Nullz CrackMe 1.1破解過程 (13千字)
軟體名稱:Nullz CrackMe 1.1
下載地址:http://go6.163.com/ddxia/crackme/Nullz_crackMe1.1.zip
特點:共分五個小過程,難度逐級遞增。
使用工具:TRW2000
我是剛學不久,平時也沒太多時間練習,沒寫過過程,所以不足之處還請多多包涵啊!
好了,廢話少說,我們開始吧!!(廣告詞?……)
1.非常簡單 (only Reg.Key)
bpx hmemcpy
pmodule
bpx hmemcpy 是在 Windows 9x 的 16 位元 KERNEL 複製編輯框文字時中斷(hmemcpy 在 NT 核心上不存在,請改用 bpx GetDlgItemTextA / GetWindowTextA 之類的 32 位元 API),pmodule 再一路回到主模組,就到了下面的地方了
:004019D8 E801120000
Call 00402BDE
:004019DD 8D542410
lea edx, dword ptr [esp+10]
:004019E1 8D44242C
lea eax, dword ptr [esp+2C]
:004019E5 52
push edx //註冊碼
:004019E6 50
push eax //你輸入的假碼
* Reference To: KERNEL32.lstrcmpA, Ord:0295h
|
:004019E7 FF1508404000
Call dword ptr [00404008] //比較函式
:004019ED 85C0
test eax, eax
:004019EF 755A
jne 00401A4B //跳走就錯
:004019F1 6870434000
push 00404370
:004019F6 8D4C2410
lea ecx, dword ptr [esp+10]
Reg.Key是個字串常量:qJT62aWfviq0P57JGs2FelQkX。因為它是寫死在程式裡的明文,其實不用動態除錯,用 strings 或十六進位編輯器在檔案裡就能直接找到;另外 lstrcmpA 是區分大小寫的精確比較,所以大小寫要一字不差。
2.簡單 (User Name &
Reg.Key)
還是bpx hmemcpy,pmodule.
* Reference
To: MFC42.Ordinal:0C1A, Ord:0C1Ah
|
:00401AF2 E8E7100000 Call
00402BDE
:00401AF7 8D542414
lea edx, dword ptr [esp+14]
:00401AFB 52
push edx //User
Name
* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
:00401AFC FF1500404000
Call dword ptr [00404000] //取字串長度
:00401B02 8BF0
mov esi, eax
:00401B04 83FE05
cmp esi, 00000005 //User Name長度至少是5
:00401B07 7311
jnb 00401B1A
:00401B09
6A40 push
00000040
* Possible StringData Ref from Data Obj ->"CrackMe"
|
:00401B0B 6804514000
push 00405104
* Possible StringData Ref from Data
Obj ->"User Name must have at least 5 "
->"characters."
|
:00401B10 68D8504000 push
004050D8
:00401B15 E9BA000000
jmp 00401BD4
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00401B07(C)
|
:00401B1A B801000000
mov eax, 00000001
:00401B1F 33FF
xor edi, edi
:00401B21
3BF0 cmp
esi, eax
:00401B23 7211
jb 00401B36
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00401B34(C)
|
:00401B25 0FBE4C0414
movsx ecx, byte ptr [esp+eax+14]
//註冊碼演算法開始:eax 從 1 跑到 esi(User Name 長度),每圈 edi = (name[eax] + edi) * eax。
//注意索引從 1 起算,所以第 0 個字元不參與;而 eax == esi 時讀到的是結尾的 0 位元組(因此用的是 jbe 而非 jb),也會被乘進去。
:00401B2A 03CF
add ecx, edi
:00401B2C 0FAFC8
imul ecx, eax
:00401B2F 40
inc eax
:00401B30
8BF9 mov
edi, ecx
:00401B32 3BC6
cmp eax, esi
:00401B34 76EF
jbe 00401B25
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00401B23(C)
|
:00401B36 33C9
xor ecx, ecx
:00401B38 85F6
test esi, esi
:00401B3A 7620
jbe 00401B5C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00401B5A(C)
|
:00401B3C 0FBE6C0C14
movsx ebp, byte ptr [esp+ecx+14]
:00401B41 8BC7
mov eax, edi
:00401B43 33D2
xor edx, edx
:00401B45 F7F5
div ebp
:00401B47 33D2
xor edx, edx
:00401B49
BD0A000000 mov ebp, 0000000A
:00401B4E F7F5
div ebp
:00401B50 80C230
add dl, 30
:00401B53 88540C48
mov byte ptr [esp+ecx+48], dl
:00401B57 41
inc ecx
:00401B58
3BCE cmp
ecx, esi
:00401B5A 72E0
jb 00401B3C //註冊碼演算法結束:第二個迴圈對 ecx = 0..len-1 算 key[ecx] = '0' + ((edi / name[ecx]) % 10),edi 就是上面第一個迴圈的結果。
//movsx 是帶號擴充,0x80 以上的字元會變成負數(除數成了極大的無號數,商幾乎必為 0),所以非 ASCII 的 User Name 會得到一串 '0'。
//以 eighth 驗算:第一迴圈得 204240,逐字元 204240/101%10=2、/105→5、/103→2、/104→3、/116→0、/104→3,即 252303,與下文相符。
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00401B3A(C)
|
:00401B5C 8D542448
lea edx, dword ptr [esp+48]
:00401B60 8D44247C lea
eax, dword ptr [esp+7C]
:00401B64 52
push edx //註冊碼
:00401B65
50
push eax //你輸入的Reg.Key
* Reference To: KERNEL32.lstrcmpA,
Ord:0295h
|
:00401B66 FF1508404000
Call dword ptr [00404008] //比較函式
:00401B6C 85C0
test eax, eax
:00401B6E 7550
jne 00401BC0 //不同跳走
:00401B70 6870434000
push 00404370
:00401B75 8D4C2414
lea ecx, dword ptr [esp+14]
我的註冊碼: User Name: eighth
Reg.Key
: 252303
3.一般簡單 (User Name & Reg.Key)
老一套bpx hmemcpy,pmodule.
* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:00401C7E E8670F0000
Call 00402BEA
:00401C83 8B6C2418
mov ebp, dword ptr [esp+18]
//User Name
:00401C87 8B55F8
mov edx, dword ptr [ebp-08] //User Name長度(ebp 指向 MFC CString 的字元資料,資料前 8 位元組是 CStringData 的 nDataLength 欄位;下面的 jge 是帶號比較)
:00401C8A 83FA05
cmp edx, 00000005
:00401C8D 7D11
jge 00401CA0
//長度不小於5
:00401C8F 6A40
push 00000040
* Possible StringData
Ref from Data Obj ->"CrackMe"
|
:00401C91
6804514000 push 00405104
* Possible StringData Ref from Data Obj ->"User Name must have at least 5
"
->"characters."
|
:00401C96 68D8504000
push 004050D8
:00401C9B E9E2000000
jmp 00401D82
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00401C8D(C)
|
:00401CA0 33C0
xor eax, eax
:00401CA2 3BD3
cmp edx, ebx
:00401CA4 7E3C
jle 00401CE2
:00401CA6 B901000000
mov ecx, 00000001
:00401CAB 33FF
xor edi, edi
:00401CAD 2BCD
sub ecx, ebp
:00401CAF 894C241C
mov dword ptr [esp+1C], ecx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00401CDA(C)
|
:00401CB3 0FBE5C0500
movsx ebx, byte ptr [ebp+eax]
//註冊碼演算法開始:eax = 0..len-1,每圈 esi = ((esi + name[eax]) ^ (eax << 8)) * (eax + 1) * ~edi,之後 edi += len。
//其中 [esp+1C] 存的是 1-ebp,和 lea ecx,[ebp+eax] 相加後就是 eax+1。esi 的初值在這段列表之前就已設定,自己寫序號產生器時要先確認它。
:00401CB8 8D4C0500
lea ecx, dword ptr [ebp+eax]
:00401CBC 03F3
add esi, ebx
:00401CBE 8BD8
mov ebx, eax
:00401CC0 C1E308
shl ebx, 08
:00401CC3 33F3
xor esi, ebx
:00401CC5 8B5C241C
mov ebx, dword ptr [esp+1C]
:00401CC9
03D9 add
ebx, ecx
:00401CCB 8BCF
mov ecx, edi
:00401CCD 0FAFF3
imul esi, ebx
:00401CD0 F7D1
not ecx
:00401CD2 0FAFF1
imul esi, ecx
:00401CD5
40
inc eax
:00401CD6 03FA
add edi, edx
:00401CD8 3BC2
cmp eax, edx
:00401CDA 7CD7
jl 00401CB3
//註冊碼演算法結束:接著 push esi 並以 "%lu" 格式化(MFC42 ordinal 0B02,應是 CString::Format),真碼就是 esi 的無號十進位字串。
:00401CDC 8B7C2420
mov edi, dword ptr [esp+20]
:00401CE0 33DB
xor ebx, ebx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00401CA4(C)
|
:00401CE2 56
push esi
:00401CE3 8D542414
lea edx, dword ptr [esp+14]
* Possible StringData
Ref from Data Obj ->"%lu"
|
:00401CE7
682C514000 push 0040512C
:00401CEC 52
push edx
* Reference To: MFC42.Ordinal:0B02, Ord:0B02h
|
:00401CED E8F20E0000
Call 00402BE4
:00401CF2 8B74241C
mov esi, dword ptr [esp+1C] //真碼
:00401CF6 8B442420
mov eax, dword ptr [esp+20] //假碼
:00401CFA 83C40C
add esp, 0000000C
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D1B(C)
|
:00401CFD 8A10
mov dl, byte ptr [eax] //逐位比較:這不是作者多此一舉,而很可能是編譯器把 strcmp 內嵌展開後的標準樣式(每圈比兩個位元組,cmp cl,bl 用 bl=0 檢查字串結尾),效果與前兩關的 lstrcmpA 相同
:00401CFF
8ACA mov
cl, dl
:00401D01 3A16
cmp dl, byte ptr [esi]
:00401D03 751C
jne 00401D21
:00401D05 3ACB
cmp cl, bl
:00401D07 7414
je 00401D1D
:00401D09 8A5001
mov dl, byte ptr [eax+01]
:00401D0C 8ACA
mov cl, dl
:00401D0E 3A5601
cmp dl, byte ptr [esi+01]
:00401D11 750E
jne 00401D21
:00401D13 83C002
add eax, 00000002
:00401D16 83C602
add esi, 00000002
:00401D19 3ACB
cmp cl, bl
:00401D1B 75E0
jne 00401CFD
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00401D07(C)
|
:00401D1D 33C0
xor eax, eax
:00401D1F EB05
jmp 00401D26
我的註冊碼: User Name: eighth
Reg.Key
: 2990909536
4.一般吧 (User Name,Company & Reg.Key)
不過Company好像沒用到啊!?
管它呢,bpx hmemcpy,pmodule再說。
* Reference To: MFC42.Ordinal:0C19,
Ord:0C19h
|
:00401E43 E8A20D0000
Call 00402BEA
:00401E48 8D542414
lea edx, dword ptr [esp+14]
:00401E4C 8BCD
mov ecx, ebp
:00401E4E 52
push edx
:00401E4F 68ED030000
push 000003ED
* Reference To: MFC42.Ordinal:0C19,
Ord:0C19h
|
:00401E54 E8910D0000
Call 00402BEA
:00401E59 8B442410
mov eax, dword ptr [esp+10]
//User Name
:00401E5D 8B40F8
mov eax, dword ptr [eax-08]
:00401E60 83F805
cmp eax, 00000005
:00401E63 0F8CCD000000 jl 00401F36
//長度不小於5且不大於0x100(十六進位,即 256);這裡的 jl/jg 都是帶號比較
:00401E69 3D00010000 cmp
eax, 00000100
:00401E6E 0F8FC2000000
jg 00401F36
:00401E74 8B4C2414
mov ecx, dword ptr [esp+14]
:00401E78 3959F8
cmp dword ptr [ecx-08], ebx
:00401E7B
0F84C8000000 je 00401F49
:00401E81
8D542418 lea edx, dword
ptr [esp+18]
:00401E85 8D4C241C
lea ecx, dword ptr [esp+1C]
:00401E89 52
push edx
:00401E8A
51
push ecx
:00401E8B 8D542418
lea edx, dword ptr [esp+18]
:00401E8F 50
push eax
:00401E90 52
push edx
:00401E91 8BCD
mov ecx, ebp
:00401E93 E8B8010000
call 00402050 //計算註冊碼的call(thiscall,ecx=ebp):傳入 User Name 的 CString 與長度 eax,以及 [esp+18]、[esp+1C] 兩個輸出槽;回來後用 "%lu-%X" 把 [esp+1C]、[esp+18] 組成真碼。很簡單,你要是有時間可以
:00401E98
8B442418 mov eax, dword
ptr [esp+18] //自己算一算啊。
:00401E9C 8B4C241C
mov ecx, dword ptr [esp+1C]
:00401EA0
50
push eax
:00401EA1 51
push ecx
:00401EA2 8D542428
lea edx, dword ptr [esp+28]
* Possible StringData
Ref from Data Obj ->"%lu-%X"
|
:00401EA6
6880514000 push 00405180
:00401EAB 52
push edx
* Reference To: USER32.wsprintfA, Ord:0264h
|
:00401EAC FF155C424000
Call dword ptr [0040425C]
:00401EB2 83C410
add esp, 00000010
:00401EB5
8D442420 lea eax, dword
ptr [esp+20]
:00401EB9 50
push eax
* Reference To: KERNEL32.lstrlenA,
Ord:02A1h
|
:00401EBA FF1500404000
Call dword ptr [00404000]
:00401EC0 8D4C2414
lea ecx, dword ptr [esp+14]
:00401EC4 8BF8
mov edi, eax
* Reference To: MFC42.Ordinal:106B, Ord:106Bh
|
:00401EC6 E8250D0000
Call 00402BF0
:00401ECB 8B442414
mov eax, dword ptr [esp+14] //這裡你可以看到真碼和假碼
:00401ECF 8D542420
lea edx, dword ptr [esp+20] //不過不能直接使用,看下邊
:00401ED3 8B48F8
mov ecx, dword ptr [eax-08]
:00401ED6 2BC2
sub eax, edx
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00401EF0(C)
|
:00401ED8 3BF1
cmp esi, ecx
//這裡往下是註冊碼的比較!
:00401EDA 7D0D
jge 00401EE9
:00401EDC 8D543420
lea edx, dword ptr [esp+esi+20]
:00401EE0
8A1402 mov dl, byte
ptr [edx+eax]
:00401EE3 3A543420
cmp dl, byte ptr [esp+esi+20] //逐位元組比較:dl 是 [esp+14] 那個 CString 的第 esi 個字元,右邊是 wsprintf 產生的真碼的第 esi 個字元;這個迴圈本身是正向比較
:00401EE7
7509 jne
00401EF2
//作者觀察到的「逆序」並不是這個迴圈造成的,應是 00401EC6 那個以 [esp+14] 為 this 呼叫的 MFC42 ordinal 106B(推測為 CString::MakeReverse)先把輸入反轉了,
//也就是說,上面得到的註冊碼要反過來寫;建議在該 call 前後各下一次斷點看 [esp+14] 的內容來確認,呵呵!
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00401EDA(C)
|
:00401EE9 8A543421
mov dl, byte ptr [esp+esi+21]
:00401EED
46
inc esi
:00401EEE 3AD3
cmp dl, bl
:00401EF0 7FE6
jg 00401ED8
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00401EE7(C)
|
:00401EF2 2BF7
sub esi, edi //已比對的字元數必須等於 lstrlenA 算出的真碼長度 edi,否則下一行跳走:多打或少打一個字元都不行
:00401EF4 752A
jne 00401F20
:00401EF6 6870434000
push 00404370
:00401EFB 8D4C2414
lea ecx, dword ptr [esp+14]
我的註冊碼: User Name: eighth
Reg.Key : 7235845622
5.有一點難度,不過文章太長了就沒法看了,所以現在請你自己試試吧!呵呵 :)
注意一下以下四個跳轉就可以了:00402733,00402742,00402751,004027F8.
6.作者還沒寫出來,我也沒有辦法啊!:-(
第一次寫過程,讓大家見笑了,還請多多批評指正。另外這個CrackMe的演算法非常簡單,
初初哥可以用它練習一下寫序號產生器,可以信心倍增啊!初哥我就懶得寫了,呵呵!