好友
阅读权限10
听众
最后登录1970-1-1
|
枫笑九洲
发表于 2016-3-24 14:06
本帖最后由 枫笑九洲 于 2016-3-24 14:11 编辑
【文章标题】: 160个CrackMe之086
【文章作者】: 枫笑九洲
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
以前一直不敢搞P-Code,今天刚好有空,就静下心来调试下。
1、如何判断一个VB程序是不是为P-Code,主要看他入口函数中有没有msvbvm60.MethCallEngine这个函数
2、调试P-Code的工具,这里我主要用到的是OD和Exdec,这两款工具
3、P-Code简介:我个人认为,P-Code就是画了一张命令表,然后用一个一个的字节码去取中间的命令,
进行相关的操作,不知道这样理解对不对
下载086,用OD载入吧:
0040107C - FF25 00104000 jmp dword ptr ds:[<&MSVBVM60.MethCallEng>; msvbvm60.MethCallEngine
00401082 - FF25 2C104000 jmp dword ptr ds:[<&MSVBVM60.#100>] ; msvbvm60.ThunRTMain
00401088 > 68 FCA54200 push zerocool.0042A5FC
0040108D E8 F0FFFFFF call <jmp.&MSVBVM60.#100>
00401092 0000 add byte ptr ds:[eax],al
然后运行起来,同时我们用Exdec也载入
Proc: 42d59c
42D508: 04 FLdRfVar local_0088
42D50B: 05 ImpAdLdRf: 42e4fc
42D50E: 24 NewIfNullPr 42bf78
42D511: 0d VCallHresult CVBApplication::get_Clipboard
42D516: 08 FLdPr local_0088
42D519: 0d VCallHresult CVBApplication::ge88寞��仵�
42D51E: 1a FFree1Ad local_0088
42D521: f5 LitI4: 0x0 0 (....)
42D526: 1b LitStr: NMSCMW50
42D529: 04 FLdRfVar local_0090
42D52C: 34 CStr2Ansi
我们在exdec中向下看,找找看有没有可用的东西:
Proc: 42d818
42D5D4: 04 FLdRfVar local_008C
42D5D7: 21 FLdPrThis
42D5D8: 0f VCallAd text
42D5DB: 19 FStAdFunc local_0088
42D5DE: 08 FLdPr local_0088
42D5E1: 0d VCallHresult get__ipropTEXTEDIT
看到42D5E1就是读取输入框的信息,(别问我是为什么,我也是靠猜的,大牛说过,破解靠的50%的技术,50%的猜测。)
Proc: 42d818 这个应该就是那个按钮事件
我们在数据窗口定位到0042D5D4,在04上下个内存访问断点,点“Check”按钮,我们来到这:
7348D153 8A06 mov al,byte ptr ds:[esi]
7348D155 46 inc esi ; zerocool.0042D5D4
7348D156 FF2485 5CD44873 jmp dword ptr ds:[eax*4+0x7348D45C] ; msvbvm60.7348EABB
7348D15D 0FB736 movzx esi,word ptr ds:[esi]
7348D160 0375 A8 add esi,dword ptr ss:[ebp-0x58] ; zerocool.0042D5D4
这里就是一个一个的读字节码去进行相关的操作,
42D5DB: 19 FStAdFunc local_0088
42D5DE: 08 FLdPr local_0088
42D5E1: 0d VCallHresult get__ipropTEXTEDIT
42D5E6: 6c ILdRf local_008C '得注册名
42D5E9: 1b LitStr:
42D5EC: Lead0/30 EqStr
42D5EE: 2f FFree1Str local_008C
42D5F1: 1a FFree1Ad local_0088
42D5F4: 1c BranchF: 42D62B '注册名为空则出错误提示,不为空跳转
42D5F7: 27 LitVar_Missing
42D5FA: 27 LitVar_Missing
42D5FD: 3a LitVarStr: ( local_00BC ) Name required!
42D602: 4e FStVarCopyObj local_00CC
42D605: 04 FLdRfVar local_00CC
42D608: f5 LitI4: 0x30 48 (...0)
42D60D: 3a LitVarStr: ( local_009C ) Entering a name would help!
42D612: 4e FStVarCopyObj local_00AC
42D615: 04 FLdRfVar local_00AC
42D618: 0a ImpAdCallFPR4: rtcMsgBox
42D61D: 36 FFreeVar
42D628: 1e Branch: 42d815
42D62B: 28 LitVarI2: ( local_00DC ) 0x1 (1) mov [ebp-DC],2
42D630: 04 FLdRfVar local_011C
42D633: 04 FLdRfVar local_008C
42D636: 21 FLdPrThis
42D637: 0f VCallAd text 获得句柄
42D63A: 19 FStAdFunc local_0088
42D63D: 08 FLdPr local_0088
42D640: 0d VCallHresult get__ipropTEXTEDIT ‘得注册名
42D645: 6c ILdRf local_008C
42D648: 4a FnLenStr ’注册名长度
42D649: Lead2/69 CVarI4 local_00BC
42D64D: 2f FFree1Str local_008C
42D650: 1a FFree1Ad local_0088
42D653: Lead3/68 ForVar: (when done) 42D6B5 ,for循环
42D659: 04 FLdRfVar local_008C
42D65C: 21 FLdPrThis
42D65D: 0f VCallAd text
42D660: 19 FStAdFunc local_0088
42D663: 08 FLdPr local_0088
42D666: 0d VCallHresult get__ipropTEXTEDIT
42D66B: 04 FLdRfVar local_014C
42D66E: 28 LitVarI2: ( local_00CC ) 0x1 (1)
42D673: 04 FLdRfVar local_011C mov [ebp-11c],0x2
42D676: Lead1/22 CI4Var call vbai4var
42D678: 3e FLdZeroAd local_008C ,注册名入栈
42D67B: 46 CVarStr local_00AC 注册名长度入栈
42D67E: 04 FLdRfVar local_00EC
42D681: 0a ImpAdCallFPR4: rtcMidCharVar
42D686: 04 FLdRfVar local_00EC
42D689: Lead2/fe CStrVarVal local_0150
42D68D: 0b ImpAdCallI2 rtcAnsiValueBstr 得ascii码
42D692: 44 CVarI2 local_00BC
42D695: Lead0/94 AddVar local_010C 注册名ascii码相加
42D699: Lead1/f6 FStVar local_014C ....
42D69D: 2f FFree1Str local_0150
42D6A0: 1a FFree1Ad local_0088
42D6A3: 36 FFreeVar
42D6AC: 04 FLdRfVar local_011C
42D6AF: Lead3/7e NextStepVar: (continue) 42D659 注册名ascii码累加
42D6B5: 04 FLdRfVar local_014C 0012f50c
42D6B8: 04 FLdRfVar local_008C
42D6BB: 21 FLdPrThis
42D6BC: 0f VCallAd text
42D6BF: 19 FStAdFunc local_0088
42D6C2: 08 FLdPr local_0088
42D6C5: 0d VCallHresult get__ipropTEXTEDIT 得注册名
42D6CA: 6c ILdRf local_008C
42D6CD: 4a FnLenStr '注册名长度
42D6CE: Lead2/69 CVarI4 local_009C
42D6D2: Lead0/ef ConcatVar ‘字符串连接,上面累加的和与注册名长度相连
42D6D6: Lead1/f6 FStVar local_014C‘结果A保存在[ebp-14C] A=8718
42D6DA: 2f FFree1Str local_008C
42D6DD: 1a FFree1Ad local_0088
42D6E0: 04 FLdRfVar local_014C
42D6E3: Lead3/c4 LitVarR8
42D6EF: Lead0/b4 MulVar ‘B=Ax1.7=14820.4
42D6F3: fa LitDate: 2.10000 弹2.1到ST0 ST2
42D6FC: fa LitDate: 3.34000 弹3.34到ST0 ST1
42D705: fa LitDate: 2.70000 弹2.7到ST0 ST0
42D70E: Lead0/cf PwrR8R8 求3.34^2.7次方到ST0 ST1=2.1
42D710: b3 MulR8 ST0=ST0*ST1=54.49
42D711: Lead2/6b CVarR8 保存结果到0012f55c
42D715: Lead0/ac IDvVar 14820除54=274 存0012f54c
42D719: Lead1/f6 FStVar local_0160
42D71D: 04 FLdRfVar local_014C
42D720: 04 FLdRfVar local_0160
42D723: Lead3/c4 LitVarR8
42D72F: Lead0/b4 MulVar 'C=274x2.918=799.532 存0012f56c
42D733: Lead0/94 AddVar local_00CC D=C+A=9517.532
42D737: Lead1/f6 FStVar local_0170 保存结果D到0012f4a8
42D73B: 04 FLdRfVar local_014C
42D73E: 04 FLdRfVar local_0160
42D741: Lead0/94 AddVar local_00AC 274+A=8992
42D745: 04 FLdRfVar local_0170
42D748: Lead0/94 AddVar local_00CC 8992+D=18509.532
42D74C: Lead1/f6 FStVar local_0180 保存结果
42D750: 35 FFree1Var local_00AC
42D753: 04 FLdRfVar local_014C
42D756: 04 FLdRfVar local_0160
42D759: Lead0/94 AddVar local_00AC ‘274+A=8992
42D75D: 04 FLdRfVar local_0170
42D760: Lead3/c4 LitVarR8
42D76C: Lead0/ac IDvVar 9517.532除1.213 四舍五入 9518除1=9518
42D770: Lead0/94 AddVar local_00EC 9518+8992=E
42D774: Lead1/f6 FStVar local_0190
42D778: 35 FFree1Var local_00AC
42D77B: 04 FLdRfVar local_014C
42D77E: 04 FLdRfVar local_0160
42D781: Lead0/94 AddVar local_00AC '274+A=8992
42D785: 04 FLdRfVar local_0170
42D788: Lead0/94 AddVar local_00CC D+8992=18509.532
42D78C: 04 FLdRfVar local_0180
42D78F: 04 FLdRfVar local_0190
42D792: Lead0/b4 MulVar E*18509.532=342611437.32
42D796: Lead0/94 AddVar local_010C 18509.532+342611437.32=342629946.852
42D79A: 3a LitVarStr: ( local_009C ) ]qcc[
42D79F: Lead0/ef ConcatVar 字符相连 342629946.852与]qcc[相连
42D7A3: Lead1/f6 FStVar local_014C
42D7A7: 36 FFreeVar
42D7B0: 04 FLdRfVar local_008C
42D7B3: 21 FLdPrThis
42D7B4: 0f VCallAd text
42D7B7: 19 FStAdFunc local_0088
42D7BA: 08 FLdPr local_0088
42D7BD: 0d VCallHresult get__ipropTEXTEDIT 获得注册码
42D7C2: 3e FLdZeroAd local_008C
42D7C5: 46 CVarStr local_00AC [ebp-AC]入栈,假码地址[ebp-AC+8]
42D7C8: 5d HardType
42D7C9: 04 FLdRfVar local_014C [ebp-14C]入栈,真码地址[ebp-14C+8]
42D7CC: Lead0/40 NeVarBool 真码假码比较,
42D7CE: 1a FFree1Ad local_0088
42D7D1: 35 FFree1Var local_00AC
42D7D4: 1c BranchF: 42D802 相等则跳向注册成功,爆破在此,1c改1e
注册名:qianyicy
注册码:342629946.852]qcc[
算法在上面,自己整理下就好
--------------------------------------------------------------------------------
【版权声明】: 本文原创于枫笑九洲, 转载请注明作者并保持文章的完整, 谢谢!
2016年03月24日 13:59:09
|
-
-
注册机.rar
361.83 KB, 下载次数: 2, 下载积分: 吾爱币 -1 CB
免费评分
-
查看全部评分
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
