冷血书生 发表于 2006-8-2 15:35:02

wxh9833's CrackMe 算法分析

【破解日期】 2006年8月2日
【破解作者】 冷血书生
【作者邮箱】 [email protected]
【作者主页】 http://www.126sohu.com
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 wxh9833's CrackMe
【下载地址】 本地
【软件大小】 32KB
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】



下断点 bp __vbaStrComp,中断后取消断点并返回到调用处


;------------------------------------------------------------------------------
; OllyDbg disassembly dump (32-bit x86, Intel syntax as OllyDbg prints it) of
; the serial-check routine in wxh9833's CrackMe, a VB6 program built on the
; MSVBVM60 runtime.  This is a debugger trace, not assemblable source: the text
; of the memory operands after "ss:" / "ds:" (the [ebp-xx] / [esi+xx] parts)
; was lost when the post was extracted, so "mov dword ptr ss:,eax" reads as
; "store eax to a stack local whose offset is no longer shown".  The addresses
; on the left are part of the dump.
;
; Register roles visible in this excerpt:
;   ebx  cached import pointer: __vbaVarMove from 00403056 on ("call ebx"),
;        then __vbaObjSet from 004032F1 on
;   edi  holds a function pointer set outside the excerpt ("call edi" at
;        0040300C); from 0040301F on it is 2, used as the argument count for
;        the __vbaFree*List calls and written into Variant headers (VT_I2)
;   eax  return value of each runtime call
; Only the variadic __vbaFreeStrList/__vbaFreeVarList calls are followed by a
; caller-side "add esp,N"; the other runtime calls clean up their own args.
; Variant type tags seen in the immediates: 2 = VT_I2, 3 = VT_I4, 8 = VT_BSTR,
; 4008/8008 = VT_BYREF|VT_BSTR (standard OLE VARTYPE values).
;------------------------------------------------------------------------------
00402FD7call crackme_.00403470                        ; author: four rounds of MD5 over the user name (routine body not shown here)
00402FDCmov dword ptr ss:,eax               ; author: result stored to a local
00402FDFlea eax,dword ptr ss:
00402FE2lea ecx,dword ptr ss:
00402FE8push eax
00402FE9push ecx
00402FEAmov dword ptr ss:,8                  ; vt = 8 (VT_BSTR): the Variant passed to LCase below
00402FF1call dword ptr ds:[<&MSVBVM60.#518>]          ; MSVBVM60.rtcLowerCaseVar -- VB LCase()
00402FF7lea edx,dword ptr ss:
00402FFDlea ebx,dword ptr ds:                ; ebx -> destination string for the __vbaStrCopy at 00403012
00403000push edx
00403001call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>; MSVBVM60.__vbaStrVarMove -- Variant -> BSTR
00403007mov edx,eax
00403009lea ecx,dword ptr ss:
0040300Ccall edi                                     ; edi = function pointer set before this excerpt; not identifiable here
0040300Emov edx,eax
00403010mov ecx,ebx
00403012call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]; MSVBVM60.__vbaStrCopy -- keep the lower-cased string in the ebx local
00403018lea eax,dword ptr ss:
0040301Blea ecx,dword ptr ss:
0040301Epush eax
0040301Fmov edi,2                                    ; edi = 2: argument count for the __vbaFree*List calls
00403024push ecx
00403025push edi
00403026call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLis>; MSVBVM60.__vbaFreeStrList -- release 2 temporary strings
0040302Cadd esp,0C                                   ; caller cleans up the 3 pushed args
0040302Flea ecx,dword ptr ss:
00403032call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]; MSVBVM60.__vbaFreeObj
00403038lea edx,dword ptr ss:
0040303Elea eax,dword ptr ss:
00403041push edx
00403042push eax
00403043push edi
00403044call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList -- release 2 temporary Variants
0040304Amov ecx,dword ptr ds:
0040304Cadd esp,0C
0040304Fpush ecx
00403050call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]; MSVBVM60.__vbaLenBstr -- VB Len() of the string loaded at 0040304A
00403056mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarMove>; MSVBVM60.__vbaVarMove -- cached in ebx; every "call ebx" below is this
0040305Clea edx,dword ptr ss:
00403062lea ecx,dword ptr ss:
00403065mov dword ptr ss:,eax               ; Len() result ...
0040306Bmov dword ptr ss:,3                  ; ... wrapped as a Variant with vt = 3 (VT_I4)
00403075call ebx
00403077mov eax,1
0040307Clea edx,dword ptr ss:
00403082mov dword ptr ss:,eax
00403088mov dword ptr ss:,eax
0040308Elea eax,dword ptr ss:
00403091push edx
00403092lea ecx,dword ptr ss:
00403098push eax
00403099lea edx,dword ptr ss:
0040309Fpush ecx
004030A0lea eax,dword ptr ss:
004030A6push edx
004030A7lea ecx,dword ptr ss:
004030AApush eax
004030ABpush ecx
004030ACmov dword ptr ss:,edi
004030B2mov dword ptr ss:,edi
004030B8call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>; MSVBVM60.__vbaVarForInit -- For loop #1 setup (start/end/step Variants)
004030BEtest eax,eax                                 ; loop #1 head: eax = 0 -> no more iterations
004030C0je crackme_.00403196                         ; exit loop #1
004030C6mov edx,dword ptr ds:
004030C9lea edi,dword ptr ds:
004030CClea eax,dword ptr ds:
004030CFmov dword ptr ss:,edx
004030D5mov dword ptr ss:,eax
004030DBlea eax,dword ptr ss:
004030DEpush eax
004030DFlea ecx,dword ptr ss:
004030E5push 14                                      ; 0x14 = 20; presumably the Mid() start position -- confirm against rtcMidCharVar's argument order
004030E7lea edx,dword ptr ss:
004030EDpush ecx
004030EEpush edx
004030EFmov dword ptr ss:,8                  ; vt = 8 (VT_BSTR)
004030F9mov dword ptr ss:,4                  ; 4 and 2 below: presumably the Mid() length (4) and its vt (VT_I2) -- confirm
00403100mov dword ptr ss:,2
00403107mov dword ptr ss:,4008               ; vt = VT_BYREF|VT_BSTR
00403111call dword ptr ds:[<&MSVBVM60.#632>]          ; MSVBVM60.rtcMidCharVar -- VB Mid()
00403117lea eax,dword ptr ss:
0040311Dlea ecx,dword ptr ss:
00403123push eax
00403124lea edx,dword ptr ss:
0040312Apush ecx
0040312Bpush edx
0040312Ccall dword ptr ds:[<&MSVBVM60.__vbaVarCat>]   ; MSVBVM60.__vbaVarCat -- VB string concatenation (&)
00403132push eax
00403133call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>; MSVBVM60.__vbaStrVarMove
00403139mov edx,eax                                 ; author: this yields the last four characters of the third-round result
0040313Blea ecx,dword ptr ss:
0040313Ecall dword ptr ds:[<&MSVBVM60.__vbaStrMove>]; MSVBVM60.__vbaStrMove
00403144mov edx,eax
00403146mov ecx,edi
00403148call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]; MSVBVM60.__vbaStrCopy -- store into the global pointed to by edi (lea at 004030C9)
0040314Elea ecx,dword ptr ss:
00403151call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]; MSVBVM60.__vbaFreeStr
00403157lea eax,dword ptr ss:
0040315Dlea ecx,dword ptr ss:
00403163push eax
00403164lea edx,dword ptr ss:
00403167push ecx
00403168push edx
00403169push 3
0040316Bcall dword ptr ds:[<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList -- release 3 temporary Variants
00403171add esp,10                                   ; 4 pushed args
00403174lea eax,dword ptr ss:
0040317Alea ecx,dword ptr ss:
00403180lea edx,dword ptr ss:
00403183push eax
00403184push ecx
00403185push edx
00403186call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext -- advance loop #1 counter
0040318Cmov edi,2                                    ; restore edi = 2 (it was reused as a pointer at 004030C9)
00403191jmp crackme_.004030BE                         ; author: loop #1 repeats N times (exact count not recorded); not the key step
00403196mov eax,1                                    ; loop #2: start = 1, step = 1 (the two stores below)
0040319Blea ecx,dword ptr ss:
004031A1mov dword ptr ss:,eax
004031A7mov dword ptr ss:,eax
004031ADlea eax,dword ptr ss:
004031B3lea edx,dword ptr ss:
004031B9push eax
004031BApush ecx
004031BBlea eax,dword ptr ss:
004031C1push edx
004031C2lea ecx,dword ptr ss:
004031C8push eax
004031C9lea edx,dword ptr ss:
004031CCpush ecx
004031CDpush edx
004031CEmov dword ptr ss:,edi                ; vt = 2 (VT_I2) on the loop Variants
004031D4mov dword ptr ss:,4                  ; loop #2 end value 4 -- matches the author's "loops four times" at 004032E3
004031DEmov dword ptr ss:,edi
004031E4mov dword ptr ss:,edi
004031EAcall dword ptr ds:[<&MSVBVM60.__vbaVarForInit>; MSVBVM60.__vbaVarForInit -- For loop #2 setup
004031F0test eax,eax                                 ; loop #2 head
004031F2je crackme_.004032E8                         ; exit loop #2 -> the final comparison
004031F8lea ecx,dword ptr ss:
004031FBlea edx,dword ptr ss:
004031FElea eax,dword ptr ds:
00403201push ecx
00403202push edx
00403203mov dword ptr ss:,1                  ; 1: presumably the Mid() length, i.e. one character per iteration -- confirm
0040320Amov dword ptr ss:,edi                ; vt = 2 (VT_I2)
0040320Dmov dword ptr ss:,eax
00403213mov dword ptr ss:,4008               ; vt = VT_BYREF|VT_BSTR, referencing the string A
0040321Dcall dword ptr ds:[<&MSVBVM60.__vbaI4Var>]    ; MSVBVM60.__vbaI4Var -- loop counter Variant -> Long (Mid() start index)
00403223push eax
00403224lea eax,dword ptr ss:
0040322Alea ecx,dword ptr ss:
00403230push eax
00403231push ecx
00403232call dword ptr ds:[<&MSVBVM60.#632>]          ; MSVBVM60.rtcMidCharVar -- VB Mid(): the i-th character
00403238lea edx,dword ptr ss:
0040323Elea eax,dword ptr ss:
00403241push edx
00403242push eax
00403243call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>>; MSVBVM60.__vbaStrVarVal -- Variant -> BSTR
00403249push eax
0040324Acall dword ptr ds:[<&MSVBVM60.#516>]          ; MSVBVM60.rtcAnsiValueBstr -- VB Asc(): character code of that character
00403250lea edx,dword ptr ss:
00403256lea ecx,dword ptr ss:
00403259mov word ptr ss:,ax                   ; author: ax stored to the local (Asc() returns a 16-bit Integer)
00403260mov dword ptr ss:,edi                ; vt = 2 (VT_I2)
00403266call ebx                                     ; __vbaVarMove
00403268lea ecx,dword ptr ss:
0040326Bcall dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]; MSVBVM60.__vbaFreeStr
00403271lea ecx,dword ptr ss:
00403277lea edx,dword ptr ss:
0040327Apush ecx
0040327Bpush edx
0040327Cpush edi
0040327Dcall dword ptr ds:[<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList
00403283add esp,0C
00403286lea eax,dword ptr ss:
00403289lea ecx,dword ptr ss:
0040328Flea edx,dword ptr ss:
00403292push eax
00403293push ecx
00403294push edx
00403295mov dword ptr ss:,3                  ; constant 3 as a Variant ...
0040329Fmov dword ptr ss:,edi                ; ... with vt = 2 (VT_I2)
004032A5call dword ptr ds:[<&MSVBVM60.__vbaVarMul>]   ; MSVBVM60.__vbaVarMul -- author: the value above * 3
004032ABmov edx,eax                                 
004032ADlea ecx,dword ptr ss:
004032B0call ebx                                     ; __vbaVarMove
004032B2lea eax,dword ptr ss:
004032B5lea ecx,dword ptr ss:
004032B8push eax
004032B9lea edx,dword ptr ss:
004032BCpush ecx
004032BDpush edx
004032BEcall dword ptr ds:[<&MSVBVM60.__vbaVarCat>]   ; MSVBVM60.__vbaVarCat -- append the product to the running result (decimal text, per the summary)
004032C4mov edx,eax
004032C6lea ecx,dword ptr ss:
004032C9call ebx                                     ; __vbaVarMove
004032CBlea eax,dword ptr ss:
004032D1lea ecx,dword ptr ss:
004032D7push eax
004032D8lea edx,dword ptr ss:
004032DBpush ecx
004032DCpush edx
004032DDcall dword ptr ds:[<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext -- advance loop #2 counter
004032E3jmp crackme_.004031F0                         ; author: loops four times
004032E8mov eax,dword ptr ds:                ; loop #2 done; fetch a control object (esi = object set outside the excerpt)
004032EApush esi
004032EBcall dword ptr ds:
004032F1mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>>; MSVBVM60.__vbaObjSet -- ebx now caches __vbaObjSet
004032F7lea ecx,dword ptr ss:
004032FApush eax
004032FBpush ecx
004032FCcall ebx
004032FEmov edi,eax                                  ; edi = the object
00403300lea eax,dword ptr ss:
00403303push eax
00403304push edi
00403305mov edx,dword ptr ds:
00403307call dword ptr ds:                    ; COM method call through the vtable; presumably reads the serial edit box (see the author's note at 00403325)
0040330Dtest eax,eax                                 ; eax = HRESULT
0040330Ffclex                                        ; clear pending FPU exceptions
00403311jge short crackme_.00403325                  ; HRESULT >= 0 -> success path
00403313push 0A0                                     ; failure: raise the VB runtime error for this object call
00403318push crackme_.0040299C
0040331Dpush edi
0040331Epush eax
0040331Fcall dword ptr ds:[<&MSVBVM60.__vbaHresultChe>; MSVBVM60.__vbaHresultCheckObj
00403325mov eax,dword ptr ss:               ; author: the "fake" code (the serial the user typed)
00403328lea ecx,dword ptr ss:
0040332Blea edx,dword ptr ss:
0040332Epush ecx
0040332Fpush edx
00403330mov dword ptr ss:,0
00403337mov dword ptr ss:,eax               ; author: the real code appears here (the computed serial)
0040333Amov dword ptr ss:,8008               ; vt = VT_BYREF|VT_BSTR
00403341call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; MSVBVM60.__vbaVarTstEq -- the check itself: entered serial = computed serial ?
00403347lea ecx,dword ptr ss:
0040334Amov edi,eax                                  ; edi = comparison result
0040334Ccall dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]; MSVBVM60.__vbaFreeObj
00403352lea ecx,dword ptr ss:
; (the author's listing ends here)


////////////////////////////////////////////////////////////////////////////////////////////


算法总结:

1) 将用户名用 MD5 进行四轮运算,取第三轮运算结果的后四位并转为小写 = A

2) 取 A 中每个字符的 ASCII 码(Asc),分别乘以 3 = B

3) 将 B 中每一次计算的结果以十进制形式依次连接起来,即为注册码


如:

name : leng
code : 144168303297
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

网游难民 发表于 2006-8-2 15:57:44

沙发啊~~
快来学习~~


偶只会用计算器看MD5:L
慢慢研究~


caterpilla 发表于 2006-8-2 15:58:22

高手。。。。。。。。

wxh9833 发表于 2006-8-10 16:03:48
