Learning to write algorithm keygens, work in progress~~~
++++++++++++++++++++++++++++++++++
For the demo animation, download from the "野猫III" directory on the PYG dedicated FTP server!
Cracking process:
1. Packer check: Microsoft Visual Basic 5.0 / 6.0 program.
2. Load it in OD (OllyDbg) and enter the trial information:
Username: WildC
Trial code: 987654321
Set a breakpoint: bp rtcMidCharVar // heh... learned from brother lhl8730!
Then return to the CrackMe, click Register, and the program breaks at:
660E64F3 > 55 PUSH EBP // remove the breakpoint
660E64F4 8BEC MOV EBP,ESP
660E64F6 83EC 10 SUB ESP,10
660E64F9 56 PUSH ESI
660E64FA 57 PUSH EDI
660E64FB FF35 7CEE1066 PUSH DWORD PTR DS:[6610EE7C]
660E6501 FF15 B8100066 CALL DWORD PTR DS:[<&KERNEL32.TlsGetValu>; kernel32.TlsGetValue
++++++++ Friendly hint from the stack window:
0012F404 00402C60 返回到 CrackMe0.00402C60 来自 MSVBVM60.rtcMidCharVar
// right-click and follow in the disassembler window.
++++ Now the algorithm analysis:
00402B23 . FF15 B8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402B29 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] ; username into EDX
00402B2C . 52 PUSH EDX
00402B2D . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00402B33 . 33DB XOR EBX,EBX ; the call above returned the username length
00402B35 . 83F8 0B CMP EAX,0B ; compare with 11
00402B38 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00402B3B . 50 PUSH EAX
00402B3C . 0F9EC3 SETLE BL
00402B3F . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00402B45 . 33C9 XOR ECX,ECX ; clear ECX
00402B47 . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34] ; trial code into EDX
00402B4A . 83F8 05 CMP EAX,5 ; compare username length with 5
00402B4D . 52 PUSH EDX
00402B4E . 0F9DC1 SETGE CL
00402B51 . 23D9 AND EBX,ECX ; EBX = EBX AND ECX (both username length conditions must hold)
00402B53 . F7DB NEG EBX
00402B55 . 1BDB SBB EBX,EBX
00402B57 . F7DB NEG EBX
00402B59 . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00402B5F . 33C9 XOR ECX,ECX ; the call returns the trial code length
00402B61 . 83F8 09 CMP EAX,9 ; compare trial code length with 9!
00402B64 . 0F9DC1 SETGE CL
00402B67 . 85D9 TEST ECX,EBX
00402B69 . 0F85 8B000000 JNZ CrackMe0.00402BFA ; jump! if it does not jump, it's OVER!
00402B6F . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00402B71 . 56 PUSH ESI
00402B72 . FF92 FC020000 CALL DWORD PTR DS:[EDX+2FC]
00402B78 . 8B1D 30104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
00402B7E . 50 PUSH EAX
00402B7F . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00402B82 . 50 PUSH EAX
00402B83 . FFD3 CALL EBX ; <&MSVBVM60.__vbaObjSet>
00402B85 . 8BF8 MOV EDI,EAX
00402B87 . 68 60224000 PUSH CrackMe0.00402260
00402B8C . 57 PUSH EDI
00402B8D . 8B0F MOV ECX,DWORD PTR DS:[EDI]
00402B8F . FF91 A4000000 CALL DWORD PTR DS:[ECX+A4]
00402B95 . 85C0 TEST EAX,EAX
00402B97 . DBE2 FCLEX
00402B99 . 7D 12 JGE SHORT CrackMe0.00402BAD
00402B9B . 68 A4000000 PUSH 0A4
00402BA0 . 68 4C224000 PUSH CrackMe0.0040224C
00402BA5 . 57 PUSH EDI
00402BA6 . 50 PUSH EAX
00402BA7 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402BAD > 8B3D B8104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
00402BB3 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00402BB6 . FFD7 CALL EDI ; <&MSVBVM60.__vbaFreeObj>
00402BB8 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00402BBA . 56 PUSH ESI
00402BBB . FF92 0C030000 CALL DWORD PTR DS:[EDX+30C]
00402BC1 . 50 PUSH EAX
00402BC2 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00402BC5 . 50 PUSH EAX
00402BC6 . FFD3 CALL EBX
00402BC8 . 8BF0 MOV ESI,EAX
00402BCA . 68 60224000 PUSH CrackMe0.00402260
00402BCF . 56 PUSH ESI
00402BD0 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
00402BD2 . FF91 A4000000 CALL DWORD PTR DS:[ECX+A4]
00402BD8 . 85C0 TEST EAX,EAX
00402BDA . DBE2 FCLEX
00402BDC . 7D 12 JGE SHORT CrackMe0.00402BF0
00402BDE . 68 A4000000 PUSH 0A4
00402BE3 . 68 4C224000 PUSH CrackMe0.0040224C
00402BE8 . 56 PUSH ESI
00402BE9 . 50 PUSH EAX
00402BEA . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402BF0 > 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00402BF3 . FFD7 CALL EDI
00402BF5 . E9 85020000 JMP CrackMe0.00402E7F ; jump! OVER!
00402BFA > 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] ; lands here when the trial code is at least 9 characters~~~
00402BFD . 52 PUSH EDX
00402BFE . FF15 14104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00402C04 . 8BC8 MOV ECX,EAX ; the call returns the username length, ECX=EAX
00402C06 . FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
00402C0C . BB 01000000 MOV EBX,1 ; EBX=1
00402C11 . 8985 2CFFFFFF MOV DWORD PTR SS:[EBP-D4],EAX ; EAX stored at EBP-D4
00402C17 . 8BF3 MOV ESI,EBX ; ESI=EBX
00402C19 > 66:3BB5 2CFFF>CMP SI,WORD PTR SS:[EBP-D4] ; compare SI with EBP-D4, enter the loop!
00402C20 . 0F8F A3000000 JG CrackMe0.00402CC9 ; exits the loop only after every username character has been taken and processed!
00402C26 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00402C29 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00402C2C . 0FBFD6 MOVSX EDX,SI ; SI taken one position at a time, result into EDX
00402C2F . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
00402C35 . 51 PUSH ECX
00402C36 . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
00402C3C . 52 PUSH EDX
00402C3D . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00402C40 . 50 PUSH EAX
00402C41 . 51 PUSH ECX
00402C42 . C745 B8 04000>MOV DWORD PTR SS:[EBP-48],80020004 ; EBP-48=80020004
00402C49 . C745 B0 0A000>MOV DWORD PTR SS:[EBP-50],0A ; EBP-50=0A
00402C50 . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],4008 ; EBP-90=4008
00402C5A . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402C60 . 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60] ; rtcMidCharVar returns here!
00402C63 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00402C66 . 52 PUSH EDX
00402C67 . 50 PUSH EAX
00402C68 . FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00402C6E . 50 PUSH EAX ; the call above fetched the username character
00402C6F . FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.#693>] ; MSVBVM60.rtcByteValueBstr
00402C75 . 66:33C9 XOR CX,CX ; the call takes the username's byte value character by character; CX is cleared here
00402C78 . 8AC8 MOV CL,AL ; CL=AL
00402C7A . 66:6BC9 02 IMUL CX,CX,2 ; CX=CX*2
00402C7E . 0F80 7A020000 JO CrackMe0.00402EFE
00402C84 . 0FBFD1 MOVSX EDX,CX ; CX into EDX
00402C87 . 03D7 ADD EDX,EDI ; add EDI to EDX
00402C89 . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402C8C . 0F80 6C020000 JO CrackMe0.00402EFE
00402C92 . 83C2 0A ADD EDX,0A ; EDX+0A
00402C95 . 0F80 63020000 JO CrackMe0.00402EFE
00402C9B . 8BFA MOV EDI,EDX
00402C9D . FF15 BC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00402CA3 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00402CA6 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00402CA9 . 50 PUSH EAX
00402CAA . 51 PUSH ECX
00402CAB . 6A 02 PUSH 2
00402CAD . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00402CB3 . 66:8BD3 MOV DX,BX ; DX=BX
00402CB6 . 83C4 0C ADD ESP,0C
00402CB9 . 66:03D6 ADD DX,SI ; then add SI to DX
00402CBC . 0F80 3C020000 JO CrackMe0.00402EFE
00402CC2 . 8BF2 MOV ESI,EDX ; ESI=EDX
00402CC4 .^ E9 50FFFFFF JMP CrackMe0.00402C19 ; loop!~
00402CC9 > 81C7 2770430B ADD EDI,0B437027 ; add 0B437027 to EDI; the result is the registration code!
00402CCF . 0F80 29020000 JO CrackMe0.00402EFE
00402CD5 . 8BDF MOV EBX,EDI
00402CD7 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00402CDA . 57 PUSH EDI
00402CDB . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00402CDD . FF90 0C030000 CALL DWORD PTR DS:[EAX+30C]
00402CE3 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00402CE6 . 50 PUSH EAX
00402CE7 . 51 PUSH ECX
00402CE8 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00402CEE . 8BF0 MOV ESI,EAX
00402CF0 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00402CF3 . 50 PUSH EAX
00402CF4 . 56 PUSH ESI
00402CF5 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00402CF7 . FF92 A0000000 CALL DWORD PTR DS:[EDX+A0]
00402CFD . 85C0 TEST EAX,EAX
00402CFF . DBE2 FCLEX
00402D01 . 7D 12 JGE SHORT CrackMe0.00402D15
00402D03 . 68 A0000000 PUSH 0A0
00402D08 . 68 4C224000 PUSH CrackMe0.0040224C
00402D0D . 56 PUSH ESI
00402D0E . 50 PUSH EAX
00402D0F . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402D15 > 53 PUSH EBX
00402D16 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
00402D1C . 8BD0 MOV EDX,EAX ; this call converts the real code held in the register into a Unicode string!
00402D1E . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00402D21 . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00402D27 . 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38] ; trial code!
00402D2A . 50 PUSH EAX
00402D2B . 51 PUSH ECX
00402D2C . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00402D32 . 8BF0 MOV ESI,EAX
00402D34 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00402D37 . F7DE NEG ESI
00402D39 . 1BF6 SBB ESI,ESI
00402D3B . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00402D3E . 52 PUSH EDX
00402D3F . 46 INC ESI
00402D40 . 50 PUSH EAX
00402D41 . 6A 02 PUSH 2
00402D43 . F7DE NEG ESI
00402D45 . FF15 8C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00402D4B . 8B1D B8104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
00402D51 . 83C4 0C ADD ESP,0C
00402D54 . 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
00402D57 . FFD3 CALL EBX ; <&MSVBVM60.__vbaFreeObj>
00402D59 . 66:85F6 TEST SI,SI
00402D5C . 0F84 9B000000 JE CrackMe0.00402DFD ; the key jump!
++++++++++++++++++++++++++++++++++++++
Algorithm summary (brief):
Username >= 5 characters.
Registration code >= 9 characters.
Take each username character's hex value, multiply it by 2 and add the products together; call the sum A.
Take the username length * 0A; call it B.
A + B + B437027 (the author's preset value) = C; convert C to decimal and that is the registration code.
[ This post was last edited by 野猫III on 2006-6-26 00:35 ]
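The check traced above, re-implemented in Python as an added example (this is not code from the post or from the CrackMe itself). It mirrors the length gate at 00402B35-00402B69, which besides the two conditions in the summary also requires the username to be at most 11 characters (CMP EAX,0B followed by SETLE BL), the per-character loop at 00402C19-00402CC4, the constant add at 00402CC9 and the decimal conversion by __vbaStrI4. It assumes the accumulator register EDI is 0 when the loop starts and that the username is single-byte ASCII (what rtcByteValueBstr returns); the function names are mine.

```python
"""Python model of the serial check read from the OllyDbg listing above.

Added example, not the CrackMe's own code. Assumptions: EDI == 0 before the
loop at 00402C19, and single-byte (ASCII) username characters.
"""

MAGIC = 0x0B437027       # constant added at 00402CC9 ("B437027" in the summary)
PER_CHAR_BIAS = 0x0A     # ADD EDX,0A at 00402C92 (the "length * 0A" term, B)
INT32_MAX = 0x7FFFFFFF   # VB Long; every JO in the loop branches to 00402EFE


def _check_overflow(value: int) -> int:
    """Mirror the JO checks: the VB runtime raises Overflow instead of wrapping."""
    if value > INT32_MAX or value < -INT32_MAX - 1:
        raise OverflowError("VB runtime error 6 (Overflow)")
    return value


def lengths_ok(username: str, serial: str) -> bool:
    """Gate at 00402B23-00402B69: 5 <= Len(user) <= 11 and Len(serial) >= 9."""
    return 5 <= len(username) <= 11 and len(serial) >= 9


def compute_serial(username: str) -> str:
    """Loop 00402C19-00402CC4 followed by ADD EDI,0B437027 and __vbaStrI4."""
    acc = 0                                   # EDI, assumed 0 at loop entry
    for ch in username:                       # Mid$(user, i, 1), i = 1..Len(user)
        code = ord(ch)                        # rtcByteValueBstr -> Asc(char)
        if code > 0xFF:
            raise ValueError("example assumes single-byte characters")
        acc = _check_overflow(acc + code * 2)         # IMUL CX,CX,2 ; ADD EDX,EDI
        acc = _check_overflow(acc + PER_CHAR_BIAS)    # ADD EDX,0A ; MOV EDI,EDX
    acc = _check_overflow(acc + MAGIC)        # ADD EDI,0B437027 at 00402CC9
    return str(acc)                           # __vbaStrI4: Long -> decimal string


def check(username: str, serial: str) -> bool:
    """Full decision: length gate, then the __vbaStrCmp at 00402D2C."""
    if not lengths_ok(username, serial):
        return False                          # the JMP at 00402BF5: OVER
    return compute_serial(username) == serial # TEST SI,SI / JE at 00402D5C


if __name__ == "__main__":
    # Trial data from the post: the typed code fails, the computed one passes.
    print("WildC ->", compute_serial("WildC"))
    print("typed 987654321 accepted:", check("WildC", "987654321"))
    print("computed code accepted:", check("WildC", compute_serial("WildC")))
```

For the post's username WildC the model yields 188969983 (2 * 467 + 5 * 10 + 0x0B437027). Running the script with the same name and trial code as in the debugging session is the quickest way to confirm the reading of the listing: if the decimal string differs from what __vbaStrI4 produces at 00402D16, one of the assumptions above (EDI's initial value, the byte value of a character) is wrong. From a design standpoint the scheme shows why a serial that is a short additive function of the username offers no protection once the binary is in the user's hands; a check that verifies a signature under a key the client does not hold is the usual answer.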