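【Title】: CrackMe-1
【Software name】: Acid burn
【Software size】: 921KB
【Download】: search for it yourself
【Packer】: none
【Protection】: Nag, Name/Serial, Serial
【Language】: Borland Delphi 3.0
【Tools used】: OD
【Platform】: xp sp3
【About the software】: A simple, easy-to-understand CM; the author is quite playful.
【Author's statement】: Done purely out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections!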
--------------------------------------------------------------------------------
【Detailed procedure】
Address Disassembly Text string
0042F48D mov edx,Acid_bur.0042F540 Hello --\
These two addresses are kept only to show that the author is playful.
0042F49A mov edx,Acid_bur.0042F550 Dude! --/
0042F4A7 push Acid_bur.0042F560
0042F4D9 mov ecx,Acid_bur.0042F564 Congratz!
0042F4DE mov edx,Acid_bur.0042F570 God Job dude !! =) this is the playful success message mentioned above
0042F4F3 mov ecx,Acid_bur.0042F584 Failed!
0042F4F8 mov edx,Acid_bur.0042F58C Try Again!!
0042F786 mov ecx,Acid_bur.0042F7A0 hello you have to kill me!
0042F78B mov edx,Acid_bur.0042F7BC Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042FA5E mov ecx,Acid_bur.0042FB74 Try Again!
0042FA63 mov edx,Acid_bur.0042FB80 Sorry , The serial is incorect !
0042FAA6 mov edx,Acid_bur.0042FBAC CW
0042FAB3 mov edx,Acid_bur.0042FBB8 CRACKED
0042FAC0 push Acid_bur.0042FBC8 -
0042FAD5 push Acid_bur.0042FBC8 -
0042FB07 mov ecx,Acid_bur.0042FBCC Congratz !!
0042FB0C mov edx,Acid_bur.0042FBD8 Good job dude =) success message shown when the name and serial are correct
0042FB21 mov ecx,Acid_bur.0042FB74 Try Again!
0042FB26 mov edx,Acid_bur.0042FB80 Sorry , The serial is incorect !
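0042FDA9 mov edx,dword ptr ds:[0x42F838]
First, handle the first Serial: double-click 0042F4DE mov edx,Acid_bur.0042F570 God Job dude !! =) to go to it
0042F4D5 /75 1A jnz short Acid_bur.0042F4F1 Change 75 1A to 74 1A (jnz => je) and the patch is complete; right-click, choose "Copy to executable", and save the file. (The code around 0042F4D5 is shown below.)
Next, recover the registration information checked at this location:
0042F47E 55 push ebp Without knowing the key call, find the start of the routine and set a breakpoint with F2. Run the program, enter wrong input as usual, and click OK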
0042F47F 68 2CF54200 push Acid_bur.0042F52C
0042F484 64:FF30 push dword ptr fs:[eax]
0042F487 64:8920 mov dword ptr fs:[eax],esp
0042F48A 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
0042F48D BA 40F54200 mov edx,Acid_bur.0042F540 ; Hello (ASCII 48,"ello")--\
0042F492 E8 7142FDFF call Acid_bur.00403708 the passing password
0042F497 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
0042F49A BA 50F54200 mov edx,Acid_bur.0042F550 ; Dude! (ASCII 44,"ude!")--/
0042F49F E8 6442FDFF call Acid_bur.00403708
0042F4A4 FF75 FC push dword ptr ss:[ebp-0x4] ASCII 48,"ello" --\
0042F4A7 68 60F54200 push Acid_bur.0042F560 assignment
0042F4AC FF75 F8 push dword ptr ss:[ebp-0x8] ASCII 44,"ude!" --/
0042F4AF 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0042F4B2 BA 03000000 mov edx,0x3
0042F4B7 E8 F044FDFF call Acid_bur.004039AC
0042F4BC 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
0042F4BF 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] (ASCII "店小二") the bogus value I typed in
0042F4C5 E8 8EB5FEFF call Acid_bur.0041AA58 key call; used when building a memory keygen
0042F4CA 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0042F4CD 8B55 F4 mov edx,dword ptr ss:[ebp-0xC] (ASCII "Hello Dude!") the real value returned, i.e. our passing password
0042F4D0 E8 2745FDFF call Acid_bur.004039FC
0042F4D5 75 1A jnz short Acid_bur.0042F4F1 the jump: taken if the input is wrong; otherwise success
0042F4D7 6A 00 push 0x0
0042F4D9 B9 64F54200 mov ecx,Acid_bur.0042F564 ; Congratz!
0042F4DE BA 70F54200 mov edx,Acid_bur.0042F570 ; God Job dude !! =)
0042F4E3 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F4E8 8B00 mov eax,dword ptr ds:[eax]
0042F4EA E8 81ACFFFF call Acid_bur.0042A170
0042F4EF EB 18 jmp short Acid_bur.0042F509
0042F4F1 6A 00 push 0x0
0042F4F3 B9 84F54200 mov ecx,Acid_bur.0042F584 ; Failed!
0042F4F8 BA 8CF54200 mov edx,Acid_bur.0042F58C ; Try Again!!
0042F4FD A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F502 8B00 mov eax,dword ptr ds:[eax]
0042F504 E8 67ACFFFF call Acid_bur.0042A170
0042F509 33C0 xor eax,eax
0042F50B 5A pop edx
0042F50C 59 pop ecx
0042F50D 59 pop ecx
0042F50E 64:8910 mov dword ptr fs:[eax],edx
0042F511 68 33F54200 push Acid_bur.0042F533
0042F516 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0042F519 E8 5241FDFF call Acid_bur.00403670
0042F51E 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0042F521 BA 03000000 mov edx,0x3
0042F526 E8 6941FDFF call Acid_bur.00403694
0042F52B C3 retn
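Next, handle the second Serial: double-click 0042FB0C mov edx,Acid_bur.0042FBD8 Good job dude =) to go to it
0042FB03 /75 1A jnz short Acid_bur.0042FB1F Change 75 1A to 74 1A (jnz => je) and the patch is complete; right-click, choose "Copy to executable", and save the file. (The code around 0042FB03 is shown below.)
Next, recover the registration information checked at this location:
0042F9A9 55 push ebp Without knowing the key call, find the start of the routine and set a breakpoint with F2. Run the program, enter wrong input as usual, and click OK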
0042F9AA 68 67FB4200 push Acid_bur.0042FB67
0042F9AF 64:FF30 push dword ptr fs:[eax]
0042F9B2 64:8920 mov dword ptr fs:[eax],esp
0042F9B5 C705 50174300 2>mov dword ptr ds:[0x431750],0x29
0042F9BF 8D55 F0 lea edx,dword ptr ss:[ebp-0x10] user name (ASCII "店小二")
0042F9C2 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 E8 8BB0FEFF call Acid_bur.0041AA58
0042F9CD 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0042F9D0 E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 A3 6C174300 mov dword ptr ds:[0x43176C],eax
0042F9DA 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
0042F9DD 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0042F9EB 0FB600 movzx eax,byte ptr ds:[eax]
0042F9EE 8BF0 mov esi,eax
0042F9F0 C1E6 03 shl esi,0x3
0042F9F3 2BF0 sub esi,eax
0042F9F5 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0042F9F8 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0042FA06 0FB640 01 movzx eax,byte ptr ds:[eax+0x1]
0042FA0A C1E0 04 shl eax,0x4
0042FA0D 03F0 add esi,eax
0042FA0F 8935 54174300 mov dword ptr ds:[0x431754],esi
0042FA15 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
0042FA18 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0042FA26 0FB640 03 movzx eax,byte ptr ds:[eax+0x3]
0042FA2A 6BF0 0B imul esi,eax,0xB
0042FA2D 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0042FA30 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0042FA3E 0FB640 02 movzx eax,byte ptr ds:[eax+0x2]
0042FA42 6BC0 0E imul eax,eax,0xE
0042FA45 03F0 add esi,eax
0042FA47 8935 58174300 mov dword ptr ds:[0x431758],esi
0042FA4D A1 6C174300 mov eax,dword ptr ds:[0x43176C]
0042FA52 E8 D96EFDFF call Acid_bur.00406930
0042FA57 83F8 04 cmp eax,0x4
0042FA5A 7D 1D jge short Acid_bur.0042FA79
0042FA5C 6A 00 push 0x0
0042FA5E B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FA68 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D 8B00 mov eax,dword ptr ds:[eax]
0042FA6F E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
0042FA7C 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 E8 D1AFFEFF call Acid_bur.0041AA58
0042FA87 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
0042FA8A 0FB600 movzx eax,byte ptr ds:[eax]
0042FA8D F72D 50174300 imul dword ptr ds:[0x431750]
0042FA93 A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D 0105 50174300 add dword ptr ds:[0x431750],eax
0042FAA3 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
0042FAA6 BA ACFB4200 mov edx,Acid_bur.0042FBAC ; CW head of the passing password
0042FAAB E8 583CFDFF call Acid_bur.00403708
0042FAB0 8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
0042FAB3 BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACKED tail of the passing password
0042FAB8 E8 4B3CFDFF call Acid_bur.00403708
0042FABD FF75 FC push dword ptr ss:[ebp-0x4]
0042FAC0 68 C8FB4200 push Acid_bur.0042FBC8 ; - separator of the passing password
0042FAC5 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
0042FAC8 A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD E8 466CFDFF call Acid_bur.00406718
0042FAD2 FF75 E8 push dword ptr ss:[ebp-0x18] (ASCII "14842") middle number of the passing password
0042FAD5 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA FF75 F8 push dword ptr ss:[ebp-0x8]
0042FADD 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0042FAE0 BA 05000000 mov edx,0x5 unicode"2"
0042FAE5 E8 C23EFDFF call Acid_bur.004039AC
0042FAEA 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
0042FAED 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 E8 60AFFEFF call Acid_bur.0041AA58 key call; used when building a memory keygen
0042FAF8 8B55 F0 mov edx,dword ptr ss:[ebp-0x10] the bogus password: 74747474
0042FAFB 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] the real password: (ASCII "CW-14842-CRACKED")
0042FAFE E8 F93EFDFF call Acid_bur.004039FC
0042FB03 75 1A jnz short Acid_bur.0042FB1F
0042FB05 6A 00 push 0x0
0042FB07 B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 8B00 mov eax,dword ptr ds:[eax]
0042FB18 E8 53A6FFFF call Acid_bur.0042A170
0042FB1D EB 18 jmp short Acid_bur.0042FB37
0042FB1F 6A 00 push 0x0
0042FB21 B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 8B00 mov eax,dword ptr ds:[eax]
0042FB32 E8 39A6FFFF call Acid_bur.0042A170
0042FB37 33C0 xor eax,eax
0042FB39 5A pop edx
0042FB3A 59 pop ecx
0042FB3B 59 pop ecx
0042FB3C 64:8910 mov dword ptr fs:[eax],edx
0042FB3F 68 6EFB4200 push Acid_bur.0042FB6E
0042FB44 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
0042FB47 E8 243BFDFF call Acid_bur.00403670
0042FB4C 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
0042FB4F BA 02000000 mov edx,0x2
0042FB54 E8 3B3BFDFF call Acid_bur.00403694
0042FB59 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0042FB5C BA 03000000 mov edx,0x3
0042FB61 E8 2E3BFDFF call Acid_bur.00403694
0042FB66 C3 retn
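The two checks above, reconstructed in Python as an added example (not code from the crackme or from the original article): it shows that the second serial depends only on the first byte of the name and that the first is a fixed constant, which is why the expected string is readable at the compare. The function names are made up for illustration, and the roles given to the helper calls are assumptions stated in the comments.

```python
# Added example: the two checks from the listing, reconstructed in Python.
# Assumptions (not named on the page): 00406718 converts an integer to decimal
# text, 004039AC concatenates, 004039FC compares, and the value tested by
# "cmp eax,0x4" is the name's length in bytes.

SEED = 0x29  # mov dword ptr ds:[0x431750],0x29
MASK32 = 0xFFFFFFFF


def serial_for_name(name: bytes) -> str:
    """Serial assembled at 0042FA79..0042FAE5 for the raw bytes of the name."""
    if len(name) < 4:  # cmp eax,0x4 / jge: shorter names go to "Try Again!"
        raise ValueError("name must be at least 4 bytes")
    value = (name[0] * SEED) & MASK32   # movzx eax,[name]; imul [0x431750]
    value = (value + value) & MASK32    # add [0x431750],eax doubles it
    return "CW-" + str(value) + "-CRACKED"


def stored_but_unused(name: bytes) -> tuple:
    """Values written to 0x431754 and 0x431758; the listing never reads them."""
    first = (name[0] << 3) - name[0] + (name[1] << 4)  # 0042F9EB..0042FA0F
    second = name[3] * 0xB + name[2] * 0xE             # 0042FA26..0042FA47
    return first, second


def check_name_serial(name: bytes, serial: str) -> bool:
    """Mirror of the compare at 0042FAFE and the jnz at 0042FB03."""
    return len(name) >= 4 and serial == serial_for_name(name)


def check_serial_only(serial: str) -> bool:
    """First check: the expected value is a constant built from two literals."""
    return serial == "Hello" + " " + "Dude!"  # joined text shown at 0042F4CD


# The article's test name. Assumption: the program receives it as GBK bytes,
# which is consistent with the 14842 shown on the page (first byte 0xB5).
PAGE_NAME = "店小二".encode("gbk")

if __name__ == "__main__":
    print(serial_for_name(PAGE_NAME))
    print(serial_for_name(b"abcd"), serial_for_name(b"azzz"))  # same serial
```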
--------------------------------------------------------------------------------
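【Lessons learned】
1. The author provides two different (serial) ways to pass
2. Passing by patching the program
Passing password for the first serial: Hello Dude!
Passing password for the second serial:
Name:店小二
Serial:CW-14842-CRACKED
The simplest of CMs, yet it leaves a deeper impression. Back to grinding through assembly……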
--------------------------------------------------------------------------------
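【Copyright notice】: This article is an original work by 无聊之人. When reposting, please credit the author and keep the article intact. Thanks!
January 9, 2014, 08:17:06 PM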