CrackMe download
Cracking Crackme7 (Falcon CrackMe):
Another one written in BD (Borland Delphi). Set the usual breakpoint on HMEMCPY, press F12 a few times until you are back in the program's own code, then F10 a few more times (that is how I did it ^-^) to reach the core:
...
:00456966 A120984500 mov eax, dword ptr [00459820]
:0045696B 8B80D4020000 mov eax, dword ptr [eax+000002D4]
:00456971 E836C9FCFF call 004232AC
:00456976 8B45FC mov eax, dword ptr [ebp-04]
:00456979 E8FED1FAFF call 00403B7C /* fetch the NUM. */
:0045697E 83F804 cmp eax, 00000004 /* the NUM. must be > 4 */
:00456981 7E3D jle 004569C0
:00456983 803D2498450000 cmp byte ptr [00459824], 00
:0045698A 7514 jne 004569A0
:0045698C 8B45FC mov eax, dword ptr [ebp-04]
:0045698F E868FFFFFF call 004568FC /* process the NUM. */
:00456994 83F902 cmp ecx, 00000002
:00456997 7507 jne 004569A0
:00456999 C6052498450001 mov byte ptr [00459824], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045698A(C), :00456997(C)
|
:004569A0 FE0525984500 inc byte ptr [00459825]
:004569A6 803D2498450001 cmp byte ptr [00459824], 01
:004569AD 7511 jne 004569C0
:004569AF 803D2598450002 cmp byte ptr [00459825], 02
:004569B6 7508 jne 004569C0
:004569B8 8B45FC mov eax, dword ptr [ebp-04]
:004569BB E8FCFEFFFF call 004568BC
...
One look tells you: step into the CALL at :0045698F, find the correct NUM. or work out the algorithm. VERY GOOD! So it seems, but... this program is a bit special: once we have found a NUM. that way, entering it still does nothing, as if that NUM. did not work! Actually I should be self-critical here: when cracking this program I should have read its README first to learn how it works. (This thing is rather odd: a wrong NUM. gives no reaction, and a correct one only makes the English word 'Registered' appear in the title bar, with no MESSAGEBOX!)... The foreign CRACK experts call this an interesting crackme; to me it is a trap for us newbies...
This is how it works:
When you enter the first NUM. correctly there is no reaction (and none if it is wrong either!), but inside the program byte [00459824] is set to 1. Then, when the second NUM. is entered correctly, the window title changes to: RegisTeRed... (silently... a careless glance would take it for a failure!) and [00459825] becomes 2.
Right, so what you found above is only the first NUM.; that CALL is:
...
* Referenced by a CALL at Address:
|:0045698F
|
:004568FC 55 push ebp
:004568FD 31C9 xor ecx, ecx
:004568FF 8D30 lea esi, dword ptr [eax]
:00456901 83C604 add esi, 00000004
:00456904 BB998F3337 mov ebx, 37338F99
:00456909 AD lodsd
:0045690A 31C3 xor ebx, eax
:0045690C C1C330 rol ebx, 30
:0045690F 81F300009999 xor ebx, 99990000
:00456915 C1CB50 ror ebx, 50
:00456918 83EE08 sub esi, 00000008
:0045691B AD lodsd
:0045691C 01C3 add ebx, eax
:0045691E 81F399999999 xor ebx, 99999999
:00456924 C1C370 rol ebx, 70
:00456927 81FB75533D53 cmp ebx, 533D5375
:0045692D 751C jne 0045694B
:0045692F 41 inc ecx
:00456930 83EE04 sub esi, 00000004
:00456933 AD lodsd
:00456934 89C3 mov ebx, eax
:00456936 AD lodsd
:00456937 C1CB80 ror ebx, 80
:0045693A 81F399990000 xor ebx, 00009999
:00456940 31C3 xor ebx, eax
:00456942 81FB998F3337 cmp ebx, 37338F99
:00456948 7501 jne 0045694B
:0045694A 41 inc ecx
...
This is the code that computes the NUM. The algorithm goes like this: it splits the entered NUM. into a first and a second half, computes a value from each half, then CMPs each result against its own constant, so the NUM. is unique.
The algorithm is rather tedious, so I will use an example! (I also used equations to solve it! Luckily my high-school maths was decent, heh... the number after each -> is the result of the preceding operation.)
I entered: 1234abcd (below, '4321' and 'dcba' stand for the two dwords 34333231H and 64636261H, i.e. the halves as loaded from memory with their bytes in reverse order)
It first takes 'dcba' -> 64636261H XOR 37338F99H -> 5350EDF8H ROL 30 -> EDF85350H XOR 99990000H -> 74615350H ROR 50 -> 53507461H + 34333231H ('4321') -> 8783A692H XOR 99999999H -> 1E1A3F0BH ROL 70 -> 3F0B1E1AH CMP 533D5375H
Then it takes '4321' -> 34333231H ROR 80 -> 34333231H XOR 00009999H -> 3433ABA8H XOR 64636261H ('dcba') -> 5050C9C9H CMP 37338F99H
There is the algorithm. Tedious: lots of rotates, and you cannot use arithmetic, only logical operations... Actually it is not that bad; the logical operations can be undone by eye, rotating back exactly as it rotated forward, heh... But you will notice that the two computations cross over, so for me that means equations. Let '4321' be X and 'dcba' be Y:
Look carefully:
64636261H XOR 37338F99H -> 5350EDF8H ROL 30 -> EDF85350H XOR 99990000H -> 74615350H ROR 50 -> 53507461H + 34333231H ('4321') is just Y XOR 37338F99H XOR 9999H + X (the ROL and ROR cancel, which turns 99990000H into 9999H); that sum then goes XOR 99999999H -> ROL 70 and must equal 533D5375H -- (1)
'4321' -> 34333231H ROR 80 -> 34333231H XOR 00009999H -> 3433ABA8H XOR 64636261H ('dcba') -> 5050C9C9H CMP 37338F99H becomes:
X XOR 00009999H XOR Y = 37338F99H -> X = 37338F99H XOR 00009999H XOR Y -- (2)
Working the right-hand side of (1) backwards (ROR 70 of 533D5375H, then XOR 99999999H) gives: Y XOR 37338F99H XOR 9999H + X = CAECCAA4H -- (3)
Substituting (2) into (3), the two terms being added are the same, so:
Y XOR 37338F99H XOR 9999H = CAECCAA4H / 2
Thus Y = 52457352H = 'REsR', and it is easy to compute X = 65766552H = 'eveR'.
So NUM.1 = ReveRsER
Now enter NUM.1 (best to reLOAD the program first), press CHECK, then enter '1234abcd', set the HMEMCPY breakpoint in SICE and press CHECK; after the break, the same few F12s and F10s bring you back to the familiar place:
...
:00456966 A120984500 mov eax, dword ptr [00459820]
:0045696B 8B80D4020000 mov eax, dword ptr [eax+000002D4]
:00456971 E836C9FCFF call 004232AC
:00456976 8B45FC mov eax, dword ptr [ebp-04]
:00456979 E8FED1FAFF call 00403B7C /* fetch the NUM. */
:0045697E 83F804 cmp eax, 00000004 /* the NUM. must be > 4 */
:00456981 7E3D jle 004569C0
:00456983 803D2498450000 cmp byte ptr [00459824], 00
:0045698A 7514 jne 004569A0 /* this time it jumps here */
:0045698C 8B45FC mov eax, dword ptr [ebp-04]
:0045698F E868FFFFFF call 004568FC
:00456994 83F902 cmp ecx, 00000002
:00456997 7507 jne 004569A0
:00456999 C6052498450001 mov byte ptr [00459824], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045698A(C), :00456997(C)
|
:004569A0 FE0525984500 inc byte ptr [00459825]
:004569A6 803D2498450001 cmp byte ptr [00459824], 01
:004569AD 7511 jne 004569C0
:004569AF 803D2598450002 cmp byte ptr [00459825], 02
:004569B6 7508 jne 004569C0
:004569B8 8B45FC mov eax, dword ptr [ebp-04]
:004569BB E8FCFEFFFF call 004568BC
...
It jumps to here:
...
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045698A(C), :00456997(C)
|
:004569A0 FE0525984500 inc byte ptr [00459825]
:004569A6 803D2498450001 cmp byte ptr [00459824], 01
:004569AD 7511 jne 004569C0
:004569AF 803D2598450002 cmp byte ptr [00459825], 02
:004569B6 7508 jne 004569C0
:004569B8 8B45FC mov eax, dword ptr [ebp-04]
:004569BB E8FCFEFFFF call 004568BC /* enters this CALL, which computes NUM.2 */
...
Into the CALL:
...
* Referenced by a CALL at Address:
|:004569BB
|
:004568BC 89C6 mov esi, eax
:004568BE 31DB xor ebx, ebx
:004568C0 31D2 xor edx, edx
:004568C2 BB66563412 mov ebx, 12345666
:004568C7 AD lodsd
:004568C8 81F312505500 xor ebx, 00555012
:004568CE C1C350 rol ebx, 50
:004568D1 F7D3 not ebx
:004568D3 31C3 xor ebx, eax
:004568D5 F7D3 not ebx
:004568D7 81C3636C6146 add ebx, 46616C63
:004568DD 81FB85CC768B cmp ebx, 8B76CC85
:004568E3 7514 jne 004568F9
:004568E5 AD lodsd
:004568E6 F7D0 not eax
:004568E8 2D00000050 sub eax, 50000000
:004568ED 3D9496B168 cmp eax, 68B19694
:004568F2 7505 jne 004568F9
:004568F4 E877FFFFFF call 00456870
...
Above is the code that computes NUM.2. Again it is done in two halves, but this time it is simpler (perhaps the author figured that any CRACKER who got this far is an expert and need not be made to grind through a tedious algorithm for the NUM.!):
12345666H XOR 00555012H -> 12610674H ROL 50 -> 06741261H NOT -> F98BED9EH XOR 34333231H ('4321') -> CDB8DFAFH NOT -> 32472050H + 46616C63H -> 78A88CB3H CMP 8B76CC85H
64636261H ('dcba') NOT -> 9B9C9D9EH - 50000000H -> 4B9C9D9EH CMP 68B19694H
Right, one look and you can see that simply running this backwards gives NUM.2: CraCkiNG
Go through it once more and you will find the title has silently changed...
OK!
NUM.1: ReveRsER
NUM.2: CraCkiNG
Vitamin C [ascorbic acid]. 2002.2.10. HY.GD.CHI.
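As an added example (not the crackme's own code, nor from the original write-up), here are both check routines and the inversions derived above re-implemented in Python; the only assumption is that the serial is 8 ASCII characters, as in the traces:

```python
# Added example, not the crackme's code: the two serial checks traced above
# plus the write-up's inversions. Rotate counts are masked to 5 bits as the CPU
# does: ROL 30h / ROR 50h / ROL 70h rotate by 16 and ROR 80h is a no-op.
M = 0xFFFFFFFF

def rol(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & M

def ror(v, n):
    return rol(v, (32 - (n & 31)) & 31)

def halves(serial):
    """The two little-endian dwords the code LODSDs: '1234' -> 34333231H."""
    b = serial.encode("ascii")
    return int.from_bytes(b[:4], "little"), int.from_bytes(b[4:8], "little")

def check1(serial):
    """Mirror of the routine at 004568FC; returns ecx, which must reach 2."""
    x, y = halves(serial)
    ebx = ror(rol(0x37338F99 ^ y, 0x30) ^ 0x99990000, 0x50)
    ebx = rol(((ebx + x) & M) ^ 0x99999999, 0x70)
    if ebx != 0x533D5375:
        return 0
    # second compare: ROR 80h leaves x unchanged
    return 2 if ror(x, 0x80) ^ 0x00009999 ^ y == 0x37338F99 else 1

def check2(serial):
    """Mirror of the routine at 004568BC; True when both compares pass."""
    x, y = halves(serial)
    ebx = ~rol(0x12345666 ^ 0x00555012, 0x50) & M
    ebx = ((~(ebx ^ x) & M) + 0x46616C63) & M
    eax = ((~y & M) - 0x50000000) & M
    return ebx == 0x8B76CC85 and eax == 0x68B19694

def solve1():
    """Equations (1)-(3): X == Y ^ 37338F99H ^ 9999H, so 2*X == CAECCAA4H."""
    c = ror(0x533D5375, 16) ^ 0x99999999      # CAECCAA4H
    x = c // 2                                 # the other root, x + 80000000H, is not ASCII
    y = x ^ 0x37338F99 ^ 0x00009999
    return x.to_bytes(4, "little").decode() + y.to_bytes(4, "little").decode()

def solve2():
    """Run check2 backwards; here each half depends only on itself."""
    t = ~rol(0x12345666 ^ 0x00555012, 0x50) & M   # ebx just before the XOR with X
    x = (~((0x8B76CC85 - 0x46616C63) & M) & M) ^ t
    y = ~((0x68B19694 + 0x50000000) & M) & M
    return x.to_bytes(4, "little").decode() + y.to_bytes(4, "little").decode()
```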