OK, here I am again. I have been waiting two days, since for a long time I had nothing I could write up. I will not use a Crackme this time, because some people feel those are artificial. This time it is something practical: a recently released program, Mahjong Puzzle V1.04, here: http://skycn.softreg.com.cn/product...be-9524013efada . Use W32DASM to find the string reference "Registration Failure!" (after analysis, this is the relevant code):
Code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E16(C)
|
:00402E3F 8B3D88974000   MOV EDI, DWORD PTR [00409788]
00402, China
:00402E4A 33C0           XOR EAX, EAX
:00402E4C 8B6C2414       MOV EBP, DWORD PTR [ESP+14]
:00402E50 F3             REPZ
:00402E51 AB             STOSD
:00402E52 8B3D7C974000   MOV EDI, DWORD PTR [0040977C]
:00402E58 B940000000     MOV ECX, 00000040
:00402E5D F3             REPZ
:00402E5E AB             STOSD
:00402E5F 8B0D88974000   MOV ECX, DWORD PTR [00409788]

* Reference To: user32.SendDlgItemMessageA, Ord:020Fh
|
:00402E65 8B1D38714000   MOV EBX, DWORD PTR [00407138]
:00402E6B 51             PUSH ECX                      ; username buffer address [409788]
:00402E6C 6A10           PUSH 00000010
:00402E6E 6A0D           PUSH 0000000D                 ; WM_GETTEXT

* Possible Reference to Dialog: DialogID_0070, CONTROL_ID:03E8, ""
|
:00402E70 68E8030000     PUSH 000003E8                 ; control ID
:00402E75 55             PUSH EBP
:00402E76 FFD3           CALL EBX                      ; get the username
:00402E78 8B157C974000   MOV EDX, DWORD PTR [0040977C]
:00402E7E 52             PUSH EDX                      ; registration code buffer address [40977C]
:00402E7F 6A10           PUSH 00000010
:00402E81 6A0D           PUSH 0000000D                 ; WM_GETTEXT

* Possible Reference to Dialog: DialogID_0070, CONTROL_ID:03E9, ""
|
:00402E83 68E9030000     PUSH 000003E9                 ; control ID
:00402E88 55             PUSH EBP
:00402E89 FFD3           CALL EBX                      ; get the registration code
:00402E8B A188974000     MOV EAX, DWORD PTR [00409788]
:00402E90 803800         CMP BYTE PTR [EAX], 00
:00402E93 0F8438010000   JE 00402FD1
:00402E99 8B0D7C974000   MOV ECX, DWORD PTR [0040977C]
:00402E9F 803900         CMP BYTE PTR [ECX], 00
:00402EA2 0F8429010000   JE 00402FD1
:00402EA8 50             PUSH EAX                      ; push the username
:00402EA9 E822FEFFFF     CALL 00402CD0                 ; key CALL
:00402EAE 8B3D7C974000   MOV EDI, DWORD PTR [0040977C] ; entered (fake) code
:00402EB4 A188974000     MOV EAX, DWORD PTR [00409788] ; real code
00402, China
:00402EBC 8BF7           MOV ESI, EDI

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EDC(C)
|
:00402EBE 8A10           MOV DL, BYTE PTR [EAX]
:00402EC0 8ACA           MOV CL, DL
:00402EC2 3A16           CMP DL, BYTE PTR [ESI]
:00402EC4 751C           JNE 00402EE2
:00402EC6 84C9           TEST CL, CL
:00402EC8 7414           JE 00402EDE
:00402ECA 8A5001         MOV DL, BYTE PTR [EAX+01]
:00402ECD 8ACA           MOV CL, DL
:00402ECF 3A5601         CMP DL, BYTE PTR [ESI+01]
:00402ED2 750E           JNE 00402EE2
:00402ED4 83C002         ADD EAX, 00000002
:00402ED7 83C602         ADD ESI, 00000002
:00402EDA 84C9           TEST CL, CL
:00402EDC 75E0           JNE 00402EBE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EC8(C)
|
:00402EDE 33C0           XOR EAX, EAX
:00402EE0 EB05           JMP 00402EE7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402EC4(C), :00402ED2(C)
|
:00402EE2 1BC0           SBB EAX, EAX
:00402EE4 83D8FF         SBB EAX, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EE0(U)
|
:00402EE7 85C0           TEST EAX, EAX
:00402EE9 0F848D000000   JE 00402F7C

* Possible StringData Ref from Data Obj ->"52341546"      ; decoy
|
:00402EEF BEA4904000     MOV ESI, 004090A4
:00402EF4 8BC7           MOV EAX, EDI

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F14(C)
|
:00402EF6 8A10           MOV DL, BYTE PTR [EAX]
:00402EF8 8ACA           MOV CL, DL
:00402EFA 3A16           CMP DL, BYTE PTR [ESI]
:00402EFC 751C           JNE 00402F1A
:00402EFE 84C9           TEST CL, CL
:00402F00 7414           JE 00402F16
:00402F02 8A5001         MOV DL, BYTE PTR [EAX+01]
:00402F05 8ACA           MOV CL, DL
:00402F07 3A5601         CMP DL, BYTE PTR [ESI+01]
:00402F0A 750E           JNE 00402F1A
:00402F0C 83C002         ADD EAX, 00000002
:00402F0F 83C602         ADD ESI, 00000002
:00402F12 84C9           TEST CL, CL
:00402F14 75E0           JNE 00402EF6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F00(C)
|
:00402F16 33C0           XOR EAX, EAX
:00402F18 EB05           JMP 00402F1F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402EFC(C), :00402F0A(C)
|
:00402F1A 1BC0           SBB EAX, EAX
:00402F1C 83D8FF         SBB EAX, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F18(U)
|
:00402F1F 85C0           TEST EAX, EAX
:00402F21 7459           JE 00402F7C
:00402F23 A180974000     MOV EAX, DWORD PTR [00409780]
:00402F28 6A00           PUSH 00000000
:00402F2A 83F803         CMP EAX, 00000003

* Possible StringData Ref from Data Obj ->"User Registration"
|
:00402F2D 6898904000     PUSH 00409098
:00402F32 7D23           JGE 00402F57

* Possible StringData Ref from Data Obj ->"Registration code error! Please re-enter!"
|
00402, China: 0040707C
:00402F39 55             PUSH EBP

* Reference To: user32.MessageBoxA, Ord:01BEh
|
:00402F3A FF1534714000   CALL DWORD PTR [00407134]
:00402F40 A180974000     MOV EAX, DWORD PTR [00409780]
:00402F45 5F             POP EDI
:00402F46 40             INC EAX
:00402F47 5E             POP ESI
:00402F48 A380974000     MOV DWORD PTR [00409780], EAX
:00402F4D 5D             POP EBP
:00402F4E B801000000     MOV EAX, 00000001
:00402F53 5B             POP EBX
:00402F54 C21000         RET 0010
It is easy to find all of this by following the string reference from the error message. Then start from the beginning of this function. The first thing worth mentioning is how the program reads the text boxes. If breakpoints on GetWindowText and GetDlgItemText never fire for this program, what is it using instead? At 402E65 the address of the API function SendDlgItemMessage is loaded into EBX, and then CALL EBX is executed twice, so you can guess that these two calls fetch the username and the registration code. Look at the prototype:

LONG SendDlgItemMessage(
    HWND hDlg,        // dialog handle
    int nIDDlgItem,   // control ID
    UINT Msg,         // message to send
    WPARAM wParam,    // first additional value
    LPARAM lParam     // second additional value
);

From the code above you can see that the control ID is 3E8h (1000); using a resource editing tool you find that this is the username input box. What is the message numbered 0Dh? Winuser.h defines:

#define WM_SETTEXT        0x000C
#define WM_GETTEXT        0x000D
#define WM_GETTEXTLENGTH  0x000E

So it is WM_GETTEXT, whose parameters are:

wParam = (WPARAM) cchTextMax;   // number of characters to copy (the string length)
lParam = (LPARAM) lpszText;     // address of the buffer for the text (the destination address)

Now the code above is obvious: for the first call wParam is 10h, the maximum length, and lParam is [409788], the location of the username; remember it. The second call gets the entered (fake) registration code and puts it in [40977C]. A neat way to dodge the API breakpoints; it reminds me of Delphi. Next the program checks whether either string is empty, then pushes the username and calls. Hehe, follow the call: Code:
* Referenced by a CALL at Addresses:
|:00402EA9   , :004030ED
|
:00402CD0 53             PUSH EBX
:00402CD1 56             PUSH ESI
:00402CD2 57             PUSH EDI
:00402CD3 8B7C2410       MOV EDI, DWORD PTR [ESP+10]   ; EDI points to the username
:00402CD7 32DB           XOR BL, BL
:00402CD9 8BCF           MOV ECX, EDI
:00402CDB 8A07           MOV AL, BYTE PTR [EDI]
:00402CDD 84C0           TEST AL, AL
:00402CDF 740A           JE 00402CEB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402CE9(C)
|
:00402CE1 02D8           ADD BL, AL                    ; accumulate each character
:00402CE3 8A4101         MOV AL, BYTE PTR [ECX+01]     ; take the next character
:00402CE6 41             INC ECX
:00402CE7 84C0           TEST AL, AL
:00402CE9 75F6           JNE 00402CE1                  ; this is a loop
Note that the addition is ADD BL, AL: only the low 8 bits of the accumulated sum are kept, in BL.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402CDF(C)
|
:00402CEB A178974000     MOV EAX, DWORD PTR [00409778]
:00402CF0 33F6           XOR ESI, ESI
:00402CF2 A384974000     MOV DWORD PTR [00409784], EAX
:00402CF7 A174974000     MOV EAX, DWORD PTR [00409774]
:00402CFC 85C0           TEST EAX, EAX
:00402CFE 7E2D           JLE 00402D2D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D2B(C)
|
:00402D00 8A0C3E         MOV CL, BYTE PTR [ESI+EDI]    ; EDI points to the username, ESI is the loop counter: take a character
:00402D03 32CB           XOR CL, BL                    ; XOR each character with the sum BL computed above
:00402D05 51             PUSH ECX                      ; push the XOR result
:00402D06 E895FFFFFF     CALL 00402CA0                 ; key call, follow it
{
:00402CA0 0FBE442404     MOVSX EAX, BYTE PTR [ESP+04]  ; EAX = the XOR result
:00402CA5 030584974000   ADD EAX, DWORD PTR [00409784] ; [409784] is initially 989681h
:00402CAB 69C0697DAE42   IMUL EAX, 42AE7D69
:00402CB1 0531D40000     ADD EAX, 0000D431             ; D431h = 54321
:00402CB6 A384974000     MOV DWORD PTR [00409784], EAX ; store the result back; the next round uses it
:00402CBB C1F810         SAR EAX, 10                   ; arithmetic shift right by 10h (16)
:00402CBE 83E00F         AND EAX, 0000000F             ; keep only the low 4 bits (see below)
:00402CC1 C3             RET
}
:00402D0B 83C404         ADD ESP, 00000004
:00402D0E 88043E         MOV BYTE PTR [ESI+EDI], AL    ; AL is the value returned by the CALL above
:00402D11 3C0A           CMP AL, 0A
:00402D13 0FBEC0         MOVSX EAX, AL
:00402D16 7D05           JGE 00402D1D                  ; jump if AL >= 0A
:00402D18 83C030         ADD EAX, 00000030             ; if AL < 0A, add 30h
:00402D1B EB03           JMP 00402D20

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D16(C)
|
:00402D1D 83C041         ADD EAX, 00000041             ; if AL >= 0A, add 41h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D1B(U)
|
:00402D20 88043E         MOV BYTE PTR [ESI+EDI], AL    ; store the result; this is the final registration code
:00402D23 A174974000     MOV EAX, DWORD PTR [00409774] ; [409774] is a constant 8
:00402D28 46             INC ESI                       ; ESI is the loop counter
:00402D29 3BF0           CMP ESI, EAX
:00402D2B 7CD3           JL 00402D00                   ; here is the loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402CFE(C)
|
:00402D2D C6043800       MOV BYTE PTR [EAX+EDI], 00
:00402D31 5F             POP EDI
:00402D32 5E             POP ESI
:00402D33 5B             POP EBX
:00402D34 C3             RET
Let me say a few words about the shift operation. There is a SAR above; it differs from SHR in how the highest bit is handled. In case that is not clear, an example: 11011100 SHR 4 = 00001101, but 11011100 SAR 4 = 11111101. For the right shift here, however, we only keep the lowest 4 bits afterwards, so the difference in the high bits does not matter, and you can use an ordinary right shift (>>) instead. The other thing to mention is AND: there is an AND 0000000F, and I said it keeps only the lowest 4 bits. A beginner might not see why. AND gives 0 wherever either operand bit is 0, and where one operand bit is 1 the result equals the other operand's bit. So if we want to "mask off" bits 3 and 4 of an eight-bit value, we just AND it with 11110011. Likewise, since 0F = 1111, AND 0000000F keeps only the last four bits. After this CALL, the newly formed string is stored where the original username was. The following code then compares the two strings byte by byte, and any mismatch jumps to the failure branch... Take a look and try it yourself; it is very simple. Finally, there is a trap: there is a fixed string "52341546", and entering it shows the registered prompt, but in fact on the next start the program is still unregistered. To summarize my analysis: take the username, then for each character do some arithmetic using the sum of the username's characters, and you get the correct registration code. Isn't it simple? Code:
#include <stdio.h>
#include <string.h>

int main(void)
{
    char name[20] = {0};
    char password[20] = {0};
    unsigned int s = 0, k = 0, i;
    unsigned int len;
    int local;

    printf("please input your name:");
    scanf("%19s", name);                 /* bounded read, the buffer is 20 bytes */
    len = strlen(name);
    for (i = 0; i < len; i++)
    {
        s += name[i];
        s %= 0x100;                      /* keep only the low 8 bits, like BL */
    }
    local = 0x989681;                    /* the initial value of [409784] */
    for (i = 0; i < 8; i++)
    {
        k = s ^ name[i];                 /* bytes past the end of the name are 0 */
        k = (k + local) * 0x42ae7d69 + 0xD431;
        local = k;                       /* next round starts from this value */
        k >>= 0x10;                      /* sar */
        k %= 0x10;                       /* lowest 4 bits */
        if (k >= 0xa) k += 0x41;
        else k += 0x30;
        password[i] = k;
    }
    printf("Your Password IS:%s\n", password);
    printf("Keygen By Roba\nenjoy CRACKING!\n");
    return 0;
}

An example: username ROBA, registration code 0p6n0089.
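To back up the point about SAR versus SHR made above, here is a small C example, added here and not part of the original post or of the program, that implements both shifts explicitly (since `>>` on a negative signed value is implementation-defined in C) and shows that once the low nibble is masked with AND 0Fh the two forms give the same result. It uses the byte example 11011100 from the text plus a constructed negative 32-bit value.

```c
#include <stdint.h>
#include <stdio.h>

/* Logical shift right (SHR): the vacated high bits are filled with 0. */
static uint32_t shr32(uint32_t x, unsigned n)
{
    return n ? (x >> n) : x;
}

/* Arithmetic shift right (SAR): the vacated high bits are copies of the sign bit.
 * Built on shr32 so it does not depend on how the compiler shifts negatives. */
static uint32_t sar32(uint32_t x, unsigned n)
{
    uint32_t r = shr32(x, n);
    if (n && (x & 0x80000000u))          /* sign bit set: fill the top n bits with 1s */
        r |= ~(0xFFFFFFFFu >> n);
    return r;
}

/* The same idea for the 8-bit example in the text (11011100b = DCh). */
static uint8_t sar8(uint8_t x, unsigned n)
{
    uint8_t r = (uint8_t)(x >> n);
    if (n && (x & 0x80u))
        r |= (uint8_t)~(0xFFu >> n);
    return r;
}

/* The nibble the key routine actually uses: (value >> 16) & 0xF.
 * The mask discards every bit the sign fill could have changed, so the
 * arithmetic and logical versions are always identical. */
static int nibble_after_sar(uint32_t v) { return (int)(sar32(v, 16) & 0xF); }
static int nibble_after_shr(uint32_t v) { return (int)(shr32(v, 16) & 0xF); }

int main(void)
{
    uint8_t  b = 0xDC;                   /* 11011100b from the text */
    uint32_t v = 0xFFFF5A80u;            /* constructed negative 32-bit value */
    printf("byte: SHR 4 = %02X, SAR 4 = %02X\n", b >> 4, sar8(b, 4));
    printf("dword: SHR 16 = %08X, SAR 16 = %08X\n", shr32(v, 16), sar32(v, 16));
    printf("low nibble: %X (sar) vs %X (shr)\n",
           nibble_after_sar(v), nibble_after_shr(v));
    return 0;
}
```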