追码CM破解笔记

原帖地址:http://www.xuepojie.com/thread-25295-1-1.html

CM下载:http://www.vdisk.cn/down/index/19539563

因为最近在研究算法,所以玩了一下群里朋友发的一个追码CM。其实这个也不算追码吧,更像是追出密码的感觉:每台电脑的注册码都不一样的才叫追码。好吧,还是不扯这些了,不管它是不是追码,只要能破解出来就好了。

 

这个CM输入错误时没有任何提示,所以不能下 message box 断点。

 

不过知道它是易语言写的,我们直接在 FF55fc5f5e 这个特征码上下断就能找到关键位置了。

 

 

; --- 追码CM.exe, OllyDbg listing (32-bit, Intel syntax) ---
; Button handler in the main executable. Every runtime call on this page has
; the same shape: arguments pushed, ebx = routine descriptor, call
; 追码CM.00401526, then the caller pops the arguments with add esp. The
; results are handles kept in locals; 追码CM.00401520 is called on each
; non-null handle once it is no longer needed (presumably the runtime's
; release routine - TODO confirm). [local.N] is OllyDbg's name for [ebp-4*N].
004010CB /. 55 push ebp

004010CC |. 8BEC mov ebp,esp

004010CE |. 81EC 14000000 sub esp,0x14 ; 0x14 = 20 bytes of locals

; push 0x0 before a call is consistent with "zero arguments" in the
; (arguments..., count) convention seen on the later calls - TODO confirm.
004010D4 |. 68 00000000 push 0x0

004010D9 |. BB B0164000 mov ebx,追码CM.004016B0 ; ebx selects the runtime routine

004010DE |. E8 43040000 call 追码CM.00401526

004010E3 |. 83C4 04 add esp,0x4

004010E6 |. 8945 FC mov [local.1],eax ; local.1 = first result

004010E9 |. 68 00000000 push 0x0

004010EE |. BB D0164000 mov ebx,追码CM.004016D0

004010F3 |. E8 2E040000 call 追码CM.00401526

004010F8 |. 83C4 04 add esp,0x4

004010FB |. 8945 F8 mov [local.2],eax ; local.2 = second result

; Three operands (local.1, the constant at 0047D5D0, local.2) with ecx = 3 go
; to 0040106F and the result lands in local.3. Looks like a 3-piece string
; join with ecx = piece count - TODO confirm.
004010FE |. FF75 F8 push [local.2]

00401101 |. 68 D0D54700 push 追码CM.0047D5D0

00401106 |. FF75 FC push [local.1]

00401109 |. B9 03000000 mov ecx,0x3

0040110E |. E8 5CFFFFFF call 追码CM.0040106F

00401113 |. 83C4 0C add esp,0xC

00401116 |. 8945 F4 mov [local.3],eax

; Release the two temporaries when non-null.
00401119 |. 8B5D FC mov ebx,[local.1]

0040111C |. 85DB test ebx,ebx

0040111E |. 74 09 je short 追码CM.00401129

00401120 |. 53 push ebx

00401121 |. E8 FA030000 call 追码CM.00401520

00401126 |. 83C4 04 add esp,0x4

00401129 |> 8B5D F8 mov ebx,[local.2]

0040112C |. 85DB test ebx,ebx

0040112E |. 74 09 je short 追码CM.00401139

00401130 |. 53 push ebx

00401131 |. E8 EA030000 call 追码CM.00401520

00401136 |. 83C4 04 add esp,0x4

; Store local.3 in the global at 0x6CD580, releasing whatever the global held
; before; eax is parked on the stack across the release call.
00401139 |> 8B45 F4 mov eax,[local.3]

0040113C |. 50 push eax

0040113D |. 8B1D 80D56C00 mov ebx,dword ptr ds:[0x6CD580]

00401143 |. 85DB test ebx,ebx

00401145 |. 74 09 je short 追码CM.00401150

00401147 |. 53 push ebx

00401148 |. E8 D3030000 call 追码CM.00401520

0040114D |. 83C4 04 add esp,0x4

00401150 |> 58 pop eax ; 追码CM.006D96B0

00401151 |. A3 80D56C00 mov dword ptr ds:[0x6CD580],eax

; Argument shape used by the 4-push calls on this page: one (type tag, 0,
; value) triple per argument followed by the argument count - here
; (0xA0000101, 0, 0047D5D2) and count 1; add esp,0x10 pops all four.
00401156 |. 68 010100A0 push 0xA0000101

0040115B |. 6A 00 push 0x0

0040115D |. 68 D2D54700 push 追码CM.0047D5D2

00401162 |. 68 01000000 push 0x1

00401167 |. BB B0174000 mov ebx,追码CM.004017B0

0040116C |. E8 B5030000 call 追码CM.00401526

00401171 |. 83C4 10 add esp,0x10

00401174 |. 8945 FC mov [local.1],eax

00401177 |. 68 010100A0 push 0xA0000101

0040117C |. 6A 00 push 0x0

0040117E |. 68 E4D54700 push 追码CM.0047D5E4

00401183 |. 68 01000000 push 0x1

00401188 |. BB B0174000 mov ebx,追码CM.004017B0

0040118D |. E8 94030000 call 追码CM.00401526

00401192 |. 83C4 10 add esp,0x10

00401195 |. 8945 F8 mov [local.2],eax

; Same join routine as at 0040110E, now with two pieces (ecx = 2).
00401198 |. FF75 F8 push [local.2]

0040119B |. FF75 FC push [local.1]

0040119E |. B9 02000000 mov ecx,0x2

004011A3 |. E8 C7FEFFFF call 追码CM.0040106F

004011A8 |. 83C4 08 add esp,0x8

004011AB |. 8945 F4 mov [local.3],eax

004011AE |. 8B5D FC mov ebx,[local.1]

004011B1 |. 85DB test ebx,ebx

004011B3 |. 74 09 je short 追码CM.004011BE

004011B5 |. 53 push ebx

004011B6 |. E8 65030000 call 追码CM.00401520

004011BB |. 83C4 04 add esp,0x4

004011BE |> 8B5D F8 mov ebx,[local.2]

004011C1 |. 85DB test ebx,ebx

004011C3 |. 74 09 je short 追码CM.004011CE

004011C5 |. 53 push ebx

004011C6 |. E8 55030000 call 追码CM.00401520

004011CB |. 83C4 04 add esp,0x4

; Text argument (tag 0x80000004): local.3, or the constant at 0047D5F4 when
; local.3 is null (presumably an empty-string placeholder - TODO confirm).
004011CE |> 68 04000080 push 0x80000004

004011D3 |. 6A 00 push 0x0

004011D5 |. 8B45 F4 mov eax,[local.3]

004011D8 |. 85C0 test eax,eax

004011DA |. 75 05 jnz short 追码CM.004011E1

004011DC |. B8 F4D54700 mov eax,追码CM.0047D5F4

004011E1 |> 50 push eax

004011E2 |. 68 01000000 push 0x1

004011E7 |. BB C0184000 mov ebx,追码CM.004018C0

004011EC |. E8 35030000 call 追码CM.00401526

004011F1 |. 83C4 10 add esp,0x10

004011F4 |. 8945 F0 mov [local.4],eax

004011F7 |. 8B5D F4 mov ebx,[local.3]

004011FA |. 85DB test ebx,ebx

004011FC |. 74 09 je short 追码CM.00401207

004011FE |. 53 push ebx

004011FF |. E8 1C030000 call 追码CM.00401520

00401204 |. 83C4 04 add esp,0x4

; Author's note on the jnz line: this large jump can be ignored and what it
; tests is not needed for the analysis. A non-zero local.4 goes to 004013EB,
; the block listed next; the fall-through path below is cut short in this
; listing.
00401207 |> 837D F0 00 cmp [local.4],0x0

0040120B |. 0F85 DA010000 jnz 追码CM.004013EB 这个大的跳转不用管它 我们也不需要知道这里判断了什么

00401211 |. 68 010100A0 push 0xA0000101

00401216 |. 6A 00 push 0x0

00401218 |. 68 D2D54700 push 追码CM.0047D5D2

0040121D |. 68 01000000 push 0x1

00401222 |. BB B0174000 mov ebx,追码CM.004017B0

00401227 |. E8 FA020000 call 追码CM.00401526

0040122C |. 83C4 10 add esp,0x10

 

 

; --- 追码CM.exe, continuation at 004013EB (target of the jnz at 0040120B) ---
; Builds a string from the two constants at 0047D5D2 / 0047D5E4 and hands it
; to 追码CM.00401532; the stack window further down shows that call reaching
; LoadLibraryA with "C:\Windows\dcb.dll". The actual check therefore lives in
; a DLL loaded from a fixed absolute path, and the main .exe does no
; verification of its own.
004013EB |> \68 010100A0 push 0xA0000101

004013F0 |. 6A 00 push 0x0

004013F2 |. 68 D2D54700 push 追码CM.0047D5D2

004013F7 |. 68 01000000 push 0x1

004013FC |. BB B0174000 mov ebx,追码CM.004017B0

00401401 |. E8 20010000 call 追码CM.00401526

00401406 |. 83C4 10 add esp,0x10

00401409 |. 8945 FC mov [local.1],eax

0040140C |. 68 010100A0 push 0xA0000101

00401411 |. 6A 00 push 0x0

00401413 |. 68 E4D54700 push 追码CM.0047D5E4

00401418 |. 68 01000000 push 0x1

0040141D |. BB B0174000 mov ebx,追码CM.004017B0

00401422 |. E8 FF000000 call 追码CM.00401526

00401427 |. 83C4 10 add esp,0x10

0040142A |. 8945 F8 mov [local.2],eax

; Two-piece join (ecx = 2) of local.1 and local.2 -> local.3, the path string.
0040142D |. FF75 F8 push [local.2]

00401430 |. FF75 FC push [local.1] ; 追码CM.004010CB

00401433 |. B9 02000000 mov ecx,0x2

00401438 |. E8 32FCFFFF call 追码CM.0040106F

0040143D |. 83C4 08 add esp,0x8

00401440 |. 8945 F4 mov [local.3],eax

00401443 |. 8B5D FC mov ebx,[local.1] ; 追码CM.004010CB

00401446 |. 85DB test ebx,ebx

00401448 |. 74 09 je short 追码CM.00401453

0040144A |. 53 push ebx

0040144B |. E8 D0000000 call 追码CM.00401520

00401450 |. 83C4 04 add esp,0x4

00401453 |> 8B5D F8 mov ebx,[local.2]

00401456 |. 85DB test ebx,ebx

00401458 |. 74 09 je short 追码CM.00401463

0040145A |. 53 push ebx

0040145B |. E8 C0000000 call 追码CM.00401520

00401460 |. 83C4 04 add esp,0x4

; Save esp so the stack pointer can be re-checked after the external call.
00401463 |> 8965 F0 mov [local.4],esp

00401466 |. FF75 F4 push [local.3]

00401469 |. B8 00000000 mov eax,0x0

0040146E |. E8 BF000000 call 追码CM.00401532 ; calls LoadLibraryA (author's note); local.3 is the DLL path

; Stack-balance check: if esp moved across the call, 0040152C is called with
; code 6 (presumably a runtime error report - TODO confirm).
00401473 |. 3965 F0 cmp [local.4],esp

00401476 |. 74 0D je short 追码CM.00401485

00401478 |. 68 06000000 push 0x6

0040147D |. E8 AA000000 call 追码CM.0040152C

00401482 |. 83C4 04 add esp,0x4

00401485 |> 8B5D F4 mov ebx,[local.3]

00401488 |. 85DB test ebx,ebx

0040148A |. 74 09 je short 追码CM.00401495

0040148C |. 53 push ebx

0040148D |. E8 8E000000 call 追码CM.00401520

00401492 |. 83C4 04 add esp,0x4

; Seven dword arguments (add esp,0x1C = 28 bytes); their meaning is not
; visible in this listing.
00401495 |> 6A 00 push 0x0

00401497 |. 6A 00 push 0x0

00401499 |. 6A 00 push 0x0

0040149B |. 68 01000100 push 0x10001

004014A0 |. 68 00000106 push 0x6010000

004014A5 |. 68 01000152 push 0x52010001

004014AA |. 68 02000000 push 0x2

004014AF |. BB E0194000 mov ebx,追码CM.004019E0

004014B4 |. E8 6D000000 call 追码CM.00401526

004014B9 |. 83C4 1C add esp,0x1C

; Frame teardown; no value is computed here for the caller.
004014BC |> 8BE5 mov esp,ebp

004014BE |. 5D pop ebp ; 追码CM.00416A70

004014BF \. C3 retn

 

 

 

0012FCD8 00401473 /CALL LoadLibraryA 来自 追码CM.0040146E

0012FCDC 001F7EA0 \FileName = "C:\Windows\dcb.dll"

0012FCE0 006D96B0 ASCII "j"

 

我们可以看到程序加载了一个 dll,这个就是破解的关键,因为算法什么的都在里面。

 
 

所以我们来到这个 dll 里,下易语言的按钮事件断点;不这样做的话是断不下来的。

 

 

输入图一的假码,然后开始跟踪分析!

 

 

 

; --- dcb.dll, OllyDbg listing: routine reached after the DLL is loaded ---
; Same runtime-call shape as in the .exe (ebx = descriptor, call
; dcb.05D43CC6, caller cleans up); dcb.05D43CC0 releases a handle. The
; global at 0x5F535C0 is overwritten three times in a row with the result of
; an identical call (constant 05DC3934), releasing the previous value each
; time. Note the DLL base here is 05D4xxxx; the later listings show it at
; 05C8xxxx (constants shift by the same 0xC0000, e.g. 05DC3934 vs 05D03934).
05D410F1 55 push ebp

05D410F2 8BEC mov ebp,esp

05D410F4 81EC 08000000 sub esp,0x8 ; two dword locals: [ebp-4], [ebp-8]

05D410FA E8 B4020000 call dcb.05D413B3 ; body not shown on this page

05D410FF 68 010100A0 push 0xA0000101

05D41104 6A 00 push 0x0

05D41106 68 3439DC05 push dcb.05DC3934

05D4110B 68 01000000 push 0x1

05D41110 BB 1040D405 mov ebx,dcb.05D44010

05D41115 E8 AC2B0000 call dcb.05D43CC6

05D4111A 83C4 10 add esp,0x10

05D4111D 8945 FC mov dword ptr ss:[ebp-0x4],eax

; Replace the global at 0x5F535C0 with [ebp-4], releasing the old value.
05D41120 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05D41123 50 push eax

05D41124 8B1D C035F505 mov ebx,dword ptr ds:[0x5F535C0]

05D4112A 85DB test ebx,ebx

05D4112C 74 09 je short dcb.05D41137

05D4112E 53 push ebx

05D4112F E8 8C2B0000 call dcb.05D43CC0

05D41134 83C4 04 add esp,0x4

05D41137 58 pop eax

05D41138 A3 C035F505 mov dword ptr ds:[0x5F535C0],eax

; Second copy of the same call/store sequence.
05D4113D 68 010100A0 push 0xA0000101

05D41142 6A 00 push 0x0

05D41144 68 3439DC05 push dcb.05DC3934

05D41149 68 01000000 push 0x1

05D4114E BB 1040D405 mov ebx,dcb.05D44010

05D41153 E8 6E2B0000 call dcb.05D43CC6

05D41158 83C4 10 add esp,0x10

05D4115B 8945 FC mov dword ptr ss:[ebp-0x4],eax

05D4115E 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05D41161 50 push eax

05D41162 8B1D C035F505 mov ebx,dword ptr ds:[0x5F535C0]

05D41168 85DB test ebx,ebx

05D4116A 74 09 je short dcb.05D41175

05D4116C 53 push ebx

05D4116D E8 4E2B0000 call dcb.05D43CC0

05D41172 83C4 04 add esp,0x4

05D41175 58 pop eax

05D41176 A3 C035F505 mov dword ptr ds:[0x5F535C0],eax

; Third copy of the same call/store sequence.
05D4117B 68 010100A0 push 0xA0000101

05D41180 6A 00 push 0x0

05D41182 68 3439DC05 push dcb.05DC3934

05D41187 68 01000000 push 0x1

05D4118C BB 1040D405 mov ebx,dcb.05D44010

05D41191 E8 302B0000 call dcb.05D43CC6

05D41196 83C4 10 add esp,0x10

05D41199 8945 FC mov dword ptr ss:[ebp-0x4],eax

05D4119C 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05D4119F 50 push eax

05D411A0 8B1D C035F505 mov ebx,dword ptr ds:[0x5F535C0]

05D411A6 85DB test ebx,ebx

05D411A8 74 09 je short dcb.05D411B3

05D411AA 53 push ebx

05D411AB E8 102B0000 call dcb.05D43CC0

05D411B0 83C4 04 add esp,0x4

05D411B3 58 pop eax

05D411B4 A3 C035F505 mov dword ptr ds:[0x5F535C0],eax

; One integer argument (tag 0x80000301, value 1, count 1) -> [ebp-4]; then
; dcb.05D41054 gets that result and the global as its two arguments.
05D411B9 68 01030080 push 0x80000301

05D411BE 6A 00 push 0x0

05D411C0 68 01000000 push 0x1

05D411C5 68 01000000 push 0x1

05D411CA BB 1040D405 mov ebx,dcb.05D44010

05D411CF E8 F22A0000 call dcb.05D43CC6

05D411D4 83C4 10 add esp,0x10

05D411D7 8945 FC mov dword ptr ss:[ebp-0x4],eax

05D411DA 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05D411DD 50 push eax

05D411DE FF35 C035F505 push dword ptr ds:[0x5F535C0]

05D411E4 E8 6BFEFFFF call dcb.05D41054

05D411E9 83C4 08 add esp,0x8

05D411EC 83F8 00 cmp eax,0x0

05D411EF B8 00000000 mov eax,0x0 ; mov does not touch the flags ...

05D411F4 0f94c0 sete al ; ... so eax = 1 iff the call returned 0

05D411F7 8945 F8 mov dword ptr ss:[ebp-0x8],eax

05D411FA 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

05D411FD 85DB test ebx,ebx

05D411FF 74 09 je short dcb.05D4120A

05D41201 53 push ebx

05D41202 E8 B92A0000 call dcb.05D43CC0

05D41207 83C4 04 add esp,0x4

; The je has a rel32 of 0: its target is the very next instruction, so taken
; or not, execution reaches 05D41214 and [ebp-8] gates nothing in this
; listing.
05D4120A 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0

05D4120E 0F84 00000000 je dcb.05D41214

05D41214 E8 DD020000 call dcb.05D414F6 ; step in with F7 (author's note): the check continues there

05D41219 68 010100A0 push 0xA0000101

05D4121E 6A 00 push 0x0

05D41220 68 3439DC05 push dcb.05DC3934

05D41225 68 01000000 push 0x1

05D4122A BB 1040D405 mov ebx,dcb.05D44010

 

 

调试期间可以看到很多 123123123 之类的东西,这个我们先不用管它。

 

; --- dcb.dll (now at base 05C8xxxx), first stage: length check ---
; Reads the entered code, asks the runtime for its length, and continues into
; dcb.05C81814 only when the length is exactly 18; otherwise it jumps away
; without any feedback.
05C81649 83C4 04 add esp,0x4

05C8164C 58 pop eax

05C8164D A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

; Read the entered code (author's note). The 0x52010004 / 0x16010005 pair
; presumably identifies the control and property being read - TODO confirm.
05C81652 6A FF push -0x1

05C81654 6A 08 push 0x8

05C81656 68 05000116 push 0x16010005

05C8165B 68 04000152 push 0x52010004

05C81660 E8 79260000 call dcb.05C83CDE

05C81665 83C4 10 add esp,0x10 ; the entered (fake) code

05C81668 8945 FC mov dword ptr ss:[ebp-0x4],eax

; Text argument (tag 0x80000004): the code, or the constant at 05D03945 when
; the handle is null.
05C8166B 68 04000080 push 0x80000004

05C81670 6A 00 push 0x0

05C81672 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05C81675 85C0 test eax,eax

05C81677 75 05 jnz short dcb.05C8167E

05C81679 B8 4539D005 mov eax,dcb.05D03945

05C8167E 50 push eax

05C8167F 68 01000000 push 0x1

05C81684 BB B03DC805 mov ebx,dcb.05C83DB0

05C81689 E8 38260000 call dcb.05C83CC6

05C8168E 83C4 10 add esp,0x10 ; length of the entered code

05C81691 8945 F8 mov dword ptr ss:[ebp-0x8],eax

05C81694 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

05C81697 85DB test ebx,ebx ; dcb.05C83DB0

05C81699 74 09 je short dcb.05C816A4

05C8169B 53 push ebx ; dcb.05C83DB0

05C8169C E8 1F260000 call dcb.05C83CC0

05C816A1 83C4 04 add esp,0x4

05C816A4 837D F8 12 cmp dword ptr ss:[ebp-0x8],0x12 ; is the length 18 (0x12)?

05C816A8 0F84 0A000000 je dcb.05C816B8 ; length ok -> next stage

05C816AE /E9 5D010000 jmp dcb.05C81810 ; wrong length -> 05C81810 (not shown; presumably the silent exit)

05C816B3 |E9 05000000 jmp dcb.05C816BD ; sits after an unconditional jmp; no visible path reaches it

05C816B8 |E8 57010000 call dcb.05C81814 F7进入这个call

05C816BD |68 010100A0 push 0xA0000101

05C816C2 |6A 00 push 0x0

05C816C4 |68 3439D005 push dcb.05D03934

05C816C9 |68 01000000 push 0x1

05C816CE |BB 1040C805 mov ebx,dcb.05C84010

05C816D3 |E8 EE250000 call dcb.05C83CC6

 

长度这个不用多说了,注册码肯定要有18位。

 

 

; --- dcb.dll, second stage: compare against "521" ---
; Arguments are pushed as (type tag, 0, value) triples followed by a count,
; in this push order: (0x80000002, 0, 1), (0x80000301, 0, 3), text [ebp-4]
; ("521" per the author), text [ebp-8] (entered code), count 4. Whether the
; integer 3 is a start position or a length is not visible here. The author
; observed that the call returns -1 when the code does not match.
05C818A2 83C4 04 add esp,0x4

05C818A5 58 pop eax

05C818A6 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

05C818AB 68 010100A0 push 0xA0000101

05C818B0 6A 00 push 0x0

05C818B2 68 4639D005 push dcb.05D03946

05C818B7 68 01000000 push 0x1

05C818BC BB 1040C805 mov ebx,dcb.05C84010

05C818C1 E8 00240000 call dcb.05C83CC6

05C818C6 83C4 10 add esp,0x10 ; 521 (author's note) -> [ebp-4]

05C818C9 8945 FC mov dword ptr ss:[ebp-0x4],eax

; Read the entered code again, same control/property pair as in stage one.
05C818CC 6A FF push -0x1

05C818CE 6A 08 push 0x8

05C818D0 68 05000116 push 0x16010005

05C818D5 68 04000152 push 0x52010004

05C818DA E8 FF230000 call dcb.05C83CDE

05C818DF 83C4 10 add esp,0x10 ; the entered (fake) code -> [ebp-8]

05C818E2 8945 F8 mov dword ptr ss:[ebp-0x8],eax

05C818E5 68 02000080 push 0x80000002

05C818EA 6A 00 push 0x0

05C818EC 68 01000000 push 0x1

05C818F1 68 01030080 push 0x80000301

05C818F6 6A 00 push 0x0

05C818F8 68 03000000 push 0x3

; Text argument: the "521" constant, or 05D03945 if the handle is null.
05C818FD 68 04000080 push 0x80000004

05C81902 6A 00 push 0x0

05C81904 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05C81907 85C0 test eax,eax

05C81909 75 05 jnz short dcb.05C81910

05C8190B B8 4539D005 mov eax,dcb.05D03945

05C81910 50 push eax

; Text argument: the entered code, with the same null fallback.
05C81911 68 04000080 push 0x80000004

05C81916 6A 00 push 0x0

05C81918 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]

05C8191B 85C0 test eax,eax

05C8191D 75 05 jnz short dcb.05C81924

05C8191F B8 4539D005 mov eax,dcb.05D03945

05C81924 50 push eax

05C81925 68 04000000 push 0x4

05C8192A BB 303FC805 mov ebx,dcb.05C83F30

05C8192F E8 92230000 call dcb.05C83CC6 ; the key compare call: returns -1 when not equal (author's note)

05C81934 83C4 34 add esp,0x34 ; 0x34 = 13 dwords = 4 triples + count

05C81937 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; compare result

05C8193A 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]

05C8193D 85DB test ebx,ebx ; dcb.05C83F30

05C8193F 74 09 je short dcb.05C8194A

05C81941 53 push ebx ; dcb.05C83F30

05C81942 E8 79230000 call dcb.05C83CC0

 

但是我们不知道“521”和哪几位对比

 

其实前面也调用过这个对比函数:我刚才说过前面有很多123123123之类的东西,对比不正确的话就返回-1;然而上面那几次即使和程序所对比的不一样也没有返回-1,所以假码前面几位肯定是可以随便输入的。

 

其实大家可以测试一下:前面随便填几位数,后面接上521,看看填几位时经过这里不再返回-1,那就说明你填对了。

 

经过反复调试,假码前8位可以随便填,接着填上521。这个CM是一步走对了才会进入下一步,某一步错误了就直接返回,无任何提示。

 

 

; --- dcb.dll, second stage continued (repeats the tail of the listing above) ---
; After the compare, both text handles are released and the result is parked
; in the global at 0x5E935C4, where the gate at 05C819DE tests it against -1.
05C8192F E8 92230000 call dcb.05C83CC6 ; the key compare call (author's note)

05C81934 83C4 34 add esp,0x34

05C81937 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; compare result

05C8193A 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]

05C8193D 85DB test ebx,ebx

05C8193F 74 09 je short dcb.05C8194A

05C81941 53 push ebx

05C81942 E8 79230000 call dcb.05C83CC0

05C81947 83C4 04 add esp,0x4

05C8194A 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

05C8194D 85DB test ebx,ebx

05C8194F 74 09 je short dcb.05C8195A

05C81951 53 push ebx

05C81952 E8 69230000 call dcb.05C83CC0

05C81957 83C4 04 add esp,0x4

05C8195A 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]

; Author's note on the line: the -1 is handed to this global variable.
05C8195D A3 C435E905 mov dword ptr ds:[0x5E935C4],eax -1给了这个全局变量

05C81962 68 010100A0 push 0xA0000101

05C81967 6A 00 push 0x0

05C81969 68 3439D005 push dcb.05D03934

05C8196E 68 01000000 push 0x1

05C81973 BB 1040C805 mov ebx,dcb.05C84010

05C81978 E8 49230000 call dcb.05C83CC6

 

 

 

; --- dcb.dll: gate on the second-stage result ---
; Every stage on this page works the same way: the compare result sits in a
; global, and only a value other than -1 reaches the call into the next
; stage. The pieces are therefore checked one after another against plain
; constants stored in the DLL, and the first mismatch ends the check without
; any message.
05C819D5 83C4 04 add esp,0x4

05C819D8 58 pop eax

05C819D9 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

; Author's note on the line: compare with the -1 obtained just before.
05C819DE 833D C435E905 F>cmp dword ptr ds:[0x5E935C4],-0x1 和刚才得出的-1进行对比

; Author's note on the line: if equal, the call is skipped.
05C819E5 0F84 0A000000 je dcb.05C819F5 相等的话就跳过call

; Author's note on the line: this call continues with the next verification step.
05C819EB E8 71010000 call dcb.05C81B61 这个call是继续执行验证的下一步

05C819F0 E9 05000000 jmp dcb.05C819FA

05C819F5 E9 63010000 jmp dcb.05C81B5D ; mismatch path: bypasses the next stage

05C819FA EB 0E jmp short dcb.05C81A0A

; Bytes after an unconditional jmp, rendered as instructions by OllyDbg; no
; visible path reaches them, so they are most likely not code.
05C819FC 56 push esi ; dcb.05E9F700

05C819FD 4D dec ebp

05C819FE 50 push eax

 

所以这里的跳转是不能跳的。

 

其实分析到这里,后面基本不用怎么分析了,因为都是一样的流程。

 

 

 

; --- dcb.dll, third stage: compare against "4204" ---
; Mirrors the "521" stage at 05C818AB: a different constant (05D03951,
; "4204" per the author), the integer argument is 6 instead of 3, and the
; result goes to the global at 0x5E935C8 instead of 0x5E935C4.
05C81BEF 83C4 04 add esp,0x4

05C81BF2 58 pop eax ; dcb.05C9B721

05C81BF3 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

05C81BF8 68 010100A0 push 0xA0000101

05C81BFD 6A 00 push 0x0

05C81BFF 68 5139D005 push dcb.05D03951

05C81C04 68 01000000 push 0x1

05C81C09 BB 1040C805 mov ebx,dcb.05C84010

05C81C0E E8 B3200000 call dcb.05C83CC6

05C81C13 83C4 10 add esp,0x10 ; 4204 (author's note) -> [ebp-4]

05C81C16 8945 FC mov dword ptr ss:[ebp-0x4],eax

; Read the entered code, same control/property pair as before.
05C81C19 6A FF push -0x1

05C81C1B 6A 08 push 0x8

05C81C1D 68 05000116 push 0x16010005

05C81C22 68 04000152 push 0x52010004

05C81C27 E8 B2200000 call dcb.05C83CDE

05C81C2C 83C4 10 add esp,0x10 ; the entered (fake) code -> [ebp-8]

05C81C2F 8945 F8 mov dword ptr ss:[ebp-0x8],eax

05C81C32 68 02000080 push 0x80000002

05C81C37 6A 00 push 0x0

05C81C39 68 01000000 push 0x1

05C81C3E 68 01030080 push 0x80000301

05C81C43 6A 00 push 0x0

05C81C45 68 06000000 push 0x6 ; integer argument: 6 here, 3 in the "521" stage

; Text argument: the "4204" constant, or 05D03945 if the handle is null.
05C81C4A 68 04000080 push 0x80000004

05C81C4F 6A 00 push 0x0

05C81C51 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

05C81C54 85C0 test eax,eax

05C81C56 75 05 jnz short dcb.05C81C5D

05C81C58 B8 4539D005 mov eax,dcb.05D03945

05C81C5D 50 push eax

; Text argument: the entered code, with the same null fallback.
05C81C5E 68 04000080 push 0x80000004

05C81C63 6A 00 push 0x0

05C81C65 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]

05C81C68 85C0 test eax,eax

05C81C6A 75 05 jnz short dcb.05C81C71

05C81C6C B8 4539D005 mov eax,dcb.05D03945

05C81C71 50 push eax

05C81C72 68 04000000 push 0x4

05C81C77 BB 303FC805 mov ebx,dcb.05C83F30

05C81C7C E8 45200000 call dcb.05C83CC6 ; compare routine (author's note)

05C81C81 83C4 34 add esp,0x34 ; 0x34 = 13 dwords = 4 triples + count

05C81C84 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; compare result

05C81C87 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]

05C81C8A 85DB test ebx,ebx ; dcb.05C83F30

05C81C8C 74 09 je short dcb.05C81C97

05C81C8E 53 push ebx ; dcb.05C83F30

05C81C8F E8 2C200000 call dcb.05C83CC0

05C81C94 83C4 04 add esp,0x4

05C81C97 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

05C81C9A 85DB test ebx,ebx ; dcb.05C83F30

05C81C9C 74 09 je short dcb.05C81CA7

05C81C9E 53 push ebx ; dcb.05C83F30

05C81C9F E8 1C200000 call dcb.05C83CC0

05C81CA4 83C4 04 add esp,0x4

05C81CA7 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]

05C81CAA A3 C835E905 mov dword ptr ds:[0x5E935C8],eax ; result parked for the gate at 05C81D2B

05C81CAF 68 010100A0 push 0xA0000101

05C81CB4 6A 00 push 0x0

05C81CB6 68 3439D005 push dcb.05D03934

05C81CBB 68 01000000 push 0x1

05C81CC0 BB 1040C805 mov ebx,dcb.05C84010

05C81CC5 E8 FC1F0000 call dcb.05C83CC6

 

标记红色的为关键

 
 

看到了吧,接下来和4204进行对比,正确了就继续执行下一个对比,错误就直接over。

 

; --- dcb.dll: gate on the third-stage result ---
; Same shape as the gate at 05C819DE: -1 in the global skips the call into
; the next stage (via 05C81EAA), anything else enters dcb.05C81EAE.
05C81D22 83C4 04 add esp,0x4

05C81D25 58 pop eax ; dcb.05C9B721

05C81D26 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

05C81D2B 833D C835E905 F>cmp dword ptr ds:[0x5E935C8],-0x1 ; "4204" compare result == -1 ?

05C81D32 0F84 0A000000 je dcb.05C81D42 ; mismatch -> skip the next stage

05C81D38 E8 71010000 call dcb.05C81EAE ; next verification step

05C81D3D E9 05000000 jmp dcb.05C81D47

05C81D42 E9 63010000 jmp dcb.05C81EAA

05C81D47 68 010100A0 push 0xA0000101

05C81D4C 6A 00 push 0x0

05C81D4E 68 3439D005 push dcb.05D03934

05C81D53 68 01000000 push 0x1

05C81D58 BB 1040C805 mov ebx,dcb.05C84010

 

 

继续下一个对比

 

 

这次不会直接显示出和什么对比了,所以我们在数据窗口中跟随,可以看到是和“/”进行对比。后面的对比也是一样,所以我不再阐述了,看图吧。
 
 

 

接着和D对比

 
 

接着和A对比

 

好了,这个CM的密码就出来了

 

总结:

1.前面8位可以任意填写

2.后面必须是5214204/DA

 

 
 
 