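Crack Hands-On Tutorial Series - "VB Series - Lesson 3"
Last edited by 我是用户 on 2013-7-4 00:59
[Software name]: VB crack3
[Author email]: 2714608453@qq.com
[Download]: see attachment
[Language]: VB
[Tools]: OD
[Platform]: XP SP2
[Author's statement]: This is purely out of interest, with no other purpose. Please point out any mistakes!
Today I bring you the third round. I will raise the difficulty in the fourth, but it should not be hard for you to handle.
This Crack3 is also very simple; read the code I have commented carefully and finding the correct registration code is not hard.
1. Check for a packer.
Same as before, it is written in VB.
2. Tracing the code
Open today's Crack3.
See Figure 1:
Enter fake code 1: 123456
Enter fake code 2: 456789
Enter fake code 3: 789012
Click Register; nothing happens.
See Figure 2:
What should we do now? We can reason like this: since a failed registration gives no response, will a successful one show a dialog box, and will that dialog box contain a prompt string such as "Success" or "You Get it"?
Fine, so we right-click and search for strings, and sure enough we find the string "Good Boy".
See Figure 3:
Right-click and follow it to arrive at the code.
See Figure 4:
We scroll the code up, find the entry point, and set a breakpoint with F2.
See Figure 5:
The detailed analysis is as follows: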
004027C0 > \55 push ebp
004027C1 .8BEC mov ebp,esp
004027C3 .83EC 0C sub esp,0xC
004027C6 .68 26114000 push <jmp.&MSVBVM60.__vbaExceptHandler>;SE handler installation
004027CB .64:A1 0000000>mov eax,dword ptr fs:
004027D1 .50 push eax
004027D2 .64:8925 00000>mov dword ptr fs:,esp
004027D9 .83EC 68 sub esp,0x68
004027DC .53 push ebx
004027DD .56 push esi
004027DE .57 push edi
004027DF .8965 F4 mov dword ptr ss:,esp
004027E2 .C745 F8 10114>mov dword ptr ss:,Crackme.00401>
004027E9 .33DB xor ebx,ebx
004027EB .895D FC mov dword ptr ss:,ebx
004027EE .8B45 08 mov eax,dword ptr ss:
004027F1 .8B08 mov ecx,dword ptr ds:
004027F3 .50 push eax
004027F4 .FF51 04 call dword ptr ds:
004027F7 .A1 10304000 mov eax,dword ptr ds:
004027FC .3BC3 cmp eax,ebx
004027FE .895D E8 mov dword ptr ss:,ebx
00402801 .895D E4 mov dword ptr ss:,ebx
00402804 .895D E0 mov dword ptr ss:,ebx
00402807 .895D DC mov dword ptr ss:,ebx
0040280A .895D D8 mov dword ptr ss:,ebx
0040280D .895D D4 mov dword ptr ss:,ebx
00402810 .895D D0 mov dword ptr ss:,ebx
00402813 .895D CC mov dword ptr ss:,ebx
00402816 .895D C8 mov dword ptr ss:,ebx
00402819 .895D C4 mov dword ptr ss:,ebx
0040281C .895D B4 mov dword ptr ss:,ebx
0040281F .895D A4 mov dword ptr ss:,ebx
00402822 .75 15 jnz short Crackme.00402839
00402824 .68 10304000 push Crackme.00403010
00402829 .68 DC184000 push Crackme.004018DC
0040282E .FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
00402834 .A1 10304000 mov eax,dword ptr ds:
00402839 >8B10 mov edx,dword ptr ds:
0040283B .50 push eax
0040283C .FF92 08030000 call dword ptr ds: ;MSVBVM60.73494270
00402842 .8B3D 38104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaOb>;MSVBVM60.__vbaObjSet
00402848 .50 push eax
00402849 .8D45 C4 lea eax,dword ptr ss:
0040284C .50 push eax
0040284D .FFD7 call edi ;<&MSVBVM60.__vbaObjSet>
0040284F .8D55 D0 lea edx,dword ptr ss:
00402852 .8BF0 mov esi,eax
00402854 .8B0E mov ecx,dword ptr ds: ;Crackme.00403400
00402856 .52 push edx ;Crackme.00403400
00402857 .56 push esi
00402858 .FF91 A0000000 call dword ptr ds: ;get fake code 3
0040285E .DBE2 fclex
00402860 .3BC3 cmp eax,ebx
00402862 .7D 12 jge short Crackme.00402876
00402864 .68 A0000000 push 0xA0
00402869 .68 BC214000 push Crackme.004021BC
0040286E .56 push esi
0040286F .50 push eax
00402870 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
00402876 >8B55 D0 mov edx,dword ptr ss:
00402879 .8B35 A8104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrMove
0040287F .8D4D E0 lea ecx,dword ptr ss:
00402882 .895D D0 mov dword ptr ss:,ebx
00402885 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
00402887 .8D4D C4 lea ecx,dword ptr ss:
0040288A .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
00402890 .A1 10304000 mov eax,dword ptr ds:
00402895 .3BC3 cmp eax,ebx
00402897 .75 15 jnz short Crackme.004028AE
00402899 .68 10304000 push Crackme.00403010
0040289E .68 DC184000 push Crackme.004018DC
004028A3 .FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
004028A9 .A1 10304000 mov eax,dword ptr ds:
004028AE >8B08 mov ecx,dword ptr ds:
004028B0 .50 push eax
004028B1 .FF91 FC020000 call dword ptr ds:
004028B7 .50 push eax
004028B8 .8D55 C4 lea edx,dword ptr ss:
004028BB .52 push edx ;Crackme.00403400
004028BC .FFD7 call edi
004028BE .8D4D D0 lea ecx,dword ptr ss:
004028C1 .8BF8 mov edi,eax
004028C3 .8B07 mov eax,dword ptr ds:
004028C5 .51 push ecx
004028C6 .57 push edi
004028C7 .FF90 A0000000 call dword ptr ds:
004028CD .DBE2 fclex
004028CF .3BC3 cmp eax,ebx
004028D1 .7D 12 jge short Crackme.004028E5
004028D3 .68 A0000000 push 0xA0
004028D8 .68 BC214000 push Crackme.004021BC
004028DD .57 push edi
004028DE .50 push eax
004028DF .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004028E5 >8B55 D0 mov edx,dword ptr ss: ;get password 1
004028E8 .8D4D D8 lea ecx,dword ptr ss:
004028EB .895D D0 mov dword ptr ss:,ebx
004028EE .FFD6 call esi
004028F0 .8D4D C4 lea ecx,dword ptr ss:
004028F3 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
004028F9 .A1 10304000 mov eax,dword ptr ds:
004028FE .3BC3 cmp eax,ebx
00402900 .75 15 jnz short Crackme.00402917
00402902 .68 10304000 push Crackme.00403010
00402907 .68 DC184000 push Crackme.004018DC
0040290C .FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
00402912 .A1 10304000 mov eax,dword ptr ds:
00402917 >8B10 mov edx,dword ptr ds:
00402919 .50 push eax
0040291A .FF92 04030000 call dword ptr ds: ;MSVBVM60.73494268
00402920 .50 push eax
00402921 .8D45 C4 lea eax,dword ptr ss:
00402924 .50 push eax
00402925 .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
0040292B .8D55 D0 lea edx,dword ptr ss:
0040292E .8BF8 mov edi,eax
00402930 .8B0F mov ecx,dword ptr ds:
00402932 .52 push edx ;Crackme.00403400
00402933 .57 push edi
00402934 .FF91 A0000000 call dword ptr ds: ;get fake code 2
0040293A .DBE2 fclex
0040293C .3BC3 cmp eax,ebx
0040293E .7D 12 jge short Crackme.00402952
00402940 .68 A0000000 push 0xA0
00402945 .68 BC214000 push Crackme.004021BC
0040294A .57 push edi
0040294B .50 push eax
0040294C .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
00402952 >8B55 D0 mov edx,dword ptr ss:
00402955 .8D4D E4 lea ecx,dword ptr ss:
00402958 .895D D0 mov dword ptr ss:,ebx
0040295B .FFD6 call esi
0040295D .8D4D C4 lea ecx,dword ptr ss:
00402960 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
00402966 .6A 03 push 0x3
00402968 .8D4D A4 lea ecx,dword ptr ss:
0040296B .51 push ecx
0040296C .8D55 B4 lea edx,dword ptr ss:
0040296F .8D45 D8 lea eax,dword ptr ss:
00402972 .52 push edx ;Crackme.00403400
00402973 .8945 AC mov dword ptr ss:,eax
00402976 .C745 A4 08400>mov dword ptr ss:,0x4008
0040297D .FF15 A0104000 call dword ptr ds:[<&MSVBVM60.#rtcLeftCh>;take the first three characters of fake code 2, from left to right
00402983 .8B3D 10104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrVarMove
00402989 .8D45 B4 lea eax,dword ptr ss:
0040298C .50 push eax
0040298D .FFD7 call edi ;<&MSVBVM60.__vbaStrVarMove>
0040298F .8BD0 mov edx,eax
00402991 .8D4D DC lea ecx,dword ptr ss:
00402994 .FFD6 call esi
00402996 .8B1D 0C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFr>;MSVBVM60.__vbaFreeVar
0040299C .8D4D B4 lea ecx,dword ptr ss:
0040299F .FFD3 call ebx ;<&MSVBVM60.__vbaFreeVar>
004029A1 .6A 03 push 0x3
004029A3 .8D55 A4 lea edx,dword ptr ss:
004029A6 .52 push edx ;Crackme.00403400
004029A7 .8D45 B4 lea eax,dword ptr ss:
004029AA .8D4D D8 lea ecx,dword ptr ss:
004029AD .50 push eax
004029AE .894D AC mov dword ptr ss:,ecx
004029B1 .C745 A4 08400>mov dword ptr ss:,0x4008
004029B8 .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#rtcRightC>;take the first three characters of fake code 1, from right to left (call it Str1)
004029BE .8D4D B4 lea ecx,dword ptr ss:
004029C1 .51 push ecx
004029C2 .FFD7 call edi
004029C4 .8BD0 mov edx,eax
004029C6 .8D4D D4 lea ecx,dword ptr ss:
004029C9 .FFD6 call esi
004029CB .8D4D B4 lea ecx,dword ptr ss:
004029CE .FFD3 call ebx
004029D0 .8B55 D4 mov edx,dword ptr ss:
004029D3 .8B3D 28104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrCat
004029D9 .68 D0214000 push Crackme.004021D0 ;SCT-
004029DE .52 push edx ; /String = "\l9s(l9s?sXS?s,朎s烢s獰Es?@"
004029DF .FFD7 call edi ; \__vbaStrCat
004029E1 .8BD0 mov edx,eax ;concatenate SCT- and (Str1)
004029E3 .8D4D D0 lea ecx,dword ptr ss:
004029E6 .FFD6 call esi
004029E8 .50 push eax
004029E9 .8B45 D8 mov eax,dword ptr ss:
004029EC .50 push eax ; /String = NULL
004029ED .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
004029F3 .50 push eax ;take the length of fake code 1
004029F4 .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>;MSVBVM60.__vbaStrI4
004029FA .8BD0 mov edx,eax
004029FC .8D4D CC lea ecx,dword ptr ss:
004029FF .FFD6 call esi
00402A01 .50 push eax
00402A02 .FFD7 call edi
00402A04 .8BD0 mov edx,eax ;then concatenate with the length of fake code 1
00402A06 .8D4D C8 lea ecx,dword ptr ss:
00402A09 .FFD6 call esi
00402A0B .8B4D DC mov ecx,dword ptr ss: ;GDI32.77EF76AB
00402A0E .50 push eax
00402A0F .51 push ecx
00402A10 .FFD7 call edi
00402A12 .8BD0 mov edx,eax ;concatenate with 123
00402A14 .8D4D E8 lea ecx,dword ptr ss:
00402A17 .FFD6 call esi
00402A19 .8D55 C8 lea edx,dword ptr ss:
00402A1C .52 push edx ;Crackme.00403400
00402A1D .8D45 CC lea eax,dword ptr ss:
00402A20 .50 push eax
00402A21 .8D4D D0 lea ecx,dword ptr ss:
00402A24 .51 push ecx
00402A25 .6A 03 push 0x3
00402A27 .FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
00402A2D .8B55 E0 mov edx,dword ptr ss:
00402A30 .83C4 10 add esp,0x10
00402A33 .8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaSt>;MSVBVM60.__vbaStrCmp
00402A39 .52 push edx ;Crackme.00403400
00402A3A .68 E0214000 push Crackme.004021E0 ;Shooter
00402A3F .FFD7 call edi ;<&MSVBVM60.__vbaStrCmp>
00402A41 .85C0 test eax,eax ;fake code 3 must be Shooter
00402A43 .0F85 34010000 jnz Crackme.00402B7D ;if not equal, jump to the error path
00402A49 .8B45 E4 mov eax,dword ptr ss:
00402A4C .8B4D E8 mov ecx,dword ptr ss:
00402A4F .50 push eax
00402A50 .51 push ecx
00402A51 .FFD7 call edi
00402A53 .85C0 test eax,eax ;compare SCT-4566123 with the second code
00402A55 .A1 10304000 mov eax,dword ptr ds:
00402A5A .75 2D jnz short Crackme.00402A89
00402A5C .85C0 test eax,eax
00402A5E .75 10 jnz short Crackme.00402A70
00402A60 .68 10304000 push Crackme.00403010
00402A65 .68 DC184000 push Crackme.004018DC
00402A6A .FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
00402A70 >8B35 10304000 mov esi,dword ptr ds:
00402A76 .8B16 mov edx,dword ptr ds: ;Crackme.00403400
00402A78 .68 F4214000 push Crackme.004021F4 ;GOOD BOY
00402A7D .56 push esi
00402A7E .FF52 54 call dword ptr ds: ;MSVBVM60.73493D08
00402A81 .DBE2 fclex
00402A83 .85C0 test eax,eax
00402A85 .7D 3C jge short Crackme.00402AC3
00402A87 .EB 2B jmp short Crackme.00402AB4
00402A89 >85C0 test eax,eax
00402A8B .75 10 jnz short Crackme.00402A9D
00402A8D .68 10304000 push Crackme.00403010
00402A92 .68 DC184000 push Crackme.004018DC
00402A97 .FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
00402A9D >8B35 10304000 mov esi,dword ptr ds:
00402AA3 .8B06 mov eax,dword ptr ds: ;Crackme.00403400
00402AA5 .68 0C224000 push Crackme.0040220C ;Bad BOY
00402AAA .56 push esi
00402AAB .FF50 54 call dword ptr ds:
00402AAE .DBE2 fclex
00402AB0 .85C0 test eax,eax
00402AB2 .7D 0F jge short Crackme.00402AC3
00402AB4 >6A 54 push 0x54
00402AB6 .68 BC1D4000 push Crackme.00401DBC
00402ABB .56 push esi
00402ABC .50 push eax
00402ABD .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
00402AC3 >A1 10304000 mov eax,dword ptr ds:
00402AC8 .85C0 test eax,eax
00402ACA .75 10 jnz short Crackme.00402ADC
00402ACC .68 10304000 push Crackme.00403010
00402AD1 .68 DC184000 push Crackme.004018DC
00402AD6 .FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
00402ADC >8B35 10304000 mov esi,dword ptr ds:
00402AE2 .8B0E mov ecx,dword ptr ds: ;Crackme.00403400
00402AE4 .8D55 D0 lea edx,dword ptr ss:
00402AE7 .52 push edx ;Crackme.00403400
00402AE8 .56 push esi
00402AE9 .FF51 50 call dword ptr ds:
00402AEC .DBE2 fclex
00402AEE .85C0 test eax,eax
00402AF0 .7D 0F jge short Crackme.00402B01
00402AF2 .6A 50 push 0x50
00402AF4 .68 BC1D4000 push Crackme.00401DBC
00402AF9 .56 push esi
00402AFA .50 push eax
00402AFB .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
00402B01 >8B45 D0 mov eax,dword ptr ss:
00402B04 .50 push eax
00402B05 .68 F4214000 push Crackme.004021F4 ;GOOD BOY
00402B0A .FFD7 call edi
00402B0C .8B4D E4 mov ecx,dword ptr ss:
00402B0F .8B55 E8 mov edx,dword ptr ss:
00402B12 .8BF0 mov esi,eax
00402B14 .F7DE neg esi
00402B16 .1BF6 sbb esi,esi
00402B18 .51 push ecx
00402B19 .46 inc esi
00402B1A .52 push edx ;Crackme.00403400
00402B1B .F7DE neg esi
00402B1D .FFD7 call edi
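Tracing the code:
00402A3F .FFD7 call edi ;break here; the value of real code 3 must be Shooter
00402A51 .FFD7 call edi ;break here to get the value of real code 2 (it is computed from fake code 1)
Successful registration, see Figure 6:
3. Algorithm analysis
Real code 3 must be Shooter
Real code 2 = F(fake code 1): with fake code 1 = 123456, real code = "SCT-" + "456" (last three characters) + (length of the fake code) + "123" (first three characters)
Homework: register successfully with your own ID; the first three get bonus points.
Links ==============================================================================
Crack Hands-On Tutorial Series - "VB Series - Lesson 1"
http://www.52pojie.cn/thread-200996-1-1.html
Crack Hands-On Tutorial Series - "VB Series - Lesson 2"
http://www.52pojie.cn/thread-201358-1-1.html
Crack Hands-On Tutorial Series - "VB Series - Lesson 3"
http://www.52pojie.cn/thread-201748-1-1.html
Crack Hands-On Tutorial Series - "VB Series - Lesson 4"
http://www.52pojie.cn/thread-202544-1-1.html
Crack Hands-On Tutorial Series - "VB Series - Lesson 5"
http://www.52pojie.cn/thread-202545-1-1.html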
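A Python model of the check traced in the post above, added here as an illustration and not code from the original post or the CrackMe itself. The function names are hypothetical; the field order (code 1, code 2, code 3) follows the post's algorithm summary, and case-sensitive comparison is an assumption.

```python
"""Model of the Crack3 registration check described in the post (added example).

Assumptions (not taken from the binary): function and field names,
case-sensitive comparison, and input limited to characters where
Python's len() agrees with VB's Len().
"""

REQUIRED_CODE3 = "Shooter"   # constant compared at 00402A3F (__vbaStrCmp)
PREFIX = "SCT-"              # constant pushed at 004029D9


def vb_left(s: str, n: int) -> str:
    """VB Left$: first n characters, or the whole string if it is shorter."""
    return s[:n]


def vb_right(s: str, n: int) -> str:
    """VB Right$: last n characters, or the whole string if it is shorter."""
    return s[-n:] if n > 0 else ""


def expected_code2(code1: str) -> str:
    """Value the routine builds before the second __vbaStrCmp (00402A51)."""
    return PREFIX + vb_right(code1, 3) + str(len(code1)) + vb_left(code1, 3)


def check(code1: str, code2: str, code3: str) -> bool:
    """Mirror the two comparisons in order: code 3 first, then code 2."""
    if code3 != REQUIRED_CODE3:      # jnz at 00402A43 takes the failure path
        return False
    return code2 == expected_code2(code1)


if __name__ == "__main__":
    # Constructed inputs: the three fake codes from the post, then the derived value.
    print(check("123456", "456789", "789012"))
    print(expected_code2("123456"))
    print(check("123456", expected_code2("123456"), "Shooter"))
```

The expected value is a pure function of the input and sits in memory as plain text before the comparison, which is why a single breakpoint at 00402A51 reveals it.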
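Thanks a lot, I learned something...
Finally grabbed the first reply, ha
qiusuo posted on 2013-6-26 21:53
Finally grabbed the first reply, ha
The first floor was even faster than you, haha
Can you post some examples of cracking encrypted video? I really want to learn!
jjwoaini posted on 2013-6-26 22:03
Can you post some examples of cracking encrypted video? I really want to learn!
I will consider it for the next series
我是用户 posted on 2013-6-26 21:54
The first floor was even faster than you, haha
I don't know how you know what that assembly code means. Have you studied assembly systematically?
我是用户 posted on 2013-6-26 22:03
I will consider it for the next series
Looking forward to it! I have carefully studied every one of your posts! Looking forward to the course on cracking encrypted video!
Nice, thanks to the OP for sharing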