160个练手CrackMe-048

1、无壳


2、OD载入

; Call site that queries one checkbox: the value in ecx is pushed as the control ID
; and [ebp+0x8] as the dialog window handle. The same four instructions appear inside
; the check loop in the full listing further down.
00401139   .  51            push ecx                                 ; /ButtonID
0040113A   .  FF75 08       push dword ptr ss:[ebp+0x8]              ; |hWnd
0040113D   .  E8 D0010000   call <jmp.&USER32.IsDlgButtonChecked>    ; \IsDlgButtonChecked
00401142   .  46            inc esi                                  ; table index advances right after the call

先看一下所有选择框的ButtonID,按对话框布局依次为(注意:这是界面上的排列顺序,与下文Decompile中ButtonID数组的顺序不同;数组末尾的77即0x4D是结束标记,不对应任何选择框):

97 73 94 22 37 38 33 89 83
21 55 49 72 93 12 82 39 29


注册算法部分:

; Registration check. Walks the byte table at 0x4020FE, asks IsDlgButtonChecked for
; each entry, and for every checked box adds (entry * next entry * 1-based position)
; to the dword at 0x402162. The walk stops at the 0x4D entry; the sum is then
; multiplied by 0x4D and compared with 0xF35466.
00401117   > /33F6          xor esi,esi                              ; esi = 0, index into the table at 0x4020FE
00401119   . |33D2          xor edx,edx
0040111B   . |8935 5E214000 mov dword ptr ds:[0x40215E],esi          ; clear the "current ID" slot
00401121   . |8935 62214000 mov dword ptr ds:[0x402162],esi          ; clear the running sum
00401127   > |0FBE8E FE2040>movsx ecx,byte ptr ds:[esi+0x4020FE]     ; ecx = table[esi], sign-extended byte
0040112E   . |83F9 4D       cmp ecx,0x4D                             ; 0x4D (77) is the end-of-table marker
00401131   . |74 2F         je XDueList_.00401162                    ; marker reached: go to the final comparison
00401133   . |890D 5E214000 mov dword ptr ds:[0x40215E],ecx          ; remember the ID about to be tested
00401139   . |51            push ecx                                 ; /ButtonID
0040113A   . |FF75 08       push dword ptr ss:[ebp+0x8]              ; |hWnd
0040113D   . |E8 D0010000   call <jmp.&USER32.IsDlgButtonChecked>    ; \IsDlgButtonChecked
00401142   . |46            inc esi                                  ; index is bumped before the result is examined
00401143   . |83F8 00       cmp eax,0x0
00401146   .^|74 DF         je XDueList_.00401127                    ; box not checked: contributes nothing
00401148   . |A1 5E214000   mov eax,dword ptr ds:[0x40215E]          ; eax = ID that was just tested
0040114D   . |0FBE8E FE2040>movsx ecx,byte ptr ds:[esi+0x4020FE]     ; ecx = following table entry (esi already incremented)
00401154   . |0FAFC1        imul eax,ecx                             ; ID * next entry
00401157   . |0FAFC6        imul eax,esi                             ; * position, counted from 1
0040115A   . |0105 62214000 add dword ptr ds:[0x402162],eax          ; sum += product
00401160   .^|EB C5         jmp XDueList_.00401127
00401162   > |A1 62214000   mov eax,dword ptr ds:[0x402162]          ; eax = accumulated sum
00401167   . |6BC0 4D       imul eax,eax,0x4D                        ; sum * 0x4D
0040116A   . |3D 6654F300   cmp eax,0xF35466                         ; the single constant the whole check depends on
0040116F   . |75 20         jnz XDueList_.00401191                   ; mismatch: failure message box
00401171   . |68 00200000   push 0x2000                              ; /Style = MB_OK|MB_TASKMODAL
00401176   . |68 01204000   push DueList_.00402001                   ; |Duelist's Crackme #3
0040117B   . |68 17204000   push DueList_.00402017                   ; |Congratulations! Please send a screenshot of your solution to duelist@beer.com!
00401180   . |6A 00         push 0x0                                 ; |hOwner = NULL
00401182   . |E8 55010000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
00401187   . |B8 01000000   mov eax,0x1                              ; eax = 1 on the success path
0040118C   .^|E9 69FFFFFF   jmp DueList_.004010FA                    ; jumps back to 004010FA (target not shown in this listing)
00401191   > |68 00200000   push 0x2000                              ; /Style = MB_OK|MB_TASKMODAL
00401196   . |68 01204000   push DueList_.00402001                   ; |Duelist's Crackme #3
0040119B   . |68 68204000   push DueList_.00402068                   ; |Your registration info is invalid... Please support shareware authors by buying software!
004011A0   . |6A 00         push 0x0                                 ; |hOwner = NULL
004011A2   . |E8 35010000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
004011A7   . |B8 00000000   mov eax,0x0                              ; eax = 0 on the failure path


Decompile:

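	// Pseudo-code for the check at 00401117..0040116F. ButtonID mirrors the byte
	// table at 0x4020FE; the trailing 77 (0x4D) is the end marker, not a checkbox.
	int eax = 0;
	vector<int> ButtonID = {22, 73, 94, 21, 39, 38, 33, 37, 29, 89, 83, 55, 49, 72, 93, 12, 97, 82, 77};

	// esi is the table index. The marker itself is never tested, hence size() - 1.
	for(int esi = 0; esi < static_cast<int>(ButtonID.size()) - 1; esi++){
		// One-argument call is shorthand: the binary also pushes the dialog hWnd.
		if(!IsDlgButtonChecked(ButtonID[esi]))
			continue;
		// The binary increments esi before multiplying, so the factor here is
		// esi + 1 and the second operand is the entry that follows.
		eax += ButtonID[esi] * ButtonID[esi+1] * (esi + 1);
	}
	eax *= 0x4D;
//	print(eax);
	if(eax == 0xF35466)
		"Yes";	// stands for the "Congratulations!" message box
	else
		"No";	// stands for the "registration info is invalid" message box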

3、注册机

// s[j] is 1 while table entry j belongs to the subset currently being tried.
int s[18] = {};

// value[j] = ButtonID[j] * ButtonID[j+1] * (j+1): the amount the check adds to
// its running sum when the checkbox with ID ButtonID[j] is ticked.
int value[18] = {
	1606, 13724, 5922, 3276, 7410, 7524,
	8547, 8584, 23229, 73870, 50215, 32340,
	45864, 93744, 16740, 18624, 135218, 113652
};

// Checkbox IDs in the order the check walks them; the final 77 (0x4D) is the
// end-of-table marker and only serves as the "next entry" factor for ID 82.
vector<int> ButtonID = {
	22, 73, 94, 21, 39, 38, 33, 37, 29,
	89, 83, 55, 49, 72, 93, 12, 97, 82,
	77
};

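// Depth-first subset-sum search over value[]. n is the sum of the entries chosen
// so far and i is the first index still open for selection. Every subset that
// hits the target is printed as the ButtonIDs whose s[] flag is set.
void re(int n, int i){
	// The binary tests sum * 0x4D == 0xF35466. 0xF35466 is an exact multiple of
	// 0x4D, so the search compares the plain sum against the quotient instead.
	const int target = 0xF35466 / 0x4D;
	if(n > target)
		return;
	if(n == target){
		for(int j = 0; j < 18; j++){
			if(s[j])
				cout << ButtonID[j] << " ";
		}
		// End the line so that a further solution, if one exists, does not run
		// into this one.
		cout << "\n";
		// Every value[] entry is positive, so nothing can be added to a hit.
		return;
	}
	for( ; i < 18; i++){
		s[i] = 1;	// take entry i
		re(n + value[i], i+1);
		s[i] = 0;	// undo before trying the next candidate
	}
}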

// Entry point: start the search with an empty selection (sum 0) at table index 0.
int main(){
	const int empty_sum = 0;
	const int first_index = 0;
	re(empty_sum, first_index);
	return 0;
}

还原结果(已选择的ButtonID):






