Crack实战系列教程-《VB系列-第二课》
本帖最后由 我是用户 于 2013-7-4 00:59 编辑
【软件名称】: VB crack2
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见附件
【软件语言】: VB
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
由于第一课有些人不懂如何下断点,所以这课的操作会尽量详细.
1.查壳
VB的,这个我们不用多说了,还会有三篇教程是用VB语言的Crack.
2.分析
打开VBCrack2.
如图1:
输入注册名"我是用户"和假码"1234567890",单击Check Serial。弹出错误提示。
如图2:
有错误提示字符串,"bad",我们右键搜索字符串。
如图3:
右键跟随,返回到代码窗口。
如图4:
具体代码如下:
;-----------------------------------------------------------------------
; KeygenMe "Check Serial" click handler (VB6 native code), OllyDbg view.
; Calling convention as seen here: one stack argument at [ebp+8],
; callee cleans it up (retn 0x4). Returns eax = 0.
;
; NOTE: the forum extraction dropped the bracketed memory operands after
; "fs:", "ss:" and "ds:". Every [ebp-xx] / [reg+xx] operand quoted in the
; comments below was decoded from the opcode bytes printed on that line.
;
; Layout of the routine:
;   1. VB6 SEH prologue: link a runtime exception record into fs:[0]
;   2. obtain two objects through vtable calls on the object in esi and
;      read one string from each into [ebp-14] and [ebp-18]
;   3. __vbaStrCmp on the two strings, result folded into a VB Boolean
;   4. prepare MsgBox VARIANT arguments; one je selects "Good" or "bad"
;   5. free temporaries, unlink the SEH record, retn 0x4
;
; Design weakness (why the page's patch and breakpoint both work): the
; expected serial exists as a plain string next to the entered one, and
; the whole verdict is a single conditional jump after a plaintext
; compare. A check that never materialises the expected value (compare a
; one-way transform instead) and that is not decided in one place is the
; usual mitigation.
;-----------------------------------------------------------------------
00404740 > \55 push ebp ;standard frame
00404741 .8BEC mov ebp,esp
00404743 .83EC 08 sub esp,0x8 ;room for [ebp-8] and [ebp-4]
00404746 .68 36114000 push <jmp.&MSVBVM60.__vbaExceptHandler>;SEH handler install (VB runtime handler) -> [ebp-C]
0040474B .64:A1 0000000>mov eax,dword ptr fs: ;eax = fs:[0], previous SEH record
00404751 .50 push eax ;saved at [ebp-10]; restored at 0040492A
00404752 .64:8925 00000>mov dword ptr fs:,esp ;fs:[0] = esp: our record is now head of the chain
00404759 .81EC A8000000 sub esp,0xA8 ;locals: 2 strings, 2 objects, 5 VARIANTs
00404760 .53 push ebx ;callee-saved registers
00404760 .56 push esi
00404761 .57 push edi ;ntdll.7C930228
00404762 .8965 F8 mov dword ptr ss:,esp ;[ebp-8] = esp (VB runtime frame bookkeeping)
00404765 .C745 FC 18114>mov dword ptr ss:,KeygenMe.0040>;[ebp-4] = 00401118 (runtime frame info; value truncated in the listing)
0040476C .8B75 08 mov esi,dword ptr ss: ;KeygenMe.<ModuleEntryPoint> ; esi = [ebp+8], the object this handler runs on (OllyDbg's label is a guess, not a symbol)
0040476F .33FF xor edi,edi ;ntdll.7C930228 ; edi = 0, used as the zero constant below
00404771 .56 push esi ;arg for the vtable call at 0040478F
00404772 .897D EC mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-14] = 0 (string #1)
00404775 .8B06 mov eax,dword ptr ds: ;eax = vtable of the object in esi
00404777 .897D E8 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-18] = 0 (string #2)
0040477A .897D E4 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-1C] = 0 (object #1)
0040477D .897D E0 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-20] = 0 (object #2)
00404780 .897D D0 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-30] = 0 (VARIANT: MsgBox prompt)
00404783 .897D C0 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-40] = 0 (VARIANT)
00404786 .897D B0 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-50] = 0 (VARIANT)
00404789 .897D A0 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-60] = 0 (VARIANT)
0040478C .897D 90 mov dword ptr ss:,edi ;ntdll.7C930228 ; [ebp-70] = 0 (VARIANT used as __vbaVarDup source)
0040478F .FF90 04030000 call dword ptr ds: ;call [eax+304](esi): vtable method returning object #1 (presumably a control accessor)
00404795 .8D4D E4 lea ecx,dword ptr ss: ;ecx = &[ebp-1C]
00404798 .50 push eax
00404799 .51 push ecx
0040479A .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet ; store object #1 in [ebp-1C]; also returned in eax
004047A0 .8BD8 mov ebx,eax ;ebx = object #1
004047A2 .8D45 EC lea eax,dword ptr ss: ;eax = &[ebp-14], receives string #1
004047A5 .50 push eax
004047A6 .53 push ebx
004047A7 .8B13 mov edx,dword ptr ds: ;edx = vtable of object #1
004047A9 .FF92 A0000000 call dword ptr ds: ;call [edx+A0](ebx, &[ebp-14]): property read into string #1; eax = HRESULT
004047AF .3BC7 cmp eax,edi ;ntdll.7C930228 ; HRESULT < 0 ?
004047B1 .DBE2 fclex ;clear pending FPU exceptions (VB runtime habit after COM calls)
004047B3 .7D 12 jge short KeygenMe.004047C7 ;success: skip the error raise
004047B5 .68 A0000000 push 0xA0 ;vtable offset of the failed call
004047BA .68 A01D4000 push KeygenMe.00401DA0
004047BF .53 push ebx
004047C0 .50 push eax
004047C1 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj ; raise VB error for the failed HRESULT
004047C7 >8B0E mov ecx,dword ptr ds: ;ecx = vtable of the object in esi
004047C9 .56 push esi
004047CA .FF91 0C030000 call dword ptr ds: ;call [ecx+30C](esi): vtable method returning object #2
004047D0 .8D55 E0 lea edx,dword ptr ss: ;edx = &[ebp-20]
004047D3 .50 push eax
004047D4 .52 push edx ;ntdll.KiFastSystemCallRet
004047D5 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet ; store object #2 in [ebp-20]
004047DB .8BF0 mov esi,eax ;esi = object #2 (the original [ebp+8] object is no longer in a register)
004047DD .8D4D E8 lea ecx,dword ptr ss: ;ecx = &[ebp-18], receives string #2
004047E0 .51 push ecx
004047E1 .56 push esi
004047E2 .8B06 mov eax,dword ptr ds: ;eax = vtable of object #2
004047E4 .FF50 50 call dword ptr ds: ;call [eax+50](esi, &[ebp-18]): read into string #2; eax = HRESULT
004047E7 .3BC7 cmp eax,edi ;ntdll.7C930228 ; HRESULT < 0 ?
004047E9 .DBE2 fclex
004047EB .7D 0F jge short KeygenMe.004047FC ;success: skip the error raise
004047ED .6A 50 push 0x50 ;vtable offset of the failed call
004047EF .68 B01D4000 push KeygenMe.00401DB0
004047F4 .56 push esi
004047F5 .50 push eax
004047F6 .FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj ; raise VB error for the failed HRESULT
004047FC >8B55 EC mov edx,dword ptr ss: ;edx = [ebp-14]: the fake (entered) serial, per the author
004047FF .8B45 E8 mov eax,dword ptr ss: ;eax = [ebp-18]
00404802 .52 push edx ;fake serial
00404803 .50 push eax ;real serial (the value the program computed)
00404804 .FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>;compare real vs fake serial; eax = 0 when equal
0040480A .8BF0 mov esi,eax ;esi = compare result
0040480C .8D4D E8 lea ecx,dword ptr ss: ;ecx = &[ebp-18] (arg for __vbaFreeStrList, interleaved below)
0040480F .F7DE neg esi ;CF = (result != 0)
00404811 .1BF6 sbb esi,esi ;esi = -1 if result != 0, else 0
00404813 .8D55 EC lea edx,dword ptr ss: ;edx = &[ebp-14]
00404816 .51 push ecx
00404817 .46 inc esi ;esi = 0 if result != 0, else 1
00404818 .52 push edx ;ntdll.KiFastSystemCallRet
00404819 .6A 02 push 0x2 ;two strings to free
0040481B .F7DE neg esi ;esi = -1 (VB True) when the strings matched, 0 otherwise
0040481D .FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList ; free [ebp-14] and [ebp-18]
00404823 .8D45 E0 lea eax,dword ptr ss: ;eax = &[ebp-20]
00404826 .8D4D E4 lea ecx,dword ptr ss: ;ecx = &[ebp-1C]
00404829 .50 push eax
0040482A .51 push ecx
0040482B .6A 02 push 0x2 ;two objects to release
0040482D .FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObjList ; release object #1 and #2
00404833 .83C4 18 add esp,0x18 ;pop the 6 dword args of the two calls above (cdecl)
00404836 .B9 04000280 mov ecx,0x80020004 ;DISP_E_PARAMNOTFOUND
0040483B .B8 0A000000 mov eax,0xA ;VT_ERROR
00404840 .66:3BF7 cmp si,di ;si == 0 ? i.e. strings did NOT match (flags kept across the movs below)
00404843 .894D A8 mov dword ptr ss:,ecx ;[ebp-58] = value part of VARIANT at [ebp-60]
00404846 .8945 A0 mov dword ptr ss:,eax ;[ebp-60].vt = VT_ERROR -> "optional argument omitted"
00404849 .894D B8 mov dword ptr ss:,ecx ;[ebp-48]
0040484C .8945 B0 mov dword ptr ss:,eax ;[ebp-50].vt = VT_ERROR
0040484F .894D C8 mov dword ptr ss:,ecx ;[ebp-38]
00404852 .8945 C0 mov dword ptr ss:,eax ;[ebp-40].vt = VT_ERROR (the three VARIANTs are the omitted MsgBox title/helpfile/context args)
00404855 .74 43 je short KeygenMe.0040489A ;taken on mismatch -> "bad" message ("跳走则死": jump taken = failure)
00404857 .8D55 90 lea edx,dword ptr ss: ;edx = &[ebp-70], source VARIANT
0040485A .8D4D D0 lea ecx,dword ptr ss: ;ecx = &[ebp-30], destination VARIANT (MsgBox prompt)
0040485D .C745 98 14204>mov dword ptr ss:,KeygenMe.004>;[ebp-68] = 00402014 -> "Good" (pointer truncated in the listing)
00404864 .C745 90 08000>mov dword ptr ss:,0x8 ;[ebp-70].vt = 8 = VT_BSTR
0040486B .FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup ; copy the "Good" VARIANT into [ebp-30]
00404871 .8D55 A0 lea edx,dword ptr ss: ;edx = &[ebp-60]
00404874 .8D45 B0 lea eax,dword ptr ss: ;eax = &[ebp-50]
00404877 .52 push edx ;ntdll.KiFastSystemCallRet
00404878 .8D4D C0 lea ecx,dword ptr ss: ;ecx = &[ebp-40]
0040487B .50 push eax
0040487C .51 push ecx
0040487D .8D55 D0 lea edx,dword ptr ss: ;edx = &[ebp-30], the prompt
00404880 .57 push edi ;ntdll.7C930228 ; buttons = 0
00404881 .52 push edx ;ntdll.KiFastSystemCallRet
00404882 .FF15 34104000 call dword ptr ds:[<&MSVBVM60.#rtcMsgBox>;MSVBVM60.rtcMsgBox ; MsgBox("Good")
00404888 .8D45 A0 lea eax,dword ptr ss: ;push the four VARIANT addresses for the shared __vbaFreeVarList at 004048DB
0040488B .8D4D B0 lea ecx,dword ptr ss:
0040488E .50 push eax
0040488F .8D55 C0 lea edx,dword ptr ss:
00404892 .51 push ecx
00404893 .8D45 D0 lea eax,dword ptr ss:
00404896 .52 push edx ;ntdll.KiFastSystemCallRet
00404897 .50 push eax
00404898 .EB 41 jmp short KeygenMe.004048DB ;join the common cleanup
0040489A >8D55 90 lea edx,dword ptr ss: ;"bad" branch: same sequence as above with the other string
0040489D .8D4D D0 lea ecx,dword ptr ss:
004048A0 .C745 98 24204>mov dword ptr ss:,KeygenMe.004>;[ebp-68] = 00402024 -> "bad" (pointer truncated in the listing)
004048A7 .C745 90 08000>mov dword ptr ss:,0x8 ;VT_BSTR
004048AE .FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup ; copy the "bad" VARIANT into [ebp-30]
004048B4 .8D4D A0 lea ecx,dword ptr ss:
004048B7 .8D55 B0 lea edx,dword ptr ss:
004048BA .51 push ecx
004048BB .8D45 C0 lea eax,dword ptr ss:
004048BE .52 push edx ;ntdll.KiFastSystemCallRet
004048BF .50 push eax
004048C0 .8D4D D0 lea ecx,dword ptr ss:
004048C3 .57 push edi ;ntdll.7C930228 ; buttons = 0
004048C4 .51 push ecx
004048C5 .FF15 34104000 call dword ptr ds:[<&MSVBVM60.#rtcMsgBox>;MSVBVM60.rtcMsgBox ; MsgBox("bad")
004048CB .8D55 A0 lea edx,dword ptr ss: ;push the four VARIANT addresses for __vbaFreeVarList
004048CE .8D45 B0 lea eax,dword ptr ss:
004048D1 .52 push edx ;ntdll.KiFastSystemCallRet
004048D2 .8D4D C0 lea ecx,dword ptr ss:
004048D5 .50 push eax
004048D6 .8D55 D0 lea edx,dword ptr ss:
004048D9 .51 push ecx
004048DA .52 push edx ;ntdll.KiFastSystemCallRet
004048DB >6A 04 push 0x4 ;common cleanup: four VARIANTs to free
004048DD .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
004048E3 .83C4 14 add esp,0x14 ;pop the 5 dword args
004048E6 .68 2A494000 push KeygenMe.0040492A ;return address for the retn at 00404929
004048EB .EB 3C jmp short KeygenMe.00404929 ;push+jmp-to-retn = jump to 0040492A (VB6 compiler idiom)
004048ED .8D45 E8 lea eax,dword ptr ss: ;not reached by fall-through (the jmp above skips it); presumably the error-exit cleanup used by the runtime — not confirmed from this listing
004048F0 .8D4D EC lea ecx,dword ptr ss:
004048F3 .50 push eax
004048F4 .51 push ecx
004048F5 .6A 02 push 0x2
004048F7 .FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList ; free [ebp-18], [ebp-14]
004048FD .8D55 E0 lea edx,dword ptr ss:
00404900 .8D45 E4 lea eax,dword ptr ss:
00404903 .52 push edx ;ntdll.KiFastSystemCallRet
00404904 .50 push eax
00404905 .6A 02 push 0x2
00404907 .FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObjList ; release [ebp-20], [ebp-1C]
0040490D .8D4D A0 lea ecx,dword ptr ss:
00404910 .8D55 B0 lea edx,dword ptr ss:
00404913 .51 push ecx
00404914 .8D45 C0 lea eax,dword ptr ss:
00404917 .52 push edx ;ntdll.KiFastSystemCallRet
00404918 .8D4D D0 lea ecx,dword ptr ss:
0040491B .50 push eax
0040491C .51 push ecx
0040491D .6A 04 push 0x4
0040491F .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList ; free the four VARIANTs
00404925 .83C4 2C add esp,0x2C ;pop 11 dword args of the three calls
00404928 .C3 retn
00404929 >C3 retn ;RET used as a jump to 0040492A (target pushed at 004048E6)
0040492A >8B4D F0 mov ecx,dword ptr ss: ;ecx = [ebp-10], the previous SEH record saved at 00404751
0040492D .5F pop edi ;kernel32.7C817077
0040492E .5E pop esi ;kernel32.7C817077
0040492F .33C0 xor eax,eax ;return value 0
00404931 .64:890D 00000>mov dword ptr fs:,ecx ;fs:[0] = previous record: unlink our handler
00404938 .5B pop ebx ;kernel32.7C817077
00404939 .8BE5 mov esp,ebp
0040493B .5D pop ebp ;kernel32.7C817077
0040493C .C2 0400 retn 0x4 ;callee pops the single stack argument
爆破:
00404855 .74 43 je short KeygenMe.0040489A 修改为nop
追码:
00404803 .50 push eax ;下断此地址,eax为真码
注册成功如图5:
3.进阶篇
关于这个程序的算法,很简单,但是很烦人。
注册码是根据用户名来计算的,先取用户名的每一位(字节),将其转成HEX字符(即"1"转成"31"),然后将其连接,计为注册码1
然后将注册码1中的特殊字符进行替换,用的是VB中的Replace函数,如将7换成H,8换成S,等等,我们可以从字符串搜索窗口找到
这些转换的字符。
如图6:
很多对不对,所以很烦人,有耐心的朋友可以尝试着去写写,我在这就偷偷懒,不写啦,嘿嘿。
注册机@苏紫方璇 写了,在37楼,感谢他!!!
OK,今天的作业和第一课的是一样的,用自己的ID注册成功,并截图下来,前三名有加分的哦。
传送门==============================================================================
Crack实战系列教程-《VB系列-第一课》
http://www.52pojie.cn/thread-200996-1-1.html
Crack实战系列教程-《VB系列-第二课》
http://www.52pojie.cn/thread-201358-1-1.html
Crack实战系列教程-《VB系列-第三课》
http://www.52pojie.cn/thread-201748-1-1.html
Crack实战系列教程-《VB系列-第四课》
http://www.52pojie.cn/thread-202544-1-1.html
Crack实战系列教程-《VB系列-第五课》
http://www.52pojie.cn/thread-202545-1-1.html
刚看了下算法,原来在这:00402520 > \55 push ebp
板凳支持{:1_918:} 学习一下,谢谢楼主 Shark恒 发表于 2013-6-23 14:47
抢沙发支持小Y啊!
这二楼抢的真快,我发现像你那样做教程太不容易了,每个步骤都要写出来,真有耐心{:301_1003:}
给力 谢谢 已经关注 Shark恒 发表于 2013-6-23 14:52
哎,看来你懂我了。。。。
我觉得太痛苦了...以后我还是搞破解实战吧{:301_1008:} Shark恒 发表于 2013-6-23 14:54
我这图文教程比语音视频教程费劲。。。真的。。
语音简单,一步步操作就行了,不懂的话多看几遍,图文其实最主要是的麻烦,做一步截个图,软件越难截的图越多.