新CrackMe160之033 - dccrackme1

  1. 去NAG
    OD载入程序,单步运行可知弹框在004433EC处,F7跟踪进去在0043F251处再跟进去是一大堆代码,我们用IDR,查看源码可知,这一大堆代码是在FormCreate事件中的
    在最下面看到了004431A6 call ShowMessage, OD中直接定位到这行,F9,再F8确定是这行弹的框,nop掉这行便成功了, 保存运行测试正常

  2. 破解
    IDR点击事件源码: (跟OD也差不多,多了一丢丢备注)

    Unit1::TForm1.Button1Click                  ; Delphi button handler; on entry eax holds the form object (saved at [ebp-4] below)
 00441C08    push       ebp
 00441C09    mov        ebp,esp
 00441C0B    xor        ecx,ecx
 00441C0D    push       ecx                     ; reserve and zero four locals: [ebp-4] form, [ebp-8] Edit1 text,
 00441C0E    push       ecx                     ; [ebp-0C] Edit2 text, [ebp-10] IntToStr result
 00441C0F    push       ecx
 00441C10    push       ecx
 00441C11    push       ebx
 00441C12    push       esi
 00441C13    mov        dword ptr [ebp-4],eax   ; [ebp-4] = form object
 00441C16    xor        eax,eax
 00441C18    push       ebp                     ; Delphi exception frame (try/finally); handler at 441CCD -> @HandleFinally
 00441C19    push       441CCD
 00441C1E    push       dword ptr fs:[eax]
 00441C21    mov        dword ptr fs:[eax],esp
 00441C24    xor        esi,esi                 ; esi = running sum (the serial)
 00441C26    lea        edx,[ebp-8]
 00441C29    mov        eax,dword ptr [ebp-4]
 00441C2C    mov        eax,dword ptr [eax+2C8]; TForm1.Edit1:TEdit ; user name -> [ebp-8]
 00441C32    call       TControl.GetText
 00441C37    mov        eax,dword ptr [ebp-8]
 00441C3A    call       @LStrLen                ; edx = length of the name
 00441C3F    mov        edx,eax
 00441C41    test       edx,edx
>00441C43    jle        00441C67                ; empty name: skip the loop, serial stays 0
 00441C45    mov        ecx,1                   ; ecx = 1-based character index
 00441C4A    mov        eax,dword ptr [ebp-8]     ;;; algorithm start
 00441C4D    mov        al,byte ptr [eax+ecx-1] ; al = name[ecx-1]
 00441C51    and        eax,0FF                 ; zero-extend the byte (bytes >= 80h count as 128..255, never negative)
 00441C56    mov        ebx,eax
 00441C58    sub        ebx,17                  ; ebx = c - 0x17
 00441C5B    sub        eax,11                  ; eax = c - 0x11
 00441C5E    imul       ebx,eax                 ; ebx = (c - 0x17) * (c - 0x11), 32-bit wrap
 00441C61    add        esi,ebx                 ; esi += ebx
 00441C63    inc        ecx
 00441C64    dec        edx
<00441C65    jne        00441C4A      ;;; algorithm end: loop until all characters consumed
 00441C67    lea        edx,[ebp-0C]
 00441C6A    mov        eax,dword ptr [ebp-4]
 00441C6D    mov        eax,dword ptr [eax+2CC]; TForm1.Edit2:TEdit ; entered serial -> [ebp-0C]
 00441C73    call       TControl.GetText
 00441C78    mov        eax,dword ptr [ebp-0C]
 00441C7B    push       eax
 00441C7C    lea        edx,[ebp-10]
 00441C7F    mov        eax,esi
 00441C81    call       IntToStr      ;;; convert the computed sum to a decimal string -> [ebp-10]
 00441C86    mov        edx,dword ptr [ebp-10]
 00441C89    pop        eax
 00441C8A    call       @LStrCmp      ;;; key comparison: entered serial vs computed string
>00441C8F    jne        00441C9D                ; mismatch -> message at gvar_00445834
 00441C91    mov        eax,[00445830]; gvar_00445830:AnsiString ; shown when the strings are equal (presumably the success text)
 00441C96    call       ShowMessage
>00441C9B    jmp        00441CA7
 00441C9D    mov        eax,[00445834]; gvar_00445834:AnsiString ; shown on mismatch (presumably the failure text)
 00441CA2    call       ShowMessage
 00441CA7    xor        eax,eax                 ; tear down the exception frame
 00441CA9    pop        edx
 00441CAA    pop        ecx
 00441CAB    pop        ecx
 00441CAC    mov        dword ptr fs:[eax],edx
 00441CAF    push       441CD4
 00441CB4    lea        eax,[ebp-10]            ; finally block: release the three temporary strings
 00441CB7    call       @LStrClr
 00441CBC    lea        eax,[ebp-0C]
 00441CBF    call       @LStrClr
 00441CC4    lea        eax,[ebp-8]
 00441CC7    call       @LStrClr
 00441CCC    ret                                ; returns to 441CD4 pushed above
<00441CCD    jmp        @HandleFinally          ; exception path re-enters the finally block at 441CB4
<00441CD2    jmp        00441CB4
 00441CD4    pop        esi
 00441CD5    pop        ebx
 00441CD6    mov        esp,ebp
 00441CD8    pop        ebp
 00441CD9    ret

看完代码算法也清晰了,直接上注册机

#include <stdio.h>
#include <string.h>
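/*
 * Reproduce the serial computation of TForm1.Button1Click
 * (loop at 00441C4A-00441C65): for every byte c of the user name,
 * esi += (c - 0x17) * (c - 0x11), in 32-bit wrapping arithmetic.
 *
 * The target zero-extends each byte (`and eax,0FF`), so the byte is read as
 * unsigned char here; a plain (signed) char would sign-extend bytes >= 0x80
 * (GBK/UTF-8 names) and produce a different serial than the program.
 *
 * name: NUL-terminated user name without the trailing newline.
 * Returns the raw 32-bit accumulator (the target prints it as a signed Integer).
 */
static unsigned int compute_serial(const char *name) {
	unsigned int esi = 0;
	size_t i, len = strlen(name);
	for (i = 0; i < len; i++) {
		unsigned int eax = (unsigned char)name[i];
		unsigned int ebx = eax - 0x17;
		eax -= 0x11;
		ebx *= eax;
		esi += ebx;
	}
	return esi;
}

/* Read a user name from stdin and print the matching serial. */
int main(void) {
	char user[21] = {0};
	printf("用户名: ");
	if (fgets(user, sizeof(user), stdin) == NULL) {
		return 1; /* EOF or read error before any input */
	}
	/* Drop the trailing '\n' only when it is actually there. The old
	 * `strlen(user) - 1` also chopped a real character when the line had no
	 * newline (20+ chars, or EOF without '\n') and underflowed on an empty read. */
	user[strcspn(user, "\n")] = '\0';
	/* %d: the target's IntToStr formats the 32-bit sum as a signed Integer,
	 * so print the same bit pattern as signed. */
	printf("系列号: %d\n", (int)compute_serial(user));
	getchar();
	return 0;
}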

运行示例:
用户名: abc
系列号: 18227

 
 
本节高手录制的视频,点击前往查看

 
 
 

使用的工具连接(工具有点多有点大,可以先下OD,其它的后面慢慢下) 点击前往下载

下面是我的OD的界面布局,我觉得这4个是最常用的界面,其它的我基本上没用到~
OD界面布局
