Wicked Crackme 2 -- PE DIY on VB P-code
Analysis of Wicked Crackme 2 by LaFarge ----- an attempt at PE DIY on VB P-code
【Author】 winndy
【Author e-mail】 [email protected]
【Tools】 PEiD v0.93, OllyDbg v1.10 (fly's modified build), WKTVBDebugger 14e
【Platform】 WinXP SP2
【Target】 Wicked Crackme 2 by LaFarge
【Download】 http://www.reversing.be/article.php?story=20050510044959202
【Language】 VB P-code
【Statement】 For study, for fun.
【Notes】 No packer, and the algorithm is trivial; the interesting part is DIYing the original crackme into a keygen. Please point out any mistakes.
【Process】 PEiD: no packer, written in VB.
At first I did not know it was P-code,
so I loaded it in OD and set breakpoints at 00401030 and 00401036.
Later the program behaved oddly while running, so I guessed it was P-code and switched to WKTVBDebugger to debug it.
This is OD's analysis:
00401030 .- FF25 08104000 jmp dword ptr ds:[<&MSVBVM60.#595>] ;MSVBVM60.rtcMsgBox
00401036 .- FF25 0C104000 jmp dword ptr ds:[<&MSVBVM60.#631>] ;MSVBVM60.rtcMidCharBstr
0040103C .- FF25 04104000 jmp dword ptr ds:[<&MSVBVM60.#516>] ;MSVBVM60.rtcAnsiValueBstr
00401042 .- FF25 1C104000 jmp dword ptr ds:[<&MSVBVM60.__vbaExceptHa>;MSVBVM60.__vbaExceptHandler
00401048 .- FF25 18104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Qu>;MSVBVM60.EVENT_SINK_QueryInterface
0040104E .- FF25 10104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Ad>;MSVBVM60.EVENT_SINK_AddRef
00401054 .- FF25 14104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Re>;MSVBVM60.EVENT_SINK_Release
0040105A .- FF25 00104000 jmp dword ptr ds:[<&MSVBVM60.MethCallEngin>;MSVBVM60.MethCallEngine
00401060 $- FF25 20104000 jmp dword ptr ds:[<&MSVBVM60.#100>] ;MSVBVM60.ThunRTMain
00401066 00 db 00
00401067 00 db 00
00401068 Wi> $68 D0134000 push Wicked_C.004013D0
It breaks at 00401036; the stack:
0012F3CC 7348F7F5 返回到 MSVBVM60.7348F7F5
0012F3D0 001501B4 UNICODE "winndy"
0012F3D4 00000001
F9: it breaks again at 00401036,
0012F3CC 7348F7F5 返回到 MSVBVM60.7348F7F5
0012F3D0 001501B4 UNICODE "winndy"
0012F3D4 00000002
...
After five presses it breaks at 00401030,
0012F3C4 7348F7B7 返回到 MSVBVM60.7348F7B7
0012F3C8 0012F560
0012F3CC 00000010
0012F3D0 0012F500
0012F3D4 0012F4E0
0012F3D8 0012F4C0
0012F3DC 00000008
0012F3E0 00000000
0012F3E4 00156924 UNICODE "1112-915-752-1053-868"
Guess:
Name: winndy
SN: "1112-915-752-1053-868"
Checked it: the guess was right!
This also showed that the crackme is P-code.
Now look at it with WKTVBDE: after loading, click "Form Manager", select "Form1",
click command, select "cmdCheck", then BPX.
00403A34: 04 FLdRfVar 0012F558h
00403A37: 21 FLdPrThis 001478D8h
00403A38: 0F VCallAd Form1.txtName
00403A3B: 19 FStAdFunc
00403A3E: 08 FLdPr
00403A41: 0D VCallHresult get__ipropTEXTEDIT
//0012F558:A4 A0 15 00
//0015A0A4:77 00 69 00 6E 00 6E 00
//0015A0AC:64 00 79 00 00 00
00403A46: 3E FLdZeroAd
//after execution the stack becomes 0012F3B0:A4 A0 15 00 00 00 00 00
00403A49: 46 CVarStr
//after execution the stack becomes 0012F3B0:38 F5 12 00 00 00 00 00
//0012F538:08 00 00 00 00 00 00 00
//0012F540:A4 A0 15 00 00 00 00 00
00403A4C: FC Lead1/FStVar
00403A50: 1A FFree1Ad
00403A53: 04 FLdRfVar 0012F558h
00403A56: 21 FLdPrThis 001478D8h
00403A57: 0F VCallAd Form1.txtSerial00404D70
00403A5A: 19 FStAdFunc 0012F55C
00403A5D: 08 FLdPr 00E00CCCh
00403A60: 0D VCallHresult get__ipropTEXTEDIT 00E00D6C
00403A65: 3E FLdZeroAd
00403A68: 46 CVarStr 0012F538h 00181E24h
Open Memory Dump and enter 00181E24:
00181E24:31 00 32 00 33 00 34 00
00181E2C:35 00 36 00 37 00 38 00
00181E34:00 00
00403A6B: FC Lead1/FStVar
00403A6F: 1A FFree1Ad
00403A72: 04 FLdRfVar 0012F548h
00403A75: EB FnLenVar
00403A79: FC Lead1/FStVar
00403A7D: 04 FLdRfVar 0012F528h
00403A80: EB FnLenVar
00403A84: FC Lead1/FStVar
00403A88: 04 FLdRfVar 0012F518h
00403A8B: 28 LitVarI2 0h , 0
00403A90: 5D HardType
00403A91: 33 EqVarBool
00403A93: 1C BranchF 00403ACA ?
00403A96: 27 LitVar_Missing 0012F498h
00403A99: 27 LitVar_Missing 0012F4B8h
00403A9C: 3A LitVarStr 'Error in name'
00403AA1: 4E FStVarCopyObj 0012F4D8h
00403AA4: 04 FLdRfVar 0012F4D8h
00403AA7: F5 LitI4: -> 10h 16
00403AAC: 3A LitVarStr 'Sorry, U must enter a name !!!'
00403AB1: 4E FStVarCopyObj 0012F538h
00403AB4: 04 FLdRfVar 0012F538h
00403AB7: 0A ImpAdCallFPR4 rtcMsgBox on address 73472F29h
00403ABC: 36 FFreeVar -> 4
00403AC7: 1E Branch 00403D51 ?
00403ACA: 04 FLdRfVar 0012F518h
00403ACD: 28 LitVarI2 5h , 5
00403AD2: 5D HardType
00403AD3: 67 LtVarBool
00403AD5: 1C BranchF 00403B0C ?
00403AD8: 27 LitVar_Missing 0012F498h
00403ADB: 27 LitVar_Missing 0012F4B8h
00403ADE: 3A LitVarStr 'Error in name'
00403AE3: 4E FStVarCopyObj 0012F4D8h
00403AE6: 04 FLdRfVar 0012F4D8h
00403AE9: F5 LitI4: -> 10h 16
00403AEE: 3A LitVarStr 'Sorry, name must be 5+ characters long!'
00403AF3: 4E FStVarCopyObj 0012F538h
00403AF6: 04 FLdRfVar 0012F538h
00403AF9: 0A ImpAdCallFPR4 rtcMsgBox on address 73472F29h
00403AFE: 36 FFreeVar -> 4
00403B09: 1E Branch 00403D51 ?
00403B0C: 04 FLdRfVar 0012F508h
00403B0F: 28 LitVarI2 0h , 0
00403B14: 5D HardType
00403B15: 33 EqVarBool
00403B17: 1C BranchF 00403B4E ? ==> is the serial length 0?
00403B1A: 27 LitVar_Missing 0012F498h
00403B1D: 27 LitVar_Missing 0012F4B8h
00403B20: 3A LitVarStr 'Error in serial'
00403B25: 4E FStVarCopyObj 0012F4D8h
00403B4E: 28 LitVarI2 0012F538h 1h , 1
00403B53: F5 LitI4: -> 1h 1
00403B58: 04 FLdRfVar 0012F548h
00403B5B: FD Lead2/CStrVarVal
00403B5F: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403B64: 23 FStStrNoPop ===>'w'
00403B67: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403B6C: FD CStrUI1 ===>119(77h)
00403B6E: 31 FStStr
00403B71: 32 FFreeStr
00403B78: 35 FFree1Var
00403B7B: 6C ILdRf 00000000h
00403B7E: FC Lead1/CR8Str
00403B80: F3 LitI2: -> 3E1h 993 ===>******,1st Const
00403B83: EB CR8I2
00403B84: AB AddR8
00403B85: FD Lead2/CVarR8
00403B89: FC Lead1/FStVar
00403B8D: 28 LitVarI2 1h , 1
00403B92: F5 LitI4: -> 2h 2
00403B97: 04 FLdRfVar 0012F548h
00403B9A: FD Lead2/CStrVarVal
00403B9E: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403BA3: 23 FStStrNoPop ===>'i'
; stack:
; 0012F3B0 69 00 00 00
00403BA6: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403BAB: 44 CVarI2 0012F4E8h
00403BAE: FC Lead1/FStVar
00403BB2: 32 FFreeStr
00403BB9: 35 FFree1Var
00403BBC: 04 FLdRfVar 0012F474h
00403BBF: 28 LitVarI2 32Ah , 810 ===>******,2nd Const
00403BC4: 94 AddVar
00403BC8: FC Lead1/FStVar
00403BCC: 28 LitVarI2 1h , 1
00403BD1: F5 LitI4: -> 3h 3
00403BD9: FD Lead2/CStrVarVal
00403BDD: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403BE2: 23 FStStrNoPop
00403BE5: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403BEA: 44 CVarI2
00403BED: FC Lead1/FStVar
00403BF1: 32 FFreeStr
00403BF8: 35 FFree1Var
00403BFB: 04 FLdRfVar 0012F454h
00403BFE: 28 LitVarI2 0012F4F8h 282h , 642 ===>******,3rd Const
00403C03: 94 AddVar
00403C07: FC Lead1/FStVar
00403C0B: 28 LitVarI2 1h , 1
00403C10: F5 LitI4: -> 4h 4
00403C15: 04 FLdRfVar 0012F548h
00403C18: FD Lead2/CStrVarVal
00403C1C: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403C21: 23 FStStrNoPop
00403C24: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403C29: 44 CVarI2
00403C2C: FC Lead1/FStVar
00403C30: 32 FFreeStr
00403C37: 35 FFree1Var
00403C3A: 04 FLdRfVar 0012F434h
00403C3D: 28 LitVarI2 3AFh , 943 ===>******,4th Const
00403C42: 94 AddVar
00403C46: FC Lead1/FStVar
00403C4A: 28 LitVarI2 1h , 1
00403C4F: F5 LitI4: -> 5h 5
00403C54: 04 FLdRfVar 0012F548h
00403C57: FD Lead2/CStrVarVal
00403C5B: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403C60: 23 FStStrNoPop
00403C63: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403C68: 44 CVarI2
00403C6B: FC Lead1/FStVar
00403C6F: 32 FFreeStr
00403C76: 35 FFree1Var
00403C79: 04 FLdRfVar 0012F414h
00403C7C: 28 LitVarI2 300h , 768 ===>******,5th Const
00403C81: 94 AddVar
00403C85: FC Lead1/FStVar
00403C89: 04 FLdRfVar 0012F484h
00403C8C: 3A LitVarStr '-'
00403C91: EF ConcatVar
00403C95: 04 FLdRfVar 0012F464h
00403C98: EF ConcatVar
00403C9C: 3A LitVarStr '-'
00403CA1: EF ConcatVar
00403CA5: 04 FLdRfVar 0012F444h
00403CBC: 3A LitVarStr '-'
00403CC1: EF ConcatVar
00403CC5: 04 FLdRfVar 0012F404h ; push local variable 0012F404h
00403CC8: EF ConcatVar
00403CCC: FC Lead1/FStVar
00403CD0: 36 FFreeVar -> 7
00403CE1: 04 FLdRfVar 0012F528h
//0012F528:08 00 00 00 00 00 00 00
//0012F530:94 A6 15 00 00 00 00 00
//0015A694:31 00 32 00 33 00 34 00
//0015A69c:35 00 36 00 37 00 38 00
//0015A6A4:00 00
00403CE4: 04 FLdRfVar 0012F3B4h
//0012F3B4:08 00 00 00 00 00 00 00
//0012F3BC:4C B2 15 00 00 00 00 00
//0015B24C:31 00 31 00 31 00 32 00
//0015B254:2D 00 39 00 31 00 35 00
//0015B25C:2D 00 37 00 35 00 32 00
//0015B264:2D 00 31 00 30 00 35 00
//0015B26C:33 00 2D 00 38 00 36 00
//0015B274:38 00 00 00
00403CE7: 40 NeVarBool
00403CE9: 1C BranchF 00403D20 (No Jump)
00403CEC: 27 LitVar_Missing 0012F498h
00403CEF: 27 LitVar_Missing 0012F4B8h
00403CF2: 3A LitVarStr 'Wrong serial'
00403CF7: 4E FStVarCopyObj 0012F4D8h
00403CFA: 04 FLdRfVar 0012F4D8h
00403CFD: F5 LitI4: -> 10h 16
00403D02: 3A LitVarStr 'I'm sorry, but this serial doesn't match to your name !'
00403D07: 4E FStVarCopyObj 0012F538h
00403D0A: 04 FLdRfVar 0012F538h
00403D51: 13 ExitProcHresult
A simple guess at the registration algorithm:
The serial is "1112-915-752-1053-868", the code contains 5 constants, and this sequence appears
Lead2/CStrVarVal
ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
FStStrNoPop ==> one character can be seen in the hint panel
ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh ==> after it executes, the ASCII code can be seen at the top of the stack
CVarI2 ==> this converts it to a decimal integer
We can also see
LitVarI2 300h , 768 ===>******,5th Const
AddVar
i.e. each constant is followed by an add instruction.
So the guess: the serial is made from the decimal ASCII codes of the first 5 characters of the name, each plus its corresponding constant, joined with '-'.
Easy to verify with a calculator! A rich imagination and a knack for guessing are indispensable for a cracker!
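The recovered check, reimplemented in Python as an added example (not part of the original write-up) so the guess can be verified against the name/serial pair seen in the debugger; it assumes the name is plain ASCII, since rtcAnsiValueBstr returns the ANSI code and ord() only matches it for ASCII. recover_constants goes one step beyond the text: it shows that a single valid pair is enough to read all five constants back out, which is why an additive scheme like this gives no protection.

```python
# Added example, not code from the original write-up or from the crackme.
# Reimplements cmdCheck as read from the P-code listing above.

# The five LitVarI2 constants, in the order they are added (1st..5th Const).
CONSTANTS = (993, 810, 642, 943, 768)


def make_serial(name: str) -> str:
    """Build the serial cmdCheck expects for `name`.

    For i = 1..5: Asc(Mid(name, i, 1)) + CONSTANTS[i-1]; the five decimal
    results are joined with '-'.  Names the crackme itself rejects (empty,
    or shorter than 5 characters) raise ValueError with its message text.
    Assumption: ASCII names only, so ord() equals rtcAnsiValueBstr's result.
    """
    if len(name) == 0:
        raise ValueError("Sorry, U must enter a name !!!")
    if len(name) < 5:
        raise ValueError("Sorry, name must be 5+ characters long!")
    # Only the first five characters take part; any extra ones are ignored.
    fields = [str(ord(ch) + k) for ch, k in zip(name[:5], CONSTANTS)]
    return "-".join(fields)


def check_serial(name: str, serial: str) -> bool:
    """The final NeVarBool test: plain string equality, nothing more."""
    try:
        return make_serial(name) == serial
    except ValueError:
        return False


def recover_constants(name: str, serial: str) -> tuple:
    """Given one valid name/serial pair, recover the five constants.

    Each field is Asc(char) + constant, so subtracting the character code
    from the field yields the constant directly.  One observed pair is
    therefore enough to rebuild the whole scheme.
    """
    fields = [int(x) for x in serial.split("-")]
    return tuple(f - ord(ch) for f, ch in zip(fields, name[:5]))


if __name__ == "__main__":
    # The pair captured at the rtcMsgBox breakpoint above.
    print(make_serial("winndy"))  # 1112-915-752-1053-868
    print(recover_constants("winndy", "1112-915-752-1053-868"))
```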
========================Pcode DIY=================================================
Stopping here would be too boring, so I looked for a way to DIY it into a keygen.
If it were not a P-code program this would be easy: SetDlgItemTextA would do.
But this is P-code...
Observation: reading text1.text uses get__ipropTEXTEDIT, so which function puts data into text1.text?
By modifying the instruction (found by trial and error)
I discovered this correspondence:
0DA4 == put__ipropTEXTEDIT
0DA1 == get__ipropTEXTEDIT
00403A34: 04 FLdRfVar 0012F558h //12F5E8
00403A37: 21 FLdPrThis 001478D8h
00403A38: 0F VCallAd Form1.txtName
00403A3B: 19 FStAdFunc
00403A3E: 08 FLdPr
00403A41: 0D VCallHresult get__ipropTEXTEDIT
The corresponding machine code is:
00003a34h: 04 70 FF 21 0F 1003 19
74 FF 08 74 FF 0DA0 00 ; .p