[原创]写的一个CRACEME，大家有空试试-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]写的一个CRACEME，大家有空试试

2006-4-16 12:56 8959

[原创]写的一个CRACEME，大家有空试试

laomms

2006-4-16 12:56

8959

VB写的CRACEME，非常简单。要求至少爆破，争取分析出算法，最好能写出注册机。修改了一下，明码的。

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。

上传的附件：

crackme1-lx.rar （11.43kb，22次下载）

收藏・0

点赞・7

打赏

最新回复 (26) 1 2 ▶
Winter-Night 雪币： 296 活跃值： (250) 能力值： ( LV9，RANK：210 ) 在线值：发帖 31 回帖 726 粉丝 1 关注私信	Winter-Night 5 2006-4-19 22:05 2 楼 0 只会爆的:) 00403D2F /74 67 JE SHORT CRACKME1.00403D98 //nop
alpsdew 雪币： 235 活跃值： (41) 能力值： ( LV9，RANK：170 ) 在线值：发帖 9 回帖 111 粉丝 0 关注私信	alpsdew 4 2006-4-19 22:22 3 楼 0 能给点提示不? 试了参考.消息和RUN跟踪 ... 不知道怎么办了?
icow 雪币： 222 活跃值： (26) 能力值： ( LV8，RANK：130 ) 在线值：发帖 5 回帖 64 粉丝 0 关注私信	icow 3 2006-4-19 23:02 4 楼 0 先下了试试.
alpsdew 雪币： 235 活跃值： (41) 能力值： ( LV9，RANK：170 ) 在线值：发帖 9 回帖 111 粉丝 0 关注私信	alpsdew 4 2006-4-20 13:24 5 楼 0 不知道在哪里下断啊 ?
虫的传人雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	虫的传人 2006-4-22 14:53 6 楼 0 下回去研究研究..
coolc 雪币： 206 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	coolc 2006-4-22 16:56 7 楼 0 已破了的哥哥，可以写个教程吗？？？
johnflj 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	johnflj 2006-4-24 10:49 8 楼 0 testdfsadsafads
geae 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 89 粉丝 0 关注私信	geae 1 2006-4-24 11:00 9 楼 0 00404D86 . 66:3BF3 CMP SI,BX ; 比较 00404D89 . 898D 78FFFFFF MOV DWORD PTR SS:[EBP-88],ECX 00404D8F . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX 00404D95 . 894D 88 MOV DWORD PTR SS:[EBP-78],ECX 00404D98 . 8945 80 MOV DWORD PTR SS:[EBP-80],EAX 00404D9B . 894D 98 MOV DWORD PTR SS:[EBP-68],ECX ; 注册码 00404D9E . 8945 90 MOV DWORD PTR SS:[EBP-70],EAX 00404DA1 . 74 52 JE SHORT CRACKME1.00404DF5 用户名:123456789 注册码:B36F7130 唉,算法看不明白啊
地球人雪币： 213 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 -2 回帖 29 粉丝 0 关注私信	地球人 2006-4-24 11:11 10 楼 0 我也看不懂算法，什么不明白的！可以查看明码的吗？如果这样就对我简单了！
johnflj 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	johnflj 2006-4-24 13:59 11 楼 0 1234 6C2FA0B6
firecho 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 5 粉丝 0 关注私信	firecho 2006-4-24 21:18 12 楼 0 破了,但是得不到算法,好像跟MD5有关
crackmefly 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 5 粉丝 0 关注私信	crackmefly 2006-4-24 22:17 13 楼 0 做了个内存注册机好像等级不够不能上传！
inraining 雪币： 234 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 15 回帖 411 粉丝 0 关注私信	inraining 2 2006-4-24 23:34 14 楼 0 00404AA1 . 50 push eax ; 机器码入栈 00404AA2 . FF15 08114000 call [<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str 00404AA8 . 8985 C0FEFFFF mov [ebp-140], eax ; 机器码之hex值入eax 00404AAE . DB85 C0FEFFFF fild dword ptr [ebp-140] 00404AB4 . DD9D B8FEFFFF fstp qword ptr [ebp-148] 00404ABA . DD85 B8FEFFFF fld qword ptr [ebp-148] 00404AC0 . 833D 00904000 00 cmp dword ptr [409000], 0 00404AC7 . 75 08 jnz short 00404AD1 00404AC9 . DC35 70114000 fdiv qword ptr [401170] ; 机器码/4=224527246.5 00404ACF . EB 11 jmp short 00404AE2 00404AD1 > FF35 74114000 push dword ptr [401174] 00404AD7 . FF35 70114000 push dword ptr [401170] 00404ADD . E8 F2C7FFFF call <jmp.&MSVBVM60._adj_fdiv_m64> 00404AE2 > DC0D 68114000 fmul qword ptr [401168] ; 以上结果X3=673581739.5 00404AE8 . DC05 60114000 fadd qword ptr [401160] ; 以上结果+987654321=1661236060.5 00404AEE . DFE0 fstsw ax 00404AF0 . A8 0D test al, 0D 00404AF2 . 0F85 1D030000 jnz 00404E15 00404AF8 . FF15 54104000 call [<&MSVBVM60.__vbaFPFix>] ; MSVBVM60.__vbaFPFix 00404AFE . 8B95 1CFFFFFF mov edx, [ebp-E4] ; 以上将最终计算结果求整数=1661236060 00404B04 . 83EC 10 sub esp, 10 00404B07 . DD9D 20FFFFFF fstp qword ptr [ebp-E0] 00404B0D . 8BCC mov ecx, esp 00404B0F . B8 05000000 mov eax, 5 00404B14 . 8985 18FFFFFF mov [ebp-E8], eax 00404B1A . 6A 01 push 1 00404B1C . 8901 mov [ecx], eax 00404B1E . 8B85 20FFFFFF mov eax, [ebp-E0] 00404B24 . 68 B83D4000 push 00403DB8 ; UNICODE "Md5_String_Calc" 00404B29 . 8D5F 34 lea ebx, [edi+34] 00404B2C . 8951 04 mov [ecx+4], edx 00404B2F . 8B95 24FFFFFF mov edx, [ebp-DC] 00404B35 . 8941 08 mov [ecx+8], eax 00404B38 . 8D45 B8 lea eax, [ebp-48] 00404B3B . 50 push eax 00404B3C . 8951 0C mov [ecx+C], edx 00404B3F . 8D8D 58FFFFFF lea ecx, [ebp-A8] 00404B45 . 51 push ecx 00404B46 . FF15 38114000 call [<&MSVBVM60.__vbaVarLateMemCallLd>] ; MSVBVM60.__vbaVarLateMemCallLd 00404B4C . 83C4 20 add esp, 20 ; 以上CALL为取整结果之MD5计算 00404B4F . 8BD0 mov edx, eax 00404B51 . 8BCB mov ecx, ebx 00404B53 . FF15 08104000 call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove 00404B59 . 8D8D 7CFFFFFF lea ecx, [ebp-84] 00404B5F . FF15 54114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr 00404B65 . 8D8D 68FFFFFF lea ecx, [ebp-98] 00404B6B . FF15 58114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj 00404B71 . 8D8D 58FFFFFF lea ecx, [ebp-A8] 00404B77 . FF15 14104000 call [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar 00404B7D . 8D95 58FFFFFF lea edx, [ebp-A8] 00404B83 . 8D85 48FFFFFF lea eax, [ebp-B8] 00404B89 . 52 push edx 00404B8A . 6A 06 push 6 00404B8C . 53 push ebx 00404B8D . 50 push eax 00404B8E . C785 60FFFFFF 080000>mov dword ptr [ebp-A0], 8 00404B98 . C785 58FFFFFF 020000>mov dword ptr [ebp-A8], 2 00404BA2 . FF15 60104000 call [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar 00404BA8 . 8D8D 48FFFFFF lea ecx, [ebp-B8] ; 以上MID(STR,6,8) 00404BAE . 51 push ecx 00404BAF . FF15 18104000 call [<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove 00404BB5 . 8BD0 mov edx, eax 00404BB7 . 8D4D 90 lea ecx, [ebp-70] 00404BBA . FF15 40114000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove 00404BC0 . 8B1D 1C104000 mov ebx, [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList 00404BC6 . 8D95 48FFFFFF lea edx, [ebp-B8] 00404BCC . 8D85 58FFFFFF lea eax, [ebp-A8] 00404BD2 . 52 push edx 00404BD3 . 50 push eax 00404BD4 . 6A 02 push 2 00404BD6 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList> 00404BD8 . 8B0F mov ecx, [edi] 00404BDA . 83C4 0C add esp, 0C 00404BDD . 57 push edi 00404BDE . FF91 10030000 call [ecx+310] 00404BE4 . 8D95 68FFFFFF lea edx, [ebp-98] 00404BEA . 50 push eax 00404BEB . 52 push edx 00404BEC . FF15 40104000 call [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet 00404BF2 . 8BF8 mov edi, eax 00404BF4 . 8D8D 7CFFFFFF lea ecx, [ebp-84] 00404BFA . 51 push ecx 00404BFB . 57 push edi 00404BFC . 8B07 mov eax, [edi] 00404BFE . FF90 A0000000 call [eax+A0] 00404C04 . 3BC6 cmp eax, esi 00404C06 . DBE2 fclex 00404C08 . 7D 12 jge short 00404C1C 00404C0A . 68 A0000000 push 0A0 00404C0F . 68 FC3B4000 push 00403BFC 00404C14 . 57 push edi 00404C15 . 50 push eax 00404C16 . FF15 34104000 call [<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj 00404C1C > 8B95 7CFFFFFF mov edx, [ebp-84] ; 注册码入edx 00404C22 . 8B45 90 mov eax, [ebp-70] ; 真码MID(MD5,6,8)入eax 00404C25 . 52 push edx 00404C26 . 50 push eax 00404C27 . FF15 78104000 call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp 00404C2D . 8BF8 mov edi, eax ; 比较 00404C2F . 8D8D 7CFFFFFF lea ecx, [ebp-84] 00404C35 . F7DF neg edi 00404C37 . 1BFF sbb edi, edi 00404C39 . 47 inc edi 00404C3A . F7DF neg edi 00404C3C . FF15 54114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr 00404C42 . 8D8D 68FFFFFF lea ecx, [ebp-98] 00404C48 . FF15 58114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj 00404C4E . B9 04000280 mov ecx, 80020004 00404C53 . B8 0A000000 mov eax, 0A 00404C58 . 66:3BFE cmp di, si 00404C5B . 898D 30FFFFFF mov [ebp-D0], ecx 00404C61 . 8985 28FFFFFF mov [ebp-D8], eax 00404C67 . 898D 40FFFFFF mov [ebp-C0], ecx 00404C6D . 8985 38FFFFFF mov [ebp-C8], eax 00404C73 . 898D 50FFFFFF mov [ebp-B0], ecx 00404C79 . 8985 48FFFFFF mov [ebp-B8], eax 00404C7F . 74 67 je short 00404CE8 注册码即:MID(MD5(int(机器码*3/4+987654321)),6,8) 注册机自己写吧~
baboo 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	baboo 2006-4-25 00:31 15 楼 0 赞楼主^_^
laomms 雪币： 560 活跃值： (309) 能力值： ( LV13，RANK：1370 ) 在线值：发帖 83 回帖 384 粉丝 7 关注私信	laomms 34 2006-4-25 07:29 16 楼 0 最初由 inraining* 发布* 00404AA1 . 50 push eax ; 机器码入栈 00404AA2 . FF15 08114000 call [<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str 00404AA8 . 8985 C0FEFFFF mov [ebp-140], eax ; 机器码之hex值入eax 00404AAE . DB85 C0FEFFFF fild dword ptr [ebp-140] 00404AB4 . DD9D B8FEFFFF fstp qword ptr [ebp-148] ........ 分析的非常不错。 Private Sub Command1_Click() Dim regid, zcm As String Set C1 = New Class1 If Text1.Text = "" Or Not IsNumeric(Text1.Text) Then MsgBox "机器码由数字构成" Else zcm = Fix(CLng(Text1.Text) / 4 * 3 + 987654321) regid = C1.Md5_String_Calc(zcm) Text2.Text = Mid(regid, 6, 8) End If End Sub ======================MD5类模块============== Option Explicit Private Const OFFSET_4 = 4294967296# Private Const MAXINT_4 = 2147483647 Private State(4) As Long Private ByteCounter As Long Private ByteBuffer(63) As Byte Private Const S11 = 7 Private Const S12 = 12 Private Const S13 = 17 Private Const S14 = 22 Private Const S21 = 5 Private Const S22 = 9 Private Const S23 = 14 Private Const S24 = 20 Private Const S31 = 4 Private Const S32 = 11 Private Const S33 = 16 Private Const S34 = 23 Private Const S41 = 6 Private Const S42 = 10 Private Const S43 = 15 Private Const S44 = 21 Property Get RegisterA() As String RegisterA = State(1) End Property Property Get RegisterB() As String RegisterB = State(2) End Property Property Get RegisterC() As String RegisterC = State(3) End Property Property Get RegisterD() As String RegisterD = State(4) End Property Public Function Md5_String_Calc(SourceString As String) As String MD5Init MD5Update LenB(StrConv(SourceString, vbFromUnicode)), StringToArray(SourceString) MD5Final Md5_String_Calc = GetValues End Function Public Function Md5_File_Calc(InFile As String) As String On Error GoTo errorhandler GoSub begin errorhandler: Md5_File_Calc = "" Exit Function begin: Dim FileO As Integer FileO = FreeFile Call FileLen(InFile) Open InFile For Binary Access Read As #FileO MD5Init Do While Not EOF(FileO) Get #FileO, , ByteBuffer If Loc(FileO) < LOF(FileO) Then ByteCounter = ByteCounter + 64 MD5Transform ByteBuffer End If Loop ByteCounter = ByteCounter + (LOF(FileO) Mod 64) Close #FileO MD5Final Md5_File_Calc = GetValues End Function Private Function StringToArray(InString As String) As Byte() Dim I As Integer, bytBuffer() As Byte ReDim bytBuffer(LenB(StrConv(InString, vbFromUnicode))) bytBuffer = StrConv(InString, vbFromUnicode) StringToArray = bytBuffer End Function Public Function GetValues() As String GetValues = LongToString(State(1)) & LongToString(State(2)) & LongToString(State(3)) & LongToString(State(4)) End Function Private Function LongToString(Num As Long) As String Dim A As Byte, B As Byte, C As Byte, d As Byte A = Num And &HFF& If A < 16 Then LongToString = "0" & Hex(A) Else LongToString = Hex(A) B = (Num And &HFF00&) \ 256 If B < 16 Then LongToString = LongToString & "0" & Hex(B) Else LongToString = LongToString & Hex(B) C = (Num And &HFF0000) \ 65536 If C < 16 Then LongToString = LongToString & "0" & Hex(C) Else LongToString = LongToString & Hex(C) If Num < 0 Then d = ((Num And &H7F000000) \ 16777216) Or &H80& Else d = (Num And &HFF000000) \ 16777216 If d < 16 Then LongToString = LongToString & "0" & Hex(d) Else LongToString = LongToString & Hex(d) End Function Public Sub MD5Init() ByteCounter = 0 State(1) = UnsignedToLong(1732584193#) State(2) = UnsignedToLong(4023233417#) State(3) = UnsignedToLong(2562383102#) State(4) = UnsignedToLong(271733878#) End Sub Public Sub MD5Final() Dim dblBits As Double, padding(72) As Byte, lngBytesBuffered As Long padding(0) = &H80 dblBits = ByteCounter * 8 lngBytesBuffered = ByteCounter Mod 64 If lngBytesBuffered <= 56 Then MD5Update 56 - lngBytesBuffered, padding Else MD5Update 120 - ByteCounter, padding padding(0) = UnsignedToLong(dblBits) And &HFF& padding(1) = UnsignedToLong(dblBits) \ 256 And &HFF& padding(2) = UnsignedToLong(dblBits) \ 65536 And &HFF& padding(3) = UnsignedToLong(dblBits) \ 16777216 And &HFF& padding(4) = 0 padding(5) = 0 padding(6) = 0 padding(7) = 0 MD5Update 8, padding End Sub Public Sub MD5Update(InputLen As Long, InputBuffer() As Byte) Dim II As Integer, I As Integer, J As Integer, K As Integer, lngBufferedBytes As Long, lngBufferRemaining As Long, lngRem As Long lngBufferedBytes = ByteCounter Mod 64 lngBufferRemaining = 64 - lngBufferedBytes ByteCounter = ByteCounter + InputLen If InputLen >= lngBufferRemaining Then For II = 0 To lngBufferRemaining - 1 ByteBuffer(lngBufferedBytes + II) = InputBuffer(II) Next II MD5Transform ByteBuffer lngRem = (InputLen) Mod 64 For I = lngBufferRemaining To InputLen - II - lngRem Step 64 For J = 0 To 63 ByteBuffer(J) = InputBuffer(I + J) Next J MD5Transform ByteBuffer Next I lngBufferedBytes = 0 Else I = 0 End If For K = 0 To InputLen - I - 1 ByteBuffer(lngBufferedBytes + K) = InputBuffer(I + K) Next K End Sub Private Sub MD5Transform(Buffer() As Byte) Dim X(16) As Long, A As Long, B As Long, C As Long, d As Long A = State(1) B = State(2) C = State(3) d = State(4) Decode 64, X, Buffer FF A, B, C, d, X(0), S11, -680876936 FF d, A, B, C, X(1), S12, -389564586 FF C, d, A, B, X(2), S13, 606105819 FF B, C, d, A, X(3), S14, -1044525330 FF A, B, C, d, X(4), S11, -176418897 FF d, A, B, C, X(5), S12, 1200080426 FF C, d, A, B, X(6), S13, -1473231341 FF B, C, d, A, X(7), S14, -45705983 FF A, B, C, d, X(8), S11, 1770035416 FF d, A, B, C, X(9), S12, -1958414417 FF C, d, A, B, X(10), S13, -42063 FF B, C, d, A, X(11), S14, -1990404162 FF A, B, C, d, X(12), S11, 1804603682 FF d, A, B, C, X(13), S12, -40341101 FF C, d, A, B, X(14), S13, -1502002290 FF B, C, d, A, X(15), S14, 1236535329 GG A, B, C, d, X(1), S21, -165796510 GG d, A, B, C, X(6), S22, -1069501632 GG C, d, A, B, X(11), S23, 643717713 GG B, C, d, A, X(0), S24, -373897302 GG A, B, C, d, X(5), S21, -701558691 GG d, A, B, C, X(10), S22, 38016083 GG C, d, A, B, X(15), S23, -660478335 GG B, C, d, A, X(4), S24, -405537848 GG A, B, C, d, X(9), S21, 568446438 GG d, A, B, C, X(14), S22, -1019803690 GG C, d, A, B, X(3), S23, -187363961 GG B, C, d, A, X(8), S24, 1163531501 GG A, B, C, d, X(13), S21, -1444681467 GG d, A, B, C, X(2), S22, -51403784 GG C, d, A, B, X(7), S23, 1735328473 GG B, C, d, A, X(12), S24, -1926607734 HH A, B, C, d, X(5), S31, -378558 HH d, A, B, C, X(8), S32, -2022574463 HH C, d, A, B, X(11), S33, 1839030562 HH B, C, d, A, X(14), S34, -35309556 HH A, B, C, d, X(1), S31, -1530992060 HH d, A, B, C, X(4), S32, 1272893353 HH C, d, A, B, X(7), S33, -155497632 HH B, C, d, A, X(10), S34, -1094730640 HH A, B, C, d, X(13), S31, 681279174 HH d, A, B, C, X(0), S32, -358537222 HH C, d, A, B, X(3), S33, -722521979 HH B, C, d, A, X(6), S34, 76029189 HH A, B, C, d, X(9), S31, -640364487 HH d, A, B, C, X(12), S32, -421815835 HH C, d, A, B, X(15), S33, 530742520 HH B, C, d, A, X(2), S34, -995338651 II A, B, C, d, X(0), S41, -198630844 II d, A, B, C, X(7), S42, 1126891415 II C, d, A, B, X(14), S43, -1416354905 II B, C, d, A, X(5), S44, -57434055 II A, B, C, d, X(12), S41, 1700485571 II d, A, B, C, X(3), S42, -1894986606 II C, d, A, B, X(10), S43, -1051523 II B, C, d, A, X(1), S44, -2054922799 II A, B, C, d, X(8), S41, 1873313359 II d, A, B, C, X(15), S42, -30611744 II C, d, A, B, X(6), S43, -1560198380 II B, C, d, A, X(13), S44, 1309151649 II A, B, C, d, X(4), S41, -145523070 II d, A, B, C, X(11), S42, -1120210379 II C, d, A, B, X(2), S43, 718787259 II B, C, d, A, X(9), S44, -343485551 State(1) = LongOverflowAdd(State(1), A) State(2) = LongOverflowAdd(State(2), B) State(3) = LongOverflowAdd(State(3), C) State(4) = LongOverflowAdd(State(4), d) End Sub Private Sub Decode(Length As Integer, OutputBuffer() As Long, InputBuffer() As Byte) Dim intDblIndex As Integer, intByteIndex As Integer, dblSum As Double For intByteIndex = 0 To Length - 1 Step 4 dblSum = InputBuffer(intByteIndex) + InputBuffer(intByteIndex + 1) * 256# + InputBuffer(intByteIndex + 2) * 65536# + InputBuffer(intByteIndex + 3) * 16777216# OutputBuffer(intDblIndex) = UnsignedToLong(dblSum) intDblIndex = intDblIndex + 1 Next intByteIndex End Sub Private Function FF(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, (B And C) Or (Not (B) And d), X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Private Function GG(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, (B And d) Or (C And Not (d)), X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Private Function HH(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, B Xor C Xor d, X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Private Function II(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, C Xor (B Or Not (d)), X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Function LongLeftRotate(value As Long, Bits As Long) As Long Dim lngSign As Long, lngI As Long Bits = Bits Mod 32 If Bits = 0 Then LongLeftRotate = value: Exit Function For lngI = 1 To Bits lngSign = value And &HC0000000 value = (value And &H3FFFFFFF) * 2 value = value Or ((lngSign < 0) And 1) Or (CBool(lngSign And &H40000000) And &H80000000) Next LongLeftRotate = value End Function Private Function LongOverflowAdd(Val1 As Long, Val2 As Long) As Long Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) lngOverflow = lngLowWord \ 65536 lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF& LongOverflowAdd = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&)) End Function Private Function LongOverflowAdd4(Val1 As Long, Val2 As Long, val3 As Long, val4 As Long) As Long Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) + (val3 And &HFFFF&) + (val4 And &HFFFF&) lngOverflow = lngLowWord \ 65536 lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + ((val3 And &HFFFF0000) \ 65536) + ((val4 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF& LongOverflowAdd4 = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&)) End Function Private Function UnsignedToLong(value As Double) As Long If value < 0 Or value >= OFFSET_4 Then Error 6 If value <= MAXINT_4 Then UnsignedToLong = value Else UnsignedToLong = value - OFFSET_4 End Function Private Function LongToUnsigned(value As Long) As Double If value < 0 Then LongToUnsigned = value + OFFSET_4 Else LongToUnsigned = value End Function
inraining 雪币： 234 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 15 回帖 411 粉丝 0 关注私信	inraining 2 2006-4-25 07:54 17 楼 0 最初由 laomms* 发布* 分析的非常不错。 Private Sub Command1_Click() Dim regid, zcm As String Set C1 = New Class1 ........ 其实如果MD5用成MD5(MD5(LeftStr(Str,x,x)),MD5(RightStr(Str,x,x))),或者修改一下MD5的常数值，就不好算啦，呵呵。
iioouu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	iioouu 2006-4-27 09:31 18 楼 0 好东西，下来看看
godhack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 141 粉丝 0 关注私信	godhack 2006-4-27 15:33 19 楼 0 能写个全一点的破文吗？谢谢了
sqsxwu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	sqsxwu 2006-4-28 20:30 20 楼 0 好好学习下，我刚接触破解
powermancc 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	powermancc 2006-4-29 15:54 21 楼 0 谢谢楼主 , 我是个菜鸟 , 先下来练习?!!
九公子雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	九公子 2006-4-30 08:50 22 楼 0 哎~~先看着~~刚刚来噻
wpfde 雪币： 101 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 8 粉丝 0 关注私信	wpfde 2006-5-1 00:37 23 楼 0 由于错误提示信息是中文，在字符串参考中找不到，因而一开始不知道怎么下断，刚巧看到逍遥风的CRACKME分析文集在Visual Basic系列中看到了在这种情况下下断点方法――在命令行里“bp __vbaStrCmp"成功找到明码。至于详细的分析，还没到这个水平。
归谷客雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	归谷客 2006-5-1 09:41 24 楼 0 强烈支持~可惜不能下~郁闷
zhsnqi 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	zhsnqi 2006-5-2 22:06 25 楼 0 下来试试!!~
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

laomms

发帖

384

回帖

1370

RANK

关注

私信

他的文章

虚拟键盘、虚拟鼠标驱动

[转帖]Antonis Kyprianou写的MiniDBG

[求助]写DLL脱壳机中获取某一模块上下文内容的问题

[分享]微狗驱动模拟程序（MASM源码）

[己解决]关于在VMWARE虚拟机中使用摄像头

关于我们

联系我们

企业服务

看雪公众号

最新回复 (26) 1 2 ▶
Winter-Night 雪币： 296 活跃值： (250) 能力值： ( LV9，RANK：210 ) 在线值：发帖 31 回帖 726 粉丝 1 关注私信	Winter-Night 5 2006-4-19 22:05 2 楼 0 只会爆的:) 00403D2F /74 67 JE SHORT CRACKME1.00403D98 //nop
alpsdew 雪币： 235 活跃值： (41) 能力值： ( LV9，RANK：170 ) 在线值：发帖 9 回帖 111 粉丝 0 关注私信	alpsdew 4 2006-4-19 22:22 3 楼 0 能给点提示不? 试了参考.消息和RUN跟踪 ... 不知道怎么办了?
icow 雪币： 222 活跃值： (26) 能力值： ( LV8，RANK：130 ) 在线值：发帖 5 回帖 64 粉丝 0 关注私信	icow 3 2006-4-19 23:02 4 楼 0 先下了试试.
alpsdew 雪币： 235 活跃值： (41) 能力值： ( LV9，RANK：170 ) 在线值：发帖 9 回帖 111 粉丝 0 关注私信	alpsdew 4 2006-4-20 13:24 5 楼 0 不知道在哪里下断啊 ?
虫的传人雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	虫的传人 2006-4-22 14:53 6 楼 0 下回去研究研究..
coolc 雪币： 206 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	coolc 2006-4-22 16:56 7 楼 0 已破了的哥哥，可以写个教程吗？？？
johnflj 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	johnflj 2006-4-24 10:49 8 楼 0 testdfsadsafads
geae 雪币： 218 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 89 粉丝 0 关注私信	geae 1 2006-4-24 11:00 9 楼 0 00404D86 . 66:3BF3 CMP SI,BX ; 比较 00404D89 . 898D 78FFFFFF MOV DWORD PTR SS:[EBP-88],ECX 00404D8F . 8985 70FFFFFF MOV DWORD PTR SS:[EBP-90],EAX 00404D95 . 894D 88 MOV DWORD PTR SS:[EBP-78],ECX 00404D98 . 8945 80 MOV DWORD PTR SS:[EBP-80],EAX 00404D9B . 894D 98 MOV DWORD PTR SS:[EBP-68],ECX ; 注册码 00404D9E . 8945 90 MOV DWORD PTR SS:[EBP-70],EAX 00404DA1 . 74 52 JE SHORT CRACKME1.00404DF5 用户名:123456789 注册码:B36F7130 唉,算法看不明白啊
地球人雪币： 213 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 -2 回帖 29 粉丝 0 关注私信	地球人 2006-4-24 11:11 10 楼 0 我也看不懂算法，什么不明白的！可以查看明码的吗？如果这样就对我简单了！
johnflj 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	johnflj 2006-4-24 13:59 11 楼 0 1234 6C2FA0B6
firecho 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 5 粉丝 0 关注私信	firecho 2006-4-24 21:18 12 楼 0 破了,但是得不到算法,好像跟MD5有关
crackmefly 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 5 粉丝 0 关注私信	crackmefly 2006-4-24 22:17 13 楼 0 做了个内存注册机好像等级不够不能上传！
inraining 雪币： 234 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 15 回帖 411 粉丝 0 关注私信	inraining 2 2006-4-24 23:34 14 楼 0 00404AA1 . 50 push eax ; 机器码入栈 00404AA2 . FF15 08114000 call [<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str 00404AA8 . 8985 C0FEFFFF mov [ebp-140], eax ; 机器码之hex值入eax 00404AAE . DB85 C0FEFFFF fild dword ptr [ebp-140] 00404AB4 . DD9D B8FEFFFF fstp qword ptr [ebp-148] 00404ABA . DD85 B8FEFFFF fld qword ptr [ebp-148] 00404AC0 . 833D 00904000 00 cmp dword ptr [409000], 0 00404AC7 . 75 08 jnz short 00404AD1 00404AC9 . DC35 70114000 fdiv qword ptr [401170] ; 机器码/4=224527246.5 00404ACF . EB 11 jmp short 00404AE2 00404AD1 > FF35 74114000 push dword ptr [401174] 00404AD7 . FF35 70114000 push dword ptr [401170] 00404ADD . E8 F2C7FFFF call <jmp.&MSVBVM60._adj_fdiv_m64> 00404AE2 > DC0D 68114000 fmul qword ptr [401168] ; 以上结果X3=673581739.5 00404AE8 . DC05 60114000 fadd qword ptr [401160] ; 以上结果+987654321=1661236060.5 00404AEE . DFE0 fstsw ax 00404AF0 . A8 0D test al, 0D 00404AF2 . 0F85 1D030000 jnz 00404E15 00404AF8 . FF15 54104000 call [<&MSVBVM60.__vbaFPFix>] ; MSVBVM60.__vbaFPFix 00404AFE . 8B95 1CFFFFFF mov edx, [ebp-E4] ; 以上将最终计算结果求整数=1661236060 00404B04 . 83EC 10 sub esp, 10 00404B07 . DD9D 20FFFFFF fstp qword ptr [ebp-E0] 00404B0D . 8BCC mov ecx, esp 00404B0F . B8 05000000 mov eax, 5 00404B14 . 8985 18FFFFFF mov [ebp-E8], eax 00404B1A . 6A 01 push 1 00404B1C . 8901 mov [ecx], eax 00404B1E . 8B85 20FFFFFF mov eax, [ebp-E0] 00404B24 . 68 B83D4000 push 00403DB8 ; UNICODE "Md5_String_Calc" 00404B29 . 8D5F 34 lea ebx, [edi+34] 00404B2C . 8951 04 mov [ecx+4], edx 00404B2F . 8B95 24FFFFFF mov edx, [ebp-DC] 00404B35 . 8941 08 mov [ecx+8], eax 00404B38 . 8D45 B8 lea eax, [ebp-48] 00404B3B . 50 push eax 00404B3C . 8951 0C mov [ecx+C], edx 00404B3F . 8D8D 58FFFFFF lea ecx, [ebp-A8] 00404B45 . 51 push ecx 00404B46 . FF15 38114000 call [<&MSVBVM60.__vbaVarLateMemCallLd>] ; MSVBVM60.__vbaVarLateMemCallLd 00404B4C . 83C4 20 add esp, 20 ; 以上CALL为取整结果之MD5计算 00404B4F . 8BD0 mov edx, eax 00404B51 . 8BCB mov ecx, ebx 00404B53 . FF15 08104000 call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove 00404B59 . 8D8D 7CFFFFFF lea ecx, [ebp-84] 00404B5F . FF15 54114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr 00404B65 . 8D8D 68FFFFFF lea ecx, [ebp-98] 00404B6B . FF15 58114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj 00404B71 . 8D8D 58FFFFFF lea ecx, [ebp-A8] 00404B77 . FF15 14104000 call [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar 00404B7D . 8D95 58FFFFFF lea edx, [ebp-A8] 00404B83 . 8D85 48FFFFFF lea eax, [ebp-B8] 00404B89 . 52 push edx 00404B8A . 6A 06 push 6 00404B8C . 53 push ebx 00404B8D . 50 push eax 00404B8E . C785 60FFFFFF 080000>mov dword ptr [ebp-A0], 8 00404B98 . C785 58FFFFFF 020000>mov dword ptr [ebp-A8], 2 00404BA2 . FF15 60104000 call [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar 00404BA8 . 8D8D 48FFFFFF lea ecx, [ebp-B8] ; 以上MID(STR,6,8) 00404BAE . 51 push ecx 00404BAF . FF15 18104000 call [<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove 00404BB5 . 8BD0 mov edx, eax 00404BB7 . 8D4D 90 lea ecx, [ebp-70] 00404BBA . FF15 40114000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove 00404BC0 . 8B1D 1C104000 mov ebx, [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList 00404BC6 . 8D95 48FFFFFF lea edx, [ebp-B8] 00404BCC . 8D85 58FFFFFF lea eax, [ebp-A8] 00404BD2 . 52 push edx 00404BD3 . 50 push eax 00404BD4 . 6A 02 push 2 00404BD6 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList> 00404BD8 . 8B0F mov ecx, [edi] 00404BDA . 83C4 0C add esp, 0C 00404BDD . 57 push edi 00404BDE . FF91 10030000 call [ecx+310] 00404BE4 . 8D95 68FFFFFF lea edx, [ebp-98] 00404BEA . 50 push eax 00404BEB . 52 push edx 00404BEC . FF15 40104000 call [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet 00404BF2 . 8BF8 mov edi, eax 00404BF4 . 8D8D 7CFFFFFF lea ecx, [ebp-84] 00404BFA . 51 push ecx 00404BFB . 57 push edi 00404BFC . 8B07 mov eax, [edi] 00404BFE . FF90 A0000000 call [eax+A0] 00404C04 . 3BC6 cmp eax, esi 00404C06 . DBE2 fclex 00404C08 . 7D 12 jge short 00404C1C 00404C0A . 68 A0000000 push 0A0 00404C0F . 68 FC3B4000 push 00403BFC 00404C14 . 57 push edi 00404C15 . 50 push eax 00404C16 . FF15 34104000 call [<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj 00404C1C > 8B95 7CFFFFFF mov edx, [ebp-84] ; 注册码入edx 00404C22 . 8B45 90 mov eax, [ebp-70] ; 真码MID(MD5,6,8)入eax 00404C25 . 52 push edx 00404C26 . 50 push eax 00404C27 . FF15 78104000 call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp 00404C2D . 8BF8 mov edi, eax ; 比较 00404C2F . 8D8D 7CFFFFFF lea ecx, [ebp-84] 00404C35 . F7DF neg edi 00404C37 . 1BFF sbb edi, edi 00404C39 . 47 inc edi 00404C3A . F7DF neg edi 00404C3C . FF15 54114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr 00404C42 . 8D8D 68FFFFFF lea ecx, [ebp-98] 00404C48 . FF15 58114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj 00404C4E . B9 04000280 mov ecx, 80020004 00404C53 . B8 0A000000 mov eax, 0A 00404C58 . 66:3BFE cmp di, si 00404C5B . 898D 30FFFFFF mov [ebp-D0], ecx 00404C61 . 8985 28FFFFFF mov [ebp-D8], eax 00404C67 . 898D 40FFFFFF mov [ebp-C0], ecx 00404C6D . 8985 38FFFFFF mov [ebp-C8], eax 00404C73 . 898D 50FFFFFF mov [ebp-B0], ecx 00404C79 . 8985 48FFFFFF mov [ebp-B8], eax 00404C7F . 74 67 je short 00404CE8 注册码即:MID(MD5(int(机器码*3/4+987654321)),6,8) 注册机自己写吧~
baboo 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	baboo 2006-4-25 00:31 15 楼 0 赞楼主^_^
laomms 雪币： 560 活跃值： (309) 能力值： ( LV13，RANK：1370 ) 在线值：发帖 83 回帖 384 粉丝 7 关注私信	laomms 34 2006-4-25 07:29 16 楼 0 最初由 inraining* 发布* 00404AA1 . 50 push eax ; 机器码入栈 00404AA2 . FF15 08114000 call [<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str 00404AA8 . 8985 C0FEFFFF mov [ebp-140], eax ; 机器码之hex值入eax 00404AAE . DB85 C0FEFFFF fild dword ptr [ebp-140] 00404AB4 . DD9D B8FEFFFF fstp qword ptr [ebp-148] ........ 分析的非常不错。 Private Sub Command1_Click() Dim regid, zcm As String Set C1 = New Class1 If Text1.Text = "" Or Not IsNumeric(Text1.Text) Then MsgBox "机器码由数字构成" Else zcm = Fix(CLng(Text1.Text) / 4 * 3 + 987654321) regid = C1.Md5_String_Calc(zcm) Text2.Text = Mid(regid, 6, 8) End If End Sub ======================MD5类模块============== Option Explicit Private Const OFFSET_4 = 4294967296# Private Const MAXINT_4 = 2147483647 Private State(4) As Long Private ByteCounter As Long Private ByteBuffer(63) As Byte Private Const S11 = 7 Private Const S12 = 12 Private Const S13 = 17 Private Const S14 = 22 Private Const S21 = 5 Private Const S22 = 9 Private Const S23 = 14 Private Const S24 = 20 Private Const S31 = 4 Private Const S32 = 11 Private Const S33 = 16 Private Const S34 = 23 Private Const S41 = 6 Private Const S42 = 10 Private Const S43 = 15 Private Const S44 = 21 Property Get RegisterA() As String RegisterA = State(1) End Property Property Get RegisterB() As String RegisterB = State(2) End Property Property Get RegisterC() As String RegisterC = State(3) End Property Property Get RegisterD() As String RegisterD = State(4) End Property Public Function Md5_String_Calc(SourceString As String) As String MD5Init MD5Update LenB(StrConv(SourceString, vbFromUnicode)), StringToArray(SourceString) MD5Final Md5_String_Calc = GetValues End Function Public Function Md5_File_Calc(InFile As String) As String On Error GoTo errorhandler GoSub begin errorhandler: Md5_File_Calc = "" Exit Function begin: Dim FileO As Integer FileO = FreeFile Call FileLen(InFile) Open InFile For Binary Access Read As #FileO MD5Init Do While Not EOF(FileO) Get #FileO, , ByteBuffer If Loc(FileO) < LOF(FileO) Then ByteCounter = ByteCounter + 64 MD5Transform ByteBuffer End If Loop ByteCounter = ByteCounter + (LOF(FileO) Mod 64) Close #FileO MD5Final Md5_File_Calc = GetValues End Function Private Function StringToArray(InString As String) As Byte() Dim I As Integer, bytBuffer() As Byte ReDim bytBuffer(LenB(StrConv(InString, vbFromUnicode))) bytBuffer = StrConv(InString, vbFromUnicode) StringToArray = bytBuffer End Function Public Function GetValues() As String GetValues = LongToString(State(1)) & LongToString(State(2)) & LongToString(State(3)) & LongToString(State(4)) End Function Private Function LongToString(Num As Long) As String Dim A As Byte, B As Byte, C As Byte, d As Byte A = Num And &HFF& If A < 16 Then LongToString = "0" & Hex(A) Else LongToString = Hex(A) B = (Num And &HFF00&) \ 256 If B < 16 Then LongToString = LongToString & "0" & Hex(B) Else LongToString = LongToString & Hex(B) C = (Num And &HFF0000) \ 65536 If C < 16 Then LongToString = LongToString & "0" & Hex(C) Else LongToString = LongToString & Hex(C) If Num < 0 Then d = ((Num And &H7F000000) \ 16777216) Or &H80& Else d = (Num And &HFF000000) \ 16777216 If d < 16 Then LongToString = LongToString & "0" & Hex(d) Else LongToString = LongToString & Hex(d) End Function Public Sub MD5Init() ByteCounter = 0 State(1) = UnsignedToLong(1732584193#) State(2) = UnsignedToLong(4023233417#) State(3) = UnsignedToLong(2562383102#) State(4) = UnsignedToLong(271733878#) End Sub Public Sub MD5Final() Dim dblBits As Double, padding(72) As Byte, lngBytesBuffered As Long padding(0) = &H80 dblBits = ByteCounter * 8 lngBytesBuffered = ByteCounter Mod 64 If lngBytesBuffered <= 56 Then MD5Update 56 - lngBytesBuffered, padding Else MD5Update 120 - ByteCounter, padding padding(0) = UnsignedToLong(dblBits) And &HFF& padding(1) = UnsignedToLong(dblBits) \ 256 And &HFF& padding(2) = UnsignedToLong(dblBits) \ 65536 And &HFF& padding(3) = UnsignedToLong(dblBits) \ 16777216 And &HFF& padding(4) = 0 padding(5) = 0 padding(6) = 0 padding(7) = 0 MD5Update 8, padding End Sub Public Sub MD5Update(InputLen As Long, InputBuffer() As Byte) Dim II As Integer, I As Integer, J As Integer, K As Integer, lngBufferedBytes As Long, lngBufferRemaining As Long, lngRem As Long lngBufferedBytes = ByteCounter Mod 64 lngBufferRemaining = 64 - lngBufferedBytes ByteCounter = ByteCounter + InputLen If InputLen >= lngBufferRemaining Then For II = 0 To lngBufferRemaining - 1 ByteBuffer(lngBufferedBytes + II) = InputBuffer(II) Next II MD5Transform ByteBuffer lngRem = (InputLen) Mod 64 For I = lngBufferRemaining To InputLen - II - lngRem Step 64 For J = 0 To 63 ByteBuffer(J) = InputBuffer(I + J) Next J MD5Transform ByteBuffer Next I lngBufferedBytes = 0 Else I = 0 End If For K = 0 To InputLen - I - 1 ByteBuffer(lngBufferedBytes + K) = InputBuffer(I + K) Next K End Sub Private Sub MD5Transform(Buffer() As Byte) Dim X(16) As Long, A As Long, B As Long, C As Long, d As Long A = State(1) B = State(2) C = State(3) d = State(4) Decode 64, X, Buffer FF A, B, C, d, X(0), S11, -680876936 FF d, A, B, C, X(1), S12, -389564586 FF C, d, A, B, X(2), S13, 606105819 FF B, C, d, A, X(3), S14, -1044525330 FF A, B, C, d, X(4), S11, -176418897 FF d, A, B, C, X(5), S12, 1200080426 FF C, d, A, B, X(6), S13, -1473231341 FF B, C, d, A, X(7), S14, -45705983 FF A, B, C, d, X(8), S11, 1770035416 FF d, A, B, C, X(9), S12, -1958414417 FF C, d, A, B, X(10), S13, -42063 FF B, C, d, A, X(11), S14, -1990404162 FF A, B, C, d, X(12), S11, 1804603682 FF d, A, B, C, X(13), S12, -40341101 FF C, d, A, B, X(14), S13, -1502002290 FF B, C, d, A, X(15), S14, 1236535329 GG A, B, C, d, X(1), S21, -165796510 GG d, A, B, C, X(6), S22, -1069501632 GG C, d, A, B, X(11), S23, 643717713 GG B, C, d, A, X(0), S24, -373897302 GG A, B, C, d, X(5), S21, -701558691 GG d, A, B, C, X(10), S22, 38016083 GG C, d, A, B, X(15), S23, -660478335 GG B, C, d, A, X(4), S24, -405537848 GG A, B, C, d, X(9), S21, 568446438 GG d, A, B, C, X(14), S22, -1019803690 GG C, d, A, B, X(3), S23, -187363961 GG B, C, d, A, X(8), S24, 1163531501 GG A, B, C, d, X(13), S21, -1444681467 GG d, A, B, C, X(2), S22, -51403784 GG C, d, A, B, X(7), S23, 1735328473 GG B, C, d, A, X(12), S24, -1926607734 HH A, B, C, d, X(5), S31, -378558 HH d, A, B, C, X(8), S32, -2022574463 HH C, d, A, B, X(11), S33, 1839030562 HH B, C, d, A, X(14), S34, -35309556 HH A, B, C, d, X(1), S31, -1530992060 HH d, A, B, C, X(4), S32, 1272893353 HH C, d, A, B, X(7), S33, -155497632 HH B, C, d, A, X(10), S34, -1094730640 HH A, B, C, d, X(13), S31, 681279174 HH d, A, B, C, X(0), S32, -358537222 HH C, d, A, B, X(3), S33, -722521979 HH B, C, d, A, X(6), S34, 76029189 HH A, B, C, d, X(9), S31, -640364487 HH d, A, B, C, X(12), S32, -421815835 HH C, d, A, B, X(15), S33, 530742520 HH B, C, d, A, X(2), S34, -995338651 II A, B, C, d, X(0), S41, -198630844 II d, A, B, C, X(7), S42, 1126891415 II C, d, A, B, X(14), S43, -1416354905 II B, C, d, A, X(5), S44, -57434055 II A, B, C, d, X(12), S41, 1700485571 II d, A, B, C, X(3), S42, -1894986606 II C, d, A, B, X(10), S43, -1051523 II B, C, d, A, X(1), S44, -2054922799 II A, B, C, d, X(8), S41, 1873313359 II d, A, B, C, X(15), S42, -30611744 II C, d, A, B, X(6), S43, -1560198380 II B, C, d, A, X(13), S44, 1309151649 II A, B, C, d, X(4), S41, -145523070 II d, A, B, C, X(11), S42, -1120210379 II C, d, A, B, X(2), S43, 718787259 II B, C, d, A, X(9), S44, -343485551 State(1) = LongOverflowAdd(State(1), A) State(2) = LongOverflowAdd(State(2), B) State(3) = LongOverflowAdd(State(3), C) State(4) = LongOverflowAdd(State(4), d) End Sub Private Sub Decode(Length As Integer, OutputBuffer() As Long, InputBuffer() As Byte) Dim intDblIndex As Integer, intByteIndex As Integer, dblSum As Double For intByteIndex = 0 To Length - 1 Step 4 dblSum = InputBuffer(intByteIndex) + InputBuffer(intByteIndex + 1) * 256# + InputBuffer(intByteIndex + 2) * 65536# + InputBuffer(intByteIndex + 3) * 16777216# OutputBuffer(intDblIndex) = UnsignedToLong(dblSum) intDblIndex = intDblIndex + 1 Next intByteIndex End Sub Private Function FF(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, (B And C) Or (Not (B) And d), X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Private Function GG(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, (B And d) Or (C And Not (d)), X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Private Function HH(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, B Xor C Xor d, X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Private Function II(A As Long, B As Long, C As Long, d As Long, X As Long, S As Long, ac As Long) As Long A = LongOverflowAdd4(A, C Xor (B Or Not (d)), X, ac) A = LongLeftRotate(A, S) A = LongOverflowAdd(A, B) End Function Function LongLeftRotate(value As Long, Bits As Long) As Long Dim lngSign As Long, lngI As Long Bits = Bits Mod 32 If Bits = 0 Then LongLeftRotate = value: Exit Function For lngI = 1 To Bits lngSign = value And &HC0000000 value = (value And &H3FFFFFFF) * 2 value = value Or ((lngSign < 0) And 1) Or (CBool(lngSign And &H40000000) And &H80000000) Next LongLeftRotate = value End Function Private Function LongOverflowAdd(Val1 As Long, Val2 As Long) As Long Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) lngOverflow = lngLowWord \ 65536 lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF& LongOverflowAdd = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&)) End Function Private Function LongOverflowAdd4(Val1 As Long, Val2 As Long, val3 As Long, val4 As Long) As Long Dim lngHighWord As Long, lngLowWord As Long, lngOverflow As Long lngLowWord = (Val1 And &HFFFF&) + (Val2 And &HFFFF&) + (val3 And &HFFFF&) + (val4 And &HFFFF&) lngOverflow = lngLowWord \ 65536 lngHighWord = (((Val1 And &HFFFF0000) \ 65536) + ((Val2 And &HFFFF0000) \ 65536) + ((val3 And &HFFFF0000) \ 65536) + ((val4 And &HFFFF0000) \ 65536) + lngOverflow) And &HFFFF& LongOverflowAdd4 = UnsignedToLong((lngHighWord * 65536#) + (lngLowWord And &HFFFF&)) End Function Private Function UnsignedToLong(value As Double) As Long If value < 0 Or value >= OFFSET_4 Then Error 6 If value <= MAXINT_4 Then UnsignedToLong = value Else UnsignedToLong = value - OFFSET_4 End Function Private Function LongToUnsigned(value As Long) As Double If value < 0 Then LongToUnsigned = value + OFFSET_4 Else LongToUnsigned = value End Function
inraining 雪币： 234 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 15 回帖 411 粉丝 0 关注私信	inraining 2 2006-4-25 07:54 17 楼 0 最初由 laomms* 发布* 分析的非常不错。 Private Sub Command1_Click() Dim regid, zcm As String Set C1 = New Class1 ........ 其实如果MD5用成MD5(MD5(LeftStr(Str,x,x)),MD5(RightStr(Str,x,x))),或者修改一下MD5的常数值，就不好算啦，呵呵。
iioouu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	iioouu 2006-4-27 09:31 18 楼 0 好东西，下来看看
godhack 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 141 粉丝 0 关注私信	godhack 2006-4-27 15:33 19 楼 0 能写个全一点的破文吗？谢谢了
sqsxwu 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	sqsxwu 2006-4-28 20:30 20 楼 0 好好学习下，我刚接触破解
powermancc 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	powermancc 2006-4-29 15:54 21 楼 0 谢谢楼主 , 我是个菜鸟 , 先下来练习?!!
九公子雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 3 粉丝 0 关注私信	九公子 2006-4-30 08:50 22 楼 0 哎~~先看着~~刚刚来噻
wpfde 雪币： 101 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 8 粉丝 0 关注私信	wpfde 2006-5-1 00:37 23 楼 0 由于错误提示信息是中文，在字符串参考中找不到，因而一开始不知道怎么下断，刚巧看到逍遥风的CRACKME分析文集在Visual Basic系列中看到了在这种情况下下断点方法――在命令行里“bp __vbaStrCmp"成功找到明码。至于详细的分析，还没到这个水平。
归谷客雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	归谷客 2006-5-1 09:41 24 楼 0 强烈支持~可惜不能下~郁闷
zhsnqi 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	zhsnqi 2006-5-2 22:06 25 楼 0 下来试试!!~
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复