jasonliyi
Posted on 2006-9-15 14:27:18
Wow. My master is the boss. Stuff. I definitely have to take a look. Hehe
傲月游居
Posted on 2006-9-23 16:34:54
Whoa, adding up the ASCII codes of the username character by character gives the serial~~ Boss, learned something~
kine36
528
qxtianlong
Posted on 2006-9-26 22:20:28
Haven't been here for a long time, taking a look
qxtianlong
Posted on 2006-9-27 23:18:25
Tracing the serial is easy, since it's a plaintext compare and the algorithm is simple too; I seem to have done something similar before...
Haven't written a crack write-up for so long that I can't write one anymore....
Played with it for a while and it was out...
qxtianlong
1093
Load it in OD, hide OD
Set breakpoints: bp __vbaLenBstr, __vbaStrCmp, rtcMsgBox
F9 to run, enter qxtianlong, 78787878, and it breaks at
733B49CE MS>8B4424 04 mov eax,dword ptr ss:
The info pane below shows
Stack ss:=00150C84, (UNICODE "qxtianlong")
eax=00150C84, (UNICODE "qxtianlong")
Then F8 to keep stepping; note this
733B49D6 8B40 FC mov eax,dword ptr ds:
733B49D9 D1E8 shr eax,1
Its function is to compute the length of qxtianlong (A), which is 10
F8 step on until here
004045F5 83F8 05 cmp eax,5
004045F8 /0F8D 85000000 jge crackme1.00404683
Its function is presumably to check whether the number of characters entered is greater than 5; if greater, continue (jump to 00404683), otherwise -_-!
00404683 8B45 E4 mov eax,dword ptr ss:
00404686 50 push eax
At 00404583 we can see ebp=0012F468, and =0012F4FC holds the value 00150C84
As you can see, it is the same as before, i.e. the address where qxtianlong is stored
push eax pushes 00150C84 onto the stack at 0012F384
Continuing, here we see
00404687 FFD6 call esi ; MSVBVM60.__vbaLenBstr
This should also be computing the string length..
00404689 8BC8 mov ecx,eax
Moves the value in EAX into ECX (ECX=A)
0040468B FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00404691 8B1D 14104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList
Here it presumably starts doing something with the username; step into the CALL and see. Judging by the word "free", it should be for releasing something...
After stepping in we arrive at
733B49DE MS>56 push esi
733B49DF 8BF1 mov esi,ecx
733B49E1 0FBFC6 movsx eax,si
733B49E4 3BC6 cmp eax,esi
733B49E6 0F85 3D1F0200 jnz MSVBVM60.733D6929
733B49EC 66:8BC6 mov ax,si
733B49EF 5E pop esi
733B49F0 C3 retn
push esi pushes the function address onto the stack
0012F380 733B49CE MSVBVM60.__vbaLenBstr
mov esi,ecx
moves the value in ECX into ESI (A), i.e. 10
movsx eax,si
cmp eax,esi
compares eax with esi; jump if not equal..
mov ax,si
pop esi pops the function address off the stack into ESI
After returning, ds:=73491073 (MSVBVM60.__vbaFreeVarList) is moved into ebx (ebx=73491073)
00404697 8985 3CFFFFFF mov dword ptr ss:,eax
The value in eax is stored at ebp-c4 (12f3c4); the value is (A)
0040469D BE 01000000 mov esi,1
004046A2 66:3BB5 3CFFFFFFcmp si,word ptr ss:
compares si with ebp-c4
004046A9 /0F8F 82000000 jg crackme1.00404731
jump if greater
004046AF 8D4D E4 lea ecx,dword ptr ss:
004046B2 8D55 C0 lea edx,dword ptr ss:
ecx=0012f44c edx=0012f428
004046B5 0FBFC6 movsx eax,si
eax=1
004046B8 894D 88 mov dword ptr ss:,ecx
ecx is stored at ebp-78
0012F3F0 0012F44C
004046BB 52 push edx
004046BC 8D4D 80 lea ecx,dword ptr ss:
ecx=0012f3e8
004046BF 50 push eax
004046C0 8D55 B0 lea edx,dword ptr ss:
edx=0012f418
004046C3 51 push ecx
004046C4 52 push edx
004046C5 C745 C8 04000280mov dword ptr ss:,80020004
004046CC C745 C0 0A000000mov dword ptr ss:,0A
004046D3 C745 80 08400000mov dword ptr ss:,4008
ebp-38 0012F430 80020004
ebp-40 0012F428 0000000A
ebp-80 0012F3E8 00004008
004046DA FF15 40104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
Step in
7347B403 MS>55 push ebp
7347B404 8BEC mov ebp,esp
7347B406 83EC 10 sub esp,10
7347B409 56 push esi 1
7347B40A 57 push edi 0
7347B40B FF35 C00E4A73 push dword ptr ds: 10
7347B411 FF15 B8103973 call dword ptr ds:[<&KERNEL32.TlsGetValue>] ; kernel32.TlsGetValue
7347B417 8D70 50 lea esi,dword ptr ds:
7347B41A 56 push esi
7347B41B FF75 0C push dword ptr ss:
7347B41E E8 5096F3FF call MSVBVM60.733B4A73
7347B423 83F8 FF cmp eax,-1
7347B426 74 3A je short MSVBVM60.7347B462
7347B428 FF75 14 push dword ptr ss:
7347B42B FF75 10 push dword ptr ss:
7347B42E 50 push eax
7347B42F E8 AB94F3FF call MSVBVM60.rtcMidCharBstr
...................................
...................................
...................................
...................................
004046E8 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004046EE 50 push eax
004046EF FF15 0C104000 call dword ptr ds:[<&MSVBVM60.#693>] ; MSVBVM60.rtcByteValueBstr
Takes the ASCII value of the first letter: 71
004046F5 25 FF000000 and eax,0FF
004046FA 8D4D D8 lea ecx,dword ptr ss:
004046FD 03C7 add eax,edi
004046FF /0F80 04020000 jo crackme1.00404909
00404705 8BF8 mov edi,eax
edi=71
00404707 FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
...............
...............
...............
00404719 B8 01000000 mov eax,1
0040471E 83C4 0C add esp,0C
00404721 66:03C6 add ax,si
SI serves as the counter
..........................
..........................
..........................
The following section is the loop over the functionality above
004046A2 66:3BB5 3CFFFFFFcmp si,word ptr ss:
004046A9 0F8F 82000000 jg crackme1.00404731
004046AF 8D4D E4 lea ecx,dword ptr ss:
004046B2 8D55 C0 lea edx,dword ptr ss:
004046B5 0FBFC6 movsx eax,si
004046B8 894D 88 mov dword ptr ss:,ecx
004046BB 52 push edx
004046BC 8D4D 80 lea ecx,dword ptr ss:
004046BF 50 push eax
004046C0 8D55 B0 lea edx,dword ptr ss:
004046C3 51 push ecx
004046C4 52 push edx
004046C5 C745 C8 04000280mov dword ptr ss:,80020004
004046CC C745 C0 0A000000mov dword ptr ss:,0A
004046D3 C745 80 08400000mov dword ptr ss:,4008
004046DA FF15 40104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004046E0 8D45 B0 lea eax,dword ptr ss:
004046E3 8D4D D8 lea ecx,dword ptr ss:
004046E6 50 push eax
004046E7 51 push ecx
004046E8 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004046EE 50 push eax
004046EF FF15 0C104000 call dword ptr ds:[<&MSVBVM60.#693>] ; MSVBVM60.rtcByteValueBstr
004046F5 25 FF000000 and eax,0FF
004046FA 8D4D D8 lea ecx,dword ptr ss:
004046FD 03C7 add eax,edi
004046FF 0F80 04020000 jo crackme1.00404909
00404705 8BF8 mov edi,eax
00404707 FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040470D 8D55 B0 lea edx,dword ptr ss:
00404710 8D45 C0 lea eax,dword ptr ss:
00404713 52 push edx
00404714 50 push eax
00404715 6A 02 push 2
00404717 FFD3 call ebx
00404719 B8 01000000 mov eax,1
0040471E 83C4 0C add esp,0C
00404721 66:03C6 add ax,si
00404724 0F80 DF010000 jo crackme1.00404909
0040472A 8BF0 mov esi,eax
0040472C ^ E9 71FFFFFF jmp crackme1.004046A2
When the condition holds, it jumps to
00404731 8B45 08 mov eax,dword ptr ss:
At this point EDI is 445
00404768 50 push eax
00404769 FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
0040476F 57 push edi
00404770 FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
Note here
00404776 8BD0 mov edx,eax
At 00404770 the serial can already be seen
00404776 8BD0 mov edx,eax
00404778 8D4D D4 lea ecx,dword ptr ss:
0040477B FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00404781 8B55 D8 mov edx,dword ptr ss:
00404784 50 push eax ; correct serial
00404785 52 push edx ; serial that was tried
00404786 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
Compare
Finished on 2006/09/27
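To confirm the trace, here is an added Python re-implementation of the check as read from the disassembly above (an assumed reconstruction, not the crackme's own code or anything the posters wrote); it reproduces the username/serial pairs posted in this thread and shows why a byte sum compared as plaintext by __vbaStrCmp is fully recoverable from the runtime calls alone.

```python
from typing import Optional

# Added example: reconstruction of the serial routine exactly as the trace reads it.
# Mapping to the runtime calls in the trace:
#   __vbaLenBstr                  -> len(username)
#   cmp eax,5 / jge               -> names shorter than 5 never reach the sum loop
#   si = 1 .. Len                 -> 16-bit Integer loop counter
#   rtcMidCharVar                 -> Mid(username, i, 1)
#   rtcByteValueBstr, and eax,0FF -> low byte of the character code
#   add eax,edi / jo              -> running 32-bit signed sum, overflow -> VB error
#   __vbaStrI4                    -> decimal text of the sum (0x445 -> "1093")
#   __vbaStrCmp                   -> plain string compare with what was typed

MIN_LEN = 5            # threshold from "cmp eax,5 / jge 00404683"
INT32_MAX = 0x7FFFFFFF


def serial_for(username: str) -> Optional[str]:
    """Return the serial the traced routine derives from username, or None
    when the length check rejects it before the sum loop runs."""
    if len(username) < MIN_LEN:
        return None
    total = 0                                   # edi starts at 0
    for i in range(1, len(username) + 1):       # si counts from 1 to Len
        ch = username[i - 1]                    # Mid(username, i, 1)
        total += ord(ch) & 0xFF                 # rtcByteValueBstr, masked with 0FF
        if total > INT32_MAX:                   # "jo 00404909": VB overflow error
            raise OverflowError("sum exceeds a 32-bit Long")
    return str(total)                           # __vbaStrI4: 0x445 -> "1093"


def check(username: str, typed_serial: str) -> bool:
    """The __vbaStrCmp step: True only when the typed serial matches."""
    expected = serial_for(username)
    return expected is not None and expected == typed_serial


if __name__ == "__main__":
    # Pairs posted in this thread, used to confirm the trace is consistent.
    for name in ("kine36", "qxtianlong", "iceknife"):
        print(name, serial_for(name))
```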
lgjxj
Posted on 2006-9-27 23:46:47
The poster above: does it need to be that long? The program just accumulates the username you entered to get the result. See the code below
004046EF FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.#693>] ; this CALL extracts one username character each time and puts it in EAX
004046F5 25 FF000000 AND EAX,0FF
004046FA 8D4D D8 LEA ECX,DWORD PTR SS:
004046FD 03C7 ADD EAX,EDI ; accumulate
qxtianlong
Posted on 2006-9-28 08:30:32
Hehe, poster above, yours is only the number you get from adding up the username in hex. If you trace further, you can indeed also see the decimal value directly, but you haven't traced how exactly it gets converted. If you do trace it, you'll find it quite interesting....
I only looked at how it converts to decimal, that's all...;)
jinbbs
Posted on 2006-10-4 22:01:02
Learning from this, thanks
gfclq
Posted on 2006-10-7 07:35:53
Hehe, I happen to be a beginner, thanks forum owner!
yosen2001
Posted on 2006-10-7 19:57:52
Cracked it the old way, don't quite understand the algorithm, hehe
正在堕落
Posted on 2006-10-25 22:34:09
I can only patch it, sigh!
The plaintext compare can be traced too:
iceknife 830
Pity I can't analyze it! Could some boss post a tutorial that's easy to understand!
[ This post was last edited by 正在堕落 on 2006-10-25 22:37 ]