Let's look at the C++ source first. For an interface like this one, it is reasonable to guess that the code first obtains the edit box's window handle, then reads the box's content through that handle, and finally compares it against the password.
So GetDlgItem() and GetWindowTextA are the functions to watch. The C++ source looks like this:
void CCrackMeDlg::OnBnClickedOk()
{
    // TODO: Add your control notification handler code here
    CString con;
    // Fetch the edit control by its ID and read its text into con
    GetDlgItem(IDC_EDIT1)->GetWindowTextW(con);
    // Compare against the hard-coded password (CString operator==)
    if (con == L"123456")
    {
        MessageBox(L"恭喜,破解成功", L"提示", 0);
    }
    else
    {
        MessageBox(L"哎呀,又错了", 0, 0);
    }
}
Open the program in OD, press Ctrl+G to go to GetDlgItem and set a breakpoint on it, then type dsaadq121 into the edit box and click the button; execution breaks inside GetDlgItem,
as follows:
75C642BB > 6A 0C PUSH 0C
75C642BD 68 1043C675 PUSH USER32.75C64310
75C642C2 E8 5981FEFF CALL USER32.75C4C420
75C642C7 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
75C642CA E8 4182FEFF CALL USER32.75C4C510
75C642CF 85C0 TEST EAX,EAX
75C642D1 74 30 JE SHORT USER32.75C64303
75C642D3 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
75C642D7 FF75 0C PUSH DWORD PTR SS:[EBP+C]
75C642DA 50 PUSH EAX
75C642DB E8 41FCFFFF CALL USER32.75C63F21
75C642E0 85C0 TEST EAX,EAX
75C642E2 ^0F85 2DFCFFFF JNZ USER32.75C63F15
75C642E8 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
75C642EB 85C0 TEST EAX,EAX
75C642ED 75 0A JNZ SHORT USER32.75C642F9
75C642EF 68 8D050000 PUSH 58D
75C642F4 E8 0A86FDFF CALL USER32.75C3C903
75C642F9 C745 FC FEFFFFFF MOV DWORD PTR SS:[EBP-4],-2
75C64300 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
75C64303 E8 6881FEFF CALL USER32.75C4C470
75C64308 C2 0800 RETN 8
It breaks on the first line. Keep pressing F8,
or press Alt+F9 directly, or use Alt+M to set a memory access breakpoint on the debugged program's .text section; either way, once execution returns to CrackMe's own code you can see the code behind the button:
011117D8 |. 8BCE MOV ECX,ESI
011117DA |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
011117E1 |. FF15 58311101 CALL DWORD PTR DS:[<&mfc100u.#4805>] ; GetDlgItem
011117E7 |. 8BC8 MOV ECX,EAX ; look at the contents of 0024F094 here
011117E9 |. FF15 54311101 CALL DWORD PTR DS:[<&mfc100u.#7006>] ; GetWindowTextA
011117EF |. 68 98371101 PUSH OFFSET CrackMe.??_C@_1O@ODDLNOLO@?$>; UNICODE "123456"// this is where the password lives
011117F4 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
011117F7 |. FF15 5C311101 CALL DWORD PTR DS:[<&mfc100u.#2614>] ; CString's overloaded == operator
011117FD |. 6A 00 PUSH 0
011117FF |. 8BCE MOV ECX,ESI
01111801 |. 85C0 TEST EAX,EAX ; the result of the equality test is in eax
01111803 |. 75 0C JNZ SHORT CrackMe.01111811 ; not equal, i.e. the wrong-password handling is at 01111811
01111805 |. 68 A8371101 PUSH OFFSET CrackMe.??_C@_15EGCHAEPE@c?P>
0111180A |. 68 B0371101 PUSH OFFSET CrackMe.??_C@_1BA@PFFMMFML@?>
0111180F |. EB 07 JMP SHORT CrackMe.01111818
01111811 |> 6A 00 PUSH 0
01111813 |. 68 C0371101 PUSH OFFSET CrackMe.??_C@_1O@HBCGHOGJ@T?>
01111818 |> FF15 60311101 CALL DWORD PTR DS:[<&mfc100u.#7911>] ; mfc100u.59F7C711
0111181E |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
01111821 |. FF15 14331101 CALL DWORD PTR DS:[<&mfc100u.#902>] ; mfc100u.59DA0BEE
01111827 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0111182A |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
01111831 |. 59 POP ECX
01111832 |. 5E POP ESI
01111833 |. 8BE5 MOV ESP,EBP
01111835 |. 5D POP EBP
01111836 \. C3 RETN
01111837 CC INT3
At this point, all that is needed is to change 01111803 |. 75 0C JNZ SHORT CrackMe.01111811 ; not equal, i.e. the wrong-password handling is at 01111811
to NOP, and the crack succeeds.
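As an added example (not part of the original post), the following Python script decodes the relative jump encodings that appear in the two OD listings above and checks that the targets OD printed match what the raw bytes encode. The listing lines are copied from above; the parser and the helper names are my own, and it only decodes the short (rel8) and near (rel32) conditional/unconditional jump forms that occur on this page.

```python
import re
# Constructed sample: lines copied from the OllyDbg listings above (address,
# optional flow marker, opcode bytes, disassembly, optional ';' comment).
LISTING = """
75C642D1 74 30 JE SHORT USER32.75C64303
75C642E2 ^0F85 2DFCFFFF JNZ USER32.75C63F15
0111180F |. EB 07 JMP SHORT CrackMe.01111818
01111803 |. 75 0C JNZ SHORT CrackMe.01111811 ; not equal: wrong-password path
"""

HEX_BYTES = re.compile(r"(?:[0-9A-F]{2})+")

def parse_line(line):
    """Split one listing line into (address, opcode bytes, mnemonic, operand)."""
    line = line.split(";", 1)[0].strip()            # drop the analyst comment
    if not line:
        return None
    tokens = line.split()
    addr, raw, idx = int(tokens[0], 16), bytearray(), 1
    while idx < len(tokens):
        t = tokens[idx].lstrip("|.>\\^")            # OD flow markers: |. |> \. ^
        if t and not HEX_BYTES.fullmatch(t):
            break                                   # first non-hex token is the mnemonic
        raw += bytes.fromhex(t)
        idx += 1
    return addr, bytes(raw), tokens[idx], " ".join(tokens[idx + 1:])

def jump_target(addr, raw):
    """Next-instruction address plus signed displacement (rel8: 70-7F/EB; rel32: 0F 80-8F)."""
    op = raw[0]
    if len(raw) == 2 and (0x70 <= op <= 0x7F or op == 0xEB):
        disp = int.from_bytes(raw[1:], "little", signed=True)
    elif len(raw) == 6 and op == 0x0F and 0x80 <= raw[1] <= 0x8F:
        disp = int.from_bytes(raw[2:], "little", signed=True)
    else:
        return None                                 # not a relative jump we decode
    return (addr + len(raw) + disp) & 0xFFFFFFFF

def verify_listing(text):
    """Compare the target OD printed for each jump with the one decoded from the bytes."""
    results = []
    for line in text.strip().splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2].startswith("J"):
            addr, raw, mnemonic, operand = parsed
            shown = int(operand.rsplit(".", 1)[-1], 16)   # hex after the module name
            computed = jump_target(addr, raw)
            results.append((addr, mnemonic, shown, computed, shown == computed))
    return results
```

All four targets agree: the JNZ at 01111803 decodes to 01111811 because 75 0C means "jump 0x0C bytes forward from the next instruction" (01111805 + 0C). Replacing it with NOP therefore means two 0x90 bytes, since the instruction is two bytes long.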