160 - 1 Acid burn
Source: Internet | Posted: flinders大学 知乎 | Editor: 程序博客网 | Time: 2024/05/27 06:16
Environment: Windows XP SP3
First run the program to see what it looks like.
Load it in OD (OllyDbg), then right-click -> Search for -> All referenced text strings.
Find the string "Sorry,The serial is incorect".
Once found, follow it in the disassembler window and scroll up to the start of the routine:
0042F998 /. 55 push ebp
0042F999 |. 8BEC mov ebp,esp
0042F99B |. 33C9 xor ecx,ecx
0042F99D |. 51 push ecx
0042F99E |. 51 push ecx
0042F99F |. 51 push ecx
0042F9A0 |. 51 push ecx
0042F9A1 |. 51 push ecx
0042F9A2 |. 51 push ecx
0042F9A3 |. 53 push ebx
0042F9A4 |. 56 push esi
0042F9A5 |. 8BD8 mov ebx,eax
0042F9A7 |. 33C0 xor eax,eax
0042F9A9 |. 55 push ebp
0042F9AA |. 68 67FB4200 push Acid_bur.0042FB67
0042F9AF |. 64:FF30 push dword ptr fs:[eax]
0042F9B2 |. 64:8920 mov dword ptr fs:[eax],esp
0042F9B5 |. C705 50174300>mov dword ptr ds:[0x431750],0x29 ; note: 0x29 (41) is stored into [431750] here
0042F9BF |. 8D55 F0 lea edx,[local.4]
0042F9C2 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 |. E8 8BB0FEFF call Acid_bur.0041AA58
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax]
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3
0042F9F3 |. 2BF0 sub esi,eax
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1]
0042FA0A |. C1E0 04 shl eax,0x4
0042FA0D |. 03F0 add esi,eax
0042FA0F |. 8935 54174300 mov dword ptr ds:[0x431754],esi
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3]
0042FA2A |. 6BF0 0B imul esi,eax,0xB
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2]
0042FA42 |. 6BC0 0E imul eax,eax,0xE
0042FA45 |. 03F0 add esi,eax
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C] ; fetch the entered name
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930
0042FA57 |. 83F8 04 cmp eax,0x4 ; compare the length with 4
0042FA5A |. 7D 1D jge XAcid_bur.0042FA79 ; jump if the length is at least 4 (shorter names fail)
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect ! (the string we searched for leads here)
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58 ; read the entered name again
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; take the first character x
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; x = x*0x29
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; x = x*2
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; CW
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACKED
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2]
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC ; concatenate the pieces into the serial
0042FAEA |. 8D55 F0 lea edx,[local.4] ; CW-[431750]-CRACKED
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; the value of [431750] is converted to a decimal string
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58 ; read the entered serial
0042FAF8 |. 8B55 F0 mov edx,[local.4]
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC ; compare the generated serial with the entered one
0042FB03 |. 75 1A jnz XAcid_bur.0042FB1F ; jump if they differ
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp XAcid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170
0042FB37 |> 33C0 xor eax,eax
0042FB39 |. 5A pop edx
0042FB3A |. 59 pop ecx
0042FB3B |. 59 pop ecx
0042FB3C |. 64:8910 mov dword ptr fs:[eax],edx
0042FB3F |. 68 6EFB4200 push Acid_bur.0042FB6E
0042FB44 |> 8D45 E8 lea eax,[local.6]
0042FB47 |. E8 243BFDFF call Acid_bur.00403670
0042FB4C |. 8D45 EC lea eax,[local.5]
0042FB4F |. BA 02000000 mov edx,0x2
0042FB54 |. E8 3B3BFDFF call Acid_bur.00403694
0042FB59 |. 8D45 F4 lea eax,[local.3]
0042FB5C |. BA 03000000 mov edx,0x3
0042FB61 |. E8 2E3BFDFF call Acid_bur.00403694
0042FB66 \. C3 retn
So the serial works out as follows: take the first character x of the entered name (the name must be at least 4 characters long),
k = dec(x)*2*41, where dec(x) is the ASCII code of x in decimal and 41 is the 0x29 seeded into [431750],
and the serial is: CW-k-CRACKED
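As an added example that is not code from the original post, here is a Python reimplementation of the first serial check as reconstructed from the 0042F998 routine above; the function names are my own, and the name is treated as single-byte characters because the routine loads the first character with a byte-sized movzx.

```python
# Reimplementation of the first serial check of the Acid burn crackme,
# rebuilt from the disassembly of the routine at 0042F998.
# Constants are taken from the listing: 0x29 seeded into [431750], the
# literal pieces "CW", "-", "CRACKED", and the "cmp eax,0x4 / jge" length gate.
# [431754] and [431758] are also computed there from the first four bytes
# of the name, but nothing in the check reads them, so they are omitted.

SEED = 0x29          # mov dword ptr ds:[0x431750],0x29
MIN_NAME_LEN = 4     # cmp eax,0x4 / jge: shorter names go straight to "Sorry"


def name_ok(name: str) -> bool:
    """Mirror the length gate at 0042FA57: fewer than 4 characters fails."""
    return len(name) >= MIN_NAME_LEN


def serial_for(name: str) -> str:
    """Rebuild "CW-k-CRACKED" exactly as the routine concatenates it.

    k = ord(first char) * 0x29   (imul dword ptr ds:[0x431750])
    k = k * 2                    (add dword ptr ds:[0x431750],eax)
    k is then rendered as a decimal string (the call before the concat).
    """
    if not name_ok(name):
        raise ValueError("name must be at least 4 characters")
    x = name.encode("latin-1")[0]        # movzx eax, byte ptr ds:[eax]
    k = x * SEED                         # x = x*0x29
    k = k + k                            # x = x*2
    return "CW-" + str(k) + "-CRACKED"   # "CW" + "-" + str(k) + "-" + "CRACKED"


def check(name: str, serial: str) -> bool:
    """Equivalent of the compare at 0042FAFE: an exact string match."""
    return name_ok(name) and serial == serial_for(name)


if __name__ == "__main__":
    # constructed sample input
    for n in ("Alice", "Bob"):
        print(n, serial_for(n) if name_ok(n) else "(name too short)")
```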
2. The other serial:
The method is the same, searching for strings; this time the string is:
Failed! Try Again!!
If you only search for "Try Again" you will get two hits.
The one to follow this time is the string at 0042F58C:
Double-click it to follow in the disassembler window; the analysis is as follows:
0042F470 /. 55 push ebp
0042F471 |. 8BEC mov ebp,esp
0042F473 |. 33C9 xor ecx,ecx
0042F475 |. 51 push ecx
0042F476 |. 51 push ecx
0042F477 |. 51 push ecx
0042F478 |. 51 push ecx
0042F479 |. 53 push ebx
0042F47A |. 8BD8 mov ebx,eax
0042F47C |. 33C0 xor eax,eax
0042F47E |. 55 push ebp
0042F47F |. 68 2CF54200 push Acid_bur.0042F52C
0042F484 |. 64:FF30 push dword ptr fs:[eax]
0042F487 |. 64:8920 mov dword ptr fs:[eax],esp
0042F48A |. 8D45 FC lea eax,[local.1]
0042F48D |. BA 40F54200 mov edx,Acid_bur.0042F540 ; Hello
0042F492 |. E8 7142FDFF call Acid_bur.00403708 ; "Hello" ends up in local.1 (piece 1)
0042F497 |. 8D45 F8 lea eax,[local.2]
0042F49A |. BA 50F54200 mov edx,Acid_bur.0042F550 ; Dude!
0042F49F |. E8 6442FDFF call Acid_bur.00403708 ; "Dude!" ends up in local.2 (piece 2)
0042F4A4 |. FF75 FC push [local.1]
0042F4A7 |. 68 60F54200 push Acid_bur.0042F560 ; this one is a space (piece 3)
0042F4AC |. FF75 F8 push [local.2]
0042F4AF |. 8D45 F4 lea eax,[local.3]
0042F4B2 |. BA 03000000 mov edx,0x3
0042F4B7 |. E8 F044FDFF call Acid_bur.004039AC ; concatenate the three pieces above
0042F4BC |. 8D55 F0 lea edx,[local.4]
0042F4BF |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042F4C5 |. E8 8EB5FEFF call Acid_bur.0041AA58 ; read what we entered
0042F4CA |. 8B45 F0 mov eax,[local.4]
0042F4CD |. 8B55 F4 mov edx,[local.3]
0042F4D0 |. E8 2745FDFF call Acid_bur.004039FC ; compare
0042F4D5 |. 75 1A jnz XAcid_bur.0042F4F1 ; jump if they differ
0042F4D7 |. 6A 00 push 0x0
0042F4D9 |. B9 64F54200 mov ecx,Acid_bur.0042F564 ; Congratz!
0042F4DE |. BA 70F54200 mov edx,Acid_bur.0042F570 ; God Job dude !! =)
0042F4E3 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F4E8 |. 8B00 mov eax,dword ptr ds:[eax]
0042F4EA |. E8 81ACFFFF call Acid_bur.0042A170
0042F4EF |. EB 18 jmp XAcid_bur.0042F509
0042F4F1 |> 6A 00 push 0x0
0042F4F3 |. B9 84F54200 mov ecx,Acid_bur.0042F584 ; Failed!
0042F4F8 |. BA 8CF54200 mov edx,Acid_bur.0042F58C ; Try Again!!
0042F4FD |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F502 |. 8B00 mov eax,dword ptr ds:[eax]
0042F504 |. E8 67ACFFFF call Acid_bur.0042A170
0042F509 |> 33C0 xor eax,eax
0042F50B |. 5A pop edx
0042F50C |. 59 pop ecx
0042F50D |. 59 pop ecx
0042F50E |. 64:8910 mov dword ptr fs:[eax],edx
0042F511 |. 68 33F54200 push Acid_bur.0042F533
0042F516 |> 8D45 F0 lea eax,[local.4]
0042F519 |. E8 5241FDFF call Acid_bur.00403670
0042F51E |. 8D45 F4 lea eax,[local.3]
0042F521 |. BA 03000000 mov edx,0x3
0042F526 |. E8 6941FDFF call Acid_bur.00403694
0042F52B \. C3 retn
So the value to enter here is the fixed string:
Hello Dude!
Remember the space between the two words.
3. Removing the nag window
A message window pops up when the program starts.
Load it in OD and run it; when the window pops up, switch back to OD.
Press F12 to pause, then Alt+F9 to execute until a return into the program's own code.
The program arrives here:
0042A19C |. 64:8920 mov dword ptr fs:[eax],esp
0042A19F |. 8B45 08 mov eax,[arg.1]
0042A1A2 |. 50 push eax ; /Style
0042A1A3 |. 57 push edi ; |Title
0042A1A4 |. 56 push esi ; |Text
0042A1A5 |. 8B43 24 mov eax,dword ptr ds:[ebx+0x24] ; |
0042A1A8 |. 50 push eax ; |hOwner
0042A1A9 |. E8 FAB5FDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0042A1AE |. 8945 FC mov [local.1],eax ; we land here
Looking at the stack pane in the lower right, I found this:
0012FE1C 0012FE50 Pointer to next SEH record
0012FE20 0042A1D0 SE handler
0012FE24 0012FE40
0012FE28 7C930228 ntdll.7C930228
0012FE2C 0042F610 Acid_bur.0042F610
0012FE30 009D1DB0
0012FE34 00000000
0012FE38 00000000
0012FE3C 019D207C
0012FE40 0012FF88
0012FE44 0042F79C Acid_bur.0042F79C
0012FE48 00000000
0012FE4C 00425643 RETURN to Acid_bur.00425643 ; select this entry and press Enter
0012FE50 0012FE5C Pointer to next SEH record
0012FE54 0042564D SE handler
The disassembler window then arrives here:
00425618 . 55 push ebp
00425619 . 68 4D564200 push Acid_bur.0042564D
0042561E . 64:FF30 push dword ptr fs:[eax]
00425621 . 64:8920 mov dword ptr fs:[eax],esp
00425624 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00425627 . 66:83B8 CE010>cmp word ptr ds:[eax+0x1CE],0x0
0042562F . 74 12 je XAcid_bur.00425643
00425631 . 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
00425634 . 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
00425637 . 8B83 D0010000 mov eax,dword ptr ds:[ebx+0x1D0]
0042563D . FF93 CC010000 call dword ptr ds:[ebx+0x1CC] ; this is the call that brings up the nag window
00425643 > 33C0 xor eax,eax ; after pressing Enter the cursor stops here
00425645 . 5A pop edx
00425646 . 59 pop ecx
00425647 . 59 pop ecx
The target of that call looks like this:
0042F784 6A 00 push 0x0
0042F786 B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call Acid_bur.0042A170
0042F79C . C3 retn
The call at 0042F797 is what ends up showing the MessageBox, so the whole routine can be short-circuited by assembling a retn over the push 0x0 at 0042F784 (the leftover byte becomes a nop):
0042F784 C3 retn
0042F785 90 nop
0042F786 B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call Acid_bur.0042A170
0042F79C . C3 retn
Save the patched executable and the nag is gone.