【破解日期】 2006年11月19日
【破解作者】 冷血书生
【作者邮箱】 MEIYOU
【作者主页】 hxxp://www.126sohu.com/
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 f3rgo_chl1's Crackme 分析
【下载地址】 本地
【软件大小】 68k
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
------------------------------------------------------------------------
--------
【破解内容】
- 因为有NAG出现,所以先把下面的CALL给NOP掉,再保存分析
- 00408A4D FF15 5C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox -- message-box call; per the author's note this is the nag dialog that is patched out before the analysis
- /////////////////////////////////////////////////////////////////////////
- /////////////////////////////////////////////////////////////////////////
- 00408248 52 push edx ; length gate starts here: push the user name string
- 00408249 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLe>; MSVBVM60.__vbaLenBstr -- eax = length of the name
- 0040824F 33C9 xor ecx,ecx ; clear ecx so setg can fill cl
- 00408251 83F8 04 cmp eax,4 ; compare the length with 4
- 00408254 0F9FC1 setg cl ; cl = 1 only when length > 4 (signed compare)
- 00408257 F7D9 neg ecx ; 1 becomes -1, 0 stays 0
- 00408259 66:898D 74FFFFFF mov word ptr ss:[ebp-8C],cx ; keep the 16-bit flag in a local
- 00408260 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 00408263 FF15 2C114000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr -- release the temporary string at ebp-28
- 00408269 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
- 0040826C FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj -- release the temporary object at ebp-3C
- 00408272 66:39B5 74FFFFFF cmp word ptr ss:[ebp-8C],si ; flag vs si; si is set before this excerpt, presumably 0 -- confirm
- 00408279 0F84 53030000 je f3rgo_ch.004085D2 ; equal: leave for 004085D2 (the author's "over" path, taken when the name is not longer than 4)
- 0040827F 8B17 mov edx,dword ptr ds:[edi] ; re-read the name: edx = first dword of the object at edi, used as a call table below
- 00408281 57 push edi
- 00408282 FF92 08030000 call dword ptr ds:[edx+308] ; indirect call through slot 308h; returns the object whose text is read next (the name field, going by the author's comments)
- 00408288 50 push eax
- 00408289 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
- 0040828C 50 push eax
- 0040828D FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet -- keep the returned object reference in ebp-3C
- 00408293 8B08 mov ecx,dword ptr ds:[eax]
- 00408295 8D55 D8 lea edx,dword ptr ss:[ebp-28]
- 00408298 52 push edx ; address of the local that receives the string
- 00408299 50 push eax
- 0040829A 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax ; remember the object for the error path below
- 004082A0 FF91 A0000000 call dword ptr ds:[ecx+A0] ; slot A0h call that fills ebp-28 (presumably the control's text getter -- confirm)
- 004082A6 3BC6 cmp eax,esi ; status vs esi (0 if esi is unchanged since the flag test -- confirm)
- 004082A8 DBE2 fclex ; clear pending x87 exception flags
- 004082AA 7D 18 jge short f3rgo_ch.004082C4 ; status not below esi: skip the error helper
- 004082AC 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-84]
- 004082B2 68 A0000000 push 0A0
- 004082B7 68 00794000 push f3rgo_ch.00407900
- 004082BC 51 push ecx
- 004082BD 50 push eax
- 004082BE FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj -- error path for the failed A0h call
- 004082C4 8B55 D8 mov edx,dword ptr ss:[ebp-28]
- 004082C7 52 push edx
- 004082C8 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLe>; MSVBVM60.__vbaLenBstr
- 004082CE 8BC8 mov ecx,eax ; ecx = length of the user name
- 004082D0 FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2>; MSVBVM60.__vbaI2I4 -- narrow the length to a 16-bit integer
- 004082D6 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 004082D9 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax ; store the length; it is the loop's upper bound at 004082F3
- 004082DF BE 01000000 mov esi,1 ; loop counter starts at 1
- 004082E4 FF15 2C114000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
- 004082EA 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
- 004082ED FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
- 004082F3 66:3BB5 68FFFFFF cmp si,word ptr ss:[ebp-98] ; loop top: counter vs stored name length
- 004082FA 0F8F F0000000 jg f3rgo_ch.004083F0 ; counter > length: every character has been consumed, leave the loop
- 00408300 8B07 mov eax,dword ptr ds:[edi]
- 00408302 57 push edi
- 00408303 FF90 08030000 call dword ptr ds:[eax+308] ; same slot 308h object as before the loop (the name field)
- 00408309 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
- 0040830C 50 push eax
- 0040830D 51 push ecx
- 0040830E FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
- 00408314 8BD8 mov ebx,eax
- 00408316 8D45 D8 lea eax,dword ptr ss:[ebp-28]
- 00408319 50 push eax
- 0040831A 53 push ebx
- 0040831B 8B13 mov edx,dword ptr ds:[ebx]
- 0040831D FF92 A0000000 call dword ptr ds:[edx+A0] ; slot A0h call: the name string is fetched again into ebp-28 on every iteration
- 00408323 85C0 test eax,eax
- 00408325 DBE2 fclex
- 00408327 7D 12 jge short f3rgo_ch.0040833B ; non-negative status: skip the error helper
- 00408329 68 A0000000 push 0A0
- 0040832E 68 00794000 push f3rgo_ch.00407900
- 00408333 53 push ebx
- 00408334 50 push eax
- 00408335 FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
- 0040833B 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; eax = name string
- 0040833E 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
- 00408341 0FBFD6 movsx edx,si ; edx = current position (the counter, starting at 1)
- 00408344 8945 B8 mov dword ptr ss:[ebp-48],eax ; name string goes into the structure at ebp-50
- 00408347 51 push ecx
- 00408348 8D45 B0 lea eax,dword ptr ss:[ebp-50]
- 0040834B 52 push edx
- 0040834C 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
- 0040834F 50 push eax
- 00408350 51 push ecx
- 00408351 C745 A8 01000000 mov dword ptr ss:[ebp-58],1 ; value 1 for the structure at ebp-60 (looks like the character count -- confirm)
- 00408358 C745 A0 02000000 mov dword ptr ss:[ebp-60],2 ; tag 2 for that structure (looks like a 16-bit integer variant -- confirm)
- 0040835F C745 D8 00000000 mov dword ptr ss:[ebp-28],0 ; clear ebp-28 after its string was copied to ebp-48
- 00408366 C745 B0 08000000 mov dword ptr ss:[ebp-50],8 ; tag 8 for the structure holding the name (looks like a string variant -- confirm)
- 0040836D FF15 74104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar -- take the character at the current position; result at ebp-70
- 00408373 8D55 90 lea edx,dword ptr ss:[ebp-70]
- 00408376 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
- 00408379 52 push edx
- 0040837A 50 push eax
- 0040837B FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarVal -- turn the rtcMidCharVar result into a string
- 00408381 50 push eax
- 00408382 FF15 28104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr -- ax = character code of that string
- 00408388 8B4D E4 mov ecx,dword ptr ss:[ebp-1C] ; ecx = running total, which is kept as a string in ebp-1C
- 0040838B 66:8BD8 mov bx,ax ; bx = code of the current character
- 0040838E 51 push ecx
- 0040838F FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI2>; MSVBVM60.__vbaI2Str -- parse the running total back into a 16-bit integer
- 00408395 66:03D8 add bx,ax ; accumulate: character code + running total, in 16 bits
- 00408398 0F80 B7020000 jo f3rgo_ch.00408655 ; signed 16-bit overflow leaves for 00408655, which is outside this excerpt
- 0040839E 53 push ebx
- 0040839F FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrI2 -- format the new total as a string
- 004083A5 8B1D 18114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaStrMove -- ebx caches this pointer; every later "call ebx" is __vbaStrMove
- 004083AB 8BD0 mov edx,eax ; edx = new total string
- 004083AD 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
- 004083B0 FFD3 call ebx ; __vbaStrMove: ebp-1C now holds the new total
- 004083B2 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
- 004083B5 FF15 2C114000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
- 004083BB 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
- 004083BE FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
- 004083C4 8D55 90 lea edx,dword ptr ss:[ebp-70]
- 004083C7 8D45 A0 lea eax,dword ptr ss:[ebp-60]
- 004083CA 52 push edx
- 004083CB 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
- 004083CE 50 push eax
- 004083CF 51 push ecx
- 004083D0 6A 03 push 3 ; three entries follow: ebp-50, ebp-60, ebp-70
- 004083D2 FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList -- release the three temporaries of this iteration
- 004083D8 B8 01000000 mov eax,1
- 004083DD 83C4 10 add esp,10 ; drop the four dwords pushed for __vbaFreeVarList
- 004083E0 66:03C6 add ax,si ; counter + 1
- 004083E3 0F80 6C020000 jo f3rgo_ch.00408655 ; same overflow exit as above
- 004083E9 8BF0 mov esi,eax ; esi = next position
- 004083EB ^ E9 03FFFFFF jmp f3rgo_ch.004082F3 ; back to the loop top for the next character
- 004083F0 8B55 E4 mov edx,dword ptr ss:[ebp-1C] ; after the loop: edx = total A of the character codes, as a string
- 004083F3 8B35 C4104000 mov esi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaI2Str -- esi caches this pointer for the two "call esi" below
- 004083F9 52 push edx
- 004083FA FFD6 call esi ; __vbaI2Str: A as a 16-bit integer
- 004083FC 35 9A020000 xor eax,29A ; B = A xor 29Ah (666 decimal), a constant fixed in the binary
- 00408401 50 push eax ; B is passed to the formatter
- 00408402 FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrI2 -- B as a decimal string
- 00408408 8BD0 mov edx,eax ; keep the result
- 0040840A 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 0040840D FFD3 call ebx ; ebx was loaded with __vbaStrMove at 004083A5: ebp-20 = B string
- 0040840F 8B45 E0 mov eax,dword ptr ss:[ebp-20]
- 00408412 50 push eax
- 00408413 FFD6 call esi ; __vbaI2Str: B as a 16-bit integer
- 00408415 83F0 7B xor eax,7B ; C = B xor 7Bh (123 decimal), also a fixed constant
- 00408418 50 push eax
- 00408419 FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrI2 -- C as a decimal string
- 0040841F 8BD0 mov edx,eax
- 00408421 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 00408424 FFD3 call ebx ; __vbaStrMove: ebp-24 = C string
- 00408426 8B0F mov ecx,dword ptr ds:[edi] ; serial check starts here: call table of the object at edi
- 00408428 57 push edi
- 00408429 FF91 04030000 call dword ptr ds:[ecx+304] ; slot 304h, not the 308h used for the name (presumably the serial input field -- confirm)
- 0040842F 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
- 00408432 50 push eax
- 00408433 52 push edx
- 00408434 FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
- 0040843A 8BF0 mov esi,eax
- 0040843C 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 0040843F 51 push ecx
- 00408440 56 push esi
- 00408441 8B06 mov eax,dword ptr ds:[esi]
- 00408443 FF90 A0000000 call dword ptr ds:[eax+A0] ; same A0h slot as used for the name: fills ebp-28 with this object's string
- 00408449 85C0 test eax,eax
- 0040844B DBE2 fclex
- 0040844D 7D 12 jge short f3rgo_ch.00408461 ; non-negative status: skip the error helper
- 0040844F 68 A0000000 push 0A0
- 00408454 68 00794000 push f3rgo_ch.00407900
- 00408459 56 push esi
- 0040845A 50 push eax
- 0040845B FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
- 00408461 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; edx = string read from the 304h object (the text the user typed, if that is the serial field)
- 00408464 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; eax = A string
- 00408467 8B35 38104000 mov esi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaStrCat -- esi caches this pointer; every "call esi" below is __vbaStrCat
- 0040846D 52 push edx ; pushed early; it appears to stay on the stack as the second operand of __vbaStrCmp at 004084A9
- 0040846E 50 push eax
- 0040846F 68 14794000 push f3rgo_ch.00407914 ; constant string at 00407914 (the "-" separator, going by the author's summary)
- 00408474 FFD6 call esi ; concatenate A and the separator
- 00408476 8BD0 mov edx,eax ; edx = partial serial
- 00408478 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
- 0040847B FFD3 call ebx ; __vbaStrMove (see 004084A6) into ebp-2C
- 0040847D 8B4D E0 mov ecx,dword ptr ss:[ebp-20] ; ecx = B string
- 00408480 50 push eax
- 00408481 51 push ecx
- 00408482 FFD6 call esi ; append B
- 00408484 8BD0 mov edx,eax ; edx = partial serial
- 00408486 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
- 00408489 FFD3 call ebx
- 0040848B 50 push eax
- 0040848C 68 14794000 push f3rgo_ch.00407914
- 00408491 FFD6 call esi ; append the separator again
- 00408493 8BD0 mov edx,eax
- 00408495 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 00408498 FFD3 call ebx
- 0040849A 8B55 DC mov edx,dword ptr ss:[ebp-24] ; edx = C string
- 0040849D 50 push eax
- 0040849E 52 push edx
- 0040849F FFD6 call esi ; append C
- 004084A1 8BD0 mov edx,eax ; edx = finished serial string
- 004084A3 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
- 004084A6 FFD3 call ebx ; MSVBVM60.__vbaStrMove
- 004084A8 50 push eax
- 004084A9 FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCmp -- compare the computed serial with the string pushed at 0040846D
- 004084AF 8BF0 mov esi,eax ; esi = comparison result (the author's "classic compare"); the expected serial is built locally as a plain string before this check, which is why a scheme like this protects nothing
- 004084B1 8D45 C8 lea eax,dword ptr ss:[ebp-38]
- /////////////////////////////////////////////////////////////////////////
- /////////////////////////////////////////////////////////////////////////
- 算法总结:
- 累加用户名各字符的ASCII值 = A (用户名长度要大于4位)
- A xor 29Ah = B (29A为十六进制)
- B xor 7Bh = C (7B为十六进制)
- "A"-"B"-"C" = 注册码 (A、B、C均以十进制字符串拼接)
- name: lengxue
- code: 760-98-25
- ------------------------------------------------------------------------
- --------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! |