160 - 1 Acid burn

Published: 2023/12/1

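Environment: Windows XP SP3

First, run the program to see what it looks like:


Load it in OllyDbg (OD), then right-click -> Search for -> All referenced text strings.

Find "Sorry , The serial is incorect !".

Once found, follow it in the disassembly window and scroll up: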


0042F998 /. 55 push ebp
0042F999 |. 8BEC mov ebp,esp
0042F99B |. 33C9 xor ecx,ecx
0042F99D |. 51 push ecx
0042F99E |. 51 push ecx
0042F99F |. 51 push ecx
0042F9A0 |. 51 push ecx
0042F9A1 |. 51 push ecx
0042F9A2 |. 51 push ecx
0042F9A3 |. 53 push ebx
0042F9A4 |. 56 push esi
0042F9A5 |. 8BD8 mov ebx,eax
0042F9A7 |. 33C0 xor eax,eax
0042F9A9 |. 55 push ebp
0042F9AA |. 68 67FB4200 push Acid_bur.0042FB67
0042F9AF |. 64:FF30 push dword ptr fs:[eax]
0042F9B2 |. 64:8920 mov dword ptr fs:[eax],esp
0042F9B5 |. C705 50174300>mov dword ptr ds:[0x431750],0x29 ; note: 0x29 is stored in [431750] here
0042F9BF |. 8D55 F0 lea edx,[local.4]
0042F9C2 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 |. E8 8BB0FEFF call Acid_bur.0041AA58
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax]
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3
0042F9F3 2BF0 sub esi,eax
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1]
0042FA0A |. C1E0 04 shl eax,0x4
0042FA0D |. 03F0 add esi,eax
0042FA0F |. 8935 54174300 mov dword ptr ds:[0x431754],esi
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3]
0042FA2A |. 6BF0 0B imul esi,eax,0xB
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2]
0042FA42 |. 6BC0 0E imul eax,eax,0xE
0042FA45 |. 03F0 add esi,eax
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C] ; fetch the entered name
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930
0042FA57 |. 83F8 04 cmp eax,0x4 ; compare with 4
0042FA5A |. 7D 1D jge XAcid_bur.0042FA79 ; length >= 4
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect ! (the string search lands here)
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58 ; count the characters of the entered name
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; take the first character x
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; x = x*0x29
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; x = x*2
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; CW
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACKED
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2]
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC ; concatenate the pieces into the serial:
0042FAEA |. 8D55 F0 lea edx,[local.4] ; CW-[431750]-CRACKED
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0] ; the value of [431750] is converted to decimal here
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58 ; get the entered serial
0042FAF8 |. 8B55 F0 mov edx,[local.4]
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC ; compare the generated serial with the entered one
0042FB03 |. 75 1A jnz XAcid_bur.0042FB1F ; jump if they differ
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp XAcid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170
0042FB37 |> 33C0 xor eax,eax
0042FB39 |. 5A pop edx
0042FB3A |. 59 pop ecx
0042FB3B |. 59 pop ecx
0042FB3C |. 64:8910 mov dword ptr fs:[eax],edx
0042FB3F |. 68 6EFB4200 push Acid_bur.0042FB6E
0042FB44 |> 8D45 E8 lea eax,[local.6]
0042FB47 |. E8 243BFDFF call Acid_bur.00403670
0042FB4C |. 8D45 EC lea eax,[local.5]
0042FB4F |. BA 02000000 mov edx,0x2
0042FB54 |. E8 3B3BFDFF call Acid_bur.00403694
0042FB59 |. 8D45 F4 lea eax,[local.3]
0042FB5C |. BA 03000000 mov edx,0x3
0042FB61 |. E8 2E3BFDFF call Acid_bur.00403694
0042FB66 \. C3 retn


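This gives the serial. Take the first character x of the entered name, with dec(x) its character code in decimal (41 is 0x29):

k = dec(x)*2*41

The serial is: CW-k-CRACKED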
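The check routine at 0042F998 modeled in Python, as an added example that is not part of the original write-up: it reproduces the stores to the three globals and shows that only [431750], derived from the first character, reaches the serial, while [431754] and [431758] are written but not read again in the listing. The function names and the one-byte-per-character (latin-1) encoding of the name are assumptions.

```python
SEED = 0x29  # constant the routine stores in [431750] at 0042F9B5


def trace_globals(name: bytes) -> dict:
    """Values the routine leaves in its globals for a name of at least 4 bytes."""
    n0, n1, n2, n3 = name[0], name[1], name[2], name[3]
    g_431754 = ((n0 << 3) - n0) + (n1 << 4)   # shl 3 / sub / shl 4 / add
    g_431758 = n3 * 0xB + n2 * 0xE            # imul 0xB / imul 0xE / add
    g_431750 = n0 * SEED                      # imul dword ptr [431750]
    g_431750 += g_431750                      # add [431750],eax
    # Largest possible value is 255 * 0x29 * 2 = 20910, so no 32-bit wrap-around.
    return {0x431750: g_431750, 0x431754: g_431754, 0x431758: g_431758}


def expected_serial(name: str):
    """Serial the routine builds for `name`, or None when the length check fails."""
    raw = name.encode("latin-1")   # assumption: one byte per character
    if len(raw) < 4:               # cmp eax,0x4 / jge not taken -> failure box
        return None
    k = trace_globals(raw)[0x431750]
    return f"CW-{k}-CRACKED"       # "CW" + "-" + decimal k + "-" + "CRACKED"


def check(name: str, serial: str) -> bool:
    """Model of the final string compare at 0042FAFE."""
    want = expected_serial(name)
    return want is not None and serial == want


if __name__ == "__main__":
    # Constructed sample names: two share a first character, one is too short.
    for sample in ("abcd", "azzz", "abc"):
        print(sample, expected_serial(sample))
```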



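2. The other Serial:


The approach is again to search the strings; this time look for:

Failed! Try Again!!

Searching only for "Try Again" gives two hits.


The one wanted this time is the string at 0042F58C:

Double-click it to follow in the disassembly window; the analysis is as follows: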

0042F470  /.  55            push ebp
0042F471  |.  8BEC          mov ebp,esp
0042F473  |.  33C9          xor ecx,ecx
0042F475  |.  51            push ecx
0042F476  |.  51            push ecx
0042F477  |.  51            push ecx
0042F478  |.  51            push ecx
0042F479  |.  53            push ebx
0042F47A  |.  8BD8          mov ebx,eax
0042F47C  |.  33C0          xor eax,eax
0042F47E  |.  55            push ebp
0042F47F  |.  68 2CF54200   push Acid_bur.0042F52C
0042F484  |.  64:FF30       push dword ptr fs:[eax]
0042F487  |.  64:8920       mov dword ptr fs:[eax],esp
0042F48A  |.  8D45 FC       lea eax,[local.1]
0042F48D  |.  BA 40F54200   mov edx,Acid_bur.0042F540                ;  Hello
0042F492  |.  E8 7142FDFF   call Acid_bur.00403708                   ;  Hello ends up in local.1 (1)
0042F497  |.  8D45 F8       lea eax,[local.2]
0042F49A  |.  BA 50F54200   mov edx,Acid_bur.0042F550                ;  Dude!
0042F49F  |.  E8 6442FDFF   call Acid_bur.00403708                   ;  Dude! ends up in local.2 (2)
0042F4A4  |.  FF75 FC       push [local.1]
0042F4A7  |.  68 60F54200   push Acid_bur.0042F560                   ;  this is a space (3)
0042F4AC  |.  FF75 F8       push [local.2]
0042F4AF  |.  8D45 F4       lea eax,[local.3]
0042F4B2  |.  BA 03000000   mov edx,0x3
0042F4B7  |.  E8 F044FDFF   call Acid_bur.004039AC                   ;  concatenate the three pieces above
0042F4BC  |.  8D55 F0       lea edx,[local.4]
0042F4BF  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042F4C5  |.  E8 8EB5FEFF   call Acid_bur.0041AA58                   ;  get what the user entered
0042F4CA  |.  8B45 F0       mov eax,[local.4]
0042F4CD  |.  8B55 F4       mov edx,[local.3]
0042F4D0  |.  E8 2745FDFF   call Acid_bur.004039FC                   ;  compare
0042F4D5  |.  75 1A         jnz XAcid_bur.0042F4F1                   ;  jump if they differ
0042F4D7  |.  6A 00         push 0x0
0042F4D9  |.  B9 64F54200   mov ecx,Acid_bur.0042F564                ;  Congratz!
0042F4DE  |.  BA 70F54200   mov edx,Acid_bur.0042F570                ;  God Job dude !! =)
0042F4E3  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F4E8  |.  8B00          mov eax,dword ptr ds:[eax]
0042F4EA  |.  E8 81ACFFFF   call Acid_bur.0042A170
0042F4EF  |.  EB 18         jmp XAcid_bur.0042F509
0042F4F1  |>  6A 00         push 0x0
0042F4F3  |.  B9 84F54200   mov ecx,Acid_bur.0042F584                ;  Failed!
0042F4F8  |.  BA 8CF54200   mov edx,Acid_bur.0042F58C                ;  Try Again!!
0042F4FD  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F502  |.  8B00          mov eax,dword ptr ds:[eax]
0042F504  |.  E8 67ACFFFF   call Acid_bur.0042A170
0042F509  |>  33C0          xor eax,eax
0042F50B  |.  5A            pop edx
0042F50C  |.  59            pop ecx
0042F50D  |.  59            pop ecx
0042F50E  |.  64:8910       mov dword ptr fs:[eax],edx
0042F511  |.  68 33F54200   push Acid_bur.0042F533
0042F516  |>  8D45 F0       lea eax,[local.4]
0042F519  |.  E8 5241FDFF   call Acid_bur.00403670
0042F51E  |.  8D45 F4       lea eax,[local.3]
0042F521  |.  BA 03000000   mov edx,0x3
0042F526  |.  E8 6941FDFF   call Acid_bur.00403694
0042F52B  \.  C3            retn


So the value to enter here is:

Hello Dude!

Remember the space.


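3. Removing the Nag window

A window pops up when the program starts.

Load it in OD and run it; when the window pops up, switch back to OD.

Press F12, then Alt+F9 to return to the program's own code.

The program stops here: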

0042A19C |. 64:8920 mov dword ptr fs:[eax],esp
0042A19F |. 8B45 08 mov eax,[arg.1]
0042A1A2 |. 50 push eax ; /Style
0042A1A3 |. 57 push edi ; |Title
0042A1A4 |. 56 push esi ; |Text
0042A1A5 |. 8B43 24 mov eax,dword ptr ds:[ebx+0x24] ; |
0042A1A8 |. 50 push eax ; |hOwner
0042A1A9 |. E8 FAB5FDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0042A1AE |. 8945 FC mov [local.1],eax ; we land here

From the stack contents in the lower-right pane, this is found:

0012FE1C 0012FE50 Pointer to next SEH record
0012FE20 0042A1D0 SE handler
0012FE24 0012FE40
0012FE28 7C930228 ntdll.7C930228
0012FE2C 0042F610 Acid_bur.0042F610
0012FE30 009D1DB0
0012FE34 00000000
0012FE38 00000000
0012FE3C 019D207C
0012FE40 0012FF88
0012FE44 0042F79C Acid_bur.0042F79C
0012FE48 00000000
0012FE4C 00425643 RETURN to Acid_bur.00425643 ; select this line and press Enter
0012FE50 0012FE5C Pointer to next SEH record
0012FE54 0042564D SE handler

The disassembly window then shows:



00425618 . 55 push ebp
00425619 . 68 4D564200 push Acid_bur.0042564D
0042561E . 64:FF30 push dword ptr fs:[eax]
00425621 . 64:8920 mov dword ptr fs:[eax],esp
00425624 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00425627 . 66:83B8 CE010>cmp word ptr ds:[eax+0x1CE],0x0
0042562F . 74 12 je XAcid_bur.00425643
00425631 . 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]
00425634 . 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
00425637 . 8B83 D0010000 mov eax,dword ptr ds:[ebx+0x1D0]
0042563D . FF93 CC010000 call dword ptr ds:[ebx+0x1CC] ; so this is where the Nag window is launched
00425643 > 33C0 xor eax,eax ; after pressing Enter the cursor stops here
00425645 . 5A pop edx
00425646 . 59 pop ecx
00425647 . 59 pop ecx


Set a breakpoint at 00425637 and step in with F7.

The code behind the call looks like this:

0042F784 6A 00 push 0x0
0042F786 B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call Acid_bur.0042A170
0042F79C . C3 retn

The call at 0042F797 is the one that invokes MessageBox, so simply overwrite the push 0x0 at 0042F784 with retn:


0042F784 C3 retn
0042F785 90 nop
0042F786 B9 A0F74200 mov ecx,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 mov edx,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042F795 8B00 mov eax,dword ptr ds:[eax]
0042F797 E8 D4A9FFFF call Acid_bur.0042A170
0042F79C . C3 retn

Save the change and you are done.


