CM正脸照一张:
我并不是大神,就是一个菜鸟,所以哪里有错误还请大佬们指出来。
0x0 寻找按钮事件
首先PEID查壳:
可以发现这个CM是使用VB编写。
打开CM,随便输入一串注册码,然后点击[Check it]可以发现程序弹出一个信息框
在OD中给rtcMsgBox下断点,断下后返回程序领空,向上找到这个按钮事件的函数头00404230即可。
0x1 拆解反调试-时间戳检测
这个CM中有检测是否被单步调试的代码,用的是msvbvm60!rtcGetTimer:取两次时间,用两次的差值来判断。
检测方法大致是这样的:
/* Timing check used by this crackme: two rtcGetTimer() reads bracket the protected code,
   and a gap above the threshold is taken to mean execution was paused (e.g. single-stepped). */
[C] 纯文本查看 复制代码 a = rtcGetTimer();   /* first timestamp, taken before the protected code */
... // other operations (the protected code runs here)
b = rtcGetTimer();   /* second timestamp, taken after it */
if(b - a > 5)        /* elapsed time above 5 (timer units are not stated in this post) is treated as evidence of a debugger */
DEBUGGED;            /* debugger-detected path */
else
NODEBUGGED;          /* normal path */
其实这个检测很容易绕过:只需要在判断的地方下断点,然后直接F9运行到断点处(中间不要单步),两次取时间的差值就不会超过阈值。
在这个CM中,这个判断在这里:
[Asm] 纯文本查看 复制代码 00404476 . 83F8 05 cmp eax,0x5
那么给这条指令下断,然后F9直接运行到这里就可以了。
0x2 分析算法 首先:CM取出用户输入的Serial [Asm] 纯文本查看 复制代码 0040454B . 51 push ecx
0040454C . 53 push ebx
0040454D . 8B03 mov eax,dword ptr ds:[ebx]
0040454F . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; 获取Serial 然后取出长度 检测大小是否小于5,如果小于5就失败。 [Asm] 纯文本查看 复制代码 0040456D > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84]
00404573 . 52 push edx ; Serial
00404574 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; msvbvm60.__vbaLenBstr
0040457A . 33DB xor ebx,ebx
0040457C . 83F8 05 cmp eax,0x5
0040457F . 0f9cc3 setl bl
00404582 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404588 . F7DB neg ebx
0040458A . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00404590 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404596 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
0040459C . 66:3BDF cmp bx,di ; 如果Serial的长度小于5则转移
0040459F . 0F85 39090000 jnz BJCM30A.00404EDE ; 失败 然后检测Serial的每个字节是不是都相等(例如:111111111) (代码中的循环次数是从0开始) [Asm] 纯文本查看 复制代码 00404616 > \8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; Serial
0040461C . 51 push ecx
0040461D . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; msvbvm60.__vbaLenBstr
00404623 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax ; Serial的长度 当做循环总次数
00404629 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
0040462F . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404635 . 52 push edx
00404636 . 8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
0040463C . 50 push eax
0040463D . 8D95 64FEFFFF lea edx,dword ptr ss:[ebp-0x19C]
00404643 . 51 push ecx
00404644 . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-0x18C]
0040464A . 52 push edx
0040464B . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
0040464E . 50 push eax
0040464F . 51 push ecx
00404650 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3
0040465A . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1
00404664 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2
0040466E . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; msvbvm60.__vbaVarForInit
00404674 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
0040467A . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax
00404680 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00404686 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0040468C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00404692 . 8B1D DC104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
00404698 > 39BD 30FEFFFF cmp dword ptr ss:[ebp-0x1D0],edi ; msvbvm60.rtcMidCharBstr
0040469E . 0F84 F5010000 je BJCM30A.00404899
004046A4 . 8B16 mov edx,dword ptr ds:[esi] ; BJCM30A.00406A74
004046A6 . 56 push esi
004046A7 . FF92 08030000 call dword ptr ds:[edx+0x308]
004046AD . 50 push eax
004046AE . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
004046B4 . 50 push eax
004046B5 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004046BB . 8B08 mov ecx,dword ptr ds:[eax]
004046BD . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
004046C3 . 52 push edx
004046C4 . 50 push eax
004046C5 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
004046CB . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004046D1 . 3BC7 cmp eax,edi ; msvbvm60.rtcMidCharBstr
004046D3 . DBE2 fclex
004046D5 . 7D 18 jge short BJCM30A.004046EF
004046D7 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
004046DD . 68 A0000000 push 0xA0
004046E2 . 68 442B4000 push BJCM30A.00402B44
004046E7 . 51 push ecx
004046E8 . 50 push eax
004046E9 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004046EF > 8B16 mov edx,dword ptr ds:[esi] ; BJCM30A.00406A74
004046F1 . 56 push esi
004046F2 . FF92 08030000 call dword ptr ds:[edx+0x308]
004046F8 . 50 push eax
004046F9 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004046FF . 50 push eax
00404700 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00404706 . 8B08 mov ecx,dword ptr ds:[eax]
00404708 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
0040470E . 52 push edx
0040470F . 50 push eax
00404710 . 8985 CCFEFFFF mov dword ptr ss:[ebp-0x134],eax
00404716 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
0040471C . 3BC7 cmp eax,edi ; msvbvm60.rtcMidCharBstr
0040471E . DBE2 fclex
00404720 . 7D 18 jge short BJCM30A.0040473A
00404722 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134]
00404728 . 68 A0000000 push 0xA0
0040472D . 68 442B4000 push BJCM30A.00402B44
00404732 . 51 push ecx
00404733 . 50 push eax
00404734 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
0040473A > B8 01000000 mov eax,0x1
0040473F . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404745 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
0040474B . 8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],eax
00404751 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax
00404757 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040475A . B9 02000000 mov ecx,0x2
0040475F . 52 push edx
00404760 . 50 push eax
00404761 . 898D 48FFFFFF mov dword ptr ss:[ebp-0xB8],ecx
00404767 . 898D 28FFFFFF mov dword ptr ss:[ebp-0xD8],ecx
0040476D . 898D F8FEFFFF mov dword ptr ss:[ebp-0x108],ecx
00404773 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; msvbvm60.__vbaI4Var
00404779 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; Serial
0040477F . 8B3D 54104000 mov edi,dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ; msvbvm60.rtcMidCharBstr
00404785 . 50 push eax
00404786 . 51 push ecx
00404787 . FFD7 call edi ; msvbvm60.rtcMidCharBstr
00404789 . 8BD0 mov edx,eax ; Serial[循环次数]
0040478B . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404791 . FFD3 call ebx ; msvbvm60.__vbaStrMove
00404793 . 50 push eax
00404794 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040479A . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
0040479D . 52 push edx
0040479E . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]
004047A4 . 50 push eax
004047A5 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004047AB . 51 push ecx
004047AC . 52 push edx
004047AD . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; msvbvm60.__vbaVarAdd
004047B3 . 50 push eax
004047B4 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; msvbvm60.__vbaI4Var
004047BA . 50 push eax
004047BB . 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-0x88]
004047C1 . 50 push eax
004047C2 . FFD7 call edi ; msvbvm60.rtcMidCharBstr
004047C4 . 8BD0 mov edx,eax ; Serial[循环次数 + 1]
004047C6 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
004047CC . FFD3 call ebx ; msvbvm60.__vbaStrMove
004047CE . 50 push eax
004047CF . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; msvbvm60.__vbaStrCmp
004047D5 . 8BF8 mov edi,eax ; 如果相等则返回0
004047D7 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
004047DD . F7DF neg edi ; msvbvm60.rtcMidCharBstr
004047DF . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
004047E5 . 51 push ecx
004047E6 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004047EC . 52 push edx
004047ED . 1BFF sbb edi,edi ; msvbvm60.rtcMidCharBstr
004047EF . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
004047F5 . 50 push eax
004047F6 . 47 inc edi ; msvbvm60.rtcMidCharBstr
004047F7 . 51 push ecx
004047F8 . 6A 04 push 0x4
004047FA . F7DF neg edi ; msvbvm60.rtcMidCharBstr
004047FC . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00404802 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
00404808 . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
0040480E . 52 push edx
0040480F . 50 push eax
00404810 . 6A 02 push 0x2
00404812 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; msvbvm60.__vbaFreeObjList
00404818 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
0040481E . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404824 . 51 push ecx
00404825 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
0040482B . 52 push edx
0040482C . 50 push eax
0040482D . 6A 03 push 0x3
0040482F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00404835 . 83C4 30 add esp,0x30
00404838 . 66:85FF test di,di
0040483B . 74 37 je short BJCM30A.00404874 ; 不相等则转移
0040483D . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48] ; 相等则记录循环次数(从0开始)
00404840 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-0xF8]
00404846 . 51 push ecx
00404847 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
0040484D . 52 push edx
0040484E . 50 push eax
0040484F . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],0x1
00404859 . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x2
00404863 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; msvbvm60.__vbaVarAdd
00404869 . 8BD0 mov edx,eax
0040486B . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
0040486E . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
00404874 > 8D8D 64FEFFFF lea ecx,dword ptr ss:[ebp-0x19C]
0040487A . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-0x18C]
00404880 . 51 push ecx
00404881 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00404884 . 52 push edx
00404885 . 50 push eax
00404886 . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; msvbvm60.__vbaVarForNext
0040488C . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax
00404892 . 33FF xor edi,edi ; msvbvm60.rtcMidCharBstr
00404894 .^ E9 FFFDFFFF jmp BJCM30A.00404698 然后将之前记录的循环次数和Serial的长度 - 1比较 如果相等则失败(即Serial的每个字节都相等) [Asm] 纯文本查看 复制代码 004048E4 > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] ; Serial
004048EA . 52 push edx
004048EB . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; msvbvm60.__vbaLenBstr
004048F1 . 83E8 01 sub eax,0x1 ; Serial的长度 - 1
004048F4 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-0xF8]
004048FA . 0F80 AA070000 jo BJCM30A.004050AA
00404900 . 8985 10FFFFFF mov dword ptr ss:[ebp-0xF0],eax
00404906 . 8D45 B8 lea eax,dword ptr ss:[ebp-0x48]
00404909 . 50 push eax
0040490A . 51 push ecx
0040490B . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8003 ; 已记录循环的次数和Serial的长度 - 1比较
00404915 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; msvbvm60.__vbaVarTstEq
0040491B . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404921 . 66:8985 CCFEF>mov word ptr ss:[ebp-0x134],ax ; 不相等返回0
00404928 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
0040492E . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404934 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
0040493A . 66:39BD CCFEF>cmp word ptr ss:[ebp-0x134],di ; di = 0
00404941 . 0F85 97050000 jnz BJCM30A.00404EDE ; 相等则提示失败 然后计算Serial的第一个字节的ASCII码 * Serial的长度和Serial的ASCII码总和(代码中的循环次数是从0开始) [Asm] 纯文本查看 复制代码 004049A6 > \8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84] ; Serial
004049AC . 52 push edx ; BJCM30A.00406A74
004049AD . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; Serial的长度
004049B3 . 8985 00FFFFFF mov dword ptr ss:[ebp-0x100],eax ; 当做循环总次数
004049B9 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
004049BF . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]
004049C5 . 50 push eax
004049C6 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]
004049CC . 51 push ecx
004049CD . 8D85 44FEFFFF lea eax,dword ptr ss:[ebp-0x1BC]
004049D3 . 52 push edx ; BJCM30A.00406A74
004049D4 . 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC]
004049DA . 50 push eax
004049DB . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004049DE . 51 push ecx
004049DF . 52 push edx ; BJCM30A.00406A74
004049E0 . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x3
004049EA . C785 F0FEFFFF>mov dword ptr ss:[ebp-0x110],0x1
004049F4 . C785 E8FEFFFF>mov dword ptr ss:[ebp-0x118],0x2
004049FE . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>] ; msvbvm60.__vbaVarForInit
00404A04 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404A0A . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404A10 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
00404A16 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A1C . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00404A22 > 39BD 2CFEFFFF cmp dword ptr ss:[ebp-0x1D4],edi
00404A28 . 0F84 1D030000 je BJCM30A.00404D4B
00404A2E . 8B06 mov eax,dword ptr ds:[esi] ; BJCM30A.00406A74
00404A30 . 56 push esi
00404A31 . FF90 08030000 call dword ptr ds:[eax+0x308]
00404A37 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404A3D . 50 push eax
00404A3E . 51 push ecx
00404A3F . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00404A45 . 8B10 mov edx,dword ptr ds:[eax]
00404A47 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404A4D . 51 push ecx
00404A4E . 50 push eax
00404A4F . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404A55 . FF92 A0000000 call dword ptr ds:[edx+0xA0] ; msvbvm60.66103DF8
00404A5B . 3BC7 cmp eax,edi
00404A5D . DBE2 fclex
00404A5F . 7D 18 jge short BJCM30A.00404A79
00404A61 . 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-0x12C]
00404A67 . 68 A0000000 push 0xA0
00404A6C . 68 442B4000 push BJCM30A.00402B44
00404A71 . 52 push edx ; BJCM30A.00406A74
00404A72 . 50 push eax
00404A73 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00404A79 > 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-0x84] ; Serial
00404A7F . 50 push eax
00404A80 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 取出Serial的长度
00404A86 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404A8C . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
00404A92 . 51 push ecx
00404A93 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x3
00404A9D . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFromVar_572>] ; msvbvm60.rtcHexBstrFromVar
00404AA3 . 8BD0 mov edx,eax ; 将Serial的长度转换成文本
00404AA5 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404AAB . FFD3 call ebx ; msvbvm60.__vbaStrMove
00404AAD . 8B16 mov edx,dword ptr ds:[esi] ; BJCM30A.00406A74
00404AAF . 56 push esi
00404AB0 . FF92 08030000 call dword ptr ds:[edx+0x308] ; msvbvm60.661042C8
00404AB6 . 50 push eax
00404AB7 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
00404ABD . 50 push eax
00404ABE . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00404AC4 . 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-0xA8]
00404ACA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404AD0 . 6A 01 push 0x1
00404AD2 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00404AD8 . 51 push ecx
00404AD9 . 52 push edx ; BJCM30A.00406A74
00404ADA . 89BD 58FFFFFF mov dword ptr ss:[ebp-0xA8],edi
00404AE0 . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00404AE6 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x9
00404AF0 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.#rtcLeftCharVar_617>] ; msvbvm60.rtcLeftCharVar
00404AF6 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-0xD8]
00404AFC . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404B02 . 50 push eax
00404B03 . 51 push ecx
00404B04 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; msvbvm60.__vbaStrVarVal
00404B0A . 50 push eax ; Serial[0]
00404B0B . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ; msvbvm60.rtcAnsiValueBstr
00404B11 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-0xE8] ; 转换成ASCII码
00404B17 . 66:8985 20FFF>mov word ptr ss:[ebp-0xE0],ax
00404B1E . 52 push edx ; BJCM30A.00406A74
00404B1F . C785 18FFFFFF>mov dword ptr ss:[ebp-0xE8],0x2
00404B29 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBstrFromVar_572>] ; msvbvm60.rtcHexBstrFromVar
00404B2F . 8BD0 mov edx,eax
00404B31 . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-0xA0]
00404B37 . FFD3 call ebx ; msvbvm60.__vbaStrMove
00404B39 . BA 6C294000 mov edx,BJCM30A.0040296C ; UNICODE "*"
00404B3E . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94]
00404B44 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; msvbvm60.__vbaStrCopy
00404B4A . 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-0xA0]
00404B50 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B56 . 89BD 60FFFFFF mov dword ptr ss:[ebp-0xA0],edi
00404B5C . FFD3 call ebx ; msvbvm60.__vbaStrMove
00404B5E . 8B95 64FFFFFF mov edx,dword ptr ss:[ebp-0x9C] ; Serial的长度(文本型)
00404B64 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C] ; 复制到ebp - 0x8C处
00404B6A . 89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi
00404B70 . FFD3 call ebx ; msvbvm60.__vbaStrMove
00404B72 . 8B06 mov eax,dword ptr ds:[esi] ; BJCM30A.00406A74
00404B74 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98] ; 结果保存到ebp - 0x98处
00404B7A . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404B80 . 51 push ecx
00404B81 . 52 push edx ; '*'
00404B82 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404B88 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00404B8E . 51 push ecx ; Serial的第一个字节的ASCII码
00404B8F . 52 push edx ; Serial的长度
00404B90 . 56 push esi
00404B91 . FF90 F8060000 call dword ptr ds:[eax+0x6F8] ; 计算表达式:(Serial[0] * Serial的长度)
00404B97 . 3BC7 cmp eax,edi
00404B99 . 7D 12 jge short BJCM30A.00404BAD
00404B9B . 68 F8060000 push 0x6F8
00404BA0 . 68 B4274000 push BJCM30A.004027B4
00404BA5 . 56 push esi
00404BA6 . 50 push eax
00404BA7 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00404BAD > 8B95 68FFFFFF mov edx,dword ptr ss:[ebp-0x98]
00404BB3 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00404BB6 . 89BD 68FFFFFF mov dword ptr ss:[ebp-0x98],edi
00404BBC . FFD3 call ebx ; 将运算结果复制到ebp - 0x38处
00404BBE . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-0xA0]
00404BC4 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00404BCA . 50 push eax
00404BCB . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
00404BD1 . 51 push ecx
00404BD2 . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-0x90]
00404BD8 . 52 push edx ; BJCM30A.00406A74
00404BD9 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00404BDF . 50 push eax
00404BE0 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404BE6 . 51 push ecx
00404BE7 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404BED . 52 push edx ; BJCM30A.00406A74
00404BEE . 50 push eax
00404BEF . 6A 07 push 0x7
00404BF1 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00404BF7 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-0xA8]
00404BFD . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C03 . 51 push ecx
00404C04 . 52 push edx ; BJCM30A.00406A74
00404C05 . 6A 02 push 0x2
00404C07 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; msvbvm60.__vbaFreeObjList
00404C0D . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-0xE8]
00404C13 . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-0xD8]
00404C19 . 50 push eax
00404C1A . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
00404C20 . 51 push ecx
00404C21 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
00404C27 . 52 push edx ; BJCM30A.00406A74
00404C28 . 50 push eax
00404C29 . 6A 04 push 0x4
00404C2B . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
00404C31 . 8B0E mov ecx,dword ptr ds:[esi] ; BJCM30A.00406A74
00404C33 . 83C4 40 add esp,0x40
00404C36 . 56 push esi
00404C37 . FF91 08030000 call dword ptr ds:[ecx+0x308]
00404C3D . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00404C43 . 50 push eax
00404C44 . 52 push edx ; BJCM30A.00406A74
00404C45 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
00404C4B . 8B08 mov ecx,dword ptr ds:[eax]
00404C4D . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
00404C53 . 52 push edx ; BJCM30A.00406A74
00404C54 . 50 push eax
00404C55 . 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax
00404C5B . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
00404C61 . 3BC7 cmp eax,edi
00404C63 . DBE2 fclex
00404C65 . 7D 18 jge short BJCM30A.00404C7F
00404C67 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
00404C6D . 68 A0000000 push 0xA0
00404C72 . 68 442B4000 push BJCM30A.00402B44
00404C77 . 51 push ecx
00404C78 . 50 push eax
00404C79 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00404C7F > 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404C85 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00404C88 . 52 push edx ; BJCM30A.00406A74
00404C89 . 50 push eax
00404C8A . C785 50FFFFFF>mov dword ptr ss:[ebp-0xB0],0x1
00404C94 . C785 48FFFFFF>mov dword ptr ss:[ebp-0xB8],0x2
00404C9E . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; msvbvm60.__vbaI4Var
00404CA4 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84] ; Serial
00404CAA . 50 push eax ; 循环次数 + 1
00404CAB . 51 push ecx
00404CAC . FF15 54104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCharBstr_631>] ; Serial[循环次数]
00404CB2 . 8BD0 mov edx,eax
00404CB4 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404CBA . FFD3 call ebx ; msvbvm60.__vbaStrMove
00404CBC . 50 push eax
00404CBD . FF15 28104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiValueBstr_516>] ; 转换成ASCII码
00404CC3 . 66:8985 00FFF>mov word ptr ss:[ebp-0x100],ax
00404CCA . 8D55 CC lea edx,dword ptr ss:[ebp-0x34] ; 第一次循环时 结果是0
00404CCD . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]
00404CD3 . 52 push edx ; BJCM30A.00406A74
00404CD4 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00404CDA . 50 push eax ; Serial[循环次数]
00404CDB . 51 push ecx
00404CDC . C785 F8FEFFFF>mov dword ptr ss:[ebp-0x108],0x2
00404CE6 . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; msvbvm60.__vbaVarAdd
00404CEC . 8BD0 mov edx,eax
00404CEE . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404CF1 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; 将结果保存到ebp - 0x34处(结果 = 结果 + Serial[循环次数])
00404CF7 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
00404CFD . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D03 . 52 push edx ; BJCM30A.00406A74
00404D04 . 50 push eax
00404D05 . 6A 02 push 0x2
00404D07 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00404D0D . 83C4 0C add esp,0xC
00404D10 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
00404D16 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00404D1C . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-0xB8]
00404D22 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; msvbvm60.__vbaFreeVar
00404D28 . 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-0x1BC]
00404D2E . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]
00404D34 . 51 push ecx
00404D35 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00404D38 . 52 push edx ; BJCM30A.00406A74
00404D39 . 50 push eax
00404D3A . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>] ; msvbvm60.__vbaVarForNext
00404D40 . 8985 2CFEFFFF mov dword ptr ss:[ebp-0x1D4],eax
00404D46 .^ E9 D7FCFFFF jmp BJCM30A.00404A22 最后就开始验证:Serial的第一个字节的ASCII码 * Serial的长度是否等于Serial的ASCII码总和,如果相等则成功,不相等则失败 [Asm] 纯文本查看 复制代码 00404D4B > \8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404D4E . 51 push ecx
00404D4F . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#rtcHexBst>; 取出结果(Serial的ASCII码总和)
00404D55 . 8BD0 mov edx,eax
00404D57 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-0x90]
00404D5D . FFD3 call ebx
00404D5F . BA 0C294000 mov edx,BJCM30A.0040290C ; UNICODE "="
00404D64 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D6A . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCo>; msvbvm60.__vbaStrCopy
00404D70 . 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-0x90]
00404D76 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404D7C . 89BD 70FFFFFF mov dword ptr ss:[ebp-0x90],edi
00404D82 . FFD3 call ebx
00404D84 . 8B16 mov edx,dword ptr ds:[esi]
00404D86 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C] ; 结果保存到ebp - 0x8C处(不相等则是'0' 相等则是'FFFF')
00404D8C . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
00404D92 . 50 push eax
00404D93 . 51 push ecx ; '='
00404D94 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
00404D9A . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00404D9D . 50 push eax ; Serial中的ASCII码和
00404D9E . 51 push ecx ; Serial[0] * Serial的长度
00404D9F . 56 push esi
00404DA0 . FF92 F8060000 call dword ptr ds:[edx+0x6F8] ; 验证 Serial[0] * Serial的长度 == Serial中的ASCII码和 是否成立
00404DA6 . 3BC7 cmp eax,edi
[Asm] 纯文本查看 复制代码 00404DBC > \8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C] ; 验证结果
00404DC2 . BE 08000000 mov esi,0x8
00404DC7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-0xB8]
00404DCD . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00404DD0 . 89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi
00404DD6 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
00404DDC . 89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00404DE2 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; 将验证结果复制到ecx处
00404DE8 . 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-0x90]
00404DEE . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
00404DF4 . 52 push edx ; BJCM30A.00406A74
00404DF5 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00404DFB . 50 push eax
00404DFC . 51 push ecx
00404DFD . 6A 03 push 0x3
00404DFF . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00404E05 . 83C4 10 add esp,0x10
00404E08 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
00404E0B . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-0xF8]
00404E11 . C785 10FFFFFF>mov dword ptr ss:[ebp-0xF0],BJCM30A.00402B58 ; UNICODE "FFFF"
00404E1B . 52 push edx ; BJCM30A.00406A74
00404E1C . 50 push eax
00404E1D . C785 08FFFFFF>mov dword ptr ss:[ebp-0xF8],0x8008
00404E27 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 变量比较 不相等返回0
00404E2D . 66:85C0 test ax,ax
00404E30 . 0F84 AD000000 je BJCM30A.00404EE3 ; 失败则转移 0x3 计算注册码 由上述代码我们可以知道,成功的条件是:Serial的第一个字节的ASCII码 * Serial的长度 等于 Serial的ASCII码总和(前面之所以要排除“每个字节都相同”的Serial,正是因为那种情况下这个等式恒成立)。我们可以随便设一个Serial,然后在这个Serial的基础上追加新的字符串来满足这个条件。 设:Serial为"_KaQqi" + z(z是后添加的字符串);
Serial的长度为6 + y(6是"_KaQqi"的长度);
Serial的ASCII码和为566 + x(566是"_KaQqi"的ASCII码总和)
其中:Serial的第一个字符是'_' 这个字符的ASCII码是95
则有如下表达式:
95 * (6 + y) = 566 + x   ……(1)
由(1)得:95y = x - 4。不妨假设y = 1,这时x = 95 * 1 + 4 = 99,即字符'c',所以z = "c",Serial为"_KaQqic"。
如果假设y = 2,那么x = 194。
可以将x = 194拆成126('~') + 68('D'),
即z = "~D"或z = "D~",
即Serial为"_KaQqi~D"或"_KaQqiD~"。
不过我比较喜欢"_KaQqi~D"的形式
附:第17个CM(BJCM30A)
BJCM30A.zip