这个毕业考核的CrackME最后一关过不去
放上来,希望大家做做,说说为什么?
00404A74 FF15 4C104000 CALL DWORD PTR DS:[<&msvbvm60.rtcInputB>; msvbvm60.rtcInputBox
00404A7A 8BD0 MOV EDX,EAX ;取注册名
00404A7C 8D4D E0 LEA ECX,DWORD PTR SS:
00404A7F FF15 08114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrM>; msvbvm60.__vbaStrMove
00404A85 8BD0 MOV EDX,EAX
00404A87 8BCF MOV ECX,EDI
00404A89 FFD6 CALL ESI
00404A8B 8D4D E0 LEA ECX,DWORD PTR SS:
00404A8E FF15 1C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFree>; msvbvm60.__vbaFreeStr
00404A94 8D85 68FFFFFF LEA EAX,DWORD PTR SS: ; 可能是算法 dex=20 10进制是32
00404A9A 50 PUSH EAX
00404A9B 8D8D 78FFFFFF LEA ECX,DWORD PTR SS:
00404AA1 51 PUSH ECX
00404AA2 8D55 88 LEA EDX,DWORD PTR SS:
00404AA5 52 PUSH EDX
00404AA6 8D45 98 LEA EAX,DWORD PTR SS:
00404AA9 50 PUSH EAX
00404AAA 8D4D A8 LEA ECX,DWORD PTR SS:
00404AAD 51 PUSH ECX
00404AAE 8D55 B8 LEA EDX,DWORD PTR SS:
00404AB1 52 PUSH EDX
00404AB2 6A 06 PUSH 0x6
00404AB4 FF15 18104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFree>; msvbvm60.__vbaFreeVarList
00404ABA 83C4 1C ADD ESP,0x1C
00404ABD 8B07 MOV EAX,DWORD PTR DS:
00404ABF 50 PUSH EAX
00404AC0 68 202E4000 PUSH PYG_dump.00402E20
00404AC5 FF15 74104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrC>; msvbvm60.__vbaStrCmp
00404ACB 85C0 TEST EAX,EAX
00404ACD 75 0B JNZ SHORT PYG_dump.00404ADA ; 关键点!必须实现
00404ACF FF15 1C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaEnd>>; msvbvm60.__vbaEnd
00404AD5 E9 56020000 JMP PYG_dump.00404D30 ; 前往退出 进程
00404ADA 8B0F MOV ECX,DWORD PTR DS:
00404ADC 51 PUSH ECX
00404ADD FF15 D0104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8St>; 得修改 不然不合法
00404AE3 833D 00604000 00 CMP DWORD PTR DS:,0x0
00404AEA 75 08 JNZ SHORT PYG_dump.00404AF4 ; 得实现
00404AEC DC35 78114000 FDIV QWORD PTR DS:
00404AF2 EB 11 JMP SHORT PYG_dump.00404B05 ; 不详
00404AF4 FF35 7C114000 PUSH DWORD PTR DS:
00404AFA FF35 78114000 PUSH DWORD PTR DS:
00404B00 E8 EFC6FFFF CALL <JMP.&msvbvm60._adj_fdiv_m64>
00404B05 DFE0 FSTSW AX
00404B07 A8 0D TEST AL,0xD
00404B09 0F85 DF030000 JNZ PYG_dump.00404EEE ; 前往异常
00404B0F FF15 5C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFpR8>; msvbvm60.__vbaFpR8
00404B15 DD9D A0FBFFFF FSTP QWORD PTR SS:
00404B1B 68 00001C40 PUSH 0x401C0000
00404B20 53 PUSH EBX
00404B21 68 00002440 PUSH 0x40240000
00404B26 53 PUSH EBX
00404B27 FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404B2D DC0D 70114000 FMUL QWORD PTR DS:
00404B33 DFE0 FSTSW AX
00404B35 A8 0D TEST AL,0xD
00404B37 0F85 B1030000 JNZ PYG_dump.00404EEE ; 前往异常
00404B3D DD9D 98FBFFFF FSTP QWORD PTR SS:
00404B43 68 00002040 PUSH 0x40200000
00404B48 53 PUSH EBX
00404B49 68 00002440 PUSH 0x40240000
00404B4E 53 PUSH EBX
00404B4F FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404B55 DC85 98FBFFFF FADD QWORD PTR SS:
00404B5B DFE0 FSTSW AX
00404B5D A8 0D TEST AL,0xD
00404B5F 0F85 89030000 JNZ PYG_dump.00404EEE ; 前往异常
00404B65 DD9D 90FBFFFF FSTP QWORD PTR SS:
00404B6B 68 00001840 PUSH 0x40180000
00404B70 53 PUSH EBX
00404B71 68 00002440 PUSH 0x40240000
00404B76 53 PUSH EBX
00404B77 FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404B7D DC0D 70114000 FMUL QWORD PTR DS:
00404B83 DC85 90FBFFFF FADD QWORD PTR SS:
00404B89 DFE0 FSTSW AX
00404B8B A8 0D TEST AL,0xD
00404B8D 0F85 5B030000 JNZ PYG_dump.00404EEE ; 前往异常
00404B93 DD9D 88FBFFFF FSTP QWORD PTR SS:
00404B99 68 00001440 PUSH 0x40140000
00404B9E 53 PUSH EBX
00404B9F 68 00002440 PUSH 0x40240000
00404BA4 53 PUSH EBX
00404BA5 FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404BAB DC0D 68114000 FMUL QWORD PTR DS:
00404BB1 DC85 88FBFFFF FADD QWORD PTR SS:
00404BB7 DFE0 FSTSW AX
00404BB9 A8 0D TEST AL,0xD
00404BBB 0F85 2D030000 JNZ PYG_dump.00404EEE ; 前往异常
00404BC1 DD9D 80FBFFFF FSTP QWORD PTR SS:
00404BC7 68 00001040 PUSH 0x40100000
00404BCC 53 PUSH EBX
00404BCD 68 00002440 PUSH 0x40240000
00404BD2 53 PUSH EBX
00404BD3 FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404BD9 DC0D 60114000 FMUL QWORD PTR DS:
00404BDF DC85 80FBFFFF FADD QWORD PTR SS:
00404BE5 DFE0 FSTSW AX
00404BE7 A8 0D TEST AL,0xD
00404BE9 0F85 FF020000 JNZ PYG_dump.00404EEE ; 前往异常
00404BEF DD9D 78FBFFFF FSTP QWORD PTR SS:
00404BF5 68 00000840 PUSH 0x40080000
00404BFA 53 PUSH EBX
00404BFB 68 00002440 PUSH 0x40240000
00404C00 53 PUSH EBX
00404C01 FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404C07 DC0D 70114000 FMUL QWORD PTR DS:
00404C0D DC85 78FBFFFF FADD QWORD PTR SS:
00404C13 DFE0 FSTSW AX
00404C15 A8 0D TEST AL,0xD
00404C17 0F85 D1020000 JNZ PYG_dump.00404EEE ; 前往异常
00404C1D DD9D 70FBFFFF FSTP QWORD PTR SS:
00404C23 68 00000040 PUSH 0x40000000
00404C28 53 PUSH EBX
00404C29 68 00002440 PUSH 0x40240000
00404C2E 53 PUSH EBX
00404C2F FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404C35 DC0D 68114000 FMUL QWORD PTR DS:
00404C3B DC85 70FBFFFF FADD QWORD PTR SS:
00404C41 DFE0 FSTSW AX
00404C43 A8 0D TEST AL,0xD
00404C45 0F85 A3020000 JNZ PYG_dump.00404EEE ; 前往异常
00404C4B DD9D 68FBFFFF FSTP QWORD PTR SS:
00404C51 68 0000F03F PUSH 0x3FF00000
00404C56 53 PUSH EBX
00404C57 68 00002440 PUSH 0x40240000
00404C5C 53 PUSH EBX
00404C5D FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404C63 DC0D 68114000 FMUL QWORD PTR DS:
00404C69 DC85 68FBFFFF FADD QWORD PTR SS:
00404C6F DFE0 FSTSW AX
00404C71 A8 0D TEST AL,0xD
00404C73 0F85 75020000 JNZ PYG_dump.00404EEE ; 前往异常
00404C79 DD9D 60FBFFFF FSTP QWORD PTR SS:
00404C7F 53 PUSH EBX
00404C80 53 PUSH EBX
00404C81 68 00002440 PUSH 0x40240000
00404C86 53 PUSH EBX
00404C87 FF15 EC104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPowe>; msvbvm60.__vbaPowerR8
00404C8D DC0D 68114000 FMUL QWORD PTR DS:
00404C93 DC85 60FBFFFF FADD QWORD PTR SS:
00404C99 DFE0 FSTSW AX
00404C9B A8 0D TEST AL,0xD
00404C9D 0F85 4B020000 JNZ PYG_dump.00404EEE ; 前往异常~~~~~
00404CA3 FF15 5C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFpR8>; msvbvm60.__vbaFpR8
00404CA9 DC9D A0FBFFFF FCOMP QWORD PTR SS:
00404CAF DFE0 FSTSW AX
00404CB1 F6C4 40 TEST AH,0x40
00404CB4 75 7A JNZ SHORT PYG_dump.00404D30 ; 退出进程
00404CB6 FF15 1C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaEnd>>; msvbvm60.__vbaEnd
00404CBC EB 72 JMP SHORT PYG_dump.00404D30
00404CBE B9 04000280 MOV ECX,0x80020004
00404CC3 894D 90 MOV DWORD PTR SS:,ECX
00404CC6 B8 0A000000 MOV EAX,0xA
00404CCB 8945 88 MOV DWORD PTR SS:,EAX
00404CCE 894D A0 MOV DWORD PTR SS:,ECX
00404CD1 8945 98 MOV DWORD PTR SS:,EAX
00404CD4 894D B0 MOV DWORD PTR SS:,ECX
00404CD7 8945 A8 MOV DWORD PTR SS:,EAX
00404CDA C785 A0FCFFFF 28>MOV DWORD PTR SS:,PYG_dump.0>; 您的输入不合法!
00404CE4 C785 98FCFFFF 08>MOV DWORD PTR SS:,0x8
00404CEE 8D95 98FCFFFF LEA EDX,DWORD PTR SS:
00404CF4 8D4D B8 LEA ECX,DWORD PTR SS:
00404CF7 FF15 00114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarD>; msvbvm60.__vbaVarDup
00404CFD 8D55 88 LEA EDX,DWORD PTR SS:
00404D00 52 PUSH EDX
00404D01 8D45 98 LEA EAX,DWORD PTR SS:
00404D04 50 PUSH EAX
00404D05 8D4D A8 LEA ECX,DWORD PTR SS:
00404D08 51 PUSH ECX
00404D09 6A 00 PUSH 0x0
00404D0B 8D55 B8 LEA EDX,DWORD PTR SS:
00404D0E 52 PUSH EDX
00404D0F FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.rtcMsgBox>; 这可能是正确的
00404D15 8D45 88 LEA EAX,DWORD PTR SS:
00404D18 50 PUSH EAX
00404D19 8D4D 98 LEA ECX,DWORD PTR SS:
00404D1C 51 PUSH ECX
00404D1D 8D55 A8 LEA EDX,DWORD PTR SS:
00404D20 52 PUSH EDX
00404D21 8D45 B8 LEA EAX,DWORD PTR SS:
00404D24 50 PUSH EAX
00404D25 6A 04 PUSH 0x4
00404D27 FF15 18104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFree>; msvbvm60.__vbaFreeVarList
00404D2D 83C4 14 ADD ESP,0x14
00404D30 FF15 3C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaExit>; msvbvm60.__vbaExitProc
00404D0F FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.rtcMsgBox>; 这可能是正确的
菜鸟表示只能到这里了。其它的不会了。
https://www.chinapyg.com/thread-135109-1-1.html
之前有人放过题解 chenrunlin1 发表于 2019-12-20 10:36
https://www.chinapyg.com/thread-135109-1-1.html
之前有人放过题解
@chenrunlin1
不对,你这个是二期
我要的是一期 本帖最后由 solly 于 2019-12-22 00:06 编辑
1. Patch:
E:\Downloads\crack\000\PYG>fc /b PYG_dump_.exe PYG_dump_patched.exe
正在比较文件 PYG_dump_.exe 和 PYG_DUMP_PATCHED.EXE
00003EC1: 0F 90
00003EC2: 8E E9
000045EA: FF 83
000045EB: 15 C4
000045EC: 48 14
000045ED: 10 90
000045EE: 40 90
000045EF: 00 90
000048DF: 7E EB
2. Key Generator:
#include <iostream>
#include <math.h>
#include <stdio.h>
#include <string.h>
// Returns the fixed value that main() prints as "Test PassWd".
long getPassWd();
// Derives the serial number (SN) from a NUL-terminated registration name.
long getSN(char * name);
// Prints the four-part " ADV: a-b-c-d" line for a registration name; always returns 0.
long getAdv(char * name);
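// Demo driver: prints the fixed test password, then the SN and ADV values
// derived from the hard-coded registration name below.
int main(int argc, char** argv) {
    (void)argc;  // command-line arguments are not used
    (void)argv;

    long passwd = getPassWd();
    // %lu requires an unsigned long argument. Truncate to 32 bits first (as the
    // original cast did) and then widen, so the printed digits stay the same
    // whether long is 32 or 64 bits wide.
    printf("Test PassWd: %lu\n\n", (unsigned long)(unsigned)passwd);

    char name[] = "solly";//// modify here
    long sn = getSN(name);
    printf("Name: %s\n", name);
    printf("SN: %lu\n", (unsigned long)(unsigned)sn);
    ///
    getAdv(name);
    return 0;
}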
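// Builds the fixed test password 3401441982 (= 188968999 * 18).
//
// The base 188968999 is assembled from its decimal digits, i.e. the same
// coefficients the original expression attached to 10^8 .. 10^0
// (1, 8, 8, 9, 6, 8, 9, 9, 9). Integer arithmetic replaces pow() so no
// floating-point rounding can affect the result, and the product is formed in
// unsigned arithmetic because 3401441982 exceeds the range of a 32-bit signed
// long (signed overflow would be undefined behavior).
//
// Returns the password as a long. Where long is 32 bits wide the value comes
// back negative (implementation-defined conversion); print it through an
// unsigned cast to see 3401441982.
long getPassWd() {
    static const unsigned digits[] = { 1, 8, 8, 9, 6, 8, 9, 9, 9 };
    unsigned long base = 0;

    //// 188968999
    for (unsigned k = 0; k < sizeof digits / sizeof digits[0]; k++) {
        base = base * 10 + digits[k];
    }

    //// 3401441982
    unsigned long passwd = base * 18;//// 188968999 * 18
    return (long)passwd;
}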
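// Computes the serial number for a registration name:
//   SN = (sum_of_name_bytes * 13456 + 171700) XOR 886
// where 171700 is the sum of the first 100 triangular numbers, produced by the
// second loop below.
//
// name: NUL-terminated registration name (must not be NULL).
// Returns the serial as a long; main() prints it through an unsigned cast.
//
// NOTE(review): the posted listing reads `(long)name` inside the first loop,
// which would add the pointer value instead of a character; the subscript
// appears to have been lost in the forum rendering, and name[i] is what the
// loop over i implies.
// NOTE(review): bytes >= 0x80 are sign-extended where char is signed; whether
// the target program treats them the same way is not shown here - TODO confirm.
long getSN(char * name) {
    size_t n = strlen(name);

    long sum1 = 0;
    for (size_t i = 0; i < n; i++) {
        sum1 += (long)name[i];
    }
    sum1 *= 13456; //// 0x3490

    long sum2 = 0; // running triangular number 1 + 2 + ... + i
    long sum3 = 0; // running sum of those triangular numbers
    for (int i = 1; i < 101; i++) {
        sum2 += i;
        sum3 += sum2;
    }

    long sn = (sum1 + sum3) ^ 886; //// 0x0376
    return sn;
}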
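//// Multipliers used only by getAdv() below.
const long c1 = 9717;
const long c2 = 41;
const long c3 = 123;
const long c4 = 6613;

// Prints the four-part " ADV: r1-r2-r3-r4" line for a registration name.
//
// All four values are built from the character at index LBound (the first
// character) and from UBound (the index of the last character):
//   r1 = UBound * c1 + first * c2
//   r2 = first * c1 * c3
//   r3 = UBound * first * c4
//   r4 = r3 + c1
//
// name: NUL-terminated registration name (must not be NULL). For an empty
//       name UBound is -1 and first is 0, so the output is not meaningful.
// Always returns 0.
//
// NOTE(review): the posted listing reads `(int)name` / `(long)name` with no
// subscript; name[LBound] is reconstructed. It reproduces the sample values
// in the trailing comments for the name "solly".
long getAdv(char * name) {
    size_t n = strlen(name);
    long LBound = 0;
    long UBound = (long)n - 1;
    long first = (long)name[LBound];

    long r1 = UBound * c1 + first * c2;//// 0xAA3F
    long r2 = first * c1 * c3; //// 0x08314635
    long r3 = UBound * first * c4; //// 0x002E6ABC
    long r4 = r3 + c1; //// 0x002E90B1

    // %lu expects unsigned long, so convert explicitly.
    printf(" ADV: %lu-%lu-%lu-%lu\n",
           (unsigned long)r1, (unsigned long)r2,
           (unsigned long)r3, (unsigned long)r4);
    return 0;
}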
本帖最后由 solly 于 2019-12-27 00:20 编辑
冥界3大法王 发表于 2019-12-20 12:09
@chenrunlin1
不对,你这个是二期
我要的是一期
你发的附件不是第一期的吧?
显示第二期。
你发的代码只是生成这个考试密码的,还没有进入追码阶段。