Cracking analysis of 深海游侠's crackme^1 (and a word on using OD plugins~~)
【Title】Cracking analysis of 深海游侠's crackme^1 (and a word on using OD plugins~~)【Author】飘云
【Platform】WinXP
【Author e-mail】[email protected]
【Software】深海游侠 crackme^1
【Size】200KB
【Download】local download
【Description】My first Crackme, everyone give it a try and point out anything lacking!
This is my first crackme. Without exaggeration, I'm a complete novice at programming, and making this took me half the night.
This crackme is written in VB6.0 and packed with ASPACK 2.12. Don't worry, I made it purely to practise tracing VB software myself; everyone try it too, and feel free to point out any shortcomings. Thanks in advance.
Also, preferably don't patch it; it's best to trace out the registration code. The algorithm isn't hard, it's just that VB is a bit messy to look at.
One more thing: because I got the types mixed up when writing it, the username must be numeric! Generally speaking, once you get the registration prompt to show up you've won more than half the battle.
【Tools】OD
【Protection】greyed-out button + serial number
【Goal】Learning to crack; getting proficient with the various tools.
【Declaration】I'm just a small newbie who picked up a few insights and wants to share them :)
【Steps】Since the author already said it's packed with aspack 2.12, let's unpack it first; OD takes care of that! Then run the program and see that the "Register" button is greyed out. Ugh!!~ No matter, doesn't OD ship with a plugin for this? Heh heh! Bring it out... With the program loaded and running in OD: "Plugins" -- "Window Tools" -- "Window Tools", then follow the prompts to enable the "Register" button. Of course you can also use "灰色按钮激活专家" (a grey-button enabler tool), heh~~
Setting a breakpoint with bp rtcMsgBox brings us to the key code below (note: I have omitted the code that checks whether a username and registration code were entered, and only paste the core algorithm).
0043690F C785 34FFFFFF 40E>mov dword ptr ss:,1E240 ; 1E240(123456)
00436919 C785 2CFFFFFF 030>mov dword ptr ss:,3
00436923 FF15 B0104000 call dword ptr ds:[<&msvbvm60.__vbaVarAdd>] ; username + 123456
00436929 50 push eax
0043692A FF15 18104000 call dword ptr ds:[<&msvbvm60.__vbaStrVarMove>]; msvbvm60.__vbaStrVarMove
00436930 8BD0 mov edx,eax ; result of the addition
00436932 8D4D 98 lea ecx,dword ptr ss:
00436935 FF15 C0104000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
0043693B 8D8D 6CFFFFFF lea ecx,dword ptr ss:
00436941 FF15 14104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
00436947 8B55 98 mov edx,dword ptr ss:
0043694A 52 push edx
0043694B FF15 A0104000 call dword ptr ds:[<&msvbvm60.__vbaI4Str>] ; string to Long integer (the author calls this "taking the hex value")
00436951 83F0 38 xor eax,38 ; eax xor 38 (eax is the above result as a hex integer)
00436954 50 push eax
00436955 FF15 10104000 call dword ptr ds:[<&msvbvm60.__vbaStrI4>] ; Long back to string (the author: "convert to hex")
0043695B 8BD0 mov edx,eax ; result back into edx; call it A
0043695D 8D4D 98 lea ecx,dword ptr ss:
00436960 FF15 C0104000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
00436966 8D45 84 lea eax,dword ptr ss:
00436969 8D8D 2CFFFFFF lea ecx,dword ptr ss:
0043696F 50 push eax
00436970 51 push ecx
00436971 C785 34FFFFFF 070>mov dword ptr ss:,7
0043697B C785 2CFFFFFF 028>mov dword ptr ss:,8002
00436985 FF15 00104000 call dword ptr ds:[<&msvbvm60.__vbaVarTstGt>] ; msvbvm60.__vbaVarTstGt
0043698E /74 53 je short unpack.004369E3
00436990 |B8 04000280 mov eax,80020004
00436995 |BF 0A000000 mov edi,0A
0043699A |8D95 1CFFFFFF lea edx,dword ptr ss:
004369A0 |8D8D 5CFFFFFF lea ecx,dword ptr ss:
004369A6 |8985 44FFFFFF mov dword ptr ss:,eax
004369AC |89BD 3CFFFFFF mov dword ptr ss:,edi
004369B2 |8985 54FFFFFF mov dword ptr ss:,eax
004369B8 |89BD 4CFFFFFF mov dword ptr ss:,edi
004369BE |C785 24FFFFFF 401>mov dword ptr ss:,unpack.00431E40
004369C8 |899D 1CFFFFFF mov dword ptr ss:,ebx
004369CE |FF15 B4104000 call dword ptr ds:[<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
004369D4 |C785 34FFFFFF 281>mov dword ptr ss:,unpack.00431E28
004369DE |E9 77010000 jmp unpack.00436B5A
004369E3 \8D4D CC lea ecx,dword ptr ss:
004369E6 8D95 2CFFFFFF lea edx,dword ptr ss:
004369EC 51 push ecx
004369ED 8D85 6CFFFFFF lea eax,dword ptr ss:
004369F3 52 push edx
004369F4 50 push eax
**********************★From here on is the author's decoy code; analyse it yourself★*******************************************
004369F5 C785 34FFFFFF 24F>mov dword ptr ss:,4F724 ; 4F724 (decimal 325412)
004369FF C785 2CFFFFFF 030>mov dword ptr ss:,3
00436A09 FF15 B0104000 call dword ptr ds:[<&msvbvm60.__vbaVarAdd>] ; msvbvm60.__vbaVarAdd
00436A0F 8BD0 mov edx,eax
00436A11 8D4D CC lea ecx,dword ptr ss:
00436A14 FFD7 call edi
00436A16 8D4D CC lea ecx,dword ptr ss:
00436A19 8D95 2CFFFFFF lea edx,dword ptr ss:
00436A1F 51 push ecx
00436A20 8D85 6CFFFFFF lea eax,dword ptr ss:
00436A26 52 push edx
00436A27 50 push eax
00436A28 C785 34FFFFFF 380>mov dword ptr ss:,38 ; 38
00436A32 C785 2CFFFFFF 020>mov dword ptr ss:,2
00436A3C FF15 38104000 call dword ptr ds:[<&msvbvm60.__vbaVarXor>] ; 4F724 (decimal 325412) xor 38 (decimal 56)
00436A42 8BD0 mov edx,eax
00436A44 8D4D CC lea ecx,dword ptr ss:
00436A47 FFD7 call edi
00436A49 8D4D CC lea ecx,dword ptr ss:
00436A4C 8D95 6CFFFFFF lea edx,dword ptr ss:
00436A52 51 push ecx
00436A53 52 push edx
00436A54 FF15 30104000 call dword ptr ds:[<&msvbvm60.__vbaLenVar>] ; msvbvm60.__vbaLenVar
00436A5A 8BD0 mov edx,eax
00436A5C 8D4D BC lea ecx,dword ptr ss:
00436A5F FFD7 call edi
00436A61 8D85 6CFFFFFF lea eax,dword ptr ss:
00436A67 8D4D CC lea ecx,dword ptr ss:
00436A6A 50 push eax
00436A6B 6A 01 push 1
00436A6D 8D95 5CFFFFFF lea edx,dword ptr ss:
00436A73 51 push ecx
00436A74 52 push edx
00436A75 C785 74FFFFFF 040>mov dword ptr ss:,4
00436A7F C785 6CFFFFFF 020>mov dword ptr ss:,2
00436A89 FF15 54104000 call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; msvbvm60.rtcMidCharVar
00436A8F 8D95 5CFFFFFF lea edx,dword ptr ss:
00436A95 8D4D CC lea ecx,dword ptr ss:
00436A98 FFD7 call edi
00436A9A 8D8D 6CFFFFFF lea ecx,dword ptr ss:
00436AA0 FF15 14104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
00436AA6 8D45 CC lea eax,dword ptr ss:
00436AA9 8D4D BC lea ecx,dword ptr ss:
00436AAC 50 push eax
00436AAD 8D95 6CFFFFFF lea edx,dword ptr ss:
00436AB3 51 push ecx
00436AB4 52 push edx
00436AB5 FF15 78104000 call dword ptr ds:[<&msvbvm60.__vbaVarMul>] ; msvbvm60.__vbaVarMul
00436ABB 8BD0 mov edx,eax
00436ABD 8D4D CC lea ecx,dword ptr ss:
00436AC0 FFD7 call edi
00436AC2 8D45 CC lea eax,dword ptr ss:
00436AC5 8D4D BC lea ecx,dword ptr ss:
00436AC8 50 push eax
00436AC9 8D95 6CFFFFFF lea edx,dword ptr ss:
00436ACF 51 push ecx
00436AD0 52 push edx
00436AD1 FF15 38104000 call dword ptr ds:[<&msvbvm60.__vbaVarXor>] ; msvbvm60.__vbaVarXor
00436AD7 8BD0 mov edx,eax
00436AD9 8D4D CC lea ecx,dword ptr ss:
00436ADC FFD7 call edi
00436ADE 8D45 84 lea eax,dword ptr ss:
00436AE1 8D8D 2CFFFFFF lea ecx,dword ptr ss:
00436AE7 50 push eax
00436AE8 51 push ecx
00436AE9 C785 34FFFFFF 060>mov dword ptr ss:,6
00436AF3 C785 2CFFFFFF 028>mov dword ptr ss:,8002
00436AFD FF15 00104000 call dword ptr ds:[<&msvbvm60.__vbaVarTstGt>] ; msvbvm60.__vbaVarTstGt
00436B03 66:85C0 test ax,ax
00436B06 0F84 E6000000 je unpack.00436BF2
00436B0C B8 04000280 mov eax,80020004
00436B11 BF 0A000000 mov edi,0A
00436B16 8D95 1CFFFFFF lea edx,dword ptr ss:
00436B1C 8D8D 5CFFFFFF lea ecx,dword ptr ss:
00436B22 8985 44FFFFFF mov dword ptr ss:,eax
00436B28 89BD 3CFFFFFF mov dword ptr ss:,edi
00436B2E 8985 54FFFFFF mov dword ptr ss:,eax
00436B34 89BD 4CFFFFFF mov dword ptr ss:,edi
00436B3A C785 24FFFFFF 401>mov dword ptr ss:,unpack.00431E40
00436B44 899D 1CFFFFFF mov dword ptr ss:,ebx
00436B4A FF15 B4104000 call dword ptr ds:[<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
00436B50 C785 34FFFFFF 4C1>mov dword ptr ss:,unpack.00431E4C ; ASCII "+R@w%`,"
00436B5A 8D95 2CFFFFFF lea edx,dword ptr ss:
00436B60 8D8D 6CFFFFFF lea ecx,dword ptr ss:
00436B66 899D 2CFFFFFF mov dword ptr ss:,ebx
00436B6C FF15 B4104000 call dword ptr ds:[<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
00436B72 8D95 3CFFFFFF lea edx,dword ptr ss:
00436B78 8D85 4CFFFFFF lea eax,dword ptr ss:
00436B7E 52 push edx
00436B7F 8D8D 5CFFFFFF lea ecx,dword ptr ss:
00436B85 50 push eax
00436B86 51 push ecx
00436B87 8D95 6CFFFFFF lea edx,dword ptr ss:
00436B8D 57 push edi
00436B8E 52 push edx
00436B8F FF15 40104000 call dword ptr ds:[<&msvbvm60.rtcMsgBox>] ; "别着急,快成功了!" ("Don't rush, you're almost there!")
************************************As you can see, the code above is completely unrelated********************************
00436B95 8D85 3CFFFFFF lea eax,dword ptr ss:
00436B9B 8D8D 4CFFFFFF lea ecx,dword ptr ss:
00436BA1 50 push eax
00436BA2 8D95 5CFFFFFF lea edx,dword ptr ss:
00436BA8 51 push ecx
00436BA9 8D85 6CFFFFFF lea eax,dword ptr ss:
00436BAF 52 push edx
00436BB0 50 push eax
00436BB1 6A 04 push 4
00436BB3 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00436BB9 8B0E mov ecx,dword ptr ds:
00436BBB 83C4 14 add esp,14
00436BBE 56 push esi
00436BBF FF91 04030000 call dword ptr ds:
00436BC5 8D95 7CFFFFFF lea edx,dword ptr ss:
00436BCB 50 push eax
00436BCC 52 push edx
00436BCD FF15 3C104000 call dword ptr ds:[<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00436BD3 8BF0 mov esi,eax
00436BD5 68 DC1D4300 push unpack.00431DDC
00436BDA 56 push esi
00436BDB 8B06 mov eax,dword ptr ds:
00436BDD FF90 A4000000 call dword ptr ds:
00436BE3 85C0 test eax,eax
00436BE5 DBE2 fclex
00436BE7 0F8D 9D020000 jge unpack.00436E8A
00436BED E9 86020000 jmp unpack.00436E78
00436BF2 8B4D 98 mov ecx,dword ptr ss:
00436BF5 51 push ecx
00436BF6 FF15 90104000 call dword ptr ds:[<&msvbvm60.__vbaR8Str>] ; msvbvm60.__vbaR8Str
00436BFC DC05 E8104000 fadd qword ptr ds: ; = 1; this line means A+1, call it B
00436C02 8B3D 68104000 mov edi,dword ptr ds:[<&msvbvm60.__vbaStrR8>] ; msvbvm60.__vbaStrR8
00436C08 83EC 08 sub esp,8
00436C0B DFE0 fstsw ax
00436C0D A8 0D test al,0D
00436C0F 0F85 1A030000 jnz unpack.00436F2F
00436C15 DD1C24 fstp qword ptr ss:
00436C18 FFD7 call edi
00436C1A 8BD0 mov edx,eax
00436C1C 8D4D 98 lea ecx,dword ptr ss:
00436C1F FF15 C0104000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
00436C25 8B55 98 mov edx,dword ptr ss:
00436C28 52 push edx
00436C29 FF15 90104000 call dword ptr ds:[<&msvbvm60.__vbaR8Str>] ; msvbvm60.__vbaR8Str
00436C2F DC25 E0104000 fsub qword ptr ds: ; = 21; this line means B-21, call it C
00436C35 83EC 08 sub esp,8
00436C38 DFE0 fstsw ax
00436C3A A8 0D test al,0D
00436C3C 0F85 ED020000 jnz unpack.00436F2F
00436C42 DD1C24 fstp qword ptr ss:
00436C45 FFD7 call edi
00436C47 8BD0 mov edx,eax
00436C49 8D4D 98 lea ecx,dword ptr ss:
00436C4C FF15 C0104000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
00436C52 8B45 98 mov eax,dword ptr ss:
00436C55 8D4D 9C lea ecx,dword ptr ss:
00436C58 8D95 2CFFFFFF lea edx,dword ptr ss:
00436C5E 51 push ecx
00436C5F 52 push edx
00436C60 8985 34FFFFFF mov dword ptr ss:,eax
00436C66 C785 2CFFFFFF 088>mov dword ptr ss:,8008
00436C70 FF15 60104000 call dword ptr ds:[<&msvbvm60.__vbaVarTstEq>] ; msvbvm60.__vbaVarTstEq
00436C76 66:85C0 test ax,ax
00436C79 B8 04000280 mov eax,80020004
00436C7E BF 0A000000 mov edi,0A
00436C83 8985 44FFFFFF mov dword ptr ss:,eax
00436C89 89BD 3CFFFFFF mov dword ptr ss:,edi
00436C8F 8985 54FFFFFF mov dword ptr ss:,eax
00436C95 89BD 4CFFFFFF mov dword ptr ss:,edi
00436C9B 0F84 1C010000 je unpack.00436DBD ; ====##### patch point #####====
00436CA1 8D95 1CFFFFFF lea edx,dword ptr ss:
00436CA7 8D8D 5CFFFFFF lea ecx,dword ptr ss:
00436CAD C785 24FFFFFF 881>mov dword ptr ss:,unpack.00431E88
00436CB7 899D 1CFFFFFF mov dword ptr ss:,ebx
00436CBD FF15 B4104000 call dword ptr ds:[<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
00436CC3 8D95 2CFFFFFF lea edx,dword ptr ss:
00436CC9 8D8D 6CFFFFFF lea ecx,dword ptr ss:
00436CCF C785 34FFFFFF 681>mov dword ptr ss:,unpack.00431E68 ; ASCII "`O/f*N}Yc"
00436CD9 899D 2CFFFFFF mov dword ptr ss:,ebx
00436CDF FF15 B4104000 call dword ptr ds:[<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
00436CE5 8D85 3CFFFFFF lea eax,dword ptr ss:
00436CEB 8D8D 4CFFFFFF lea ecx,dword ptr ss:
00436CF1 50 push eax
00436CF2 8D95 5CFFFFFF lea edx,dword ptr ss:
00436CF8 51 push ecx
00436CF9 52 push edx
00436CFA 8D85 6CFFFFFF lea eax,dword ptr ss:
00436D00 57 push edi
00436D01 50 push eax
00436D02 FF15 40104000 call dword ptr ds:[<&msvbvm60.rtcMsgBox>] ; "你是一个好cracker" ("You are a good cracker") ★The summit of glory!★
00436D08 8D8D 3CFFFFFF lea ecx,dword ptr ss:
00436D0E 8D95 4CFFFFFF lea edx,dword ptr ss:
00436D14 51 push ecx
00436D15 8D85 5CFFFFFF lea eax,dword ptr ss:
.
.
.
.
(some code omitted)
00436E0D 52 push edx
00436E0E 8D8D 5CFFFFFF lea ecx,dword ptr ss:
00436E14 50 push eax
00436E15 51 push ecx
00436E16 8D95 6CFFFFFF lea edx,dword ptr ss:
00436E1C 57 push edi
00436E1D 52 push edx
00436E1E FF15 40104000 call dword ptr ds:[<&msvbvm60.rtcMsgBox>] ; "不要会心,重新来过!" ("Don't lose heart, try again!")
00436E24 8D85 3CFFFFFF lea eax,dword ptr ss:
00436E2A 8D8D 4CFFFFFF lea ecx,dword ptr ss:
00436E30 50 push eax
00436E31 8D95 5CFFFFFF lea edx,dword ptr ss:
00436E37 51 push ecx
00436E38 8D85 6CFFFFFF lea eax,dword ptr ss:
00436E3E 52 push edx
00436E3F 50 push eax
00436E40 6A 04 push 4
00436E42 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00436E48 8B0E mov ecx,dword ptr ds:
00436E4A 83C4 14 add esp,14
00436E4D 56 push esi
00436E4E FF91 04030000 call dword ptr ds:
00436E54 8D95 7CFFFFFF lea edx,dword ptr ss:
00436E5A 50 push eax
00436E5B 52 push edx
00436E5C FF15 3C104000 call dword ptr ds:[<&msvbvm60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00436E62 8BF0 mov esi,eax
00436E64 68 DC1D4300 push unpack.00431DDC
00436E69 56 push esi
00436E6A 8B06 mov eax,dword ptr ds:
00436E6C FF90 A4000000 call dword ptr ds:
00436E72 85C0 test eax,eax
00436E74 DBE2 fclex
00436E76 7D 12 jge short unpack.00436E8A
00436E78 68 A4000000 push 0A4
00436E7D 68 C81D4300 push unpack.00431DC8
00436E82 56 push esi
00436E83 50 push eax
00436E84 FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaHresultCheckO>; msvbvm60.__vbaHresultCheckObj
00436E8A 8D8D 7CFFFFFF lea ecx,dword ptr ss:
00436E90 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00436E96 C745 FC 00000000mov dword ptr ss:,0
00436E9D 9B wait
00436E9E 68 106F4300 push unpack.00436F10
00436EA3 EB 3D jmp short unpack.00436EE2
00436EA5 8D4D 80 lea ecx,dword ptr ss:
00436EA8 FF15 D4104000 call dword ptr ds:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00436EAE 8D8D 7CFFFFFF lea ecx,dword ptr ss:
00436EB4 FF15 D0104000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00436EBA 8D8D 3CFFFFFF lea ecx,dword ptr ss:
00436EC0 8D95 4CFFFFFF lea edx,dword ptr ss:
00436EC6 51 push ecx
00436EC7 8D85 5CFFFFFF lea eax,dword ptr ss:
00436ECD 52 push edx
00436ECE 8D8D 6CFFFFFF lea ecx,dword ptr ss:
00436ED4 50 push eax
00436ED5 51 push ecx
00436ED6 6A 04 push 4
00436ED8 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00436EDE 83C4 14 add esp,14
00436EE1 C3 retn
【Algorithm summary】
Prerequisite: the username must be numeric
1. A = (username + 123456) xor &H38
2. B = A + 1
3. C = B - 21
The resulting C is the registration code~~~
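As an added example (not the author's keygen, whose source he did not post), here is the recovered three-step algorithm in Python, written to follow the VB runtime calls seen in the listing (__vbaVarAdd, __vbaI4Str, xor, __vbaR8Str, fadd/fsub, __vbaVarTstEq). The 32-bit Long range used for the overflow check is an assumption about __vbaI4Str, offered as one reason why not every number registers:

```python
# Added example, not the crackme author's code: reproduces the algorithm
# traced from the disassembly, step by step, with the VB coercions made explicit.
VB_LONG_MAX = 0x7FFFFFFF  # assumption: __vbaI4Str yields a signed 32-bit Long


def register_code(username: str) -> str:
    """Return the registration code the crackme expects for a numeric username."""
    if not username.isdigit():
        # the author's precondition: the username must be a number
        raise ValueError("username must be numeric")
    # step 1: __vbaVarAdd coerces the string to a number and adds 123456 (1E240h);
    # __vbaStrVarMove turns the sum back into a string, __vbaI4Str parses it as Long
    total = int(username) + 123456
    if total > VB_LONG_MAX:
        # assumption: __vbaI4Str raises a VB overflow error past the Long range,
        # one reason "not every number registers successfully"
        raise OverflowError("intermediate value exceeds a VB Long")
    a = total ^ 0x38            # xor eax,38 on the Long value, then __vbaStrI4 -> A
    # step 2: __vbaR8Str parses A as a Double, fadd 1 -> B
    b = float(str(a)) + 1
    # step 3: fsub 21 -> C, then __vbaStrR8 formats it as a string
    c = b - 21
    return format_vb_double(c)


def format_vb_double(x: float) -> str:
    """Mimic __vbaStrR8 for integral doubles: no decimal point, no exponent."""
    return str(int(x)) if x.is_integer() else repr(x)


def check(username: str, code: str) -> bool:
    """What __vbaVarTstEq at 00436C70 decides: does the entered code equal C?"""
    try:
        return register_code(username) == code
    except (ValueError, OverflowError):
        return False


if __name__ == "__main__":
    print(register_code("1"))        # 123493
    print(check("1", "123493"))      # True
    print(check("2147483647", "0"))  # False: the sum overflows a Long, never registers
```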
This CrackMe is quite representative, heh~ If you're not careful you may fall into the author's trap~ you need sharp eyes!
【Keygen】
An algorithmic keygen can be downloaded from the forum~~ Not posting the source, it's simple~
【Special note】Not every number registers successfully; try it if you don't believe me!
【Copyright】This article is purely for technical exchange; when reposting please credit the author and keep the article intact, thanks!
Learning (profound! I'm already a bit dizzy).
A bit dizzying to read. Is there a shortcut to learning algorithms?
Very complicated; it seems like you have to search everywhere. Thanks.
Awesome!
Learning + bookmarking!
I remember I went through it N times back then!
Finally a tutorial!! I think I spent half a day on it, haha~~~
Ugh... work has been really exhausting lately~~~~
Envious of those still in school~~~~
飘云 is awesome~~ sigh~~ I'm still completely lost on P-CODE, though a bit better than before
All summarised from writing a simple p-code program myself..
I'm so bad at this~~
[ Last edited by qxtianlong on 2005-10-31 at 07:30 PM ]
Learned something, bookmarking this.
Heh, for the grey button I actually only added a simple number comparison; I guess breaking on the comparison function would also stop there earlier. As for which number exactly... heh heh... /:D
PS: 飘飘's place here is pretty good, lots of good stuff. My friend comes here often too~
[ This post was last edited by 深海游侠 on 2006-1-2 03:43 ]
Learning, must keep learning.