CrackMe reverse-engineering algorithm
Just write out the algorithm and you're done.
http://www.newrbl.com/attachment/Mon_1011/14_65_4c6e8e2a9a9f446.jpg
Reference
Unpack PECompact v2.xx in seconds
http://hi.baidu.com/hack8k/blog/item/d9621ddf717c4b196327988e.html
Reserving a spot to give it a try~
Reserving a spot to try the algorithm.
This post was last edited by 海天绯红 on 2010-11-24 15:41.
Looking at it makes my head spin.
All I know is this:
first the data is converted to decimal, and then the decimal numbers are used for something I can't tell. I can't follow the main algorithm part. Whoever understands it, please add comments.
004029D0 55 PUSH EBP
004029D1 8BEC MOV EBP,ESP
004029D3 83EC 0C SUB ESP,0C
004029D6 68 16114000 PUSH <JMP.&msvbvm60.__vbaExceptHandler> ; SE handler installation
004029DB 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004029E1 50 PUSH EAX
004029E2 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004029E9 83EC 58 SUB ESP,58 ; ESP=1298
004029EC 53 PUSH EBX
004029ED 56 PUSH ESI
004029EE 57 PUSH EDI
004029EF 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
004029F2 C745 F8 E8104000 MOV DWORD PTR SS:[EBP-8],004010E8
004029F9 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004029FC 8B35 90104000 MOV ESI,DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
00402A02 33C0 XOR EAX,EAX
00402A04 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00402A07 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00402A0A 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00402A0D 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
00402A10 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00402A13 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
00402A16 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
00402A19 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
00402A1C 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
00402A1F FFD6 CALL ESI ; <&msvbvm60.__vbaStrCopy>
00402A21 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00402A24 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00402A27 FFD6 CALL ESI
00402A29 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00402A2C 50 PUSH EAX
00402A2D E8 DE010000 CALL 00402C10
00402A32 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00402A35 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00402A38 51 PUSH ECX
00402A39 C745 C0 FFFFFFFF MOV DWORD PTR SS:[EBP-40],-1
00402A40 C745 B8 02000000 MOV DWORD PTR SS:[EBP-48],2
00402A47 FF15 30104000 CALL DWORD PTR DS:[<&msvbvm60.rtcRandomNext>] ; msvbvm60.rtcRandomNext
00402A4D 8B1D 0C104000 MOV EBX,DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
00402A53 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00402A56 DDD8 FSTP ST
00402A58 FFD3 CALL EBX ; <&msvbvm60.__vbaFreeVar>
00402A5A 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00402A5D 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00402A60 50 PUSH EAX
00402A61 8955 B0 MOV DWORD PTR SS:[EBP-50],EDX
00402A64 C745 A8 03400000 MOV DWORD PTR SS:[EBP-58],4003
00402A6B FF15 34104000 CALL DWORD PTR DS:[<&msvbvm60.rtcRandomize>] ; msvbvm60.rtcRandomize
00402A71 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
00402A74 51 PUSH ECX
00402A75 FF15 10104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaLenBstr>] ; msvbvm60.__vbaLenBstr
00402A7B 8BC8 MOV ECX,EAX ; get the length of the registration code
00402A7D FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4
00402A83 8B3D B4104000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
00402A89 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00402A8C B8 01000000 MOV EAX,1 ; set the initial value, prepare for the loop
00402A91 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00402A94 66:3B45 DC CMP AX,WORD PTR SS:[EBP-24] ; check the loop count
00402A98 0F8F FF000000 JG 00402B9D ; jump if greater
00402A9E 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28] ; 1298
00402AA1 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00402AA4 0FBFC0 MOVSX EAX,AX
00402AA7 52 PUSH EDX ; 0013F438
00402AA8 50 PUSH EAX
00402AA9 51 PUSH ECX
00402AAA C745 C0 01000000 MOV DWORD PTR SS:[EBP-40],1
00402AB1 C745 B8 02000000 MOV DWORD PTR SS:[EBP-48],2
00402AB8 FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr
00402ABE 8BD0 MOV EDX,EAX
00402AC0 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402AC3 FFD7 CALL EDI
00402AC5 50 PUSH EAX
00402AC6 FF15 1C104000 CALL DWORD PTR DS:[<&msvbvm60.rtcAnsiValueBstr>] ; msvbvm60.rtcAnsiValueBstr
00402ACC 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402ACF 8BF0 MOV ESI,EAX
00402AD1 FF15 C8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00402AD7 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00402ADA FFD3 CALL EBX
00402ADC 66:83FE 30 CMP SI,30 ; together with the check below: is it between 30 and 39 (ASCII), i.e. a digit 0-9?
00402AE0 0F8C A4000000 JL 00402B8A
00402AE6 66:83FE 39 CMP SI,39
00402AEA 0F8F 9A000000 JG 00402B8A
00402AF0 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00402AF3 66:83EE 30 SUB SI,30 ; then subtract 30, leaving the digit's actual value
00402AF7 52 PUSH EDX
00402AF8 C745 C0 04000280 MOV DWORD PTR SS:[EBP-40],80020004
00402AFF 0F80 FF000000 JO 00402C04
00402B05 C745 B8 0A000000 MOV DWORD PTR SS:[EBP-48],0A
00402B0C FF15 30104000 CALL DWORD PTR DS:[<&msvbvm60.rtcRandomNext>] ; msvbvm60.rtcRandomNext
00402B12 D95D A4 FSTP DWORD PTR SS:[EBP-5C]
00402B15 D945 A4 FLD DWORD PTR SS:[EBP-5C]
00402B18 D80D E0104000 FMUL DWORD PTR DS:[4010E0]
00402B1E DFE0 FSTSW AX
00402B20 A8 0D TEST AL,0D
00402B22 0F85 D7000000 JNZ 00402BFF
00402B28 FF15 B8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8IntI4>] ; msvbvm60.__vbaR8IntI4
00402B2E 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00402B31 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00402B34 FFD3 CALL EBX
00402B36 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
00402B39 B9 0A000000 MOV ECX,0A
00402B3E 0FBFC6 MOVSX EAX,SI
00402B41 03C2 ADD EAX,EDX
00402B43 0F80 BB000000 JO 00402C04
00402B49 99 CDQ
00402B4A F7F9 IDIV ECX ; /A
00402B4C 8BCA MOV ECX,EDX
00402B4E FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4
00402B54 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00402B57 66:05 3000 ADD AX,30
00402B5B 0F80 A3000000 JO 00402C04
00402B61 0FBFC0 MOVSX EAX,AX ; 32
00402B64 52 PUSH EDX
00402B65 50 PUSH EAX
00402B66 FF15 78104000 CALL DWORD PTR DS:[<&msvbvm60.rtcBstrFromAnsi>] ; msvbvm60.rtcBstrFromAnsi
00402B6C 8BD0 MOV EDX,EAX
00402B6E 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402B71 FFD7 CALL EDI
00402B73 50 PUSH EAX
00402B74 FF15 24104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
00402B7A 8BD0 MOV EDX,EAX
00402B7C 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00402B7F FFD7 CALL EDI
00402B81 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402B84 FF15 C8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00402B8A B8 01000000 MOV EAX,1
00402B8F 66:0345 E8 ADD AX,WORD PTR SS:[EBP-18]
00402B93 70 6F JO SHORT 00402C04
00402B95 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00402B98^ E9 F7FEFFFF JMP 00402A94
00402B9D 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00402BA0 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402BA3 FF15 90104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
00402BA9 9B WAIT
00402BAA 68 E92B4000 PUSH 00402BE9
00402BAF EB 22 JMP SHORT 00402BD3
00402BB1 F645 FC 04 TEST BYTE PTR SS:[EBP-4],4
00402BB5 74 09 JE SHORT 00402BC0
00402BB7 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402BBA FF15 C8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00402BC0 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
00402BC3 FF15 C8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00402BC9 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00402BCC FF15 0C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
00402BD2 C3 RETN
00402BD3 8B35 C8104000 MOV ESI,DWORD PTR DS:[<&msvbvm60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00402BD9 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00402BDC FFD6 CALL ESI ; <&msvbvm60.__vbaFreeStr>
00402BDE 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00402BE1 FFD6 CALL ESI
00402BE3 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00402BE6 FFD6 CALL ESI
00402BE8 C3 RETN
00402BE9 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00402BEC 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
00402BEF 5F POP EDI
00402BF0 5E POP ESI
00402BF1 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
00402BF8 5B POP EBX
00402BF9 8BE5 MOV ESP,EBP
00402BFB 5D POP EBP
00402BFC C2 0800 RETN 8
Posting it here; I'll go through it slowly when I have time.
Convert the resulting number back to hex, then append 00, and you get the encrypted data.
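Added example, not from the thread or the CrackMe: a Python model of the per-character loop in the listing (00402A94 to 00402B98). Assumptions: the single at 004010E0 holds 10.0, and VB6's Rnd is approximated by the 24-bit LCG below (the Rnd(-1)/Randomize seeding done before the loop, whose seed comes from CALL 00402C10 on the first argument, is not reproduced).

```python
# Added example (not the CrackMe's own code): the per-digit loop from the listing.
# The VB6 Rnd generator is approximated by a 24-bit LCG (constructed stand-in
# with the multiplier/increment VB6 is documented to use, started from the
# default seed); the Randomize(seed) call before the loop is NOT modelled here.

class Vb6Rnd:
    """Stand-in for msvbvm60.rtcRandomNext with no argument (Rnd)."""
    def __init__(self, seed=0x50000):
        self.seed = seed & 0xFFFFFF

    def rnd(self):
        # 24-bit LCG, returns a float in [0, 1)
        self.seed = (self.seed * 0x43FD43FD + 0xC39EC3) & 0xFFFFFF
        return self.seed / float(1 << 24)


def transform(text, rng):
    """Mirror of the loop body:
    rtcMidCharBstr / rtcAnsiValueBstr   -> one character, its ANSI code
    CMP SI,30 / CMP SI,39               -> keep only '0'..'9', else skip
    SUB SI,30                           -> digit value d
    rtcRandomNext, FMUL 10, R8IntI4     -> k = Int(Rnd * 10)   (10.0 assumed)
    ADD, IDIV ECX (ECX = 0A)            -> (d + k) mod 10
    ADD AX,30, rtcBstrFromAnsi, StrCat  -> append as a character
    Non-digit characters are dropped from the output entirely."""
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x30 or code > 0x39:
            continue                      # JL/JG to 00402B8A: next iteration
        d = code - 0x30
        k = int(rng.rnd() * 10)           # Int(Rnd * 10)
        out.append(chr((d + k) % 10 + 0x30))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input; only the digits survive and each is shifted
    # by the next PRNG value, so the "cipher" is a per-digit shift keyed by
    # a 24-bit generator state, which is why it reverses easily once seeded.
    print(transform("ab-0123", Vb6Rnd()))
```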