首页
社区
课程
招聘
Wicked Crackme 2 --VB Pcode的PEDIY
发表于: 2005-5-24 07:28 9798

Wicked Crackme 2 --VB Pcode的PEDIY

2005-5-24 07:28
9798

Wicked Crackme 2 by LaFarge 分析
                                                -----一次VB PCode 的PEdiy的尝试
【破解作者】 winndy
【作者邮箱】 CNwinndy@hotmail.com
【使用工具】 PEID v0.93  OllyDbg v1.10 fly修改版 WKTVBDebugger 14e
【破解平台】 Winxp SP2
【目标    】 Wicked Crackme 2 by LaFarge
【下载地址】 http://www.reversing.be/article.php?story=20050510044959202
【编写语言】 vb Pcode
【破解声明】 For study ,For Fun,
【破解说明】 无壳,算法超简单,关键之处在于把原Crackme DIY成注册机,失误之处还望指出
【破解过程】 PEID查壳,vb 编写
   
首先,我还不知道它是Pcode的,
于是用OD载入,在00401030 和00401036下断。
后来觉得程序的运行很特别,于是猜测是Pcode的,改用WKTVBDebugger来调试。

这是OD的分析结果:


00401030     .- FF25 08104000    jmp dword ptr ds:[<&MSVBVM60.#595>]        ;  MSVBVM60.rtcMsgBox
00401036     .- FF25 0C104000    jmp dword ptr ds:[<&MSVBVM60.#631>]        ;  MSVBVM60.rtcMidCharBstr
0040103C     .- FF25 04104000    jmp dword ptr ds:[<&MSVBVM60.#516>]        ;  MSVBVM60.rtcAnsiValueBstr
00401042     .- FF25 1C104000    jmp dword ptr ds:[<&MSVBVM60.__vbaExceptHa>;  MSVBVM60.__vbaExceptHandler
00401048     .- FF25 18104000    jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Qu>;  MSVBVM60.EVENT_SINK_QueryInterface
0040104E     .- FF25 10104000    jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Ad>;  MSVBVM60.EVENT_SINK_AddRef
00401054     .- FF25 14104000    jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_Re>;  MSVBVM60.EVENT_SINK_Release
0040105A     .- FF25 00104000    jmp dword ptr ds:[<&MSVBVM60.MethCallEngin>;  MSVBVM60.MethCallEngine
00401060     $- FF25 20104000    jmp dword ptr ds:[<&MSVBVM60.#100>]        ;  MSVBVM60.ThunRTMain
00401066        00               db 00
00401067        00               db 00
00401068 Wi> $  68 D0134000      push Wicked_C.004013D0


00403A34: 04 FLdRfVar 0012F558h
00403A37: 21 FLdPrThis 001478D8h
00403A38: 0F VCallAd Form1.txtName
00403A3B: 19 FStAdFunc
00403A3E: 08 FLdPr
00403A41: 0D VCallHresult get__ipropTEXTEDIT


00403A46: 3E FLdZeroAd


00403A49: 46 CVarStr


00403A4C: FC Lead1/FStVar
00403A50: 1A FFree1Ad
00403A53: 04 FLdRfVar 0012F558h
00403A56: 21 FLdPrThis 001478D8h
00403A57: 0F VCallAd Form1.txtSerial  00404D70
00403A5A: 19 FStAdFunc 0012F55C
00403A5D: 08 FLdPr 00E00CCCh
00403A60: 0D VCallHresult get__ipropTEXTEDIT 00E00D6C
00403A65: 3E FLdZeroAd
00403A68: 46 CVarStr 0012F538h 00181E24h

00403A6B: FC Lead1/FStVar
00403A6F: 1A FFree1Ad
00403A72: 04 FLdRfVar 0012F548h
00403A75: EB FnLenVar
00403A79: FC Lead1/FStVar
00403A7D: 04 FLdRfVar 0012F528h
00403A80: EB FnLenVar
00403A84: FC Lead1/FStVar
00403A88: 04 FLdRfVar 0012F518h
00403A8B: 28 LitVarI2 0h , 0
00403A90: 5D HardType
00403A91: 33 EqVarBool
00403A93: 1C BranchF 00403ACA ?
00403A96: 27 LitVar_Missing 0012F498h
00403A99: 27 LitVar_Missing 0012F4B8h
00403A9C: 3A LitVarStr 'Error in name'
00403AA1: 4E FStVarCopyObj 0012F4D8h
00403AA4: 04 FLdRfVar 0012F4D8h
00403AA7: F5 LitI4: -> 10h 16
00403AAC: 3A LitVarStr 'Sorry, U must enter a name !!!'
00403AB1: 4E FStVarCopyObj 0012F538h
00403AB4: 04 FLdRfVar 0012F538h
00403AB7: 0A ImpAdCallFPR4 rtcMsgBox on address 73472F29h
00403ABC: 36 FFreeVar -> 4
00403AC7: 1E Branch 00403D51 ?
00403ACA: 04 FLdRfVar 0012F518h
00403ACD: 28 LitVarI2 5h , 5
00403AD2: 5D HardType
00403AD3: 67 LtVarBool
00403AD5: 1C BranchF 00403B0C ?
00403AD8: 27 LitVar_Missing 0012F498h
00403ADB: 27 LitVar_Missing 0012F4B8h
00403ADE: 3A LitVarStr 'Error in name'
00403AE3: 4E FStVarCopyObj 0012F4D8h
00403AE6: 04 FLdRfVar 0012F4D8h
00403AE9: F5 LitI4: -> 10h 16
00403AEE: 3A LitVarStr 'Sorry, name must be 5+ characters long!'
00403AF3: 4E FStVarCopyObj 0012F538h
00403AF6: 04 FLdRfVar 0012F538h
00403AF9: 0A ImpAdCallFPR4 rtcMsgBox on address 73472F29h
00403AFE: 36 FFreeVar -> 4
00403B09: 1E Branch 00403D51 ?
00403B0C: 04 FLdRfVar 0012F508h
00403B0F: 28 LitVarI2 0h , 0
00403B0F: 28 LitVarI2 0h , 0
00403B14: 5D HardType
00403B15: 33 EqVarBool
00403B17: 1C BranchF 00403B4E ?                ==>注册码长度为0吗?
00403B1A: 27 LitVar_Missing 0012F498h
00403B1D: 27 LitVar_Missing 0012F4B8h
00403B20: 3A LitVarStr 'Error in serial'
00403B25: 4E FStVarCopyObj 0012F4D8h

00403B4E: 28 LitVarI2 0012F538h 1h , 1
00403B53: F5 LitI4: -> 1h 1
00403B58: 04 FLdRfVar 0012F548h
00403B5B: FD Lead2/CStrVarVal
00403B5F: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403B64: 23 FStStrNoPop                                           ===>'w'
00403B67: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403B6C: FD CStrUI1                                              ===>119(77h)
00403B6E: 31 FStStr
00403B71: 32 FFreeStr
00403B78: 35 FFree1Var
00403B7B: 6C ILdRf 00000000h
00403B7E: FC Lead1/CR8Str
00403B80: F3 LitI2: -> 3E1h 993                                 ===>******,1st Const
00403B83: EB CR8I2
00403B84: AB AddR8
00403B85: FD Lead2/CVarR8
00403B89: FC Lead1/FStVar
00403B8D: 28 LitVarI2 1h , 1
00403B92: F5 LitI4: -> 2h 2
00403B97: 04 FLdRfVar 0012F548h
00403B9A: FD Lead2/CStrVarVal
00403B9E: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403BA3: 23 FStStrNoPop                                         ===>'i'


00403BA6: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403BAB: 44 CVarI2 0012F4E8h
00403BAE: FC Lead1/FStVar
00403BB2: 32 FFreeStr
00403BB9: 35 FFree1Var
00403BBC: 04 FLdRfVar 0012F474h
00403BBF: 28 LitVarI2 32Ah , 810                           ===>******,2nd Const
00403BC4: 94 AddVar
00403BC8: FC Lead1/FStVar
00403BCC: 28 LitVarI2 1h , 1
00403BD1: F5 LitI4: -> 3h 3


00403BD9: FD Lead2/CStrVarVal
00403BDD: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403BE2: 23 FStStrNoPop
00403BE5: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403BEA: 44 CVarI2
00403BED: FC Lead1/FStVar
00403BF1: 32 FFreeStr
00403BF8: 35 FFree1Var
00403BFB: 04 FLdRfVar 0012F454h
00403BFE: 28 LitVarI2 0012F4F8h 282h , 642         ===>******,3rd Const
00403C03: 94 AddVar
00403C07: FC Lead1/FStVar
00403C0B: 28 LitVarI2 1h , 1
00403C10: F5 LitI4: -> 4h 4
00403C15: 04 FLdRfVar 0012F548h
00403C18: FD Lead2/CStrVarVal
00403C1C: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403C21: 23 FStStrNoPop
00403C24: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403C29: 44 CVarI2
00403C2C: FC Lead1/FStVar
00403C30: 32 FFreeStr
00403C37: 35 FFree1Var
00403C3A: 04 FLdRfVar 0012F434h
00403C3D: 28 LitVarI2 3AFh , 943                ===>******,4th Const
00403C42: 94 AddVar
00403C46: FC Lead1/FStVar
00403C4A: 28 LitVarI2 1h , 1
00403C4F: F5 LitI4: -> 5h 5
00403C54: 04 FLdRfVar 0012F548h
00403C57: FD Lead2/CStrVarVal
00403C5B: 0B ImpAdCallI2 rtcMidCharBstr on address 733B48DFh
00403C60: 23 FStStrNoPop
00403C63: 0B ImpAdCallI2 rtcAnsiValueBstr on address 7347B48Bh
00403C68: 44 CVarI2
00403C6B: FC Lead1/FStVar
00403C6F: 32 FFreeStr
00403C76: 35 FFree1Var
00403C79: 04 FLdRfVar 0012F414h
00403C7C: 28 LitVarI2 300h , 768             ===>******,5th Const
00403C81: 94 AddVar
00403C85: FC Lead1/FStVar
00403C89: 04 FLdRfVar 0012F484h
00403C8C: 3A LitVarStr '-'
00403C91: EF ConcatVar
00403C95: 04 FLdRfVar 0012F464h
00403C98: EF ConcatVar
00403C9C: 3A LitVarStr '-'
00403CA1: EF ConcatVar
00403CA5: 04 FLdRfVar 0012F444h


00403CBC: 3A LitVarStr '-'
00403CC1: EF ConcatVar
00403CC5: 04 FLdRfVar 0012F404h    ;局部变量0012F404h入栈
00403CC8: EF ConcatVar
00403CCC: FC Lead1/FStVar
00403CD0: 36 FFreeVar -> 7
00403CE1: 04 FLdRfVar 0012F528h


[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 7
支持
分享
最新回复 (8)
雪    币: 107
活跃值: (54)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
顶……
2005-5-24 08:02
0
雪    币: 110
活跃值: (13)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2005-5-24 08:30
0
雪    币: 603
活跃值: (617)
能力值: ( LV12,RANK:660 )
在线值:
发帖
回帖
粉丝
4
支持~
2005-5-24 09:08
0
雪    币: 328
活跃值: (925)
能力值: ( LV9,RANK:1010 )
在线值:
发帖
回帖
粉丝
5
支持一下!
2005-5-24 11:48
0
雪    币: 300
活跃值: (412)
能力值: ( LV9,RANK:410 )
在线值:
发帖
回帖
粉丝
6
pcode的diy,学习
2005-5-24 13:14
0
雪    币: 214
活跃值: (70)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
7
厉害厉害啊~~
2005-5-25 12:44
0
雪    币: 458
活跃值: (41)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
Compiled with VB6
Adress of table 1: 401c5c
Searching current directory....
-->VM Located inside the current folder.
This VM version is unsupported ...

在VBDE中遇到这种程序.是P-CODE吗?
2005-5-30 12:16
0
雪    币: 427
活跃值: (412)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
是否P-CODE不需要猜测,只需要查看它的API调用是否存在pro预处理,英文不记得了。这样的VB都是P-CODE。
2005-5-30 12:37
0
游客
登录 | 注册 方可回帖
返回
//