  0167:00401569  837DF001      CMP     DWORD PTR [EBP-10],01<br>
  0167:0040156D  7316          JAE     00401585<br>
  0167:0040156F  6A40          PUSH    40<br>
  0167:00401571  682C304000    PUSH    0040302C<br>
  0167:00401576  6834304000    PUSH    00403034<br>
  0167:0040157B  8B4DE0        MOV     ECX,[EBP-20]<br>
  0167:0040157E  E87B050000    CALL    00401AFE<br>
  0167:00401583  EB3C          JMP     004015C1<br>
  0167:00401585  8D4DE4        LEA     ECX,[EBP-1C]<br>
                               ^^^^^^^^^^^^^^^^^^^^^^<br>
  //now <font color="#FF6666">step past this line with F10</font>, then enter the command: d ecx ; in the <font color="#FF6666">data window</font> [<a href="#1">see Figure 1</a>] you see the correct serial number &lt;BrD-SoB&gt;<br>
  0167:00401588  51            PUSH    ECX<br>
  0167:00401589  8D55F4        LEA     EDX,[EBP-0C]<br>
                               ^^^^^^^^^^^^^^^^^^^^^^<br>
  //now <font color="#FF6666">step past this line with F10</font>, then enter the command: d edx ; in the <font color="#FF6666">data window</font> [<a href="#2">see Figure 2</a>]: the serial number 12345678 we just entered<br>
  <br>
  0167:0040158C  52            PUSH    EDX<br>
  0167:0040158D  FF1500204000  CALL    [KERNEL32!<font color="#FF6666">lstrcmp</font>] //the serial numbers are compared with the function lstrcmp<br>
  0167:00401593  85C0          TEST    EAX,EAX //if equal, eax returns 0<br>
  0167:00401595  7516          JNZ     004015AD //if this does not jump, the error CALL below is avoided<br>
  0167:00401597  6A40          PUSH    40<br>
  0167:00401599  6850304000    PUSH    00403050<br>
  0167:0040159E  6858304000    PUSH    00403058<br>
  0167:004015A3  8B4DE0        MOV     ECX,[EBP-20]<br>
  0167:004015A6  E853050000    CALL    00401AFE<br>
  0167:004015AB  EB14          JMP     004015C1<br>
  0167:004015AD  6A40          PUSH    40<br>
  0167:004015AF  686C304000    PUSH    0040306C<br>
  0167:004015B4  6874304000    PUSH    00403074<br>
  0167:004015B9  8B4DE0        MOV     ECX,[EBP-20]<br>
  0167:004015BC  E83D050000    CALL    00401AFE //stepping over this with F10 pops up the registration-failed window<br>
  0167:004015C1  8BE5          MOV     ESP,EBP<br>
  0167:004015C3  5D            POP     EBP<br>
  0167:004015C4  C3            RET</p>
<p class="p9">14. Figures:</p>
<p class="p9" align="center"><img src="lesson5-eg-1-02.gif" tppabs="http://toye.dihou.org/exercise/lesson5-eg-1-02.gif" width="662" height="238"><a name="1"></a> 
  <br>
  Figure 1</p>
<p class="p9" align="center"><img src="lesson5-eg-1-03.gif" tppabs="http://toye.dihou.org/exercise/lesson5-eg-1-03.gif" width="662" height="238"> 
  <a name="2"></a><br>
  Figure 2</p>
<p class="p9" align="left"><b>Method 2: cracking with the function messageboxa</b></p>
<p class="p9" align="left">1. When we enter a fake serial number and press the Check button, the program pops up the following dialog:</p>
<p class="p9" align="center"><img src="lesson5-eg-1-04.gif" tppabs="http://toye.dihou.org/exercise/lesson5-eg-1-04.gif" width="254" height="133"> 
</p>
<p class="p9" align="center">Figure 3</p>
<p class="p9" align="left">Windows implements this dialog with the function <font color="#FF6699">messageboxa</font>, so we set a breakpoint on this function to intercept the dialog;</p>
<p class="p9" align="left">2. Enter the fake serial number into the crackme; before pressing the Check button, press CTRL+D to switch into SOFTICE;</p>
<p class="p9" align="left">3. In SOFTICE, enter the command: bpx messageboxa ;</p>
<p class="p9" align="left">4. Press F5 to return to Windows, then press the Check button; SOFTICE will break;</p>
<p class="p9" align="left">5. Clear the breakpoint with BD *, then press F11; the program returns to Windows (do not press F5) and the error box of Figure 3 appears; after you click OK, SOFTICE breaks again;</p>
<p class="p9" align="left">6. Then press F12 one or two more times and you are back at the same program code as in Method 1; the remaining steps are the same as in Method 1.</p>
<p class="p9" align="left"><b>Method 3: cracking with TRW2000</b></p>
<p class="p9" align="left">1. TRW2000 is operated exactly like SOFTICE; you can follow the SOFTICE steps unchanged in TRW2000;</p>
<p class="p9" align="left">2. But TRW2000 has some commands of its own, briefly described below;</p>
<p class="p9" align="left">3. In the Registration dialog enter: 12345678 (any digits will do);</p>
<p class="p9" align="left">4. Press CTRL+N to switch into TRW2000's trace and debug environment;</p>
<p class="p9" align="left">5. Enter the command: bpx hmemcpy;</p>
<p class="p9" align="left">6. Press F5 (or CTRL+N) to switch back to Windows;</p>
<p class="p9" align="left">7. Click the Check button of the practice crackme directly; TRW2000 will break, at the same location as SOFTICE;</p>
<p class="p9" align="left">8. Now you can use TRW2000's own command: pmodule (quickly returns to the crackme's own code). This command is very handy: unlike SOFTICE, you don't have to press F12 many times to get back into the crackme's code;</p>
<p class="p9" align="left">9. The remaining operations are the same as in SOFTICE.</p>
<p class="p9" align="left">In addition, TRW2000 has the command suspend (it suspends the crackme and returns to Windows, where you can freely do other things; pressing CTRL+N again brings you back to the breakpoint you were at). This command is very practical.<br>
  The G command in TRW2000 also differs somewhat from SOFTICE's: SOFTICE only breaks within the current segment address CS (that is, the G command takes effect only when IP equals the given OFFSET within the current segment address CS); in TRW2000, execution stops whenever IP equals the given OFFSET. You need not worry about which segment the code is in or whether it is generated dynamically: as long as you know execution will pass through there, it will stop. 
</p>
<p class="p9" align="left"><b>4. Summary</b></p>
<p class="p9" align="left">In this program we found that the serial number is compared with the function <font color="#FF6666">lstrcmp</font>, so we can also set a breakpoint on this function; getdlgitemtexta, getwindowtexta and similar functions can be used as well, since their job is to read the contents of a text box.</p>
<p class="p9" align="left">In this exercise, breakpoints can also be set on the following functions: <br>
  1. bpx hmemcpy<br>
  2. bpx messageboxa<br>
  3. bpx getdlgitemtexta <br>
  4. bpx getwindowtexta <br>
  5. bpx lstrcmp</p>
<p class="p9" align="left">These function breakpoints are very commonly used and should be memorized.</p>
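As an added example (not the crackme's or the page's own code), the check the listing shows beside the form a developer would use instead: only the serial value BrD-SoB from Figure 1 comes from the page; the function names and the FNV-1a stand-in for a real cryptographic hash are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Weak form, mirroring the listing at 0040158D: the valid serial is a plain
 * string in memory next to the user's input and a strcmp-style call decides,
 * so pointing the data window at it ("d ecx") reveals the serial (Figure 1). */
static const char GOOD_SERIAL[] = "BrD-SoB";

int check_serial_weak(const char *input)
{
    return strcmp(input, GOOD_SERIAL) == 0;   /* stands in for lstrcmp */
}

/* Hardened form: embed only a digest of the serial and compare digests without
 * an early exit, so a dump at the compare shows neither the serial nor which byte mismatched. */
typedef struct { uint8_t b[8]; } digest_t;

/* FNV-1a 64-bit: placeholder for a cryptographic hash such as SHA-256 (assumption). */
static digest_t digest_of(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    digest_t d;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    for (int i = 0; i < 8; i++) d.b[i] = (uint8_t)(h >> (8 * i));
    return d;
}

/* Constant-time equality: accumulate every byte difference, branch once at the end. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* `expected` is the digest precomputed offline and shipped in the binary;
 * the serial string itself never appears in the image. */
int check_serial_strong(const digest_t *expected, const char *input)
{
    digest_t got = digest_of(input);
    return ct_equal(expected->b, got.b, sizeof got.b);
}

/* Demo wrapper only: in a real build the expected digest is a compile-time constant. */
int demo_strong(const char *input)
{
    digest_t expected = digest_of(GOOD_SERIAL);
    return check_serial_strong(&expected, input);
}
```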
<table width="80%" border="1" cellspacing="0" cellpadding="0" align="center" bgcolor="#99CCFF" bordercolorlight="#99CCFF" bordercolordark="#99CCFF">
  <tr> 
    <td width="82%" class="p8" height="34">Copyright @看雪 2000 All rights reserved 
        <a href="mailto:toye@126.com">Contact me</a></td>
    <td width="10%" class="p9" height="34"><a href="index.htm" tppabs="http://toye.dihou.org/index.htm">Back to<br>
      home</a></td>
    <td width="8%" class="p8" height="34"><a href="molu.htm" tppabs="http://toye.dihou.org/molu.htm" class="p9">Back to<br>
      contents</a></td>
  </tr>
</table>
</body>
</html>
