【破文标题】OCN CrackMe2004算法分析+VB注册机源码
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】hrbx@163.com
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-01-01
【软件名称】OCN Crackme2004
【软件大小】44KB
【下载地址】http://ocn.e5v.com/bbs1/viewthread.php?tid=1114&fpage=1&highlight=&page=1
【加壳方式】无
【软件简介】OCN CrackMe2004
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描,显示为:Microsoft Visual Basic 5.0 / 6.0,无壳。
2.试运行CrackMe。输入注册信息后点击Validate按钮,注册信息被清空,无任何提示。
3.OD载入。命令行下断点:bp __vbaLenBstr,回车,F9运行,输入注册信息:
================================
Name:hrbx
Serial:9876543210
================================
点击Validate按钮,立即中断:
660E5F5F MS> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; 中断在这里
660E5F63 85C0 test eax,eax
660E5F65 74 05 je short MSVBVM60.660E5F6C
660E5F67 8B40 FC mov eax,dword ptr ds:[eax-4]
Alt+F9返回,来到:
004052D1 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBst>
004052D7 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8] ; Alt+F9返回到这里
004052DD . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004052E0 . 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
向上查找,来到00405010 处F2下断,同时命令栏:bc __vbaLenBstr,清除断点
CTRL+F2重新载入程序,F9运行,填入注册信息后点击Validate按钮,中断:
00405010 > \55 push ebp ; F2在此下断,中断后F8往下走
00405011 . 8BEC mov ebp,esp
00405013 . 83EC 0C sub esp,0C
00405016 . 68 56124000 push <jmp.&MSVBVM60.__vbaExceptHandler>
0040501B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00405021 . 50 push eax
00405022 . 64:8925 00000000 mov dword ptr fs:[0],esp
.......................................................
省略部分代码
.......................................................
0040536A > \8B45 C0 mov eax,dword ptr ss:[ebp-40] ; 用户名"hrbx"
0040536D . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405370 . 8945 A0 mov dword ptr ss:[ebp-60],eax
00405373 . 52 push edx
00405374 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00405377 . 57 push edi
00405378 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
0040537E . 50 push eax
0040537F . 51 push ecx
00405380 . C745 90 01000000 mov dword ptr ss:[ebp-70],1
00405387 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
0040538E . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
00405395 . C745 98 08000000 mov dword ptr ss:[ebp-68],8
0040539C . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取用户名每一位字符
004053A2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004053A8 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004053AB . 52 push edx
004053AC . 50 push eax
004053AD . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
004053B3 . 50 push eax
004053B4 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
004053BA . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004053BD . 66:8985 40FFFFFF mov word ptr ss:[ebp-C0],ax ; EAX=68("h")
004053C4 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
004053CA . 51 push ecx
004053CB . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
004053D1 . 52 push edx
004053D2 . 50 push eax
004053D3 . C785 38FFFFFF 02>mov dword ptr ss:[ebp-C8],2
004053DD . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 用户名ASCII值累加,0x1B4
004053E3 . 8BD0 mov edx,eax
004053E5 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
004053E8 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004053EE . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004053F1 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004053F7 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004053FA . FF15 54114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00405400 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00405406 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405409 . 51 push ecx
0040540A . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040540D . 52 push edx
0040540E . 50 push eax
0040540F . 6A 03 push 3
00405411 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00405417 . B8 01000000 mov eax,1
0040541C . 83C4 10 add esp,10
0040541F . 03C7 add eax,edi
00405421 . 0F80 92070000 jo Crackme2.00405BB9
00405427 . 8BF8 mov edi,eax
00405429 .^ E9 EFFEFFFF jmp Crackme2.0040531D
0040542E > B8 02000000 mov eax,2 ; EAX=2
00405433 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00405436 . 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
0040543C . 8985 48FFFFFF mov dword ptr ss:[ebp-B8],eax
00405442 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00405448 . 51 push ecx
00405449 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040544C . 52 push edx
0040544D . 50 push eax
0040544E . FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; 用户名ASCII值累加值/2,0x1B4/2=0xEA
00405454 . 8BD0 mov edx,eax
00405456 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-F4]
0040545C . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00405462 . 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-F4]
00405468 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
0040546E . 51 push ecx
0040546F . 52 push edx
00405470 . C785 50FFFFFF 00>mov dword ptr ss:[ebp-B0],0
0040547A . C785 48FFFFFF 02>mov dword ptr ss:[ebp-B8],8002
00405484 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 判断余数是否为0
0040548A . 66:85C0 test ax,ax ; 即判断用户名ASCII值累加值是奇数还是偶数
0040548D . 0F84 12030000 je Crackme2.004057A5 ; 用户名ASCII值累加值为奇数则跳
00405493 . 8B06 mov eax,dword ptr ds:[esi]
00405495 . 56 push esi
00405496 . FF90 10030000 call dword ptr ds:[eax+310]
0040549C . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
0040549F . 50 push eax
004054A0 . 51 push ecx
004054A1 . FFD3 call ebx
004054A3 . 8BF8 mov edi,eax
004054A5 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
004054A8 . 50 push eax
004054A9 . 57 push edi
004054AA . 8B17 mov edx,dword ptr ds:[edi]
004054AC . FF92 A0000000 call dword ptr ds:[edx+A0]
004054B2 . 85C0 test eax,eax
004054B4 . DBE2 fclex
004054B6 . 7D 12 jge short Crackme2.004054CA
004054B8 . 68 A0000000 push 0A0
004054BD . 68 743D4000 push Crackme2.00403D74
004054C2 . 57 push edi
004054C3 . 50 push eax
004054C4 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>; 用户名ASCII值累加为偶数来到这里
004054CA > 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; 用户名"hrbx"
004054CD . 8B3D 38114000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
004054D3 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004054D6 . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
004054DD . FFD7 call edi
004054DF . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004054E2 . 51 push ecx
004054E3 . E8 580E0000 call Crackme2.00406340 ; 关键CALL-1,F7进入
004054E8 . 8BD0 mov edx,eax ; 用户名运算后得到字符串"yXJfdD"
004054EA . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
004054ED . FFD7 call edi
004054EF . 8B55 B0 mov edx,dword ptr ss:[ebp-50]
004054F2 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004054F5 . C785 34FFFFFF 09>mov dword ptr ss:[ebp-CC],9
004054FF . C745 B0 00000000 mov dword ptr ss:[ebp-50],0
00405506 . FFD7 call edi
00405508 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC] ; 字符串"yXJfdD"
0040550E . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00405511 . 52 push edx
00405512 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00405515 . 50 push eax
00405516 . 51 push ecx
00405517 . E8 341D0000 call Crackme2.00407250 ; 关键call-2,F7进入
0040551C . 8B16 mov edx,dword ptr ds:[esi]
0040551E . 56 push esi
0040551F . FF92 18030000 call dword ptr ds:[edx+318]
00405525 . 50 push eax
00405526 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00405529 . 50 push eax
0040552A . FFD3 call ebx
0040552C . 8BF8 mov edi,eax
0040552E . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00405531 . 52 push edx
00405532 . 57 push edi
00405533 . 8B0F mov ecx,dword ptr ds:[edi]
00405535 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040553B . 85C0 test eax,eax
0040553D . DBE2 fclex
0040553F . 7D 12 jge short Crackme2.00405553
00405541 . 68 A0000000 push 0A0
00405546 . 68 743D4000 push Crackme2.00403D74
0040554B . 57 push edi
0040554C . 50 push eax
0040554D . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
00405553 > 8B45 B4 mov eax,dword ptr ss:[ebp-4C] ; 假码"9876543210"
00405556 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
00405559 . 8945 90 mov dword ptr ss:[ebp-70],eax
0040555C . 8D45 98 lea eax,dword ptr ss:[ebp-68]
0040555F . 50 push eax
00405560 . 51 push ecx
00405561 . C745 B4 00000000 mov dword ptr ss:[ebp-4C],0
00405568 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
0040556F . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 真假码比较
00405575 . 8BF8 mov edi,eax
00405577 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0040557A . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040557D . 52 push edx
0040557E . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405581 . 50 push eax
00405582 . 51 push ecx
00405583 . 6A 03 push 3
00405585 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
0040558B . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040558E . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00405591 . 52 push edx
00405592 . 50 push eax
00405593 . 6A 02 push 2
00405595 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
0040559B . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
0040559E . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004055A1 . 51 push ecx
004055A2 . 52 push edx
004055A3 . 6A 02 push 2
004055A5 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004055AB . 83C4 28 add esp,28
004055AE . 66:85FF test di,di
004055B1 . 0F84 40010000 je Crackme2.004056F7 ; 暴破点1,NOP掉
004055B7 . A1 10904000 mov eax,dword ptr ds:[409010]
004055BC . 85C0 test eax,eax
004055BE . 75 10 jnz short Crackme2.004055D0
004055C0 . 68 10904000 push Crackme2.00409010
F7进入004054E3处的关键CALL-1,来到:
00406340 $ 55 push ebp
00406341 . 8BEC mov ebp,esp
.......................................................
省略部分代码
.......................................................
004063C8 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004063CB . 8B08 mov ecx,dword ptr ds:[eax] ; 用户名"hrbx"
004063CD . 51 push ecx
004063CE . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
004063D4 . 8BC8 mov ecx,eax
004063D6 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
004063DC . 8B35 38114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>>
004063E2 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax ; 用户名长度4保存
004063E8 . BB 01000000 mov ebx,1 ; EBX赋初值1
004063ED . BF 02000000 mov edi,2
004063F2 > 66:3B9D 08FFFFFF cmp bx,word ptr ss:[ebp-F8] ; BX与用户名名长度比较
004063F9 . 0F8F 31040000 jg Crackme2.00406830 ; 没取完用户名则继续
004063FF . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00406402 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00406405 . 0FBFC3 movsx eax,bx
00406408 . 52 push edx
00406409 . 8B11 mov edx,dword ptr ds:[ecx]
0040640B . 50 push eax
0040640C . 52 push edx
0040640D . C745 88 01000000 mov dword ptr ss:[ebp-78],1
00406414 . 897D 80 mov dword ptr ss:[ebp-80],edi
00406417 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取用户名第一位字符"h"
0040641D . 8BD0 mov edx,eax
0040641F . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406422 . FFD6 call esi
00406424 . 50 push eax
00406425 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取第一位字符的ASCII值
0040642B . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0] ; EAX=0x68("h")
00406431 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00406434 . 66:8985 28FFFFFF mov word ptr ss:[ebp-D8],ax
0040643B . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00406441 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00406447 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040644A . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
00406450 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00406453 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406459 . 66:8BCB mov cx,bx
0040645C . 8D45 80 lea eax,dword ptr ss:[ebp-80]
0040645F . 66:83C1 01 add cx,1
00406463 . 50 push eax
00406464 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00406467 . C745 88 01000000 mov dword ptr ss:[ebp-78],1
0040646E . 0F80 64040000 jo Crackme2.004068D8
00406474 . 0FBFD1 movsx edx,cx
00406477 . 8B08 mov ecx,dword ptr ds:[eax] ; 用户名"hrbx"
00406479 . 52 push edx
0040647A . 51 push ecx
0040647B . 897D 80 mov dword ptr ss:[ebp-80],edi
0040647E . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取用户名第一位字符"r"
00406484 . 8BD0 mov edx,eax
00406486 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406489 . FFD6 call esi
0040648B . 50 push eax
0040648C . 6A 00 push 0
0040648E . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#537>]
00406494 . 8BD0 mov edx,eax
00406496 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00406499 . FFD6 call esi
0040649B . 50 push eax
0040649C . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>]
004064A2 . 8BD0 mov edx,eax
004064A4 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004064A7 . FFD6 call esi
004064A9 . 50 push eax
004064AA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取第二位字符的ASCII值
004064B0 . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0] ; EAX=0x72("r")
004064B6 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004064B9 . 66:8985 28FFFFFF mov word ptr ss:[ebp-D8],ax
004064C0 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
004064C6 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
004064CC . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
004064CF . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
004064D2 . 52 push edx
004064D3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004064D6 . 50 push eax
004064D7 . 51 push ecx
004064D8 . 6A 03 push 3
004064DA . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
004064E0 . 83C4 10 add esp,10
004064E3 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004064E6 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
004064EC . 66:8BC3 mov ax,bx
004064EF . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004064F2 . 66:03C7 add ax,di
004064F5 . 52 push edx
004064F6 . 8B55 08 mov edx,dword ptr ss:[ebp+8]
004064F9 . C745 88 01000000 mov dword ptr ss:[ebp-78],1
00406500 . 0F80 D2030000 jo Crackme2.004068D8
00406506 . 0FBFC8 movsx ecx,ax
00406509 . 8B02 mov eax,dword ptr ds:[edx] ; "hrbx"
0040650B . 51 push ecx
0040650C . 897D 80 mov dword ptr ss:[ebp-80],edi
0040650F . 50 push eax
00406510 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#631>] ; rtcMidCharBstr,取用户名第三位字符"b"
00406516 . 8BD0 mov edx,eax
00406518 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040651B . FFD6 call esi
0040651D . 50 push eax
0040651E . 6A 00 push 0
00406520 . FF15 E0104000 call dword ptr ds:[<&MSVBVM60.#537>]
00406526 . 8BD0 mov edx,eax
00406528 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040652B . FFD6 call esi
0040652D . 50 push eax
0040652E . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>]
00406534 . 8BD0 mov edx,eax
00406536 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00406539 . FFD6 call esi
0040653B . 50 push eax
0040653C . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
00406542 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60] ; EAX=0x62("b")
00406545 . 8945 B4 mov dword ptr ss:[ebp-4C],eax
00406548 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0040654B . 51 push ecx
0040654C . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
0040654F . 52 push edx
00406550 . 50 push eax
00406551 . 6A 03 push 3
00406553 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00406559 . 83C4 10 add esp,10
0040655C . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0040655F . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406565 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00406568 . 8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
0040656E . 51 push ecx
0040656F . 8D45 80 lea eax,dword ptr ss:[ebp-80]
00406572 . 52 push edx
00406573 . 50 push eax
00406574 . C785 38FFFFFF 04>mov dword ptr ss:[ebp-C8],4 ; 常数,4
0040657E . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi ; 用户名第一位字符的ASCII值转为除以4
00406584 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>] ; 104(0x68)/4=26(0x1A)
0040658A . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00406590 . 50 push eax
00406591 . 51 push ecx
00406592 . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>] ; 结果取整,得到26(0x1A),记为数值1
00406598 . 50 push eax
00406599 . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
0040659F . 8945 E8 mov dword ptr ss:[ebp-18],eax
004065A2 . B8 10000000 mov eax,10 ; EAX赋值,EAX=0x10(16)
004065A7 . 8985 28FFFFFF mov dword ptr ss:[ebp-D8],eax
004065AD . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
004065B3 . 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004065B6 . 8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004065BC . 52 push edx
004065BD . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004065C0 . 50 push eax
004065C1 . 51 push ecx
004065C2 . C785 38FFFFFF 03>mov dword ptr ss:[ebp-C8],3 ; 常数,3
004065CC . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
004065D2 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
004065D8 . 89BD 10FFFFFF mov dword ptr ss:[ebp-F0],edi ; 用户名第一位字符的ASCII值 and 3
004065DE . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 0x68 and 3=0
004065E4 . 50 push eax
004065E5 . 8D95 20FFFFFF lea edx,dword ptr ss:[ebp-E0]
004065EB . 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004065F1 . 52 push edx
004065F2 . 50 push eax ; AND运算结果与常数0x10相乘
004065F3 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 0x10*0,得到0
004065F9 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004065FC . 50 push eax
004065FD . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
00406603 . 51 push ecx
00406604 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0040660A . 52 push edx
0040660B . 50 push eax ; 用户名第二位字符"r"的ASCII值除以16(0x10)
0040660C . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarDiv>] ; 114(0x72)/16(0x10)=7.125
00406612 . 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-B0]
00406618 . 50 push eax
00406619 . 51 push ecx
0040661A . FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarInt>] ; 结果取整,得到7
00406620 . 8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
00406626 . 50 push eax
00406627 . 52 push edx
00406628 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 取整后与上面相乘结果相加,7+0=7,记为数值2
0040662E . 50 push eax
0040662F . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
00406635 . 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
0040663B . 8945 E0 mov dword ptr ss:[ebp-20],eax
0040663E . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406644 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00406647 . 8B08 mov ecx,dword ptr ds:[eax]
00406649 . 51 push ecx ; 用户名"hrbx"
0040664A . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
00406650 . 66:8BD3 mov dx,bx ; DX=BX=1
00406653 . 66:83C2 01 add dx,1 ; DX=DX+1
00406657 . 0F80 7B020000 jo Crackme2.004068D8
0040665D . 0FBFCA movsx ecx,dx ; ECX=DX=2
00406660 . 3BC1 cmp eax,ecx ; 比较用户名长度是否取完
00406662 . 0F8C D5000000 jl Crackme2.0040673D ; 没取完则继续
00406668 . 0FBF55 B4 movsx edx,word ptr ss:[ebp-4C] ; 用户名第三位字符"b"的ASCII值,0x62("b")
0040666C . 8995 FCFEFFFF mov dword ptr ss:[ebp-104],edx ; EDX=0x62
00406672 . C785 38FFFFFF 0F>mov dword ptr ss:[ebp-C8],0F
0040667C . DB85 FCFEFFFF fild dword ptr ss:[ebp-104] ; 转为10进制实数,98(0x62)
00406682 . 89BD 30FFFFFF mov dword ptr ss:[ebp-D0],edi
00406688 . C785 28FFFFFF 04>mov dword ptr ss:[ebp-D8],4
00406692 . 89BD 20FFFFFF mov dword ptr ss:[ebp-E0],edi
00406698 . DD9D F4FEFFFF fstp qword ptr ss:[ebp-10C] ; st=98.000000000000000000
0040669E . DD85 F4FEFFFF fld qword ptr ss:[ebp-10C]
004066A4 . 833D 00904000 00 cmp dword ptr ds:[409000],0
004066AB . 75 08 jnz short Crackme2.004066B5
004066AD . DC35 F8114000 fdiv qword ptr ds:[4011F8] ; 98/64=1.53125,ds:[4011F8]=64(常数)
004066B3 . EB 11 jmp short Crackme2.004066C6
004066B5 > FF35 FC114000 push dword ptr ds:[4011FC]
004066BB . FF35 F8114000 push dword ptr ds:[4011F8]
004066C1 . E8 AEABFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004066C6 > DFE0 fstsw ax
004066C8 . A8 0D test al,0D
004066CA . 0F85 03020000 jnz Crackme2.004068D3
004066D0 . FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaFPInt>] ; 除法结果取整
004066D6 . DD9D 18FFFFFF fstp qword ptr ss:[ebp-E8] ; st=1.0000000000000000000
004066DC . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004066DF . 8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-D0]
004066E5 . 50 push eax
004066E6 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004066E9 . 51 push ecx
004066EA . 52 push edx
004066EB . C785 10FFFFFF 05>mov dword ptr ss:[ebp-F0],5 ; 用户名第二位字符"r"的ASCII值0x72
004066F5 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAnd>] ; 0x72 and 0F(常数),得到2
004066FB . 50 push eax
004066FC . 8D85 20FFFFFF lea eax,dword ptr ss:[ebp-E0]
00406702 . 8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]
00406708 . 50 push eax
00406709 . 51 push ecx
0040670A . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; (And运算结果)*4,2*4=8
00406710 . 50 push eax
00406711 . 8D95 10FFFFFF lea edx,dword ptr ss:[ebp-F0]
00406717 . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
0040671D . 52 push edx
0040671E . 50 push eax
0040671F . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 除法结果加上乘法结果,1+8=9,记为数值3
00406725 . 50 push eax
00406726 . FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaI2Var>]
0040672C . 8D8D 60FFFFFF lea ecx,dword ptr ss:[ebp-A0]
00406732 . 8945 CC mov dword ptr ss:[ebp-34],eax
00406735 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
0040673B . EB 07 jmp short Crackme2.00406744
0040673D > C745 CC FFFFFFFF mov dword ptr ss:[ebp-34],-1
00406744 > 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00406747 . 8B11 mov edx,dword ptr ds:[ecx] ; 用户名"hrbx"
00406749 . 52 push edx
0040674A . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
00406750 . 66:8BCB mov cx,bx ; CX=BX=1
00406753 . 66:03CF add cx,di ; CX=CX+DI=1+2=3
00406756 . 0F80 7C010000 jo Crackme2.004068D8
0040675C . 0FBFD1 movsx edx,cx ; EDX=CX=3
0040675F . 3BC2 cmp eax,edx ; 比较用户名长度是否取完
00406761 . 7C 0B jl short Crackme2.0040676E ; 没取完则继续
00406763 . 8B45 B4 mov eax,dword ptr ss:[ebp-4C] ; 用户名第三位字符"b"的ASCII值,EAX=0x62
00406766 . 83E0 3F and eax,3F ; EAX=EAX AND 3F=0X22
00406769 . 8945 B8 mov dword ptr ss:[ebp-48],eax ; EAX=0x22保存,记为数值4
0040676C . EB 07 jmp short Crackme2.00406775
0040676E > C745 B8 FFFFFFFF mov dword ptr ss:[ebp-48],-1
00406775 > 8B45 AC mov eax,dword ptr ss:[ebp-54]
00406778 . 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0040677B . 50 push eax ; 固定字符串"DYEFCGHXIJKVLAMNOPZQBRSTUWy
0040677C . 51 push ecx scxdevpfgwhizjaklmbnoqrtu0123456789+/"
0040677D . E8 5E010000 call Crackme2.004068E0 ; 根据数值1在字符串中取字符,得到"y"
00406782 . 8BD0 mov edx,eax
00406784 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00406787 . FFD6 call esi
00406789 . 50 push eax
0040678A . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"y"
00406790 . 8BD0 mov edx,eax
00406792 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00406795 . FFD6 call esi
00406797 . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0040679A . 50 push eax
0040679B . 52 push edx
0040679C . E8 3F010000 call Crackme2.004068E0 ; 根据数值2在字符串中取字符,得到"X"
004067A1 . 8BD0 mov edx,eax
004067A3 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004067A6 . FFD6 call esi
004067A8 . 50 push eax
004067A9 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"yX"
004067AF . 8BD0 mov edx,eax
004067B1 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
004067B4 . FFD6 call esi
004067B6 . 50 push eax
004067B7 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
004067BA . 50 push eax
004067BB . E8 20010000 call Crackme2.004068E0 ; 根据数值3在字符串中取字符,得到"J"
004067C0 . 8BD0 mov edx,eax
004067C2 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004067C5 . FFD6 call esi
004067C7 . 50 push eax
004067C8 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"yXJ"
004067CE . 8BD0 mov edx,eax
004067D0 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
004067D3 . FFD6 call esi
004067D5 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004067D8 . 50 push eax
004067D9 . 51 push ecx
004067DA . E8 01010000 call Crackme2.004068E0 ; 根据数值4在字符串中取字符,得到"f"
004067DF . 8BD0 mov edx,eax
004067E1 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004067E4 . FFD6 call esi
004067E6 . 50 push eax
004067E7 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; 字符串连接,得到"yXJf"
004067ED . 8BD0 mov edx,eax
004067EF . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004067F2 . FFD6 call esi
004067F4 . 8D55 90 lea edx,dword ptr ss:[ebp-70]
004067F7 . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004067FA . 52 push edx
004067FB . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004067FE . 50 push eax
004067FF . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00406802 . 51 push ecx
00406803 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00406806 . 52 push edx
00406807 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040680A . 50 push eax
0040680B . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
0040680E . 51 push ecx
0040680F . 52 push edx
00406810 . 6A 07 push 7
00406812 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00406818 . B8 03000000 mov eax,3 ; EAX=3,每次取用户名中的3个字符
0040681D . 83C4 20 add esp,20
00406820 . 66:03C3 add ax,bx ; EAX=EAX+EBX
00406823 . 0F80 AF000000 jo Crackme2.004068D8
00406829 . 8BD8 mov ebx,eax ; EBX=EAX
0040682B .^ E9 C2FBFFFF jmp Crackme2.004063F2 ; 跳回去继续取用户名下一位字符
00406830 > 8B55 AC mov edx,dword ptr ss:[ebp-54] ; 得到字符串"yXJfdD"
00406833 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00406836 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]
0040683C . 9B wait
0040683D . 68 BD684000 push Crackme2.004068BD
00406842 . EB 5F jmp short Crackme2.004068A3
00406844 . F645 FC 04 test byte ptr ss:[ebp-4],4
00406848 . 74 09 je short Crackme2.00406853
F7进入00405517处的关键call-2,来到:
00407250 $ 55 push ebp
00407251 . 8BEC mov ebp,esp
.......................................................
省略部分代码
.......................................................
0040729B . 51 push ecx ; 字符串"yXJfdD"
0040729C . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取字符串长度,EAX=6
004072A2 . 8BC8 mov ecx,eax ; ECX=EAX=6
004072A4 . FF15 94104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
004072AA . 8B5D 10 mov ebx,dword ptr ss:[ebp+10]
004072AD . 8B35 10104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>>
004072B3 . 8B3D 18104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>
004072B9 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax ; 字符串长度保存
004072BF . C745 C8 01000000 mov dword ptr ss:[ebp-38],1
004072C6 > 66:8B95 60FFFFFF mov dx,word ptr ss:[ebp-A0]
004072CD . 66:3955 C8 cmp word ptr ss:[ebp-38],dx ; 比较是否取完字符串
004072D1 . 0F8F DD120000 jg Crackme2.004085B4
004072D7 . 8B45 0C mov eax,dword ptr ss:[ebp+C]
004072DA . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004072DD . 0FBF55 C8 movsx edx,word ptr ss:[ebp-38]
004072E1 . 8945 90 mov dword ptr ss:[ebp-70],eax
004072E4 . 51 push ecx
004072E5 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004072E8 . 52 push edx
004072E9 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004072EC . 50 push eax
004072ED . 51 push ecx
004072EE . C745 B0 01000000 mov dword ptr ss:[ebp-50],1
004072F5 . C745 A8 02000000 mov dword ptr ss:[ebp-58],2
004072FC . C745 88 08400000 mov dword ptr ss:[ebp-78],4008
00407303 . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取字符串每一位字符
00407309 . 8D55 98 lea edx,dword ptr ss:[ebp-68] ; 第一位字符"y"
0040730C . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040730F . FFD6 call esi
00407311 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407314 . FFD7 call edi
00407316 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
00407319 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
0040731F . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>]
00407325 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
0040732B . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040732E . 52 push edx
0040732F . 50 push eax
00407330 . C745 90 60414000 mov dword ptr ss:[ebp-70],Crackme2.00404160
00407337 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
0040733E . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"a"
00407344 . 66:85C0 test ax,ax
00407347 . 74 23 je short Crackme2.0040736C ; 不是则跳
00407349 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040734C . 53 push ebx
0040734D . 51 push ecx
0040734E . E8 EDEEFFFF call Crackme2.00406240
00407353 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407356 . FFD7 call edi
00407358 . 68 68414000 push Crackme2.00404168 ; 字符若为"a",则取地址00404168的字符"B"
0040735D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"B"的ASCII值
00407363 . 66:05 B900 add ax,0B9 ; AX=AX+0B9
00407367 . E9 FF110000 jmp Crackme2.0040856B
0040736C > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00407372 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00407375 . 52 push edx
00407376 . 50 push eax
00407377 . C745 90 70414000 mov dword ptr ss:[ebp-70],Crackme2.00404170
0040737E . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
00407385 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"b"
0040738B . 66:85C0 test ax,ax
0040738E . 74 23 je short Crackme2.004073B3 ; 不是则跳
00407390 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407393 . 53 push ebx
00407394 . 51 push ecx
00407395 . E8 A6EEFFFF call Crackme2.00406240
0040739A . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040739D . FFD7 call edi
0040739F . 68 78414000 push Crackme2.00404178 ; 字符若为"b",则取地址00404178的字符"8"
004073A4 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"8"的ASCII值
004073AA . 66:05 8C00 add ax,8C ; AX=AX+8C
004073AE . E9 B8110000 jmp Crackme2.0040856B
004073B3 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004073B9 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004073BC . 52 push edx
004073BD . 50 push eax
004073BE . C745 90 80414000 mov dword ptr ss:[ebp-70],Crackme2.00404180
004073C5 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004073CC . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"c"
004073D2 . 66:85C0 test ax,ax
004073D5 . 74 23 je short Crackme2.004073FA ; 不是则跳
004073D7 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004073DA . 53 push ebx
004073DB . 51 push ecx
004073DC . E8 5FEEFFFF call Crackme2.00406240
004073E1 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004073E4 . FFD7 call edi
004073E6 . 68 68414000 push Crackme2.00404168 ; 字符若为"c",则取地址00404168的字符"B"
004073EB . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"B"的ASCII值
004073F1 . 66:05 B500 add ax,0B5 ; AX=AX+0B5
004073F5 . E9 71110000 jmp Crackme2.0040856B
004073FA > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
.......................................................
省略部分代码
.......................................................
00407A74 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"A"
00407A7A . 66:85C0 test ax,ax
00407A7D . 74 23 je short Crackme2.00407AA2 ; 不是则跳
00407A7F . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407A82 . 53 push ebx
00407A83 . 51 push ecx
00407A84 . E8 B7E7FFFF call Crackme2.00406240
00407A89 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407A8C . FFD7 call edi
00407A8E . 68 48424000 push Crackme2.00404248 ; 字符若为"A",则取地址00404248的字符"5"
00407A93 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"5"的ASCII值
00407A99 . 66:05 5A00 add ax,5A ; AX=AX+5A
00407A9D . E9 C90A0000 jmp Crackme2.0040856B
00407AA2 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00407AA8 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00407AAB . 52 push edx
00407AAC . 50 push eax
00407AAD . C745 90 68414000 mov dword ptr ss:[ebp-70],Crackme2.00404168
00407AB4 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
00407ABB . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"B"
00407AC1 . 66:85C0 test ax,ax
00407AC4 . 74 23 je short Crackme2.00407AE9 ; 不是则跳
00407AC6 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407AC9 . 53 push ebx
00407ACA . 51 push ecx
00407ACB . E8 70E7FFFF call Crackme2.00406240
00407AD0 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00407AD3 . FFD7 call edi
00407AD5 . 68 A03E4000 push Crackme2.00403EA0 ; 字符若为"B",则取地址00403EA0的字符"F"
00407ADA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"F"的ASCII值
00407AE0 . 66:05 F500 add ax,0F5 ; AX=AX+0F5
00407AE4 . E9 820A0000 jmp Crackme2.0040856B
00407AE9 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00407AEF . 8D45 88 lea eax,dword ptr ss:[ebp-78]
.......................................................
省略部分代码
.......................................................
00408191 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00408197 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040819A . 52 push edx
0040819B . 50 push eax
0040819C . C745 90 68424000 mov dword ptr ss:[ebp-70],Crackme2.00404268
004081A3 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004081AA . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"1"
004081B0 . 66:85C0 test ax,ax
004081B3 . 74 23 je short Crackme2.004081D8 ; 不是则跳
004081B5 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004081B8 . 53 push ebx
004081B9 . 51 push ecx
004081BA . E8 81E0FFFF call Crackme2.00406240
004081BF . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004081C2 . FFD7 call edi
004081C4 . 68 D4404000 push Crackme2.004040D4 ; 字符若为"1",则取地址004040D4的字符"D"
004081C9 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"D"的ASCII值
004081CF . 66:05 DA00 add ax,0DA ; AX=AX+0DA
004081D3 . E9 93030000 jmp Crackme2.0040856B
004081D8 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004081DE . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004081E1 . 52 push edx
004081E2 . 50 push eax
004081E3 . C745 90 98414000 mov dword ptr ss:[ebp-70],Crackme2.00404198
004081EA . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004081F1 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"2"
004081F7 . 66:85C0 test ax,ax
004081FA . 74 23 je short Crackme2.0040821F ; 不是则跳
004081FC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004081FF . 53 push ebx
00408200 . 51 push ecx
00408201 . E8 3AE0FFFF call Crackme2.00406240
00408206 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408209 . FFD7 call edi
0040820B . 68 90414000 push Crackme2.00404190 ; 字符若为"2",则取地址00404190的字符"3"
00408210 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"3"的ASCII值
00408216 . 66:05 3C00 add ax,3C ; AX=AX+3C
0040821A . E9 4C030000 jmp Crackme2.0040856B
.......................................................
省略部分代码
.......................................................
00408470 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"#"
00408476 . 66:85C0 test ax,ax
00408479 . 74 23 je short Crackme2.0040849E ; 不是则跳
0040847B . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040847E . 53 push ebx
0040847F . 51 push ecx
00408480 . E8 BBDDFFFF call Crackme2.00406240
00408485 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408488 . FFD7 call edi
0040848A . 68 28424000 push Crackme2.00404228 ; 字符若为"#",则取地址00404228的字符"E"
0040848F . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"E"的ASCII值
00408495 . 66:05 EB00 add ax,0EB ; AX=AX+0EB
00408499 . E9 CD000000 jmp Crackme2.0040856B
0040849E > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004084A4 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004084A7 . 52 push edx
004084A8 . 50 push eax
004084A9 . C745 90 08434000 mov dword ptr ss:[ebp-70],Crackme2.00404308
004084B0 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004084B7 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"^"
004084BD . 66:85C0 test ax,ax
004084C0 . 74 23 je short Crackme2.004084E5 ; 不是则跳
004084C2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004084C5 . 53 push ebx
004084C6 . 51 push ecx
004084C7 . E8 74DDFFFF call Crackme2.00406240
004084CC . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004084CF . FFD7 call edi
004084D1 . 68 A03E4000 push Crackme2.00403EA0 ; 字符若为"^",则取地址00403EA0的字符"F"
004084D6 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"D"的ASCII值
004084DC . 66:05 FB00 add ax,0FB ; AX=AX+0FB
004084E0 . E9 86000000 jmp Crackme2.0040856B
004084E5 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004084EB . 8D45 88 lea eax,dword ptr ss:[ebp-78]
004084EE . 52 push edx
004084EF . 50 push eax
004084F0 . C745 90 10434000 mov dword ptr ss:[ebp-70],Crackme2.00404310
004084F7 . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
004084FE . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"$"
00408504 . 66:85C0 test ax,ax
00408507 . 74 20 je short Crackme2.00408529 ; 不是则跳
00408509 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040850C . 53 push ebx
0040850D . 51 push ecx
0040850E . E8 2DDDFFFF call Crackme2.00406240
00408513 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408516 . FFD7 call edi
00408518 . 68 28424000 push Crackme2.00404228 ; 字符若为"$",则取地址00404228的字符"E"
0040851D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"E"的ASCII值
00408523 . 66:05 E500 add ax,0E5 ; AX=AX+0E5
00408527 . EB 42 jmp short Crackme2.0040856B
00408529 > 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
0040852F . 8D45 88 lea eax,dword ptr ss:[ebp-78]
00408532 . 52 push edx
00408533 . 50 push eax
00408534 . C745 90 18434000 mov dword ptr ss:[ebp-70],Crackme2.00404318
0040853B . C745 88 08800000 mov dword ptr ss:[ebp-78],8008
00408542 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 比较取出的字符是否为"&"
00408548 . 66:85C0 test ax,ax
0040854B . 74 48 je short Crackme2.00408595 ; 不是则跳
0040854D . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00408550 . 53 push ebx
00408551 . 51 push ecx
00408552 . E8 E9DCFFFF call Crackme2.00406240
00408557 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040855A . FFD7 call edi
0040855C . 68 9C3F4000 push Crackme2.00403F9C ; 字符若为"&",则取地址00403F9C的字符"C"
00408561 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符"C"的ASCII值
00408567 . 66:05 C200 add ax,0C2 ; AX=AX+0C2
0040856B > 0F80 B5000000 jo Crackme2.00408626
00408571 . 66:8945 90 mov word ptr ss:[ebp-70],ax ; AX保存
00408575 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
00408578 . 8D45 88 lea eax,dword ptr ss:[ebp-78]
0040857B . 52 push edx
0040857C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040857F . 50 push eax
00408580 . 51 push ecx
00408581 . C745 88 02000000 mov dword ptr ss:[ebp-78],2
00408588 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 取每次AX值的10进制形式转为字符串连接
0040858E . 8BD0 mov edx,eax
00408590 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00408593 . FFD6 call esi
00408595 > 8D55 DC lea edx,dword ptr ss:[ebp-24]
00408598 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
0040859B . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCopy>]
004085A1 . B8 01000000 mov eax,1
004085A6 . 66:0345 C8 add ax,word ptr ss:[ebp-38]
004085AA . 70 7A jo short Crackme2.00408626
004085AC . 8945 C8 mov dword ptr ss:[ebp-38],eax
004085AF .^ E9 12EDFFFF jmp Crackme2.004072C6
004085B4 > 68 F7854000 push Crackme2.004085F7
004085B9 . EB 23 jmp short Crackme2.004085DE
004085BB . F645 FC 04 test byte ptr ss:[ebp-4],4
004085BF . 74 09 je short Crackme2.004085CA
004085C1 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004085C4 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
004085CA > 8D55 98 lea edx,dword ptr ss:[ebp-68]
004085CD . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004085D0 . 52 push edx
004085D1 . 50 push eax
004085D2 . 6A 02 push 2
004085D4 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004085DA . 83C4 0C add esp,0C
004085DD . C3 retn
004085DE > \8B35 18104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaFreeVar>>
004085E4 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
004085EA . FFD6 call esi
004085EC . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004085EF . FFD6 call esi
004085F1 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004085F4 . FFD6 call esi
004085F6 . C3 retn
004085F7 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004085FA . 8B55 B8 mov edx,dword ptr ss:[ebp-48]
004085FD . 8BC8 mov ecx,eax
004085FF . 5F pop edi
00408600 . 5E pop esi
00408601 . 5B pop ebx
00408602 . 8911 mov dword ptr ds:[ecx],edx
00408604 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
00408607 . 8951 04 mov dword ptr ds:[ecx+4],edx
0040860A . 8B55 C0 mov edx,dword ptr ss:[ebp-40]
0040860D . 8951 08 mov dword ptr ds:[ecx+8],edx ; 真码"283233302113112268",内存注册机
00408610 . 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
00408613 . 8951 0C mov dword ptr ds:[ecx+C],edx
00408616 . 8B4D EC mov ecx,dword ptr ss:[ebp-14]
00408619 . 64:890D 00000000 mov dword ptr fs:[0],ecx
00408620 . 8BE5 mov esp,ebp
00408622 . 5D pop ebp
00408623 . C2 0C00 retn 0C
若用户名ASCII值累加为奇数来到以下位置(设用户名"hrby"):
004057A5 > \8B16 mov edx,dword ptr ds:[esi] ; 用户名ASCII值累加为奇数跳到这里
004057A7 . 56 push esi
004057A8 . FF92 10030000 call dword ptr ds:[edx+310]
004057AE . 50 push eax
004057AF . 8D45 AC lea eax,dword ptr ss:[ebp-54]
004057B2 . 50 push eax
004057B3 . FFD3 call ebx
004057B5 . 8BF8 mov edi,eax
004057B7 . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004057BA . 52 push edx
004057BB . 57 push edi
004057BC . 8B0F mov ecx,dword ptr ds:[edi]
004057BE . FF91 A0000000 call dword ptr ds:[ecx+A0]
004057C4 . 85C0 test eax,eax
004057C6 . DBE2 fclex
004057C8 . 7D 12 jge short Crackme2.004057DC
004057CA . 68 A0000000 push 0A0
004057CF . 68 743D4000 push Crackme2.00403D74
004057D4 . 57 push edi
004057D5 . 50 push eax
004057D6 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
004057DC > 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; 用户名"hrby"
004057DF . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004057E2 . 8945 A0 mov dword ptr ss:[ebp-60],eax
004057E5 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004057E8 . 50 push eax
004057E9 . 51 push ecx
004057EA . C745 C0 00000000 mov dword ptr ss:[ebp-40],0
004057F1 . C745 98 08000000 mov dword ptr ss:[ebp-68],8
004057F8 . E8 B3110000 call Crackme2.004069B0 ; 关键CALL-3,F7进入
004057FD . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405800 . C785 34FFFFFF 09>mov dword ptr ss:[ebp-CC],9
0040580A . 52 push edx
0040580B . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
00405811 . 8BD0 mov edx,eax ; 得到字符串"27B8066481EB68098F8A0DB8266588"
00405813 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405816 . FF15 38114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
0040581C . 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
00405822 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00405825 . 50 push eax
00405826 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0040582C . 51 push ecx
0040582D . 52 push edx
0040582E . E8 1D1A0000 call Crackme2.00407250 ; 同关键CALL-2,见前面分析
00405833 . 8B06 mov eax,dword ptr ds:[esi]
00405835 . 56 push esi
00405836 . FF90 18030000 call dword ptr ds:[eax+318]
0040583C . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040583F . 50 push eax
00405840 . 51 push ecx
00405841 . FFD3 call ebx
00405843 . 8BF8 mov edi,eax
00405845 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00405848 . 50 push eax
00405849 . 57 push edi
0040584A . 8B17 mov edx,dword ptr ds:[edi]
0040584C . FF92 A0000000 call dword ptr ds:[edx+A0]
00405852 . 85C0 test eax,eax
00405854 . DBE2 fclex
00405856 . 7D 12 jge short Crackme2.0040586A
00405858 . 68 A0000000 push 0A0
0040585D . 68 743D4000 push Crackme2.00403D74
00405862 . 57 push edi
00405863 . 50 push eax
00405864 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040586A > 8B45 B8 mov eax,dword ptr ss:[ebp-48]
0040586D . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00405873 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00405879 . 51 push ecx
0040587A . 52 push edx
0040587B . C745 B8 00000000 mov dword ptr ss:[ebp-48],0
00405882 . 8985 70FFFFFF mov dword ptr ss:[ebp-90],eax
00405888 . C785 68FFFFFF 08>mov dword ptr ss:[ebp-98],8008
00405892 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 真假码比较
00405898 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040589B . 8BF8 mov edi,eax
0040589D . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004058A3 . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004058A6 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004058A9 . 50 push eax
004058AA . 51 push ecx
004058AB . 6A 02 push 2
004058AD . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
004058B3 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004058B9 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
004058BF . 52 push edx
004058C0 . 8D4D 88 lea ecx,dword ptr ss:[ebp-78]
004058C3 . 50 push eax
004058C4 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
004058C7 . 51 push ecx
004058C8 . 52 push edx
004058C9 . 6A 04 push 4
004058CB . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004058D1 . 83C4 20 add esp,20
004058D4 . 66:85FF test di,di
004058D7 . 0F84 85010000 je Crackme2.00405A62 ; 暴破点2,NOP掉
004058DD . A1 10904000 mov eax,dword ptr ds:[409010]
004058E2 . 85C0 test eax,eax
004058E4 . 75 10 jnz short Crackme2.004058F6
F7进入004057F8处的关键CALL-3,来到:
004069B0 $ 55 push ebp
.......................................................
省略部分代码
.......................................................
00406A62 . 8985 78FEFFFF mov dword ptr ss:[ebp-188],eax
00406A68 . C785 20FFFFFF 14>mov dword ptr ss:[ebp-E0],14 ; 常数,0x14(20)
00406A72 . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],2
00406A7C . FFD6 call esi
00406A7E . 8B7D 0C mov edi,dword ptr ss:[ebp+C]
00406A81 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00406A87 . 50 push eax
00406A88 . 8BD7 mov edx,edi
00406A8A . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406A90 . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
00406A96 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406A9C . 50 push eax
00406A9D . 51 push ecx
00406A9E . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; 获取用户名"hrby"长度,4
00406AA4 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00406AAA . 50 push eax
00406AAB . 52 push edx
00406AAC . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x14-4=0x10,0x14-用户名长度
00406AB2 . 8BD0 mov edx,eax
00406AB4 . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
00406AB7 . FFD6 call esi
00406AB9 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
00406ABC . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406AC2 . 50 push eax
00406AC3 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406AC9 . BB 01000000 mov ebx,1
00406ACE . 51 push ecx
00406ACF . 52 push edx
00406AD0 . 899D 20FFFFFF mov dword ptr ss:[ebp-E0],ebx
00406AD6 . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],8002
00406AE0 . FF15 0C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCmpLt>]
00406AE6 . 50 push eax
00406AE7 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406AED . 50 push eax
00406AEE . FF15 08114000 call dword ptr ds:[<&MSVBVM60.__vbaVarNot>]
00406AF4 . 50 push eax
00406AF5 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaBoolVarNull>
00406AFB . 66:85C0 test ax,ax
00406AFE . 0F84 AF000000 je Crackme2.00406BB3
00406B04 . B8 02000000 mov eax,2
00406B09 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406B0F . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
00406B15 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
00406B1B . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00406B1E . 51 push ecx
00406B1F . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
00406B25 . 52 push edx
00406B26 . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
00406B2C . 50 push eax
00406B2D . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
00406B33 . 51 push ecx
00406B34 . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00406B37 . 52 push edx
00406B38 . 50 push eax
00406B39 . 899D 20FFFFFF mov dword ptr ss:[ebp-E0],ebx
00406B3F . 899D 10FFFFFF mov dword ptr ss:[ebp-F0],ebx
00406B45 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
00406B4B . 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarForNe>
00406B51 > 85C0 test eax,eax
00406B53 . 74 64 je short Crackme2.00406BB9
00406B55 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406B5B . 6A 15 push 15 ; 常数,0x15
00406B5D . 51 push ecx
00406B5E . FF15 C8104000 call dword ptr ds:[<&MSVBVM60.#608>]
00406B64 . 8BD7 mov edx,edi
00406B66 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406B6C . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
00406B72 . 50 push eax
00406B73 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406B79 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406B7F . 52 push edx
00406B80 . 50 push eax
00406B81 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 在用户名后连接0x10(16)个常数0x15,
00406B87 . 8BD0 mov edx,eax
00406B89 . 8BCF mov ecx,edi
00406B8B . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaVargVarMove>
00406B91 . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406B97 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
00406B9D . 8D8D D8FEFFFF lea ecx,dword ptr ss:[ebp-128]
00406BA3 . 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
00406BA9 . 51 push ecx
00406BAA . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00406BAD . 52 push edx
00406BAE . 50 push eax
00406BAF . FFD3 call ebx
00406BB1 .^ EB 9E jmp short Crackme2.00406B51
00406BB3 > 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarForNe>
00406BB9 > 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
00406BBF . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00406BC2 . C785 20FFFFFF 01>mov dword ptr ss:[ebp-E0],1
00406BCC . C785 18FFFFFF 02>mov dword ptr ss:[ebp-E8],2
00406BD6 . FFD6 call esi
00406BD8 . B9 01000000 mov ecx,1
00406BDD . B8 02000000 mov eax,2
00406BE2 . 898D 20FFFFFF mov dword ptr ss:[ebp-E0],ecx
00406BE8 . 898D 10FFFFFF mov dword ptr ss:[ebp-F0],ecx
00406BEE . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406BF4 . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
00406BFA . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
00406C00 . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00406C06 . 51 push ecx
00406C07 . 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
00406C0D . 52 push edx
00406C0E . 8D8D B8FEFFFF lea ecx,dword ptr ss:[ebp-148]
00406C14 . 50 push eax
00406C15 . 8D95 C8FEFFFF lea edx,dword ptr ss:[ebp-138]
00406C1B . 51 push ecx
00406C1C . 8D45 BC lea eax,dword ptr ss:[ebp-44]
00406C1F . 52 push edx
00406C20 . 50 push eax
00406C21 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
00406C27 > 85C0 test eax,eax
00406C29 . 0F84 EE000000 je Crackme2.00406D1D
00406C2F . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406C35 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00406C38 . 51 push ecx
00406C39 . 52 push edx
00406C3A . C785 60FFFFFF 01>mov dword ptr ss:[ebp-A0],1
00406C44 . C785 58FFFFFF 02>mov dword ptr ss:[ebp-A8],2
00406C4E . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00406C54 . 50 push eax
00406C55 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406C5B . 57 push edi
00406C5C . 50 push eax
00406C5D . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取用户名每一位字符"h"
00406C63 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00406C69 . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
00406C6F . 51 push ecx
00406C70 . 52 push edx
00406C71 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
00406C77 . 50 push eax
00406C78 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
00406C7E . 66:8985 10FFFFFF mov word ptr ss:[ebp-F0],ax ; EAX=68("h")
00406C85 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00406C8B . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
00406C91 . 50 push eax
00406C92 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00406C95 . 51 push ecx
00406C96 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00406C9C . 52 push edx
00406C9D . 50 push eax
00406C9E . C785 08FFFFFF 02>mov dword ptr ss:[ebp-F8],2
00406CA8 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 字符的ASCII值*字符在用户名中的位置
00406CAE . 8D8D 28FFFFFF lea ecx,dword ptr ss:[ebp-D8] ; 0x68*1=0x68
00406CB4 . 50 push eax
00406CB5 . 51 push ecx
00406CB6 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 0x68+0x14=7C,上面的乘法结果加固定数0x14
00406CBC . 8BD0 mov edx,eax
00406CBE . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00406CC1 . FFD6 call esi
00406CC3 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
00406CC9 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
00406CCF . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
00406CD5 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
00406CDB . 52 push edx
00406CDC . 50 push eax
00406CDD . 6A 02 push 2
00406CDF . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00406CE5 . 83C4 0C add esp,0C
00406CE8 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00406CEB . 8D55 DC lea edx,dword ptr ss:[ebp-24]
00406CEE . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
00406CF4 . 51 push ecx
00406CF5 . 52 push edx
00406CF6 . 50 push eax
00406CF7 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 用户名连接0x15后的所有字符加法运算结果相乘
00406CFD . 8BD0 mov edx,eax ; 乘法结果转为字符串"2.77760626153406E+48"
00406CFF . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00406D02 . FFD6 call esi
00406D04 . 8D8D B8FEFFFF lea ecx,dword ptr ss:[ebp-148]
00406D0A . 8D95 C8FEFFFF lea edx,dword ptr ss:[ebp-138]
00406D10 . 51 push ecx
00406D11 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
00406D14 . 52 push edx
00406D15 . 50 push eax
00406D16 . FFD3 call ebx
00406D18 .^ E9 0AFFFFFF jmp Crackme2.00406C27
00406D1D > 8D55 8C lea edx,dword ptr ss:[ebp-74]
00406D20 . 8BCF mov ecx,edi
00406D22 . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaVargVarCopy>
00406D28 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
00406D2E . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00406D31 . C785 18FFFFFF 00>mov dword ptr ss:[ebp-E8],0
00406D3B . FFD6 call esi
00406D3D . B9 01000000 mov ecx,1
00406D42 . B8 02000000 mov eax,2
00406D47 . 898D 10FFFFFF mov dword ptr ss:[ebp-F0],ecx
00406D4D . 898D 00FFFFFF mov dword ptr ss:[ebp-100],ecx
00406D53 . 8D8D 08FFFFFF lea ecx,dword ptr ss:[ebp-F8]
00406D59 . 8BD7 mov edx,edi
00406D5B . 51 push ecx
00406D5C . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
00406D62 . 8985 08FFFFFF mov dword ptr ss:[ebp-F8],eax
00406D68 . 8985 F8FEFFFF mov dword ptr ss:[ebp-108],eax
00406D6E . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaVarVargNofr>
00406D74 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406D7A . 50 push eax
00406D7B . 52 push edx
00406D7C . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; 获取字符串"2.77760626153406E+48"长度
00406D82 . 50 push eax ; EAX=0X14(20)
00406D83 . 8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-108]
00406D89 . 8D8D 98FEFFFF lea ecx,dword ptr ss:[ebp-168]
00406D8F . 50 push eax
00406D90 . 8D95 A8FEFFFF lea edx,dword ptr ss:[ebp-158]
00406D96 . 51 push ecx
00406D97 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
00406D9D . 52 push edx
00406D9E . 50 push eax
00406D9F . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
00406DA5 > 85C0 test eax,eax
00406DA7 . 0F84 A5000000 je Crackme2.00406E52
00406DAD . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
00406DB3 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
00406DB9 . 51 push ecx
00406DBA . 52 push edx
00406DBB . C785 60FFFFFF 03>mov dword ptr ss:[ebp-A0],3 ; 常数,3
00406DC5 . C785 58FFFFFF 02>mov dword ptr ss:[ebp-A8],2
00406DCF . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00406DD5 . 50 push eax
00406DD6 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406DDC . 57 push edi
00406DDD . 50 push eax ; "2.77760626153406E+48"
00406DDE . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,每次取3个字符
00406DE4 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8] ; 第一次取前3位,"2.7"
00406DEA . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
00406DF0 . 51 push ecx
00406DF1 . 52 push edx
00406DF2 . E8 59020000 call Crackme2.00407050 ; 关键CALL-4,F7进入
00406DF7 . 8D45 8C lea eax,dword ptr ss:[ebp-74]
00406DFA . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
00406E00 . 50 push eax
00406E01 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
00406E07 . 51 push ecx
00406E08 . 52 push edx
00406E09 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 连接每次运算所得的字符串"7B34F71A9387A2387
00406E0F . 8BD0 mov edx,eax ; A22879B8850567684A8511E7B669850B978EF78
00406E11 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74] ; 2A707DCB0802367685D8587FA98506A438148838"
00406E14 . FFD6 call esi
00406E16 . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00406E1C . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00406E22 . 50 push eax
00406E23 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406E29 . 51 push ecx
00406E2A . 52 push edx
00406E2B . 6A 03 push 3
00406E2D . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00406E33 . 83C4 10 add esp,10
00406E36 . 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-168]
00406E3C . 8D8D A8FEFFFF lea ecx,dword ptr ss:[ebp-158]
00406E42 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
00406E48 . 50 push eax
00406E49 . 51 push ecx
00406E4A . 52 push edx
00406E4B . FFD3 call ebx
00406E4D .^ E9 53FFFFFF jmp Crackme2.00406DA5
00406E52 > 8D85 08FFFFFF lea eax,dword ptr ss:[ebp-F8]
00406E58 . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
00406E5B . 50 push eax
00406E5C . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00406E62 . BF 02000000 mov edi,2 ; EDI=2
00406E67 . 51 push ecx
00406E68 . 52 push edx
00406E69 . 89BD 10FFFFFF mov dword ptr ss:[ebp-F0],edi
00406E6F . 89BD 08FFFFFF mov dword ptr ss:[ebp-F8],edi
00406E75 . C785 20FFFFFF 12>mov dword ptr ss:[ebp-E0],12 ; 常数,0x12
00406E7F . 89BD 18FFFFFF mov dword ptr ss:[ebp-E8],edi
00406E85 . C785 00FFFFFF 14>mov dword ptr ss:[ebp-100],14 ; 常数,0x14
00406E8F . 89BD F8FEFFFF mov dword ptr ss:[ebp-108],edi ; "7B34F71A9387A2387A22879B8850567684A8511E7B669850B978EF782A707DCB0802367685D8587FA98506A438148838"
00406E95 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; 获取字符串长度,0x60
00406E9B . 50 push eax
00406E9C . 8D85 18FFFFFF lea eax,dword ptr ss:[ebp-E8]
00406EA2 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
00406EA8 . 50 push eax
00406EA9 . 51 push ecx
00406EAA . FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; 0x60-0x12=0x4E(78)
00406EB0 . 50 push eax
00406EB1 . 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
00406EB7 . 8D85 78FEFFFF lea eax,dword ptr ss:[ebp-188]
00406EBD . 52 push edx
00406EBE . 8D8D 88FEFFFF lea ecx,dword ptr ss:[ebp-178]
00406EC4 . 50 push eax
00406EC5 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-94]
00406ECB . 51 push ecx
00406ECC . 52 push edx
00406ECD . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
00406ED3 > 85C0 test eax,eax
00406ED5 . 0F84 89000000 je Crackme2.00406F64
00406EDB . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
00406EE1 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
00406EE7 . 50 push eax
00406EE8 . 51 push ecx
00406EE9 . C785 60FFFFFF 01>mov dword ptr ss:[ebp-A0],1
00406EF3 . 89BD 58FFFFFF mov dword ptr ss:[ebp-A8],edi
00406EF9 . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00406EFF . 50 push eax ; EAX=0x14
00406F00 . 8D55 8C lea edx,dword ptr ss:[ebp-74]
00406F03 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
00406F09 . 52 push edx
00406F0A . 50 push eax
00406F0B . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取字符串的字符
00406F11 . 8D4D CC lea ecx,dword ptr ss:[ebp-34] ; 从字符串第0x14(20)位起隔一位取一个字符
00406F14 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8] ; 一直取到第0x60-0x12=0x4E(78)位
00406F1A . 51 push ecx
00406F1B . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
00406F21 . 52 push edx
00406F22 . 50 push eax
00406F23 . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 连接每次取出的字符,得到
00406F29 . 8BD0 mov edx,eax ; "27B8066481EB68098F8A0DB8266588"
00406F2B . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00406F2E . FFD6 call esi
F7进入00406DF2处的关键CALL-4,来到:
00407050 $ 55 push ebp
.......................................................
省略部分代码
.......................................................
004070D7 . 51 push ecx
004070D8 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; 获取字符串"2.7"的长度,3
004070DE . 50 push eax
004070DF . 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-98]
004070E5 . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-B8]
004070EB . 52 push edx
004070EC . 8D8D 58FFFFFF lea ecx,dword ptr ss:[ebp-A8]
004070F2 . 50 push eax
004070F3 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004070F6 . 51 push ecx
004070F7 . 52 push edx
004070F8 . FF15 58104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
004070FE . 8B35 10104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarMove>>
00407104 > 85C0 test eax,eax
00407106 . 0F84 97000000 je Crackme2.004071A3
0040710C . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040710F . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00407112 . 50 push eax
00407113 . 51 push ecx
00407114 . C745 C0 01000000 mov dword ptr ss:[ebp-40],1
0040711B . 895D B8 mov dword ptr ss:[ebp-48],ebx
0040711E . FF15 20114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00407124 . 50 push eax
00407125 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00407128 . 57 push edi
00407129 . 52 push edx
0040712A . FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar,循环取字符串每一位字符
00407130 . 8D45 A8 lea eax,dword ptr ss:[ebp-58] ; 字符串"2.7"第一位字符"2"
00407133 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00407136 . 50 push eax
00407137 . 51 push ecx
00407138 . FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>]
0040713E . 50 push eax
0040713F . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,获取字符的ASCII值
00407145 . 66:8945 80 mov word ptr ss:[ebp-80],ax ; EAX=32("2")
00407149 . 8D55 DC lea edx,dword ptr ss:[ebp-24]
0040714C . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
00407152 . 52 push edx
00407153 . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00407156 . 50 push eax
00407157 . 51 push ecx
00407158 . 899D 78FFFFFF mov dword ptr ss:[ebp-88],ebx
0040715E . FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 字符连接,字符的ASCII值转为10进制数后连接
00407164 . 8BD0 mov edx,eax ; 得到504655
00407166 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00407169 . FFD6 call esi
0040716B . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0040716E . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
00407174 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00407177 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040717A . 52 push edx
0040717B . 50 push eax
0040717C . 53 push ebx
0040717D . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00407183 . 83C4 0C add esp,0C
00407186 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040718C . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-A8]
00407192 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00407195 . 51 push ecx
00407196 . 52 push edx
00407197 . 50 push eax
00407198 . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>>
0040719E .^ E9 61FFFFFF jmp Crackme2.00407104
004071A3 > 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004071A6 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004071A9 . 51 push ecx
004071AA . 52 push edx
004071AB . FF15 04114000 call dword ptr ds:[<&MSVBVM60.#573>] ; rtcHexVarFromVar,结果转为16进制,7B34F
004071B1 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004071B4 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004071B7 . FFD6 call esi
004071B9 . 68 13724000 push Crackme2.00407213
004071BE . EB 30 jmp short Crackme2.004071F0
004071C0 . F645 FC 04 test byte ptr ss:[ebp-4],4
004071C4 . 74 09 je short Crackme2.004071CF
004071C6 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004071C9 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
004071CF > 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004071D2 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004071D8 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004071DB . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004071DE . 50 push eax
004071DF . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004071E2 . 51 push ecx
004071E3 . 52 push edx
004071E4 . 6A 03 push 3
004071E6 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
004071EC . 83C4 10 add esp,10
004071EF . C3 retn
-----------------------------------------------------------------------------------------------
【破解总结】
1.用户名长度最长为10,累加用户名各位字符的ASCII值,记为sum。
2.若为sum为偶数,则对用户名进行运算后在固定字符串st1:"DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
中取字符,记为字符串st2。
3.字符串st3:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890#^$&"中的每个字符对应一个字符,记st3对应的
字符串为st4:"B8B3D3F9C2B6C8C7C3A4F9E2D85F6C5F3C1E1F4F4C7E7A6F2A8AD3BECFB8CFEFEC",对应的数值依次为:
0B9,8C,0B5,3D,0D6,3E,0F1,9A,0C7,2F,0B1,6B,0C4,8E,0C1,7B,0C5,3D,0A3,4B,0F8,9D,0E2,2D,0D7,8D,
5A,0F5,6F,0C9,5D,0F9,3B,0C3,1E,0E9,1A,0F3,4E,0F4,4D,0C6,7A,0E6,7E,0A2,6A,0F7,2B,0A8,8B,0A4,
0DA,3C,0BE,0EC,0CA,0FB,0B3,0ED,0CF,0FD,0EB,0FB,0E5,0C2。
4.根据st2的字符在字符串st3中的位置取st4对应字符的ASCII值加上相应数值转为10进制,依次连接即为注册码。
5.若为sum为奇数,则在用户名后连接(0x14-用户名长度)个常数0x15,然后依次取每个字符的ASCII值相乘结果记为字符串st5。
6.依次从字符串st5每次取3个字符,取每个字符的ASCII值转为10进制数后连接再转为16进制数,连接每次所得的16进制数记为字符串st6。
7.从字符串st6第0x14(20)位开始起隔一位取一个字符,直到取到第(st6长度-0x12)个个字符,记为字符串st7.
8.根据st7的字符在字符串st3中的位置取st4对应字符的ASCII值加上相应数值转为10进制后,依次连接即为注册码。
一组可用注册码:
Name:hrbx
Serial:283233302113112268
内存注册机:
中断地址:40860D
中断次数:1
第一字节:89
指令长度:3
内存方式--->寄存器:EDX 勾选宽字符串
暴破更改以下位置:
004055B1 je Crackme2.004056F7 ; je====>NOP
004058D7 je Crackme2.00405A62 ; je====>NOP
【VB注册机源码】
'VB 6.0+WinXP 编译通过
Private Sub Generate_Click()
Dim Name As String
Dim st1 As String
Dim st3 As String
Dim st2 As String
Dim sum, number As Integer
Dim n, n1, n2, n3, n4 As Integer
Dim length As Integer
Dim temp_num As Integer
Dim dnum1 As Double
Dim dnum2 As Double
Dim i, j As Integer
Dim str1, str2, str3, str4 As String
Dim SerialNo, Serial, Serial1, Serial2, Serial3, Serial4 As String
st1 = "DYEFCGHXIJKVLAMNOPZQBRSTUWyscxdevpfgwhizjaklmbnoqrtu0123456789+/"
st2 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890#^$&"
st3 = "B8B3D3F9C2B6C8C7C3A4F9E2D85F6C5F3C1E1F4F4C7E7A6F2A8AD3BECFB8CFEFEC"
Dim num(66) As Integer
num(0) = &HB9
num(1) = &H8C
num(2) = &HB5
num(3) = &H3D
num(4) = &HD6
num(5) = &H3E
num(6) = &HF1
num(7) = &H9A
num(8) = &HC7
num(9) = &H2F
num(10) = &HB1
num(11) = &H6B
num(12) = &HC4
num(13) = &H8E
num(14) = &HC1
num(15) = &H7B
num(16) = &HC5
num(17) = &H3D
num(18) = &HA3
num(19) = &H4B
num(20) = &HF8
num(21) = &H9D
num(22) = &HE2
num(23) = &H2D
num(24) = &HD7
num(25) = &H8D
num(26) = &H5A
num(27) = &HF5
num(28) = &H6F
num(29) = &HC9
num(30) = &H5D
num(31) = &HF9
num(32) = &H3B
num(33) = &HC3
num(34) = &H1E
num(35) = &HE9
num(36) = &H1A
num(37) = &HF3
num(38) = &H4E
num(39) = &HF4
num(40) = &H4D
num(41) = &HC6
num(42) = &H7A
num(43) = &HE6
num(44) = &H7E
num(45) = &HA2
num(46) = &H6A
num(47) = &HF7
num(48) = &H2B
num(49) = &HA8
num(50) = &H8B
num(51) = &HA4
num(52) = &HDA
num(53) = &H3C
num(54) = &HBE
num(55) = &HEC
num(56) = &HCA
num(57) = &HFB
num(58) = &HB3
num(59) = &HED
num(60) = &HCF
num(61) = &HFD
num(62) = &HEB
num(63) = &HFB
num(64) = &HE5
num(65) = &HC2
Name = Text1.Text
length = Len(Name)
If length = 0 Then Text1.Text = "Please inter at least one character !"
If length > 10 Then
Text1.Text = "Name should less than 11 characters !"
Else
For i = 1 To length
sum = sum + Asc(Mid(Name, i, 1))
Next i
If (sum Mod 2 = 0) Then
n = 1
For i = 1 To length
If (n <= length) Then
str1 = Mid(Name, n, 1)
n1 = Int(Asc(str1) / 4)
n2 = (Asc(str1) And 3) * 16
If (n + 1) <= length Then
str2 = Mid(Name, n + 1, 1)
n2 = Int(Asc(str2) / 16) + (Asc(str1) And 3) * 16
End If
Serial1 = Mid(st1, n1 + 1, 1)
Serial2 = Mid(st1, n2 + 1, 1)
Serial = Serial & Serial1 & Serial2
If (n + 2) <= length Then
str3 = Mid(Name, n + 2, 1)
n3 = Int(Asc(str3) / 64) + (Asc(str2) And 15) * 4
n4 = Asc(str3) And 63
Serial3 = Mid(st1, n3 + 1, 1)
Serial4 = Mid(st1, n4 + 1, 1)
Serial = Serial & Serial3 & Serial4
End If
End If
n = n + 3
Next i
length = Len(Serial)
For i = 1 To length
For j = 1 To 66
If (Mid(Serial, i, 1) = Mid(st2, j, 1)) Then
temp_num = Asc(Mid(st3, j, 1)) + num(j - 1)
SerialNo = SerialNo & temp_num
End If
Next j
Next i
End If
If (sum Mod 2 <> 0) Then
dnum1 = 1
length = Len(Name)
For i = 1 To length
dnum1 = dnum1 * (Asc(Mid(Name, i, 1)) * i + &H14)
Next i
For i = length + 1 To 20
dnum1 = dnum1 * (&H15 * i + &H14)
Next i
Serial = dnum1
length = Len(Serial)
For i = 1 To length
Serial1 = Mid(Serial, i, 1)
If i + 1 <= length Then
Serial1 = Serial1 & Mid(Serial, i + 1, 1)
End If
If i + 2 <= length Then
Serial1 = Serial1 & Mid(Serial, i + 2, 1)
End If
For j = 1 To Len(Serial1)
number = Asc(Mid(Serial1, j, 1))
Serial2 = Serial2 & number
dnum2 = Serial2
Next j
Serial3 = Serial3 & Hex(dnum2)
Serial2 = ""
Next i
length = Len(Serial3)
For i = 20 To length - &H12 Step 2
Serial4 = Serial4 & Mid(Serial3, i, 1)
Next i
length = Len(Serial4)
For i = 1 To length
For j = 1 To 66
If (Mid(Serial4, i, 1) = Mid(st2, j, 1)) Then
temp_num = Asc(Mid(st3, j, 1)) + num(j - 1)
SerialNo = SerialNo & temp_num
End If
Next j
Next i
End If
Text2 = SerialNo
End If
End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
