我是用户
Posted on 2013-6-26 21:50
This post was last edited by 我是用户 on 2013-7-4 00:59
[Software name]: VB crack3
[Author's e-mail]: 2714608453@qq.com
[Download]: see attachment
[Software language]: VB
[Tools used]: OD
[Platform]: XP SP2
[Author's note]: Just out of interest, no other purpose. Please point out any mistakes I have made!
Today brings the third round; in the fourth I will raise the difficulty, though it should still not be hard for you to handle.
This Crack3 is also simple; read my commented code carefully and finding the correct registration code is not difficult.
1. Check for a packer.
Same as before, it is written in VB.
2. Tracing the code
Open today's Crack3.
See figure 1:
Enter fake code 1: 123456
Enter fake code 2: 456789
Enter fake code 3: 789012
Click Register: no response.
See figure 2:
What should we do now? We can reason like this: since a failed registration gives no response, would a successful one show a dialog box, and would that dialog contain a prompt string such as "Success" or "You Get it"?
Good, so we right-click and search for strings, and sure enough we find the string "Good Boy".
See figure 3:
Right-click Follow to reach the code.
See figure 4:
Drag the code upward to find the function entry and set a breakpoint with F2.
See figure 5:
Detailed analysis follows:
004027C0 > \55 push ebp
004027C1 . 8BEC mov ebp,esp
004027C3 . 83EC 0C sub esp,0xC
004027C6 . 68 26114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; install SE handler
004027CB . 64:A1 0000000>mov eax,dword ptr fs:[0]
004027D1 . 50 push eax
004027D2 . 64:8925 00000>mov dword ptr fs:[0],esp
004027D9 . 83EC 68 sub esp,0x68
004027DC . 53 push ebx
004027DD . 56 push esi
004027DE . 57 push edi
004027DF . 8965 F4 mov dword ptr ss:[ebp-0xC],esp
004027E2 . C745 F8 10114>mov dword ptr ss:[ebp-0x8],Crackme.00401>
004027E9 . 33DB xor ebx,ebx
004027EB . 895D FC mov dword ptr ss:[ebp-0x4],ebx
004027EE . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
004027F1 . 8B08 mov ecx,dword ptr ds:[eax]
004027F3 . 50 push eax
004027F4 . FF51 04 call dword ptr ds:[ecx+0x4]
004027F7 . A1 10304000 mov eax,dword ptr ds:[0x403010]
004027FC . 3BC3 cmp eax,ebx
004027FE . 895D E8 mov dword ptr ss:[ebp-0x18],ebx
00402801 . 895D E4 mov dword ptr ss:[ebp-0x1C],ebx
00402804 . 895D E0 mov dword ptr ss:[ebp-0x20],ebx
00402807 . 895D DC mov dword ptr ss:[ebp-0x24],ebx
0040280A . 895D D8 mov dword ptr ss:[ebp-0x28],ebx
0040280D . 895D D4 mov dword ptr ss:[ebp-0x2C],ebx
00402810 . 895D D0 mov dword ptr ss:[ebp-0x30],ebx
00402813 . 895D CC mov dword ptr ss:[ebp-0x34],ebx
00402816 . 895D C8 mov dword ptr ss:[ebp-0x38],ebx
00402819 . 895D C4 mov dword ptr ss:[ebp-0x3C],ebx
0040281C . 895D B4 mov dword ptr ss:[ebp-0x4C],ebx
0040281F . 895D A4 mov dword ptr ss:[ebp-0x5C],ebx
00402822 . 75 15 jnz short Crackme.00402839
00402824 . 68 10304000 push Crackme.00403010
00402829 . 68 DC184000 push Crackme.004018DC
0040282E . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00402834 . A1 10304000 mov eax,dword ptr ds:[0x403010]
00402839 > 8B10 mov edx,dword ptr ds:[eax]
0040283B . 50 push eax
0040283C . FF92 08030000 call dword ptr ds:[edx+0x308] ; MSVBVM60.73494270
00402842 . 8B3D 38104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
00402848 . 50 push eax
00402849 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
0040284C . 50 push eax
0040284D . FFD7 call edi ; <&MSVBVM60.__vbaObjSet>
0040284F . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
00402852 . 8BF0 mov esi,eax
00402854 . 8B0E mov ecx,dword ptr ds:[esi] ; Crackme.00403400
00402856 . 52 push edx ; Crackme.00403400
00402857 . 56 push esi
00402858 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; get fake code 3
0040285E . DBE2 fclex
00402860 . 3BC3 cmp eax,ebx
00402862 . 7D 12 jge short Crackme.00402876
00402864 . 68 A0000000 push 0xA0
00402869 . 68 BC214000 push Crackme.004021BC
0040286E . 56 push esi
0040286F . 50 push eax
00402870 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402876 > 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
00402879 . 8B35 A8104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
0040287F . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00402882 . 895D D0 mov dword ptr ss:[ebp-0x30],ebx
00402885 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00402887 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
0040288A . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402890 . A1 10304000 mov eax,dword ptr ds:[0x403010]
00402895 . 3BC3 cmp eax,ebx
00402897 . 75 15 jnz short Crackme.004028AE
00402899 . 68 10304000 push Crackme.00403010
0040289E . 68 DC184000 push Crackme.004018DC
004028A3 . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
004028A9 . A1 10304000 mov eax,dword ptr ds:[0x403010]
004028AE > 8B08 mov ecx,dword ptr ds:[eax]
004028B0 . 50 push eax
004028B1 . FF91 FC020000 call dword ptr ds:[ecx+0x2FC]
004028B7 . 50 push eax
004028B8 . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004028BB . 52 push edx ; Crackme.00403400
004028BC . FFD7 call edi
004028BE . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004028C1 . 8BF8 mov edi,eax
004028C3 . 8B07 mov eax,dword ptr ds:[edi]
004028C5 . 51 push ecx
004028C6 . 57 push edi
004028C7 . FF90 A0000000 call dword ptr ds:[eax+0xA0]
004028CD . DBE2 fclex
004028CF . 3BC3 cmp eax,ebx
004028D1 . 7D 12 jge short Crackme.004028E5
004028D3 . 68 A0000000 push 0xA0
004028D8 . 68 BC214000 push Crackme.004021BC
004028DD . 57 push edi
004028DE . 50 push eax
004028DF . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004028E5 > 8B55 D0 mov edx,dword ptr ss:[ebp-0x30] ; get code 1
004028E8 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004028EB . 895D D0 mov dword ptr ss:[ebp-0x30],ebx
004028EE . FFD6 call esi
004028F0 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004028F3 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004028F9 . A1 10304000 mov eax,dword ptr ds:[0x403010]
004028FE . 3BC3 cmp eax,ebx
00402900 . 75 15 jnz short Crackme.00402917
00402902 . 68 10304000 push Crackme.00403010
00402907 . 68 DC184000 push Crackme.004018DC
0040290C . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00402912 . A1 10304000 mov eax,dword ptr ds:[0x403010]
00402917 > 8B10 mov edx,dword ptr ds:[eax]
00402919 . 50 push eax
0040291A . FF92 04030000 call dword ptr ds:[edx+0x304] ; MSVBVM60.73494268
00402920 . 50 push eax
00402921 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00402924 . 50 push eax
00402925 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040292B . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
0040292E . 8BF8 mov edi,eax
00402930 . 8B0F mov ecx,dword ptr ds:[edi]
00402932 . 52 push edx ; Crackme.00403400
00402933 . 57 push edi
00402934 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; get fake code 2
0040293A . DBE2 fclex
0040293C . 3BC3 cmp eax,ebx
0040293E . 7D 12 jge short Crackme.00402952
00402940 . 68 A0000000 push 0xA0
00402945 . 68 BC214000 push Crackme.004021BC
0040294A . 57 push edi
0040294B . 50 push eax
0040294C . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402952 > 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
00402955 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00402958 . 895D D0 mov dword ptr ss:[ebp-0x30],ebx
0040295B . FFD6 call esi
0040295D . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00402960 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402966 . 6A 03 push 0x3
00402968 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
0040296B . 51 push ecx
0040296C . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
0040296F . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00402972 . 52 push edx ; Crackme.00403400
00402973 . 8945 AC mov dword ptr ss:[ebp-0x54],eax
00402976 . C745 A4 08400>mov dword ptr ss:[ebp-0x5C],0x4008
0040297D . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.#rtcLeftCh>; take the first three characters of fake code 2, from the left
00402983 . 8B3D 10104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarMove
00402989 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
0040298C . 50 push eax
0040298D . FFD7 call edi ; <&MSVBVM60.__vbaStrVarMove>
0040298F . 8BD0 mov edx,eax
00402991 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00402994 . FFD6 call esi
00402996 . 8B1D 0C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar
0040299C . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040299F . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVar>
004029A1 . 6A 03 push 0x3
004029A3 . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004029A6 . 52 push edx ; Crackme.00403400
004029A7 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004029AA . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004029AD . 50 push eax
004029AE . 894D AC mov dword ptr ss:[ebp-0x54],ecx
004029B1 . C745 A4 08400>mov dword ptr ss:[ebp-0x5C],0x4008
004029B8 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#rtcRightC>; take the last three characters of fake code 1, from the right (call it Str1)
004029BE . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004029C1 . 51 push ecx
004029C2 . FFD7 call edi
004029C4 . 8BD0 mov edx,eax
004029C6 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004029C9 . FFD6 call esi
004029CB . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004029CE . FFD3 call ebx
004029D0 . 8B55 D4 mov edx,dword ptr ss:[ebp-0x2C]
004029D3 . 8B3D 28104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCat
004029D9 . 68 D0214000 push Crackme.004021D0 ; SCT-
004029DE . 52 push edx ; /String = "\l9s(l9s?sXS?s,朎s烢s獰Es?@"
004029DF . FFD7 call edi ; \__vbaStrCat
004029E1 . 8BD0 mov edx,eax ; concatenate "SCT-" with Str1
004029E3 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004029E6 . FFD6 call esi
004029E8 . 50 push eax
004029E9 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
004029EC . 50 push eax ; /String = NULL
004029ED . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
004029F3 . 50 push eax ; take the length of fake code 1
004029F4 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
004029FA . 8BD0 mov edx,eax
004029FC . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
004029FF . FFD6 call esi
00402A01 . 50 push eax
00402A02 . FFD7 call edi
00402A04 . 8BD0 mov edx,eax ; then concatenate with the length of fake code 1
00402A06 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00402A09 . FFD6 call esi
00402A0B . 8B4D DC mov ecx,dword ptr ss:[ebp-0x24] ; GDI32.77EF76AB
00402A0E . 50 push eax
00402A0F . 51 push ecx
00402A10 . FFD7 call edi
00402A12 . 8BD0 mov edx,eax ; concatenate with 123
00402A14 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00402A17 . FFD6 call esi
00402A19 . 8D55 C8 lea edx,dword ptr ss:[ebp-0x38]
00402A1C . 52 push edx ; Crackme.00403400
00402A1D . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
00402A20 . 50 push eax
00402A21 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
00402A24 . 51 push ecx
00402A25 . 6A 03 push 0x3
00402A27 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00402A2D . 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
00402A30 . 83C4 10 add esp,0x10
00402A33 . 8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCmp
00402A39 . 52 push edx ; Crackme.00403400
00402A3A . 68 E0214000 push Crackme.004021E0 ; Shooter
00402A3F . FFD7 call edi ; <&MSVBVM60.__vbaStrCmp>
00402A41 . 85C0 test eax,eax ; fake code 3 must be Shooter
00402A43 . 0F85 34010000 jnz Crackme.00402B7D ; if not equal, jump to the failure path
00402A49 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00402A4C . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00402A4F . 50 push eax
00402A50 . 51 push ecx
00402A51 . FFD7 call edi
00402A53 . 85C0 test eax,eax ; compare SCT-4566123 with the second field
00402A55 . A1 10304000 mov eax,dword ptr ds:[0x403010]
00402A5A . 75 2D jnz short Crackme.00402A89
00402A5C . 85C0 test eax,eax
00402A5E . 75 10 jnz short Crackme.00402A70
00402A60 . 68 10304000 push Crackme.00403010
00402A65 . 68 DC184000 push Crackme.004018DC
00402A6A . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00402A70 > 8B35 10304000 mov esi,dword ptr ds:[0x403010]
00402A76 . 8B16 mov edx,dword ptr ds:[esi] ; Crackme.00403400
00402A78 . 68 F4214000 push Crackme.004021F4 ; GOOD BOY
00402A7D . 56 push esi
00402A7E . FF52 54 call dword ptr ds:[edx+0x54] ; MSVBVM60.73493D08
00402A81 . DBE2 fclex
00402A83 . 85C0 test eax,eax
00402A85 . 7D 3C jge short Crackme.00402AC3
00402A87 . EB 2B jmp short Crackme.00402AB4
00402A89 > 85C0 test eax,eax
00402A8B . 75 10 jnz short Crackme.00402A9D
00402A8D . 68 10304000 push Crackme.00403010
00402A92 . 68 DC184000 push Crackme.004018DC
00402A97 . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00402A9D > 8B35 10304000 mov esi,dword ptr ds:[0x403010]
00402AA3 . 8B06 mov eax,dword ptr ds:[esi] ; Crackme.00403400
00402AA5 . 68 0C224000 push Crackme.0040220C ; Bad BOY
00402AAA . 56 push esi
00402AAB . FF50 54 call dword ptr ds:[eax+0x54]
00402AAE . DBE2 fclex
00402AB0 . 85C0 test eax,eax
00402AB2 . 7D 0F jge short Crackme.00402AC3
00402AB4 > 6A 54 push 0x54
00402AB6 . 68 BC1D4000 push Crackme.00401DBC
00402ABB . 56 push esi
00402ABC . 50 push eax
00402ABD . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402AC3 > A1 10304000 mov eax,dword ptr ds:[0x403010]
00402AC8 . 85C0 test eax,eax
00402ACA . 75 10 jnz short Crackme.00402ADC
00402ACC . 68 10304000 push Crackme.00403010
00402AD1 . 68 DC184000 push Crackme.004018DC
00402AD6 . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
00402ADC > 8B35 10304000 mov esi,dword ptr ds:[0x403010]
00402AE2 . 8B0E mov ecx,dword ptr ds:[esi] ; Crackme.00403400
00402AE4 . 8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
00402AE7 . 52 push edx ; Crackme.00403400
00402AE8 . 56 push esi
00402AE9 . FF51 50 call dword ptr ds:[ecx+0x50]
00402AEC . DBE2 fclex
00402AEE . 85C0 test eax,eax
00402AF0 . 7D 0F jge short Crackme.00402B01
00402AF2 . 6A 50 push 0x50
00402AF4 . 68 BC1D4000 push Crackme.00401DBC
00402AF9 . 56 push esi
00402AFA . 50 push eax
00402AFB . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402B01 > 8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
00402B04 . 50 push eax
00402B05 . 68 F4214000 push Crackme.004021F4 ; GOOD BOY
00402B0A . FFD7 call edi
00402B0C . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
00402B0F . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
00402B12 . 8BF0 mov esi,eax
00402B14 . F7DE neg esi
00402B16 . 1BF6 sbb esi,esi
00402B18 . 51 push ecx
00402B19 . 46 inc esi
00402B1A . 52 push edx ; Crackme.00403400
00402B1B . F7DE neg esi
00402B1D . FFD7 call edi
Tracing the codes:
00402A3F . FFD7 call edi ; break here: the value of real code 3 must be Shooter
00402A51 . FFD7 call edi ; break here to read the value of real code 2 (it is computed from fake code 1)
Registration succeeds, see figure 6:
3. Algorithm analysis
Real code 3 must be Shooter
Real code 2 = F(fake code 1): with fake code 1 = 123456, real code = "SCT-" + "456" (last three characters) + (length of fake code) + "123" (first three characters)
Homework: register successfully with your own ID; the first three get bonus points.
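To make the trace above easier to verify, here is a Python model of the registration check as reconstructed from the listing. This is an added example, not code from the original post or from the crackme's author; the function names (vb_left, vb_right, expected_code2, check_registration) are my own, and the model assumes that __vbaStrCmp performs a case-sensitive binary comparison and that __vbaStrI4 renders the length as a plain decimal string, which is what the trace with 123456 -> SCT-4566123 shows.

```python
"""Model of the Crack3 registration check reconstructed from the disassembly.

The VB code behind the listing amounts to:
    If txt3 = "Shooter" And txt2 = "SCT-" & Right(txt1, 3) & Len(txt1) & Left(txt1, 3) Then
        Caption = "GOOD BOY"
    Else
        Caption = "Bad BOY"
"""


def vb_left(s: str, n: int) -> str:
    """VB Left(s, n): the first n characters, or the whole string if it is shorter (rtcLeftCharBstr)."""
    return s[:n]


def vb_right(s: str, n: int) -> str:
    """VB Right(s, n): the last n characters, or the whole string if it is shorter (rtcRightCharBstr)."""
    if n <= 0:
        return ""
    return s[-n:]


def expected_code2(code1: str) -> str:
    """Rebuild the value the program compares against field 2.

    Mirrors the call sequence in the listing: rtcRightCharBstr(code1, 3) is
    concatenated onto the literal "SCT-", then __vbaLenBstr/__vbaStrI4 append
    the decimal length, then rtcLeftCharBstr(code1, 3) is appended last.
    """
    return "SCT-" + vb_right(code1, 3) + str(len(code1)) + vb_left(code1, 3)


def check_registration(code1: str, code2: str, code3: str) -> bool:
    """Return True when the program would show GOOD BOY, False for Bad BOY."""
    # __vbaStrCmp at 00402A3F: field 3 must equal the literal "Shooter" (binary compare, case matters).
    if code3 != "Shooter":
        return False
    # __vbaStrCmp at 00402A51: field 2 must equal the string built from field 1.
    return code2 == expected_code2(code1)


if __name__ == "__main__":
    # Constructed inputs: the fake codes typed in during the trace, then the derived pair.
    print(check_registration("123456", "456789", "789012"))        # False, as in figure 2
    print(expected_code2("123456"))                                 # SCT-4566123, as in the comment at 00402A53
    print(check_registration("123456", "SCT-4566123", "Shooter"))  # True, as in figure 6
```

Because the expected value is a pure function of field 1 built from string operations visible in the import table (rtcLeftCharBstr, rtcRightCharBstr, __vbaLenBstr, __vbaStrCat), the whole check can be reconstructed from a single pass over the listing; that is the weakness the tutorial is illustrating.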
Portal ==============================================================================
Crack Practical Tutorial Series - VB Series, Lesson 1
http://www.52pojie.cn/thread-200996-1-1.html
Crack Practical Tutorial Series - VB Series, Lesson 2
http://www.52pojie.cn/thread-201358-1-1.html
Crack Practical Tutorial Series - VB Series, Lesson 3
http://www.52pojie.cn/thread-201748-1-1.html
Crack Practical Tutorial Series - VB Series, Lesson 4
http://www.52pojie.cn/thread-202544-1-1.html
Crack Practical Tutorial Series - VB Series, Lesson 5
http://www.52pojie.cn/thread-202545-1-1.html