sdzzb
Posted on 2012-4-29 23:44
What is a CM? What is a Crackme? What is this thing the poster has published?
They are small programs released publicly for others to try to crack. The person who makes a Crackme may be a programmer who wants to test their own software-protection technique, a cracker who wants to challenge other crackers' skills, or someone learning to crack who writes small programs to crack themselves. A KeyGenMe asks you to write a keygen (serial generator) for it, a ReverseMe asks you to reverse-engineer its algorithm, and an UnpackMe asks you to unpack it successfully. Non-technical, off-topic replies are not allowed in this board.
Last edited by Peace on 2012-4-30 08:14
【Title】: 吾爱破解 (52pojie) 2012 CM contest crack writeup
【Author】: DZ
【Software】: CM_fywy
【Difficulty】: Easy
【Download】: http://www.52pojie.cn/thread-146108-1-1.html
【Author's note】: One at a time, analyzing slowly, all the way up to the hardest ^^
--------------------------------------------------------------------------------
【Details】
This CM is written in VB, and the code is a headache to read, but there is no way around it, so I gritted my teeth and went through it. Below is the button-event procedure; the key locations are annotated.
00402F50 > \55 push ebp
00402F51 . 8BEC mov ebp,esp
00402F53 . 83EC 0C sub esp,0C
00402F56 . 68 F6104000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00402F5B . 64:A1 00000000 mov eax,dword ptr fs:[0]
....................10000+ characters omitted here @(^$^)@ .....................................
00402FEE . 68 A0000000 push 0A0
00402FF3 . 68 74264000 push fywy.00402674
00402FF8 . 53 push ebx
00402FF9 . 50 push eax
00402FFA . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00403000 > 8B55 D4 mov edx,dword ptr ss:[ebp-2C] ; ★★★★★★★★★★→|| [edx] = [ebp-2C] = username
00403003 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00403006 . 8975 D4 mov dword ptr ss:[ebp-2C],esi
00403009 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
0040300F . 8B1D BC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00403015 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403018 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeObj>
0040301A . 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; ★★★★★★★★★★→|| eax = [ebp-28] = username
0040301D . 50 push eax
0040301E . 68 88264000 push fywy.00402688
00403023 . FF15 54104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; msvbvm60.__vbaStrCmp
00403029 . 85C0 test eax,eax
0040302B . 75 3C jnz short fywy.00403069
0040302D . 8B0F mov ecx,dword ptr ds:[edi]
0040302F . 57 push edi
00403030 . FF91 08030000 call dword ptr ds:[ecx+308]
00403036 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
00403039 . 50 push eax
0040303A . 52 push edx
0040303B . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00403041 . 8BF8 mov edi,eax
00403043 . 57 push edi
00403044 . 8B07 mov eax,dword ptr ds:[edi]
00403046 . FF90 04020000 call dword ptr ds:[eax+204]
0040304C . 3BC6 cmp eax,esi
0040304E . DBE2 fclex
00403050 . 7D 12 jge short fywy.00403064
00403052 . 68 04020000 push 204
00403057 . 68 74264000 push fywy.00402674
0040305C . 57 push edi
0040305D . 50 push eax
0040305E . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00403064 > 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403067 . FFD3 call ebx
00403069 > 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
0040306C . 51 push ecx ; ★★★★★★★★★★→|| [ecx] = [ebp-28] = username
0040306D . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; msvbvm60.__vbaLenBstr
00403073 . 8BC8 mov ecx,eax ; ★★★★★★★★★★→|| ecx = username length
00403075 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; msvbvm60.__vbaI2I4
0040307B . 8B3D 20104000 mov edi,dword ptr ds:[<&MSVBVM60.#516>] ; msvbvm60.rtcAnsiValueBstr
00403081 . 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
The two loops below operate on the username:
----------------------------------- Loop 1 start --------------------------------------------------------------
00403087 . B8 01000000 mov eax,1
0040308C . 8945 E8 mov dword ptr ss:[ebp-18],eax
0040308F > 66:3B85 2CFFFFF>cmp ax,word ptr ss:[ebp-D4] ; ★★★★★★★★★★→|| [ebp-0xD4] = username length; ax is the loop counter (1-based position i)
00403096 . 0F8F 71040000 jg fywy.0040350D
0040309C . 8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
004030A2 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004030A5 . 0FBFF0 movsx esi,ax
004030A8 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004030AB . 8955 80 mov dword ptr ss:[ebp-80],edx
004030AE . 50 push eax
004030AF . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
004030B5 . 56 push esi
004030B6 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
004030B9 . 51 push ecx
004030BA . 52 push edx
004030BB . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
004030C2 . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
004030C9 . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
004030D3 . FFD3 call ebx ; <&MSVBVM60.#632>
004030D5 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004030D8 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004030DB . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
004030E1 . 51 push ecx
004030E2 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004030E8 . 56 push esi
004030E9 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004030EC . 52 push edx
004030ED . 50 push eax
004030EE . C745 A0 0100000>mov dword ptr ss:[ebp-60],1
004030F5 . C745 98 0200000>mov dword ptr ss:[ebp-68],2
004030FC . C785 58FFFFFF 0>mov dword ptr ss:[ebp-A8],4008
00403106 . FFD3 call ebx ; <&MSVBVM60.#632>
00403108 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0040310B . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0040310E . 51 push ecx
0040310F . 52 push edx
00403110 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00403116 . 50 push eax ; ★★★★★★★★★★→|| [eax] = i-th character of the username
00403117 . FFD7 call edi
00403119 . 33DB xor ebx,ebx
0040311B . 66:3D 3900 cmp ax,39 ; ★★★★★★★★★★→|| compare the i-th username character with '9'
0040311F . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403122 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00403125 . 0F9EC3 setle bl ; ★★★★★★★★★★→|| bl = 1 if the i-th username character <= '9'
00403128 . 50 push eax
00403129 . 51 push ecx
0040312A . F7DB neg ebx
0040312C . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00403132 . 50 push eax ; ★★★★★★★★★★→|| [eax] = i-th character of the username
00403133 . FFD7 call edi
00403135 . 33D2 xor edx,edx ; ★★★★★★★★★★→|| eax = ASCII code of the i-th username character
00403137 . 66:3D 3000 cmp ax,30 ; ★★★★★★★★★★→|| compare the i-th username character with '0'
0040313B . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0040313E . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00403141 . 0F9DC2 setge dl ; ★★★★★★★★★★→|| dl = 1 if the i-th username character >= '0'
00403144 . 50 push eax
00403145 . 51 push ecx
00403146 . F7DA neg edx
00403148 . 6A 02 push 2
0040314A . 23DA and ebx,edx
0040314C . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00403152 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00403155 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00403158 . 52 push edx
00403159 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040315C . 50 push eax
0040315D . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00403160 . 51 push ecx
00403161 . 52 push edx
00403162 . 6A 04 push 4
00403164 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
0040316A . 83C4 20 add esp,20
0040316D . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403174 . 66:85DB test bx,bx ; ★★★★★★★★★★→|| bx is non-zero only when '0' <= char <= '9'; the je below jumps when the i-th character is not a digit
00403177 . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
0040317E . 0F84 8F000000 je fywy.00403213
00403184 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00403187 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0040318A . 8945 80 mov dword ptr ss:[ebp-80],eax
0040318D . 51 push ecx
0040318E . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
00403194 . 56 push esi
00403195 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403198 . 52 push edx
00403199 . 50 push eax
0040319A . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
004031A4 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
004031AA . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
004031AD . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
004031B0 . 51 push ecx
004031B1 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004031B4 . 52 push edx
004031B5 . 50 push eax
004031B6 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
004031BC . 50 push eax
004031BD . FFD7 call edi
004031BF . 66:05 3000 add ax,30 ; ★★★★★★★★★★→|| when the i-th character is a digit: the decimal text of (ASCII + 48) is appended to the running string; call that string S1
004031C3 . 0F80 CB050000 jo fywy.00403794
004031C9 . 50 push eax
004031CA . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; msvbvm60.__vbaStrI2
004031D0 . 8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004031D6 . 8BD0 mov edx,eax
004031D8 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004031DB . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
004031DD . 50 push eax
004031DE . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
004031E4 . 8BD0 mov edx,eax
004031E6 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004031E9 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
004031EB . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004031EE . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004031F1 . 51 push ecx
004031F2 . 52 push edx
004031F3 . 6A 02 push 2
004031F5 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004031FB . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004031FE . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403201 . 50 push eax
00403202 . 51 push ecx
00403203 . 6A 02 push 2
00403205 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
0040320B . 83C4 18 add esp,18
0040320E . E9 E3020000 jmp fywy.004034F6
00403213 > 8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
00403219 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0040321C . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040321F . 8955 80 mov dword ptr ss:[ebp-80],edx
00403222 . 50 push eax
00403223 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00403229 . 56 push esi
0040322A . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040322D . 51 push ecx
0040322E . 52 push edx
0040322F . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
00403239 . FFD3 call ebx ; <&MSVBVM60.#632>
0040323B . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0040323E . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00403241 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
00403247 . 51 push ecx
00403248 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
0040324E . 56 push esi
0040324F . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00403252 . 52 push edx
00403253 . 50 push eax
00403254 . C745 A0 0100000>mov dword ptr ss:[ebp-60],1
0040325B . C745 98 0200000>mov dword ptr ss:[ebp-68],2
00403262 . C785 58FFFFFF 0>mov dword ptr ss:[ebp-A8],4008
0040326C . FFD3 call ebx ; <&MSVBVM60.#632>
0040326E . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00403271 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00403274 . 51 push ecx
00403275 . 52 push edx
00403276 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
0040327C . 50 push eax
0040327D . FFD7 call edi
0040327F . 33DB xor ebx,ebx
00403281 . 66:3D 5A00 cmp ax,5A ; ★★★★★★★★★★→|| compare the i-th username character with 'Z'
00403285 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403288 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040328B . 0F9EC3 setle bl ; ★★★★★★★★★★→|| bl = 1 if the i-th username character <= 'Z'
0040328E . 50 push eax
0040328F . 51 push ecx
00403290 . F7DB neg ebx
00403292 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00403298 . 50 push eax ; [eax] = i-th character of the username
00403299 . FFD7 call edi
0040329B . 33D2 xor edx,edx ; eax = ASCII code of the i-th username character
0040329D . 66:3D 4100 cmp ax,41 ; ★★★★★★★★★★→|| compare the i-th username character with 'A'
004032A1 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004032A4 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004032A7 . 0F9DC2 setge dl ; ★★★★★★★★★★→|| dl = 1 if the i-th username character >= 'A'
004032AA . 50 push eax
004032AB . 51 push ecx
004032AC . F7DA neg edx
004032AE . 6A 02 push 2
004032B0 . 23DA and ebx,edx
004032B2 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004032B8 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004032BB . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004032BE . 52 push edx
004032BF . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004032C2 . 50 push eax
004032C3 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004032C6 . 51 push ecx
004032C7 . 52 push edx
004032C8 . 6A 04 push 4
004032CA . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004032D0 . 83C4 20 add esp,20
004032D3 . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
004032DA . 66:85DB test bx,bx ; ★★★★★★★★★★→|| bx is non-zero only when 'A' <= char <= 'Z'; the je below jumps when the i-th character is not an upper-case letter
004032DD . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
004032E4 . 0F84 8F000000 je fywy.00403379
004032EA . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004032ED . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004032F0 . 8945 80 mov dword ptr ss:[ebp-80],eax
004032F3 . 51 push ecx
004032F4 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004032FA . 56 push esi
004032FB . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004032FE . 52 push edx
004032FF . 50 push eax
00403300 . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
0040330A . FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
00403310 . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00403313 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00403316 . 51 push ecx
00403317 . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0040331A . 52 push edx
0040331B . 50 push eax
0040331C . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00403322 . 50 push eax
00403323 . FFD7 call edi
00403325 . 66:05 3200 add ax,32 ; ★★★★★★★★★★→|| when the i-th character is in 'A'..'Z': the decimal text of (ASCII + 50) is appended to S1
00403329 . 0F80 65040000 jo fywy.00403794
0040332F . 50 push eax
00403330 . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; msvbvm60.__vbaStrI2
00403336 . 8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
0040333C . 8BD0 mov edx,eax
0040333E . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00403341 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00403343 . 50 push eax
00403344 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
0040334A . 8BD0 mov edx,eax
0040334C . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0040334F . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
00403351 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00403354 . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00403357 . 51 push ecx
00403358 . 52 push edx
00403359 . 6A 02 push 2
0040335B . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00403361 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403364 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403367 . 50 push eax
00403368 . 51 push ecx
00403369 . 6A 02 push 2
0040336B . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00403371 . 83C4 18 add esp,18
00403374 . E9 7D010000 jmp fywy.004034F6
00403379 > 8B1D 48104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
0040337F . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00403382 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00403385 . 8955 80 mov dword ptr ss:[ebp-80],edx
00403388 . 50 push eax
00403389 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0040338F . 56 push esi
00403390 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00403393 . 51 push ecx
00403394 . 52 push edx
00403395 . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
0040339F . FFD3 call ebx ; <&MSVBVM60.#632>
004033A1 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004033A4 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004033A7 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
004033AD . 51 push ecx
004033AE . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
004033B4 . 56 push esi
004033B5 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004033B8 . 52 push edx
004033B9 . 50 push eax
004033BA . C745 A0 0100000>mov dword ptr ss:[ebp-60],1
004033C1 . C745 98 0200000>mov dword ptr ss:[ebp-68],2
004033C8 . C785 58FFFFFF 0>mov dword ptr ss:[ebp-A8],4008
004033D2 . FFD3 call ebx ; <&MSVBVM60.#632>
004033D4 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004033D7 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004033DA . 51 push ecx
004033DB . 52 push edx
004033DC . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
004033E2 . 50 push eax
004033E3 . FFD7 call edi
004033E5 . 33DB xor ebx,ebx ; ★★★★★★★★★★→|| eax = ASCII code of the i-th username character
004033E7 . 66:3D 7A00 cmp ax,7A ; ★★★★★★★★★★→|| compare the i-th username character with 'z'
004033EB . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004033EE . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004033F1 . 0F9EC3 setle bl ; ★★★★★★★★★★→|| bl = 1 if the i-th username character <= 'z'
004033F4 . 50 push eax
004033F5 . 51 push ecx
004033F6 . F7DB neg ebx
004033F8 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
004033FE . 50 push eax
004033FF . FFD7 call edi
00403401 . 33D2 xor edx,edx ; ★★★★★★★★★★→|| eax = ASCII code of the i-th username character
00403403 . 66:3D 6100 cmp ax,61 ; ★★★★★★★★★★→|| compare the i-th username character with 'a'
00403407 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0040340A . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040340D . 0F9DC2 setge dl ; ★★★★★★★★★★→|| dl = 1 if the i-th username character >= 'a'
00403410 . 50 push eax
00403411 . 51 push ecx
00403412 . F7DA neg edx
00403414 . 6A 02 push 2
00403416 . 23DA and ebx,edx
00403418 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
0040341E . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00403421 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00403424 . 52 push edx
00403425 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403428 . 50 push eax
00403429 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
0040342C . 51 push ecx
0040342D . 52 push edx
0040342E . 6A 04 push 4
00403430 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00403436 . 83C4 20 add esp,20
00403439 . 66:85DB test bx,bx
0040343C . 0F84 9A000000 je fywy.004034DC ; ★★★★★★★★★★→|| jumps when the i-th character is not in 'a'..'z' (it was already not a digit and not upper-case)
00403442 . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00403445 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403448 . 8945 80 mov dword ptr ss:[ebp-80],eax
0040344B . 51 push ecx
0040344C . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
00403452 . 56 push esi
00403453 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403456 . 52 push edx
00403457 . 50 push eax
00403458 . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
0040345F . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403466 . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
00403470 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
00403476 . 8B4D DC mov ecx,dword ptr ss:[ebp-24]
00403479 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040347C . 51 push ecx
0040347D . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00403480 . 52 push edx
00403481 . 50 push eax
00403482 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00403488 . 50 push eax ; ★★★★★★★★★★→|| [eax] = i-th character of the username
00403489 . FFD7 call edi
0040348B . 66:05 3400 add ax,34 ; ★★★★★★★★★★→|| when the i-th character is in 'a'..'z': the decimal text of (ASCII + 52) is appended to S1
0040348F . 0F80 FF020000 jo fywy.00403794 ; jump on overflow (OF = 1)
00403495 . 50 push eax
00403496 . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; msvbvm60.__vbaStrI2
0040349C . 8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004034A2 . 8BD0 mov edx,eax
004034A4 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004034A7 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
004034A9 . 50 push eax
004034AA . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
004034B0 . 8BD0 mov edx,eax
004034B2 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004034B5 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
004034B7 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004034BA . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004034BD . 51 push ecx
004034BE . 52 push edx
004034BF . 6A 02 push 2
004034C1 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004034C7 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004034CA . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004034CD . 50 push eax
004034CE . 51 push ecx
004034CF . 6A 02 push 2
004034D1 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004034D7 . 83C4 18 add esp,18
004034DA . EB 1A jmp short fywy.004034F6
004034DC > 8B55 DC mov edx,dword ptr ss:[ebp-24]
004034DF . 52 push edx
004034E0 . 68 90264000 push fywy.00402690 ; 2012
004034E5 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
004034EB . 8BD0 mov edx,eax ; ★★★★★★★★★★→|| for any character outside the three ranges, the literal "2012" is appended to S1 in place of the character
004034ED . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004034F0 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004034F6 > B8 01000000 mov eax,1
004034FB . 66:0345 E8 add ax,word ptr ss:[ebp-18] ; ★★★★★★★★★★→|| [ebp-18] holds the loop counter
004034FF . 0F80 8F020000 jo fywy.00403794
00403505 . 8945 E8 mov dword ptr ss:[ebp-18],eax
00403508 .^ E9 82FBFFFF jmp fywy.0040308F
0040350D > 8B45 DC mov eax,dword ptr ss:[ebp-24]
----------------------------------- Loop 1 end --------------------------------------------------------------
What loop 1 does:
Take the username and, for each character (call it name(i)), add a constant x to its ASCII code, with x depending on the range the character falls in; the result R is appended as decimal text to build the string Str1.
The ranges are:
'0' <= name <= '9': + 0x30, i.e. 48
'A' <= name <= 'Z': + 0x32, i.e. 50
'a' <= name <= 'z': + 0x34, i.e. 52
any other character: String(R) = '2012' (the three range tests are applied in order and everything else falls through to 004034DC, so this covers characters below '0' and between the ranges, not only those above 'z')
00403510 . 83CB FF or ebx,FFFFFFFF
00403513 . 50 push eax
00403514 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; msvbvm60.__vbaLenBstr
0040351A . 8BC8 mov ecx,eax ; ★★★★★★★★★★→|| ecx = eax = length of the string S1 built above
0040351C . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; msvbvm60.__vbaI2I4
00403522 . 8BF0 mov esi,eax
----------------------------------- Loop 2 start --------------------------------------------------------------
00403524 > B8 01000000 mov eax,1
00403529 . 66:3BF0 cmp si,ax ; ★★★★★★★★★★→|| si is the counter; the characters of S1 are taken from the end backwards
0040352C . 0F8C D4000000 jl fywy.00403606 ; ★★★★★★★★★★→|| si starts at Len(S1) and is decremented by 1 each iteration; when si < 1 the jump is taken and the loop ends
00403532 . 8945 C0 mov dword ptr ss:[ebp-40],eax
00403535 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00403538 . 0FBFC6 movsx eax,si ; ★★★★★★★★★★→|| eax = si = current 1-based position in S1 (Len(S1) on the first pass)
0040353B . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
0040353E . 894D 80 mov dword ptr ss:[ebp-80],ecx
00403541 . 52 push edx
00403542 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00403548 . 50 push eax
00403549 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040354C . 51 push ecx
0040354D . 52 push edx
0040354E . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403555 . C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
0040355F . FF15 48104000 call dword ptr ds:[<&MSVBVM60.#632>] ; msvbvm60.rtcMidCharVar
00403565 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403568 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040356B . 50 push eax
0040356C . 51 push ecx
0040356D . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00403573 . 50 push eax
00403574 . FFD7 call edi
00403576 . 66:05 3400 add ax,34 ; ★★★★★★★★★★→|| ax = ASCII code of the character taken from the end + 0x34
0040357A . 8D55 98 lea edx,dword ptr ss:[ebp-68]
0040357D . 0F80 11020000 jo fywy.00403794
00403583 . 66:8945 A0 mov word ptr ss:[ebp-60],ax
00403587 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040358A . 52 push edx
0040358B . 50 push eax
0040358C . C745 98 0200000>mov dword ptr ss:[ebp-68],2
00403593 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.#573>] ; msvbvm60.rtcHexVarFromVar
00403599 . 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
0040359C . 8D55 88 lea edx,dword ptr ss:[ebp-78]
0040359F . 51 push ecx
004035A0 . 52 push edx
004035A1 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaStrErrVarCopy>] ; msvbvm60.__vbaStrErrVarCopy
004035A7 . 8BD0 mov edx,eax ; ★★★★★★★★★★→|| for each character of S1 taken from the end: add 0x34 to its ASCII code, then convert the sum to a hex string (rtcHexVarFromVar) and append it
004035A9 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
004035AC . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004035B2 . 50 push eax
004035B3 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
004035B9 . 8BD0 mov edx,eax
004035BB . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
004035BE . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
004035C4 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004035C7 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004035CA . 50 push eax
004035CB . 51 push ecx
004035CC . 6A 02 push 2
004035CE . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004035D4 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
004035D7 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004035DA . 52 push edx
004035DB . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004035DE . 50 push eax
004035DF . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
004035E2 . 51 push ecx
004035E3 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004035E6 . 52 push edx
004035E7 . 50 push eax
004035E8 . 6A 05 push 5
004035EA . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004035F0 . 66:8BCB mov cx,bx
004035F3 . 83C4 24 add esp,24
004035F6 . 66:03CE add cx,si
004035F9 . 0F80 95010000 jo fywy.00403794
004035FF . 8BF1 mov esi,ecx
00403601 .^ E9 1EFFFFFF jmp fywy.00403524
00403606 > 8B7D 08 mov edi,dword ptr ss:[ebp+8]
----------------------------------- Loop 2 end --------------------------------------------------------------
What loop 2 does:
Take Str1 from loop 1 and walk it backwards, one character Str1[Len(Str1) - i + 1] at a time (i = 1, 2, ...; in the listing si itself runs from Len(Str1) down to 1); add 52 to that character's ASCII code to get N1, convert N1 to hexadecimal Hex(N1),
then concatenate the Hex(N1) values into the string Str2, which is the real serial.
----------------------------------- Below, the computed real serial is compared with the one entered; not discussed further --------------------------------------------------------------
00403609 . 57 push edi
0040360A . 8B17 mov edx,dword ptr ds:[edi]
0040360C . FF92 08030000 call dword ptr ds:[edx+308]
00403612 . 8B1D 38104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00403618 . 50 push eax
00403619 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0040361C . 50 push eax
0040361D . FFD3 call ebx ; <&MSVBVM60.__vbaObjSet>
0040361F . 8BF0 mov esi,eax
00403621 . 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00403624 . 52 push edx
00403625 . 56 push esi
00403626 . 8B0E mov ecx,dword ptr ds:[esi]
00403628 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040362E . 85C0 test eax,eax
00403630 . DBE2 fclex
00403632 . 7D 12 jge short fywy.00403646
00403634 . 68 A0000000 push 0A0
00403639 . 68 74264000 push fywy.00402674
0040363E . 56 push esi
0040363F . 50 push eax
00403640 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00403646 > 8B07 mov eax,dword ptr ds:[edi]
00403648 . 57 push edi
00403649 . FF90 04030000 call dword ptr ds:[eax+304]
0040364F . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00403652 . 50 push eax
00403653 . 51 push ecx
00403654 . FFD3 call ebx
00403656 . 8BF0 mov esi,eax
00403658 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0040365B . 50 push eax
0040365C . 56 push esi
0040365D . 8B16 mov edx,dword ptr ds:[esi]
0040365F . FF92 A0000000 call dword ptr ds:[edx+A0]
00403665 . 85C0 test eax,eax
00403667 . DBE2 fclex
00403669 . 7D 12 jge short fywy.0040367D
0040366B . 68 A0000000 push 0A0
00403670 . 68 74264000 push fywy.00402674
00403675 . 56 push esi
00403676 . 50 push eax
00403677 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
0040367D > 8B4D D8 mov ecx,dword ptr ss:[ebp-28] ; ★★★★★★★★★★→|| [ecx] = [ebp-28] = username
00403680 . 8B55 D4 mov edx,dword ptr ss:[ebp-2C] ; ★★★★★★★★★★→|| [edx] = [ebp-2C] = username
00403683 . 8B1D 54104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; msvbvm60.__vbaStrCmp
00403689 . 51 push ecx
0040368A . 52 push edx
0040368B . FFD3 call ebx ; <&MSVBVM60.__vbaStrCmp>
0040368D . 8B4D D0 mov ecx,dword ptr ss:[ebp-30] ; ★★★★★★★★★★→|| [ecx] = [ebp-30] = the serial entered
00403690 . 8BF0 mov esi,eax
00403692 . 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; ★★★★★★★★★★→|| [eax] = [ebp-20] = the string computed above (the real serial)
00403695 . F7DE neg esi
00403697 . 1BF6 sbb esi,esi ; ★★★★★★★★★★→|| neg/sbb/inc/neg turns the first __vbaStrCmp result into a VB Boolean: esi = -1 (True) if the strings matched, otherwise 0
00403699 . 50 push eax
0040369A . 46 inc esi ; ★★★★★★★★★★→|| part of the same sequence
0040369B . 51 push ecx
0040369C . F7DE neg esi
0040369E . FFD3 call ebx ; ★★★★★★★★★★→|| note: the key comparison, computed serial vs. the serial entered; <&MSVBVM60.__vbaStrCmp>
004036A0 . F7D8 neg eax ; ★★★★★★★★★★→|| same neg/sbb/inc/neg idiom applied to the second result
004036A2 . 1BC0 sbb eax,eax
004036A4 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004036A7 . 40 inc eax
004036A8 . 52 push edx
004036A9 . F7D8 neg eax ; ★★★★★★★★★★→|| eax = -1 (True) if the second comparison matched, otherwise 0
004036AB . 23F0 and esi,eax ; ★★★★★★★★★★→|| esi = esi AND eax: both comparisons must succeed
004036AD . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004036B0 . 50 push eax
004036B1 . 6A 02 push 2
004036B3 . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004036B9 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004036BC . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004036BF . 51 push ecx
004036C0 . 52 push edx
004036C1 . 6A 02 push 2
004036C3 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; msvbvm60.__vbaFreeObjList
004036C9 . 83C4 18 add esp,18
004036CC . 66:85F6 test si,si
004036CF . 74 3F je short fywy.00403710 ; ★★★★★★★★★★→|| esi = 0 jumps to the failure path ==> patch point <==
004036D1 . 8B07 mov eax,dword ptr ds:[edi]
004036D3 . 57 push edi
004036D4 . FF90 10030000 call dword ptr ds:[eax+310]
004036DA . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004036DD . 50 push eax
004036DE . 51 push ecx
004036DF . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004036E5 . 8BF0 mov esi,eax
004036E7 . 68 A0264000 push fywy.004026A0 ; 吾爱破解2012CM大赛作品已注册 ("52pojie 2012 CM contest entry registered")
004036EC . 56 push esi
004036ED . 8B16 mov edx,dword ptr ds:[esi]
Once the analysis was done I also wrote a keygen (see attachment) to confirm there were no major errors in the reasoning; the keygen works.
--------------------------------------------------------------------------------
2012-04-29 23:28:31
Attachment:
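A keygen that reimplements the two loops recovered from the listing above, added here as an example; it is not the author's attached keygen. It assumes the username is plain ASCII: the listing compares 16-bit Asc() values with signed setle/setge, so what happens with non-ASCII (DBCS) characters is not determined by what the page shows. Function names and the sample usernames are my own.

```python
"""Keygen for CM_fywy, reconstructed from the two loops in the disassembly.

Added example, not the author's keygen. Assumes ASCII usernames only.
"""


def loop1_char(ch: str) -> str:
    """Loop 1 body for one character (0040308F..00403508).

    Each range adds a different constant to the ASCII value and appends the
    sum as DECIMAL text (__vbaStrI2 + __vbaStrCat). Anything outside the
    three ranges (space, punctuation, ...) appends the literal "2012".
    """
    code = ord(ch)
    if 0x30 <= code <= 0x39:          # '0'..'9' : Asc + 0x30 (48)
        return str(code + 0x30)
    if 0x41 <= code <= 0x5A:          # 'A'..'Z' : Asc + 0x32 (50)
        return str(code + 0x32)
    if 0x61 <= code <= 0x7A:          # 'a'..'z' : Asc + 0x34 (52)
        return str(code + 0x34)
    return "2012"                     # fall-through at 004034DC


def build_s1(name: str) -> str:
    """Loop 1: concatenate the per-character pieces into S1."""
    return "".join(loop1_char(c) for c in name)


def build_serial(s1: str) -> str:
    """Loop 2 (00403524..00403601): walk S1 from its last character to its
    first (si = Len(S1) down to 1), add 0x34 to each Asc() and append the
    VB Hex() text of the sum. rtcHexVarFromVar yields upper-case hex with
    no leading zero; S1 is all decimal digits, so every piece is "64".."6D".
    """
    return "".join(format(ord(c) + 0x34, "X") for c in reversed(s1))


def keygen(name: str) -> str:
    """Serial the CM accepts for `name`."""
    return build_serial(build_s1(name))


def check(name: str, serial: str) -> bool:
    """Mirror of the final __vbaStrCmp at 0040369E: binary, case-sensitive."""
    return keygen(name) == serial


if __name__ == "__main__":
    import sys

    user = sys.argv[1] if len(sys.argv) > 1 else "Ab1"   # constructed sample
    print(f"name   : {user}")
    print(f"S1     : {build_s1(user)}")
    print(f"serial : {keygen(user)}")
```

Worked by hand for the constructed name "Ab1": 'A' (65) + 50 = 115, 'b' (98) + 52 = 150, '1' (49) + 48 = 97, so S1 = "11515097"; reversed that is "79051511", and adding 0x34 to each digit and taking Hex() gives "6B6D646965696565". Because S1 only ever contains decimal digits, a valid serial consists solely of the byte pairs 64..6D, which is a quick sanity check on whatever the script prints.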