PYG_CrackMe2005 certification challenge [VB-PCODE]: a brief algorithm analysis
Posted: 2006-1-28 22:04
Not packed; it is VB P-code. The challenge has been retired and 飘云 has allowed public discussion.
Download: http://bbs.chinapyg.cn/viewthread.php?tid=262&extra=page%3D1
My initial debugging environment was Win2000 + SP4, and getting the WKTVBDE debugger to work properly wasted a lot of my time, which was really frustrating.
If you run into similar problems, try the following:
1. Remove the read-only attribute from the program being debugged.
2. If your MSVBVM60.DLL is too old, extract Msvbvm60.cab from Microsoft's Service Pack 6 for Visual Studio 6.0 (or take some other newer version)
and copy the DLL into the \windir\system32 directory. Versions from 2001 onward seem to work without problems.
3. Copy bdasmdll.dll and WKTVBDE.dll from the installation directory into \windir\system32.
4. The shortcut created by the installer is broken; run the program directly from the installation directory.
The listing below was copied from [ VBExplorer1.0.1 ].
Open the program in WKTVBDE, Action->Run. Press Ctrl+E to open the Current Bpx dialog and set a breakpoint at 40B04C, then press F5 to run the program.
Enter a user name and registration code and click OK; execution stops at the breakpoint.
[Label1.Click]
******Possible String Ref To->"5201314896788888888888888888888888"
|
:0040B04C 3A9CFE0400 LitVarStr ;PushVarString ptr_00408C5C
After stepping over the line above with F8, Stack shows 0013F790: 0013F8DC. Press Ctrl+M to open the memory editor and enter 13F8DC: the value there is 08,
which means the string type; 8 bytes further on is the address of the string, 13F8E4: 00408C5C, so entering 408C5C shows the string loaded
into memory. When debugging VB P-code, watch the stack closely: for example 02 means the Integer type, and 8 bytes further on is
the address of that integer value. Similar details are omitted below.
:0040B051 FD006CFF FStVarCopy ;[LOCAL_0094]=vbaVarCopy(Pop)
******Possible String Ref To->"chinapygabcdefghijklmopqrstuvwxyza"
|
:0040B055 3A9CFE0500 LitVarStr ;PushVarString ptr_00408CA8
:0040B05A FD005CFF FStVarCopy ;[LOCAL_00A4]=vbaVarCopy(Pop)
******Possible String Ref To->"piaoyunge"
|
:0040B05E 3A9CFE0600 LitVarStr ;PushVarString ptr_00408CF4
:0040B063 FD00DCFE FStVarCopy ;[LOCAL_0124]=vbaVarCopy(Pop)
:0040B067 0494FE FLdRfVar ;Push LOCAL_016C
:0040B06A 21 FLdPrThis ;[SR]=[stack2]
:0040B06B 0F0003 VCallAd ;Return the control index 02
:0040B06E 1998FE FStAdFunc ;
:0040B071 0898FE FLdPr ;[SR]=[LOCAL_0168]
***********Reference To:[propget]TextBox.Text ; read the machine code
|
:0040B074 0DA0000000 VCallHresult ;Call ptr_00408BC0
:0040B079 3E94FE FLdZeroAd ;Push DWORD [LOCAL_016C]; [LOCAL_016C]=0
:0040B07C 4684FE CVarStr ;
:0040B07F FCF6BCFE FStVar ;
:0040B083 1A98FE FFree1Ad ;Push [LOCAL_0168]; Call [[[LOCAL_0168]]+8]; [[LOCAL_0168]]=0
:0040B086 0494FE FLdRfVar ;Push LOCAL_016C
:0040B089 21 FLdPrThis ;[SR]=[stack2]
:0040B08A 0F0C03 VCallAd ;Return the control index 05
:0040B08D 1998FE FStAdFunc ;
:0040B090 0898FE FLdPr ;[SR]=[LOCAL_0168]
***********Reference To:[propget]TextBox.Text ; read the user name
|
:0040B093 0DA0000000 VCallHresult ;Call ptr_00408BC0
:0040B098 3E94FE FLdZeroAd ;Push DWORD [LOCAL_016C]; [LOCAL_016C]=0
:0040B09B 4684FE CVarStr ;
:0040B09E 04DCFE FLdRfVar ;Push LOCAL_0124**********"piaoyunge"
:0040B0A1 FBEF74FE ConcatVar ;*************************"piaoyunge" appended after the user name
:0040B0A5 0464FE FLdRfVar ;Push LOCAL_019C
**********Reference To->msvbvm60.rtcUpperCaseVar**********S1********************************* user name + piaoyunge converted to upper case gives wide string S1
|
:0040B0A8 0A07000800 ImpAdCallFPR4 ;Call ptr_0040105C; check stack 0008; Push EAX
:0040B0AD 0464FE FLdRfVar ;Push LOCAL_019C
:0040B0B0 FCF6CCFE FStVar ;
:0040B0B4 1A98FE FFree1Ad ;Push [LOCAL_0168]; Call [[[LOCAL_0168]]+8]; [[LOCAL_0168]]=0
:0040B0B7 36040084FE74FE FFreeVar ;Free 0004/2 variants
:0040B0BE 0494FE FLdRfVar ;Push LOCAL_016C
:0040B0C1 21 FLdPrThis ;[SR]=[stack2]
:0040B0C2 0F0803 VCallAd ;Return the control index 04
:0040B0C5 1998FE FStAdFunc ;
:0040B0C8 0898FE FLdPr ;[SR]=[LOCAL_0168]
***********Reference To:[propget]TextBox.Text ; read the entered registration code
|
:0040B0CB 0DA0000000 VCallHresult ;Call ptr_00408BC0
:0040B0D0 3E94FE FLdZeroAd ;Push DWORD [LOCAL_016C]; [LOCAL_016C]=0
:0040B0D3 4684FE CVarStr ;
:0040B0D6 FCF654FE FStVar ;
:0040B0DA 1A98FE FFree1Ad ;Push [LOCAL_0168]; Call [[[LOCAL_0168]]+8]; [[LOCAL_0168]]=0
:0040B0DD 04CCFE FLdRfVar ;Push LOCAL_0134************ push S1
:0040B0E0 FBEB84FE FnLenVar ;vbaLenVar******************** length of S1
******Possible String Ref To->""
|
:0040B0E4 3A9CFE0800 LitVarStr ;PushVarString ptr_00408D0C
:0040B0E9 5D HardType ;
:0040B0EA FB3C74FE NeVar ;
:0040B0EE 0454FE FLdRfVar ;Push LOCAL_01AC*********** push the entered registration code
:0040B0F1 FBEB64FE FnLenVar ;vbaLenVar***************** length of the entered registration code
Here the stack shows 13f78c:13f8a4; the value at 13f8a4 is 03, which means the Long type, and 13f8ac holds the length.
******Possible String Ref To->""
|
:0040B0F5 3A44FE0800 LitVarStr ;PushVarString ptr_00408D0C
:0040B0FA 5D HardType ;
:0040B0FB FB3C34FE NeVar ;
:0040B0FF FB2724FE AndVar ;
:0040B103 FF1B CBoolVarNull ;vbaBoolVarNull
:0040B105 1C2403 BranchF ;If Pop=0 then ESI=0040B370 jump away if no registration code was entered
:0040B108 2844FE0100 LitVarI2 ;PushVarInteger 0001
:0040B10D 0414FE FLdRfVar ;Push LOCAL_01EC 13f854
Step one. This part uses each digit of the machine code as an index into 5201314896788888888888888888888888, taking one digit each time, to build a string s2.
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
:0040B110 04BCFE FLdRfVar ;Push LOCAL_0144*********** machine code
:0040B113 FBEB84FE FnLenVar ;vbaLenVar***************** machine code length
:0040B117 FE68F4FD2E01 ForVar ;
:0040B11D 2884FE0100 LitVarI2 ;PushVarInteger 0001
:0040B122 0414FE FLdRfVar ;Push LOCAL_01EC*********** counter
:0040B125 FC22 CI4Var ;vbaI4Var
:0040B127 04BCFE FLdRfVar ;Push LOCAL_0144*********** push the machine code address
:0040B12A 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B12D 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B132 0474FE FLdRfVar ;Push LOCAL_018C*********** take one machine-code character
:0040B135 FCF64CFF FStVar ;
:0040B139 3584FE FFree1Var ;Free LOCAL_017C
:0040B13C 040CFF FLdRfVar ;Push LOCAL_00F4
:0040B13F 2874FE0100 LitVarI2 ;PushVarInteger 0001
:0040B144 044CFF FLdRfVar ;Push LOCAL_00B4
:0040B147 289CFE0100 LitVarI2 ;PushVarInteger 0001
:0040B14C FB9484FE AddVar ;
:0040B150 FC22 CI4Var ;vbaI4Var
:0040B152 046CFF FLdRfVar ;Push LOCAL_0094****"5201314896788888888888888888888888"
:0040B155 0464FE FLdRfVar ;Push LOCAL_019C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B158 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX use the machine-code digit as index to take one character from the string above
:0040B15D 0464FE FLdRfVar ;Push LOCAL_019C
:0040B160 FBEF34FE ConcatVar ;concatenate the characters into a string
:0040B164 FCF60CFF FStVar ;
:0040B168 36060084FE74FE64 FFreeVar ;Free 0006/2 variants
:0040B171 0414FE FLdRfVar ;Push LOCAL_01EC
:0040B174 FE7EF4FDD100 NextStepVar ;***************** loop back to 0040B110
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
:0040B17A 2844FE0100 LitVarI2 ;PushVarInteger 0001
:0040B17F 04E4FD FLdRfVar ;Push LOCAL_021C
:0040B182 04CCFE FLdRfVar ;Push LOCAL_0134
:0040B185 FBEB84FE FnLenVar ;vbaLenVar*********** length of S1
:0040B189 FE68C4FD9001 ForVar ;
Here is another loop, this time over string S1:
the ASCII (hex) value of the first letter is XORed with 0x3, the ASCII value of the next letter is added to that result
and XORed with 0x3 again, and so on. When the loop finishes you have a hex value; converted to decimal it is added to the
decimal number formed by the string from step one, and the result is stored as a string.
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
:0040B18F 04ECFE FLdRfVar ;Push LOCAL_0114
:0040B192 2884FE0100 LitVarI2 ;PushVarInteger 0001
:0040B197 04E4FD FLdRfVar ;Push LOCAL_021C******* position index in the user name
:0040B19A FC22 CI4Var ;vbaI4Var
:0040B19C 04CCFE FLdRfVar ;Push LOCAL_0134******* S1
:0040B19F 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B1A2 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B1A7 0474FE FLdRfVar ;Push LOCAL_018C
:0040B1AA FDFE94FE CStrVarVal ;
**********Reference To->msvbvm60.rtcAnsiValueBstr take the ASCII value of each character of S1
|
:0040B1AE 0B0A000400 ImpAdCallI2 ;Call ptr_00401068; check stack 0004; Push EAX
:0040B1B3 4444FE CVarI2 ;
:0040B1B6 FB9464FE AddVar ;add to the previous result
:0040B1BA 28B4FD0300 LitVarI2 ;PushVarInteger 0003
:0040B1BF FB1734FE XorVar ;XOR the user-name character's ANSI value with 0x3 (the XOR comes after the add)
:0040B1C3 FCF6ECFE FStVar ;
:0040B1C7 2F94FE FFree1Str ;SysFreeString [LOCAL_016C]; [LOCAL_016C]=0
:0040B1CA 36060084FE74FE64 FFreeVar ;Free 0006/2 variants
:0040B1D3 04E4FD FLdRfVar ;Push LOCAL_021C
:0040B1D6 FE7EC4FD4301 NextStepVar ;
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
:0040B1DC 040CFF FLdRfVar ;Push LOCAL_00F4*************** s2
:0040B1DF 04ECFE FLdRfVar ;Push LOCAL_0114*************** result after the loop
:0040B1E2 FB9484FE AddVar ;add them
:0040B1E6 FCF6FCFE FStVar ;
:0040B1EA 2844FE0100 LitVarI2 ;PushVarInteger 0001
Each digit of the machine code, plus 1, is used as a position in "chinapygabcdefghijklmopqrstuvwxyza", and the letters at those
positions are concatenated into a string. Note that it is converted to upper case!
This string is appended to the string obtained in step two; the length of the result is subtracted from 24 and that many
"0"s are appended at the end; finally "-" is inserted after the fifth character. The resulting string is the intermediate result.
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
:0040B1EF 04A4FD FLdRfVar ;Push LOCAL_025C
:0040B1F2 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B1F5 FBEB84FE FnLenVar ;vbaLenVar
:0040B1F9 FE6884FD1D02 ForVar ;
:0040B1FF 2884FE0100 LitVarI2 ;PushVarInteger 0001
:0040B204 04A4FD FLdRfVar ;Push LOCAL_025C
:0040B207 FC22 CI4Var ;vbaI4Var
:0040B209 04BCFE FLdRfVar ;Push LOCAL_0144
:0040B20C 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B20F 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B214 0474FE FLdRfVar ;Push LOCAL_018C
:0040B217 FCF63CFF FStVar ;
:0040B21B 3584FE FFree1Var ;Free LOCAL_017C
:0040B21E 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B221 2874FE0100 LitVarI2 ;PushVarInteger 0001
:0040B226 043CFF FLdRfVar ;Push LOCAL_00C4
:0040B229 289CFE0100 LitVarI2 ;PushVarInteger 0001
:0040B22E FB9484FE AddVar ;
:0040B232 FC22 CI4Var ;vbaI4Var
:0040B234 045CFF FLdRfVar ;Push LOCAL_00A4"chinapygabcdefghijklmopqrstuvwxyza"
:0040B237 0464FE FLdRfVar ;Push LOCAL_019C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B23A 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B23F 0464FE FLdRfVar ;Push LOCAL_019C
:0040B242 0434FE FLdRfVar ;Push LOCAL_01CC
**********Reference To->msvbvm60.rtcUpperCaseVar
|
:0040B245 0A07000800 ImpAdCallFPR4 ;Call ptr_0040105C; check stack 0008; Push EAX
:0040B24A 0434FE FLdRfVar ;Push LOCAL_01CC
:0040B24D FBEF24FE ConcatVar ;
:0040B251 FCF6FCFE FStVar ;
:0040B255 36080084FE74FE64 FFreeVar ;Free 0008/2 variants
:0040B260 04A4FD FLdRfVar ;Push LOCAL_025C
:0040B263 FE7E84FDB301 NextStepVar ;
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
:0040B269 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B26C FBEB84FE FnLenVar ;vbaLenVar
:0040B270 289CFE1900 LitVarI2 ;PushVarInteger 0019
:0040B275 5D HardType ;
:0040B276 FB67 LtVarBool ;Push (Pop1 < Pop2)
:0040B278 1CB702 BranchF ;If Pop=0 then ESI=0040B303
:0040B27B 04FCFE FLdRfVar ;Push LOCAL_0104
******Possible String Ref To->"0" subtract the generated string's length from 24 and append that many "0"s
|
:0040B27E 3A44FE0B00 LitVarStr ;PushVarString ptr_00408D14
:0040B283 4E64FE FStVarCopyObj ;[LOCAL_019C]=vbaVarDup(Pop)
:0040B286 0464FE FLdRfVar ;Push LOCAL_019C
:0040B289 289CFE1800 LitVarI2 ;PushVarInteger 0018 ***** 24 minus the length of the concatenated string gives L
:0040B28E 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B291 FBEB84FE FnLenVar ;vbaLenVar
:0040B295 FB9C74FE SubVar ;
:0040B299 FC22 CI4Var ;vbaI4Var
**********Reference To->msvbvm60.rtcStringBstr
|
:0040B29B 0B0C000800 ImpAdCallI2 ;Call ptr_0040106E; check stack 0008; Push EAX
:0040B2A0 4634FE CVarStr ;
:0040B2A3 FB9424FE AddVar ;************************** append L zeros
:0040B2A7 FCF6FCFE FStVar ;
:0040B2AB 36040064FE34FE FFreeVar ;Free 0004/2 variants
:0040B2B2 2884FE0500 LitVarI2 ;PushVarInteger 0005
:0040B2B7 F501000000 LitI4 ;Push 00000001
:0040B2BC 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B2BF 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B2C2 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B2C7 0474FE FLdRfVar ;Push LOCAL_018C
******Possible String Ref To->"-" finally insert "-" after the fifth character; the resulting string is the intermediate result
|
:0040B2CA 3A44FE0D00 LitVarStr ;PushVarString ptr_00408D1C
:0040B2CF FB9464FE AddVar ;a - after the fifth character
:0040B2D3 2834FE1400 LitVarI2 ;PushVarInteger 0014
:0040B2D8 F506000000 LitI4 ;Push 00000006
:0040B2DD 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B2E0 0424FE FLdRfVar ;Push LOCAL_01DC
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B2E3 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B2E8 0424FE FLdRfVar ;Push LOCAL_01DC
:0040B2EB FB9474FD AddVar ;joined back onto the original: the original string with a - inserted after its fifth character
:0040B2EF FCF6ACFE FStVar ;
:0040B2F3 360A0084FE74FE34 FFreeVar ;Free 000A/2 variants
:0040B300 1E2403 Branch ;ESI=0040B370
:0040B303 2884FE1800 LitVarI2 ;PushVarInteger 0018<-- must be 24 characters
:0040B308 F501000000 LitI4 ;Push 00000001
:0040B30D 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B310 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B313 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B318 0474FE FLdRfVar ;Push LOCAL_018C
:0040B31B FCF6FCFE FStVar ;
:0040B31F 3584FE FFree1Var ;Free LOCAL_017C
:0040B322 2884FE0500 LitVarI2 ;PushVarInteger 0005<-- '-' after the fifth character
:0040B327 F501000000 LitI4 ;Push 00000001
:0040B32C 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B32F 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B332 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B337 0474FE FLdRfVar ;Push LOCAL_018C
******Possible String Ref To->"-"
|
:0040B33A 3A44FE0D00 LitVarStr ;PushVarString ptr_00408D1C
:0040B33F FB9464FE AddVar ;
:0040B343 2834FE1400 LitVarI2 ;PushVarInteger 0014
:0040B348 F506000000 LitI4 ;Push 00000006
:0040B34D 04FCFE FLdRfVar ;Push LOCAL_0104
:0040B350 0424FE FLdRfVar ;Push LOCAL_01DC
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B353 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B358 0424FE FLdRfVar ;Push LOCAL_01DC
:0040B35B FB9474FD AddVar ;
:0040B35F FCF6ACFE FStVar ;
:0040B363 360A0084FE74FE34 FFreeVar ;Free 000A/2 variants
:0040B370 289CFE0100 LitVarI2 ;PushVarInteger 0001
:0040B375 FCF62CFF FStVar ;
:0040B379 0454FE FLdRfVar ;Push LOCAL_01AC
:0040B37C FBEB84FE FnLenVar ;vbaLenVar
:0040B380 289CFE0000 LitVarI2 ;PushVarInteger 0000
:0040B385 5D HardType ;
:0040B386 FB3C74FE NeVar ;
:0040B38A 04CCFE FLdRfVar ;Push LOCAL_0134
:0040B38D FBEB64FE FnLenVar ;vbaLenVar
:0040B391 2844FE0000 LitVarI2 ;PushVarInteger 0000
:0040B396 5D HardType ;
:0040B397 FB3C34FE NeVar ;
:0040B39B FB2724FE AndVar ;
:0040B39F FF1B CBoolVarNull ;vbaBoolVarNull
:0040B3A1 1C4404 BranchF ;If Pop=0 then ESI=0040B490
:0040B3A4 2884FE0100 LitVarI2 ;PushVarInteger 0001
:0040B3A9 042CFF FLdRfVar ;Push LOCAL_00D4
:0040B3AC FC22 CI4Var ;vbaI4Var
:0040B3AE 0454FE FLdRfVar ;Push LOCAL_01AC push the address of the entered registration code
:0040B3B1 0474FE FLdRfVar ;Push LOCAL_018C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0040B3B4 0A09001000 ImpAdCallFPR4 ;Call ptr_00401062; check stack 0010; Push EAX
:0040B3B9 0474FE FLdRfVar ;Push LOCAL_018C take one registration-code character; its value is in hex
:0040B3BC FCF61CFF FStVar ;
:0040B3C0 3584FE FFree1Var ;Free LOCAL_017C
:0040B3C3 041CFF FLdRfVar ;Push LOCAL_00E4
:0040B3C6 FDFE94FE CStrVarVal ;
**********Reference To->msvbvm60.rtcAnsiValueBstr
|
:0040B3CA 0B0A000400 ImpAdCallI2 ;Call ptr_00401068; check stack 0004; Push EAX
:0040B3CF F404 LitI2_Byte ;Push 04
:0040B3D1 A9 AddI2 ;registration-code character plus 4
:0040B3D2 449CFE CVarI2 ;
:0040B3D5 042CFF FLdRfVar ;Push LOCAL_00D4
:0040B3D8 FB9484FE AddVar ;plus the position index
:0040B3DC FCF61CFF FStVar ;
:0040B3E0 2F94FE FFree1Str ;SysFreeString [LOCAL_016C]; [LOCAL_016C]=0
:0040B3E3 041CFF FLdRfVar ;Push LOCAL_00E4
:0040B3E6 F501000000 LitI4 ;Push 00000001
:0040B3EB 0484FE FLdRfVar ;Push LOCAL_017C
**********Reference To->msvbvm60.rtcStringVar
|
:0040B3EE 0A0E000C00 ImpAdCallFPR4 ;Call ptr_00401074; check stack 000C; Push EAX
:0040B3F3 0484FE FLdRfVar ;Push LOCAL_017C
:0040B3F6 FCF61CFF FStVar ;
:0040B3FA 0464FD FLdRfVar ;Push LOCAL_029C
:0040B3FD 041CFF FLdRfVar ;Push LOCAL_00E4
:0040B400 FBEF84FE ConcatVar ;
:0040B404 FCF664FD FStVar ;
:0040B408 042CFF FLdRfVar ;Push LOCAL_00D4
:0040B40B 289CFE0100 LitVarI2 ;PushVarInteger 0001
:0040B410 FB9484FE AddVar ;
:0040B414 FCF62CFF FStVar ;
:0040B418 042CFF FLdRfVar ;Push LOCAL_00D4
:0040B41B 0454FE FLdRfVar ;Push LOCAL_01AC registration code address
:0040B41E FBEB84FE FnLenVar ;vbaLenVar
:0040B422 FB4D LeVarBool ;
:0040B424 1D5803 BranchT ;If Pop<>0 then ESI=0040B3A4
This is the key comparison:
***********************************************************************************************
:0040B427 0464FD FLdRfVar ;Push LOCAL_029C
:0040B42A 04ACFE FLdRfVar ;Push LOCAL_0154
:0040B42D FB33 EqVarBool ;
:0040B42F 1C1A04 BranchF ;If Pop=0 then ESI=0040B466 change 1c to 1d and it is cracked ~_~
************************************************************************************************
:0040B432 2734FE LitVar ;PushVar LOCAL_01CC
:0040B435 2764FE LitVar ;PushVar LOCAL_019C
******Possible String Ref To->"??"
|
:0040B438 3A44FE0F00 LitVarStr ;PushVarString ptr_00408D3C
:0040B43D 4E74FE FStVarCopyObj ;[LOCAL_018C]=vbaVarDup(Pop)
:0040B440 0474FE FLdRfVar ;Push LOCAL_018C
:0040B443 F540000000 LitI4 ;Push 00000040
******Possible String Ref To->"??键?
PYG?"
|
:0040B448 3A9CFE1000 LitVarStr ;PushVarString ptr_00408D24
:0040B44D 4E84FE FStVarCopyObj ;[LOCAL_017C]=vbaVarDup(Pop)
:0040B450 0484FE FLdRfVar ;Push LOCAL_017C
**********Reference To->msvbvm60.rtcMsgBox
|
:0040B453 0A11001400 ImpAdCallFPR4 ;Call ptr_0040107A; check stack 0014; Push EAX
:0040B458 36080084FE74FE64 FFreeVar ;Free 0008/2 variants
:0040B463 1E4404 Branch ;ESI=0040B490
******Possible String Ref To->""
|
:0040B466 1B0800 LitStr ;Push ptr_00408D0C
:0040B469 21 FLdPrThis ;[SR]=[stack2]
:0040B46A 0F0C03 VCallAd ;Return the control index 05
:0040B46D 1998FE FStAdFunc ;
:0040B470 0898FE FLdPr ;[SR]=[LOCAL_0168]
***********Reference To:[propput]TextBox.Text
|
:0040B473 0DA4000000 VCallHresult ;Call ptr_00408BC0
:0040B478 1A98FE FFree1Ad ;Push [LOCAL_0168]; Call [[[LOCAL_0168]]+8]; [[LOCAL_0168]]=0
******Possible String Ref To->""
|
:0040B47B 1B0800 LitStr ;Push ptr_00408D0C
:0040B47E 21 FLdPrThis ;[SR]=[stack2]
:0040B47F 0F0803 VCallAd ;Return the control index 04
:0040B482 1998FE FStAdFunc ;
:0040B485 0898FE FLdPr ;[SR]=[LOCAL_0168]
***********Reference To:[propput]TextBox.Text
|
:0040B488 0DA4000000 VCallHresult ;Call ptr_00408BC0
:0040B48D 1A98FE FFree1Ad ;Push [LOCAL_0168]; Call [[[LOCAL_0168]]+8]; [[LOCAL_0168]]=0
:0040B490 13 ExitProcHresult ;
:0040B491 0000 LargeBos ;IDE beginning of line with 00 byte codes
==============================================================================
PYG_CrackMe2005 certification challenge, algorithm summary:
Step 1:
Use the machine code as index values into "5201314896788888888888888888888888", take the digit at each position and
concatenate them into a string. The array index follows the C convention and starts from 0.
Step 2:
Append the string "piaoyunge" to the user name and convert everything to upper case; this gives a string to continue with.
XOR the ASCII (hex) value of the first letter with 0x3,
add the ASCII (hex) value of the next letter and XOR with 0x3 again,
and when the loop finishes you have a hex value;
convert it to decimal, add it to the decimal number formed by the string from step 1, and store the result as a string.
Step 3:
Use the machine code as index values into "chinapygabcdefghijklmopqrstuvwxyza", take the letter at each position, concatenate
them into a string and convert it to upper case. If the string from the previous step is shorter than the machine code, change
the last characters of this string to '0', as many as the difference.
Append this string to the string obtained in step 2 and append '0's at the end to make it 24 characters.
Insert '-' after the fifth character; the resulting string is the intermediate result.
Step 4:
Take the ASCII (hex) value of each character of the registration code, add 4, then add the character's position index; the string
this produces is the intermediate result, and if it equals the intermediate result from step 3, it passes.
-------------------------------------------------------------------
Note: to write a keygen, compute up to the intermediate result of step 3 and then invert step 4: subtract 4 from each character and then subtract its position index to get the registration code.
#include <windows.h>
#include <stdlib.h>
#include <string.h>

/* Keygen: writes the registration code for machinecode/username into key.
   key must hold at least 32 bytes; the machine code is assumed to be digits.
   username is no longer modified (the original appended to the caller's buffer). */
void key(const char *machinecode, const char *username, char *key)
{
    char s0[] = "piaoyunge";
    char s1[] = "5201314896788888888888888888888888";
    char s2[] = "chinapygabcdefghijklmopqrstuvwxyza";
    char s3[64] = "-";          /* "-" plus the tail of key; "- " was too small */
    char name[128] = {0};       /* local copy of the user name */
    int i, j, k;
    unsigned long int m;
    char k1[34] = {0};
    char k2[34] = {0};

    /* Look the machine code up digit by digit: a digit string k1 and a letter string k2 */
    j = lstrlen(machinecode);
    for (i = 0; i < j && i < 33; i++)
    {
        k1[i] = s1[machinecode[i] - '0'];
        k2[i] = s2[machinecode[i] - '0'];
    }
    lstrcpyn(name, username, sizeof(name) - sizeof(s0));
    lstrcat(name, s0);          /* user name + piaoyunge */
    CharUpper(name);            /* to upper case */
    for (i = 0, k = 0; i < lstrlen(name); i++)
    {
        k = (k + name[i]) ^ 3;
    }
    m = atol(k1) + k;
    wsprintf(key, "%lu", m);
    /*---------------------------------------------------*/
    j = strlen(machinecode) - strlen(key);
    if (j > 0)
    {
        /* the numeric string is j characters shorter than the machine code:
           replace the last j letters of k2 with '0' (i has to walk backwards) */
        for (i = strlen(k2) - 1; j > 0 && i >= 0; j--, i--)
            k2[i] = '0';
    }
    /*---------------------------------------------------*/
    strcat(key, k2);
    j = 24 - lstrlen(key);
    for (i = 0; i < j; i++)
    {
        lstrcat(key, "0");      /* pad with '0' to 24 characters */
    }
    lstrcpy(s3 + 1, key + 5);   /* '-' after the fifth character */
    lstrcpy(key + 5, s3);
    CharUpper(key);             /* to upper case */
    //------------------------------
    // invert step 4 to get the registration code
    j = lstrlen(key);
    for (i = 0; i < j; i++)
    {
        key[i] = key[i] - i - 5;
    }
}
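Below is an added reference implementation of the four steps summarised above, written here in C; it is not the crackme's code or surge's keygen. pyg_intermediate follows the listing's loop bounds (step 3 runs Len(key) times, and a key longer than 24 characters is cut to 24 at the 0040B303 branch), pyg_check performs the step-4 comparison exactly as the program does, and pyg_keygen inverts it. The machine code and user name used in the test are constructed values.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tables and suffix exactly as they appear in the listing above. */
static const char DIGITS[]  = "5201314896788888888888888888888888";
static const char LETTERS[] = "chinapygabcdefghijklmopqrstuvwxyza";
static const char SUFFIX[]  = "piaoyunge";

/* Steps 1-3: the 25-char intermediate (24 chars with '-' after the 5th); out needs 32
 * bytes. Returns 0, or -1 for input the routine cannot process (non-digit machine
 * code, more than 15 digits, or fewer digits than step 3 consumes). */
int pyg_intermediate(const char *machine, const char *user, char out[32])
{
    char num[32], key[64];
    unsigned long long k = 0;
    size_t i, n, mlen = strlen(machine);
    if (mlen == 0 || mlen > 15) return -1;           /* keep the sum inside exact Double range */
    for (i = 0; i < mlen; i++) {                     /* step 1: Mid(DIGITS, digit + 1, 1) */
        if (!isdigit((unsigned char)machine[i])) return -1;
        num[i] = DIGITS[machine[i] - '0'];
    }
    num[i] = '\0';
    /* step 2: k = (k + Asc(ch)) Xor 3 over UCase(user & "piaoyunge"), then digit string + k */
    for (i = 0; user[i]; i++)   k = (k + toupper((unsigned char)user[i])) ^ 3;
    for (i = 0; SUFFIX[i]; i++) k = (k + toupper((unsigned char)SUFFIX[i])) ^ 3;
    n = (size_t)snprintf(key, sizeof key, "%llu", strtoull(num, NULL, 10) + k);
    if (n > mlen) return -1;                         /* step 3 would index past the machine code */
    for (i = 0; i < n; i++)                          /* UCase(Mid(LETTERS, digit + 1, 1)) */
        key[n + i] = (char)toupper((unsigned char)LETTERS[machine[i] - '0']);
    key[2 * n] = '\0';
    while (strlen(key) < 24) strcat(key, "0");       /* pad branch at 0040B27B */
    key[24] = '\0';                                  /* truncate branch at 0040B303 */
    memcpy(out, key, 5); out[5] = '-';               /* Mid(key,1,5) & "-" & Mid(key,6,20) */
    memcpy(out + 6, key + 5, 19); out[25] = '\0';
    return 0;
}

/* Step 4 as the program performs it: Chr((Asc(c) + 4 + position) Mod 256) for each
 * registration-code character, then a whole-string compare. Returns 1 when accepted. */
int pyg_check(const char *machine, const char *user, const char *reg)
{
    char want[32], got[64];
    size_t i, rlen = strlen(reg);
    if (pyg_intermediate(machine, user, want) != 0 || rlen >= sizeof got) return 0;
    for (i = 0; i < rlen; i++) got[i] = (char)(unsigned char)(reg[i] + 4 + (i + 1));
    return rlen == strlen(want) && memcmp(want, got, rlen) == 0;
}

/* Inverse of step 4: reg[i] = intermediate[i] - 4 - (i + 1). '0' padding from the
 * 13th position on drops below 0x20, so a valid code is not always typeable. */
int pyg_keygen(const char *machine, const char *user, char reg[32])
{
    char inter[32]; size_t i;
    if (pyg_intermediate(machine, user, inter) != 0) return -1;
    for (i = 0; inter[i]; i++) reg[i] = (char)(unsigned char)(inter[i] - 4 - (i + 1));
    reg[i] = '\0';
    return 0;
}
```

Because step 4 subtracts up to 29 from each character, the '0' padding in the tail of the intermediate maps to bytes below 0x20, so the registration code the check accepts can contain non-printable characters.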
surge[PYG]
surgefree@163.com
Written in Hengshui, Hebei