扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
在本页阅读全文(共2页)
呵呵,程序在启动时还有校验。爆破顺手也就看看。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402238(C)
|
:0040221F 33C0 xor eax, eax
:00402221 8D7C2420 lea edi, dword ptr [esp+20]
:00402225 8A441420 mov al, byte ptr [esp+edx+20]
:00402229 83C9FF or ecx, FFFFFFFF
:0040222C 03F0 add esi, eax
:0040222E 33C0 xor eax, eax
:00402230 42 inc edx
:00402231 F2 repnz
:00402232 AE scasb
:00402233 F7D1 not ecx
:00402235 49 dec ecx
:00402236 3BD1 cmp edx, ecx
:00402238 72E5 jb 0040221F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040221D(C)
|
:0040223A 8D4C2454 lea ecx, dword ptr [esp+54]
:0040223E 51 push ecx
* Reference To: MSVCRT.atol, Ord:023Eh
|
:0040223F FF1578424000 Call dword ptr [00404278]
:00402245 83C404 add esp, 00000004
:00402248 3BF0 cmp esi, eax
====>呵呵,再比较一次!
:0040224A 753A jne 00402286
:0040224C 8D7C2420 lea edi, dword ptr [esp+20]
:00402250 83C9FF or ecx, FFFFFFFF
:00402253 33C0 xor eax, eax
:00402255 F2 repnz
:00402256 AE scasb
:00402257 F7D1 not ecx
:00402259 49 dec ecx
:0040225A 83F901 cmp ecx, 00000001
====>呵呵,再比较一次!
:0040225D 7627 jbe 00402286
:0040225F 8D7C2454 lea edi, dword ptr [esp+54]
:00402263 83C9FF or ecx, FFFFFFFF
:00402266 F2 repnz
:00402267 AE scasb
:00402268 F7D1 not ecx
:0040226A 49 dec ecx
:0040226B 83F901 cmp ecx, 00000001
====>呵呵,再比较一次!
:0040226E 7616 jbe 00402286
:00402270 8B54240C mov edx, dword ptr [esp+0C]
:00402274 B301 mov bl, 01
====>置1则OK!
:00402276 52 push edx
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00402277 FF150C404000 Call dword ptr [0040400C]
:0040227D 5F pop edi
:0040227E 8AC3 mov al, bl
:00402280 5E pop esi
:00402281 5B pop ebx
:00402282 83C47C add esp, 0000007C
:00402285 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040224A(C), :0040225D(C), :0040226E(C)
|
:00402286 8B54240C mov edx, dword ptr [esp+0C]
:0040228A 32DB xor bl, bl
====>清0则OVER!呵呵, 爆破点 ④
:0040228C 52 push edx
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040228D FF150C404000 Call dword ptr [0040400C]
:00402293 5F pop edi
:00402294 8AC3 mov al, bl
:00402296 5E pop esi
:00402297 5B pop ebx
:00402298 83C47C add esp, 0000007C
:0040229B C3 ret
—————————————————————————————————
【算 法 总 结】:
1、用户名和注册码长度要至少1位。
2、用户名字符HEX值累加的之和应等于注册码数字的HEX值
简单求逆:
fly=66 + 6C + 79=14B
14B(H)=331(D)
呵呵,所以我的注册码就是331
—————————————————————————————————
【完 美 爆 破】:
1、004026A8 7577 jne 00402721
改为: 9090 NOP掉
2、004026AD 7672 jbe 00402721
改为: 9090 NOP掉
3、004026B2 766D jbe 00402721
改为: 9090 NOP掉
4、0040228A 32DB xor bl, bl
改为: B301 mov bl, 01
—————————————————————————————————
【KeyMake之{64th}内存注册机】:
中断地址:4026A6
中断次数:1
第一字节:3B
指令长度:2
寄存器方式:ECX
十进制
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\HZBH]
"UserName"="fly"
"PassWord"="331"
—————————————————————————————————
【整 理】:
用户名:FLY
注册码:331
—————————————————————————————————
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者
京公网安备 11010802021500号