lgjxj
Posted on 2007-12-31 21:18:48
I won't go into the algorithm, lazy. Poster above, set a breakpoint at 40377E
0040377E .66:391C42 cmp word ptr , bx
OK, now enter your username, then enter PYG-123456789, then click the register button, and it breaks, ^_^
Look at what the value in memory is. "Note that the program compares starting from the first digit." For example: "start with the first digit; if the value being compared (the one in memory) is 5, then add 5 to the digit being compared (1) and try it; it succeeded, that jump no longer happened." My ability to explain is limited; in short, it's
gtboy
Posted on 2007-12-31 21:25:10
Heh, patch the jump first, then look at the algorithm; with luck I'll trace the registration code, (*^__^*) hee hee...
I'm a real noob
cxl0825
Posted on 2007-12-31 23:39:51
Originally posted by lgjxj on 2007-12-31 21:18
I won't go into the algorithm, lazy. Poster above, set a breakpoint at 40377E
0040377E .66:391C42 cmp word ptr , bx
OK, now enter your username, then enter PYG-123456789, then click the register button, and it breaks, ^_^
Look at ...
After setting the breakpoint at 0040377E and running the program, it doesn't break at all.... and the button gives no message either... how should this be done...
Experts, please give some pointers
hdy981
Posted on 2008-1-1 12:14:00
Support the CM, and even more support releasing the source code
hdy981
Posted on 2008-1-1 12:57:15
OP, after loading it in OD, press Alt+N and set a breakpoint with F2 on the entry below
名称位于 Crackme, 条目 55
地址=00401064
区段=.text
类型=输入
名称=MSVBVM60.__vbaVarTstEq
A warning window pops up; ignore it, the breakpoint works regardless. F9 to run, enter my trial code, and it gave me a fright, haha
Screenshot:
lgjxj
Posted on 2008-1-1 15:47:47
Originally posted by cxl0825 on 2007-12-31 23:39
After setting the breakpoint at 0040377E and running the program, it doesn't break at all.... and the button gives no message either... how should this be done...
Experts, please give some pointers
You didn't enter PYG-, did you? Remember there is a CALL that checks for it; if you don't enter it, the address I gave gets skipped
vecri
Posted on 2008-1-1 21:50:16
I'm just a little rookie..... if anything in the analysis is wrong, experts please correct me~
00402A50 > \55 PUSH EBP ;set the breakpoint here..
00402A51 .8BEC MOV EBP,ESP
00402A53 .83EC 0C SUB ESP,0C
00402A56 .68 06114000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ;install the SE handler
.......some code omitted...........
00402C2E .8985 48FEFFFF MOV DWORD PTR SS:,EAX
00402C34 .FF91 A0000000 CALL DWORD PTR DS: ;get the username
00402C3A .3BC3 CMP EAX,EBX
00402C3C .DBE2 FCLEX
00402C3E .7D 18 JGE SHORT Crackme.00402C58
00402C40 .8B8D 48FEFFFF MOV ECX,DWORD PTR SS:
00402C46 .68 A0000000 PUSH 0A0
00402C4B .68 00224000 PUSH Crackme.00402200
00402C50 .51 PUSH ECX
00402C51 .50 PUSH EAX
00402C52 .FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402C58 >8B85 3CFFFFFF MOV EAX,DWORD PTR SS:
00402C5E .8D95 20FFFFFF LEA EDX,DWORD PTR SS:
00402C64 .8D4D 9C LEA ECX,DWORD PTR SS:
00402C67 .899D 3CFFFFFF MOV DWORD PTR SS:,EBX
00402C6D .8985 28FFFFFF MOV DWORD PTR SS:,EAX
00402C73 .C785 20FFFFFF>MOV DWORD PTR SS:,8
00402C7D .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00402C83 .8D8D 30FFFFFF LEA ECX,DWORD PTR SS:
00402C89 .FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402C8F .8B17 MOV EDX,DWORD PTR DS:
00402C91 .57 PUSH EDI
00402C92 .FF92 04030000 CALL DWORD PTR DS:
00402C98 .50 PUSH EAX
00402C99 .8D85 30FFFFFF LEA EAX,DWORD PTR SS:
00402C9F .50 PUSH EAX
00402CA0 .FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00402CA6 .8B08 MOV ECX,DWORD PTR DS:
00402CA8 .8D95 3CFFFFFF LEA EDX,DWORD PTR SS:
00402CAE .52 PUSH EDX
00402CAF .50 PUSH EAX
00402CB0 .8985 48FEFFFF MOV DWORD PTR SS:,EAX
00402CB6 .FF91 A0000000 CALL DWORD PTR DS: ;get the registration code
00402CBC .3BC3 CMP EAX,EBX
00402CBE .DBE2 FCLEX
00402CC0 .7D 18 JGE SHORT Crackme.00402CDA
00402CC2 .8B8D 48FEFFFF MOV ECX,DWORD PTR SS:
00402CC8 .68 A0000000 PUSH 0A0
00402CCD .68 00224000 PUSH Crackme.00402200
00402CD2 .51 PUSH ECX
00402CD3 .50 PUSH EAX
00402CD4 .FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402CDA >8B85 3CFFFFFF MOV EAX,DWORD PTR SS:
00402CE0 .8D95 20FFFFFF LEA EDX,DWORD PTR SS:
00402CE6 .8D4D 8C LEA ECX,DWORD PTR SS:
00402CE9 .899D 3CFFFFFF MOV DWORD PTR SS:,EBX
00402CEF .8985 28FFFFFF MOV DWORD PTR SS:,EAX
00402CF5 .C785 20FFFFFF>MOV DWORD PTR SS:,8
00402CFF .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00402D05 .8D8D 30FFFFFF LEA ECX,DWORD PTR SS:
00402D0B .FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402D11 .8D55 8C LEA EDX,DWORD PTR SS:
00402D14 .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
00402D1A .52 PUSH EDX
00402D1B .50 PUSH EAX
00402D1C .C785 A8FEFFFF>MOV DWORD PTR SS:,4
00402D26 .C785 A0FEFFFF>MOV DWORD PTR SS:,8002
00402D30 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>; MSVBVM60.__vbaLenVar
00402D36 .8D8D A0FEFFFF LEA ECX,DWORD PTR SS:
00402D3C .50 PUSH EAX
00402D3D .51 PUSH ECX
00402D3E .FF15 00104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstGt
00402D44 .66:85C0 TEST AX,AX
00402D47 .0F84 BE080000 JE Crackme.0040360B
00402D4D .8D95 20FFFFFF LEA EDX,DWORD PTR SS:
00402D53 .8D45 8C LEA EAX,DWORD PTR SS:
00402D56 .52 PUSH EDX
00402D57 .6A 04 PUSH 4
00402D59 .8D8D 10FFFFFF LEA ECX,DWORD PTR SS:
00402D5F .50 PUSH EAX
00402D60 .51 PUSH ECX
00402D61 .C785 28FFFFFF>MOV DWORD PTR SS:,1
00402D6B .89B5 20FFFFFF MOV DWORD PTR SS:,ESI ;take the 4th character
00402D71 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402D77 .8B3D 8C104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarVal
00402D7D .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
00402D83 .8D85 3CFFFFFF LEA EAX,DWORD PTR SS:
00402D89 .52 PUSH EDX
00402D8A .50 PUSH EAX
00402D8B .FFD7 CALL EDI ; <&MSVBVM60.__vbaStrVarVal>
00402D8D .50 PUSH EAX ;convert the 4th character to a string
00402D8E .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402D94 .33C9 XOR ECX,ECX ;get the ASCII value of the 4th character
00402D96 .66:3D 2D00 CMP AX,2D ;compare the 4th character with 2D ('-')
00402D9A .0F94C1 SETE CL
00402D9D .F7D9 NEG ECX
00402D9F .66:898D 48FEF>MOV WORD PTR SS:,CX ;store the result of comparing the 4th character with 2D
00402DA6 .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
00402DAC .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00402DB2 .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
00402DB8 .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
00402DBE .52 PUSH EDX
00402DBF .50 PUSH EAX
00402DC0 .56 PUSH ESI
00402DC1 .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00402DC7 .83C4 0C ADD ESP,0C
00402DCA .66:399D 48FEF>CMP WORD PTR SS:,BX
00402DD1 .0F84 31080000 JE Crackme.00403608 ;compare the stored result with BX; from this the 4th character must be 2D ('-')
00402DD7 .8B1D 50104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>]; MSVBVM60.rtcMidCharVar
00402DDD .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
00402DE3 .51 PUSH ECX
00402DE4 .8D55 8C LEA EDX,DWORD PTR SS:
00402DE7 .6A 01 PUSH 1
00402DE9 .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
00402DEF .52 PUSH EDX
00402DF0 .50 PUSH EAX
00402DF1 .C785 28FFFFFF>MOV DWORD PTR SS:,1
00402DFB .89B5 20FFFFFF MOV DWORD PTR SS:,ESI
00402E01 .FFD3 CALL EBX ;<&MSVBVM60.#632>
00402E03 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS: ;take the 1st character of the registration code and store it
00402E09 .8D55 8C LEA EDX,DWORD PTR SS:
00402E0C .51 PUSH ECX
00402E0D .56 PUSH ESI
00402E0E .8D85 F0FEFFFF LEA EAX,DWORD PTR SS:
00402E14 .52 PUSH EDX
00402E15 .50 PUSH EAX
00402E16 .C785 08FFFFFF>MOV DWORD PTR SS:,1
00402E20 .89B5 00FFFFFF MOV DWORD PTR SS:,ESI
00402E26 .FFD3 CALL EBX ;take the 2nd character of the registration code and store it
00402E28 .8D8D E0FEFFFF LEA ECX,DWORD PTR SS:
00402E2E .8D55 8C LEA EDX,DWORD PTR SS:
00402E31 .51 PUSH ECX
00402E32 .6A 03 PUSH 3
00402E34 .8D85 D0FEFFFF LEA EAX,DWORD PTR SS:
00402E3A .52 PUSH EDX
00402E3B .50 PUSH EAX
00402E3C .C785 E8FEFFFF>MOV DWORD PTR SS:,1
00402E46 .89B5 E0FEFFFF MOV DWORD PTR SS:,ESI
00402E4C .FFD3 CALL EBX ;take the 3rd character of the registration code and store it
00402E4E .8D8D F0FEFFFF LEA ECX,DWORD PTR SS:
00402E54 .8D95 38FFFFFF LEA EDX,DWORD PTR SS:
00402E5A .51 PUSH ECX
00402E5B .52 PUSH EDX
00402E5C .FFD7 CALL EDI ;convert the 2nd character to a string
00402E5E .50 PUSH EAX
00402E5F .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402E65 .66:8BD8 MOV BX,AX ;convert the 2nd character to an integer
00402E68 .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
00402E6E .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
00402E74 .50 PUSH EAX
00402E75 .51 PUSH ECX
00402E76 .FFD7 CALL EDI ;convert the 1st character to a string
00402E78 .50 PUSH EAX ;then convert the 1st character to its ASCII code
00402E79 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402E7F .66:03D8 ADD BX,AX ;add the ASCII codes of the 1st and 2nd characters
00402E82 .8D95 D0FEFFFF LEA EDX,DWORD PTR SS:
00402E88 .8D85 34FFFFFF LEA EAX,DWORD PTR SS:
00402E8E .52 PUSH EDX
00402E8F .50 PUSH EAX
00402E90 .0F80 950B0000 JO Crackme.00403A2B
00402E96 .FFD7 CALL EDI ;convert the 3rd character to a string
00402E98 .50 PUSH EAX ;convert the 3rd character to its ASCII code
00402E99 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402E9F .66:03D8 ADD BX,AX ;add the 3rd character's ASCII code to the sum of the 1st and 2nd
00402EA2 .8D95 70FEFFFF LEA EDX,DWORD PTR SS:
00402EA8 .0F80 7D0B0000 JO Crackme.00403A2B
00402EAE .8D4D CC LEA ECX,DWORD PTR SS:
00402EB1 .66:899D 78FEF>MOV WORD PTR SS:,BX
00402EB8 .89B5 70FEFFFF MOV DWORD PTR SS:,ESI
00402EBE .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00402EC4 .8D8D 34FFFFFF LEA ECX,DWORD PTR SS: ;the sum of the first 3 characters' ASCII codes is stored here
00402ECA .8D95 38FFFFFF LEA EDX,DWORD PTR SS:
00402ED0 .51 PUSH ECX
00402ED1 .8D85 3CFFFFFF LEA EAX,DWORD PTR SS:
00402ED7 .52 PUSH EDX
00402ED8 .50 PUSH EAX
00402ED9 .6A 03 PUSH 3
00402EDB .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00402EE1 .8D8D D0FEFFFF LEA ECX,DWORD PTR SS: ;free the variables
00402EE7 .8D95 E0FEFFFF LEA EDX,DWORD PTR SS:
00402EED .51 PUSH ECX
00402EEE .8D85 F0FEFFFF LEA EAX,DWORD PTR SS:
00402EF4 .52 PUSH EDX
00402EF5 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS:
00402EFB .50 PUSH EAX
00402EFC .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
00402F02 .51 PUSH ECX
00402F03 .52 PUSH EDX
00402F04 .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
00402F0A .50 PUSH EAX
00402F0B .6A 06 PUSH 6 ;free the variables
00402F0D .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00402F13 .8B1D 50104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>]; MSVBVM60.rtcMidCharVar
00402F19 .83C4 2C ADD ESP,2C
00402F1C .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
00402F22 .8D55 8C LEA EDX,DWORD PTR SS:
00402F25 .51 PUSH ECX
00402F26 .6A 01 PUSH 1
00402F28 .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
00402F2E .52 PUSH EDX ;EDX holds the address of the registration code variable
00402F2F .50 PUSH EAX
00402F30 .C785 28FFFFFF>MOV DWORD PTR SS:,1
00402F3A .89B5 20FFFFFF MOV DWORD PTR SS:,ESI ;here the 1st character of the registration code is taken and stored
00402F40 .FFD3 CALL EBX ;<&MSVBVM60.#632>
00402F42 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS:
00402F48 .8D55 8C LEA EDX,DWORD PTR SS:
00402F4B .51 PUSH ECX
00402F4C .56 PUSH ESI
00402F4D .8D85 F0FEFFFF LEA EAX,DWORD PTR SS:
00402F53 .52 PUSH EDX
00402F54 .50 PUSH EAX
00402F55 .C785 08FFFFFF>MOV DWORD PTR SS:,1
00402F5F .89B5 00FFFFFF MOV DWORD PTR SS:,ESI
00402F65 .FFD3 CALL EBX ;here the 2nd character of the registration code is taken and stored
00402F67 .8D8D E0FEFFFF LEA ECX,DWORD PTR SS:
00402F6D .8D55 8C LEA EDX,DWORD PTR SS:
00402F70 .51 PUSH ECX
00402F71 .6A 03 PUSH 3
00402F73 .8D85 D0FEFFFF LEA EAX,DWORD PTR SS:
00402F79 .52 PUSH EDX
00402F7A .50 PUSH EAX
00402F7B .C785 E8FEFFFF>MOV DWORD PTR SS:,1
00402F85 .89B5 E0FEFFFF MOV DWORD PTR SS:,ESI
00402F8B .FFD3 CALL EBX ;here the 3rd character of the registration code is taken and stored
00402F8D .8D8D F0FEFFFF LEA ECX,DWORD PTR SS:
00402F93 .8D95 38FFFFFF LEA EDX,DWORD PTR SS:
00402F99 .51 PUSH ECX
00402F9A .52 PUSH EDX
00402F9B .FFD7 CALL EDI
00402F9D .50 PUSH EAX ;convert the 2nd character of the registration code to a string
00402F9E .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402FA4 .66:8BD8 MOV BX,AX ;convert the 2nd character of the registration code to its ASCII code
00402FA7 .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
00402FAD .66:6BDB 02 IMUL BX,BX,2 ;multiply the 2nd character's ASCII code by 2
00402FB1 .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
00402FB7 .50 PUSH EAX
00402FB8 .51 PUSH ECX
00402FB9 .0F80 6C0A0000 JO Crackme.00403A2B ;convert the 1st character of the registration code to a string
00402FBF .FFD7 CALL EDI
00402FC1 .50 PUSH EAX ;convert the 1st character of the registration code to its ASCII code
00402FC2 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402FC8 .66:03D8 ADD BX,AX ;add character 1 to the doubled value
00402FCB .8D95 D0FEFFFF LEA EDX,DWORD PTR SS:
00402FD1 .8D85 34FFFFFF LEA EAX,DWORD PTR SS:
00402FD7 .52 PUSH EDX
00402FD8 .50 PUSH EAX
00402FD9 .0F80 4C0A0000 JO Crackme.00403A2B
00402FDF .FFD7 CALL EDI
00402FE1 .50 PUSH EAX ;convert the 3rd character of the registration code to a string and then to its ASCII code
00402FE2 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402FE8 .66:6BC0 03 IMUL AX,AX,3 ;multiply character 3's value by 3
00402FEC .0F80 390A0000 JO Crackme.00403A2B
00402FF2 .66:2BD8 SUB BX,AX ;char1 + char2*2 - char3*3
00402FF5 .8D95 70FEFFFF LEA EDX,DWORD PTR SS:
00402FFB .0F80 2A0A0000 JO Crackme.00403A2B
00403001 .8D4D BC LEA ECX,DWORD PTR SS:
00403004 .66:899D 78FEF>MOV WORD PTR SS:,BX
0040300B .89B5 70FEFFFF MOV DWORD PTR SS:,ESI ;store char1 + char2*2 - char3*3
00403011 .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00403017 .8D8D 34FFFFFF LEA ECX,DWORD PTR SS:
0040301D .8D95 38FFFFFF LEA EDX,DWORD PTR SS:
00403023 .51 PUSH ECX
00403024 .8D85 3CFFFFFF LEA EAX,DWORD PTR SS:
0040302A .52 PUSH EDX
0040302B .50 PUSH EAX
0040302C .6A 03 PUSH 3
0040302E .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00403034 .8D8D D0FEFFFF LEA ECX,DWORD PTR SS:
0040303A .8D95 E0FEFFFF LEA EDX,DWORD PTR SS:
00403040 .51 PUSH ECX
00403041 .8D85 F0FEFFFF LEA EAX,DWORD PTR SS:
00403047 .52 PUSH EDX
00403048 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS:
0040304E .50 PUSH EAX
0040304F .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
00403055 .51 PUSH ECX
00403056 .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
0040305C .52 PUSH EDX
0040305D .50 PUSH EAX
0040305E .6A 06 PUSH 6
00403060 .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00403066 .8B1D 50104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.#632>]; MSVBVM60.rtcMidCharVar
0040306C .83C4 2C ADD ESP,2C
0040306F .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
00403075 .8D55 8C LEA EDX,DWORD PTR SS:
00403078 .51 PUSH ECX
00403079 .6A 01 PUSH 1
0040307B .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
00403081 .52 PUSH EDX
00403082 .50 PUSH EAX
00403083 .C785 28FFFFFF>MOV DWORD PTR SS:,1
0040308D .89B5 20FFFFFF MOV DWORD PTR SS:,ESI ;take the 1st character of the registration code and store it
00403093 .FFD3 CALL EBX ;<&MSVBVM60.#632>
00403095 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS:
0040309B .8D55 8C LEA EDX,DWORD PTR SS:
0040309E .51 PUSH ECX
0040309F .56 PUSH ESI
004030A0 .8D85 F0FEFFFF LEA EAX,DWORD PTR SS:
004030A6 .52 PUSH EDX
004030A7 .50 PUSH EAX
004030A8 .C785 08FFFFFF>MOV DWORD PTR SS:,1
004030B2 .89B5 00FFFFFF MOV DWORD PTR SS:,ESI
004030B8 .FFD3 CALL EBX ;take the 2nd character of the registration code and store it
004030BA .8D8D E0FEFFFF LEA ECX,DWORD PTR SS:
004030C0 .8D55 8C LEA EDX,DWORD PTR SS:
004030C3 .51 PUSH ECX
004030C4 .6A 03 PUSH 3
004030C6 .8D85 D0FEFFFF LEA EAX,DWORD PTR SS:
004030CC .52 PUSH EDX
004030CD .50 PUSH EAX
004030CE .C785 E8FEFFFF>MOV DWORD PTR SS:,1
004030D8 .89B5 E0FEFFFF MOV DWORD PTR SS:,ESI
004030DE .FFD3 CALL EBX ;take the 3rd character of the registration code and store it
004030E0 .8D8D F0FEFFFF LEA ECX,DWORD PTR SS:
004030E6 .8D95 38FFFFFF LEA EDX,DWORD PTR SS:
004030EC .51 PUSH ECX
004030ED .52 PUSH EDX
004030EE .FFD7 CALL EDI
004030F0 .50 PUSH EAX
004030F1 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
004030F7 .66:8BD8 MOV BX,AX ;convert the 2nd character to its ASCII code
004030FA .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
00403100 .66:6BDB 04 IMUL BX,BX,4 ;char2 value * 4
00403104 .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
0040310A .50 PUSH EAX
0040310B .51 PUSH ECX
0040310C .0F80 19090000 JO Crackme.00403A2B
00403112 .FFD7 CALL EDI
00403114 .50 PUSH EAX
00403115 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0040311B .66:8BD3 MOV DX,BX ;convert char1 to its ASCII code
0040311E .66:8BD8 MOV BX,AX
00403121 .66:6BDB 03 IMUL BX,BX,3 ;char1 value * 3
00403125 .8D85 D0FEFFFF LEA EAX,DWORD PTR SS:
0040312B .0F80 FA080000 JO Crackme.00403A2B
00403131 .8D8D 34FFFFFF LEA ECX,DWORD PTR SS:
00403137 .66:2BDA SUB BX,DX ;char1*3 - char2*4
0040313A .50 PUSH EAX
0040313B .51 PUSH ECX
0040313C .0F80 E9080000 JO Crackme.00403A2B
00403142 .FFD7 CALL EDI
00403144 .50 PUSH EAX
00403145 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0040314B .66:6BC0 06 IMUL AX,AX,6 ;convert char3 to its ASCII code and multiply by 6
0040314F .0F80 D6080000 JO Crackme.00403A2B
00403155 .66:03D8 ADD BX,AX ;char1*3 - char2*4 + char3*6
00403158 .89B5 70FEFFFF MOV DWORD PTR SS:,ESI
0040315E .0F80 C7080000 JO Crackme.00403A2B
00403164 .66:899D 78FEF>MOV WORD PTR SS:,BX
0040316B .8D95 70FEFFFF LEA EDX,DWORD PTR SS:
00403171 .8B1D 10104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarMove
00403177 .8D4D AC LEA ECX,DWORD PTR SS: ;store char1*3 - char2*4 + char3*6
0040317A .FFD3 CALL EBX ; <&MSVBVM60.__vbaVarMove>
0040317C .8D95 34FFFFFF LEA EDX,DWORD PTR SS:
00403182 .8D85 38FFFFFF LEA EAX,DWORD PTR SS:
00403188 .52 PUSH EDX
00403189 .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
0040318F .50 PUSH EAX
00403190 .51 PUSH ECX
00403191 .6A 03 PUSH 3
00403193 .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00403199 .8D95 D0FEFFFF LEA EDX,DWORD PTR SS:
0040319F .8D85 E0FEFFFF LEA EAX,DWORD PTR SS:
004031A5 .52 PUSH EDX
004031A6 .8D8D F0FEFFFF LEA ECX,DWORD PTR SS:
004031AC .50 PUSH EAX
004031AD .8D95 00FFFFFF LEA EDX,DWORD PTR SS:
004031B3 .51 PUSH ECX
004031B4 .8D85 10FFFFFF LEA EAX,DWORD PTR SS:
004031BA .52 PUSH EDX
004031BB .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
004031C1 .50 PUSH EAX
004031C2 .51 PUSH ECX
004031C3 .6A 06 PUSH 6
004031C5 .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004031CB .83C4 2C ADD ESP,2C
004031CE .8D55 9C LEA EDX,DWORD PTR SS: ;username
004031D1 .8D85 A0FEFFFF LEA EAX,DWORD PTR SS:
004031D7 .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
004031DD .52 PUSH EDX
004031DE .50 PUSH EAX
004031DF .51 PUSH ECX
004031E0 .C785 A8FEFFFF>MOV DWORD PTR SS:,Crackme.00402>
004031EA .C785 A0FEFFFF>MOV DWORD PTR SS:,8 ;concatenate the username and zjjtr into string1
004031F4 .FF15 90104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
004031FA .8BD0 MOV EDX,EAX
004031FC .8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:
00403202 .FFD3 CALL EBX ;store string1
00403204 .8D55 8C LEA EDX,DWORD PTR SS:
00403207 .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
0040320D .52 PUSH EDX
0040320E .50 PUSH EAX
0040320F .C785 A8FEFFFF>MOV DWORD PTR SS:,4
00403219 .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
0040321F .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>; MSVBVM60.__vbaLenVar
00403225 .8D8D A0FEFFFF LEA ECX,DWORD PTR SS: ;get the length of the registration code
0040322B .50 PUSH EAX
0040322C .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
00403232 .51 PUSH ECX
00403233 .52 PUSH EDX ;registration code length minus 4
00403234 .FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarSu>; MSVBVM60.__vbaVarSub
0040323A .8B1D B8104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaI4>;MSVBVM60.__vbaI4Var
00403240 .50 PUSH EAX
00403241 .FFD3 CALL EBX ; <&MSVBVM60.__vbaI4Var>
00403243 .50 PUSH EAX ;convert the (registration code length - 4) result from a variant to an integer
00403244 .8D45 8C LEA EAX,DWORD PTR SS:
00403247 .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
0040324D .50 PUSH EAX
0040324E .51 PUSH ECX
0040324F .FFD7 CALL EDI
00403251 .50 PUSH EAX ;take the part of the registration code after its first 4 characters, forming substring2
00403252 .FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.#618>] ; MSVBVM60.rtcRightCharBstr
00403258 .8D95 00FFFFFF LEA EDX,DWORD PTR SS:
0040325E .8D8D 5CFFFFFF LEA ECX,DWORD PTR SS:
00403264 .8985 08FFFFFF MOV DWORD PTR SS:,EAX
0040326A .C785 00FFFFFF>MOV DWORD PTR SS:,8 ;store substring2
00403274 .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0040327A .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
00403280 .FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00403286 .8D95 7CFFFFFF LEA EDX,DWORD PTR SS:
0040328C .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
00403292 .52 PUSH EDX
00403293 .50 PUSH EAX
00403294 .C785 A8FEFFFF>MOV DWORD PTR SS:,4
0040329E .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI ;get the length of string1
004032A4 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>; MSVBVM60.__vbaLenVar
004032AA .8D4D 8C LEA ECX,DWORD PTR SS:
004032AD .50 PUSH EAX
004032AE .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
004032B4 .51 PUSH ECX
004032B5 .52 PUSH EDX ;get the length of the registration code
004032B6 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>; MSVBVM60.__vbaLenVar
004032BC .50 PUSH EAX
004032BD .8D85 A0FEFFFF LEA EAX,DWORD PTR SS:
004032C3 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS:
004032C9 .50 PUSH EAX
004032CA .51 PUSH ECX ;registration code length - 4
004032CB .FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarSu>; MSVBVM60.__vbaVarSub
004032D1 .50 PUSH EAX
004032D2 .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
004032D8 .66:85C0 TEST AX,AX ;the length of string1 must equal the registration code length - 4
004032DB .0F84 25030000 JE Crackme.00403606
004032E1 .B8 01000000 MOV EAX,1
004032E6 .8D95 A0FEFFFF LEA EDX,DWORD PTR SS:
004032EC .8985 A8FEFFFF MOV DWORD PTR SS:,EAX
004032F2 .8985 98FEFFFF MOV DWORD PTR SS:,EAX
004032F8 .8D85 7CFFFFFF LEA EAX,DWORD PTR SS:
004032FE .52 PUSH EDX
004032FF .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
00403305 .50 PUSH EAX
00403306 .51 PUSH ECX
00403307 .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
0040330D .89B5 90FEFFFF MOV DWORD PTR SS:,ESI
00403313 .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;get the length of string1 and store it
00403319 .50 PUSH EAX ;use the length of string1 as the upper bound of the loop below
0040331A .8D95 90FEFFFF LEA EDX,DWORD PTR SS:
00403320 .8D85 04FEFFFF LEA EAX,DWORD PTR SS:
00403326 .52 PUSH EDX
00403327 .8D8D 14FEFFFF LEA ECX,DWORD PTR SS:
0040332D .50 PUSH EAX
0040332E .8D55 DC LEA EDX,DWORD PTR SS:
00403331 .51 PUSH ECX
00403332 .52 PUSH EDX
00403333 .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
00403339 >85C0 TEST EAX,EAX ;this is a loop..
0040333B .0F84 C5020000 JE Crackme.00403606
00403341 .8D45 DC LEA EAX,DWORD PTR SS: ;this is the loop variable i, starting at i=1 and increased by 1 each iteration
00403344 .8D8D A0FEFFFF LEA ECX,DWORD PTR SS: ;the number 2
0040334A .50 PUSH EAX
0040334B .8D95 20FFFFFF LEA EDX,DWORD PTR SS:
00403351 .51 PUSH ECX
00403352 .52 PUSH EDX
00403353 .89B5 A8FEFFFF MOV DWORD PTR SS:,ESI
00403359 .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
0040335F .C785 98FEFFFF>MOV DWORD PTR SS:,1
00403369 .C785 90FEFFFF>MOV DWORD PTR SS:,8002 ;loop variable mod 2, to decide whether it is odd or even
00403373 .FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMod
00403379 .50 PUSH EAX
0040337A .8D85 90FEFFFF LEA EAX,DWORD PTR SS:
00403380 .50 PUSH EAX
00403381 .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vba

VarTstEq
00403387 .8D8D 20FFFFFF LEA ECX,DWORD PTR SS:
0040338D .8D55 DC LEA EDX,DWORD PTR SS:
00403390 .66:85C0 TEST AX,AX
00403393 .51 PUSH ECX
00403394 .C785 28FFFFFF>MOV DWORD PTR SS:,1
0040339E .89B5 20FFFFFF MOV DWORD PTR SS:,ESI
004033A4 .52 PUSH EDX
004033A5 .0F84 C8000000 JE Crackme.00403473 ;if the loop variable is a multiple of 2, jump
004033AB .FFD3 CALL EBX
004033AD .50 PUSH EAX
004033AE .8D85 7CFFFFFF LEA EAX,DWORD PTR SS: ;string1, made by concatenating the username and zjjtr
004033B4 .8D8D 10FFFFFF LEA ECX,DWORD PTR SS:
004033BA .50 PUSH EAX
004033BB .51 PUSH ECX
004033BC .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004033C2 .8D95 10FFFFFF LEA EDX,DWORD PTR SS: ;take the i-th character of string1
004033C8 .8D85 3CFFFFFF LEA EAX,DWORD PTR SS:
004033CE .52 PUSH EDX
004033CF .50 PUSH EAX
004033D0 .FFD7 CALL EDI ;convert to a string
004033D2 .50 PUSH EAX
004033D3 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
004033D9 .8D8D F0FEFFFF LEA ECX,DWORD PTR SS: ;convert the i-th character of string1 to its ASCII code
004033DF .8D55 DC LEA EDX,DWORD PTR SS:
004033E2 .51 PUSH ECX
004033E3 .52 PUSH EDX
004033E4 .66:8985 98FEF>MOV WORD PTR SS:,AX ;store string1's ASCII code
004033EB .89B5 90FEFFFF MOV DWORD PTR SS:,ESI
004033F1 .C785 F8FEFFFF>MOV DWORD PTR SS:,1
004033FB .89B5 F0FEFFFF MOV DWORD PTR SS:,ESI
00403401 .FFD3 CALL EBX
00403403 .50 PUSH EAX
00403404 .8D85 5CFFFFFF LEA EAX,DWORD PTR SS:
0040340A .8D8D E0FEFFFF LEA ECX,DWORD PTR SS:
00403410 .50 PUSH EAX
00403411 .51 PUSH ECX ;take the i-th character of string2
00403412 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00403418 .8D95 E0FEFFFF LEA EDX,DWORD PTR SS:
0040341E .8D85 38FFFFFF LEA EAX,DWORD PTR SS:
00403424 .52 PUSH EDX
00403425 .50 PUSH EAX
00403426 .FFD7 CALL EDI
00403428 .50 PUSH EAX
00403429 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0040342F .8D4D DC LEA ECX,DWORD PTR SS: ;convert string2's character to its ASCII code
00403432 .66:8985 78FEF>MOV WORD PTR SS:,AX ;store string2's value in [ebp-188]
00403439 .51 PUSH ECX
0040343A .89B5 70FEFFFF MOV DWORD PTR SS:,ESI
00403440 .C785 68FEFFFF>MOV DWORD PTR SS:,41
0040344A .89B5 60FEFFFF MOV DWORD PTR SS:,ESI
00403450 .C785 58FEFFFF>MOV DWORD PTR SS:,1A
0040345A .89B5 50FEFFFF MOV DWORD PTR SS:,ESI
00403460 .FFD3 CALL EBX
00403462 .8BD8 MOV EBX,EAX
00403464 .4B DEC EBX
00403465 .83FB 64 CMP EBX,64
00403468 .0F82 CA000000 JB Crackme.00403538 ;check whether the array access is out of bounds
0040346E .E9 BF000000 JMP Crackme.00403532
00403473 >FFD3 CALL EBX
00403475 .50 PUSH EAX
00403476 .8D85 7CFFFFFF LEA EAX,DWORD PTR SS:
0040347C .8D8D 10FFFFFF LEA ECX,DWORD PTR SS:
00403482 .50 PUSH EAX
00403483 .51 PUSH ECX ;取串1第i个字母
00403484 .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
0040348A .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
00403490 .8D85 3CFFFFFF LEA EAX,DWORD PTR SS:
00403496 .52 PUSH EDX
00403497 .50 PUSH EAX
00403498 .FFD7 CALL EDI
0040349A .50 PUSH EAX
0040349B .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
004034A1 .8D8D F0FEFFFF LEA ECX,DWORD PTR SS: ;得到串1的ASCII码
值
004034A7 .8D55 DC LEA EDX,DWORD PTR SS:
004034AA .51 PUSH ECX
004034AB .52 PUSH EDX
004034AC .66:8985 98FEF>MOV WORD PTR SS:,AX ;串1的ASCII码值放
在
004034B3 .89B5 90FEFFFF MOV DWORD PTR SS:,ESI
004034B9 .C785 F8FEFFFF>MOV DWORD PTR SS:,1
004034C3 .89B5 F0FEFFFF MOV DWORD PTR SS:,ESI
004034C9 .FFD3 CALL EBX
004034CB .50 PUSH EAX
004034CC .8D85 5CFFFFFF LEA EAX,DWORD PTR SS:
004034D2 .8D8D E0FEFFFF LEA ECX,DWORD PTR SS:
004034D8 .50 PUSH EAX
004034D9 .51 PUSH ECX ;取串2第i个字母
004034DA .FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ;
MSVBVM60.rtcMidCharVar
004034E0 .8D95 E0FEFFFF LEA EDX,DWORD PTR SS:
004034E6 .8D85 38FFFFFF LEA EAX,DWORD PTR SS:
004034EC .52 PUSH EDX
004034ED .50 PUSH EAX
004034EE .FFD7 CALL EDI
004034F0 .50 PUSH EAX
004034F1 .FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ;
MSVBVM60.rtcAnsiValueBstr
004034F7 .8D4D DC LEA ECX,DWORD PTR SS: ;得到串2的ASCII码
值
004034FA .66:8985 78FEF>MOV WORD PTR SS:,AX ;串2的ASCII码值放
在
00403501 .51 PUSH ECX
00403502 .89B5 70FEFFFF MOV DWORD PTR SS:,ESI
00403508 .C785 68FEFFFF>MOV DWORD PTR SS:,61
00403512 .89B5 60FEFFFF MOV DWORD PTR SS:,ESI
00403518 .C785 58FEFFFF>MOV DWORD PTR SS:,1A
00403522 .89B5 50FEFFFF MOV DWORD PTR SS:,ESI
00403528 .FFD3 CALL EBX
0040352A .8BD8 MOV EBX,EAX
0040352C .4B DEC EBX
0040352D .83FB 64 CMP EBX,64
00403530 .72 06 JB SHORT Crackme.00403538
00403532 >FF15 5C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;
MSVBVM60.__vbaGenerateBoundsError
00403538 >8D95 90FEFFFF LEA EDX,DWORD PTR SS: ;串1的第i个字母ASCII
码值, 即串1
0040353E .8D45 DC LEA EAX,DWORD PTR SS: ;这里是数字i
00403541 .52 PUSH EDX
00403542 .8D8D 00FFFFFF LEA ECX,DWORD PTR SS:
00403548 .50 PUSH EAX
00403549 .51 PUSH ECX ;串1*i
0040354A .FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMu>;
MSVBVM60.__vbaVarMul
00403550 .50 PUSH EAX
00403551 .8D95 70FEFFFF LEA EDX,DWORD PTR SS: ;串2
00403557 .8D85 D0FEFFFF LEA EAX,DWORD PTR SS:
0040355D .52 PUSH EDX
0040355E .50 PUSH EAX ;串1*i - 串2[ i]结
果放在
0040355F .FF15 04104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarSu>;
MSVBVM60.__vbaVarSub
00403565 .8D8D 60FEFFFF LEA ECX,DWORD PTR SS: ;一个字母记做ch, 如
果i为奇数,这里是大写字母A,
0040356B .50 PUSH EAX ; 否则为小写字母a
0040356C .8D95 C0FEFFFF LEA EDX,DWORD PTR SS:
00403572 .51 PUSH ECX
00403573 .52 PUSH EDX ;串1*i - 串2 +
ch
00403574 .FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAd>;
MSVBVM60.__vbaVarAdd
0040357A .50 PUSH EAX
0040357B .8D85 50FEFFFF LEA EAX,DWORD PTR SS: ;这里是数字1A
00403581 .8D8D B0FEFFFF LEA ECX,DWORD PTR SS:
00403587 .50 PUSH EAX
00403588 .51 PUSH ECX ;(串1 - 串2 +
ch) MOD (1A)
00403589 .FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMod
0040358F .50 PUSH EAX
00403590 .FF15 94104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2Var>;MSVBVM60.__vbaI2Var
00403596 .8B95 50FFFFFF MOV EDX,DWORD PTR SS: ;将结果转为整数
0040359C .8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:
004035A2 .66:89045A MOV WORD PTR DS:,AX ;将计算结果顺序保存
起来处
004035A6 .8D85 38FFFFFF LEA EAX,DWORD PTR SS:
004035AC .50 PUSH EAX
004035AD .51 PUSH ECX
004035AE .56 PUSH ESI
004035AF .FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;
MSVBVM60.__vbaFreeStrList
004035B5 .8D95 C0FEFFFF LEA EDX,DWORD PTR SS:
004035BB .8D85 E0FEFFFF LEA EAX,DWORD PTR SS:
004035C1 .52 PUSH EDX
004035C2 .8D8D F0FEFFFF LEA ECX,DWORD PTR SS:
004035C8 .50 PUSH EAX
004035C9 .8D95 10FFFFFF LEA EDX,DWORD PTR SS:
004035CF .51 PUSH ECX
004035D0 .8D85 20FFFFFF LEA EAX,DWORD PTR SS:
004035D6 .52 PUSH EDX
004035D7 .50 PUSH EAX
004035D8 .6A 05 PUSH 5
004035DA .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
004035E0 .83C4 24 ADD ESP,24
004035E3 .8D8D 04FEFFFF LEA ECX,DWORD PTR SS:
004035E9 .8D95 14FEFFFF LEA EDX,DWORD PTR SS:
004035EF .8D45 DC LEA EAX,DWORD PTR SS:
004035F2 .51 PUSH ECX
004035F3 .52 PUSH EDX
004035F4 .50 PUSH EAX
004035F5 .FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>;
MSVBVM60.__vbaVarForNext
004035FB .8B1D B8104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaI4>;MSVBVM60.__vbaI4Var
00403601 .^ E9 33FDFFFF JMP Crackme.00403339
00403606 >33DB XOR EBX,EBX
00403608 >8B7D 08 MOV EDI,DWORD PTR SS:
0040360B >8D95 A0FEFFFF LEA EDX,DWORD PTR SS:
00403611 .8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:
00403617 .899D A8FEFFFF MOV DWORD PTR SS:,EBX
0040361D .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
00403623 .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
00403629 .8D4D CC LEA ECX,DWORD PTR SS:
0040362C .8D95 A0FEFFFF LEA EDX,DWORD PTR SS:
00403632 .51 PUSH ECX
00403633 .52 PUSH EDX
00403634 .C785 A8FEFFFF>MOV DWORD PTR SS:,0F0 ;前3个字母的ASCII码
之和必须等于F0
0040363E .C785 A0FEFFFF>MOV DWORD PTR SS:,8002
00403648 .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
0040364E .66:85C0 TEST AX,AX
00403651 .74 76 JE SHORT Crackme.004036C9
00403653 .8D45 BC LEA EAX,DWORD PTR SS:
00403656 .8D8D A0FEFFFF LEA ECX,DWORD PTR SS:
0040365C .50 PUSH EAX
0040365D .51 PUSH ECX
0040365E .C785 A8FEFFFF>MOV DWORD PTR SS:,2D ;注册码 字母1值+字母
2值*2-字母3值*3 必须等于2D
00403668 .C785 A0FEFFFF>MOV DWORD PTR SS:,8002
00403672 .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
00403678 .66:85C0 TEST AX,AX
0040367B .74 4C JE SHORT Crackme.004036C9
0040367D .8D55 AC LEA EDX,DWORD PTR SS:
00403680 .8D85 A0FEFFFF LEA EAX,DWORD PTR SS:
00403686 .52 PUSH EDX
00403687 .50 PUSH EAX
00403688 .C785 A8FEFFFF>MOV DWORD PTR SS:,136 ;字母1值*3 - 字母2值
*4 + 字母3值 必须等于136
00403692 .C785 A0FEFFFF>MOV DWORD PTR SS:,8002
0040369C .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
004036A2 .66:85C0 TEST AX,AX
004036A5 .74 22 JE SHORT Crackme.004036C9
004036A7 .8D95 A0FEFFFF LEA EDX,DWORD PTR SS:
004036AD .8D8D 6CFFFFFF LEA ECX,DWORD PTR SS: ;全都比较成功,则将标
志变量置为true
004036B3 .C785 A8FEFFFF>MOV DWORD PTR SS:,1
004036BD .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
004036C3 .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
004036C9 >8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:
004036CF .8D95 A0FEFFFF LEA EDX,DWORD PTR SS:
004036D5 .51 PUSH ECX
004036D6 .52 PUSH EDX
004036D7 .C785 A8FEFFFF>MOV DWORD PTR SS:,1
004036E1 .C785 A0FEFFFF>MOV DWORD PTR SS:,8002 ;比较标志变量[ebp-
94]为true否.?
004036EB .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>;
MSVBVM60.__vbaVarTstEq
004036F1 .66:85C0 TEST AX,AX
004036F4 .0F84 C2000000 JE Crackme.004037BC
004036FA .B8 01000000 MOV EAX,1
004036FF .8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:
00403705 .8985 A8FEFFFF MOV DWORD PTR SS:,EAX
0040370B .8985 98FEFFFF MOV DWORD PTR SS:,EAX
00403711 .8D85 A0FEFFFF LEA EAX,DWORD PTR SS:
00403717 .8D95 20FFFFFF LEA EDX,DWORD PTR SS:
0040371D .50 PUSH EAX
0040371E .51 PUSH ECX
0040371F .52 PUSH EDX
00403720 .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
00403726 .89B5 90FEFFFF MOV DWORD PTR SS:,ESI ;取串1的长度
0040372C .FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenVa>;
MSVBVM60.__vbaLenVar
00403732 .50 PUSH EAX
00403733 .8D85 90FEFFFF LEA EAX,DWORD PTR SS:
00403739 .8D8D E4FDFFFF LEA ECX,DWORD PTR SS:
0040373F .50 PUSH EAX
00403740 .8D95 F4FDFFFF LEA EDX,DWORD PTR SS:
00403746 .51 PUSH ECX
00403747 .8D45 DC LEA EAX,DWORD PTR SS:
0040374A .52 PUSH EDX
0040374B .50 PUSH EAX ;设置下面循环变量的
上限为串1长度
0040374C .FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>;
MSVBVM60.__vbaVarForInit
00403752 >3BC3 CMP EAX,EBX ;这里又是一个循环..
将循环变量记为j
00403754 .74 66 JE SHORT Crackme.004037BC
00403756 .8D4D DC LEA ECX,DWORD PTR SS:
00403759 .51 PUSH ECX ;取循环变量j
0040375A .FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>;MSVBVM60.__vbaI4Var
00403760 .48 DEC EAX
00403761 .83F8 64 CMP EAX,64
00403764 .8985 48FEFFFF MOV DWORD PTR SS:,EAX ;判断数组访问是否越
界
0040376A .72 0C JB SHORT Crackme.00403778
0040376C .FF15 5C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>;
MSVBVM60.__vbaGenerateBoundsError
00403772 .8B85 48FEFFFF MOV EAX,DWORD PTR SS:
00403778 >8B95 50FFFFFF MOV EDX,DWORD PTR SS:
0040377E .66:391C42 CMP WORD PTR DS:,BX ;将前面那个循环产生
的结果逐个与0比较
00403782 .75 1A JNZ SHORT Crackme.0040379E
00403784 .8D85 E4FDFFFF LEA EAX,DWORD PTR SS:
0040378A .8D8D F4FDFFFF LEA ECX,DWORD PTR SS:
00403790 .50 PUSH EAX
00403791 .8D55 DC LEA EDX,DWORD PTR SS:
00403794 .51 PUSH ECX
00403795 .52 PUSH EDX
00403796 .FF15 D4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0040379C .^ EB B4 JMP SHORT Crackme.00403752
0040379E >8D95 A0FEFFFF LEA EDX,DWORD PTR SS:
004037A4 .8D8D 6CFFFFFF LEA ECX,DWORD PTR SS: ; if any of the comparisons against 0 above is not equal, set the flag variable to False
004037AA .899D A8FEFFFF MOV DWORD PTR SS:,EBX
004037B0 .89B5 A0FEFFFF MOV DWORD PTR SS:,ESI
004037B6 .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004037BC >8D85 6CFFFFFF LEA EAX,DWORD PTR SS:
004037C2 .8D8D A0FEFFFF LEA ECX,DWORD PTR SS:
004037C8 .50 PUSH EAX
004037C9 .51 PUSH ECX
004037CA .C785 A8FEFFFF>MOV DWORD PTR SS:,1
004037D4 .C785 A0FEFFFF>MOV DWORD PTR SS:,8002
004037DE .FF15 64104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
004037E4 .66:85C0 TEST AX,AX
004037E7 .0F84 18010000 JE Crackme.00403905
004037ED .8B17 MOV EDX,DWORD PTR DS:
004037EF .57 PUSH EDI
004037F0 .FF92 0C030000 CALL DWORD PTR DS:
004037F6 .50 PUSH EAX
004037F7 .8D85 30FFFFFF LEA EAX,DWORD PTR SS:
004037FD .50 PUSH EAX
004037FE .FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00403804 .8BF0 MOV ESI,EAX
00403806 .68 24224000 PUSH Crackme.00402224 ;UNICODE "Congratulations"
0040380B .56 PUSH ESI
0040380C .8B0E MOV ECX,DWORD PTR DS:
0040380E .FF51 54 CALL DWORD PTR DS:
00403811 .3BC3 CMP EAX,EBX
00403813 .DBE2 FCLEX
00403815 .7D 0F JGE SHORT Crackme.00403826
00403817 .6A 54 PUSH 54
00403819 .68 74224000 PUSH Crackme.00402274
0040381E .56 PUSH ESI
0040381F .50 PUSH EAX
............ rest omitted ..................
To summarize the algorithm:
1. regcode+regcode+regcode = F0;
regcode+regcode*2-regcode*3 = 2D;
regcode*3-regcode*4+regcode = 136;
Solving this linear system gives the regcode characters 'P', 'Y', 'G' respectively.
In addition regcode must be 2D, i.e. '-'.
2. string 1 = username + "zjjtr";
string 2 = the registration code with the first 4 characters removed;
the length of string 1 must equal the length of string 2.
3. for (i=0; i<len(string 1); i++)
{
ch = (i%2==0) ? 'A' : 'a';
sum = string1[i]*(i+1) - string2[i] + ch;
sum % 1A == 0 must hold
}
VC keygen source (the keygen and the full source are in the attachment):
void CForTempCrackmeDlg::OnOK()
{
	// TODO: Add extra validation here
	char name[256];                           // user name, with room for the "zjjtr" suffix
	char code[256] = {'P', 'Y', 'G', '-', 0}; // registration code, fixed "PYG-" prefix
	int namelen = GetDlgItemText(IDC_USER, name, 128);
	int i, j;
	char ch;
	unsigned long temp;
	strcpy(name+namelen, "zjjtr");            // string 1 = user name + "zjjtr"
	namelen += 5;
	for (i=0; i<namelen; i++)
	{
		ch = (i%2==0) ? 'A' : 'a';
		// step down from name[i]*(i+1)+ch in multiples of 0x1A until the value
		// is a printable character; (name[i]*(i+1) - code[i+4] + ch) % 0x1A == 0 then holds
		for (j=0; j<10000; j++)
		{
			temp = name[i]*(i+1) + ch - j*0x1A;
			if ('0'<=temp && 'z'>=temp)
			{
				code[i+4] = (char)temp;
				break;
			}
		}
	}
	SetDlgItemText(IDC_CODE, code);
}
By the way, here is how to read the real data in VB's VARIANT type; the "stored in" in my text above has to be read this way.
Look at the VARIANT definition in VC:
struct tagVARIANT
{
    union
    {
        struct __tagVARIANT
        {
            VARTYPE vt;
            WORD wReserved1;
            WORD wReserved2;
            WORD wReserved3;
            union
            {
                LONG lVal;
                BYTE bVal;
                SHORT iVal;
                FLOAT fltVal;
                DOUBLE dblVal;
                VARIANT_BOOL boolVal;
                _VARIANT_BOOL bool;
                SCODE scode;
                CY cyVal;
                DATE date;
                BSTR bstrVal;
                IUnknown __RPC_FAR *punkVal;
                IDispatch __RPC_FAR *pdispVal;
                SAFEARRAY __RPC_FAR *parray;
                BYTE __RPC_FAR *pbVal;
                SHORT __RPC_FAR *piVal;
                LONG __RPC_FAR *plVal;
                FLOAT __RPC_FAR *pfltVal;
                DOUBLE __RPC_FAR *pdblVal;
                VARIANT_BOOL __RPC_FAR *pboolVal;
                _VARIANT_BOOL __RPC_FAR *pbool;
                SCODE __RPC_FAR *pscode;
                CY __RPC_FAR *pcyVal;
                DATE __RPC_FAR *pdate;
                BSTR __RPC_FAR *pbstrVal;
                IUnknown __RPC_FAR *__RPC_FAR *ppunkVal;
                IDispatch __RPC_FAR *__RPC_FAR *ppdispVal;
                SAFEARRAY __RPC_FAR *__RPC_FAR *pparray;
                VARIANT __RPC_FAR *pvarVal;
                PVOID byref;
                CHAR cVal;
                USHORT uiVal;
                ULONG ulVal;
                INT intVal;
                UINT uintVal;
                DECIMAL __RPC_FAR *pdecVal;
                CHAR __RPC_FAR *pcVal;
                USHORT __RPC_FAR *puiVal;
                ULONG __RPC_FAR *pulVal;
                INT __RPC_FAR *pintVal;
                UINT __RPC_FAR *puintVal;
                struct __tagBRECORD
                {
                    PVOID pvRecord;
                    IRecordInfo __RPC_FAR *pRecInfo;
                } __VARIANT_NAME_4;
            } __VARIANT_NAME_3;
        } __VARIANT_NAME_2;
        DECIMAL decVal;
    } __VARIANT_NAME_1;
};
typedef tagVARIANT VARIANT;
Look at VARTYPE vt;
WORD wReserved1;
WORD wReserved2;
WORD wReserved3;
These occupy 8 bytes, so the real data starts at the 9th byte. When we run into a VARIANT in memory we have to move our eyes to the 9th byte before we read the actual data.
The first 2 bytes, VARTYPE vt, are also very important: they tell what type of data this VARIANT holds, whether a string, a short integer, a long integer, or any of the other types. Here is the list of types for reference:
VT_EMPTY = 0,
VT_NULL = 1,
VT_I2 = 2,
VT_I4 = 3,
VT_R4 = 4,
VT_R8 = 5,
VT_CY = 6,
VT_DATE = 7,
VT_BSTR = 8,
VT_DISPATCH = 9,
VT_ERROR = 10,
VT_BOOL = 11,
VT_VARIANT = 12,
VT_UNKNOWN = 13,
VT_DECIMAL = 14,
VT_I1 = 16,
VT_UI1 = 17,
VT_UI2 = 18,
VT_UI4 = 19,
VT_I8 = 20,
VT_UI8 = 21,
VT_INT = 22,
VT_UINT = 23,
VT_VOID = 24,
VT_HRESULT = 25,
VT_PTR = 26,
VT_SAFEARRAY = 27,
VT_CARRAY = 28,
VT_USERDEFINED = 29,
VT_LPSTR = 30,
VT_LPWSTR = 31,
VT_RECORD = 36,
VT_FILETIME = 64,
VT_BLOB = 65,
VT_STREAM = 66,
VT_STORAGE = 67,
VT_STREAMED_OBJECT = 68,
VT_STORED_OBJECT = 69,
VT_BLOB_OBJECT = 70,
VT_CF = 71,
VT_CLSID = 72,
VT_BSTR_BLOB = 0xfff,
VT_VECTOR = 0x1000,
VT_ARRAY = 0x2000,
VT_BYREF = 0x4000,
VT_RESERVED = 0x8000,
VT_ILLEGAL = 0xffff,
VT_ILLEGALMASKED = 0xfff,
VT_TYPEMASK = 0xfff
This is what tells the type of the data inside the VARIANT.
So if you meet a VARIANT in memory and do not understand it, first check which type of data it holds, then look at what is stored from the 9th byte on; that is usually enough to work out what the VARIANT's data means.
Everything written here is my personal experience; if anything is wrong, please correct me~~~~~~~~
[ This post was last edited by vecri on 2008-1-1 22:26 ]
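As an added example (not from vecri's post or the attached keygen), here is a stand-alone C keygen and checker for the algorithm exactly as summarized in the post above: string 1 = username + "zjjtr", the code is "PYG-" followed by one character per byte of string 1, and at 0-based position i the code character c must satisfy (string1[i]*(i+1) - c + ch) % 0x1A == 0 with ch = 'A' for even i and 'a' for odd i. It assumes that summary is correct; the function names, buffer sizes and the sample user name are my own choices.

```c
/* Added example, not part of the original post. Implements the algorithm as
 * summarized in vecri's analysis; if that summary is wrong, so is this code. */
#include <stdio.h>
#include <string.h>

#define SALT    "zjjtr"   /* appended to the user name to form string 1 */
#define PREFIX  "PYG-"    /* fixed first 4 characters of the code */
#define MODULUS 0x1A

/* Build string 1 = user + SALT into s1; returns its length, or 0 if too long. */
static size_t build_string1(const char *user, char *s1, size_t s1len)
{
    size_t n = strlen(user);
    if (n + strlen(SALT) >= s1len)
        return 0;
    memcpy(s1, user, n);
    strcpy(s1 + n, SALT);
    return n + strlen(SALT);
}

/* Write a valid code for `user` into out[outlen]. Returns 0 on success, -1 if a
 * buffer is too small. For each position it picks the largest character <= 'z'
 * in the right residue class, which is the same choice the MFC keygen makes by
 * stepping down in multiples of 0x1A, so both produce identical codes for
 * ASCII user names. */
int pyg_keygen(const char *user, char *out, size_t outlen)
{
    char s1[512];
    size_t n = build_string1(user, s1, sizeof s1);
    if (n == 0 || strlen(PREFIX) + n + 1 > outlen)
        return -1;
    strcpy(out, PREFIX);
    for (size_t i = 0; i < n; i++) {
        int  ch   = (i % 2 == 0) ? 'A' : 'a';
        long base = (long)(unsigned char)s1[i] * (long)(i + 1) + ch;
        /* distance from 'z' down to the nearest value congruent to base mod 0x1A */
        long down = (('z' - base) % MODULUS + MODULUS) % MODULUS;
        out[strlen(PREFIX) + i] = (char)('z' - down);   /* always lands in 'a'..'z' */
    }
    out[strlen(PREFIX) + n] = '\0';
    return 0;
}

/* Check a code the way the crackme is described to: "PYG-" prefix, the rest as
 * long as string 1, and every position satisfying the modular relation. */
int pyg_check(const char *user, const char *code)
{
    char s1[512];
    size_t n = build_string1(user, s1, sizeof s1);
    if (n == 0 || strncmp(code, PREFIX, strlen(PREFIX)) != 0)
        return 0;
    const char *s2 = code + strlen(PREFIX);
    if (strlen(s2) != n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        int  ch  = (i % 2 == 0) ? 'A' : 'a';
        long sum = (long)(unsigned char)s1[i] * (long)(i + 1)
                 - (unsigned char)s2[i] + ch;
        if (sum % MODULUS != 0)   /* 0 iff divisible, for negative sums too */
            return 0;
    }
    return 1;
}

/* Convenience: does the generated code for `user` equal `expected`? */
int pyg_keygen_matches(const char *user, const char *expected)
{
    char code[600];
    return pyg_keygen(user, code, sizeof code) == 0 && strcmp(code, expected) == 0;
}

int main(void)
{
    const char *user = "vecri";   /* constructed sample input */
    char code[600];
    if (pyg_keygen(user, code, sizeof code) == 0)
        printf("%s -> %s (check=%d)\n", user, code, pyg_check(user, code));
    return 0;
}
```

Because every position is solved independently modulo 0x1A, each position has several valid characters; the checker accepts all of them, while the keygen (like the MFC one) always returns the lowercase representative.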
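The VARIANT reading rule in the post (type tag in the first 2 bytes, skip to the 9th byte for the data, check VT_BYREF because then the payload is only a pointer) as an added example, not code from the post or the crackme. It mirrors the quoted layout in a hand-written 32-bit struct so it compiles off Windows; the VT_* values are the documented ones, and the byte strings are constructed to look like an OllyDbg dump rather than taken from the crackme.

```c
/* Added example, not part of the original post: decode a raw 16-byte VARIANT as
 * it appears in a memory dump of a 32-bit VB6 process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { VT_I2 = 2, VT_I4 = 3, VT_R8 = 5, VT_BSTR = 8, VT_BOOL = 11,
       VT_BYREF = 0x4000, VT_TYPEMASK = 0xfff };

typedef struct {
    uint16_t vt;            /* bytes 0-1: what the payload is */
    uint16_t reserved[3];   /* bytes 2-7: the padding the text says to skip over */
    union {                 /* bytes 8-15: the actual data */
        int16_t  iVal;      /* VT_I2, VT_BOOL (True is -1 = 0xFFFF) */
        int32_t  lVal;      /* VT_I4 */
        double   dblVal;    /* VT_R8 */
        uint32_t ptr32;     /* VT_BSTR / VT_BYREF: a 32-bit pointer in a VB6 process */
    } u;
} variant32;
_Static_assert(sizeof(variant32) == 16, "VARIANT must be 16 bytes");

/* Decode `raw` into a one-line description; returns the full vt value. */
int decode_variant(const uint8_t raw[16], char *out, size_t outlen)
{
    variant32 v;
    memcpy(&v, raw, sizeof v);          /* dump bytes are little-endian x86 */
    int base = v.vt & VT_TYPEMASK;
    if (v.vt & VT_BYREF) {              /* payload is a pointer to the value */
        snprintf(out, outlen, "BYREF base=%d -> 0x%08X", base, (unsigned)v.u.ptr32);
        return v.vt;
    }
    switch (base) {
    case VT_I2:   snprintf(out, outlen, "I2 %d", (int)v.u.iVal); break;
    case VT_I4:   snprintf(out, outlen, "I4 %d", (int)v.u.lVal); break;
    case VT_R8:   snprintf(out, outlen, "R8 %g", v.u.dblVal); break;
    case VT_BOOL: snprintf(out, outlen, "BOOL %s", v.u.iVal ? "True" : "False"); break;
    case VT_BSTR: snprintf(out, outlen, "BSTR at 0x%08X", (unsigned)v.u.ptr32); break;
    default:      snprintf(out, outlen, "vt=0x%04X, see the VT_* table", v.vt); break;
    }
    return v.vt;
}

/* Same, into a static buffer, so callers can compare the text directly. */
const char *describe_variant(const uint8_t raw[16])
{
    static char desc[64];
    decode_variant(raw, desc, sizeof desc);
    return desc;
}

/* Constructed samples, written byte-by-byte as a dump window would show them. */
const uint8_t sample_i4[16]    = {0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                                  0x2D,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
const uint8_t sample_bool[16]  = {0x0B,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                                  0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00};
const uint8_t sample_byref[16] = {0x02,0x40,0x00,0x00,0x00,0x00,0x00,0x00,
                                  0x78,0x56,0x34,0x12,0x00,0x00,0x00,0x00};

int main(void)
{
    printf("%s\n", describe_variant(sample_i4));
    printf("%s\n", describe_variant(sample_bool));
    printf("%s\n", describe_variant(sample_byref));
    return 0;
}
```

The VT_BYREF case is the one that bites when reading dumps by eye: the 4 bytes at offset 8 are then an address to follow, not the number you are comparing against.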
lgjxj
Posted on 2008-1-1 22:36:35
The poster above is strong in both theory and practice, awesome
冷血书生
Posted on 2008-2-11 23:08:52
Originally posted by vecri on 2008-1-1 21:50
I'm just a little newbie..... if my analysis is wrong, please correct me~
00402A50 > \55 PUSH EBP ; set a breakpoint here..
00402A51 .8BEC MOV EBP,ESP
00402A53 .83EC 0C ...
If this counts as simple, I am really going to cough up blood!
yybns
Posted on 2008-2-14 14:57:39
Still a newbie. Continuing to learn......