Posted on 2005-7-6 10:52:15
Heh! Writing up a walkthrough, let's see if I can scrape together a few points!!
[PYG] crackme1.0 tracing and analysis walkthrough
After downloading it, I tried analyzing it with W32Dasm 10.0 and found it can be disassembled!
Looking at the "String Data References" there is only "GOOD"; no direct text-reference shortcut found!! (Actually, used well, that is a shortcut too, I'm just not up to it!!)
Figured it must be displayed through a display function
So I looked at "Functions" -> "Imports"
Found "MSVBVM60.rtcMsgBox"; double-clicking to trace it showed this function is called in the clear from three places:
0040465D
00404816
00404878
Set breakpoints at these three places in OD (OllyDbg)!
With the name left completely blank it breaks at 0040465D
Displays "name too short" (it only passes with more than 5 characters)
Entered 2 random characters as a trial code (in case I hit it by a fluke ^-*), and you can see it breaks at 00404878
The prompt is "keep trying"
Only 00407816 is never hit ------------- that's the success one!! And very close to it is that "GOOD"
OK! Going up from 0040465D, at 004045F5 I found:
* Reference To: MSVBVM60.__vbaLenBstr, Ord:0000h
|
:004045EC 8B3510104000 mov esi, dword ptr [00401010]
:004045F2 50 push eax
:004045F3 FFD6 call esi
:004045F5 83F805 cmp eax, 00000005
:004045F8 0F8D85000000 jnl 00404683
Heh, so that lets you skip displaying "name too short" (only passes with more than 5 characters)
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:0040465D FF1530104000 Call dword ptr [00401030]
Displays "name too short"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004045F8(C)
|
:00404683 8B45E4 mov eax, dword ptr [ebp-1C]
:00404686 50 push eax
:00404687 FFD6 call esi
:00404689 8BC8 mov ecx, eax
* Reference To: MSVBVM60.__vbaI2I4, Ord:0000h
|
:0040468B FF1550104000 Call dword ptr [00401050]
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:00404691 8B1D14104000 mov ebx, dword ptr [00401014]
:00404697 89853CFFFFFF mov dword ptr [ebp+FFFFFF3C], eax
After skipping past, at 00404687 the name length is computed again (using "abcdef", length is 6)
00404697: name length 6 is stored to ss:[ebp-c4], used as the compare value for the loop
:0040469D BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040472C(U)
|
:004046A2 663BB53CFFFFFF cmp si, word ptr [ebp+FFFFFF3C]
:004046A9 0F8F82000000 jg 00404731
This is the start of the loop that counts through and processes the name string
:004046AF 8D4DE4 lea ecx, dword ptr [ebp-1C]
:004046B2 8D55C0 lea edx, dword ptr [ebp-40]
:004046B5 0FBFC6 movsx eax, si
:004046B8 894D88 mov dword ptr [ebp-78], ecx
:004046BB 52 push edx
:004046BC 8D4D80 lea ecx, dword ptr [ebp-80]
:004046BF 50 push eax
:004046C0 8D55B0 lea edx, dword ptr [ebp-50]
:004046C3 51 push ecx
:004046C4 52 push edx
:004046C5 C745C804000280 mov [ebp-38], 80020004
:004046CC C745C00A000000 mov [ebp-40], 0000000A
:004046D3 C7458008400000 mov [ebp-80], 00004008
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:004046DA FF1540104000 Call dword ptr [00401040]
:004046E0 8D45B0 lea eax, dword ptr [ebp-50]
:004046E3 8D4DD8 lea ecx, dword ptr [ebp-28]
:004046E6 50 push eax
:004046E7 51 push ecx
* Reference To: MSVBVM60.__vbaStrVarVal, Ord:0000h
|
:004046E8 FF1574104000 Call dword ptr [00401074]
The name string is at the address in Eax: [0013b0bc]="abcdef"
:004046EE 50 push eax
* Reference To: MSVBVM60.rtcByteValueBstr, Ord:02B5h
|
:004046EF FF150C104000 Call dword ptr [0040100C]
Takes the first character from the front of the name string and computes its ASCII value, a=61, placed in eax
:004046F5 25FF000000 and eax, 000000FF
Strips the high bits
:004046FA 8D4DD8 lea ecx, dword ptr [ebp-28]
:004046FD 03C7 add eax, edi
Starts accumulating (on the first pass the initial value is edi=0)
:004046FF 0F8004020000 jo 00404909
:00404705 8BF8 mov edi, eax
The accumulated value is moved to edi
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00404707 FF15B8104000 Call dword ptr [004010B8]
:0040470D 8D55B0 lea edx, dword ptr [ebp-50]
:00404710 8D45C0 lea eax, dword ptr [ebp-40]
:00404713 52 push edx
:00404714 50 push eax
:00404715 6A02 push 00000002
:00404717 FFD3 call ebx
:00404719 B801000000 mov eax, 00000001
:0040471E 83C40C add esp, 0000000C
:00404721 6603C6 add ax, si
:00404724 0F80DF010000 jo 00404909
:0040472A 8BF0 mov esi, eax
:0040472C E971FFFFFF jmp 004046A2
Goes back to check whether the name string has been fully processed??
"ASCII sum of the name string" = 255H (hex) = 597 (decimal)
Then the entered registration code is processed
* Reference To: MSVBVM60.__vbaStrI4, Ord:0000h
|
:00404770 FF1508104000 Call dword ptr [00401008]
eax = the computed value "597"
:00404776 8BD0 mov edx, eax
:00404778 8D4DD4 lea ecx, dword ptr [ebp-2C]
* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0040477B FF15A4104000 Call dword ptr [004010A4]
:00404781 8B55D8 mov edx, dword ptr [ebp-28]
edx=1111, the trial code I entered
:00404784 50 push eax
:00404785 52 push edx
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00404786 FF154C104000 Call dword ptr [0040104C]
The two values are compared in the clear
:0040478C 8BF0 mov esi, eax
:0040478E 8D45D8 lea eax, dword ptr [ebp-28]
:00404791 F7DE neg esi
:00404793 1BF6 sbb esi, esi
:00404795 8D4DD4 lea ecx, dword ptr [ebp-2C]
:00404798 50 push eax
:00404799 46 inc esi
:0040479A 51 push ecx
:0040479B 6A02 push 00000002
:0040479D F7DE neg esi
* Reference To: MSVBVM60.__vbaFreeStrList, Ord:0000h
|
:0040479F FF158C104000 Call dword ptr [0040108C]
:004047A5 83C40C add esp, 0000000C
:004047A8 8D4DD0 lea ecx, dword ptr [ebp-30]
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:004047AB FF15B4104000 Call dword ptr [004010B4]
:004047B1 B904000280 mov ecx, 80020004
:004047B6 B80A000000 mov eax, 0000000A
:004047BB 6685F6 test si, si
If the two values differ, it jumps to display "keep trying"
If the name is "abcdef" and the registration code entered is "597", the two values are the same and it does not jump
:004047BE 894D98 mov dword ptr [ebp-68], ecx
:004047C1 894590 mov dword ptr [ebp-70], eax
:004047C4 894DA8 mov dword ptr [ebp-58], ecx
:004047C7 8945A0 mov dword ptr [ebp-60], eax
:004047CA 7462 je 0040482E
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:004047CC 8B3D9C104000 mov edi, dword ptr [0040109C]
:004047D2 BE08000000 mov esi, 00000008
:004047D7 8D9570FFFFFF lea edx, dword ptr [ebp+FFFFFF70]
:004047DD 8D4DB0 lea ecx, dword ptr [ebp-50]
:004047E0 C78578FFFFFFC8224000 mov dword ptr [ebp+FFFFFF78], 004022C8
:004047EA 89B570FFFFFF mov dword ptr [ebp+FFFFFF70], esi
:004047F0 FFD7 call edi
:004047F2 8D5580 lea edx, dword ptr [ebp-80]
:004047F5 8D4DC0 lea ecx, dword ptr [ebp-40]
* Possible StringData Ref from Code Obj ->"GOOD"
|
:004047F8 C74588AC224000 mov [ebp-78], 004022AC
:004047FF 897580 mov dword ptr [ebp-80], esi
:00404802 FFD7 call edi
:00404804 8D5590 lea edx, dword ptr [ebp-70]
:00404807 8D45A0 lea eax, dword ptr [ebp-60]
:0040480A 52 push edx
:0040480B 8D4DB0 lea ecx, dword ptr [ebp-50]
:0040480E 50 push eax
:0040480F 51 push ecx
:00404810 8D55C0 lea edx, dword ptr [ebp-40]
:00404813 6A00 push 00000000
:00404815 52 push edx
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00404816 FF1530104000 Call dword ptr [00401030]
Displays "GOOD! You did it!"
Keygen........ I'll skip it! Just take the name's characters from front to back and sum them up, that's the registration code!! (Heh, I'm not proficient in any language! Hehe)
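As an added example (not code from the original post), here is a Python reconstruction of the check exactly as it reads from the listing above: the length test at 004045F5, the Mid/Asc accumulation loop at 004046A2..0040472C with its two `jo` overflow guards, and the `__vbaStrI4`/`__vbaStrCmp` string comparison that picks one of the three rtcMsgBox call sites. Function names are my own; the length test follows `cmp eax, 5 / jnl`, so a five-character name passes it.

```python
# Reconstruction (added example) of the crackme's serial check as read from the
# W32Dasm listing in the post above. Function names are my own.

def name_checksum(name: str) -> int:
    """Mirror the loop at 004046A2..0040472C:
    For i = 1 To Len(name): total = total + Asc(Mid(name, i, 1)).
    rtcByteValueBstr returns the character's byte value; the listing
    masks it with 0FFh before adding it to the running total in edi."""
    total = 0                        # edi starts at 0
    i = 1                            # mov esi, 1 (16-bit loop counter)
    while i <= len(name):            # cmp si, [ebp-0C4h]; jg exit
        ch = name[i - 1]             # rtcMidCharVar(name, i, 1)
        total += ord(ch) & 0xFF      # rtcByteValueBstr; and eax, 0FFh; add eax, edi
        if total > 0x7FFFFFFF:       # jo 00404909 -> VB "Overflow" run-time error
            raise OverflowError("32-bit signed accumulator overflowed")
        i += 1                       # mov eax, 1; add ax, si
        if i > 0x7FFF:               # second jo 00404909 (16-bit counter)
            raise OverflowError("16-bit loop counter overflowed")
    return total


def validate(name: str, serial: str) -> str:
    """Return the message-box text chosen by the three rtcMsgBox call sites."""
    if len(name) < 5:                # __vbaLenBstr; cmp eax, 5; jnl 00404683
        return "name too short"      # rtcMsgBox at 0040465D
    expected = str(name_checksum(name))   # __vbaStrI4: CStr(total), e.g. "597"
    if expected != serial:           # __vbaStrCmp returns non-zero -> je 0040482E
        return "keep trying"         # rtcMsgBox at 00404878
    return "GOOD"                    # rtcMsgBox at 00404816
```

`name_checksum("abcdef")` reproduces the 255H = 597 the post observes in edi, and the comparison is a plain string compare, so "0597" would not pass.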