160 CrackMe series, No. 064 - execution (VB5 Native): algorithm analysis and keygen implementation
Last edited by solly on 2019-7-12 10:49.
160 CrackMe No. 064 - execution is a VB program compiled to native code (not p-code), and it is not packed.
Load the CrackMe in OD and press F9 to run it. It asks for a user name and a registration code; enter anything, as shown below:
After entering them, click "Register" to validate. Since the information is wrong, an error dialog pops up:
Since there is a string to go on, first check the string resources. For VB programs the string resources are Unicode, so right-click and use "Ultra String Reference" --> "2 Find UNICODE" to search the program's string resources. As shown below, we find the string we need:
Double-click that string to reach the location shown below:
The exact code location is:
0040DBFC >8B35 10F14000 mov esi, dword ptr [<&MSVBVM50.__vbaStrCat>] ;MSVBVM50.__vbaStrCat
0040DC02 .68 E8D44000 push 0040D4E8 ;you lamer!!! cant crack this?!
0040DC07 .68 6CD34000 push 0040D36C ; /\n\n
0040DC0C .FFD6 call esi ; \__vbaStrCat()
This is a string concatenation call that uses that string resource.
We trace backwards from here, as shown below:
On the line at 0x0040DBFC, right-click and choose "Go to" --> (je from 0040DB9C) to trace back to the location shown below:
Here we can see the reference to the success string "nice going!!! you cracked the crackme!". If the jump is not taken, registration succeeded, so the code from here upwards is the registration check. A little further up is the call to VB's string comparison function, at the location shown below:
Exact code location:
0040DB4C .8D4D D0 lea ecx, dword ptr
0040DB4F .FFD3 call ebx ;(MSVBVM50.__vbaStrMove)
0040DB51 .50 push eax ;StrCmp argument 1, eax ===> "17190",
0040DB52 .FF15 40F14000 call dword ptr [<&MSVBVM50.__vbaStrCmp>] ;MSVBVM50.__vbaStrCmp
0040DB58 .8BF0 mov esi, eax ;eax == 0, equal; eax == 1, not equal
This is a plaintext comparison of the registration code: eax points to the string "17190", which is the correct registration code.
Back in the CrackMe, enter the correct code "17190", as shown below:
Click "Register" again and the success message appears:
We have now found the registration check. Next we analyze the registration routine in detail; the complete listing is as follows:
0040D8F0 > \55 push ebp
0040D8F1 .8BEC mov ebp, esp
0040D8F3 .83EC 0C sub esp, 0C
0040D8F6 .68 36104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ;install SE handler
0040D8FB .64:A1 00000000 mov eax, dword ptr fs:
0040D901 .50 push eax
0040D902 .64:8925 00000000 mov dword ptr fs:, esp
0040D909 .81EC AC000000 sub esp, 0AC
0040D90F .53 push ebx
0040D910 .8B5D 08 mov ebx, dword ptr
0040D913 .8BC3 mov eax, ebx
0040D915 .56 push esi
0040D916 .83E3 FE and ebx, FFFFFFFE
0040D919 .57 push edi
0040D91A .8965 F4 mov dword ptr , esp
0040D91D .83E0 01 and eax, 1
0040D920 .8B33 mov esi, dword ptr
0040D922 .C745 F8 10104000 mov dword ptr , 00401010
0040D929 .53 push ebx
0040D92A .8945 FC mov dword ptr , eax
0040D92D .895D 08 mov dword ptr , ebx
0040D930 .FF56 04 call dword ptr ;ds:=740C25FE (MSVBVM50.BASIC_CLASS_AddRef)
0040D933 .33FF xor edi, edi ;edi == 0, int sum = 0
0040D935 .53 push ebx
0040D936 .897D E8 mov dword ptr , edi
0040D939 .897D D8 mov dword ptr , edi
0040D93C .897D D4 mov dword ptr , edi
0040D93F .897D D0 mov dword ptr , edi
0040D942 .897D CC mov dword ptr , edi
0040D945 .897D BC mov dword ptr , edi ;name
0040D948 .897D AC mov dword ptr , edi
0040D94B .897D 9C mov dword ptr , edi
0040D94E .897D 8C mov dword ptr , edi
0040D951 .89BD 7CFFFFFF mov dword ptr , edi
0040D957 .FF96 04030000 call dword ptr ;ds:=741CC350 (MSVBVM50.741CC350), Get Object
0040D95D .8D4D BC lea ecx, dword ptr ;Var_0019F18C:09 00 00 00 18 F2 19 00 FC A8 72 02 00 00 00 00
0040D960 .8D55 AC lea edx, dword ptr
0040D963 .51 push ecx ;argument ECX
0040D964 .52 push edx ;return value (VT_BSTR) Var_0019F17C(08 00) 00 00 F4 E2 40 00 (74 48 6C 00) FC A8 72 02, points to the upper-cased user name
0040D965 .8945 C4 mov dword ptr , eax ;reference address
0040D968 .C745 BC 09000000 mov dword ptr , 9 ;data type: VT_DISPATCH
0040D96F .FF15 3CF14000 call dword ptr [<&MSVBVM50.#528>] ;ds:=7419F8B3 (MSVBVM50.rtcUpperCaseVar), converts the user name to upper case
0040D975 .8D45 AC lea eax, dword ptr
0040D978 .50 push eax ;eax == (VT_BSTR) Var_0019F17C(08 00) 00 00 F4 E2 40 00 (74 48 6C 00) FC A8 72 02, points to the upper-cased user name
0040D979 .FF15 F4F04000 call dword ptr [<&MSVBVM50.__vbaStrVarMove>] ;(MSVBVM50.__vbaStrVarMove), EAX ===> "SOLLY"
0040D97F .8B1D 8CF14000 mov ebx, dword ptr [<&MSVBVM50.__vbaStrMove>] ;MSVBVM50.__vbaStrMove
0040D985 .8BD0 mov edx, eax ;src (edx)
0040D987 .8D4D D8 lea ecx, dword ptr ;dest (ecx) ecx ===> "SOLLY"
0040D98A .FFD3 call ebx ;(MSVBVM50.__vbaStrVarMove); <&MSVBVM50.__vbaStrMove>
0040D98C .8D4D AC lea ecx, dword ptr
0040D98F .8D55 BC lea edx, dword ptr
0040D992 .51 push ecx
0040D993 .52 push edx
0040D994 .6A 02 push 2
0040D996 .FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ;MSVBVM50.__vbaFreeVarList
0040D99C .8B45 D8 mov eax, dword ptr ;eax ===> "SOLLY"
0040D99F .83C4 0C add esp, 0C
0040D9A2 .50 push eax ; /String
0040D9A3 .FF15 F8F04000 call dword ptr [<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr, gets the length of the user name
0040D9A9 .8BC8 mov ecx, eax ;ecx == 0x00000005, length of the user name
0040D9AB .FF15 44F14000 call dword ptr [<&MSVBVM50.__vbaI2I4>] ;MSVBVM50.__vbaI2I4
0040D9B1 .8985 48FFFFFF mov dword ptr , eax ;eax == 0x0005, length of the user name
0040D9B7 .BE 01000000 mov esi, 1 ;int i=1
0040D9BC >66:3BB5 48FFFFFF cmp si, word ptr ;while (i<=len(name)) //// start of the loop
0040D9C3 .0F8F 3A010000 jg 0040DB03
0040D9C9 .8D4D D8 lea ecx, dword ptr ; ===> "SOLLY"
0040D9CC .8D55 BC lea edx, dword ptr
0040D9CF .0FBFC6 movsx eax, si ;int index = i
0040D9D2 .894D 84 mov dword ptr , ecx
0040D9D5 .52 push edx ; /Length8, === 0
0040D9D6 .8D8D 7CFFFFFF lea ecx, dword ptr ; |
0040D9DC .50 push eax ; |Start == i
0040D9DD .8D55 AC lea edx, dword ptr ; |
0040D9E0 .51 push ecx ; |dString8, [] ===> "SOLLY"
0040D9E1 .52 push edx ; |RetBUFFER
0040D9E2 .C745 C4 01000000 mov dword ptr , 1 ; |
0040D9E9 .C745 BC 02000000 mov dword ptr , 2 ; |
0040D9F0 .C785 7CFFFFFF 08400>mov dword ptr , 4008 ; |
0040D9FA .FF15 30F14000 call dword ptr [<&MSVBVM50.#632>] ; \rtcMidCharVar(name, i, 1), extracts the characters of the user name one at a time inside the loop; their ASCII value is taken next
0040DA00 .8D45 AC lea eax, dword ptr
0040DA03 .50 push eax ;eax === (0019F17C(08 00) 72 02 02 00 00 00 (CC 43 6C 00) 00 00 00 00) ===> "S"
0040DA04 .FF15 F4F04000 call dword ptr [<&MSVBVM50.__vbaStrVarMove>] ;MSVBVM50.__vbaStrVarMove
0040DA0A .8BD0 mov edx, eax ;eax ===> "S"
0040DA0C .8D4D E8 lea ecx, dword ptr ;ecx ===> "S"
0040DA0F .FFD3 call ebx ;ebx=740DF8DA (MSVBVM50.__vbaStrMove)
0040DA11 .8D4D AC lea ecx, dword ptr
0040DA14 .8D55 BC lea edx, dword ptr
0040DA17 .51 push ecx
0040DA18 .52 push edx
0040DA19 .6A 02 push 2
0040DA1B .FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ;MSVBVM50.__vbaFreeVarList
0040DA21 .8B45 E8 mov eax, dword ptr ;eax ===> "S", name
0040DA24 .83C4 0C add esp, 0C
0040DA27 .50 push eax ; /String
0040DA28 .FF15 08F14000 call dword ptr [<&MSVBVM50.#516>] ; \(MSVBVM50.rtcAnsiValueBstr), EAX == ASC(name), gets the ASCII value of the user name character
0040DA2E .66:2D 4000 sub ax, 40 ;EAX == ASC(name) - 0x40
0040DA32 .0F80 A1020000 jo 0040DCD9
0040DA38 .66:69C0 8200 imul ax, ax, 82 ;AX = ((ASC(name) - 0x40) * 0x82)
0040DA3D .0F80 96020000 jo 0040DCD9
0040DA43 .66:03C7 add ax, di
0040DA46 .0F80 8D020000 jo 0040DCD9
0040DA4C .66:05 5000 add ax, 50
0040DA50 .0F80 83020000 jo 0040DCD9
0040DA56 .66:05 5000 add ax, 50
0040DA5A .0F80 79020000 jo 0040DCD9
0040DA60 .66:05 5000 add ax, 50
0040DA64 .0F80 6F020000 jo 0040DCD9
0040DA6A .66:05 5000 add ax, 50
0040DA6E .0F80 65020000 jo 0040DCD9
0040DA74 .66:05 5000 add ax, 50
0040DA78 .0F80 5B020000 jo 0040DCD9
0040DA7E .66:05 5000 add ax, 50
0040DA82 .0F80 51020000 jo 0040DCD9
0040DA88 .66:05 5000 add ax, 50
0040DA8C .0F80 47020000 jo 0040DCD9
0040DA92 .66:05 5000 add ax, 50
0040DA96 .0F80 3D020000 jo 0040DCD9
0040DA9C .66:05 5000 add ax, 50
0040DAA0 .0F80 33020000 jo 0040DCD9
0040DAA6 .66:05 5000 add ax, 50
0040DAAA .0F80 29020000 jo 0040DCD9
0040DAB0 .66:05 5000 add ax, 50
0040DAB4 .0F80 1F020000 jo 0040DCD9
0040DABA .66:05 5000 add ax, 50
0040DABE .0F80 15020000 jo 0040DCD9
0040DAC4 .66:05 5000 add ax, 50
0040DAC8 .0F80 0B020000 jo 0040DCD9
0040DACE .66:05 5000 add ax, 50
0040DAD2 .0F80 01020000 jo 0040DCD9
0040DAD8 .66:05 5000 add ax, 50
0040DADC .0F80 F7010000 jo 0040DCD9
0040DAE2 .66:05 5000 add ax, 50
0040DAE6 .0F80 ED010000 jo 0040DCD9
0040DAEC .8BF8 mov edi, eax ;sum = sum + ((ASC(name) - 0x40) * 0x82) + 0x50*0x10
0040DAEE .B8 01000000 mov eax, 1
0040DAF3 .66:03C6 add ax, si ;i++
0040DAF6 .0F80 DD010000 jo 0040DCD9
0040DAFC .8BF0 mov esi, eax
0040DAFE .^ E9 B9FEFFFF jmp 0040D9BC ;Wend /// end of loop; accumulates sum = sum + 0x50*0x10 + ((ASC(name) - 0x40) * 0x82), one iteration per character of the user name, edi == sum == 0x00004326 == 17190
0040DB03 >8B45 08 mov eax, dword ptr
0040DB06 .50 push eax
0040DB07 .8B08 mov ecx, dword ptr
0040DB09 .FF91 FC020000 call dword ptr ;ds:=741CC340 (MSVBVM50.741CC340)
0040DB0F .8D55 CC lea edx, dword ptr
0040DB12 .50 push eax
0040DB13 .52 push edx
0040DB14 .FF15 20F14000 call dword ptr [<&MSVBVM50.__vbaObjSet>] ;MSVBVM50.__vbaObjSet
0040DB1A .8BF0 mov esi, eax
0040DB1C .8D4D D4 lea ecx, dword ptr
0040DB1F .51 push ecx
0040DB20 .56 push esi
0040DB21 .8B06 mov eax, dword ptr
0040DB23 .FF90 A0000000 call dword ptr ;ds:=7411A5B6 (MSVBVM50.7411A5B6),Get TextBox.Text
0040DB29 .85C0 test eax, eax
0040DB2B .7D 12 jge short 0040DB3F
0040DB2D .68 A0000000 push 0A0
0040DB32 .68 10D44000 push 0040D410
0040DB37 .56 push esi
0040DB38 .50 push eax
0040DB39 .FF15 14F14000 call dword ptr [<&MSVBVM50.__vbaHresultCheckObj>] ;MSVBVM50.__vbaHresultCheckObj
0040DB3F >8B55 D4 mov edx, dword ptr ;edx ===> "7878787878"
0040DB42 .52 push edx ;StrCmp argument 2, edx ===> "7878787878"
0040DB43 .57 push edi ;str(sum) argument
0040DB44 .FF15 E8F04000 call dword ptr [<&MSVBVM50.__vbaStrI2>] ;MSVBVM50.__vbaStrI2
0040DB4A .8BD0 mov edx, eax ;eax ===> "17190"
0040DB4C .8D4D D0 lea ecx, dword ptr
0040DB4F .FFD3 call ebx ;(MSVBVM50.__vbaStrMove)
0040DB51 .50 push eax ;StrCmp argument 1, eax ===> "17190",
0040DB52 .FF15 40F14000 call dword ptr [<&MSVBVM50.__vbaStrCmp>] ;MSVBVM50.__vbaStrCmp
0040DB58 .8BF0 mov esi, eax ;eax == 0, equal; eax == 1, not equal
0040DB5A .8D45 D0 lea eax, dword ptr
0040DB5D .F7DE neg esi
0040DB5F .1BF6 sbb esi, esi
0040DB61 .8D4D D4 lea ecx, dword ptr
0040DB64 .50 push eax
0040DB65 .46 inc esi
0040DB66 .51 push ecx
0040DB67 .6A 02 push 2
0040DB69 .F7DE neg esi ;esi == 0, not equal
0040DB6B .FF15 78F14000 call dword ptr [<&MSVBVM50.__vbaFreeStrList>] ;MSVBVM50.__vbaFreeStrList
0040DB71 .83C4 0C add esp, 0C
0040DB74 .8D4D CC lea ecx, dword ptr
0040DB77 .FF15 9CF14000 call dword ptr [<&MSVBVM50.__vbaFreeObj>] ;MSVBVM50.__vbaFreeObj
0040DB7D .B9 04000280 mov ecx, 80020004
0040DB82 .B8 0A000000 mov eax, 0A
0040DB87 .66:85F6 test si, si ;check the result of the code comparison, si == 0, not equal
0040DB8A .894D 94 mov dword ptr , ecx
0040DB8D .8945 8C mov dword ptr , eax
0040DB90 .894D A4 mov dword ptr , ecx
0040DB93 .8945 9C mov dword ptr , eax
0040DB96 .894D B4 mov dword ptr , ecx
0040DB99 .8945 AC mov dword ptr , eax
0040DB9C .74 5E je short 0040DBFC
0040DB9E .8B35 10F14000 mov esi, dword ptr [<&MSVBVM50.__vbaStrCat>] ;MSVBVM50.__vbaStrCat
0040DBA4 .68 24D44000 push 0040D424 ;nice going!!! you cracked the crackme!
0040DBA9 .68 6CD34000 push 0040D36C ; /\n\n
0040DBAE .FFD6 call esi ; \__vbaStrCat
0040DBB0 .8BD0 mov edx, eax
0040DBB2 .8D4D D4 lea ecx, dword ptr
0040DBB5 .FFD3 call ebx
0040DBB7 .50 push eax
0040DBB8 .68 84D44000 push 0040D484 ;contact hackerg or death to get your present...
0040DBBD .FFD6 call esi
0040DBBF .8945 C4 mov dword ptr , eax
0040DBC2 .8D55 8C lea edx, dword ptr
0040DBC5 .8D45 9C lea eax, dword ptr
0040DBC8 .52 push edx
0040DBC9 .8D4D AC lea ecx, dword ptr
0040DBCC .50 push eax
0040DBCD .51 push ecx
0040DBCE .8D55 BC lea edx, dword ptr
0040DBD1 .6A 00 push 0
0040DBD3 .52 push edx
0040DBD4 .C745 BC 08000000 mov dword ptr , 8
0040DBDB .FF15 1CF14000 call dword ptr [<&MSVBVM50.#595>] ;MSVBVM50.rtcMsgBox
0040DBE1 .8D4D D4 lea ecx, dword ptr
0040DBE4 .FF15 A0F14000 call dword ptr [<&MSVBVM50.__vbaFreeStr>] ;MSVBVM50.__vbaFreeStr
0040DBEA .8D45 8C lea eax, dword ptr
0040DBED .8D4D 9C lea ecx, dword ptr
0040DBF0 .50 push eax
0040DBF1 .8D55 AC lea edx, dword ptr
0040DBF4 .51 push ecx
0040DBF5 .8D45 BC lea eax, dword ptr
0040DBF8 .52 push edx
0040DBF9 .50 push eax
0040DBFA .EB 5C jmp short 0040DC58
0040DBFC >8B35 10F14000 mov esi, dword ptr [<&MSVBVM50.__vbaStrCat>] ;MSVBVM50.__vbaStrCat
0040DC02 .68 E8D44000 push 0040D4E8 ;you lamer!!! cant crack this?!
0040DC07 .68 6CD34000 push 0040D36C ; /\n\n
0040DC0C .FFD6 call esi ; \__vbaStrCat()
0040DC0E .8BD0 mov edx, eax
0040DC10 .8D4D D4 lea ecx, dword ptr
0040DC13 .FFD3 call ebx
0040DC15 .50 push eax
0040DC16 .68 2CD54000 push 0040D52C ;try again...
0040DC1B .FFD6 call esi ;__vbaStrCat()
0040DC1D .8D4D 8C lea ecx, dword ptr
0040DC20 .8945 C4 mov dword ptr , eax
0040DC23 .8D55 9C lea edx, dword ptr
0040DC26 .51 push ecx
0040DC27 .8D45 AC lea eax, dword ptr
0040DC2A .52 push edx
0040DC2B .50 push eax
0040DC2C .8D4D BC lea ecx, dword ptr
0040DC2F .6A 00 push 0
0040DC31 .51 push ecx
0040DC32 .C745 BC 08000000 mov dword ptr , 8
0040DC39 .FF15 1CF14000 call dword ptr [<&MSVBVM50.#595>] ;(MSVBVM50.rtcMsgBox)
0040DC3F .8D4D D4 lea ecx, dword ptr
0040DC42 .FF15 A0F14000 call dword ptr [<&MSVBVM50.__vbaFreeStr>] ;MSVBVM50.__vbaFreeStr
0040DC48 .8D55 8C lea edx, dword ptr
0040DC4B .8D45 9C lea eax, dword ptr
0040DC4E .52 push edx
0040DC4F .8D4D AC lea ecx, dword ptr
0040DC52 .50 push eax
0040DC53 .8D55 BC lea edx, dword ptr
0040DC56 .51 push ecx
0040DC57 .52 push edx
0040DC58 >6A 04 push 4
0040DC5A .FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ;MSVBVM50.__vbaFreeVarList
0040DC60 .83C4 14 add esp, 14
0040DC63 .C745 FC 00000000 mov dword ptr , 0
0040DC6A .68 BADC4000 push 0040DCBA
0040DC6F .EB 38 jmp short 0040DCA9
0040DC71 .8D45 D0 lea eax, dword ptr
0040DC74 .8D4D D4 lea ecx, dword ptr
0040DC77 .50 push eax
0040DC78 .51 push ecx
0040DC79 .6A 02 push 2
0040DC7B .FF15 78F14000 call dword ptr [<&MSVBVM50.__vbaFreeStrList>] ;MSVBVM50.__vbaFreeStrList
0040DC81 .83C4 0C add esp, 0C
0040DC84 .8D4D CC lea ecx, dword ptr
0040DC87 .FF15 9CF14000 call dword ptr [<&MSVBVM50.__vbaFreeObj>] ;MSVBVM50.__vbaFreeObj
0040DC8D .8D55 8C lea edx, dword ptr
0040DC90 .8D45 9C lea eax, dword ptr
0040DC93 .52 push edx
0040DC94 .8D4D AC lea ecx, dword ptr
0040DC97 .50 push eax
0040DC98 .8D55 BC lea edx, dword ptr
0040DC9B .51 push ecx
0040DC9C .52 push edx
0040DC9D .6A 04 push 4
0040DC9F .FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ;MSVBVM50.__vbaFreeVarList
0040DCA5 .83C4 14 add esp, 14
0040DCA8 .C3 retn
0040DCA9 >8B35 A0F14000 mov esi, dword ptr [<&MSVBVM50.__vbaFreeStr>] ;MSVBVM50.__vbaFreeStr
0040DCAF .8D4D E8 lea ecx, dword ptr
0040DCB2 .FFD6 call esi ;<&MSVBVM50.__vbaFreeStr>
0040DCB4 .8D4D D8 lea ecx, dword ptr
0040DCB7 .FFE6 jmp esi
0040DCB9 .C3 retn
0040DCBA .8B45 08 mov eax, dword ptr
0040DCBD .50 push eax
0040DCBE .8B08 mov ecx, dword ptr
0040DCC0 .FF51 08 call dword ptr
0040DCC3 .8B4D EC mov ecx, dword ptr
0040DCC6 .8B45 FC mov eax, dword ptr
0040DCC9 .5F pop edi
0040DCCA .5E pop esi
0040DCCB .64:890D 00000000 mov dword ptr fs:, ecx
0040DCD2 .5B pop ebx
0040DCD3 .8BE5 mov esp, ebp
0040DCD5 .5D pop ebp
0040DCD6 .C2 0400 retn 4
0040DCD9 >FF15 6CF14000 call dword ptr [<&MSVBVM50.__vbaErrorOverflow>] ;MSVBVM50.__vbaErrorOverflow
0040DCDF .90 nop
0040DCE0 >55 push ebp
0040DCE1 .8BEC mov ebp, esp
0040DCE3 .83EC 0C sub esp, 0C
0040DCE6 .68 36104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ;install SE handler
0040DCEB .64:A1 00000000 mov eax, dword ptr fs:
0040DCF1 .50 push eax
0040DCF2 .64:8925 00000000 mov dword ptr fs:, esp
0040DCF9 .83EC 08 sub esp, 8
0040DCFC .8B45 08 mov eax, dword ptr
0040DCFF .53 push ebx
0040DD00 .8BC8 mov ecx, eax
0040DD02 .56 push esi
0040DD03 .24 FE and al, 0FE
0040DD05 .57 push edi
0040DD06 .8965 F4 mov dword ptr , esp
0040DD09 .83E1 01 and ecx, 1
0040DD0C .8B10 mov edx, dword ptr
0040DD0E .C745 F8 20104000 mov dword ptr , 00401020
0040DD15 .50 push eax
0040DD16 .894D FC mov dword ptr , ecx
0040DD19 .8945 08 mov dword ptr , eax
0040DD1C .FF52 04 call dword ptr
0040DD1F .FF15 00F14000 call dword ptr [<&MSVBVM50.__vbaEnd>] ;MSVBVM50.__vbaEnd
0040DD25 .C745 FC 00000000 mov dword ptr , 0
0040DD2C .8B45 08 mov eax, dword ptr
0040DD2F .50 push eax
0040DD30 .8B08 mov ecx, dword ptr
0040DD32 .FF51 08 call dword ptr
0040DD35 .8B4D EC mov ecx, dword ptr
0040DD38 .8B45 FC mov eax, dword ptr
0040DD3B .5F pop edi
0040DD3C .5E pop esi
0040DD3D .64:890D 00000000 mov dword ptr fs:, ecx
0040DD44 .5B pop ebx
0040DD45 .8BE5 mov esp, ebp
0040DD47 .5D pop ebp
0040DD48 .C2 0800 retn 8
The key part is the following segment:
0040D99C .8B45 D8 mov eax, dword ptr ;eax ===> "SOLLY"
0040D99F .83C4 0C add esp, 0C
0040D9A2 .50 push eax ; /String
0040D9A3 .FF15 F8F04000 call dword ptr [<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr, gets the length of the user name
0040D9A9 .8BC8 mov ecx, eax ;ecx == 0x00000005, length of the user name
0040D9AB .FF15 44F14000 call dword ptr [<&MSVBVM50.__vbaI2I4>] ;MSVBVM50.__vbaI2I4
0040D9B1 .8985 48FFFFFF mov dword ptr , eax ;eax == 0x0005, length of the user name
0040D9B7 .BE 01000000 mov esi, 1 ;int i=1
0040D9BC >66:3BB5 48FFFFFF cmp si, word ptr ;While (i<=len(name)) //// start of the loop
0040D9C3 .0F8F 3A010000 jg 0040DB03
0040D9C9 .8D4D D8 lea ecx, dword ptr ; ===> "SOLLY"
0040D9CC .8D55 BC lea edx, dword ptr
0040D9CF .0FBFC6 movsx eax, si ;int index = i
0040D9D2 .894D 84 mov dword ptr , ecx
0040D9D5 .52 push edx ; /Length8, === 0
0040D9D6 .8D8D 7CFFFFFF lea ecx, dword ptr ; |
0040D9DC .50 push eax ; |Start == i
0040D9DD .8D55 AC lea edx, dword ptr ; |
0040D9E0 .51 push ecx ; |dString8, [] ===> "SOLLY"
0040D9E1 .52 push edx ; |RetBUFFER
0040D9E2 .C745 C4 01000000 mov dword ptr , 1 ; |
0040D9E9 .C745 BC 02000000 mov dword ptr , 2 ; |
0040D9F0 .C785 7CFFFFFF 0840>mov dword ptr , 4008 ; |
0040D9FA .FF15 30F14000 call dword ptr [<&MSVBVM50.#632>] ; \rtcMidCharVar(name, i, 1), extracts the characters of the user name one at a time inside the loop; their ASCII value is taken next
0040DA00 .8D45 AC lea eax, dword ptr
0040DA03 .50 push eax ;eax === (0019F17C(08 00) 72 02 02 00 00 00 (CC 43 6C 00) 00 00 00 00) ===> "S"
0040DA04 .FF15 F4F04000 call dword ptr [<&MSVBVM50.__vbaStrVarMove>] ;MSVBVM50.__vbaStrVarMove
0040DA0A .8BD0 mov edx, eax ;eax ===> "S"
0040DA0C .8D4D E8 lea ecx, dword ptr ;ecx ===> "S"
0040DA0F .FFD3 call ebx ;ebx=740DF8DA (MSVBVM50.__vbaStrMove)
0040DA11 .8D4D AC lea ecx, dword ptr
0040DA14 .8D55 BC lea edx, dword ptr
0040DA17 .51 push ecx
0040DA18 .52 push edx
0040DA19 .6A 02 push 2
0040DA1B .FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ;MSVBVM50.__vbaFreeVarList
0040DA21 .8B45 E8 mov eax, dword ptr ;eax ===> "S", name
0040DA24 .83C4 0C add esp, 0C
0040DA27 .50 push eax ; /String
0040DA28 .FF15 08F14000 call dword ptr [<&MSVBVM50.#516>] ; \(MSVBVM50.rtcAnsiValueBstr), gets the ASCII value of the user name character
0040DA2E .66:2D 4000 sub ax, 40 ;EAX == ASC(name) - 0x40
0040DA32 .0F80 A1020000 jo 0040DCD9
0040DA38 .66:69C0 8200 imul ax, ax, 82 ;AX = ((ASC(name) - 0x40) * 0x82)
0040DA3D .0F80 96020000 jo 0040DCD9
0040DA43 .66:03C7 add ax, di
0040DA46 .0F80 8D020000 jo 0040DCD9
0040DA4C .66:05 5000 add ax, 50
0040DA50 .0F80 83020000 jo 0040DCD9
0040DA56 .66:05 5000 add ax, 50
0040DA5A .0F80 79020000 jo 0040DCD9
0040DA60 .66:05 5000 add ax, 50
0040DA64 .0F80 6F020000 jo 0040DCD9
0040DA6A .66:05 5000 add ax, 50
0040DA6E .0F80 65020000 jo 0040DCD9
0040DA74 .66:05 5000 add ax, 50
0040DA78 .0F80 5B020000 jo 0040DCD9
0040DA7E .66:05 5000 add ax, 50
0040DA82 .0F80 51020000 jo 0040DCD9
0040DA88 .66:05 5000 add ax, 50
0040DA8C .0F80 47020000 jo 0040DCD9
0040DA92 .66:05 5000 add ax, 50
0040DA96 .0F80 3D020000 jo 0040DCD9
0040DA9C .66:05 5000 add ax, 50
0040DAA0 .0F80 33020000 jo 0040DCD9
0040DAA6 .66:05 5000 add ax, 50
0040DAAA .0F80 29020000 jo 0040DCD9
0040DAB0 .66:05 5000 add ax, 50
0040DAB4 .0F80 1F020000 jo 0040DCD9
0040DABA .66:05 5000 add ax, 50
0040DABE .0F80 15020000 jo 0040DCD9
0040DAC4 .66:05 5000 add ax, 50
0040DAC8 .0F80 0B020000 jo 0040DCD9
0040DACE .66:05 5000 add ax, 50
0040DAD2 .0F80 01020000 jo 0040DCD9
0040DAD8 .66:05 5000 add ax, 50
0040DADC .0F80 F7010000 jo 0040DCD9
0040DAE2 .66:05 5000 add ax, 50
0040DAE6 .0F80 ED010000 jo 0040DCD9
0040DAEC .8BF8 mov edi, eax ;sum = sum + 0x50*0x10 + ((ASC(name) - 0x40) * 0x82)
0040DAEE .B8 01000000 mov eax, 1
0040DAF3 .66:03C6 add ax, si ;i++
0040DAF6 .0F80 DD010000 jo 0040DCD9
0040DAFC .8BF0 mov esi, eax
0040DAFE .^ E9 B9FEFFFF jmp 0040D9BC ;Wend /// end of loop; accumulates sum = sum + 0x50*0x10 + ((ASC(name) - 0x40) * 0x82), one iteration per character of the user name, edi == sum == 0x00004326 == 17190
This code first gets the length of the user name (call __vbaLenBstr()), then loops over the characters of the upper-cased user name, computing a value for each and accumulating it; the accumulated value is the registration code. The accumulation formula is:
sum = sum + &H50*&H10 + ((ASC(name) - &H40) * &H82)
Below is a keygen implemented in C++, tested with Dev-C++:
#include <cstdio>
#include <cstring>
#include <cctype>

int getSN(const char *name);

int main(int argc, char **argv) {
    char name[] = "solly"; /// put any name here
    getSN(name);
    return 0;
}

int getSN(const char *name) {
    char uprName[256];     /// upper-cased copy of the name (the CrackMe works on the upper-cased string)
    int sum = 0;
    int n = strlen(name);
    if (n > 255) {
        n = 255;           /// keep the copy inside the buffer
    }
    strncpy(uprName, name, n);
    uprName[n] = '\0';
    for (int i = 0; i < n; i++) {
        uprName[i] = (char)toupper((unsigned char)uprName[i]); /// convert to upper case (portable replacement for strupr)
    }
    for (int i = 0; i < n; i++) {
        //sum += ((int)uprName[i] - 0x40) * 0x82 + 0x50*0x10;
        sum += ((int)uprName[i] - 64) * 130 + 1280;
    }
    printf("name: %s\ncode: %d\n", name, sum);
    return sum;
}
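The following C++ is an added example, not code from the original post: it models the check the way the listing performs it, in signed 16-bit VB Integer arithmetic with the jo / __vbaErrorOverflow checks after every operation, so unlike the int-based keygen above it also tells you which names make the CrackMe raise an overflow error instead of accepting any code (seven 'Z's still fit, eight do not). It assumes ASCII user names; the struct and function names are my own.

```cpp
// Added model of the CrackMe's serial check (not the original post's code).
// It reproduces the signed 16-bit arithmetic and the 'jo' overflow checks in the
// listing, so names that overflow are reported instead of silently miscomputed.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Outcome of the serial routine: the value __vbaStrI2 would format, or an overflow.
struct SerialResult {
    bool overflow;
    int16_t serial;
};

// Signed 16-bit add; returns true when the x86 OF flag would be set (the 'jo' case).
static bool add16(int16_t a, int16_t b, int16_t *out) {
    int32_t r = (int32_t)a + (int32_t)b;
    *out = (int16_t)r;
    return r < INT16_MIN || r > INT16_MAX;
}

// Signed 16-bit multiply with the same overflow reporting as 'imul ax, ax, imm'.
static bool mul16(int16_t a, int16_t b, int16_t *out) {
    int32_t r = (int32_t)a * (int32_t)b;
    *out = (int16_t)r;
    return r < INT16_MIN || r > INT16_MAX;
}

// Mirrors the loop at 0040D9BC..0040DAFE: the running sum lives in di, per-character work in ax.
SerialResult computeSerial(const std::string &name) {
    int16_t sum = 0;
    for (unsigned char c : name) {
        int16_t ax = (int16_t)toupper(c);            // rtcUpperCaseVar + rtcAnsiValueBstr (ASCII names assumed)
        if (add16(ax, -0x40, &ax)) return {true, 0};  // sub ax, 40       ; jo 0040DCD9
        if (mul16(ax, 0x82, &ax)) return {true, 0};   // imul ax, ax, 82  ; jo 0040DCD9
        if (add16(ax, sum, &ax)) return {true, 0};    // add ax, di       ; jo 0040DCD9
        for (int k = 0; k < 16; k++) {                // sixteen times: add ax, 50 ; jo 0040DCD9
            if (add16(ax, 0x50, &ax)) return {true, 0};
        }
        sum = ax;                                     // mov edi, eax
    }
    return {false, sum};                              // __vbaStrI2(sum) formats this value
}

// The CrackMe compares str(sum) with the typed code via __vbaStrCmp. An overflowing
// name never reaches that comparison: the runtime raises its Overflow error at 0040DCD9.
bool checkSerial(const std::string &name, const std::string &code) {
    SerialResult r = computeSerial(name);
    if (r.overflow) return false;
    return std::to_string(r.serial) == code;
}

int main() {
    SerialResult r = computeSerial("solly");          // sample name from the post
    printf("solly -> %s\n", r.overflow ? "overflow" : std::to_string(r.serial).c_str());
    printf("ZZZZZZZZ -> %s\n", computeSerial("ZZZZZZZZ").overflow ? "overflow" : "fits");
    return 0;
}
```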
Done!!!
Impressive, upvoted. Bro, you have learned your C++ pretty well.