-
-
crackme4-lx简单算法分析
-
发表于: 2006-5-13 02:00 5766
-
【破文标题】crackme4-lx简单算法分析
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】hrbx@163.com
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-05-13
【软件名称】crackme4-lx
【软件大小】104KB
【下载地址】http://bbs.pediy.com/showthread.php?s=&threadid=25412
【加壳方式】无
【软件简介】crackme4-lx
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描,显示为:Microsoft Visual Basic 5.0 / 6.0 [Overlay],无壳。
2.试运行CrackMe。输入注册信息后点击"确定"按钮,无任何提示。
3.追出注册码。OD载入,命令栏下断点:bp __vbaLenBstr,回车,F9运行,输入注册信息后点击"确定"按钮,立即中断:
660E5F5F M> 8B4424 04 mov eax,dword ptr ss:[esp+4] ; 断在这里
660E5F63 85C0 test eax,eax
660E5F65 74 05 je short MSVBVM60.660E5F6C
660E5F67 8B40 FC mov eax,dword ptr ds:[eax-4]
660E5F6A D1E8 shr eax,1
660E5F6C C2 0400 retn 4
堆栈友好提示:
0012F748 0040F4BA 返回到 crackme4.0040F4BA 来自 MSVBVM60.__vbaLenBstr
0012F74C 0016835C UNICODE "hrbx"
命令栏输入:bc __vbaLenBstr,回车,消除断点。ALT+F9返回,来到:
0040F4B4 . FF15 18104>call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>]
0040F4BA . 8B95 94FEF>mov edx,dword ptr ss:[ebp-16C] ; ALT+F9返回,来到这里
0040F4C0 . 33DB xor ebx,ebx
向上查找,来到0040F260处F2下断,Ctrl+F2重新载入程序,输入注册信息:
================================
机器码:58964765534353
用户名: hrbx
E-mail: HRBX@163.com
注册码:9876543210
================================
点击"确定"按钮,立即中断:
0040F260 > \55 push ebp ; 在此F2下断, 中断后F8往下走
0040F261 . 8BEC mov ebp,esp
0040F263 . 83EC 0C sub esp,0C
0040F266 . 68 36144000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE 句柄安装
.......................................................
省略部分代码
.......................................................
0040F3D1 . C785 F8FDFFFF B4>mov dword ptr ss:[ebp-208],crackme4.0040C2B4 ; 固定字符串"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",记为str1
0040F3DB . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8
0040F3E5 . FFD3 call ebx
0040F3E7 . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040F3ED . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040F3F3 . C785 F8FDFFFF 24>mov dword ptr ss:[ebp-208],crackme4.0040C324 ; 固定字符串"www.mybetwin.com(welcometoyou!)www.mybetwin.com langxang",记为st2
0040F3FD . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8
0040F407 . FFD3 call ebx
0040F409 . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040F40F . 8D8D 14FFFFFF lea ecx,dword ptr ss:[ebp-EC]
0040F415 . C785 F8FDFFFF A0>mov dword ptr ss:[ebp-208],crackme4.0040C3A0
0040F41F . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8
0040F429 . FFD3 call ebx
0040F42B . 8B16 mov edx,dword ptr ds:[esi]
0040F42D . 56 push esi
0040F42E . FF92 0C030000 call dword ptr ds:[edx+30C]
0040F434 . 50 push eax
0040F435 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
0040F43B . 50 push eax
0040F43C . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F442 . 8BD8 mov ebx,eax
0040F444 . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
0040F44A . 52 push edx
0040F44B . 53 push ebx
0040F44C . 8B0B mov ecx,dword ptr ds:[ebx]
0040F44E . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040F454 . 3BC7 cmp eax,edi
0040F456 . DBE2 fclex
0040F458 . 7D 12 jge short crackme4.0040F46C
0040F45A . 68 A0000000 push 0A0
0040F45F . 68 B4C34000 push crackme4.0040C3B4
0040F464 . 53 push ebx
0040F465 . 50 push eax
0040F466 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F46C > 8B06 mov eax,dword ptr ds:[esi]
0040F46E . 56 push esi
0040F46F . FF90 0C030000 call dword ptr ds:[eax+30C]
0040F475 . 8D8D 80FEFFFF lea ecx,dword ptr ss:[ebp-180]
0040F47B . 50 push eax
0040F47C . 51 push ecx
0040F47D . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F483 . 8BD8 mov ebx,eax
0040F485 . 8D85 90FEFFFF lea eax,dword ptr ss:[ebp-170]
0040F48B . 50 push eax
0040F48C . 53 push ebx
0040F48D . 8B13 mov edx,dword ptr ds:[ebx]
0040F48F . FF92 A0000000 call dword ptr ds:[edx+A0]
0040F495 . 3BC7 cmp eax,edi
0040F497 . DBE2 fclex
0040F499 . 7D 12 jge short crackme4.0040F4AD
0040F49B . 68 A0000000 push 0A0
0040F4A0 . 68 B4C34000 push crackme4.0040C3B4
0040F4A5 . 53 push ebx
0040F4A6 . 50 push eax
0040F4A7 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F4AD > 8B8D 90FEFFFF mov ecx,dword ptr ss:[ebp-170] ; 用户名"hrbx"
0040F4B3 . 51 push ecx
0040F4B4 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
0040F4BA . 8B95 94FEFFFF mov edx,dword ptr ss:[ebp-16C]
0040F4C0 . 33DB xor ebx,ebx
0040F4C2 . 83F8 09 cmp eax,9 ; 用户名长度与9比较
0040F4C5 . 52 push edx ; 用户名"hrbx"
0040F4C6 . 0F9FC3 setg bl
0040F4C9 . F7DB neg ebx
0040F4CB . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
0040F4D1 . 33C9 xor ecx,ecx
0040F4D3 . 83F8 04 cmp eax,4 ; 用户名长度与4比较
0040F4D6 . 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-170]
0040F4DC . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
0040F4E2 . 0F9CC1 setl cl
0040F4E5 . 52 push edx
0040F4E6 . 50 push eax
0040F4E7 . F7D9 neg ecx
0040F4E9 . 6A 02 push 2
0040F4EB . 0BD9 or ebx,ecx
0040F4ED . FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
0040F4F3 . 8D8D 80FEFFFF lea ecx,dword ptr ss:[ebp-180]
0040F4F9 . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
0040F4FF . 51 push ecx
0040F500 . 52 push edx
0040F501 . 6A 02 push 2
0040F503 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
0040F509 . 83C4 18 add esp,18
0040F50C . 66:3BDF cmp bx,di
0040F50F . 0F84 B9000000 je crackme4.0040F5CE ; 用户名长度必须为4-9,暴破点1,改为jmp
0040F515 . 8B35 A4114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
0040F51B . B9 04000280 mov ecx,80020004
0040F520 . 898D 48FEFFFF mov dword ptr ss:[ebp-1B8],ecx
0040F526 . B8 0A000000 mov eax,0A
0040F52B . 898D 58FEFFFF mov dword ptr ss:[ebp-1A8],ecx
0040F531 . BB 08000000 mov ebx,8
0040F536 . 8D95 E0FDFFFF lea edx,dword ptr ss:[ebp-220]
0040F53C . 8D8D 60FEFFFF lea ecx,dword ptr ss:[ebp-1A0]
0040F542 . 8985 40FEFFFF mov dword ptr ss:[ebp-1C0],eax
0040F548 . 8985 50FEFFFF mov dword ptr ss:[ebp-1B0],eax
0040F54E . C785 E8FDFFFF E0>mov dword ptr ss:[ebp-218],crackme4.0040C3E0
0040F558 . 899D E0FDFFFF mov dword ptr ss:[ebp-220],ebx
0040F55E . FFD6 call esi
0040F560 . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040F566 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040F56C . C785 F8FDFFFF C8>mov dword ptr ss:[ebp-208],crackme4.0040C3C8
0040F576 . 899D F0FDFFFF mov dword ptr ss:[ebp-210],ebx
0040F57C . FFD6 call esi
0040F57E . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
0040F584 . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
0040F58A . 50 push eax
0040F58B . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
0040F591 . 51 push ecx
0040F592 . 52 push edx
0040F593 . 6A 30 push 30
0040F595 > 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-190]
0040F59B . 50 push eax
0040F59C . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040F5A2 . 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-1C0]
0040F5A8 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
0040F5AE . 51 push ecx
0040F5AF . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
0040F5B5 . 52 push edx
0040F5B6 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040F5BC . 50 push eax
0040F5BD . 51 push ecx
0040F5BE . 6A 04 push 4
0040F5C0 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0040F5C6 . 83C4 14 add esp,14
0040F5C9 . E9 46100000 jmp crackme4.00410614
0040F5CE > 8B16 mov edx,dword ptr ds:[esi]
0040F5D0 . 56 push esi
0040F5D1 . FF92 08030000 call dword ptr ds:[edx+308]
0040F5D7 . 50 push eax
0040F5D8 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
0040F5DE . 50 push eax
0040F5DF . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F5E5 . 8BD8 mov ebx,eax
0040F5E7 . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
0040F5ED . 52 push edx
0040F5EE . 53 push ebx
0040F5EF . 8B0B mov ecx,dword ptr ds:[ebx]
0040F5F1 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040F5F7 . 3BC7 cmp eax,edi
0040F5F9 . DBE2 fclex
0040F5FB . 7D 12 jge short crackme4.0040F60F
0040F5FD . 68 A0000000 push 0A0
0040F602 . 68 B4C34000 push crackme4.0040C3B4
0040F607 . 53 push ebx
0040F608 . 50 push eax
0040F609 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F60F > 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-16C] ; 邮箱"HRBX@163.com"
0040F615 . 50 push eax
0040F616 . 68 F0C34000 push crackme4.0040C3F0
0040F61B . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; 检查邮箱格式是否正确
0040F621 . 8BD8 mov ebx,eax
0040F623 . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
0040F629 . F7DB neg ebx
0040F62B . 1BDB sbb ebx,ebx
0040F62D . 43 inc ebx
0040F62E . F7DB neg ebx
0040F630 . FF15 F0114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
0040F636 . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
0040F63C . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040F642 . 66:3BDF cmp bx,di
0040F645 . 0F84 B9000000 je crackme4.0040F704 ; 邮箱格式正确则跳,暴破点2,改为jmp
0040F64B . 8B35 A4114000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
0040F651 . B9 04000280 mov ecx,80020004
0040F656 . 898D 48FEFFFF mov dword ptr ss:[ebp-1B8],ecx
0040F65C . B8 0A000000 mov eax,0A
0040F661 . 898D 58FEFFFF mov dword ptr ss:[ebp-1A8],ecx
0040F667 . BB 08000000 mov ebx,8
0040F66C . 8D95 E0FDFFFF lea edx,dword ptr ss:[ebp-220]
0040F672 . 8D8D 60FEFFFF lea ecx,dword ptr ss:[ebp-1A0]
0040F678 . 8985 40FEFFFF mov dword ptr ss:[ebp-1C0],eax
0040F67E . 8985 50FEFFFF mov dword ptr ss:[ebp-1B0],eax
0040F684 . C785 E8FDFFFF 10>mov dword ptr ss:[ebp-218],crackme4.0040C410
0040F68E . 899D E0FDFFFF mov dword ptr ss:[ebp-220],ebx
0040F694 . FFD6 call esi
0040F696 . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040F69C . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040F6A2 . C785 F8FDFFFF F8>mov dword ptr ss:[ebp-208],crackme4.0040C3F8
0040F6AC . 899D F0FDFFFF mov dword ptr ss:[ebp-210],ebx
0040F6B2 . FFD6 call esi
0040F6B4 . 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-1C0]
0040F6BA . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
0040F6C0 . 51 push ecx
0040F6C1 . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
0040F6C7 . 52 push edx
0040F6C8 . 50 push eax
0040F6C9 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040F6CF . 6A 40 push 40
0040F6D1 . 51 push ecx
0040F6D2 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040F6D8 . 8D95 40FEFFFF lea edx,dword ptr ss:[ebp-1C0]
0040F6DE . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-1B0]
0040F6E4 . 52 push edx
0040F6E5 . 8D8D 60FEFFFF lea ecx,dword ptr ss:[ebp-1A0]
0040F6EB . 50 push eax
0040F6EC . 8D95 70FEFFFF lea edx,dword ptr ss:[ebp-190]
0040F6F2 . 51 push ecx
0040F6F3 . 52 push edx
0040F6F4 . 6A 04 push 4
0040F6F6 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0040F6FC . 83C4 14 add esp,14
0040F6FF . E9 100F0000 jmp crackme4.00410614
0040F704 > 8B06 mov eax,dword ptr ds:[esi]
0040F706 . 56 push esi
0040F707 . FF90 08030000 call dword ptr ds:[eax+308]
0040F70D . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
0040F713 . 50 push eax
0040F714 . 51 push ecx
0040F715 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F71B . 8BD8 mov ebx,eax
0040F71D . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
0040F723 . 50 push eax
0040F724 . 53 push ebx
0040F725 . 8B13 mov edx,dword ptr ds:[ebx]
0040F727 . FF92 A0000000 call dword ptr ds:[edx+A0]
0040F72D . 3BC7 cmp eax,edi
0040F72F . DBE2 fclex
0040F731 . 7D 12 jge short crackme4.0040F745
0040F733 . 68 A0000000 push 0A0
0040F738 . 68 B4C34000 push crackme4.0040C3B4
0040F73D . 53 push ebx
0040F73E . 50 push eax
0040F73F . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F745 > 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-16C]
0040F74B . 8B0E mov ecx,dword ptr ds:[esi]
0040F74D . 8D95 BCFDFFFF lea edx,dword ptr ss:[ebp-244]
0040F753 . 52 push edx
0040F754 . 50 push eax
0040F755 . 56 push esi
0040F756 . FF91 FC060000 call dword ptr ds:[ecx+6FC]
0040F75C . 3BC7 cmp eax,edi
0040F75E . 7D 12 jge short crackme4.0040F772
0040F760 . 68 FC060000 push 6FC
0040F765 . 68 98BD4000 push crackme4.0040BD98
0040F76A . 56 push esi
0040F76B . 50 push eax
0040F76C . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F772 > 8B0E mov ecx,dword ptr ds:[esi]
0040F774 . 56 push esi
0040F775 . FF91 08030000 call dword ptr ds:[ecx+308]
0040F77B . 8D95 80FEFFFF lea edx,dword ptr ss:[ebp-180]
0040F781 . 50 push eax
0040F782 . 52 push edx
0040F783 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F789 . 8BD8 mov ebx,eax
0040F78B . 8D8D 90FEFFFF lea ecx,dword ptr ss:[ebp-170]
0040F791 . 51 push ecx
0040F792 . 53 push ebx
0040F793 . 8B03 mov eax,dword ptr ds:[ebx]
0040F795 . FF90 A0000000 call dword ptr ds:[eax+A0]
0040F79B . 3BC7 cmp eax,edi
0040F79D . DBE2 fclex
0040F79F . 7D 12 jge short crackme4.0040F7B3
0040F7A1 . 68 A0000000 push 0A0
0040F7A6 . 68 B4C34000 push crackme4.0040C3B4
0040F7AB . 53 push ebx
0040F7AC . 50 push eax
0040F7AD . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F7B3 > 8B95 90FEFFFF mov edx,dword ptr ss:[ebp-170] ; 邮箱"HRBX@163.com"
0040F7B9 . 52 push edx
0040F7BA . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取邮箱长度,EAX=0xC
0040F7C0 . 33DB xor ebx,ebx
0040F7C2 . 83F8 0E cmp eax,0E ; 邮箱长度与0xE比较
0040F7C5 . 0F9FC3 setg bl
0040F7C8 . F7DB neg ebx
0040F7CA . 33C0 xor eax,eax
0040F7CC . 66:39BD BCFDFFFF cmp word ptr ss:[ebp-244],di
0040F7D3 . 8D8D 90FEFFFF lea ecx,dword ptr ss:[ebp-170]
0040F7D9 . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
0040F7DF . 0F94C0 sete al
0040F7E2 . 51 push ecx
0040F7E3 . 52 push edx
0040F7E4 . F7D8 neg eax
0040F7E6 . 6A 02 push 2
0040F7E8 . 0BD8 or ebx,eax
0040F7EA . FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
0040F7F0 . 8D85 80FEFFFF lea eax,dword ptr ss:[ebp-180]
0040F7F6 . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
0040F7FC . 50 push eax
0040F7FD . 51 push ecx
0040F7FE . 6A 02 push 2
0040F800 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>
0040F806 . 83C4 18 add esp,18
0040F809 . 66:3BDF cmp bx,di
0040F80C . 0F84 A3000000 je crackme4.0040F8B5 ; 邮箱长度符合要求则跳,暴破点3,改为jmp
0040F812 . B9 04000280 mov ecx,80020004
0040F817 . B8 0A000000 mov eax,0A
0040F81C . 898D 48FEFFFF mov dword ptr ss:[ebp-1B8],ecx
0040F822 . 898D 58FEFFFF mov dword ptr ss:[ebp-1A8],ecx
0040F828 . 898D 68FEFFFF mov dword ptr ss:[ebp-198],ecx
0040F82E . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040F834 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040F83A . 8985 40FEFFFF mov dword ptr ss:[ebp-1C0],eax
0040F840 . 8985 50FEFFFF mov dword ptr ss:[ebp-1B0],eax
0040F846 . 8985 60FEFFFF mov dword ptr ss:[ebp-1A0],eax
0040F84C . C785 F8FDFFFF 1C>mov dword ptr ss:[ebp-208],crackme4.0040C41C
0040F856 . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8
0040F860 . FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
0040F866 . 8D95 40FEFFFF lea edx,dword ptr ss:[ebp-1C0]
0040F86C . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-1B0]
0040F872 . 52 push edx
0040F873 . 8D8D 60FEFFFF lea ecx,dword ptr ss:[ebp-1A0]
0040F879 . 50 push eax
0040F87A . 51 push ecx
0040F87B . 8D95 70FEFFFF lea edx,dword ptr ss:[ebp-190]
0040F881 . 57 push edi
0040F882 . 52 push edx
0040F883 . FF15 74104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040F889 . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
0040F88F . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
0040F895 . 50 push eax
0040F896 . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
0040F89C . 51 push ecx
0040F89D . 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-190]
0040F8A3 . 52 push edx
0040F8A4 . 50 push eax
0040F8A5 . 6A 04 push 4
0040F8A7 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0040F8AD . 83C4 14 add esp,14
0040F8B0 . E9 5F0D0000 jmp crackme4.00410614
0040F8B5 > 8B0E mov ecx,dword ptr ds:[esi]
0040F8B7 . 56 push esi
0040F8B8 . FF91 FC020000 call dword ptr ds:[ecx+2FC]
0040F8BE . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
0040F8C4 . 50 push eax
0040F8C5 . 52 push edx
0040F8C6 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F8CC . 8BD8 mov ebx,eax
0040F8CE . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
0040F8D4 . 51 push ecx
0040F8D5 . 53 push ebx
0040F8D6 . 8B03 mov eax,dword ptr ds:[ebx]
0040F8D8 . FF90 A0000000 call dword ptr ds:[eax+A0]
0040F8DE . 3BC7 cmp eax,edi
0040F8E0 . DBE2 fclex
0040F8E2 . 7D 12 jge short crackme4.0040F8F6
0040F8E4 . 68 A0000000 push 0A0
0040F8E9 . 68 B4C34000 push crackme4.0040C3B4
0040F8EE . 53 push ebx
0040F8EF . 50 push eax
0040F8F0 . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F8F6 > 8B95 94FEFFFF mov edx,dword ptr ss:[ebp-16C] ; 假码"9876543210"
0040F8FC . 52 push edx
0040F8FD . 68 F0C34000 push crackme4.0040C3F0
0040F902 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; 检查注册码是否为空
0040F908 . 8BD8 mov ebx,eax
0040F90A . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
0040F910 . F7DB neg ebx
0040F912 . 1BDB sbb ebx,ebx
0040F914 . 43 inc ebx
0040F915 . F7DB neg ebx
0040F917 . FF15 F0114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
0040F91D . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
0040F923 . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0040F929 . 66:3BDF cmp bx,di
0040F92C . 74 6F je short crackme4.0040F99D ; 注册码不为空则继续,暴破点4,改为jmp
0040F92E . B9 04000280 mov ecx,80020004
0040F933 . B8 0A000000 mov eax,0A
0040F938 . 898D 48FEFFFF mov dword ptr ss:[ebp-1B8],ecx
0040F93E . 898D 58FEFFFF mov dword ptr ss:[ebp-1A8],ecx
0040F944 . 898D 68FEFFFF mov dword ptr ss:[ebp-198],ecx
0040F94A . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040F950 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040F956 . 8985 40FEFFFF mov dword ptr ss:[ebp-1C0],eax
0040F95C . 8985 50FEFFFF mov dword ptr ss:[ebp-1B0],eax
0040F962 . 8985 60FEFFFF mov dword ptr ss:[ebp-1A0],eax
0040F968 . C785 F8FDFFFF 38>mov dword ptr ss:[ebp-208],crackme4.0040C438
0040F972 . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8
0040F97C . FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDup>]
0040F982 . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
0040F988 . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
0040F98E . 50 push eax
0040F98F . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
0040F995 . 51 push ecx
0040F996 . 52 push edx
0040F997 . 57 push edi
0040F998 .^ E9 F8FBFFFF jmp crackme4.0040F595
0040F99D > 8B16 mov edx,dword ptr ds:[esi]
0040F99F . BB 02000000 mov ebx,2
0040F9A4 . 56 push esi
0040F9A5 . C785 F8FDFFFF 01>mov dword ptr ss:[ebp-208],1
0040F9AF . 899D F0FDFFFF mov dword ptr ss:[ebp-210],ebx
0040F9B5 . FF92 0C030000 call dword ptr ds:[edx+30C]
0040F9BB . 50 push eax
0040F9BC . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
0040F9C2 . 50 push eax
0040F9C3 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0040F9C9 . 8BF0 mov esi,eax
0040F9CB . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
0040F9D1 . 52 push edx
0040F9D2 . 56 push esi
0040F9D3 . 8B0E mov ecx,dword ptr ds:[esi]
0040F9D5 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040F9DB . 3BC7 cmp eax,edi
0040F9DD . DBE2 fclex
0040F9DF . 7D 12 jge short crackme4.0040F9F3
0040F9E1 . 68 A0000000 push 0A0
0040F9E6 . 68 B4C34000 push crackme4.0040C3B4
0040F9EB . 56 push esi
0040F9EC . 50 push eax
0040F9ED . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040F9F3 > 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-16C] ; 用户名"hrbx"
0040F9F9 . 50 push eax
0040F9FA . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取用户名长度,EAX=4
0040FA00 . 8D8D F0FDFFFF lea ecx,dword ptr ss:[ebp-210]
0040FA06 . 8985 E8FDFFFF mov dword ptr ss:[ebp-218],eax ; 用户名长度保存
0040FA0C . 8D95 E0FDFFFF lea edx,dword ptr ss:[ebp-220]
.......................................................
省略部分代码
.......................................................
0040FB02 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040FB08 . 50 push eax
0040FB09 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0] ; 用户名"hrbx"
0040FB0F . 51 push ecx
0040FB10 . 52 push edx
0040FB11 . FFD6 call esi ; rtcMidCharVar,循环取用户名每一位字符
0040FB13 . 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
0040FB19 . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-98]
0040FB1F . 50 push eax
0040FB20 . 6A 01 push 1
0040FB22 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
0040FB28 . 51 push ecx
0040FB29 . 52 push edx
0040FB2A . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
0040FB30 . 57 push edi
0040FB31 . 50 push eax
0040FB32 . C785 38FEFFFF 01>mov dword ptr ss:[ebp-1C8],1
0040FB3C . C785 30FEFFFF 02>mov dword ptr ss:[ebp-1D0],2
0040FB46 . FF15 30114000 call dword ptr ds:[<&MSVBVM60.__vbaInStrVar>]
0040FB4C . 50 push eax
0040FB4D . FFD3 call ebx
0040FB4F . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040FB55 . 50 push eax
0040FB56 . 8D95 20FEFFFF lea edx,dword ptr ss:[ebp-1E0]
0040FB5C . 51 push ecx
0040FB5D . 52 push edx
0040FB5E . FFD6 call esi ; rtcMidCharVar,根据用户名在字符串str1中的位置取str2相应位置的字符
0040FB60 . 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-15C]
0040FB66 . 8D8D 20FEFFFF lea ecx,dword ptr ss:[ebp-1E0]
0040FB6C . 50 push eax
0040FB6D . 8D95 10FEFFFF lea edx,dword ptr ss:[ebp-1F0]
0040FB73 . 51 push ecx
0040FB74 . 52 push edx
0040FB75 . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 连接取出的字符,得到字符串"ewwe",记为str3
0040FB7B . 8BD0 mov edx,eax
0040FB7D . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-15C]
.......................................................
省略部分代码
.......................................................
0040FD6A . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
0040FD70 > 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-16C] ; 邮箱"HRBX@163.com"
0040FD76 . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
0040FD7C . 8985 78FEFFFF mov dword ptr ss:[ebp-188],eax
0040FD82 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
0040FD85 . 52 push edx
0040FD86 . 50 push eax
0040FD87 . C785 68FEFFFF 01>mov dword ptr ss:[ebp-198],1
0040FD91 . C785 60FEFFFF 02>mov dword ptr ss:[ebp-1A0],2
0040FD9B . 89BD 94FEFFFF mov dword ptr ss:[ebp-16C],edi
0040FDA1 . C785 70FEFFFF 08>mov dword ptr ss:[ebp-190],8
0040FDAB . FF15 98114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
0040FDB1 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
0040FDB7 . 50 push eax
0040FDB8 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
0040FDBE . 51 push ecx
0040FDBF . 52 push edx
0040FDC0 . FFD6 call esi ; rtcMidCharVar,依次取邮箱每一个字符
0040FDC2 . 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-174] ; 机器码"5896349264250"
0040FDC8 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0040FDCB . 8985 48FEFFFF mov dword ptr ss:[ebp-1B8],eax
0040FDD1 . 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
0040FDD7 . 50 push eax
0040FDD8 . 51 push ecx
0040FDD9 . C785 38FEFFFF 01>mov dword ptr ss:[ebp-1C8],1
0040FDE3 . C785 30FEFFFF 02>mov dword ptr ss:[ebp-1D0],2
0040FDED . 89BD 8CFEFFFF mov dword ptr ss:[ebp-174],edi
0040FDF3 . C785 40FEFFFF 08>mov dword ptr ss:[ebp-1C0],8
0040FDFD . FF15 98114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
0040FE03 . 50 push eax
0040FE04 . 8D95 40FEFFFF lea edx,dword ptr ss:[ebp-1C0]
0040FE0A . 8D85 20FEFFFF lea eax,dword ptr ss:[ebp-1E0]
0040FE10 . 52 push edx
0040FE11 . 50 push eax
0040FE12 . FFD6 call esi ; rtcMidCharVar,依次取机器码每一个字符
0040FE14 . 8D8D 20FEFFFF lea ecx,dword ptr ss:[ebp-1E0]
0040FE1A . 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178]
0040FE20 . 51 push ecx
0040FE21 . 52 push edx
0040FE22 . FFD3 call ebx
0040FE24 . 50 push eax
0040FE25 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,取机器码字符的ASCII值
0040FE2B . 66:8BD0 mov dx,ax ; DX=AX=0x35('5')
0040FE2E . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-1B0]
0040FE34 . 8D8D 90FEFFFF lea ecx,dword ptr ss:[ebp-170]
0040FE3A . 50 push eax
0040FE3B . 51 push ecx
0040FE3C . 66:8995 F6FCFFFF mov word ptr ss:[ebp-30A],dx
0040FE43 . FFD3 call ebx
0040FE45 . 50 push eax
0040FE46 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,取邮箱字符的ASCII值
0040FE4C . 66:8B95 F6FCFFFF mov dx,word ptr ss:[ebp-30A] ; AX=0x48('H')
0040FE53 . 8D8D 10FEFFFF lea ecx,dword ptr ss:[ebp-1F0]
0040FE59 . 66:03D0 add dx,ax ; DX=DX+AX,机器码字符与邮箱字符的ASCII值相加
0040FE5C . 0F80 57090000 jo crackme4.004107B9
0040FE62 . 66:83EA 5A sub dx,5A ; DX=DX-0x5A
0040FE66 . 0F80 4D090000 jo crackme4.004107B9
0040FE6C . 0FBFC2 movsx eax,dx ; EAX=DX
0040FE6F . 50 push eax
0040FE70 . 51 push ecx
0040FE71 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ; rtcVarBstrFromAnsi,结果转为字符串
0040FE77 . 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-12C]
0040FE7D . 8D85 10FEFFFF lea eax,dword ptr ss:[ebp-1F0]
0040FE83 . 52 push edx
0040FE84 . 8D8D 00FEFFFF lea ecx,dword ptr ss:[ebp-200]
0040FE8A . 50 push eax
0040FE8B . 51 push ecx
0040FE8C . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 字符串连接,记为字符串str4
0040FE92 . 8BD0 mov edx,eax
//字符串str4如下:
==========================================================================
0016C354 23 00 30 00 21 00 34 00 1A 00 0E 00 12 00 0E 00 #.0.!.4.....
0016C364 09 00 3C 00 49 00 46 00 ..<.I.F.
==========================================================================
0040FF20 . 8985 10FDFFFF mov dword ptr ss:[ebp-2F0],eax
0040FF26 .^ E9 95FDFFFF jmp crackme4.0040FCC0
0040FF2B > 8D8D D4FEFFFF lea ecx,dword ptr ss:[ebp-12C]
0040FF31 . 6A 03 push 3 ; 常数,3
0040FF33 . 8D95 70FEFFFF lea edx,dword ptr ss:[ebp-190]
0040FF39 . 51 push ecx
0040FF3A . 52 push edx
0040FF3B . FF15 C0114000 call dword ptr ds:[<&MSVBVM60.#617>] ; rtcLeftCharVar,取字符串str4左边3个字符
0040FF41 . 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; 得到字符串"#0!"
0040FF47 . 6A 03 push 3 ; 常数,3
0040FF49 . 8D8D 60FEFFFF lea ecx,dword ptr ss:[ebp-1A0]
0040FF4F . 50 push eax
0040FF50 . 51 push ecx
0040FF51 . FF15 D0114000 call dword ptr ds:[<&MSVBVM60.#619>] ; rtcRightCharVar,,取字符串右边3个字符
0040FF57 . 8D95 70FEFFFF lea edx,dword ptr ss:[ebp-190] ; 得到字符串"<IF"
0040FF5D . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
0040FF63 . 52 push edx
0040FF64 . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
0040FF6A . 50 push eax
0040FF6B . 51 push ecx
0040FF6C . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 连接左右两边取得的字符串
0040FF72 . 8BD0 mov edx,eax ; 得到"#0!<IF",记为str5
0040FF74 . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C]
0040FF7A . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
0040FF80 . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
0040FF86 . 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-190]
0040FF8C . 52 push edx
0040FF8D . 50 push eax
0040FF8E . 6A 02 push 2
0040FF90 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0040FF96 . 83C4 0C add esp,0C
0040FF99 . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-15C]
0040FF9F . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0040FFA5 . 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-190]
0040FFAB . 51 push ecx
0040FFAC . 52 push edx
0040FFAD . 50 push eax
0040FFAE . C785 F8FDFFFF 4C>mov dword ptr ss:[ebp-208],crackme4.0040C44C
0040FFB8 . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8
0040FFC2 . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; "ewwe"与"-"连接,得到字符串"ewwe-"
0040FFC8 . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C]
0040FFCE . 50 push eax
0040FFCF . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
0040FFD5 . 51 push ecx
0040FFD6 . 52 push edx
0040FFD7 . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 字符串"ewwe-"与"#0!<IF"连接
0040FFDD . 50 push eax ; 得到"ewwe-#0!<IF"
0040FFDE . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-1B0]
0040FFE4 . 50 push eax
0040FFE5 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#520>] ; rtcTrimVar,去掉字符串左右空格
0040FFEB . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
0040FFF1 . 51 push ecx
0040FFF2 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
0040FFF8 . 8BD0 mov edx,eax ; 得到字符串"ewwe-#0!<IF",记为str6
0040FFFA . 8D8D A0FEFFFF lea ecx,dword ptr ss:[ebp-160]
00410000 . FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
00410006 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
0041000C . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
00410012 . 52 push edx
00410013 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
00410019 . 50 push eax
0041001A . 51 push ecx
0041001B . 6A 03 push 3
0041001D . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00410023 . 8B95 A0FEFFFF mov edx,dword ptr ss:[ebp-160]
00410029 . 83C4 10 add esp,10
0041002C . C785 F8FDFFFF 01>mov dword ptr ss:[ebp-208],1
00410036 . C785 F0FDFFFF 02>mov dword ptr ss:[ebp-210],2
00410040 . 52 push edx
00410041 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取字符串str6长度
00410047 . 8985 E8FDFFFF mov dword ptr ss:[ebp-218],eax
0041004D . 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210]
00410053 . 8D8D E0FDFFFF lea ecx,dword ptr ss:[ebp-220]
00410059 . 50 push eax
0041005A . 8D95 D0FDFFFF lea edx,dword ptr ss:[ebp-230]
00410060 . 51 push ecx
00410061 . 8D85 44FDFFFF lea eax,dword ptr ss:[ebp-2BC]
00410067 . 52 push edx
00410068 . C785 E0FDFFFF 03>mov dword ptr ss:[ebp-220],3
00410072 . C785 D8FDFFFF 01>mov dword ptr ss:[ebp-228],1
0041007C . C785 D0FDFFFF 02>mov dword ptr ss:[ebp-230],2
00410086 . 50 push eax
00410087 . 8D8D 54FDFFFF lea ecx,dword ptr ss:[ebp-2AC]
0041008D . 8D95 F4FEFFFF lea edx,dword ptr ss:[ebp-10C]
00410093 . 51 push ecx
00410094 . 52 push edx
00410095 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
0041009B > 3BC7 cmp eax,edi
0041009D . 0F84 DF010000 je crackme4.00410282
004100A3 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004100A6 . 50 push eax
004100A7 . 8B08 mov ecx,dword ptr ds:[eax]
004100A9 . FF91 08030000 call dword ptr ds:[ecx+308]
004100AF . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
004100B5 . 50 push eax
004100B6 . 52 push edx
004100B7 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
004100BD . 8B08 mov ecx,dword ptr ds:[eax]
004100BF . 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-170]
004100C5 . 52 push edx
004100C6 . 50 push eax
004100C7 . 8985 B8FDFFFF mov dword ptr ss:[ebp-248],eax
004100CD . FF91 A0000000 call dword ptr ds:[ecx+A0]
004100D3 . 3BC7 cmp eax,edi
004100D5 . DBE2 fclex
004100D7 . 7D 18 jge short crackme4.004100F1
004100D9 . 8B8D B8FDFFFF mov ecx,dword ptr ss:[ebp-248]
004100DF . 68 A0000000 push 0A0
004100E4 . 68 B4C34000 push crackme4.0040C3B4
004100E9 . 51 push ecx
004100EA . 50 push eax
004100EB . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
004100F1 > 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-190]
004100F7 . 8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-10C]
004100FD . 8D95 A0FEFFFF lea edx,dword ptr ss:[ebp-160]
00410103 . 50 push eax
00410104 . 51 push ecx
00410105 . C785 78FEFFFF 01>mov dword ptr ss:[ebp-188],1
0041010F . C785 70FEFFFF 02>mov dword ptr ss:[ebp-190],2
00410119 . 8995 F8FDFFFF mov dword ptr ss:[ebp-208],edx
0041011F . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],4008
00410129 . FF15 98114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
0041012F . 50 push eax
00410130 . 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
00410136 . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
0041013C . 52 push edx
0041013D . 50 push eax
0041013E . FFD6 call esi ; rtcMidCharVar,取字符串"ewwe-#0!<IF"字符
00410140 . 8B85 90FEFFFF mov eax,dword ptr ss:[ebp-170] ; 邮箱"hrbx@163.com"
00410146 . 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-1C0]
0041014C . 8985 58FEFFFF mov dword ptr ss:[ebp-1A8],eax
00410152 . 51 push ecx
00410153 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
00410159 . 6A 03 push 3
0041015B . 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
00410161 . 52 push edx
00410162 . 50 push eax
00410163 . C785 48FEFFFF 01>mov dword ptr ss:[ebp-1B8],1
0041016D . C785 40FEFFFF 02>mov dword ptr ss:[ebp-1C0],2 ; 常数,2
00410177 . 89BD 90FEFFFF mov dword ptr ss:[ebp-170],edi
0041017D . C785 50FEFFFF 08>mov dword ptr ss:[ebp-1B0],8
00410187 . FFD6 call esi ; rtcMidCharVar,固定取邮箱字符第2个字符
00410189 . 8D8D 30FEFFFF lea ecx,dword ptr ss:[ebp-1D0]
0041018F . 8D95 8CFEFFFF lea edx,dword ptr ss:[ebp-174]
00410195 . 51 push ecx
00410196 . 52 push edx
00410197 . FFD3 call ebx
00410199 . 50 push eax
0041019A . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; 取邮箱第2个字符的ASCII值
004101A0 . 0FBFD0 movsx edx,ax ; EDX=AX=0x62
004101A3 . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
004101A9 . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
004101AF . 50 push eax
004101B0 . 51 push ecx
004101B1 . 8995 F0FCFFFF mov dword ptr ss:[ebp-310],edx
004101B7 . FFD3 call ebx
004101B9 . 50 push eax
004101BA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; 位次取字符串str6字符的ASCII值
004101C0 . 0FBFD0 movsx edx,ax ; EDX=AX=0x65
004101C3 . 8B85 F0FCFFFF mov eax,dword ptr ss:[ebp-310]
004101C9 . 8D8D 20FEFFFF lea ecx,dword ptr ss:[ebp-1E0]
004101CF . 33C2 xor eax,edx ; EAX=EAX xor EDX
004101D1 . 50 push eax
004101D2 . 51 push ecx
004101D3 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ; rtcVarBstrFromAnsi,取xor结果的字符
004101D9 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004101DF . 8D85 20FEFFFF lea eax,dword ptr ss:[ebp-1E0]
004101E5 . 52 push edx
004101E6 . 8D8D 10FEFFFF lea ecx,dword ptr ss:[ebp-1F0]
004101EC . 50 push eax
004101ED . 51 push ecx
004101EE . FF15 A0114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; 连接每次取得的字符,记为字符串str7
004101F4 . 8BD0 mov edx,eax ; 得到字符串如下所示
//字符串str7如下:
==========================================================================
0016C28C 27 00 35 00 35 00 27 00 6F 00 61 00 72 00 63 00 '.5.5.'.o.a.r.c.
0016C29C 7E 00 0B 00 04 ~..
==========================================================================
004101F6 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
004101FC . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00410202 . 8D95 8CFEFFFF lea edx,dword ptr ss:[ebp-174]
00410208 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
0041020E . 52 push edx
0041020F . 50 push eax
00410210 . 6A 02 push 2
00410212 . FF15 7C114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>
00410218 . 83C4 0C add esp,0C
0041021B . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
00410221 . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
00410227 . 8D8D 20FEFFFF lea ecx,dword ptr ss:[ebp-1E0]
0041022D . 8D95 30FEFFFF lea edx,dword ptr ss:[ebp-1D0]
00410233 . 51 push ecx
00410234 . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
0041023A . 52 push edx
0041023B . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
00410241 . 50 push eax
00410242 . 51 push ecx
00410243 . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
00410249 . 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-190]
0041024F . 52 push edx
00410250 . 50 push eax
00410251 . 6A 06 push 6
00410253 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
00410259 . 83C4 1C add esp,1C
0041025C . 8D8D 44FDFFFF lea ecx,dword ptr ss:[ebp-2BC]
00410262 . 8D95 54FDFFFF lea edx,dword ptr ss:[ebp-2AC]
00410268 . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
0041026E . 51 push ecx
0041026F . 52 push edx
00410270 . 50 push eax
00410271 . FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>>
00410277 . 8B1D 3C114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrVarVa>
0041027D .^ E9 19FEFFFF jmp crackme4.0041009B
00410282 > 8B8D A0FEFFFF mov ecx,dword ptr ss:[ebp-160] ; 字符串str6"ewwe-#0!<IF"
00410288 . 8D95 70FEFFFF lea edx,dword ptr ss:[ebp-190]
0041028E . 898D E8FDFFFF mov dword ptr ss:[ebp-218],ecx
00410294 . 52 push edx
00410295 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
0041029B . 6A 02 push 2
0041029D . 8D8D 60FEFFFF lea ecx,dword ptr ss:[ebp-1A0]
004102A3 . 50 push eax
004102A4 . 51 push ecx
004102A5 . C785 E0FDFFFF 08>mov dword ptr ss:[ebp-220],8 ; 常数,8
004102AF . C785 78FEFFFF 03>mov dword ptr ss:[ebp-188],3 ; 常数,3
004102B9 . C785 70FEFFFF 02>mov dword ptr ss:[ebp-190],2
004102C3 . FFD6 call esi ; rtcMidCharVar,从字符串str7右起第8位开始取3个字符
004102C5 . 8D95 E0FDFFFF lea edx,dword ptr ss:[ebp-220] ; 得到"55'"
004102CB . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
004102D1 . 52 push edx
004102D2 . 8D8D 50FEFFFF lea ecx,dword ptr ss:[ebp-1B0]
004102D8 . 50 push eax
004102D9 . 51 push ecx
004102DA . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 字符串str6与取出的3个字符连接
004102E0 . 8D95 40FEFFFF lea edx,dword ptr ss:[ebp-1C0] ; 得到"ewwe-#0!<IF55'"
004102E6 . 50 push eax
004102E7 . 52 push edx
004102E8 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#520>] ; 去掉字符串左右的空格
004102EE . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
004102F4 . 50 push eax
004102F5 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>>
004102FB . 8BD0 mov edx,eax ; 得到"ewwe-#0!<IF55'",记为str8
004102FD . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-BC]
00410303 . FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>]
00410309 . 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-1C0]
0041030F . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
00410315 . 51 push ecx
00410316 . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
0041031C . 52 push edx
0041031D . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
00410323 . 50 push eax
00410324 . 51 push ecx
00410325 . 6A 04 push 4
00410327 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0041032D . B8 02000000 mov eax,2
00410332 . 83C4 14 add esp,14
00410335 . 8985 F0FDFFFF mov dword ptr ss:[ebp-210],eax
0041033B . 8985 E0FDFFFF mov dword ptr ss:[ebp-220],eax
00410341 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00410344 . C785 F8FDFFFF FF>mov dword ptr ss:[ebp-208],-1
0041034E . 50 push eax
0041034F . C785 E8FDFFFF 01>mov dword ptr ss:[ebp-218],1
00410359 . 8B10 mov edx,dword ptr ds:[eax]
0041035B . FF92 FC020000 call dword ptr ds:[edx+2FC]
00410361 . 50 push eax
00410362 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
00410368 . 50 push eax
00410369 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
0041036F . 8B08 mov ecx,dword ptr ds:[eax]
00410371 . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
00410377 . 52 push edx
00410378 . 50 push eax
00410379 . 8985 B8FDFFFF mov dword ptr ss:[ebp-248],eax
0041037F . FF91 A0000000 call dword ptr ds:[ecx+A0]
00410385 . 3BC7 cmp eax,edi
00410387 . DBE2 fclex
00410389 . 7D 18 jge short crackme4.004103A3
0041038B . 8B8D B8FDFFFF mov ecx,dword ptr ss:[ebp-248]
00410391 . 68 A0000000 push 0A0
00410396 . 68 B4C34000 push crackme4.0040C3B4
0041039B . 51 push ecx
0041039C . 50 push eax
0041039D . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
004103A3 > 8B95 94FEFFFF mov edx,dword ptr ss:[ebp-16C] ; 假码"9876543210"
004103A9 . 52 push edx
004103AA . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; 获取假码长度,EAX=0xA
004103B0 . 8985 D8FDFFFF mov dword ptr ss:[ebp-228],eax
004103B6 . 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210]
004103BC . 8D8D E0FDFFFF lea ecx,dword ptr ss:[ebp-220]
004103C2 . 50 push eax
004103C3 . 8D95 D0FDFFFF lea edx,dword ptr ss:[ebp-230]
004103C9 . 51 push ecx
004103CA . 8D85 24FDFFFF lea eax,dword ptr ss:[ebp-2DC]
004103D0 . 52 push edx
004103D1 . 8D8D 34FDFFFF lea ecx,dword ptr ss:[ebp-2CC]
004103D7 . 50 push eax
004103D8 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004103DB . 51 push ecx
004103DC . 52 push edx
004103DD . C785 D0FDFFFF 03>mov dword ptr ss:[ebp-230],3
004103E7 . FF15 64104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>>
004103ED . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
004103F3 . 8985 FCFCFFFF mov dword ptr ss:[ebp-304],eax
004103F9 . FF15 F0114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
004103FF . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
00410405 . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0041040B > 39BD FCFCFFFF cmp dword ptr ss:[ebp-304],edi
00410411 . 0F84 5D010000 je crackme4.00410574
00410417 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
0041041A . 50 push eax
0041041B . 8B08 mov ecx,dword ptr ds:[eax]
0041041D . FF91 FC020000 call dword ptr ds:[ecx+2FC]
00410423 . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
00410429 . 50 push eax
0041042A . 52 push edx
0041042B . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>]
00410431 . 8B08 mov ecx,dword ptr ds:[eax]
00410433 . 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
00410439 . 52 push edx
0041043A . 50 push eax
0041043B . 8985 B8FDFFFF mov dword ptr ss:[ebp-248],eax
00410441 . FF91 A0000000 call dword ptr ds:[ecx+A0]
00410447 . 3BC7 cmp eax,edi
00410449 . DBE2 fclex
0041044B . 7D 18 jge short crackme4.00410465
0041044D . 8B8D B8FDFFFF mov ecx,dword ptr ss:[ebp-248]
00410453 . 68 A0000000 push 0A0
00410458 . 68 B4C34000 push crackme4.0040C3B4
0041045D . 51 push ecx
0041045E . 50 push eax
0041045F . FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultChec>
00410465 > 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-16C] ; 假码"9876543210"
0041046B . 8D95 60FEFFFF lea edx,dword ptr ss:[ebp-1A0]
00410471 . 8985 78FEFFFF mov dword ptr ss:[ebp-188],eax
00410477 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
0041047A . 52 push edx
0041047B . 50 push eax
0041047C . C785 68FEFFFF 01>mov dword ptr ss:[ebp-198],1
00410486 . C785 60FEFFFF 02>mov dword ptr ss:[ebp-1A0],2
00410490 . 89BD 94FEFFFF mov dword ptr ss:[ebp-16C],edi
00410496 . C785 70FEFFFF 08>mov dword ptr ss:[ebp-190],8
004104A0 . FF15 98114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
004104A6 . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
004104AC . 50 push eax
004104AD . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
004104B3 . 51 push ecx
004104B4 . 52 push edx
004104B5 . FFD6 call esi ; rtcMidCharVar,倒序取假码"9876543210"字符
004104B7 . 8D85 50FEFFFF lea eax,dword ptr ss:[ebp-1B0]
004104BD . 8D8D 90FEFFFF lea ecx,dword ptr ss:[ebp-170]
004104C3 . 50 push eax
004104C4 . 51 push ecx
004104C5 . FFD3 call ebx
004104C7 . 50 push eax
004104C8 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.#516>] ; rtcAnsiValueBstr,取假码字符的ASCII值
004104CE . 66:2D 0500 sub ax,5 ; AX=AX-5
004104D2 . 0F80 E1020000 jo crackme4.004107B9
004104D8 . 0FBFD0 movsx edx,ax ; EDX=AX
004104DB . 8D85 40FEFFFF lea eax,dword ptr ss:[ebp-1C0]
004104E1 . 52 push edx
004104E2 . 50 push eax
004104E3 . FF15 24114000 call dword ptr ds:[<&MSVBVM60.#608>] ; 取ASCII值对应的字符
004104E9 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
004104EF . 8D95 40FEFFFF lea edx,dword ptr ss:[ebp-1C0]
004104F5 . 51 push ecx
004104F6 . 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
004104FC . 52 push edx
004104FD . 50 push eax
004104FE . FF15 40114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 连接每次得到的字符,得到字符串"+,-./01234"
00410504 . 8BD0 mov edx,eax
00410506 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
0041050C . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>]
00410512 . 8D8D 90FEFFFF lea ecx,dword ptr ss:[ebp-170]
00410518 . FF15 F0114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
0041051E . 8D8D 84FEFFFF lea ecx,dword ptr ss:[ebp-17C]
00410524 . FF15 EC114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]
0041052A . 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-1C0]
00410530 . 8D95 50FEFFFF lea edx,dword ptr ss:[ebp-1B0]
00410536 . 51 push ecx
00410537 . 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
0041053D . 52 push edx
0041053E . 8D8D 70FEFFFF lea ecx,dword ptr ss:[ebp-190]
00410544 . 50 push eax
00410545 . 51 push ecx
00410546 . 6A 04 push 4
00410548 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>
0041054E . 83C4 14 add esp,14
00410551 . 8D95 24FDFFFF lea edx,dword ptr ss:[ebp-2DC]
00410557 . 8D85 34FDFFFF lea eax,dword ptr ss:[ebp-2CC]
0041055D . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00410560 . 52 push edx
00410561 . 50 push eax
00410562 . 51 push ecx
00410563 . FF15 E4114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>>
00410569 . 8985 FCFCFFFF mov dword ptr ss:[ebp-304],eax
0041056F .^ E9 97FEFFFF jmp crackme4.0041040B
00410574 > 8B95 44FFFFFF mov edx,dword ptr ss:[ebp-BC] ; 字符串str8"ewwe-#0!<IF55'"
0041057A . 8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
00410580 . 8D8D F0FDFFFF lea ecx,dword ptr ss:[ebp-210]
00410586 . 50 push eax
00410587 . 51 push ecx
00410588 . 8995 F8FDFFFF mov dword ptr ss:[ebp-208],edx
0041058E . C785 F0FDFFFF 08>mov dword ptr ss:[ebp-210],8008
00410598 . FF15 CC104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 与假码运算所得的字符比较
0041059E . 66:85C0 test ax,ax
004105A1 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
004105A4 . 50 push eax
004105A5 . 8B10 mov edx,dword ptr ds:[eax]
004105A7 . 74 29 je short crackme4.004105D2 ; 暴破点5,NOP掉
4.为了暴破,必须去除程序对文件大小和文件名的检测。
Ctrl+F2重新载入程序,命令栏下断点:bp CreateFileA,回车,F9运行,中断:
77E5B476 k> 55 push ebp ; 中断在此
77E5B477 8BEC mov ebp,esp
77E5B479 FF75 08 push dword ptr ss:[ebp+8]
77E5B47C E8 11FFFFFF call kernel32.77E5B392
77E5B481 85C0 test eax,eax
77E5B483 0F84 A3FF0100 je kernel32.77E7B42C
堆栈友好提示:
0012F734 660EC6D7 /CALL 到 CreateFileA 来自 MSVBVM60.660EC6D1
0012F738 0012F7AC |FileName = "C:\Documents and Settings\hrbx\桌面\crackme4-lx.exe"
0012F73C C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012F740 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
命令栏输入:bc CreateFileA,回车,消除断点,3次ALT+F9返回,来到:
0040EFC7 . 83C4 20 add esp,20
0040EFCA . 52 push edx
0040EFCB . FF15 90114000 call dword ptr ds:[<&MSVBVM60.#578>] ; rtcFileLen,获取文件大小
0040EFD1 . 8945 D8 mov dword ptr ss:[ebp-28],eax
0040EFD4 . 83E8 08 sub eax,8
0040EFD7 . 0F80 71020000 jo crackme4.0040F24E
0040EFDD . 83E8 01 sub eax,1
0040EFE0 . 6A 00 push 0
0040EFE2 . 0F80 66020000 jo crackme4.0040F24E
0040EFE8 . 50 push eax
0040EFE9 . 6A 01 push 1
0040EFEB . 8D45 DC lea eax,dword ptr ss:[ebp-24]
0040EFEE . 6A 11 push 11
0040EFF0 . 50 push eax
0040EFF1 . 6A 01 push 1
0040EFF3 . 68 80000000 push 80
0040EFF8 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaRedim>]
0040EFFE . 83C4 1C add esp,1C
0040F001 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040F004 . C745 B0 04000280 mov dword ptr ss:[ebp-50],80020004
0040F00B . C745 A8 0A000000 mov dword ptr ss:[ebp-58],0A
0040F012 . 51 push ecx
0040F013 . FF15 60114000 call dword ptr ds:[<&MSVBVM60.#648>]
0040F019 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
0040F01C . 0FBFF0 movsx esi,ax
0040F01F . FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>]
0040F025 . 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0040F028 . 8B3D D0104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
0040F02E . 52 push edx
0040F02F . 8BCE mov ecx,esi
0040F031 . FFD7 call edi
0040F033 . 50 push eax
0040F034 . 6A FF push -1
0040F036 . 6A 20 push 20
0040F038 . FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaFileOpen>]
0040F03E . 8BCE mov ecx,esi ; ALT+F9返回来到这里
0040F040 . FFD7 call edi
0040F042 . 50 push eax
0040F043 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
0040F046 . 50 push eax
0040F047 . 68 7CC24000 push crackme4.0040C27C
0040F04C . FF15 38114000 call dword ptr ds:[<&MSVBVM60.__vbaGetOwner3>]
0040F052 . 8BCE mov ecx,esi
0040F054 . FFD7 call edi
0040F056 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0040F059 . 50 push eax
0040F05A . 51 push ecx
0040F05B . 6A 08 push 8
0040F05D . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaGet3>]
0040F063 . 8BCE mov ecx,esi
0040F065 . FFD7 call edi
0040F067 . 50 push eax
0040F068 . FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaFileClose>]
0040F06E . 817D D0 26127600 cmp dword ptr ss:[ebp-30],761226 ; 文件大小与0x761226比较
0040F075 . 75 4B jnz short crackme4.0040F0C2 ; 不相等则Over,暴破点6,改为NOP
0040F175 > \8B45 BC mov eax,dword ptr ss:[ebp-44]
0040F178 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
0040F17B . 52 push edx
0040F17C . 50 push eax
0040F17D . 8B08 mov ecx,dword ptr ds:[eax]
0040F17F . 8BF0 mov esi,eax
0040F081 . 53 push ebx
0040F082 . FF92 F8060000 call dword ptr ds:[edx+6F8]
0040F088 . 85C0 test eax,eax
0040F08A . 7D 16 jge short crackme4.0040F0A2
0040F08C . 8B3D 48104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaHresultC>
0040F092 . 68 F8060000 push 6F8
0040F097 . 68 98BD4000 push crackme4.0040BD98
0040F09C . 53 push ebx
0040F09D . 50 push eax
0040F09E . FFD7 call edi
0040F0A0 . EB 06 jmp short crackme4.0040F0A8
0040F0A2 > 8B3D 48104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaHresultC>
0040F0A8 > 8B55 90 mov edx,dword ptr ss:[ebp-70]
0040F0AB . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0040F0AE . 3BD0 cmp edx,eax
0040F0B0 75 08 jnz short crackme4.0040F0BA ; 不相等则Over,暴破点7,改为NOP
0040F0B2 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#598>]
0040F0B8 . EB 0E jmp short crackme4.0040F0C8
0040F0BA > FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaEnd>]
0040F0C0 . EB 06 jmp short crackme4.0040F0C8
0040F0C2 > 8B3D 48104000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaHresultC>
0040F0C8 > A1 54854100 mov eax,dword ptr ds:[418554]
0040F0CD . 85C0 test eax,eax
0040F0CF . 75 10 jnz short crackme4.0040F0E1
0040F0D1 . 68 54854100 push crackme4.00418554
0040F0D6 . 68 40C24000 push crackme4.0040C240
0040F0DB . FF15 5C114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>]
0040F0E1 > 8B35 54854100 mov esi,dword ptr ds:[418554]
0040F0E7 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040F0EA . 51 push ecx
0040F0EB . 56 push esi
0040F0EC . 8B06 mov eax,dword ptr ds:[esi]
0040F0EE . FF50 14 call dword ptr ds:[eax+14]
0040F0F1 . 85C0 test eax,eax
0040F0F3 . DBE2 fclex
0040F0F5 . 7D 0B jge short crackme4.0040F102
0040F0F7 . 6A 14 push 14
0040F0F9 . 68 30C24000 push crackme4.0040C230
0040F0FE . 56 push esi
0040F0FF . 50 push eax
0040F100 . FFD7 call edi
0040F102 > 8B45 BC mov eax,dword ptr ss:[ebp-44]
0040F105 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0040F108 . 51 push ecx
0040F109 . 50 push eax
0040F10A . 8B10 mov edx,dword ptr ds:[eax]
0040F10C . 8BF0 mov esi,eax
0040F10E . FF52 68 call dword ptr ds:[edx+68]
0040F111 . 85C0 test eax,eax
0040F113 . DBE2 fclex
0040F115 . 7D 0B jge short crackme4.0040F122
0040F117 . 6A 68 push 68
0040F119 . 68 50C24000 push crackme4.0040C250
0040F11E . 56 push esi
0040F11F . 50 push eax
0040F120 . FFD7 call edi
0040F122 > 8B1D EC114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>
0040F128 . 8B75 94 mov esi,dword ptr ss:[ebp-6C]
0040F12B . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040F12E . FFD3 call ebx
0040F130 . 66:85F6 test si,si
0040F133 74 06 je short crackme4.0040F13B ; 不相等则Over,暴破点8,改为jmp
0040F135 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaEnd>]
0040F13B > A1 54854100 mov eax,dword ptr ds:[418554]
0040F140 . 85C0 test eax,eax
0040F142 . 75 10 jnz short crackme4.0040F154
0040F144 . 68 54854100 push crackme4.00418554
0040F149 . 68 40C24000 push crackme4.0040C240
0040F14E . FF15 5C114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>]
0040F154 > 8B35 54854100 mov esi,dword ptr ds:[418554]
0040F15A . 8D45 BC lea eax,dword ptr ss:[ebp-44]
0040F15D . 50 push eax
0040F15E . 56 push esi
0040F15F . 8B16 mov edx,dword ptr ds:[esi]
0040F161 . FF52 14 call dword ptr ds:[edx+14]
0040F164 . 85C0 test eax,eax
0040F166 . DBE2 fclex
0040F168 . 7D 0B jge short crackme4.0040F175
0040F16A . 6A 14 push 14
0040F16C . 68 30C24000 push crackme4.0040C230
0040F171 . 56 push esi
0040F172 . 50 push eax
0040F173 . FFD7 call edi
0040F175 > 8B45 BC mov eax,dword ptr ss:[ebp-44]
0040F178 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
0040F17B . 52 push edx
0040F17C . 50 push eax
0040F17D . 8B08 mov ecx,dword ptr ds:[eax]
0040F17F . 8BF0 mov esi,eax
0040F181 . FF51 58 call dword ptr ds:[ecx+58]
0040F184 . 85C0 test eax,eax
0040F186 . DBE2 fclex
0040F188 . 7D 0B jge short crackme4.0040F195
0040F18A . 6A 58 push 58
0040F18C . 68 50C24000 push crackme4.0040C250
0040F191 . 56 push esi
0040F192 . 50 push eax
0040F193 . FFD7 call edi
0040F195 > 8B45 CC mov eax,dword ptr ss:[ebp-34] ; 文件名"crackme4-lx"
0040F198 . 50 push eax
0040F199 . 68 98C24000 push crackme4.0040C298 ; UNICODE "crackme4-lx"
0040F19E . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; 文件名与"crackme4-lx"比较
0040F1A4 . 8BF0 mov esi,eax
0040F1A6 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040F1A9 . F7DE neg esi
0040F1AB . 1BF6 sbb esi,esi
0040F1AD . F7DE neg esi
0040F1AF . F7DE neg esi
0040F1B1 . FF15 F0114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>]
0040F1B7 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040F1BA . FFD3 call ebx
0040F1BC . 66:85F6 test si,si
0040F1BF 74 06 je short crackme4.0040F1C7 ; 不相等则Over,暴破点9,改为jmp
0040F1C1 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaEnd>]
0040F1C7 > 817D D8 08A00100 cmp dword ptr ss:[ebp-28],1A008 ; 比较是否为0x1A008
0040F1CE 74 06 je short crackme4.0040F1D6 ; 相等则跳,暴破点10,改为jmp
0040F1D0 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaEnd>]
0040F1D6 > C745 FC 00000000 mov dword ptr ss:[ebp-4],0
-----------------------------------------------------------------------------------------------
【破解总结】
1.用户名长度必须为4-9个字符,邮箱格式必须正确且长度小于0xE(15)。
2.内置固定字符串str1:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
str2:"www.mybetwin.com(welcometoyou!)www.mybetwin.com langxang".
3.根据用户名每个字符在字符串str1中的位置在字符串str2中取相应位置的字符连接成字符串,记为str3.
4.根据邮箱长度,依次取邮箱和机器码每一位字符的ASCII值相加结果减去0x5A,取其差所对应的字符连接成字符串,记为str4.
5.依次将字符串str3,"-",字符串str4左边3位,右边3位连接,记为str6.
6.依次取字符串str6每一位字符的ASCII值与邮箱的第2位字符的ASCII值进行xor运算,取运算结果所对应的字符连接成字符串,记为str7.
7.从字符串str7右边第8位开始取3个字符,将取得的3个字符连接到字符串str6,记为str8.
8.倒序取注册码每一位字符的ASCII值减去5,取相应的字符连接成字符串,结果与str8比较,相等则注册成功。
一组可用的注册码:
机器码:58964765534353
用户名:hrbx
E-mail:HRBX@163.com
注册码:,::KNA&5(2j||j
暴破更改以下位置:
0040F50F je crackme4.0040F5CE ; je====>jmp
0040F645 je crackme4.0040F704 ; je====>jmp
0040F80C je crackme4.0040F8B5 ; je====>jmp
0040F92C je short crackme4.0040F99D ; je====>jmp
004105A7 je short crackme4.004105D2 ; je====>NOP
0040F075 jnz short crackme4.0040F0C2 ; jnz===>NOP
0040F0B0 jnz short crackme4.0040F0BA ; jnz===>NOP
0040F133 je short crackme4.0040F13B ; je====>jmp
0040F1BF je short crackme4.0040F1C7 ; je====>jmp
0040F1CE je short crackme4.0040F1D6 ; je====>jmp
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
