  • 使用IDA破解TraceMe.exe

    我发现用IDA破解TraceMe.exe比用OD容易多了。

    打开IDA后,直接搜索“序列号”,得到:



    双击跳转到反汇编窗体,按F5转换为类C++代码

     // Hex-Rays pseudocode of TraceMe.exe's main dialog procedure, as listed by the author.
     // Names such as sub_401340, dword_405054, aUFIKGb are IDA auto-names from the binary.
     // a2 is the window message, a3 the low word of wParam (control/command id), a4 is unused here.
     // Dispatch (values are the documented Win32 constants):
     //   16  = WM_CLOSE      -> DestroyWindow
     //   272 = WM_INITDIALOG -> set the dialog icon, limit the username edit to 0x50 chars
     //   273 = WM_COMMAND    -> 1013: run the serial check; 2/1002: close; 1014/40002: about dialog
     signed int __stdcall DialogFunc(HWND hWnd, int a2, unsigned __int16 a3, int a4)
    {
      signed int v5; // ebx@9  -- username length returned by GetDlgItemTextA
      int v6; // eax@11  -- result of sub_401340 (only its low byte is assigned)
      HWND v7; // eax@12
      HWND v8; // eax@12
      HWND v9; // eax@12  -- control that receives focus after the check
      HICON v10; // eax@20
      // The decompiler has split three stack strings into runs of adjacent slots
      // (see the bp- offsets): String2/v12/v13/v14/v15 (15 bytes copied from
      // dword_405050..byte_40505E, presumably the "success" message -- contents not
      // in this listing), v16/v17/v18 ("too short" message + "!" + one trailing byte),
      // and v19/v20/v21 ("wrong serial" message + "!" + one trailing byte).
      const CHAR String2[4]; // [sp+8h] [bp-F4h]@1
      int v12; // [sp+Ch] [bp-F0h]@1
      int v13; // [sp+10h] [bp-ECh]@1
      __int16 v14; // [sp+14h] [bp-E8h]@1
      char v15; // [sp+16h] [bp-E6h]@1
      char v16; // [sp+18h] [bp-E4h]@1
      __int16 v17; // [sp+2Ch] [bp-D0h]@1
      char v18; // [sp+2Eh] [bp-CEh]@1
      char v19; // [sp+30h] [bp-CCh]@1
      __int16 v20; // [sp+44h] [bp-B8h]@1
      char v21; // [sp+46h] [bp-B6h]@1
      // Username buffer (0x50 bytes up to String1) and serial buffer (0x64 bytes up to bp).
      // NOTE(review): the cchMax values passed below (81 and 101) leave no slack for the
      // terminating NUL within those slot sizes -- confirm against the real frame layout.
      CHAR String; // [sp+48h] [bp-B4h]@9
      const CHAR String1; // [sp+98h] [bp-64h]@9


      // Build the three message strings on the stack before dispatching on the message.
      memcpy(&v16, "你输入字符要大于四个。", 0x14u);
      v17 = *(_WORD *)"!";
      v12 = dword_405054;
      v18 = aUFIKGb[22];
      v15 = byte_40505E;
      memcpy(&v19, "序列号错误。再来一次!", 0x14u);
      *(_DWORD *)String2 = dword_405050;
      v20 = *(_WORD *)"!";
      v14 = word_40505C;
      v13 = dword_405058;
      v21 = aAGmGb[22];
      if ( a2 == 16 )
      {
        DestroyWindow(hWnd);
        return 1;
      }
      if ( a2 == 272 )
      {
        v10 = LoadIconA(hInstance, (LPCSTR)0x70);
        SendMessageA(hWnd, 0x80u, 1u, (LPARAM)v10);  // WM_SETICON
        SendDlgItemMessageA(hWnd, 110, 0xC5u, 0x50u, 0);  // EM_LIMITTEXT: username <= 80 chars
        return 1;
      }
      if ( a2 != 273 )
        return 0;
      if ( (signed int)a3 > 1013 )
      {
        if ( a3 == 1014 || a3 == 40002 )
          DialogBoxParamA(hInstance, (LPCSTR)0x67, hWnd, sub_401020, 0);
        return 0;
      }
      if ( a3 != 1013 )
      {
        if ( a3 == 2 || a3 == 1002 )
        {
          SendMessageA(hWnd, 0x10u, 0, 0);  // WM_CLOSE
          return 0;
        }
        return 0;
      }
      v5 = GetDlgItemTextA(hWnd, 110, &String, 81);// username
      GetDlgItemTextA(hWnd, 1000, (LPSTR)&String1, 101);// serial number
      if ( String && v5 >= 5 )// username must be non-empty and at least 5 characters long
      {
        // sub_401340 derives the expected serial from the username and compares it
        // with the serial the user typed; it overwrites the username buffer in the process.
        LOBYTE(v6) = sub_401340(&String1, &String, v5);
        if ( v6 )// non-zero: username and serial match
        {
          lstrcpyA(::String1, String2);
          v7 = GetDlgItem(hWnd, 110);
          EnableWindow(v7, 0);
          v8 = GetDlgItem(hWnd, 1000);
          EnableWindow(v8, 0);
          v9 = GetDlgItem(hWnd, 1000);
        }
        else
        {
          lstrcpyA(::String1, &v19);  // "serial number wrong, try again"
          v9 = GetDlgItem(hWnd, 1000);
        }
      }
      else
      {
        lstrcpyA(::String1, &v16);// username shorter than 5: prompt "you must enter more than four characters"
        v9 = GetDlgItem(hWnd, 110);
      }
      // The chosen message is in the global ::String1; dialog 0x79 displays it.
      SetFocus(v9);
      MessageBeep(0);
      DialogBoxParamA(hInstance, (LPCSTR)0x79, hWnd, sub_401060, 0);
      return 0;
    }


    // Serial check (IDA auto-name), called from DialogFunc.
    //   lpString1 -- serial typed by the user
    //   lpString2 -- username buffer; reused as scratch and overwritten with the
    //                decimal rendering of the computed value
    //   a3        -- username length as returned by GetDlgItemTextA
    // Returns true when the computed serial equals lpString1 (plain lstrcmpA).
    // The serial is therefore a direct, secret-free function of the username,
    // which is what makes this training binary easy to analyse statically.
    bool __cdecl sub_401340(LPCSTR lpString1, LPSTR lpString2, signed int a3)
    {
      signed int v3; // ecx@1  -- username index; starts at 3, so the first three characters never affect the result
      int v4; // esi@1  -- running weighted sum
      signed int i; // eax@1  -- index into the 8-byte weight table byte_405030, reset to 0 once it exceeds 7


      v3 = 3;
      v4 = 0;
      for ( i = 0; v3 < a3; ++i )
      {
        if ( i > 7 )
          i = 0;
        // weight[i] * username[v3], both widened as unsigned bytes
        v4 += (unsigned __int8)byte_405030[i] * (unsigned __int8)lpString2[v3++];
      }
      // Format the sum in decimal over the username buffer and compare with the typed serial.
      wsprintfA(lpString2, "%ld", v4);
      return lstrcmpA(lpString1, lpString2) == 0;
    }

    byte_405030[]数组在.data区:

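    // Weight table used by sub_401340 (lives in .data; values as read from the binary).
    // Adds the terminating semicolon the original listing omitted.
    char byte_405030[8] = {0x0C, 0x0A, 0x13, 0x09, 0x0C, 0x0B, 0x0A, 0x08};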

    假如我输入username为:tanyo

    由于v3从3开始,只有第4、5个字符参与计算:'y'=121、'o'=111,对应的权重是byte_405030[0]=0x0C=12和byte_405030[1]=0x0A=10,所以 v4=121*12+111*10=2562


    输入username为tanyo、序列号为2562进行验证:


  • 原文地址:https://www.cnblogs.com/cxchanpin/p/7112523.html