CrackMe v.a01: simple registration code
Date: 2004/10/15 0:58:00  Source: compiled by this site  Author: 蓝点
http://wocy.top263.net/crackme/crackmea01.zip
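Other people cracked this crackme long ago, but I could not find a write-up for it just now.
So let me try it myself:
I also got the brute-force patch working on Win2000 a long time ago!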
String Resource ID=00101: "s?CrakeMe(&A)..."
"Registed. Good job."
"Unregister"
* Reference To: MSVCRT._mbscmp, Ord:0159h
|
:0040165B FF15B0214000 Call dword ptr [004021B0]
:00401661 83C408 add esp, 00000008
:00401664 85C0 test eax, eax
:00401666 750D jne 00401675//->je (patch OK!)
* Possible StringData Ref from Data Obj ->"Registed. Good job."
|
:00401668 682C304000 push 0040302C
:0040166D 8D4E68 lea ecx, dword ptr [esi+68]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:00401670 E853020000 Call 004018C8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401666(C)
|
:00401675 6A00 push 00000000
:00401677 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
|
:00401679 E85C020000 Call 004018DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040163D(C)
|
:0040167E 8D4C2404 lea ecx, dword ptr [esp+04]
:00401682 C7442410FFFFFFFF mov [esp+10], FFFFFFFF
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:0040168A E861010000 Call 004017F0
:0040168F 8B4C2408 mov ecx, dword ptr [esp+08]
:00401693 5E pop esi
:00401694 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040169B 83C410 add esp, 00000010
:0040169E C3 ret
:0040169F 90 nop
:004016A0 56 push esi
:004016A1 8BF1 mov esi, ecx
:004016A3 680C314000 push 0040310C
:004016A8 8D4E60 lea ecx, dword ptr [esi+60]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004016AB E818020000 Call 004018C8
:004016B0 680C314000 push 0040310C
:004016B5 8D4E64 lea ecx, dword ptr [esi+64]
* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:004016B8 E80B020000 Call 004018C8
* Possible StringData Ref from Data Obj ->"Unregister"
|
:004016BD 6820304000 push 00403020
:004016C2 8D4E68 lea ecx, dword ptr [esi+68]
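The disassembly shows that it first jumps over the success message and then runs the failure path, so I decided early on that the best place to start cracking it is the success message!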
:0040165B FF15B0214000 Call dword ptr [004021B0]
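Several tutorials I have read say the registration code can also be found at the key call, so I thought the registration code might be sitting right here.
Boot into Win98 and use TRW2000: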
bpx 40165b
d eax or d ecx: sure enough, the registration code shows up! (Really? In less than a minute?)
OK, let's try cracking it directly with TRW2000:
Enter a name and a code
bpx hmemcpy
x
bd *
0167:00401342 CALL `MFC42!ord_00000942`
Intercepted at:
0167:00401347 LEA ECX,[ESI+64] //->d ecx=name
ds:[63fd65]=006542f0
d 006542f0=code
0167:0040134A PUSH ECX
0167:0040134B PUSH DWORD 03E9
0167:00401350 PUSH EDI
0167:00401351 CALL `MFC42!ord_00000942`
0167:00401356 ADD ESI,BYTE +68
0167:00401359 PUSH ESI
0167:0040135A PUSH DWORD 03EB
0167:0040135F PUSH EDI
0167:00401360 CALL `MFC42!ord_00000942`
0167:00401365 POP EDI
0167:00401366 POP ESI
Not far from the target?
Before long we arrive here:
0167:0040162E CALL `MFC42!ord_000018BE`
0167:00401633 MOV ECX,[ESI+60] d ecx=name
0167:00401636 LEA EAX,[ESI+60] d eax=name
0167:00401639 CMP DWORD [ECX-08],BYTE +04 code length is 4
0167:0040163D JL 0040167E heh, this checks whether the code is shorter than 4 characters; if it is, it jumps away and it's game over?
0167:0040163F PUSH EAX
0167:00401640 LEA ECX,[ESP+08]
0167:00401644 CALL `MFC42!ord_0000035A`
0167:00401649 LEA ECX,[ESP+04]
0167:0040164D CALL `MFC42!ord_0000106B`
0167:00401652 MOV EAX,[ESI+64] \
0167:00401655 MOV EDX,[ESP+04] \real code!(good!)
0167:00401659 PUSH EAX /
0167:0040165A PUSH EDX /
0167:0040165B CALL `MSVCRT!_mbscmp`/
0167:00401661 ADD ESP,BYTE +08
0167:00401664 TEST EAX,EAX
0167:00401666 JNZ 00401675
0167:00401668 PUSH DWORD 0040302C
0167:0040166D LEA ECX,[ESI+68]
........................................
0167:0040165B CALL `MSVCRT!_mbscmp`
At this point eax=00654340 ecx=00654340
Also in the stack prot32 x window:
0063f908 ->00654340
See? This shows once again that the stack prot32 x window is of some use when looking for a registration code.
1212
This CALL `MSVCRT!_mbscmp` corresponds to the strcmp() function.
PeterCheN:
name:peterchen
code:nehcretep
Why are the name and the code so similar?
name:chen
code:nehc
name:chens
code:snehc
Summary of the algorithm:
chen 1234
nehc 4321
chens 12345
snehc 54321
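So that's it: write the characters of the name in reverse order and you have the real code! That easy?!
With TRW2000, getting from the crack to working out the code takes less than three minutes! Heh! Beginners, give it a try?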
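The check as the article reconstructs it, written out in C as an added example (not the crackme's source and not the author's code). The function names, the 63-character limit, the "abc" pair and applying the length test to the name are assumptions. It shows why the code could be read at the _mbscmp breakpoint: the program builds the expected code in plaintext and hands it to a string compare.

```c
#include <stdio.h>
#include <string.h>

#define MIN_LEN 4   /* CMP DWORD [ECX-08],+04 followed by JL in the listing */
#define MAX_LEN 63  /* assumed buffer limit for this sketch */

/* Build the expected code the way the article concludes it is built:
 * the name with its characters in reverse order.
 * Returns 0 on success, -1 if the name is too short or does not fit. */
int expected_code(const char *name, char *out, size_t out_size)
{
    size_t n = strlen(name);
    if (n < MIN_LEN || n > MAX_LEN || n + 1 > out_size)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = name[n - 1 - i];
    out[n] = '\0';
    return 0;
}

/* Hypothetical reconstruction of the check around 0040165B.
 * Returns 1 for the "Registed. Good job." path, 0 otherwise. */
int is_registered(const char *name, const char *code)
{
    char expected[MAX_LEN + 1];
    if (expected_code(name, expected, sizeof expected) != 0)
        return 0;                        /* the JL 0040167E path */
    /* `expected` now holds the valid code in plaintext; a pointer to it
     * is one of the two arguments pushed before the compare call. */
    return strcmp(expected, code) == 0;  /* TEST EAX,EAX / JNZ */
}

int main(void)
{
    /* first two pairs are from the article; "abc" is constructed */
    const char *pairs[][2] = {
        { "peterchen", "nehcretep" }, { "chen", "nehc" }, { "abc", "cba" }
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-10s %-10s -> %s\n", pairs[i][0], pairs[i][1],
               is_registered(pairs[i][0], pairs[i][1])
                   ? "Registed. Good job." : "Unregister");
    return 0;
}
```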