Algorithm analysis of 菜青虫's VB Crackme3
Set a breakpoint on __vbaStrCmp; it breaks here:
0042355F 50 PUSH EAX
00423560 68 581F4200 PUSH Crackme1.00421F58
00423565 FF15 70104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
(part of the code omitted)
004237C0 7D 26 JGE SHORT Crackme1.004237E8
004237C2 68 A0000000 PUSH 0A0
004237C7 68 B01E4200 PUSH Crackme1.00421EB0
004237CC 8B95 2CFFFFFF MOV EDX,DWORD PTR SS:
004237D2 52 PUSH EDX
004237D3 8B85 28FFFFFF MOV EAX,DWORD PTR SS:
004237D9 50 PUSH EAX
004237DA FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004237E0 8985 E0FEFFFF MOV DWORD PTR SS:,EAX
004237E6 EB 0A JMP SHORT Crackme1.004237F2
004237E8 C785 E0FEFFFF 0>MOV DWORD PTR SS:,0
004237F2 8B4D CC MOV ECX,DWORD PTR SS:
004237F5 51 PUSH ECX ; machine ID
004237F6 FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; get machine ID length
004237FC 8BF0 MOV ESI,EAX
004237FE 6BF6 02 IMUL ESI,ESI,2 ; machine ID length * 2
00423801 0F80 38080000 JO Crackme1.0042403F
00423807 8B55 C8 MOV EDX,DWORD PTR SS: ; registration code
0042380A 52 PUSH EDX
0042380B FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; get registration code length
00423811 33C9 XOR ECX,ECX
00423813 3BF0 CMP ESI,EAX ; check whether the registration code length is twice the machine ID length
00423815 0F95C1 SETNE CL
00423818 F7D9 NEG ECX
0042381A 66:898D 24FFFFF>MOV WORD PTR SS:,CX
00423821 8D55 C8 LEA EDX,DWORD PTR SS:
00423824 52 PUSH EDX
00423825 8D45 CC LEA EAX,DWORD PTR SS:
00423828 50 PUSH EAX
00423829 6A 02 PUSH 2
0042382B FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00423831 83C4 0C ADD ESP,0C
00423834 8D4D C0 LEA ECX,DWORD PTR SS:
00423837 51 PUSH ECX
00423838 8D55 C4 LEA EDX,DWORD PTR SS:
0042383B 52 PUSH EDX
0042383C 6A 02 PUSH 2
0042383E FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
00423844 83C4 0C ADD ESP,0C
00423847 0FBF85 24FFFFFF MOVSX EAX,WORD PTR SS:
0042384E 85C0 TEST EAX,EAX
00423850 0F84 58010000 JE Crackme1.004239AE
00423856 C745 FC 0700000>MOV DWORD PTR SS:,7
0042385D 833D EC524200 0>CMP DWORD PTR DS:,0
00423864 75 1C JNZ SHORT Crackme1.00423882
00423866 68 EC524200 PUSH Crackme1.004252EC
0042386B 68 7C1F4200 PUSH Crackme1.00421F7C
00423870 FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00423876 C785 DCFEFFFF E>MOV DWORD PTR SS:,Crackme1.0042>
00423880 EB 0A JMP SHORT Crackme1.0042388C
00423882 C785 DCFEFFFF E>MOV DWORD PTR SS:,Crackme1.0042>
0042388C 8B8D DCFEFFFF MOV ECX,DWORD PTR SS:
00423892 8B11 MOV EDX,DWORD PTR DS:
00423894 8995 34FFFFFF MOV DWORD PTR SS:,EDX
0042389A 8B45 08 MOV EAX,DWORD PTR SS:
0042389D 50 PUSH EAX
0042389E 8D4D C4 LEA ECX,DWORD PTR SS:
004238A1 51 PUSH ECX
004238A2 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSetAddref
004238A8 50 PUSH EAX
004238A9 8B95 34FFFFFF MOV EDX,DWORD PTR SS:
004238AF 8B02 MOV EAX,DWORD PTR DS:
004238B1 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:
004238B7 51 PUSH ECX
004238B8 FF50 10 CALL DWORD PTR DS:
004238BB DBE2 FCLEX
004238BD 8985 30FFFFFF MOV DWORD PTR SS:,EAX
004238C3 83BD 30FFFFFF 0>CMP DWORD PTR SS:,0
004238CA 7D 23 JGE SHORT Crackme1.004238EF
004238CC 6A 10 PUSH 10
004238CE 68 6C1F4200 PUSH Crackme1.00421F6C
004238D3 8B95 34FFFFFF MOV EDX,DWORD PTR SS:
004238D9 52 PUSH EDX
004238DA 8B85 30FFFFFF MOV EAX,DWORD PTR SS:
004238E0 50 PUSH EAX
004238E1 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004238E7 8985 D8FEFFFF MOV DWORD PTR SS:,EAX
004238ED EB 0A JMP SHORT Crackme1.004238F9
004238EF C785 D8FEFFFF 0>MOV DWORD PTR SS:,0
004238F9 8D4D C4 LEA ECX,DWORD PTR SS:
004238FC FF15 F8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00423902 C745 FC 0800000>MOV DWORD PTR SS:,8
00423909 833D EC524200 0>CMP DWORD PTR DS:,0
00423910 75 1C JNZ SHORT Crackme1.0042392E
00423912 68 EC524200 PUSH Crackme1.004252EC
00423917 68 7C1F4200 PUSH Crackme1.00421F7C
0042391C FF15 B4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00423922 C785 D4FEFFFF E>MOV DWORD PTR SS:,Crackme1.0042>
0042392C EB 0A JMP SHORT Crackme1.00423938
0042392E C785 D4FEFFFF E>MOV DWORD PTR SS:,Crackme1.0042>
00423938 8B8D D4FEFFFF MOV ECX,DWORD PTR SS:
0042393E 8B11 MOV EDX,DWORD PTR DS:
00423940 8995 34FFFFFF MOV DWORD PTR SS:,EDX
00423946 8B45 08 MOV EAX,DWORD PTR SS:
00423949 50 PUSH EAX
0042394A 8D4D C4 LEA ECX,DWORD PTR SS:
0042394D 51 PUSH ECX
0042394E FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSetAddref
00423954 50 PUSH EAX
00423955 8B95 34FFFFFF MOV EDX,DWORD PTR SS:
0042395B 8B02 MOV EAX,DWORD PTR DS:
0042395D 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:
00423963 51 PUSH ECX
00423964 FF50 0C CALL DWORD PTR DS:
00423967 DBE2 FCLEX
00423969 8985 30FFFFFF MOV DWORD PTR SS:,EAX
0042396F 83BD 30FFFFFF 0>CMP DWORD PTR SS:,0
00423976 7D 23 JGE SHORT Crackme1.0042399B
00423978 6A 0C PUSH 0C
0042397A 68 6C1F4200 PUSH Crackme1.00421F6C
0042397F 8B95 34FFFFFF MOV EDX,DWORD PTR SS:
00423985 52 PUSH EDX
00423986 8B85 30FFFFFF MOV EAX,DWORD PTR SS:
0042398C 50 PUSH EAX
0042398D FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00423993 8985 D0FEFFFF MOV DWORD PTR SS:,EAX
00423999 EB 0A JMP SHORT Crackme1.004239A5
0042399B C785 D0FEFFFF 0>MOV DWORD PTR SS:,0
004239A5 8D4D C4 LEA ECX,DWORD PTR SS:
004239A8 FF15 F8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004239AE C745 FC 0A00000>MOV DWORD PTR SS:,0A
004239B5 8B4D 08 MOV ECX,DWORD PTR SS:
004239B8 8B11 MOV EDX,DWORD PTR DS:
004239BA 8B45 08 MOV EAX,DWORD PTR SS:
004239BD 50 PUSH EAX
004239BE FF92 00030000 CALL DWORD PTR DS:
004239C4 50 PUSH EAX
004239C5 8D4D C4 LEA ECX,DWORD PTR SS:
004239C8 51 PUSH ECX
004239C9 FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004239CF 8985 34FFFFFF MOV DWORD PTR SS:,EAX
004239D5 8D55 CC LEA EDX,DWORD PTR SS:
004239D8 52 PUSH EDX
004239D9 8B85 34FFFFFF MOV EAX,DWORD PTR SS:
004239DF 8B08 MOV ECX,DWORD PTR DS:
004239E1 8B95 34FFFFFF MOV EDX,DWORD PTR SS:
004239E7 52 PUSH EDX
004239E8 FF91 A0000000 CALL DWORD PTR DS:
004239EE DBE2 FCLEX
004239F0 8985 30FFFFFF MOV DWORD PTR SS:,EAX
004239F6 83BD 30FFFFFF 0>CMP DWORD PTR SS:,0
004239FD 7D 26 JGE SHORT Crackme1.00423A25
004239FF 68 A0000000 PUSH 0A0
00423A04 68 B01E4200 PUSH Crackme1.00421EB0
00423A09 8B85 34FFFFFF MOV EAX,DWORD PTR SS:
00423A0F 50 PUSH EAX
00423A10 8B8D 30FFFFFF MOV ECX,DWORD PTR SS:
00423A16 51 PUSH ECX
00423A17 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00423A1D 8985 CCFEFFFF MOV DWORD PTR SS:,EAX
00423A23 EB 0A JMP SHORT Crackme1.00423A2F
00423A25 C785 CCFEFFFF 0>MOV DWORD PTR SS:,0
00423A2F 8B55 CC MOV EDX,DWORD PTR SS:
00423A32 52 PUSH EDX
00423A33 FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00423A39 8BC8 MOV ECX,EAX
00423A3B FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
00423A41 66:8985 1CFFFFF>MOV WORD PTR SS:,AX
00423A48 66:C785 20FFFFF>MOV WORD PTR SS:,2
00423A51 66:C745 DC 0100 MOV WORD PTR SS:,1
00423A57 8D4D CC LEA ECX,DWORD PTR SS:
00423A5A FF15 F4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00423A60 8D4D C4 LEA ECX,DWORD PTR SS:
00423A63 FF15 F8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00423A69 EB 15 JMP SHORT Crackme1.00423A80
00423A6B 66:8B45 DC MOV AX,WORD PTR SS:
00423A6F 66:0385 20FFFFF>ADD AX,WORD PTR SS:
00423A76 0F80 C3050000 JO Crackme1.0042403F
00423A7C 66:8945 DC MOV WORD PTR SS:,AX
00423A80 66:8B4D DC MOV CX,WORD PTR SS:
00423A84 66:3B8D 1CFFFFF>CMP CX,WORD PTR SS:
00423A8B 0F8F 26020000 JG Crackme1.00423CB7
00423A91 C745 FC 0B00000>MOV DWORD PTR SS:,0B
00423A98 8B55 08 MOV EDX,DWORD PTR SS:
00423A9B 8B02 MOV EAX,DWORD PTR DS:
00423A9D 8B4D 08 MOV ECX,DWORD PTR SS:
00423AA0 51 PUSH ECX
00423AA1 FF90 00030000 CALL DWORD PTR DS:
00423AA7 50 PUSH EAX
00423AA8 8D55 C4 LEA EDX,DWORD PTR SS:
00423AAB 52 PUSH EDX
00423AAC FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00423AB2 8985 34FFFFFF MOV DWORD PTR SS:,EAX
00423AB8 8D45 CC LEA EAX,DWORD PTR SS:
00423ABB 50 PUSH EAX
00423ABC 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:
00423AC2 8B11 MOV EDX,DWORD PTR DS:
00423AC4 8B85 34FFFFFF MOV EAX,DWORD PTR SS:
00423ACA 50 PUSH EAX
00423ACB FF92 A0000000 CALL DWORD PTR DS:
00423AD1 DBE2 FCLEX
00423AD3 8985 30FFFFFF MOV DWORD PTR SS:,EAX
00423AD9 83BD 30FFFFFF 0>CMP DWORD PTR SS:,0
00423AE0 7D 26 JGE SHORT Crackme1.00423B08
00423AE2 68 A0000000 PUSH 0A0
00423AE7 68 B01E4200 PUSH Crackme1.00421EB0
00423AEC 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:
00423AF2 51 PUSH ECX
00423AF3 8B95 30FFFFFF MOV EDX,DWORD PTR SS:
00423AF9 52 PUSH EDX
00423AFA FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00423B00 8985 C8FEFFFF MOV DWORD PTR SS:,EAX
00423B06 EB 0A JMP SHORT Crackme1.00423B12
00423B08 C785 C8FEFFFF 0>MOV DWORD PTR SS:,0
00423B12 C745 A8 0200000>MOV DWORD PTR SS:,2
00423B19 C745 A0 0200000>MOV DWORD PTR SS:,2
00423B20 8B45 CC MOV EAX,DWORD PTR SS:
00423B23 8985 FCFEFFFF MOV DWORD PTR SS:,EAX
00423B29 C745 CC 0000000>MOV DWORD PTR SS:,0
00423B30 8B8D FCFEFFFF MOV ECX,DWORD PTR SS:
00423B36 894D B8 MOV DWORD PTR SS:,ECX
00423B39 C745 B0 0800000>MOV DWORD PTR SS:,8
00423B40 8D55 A0 LEA EDX,DWORD PTR SS:
00423B43 52 PUSH EDX
00423B44 0FBF45 DC MOVSX EAX,WORD PTR SS:
00423B48 50 PUSH EAX
00423B49 8D4D B0 LEA ECX,DWORD PTR SS:
00423B4C 51 PUSH ECX
00423B4D 8D55 90 LEA EDX,DWORD PTR SS:
00423B50 52 PUSH EDX
00423B51 FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; takes characters 1-2 of the registration code; on the next loop iteration characters 3-4, and so on.
00423B57 8D45 90 LEA EAX,DWORD PTR SS:
00423B5A 50 PUSH EAX
00423B5B FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
00423B61 8BD0 MOV EDX,EAX
00423B63 8D4D D0 LEA ECX,DWORD PTR SS:
00423B66 FF15 E4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00423B6C 8D4D C4 LEA ECX,DWORD PTR SS:
00423B6F FF15 F8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00423B75 8D4D 90 LEA ECX,DWORD PTR SS:
00423B78 51 PUSH ECX
00423B79 8D55 A0 LEA EDX,DWORD PTR SS:
00423B7C 52 PUSH EDX
00423B7D 8D45 B0 LEA EAX,DWORD PTR SS:
00423B80 50 PUSH EAX
00423B81 6A 03 PUSH 3
00423B83 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00423B89 83C4 10 ADD ESP,10
00423B8C C745 FC 0C00000>MOV DWORD PTR SS:,0C
00423B93 66:C785 14FFFFF>MOV WORD PTR SS:,9
00423B9C 66:C785 18FFFFF>MOV WORD PTR SS:,1
00423BA5 66:C745 D8 0000 MOV WORD PTR SS:,0
00423BAB EB 15 JMP SHORT Crackme1.00423BC2
00423BAD 66:8B4D D8 MOV CX,WORD PTR SS:
00423BB1 66:038D 18FFFFF>ADD CX,WORD PTR SS:
00423BB8 0F80 81040000 JO Crackme1.0042403F
00423BBE 66:894D D8 MOV WORD PTR SS:,CX
00423BC2 66:8B55 D8 MOV DX,WORD PTR SS:
00423BC6 66:3B95 14FFFFF>CMP DX,WORD PTR SS:
00423BCD 0F8F D8000000 JG Crackme1.00423CAB
00423BD3 C745 FC 0D00000>MOV DWORD PTR SS:,0D
00423BDA 0FBF45 D8 MOVSX EAX,WORD PTR SS:
00423BDE 8985 34FFFFFF MOV DWORD PTR SS:,EAX
00423BE4 83BD 34FFFFFF 0>CMP DWORD PTR SS:,0A
00423BEB 73 0C JNB SHORT Crackme1.00423BF9
00423BED C785 C4FEFFFF 0>MOV DWORD PTR SS:,0
00423BF7 EB 0C JMP SHORT Crackme1.00423C05
00423BF9 FF15 6C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaGener>; MSVBVM60.__vbaGenerateBoundsError
00423BFF 8985 C4FEFFFF MOV DWORD PTR SS:,EAX
00423C05 8B4D D0 MOV ECX,DWORD PTR SS:
00423C08 51 PUSH ECX
00423C09 8B55 08 MOV EDX,DWORD PTR SS:
00423C0C 8B42 44 MOV EAX,DWORD PTR DS:
00423C0F 8B8D 34FFFFFF MOV ECX,DWORD PTR SS:
00423C15 8B1488 MOV EDX,DWORD PTR DS: ; fixed string table here: XU hb jm ZB OY PV bs ge wd RT
00423C18 52 PUSH EDX
00423C19 FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrLi>; compare the two characters with the first table string XU; if not equal, compare with the second, and so on.
00423C1F 66:3D FFFF CMP AX,0FFFF ; if they match the second entry, the digit obtained below is 2
00423C23 75 7A JNZ SHORT Crackme1.00423C9F
00423C25 C745 FC 0E00000>MOV DWORD PTR SS:,0E
00423C2C 8B45 D4 MOV EAX,DWORD PTR SS:
00423C2F 8985 68FFFFFF MOV DWORD PTR SS:,EAX
00423C35 C785 60FFFFFF 0>MOV DWORD PTR SS:,8
00423C3F 8D4D D8 LEA ECX,DWORD PTR SS:
00423C42 898D 78FFFFFF MOV DWORD PTR SS:,ECX
00423C48 C785 70FFFFFF 0>MOV DWORD PTR SS:,4002
00423C52 8D95 70FFFFFF LEA EDX,DWORD PTR SS:
00423C58 52 PUSH EDX
00423C59 8D45 B0 LEA EAX,DWORD PTR SS:
00423C5C 50 PUSH EAX
00423C5D FF15 DC104000 CALL DWORD PTR DS:[<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00423C63 8D8D 60FFFFFF LEA ECX,DWORD PTR SS:
00423C69 51 PUSH ECX
00423C6A 8D55 B0 LEA EDX,DWORD PTR SS:
00423C6D 52 PUSH EDX
00423C6E 8D45 A0 LEA EAX,DWORD PTR SS:
00423C71 50 PUSH EAX
00423C72 FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
00423C78 50 PUSH EAX
00423C79 FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
00423C7F 8BD0 MOV EDX,EAX ; this is the digit obtained
00423C81 8D4D D4 LEA ECX,DWORD PTR SS: ; the number built up this way must equal the machine ID, and then it's OK
00423C84 FF15 E4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00423C8A 8D4D A0 LEA ECX,DWORD PTR SS:
00423C8D 51 PUSH ECX
00423C8E 8D55 B0 LEA EDX,DWORD PTR SS:
00423C91 52 PUSH EDX
00423C92 6A 02 PUSH 2
00423C94 FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00423C9A 83C4 0C ADD ESP,0C
00423C9D EB 0C JMP SHORT Crackme1.00423CAB
Summary:
1. The registration code is twice as long as the machine ID.
2. There is a fixed string table: XU stands for 0, hb for 1, jm for 2, ZB for 3, OY for 4, PV for 5, bs for 6, ge for 7, wd for 8, RT for 9.
3. The registration code is simply the machine ID with each digit replaced by its corresponding string.
For example, my machine ID is 1760012932, so my registration code is hbgebsXUXUhbjmRTZBjm.
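To check the analysis against the author's own example, here is a Python re-implementation of the check routine the listing performs, plus the inverse mapping from point 3 of the summary (an added example, not the crackme's own code). It assumes the Like comparison at 00423C19 is case-sensitive, i.e. VB's default Option Compare Binary.

```python
# Re-implementation of the registration check reconstructed above (added example).
# Assumption: the __vbaStrLike comparison at 00423C19 is case-sensitive
# (VB's default Option Compare Binary), so "HB" does not match "hb".

# Fixed string table at 00423C15; the index of an entry is the digit it stands for.
DIGIT_TABLE = ["XU", "hb", "jm", "ZB", "OY", "PV", "bs", "ge", "wd", "RT"]
TO_DIGIT = {s: str(i) for i, s in enumerate(DIGIT_TABLE)}


def decode_reg_code(reg_code: str) -> str:
    """Mirror of the loop at 00423A80-00423C9D: walk the registration code two
    characters at a time (the MSVBVM60.#632 call at 00423B51), compare each pair
    with the ten table entries, and append the matching index to the result.
    A pair that matches no entry appends nothing, just as the JNZ at 00423C23
    skips the __vbaVarCat concatenation."""
    digits = []
    for pos in range(0, len(reg_code), 2):
        pair = reg_code[pos:pos + 2]
        if pair in TO_DIGIT:
            digits.append(TO_DIGIT[pair])
    return "".join(digits)


def check_reg_code(machine_id: str, reg_code: str) -> bool:
    """Length test from 004237FE-00423813 (registration code must be exactly
    twice as long as the machine ID), then the final equality test the
    summary describes."""
    if len(reg_code) != 2 * len(machine_id):
        return False
    return decode_reg_code(reg_code) == machine_id


def encode_machine_id(machine_id: str) -> str:
    """Inverse mapping (summary point 3): each decimal digit becomes its table entry."""
    if not machine_id.isdigit():
        raise ValueError("machine ID must consist of decimal digits")
    return "".join(DIGIT_TABLE[int(d)] for d in machine_id)


if __name__ == "__main__":
    # Author's own example from the summary: 1760012932 <-> hbgebsXUXUhbjmRTZBjm
    print(encode_machine_id("1760012932"))
    print(check_reg_code("1760012932", "hbgebsXUXUhbjmRTZBjm"))
```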
[ Last edited by lhl8730 on 2006-5-10 20:32 ]
I see, so that's how it works. Learned something.
Original post by 冷血书生 on 2006-5-10 21:13:
I see, so that's how it works. Learned something.
Following along to learn too!