環境:Windows XP sp3
先打開,看看長什么樣:
OD載入,右鍵->查找->所有參考文本字串
找到Sorry,The serial is incorect
找到后就在反匯編窗口跟隨,往上翻:
0042F998 /. 55 push ebp
0042F999 |. 8BEC mov ebp,esp
0042F99B |. 33C9 xor ecx,ecx
0042F99D |. 51 push ecx
0042F99E |. 51 push ecx
0042F99F |. 51 push ecx
0042F9A0 |. 51 push ecx
0042F9A1 |. 51 push ecx
0042F9A2 |. 51 push ecx
0042F9A3 |. 53 push ebx
0042F9A4 |. 56 push esi
0042F9A5 |. 8BD8 mov ebx,eax
0042F9A7 |. 33C0 xor eax,eax
0042F9A9 |. 55 push ebp
0042F9AA |. 68 67FB4200 push Acid_bur.0042FB67
0042F9AF |. 64:FF30 push dword ptr fs:[eax]
0042F9B2 |. 64:8920 mov dword ptr fs:[eax],esp
0042F9B5 |. C705 50174300>mov dword ptr ds:[0x431750],0x29 ;注意這里把0x29放進[431750]
0042F9BF |. 8D55 F0 lea edx,[local.4]
0042F9C2 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 |. E8 8BB0FEFF call Acid_bur.0041AA58
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax]
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3
0042F9F3 2BF0 sub esi,eax
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1]
0042FA0A |. C1E0 04 shl eax,0x4
0042FA0D |. 03F0 add esi,eax
0042FA0F |. 8935 54174300 mov dword ptr ds:[0x431754],esi
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3]
0042FA2A |. 6BF0 0B imul esi,eax,0xB
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2]
0042FA42 |. 6BC0 0E imul eax,eax,0xE
0042FA45 |. 03F0 add esi,eax
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C] ; 拿出輸入的名稱
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930
0042FA57 |. 83F8 04 cmp eax,0x4 ; 和4比較
0042FA5A |. 7D 1D jge XAcid_bur.0042FA79 ; 長度大于4
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect ! 找到這里來
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58 ; 算出輸入名稱的個數
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; 拿出首字母x
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; x = x*29
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; x = x*2
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; CW
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACKED
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2]
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC ; 將serial拼接生成
0042FAEA |. 8D55 F0 lea edx,[local.4] ; CW-[431750]-CRACKED
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; 這里[431750]的值要轉為10進制
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58 ; 拿到輸入的serial
0042FAF8 |. 8B55 F0 mov edx,[local.4]
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC ; 比較生成的和輸入的
0042FB03 |. 75 1A jnz XAcid_bur.0042FB1F ; 不對就跳
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp XAcid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170
0042FB37 |> 33C0 xor eax,eax
0042FB39 |. 5A pop edx
0042FB3A |. 59 pop ecx
0042FB3B |. 59 pop ecx
0042FB3C |. 64:8910 mov dword ptr fs:[eax],edx
0042FB3F |. 68 6EFB4200 push Acid_bur.0042FB6E
0042FB44 |> 8D45 E8 lea eax,[local.6]
0042FB47 |. E8 243BFDFF call Acid_bur.00403670
0042FB4C |. 8D45 EC lea eax,[local.5]
0042FB4F |. BA 02000000 mov edx,0x2
0042FB54 |. E8 3B3BFDFF call Acid_bur.00403694
0042FB59 |. 8D45 F4 lea eax,[local.3]
0042FB5C |. BA 03000000 mov edx,0x3
0042FB61 |. E8 2E3BFDFF call Acid_bur.00403694
0042FB66 \. C3 retn
得出serial,取輸入首字符x,
k = dec(x)*2*41
serial為:CW-k-CRACKED
2.另一個Serial:
方法也是查找字符串,這里是:
Failed! Try Again!!
只找Try Again的話會有兩個的
這次要找的是0042F58C這個字符串:
雙擊反匯編窗口跟隨,分析如下:
0042F470 ?/. ?55 ? ? ? ? ? ?push ebp
0042F471 ?|. ?8BEC ? ? ? ? ?mov ebp,esp
0042F473 ?|. ?33C9 ? ? ? ? ?xor ecx,ecx
0042F475 ?|. ?51 ? ? ? ? ? ?push ecx
0042F476 ?|. ?51 ? ? ? ? ? ?push ecx
0042F477 ?|. ?51 ? ? ? ? ? ?push ecx
0042F478 ?|. ?51 ? ? ? ? ? ?push ecx
0042F479 ?|. ?53 ? ? ? ? ? ?push ebx
0042F47A ?|. ?8BD8 ? ? ? ? ?mov ebx,eax
0042F47C ?|. ?33C0 ? ? ? ? ?xor eax,eax
0042F47E ?|. ?55 ? ? ? ? ? ?push ebp
0042F47F ?|. ?68 2CF54200 ? push Acid_bur.0042F52C
0042F484 ?|. ?64:FF30 ? ? ? push dword ptr fs:[eax]
0042F487 ?|. ?64:8920 ? ? ? mov dword ptr fs:[eax],esp
0042F48A ?|. ?8D45 FC ? ? ? lea eax,[local.1]
0042F48D ?|. ?BA 40F54200 ? mov edx,Acid_bur.0042F540 ? ? ? ? ? ? ? ?; ?Hello
0042F492 ?|. ?E8 7142FDFF ? call Acid_bur.00403708 ? ? ? ? ? ? ? ? ? ; ?hello跑到local.1這里了
1
0042F497 ?|. ?8D45 F8 ? ? ? lea eax,[local.2]
0042F49A ?|. ?BA 50F54200 ? mov edx,Acid_bur.0042F550 ? ? ? ? ? ? ? ?; ?Dude!
0042F49F ?|. ?E8 6442FDFF ? call Acid_bur.00403708 ? ? ? ? ? ? ? ? ? ; ?dude!跑到local.2這里了
2
0042F4A4 ?|. ?FF75 FC ? ? ? push [local.1]
0042F4A7 ?|. ?68 60F54200 ? push Acid_bur.0042F560 ? ? ? ? ? ? ? ? ? ; ?這個是空格
3
0042F4AC ?|. ?FF75 F8 ? ? ? push [local.2]
0042F4AF ?|. ?8D45 F4 ? ? ? lea eax,[local.3]
0042F4B2 ?|. ?BA 03000000 ? mov edx,0x3
0042F4B7 ?|. ?E8 F044FDFF ? call Acid_bur.004039AC ? ? ? ? ? ? ? ? ? ; ?拼接上面3個 —.—
0042F4BC ?|. ?8D55 F0 ? ? ? lea edx,[local.4]
0042F4BF ?|. ?8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042F4C5 ?|. ?E8 8EB5FEFF ? call Acid_bur.0041AA58 ? ? ? ? ? ? ? ? ? ; ?拿到自己輸入的
0042F4CA ?|. ?8B45 F0 ? ? ? mov eax,[local.4]
0042F4CD ?|. ?8B55 F4 ? ? ? mov edx,[local.3]
0042F4D0 ?|. ?E8 2745FDFF ? call Acid_bur.004039FC ? ? ? ? ? ? ? ? ? ; ?比較
0042F4D5 ?|. ?75 1A ? ? ? ? jnz XAcid_bur.0042F4F1 ? ? ? ? ? ? ? ? ? ; ?不同就跳
0042F4D7 ?|. ?6A 00 ? ? ? ? push 0x0
0042F4D9 ?|. ?B9 64F54200 ? mov ecx,Acid_bur.0042F564 ? ? ? ? ? ? ? ?; ?Congratz!
0042F4DE ?|. ?BA 70F54200 ? mov edx,Acid_bur.0042F570 ? ? ? ? ? ? ? ?; ?God Job dude !! =)
0042F4E3 ?|. ?A1 480A4300 ? mov eax,dword ptr ds:[0x430A48]
0042F4E8 ?|. ?8B00 ? ? ? ? ?mov eax,dword ptr ds:[eax]
0042F4EA ?|. ?E8 81ACFFFF ? call Acid_bur.0042A170
0042F4EF ?|. ?EB 18 ? ? ? ? jmp XAcid_bur.0042F509
0042F4F1 ?|> ?6A 00 ? ? ? ? push 0x0
0042F4F3 ?|. ?B9 84F54200 ? mov ecx,Acid_bur.0042F584 ? ? ? ? ? ? ? ?; ?Failed!
0042F4F8 ?|. ?BA 8CF54200 ? mov edx,Acid_bur.0042F58C ? ? ? ? ? ? ? ?; ?Try Again!!
0042F4FD ?|. ?A1 480A4300 ? mov eax,dword ptr ds:[0x430A48]
0042F502 ?|. ?8B00 ? ? ? ? ?mov eax,dword ptr ds:[eax]
0042F504 ?|. ?E8 67ACFFFF ? call Acid_bur.0042A170
0042F509 ?|> ?33C0 ? ? ? ? ?xor eax,eax
0042F50B ?|. ?5A ? ? ? ? ? ?pop edx
0042F50C ?|. ?59 ? ? ? ? ? ?pop ecx
0042F50D ?|. ?59 ? ? ? ? ? ?pop ecx
0042F50E ?|. ?64:8910 ? ? ? mov dword ptr fs:[eax],edx
0042F511 ?|. ?68 33F54200 ? push Acid_bur.0042F533
0042F516 ?|> ?8D45 F0 ? ? ? lea eax,[local.4]
0042F519 ?|. ?E8 5241FDFF ? call Acid_bur.00403670
0042F51E ?|. ?8D45 F4 ? ? ? lea eax,[local.3]
0042F521 ?|. ?BA 03000000 ? mov edx,0x3
0042F526 ?|. ?E8 6941FDFF ? call Acid_bur.00403694
0042F52B ?\. ?C3 ? ? ? ? ? ?retn
所以這里要填的是:
Hello Dude!
記得有個空格
3.去除Nag窗口
打開程序的時候會彈出一個窗口
OD載入,運行,窗口彈出的時候,回到OD
按下F12,然后Alt+F9回到程序領空
程序來到這里:
0042A19C |. 64:8920 mov dword ptr fs:[eax],esp
0042A19F |. 8B45 08 mov eax,[arg.1]
0042A1A2 |. 50 push eax ; /Style
0042A1A3 |. 57 push edi ; |Title
0042A1A4 |. 56 push esi ; |Text
0042A1A5 |. 8B43 24 mov eax,dword ptr ds:[ebx+0x24] ; |
0042A1A8 |. 50 push eax ; |hOwner
0042A1A9 |. E8 FAB5FDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0042A1AE |. 8945 FC mov [local.1],eax
; 來到這里
根據右下角棧的內容,找到了這個:
0012FE1C 0012FE50 指向下一個 SEH 記錄的指針
0012FE20 0042A1D0 SE處理程序
0012FE24 0012FE40
0012FE28 7C930228 ntdll.7C930228
0012FE2C 0042F610 Acid_bur.0042F610
0012FE30 009D1DB0
0012FE34 00000000
0012FE38 00000000
0012FE3C 019D207C
0012FE40 0012FF88
0012FE44 0042F79C Acid_bur.0042F79C
0012FE48 00000000
0012FE4C 00425643 返回到 Acid_bur.00425643
;選到這里按回車
0012FE50 0012FE5C 指向下一個 SEH 記錄的指針
0012FE54 0042564D SE處理程序
反匯編窗口來到這里:
00425618 . 55 push ebp
00425619 . 68 4D564200 push Acid_bur.0042564D
0042561E . 64:FF30 push dword ptr fs:[eax]
00425621 . 64:8920 mov dword ptr fs:[eax],esp
00425624 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00425627 . 66:83B8 CE010>cmp word ptr ds:[eax+0x1CE],0x0
0042562F . 74 12 je XAcid_bur.00425643
00425631 . 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
00425634 . 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
00425637 . 8B83 D0010000 mov eax,dword ptr ds:[ebx+0x1D0]
0042563D . FF93 CC010000 call dword ptr ds:[ebx+0x1CC]
;那就是在這里啟動那個Nag窗口的
00425643 > 33C0 xor eax,eax
;回車之后光標停在這里
00425645 . 5A pop edx
00425646 . 59 pop ecx
00425647 . 59 pop ecx
00425637下斷點,F7跟進去
call的內容是這樣的:
0042F784 6A 00 push 0x0
0042F786 B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call Acid_bur.0042A170
0042F79C . C3 retn
0042F797那個Call就是調用MessageBox了,那就在 0042F784 push 0x0這里直接retn 填充
0042F784 C3 retn
0042F785 90 nop
0042F786 B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call Acid_bur.0042A170
0042F79C . C3 retn
保存下來就好了
總結
以上是生活随笔為你收集整理的160 - 1 Acid burn的全部內容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網站內容還不錯,歡迎將生活随笔推薦給好友。
