新CrackMe160之056 - d2k2_crackme01

汇编写的程序,直接OD看源码

00401000 >/$  6A 00         push 0x0                                 ; /pModule = NULL
00401002  |.  E8 35040000   call <jmp.&KERNEL32.GetModuleHandleA>    ; \GetModuleHandleA
00401007  |.  A3 30314000   mov dword ptr ds:[0x403130],eax
0040100C  |.  6A 0A         push 0xA
0040100E  |.  6A 00         push 0x0
00401010  |.  6A 00         push 0x0
00401012  |.  FF35 30314000 push dword ptr ds:[0x403130]
00401018  |.  E8 07000000   call d2k2_cra.00401024
0040101D  |.  6A 00         push 0x0                                 ; /ExitCode = 0x0
0040101F  \.  E8 12040000   call <jmp.&KERNEL32.ExitProcess>         ; \ExitProcess
00401024  /$  55            push ebp
00401025  |.  8BEC          mov ebp,esp
00401027  |.  83C4 B0       add esp,-0x50
0040102A  |.  C745 D0 30000>mov [local.12],0x30
00401031  |.  C745 D4 03000>mov [local.11],0x3
00401038  |.  C745 D8 09114>mov [local.10],d2k2_cra.00401109
0040103F  |.  C745 DC 00000>mov [local.9],0x0
00401046  |.  C745 E0 00000>mov [local.8],0x0
0040104D  |.  FF35 30314000 push dword ptr ds:[0x403130]
00401053  |.  8F45 E4       pop [local.7]                            ;  kernel32.7544FCC9
00401056  |.  C745 F0 17000>mov [local.4],0x17
0040105D  |.  C745 F4 00000>mov [local.3],0x0
00401064  |.  C745 F8 18304>mov [local.2],d2k2_cra.00403018          ;  ASCII "Macintosh"
0040106B  |.  68 007F0000   push 0x7F00                              ; /RsrcName = IDI_APPLICATION
00401070  |.  6A 00         push 0x0                                 ; |hInst = NULL
00401072  |.  E8 89030000   call <jmp.&USER32.LoadIconA>             ; \LoadIconA
00401077  |.  8945 E8       mov [local.6],eax
0040107A  |.  8945 FC       mov [local.1],eax
0040107D  |.  68 007F0000   push 0x7F00                              ; /RsrcName = IDC_ARROW
00401082  |.  6A 00         push 0x0                                 ; |hInst = NULL
00401084  |.  E8 71030000   call <jmp.&USER32.LoadCursorA>           ; \LoadCursorA
00401089  |.  8945 EC       mov [local.5],eax
0040108C  |.  8D45 D0       lea eax,[local.12]
0040108F  |.  50            push eax                                 ; /pWndClassEx = 0019FFCC
00401090  |.  E8 7D030000   call <jmp.&USER32.RegisterClassExA>      ; \RegisterClassExA
00401095  |.  6A 00         push 0x0                                 ; /lParam = NULL
00401097  |.  FF75 08       push [arg.1]                             ; |hInst = 002B8000
0040109A  |.  6A 00         push 0x0                                 ; |hMenu = NULL
0040109C  |.  6A 00         push 0x0                                 ; |hParent = NULL
0040109E  |.  68 00000080   push 0x80000000                          ; |Height = 80000000 (-2147483648.)
004010A3  |.  68 00000080   push 0x80000000                          ; |Width = 80000000 (-2147483648.)
004010A8  |.  6A 78         push 0x78                                ; |Y = 78 (120.)
004010AA  |.  68 2C010000   push 0x12C                               ; |X = 12C (300.)
004010AF  |.  68 00000800   push 0x80000                             ; |Style = WS_OVERLAPPED|WS_SYSMENU
004010B4  |.  68 22304000   push d2k2_cra.00403022                   ; |WindowName = "diablo2oo2's Crackme 1"
004010B9  |.  68 18304000   push d2k2_cra.00403018                   ; |Class = "Macintosh"
004010BE  |.  6A 00         push 0x0                                 ; |ExtStyle = 0
004010C0  |.  E8 11030000   call <jmp.&USER32.CreateWindowExA>       ; \CreateWindowExA
004010C5  |.  8945 B0       mov [local.20],eax
004010C8  |.  FF75 14       push [arg.4]                             ; /ShowState = SW_HIDE
004010CB  |.  FF75 B0       push [local.20]                          ; |hWnd = NULL
004010CE  |.  E8 51030000   call <jmp.&USER32.ShowWindow>            ; \ShowWindow
004010D3  |.  FF75 B0       push [local.20]                          ; /hWnd = NULL
004010D6  |.  E8 55030000   call <jmp.&USER32.UpdateWindow>          ; \UpdateWindow
004010DB  |>  6A 00         /push 0x0                                ; /MsgFilterMax = 0x0
004010DD  |.  6A 00         |push 0x0                                ; |MsgFilterMin = 0x0
004010DF  |.  6A 00         |push 0x0                                ; |hWnd = NULL
004010E1  |.  8D45 B4       |lea eax,[local.19]                      ; |
004010E4  |.  50            |push eax                                ; |pMsg = 0019FFCC
004010E5  |.  E8 04030000   |call <jmp.&USER32.GetMessageA>          ; \GetMessageA
004010EA  |.  0BC0          |or eax,eax
004010EC  |.  74 14         |je short d2k2_cra.00401102
004010EE  |.  8D45 B4       |lea eax,[local.19]
004010F1  |.  50            |push eax                                ; /pMsg = MSG(0x7754B390) hw = 19FFE4 wParam = 0x59A941D3 lParam = 0x0
004010F2  |.  E8 33030000   |call <jmp.&USER32.TranslateMessage>     ; \TranslateMessage
004010F7  |.  8D45 B4       |lea eax,[local.19]
004010FA  |.  50            |push eax                                ; /pMsg = MSG(0x7754B390) hw = 19FFE4 wParam = 0x59A941D3 lParam = 0x0
004010FB  |.  E8 E2020000   |call <jmp.&USER32.DispatchMessageA>     ; \DispatchMessageA
00401100  |.^ EB D9         \jmp short d2k2_cra.004010DB
00401102  |>  8B45 BC       mov eax,[local.17]
00401105  |.  C9            leave
00401106  \.  C2 1000       retn 0x10
00401109  /.  55            push ebp
0040110A  |.  8BEC          mov ebp,esp
0040110C  |.  83C4 F8       add esp,-0x8
0040110F  |.  837D 0C 02    cmp [arg.2],0x2
00401113  |.  75 0C         jnz short d2k2_cra.00401121
00401115  |.  6A 00         push 0x0                                 ; /ExitCode = 0x0
00401117  |.  E8 F0020000   call <jmp.&USER32.PostQuitMessage>       ; \PostQuitMessage
0040111C  |.  E9 AF020000   jmp d2k2_cra.004013D0
00401121  |>  837D 0C 01    cmp [arg.2],0x1
00401125  |.  0F85 F5000000 jnz d2k2_cra.00401220
0040112B  |.  6A 00         push 0x0                                 ; /lParam = NULL
0040112D  |.  FF35 30314000 push dword ptr ds:[0x403130]             ; |hInst = NULL
00401133  |.  6A 02         push 0x2                                 ; |hMenu = 00000002
00401135  |.  FF75 08       push [arg.1]                             ; |hParent = 002B8000
00401138  |.  6A 19         push 0x19                                ; |Height = 19 (25.)
0040113A  |.  68 FF000000   push 0xFF                                ; |Width = FF (255.)
0040113F  |.  6A 0F         push 0xF                                 ; |Y = F (15.)
00401141  |.  6A 0F         push 0xF                                 ; |X = F (15.)
00401143  |.  68 80008050   push 0x50800080                          ; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER|80
00401148  |.  6A 00         push 0x0                                 ; |WindowName = NULL
0040114A  |.  68 39304000   push d2k2_cra.00403039                   ; |Class = "edit"
0040114F  |.  68 00020000   push 0x200                               ; |ExtStyle = WS_EX_CLIENTEDGE
00401154  |.  E8 7D020000   call <jmp.&USER32.CreateWindowExA>       ; \CreateWindowExA
00401159  |.  68 00304000   push d2k2_cra.00403000                   ; /Text = "Enter Name"
0040115E  |.  6A 02         push 0x2                                 ; |ControlID = 0x2
00401160  |.  FF75 08       push [arg.1]                             ; |hWnd = 002B8000
00401163  |.  E8 B0020000   call <jmp.&USER32.SetDlgItemTextA>       ; \SetDlgItemTextA
00401168  |.  A3 34314000   mov dword ptr ds:[0x403134],eax
0040116D  |.  6A 00         push 0x0                                 ; /lParam = NULL
0040116F  |.  FF35 30314000 push dword ptr ds:[0x403130]             ; |hInst = NULL
00401175  |.  6A 04         push 0x4                                 ; |hMenu = 00000004
00401177  |.  FF75 08       push [arg.1]                             ; |hParent = 002B8000
0040117A  |.  6A 19         push 0x19                                ; |Height = 19 (25.)
0040117C  |.  68 FF000000   push 0xFF                                ; |Width = FF (255.)
00401181  |.  6A 32         push 0x32                                ; |Y = 32 (50.)
00401183  |.  6A 0F         push 0xF                                 ; |X = F (15.)
00401185  |.  68 80008050   push 0x50800080                          ; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER|80
0040118A  |.  6A 00         push 0x0                                 ; |WindowName = NULL
0040118C  |.  68 39304000   push d2k2_cra.00403039                   ; |Class = "edit"
00401191  |.  68 00020000   push 0x200                               ; |ExtStyle = WS_EX_CLIENTEDGE
00401196  |.  E8 3B020000   call <jmp.&USER32.CreateWindowExA>       ; \CreateWindowExA
0040119B  |.  68 0B304000   push d2k2_cra.0040300B                   ; /Text = "Enter Serial"
004011A0  |.  6A 04         push 0x4                                 ; |ControlID = 0x4
004011A2  |.  FF75 08       push [arg.1]                             ; |hWnd = 002B8000
004011A5  |.  E8 6E020000   call <jmp.&USER32.SetDlgItemTextA>       ; \SetDlgItemTextA
004011AA  |.  A3 34314000   mov dword ptr ds:[0x403134],eax
004011AF  |.  6A 00         push 0x0                                 ; /lParam = NULL
004011B1  |.  FF35 30314000 push dword ptr ds:[0x403130]             ; |hInst = NULL
004011B7  |.  6A 03         push 0x3                                 ; |hMenu = 00000003
004011B9  |.  FF75 08       push [arg.1]                             ; |hParent = 002B8000
004011BC  |.  6A 19         push 0x19                                ; |Height = 19 (25.)
004011BE  |.  68 FF000000   push 0xFF                                ; |Width = FF (255.)
004011C3  |.  6A 55         push 0x55                                ; |Y = 55 (85.)
004011C5  |.  6A 0F         push 0xF                                 ; |X = F (15.)
004011C7  |.  68 00008050   push 0x50800000                          ; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER
004011CC  |.  68 45304000   push d2k2_cra.00403045                   ; |WindowName = "Try"
004011D1  |.  68 3E304000   push d2k2_cra.0040303E                   ; |Class = "Button"
004011D6  |.  68 00020000   push 0x200                               ; |ExtStyle = WS_EX_CLIENTEDGE
004011DB  |.  E8 F6010000   call <jmp.&USER32.CreateWindowExA>       ; \CreateWindowExA
004011E0  |.  A3 38314000   mov dword ptr ds:[0x403138],eax
004011E5  |.  6A 00         push 0x0                                 ; /Index = SM_CXSCREEN
004011E7  |.  E8 08020000   call <jmp.&USER32.GetSystemMetrics>      ; \GetSystemMetrics
004011EC  |.  2D 22010000   sub eax,0x122
004011F1  |.  D1E8          shr eax,1
004011F3  |.  8BD8          mov ebx,eax
004011F5  |.  6A 01         push 0x1                                 ; /Index = SM_CYSCREEN
004011F7  |.  E8 F8010000   call <jmp.&USER32.GetSystemMetrics>      ; \GetSystemMetrics
004011FC  |.  2D 96000000   sub eax,0x96
00401201  |.  D1E8          shr eax,1
00401203  |.  6A 40         push 0x40                                ; /Flags = SWP_SHOWWINDOW
00401205  |.  68 96000000   push 0x96                                ; |Height = 96 (150.)
0040120A  |.  68 22010000   push 0x122                               ; |Width = 122 (290.)
0040120F  |.  50            push eax                                 ; |Y = 19FFCC (1703884.)
00401210  |.  53            push ebx                                 ; |X = 2B8000 (2850816.)
00401211  |.  6A 00         push 0x0                                 ; |InsertAfter = HWND_TOP
00401213  |.  FF75 08       push [arg.1]                             ; |hWnd = 002B8000
00401216  |.  E8 03020000   call <jmp.&USER32.SetWindowPos>          ; \SetWindowPos
0040121B  |.  E9 B0010000   jmp d2k2_cra.004013D0
00401220  |>  817D 0C 11010>cmp [arg.2],0x111
00401227  |.  0F85 8E010000 jnz d2k2_cra.004013BB
0040122D  |.  8B45 10       mov eax,[arg.3]
00401230  |.  66:83F8 03    cmp ax,0x3
00401234  |.  0F85 96010000 jnz d2k2_cra.004013D0
0040123A  |.  C1E8 10       shr eax,0x10
0040123D  |.  66:0BC0       or ax,ax
00401240  |.  0F85 73010000 jnz d2k2_cra.004013B9
00401246  |.  33C0          xor eax,eax
00401248  |.  6A 28         push 0x28                                ; /Count = 28 (40.)
0040124A  |.  68 8C314000   push d2k2_cra.0040318C                   ; |Buffer = d2k2_cra.0040318C
0040124F  |.  6A 02         push 0x2                                 ; |ControlID = 0x2
00401251  |.  FF75 08       push [arg.1]                             ; |hWnd = 002B8000
00401254  |.  E8 8F010000   call <jmp.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
00401259  |.  84C0          test al,al
0040125B  |.  0F84 06010000 je d2k2_cra.00401367
00401261  |.  3C 20         cmp al,0x20
00401263  |.  0F8F 13010000 jg d2k2_cra.0040137C
00401269  |.  3C 05         cmp al,0x5
0040126B  |.  0F8C 20010000 jl d2k2_cra.00401391
00401271  |.  8D1D 8C314000 lea ebx,dword ptr ds:[0x40318C]
00401277  |.  33C9          xor ecx,ecx                              ;  d2k2_cra.<ModuleEntryPoint>
00401279  |.  B0 05         mov al,0x5
0040127B  |.  33D2          xor edx,edx                              ;  d2k2_cra.<ModuleEntryPoint>
0040127D  |>  8A0C1A        mov cl,byte ptr ds:[edx+ebx]
00401280  |.  80F1 29       xor cl,0x29
00401283  |.  02C8          add cl,al
00401285  |.  80F9 41       cmp cl,0x41
00401288  |.  7C 1C         jl short d2k2_cra.004012A6
0040128A  |.  80F9 5A       cmp cl,0x5A
0040128D  |.  7F 17         jg short d2k2_cra.004012A6
0040128F  |>  888A 3C314000 mov byte ptr ds:[edx+0x40313C],cl
00401295  |.  C682 3D314000>mov byte ptr ds:[edx+0x40313D],0x0
0040129C  |.  FEC2          inc dl
0040129E  |.  FEC8          dec al
004012A0  |.  3C 00         cmp al,0x0
004012A2  |.  74 08         je short d2k2_cra.004012AC
004012A4  |.^ EB D7         jmp short d2k2_cra.0040127D
004012A6  |>  B1 52         mov cl,0x52
004012A8  |.  02C8          add cl,al
004012AA  |.^ EB E3         jmp short d2k2_cra.0040128F
004012AC  |>  33D2          xor edx,edx                              ;  d2k2_cra.<ModuleEntryPoint>
004012AE  |.  B8 05000000   mov eax,0x5
004012B3  |>  8A0C1A        mov cl,byte ptr ds:[edx+ebx]
004012B6  |.  80F1 27       xor cl,0x27
004012B9  |.  02C8          add cl,al
004012BB  |.  80C1 01       add cl,0x1
004012BE  |.  80F9 41       cmp cl,0x41
004012C1  |.  7C 1C         jl short d2k2_cra.004012DF
004012C3  |.  80F9 5A       cmp cl,0x5A
004012C6  |.  7F 17         jg short d2k2_cra.004012DF
004012C8  |>  888A 41314000 mov byte ptr ds:[edx+0x403141],cl
004012CE  |.  C682 42314000>mov byte ptr ds:[edx+0x403142],0x0
004012D5  |.  FEC2          inc dl
004012D7  |.  FEC8          dec al
004012D9  |.  3C 00         cmp al,0x0
004012DB  |.  74 08         je short d2k2_cra.004012E5
004012DD  |.^ EB D4         jmp short d2k2_cra.004012B3
004012DF  |>  B1 4D         mov cl,0x4D
004012E1  |.  02C8          add cl,al
004012E3  |.^ EB E3         jmp short d2k2_cra.004012C8
004012E5  |>  33C0          xor eax,eax
004012E7  |.  6A 28         push 0x28                                ; /Count = 28 (40.)
004012E9  |.  68 B4314000   push d2k2_cra.004031B4                   ; |Buffer = d2k2_cra.004031B4
004012EE  |.  6A 04         push 0x4                                 ; |ControlID = 0x4
004012F0  |.  FF75 08       push [arg.1]                             ; |hWnd = 002B8000
004012F3  |.  E8 F0000000   call <jmp.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
004012F8  |.  66:85C0       test ax,ax
004012FB  |.  74 55         je short d2k2_cra.00401352
004012FD  |.  66:83F8 0A    cmp ax,0xA
00401301  |.  7F 4F         jg short d2k2_cra.00401352
00401303  |.  7C 4D         jl short d2k2_cra.00401352
00401305  |.  33C0          xor eax,eax
00401307  |.  33DB          xor ebx,ebx
00401309  |.  33C9          xor ecx,ecx                              ;  d2k2_cra.<ModuleEntryPoint>
0040130B  |.  33D2          xor edx,edx                              ;  d2k2_cra.<ModuleEntryPoint>
0040130D  |.  8D05 B4314000 lea eax,dword ptr ds:[0x4031B4]
00401313  |>  8A1C01        mov bl,byte ptr ds:[ecx+eax]
00401316  |.  8A91 3C314000 mov dl,byte ptr ds:[ecx+0x40313C]
0040131C  |.  80FB 00       cmp bl,0x0
0040131F  |.  0F84 81000000 je d2k2_cra.004013A6
00401325  |.  80C2 05       add dl,0x5
00401328  |.  80FA 5A       cmp dl,0x5A
0040132B  |.  7F 14         jg short d2k2_cra.00401341
0040132D  |>  80F2 0C       xor dl,0xC
00401330  |.  80FA 41       cmp dl,0x41
00401333  |.  7C 11         jl short d2k2_cra.00401346
00401335  |.  80FA 5A       cmp dl,0x5A
00401338  |.  7F 12         jg short d2k2_cra.0040134C
0040133A  |>  41            inc ecx                                  ;  d2k2_cra.<ModuleEntryPoint>
0040133B  |.  38DA          cmp dl,bl
0040133D  |.^ 74 D4         je short d2k2_cra.00401313
0040133F  |.  EB 11         jmp short d2k2_cra.00401352
00401341  |>  80EA 0D       sub dl,0xD
00401344  |.^ EB E7         jmp short d2k2_cra.0040132D
00401346  |>  B2 4B         mov dl,0x4B
00401348  |.  02D1          add dl,cl
0040134A  |.^ EB EE         jmp short d2k2_cra.0040133A
0040134C  |>  B2 4B         mov dl,0x4B
0040134E  |.  2AD1          sub dl,cl
00401350  |.^ EB E8         jmp short d2k2_cra.0040133A
00401352  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401354  |.  68 49304000   push d2k2_cra.00403049                   ; |Title = "Dont give up..."
00401359  |.  68 59304000   push d2k2_cra.00403059                   ; |Text = "Wrong Code!Try Again!"
0040135E  |.  6A 00         push 0x0                                 ; |hOwner = NULL
00401360  |.  E8 A1000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
00401365  |.  EB 52         jmp short d2k2_cra.004013B9
00401367  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401369  |.  68 6F304000   push d2k2_cra.0040306F                   ; |Title = "Sorry..."
0040136E  |.  68 97304000   push d2k2_cra.00403097                   ; |Text = "Enter Name!"
00401373  |.  6A 00         push 0x0                                 ; |hOwner = NULL
00401375  |.  E8 8C000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
0040137A  |.  EB 3D         jmp short d2k2_cra.004013B9
0040137C  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0040137E  |.  68 6F304000   push d2k2_cra.0040306F                   ; |Title = "Sorry..."
00401383  |.  68 A3304000   push d2k2_cra.004030A3                   ; |Text = "Name can be max 32 Chars long!"
00401388  |.  6A 00         push 0x0                                 ; |hOwner = NULL
0040138A  |.  E8 77000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
0040138F  |.  EB 28         jmp short d2k2_cra.004013B9
00401391  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401393  |.  68 6F304000   push d2k2_cra.0040306F                   ; |Title = "Sorry..."
00401398  |.  68 78304000   push d2k2_cra.00403078                   ; |Text = "Name must be min 5 Chars long!"
0040139D  |.  6A 00         push 0x0                                 ; |hOwner = NULL
0040139F  |.  E8 62000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
004013A4  |.  EB 13         jmp short d2k2_cra.004013B9
004013A6  |>  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004013A8  |.  68 C2304000   push d2k2_cra.004030C2                   ; |Title = "Good Cracker"
004013AD  |.  68 CF304000   push d2k2_cra.004030CF                   ; |Text = "Serial is correct! Now write a keygen + tut and send it to: diablo2oo2@gmx.net !"
004013B2  |.  6A 00         push 0x0                                 ; |hOwner = NULL
004013B4  |.  E8 4D000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
004013B9  |>  EB 15         jmp short d2k2_cra.004013D0
004013BB  |>  FF75 14       push [arg.4]                             ; /lParam = 0x0
004013BE  |.  FF75 10       push [arg.3]                             ; |wParam = 0x0
004013C1  |.  FF75 0C       push [arg.2]                             ; |Message = MSG(0x2EED7437)
004013C4  |.  FF75 08       push [arg.1]                             ; |hWnd = 002B8000
004013C7  |.  E8 10000000   call <jmp.&USER32.DefWindowProcA>        ; \DefWindowProcA
004013CC  |.  C9            leave
004013CD  |.  C2 1000       retn 0x10
004013D0  |>  33C0          xor eax,eax
004013D2  |.  C9            leave
004013D3  \.  C2 1000       retn 0x10
004013D6   $- FF25 40204000 jmp dword ptr ds:[<&USER32.CreateWindowE>;  user32.CreateWindowExA
004013DC   $- FF25 3C204000 jmp dword ptr ds:[<&USER32.DefWindowProc>;  ntdll.NtdllDefWindowProc_A
004013E2   $- FF25 38204000 jmp dword ptr ds:[<&USER32.DispatchMessa>;  user32.DispatchMessageA
004013E8   $- FF25 20204000 jmp dword ptr ds:[<&USER32.GetDlgItemTex>;  user32.GetDlgItemTextA
004013EE   $- FF25 24204000 jmp dword ptr ds:[<&USER32.GetMessageA>] ;  user32.GetMessageA
004013F4   $- FF25 1C204000 jmp dword ptr ds:[<&USER32.GetSystemMetr>;  user32.GetSystemMetrics
004013FA   $- FF25 0C204000 jmp dword ptr ds:[<&USER32.LoadCursorA>] ;  user32.LoadCursorA
00401400   $- FF25 10204000 jmp dword ptr ds:[<&USER32.LoadIconA>]   ;  user32.LoadIconA
00401406   $- FF25 14204000 jmp dword ptr ds:[<&USER32.MessageBoxA>] ;  user32.MessageBoxA
0040140C   $- FF25 18204000 jmp dword ptr ds:[<&USER32.PostQuitMessa>;  user32.PostQuitMessage
00401412   $- FF25 44204000 jmp dword ptr ds:[<&USER32.RegisterClass>;  user32.RegisterClassExA
00401418   $- FF25 48204000 jmp dword ptr ds:[<&USER32.SetDlgItemTex>;  user32.SetDlgItemTextA
0040141E   $- FF25 28204000 jmp dword ptr ds:[<&USER32.SetWindowPos>>;  user32.SetWindowPos
00401424   $- FF25 2C204000 jmp dword ptr ds:[<&USER32.ShowWindow>]  ;  user32.ShowWindow
0040142A   $- FF25 30204000 jmp dword ptr ds:[<&USER32.TranslateMess>;  user32.TranslateMessage
00401430   $- FF25 34204000 jmp dword ptr ds:[<&USER32.UpdateWindow>>;  user32.UpdateWindow
00401436   .- FF25 04204000 jmp dword ptr ds:[<&KERNEL32.ExitProcess>;  kernel32.ExitProcess
0040143C   $- FF25 00204000 jmp dword ptr ds:[<&KERNEL32.GetModuleHa>;  kernel32.GetModuleHandleA
00401442      00            db 00
00401443      00            db 00

300多行直接一眼看一遍,可以直接找到按钮事件00401259处读取用户名,从这里开始下断点调试,
1). 用户名0x5~0x20位
2). 用户名前5位经两轮运算得到10位中间值,每位先+5再^0xC(超出A~Z范围时修正),最后与系列号逐位对比
注册机如下:

#include <stdio.h>
#include <string.h>

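/*
 * Truncate an int to one byte and reinterpret that byte as the target's
 * signed 8-bit register value.
 *
 * The crackme does all of its arithmetic in cl/dl and compares with jl/jg,
 * i.e. signed byte semantics. Plain `char` may be unsigned on some
 * platforms, so the signedness is made explicit here instead.
 */
static int byte_signed(int v)
{
	unsigned char b = (unsigned char)v;   /* well-defined modulo-256 truncation */
	return b < 0x80 ? b : b - 0x100;
}

/*
 * Derive the 10-character serial the crackme expects for `name`.
 *
 * name: at least 5 bytes long; only name[0..4] contribute to the result.
 * out:  receives 10 serial characters followed by a terminating NUL.
 *       Every output byte ends up in 'A'..'Z'.
 */
static void derive_serial(const char *name, char out[11])
{
	int code[11] = {0};

	/* Stage 1: two 5-byte halves, both computed from the first 5 name bytes. */
	for (int i = 0; i < 5; i++) {
		int k = 5 - i;   /* the target's down-counting al register */
		unsigned char c = (unsigned char)name[i];

		code[i] = byte_signed((c ^ 0x29) + k);
		if (code[i] < 0x41 || code[i] > 0x5A) {
			code[i] = byte_signed(0x52 + k);
		}

		code[i + 5] = byte_signed((c ^ 0x27) + k + 1);
		if (code[i + 5] < 0x41 || code[i + 5] > 0x5A) {
			code[i + 5] = byte_signed(0x4D + k);
		}
	}

	/* Stage 2: the per-character transform applied in the compare loop. */
	for (int i = 0; i < 10; i++) {
		code[i] = byte_signed(code[i] + 5);
		if (code[i] > 0x5A) {
			code[i] = byte_signed(code[i] - 0xD);
		}
		code[i] = byte_signed((unsigned char)code[i] ^ 0xC);
		if (code[i] < 0x41) {
			code[i] = 0x4B + i;   /* always within 'K'..'T' */
		} else if (code[i] > 0x5A) {
			code[i] = 0x4B - i;   /* always within 'B'..'K' */
		}
		out[i] = (char)code[i];
	}
	out[10] = '\0';
}

/*
 * Keygen entry point: read a name from stdin, validate its length the way
 * the crackme does (5..32 characters), and print the matching serial.
 */
int main(void)
{
	char user[64] = {0};   /* room for a 32-char name plus the newline and NUL */
	char code[11] = {0};

	printf("用户名: ");
	if (fgets(user, sizeof(user), stdin) == NULL) {
		return 0;   /* EOF or read error: nothing to derive */
	}
	/* Strip the line terminator if present; `strlen - 1` would chop a real
	 * character when the input was longer than the buffer. */
	user[strcspn(user, "\r\n")] = '\0';

	size_t len = strlen(user);
	if (len < 5 || len > 32) {
		printf("用户名5~32位");
		return 0;
	}

	derive_serial(user, code);
	printf("系列号: %s\r\n", code);
	getchar();
	return 0;
}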

运行示例:
用户名: d2k2_crackme01
系列号: KBFUTBZYXB

 
 
本节高手录制的视频,点击前往查看

 
 
 

使用的工具连接(工具有点多有点大,可以先下OD,其它的后面慢慢下) 点击前往下载

下面是我的OD的界面布局,我觉得这4个是最常用的界面,其它的我基本上没用到~
OD界面布局
