160个CrackMe之004

先中文搜索,发现可疑字符串:“恭喜恭喜!注册成功”,双击进入到达使用字符串的地方。

00458031  |.  81BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x85
0045803B      75 76         jnz short CKme.004580B3                  ;  关键的跳转
0045803D  |.  33DB          xor ebx,ebx
0045803F  |>  8D55 E4       /lea edx,[local.7]
00458042  |.  8B86 D4020000 |mov eax,dword ptr ds:[esi+0x2D4]
00458048  |.  E8 FBB2FCFF   |call CKme.00423348
0045804D  |.  8B45 E4       |mov eax,[local.7]                       ;  comctl32.5D176074
00458050  |.  E8 27BBFAFF   |call CKme.00403B7C
00458055  |.  83C0 03       |add eax,0x3
00458058  |.  8D55 E8       |lea edx,[local.6]
0045805B  |.  E8 A4FAFAFF   |call CKme.00407B04
00458060  |.  FF75 E8       |push [local.6]
00458063  |.  8D55 E0       |lea edx,[local.8]
00458066  |.  8B86 D4020000 |mov eax,dword ptr ds:[esi+0x2D4]
0045806C  |.  E8 D7B2FCFF   |call CKme.00423348
00458071  |.  FF75 E0       |push [local.8]
00458074  |.  8D55 DC       |lea edx,[local.9]
00458077  |.  8BC3          |mov eax,ebx
00458079  |.  E8 86FAFAFF   |call CKme.00407B04
0045807E  |.  FF75 DC       |push [local.9]
00458081  |.  8D45 FC       |lea eax,[local.1]
00458084  |.  BA 03000000   |mov edx,0x3
00458089  |.  E8 AEBBFAFF   |call CKme.00403C3C
0045808E  |.  43            |inc ebx
0045808F  |.  83FB 13       |cmp ebx,0x13
00458092  |.^ 75 AB         \jnz short CKme.0045803F
00458094  |.  33D2          xor edx,edx
00458096  |.  8B86 F0020000 mov eax,dword ptr ds:[esi+0x2F0]
0045809C  |.  E8 BFB1FCFF   call CKme.00423260
004580A1  |.  A1 20B84500   mov eax,dword ptr ds:[0x45B820]
004580A6  |.  83C0 70       add eax,0x70
004580A9  |.  BA 14814500   mov edx,CKme.00458114                    ;  恭喜恭喜!注册成功
004580AE  |.  E8 9DB8FAFF   call CKme.00403950
004580B3  |>  33C0          xor eax,eax
004580B5  |.  5A            pop edx
004580B6  |.  59            pop ecx

发现一个可疑跳转,0045803B 75 76 jnz short CKme.004580B3,改成jz,尝试成功,说明此处是成功注册的地方。从该段首行调试分析:

00457C40  /.  55            push ebp
00457C41  |.  8BEC          mov ebp,esp
00457C43  |.  51            push ecx
00457C44  |.  B9 05000000   mov ecx,0x5
00457C49  |>  6A 00         /push 0x0
00457C4B  |.  6A 00         |push 0x0
00457C4D  |.  49            |dec ecx
00457C4E  |.^ 75 F9         \jnz short CKme.00457C49
00457C50  |.  51            push ecx
00457C51  |.  874D FC       xchg [local.1],ecx
00457C54  |.  53            push ebx
00457C55  |.  56            push esi
00457C56  |.  8BD8          mov ebx,eax
00457C58  |.  33C0          xor eax,eax
00457C5A  |.  55            push ebp
00457C5B  |.  68 3D7E4500   push CKme.00457E3D
00457C60  |.  64:FF30       push dword ptr fs:[eax]
00457C63  |.  64:8920       mov dword ptr fs:[eax],esp
00457C66  |.  8BB3 F8020000 mov esi,dword ptr ds:[ebx+0x2F8]         ;  esi = 2  这里是字符串长度
00457C6C  |.  83C6 05       add esi,0x5                              ;  esi = 7
00457C6F  |.  FFB3 10030000 push dword ptr ds:[ebx+0x310]            ;  黑头Sun Bird
00457C75  |.  8D55 F8       lea edx,[local.2]
00457C78  |.  8BC6          mov eax,esi                              ;  eax = 7
00457C7A  |.  E8 85FEFAFF   call CKme.00407B04
00457C7F  |.  FF75 F8       push [local.2]                           ;  7
00457C82  |.  FFB3 14030000 push dword ptr ds:[ebx+0x314]            ;  dseloffc-012-OK
00457C88  |.  8D55 F4       lea edx,[local.3]
00457C8B  |.  8B83 D4020000 mov eax,dword ptr ds:[ebx+0x2D4]         ;  聪A
00457C91  |.  E8 B2B6FCFF   call CKme.00423348
00457C96  |.  FF75 F4       push [local.3]                           ;  输入的账号:12
00457C99  |.  8D83 18030000 lea eax,dword ptr ds:[ebx+0x318]         ;  欢迎光临我的主页
00457C9F  |.  BA 04000000   mov edx,0x4
00457CA4  |.  E8 93BFFAFF   call CKme.00403C3C
00457CA9  |.  33D2          xor edx,edx
00457CAB  |.  8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CB1  |.  E8 AAB5FCFF   call CKme.00423260
00457CB6  |.  8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]         ;  黑头Sun Bird7dseloffc-012-OK12
00457CBC  |.  8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CC2  |.  E8 B1B6FCFF   call CKme.00423378
00457CC7  |.  33F6          xor esi,esi
00457CC9  |>  8D55 EC       /lea edx,[local.5]
00457CCC  |.  8B83 D4020000 |mov eax,dword ptr ds:[ebx+0x2D4]        ;  聪A
00457CD2  |.  E8 71B6FCFF   |call CKme.00423348
00457CD7  |.  8B45 EC       |mov eax,[local.5]                       ;  输入的账号:12
00457CDA  |.  E8 9DBEFAFF   |call CKme.00403B7C
00457CDF  |.  83C0 03       |add eax,0x3
00457CE2  |.  8D55 F0       |lea edx,[local.4]
00457CE5  |.  E8 1AFEFAFF   |call CKme.00407B04
00457CEA  |.  FF75 F0       |push [local.4]                          ;  comctl32.5D176041
00457CED  |.  8D55 E8       |lea edx,[local.6]
00457CF0  |.  8B83 D4020000 |mov eax,dword ptr ds:[ebx+0x2D4]
00457CF6  |.  E8 4DB6FCFF   |call CKme.00423348                      ;  聪A
00457CFB  |.  FF75 E8       |push [local.6]                          ;  12
00457CFE  |.  8D55 E4       |lea edx,[local.7]
00457D01  |.  8BC6          |mov eax,esi
00457D03  |.  E8 FCFDFAFF   |call CKme.00407B04
00457D08  |.  FF75 E4       |push [local.7]                          ;  comctl32.5D176074
00457D0B  |.  8D45 FC       |lea eax,[local.1]
00457D0E  |.  BA 03000000   |mov edx,0x3
00457D13  |.  E8 24BFFAFF   |call CKme.00403C3C
00457D18  |.  46            |inc esi
00457D19  |.  83FE 13       |cmp esi,0x13
00457D1C  |.^ 75 AB         \jnz short CKme.00457CC9
00457D1E  |.  8D55 E0       lea edx,[local.8]
00457D21  |.  8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]         ;  聪A
00457D27  |.  E8 1CB6FCFF   call CKme.00423348
00457D2C  |.  8B45 E0       mov eax,[local.8]                        ;  输入的序列号:34
00457D2F  |.  8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]         ;  黑头Sun Bird7dseloffc-012-OK12
00457D35  |.  E8 52BFFAFF   call CKme.00403C8C
00457D3A  |.  75 0A         jnz short CKme.00457D46
00457D3C  |.  C783 0C030000>mov dword ptr ds:[ebx+0x30C],0x3E
00457D46  |>  8B83 0C030000 mov eax,dword ptr ds:[ebx+0x30C]
00457D4C  |.  83C0 10       add eax,0x10
00457D4F  |.  8983 FC020000 mov dword ptr ds:[ebx+0x2FC],eax
00457D55  |.  83C0 23       add eax,0x23

分析得出:设输入的账号为cname, 其长度为len, 则注册码为:“黑头Sun Bird” + len + “dseloffc-012-OK” + cname

#include <iostream>
#include <string>

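// Builds the serial that the CrackMe's check accepts for an account name.
//
// Why len + 5 and not len: in the trace above, [ebx+0x2F8] (annotated as the
// account length, 2 for "12") has 5 added to it (esi = 7) before it is
// converted to a string, and the value later compared with the entered
// serial is "黑头Sun Bird7dseloffc-012-OK12". Inserting the raw length would
// yield "...Bird2..." and fail that comparison.
//
// @param cname account name entered in the CrackMe
// @return the matching serial string
static std::string make_serial(const std::string& cname) {
	// size() replaces strlen(): no <cstring> dependency, no size_t->unsigned narrowing.
	const auto len = cname.size();

	std::string rs = "黑头Sun Bird";
	rs += std::to_string(len + 5);
	rs += "dseloffc-012-OK";
	rs += cname;
	return rs;
}

// Prints the serial for the sample account "12" used throughout the trace.
int main() {
	const std::string cname = "12";

	// '\n' instead of std::endl: no flush needed, stdout is flushed at exit anyway.
	std::cout << "Serial: " << make_serial(cname) << '\n';

	return 0;
}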