[PYG] CrackMe#1: Unpacking + Removing Debugger Detection + Algorithm Analysis + VB Keygen Source
【Title】CrackMe#1: Unpacking + Removing Debugger Detection + Algorithm Analysis + VB Keygen Source【Author】hrbx
【Author's homepage】hrbx.ys168.com
【Author's e-mail】[email protected]
【Platform】WinXP
【Tools】flyOD1.10, PEiD
【Date】2005-11-27
【Software】CrackMe#1
【Size】74KB
【Download】PYG forum
【Packer】ASPack 2.12 -> Alexey Solodovnikov
【Description】CrackMe#1 from the PYG forum
-----------------------------------------------------------------------------------------------
【Statement】I'm just a newbie; having picked up a little insight, I'd like to share it with everyone :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Unpacking. A PEiD scan shows ASPack 2.12 -> Alexey Solodovnikov. Let's unpack it manually:
Load the program in OD:
00425001 >60 pushad ; standard ASPack 2.12 entry point; press F8 once
00425002 E8 03000000 call Cra.0042500A
00425007- E9 EB045D45 jmp 459F54F7
0042500C 55 push ebp
0042500D C3 retn
After one F8, look at the registers:
EAX 00000000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA4 <======== ESP has changed to 0012FFA4
EBP 0012FFF0
ESI 004323D4
EDI 00000021
EIP 00425002 Cra.00425002
Following the ESP trick, set a hardware breakpoint from the command bar: hr 0012ffa4, Enter, then F9 to run:
004253B0 /75 08 jnz short Cra.004253BA ; after F9 we land here; continue with F8
004253B2 |B8 01000000 mov eax,1
004253B7 |C2 0C00 retn 0C
004253BA \68 90174000 push Cra.00401790
004253BF C3 retn
00401790 68 C0044100 push Cra.004104C0 ; three more F8s bring us here, the typical VB program entry point; dump
00401795 E8 F0FFFFFF call Cra.0040178A ; jmp to msvbvm60.ThunRTMain
0040179A 0000 add byte ptr ds:,al
0040179C 0000 add byte ptr ds:,al
0040179E 0000 add byte ptr ds:,al
At 00401790, right-click ---- Dump debugged process ---- and dump it. The dumped program runs as-is; no import fixing is needed.
2. Removing the detection. Load the unpacked program in OD and press F9: OD closes silently, so the program is checking for a debugger.
Reload the program in OD and set a breakpoint from the command bar: bp FindWindowA, Enter, F9 to run. It breaks:
77D1B633 US>33C0 xor eax,eax ; USER32.FindWindowA
77D1B635 50 push eax
77D1B636 FF7424 0C push dword ptr ss:
Look at the stack hints:
0012F784 00417881 /CALL to FindWindowA from Unpacked.0041787C
0012F788 0014DF14 |Class = "OLLYDBG"
0012F78C 00000000 \Title = NULL
ALT+F9 to return, arriving at:
00417881 8985 7CFEFFFF mov dword ptr ss:,eax ; we arrive here
00417887 FF15 58104000 call dword ptr ds:[<&msvbvm60.__vbaSet>
0041788D 83FE 09 cmp esi,9
00417890 72 06 jb short Unpacked.00417898
Scroll up to 00415EA0 and set a breakpoint there with F2; at the same time clear the earlier one from the command bar: bc FindWindowA
CTRL+F2 to reload the program, F9 to run; it breaks immediately:
00415EA0 55 push ebp ; breakpoint here; once it breaks, step down with F8
00415EA1 8BEC mov ebp,esp
00415EA3 83EC 08 sub esp,8
00415EA6 68 C6144000 push <jmp.&msvbvm60.__vbaExceptHandler>
.......................................................
N lines omitted
.......................................................
0041769A 8B35 C0114000 mov esi,dword ptr ds:[<&msvbvm60.__vbaStrVarCop>; F8 N times until here, then continue with F8
004176A0 8D45 D8 lea eax,dword ptr ss:
004176A3 50 push eax
004176A4 FFD6 call esi
004176A6 8BD0 mov edx,eax ; eax="OLLYDBG"
004176A8 8D8D 24FFFFFF lea ecx,dword ptr ss:
004176AE FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
004176B4 8B8D 60FFFFFF mov ecx,dword ptr ss:
004176BA 8BD0 mov edx,eax
004176BC FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
004176C2 8B3D D4114000 mov edi,dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
004176C8 8D8D 24FFFFFF lea ecx,dword ptr ss:
004176CE FFD7 call edi
004176D0 8D4D C8 lea ecx,dword ptr ss:
004176D3 51 push ecx
004176D4 FFD6 call esi
004176D6 8BD0 mov edx,eax ; eax= "UkillOD"
004176D8 8D8D 24FFFFFF lea ecx,dword ptr ss:
004176DE FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
004176E4 8BD0 mov edx,eax
004176E6 8B85 60FFFFFF mov eax,dword ptr ss:
004176EC 8D48 04 lea ecx,dword ptr ds:
004176EF FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
004176F5 8D8D 24FFFFFF lea ecx,dword ptr ss:
004176FB FFD7 call edi
004176FD 8D4D B0 lea ecx,dword ptr ss:
00417700 51 push ecx
00417701 FFD6 call esi
00417703 8BD0 mov edx,eax ; eax="FuckAll"
00417705 8D8D 24FFFFFF lea ecx,dword ptr ss:
0041770B FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
00417711 8BD0 mov edx,eax
00417713 8B85 60FFFFFF mov eax,dword ptr ss:
00417719 8D48 08 lea ecx,dword ptr ds:
0041771C FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
00417722 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417728 FFD7 call edi
0041772A 8D4D A0 lea ecx,dword ptr ss:
0041772D 51 push ecx
0041772E FFD6 call esi
00417730 8BD0 mov edx,eax
00417732 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417738 FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041773E 8BD0 mov edx,eax
00417740 8B85 60FFFFFF mov eax,dword ptr ss:
00417746 8D48 0C lea ecx,dword ptr ds:
00417749 FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
0041774F 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417755 FFD7 call edi
00417757 8D4D 90 lea ecx,dword ptr ss:
0041775A 51 push ecx
0041775B FFD6 call esi
0041775D 8BD0 mov edx,eax ; eax="WHXMDIO"
0041775F 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417765 FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041776B 8BD0 mov edx,eax
0041776D 8B85 60FFFFFF mov eax,dword ptr ss:
00417773 8D48 10 lea ecx,dword ptr ds:
00417776 FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
0041777C 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417782 FFD7 call edi
00417784 8D8D 7CFFFFFF lea ecx,dword ptr ss:
0041778A 51 push ecx
0041778B FFD6 call esi
0041778D 8BD0 mov edx,eax ; eax="NMSCMW50"
0041778F 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417795 FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041779B 8BD0 mov edx,eax
0041779D 8B85 60FFFFFF mov eax,dword ptr ss:
004177A3 8D48 14 lea ecx,dword ptr ds:
004177A6 FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
004177AC 8D8D 24FFFFFF lea ecx,dword ptr ss:
004177B2 FFD7 call edi
004177B4 8D8D 6CFFFFFF lea ecx,dword ptr ss:
004177BA 51 push ecx
004177BB FFD6 call esi
004177BD 8BD0 mov edx,eax ; eax="flyODBG"
004177BF 8D8D 24FFFFFF lea ecx,dword ptr ss:
004177C5 FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
004177CB 8BD0 mov edx,eax
004177CD 8B85 60FFFFFF mov eax,dword ptr ss:
004177D3 8D48 18 lea ecx,dword ptr ds:
004177D6 FF15 74114000 call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
004177DC 8D8D 24FFFFFF lea ecx,dword ptr ss:
004177E2 FFD7 call edi
004177E4 8D8D 3CFFFFFF lea ecx,dword ptr ss:
004177EA 51 push ecx
004177EB FFD6 call esi
004177ED 8BD0 mov edx,eax ; eax="OD"
004177EF 8D8D 24FFFFFF lea ecx,dword ptr ss:
004177F5 FF15 BC114000 call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
004177FB 8B35 74114000 mov esi,dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
00417801 8BD0 mov edx,eax
00417803 8B85 60FFFFFF mov eax,dword ptr ss:
00417809 8D48 1C lea ecx,dword ptr ds:
0041780C FFD6 call esi
0041780E 8D8D 24FFFFFF lea ecx,dword ptr ss:
00417814 FFD7 call edi
00417816 8B8D 60FFFFFF mov ecx,dword ptr ss:
0041781C 8B95 38FFFFFF mov edx,dword ptr ss: ; ss:="pediy"
00417822 83C1 20 add ecx,20
00417825 FFD6 call esi
00417827 8B35 F0104000 mov esi,dword ptr ds:[<&msvbvm60.__vbaUI1I2>]
0041782D B9 08000000 mov ecx,8
00417832 FFD6 call esi
00417834 33C9 xor ecx,ecx
00417836 8885 6CFEFFFF mov byte ptr ss:,al
0041783C FFD6 call esi
0041783E 8845 EC mov byte ptr ss:,al
00417841 8AD0 mov dl,al
00417843 3A95 6CFEFFFF cmp dl,byte ptr ss:
00417849 0F87 94000000 ja Unpacked.004178E3 ; change this to JMP to bypass the detection
0041784F 8B75 EC mov esi,dword ptr ss:
00417852 81E6 FF000000 and esi,0FF
00417858 83FE 09 cmp esi,9
0041785B 72 06 jb short Unpacked.00417863
0041785D FF15 B4104000 call dword ptr ds:[<&msvbvm60.__vbaGenerateBoun>
00417863 8B85 60FFFFFF mov eax,dword ptr ss:
00417869 53 push ebx
0041786A 8D95 24FFFFFF lea edx,dword ptr ss:
00417870 8B0CB0 mov ecx,dword ptr ds: ; ds:=0014DE5C, (UNICODE "OLLYDBG")
00417873 51 push ecx
00417874 52 push edx
00417875 FF15 9C114000 call dword ptr ds:[<&msvbvm60.__vbaStrToAnsi>]
0041787B 50 push eax
0041787C E8 9BA5FFFF call Unpacked.00411E1C
Changing the ja at 00417849 to jmp bypasses the program's debugger detection.
3. Tracing the algorithm. Load the patched program in OD and set a breakpoint from the command bar: bp __vbaLenBstr, Enter, F9 to run, enter the registration info, click the Check label, and it breaks:
660E5F5F ms>8B4424 04 mov eax,dword ptr ss: ; breaks here
660E5F63 85C0 test eax,eax
660E5F65 74 05 je short msvbvm60.660E5F6C
660E5F67 8B40 FC mov eax,dword ptr ds:
660E5F6A D1E8 shr eax,1
660E5F6C C2 0400 retn 4
Stack hints:
0012F760 660E5FAD return to msvbvm60.660E5FAD from msvbvm60.__vbaLenBstr
0012F764 001572D4UNICODE "hrbx"
0012F768 00000002
0012F76C 66106B2Emsvbvm60.__vbaVarMove
0012F770 0041D467 return to Unpacked.0041D467 from msvbvm60.__vbaLenVar
ALT+F9 to return, arriving at:
0041D461 FF15 60104000 call dword ptr ds:[<&msvbvm60.__vbaLenVar>] ; msvbvm60.__vbaLenVar
0041D467 50 push eax ; returns here
0041D468 8D85 00FFFFFF lea eax,dword ptr ss:
0041D46E 50 push eax
0041D46F FF15 C0104000 call dword ptr ds:[<&msvbvm60.__vbaVarTstEq>]; msvbvm60.__vbaVarTstEq
Scroll up to 0041C320 and set a breakpoint there with F2; at the same time clear the earlier one from the command bar: bc __vbaLenBstr
CTRL+F2 to reload the program, F9 to run, and fill in the registration info:
============================
Name:hrbx
Serial:9876543210
===========================
Click the Check label; it breaks immediately:
0041C320 55 push ebp ; breakpoint here; once it breaks, step down with F8
0041C321 8BEC mov ebp,esp
0041C323 83EC 0C sub esp,0C
0041C326 68 C6144000 push <jmp.&msvbvm60.__vbaExceptHandler>
0041C32B 64:A1 00000000 mov eax,dword ptr fs:
0041C331 50 push eax
0041C332 64:8925 00000000 mov dword ptr fs:,esp
.......................................................
N lines omitted
.......................................................
0041D337 8B45 8C mov eax,dword ptr ss: ; user name "hrbx"
0041D33A 8D95 64F>lea edx,dword ptr ss:
0041D340 8985 7CF>mov dword ptr ss:,eax
0041D346 52 push edx
0041D347 8D85 74F>lea eax,dword ptr ss:
0041D34D 6A 01 push 1
0041D34F 8D8D 54F>lea ecx,dword ptr ss:
0041D355 50 push eax
0041D356 51 push ecx
0041D357 C785 6CF>mov dword ptr ss:,12
0041D361 89BD 64F>mov dword ptr ss:,edi
0041D367 895D 8Cmov dword ptr ss:,ebx
0041D36A C785 74F>mov dword ptr ss:,8
0041D374 FF15 A01>call dword ptr ds:[<&msvbvm60.rtcMidCharVar>]
0041D37A 8D95 54F>lea edx,dword ptr ss:
0041D380 8D4D DClea ecx,dword ptr ss:
0041D383 FFD6 call esi
0041D385 8D4D 84lea ecx,dword ptr ss:
0041D388 FF15 D81>call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
0041D38E 8D95 64F>lea edx,dword ptr ss:
0041D394 8D85 74F>lea eax,dword ptr ss:
0041D39A 52 push edx
0041D39B 50 push eax
0041D39C 57 push edi
0041D39D FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041D3A3 8B45 08mov eax,dword ptr ss:
0041D3A6 83C4 0Cadd esp,0C
0041D3A9 8B08 mov ecx,dword ptr ds:
0041D3AB 50 push eax
0041D3AC FF91 100>call dword ptr ds:
0041D3B2 8D55 84lea edx,dword ptr ss:
0041D3B5 50 push eax
0041D3B6 52 push edx
0041D3B7 FF15 741>call dword ptr ds:[<&msvbvm60.__vbaObjSet>]
0041D3BD 8B08 mov ecx,dword ptr ds:
0041D3BF 8D55 8Clea edx,dword ptr ss:
0041D3C2 52 push edx
0041D3C3 50 push eax
0041D3C4 8985 7CF>mov dword ptr ss:,eax
0041D3CA FF91 A00>call dword ptr ds:
0041D3D0 3BC3 cmp eax,ebx
0041D3D2 DBE2 fclex
0041D3D4 7D 18 jge short Unpacked.0041D3EE
0041D3D6 8B8D 7CF>mov ecx,dword ptr ss:
0041D3DC 68 A0000>push 0A0
0041D3E1 68 10204>push Unpacked.00412010
0041D3E6 51 push ecx
0041D3E7 50 push eax
0041D3E8 FF15 5C1>call dword ptr ds:[<&msvbvm60.__vbaHresultCheckO>
0041D3EE 8B55 8C mov edx,dword ptr ss: ; fake serial "987123456789"
0041D3F1 8D4D A0lea ecx,dword ptr ss:
0041D3F4 895D 8Cmov dword ptr ss:,ebx
0041D3F7 FF15 BC1>call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041D3FD 8D4D 84lea ecx,dword ptr ss:
0041D400 FF15 D81>call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
0041D406 8D95 00F>lea edx,dword ptr ss:
0041D40C 8D4D B8lea ecx,dword ptr ss:
0041D40F 899D 08F>mov dword ptr ss:,ebx
0041D415 89BD 00F>mov dword ptr ss:,edi
0041D41B FFD6 call esi
0041D41D 53 push ebx
0041D41E FF15 041>call dword ptr ds:[<&msvbvm60.__vbaStrI2>]
0041D424 8BD0 mov edx,eax
0041D426 8D4D 8Clea ecx,dword ptr ss:
0041D429 FF15 BC1>call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041D42F 8BD0 mov edx,eax
0041D431 8B45 08mov eax,dword ptr ss:
0041D434 8D48 6Clea ecx,dword ptr ds:
0041D437 FF15 741>call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
0041D43D 8D4D 8Clea ecx,dword ptr ss:
0041D440 FF15 D41>call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
0041D446 8D4D DClea ecx,dword ptr ss:
0041D449 8D95 74F>lea edx,dword ptr ss:
0041D44F 51 push ecx
0041D450 52 push edx
0041D451 899D 08F>mov dword ptr ss:,ebx
0041D457 C785 00F>mov dword ptr ss:,8002
0041D461 FF15 601> call dword ptr ds:[<&msvbvm60.__vbaLenVar>] ; get the user name length
0041D467 50 push eax
0041D468 8D85 00F> lea eax,dword ptr ss:
0041D46E 50 push eax
0041D46F FF15 C01> call dword ptr ds:[<&msvbvm60.__vbaVarTstEq>] ; is the user name empty?
0041D475 66:85C0test ax,ax
0041D478 74 25 je short Unpacked.0041D49F
0041D47A 8B75 08mov esi,dword ptr ss:
0041D47D 8D95 74F>lea edx,dword ptr ss:
0041D483 52 push edx
0041D484 56 push esi
0041D485 8B0E mov ecx,dword ptr ds:
0041D487 FF91 FC0>call dword ptr ds:
0041D48D 3BC3 cmp eax,ebx
0041D48F 0F8D 010>jge Unpacked.0041DC96
0041D495 68 FC060>push 6FC
0041D49A E9 EA070>jmp Unpacked.0041DC89
0041D49F 8B45 08mov eax,dword ptr ss:
0041D4A2 8958 34mov dword ptr ds:,ebx
0041D4A5 8B4D 08mov ecx,dword ptr ss:
0041D4A8 8B41 34 mov eax,dword ptr ds: ; loop counter
0041D4AB B9 03000> mov ecx,3 ; ECX=3
0041D4B0 3BC1 cmp eax,ecx
0041D4B2 0F8F 5A0> jg Unpacked.0041D612 ; jump if greater: 4 iterations in all, only the first 4 characters of the name are used
0041D4B8 8B55 C8mov edx,dword ptr ss:
0041D4BB 8D8D 74F>lea ecx,dword ptr ss:
0041D4C1 83C0 01add eax,1
0041D4C4 8995 F8F>mov dword ptr ss:,edx
0041D4CA 51 push ecx
0041D4CB 8D55 DClea edx,dword ptr ss:
0041D4CE 0F80 9D0>jo Unpacked.0041DD71
0041D4D4 50 push eax
0041D4D5 8D85 64F>lea eax,dword ptr ss:
0041D4DB 52 push edx
0041D4DC 50 push eax
0041D4DD C785 F0F>mov dword ptr ss:,8
0041D4E7 C785 7CF>mov dword ptr ss:,1
0041D4F1 89BD 74F>mov dword ptr ss:,edi
0041D4F7 FF15 A01> call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; Mid(str,i,1): takes the ASCII value of each character of the name in turn
0041D4FD 8B4D 08mov ecx,dword ptr ss:
0041D500 8D41 64lea eax,dword ptr ds:
0041D503 8B41 64mov eax,dword ptr ds:
0041D506 3BC3 cmp eax,ebx
0041D508 74 30 je short Unpacked.0041D53A
0041D50A 66:8338 >cmp word ptr ds:,1
0041D50E 75 2A jnz short Unpacked.0041D53A
0041D510 8BD1 mov edx,ecx
0041D512 8B4A 34mov ecx,dword ptr ds:
0041D515 8B50 14mov edx,dword ptr ds:
0041D518 2BCA sub ecx,edx
0041D51A 8B50 10mov edx,dword ptr ds:
0041D51D 3BCA cmp ecx,edx
0041D51F 898D 7CF>mov dword ptr ss:,ecx
0041D525 72 0C jb short Unpacked.0041D533
0041D527 FF15 B41>call dword ptr ds:[<&msvbvm60.__vbaGenerateBound>
0041D52D 8B8D 7CF>mov ecx,dword ptr ss:
0041D533 C1E1 04shl ecx,4
0041D536 8BC1 mov eax,ecx
0041D538 EB 06 jmp short Unpacked.0041D540
0041D53A FF15 B41>call dword ptr ds:[<&msvbvm60.__vbaGenerateBound>
0041D540 8B4D 08mov ecx,dword ptr ss:
0041D543 C785 E8F>mov dword ptr ss:,0AC
0041D54D 83C1 64add ecx,64
0041D550 89BD E0F>mov dword ptr ss:,edi
0041D556 8B11 mov edx,dword ptr ds:
0041D558 8B4A 0Cmov ecx,dword ptr ds:
0041D55B 8D95 E0F>lea edx,dword ptr ss:
0041D561 03C8 add ecx,eax
0041D563 8D85 44F>lea eax,dword ptr ss:
0041D569 51 push ecx
0041D56A 52 push edx
0041D56B 50 push eax
0041D56C FF15 701>call dword ptr ds:[<&msvbvm60.__vbaVarXor>]
0041D572 50 push eax
0041D573 FF15 901>call dword ptr ds:[<&msvbvm60.__vbaI4Var>]
0041D579 8D8D 34F>lea ecx,dword ptr ss:
0041D57F 50 push eax ; EAX=63; name "hrbx", the ASCII value of the first character is 63
0041D580 51 push ecx
0041D581 FF15 1C1> call dword ptr ds:[<&msvbvm60.rtcVarBstrFromAnsi>; ASCII value converted to a character, 63 --> "h"
0041D587 8D95 F0F>lea edx,dword ptr ss:
0041D58D 8D85 64F>lea eax,dword ptr ss:
0041D593 52 push edx
0041D594 8D8D 54F>lea ecx,dword ptr ss:
0041D59A 50 push eax
0041D59B 51 push ecx
0041D59C FF15 341>call dword ptr ds:[<&msvbvm60.__vbaVarCat>]
0041D5A2 50 push eax
0041D5A3 8D95 34F>lea edx,dword ptr ss:
0041D5A9 8D85 24F>lea eax,dword ptr ss:
0041D5AF 52 push edx
0041D5B0 50 push eax
0041D5B1 FF15 341> call dword ptr ds:[<&msvbvm60.__vbaVarCat>] ; string concatenation
0041D5B7 50 push eax
0041D5B8 FF15 201>call dword ptr ds:[<&msvbvm60.__vbaStrVarMove>]
0041D5BE 8BD0 mov edx,eax ; eax="hc"
0041D5C0 8D4D C8lea ecx,dword ptr ss:
0041D5C3 FF15 BC1>call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041D5C9 8D8D 24F>lea ecx,dword ptr ss:
0041D5CF 8D95 34F>lea edx,dword ptr ss:
0041D5D5 51 push ecx
0041D5D6 8D85 54F>lea eax,dword ptr ss:
0041D5DC 52 push edx
0041D5DD 8D8D 64F>lea ecx,dword ptr ss:
0041D5E3 50 push eax
0041D5E4 8D95 74F>lea edx,dword ptr ss:
0041D5EA 51 push ecx
0041D5EB 52 push edx
0041D5EC 6A 05 push 5
0041D5EE FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041D5F4 8B4D 08mov ecx,dword ptr ss:
0041D5F7 B8 01000>mov eax,1
0041D5FC 83C4 18add esp,18
0041D5FF 8B51 34mov edx,dword ptr ds:
0041D602 03D0 add edx,eax
0041D604 0F80 670>jo Unpacked.0041DD71
0041D60A 8951 34mov dword ptr ds:,edx
0041D60D ^ E9 93FEF> jmp Unpacked.0041D4A5 ; jump back to take the next character of the name
0041D612 8B45 C8 mov eax,dword ptr ss: ; the transformed name "hcrhbixn"
0041D615 50 push eax
0041D616 FF15 241> call dword ptr ds:[<&msvbvm60.__vbaLenBstr>] ; get the length of the transformed name
0041D61C 8B4D 08 mov ecx,dword ptr ss: ; EAX=8
0041D61F 8985 64F> mov dword ptr ss:,eax ; save the length of the transformed name
0041D625 C741 34 >mov dword ptr ds:,1
0041D62C 8B55 08mov edx,dword ptr ss:
0041D62F 8B8D 64F> mov ecx,dword ptr ss: ; length of the transformed name
0041D635 8B42 34 mov eax,dword ptr ds: ; loop counter
0041D638 3BC1 cmp eax,ecx ; compare the loop counter with the transformed name length
0041D63A 0F8F BF0> jg Unpacked.0041D6FF ; jump if greater
0041D640 8D95 74F>lea edx,dword ptr ss:
0041D646 8D4D C8lea ecx,dword ptr ss:
0041D649 52 push edx
0041D64A 50 push eax
0041D64B 898D 08F>mov dword ptr ss:,ecx
0041D651 8D85 00F>lea eax,dword ptr ss:
0041D657 8D8D 64F>lea ecx,dword ptr ss:
0041D65D 50 push eax
0041D65E 51 push ecx
0041D65F C785 7CF>mov dword ptr ss:,1
0041D669 89BD 74F>mov dword ptr ss:,edi
0041D66F C785 00F>mov dword ptr ss:,4008
0041D679 FF15 A01> call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; Mid(str,i,1): takes each character of the transformed name in turn
0041D67F 8D95 64F>lea edx,dword ptr ss:
0041D685 8D45 8Clea eax,dword ptr ss:
0041D688 52 push edx
0041D689 50 push eax
0041D68A FF15 301>call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>]
0041D690 50 push eax
0041D691 FF15 381> call dword ptr ds:[<&msvbvm60.rtcAnsiValueBstr>] ; take the character's ASCII value
0041D697 8D4D B8lea ecx,dword ptr ss:
0041D69A 66:8985 >mov word ptr ss:,ax
0041D6A1 8D95 E0F>lea edx,dword ptr ss:
0041D6A7 51 push ecx
0041D6A8 8D85 54F>lea eax,dword ptr ss:
0041D6AE 52 push edx
0041D6AF 50 push eax
0041D6B0 89BD E0F>mov dword ptr ss:,edi
0041D6B6 FF15 981> call dword ptr ds:[<&msvbvm60.__vbaVarAdd>] ; accumulate the ASCII values
0041D6BC 8BD0 mov edx,eax
0041D6BE 8D4D B8lea ecx,dword ptr ss:
0041D6C1 FFD6 call esi
0041D6C3 8D4D 8Clea ecx,dword ptr ss:
0041D6C6 FF15 D41>call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
0041D6CC 8D8D 64F>lea ecx,dword ptr ss:
0041D6D2 8D95 74F>lea edx,dword ptr ss:
0041D6D8 51 push ecx
0041D6D9 52 push edx
0041D6DA 57 push edi
0041D6DB FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041D6E1 8B4D 08mov ecx,dword ptr ss:
0041D6E4 B8 01000>mov eax,1
0041D6E9 83C4 0Cadd esp,0C
0041D6EC 8B51 34mov edx,dword ptr ds:
0041D6EF 03D0 add edx,eax
0041D6F1 0F80 7A0>jo Unpacked.0041DD71
0041D6F7 8951 34mov dword ptr ds:,edx
0041D6FA ^ E9 2DFFF>jmp Unpacked.0041D62C
0041D6FF 8B45 A0 mov eax,dword ptr ss: ; fake serial "9876543210"
0041D702 50 push eax
0041D703 FF15 241> call dword ptr ds:[<&msvbvm60.__vbaLenBstr>] ; get the fake serial length, EAX=A
0041D709 83F8 20 cmp eax,20 ; compare EAX with 0x20: the serial must be 0x20 (32) characters long
0041D70C 0F85 640> jnz Unpacked.0041D976 ; patch point 1, change to NOP
0041D712 8D45 B8lea eax,dword ptr ss:
0041D715 8D4D 88lea ecx,dword ptr ss:
0041D718 50 push eax
0041D719 51 push ecx
0041D71A FF15 301> call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>] ; the sum of the name's ASCII values, converted to decimal
0041D720 50 push eax ; EAX="854"
0041D721 FF15 DC1> call dword ptr ds:[<&msvbvm60.rtcR8ValFromBstr>] ; convert to floating point
0041D727 DD9D 80F>fstp qword ptr ss: ; st=854.00000000000000000
0041D72D 8D55 B8lea edx,dword ptr ss:
0041D730 8D85 74F>lea eax,dword ptr ss:
0041D736 52 push edx
0041D737 50 push eax
0041D738 FF15 601> call dword ptr ds:[<&msvbvm60.__vbaLenVar>] ; get the length of the sum "854"
0041D73E 8BD0 mov edx,eax ; EDX=EAX=3
0041D740 8D8D 64F>lea ecx,dword ptr ss:
0041D746 FFD6 call esi
0041D748 8D4D A0lea ecx,dword ptr ss:
0041D74B 8D95 64F>lea edx,dword ptr ss:
0041D751 898D 08F>mov dword ptr ss:,ecx
0041D757 52 push edx
0041D758 8D85 00F>lea eax,dword ptr ss:
0041D75E 6A 01 push 1
0041D760 8D8D 54F>lea ecx,dword ptr ss:
0041D766 50 push eax
0041D767 51 push ecx
0041D768 C785 00F>mov dword ptr ss:,4008
0041D772 FF15 A01> call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; take the first 3 characters of the serial
0041D778 8D95 54F>lea edx,dword ptr ss:
0041D77E 8D45 8Clea eax,dword ptr ss:
0041D781 52 push edx
0041D782 50 push eax
0041D783 FF15 301> call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>] ; the first 3 characters of the serial as a string
0041D789 50 push eax ; EAX= "987"
0041D78A FF15 DC1> call dword ptr ds:[<&msvbvm60.rtcR8ValFromBstr>] ; convert to floating point
0041D790 FF15 941>call dword ptr ds:[<&msvbvm60.__vbaFpR8>]
0041D796 DD9D 28F>fstp qword ptr ss: ; st=987.00000000000000000
0041D79C DD85 80F> fld qword ptr ss: ; load the real into st, 854.00000000000000000
0041D7A2 FF15 941> call dword ptr ds:[<&msvbvm60.__vbaFpR8>]
0041D7A8 DC9D 28F> fcomp qword ptr ss: ; compare the first 3 characters of the serial with the sum of the name's ASCII values
0041D7AE C785 24F>mov dword ptr ss:,1
0041D7B8 DFE0 fstsw ax
0041D7BA F6C4 40test ah,40
0041D7BD 74 06 je short Unpacked.0041D7C5
0041D7BF 899D 24F>mov dword ptr ss:,ebx
0041D7C5 8D4D 88lea ecx,dword ptr ss:
0041D7C8 8D55 8Clea edx,dword ptr ss:
0041D7CB 51 push ecx
0041D7CC 52 push edx
0041D7CD 57 push edi
0041D7CE FF15 781>call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
0041D7D4 8D85 54F>lea eax,dword ptr ss:
0041D7DA 8D8D 64F>lea ecx,dword ptr ss:
0041D7E0 50 push eax
0041D7E1 51 push ecx
0041D7E2 57 push edi
0041D7E3 FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041D7E9 8B85 24F>mov eax,dword ptr ss:
0041D7EF 83C4 18add esp,18
0041D7F2 F7D8 neg eax
0041D7F4 66:85C0test ax,ax
0041D7F7 74 25 je short Unpacked.0041D81E ; result of comparing the two reals above; patch point 2, change to JMP
0041D7F9 8B75 08mov esi,dword ptr ss:
0041D7FC 8D85 74F>lea eax,dword ptr ss:
0041D802 50 push eax
0041D803 56 push esi
0041D804 8B16 mov edx,dword ptr ds:
0041D806 FF92 F80>call dword ptr ds:
0041D80C 3BC3 cmp eax,ebx
0041D80E 0F8D 820>jge Unpacked.0041DC96
0041D814 68 F8060>push 6F8
0041D819 E9 6B040>jmp Unpacked.0041DC89
0041D81E 8D4D DClea ecx,dword ptr ss:
0041D821 8D95 34F>lea edx,dword ptr ss:
0041D827 51 push ecx
0041D828 52 push edx
0041D829 89BD D8F>mov dword ptr ss:,edi ; EDI=2
0041D82F 89BD D0F>mov dword ptr ss:,edi
0041D835 FF15 601> call dword ptr ds:[<&msvbvm60.__vbaLenVar>] ; get the user name length
0041D83B 50 push eax
0041D83C 8D85 D0F>lea eax,dword ptr ss:
0041D842 8D8D 24F>lea ecx,dword ptr ss:
0041D848 50 push eax
0041D849 51 push ecx
0041D84A FF15 181> call dword ptr ds:[<&msvbvm60.__vbaVarDiv>] ; user name length divided by 2
0041D850 8D95 14F>lea edx,dword ptr ss:
0041D856 50 push eax
0041D857 52 push edx
0041D858 FF15 641> call dword ptr ds:[<&msvbvm60.__vbaVarInt>] ; integer part of the quotient
0041D85E 50 push eax
0041D85F 8D45 88lea eax,dword ptr ss:
0041D862 50 push eax
0041D863 FF15 301>call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>]
0041D869 50 push eax
0041D86A FF15 DC1>call dword ptr ds:[<&msvbvm60.rtcR8ValFromBstr>]
0041D870 DD9D 80F> fstp qword ptr ss: ; the integer quotient converted to a real and stored, st=2.0000000000000000000
0041D876 B8 01000>mov eax,1
0041D87B 8D4D A0lea ecx,dword ptr ss:
0041D87E 8985 5CF>mov dword ptr ss:,eax
0041D884 8985 08F>mov dword ptr ss:,eax
0041D88A 8D95 54F>lea edx,dword ptr ss:
0041D890 898D F8F>mov dword ptr ss:,ecx
0041D896 8D45 B8lea eax,dword ptr ss:
0041D899 52 push edx
0041D89A 8D8D 74F>lea ecx,dword ptr ss:
0041D8A0 50 push eax
0041D8A1 51 push ecx
0041D8A2 89BD 54F>mov dword ptr ss:,edi
0041D8A8 89BD 00F>mov dword ptr ss:,edi
0041D8AE C785 F0F>mov dword ptr ss:,4008
0041D8B8 FF15 601>call dword ptr ds:[<&msvbvm60.__vbaLenVar>]
0041D8BE 50 push eax
0041D8BF 8D95 00F>lea edx,dword ptr ss:
0041D8C5 8D85 64F>lea eax,dword ptr ss:
0041D8CB 52 push edx
0041D8CC 50 push eax
0041D8CD FF15 981>call dword ptr ds:[<&msvbvm60.__vbaVarAdd>]
0041D8D3 50 push eax
0041D8D4 FF15 901>call dword ptr ds:[<&msvbvm60.__vbaI4Var>]
0041D8DA 8D8D F0F>lea ecx,dword ptr ss:
0041D8E0 50 push eax
0041D8E1 8D95 44F>lea edx,dword ptr ss:
0041D8E7 51 push ecx
0041D8E8 52 push edx
0041D8E9 FF15 A01> call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; take the 4th character of the serial "9876543210": "6"
0041D8EF 8D85 44F>lea eax,dword ptr ss:
0041D8F5 8D4D 8Clea ecx,dword ptr ss:
0041D8F8 50 push eax
0041D8F9 51 push ecx
0041D8FA FF15 301>call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>]
0041D900 50 push eax
0041D901 FF15 DC1> call dword ptr ds:[<&msvbvm60.rtcR8ValFromBstr>] ; 4th character of the serial converted to a real
0041D907 FF15 941>call dword ptr ds:[<&msvbvm60.__vbaFpR8>]
0041D90D DD9D 1CF>fstp qword ptr ss: ; st=6.0000000000000000000
0041D913 DD85 80F> fld qword ptr ss: ; load the real into st, ss:=2.000000000000000
0041D919 FF15 941> call dword ptr ds:[<&msvbvm60.__vbaFpR8>]
0041D91F DC9D 1CF> fcomp qword ptr ss: ; compare: the 4th character of the serial must equal the user name length / 2
0041D925 DFE0 fstsw ax
0041D927 F6C4 40test ah,40
0041D92A 75 07 jnz short Unpacked.0041D933
0041D92C B8 01000>mov eax,1
0041D931 EB 02 jmp short Unpacked.0041D935
0041D933 33C0 xor eax,eax
0041D935 F7D8 neg eax
0041D937 66:8985 >mov word ptr ss:,ax
0041D93E 8D55 88lea edx,dword ptr ss:
0041D941 8D45 8Clea eax,dword ptr ss:
0041D944 52 push edx
0041D945 50 push eax
0041D946 57 push edi
0041D947 FF15 781>call dword ptr ds:[<&msvbvm60.__vbaFreeStrList>]
0041D94D 8D8D 44F>lea ecx,dword ptr ss:
0041D953 8D95 54F>lea edx,dword ptr ss:
0041D959 51 push ecx
0041D95A 8D85 64F>lea eax,dword ptr ss:
0041D960 52 push edx
0041D961 50 push eax
0041D962 6A 03 push 3
0041D964 FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041D96A 83C4 1Cadd esp,1C
0041D96D 66:399D >cmp word ptr ss:,bx
0041D974 74 25 je short Unpacked.0041D99B ; result of comparing the two reals above; patch point 3, change to JMP
0041D976 8B75 08mov esi,dword ptr ss:
0041D979 8D95 74F>lea edx,dword ptr ss:
0041D97F 52 push edx
0041D980 56 push esi
0041D981 8B0E mov ecx,dword ptr ds:
0041D983 FF91 F80>call dword ptr ds:
0041D989 3BC3 cmp eax,ebx
0041D98B 0F8D 050>jge Unpacked.0041DC96
0041D991 68 F8060>push 6F8
0041D996 E9 EE020>jmp Unpacked.0041DC89
0041D99B 8B45 A0 mov eax,dword ptr ss: ; fake serial "9876543210"
0041D99E 50 push eax
0041D99F FF15 241> call dword ptr ds:[<&msvbvm60.__vbaLenBstr>] ; get the fake serial length, EAX=A
0041D9A5 8D4D B8lea ecx,dword ptr ss:
0041D9A8 8D95 74F>lea edx,dword ptr ss:
0041D9AE 51 push ecx
0041D9AF 52 push edx
0041D9B0 8985 5CF>mov dword ptr ss:,eax
0041D9B6 89BD 08F>mov dword ptr ss:,edi
0041D9BC 89BD 00F>mov dword ptr ss:,edi
0041D9C2 FF15 601> call dword ptr ds:[<&msvbvm60.__vbaLenVar>] ; get the length of the sum "854"
0041D9C8 50 push eax
0041D9C9 8D85 00F>lea eax,dword ptr ss:
0041D9CF 8D8D 64F>lea ecx,dword ptr ss:
0041D9D5 50 push eax
0041D9D6 51 push ecx
0041D9D7 FF15 981> call dword ptr ds:[<&msvbvm60.__vbaVarAdd>] ; add 2, so the next characters are taken starting at the 5th position of the serial
0041D9DD 50 push eax
0041D9DE FF15 901>call dword ptr ds:[<&msvbvm60.__vbaI4Var>]
0041D9E4 8B55 08mov edx,dword ptr ss:
0041D9E7 8D8D 64F>lea ecx,dword ptr ss:
0041D9ED 8942 34mov dword ptr ds:,eax
0041D9F0 FF15 1C1>call dword ptr ds:[<&msvbvm60.__vbaFreeVar>]
0041D9F6 8B45 08mov eax,dword ptr ss:
0041D9F9 8B8D 5CF>mov ecx,dword ptr ss:
0041D9FF 3948 34 cmp dword ptr ds:,ecx ; compare the current position with the serial length
0041DA02 0F8F 1C0> jg Unpacked.0041DC24 ; jump once the whole serial has been consumed
0041DA08 8B55 A0 mov edx,dword ptr ss: ; fake serial "9876543210"
0041DA0B 52 push edx
0041DA0C FF15 241>call dword ptr ds:[<&msvbvm60.__vbaLenBstr>]
0041DA12 8985 08F> mov dword ptr ss:,eax ; get the fake serial length, EAX=A
0041DA18 8D85 00F>lea eax,dword ptr ss:
0041DA1E 8D4D B8lea ecx,dword ptr ss:
0041DA21 50 push eax
0041DA22 8D95 74F>lea edx,dword ptr ss:
0041DA28 51 push ecx
0041DA29 52 push edx
0041DA2A C785 00F>mov dword ptr ss:,3
0041DA34 C785 F8F>mov dword ptr ss:,1
0041DA3E 89BD F0F>mov dword ptr ss:,edi
0041DA44 FF15 601>call dword ptr ds:[<&msvbvm60.__vbaLenVar>]
0041DA4A 50 push eax
0041DA4B 8D85 64F>lea eax,dword ptr ss:
0041DA51 50 push eax
0041DA52 FF15 001>call dword ptr ds:[<&msvbvm60.__vbaVarSub>]
0041DA58 8D8D F0F>lea ecx,dword ptr ss:
0041DA5E 50 push eax
0041DA5F 8D95 54F>lea edx,dword ptr ss:
0041DA65 51 push ecx
0041DA66 52 push edx
0041DA67 FF15 001>call dword ptr ds:[<&msvbvm60.__vbaVarSub>]
0041DA6D 8BD0 mov edx,eax
0041DA6F 8D4D CClea ecx,dword ptr ss:
0041DA72 FFD6 call esi
0041DA74 8B55 08mov edx,dword ptr ss:
0041DA77 8D45 A0lea eax,dword ptr ss:
0041DA7A 8D8D 74F>lea ecx,dword ptr ss:
0041DA80 8985 08F>mov dword ptr ss:,eax
0041DA86 8B42 34mov eax,dword ptr ds:
0041DA89 51 push ecx
0041DA8A 8D8D 00F>lea ecx,dword ptr ss:
0041DA90 50 push eax
0041DA91 8D95 64F>lea edx,dword ptr ss:
0041DA97 51 push ecx
0041DA98 52 push edx
0041DA99 C785 7CF>mov dword ptr ss:,1
0041DAA3 89BD 74F>mov dword ptr ss:,edi
0041DAA9 C785 00F>mov dword ptr ss:,4008
0041DAB3 FF15 A01> call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; Mid(str,i,1): takes each character of the serial in turn, starting at the 5th
0041DAB9 8D85 64F> lea eax,dword ptr ss: ; 5th character of the serial "9876543210": "5"
0041DABF 8D4D 8Clea ecx,dword ptr ss:
0041DAC2 50 push eax
0041DAC3 51 push ecx
0041DAC4 FF15 301>call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>]
0041DACA 50 push eax
0041DACB FF15 381> call dword ptr ds:[<&msvbvm60.rtcAnsiValueBstr>] ; ASCII value of the serial's 5th character, "5"-->35
0041DAD1 8D95 E0F>lea edx,dword ptr ss:
0041DAD7 8D4D 90lea ecx,dword ptr ss:
0041DADA 66:8985 >mov word ptr ss:,ax
0041DAE1 89BD E0F>mov dword ptr ss:,edi
0041DAE7 FFD6 call esi
0041DAE9 8D4D 8Clea ecx,dword ptr ss:
0041DAEC FF15 D41>call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
0041DAF2 8D95 64F>lea edx,dword ptr ss:
0041DAF8 8D85 74F>lea eax,dword ptr ss:
0041DAFE 52 push edx
0041DAFF 50 push eax
0041DB00 57 push edi
0041DB01 FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041DB07 8B45 08mov eax,dword ptr ss:
0041DB0A 83C4 0Cadd esp,0C
0041DB0D 8D8D 74F>lea ecx,dword ptr ss:
0041DB13 C785 7CF>mov dword ptr ss:,1
0041DB1D 8B50 34mov edx,dword ptr ds:
0041DB20 51 push ecx
0041DB21 83C0 48add eax,48
0041DB24 52 push edx
0041DB25 50 push eax
0041DB26 8D85 64F>lea eax,dword ptr ss:
0041DB2C 50 push eax
0041DB2D 89BD 74F>mov dword ptr ss:,edi
0041DB33 FF15 A01> call dword ptr ds:[<&msvbvm60.rtcMidCharVar>] ; Mid(str,i,1): takes each character of the string in turn, starting at the 5th
0041DB39 8D8D 64F> lea ecx,dword ptr ss: ; the string is "7A11458A1941DDC97BD7A019F4EE79ED"
0041DB3F 8D55 8Clea edx,dword ptr ss:
0041DB42 51 push ecx
0041DB43 52 push edx
0041DB44 FF15 301>call dword ptr ds:[<&msvbvm60.__vbaStrVarVal>]
0041DB4A 50 push eax
0041DB4B FF15 381> call dword ptr ds:[<&msvbvm60.rtcAnsiValueBstr>] ; ASCII value of the string's 5th character, "4"-->34
0041DB51 8D95 F0F>lea edx,dword ptr ss:
0041DB57 8D4D A8lea ecx,dword ptr ss:
0041DB5A 66:8985 >mov word ptr ss:,ax
0041DB61 89BD F0F>mov dword ptr ss:,edi
0041DB67 FFD6 call esi
0041DB69 8D4D 8Clea ecx,dword ptr ss:
0041DB6C FF15 D41>call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
0041DB72 8D85 64F>lea eax,dword ptr ss:
0041DB78 8D8D 74F>lea ecx,dword ptr ss:
0041DB7E 50 push eax
0041DB7F 51 push ecx
0041DB80 57 push edi
0041DB81 FF15 281>call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]
0041DB87 83C4 0Cadd esp,0C
0041DB8A 8D55 90lea edx,dword ptr ss:
0041DB8D 8D45 A8lea eax,dword ptr ss:
0041DB90 52 push edx
0041DB91 50 push eax
0041DB92 FF15 8C1> call dword ptr ds:[<&msvbvm60.__vbaVarTstNe>] ; compare the two for equality
0041DB98 66:85C0 test ax,ax
0041DB9B 75 69 jnz short Unpacked.0041DC06 ; patch point 4, change to NOP
0041DB9D 8B4D 08mov ecx,dword ptr ss:
0041DBA0 8B51 6Cmov edx,dword ptr ds:
0041DBA3 8D41 6Clea eax,dword ptr ds:
0041DBA6 52 push edx
0041DBA7 FF15 5C1>call dword ptr ds:[<&msvbvm60.__vbaR8Str>]
0041DBAD DC05 301>fadd qword ptr ds:
0041DBB3 83EC 08sub esp,8
0041DBB6 DFE0 fstsw ax
0041DBB8 A8 0D test al,0D
0041DBBA 0F85 AC0>jnz Unpacked.0041DD6C
0041DBC0 DD1C24 fstp qword ptr ss:
0041DBC3 FF15 DC1>call dword ptr ds:[<&msvbvm60.__vbaStrR8>]
0041DBC9 8BD0 mov edx,eax
0041DBCB 8D4D 8Clea ecx,dword ptr ss:
0041DBCE FF15 BC1>call dword ptr ds:[<&msvbvm60.__vbaStrMove>]
0041DBD4 8BD0 mov edx,eax
0041DBD6 8B45 08mov eax,dword ptr ss:
0041DBD9 8D48 6Clea ecx,dword ptr ds:
0041DBDC FF15 741>call dword ptr ds:[<&msvbvm60.__vbaStrCopy>]
0041DBE2 8D4D 8Clea ecx,dword ptr ss:
0041DBE5 FF15 D41>call dword ptr ds:[<&msvbvm60.__vbaFreeStr>]
0041DBEB 8B4D 08mov ecx,dword ptr ss:
0041DBEE B8 01000>mov eax,1
0041DBF3 8B51 34mov edx,dword ptr ds:
0041DBF6 03D0 add edx,eax
0041DBF8 0F80 730>jo Unpacked.0041DD71
0041DBFE 8951 34mov dword ptr ds:,edx
0041DC01 ^\E9 F0FDF> jmp Unpacked.0041D9F6 ; jump back and continue the loop
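The serial layout that the trace above establishes, as an added Python reconstruction (not the author's VB keygen and not the crackme's code). It assumes the name has already gone through the crackme's first-four-character expansion (the trace shows "hrbx" -> "hcrhbixn" but not the table behind it), so the functions take the transformed name as input; HIDDEN is the machine-specific 32-character string seen at 0041DB39, and vb_val is an approximation of VB's Val() used by rtcR8ValFromBstr.

```python
# Added example reconstructing the checks traced at 0041D6FF-0041DC01.
# Assumptions: the caller supplies the already-transformed name, and HIDDEN is
# the author's machine-specific string (it is derived from the volume serial
# and differs per machine).

HIDDEN = "7A11458A1941DDC97BD7A019F4EE79ED"   # observed value from the trace
SERIAL_LEN = 0x20                              # cmp eax,20 at 0041D709


def ascii_sum(transformed_name: str) -> int:
    """Loop at 0041D62C-0041D6FA: rtcAnsiValueBstr per character, __vbaVarAdd."""
    return sum(ord(c) for c in transformed_name)


def vb_val(text: str) -> float:
    """Approximation of VB's Val(): numeric value of the leading digits, 0 if none.
    The crackme compares the serial fields via rtcR8ValFromBstr, not as strings."""
    s = text.strip()
    i = 1 if s[:1] in ("+", "-") else 0
    while i < len(s) and (s[i].isdigit() or s[i] == "."):
        i += 1
    try:
        return float(s[:i])
    except ValueError:
        return 0.0


def check_serial(transformed_name: str, name_len: int, serial: str,
                 hidden: str = HIDDEN) -> str:
    """Applies the four checks in the traced order; returns "ok" or the failing check."""
    if len(serial) != SERIAL_LEN:                           # patch point 1 (0041D70C)
        return "length"
    total = str(ascii_sum(transformed_name))                # "854" for "hcrhbixn"
    n = len(total)                                          # __vbaLenVar of the sum
    if vb_val(serial[:n]) != float(total):                  # Mid(serial,1,n), patch point 2
        return "sum"
    if vb_val(serial[n:n + 1]) != float(name_len // 2):     # Mid(serial,n+1,1), patch point 3
        return "half"
    # Positions n+2 .. 32 are compared character by character with the hidden
    # string at the same positions (rtcAnsiValueBstr + __vbaVarTstNe), patch point 4.
    if serial[n + 1:] != hidden[n + 1:]:
        return "tail"
    return "ok"


def build_serial(transformed_name: str, name_len: int, hidden: str = HIDDEN) -> str:
    """Produces a 32-character serial that passes check_serial for this name."""
    half = name_len // 2
    if half > 9:
        # Mid(serial, n+1, 1) reads a single character, so a two-digit
        # Int(len/2) can never match: the traced check rejects such names.
        raise ValueError("names of 20 or more characters cannot pass the traced check")
    head = str(ascii_sum(transformed_name)) + str(half)
    return head + hidden[len(head):]


if __name__ == "__main__":
    good = build_serial("hcrhbixn", 4)          # name "hrbx" has length 4
    print(good, check_serial("hcrhbixn", 4, good))
    print(check_serial("hcrhbixn", 4, "9876543210"))   # the author's fake serial
```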
4. Finding where the string "7A11458A1941DDC97BD7A019F4EE79ED" comes from. Since the string is generated when the program starts, at first I had no idea where to begin;
later, thanks to a hint from busheler on the forum, it turned out that the string is derived from the hard disk serial number. So:
Ctrl+F2 to reload the Crackme, type in the command bar: bp GetVolumeInformationA, Enter, F9 to run; it breaks:
77E52E83 k>6A 44 push 44
77E52E85 68 D82FE677 push kernel32.77E62FD8
77E52E8A E8 49740000 call kernel32.77E5A2D8
77E52E8F 33F6 xor esi,esi
77E52E91 3975 08 cmp dword ptr ss:,esi
Look at the stack hints:
0012F988 0041A668 /CALL to GetVolumeInformationA from Unpacked.0041A663
0012F98C 0014E0BC |RootPathName = "c:\"
0012F990 0014DD0C |VolumeNameBuffer = 0014DD0C
0012F994 0000007F |MaxVolumeNameSize = 7F (127.)
0012F998 0012F9F4 |pVolumeSerialNumber = 0012F9F4
0012F99C 0012F9F0 |pMaxFilenameLength = 0012F9F0
0012F9A0 0012F9EC |pFileSystemFlags = 0012F9EC
0012F9A4 00000000 |pFileSystemNameBuffer = NULL
0012F9A8 0000007F \pFileSystemNameSize = 0000007F
ALT+F9 to return, arriving at:
0041A662 .50 push eax
0041A663 .E8 0475FFFF call Unpacked.00411B6C ;kernel32.GetVolumeInformationA
0041A668 .FF15 58104000 call dword ptr ds:[<&msvbvm60.__vbaSetSystem> ; ALT+F9 returns here
0041A66E .8B95 E0FEFFFF mov edx,dword ptr ss: ; ss:=D81F31F8, the C: volume serial number
0041A674 .BB 03000000 mov ebx,3
0041A679 .8995 0CFFFFFF mov dword ptr ss:,edx ;EDX=0xD81F31F8(-669044232)
0041A67F .8D95 04FFFFFF lea edx,dword ptr ss:
0041A685 .8D4D C8 lea ecx,dword ptr ss:
0041A688 .899D 04FFFFFF mov dword ptr ss:,ebx
0041A68E .FFD7 call edi
0041A690 .8B85 DCFEFFFF mov eax,dword ptr ss:
0041A696 .8D95 F4FEFFFF lea edx,dword ptr ss:
0041A69C .8D4D AC lea ecx,dword ptr ss:
0041A69F .8985 FCFEFFFF mov dword ptr ss:,eax
0041A6A5 .899D F4FEFFFF mov dword ptr ss:,ebx
0041A6AB .FFD7 call edi
0041A6AD .8B8D D8FEFFFF mov ecx,dword ptr ss:
0041A6B3 .8D95 E4FEFFFF lea edx,dword ptr ss:
0041A6B9 .898D ECFEFFFF mov dword ptr ss:,ecx
0041A6BF .8D4D D8 lea ecx,dword ptr ss:
0041A6C2 .899D E4FEFFFF mov dword ptr ss:,ebx
0041A6C8 .FFD7 call edi
0041A6CA .8B95 60FFFFFF mov edx,dword ptr ss:
0041A6D0 .8D45 88 lea eax,dword ptr ss:
0041A6D3 .52 push edx
0041A6D4 .50 push eax
0041A6D5 .FF15 08114000 call dword ptr ds:[<&msvbvm60.__vbaStrToUnic>
0041A6DB .8D8D 60FFFFFF lea ecx,dword ptr ss:
0041A6E1 .8D95 64FFFFFF lea edx,dword ptr ss:
0041A6E7 .51 push ecx
0041A6E8 .52 push edx
0041A6E9 .8D85 68FFFFFF lea eax,dword ptr ss:
0041A6EF .8D8D 6CFFFFFF lea ecx,dword ptr ss:
0041A6F5 .50 push eax
0041A6F6 .8D95 70FFFFFF lea edx,dword ptr ss:
0041A6FC .51 push ecx
0041A6FD .52 push edx
0041A6FE .6A 05 push 5
0041A700 .FF15 78114000 call dword ptr ds:[<&msvbvm60.__vbaFreeStrLi>
0041A706 .83C4 18 add esp,18
0041A709 .8D7E 38 lea edi,dword ptr ds:
0041A70C .68 34084100 push Unpacked.00410834
0041A711 .FF15 E8104000 call dword ptr ds:[<&msvbvm60.__vbaNew>]
0041A717 .50 push eax
0041A718 .8D85 5CFFFFFF lea eax,dword ptr ss:
0041A71E .50 push eax
0041A71F .FF15 74104000 call dword ptr ds:[<&msvbvm60.__vbaObjSet>]
0041A725 .50 push eax
0041A726 .57 push edi
0041A727 .FF15 B0114000 call dword ptr ds:[<&msvbvm60.__vbaVarSetObj>
0041A72D .8D8D 5CFFFFFF lea ecx,dword ptr ss:
0041A733 .FF15 D8114000 call dword ptr ds:[<&msvbvm60.__vbaFreeObj>]
0041A739 .B8 02000000 mov eax,2 ;EAX=2
0041A73E .8D4D C8 lea ecx,dword ptr ss:
0041A741 .8985 0CFFFFFF mov dword ptr ss:,eax
0041A747 .8985 04FFFFFF mov dword ptr ss:,eax
0041A74D .8D95 04FFFFFF lea edx,dword ptr ss:
0041A753 .51 push ecx
0041A754 .8D85 48FFFFFF lea eax,dword ptr ss:
0041A75A .52 push edx
0041A75B .50 push eax
0041A75C .C785 FCFEFFFF 1>mov dword ptr ss:,75BCD15 ;ss:=0x75BCD15(123456789)
0041A766 .899D F4FEFFFF mov dword ptr ss:,ebx
0041A76C .FF15 18114000 call dword ptr ds:[<&msvbvm60.__vbaVarDiv>] ; C: volume serial 0xD81F31F8 as a decimal number, divided by 2
0041A772 .8D8D 38FFFFFF lea ecx,dword ptr ss: ;(-669044232)/2=-334522116
0041A778 .50 push eax
0041A779 .51 push ecx
0041A77A .FF15 64114000 call dword ptr ds:[<&msvbvm60.__vbaVarInt>] ; take the integer part of the result
0041A780 .50 push eax
0041A781 .8D95 F4FEFFFF lea edx,dword ptr ss:
0041A787 .8D85 28FFFFFF lea eax,dword ptr ss:
0041A78D .52 push edx
0041A78E .50 push eax
0041A78F .FF15 98114000 call dword ptr ds:[<&msvbvm60.__vbaVarAdd>] ; after taking the integer part, add 0x75BCD15 (123456789)
0041A795 .8B10 mov edx,dword ptr ds: ;-334522116+123456789=-211065327
0041A797 .83EC 10 sub esp,10
0041A79A .8BCC mov ecx,esp
0041A79C .6A 01 push 1
0041A79E .68 C4214100 push Unpacked.004121C4 ;UNICODE "YUN"
0041A7A3 .8911 mov dword ptr ds:,edx
0041A7A5 .8B50 04 mov edx,dword ptr ds:
0041A7A8 .57 push edi
0041A7A9 .8951 04 mov dword ptr ds:,edx
0041A7AC .8B50 08 mov edx,dword ptr ds:
0041A7AF .8B40 0C mov eax,dword ptr ds:
0041A7B2 .8951 08 mov dword ptr ds:,edx
0041A7B5 .8941 0C mov dword ptr ds:,eax
0041A7B8 .8D8D 18FFFFFF lea ecx,dword ptr ss:
0041A7BE .51 push ecx
0041A7BF .FF15 AC114000 call dword ptr ds:[<&msvbvm60.__vbaVarLateMe> ; take the MD5 of the addition result: MD5(-211065327)
0041A7C5 .83C4 20 add esp,20 ;"7A11458A1941DDC97BD7A019F4EE79ED"
0041A7C8 .8BD0 mov edx,eax
-----------------------------------------------------------------------------------------------
【Summary】
1. If the user name is not longer than 4 characters, the whole user name takes part in the computation; otherwise only its first 4 characters do. Call this str.
2. The serial must be 32 characters long.
3. The first 3 characters of the serial are the sum of the ASCII values of str and the ASCII values of each character of "chin" (the program concatenates each character of "chin" with each character of the user name in turn).
4. If the user name is not longer than 17 characters, the 4th character of the serial is the user name length / 2; otherwise the 4th character is fixed at 9.
5. Take the C: volume serial number as a decimal number, divide it by 2 and take the integer part, add 123456789, convert the result to a string and take its MD5. Replacing the first 4 characters of that MD5 with the 4 characters computed above gives the true serial.
A working registration code:
Name:hrbx
Serial:8542458A1941DDC97BD7A019F4EE79ED
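As an added cross-check of the five summary points above, here is the same algorithm in Python. This is not code from the write-up or from hrbx's VB keygen: it takes the raw volume serial DWORD as a parameter instead of reading the drive, computes the MD5 with hashlib, and uses 0xD81F31F8 and "7A11458A1941DDC97BD7A019F4EE79ED" only as the constructed test values taken from the debugger listing. The length-17 boundary follows point 4's wording ("not longer than 17"); the VB source further down uses `< 17`, so the two differ only for a 17-character name. ASCII user names are assumed, since VB's Asc() and Python's ord() agree only there.

```python
"""CrackMe#1 serial algorithm, reimplemented from the summary (added example).

Constructed test inputs: volume serial 0xD81F31F8 and the MD5 string shown
in the debugger listing. Nothing here touches the real C: drive.
"""
import hashlib

MAGIC = 123456789                        # 0x75BCD15, added after the halving
CHIN_SUM = sum(ord(c) for c in "chin")   # 99 + 104 + 105 + 110 = 418


def to_signed32(dword: int) -> int:
    """GetVolumeInformationA returns an unsigned DWORD, but the VB program
    stores it in a signed Long; that is why 0xD81F31F8 shows up as -669044232."""
    v = dword & 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v


def hash_input(volume_serial: int) -> int:
    """Summary point 5, first half: signed serial, halved with VB Int()
    semantics (floor), plus 123456789. Python's // also floors for negatives."""
    return to_signed32(volume_serial) // 2 + MAGIC


def name_part(name: str) -> str:
    """Summary points 1, 3 and 4: the leading characters that replace the MD5 prefix."""
    if not name:
        raise ValueError("user name must have at least one character")
    head = name if len(name) <= 4 else name[:4]          # point 1
    a = str(CHIN_SUM + sum(ord(c) for c in head))       # point 3: ASCII sum
    b = str(len(name) // 2) if len(name) <= 17 else "9"  # point 4 (summary wording)
    return a + b


def build_serial(name: str, md5_hex: str) -> str:
    """Summary point 5, second half: the computed prefix overwrites the start
    of the 32-character MD5 string, so the serial stays 32 characters (point 2)."""
    prefix = name_part(name)
    return prefix + md5_hex.upper()[len(prefix):]


def keygen(name: str, volume_serial: int) -> str:
    """Full algorithm for a user name and the raw C: volume serial DWORD."""
    digest = hashlib.md5(str(hash_input(volume_serial)).encode("ascii")).hexdigest()
    return build_serial(name, digest)


if __name__ == "__main__":
    # Worked values from the write-up, reproduced with constructed inputs.
    print(hash_input(0xD81F31F8))                                   # -211065327
    print(build_serial("hrbx", "7A11458A1941DDC97BD7A019F4EE79ED"))  # 8542458A1941DDC97BD7A019F4EE79ED
```

Running the script reproduces the two intermediate values the write-up reads out of the debugger: the MD5 input -211065327 and, with the listing's MD5 string plugged in, the serial 8542458A1941DDC97BD7A019F4EE79ED for the name hrbx. `keygen()` recomputes the MD5 itself, which is the step the debugger listing only shows as a result.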
To remove the debugger detection, change the following location:
00417849 ja Unpacked.004178E3 ;ja====>JMP
To patch out the checks, change the following locations:
0041D70C jnz Unpacked.0041D976 ;jnz===>NOP
0041D7F7 je short Unpacked.0041D81E ;je====>JMP
0041D974 je short Unpacked.0041D99B ;je====>JMP
0041DB9B jnz short Unpacked.0041DC06 ;jnz===>NOP
After patching, any serial of 5 or more characters registers successfully.
-----------------------------------------------------------------------------------------------
【VB keygen source】
Private Sub Generate_Click()
    ' The volume-serial function and the string-MD5 function are omitted.
    Dim UserName As String
    Dim Serial As String
    Dim lSerial As String
    Dim st As String
    Dim stringA As String
    Dim stringB As String
    Dim stringC As String
    Dim sum As Integer
    Dim Length As Integer
    Dim I As Integer
    Dim CSerialNum As Long
    ' Summary point 5: C: volume serial, halved with Int(), plus 123456789, then the MD5 of the decimal string
    lSerial = GetSerialNumber("c:\") ' user-defined function that reads the C: volume serial number
    CSerialNum = Int(lSerial / 2) + 123456789
    st = Md5_String_Calc(CStr(CSerialNum)) ' user-defined function returning the MD5 of a string
    ' Summary point 3: start from the ASCII sum of "chin"
    sum = 418 ' 418 = Asc("c") + Asc("h") + Asc("i") + Asc("n")
    UserName = Text1.Text
    If Text1.Text = "" Then
        Text1.Text = "Please input at least one character!"
    Else
        ' Summary point 1: at most the first 4 characters of the user name take part
        Length = Len(UserName)
        If (Length < 4) Then
            For I = 1 To Length
                sum = sum + Asc(Mid(UserName, I, 1))
            Next I
        Else
            For I = 1 To 4
                sum = sum + Asc(Mid(UserName, I, 1))
            Next I
        End If
        stringA = Trim(Str(sum))
        ' Summary point 4: 4th character is Length / 2, or a fixed 9 for long names
        If (Length < 17) Then
            stringB = Trim(Str(Int(Length / 2)))
        Else
            stringB = "9"
        End If
        ' Summary point 5: the computed prefix replaces the start of the MD5; the total stays 32 characters
        Length = Len(stringA)
        stringC = Trim(Right(st, 32 - (Length + 1)))
        Serial = stringA & stringB & stringC
        Text2.Text = Serial
    End If
End Sub
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by hrbx on 2006-4-26 23:41 ] Pasted the post in and the formatting all changed, ugh.

[ Last edited by hrbx on 2005-11-27 at 11:23 PM ]

Hmm! Not bad!
Dig deeper into the algorithm analysis.
This keygen is wrong.
Name:hrbx
Serial:8542458A1941DDC97BD7A019F4EE79ED
===Wrong Serial,try again!!

Good article. Even though the keygen is wrong, the write-up is excellent and the reasoning is very clear. Support.

Not bad, a very detailed analysis.

Support & learning. Keep it up!

Name:hrbx
Serial:8542458A1941DDC97BD7A019F4EE79ED
Shouldn't this be right? Why does it work on my machine?
I have no way to upload a screenshot. Could 飘云 please point out what the correct serial is?
Thanks

Originally posted by hrbx at 2005-11-28 11:35 AM:
Name:hrbx
Serial:8542458A1941DDC97BD7A019F4EE79ED
Shouldn't this be right? Why does it work on my machine?
I have no way to upload a screenshot. Could 飘云 please point out what the correct serial is?
Thanks

Give the keygen to someone else to test and you'll see~~
Analyse it further.. Good luck!
BTW: don't generalise from a single case!

Thanks! I'll take another look.

Thanks~~~

Classic. This is exactly the kind of article I needed; I learned a lot.