elance's crackme.NO2 算法分析

冷血书生 · 发表于 2006-7-22 16:27:28

【破解日期】 2006年7月22日
【破解作者】冷血书生
【作者邮箱】 [email protected]
【作者主页】 http://bbs.126sohu.com
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 elance's crackme.NO2
【下载地址】本地下载
【软件大小】 24K
【加壳方式】无
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------------------------
【破解内容】

搜索找到"http://bbs.crsky.com",来到下面:
00403404 68 B4204000 push crackme_.004020B4 ; UNICODE "http://bbs.crsky.com" ///找到这里
00403409 52 push edx
0040340A FFD6 call esi
0040340C 50 push eax
0040340D 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00403410 68 A4204000 push crackme_.004020A4 ; UNICODE "open"
00403415 50 push eax
00403416 FFD6 call esi
00403418 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0040341B 50 push eax
0040341C 51 push ecx
0040341D E8 12EDFFFF call crackme_.00402134 ;此CALL就是调用,NOP掉就不会在关闭时打开非凡论坛了,呵呵
00403422 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystem>; MSVBVM60.__vbaSetSystemError
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
0040354F C785 10FFFFFF 60>mov dword ptr ss:[ebp-F0],crackme_.00402160 ; UNICODE "This is my second crackme for crack learning,i hope you could enjoy it!" ///搜索找到这里
00403559 C785 08FFFFFF 08>mov dword ptr ss:[ebp-F8],8
00403563 FFD7 call edi
…………中间省略部分………………
0040361E 50 push eax
0040361F FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox ///弹出对话框，NOP掉后就不会出现了，OK
00403625 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
004027D6 C785 90FEFFFF A4>mov dword ptr ss:[ebp-170],crackme_.00401FA4 ; UNICODE "dbfd,ut|$fmhqw" /// 找到这里
004027E0 C785 88FEFFFF 08>mov dword ptr ss:[ebp-178],8
004027EA FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004027F0 0FBFC3 movsx eax,bx
004027F3 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004027F9 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
004027FF 52 push edx
00402800 50 push eax
00402801 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
00402807 50 push eax
00402808 51 push ecx
00402809 FF15 50104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0040280F 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00402815 8D45 9C lea eax,dword ptr ss:[ebp-64]
00402818 52 push edx
00402819 50 push eax
0040281A FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
00402820 50 push eax
00402821 FFD7 call edi
00402823 66:2BC3 sub ax,bx
00402826 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
0040282C 0F80 300B0000 jo crackme_.00403362
00402832 66:05 0500 add ax,5
00402836 0F80 260B0000 jo crackme_.00403362
0040283C 0FBFC8 movsx ecx,ax
0040283F 51 push ecx
00402840 52 push edx
00402841 FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
00402847 0FBFC3 movsx eax,bx
0040284A 48 dec eax
0040284B 83F8 0E cmp eax,0E
0040284E 8985 4CFEFFFF mov dword ptr ss:[ebp-1B4],eax
00402854 72 06 jb short crackme_.0040285C
00402856 FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateB>;MSVBVM60.__vbaGenerateBoundsError
0040285C 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
00402862 50 push eax
00402863 FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove
00402869 8BD0 mov edx,eax
0040286B 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0040286E FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00402874 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00402877 8BD0 mov edx,eax
00402879 8B85 4CFEFFFF mov eax,dword ptr ss:[ebp-1B4]
0040287F 8D0C81 lea ecx,dword ptr ds:[ecx+eax*4]
00402882 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00402888 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0040288B 8D55 9C lea edx,dword ptr ss:[ebp-64]
0040288E 51 push ecx
0040288F 52 push edx
00402890 6A 02 push 2
00402892 FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
00402898 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
0040289E 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
004028A4 50 push eax
004028A5 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004028AB 51 push ecx
004028AC 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
004028B2 52 push edx
004028B3 50 push eax
004028B4 6A 04 push 4
004028B6 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
004028BC B8 01000000 mov eax,1
004028C1 83C4 20 add esp,20
004028C4 66:03C3 add ax,bx
004028C7 0F80 950A0000 jo crackme_.00403362
004028CD 8BD8 mov ebx,eax
004028CF ^ E9 D4FEFFFF jmp crackme_.004027A8
004028D4 8B45 08 mov eax,dword ptr ss:[ebp+8]
004028D7 50 push eax
004028D8 8B08 mov ecx,dword ptr ds:[eax]
004028DA FF91 08030000 call dword ptr ds:[ecx+308]
004028E0 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004028E6 50 push eax
004028E7 52 push edx
004028E8 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004028EE 8BD8 mov ebx,eax
004028F0 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004028F3 51 push ecx
004028F4 53 push ebx
004028F5 8B03 mov eax,dword ptr ds:[ebx]
004028F7 FF90 A0000000 call dword ptr ds:[eax+A0]
004028FD 3BC6 cmp eax,esi
004028FF DBE2 fclex
00402901 7D 12 jge short crackme_.00402915
00402903 68 A0000000 push 0A0
00402908 68 C41F4000 push crackme_.00401FC4
0040290D 53 push ebx
0040290E 50 push eax
0040290F FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
00402915 8B55 9C mov edx,dword ptr ss:[ebp-64]
00402918 52 push edx
00402919 FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0040291F 8BC8 mov ecx,eax
00402921 FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00402927 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
0040292A 8985 F8FDFFFF mov dword ptr ss:[ebp-208],eax
00402930 BB 01000000 mov ebx,1
00402935 FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040293B 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00402941 FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402947 8B45 08 mov eax,dword ptr ss:[ebp+8]
0040294A 66:3B9D F8FDFFFF cmp bx,word ptr ss:[ebp-208]
00402951 50 push eax
00402952 8B08 mov ecx,dword ptr ds:[eax]
00402954 0F8F FD000000 jg crackme_.00402A57
0040295A FF91 08030000 call dword ptr ds:[ecx+308]
00402960 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00402966 50 push eax
00402967 52 push edx
00402968 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
0040296E 8B08 mov ecx,dword ptr ds:[eax]
00402970 8D55 9C lea edx,dword ptr ss:[ebp-64]
00402973 52 push edx
00402974 50 push eax
00402975 8985 4CFEFFFF mov dword ptr ss:[ebp-1B4],eax
0040297B FF91 A0000000 call dword ptr ds:[ecx+A0]
00402981 3BC6 cmp eax,esi
00402983 DBE2 fclex
00402985 7D 18 jge short crackme_.0040299F
00402987 8B8D 4CFEFFFF mov ecx,dword ptr ss:[ebp-1B4]
0040298D 68 A0000000 push 0A0
00402992 68 C41F4000 push crackme_.00401FC4
00402997 51 push ecx
00402998 50 push eax
00402999 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
0040299F 8B45 9C mov eax,dword ptr ss:[ebp-64]
004029A2 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
004029A8 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
004029AE 52 push edx
004029AF 0FBFC3 movsx eax,bx
004029B2 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
004029B8 50 push eax
004029B9 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
004029BF 51 push ecx
004029C0 52 push edx
004029C1 C785 50FFFFFF 01>mov dword ptr ss:[ebp-B0],1
004029CB C785 48FFFFFF 02>mov dword ptr ss:[ebp-B8],2
004029D5 8975 9C mov dword ptr ss:[ebp-64],esi
004029D8 C785 58FFFFFF 08>mov dword ptr ss:[ebp-A8],8
004029E2 FF15 50104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004029E8 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
004029EE 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004029F1 50 push eax
004029F2 51 push ecx
004029F3 FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
004029F9 50 push eax
004029FA FFD7 call edi
004029FC 0FBFD0 movsx edx,ax
004029FF 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00402A02 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00402A05 03D0 add edx,eax ; 用户名累加
00402A07 0F80 55090000 jo crackme_.00403362
00402A0D 8955 C0 mov dword ptr ss:[ebp-40],edx
00402A10 FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402A16 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00402A1C FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402A22 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00402A28 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00402A2E 50 push eax
00402A2F 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00402A35 51 push ecx
00402A36 52 push edx
00402A37 6A 03 push 3
00402A39 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
00402A3F B8 01000000 mov eax,1
00402A44 83C4 10 add esp,10
00402A47 66:03C3 add ax,bx
00402A4A 0F80 12090000 jo crackme_.00403362
00402A50 8BD8 mov ebx,eax
00402A52 ^ E9 F0FEFFFF jmp crackme_.00402947 ;循环计算
00402A57 FF91 04030000 call dword ptr ds:[ecx+304]
00402A5D 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00402A63 50 push eax
00402A64 52 push edx
00402A65 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00402A6B 8BD8 mov ebx,eax
00402A6D 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402A70 51 push ecx
00402A71 53 push ebx
00402A72 8B03 mov eax,dword ptr ds:[ebx]
00402A74 FF90 A0000000 call dword ptr ds:[eax+A0]
00402A7A 3BC6 cmp eax,esi
00402A7C DBE2 fclex
00402A7E 7D 12 jge short crackme_.00402A92
00402A80 68 A0000000 push 0A0
00402A85 68 C41F4000 push crackme_.00401FC4
00402A8A 53 push ebx
00402A8B 50 push eax
00402A8C FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
00402A92 8B55 9C mov edx,dword ptr ss:[ebp-64]
00402A95 52 push edx
00402A96 FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402A9C 8BC8 mov ecx,eax
00402A9E FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00402AA4 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402AA7 8985 F0FDFFFF mov dword ptr ss:[ebp-210],eax
00402AAD BB 01000000 mov ebx,1
00402AB2 FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402AB8 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00402ABE FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402AC4 8B45 08 mov eax,dword ptr ss:[ebp+8]
00402AC7 66:3B9D F0FDFFFF cmp bx,word ptr ss:[ebp-210]
00402ACE 50 push eax
00402ACF 8B08 mov ecx,dword ptr ds:[eax]
00402AD1 0F8F FD000000 jg crackme_.00402BD4
00402AD7 FF91 04030000 call dword ptr ds:[ecx+304]
00402ADD 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00402AE3 50 push eax
00402AE4 52 push edx
00402AE5 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00402AEB 8B08 mov ecx,dword ptr ds:[eax]
00402AED 8D55 9C lea edx,dword ptr ss:[ebp-64]
00402AF0 52 push edx
00402AF1 50 push eax
00402AF2 8985 4CFEFFFF mov dword ptr ss:[ebp-1B4],eax
00402AF8 FF91 A0000000 call dword ptr ds:[ecx+A0]
00402AFE 3BC6 cmp eax,esi
00402B00 DBE2 fclex
00402B02 7D 18 jge short crackme_.00402B1C
00402B04 8B8D 4CFEFFFF mov ecx,dword ptr ss:[ebp-1B4]
00402B0A 68 A0000000 push 0A0
00402B0F 68 C41F4000 push crackme_.00401FC4
00402B14 51 push ecx
00402B15 50 push eax
00402B16 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
00402B1C 8B45 9C mov eax,dword ptr ss:[ebp-64]
00402B1F 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00402B25 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
00402B2B 52 push edx
00402B2C 0FBFC3 movsx eax,bx
00402B2F 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00402B35 50 push eax
00402B36 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00402B3C 51 push ecx
00402B3D 52 push edx
00402B3E C785 50FFFFFF 01>mov dword ptr ss:[ebp-B0],1
00402B48 C785 48FFFFFF 02>mov dword ptr ss:[ebp-B8],2
00402B52 8975 9C mov dword ptr ss:[ebp-64],esi
00402B55 C785 58FFFFFF 08>mov dword ptr ss:[ebp-A8],8
00402B5F FF15 50104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402B65 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00402B6B 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00402B6E 50 push eax
00402B6F 51 push ecx
00402B70 FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
00402B76 50 push eax
00402B77 FFD7 call edi
00402B79 0FBFD0 movsx edx,ax
00402B7C 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
00402B7F 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00402B82 03D0 add edx,eax ; 注册码累加
00402B84 0F80 D8070000 jo crackme_.00403362
00402B8A 8955 C4 mov dword ptr ss:[ebp-3C],edx
00402B8D FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402B93 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00402B99 FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402B9F 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00402BA5 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00402BAB 50 push eax
00402BAC 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00402BB2 51 push ecx
00402BB3 52 push edx
00402BB4 6A 03 push 3
00402BB6 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
00402BBC B8 01000000 mov eax,1
00402BC1 83C4 10 add esp,10
00402BC4 66:03C3 add ax,bx
00402BC7 0F80 95070000 jo crackme_.00403362
00402BCD 8BD8 mov ebx,eax
00402BCF ^ E9 F0FEFFFF jmp crackme_.00402AC4 ;循环计算
00402BD4 FF91 08030000 call dword ptr ds:[ecx+308]
00402BDA 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00402BE0 50 push eax
00402BE1 52 push edx
00402BE2 FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00402BE8 8BD8 mov ebx,eax
00402BEA 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402BED 51 push ecx
00402BEE 53 push ebx
00402BEF 8B03 mov eax,dword ptr ds:[ebx]
00402BF1 FF90 A0000000 call dword ptr ds:[eax+A0]
00402BF7 3BC6 cmp eax,esi
00402BF9 DBE2 fclex
00402BFB 7D 12 jge short crackme_.00402C0F
00402BFD 68 A0000000 push 0A0
00402C02 68 C41F4000 push crackme_.00401FC4
00402C07 53 push ebx
00402C08 50 push eax
00402C09 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
00402C0F 8B55 9C mov edx,dword ptr ss:[ebp-64]
00402C12 52 push edx
00402C13 68 D81F4000 push crackme_.00401FD8
00402C18 FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00402C1E 8BD8 mov ebx,eax
00402C20 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402C23 F7DB neg ebx
00402C25 1BDB sbb ebx,ebx
00402C27 43 inc ebx
00402C28 F7DB neg ebx
00402C2A FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402C30 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00402C36 FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402C3C 66:3BDE cmp bx,si
00402C3F 0F84 B6000000 je crackme_.00402CFB
00402C45 8B1D C4104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>; MSVBVM60.__vbaVarDup
00402C4B B9 0A000000 mov ecx,0A
00402C50 B8 04000280 mov eax,80020004
00402C55 898D 28FFFFFF mov dword ptr ss:[ebp-D8],ecx
00402C5B 898D 38FFFFFF mov dword ptr ss:[ebp-C8],ecx
00402C61 8D95 78FEFFFF lea edx,dword ptr ss:[ebp-188]
00402C67 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00402C6D 8985 30FFFFFF mov dword ptr ss:[ebp-D0],eax
00402C73 8985 40FFFFFF mov dword ptr ss:[ebp-C0],eax
00402C79 C785 80FEFFFF 14>mov dword ptr ss:[ebp-180],crackme_.00402014 ; UNICODE "warning"
00402C83 C785 78FEFFFF 08>mov dword ptr ss:[ebp-188],8
00402C8D FFD3 call ebx
00402C8F 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178]
00402C95 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00402C9B C785 90FEFFFF E0>mov dword ptr ss:[ebp-170],crackme_.00401FE0 ; UNICODE "please input your name"
00402CA5 C785 88FEFFFF 08>mov dword ptr ss:[ebp-178],8
00402CAF FFD3 call ebx
00402CB1 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
00402CB7 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
00402CBD 50 push eax
00402CBE 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00402CC4 51 push ecx
00402CC5 52 push edx
00402CC6 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
00402CCC 56 push esi
00402CCD 50 push eax
00402CCE FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00402CD4 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8]
00402CDA 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00402CE0 51 push ecx
00402CE1 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00402CE7 52 push edx
00402CE8 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00402CEE 50 push eax
00402CEF 51 push ecx
00402CF0 6A 04 push 4
00402CF2 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
00402CF8 83C4 14 add esp,14
00402CFB 8B45 08 mov eax,dword ptr ss:[ebp+8]
00402CFE 50 push eax
00402CFF 8B10 mov edx,dword ptr ds:[eax]
00402D01 FF92 04030000 call dword ptr ds:[edx+304]
00402D07 50 push eax
00402D08 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
00402D0E 50 push eax
00402D0F FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00402D15 8BD8 mov ebx,eax
00402D17 8D55 9C lea edx,dword ptr ss:[ebp-64]
00402D1A 52 push edx
00402D1B 53 push ebx
00402D1C 8B0B mov ecx,dword ptr ds:[ebx]
00402D1E FF91 A0000000 call dword ptr ds:[ecx+A0]
00402D24 3BC6 cmp eax,esi
00402D26 DBE2 fclex
00402D28 7D 12 jge short crackme_.00402D3C
00402D2A 68 A0000000 push 0A0
00402D2F 68 C41F4000 push crackme_.00401FC4
00402D34 53 push ebx
00402D35 50 push eax
00402D36 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
00402D3C 8B45 9C mov eax,dword ptr ss:[ebp-64]
00402D3F 50 push eax
00402D40 68 D81F4000 push crackme_.00401FD8
00402D45 FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00402D4B 8BD8 mov ebx,eax
00402D4D 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00402D50 F7DB neg ebx
00402D52 1BDB sbb ebx,ebx
00402D54 43 inc ebx
00402D55 F7DB neg ebx
00402D57 FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402D5D 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00402D63 FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00402D69 66:3BDE cmp bx,si
00402D6C 0F84 B6000000 je crackme_.00402E28
00402D72 8B1D C4104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarDup>; MSVBVM60.__vbaVarDup
00402D78 B9 04000280 mov ecx,80020004
00402D7D 898D 30FFFFFF mov dword ptr ss:[ebp-D0],ecx
00402D83 B8 0A000000 mov eax,0A
00402D88 898D 40FFFFFF mov dword ptr ss:[ebp-C0],ecx
00402D8E 8D95 78FEFFFF lea edx,dword ptr ss:[ebp-188]
00402D94 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00402D9A 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
00402DA0 8985 38FFFFFF mov dword ptr ss:[ebp-C8],eax
00402DA6 C785 80FEFFFF 14>mov dword ptr ss:[ebp-180],crackme_.00402014 ; UNICODE "warning"
00402DB0 C785 78FEFFFF 08>mov dword ptr ss:[ebp-188],8
00402DBA FFD3 call ebx
00402DBC 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178]
00402DC2 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00402DC8 C785 90FEFFFF 28>mov dword ptr ss:[ebp-170],crackme_.00402028 ; UNICODE "please input your sn"
00402DD2 C785 88FEFFFF 08>mov dword ptr ss:[ebp-178],8
00402DDC FFD3 call ebx
00402DDE 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8]
00402DE4 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00402DEA 51 push ecx
00402DEB 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00402DF1 52 push edx
00402DF2 50 push eax
00402DF3 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00402DF9 56 push esi
00402DFA 51 push ecx
00402DFB FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00402E01 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
00402E07 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00402E0D 52 push edx
00402E0E 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00402E14 50 push eax
00402E15 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00402E1B 51 push ecx
00402E1C 52 push edx
00402E1D 6A 04 push 4
00402E1F FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarLi>; MSVBVM60.__vbaFreeVarList
00402E25 83C4 14 add esp,14
00402E28 8B4D C4 mov ecx,dword ptr ss:[ebp-3C] ; 注册码
00402E2B 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; 用户名
00402E2E 2BCA sub ecx,edx ; 注册码-用户名
00402E30 0F80 2C050000 jo crackme_.00403362
00402E36 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Abs>] ; MSVBVM60.__vbaI4Abs
00402E3C 8B4D A0 mov ecx,dword ptr ss:[ebp-60]
00402E3F 3BC1 cmp eax,ecx ; 与268比较
00402E41 8B45 08 mov eax,dword ptr ss:[ebp+8]
00402E44 50 push eax
00402E45 8B08 mov ecx,dword ptr ds:[eax]
00402E47 0F85 35020000 jnz crackme_.00403082 ; 爆破点
00402E4D FF91 04030000 call dword ptr ds:[ecx+304]
00402E53 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00402E59 50 push eax
00402E5A 52 push edx

复制代码

////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////

总结：

1) NOP掉0040341D可以去掉地址调用

2) NOP掉0040361F可以去掉对话框

3) 00402E47 ---》爆破点

4) 算法：注册码ASCII累加值-用户名ASCII累加值, 结果再与268比较,相等就注册成功

5) 一组可用注册信息：name: leng
code: lleennxxg9
--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

网游难民 · 发表于 2006-7-22 16:46:32

很小心的问冷血兄一句:
在算发分析是你是怎么找到:
004027D6 C785 90FEFFFF A4>mov dword ptr ss:[ebp-170],crackme_.00401FA4 ; UNICODE "dbfd,ut|$fmhqw" /// 找到这里
004027E0 C785 88FEFFFF 08>mov dword ptr ss:[ebp-178],8
004027EA FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004027F0 0FBFC3 movsx eax,bx
找到这里哦???我之前用了好几个断点,没有用:(

冷血书生 · 发表于 2006-7-22 16:54:31

原帖由 网游难民 于 2006-7-22 16:46 发表
很小心的问冷血兄一句:
在算发分析是你是怎么找到:
004027D6 C785 90FEFFFF A4>mov dword ptr ss:,crackme_.00401FA4 ; UNICODE "dbfd,ut|$fmhqw" /// 找到这里
004027E0 C785 88FEFFFF 08 ...

没必要用什么API断点，直接搜索就找到了~~跟上面的搜索是一样的~~呵呵~~

caterpilla · 发表于 2006-7-22 17:42:34

学习。。。。。。。

网游难民 · 发表于 2006-7-22 18:07:05

原帖由 冷血书生 于 2006-7-22 16:54 发表

没必要用什么API断点，直接搜索就找到了~~跟上面的搜索是一样的~~呵呵~~

收到，在这里：

超级字串参考＋

地址    反汇编                                  文本字串
0040127C PUSH crackme_.0040154C                   (初始 cpu 选择)
0040269B MOV DWORD PTR SS:[EBP-170],crackme_.0040  t}prt
004027D6 MOV DWORD PTR SS:[EBP-170],crackme_.0040  dbfd,ut|$fmhqw－－－－－就是这个，在warning上面
00402C79 MOV DWORD PTR SS:[EBP-180],crackme_.0040  warning
00402C9B MOV DWORD PTR SS:[EBP-170],crackme_.0040  please input your name

呵呵～～，多谢冷血兄指点～～偶明天再去玩玩第三个crackme．

冷血书生 · 发表于 2006-7-22 18:20:26

原帖由 网游难民 于 2006-7-22 18:07 发表

收到，在这里：

超级字串参考＋

地址    反汇编                                  文本字串
0040127C PUSH crackme_.0040154C                   (初始 cpu 选择)
0040269B MOV ...

https://www.chinapyg.com/viewthr ... &extra=page%3D1

网游难民 · 发表于 2006-7-23 16:27:55

原帖由 wxh9833 于 2006-7-22 16:49 发表
靠,没看明白,算法不明白啊,能改进一下吗?谢谢

算法挺简单哦~~
是兄弟没有看吧？？？
仔细看下，也就那么几个字

ZHOU2X · 发表于 2006-7-23 17:04:26

学习，收藏！！支持！！！！

obi-one · 发表于 2006-8-14 15:13:11

收藏！！支持！！！！

快雪时晴 · 发表于 2006-8-27 01:28:43

破解要经常练习，我半个月不接触破解，现在看啥都费力，进入不了状态:$

		自动登录	找回密码
密码			加入我们

elance's crackme.NO2 算法分析

本帖子中包含更多资源

相关帖子