160CrackMe~001
dword ptr 表示占用两个字节的大小
ds:[esi+62c] 表示内存的地址 其中ds是段地址 [esi+62c]是偏移地址
edi 它就是寄存器了
所以 MOV DWORD PTR DS:[ESI+62C],EDI 就是将 edi 中的数据存储到内存中 地址为ds:[esi+62c]到 ds:[esi+62e]
在OD里,[local.1] 是 ebp-4 , [local.2] 是 ebp-8 , 以每4个字节递增;这里 [ebp-18] 中的 18 是十六进制,换算成十进制为 24。这种显示方式可在 OD-调试设置-分析1 中修改。
byte ptr:以字节为单位
word ptr:以字为单位
EAX:累加器
EBP:基址指针
EBX:基地址寄存器
; OllyDbg dump of the serial check in 160CrackMe~001 (0042F9B5 - 0042FB37),
; reformatted one instruction per line. Comments after ';' are the author's
; notes (translated) plus reviewer annotations; anything about what the called
; subroutines do is inferred from their use here, not from their bodies.
0042F9B5 |. C705 50174300>mov dword ptr ds:[0x431750],0x29 ; stores the constant 0x29 at address 0x431750 (the serial multiplier)
0042F9BF |. 8D55 F0 lea edx,[local.4]
0042F9C2 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 |. E8 8BB0FEFF call dsdasdas.0041AA58 ; fetches text from the object at [ebx+0x1DC] into local.4 (the name field, per the notes below)
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call dsdasdas.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax ; copy of the name string kept at 0x43176C; read again at 0042FA4D for the length check
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call dsdasdas.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax] ; eax = name[0] (zero-extended byte)
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3 ; esi = name[0] * 8
0042F9F3 |. 2BF0 sub esi,eax ; esi = name[0] * 8 - name[0] = name[0] * 7
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call dsdasdas.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1] ; eax = name[1]
0042FA0A |. C1E0 04 shl eax,0x4 ; eax = name[1] * 16
0042FA0D |. 03F0 add esi,eax
0042FA0F |. 8935 54174300 mov dword ptr ds:[0x431754],esi ; 0x431754 = name[0]*7 + name[1]*16; never read again anywhere in this listing
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call dsdasdas.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3] ; eax = name[3]
0042FA2A |. 6BF0 0B imul esi,eax,0xB ; esi = name[3] * 11
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call dsdasdas.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2] ; eax = name[2]
0042FA42 |. 6BC0 0E imul eax,eax,0xE ; eax = name[2] * 14
0042FA45 |. 03F0 add esi,eax
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi ; 0x431758 = name[3]*11 + name[2]*14; also never read again in this listing, so name[1..3] do not affect the serial
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C]
0042FA52 |. E8 D96EFDFF call dsdasdas.00406930 ; presumably returns the length of the name string in eax (the author reads it as a character count)
0042FA57 |. 83F8 04 cmp eax,0x4 ; author: jumps when the character count is not below 4; fewer than 4 characters falls through to the error message
0042FA5A |. 7D 1D jge short dsdasdas.0042FA79 ; length >= 4 continues with the serial computation at 0042FA79
0042FA5C |. 6A 00 push 0x0 ; failure branch (name too short): same message as 0042FB1F
0042FA5E |. B9 74FB4200 mov ecx,dsdasdas.0042FB74 ; ASCII 54,"ry Again!"
0042FA63 |. BA 80FB4200 mov edx,dsdasdas.0042FB80 ; ASCII 53,"orry , The serial is incorect !"
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax] ; dsdasdas.00424090
0042FA6F |. E8 FCA6FFFF call dsdasdas.0042A170 ; message-box style call taking caption (ecx) and text (edx); same call is used for both outcomes below
0042FA74 |. E9 BE000000 jmp dsdasdas.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4] ; local.4 = EBP (base pointer) - 16
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call dsdasdas.0041AA58
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; takes the first byte at the address in eax into eax (name[0])
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; eax *= 0x29 (the value at 0x431750); one-operand imul leaves the full product in edx:eax, only eax is used
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax ; store eax back to address 0x431750
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750] ; load the value at 0x431750 into eax
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; equivalent to eax *= 2; 0x431750 now holds name[0]*0x29*2
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,dsdasdas.0042FBAC
0042FAAB |. E8 583CFDFF call dsdasdas.00403708 ; local.1 = string at 0042FBAC (not shown in this dump; the "CW" prefix per the notes below)
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,dsdasdas.0042FBB8
0042FAB8 |. E8 4B3CFDFF call dsdasdas.00403708 ; local.2 = string at 0042FBB8 (not shown; the "CRACKED" suffix per the notes below)
0042FABD |. FF75 FC push [local.1] ; dsdasdas.0042FBAC
0042FAC0 |. 68 C8FB4200 push dsdasdas.0042FBC8 ; UNICODE "-"
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call dsdasdas.00406718 ; presumably integer-to-string: local.6 = decimal text of the value at 0x431750
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push dsdasdas.0042FBC8 ; UNICODE "-"
0042FADA |. FF75 F8 push [local.2] ; dsdasdas.0042FBB8
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5 ; five pieces were pushed: local.1, "-", local.6, "-", local.2
0042FAE5 |. E8 C23EFDFF call dsdasdas.004039AC ; presumably concatenates the 5 pushed strings into local.3 = the expected serial
0042FAEA |. 8D55 F0 lea edx,[local.4]
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; a different field than [ebx+0x1DC] used for the name; presumably the serial input box
0042FAF3 |. E8 60AFFEFF call dsdasdas.0041AA58
0042FAF8 |. 8B55 F0 mov edx,[local.4] ; entered serial
0042FAFB |. 8B45 F4 mov eax,[local.3] ; expected serial
0042FAFE |. E8 F93EFDFF call dsdasdas.004039FC ; presumably a string compare that sets ZF on equality
0042FB03 |. 75 1A jnz short dsdasdas.0042FB1F ; mismatch -> failure message; fall-through is the success path
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,dsdasdas.0042FBCC ; success caption (string not annotated in this dump)
0042FB0C |. BA D8FB4200 mov edx,dsdasdas.0042FBD8 ; success text (string not annotated in this dump)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax] ; dsdasdas.00424090
0042FB18 |. E8 53A6FFFF call dsdasdas.0042A170
0042FB1D |. EB 18 jmp short dsdasdas.0042FB37
0042FB1F |> 6A 00 push 0x0 ; failure branch (serial mismatch)
0042FB21 |. B9 74FB4200 mov ecx,dsdasdas.0042FB74 ; ASCII 54,"ry Again!"
0042FB26 |. BA 80FB4200 mov edx,dsdasdas.0042FB80 ; ASCII 53,"orry , The serial is incorect !"
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax] ; dsdasdas.00424090
0042FB32 |. E8 39A6FFFF call dsdasdas.0042A170
0042FB37 |> 33C0 xor eax,eax ; common exit for all three branches: eax = 0
这段的大概意思是:取 name 第一个字节的 ASCII 值,先 *=0x29 再 *=2,把结果转成十进制,然后拼接成 CW-%d-CRACKED 的形式,例如 CW-1234-CRACKED
注册机:
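#include <cstdio>
#include <cstdlib>
#include <iostream>
using namespace std;

/*
 * Keygen for 160CrackMe~001.
 *
 * The serial is "CW-<n>-CRACKED", where n is the ASCII value of the first
 * character of the name multiplied by 0x29 and then doubled, printed in
 * decimal (see the disassembly above: imul by [0x431750]=0x29, then the
 * add-to-self that doubles it).  Only the first byte of the name matters.
 *
 * Returns 0 on success, 1 when no name character could be read.
 */
int main()
{
    printf("Input name\r\n");
    // Only the first byte feeds the serial, so one getchar() is enough.
    // getchar() returns EOF (a negative int) on closed/empty input; the
    // original fed that straight into the multiplication.
    int cName = getchar();
    if (cName == EOF) {
        fprintf(stderr, "no input\n");
        return 1;
    }
    cName *= 0x29;
    cName *= 2;
    printf("CW-%d-CRACKED\n", cName);
    // Windows-only: spawns a shell to run "pause" so the console stays open.
    system("pause");
    return 0;
}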
Nags与Serial直接搜索爆破即可
----vincebye---