一款 AfKayAs CrackMe #1 的算法分析
本帖最后由 wbz_007 于 2019-6-18 10:54 编辑AfKayAs CrackMe #1
vb 无壳
追码,发现是明码,无聊!
如果只是一味想追明码,技能永远不能提高,何况现在的软件有几个明码,所以,分析算法才是硬道理,此 AfKayAs CrackMe #1 ,适合练手,分析如下:
vb程序,查找字符或者下断BP rtcMsgBox,输入假码运行程序,断下,堆锥窗口右键返回,找到段首,程序如下:
00402310 > \55 push ebp
00402311 .8BEC mov ebp, esp
00402313 .83EC 0C sub esp, 0xC
00402316 .68 26104000 push <jmp.&MSVBVM50.__vbaExceptHandle>;SE 处理程序安装
0040231B .64:A1 0000000>mov eax, dword ptr fs:
00402321 .50 push eax
00402322 .64:8925 00000>mov dword ptr fs:, esp
00402329 .81EC B0000000 sub esp, 0xB0
0040232F .53 push ebx
00402330 .56 push esi
00402331 .8B75 08 mov esi, dword ptr ss:
00402334 .57 push edi
00402335 .8BC6 mov eax, esi
00402337 .83E6 FE and esi, 0xFFFFFFFE
0040233A .8965 F4 mov dword ptr ss:, esp
0040233D .83E0 01 and eax, 0x1
00402340 .8B1E mov ebx, dword ptr ds:
00402342 .C745 F8 08104>mov dword ptr ss:, AfKayAs_>
00402349 .56 push esi
0040234A .8945 FC mov dword ptr ss:, eax
0040234D .8975 08 mov dword ptr ss:, esi
00402350 .FF53 04 call near dword ptr ds:
00402353 .8B83 10030000 mov eax, dword ptr ds:
00402359 .33FF xor edi, edi
0040235B .56 push esi
0040235C .897D E8 mov dword ptr ss:, edi
0040235F .897D E4 mov dword ptr ss:, edi
00402362 .897D E0 mov dword ptr ss:, edi
00402365 .897D DC mov dword ptr ss:, edi
00402368 .897D D8 mov dword ptr ss:, edi
0040236B .897D D4 mov dword ptr ss:, edi
0040236E .897D C4 mov dword ptr ss:, edi
00402371 .897D B4 mov dword ptr ss:, edi
00402374 .897D A4 mov dword ptr ss:, edi
00402377 .897D 94 mov dword ptr ss:, edi
0040237A .8985 40FFFFFF mov dword ptr ss:, eax
00402380 .FFD0 call near eax
00402382 .8D4D D4 lea ecx, dword ptr ss:
00402385 .50 push eax
00402386 .51 push ecx
00402387 .FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaObjSet
0040238D .8B9B 00030000 mov ebx, dword ptr ds:
00402393 .56 push esi
00402394 .8985 50FFFFFF mov dword ptr ss:, eax
0040239A .899D 3CFFFFFF mov dword ptr ss:, ebx
004023A0 .FFD3 call near ebx
004023A2 .8D55 DC lea edx, dword ptr ss:
004023A5 .50 push eax
004023A6 .52 push edx
004023A7 .FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaObjSet
004023AD .8BD8 mov ebx, eax
004023AF .8D4D E8 lea ecx, dword ptr ss:
004023B2 .51 push ecx
004023B3 .53 push ebx
004023B4 .8B03 mov eax, dword ptr ds:
004023B6 .FF90 A0000000 call near dword ptr ds:
004023BC .3BC7 cmp eax, edi
004023BE .7D 12 jge short AfKayAs_.004023D2
004023C0 .68 A0000000 push 0xA0
004023C5 .68 5C1B4000 push AfKayAs_.00401B5C
004023CA .53 push ebx
004023CB .50 push eax
004023CC .FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
004023D2 >56 push esi
004023D3 .FF95 3CFFFFFF call near dword ptr ss:
004023D9 .8D55 D8 lea edx, dword ptr ss:
004023DC .50 push eax
004023DD .52 push edx
004023DE .FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaObjSet
004023E4 .8BD8 mov ebx, eax
004023E6 .8D4D E4 lea ecx, dword ptr ss:
004023E9 .51 push ecx
004023EA .53 push ebx
004023EB .8B03 mov eax, dword ptr ds:
004023ED .FF90 A0000000 call near dword ptr ds:
004023F3 .3BC7 cmp eax, edi
004023F5 .7D 12 jge short AfKayAs_.00402409
004023F7 .68 A0000000 push 0xA0
004023FC .68 5C1B4000 push AfKayAs_.00401B5C
00402401 .53 push ebx
00402402 .50 push eax
00402403 .FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
00402409 >8B95 50FFFFFF mov edx, dword ptr ss:
0040240F .8B45 E4 mov eax, dword ptr ss: ;用户名
00402412 .50 push eax ; /String
00402413 .8B1A mov ebx, dword ptr ds: ; |
00402415 .FF15 E4404000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaLenBstr
0040241B .8BF8 mov edi, eax ;取用户名位数放edi=eax
0040241D .8B4D E8 mov ecx, dword ptr ss: ;用户名放ecx
00402420 .69FF FB7C0100 imul edi, edi, 0x17CFB ;edi=用户名长度的十六进制乘以17cfb
00402426 .51 push ecx ; /String
00402427 .0F80 91020000 jo AfKayAs_.004026BE ; |
0040242D .FF15 F8404000 call near dword ptr ds:[<&MSVBVM50.#5>; \rtcAnsiValueBstr
00402433 .0FBFD0 movsx edx, ax ;ax=edx取用户名的第一位字符的十六进制
00402436 .03FA add edi, edx ;edi=edi+edx(用户名长度的十六进制乘以17cfb后 再加上用户名的第一位字符十六进制值)
00402438 .0F80 80020000 jo AfKayAs_.004026BE
0040243E .57 push edi
0040243F .FF15 E0404000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaStrI4
00402445 .8BD0 mov edx, eax
00402447 .8D4D E0 lea ecx, dword ptr ss:
0040244A .FF15 70414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaStrMove
00402450 .8BBD 50FFFFFF mov edi, dword ptr ss:
00402456 .50 push eax
00402457 .57 push edi
00402458 .FF93 A4000000 call near dword ptr ds:
0040245E .85C0 test eax, eax
00402460 .7D 12 jge short AfKayAs_.00402474
00402462 .68 A4000000 push 0xA4
00402467 .68 5C1B4000 push AfKayAs_.00401B5C
0040246C .57 push edi
0040246D .50 push eax
0040246E .FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
00402474 >8D45 E0 lea eax, dword ptr ss:
00402477 .8D4D E4 lea ecx, dword ptr ss:
0040247A .50 push eax
0040247B .8D55 E8 lea edx, dword ptr ss:
0040247E .51 push ecx
0040247F .52 push edx
00402480 .6A 03 push 0x3
00402482 .FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeStrList
00402488 .83C4 10 add esp, 0x10 ;esp加10=esp
0040248B .8D45 D4 lea eax, dword ptr ss:
0040248E .8D4D D8 lea ecx, dword ptr ss:
00402491 .8D55 DC lea edx, dword ptr ss:
00402494 .50 push eax
00402495 .51 push ecx
00402496 .52 push edx
00402497 .6A 03 push 0x3 ;压入3
00402499 .FF15 F4404000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeObjList
0040249F .8B06 mov eax, dword ptr ds:
004024A1 .83C4 10 add esp, 0x10 ;esp加10=esp
004024A4 .56 push esi
004024A5 .FF90 04030000 call near dword ptr ds:
004024AB .8B1D 0C414000 mov ebx, dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaObjSet
004024B1 .50 push eax
004024B2 .8D45 DC lea eax, dword ptr ss:
004024B5 .50 push eax
004024B6 .FFD3 call near ebx ;<&MSVBVM50.__vbaObjSet>
004024B8 .8BF8 mov edi, eax
004024BA .8D55 E8 lea edx, dword ptr ss:
004024BD .52 push edx
004024BE .57 push edi
004024BF .8B0F mov ecx, dword ptr ds:
004024C1 .FF91 A0000000 call near dword ptr ds:
004024C7 .85C0 test eax, eax
004024C9 .7D 12 jge short AfKayAs_.004024DD
004024CB .68 A0000000 push 0xA0
004024D0 .68 5C1B4000 push AfKayAs_.00401B5C
004024D5 .57 push edi
004024D6 .50 push eax
004024D7 .FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
004024DD >56 push esi
004024DE .FF95 40FFFFFF call near dword ptr ss:
004024E4 .50 push eax
004024E5 .8D45 D8 lea eax, dword ptr ss:
004024E8 .50 push eax
004024E9 .FFD3 call near ebx
004024EB .8BF0 mov esi, eax
004024ED .8D55 E4 lea edx, dword ptr ss:
004024F0 .52 push edx
004024F1 .56 push esi
004024F2 .8B0E mov ecx, dword ptr ds:
004024F4 .FF91 A0000000 call near dword ptr ds:
004024FA .85C0 test eax, eax
004024FC .7D 12 jge short AfKayAs_.00402510
004024FE .68 A0000000 push 0xA0
00402503 .68 5C1B4000 push AfKayAs_.00401B5C
00402508 .56 push esi
00402509 .50 push eax
0040250A .FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
00402510 >8B45 E8 mov eax, dword ptr ss: ;假码给eax
00402513 .8B4D E4 mov ecx, dword ptr ss: ;ecx=edi=用户名长度的十六进制乘以17cfb 再加用户名的第一位字符十六进制值
00402516 .8B3D 00414000 mov edi, dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaStrCat
0040251C .50 push eax ;压入假码
0040251D .68 701B4000 push AfKayAs_.00401B70 ;压入AKA-(作者的预设字符)
00402522 .51 push ecx ; /压入用户名长度的十六进制乘以17cfb 再加用户名的第一位字符十六进制值(真码)
00402523 .FFD7 call near edi ; \__vbaStrCat
00402525 .8B1D 70414000 mov ebx, dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaStrMove
0040252B .8BD0 mov edx, eax
0040252D .8D4D E0 lea ecx, dword ptr ss:
00402530 .FFD3 call near ebx ;<&MSVBVM50.__vbaStrMove>
00402532 .50 push eax
00402533 .FF15 28414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaStrCmp
00402539 .8BF0 mov esi, eax
0040253B .8D55 E0 lea edx, dword ptr ss:
0040253E .F7DE neg esi
00402540 .8D45 E8 lea eax, dword ptr ss:
00402543 .52 push edx
00402544 .1BF6 sbb esi, esi
00402546 .8D4D E4 lea ecx, dword ptr ss:
00402549 .50 push eax
0040254A .46 inc esi
0040254B .51 push ecx
0040254C .6A 03 push 0x3
0040254E .F7DE neg esi
00402550 .FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeStrList
00402556 .83C4 10 add esp, 0x10
00402559 .8D55 D8 lea edx, dword ptr ss:
0040255C .8D45 DC lea eax, dword ptr ss:
0040255F .52 push edx
00402560 .50 push eax
00402561 .6A 02 push 0x2
00402563 .FF15 F4404000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeObjList
00402569 .83C4 0C add esp, 0xC
0040256C .B9 04000280 mov ecx, 0x80020004
00402571 .B8 0A000000 mov eax, 0xA
00402576 .894D 9C mov dword ptr ss:, ecx
00402579 .66:85F6 test si, si
0040257C .8945 94 mov dword ptr ss:, eax
0040257F .894D AC mov dword ptr ss:, ecx
00402582 .8945 A4 mov dword ptr ss:, eax
00402585 .894D BC mov dword ptr ss:, ecx
00402588 .8945 B4 mov dword ptr ss:, eax
0040258B .74 58 je short AfKayAs_.004025E5 ;爆破点,跳就挂
0040258D .68 801B4000 push AfKayAs_.00401B80 ;UNICODE "You Get It"
00402592 .68 9C1B4000 push AfKayAs_.00401B9C ;ASCII "\r"
00402597 .FFD7 call near edi
00402599 .8BD0 mov edx, eax
算法:
第一部分:作者预设字符:AKA-
第二部分:也就是真码:用户名长度的十六进制乘以17cfb再加用户名的第一位字符的十六进制的值,最后的结果取10进制就是注册码。(注用户名不要用汉子)
两部分加在一起,便是注册码
付上练习文件 AfKayAs CrackMe #1 和 注册机 及易语言的 注册机工程文件
附件:
谢谢分享! 大佬。 谢谢分享/ 谢谢分享 {:1_918:},很不错 学习了 谢谢 感觉好高深 谢谢老大支持
谢谢分享!
页:
[1]