
What does keymaker mean (keymake)


Hello everyone, Xiaoxia is here to answer the question above. Many people still do not know what keymaker (keymake) means, so let's take a look together!

1、

* Reference To: USER32.GetDlgItem, Ord:0000h
|
:00401088 E8159C0000   Call 0040ACA2            ; get the handle of the text box
:0040108D 6A64         push 00000064            ; maximum length of the string to fetch
:0040108F 8D9548FFFFFF lea edx, dword ptr [ebp+FFFFFF48]
:00401095 52           push edx                 ; EDX is the address of the buffer that receives the string
:00401096 50           push eax                 ; EAX is the text-box handle obtained above

* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:00401097 E8129C0000   Call 0040ACAE            ; get the user name into [ebp+FFFFFF48]

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0068, ""
|
:0040109C 6A68         push 00000068            ; same procedure for the text box where the serial is entered
:0040109E 53           push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
|
:0040109F E8FE9B0000   Call 0040ACA2
:004010A4 6A64         push 00000064
:004010A6 8D8DE4FEFFFF lea ecx, dword ptr [ebp+FFFFFEE4]
:004010AC 51           push ecx
:004010AD 50           push eax

* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:004010AE E8FB9B0000   Call 0040ACAE            ; get the serial into [ebp+FFFFFEE4]

* Possible Reference to Dialog: DialogID_0001, CONTROL_ID:0067, ""
|
:004010B3 6A67         push 00000067            ; ID of the status text box at the bottom of the dialog
:004010B5 53           push ebx

* Reference To: USER32.GetDlgItem, Ord:0000h
|
:004010B6 E8E79B0000   Call 0040ACA2            ; get its handle
:004010BB 8BF0         mov esi, eax             ; keep it in ESI for later
:004010BD 8D8548FFFFFF lea eax, dword ptr [ebp+FFFFFF48]
:004010C3 50           push eax                 ; pointer to the user name
:004010C4 E867050000   call 00401630            ; get the user-name length
:004010C9 59           pop ecx
:004010CA 8945D8       mov dword ptr [ebp-28], eax ; the length is stored in [ebp-28]
:004010CD 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:004010D3 52           push edx                 ; pointer to the serial
:004010D4 E857050000   call 00401630            ; get the serial length
:004010D9 59           pop ecx
:004010DA 68EAB04000   push 0040B0EA
:004010DF E84C050000   call 00401630
:004010E4 59           pop ecx
:004010E5 680EB14000   push 0040B10E
:004010EA E841050000   call 00401630
:004010EF 59           pop ecx
:004010F0 837DD803     cmp dword ptr [ebp-28], 00000003
:004010F4 7E7B         jle 00401171             ; the user-name length must not be less than or equal to 3
:004010F6 90           nop
:004010F7 90           nop
:004010F8 90           nop
:004010F9 90           nop
:004010FA 33C9         xor ecx, ecx
:004010FC 33D2         xor edx, edx
:004010FE 33DB         xor ebx, ebx
:00401100 33C0         xor eax, eax
:00401102 837DD832     cmp dword ptr [ebp-28], 00000032
:00401106 7D69         jge 00401171             ; the user-name length must not be greater than or equal to 32h
:00401108 90           nop
:00401109 90           nop
:0040110A 90           nop
:0040110B 90           nop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040111C(C)
|
:0040110C 0FBE840D48FFFFFF movsx eax, byte ptr [ebp+ecx-000000B8] ; fetch the characters of the user name one by one
:00401114 41           inc ecx                  ; ECX is the loop counter
:00401115 33C1         xor eax, ecx             ; XOR the fetched character with the loop counter
:00401117 03D8         add ebx, eax             ; accumulate the result in EBX
:00401119 3B4DD8       cmp ecx, dword ptr [ebp-28] ; compare the loop counter with the user-name length
:0040111C 75EE         jne 0040110C             ; if not all characters are consumed, jump back and continue
:0040111E 6BC006       imul eax, 00000006       ; the result of the last iteration is in EAX; multiply it by 6
:00401121 C1E307       shl ebx, 07              ; shift the accumulated sum left by 7 bits
:00401124 03C3         add eax, ebx             ; add the two
:00401126 8945C8       mov dword ptr [ebp-38], eax
:00401129 FF75C8       push [ebp-38]            ; push the result computed above

* Possible StringData Ref from Data Obj ->"%lX"
|
:0040112C 6838B44000   push 0040B438            ; the conversion format string
:00401131 8D8D80FEFFFF lea ecx, dword ptr [ebp+FFFFFE80]
:00401137 51           push ecx                 ; address that receives the converted string
:00401138 E8873D0000   call 00404EC4            ; convert the number to a hexadecimal string
:0040113D 83C40C       add esp, 0000000C
:00401140 8D8580FEFFFF lea eax, dword ptr [ebp+FFFFFE80]
:00401146 50           push eax                 ; the string converted above
:00401147 8D95E4FEFFFF lea edx, dword ptr [ebp+FFFFFEE4]
:0040114D 52           push edx                 ; the serial that was entered

* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:0040114E E8339C0000   Call 0040AD86            ; compare
:00401153 85C0         test eax, eax
:00401155 750D         jne 00401164             ; this is the critical jump

* Possible StringData Ref from Data Obj ->"Congratulations! IF this number "
                                        ->"comes *FROM YOUR* keygen, Write "
                                        ->"a tutorial dude ;)."
|
:00401157 683CB44000   push 0040B43C            ; points to the success string
:0040115C 56           push esi                 ; remember ESI? the handle of the status text box

* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:0040115D E8289B0000   Call 0040AC8A            ; display it
:00401162 EB18         jmp 0040117C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401155(C)
|
* Possible StringData Ref from Data Obj ->"This serial is *NOT* Valid!! Try "
                                        ->"again... : UNREGISTERED"
|
:00401164 6890B44000   push 0040B490            ; the debugger first stops on this line; look upward for the jump
:00401169 56           push esi                 ; ESI, the handle of the status text box

* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:0040116A E81B9B0000   Call 0040AC8A
:0040116F EB0B         jmp 0040117C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004010F4(C), :00401106(C)
|
* Possible StringData Ref from Data Obj ->"Name must contain more than 4 "
                                        ->"chars and less than 50 chars !!"
|
:00401171 68C9B44000   push 0040B4C9            ; execution lands here when the user name does not meet the requirements
:00401176 56           push esi                 ; ESI, the handle of the status text box

* Reference To: USER32.SetWindowTextA, Ord:0000h
|
:00401177 E80E9B0000   Call 0040AC8A

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401162(U), :0040116F(U)
|
:0040117C 5F           pop edi
:0040117D 5E           pop esi
:0040117E 5B           pop ebx
:0040117F 8BE5         mov esp, ebp
:00401181 5D           pop ebp                  ; clean up and return
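To check one's reading of the annotated loop above, here is the same computation written out in Python. This is an added illustration, not code from the original article or from the crackme; it assumes the name is a single-byte ANSI string as GetWindowTextA returns it, and it reproduces the two details that are easy to misread in the listing: movsx sign-extends bytes of 80h and above, and the result is truncated to 32 bits before "%lX" prints it.

```python
from typing import Optional

MASK32 = 0xFFFFFFFF


def expected_serial(name: bytes) -> Optional[str]:
    """Recompute what the routine at 0040110C..00401138 builds from the name.

    Returns None when the length checks at 004010F0 and 00401102 fail
    (the length must be > 3 and < 32h); note the dialog text says
    "more than 4 chars" although a 4-character name passes the check.
    Otherwise returns the uppercase hex string that "%lX" produces
    from the 32-bit result.
    """
    length = len(name)
    if length <= 3 or length >= 0x32:
        return None
    acc = 0   # EBX: running sum
    last = 0  # EAX: value produced by the final loop iteration
    # ECX is incremented before the XOR, so the counter is 1-based
    for i, b in enumerate(name, start=1):
        # movsx: bytes >= 80h enter the XOR as negative 32-bit values
        c = b - 0x100 if b >= 0x80 else b
        last = c ^ i        # xor eax, ecx
        acc += last         # add ebx, eax
    # imul eax, 6 ; shl ebx, 7 ; add eax, ebx  (all modulo 2^32)
    value = (last * 6 + (acc << 7)) & MASK32
    return f"{value:X}"


def check_serial(name: bytes, serial: bytes) -> str:
    """Mirror the three messages the dialog can display."""
    expected = expected_serial(name)
    if expected is None:
        return "Name must contain more than 4 chars and less than 50 chars !!"
    # lstrcmpA is a case-sensitive comparison, so "e0a0" does not match "E0A0"
    if serial == expected.encode("ascii"):
        return "Congratulations! IF this number comes *FROM YOUR* keygen, Write a tutorial dude ;)."
    return "This serial is *NOT* Valid!! Try again... : UNREGISTERED"


if __name__ == "__main__":
    # constructed sample input
    print(expected_serial(b"test"))          # E0A0
    print(check_serial(b"test", b"E0A0"))
```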

2、(This is the basic idea when looking for the patch point.) Looking upward, we find :00401155 750D jne 00401164, which jumps exactly to the error-message line at 401164.

3、Heh, if you want to patch it, just change 750D to 740D (je, inverting the condition: a wrong serial now shows the success message :D), or change it to EB0D (jmp, an unconditional jump that reports success no matter what).

That is all for this article; I hope it helps.