /Style  -- edx is pushed as both uType and hWnd; presumably 0 here (MB_OK, no owner), value not visible
00401E5A|.68 70D95400 push CrackMe.0054D970 ; |Title = "0"
00401E5F|.68 74D95400 push CrackMe.0054D974 ; |Text = "good"
00401E64|.52 push edx ; |hOwner
00401E65|.FF15 40585200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
将00401E57 |. 75 12 jnz XCrackMe.00401E6B 改成nop就可以进行爆破
这样爆破之后，用户名仍然必须大于三位。
在这段代码的开始部分可以看到
; Input-length gate inside the routine starting at 00401B50 (fragment). At this
; point edi = name length and esi = code length (set at 00401C06 / 00401C18).
; Both compares use ja, i.e. unsigned.
00401C3B|.83FF 03 cmp edi,0x3 ; name length vs. 3
00401C3E 77 1B ja XCrackMe.00401C5B ; jumps (to the accept path) when the name length is > 3
00401C40|.8D46 FC lea eax,dword ptr ds: ; bytes 8D46 FC decode to lea eax,[esi-4]: eax = code length - 4
00401C43|.83F8 03 cmp eax,0x3
00401C46|.77 13 ja XCrackMe.00401C5B ; unsigned: also accepts when code length > 7, or < 4 (esi-4 wraps around)
00401C48|.68 50214000 push CrackMe.00402150 ; neither test passed: same arg shape as the 00500A85 call
00401C4D|.6A 51 push 0x51 ;   in the prologue, then leave via 00401E79 (target not shown)
00401C4F|.6A 14 push 0x14
00401C51|.8D4C24 48 lea ecx,dword ptr ss: ; ecx = [esp+0x48]
00401C55|.51 push ecx
00401C56|.E9 1E020000 jmp CrackMe.00401E79
00401C5B|>8D4424 3C lea eax,dword ptr ss: ; accept path: eax = [esp+0x3C], then into the routine at 00401EB0
00401C5F|.E8 4C020000 call CrackMe.00401EB0
将 00401C3E 77 1B ja XCrackMe.00401C5B 改成 jmp CrackMe.00401C5B，让它无条件跳转，就可以跳过注册名长度的检测。
爆破后程序
最后成绩:28
爆破有效。
继续加油取得好成绩