先运行下,是Serial型的,在这里我们用账号aaaaaa 密码bbbbbb
文件载入OD,看起来是汇编写的:
00401016 aescul.<ModuleEntryPoi>push 0 ; /pModule = NULL
00401018 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
0040101D mov dword ptr ds:[404187],eax
00401022 push 0 ; /lParam = NULL
00401024 push aescul.00403184 ; |DlgProc = aescul.00403184
00401029 push 0 ; |hOwner = NULL
0040102B push 65 ; |pTemplate = 65
0040102D push dword ptr ds:[404187] ; |hInst = FFFFFFFF
00401033 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
由参数DlgProc=00403184来到窗口过程处。注意OD在004031A3处的分析已经错位(显示成db EB / and / add三行):按它显示出来的机器码EB 23、81 7D 0C 10 01 00 00解码,其实是jmp short 004031C8和cmp dword ptr [ebp+C],110(WM_INITDIALOG),紧接着的call 004032F1就是初始化时把窗口居中。0040319C处的jnz跳到004031A5(落在那条"and"中间)也印证了这一点。
这么多代码,其实东西很少,提取出来的信息就是:
[4041BA]=aaaaaa
[404B06]=sizeof("aaaaaa")
[4042BA]=bbbbbb
[404B0A]=sizeof("bbbbbb")
[4043BC]="76487-640-8834005-23751"(注册表读出的值;它前面4043BA处还有两个字节"WS",后面的代码都是从4043BA开始用的)
[4044BC]=strlen("WS76487-640-8834005-23751")+1(004032BC处的repne scasb是从4043BA开始数的,结果含结束符)
00403184 enter 0,0  ; dialog procedure: [ebp+8]=hWnd, [ebp+C]=uMsg, [ebp+10]=wParam (see 004031F1)
00403188 cmp dword ptr ss:[ebp+C],0F  ; 0F = WM_PAINT
0040318C jnz short aescul.00403195
0040318E call aescul.004031CE  ; BeginPaint/EndPaint only
00403193 jmp short aescul.004031C8
00403195 cmp dword ptr ss:[ebp+C],111  ; 111 = WM_COMMAND
0040319C jnz short aescul.004031A5  ; target lies INSIDE the "and" shown below -> OD's analysis is desynchronised from here
0040319E call aescul.004031F1  ; WM_COMMAND handler: reads both edit boxes, queries the registry, decrypts 403050
004031A3 db EB  ; EB 23 = jmp short 004031C8 (OD did not decode it)
004031A4 and eax,dword ptr ds:[ecx+1100C7D]  ; bytes at 004031A5: 81 7D 0C 10 01 00 00 = cmp dword ptr [ebp+C],110 (WM_INITDIALOG)
004031AA add byte ptr ds:[eax],al  ; the trailing 00 00 of that cmp immediate, not real code
004031AC jnz short aescul.004031B5
004031AE call aescul.004032F1  ; WM_INITDIALOG: centre the dialog on screen
004031B3 jmp short aescul.004031C8
004031B5 cmp dword ptr ss:[ebp+C],2  ; 2 = WM_DESTROY
004031B9 jnz short aescul.004031C2
004031BB call aescul.00403380  ; EndDialog
004031C0 jmp short aescul.004031C8
004031C2 xor eax,eax  ; unhandled message: return FALSE
004031C4 leave
004031C5 retn 10
004031C8 xor eax,eax  ; handled: returns FALSE as well
004031CA leave
004031CB retn 10
004031CE push aescul.0040407B ; /pPaintstruct = aescul.0040407B
004031D3 push [arg.1] ; |hWnd
004031D6 call <jmp.&USER32.BeginPaint> ; \BeginPaint
004031DB push aescul.0040407B ; /pPaintstruct = aescul.0040407B
004031E0 push [arg.1] ; |hWnd
004031E3 call <jmp.&USER32.EndPaint> ; \EndPaint
004031E8 mov eax,0
004031ED leave
004031EE retn 10
004031F1 cmp dword ptr ss:[ebp+10],1
004031F5 je short aescul.0040320A
004031F7 cmp dword ptr ss:[ebp+10],2
004031FB je aescul.00403380
00403201 mov eax,0
00403206 leave
00403207 retn 10
0040320A cmp dword ptr ds:[4044F6],1
00403211 je short aescul.00403224
00403213 mov esi,aescul.00404000
00403218 mov edi,esi
0040321A mov ecx,0B16
0040321F call aescul.00403465
00403224 push 40 ; /Count = 40 (64.)
00403226 push aescul.004041BA ; |Buffer = aescul.004041BA
0040322B push 3E8 ; |ControlID = 3E8 (1000.)
00403230 push dword ptr ss:[ebp+8] ; |hWnd
00403233 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
00403238 mov edi,aescul.004041BA
0040323D xor eax,eax
0040323F or ecx,FFFFFFFF
00403242 repne scas byte ptr es:[edi]
00403244 not ecx
00403246 sub edi,ecx
00403248 mov dword ptr ds:[404B06],ecx
0040324E cmp byte ptr ds:[4041BA],0
00403255 push 40 ; /Count = 40 (64.)
00403257 push aescul.004042BA ; |Buffer = aescul.004042BA
0040325C push 3E9 ; |ControlID = 3E9 (1001.)
00403261 push dword ptr ss:[ebp+8] ; |hWnd
00403264 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
00403269 mov edi,aescul.004042BA
0040326E xor eax,eax
00403270 or ecx,FFFFFFFF
00403273 repne scas byte ptr es:[edi]
00403275 not ecx
00403277 sub edi,ecx
00403279 mov dword ptr ds:[404B0A],ecx
0040327F cmp byte ptr ds:[4042BA],0
00403286 push aescul.00404B0E ; /pHandle = aescul.00404B0E
0040328B push 1 ; |Access = KEY_QUERY_VALUE
0040328D push 0 ; |Reserved = 0
0040328F push aescul.00404000 ; |Subkey = "矂檘"O?帟i揷H?f\:ト?"d:棦茘5F\歋cF?F??n炸
}墩?鮟H?r\ks?^?bl閝⑸?Z?憈柩?阬?c??B寜?M?z滮6?6???????????????????????????????????????????
?????????????????????????????????????????????????????????????????????
???????????????"...
00403294 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00403299 call <jmp.&ADVAPI32.RegOpenKeyExA> ; \RegOpenKeyExA
0040329E push aescul.00404B12 ; /pBufSize = aescul.00404B12
004032A3 push aescul.004043BC ; |Buffer = aescul.004043BC
004032A8 push 0 ; |pValueType = NULL
004032AA push 0 ; |Reserved = NULL
004032AC push aescul.00404033 ; |ValueName = "鮟H?r\ks?^?bl閝⑸?Z?憈柩?阬?c??B寜?
M?z滮6?6?????????????????????????????????????????????????????????????????
?????????????????????????????????????????????????????????????????????
?????????????????????????????????????????"...
004032B1 push dword ptr ds:[404B0E] ; |hKey = FFFFFFFF
004032B7 call <jmp.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
004032BC mov edi,aescul.004043BA
004032C1 xor eax,eax
004032C3 or ecx,FFFFFFFF
004032C6 repne scas byte ptr es:[edi]
004032C8 not ecx
004032CA sub edi,ecx
004032CC mov dword ptr ds:[4044BC],ecx
004032D2 cmp dword ptr ds:[4044FA],1
004032D9 je short aescul.004032EC
004032DB mov esi,aescul.00403050
004032E0 mov edi,esi
004032E2 mov ecx,134
004032E7 call aescul.0040347A
004032EC jmp aescul.00403380
004032F1 push 10 ; /Index = SM_CXFULLSCREEN
004032F3 call <jmp.&USER32.GetSystemMetrics> ; \GetSystemMetrics
004032F8 mov dword ptr ds:[40419F],eax
004032FD push 11 ; /Index = SM_CYFULLSCREEN
004032FF call <jmp.&USER32.GetSystemMetrics> ; \GetSystemMetrics
00403304 mov dword ptr ds:[40419B],eax
00403309 push aescul.0040406B ; /pRect = aescul.0040406B
0040330E push [arg.1] ; |hWnd
00403311 call <jmp.&USER32.GetWindowRect> ; \GetWindowRect
00403316 mov eax,dword ptr ds:[404077]
0040331B sub eax,dword ptr ds:[40406F]
00403321 mov dword ptr ds:[404193],eax
00403326 mov eax,dword ptr ds:[404073]
0040332B sub eax,dword ptr ds:[40406B]
00403331 mov dword ptr ds:[404197],eax
00403336 mov eax,dword ptr ds:[40419F]
0040333B sub eax,dword ptr ds:[404197]
00403341 shr eax,1
00403343 mov dword ptr ds:[40419F],eax
00403348 mov eax,dword ptr ds:[40419B]
0040334D sub eax,dword ptr ds:[404193]
00403353 shr eax,1
00403355 mov dword ptr ds:[40419B],eax
0040335A push 0 ; /Repaint = FALSE
0040335C push dword ptr ds:[404193] ; |Height = FFFFFFFF (-1.)
00403362 push dword ptr ds:[404197] ; |Width = FFFFFFFF (-1.)
00403368 push dword ptr ds:[40419B] ; |Y = FFFFFFFF (-1.)
0040336E push dword ptr ds:[40419F] ; |X = FFFFFFFF (-1.)
00403374 push [arg.1] ; |hWnd
00403377 call <jmp.&USER32.MoveWindow> ; \MoveWindow
0040337C leave
0040337D retn 10
00403380 push 0 ; /Result = 0
00403382 push [arg.1] ; |hWnd
00403385 call <jmp.&USER32.EndDialog> ; \EndDialog
0040338A mov eax,0
0040338F leave
00403390 retn 10
除了上面提取到的用户名密码存放的信息之外,还有一个很隐晦的非常重要的点在地址004032D2~004032EC处
004032D2 cmp dword ptr ds:[4044FA],1
004032D9 je short aescul.004032EC
004032DB mov esi,aescul.00403050
004032E0 mov edi,esi
004032E2 mov ecx,134
004032E7 call aescul.0040347A
004032EC jmp aescul.00403380
在这里先看了下[4044FA]是不是1(已经解过密的标志),是的话就直接跳到004032EC处的jmp,再jmp到00403380(EndDialog)。
否则
edi=esi=403050
ecx=0x134
然后call 0040347A,把403050起0x134字节的代码原地解密,还原出真正的比较代码。
注意:下面贴出的其实是00403465处的那个call——它是0040321A~0040321F处调用的另一个解密例程(esi=edi=404000,ecx=0xB16,以[4044F6]为标志),解的是数据区。这也是为什么OD在0040328F和004032AC处把注册表子键名和值名显示成乱码:那时这段数据还没解密。0040347A本文没有贴出来,推测与之是同一种rol/not变换,只是起始地址和长度不同,可以自己进去确认。(以下是00403465处的代码)
00403465 xor eax, eax  ; in: esi = edi = start of buffer, ecx = byte count; in-place decrypt
00403467 lods byte ptr [esi]  ; al = next encrypted byte (the loop re-enters at 00403465 as listed; harmless, al is reloaded here)
00403468 rol al, cl  ; rotate by the low byte of the remaining count -> each byte uses a different amount
0040346A not al  ; invert all bits
0040346C stos byte ptr es:[edi]  ; write back in place (edi == esi on entry; 404000 for the call at 0040321F)
0040346D loopd short 00403465  ; ecx--, repeat while ecx != 0
0040346F mov dword ptr [4044F6], 1  ; flag "already decrypted", checked at 0040320A so this runs once
00403479 retn
如果你在403050附近下断会发现,虽然刚才jmp到了EndDialog(结束对话框的地方),程序却还是会绕回403050断下来。这是因为EndDialog只是结束对话框,DialogBoxParamA随即返回到00401038,入口处紧接着的代码(本文没有贴出)应该就是从那里转到解密后的00403038去的——可以在00401038下断确认。
现在来到解密后的代码处分析:
00403038 xor eax,eax  ; eax = 0, used as fs:[0] below
0040303A push aescul.00403393  ; SEH handler address (handler not shown in this write-up)
0040303F push dword ptr fs:[eax]  ; previous EXCEPTION_REGISTRATION
00403042 mov dword ptr fs:[eax],esp  ; install the new SEH frame; removed again at 004030FD/00403100
00403045 pushfd  ; save EFLAGS; restored by the popfd at 004030FA
00403046 pushfd
00403047 pop eax  ; eax = EFLAGS
00403048 or eax,100  ; bit 8 = TF (trap flag)
0040304D push eax
0040304E popfd  ; TF set -> the CPU raises a single-step exception after the next instruction; presumably caught by 00403393 (anti-debug trick, confirm by breaking on the handler)
0040304F nop
00403050 xor esi,esi  ; esi = index into the "WS"+ProductId string
00403052 xor edi,edi
00403054 xor edx,edx
00403056 mov ebp,dword ptr ds:[404B12]  ; byte count returned by RegQueryValueExA (pBufSize at 0040329E), 0x18 on this machine
0040305C mov edi,aescul.00404502  ; output pointer: generated serial is written here
00403061 /push ebp  ; loop: one input byte -> two output characters
00403062 |push edi
00403063 |push esi
00403064 |mov ebp,aescul.004044C0 ; ASCII "0I5LZ7G123RXCV9OPAS6TBN48YUHJKDF0QWEM"  ; lookup table (37 chars, see [4044E6])
00403069 |mov ebx,aescul.004043BA ; ASCII "WS76487-640-8834005-23751"  ; "WS" + registry value
0040306E |mov al,byte ptr ds:[ebx+esi]  ; only al is loaded; stale upper bits of eax are masked off below
00403071 |sar eax,4
00403074 |and eax,0F  ; eax = high nibble of the byte
00403077 |call aescul.0040313B  ; al = table char whose low nibble equals eax
0040307C |mov byte ptr ds:[edi],al
0040307E |mov cl,byte ptr ds:[ebx+esi]
00403081 |and ecx,0F  ; ecx = low nibble of the same byte
00403084 |mov eax,ecx
00403086 |call aescul.0040313B
0040308B |mov byte ptr ds:[edi+1],al
0040308E |pop esi
0040308F |pop edi
00403090 |pop ebp
00403091 |inc esi  ; next input byte
00403092 |add edi,2  ; two chars written per iteration
00403095 |cmp ebp,esi
00403097 \jnz short aescul.00403061  ; runs [404B12] times -> 2*[404B12] chars at 404502
00403099 xor esi,esi  ; compare typed serial (4042BA) with generated one, 4 dwords = 16 bytes only
0040309B mov eax,dword ptr ds:[esi+4042BA]
004030A1 mov ebx,dword ptr ds:[esi+404502]
004030A7 cmp eax,ebx
004030A9 jnz short aescul.004030F0
004030AB add esi,4
004030AE mov eax,dword ptr ds:[esi+4042BA]
004030B4 mov ebx,dword ptr ds:[esi+404502]
004030BA cmp eax,ebx
004030BC jnz short aescul.004030F0
004030BE add esi,4
004030C1 mov eax,dword ptr ds:[esi+4042BA]
004030C7 mov ebx,dword ptr ds:[esi+404502]
004030CD cmp eax,ebx
004030CF jnz short aescul.004030F0
004030D1 add esi,4
004030D4 mov eax,dword ptr ds:[esi+4042BA]
004030DA mov ebx,dword ptr ds:[esi+404502]
004030E0 cmp eax,ebx
004030E2 jnz short aescul.004030F0
004030E4 mov dword ptr ds:[4044F2],1  ; all 16 bytes matched
004030EE jmp short aescul.004030FA
004030F0 mov dword ptr ds:[4044F2],0  ; mismatch
004030FA popfd  ; restore EFLAGS saved at 00403045 (clears TF)
004030FB xor eax,eax
004030FD pop dword ptr fs:[eax]  ; unregister the SEH frame
00403100 add esp,4  ; discard the pushed handler address
00403103 cmp dword ptr ds:[4044F2],1
0040310A jnz short aescul.00403121
0040310C push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040310E push aescul.0040403D ; |Title = "Congratulations..."
00403113 push aescul.004041AB ; |Text = "Registered to: aaaaaa"
00403118 push 0 ; |hOwner = NULL
0040311A call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040311F jmp short aescul.00403134
00403121 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00403123 push aescul.00404050 ; |Title = "Error"
00403128 push aescul.00404056 ; |Text = "Wrong Serial Number!"
0040312D push 0 ; |hOwner = NULL
0040312F call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00403134 push 0 ; /ExitCode = 0
00403136 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
这么一大段代码,我们不要盲目地跟,得找出哪里产生了序列号(或者哪里产生了序列号所需的一部分)
多走几次403061~403097处的代码可以发现40307C和40308B处的代码使得从404502开始的地方产生了一个字符串。
现在我们就不用像盲头苍蝇一样撞了。。。
然后就重新开始分析吧:
这四句是标准的SEH注册:把异常处理函数地址00403393和原来的fs:[0]压栈,再把esp写进fs:[0];004030FA~00403100处又把这个帧卸掉。处理函数本身本文没有贴出。
00403038 xor eax,eax
0040303A push aescul.00403393
0040303F push dword ptr fs:[eax]
00403042 mov dword ptr fs:[eax],esp
把EFLAGS与0x100做或操作——0x100正是TF(单步陷阱)位。popfd之后执行完下一条指令CPU就会产生单步异常,由刚注册的00403393接管(推测是借此反调试或转移控制流)。在OD里单步走到这里时,单步异常会被调试器自己吞掉,处理函数可能根本不执行;要在00403393下断,或把这类异常设成交给程序处理再观察。
00403045 pushfd
00403046 pushfd
00403047 pop eax
00403048 or eax,100
0040304D push eax
0040304E popfd
0040304F nop
略,不讲。
00403050 xor esi,esi
00403052 xor edi,edi
00403054 xor edx,edx
我输入了几次其他的用户名和密码,发现ds:[404B12]的值一直是0x18(24)。在这个地址下硬件写断点,第二次断下来时是在RegQueryValueExA里面——它正是0040329E处传进去的pBufSize,函数返回后里面是读出来的值数据长度(含结束符),数一下查出来的字符串也正好是0x18。换一台机器ProductId长度不同时这个值也会跟着变。
而下句代码的00404502指向一片空区域。
00403056 mov ebp,dword ptr ds:[404B12]
0040305C mov edi,aescul.00404502
--------------------------------------------------这是一个jnz循环---------------------------------------------------
略过
00403061 /push ebp
00403062 |push edi
00403063 |push esi
ebp和ebx分别指向两个字符串,第一个没见过的,第二个是程序从注册表查出来的(还加了WS)
由于太多地址了,不方便看也不方便我写。。所以稍后就称ebp为“字符表”,ebx为“注册表”吧
00403064 |mov ebp,aescul.004044C0 ; ASCII "0I5LZ7G123RXCV9OPAS6TBN48YUHJKDF0QWEM"
00403069 |mov ebx,aescul.004043BA ; ASCII "WS76487-640-8834005-23751"
用esi(初始值为0)作索引从“注册表”串取一个字节,sar 4再and 0F得到的就是这个字节的高4位(eax里残留的高位被and掉了),然后交给0040313B换成“字符表”里的一个字符(该call下文再分析)。
0040306E |mov al,byte ptr ds:[ebx+esi]
00403071 |sar eax,4
00403074 |and eax,0F
00403077 |call aescul.0040313B
0040307C |mov byte ptr ds:[edi],al
同上
0040307E |mov cl,byte ptr ds:[ebx+esi]
00403081 |and ecx,0F
00403084 |mov eax,ecx
00403086 |call aescul.0040313B
0040308B |mov byte ptr ds:[edi+1],al
esi指向下一个字节,edi加2,因为上面的0040307C和0040308B在一次循环里往edi指向的404502缓冲区写了两个字符——edi是输出指针,不是长度;循环次数由ebp=[404B12]决定,所以生成的串长度是它的两倍。
0040308E |pop esi
0040308F |pop edi
00403090 |pop ebp
00403091 |inc esi
00403092 |add edi,2
00403095 |cmp ebp,esi
00403097 \jnz short aescul.00403061
--------------------------------------------------这是一个jnz循环---------------------------------------------------
现在回过头来仔细看看00403077和00403086处的call(是同一个)到底干了什么吧(以下是该call代码):
ds:[4044EE]和ds:[4044EA]初始值都是00,ds:[4044E6]初始值是0x25(37)——数一下OD显示的字符表"0I5LZ7G123RXCV9OPAS6TBN48YUHJKDF0QWEM"正好是37个字符,也就是字符表的长度(我不相信巧合。。。)
还有一点值得注意的是这个ecx在这个call里面永远不会变成其他的什么数,而只是用来比较。
这里有这么多跳转,但是很明显的是构成一个循环的结构是地址00403153~00403170
0040313B mov dword ptr ds:[4044EE],esi  ; in: eax = nibble 0..F, ebp = table; out: al = table char; esi preserved via this global, edx/ecx clobbered
00403141 mov edx,dword ptr ds:[4044EA]  ; search position left by the previous call (stateful across calls)
00403147 mov ecx,dword ptr ds:[4044E6]  ; table length, 0x25
0040314D cmp edx,ecx
0040314F jb short aescul.00403153  ; unsigned: position still inside the table
00403151 xor edx,edx  ; otherwise wrap to the start
00403153 /movsx esi,byte ptr ss:[ebp+edx]  ; esi = table[edx], sign-extended
00403158 |and esi,8000000F  ; low nibble plus sign bit
0040315E |jns short aescul.00403165
00403160 |dec esi  ; signed "% 16" fix-up; table chars are ASCII so this branch is not taken
00403161 |or esi,FFFFFFF0
00403164 |inc esi
00403165 |cmp esi,eax  ; does this char's low nibble equal the requested nibble?
00403167 |je short aescul.00403172
00403169 |inc edx
0040316A |cmp edx,ecx
0040316C |jl short aescul.00403153  ; signed compare against the length
0040316E |xor edx,edx  ; wrap around and keep searching (terminates: every value 0..F occurs as a low nibble in the displayed table)
00403170 \jmp short aescul.00403153
00403172 mov dword ptr ds:[4044EA],edx  ; remember where the match was for the next call
00403178 mov esi,dword ptr ds:[4044EE]  ; restore caller's esi
0040317E movsx eax,byte ptr ds:[edx+ebp]  ; return the matching table char
00403182 inc edx  ; no effect: edx was already saved above and is not used by the caller
00403183 retn
这里是第一个跳转附近,在这里判断了edx小于ecx的话就直接跳转到循环的第一条指令处,否则就edx清0再到那里去
0040313B mov dword ptr ds:[4044EE],esi
00403141 mov edx,dword ptr ds:[4044EA]
00403147 mov ecx,dword ptr ds:[4044E6]
0040314D cmp edx,ecx
0040314F jb short aescul.00403153
00403151 xor edx,edx
00403153 /movsx esi,byte ptr ss:[ebp+edx]
先用edx查表ebp,得到的数放在esi,然后对esi进行and操作,若esi是负数还要进行以下操作
dec esi
or esi,FFFFFFF0
inc esi
00403153 /movsx esi,byte ptr ss:[ebp+edx]
00403158 |and esi,8000000F
0040315E |jns short aescul.00403165
00403160 |dec esi
00403161 |or esi,FFFFFFF0
00403164 |inc esi
如果此时的esi和eax已经相等(eax是从call的外部得出的),则跳出循环,否则edx++
00403165 |> \3BF0 |cmp esi,eax
00403167 |. 74 09 |je short aescul.00403172
00403169 |. 42 |inc edx
再比较edx和ecx(恒为0x25),小于则跳回循环的第一句,否则就先清0再跳回,这一点跟第一个跳转jb是一致的。
0040316A |cmp edx,ecx
0040316C |jl short aescul.00403153
0040316E |xor edx,edx
00403170 \jmp short aescul.00403153
把edx放到4044EA,下一次进入这个call的时候还要取出来再用的,然后第二句我们发现在这个call的开头有一句跟这个刚好相反的。就是说在这个call中的循环
我们要用到esi的值,但是又不能让他的值改变(以免影响call外面的代码执行),所以就这样处理了。然后用edx在ebp中查表得到的值给eax(remember?,我说
过这个call是用来计算al/eax的值的)。然后edx自增1,不过似乎没什么用,因为在这之前已经将edx保存起来了,然后下一次进call的时候要用的edx的值也是
用保存起来的那个。
00403172 mov dword ptr ds:[4044EA],edx
00403178 mov esi,dword ptr ds:[4044EE]
0040317E movsx eax,byte ptr ds:[edx+ebp]
00403182 inc edx
00403183 retn
好吧,接下来终于要用到我们的账号和密码了,再把之前收集到的账号密码存放信息贴一遍吧:
[4041BA]=aaaaaa
[404B06]=sizeof("aaaaaa")
[4042BA]=bbbbbb
[404B0A]=sizeof("bbbbbb")
[4043BC]="76487-640-8834005-23751"
[4044BC]=sizeof("76487-640-8834005-23751")
00403099 xor esi,esi
0040309B mov eax,dword ptr ds:[esi+4042BA]
004030A1 mov ebx,dword ptr ds:[esi+404502]
004030A7 cmp eax,ebx
004030A9 jnz short aescul.004030F0
004030AB add esi,4
004030AE mov eax,dword ptr ds:[esi+4042BA]
004030B4 mov ebx,dword ptr ds:[esi+404502]
004030BA cmp eax,ebx
004030BC jnz short aescul.004030F0
004030BE add esi,4
004030C1 mov eax,dword ptr ds:[esi+4042BA]
004030C7 mov ebx,dword ptr ds:[esi+404502]
004030CD cmp eax,ebx
004030CF jnz short aescul.004030F0
004030D1 add esi,4
004030D4 mov eax,dword ptr ds:[esi+4042BA]
004030DA mov ebx,dword ptr ds:[esi+404502]
004030E0 cmp eax,ebx
004030E2 jnz short aescul.004030F0
004030E4 mov dword ptr ds:[4044F2],1
004030EE jmp short aescul.004030FA
004030F0 mov dword ptr ds:[4044F2],0
004030FA popfd
004030FB xor eax,eax
004030FD pop dword ptr fs:[eax]
00403100 add esp,4
00403103 cmp dword ptr ds:[4044F2],1
0040310A jnz short aescul.00403121
0040310C push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040310E push aescul.0040403D ; |Title = "Congratulations..."
00403113 push aescul.004041AB ; |Text = "Registered to: aaaaaa"
00403118 push 0 ; |hOwner = NULL
0040311A call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040311F jmp short aescul.00403134
00403121 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00403123 push aescul.00404050 ; |Title = "Error"
00403128 push aescul.00404056 ; |Text = "Wrong Serial Number!"
0040312D push 0 ; |hOwner = NULL
0040312F call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00403134 push 0 ; /ExitCode = 0
00403136 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
下面一段一段的说。这里各自从输入的密码(4042BA)和刚才生成的序列号串(404502,不是字符表)取出4个字节放到eax和ebx比较一下,不相等则跳转。总共只比了4个dword,也就是说只有生成串的前16个字节参与比较。
00403099 xor esi,esi
0040309B mov eax,dword ptr ds:[esi+4042BA]
004030A1 mov ebx,dword ptr ds:[esi+404502]
004030A7 cmp eax,ebx
004030A9 jnz short aescul.004030F0
esi自增4(因为是以4个字符为单位查表的)
然后的操作就同上了,都是拿出4个字符来比较,不等则跳
004030AB add esi,4
004030AE mov eax,dword ptr ds:[esi+4042BA]
004030B4 mov ebx,dword ptr ds:[esi+404502]
004030BA cmp eax,ebx
004030BC jnz short aescul.004030F0
004030BE add esi,4
004030C1 mov eax,dword ptr ds:[esi+4042BA]
004030C7 mov ebx,dword ptr ds:[esi+404502]
004030CD cmp eax,ebx
004030CF jnz short aescul.004030F0
004030D1 add esi,4
004030D4 mov eax,dword ptr ds:[esi+4042BA]
004030DA mov ebx,dword ptr ds:[esi+404502]
004030E0 cmp eax,ebx
004030E2 jnz short aescul.004030F0
如果刚才的4次比较都吻合了,则赋值ds:[4044F2]为1,否则为0。后面的四句:popfd恢复00403045处保存的EFLAGS(顺带把TF清掉),pop fs:[0]和add esp,4则是把开头注册的SEH帧卸掉。
然后比较了一下[4044F2],如果为1则密码正确。
004030E4 mov dword ptr ds:[4044F2],1
004030EE jmp short aescul.004030FA
004030F0 mov dword ptr ds:[4044F2],0
004030FA popfd
004030FB xor eax,eax
004030FD pop dword ptr fs:[eax]
00403100 add esp,4
00403103 cmp dword ptr ds:[4044F2],1
0040310A jnz short aescul.00403121
0040310C push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040310E push aescul.0040403D ; |Title = "Congratulations..."
00403113 push aescul.004041AB ; |Text = "Registered to: aaaaaa"
00403118 push 0 ; |hOwner = NULL
0040311A call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040311F jmp short aescul.00403134
00403121 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00403123 push aescul.00404050 ; |Title = "Error"
00403128 push aescul.00404056 ; |Text = "Wrong Serial Number!"
0040312D push 0 ; |hOwner = NULL
0040312F call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00403134 push 0 ; /ExitCode = 0
00403136 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
最后总结一句:这个CrackMe其实就是个傻B CrackMe!!!!搞的我跟这么久原来就是个
if 密码="xxxxx"这样的东西!!!!!!!!!
不信的将密码改成57U33W3VST3XCW2M就过了。。。
其实这篇破文写得还算烂了,因为404502处的字符串不是每台机都一样,它是从注册表读出的ProductId换算来的,上面的57U33W3VST3XCW2M只对我这台机器有效。换算本身从代码就能看出来:程序把"WS"+ProductId的每个字节拆成高、低两个半字节,每个半字节都用0040313B在字符表"0I5LZ7G123RXCV9OPAS6TBN48YUHJKDF0QWEM"里从上次命中的位置起循环找低4位与之相等的第一个字符,两个字符依次写入404502;最后只比较前16个字节,所以序列号就是生成串的前16个字符。当时忘了把这一步写出来。
很久之前的文章了,从旧博客翻出来放到这里,就不计较这个了。