- 【Title】Piao Yun's CrackMe003: simple algorithm analysis + VB keygen source
- 【Author】hrbx
- 【Author homepage】hrbx.ys168.com
- 【Author e-mail】[email protected]
- 【Platform】WinXP
- 【Tools】flyOD1.10, PEiD
- 【Date】2006-03-27
- 【Software】Piao Yun's CrackMe003
- 【Size】56.5KB
- 【Download】https://www.chinapyg.com/viewthread.php?tid=4214&extra=page%3D1
- 【Packer】UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
- 【Description】Piao Yun's CrackMe003
- -----------------------------------------------------------------------------------------------
- 【Disclaimer】I'm just a newbie; I picked up a little insight and would like to share it with everyone :)
- -----------------------------------------------------------------------------------------------
- 【Cracking process】
- 1. Unpacking. A PEiD scan reports: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo; unpack it directly with PEiD's built-in
- unpacker plugin. Scanning again with PEiD now reports: Microsoft Visual Basic 5.0 / 6.0.
- 2. Trial run of the crackme. Enter the registration info:
- ====================================================================
- Hard Code:16856497051497056666666666666653371299410299411333333333333330
- Serial:9876543210
- ====================================================================
- Click the Check button: the main window closes and a "Bye!Dear Cracker!" message box pops up.
- 3. Find where the Hard Code comes from. Load in OD, set a breakpoint from the command line: bp __vbaLenBstr, Enter, F9 to run; it breaks:
- 660E5F5F MS> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; breaks here
- 660E5F63 85C0 test eax,eax
- 660E5F65 74 05 je short MSVBVM60.660E5F6C
- 660E5F67 8B40 FC mov eax,dword ptr ds:[eax-4]
- 660E5F6A D1E8 shr eax,1
- Look at the friendly hint in the stack window:
- 0012F9A0 660E5FAD return to MSVBVM60.660E5FAD from MSVBVM60.__vbaLenBstr
- 0012F9A4 0015DE64 UNICODE "D81F31F8"
- The "D81F31F8" on the stack is the volume serial number of drive C, D81F-31F8, with the "-" removed. Alt+F9 to return, arriving at:
- 0041023B FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; length of the string "D81F31F8", EAX=8
- 00410241 50 push eax ; returns here
- 00410242 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
- 00410248 8985 58FFFFFF mov dword ptr ss:[ebp-A8],eax ; save the string length EAX=8
- 0041024E 66:C746 68 0100 mov word ptr ds:[esi+68],1
- 00410254 66:8B46 68 mov ax,word ptr ds:[esi+68] ; loop counter into AX
- 00410258 66:3B85 58FFFFF>cmp ax,word ptr ss:[ebp-A8] ; compare the loop counter with the string length
- 0041025F 0F8F 97000000 jg CrackMe0.004102FC ; jump out if greater, otherwise continue
- 00410265 0FBFD0 movsx edx,ax
- 00410268 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 0041026B 8D46 6C lea eax,dword ptr ds:[esi+6C]
- 0041026E 51 push ecx
- 0041026F 52 push edx
- 00410270 50 push eax
- 00410271 8D45 BC lea eax,dword ptr ss:[ebp-44]
- 00410274 BF 02000000 mov edi,2
- 00410279 50 push eax
- 0041027A C745 D4 0100000>mov dword ptr ss:[ebp-2C],1
- 00410281 897D CC mov dword ptr ss:[ebp-34],edi
- 00410284 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; Mid(str, i, 1): take one character of "D81F31F8" (position 1 on the first pass)
- 0041028A 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 0041028D 8D55 E8 lea edx,dword ptr ss:[ebp-18]
- 00410290 51 push ecx
- 00410291 52 push edx
- 00410292 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
- 00410298 50 push eax
- 00410299 FF15 44104000 call dword ptr ds:[<&MSVBVM60.rtcAnsiValueBstr>] ; Asc() of the character, EAX=0x44 ("D")
- 0041029F 89BD 7CFFFFFF mov dword ptr ss:[ebp-84],edi
- 004102A5 66:8945 84 mov word ptr ss:[ebp-7C],ax ; AX=0x44 ("D"), save the ASCII value
- 004102A9 8D7E 34 lea edi,dword ptr ds:[esi+34]
- 004102AC 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
- 004102B2 57 push edi
- 004102B3 8D4D AC lea ecx,dword ptr ss:[ebp-54]
- 004102B6 50 push eax
- 004102B7 51 push ecx
- 004102B8 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; append each character's ASCII value, written in decimal
- 004102BE 8BD0 mov edx,eax ; the final result is the string "6856497051497056"
- 004102C0 8BCF mov ecx,edi
- 004102C2 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 004102C8 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
- 004102CB FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 004102D1 8D55 AC lea edx,dword ptr ss:[ebp-54]
- 004102D4 8D45 BC lea eax,dword ptr ss:[ebp-44]
- 004102D7 52 push edx
- 004102D8 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 004102DB 50 push eax
- 004102DC 51 push ecx
- 004102DD 6A 03 push 3
- 004102DF FFD3 call ebx
- 004102E1 B8 01000000 mov eax,1
- 004102E6 83C4 10 add esp,10
- 004102E9 66:0346 68 add ax,word ptr ds:[esi+68]
- 004102ED 0F80 77020000 jo CrackMe0.0041056A
- 004102F3 66:8946 68 mov word ptr ds:[esi+68],ax
- 004102F7 ^ E9 58FFFFFF jmp CrackMe0.00410254 ; loop back to take the next character
- 004102FC 8D7E 34 lea edi,dword ptr ds:[esi+34]
- 004102FF 8D55 8C lea edx,dword ptr ss:[ebp-74]
- 00410302 57 push edi
- 00410303 52 push edx
- 00410304 8D45 CC lea eax,dword ptr ss:[ebp-34]
- 00410307 57 push edi
- 00410308 50 push eax
- 00410309 C745 94 1E00000>mov dword ptr ss:[ebp-6C],1E ; constant 0x1E (30)
- 00410310 C745 8C 0200000>mov dword ptr ss:[ebp-74],2
- 00410317 FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; length of "6856497051497056", 0x10 (16)
- 0041031D 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 00410320 50 push eax
- 00410321 51 push ecx
- 00410322 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x1E-0x10=0xE
- 00410328 50 push eax
- 00410329 FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 0041032F 8D55 AC lea edx,dword ptr ss:[ebp-54] ; EAX=0xE
- 00410332 50 push eax
- 00410333 52 push edx
- 00410334 FF15 38114000 call dword ptr ds:[<&MSVBVM60.rtcStringVar>] ; String(0xE, "6") = "66666666666666"
- 0041033A 8D45 AC lea eax,dword ptr ss:[ebp-54] ; its length is the difference computed above (0xE)
- 0041033D 57 push edi
- 0041033E 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
- 00410341 50 push eax
- 00410342 51 push ecx
- 00410343 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate "6856497051497056"
- ; with "66666666666666"
- 00410349 8BD0 mov edx,eax ; giving "685649705149705666666666666666"
- 0041034B 8BCF mov ecx,edi
- 0041034D FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 00410353 8D55 9C lea edx,dword ptr ss:[ebp-64]
- 00410356 8D45 AC lea eax,dword ptr ss:[ebp-54]
- 00410359 52 push edx
- 0041035A 50 push eax
- 0041035B 6A 02 push 2
- 0041035D FFD3 call ebx
- 0041035F 83C4 0C add esp,0C
- 00410362 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 00410365 8D55 BC lea edx,dword ptr ss:[ebp-44]
- 00410368 C745 D4 3900000>mov dword ptr ss:[ebp-2C],39
- 0041036F 51 push ecx
- 00410370 6A 1E push 1E ; 0x1E(30)
- 00410372 52 push edx
- 00410373 C745 CC 0200000>mov dword ptr ss:[ebp-34],2
- 0041037A FF15 38114000 call dword ptr ds:[<&MSVBVM60.rtcStringVar>] ; built-in fixed string of length 0x1E (30)
- 00410380 8D4E 44 lea ecx,dword ptr ds:[esi+44] ; "999999999999999999999999999999"
- 00410383 8D55 BC lea edx,dword ptr ss:[ebp-44]
- 00410386 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 0041038C 8D45 BC lea eax,dword ptr ss:[ebp-44]
- 0041038F 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 00410392 50 push eax
- 00410393 51 push ecx
- 00410394 6A 02 push 2
- 00410396 FFD3 call ebx
- 00410398 8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
- 0041039E 83C4 0C add esp,0C
- 004103A1 8D46 44 lea eax,dword ptr ds:[esi+44]
- 004103A4 50 push eax
- 004103A5 FFD3 call ebx
- 004103A7 8BD0 mov edx,eax
- 004103A9 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 004103AC FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
- 004103B2 57 push edi
- 004103B3 FFD3 call ebx
- 004103B5 8BD0 mov edx,eax
- 004103B7 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
- 004103BA FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
- 004103C0 8B16 mov edx,dword ptr ds:[esi]
- 004103C2 8D45 CC lea eax,dword ptr ss:[ebp-34]
- 004103C5 50 push eax
- 004103C6 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 004103C9 8D45 E8 lea eax,dword ptr ss:[ebp-18]
- 004103CC 51 push ecx
- 004103CD 50 push eax
- 004103CE 56 push esi
- 004103CF FF92 00070000 call dword ptr ds:[edx+700] ; key CALL, F7 to step into it
- 004103D5 85C0 test eax,eax
- 004103D7 7D 12 jge short CrackMe0.004103EB
- 004103D9 68 00070000 push 700
- 004103DE 68 C43B4000 push CrackMe0.00403BC4
- 004103E3 56 push esi
- 004103E4 50 push eax
- 004103E5 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>
- 004103EB 8D7E 54 lea edi,dword ptr ds:[esi+54]
- 004103EE 8D55 CC lea edx,dword ptr ss:[ebp-34]
- 004103F1 8BCF mov ecx,edi
- 004103F3 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 004103F9 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 004103FC 8D55 E8 lea edx,dword ptr ss:[ebp-18]
- 004103FF 51 push ecx
- 00410400 52 push edx
- 00410401 6A 02 push 2
- 00410403 FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]
- 00410409 83C4 0C add esp,0C
- 0041040C 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 0041040F FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
- 00410415 8B06 mov eax,dword ptr ds:[esi]
- 00410417 56 push esi
- 00410418 FF90 00030000 call dword ptr ds:[eax+300]
- 0041041E 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 00410421 50 push eax
- 00410422 51 push ecx
- 00410423 FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
- 00410429 57 push edi
- 0041042A 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
- 00410430 FFD3 call ebx
- 00410432 57 push edi
- 00410433 8945 C4 mov dword ptr ss:[ebp-3C],eax ; the string "1685649705149705666666666666665"
- 00410436 C745 BC 0800000>mov dword ptr ss:[ebp-44],8
- 0041043D FFD3 call ebx
- 0041043F 8BD0 mov edx,eax
- 00410441 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 00410444 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
- 0041044A 57 push edi
- 0041044B FFD3 call ebx
- 0041044D 8BD0 mov edx,eax ; the string "1685649705149705666666666666665"
- 0041044F 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
- 00410452 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
- 00410458 8B16 mov edx,dword ptr ds:[esi]
- 0041045A 8D45 CC lea eax,dword ptr ss:[ebp-34]
- 0041045D 50 push eax
- 0041045E 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 00410461 8D45 E8 lea eax,dword ptr ss:[ebp-18]
- 00410464 51 push ecx
- 00410465 50 push eax
- 00410466 56 push esi
- 00410467 FF92 00070000 call dword ptr ds:[edx+700] ; same key CALL as above; both operands are now
- 0041046D 85C0 test eax,eax ; "1685649705149705666666666666665"
- 0041046F 7D 12 jge short CrackMe0.00410483 ; and the result is the string
- 00410471 68 00070000 push 700 ; "3371299410299411333333333333330"
- 00410476 68 C43B4000 push CrackMe0.00403BC4
- 0041047B 56 push esi
- 0041047C 50 push eax
- 0041047D FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckOb>
- 00410483 8BB5 74FFFFFF mov esi,dword ptr ss:[ebp-8C]
- 00410489 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 0041048C 8D55 CC lea edx,dword ptr ss:[ebp-34]
- 0041048F 51 push ecx
- 00410490 8B3E mov edi,dword ptr ds:[esi]
- 00410492 8D45 AC lea eax,dword ptr ss:[ebp-54]
- 00410495 52 push edx
- 00410496 50 push eax
- 00410497 FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate the results of the two additions
- 0041049D 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 004104A0 50 push eax
- 004104A1 51 push ecx
- 004104A2 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
- 004104A8 50 push eax ; giving the Hard Code "168564970514970566666666
- 004104A9 56 push esi ; 66666653371299410299411333333333333330"
- F7 into the key CALL at 004103CF, arriving at:
- 00402E9D /E9 CED60000 jmp CrackMe0.00410570
- 00402EA2 |816C24 04 B7000>sub dword ptr ss:[esp+4],0B7
- 00402EAA |E9 11DE0000 jmp CrackMe0.00410CC0
- F8 once more, arriving at:
- 00410570 55 push ebp
- 00410571 8BEC mov ebp,esp
- .......................................................
- part of the code omitted
- .......................................................
- 00410617 8B35 2C104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
- 0041061D 50 push eax ; string 1 "685649705149705666666666666666" (the 30-character string built in step 3)
- 0041061E FFD6 call esi ; length of string 1, EAX=0x1E (30)
- 00410620 8B1D 20104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 00410626 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
- 0041062C 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 0041062F 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax ; save string 1 length EAX=0x1E (30)
- 00410635 C785 10FFFFFF 0>mov dword ptr ss:[ebp-F0],3
- 0041063F FFD3 call ebx
- 00410641 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
- 00410644 8B11 mov edx,dword ptr ds:[ecx]
- 00410646 52 push edx ; string 2 "999999999999999999999999999999"
- 00410647 FFD6 call esi ; length of string 2, EAX=0x1E (30)
- 00410649 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
- 0041064F 8D4D AC lea ecx,dword ptr ss:[ebp-54]
- 00410652 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax ; save string 2 length EAX=0x1E (30)
- 00410658 C785 10FFFFFF 0>mov dword ptr ss:[ebp-F0],3
- .......................................................
- part of the code omitted
- .......................................................
- 0041084B 52 push edx
- 0041084C C785 00FFFFFF 0>mov dword ptr ss:[ebp-100],4008
- 00410856 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; length of string 1 (0x1E) minus the loop counter
- 0041085C 50 push eax
- 0041085D 8D85 10FFFFFF lea eax,dword ptr ss:[ebp-F0]
- 00410863 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
- 00410869 50 push eax
- 0041086A 51 push ecx
- 0041086B FFD6 call esi ; plus 1: the index walks string 1 from its last character backwards
- 0041086D 50 push eax
- 0041086E FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 00410874 50 push eax ; EAX=0x1E
- 00410875 8D95 00FFFFFF lea edx,dword ptr ss:[ebp-100]
- 0041087B 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-E0]
- 00410881 52 push edx
- 00410882 50 push eax
- 00410883 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; string 1 "685649705149705666666666666666":
- 00410889 8D8D 20FFFFFF lea ecx,dword ptr ss:[ebp-E0] ; take one character, starting from the last position and moving left
- 0041088F 8D95 60FFFFFF lea edx,dword ptr ss:[ebp-A0]
- 00410895 51 push ecx
- 00410896 52 push edx
- 00410897 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
- 0041089D 50 push eax
- 0041089E FF15 EC114000 call dword ptr ds:[<&MSVBVM60.rtcR8ValFromBstr>] ; Val() of the character as a double, "6" -> 6.0
- 004108A4 DD9D E8FEFFFF fstp qword ptr ss:[ebp-118] ; st=6.0000000000000000000
- 004108AA 8D95 E0FEFFFF lea edx,dword ptr ss:[ebp-120]
- 004108B0 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
- 004108B3 C785 E0FEFFFF 0>mov dword ptr ss:[ebp-120],5
- 004108BD FFD3 call ebx
- 004108BF 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
- 004108C5 FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 004108CB 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-E0]
- 004108D1 8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-D0]
- 004108D7 50 push eax
- 004108D8 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
- 004108DE 51 push ecx
- 004108DF 52 push edx
- 004108E0 6A 03 push 3
- 004108E2 FFD7 call edi
- 004108E4 B8 02000000 mov eax,2
- 004108E9 B9 01000000 mov ecx,1
- 004108EE 8985 30FFFFFF mov dword ptr ss:[ebp-D0],eax
- 004108F4 8985 10FFFFFF mov dword ptr ss:[ebp-F0],eax
- 004108FA 8B45 10 mov eax,dword ptr ss:[ebp+10]
- 004108FD 83C4 10 add esp,10
- 00410900 898D 38FFFFFF mov dword ptr ss:[ebp-C8],ecx
- 00410906 898D 18FFFFFF mov dword ptr ss:[ebp-E8],ecx
- 0041090C 8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-D0]
- 00410912 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
- 00410918 8D55 BC lea edx,dword ptr ss:[ebp-44]
- 0041091B 51 push ecx
- 0041091C 8D45 DC lea eax,dword ptr ss:[ebp-24]
- 0041091F 52 push edx
- 00410920 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
- 00410926 50 push eax
- 00410927 51 push ecx
- 00410928 C785 00FFFFFF 0>mov dword ptr ss:[ebp-100],4008
- 00410932 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; length of string 2 (0x1E) minus the loop counter
- 00410938 50 push eax
- 00410939 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
- 0041093F 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
- 00410945 52 push edx
- 00410946 50 push eax
- 00410947 FFD6 call esi ; plus 1: the index walks string 2 from its last character backwards
- 00410949 50 push eax
- 0041094A FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 00410950 8D8D 00FFFFFF lea ecx,dword ptr ss:[ebp-100]
- 00410956 50 push eax
- 00410957 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0]
- 0041095D 51 push ecx
- 0041095E 52 push edx
- 0041095F FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; string 2 "999999999999999999999999999999":
- 00410965 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-E0] ; take one character, starting from the last position and moving left
- 0041096B 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
- 00410971 50 push eax
- 00410972 51 push ecx
- 00410973 FF15 4C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
- 00410979 50 push eax
- 0041097A FF15 EC114000 call dword ptr ds:[<&MSVBVM60.rtcR8ValFromBstr>] ; Val() of the character as a double, "9" -> 9.0
- 00410980 DD9D E8FEFFFF fstp qword ptr ss:[ebp-118] ; st=9.0000000000000000000
- 00410986 8D95 E0FEFFFF lea edx,dword ptr ss:[ebp-120]
- 0041098C 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
- 00410992 C785 E0FEFFFF 0>mov dword ptr ss:[ebp-120],5
- 0041099C FFD3 call ebx
- 0041099E 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
- 004109A4 FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 004109AA 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0]
- 004109B0 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
- 004109B6 52 push edx
- 004109B7 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
- 004109BD 50 push eax
- 004109BE 51 push ecx
- 004109BF 6A 03 push 3
- 004109C1 FFD7 call edi
- 004109C3 83C4 10 add esp,10
- 004109C6 8D55 88 lea edx,dword ptr ss:[ebp-78]
- 004109C9 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
- 004109CF 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
- 004109D5 52 push edx
- 004109D6 50 push eax
- 004109D7 51 push ecx
- 004109D8 FFD6 call esi ; MSVBVM60.__vbaVarAdd, add the two digits
- 004109DA 50 push eax ; 9.0+6.0=15.0
- 004109DB 8D55 98 lea edx,dword ptr ss:[ebp-68]
- 004109DE 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
- 004109E4 52 push edx
- 004109E5 50 push eax
- 004109E6 FFD6 call esi ; __vbaVarAdd, add the carry (1 if the previous round's sum exceeded 9)
- 004109E8 50 push eax
- 004109E9 FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
- 004109EF 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
- 004109F5 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
- 004109FB 51 push ecx
- 004109FC 52 push edx
- 004109FD 6A 02 push 2
- 004109FF 8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax
- 00410A05 FFD7 call edi
- 00410A07 8B85 64FFFFFF mov eax,dword ptr ss:[ebp-9C]
- 00410A0D 83C4 0C add esp,0C
- 00410A10 66:3D 0900 cmp ax,9 ; compare the sum with 9, AX=0xF (15)
- 00410A14 7E 1C jle short CrackMe0.00410A32 ; jump if <= 9
- 00410A16 66:2D 0A00 sub ax,0A ; otherwise AX=AX-0xA=5
- 00410A1A C785 18FFFFFF 0>mov dword ptr ss:[ebp-E8],1 ; store carry 1 at ss:[ebp-E8]; it is added in the next round
- 00410A24 0F80 86020000 jo CrackMe0.00410CB0
- 00410A2A 8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax ; save AX
- 00410A30 EB 0A jmp short CrackMe0.00410A3C
- 00410A32 C785 18FFFFFF 0>mov dword ptr ss:[ebp-E8],0
- 00410A3C 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
- 00410A42 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
- 00410A45 C785 10FFFFFF 0>mov dword ptr ss:[ebp-F0],2
- 00410A4F FFD3 call ebx
- 00410A51 8D8D 10FFFFFF lea ecx,dword ptr ss:[ebp-F0]
- 00410A57 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
- 00410A5D 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C]
- 00410A63 51 push ecx
- 00410A64 52 push edx
- 00410A65 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
- 00410A6B C785 10FFFFFF 0>mov dword ptr ss:[ebp-F0],4002
- 00410A75 FF15 A8114000 call dword ptr ds:[<&MSVBVM60.rtcVarStrFromVar>] ; convert the resulting digit to a string, 5 -> "5"
- 00410A7B 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
- 00410A81 6A 01 push 1
- 00410A83 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
- 00410A89 50 push eax
- 00410A8A 51 push ecx
- 00410A8B FF15 C8114000 call dword ptr ds:[<&MSVBVM60.rtcRightCharVar>] ; Right("5", 1) = "5"
- 00410A91 8B55 A8 mov edx,dword ptr ss:[ebp-58]
- 00410A94 8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
- 00410A9A 8995 08FFFFFF mov dword ptr ss:[ebp-F8],edx
- 00410AA0 8D8D 00FFFFFF lea ecx,dword ptr ss:[ebp-100]
- 00410AA6 50 push eax
- 00410AA7 8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
- 00410AAD 51 push ecx
- 00410AAE 52 push edx
- 00410AAF C785 00FFFFFF 0>mov dword ptr ss:[ebp-100],8
- 00410AB9 FFD6 call esi ; VarBstrCat, concatenate the digit from this round (the result is built right to left)
- 00410ABB 50 push eax
- 00410ABC FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>]
- 00410AC2 8BD0 mov edx,eax
- 00410AC4 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00410AC7 FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
- 00410ACD 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
- 00410AD3 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
- 00410AD9 50 push eax
- 00410ADA 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
- 00410AE0 51 push ecx
- 00410AE1 52 push edx
- 00410AE2 6A 03 push 3
- 00410AE4 FFD7 call edi
- 00410AE6 83C4 10 add esp,10
- 00410AE9 8D85 C0FEFFFF lea eax,dword ptr ss:[ebp-140]
- 00410AEF 8D8D D0FEFFFF lea ecx,dword ptr ss:[ebp-130]
- 00410AF5 8D55 DC lea edx,dword ptr ss:[ebp-24]
- 00410AF8 50 push eax
- 00410AF9 51 push ecx
- 00410AFA 52 push edx
- 00410AFB FF15 DC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>]
- 00410B01 ^ E9 FDFCFFFF jmp CrackMe0.00410803
- 00410B06 8D45 98 lea eax,dword ptr ss:[ebp-68]
- 00410B09 8D8D 10FFFFFF lea ecx,dword ptr ss:[ebp-F0]
- 00410B0F 50 push eax
- 00410B10 51 push ecx
- 00410B11 C785 18FFFFFF 0>mov dword ptr ss:[ebp-E8],0
- 00410B1B C785 10FFFFFF 0>mov dword ptr ss:[ebp-F0],8002
- 00410B25 FF15 90114000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>]
- 00410B2B 66:85C0 test ax,ax
- 00410B2E 74 7F je short CrackMe0.00410BAF
- 00410B30 8D55 98 lea edx,dword ptr ss:[ebp-68]
- 00410B33 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
- 00410B39 52 push edx
- 00410B3A 50 push eax
- 00410B3B FF15 A8114000 call dword ptr ds:[<&MSVBVM60.rtcVarStrFromVar>]
- 00410B41 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
- 00410B47 6A 01 push 1
- 00410B49 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
- 00410B4F 51 push ecx
- 00410B50 52 push edx
- 00410B51 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.rtcRightCharVar>]
- 00410B57 8B45 A8 mov eax,dword ptr ss:[ebp-58] ; gives the string "685649705149705666666666666665"
- 00410B5A 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
- 00410B60 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
- 00410B66 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
- 00410B6C 51 push ecx
- 00410B6D 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
- 00410B73 52 push edx
- 00410B74 50 push eax
- 00410B75 C785 10FFFFFF 0>mov dword ptr ss:[ebp-F0],8
- 00410B7F FFD6 call esi ; VarBstrCat: the last round's sum exceeded 9,
- ; so a leading "1" is prepended to the string,
- 00410B81 50 push eax ; giving "1685649705149705666666666666665"
- 00410B82 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>]
- 4. Trace out the algorithm. Load in OD, F9 to run the program, enter the registration info, then set a breakpoint in the command bar: bp rtcMidCharBstr, Enter, click the Check button, and it breaks:
- 660E64A6 MS> 55 push ebp ; breaks here
- 660E64A7 8BEC mov ebp,esp
- 660E64A9 83EC 10 sub esp,10
- 660E64AC 8B45 10 mov eax,dword ptr ss:[ebp+10]
- In the command bar type bc rtcMidCharBstr, Enter, to clear the breakpoint; Alt+F9 to return, arriving at:
- 0040F72C FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; MSVBVM60.rtcMidCharVar
- 0040F732 8D5E 34 lea ebx,dword ptr ds:[esi+34] ; returns here
- 0040F735 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 0040F738 8BCB mov ecx,ebx
- 0040F73A FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- Scroll up to 0040F650 and set a breakpoint there with F2; Ctrl+F2 to reload the program, enter the registration info, click the Check button, and it breaks at once:
- 0040F650 55 push ebp ; breakpoint here
- 0040F651 8BEC mov ebp,esp
- .......................................................
- part of the code omitted
- .......................................................
- 0040F706 8945 D0 mov dword ptr ss:[ebp-30],eax ; Hard Code "1685649705149705666666666666665337
- 0040F709 8D45 B8 lea eax,dword ptr ss:[ebp-48] ; 1299410299411333333333333330"
- 0040F70C 50 push eax
- 0040F70D 6A 05 push 5 ; constant 5
- 0040F70F 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 0040F712 51 push ecx
- 0040F713 52 push edx
- 0040F714 C745 C0 1E00000>mov dword ptr ss:[ebp-40],1E ; constant 0x1E (30)
- 0040F71B C745 B8 0200000>mov dword ptr ss:[ebp-48],2
- 0040F722 895D E0 mov dword ptr ss:[ebp-20],ebx
- 0040F725 C745 C8 0800000>mov dword ptr ss:[ebp-38],8
- 0040F72C FF15 AC104000 call dword ptr ds:[<&MSVBVM60.rtcMidCharVar>] ; Mid(hard, 5, 0x1E): 30 characters starting at position 5
- 0040F732 8D5E 34 lea ebx,dword ptr ds:[esi+34] ; gives the string "649705149705666666666666665337"
- 0040F735 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 0040F738 8BCB mov ecx,ebx
- 0040F73A FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 0040F740 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 0040F743 FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
- 0040F749 8D45 A8 lea eax,dword ptr ss:[ebp-58]
- 0040F74C 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
- 0040F74F 50 push eax
- 0040F750 8D55 C8 lea edx,dword ptr ss:[ebp-38]
- 0040F753 51 push ecx
- 0040F754 52 push edx
- 0040F755 6A 03 push 3
- 0040F757 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 0040F75D 8B06 mov eax,dword ptr ds:[esi]
- 0040F75F 83C4 10 add esp,10
- 0040F762 56 push esi
- 0040F763 FF90 00030000 call dword ptr ds:[eax+300]
- 0040F769 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 0040F76C 50 push eax
- 0040F76D 51 push ecx
- 0040F76E FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
- 0040F774 8BF8 mov edi,eax
- 0040F776 8D45 E0 lea eax,dword ptr ss:[ebp-20]
- 0040F779 50 push eax
- 0040F77A 57 push edi
- 0040F77B 8B17 mov edx,dword ptr ds:[edi]
- 0040F77D FF92 A0000000 call dword ptr ds:[edx+A0]
- 0040F783 85C0 test eax,eax
- 0040F785 DBE2 fclex
- 0040F787 7D 12 jge short CrackMe0.0040F79B
- 0040F789 68 A0000000 push 0A0
- 0040F78E 68 743E4000 push CrackMe0.00403E74
- 0040F793 57 push edi
- 0040F794 50 push eax
- 0040F795 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
- 0040F79B 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; Hard Code "1685649705149705666666666666665337
- 0040F79E 8D4D C8 lea ecx,dword ptr ss:[ebp-38] ; 1299410299411333333333333330"
- 0040F7A1 6A 1E push 1E ; constant 0x1E (30)
- 0040F7A3 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 0040F7A6 51 push ecx
- 0040F7A7 52 push edx
- 0040F7A8 C745 E0 0000000>mov dword ptr ss:[ebp-20],0
- 0040F7AF 8945 D0 mov dword ptr ss:[ebp-30],eax
- 0040F7B2 C745 C8 0800000>mov dword ptr ss:[ebp-38],8
- 0040F7B9 FF15 C8114000 call dword ptr ds:[<&MSVBVM60.rtcRightCharVar>>; Right(hard, 30): the rightmost 30 characters
- 0040F7BF 8D7E 44 lea edi,dword ptr ds:[esi+44] ; gives the string "371299410299411333333333333330"
- 0040F7C2 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 0040F7C5 8BCF mov ecx,edi
- 0040F7C7 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 0040F7CD 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 0040F7D0 FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
- 0040F7D6 8D45 B8 lea eax,dword ptr ss:[ebp-48]
- 0040F7D9 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 0040F7DC 50 push eax
- 0040F7DD 51 push ecx
- 0040F7DE 6A 02 push 2
- 0040F7E0 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>;
- 0040F7E6 83C4 0C add esp,0C
- 0040F7E9 57 push edi
- 0040F7EA FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
- 0040F7F0 8B3D C4114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
- 0040F7F6 8BD0 mov edx,eax
- 0040F7F8 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 0040F7FB FFD7 call edi
- 0040F7FD 53 push ebx
- 0040F7FE FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
- 0040F804 8BD0 mov edx,eax
- 0040F806 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 0040F809 FFD7 call edi
- 0040F80B 8B16 mov edx,dword ptr ds:[esi]
- 0040F80D 8D45 C8 lea eax,dword ptr ss:[ebp-38]
- 0040F810 50 push eax
- 0040F811 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 0040F814 8D45 E0 lea eax,dword ptr ss:[ebp-20]
- 0040F817 51 push ecx
- 0040F818 50 push eax
- 0040F819 56 push esi
- 0040F81A FF92 00070000 call dword ptr ds:[edx+700] ; same key CALL, now adding the two strings above
- 0040F820 85C0 test eax,eax ; gives "1021004560005077999999999998667" (the intermediate sum; "1792" is added below)
- 0040F822 7D 12 jge short CrackMe0.0040F836
- 0040F824 68 00070000 push 700
- 0040F829 68 C43B4000 push CrackMe0.00403BC4
- 0040F82E 56 push esi
- 0040F82F 50 push eax
- 0040F830 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
- 0040F836 8D5E 54 lea ebx,dword ptr ds:[esi+54]
- 0040F839 8D55 C8 lea edx,dword ptr ss:[ebp-38]
- 0040F83C 8BCB mov ecx,ebx
- 0040F83E FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
- 0040F844 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 0040F847 8D55 E0 lea edx,dword ptr ss:[ebp-20]
- 0040F84A 51 push ecx
- 0040F84B 52 push edx
- 0040F84C 6A 02 push 2
- 0040F84E FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>;
- 0040F854 83C4 0C add esp,0C
- 0040F857 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 0040F85A FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
- 0040F860 66:8B86 8200000>mov ax,word ptr ds:[esi+82] ; ax=0x300 (768), ds:[esi+80]=0x400 (1024)
- 0040F867 66:0386 8000000>add ax,word ptr ds:[esi+80] ; ax=ax+ds:[esi+80]=0x300+0x400=0x700
- 0040F86E 0F80 42040000 jo CrackMe0.0040FCB6
- 0040F874 50 push eax ; eax=0x700 (1792)
- 0040F875 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; integer to string, 1792 -> "1792"
- 0040F87B 8BD0 mov edx,eax
- 0040F87D 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 0040F880 FFD7 call edi
- 0040F882 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
- 0040F885 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 0040F888 FF15 74114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]
- 0040F88E 53 push ebx
- 0040F88F FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCo>
- 0040F895 8BD0 mov edx,eax
- 0040F897 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 0040F89A FFD7 call edi
- 0040F89C 8B0E mov ecx,dword ptr ds:[esi]
- 0040F89E 8D55 C8 lea edx,dword ptr ss:[ebp-38]
- 0040F8A1 52 push edx
- 0040F8A2 8D45 DC lea eax,dword ptr ss:[ebp-24]
- 0040F8A5 8D55 E0 lea edx,dword ptr ss:[ebp-20]
- 0040F8A8 50 push eax
- 0040F8A9 52 push edx
- 0040F8AA 56 push esi
- 0040F8AB FF91 00070000 call dword ptr ds:[ecx+700] ; same key CALL, adding "1792" to the sum above
- 0040F8B1 85C0 test eax,eax ; gives the string "1021004560005078000000000000459"
- 0040F8B3 7D 12 jge short CrackMe0.0040F8C7
- 0040F8B5 68 00070000 push 700
- 0040F8BA 68 C43B4000 push CrackMe0.00403BC4
- 0040F8BF 56 push esi
- 0040F8C0 50 push eax
- 0040F8C1 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
- 0040F8C7 8D45 C8 lea eax,dword ptr ss:[ebp-38]
- 0040F8CA 50 push eax
- 0040F8CB FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
- 0040F8D1 8BD0 mov edx,eax ; true serial "1021004560005078000000000000459"
- 0040F8D3 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 0040F8D6 FFD7 call edi
- 0040F8D8 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 0040F8DB 8D55 E0 lea edx,dword ptr ss:[ebp-20]
- 0040F8DE 51 push ecx
- 0040F8DF 52 push edx
- 0040F8E0 6A 02 push 2
- 0040F8E2 FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
- 0040F8E8 83C4 0C add esp,0C
- 0040F8EB 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 0040F8EE FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
- 0040F8F4 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
- 0040F8F7 50 push eax
- 0040F8F8 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; length of the true serial, EAX=0x1F (31)
- 0040F8FE 8BC8 mov ecx,eax
- 0040F900 FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
- 0040F906 8B1D 90114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>
- 0040F90C 66:8946 68 mov word ptr ds:[esi+68],ax
- 0040F910 B8 01000000 mov eax,1
- 0040F915 66:3946 68 cmp word ptr ds:[esi+68],ax
- 0040F919 0F8C 10010000 jl CrackMe0.0040FA2F
- 0040F91F 8B0E mov ecx,dword ptr ds:[esi]
- 0040F921 56 push esi
- 0040F922 FF91 04030000 call dword ptr ds:[ecx+304]
- 0040F928 8D55 D8 lea edx,dword ptr ss:[ebp-28]
- 0040F92B 50 push eax
- 0040F92C 52 push edx
- 0040F92D FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
- 0040F933 8BF8 mov edi,eax
- 0040F935 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 0040F938 51 push ecx
- 0040F939 57 push edi
- 0040F93A 8B07 mov eax,dword ptr ds:[edi]
- 0040F93C FF90 A0000000 call dword ptr ds:[eax+A0]
- 0040F942 85C0 test eax,eax
- 0040F944 DBE2 fclex
- 0040F946 7D 12 jge short CrackMe0.0040F95A
- 0040F948 68 A0000000 push 0A0
- 0040F94D 68 743E4000 push CrackMe0.00403E74
- 0040F952 57 push edi
- 0040F953 50 push eax
- 0040F954 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
- 0040F95A 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; entered serial "9876543210"
- 0040F95D 8B3D AC104000 mov edi,dword ptr ds:[<&MSVBVM60.rtcMidCharVar>
- 0040F963 8945 D0 mov dword ptr ss:[ebp-30],eax
- 0040F966 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 0040F969 0FBF46 68 movsx eax,word ptr ds:[esi+68]
- 0040F96D 52 push edx
- 0040F96E 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 0040F971 50 push eax
- 0040F972 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 0040F975 51 push ecx
- 0040F976 52 push edx
- 0040F977 C745 C0 0100000>mov dword ptr ss:[ebp-40],1
- 0040F97E C745 B8 0200000>mov dword ptr ss:[ebp-48],2
- 0040F985 C745 E0 0000000>mov dword ptr ss:[ebp-20],0
- 0040F98C C745 C8 0800000>mov dword ptr ss:[ebp-38],8
- 0040F993 FFD7 call edi ; rtcMidCharVar, loop taking each character of the entered serial
- 0040F995 0FBF56 68 movsx edx,word ptr ds:[esi+68]
- 0040F999 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
- 0040F99C 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
- 0040F99F 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
- 0040F9A5 51 push ecx
- 0040F9A6 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
- 0040F9AC 52 push edx
- 0040F9AD 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
- 0040F9B0 50 push eax
- 0040F9B1 51 push ecx
- 0040F9B2 C745 A0 0100000>mov dword ptr ss:[ebp-60],1
- 0040F9B9 C745 98 0200000>mov dword ptr ss:[ebp-68],2
- 0040F9C0 C785 58FFFFFF 0>mov dword ptr ss:[ebp-A8],4008
- 0040F9CA FFD7 call edi ; rtcMidCharVar, takes one character of the true serial per iteration
- 0040F9CC 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 0040F9CF 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 0040F9D2 52 push edx
- 0040F9D3 50 push eax
- 0040F9D4 FFD3 call ebx ; __vbaVarTstNe, compares the true and entered serials character by character
- 0040F9D6 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 0040F9D9 8BF8 mov edi,eax
- 0040F9DB FF15 E8114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
- 0040F9E1 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
- 0040F9E4 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 0040F9E7 51 push ecx
- 0040F9E8 8D45 98 lea eax,dword ptr ss:[ebp-68]
- 0040F9EB 52 push edx
- 0040F9EC 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
- 0040F9EF 50 push eax
- 0040F9F0 8D55 C8 lea edx,dword ptr ss:[ebp-38]
- 0040F9F3 51 push ecx
- 0040F9F4 52 push edx
- 0040F9F5 6A 05 push 5
- 0040F9F7 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 0040F9FD 83C4 18 add esp,18
- 0040FA00 66:85FF test di,di
- 0040FA03 75 11 jnz short CrackMe0.0040FA16
- 0040FA05 66:8B45 E8 mov ax,word ptr ss:[ebp-18]
- 0040FA09 66:05 0100 add ax,1
- 0040FA0D 0F80 A3020000 jo CrackMe0.0040FCB6
- 0040FA13 8945 E8 mov dword ptr ss:[ebp-18],eax
- 0040FA16 66:8B4E 68 mov cx,word ptr ds:[esi+68]
- 0040FA1A 83C8 FF or eax,FFFFFFFF
- 0040FA1D 66:03C8 add cx,ax
- 0040FA20 0F80 90020000 jo CrackMe0.0040FCB6
- 0040FA26 66:894E 68 mov word ptr ds:[esi+68],cx
- 0040FA2A ^ E9 E1FEFFFF jmp CrackMe0.0040F910
- 0040FA2F 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
- 0040FA32 52 push edx
- 0040FA33 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]
- 0040FA39 8BC8 mov ecx,eax
- 0040FA3B FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
- 0040FA41 8B4D E8 mov ecx,dword ptr ss:[ebp-18]
- 0040FA44 66:3BC8 cmp cx,ax
- 0040FA47 0F85 21010000 jnz CrackMe0.0040FB6E ; patch point 1, NOP it out
- 0040FA4D 8B06 mov eax,dword ptr ds:[esi]
- 0040FA4F 56 push esi
- 0040FA50 FF90 08030000 call dword ptr ds:[eax+308]
- 0040FA56 8B1D 8C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
- 0040FA5C 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 0040FA5F 50 push eax
- 0040FA60 51 push ecx
- 0040FA61 FFD3 call ebx
- 0040FA63 8BF8 mov edi,eax
- 0040FA65 68 883E4000 push CrackMe0.00403E88 ; UNICODE "^OK^"
- 0040FA6A 57 push edi
- 0040FA6B 8B17 mov edx,dword ptr ds:[edi]
- 0040FA6D FF52 54 call dword ptr ds:[edx+54]
- 0040FA70 85C0 test eax,eax
- 0040FA72 DBE2 fclex
- 0040FA74 7D 0F jge short CrackMe0.0040FA85
- .......................................................
- 省略部分代码
- .......................................................
- 0040FB99 A1 38E04100 mov eax,dword ptr ds:[41E038]
- 0040FB9E 85C0 test eax,eax
- 0040FBA0 75 10 jnz short CrackMe0.0040FBB2 ; patch point 2, NOP it out
- 5. The screen-resolution question. Find where the values at ds:[esi+82] and ds:[esi+80], read by the mov ax,word ptr ds:[esi+82] at 0040F860, come from.
- Since ds:[esi+82]=0015C06A, press Ctrl+F2 to reload the program and F9 to run,
- type D 0015C06A in the command bar, then set a memory-write breakpoint at 0015C06A; switch to the program window and it breaks:
- 00410EEB 66:8982 8200000>mov word ptr ds:[edx+82],ax ; breaks here
- 00410EF2 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
- 00410EF5 50 push eax
- 00410EF6 51 push ecx
- Scroll up to 00410CC0, set a breakpoint there with F2, press Ctrl+F2 to reload the program and F9 to run; it breaks:
- 00410CC0 55 push ebp
- 00410CC1 8BEC mov ebp,esp
- .......................................................
- 省略部分代码
- .......................................................
- 00410D93 8B35 08E54100 mov esi,dword ptr ds:[41E508]
- 00410D99 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
- 00410D9C 50 push eax
- 00410D9D 56 push esi
- 00410D9E 8B16 mov edx,dword ptr ds:[esi]
- 00410DA0 FF52 18 call dword ptr ds:[edx+18] ; key CALL-1, F7 to step into
- 00410DA3 3BC3 cmp eax,ebx
- 00410DA5 DBE2 fclex
- 00410DA7 7D 0B jge short CrackMe0.00410DB4
- 00410DA9 6A 18 push 18
- 00410DAB 68 50404000 push CrackMe0.00404050
- 00410DB0 56 push esi
- 00410DB1 50 push eax
- 00410DB2 FFD7 call edi
- 00410DB4 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
- 00410DB7 8D55 DC lea edx,dword ptr ss:[ebp-24]
- 00410DBA 52 push edx
- 00410DBB 50 push eax
- 00410DBC 8B08 mov ecx,dword ptr ds:[eax]
- 00410DBE 8BF0 mov esi,eax
- 00410DC0 FF91 80000000 call dword ptr ds:[ecx+80]
- 00410DC6 3BC3 cmp eax,ebx
- 00410DC8 DBE2 fclex
- 00410DCA 7D 0E jge short CrackMe0.00410DDA
- 00410DCC 68 80000000 push 80
- 00410DD1 68 70404000 push CrackMe0.00404070
- 00410DD6 56 push esi
- 00410DD7 50 push eax
- 00410DD8 FFD7 call edi
- 00410DDA D945 DC fld dword ptr ss:[ebp-24] ; load a float, ss:[0012F918]=15.00000
- 00410DDD 8B1D B4114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFpI4>]
- 00410DE3 FFD3 call ebx ; 15.00000 converted to the long integer 0xF
- 00410DE5 D945 E0 fld dword ptr ss:[ebp-20] ; load a float, ss:[0012F91C]=15360.00
- 00410DE8 8BF0 mov esi,eax ; ESI=EAX=0xF
- 00410DEA FFD3 call ebx ; 15360.00 converted to the long integer 0x3C00, EAX=0x3C00
- 00410DEC 99 cdq
- 00410DED F7FE idiv esi ; EAX/ESI, quotient in EAX, remainder in EDX
- 00410DEF 8BC8 mov ecx,eax ; EAX=0x400; VB's default unit is the twip, converted here to pixels
- 00410DF1 FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
- 00410DF7 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
- 00410DFA 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
- 00410DFD 52 push edx
- 00410DFE 66:8981 8000000>mov word ptr ds:[ecx+80],ax ; AX=0x400 stored at ds:[ecx+80]
- 00410E05 8D45 E8 lea eax,dword ptr ss:[ebp-18]
- 00410E08 50 push eax
- .......................................................
- 省略部分代码
- .......................................................
- 00410EC0 68 88000000 push 88
- 00410EC5 68 70404000 push CrackMe0.00404070
- 00410ECA 56 push esi
- 00410ECB 50 push eax
- 00410ECC FFD7 call edi
- 00410ECE D945 DC fld dword ptr ss:[ebp-24] ; load a float, ss:[0012F918]=15.00000
- 00410ED1 FFD3 call ebx ; 15.00000 converted to the long integer 0xF
- 00410ED3 D945 E0 fld dword ptr ss:[ebp-20] ; load a float, ss:[0012F91C]=11520.00
- 00410ED6 8BF0 mov esi,eax
- 00410ED8 FFD3 call ebx ; 11520.00 converted to the long integer 0x2D00, EAX=0x2D00
- 00410EDA 99 cdq
- 00410EDB F7FE idiv esi ; EAX/ESI, quotient in EAX, remainder in EDX
- 00410EDD 8BC8 mov ecx,eax ; ECX=EAX=0x300
- 00410EDF FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
- 00410EE5 8B55 08 mov edx,dword ptr ss:[ebp+8]
- 00410EE8 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
- 00410EEB 66:8982 8200000>mov word ptr ds:[edx+82],ax ; AX=0x300 stored at ds:[edx+82]
- 00410EF2 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
- 00410EF5 50 push eax
- 00410EF6 51 push ecx
- Step into key CALL-1 at 00410DA0 and arrive at:
- 660C8643 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
- 660C8647 E8 D4FEFFFF call MSVBVM60.660C8520 ; key CALL-2, F7 to step into
- 660C864C 8B4C24 08 mov ecx,dword ptr ss:[esp+8]
- 660C8650 50 push eax
- 660C8651 8901 mov dword ptr ds:[ecx],eax
- 660C8653 8B08 mov ecx,dword ptr ds:[eax]
- Step into key CALL-2 at 660C8647 and arrive at:
- 660C8520 55 push ebp
- 660C8521 8BEC mov ebp,esp
- 660C8523 51 push ecx
- 660C8524 8379 40 00 cmp dword ptr ds:[ecx+40],0
- 660C8528 56 push esi
- 660C8529 8D71 40 lea esi,dword ptr ds:[ecx+40]
- 660C852C 75 2F jnz short MSVBVM60.660C855D
- 660C852E 6A 01 push 1
- 660C8530 6A FF push -1
- 660C8532 6A 02 push 2
- 660C8534 8D45 FE lea eax,dword ptr ss:[ebp-2]
- 660C8537 6A 00 push 0
- 660C8539 50 push eax
- 660C853A 68 201B0166 push MSVBVM60.66011B20 ; ASCII "Screen", the screen resolution
- 660C853F 8065 FF 00 and byte ptr ss:[ebp-1],0
- 660C8543 FF71 0C push dword ptr ds:[ecx+C]
- 660C8546 C645 FE 0E mov byte ptr ss:[ebp-2],0E
- 660C854A 56 push esi
- 660C854B FF71 34 push dword ptr ds:[ecx+34]
- 660C854E E8 0C1FF9FF call MSVBVM60.6605A45F
- 660C8553 85C0 test eax,eax
- 660C8555 74 06 je short MSVBVM60.660C855D
- 660C8557 50 push eax
- 660C8558 E8 4198F8FF call MSVBVM60.66051D9E
- 660C855D 8B06 mov eax,dword ptr ds:[esi]
- 660C855F 5E pop esi
- 660C8560 C9 leave
- 660C8561 C3 retn
- -----------------------------------------------------------------------------------------------
- 【Summary】
- 1. Take the volume serial number of the system drive and remove the "-" in the middle; the result is string st1.
- 2. Loop over each character of st1, taking the decimal form of its ASCII value, and concatenate them into a new string st2.
- 3. Append the digit 6 to st2 until it is 0x1E (30) digits long, giving string st3.
- 4. A built-in string of 0x1E (30) nines, "99999…", is string st4.
- 5. Add the numeric values of st3 and st4; the result is string st5, the first half of the Hard Code.
- 6. Multiply the numeric value of st5 by 2; the result is string st6, the second half of the Hard Code.
- 7. Starting at the 5th digit of the Hard Code, take 0x1E (30) digits; this is string st7.
- 8. Take the rightmost 0x1E (30) digits of the Hard Code; this is string st8.
- 9. Add the numeric values of st7 and st8, then add the two screen-resolution values (in pixels); the result is the serial.
- A working key pair:
- Hard Code:16856497051497056666666666666653371299410299411333333333333330
- Serial:1021004560005078000000000000459
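To check the nine steps above against the key pair just listed, here is an added Python re-implementation (example code, not the post's own keygen): it builds the Hard Code from a volume serial, converts the Screen twip values seen in the listing to pixels, computes the Serial, and models the character-by-character check the CrackMe performs. The volume serial "D81F-31F8" and the twip values 15360, 11520 and 15 are the ones recorded in the write-up; Python's integers replace the digit-by-digit string addition of the VB source.

```python
# Added example (not the post's own keygen): Python re-implementation of the
# nine-step algorithm the write-up recovers. Python integers do the big-number
# addition that the VB source performs digit by digit.
# Constructed inputs, taken from the write-up: volume serial "D81F-31F8" and
# the Screen values seen in the listing (15360 and 11520 twips, 15 twips per
# pixel, i.e. 1024x768).


def hard_code_from_volume_serial(vol_serial):
    """Steps 1-6: the Hard Code the CrackMe displays."""
    st1 = vol_serial.replace("-", "")            # step 1: "D81F-31F8" -> "D81F31F8"
    st2 = "".join(str(ord(c)) for c in st1)      # step 2: decimal ASCII code of each char
    st3 = st2.ljust(30, "6")                     # step 3: pad with '6' to 30 digits
    st4 = "9" * 30                               # step 4: thirty nines
    st5 = str(int(st3) + int(st4))               # step 5: first half of the Hard Code
    st6 = str(int(st5) * 2)                      # step 6: second half of the Hard Code
    return st5 + st6


def twips_to_pixels(twips, twips_per_pixel):
    """Screen.Width \\ Screen.TwipsPerPixelX: the __vbaFpI4 / idiv pair in the listing."""
    return int(twips) // int(twips_per_pixel)


def serial_from_hard_code(hard_code, width_px, height_px):
    """Steps 7-9: the value the Serial box must contain."""
    st7 = hard_code[4:34]                        # Mid(HardCode, 5, 30)
    st8 = hard_code[-30:]                        # Right(HardCode, 30)
    return str(int(st7) + int(st8) + width_px + height_px)


def keygen(vol_serial, width_twips, height_twips, tpp_x=15, tpp_y=15):
    """Whole pipeline for one machine: returns (Hard Code, Serial)."""
    hc = hard_code_from_volume_serial(vol_serial)
    width_px = twips_to_pixels(width_twips, tpp_x)
    height_px = twips_to_pixels(height_twips, tpp_y)
    return hc, serial_from_hard_code(hc, width_px, height_px)


def check(hard_code, entered, width_px, height_px):
    """Model of the Check button as the listing reads: the loop walks the
    entered string, compares Mid(entered, i, 1) with Mid(true, i, 1) through
    __vbaVarTstNe and counts matches; afterwards the count must equal
    Len(true) (the jnz at 0040FA47). Mid() past the end of the true serial
    returns "", which never matches."""
    true_serial = serial_from_hard_code(hard_code, width_px, height_px)
    matches = 0
    for i in range(len(entered)):
        true_char = true_serial[i] if i < len(true_serial) else ""
        if entered[i] == true_char:
            matches += 1
    return matches == len(true_serial)


if __name__ == "__main__":
    hc, serial = keygen("D81F-31F8", 15360, 11520)
    print("Hard Code:", hc)
    print("Serial:   ", serial)
    print("check():  ", check(hc, serial, 1024, 768))
```

Running the block prints the pair for the write-up's machine. One property of the check worth noticing: because the loop only counts matching positions and then compares that count with the length of the expected serial, characters appended after a correct serial do not cause a rejection in this model; check() reproduces that behaviour rather than hiding it.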
- Patch the following locations:
- 0040FA47 jnz CrackMe0.0040FB6E ; jnz====>NOP
- 0040FBA0 jnz short CrackMe0.0040FBB2 ; jnz====>NOP
- In-memory keygen settings:
- Break address: 0040F8D3
- Break count: 1
- First byte: 8D
- Instruction length: 3
- Memory mode ---> register: EDX, and tick "wide string"
- 【VB keygen source】
- Private Sub Generate_Click()
- Dim HardCode As String
- Dim Serial As String
- Dim str1 As String
- Dim str2 As String
- Dim str3 As String
- Dim str4 As String
- Dim i As Integer
- Dim length As Integer
- Dim Number As Integer
- Dim Number1 As Integer
- Dim Number2 As Integer
- Dim Number3 As Integer ' carry between digits
- Dim ResWidth As Integer
- Dim ResHeight As Integer
- Dim ResPixel As Integer
- HardCode = Text1.Text
- Number3 = 0
- str1 = Mid(HardCode, 5, 30) ' st7: 30 digits starting at the 5th
- str2 = Right(HardCode, 30) ' st8: rightmost 30 digits
- ' add st7 and st8 digit by digit, right to left, carrying as needed
- For i = 1 To 30
- Number1 = Mid(str1, 30 - i + 1, 1)
- Number2 = Mid(str2, 30 - i + 1, 1)
- Number = Number1 + Number2 + Number3
-
- If (Number > 9) Then
- Number = Number - 10
- Number3 = 1
- Else
- Number3 = 0
- End If
-
- str3 = Number & str3
- Next i
- If (Number3 = 1) Then str3 = Number3 & str3 ' final carry becomes a leading digit
- Number3 = 0
- length = Len(str3)
- ResWidth = Screen.Width \ Screen.TwipsPerPixelX ' twips -> pixels
- ResHeight = Screen.Height \ Screen.TwipsPerPixelY
- ResPixel = ResWidth + ResHeight
- str4 = ResPixel
- ' left-pad with zeros so str4 is as long as str3
- For i = 1 To length - Len(str4)
- str4 = "0" & str4
- Next i
- ' add str3 and the padded resolution sum digit by digit, carrying as needed
- For i = 1 To length
- Number1 = Mid(str3, length - i + 1, 1)
- Number2 = Mid(str4, length - i + 1, 1)
- Number = Number1 + Number2 + Number3
-
- If (Number > 9) Then
- Number = Number - 10
- Number3 = 1
- Else
- Number3 = 0
- End If
-
- Serial = Number & Serial
- Next i
- If (Number3 = 1) Then Serial = Number3 & Serial ' final carry becomes a leading digit
- Text2.Text = Serial
- End Sub
- -----------------------------------------------------------------------------------------------
- 【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by hrbx on 2006-3-29 04:22 ]