2019-04-01 CrackMe 4

Delphi程序，主要看到三个窗口:

用户名
注册码
一片空白区域

DeDe查看：

看到Edit2的关键处理函数chkcode
找到chkcode位置并下断：

chkcode

当编辑的时候即会在断下来：

00457C40  /.  55            push ebp
00457C41  |.  8BEC          mov ebp,esp
00457C43  |.  51            push ecx
00457C44  |.  B9 05000000   mov ecx,0x5
00457C49  |>  6A 00         /push 0x0
00457C4B  |.  6A 00         |push 0x0
00457C4D  |.  49            |dec ecx
00457C4E  |.^ 75 F9         \jnz XCKme.00457C49
00457C50  |.  51            push ecx
00457C51  |.  874D FC       xchg [local.1],ecx
00457C54  |.  53            push ebx
00457C55  |.  56            push esi
00457C56  |.  8BD8          mov ebx,eax
00457C58  |.  33C0          xor eax,eax
00457C5A  |.  55            push ebp
00457C5B  |.  68 3D7E4500   push CKme.00457E3D
00457C60  |.  64:FF30       push dword ptr fs:[eax]
00457C63  |.  64:8920       mov dword ptr fs:[eax],esp
00457C66  |.  8BB3 F8020000 mov esi,dword ptr ds:[ebx+0x2F8]
00457C6C  |.  83C6 05       add esi,0x5
00457C6F  |.  FFB3 10030000 push dword ptr ds:[ebx+0x310]
00457C75  |.  8D55 F8       lea edx,[local.2]
00457C78  |.  8BC6          mov eax,esi
00457C7A  |.  E8 85FEFAFF   call CKme.00407B04
00457C7F  |.  FF75 F8       push [local.2]
00457C82  |.  FFB3 14030000 push dword ptr ds:[ebx+0x314]
00457C88  |.  8D55 F4       lea edx,[local.3]
00457C8B  |.  8B83 D4020000 mov eax,dword ptr ds:[ebx+0x2D4]
00457C91  |.  E8 B2B6FCFF   call CKme.00423348
00457C96  |.  FF75 F4       push [local.3]
00457C99  |.  8D83 18030000 lea eax,dword ptr ds:[ebx+0x318]
00457C9F  |.  BA 04000000   mov edx,0x4
00457CA4  |.  E8 93BFFAFF   call CKme.00403C3C
00457CA9  |.  33D2          xor edx,edx
00457CAB  |.  8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CB1  |.  E8 AAB5FCFF   call CKme.00423260
00457CB6  |.  8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]
00457CBC  |.  8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CC2  |.  E8 B1B6FCFF   call CKme.00423378
00457CC7  |.  33F6          xor esi,esi
00457CC9  |>  8D55 EC       /lea edx,[local.5]
00457CCC  |.  8B83 D4020000 |mov eax,dword ptr ds:[ebx+0x2D4]
00457CD2  |.  E8 71B6FCFF   |call CKme.00423348
00457CD7  |.  8B45 EC       |mov eax,[local.5]
00457CDA  |.  E8 9DBEFAFF   |call CKme.00403B7C
00457CDF  |.  83C0 03       |add eax,0x3
00457CE2  |.  8D55 F0       |lea edx,[local.4]
00457CE5  |.  E8 1AFEFAFF   |call CKme.00407B04
00457CEA  |.  FF75 F0       |push [local.4]
00457CED  |.  8D55 E8       |lea edx,[local.6]
00457CF0  |.  8B83 D4020000 |mov eax,dword ptr ds:[ebx+0x2D4]
00457CF6  |.  E8 4DB6FCFF   |call CKme.00423348
00457CFB  |.  FF75 E8       |push [local.6]
00457CFE  |.  8D55 E4       |lea edx,[local.7]
00457D01  |.  8BC6          |mov eax,esi
00457D03  |.  E8 FCFDFAFF   |call CKme.00407B04
00457D08  |.  FF75 E4       |push [local.7]
00457D0B  |.  8D45 FC       |lea eax,[local.1]
00457D0E  |.  BA 03000000   |mov edx,0x3
00457D13  |.  E8 24BFFAFF   |call CKme.00403C3C
00457D18  |.  46            |inc esi
00457D19  |.  83FE 13       |cmp esi,0x13
00457D1C  |.^ 75 AB         \jnz XCKme.00457CC9
00457D1E  |.  8D55 E0       lea edx,[local.8]
00457D21  |.  8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00457D27  |.  E8 1CB6FCFF   call CKme.00423348
00457D2C  |.  8B45 E0       mov eax,[local.8]
00457D2F  |.  8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]
00457D35  |.  E8 52BFFAFF   call CKme.00403C8C
00457D3A  |. /75 0A         jnz XCKme.00457D46
00457D3C  |. |C783 0C030000>mov dword ptr ds:[ebx+0x30C],0x3E
00457D46  |> \8B83 0C030000 mov eax,dword ptr ds:[ebx+0x30C]

在0x0457D1C前会循环0x13次，没太追流程，看不太懂他的意思
不过看到：

00457D2C  |.  8B45 E0       mov eax,[local.8]
00457D2F  |.  8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]
00457D35  |.  E8 52BFFAFF   call CKme.00403C8C

看到前面应该是一个拼接
根据name生成真正的序列号：

"黑头Sun Bird"+str(len(name)+5)+"dseloffc-012-OK"+name

比较序列号如果相同后会设置一个标志位：

00457D3C  |.  C783 0C030000>mov dword ptr ds:[ebx+0x30C],0x3E

跟踪一下panel1click(单击),看到关键部分：

00458031  |.  81BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x85
0045803B  |.  75 76         jnz XCKme.004580B3
0045803D  |.  33DB          xor ebx,ebx

对此标志位的判断0x85，没有作用，因为前面判断过后设置为0x3E
再看双击函数：panel1Dblclick：

00457EF5  |.  83BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x3E
00457EFC  |.  75 0A         jnz XCKme.00457F08
00457EFE  |.  C786 0C030000>mov dword ptr ds:[esi+0x30C],0x85

会判断标志位是否为0x3E，并设置为0x85
所以我们正确的破解顺序：

输入name
输入序列号："黑头Sun Bird"+str(len(name)+5)+"dseloffc-012-OK"+name
双击空白
单击空白

最后破解成功：

Success

2019-04-01 CrackMe 4

你可能感兴趣的:(2019-04-01 CrackMe 4)