[原创]一个vb pcode CrackMe 分析
发表于: 2011-7-2 13:21 5003
分析过程中使用 VB Explorer 反编译的结果作为参考，并用 WKTVBDebugger 进行调试。菜鸟首发破文，错误之处请大侠指点一下。
附有crackme和注册机
button click的处理函数
识别码的处理函数
提示对话框
注册码的处理函数
——————————————————————————————————————————
注册机:
———————————————————————————————————————————
附件(crackme): vbpcodecrack.zip
附有crackme和注册机
button click的处理函数
[Command1.Click] :00401E2C 0460FF FLdRfVar ;Push LOCAL_00A0 :00401E2F 0474FF FLdRfVar ;Push LOCAL_008C :00401E32 21 FLdPrThis ;[SR]=[stack2] :00401E33 0F0803 VCallAd ;Return the control index 04 ;;控件的索引号 :00401E36 1978FF FStAdFunc ; :00401E39 0878FF FLdPr ;[SR]=[LOCAL_0088] ***********Reference To:[propget]TextBox.Text | :00401E3C 0DA0000300 VCallHresult ;Call ptr_004017A4 ;;取文本框内容,此处为识别码文本框 :00401E41 3E74FF FLdZeroAd ;Push DWORD [LOCAL_008C]; [LOCAL_008C]=0 :00401E44 FDC770FF PopTmpLdAdStr ; ***********Reference To:sub_00402084 | :00401E48 10FC060400 ThisVCallHresult ;Call ptr_00401CAB ;;识别码处理函数 :00401E4D 0460FF FLdRfVar ;Push LOCAL_00A0 :00401E50 6350FF LitVar_TRUE ; :00401E53 5D HardType ; :00401E54 FB33 EqVarBool ; ;;??处理后的校验 这是干什么的 :00401E56 2F70FF FFree1Str ;SysFreeString [LOCAL_0090]; [LOCAL_0090]=0 :00401E59 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0 :00401E5C 3560FF FFree1Var ;Free LOCAL_00A0 :00401E5F 1C6100 BranchF ;If Pop=0 then ESI=00401E8D :00401E62 043CFF FLdRfVar ;Push LOCAL_00C4 :00401E65 0474FF FLdRfVar ;Push LOCAL_008C :00401E68 21 FLdPrThis ;[SR]=[stack2] :00401E69 0F0403 VCallAd ;Return the control index 03 ;;控件的索引号 :00401E6C 1978FF FStAdFunc ; :00401E6F 0878FF FLdPr ;[SR]=[LOCAL_0088] ***********Reference To:[propget]TextBox.Text | :00401E72 0DA0000300 VCallHresult ;Call ptr_004017A4 :00401E77 3E74FF FLdZeroAd ;Push DWORD [LOCAL_008C]; [LOCAL_008C]=0 :00401E7A FDC770FF PopTmpLdAdStr ; ***********Reference To:sub_00402234 | :00401E7E 1000070400 ThisVCallHresult ;Call ptr_00401CBF ;;取注册码值 :00401E83 32040070FF3CFF FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0004/2 times ~ arg :00401E8A 1A78FF FFree1Ad ;Push [LOCAL_0088]; Call [[[LOCAL_0088]]+8]; [[LOCAL_0088]]=0 :00401E8D 13 ExitProcHresult ; :00401E8E 0055 LargeBos ;IDE beginning of line with 55 byte codes
识别码的处理函数
[sub_00402084] ;;识别码的处理函数 :00401FAC FF2E ZeroRetValVar ; :00401FAE 800C00 ILdI4 ;Push DWORD [STACK_000C] :00401FB1 4A FnLenStr ;vbaLenBstr ;取识别码位数 :00401FB2 F50A000000 LitI4 ;Push 0000000A ;;Ah 10入栈 :00401FB7 CC NeI4 ; ;;识别码位数与10是否不等 :00401FB8 1C3100 BranchF ;If Pop=0 then ESI=00401FDD ;;不是不等,既相等则跳 :00401FBB 043CFF FLdRfVar ;Push LOCAL_00C4 :00401FBE 284CFF0000 LitVarI2 ;PushVarInteger 0000 ***********Reference To:sub_00401F60 | :00401FC3 10F8060400 ThisVCallHresult ;Call ptr_00401C97 ;;错误则提示对话框 :00401FC8 3604004CFF3CFF FFreeVar ;Free 0004/2 variants :00401FCF FC665CFF LitVar_FALSE ; :00401FD3 FCF66CFF FStVar ; :00401FD7 FF2F10001000 ExitProcCbHresult ; :00401FDD 280CFF0100 LitVarI2 ;PushVarInteger 0001 ;;,起始值1,到这儿 :00401FE2 042CFF FLdRfVar ;Push LOCAL_00D4 ;;循环变量, :00401FE5 281CFF0500 LitVarI2 ;PushVarInteger 0005;;循环到5 :00401FEA FE68ECFECB00 ForVar ; ;;循环开始 :00401FF0 284CFF0100 LitVarI2 ;PushVarInteger 0001 :00401FF5 042CFF FLdRfVar ;Push LOCAL_00D4 循环变量 :00401FF8 FC22 CI4Var ;vbaI4Var ;;循环变量作为截取字符串的下标 :00401FFA 6C0C00 ILdRf ;Push DWORD [STACK_000C] ;;识别码入栈 :00401FFD 4D5CFF0840 CVarRef ; :00402002 043CFF FLdRfVar ;Push LOCAL_00C4 **********Reference To->msvbvm60.rtcMidCharVar ;;截取 | :00402005 0A05001000 ImpAdCallFPR4 ;Call ptr_00401036; check stack 0010; Push EAX :0040200A 043CFF FLdRfVar ;Push LOCAL_00C4 :0040200D FDFEE8FE CStrVarVal ; **********Reference To->msvbvm60.rtcAnsiValueBstr ;;转换类型 | :00402011 0B06000400 ImpAdCallI2 ;Call ptr_0040103C; check stack 0004; Push EAX :00402016 28A8FE0100 LitVarI2 ;PushVarInteger 0001 :0040201B 042CFF FLdRfVar ;Push LOCAL_00D4 循环变量入栈 :0040201E 280CFF0200 LitVarI2 ;PushVarInteger 0002 ;;push 2 :00402023 FBB4D8FE MulVar ; ;;循环变量乘2 :00402027 FC22 CI4Var ;vbaI4Var ;;作为截取字符串的下标 :00402029 6C0C00 ILdRf ;Push DWORD [STACK_000C] ;;所要截取的识别码入栈 :0040202C 4DC8FE0840 CVarRef ; :00402031 0498FE FLdRfVar ;Push LOCAL_0168 ;;截取的字符存入地址 **********Reference To->msvbvm60.rtcMidCharVar ;;截取 | :00402034 0A05001000 ImpAdCallFPR4 ;Call ptr_00401036; 
check stack 0010; Push EAX :00402039 0498FE FLdRfVar ;Push LOCAL_0168 ;;存入 :0040203C FDFE94FE CStrVarVal ; **********Reference To->msvbvm60.rtcAnsiValueBstr ;;转换 | :00402040 0B06000400 ImpAdCallI2 ;Call ptr_0040103C; check stack 0004; Push EAX :00402045 B1 MulI2 ; ;;将取得的两个字符的ascii码相乘 :00402046 E7 CI4UI1 ; :00402047 042CFF FLdRfVar ;Push LOCAL_00D4 ;;循环变量入栈 :0040204A 2884FE0100 LitVarI2 ;PushVarInteger 0001 ;;push 1 :0040204F FB9C74FE SubVar ; ;;循环变量减1作为存入字符串数组的下标 :00402053 FC22 CI4Var ;vbaI4Var :00402055 080800 FLdPr ;[SR]=[STACK_0008] :00402058 063800 MemLdRfVar ;Push [SR]+STACK_0038 :0040205B A3 Ary1StI4 ; ;;相乘的结果存入字符串数组相应的下标下 :0040205C 320400E8FE94FE FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 0004/2 times ~ arg :00402063 3608004CFF3CFFA8 FFreeVar ;Free 0008/2 variants :0040206E 042CFF FLdRfVar ;Push LOCAL_00D4 :00402071 FE7EECFE4400 NextStepVar ; ;;下一步循环 :00402077 635CFF LitVar_TRUE ; :0040207A FCF66CFF FStVar ; :0040207E FF2F10001000 ExitProcCbHresult ;
提示对话框
[sub_00401F60] 弹出提示对话框 :00401ED8 FF2E ZeroRetValVar ; :00401EDA FD160C004CFF ILdRfDarg ; :00401EE0 285CFF0000 LitVarI2 ;PushVarInteger 0000 :00401EE5 5D HardType ; :00401EE6 FB33 EqVarBool ; :00401EE8 1C3F00 BranchF ;If Pop=0 then ESI=00401F17 :00401EEB 27ECFE LitVar ;PushVar LOCAL_0114 …………………………………… ……………………………………
注册码的处理函数
[sub_00402234] ;;注册码的处理函数 :004020E4 FF2D ZeroRetVal ; :004020E6 F500000000 LitI4 ;Push 00000000 :004020EB F5FFFFFFFF LitI4 ;Push FFFFFFFF ******Possible String Ref To->"-" | :004020F0 3A68FF0700 LitVarStr ;PushVarString ptr_004017C4 ;;字符串“-”入栈 :004020F5 4E58FF FStVarCopyObj ;[LOCAL_00A8]=vbaVarDup(Pop) :004020F8 0458FF FLdRfVar ;Push LOCAL_00A8 :004020FB 800C00 ILdI4 ;Push DWORD [STACK_000C] ;;提取注册码 :004020FE 0448FF FLdRfVar ;Push LOCAL_00B8 **********Reference To->msvbvm60.rtcSplit ;;字符串用‘-’切割 | :00402101 0A08001400 ImpAdCallFPR4 ;Call ptr_00401042; check stack 0014; Push EAX :00402106 0448FF FLdRfVar ;Push LOCAL_00B8 :00402109 FCF638FF FStVar ; ;;??存子字符串值 :0040210D 3558FF FFree1Var ;Free LOCAL_00A8 :00402110 0438FF FLdRfVar ;Push LOCAL_00C8;;??字符串数组指针 :00402113 FC35 CRefVarAry ; ;;??字符串数组指针 :00402115 49 PopAdLd4 ; :00402116 F401 LitI2_Byte ;Push 01 :00402118 FCCB FnUBound ;vbaUbound ;;注册码中‘-’数量 :0040211A F504000000 LitI4 ;Push 00000004 ;;push 4 :0040211F C7 EqI4 ;Push (Pop1 == Pop2) :00402120 1C3301 BranchF ;If Pop=0 then ESI=00402217 ;;不等则跳 :00402123 2808FF0000 LitVarI2 ;PushVarInteger 0000 ;;起始值 :00402128 0428FF FLdRfVar ;Push LOCAL_00D8 ;;循环变量 :0040212B 2818FF0400 LitVarI2 ;PushVarInteger 0004 ;;终值 :00402130 FE68E8FE9700 ForVar ; ;循环开始 :00402136 0428FF FLdRfVar ;Push LOCAL_00D8 ;;循环变量作为下标 :00402139 FD930C40 CDargRef ; :0040213D 0438FF FLdRfVar ;Push LOCAL_00C8 ;;??字符串数组指针 :00402140 FEAE58FF0100 VarIndexLdVar ; ;;取出数组中的一个字符串 :00402146 FBEB48FF FnLenVar ;vbaLenVar ;;取取出的字符串的长度 :0040214A 2818FF0500 LitVarI2 ;PushVarInteger 0005 ;;push 5 :0040214F 5D HardType ; :00402150 FB40 NeVarBool ; ;;是否不等于5 :00402152 3558FF FFree1Var ;Free LOCAL_00A8 :00402155 1C8E00 BranchF ;If Pop=0 then ESI=00402172 ;;不是不等于5,即等于5则跳 :00402158 0448FF FLdRfVar ;Push LOCAL_00B8 :0040215B 2858FF0000 LitVarI2 ;PushVarInteger 0000 ***********Reference To:sub_00401F60 :00402160 10F8060400 ThisVCallHresult ;Call ptr_00401C97 ;;错误提示框 :00402165 36040058FF48FF FFreeVar ;Free 0004/2 variants :0040216C 
FF2F10000400 ExitProcCbHresult ; :00402172 0428FF FLdRfVar ;Push LOCAL_00D8 :00402175 FE7EE8FE5200 NextStepVar ; ;;下一步循环 :0040217B 2868FF0000 LitVarI2 ;PushVarInteger 0000 :00402180 FCF6C8FE FStVar ; :00402184 2808FF0000 LitVarI2 ;PushVarInteger 0000 ;;循环起始值 :00402189 0428FF FLdRfVar ;Push LOCAL_00D8 ;;循环变量 :0040218C 2818FF0400 LitVarI2 ;PushVarInteger 0004 ;;循环终值 :00402191 FE68A8FEEE00 ForVar ; ;;循环开始 :00402197 04C8FE FLdRfVar ;Push LOCAL_0138 ;;给一个值假设result分配空间,??并赋予0 :0040219A 0428FF FLdRfVar ;Push LOCAL_00D8;;循环变量作下标 :0040219D FD930C40 CDargRef ; :004021A1 0438FF FLdRfVar ;Push LOCAL_00C8 ;;注册码分割后的数组指针 :004021A4 FEAE58FF0100 VarIndexLdVar ; ;;取相应字符串 :004021AA FC46 FnCLngVar ;vbaI4ErrVar :004021AC 0428FF FLdRfVar ;Push LOCAL_00D8 ;;循环变量做下标 :004021AF FC22 CI4Var ;vbaI4Var :004021B1 080800 FLdPr ;[SR]=[STACK_0008] ;;识别码处理后的数组基址 :004021B4 063800 MemLdRfVar ;Push [SR]+STACK_0038 :004021B7 9E Ary1LdI4 ; ;;识别码处理后的数组中取相应的值 :004021B8 FB13 XorI4 ; ;;两个数组中相应的值xor :004021BA FD6918FF CVarI4 ; :004021BE FB9448FF AddVar ; ;;一个值 result += xor后的值 :004021C2 FCF6C8FE FStVar ; ;;result存入LOCAL_0138 :004021C6 3558FF FFree1Var ;Free LOCAL_00A8 :004021C9 0428FF FLdRfVar ;Push LOCAL_00D8 ;;循环变量+1 :004021CC FE7EA8FEB300 NextStepVar ; ;;下一步循环 :004021D2 04C8FE FLdRfVar ;Push LOCAL_0138 ;;取result值 :004021D5 2868FF0500 LitVarI2 ;PushVarInteger 0005 ;;push5 :004021DA FBBC58FF DivVar ; ;;result / 5 :004021DE 2818FF3930 LitVarI2 ;PushVarInteger 3039 :004021E3 5D HardType ; :004021E4 FB33 EqVarBool ; ;;是否result / 5??=3039h(12345) :004021E6 1C1C01 BranchF ;If Pop=0 then ESI=00402200 ;;不等则跳向错误 :004021E9 0448FF FLdRfVar ;Push LOCAL_00B8 :004021EC 2858FF0100 LitVarI2 ;PushVarInteger 0001 ***********Reference To:sub_00401F60 ;;成功 | :004021F1 10F8060400 ThisVCallHresult ;Call ptr_00401C97 :004021F6 36040058FF48FF FFreeVar ;Free 0004/2 variants :004021FD 1E3001 Branch ;ESI=00402214 :00402200 0448FF FLdRfVar ;Push LOCAL_00B8 :00402203 2858FF0000 LitVarI2 ;PushVarInteger 0000 ***********Reference 
To:sub_00401F60 | :00402208 10F8060400 ThisVCallHresult ;Call ptr_00401C97 :0040220D 36040058FF48FF FFreeVar ;Free 0004/2 variants :00402214 1E4701 Branch ;ESI=0040222B :00402217 0448FF FLdRfVar ;Push LOCAL_00B8 :0040221A 2858FF0000 LitVarI2 ;PushVarInteger 0000 ***********Reference To:sub_00401F60 | :0040221F 10F8060400 ThisVCallHresult ;Call ptr_00401C97 :00402224 36040058FF48FF FFreeVar ;Free 0004/2 variants :0040222B FF2F10000400 ExitProcCbHresult ; :00402231 0202 SelectCaseByte ;IDE beginning of line with 02 byte codes
——————————————————————————————————————————
注册机:
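/// <summary>
/// Keygen for the VB p-code CrackMe: reads a 10-character, all-digit identification
/// code from stdin and prints the matching registration code as five '-'-separated fields.
/// </summary>
/// <param name="args">Unused command-line arguments.</param>
/// <remarks>
/// Mirrors the checks in the p-code listing: sub_00402084 stores, for i = 1..5, the product
/// of the ANSI values of characters i and 2*i of the identification code; sub_00402234 splits
/// the registration code on '-', requires exactly five fields of length 5, XORs each field
/// with the stored product, sums the results and compares sum / 5 with 0x3039 (12345).
/// Emitting field i = (product ^ 12345) therefore makes every XOR yield 12345. For digit
/// input the product is at most '9'*'9' = 3249, so (product ^ 12345) always has five decimal
/// digits, satisfying the length-5 check.
/// </remarks>
static void Main(string[] args)
{
    Console.WriteLine("请输入验证码:");
    // Console.ReadLine() returns null when stdin is closed; treat that as empty input
    // rather than dereferencing null below.
    string s = Console.ReadLine() ?? "";

    // Re-prompt until the identification code is exactly 10 characters, all ASCII digits.
    // The original parsed with Convert.ToInt32: most 10-digit codes exceed Int32.MaxValue
    // (2147483647) and threw OverflowException, so valid all-digit input was rejected, and
    // "0000000000" parsed to 0 and spun forever in the loop without re-prompting.
    while (true)
    {
        if (s.Length != 10)
        {
            Console.WriteLine("at least 10 ints");
        }
        else if (IsAllDigits(s))
        {
            break;
        }
        else
        {
            Console.WriteLine("请输入纯数字的识别码!");
        }
        Console.WriteLine("请输入验证码:");
        s = Console.ReadLine() ?? "";
    }

    string[] fields = new string[5];
    for (int i = 1; i <= 5; i++)
    {
        // Characters i and 2*i (1-based), as the two rtcMidCharVar calls in sub_00402084
        // take them; for ASCII digits the C# char value equals the ANSI value the CrackMe uses.
        int product = s[i - 1] * s[2 * i - 1];
        // 12345 (0x3039) is the constant the CrackMe compares the averaged XOR sum against.
        fields[i - 1] = (product ^ 12345).ToString();
    }
    Console.WriteLine(string.Join("-", fields));
    Console.ReadKey();
}

/// <summary>
/// Returns true when every character of <paramref name="s"/> is an ASCII decimal digit.
/// ASCII only (not char.IsDigit): non-ASCII digits would not match the ANSI values the
/// CrackMe computes.
/// </summary>
static bool IsAllDigits(string s)
{
    foreach (char c in s)
    {
        if (c < '0' || c > '9')
        {
            return false;
        }
    }
    return true;
}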
———————————————————————————————————————————
附件(crackme): vbpcodecrack.zip