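[Disassembly practice] 160 CrackMes No. 057.58.59.60.61.62.63 (Eternal Bliss series): static analysis
This post was last edited by pk8900 on 2017-12-31 08:45
[160 crackmes for cracking beginners to practise on] No. 57, Eternal Bliss.exe. The Eternal Bliss.exe series are all VB programs and fairly simple. Nobody on the forum has posted about them, so I am writing them all up in this thread; the others are in the floors below.
[About the crackme]
Download: http://pan.baidu.com/share/link?shareid=541269&uk=4146939145
Written in Microsoft Visual Basic 5.0 / 6.0, not packed, 8 checks in total, with hint text.
Rated "?"; I estimate the difficulty at 1 star.
Tools: X64dbg, VB Decompiler
[Crackme screenshot]
[Analysis]
Since this is a VB program, we bring out VB Decompiler. By analysing the code in VB Decompiler and verifying it in X64DBG, we can get the overall structure of the program.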
Private Sub Command1_Click() '403604
loc_00403622: var_eax = %y 'Ignore this '__vbaChkstk
loc_0040364D: var_eax = arg_8.AddRef 'Ignore this
loc_00403664: ecx = False
loc_0040368C: If (arg_8 = 1) = 0 Then GoTo loc_004036D2
loc_00403696: var_eax = Me.1784
loc_0040369C: var_98 = Me.1784
loc_004036F5: If (arg_8 = 2) = 0 Then GoTo loc_0040373B
loc_004036FF: var_eax = Me.1788
loc_00403705: var_98 = Me.1788
loc_0040375E: If (arg_8 = 3) = 0 Then GoTo loc_004037A4
loc_00403768: var_eax = Me.1792
loc_0040376E: var_98 = Me.1792
loc_004037C7: If (arg_8 = 4) = 0 Then GoTo loc_0040380D
loc_004037D1: var_eax = Me.1796
loc_004037D7: var_98 = Me.1796
loc_00403830: If (arg_8 = 5) = 0 Then GoTo loc_00403876
loc_0040383A: var_eax = Me.1804
loc_00403840: var_98 = Me.1804
loc_00403899: If (arg_8 = 6) = 0 Then GoTo loc_004038DF
loc_004038A3: var_eax = Me.1808
loc_004038A9: var_98 = Me.1808
loc_00403902: If (arg_8 = 7) = 0 Then GoTo loc_00403948
loc_0040390C: var_eax = Me.1812
loc_00403912: var_98 = Me.1812
loc_0040396B: If (arg_8 = 8) = 0 Then GoTo loc_004039B1
loc_00403975: var_eax = Me.1800
loc_0040397B: var_98 = Me.1800
loc_004039D1: If (arg_8 = False) = 0 Then GoTo loc_00403A5B
loc_00403A07: var_34 = "Error!!"
loc_00403A20: var_24 = "Choose a compare method!!"
loc_00403A37: MsgBox(var_24, 16, var_34, var_44, var_54)
loc_00403A4E: call undef 'Ignore this '__vbaFreeVarList(00000004, var_24, var_34, var_44, var_54, arg_8, arg_8, arg_8, arg_8, arg_8, arg_8, arg_8, arg_8, 0, esi, ebx)
loc_00403A56: GoTo loc_00403B84
loc_00403A5B: 'Referenced from: 004039D1
loc_00403A7E: If (arg_8 = 1) = 0 Then GoTo loc_00403B05
loc_00403AB4: var_34 = "Good Work!"
loc_00403ACD: var_24 = "Well Done! Go to next one!"
loc_00403AE4: MsgBox(var_24, 64, var_34, var_44, var_54)
loc_00403AFB: call undef 'Ignore this '__vbaFreeVarList(00000004, var_24, var_34, var_44, var_54)
loc_00403B03: GoTo loc_00403B84
loc_00403B05: 'Referenced from: 00403A7E
loc_00403B35: var_34 = "Wrong!"
loc_00403B4E: var_24 = "Wrong! Try again!"
loc_00403B65: MsgBox(var_24, 0, var_34, var_44, var_54)
loc_00403B7C: call undef 'Ignore this '__vbaFreeVarList(00000004, var_24, var_34, var_44, var_54)
loc_00403B84: 'Referenced from: 00403A56
loc_00403B90: GoTo loc_00403BAD
loc_00403BA4: call undef 'Ignore this '__vbaFreeVarList(00000004, var_24, var_34, var_44, var_54, var_00403BAE)
loc_00403BAC: Exit Sub
loc_00403BAD: 'Referenced from: 00403B90
End Sub
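In the CHECK button's event code we can see that the program uses the value of arg_8 to determine which check mode was selected, and then verifies whether the input is correct.
Looking at the code for each check mode, modes 1 and 2 are the simplest: a plaintext comparison that static analysis finds straight away. The code in VB Decompiler is as follows: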
loc_004044E7: var_1C = "String"
loc_004044F4: var_eax = Unknown_VTable_Call
loc_00404513: var_20 = arg_8.MousePointer
loc_0040451B: var_3C = var_20
loc_00404552: var_18 = var_20
loc_0040455A: var_eax = %fobj
loc_0040456C: If (var_1C <> var_18) <> 0 Then GoTo loc_0040458A
loc_00404585: ecx = CInt(1)
loc_0040458A: 'Referenced from: 0040456C
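It is obvious that after var_1C = "String" there is the comparison (var_1C <> var_18). After verification, the registration code for mode 1, String, is "String", and the registration code for mode 2, Variant, is "Empty". Next is mode 3, Long: no fixed value shows up in the code decompiled by VB Decompiler, but the key comparison is var_24 <> 0, so this one needs dynamic debugging.
loc_00404747: var_eax = %y 'Ignore this '__vbaChkstk
loc_0040476F: var_eax = arg_8.AddRef 'Ignore this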
loc_00404774: On Error Resume Next
loc_00404788: var_eax = Unknown_VTable_Call
loc_004047A7: var_28 = arg_8.MousePointer
loc_004047AF: var_44 = var_28
loc_004047DE: var_20 = CLng(var_28)
loc_004047EC: var_eax = %fobj
loc_004047F7: If var_24 <> 0 Then GoTo loc_00404815
loc_00404810: ecx = CInt(1)
loc_00404815: 'Referenced from: 004047F7
loc_00404815: GoTo loc_00404830
loc_0040482B: ecx = False
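In X64DBG, set a breakpoint at 00404747; looking at the code we find the following:
We found the key value: 0x2C2FAE (decimal: 2895790). 2895790 is the registration code for the third mode, Long.
The fourth mode, Currency, should as I understand it be currency-format data, but here it behaves differently. We found the key value in the program: 0x8180754 (decimal: 135792468). Entering the number 135792468 ought to register, but it does not. Tracing shows that after the program calls VBA_vbaCyStr the value becomes 1357924680000, i.e. four zeros are appended to it. After several tries I found that when the floating-point number 13579.2468 is entered, the data in memory after VBA_vbaCyStr is 135792468, so the registration code for the fourth mode is 13579.2468. (Summary: in the VB Currency format the last four digits are the decimal places; if there are no decimal places, zeros are used as placeholders.)
The remaining modes are much the same: each pushes data of its own data type and compares it with the value we entered. Mode 5, Single: the registration code is 9764317691904. Mode 6, Double: the registration code is 147258369789456000. Mode 7, Integer: the registration code is 23535. Mode 8, BYTE: the registration code is 239.
From this crackme we can learn how VB's various data types are stored in memory; I guess the next few crackmes in the series will be related to this.
The Eternal Bliss series has 7 crackmes in total, in the following floors.
160 CrackMes No. 057 (Eternal Bliss.exe): top floor
160 CrackMes No. 058 (Eternal Bliss.1.exe): floor 2
160 CrackMes No. 059 (Eternal Bliss.2.exe): floor 3
160 CrackMes No. 060 (Eternal Bliss.3.exe): floor 5
160 CrackMes No. 061 (Eternal Bliss.4.exe): floor 6
160 CrackMes No. 062 (Eternal Bliss.9.exe): floor 7
160 CrackMes No. 063 (Eternal Bliss.10.exe): floor 8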
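Added example (not part of the original post and not code from the crackme): a Python sketch of the storage forms described in the post above, showing why typing 13579.2468 rather than 135792468 yields the Currency constant 0x8180754. The function names are hypothetical, and the rounding applied to a fifth decimal digit is an assumption.

```python
import struct
from decimal import Decimal, ROUND_HALF_EVEN

CY_SCALE = 10_000  # Currency: 64-bit integer with four implied decimal places


def currency_raw(text):
    """Signed 64-bit integer that a Currency value typed as `text` is stored as."""
    # Rounding of a fifth decimal digit is an assumption of this sketch.
    scaled = (Decimal(text) * CY_SCALE).quantize(Decimal(1), rounding=ROUND_HALF_EVEN)
    raw = int(scaled)
    if not -(2 ** 63) <= raw < 2 ** 63:
        raise OverflowError("value does not fit a 64-bit Currency")
    return raw


def memory_images():
    """Little-endian byte images of the constants quoted in the post."""
    return {
        "Long": struct.pack("<i", 0x2C2FAE),
        "Currency": struct.pack("<q", currency_raw("13579.2468")),
        "Single": struct.pack("<f", 9764317691904.0),
        "Double": struct.pack("<d", 147258369789456000.0),
        "Integer": struct.pack("<h", 23535),
        "Byte": struct.pack("<B", 239),
    }


def exactly_representable(value, fmt):
    """True if `value` survives a round trip through the IEEE format `fmt`."""
    return struct.unpack(fmt, struct.pack(fmt, float(value)))[0] == value


if __name__ == "__main__":
    print(hex(currency_raw("13579.2468")))   # the constant found in the binary
    print(currency_raw("135792468"))         # what the plain integer turns into
    for name, image in memory_images().items():
        print(f"{name:8} {image.hex(' ')}")
```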
This post was last edited by pk8900 on 2017-12-30 17:44
160 CrackMes No. 060 (Eternal Bliss .03 .exe): static analysis + tidied code
After tidying the code from VB Decompiler, the code is as follows:
Private Sub Command1_Click()
var_4C = &HAF6DB9
var_48 = &H7FFFFFFF
var_20 = &H52 ' 52:'R'
var_44 = &H65 '65:'e'
var_50 = &H76 ' 76:'v'
var_34 = &H72 ' 72:'r'
var_3C = &H73 ' 73:'s'
var_10C = 1
var_114 = 2
loc_00402B93: var_54 = Text1.Text
loc_00402C27: For var_30 = 1 To Len(var_54) Step 1
loc_00402D0B: var_A4 = Mid(var_54, CLng(var_30), 1)
loc_00402D2C: var_40 = var_40 + Asc(CStr(var_A4))
loc_00402D2E: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402D78: Next var_30
loc_00402D93: var_20 = var_20 + var_44
loc_00402D96: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402D9C: var_20 = var_20 + var_50
loc_00402D9F: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402DA5: var_20 = var_20 + var_44
loc_00402DA8: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402DAE: var_20 = var_20 + var_34
loc_00402DB1: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402DB7: var_20 = var_20 + var_3C
loc_00402DBA: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402DC0: var_20 = var_20 + var_44
loc_00402DC3: If Err.Number <> 0 Then GoTo loc_0040382D
loc_00402DD2: If var_20 <> var_40 Then GoTo Wrong
loc_00402F76: var_A4 = Mid(var_54, 2, 1)
loc_00402FC9: var_D4 = Mid(var_54, 4, 1)
loc_0040301C: var_104 = Mid(var_54, 7, 1)
loc_00403115: If Asc(var_A4) <> var_44 Or Asc(var_D4) <> var_44 Or Asc(var_104) <> var_44 Then GoTo Wrong
loc_0040317E: MsgBox "You have cracked it!!"
loc_0040348C: GoTo loc_0040375C
Wrong: 'Referenced from: 00402DD2
loc_004034C2: MsgBox "Wrong! Try Again!!"
loc_0040375C: Exit Sub
loc_00403766: GoTo loc_004037ED
loc_004037EC: Exit Sub
loc_004037ED: 'Referenced from: 00403766
loc_0040382D:
End Sub
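In this section the values accumulated into var_20 are R, e, v, e, r, s, e, and the total is compared with the accumulated value of the registration code we enter, so the final registration value can be: Reverse
VB Decompiler does not decompile a few places accurately, so the crackme has to be debugged dynamically: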
loc_00402EC2: var_eax = frmAbout.Label3 'Ignore this
loc_00402EEA: var_64 = frmAbout.Label3.MousePointer
loc_00402EF2: var_14C = var_64
loc_00402F42: var_18C = var_54
loc_00402F52: var_7C = var_18C
loc_00402F76: var_A4 = Mid(var_18C, 2, 1)
loc_00402F92: var_190 = var_5C
loc_00402FA2: var_AC = var_190
loc_00402FC9: var_D4 = Mid(var_190, 4, 1)
loc_00402FE5: var_194 = var_64
loc_00402FF5: var_DC = var_194
loc_0040301C: var_104 = Mid(var_194, 7, 1)
loc_0040302C: var_58 = CStr(var_A4)
loc_0040303A: Asc(var_58) = Asc(var_58) - var_44
loc_00403041: esi = Asc(var_58) + 1
loc_0040304F: var_60 = CStr(var_D4)
loc_0040305D: Asc(var_60) = Asc(var_60) - var_44
loc_00403064: eax = Asc(var_60) + 1
loc_00403075: var_68 = CStr(var_104)
loc_00403083: Asc(var_68) = Asc(var_68) - var_44
loc_0040308A: eax = Asc(var_68) + 1
loc_00403090: var_150 = Asc(var_68) + 1
loc_00403104: call undef 'Ignore this '__vbaFreeVarList(00000009, var_84, var_94, var_A4, var_B4, var_C4, var_D4, var_E4, var_F4, var_104)
loc_00403115: If var_150 = 0 Then GoTo loc_00403491
In the debugger, this code looks like this:
0040302C | E8 19 E2 FF FF | call <eterna._vbaStrVarVal> | var_58=CStr(var_A4)
00403031 | 50 | push eax |
00403032 | E8 19 E2 FF FF | call <eterna.rtcAnsiValueBstr> |
00403037 | 0F BF F0 | movsx esi, ax |
0040303A | 2B 75 BC | sub esi, dword ptr ss: |
0040303D | F7 DE | neg esi |
0040303F | 1B F6 | sbb esi, esi |
00403041 | 46 | inc esi | esi=Asc(Asc(var_58)-var_44)+1
00403042 | F7 DE | neg esi |
00403044 | 8D 85 2C FF FF FF | lea eax, dword ptr ss: |
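This code compares var_A4 with var_44: if they differ the result is 0, and if they are the same the result is -1. The next two comparisons work the same way. The three results are accumulated with a bitwise addition operation; if any one of them is 0 the final result is 0 and registration fails. So the 2nd, 4th and 7th characters are e (var_44='e'). Reverse satisfies this condition.
The division comparison at the end of the crackme has no real meaning; it is unrelated to the serial we enter and can be left out.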
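Added example (not part of the original post): a Python model of the check described in the post above, including a register-level emulation of the sub/neg/sbb/inc/neg sequence at 0040303A..00403042 that turns "equal" into -1 and "different" into 0. The function names are hypothetical; combining the three flags with AND and rejecting inputs shorter than seven characters are assumptions of this sketch.

```python
MASK = 0xFFFFFFFF  # 32-bit register width

# Character codes added into var_20 in the tidied listing: R e v e r s e
TARGET = [0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65]


def vb_equal_flag(a, b):
    """Emulate the branchless compare: returns -1 if a == b, otherwise 0."""
    esi = (a - b) & MASK              # sub esi, [var_44]
    carry = 1 if esi != 0 else 0      # neg sets CF when its operand is non-zero
    esi = (-esi) & MASK               # neg esi
    esi = (esi - esi - carry) & MASK  # sbb esi, esi  -> 0 or 0xFFFFFFFF
    esi = (esi + 1) & MASK            # inc esi       -> 1 if equal, 0 if not
    esi = (-esi) & MASK               # neg esi       -> 0xFFFFFFFF if equal
    return -1 if esi == MASK else 0   # read as signed: VB True is -1


def check_060(serial):
    """Model of both conditions: character-code sum, then positions 2, 4 and 7."""
    if len(serial) < 7:
        return False  # assumption: Mid(..., 7, 1) on a short string ends in failure
    # The sum is order-insensitive, so it does not pin down a single string.
    if sum(ord(ch) for ch in serial) != sum(TARGET):
        return False
    flags = -1
    for position in (2, 4, 7):        # 1-based, as in Mid()
        flags &= vb_equal_flag(ord(serial[position - 1]), 0x65)
    return flags != 0


if __name__ == "__main__":
    for candidate in ("Reverse", "Reversf", "eeverRs"):
        print(candidate, check_060(candidate))
```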
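This post was last edited by pk8900 on 2017-12-30 17:44
160 CrackMes No. 059 (Eternal Bliss .02 .exe): static analysis + tidied code
From VB Decompiler's decompilation of this crackme, the program's main code is concentrated in the Private Sub Command1_Click() event and decompiles very clearly. There are four loops in total that read characters, accumulate them and compare them against combinations of fixed strings; the fixed strings are combined into 5 groups. Converting them to ASCII and finding the character for each ASCII value gives the string "This is the correct code", which is the final registration code. For this kind of program you can tidy the code decompiled by VB Decompiler and then build a program in VB, which gives you the crackme's source; with suitable modification it can be made into a keygen.
The tidied VB source is as follows: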
Private Sub Command1_Click()
loc_00402B64: var_6C = "10511532"
loc_00402B89: var_AC = "10132"
loc_00402B90: On Error Resume Next
loc_00402BB2: var_3C = "116104"
loc_00402BD7: var_BC = "1141019911632"
loc_00402BFC: var_DC = CInt(1)
loc_00402C1E: var_4C = "84104"
loc_00402C43: var_8C = "99111"
loc_00402C68: var_9C = "114"
loc_00402C8D: var_CC = "100101"
loc_00402CC8: var_168 = Form1.Text1.Text
loc_00402E34: For var_2C = 1 To 5 Step 1
loc_00402F17: var_118 = Mid(var_168, CLng(var_2C), 1)
loc_00402F2A: var_E4 = CStr(var_118)
loc_00402F62: var_7C = var_7C & Asc(var_E4)
loc_00402FAE: Next var_2C
loc_00402FB3:
loc_00402FEF: var_E4 = CStr(var_4C & var_6C) '8410410511532
loc_00403026: If Err.Number <> 0 Then GoTo loc_004043E9
loc_00403042: var_DC = (Val(CStr(var_7C)) - var_E4)
loc_00403088: 'If (var_DC = False) = 0 Then GoTo loc_004030D0
loc_004030AA: var_DC = CInt(1)
loc_004030C9: var_7C = False
loc_004030CE: GoTo loc_004030D5
loc_004030D0: 'Referenced from: 00403088
loc_004030D1: GoTo loc_0040403E
loc_004030D5: 'Referenced from: 004030CE
loc_00403138: For var_2C = 6 To 8 Step 1
loc_00403186: var_168 = Form1.Text1.Text
loc_0040321B: var_118 = Mid(var_168, CLng(var_2C), 1)
loc_0040322E: var_E4 = CStr(var_118)
loc_00403266: var_7C = var_7C & Asc(var_E4)
loc_004032B2: Next var_2C
loc_004032BD: 'Referenced from: 00403143
loc_004032E0: var_E4 = CStr(var_6C) '10511532
loc_00403317: If Err.Number <> 0 Then GoTo loc_004043E9
loc_00403333: var_DC = (Val(CStr(var_7C)) - var_E4)
loc_00403379: 'If (var_DC = False) = 0 Then GoTo loc_004033C1
loc_0040339B: var_DC = CInt(1)
loc_004033BA: var_7C = False
loc_004033BF: GoTo loc_004033C6
loc_004033C1: GoTo loc_0040403E
loc_004033C6: 'Referenced from: 004033BF
loc_00403429: For var_2C = 9 To 12 Step 1
loc_0040346F: var_E0 = Form1.Text1.Text
loc_00403477: var_168 = var_E0
loc_004034CA: var_234 = var_E0
loc_004034DD: var_F0 = var_234
loc_0040350C: var_118 = Mid(var_234, CLng(var_2C), 1)
loc_0040351F: var_E4 = CStr(var_118)
loc_00403557: var_7C = var_7C & Asc(var_E4)
loc_004035A3: Next var_2C
loc_004035AE: 'Referenced from: 00403434
loc_004035E7: var_E4 = CStr(var_3C & var_AC) '11610410132
loc_0040361E: If Err.Number <> 0 Then GoTo loc_004043E9
loc_0040363A: var_DC = (Val(CStr(var_7C)) - var_E4)
loc_00403680: 'If (var_DC = False) = 0 Then GoTo loc_004036C8
loc_004036A2: var_DC = CInt(1)
loc_004036C1: var_7C = False
loc_004036C6: GoTo loc_004036CD
loc_004036C8: GoTo loc_0040403E
loc_004036CD: 'Referenced from: 004036C6
loc_00403730: For var_2C = 13 To 20 Step 1
loc_00403735:
loc_00403776: var_168 = Form1.Text1.Text
loc_00403813: var_118 = Mid(var_168, CLng(var_2C), 1)
loc_00403826: var_E4 = CStr(var_118)
loc_0040385E: var_7C = var_7C & Asc(var_E4)
loc_004038AA: Next var_2C
loc_00403910: var_E4 = CStr(var_8C & var_9C & var_BC)'991111141141019911632
loc_00403947: If Err.Number <> 0 Then GoTo loc_004043E9
loc_00403963: var_DC = (Val(CStr(var_7C)) - var_E4)
loc_004039A9: 'If (var_DC = False) = 0 Then GoTo loc_004039F1
loc_004039CB: var_DC = CInt(1)
loc_004039EA: var_7C = False
loc_004039EF: GoTo loc_004039F6
loc_004039F1: GoTo loc_0040403E
loc_004039F6: 'Referenced from: 004039EF
loc_00403A40: var_168 = Form1.Text1.Text '
loc_00403AD7: For var_2C = 21 To Len(var_168) Step 1
loc_00403AF8:' GoTo loc_00403C72
loc_00403AFD:
loc_00403BD0: var_118 = Mid(var_168, CLng(var_2C), 1)
loc_00403BE3: var_E4 = CStr(var_118)
loc_00403BEE: var_140 = Asc(var_E4)
loc_00403C1B: var_7C = var_7C & Asc(var_E4)
loc_00403C67: Next var_2C
loc_00403C94: var_F8 = var_8C & var_CC '99111100101
loc_00403CAE: var_E4 = CStr(var_F8)
loc_00403CE5: If Err.Number <> 0 Then GoTo loc_004043E9
loc_00403D01: var_DC = (Val(CStr(var_7C)) - var_E4)
loc_00403D47: If (var_DC = False) = 0 Then GoTo loc_0040403E
loc_00403D55: MsgBox "You have solved it! Good Work!"
loc_00403D89:
loc_0040403E: 'Referenced from: 004030D0 This is the correct code
loc_00404046: MsgBox "Wrong! Try Again!!"
loc_004040BE: 'Referenced from: 00402DCC
loc_004042B0: 'Referenced from: 00404039
loc_00404307: 'Referenced from: 004042BB
loc_004043E9:
End Sub
With a few changes on this basis, a keygen can be made.
This post was last edited by pk8900 on 2017-12-30 00:26
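Added example (not part of the original post): a Python sketch for the No. 059 listing above that splits the fixed digit strings back into characters, which is the "convert to ASCII" step the post describes. The names CONSTANTS, GROUPS, encode, decode and expected_input are hypothetical; the string values and their grouping are taken from the listing.

```python
# Fixed strings assigned at loc_00402B64..loc_00402C8D in the listing above.
CONSTANTS = {
    "var_6C": "10511532", "var_AC": "10132", "var_3C": "116104",
    "var_BC": "1141019911632", "var_4C": "84104", "var_8C": "99111",
    "var_9C": "114", "var_CC": "100101",
}
# Concatenations compared after each loop (chars 1-5, 6-8, 9-12, 13-20, 21-end).
GROUPS = [("var_4C", "var_6C"), ("var_6C",), ("var_3C", "var_AC"),
          ("var_8C", "var_9C", "var_BC"), ("var_8C", "var_CC")]


def encode(text):
    """What the loops build in var_7C: decimal character codes joined together."""
    return "".join(str(ord(ch)) for ch in text)


def decode(digits):
    """Split concatenated decimal codes back into printable ASCII."""
    out, i = [], 0
    while i < len(digits):
        # Printable codes are 32..99 (two digits) or 100..126 (three digits),
        # so a leading '1' always means a three-digit code.
        width = 3 if digits[i] == "1" else 2
        chunk = digits[i:i + width]
        if len(chunk) != width or not chunk.isdigit() or not 32 <= int(chunk) <= 126:
            raise ValueError(f"not a printable ASCII code at offset {i}: {chunk!r}")
        out.append(chr(int(chunk)))
        i += width
    return "".join(out)


def expected_input():
    """Decode every comparison group and join the pieces in loop order."""
    return "".join(decode("".join(CONSTANTS[n] for n in group)) for group in GROUPS)


if __name__ == "__main__":
    print(repr(expected_input()))
```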
160 CrackMes No. 058 (Eternal Bliss.1.exe)
Static analysis directly with VB Decompiler
loc_00403101: var_20 = Label3.MousePointer
loc_00403137: var_40 = (var_20 = "use hexeditor to look for hardcoded codes")
loc_00403152: If var_40 = 0 Then GoTo loc_00403555
'.............................................................................................................
loc_00403550: GoTo loc_004036E7
loc_00403555: 'Referenced from: 00403152
loc_00403555: call var_2C(var_00402630, 00000094h, var_2C, var_2C, var_2C, var_2C)
loc_0040355C: Set var_2C = var_2C(var_00402630, 00000094h, var_2C, var_2C, var_2C, var_2C)
loc_00403569: Label4.MousePointer = "Yes! You have solved it!!"
loc_00403592: call var_2C(var_2C)
loc_00403599: Set var_2C = var_2C(var_2C)
loc_004035A2: Label4.Height = 0
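From this statement: var_40 = (var_20 = "use hexeditor to look for hardcoded codes") we know that the real registration code is: "use hexeditor to look for hardcoded codes"
Thanks for sharing, upvoted
160 CrackMes No. 061
This post was last edited by pk8900 on 2017-12-30 20:29
The code for this crackme in VB Decompiler is very hard to read; the program flow can no longer be determined just from the VB Decompiler code. The detailed analysis is hard to lay out clearly, so I will just write down the program's registration workflow.
The serial has 3 parts in total, and three pieces of code in the program handle them: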
Code -> Form1 -> rout_403625
Code -> Form1 -> rout1_4039E3
Code -> Form1 -> rout2_403D55
These three pieces handle the three parts of the serial. The first part:
Read the system date:
loc_00403679: var_54 = Date
loc_00403698: var_64 = "Short Date"
loc_004036AD: var_74 = Format(var_54, var_64)
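Part one: this part is fairly clear. After reading the date, the program iterates over it and stops when it meets '/'. What has been extracted at that point is the year of the date (this depends on the time format setting of the computer; I changed the short date on my computer to YY/MM/DD format, and the current date is 17/12/30. With a date format that has no / separator, the program raises an error and jumps to the failure location). Here the program extracts the 17 from 17/12/30, and 17 is the first part of the serial.
Part two: add the 17 extracted in part one and the extracted month 12 to get 29, then multiply by the month 12, i.e. 348
Part three: the part-two value 348 plus the day 30 from 17/12/30 = 378, then multiplied by the day 30, i.e. 11340
Put together, the serial is: 17348 11340
Also: in each of the check routines, if the last character we enter is the symbol ".", the routine returns the value we entered + 1. If we enter 16. it returns 17, so the serial can also be: 16. 347. 11339.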
var_54 = Right(var_2C, 1)
loc_004038F7: var_98 = (var_54 = &H4027B0)
loc_00403901: call undef 'Ignore this '__vbaFreeVar(arg_8, var_AC, var_BC)
loc_0040390F: If var_98 = 0 Then GoTo loc_0040394F
loc_00403937: var_ret_3 = CLng(var_2C + 1)
loc_00403948: call undef 'Ignore this '__vbaFreeVar
loc_0040394D: GoTo loc_00403961
loc_0040394F: 'Referenced from: 0040390F
loc_00403953: var_ret_4 = CLng(var_2C)
Here we can see that one return is ret_4 = CLng(var_2C) and the other is ret_3 = CLng(var_2C + 1)
160 CrackMes No. 062: tidied disassembly code
This post was last edited by pk8900 on 2017-12-30 21:57
The disassembly code from VB Decompiler, tidied up, is as follows:
Private Sub Command1_Click() '403B40
loc_00403BC2: var_B4 = Text1.Text
loc_00403BCA: var_160 = var_B4
loc_00403C09: var_1B8 = var_B4
loc_00403C1C: var_CC = var_1B8
loc_00403C69: var_B8 = Text2.Text
loc_00403C71: var_168 = var_B8
loc_00403CB0: var_1BC = var_B8
loc_00403CC3: var_EC = var_1BC
loc_00403CEF: var_ret_1 = (var_1B8 = var_124)
loc_00403D22: var_16C = CBool(var_114 Or (var_1BC = var_134))
loc_00403D62: If var_16C = 0 Then GoTo loc_00403E1C
loc_00403DC5: var_11C = var_48
loc_00403DF3: MsgBox "NULL"
loc_00403E17: GoTo loc_004045EF
loc_00403E1C: 'Referenced from: 00403D62
loc_00403EC5: var_68 = Text1.Text
loc_00403F41: For var_7C = 1 To Len(var_68) Step 2
loc_00403FC6: var_44 = CStr(Asc(CStr(Mid(var_68, CLng(var_7C), 1))))
var_28 = 0
loc_0040404B: For var_8C = 1 To Len(var_44) Step 1
loc_004040A4: var_E4 = Mid(var_44, CLng(var_8C), 1)
loc_004040D5: var_28 = var_28 + CInt(var_E4)
loc_004040F8: Next var_8C
loc_004041C6: var_B0 = var_B0 & CStr(var_28) & Mid(var_68, CLng(var_7C + 1), 1)
loc_0040421A: Next var_7C
loc_00404268: var_B4 = Text2.Text
Text2.Text = var_B0
loc_004043A7: If (var_B0 <> CStr(var_B4)) Then GoTo loc_004044D2
MsgBox "Great Work..."
loc_004044CD: GoTo loc_004045EF
loc_004044D2: 'Referenced from: 004043A7
loc_004045CB: MsgBox "Nope. That is not the code to register."
loc_004045EF: 'Referenced from: 00403E17
loc_004045FB: GoTo loc_00404662
loc_00404661: Exit Sub
loc_00404662: 'Referenced from: 004045FB
End Sub
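The code above can both simulate the program's execution flow and generate registration codes: user name: 52pojie.cn, registration code: 824o7i2.18n
160 CrackMes No. 063
This post was last edited by pk8900 on 2017-12-30 20:52
This one is a VC++ program
There is no algorithm to speak of:
The registration code is: "Correct...Error"
Comparison location: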
004015BD | C6 45 FC 05 | mov byte ptr ss:, 5 |
004015C1 | 8B 00 | mov eax, dword ptr ds: |
004015C3 | 8B 0E | mov ecx, dword ptr ds: |
004015C5 | 50 | push eax |
004015C6 | 51 | push ecx |
004015C7 | FF 15 F8 43 40 00 | call dword ptr ds:[<&mbscmp>] |
@pk8900 Could you share your x64dbg skin?
这只猪 posted on 2017-12-30 09:50
@pk8900 Could you share your x64dbg skin?
I also found it by searching the forum; you can search for it.