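[OCN] Cracking Tutorial Section Graduation Exam Crackme: Cracking Walkthrough
With nothing to do, I dug up an OCN crackme I had downloaded a while ago. I had not planned on cracking it; it is a graduation exam, after all…
If the registration code is longer than the username, clicking Verify gives no response. At first I thought the button was disabled… It seems that in many cases the registration code is longer than the username.
If the registration code entered is wrong, both the username and the registration code fields are cleared.
1. Use DEDE to find the breakpoint address: 0046679C
2. Registration code = registration code 1 + registration code 2
The first character of registration code 2 is the username length in hexadecimal; the second character of registration code 2 is the registration code length.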
3. 004667E1 |. E8 6EBBFCFF CALL unpacked.00432354 ; get username length
004667E6 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004667E9 |. 50 PUSH EAX
004667EA |. B9 03000000 MOV ECX,3
004667EF |. BA 01000000 MOV EDX,1
004667F4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; get the username
004667F7 |. E8 70DBF9FF CALL unpacked.0040436C
004667FC |. C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
00466803 |. C745 EC 00000>MOV DWORD PTR SS:[EBP-14],0
0046680A |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0046680D |. 8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
00466813 |. E8 3CBBFCFF CALL unpacked.00432354
00466818 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; first three characters of the username
0046681B |. E8 ECD8F9FF CALL unpacked.0040410C
00466820 |. 8BD8 MOV EBX,EAX
00466822 |. 85DB TEST EBX,EBX
00466824 |. 7E 39 JLE SHORT unpacked.0046685F
00466826 |. B9 01000000 MOV ECX,1
0046682B |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] ; loop that generates registration code 1
0046682E |. 0FB67C08 FF |MOVZX EDI,BYTE PTR DS:[EAX+ECX-1]
00466833 |. 8BC7 |MOV EAX,EDI
00466835 |. C1E0 03 |SHL EAX,3
00466838 |. 33D2 |XOR EDX,EDX
0046683A |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
0046683D |. 1355 EC |ADC EDX,DWORD PTR SS:[EBP-14]
00466840 |. 52 |PUSH EDX
00466841 |. 50 |PUSH EAX
00466842 |. 8BC7 |MOV EAX,EDI
00466844 |. 03C0 |ADD EAX,EAX
00466846 |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00466849 |. 33D2 |XOR EDX,EDX
0046684B |. 030424 |ADD EAX,DWORD PTR SS:[ESP]
0046684E |. 135424 04 |ADC EDX,DWORD PTR SS:[ESP+4]
00466852 |. 83C4 08 |ADD ESP,8
00466855 |. 8945 E8 |MOV DWORD PTR SS:[EBP-18],EAX
00466858 |. 8955 EC |MOV DWORD PTR SS:[EBP-14],EDX
0046685B |. 41 |INC ECX
0046685C |. 4B |DEC EBX
0046685D |.^ 75 CC JNZ SHORT unpacked.0046682B
0046685F |> 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00466862 |. 8B86 00030000 MOV EAX,DWORD PTR DS:[ESI+300]
00466868 |. E8 E7BAFCFF CALL unpacked.00432354
0046686D |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; username length
00466870 |. E8 97D8F9FF CALL unpacked.0040410C
00466875 |. 8BD8 MOV EBX,EAX
00466877 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0046687A |. 8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
00466880 |. E8 CFBAFCFF CALL unpacked.00432354 ; registration code length
00466885 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00466888 |. E8 7FD8F9FF CALL unpacked.0040410C
0046688D |. 3BD8 CMP EBX,EAX ; jump if username length <= registration code length
0046688F |. 0F8E C1000000 JLE unpacked.00466956
00466895 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00466898 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0046689B |. E8 C8FCFFFF CALL unpacked.00466568
004668A0 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; Base64 of the fake registration code
004668A3 |. 50 PUSH EAX
004668A4 |. FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
004668A7 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
004668AA |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30] ; |
004668AD |. 33C0 XOR EAX,EAX ; |
004668AF |. E8 3415FAFF CALL unpacked.00407DE8 ; unpacked.00407DE8
004668B4 |. FF75 D0 PUSH DWORD PTR SS:[EBP-30]
004668B7 |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004668BA |. 8B86 00030000 MOV EAX,DWORD PTR DS:[ESI+300]
004668C0 |. E8 8FBAFCFF CALL unpacked.00432354
004668C5 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
004668C8 |. E8 3FD8F9FF CALL unpacked.0040410C
004668CD |. 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004668D0 |. 33D2 XOR EDX,EDX
004668D2 |. E8 E914FAFF CALL unpacked.00407DC0
004668D7 |. FF75 CC PUSH DWORD PTR SS:[EBP-34]
004668DA |. 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
004668DD |. 8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
004668E3 |. E8 6CBAFCFF CALL unpacked.00432354 ; get the fake registration code
004668E8 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
004668EB |. E8 1CD8F9FF CALL unpacked.0040410C
004668F0 |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004668F3 |. 33D2 XOR EDX,EDX
004668F5 |. E8 C614FAFF CALL unpacked.00407DC0
004668FA |. FF75 C4 PUSH DWORD PTR SS:[EBP-3C]
004668FD |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00466900 |. BA 03000000 MOV EDX,3
00466905 |. E8 C2D8F9FF CALL unpacked.004041CC ; algorithm for registration code 2 follows, step into
0046690A |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; result
0046690D |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00466910 |. E8 53FCFFFF CALL unpacked.00466568
00466915 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] ; Base64 of the result
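The loop at 0046682B..0046685D read back into C, as an added example that is not part of the original post or the crackme's source. It models the ADD/ADC pairs as one 64-bit accumulator held in [EBP-18]:[EBP-14] and checks that against the simplified arithmetic. The function names are hypothetical, and it assumes (following the listing's comments) that the loop runs over at most the first three bytes of the username.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register-level model of the loop at 0046682B..0046685D.
   lo/hi stand for [EBP-18]/[EBP-14]; the carry out of each 32-bit ADD
   feeds the following ADC, so each pair is one 64-bit addition. */
static uint64_t part1_emulated(const char *name)
{
    uint32_t lo = 0, hi = 0;
    size_t n = strlen(name);
    if (n > 3) n = 3;                        /* MOV ECX,3: 3-byte prefix (assumed) */
    for (size_t i = 0; i < n; i++) {
        uint32_t c = (unsigned char)name[i]; /* MOVZX EDI,BYTE PTR [EAX+ECX-1] */
        uint32_t eax = c << 3, edx = 0;      /* SHL EAX,3 ; XOR EDX,EDX */
        uint32_t sum = eax + lo;             /* ADD EAX,[EBP-18] */
        edx = edx + hi + (sum < eax);        /* ADC EDX,[EBP-14] */
        uint32_t s_lo = sum, s_hi = edx;     /* PUSH EDX ; PUSH EAX */
        eax = c + c;                         /* ADD EAX,EAX */
        eax = eax + eax * 2;                 /* LEA EAX,[EAX+EAX*2] gives 6*c */
        edx = 0;                             /* XOR EDX,EDX */
        sum = eax + s_lo;                    /* ADD EAX,[ESP] */
        edx = edx + s_hi + (sum < eax);      /* ADC EDX,[ESP+4] */
        lo = sum; hi = edx;                  /* MOV [EBP-18],EAX ; MOV [EBP-14],EDX */
    }
    return ((uint64_t)hi << 32) | lo;
}

/* Simplified form: each byte contributes 8*c + 6*c = 14*c. */
static uint64_t part1_simplified(const char *name)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < 3 && name[i] != '\0'; i++)
        acc += 14u * (unsigned char)name[i];
    return acc;
}

int main(void)
{
    const char *samples[] = { "abc", "ab", "VulSee" };  /* constructed inputs */
    for (size_t i = 0; i < 3; i++)
        printf("%-8s emulated=%llu simplified=%llu\n", samples[i],
               (unsigned long long)part1_emulated(samples[i]),
               (unsigned long long)part1_simplified(samples[i]));
    return 0;
}
```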
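Please include a link to this site when reposting; reposting without permission is not allowed. Thanks: 微慑信息网-VulSee.com » [Original] [OCN] Cracking Tutorial Section Graduation Exam Crackme: Cracking Walkthrough (keygen attached)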