Wicked Crackme 2 by LaFarge: Analysis
----- an attempt at PE DIY on a VB P-code program
【Cracker】 winndy[FCG][PYG]
【Author e-mail】 [email protected]
【Tools】 PEiD v0.93, OllyDbg v1.10 (fly's modified build), WKTVBDebugger 14e
【Platform】 WinXP SP2
【Target】 Wicked Crackme 2 by LaFarge
【Download】 http://www.reversing.be/article.php?story=20050510044959202
【Language】 VB P-code
【Statement】 For study, for fun.
【Summary】 No packer, and the algorithm is trivial; the interesting part is DIY-ing the original crackme into a keygen. Please point out any mistakes.
【Process】 PEiD: no packer, written in VB.
At first I did not know it was P-code,
so I loaded it in OllyDbg and set breakpoints at 00401030 and 00401036.
Later the program's behaviour looked odd, so I guessed it was P-code and switched to WKTVBDebugger.
This is OllyDbg's analysis:
00401030 .- FF25 08104000 jmp dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00401036 .- FF25 0C104000 jmp dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0040103C .- FF25 04104000 jmp dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00401042 .- FF25 1C104000 jmp dword ptr ds:[<&MSVBVM60.__vbaExceptHa>; MSVBVM60.__vbaExceptHandler
00401048 .- FF25 18104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Qu>; MSVBVM60.EVENT_SINK_QueryInterface
0040104E .- FF25 10104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Ad>; MSVBVM60.EVENT_SINK_AddRef
00401054 .- FF25 14104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Re>; MSVBVM60.EVENT_SINK_Release
0040105A .- FF25 00104000 jmp dword ptr ds:[<&MSVBVM60.MethCallEngin>; MSVBVM60.MethCallEngine
00401060 $- FF25 20104000 jmp dword ptr ds:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
00401066 00 db 00
00401067 00 db 00
00401068 Wi> $ 68 D0134000 push Wicked_C.004013D0
Break at 00401036 (rtcMidCharBstr, i.e. Mid$); the stack shows:
0012F3CC 7348F7F5 return to MSVBVM60.7348F7F5
0012F3D0 001501B4 UNICODE "winndy"
0012F3D4 00000001
F9, and it breaks at 00401036 again:
0012F3CC 7348F7F5 return to MSVBVM60.7348F7F5
0012F3D0 001501B4 UNICODE "winndy"
0012F3D4 00000002
...
(the third argument is the Mid$ start index, which counts up 1, 2, ...)
After pressing F9 five times it breaks at 00401030 (rtcMsgBox):
0012F3C4 7348F7B7 return to MSVBVM60.7348F7B7
0012F3C8 0012F560
0012F3CC 00000010
0012F3D0 0012F500
0012F3D4 0012F4E0
0012F3D8 0012F4C0
0012F3DC 00000008
0012F3E0 00000000
0012F3E4 00156924 UNICODE "1112-915-752-1053-868"
Guess:
Name: winndy
SN: "1112-915-752-1053-868"
Entered it and the check passed: the guess was right!
At the same time this showed that the crackme is P-code.
Let's look at it in WKTVBDE: after loading, click "Form Manager", choose "Form1",
click "command", choose "cmdCheck", then BPX.
00403A34: 04 FLdRfVar 0012F558h
00403A37: 21 FLdPrThis 001478D8h
00403A38: 0F VCallAd Form1.txtName
00403A3B: 19 FStAdFunc
00403A3E: 08 FLdPr
00403A41: 0D VCallHresult get__ipropTEXTEDIT
//0012F558: A4 A0 15 00
//0015A0A4: 77 00 69 00 6E 00 6E 00
//0015A0AC: 64 00 79 00 00 00            <- UNICODE "winndy"
//after execution the stack at 0012F3B0 becomes: A4 A0 15 00 00 00 00 00
//after execution the stack at 0012F3B0 becomes: 38 F5 12 00 00 00 00 00
//0012F538: 08 00 00 00 00 00 00 00      <- VARIANT: vt = 8 (VT_BSTR)
//0012F540: A4 A0 15 00 00 00 00 00      <- bstrVal = 0015A0A4, the name
00403A4C: FC Lead1/FStVar
00403A50: 1A FFree1Ad
00403A53: 04 FLdRfVar 0012F558h
00403A56: 21 FLdPrThis 001478D8h
00403A57: 0F VCallAd Form1.txtSerial 00404D70
00403A5A: 19 FStAdFunc 0012F55C
00403A5D: 08 FLdPr 00E00CCCh
00403A60: 0D VCallHresult get__ipropTEXTEDIT 00E00D6C
00403A65: 3E FLdZeroAd
00403A68: 46 CVarStr 0012F538h 00181E24h
Open Memory Dump and go to 00181E24 (the serial I typed, "12345678"):
00181E24: 31 00 32 00 33 00 34 00
00181E2C: 35 00 36 00 37 00 38 00
00181E34: 00 00
00403A6B: FC Lead1/FStVar
00403A6F: 1A FFree1Ad
00403A72: 04 FLdRfVar 0012F548h
00403A75: EB FnLenVar
00403A79: FC Lead1/FStVar
00403A7D: 04 FLdRfVar 0012F528h
00403A80: EB FnLenVar
00403A84: FC Lead1/FStVar
00403A88: 04 FLdRfVar 0012F518h
00403A8B: 28 LitVarI2 0h , 0
00403A90: 5D HardType
00403A91: 33 EqVarBool
00403A93: 1C BranchF 00403ACA ? ==> is Len(name) = 0?
00403A96: 27 LitVar_Missing 0012F498h
00403A99: 27 LitVar_Missing 0012F4B8h
00403A9C: 3A LitVarStr 'Error in name'
00403AA1: 4E FStVarCopyObj 0012F4D8h
00403AA4: 04 FLdRfVar 0012F4D8h
00403AA7: F5 LitI4: -> 10h 16
00403AAC: 3A LitVarStr 'Sorry, U must enter a name !!!'
00403AB1: 4E FStVarCopyObj 0012F538h
00403AB4: 04 FLdRfVar 0012F538h
00403AB7: 0A ImpAdCallFPR4 rtcMsgBox on address 73472F29h
00403ABC: 36 FFreeVar -> 4
00403AC7: 1E Branch 00403D51 ?
00403ACA: 04 FLdRfVar 0012F518h
00403ACD: 28 LitVarI2 5h , 5
00403AD2: 5D HardType
00403AD3: 67 LtVarBool
00403AD5: 1C BranchF 00403B0C ? ==> is Len(name) < 5?
00403AD8: 27 LitVar_Missing 0012F498h
00403ADB: 27 LitVar_Missing 0012F4B8h
00403ADE: 3A LitVarStr 'Error in name'
00403AE3: 4E FStVarCopyObj 0012F4D8h
00403AE6: 04 FLdRfVar 0012F4D8h
00403AE9: F5 LitI4: -> 10h 16
00403AEE: 3A LitVarStr 'Sorry, name must be 5+ characters long!'
00403AF3: 4E FStVarCopyObj 0012F538h
00403AF6: 04 FLdRfVar 0012F538h
00403AF9: 0A ImpAdCallFPR4 rtcMsgBox on address 73472F29h
00403AFE: 36 FFreeVar -> 4
00403B09: 1E Branch 00403D51 ?
00403B0C: 04 FLdRfVar 0012F508h
00403B0F: 28 LitVarI2 0h , 0
00403B14: 5D HardType
00403B15: 33 EqVarBool
00403B17: 1C BranchF 00403B4E ? ==> is Len(serial) = 0?
00403B1A: 27 LitVar_Missing 0012F498h
00403B1D: 27 LitVar_Missing 0012F4B8h
00403B20: 3A LitVarStr 'Error in serial'
00403B25: 4E FStVarCopyObj 0012F4D8h
00403B4E: 28 LitVarI2 0012F538h 1h , 1
00403B53: F5 LitI4: -> 1h 1
00403B58: 04 FLdRfVar 0012F548h
00403B5B: FD Lead2/CStrVarVal
00403B5F: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403B64: 23 FStStrNoPop ===>'w'
00403B67: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403B6C: FD CStrUI1 ===>119(77h)
00403B6E: 31 FStStr
00403B71: 32 FFreeStr
00403B78: 35 FFree1Var
00403B7B: 6C ILdRf 00000000h
00403B7E: FC Lead1/CR8Str
00403B80: F3 LitI2: -> 3E1h 993 ===>******,1st Const
00403B83: EB CR8I2
00403B84: AB AddR8
00403B85: FD Lead2/CVarR8
00403B89: FC Lead1/FStVar
00403B8D: 28 LitVarI2 1h , 1
00403B92: F5 LitI4: -> 2h 2
00403B97: 04 FLdRfVar 0012F548h
00403B9A: FD Lead2/CStrVarVal
00403B9E: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403BA3: 23 FStStrNoPop ===>'i'
; stack:
; 0012F3B0 69 00 00 00
00403BA6: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403BAB: 44 CVarI2 0012F4E8h
00403BAE: FC Lead1/FStVar
00403BB2: 32 FFreeStr
00403BB9: 35 FFree1Var
00403BBC: 04 FLdRfVar 0012F474h
00403BBF: 28 LitVarI2 32Ah , 810 ===>******,2nd Const
00403BC4: 94 AddVar
00403BC8: FC Lead1/FStVar
00403BCC: 28 LitVarI2 1h , 1
00403BD1: F5 LitI4: -> 3h 3
00403BD9: FD Lead2/CStrVarVal
00403BDD: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403BE2: 23 FStStrNoPop
00403BE5: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403BEA: 44 CVarI2
00403BED: FC Lead1/FStVar
00403BF1: 32 FFreeStr
00403BF8: 35 FFree1Var
00403BFB: 04 FLdRfVar 0012F454h
00403BFE: 28 LitVarI2 0012F4F8h 282h , 642 ===>******,3rd Const
00403C03: 94 AddVar
00403C07: FC Lead1/FStVar
00403C0B: 28 LitVarI2 1h , 1
00403C10: F5 LitI4: -> 4h 4
00403C15: 04 FLdRfVar 0012F548h
00403C18: FD Lead2/CStrVarVal
00403C1C: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403C21: 23 FStStrNoPop
00403C24: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403C29: 44 CVarI2
00403C2C: FC Lead1/FStVar
00403C30: 32 FFreeStr
00403C37: 35 FFree1Var
00403C3A: 04 FLdRfVar 0012F434h
00403C3D: 28 LitVarI2 3AFh , 943 ===>******,4th Const
00403C42: 94 AddVar
00403C46: FC Lead1/FStVar
00403C4A: 28 LitVarI2 1h , 1
00403C4F: F5 LitI4: -> 5h 5
00403C54: 04 FLdRfVar 0012F548h
00403C57: FD Lead2/CStrVarVal
00403C5B: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403C60: 23 FStStrNoPop
00403C63: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403C68: 44 CVarI2
00403C6B: FC Lead1/FStVar
00403C6F: 32 FFreeStr
00403C76: 35 FFree1Var
00403C79: 04 FLdRfVar 0012F414h
00403C7C: 28 LitVarI2 300h , 768 ===>******,5th Const
00403C81: 94 AddVar
00403C85: FC Lead1/FStVar
00403C89: 04 FLdRfVar 0012F484h
00403C8C: 3A LitVarStr '-'
00403C91: EF ConcatVar
00403C95: 04 FLdRfVar 0012F464h
00403C98: EF ConcatVar
00403C9C: 3A LitVarStr '-'
00403CA1: EF ConcatVar
00403CA5: 04 FLdRfVar 0012F444h
00403CBC: 3A LitVarStr '-'
00403CC1: EF ConcatVar
00403CC5: 04 FLdRfVar 0012F404h ; push local variable 0012F404h
00403CC8: EF ConcatVar
00403CCC: FC Lead1/FStVar
00403CD0: 36 FFreeVar -> 7
00403CE1: 04 FLdRfVar 0012F528h ; the serial I typed
//0012F528:08 00 00 00 00 00 00 00
//0012F530:94 A6 15 00 00 00 00 00
//0015A694:31 00 32 00 33 00 34 00
//0015A69c:35 00 36 00 37 00 38 00
//0015A6A4:00 00
00403CE4: 04 FLdRfVar 0012F3B4h ; the serial computed from the name
//0012F3B4:08 00 00 00 00 00 00 00
//0012F3BC:4C B2 15 00 00 00 00 00
//0015B24C:31 00 31 00 31 00 32 00
//0015B254:2D 00 39 00 31 00 35 00
//0015B25C:2D 00 37 00 35 00 32 00
//0015B264:2D 00 31 00 30 00 35 00
//0015B26C:33 00 2D 00 38 00 36 00
//0015B274:38 00 00 00
00403CE7: 40 NeVarBool
00403CE9: 1C BranchF 00403D20 (No Jump)
00403CEC: 27 LitVar_Missing 0012F498h
00403CEF: 27 LitVar_Missing 0012F4B8h
00403CF2: 3A LitVarStr 'Wrong serial'
00403CF7: 4E FStVarCopyObj 0012F4D8h
00403CFA: 04 FLdRfVar 0012F4D8h
00403CFD: F5 LitI4: -> 10h 16
00403D02: 3A LitVarStr 'I'm sorry, but this serial doesn't match to your name !'
00403D07: 4E FStVarCopyObj 0012F538h
00403D0A: 04 FLdRfVar 0012F538h
00403D51: 13 ExitProcHresult
00403D52: FF Lead4/Unknow
INVALID
00403D57: 00 LargeBos
00403D59: 00 LargeBos
00403D5B: 01 InvalidExcode
00403D5C: 20 CRec2Uni
00403D5F: 00 LargeBos
00403D61: 00 LargeBos
00403D63: 00 LargeBos
00403D65: 00 LargeBos
00403D67: 00 LargeBos
00403D69: 00 LargeBos
00403D6B: 00 LargeBos
00403D6D: 00 LargeBos
00403D6F: 00 LargeBos
00403D71: 00 LargeBos
00403D73: 00 LargeBos
00403D75: 00 LargeBos
A quick guess at the registration algorithm:
The serial is "1112-915-752-1053-868", the code contains five constants, and for each character we see
Lead2/CStrVarVal
ImpAdCallI2 rtcMidCharBstr on address 733B48DFh   ==> Mid$
FStStrNoPop                                       ==> the hint panel shows the single extracted character
ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh ==> Asc: after it executes, the character's ASCII code is at the top of the stack
CVarI2                                            ==> converts it to a Variant Integer (the decimal value you see)
and right after that
LitVarI2 300h , 768 ===>******,5th Const
AddVar
Every constant is followed by an add instruction.
So the guess: take the decimal ASCII code of each of the first five characters of the name, add the corresponding constant (993, 810, 642, 943, 768), and join the five results with '-'.
Easy to verify on a calculator! A rich imagination and a good nose for guessing are indispensable for a cracker!
========================P-code DIY=================================================
Stopping here would be boring, so let's find a way to DIY it into a keygen.
If this were not a P-code program that would be easy: a SetDlgItemTextA call would do.
But this is P-code...
Observation: Text1.Text is read through get__ipropTEXTEDIT, so which routine writes data into Text1.Text?
By modifying the instruction (found by trial and error)
I discovered this correspondence:
0DA4 == put__ipropTEXTEDIT
0DA1 == get__ipropTEXTEDIT
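The guessed algorithm, written out as an added example (this is not winndy's code or part of the crackme): a keygen, a validator that mirrors the branch order of cmdCheck, and the "calculator check" that recovers the five constants from a known name/serial pair. It uses only the constants and message-box titles visible in the listing and assumes names are ASCII, so VB's Asc() equals Python's ord(). In the P-code the first field is computed as a Double (CR8Str/AddR8) and the other four as Integers (CVarI2/AddVar); the result is the same whole number either way, so one integer add covers all five. The message bodies for the empty-serial and success branches are cut from the listing, so check() reports only the titles.

```python
# Added example, not part of winndy's writeup or of the crackme itself.
# Keygen and validator for "Wicked Crackme 2 by LaFarge", reconstructed from
# the P-code listing: field i = Asc(Mid$(name, i, 1)) + CONSTANTS[i-1] for
# i = 1..5, fields joined with "-".
# Assumption: names are ASCII, so VB's Asc() equals Python's ord().

from typing import Optional, Tuple

# The LitVarI2 operands that precede each AddVar in cmdCheck
# (3E1h, 32Ah, 282h, 3AFh, 300h).
CONSTANTS: Tuple[int, ...] = (993, 810, 642, 943, 768)


def keygen(name: str) -> str:
    """Return the serial cmdCheck expects for `name` (only its first five characters matter)."""
    if len(name) < 5:
        raise ValueError("Sorry, name must be 5+ characters long!")
    if not name.isascii():
        # Asc() returns the ANSI code of the character; that equals ord() only for ASCII.
        raise ValueError("non-ASCII name: Asc() and ord() would differ")
    fields = [ord(ch) + k for ch, k in zip(name[:5], CONSTANTS)]  # rtcAnsiValueBstr + AddVar
    return "-".join(str(f) for f in fields)                         # ConcatVar with '-'


def check(name: str, serial: str) -> Optional[str]:
    """Mirror cmdCheck's branch order.

    Returns None when the serial is accepted, otherwise the message-box title of
    the failing branch (titles copied from the listing).
    """
    if len(name) == 0:
        return "Error in name"       # "Sorry, U must enter a name !!!"
    if len(name) < 5:
        return "Error in name"       # "Sorry, name must be 5+ characters long!"
    if len(serial) == 0:
        return "Error in serial"     # body text not in the listing
    if serial != keygen(name):       # NeVarBool on the two Variant strings
        return "Wrong serial"        # "I'm sorry, but this serial doesn't match to your name !"
    return None


def recover_constants(name: str, serial: str) -> Tuple[int, ...]:
    """The calculator check from the writeup: subtract each character's code from
    the matching serial field to recover the constant that was added to it."""
    fields = serial.split("-")
    if len(fields) != 5 or len(name) < 5:
        raise ValueError("need a five-field serial and a name of 5+ characters")
    return tuple(int(f) - ord(ch) for f, ch in zip(fields, name[:5]))


if __name__ == "__main__":
    print(keygen("winndy"))                                    # 1112-915-752-1053-868
    print(check("winndy", "12345678"))                         # Wrong serial (the serial typed in the session above)
    print(recover_constants("winndy", "1112-915-752-1053-868"))  # (993, 810, 642, 943, 768)
```

Feeding the name and serial observed in the debugger session back through recover_constants() gives exactly the five LitVarI2 operands, which is the same verification the writeup did on a calculator; any other name/serial pair from the crackme should give the same tuple if the guess is complete.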
00403A34: 04 FLdRfVar 0012F558h //12F5E8
00403A37: 21 FLdPrThis 001478D8h
00403A38: 0F VCallAd Form1.txtName
00403A3B: 19 FStAdFunc
00403A3E: 08 FLdPr
00403A41: 0D VCallHresult get__ipropTEXTEDIT
The corresponding bytes in the file (file offset 3A34h):
00003a34h: 04 70 FF 21 0F 10 03 19
74 FF 08 74 FF 0D A0 00