Original post: http://bbs.pediy.com/showthread.php?s=&threadid=23582
Use C32Asm to search for the "About" dialog, which brings us to the address
00403F31 . C745 94 E4234>MOV DWORD PTR SS:[EBP-6C],CrackMe_.00402>; 谢谢大家支持...
Going upward we arrive at
00403E90 > \55 PUSH EBP ; entry point of the About dialog handler
00403E91 . 8BEC MOV EBP,ESP
00403E93 . 83EC 0C SUB ESP,0C
00403E96 . 68 16114000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00403E9B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00403EA1 . 50 PUSH EAX ; CrackMe_.00402AB4
00403EA2 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00403EA9 . 81EC A8000000 SUB ESP,0A8
00403EAF . 53 PUSH EBX
00403EB0 . 56 PUSH ESI
00403EB1 . 57 PUSH EDI
00403EB2 . 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
00403EB5 . C745 F8 F8104>MOV DWORD PTR SS:[EBP-8],CrackMe_.004010>
00403EBC . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00403EBF . 8BC8 MOV ECX,EAX ; CrackMe_.00402AB4
00403EC1 . 83E1 01 AND ECX,1
00403EC4 . 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00403EC7 . 24 FE AND AL,0FE
00403EC9 . 50 PUSH EAX ; CrackMe_.00402AB4
00403ECA . 8945 08 MOV DWORD PTR SS:[EBP+8],EAX ; CrackMe_.00402AB4
00403ECD . 8B10 MOV EDX,DWORD PTR DS:[EAX]
00403ECF . FF52 04 CALL DWORD PTR DS:[EDX+4]
00403ED2 . 8B3D B8104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDup
00403ED8 . B9 04000280 MOV ECX,80020004
00403EDD . 33F6 XOR ESI,ESI
00403EDF . 894D A4 MOV DWORD PTR SS:[EBP-5C],ECX
00403EE2 . B8 0A000000 MOV EAX,0A
00403EE7 . 894D B4 MOV DWORD PTR SS:[EBP-4C],ECX
00403EEA . BB 08000000 MOV EBX,8
00403EEF . 8975 AC MOV DWORD PTR SS:[EBP-54],ESI
00403EF2 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
00403EF5 . 89B5 7CFFFFFF MOV DWORD PTR SS:[EBP-84],ESI
00403EFB . 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
00403F01 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00403F04 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
00403F07 . 8975 CC MOV DWORD PTR SS:[EBP-34],ESI
00403F0A . 8975 BC MOV DWORD PTR SS:[EBP-44],ESI
00403F0D . 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00403F10 . 89B5 4CFFFFFF MOV DWORD PTR SS:[EBP-B4],ESI
00403F16 . 8945 9C MOV DWORD PTR SS:[EBP-64],EAX ; CrackMe_.00402AB4
00403F19 . 8945 AC MOV DWORD PTR SS:[EBP-54],EAX ; CrackMe_.00402AB4
00403F1C . C745 84 08244>MOV DWORD PTR SS:[EBP-7C],CrackMe_.00402>
00403F23 . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
00403F29 . FFD7 CALL EDI ; <&MSVBVM60.__vbaVarDup>
00403F2B . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00403F2E . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00403F31 . C745 94 E4234>MOV DWORD PTR SS:[EBP-6C],CrackMe_.00402>; 谢谢大家支持...
...............................................................................................
...............................................................................................
00403E90 is reached by a jump from 00402AC9
00402ABC /E9 CF000000 JMP CrackMe_.00402B90 ; start of the verification
00402AC1 |816C24 04 330>SUB DWORD PTR SS:[ESP+4],33
00402AC9 . |E9 C2130000 JMP CrackMe_.00403E90 ; jump to the About dialog
Set a breakpoint at 00402ABC, press F9 to run; after it breaks, press F8 to reach 00402B90
00402B90 > \55 PUSH EBP
Keep stepping with F8 and some UNICODE data becomes visible
00402D4E . 8B35 9C104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaI4>; MSVBVM60.__vbaI4Str
00402D54 . 68 C8224000 PUSH CrackMe_.004022C8 ; UNICODE "54", i.e. the decimal ASCII code of '6'
...............................................................................................
00402DA1 . 68 D4224000 PUSH CrackMe_.004022D4 ; UNICODE "70", i.e. the decimal ASCII code of 'F'
...............................................................................................
00402DB2 . 68 E0224000 PUSH CrackMe_.004022E0 ; UNICODE "77", i.e. the decimal ASCII code of 'M'
...............................................................................................
00402DC3 . 68 EC224000 PUSH CrackMe_.004022EC ; UNICODE "82", i.e. the decimal ASCII code of 'R'
...............................................................................................
00402DD4 . 68 F8224000 PUSH CrackMe_.004022F8 ; UNICODE "74", i.e. the decimal ASCII code of 'J'
...............................................................................................
00402DE5 . 68 04234000 PUSH CrackMe_.00402304 ; UNICODE "76", i.e. the decimal ASCII code of 'L'
...............................................................................................
Joined together they form the string "6FMRJL"; going downward we reach 00402F51
00402F51 . /0F84 26030000 je CrackMe_.0040327D
00402F57 . |8D8D 90FDFFFF lea ecx,dword ptr ss:[ebp-270]
00402F5D . |8D55 BC lea edx,dword ptr ss:[ebp-44]
00402F60 . |51 push ecx
00402F61 . |52 push edx
00402F62 . |C785 98FDFFFF 01>mov dword ptr ss:[ebp-268],1
00402F6C . |899D 90FDFFFF mov dword ptr ss:[ebp-270],ebx
00402F72 . |FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00402F78 . |50 push eax ; EAX=1,2,3,4,5,6
00402F79 . |8D85 BCFEFFFF lea eax,dword ptr ss:[ebp-144]
00402F7F . |8D8D 80FDFFFF lea ecx,dword ptr ss:[ebp-280]
00402F85 . |50 push eax
00402F86 . |51 push ecx
00402F87 . |FF15 50104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402F8D . |8D95 80FDFFFF lea edx,dword ptr ss:[ebp-280] ; EAX=6(36),F(46),M(4D),R(52),J(4A),L(4C)
00402F93 . |8D85 A8FDFFFF lea eax,dword ptr ss:[ebp-258]
00402F99 . |52 push edx
00402F9A . |50 push eax
00402F9B . |FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00402FA1 . |50 push eax
00402FA2 . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402FA8 . |8D95 B0FBFFFF lea edx,dword ptr ss:[ebp-450]
00402FAE . |8D8D 9CFEFFFF lea ecx,dword ptr ss:[ebp-164]
00402FB4 . |66:8985 B8FBFFFF mov word ptr ss:[ebp-448],ax
00402FBB . |899D B0FBFFFF mov dword ptr ss:[ebp-450],ebx
00402FC1 . |FFD6 call esi
00402FC3 . |8D8D A8FDFFFF lea ecx,dword ptr ss:[ebp-258]
00402FC9 . |FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402FCF . |8D8D 80FDFFFF lea ecx,dword ptr ss:[ebp-280]
00402FD5 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
00402FDB . |51 push ecx
00402FDC . |52 push edx
00402FDD . |53 push ebx
00402FDE . |FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>; MSVBVM60.__vbaFreeVarList
00402FE4 . |83C4 0C add esp,0C
00402FE7 . |8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
00402FED . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440]
00402FF3 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
00402FF9 . |50 push eax
00402FFA . |51 push ecx
00402FFB . |52 push edx
00402FFC . |C785 C8FBFFFF 01>mov dword ptr ss:[ebp-438],1
00403006 . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
0040300C . |FFD7 call edi ; EAX=1,2,3,4,5,6
0040300E . |8BD0 mov edx,eax
00403010 . |8D8D 8CFEFFFF lea ecx,dword ptr ss:[ebp-174]
00403016 . |FFD6 call esi
00403018 . |8D85 6CFEFFFF lea eax,dword ptr ss:[ebp-194]
0040301E . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440]
00403024 . |50 push eax
00403025 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
0040302B . |51 push ecx
0040302C . |52 push edx
0040302D . |C785 C8FBFFFF 01>mov dword ptr ss:[ebp-438],1
00403037 . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
0040303D . |FFD7 call edi
0040303F . |8BD0 mov edx,eax
00403041 . |8D8D 6CFEFFFF lea ecx,dword ptr ss:[ebp-194]
00403047 . |FFD6 call esi
00403049 . |8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
0040304F . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440]
00403055 . |50 push eax
00403056 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
0040305C . |51 push ecx
0040305D . |52 push edx
0040305E . |C785 C8FBFFFF 03>mov dword ptr ss:[ebp-438],3
00403068 . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
0040306E . |FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaVarPow>] ; MSVBVM60.__vbaVarPow
00403074 . |8BD0 mov edx,eax ; EAX=0
00403076 . |8D8D 3CFEFFFF lea ecx,dword ptr ss:[ebp-1C4]
0040307C . |FFD6 call esi
0040307E . |8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174] ; fetch the counter value from the heap into EAX
00403084 . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440] ; EAX=1,2,3,4,5,6
0040308A . |50 push eax
0040308B . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
00403091 . |51 push ecx
00403092 . |52 push edx
00403093 . |C785 C8FBFFFF 14>mov dword ptr ss:[ebp-438],14 ; +14
0040309D . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
004030A3 . |FFD7 call edi ; EAX=15,16,17,18,19,20
004030A5 . |8BD0 mov edx,eax
004030A7 . |8D8D 1CFEFFFF lea ecx,dword ptr ss:[ebp-1E4]
004030AD . |FFD6 call esi
004030AF . |8D85 3CFEFFFF lea eax,dword ptr ss:[ebp-1C4] ; EAX=0
004030B5 . |8D8D 1CFEFFFF lea ecx,dword ptr ss:[ebp-1E4] ; ECX=15,16,17,18,19,20
004030BB . |50 push eax
004030BC . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270] ; EDX=15,16,17,18,19,20
004030C2 . |51 push ecx
004030C3 . |52 push edx
004030C4 . |FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; MSVBVM60.__vbaVarMod
004030CA . |8BD0 mov edx,eax ; EAX=1,8,4,10,0,8
004030CC . |8D8D FCFDFFFF lea ecx,dword ptr ss:[ebp-204]
004030D2 . |FFD6 call esi
004030D4 . |8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174] ; fetch the value of EAX = the counter value
004030DA . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440] ; EAX=1,2,3,4,5,6
004030E0 . |50 push eax
004030E1 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
004030E7 . |51 push ecx
004030E8 . |52 push edx
004030E9 . |C785 C8FBFFFF 0A>mov dword ptr ss:[ebp-438],0A ; +0A
004030F3 . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
004030F9 . |FFD7 call edi ; after the addition EAX=0B,0C,0D,0E,0F,10
004030FB . |8BD0 mov edx,eax
004030FD . |8D8D DCFDFFFF lea ecx,dword ptr ss:[ebp-224]
00403103 . |FFD6 call esi
00403105 . |8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
0040310B . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440]
00403111 . |50 push eax
00403112 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
00403118 . |51 push ecx
00403119 . |52 push edx
0040311A . |899D C8FBFFFF mov dword ptr ss:[ebp-438],ebx
00403120 . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
00403126 . |FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaVarPow>] ; MSVBVM60.__vbaVarPow
0040312C . |8BD0 mov edx,eax ; EAX=0
0040312E . |8D8D ACFDFFFF lea ecx,dword ptr ss:[ebp-254]
00403134 . |FFD6 call esi
00403136 . |8D85 ACFDFFFF lea eax,dword ptr ss:[ebp-254]
0040313C . |8D8D DCFDFFFF lea ecx,dword ptr ss:[ebp-224]
00403142 . |50 push eax
00403143 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
00403149 . |51 push ecx
0040314A . |52 push edx
0040314B . |FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMod>] ; MSVBVM60.__vbaVarMod
00403151 . |8BD0 mov edx,eax
00403153 . |8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
00403159 . |FFD6 call esi
0040315B . |8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204] ; EAX=1,8,4,10,0,8
00403161 . |8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84] ; ECX=1,4,9,2,A,4
00403167 . |50 push eax
00403168 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270] ; EDX=1,4,9,2,A,4
0040316E . |51 push ecx
0040316F . |52 push edx
00403170 . |FFD7 call edi
00403172 . |8BD0 mov edx,eax ; EAX=2,0C,0D,12,A,c
00403174 . |8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4]
0040317A . |FFD6 call esi
0040317C . |8D85 6CFEFFFF lea eax,dword ptr ss:[ebp-194]
00403182 . |8D8D 6CFEFFFF lea ecx,dword ptr ss:[ebp-194]
00403188 . |50 push eax
00403189 . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
0040318F . |51 push ecx
00403190 . |52 push edx
00403191 . |FFD7 call edi
00403193 . |8BD0 mov edx,eax
00403195 . |8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4]
0040319B . |FFD6 call esi
0040319D . |8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-A4]
004031A3 . |8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-C4]
004031A9 . |50 push eax
004031AA . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
004031B0 . |51 push ecx
004031B1 . |52 push edx
004031B2 . |FFD7 call edi
004031B4 . |8BD0 mov edx,eax ; EAX=4,10,13,1A,14,18
004031B6 . |8D8D 1CFFFFFF lea ecx,dword ptr ss:[ebp-E4]
004031BC . |FFD6 call esi
004031BE . |8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-E4]
004031C4 . |8D8D C0FBFFFF lea ecx,dword ptr ss:[ebp-440]
004031CA . |50 push eax
004031CB . |C785 C8FBFFFF 01>mov dword ptr ss:[ebp-438],1
004031D5 . |899D C0FBFFFF mov dword ptr ss:[ebp-440],ebx
004031DB . |51 push ecx
004031DC . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
004031E2 . |52 push edx
004031E3 . |FFD7 call edi
004031E5 . |8BD0 mov edx,eax ; EAX=5,11,14,1B,15,19
004031E7 . |8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
004031ED . |FFD6 call esi
004031EF . |8D85 9CFEFFFF lea eax,dword ptr ss:[ebp-164]
004031F5 . |8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
004031FB . |50 push eax
004031FC . |8D95 90FDFFFF lea edx,dword ptr ss:[ebp-270]
00403202 . |51 push ecx
00403203 . |52 push edx
00403204 . |FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; MSVBVM60.__vbaVarSub
0040320A . |8BD0 mov edx,eax ; EAX=1(31),5(35),9(39),7(37),5(35),3(33)
0040320C . |8D8D DCFEFFFF lea ecx,dword ptr ss:[ebp-124]
00403212 . |FFD6 call esi
00403214 . |8D85 DCFEFFFF lea eax,dword ptr ss:[ebp-124]
0040321A . |50 push eax
0040321B . |FF15 B0104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00403221 . |8D8D 90FDFFFF lea ecx,dword ptr ss:[ebp-270]
00403227 . |50 push eax
00403228 . |51 push ecx
00403229 . |FF15 7C104000 call dword ptr ds:[<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi
0040322F . |8D95 CCFEFFFF lea edx,dword ptr ss:[ebp-134]
00403235 . |8D85 90FDFFFF lea eax,dword ptr ss:[ebp-270]
0040323B . |52 push edx
0040323C . |8D8D 80FDFFFF lea ecx,dword ptr ss:[ebp-280]
00403242 . |50 push eax
00403243 . |51 push ecx
00403244 . |FF15 88104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0040324A . |8BD0 mov edx,eax ; concatenate the strings
0040324C . |8D8D CCFEFFFF lea ecx,dword ptr ss:[ebp-134]
00403252 . |FFD6 call esi
00403254 . |8D8D 90FDFFFF lea ecx,dword ptr ss:[ebp-270]
0040325A . |FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00403260 . |8D95 50FBFFFF lea edx,dword ptr ss:[ebp-4B0]
00403266 . |8D85 60FBFFFF lea eax,dword ptr ss:[ebp-4A0]
0040326C . |52 push edx
0040326D . |8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403270 . |50 push eax
00403271 . |51 push ecx
00403272 . |FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>>; MSVBVM60.__vbaVarForNext
00403278 .^|E9 D2FCFFFF jmp CrackMe_.00402F4F
0040327D > \8D95 C0FBFFFF lea edx,dword ptr ss:[ebp-440]
After the loop finishes we obtain the registration code "159753"
Summary: when the program verifies the registration code it simply exits if the code is wrong, which makes cracking a little harder. But clicking the "About" button pops up a dialog
with some text prompts. We can start from there: after locating the string, walking upward leads to the handler address of the corresponding button event.
By chance I noticed that the event handler of the "Register" button is right nearby, which made the breakpoint easy to find.
With patient analysis of the code, it does not take long to find the patch point:
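To check the annotated register values against a clean model, here is an added Python re-implementation of the loop at 00402F51..00403278 (it is not code from the original post). It assumes the operand order the trace implies: the VARIANT pushed first is the left operand of __vbaVarPow / __vbaVarMod / __vbaVarSub, so the two MOD results are i^3 mod (i+0x14) and i^2 mod (i+0x0A); the dictionary returned per step carries the same intermediate values the comments in the listing record.

```python
# Added example (not from the original post): models one iteration of the
# For loop traced above so the annotated EAX values can be reproduced.
# Assumption from the trace: the VARIANT pushed first is the left operand.

SEED = "6FMRJL"  # the UNICODE "54","70","77","82","74","76" pieces joined


def trace_step(i: int, ch: str) -> dict:
    """One iteration for counter i (1..6) and character ch = Mid(SEED, i, 1)."""
    asc = ord(ch)                     # rtcAnsiValueBstr(Mid(SEED, i, 1)) -> [ebp-164]
    mod1 = (i ** 3) % (i + 0x14)      # __vbaVarPow(3, i) then __vbaVarMod -> [ebp-204]
    mod2 = (i ** 2) % (i + 0x0A)      # __vbaVarPow(2, i) then __vbaVarMod -> [ebp-84]
    total = mod1 + mod2               # __vbaVarAdd -> [ebp-A4]
    total += i + i                    # __vbaVarAdd of [ebp-194] with itself -> [ebp-E4]
    total += 1                        # __vbaVarAdd with the constant 1 -> [ebp-104]
    digit = chr(asc - total)          # __vbaVarSub, then rtcVarBstrFromAnsi
    return {"asc": asc, "mod1": mod1, "mod2": mod2, "sum": total, "digit": digit}


def derive_serial(seed: str = SEED) -> str:
    """__vbaVarCat of every step's digit: the string the loop builds."""
    return "".join(trace_step(i, ch)["digit"] for i, ch in enumerate(seed, start=1))


if __name__ == "__main__":
    for i, ch in enumerate(SEED, start=1):
        step = trace_step(i, ch)
        print(i, {k: (hex(v) if isinstance(v, int) else v) for k, v in step.items()})
    print(derive_serial())
```

Printing the steps in hex gives mod1 = 1,8,4,10,0,8 and mod2 = 1,4,9,2,A,4, matching the annotations at 004030CA and 00403161.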
004037BB > \8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
004037BE . 8D85 CCFEFFFF LEA EAX,DWORD PTR SS:[EBP-134]
004037C4 . 52 PUSH EDX
004037C5 . 50 PUSH EAX
004037C6 . FFD7 CALL EDI ; MSVBVM60.__vbaVarAdd
004037C8 . 66:85C0 TEST AX,AX
004037CB 0F84 91030000 JE CrackMe_.00403B62 ; NOP this out and it is done
The algorithm has basically been worked out. I just cannot figure out why the two MOD operations inside give the results they do.
The disassembly generated from VB code differs from that of C code. In VB, when registers such as EAX, EDX and ECX hold addresses, the data at those addresses is 12 bytes long (unlike the usual 8 bytes); only after finding these addresses and inspecting them with the D command in OD can the real data be seen.