Please help me with a crackme by 风飘雪!
I just can't get anywhere with it. I used an API breakpoint plugin to look at the program's imported functions, and there is only one function. Not a single comparison function breaks. Could some friend take a look and give me some guidance? Many thanks! It's compiled as P-CODE.
Search the forum yourself for "与 P-CODE亲密接触" (Getting Up Close with P-CODE) ~ see that for the details~~~
Simple static analysis
Button event handler:
0040276C: F5 00 00 00 00 LitI4: Push 00000000
00402771: 71 68 FF FStR4 Pop#4
00402774: F5 00 00 00 00 LitI4: Push 00000000
00402779: 71 64 FF FStR4 Pop#4
0040277C: 04 5C FF FLdRfVar Push local_A4
0040277F: 21 FLdPrThis =
00402780: 0F 0C 03 VCallAd
00402783: 19 60 FF FStAdFunc
00402786: 08 60 FF FLdPr =
00402789: 0D A0 00 02 00 VCallHresult
0040278E: 3E 5C FF FLdZeroAd Push#4 ; =0
00402791: 31 70 FF FStStr SysFreeString ; =Pop
00402794: 1A 60 FF FFree1Ad Push ; Call [[]+8]; []=0
00402797: 04 5C FF FLdRfVar Push local_A4
0040279A: 21 FLdPrThis =
0040279B: 0F 08 03 VCallAd
0040279E: 19 60 FF FStAdFunc
004027A1: 08 60 FF FLdPr =
004027A4: 0D A0 00 02 00 VCallHresult
004027A9: 3E 5C FF FLdZeroAd Push#4 ; =0
004027AC: 31 6C FF FStStr SysFreeString ; =Pop
004027AF: 1A 60 FF FFree1Ad Push ; Call [[]+8]; []=0
004027B2: 6C 70 FF ILdRf Push#4 //★Push the name!
004027B5: 4A FnLenStr vbaLenBstr //★Length of the user name
004027B6: F5 09 00 00 00 LitI4: Push 00000009 //★Parameter: 9
004027BB: D1 LtI4
004027BC: 6C 70 FF ILdRf Push#4
004027BF: 4A FnLenStr vbaLenBstr //★Take the length again
004027C0: F5 0B 00 00 00 LitI4: Push 0000000B //★Parameter: 11 (0x0B in decimal)
004027C5: DB GtI4 Push (Pop1 > Pop2) //★The author's intention was apparently to restrict the user name to 9-11 characters, but in practice it has no effect; probably the logical operators got mixed up~~ Never mind~~~ I'll analyze it according to the intent, and the keygen below does likewise
0=False, -1=True (#4 comparison)
004027C6: C4 AndI4
004027C7: 6C 6C FF ILdRf Push#4 //★Push the registration code!
004027CA: 4A FnLenStr vbaLenBstr //★Length of the registration code
004027CB: F5 09 00 00 00 LitI4: Push 00000009 //★Parameter: 9
004027D0: D1 LtI4 //★By the same reasoning, the registration code must be at least 9 characters
004027D1: C5 OrI4
004027D2: 1C 6E 00 BranchF If Pop=0 then ESI=ProcPC+006E
004027D5: 10 F8 06 03 00 ThisVCallHresult
004027DA: F4 01 LitI2_Byte: Push 01 //★Push parameter: 1 // the loop step
004027DC: 04 76 FF FLdRfVar Push local_8A
004027DF: 6C 70 FF ILdRf Push#4 //★Push the name!
004027E2: 4A FnLenStr vbaLenBstr //★Take the length // loop bound
004027E3: E4 CI2I4 Verify high word is 0000, ECX=
004027E4: FE 63 58 FF BD 00 ForI2:
004027EA: 27 38 FF LitVar_Missing PushVarError 80020004 (missing) //★for loop; the iteration count is determined by the user name length
VT_ERROR signifies an optional argument that is missing
004027ED: 6B 76 FF FLdI2 Push#2 //★Below: fetch the user name's ASCII values one character at a time
004027F0: E7 CI4UI1
004027F1: 6C 70 FF ILdRf Push#4
004027F4: 0B 04 00 0C 00 ImpAdCallI2 Call Ptr_00401036; check stack 000C; Push EAX
004027F9: 23 5C FF FStStrNoPop SysFreeString ; =
004027FC: 0B 05 00 04 00 ImpAdCallI2 Call Ptr_0040103C; check stack 0004; Push EAX
00402801: E7 CI4UI1
00402802: 71 78 FF FStR4 Pop#4
00402805: 2F 5C FF FFree1Str SysFreeString ; =0
00402808: 35 38 FF FFree1Var
0040280B: 6C 68 FF ILdRf Push#4
0040280E: 6C 78 FF ILdRf Push#4
00402811: F5 04 00 00 00 LitI4: Push 00000004 //★Parameter: 4
00402816: B2 MulI4 //★User name ASCII value * 4
00402817: AA AddI4
00402818: F5 12 00 00 00 LitI4: Push 00000012 //★Parameter: 18 (0x12 in decimal)
0040281D: AA AddI4 //★The result above + 18
0040281E: 71 68 FF FStR4 Pop#4
00402821: 04 76 FF FLdRfVar Push local_8A
00402824: 64 58 FF 7E 00 NextI2: //★(for....)Next // once the loop finishes we have the accumulated sum
00402829: 6C 68 FF ILdRf Push#4
0040282C: F5 B0 FD 17 08 LitI4: Push 0817FDB0 //★Parameter: 135790000 (0x0817FDB0 in decimal)
00402831: AA AddI4 //★Added to the accumulated result
00402832: 71 68 FF FStR4 Pop#4
00402835: 6C 6C FF ILdRf Push#4 //★Push the registration code!
00402838: 0A 06 00 04 00 ImpAdCallFPR4 Call Ptr_00401042; check stack 0004 (no return value)
0040283D: F4 18 LitI2_Byte: Push 18 //★Parameter: 24 (0x18 in decimal)
0040283F: EB CR8I2
00402840: AB AddR8 //★Registration code + 24
00402841: E8 CI4R8
00402842: 71 64 FF FStR4 Pop#4
00402845: 6C 68 FF ILdRf Push#4
00402848: 6C 64 FF ILdRf Push#4
0040284B: C7 EqI4 //★The key comparison~~
0040284C: 1C FB 00 BranchF If Pop=0 then ESI=ProcPC+00FB //★The key jump; to patch it, change to 1D FB 00
0040284F: 1B 07 00 LitStr: Push Ptr_00402080
00402852: 21 FLdPrThis =
00402853: 0F 00 03 VCallAd
00402856: 19 60 FF FStAdFunc
00402859: 08 60 FF FLdPr =
0040285C: 0D 54 00 08 00 VCallHresult
00402861: 1A 60 FF FFree1Ad Push ; Call [[]+8]; []=0
00402864: 1E 00 01 Branch ESI=ProcPC+0100
00402867: 10 F8 06 03 00 ThisVCallHresult
0040286C: 13 ExitProcHresult
0040286D: 00 00 LargeBos IDE beginning of line with 00 byte codes
0040286F: 00 C4 LargeBos IDE beginning of line with C4 byte codes
And there's the algorithm~~
*******************VB keygen*************************
Private Sub Command1_Click()
    Dim Name As String
    Dim LenName As Integer
    Dim Sum As Long
    Dim i As Integer

    Name = Text1.Text
    LenName = Len(Name)
    ' If LenName >= 9 And LenName <= 11 Then
    For i = 1 To LenName Step 1
        Sum = Sum + (Asc(Mid(Name, i, 1)) * 4) + 18
    Next
    Sum = Sum + 135790000
    Text2.Text = Sum - 24 ' Invert the +24 to recover the registration code
    ' Else
    '     Text2.Text = "用户名在9-11位之间"
    ' End If
End Sub

Boss 飘云, I'd like to ask two questions:
1. How can you tell whether a program is compiled as P-CODE?
2. Can this crackme be debugged and cracked with OD?

1. If API breakpoints don't trigger, or they trigger but you can't get back into the program's own code, you can judge the program to be P-CODE.
2. OD can assist with debugging (keep your eyes fixed on the data window); you need hardware/memory breakpoints, and in short it's very tedious~

Boss, when you have a little time, could I trouble you to dissect it with OD?

Originally posted by rsice on 2007-6-17 08:33:
    Boss, when you have a little time, could I trouble you to dissect it with OD?
The heart has already been dug out; what is left to dissect?
In a while I'll post a slightly harder P-CODE article; study it on your own~~~
Practice P-CODE a few dozen times and you'll get it! Start with the articles in post #2~~

Just looking at it gives me a headache, sigh~~
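A runnable model of the button handler decoded in the static-analysis post above, added here as an example (not the crackme's code and not code from anyone in this thread). It assumes the procedure starts at 0040276C, so the BranchF at 004027D2 (+006E) lands on 004027DA, and it models VB's -1/0 comparison results with bitwise AndI4/OrI4 to show why the poster's note that the name-length check "has no effect" holds.

```python
import re

# Added example: Python model of the Command1_Click handler decoded from the
# P-code listing above (not the crackme's or the poster's code).
# Assumed: ProcPC = 0040276C, so BranchF 004027D2 (+006E) lands on 004027DA.

VB_TRUE, VB_FALSE = -1, 0   # #4 comparison results: -1 = True, 0 = False

def vb_cmp(cond):
    return VB_TRUE if cond else VB_FALSE

def vb_val(s):
    """Minimal Val(): leading integer of the text, 0 if there is none."""
    m = re.match(r"\s*[-+]?\d+", s)
    return int(m.group()) if m else 0

def length_check_as_compiled(name, code):
    """Stack value consumed by BranchF at 004027D2, using bitwise AndI4/OrI4:
    (Len(name) < 9 And Len(name) > 11) Or Len(code) < 9.
    True means the ThisVCallHresult at 004027D5 runs (assumed: the same
    error call as on the failing path at 00402867); 0 jumps to 004027DA."""
    n, c = len(name), len(code)
    v = vb_cmp(n < 9) & vb_cmp(n > 11)   # never -1: no length is both < 9 and > 11
    v |= vb_cmp(c < 9)                   # so only the code-length test can fire
    return v != 0

def length_check_intended(name, code):
    """The 9..11 name-length rule the poster believes the author meant."""
    return not (9 <= len(name) <= 11) or len(code) < 9

def name_sum(name):
    """ForI2/NextI2 loop: sum += Asc(Mid(name, i, 1)) * 4 + 18, then + 0x0817FDB0."""
    total = 0
    for ch in name:                   # ASCII names assumed (CI4UI1 stores Asc() as a byte)
        total += ord(ch) * 4 + 18
    return total + 0x0817FDB0         # LitI4 135790000 added after NextI2

def serial_for(name):
    """EqI4 at 0040284B compares name_sum(name) with Val(code) + 24."""
    return name_sum(name) - 24

def serial_matches(name, code):
    """True when the comparison at 0040284B succeeds for this name/code pair."""
    return vb_val(code) + 24 == name_sum(name)
```

For the constructed 9-character name "crackme07" the model gives 135793454, and a 2-character name passes the as-compiled check while failing the intended one.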