Posted by: yongmin [yongmin], forum user
Reposted from: 一蓑烟雨

【Title】Kain's first CrackMe: simple algorithm analysis + VB keygen source
【Author】hrbx
【Tools】OllyDbg 1.10, PEiD
【Date】2007-11-18
【Download】http://www.unpack.cn/attachment.php?aid=13043
【Software】Kain's first CrackMe
-----------------------------------------------------------------------------------------------
【Statement】I'm just a little rookie; I picked up a bit of insight and would like to share it with everyone.
-----------------------------------------------------------------------------------------------
【Process】

1. Unpacking. A PEiD scan reports: Microsoft Visual Basic 5.0 / 6.0, so there is no packer. Entering a wrong code brings up an error message box.

2. Tracing the algorithm. Load the CrackMe in OD, press F9 to run, type bp rtcMsgBox in the command bar and press Enter. Enter the registration details and click "OK"; it breaks immediately:

660DC5F3 M> 55 push ebp ; breaks here
660DC5F4 8BEC mov ebp,esp
660DC5F6 83EC 4C sub esp,4C
660DC5F9 8B4D 14 mov ecx,dword ptr ss:[ebp+14]

Press Alt+F9; the error box appears. Click its "OK" button and execution returns to:

00405AF2 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00405AF8 . 8D95 24FEFFFF lea edx,dword ptr ss:[ebp-1DC] ; Alt+F9 returns here
00405AFE . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]

Scroll upwards, set a breakpoint with F2 at 00405070, reload the program with Ctrl+F2, press F9 to run and enter the registration details:
====================================================
User name: hrbx
Registration code: abcd1234
====================================================
Click "OK" and it breaks immediately:

00405070 > \55 push ebp ; F2 breakpoint here; after it breaks, step down with F8
00405071 . 8BEC mov ebp,esp
00405073 . 83EC 0C sub esp,0C
00405076 . 68 C6124000 push <jmp.&MSVBVM60.__vbaExceptH>
---------------------------------------------------------------------
part of the code omitted
---------------------------------------------------------------------
00405286 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040528C > 8B45 9C mov eax,dword ptr ss:[ebp-64] ; fake code "abcd1234"
0040528F . 50 push eax
00405290 . 68 741E4000 push crackme.00401E74
00405295 . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__> ; check whether the code is empty
0040529B . 8B4D A0 mov ecx,dword ptr ss:[ebp-60] ; user name "hrbx"
0040529E . 8BD8 mov ebx,eax
004052A0 . F7DB neg ebx
004052A2 . 1BDB sbb ebx,ebx
004052A4 . 51 push ecx
004052A5 . 43 inc ebx
004052A6 . 68 741E4000 push crackme.00401E74
004052AB . F7DB neg ebx
004052AD . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__> ; check whether the user name is empty
004052B3 . F7D8 neg eax
004052B5 . 1BC0 sbb eax,eax
004052B7 . 8D55 9C lea edx,dword ptr ss:[ebp-64]
004052BA . 40 inc eax
004052BB . 52 push edx
004052BC . F7D8 neg eax
004052BE . 0BD8 or ebx,eax
004052C0 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
004052C3 . 50 push eax
004052C4 . 6A 02 push 2
004052C6 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
004052CC . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004052D2 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004052D5 . 51 push ecx
004052D6 . 52 push edx
004052D7 . 6A 02 push 2
004052D9 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
004052DF . 83C4 18 add esp,18
004052E2 . 66:3BDF cmp bx,di
004052E5 . 74 0A je short crackme.004052F1 ; empty user name or code -> game over; patch point 1, change to jmp
004052E7 . B8 01000000 mov eax,1
004052EC . E9 E1060000 jmp crackme.004059D2
004052F1 > 8B06 mov eax,dword ptr ds:[esi]
004052F3 . 56 push esi
004052F4 . FF90 00030000 call dword ptr ds:[eax+300]
004052FA . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004052FD . 50 push eax
004052FE . 51 push ecx
004052FF . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405305 . 8BD8 mov ebx,eax
00405307 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
0040530A . 50 push eax
0040530B . 53 push ebx
0040530C . 8B13 mov edx,dword ptr ds:[ebx]
0040530E . FF92 A0000000 call dword ptr ds:[edx+A0]
00405314 . 3BC7 cmp eax,edi
00405316 . DBE2 fclex
00405318 . 7D 12 jge short crackme.0040532C
0040531A . 68 A0000000 push 0A0
0040531F . 68 901E4000 push crackme.00401E90
00405324 . 53 push ebx
00405325 . 50 push eax
00405326 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040532C > 8B4D A0 mov ecx,dword ptr ss:[ebp-60] ; fake code "abcd1234"
0040532F . 51 push ecx
00405330 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__> ; get the length of the code, EAX=0x8
00405336 . 33DB xor ebx,ebx
00405338 . 83F8 04 cmp eax,4 ; compare the code length with 4
0040533B . 0F9EC3 setle bl
0040533E . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00405341 . F7DB neg ebx
00405343 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
00405349 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0040534C . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
00405352 . 66:3BDF cmp bx,di
00405355 . 74 0A je short crackme.00405361 ; code length <= 4 (setle above) -> game over; patch point 2, change to jmp
00405357 . B8 02000000 mov eax,2
0040535C . E9 71060000 jmp crackme.004059D2
00405361 > 8B16 mov edx,dword ptr ds:[esi]
00405363 . 56 push esi
00405364 . FF92 00030000 call dword ptr ds:[edx+300]
0040536A . 50 push eax
0040536B . 8D45 80 lea eax,dword ptr ss:[ebp-80]
0040536E . 50 push eax
0040536F . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405375 . 8BD8 mov ebx,eax
00405377 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
0040537A . 52 push edx
0040537B . 53 push ebx
0040537C . 8B0B mov ecx,dword ptr ds:[ebx]
0040537E . FF91 A0000000 call dword ptr ds:[ecx+A0]
00405384 . 3BC7 cmp eax,edi
00405386 . DBE2 fclex
00405388 . 7D 12 jge short crackme.0040539C
0040538A . 68 A0000000 push 0A0
0040538F . 68 901E4000 push crackme.00401E90
00405394 . 53 push ebx
00405395 . 50 push eax
00405396 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040539C > 8B06 mov eax,dword ptr ds:[esi]
0040539E . 56 push esi
0040539F . FF90 00030000 call dword ptr ds:[eax+300]
004053A5 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004053AB . 50 push eax
004053AC . 51 push ecx
004053AD . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
004053B3 . 8BD8 mov ebx,eax
004053B5 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004053B8 . 50 push eax
004053B9 . 53 push ebx
004053BA . 8B13 mov edx,dword ptr ds:[ebx]
004053BC . FF92 A0000000 call dword ptr ds:[edx+A0]
004053C2 . 3BC7 cmp eax,edi
004053C4 . DBE2 fclex
004053C6 . 7D 12 jge short crackme.004053DA
004053C8 . 68 A0000000 push 0A0
004053CD . 68 901E4000 push crackme.00401E90
004053D2 . 53 push ebx
004053D3 . 50 push eax
004053D4 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
004053DA > 8B0E mov ecx,dword ptr ds:[esi]
004053DC . 56 push esi
004053DD . FF91 00030000 call dword ptr ds:[ecx+300]
004053E3 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004053E9 . 50 push eax
004053EA . 52 push edx
004053EB . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
004053F1 . 8BD8 mov ebx,eax
004053F3 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004053F6 . 51 push ecx
004053F7 . 53 push ebx
004053F8 . 8B03 mov eax,dword ptr ds:[ebx]
004053FA . FF90 A0000000 call dword ptr ds:[eax+A0]
00405400 . 3BC7 cmp eax,edi
00405402 . DBE2 fclex
00405404 . 7D 12 jge short crackme.00405418
00405406 . 68 A0000000 push 0A0
0040540B . 68 901E4000 push crackme.00401E90
00405410 . 53 push ebx
00405411 . 50 push eax
00405412 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405418 > 8B16 mov edx,dword ptr ds:[esi]
0040541A . 56 push esi
0040541B . FF92 00030000 call dword ptr ds:[edx+300]
00405421 . 50 push eax
00405422 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00405428 . 50 push eax
00405429 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
0040542F . 8BD8 mov ebx,eax
00405431 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405434 . 52 push edx
00405435 . 53 push ebx
00405436 . 8B0B mov ecx,dword ptr ds:[ebx]
00405438 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040543E . 3BC7 cmp eax,edi
00405440 . DBE2 fclex
00405442 . 7D 12 jge short crackme.00405456
00405444 . 68 A0000000 push 0A0
00405449 . 68 901E4000 push crackme.00401E90
0040544E . 53 push ebx
0040544F . 50 push eax
00405450 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405456 > 8B45 A0 mov eax,dword ptr ss:[ebp-60] ; fake code "abcd1234"
00405459 . 8B1D 8C104000 mov ebx,dword ptr ds:[<&MSVBVM60>
0040545F . 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
00405465 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
0040546B . 50 push eax
0040546C . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00405472 . 6A 01 push 1
00405474 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
0040547A . 51 push ecx
0040547B . 52 push edx
0040547C . C785 5CFFFFFF 0>mov dword ptr ss:[ebp-A4],1
00405486 . C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],2
00405490 . 897D A0 mov dword ptr ss:[ebp-60],edi
00405493 . C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],8
0040549D . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040549F . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] ; take the 1st character of the code
004054A5 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
004054AB . 50 push eax
004054AC . 51 push ecx
004054AD . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcUpperCaseVar
004054B3 . 8B45 98 mov eax,dword ptr ss:[ebp-68] ; 1st character converted to upper case
004054B6 . 8D95 14FFFFFF lea edx,dword ptr ss:[ebp-EC]
004054BC . 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
004054C2 . 52 push edx
004054C3 . 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC]
004054C9 . 6A 02 push 2
004054CB . 8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-FC]
004054D1 . 50 push eax
004054D2 . 51 push ecx
004054D3 . C785 1CFFFFFF 0>mov dword ptr ss:[ebp-E4],1
004054DD . C785 14FFFFFF 0>mov dword ptr ss:[ebp-EC],2
004054E7 . 897D 98 mov dword ptr ss:[ebp-68],edi
004054EA . C785 24FFFFFF 0>mov dword ptr ss:[ebp-DC],8
004054F4 . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
004054F6 . 8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC] ; take the 2nd character of the code
004054FC . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
00405502 . 52 push edx
00405503 . 50 push eax
00405504 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcUpperCaseVar
0040550A . 8B45 90 mov eax,dword ptr ss:[ebp-70] ; 2nd character converted to upper case
0040550D . 8D8D D4FEFFFF lea ecx,dword ptr ss:[ebp-12C]
00405513 . 8985 ECFEFFFF mov dword ptr ss:[ebp-114],eax
00405519 . 51 push ecx
0040551A . 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C]
00405520 . 6A 03 push 3
00405522 . 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-13C]
00405528 . 52 push edx
00405529 . 50 push eax
0040552A . C785 DCFEFFFF 0>mov dword ptr ss:[ebp-124],1
00405534 . C785 D4FEFFFF 0>mov dword ptr ss:[ebp-12C],2
0040553E . 897D 90 mov dword ptr ss:[ebp-70],edi
00405541 . C785 E4FEFFFF 0>mov dword ptr ss:[ebp-11C],8
0040554B . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040554D . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C] ; take the 3rd character of the code
00405553 . 8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-14C]
00405559 . 51 push ecx
0040555A . 52 push edx
0040555B . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcUpperCaseVar
00405561 . 8B45 88 mov eax,dword ptr ss:[ebp-78] ; 3rd character converted to upper case
00405564 . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-15C]
0040556A . 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00405570 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00405576 . 50 push eax
00405577 . 6A 04 push 4
00405579 . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
0040557F . 51 push ecx
00405580 . 52 push edx
00405581 . C785 9CFEFFFF 0>mov dword ptr ss:[ebp-164],1
0040558B . C785 94FEFFFF 0>mov dword ptr ss:[ebp-16C],2
00405595 . 897D 88 mov dword ptr ss:[ebp-78],edi
00405598 . C785 A4FEFFFF 0>mov dword ptr ss:[ebp-15C],8
004055A2 . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
004055A4 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C] ; take the 4th character of the code
004055AA . 8D8D 74FEFFFF lea ecx,dword ptr ss:[ebp-18C]
004055B0 . 50 push eax
004055B1 . 51 push ecx
004055B2 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcUpperCaseVar
004055B8 . 8D95 F4FEFFFF lea edx,dword ptr ss:[ebp-10C] ; 4th character converted to upper case; [ebp-10C] is the upper-cased 2nd character
004055BE . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004055C1 . 52 push edx
004055C2 . 50 push eax
004055C3 . 8B1D E8104000 mov ebx,dword ptr ds:[<&MSVBVM60>
004055C9 . FFD3 call ebx
004055CB . 50 push eax
004055CC . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcAnsiValueBstr
004055D2 . 66:8BD0 mov dx,ax ; ASCII value of the upper-cased 2nd character ("B"); the order the four are read in does not matter for the sum
004055D5 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC] ; DX=AX=0x42
004055DB . 8D45 9C lea eax,dword ptr ss:[ebp-64]
004055DE . 51 push ecx
004055DF . 50 push eax
004055E0 . 66:8995 CEFDFFF>mov word ptr ss:[ebp-232],dx
004055E7 . FFD3 call ebx
004055E9 . 50 push eax
004055EA . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcAnsiValueBstr
004055F0 . 66:8B9D CEFDFFF>mov bx,word ptr ss:[ebp-232] ; ASCII value of the upper-cased 1st character ("A")
004055F7 . 8D8D B4FEFFFF lea ecx,dword ptr ss:[ebp-14C] ; AX=0x41
004055FD . 8D55 8C lea edx,dword ptr ss:[ebp-74]
00405600 . 66:03D8 add bx,ax ; sum of the first two upper-cased ASCII values
00405603 . 51 push ecx
00405604 . 52 push edx
00405605 . 0F80 06080000 jo crackme.00405E11
0040560B . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__>
00405611 . 50 push eax
00405612 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>
00405618 . 66:03D8 add bx,ax ; add the ASCII value of the upper-cased 3rd character
0040561B . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-18C] ; sum of the first three upper-cased ASCII values
00405621 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00405624 . 50 push eax
00405625 . 51 push ecx
00405626 . 0F80 E5070000 jo crackme.00405E11
0040562C . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__>
00405632 . 50 push eax
00405633 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcAnsiValueBstr
00405639 . 66:03D8 add bx,ax ; add the ASCII value of the upper-cased 4th character
0040563C . 8D45 84 lea eax,dword ptr ss:[ebp-7C] ; sum of all four upper-cased ASCII values
0040563F . 0F80 CC070000 jo crackme.00405E11
00405645 . 66:81EB 0401 sub bx,104 ; subtract 0x104 from the sum
0040564A . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
0040564D . 0F80 BE070000 jo crackme.00405E11
00405653 . 33D2 xor edx,edx
00405655 . 66:83FB 1F cmp bx,1F ; (sum - 0x104) is compared with 0x1F, i.e. the four upper-cased characters must sum to 0x123
00405659 . 0F94C2 sete dl
0040565C . F7DA neg edx
0040565E . 8BDA mov ebx,edx
00405660 . 50 push eax
00405661 . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00405664 . 51 push ecx
00405665 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
00405668 . 52 push edx
00405669 . 50 push eax
0040566A . 6A 04 push 4
0040566C . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00405672 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00405678 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0040567E . 51 push ecx
0040567F . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00405685 . 52 push edx
00405686 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405689 . 50 push eax
0040568A . 51 push ecx
0040568B . 6A 04 push 4
0040568D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
00405693 . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-18C]
00405699 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
0040569F . 52 push edx
004056A0 . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
004056A6 . 50 push eax
004056A7 . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
004056AD . 51 push ecx
004056AE . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
004056B4 . 52 push edx
004056B5 . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C]
004056BB . 50 push eax
004056BC . 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-12C]
004056C2 . 51 push ecx
004056C3 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004056C9 . 52 push edx
004056CA . 8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-10C]
004056D0 . 50 push eax
004056D1 . 8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC]
004056D7 . 51 push ecx
004056D8 . 52 push edx
004056D9 . 8D85 14FFFFFF lea eax,dword ptr ss:[ebp-EC]
004056DF . 8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
004056E5 . 50 push eax
004056E6 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
004056EC . 51 push ecx
004056ED . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004056F3 . 52 push edx
004056F4 . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC]
004056FA . 50 push eax
004056FB . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00405701 . 51 push ecx
00405702 . 52 push edx
00405703 . 6A 10 push 10
00405705 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__>
0040570B . 83C4 6C add esp,6C
0040570E . 66:3BDF cmp bx,di
00405711 . 0F84 2E020000 je crackme.00405945 ; not equal -> game over; patch point 3, nop it out
00405717 . 8B06 mov eax,dword ptr ds:[esi]
00405719 . 56 push esi
0040571A . FF90 00030000 call dword ptr ds:[eax+300]
00405720 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405723 . 50 push eax
00405724 . 51 push ecx
00405725 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
0040572B . 8BD8 mov ebx,eax
0040572D . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00405730 . 50 push eax
00405731 . 53 push ebx
00405732 . 8B13 mov edx,dword ptr ds:[ebx]
00405734 . FF92 A0000000 call dword ptr ds:[edx+A0]
0040573A . 3BC7 cmp eax,edi
0040573C . DBE2 fclex
0040573E . 7D 12 jge short crackme.00405752
00405740 . 68 A0000000 push 0A0
00405745 . 68 901E4000 push crackme.00401E90
0040574A . 53 push ebx
0040574B . 50 push eax
0040574C . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405752 > 8B0E mov ecx,dword ptr ds:[esi]
00405754 . 56 push esi
00405755 . FF91 00030000 call dword ptr ds:[ecx+300]
0040575B . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00405761 . 50 push eax
00405762 . 52 push edx
00405763 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405769 . 8BD8 mov ebx,eax
0040576B . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
0040576E . 51 push ecx
0040576F . 53 push ebx
00405770 . 8B03 mov eax,dword ptr ds:[ebx]
00405772 . FF90 A0000000 call dword ptr ds:[eax+A0]
00405778 . 3BC7 cmp eax,edi
0040577A . DBE2 fclex
0040577C . 7D 12 jge short crackme.00405790
0040577E . 68 A0000000 push 0A0
00405783 . 68 901E4000 push crackme.00401E90
00405788 . 53 push ebx
00405789 . 50 push eax
0040578A . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405790 > 8B55 9C mov edx,dword ptr ss:[ebp-64]
00405793 . 52 push edx
00405794 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>
0040579A . 83E8 01 sub eax,1
0040579D . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
004057A3 . 0F80 68060000 jo crackme.00405E11
004057A9 . 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
004057AF . 8B45 A0 mov eax,dword ptr ss:[ebp-60]
004057B2 . 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
004057B8 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004057BE . 50 push eax
004057BF . 6A 05 push 5 ; constant 5
004057C1 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
004057C7 . 51 push ecx
004057C8 . 52 push edx
004057C9 . C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],3
004057D3 . 897D A0 mov dword ptr ss:[ebp-60],edi
004057D6 . C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],8
004057E0 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#6> ; MSVBVM60.rtcMidCharVar
004057E6 . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] ; take the rest of the code, starting at the 5th character
004057EC . 50 push eax ; second half of the code, "1234"
004057ED . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__>
004057F3 . 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60>
004057F9 . 8BD0 mov edx,eax
004057FB . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004057FE . FFD3 call ebx
00405800 . 8B0E mov ecx,dword ptr ds:[esi]
00405802 . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00405805 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00405808 . 52 push edx
00405809 . 50 push eax
0040580A . 56 push esi
0040580B . FF91 14070000 call dword ptr ds:[ecx+714] ; 00402B11, key CALL-1, F7 into it
00405811 . 8B55 94 mov edx,dword ptr ss:[ebp-6C]
00405814 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00405817 . 897D 94 mov dword ptr ss:[ebp-6C],edi
0040581A . FFD3 call ebx
0040581C . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0040581F . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00405822 . 51 push ecx
00405823 . 52 push edx
00405824 . 6A 02 push 2
00405826 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
0040582C . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00405832 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405835 . 50 push eax
00405836 . 51 push ecx
00405837 . 6A 02 push 2
00405839 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
0040583F . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
00405845 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
0040584B . 52 push edx
0040584C . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00405852 . 50 push eax
00405853 . 51 push ecx
00405854 . 6A 03 push 3
00405856 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__>
0040585C . 8B55 A4 mov edx,dword ptr ss:[ebp-5C]
0040585F . 83C4 28 add esp,28
00405862 . 52 push edx
00405863 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaLenBstr
00405869 . 8BC8 mov ecx,eax ; length of the string produced by key CALL-1
0040586B . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
00405871 . 8945 A8 mov dword ptr ss:[ebp-58],eax ; EAX=0x3
00405874 . 8B06 mov eax,dword ptr ds:[esi]
00405876 . 56 push esi
00405877 . FF90 FC020000 call dword ptr ds:[eax+2FC]
0040587D . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405880 . 50 push eax
00405881 . 51 push ecx
00405882 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405888 . 8BD8 mov ebx,eax
0040588A . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
0040588D . 50 push eax
0040588E . 53 push ebx
0040588F . 8B13 mov edx,dword ptr ds:[ebx]
00405891 . FF92 A0000000 call dword ptr ds:[edx+A0]
00405897 . 3BC7 cmp eax,edi
00405899 . DBE2 fclex
0040589B . 7D 12 jge short crackme.004058AF
0040589D . 68 A0000000 push 0A0
004058A2 . 68 901E4000 push crackme.00401E90
004058A7 . 53 push ebx
004058A8 . 50 push eax
004058A9 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
004058AF > 8B4D A0 mov ecx,dword ptr ss:[ebp-60] ; user name "hrbx"
004058B2 . 51 push ecx
004058B3 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__> ; get the user name length
004058B9 . 8BC8 mov ecx,eax ; EAX=0x4
004058BB . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
004058C1 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004058C4 . 8BD8 mov ebx,eax
004058C6 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
004058CC . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004058CF . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
004058D5 . 0FBF55 A8 movsx edx,word ptr ss:[ebp-58]
004058D9 . 8995 C8FDFFFF mov dword ptr ss:[ebp-238],edx
004058DF . DB85 C8FDFFFF fild dword ptr ss:[ebp-238]
004058E5 . 0FBFC3 movsx eax,bx
004058E8 . DD9D C0FDFFFF fstp qword ptr ss:[ebp-240]
004058EE . 8985 BCFDFFFF mov dword ptr ss:[ebp-244],eax
004058F4 . DB85 BCFDFFFF fild dword ptr ss:[ebp-244]
004058FA . DD9D B4FDFFFF fstp qword ptr ss:[ebp-24C]
00405900 . DD85 C0FDFFFF fld qword ptr ss:[ebp-240] ; length of the string produced by key CALL-1
00405906 . 833D 00704000 0>cmp dword ptr ds:[407000],0
0040590D . 75 08 jnz short crackme.00405917
0040590F . DCB5 B4FDFFFF fdiv qword ptr ss:[ebp-24C] ; divided by the user name length
00405915 . EB 11 jmp short crackme.00405928
00405917 > FFB5 B8FDFFFF push dword ptr ss:[ebp-248]
0040591D . FFB5 B4FDFFFF push dword ptr ss:[ebp-24C]
00405923 . E8 BCB9FFFF call <jmp.&MSVBVM60._adj_fdiv_m6>
00405928 > DFE0 fstsw ax
0040592A . A8 0D test al,0D
0040592C . 0F85 DA040000 jnz crackme.00405E0C
00405932 . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__>
00405938 . DC1D A8124000 fcomp qword ptr ds:[4012A8]
0040593E . DFE0 fstsw ax
00405940 . F6C4 40 test ah,40
00405943 . 75 0A jnz short crackme.0040594F ; not evenly divisible -> game over; patch point 4, change to jmp
00405945 > B8 03000000 mov eax,3
0040594A . E9 83000000 jmp crackme.004059D2
0040594F > 66:2B5D A8 sub bx,word ptr ss:[ebp-58] ; user name length - length of the string from key CALL-1 (BX holds the user name length)
00405953 . 0F80 B8040000 jo crackme.00405E11
00405959 . 66:85DB test bx,bx
0040595C . 75 71 jnz short crackme.004059CF ; not 0 -> game over; patch point 5, change to nop
0040595E . 8B0E mov ecx,dword ptr ds:[esi]
00405960 . 56 push esi
00405961 . FF91 FC020000 call dword ptr ds:[ecx+2FC]
00405967 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
0040596A . 50 push eax
0040596B . 52 push edx
0040596C . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405972 . 8BF0 mov esi,eax
00405974 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00405977 . 51 push ecx
00405978 . 56 push esi
00405979 . 8B06 mov eax,dword ptr ds:[esi]
0040597B . FF90 A0000000 call dword ptr ds:[eax+A0]
00405981 . 3BC7 cmp eax,edi
00405983 . DBE2 fclex
00405985 . 7D 12 jge short crackme.00405999
00405987 . 68 A0000000 push 0A0
0040598C . 68 901E4000 push crackme.00401E90
00405991 . 56 push esi
00405992 . 50 push eax
00405993 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405999 > 8B55 A4 mov edx,dword ptr ss:[ebp-5C]
0040599C . 8B45 A0 mov eax,dword ptr ss:[ebp-60]
0040599F . 52 push edx
004059A0 . 50 push eax
004059A1 . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__> ; compare the user name with the string produced by key CALL-1
004059A7 . 8BF0 mov esi,eax
004059A9 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004059AC . F7DE neg esi
004059AE . 1BF6 sbb esi,esi
004059B0 . 46 inc esi
004059B1 . F7DE neg esi
004059B3 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
004059B9 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004059BC . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
004059C2 . 33C0 xor eax,eax
004059C4 . 66:3BF7 cmp si,di
004059C7 0F95C0 setne al ; not equal -> game over; patch point 6, change to sete
004059CA . 83C0 03 add eax,3
004059CD . EB 03 jmp short crackme.004059D2

Press F7 at 0040580B to enter key CALL-1, arriving at:

00402B11 . /E9 7A130000 jmp crackme.00403E90 ; arrives here
00402B16 . |816C24 04 FFFF0>sub dword ptr ss:[esp+4],0FFFF

Single-step with F8, arriving at:

00403E90 > \55 push ebp ; F8 lands here
00403E91 . 8BEC mov ebp,esp
00403E93 . 83EC 0C sub esp,0C
00403E96 . 68 C6124000 push <jmp.&MSVBVM60.__vbaExceptH> ; SE handler installation
00403E9B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00403EA1 . 50 push eax
00403EA2 . 64:8925 0000000>mov dword ptr fs:[0],esp
00403EA9 . 81EC 98000000 sub esp,98
00403EAF . 53 push ebx
00403EB0 . 56 push esi
00403EB1 . 57 push edi
00403EB2 . 8965 F4 mov dword ptr ss:[ebp-C],esp
00403EB5 . C745 F8 2012400>mov dword ptr ss:[ebp-8],crackme>
00403EBC . 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
00403EBF . 8B55 0C mov edx,dword ptr ss:[ebp+C]
00403EC2 . 33C0 xor eax,eax
00403EC4 . 8945 D4 mov dword ptr ss:[ebp-2C],eax
00403EC7 . 8945 D0 mov dword ptr ss:[ebp-30],eax
00403ECA . 8945 CC mov dword ptr ss:[ebp-34],eax
00403ECD . 8945 C8 mov dword ptr ss:[ebp-38],eax
00403ED0 . 8945 B8 mov dword ptr ss:[ebp-48],eax
00403ED3 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
00403ED6 . 8901 mov dword ptr ds:[ecx],eax
00403ED8 . 8B02 mov eax,dword ptr ds:[edx]
00403EDA . 50 push eax ; second half of the code, "1234"
00403EDB . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaLenBstr
00403EE1 . 8BC8 mov ecx,eax ; get the string length, EAX=0x4
00403EE3 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaI2I4
00403EE9 . 8B7D 08 mov edi,dword ptr ss:[ebp+8]
00403EEC . 8B35 48114000 mov esi,dword ptr ds:[<&MSVBVM60>
00403EF2 . BB 01000000 mov ebx,1
00403EF7 . 8945 9C mov dword ptr ss:[ebp-64],eax
00403EFA . 895D E4 mov dword ptr ss:[ebp-1C],ebx
00403EFD > 66:3B5D 9C cmp bx,word ptr ss:[ebp-64]
00403F01 . 0F8F A2030000 jg crackme.004042A9
00403F07 . 8B45 0C mov eax,dword ptr ss:[ebp+C]
00403F0A . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403F0D . 0FBFD3 movsx edx,bx
00403F10 . 51 push ecx
00403F11 . 8B08 mov ecx,dword ptr ds:[eax]
00403F13 . 52 push edx
00403F14 . 51 push ecx
00403F15 . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403F1C . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403F23 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6> ; MSVBVM60.rtcMidCharBstr
00403F29 . 8BD0 mov edx,eax ; 1st character of "1234", "1"
00403F2B . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00403F2E . FFD6 call esi
00403F30 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00403F33 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403F36 . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
00403F3D . FFD6 call esi
00403F3F . 8B17 mov edx,dword ptr ds:[edi]
00403F41 . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00403F44 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403F47 . 50 push eax
00403F48 . 51 push ecx
00403F49 . 57 push edi
00403F4A . FF92 1C070000 call dword ptr ds:[edx+71C] ; key CALL-2, F7 into it
00403F50 . 8B55 A4 mov edx,dword ptr ss:[ebp-5C] ; EDX=0x35 (53), call it Num1
00403F53 . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00403F56 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403F59 . 50 push eax
00403F5A . 51 push ecx
00403F5B . 6A 02 push 2
00403F5D . 8955 E8 mov dword ptr ss:[ebp-18],edx
00403F60 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00403F66 . 83C4 0C add esp,0C
00403F69 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403F6C . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
00403F72 . 66:8BC3 mov ax,bx
00403F75 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00403F78 . 66:05 0100 add ax,1
00403F7C . 52 push edx
00403F7D . 8B55 0C mov edx,dword ptr ss:[ebp+C]
00403F80 . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403F87 . 0F80 88030000 jo crackme.00404315
00403F8D . 0FBFC8 movsx ecx,ax
00403F90 . 8B02 mov eax,dword ptr ds:[edx]
00403F92 . 51 push ecx
00403F93 . 50 push eax
00403F94 . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403F9B . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6> ; MSVBVM60.rtcMidCharBstr
00403FA1 . 8BD0 mov edx,eax ; 2nd character of "1234", "2"
00403FA3 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00403FA6 . FFD6 call esi
00403FA8 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00403FAB . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403FAE . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
00403FB5 . FFD6 call esi
00403FB7 . 8B0F mov ecx,dword ptr ds:[edi]
00403FB9 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
00403FBC . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00403FBF . 52 push edx
00403FC0 . 50 push eax
00403FC1 . 57 push edi
00403FC2 . FF91 1C070000 call dword ptr ds:[ecx+71C] ; same as key CALL-2
00403FC8 . 8B4D A4 mov ecx,dword ptr ss:[ebp-5C] ; ECX=0x36 (54), call it Num2
00403FCB . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00403FCE . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00403FD1 . 52 push edx
00403FD2 . 50 push eax
00403FD3 . 6A 02 push 2
00403FD5 . 894D E0 mov dword ptr ss:[ebp-20],ecx
00403FD8 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00403FDE . 83C4 0C add esp,0C
00403FE1 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403FE4 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
00403FEA . 66:83C3 02 add bx,2
00403FEE . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403FF1 . 0F80 1E030000 jo crackme.00404315
00403FF7 . 0FBFD3 movsx edx,bx
00403FFA . 51 push ecx
00403FFB . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00404002 . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00404009 . 52 push edx
0040400A . 8B45 0C mov eax,dword ptr ss:[ebp+C]
0040400D . 8B08 mov ecx,dword ptr ds:[eax]
0040400F . 51 push ecx
00404010 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6> ; MSVBVM60.rtcMidCharBstr
00404016 . 8BD0 mov edx,eax ; 3rd character of "1234", "3"
00404018 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0040401B . FFD6 call esi
0040401D . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00404020 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404023 . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
0040402A . FFD6 call esi
0040402C . 8B17 mov edx,dword ptr ds:[edi]
0040402E . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00404031 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404034 . 50 push eax
00404035 . 51 push ecx
00404036 . 57 push edi
00404037 . FF92 1C070000 call dword ptr ds:[edx+71C] ; same as key CALL-2
0040403D . 8B5D A4 mov ebx,dword ptr ss:[ebp-5C] ; EBX=0x37 (55), call it Num3
00404040 . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00404043 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00404046 . 52 push edx
00404047 . 50 push eax
00404048 . 6A 02 push 2
0040404A . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00404050 . 83C4 0C add esp,0C
00404053 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00404056 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
0040405C . 66:8B55 E4 mov dx,word ptr ss:[ebp-1C]
00404060 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00404063 . 66:83C2 03 add dx,3
00404067 . 51 push ecx
00404068 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
0040406B . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00404072 . 0F80 9D020000 jo crackme.00404315
00404078 . 0FBFC2 movsx eax,dx
0040407B . 8B11 mov edx,dword ptr ds:[ecx]
0040407D . 50 push eax
0040407E . 52 push edx
0040407F . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00404086 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6> ; MSVBVM60.rtcMidCharBstr
0040408C . 8BD0 mov edx,eax ; 4th character of "1234", "4"
0040408E . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00404091 . FFD6 call esi
00404093 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00404096 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404099 . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
004040A0 . FFD6 call esi
004040A2 . 8B07 mov eax,dword ptr ds:[edi]
004040A4 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
004040A7 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004040AA . 51 push ecx
004040AB . 52 push edx
004040AC . 57 push edi
004040AD . FF90 1C070000 call dword ptr ds:[eax+71C] ; same as key CALL-2
004040B3 . 8B45 A4 mov eax,dword ptr ss:[ebp-5C] ; EAX=0x38 (56), call it Num4
004040B6 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004040B9 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004040BC . 51 push ecx
004040BD . 52 push edx
004040BE . 6A 02 push 2
004040C0 . 8945 D8 mov dword ptr ss:[ebp-28],eax
004040C3 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
004040C9 . 83C4 0C add esp,0C
004040CC . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004040CF . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
004040D5 . 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004040D8 . 66:85C0 test ax,ax
004040DB . 0F8C AD000000 jl crackme.0040418E ; a negative Num2 skips the first output character
004040E1 . 0FBFD0 movsx edx,ax
004040E4 . 8955 80 mov dword ptr ss:[ebp-80],edx ; EDX=0x36 (54), Num2
004040E7 . 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
004040EA . DB45 80 fild dword ptr ss:[ebp-80]
004040ED . 51 push ecx
004040EE . DD9D 78FFFFFF fstp qword ptr ss:[ebp-88] ; st=54.0
004040F4 . DD85 78FFFFFF fld qword ptr ss:[ebp-88]
004040FA . 833D 00704000 0>cmp dword ptr ds:[407000],0
00404101 . 75 08 jnz short crackme.0040410B
00404103 . DC35 18124000 fdiv qword ptr ds:[401218] ; Num2/16.0, ds:[00401218]=16.0
00404109 . EB 11 jmp short crackme.0040411C
0040410B > FF35 1C124000 push dword ptr ds:[40121C]
00404111 . FF35 18124000 push dword ptr ds:[401218]
00404117 . E8 C8D1FFFF call <jmp.&MSVBVM60._adj_fdiv_m6>
0040411C > DFE0 fstsw ax
0040411E . A8 0D test al,0D
00404120 . 0F85 EA010000 jnz crackme.00404310
00404126 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__> ; integer part of the quotient, Int(Num2/16.0), ST0=3.0
0040412C . 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; EAX=0x35, Num1
0040412F . 66:6BC0 04 imul ax,ax,4 ; AX=Num1*4
00404133 . 0F80 DC010000 jo crackme.00404315
00404139 . 0FBFC0 movsx eax,ax
0040413C . 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
00404142 . DB85 74FFFFFF fild dword ptr ss:[ebp-8C]
00404148 . DD9D 6CFFFFFF fstp qword ptr ss:[ebp-94]
0040414E . DC85 6CFFFFFF fadd qword ptr ss:[ebp-94] ; Num1*4+Int(Num2/16.0)
00404154 . DFE0 fstsw ax
00404156 . A8 0D test al,0D
00404158 . 0F85 B2010000 jnz crackme.00404310
0040415E . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaFpI4
00404164 . 25 FF000000 and eax,0FF ; EAX=EAX and 0xFF
00404169 . 50 push eax ; EAX=0xD7
0040416A . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcBstrFromAnsi
00404170 . 8BD0 mov edx,eax ; the character with that ASCII value
00404172 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404175 . FFD6 call esi
00404177 . 50 push eax
00404178 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaStrCat
0040417E . 8BD0 mov edx,eax ; string concatenation
00404180 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00404183 . FFD6 call esi
00404185 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404188 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
0040418E > 66:85DB test bx,bx
00404191 . 0F8C B3000000 jl crackme.0040424A ; a negative Num3 skips the second output character
00404197 . 0FBFD3 movsx edx,bx
0040419A . 8995 68FFFFFF mov dword ptr ss:[ebp-98],edx ; EDX=0x37 (55), Num3
004041A0 . 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
004041A3 . DB85 68FFFFFF fild dword ptr ss:[ebp-98]
004041A9 . 51 push ecx
004041AA . DD9D 60FFFFFF fstp qword ptr ss:[ebp-A0] ; st=55.0
004041B0 . DD85 60FFFFFF fld qword ptr ss:[ebp-A0]
004041B6 . 833D 00704000 0>cmp dword ptr ds:[407000],0
004041BD . 75 08 jnz short crackme.004041C7
004041BF . DC35 10124000 fdiv qword ptr ds:[401210] ; Num3/4.0, ds:[00401210]=4.0
004041C5 . EB 11 jmp short crackme.004041D8
004041C7 > FF35 14124000 push dword ptr ds:[401214]
004041CD . FF35 10124000 push dword ptr ds:[401210]
004041D3 . E8 0CD1FFFF call <jmp.&MSVBVM60._adj_fdiv_m6>
004041D8 > DFE0 fstsw ax
004041DA . A8 0D test al,0D
004041DC . 0F85 2E010000 jnz crackme.00404310
004041E2 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__> ; integer part of the quotient, Int(Num3/4.0), ST0=13.0
004041E8 . 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; EAX=0x36, Num2
004041EB . 66:6BC0 10 imul ax,ax,10 ; AX=Num2*0x10
004041EF . 0F80 20010000 jo crackme.00404315
004041F5 . 0FBFC0 movsx eax,ax
004041F8 . 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
004041FE . DB85 5CFFFFFF fild dword ptr ss:[ebp-A4]
00404204 . DD9D 54FFFFFF fstp qword ptr ss:[ebp-AC]
0040420A . DC85 54FFFFFF fadd qword ptr ss:[ebp-AC] ; Num2*0x10+Int(Num3/4.0)
00404210 . DFE0 fstsw ax
00404212 . A8 0D test al,0D
00404214 . 0F85 F6000000 jnz crackme.00404310
0040421A . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__>
00404220 . 25 FF000000 and eax,0FF ; EAX=EAX and 0xFF
00404225 . 50 push eax ; EAX=0x6D
00404226 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcBstrFromAnsi
0040422C . 8BD0 mov edx,eax ; the character with that ASCII value
0040422E . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404231 . FFD6 call esi
00404233 . 50 push eax
00404234 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaStrCat
0040423A . 8BD0 mov edx,eax ; string concatenation
0040423C . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0040423F . FFD6 call esi
00404241 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404244 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
0040424A > 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; EAX=0x38 (56), Num4
0040424D . 66:85C0 test ax,ax
00404250 . 7C 42 jl short crackme.00404294 ; a negative Num4 skips the third output character
00404252 . 66:6BDB 40 imul bx,bx,40 ; BX=Num3*0x40 (BX still holds Num3 from 0040403D)
00404256 . 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
00404259 . 0F80 B6000000 jo crackme.00404315
0040425F . 66:03D8 add bx,ax ; BX=Num3*0x40+Num4
00404262 . 51 push ecx
00404263 . 0F80 AC000000 jo crackme.00404315
00404269 . 81E3 FF000000 and ebx,0FF ; EBX=EBX and 0xFF
0040426F . 53 push ebx ; EBX=0xF8
00404270 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5> ; MSVBVM60.rtcBstrFromAnsi
00404276 . 8BD0 mov edx,eax ; the character with that ASCII value
00404278 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040427B . FFD6 call esi
0040427D . 50 push eax
0040427E . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__> ; MSVBVM60.__vbaStrCat
00404284 . 8BD0 mov edx,eax ; string concatenation

Press F7 at 00403F4A to enter key CALL-2, arriving at:

00402B2B . /E9 D0180000 jmp crackme.00404400 ; arrives here
00402B30 . |816C24 04 FFFF0>sub dword ptr ss:[esp+4],0FFFF

Single-step with F8, arriving at:

00404400 > \56 push esi
00404401 . 8B7424 0C mov esi,dword ptr ss:[esp+C]
00404405 . 8B06 mov eax,dword ptr ds:[esi]
00404407 . 50 push eax
00404408 .
FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaLenBstr 0040440E . 85C0 test eax,eax 00404410 . 75 10 jnz short crackme.00404422 00404412 . 8B4C24 10 mov ecx,dword ptr ss:[esp+10] 00404416 . 83C8 FF or eax,FFFFFFFF 00404419 . 5E pop esi 0040441A . 66:8901 mov word ptr ds:[ecx],ax 0040441D . 33C0 xor eax,eax 0040441F . C2 0C00 retn 0C 00404422 > 8B16 mov edx,dword ptr ds:[esi] 00404424 . 6A 01 push 1 00404426 . 68 201C4000 push crackme.00401C20 ; 固定字符串"ABCDEFGHIJKLMNOPQRSTUVWXYZ ; abcdefghijklmnopqrstuvwxyz0123456789+/" 0040442B . 52 push edx ; 字符串"1234"第1位字符,"1" 0040442C . 6A 00 push 0 0040442E . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaInStr 00404434 . 8BC8 mov ecx,eax ; 查找字符"1"在固定字符串中的位置 00404436 . 83E9 01 sub ecx,1 ; ECX=ECX-1 00404439 . 70 13 jo short crackme.0040444E 0040443B . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__> 00404441 . 8B4C24 10 mov ecx,dword ptr ss:[esp+10] 00404445 . 5E pop esi 00404446 . 66:8901 mov word ptr ds:[ecx],ax ; AX=0x35 00404449 . 33C0 xor eax,eax 0040444B . 
C2 0C00 retn 0C ----------------------------------------------------------------------------------------------- 【破解总结】 1.用户名长度必须为3的倍数,注册长度必须为4的倍数。 2.注册码前4位字符的ASCII值之和必须等于0x123。 3.从注册码第5位字符开始,每4位字符为一组,分别记为S[I],S[I+1],S[I+2],S[I+3]。 4.从用户名第1位字符开始,每3位字符为一组,分别记为N[I],N[I+1],N[I+2]。 5.计算(S[I]*4+Int(S[I+1]/16)) And 0xFF,(S[I+1]*16+Int(S[I+2]/4)) And 0xFF,(S[I+2]*0x40+S[I+3]) And 0xFF。 6.第5步计算结果若分别与N[I],N[I+1],N[I+2]相等则注册成功。 一组可用注册信息: ==================================================== 注册名:hrbhui 注册码:HRBGaHJiaHVp ==================================================== 暴破更改以下位置:(输入3位以上注册码,用户名不为空) 004052E5 je short crackme.004052F1 ; je=====>Jmp 00405355 je short crackme.00405361 ; je=====>Jmp 00405711 je crackme.00405945 ; je=====>Nop 00405943 jnz short crackme.0040594F ; jnz====>Jmp 0040595C jnz short crackme.004059CF ; jnz====>Nop 004059C7 setne al ; setne==>sete ----------------------------------------------------------------------------------------------- 【VB注册机源码】 Private Sub Generate_Click() Dim UserName As String Dim Serial As String Dim TmpStr As String Dim TmpStr1 As Integer Dim TmpStr2 As Integer Dim TmpStr3 As Integer Dim i As Integer Dim Length As Integer Dim TmpNum1 As Integer Dim TmpNum2 As Integer Dim TmpNum3 As Integer Dim Num1 As Integer Dim Num2 As Integer Dim Num3 As Integer Dim Num4 As Integer On Error Resume Next TmpStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" If Text1.Text = "" Then Text2.Text = "请输入用户名!" 
Else UserName = Trim(Text1.Text) Length = Len(UserName) For i = 1 To Length - 2 Step 3 TmpStr1 = Asc(Mid$(UserName, i, 1)) TmpStr2 = Asc(Mid$(UserName, i + 1, 1)) TmpStr3 = Asc(Mid$(UserName, i + 2, 1)) For Num2 = 0 To 63 For Num1 = 0 To 63 For Num3 = 0 To 63 TmpNum1 = (Num1 * 4 + Int(Num2 / 16)) And &HFF TmpNum2 = (Num2 * 16 + Int(Num3 / 4)) And &HFF For Num4 = 0 To 63 TmpNum3 = (Num3 * 64 + Num4) And &HFF If (TmpNum1 = TmpStr1) And (TmpNum2 = TmpStr2) And (TmpNum3 = TmpStr3) Then Serial = Serial & Mid(TmpStr, Num1 + 1, 1) & Mid(TmpStr, Num2 + 1, 1) &_ Mid(TmpStr, Num3 + 1, 1) & Mid(TmpStr, Num4 + 1, 1) End If Next Num4 Next Num3 Next Num1 Next Num2 Next i Text2.Text = "HRBG" & Serial End If End Sub |
Thread starter | Posted: 07-11-27 10:34
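The summary above is a description of base64 decoding: the fixed string at 00401C20 is the standard base64 alphabet, key CALL-2 returns each serial character's 0-based index in it, and the three step-5 formulas repack four 6-bit indexes into three bytes. The Python below is an added example, not the CrackMe's code and not the author's VB keygen. It implements the check in closed form and a keygen that simply base64-encodes the user name behind a 4-character header summing to 0x123, instead of the 64^4 brute force in the VB source, and cross-checks the page's arithmetic against the standard library's decoder. Two assumptions are made that the page does not state: the decoded serial body must equal the whole user name (the page gives only the divisibility rules, not how extra groups would be treated), and user names are single-byte characters, matching VB's Asc.

```python
"""Verifier and keygen for Kain's first CrackMe, reconstructed from the summary above.

Added example (not the CrackMe's code or the author's VB keygen). The check is
plain base64: the fixed string at 00401C20 is the base64 alphabet, key CALL-2
returns a character's 0-based index in it, and step 5 repacks four 6-bit
indexes into three bytes.
"""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HEADER_SUM = 0x123       # required sum of the first four serial characters' codes (step 2)
DEFAULT_HEADER = "HRBG"  # the header the author used: 0x48+0x52+0x42+0x47 == 0x123


def decode_group(group: str) -> bytes:
    """Step 5 of the summary for one 4-character group S[0..3].

    Raises ValueError for a character outside the fixed string (the target's
    InStr would return 0 there, giving an index of -1).
    """
    s = [ALPHABET.index(c) for c in group]
    return bytes([
        (s[0] * 4 + s[1] // 16) & 0xFF,   # all 6 bits of S0, top 2 bits of S1
        (s[1] * 16 + s[2] // 4) & 0xFF,   # low 4 bits of S1, top 4 bits of S2
        (s[2] * 64 + s[3]) & 0xFF,        # low 2 bits of S2, all 6 bits of S3
    ])


def verify(username: str, serial: str) -> bool:
    """Reproduce the target's accept/reject decision for a name/serial pair."""
    # Step 1: lengths (an empty name or a serial of 4 or fewer characters is rejected).
    if not username or len(username) % 3 != 0:
        return False
    if len(serial) <= 4 or len(serial) % 4 != 0:
        return False
    # Step 2: header sum.
    if sum(ord(c) for c in serial[:4]) != HEADER_SUM:
        return False
    # Steps 3-6: every 4-char group must reproduce the matching 3 name characters.
    # Assumption: the decoded body must equal the whole user name; the page states
    # only the divisibility rules, not how extra groups would be treated.
    body = serial[4:]
    try:
        decoded = b"".join(decode_group(body[i:i + 4]) for i in range(0, len(body), 4))
        return decoded == username.encode("latin-1")   # VB's Asc is single-byte (assumption)
    except ValueError:                                  # bad alphabet char or non-Latin-1 name
        return False


def keygen(username: str, header: str = DEFAULT_HEADER) -> str:
    """Closed-form keygen: header plus base64 of the name.

    No '=' padding is ever produced because the name length is a multiple of 3,
    which is also why the target can insist on a serial length that is a multiple of 4.
    """
    if not username or len(username) % 3 != 0:
        raise ValueError("user name length must be a non-zero multiple of 3")
    if len(header) != 4 or sum(ord(c) for c in header) != HEADER_SUM:
        raise ValueError("header must be 4 characters whose codes sum to 0x123")
    return header + base64.b64encode(username.encode("latin-1")).decode("ascii")


def matches_stdlib(group: str) -> bool:
    """Cross-check: the page's arithmetic equals the standard base64 decoder."""
    return decode_group(group) == base64.b64decode(group)


if __name__ == "__main__":
    name = "hrbhui"
    serial = keygen(name)
    print(name, serial, verify(name, serial))   # hrbhui HRBGaHJiaHVp True
    print(decode_group("1234").hex())           # d76df8, the bytes traced above for "1234"
```

Running it with the name from the summary yields the author's serial HRBGaHJiaHVp, and decoding the group "1234" from the trial serial gives 0xD7, 0x6D, 0xF8, the three values seen in the trace at 00404169, 00404225 and 0040426F. Any other 4-character header whose codes sum to 0x123 works equally well, which is why the header is a parameter.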
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.