
对看雪上面一个CrackerMe的简单分析

jcyhlh 发表于 2008-9-26 14:27
用F12暂停法
; Call through the import slot for MSVBVM60 ordinal #595. The author marks it as the
; error prompt and reads the code that precedes it, starting from this line.
; NOTE(review): ordinal #595 should be rtcMsgBox - confirm against the export table.
004073F0 .FF15 60104000 calldword ptr [<&MSVBVM60.#595>] ;error prompt
向上找:

第一部分

; Moves the user-name string into a temporary, passes it to the serial routine and
; frees the temporaries afterwards.
; ebx is used below both as the value that call results are compared against and as
; the value stored to clear locals, so it presumably holds 0 (it is set before this
; excerpt - confirm).
0040714D .FFD7calledi;<&MSVBVM60.__vbaStrMove>
0040714F .8B55 A8 mov edx, dword ptr [ebp-58];user name goes into edx
00407152 .8D4D A0 lea ecx, dword ptr [ebp-60]
00407155 .895D A8 mov dword ptr [ebp-58], ebx
; edi still holds __vbaStrMove here: ecx = &[ebp-60], edx = the user-name string.
00407158 .FFD7calledi
; Call through slot +730h of the table read from [esi]; the arguments pushed are
; &[ebp-F0], &[ebp-64], &[ebp-60] and esi.
0040715A .8B16mov edx, dword ptr [esi]
0040715C .8D85 10FFFFFF lea eax, dword ptr [ebp-F0]
00407162 .50pusheax
00407163 .8D4D 9C lea ecx, dword ptr [ebp-64]
00407166 .8D45 A0 lea eax, dword ptr [ebp-60]
00407169 .51pushecx
0040716A .50pusheax
0040716B .56pushesi
0040716C .FF92 30070000 calldword ptr [edx+730];serial algorithm call, traced into in the second listing
; A result below ebx (a failure code if ebx is 0) is reported through
; __vbaHresultCheckObj together with the slot offset 730h; otherwise that call is skipped.
00407172 .3BC3cmp eax, ebx
00407174 .7D 12 jge short 00407188
00407176 .68 30070000 push730
0040717B .68 5C334000 push0040335C
00407180 .56pushesi
00407181 .50pusheax
00407182 .FF15 44104000 calldword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
; Free the two string temporaries [ebp-60] and [ebp-64] (count = 2).
00407188 >8D4D 9C lea ecx, dword ptr [ebp-64]
0040718B .8D55 A0 lea edx, dword ptr [ebp-60]
0040718E .51pushecx
0040718F .52pushedx
00407190 .6A 02 push2
00407192 .FF15 10114000 calldword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
; Free the two object temporaries [ebp-68] and [ebp-6C] (count = 2).
00407198 .8D45 94 lea eax, dword ptr [ebp-6C]
0040719B .8D4D 98 lea ecx, dword ptr [ebp-68]
0040719E .50pusheax
0040719F .51pushecx
004071A0 .6A 02 push2
004071A2 .FF15 2C104000 calldword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObjList
; Fetches the serial the user typed from an object obtained through slot +304h, runs
; it through the routine at slot +714h (which the author identifies as MD5 in the
; second listing) and stores the result as a string variant at [ebp-54].
004071A8 .8B16mov edx, dword ptr [esi]
; 18h bytes = the six dwords pushed for the two free-list calls just before this
; point, which the caller cleans up here.
004071AA .83C4 18 add esp, 18
004071AD .56pushesi
004071AE .FF92 04030000 calldword ptr [edx+304]
; The returned object reference is stored in [ebp-68] and kept in edi.
004071B4 .50pusheax
004071B5 .8D45 98 lea eax, dword ptr [ebp-68]
004071B8 .50pusheax
004071B9 .FF15 5C104000 calldword ptr [<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
004071BF .8BF8mov edi, eax
; Slot +0A0h of that object is called with &[ebp-58] as the output location.
; NOTE(review): on a VB text box this slot would be the Text getter - confirm.
004071C1 .8D55 A8 lea edx, dword ptr [ebp-58]
004071C4 .52pushedx
004071C5 .57pushedi
004071C6 .8B0Fmov ecx, dword ptr [edi]
004071C8 .FF91 A0000000 calldword ptr [ecx+A0]
; Same result check as after the other method calls; fclex clears pending x87
; exception flags and does not alter the comparison result used by jge.
004071CE .3BC3cmp eax, ebx
004071D0 .DBE2fclex
004071D2 .7D 12 jge short 004071E6
004071D4 .68 A0000000 push0A0
004071D9 .68 8C364000 push0040368C
004071DE .57pushedi
004071DF .50pusheax
004071E0 .FF15 44104000 calldword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004071E6 >8B55 A8 mov edx, dword ptr [ebp-58];entered (trial) serial goes into edx
004071E9 .8D4D A4 lea ecx, dword ptr [ebp-5C]
004071EC .895D A8 mov dword ptr [ebp-58], ebx
004071EF .FF15 30114000 calldword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
; Call slot +714h on the object in esi: input string at [ebp-5C], output at [ebp-60].
004071F5 .8B06mov eax, dword ptr [esi]
004071F7 .8D4D A0 lea ecx, dword ptr [ebp-60]
004071FA .8D55 A4 lea edx, dword ptr [ebp-5C]
004071FD .51pushecx
004071FE .52pushedx
004071FF .56pushesi
00407200 .FF90 14070000 calldword ptr [eax+714]
00407206 .3BC3cmp eax, ebx
00407208 .7D 12 jge short 0040721C
0040720A .68 14070000 push714
0040720F .68 5C334000 push0040335C
00407214 .56pushesi
00407215 .50pusheax
00407216 .FF15 44104000 calldword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0040721C >8B45 A0 mov eax, dword ptr [ebp-60];MD5 of the entered serial
; Build a variant at [ebp-7C]: type field 8 (VT_BSTR) at +0, string pointer at +8
; ([ebp-74]); __vbaVarMove then moves it into the variant at [ebp-54].
0040721F .8D55 84 lea edx, dword ptr [ebp-7C]
00407222 .8D4D AC lea ecx, dword ptr [ebp-54]
00407225 .895D A0 mov dword ptr [ebp-60], ebx
00407228 .8945 8C mov dword ptr [ebp-74], eax
0040722B .C745 84 08000>mov dword ptr [ebp-7C], 8
00407232 .FF15 0C104000 calldword ptr [<&MSVBVM60.__vbaVarMo>;MSVBVM60.__vbaVarMove
; Release the string temporary [ebp-5C] and the object reference [ebp-68].
00407238 .8D4D A4 lea ecx, dword ptr [ebp-5C]
0040723B .FF15 48114000 calldword ptr [<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
00407241 .8D4D 98 lea ecx, dword ptr [ebp-68]
00407244 .FF15 4C114000 calldword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
; Walks the hashed serial one character at a time and counts how many characters are
; equal to the corresponding entry of a 32-entry table.
; Rough shape, reconstructed from the runtime calls below:
;     For i = 1 To Len(hash) Step 1
;         If Mid(hash, i, 1) = table(i - 1) Then count = count + 1
;     Next
; hash  = variant at [ebp-54]          i     = loop variant at [ebp-28]
; count = word at [ebp-18]             table = base pointer at [ebp-34]
; The table is filled outside this excerpt - presumably with the expected value
; produced by the algorithm call at 0040716C; confirm.
;
; Loop setup: two variants of type 2 (VT_I2) with value 1 serve as Start ([ebp-CC],
; value at [ebp-C4]) and Step ([ebp-BC], value at [ebp-B4]); End is the result of
; __vbaLenVar on the hash variant.
0040724A .B8 02000000 mov eax, 2
0040724F .8D4D AC lea ecx, dword ptr [ebp-54]
00407252 .8985 44FFFFFF mov dword ptr [ebp-BC], eax
00407258 .8985 34FFFFFF mov dword ptr [ebp-CC], eax
0040725E .8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
00407264 .8D55 84 lea edx, dword ptr [ebp-7C]
00407267 .50pusheax; /Step8
00407268 .BE 01000000 mov esi, 1 ; |
0040726D .51pushecx; |/var18
0040726E .52pushedx; ||retBuffer8
0040726F .89B5 4CFFFFFF mov dword ptr [ebp-B4], esi; ||
00407275 .89B5 3CFFFFFF mov dword ptr [ebp-C4], esi; ||
0040727B .FF15 48104000 calldword ptr [<&MSVBVM60.__vbaLenVa>; |\__vbaLenVar
00407281 .50pusheax; |End8
00407282 .8D85 34FFFFFF lea eax, dword ptr [ebp-CC]; |
00407288 .8D8D DCFEFFFF lea ecx, dword ptr [ebp-124] ; |
0040728E .50pusheax; |Start8
0040728F .8D95 ECFEFFFF lea edx, dword ptr [ebp-114] ; |
00407295 .51pushecx; |TMPend8
00407296 .8D45 D8 lea eax, dword ptr [ebp-28]; |
00407299 .52pushedx; |TMPstep8
0040729A .50pusheax; |Counter8
0040729B .FF15 58104000 calldword ptr [<&MSVBVM60.__vbaVarFo>; \__vbaVarForInit
004072A1 .8B3D 20104000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVarList
; Loop head: eax is the result of __vbaVarForInit / __vbaVarForNext; when it equals
; ebx the loop is finished and control goes to the final check at 00407365.
004072A7 >3BC3cmp eax, ebx
004072A9 .0F84 B6000000 je00407365
; Length argument for Mid: variant at [ebp-7C] of type 2 with value esi (= 1) at [ebp-74].
004072AF .8D4D 84 lea ecx, dword ptr [ebp-7C]
004072B2 .8D55 D8 lea edx, dword ptr [ebp-28]
004072B5 .8975 8C mov dword ptr [ebp-74], esi
004072B8 .8B35 20114000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaI4Var
004072BE .51pushecx
004072BF .52pushedx
004072C0 .C745 84 02000>mov dword ptr [ebp-7C], 2
; __vbaI4Var converts the loop counter to an integer, which becomes the Start argument.
004072C7 .FFD6callesi;<&MSVBVM60.__vbaI4Var>
004072C9 .50pusheax; |Start
004072CA .8D45 AC lea eax, dword ptr [ebp-54]; |
004072CD .8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]; |
004072D3 .50pusheax; |dString8
004072D4 .51pushecx; |RetBUFFER
004072D5 .FF15 80104000 calldword ptr [<&MSVBVM60.#632>] ; \rtcMidCharVar
; Table index = counter - 1, checked (unsigned) against 20h = 32 entries before use;
; an out-of-range index raises the runtime bounds error.
004072DB .8D55 D8 lea edx, dword ptr [ebp-28]
004072DE .52pushedx
004072DF .FFD6callesi
004072E1 .8BF0mov esi, eax
004072E3 .4Edec esi
004072E4 .83FE 20 cmp esi, 20
004072E7 .72 06 jbshort 004072EF
004072E9 .FF15 98104000 calldword ptr [<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
; Load the 4-byte table entry and wrap it in a variant at [ebp-CC] with type field
; 8008h (low bits 8 = string; the meaning of the 8000h bit is not established here),
; then compare it with the single character returned by rtcMidCharVar in [ebp-8C].
004072EF >8B45 CC mov eax, dword ptr [ebp-34]
004072F2 .8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
004072F8 .52pushedx; /var18
004072F9 .8B0CB0mov ecx, dword ptr [eax+esi*4] ; |
004072FC .8D85 34FFFFFF lea eax, dword ptr [ebp-CC]; |
00407302 .50pusheax; |var28
00407303 .898D 3CFFFFFF mov dword ptr [ebp-C4], ecx; |
00407309 .C785 34FFFFFF>mov dword ptr [ebp-CC], 8008 ; |
00407313 .FF15 A4104000 calldword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
; The comparison result is parked in esi while the two temporaries are freed
; (edi = __vbaFreeVarList, count = 2; the caller pops the 0Ch bytes of arguments).
00407319 .8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0040731F .8D55 84 lea edx, dword ptr [ebp-7C]
00407322 .51pushecx
00407323 .52pushedx
00407324 .6A 02 push2
00407326 .8BF0mov esi, eax
00407328 .FFD7calledi
0040732A .83C4 0C add esp, 0C
; If the characters were equal (si differs from bx), add 1 to the 16-bit match
; counter at [ebp-18]; a signed overflow branches to 0040752B, outside this excerpt.
0040732D .66:3BF3 cmp si, bx
00407330 .74 11 jeshort 00407343
00407332 .66:8B45 E8mov ax, word ptr [ebp-18]
00407336 .66:05 0100add ax, 1
0040733A .0F80 EB010000 jo0040752B
; The store is 32 bits wide, but only the low word is read back (here and at 00407365).
00407340 .8945 E8 mov dword ptr [ebp-18], eax
; Advance the loop counter and go back to the loop head; esi is restored to 1
; because the loop body reuses it as the Mid length.
00407343 >8D8D DCFEFFFF lea ecx, dword ptr [ebp-124]
00407349 .8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
0040734F .51pushecx; /TMPend8
00407350 .8D45 D8 lea eax, dword ptr [ebp-28]; |
00407353 .52pushedx; |TMPstep8
00407354 .50pusheax; |Counter8
00407355 .FF15 40114000 calldword ptr [<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
0040735B .BE 01000000 mov esi, 1
00407360^ E9 42FFFFFF jmp 004072A7
; Final decision: the match counter (word at [ebp-18]) is compared with 20h = 32,
; the number of table entries checked by the loop that ends at 00407360.
; Every instruction between this cmp and the je at 004073B2 is a mov or lea, neither
; of which changes EFLAGS, so the je still tests this comparison.
; NOTE(review): the pass/fail outcome rests on this one branch over a value that is
; computed entirely inside the client process.
00407365 >66:837D E8 20 cmp word ptr [ebp-18], 20
0040736A .8B35 24114000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarDup
; Message-box arguments are prepared before the branch. The two variants at [ebp-AC]
; and [ebp-9C] get type 0Ah with value 80020004h - the encoding VB uses for an
; omitted optional argument (VT_ERROR / DISP_E_PARAMNOTFOUND).
00407370 .B9 04000280 mov ecx, 80020004
00407375 .B8 0A000000 mov eax, 0A
0040737A .898D 5CFFFFFF mov dword ptr [ebp-A4], ecx
00407380 .898D 6CFFFFFF mov dword ptr [ebp-94], ecx
00407386 .8985 54FFFFFF mov dword ptr [ebp-AC], eax
0040738C .8985 64FFFFFF mov dword ptr [ebp-9C], eax
00407392 .C785 3CFFFFFF>mov dword ptr [ebp-C4], 004036F0 ;ASCII "鹼邁衏:y" (debugger's rendering of the bytes at 004036F0; presumably a wide-character message string - confirm)
0040739C .C785 34FFFFFF>mov dword ptr [ebp-CC], 8
004073A6 .8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
004073AC .8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
004073B274 5D jeshort 00407411 ;key jump: taken when the counter equals 20h, which skips the error prompt below
; Fall-through path (counter differs from 20h): duplicate the two string variants
; (004036F0 into [ebp-8C], 004036DC into [ebp-7C]) and show the error prompt.
004073B4 .FFD6callesi;<&MSVBVM60.__vbaVarDup>
004073B6 .8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
004073BC .8D4D 84 lea ecx, dword ptr [ebp-7C]
004073BF .C785 4CFFFFFF>mov dword ptr [ebp-B4], 004036DC
004073C9 .C785 44FFFFFF>mov dword ptr [ebp-BC], 8
004073D3 .FFD6callesi
004073D5 .8D8D 54FFFFFF lea ecx, dword ptr [ebp-AC]
004073DB .8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
004073E1 .51pushecx
004073E2 .8D85 74FFFFFF lea eax, dword ptr [ebp-8C]
004073E8 .52pushedx
004073E9 .50pusheax
004073EA .8D4D 84 lea ecx, dword ptr [ebp-7C]
; 30h is passed as an immediate between the two string variants.
; NOTE(review): for a message box this would be the buttons/icon flag - confirm.
004073ED .6A 30 push30
004073EF .51pushecx
004073F0 .FF15 60104000 calldword ptr [<&MSVBVM60.#595>] ;error prompt
004073F6 .8D95 54FFFFFF lea edx, dword ptr [ebp-AC]

在 0040716C 处跟进上面标注的算法 call,
代码如下:
; Inside the algorithm call: hashes the user name, then builds the string
; <string> + <hash of user name> + <string> and stores it in [ebp-2C].
; edi is the value call results are compared against here; it is zeroed explicitly
; at 00407651 later on, so it presumably holds 0 at this point as well - confirm.
004075B2 .FF91 14070000 calldword ptr [ecx+714];computes the MD5 of the user name
004075B8 .3BC7cmp eax, edi
004075BA .7D 12 jge short 004075CE
004075BC .68 14070000 push714
004075C1 .68 5C334000 push0040335C
004075C6 .56pushesi
004075C7 .50pusheax
004075C8 .FF15 44104000 calldword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004075CE >8B45 C0 mov eax, dword ptr [ebp-40];MD5 result for the user name goes into eax
004075D1 .897D C0 mov dword ptr [ebp-40], edi
; edi is reused as the constant 8 (string variant type). The hash is wrapped in a
; variant at [ebp-50] (value at [ebp-48]) and moved into the variant at [ebp-3C].
004075D4 .BF 08000000 mov edi, 8
004075D9 .8D55 B0 lea edx, dword ptr [ebp-50]
004075DC .8D4D C4 lea ecx, dword ptr [ebp-3C]
004075DF .8945 B8 mov dword ptr [ebp-48], eax
004075E2 .897D B0 mov dword ptr [ebp-50], edi
004075E5 .FF15 0C104000 calldword ptr [<&MSVBVM60.__vbaVarMo>;MSVBVM60.__vbaVarMove
; The same string pointer, read from offset 34h of the object in esi, is placed in
; two type-8 variants: [ebp-70] (value at [ebp-68]) and [ebp-80] (value at [ebp-78]).
; NOTE(review): the sample value the post quotes for this string, BFEBFBFF00000F41,
; has the shape of a CPU ProcessorId, which would tie the serial to the machine - confirm.
004075EB .8B46 34 mov eax, dword ptr [esi+34];a string (author's note)
004075EE .8D4D 90 lea ecx, dword ptr [ebp-70]
004075F1 .8945 98 mov dword ptr [ebp-68], eax
004075F4 .8945 88 mov dword ptr [ebp-78], eax
004075F7 .8D55 C4 lea edx, dword ptr [ebp-3C]
004075FA .51pushecx
004075FB .8D45 B0 lea eax, dword ptr [ebp-50]
004075FE .897D 90 mov dword ptr [ebp-70], edi
00407601 .897D 80 mov dword ptr [ebp-80], edi
00407604 .8B3D E8104000 mov edi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarCat
; First concatenation: result buffer [ebp-50], operands [ebp-3C] (hash) and [ebp-70] (string).
0040760A .52pushedx
0040760B .50pusheax
0040760C .FFD7calledi;<&MSVBVM60.__vbaVarCat>
; Second concatenation: result buffer [ebp-60], operands [ebp-80] (string) and the
; result of the first call.
0040760E .8D4D 80 lea ecx, dword ptr [ebp-80]
00407611 .50pusheax
00407612 .8D55 A0 lea edx, dword ptr [ebp-60]
00407615 .51pushecx
00407616 .52pushedx
00407617 .FFD7calledi
; The import name is truncated in the listing (__vbaStrVa...); the call converts the
; concatenated variant to a string, which __vbaStrMove then stores in [ebp-2C].
00407619 .50pusheax
0040761A .FF15 1C104000 calldword ptr [<&MSVBVM60.__vbaStrVa>;string + MD5 of user name + string, returned in eax
00407620 .8B1D 30114000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrMove
00407626 .8BD0mov edx, eax ;the concatenated string
00407628 .8D4D D4 lea ecx, dword ptr [ebp-2C]
0040762B .FFD3callebx;<&MSVBVM60.__vbaStrMove>
; Free the two variant temporaries [ebp-50] and [ebp-60] (count = 2).
0040762D .8D45 A0 lea eax, dword ptr [ebp-60]
00407630 .8D4D B0 lea ecx, dword ptr [ebp-50]
00407633 .50pusheax
00407634 .51pushecx
00407635 .6A 02 push2
00407637 .FF15 20104000 calldword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
; Runs the concatenated string at [ebp-2C] through the same slot (+714h) that hashed
; the user name at 004075B2; per the author the output in [ebp-40] is the expected serial.
; NOTE(review): the expected value therefore exists as a plain string in the client
; process. A scheme that must resist inspection would verify something the client
; cannot recompute (for example a signature) instead of deriving the serial locally.
0040763D .8B16mov edx, dword ptr [esi]
; Pops the 0Ch bytes pushed for the free-list call at 00407637.
0040763F .83C4 0C add esp, 0C
00407642 .8D45 C0 lea eax, dword ptr [ebp-40]
00407645 .8D4D D4 lea ecx, dword ptr [ebp-2C]
00407648 .50pusheax
00407649 .51pushecx
0040764A .56pushesi
0040764B .FF92 14070000 calldword ptr [edx+714];computes the real (expected) serial
; edi is zeroed and used as the value the call result is compared against.
00407651 .33FFxor edi, edi
00407653 .3BC7cmp eax, edi
00407655 .7D 12 jge short 00407669
00407657 .68 14070000 push714
0040765C .68 5C334000 push0040335C
00407661 .56pushesi
00407662 .50pusheax
00407663 .FF15 44104000 calldword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
00407669 >8B55 C0 mov edx, dword ptr [ebp-40];expected serial goes into edx
0040766C .8D4D D8 lea ecx, dword ptr [ebp-28]
; The source slot is cleared after its pointer has been taken into edx.
0040766F .897D C0 mov dword ptr [ebp-40], edi


按上面代码中的注释,真码的计算方式是:真码 = MD5(字符串 + MD5(用户名) + 字符串)。我的字符串是:BFEBFBFF00000F41,用户名是 jcyhlh,计算出的注册码是:6167D9216C0761F98B3BB62298515610。

CrackerMe.rar (12 KB, 下载次数: 4)


fox2006 发表于 2008-9-26 14:51
见识了,不会算法,学习
shaopeng 发表于 2008-9-26 16:32
fengbin 发表于 2009-12-1 00:06
fengbin 发表于 2009-12-1 00:06
压缩壳练习之二
清风原木 发表于 2009-12-1 00:08
呵呵,一个简单的crackme分析~
miaoronghua 发表于 2009-12-1 00:08
提示: 作者被禁止或删除 内容自动屏蔽
明次 发表于 2009-12-8 22:33
依然看不懂