1) PEiD scan: Microsoft Visual Basic 5.0 / 6.0, no packer.
2) Trial run: after entering anything, the error message "you get wrong try again" appears.
3) Load the program in OD and use Ultra String Reference to look for the error message "you get wrong try again":
Ultra String Reference+, entry 5
Address=004025E5
Disassembly=PUSH CrackMe1.00401BC8
Text string=you get wrong
Double-click to go to 004025E5, then scroll up to find where the program starts comparing the serial. That is 00402310; set a breakpoint there.
4) Reload in OD; after entering anything, the program breaks.
00402310 > \55 PUSH EBP ; breaks here; step over (F8) downward
00402311 . 8BEC MOV EBP,ESP
00402313 . 83EC 0C SUB ESP,0C
...... some code omitted.
0040240F . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00402412 . 50 PUSH EAX ; the entered serial is pushed
00402413 . 8B1A MOV EBX,DWORD PTR DS:[EDX]
00402415 . FF15 E4404000 CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBs>; MSVBVM50.__vbaLenBstr
0040241B . 8BF8 MOV EDI,EAX ; EAX = length of the entered serial
0040241D . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18] ; EBP-18 = entered serial
00402420 . 69FF FB7C0100 IMUL EDI,EDI,17CFB ; EDI=EDI*17CFB
00402426 . 51 PUSH ECX
00402427 . 0F80 91020000 JO CrackMe1.004026BE
0040242D . FF15 F8404000 CALL DWORD PTR DS:[<&MSVBVM50.#516>] ; note: step into this CALL first
00402433 . 0FBFD0 MOVSX EDX,AX ; EAX = 32 or 31
00402436 . 03FA ADD EDI,EDX ; EDI = EDI+EDX (EDI=D64D3, EDX=32)
00402438 . 0F80 80020000 JO CrackMe1.004026BE ; EDI=D6505
0040243E . 57 PUSH EDI
0040243F . FF15 E0404000 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>; step in!! this computes the serial
00402445 . 8BD0 MOV EDX,EAX
00402447 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040244A . FF15 70414000 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
00402450 . 8BBD 50FFFFFF MOV EDI,DWORD PTR SS:[EBP-B0]
...... some code omitted.
0040251C . 50 PUSH EAX
0040251D . 68 701B4000 PUSH CrackMe1.00401B70 ; aka-
00402522 > . 51 PUSH ECX ; prepend AKA to the computed serial
00402523 . FFD7 CALL EDI ;
00402525 . 8B1D 70414000 MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaSt>;
0040252B . 8BD0 MOV EDX,EAX
0040252D . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00402530 . FFD3 CALL EBX ;
00402532 . 50 PUSH EAX
00402533 . FF15 28414000 CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCm>;
00402539 . 8BF0 MOV ESI,EAX
0040253B . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0040253E . F7DE NEG ESI
00402540 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00402543 . 52 PUSH EDX
00402544 . 1BF6 SBB ESI,ESI
00402546 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00402549 . 50 PUSH EAX
0040254A . 46 INC ESI
0040254B . 51 PUSH ECX
0040254C . 6A 03 PUSH 3
0040254E . F7DE NEG ESI
00402550 . FF15 5C414000 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00402556 . 83C4 10 ADD ESP,10
00402559 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0040255C . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0040255F . 52 PUSH EDX
00402560 . 50 PUSH EAX
00402561 . 6A 02 PUSH 2
00402563 . FF15 F4404000 CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObjList
00402569 . 83C4 0C ADD ESP,0C
0040256C . B9 04000280 MOV ECX,80020004
00402571 . B8 0A000000 MOV EAX,0A
00402576 . 894D 9C MOV DWORD PTR SS:[EBP-64],ECX
00402579 . 66:85F6 TEST SI,SI
0040257C . 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
0040257F . 894D AC MOV DWORD PTR SS:[EBP-54],ECX
00402582 . 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
00402585 . 894D BC MOV DWORD PTR SS:[EBP-44],ECX
00402588 . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0040258B . 74 58 JE SHORT CrackMe1.004025E5 ; compares the real and entered serials; if equal, jumps to success
Below are the contents of each CALL that was stepped into.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Entering the first CALL:
762BC89B > 55 PUSH EBP
762BC89C B8 00000000 MOV EAX,0
762BC8A1 8BEC MOV EBP,ESP
762BC8A3 83EC 04 SUB ESP,4
762BC8A6 56 PUSH ESI
762BC8A7 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; EBP+8 = registration name
762BC8AA 85F6 TEST ESI,ESI
762BC8AC 74 05 JE SHORT MSVBVM50.762BC8B3
762BC8AE 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
762BC8B1 D1E8 SHR EAX,1 ; EAX*2
762BC8B3 85C0 TEST EAX,EAX
762BC8B5 0F84 D6D20300 JE MSVBVM50.762F9B91
762BC8BB 33C0 XOR EAX,EAX ; zero EAX
762BC8BD 8D4D FE LEA ECX,DWORD PTR SS:[EBP-2]
762BC8C0 50 PUSH EAX
762BC8C1 50 PUSH EAX
762BC8C2 6A 02 PUSH 2
762BC8C4 51 PUSH ECX
762BC8C5 6A 01 PUSH 1
762BC8C7 56 PUSH ESI
762BC8C8 50 PUSH EAX
762BC8C9 50 PUSH EAX
762BC8CA FF15 00122876 CALL DWORD PTR DS:[<&KERNEL32.WideCharTo>; KERNEL32.WideCharToMultiByte
762BC8D0 83F8 02 CMP EAX,2
762BC8D3 66:0FB645 FE MOVZX AX,BYTE PTR SS:[EBP-2] ; take the ASCII value of the first character of the registration name and put it in EAX
762BC8D8 0F84 BAD20300 JE MSVBVM50.762F9B98
762BC8DE 5E POP ESI
762BC8DF 8BE5 MOV ESP,EBP
762BC8E1 5D POP EBP
762BC8E2 C2 0400 RETN 4 ; return after computing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contents of the serial-computation CALL:
7629BECF > 83EC 04 SUB ESP,4
7629BED2 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
7629BED6 50 PUSH EAX
7629BED7 6A 00 PUSH 0
7629BED9 E8 5BF5FEFF CALL MSVBVM50.7628B439
7629BEDE 50 PUSH EAX
7629BEDF FF7424 14 PUSH DWORD PTR SS:[ESP+14]
7629BEE3 > FF15 641A2876 CALL DWORD PTR DS:[<&OLEAUT32.#110>] ; step in
7629BEE9 85C0 TEST EAX,EAX
7629BEEB 0F8C E5FE0400 JL MSVBVM50.762EBDD6
7629BEF1 8B4424 00 MOV EAX,DWORD PTR SS:[ESP]
7629BEF5 83C4 04 ADD ESP,4
7629BEF8 C2 0400 RETN 4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...... arriving here:
779BF080 > 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
779BF084 83EC 50 SUB ESP,50
779BF087 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
779BF08B 50 PUSH EAX
779BF08C 51 PUSH ECX
779BF08D E8 EE33FEFF CALL OLEAUT32.779A2480 ; step in here
779BF092 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
779BF096 8B5424 60 MOV EDX,DWORD PTR SS:[ESP+60]
779BF09A 52 PUSH EDX
779BF09B 50 PUSH EAX
779BF09C E8 AFA3FFFF CALL OLEAUT32.779B9450
779BF0A1 83C4 50 ADD ESP,50
779BF0A4 C2 1000 RETN 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...... arriving here:
779A2480 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
779A2484 33C9 XOR ECX,ECX
779A2486 85C0 TEST EAX,EAX
779A2488 56 PUSH ESI
779A2489 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
779A248D 0F9CC1 SETL CL
779A2490 51 PUSH ECX
779A2491 56 PUSH ESI
779A2492 50 PUSH EAX
779A2493 E8 48FFFFFF CALL OLEAUT32.779A23E0 ; step into this one
779A2498 8BC6 MOV EAX,ESI
779A249A 5E POP ESI
779A249B C2 0800 RETN 8
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...... arriving here; this is where the serial is computed from the registration name! (the key part)
779A23E8 53 PUSH EBX
779A23E9 56 PUSH ESI
779A23EA 85C0 TEST EAX,EAX
779A23EC 57 PUSH EDI
779A23ED 74 10 JE SHORT OLEAUT32.779A23FF
779A23EF 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10]
779A23F3 66:C701 2D00 MOV WORD PTR DS:[ECX],2D
779A23F8 83C1 02 ADD ECX,2
779A23FB F7DE NEG ESI
779A23FD EB 04 JMP SHORT OLEAUT32.779A2403
779A23FF 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10] ; ESP+10 = A
779A2403 8BD9 MOV EBX,ECX
779A2405 8BC6 MOV EAX,ESI ; move A into EAX
779A2407 33D2 XOR EDX,EDX ; zero EDX
779A2409 BF 0A000000 MOV EDI,0A ; set EDI = 0A
779A240E 83C1 02 ADD ECX,2 ; ECX increases by 2 on every iteration
779A2411 F7F7 DIV EDI ; EAX/EDI: quotient goes into EAX, remainder into EDX
779A2413 B8 CDCCCCCC MOV EAX,CCCCCCCD ; load EAX with the constant
779A2418 8BFA MOV EDI,EDX ; EDX=0, i.e. EDI is cleared
779A241A F7E6 MUL ESI
779A241C C1EA 03 SHR EDX,3 ; the value in EDX is divided by 8 (2^3)
779A241F 83C7 30 ADD EDI,30 ; EDI increases by 30 on every iteration
779A2422 8BF2 MOV ESI,EDX ; copy EDX into ESI
779A2424 66:8979 FE MOV WORD PTR DS:[ECX-2],DI
779A2428 85F6 TEST ESI,ESI ; done yet? if not, keep computing
779A242A ^ 77 D9 JA SHORT OLEAUT32.779A2405
779A242C 66:C701 0000 MOV WORD PTR DS:[ECX],0 ; when the computation is done, execution arrives here
779A2431 83E9 02 SUB ECX,2 ; ECX -= 2
779A2434 66:8B13 MOV DX,WORD PTR DS:[EBX]
779A2437 66:8B01 MOV AX,WORD PTR DS:[ECX]
779A243A 66:8911 MOV WORD PTR DS:[ECX],DX
779A243D 66:8903 MOV WORD PTR DS:[EBX],AX
779A2440 83E9 02 SUB ECX,2
779A2443 83C3 02 ADD EBX,2
779A2446 3BD9 CMP EBX,ECX
779A2448 ^ 72 EA JB SHORT OLEAUT32.779A2434 ; this block reverses the digits obtained above
779A244A 5F POP EDI
779A244B 5E POP ESI ; pop the registers
779A244C 5B POP EBX ; 00CA4B90
779A244D C2 0C00 RETN 0C ; return
------------------------------------------------------------------------
By 逍遥风
Algorithm summary:
1) Take the ASCII value of the first character of the registration name (if a digit was entered, odd gives 31 and even gives 32); call this value A.
2) Multiply the registration name (its character count, as the __vbaLenBstr call above shows) by the constant 17CFB; call the result B.
3) A+B gives a value; call it C.
4) Loop as many times as B has digits: divide C by the constant 0A, divide the quotient by 0A again, ... until the loop ends.
Example: suppose B is a 5-character string.
C/0A=Q with remainder W; Q/0A=E with remainder R; E/0A=T with remainder Y; T/0A=U with remainder I; U/0A=O with remainder P.
Five divisions in total.
5) Join the remainders of those five divisions into a string, e.g. WRYIP here.
6) Reverse that string, e.g. PIYRW here.
7) Prepend AKA- to the reversed string, e.g. AKA-PIYRW. That is the serial.
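Added example, not code from the original post: a C re-implementation of the OLEAUT32 digit loop traced above (the CCCCCCCD multiply followed by SHR EDX,3 is the compiler idiom for dividing by 10, so the "serial-computation CALL" behind __vbaStrI4 is simply the runtime's integer-to-decimal-string conversion) together with the value C from the summary, so the comparison the crackme performs can be reproduced and checked. It also covers the negative-number branch (the word 2D written before EBX is set). The name and serial strings used in the test are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors MOV EAX,CCCCCCCD / MUL ESI / SHR EDX,3 (779A2413-779A241C): the
 * high dword of n*0xCCCCCCCD shifted right by 3 equals n/10 for every 32-bit
 * unsigned n. This reciprocal-multiply idiom is how compilers divide by 10. */
static uint32_t div10_magic(uint32_t n) {
    uint64_t prod = (uint64_t)n * 0xCCCCCCCDu;       /* EDX:EAX = ESI*EAX */
    return (uint32_t)(prod >> 32) >> 3;              /* SHR EDX,3 */
}

/* Emulates the OLEAUT32 routine at 779A23E8: emit the remainder (+0x30) of
 * each division as a digit, least-significant first, null-terminate, then
 * swap from both ends (779A2434..779A2448) so the digits read in normal order.
 * A negative value gets a leading '-' that the reversal skips (EBX is set
 * only after that word is written). */
static void int32_to_decimal(int32_t value, char *out) {
    char *p = out;
    uint32_t n;
    if (value < 0) { *p++ = '-'; n = 0u - (uint32_t)value; } else n = (uint32_t)value;
    char *start = p;                                 /* EBX */
    do {
        uint32_t q = div10_magic(n);
        *p++ = (char)('0' + (n - q * 10u));          /* EDI = remainder + 30 */
        n = q;                                       /* ESI = quotient */
    } while (n != 0);                                /* TEST ESI,ESI / JA */
    *p = '\0';                                       /* MOV WORD PTR [ECX],0 */
    for (char *lo = start, *hi = p - 1; lo < hi; lo++, hi--) {
        char t = *lo; *lo = *hi; *hi = t;
    }
}

/* Convenience wrapper returning the decimal string from a static buffer. */
static const char *decimal_str(int32_t v) { static char b[12]; int32_to_decimal(v, b); return b; }

/* Value handed to __vbaStrI4 per the summary: A (ASCII of the first
 * character of the name) + B (character count * 0x17CFB). */
static int32_t crackme_value(const char *name) {
    return (int32_t)((uint8_t)name[0] + (uint32_t)strlen(name) * 0x17CFBu);
}

/* The comparison the crackme performs: "AKA-" + decimal(C) == entered text. */
static int serial_matches(const char *name, const char *serial) {
    char buf[16] = "AKA-";                           /* room for "-2147483648" */
    int32_to_decimal(crackme_value(name), buf + 4);
    return strcmp(buf, serial) == 0;
}
```

With the register values traced on the page (EDI=D64D3 + EDX=32, i.e. a 9-character name whose first character is '2'), decimal_str(0xD6505) yields "877829".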
That is as far as the analysis goes for now; some details may not have been analysed thoroughly. Please point out any omissions or shortcomings.