- 【Title】OCN CrackMe2004 algorithm analysis + VB keygen source
- 【Author】hrbx
- 【Author's homepage】hrbx.ys168.com
- 【Author's e-mail】[email protected]
- 【Platform】WinXP
- 【Tools】flyOD1.10, PEiD
- 【Date】2006-01-01
- 【Software name】OCN Crackme2004
- 【Size】44KB
- 【Download】http://ocn.e5v.com/bbs1/viewthread.php?tid=1114&fpage=1&highlight=&page=1
- 【Packer】none
- 【Description】OCN Crackme2004
- -----------------------------------------------------------------------------------------------
- 【Statement】I am just a small newbie; I happened to gain a little insight and would like to share it with everyone :)
- -----------------------------------------------------------------------------------------------
- 【Process】
- 1. Check for a packer. Scanning with PEiD shows: Microsoft Visual Basic 5.0 / 6.0, not packed.
- 2. Trial-run the CrackMe. After entering the registration info and clicking the Validate button, the fields are cleared with no message at all.
- 3. Load it in OD. On the command line set a breakpoint: bp __vbaLenBstr, press Enter, F9 to run, then enter the registration info:
- ================================
- Name:hrbx
- Serial:9876543210
- ================================
- Click the Validate button; it breaks immediately:
```
660E5F5F MS> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; breaks here
660E5F63 85C0 test eax,eax
660E5F65 74 05 je short MSVBVM60.660E5F6C
660E5F67 8B40 FC mov eax,dword ptr ds:[eax-4]
```
- Alt+F9 to return, arriving at:
```
004052D1 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBst>
004052D7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8] ; Alt+F9 returns here
004052DD . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004052E0 . 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
```
- Scroll up to 00405010 and set a breakpoint there with F2; at the same time clear the API breakpoint from the command bar: bc __vbaLenBstr
- Ctrl+F2 to reload the program, F9 to run, fill in the registration info and click the Validate button; it breaks:
```
00405010 > \55 push ebp ; F2 breakpoint here; after it breaks, step down with F8
00405011 . 8BEC mov ebp,esp
00405013 . 83EC 0C sub esp,0C
00405016 . 68 56124000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0040501B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00405021 . 50 push eax
00405022 . 64:8925 00000000 mov dword ptr fs:[0],esp
.......................................................
(some code omitted)
.......................................................
0040536A > \8B45 C0 mov eax,dword ptr ss:[ebp-40] ; user name "hrbx"
0040536D . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405370 . 8945 A0 mov dword ptr ss:[ebp-60],eax
00405373 . 52 push edx
00405374 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00405377 . 57 push edi
00405378 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0040537E . 50 push eax
0040537F . 51 push ecx
00405380 . C745 90 01000000 mov dword ptr ss:[ebp-70],1
00405387 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
0040538E . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
00405395 . C745 98 08000000 mov dword ptr ss:[ebp-68],8
0040539C . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar, loop over each character of the user name
004053A2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004053A8 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004053AB . 52 push edx
004053AC . 50 push eax
004053AD . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004053B3 . 50 push eax
004053B4 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the character's ASCII value
004053BA . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004053BD . 66:8985 40FFFFFF mov word ptr ss:[ebp-C0],ax ; EAX=68("h")
004053C4 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
004053CA . 51 push ecx
004053CB . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
004053D1 . 52 push edx
004053D2 . 50 push eax
004053D3 . C785 38FFFFFF 02>mov dword ptr ss:[ebp-C8],2
004053DD . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; accumulate the user name's ASCII values, 0x1B4
004053E3 . 8BD0 mov edx,eax
004053E5 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004053E8 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004053EE . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004053F1 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004053F7 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004053FA . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00405400 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00405406 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405409 . 51 push ecx
0040540A . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040540D . 52 push edx
0040540E . 50 push eax
0040540F . 6A 03 push 3
00405411 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00405417 . B8 01000000 mov eax,1
0040541C . 83C4 10 add esp,10
0040541F . 03C7 add eax,edi
00405421 . 0F80 92070000 jo Crackme2.00405BB9
00405427 . 8BF8 mov edi,eax
00405429 .^ E9 EFFEFFFF jmp Crackme2.0040531D
0040542E > B8 02000000 mov eax,2 ; EAX=2
00405433 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00405436 . 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
0040543C . 8985 48FFFFFF mov dword ptr ss:[ebp-B8],eax
00405442 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00405448 . 51 push ecx
00405449 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040544C . 52 push edx
0040544D . 50 push eax
0040544E . FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; sum of the user name's ASCII values / 2, 0x1B4/2=0xEA
00405454 . 8BD0 mov edx,eax
00405456 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-F4]
0040545C . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00405462 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-F4]
00405468 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
0040546E . 51 push ecx
0040546F . 52 push edx
00405470 . C785 50FFFFFF 00>mov dword ptr ss:[ebp-B0],0
0040547A . C785 48FFFFFF 02>mov dword ptr ss:[ebp-B8],8002
00405484 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; check whether the remainder is 0
0040548A . 66:85C0 test ax,ax ; i.e. whether the sum of the user name's ASCII values is odd or even
0040548D . 0F84 12030000 je Crackme2.004057A5 ; jumps if the sum is odd
00405493 . 8B06 mov eax,dword ptr ds:[esi]
00405495 . 56 push esi
00405496 . FF90 10030000 call dword ptr ds:[eax+310]
0040549C . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
0040549F . 50 push eax
004054A0 . 51 push ecx
004054A1 . FFD3 call ebx
004054A3 . 8BF8 mov edi,eax
004054A5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
004054A8 . 50 push eax
004054A9 . 57 push edi
004054AA . 8B17 mov edx,dword ptr ds:[edi]
004054AC . FF92 A0000000 call dword ptr ds:[edx+A0]
004054B2 . 85C0 test eax,eax
004054B4 . DBE2 fclex
004054B6 . 7D 12 jge short Crackme2.004054CA
004054B8 . 68 A0000000 push 0A0
004054BD . 68 743D4000 push Crackme2.00403D74
004054C2 . 57 push edi
004054C3 . 50 push eax
004054C4 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>; if the sum is even we arrive here
004054CA > 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; user name "hrbx"
004054CD . 8B3D 38114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
004054D3 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004054D6 . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
004054DD . FFD7 call edi
004054DF . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004054E2 . 51 push ecx
004054E3 . E8 580E0000 call Crackme2.00406340 ; key CALL-1, F7 to step into
004054E8 . 8BD0 mov edx,eax ; the user name is transformed into the string "yXJfdD"
004054EA . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
004054ED . FFD7 call edi
004054EF . 8B55 B0 mov edx,dword ptr ss:[ebp-50]
004054F2 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004054F5 . C785 34FFFFFF 09>mov dword ptr ss:[ebp-CC],9
004054FF . C745 B0 00000000 mov dword ptr ss:[ebp-50],0
00405506 . FFD7 call edi
00405508 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC] ; string "yXJfdD"
0040550E . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00405511 . 52 push edx
00405512 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00405515 . 50 push eax
00405516 . 51 push ecx
00405517 . E8 341D0000 call Crackme2.00407250 ; key call-2, F7 to step into
0040551C . 8B16 mov edx,dword ptr ds:[esi]
0040551E . 56 push esi
0040551F . FF92 18030000 call dword ptr ds:[edx+318]
00405525 . 50 push eax
00405526 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00405529 . 50 push eax
0040552A . FFD3 call ebx
0040552C . 8BF8 mov edi,eax
0040552E . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00405531 . 52 push edx
00405532 . 57 push edi
00405533 . 8B0F mov ecx,dword ptr ds:[edi]
00405535 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040553B . 85C0 test eax,eax
0040553D . DBE2 fclex
0040553F . 7D 12 jge short Crackme2.00405553
00405541 . 68 A0000000 push 0A0
00405546 . 68 743D4000 push Crackme2.00403D74
0040554B . 57 push edi
0040554C . 50 push eax
0040554D . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
00405553 > 8B45 B4 mov eax,dword ptr ss:[ebp-4C] ; fake serial "9876543210"
00405556 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00405559 . 8945 90 mov dword ptr ss:[ebp-70],eax
0040555C . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040555F . 50 push eax
00405560 . 51 push ecx
00405561 . C745 B4 00000000 mov dword ptr ss:[ebp-4C],0
00405568 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
0040556F . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare the real serial with the entered one
00405575 . 8BF8 mov edi,eax
00405577 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0040557A . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040557D . 52 push edx
0040557E . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405581 . 50 push eax
00405582 . 51 push ecx
00405583 . 6A 03 push 3
00405585 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
0040558B . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040558E . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00405591 . 52 push edx
00405592 . 50 push eax
00405593 . 6A 02 push 2
00405595 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
0040559B . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0040559E . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004055A1 . 51 push ecx
004055A2 . 52 push edx
004055A3 . 6A 02 push 2
004055A5 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004055AB . 83C4 28 add esp,28
004055AE . 66:85FF test di,di
004055B1 . 0F84 40010000 je Crackme2.004056F7 ; patch point 1, NOP it out
004055B7 . A1 10904000 mov eax,dword ptr ds:[409010]
004055BC . 85C0 test eax,eax
004055BE . 75 10 jnz short Crackme2.004055D0
004055C0 . 68 10904000 push Crackme2.00409010
```
- F7 into key CALL-1 at 004054E3, arriving at:
```
00406340 $ 55 push ebp
00406341 . 8BEC mov ebp,esp
.......................................................
(some code omitted)
.......................................................
004063C8 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004063CB . 8B08 mov ecx,dword ptr ds:[eax] ; user name "hrbx"
004063CD . 51 push ecx
004063CE . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; get the user name length, EAX=4
004063D4 . 8BC8 mov ecx,eax
004063D6 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
004063DC . 8B35 38114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
004063E2 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax ; save the user name length 4
004063E8 . BB 01000000 mov ebx,1 ; EBX initialised to 1
004063ED . BF 02000000 mov edi,2
004063F2 > 66:3B9D 08FFFFFF cmp bx,word ptr ss:[ebp-F8] ; compare BX with the user name length
004063F9 . 0F8F 31040000 jg Crackme2.00406830 ; continue if the user name is not exhausted
004063FF . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00406402 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00406405 . 0FBFC3 movsx eax,bx
00406408 . 52 push edx
00406409 . 8B11 mov edx,dword ptr ds:[ecx]
0040640B . 50 push eax
0040640C . 52 push edx
0040640D . C745 88 01000000 mov dword ptr ss:[ebp-78],1
00406414 . 897D 80 mov dword ptr ss:[ebp-80],edi
00406417 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr, take the first character of the user name, "h"
0040641D . 8BD0 mov edx,eax
0040641F . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406422 . FFD6 call esi
00406424 . 50 push eax
00406425 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of the first character
0040642B . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0] ; EAX=0x68("h")
00406431 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00406434 . 66:8985 28FFFFFF mov word ptr ss:[ebp-D8],ax
0040643B . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00406441 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00406447 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040644A . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
00406450 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00406453 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406459 . 66:8BCB mov cx,bx
0040645C . 8D45 80 lea eax,dword ptr ss:[ebp-80]
0040645F . 66:83C1 01 add cx,1
00406463 . 50 push eax
00406464 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00406467 . C745 88 01000000 mov dword ptr ss:[ebp-78],1
0040646E . 0F80 64040000 jo Crackme2.004068D8
00406474 . 0FBFD1 movsx edx,cx
00406477 . 8B08 mov ecx,dword ptr ds:[eax] ; user name "hrbx"
00406479 . 52 push edx
0040647A . 51 push ecx
0040647B . 897D 80 mov dword ptr ss:[ebp-80],edi
0040647E . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr, take the second character of the user name, "r"
00406484 . 8BD0 mov edx,eax
00406486 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406489 . FFD6 call esi
0040648B . 50 push eax
0040648C . 6A 00 push 0
0040648E . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#537>]
00406494 . 8BD0 mov edx,eax
00406496 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00406499 . FFD6 call esi
0040649B . 50 push eax
0040649C . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>]
004064A2 . 8BD0 mov edx,eax
004064A4 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004064A7 . FFD6 call esi
004064A9 . 50 push eax
004064AA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of the second character
004064B0 . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0] ; EAX=0x72("r")
004064B6 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004064B9 . 66:8985 28FFFFFF mov word ptr ss:[ebp-D8],ax
004064C0 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
004064C6 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004064CC . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
004064CF . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
004064D2 . 52 push edx
004064D3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004064D6 . 50 push eax
004064D7 . 51 push ecx
004064D8 . 6A 03 push 3
004064DA . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
004064E0 . 83C4 10 add esp,10
004064E3 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004064E6 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
004064EC . 66:8BC3 mov ax,bx
004064EF . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004064F2 . 66:03C7 add ax,di
004064F5 . 52 push edx
004064F6 . 8B55 08 mov edx,dword ptr ss:[ebp+8]
004064F9 . C745 88 01000000 mov dword ptr ss:[ebp-78],1
00406500 . 0F80 D2030000 jo Crackme2.004068D8
00406506 . 0FBFC8 movsx ecx,ax
00406509 . 8B02 mov eax,dword ptr ds:[edx] ; "hrbx"
0040650B . 51 push ecx
0040650C . 897D 80 mov dword ptr ss:[ebp-80],edi
0040650F . 50 push eax
00406510 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr, take the third character of the user name, "b"
00406516 . 8BD0 mov edx,eax
00406518 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040651B . FFD6 call esi
0040651D . 50 push eax
0040651E . 6A 00 push 0
00406520 . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#537>]
00406526 . 8BD0 mov edx,eax
00406528 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040652B . FFD6 call esi
0040652D . 50 push eax
0040652E . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>]
00406534 . 8BD0 mov edx,eax
00406536 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00406539 . FFD6 call esi
0040653B . 50 push eax
0040653C . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the character's ASCII value
00406542 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60] ; EAX=0x62("b")
00406545 . 8945 B4 mov dword ptr ss:[ebp-4C],eax
00406548 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0040654B . 51 push ecx
0040654C . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
0040654F . 52 push edx
00406550 . 50 push eax
00406551 . 6A 03 push 3
00406553 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00406559 . 83C4 10 add esp,10
0040655C . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0040655F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406565 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00406568 . 8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
0040656E . 51 push ecx
0040656F . 8D45 80 lea eax,dword ptr ss:[ebp-80]
00406572 . 52 push edx
00406573 . 50 push eax
00406574 . C785 38FFFFFF 04>mov dword ptr ss:[ebp-C8],4 ; constant 4
0040657E . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi ; ASCII value of the first character, to be divided by 4
00406584 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>] ; 104(0x68)/4=26(0x1A)
0040658A . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00406590 . 50 push eax
00406591 . 51 push ecx
00406592 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>] ; truncate the result to an integer, 26(0x1A), call it value 1
00406598 . 50 push eax
00406599 . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
0040659F . 8945 E8 mov dword ptr ss:[ebp-18],eax
004065A2 . B8 10000000 mov eax,10 ; EAX=0x10(16)
004065A7 . 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
004065AD . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
004065B3 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004065B6 . 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004065BC . 52 push edx
004065BD . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004065C0 . 50 push eax
004065C1 . 51 push ecx
004065C2 . C785 38FFFFFF 03>mov dword ptr ss:[ebp-C8],3 ; constant 3
004065CC . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
004065D2 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
004065D8 . 89BD 10FFFFFF mov dword ptr ss:[ebp-F0],edi ; ASCII value of the first character AND 3
004065DE . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 0x68 and 3=0
004065E4 . 50 push eax
004065E5 . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0]
004065EB . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004065F1 . 52 push edx
004065F2 . 50 push eax ; multiply the AND result by the constant 0x10
004065F3 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 0x10*0 = 0
004065F9 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004065FC . 50 push eax
004065FD . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
00406603 . 51 push ecx
00406604 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0040660A . 52 push edx
0040660B . 50 push eax ; ASCII value of the second character "r" divided by 16(0x10)
0040660C . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>] ; 114(0x72)/16(0x10)=7.125
00406612 . 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
00406618 . 50 push eax
00406619 . 51 push ecx
0040661A . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>] ; truncate to an integer, 7
00406620 . 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
00406626 . 50 push eax
00406627 . 52 push edx
00406628 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; add the truncated quotient to the product above, 7+0=7, call it value 2
0040662E . 50 push eax
0040662F . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
00406635 . 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
0040663B . 8945 E0 mov dword ptr ss:[ebp-20],eax
0040663E . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406644 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00406647 . 8B08 mov ecx,dword ptr ds:[eax]
00406649 . 51 push ecx ; user name "hrbx"
0040664A . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; get the user name length, EAX=4
00406650 . 66:8BD3 mov dx,bx ; DX=BX=1
00406653 . 66:83C2 01 add dx,1 ; DX=DX+1
00406657 . 0F80 7B020000 jo Crackme2.004068D8
0040665D . 0FBFCA movsx ecx,dx ; ECX=DX=2
00406660 . 3BC1 cmp eax,ecx ; check whether the user name is exhausted
00406662 . 0F8C D5000000 jl Crackme2.0040673D ; continue if not exhausted
00406668 . 0FBF55 B4 movsx edx,word ptr ss:[ebp-4C] ; ASCII value of the third character "b", 0x62("b")
0040666C . 8995 FCFEFFFF mov dword ptr ss:[ebp-104],edx ; EDX=0x62
00406672 . C785 38FFFFFF 0F>mov dword ptr ss:[ebp-C8],0F
0040667C . DB85 FCFEFFFF fild dword ptr ss:[ebp-104] ; convert to a decimal real number, 98(0x62)
00406682 . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
00406688 . C785 28FFFFFF 04>mov dword ptr ss:[ebp-D8],4
00406692 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00406698 . DD9D F4FEFFFF fstp qword ptr ss:[ebp-10C] ; st=98.000000000000000000
0040669E . DD85 F4FEFFFF fld qword ptr ss:[ebp-10C]
004066A4 . 833D 00904000 00 cmp dword ptr ds:[409000],0
004066AB . 75 08 jnz short Crackme2.004066B5
004066AD . DC35 F8114000 fdiv qword ptr ds:[4011F8] ; 98/64=1.53125, ds:[4011F8]=64 (constant)
004066B3 . EB 11 jmp short Crackme2.004066C6
004066B5 > FF35 FC114000 push dword ptr ds:[4011FC]
004066BB . FF35 F8114000 push dword ptr ds:[4011F8]
004066C1 . E8 AEABFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004066C6 > DFE0 fstsw ax
004066C8 . A8 0D test al,0D
004066CA . 0F85 03020000 jnz Crackme2.004068D3
004066D0 . FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaFPInt>] ; truncate the quotient to an integer
004066D6 . DD9D 18FFFFFF fstp qword ptr ss:[ebp-E8] ; st=1.0000000000000000000
004066DC . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004066DF . 8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-D0]
004066E5 . 50 push eax
004066E6 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004066E9 . 51 push ecx
004066EA . 52 push edx
004066EB . C785 10FFFFFF 05>mov dword ptr ss:[ebp-F0],5 ; ASCII value of the second character "r", 0x72
004066F5 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 0x72 and 0F (constant), giving 2
004066FB . 50 push eax
004066FC . 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-E0]
00406702 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00406708 . 50 push eax
00406709 . 51 push ecx
0040670A . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; (AND result)*4, 2*4=8
00406710 . 50 push eax
00406711 . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
00406717 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0040671D . 52 push edx
0040671E . 50 push eax
0040671F . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; quotient plus product, 1+8=9, call it value 3
00406725 . 50 push eax
00406726 . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
0040672C . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
00406732 . 8945 CC mov dword ptr ss:[ebp-34],eax
00406735 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
0040673B . EB 07 jmp short Crackme2.00406744
0040673D > C745 CC FFFFFFFF mov dword ptr ss:[ebp-34],-1
00406744 > 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00406747 . 8B11 mov edx,dword ptr ds:[ecx] ; user name "hrbx"
00406749 . 52 push edx
0040674A . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; get the user name length, EAX=4
00406750 . 66:8BCB mov cx,bx ; CX=BX=1
00406753 . 66:03CF add cx,di ; CX=CX+DI=1+2=3
00406756 . 0F80 7C010000 jo Crackme2.004068D8
0040675C . 0FBFD1 movsx edx,cx ; EDX=CX=3
0040675F . 3BC2 cmp eax,edx ; check whether the user name is exhausted
00406761 . 7C 0B jl short Crackme2.0040676E ; continue if not exhausted
00406763 . 8B45 B4 mov eax,dword ptr ss:[ebp-4C] ; ASCII value of the third character "b", EAX=0x62
00406766 . 83E0 3F and eax,3F ; EAX=EAX AND 3F=0X22
00406769 . 8945 B8 mov dword ptr ss:[ebp-48],eax ; save EAX=0x22, call it value 4
0040676C . EB 07 jmp short Crackme2.00406775
0040676E > C745 B8 FFFFFFFF mov dword ptr ss:[ebp-48],-1
00406775 > 8B45 AC mov eax,dword ptr ss:[ebp-54]
00406778 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040677B . 50 push eax ; fixed string "DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
0040677C . 51 push ecx
0040677D . E8 5E010000 call Crackme2.004068E0 ; index the string with value 1, giving "y"
00406782 . 8BD0 mov edx,eax
00406784 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406787 . FFD6 call esi
00406789 . 50 push eax
0040678A . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; string concatenation, giving "y"
00406790 . 8BD0 mov edx,eax
00406792 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00406795 . FFD6 call esi
00406797 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0040679A . 50 push eax
0040679B . 52 push edx
0040679C . E8 3F010000 call Crackme2.004068E0 ; index the string with value 2, giving "X"
004067A1 . 8BD0 mov edx,eax
004067A3 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004067A6 . FFD6 call esi
004067A8 . 50 push eax
004067A9 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; string concatenation, giving "yX"
004067AF . 8BD0 mov edx,eax
004067B1 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004067B4 . FFD6 call esi
004067B6 . 50 push eax
004067B7 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
004067BA . 50 push eax
004067BB . E8 20010000 call Crackme2.004068E0 ; index the string with value 3, giving "J"
004067C0 . 8BD0 mov edx,eax
004067C2 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004067C5 . FFD6 call esi
004067C7 . 50 push eax
004067C8 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; string concatenation, giving "yXJ"
004067CE . 8BD0 mov edx,eax
004067D0 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
004067D3 . FFD6 call esi
004067D5 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004067D8 . 50 push eax
004067D9 . 51 push ecx
004067DA . E8 01010000 call Crackme2.004068E0 ; index the string with value 4, giving "f"
004067DF . 8BD0 mov edx,eax
004067E1 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004067E4 . FFD6 call esi
004067E6 . 50 push eax
004067E7 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; string concatenation, giving "yXJf"
004067ED . 8BD0 mov edx,eax
004067EF . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004067F2 . FFD6 call esi
004067F4 . 8D55 90 lea edx,dword ptr ss:[ebp-70]
004067F7 . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004067FA . 52 push edx
004067FB . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004067FE . 50 push eax
004067FF . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00406802 . 51 push ecx
00406803 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00406806 . 52 push edx
00406807 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040680A . 50 push eax
0040680B . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040680E . 51 push ecx
0040680F . 52 push edx
00406810 . 6A 07 push 7
00406812 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00406818 . B8 03000000 mov eax,3 ; EAX=3, three user name characters are consumed per iteration
0040681D . 83C4 20 add esp,20
00406820 . 66:03C3 add ax,bx ; EAX=EAX+EBX
00406823 . 0F80 AF000000 jo Crackme2.004068D8
00406829 . 8BD8 mov ebx,eax ; EBX=EAX
0040682B .^ E9 C2FBFFFF jmp Crackme2.004063F2 ; jump back to process the next user name characters
00406830 > 8B55 AC mov edx,dword ptr ss:[ebp-54] ; result string "yXJfdD"
00406833 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00406836 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]
0040683C . 9B wait
0040683D . 68 BD684000 push Crackme2.004068BD
00406842 . EB 5F jmp short Crackme2.004068A3
00406844 . F645 FC 04 test byte ptr ss:[ebp-4],4
00406848 . 74 09 je short Crackme2.00406853
```
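To check the analysis of key CALL-1, here is an added Python reimplementation (not the author's VB keygen and not part of the original post) of the first stage: the even-sum gate and the per-three-character encoding with the fixed 64-character table. The table is the one read from the listing; the cross-check against the standard library assumes the scheme is plain unpadded base64 with a remapped alphabet, which the traced values 26, 7, 9, 34 support, and names are assumed to be ASCII.

```python
import base64
from typing import List

# Fixed 64-character table read from the disassembly at 0040677B.
ALPHABET = "DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(ALPHABET) == 64 and len(set(ALPHABET)) == 64


def name_sum_is_even(name: str) -> bool:
    """Gate at 0040544E-0040548D: the sum of the name's ASCII values mod 2
    must be 0, otherwise the check bails out before key CALL-1."""
    return sum(name.encode("latin-1")) % 2 == 0


def stage1_indices(name: str) -> List[int]:
    """Sextet indices ('value 1' .. 'value 4' in the trace) computed by key
    CALL-1, three input characters per loop iteration (EBX += 3).

    A missing second or third character reads as Asc(Chr(0)) = 0 (the
    Mid$ & Chr$(0) pattern at 0040648C / 0040651E), and value 3 / value 4
    are skipped (-1) when the name is too short: exactly unpadded base64.
    Assumption: ASCII names, so latin-1 encoding matches VB's Asc()."""
    data = name.encode("latin-1")
    out: List[int] = []
    for i in range(0, len(data), 3):
        c1 = data[i]
        c2 = data[i + 1] if i + 1 < len(data) else 0
        c3 = data[i + 2] if i + 2 < len(data) else 0
        out.append(c1 // 4)                        # value 1: Int(c1 / 4)
        out.append((c1 & 3) * 16 + c2 // 16)       # value 2: (c1 And 3)*16 + Int(c2/16)
        if i + 1 < len(data):
            out.append((c2 & 0xF) * 4 + c3 // 64)  # value 3: (c2 And &HF)*4 + Int(c3/64)
        if i + 2 < len(data):
            out.append(c3 & 0x3F)                  # value 4: c3 And &H3F
    return out


def stage1_encode(name: str) -> str:
    """The string key CALL-1 returns, e.g. "yXJfdD" for "hrbx"."""
    return "".join(ALPHABET[v] for v in stage1_indices(name))


def stage1_via_base64(name: str) -> str:
    """Cross-check: standard base64 without '=' padding, alphabet remapped."""
    std = base64.b64encode(name.encode("latin-1")).decode().rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, ALPHABET))


if __name__ == "__main__":
    for n in ("hrbx", "hr", "h"):
        print(n, name_sum_is_even(n), stage1_indices(n),
              stage1_encode(n), stage1_via_base64(n))
```

The second stage (key call-2) is not reproduced here because the post shows only a handful of its substitution entries.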
- F7 into key call-2 at 00405517, arriving at:
- 00407250 $ 55 push ebp
- 00407251 . 8BEC mov ebp,esp
- .......................................................
- 省略部分代码
- .......................................................
- 0040729B . 51 push ecx ; 字符串"yXJfdD"
- 0040729C . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取字符串长度,EAX=6
- 004072A2 . 8BC8 mov ecx,eax ; ECX=EAX=6
- 004072A4 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
- 004072AA . 8B5D 10 mov ebx,dword ptr ss:[ebp+10]
- 004072AD . 8B35 10104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>>
- 004072B3 . 8B3D 18104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>
- 004072B9 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax ; 字符串长度保存
- 004072BF . C745 C8 01000000 mov dword ptr ss:[ebp-38],1
- 004072C6 > 66:8B95 60FFFFFF mov dx,word ptr ss:[ebp-A0]
- 004072CD . 66:3955 C8 cmp word ptr ss:[ebp-38],dx ; 比较是否取完字符串
- 004072D1 . 0F8F DD120000 jg Crackme2.004085B4
- 004072D7 . 8B45 0C mov eax,dword ptr ss:[ebp+C]
- 004072DA . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004072DD . 0FBF55 C8 movsx edx,word ptr ss:[ebp-38]
- 004072E1 . 8945 90 mov dword ptr ss:[ebp-70],eax
- 004072E4 . 51 push ecx
- 004072E5 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 004072E8 . 52 push edx
- 004072E9 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
- 004072EC . 50 push eax
- 004072ED . 51 push ecx
- 004072EE . C745 B0 01000000 mov dword ptr ss:[ebp-50],1
- 004072F5 . C745 A8 02000000 mov dword ptr ss:[ebp-58],2
- 004072FC . C745 88 08400000 mov dword ptr ss:[ebp-78],4008
- 00407303 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取字符串每一位字符
- 00407309 . 8D55 98 lea edx,dword ptr ss:[ebp-68] ; 第一位字符"y"
- 0040730C . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 0040730F . FFD6 call esi
- 00407311 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407314 . FFD7 call edi
- 00407316 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
- 00407319 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
- 0040731F . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>]
- 00407325 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 0040732B . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 0040732E . 52 push edx
- 0040732F . 50 push eax
- 00407330 . C745 90 60414000 mov dword ptr ss:[ebp-70],Crackme2.00404160
- 00407337 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 0040733E . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"a"
- 00407344 . 66:85C0 test ax,ax
- 00407347 . 74 23 je short Crackme2.0040736C ; 不是则跳
- 00407349 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040734C . 53 push ebx
- 0040734D . 51 push ecx
- 0040734E . E8 EDEEFFFF call Crackme2.00406240
- 00407353 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407356 . FFD7 call edi
- 00407358 . 68 68414000 push Crackme2.00404168 ; 字符若为"a",则取地址00404168的字符"B"
- 0040735D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"B"的ASCII值
- 00407363 . 66:05 B900 add ax,0B9 ; AX=AX+0B9
- 00407367 . E9 FF110000 jmp Crackme2.0040856B
- 0040736C > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 00407372 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 00407375 . 52 push edx
- 00407376 . 50 push eax
- 00407377 . C745 90 70414000 mov dword ptr ss:[ebp-70],Crackme2.00404170
- 0040737E . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 00407385 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"b"
- 0040738B . 66:85C0 test ax,ax
- 0040738E . 74 23 je short Crackme2.004073B3 ; 不是则跳
- 00407390 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407393 . 53 push ebx
- 00407394 . 51 push ecx
- 00407395 . E8 A6EEFFFF call Crackme2.00406240
- 0040739A . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040739D . FFD7 call edi
- 0040739F . 68 78414000 push Crackme2.00404178 ; 字符若为"b",则取地址00404178的字符"8"
- 004073A4 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"8"的ASCII值
- 004073AA . 66:05 8C00 add ax,8C ; AX=AX+8C
- 004073AE . E9 B8110000 jmp Crackme2.0040856B
- 004073B3 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 004073B9 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 004073BC . 52 push edx
- 004073BD . 50 push eax
- 004073BE . C745 90 80414000 mov dword ptr ss:[ebp-70],Crackme2.00404180
- 004073C5 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 004073CC . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"c"
- 004073D2 . 66:85C0 test ax,ax
- 004073D5 . 74 23 je short Crackme2.004073FA ; 不是则跳
- 004073D7 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004073DA . 53 push ebx
- 004073DB . 51 push ecx
- 004073DC . E8 5FEEFFFF call Crackme2.00406240
- 004073E1 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004073E4 . FFD7 call edi
- 004073E6 . 68 68414000 push Crackme2.00404168 ; 字符若为"c",则取地址00404168的字符"B"
- 004073EB . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"B"的ASCII值
- 004073F1 . 66:05 B500 add ax,0B5 ; AX=AX+0B5
- 004073F5 . E9 71110000 jmp Crackme2.0040856B
- 004073FA > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- .......................................................
- 省略部分代码
- .......................................................
- 00407A74 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"A"
- 00407A7A . 66:85C0 test ax,ax
- 00407A7D . 74 23 je short Crackme2.00407AA2 ; 不是则跳
- 00407A7F . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407A82 . 53 push ebx
- 00407A83 . 51 push ecx
- 00407A84 . E8 B7E7FFFF call Crackme2.00406240
- 00407A89 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407A8C . FFD7 call edi
- 00407A8E . 68 48424000 push Crackme2.00404248 ; 字符若为"A",则取地址00404248的字符"5"
- 00407A93 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"5"的ASCII值
- 00407A99 . 66:05 5A00 add ax,5A ; AX=AX+5A
- 00407A9D . E9 C90A0000 jmp Crackme2.0040856B
- 00407AA2 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 00407AA8 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 00407AAB . 52 push edx
- 00407AAC . 50 push eax
- 00407AAD . C745 90 68414000 mov dword ptr ss:[ebp-70],Crackme2.00404168
- 00407AB4 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 00407ABB . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "B"?
- 00407AC1 . 66:85C0 test ax,ax
- 00407AC4 . 74 23 je short Crackme2.00407AE9 ; jump if not
- 00407AC6 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407AC9 . 53 push ebx
- 00407ACA . 51 push ecx
- 00407ACB . E8 70E7FFFF call Crackme2.00406240
- 00407AD0 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00407AD3 . FFD7 call edi
- 00407AD5 . 68 A03E4000 push Crackme2.00403EA0 ; if the character is "B", take the character "F" at address 00403EA0
- 00407ADA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "F"
- 00407AE0 . 66:05 F500 add ax,0F5 ; AX=AX+0F5
- 00407AE4 . E9 820A0000 jmp Crackme2.0040856B
- 00407AE9 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 00407AEF . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- .......................................................
- Some code omitted
- .......................................................
- 00408191 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 00408197 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 0040819A . 52 push edx
- 0040819B . 50 push eax
- 0040819C . C745 90 68424000 mov dword ptr ss:[ebp-70],Crackme2.00404268
- 004081A3 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 004081AA . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "1"?
- 004081B0 . 66:85C0 test ax,ax
- 004081B3 . 74 23 je short Crackme2.004081D8 ; jump if not
- 004081B5 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004081B8 . 53 push ebx
- 004081B9 . 51 push ecx
- 004081BA . E8 81E0FFFF call Crackme2.00406240
- 004081BF . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004081C2 . FFD7 call edi
- 004081C4 . 68 D4404000 push Crackme2.004040D4 ; if the character is "1", take the character "D" at address 004040D4
- 004081C9 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "D"
- 004081CF . 66:05 DA00 add ax,0DA ; AX=AX+0DA
- 004081D3 . E9 93030000 jmp Crackme2.0040856B
- 004081D8 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 004081DE . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 004081E1 . 52 push edx
- 004081E2 . 50 push eax
- 004081E3 . C745 90 98414000 mov dword ptr ss:[ebp-70],Crackme2.00404198
- 004081EA . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 004081F1 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "2"?
- 004081F7 . 66:85C0 test ax,ax
- 004081FA . 74 23 je short Crackme2.0040821F ; jump if not
- 004081FC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004081FF . 53 push ebx
- 00408200 . 51 push ecx
- 00408201 . E8 3AE0FFFF call Crackme2.00406240
- 00408206 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00408209 . FFD7 call edi
- 0040820B . 68 90414000 push Crackme2.00404190 ; if the character is "2", take the character "3" at address 00404190
- 00408210 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "3"
- 00408216 . 66:05 3C00 add ax,3C ; AX=AX+3C
- 0040821A . E9 4C030000 jmp Crackme2.0040856B
- .......................................................
- Some code omitted
- .......................................................
- 00408470 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "#"?
- 00408476 . 66:85C0 test ax,ax
- 00408479 . 74 23 je short Crackme2.0040849E ; jump if not
- 0040847B . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040847E . 53 push ebx
- 0040847F . 51 push ecx
- 00408480 . E8 BBDDFFFF call Crackme2.00406240
- 00408485 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00408488 . FFD7 call edi
- 0040848A . 68 28424000 push Crackme2.00404228 ; if the character is "#", take the character "E" at address 00404228
- 0040848F . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "E"
- 00408495 . 66:05 EB00 add ax,0EB ; AX=AX+0EB
- 00408499 . E9 CD000000 jmp Crackme2.0040856B
- 0040849E > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 004084A4 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 004084A7 . 52 push edx
- 004084A8 . 50 push eax
- 004084A9 . C745 90 08434000 mov dword ptr ss:[ebp-70],Crackme2.00404308
- 004084B0 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 004084B7 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "^"?
- 004084BD . 66:85C0 test ax,ax
- 004084C0 . 74 23 je short Crackme2.004084E5 ; jump if not
- 004084C2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004084C5 . 53 push ebx
- 004084C6 . 51 push ecx
- 004084C7 . E8 74DDFFFF call Crackme2.00406240
- 004084CC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004084CF . FFD7 call edi
- 004084D1 . 68 A03E4000 push Crackme2.00403EA0 ; if the character is "^", take the character "F" at address 00403EA0
- 004084D6 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "F"
- 004084DC . 66:05 FB00 add ax,0FB ; AX=AX+0FB
- 004084E0 . E9 86000000 jmp Crackme2.0040856B
- 004084E5 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 004084EB . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 004084EE . 52 push edx
- 004084EF . 50 push eax
- 004084F0 . C745 90 10434000 mov dword ptr ss:[ebp-70],Crackme2.00404310
- 004084F7 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 004084FE . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "$"?
- 00408504 . 66:85C0 test ax,ax
- 00408507 . 74 20 je short Crackme2.00408529 ; jump if not
- 00408509 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040850C . 53 push ebx
- 0040850D . 51 push ecx
- 0040850E . E8 2DDDFFFF call Crackme2.00406240
- 00408513 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00408516 . FFD7 call edi
- 00408518 . 68 28424000 push Crackme2.00404228 ; if the character is "$", take the character "E" at address 00404228
- 0040851D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "E"
- 00408523 . 66:05 E500 add ax,0E5 ; AX=AX+0E5
- 00408527 . EB 42 jmp short Crackme2.0040856B
- 00408529 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 0040852F . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 00408532 . 52 push edx
- 00408533 . 50 push eax
- 00408534 . C745 90 18434000 mov dword ptr ss:[ebp-70],Crackme2.00404318
- 0040853B . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
- 00408542 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare: is the extracted character "&"?
- 00408548 . 66:85C0 test ax,ax
- 0040854B . 74 48 je short Crackme2.00408595 ; jump if not
- 0040854D . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 00408550 . 53 push ebx
- 00408551 . 51 push ecx
- 00408552 . E8 E9DCFFFF call Crackme2.00406240
- 00408557 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040855A . FFD7 call edi
- 0040855C . 68 9C3F4000 push Crackme2.00403F9C ; if the character is "&", take the character "C" at address 00403F9C
- 00408561 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the ASCII value of "C"
- 00408567 . 66:05 C200 add ax,0C2 ; AX=AX+0C2
- 0040856B > 0F80 B5000000 jo Crackme2.00408626
- 00408571 . 66:8945 90 mov word ptr ss:[ebp-70],ax ; save AX
- 00408575 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
- 00408578 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
- 0040857B . 52 push edx
- 0040857C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040857F . 50 push eax
- 00408580 . 51 push ecx
- 00408581 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
- 00408588 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; convert each AX value to its decimal string form and append it
- 0040858E . 8BD0 mov edx,eax
- 00408590 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 00408593 . FFD6 call esi
- 00408595 > 8D55 DC lea edx,dword ptr ss:[ebp-24]
- 00408598 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
- 0040859B . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>]
- 004085A1 . B8 01000000 mov eax,1
- 004085A6 . 66:0345 C8 add ax,word ptr ss:[ebp-38]
- 004085AA . 70 7A jo short Crackme2.00408626
- 004085AC . 8945 C8 mov dword ptr ss:[ebp-38],eax
- 004085AF .^ E9 12EDFFFF jmp Crackme2.004072C6
- 004085B4 > 68 F7854000 push Crackme2.004085F7
- 004085B9 . EB 23 jmp short Crackme2.004085DE
- 004085BB . F645 FC 04 test byte ptr ss:[ebp-4],4
- 004085BF . 74 09 je short Crackme2.004085CA
- 004085C1 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
- 004085C4 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
- 004085CA > 8D55 98 lea edx,dword ptr ss:[ebp-68]
- 004085CD . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
- 004085D0 . 52 push edx
- 004085D1 . 50 push eax
- 004085D2 . 6A 02 push 2
- 004085D4 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 004085DA . 83C4 0C add esp,0C
- 004085DD . C3 retn
- 004085DE > \8B35 18104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>
- 004085E4 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
- 004085EA . FFD6 call esi
- 004085EC . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 004085EF . FFD6 call esi
- 004085F1 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 004085F4 . FFD6 call esi
- 004085F6 . C3 retn
- 004085F7 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
- 004085FA . 8B55 B8 mov edx,dword ptr ss:[ebp-48]
- 004085FD . 8BC8 mov ecx,eax
- 004085FF . 5F pop edi
- 00408600 . 5E pop esi
- 00408601 . 5B pop ebx
- 00408602 . 8911 mov dword ptr ds:[ecx],edx
- 00408604 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
- 00408607 . 8951 04 mov dword ptr ds:[ecx+4],edx
- 0040860A . 8B55 C0 mov edx,dword ptr ss:[ebp-40]
- 0040860D . 8951 08 mov dword ptr ds:[ecx+8],edx ; real serial "283233302113112268"; memory keygen point
- 00408610 . 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
- 00408613 . 8951 0C mov dword ptr ds:[ecx+C],edx
- 00408616 . 8B4D EC mov ecx,dword ptr ss:[ebp-14]
- 00408619 . 64:890D 00000000 mov dword ptr fs:[0],ecx
- 00408620 . 8BE5 mov esp,ebp
- 00408622 . 5D pop ebp
- 00408623 . C2 0C00 retn 0C
- If the sum of the user name's ASCII values is odd, execution arrives at the following location (assume the user name "hrby"):
- 004057A5 > \8B16 mov edx,dword ptr ds:[esi] ; jumps here when the ASCII sum of the user name is odd
- 004057A7 . 56 push esi
- 004057A8 . FF92 10030000 call dword ptr ds:[edx+310]
- 004057AE . 50 push eax
- 004057AF . 8D45 AC lea eax,dword ptr ss:[ebp-54]
- 004057B2 . 50 push eax
- 004057B3 . FFD3 call ebx
- 004057B5 . 8BF8 mov edi,eax
- 004057B7 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
- 004057BA . 52 push edx
- 004057BB . 57 push edi
- 004057BC . 8B0F mov ecx,dword ptr ds:[edi]
- 004057BE . FF91 A0000000 call dword ptr ds:[ecx+A0]
- 004057C4 . 85C0 test eax,eax
- 004057C6 . DBE2 fclex
- 004057C8 . 7D 12 jge short Crackme2.004057DC
- 004057CA . 68 A0000000 push 0A0
- 004057CF . 68 743D4000 push Crackme2.00403D74
- 004057D4 . 57 push edi
- 004057D5 . 50 push eax
- 004057D6 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
- 004057DC > 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; user name "hrby"
- 004057DF . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
- 004057E2 . 8945 A0 mov dword ptr ss:[ebp-60],eax
- 004057E5 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
- 004057E8 . 50 push eax
- 004057E9 . 51 push ecx
- 004057EA . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
- 004057F1 . C745 98 08000000 mov dword ptr ss:[ebp-68],8
- 004057F8 . E8 B3110000 call Crackme2.004069B0 ; key CALL-3, F7 to step in
- 004057FD . 8D55 88 lea edx,dword ptr ss:[ebp-78]
- 00405800 . C785 34FFFFFF 09>mov dword ptr ss:[ebp-CC],9
- 0040580A . 52 push edx
- 0040580B . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
- 00405811 . 8BD0 mov edx,eax ; yields the string "27B8066481EB68098F8A0DB8266588"
- 00405813 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 00405816 . FF15 38114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
- 0040581C . 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
- 00405822 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 00405825 . 50 push eax
- 00405826 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
- 0040582C . 51 push ecx
- 0040582D . 52 push edx
- 0040582E . E8 1D1A0000 call Crackme2.00407250 ; same as key CALL-2, see the analysis above
- 00405833 . 8B06 mov eax,dword ptr ds:[esi]
- 00405835 . 56 push esi
- 00405836 . FF90 18030000 call dword ptr ds:[eax+318]
- 0040583C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 0040583F . 50 push eax
- 00405840 . 51 push ecx
- 00405841 . FFD3 call ebx
- 00405843 . 8BF8 mov edi,eax
- 00405845 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
- 00405848 . 50 push eax
- 00405849 . 57 push edi
- 0040584A . 8B17 mov edx,dword ptr ds:[edi]
- 0040584C . FF92 A0000000 call dword ptr ds:[edx+A0]
- 00405852 . 85C0 test eax,eax
- 00405854 . DBE2 fclex
- 00405856 . 7D 12 jge short Crackme2.0040586A
- 00405858 . 68 A0000000 push 0A0
- 0040585D . 68 743D4000 push Crackme2.00403D74
- 00405862 . 57 push edi
- 00405863 . 50 push eax
- 00405864 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
- 0040586A > 8B45 B8 mov eax,dword ptr ss:[ebp-48]
- 0040586D . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
- 00405873 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 00405879 . 51 push ecx
- 0040587A . 52 push edx
- 0040587B . C745 B8 00000000 mov dword ptr ss:[ebp-48],0
- 00405882 . 8985 70FFFFFF mov dword ptr ss:[ebp-90],eax
- 00405888 . C785 68FFFFFF 08>mov dword ptr ss:[ebp-98],8008
- 00405892 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; compare the real serial with the entered one
- 00405898 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 0040589B . 8BF8 mov edi,eax
- 0040589D . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 004058A3 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
- 004058A6 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
- 004058A9 . 50 push eax
- 004058AA . 51 push ecx
- 004058AB . 6A 02 push 2
- 004058AD . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
- 004058B3 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 004058B9 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
- 004058BF . 52 push edx
- 004058C0 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
- 004058C3 . 50 push eax
- 004058C4 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
- 004058C7 . 51 push ecx
- 004058C8 . 52 push edx
- 004058C9 . 6A 04 push 4
- 004058CB . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 004058D1 . 83C4 20 add esp,20
- 004058D4 . 66:85FF test di,di
- 004058D7 . 0F84 85010000 je Crackme2.00405A62 ; patch point 2, NOP it out
- 004058DD . A1 10904000 mov eax,dword ptr ds:[409010]
- 004058E2 . 85C0 test eax,eax
- 004058E4 . 75 10 jnz short Crackme2.004058F6
- F7 into key CALL-3 at 004057F8, arriving at:
- 004069B0 $ 55 push ebp
- .......................................................
- Some code omitted
- .......................................................
- 00406A62 . 8985 78FEFFFF mov dword ptr ss:[ebp-188],eax
- 00406A68 . C785 20FFFFFF 14>mov dword ptr ss:[ebp-E0],14 ; constant 0x14 (20)
- 00406A72 . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],2
- 00406A7C . FFD6 call esi
- 00406A7E . 8B7D 0C mov edi,dword ptr ss:[ebp+C]
- 00406A81 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
- 00406A87 . 50 push eax
- 00406A88 . 8BD7 mov edx,edi
- 00406A8A . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
- 00406A90 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
- 00406A96 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
- 00406A9C . 50 push eax
- 00406A9D . 51 push ecx
- 00406A9E . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; get the length of the user name "hrby": 4
- 00406AA4 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
- 00406AAA . 50 push eax
- 00406AAB . 52 push edx
- 00406AAC . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x14-4=0x10, i.e. 0x14 minus the user name length
- 00406AB2 . 8BD0 mov edx,eax
- 00406AB4 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
- 00406AB7 . FFD6 call esi
- 00406AB9 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
- 00406ABC . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
- 00406AC2 . 50 push eax
- 00406AC3 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
- 00406AC9 . BB 01000000 mov ebx,1
- 00406ACE . 51 push ecx
- 00406ACF . 52 push edx
- 00406AD0 . 899D 20FFFFFF mov dword ptr ss:[ebp-E0],ebx
- 00406AD6 . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],8002
- 00406AE0 . FF15 0C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCmpLt>]
- 00406AE6 . 50 push eax
- 00406AE7 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
- 00406AED . 50 push eax
- 00406AEE . FF15 08114000 call dword ptr ds:[<&MSVBVM60.__vbaVarNot>]
- 00406AF4 . 50 push eax
- 00406AF5 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaBoolVarNull>
- 00406AFB . 66:85C0 test ax,ax
- 00406AFE . 0F84 AF000000 je Crackme2.00406BB3
- 00406B04 . B8 02000000 mov eax,2
- 00406B09 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
- 00406B0F . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
- 00406B15 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
- 00406B1B . 8D55 9C lea edx,dword ptr ss:[ebp-64]
- 00406B1E . 51 push ecx
- 00406B1F . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
- 00406B25 . 52 push edx
- 00406B26 . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
- 00406B2C . 50 push eax
- 00406B2D . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
- 00406B33 . 51 push ecx
- 00406B34 . 8D45 AC lea eax,dword ptr ss:[ebp-54]
- 00406B37 . 52 push edx
- 00406B38 . 50 push eax
- 00406B39 . 899D 20FFFFFF mov dword ptr ss:[ebp-E0],ebx
- 00406B3F . 899D 10FFFFFF mov dword ptr ss:[ebp-F0],ebx
- 00406B45 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
- 00406B4B . 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarForNe>
- 00406B51 > 85C0 test eax,eax
- 00406B53 . 74 64 je short Crackme2.00406BB9
- 00406B55 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
- 00406B5B . 6A 15 push 15 ; constant 0x15
- 00406B5D . 51 push ecx
- 00406B5E . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.#608>]
- 00406B64 . 8BD7 mov edx,edi
- 00406B66 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
- 00406B6C . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
- 00406B72 . 50 push eax
- 00406B73 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
- 00406B79 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
- 00406B7F . 52 push edx
- 00406B80 . 50 push eax
- 00406B81 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; append 0x10 (16) copies of the constant 0x15 to the user name
- 00406B87 . 8BD0 mov edx,eax
- 00406B89 . 8BCF mov ecx,edi
- 00406B8B . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaVargVarMove>
- 00406B91 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
- 00406B97 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
- 00406B9D . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
- 00406BA3 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
- 00406BA9 . 51 push ecx
- 00406BAA . 8D45 AC lea eax,dword ptr ss:[ebp-54]
- 00406BAD . 52 push edx
- 00406BAE . 50 push eax
- 00406BAF . FFD3 call ebx
- 00406BB1 .^ EB 9E jmp short Crackme2.00406B51
- 00406BB3 > 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarForNe>
- 00406BB9 > 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
- 00406BBF . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
- 00406BC2 . C785 20FFFFFF 01>mov dword ptr ss:[ebp-E0],1
- 00406BCC . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],2
- 00406BD6 . FFD6 call esi
- 00406BD8 . B9 01000000 mov ecx,1
- 00406BDD . B8 02000000 mov eax,2
- 00406BE2 . 898D 20FFFFFF mov dword ptr ss:[ebp-E0],ecx
- 00406BE8 . 898D 10FFFFFF mov dword ptr ss:[ebp-F0],ecx
- 00406BEE . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
- 00406BF4 . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
- 00406BFA . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
- 00406C00 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
- 00406C06 . 51 push ecx
- 00406C07 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
- 00406C0D . 52 push edx
- 00406C0E . 8D8D B8FEFFFF lea ecx,dword ptr ss:[ebp-148]
- 00406C14 . 50 push eax
- 00406C15 . 8D95 C8FEFFFF lea edx,dword ptr ss:[ebp-138]
- 00406C1B . 51 push ecx
- 00406C1C . 8D45 BC lea eax,dword ptr ss:[ebp-44]
- 00406C1F . 52 push edx
- 00406C20 . 50 push eax
- 00406C21 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
- 00406C27 > 85C0 test eax,eax
- 00406C29 . 0F84 EE000000 je Crackme2.00406D1D
- 00406C2F . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
- 00406C35 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
- 00406C38 . 51 push ecx
- 00406C39 . 52 push edx
- 00406C3A . C785 60FFFFFF 01>mov dword ptr ss:[ebp-A0],1
- 00406C44 . C785 58FFFFFF 02>mov dword ptr ss:[ebp-A8],2
- 00406C4E . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 00406C54 . 50 push eax
- 00406C55 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
- 00406C5B . 57 push edi
- 00406C5C . 50 push eax
- 00406C5D . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar, loop over each character of the user name, here "h"
- 00406C63 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
- 00406C69 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 00406C6F . 51 push ecx
- 00406C70 . 52 push edx
- 00406C71 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
- 00406C77 . 50 push eax
- 00406C78 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the character's ASCII value
- 00406C7E . 66:8985 10FFFFFF mov word ptr ss:[ebp-F0],ax ; EAX=68("h")
- 00406C85 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
- 00406C8B . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
- 00406C91 . 50 push eax
- 00406C92 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
- 00406C95 . 51 push ecx
- 00406C96 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
- 00406C9C . 52 push edx
- 00406C9D . 50 push eax
- 00406C9E . C785 08FFFFFF 02>mov dword ptr ss:[ebp-F8],2
- 00406CA8 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; character's ASCII value * its position in the user name
- 00406CAE . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8] ; 0x68*1=0x68
- 00406CB4 . 50 push eax
- 00406CB5 . 51 push ecx
- 00406CB6 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 0x68+0x14=7C, the product above plus the constant 0x14
- 00406CBC . 8BD0 mov edx,eax
- 00406CBE . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 00406CC1 . FFD6 call esi
- 00406CC3 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
- 00406CC9 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 00406CCF . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
- 00406CD5 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
- 00406CDB . 52 push edx
- 00406CDC . 50 push eax
- 00406CDD . 6A 02 push 2
- 00406CDF . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 00406CE5 . 83C4 0C add esp,0C
- 00406CE8 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
- 00406CEB . 8D55 DC lea edx,dword ptr ss:[ebp-24]
- 00406CEE . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
- 00406CF4 . 51 push ecx
- 00406CF5 . 52 push edx
- 00406CF6 . 50 push eax
- 00406CF7 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; multiply together the per-character results over the user name padded with 0x15
- 00406CFD . 8BD0 mov edx,eax ; the product converted to the string "2.77760626153406E+48"
- 00406CFF . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
- 00406D02 . FFD6 call esi
- 00406D04 . 8D8D B8FEFFFF lea ecx,dword ptr ss:[ebp-148]
- 00406D0A . 8D95 C8FEFFFF lea edx,dword ptr ss:[ebp-138]
- 00406D10 . 51 push ecx
- 00406D11 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
- 00406D14 . 52 push edx
- 00406D15 . 50 push eax
- 00406D16 . FFD3 call ebx
- 00406D18 .^ E9 0AFFFFFF jmp Crackme2.00406C27
- 00406D1D > 8D55 8C lea edx,dword ptr ss:[ebp-74]
- 00406D20 . 8BCF mov ecx,edi
- 00406D22 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaVargVarCopy>
- 00406D28 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
- 00406D2E . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
- 00406D31 . C785 18FFFFFF 00>mov dword ptr ss:[ebp-E8],0
- 00406D3B . FFD6 call esi
- 00406D3D . B9 01000000 mov ecx,1
- 00406D42 . B8 02000000 mov eax,2
- 00406D47 . 898D 10FFFFFF mov dword ptr ss:[ebp-F0],ecx
- 00406D4D . 898D 00FFFFFF mov dword ptr ss:[ebp-100],ecx
- 00406D53 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
- 00406D59 . 8BD7 mov edx,edi
- 00406D5B . 51 push ecx
- 00406D5C . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
- 00406D62 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
- 00406D68 . 8985 F8FEFFFF mov dword ptr ss:[ebp-108],eax
- 00406D6E . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
- 00406D74 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
- 00406D7A . 50 push eax
- 00406D7B . 52 push edx
- 00406D7C . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; get the length of the string "2.77760626153406E+48"
- 00406D82 . 50 push eax ; EAX=0X14(20)
- 00406D83 . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-108]
- 00406D89 . 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-168]
- 00406D8F . 50 push eax
- 00406D90 . 8D95 A8FEFFFF lea edx,dword ptr ss:[ebp-158]
- 00406D96 . 51 push ecx
- 00406D97 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
- 00406D9D . 52 push edx
- 00406D9E . 50 push eax
- 00406D9F . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
- 00406DA5 > 85C0 test eax,eax
- 00406DA7 . 0F84 A5000000 je Crackme2.00406E52
- 00406DAD . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
- 00406DB3 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
- 00406DB9 . 51 push ecx
- 00406DBA . 52 push edx
- 00406DBB . C785 60FFFFFF 03>mov dword ptr ss:[ebp-A0],3 ; constant 3
- 00406DC5 . C785 58FFFFFF 02>mov dword ptr ss:[ebp-A8],2
- 00406DCF . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 00406DD5 . 50 push eax
- 00406DD6 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
- 00406DDC . 57 push edi
- 00406DDD . 50 push eax ; "2.77760626153406E+48"
- 00406DDE . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar, take 3 characters each time
- 00406DE4 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8] ; first pass takes the first 3 characters, "2.7"
- 00406DEA . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
- 00406DF0 . 51 push ecx
- 00406DF1 . 52 push edx
- 00406DF2 . E8 59020000 call Crackme2.00407050 ; key CALL-4, F7 to step in
- 00406DF7 . 8D45 8C lea eax,dword ptr ss:[ebp-74]
- 00406DFA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
- 00406E00 . 50 push eax
- 00406E01 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
- 00406E07 . 51 push ecx
- 00406E08 . 52 push edx
- 00406E09 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate the string obtained in each pass: "7B34F71A9387A2387
- 00406E0F . 8BD0 mov edx,eax ; A22879B8850567684A8511E7B669850B978EF78
- 00406E11 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74] ; 2A707DCB0802367685D8587FA98506A438148838"
- 00406E14 . FFD6 call esi
- 00406E16 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
- 00406E1C . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
- 00406E22 . 50 push eax
- 00406E23 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
- 00406E29 . 51 push ecx
- 00406E2A . 52 push edx
- 00406E2B . 6A 03 push 3
- 00406E2D . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 00406E33 . 83C4 10 add esp,10
- 00406E36 . 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-168]
- 00406E3C . 8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-158]
- 00406E42 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
- 00406E48 . 50 push eax
- 00406E49 . 51 push ecx
- 00406E4A . 52 push edx
- 00406E4B . FFD3 call ebx
- 00406E4D .^ E9 53FFFFFF jmp Crackme2.00406DA5
- 00406E52 > 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
- 00406E58 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
- 00406E5B . 50 push eax
- 00406E5C . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
- 00406E62 . BF 02000000 mov edi,2 ; EDI=2
- 00406E67 . 51 push ecx
- 00406E68 . 52 push edx
- 00406E69 . 89BD 10FFFFFF mov dword ptr ss:[ebp-F0],edi
- 00406E6F . 89BD 08FFFFFF mov dword ptr ss:[ebp-F8],edi
- 00406E75 . C785 20FFFFFF 12>mov dword ptr ss:[ebp-E0],12 ; constant 0x12
- 00406E7F . 89BD 18FFFFFF mov dword ptr ss:[ebp-E8],edi
- 00406E85 . C785 00FFFFFF 14>mov dword ptr ss:[ebp-100],14 ; constant 0x14
- 00406E8F . 89BD F8FEFFFF mov dword ptr ss:[ebp-108],edi ; "7B34F71A9387A2387A22879B8850567684A8511E7B669850B978EF782A707DCB0802367685D8587FA98506A438148838"
- 00406E95 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; get the string length, 0x60
- 00406E9B . 50 push eax
- 00406E9C . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-E8]
- 00406EA2 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
- 00406EA8 . 50 push eax
- 00406EA9 . 51 push ecx
- 00406EAA . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x60-0x12=0x4E(78)
- 00406EB0 . 50 push eax
- 00406EB1 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
- 00406EB7 . 8D85 78FEFFFF lea eax,dword ptr ss:[ebp-188]
- 00406EBD . 52 push edx
- 00406EBE . 8D8D 88FEFFFF lea ecx,dword ptr ss:[ebp-178]
- 00406EC4 . 50 push eax
- 00406EC5 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
- 00406ECB . 51 push ecx
- 00406ECC . 52 push edx
- 00406ECD . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
- 00406ED3 > 85C0 test eax,eax
- 00406ED5 . 0F84 89000000 je Crackme2.00406F64
- 00406EDB . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
- 00406EE1 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
- 00406EE7 . 50 push eax
- 00406EE8 . 51 push ecx
- 00406EE9 . C785 60FFFFFF 01>mov dword ptr ss:[ebp-A0],1
- 00406EF3 . 89BD 58FFFFFF mov dword ptr ss:[ebp-A8],edi
- 00406EF9 . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 00406EFF . 50 push eax ; EAX=0x14
- 00406F00 . 8D55 8C lea edx,dword ptr ss:[ebp-74]
- 00406F03 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
- 00406F09 . 52 push edx
- 00406F0A . 50 push eax
- 00406F0B . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar, loop over the string's characters
- 00406F11 . 8D4D CC lea ecx,dword ptr ss:[ebp-34] ; starting at position 0x14 (20), take every other character
- 00406F14 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8] ; up to position 0x60-0x12=0x4E (78)
- 00406F1A . 51 push ecx
- 00406F1B . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
- 00406F21 . 52 push edx
- 00406F22 . 50 push eax
- 00406F23 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenate the extracted characters, giving
- 00406F29 . 8BD0 mov edx,eax ; "27B8066481EB68098F8A0DB8266588"
- 00406F2B . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 00406F2E . FFD6 call esi
- F7 into key CALL-4 at 00406DF2, arriving at:
- 00407050 $ 55 push ebp
- .......................................................
- Some code omitted
- .......................................................
- 004070D7 . 51 push ecx
- 004070D8 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; get the length of the string "2.7": 3
- 004070DE . 50 push eax
- 004070DF . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
- 004070E5 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
- 004070EB . 52 push edx
- 004070EC . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
- 004070F2 . 50 push eax
- 004070F3 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
- 004070F6 . 51 push ecx
- 004070F7 . 52 push edx
- 004070F8 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
- 004070FE . 8B35 10104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>>
- 00407104 > 85C0 test eax,eax
- 00407106 . 0F84 97000000 je Crackme2.004071A3
- 0040710C . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
- 0040710F . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 00407112 . 50 push eax
- 00407113 . 51 push ecx
- 00407114 . C745 C0 01000000 mov dword ptr ss:[ebp-40],1
- 0040711B . 895D B8 mov dword ptr ss:[ebp-48],ebx
- 0040711E . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
- 00407124 . 50 push eax
- 00407125 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 00407128 . 57 push edi
- 00407129 . 52 push edx
- 0040712A . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar, loop over each character of the string
- 00407130 . 8D45 A8 lea eax,dword ptr ss:[ebp-58] ; first character of "2.7": "2"
- 00407133 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 00407136 . 50 push eax
- 00407137 . 51 push ecx
- 00407138 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
- 0040713E . 50 push eax
- 0040713F . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr, get the character's ASCII value
- 00407145 . 66:8945 80 mov word ptr ss:[ebp-80],ax ; EAX=32("2")
- 00407149 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
- 0040714C . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
- 00407152 . 52 push edx
- 00407153 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
- 00407156 . 50 push eax
- 00407157 . 51 push ecx
- 00407158 . 899D 78FFFFFF mov dword ptr ss:[ebp-88],ebx
- 0040715E . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; concatenation: each character's ASCII value written in decimal and appended
- 00407164 . 8BD0 mov edx,eax ; gives 504655
- 00407166 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 00407169 . FFD6 call esi
- 0040716B . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 0040716E . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 00407174 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
- 00407177 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
- 0040717A . 52 push edx
- 0040717B . 50 push eax
- 0040717C . 53 push ebx
- 0040717D . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
- 00407183 . 83C4 0C add esp,0C
- 00407186 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
- 0040718C . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
- 00407192 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
- 00407195 . 51 push ecx
- 00407196 . 52 push edx
- 00407197 . 50 push eax
- 00407198 . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>>
- 0040719E .^ E9 61FFFFFF jmp Crackme2.00407104
- 004071A3 > 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 004071A6 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 004071A9 . 51 push ecx
- 004071AA . 52 push edx
- 004071AB . FF15 04114000 call dword ptr ds:[<&MSVBVM60.#573>] ; rtcHexVarFromVar, convert the result to hex: 7B34F
- 004071B1 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 004071B4 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 004071B7 . FFD6 call esi
- 004071B9 . 68 13724000 push Crackme2.00407213
- 004071BE . EB 30 jmp short Crackme2.004071F0
- 004071C0 . F645 FC 04 test byte ptr ss:[ebp-4],4
- 004071C4 . 74 09 je short Crackme2.004071CF
- 004071C6 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 004071C9 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
- 004071CF > 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 004071D2 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
- 004071D8 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
- 004071DB . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004071DE . 50 push eax
- 004071DF . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 004071E2 . 51 push ecx
- 004071E3 . 52 push edx
- 004071E4 . 6A 03 push 3
- 004071E6 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]
- 004071EC . 83C4 10 add esp,10
- 004071EF . C3 retn
- -----------------------------------------------------------------------------------------------
- 【Cracking Summary】
- 1. The user name is at most 10 characters long. Add up the ASCII values of all its characters and call the total sum.
- 2. If sum is even, the user name is transformed and characters are picked from the fixed string st1: "DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"; the result is string st2.
- 3. Each character of the string st3: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890#^$&" corresponds to one character; the string corresponding to st3 is
- st4: "B8B3D3F9C2B6C8C7C3A4F9E2D85F6C5F3C1E1F4F4C7E7A6F2A8AD3BECFB8CFEFEC", and the corresponding numeric values are, in order:
- 0B9,8C,0B5,3D,0D6,3E,0F1,9A,0C7,2F,0B1,6B,0C4,8E,0C1,7B,0C5,3D,0A3,4B,0F8,9D,0E2,2D,0D7,8D,
- 5A,0F5,6F,0C9,5D,0F9,3B,0C3,1E,0E9,1A,0F3,4E,0F4,4D,0C6,7A,0E6,7E,0A2,6A,0F7,2B,0A8,8B,0A4,
- 0DA,3C,0BE,0EC,0CA,0FB,0B3,0ED,0CF,0FD,0EB,0FB,0E5,0C2.
- 4. For each character of st2, find its position in st3, take the ASCII value of the st4 character at that position, add the corresponding numeric value and convert to decimal; concatenating these in order gives the registration code.
- 5. If sum is odd, append (0x14 - name length) copies of the constant 0x15 to the user name, then take the ASCII value of each character in turn and multiply; the result is string st5.
- 6. Take 3 characters at a time from string st5, convert each character's ASCII value to decimal and concatenate them, then convert that to hex; concatenating the hex values obtained each time gives string st6.
- 7. Starting at position 0x14 (20) of string st6, take every other character until position (length of st6 - 0x12); the result is string st7.
- 8. For each character of st7, find its position in st3, take the ASCII value of the st4 character at that position, add the corresponding numeric value and convert to decimal; concatenating these in order gives the registration code.
- A working registration code:
- Name:hrbx
- Serial:283233302113112268
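The even-sum branch (steps 1 to 4) and the table lookup shared with step 8, as an added Python reference implementation written for this write-up; it is not the author's VB keygen and not the CrackMe's own code. It uses only the three tables listed above (the VB source names the alphabet st2 and the lookup string st3, while the summary calls them st3 and st4); the function names are my own. Reading the VB source, step 2 is Base64 with a shuffled alphabet, and two quirks of that source are kept deliberately: a trailing group of one or two name bytes yields only two alphabet characters, and an output character with no entry in the 66-character table ('+' or '/') contributes no digits. The odd-sum branch depends on how VB turns a Double into a string, so it is left to the VB source.

```python
# Added reference implementation of the even-sum branch of the OCN CrackMe2004
# serial scheme, written for this write-up from the VB keygen source.  The
# function names are my own; the three tables are the ones the write-up lists.

# st1 in the summary: a 64-character alphabet, i.e. Base64 with a shuffled table.
ST1 = "DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
# st3/st4 in the summary (st2/st3 in the VB source): the 66-entry lookup tables.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890#^$&"
LOOKUP = "B8B3D3F9C2B6C8C7C3A4F9E2D85F6C5F3C1E1F4F4C7E7A6F2A8AD3BECFB8CFEFEC"
NUM = [
    0xB9, 0x8C, 0xB5, 0x3D, 0xD6, 0x3E, 0xF1, 0x9A, 0xC7, 0x2F, 0xB1, 0x6B, 0xC4,
    0x8E, 0xC1, 0x7B, 0xC5, 0x3D, 0xA3, 0x4B, 0xF8, 0x9D, 0xE2, 0x2D, 0xD7, 0x8D,
    0x5A, 0xF5, 0x6F, 0xC9, 0x5D, 0xF9, 0x3B, 0xC3, 0x1E, 0xE9, 0x1A, 0xF3, 0x4E,
    0xF4, 0x4D, 0xC6, 0x7A, 0xE6, 0x7E, 0xA2, 0x6A, 0xF7, 0x2B, 0xA8, 0x8B, 0xA4,
    0xDA, 0x3C, 0xBE, 0xEC, 0xCA, 0xFB, 0xB3, 0xED, 0xCF, 0xFD, 0xEB, 0xFB, 0xE5, 0xC2,
]
assert len(ST1) == 64 and len(ALPHABET) == len(LOOKUP) == len(NUM) == 66


def ascii_sum(name: str) -> int:
    """Step 1: sum of the ASCII values of the name."""
    return sum(ord(c) for c in name)


def is_even_branch(name: str) -> bool:
    """Even sum selects the Base64-style branch (steps 2-4), odd sum the product branch (5-8)."""
    return ascii_sum(name) % 2 == 0


def encode_st2(name: str) -> str:
    """Step 2 exactly as the VB keygen computes n1..n4: every 3 bytes of the
    name become four 6-bit indices into ST1.  Quirk kept from the VB source:
    a trailing group of 1 or 2 bytes yields only two characters (the low 4
    bits of a second byte are discarded) and there is no padding."""
    data = name.encode("ascii")  # the VB Asc() path assumes single-byte characters
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        b0 = chunk[0]
        b1 = chunk[1] if len(chunk) > 1 else 0
        out.append(ST1[b0 >> 2])                           # n1 = Int(Asc(str1) / 4)
        out.append(ST1[((b0 & 3) << 4) | (b1 >> 4)])       # n2 = (Asc(str1) And 3) * 16 + Int(Asc(str2) / 16)
        if len(chunk) == 3:
            b2 = chunk[2]
            out.append(ST1[((b1 & 15) << 2) | (b2 >> 6)])  # n3 = (Asc(str2) And 15) * 4 + Int(Asc(str3) / 64)
            out.append(ST1[b2 & 63])                       # n4 = Asc(str3) And 63
    return "".join(out)


def map_to_digits(st2: str) -> str:
    """Steps 4/8: each character's position in ALPHABET selects one LOOKUP
    character and one NUM entry; their sum is written in decimal and appended.
    '+' and '/' are valid ST1 output but absent from ALPHABET, so the VB inner
    loop matches nothing for them and they add no digits; mirrored here."""
    parts = []
    for ch in st2:
        j = ALPHABET.find(ch)
        if j < 0:
            continue
        parts.append(str(ord(LOOKUP[j]) + NUM[j]))
    return "".join(parts)


def serial_even(name: str) -> str:
    """Serial for a name whose ASCII sum is even (the write-up's worked case)."""
    if not 1 <= len(name) <= 10:
        raise ValueError("the CrackMe accepts names of 1 to 10 characters")
    if not is_even_branch(name):
        raise ValueError("odd ASCII sum: the product branch (steps 5-8) is not implemented here")
    return map_to_digits(encode_st2(name))


if __name__ == "__main__":
    print(encode_st2("hrbx"), serial_even("hrbx"))  # yXJfdD 283233302113112268
```

Running it on the write-up's name "hrbx" (ASCII sum 436, even) reproduces the serial 283233302113112268 above. The design lesson is the one the whole write-up illustrates: the serial is a deterministic function of the user name and two public tables, with no secret anywhere, so once the tables are read out of the binary the check can be reproduced exactly.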
- Memory keygen:
- Break address: 40860D
- Break count: 1
- First byte: 89
- Instruction length: 3
- Memory mode ---> register: EDX, tick "wide string"
- Patch (brute force) by changing the following locations:
- 004055B1 je Crackme2.004056F7 ; je====>NOP
- 004058D7 je Crackme2.00405A62 ; je====>NOP
- 【VB Keygen Source】
- 'Compiles under VB 6.0 + WinXP
- Private Sub Generate_Click()
- Dim Name As String
- Dim st1 As String
- Dim st3 As String
- Dim st2 As String
- ' VB6 applies "As <type>" only to the last name in a comma-separated Dim,
- ' so each variable is typed explicitly here instead of silently becoming a Variant
- Dim sum As Integer, number As Integer
- Dim n As Integer, n1 As Integer, n2 As Integer, n3 As Integer, n4 As Integer
- Dim length As Integer
- Dim temp_num As Integer
- Dim dnum1 As Double
- Dim dnum2 As Double
- Dim i As Integer, j As Integer
- Dim str1 As String, str2 As String, str3 As String, str4 As String
- Dim SerialNo As String, Serial As String, Serial1 As String, Serial2 As String, Serial3 As String, Serial4 As String
- st1 = "DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
- st2 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890#^$&"
- st3 = "B8B3D3F9C2B6C8C7C3A4F9E2D85F6C5F3C1E1F4F4C7E7A6F2A8AD3BECFB8CFEFEC"
- Dim num(66) As Integer
- num(0) = &HB9
- num(1) = &H8C
- num(2) = &HB5
- num(3) = &H3D
- num(4) = &HD6
- num(5) = &H3E
- num(6) = &HF1
- num(7) = &H9A
- num(8) = &HC7
- num(9) = &H2F
- num(10) = &HB1
- num(11) = &H6B
- num(12) = &HC4
- num(13) = &H8E
- num(14) = &HC1
- num(15) = &H7B
- num(16) = &HC5
- num(17) = &H3D
- num(18) = &HA3
- num(19) = &H4B
- num(20) = &HF8
- num(21) = &H9D
- num(22) = &HE2
- num(23) = &H2D
- num(24) = &HD7
- num(25) = &H8D
- num(26) = &H5A
- num(27) = &HF5
- num(28) = &H6F
- num(29) = &HC9
- num(30) = &H5D
- num(31) = &HF9
- num(32) = &H3B
- num(33) = &HC3
- num(34) = &H1E
- num(35) = &HE9
- num(36) = &H1A
- num(37) = &HF3
- num(38) = &H4E
- num(39) = &HF4
- num(40) = &H4D
- num(41) = &HC6
- num(42) = &H7A
- num(43) = &HE6
- num(44) = &H7E
- num(45) = &HA2
- num(46) = &H6A
- num(47) = &HF7
- num(48) = &H2B
- num(49) = &HA8
- num(50) = &H8B
- num(51) = &HA4
- num(52) = &HDA
- num(53) = &H3C
- num(54) = &HBE
- num(55) = &HEC
- num(56) = &HCA
- num(57) = &HFB
- num(58) = &HB3
- num(59) = &HED
- num(60) = &HCF
- num(61) = &HFD
- num(62) = &HEB
- num(63) = &HFB
- num(64) = &HE5
- num(65) = &HC2
- Name = Text1.Text
- length = Len(Name)
- If length = 0 Then Text1.Text = "Please enter at least one character !"
- If length > 10 Then
- Text1.Text = "Name should be less than 11 characters !"
- Else
- For i = 1 To length
- sum = sum + Asc(Mid(Name, i, 1))
- Next i
- If (sum Mod 2 = 0) Then ' even sum: regroup every 3 bytes of the name into four 6-bit indices into st1
- n = 1
- For i = 1 To length
-
- If (n <= length) Then
- str1 = Mid(Name, n, 1)
- n1 = Int(Asc(str1) / 4)
- n2 = (Asc(str1) And 3) * 16
-
- If (n + 1) <= length Then
- str2 = Mid(Name, n + 1, 1)
- n2 = Int(Asc(str2) / 16) + (Asc(str1) And 3) * 16
- End If
-
- Serial1 = Mid(st1, n1 + 1, 1)
- Serial2 = Mid(st1, n2 + 1, 1)
- Serial = Serial & Serial1 & Serial2
-
- If (n + 2) <= length Then
-
- str3 = Mid(Name, n + 2, 1)
- n3 = Int(Asc(str3) / 64) + (Asc(str2) And 15) * 4
- n4 = Asc(str3) And 63
-
- Serial3 = Mid(st1, n3 + 1, 1)
- Serial4 = Mid(st1, n4 + 1, 1)
- Serial = Serial & Serial3 & Serial4
-
- End If
-
- End If
-
- n = n + 3
-
- Next i
-
- length = Len(Serial)
- For i = 1 To length
- For j = 1 To 66
-
- If (Mid(Serial, i, 1) = Mid(st2, j, 1)) Then
- temp_num = Asc(Mid(st3, j, 1)) + num(j - 1)
- SerialNo = SerialNo & temp_num
- End If
-
- Next j
-
- Next i
-
- End If
- If (sum Mod 2 <> 0) Then ' odd sum: product of (ASCII * position + &H14), padded with &H15 up to 20 positions
- dnum1 = 1
- length = Len(Name)
- For i = 1 To length
- dnum1 = dnum1 * (Asc(Mid(Name, i, 1)) * i + &H14)
- Next i
- For i = length + 1 To 20
- dnum1 = dnum1 * (&H15 * i + &H14)
- Next i
- Serial = dnum1
- length = Len(Serial)
- For i = 1 To length
- Serial1 = Mid(Serial, i, 1)
-
- If i + 1 <= length Then
- Serial1 = Serial1 & Mid(Serial, i + 1, 1)
- End If
- If i + 2 <= length Then
- Serial1 = Serial1 & Mid(Serial, i + 2, 1)
- End If
- For j = 1 To Len(Serial1)
- number = Asc(Mid(Serial1, j, 1))
- Serial2 = Serial2 & number
- dnum2 = Serial2
- Next j
-
- Serial3 = Serial3 & Hex(dnum2)
- Serial2 = ""
- Next i
- length = Len(Serial3)
- For i = 20 To length - &H12 Step 2
- Serial4 = Serial4 & Mid(Serial3, i, 1)
- Next i
- length = Len(Serial4)
- For i = 1 To length
- For j = 1 To 66
- If (Mid(Serial4, i, 1) = Mid(st2, j, 1)) Then
- temp_num = Asc(Mid(st3, j, 1)) + num(j - 1)
- SerialNo = SerialNo & temp_num
- End If
- Next j
- Next i
- End If
- Text2 = SerialNo
- End If
- End Sub
- -----------------------------------------------------------------------------------------------
- 【Copyright Notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
[ This post was last edited by hrbx on 2006-1-2 00:15 ]