Algorithm analysis of the "Crackme for all beginners who love cracking" recommended by KuNgBiM
[Title]: Algorithm analysis of the "Crackme for all beginners who love cracking" recommended by KuNgBiM
[Author]: dewar
[Software]: Crackme for all beginners who love cracking
[Download]: see attachment
[Packer]: none
[Protection]: none
[Language]: VB
[Tools]: OD (OllyDbg)
[Platform]: WinXP
[Author's note]: Just out of interest, nothing else. Corrections from the experts are welcome!
[Detailed process]
This was originally the crack writeup I submitted to get my registration invite code. It is strictly newbie-level, so experts please skip it (I take no responsibility for your wasted time ^_^). I am posting it now in the hope that it helps newbies like me.
I am a complete beginner myself, so to make sure other beginners can follow I have tried to be as detailed as possible. If anything is unclear, ask and I will answer as best I can. Anyone who wants to
play with cracking together can add me on QQ; let's improve together ^_^
Enough chatter, down to business.
1. Load the target in OD. Press ALT+E to open the modules window, double-click MSVBVM60.DLL, then press CTRL+N and find `__vbaStrCmp`, the function VB uses to compare strings.
Set a breakpoint on it with F2. Press F9 to run, enter the registration name huazi0745 and the registration code 1234, and click Register. The program breaks inside the MSVBVM60 module. Don't
modify anything in there: patching the runtime would most likely break every VB program on the machine ^&^. Press ALT+F9 to return to the program's own code, which brings us to 00402C98.
2. Now you can remove the breakpoint set earlier and single-step. When you reach 004030DC you can see in the register pane that EAX holds the real registration code and EDX holds the fake one we typed.
A few steps further down, 00403100 is the key jump: the JE 00403216 there goes to the error path whenever the two codes differ, so overwriting those six bytes with NOPs patches the check (do not turn it into a JMP, that would always take the error path). Stepping all the way down we never see the code being computed, so the program must
have computed the real code before 00402C98. So look backwards at the CALLs: any CALL into the runtime cannot be the one computing the code. At 00402BEE
we find an indirect call through an object vtable (CALL DWORD PTR [EAX+6F8]) that lands in the program's own code, which is very likely the key CALL. Set an F2 breakpoint there, reload, run, enter the name and code...
......
00402BEE .FF90 F8060000 CALL DWORD PTR DS:[EAX+6F8] ;<=== computes the registration code (key CALL), F7 to step into
00402BF4 .3BC3 CMP EAX, EBX
00402BF6 .7D 12 JGE SHORT 00402C0A
00402BF8 .68 F8060000 PUSH 6F8 ; /Arg4 = 000006F8
00402BFD .68 D8244000 PUSH 004024D8 ; |Arg3 = 004024D8
00402C02 .56 PUSH ESI ; |Arg2
00402C03 .50 PUSH EAX ; |Arg1
00402C04 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402C0A >8D4D B8 LEA ECX, DWORD PTR SS:
00402C0D .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
00402C13 .8B16 MOV EDX, DWORD PTR DS:
00402C15 .56 PUSH ESI
00402C16 .FF92 08030000 CALL DWORD PTR DS:
00402C1C .50 PUSH EAX ; /Arg2
00402C1D .8D45 CC LEA EAX, DWORD PTR SS: ; |
00402C20 .50 PUSH EAX ; |Arg1
00402C21 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
00402C27 .8D55 D8 LEA EDX, DWORD PTR SS:
00402C2A .8BF8 MOV EDI, EAX
00402C2C .8B0F MOV ECX, DWORD PTR DS:
00402C2E .52 PUSH EDX
00402C2F .57 PUSH EDI
00402C30 .FF91 A0000000 CALL DWORD PTR DS:[ECX+A0] ; get the registration name
00402C36 .DBE2 FCLEX
00402C38 .3BC3 CMP EAX, EBX
00402C3A .7D 12 JGE SHORT 00402C4E
00402C3C .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00402C41 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00402C46 .57 PUSH EDI ; |Arg2
00402C47 .50 PUSH EAX ; |Arg1
00402C48 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402C4E >8B06 MOV EAX, DWORD PTR DS:
00402C50 .56 PUSH ESI
00402C51 .FF90 00030000 CALL DWORD PTR DS:
00402C57 .50 PUSH EAX ; /Arg2
00402C58 .8D4D C8 LEA ECX, DWORD PTR SS: ; |
00402C5B .51 PUSH ECX ; |Arg1
00402C5C .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
00402C62 .8BF8 MOV EDI, EAX
00402C64 .8B17 MOV EDX, DWORD PTR DS:
00402C66 .8D45 D4 LEA EAX, DWORD PTR SS:
00402C69 .50 PUSH EAX
00402C6A .57 PUSH EDI
00402C6B .FF92 A0000000 CALL DWORD PTR DS:[EDX+A0] ; get the registration code
00402C71 .DBE2 FCLEX
00402C73 .3BC3 CMP EAX, EBX
00402C75 .7D 12 JGE SHORT 00402C89
00402C77 .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00402C7C .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00402C81 .57 PUSH EDI ; |Arg2
00402C82 .50 PUSH EAX ; |Arg1
00402C83 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402C89 >8B4D D4 MOV ECX, DWORD PTR SS:
00402C8C .51 PUSH ECX ; /Arg2
00402C8D .68 74264000 PUSH 00402674 ; |Arg1 = 00402674
00402C92 .FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; \ is the registration code empty? (compared with the empty string at 00402674)
00402C98 .8B55 D8 MOV EDX, DWORD PTR SS:[EBP-28] ;<==== ALT+F9 returns here
00402C9B .8BF8 MOV EDI, EAX
00402C9D .F7DF NEG EDI
00402C9F .1BFF SBB EDI, EDI
00402CA1 .52 PUSH EDX ; /Arg2
00402CA2 .47 INC EDI ; |
00402CA3 .68 74264000 PUSH 00402674 ; |Arg1 = 00402674
00402CA8 .F7DF NEG EDI ; |
00402CAA .FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; \ is the registration name empty?
00402CB0 .F7D8 NEG EAX
00402CB2 .1BC0 SBB EAX, EAX
00402CB4 .40 INC EAX
00402CB5 .F7D8 NEG EAX
00402CB7 .0BF8 OR EDI, EAX ; OR the two comparison results (the NEG/SBB/INC/NEG sequence turns each __vbaStrCmp result into a VB Boolean: True = equal)
00402CB9 .8D45 D4 LEA EAX, DWORD PTR SS:
00402CBC .50 PUSH EAX
00402CBD .8D4D D8 LEA ECX, DWORD PTR SS:
00402CC0 .51 PUSH ECX
00402CC1 .6A 02 PUSH 2
00402CC3 .FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>;MSVBVM60.__vbaFreeStrList
00402CC9 .8D55 C8 LEA EDX, DWORD PTR SS:
00402CCC .52 PUSH EDX
00402CCD .8D45 CC LEA EAX, DWORD PTR SS:
00402CD0 .50 PUSH EAX
00402CD1 .6A 02 PUSH 2
00402CD3 .FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObjList>;MSVBVM60.__vbaFreeObjList
00402CD9 .83C4 18 ADD ESP, 18
00402CDC .66:3BFB CMP DI, BX
00402CDF 0F84 91000000 JE 00402D76 ; jump when both the name and the code were entered
00402CE5 .B9 0A000000 MOV ECX, 0A ; otherwise fall through and show "you forgot something"
00402CEA .B8 04000280 MOV EAX, 80020004
00402CEF .894D 88 MOV DWORD PTR SS:, ECX
00402CF2 .894D 98 MOV DWORD PTR SS:, ECX
00402CF5 .BF 08000000 MOV EDI, 8
00402CFA .8D95 F8FEFFFF LEA EDX, DWORD PTR SS:
00402D00 .8D4D A8 LEA ECX, DWORD PTR SS:
00402D03 .8945 90 MOV DWORD PTR SS:, EAX
00402D06 .8945 A0 MOV DWORD PTR SS:, EAX
00402D09 .C785 00FFFFFF>MOV DWORD PTR SS:, 004026A4
00402D13 .89BD F8FEFFFF MOV DWORD PTR SS:, EDI
00402D19 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
00402D1F .8D95 08FFFFFF LEA EDX, DWORD PTR SS:
00402D25 .8D4D B8 LEA ECX, DWORD PTR SS:
00402D28 .C785 10FFFFFF>MOV DWORD PTR SS:, 0040267C
00402D32 .89BD 08FFFFFF MOV DWORD PTR SS:, EDI
00402D38 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
00402D3E .8D4D 88 LEA ECX, DWORD PTR SS:
00402D41 .51 PUSH ECX
00402D42 .8D55 98 LEA EDX, DWORD PTR SS:
00402D45 .52 PUSH EDX
00402D46 .8D45 A8 LEA EAX, DWORD PTR SS:
00402D49 .50 PUSH EAX
00402D4A .6A 30 PUSH 30
00402D4C .8D4D B8 LEA ECX, DWORD PTR SS:
00402D4F .51 PUSH ECX
00402D50 .FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; show "you forgot something" (#595 = rtcMsgBox)
00402D56 .8D55 88 LEA EDX, DWORD PTR SS:
00402D59 .52 PUSH EDX
00402D5A .8D45 98 LEA EAX, DWORD PTR SS:
00402D5D .50 PUSH EAX
00402D5E .8D4D A8 LEA ECX, DWORD PTR SS:
00402D61 .51 PUSH ECX
00402D62 .8D55 B8 LEA EDX, DWORD PTR SS:
00402D65 .52 PUSH EDX
00402D66 .6A 04 PUSH 4
00402D68 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
00402D6E .83C4 14 ADD ESP, 14
00402D71 .E9 64060000 JMP 004033DA
00402D76 >8B06 MOV EAX, DWORD PTR DS:[ESI] ; both fields entered: arrive here
00402D78 .56 PUSH ESI
00402D79 .FF90 00030000 CALL DWORD PTR DS:
00402D7F .50 PUSH EAX ; /Arg2
00402D80 .8D4D CC LEA ECX, DWORD PTR SS: ; |
00402D83 .51 PUSH ECX ; |Arg1
00402D84 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
00402D8A .8BF8 MOV EDI, EAX
00402D8C .8B17 MOV EDX, DWORD PTR DS:
00402D8E .8D45 D8 LEA EAX, DWORD PTR SS:
00402D91 .50 PUSH EAX
00402D92 .57 PUSH EDI
00402D93 .FF92 A0000000 CALL DWORD PTR DS:[EDX+A0] ; get the registration code
00402D99 .DBE2 FCLEX
00402D9B .3BC3 CMP EAX, EBX
00402D9D .7D 12 JGE SHORT 00402DB1
00402D9F .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00402DA4 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00402DA9 .57 PUSH EDI ; |Arg2
00402DAA .50 PUSH EAX ; |Arg1
00402DAB .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402DB1 >8B4D D8 MOV ECX, DWORD PTR SS:
00402DB4 .51 PUSH ECX ; /Arg2
00402DB5 .68 B4264000 PUSH 004026B4 ; |Arg1 = 004026B4
00402DBA .FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; \ compare the registration code with the string at 004026B4
00402DC0 .8BF8 MOV EDI, EAX
00402DC2 .F7DF NEG EDI
00402DC4 .1BFF SBB EDI, EDI
00402DC6 .47 INC EDI
00402DC7 .8D4D D8 LEA ECX, DWORD PTR SS:
00402DCA .F7DF NEG EDI
00402DCC .FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00402DD2 .8D4D CC LEA ECX, DWORD PTR SS:
00402DD5 .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
00402DDB .66:3BFB CMP DI, BX
00402DDE 0F84 4F010000 JE 00402F33 ; jump if not equal
00402DE4 .B9 0A000000 MOV ECX, 0A ; if equal, the program treats the name as too long
00402DE9 .B8 04000280 MOV EAX, 80020004
00402DEE .898D 58FFFFFF MOV DWORD PTR SS:, ECX
00402DF4 .898D 68FFFFFF MOV DWORD PTR SS:, ECX
00402DFA .BF 08000000 MOV EDI, 8
00402DFF .8D95 D8FEFFFF LEA EDX, DWORD PTR SS:
00402E05 .8D8D 78FFFFFF LEA ECX, DWORD PTR SS:
00402E0B .8985 60FFFFFF MOV DWORD PTR SS:, EAX
00402E11 .8985 70FFFFFF MOV DWORD PTR SS:, EAX
00402E17 .C785 E0FEFFFF>MOV DWORD PTR SS:, 004026A4
00402E21 .89BD D8FEFFFF MOV DWORD PTR SS:, EDI
00402E27 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
00402E2D .8D95 58FFFFFF LEA EDX, DWORD PTR SS:
00402E33 .52 PUSH EDX
00402E34 .8D85 68FFFFFF LEA EAX, DWORD PTR SS:
00402E3A .50 PUSH EAX
00402E3B .8D8D 78FFFFFF LEA ECX, DWORD PTR SS:
00402E41 .51 PUSH ECX
00402E42 .6A 30 PUSH 30
00402E44 .8D95 08FFFFFF LEA EDX, DWORD PTR SS:
00402E4A .52 PUSH EDX
00402E4B .8D45 DC LEA EAX, DWORD PTR SS:
00402E4E .50 PUSH EAX
00402E4F .8D4D B8 LEA ECX, DWORD PTR SS:
00402E52 .89BD 08FFFFFF MOV DWORD PTR SS:, EDI
00402E58 .89BD F8FEFFFF MOV DWORD PTR SS:, EDI
00402E5E .89BD E8FEFFFF MOV DWORD PTR SS:, EDI
00402E64 .8B3D C0104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>;MSVBVM60.__vbaVarAdd
00402E6A .51 PUSH ECX
00402E6B .C785 10FFFFFF>MOV DWORD PTR SS:, 004026D4
00402E75 .C785 00FFFFFF>MOV DWORD PTR SS:, 004026EC
00402E7F .C785 F0FEFFFF>MOV DWORD PTR SS:, 00402718
00402E89 .FFD7 CALL EDI ;<&MSVBVM60.__vbaVarAdd>
00402E8B .50 PUSH EAX
00402E8C .8D95 F8FEFFFF LEA EDX, DWORD PTR SS:
00402E92 .52 PUSH EDX
00402E93 .8D45 A8 LEA EAX, DWORD PTR SS:
00402E96 .50 PUSH EAX
00402E97 .FFD7 CALL EDI
00402E99 .50 PUSH EAX
00402E9A .8D4D DC LEA ECX, DWORD PTR SS:
00402E9D .51 PUSH ECX
00402E9E .8D55 98 LEA EDX, DWORD PTR SS:
00402EA1 .52 PUSH EDX
00402EA2 .FFD7 CALL EDI
00402EA4 .50 PUSH EAX
00402EA5 .8D85 E8FEFFFF LEA EAX, DWORD PTR SS:
00402EAB .50 PUSH EAX
00402EAC .8D4D 88 LEA ECX, DWORD PTR SS:
00402EAF .51 PUSH ECX
00402EB0 .FFD7 CALL EDI
00402EB2 .50 PUSH EAX
00402EB3 .FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; show "the registration name you entered is too long"
00402EB9 .8D95 58FFFFFF LEA EDX, DWORD PTR SS:
00402EBF .52 PUSH EDX
00402EC0 .8D85 68FFFFFF LEA EAX, DWORD PTR SS:
00402EC6 .50 PUSH EAX
00402EC7 .8D8D 78FFFFFF LEA ECX, DWORD PTR SS:
00402ECD .51 PUSH ECX
00402ECE .8D55 88 LEA EDX, DWORD PTR SS:
00402ED1 .52 PUSH EDX
00402ED2 .8D45 98 LEA EAX, DWORD PTR SS:
00402ED5 .50 PUSH EAX
00402ED6 .8D4D A8 LEA ECX, DWORD PTR SS:
00402ED9 .51 PUSH ECX
00402EDA .8D55 B8 LEA EDX, DWORD PTR SS:
00402EDD .52 PUSH EDX
00402EDE .6A 07 PUSH 7
00402EE0 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
00402EE6 .8B06 MOV EAX, DWORD PTR DS:
00402EE8 .83C4 20 ADD ESP, 20
00402EEB .56 PUSH ESI
00402EEC .FF90 08030000 CALL DWORD PTR DS:
00402EF2 .50 PUSH EAX ; /Arg2
00402EF3 .8D4D CC LEA ECX, DWORD PTR SS: ; |
00402EF6 .51 PUSH ECX ; |Arg1
00402EF7 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
00402EFD .8BF8 MOV EDI, EAX
00402EFF .8B17 MOV EDX, DWORD PTR DS:
00402F01 .68 74264000 PUSH 00402674
00402F06 .57 PUSH EDI
00402F07 .FF92 A4000000 CALL DWORD PTR DS:
00402F0D .DBE2 FCLEX
00402F0F .3BC3 CMP EAX, EBX
00402F11 .7D 12 JGE SHORT 00402F25
00402F13 .68 A4000000 PUSH 0A4 ; /Arg4 = 000000A4
00402F18 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00402F1D .57 PUSH EDI ; |Arg2
00402F1E .50 PUSH EAX ; |Arg1
00402F1F .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402F25 >8D4D CC LEA ECX, DWORD PTR SS:
00402F28 .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
00402F2E .E9 A7040000 JMP 004033DA
00402F33 >8B06 MOV EAX, DWORD PTR DS:
00402F35 .56 PUSH ESI
00402F36 .FF90 08030000 CALL DWORD PTR DS:
00402F3C .50 PUSH EAX ; /Arg2
00402F3D .8D4D CC LEA ECX, DWORD PTR SS: ; |
00402F40 .51 PUSH ECX ; |Arg1
00402F41 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
00402F47 .8BF8 MOV EDI, EAX
00402F49 .8B17 MOV EDX, DWORD PTR DS:
00402F4B .8D45 D8 LEA EAX, DWORD PTR SS:
00402F4E .50 PUSH EAX
00402F4F .57 PUSH EDI
00402F50 .FF92 A0000000 CALL DWORD PTR DS:
00402F56 .DBE2 FCLEX
00402F58 .3BC3 CMP EAX, EBX
00402F5A .7D 12 JGE SHORT 00402F6E
00402F5C .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00402F61 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00402F66 .57 PUSH EDI ; |Arg2
00402F67 .50 PUSH EAX ; |Arg1
00402F68 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402F6E >8B0E MOV ECX, DWORD PTR DS:
00402F70 .56 PUSH ESI
00402F71 .FF91 00030000 CALL DWORD PTR DS:
00402F77 .50 PUSH EAX ; /Arg2
00402F78 .8D55 C8 LEA EDX, DWORD PTR SS: ; |
00402F7B .52 PUSH EDX ; |Arg1
00402F7C .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
00402F82 .8D4D D4 LEA ECX, DWORD PTR SS:
00402F85 .8BF8 MOV EDI, EAX
00402F87 .8B07 MOV EAX, DWORD PTR DS:
00402F89 .51 PUSH ECX
00402F8A .57 PUSH EDI
00402F8B .FF90 A0000000 CALL DWORD PTR DS:
00402F91 .DBE2 FCLEX
00402F93 .3BC3 CMP EAX, EBX
00402F95 .7D 12 JGE SHORT 00402FA9
00402F97 .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00402F9C .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00402FA1 .57 PUSH EDI ; |Arg2
00402FA2 .50 PUSH EAX ; |Arg1
00402FA3 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00402FA9 >8B55 D4 MOV EDX, DWORD PTR SS:
00402FAC .52 PUSH EDX ; /Arg2
00402FAD .68 48274000 PUSH 00402748 ; |Arg1 = 00402748
00402FB2 .FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; \ compare the registration code with the string at 00402748
00402FB8 .8BF8 MOV EDI, EAX
00402FBA .8B45 D8 MOV EAX, DWORD PTR SS:
00402FBD .F7DF NEG EDI
00402FBF .1BFF SBB EDI, EDI
00402FC1 .50 PUSH EAX ; /Arg2
00402FC2 .47 INC EDI ; |
00402FC3 .68 38274000 PUSH 00402738 ; |Arg1 = 00402738
00402FC8 .F7DF NEG EDI ; |
00402FCA .FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; \ compare the registration name with the string at 00402738
00402FD0 .F7D8 NEG EAX
00402FD2 .1BC0 SBB EAX, EAX
00402FD4 .8D4D D4 LEA ECX, DWORD PTR SS:
00402FD7 .51 PUSH ECX
00402FD8 .8D55 D8 LEA EDX, DWORD PTR SS:
00402FDB .40 INC EAX
00402FDC .52 PUSH EDX
00402FDD .F7D8 NEG EAX
00402FDF .6A 02 PUSH 2
00402FE1 .23F8 AND EDI, EAX ; AND the two comparison results
00402FE3 .FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>;MSVBVM60.__vbaFreeStrList
00402FE9 .8D45 C8 LEA EAX, DWORD PTR SS:
00402FEC .50 PUSH EAX
00402FED .8D4D CC LEA ECX, DWORD PTR SS:
00402FF0 .51 PUSH ECX
00402FF1 .6A 02 PUSH 2
00402FF3 .FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObjList>;MSVBVM60.__vbaFreeObjList
00402FF9 .83C4 18 ADD ESP, 18
00402FFC .66:3BFB CMP DI, BX
00402FFF 0F84 91000000 JE 00403096 ; jump if either comparison failed
00403005 .B9 0A000000 MOV ECX, 0A ; both equal: fall through (built-in trial registration pair)
0040300A .B8 04000280 MOV EAX, 80020004
0040300F .894D 88 MOV DWORD PTR SS:, ECX
00403012 .894D 98 MOV DWORD PTR SS:, ECX
00403015 .BF 08000000 MOV EDI, 8
0040301A .8D95 F8FEFFFF LEA EDX, DWORD PTR SS:
00403020 .8D4D A8 LEA ECX, DWORD PTR SS:
00403023 .8945 90 MOV DWORD PTR SS:, EAX
00403026 .8945 A0 MOV DWORD PTR SS:, EAX
00403029 .C785 00FFFFFF>MOV DWORD PTR SS:, 00402788
00403033 .89BD F8FEFFFF MOV DWORD PTR SS:, EDI
00403039 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
0040303F .8D95 08FFFFFF LEA EDX, DWORD PTR SS:
00403045 .8D4D B8 LEA ECX, DWORD PTR SS:
00403048 .C785 10FFFFFF>MOV DWORD PTR SS:, 00402758
00403052 .89BD 08FFFFFF MOV DWORD PTR SS:, EDI
00403058 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
0040305E .8D55 88 LEA EDX, DWORD PTR SS:
00403061 .52 PUSH EDX
00403062 .8D45 98 LEA EAX, DWORD PTR SS:
00403065 .50 PUSH EAX
00403066 .8D4D A8 LEA ECX, DWORD PTR SS:
00403069 .51 PUSH ECX
0040306A .6A 40 PUSH 40
0040306C .8D55 B8 LEA EDX, DWORD PTR SS:
0040306F .52 PUSH EDX
00403070 .FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; show "trial registration succeeded"
00403076 .8D45 88 LEA EAX, DWORD PTR SS:
00403079 .50 PUSH EAX
0040307A .8D4D 98 LEA ECX, DWORD PTR SS:
0040307D .51 PUSH ECX
0040307E .8D55 A8 LEA EDX, DWORD PTR SS:
00403081 .52 PUSH EDX
00403082 .8D45 B8 LEA EAX, DWORD PTR SS:
00403085 .50 PUSH EAX
00403086 .6A 04 PUSH 4
00403088 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
0040308E .83C4 14 ADD ESP, 14
00403091 .E9 44030000 JMP 004033DA
00403096 >8B0E MOV ECX, DWORD PTR DS:
00403098 .56 PUSH ESI
00403099 .FF91 00030000 CALL DWORD PTR DS:
0040309F .50 PUSH EAX ; /Arg2
004030A0 .8D55 CC LEA EDX, DWORD PTR SS: ; |
004030A3 .52 PUSH EDX ; |Arg1
004030A4 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
004030AA .8D4D D8 LEA ECX, DWORD PTR SS:
004030AD .8BF8 MOV EDI, EAX
004030AF .8B07 MOV EAX, DWORD PTR DS:
004030B1 .51 PUSH ECX
004030B2 .57 PUSH EDI
004030B3 .FF90 A0000000 CALL DWORD PTR DS:[EAX+A0] ; get the registration code we entered
004030B9 .DBE2 FCLEX
004030BB .3BC3 CMP EAX, EBX
004030BD .7D 12 JGE SHORT 004030D1
004030BF .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
004030C4 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
004030C9 .57 PUSH EDI ; |Arg2
004030CA .50 PUSH EAX ; |Arg1
004030CB .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
004030D1 >8B55 D8 MOV EDX, DWORD PTR SS:[EBP-28] ; the code we entered (fake)
004030D4 .8B86 94000000 MOV EAX, DWORD PTR DS:[ESI+94] ; the computed code (real)
004030DA .52 PUSH EDX ; /Arg2
004030DB .50 PUSH EAX ; |Arg1: "d eax" here shows the real registration code
004030DC .FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; \ compare real and fake codes
004030E2 .8BF8 MOV EDI, EAX
004030E4 .F7DF NEG EDI
004030E6 .1BFF SBB EDI, EDI
004030E8 .47 INC EDI
004030E9 .8D4D D8 LEA ECX, DWORD PTR SS:
004030EC .F7DF NEG EDI
004030EE .FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
004030F4 .8D4D CC LEA ECX, DWORD PTR SS:
004030F7 .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
004030FD .66:3BFB CMP DI, BX
00403100 0F84 10010000 JE 00403216 ; key jump: codes differ -> error path (patch point: NOP it out)
00403106 .8B0E MOV ECX, DWORD PTR DS:
00403108 .56 PUSH ESI
00403109 .FF91 08030000 CALL DWORD PTR DS:
0040310F .50 PUSH EAX ; /Arg2
00403110 .8D55 CC LEA EDX, DWORD PTR SS: ; |
00403113 .52 PUSH EDX ; |Arg1
00403114 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
0040311A .8D4D D8 LEA ECX, DWORD PTR SS:
0040311D .8BF8 MOV EDI, EAX
0040311F .8B07 MOV EAX, DWORD PTR DS:
00403121 .51 PUSH ECX
00403122 .57 PUSH EDI
00403123 .FF90 A0000000 CALL DWORD PTR DS:
00403129 .DBE2 FCLEX
0040312B .3BC3 CMP EAX, EBX
0040312D .7D 12 JGE SHORT 00403141
0040312F .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00403134 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00403139 .57 PUSH EDI ; |Arg2
0040313A .50 PUSH EAX ; |Arg1
0040313B .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00403141 >B9 0A000000 MOV ECX, 0A
00403146 .B8 04000280 MOV EAX, 80020004
0040314B .894D 88 MOV DWORD PTR SS:, ECX
0040314E .894D 98 MOV DWORD PTR SS:, ECX
00403151 .BF 08000000 MOV EDI, 8
00403156 .8D95 08FFFFFF LEA EDX, DWORD PTR SS:
0040315C .8D4D A8 LEA ECX, DWORD PTR SS:
0040315F .8945 90 MOV DWORD PTR SS:, EAX
00403162 .8945 A0 MOV DWORD PTR SS:, EAX
00403165 .C785 10FFFFFF>MOV DWORD PTR SS:, 004027DC
0040316F .89BD 08FFFFFF MOV DWORD PTR SS:, EDI
00403175 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
0040317B .8B55 D8 MOV EDX, DWORD PTR SS:
0040317E .68 A0274000 PUSH 004027A0
00403183 .52 PUSH EDX
00403184 .FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ;MSVBVM60.__vbaStrCat
0040318A .8BD0 MOV EDX, EAX
0040318C .8D4D D4 LEA ECX, DWORD PTR SS:
0040318F .FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
00403195 .50 PUSH EAX
00403196 .68 A8274000 PUSH 004027A8
0040319B .FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ;MSVBVM60.__vbaStrCat
004031A1 .8BD0 MOV EDX, EAX
004031A3 .8D4D D0 LEA ECX, DWORD PTR SS:
004031A6 .FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
004031AC .50 PUSH EAX
004031AD .68 B4274000 PUSH 004027B4
004031B2 .FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>] ;MSVBVM60.__vbaStrCat
004031B8 .8945 C0 MOV DWORD PTR SS:, EAX
004031BB .8D45 88 LEA EAX, DWORD PTR SS:
004031BE .50 PUSH EAX
004031BF .8D4D 98 LEA ECX, DWORD PTR SS:
004031C2 .51 PUSH ECX
004031C3 .8D55 A8 LEA EDX, DWORD PTR SS:
004031C6 .52 PUSH EDX
004031C7 .6A 40 PUSH 40
004031C9 .8D45 B8 LEA EAX, DWORD PTR SS:
004031CC .50 PUSH EAX
004031CD .897D B8 MOV DWORD PTR SS:, EDI
004031D0 .FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; show "registration successful"
004031D6 .8D4D D0 LEA ECX, DWORD PTR SS:
004031D9 .51 PUSH ECX
004031DA .8D55 D4 LEA EDX, DWORD PTR SS:
004031DD .52 PUSH EDX
004031DE .8D45 D8 LEA EAX, DWORD PTR SS:
004031E1 .50 PUSH EAX
004031E2 .6A 03 PUSH 3
004031E4 .FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>;MSVBVM60.__vbaFreeStrList
004031EA .83C4 10 ADD ESP, 10
004031ED .8D4D CC LEA ECX, DWORD PTR SS:
004031F0 .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
004031F6 .8D4D 88 LEA ECX, DWORD PTR SS:
004031F9 .51 PUSH ECX
004031FA .8D55 98 LEA EDX, DWORD PTR SS:
004031FD .52 PUSH EDX
004031FE .8D45 A8 LEA EAX, DWORD PTR SS:
00403201 .50 PUSH EAX
00403202 .8D4D B8 LEA ECX, DWORD PTR SS:
00403205 .51 PUSH ECX
00403206 .6A 04 PUSH 4
00403208 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
0040320E .83C4 14 ADD ESP, 14
00403211 .E9 C4010000 JMP 004033DA
00403216 >8B16 MOV EDX, DWORD PTR DS:
00403218 .56 PUSH ESI
00403219 .FF92 08030000 CALL DWORD PTR DS:
0040321F .50 PUSH EAX ; /Arg2
00403220 .8D45 CC LEA EAX, DWORD PTR SS: ; |
00403223 .50 PUSH EAX ; |Arg1
00403224 .FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; \__vbaObjSet
0040322A .8D55 D8 LEA EDX, DWORD PTR SS:
0040322D .8BF8 MOV EDI, EAX
0040322F .8B0F MOV ECX, DWORD PTR DS:
00403231 .52 PUSH EDX
00403232 .57 PUSH EDI
00403233 .FF91 A0000000 CALL DWORD PTR DS:
00403239 .DBE2 FCLEX
0040323B .3BC3 CMP EAX, EBX
0040323D .7D 12 JGE SHORT 00403251
0040323F .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00403244 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00403249 .57 PUSH EDI ; |Arg2
0040324A .50 PUSH EAX ; |Arg1
0040324B .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
00403251 >B9 0A000000 MOV ECX, 0A
00403256 .B8 04000280 MOV EAX, 80020004
0040325B .898D 18FFFFFF MOV DWORD PTR SS:, ECX
00403261 .898D 28FFFFFF MOV DWORD PTR SS:, ECX
00403267 .BF 08000000 MOV EDI, 8
0040326C .8D95 B8FEFFFF LEA EDX, DWORD PTR SS:
00403272 .8D8D 38FFFFFF LEA ECX, DWORD PTR SS:
00403278 .8985 20FFFFFF MOV DWORD PTR SS:, EAX
0040327E .8985 30FFFFFF MOV DWORD PTR SS:, EAX
00403284 .C785 C0FEFFFF>MOV DWORD PTR SS:, 00402844
0040328E .89BD B8FEFFFF MOV DWORD PTR SS:, EDI
00403294 .FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ;MSVBVM60.__vbaVarDup
0040329A .8B45 D8 MOV EAX, DWORD PTR SS:
0040329D .8945 A0 MOV DWORD PTR SS:, EAX
004032A0 .8D85 18FFFFFF LEA EAX, DWORD PTR SS:
004032A6 .50 PUSH EAX
004032A7 .8D8D 28FFFFFF LEA ECX, DWORD PTR SS:
004032AD .51 PUSH ECX
004032AE .8D95 38FFFFFF LEA EDX, DWORD PTR SS:
004032B4 .52 PUSH EDX
004032B5 .6A 10 PUSH 10
004032B7 .8D85 08FFFFFF LEA EAX, DWORD PTR SS:
004032BD .50 PUSH EAX
004032BE .8D4D DC LEA ECX, DWORD PTR SS:
004032C1 .51 PUSH ECX
004032C2 .8D55 B8 LEA EDX, DWORD PTR SS:
004032C5 .89BD 08FFFFFF MOV DWORD PTR SS:, EDI
004032CB .89BD F8FEFFFF MOV DWORD PTR SS:, EDI
004032D1 .897D 98 MOV DWORD PTR SS:, EDI
004032D4 .89BD E8FEFFFF MOV DWORD PTR SS:, EDI
004032DA .89BD D8FEFFFF MOV DWORD PTR SS:, EDI
004032E0 .89BD C8FEFFFF MOV DWORD PTR SS:, EDI
004032E6 .8B3D C0104000 MOV EDI, DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>;MSVBVM60.__vbaVarAdd
004032EC .52 PUSH EDX
004032ED .C785 10FFFFFF>MOV DWORD PTR SS:, 004027E8
004032F7 .C785 00FFFFFF>MOV DWORD PTR SS:, 004027A0
00403301 .895D D8 MOV DWORD PTR SS:, EBX
00403304 .C785 F0FEFFFF>MOV DWORD PTR SS:, 004027A8
0040330E .C785 E0FEFFFF>MOV DWORD PTR SS:[EBP-120], 00402804 ; UTF-16 string literal (OllyDbg's ASCII rendering of it is garbage)
00403318 .C785 D0FEFFFF>MOV DWORD PTR SS:, 00402830
00403322 .FFD7 CALL EDI ;<&MSVBVM60.__vbaVarAdd>
00403324 .50 PUSH EAX
00403325 .8D85 F8FEFFFF LEA EAX, DWORD PTR SS:
0040332B .50 PUSH EAX
0040332C .8D4D A8 LEA ECX, DWORD PTR SS:
0040332F .51 PUSH ECX
00403330 .FFD7 CALL EDI
00403332 .50 PUSH EAX
00403333 .8D55 98 LEA EDX, DWORD PTR SS:
00403336 .52 PUSH EDX
00403337 .8D45 88 LEA EAX, DWORD PTR SS:
0040333A .50 PUSH EAX
0040333B .FFD7 CALL EDI
0040333D .50 PUSH EAX
0040333E .8D8D E8FEFFFF LEA ECX, DWORD PTR SS:
00403344 .51 PUSH ECX
00403345 .8D95 78FFFFFF LEA EDX, DWORD PTR SS:
0040334B .52 PUSH EDX
0040334C .FFD7 CALL EDI
0040334E .50 PUSH EAX
0040334F .8D85 D8FEFFFF LEA EAX, DWORD PTR SS:
00403355 .50 PUSH EAX
00403356 .8D8D 68FFFFFF LEA ECX, DWORD PTR SS:
0040335C .51 PUSH ECX
0040335D .FFD7 CALL EDI
0040335F .50 PUSH EAX
00403360 .8D55 DC LEA EDX, DWORD PTR SS:
00403363 .52 PUSH EDX
00403364 .8D85 58FFFFFF LEA EAX, DWORD PTR SS:
0040336A .50 PUSH EAX
0040336B .FFD7 CALL EDI
0040336D .50 PUSH EAX
0040336E .8D8D C8FEFFFF LEA ECX, DWORD PTR SS:
00403374 .51 PUSH ECX
00403375 .8D95 48FFFFFF LEA EDX, DWORD PTR SS:
0040337B .52 PUSH EDX
0040337C .FFD7 CALL EDI
0040337E .50 PUSH EAX
0040337F .FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; show "the registration code you entered is wrong"
00403385 .8D4D CC LEA ECX, DWORD PTR SS:
......
3. We break at 00402BEE and step into it with F7. The first instruction inside is a JMP 00403490; step over it and we arrive here:
......
00403490 > \55 PUSH EBP ;<==== the JMP lands here
00403491 .8BEC MOV EBP, ESP
00403493 .83EC 0C SUB ESP, 0C
......
00403561 .FF92 A0000000 CALL DWORD PTR DS:[EDX+A0] ; get the registration name
00403567 .DBE2 FCLEX
00403569 .3BC3 CMP EAX, EBX
0040356B .7D 12 JGE SHORT 0040357F
0040356D .68 A0000000 PUSH 0A0 ; /Arg4 = 000000A0
00403572 .68 60264000 PUSH 00402660 ; |Arg3 = 00402660
00403577 .57 PUSH EDI ; |Arg2
00403578 .50 PUSH EAX ; |Arg1
00403579 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; \__vbaHresultCheckObj
0040357F >8B4D D8 MOV ECX, DWORD PTR SS:
00403582 .51 PUSH ECX ; /Arg1
00403583 .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>] ; \ length of the registration name
00403589 .8D4E 70 LEA ECX, DWORD PTR DS:
0040358C .8D55 A0 LEA EDX, DWORD PTR SS:
0040358F .8945 A8 MOV DWORD PTR SS:, EAX
00403592 .C745 A0 03000>MOV DWORD PTR SS:, 3
00403599 .FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMove>] ;MSVBVM60.__vbaVarMove
0040359F .8D4D D8 LEA ECX, DWORD PTR SS:
004035A2 .FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
004035A8 .8D4D D0 LEA ECX, DWORD PTR SS:
004035AB .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
004035B1 >8B96 80000000 MOV EDX, DWORD PTR DS:[ESI+80] ; EDX = loop counter (starts at 1)
004035B7 .8D45 A0 LEA EAX, DWORD PTR SS:
004035BA .50 PUSH EAX
004035BB .8D46 70 LEA EAX, DWORD PTR DS:
004035BE .50 PUSH EAX
004035BF .8955 A8 MOV DWORD PTR SS:, EDX
004035C2 .C745 A0 03800>MOV DWORD PTR SS:, 8003
004035C9 .FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstLe>] ; is the loop counter <= the name length?
004035CF .66:85C0 TEST AX, AX
004035D2 0F84 AA010000 JE 00403782 ; no: leave the loop
004035D8 .8B96 80000000 MOV EDX, DWORD PTR DS:[ESI+80] ; yes: go on computing the code
004035DE .8D4D C0 LEA ECX, DWORD PTR SS:
004035E1 .51 PUSH ECX ; /Arg4
004035E2 .8D46 6C LEA EAX, DWORD PTR DS: ; |
004035E5 .8945 A8 MOV DWORD PTR SS:, EAX ; |
004035E8 .52 PUSH EDX ; |Arg3
004035E9 .8D45 A0 LEA EAX, DWORD PTR SS: ; |
004035EC .50 PUSH EAX ; |Arg2
004035ED .8D4D B0 LEA ECX, DWORD PTR SS: ; |
004035F0 .51 PUSH ECX ; |Arg1
004035F1 .C745 C8 01000>MOV DWORD PTR SS:, 1 ; |
004035F8 .C745 C0 02000>MOV DWORD PTR SS:, 2 ; |
004035FF .C745 A0 08400>MOV DWORD PTR SS:, 4008 ; |
00403606 .FF15 5C104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; \ take the characters of the name one at a time (#632 = rtcMidCharVar, VB's Mid)
0040360C .8BBE 80000000 MOV EDI, DWORD PTR DS:
00403612 .81FF 00010000 CMP EDI, 100
00403618 .72 06 JB SHORT 00403620
0040361A .FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00403620 >8B46 60 MOV EAX, DWORD PTR DS:
00403623 .8BCF MOV ECX, EDI
00403625 .C1E1 04 SHL ECX, 4
00403628 .8D55 B0 LEA EDX, DWORD PTR SS:
0040362B .03C8 ADD ECX, EAX
0040362D .FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMove>] ;MSVBVM60.__vbaVarMove
00403633 .8D55 B0 LEA EDX, DWORD PTR SS:
00403636 .52 PUSH EDX
00403637 .8D45 C0 LEA EAX, DWORD PTR SS:
0040363A .50 PUSH EAX
0040363B .6A 02 PUSH 2
0040363D .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
00403643 .8BBE 80000000 MOV EDI, DWORD PTR DS:
00403649 .83C4 0C ADD ESP, 0C
0040364C .81FF 00010000 CMP EDI, 100
00403652 .72 06 JB SHORT 0040365A
00403654 .FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
0040365A >8B9E 80000000 MOV EBX, DWORD PTR DS:
00403660 .81FB 00010000 CMP EBX, 100
00403666 .72 06 JB SHORT 0040366E
00403668 .FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
0040366E >8B4E 60 MOV ECX, DWORD PTR DS:
00403671 .C1E7 04 SHL EDI, 4
00403674 .03F9 ADD EDI, ECX
00403676 .57 PUSH EDI ; /Arg2
00403677 .8D4D D8 LEA ECX, DWORD PTR SS: ; |
0040367A .51 PUSH ECX ; |Arg1
0040367B .FF15 94104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00403681 .50 PUSH EAX ; /Arg1
00403682 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; \ ASCII value of that character (#516 = rtcAnsiValueBstr, VB's Asc)
00403688 .0FBFD0 MOVSX EDX, AX ; sign-extend into EDX: value A
0040368B .8B86 80000000 MOV EAX, DWORD PTR DS:[ESI+80] ; EAX = loop counter (1-based position of the current character in the name)
00403691 .6BC0 08 IMUL EAX, EAX, 8 ; EAX = position * 8: value B
00403694 .0F80 68010000 JO 00403802
0040369A .33D0 XOR EDX, EAX ; C = A XOR B
0040369C .52 PUSH EDX ; /Arg1
0040369D .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>] ; \__vbaStrI4
004036A3 .8BD0 MOV EDX, EAX
004036A5 .8D4D D4 LEA ECX, DWORD PTR SS:
004036A8 .FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
004036AE .8B4E 44 MOV ECX, DWORD PTR DS:
004036B1 .8BD0 MOV EDX, EAX
004036B3 .8D0C99 LEA ECX, DWORD PTR DS:
004036B6 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
004036BC .8D55 D4 LEA EDX, DWORD PTR SS:
004036BF .52 PUSH EDX
004036C0 .8D45 D8 LEA EAX, DWORD PTR SS:
004036C3 .50 PUSH EAX
004036C4 .6A 02 PUSH 2
004036C6 .FF15 B0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>;MSVBVM60.__vbaFreeStrList
004036CC .8BBE 80000000 MOV EDI, DWORD PTR DS:
004036D2 .83C4 0C ADD ESP, 0C
004036D5 .81FF 00010000 CMP EDI, 100
004036DB .72 06 JB SHORT 004036E3
004036DD .FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
004036E3 >8B4E 44 MOV ECX, DWORD PTR DS:
004036E6 .8B14B9 MOV EDX, DWORD PTR DS:
004036E9 .52 PUSH EDX
004036EA .FF15 AC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>] ;MSVBVM60.__vbaI4Str
004036F0 .50 PUSH EAX ; /Arg2
004036F1 .8D45 C0 LEA EAX, DWORD PTR SS: ; |
004036F4 .50 PUSH EAX ; |Arg1
004036F5 .FF15 8C104000 CALL DWORD PTR DS:[<&MSVBVM60.#608>] ; \ turn the value C back into a character (#608 = rtcVarBstrFromAnsi, VB's Chr)
004036FB .8DBE 84000000 LEA EDI, DWORD PTR DS:
00403701 .8D55 C0 LEA EDX, DWORD PTR SS:
00403704 .8BCF MOV ECX, EDI
00403706 .FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMove>] ;MSVBVM60.__vbaVarMove
0040370C .8D4D C0 LEA ECX, DWORD PTR SS:
0040370F .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
00403715 .8B8E 94000000 MOV ECX, DWORD PTR DS:
0040371B .57 PUSH EDI ; /Arg3
0040371C .8D55 A0 LEA EDX, DWORD PTR SS: ; |
0040371F .8D9E 94000000 LEA EBX, DWORD PTR DS: ; |
00403725 .52 PUSH EDX ; |Arg2
00403726 .8D45 C0 LEA EAX, DWORD PTR SS: ; |
00403729 .50 PUSH EAX ; |Arg1
0040372A .894D A8 MOV DWORD PTR SS:, ECX ; |
0040372D .C745 A0 08000>MOV DWORD PTR SS:, 8 ; |
00403734 .FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAdd>] ; \ concatenate: the new character goes in front of the code built so far ([ESI+94])
0040373A .50 PUSH EAX
0040373B .FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMove>>;MSVBVM60.__vbaStrVarMove
00403741 .8BD0 MOV EDX, EAX
00403743 .8D4D D8 LEA ECX, DWORD PTR SS:
00403746 .FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
0040374C .8BD0 MOV EDX, EAX
0040374E .8BCB MOV ECX, EBX
00403750 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
00403756 .8D4D D8 LEA ECX, DWORD PTR SS:
00403759 .FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0040375F .8D4D C0 LEA ECX, DWORD PTR SS:
00403762 .FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
00403768 .8B8E 80000000 MOV ECX, DWORD PTR DS:
0040376E .83C1 01 ADD ECX, 1 ; loop counter + 1
00403771 .0F80 8B000000 JO 00403802
00403777 .898E 80000000 MOV DWORD PTR DS:, ECX
0040377D .^ E9 2FFEFFFF JMP 004035B1 ; loop
..........
4. Algorithm analysis
(1) Take the ASCII code of each character of the registration name in turn.
Name : h u a z i 0 7 4 5
ASCII: 68 75 61 7A 69 30 37 34 35
(2) XOR each ASCII code with 8 times that character's position in the name (positions count from 1; all values are hexadecimal).
Name         : h  u  a  z  i  0  7  4  5
ASCII        : 68 75 61 7A 69 30 37 34 35
position * 8 : 08 10 18 20 28 30 38 40 48
XOR result   : 60 65 79 5A 41 00 0F 74 7D
as character : `  e  y  Z  A  NUL 0F t  }
(3) The correct registration code
The digits at the end of the name produce values (00, 0F) that can neither be displayed nor typed, so the digits are dropped from the name. Each new character is placed in front of the string built so far:
Step 1: character ` , string so far `
Step 2: character e , string so far e + ` = e`
Step 3: character y , string so far y + e` = ye`
Step 4: character Z , string so far Z + ye` = Zye`
Step 5: character A , string so far A + Zye` = AZye`
So one valid name/code pair is:
Name: huazi
Code: AZye`
(4) As for why this Crackme limits the length of the name, my guess is that as the position grows the product gets large and the XOR result is no longer always a displayable letter, digit or other visible character. The arithmetic bears this out: from position 16 onwards position * 8 is at least 0x80, so the XOR result leaves 7-bit ASCII, and at position 32 it reaches 0x100, which Chr() cannot represent at all; lowercase letters already turn into control characters at positions 12 to 15 (for example 'a' at position 12: 0x61 XOR 0x60 = 0x01).
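The whole keygen, as an added example that is not part of the original post or the crackme author's code. It implements the loop recovered above (004035B1 to 0040377D): for the i-th character of the name, counting from 1, C = Asc(ch) XOR (i * 8), and Chr(C) is put in front of the string built so far, which is what the __vbaVarAdd at 00403734 does with its operands; verify() is the exact string compare that __vbaStrCmp performs at 004030DC. Names are assumed to be ASCII, and the function names and the "typeable" policy (printable characters 0x20 to 0x7E) are my own choices, not the program's.

```python
# Keygen for the VB crackme analysed above (added example, not the post's or
# the crackme author's code). Algorithm as recovered from 004035B1..0040377D:
#     C = Asc(ch) XOR (position * 8)        position counts from 1
# and Chr(C) is placed IN FRONT of the code built so far, so the code reads
# back-to-front relative to the name. Names are assumed to be ASCII; the
# PRINTABLE range and all function names are my own assumptions.

PRINTABLE = range(0x20, 0x7F)   # assumption: what a user can type into the edit box


def code_char(ch: str, pos: int) -> int:
    """Value fed to Chr() for character `ch` at 1-based position `pos`."""
    return ord(ch) ^ (pos * 8)


def keygen(name: str) -> str:
    """Reproduce the crackme's registration code for `name`."""
    code = ""
    for pos, ch in enumerate(name, start=1):
        c = code_char(ch, pos)
        if c > 0xFF:
            # VB's Chr() only accepts 0..255; the program itself fails here,
            # so no registration code exists for such a name.
            raise ValueError(f"position {pos}: {c:#x} is out of Chr() range")
        code = chr(c) + code          # prepend, as the __vbaVarAdd call does
    return code


def verify(name: str, code: str) -> bool:
    """What the check at 004030DC does: an exact string compare (__vbaStrCmp)."""
    try:
        return keygen(name) == code
    except ValueError:
        return False


def typeable(name: str) -> bool:
    """True if every code character is printable ASCII, i.e. can be entered."""
    return all(code_char(ch, pos) in PRINTABLE
               for pos, ch in enumerate(name, start=1))


def longest_typeable_prefix(name: str) -> str:
    """Drop trailing characters until the code is fully typeable (the post
    trims 'huazi0745' to 'huazi' for exactly this reason)."""
    for pos, ch in enumerate(name, start=1):
        if code_char(ch, pos) not in PRINTABLE:
            return name[:pos - 1]
    return name


if __name__ == "__main__":
    # Constructed sample names: the post's own, and a long one to show the limit.
    for n in ("huazi", "huazi0745", "a" * 20):
        p = longest_typeable_prefix(n)
        print(f"{n!r:14} -> usable name {p!r:14} code {keygen(p)!r}")
```

Running the block prints one line per sample name. The ValueError path matters for long names: at position 32 the XOR result reaches 0x100 or more, which VB's Chr() rejects, so the keygen refuses instead of emitting a code the program could never produce; longest_typeable_prefix() handles the milder case where the code exists but contains characters that cannot be typed.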
That's all, thanks for reading to the end ^_^ I am a complete beginner myself, so to make sure other beginners can follow I have tried to be as detailed as possible.
Anyone who can write up an algorithm is no newbie in my eyes; I don't understand algorithms :L
A video tutorial would be great, or is that asking too much :P
I'll try to write it in detail; follow along and give it a try :P
Can't download the attachment, not enough credits :L
Originally posted by qq500com on 2007-1-21 20:34:
Can't download the attachment, not enough credits :L
Try this download link: http://bbs.pediy.com/upload/2005/37/files/cm1.rar
Downloaded, going to study the algorithm.
I want to learn the algorithm too~ :L
KuNgBiM
Very efficient.. VB...
Aha. Definitely downloading this to study.
Very detailed explanation, good stuff.
Great stuff, thanks!