我是用户
发表于 2013-6-21 16:17
本帖最后由 我是用户 于 2013-7-4 00:58 编辑
【软件名称】: VB Crack1
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见附件
【软件语言】: VB
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
前言:
OK!今天是第一课。大家好,先自我介绍一下:大家可以叫我小Y。也不懂当初为什么会取"我是用户"这个名,现在感觉怪怪的。好吧,言归正传。本教程面向新手,这里的新手是指会使用OD、有一定汇编基础的新手;如果你什么都不了解,建议先看恒大的新手教程,写得很详细。
1.查壳。
因为这一系列的Crack都是VB程序,所以不用查,闭着眼睛都知道是VB写的;不过如果拿到的是一个陌生的软件,记得第一步就是查壳。
2.收集信息,开搞。
打开VBCrack1。
如图1:
我们输入用户名和错误的注册码,没反应,怎么办?我们可以下断vbaLenBstr。
如图2:
重新输入用户名和错误的注册码,OD断点。
如图3:
我们向前找到函数头部,下断。
00408390 > \55 push ebp
具体分析代码如下:
00408390 > \55 push ebp
00408391 . 8BEC mov ebp,esp
00408393 . 83EC 14 sub esp,0x14
00408396 . 68 46164000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE 处理程序安装
0040839B . 64:A1 0000000>mov eax,dword ptr fs:[0]
004083A1 . 50 push eax ; Unpacked.00404B05
004083A2 . 64:8925 00000>mov dword ptr fs:[0],esp
004083A9 . 81EC E8000000 sub esp,0xE8
004083AF . 53 push ebx
004083B0 . 56 push esi
004083B1 . 57 push edi
004083B2 . 8965 EC mov dword ptr ss:[ebp-0x14],esp
004083B5 . C745 F0 70114>mov dword ptr ss:[ebp-0x10],Unpacked.00401170
004083BC . 8B75 08 mov esi,dword ptr ss:[ebp+0x8]
004083BF . 8BC6 mov eax,esi
004083C1 . 83E0 01 and eax,0x1
004083C4 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; Unpacked.00404B05
004083C7 . 83E6 FE and esi,-0x2
004083CA . 8975 08 mov dword ptr ss:[ebp+0x8],esi
004083CD . 33FF xor edi,edi
004083CF . 897D F8 mov dword ptr ss:[ebp-0x8],edi
004083D2 . 8B0E mov ecx,dword ptr ds:[esi] ; MSVBVM60.7347B406
004083D4 . 56 push esi
004083D5 . FF51 04 call dword ptr ds:[ecx+0x4]
004083D8 . 897D D4 mov dword ptr ss:[ebp-0x2C],edi
004083DB . 897D D8 mov dword ptr ss:[ebp-0x28],edi
004083DE . 897D D0 mov dword ptr ss:[ebp-0x30],edi
004083E1 . 897D C0 mov dword ptr ss:[ebp-0x40],edi
004083E4 . 897D BC mov dword ptr ss:[ebp-0x44],edi
004083E7 . 897D B8 mov dword ptr ss:[ebp-0x48],edi
004083EA . 897D B4 mov dword ptr ss:[ebp-0x4C],edi
004083ED . 897D B0 mov dword ptr ss:[ebp-0x50],edi
004083F0 . 897D A0 mov dword ptr ss:[ebp-0x60],edi
004083F3 . 897D 90 mov dword ptr ss:[ebp-0x70],edi
004083F6 . 897D 80 mov dword ptr ss:[ebp-0x80],edi
004083F9 . 89BD 70FFFFFF mov dword ptr ss:[ebp-0x90],edi
004083FF . 89BD 60FFFFFF mov dword ptr ss:[ebp-0xA0],edi
00408405 . 6A 01 push 0x1 ; /OnErrEvent = Goto Address
00408407 . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaOnError>] ; \__vbaOnError
0040840D . 8B16 mov edx,dword ptr ds:[esi] ; MSVBVM60.7347B406
0040840F . 56 push esi
00408410 . FF92 FC020000 call dword ptr ds:[edx+0x2FC]
00408416 . 50 push eax ; Unpacked.00404B05
00408417 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
0040841A . 50 push eax ; Unpacked.00404B05
0040841B . 8B1D 60104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00408421 . FFD3 call ebx ; <&MSVBVM60.__vbaObjSet>
00408423 . 8BF8 mov edi,eax ; Unpacked.00404B05
00408425 . 8B0F mov ecx,dword ptr ds:[edi]
00408427 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
0040842A . 52 push edx
0040842B . 57 push edi
0040842C . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; 取用户名
00408432 . DBE2 fclex
00408434 . 85C0 test eax,eax ; Unpacked.00404B05
00408436 . 7D 12 jge short Unpacked.0040844A
00408438 . 68 A0000000 push 0xA0
0040843D . 68 D05A4000 push Unpacked.00405AD0
00408442 . 57 push edi
00408443 . 50 push eax ; Unpacked.00404B05
00408444 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
0040844A > 8B45 C0 mov eax,dword ptr ss:[ebp-0x40] ; eax为用户名
0040844D . 50 push eax ; Unpacked.00404B05
0040844E . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#rtcTrimBstr_519>] ; 去用户名中的空格
00408454 . 8BD0 mov edx,eax ; Unpacked.00404B05
00408456 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
00408459 . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
0040845F . 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
00408462 . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00408468 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040846B . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00408471 . 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00408474 . 51 push ecx ; /String = NULL
00408475 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
0040847B . 8BC8 mov ecx,eax ; 取用户名长度
0040847D . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; 4字节转成2字节
00408483 . 8945 DC mov dword ptr ss:[ebp-0x24],eax ; Unpacked.00404B05
00408486 . BF 01000000 mov edi,0x1
0040848B > 66:3B7D DC cmp di,word ptr ss:[ebp-0x24]
0040848F . 0F8F 31010000 jg Unpacked.004085C6
00408495 . 0FBFD7 movsx edx,di
00408498 . 8995 14FFFFFF mov dword ptr ss:[ebp-0xEC],edx
0040849E . DB85 14FFFFFF fild dword ptr ss:[ebp-0xEC]
004084A4 . DD9D 0CFFFFFF fstp qword ptr ss:[ebp-0xF4]
004084AA . DD85 0CFFFFFF fld qword ptr ss:[ebp-0xF4]
004084B0 . DC0D 98114000 fmul qword ptr ds:[0x401198] ; 数据1=i乘以760046(i的范围为1和len(用户名)之间)
004084B6 . DD5D C8 fstp qword ptr ss:[ebp-0x38]
004084B9 . DFE0 fstsw ax
004084BB . A8 0D test al,0xD
004084BD . 0F85 AA040000 jnz Unpacked.0040896D
004084C3 . 8B06 mov eax,dword ptr ds:[esi] ; MSVBVM60.7347B406
004084C5 . 56 push esi
004084C6 . FF90 FC020000 call dword ptr ds:[eax+0x2FC]
004084CC . 50 push eax ; Unpacked.00404B05
004084CD . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004084D0 . 51 push ecx
004084D1 . FFD3 call ebx
004084D3 . 8BD8 mov ebx,eax ; Unpacked.00404B05
004084D5 . 8B13 mov edx,dword ptr ds:[ebx]
004084D7 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
004084DA . 50 push eax ; Unpacked.00404B05
004084DB . 53 push ebx
004084DC . FF92 A0000000 call dword ptr ds:[edx+0xA0] ; 取用户名
004084E2 . DBE2 fclex
004084E4 . 85C0 test eax,eax ; Unpacked.00404B05
004084E6 . 7D 12 jge short Unpacked.004084FA
004084E8 . 68 A0000000 push 0xA0
004084ED . 68 D05A4000 push Unpacked.00405AD0
004084F2 . 53 push ebx
004084F3 . 50 push eax ; Unpacked.00404B05
004084F4 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
004084FA > C745 A8 01000>mov dword ptr ss:[ebp-0x58],0x1
00408501 . C745 A0 02000>mov dword ptr ss:[ebp-0x60],0x2
00408508 . 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
0040850B . 51 push ecx
0040850C . 8B95 14FFFFFF mov edx,dword ptr ss:[ebp-0xEC] ; USER32.77D28EB0
00408512 . 52 push edx
00408513 . 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
00408516 . 50 push eax ; Unpacked.00404B05
00408517 . FF15 84104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ; 分别取用户名第一位
0040851D . 8BD0 mov edx,eax ; Unpacked.00404B05
0040851F . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
00408522 . 8B1D 3C114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00408528 . FFD3 call ebx ; <&MSVBVM60.__vbaStrMove>
0040852A . 50 push eax ; /String = "乴$7"
0040852B . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ; \rtcAnsiValueBstr
00408531 . 0FBFC8 movsx ecx,ax ; 将字符转成ASCII码(相当于VB的ASC函数)
00408534 . 898D 08FFFFFF mov dword ptr ss:[ebp-0xF8],ecx
0040853A . DB85 08FFFFFF fild dword ptr ss:[ebp-0xF8]
00408540 . DD9D 00FFFFFF fstp qword ptr ss:[ebp-0x100]
00408546 . DD85 00FFFFFF fld qword ptr ss:[ebp-0x100]
0040854C . DC4D C8 fmul qword ptr ss:[ebp-0x38] ; 上一步转换成的ASCC码乘以数据1
0040854F . DFE0 fstsw ax
00408551 . A8 0D test al,0xD
00408553 . 0F85 14040000 jnz Unpacked.0040896D
00408559 . 83EC 08 sub esp,0x8
0040855C . DD1C24 fstp qword ptr ss:[esp]
0040855F . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
00408565 . 8BD0 mov edx,eax ; 将浮点转成字符串
00408567 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
0040856A . FFD3 call ebx
0040856C . 8D55 BC lea edx,dword ptr ss:[ebp-0x44]
0040856F . 52 push edx
00408570 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
00408573 . 50 push eax ; Unpacked.00404B05
00408574 . 6A 02 push 0x2
00408576 . FF15 08114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
0040857C . 83C4 0C add esp,0xC
0040857F . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00408582 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00408588 . 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
0040858B . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00408591 . 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00408594 . 51 push ecx ; 字符转成浮点
00408595 . FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
0040859B . DC45 D4 fadd qword ptr ss:[ebp-0x2C] ; 累加
0040859E . DD5D D4 fstp qword ptr ss:[ebp-0x2C]
004085A1 . DFE0 fstsw ax
004085A3 . A8 0D test al,0xD
004085A5 . 0F85 C2030000 jnz Unpacked.0040896D
004085AB . B8 01000000 mov eax,0x1 ; eax=1
004085B0 . 66:03C7 add ax,di ; ax=ax+di
004085B3 . 0F80 B9030000 jo Unpacked.00408972
004085B9 . 8BF8 mov edi,eax ; Unpacked.00404B05
004085BB . 8B1D 60104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004085C1 .^ E9 C5FEFFFF jmp Unpacked.0040848B
004085C6 > 8B16 mov edx,dword ptr ds:[esi] ; MSVBVM60.7347B406
004085C8 . 56 push esi
004085C9 . FF92 00030000 call dword ptr ds:[edx+0x300]
004085CF . 50 push eax ; Unpacked.00404B05
004085D0 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004085D3 . 50 push eax ; Unpacked.00404B05
004085D4 . FFD3 call ebx
004085D6 . 8BF8 mov edi,eax ; Unpacked.00404B05
004085D8 . 8B0F mov ecx,dword ptr ds:[edi]
004085DA . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004085DD . 52 push edx
004085DE . 57 push edi
004085DF . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; 取注册码
004085E5 . DBE2 fclex
004085E7 . 85C0 test eax,eax ; Unpacked.00404B05
004085E9 . 7D 12 jge short Unpacked.004085FD
004085EB . 68 A0000000 push 0xA0
004085F0 . 68 D05A4000 push Unpacked.00405AD0
004085F5 . 57 push edi
004085F6 . 50 push eax ; Unpacked.00404B05
004085F7 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
004085FD > 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
00408600 . 50 push eax ; Unpacked.00404B05
00408601 . FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; 将注册码转成浮点数
00408607 . DC5D D4 fcomp qword ptr ss:[ebp-0x2C] ; 真码和假码比较
0040860A . DFE0 fstsw ax
0040860C . F6C4 40 test ah,0x40
0040860F . 74 07 je short Unpacked.00408618
00408611 . B8 01000000 mov eax,0x1 ; 如果相等 ,标志位赋值eax=1
00408616 . EB 02 jmp short Unpacked.0040861A
00408618 > 33C0 xor eax,eax ; 否则标志位赋值0
0040861A > F7D8 neg eax ; Unpacked.00404B05
0040861C . 66:8BF8 mov di,ax
0040861F . 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
00408622 . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00408628 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040862B . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00408631 . 66:85FF test di,di
00408634 . 0F84 B9020000 je Unpacked.004088F3 ; 关键跳
0040863A . 8B0E mov ecx,dword ptr ds:[esi] ; MSVBVM60.7347B406
0040863C . 56 push esi
0040863D . FF91 00030000 call dword ptr ds:[ecx+0x300]
00408643 . 50 push eax ; Unpacked.00404B05
00408644 . 8D55 B0 lea edx,dword ptr ss:[ebp-0x50]
00408647 . 52 push edx
00408648 . FFD3 call ebx
0040864A . 8985 34FFFFFF mov dword ptr ss:[ebp-0xCC],eax ; Unpacked.00404B05
00408650 . 8B06 mov eax,dword ptr ds:[esi] ; MSVBVM60.7347B406
00408652 . 56 push esi
00408653 . FF90 FC020000 call dword ptr ds:[eax+0x2FC]
这个程序是明码比较,我们可以直接跟出注册码。具体的函数和流程分析我都注释在代码后面了,大家可以对照代码跟,我就不再赘述了。
爆破点为:
00408634 . 0F84 B9020000 je Unpacked.004088F3.
注册成功如图4所示:
今天的作业就是用自己的ID算出正确的注册码,并截图跟帖在下面,前三名有加分哦。
附正确的Key:
ID:我是用户
Key:-109296894938
如果实在跟不出,也可以参照我写的注册机,程序源码如下:
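' Keygen for VB Crack1: recomputes the serial the target derives from the user name.
' Mirrors the loop in the disassembly above: for i = 1 .. Len(User)
'   Sum = Sum + Asc(Mid(User, i, 1)) * (i * 760046)
' The target then converts the entered serial to a Double and compares it with Sum.
' Because the serial is a pure function of the user name, anyone who knows the
' formula can reproduce it for any name -- this is the weakness the exercise shows.
Private Sub Command1_Click()
    ' VB6 gotcha: "Dim a, b As Long" makes a Variant and only b Long.
    ' Every variable is typed explicitly so the arithmetic stays in Long/Double.
    Dim User As String
    Dim UserLen As Long, i As Long
    Dim Temp As Double, Sum As Double

    Sum = 0
    User = Text1.Text
    UserLen = Len(User)

    ' Empty name: Text2 is intentionally left unchanged.
    If UserLen <> 0 Then
        For i = 1 To UserLen
            ' Per-position weight; the # suffix forces a Double literal.
            Temp = i * 760046#
            ' Asc returns a signed Integer; for double-byte characters it can be
            ' negative, which is consistent with the negative key listed above for
            ' a Chinese-character ID (the target sign-extends with movsx) -- confirm.
            Sum = Sum + Asc(Mid(User, i, 1)) * Temp
        Next
        ' Double -> String conversion happens implicitly on assignment.
        Text2.Text = Sum
    End If
End Sub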
传送门==============================================================================
Crack实战系列教程-《VB系列-第一课》
http://www.52pojie.cn/thread-200996-1-1.html
Crack实战系列教程-《VB系列-第二课》
http://www.52pojie.cn/thread-201358-1-1.html
Crack实战系列教程-《VB系列-第三课》
http://www.52pojie.cn/thread-201748-1-1.html
Crack实战系列教程-《VB系列-第四课》
http://www.52pojie.cn/thread-202544-1-1.html
Crack实战系列教程-《VB系列-第五课》
http://www.52pojie.cn/thread-202545-1-1.html