160个CrackMe之017
本帖最后由 zbnysjwsnd8 于 2017-8-27 22:26 编辑CM正脸照一张:
我并不是大神 就是一个菜鸟 所以哪里有错误还请大佬们指出来。
0x0 寻找按钮事件
首先PEID查壳:
可以发现这个CM是使用VB编写。
打开CM,随便输入一串注册码,然后点击可以发现程序弹出一个信息框
在OD中给rtcMsgBox下断点 然后回到程序领空,找到函数头00404230即可。
0x1 拆解反调试-时间戳检测
这个CM中有检测是否被单步调试 用的是msvbvm60!rtcGetTimer
检测方法大致是这样的:
a = rtcGetTimer();
... //进行其他操作
b = rtcGetTimer();
if(b - a > 5)
DEBUGGED;
else
NODEBUGGED;
其实这个方法绕过去很简单只需要在判断的地方下断点 然后F9就可以了。
在这个CM中 这个判断是在这里:
00404476 .83F8 05 cmp eax,0x5
那么给这条指令下断 然后F9直接运行到这里就可以了。
0x2 分析算法首先:CM取出用户输入的Serial0040454B .51 push ecx
0040454C .53 push ebx
0040454D .8B03 mov eax,dword ptr ds:
0040454F .FF90 A0000000 call dword ptr ds: ;获取Serial然后取出长度 检测大小是否小于5,如果小于5就失败。0040456D > \8B95 7CFFFFFF mov edx,dword ptr ss:
00404573 .52 push edx ;Serial
00404574 .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;msvbvm60.__vbaLenBstr
0040457A .33DB xor ebx,ebx
0040457C .83F8 05 cmp eax,0x5
0040457F .0f9cc3 setl bl
00404582 .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00404588 .F7DB neg ebx
0040458A .FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
00404590 .8D8D 5CFFFFFF lea ecx,dword ptr ss:
00404596 .FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
0040459C .66:3BDF cmp bx,di ;如果Serial的长度小于5则转移
0040459F .0F85 39090000 jnz BJCM30A.00404EDE ;失败然后检测Serial的每个字节是不是都相等(例如:111111111)(代码中的循环次数是从0开始)00404616 > \8B8D 7CFFFFFF mov ecx,dword ptr ss: ;Serial
0040461C .51 push ecx
0040461D .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;msvbvm60.__vbaLenBstr
00404623 .8985 00FFFFFF mov dword ptr ss:,eax ;Serial的长度 当做循环总次数
00404629 .8D95 08FFFFFF lea edx,dword ptr ss:
0040462F .8D85 F8FEFFFF lea eax,dword ptr ss:
00404635 .52 push edx
00404636 .8D8D E8FEFFFF lea ecx,dword ptr ss:
0040463C .50 push eax
0040463D .8D95 64FEFFFF lea edx,dword ptr ss:
00404643 .51 push ecx
00404644 .8D85 74FEFFFF lea eax,dword ptr ss:
0040464A .52 push edx
0040464B .8D4D 94 lea ecx,dword ptr ss:
0040464E .50 push eax
0040464F .51 push ecx
00404650 .C785 F8FEFFFF>mov dword ptr ss:,0x3
0040465A .C785 F0FEFFFF>mov dword ptr ss:,0x1
00404664 .C785 E8FEFFFF>mov dword ptr ss:,0x2
0040466E .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ;msvbvm60.__vbaVarForInit
00404674 .8D8D 7CFFFFFF lea ecx,dword ptr ss:
0040467A .8985 30FEFFFF mov dword ptr ss:,eax
00404680 .FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
00404686 .8D8D 5CFFFFFF lea ecx,dword ptr ss:
0040468C .FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
00404692 .8B1D DC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
00404698 >39BD 30FEFFFF cmp dword ptr ss:,edi ;msvbvm60.rtcMidCharBstr
0040469E .0F84 F5010000 je BJCM30A.00404899
004046A4 .8B16 mov edx,dword ptr ds: ;BJCM30A.00406A74
004046A6 .56 push esi
004046A7 .FF92 08030000 call dword ptr ds:
004046AD .50 push eax
004046AE .8D85 5CFFFFFF lea eax,dword ptr ss:
004046B4 .50 push eax
004046B5 .FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
004046BB .8B08 mov ecx,dword ptr ds:
004046BD .8D95 7CFFFFFF lea edx,dword ptr ss:
004046C3 .52 push edx
004046C4 .50 push eax
004046C5 .8985 D4FEFFFF mov dword ptr ss:,eax
004046CB .FF91 A0000000 call dword ptr ds:
004046D1 .3BC7 cmp eax,edi ;msvbvm60.rtcMidCharBstr
004046D3 .DBE2 fclex
004046D5 .7D 18 jge short BJCM30A.004046EF
004046D7 .8B8D D4FEFFFF mov ecx,dword ptr ss:
004046DD .68 A0000000 push 0xA0
004046E2 .68 442B4000 push BJCM30A.00402B44
004046E7 .51 push ecx
004046E8 .50 push eax
004046E9 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
004046EF >8B16 mov edx,dword ptr ds: ;BJCM30A.00406A74
004046F1 .56 push esi
004046F2 .FF92 08030000 call dword ptr ds:
004046F8 .50 push eax
004046F9 .8D85 58FFFFFF lea eax,dword ptr ss:
004046FF .50 push eax
00404700 .FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
00404706 .8B08 mov ecx,dword ptr ds:
00404708 .8D95 78FFFFFF lea edx,dword ptr ss:
0040470E .52 push edx
0040470F .50 push eax
00404710 .8985 CCFEFFFF mov dword ptr ss:,eax
00404716 .FF91 A0000000 call dword ptr ds:
0040471C .3BC7 cmp eax,edi ;msvbvm60.rtcMidCharBstr
0040471E .DBE2 fclex
00404720 .7D 18 jge short BJCM30A.0040473A
00404722 .8B8D CCFEFFFF mov ecx,dword ptr ss:
00404728 .68 A0000000 push 0xA0
0040472D .68 442B4000 push BJCM30A.00402B44
00404732 .51 push ecx
00404733 .50 push eax
00404734 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
0040473A >B8 01000000 mov eax,0x1
0040473F .8D95 48FFFFFF lea edx,dword ptr ss:
00404745 .8985 50FFFFFF mov dword ptr ss:,eax
0040474B .8985 30FFFFFF mov dword ptr ss:,eax
00404751 .8985 00FFFFFF mov dword ptr ss:,eax
00404757 .8D45 94 lea eax,dword ptr ss:
0040475A .B9 02000000 mov ecx,0x2
0040475F .52 push edx
00404760 .50 push eax
00404761 .898D 48FFFFFF mov dword ptr ss:,ecx
00404767 .898D 28FFFFFF mov dword ptr ss:,ecx
0040476D .898D F8FEFFFF mov dword ptr ss:,ecx
00404773 .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ;msvbvm60.__vbaI4Var
00404779 .8B8D 7CFFFFFF mov ecx,dword ptr ss: ;Serial
0040477F .8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ;msvbvm60.rtcMidCharBstr
00404785 .50 push eax
00404786 .51 push ecx
00404787 .FFD7 call edi ;msvbvm60.rtcMidCharBstr
00404789 .8BD0 mov edx,eax ;Serial[循环次数]
0040478B .8D8D 74FFFFFF lea ecx,dword ptr ss:
00404791 .FFD3 call ebx ;msvbvm60.__vbaStrMove
00404793 .50 push eax
00404794 .8D95 28FFFFFF lea edx,dword ptr ss:
0040479A .8D45 94 lea eax,dword ptr ss:
0040479D .52 push edx
0040479E .8D8D F8FEFFFF lea ecx,dword ptr ss:
004047A4 .50 push eax
004047A5 .8D95 38FFFFFF lea edx,dword ptr ss:
004047AB .51 push ecx
004047AC .52 push edx
004047AD .FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ;msvbvm60.__vbaVarAdd
004047B3 .50 push eax
004047B4 .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ;msvbvm60.__vbaI4Var
004047BA .50 push eax
004047BB .8B85 78FFFFFF mov eax,dword ptr ss:
004047C1 .50 push eax
004047C2 .FFD7 call edi ;msvbvm60.rtcMidCharBstr
004047C4 .8BD0 mov edx,eax ;Serial[循环次数 + 1]
004047C6 .8D8D 70FFFFFF lea ecx,dword ptr ss:
004047CC .FFD3 call ebx ;msvbvm60.__vbaStrMove
004047CE .50 push eax
004047CF .FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ;msvbvm60.__vbaStrCmp
004047D5 .8BF8 mov edi,eax ;如果相等则返回0
004047D7 .8D8D 70FFFFFF lea ecx,dword ptr ss:
004047DD .F7DF neg edi ;msvbvm60.rtcMidCharBstr
004047DF .8D95 74FFFFFF lea edx,dword ptr ss:
004047E5 .51 push ecx
004047E6 .8D85 78FFFFFF lea eax,dword ptr ss:
004047EC .52 push edx
004047ED .1BFF sbb edi,edi ;msvbvm60.rtcMidCharBstr
004047EF .8D8D 7CFFFFFF lea ecx,dword ptr ss:
004047F5 .50 push eax
004047F6 .47 inc edi ;msvbvm60.rtcMidCharBstr
004047F7 .51 push ecx
004047F8 .6A 04 push 0x4
004047FA .F7DF neg edi ;msvbvm60.rtcMidCharBstr
004047FC .FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
00404802 .8D95 58FFFFFF lea edx,dword ptr ss:
00404808 .8D85 5CFFFFFF lea eax,dword ptr ss:
0040480E .52 push edx
0040480F .50 push eax
00404810 .6A 02 push 0x2
00404812 .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ;msvbvm60.__vbaFreeObjList
00404818 .8D8D 28FFFFFF lea ecx,dword ptr ss:
0040481E .8D95 38FFFFFF lea edx,dword ptr ss:
00404824 .51 push ecx
00404825 .8D85 48FFFFFF lea eax,dword ptr ss:
0040482B .52 push edx
0040482C .50 push eax
0040482D .6A 03 push 0x3
0040482F .FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00404835 .83C4 30 add esp,0x30
00404838 .66:85FF test di,di
0040483B .74 37 je short BJCM30A.00404874 ;不相等则转移
0040483D .8D4D B8 lea ecx,dword ptr ss: ;相等则记录循环次数(从0开始)
00404840 .8D95 08FFFFFF lea edx,dword ptr ss:
00404846 .51 push ecx
00404847 .8D85 48FFFFFF lea eax,dword ptr ss:
0040484D .52 push edx
0040484E .50 push eax
0040484F .C785 10FFFFFF>mov dword ptr ss:,0x1
00404859 .C785 08FFFFFF>mov dword ptr ss:,0x2
00404863 .FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ;msvbvm60.__vbaVarAdd
00404869 .8BD0 mov edx,eax
0040486B .8D4D B8 lea ecx,dword ptr ss:
0040486E .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
00404874 >8D8D 64FEFFFF lea ecx,dword ptr ss:
0040487A .8D95 74FEFFFF lea edx,dword ptr ss:
00404880 .51 push ecx
00404881 .8D45 94 lea eax,dword ptr ss:
00404884 .52 push edx
00404885 .50 push eax
00404886 .FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ;msvbvm60.__vbaVarForNext
0040488C .8985 30FEFFFF mov dword ptr ss:,eax
00404892 .33FF xor edi,edi ;msvbvm60.rtcMidCharBstr
00404894 .^ E9 FFFDFFFF jmp BJCM30A.00404698然后将之前记录的循环次数和Serial的长度 - 1比较 如果相等则失败(即Serial的每个字节都相等)004048E4 > \8B95 7CFFFFFF mov edx,dword ptr ss: ;Serial
004048EA .52 push edx
004048EB .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;msvbvm60.__vbaLenBstr
004048F1 .83E8 01 sub eax,0x1 ;Serial的长度 - 1
004048F4 .8D8D 08FFFFFF lea ecx,dword ptr ss:
004048FA .0F80 AA070000 jo BJCM30A.004050AA
00404900 .8985 10FFFFFF mov dword ptr ss:,eax
00404906 .8D45 B8 lea eax,dword ptr ss:
00404909 .50 push eax
0040490A .51 push ecx
0040490B .C785 08FFFFFF>mov dword ptr ss:,0x8003 ;已记录循环的次数和Serial的长度 - 1比较
00404915 .FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ;msvbvm60.__vbaVarTstEq
0040491B .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00404921 .66:8985 CCFEF>mov word ptr ss:,ax ;不相等返回0
00404928 .FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
0040492E .8D8D 5CFFFFFF lea ecx,dword ptr ss:
00404934 .FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
0040493A .66:39BD CCFEF>cmp word ptr ss:,di ;di = 0
00404941 .0F85 97050000 jnz BJCM30A.00404EDE ;相等则提示失败然后计算Serial的第一个字节的ASCII码 * Serial的长度和Serial的ASCII码总和(代码中的循环次数是从0开始)004049A6 > \8B95 7CFFFFFF mov edx,dword ptr ss: ;Serial
004049AC .52 push edx ;BJCM30A.00406A74
004049AD .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;Serial的长度
004049B3 .8985 00FFFFFF mov dword ptr ss:,eax ;当做循环总次数
004049B9 .8D85 08FFFFFF lea eax,dword ptr ss:
004049BF .8D8D F8FEFFFF lea ecx,dword ptr ss:
004049C5 .50 push eax
004049C6 .8D95 E8FEFFFF lea edx,dword ptr ss:
004049CC .51 push ecx
004049CD .8D85 44FEFFFF lea eax,dword ptr ss:
004049D3 .52 push edx ;BJCM30A.00406A74
004049D4 .8D8D 54FEFFFF lea ecx,dword ptr ss:
004049DA .50 push eax
004049DB .8D55 94 lea edx,dword ptr ss:
004049DE .51 push ecx
004049DF .52 push edx ;BJCM30A.00406A74
004049E0 .C785 F8FEFFFF>mov dword ptr ss:,0x3
004049EA .C785 F0FEFFFF>mov dword ptr ss:,0x1
004049F4 .C785 E8FEFFFF>mov dword ptr ss:,0x2
004049FE .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ;msvbvm60.__vbaVarForInit
00404A04 .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00404A0A .8985 2CFEFFFF mov dword ptr ss:,eax
00404A10 .FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;msvbvm60.__vbaFreeStr
00404A16 .8D8D 5CFFFFFF lea ecx,dword ptr ss:
00404A1C .FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
00404A22 >39BD 2CFEFFFF cmp dword ptr ss:,edi
00404A28 .0F84 1D030000 je BJCM30A.00404D4B
00404A2E .8B06 mov eax,dword ptr ds: ;BJCM30A.00406A74
00404A30 .56 push esi
00404A31 .FF90 08030000 call dword ptr ds:
00404A37 .8D8D 5CFFFFFF lea ecx,dword ptr ss:
00404A3D .50 push eax
00404A3E .51 push ecx
00404A3F .FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
00404A45 .8B10 mov edx,dword ptr ds:
00404A47 .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00404A4D .51 push ecx
00404A4E .50 push eax
00404A4F .8985 D4FEFFFF mov dword ptr ss:,eax
00404A55 .FF92 A0000000 call dword ptr ds: ;msvbvm60.66103DF8
00404A5B .3BC7 cmp eax,edi
00404A5D .DBE2 fclex
00404A5F .7D 18 jge short BJCM30A.00404A79
00404A61 .8B95 D4FEFFFF mov edx,dword ptr ss:
00404A67 .68 A0000000 push 0xA0
00404A6C .68 442B4000 push BJCM30A.00402B44
00404A71 .52 push edx ;BJCM30A.00406A74
00404A72 .50 push eax
00404A73 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
00404A79 >8B85 7CFFFFFF mov eax,dword ptr ss: ;Serial
00404A7F .50 push eax
00404A80 .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ;取出Serial的长度
00404A86 .8D8D 48FFFFFF lea ecx,dword ptr ss:
00404A8C .8985 50FFFFFF mov dword ptr ss:,eax
00404A92 .51 push ecx
00404A93 .C785 48FFFFFF>mov dword ptr ss:,0x3
00404A9D .FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFromVar_572>] ;msvbvm60.rtcHexBstrFromVar
00404AA3 .8BD0 mov edx,eax ;将Serial的长度转换成文本
00404AA5 .8D8D 64FFFFFF lea ecx,dword ptr ss:
00404AAB .FFD3 call ebx ;msvbvm60.__vbaStrMove
00404AAD .8B16 mov edx,dword ptr ds: ;BJCM30A.00406A74
00404AAF .56 push esi
00404AB0 .FF92 08030000 call dword ptr ds: ;msvbvm60.661042C8
00404AB6 .50 push eax
00404AB7 .8D85 58FFFFFF lea eax,dword ptr ss:
00404ABD .50 push eax
00404ABE .FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
00404AC4 .8B85 58FFFFFF mov eax,dword ptr ss:
00404ACA .8D8D 38FFFFFF lea ecx,dword ptr ss:
00404AD0 .6A 01 push 0x1
00404AD2 .8D95 28FFFFFF lea edx,dword ptr ss:
00404AD8 .51 push ecx
00404AD9 .52 push edx ;BJCM30A.00406A74
00404ADA .89BD 58FFFFFF mov dword ptr ss:,edi
00404AE0 .8985 40FFFFFF mov dword ptr ss:,eax
00404AE6 .C785 38FFFFFF>mov dword ptr ss:,0x9
00404AF0 .FF15 D4104000 call dword ptr ds:[<&MSVBVM60.#rtcLeftCharVar_617>] ;msvbvm60.rtcLeftCharVar
00404AF6 .8D85 28FFFFFF lea eax,dword ptr ss:
00404AFC .8D8D 78FFFFFF lea ecx,dword ptr ss:
00404B02 .50 push eax
00404B03 .51 push ecx
00404B04 .FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;msvbvm60.__vbaStrVarVal
00404B0A .50 push eax ;Serial
00404B0B .FF15 28104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ;msvbvm60.rtcAnsiValueBstr
00404B11 .8D95 18FFFFFF lea edx,dword ptr ss: ;转换成ASCII码
00404B17 .66:8985 20FFF>mov word ptr ss:,ax
00404B1E .52 push edx ;BJCM30A.00406A74
00404B1F .C785 18FFFFFF>mov dword ptr ss:,0x2
00404B29 .FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFromVar_572>] ;msvbvm60.rtcHexBstrFromVar
00404B2F .8BD0 mov edx,eax
00404B31 .8D8D 60FFFFFF lea ecx,dword ptr ss:
00404B37 .FFD3 call ebx ;msvbvm60.__vbaStrMove
00404B39 .BA 6C294000 mov edx,BJCM30A.0040296C ;UNICODE "*"
00404B3E .8D8D 6CFFFFFF lea ecx,dword ptr ss:
00404B44 .FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
00404B4A .8B95 60FFFFFF mov edx,dword ptr ss:
00404B50 .8D8D 70FFFFFF lea ecx,dword ptr ss:
00404B56 .89BD 60FFFFFF mov dword ptr ss:,edi
00404B5C .FFD3 call ebx ;msvbvm60.__vbaStrMove
00404B5E .8B95 64FFFFFF mov edx,dword ptr ss: ;Serial的长度(文本型)
00404B64 .8D8D 74FFFFFF lea ecx,dword ptr ss: ;复制到ebp - 0x8C处
00404B6A .89BD 64FFFFFF mov dword ptr ss:,edi
00404B70 .FFD3 call ebx ;msvbvm60.__vbaStrMove
00404B72 .8B06 mov eax,dword ptr ds: ;BJCM30A.00406A74
00404B74 .8D8D 68FFFFFF lea ecx,dword ptr ss: ;结果保存到ebp - 0x98处
00404B7A .8D95 6CFFFFFF lea edx,dword ptr ss:
00404B80 .51 push ecx
00404B81 .52 push edx ;'*'
00404B82 .8D8D 70FFFFFF lea ecx,dword ptr ss:
00404B88 .8D95 74FFFFFF lea edx,dword ptr ss:
00404B8E .51 push ecx ;Serial的第一个字节的ASCII码
00404B8F .52 push edx ;Serial的长度
00404B90 .56 push esi
00404B91 .FF90 F8060000 call dword ptr ds: ;计算表达式:(Serial * Serial的长度)
00404B97 .3BC7 cmp eax,edi
00404B99 .7D 12 jge short BJCM30A.00404BAD
00404B9B .68 F8060000 push 0x6F8
00404BA0 .68 B4274000 push BJCM30A.004027B4
00404BA5 .56 push esi
00404BA6 .50 push eax
00404BA7 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
00404BAD >8B95 68FFFFFF mov edx,dword ptr ss:
00404BB3 .8D4D C8 lea ecx,dword ptr ss:
00404BB6 .89BD 68FFFFFF mov dword ptr ss:,edi
00404BBC .FFD3 call ebx ;将运算结果复制到ebp - 0x38处
00404BBE .8D85 60FFFFFF lea eax,dword ptr ss:
00404BC4 .8D8D 64FFFFFF lea ecx,dword ptr ss:
00404BCA .50 push eax
00404BCB .8D95 6CFFFFFF lea edx,dword ptr ss:
00404BD1 .51 push ecx
00404BD2 .8D85 70FFFFFF lea eax,dword ptr ss:
00404BD8 .52 push edx ;BJCM30A.00406A74
00404BD9 .8D8D 74FFFFFF lea ecx,dword ptr ss:
00404BDF .50 push eax
00404BE0 .8D95 78FFFFFF lea edx,dword ptr ss:
00404BE6 .51 push ecx
00404BE7 .8D85 7CFFFFFF lea eax,dword ptr ss:
00404BED .52 push edx ;BJCM30A.00406A74
00404BEE .50 push eax
00404BEF .6A 07 push 0x7
00404BF1 .FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
00404BF7 .8D8D 58FFFFFF lea ecx,dword ptr ss:
00404BFD .8D95 5CFFFFFF lea edx,dword ptr ss:
00404C03 .51 push ecx
00404C04 .52 push edx ;BJCM30A.00406A74
00404C05 .6A 02 push 0x2
00404C07 .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ;msvbvm60.__vbaFreeObjList
00404C0D .8D85 18FFFFFF lea eax,dword ptr ss:
00404C13 .8D8D 28FFFFFF lea ecx,dword ptr ss:
00404C19 .50 push eax
00404C1A .8D95 38FFFFFF lea edx,dword ptr ss:
00404C20 .51 push ecx
00404C21 .8D85 48FFFFFF lea eax,dword ptr ss:
00404C27 .52 push edx ;BJCM30A.00406A74
00404C28 .50 push eax
00404C29 .6A 04 push 0x4
00404C2B .FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00404C31 .8B0E mov ecx,dword ptr ds: ;BJCM30A.00406A74
00404C33 .83C4 40 add esp,0x40
00404C36 .56 push esi
00404C37 .FF91 08030000 call dword ptr ds:
00404C3D .8D95 5CFFFFFF lea edx,dword ptr ss:
00404C43 .50 push eax
00404C44 .52 push edx ;BJCM30A.00406A74
00404C45 .FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ;msvbvm60.__vbaObjSet
00404C4B .8B08 mov ecx,dword ptr ds:
00404C4D .8D95 7CFFFFFF lea edx,dword ptr ss:
00404C53 .52 push edx ;BJCM30A.00406A74
00404C54 .50 push eax
00404C55 .8985 D4FEFFFF mov dword ptr ss:,eax
00404C5B .FF91 A0000000 call dword ptr ds:
00404C61 .3BC7 cmp eax,edi
00404C63 .DBE2 fclex
00404C65 .7D 18 jge short BJCM30A.00404C7F
00404C67 .8B8D D4FEFFFF mov ecx,dword ptr ss:
00404C6D .68 A0000000 push 0xA0
00404C72 .68 442B4000 push BJCM30A.00402B44
00404C77 .51 push ecx
00404C78 .50 push eax
00404C79 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ;msvbvm60.__vbaHresultCheckObj
00404C7F >8D95 48FFFFFF lea edx,dword ptr ss:
00404C85 .8D45 94 lea eax,dword ptr ss:
00404C88 .52 push edx ;BJCM30A.00406A74
00404C89 .50 push eax
00404C8A .C785 50FFFFFF>mov dword ptr ss:,0x1
00404C94 .C785 48FFFFFF>mov dword ptr ss:,0x2
00404C9E .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ;msvbvm60.__vbaI4Var
00404CA4 .8B8D 7CFFFFFF mov ecx,dword ptr ss: ;Serial
00404CAA .50 push eax ;循环次数 + 1
00404CAB .51 push ecx
00404CAC .FF15 54104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ;Serial[循环次数]
00404CB2 .8BD0 mov edx,eax
00404CB4 .8D8D 78FFFFFF lea ecx,dword ptr ss:
00404CBA .FFD3 call ebx ;msvbvm60.__vbaStrMove
00404CBC .50 push eax
00404CBD .FF15 28104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ;转换成ASCII码
00404CC3 .66:8985 00FFF>mov word ptr ss:,ax
00404CCA .8D55 CC lea edx,dword ptr ss: ;第一次循环时 结果是0
00404CCD .8D85 F8FEFFFF lea eax,dword ptr ss:
00404CD3 .52 push edx ;BJCM30A.00406A74
00404CD4 .8D8D 38FFFFFF lea ecx,dword ptr ss:
00404CDA .50 push eax ;Serial[循环次数]
00404CDB .51 push ecx
00404CDC .C785 F8FEFFFF>mov dword ptr ss:,0x2
00404CE6 .FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ;msvbvm60.__vbaVarAdd
00404CEC .8BD0 mov edx,eax
00404CEE .8D4D CC lea ecx,dword ptr ss:
00404CF1 .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;将结果保存到ebp - 0x34处(结果 = 结果 + Serial[循环次数])
00404CF7 .8D95 78FFFFFF lea edx,dword ptr ss:
00404CFD .8D85 7CFFFFFF lea eax,dword ptr ss:
00404D03 .52 push edx ;BJCM30A.00406A74
00404D04 .50 push eax
00404D05 .6A 02 push 0x2
00404D07 .FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
00404D0D .83C4 0C add esp,0xC
00404D10 .8D8D 5CFFFFFF lea ecx,dword ptr ss:
00404D16 .FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
00404D1C .8D8D 48FFFFFF lea ecx,dword ptr ss:
00404D22 .FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
00404D28 .8D8D 44FEFFFF lea ecx,dword ptr ss:
00404D2E .8D95 54FEFFFF lea edx,dword ptr ss:
00404D34 .51 push ecx
00404D35 .8D45 94 lea eax,dword ptr ss:
00404D38 .52 push edx ;BJCM30A.00406A74
00404D39 .50 push eax
00404D3A .FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ;msvbvm60.__vbaVarForNext
00404D40 .8985 2CFEFFFF mov dword ptr ss:,eax
00404D46 .^ E9 D7FCFFFF jmp BJCM30A.00404A22最后就开始验证:Serial的第一个字节的ASCII码 * Serial的长度是否等于Serial的ASCII码总和,如果相等则成功,不相等则失败00404D4B > \8D4D CC lea ecx,dword ptr ss:
00404D4E .51 push ecx
00404D4F .FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBst>;取出结果(Serial的ASCII码总和)
00404D55 .8BD0 mov edx,eax
00404D57 .8D8D 70FFFFFF lea ecx,dword ptr ss:
00404D5D .FFD3 call ebx
00404D5F .BA 0C294000 mov edx,BJCM30A.0040290C ;UNICODE "="
00404D64 .8D8D 78FFFFFF lea ecx,dword ptr ss:
00404D6A .FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCo>;msvbvm60.__vbaStrCopy
00404D70 .8B95 70FFFFFF mov edx,dword ptr ss:
00404D76 .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00404D7C .89BD 70FFFFFF mov dword ptr ss:,edi
00404D82 .FFD3 call ebx
00404D84 .8B16 mov edx,dword ptr ds:
00404D86 .8D85 74FFFFFF lea eax,dword ptr ss: ;结果保存到ebp - 0x8C处(不相等则是'0' 相等则是'FFFF')
00404D8C .8D8D 78FFFFFF lea ecx,dword ptr ss:
00404D92 .50 push eax
00404D93 .51 push ecx ;'='
00404D94 .8D85 7CFFFFFF lea eax,dword ptr ss:
00404D9A .8D4D C8 lea ecx,dword ptr ss:
00404D9D .50 push eax ;Serial中的ASCII码和
00404D9E .51 push ecx ;Serial * Serial的长度
00404D9F .56 push esi
00404DA0 .FF92 F8060000 call dword ptr ds: ;验证 Serial * Serial的长度 == Serial中的ASCII码和 是否成立
00404DA6 .3BC7 cmp eax,edi
00404DBC > \8B85 74FFFFFF mov eax,dword ptr ss: ;验证结果
00404DC2 .BE 08000000 mov esi,0x8
00404DC7 .8D95 48FFFFFF lea edx,dword ptr ss:
00404DCD .8D4D CC lea ecx,dword ptr ss:
00404DD0 .89BD 74FFFFFF mov dword ptr ss:,edi
00404DD6 .8985 50FFFFFF mov dword ptr ss:,eax
00404DDC .89B5 48FFFFFF mov dword ptr ss:,esi
00404DE2 .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;将验证结果复制到ecx处
00404DE8 .8D95 70FFFFFF lea edx,dword ptr ss:
00404DEE .8D85 78FFFFFF lea eax,dword ptr ss:
00404DF4 .52 push edx ;BJCM30A.00406A74
00404DF5 .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00404DFB .50 push eax
00404DFC .51 push ecx
00404DFD .6A 03 push 0x3
00404DFF .FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
00404E05 .83C4 10 add esp,0x10
00404E08 .8D55 CC lea edx,dword ptr ss:
00404E0B .8D85 08FFFFFF lea eax,dword ptr ss:
00404E11 .C785 10FFFFFF>mov dword ptr ss:,BJCM30A.00402B58 ;UNICODE "FFFF"
00404E1B .52 push edx ;BJCM30A.00406A74
00404E1C .50 push eax
00404E1D .C785 08FFFFFF>mov dword ptr ss:,0x8008
00404E27 .FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ;变量比较 不相等返回0
00404E2D .66:85C0 test ax,ax
00404E30 .0F84 AD000000 je BJCM30A.00404EE3 ;失败则转移0x3 计算注册码由上述代码我们可以知道成功的条件是:Serial的第一个字节的ASCII码 * Serial的长度等于Serial的ASCII码总和我们可以随便设一个Serial,然后在这个Serial的基础上添加新的字符串 来达到注册的目的。设:Serial为"_KaQqi" + z(z是后添加的字符串);
Serial的长度为6 + y(6是"_KaQqi"的长度);
Serial的ASCII码和为566 + x(566是"_KaQqi"的ASCII码总和)
其中:Serial的第一个字符是'_' 这个字符的ASCII码是95
则有如下表达式:
95 * (6 + y) = 566 + x(1)
由(1)得:95y = x - 4不妨假设y = 1这时x就等于95 * 1 + 4,即x = 99('c')即z = "c"即Serial为"_KaQqic"
如果假设y = 2那么x = 194
可以将x = 194看成x = 126('~') + 68('D')
即z = "~D"或z = "D~"
即Serial为"_KaQqi~D"或"_KaQqiD~"
不过我比较喜欢"_KaQqi~D"的形式
附:第17个CM(BJCM30A)
顶你这漂亮的帖子 很好很强大 赞一个 都是英文,怎么看得懂 很详细,有时间也研究一下 这种大佬写防破解,那6了 学习了。! 研究了一个下午,就卡在那取第一个字符*字符串长度那,按常理这代码没必要放循环里啊。 pk8900 发表于 2017-11-28 20:42
研究了一个下午,就卡在那取第一个字符*字符串长度那,按常理这代码没必要放循环里啊。
作者就放在这里了。。。你也只能这么看了 那个好像是大数运算。
页:
[1]