My first brute-force patch. Analyzing the algorithm gave me a headache, so I'll come back to that later; a patch it is, then.
First open ncrackme.exe in OD (OllyDbg), then press F9 to run it. The program stops at the username and password prompt; I entered name: zhkza99c, key: 0123cat. That probably doesn't matter for a patch anyway, whatever. It pops up "Registration fail". OK, use the string reference search to land at 00401095, look upward a bit, and the key jump is found~
00401072 75 1B JNZ SHORT ncrackme.0040108F
NOP it out and it's done.
00401050 . 817C24 08 110>CMP DWORD PTR SS:[ESP+8],111
00401058 . 75 74 JNZ SHORT ncrackme.004010CE
0040105A . 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
0040105E . 66:3D EA03 CMP AX,3EA
00401062 . 75 42 JNZ SHORT ncrackme.004010A6
00401064 . E8 C7010000 CALL ncrackme.00401230
00401069 . 85C0 TEST EAX,EAX
0040106B . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040106D . 68 80504000 PUSH ncrackme.00405080 ; |Title = "ncrackme"
00401072 75 1B JNZ SHORT ncrackme.0040108F
00401074 . A1 B8564000 MOV EAX,DWORD PTR DS:[4056B8] ; |
00401079 . 68 64504000 PUSH ncrackme.00405064 ; |Text = "Registration successful."
0040107E . 50 PUSH EAX ; |hOwner => NULL
0040107F . FF15 C0404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>> ; /MessageBoxA
00401085 . E8 A6020000 CALL ncrackme.00401330
0040108A . 33C0 XOR EAX,EAX
0040108C . C2 1000 RET 10
0040108F > 8B0D B8564000 MOV ECX,DWORD PTR DS:[4056B8] ; |
00401095 . 68 50504000 PUSH ncrackme.00405050 ; |Text = "Registration fail."
0040109A . 51 PUSH ECX ; |hOwner => NULL
0040109B . FF15 C0404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; /MessageBoxA
004010A1 . 33C0 XOR EAX,EAX
004010A3 . C2 1000 RET 10
004010A6 > 66:3D EB03 CMP AX,3EB
004010AA . 75 22 JNZ SHORT ncrackme.004010CE
004010AC . A1 C0564000 MOV EAX,DWORD PTR DS:[4056C0]
004010B1 . 85C0 TEST EAX,EAX
004010B3 . 74 19 JE SHORT ncrackme.004010CE
004010B5 . 8B15 B8564000 MOV EDX,DWORD PTR DS:[4056B8]
004010BB . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004010BD . 68 80504000 PUSH ncrackme.00405080 ; |Title = "ncrackme"
004010C2 . 68 30504000 PUSH ncrackme.00405030 ; |Text = "good function, i was cracked"
004010C7 . 52 PUSH EDX ; |hOwner => NULL
004010C8 . FF15 C0404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>> ; /MessageBoxA
004010CE > 33C0 XOR EAX,EAX
004010D0 . C2 1000 RET 10
Anyway, this is just practice, so patching isn't such a bad plan. Algorithm attack in progress .....
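As an added example (not from the original post), here is how the same patch can be applied to the file on disk instead of in OllyDbg's memory: map the virtual address 00401072 to a file offset through the PE section table, check that the bytes there really are 75 1B, and only then overwrite them with 90 90. ncrackme.exe itself is not available here, so the script builds a constructed one-section PE skeleton that holds the bytes from the listing above; the image base 0x400000 is an assumption inferred from the 0040xxxx addresses in the dump.

```python
"""Patch a conditional jump in a PE file by virtual address, verifying the bytes first.

Added example for the write-up above; the "executable" it operates on is a
constructed PE skeleton (headers + one .text section), not the real ncrackme.exe.
"""
import struct

IMAGE_BASE = 0x00400000        # assumption: the 0040xxxx addresses in the dump imply this base
JNZ_VA = 0x00401072            # the key jump: 75 1B  JNZ SHORT 0040108F
JNZ_BYTES = bytes.fromhex("751B")

# Bytes transcribed from the OllyDbg listing above, VA 00401050 .. 0040108E
LISTING = bytes.fromhex(
    "817C240811010000"   # 00401050 CMP DWORD PTR [ESP+8],111
    "7574"               # 00401058 JNZ SHORT 004010CE
    "8B44240C"           # 0040105A MOV EAX,[ESP+C]
    "663DEA03"           # 0040105E CMP AX,3EA
    "7542"               # 00401062 JNZ SHORT 004010A6
    "E8C7010000"         # 00401064 CALL 00401230
    "85C0"               # 00401069 TEST EAX,EAX
    "6A00"               # 0040106B PUSH 0
    "6880504000"         # 0040106D PUSH 00405080
    "751B"               # 00401072 JNZ SHORT 0040108F   <- patched to 90 90
    "A1B8564000"         # 00401074 MOV EAX,[4056B8]
    "6864504000"         # 00401079 PUSH 00405064
    "50"                 # 0040107E PUSH EAX
    "FF15C0404000"       # 0040107F CALL [MessageBoxA]
    "E8A6020000"         # 00401085 CALL 00401330
    "33C0"               # 0040108A XOR EAX,EAX
    "C21000"             # 0040108C RET 10
)


def pe_sections(data):
    """Yield (VirtualAddress, SizeOfRawData, PointerToRawData) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size            # section headers follow the optional header
    for i in range(num_sections):
        hdr = sec_table + 40 * i
        yield struct.unpack_from("<III", data, hdr + 12)   # VA, SizeOfRawData, PointerToRawData


def va_to_offset(data, va, image_base=IMAGE_BASE):
    """Translate a virtual address (as shown in the debugger) to a raw file offset."""
    rva = va - image_base
    for sec_va, raw_size, raw_ptr in pe_sections(data):
        if sec_va <= rva < sec_va + raw_size:
            return raw_ptr + (rva - sec_va)
    raise ValueError(f"VA {va:#010x} is not backed by any section's raw data")


def nop_jump(data, va, expected, image_base=IMAGE_BASE):
    """Return a copy of `data` with the instruction at `va` replaced by NOPs.

    Refuses to write unless the bytes found match `expected`, so a wrong
    offset or image base cannot silently clobber an unrelated instruction.
    """
    off = va_to_offset(data, va, image_base)
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"unexpected bytes at {va:#010x}: {found.hex()} (wanted {expected.hex()})")
    patched = bytearray(data)
    patched[off:off + len(expected)] = b"\x90" * len(expected)
    return bytes(patched)


def build_fake_pe(text_bytes, text_rva=0x1000, text_raw=0x400):
    """Construct a minimal PE32 skeleton with a single .text section (for the demo only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                   # ImageBase
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(text_bytes), text_rva, len(text_bytes), text_raw)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return headers.ljust(text_raw, b"\0") + text_bytes


# Constructed stand-in for ncrackme.exe: the listing placed so that it starts at VA 00401050.
FAKE_PE = build_fake_pe(b"\x90" * 0x50 + LISTING)
PATCHED = nop_jump(FAKE_PE, JNZ_VA, JNZ_BYTES)

if __name__ == "__main__":
    off = va_to_offset(FAKE_PE, JNZ_VA)
    print(f"VA {JNZ_VA:#010x} -> file offset {off:#x}: "
          f"{FAKE_PE[off:off + 2].hex()} -> {PATCHED[off:off + 2].hex()}")
```

The byte check before writing is the point: a hard-coded offset from one build, or a wrong image base, would otherwise corrupt some unrelated instruction without any warning. In OllyDbg the equivalent is assembling the NOPs over the JNZ and using Copy to executable, which performs the same VA-to-offset mapping for you.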