# Reverse, part 9

Reposted from the Kanxue forum @PEdiy.com

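This challenge is No. 21 of the Kanxue 2016 CrackMe contest. The program is packed and contains junk instructions; the serial-verification part itself is easy.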

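The entry point already shows that the program is packed, but debugging reveals a very simple packer, and the OEP is easy to find. I simply single-stepped through it until I reached the jump shown below, which goes straight to the OEP.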

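You can unpack the program, or leave it packed and debug it as it is: set a breakpoint at this location, then remove the breakpoint and run to the OEP.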

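Next, set `bp ReadFile`. Once the program breaks there, the key routine is not far away. The junk instructions get in the way of the analysis, so manually remove the ones that interfere with reading the algorithm and work through it patiently.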

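PS: Most of the junk instructions in this challenge are combinations of disguised jump instructions padded with garbage bytes. It is like driving with a fogged-up windshield. What do you do? Turn on the defogger.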
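The clean-up described above can be done mechanically. The following Python sketch is an added example, not part of the original post: it NOPs the four junk shapes that recur in this write-up's listings, using two byte runs copied from the listings at 004038F3 and 004039DA as sample input. The names `JUNK` and `strip_junk` are hypothetical.

```python
import re

# The four junk shapes that recur in the listings. Each ends in one filler
# byte that is jumped over at run time but derails a linear disassembler.
JUNK = re.compile(
    rb"\xF8\x73\x01."    # CLC; JNB +1; filler (CF=0, so JNB is always taken)
    rb"|\xF9\x72\x01."   # STC; JB +1; filler (CF=1, so JB is always taken)
    rb"|\xEB\x01."       # JMP +1; filler
    # CALL $+5; ADD [ESP],6; RETN; filler (return address moved past the filler)
    rb"|\xE8\x00\x00\x00\x00\x83\x04\x24\x06\xC3.",
    re.DOTALL,           # the filler may be any byte, including 0x0A
)

# Bytes copied from the listings in this write-up (before de-junking).
LISTING_4038F3 = bytes.fromhex(
    "F9 72 01 0F F8 73 01 7B E8 00 00 00 00 83 04 24 06 C3 0F"
    " 8B 1D E8 40 48 00 33 C0 83 3B 00")
LISTING_4039DA = bytes.fromhex(
    "F8 73 01 0F FF 75 FC 68 04 00 00 80 6A 00 EB 01 0F"
    " A1 E0 40 48 00 85 C0 75 05")


def strip_junk(code: bytes, base: int):
    """NOP every junk shape in `code`.

    Returns (patched bytes, [(address, length), ...]) with adjacent junk
    shapes merged into one run. A raw byte match can also fall inside the
    operand of a real instruction, so treat the runs as candidates and
    confirm each one in the debugger. NOPing CLC/STC leaves CF untouched,
    which matters only if later code reads CF before setting it.
    """
    out = bytearray(code)
    runs = []
    for m in JUNK.finditer(code):          # left to right, non-overlapping
        start, end = m.span()
        out[start:end] = b"\x90" * (end - start)
        if runs and runs[-1][0] + runs[-1][1] == base + start:
            runs[-1] = (runs[-1][0], runs[-1][1] + end - start)
        else:
            runs.append((base + start, end - start))
    return bytes(out), runs


if __name__ == "__main__":
    for base, raw in ((0x4038F3, LISTING_4038F3), (0x4039DA, LISTING_4039DA)):
        patched, runs = strip_junk(raw, base)
        for addr, n in runs:
            print(f"{addr:08X}: {n} junk bytes -> NOP")
        print(patched.hex(" ").upper())
```

Real instructions that sit between two junk shapes, such as the three PUSH instructions at 004039DE to 004039E6, are left untouched.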

0040369B   > \68 FF444000   PUSH crackme_.004044FF                   ;  memory-access breakpoint on 4044FF
004036A0   .  68 03000000   PUSH 0x3
004036A5   .  B8 01000000   MOV EAX,0x1
004036AA   .  BB B0634400   MOV EBX,crackme_.004463B0
004036AF   .  E8 090F0000   CALL crackme_.004045BD                   ;  thread-creation subroutine
// Thread-creation subroutine; set a memory-access breakpoint on 4044FF and follow the thread

004038A4    F8              CLC
004038A5    73 01           JNB Xcrackme_.004038A8
004038A7    B4 F9           MOV AH,0xF9
004038A9    72 01           JB Xcrackme_.004038AC
004038AB    0FF972 01       PSUBW MM6,QWORD PTR DS:[EDX+0x1]
004038AF    B9 B8D87346     MOV ECX,0x4673D8B8
// Junk instructions F8 73 01 B4 F9 72 01 0F F9 72 01 B9: NOP them out


004038A4    90              NOP
004038A5    90              NOP
004038A6    90              NOP
004038A7    90              NOP
004038A8    90              NOP
004038A9    90              NOP
004038AA    90              NOP
004038AB    90              NOP
004038AC    90              NOP
004038AD    90              NOP
004038AE    90              NOP
004038AF    90              NOP
004038B0    B8 D8734600     MOV EAX,crackme_.004673D8
// After removing the junk instructions

004038D3    E8 00000000     CALL crackme_.004038D8
004038D8    830424 06       ADD DWORD PTR SS:[ESP],0x6
004038DC    C3              RETN
004038DD    B8 8B1DE840     MOV EAX,0x40E81D8B
004038E2    48              DEC EAX
004038E3    0053 E8         ADD BYTE PTR DS:[EBX-0x18],DL
004038E6    BB 0C000083     MOV EBX,0x8300000C
// Junk instructions E8 00 00 00 00 83 04 24 06 C3 B8: NOP them out

004038D3    90              NOP
004038D4    90              NOP
004038D5    90              NOP
004038D6    90              NOP
004038D7    90              NOP
004038D8    90              NOP
004038D9    90              NOP
004038DA    90              NOP
004038DB    90              NOP
004038DC    90              NOP
004038DD    90              NOP
004038DE    8B1D E8404800   MOV EBX,DWORD PTR DS:[0x4840E8]
// After removing the junk instructions

004038F3    F9              STC
004038F4    72 01           JB Xcrackme_.004038F7
004038F6    0FF873 01       PSUBB MM6,QWORD PTR DS:[EBX+0x1]
004038FA    7B E8           JPO Xcrackme_.004038E4
004038FC    0000            ADD BYTE PTR DS:[EAX],AL
004038FE    0000            ADD BYTE PTR DS:[EAX],AL
00403900    830424 06       ADD DWORD PTR SS:[ESP],0x6
00403904    C3              RETN
00403905    0F8B 1DE84048   JPO 48812128
0040390B    0033            ADD BYTE PTR DS:[EBX],DH
0040390D    C083 3B007E03 8>ROL BYTE PTR DS:[EBX+0x37E003B],0x8B                       ; shift constant out of range 1..31
// Junk instructions F9 72 01 0F F8 73 01 7B E8 00 00 00 00 83 04 24 06 C3 0F: NOP them out

004038F3    90              NOP
004038F4    90              NOP
004038F5    90              NOP
004038F6    90              NOP
004038F7    90              NOP
004038F8    90              NOP
004038F9    90              NOP
004038FA    90              NOP
004038FB    90              NOP
004038FC    90              NOP
004038FD    90              NOP
004038FE    90              NOP
004038FF    90              NOP
00403900    90              NOP
00403901    90              NOP
00403902    90              NOP
00403903    90              NOP
00403904    90              NOP
00403905    90              NOP
00403906    8B1D E8404800   MOV EBX,DWORD PTR DS:[0x4840E8]
0040390C    33C0            XOR EAX,EAX
0040390E    833B 00         CMP DWORD PTR DS:[EBX],0x0
// After removing the junk instructions

00403919    F9              STC
0040391A    72 01           JB Xcrackme_.0040391D
0040391C    B7 EB           MOV BH,0xEB
0040391E    010F            ADD DWORD PTR DS:[EDI],ECX
00403920    68 04000080     PUSH 0x80000004
00403925    6A 00           PUSH 0x0
00403927    EB 01           JMP Xcrackme_.0040392A
00403929  ^ 74 A1           JE Xcrackme_.004038CC
0040392B    E0 40           LOOPDNE Xcrackme_.0040396D
0040392D    48              DEC EAX
0040392E    0085 C07505B8   ADD BYTE PTR SS:[EBP+0xB80575C0],AL
00403934    D7              XLAT BYTE PTR DS:[EBX+AL]
00403935    73 46           JNB Xcrackme_.0040397D
// Junk instructions F9 72 01 B7 EB 01 0F 68 04 00 00 80 6A 00 EB 01 74: NOP them out

00403919    90              NOP
0040391A    90              NOP
0040391B    90              NOP
0040391C    90              NOP
0040391D    90              NOP
0040391E    90              NOP
0040391F    90              NOP
00403920    90              NOP
00403921    90              NOP
00403922    90              NOP
00403923    90              NOP
00403924    90              NOP
00403925    90              NOP
00403926    90              NOP
00403927    90              NOP
00403928    90              NOP
00403929    90              NOP
0040392A    A1 E0404800     MOV EAX,DWORD PTR DS:[0x4840E0]
0040392F    85C0            TEST EAX,EAX
00403931    75 05           JNZ Xcrackme_.00403938
// After removing the junk instructions

0040394E   /EB 01           JMP Xcrackme_.00403951
00403950   |0FE800          PSUBSB MM0,QWORD PTR DS:[EAX]
00403953    0000            ADD BYTE PTR DS:[EAX],AL
00403955    0083 042406C3   ADD BYTE PTR DS:[EBX+0xC3062404],AL
0040395B    B7 F8           MOV BH,0xF8
0040395D    73 01           JNB Xcrackme_.00403960
0040395F    848B 45F43945   TEST BYTE PTR DS:[EBX+0x4539F445],CL
00403965    F8              CLC
// Junk instructions EB 01 0F E8 00 00 00 00 83 04 24 06 C3 B7 F8 73 01 84: NOP them out

0040394E    90              NOP
0040394F    90              NOP
00403950    90              NOP
00403951    90              NOP
00403952    90              NOP
00403953    90              NOP
00403954    90              NOP
00403955    90              NOP
00403956    90              NOP
00403957    90              NOP
00403958    90              NOP
00403959    90              NOP
0040395A    90              NOP
0040395B    90              NOP
0040395C    90              NOP
0040395D    90              NOP
0040395E    90              NOP
0040395F    90              NOP
00403960    8B45 F4         MOV EAX,DWORD PTR SS:[EBP-0xC]
00403963    3945 F8         CMP DWORD PTR SS:[EBP-0x8],EAX                             ; check that the serial length is 14 characters
00403966    0F85 39070000   JNZ crackme_.004040A5
// After removing the junk instructions

0040396C   /EB 01           JMP Xcrackme_.0040396F
0040396E   |88EB            MOV BL,CH
00403970    010F            ADD DWORD PTR DS:[EDI],ECX
00403972    68 04000080     PUSH 0x80000004
00403977    6A 00           PUSH 0x0
00403979    EB 01           JMP Xcrackme_.0040397C
0040397B    B3 A1           MOV BL,0xA1
0040397D    E0 40           LOOPDNE Xcrackme_.004039BF
0040397F    48              DEC EAX
00403980    0085 C07505B8   ADD BYTE PTR SS:[EBP+0xB80575C0],AL
00403986    D7              XLAT BYTE PTR DS:[EBX+AL]
// Junk instructions EB 01 88 EB 01 0F 68 04 00 00 80 6A 00 EB 01 B3: NOP them out

0040396C    90              NOP
0040396D    90              NOP
0040396E    90              NOP
0040396F    90              NOP
00403970    90              NOP
00403971    90              NOP
00403972    90              NOP
00403973    90              NOP
00403974    90              NOP
00403975    90              NOP
00403976    90              NOP
00403977    90              NOP
00403978    90              NOP
00403979    90              NOP
0040397A    90              NOP
0040397B    90              NOP
0040397C    A1 E0404800     MOV EAX,DWORD PTR DS:[0x4840E0]
00403981    85C0            TEST EAX,EAX
00403983    75 05           JNZ Xcrackme_.0040398A
00403985    B8 D7734600     MOV EAX,crackme_.004673D7
// After removing the junk instructions

0040399A    83C4 10         ADD ESP,0x10
0040399D    F8              CLC
0040399E    73 01           JNB Xcrackme_.004039A1
004039A0    70 33           JO Xcrackme_.004039D5
004039A2    C9              LEAVE
004039A3    50              PUSH EAX
004039A4    F9              STC
004039A5    72 01           JB Xcrackme_.004039A8
004039A7    BB 8D45FC8B     MOV EBX,0x8BFC458D
// Junk instructions 83 C4 10 F8 73 01 70 and F9 72 01 BB: NOP them out

0040399A    90              NOP
0040399B    90              NOP
0040399C    90              NOP
0040399D    90              NOP
0040399E    90              NOP
0040399F    90              NOP
004039A0    90              NOP
004039A1    33C9            XOR ECX,ECX
004039A3    50              PUSH EAX
004039A4    90              NOP
004039A5    90              NOP
004039A6    90              NOP
004039A7    90              NOP
004039A8    8D45 FC         LEA EAX,DWORD PTR SS:[EBP-0x4]
// After removing the junk instructions

004039BC   /EB 01           JMP Xcrackme_.004039BF
004039BE  ^|74 F9           JE Xcrackme_.004039B9
004039C0    72 01           JB Xcrackme_.004039C3
004039C2    0F6801          PUNPCKHBW MM0,QWORD PTR DS:[ECX]
004039C5    0300            ADD EAX,DWORD PTR DS:[EAX]
004039C7    806A 00 F9      SUB BYTE PTR DS:[EDX],0xF9
004039CB    72 01           JB Xcrackme_.004039CE
004039CD    BB 68010000     MOV EBX,0x168
004039D2    0068 01         ADD BYTE PTR DS:[EAX+0x1],CH
004039D5    0300            ADD EAX,DWORD PTR DS:[EAX]
004039D7    806A 00 F8      SUB BYTE PTR DS:[EDX],0xF8
// Junk instructions EB 01 74 F9 72 01 0F and F9 72 01 BB: NOP them out

004039BC    90              NOP
004039BD    90              NOP
004039BE    90              NOP
004039BF    90              NOP
004039C0    90              NOP
004039C1    90              NOP
004039C2    90              NOP
004039C3    68 01030080     PUSH 0x80000301
004039C8    6A 00           PUSH 0x0
004039CA    90              NOP
004039CB    90              NOP
004039CC    90              NOP
004039CD    90              NOP
004039CE    68 01000000     PUSH 0x1
004039D3    68 01030080     PUSH 0x80000301
004039D8    6A 00           PUSH 0x0
// After removing the junk instructions

004039DA    F8              CLC
004039DB    73 01           JNB Xcrackme_.004039DE
004039DD    0FFF            ???                                                        ; unknown command
004039DF  ^ 75 FC           JNZ Xcrackme_.004039DD
004039E1    68 04000080     PUSH 0x80000004
004039E6    6A 00           PUSH 0x0
004039E8    EB 01           JMP Xcrackme_.004039EB
004039EA    0FA1            POP FS                                                     ; segment register modified
004039EC    E0 40           LOOPDNE Xcrackme_.00403A2E
004039EE    48              DEC EAX
004039EF    0085 C07505B8   ADD BYTE PTR SS:[EBP+0xB80575C0],AL
// Junk instructions F8 73 01 0F and EB 01 0F: NOP them out

004039DA    90              NOP
004039DB    90              NOP
004039DC    90              NOP
004039DD    90              NOP
004039DE    FF75 FC         PUSH DWORD PTR SS:[EBP-0x4]
004039E1    68 04000080     PUSH 0x80000004
004039E6    6A 00           PUSH 0x0
004039E8    90              NOP
004039E9    90              NOP
004039EA    90              NOP
004039EB    A1 E0404800     MOV EAX,DWORD PTR DS:[0x4840E0]
004039F0    85C0            TEST EAX,EAX
004039F2    75 05           JNZ Xcrackme_.004039F9
004039F4    B8 D7734600     MOV EAX,crackme_.004673D7
// After removing the junk instructions

00403A0F   /EB 01           JMP Xcrackme_.00403A12
00403A11   |828B 1DE84048 0>OR BYTE PTR DS:[EBX+0x4840E81D],0x0
00403A18    E8 93FDFFFF     CALL crackme_.004037B0
// Junk instructions EB 01 82: NOP them out

00403A0F    90              NOP
00403A10    90              NOP
00403A11    90              NOP
00403A12    8B1D E8404800   MOV EBX,DWORD PTR DS:[0x4840E8]
00403A18    E8 93FDFFFF     CALL crackme_.004037B0
// After removing the junk instructions

00403A1F    F8              CLC
00403A20    73 01           JNB Xcrackme_.00403A23
00403A22    0FEB01          POR MM0,QWORD PTR DS:[ECX]
00403A25    85EB            TEST EBX,EBP
00403A27    018B 8B1DE840   ADD DWORD PTR DS:[EBX+0x40E81D8B],ECX
00403A2D    48              DEC EAX
00403A2E    0033            ADD BYTE PTR DS:[EBX],DH
00403A30    C083 3B007E03 8>ROL BYTE PTR DS:[EBX+0x37E003B],0x8B                       ; shift constant out of range 1..31
// Junk instructions F8 73 01 0F EB 01 85 EB 01 8B: NOP them out

00403A1F    90              NOP
00403A20    90              NOP
00403A21    90              NOP
00403A22    90              NOP
00403A23    90              NOP
00403A24    90              NOP
00403A25    90              NOP
00403A26    90              NOP
00403A27    90              NOP
00403A28    90              NOP
00403A29    8B1D E8404800   MOV EBX,DWORD PTR DS:[0x4840E8]
00403A2F    33C0            XOR EAX,EAX
00403A31    833B 00         CMP DWORD PTR DS:[EBX],0x0
00403A34    7E 03           JLE Xcrackme_.00403A39
00403A36    8B43 04         MOV EAX,DWORD PTR DS:[EBX+0x4]
// After removing the junk instructions

00403A3C   /EB 01           JMP Xcrackme_.00403A3F
00403A3E   |0FEB01          POR MM0,QWORD PTR DS:[ECX]
00403A41    8BDB            MOV EBX,EBX
00403A43    45              INC EBP
00403A44    F4              HLT                                                        ; privileged command
// Junk instructions EB 01 0F EB 01 8B: NOP them out

00403A3C    90              NOP
00403A3D    90              NOP
00403A3E    90              NOP
00403A3F    90              NOP
00403A40    90              NOP
00403A41    90              NOP
00403A42    DB45 F4         FILD DWORD PTR SS:[EBP-0xC]
// After removing the junk instructions

00403A57    F8              CLC
00403A58    73 01           JNB Xcrackme_.00403A5B
00403A5A  ^ 78 E8           JS Xcrackme_.00403A44
00403A5C    0000            ADD BYTE PTR DS:[EAX],AL
00403A5E    0000            ADD BYTE PTR DS:[EAX],AL
00403A60    830424 06       ADD DWORD PTR SS:[ESP],0x6
00403A64    C3              RETN
00403A65    BE DD45DCDC     MOV ESI,0xDCDC45DD
00403A6A    05 18744600     ADD EAX,crackme_.00467418
// Junk instructions F8 73 01 78 E8 00 00 00 00 83 04 24 06 C3 BE: NOP them out

00403A57    90              NOP
00403A58    90              NOP
00403A59    90              NOP
00403A5A    90              NOP
00403A5B    90              NOP
00403A5C    90              NOP
00403A5D    90              NOP
00403A5E    90              NOP
00403A5F    90              NOP
00403A60    90              NOP
00403A61    90              NOP
00403A62    90              NOP
00403A63    90              NOP
00403A64    90              NOP
00403A65    90              NOP
00403A66    DD45 DC         FLD QWORD PTR SS:[EBP-0x24]
00403A69    DC05 18744600   FADD QWORD PTR DS:[0x467418]
00403A6F    DD5D D4         FSTP QWORD PTR SS:[EBP-0x2C]
00403A72    DD45 D4         FLD QWORD PTR SS:[EBP-0x2C]
// After removing the junk instructions

00403A7A   /EB 01           JMP Xcrackme_.00403A7D
00403A7C   |0F4879 0D       CMOVS EDI,DWORD PTR DS:[ECX+0xD]
// Junk instructions EB 01 0F: NOP them out

00403A7A    90              NOP
00403A7B    90              NOP
00403A7C    90              NOP
00403A7D    48              DEC EAX
00403A7E    79 0D           JNS Xcrackme_.00403A8D
// After removing the junk instructions

00403AA8    F9              STC
00403AA9    72 01           JB Xcrackme_.00403AAC
00403AAB    8F              ???                                                        ; unknown command
00403AAC    F8              CLC
00403AAD    73 01           JNB Xcrackme_.00403AB0
00403AAF    8268 01 01      SUB BYTE PTR DS:[EAX+0x1],0x1
00403AB3    0080 6A00F873   ADD BYTE PTR DS:[EAX+0x73F8006A],AL
// Junk instructions F9 72 01 8F F8 73 01 82: NOP them out

00403AA8    90              NOP
00403AA9    90              NOP
00403AAA    90              NOP
00403AAB    90              NOP
00403AAC    90              NOP
00403AAD    90              NOP
00403AAE    90              NOP
00403AAF    90              NOP
00403AB0    68 01010080     PUSH 0x80000101
00403AB5    6A 00           PUSH 0x0
// After removing the junk instructions

00403AB7    F8              CLC
00403AB8    73 01           JNB Xcrackme_.00403ABB
00403ABA  ^ 74 8B           JE Xcrackme_.00403A47
00403ABC    5D              POP EBP
00403ABD    D08A 03506801   ROR BYTE PTR DS:[EDX+0x1685003],1
00403AC3    0000            ADD BYTE PTR DS:[EAX],AL
// Junk instructions F8 73 01 74: NOP them out

00403AB7    90              NOP
00403AB8    90              NOP
00403AB9    90              NOP
00403ABA    90              NOP
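00403ABB    8B5D D0         MOV EBX,DWORD PTR SS:[EBP-0x30]                            ; address where the real serial is stored
00403ABE    8A03            MOV AL,BYTE PTR DS:[EBX]                                   ; fetch the real serial one byte at a time
// After removing the junk instructions

// Contents of [EBX]: (the correct serial is right here)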
0015CCC0  00000074 't'
0015CCC4  00000066 'f'
0015CCC8  0000006F 'o'
0015CCCC  00000073 's'
0015CCD0  00000065 'e'
0015CCD4  00000064 'd'
0015CCD8  00000069 'i'
0015CCDC  00000077 'w'
0015CCE0  00000079 'y'
0015CCE4  00000062 'b'
0015CCE8  00000065 'e'
0015CCEC  00000064 'd'
0015CCF0  0000006F 'o'
0015CCF4  00000063 'c'

00403AD3    8945 CC         MOV DWORD PTR SS:[EBP-0x34],EAX                            ; store the address of the correct serial in memory
00403AD6   /EB 01           JMP Xcrackme_.00403AD9
00403AD8   |0FEB01          POR MM0,QWORD PTR DS:[ECX]
00403ADB    BE E8000000     MOV ESI,0xE8
00403AE0    0083 042406C3   ADD BYTE PTR DS:[EBX+0xC3062404],AL
00403AE6    818B 45CCF873 0>OR DWORD PTR DS:[EBX+0x73F8CC45],0xEB508501
00403AF0    01B1 FF75F8E8   ADD DWORD PTR DS:[ECX+0xE8F875FF],ESI
00403AF6    FD              STD
00403AF7    FC              CLD
00403AF8    FFFF            ???                                                        ; unknown command
// Junk instructions EB 01 0F EB 01 BE E8 00 00 00 00 83 04 24 06 C3 81 and F8 73 01 85: NOP them out

00403AD3    8945 CC         MOV DWORD PTR SS:[EBP-0x34],EAX                            ; store the address of the correct serial in memory
00403AD6    90              NOP
00403AD7    90              NOP
00403AD8    90              NOP
00403AD9    90              NOP
00403ADA    90              NOP
00403ADB    90              NOP
00403ADC    90              NOP
00403ADD    90              NOP
00403ADE    90              NOP
00403ADF    90              NOP
00403AE0    90              NOP
00403AE1    90              NOP
00403AE2    90              NOP
00403AE3    90              NOP
00403AE4    90              NOP
00403AE5    90              NOP
00403AE6    90              NOP
00403AE7    8B45 CC         MOV EAX,DWORD PTR SS:[EBP-0x34]
00403AEA    90              NOP
00403AEB    90              NOP
00403AEC    90              NOP
00403AED    90              NOP
00403AEE    50              PUSH EAX
00403AEF    EB 01           JMP Xcrackme_.00403AF2
00403AF1    B1 FF           MOV CL,0xFF
00403AF3  ^ 75 F8           JNZ Xcrackme_.00403AED
00403AF5    E8 FDFCFFFF     CALL crackme_.004037F7
// After removing the junk instructions

00403AEF   /EB 01           JMP Xcrackme_.00403AF2
00403AF1   |B1 FF           MOV CL,0xFF
00403AF3  ^ 75 F8           JNZ Xcrackme_.00403AED
00403AF5    E8 FDFCFFFF     CALL crackme_.004037F7
00403AFA    83C4 08         ADD ESP,0x8
00403AFD    83F8 00         CMP EAX,0x0
// Junk instructions EB 01 B1: NOP them out

00403AEF    90              NOP
00403AF0    90              NOP
00403AF1    90              NOP
00403AF2    FF75 F8         PUSH DWORD PTR SS:[EBP-0x8]
00403AF5    E8 FDFCFFFF     CALL crackme_.004037F7
00403AFA    83C4 08         ADD ESP,0x8
00403AFD    83F8 00         CMP EAX,0x0
// After removing the junk instructions

00403AF2    FF75 F8         PUSH DWORD PTR SS:[EBP-0x8]
00403AF5    E8 FDFCFFFF     CALL crackme_.004037F7                                     ; key comparison
00403AFA    83C4 08         ADD ESP,0x8
00403AFD    83F8 00         CMP EAX,0x0
// You can step into 4037F7

00403825    8B02            MOV EAX,DWORD PTR DS:[EDX]
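00403827    3A01            CMP AL,BYTE PTR DS:[ECX]                                   ; core comparison; you can also set a conditional log breakpoint here, and logging [ECX] gives each character of the correct serial
00403829    75 2B           JNZ Xcrackme_.00403856
// Compares the serial one character at a time (on a mismatch the remaining characters are not checked)

// If the junk instructions kept you from spotting the correct serial earlier, set a conditional log breakpoint here; the compared values then show up in the log
// Log data: take the last byte as the character's ASCII code

Address    Message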
00403827   COND: 00150063 'c'
00403827   COND: 0015006F 'o'
00403827   COND: 00150064 'd'
00403827   COND: 00150065 'e'
00403827   COND: 00150062 'b'
00403827   COND: 00150079 'y'
00403827   COND: 00150077 'w'
00403827   COND: 00150069 'i'
00403827   COND: 00150064 'd'
00403827   COND: 00150065 'e'
00403827   COND: 00150073 's'
00403827   COND: 0015006F 'o'
00403827   COND: 00150066 'f'
00403827   COND: 00150074 't'

00403B2B    837D C8 00      CMP DWORD PTR SS:[EBP-0x38],0x0
00403B2F    0F84 0C000000   JE crackme_.00403B41                                       ; key jump
// Changing this to JMP would also crack it by patching

00403B35   /EB 01           JMP Xcrackme_.00403B38
00403B37   |B7 F9           MOV BH,0xF9
00403B39    72 01           JB Xcrackme_.00403B3C
00403B3B    86E9            XCHG CL,CH
00403B3D    0800            OR BYTE PTR DS:[EAX],AL
00403B3F    0000            ADD BYTE PTR DS:[EAX],AL
00403B41    58              POP EAX
// Junk instructions EB 01 B7 F9 72 01 86: NOP them out

00403B35    90              NOP
00403B36    90              NOP
00403B37    90              NOP
00403B38    90              NOP
00403B39    90              NOP
00403B3A    90              NOP
00403B3B    90              NOP
00403B3C    E9 08000000     JMP crackme_.00403B49                                      ; leave the serial-verification loop
00403B41    58              POP EAX
// After removing the junk instructions

In summary: the 14 characters joined together form the serial, so the serial is "codebywidesoft".
