[Old post] [Original] Patching the "Crackme dedicated to all beginners who love cracking"

Posted on: 2015-12-27 19:47
Crackme provided by: KuNgBiM
Original thread: http://bbs.pediy.com/showthread.php?t=12136&page=2
Tools: OllyDbg (OD), WinHex
This is a VB program. I was not able to fully analyze it, so I used two patches. I estimate that once the flow is fully understood, a single patch should be enough.
The two patch points are below:
1. Patch point one:
00402CA1 . 52 push edx
00402CA2 . 47 inc edi
00402CA3 . 68 74264000 push 00402674
00402CA8 . F7DF neg edi
00402CAA . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00402CB0 . F7D8 neg eax
00402CB2 . 1BC0 sbb eax, eax
00402CB4 . 40 inc eax
00402CB5 . F7D8 neg eax
00402CB7 . 0BF8 or edi, eax
00402CB9 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00402CBC . 50 push eax
00402CBD . 8D4D D8 lea ecx, dword ptr [ebp-28]
00402CC0 . 51 push ecx
00402CC1 . 6A 02 push 2
00402CC3 . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00402CC9 . 8D55 C8 lea edx, dword ptr [ebp-38]
00402CCC . 52 push edx
00402CCD . 8D45 CC lea eax, dword ptr [ebp-34]
00402CD0 . 50 push eax
00402CD1 . 6A 02 push 2
00402CD3 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObjList
00402CD9 . 83C4 18 add esp, 18
00402CDC . 66:3BFB cmp di, bx
00402CDF 0F84 91000000 je 00402D76 ;patch here
Change the bytes 0F8491000000 at file offset 0x2CDF to E99200000090.
2. Patch point two:
004030DA . 52 push edx
004030DB . 50 push eax
004030DC . FF15 6C104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
004030E2 . 8BF8 mov edi, eax
004030E4 . F7DF neg edi
004030E6 . 1BFF sbb edi, edi
004030E8 . 47 inc edi
004030E9 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004030EC . F7DF neg edi
004030EE . FF15 DC104000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004030F4 . 8D4D CC lea ecx, dword ptr [ebp-34]
004030F7 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004030FD . 66:3BFB cmp di, bx
00403100 0F84 10010000 je 00403216 ;patch here
Change the bytes 0F8410010000 at file offset 0x3100 to 909090909090.
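Added example (not code from the original post, and not part of the crackme): the Python below re-derives the two things a reader would want to check on paper before editing bytes in WinHex. First, what the four-instruction idiom after __vbaStrCmp (neg / sbb / inc / neg, on eax in the first listing and on edi in the second) actually produces; second, that each replacement encodes the same length as the original je (so the following instruction stays aligned) and that the E9 rel32 in patch one lands on the same 00402D76 the original je targeted. The hex strings and virtual addresses are taken from the listings above; the assumption that the two listings are at RVA == file offset is the author's, and the interpretation that the `cmp di, bx` compares against zero is an assumption of mine, since the listing does not show where ebx is set.

```python
# Added example, not the original post's code. Verifies the branch patches
# and the VB boolean idiom seen in the OllyDbg listings above.

MASK32 = 0xFFFFFFFF


def vb_strcmp_to_bool(strcmp_result: int) -> int:
    """Emulate `neg eax; sbb eax, eax; inc eax; neg eax` on a 32-bit register.
    __vbaStrCmp returns 0 when both strings are equal. The sequence maps
    0 -> 0xFFFFFFFF (VB True) and any non-zero value -> 0 (VB False)."""
    eax = strcmp_result & MASK32
    cf = 1 if eax != 0 else 0        # neg sets CF for any non-zero operand
    eax = (-eax) & MASK32            # neg eax
    eax = (eax - eax - cf) & MASK32  # sbb eax, eax -> 0 or 0xFFFFFFFF
    eax = (eax + 1) & MASK32         # inc eax
    eax = (-eax) & MASK32            # neg eax
    return eax


def branch_target(va: int, code: bytes) -> tuple:
    """Decode one instruction at virtual address `va`. Supports the three
    encodings that appear in the post: je rel32 (0F 84 xx xx xx xx),
    jmp rel32 (E9 xx xx xx xx) and a run of nop (90 ...).
    Returns (target_if_taken, fall_through); target is None for nop."""
    if code[:2] == b"\x0f\x84":
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return va + 6 + rel, va + 6
    if code[:1] == b"\xe9":
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return va + 5 + rel, va + 5
    if code[:1] == b"\x90":
        nops = len(code) - len(code.lstrip(b"\x90"))
        return None, va + nops
    raise ValueError("encoding not handled: %s" % code.hex())


def check_patch(va: int, original_hex: str, patched_hex: str) -> dict:
    """Compare the original bytes with the patch: same length, where the
    original je went when taken, and where control now always goes."""
    orig, new = bytes.fromhex(original_hex), bytes.fromhex(patched_hex)
    orig_taken, _ = branch_target(va, orig)
    new_taken, new_fall = branch_target(va, new)
    return {
        "same_length": len(orig) == len(new),
        "original_taken_target": orig_taken,
        "patched_always_goes_to": new_taken if new_taken is not None else new_fall,
    }


def je_taken(vb_bool: int, ebx: int = 0) -> bool:
    """`cmp di, bx; je` as in both listings. ebx == 0 is my assumption; the
    listing does not show where it is set. With bx == 0 the je is taken
    exactly when the VB boolean is False, i.e. the strings differed."""
    return (vb_bool & 0xFFFF) == (ebx & 0xFFFF)


if __name__ == "__main__":
    # Addresses and bytes are the ones given in the two listings above.
    for va, orig, new in [(0x402CDF, "0F8491000000", "E99200000090"),
                          (0x403100, "0F8410010000", "909090909090")]:
        print(hex(va), check_patch(va, orig, new))
    for r in (0, 1, MASK32):
        b = vb_strcmp_to_bool(r)
        print("__vbaStrCmp=%#x -> VB bool %#x, je taken: %s" % (r, b, je_taken(b)))
```

Running it shows that patch one keeps the instruction 6 bytes long and turns the conditional branch into an unconditional one to 00402D76 (the E9 displacement is 0x92 rather than 0x91 because jmp rel32 is one byte shorter than je rel32), while patch two replaces the je with six nops so execution always falls through to 00403106.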