【破文标题】abexcm5的分析【破文作者】delcpp【作者邮箱】delcpp@gmail.com【破解工具】OD【破解平台】windows xp sp3【软件名称】abexcm5.exe【软件大小】8K【保护方式】无【软件简介】软件来自FpX的CrackMe------------------------------------------------------------------------------------------------【破解过程】
0040106C |> /6A 25 push 25 ; /Count = 25 (37.) 0040106E |. 68 24234000 push 00402324 ; |Buffer = abexcm5.00402324 00401073 |. 6A 68 push 68 ; |ControlID = 68 (104.) 00401075 |. FF75 08 push dword ptr [ebp+8] ; |hWnd 00401078 |. E8 F4000000 call <jmp.&USER32.GetDlgItemTextA> ; /GetDlgItemTextA 0040107D |. 6A 00 push 0 ; /pFileSystemNameSize = NULL 0040107F |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL 00401081 |. 68 C8204000 push 004020C8 ; |pFileSystemFlags = abexcm5.004020C8 00401086 |. 68 90214000 push 00402190 ; |pMaxFilenameLength = abexcm5.00402190 0040108B |. 68 94214000 push 00402194 ; |pVolumeSerialNumber = abexcm5.00402194 00401090 |. 6A 32 push 32 ; |MaxVolumeNameSize = 32 (50.) 00401092 |. 68 5C224000 push 0040225C ; |VolumeNameBuffer = abexcm5.0040225C 00401097 |. 6A 00 push 0 ; |RootPathName = NULL 00401099 |. E8 B5000000 call <jmp.&KERNEL32.GetVolumeInformat>; /GetVolumeInformationA 0040109E |. 68 F3234000 push 004023F3 ; /StringToAdd = "4562-ABEX" 004010A3 |. 68 5C224000 push 0040225C ; |ConcatString = "" 004010A8 |. E8 94000000 call <jmp.&KERNEL32.lstrcatA> ; /lstrcatA 004010AD |. B2 02 mov dl, 2 004010AF |> 8305 5C224000>/add dword ptr [40225C], 1 004010B6 |. 8305 5D224000>|add dword ptr [40225D], 1 004010BD |. 8305 5E224000>|add dword ptr [40225E], 1 004010C4 |. 8305 5F224000>|add dword ptr [40225F], 1 004010CB |. FECA |dec dl 004010CD |.^ 75 E0 /jnz short 004010AF 004010CF |. 68 FD234000 push 004023FD ; /StringToAdd = "L2C-5781" 004010D4 |. 68 00204000 push 00402000 ; |ConcatString = "" 004010D9 |. E8 63000000 call <jmp.&KERNEL32.lstrcatA> ; /lstrcatA 004010DE |. 68 5C224000 push 0040225C ; /StringToAdd = "" 004010E3 |. 68 00204000 push 00402000 ; |ConcatString = "" 004010E8 |. E8 54000000 call <jmp.&KERNEL32.lstrcatA> ; /lstrcatA 004010ED |. 68 24234000 push 00402324 ; /String2 = "" 004010F2 |. 68 00204000 push 00402000 ; |String1 = "" 004010F7 |. E8 51000000 call <jmp.&KERNEL32.lstrcmpiA> ; /lstrcmpiA 004010FC |. 83F8 00 cmp eax, 0 004010FF |. 74 16 je short 00401117 00401101 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL 00401103 |. 68 34244000 push 00402434 ; |Title = "Error!" 00401108 |. 68 3B244000 push 0040243B ; |Text = "The serial you entered is not correct!" 0040110D |. FF75 08 push dword ptr [ebp+8] ; |hOwner 00401110 |. E8 56000000 call <jmp.&USER32.MessageBoxA> ; /MessageBoxA 00401115 |. EB 16 jmp short 0040112D 00401117 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL 00401119 |. 68 06244000 push 00402406 ; |Title = "Well Done!" 0040111E |. 68 11244000 push 00402411 ; |Text = "Yep, you entered a correct serial!" 00401123 |. FF75 08 push dword ptr [ebp+8] ; |hOwner 00401126 |. E8 40000000 call <jmp.&USER32.MessageBoxA> ; /MessageBoxA 0040112B |. EB 00 jmp short 0040112D 0040112D |$ 6A 00 push 0 ; /Result = 0 0040112F |. FF75 08 push dword ptr [ebp+8] ; |hWnd 00401132 |. E8 22000000 call <jmp.&USER32.EndDialog> ; /EndDialog 00401137 |. C9 leave 00401138 /. C2 1000 retn 10 ------------------------------------------------------------------------------------------------【破解总结】这个CrackMe很简单,大致算法是:1、取出来CrackMe所在盘的盘符,然后和4562-ABEX合并。2、将合并后的字符串前4个字符,依次累加2。算出新字符3、将L2C-5781和步骤2中算出来的字符合并,得出注册码。
使用Delphi XE大致还原了一下算法:
procedure TForm1.btn1Click(Sender: TObject); var lpRootPathName:array[0..255] of ansiChar; str1:array[0..255] of ansiChar; //获取盘符 lpVolumeSerialNumber: DWORD; lpMaximumComponentLength:DWORD; lpFileSystemFlags:DWORD; lpFileSystemNameBuffer: array[0..255] of ansiChar; i:Integer; str2:array[0..255] of ansiChar; begin //lpRootPathName := 'E:/'; GetVolumeInformationA(0,str1,255, @lpVolumeSerialNumber,lpMaximumComponentLength, lpFileSystemFlags,lpFileSystemNameBuffer, 255); lstrcatA(str1,'4562-ABEX'); //和"4562-ABEX"合并 str1[0] := ansiChar(ord(str1[0])+2); //前四个字符,每个加2 str1[1] := ansiChar(ord(str1[1])+2); str1[2] := ansiChar(ord(str1[2])+2); str1[3] := ansiChar(ord(str1[3])+2); str2 := 'L2C-5781'; //再合并L2C_5781字符 lstrcatA(str2,str1); edt1.Text := str2; end;
