
160个练手CrackMe-044

2017-12-20 20:46 330 查看

1、Delphi,无壳

2、用OD(OllyDbg)载入。程序界面是德文的,搜索字符串引用即可定位到关键的校验函数:

; Serial-check routine of the crackme, as dumped by OllyDbg (32-bit x86, Intel syntax).
; Columns: address, OllyDbg flow markers, raw bytes, instruction, comment.
;
; The incoming EAX is copied to ESI and used as an object base pointer (fields
; +0x1AC, +0x1B0, +0x1C0) - presumably the Delphi form's Self pointer; confirm.
;
; Flow visible in this listing:
;   1. fetch two strings via 004117F8: [esi+0x1AC] (name) and [esi+0x1B0] (serial)
;      - presumably the text of two edit controls; the helper is not shown
;   2. reject the name if the length byte returned by 00403364 is below 6
;   3. loop 6 times: map one byte through the 'a'..'z' table (default 0x5D) and
;      add the table value into BL (8-bit sum, carries discarded)
;   4. build the expected string from itoa(BL), "-" and itoa(len * 0x4A7E)
;   5. compare it with the text re-read from [esi+0x1B0] and show the
;      success or failure message through 00411828
;
; Review notes:
;   - The loop index starts at 0 but the load is [ecx+index-1], so the first
;     iteration reads the byte just before the string data (in a Delphi long
;     string that is presumably part of the length prefix - confirm) and only
;     the first 5 characters of the name contribute to the sum.
;   - The expected value depends only on the length byte and an 8-bit sum, and
;     it is built locally and compared as plaintext, so it is visible to anyone
;     who can inspect the process at the compare call.
;   - The SEH handler (00421D8F) and the final epilogue (00421D96) lie outside
;     this listing.
00421B84 /. 55 push ebp
00421B85 |. 8BEC mov ebp,esp
00421B87 |. 33C9 xor ecx,ecx ; ecx = 0
00421B89 |. 51 push ecx ; 7 x push 0: zero-initialises local.1..local.7
00421B8A |. 51 push ecx
00421B8B |. 51 push ecx
00421B8C |. 51 push ecx
00421B8D |. 51 push ecx
00421B8E |. 51 push ecx
00421B8F |. 51 push ecx
00421B90 |. 53 push ebx
00421B91 |. 56 push esi
00421B92 |. 57 push edi
00421B93 |. 8BF0 mov esi,eax ; esi = incoming EAX, used below as the object base
00421B95 |. 33C0 xor eax,eax
00421B97 |. 55 push ebp ; build an exception registration record on the stack
00421B98 |. 68 8F1D4200 push Dope2112.00421D8F ; handler address (outside this listing)
00421B9D |. 64:FF30 push dword ptr fs:[eax] ; previous record from fs:[0]
00421BA0 |. 64:8920 mov dword ptr fs:[eax],esp ; fs:[0] = new record
00421BA3 |. 33DB xor ebx,ebx ; bl = running 8-bit sum, starts at 0
00421BA5 |. 8D55 E8 lea edx,[local.6]
00421BA8 |. 8B86 AC010000 mov eax,dword ptr ds:[esi+0x1AC]
00421BAE |. E8 45FCFEFF call Dope2112.004117F8 ; local.6 = string from object at [esi+0x1AC] (presumably the name field's text)
00421BB3 |. 8B45 E8 mov eax,[local.6]
00421BB6 |. 8D55 FC lea edx,[local.1]
00421BB9 |. E8 8A36FEFF call Dope2112.00405248 ; local.1 = 00405248(local.6); helper not shown - local.1 is the string processed below
00421BBE |. 8D55 F8 lea edx,[local.2]
00421BC1 |. 8B86 B0010000 mov eax,dword ptr ds:[esi+0x1B0]
00421BC7 |. E8 2CFCFEFF call Dope2112.004117F8 ; local.2 = string from object at [esi+0x1B0] (presumably the serial field's text)
00421BCC |. 8B45 FC mov eax,[local.1]
00421BCF |. E8 9017FEFF call Dope2112.00403364 ; length of local.1 (see the strlen(name) annotation at 00421CF8)
00421BD4 |. 8845 EF mov byte ptr ss:[ebp-0x11],al ; only the low byte of the length is kept
00421BD7 |. 807D EF 06 cmp byte ptr ss:[ebp-0x11],0x6
00421BDB |. 73 15 jnb XDope2112.00421BF2 ; unsigned: length byte >= 6 -> run the check
00421BDD |. 8B86 C0010000 mov eax,dword ptr ds:[esi+0x1C0]
00421BE3 |. BA A81D4200 mov edx,Dope2112.00421DA8 ; Der Name muss min. 6 Zeichen lang sein ("the name must be at least 6 characters long")
00421BE8 |. E8 3BFCFEFF call Dope2112.00411828 ; presumably sets the text of the control at [esi+0x1C0]; confirm
00421BED |. E9 72010000 jmp Dope2112.00421D64 ; name too short: skip the check, go to cleanup
00421BF2 |> 33C0 xor eax,eax ; al = loop index, starts at 0
00421BF4 |> 33D2 /xor edx,edx
00421BF6 |. 8AD0 |mov dl,al
00421BF8 |. 8B4D FC |mov ecx,[local.1]
00421BFB |. 0FB65411 FF |movzx edx,byte ptr ds:[ecx+edx-0x1] ; byte at local.1[index-1]; for index 0 this is one byte before the first character
00421C00 |. 83C2 9F |add edx,-0x61 ; Switch (cases 61..7A)
00421C03 |. 83FA 19 |cmp edx,0x19
00421C06 |. 0F87 D7000000 |ja Dope2112.00421CE3 ; unsigned compare: anything outside 'a'..'z' takes the default case
00421C0C |. FF2495 131C42>|jmp dword ptr ds:[edx*4+0x421C13] ; dispatch through the 26-entry table that follows
00421C13 |. 7B1C4200 |dd Dope2112.00421C7B ; jump table used by 00421C0C
00421C17 |. 7F1C4200 |dd Dope2112.00421C7F
00421C1B |. 831C4200 |dd Dope2112.00421C83
00421C1F |. 871C4200 |dd Dope2112.00421C87
00421C23 |. 8B1C4200 |dd Dope2112.00421C8B
00421C27 |. 8F1C4200 |dd Dope2112.00421C8F
00421C2B |. 931C4200 |dd Dope2112.00421C93
00421C2F |. 971C4200 |dd Dope2112.00421C97
00421C33 |. 9B1C4200 |dd Dope2112.00421C9B
00421C37 |. 9F1C4200 |dd Dope2112.00421C9F
00421C3B |. A31C4200 |dd Dope2112.00421CA3
00421C3F |. A71C4200 |dd Dope2112.00421CA7
00421C43 |. AB1C4200 |dd Dope2112.00421CAB
00421C47 |. AF1C4200 |dd Dope2112.00421CAF
00421C4B |. B31C4200 |dd Dope2112.00421CB3
00421C4F |. B71C4200 |dd Dope2112.00421CB7
00421C53 |. BB1C4200 |dd Dope2112.00421CBB
00421C57 |. BF1C4200 |dd Dope2112.00421CBF
00421C5B |. C31C4200 |dd Dope2112.00421CC3
00421C5F |. C71C4200 |dd Dope2112.00421CC7
00421C63 |. CB1C4200 |dd Dope2112.00421CCB
00421C67 |. CF1C4200 |dd Dope2112.00421CCF
00421C6B |. D31C4200 |dd Dope2112.00421CD3
00421C6F |. D71C4200 |dd Dope2112.00421CD7
00421C73 |. DB1C4200 |dd Dope2112.00421CDB
00421C77 |. DF1C4200 |dd Dope2112.00421CDF
00421C7B |> B2 18 |mov dl,0x18 ; Case 61 ('a') of switch 00421C00
00421C7D |. EB 66 |jmp XDope2112.00421CE5
00421C7F |> B2 25 |mov dl,0x25 ; Case 62 ('b') of switch 00421C00
00421C81 |. EB 62 |jmp XDope2112.00421CE5
00421C83 |> B2 42 |mov dl,0x42 ; Case 63 ('c') of switch 00421C00
00421C85 |. EB 5E |jmp XDope2112.00421CE5
00421C87 |> B2 0C |mov dl,0xC ; Case 64 ('d') of switch 00421C00
00421C89 |. EB 5A |jmp XDope2112.00421CE5
00421C8B |> B2 0D |mov dl,0xD ; Case 65 ('e') of switch 00421C00
00421C8D |. EB 56 |jmp XDope2112.00421CE5
00421C8F |> B2 06 |mov dl,0x6 ; Case 66 ('f') of switch 00421C00
00421C91 |. EB 52 |jmp XDope2112.00421CE5
00421C93 |> B2 36 |mov dl,0x36 ; Case 67 ('g') of switch 00421C00
00421C95 |. EB 4E |jmp XDope2112.00421CE5
00421C97 |> B2 2B |mov dl,0x2B ; Case 68 ('h') of switch 00421C00
00421C99 |. EB 4A |jmp XDope2112.00421CE5
00421C9B |> B2 17 |mov dl,0x17 ; Case 69 ('i') of switch 00421C00
00421C9D |. EB 46 |jmp XDope2112.00421CE5
00421C9F |> B2 2F |mov dl,0x2F ; Case 6A ('j') of switch 00421C00
00421CA1 |. EB 42 |jmp XDope2112.00421CE5
00421CA3 |> B2 13 |mov dl,0x13 ; Case 6B ('k') of switch 00421C00
00421CA5 |. EB 3E |jmp XDope2112.00421CE5
00421CA7 |> B2 82 |mov dl,0x82 ; Case 6C ('l') of switch 00421C00
00421CA9 |. EB 3A |jmp XDope2112.00421CE5
00421CAB |> B2 9B |mov dl,0x9B ; Case 6D ('m') of switch 00421C00
00421CAD |. EB 36 |jmp XDope2112.00421CE5
00421CAF |> B2 92 |mov dl,0x92 ; Case 6E ('n') of switch 00421C00
00421CB1 |. EB 32 |jmp XDope2112.00421CE5
00421CB3 |> B2 03 |mov dl,0x3 ; Case 6F ('o') of switch 00421C00
00421CB5 |. EB 2E |jmp XDope2112.00421CE5
00421CB7 |> B2 63 |mov dl,0x63 ; Case 70 ('p') of switch 00421C00
00421CB9 |. EB 2A |jmp XDope2112.00421CE5
00421CBB |> B2 21 |mov dl,0x21 ; Case 71 ('q') of switch 00421C00
00421CBD |. EB 26 |jmp XDope2112.00421CE5
00421CBF |> B2 42 |mov dl,0x42 ; Case 72 ('r') of switch 00421C00
00421CC1 |. EB 22 |jmp XDope2112.00421CE5
00421CC3 |> B2 5C |mov dl,0x5C ; Case 73 ('s') of switch 00421C00
00421CC5 |. EB 1E |jmp XDope2112.00421CE5
00421CC7 |> B2 29 |mov dl,0x29 ; Case 74 ('t') of switch 00421C00
00421CC9 |. EB 1A |jmp XDope2112.00421CE5
00421CCB |> B2 C7 |mov dl,0xC7 ; Case 75 ('u') of switch 00421C00
00421CCD |. EB 16 |jmp XDope2112.00421CE5
00421CCF |> B2 66 |mov dl,0x66 ; Case 76 ('v') of switch 00421C00
00421CD1 |. EB 12 |jmp XDope2112.00421CE5
00421CD3 |> B2 58 |mov dl,0x58 ; Case 77 ('w') of switch 00421C00
00421CD5 |. EB 0E |jmp XDope2112.00421CE5
00421CD7 |> B2 0A |mov dl,0xA ; Case 78 ('x') of switch 00421C00
00421CD9 |. EB 0A |jmp XDope2112.00421CE5
00421CDB |> B2 28 |mov dl,0x28 ; Case 79 ('y') of switch 00421C00
00421CDD |. EB 06 |jmp XDope2112.00421CE5
00421CDF |> B2 50 |mov dl,0x50 ; Case 7A ('z') of switch 00421C00
00421CE1 |. EB 02 |jmp XDope2112.00421CE5
00421CE3 |> B2 5D |mov dl,0x5D ; Default case of switch 00421C00
00421CE5 |> 02DA |add bl,dl ; 8-bit accumulate: the sum wraps modulo 0x100
00421CE7 |. 40 |inc eax
00421CE8 |. 3C 06 |cmp al,0x6
00421CEA |.^ 0F85 04FFFFFF \jnz Dope2112.00421BF4 ; exactly 6 iterations (index 0..5), whatever the name length
00421CF0 |. 8D55 F0 lea edx,[local.4]
00421CF3 |. 33C0 xor eax,eax
00421CF5 |. 8A45 EF mov al,byte ptr ss:[ebp-0x11]
00421CF8 |. 69C0 7E4A0000 imul eax,eax,0x4A7E ; strlen(name) * 0x4A7E
00421CFE |. E8 7136FEFF call Dope2112.00405374 ; same helper as the itoa() call below: local.4 = text of (length byte * 0x4A7E)
00421D03 |. 8D55 E4 lea edx,[local.7]
00421D06 |. 33C0 xor eax,eax
00421D08 |. 8AC3 mov al,bl
00421D0A |. E8 6536FEFF call Dope2112.00405374 ; itoa()
00421D0F |. FF75 E4 push [local.7] ; text of the 8-bit sum
00421D12 |. 68 D81D4200 push Dope2112.00421DD8 ; -
00421D17 |. FF75 F0 push [local.4] ; text of length * 0x4A7E
00421D1A |. 8D45 F4 lea eax,[local.3]
00421D1D |. BA 03000000 mov edx,0x3
00421D22 |. E8 FD16FEFF call Dope2112.00403424 ; presumably joins the 3 pushed strings into local.3 (helper not shown; verify the order)
00421D27 |. 8D55 E8 lea edx,[local.6]
00421D2A |. 8B86 B0010000 mov eax,dword ptr ds:[esi+0x1B0]
00421D30 |. E8 C3FAFEFF call Dope2112.004117F8 ; local.6 = string from [esi+0x1B0] again (the entered serial)
00421D35 |. 8B55 E8 mov edx,[local.6] ; edx = entered string
00421D38 |. 8B45 F4 mov eax,[local.3] ; eax = locally computed expected string, in plaintext
00421D3B |. E8 3417FEFF call Dope2112.00403474 ; strcmp()
00421D40 |. 75 12 jnz XDope2112.00421D54 ; not equal -> failure message
00421D42 |. 8B86 C0010000 mov eax,dword ptr ds:[esi+0x1C0]
00421D48 |. BA E41D4200 mov edx,Dope2112.00421DE4 ; Hey du hast es geschaft ! (success message)
00421D4D |. E8 D6FAFEFF call Dope2112.00411828
00421D52 |. EB 10 jmp XDope2112.00421D64
00421D54 |> 8B86 C0010000 mov eax,dword ptr ds:[esi+0x1C0]
00421D5A |. BA 081E4200 mov edx,Dope2112.00421E08 ; Leider nicht versuchs noch mal ! (failure message)
00421D5F |. E8 C4FAFEFF call Dope2112.00411828
00421D64 |> 33C0 xor eax,eax ; common exit: remove the exception record pushed in the prologue
00421D66 |. 5A pop edx ; edx = saved previous fs:[0] value
00421D67 |. 59 pop ecx
00421D68 |. 59 pop ecx
00421D69 |. 64:8910 mov dword ptr fs:[eax],edx ; fs:[0] = previous record
00421D6C |. 68 961D4200 push Dope2112.00421D96 ; address the retn below will return to (outside this listing)
00421D71 |> 8D45 E4 lea eax,[local.7]
00421D74 |. E8 7714FEFF call Dope2112.004031F0 ; presumably releases the string in local.7; helper not shown
00421D79 |. 8D45 E8 lea eax,[local.6]
00421D7C |. E8 6F14FEFF call Dope2112.004031F0 ; same helper on local.6
00421D81 |. 8D45 F0 lea eax,[local.4]
00421D84 |. BA 04000000 mov edx,0x4
00421D89 |. E8 8214FEFF call Dope2112.00403210 ; presumably releases 4 strings starting at local.4 (local.4..local.1); confirm
00421D8E \. C3 retn ; jumps to 00421D96 pushed above; the register-restoring epilogue is not shown



3、内存注册机工具(Keygen Creator 2.1)

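运行到00421D3B(字符串比较的call)处时,EAX指向程序根据用户名算出的正确Serial(即[local.3]),EDX指向用户输入的Serial(即[local.6]),因此可以据此制作内存注册工具。这也是这类校验的根本弱点:正确的序列号在本地以明文生成并直接比较,调试器可以直接读到。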



运行内存工具。获取序列号。



然后想办法让程序执行到补丁地址。正确的Serial就出来了。

标签:  CrackMe