Using a CrackMe written by Rulz as the example, we learn three simple cracking techniques:
1. Brute-force cracking
2. Building a memory keygen
3. Writing an algorithm keygen
File: ex604.exe
===================================================================================
Load ex604.exe with OllyDbg 1.09 (Chinese edition). Since it is not packed, it stops at the real entry point:
00441A48 > $ 55 PUSH EBP ; nothing useful here; set the breakpoint via the key string instead
00441A49 . 8BEC MOV EBP,ESP
00441A4B . 83C4 F4 ADD ESP,-0C
00441A4E . B8 40194400 MOV EAX,ex604.00441940
00441A53 . E8 4C41FCFF CALL ex604.00405BA4
00441A58 . A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441A5D . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441A5F . E8 A0D2FFFF CALL ex604.0043ED04
00441A64 . 8B0D 002D4400 MOV ECX,DWORD PTR DS:[442D00] ; ex604.0044382C
00441A6A . A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441A6F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441A71 . 8B15 18154400 MOV EDX,DWORD PTR DS:[441518] ; ex604.00441564
00441A77 . E8 A0D2FFFF CALL ex604.0043ED1C
00441A7C . A1 302C4400 MOV EAX,DWORD PTR DS:[442C30]
00441A81 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00441A83 . E8 14D3FFFF CALL ex604.0043ED9C
00441A88 . E8 FB1BFCFF CALL ex604.00403688
00441A8D . 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
00441A90 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A92 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A94 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A96 . 0000 ADD BYTE PTR DS:[EAX],AL
00441A98 . 0000 ADD BYTE PTR DS:[EAX],AL
Nothing at the entry point tells us what is going on, but there is no need to panic: enter any registration name and code in the program and try to register, find the error string, and set a breakpoint on it in OllyDbg. After the break, a little analysis brings us to the following section:
004417B8 /. 55 PUSH EBP ; registration calculation routine
004417B9 |. 8BEC MOV EBP,ESP
004417BB |. 6A 00 PUSH 0
004417BD |. 6A 00 PUSH 0
004417BF |. 6A 00 PUSH 0
004417C1 |. 53 PUSH EBX
004417C2 |. 8BD8 MOV EBX,EAX
004417C4 |. 33C0 XOR EAX,EAX
004417C6 |. 55 PUSH EBP
004417C7 |. 68 60184400 PUSH ex604.00441860
004417CC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004417CF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
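As an added example (not part of the original tutorial), the Python script below parses the OllyDbg listing format used above (address, flow markers such as `> $`, `.`, `/.`, `|.`, opcode bytes, instruction, `;` comment), checks that each line's byte count reaches the next address so that a listing damaged while being pasted is caught, and locates the `XOR EAX,EAX / PUSH EBP / PUSH handler / PUSH FS:[EAX] / MOV FS:[EAX],ESP` sequence, the standard Delphi try-block prologue, at 004417C6. The sample lines are the routine listing above; the `DAMAGED` string is constructed.

```python
import re
from collections import namedtuple

# OllyDbg line: 8-digit address, optional flow markers, opcode bytes, instruction, ; comment
LINE_RE = re.compile(r'^([0-9A-F]{8})\s+(?:[>$./|]\s*)*(.*)$')
BYTE_RE = re.compile(r'^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$')   # e.g. 8BEC, 60184400, 64:FF30
Insn = namedtuple('Insn', 'addr size text comment')            # size = number of opcode bytes

def parse_listing(listing):
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m: continue
        body, _, comment = m.group(2).partition(';')
        tokens = body.split()
        size = 0
        while tokens and BYTE_RE.match(tokens[0]):             # consume the byte column
            size += len(tokens.pop(0).replace(':', '')) // 2   # 64: prefix counts as one byte
        insns.append(Insn(int(m.group(1), 16), size, ' '.join(tokens), comment.strip()))
    return insns

def gaps(insns):
    """(addr, addr+size, next addr) wherever the byte count does not land on the next line."""
    return [(a.addr, a.addr + a.size, b.addr)
            for a, b in zip(insns, insns[1:]) if a.addr + a.size != b.addr]

def seh_frame_starts(insns):
    """Delphi try-frame prologue: PUSH EBP / PUSH handler / PUSH FS:[EAX] / MOV FS:[EAX],ESP."""
    hits = []
    for i in range(len(insns) - 3):
        t = [x.text for x in insns[i:i + 4]]
        if (t[0] == 'PUSH EBP' and t[1].startswith('PUSH ')
                and t[2] == 'PUSH DWORD PTR FS:[EAX]' and t[3] == 'MOV DWORD PTR FS:[EAX],ESP'):
            hits.append((insns[i].addr, t[1].split()[1]))      # (frame start, handler label)
    return hits

ROUTINE = """\
004417B8 /. 55 PUSH EBP ; registration calculation routine
004417B9 |. 8BEC MOV EBP,ESP
004417BB |. 6A 00 PUSH 0
004417BD |. 6A 00 PUSH 0
004417BF |. 6A 00 PUSH 0
004417C1 |. 53 PUSH EBX
004417C2 |. 8BD8 MOV EBX,EAX
004417C4 |. 33C0 XOR EAX,EAX
004417C6 |. 55 PUSH EBP
004417C7 |. 68 60184400 PUSH ex604.00441860
004417CC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004417CF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
"""
# Constructed: the second line lost one opcode byte while being pasted, so a gap appears at 004417B9.
DAMAGED = "004417B8 /. 55 PUSH EBP\n004417B9 |. 8B MOV EBP,ESP\n004417BB |. 6A 00 PUSH 0\n"
```

`gaps(parse_listing(ROUTINE))` is empty and `seh_frame_starts` reports the frame at 004417C6 with handler `ex604.00441860`; on `DAMAGED` the gap check points at the shortened line.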