elance's crackme.NO3 算法分析

冷血书生 · 发表于 2006-7-22 18:15:56

【破解日期】 2006年7月22日
【破解作者】冷血书生
【作者邮箱】 [email protected]
【作者主页】 http://bbs.126sohu.com
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 elance's crackme.NO3
【下载地址】本地
【软件大小】 180K
【加壳方式】无
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------------------------
【破解内容】

搜索找到"http://bbs.crsky.com",来到下面:
004297F2 68 60804200 push crackme_.00428060 ; UNICODE "http://bbs.crsky.com" /// 找到这里
004297F7 52 push edx
004297F8 FFD6 call esi
004297FA 50 push eax
004297FB 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004297FE 68 50804200 push crackme_.00428050 ; UNICODE "open"
00429803 50 push eax
00429804 FFD6 call esi
00429806 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
00429809 50 push eax
0042980A 51 push ecx
0042980B E8 9CE6FFFF call crackme_.00427EAC /// NOP掉即可
00429810 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystem>; MSVBVM60.__vbaSetSystemError
搜索发现有两处,经测试,只要NOP掉第一处即可
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
00429940 C785 14FFFFFF C8>mov dword ptr ss:[ebp-EC],crackme_.004280C8 ; UNICODE "This is my third crackme for crack learning,i hope you could enjoy it!"
0042994A 899D 0CFFFFFF mov dword ptr ss:[ebp-F4],ebx
00429950 FFD7 call edi
…………省略部分…………
00429A03 50 push eax
00429A04 FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox /// NOP掉这里即可
00429A0A 8D95 1CFFFFFF lea edx,dword ptr ss:[ebp-E4]
////////////////////////////////////////////////////////////////////////////////////////////
0042A09E C785 00FFFFFF C8>mov dword ptr ss:[ebp-100],crackme_.004280C8 ; UNICODE "This is my third crackme for crack learning,i hope you could enjoy it!"
0042A0A8 899D F8FEFFFF mov dword ptr ss:[ebp-108],ebx
0042A0AE FFD6 call esi
…………省略部分…………
0042A165 50 push eax
0042A166 FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox /// NOP掉这里即可
0042A16C 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-F8]
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
搜索"Congratulations,u've done it!"，往上找个适当的地方下断点，代码如下：
00429F59 8946 48 mov dword ptr ds:[esi+48],eax
00429F5C C746 4C 01000000 mov dword ptr ds:[esi+4C],1
00429F63 8B56 48 mov edx,dword ptr ds:[esi+48] ; 运算后的注册码
00429F66 8B4E 4C mov ecx,dword ptr ds:[esi+4C] ; 运算后的用户名
00429F69 3BD1 cmp edx,ecx ; 比较
00429F6B 0F85 EF000000 jnz crackme_.0042A060 ; 不相等就注册失败
00429F71 83EC 10 sub esp,10
////////////////////////////////////////////////////////////////////////////////////////////
很有意思，竟然有点像加密后的样子（通过key.ini可发现），注册就是加密后的用户名和注册码的ASCII
值相等就可以注册成功了，继续分析，搜索第一个“SN”，往上找个适当的地方下断点，来到下面：
00429212 66:3B85 28FFFFFF cmp ax,word ptr ss:[ebp-D8]
00429219 0F8F C8000000 jg crackme_.004292E7
0042921F 0FBFC0 movsx eax,ax
00429222 8D55 AC lea edx,dword ptr ss:[ebp-54]
00429225 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
0042922B 52 push edx
0042922C 50 push eax
0042922D 8D55 9C lea edx,dword ptr ss:[ebp-64]
00429230 51 push ecx
00429231 52 push edx
00429232 C745 B4 01000000 mov dword ptr ss:[ebp-4C],1
00429239 C745 AC 02000000 mov dword ptr ss:[ebp-54],2
00429240 89BD 74FFFFFF mov dword ptr ss:[ebp-8C],edi
00429246 C785 6CFFFFFF 08>mov dword ptr ss:[ebp-94],4008
00429250 FF15 50104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00429256 8D45 9C lea eax,dword ptr ss:[ebp-64]
00429259 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0042925C 50 push eax
0042925D 51 push ecx
0042925E FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
00429264 50 push eax
00429265 FF15 20104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
0042926B 66:0346 58 add ax,word ptr ds:[esi+58] ; 用户名第一位+1，第二位+2，如此类推
0042926F 0F80 D0040000 jo crackme_.00429745
00429275 0FBFD0 movsx edx,ax ; 加密后的结果
00429278 8D45 8C lea eax,dword ptr ss:[ebp-74]
0042927B 52 push edx
0042927C 50 push eax
0042927D FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
00429283 0FBF4E 58 movsx ecx,word ptr ds:[esi+58]
00429287 57 push edi
00429288 51 push ecx
00429289 8D55 8C lea edx,dword ptr ss:[ebp-74]
0042928C 6A 01 push 1
0042928E 52 push edx
0042928F FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove
00429295 8BD0 mov edx,eax
00429297 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042929A FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004292A0 50 push eax
004292A1 6A 00 push 0
004292A3 FF15 EC104000 call dword ptr ds:[<&MSVBVM60.__vbaMidStmtBs>; MSVBVM60.__vbaMidStmtBstr
004292A9 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004292AC 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004292AF 50 push eax
004292B0 51 push ecx
004292B1 6A 02 push 2
004292B3 FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
004292B9 8D55 8C lea edx,dword ptr ss:[ebp-74]
004292BC 8D45 9C lea eax,dword ptr ss:[ebp-64]
004292BF 52 push edx
004292C0 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004292C3 50 push eax
004292C4 51 push ecx
004292C5 6A 03 push 3
004292C7 FFD3 call ebx
004292C9 66:8B56 58 mov dx,word ptr ds:[esi+58]
004292CD B8 01000000 mov eax,1
004292D2 83C4 1C add esp,1C
004292D5 66:03D0 add dx,ax
004292D8 0F80 67040000 jo crackme_.00429745
004292DE 66:8956 58 mov word ptr ds:[esi+58],dx
004292E2 ^ E9 27FFFFFF jmp crackme_.0042920E ; 循环计算
004292E7 8B46 40 mov eax,dword ptr ds:[esi+40]
004292EA 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004292ED 50 push eax
004292EE 51 push ecx
004292EF FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
004292F5 8B17 mov edx,dword ptr ds:[edi]
004292F7 50 push eax
004292F8 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
004292FB 52 push edx
004292FC 50 push eax
004292FD FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
00429303 50 push eax
00429304 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00429307 68 687E4200 push crackme_.00427E68 ; UNICODE "sn"
0042930C 51 push ecx
0042930D FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
00429313 50 push eax
00429314 8D55 CC lea edx,dword ptr ss:[ebp-34]
00429317 68 5C7E4200 push crackme_.00427E5C ; UNICODE "key"
0042931C 52 push edx
0042931D FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
00429323 50 push eax
00429324 E8 3BECFFFF call crackme_.00427F64
00429329 8985 38FFFFFF mov dword ptr ss:[ebp-C8],eax
0042932F FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystem>; MSVBVM60.__vbaSetSystemError
00429335 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
00429338 50 push eax
00429339 57 push edi
0042933A 8B3D 7C104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrToU>; MSVBVM60.__vbaStrToUnicode
00429340 FFD7 call edi
00429342 8B4D C0 mov ecx,dword ptr ss:[ebp-40]
00429345 8D46 40 lea eax,dword ptr ds:[esi+40]
00429348 51 push ecx
00429349 50 push eax
0042934A FFD7 call edi
0042934C 8B95 38FFFFFF mov edx,dword ptr ss:[ebp-C8]
00429352 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00429355 8956 34 mov dword ptr ds:[esi+34],edx
00429358 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
0042935B 50 push eax
0042935C 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0042935F 51 push ecx
00429360 8D45 CC lea eax,dword ptr ss:[ebp-34]
00429363 52 push edx
00429364 50 push eax
00429365 6A 04 push 4
00429367 FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
0042936D 8B46 34 mov eax,dword ptr ds:[esi+34]
00429370 83C4 14 add esp,14
00429373 83F8 01 cmp eax,1
00429376 74 77 je short crackme_.004293EF
00429378 B9 04000280 mov ecx,80020004
0042937D B8 0A000000 mov eax,0A
00429382 894D 84 mov dword ptr ss:[ebp-7C],ecx
00429385 894D 94 mov dword ptr ss:[ebp-6C],ecx
00429388 894D A4 mov dword ptr ss:[ebp-5C],ecx
0042938B 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
00429391 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00429394 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0042939A 8945 8C mov dword ptr ss:[ebp-74],eax
0042939D 8945 9C mov dword ptr ss:[ebp-64],eax
004293A0 C785 74FFFFFF 9C>mov dword ptr ss:[ebp-8C],crackme_.00427F9C
004293AA C785 6CFFFFFF 08>mov dword ptr ss:[ebp-94],8
004293B4 FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
004293BA 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004293C0 8D55 8C lea edx,dword ptr ss:[ebp-74]
004293C3 51 push ecx
004293C4 8D45 9C lea eax,dword ptr ss:[ebp-64]
004293C7 52 push edx
004293C8 50 push eax
004293C9 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004293CC 6A 00 push 0
004293CE 51 push ecx
004293CF FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
004293D5 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
004293DB 8D45 8C lea eax,dword ptr ss:[ebp-74]
004293DE 52 push edx
004293DF 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004293E2 50 push eax
004293E3 8D55 AC lea edx,dword ptr ss:[ebp-54]
004293E6 51 push ecx
004293E7 52 push edx
004293E8 6A 04 push 4
004293EA FFD3 call ebx
004293EC 83C4 14 add esp,14
004293EF 8B06 mov eax,dword ptr ds:[esi]
004293F1 56 push esi
004293F2 FF90 FC020000 call dword ptr ds:[eax+2FC]
004293F8 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004293FB 50 push eax
004293FC 51 push ecx
004293FD FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00429403 8BF8 mov edi,eax
00429405 8D45 CC lea eax,dword ptr ss:[ebp-34]
00429408 50 push eax
00429409 57 push edi
0042940A 8B17 mov edx,dword ptr ds:[edi]
0042940C FF92 A0000000 call dword ptr ds:[edx+A0]
00429412 85C0 test eax,eax
00429414 DBE2 fclex
00429416 7D 12 jge short crackme_.0042942A
00429418 68 A0000000 push 0A0
0042941D 68 487E4200 push crackme_.00427E48
00429422 57 push edi
00429423 50 push eax
00429424 FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCh>; MSVBVM60.__vbaHresultCheckObj
0042942A 8B55 CC mov edx,dword ptr ss:[ebp-34]
0042942D 8D7E 3C lea edi,dword ptr ds:[esi+3C]
00429430 8BCF mov ecx,edi
00429432 FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00429438 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0042943B FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00429441 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00429444 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0042944A 8B0F mov ecx,dword ptr ds:[edi]
0042944C 51 push ecx
0042944D FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00429453 8BC8 mov ecx,eax
00429455 FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
0042945B 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
00429461 66:C746 58 0100 mov word ptr ds:[esi+58],1
00429467 66:8B46 58 mov ax,word ptr ds:[esi+58]
0042946B 66:3B85 20FFFFFF cmp ax,word ptr ss:[ebp-E0]
00429472 0F8F C8000000 jg crackme_.00429540
00429478 0FBFC0 movsx eax,ax
0042947B 8D55 AC lea edx,dword ptr ss:[ebp-54]
0042947E 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
00429484 52 push edx
00429485 50 push eax
00429486 8D55 9C lea edx,dword ptr ss:[ebp-64]
00429489 51 push ecx
0042948A 52 push edx
0042948B C745 B4 01000000 mov dword ptr ss:[ebp-4C],1
00429492 C745 AC 02000000 mov dword ptr ss:[ebp-54],2
00429499 89BD 74FFFFFF mov dword ptr ss:[ebp-8C],edi
0042949F C785 6CFFFFFF 08>mov dword ptr ss:[ebp-94],4008
004294A9 FF15 50104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004294AF 8D45 9C lea eax,dword ptr ss:[ebp-64]
004294B2 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004294B5 50 push eax
004294B6 51 push ecx
004294B7 FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
004294BD 50 push eax
004294BE FF15 20104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
004294C4 66:2B46 58 sub ax,word ptr ds:[esi+58] ; 注册码第一位-1，第二位-2，如此类推
004294C8 0F80 77020000 jo crackme_.00429745
004294CE 0FBFD0 movsx edx,ax ; 加密后的结果
004294D1 8D45 8C lea eax,dword ptr ss:[ebp-74]
004294D4 52 push edx
004294D5 50 push eax
004294D6 FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
004294DC 0FBF4E 58 movsx ecx,word ptr ds:[esi+58]
004294E0 57 push edi
004294E1 51 push ecx
004294E2 8D55 8C lea edx,dword ptr ss:[ebp-74]
004294E5 6A 01 push 1
004294E7 52 push edx
004294E8 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMov>; MSVBVM60.__vbaStrVarMove
004294EE 8BD0 mov edx,eax
004294F0 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004294F3 FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004294F9 50 push eax
004294FA 6A 00 push 0
004294FC FF15 EC104000 call dword ptr ds:[<&MSVBVM60.__vbaMidStmtBs>; MSVBVM60.__vbaMidStmtBstr
00429502 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00429505 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00429508 50 push eax
00429509 51 push ecx
0042950A 6A 02 push 2
0042950C FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
00429512 8D55 8C lea edx,dword ptr ss:[ebp-74]
00429515 8D45 9C lea eax,dword ptr ss:[ebp-64]
00429518 52 push edx
00429519 8D4D AC lea ecx,dword ptr ss:[ebp-54]
0042951C 50 push eax
0042951D 51 push ecx
0042951E 6A 03 push 3
00429520 FFD3 call ebx
00429522 66:8B56 58 mov dx,word ptr ds:[esi+58]
00429526 B8 01000000 mov eax,1
0042952B 83C4 1C add esp,1C
0042952E 66:03D0 add dx,ax
00429531 0F80 0E020000 jo crackme_.00429745
00429537 66:8956 58 mov word ptr ds:[esi+58],dx
0042953B ^ E9 27FFFFFF jmp crackme_.00429467
00429540 8B46 40 mov eax,dword ptr ds:[esi+40]
00429543 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00429546 50 push eax
00429547 51 push ecx
00429548 FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
0042954E 8B17 mov edx,dword ptr ds:[edi]
00429550 50 push eax
00429551 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00429554 52 push edx
00429555 50 push eax
00429556 FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
0042955C 50 push eax
0042955D 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00429560 68 BC7F4200 push crackme_.00427FBC ; UNICODE "name"
00429565 51 push ecx
00429566 FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
0042956C 50 push eax
0042956D 8D55 CC lea edx,dword ptr ss:[ebp-34]
00429570 68 B07F4200 push crackme_.00427FB0 ; UNICODE "usr"
00429575 52 push edx
00429576 FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrToAnsi>; MSVBVM60.__vbaStrToAnsi
0042957C 50 push eax
0042957D E8 E2E9FFFF call crackme_.00427F64
00429582 8985 38FFFFFF mov dword ptr ss:[ebp-C8],eax
00429588 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaSetSystem>; MSVBVM60.__vbaSetSystemError
0042958E 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
00429591 50 push eax
00429592 57 push edi
00429593 8B3D 7C104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrToU>; MSVBVM60.__vbaStrToUnicode
00429599 FFD7 call edi
0042959B 8B4D C0 mov ecx,dword ptr ss:[ebp-40]
0042959E 8D46 40 lea eax,dword ptr ds:[esi+40]
004295A1 51 push ecx
004295A2 50 push eax
004295A3 FFD7 call edi
004295A5 8B95 38FFFFFF mov edx,dword ptr ss:[ebp-C8]
004295AB 8D45 C0 lea eax,dword ptr ss:[ebp-40]
004295AE 8956 34 mov dword ptr ds:[esi+34],edx
004295B1 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004295B4 50 push eax
004295B5 8D55 C8 lea edx,dword ptr ss:[ebp-38]
004295B8 51 push ecx
004295B9 8D45 CC lea eax,dword ptr ss:[ebp-34]
004295BC 52 push edx
004295BD 50 push eax
004295BE 6A 04 push 4
004295C0 FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrLi>; MSVBVM60.__vbaFreeStrList
004295C6 8B46 34 mov eax,dword ptr ds:[esi+34]
004295C9 83C4 14 add esp,14
004295CC 83F8 01 cmp eax,1
004295CF BF 04000280 mov edi,80020004
004295D4 74 74 je short crackme_.0042964A
004295D6 BE 0A000000 mov esi,0A
004295DB 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
004295E1 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004295E4 897D 84 mov dword ptr ss:[ebp-7C],edi
004295E7 89B5 7CFFFFFF mov dword ptr ss:[ebp-84],esi
004295ED 897D 94 mov dword ptr ss:[ebp-6C],edi
004295F0 8975 8C mov dword ptr ss:[ebp-74],esi
004295F3 897D A4 mov dword ptr ss:[ebp-5C],edi
004295F6 8975 9C mov dword ptr ss:[ebp-64],esi
004295F9 C785 74FFFFFF 9C>mov dword ptr ss:[ebp-8C],crackme_.00427F9C
00429603 C785 6CFFFFFF 08>mov dword ptr ss:[ebp-94],8
0042960D FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00429613 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
00429619 8D55 8C lea edx,dword ptr ss:[ebp-74]
0042961C 51 push ecx
0042961D 8D45 9C lea eax,dword ptr ss:[ebp-64]
00429620 52 push edx
00429621 50 push eax
00429622 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00429625 6A 00 push 0
00429627 51 push ecx
00429628 FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0042962E 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00429634 8D45 8C lea eax,dword ptr ss:[ebp-74]
00429637 52 push edx
00429638 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
0042963B 50 push eax
0042963C 8D55 AC lea edx,dword ptr ss:[ebp-54]
0042963F 51 push ecx
00429640 52 push edx
00429641 6A 04 push 4
00429643 FFD3 call ebx
00429645 83C4 14 add esp,14
00429648 EB 05 jmp short crackme_.0042964F
0042964A BE 0A000000 mov esi,0A
0042964F 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
00429655 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00429658 897D 84 mov dword ptr ss:[ebp-7C],edi
0042965B 89B5 7CFFFFFF mov dword ptr ss:[ebp-84],esi
00429661 897D 94 mov dword ptr ss:[ebp-6C],edi
00429664 8975 8C mov dword ptr ss:[ebp-74],esi
00429667 897D A4 mov dword ptr ss:[ebp-5C],edi
0042966A 8975 9C mov dword ptr ss:[ebp-64],esi
0042966D C785 74FFFFFF CC>mov dword ptr ss:[ebp-8C],crackme_.00427FCC ; UNICODE "Please restart to wheather u've done a goog job!"
00429677 C785 6CFFFFFF 08>mov dword ptr ss:[ebp-94],8
00429681 FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00429687 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
0042968D 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00429690 50 push eax
00429691 8D55 9C lea edx,dword ptr ss:[ebp-64]
00429694 51 push ecx
00429695 52 push edx
00429696 8D45 AC lea eax,dword ptr ss:[ebp-54]
00429699 6A 00 push 0
0042969B 50 push eax
0042969C FF15 40104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
004296A2 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004296A8 8D55 8C lea edx,dword ptr ss:[ebp-74]

复制代码

////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////

总结：

1) NOP掉0042980B可以去掉地址调用

2) NOP掉00429A04和0042A166可以去掉对话框

3) 00429F6B ---》爆破点

4) 算法：用户名分别+1，+2，……和-1，-2，……获得新的两个结果,只要这两个结果的ASCII累加值相等就注成功

5) 一组可用注册信息：name: leng
code: nito
--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

[ 本帖最后由冷血书生于 2006-7-23 15:21 编辑 ]

网游难民 · 发表于 2006-7-22 23:30:48

呵呵~~
刚才偶还在冷兄基地里看这个文章哦~~
原来这里也有。
非常好的学习文章，多谢拉~~

caterpilla · 发表于 2006-7-23 08:27:55

学习。。。。。。。

网游难民 · 发表于 2006-7-23 15:12:28

指出冷血兄一点笔误的地方：
004294B6 51             push ecx
004294B7 FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
004294BD 50             push eax
004294BE FF15 20104000 call dword ptr ds:[<&MSVBVM60.#516>]       ; MSVBVM60.rtcAnsiValueBstr
004294C4 66:2B46 58    sub ax,word ptr ds:[esi+58]                ; 用户名第一位-1，第二位-2，如此类推
004294C8 0F80 77020000 jo crackme_.00429745
004294CE 0FBFD0          movsx edx,ax                               ; 加密后的结果
004294D1 8D45 8C       lea eax,dword ptr ss:[ebp-74]
应该是试练码第一位-1，第二位-2~`~~~~
如果不亲自跟踪遍看这个地方容易迷失~~

冷血书生 · 发表于 2006-7-23 15:21:16

原帖由 网游难民 于 2006-7-23 15:12 发表
指出冷血兄一点笔误的地方：
004294B6 51 push ecx
004294B7 FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>; MSVBVM60.__vbaStrVarVal
004294BD 50 ...

复制后忘记修改了，改一下，呵呵，谢谢指出！！！

ZHOU2X · 发表于 2006-7-23 16:33:31

学习，收藏！！支持！！！！

		自动登录	找回密码
密码			加入我们

elance's crackme.NO3 算法分析

本帖子中包含更多资源

相关帖子