solly
Posted on 2019-7-12 09:53
This post was last edited by solly on 2019-7-12 10:49
CrackMe 064, "execution", from the set of 160 CrackMes is a VB program compiled to native code (not p-code), and it is not packed.
Load the CrackMe in OD (OllyDbg) and press F9 to run it. It asks for a user name and a registration code; enter anything, as in the figure below:
After entering them, click "Register" to verify. Since the information is wrong, an error dialog pops up:
Since there is string information, look at the string resources first. For VB programs the string resources are Unicode, so right-click and choose "Ultra String Reference" --> "2 Find UNICODE" to search the program's string resources. As shown below, we find the string we need:
Double-click that string to arrive at the position shown below:
The exact code location is as follows:
[Asm]
0040DBFC > 8B35 10F14000 mov esi, dword ptr [<&MSVBVM50.__vbaStrCat>] ; MSVBVM50.__vbaStrCat
0040DC02 . 68 E8D44000 push 0040D4E8 ; you lamer!!! cant crack this?!
0040DC07 . 68 6CD34000 push 0040D36C ; /\n\n
0040DC0C . FFD6 call esi ; \__vbaStrCat()
A string concatenation function uses this string resource.
We trace back from here, as shown below:
On the line at 0x0040DBFC, right-click, choose "je from 0040DB9C" in the "Go to" menu, and trace back to the position shown below:
You can see the reference to the success string: "nice going!!! you cracked the crackme!". If the jump is not taken, registration succeeded, so the code from here upward is the registration verification code. A little further up you find the call to the VB string comparison function, at the position shown below:
The exact code location:
[Asm]
0040DB4C . 8D4D D0 lea ecx, dword ptr [ebp-30]
0040DB4F . FFD3 call ebx ; (MSVBVM50.__vbaStrMove)
0040DB51 . 50 push eax ; StrCmp argument 1, eax ===> "17190"
0040DB52 . FF15 40F14000 call dword ptr [<&MSVBVM50.__vbaStrCmp>] ; MSVBVM50.__vbaStrCmp
0040DB58 . 8BF0 mov esi, eax ; eax == 0: equal; eax == 1: not equal
This is a plaintext comparison of the registration code: eax points to the string "17190", which is the correct registration code.
Go back to the CrackMe and enter the correct registration code "17190", as shown below:
Click "Register" again and you will see the success message:
So far we have found the registration verification code. Now let's analyze the registration process in detail. The complete routine is as follows:
[Asm]
0040D8F0 > \55 push ebp
0040D8F1 . 8BEC mov ebp, esp
0040D8F3 . 83EC 0C sub esp, 0C
0040D8F6 . 68 36104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; install SEH handler
0040D8FB . 64:A1 00000000 mov eax, dword ptr fs:[0]
0040D901 . 50 push eax
0040D902 . 64:8925 00000000 mov dword ptr fs:[0], esp
0040D909 . 81EC AC000000 sub esp, 0AC
0040D90F . 53 push ebx
0040D910 . 8B5D 08 mov ebx, dword ptr [ebp+8]
0040D913 . 8BC3 mov eax, ebx
0040D915 . 56 push esi
0040D916 . 83E3 FE and ebx, FFFFFFFE
0040D919 . 57 push edi
0040D91A . 8965 F4 mov dword ptr [ebp-C], esp
0040D91D . 83E0 01 and eax, 1
0040D920 . 8B33 mov esi, dword ptr [ebx]
0040D922 . C745 F8 10104000 mov dword ptr [ebp-8], 00401010
0040D929 . 53 push ebx
0040D92A . 8945 FC mov dword ptr [ebp-4], eax
0040D92D . 895D 08 mov dword ptr [ebp+8], ebx
0040D930 . FF56 04 call dword ptr [esi+4] ; ds:[0040E2F8]=740C25FE (MSVBVM50.BASIC_CLASS_AddRef)
0040D933 . 33FF xor edi, edi ; edi == 0, int sum = 0
0040D935 . 53 push ebx
0040D936 . 897D E8 mov dword ptr [ebp-18], edi
0040D939 . 897D D8 mov dword ptr [ebp-28], edi
0040D93C . 897D D4 mov dword ptr [ebp-2C], edi
0040D93F . 897D D0 mov dword ptr [ebp-30], edi
0040D942 . 897D CC mov dword ptr [ebp-34], edi
0040D945 . 897D BC mov dword ptr [ebp-44], edi ; name
0040D948 . 897D AC mov dword ptr [ebp-54], edi
0040D94B . 897D 9C mov dword ptr [ebp-64], edi
0040D94E . 897D 8C mov dword ptr [ebp-74], edi
0040D951 . 89BD 7CFFFFFF mov dword ptr [ebp-84], edi
0040D957 . FF96 04030000 call dword ptr [esi+304] ; ds:[0040E5F8]=741CC350 (MSVBVM50.741CC350), Get Object
0040D95D . 8D4D BC lea ecx, dword ptr [ebp-44] ; Var_0019F18C: 09 00 00 00 18 F2 19 00 FC A8 72 02 00 00 00 00
0040D960 . 8D55 AC lea edx, dword ptr [ebp-54]
0040D963 . 51 push ecx ; argument, ECX
0040D964 . 52 push edx ; return value (VT_BSTR) Var_0019F17C (08 00) 00 00 F4 E2 40 00 (74 48 6C 00) FC A8 72 02, points to the uppercased user name
0040D965 . 8945 C4 mov dword ptr [ebp-3C], eax ; reference address
0040D968 . C745 BC 09000000 mov dword ptr [ebp-44], 9 ; data type: VT_DISPATCH
0040D96F . FF15 3CF14000 call dword ptr [<&MSVBVM50.#528>] ; ds:[0040F13C]=7419F8B3 (MSVBVM50.rtcUpperCaseVar), converts the user name to upper case
0040D975 . 8D45 AC lea eax, dword ptr [ebp-54]
0040D978 . 50 push eax ; eax == (VT_BSTR) Var_0019F17C (08 00) 00 00 F4 E2 40 00 (74 48 6C 00) FC A8 72 02, points to the uppercased user name
0040D979 . FF15 F4F04000 call dword ptr [<&MSVBVM50.__vbaStrVarMove>] ; (MSVBVM50.__vbaStrVarMove), EAX ===> "SOLLY"
0040D97F . 8B1D 8CF14000 mov ebx, dword ptr [<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove
0040D985 . 8BD0 mov edx, eax ; src (edx)
0040D987 . 8D4D D8 lea ecx, dword ptr [ebp-28] ; dest (ecx) ecx ===> "SOLLY"
0040D98A . FFD3 call ebx ; (MSVBVM50.__vbaStrVarMove); <&MSVBVM50.__vbaStrMove>
0040D98C . 8D4D AC lea ecx, dword ptr [ebp-54]
0040D98F . 8D55 BC lea edx, dword ptr [ebp-44]
0040D992 . 51 push ecx
0040D993 . 52 push edx
0040D994 . 6A 02 push 2
0040D996 . FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0040D99C . 8B45 D8 mov eax, dword ptr [ebp-28] ; eax ===> "SOLLY"
0040D99F . 83C4 0C add esp, 0C
0040D9A2 . 50 push eax ; /String
0040D9A3 . FF15 F8F04000 call dword ptr [<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr, gets the length of the user name
0040D9A9 . 8BC8 mov ecx, eax ; ecx == 0x00000005, length of the user name
0040D9AB . FF15 44F14000 call dword ptr [<&MSVBVM50.__vbaI2I4>] ; MSVBVM50.__vbaI2I4
0040D9B1 . 8985 48FFFFFF mov dword ptr [ebp-B8], eax ; eax == 0x0005, length of the user name
0040D9B7 . BE 01000000 mov esi, 1 ; int i=1
0040D9BC > 66:3BB5 48FFFFFF cmp si, word ptr [ebp-B8] ; while (i<=len(name)) //// start of the calculation loop
0040D9C3 . 0F8F 3A010000 jg 0040DB03
0040D9C9 . 8D4D D8 lea ecx, dword ptr [ebp-28] ; [ecx] ===> "SOLLY"
0040D9CC . 8D55 BC lea edx, dword ptr [ebp-44]
0040D9CF . 0FBFC6 movsx eax, si ; int index = i
0040D9D2 . 894D 84 mov dword ptr [ebp-7C], ecx
0040D9D5 . 52 push edx ; /Length8, [edx] === 0
0040D9D6 . 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84] ; |
0040D9DC . 50 push eax ; |Start == i
0040D9DD . 8D55 AC lea edx, dword ptr [ebp-54] ; |
0040D9E0 . 51 push ecx ; |dString8, [[eax]] ===> "SOLLY"
0040D9E1 . 52 push edx ; |RetBUFFER
0040D9E2 . C745 C4 01000000 mov dword ptr [ebp-3C], 1 ; |
0040D9E9 . C745 BC 02000000 mov dword ptr [ebp-44], 2 ; |
0040D9F0 . C785 7CFFFFFF 08400>mov dword ptr [ebp-84], 4008 ; |
0040D9FA . FF15 30F14000 call dword ptr [<&MSVBVM50.#632>] ; \rtcMidCharVar(name, i, 1), takes the characters of the user name one at a time in the loop; the ASCII value is taken below
0040DA00 . 8D45 AC lea eax, dword ptr [ebp-54]
0040DA03 . 50 push eax ; eax === (0019F17C (08 00) 72 02 02 00 00 00 (CC 43 6C 00) 00 00 00 00) ===> "S"
0040DA04 . FF15 F4F04000 call dword ptr [<&MSVBVM50.__vbaStrVarMove>] ; MSVBVM50.__vbaStrVarMove
0040DA0A . 8BD0 mov edx, eax ; eax ===> "S"
0040DA0C . 8D4D E8 lea ecx, dword ptr [ebp-18] ; ecx ===> "S"
0040DA0F . FFD3 call ebx ; ebx=740DF8DA (MSVBVM50.__vbaStrMove)
0040DA11 . 8D4D AC lea ecx, dword ptr [ebp-54]
0040DA14 . 8D55 BC lea edx, dword ptr [ebp-44]
0040DA17 . 51 push ecx
0040DA18 . 52 push edx
0040DA19 . 6A 02 push 2
0040DA1B . FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0040DA21 . 8B45 E8 mov eax, dword ptr [ebp-18] ; eax ===> "S", name[i]
0040DA24 . 83C4 0C add esp, 0C
0040DA27 . 50 push eax ; /String
0040DA28 . FF15 08F14000 call dword ptr [<&MSVBVM50.#516>] ; \(MSVBVM50.rtcAnsiValueBstr), EAX == ASC(name[i]), gets the ASCII value of the user-name character
0040DA2E . 66:2D 4000 sub ax, 40 ; EAX == ASC(name[i]) - 0x40
0040DA32 . 0F80 A1020000 jo 0040DCD9
0040DA38 . 66:69C0 8200 imul ax, ax, 82 ; AX = ((ASC(name[i]) - 0x40) * 0x82)
0040DA3D . 0F80 96020000 jo 0040DCD9
0040DA43 . 66:03C7 add ax, di
0040DA46 . 0F80 8D020000 jo 0040DCD9
0040DA4C . 66:05 5000 add ax, 50
0040DA50 . 0F80 83020000 jo 0040DCD9
0040DA56 . 66:05 5000 add ax, 50
0040DA5A . 0F80 79020000 jo 0040DCD9
0040DA60 . 66:05 5000 add ax, 50
0040DA64 . 0F80 6F020000 jo 0040DCD9
0040DA6A . 66:05 5000 add ax, 50
0040DA6E . 0F80 65020000 jo 0040DCD9
0040DA74 . 66:05 5000 add ax, 50
0040DA78 . 0F80 5B020000 jo 0040DCD9
0040DA7E . 66:05 5000 add ax, 50
0040DA82 . 0F80 51020000 jo 0040DCD9
0040DA88 . 66:05 5000 add ax, 50
0040DA8C . 0F80 47020000 jo 0040DCD9
0040DA92 . 66:05 5000 add ax, 50
0040DA96 . 0F80 3D020000 jo 0040DCD9
0040DA9C . 66:05 5000 add ax, 50
0040DAA0 . 0F80 33020000 jo 0040DCD9
0040DAA6 . 66:05 5000 add ax, 50
0040DAAA . 0F80 29020000 jo 0040DCD9
0040DAB0 . 66:05 5000 add ax, 50
0040DAB4 . 0F80 1F020000 jo 0040DCD9
0040DABA . 66:05 5000 add ax, 50
0040DABE . 0F80 15020000 jo 0040DCD9
0040DAC4 . 66:05 5000 add ax, 50
0040DAC8 . 0F80 0B020000 jo 0040DCD9
0040DACE . 66:05 5000 add ax, 50
0040DAD2 . 0F80 01020000 jo 0040DCD9
0040DAD8 . 66:05 5000 add ax, 50
0040DADC . 0F80 F7010000 jo 0040DCD9
0040DAE2 . 66:05 5000 add ax, 50
0040DAE6 . 0F80 ED010000 jo 0040DCD9
0040DAEC . 8BF8 mov edi, eax ; sum = sum + ((ASC(name[i]) - 0x40) * 0x82) + 0x50*0x10
0040DAEE . B8 01000000 mov eax, 1
0040DAF3 . 66:03C6 add ax, si ; i++
0040DAF6 . 0F80 DD010000 jo 0040DCD9
0040DAFC . 8BF0 mov esi, eax
0040DAFE .^ E9 B9FEFFFF jmp 0040D9BC ; Wend /// end of loop; accumulates sum = sum + 0x50*0x10 + ((ASC(name[i]) - 0x40) * 0x82), one iteration per character of the user name; edi == sum == 0x00004326 == 17190
0040DB03 > 8B45 08 mov eax, dword ptr [ebp+8]
0040DB06 . 50 push eax
0040DB07 . 8B08 mov ecx, dword ptr [eax]
0040DB09 . FF91 FC020000 call dword ptr [ecx+2FC] ; ds:[0040E5F0]=741CC340 (MSVBVM50.741CC340)
0040DB0F . 8D55 CC lea edx, dword ptr [ebp-34]
0040DB12 . 50 push eax
0040DB13 . 52 push edx
0040DB14 . FF15 20F14000 call dword ptr [<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet
0040DB1A . 8BF0 mov esi, eax
0040DB1C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DB1F . 51 push ecx
0040DB20 . 56 push esi
0040DB21 . 8B06 mov eax, dword ptr [esi]
0040DB23 . FF90 A0000000 call dword ptr [eax+A0] ; ds:[02723378]=7411A5B6 (MSVBVM50.7411A5B6),Get TextBox.Text
0040DB29 . 85C0 test eax, eax
0040DB2B . 7D 12 jge short 0040DB3F
0040DB2D . 68 A0000000 push 0A0
0040DB32 . 68 10D44000 push 0040D410
0040DB37 . 56 push esi
0040DB38 . 50 push eax
0040DB39 . FF15 14F14000 call dword ptr [<&MSVBVM50.__vbaHresultCheckObj>] ; MSVBVM50.__vbaHresultCheckObj
0040DB3F > 8B55 D4 mov edx, dword ptr [ebp-2C] ; edx ===> "7878787878"
0040DB42 . 52 push edx ; StrCmp argument 2, edx ===> "7878787878"
0040DB43 . 57 push edi ; str(sum) argument
0040DB44 . FF15 E8F04000 call dword ptr [<&MSVBVM50.__vbaStrI2>] ; MSVBVM50.__vbaStrI2
0040DB4A . 8BD0 mov edx, eax ; eax ===> "17190"
0040DB4C . 8D4D D0 lea ecx, dword ptr [ebp-30]
0040DB4F . FFD3 call ebx ; (MSVBVM50.__vbaStrMove)
0040DB51 . 50 push eax ; StrCmp argument 1, eax ===> "17190"
0040DB52 . FF15 40F14000 call dword ptr [<&MSVBVM50.__vbaStrCmp>] ; MSVBVM50.__vbaStrCmp
0040DB58 . 8BF0 mov esi, eax ; eax == 0: equal; eax == 1: not equal
0040DB5A . 8D45 D0 lea eax, dword ptr [ebp-30]
0040DB5D . F7DE neg esi
0040DB5F . 1BF6 sbb esi, esi
0040DB61 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DB64 . 50 push eax
0040DB65 . 46 inc esi
0040DB66 . 51 push ecx
0040DB67 . 6A 02 push 2
0040DB69 . F7DE neg esi ; esi == 0: not equal
0040DB6B . FF15 78F14000 call dword ptr [<&MSVBVM50.__vbaFreeStrList>] ; MSVBVM50.__vbaFreeStrList
0040DB71 . 83C4 0C add esp, 0C
0040DB74 . 8D4D CC lea ecx, dword ptr [ebp-34]
0040DB77 . FF15 9CF14000 call dword ptr [<&MSVBVM50.__vbaFreeObj>] ; MSVBVM50.__vbaFreeObj
0040DB7D . B9 04000280 mov ecx, 80020004
0040DB82 . B8 0A000000 mov eax, 0A
0040DB87 . 66:85F6 test si, si ; check the serial comparison result; si == 0: not equal
0040DB8A . 894D 94 mov dword ptr [ebp-6C], ecx
0040DB8D . 8945 8C mov dword ptr [ebp-74], eax
0040DB90 . 894D A4 mov dword ptr [ebp-5C], ecx
0040DB93 . 8945 9C mov dword ptr [ebp-64], eax
0040DB96 . 894D B4 mov dword ptr [ebp-4C], ecx
0040DB99 . 8945 AC mov dword ptr [ebp-54], eax
0040DB9C . 74 5E je short 0040DBFC
0040DB9E . 8B35 10F14000 mov esi, dword ptr [<&MSVBVM50.__vbaStrCat>] ; MSVBVM50.__vbaStrCat
0040DBA4 . 68 24D44000 push 0040D424 ; nice going!!! you cracked the crackme!
0040DBA9 . 68 6CD34000 push 0040D36C ; /\n\n
0040DBAE . FFD6 call esi ; \__vbaStrCat
0040DBB0 . 8BD0 mov edx, eax
0040DBB2 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DBB5 . FFD3 call ebx
0040DBB7 . 50 push eax
0040DBB8 . 68 84D44000 push 0040D484 ; contact hackerg or death to get your present...
0040DBBD . FFD6 call esi
0040DBBF . 8945 C4 mov dword ptr [ebp-3C], eax
0040DBC2 . 8D55 8C lea edx, dword ptr [ebp-74]
0040DBC5 . 8D45 9C lea eax, dword ptr [ebp-64]
0040DBC8 . 52 push edx
0040DBC9 . 8D4D AC lea ecx, dword ptr [ebp-54]
0040DBCC . 50 push eax
0040DBCD . 51 push ecx
0040DBCE . 8D55 BC lea edx, dword ptr [ebp-44]
0040DBD1 . 6A 00 push 0
0040DBD3 . 52 push edx
0040DBD4 . C745 BC 08000000 mov dword ptr [ebp-44], 8
0040DBDB . FF15 1CF14000 call dword ptr [<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
0040DBE1 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DBE4 . FF15 A0F14000 call dword ptr [<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0040DBEA . 8D45 8C lea eax, dword ptr [ebp-74]
0040DBED . 8D4D 9C lea ecx, dword ptr [ebp-64]
0040DBF0 . 50 push eax
0040DBF1 . 8D55 AC lea edx, dword ptr [ebp-54]
0040DBF4 . 51 push ecx
0040DBF5 . 8D45 BC lea eax, dword ptr [ebp-44]
0040DBF8 . 52 push edx
0040DBF9 . 50 push eax
0040DBFA . EB 5C jmp short 0040DC58
0040DBFC > 8B35 10F14000 mov esi, dword ptr [<&MSVBVM50.__vbaStrCat>] ; MSVBVM50.__vbaStrCat
0040DC02 . 68 E8D44000 push 0040D4E8 ; you lamer!!! cant crack this?!
0040DC07 . 68 6CD34000 push 0040D36C ; /\n\n
0040DC0C . FFD6 call esi ; \__vbaStrCat()
0040DC0E . 8BD0 mov edx, eax
0040DC10 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DC13 . FFD3 call ebx
0040DC15 . 50 push eax
0040DC16 . 68 2CD54000 push 0040D52C ; try again...
0040DC1B . FFD6 call esi ; __vbaStrCat()
0040DC1D . 8D4D 8C lea ecx, dword ptr [ebp-74]
0040DC20 . 8945 C4 mov dword ptr [ebp-3C], eax
0040DC23 . 8D55 9C lea edx, dword ptr [ebp-64]
0040DC26 . 51 push ecx
0040DC27 . 8D45 AC lea eax, dword ptr [ebp-54]
0040DC2A . 52 push edx
0040DC2B . 50 push eax
0040DC2C . 8D4D BC lea ecx, dword ptr [ebp-44]
0040DC2F . 6A 00 push 0
0040DC31 . 51 push ecx
0040DC32 . C745 BC 08000000 mov dword ptr [ebp-44], 8
0040DC39 . FF15 1CF14000 call dword ptr [<&MSVBVM50.#595>] ; (MSVBVM50.rtcMsgBox)
0040DC3F . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DC42 . FF15 A0F14000 call dword ptr [<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0040DC48 . 8D55 8C lea edx, dword ptr [ebp-74]
0040DC4B . 8D45 9C lea eax, dword ptr [ebp-64]
0040DC4E . 52 push edx
0040DC4F . 8D4D AC lea ecx, dword ptr [ebp-54]
0040DC52 . 50 push eax
0040DC53 . 8D55 BC lea edx, dword ptr [ebp-44]
0040DC56 . 51 push ecx
0040DC57 . 52 push edx
0040DC58 > 6A 04 push 4
0040DC5A . FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0040DC60 . 83C4 14 add esp, 14
0040DC63 . C745 FC 00000000 mov dword ptr [ebp-4], 0
0040DC6A . 68 BADC4000 push 0040DCBA
0040DC6F . EB 38 jmp short 0040DCA9
0040DC71 . 8D45 D0 lea eax, dword ptr [ebp-30]
0040DC74 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0040DC77 . 50 push eax
0040DC78 . 51 push ecx
0040DC79 . 6A 02 push 2
0040DC7B . FF15 78F14000 call dword ptr [<&MSVBVM50.__vbaFreeStrList>] ; MSVBVM50.__vbaFreeStrList
0040DC81 . 83C4 0C add esp, 0C
0040DC84 . 8D4D CC lea ecx, dword ptr [ebp-34]
0040DC87 . FF15 9CF14000 call dword ptr [<&MSVBVM50.__vbaFreeObj>] ; MSVBVM50.__vbaFreeObj
0040DC8D . 8D55 8C lea edx, dword ptr [ebp-74]
0040DC90 . 8D45 9C lea eax, dword ptr [ebp-64]
0040DC93 . 52 push edx
0040DC94 . 8D4D AC lea ecx, dword ptr [ebp-54]
0040DC97 . 50 push eax
0040DC98 . 8D55 BC lea edx, dword ptr [ebp-44]
0040DC9B . 51 push ecx
0040DC9C . 52 push edx
0040DC9D . 6A 04 push 4
0040DC9F . FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0040DCA5 . 83C4 14 add esp, 14
0040DCA8 . C3 retn
0040DCA9 > 8B35 A0F14000 mov esi, dword ptr [<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0040DCAF . 8D4D E8 lea ecx, dword ptr [ebp-18]
0040DCB2 . FFD6 call esi ; <&MSVBVM50.__vbaFreeStr>
0040DCB4 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0040DCB7 . FFE6 jmp esi
0040DCB9 . C3 retn
0040DCBA . 8B45 08 mov eax, dword ptr [ebp+8]
0040DCBD . 50 push eax
0040DCBE . 8B08 mov ecx, dword ptr [eax]
0040DCC0 . FF51 08 call dword ptr [ecx+8]
0040DCC3 . 8B4D EC mov ecx, dword ptr [ebp-14]
0040DCC6 . 8B45 FC mov eax, dword ptr [ebp-4]
0040DCC9 . 5F pop edi
0040DCCA . 5E pop esi
0040DCCB . 64:890D 00000000 mov dword ptr fs:[0], ecx
0040DCD2 . 5B pop ebx
0040DCD3 . 8BE5 mov esp, ebp
0040DCD5 . 5D pop ebp
0040DCD6 . C2 0400 retn 4
0040DCD9 > FF15 6CF14000 call dword ptr [<&MSVBVM50.__vbaErrorOverflow>] ; MSVBVM50.__vbaErrorOverflow
0040DCDF . 90 nop
0040DCE0 > 55 push ebp
0040DCE1 . 8BEC mov ebp, esp
0040DCE3 . 83EC 0C sub esp, 0C
0040DCE6 . 68 36104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; install SEH handler
0040DCEB . 64:A1 00000000 mov eax, dword ptr fs:[0]
0040DCF1 . 50 push eax
0040DCF2 . 64:8925 00000000 mov dword ptr fs:[0], esp
0040DCF9 . 83EC 08 sub esp, 8
0040DCFC . 8B45 08 mov eax, dword ptr [ebp+8]
0040DCFF . 53 push ebx
0040DD00 . 8BC8 mov ecx, eax
0040DD02 . 56 push esi
0040DD03 . 24 FE and al, 0FE
0040DD05 . 57 push edi
0040DD06 . 8965 F4 mov dword ptr [ebp-C], esp
0040DD09 . 83E1 01 and ecx, 1
0040DD0C . 8B10 mov edx, dword ptr [eax]
0040DD0E . C745 F8 20104000 mov dword ptr [ebp-8], 00401020
0040DD15 . 50 push eax
0040DD16 . 894D FC mov dword ptr [ebp-4], ecx
0040DD19 . 8945 08 mov dword ptr [ebp+8], eax
0040DD1C . FF52 04 call dword ptr [edx+4]
0040DD1F . FF15 00F14000 call dword ptr [<&MSVBVM50.__vbaEnd>] ; MSVBVM50.__vbaEnd
0040DD25 . C745 FC 00000000 mov dword ptr [ebp-4], 0
0040DD2C . 8B45 08 mov eax, dword ptr [ebp+8]
0040DD2F . 50 push eax
0040DD30 . 8B08 mov ecx, dword ptr [eax]
0040DD32 . FF51 08 call dword ptr [ecx+8]
0040DD35 . 8B4D EC mov ecx, dword ptr [ebp-14]
0040DD38 . 8B45 FC mov eax, dword ptr [ebp-4]
0040DD3B . 5F pop edi
0040DD3C . 5E pop esi
0040DD3D . 64:890D 00000000 mov dword ptr fs:[0], ecx
0040DD44 . 5B pop ebx
0040DD45 . 8BE5 mov esp, ebp
0040DD47 . 5D pop ebp
0040DD48 . C2 0800 retn 8
The key part is the following segment:
[Asm]
0040D99C . 8B45 D8 mov eax, dword ptr [ebp-28] ; eax ===> "SOLLY"
0040D99F . 83C4 0C add esp, 0C
0040D9A2 . 50 push eax ; /String
0040D9A3 . FF15 F8F04000 call dword ptr [<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr, gets the length of the user name
0040D9A9 . 8BC8 mov ecx, eax ; ecx == 0x00000005, length of the user name
0040D9AB . FF15 44F14000 call dword ptr [<&MSVBVM50.__vbaI2I4>] ; MSVBVM50.__vbaI2I4
0040D9B1 . 8985 48FFFFFF mov dword ptr [ebp-B8], eax ; eax == 0x0005, length of the user name
0040D9B7 . BE 01000000 mov esi, 1 ; int i=1
0040D9BC > 66:3BB5 48FFFFFF cmp si, word ptr [ebp-B8] ; While (i<=len(name)) //// start of the calculation loop
0040D9C3 . 0F8F 3A010000 jg 0040DB03
0040D9C9 . 8D4D D8 lea ecx, dword ptr [ebp-28] ; [ecx] ===> "SOLLY"
0040D9CC . 8D55 BC lea edx, dword ptr [ebp-44]
0040D9CF . 0FBFC6 movsx eax, si ; int index = i
0040D9D2 . 894D 84 mov dword ptr [ebp-7C], ecx
0040D9D5 . 52 push edx ; /Length8, [edx] === 0
0040D9D6 . 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84] ; |
0040D9DC . 50 push eax ; |Start == i
0040D9DD . 8D55 AC lea edx, dword ptr [ebp-54] ; |
0040D9E0 . 51 push ecx ; |dString8, [[eax]] ===> "SOLLY"
0040D9E1 . 52 push edx ; |RetBUFFER
0040D9E2 . C745 C4 01000000 mov dword ptr [ebp-3C], 1 ; |
0040D9E9 . C745 BC 02000000 mov dword ptr [ebp-44], 2 ; |
0040D9F0 . C785 7CFFFFFF 0840>mov dword ptr [ebp-84], 4008 ; |
0040D9FA . FF15 30F14000 call dword ptr [<&MSVBVM50.#632>] ; \rtcMidCharVar(name, i, 1), takes the characters of the user name one at a time in the loop; the ASCII value is taken below
0040DA00 . 8D45 AC lea eax, dword ptr [ebp-54]
0040DA03 . 50 push eax ; eax === (0019F17C (08 00) 72 02 02 00 00 00 (CC 43 6C 00) 00 00 00 00) ===> "S"
0040DA04 . FF15 F4F04000 call dword ptr [<&MSVBVM50.__vbaStrVarMove>] ; MSVBVM50.__vbaStrVarMove
0040DA0A . 8BD0 mov edx, eax ; eax ===> "S"
0040DA0C . 8D4D E8 lea ecx, dword ptr [ebp-18] ; ecx ===> "S"
0040DA0F . FFD3 call ebx ; ebx=740DF8DA (MSVBVM50.__vbaStrMove)
0040DA11 . 8D4D AC lea ecx, dword ptr [ebp-54]
0040DA14 . 8D55 BC lea edx, dword ptr [ebp-44]
0040DA17 . 51 push ecx
0040DA18 . 52 push edx
0040DA19 . 6A 02 push 2
0040DA1B . FF15 FCF04000 call dword ptr [<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
0040DA21 . 8B45 E8 mov eax, dword ptr [ebp-18] ; eax ===> "S", name[i]
0040DA24 . 83C4 0C add esp, 0C
0040DA27 . 50 push eax ; /String
0040DA28 . FF15 08F14000 call dword ptr [<&MSVBVM50.#516>] ; \(MSVBVM50.rtcAnsiValueBstr), gets the ASCII value of the user-name character
0040DA2E . 66:2D 4000 sub ax, 40 ; EAX == ASC(name[i]) - 0x40
0040DA32 . 0F80 A1020000 jo 0040DCD9
0040DA38 . 66:69C0 8200 imul ax, ax, 82 ; AX = ((ASC(name[i]) - 0x40) * 0x82)
0040DA3D . 0F80 96020000 jo 0040DCD9
0040DA43 . 66:03C7 add ax, di
0040DA46 . 0F80 8D020000 jo 0040DCD9
0040DA4C . 66:05 5000 add ax, 50
0040DA50 . 0F80 83020000 jo 0040DCD9
0040DA56 . 66:05 5000 add ax, 50
0040DA5A . 0F80 79020000 jo 0040DCD9
0040DA60 . 66:05 5000 add ax, 50
0040DA64 . 0F80 6F020000 jo 0040DCD9
0040DA6A . 66:05 5000 add ax, 50
0040DA6E . 0F80 65020000 jo 0040DCD9
0040DA74 . 66:05 5000 add ax, 50
0040DA78 . 0F80 5B020000 jo 0040DCD9
0040DA7E . 66:05 5000 add ax, 50
0040DA82 . 0F80 51020000 jo 0040DCD9
0040DA88 . 66:05 5000 add ax, 50
0040DA8C . 0F80 47020000 jo 0040DCD9
0040DA92 . 66:05 5000 add ax, 50
0040DA96 . 0F80 3D020000 jo 0040DCD9
0040DA9C . 66:05 5000 add ax, 50
0040DAA0 . 0F80 33020000 jo 0040DCD9
0040DAA6 . 66:05 5000 add ax, 50
0040DAAA . 0F80 29020000 jo 0040DCD9
0040DAB0 . 66:05 5000 add ax, 50
0040DAB4 . 0F80 1F020000 jo 0040DCD9
0040DABA . 66:05 5000 add ax, 50
0040DABE . 0F80 15020000 jo 0040DCD9
0040DAC4 . 66:05 5000 add ax, 50
0040DAC8 . 0F80 0B020000 jo 0040DCD9
0040DACE . 66:05 5000 add ax, 50
0040DAD2 . 0F80 01020000 jo 0040DCD9
0040DAD8 . 66:05 5000 add ax, 50
0040DADC . 0F80 F7010000 jo 0040DCD9
0040DAE2 . 66:05 5000 add ax, 50
0040DAE6 . 0F80 ED010000 jo 0040DCD9
0040DAEC . 8BF8 mov edi, eax ; sum = sum + 0x50*0x10 + ((ASC(name[i]) - 0x40) * 0x82)
0040DAEE . B8 01000000 mov eax, 1
0040DAF3 . 66:03C6 add ax, si ; i++
0040DAF6 . 0F80 DD010000 jo 0040DCD9
0040DAFC . 8BF0 mov esi, eax
0040DAFE .^ E9 B9FEFFFF jmp 0040D9BC ; Wend /// end of loop; accumulates sum = sum + 0x50*0x10 + ((ASC(name[i]) - 0x40) * 0x82), one iteration per character of the user name; edi == sum == 0x00004326 == 17190
This code first gets the length of the user name (call __vbaLenBstr()), then runs a loop over the user name (already converted to upper case) that computes a value from each character and accumulates it; the accumulated value is the registration code. The accumulation formula is:
[Visual Basic]
sum = sum + &H50*&H10 + ((ASC(name[i]) - &H40) * &H82)
Below is a keygen written in C++, tested with Dev-C++:
[C++]
#include <cstdio>   // printf
#include <cstring>  // strlen, strncpy
#include <cctype>   // toupper

int getSN(const char *name);

int main(int argc, char **argv) {
    const char name[] = "solly"; /// set the name as you like
    getSN(name);
    return 0;
}

int getSN(const char *name) {
    char uprName[256];
    int sum = 0;
    size_t n = strlen(name);
    if (n > 255) {
        n = 255;
    }
    strncpy(uprName, name, n);
    uprName[n] = '\0';
    for (size_t i = 0; i < n; i++) {
        /// convert to upper case (a portable replacement for strupr, which only MinGW/MSVC provide)
        uprName[i] = (char)toupper((unsigned char)uprName[i]);
    }
    for (size_t i = 0; i < n; i++) {
        // sum += ((int)uprName[i] - 0x40) * 0x82 + 0x50*0x10;
        sum += ((int)uprName[i] - 64) * 130 + 1280;
    }
    printf("name: %s\ncode: %d\n", name, sum);
    return sum; /// return the serial instead of discarding it
}
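The keygen above computes with a 32-bit int, but the listing shows the CrackMe working on ax/di and guarding every step with jo to __vbaErrorOverflow, so for a long enough name the program raises an overflow error instead of producing a serial. The following is an added example (it is not the author's keygen and not code from the CrackMe) that re-implements the routine at 0040D9BC-0040DAFE with 16-bit arithmetic and reports that trap, using only the constants on the page (0x40, 0x82, sixteen additions of 0x50). It assumes std::toupper is an adequate stand-in for rtcUpperCaseVar on ASCII names. It also makes the weakness of the check explicit: the serial is a short linear function of the name, compared in plaintext by __vbaStrCmp, which is why it can be read straight out of eax.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Added example, not the author's code: emulates the 16-bit serial routine,
// including the signed-overflow trap behind every "jo 0040DCD9".
struct Serial {
    bool overflow;     // true: the routine would reach __vbaErrorOverflow
    std::string text;  // otherwise: the string __vbaStrI2 formats from the 16-bit sum
};

// Signed 16-bit add with the overflow condition the x86 OF flag reports.
static bool add16(int16_t a, int16_t b, int16_t &out) {
    int32_t r = (int32_t)a + (int32_t)b;
    if (r < INT16_MIN || r > INT16_MAX) return false;  // jo would be taken
    out = (int16_t)r;
    return true;
}

// Signed 16-bit multiply (imul r16, r/m16, imm16) with the same OF semantics.
static bool mul16(int16_t a, int16_t b, int16_t &out) {
    int32_t r = (int32_t)a * (int32_t)b;
    if (r < INT16_MIN || r > INT16_MAX) return false;
    out = (int16_t)r;
    return true;
}

Serial serialFor(const std::string &name) {
    int16_t sum = 0;                                      // xor edi, edi
    for (unsigned char c : name) {                        // rtcMidCharVar(name, i, 1), one character per pass
        int16_t ax = (int16_t)std::toupper(c);            // rtcUpperCaseVar + rtcAnsiValueBstr (ASCII assumption)
        if (!add16(ax, -0x40, ax)) return {true, ""};     // sub ax, 40 ; jo
        if (!mul16(ax, 0x82, ax)) return {true, ""};      // imul ax, ax, 82 ; jo
        if (!add16(ax, sum, ax)) return {true, ""};       // add ax, di ; jo
        for (int k = 0; k < 16; ++k) {                    // sixteen "add ax, 50 ; jo" pairs
            if (!add16(ax, 0x50, ax)) return {true, ""};
        }
        sum = ax;                                         // mov edi, eax
    }
    return {false, std::to_string(sum)};                  // __vbaStrI2(sum): a signed 16-bit Integer
}

int main() {
    // Constructed sample names: the page's "solly", a digit-only name (negative serial),
    // and a name long enough to trip the overflow trap.
    const char *names[] = {"solly", "0", "ZZZZZZZZ"};
    for (const char *n : names) {
        Serial s = serialFor(n);
        std::printf("%-10s -> %s\n", n, s.overflow ? "Overflow" : s.text.c_str());
    }
    return 0;
}
```

Two things the 32-bit version hides: a name made of characters below 0x40 (digits, punctuation) gives a negative serial such as "-800" for "0", because __vbaStrI2 formats a signed Integer; and once the running sum passes 32767 the CrackMe never compares anything, it raises an overflow error, so a keygen that silently prints a larger number would hand out a serial the program cannot accept.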
Done!!!