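          The second step must be 10B <br>
          The third step must be 10B <br>
          The fourth step must be 01B <br>
          <br>
          So this byte is: 10101001B=A9H-->169D <br>
          <br>
          These are all of the moves: <br>
          10101001&nbsp; = A9H&nbsp; &nbsp;&nbsp;=169d&nbsp; &nbsp;&nbsp;;the 12H characters are the values after XORing with DL 
          <br>
          10101011&nbsp; = ABH&nbsp; &nbsp;&nbsp;=171d&nbsp; &nbsp;&nbsp;;this result is stored in [4034E8] 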
          <br>
          10100101&nbsp; = A5H&nbsp; &nbsp;&nbsp;=165d&nbsp; &nbsp;&nbsp;; <br>
          00010000&nbsp; = 10H&nbsp; &nbsp;&nbsp;= 16d&nbsp; &nbsp;&nbsp; <br>
          01010100&nbsp; = 54H&nbsp; &nbsp;&nbsp;= 84d&nbsp; &nbsp; <br>
          00111111&nbsp; = 3FH&nbsp; &nbsp;&nbsp;= 63d <br>
          00110000&nbsp; = 30H&nbsp; &nbsp;&nbsp;= 48d <br>
          01010101&nbsp; = 55H&nbsp; &nbsp;&nbsp;= 85d <br>
          01100101&nbsp; = 65H&nbsp; &nbsp;&nbsp;=101d <br>
          00010110&nbsp; = 16H&nbsp; &nbsp;&nbsp;= 22d <br>
          01010110&nbsp; = 56H&nbsp; &nbsp;&nbsp;= 86d <br>
          10111110&nbsp; = BEH&nbsp; &nbsp;&nbsp;=190d <br>
          11110011&nbsp; = F3H&nbsp; &nbsp;&nbsp;=243d <br>
          11101010&nbsp; = EAH&nbsp; &nbsp;&nbsp;=234d <br>
          11101001&nbsp; = E9H&nbsp; &nbsp;&nbsp;=233d <br>
          01010000&nbsp; = 50H&nbsp; &nbsp;&nbsp;= 80d <br>
          01010101&nbsp; = 55H&nbsp; &nbsp;&nbsp;= 85d <br>
          10101111&nbsp; = AFH&nbsp; &nbsp;&nbsp;=175d <br>
          <br>
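          These are the 12H bytes that move the pointer. However, these 12H bytes cannot yet be written directly into the KwazyWeb.bit file, because they have not been XORed with the value of DL. If the first byte is 01H, it reads one more byte, and that byte is the value of DL. XOR it with each of the 12H bytes in turn, then write the 12H bytes into the file. Then you are registered successfully. 
          <br>
          <br>
          When it uses READFILE the second time, it reads out the value of the first byte, which is actually the length of the name. Then it computes DL and XORs it with the 12H characters above. Finally, the result is written into the KwazyWeb.bit file. 
          <br>
          I wrote a Pascal program. Have a look when you have time. <br>
          Thank you for reading! <br>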
          <br>
          <br>
          <br>
          <br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; Translated in September 2000 <br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; garfield cat <br>
          <br>
          <br>
          The foreign author was really careless: even at the end he did not write out the result of his own example: <br>
          0C 67 61 72 66 69 65 6C 64 20 63 61 74 3F 3D 33 86 C2 A9 A6 C3 F3 80 
          C0 28 65 7C 7F C6 C3 39 <br>
          |&nbsp; \&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; / \&nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; /&nbsp; <br>
          |&nbsp; ---------------------------------&nbsp; -------------------------------------------------- 
          <br>
          |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; garfield cat&nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          these are the 12H (18) pointer-moving bytes (after the XOR) <br>
          |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; <br>
          |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>
          |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>
          |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>
          Name length: 12 characters in total <br>
          <br>
          First compute DL: <br>
          Add up the name: 67+61+72+66+69+65+6C+64+20+63+61+74=496H <br>
          Take the low byte (the last two hex digits): 96H, so DL is 96.&nbsp; Then XOR 96H with each of A9 AB A5 10 54 3F 30 55 65 16 56 
          BE F3 EA E9 50 55 AF in turn, which gives 3F 3D 33 86 C2 A9 A6 C3 F3 80 C0 28 65 
          7C 7F C6 C3 39 </span></blockquote>
        </td>
    </tr>
  </table>
</div>
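An added example (not part of the original tutorial and not the author's Pascal program) that re-checks the worked "garfield cat" result above: it recomputes DL from the name, rebuilds the file, and parses the listed bytes back into the 12H move bytes. The function names, the 1..255 name-length limit and the exact-size check are assumptions made here.

```python
# Added example: re-checks the "garfield cat" key file worked out above.
# Layout taken from the page: [name length][name][12H move bytes XOR DL].

# The 12H (18) move bytes from the table, before the XOR with DL.
MOVES = bytes.fromhex("A9 AB A5 10 54 3F 30 55 65 16 56 BE F3 EA E9 50 55 AF")

# The complete file contents printed on the page for the name "garfield cat".
PAGE_KEYFILE = bytes.fromhex(
    "0C 67 61 72 66 69 65 6C 64 20 63 61 74 3F 3D 33 86 C2 A9 A6 C3 F3 80"
    " C0 28 65 7C 7F C6 C3 39"
)


def name_mask(name: bytes) -> int:
    """DL: the low byte of the sum of the name's character codes."""
    return sum(name) & 0xFF


def xor_bytes(data: bytes, mask: int) -> bytes:
    """XOR every byte with the same mask; applying it twice undoes it."""
    return bytes(b ^ mask for b in data)


def build_keyfile(name: bytes, moves: bytes = MOVES) -> bytes:
    if not 1 <= len(name) <= 0xFF:  # assumption: length is one non-zero byte
        raise ValueError("name must be 1..255 bytes")
    if len(moves) != 0x12:
        raise ValueError("expected 12H move bytes")
    return bytes([len(name)]) + name + xor_bytes(moves, name_mask(name))


def parse_keyfile(blob: bytes):
    """Return (name, DL, decoded move bytes); reject a blob of the wrong size."""
    if not blob or len(blob) != 1 + blob[0] + 0x12:  # assumption: exact size
        raise ValueError("size does not match length byte + name + 12H bytes")
    name = blob[1:1 + blob[0]]
    dl = name_mask(name)
    return name, dl, xor_bytes(blob[1 + blob[0]:], dl)


def steps(move_byte: int) -> list:
    """Four 2-bit steps per byte, first step in the top bits (A9H = 10 10 10 01)."""
    return [(move_byte >> shift) & 0b11 for shift in (6, 4, 2, 0)]


if __name__ == "__main__":
    name, dl, moves = parse_keyfile(PAGE_KEYFILE)
    print(name.decode("ascii"), f"DL={dl:02X}", moves.hex(" ").upper())
    print("rebuilt file matches the page:", build_keyfile(name) == PAGE_KEYFILE)
    print("first move byte as steps:", [f"{s:02b}" for s in steps(moves[0])])
```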
<div id="KB5Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB5'); return false"> 
  5. Exercise 5: Answer</a> </span></div>
<div id="KB5Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>
  <table width="100%" cellspacing="0" align="center">
    <tr bgcolor="#EFEFEF"> 
      <td> 
        <p class="p9">I.&nbsp; 介绍 <br>
          I.1 这篇教程所需的工具 <br>
          II. 破解 <br>
          <br>
          <br>
          I.欢迎看我的第21篇教程.这次我将写我破的第一个KEYFILE :)&nbsp; 虽然它很简单,但是我还是很高兴写这篇文章. <br>
          I.1 <br>
          <br>
          &nbsp; &nbsp; &nbsp; W32Dasm 8.9 <br>
          &nbsp; &nbsp; Cruehead's CrackMe 3.0 <br>
          <br>
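          II. The crack: <br>
          <br>
          After you disassemble it, you will see a string that looks very much like a file name: Crackme3.key. Luckily, this is the real KEYFILE. <br>
          <br>
          So, let's begin. You should look at this: <br>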
          <br>
          <br>
          &nbsp; &nbsp; :00401021 6A03&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; push 00000003 <br>
          &nbsp; &nbsp; :00401023 68000000C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; push C0000000 <br>
          <br>
          &nbsp; &nbsp; * Possible StringData Ref from Data Obj ->"CRACKME3.KEY" 
          <br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
          &nbsp; &nbsp; :00401028 68D7204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; push 004020D7 <br>
          <br>
          &nbsp; &nbsp; * Reference To: KERNEL32.CreateFileA, Ord:0000h <br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
          &nbsp; &nbsp; :0040102D E876040000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; Call 004014A8&nbsp; ;;the CALL that looks for this file <br>
          &nbsp; &nbsp; :00401032 83F8FF&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; cmp eax, FFFFFFFF ;; if the file exists <br>
          &nbsp; &nbsp; :00401035 750C&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; jne 00401043&nbsp; &nbsp; &nbsp; ;; then jump <br>
          <br>
          &nbsp; &nbsp; ---part omitted---&nbsp; ;;displays the message Uncracked <br>
          <br>
          &nbsp; &nbsp; :00401052 6A00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; push 00000000 <br>
          &nbsp; &nbsp; :00401054 68A0214000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; push 004021A0 <br>
          &nbsp; &nbsp; :00401059 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push eax <br>
          &nbsp; &nbsp; :0040105A 53&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push ebx <br>
          &nbsp; &nbsp; :0040105B FF35F5204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; push dword ptr [004020F5] <br>
          <br>
          &nbsp; &nbsp; * Reference To: KERNEL32.ReadFile, Ord:0000h <br>
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
          &nbsp; &nbsp; :00401061 E830040000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; Call 00401496 ;;start reading the file <br>
          &nbsp; &nbsp; :00401066 833DA021400012&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          cmp dword ptr [004021A0], 00000012 ;;is the size 18 bytes? <br>
          &nbsp; &nbsp; :0040106D 75C8&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; jne 00401037&nbsp; ;; if not, display Uncracked 
          <br>
          &nbsp; &nbsp; :0040106F 6808204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; push 00402008 ;; save the file contents <br>
          &nbsp; &nbsp; :00401074 E898020000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; call 00401311 ;; do the calculation <br>
          &nbsp; &nbsp; :00401079 8135F920400078563412&nbsp; &nbsp; xor dword 
          ptr [004020F9], 12345678 ;;XOR with 12345678 <br>
          &nbsp; &nbsp; :00401083 83C404&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; add esp, 00000004 <br>
          &nbsp; &nbsp; :00401086 6808204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; push 00402008 <br>
          &nbsp; &nbsp; :0040108B E8AC020000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; call 0040133C <br>
          &nbsp; &nbsp; :00401090 83C404&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; add esp, 00000004 <br>
          &nbsp; &nbsp; :00401093 3B05F9204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; cmp eax, dword ptr [004020F9] ;; compare the two values <br>
          &nbsp; &nbsp; :00401099 0F94C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; sete al&nbsp; ;; if they are equal, set a flag in AL <br>
          &nbsp; &nbsp; :0040109C 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push eax ;; save eax <br>
          &nbsp; &nbsp; :0040109D 84C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; test al, al&nbsp; ;;test the flag <br>
          &nbsp; &nbsp; :0040109F 7496&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; je 00401037 ;; jump if it is zero <br>
          <br>
          OK, create a CrackMe3.key that is 18 bytes in size. Once it is created, let's look at call 00401311. <br>
          <br>
          &nbsp; * Referenced by a CALL at Address: <br>
          &nbsp; &nbsp; |:00401074&nbsp; <br>
          &nbsp; &nbsp; | <br>
          &nbsp; &nbsp; :00401311 33C9&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; xor ecx, ecx&nbsp; ;; clear to zero <br>
          &nbsp; &nbsp; :00401313 33C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; xor eax, eax&nbsp; ;; clear to zero <br>
          &nbsp; &nbsp; :00401315 8B742404&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; mov esi, dword ptr [esp+04]&nbsp; ;; esi is the file contents <br>
          &nbsp; &nbsp; :00401319 B341&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; mov bl, 41 ;; bl =41h <br>
          <br>
          &nbsp; &nbsp; * Referenced by a (U)nconditional or (C)onditional Jump 
          at Address: <br>
          &nbsp; &nbsp; |:00401333(C) <br>
          &nbsp; &nbsp; | <br>
          &nbsp; &nbsp; :0040131B 8A06&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; mov al, byte ptr [esi]&nbsp; ;; al = first byte of the file 
          <br>
          &nbsp; &nbsp; :0040131D 32C3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; xor al, bl&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; ;; XOR the first byte with 41h <br>
          &nbsp; &nbsp; :0040131F 8806&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; mov byte ptr [esi], al&nbsp; ;; then store it back via ESI 
          <br>
          &nbsp; &nbsp; :00401321 46&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; inc esi&nbsp; &nbsp; &nbsp; &nbsp; 
          &nbsp; &nbsp; &nbsp; &nbsp; ;; next byte <br>
          &nbsp; &nbsp; :00401322 FEC3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
          &nb
