本帖最后由 wbz_007 于 2019-6-18 10:54 编辑
AfKayAs CrackMe #1
vb 无壳
追码,发现是明码,无聊!
如果只是一味想追明码,技能永远不能提高,何况现在的软件有几个明码,所以,分析算法才是硬道理,此 AfKayAs CrackMe #1 ,适合练手,分析如下:
VB 程序,可以查找字符串,或者下断点 BP rtcMsgBox;输入假码运行程序,断下后在堆栈窗口右键返回到调用处,再向上找到段首,代码如下:
; Routine entry (OllyDbg listing, 32-bit x86, Intel operand order; imports come from MSVBVM50).
; Builds the stack frame, links an exception-handler record through fs:[0], saves the
; registers it uses, and strips bit 0 from the object pointer passed at [ebp+0x8].
00402310 > \55 push ebp
00402311 . 8BEC mov ebp, esp
00402313 . 83EC 0C sub esp, 0xC ; room for the dwords later written at [ebp-0xC], [ebp-0x8], [ebp-0x4]
00402316 . 68 26104000 push <jmp.&MSVBVM50.__vbaExceptHandle>; SE handler installation
0040231B . 64:A1 0000000>mov eax, dword ptr fs:[0] ; current head of the exception-handler chain
00402321 . 50 push eax ; becomes the "previous record" link of the new entry
00402322 . 64:8925 00000>mov dword ptr fs:[0], esp ; new record is now the chain head
00402329 . 81EC B0000000 sub esp, 0xB0 ; local variable area
0040232F . 53 push ebx
00402330 . 56 push esi
00402331 . 8B75 08 mov esi, dword ptr ss:[ebp+0x8] ; first stack argument: object pointer (presumably the form instance - confirm)
00402334 . 57 push edi
00402335 . 8BC6 mov eax, esi
00402337 . 83E6 FE and esi, 0xFFFFFFFE ; esi = pointer with bit 0 cleared
0040233A . 8965 F4 mov dword ptr ss:[ebp-0xC], esp
0040233D . 83E0 01 and eax, 0x1 ; eax = bit 0 of the original argument
00402340 . 8B1E mov ebx, dword ptr ds:[esi] ; ebx = first dword of the object, used below as a table of function pointers
00402342 . C745 F8 08104>mov dword ptr ss:[ebp-0x8], AfKayAs_.> ; operand is truncated in the listing
00402349 . 56 push esi
0040234A . 8945 FC mov dword ptr ss:[ebp-0x4], eax ; keep the stripped flag bit
0040234D . 8975 08 mov dword ptr ss:[ebp+0x8], esi ; write the cleaned pointer back to the argument slot
00402350 . FF53 04 call near dword ptr ds:[ebx+0x4] ; table slot +0x4 with the object as argument (AddRef in a COM IUnknown layout - presumably; confirm)
; Fetches the objects the routine works on and reads one string property twice.
;   table slot +0x310 -> object stored at [ebp-0x2C]; pointer cached in [ebp-0xC0], object in [ebp-0xB0]
;   table slot +0x300 -> called twice (pointer cached in [ebp-0xC4]); each result's method at +0xA0
;                        fills a string local: first [ebp-0x18], then [ebp-0x1C]
; The author's annotations further down identify both strings as the user name.
; After each +0xA0 call a negative return value is passed to __vbaHresultCheckObj.
00402353 . 8B83 10030000 mov eax, dword ptr ds:[ebx+0x310] ; accessor at table slot +0x310
00402359 . 33FF xor edi, edi ; edi = 0: used to clear the locals and as the comparand for the status checks
0040235B . 56 push esi
0040235C . 897D E8 mov dword ptr ss:[ebp-0x18], edi ; string local
0040235F . 897D E4 mov dword ptr ss:[ebp-0x1C], edi ; string local
00402362 . 897D E0 mov dword ptr ss:[ebp-0x20], edi ; string local
00402365 . 897D DC mov dword ptr ss:[ebp-0x24], edi ; object local
00402368 . 897D D8 mov dword ptr ss:[ebp-0x28], edi ; object local
0040236B . 897D D4 mov dword ptr ss:[ebp-0x2C], edi ; object local
0040236E . 897D C4 mov dword ptr ss:[ebp-0x3C], edi
00402371 . 897D B4 mov dword ptr ss:[ebp-0x4C], edi
00402374 . 897D A4 mov dword ptr ss:[ebp-0x5C], edi
00402377 . 897D 94 mov dword ptr ss:[ebp-0x6C], edi
0040237A . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0], eax ; cache the +0x310 accessor; it is called again at 004024DE
00402380 . FFD0 call near eax
00402382 . 8D4D D4 lea ecx, dword ptr ss:[ebp-0x2C]
00402385 . 50 push eax ; object returned by the accessor
00402386 . 51 push ecx ; destination local
00402387 . FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaObjSet
0040238D . 8B9B 00030000 mov ebx, dword ptr ds:[ebx+0x300] ; accessor at table slot +0x300
00402393 . 56 push esi
00402394 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0], eax ; keep the object from the +0x310 accessor for 00402409
0040239A . 899D 3CFFFFFF mov dword ptr ss:[ebp-0xC4], ebx ; cache the +0x300 accessor for the second call
004023A0 . FFD3 call near ebx
004023A2 . 8D55 DC lea edx, dword ptr ss:[ebp-0x24]
004023A5 . 50 push eax
004023A6 . 52 push edx
004023A7 . FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaObjSet
004023AD . 8BD8 mov ebx, eax
004023AF . 8D4D E8 lea ecx, dword ptr ss:[ebp-0x18]
004023B2 . 51 push ecx ; out parameter: receives the string
004023B3 . 53 push ebx ; the object itself
004023B4 . 8B03 mov eax, dword ptr ds:[ebx]
004023B6 . FF90 A0000000 call near dword ptr ds:[eax+0xA0] ; method at +0xA0 fills [ebp-0x18] (presumably a Text getter - confirm)
004023BC . 3BC7 cmp eax, edi ; returned status against 0
004023BE . 7D 12 jge short AfKayAs_.004023D2 ; non-negative status: skip the error helper
004023C0 . 68 A0000000 push 0xA0 ; offset of the method that failed
004023C5 . 68 5C1B4000 push AfKayAs_.00401B5C
004023CA . 53 push ebx
004023CB . 50 push eax
004023CC . FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj
004023D2 > 56 push esi
004023D3 . FF95 3CFFFFFF call near dword ptr ss:[ebp-0xC4] ; same +0x300 accessor, second time
004023D9 . 8D55 D8 lea edx, dword ptr ss:[ebp-0x28]
004023DC . 50 push eax
004023DD . 52 push edx
004023DE . FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaObjSet
004023E4 . 8BD8 mov ebx, eax
004023E6 . 8D4D E4 lea ecx, dword ptr ss:[ebp-0x1C]
004023E9 . 51 push ecx ; out parameter: receives the string
004023EA . 53 push ebx
004023EB . 8B03 mov eax, dword ptr ds:[ebx]
004023ED . FF90 A0000000 call near dword ptr ds:[eax+0xA0] ; same +0xA0 method, this time filling [ebp-0x1C]
004023F3 . 3BC7 cmp eax, edi
004023F5 . 7D 12 jge short AfKayAs_.00402409 ; non-negative status: skip the error helper
004023F7 . 68 A0000000 push 0xA0
004023FC . 68 5C1B4000 push AfKayAs_.00401B5C
00402401 . 53 push ebx
00402402 . 50 push eax
00402403 . FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj
; Derives the numeric part of the expected serial from the user name:
;   value = Len(name) * 0x17CFB + character code of the first character of name
; converts it to a string with __vbaStrI4 and hands that string to the method at +0xA4
; of the object kept in [ebp-0xB0] (presumably a Text setter on a control - confirm).
; Both arithmetic steps are followed by jo, so a signed overflow branches to 004026BE.
; NOTE(review): only the name's length and first character feed the value, so every name
; with the same length and first character produces the same number.
00402409 > 8B95 50FFFFFF mov edx, dword ptr ss:[ebp-0xB0] ; object obtained earlier through table slot +0x310
0040240F . 8B45 E4 mov eax, dword ptr ss:[ebp-0x1C] ; user name string
00402412 . 50 push eax ; /String
00402413 . 8B1A mov ebx, dword ptr ds:[edx] ; | ebx = that object's function table, used at 00402458
00402415 . FF15 E4404000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaLenBstr
0040241B . 8BF8 mov edi, eax ; edi = length of the user name
0040241D . 8B4D E8 mov ecx, dword ptr ss:[ebp-0x18] ; ecx = user name string (second copy)
00402420 . 69FF FB7C0100 imul edi, edi, 0x17CFB ; edi = length * 0x17CFB (97531 decimal)
00402426 . 51 push ecx ; /String
00402427 . 0F80 91020000 jo AfKayAs_.004026BE ; | taken if the imul overflowed (push does not change the flags)
0040242D . FF15 F8404000 call near dword ptr ds:[<&MSVBVM50.#5>; \rtcAnsiValueBstr
00402433 . 0FBFD0 movsx edx, ax ; edx = sign-extended 16-bit result: code of the name's first character
00402436 . 03FA add edi, edx ; edi = length * 0x17CFB + first character code
00402438 . 0F80 80020000 jo AfKayAs_.004026BE ; taken if the add overflowed
0040243E . 57 push edi ; integer to convert
0040243F . FF15 E0404000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrI4
00402445 . 8BD0 mov edx, eax ; string form of the value (decimal, per the author's summary)
00402447 . 8D4D E0 lea ecx, dword ptr ss:[ebp-0x20] ; destination string local
0040244A . FF15 70414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrMove
00402450 . 8BBD 50FFFFFF mov edi, dword ptr ss:[ebp-0xB0]
00402456 . 50 push eax ; the converted string
00402457 . 57 push edi ; object that receives it
00402458 . FF93 A4000000 call near dword ptr ds:[ebx+0xA4] ; method at +0xA4 of that object, given the string
0040245E . 85C0 test eax, eax
00402460 . 7D 12 jge short AfKayAs_.00402474 ; non-negative status: skip the error helper
00402462 . 68 A4000000 push 0xA4 ; offset of the method that failed
00402467 . 68 5C1B4000 push AfKayAs_.00401B5C
0040246C . 57 push edi
0040246D . 50 push eax
0040246E . FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj
; Releases the temporaries of the computation step: three string locals through
; __vbaFreeStrList and three object locals through __vbaFreeObjList. Both helpers take a
; count followed by the addresses, and the caller removes the arguments itself (add esp).
00402474 > 8D45 E0 lea eax, dword ptr ss:[ebp-0x20]
00402477 . 8D4D E4 lea ecx, dword ptr ss:[ebp-0x1C]
0040247A . 50 push eax
0040247B . 8D55 E8 lea edx, dword ptr ss:[ebp-0x18]
0040247E . 51 push ecx
0040247F . 52 push edx
00402480 . 6A 03 push 0x3 ; number of strings to free
00402482 . FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeStrList
00402488 . 83C4 10 add esp, 0x10 ; drop the 4 dwords pushed for the call
0040248B . 8D45 D4 lea eax, dword ptr ss:[ebp-0x2C]
0040248E . 8D4D D8 lea ecx, dword ptr ss:[ebp-0x28]
00402491 . 8D55 DC lea edx, dword ptr ss:[ebp-0x24]
00402494 . 50 push eax
00402495 . 51 push ecx
00402496 . 52 push edx
00402497 . 6A 03 push 0x3 ; number of objects to release
00402499 . FF15 F4404000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeObjList
0040249F . 8B06 mov eax, dword ptr ds:[esi] ; reload the object's function table for the call at 004024A5
004024A1 . 83C4 10 add esp, 0x10 ; drop the 4 dwords pushed for the call
; Reads the two strings that the comparison step uses:
;   table slot +0x304 -> object -> method +0xA0 -> [ebp-0x18]  (the serial typed by the user, per the author)
;   cached +0x310 accessor in [ebp-0xC0] -> object -> method +0xA0 -> [ebp-0x1C]
;     (the same object that received the computed number at 00402458)
; ebx holds the address of __vbaObjSet for both calls; a negative status from +0xA0 goes to
; __vbaHresultCheckObj.
004024A4 . 56 push esi
004024A5 . FF90 04030000 call near dword ptr ds:[eax+0x304] ; accessor at table slot +0x304
004024AB . 8B1D 0C414000 mov ebx, dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaObjSet
004024B1 . 50 push eax
004024B2 . 8D45 DC lea eax, dword ptr ss:[ebp-0x24]
004024B5 . 50 push eax
004024B6 . FFD3 call near ebx ; <&MSVBVM50.__vbaObjSet>
004024B8 . 8BF8 mov edi, eax
004024BA . 8D55 E8 lea edx, dword ptr ss:[ebp-0x18]
004024BD . 52 push edx ; out parameter: receives the string
004024BE . 57 push edi
004024BF . 8B0F mov ecx, dword ptr ds:[edi]
004024C1 . FF91 A0000000 call near dword ptr ds:[ecx+0xA0] ; fills [ebp-0x18]
004024C7 . 85C0 test eax, eax
004024C9 . 7D 12 jge short AfKayAs_.004024DD ; non-negative status: skip the error helper
004024CB . 68 A0000000 push 0xA0
004024D0 . 68 5C1B4000 push AfKayAs_.00401B5C
004024D5 . 57 push edi
004024D6 . 50 push eax
004024D7 . FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj
004024DD > 56 push esi
004024DE . FF95 40FFFFFF call near dword ptr ss:[ebp-0xC0] ; cached accessor from table slot +0x310
004024E4 . 50 push eax
004024E5 . 8D45 D8 lea eax, dword ptr ss:[ebp-0x28]
004024E8 . 50 push eax
004024E9 . FFD3 call near ebx ; ebx still points at __vbaObjSet
004024EB . 8BF0 mov esi, eax ; esi is reused for this object from here on
004024ED . 8D55 E4 lea edx, dword ptr ss:[ebp-0x1C]
004024F0 . 52 push edx ; out parameter: receives the string
004024F1 . 56 push esi
004024F2 . 8B0E mov ecx, dword ptr ds:[esi]
004024F4 . FF91 A0000000 call near dword ptr ds:[ecx+0xA0] ; fills [ebp-0x1C]
004024FA . 85C0 test eax, eax
004024FC . 7D 12 jge short AfKayAs_.00402510 ; non-negative status: skip the error helper
004024FE . 68 A0000000 push 0xA0
00402503 . 68 5C1B4000 push AfKayAs_.00401B5C
00402508 . 56 push esi
00402509 . 50 push eax
0040250A . FF15 04414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj
; Builds the expected serial and compares it with the entered one.
; __vbaStrCat joins the literal at 00401B70 ("AKA-", per the author) with the number string;
; the result is moved into [ebp-0x20] and passed to __vbaStrCmp together with the entered
; serial that was pushed first. The neg/sbb/inc/neg sequence turns the compare result into
; a flag in esi: 0xFFFFFFFF when the strings are equal, 0 otherwise.
; NOTE(review): the full expected serial exists in cleartext in memory right before the
; compare, which is why the author calls the check a plain-text one.
00402510 > 8B45 E8 mov eax, dword ptr ss:[ebp-0x18] ; eax = serial entered by the user
00402513 . 8B4D E4 mov ecx, dword ptr ss:[ebp-0x1C] ; ecx = number string read back at 004024F4 (author: length * 0x17CFB + first character code)
00402516 . 8B3D 00414000 mov edi, dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrCat
0040251C . 50 push eax ; entered serial: stays on the stack for the __vbaStrCmp call below
0040251D . 68 701B4000 push AfKayAs_.00401B70 ; literal "AKA-" (the author's fixed prefix)
00402522 . 51 push ecx ; /number string (the computed part of the serial)
00402523 . FFD7 call near edi ; \__vbaStrCat
00402525 . 8B1D 70414000 mov ebx, dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrMove
0040252B . 8BD0 mov edx, eax ; concatenated string
0040252D . 8D4D E0 lea ecx, dword ptr ss:[ebp-0x20] ; destination string local
00402530 . FFD3 call near ebx ; <&MSVBVM50.__vbaStrMove>
00402532 . 50 push eax ; expected serial
00402533 . FF15 28414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrCmp
00402539 . 8BF0 mov esi, eax ; compare result; the code below treats 0 as "equal"
0040253B . 8D55 E0 lea edx, dword ptr ss:[ebp-0x20]
0040253E . F7DE neg esi ; carry flag = (result != 0)
00402540 . 8D45 E8 lea eax, dword ptr ss:[ebp-0x18]
00402543 . 52 push edx
00402544 . 1BF6 sbb esi, esi ; esi = 0 if equal, 0xFFFFFFFF if different
00402546 . 8D4D E4 lea ecx, dword ptr ss:[ebp-0x1C]
00402549 . 50 push eax
0040254A . 46 inc esi ; esi = 1 if equal, 0 if different
0040254B . 51 push ecx
0040254C . 6A 03 push 0x3 ; number of strings to free
0040254E . F7DE neg esi ; esi = 0xFFFFFFFF if equal, 0 if different
00402550 . FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeStrList
00402556 . 83C4 10 add esp, 0x10 ; drop the 4 dwords pushed for the call
00402559 . 8D55 D8 lea edx, dword ptr ss:[ebp-0x28]
0040255C . 8D45 DC lea eax, dword ptr ss:[ebp-0x24]
0040255F . 52 push edx
00402560 . 50 push eax
00402561 . 6A 02 push 0x2 ; number of objects to release
00402563 . FF15 F4404000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeObjList
00402569 . 83C4 0C add esp, 0xC ; drop the 3 dwords pushed for the call
; Branches on the comparison flag in si (set at 0040254E: non-zero means the serial matched).
; Before the branch, three 16-byte slots at [ebp-0x6C], [ebp-0x5C] and [ebp-0x4C] each get
; 0xA at offset 0 and 0x80020004 at offset 8. That matches VARIANTs of type VT_ERROR holding
; DISP_E_PARAMNOTFOUND, i.e. omitted optional arguments - presumably for the message-box
; call that follows outside this excerpt; confirm.
; The listing in the post stops at 00402599; the routine continues beyond it.
0040256C . B9 04000280 mov ecx, 0x80020004 ; DISP_E_PARAMNOTFOUND
00402571 . B8 0A000000 mov eax, 0xA ; 10 = VT_ERROR
00402576 . 894D 9C mov dword ptr ss:[ebp-0x64], ecx
00402579 . 66:85F6 test si, si ; sets ZF when the flag is 0 (mismatch); the mov instructions below leave the flags alone
0040257C . 8945 94 mov dword ptr ss:[ebp-0x6C], eax
0040257F . 894D AC mov dword ptr ss:[ebp-0x54], ecx
00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C], eax
00402585 . 894D BC mov dword ptr ss:[ebp-0x44], ecx
00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C], eax
0040258B . 74 58 je short AfKayAs_.004025E5 ; taken on mismatch -> failure path (author's note: patch point; if the jump is taken the check fails)
0040258D . 68 801B4000 push AfKayAs_.00401B80 ; UNICODE "You Get It"
00402592 . 68 9C1B4000 push AfKayAs_.00401B9C ; ASCII "\r"
00402597 . FFD7 call near edi ; edi still holds the address of __vbaStrCat loaded at 00402516
00402599 . 8BD0 mov edx, eax ; concatenated success text
算法:
第一部分:作者预设字符 :AKA-
第二部分(也就是真码的数字部分):用户名长度乘以 0x17CFB,再加上用户名第一位字符的字符码(rtcAnsiValueBstr 的返回值),结果取十进制字符串。(注:用户名不要用汉字)
两部分加在一起,便是注册码
附上练习文件 AfKayAs CrackMe #1、注册机,以及易语言的注册机工程文件
附件:
CrackMe#1and注册机及易语言工程文件.rar
(8.04 KB, 下载次数: 6)