超级简单的VB crackme算法 "破解爱好者crackme"-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

超级简单的VB crackme算法 "破解爱好者crackme"

2005-9-11 13:07 4457

超级简单的VB crackme算法 "破解爱好者crackme"

killl

2005-9-11 13:07

4457

献给所有爱好破解的初学者的Crackme - by 破解爱好者

crackme:http://bbs.pediy.com/upload/2005/37/files/cm1.rar

原来KuNgBiM老大已经在看雪贴了。没有注意。
帖子连接：
http://bbs.pediy.com/showthread.php?s=&threadid=15209

下断方法：__vbaLenBstr

00403582 .  51             push ecx                                     ; /Arg1
00403583 .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00403589 .  8D4E 70       lea ecx,dword ptr ds:[esi+70]
0040358C .  8D55 A0       lea edx,dword ptr ss:[ebp-60]
0040358F .  8945 A8       mov dword ptr ss:[ebp-58],eax
00403592 .  C745 A0 0300000>mov dword ptr ss:[ebp-60],3
00403599 .  FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;  MSVBVM60.__vbaVarMove
0040359F .  8D4D D8       lea ecx,dword ptr ss:[ebp-28]
004035A2 .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;  MSVBVM60.__vbaFreeStr
004035A8 .  8D4D D0       lea ecx,dword ptr ss:[ebp-30]
004035AB .  FF15 E0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ;  MSVBVM60.__vbaFreeObj
004035B1 >  8B96 80000000 mov edx,dword ptr ds:[esi+80]                ;  循环开始
004035B7 .  8D45 A0       lea eax,dword ptr ss:[ebp-60]
004035BA .  50             push eax
004035BB .  8D46 70       lea eax,dword ptr ds:[esi+70]
004035BE .  50             push eax
004035BF .  8955 A8       mov dword ptr ss:[ebp-58],edx
004035C2 .  C745 A0 0380000>mov dword ptr ss:[ebp-60],8003
004035C9 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstLe>]  ;  MSVBVM60.__vbaVarTstLe
004035CF .  66:85C0       test ax,ax
004035D2 .  0F84 AA010000 je 献给所有.00403782                         ;  循环是否结束
004035D8 .  8B96 80000000 mov edx,dword ptr ds:[esi+80]
004035DE .  8D4D C0       lea ecx,dword ptr ss:[ebp-40]
004035E1 .  51             push ecx
004035E2 .  8D46 6C       lea eax,dword ptr ds:[esi+6C]
004035E5 .  8945 A8       mov dword ptr ss:[ebp-58],eax
004035E8 .  52             push edx
004035E9 .  8D45 A0       lea eax,dword ptr ss:[ebp-60]
004035EC .  50             push eax
004035ED .  8D4D B0       lea ecx,dword ptr ss:[ebp-50]
004035F0 .  51             push ecx
004035F1 .  C745 C8 0100000>mov dword ptr ss:[ebp-38],1
004035F8 .  C745 C0 0200000>mov dword ptr ss:[ebp-40],2
004035FF .  C745 A0 0840000>mov dword ptr ss:[ebp-60],4008
00403606 .  FF15 5C104000 call dword ptr ds:[<&MSVBVM60.#632>]          ;  MSVBVM60.rtcMidCharVar
0040360C .  8BBE 80000000 mov edi,dword ptr ds:[esi+80]
00403612 .  81FF 00010000 cmp edi,100
00403618 .  72 06          jb short 献给所有.00403620
0040361A .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateBou>;  MSVBVM60.__vbaGenerateBoundsError
00403620 >  8B46 60       mov eax,dword ptr ds:[esi+60]
00403623 .  8BCF          mov ecx,edi
00403625 .  C1E1 04       shl ecx,4
00403628 .  8D55 B0       lea edx,dword ptr ss:[ebp-50]
0040362B .  03C8          add ecx,eax
0040362D .  FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;  MSVBVM60.__vbaVarMove
00403633 .  8D55 B0       lea edx,dword ptr ss:[ebp-50]
00403636 .  52             push edx
00403637 .  8D45 C0       lea eax,dword ptr ss:[ebp-40]
0040363A .  50             push eax
0040363B .  6A 02          push 2
0040363D .  FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>;  MSVBVM60.__vbaFreeVarList
00403643 .  8BBE 80000000 mov edi,dword ptr ds:[esi+80]
00403649 .  83C4 0C       add esp,0C
0040364C .  81FF 00010000 cmp edi,100
00403652 .  72 06          jb short 献给所有.0040365A
00403654 .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateBou>;  MSVBVM60.__vbaGenerateBoundsError
0040365A >  8B9E 80000000 mov ebx,dword ptr ds:[esi+80]
00403660 .  81FB 00010000 cmp ebx,100
00403666 .  72 06          jb short 献给所有.0040366E
00403668 .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateBou>;  MSVBVM60.__vbaGenerateBoundsError
0040366E >  8B4E 60       mov ecx,dword ptr ds:[esi+60]
00403671 .  C1E7 04       shl edi,4
00403674 .  03F9          add edi,ecx
00403676 .  57             push edi
00403677 .  8D4D D8       lea ecx,dword ptr ss:[ebp-28]
0040367A .  51             push ecx
0040367B .  FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ;  MSVBVM60.__vbaStrVarVal
00403681 .  50             push eax
00403682 .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.#516>]          ;  MSVBVM60.rtcAnsiValueBstr
00403688 .  0FBFD0       movsx edx,ax                                  ;  获得ascii
0040368B .  8B86 80000000 mov eax,dword ptr ds:[esi+80]                ;  位数
00403691 .  6BC0 08       imul eax,eax,8                               ;  eax＝eax*8
00403694 .  0F80 68010000 jo 献给所有.00403802
0040369A .  33D0          xor edx,eax                                  ;  ASCII xor 位数*8
0040369C .  52             push edx                                     ; /Arg1
0040369D .  FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>]    ; \__vbaStrI4
004036A3 .  8BD0          mov edx,eax
004036A5 .  8D4D D4       lea ecx,dword ptr ss:[ebp-2C]
004036A8 .  FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;  MSVBVM60.__vbaStrMove
004036AE .  8B4E 44       mov ecx,dword ptr ds:[esi+44]
004036B1 .  8BD0          mov edx,eax
004036B3 .  8D0C99       lea ecx,dword ptr ds:[ecx+ebx*4]
004036B6 .  FF15 A8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;  MSVBVM60.__vbaStrCopy
004036BC .  8D55 D4       lea edx,dword ptr ss:[ebp-2C]
004036BF .  52             push edx
004036C0 .  8D45 D8       lea eax,dword ptr ss:[ebp-28]
004036C3 .  50             push eax
004036C4 .  6A 02          push 2
004036C6 .  FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>;  MSVBVM60.__vbaFreeStrList
004036CC .  8BBE 80000000 mov edi,dword ptr ds:[esi+80]
004036D2 .  83C4 0C       add esp,0C
004036D5 .  81FF 00010000 cmp edi,100
004036DB .  72 06          jb short 献给所有.004036E3
004036DD .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateBou>;  MSVBVM60.__vbaGenerateBoundsError
004036E3 >  8B4E 44       mov ecx,dword ptr ds:[esi+44]
004036E6 .  8B14B9       mov edx,dword ptr ds:[ecx+edi*4]
004036E9 .  52             push edx                                     ; /Arg1
004036EA .  FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Str>]    ; \__vbaI4Str
004036F0 .  50             push eax                                     ;  转成16进制
004036F1 .  8D45 C0       lea eax,dword ptr ss:[ebp-40]
004036F4 .  50             push eax
004036F5 .  FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#608>]          ;  MSVBVM60.rtcVarBstrFromAnsi
004036FB .  8DBE 84000000 lea edi,dword ptr ds:[esi+84]
00403701 .  8D55 C0       lea edx,dword ptr ss:[ebp-40]
00403704 .  8BCF          mov ecx,edi
00403706 .  FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ;  MSVBVM60.__vbaVarMove
0040370C .  8D4D C0       lea ecx,dword ptr ss:[ebp-40]
0040370F .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ;  MSVBVM60.__vbaFreeVar
00403715 .  8B8E 94000000 mov ecx,dword ptr ds:[esi+94]
0040371B .  57             push edi
0040371C .  8D55 A0       lea edx,dword ptr ss:[ebp-60]
0040371F .  8D9E 94000000 lea ebx,dword ptr ds:[esi+94]
00403725 .  52             push edx
00403726 .  8D45 C0       lea eax,dword ptr ss:[ebp-40]
00403729 .  50             push eax
0040372A .  894D A8       mov dword ptr ss:[ebp-58],ecx
0040372D .  C745 A0 0800000>mov dword ptr ss:[ebp-60],8
00403734 .  FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ;  MSVBVM60.__vbaVarAdd
0040373A .  50             push eax
0040373B .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>;  MSVBVM60.__vbaStrVarMove
00403741 .  8BD0          mov edx,eax                                  ;  得到字符chr()
00403743 .  8D4D D8       lea ecx,dword ptr ss:[ebp-28]
00403746 .  FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ;  MSVBVM60.__vbaStrMove
0040374C .  8BD0          mov edx,eax
0040374E .  8BCB          mov ecx,ebx
00403750 .  FF15 A8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ;  MSVBVM60.__vbaStrCopy
00403756 .  8D4D D8       lea ecx,dword ptr ss:[ebp-28]
00403759 .  FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ;  MSVBVM60.__vbaFreeStr
0040375F .  8D4D C0       lea ecx,dword ptr ss:[ebp-40]
00403762 .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ;  MSVBVM60.__vbaFreeVar
00403768 .  8B8E 80000000 mov ecx,dword ptr ds:[esi+80]
0040376E .  83C1 01       add ecx,1
00403771 .  0F80 8B000000 jo 献给所有.00403802
00403777 .  898E 80000000 mov dword ptr ds:[esi+80],ecx
0040377D .^ E9 2FFEFFFF    jmp 献给所有.004035B1                         ;  继续循环
00403782 >  68 C9374000    push 献给所有.004037C9

很简单，取ascii，xor位数*8，然后转换为16进制，逆序既可以得到注册码：

for i=1 to len(name)
sn=chr(cint("&H" & hex(asc(mid(name,i,1)) xor i*8 ))) & sn
next

没有浮点，适合vb入手。

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

打赏