首先用PEID检测一下
有壳:wwPack32,经典壳。现在接触的带壳程序不多,上次直接用脱壳软件搞定,这次跟着教程手动脱了一下
首先单步调试找到跨段跳转
跳入之后下断点(一般跳入之后就是程序开始的地方),但里面没有反汇编代码,看着比较难受。
首先脱壳
脱壳之后打不开,我看有的题解上脱壳后是可以打开的……
利用PEID查看什么程序编写
利用dede反编译没有什么成果,直接利用IDR分析Delphi
;-----------------------------------------------------------------------
; Unit1::TForm1.Button1Click   (IDR disassembly, 32-bit x86, Delphi)
; On entry eax = Self (the TForm1 instance); it is kept in ebx for the
; whole handler, which is why every control is read as [ebx+offset].
;
; Behaviour as recovered from the listing:
;   x   := StrToInt(Edit2.Text)          -> esi
;   acc := StrToInt64(Edit2.Text)        -> edx:eax
;   acc := x + acc ; acc := x + acc      -> 3*x, 64-bit arithmetic
;   Edit3.Text := IntToHex(acc, 6)
;   if Edit3.Text = Label1.Text then Label2.Visible := True
;                               else Label6.Top := Label6.Top - 10
;   if Label6.Top < 50 then Close
;
; Locals [ebp-4], [ebp-8], [ebp-0C], [ebp-10] are string temporaries,
; zero-initialised in the prologue and released by the finally block.
;-----------------------------------------------------------------------
Unit1::TForm1.Button1Click
0044A2E8 push ebp
0044A2E9 mov ebp,esp
0044A2EB xor ecx,ecx
0044A2ED push ecx                       ; [ebp-4]  := nil
0044A2EE push ecx                       ; [ebp-8]  := nil
0044A2EF push ecx                       ; [ebp-0C] := nil
0044A2F0 push ecx                       ; [ebp-10] := nil
0044A2F1 push ebx
0044A2F2 push esi
0044A2F3 mov ebx,eax                    ; ebx = Self
0044A2F5 xor eax,eax
; try/finally frame: handler address 0044A3E4 (jmp @HandleFinally below),
; previous fs:[0] saved on the stack, fs:[0] := esp
0044A2F7 push ebp
0044A2F8 push 44A3E4
0044A2FD push dword ptr fs:[eax]
0044A300 mov dword ptr fs:[eax],esp
; --- read Edit2 ---
0044A303 lea edx,[ebp-4]                ; result string -> [ebp-4]
0044A306 mov eax,dword ptr [ebx+2C8]; TForm1.Edit2:TEdit
0044A30C call TControl.GetText
0044A311 mov eax,dword ptr [ebp-4]
0044A314 call StrToInt                  ; esi = x (32-bit)
0044A319 mov esi,eax
0044A31B mov eax,dword ptr [ebp-4]
0044A31E call StrToInt64                ; edx:eax = x (64-bit, same string)
; --- acc := x + acc  (x sign-extended by cdq, 64-bit add/adc) -> 2*x ---
0044A323 push edx
0044A324 push eax
0044A325 mov eax,esi
0044A327 cdq
0044A328 add eax,dword ptr [esp]
0044A32B adc edx,dword ptr [esp+4]
0044A32F add esp,8
; --- acc := x + acc -> 3*x ---
0044A332 push edx
0044A333 push eax
0044A334 mov eax,esi
0044A336 cdq
0044A337 add eax,dword ptr [esp]
0044A33A adc edx,dword ptr [esp+4]
0044A33E add esp,8
; --- Edit3.Text := IntToHex(acc, 6): Int64 value on the stack,
;     eax = Digits (6), edx -> result string [ebp-8] ---
0044A341 push edx
0044A342 push eax
0044A343 lea edx,[ebp-8]
0044A346 mov eax,6
0044A34B call IntToHex
0044A350 mov edx,dword ptr [ebp-8]
0044A353 mov eax,dword ptr [ebx+2CC]; TForm1.Edit3:TEdit
0044A359 call TControl.SetText
; --- compare Edit3.Text with Label1.Text ---
0044A35E lea edx,[ebp-0C]
0044A361 mov eax,dword ptr [ebx+2CC]; TForm1.Edit3:TEdit
0044A367 call TControl.GetText
0044A36C mov eax,dword ptr [ebp-0C]
0044A36F push eax                       ; keep Edit3.Text across the next call
0044A370 lea edx,[ebp-10]
0044A373 mov eax,dword ptr [ebx+2F0]; TForm1.Label1:TLabel
0044A379 call TControl.GetText
0044A37E mov edx,dword ptr [ebp-10]
0044A381 pop eax
0044A382 call @LStrCmp                  ; eax = Edit3.Text, edx = Label1.Text
>0044A387 jne 0044A398                  ; mismatch -> move Label6 up
0044A389 mov dl,1                       ; Label2.Visible := True
0044A38B mov eax,dword ptr [ebx+2FC]; TForm1.Label2:TLabel
0044A391 call TControl.SetVisible
>0044A396 jmp 0044A3A9
0044A398 mov eax,dword ptr [ebx+2D4]; TForm1.Label6:TLabel
0044A39E mov edx,dword ptr [eax+34]; TLabel.Top:Integer
0044A3A1 sub edx,0A                     ; Label6.Top := Label6.Top - 10
0044A3A4 call TControl.SetTop
; --- if Label6.Top < 50 (0x32, signed compare) then Close ---
0044A3A9 mov eax,dword ptr [ebx+2D4]; TForm1.Label6:TLabel
0044A3AF cmp dword ptr [eax+34],32; TLabel.Top:Integer
>0044A3B3 jge 0044A3BC
0044A3B5 mov eax,ebx
0044A3B7 call TCustomForm.Close
; --- finally: unlink the exception frame, then free the four string
;     temporaries (two at [ebp-10], two at [ebp-8]); the ret at 0044A3E3
;     transfers to the address pushed at 0044A3C4 (0044A3EB) ---
0044A3BC xor eax,eax
0044A3BE pop edx                        ; saved fs:[0]
0044A3BF pop ecx                        ; discard handler address
0044A3C0 pop ecx                        ; discard saved ebp
0044A3C1 mov dword ptr fs:[eax],edx     ; fs:[0] := saved chain head
0044A3C4 push 44A3EB
0044A3C9 lea eax,[ebp-10]
0044A3CC mov edx,2                      ; clear 2 strings: [ebp-10], [ebp-0C]
0044A3D1 call @LStrArrayClr
0044A3D6 lea eax,[ebp-8]
0044A3D9 mov edx,2                      ; clear 2 strings: [ebp-8], [ebp-4]
0044A3DE call @LStrArrayClr
0044A3E3 ret
; exception path: run the finally code, then resume at the cleanup above
<0044A3E4 jmp @HandleFinally
<0044A3E9 jmp 0044A3C9
0044A3EB pop esi
0044A3EC pop ebx
0044A3ED mov esp,ebp
0044A3EF pop ebp
0044A3F0 ret
分析算法
; OllyDbg listing of the same handler, from the first TControl.GetText call
; to the string compare (prologue and finally block lie outside this
; excerpt). The author's comments trace Edit2 = 0x7B:
;   0x7B + 0x7B = 0xF6, then 0x7B + 0xF6 = 0x171 = 3 * 0x7B,
; confirming that Edit3 receives IntToHex(3 * input).
0044A30C |. E8 FBA0FDFF CALL 3.0042440C ; name string (TControl.GetText per IDR)
0044A311 |. 8B45 FC MOV EAX,[LOCAL.1]
0044A314 |. E8 EFD6FBFF CALL 3.00407A08 ; strtoint
0044A319 |. 8BF0 MOV ESI,EAX            ; esi = input as 32-bit int
0044A31B |. 8B45 FC MOV EAX,[LOCAL.1]
0044A31E |. E8 5DD7FBFF CALL 3.00407A80  ; StrToInt64 per IDR: edx:eax = input
0044A323 |. 52 PUSH EDX
0044A324 |. 50 PUSH EAX
0044A325 |. 8BC6 MOV EAX,ESI
0044A327 |. 99 CDQ                      ; sign-extend esi to edx:eax
0044A328 |. 030424 ADD EAX,DWORD PTR SS:[ESP] ; 0x7b + 0x7b
0044A32B |. 135424 04 ADC EDX,DWORD PTR SS:[ESP+4]
0044A32F |. 83C4 08 ADD ESP,8
0044A332 |. 52 PUSH EDX
0044A333 |. 50 PUSH EAX
0044A334 |. 8BC6 MOV EAX,ESI
0044A336 |. 99 CDQ
0044A337 |. 030424 ADD EAX,DWORD PTR SS:[ESP] ; 0x7b + 0xf6 -> 0x171 = 3 * 0x7b
0044A33A |. 135424 04 ADC EDX,DWORD PTR SS:[ESP+4]
0044A33E |. 83C4 08 ADD ESP,8
0044A341 |. 52 PUSH EDX ; /Arg2          (high dword of the Int64 value)
0044A342 |. 50 PUSH EAX ; |Arg1          (low dword of the Int64 value)
0044A343 |. 8D55 F8 LEA EDX,[LOCAL.2] ; | result string
0044A346 |. B8 06000000 MOV EAX,6 ; |    Digits = 6
0044A34B |. E8 78D6FBFF CALL 3.004079C8 ; \int to hex
0044A350 |. 8B55 F8 MOV EDX,[LOCAL.2]
0044A353 |. 8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]  ; Edit3 per IDR
0044A359 |. E8 DEA0FDFF CALL 3.0042443C  ; TControl.SetText per IDR
0044A35E |. 8D55 F4 LEA EDX,[LOCAL.3]
0044A361 |. 8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]
0044A367 |. E8 A0A0FDFF CALL 3.0042440C  ; Edit3.Text -> LOCAL.3
0044A36C |. 8B45 F4 MOV EAX,[LOCAL.3]
0044A36F |. 50 PUSH EAX
0044A370 |. 8D55 F0 LEA EDX,[LOCAL.4]
0044A373 |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]  ; Label1 per IDR
0044A379 |. E8 8EA0FDFF CALL 3.0042440C  ; Label1.Text -> LOCAL.4
0044A37E |. 8B55 F0 MOV EDX,[LOCAL.4]
0044A381 |. 58 POP EAX
0044A382 >|. E8 6198FBFF CALL 3.00403BE8 ; strcmp (@LStrCmp: Edit3.Text vs Label1.Text)
写出注册机
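# Keygen for TForm1.Button1Click: the handler turns Edit2 into an integer x,
# computes 3*x in 64-bit arithmetic, formats it with IntToHex and compares the
# text with Label1.  Inverting it is an integer division of Label1's hex value
# by 3.
s = '0x3e74984b'  # Label1's hex text as recovered in the writeup


def keygen(target_hex):
    """Return the Edit2 value whose tripled value IntToHex prints as target_hex.

    target_hex: hex string; the '0x' prefix is optional for int(..., 16).
    Returns the integer quotient.  It reproduces the label exactly only when
    the value is a multiple of 3 (0x3e74984b is); otherwise no integer input
    matches and the quotient is merely the nearest candidate.
    """
    return int(target_hex, 16) // 3


# '//' keeps the integer result the original Python 2 '/' produced; under
# Python 3 '/' would print a float, and the function form of print works on
# both interpreters.
print(keygen(s))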