【文章标题】: 一个CRACKME的算法分析
【文章作者】: sam
【作者邮箱】: gzny@263.net
【作者QQ号】: 53175650
【软件名称】: CRACKME
【加壳方式】: 无
【保护方式】: MD5
【编写语言】: VB
【作者声明】: 巴西输球.十分悲痛.诅咒法国.冠军无望.必给德国,送回老家!!!!
--------------------------------------------------------------------------------
【详细过程】
小弟在看雪混了一年多.一直没写过破文.
近日看到个CRACKME是MD5加密.就动手练练了
程序无壳。加载后按 F9 运行，在 OD 的窗口中对注册按钮下 202 条件断点，并对 CODE 区段下内存访问断点，定位到如下地址：
; --- Handler reached from the register-button breakpoint (entry 004036E0), VB6 code.
; Standard VB6 prologue: installs the SEH frame through fs:[0] with __vbaExceptHandler,
; reserves 0x128 bytes of locals and saves ebx/esi. The author skips the uninteresting
; part after 00403700 and resumes the listing at 004038F1.
004036E0 > 55 push ebp
004036E1 . 8BEC mov ebp,esp
004036E3 . 83EC 0C sub esp,0C
004036E6 . 68 A6134000 push <jmp.&MSVBVM60.__vbaExceptHandler>; SEH handler installation
004036EB . 64:A1 00000000 mov eax,dword ptr fs:[0]
004036F1 . 50 push eax
004036F2 . 64:8925 0000000>mov dword ptr fs:[0],esp
004036F9 . 81EC 28010000 sub esp,128 ; locals
004036FF . 53 push ebx
00403700 . 56 push esi
略过无用代码
; --- Register-button handler, continued at 004038F1 (the code between 00403700 and here is omitted).
; Register roles as seen in this stretch:
;   edi = a COM object (presumably the form) whose vtable slots +2FC/+300/+304 return the input controls
;   ebx = appears to hold 0 throughout (used as the null / False constant)
;   esi = MSVBVM60.__vbaStrMove (loaded at 0040390F)
; Locals worth tracking:
;   [ebp-38] "machine code" string derived from the constant "C:\"   [ebp-50] its head-5 / later its tail-5
;   [ebp-40] text of the control read via slot +304 (username) / later slot +300 (1st serial half)
;   [ebp-44] machine head-5 / tail-5 copy, later text of the control read via slot +2FC (2nd serial half)
;   [ebp-48] Trim$(username)   [ebp-4C] pre-MD5 transformed string   [ebp-54] MD5 digest string
;   [ebp-2C] Left$(md5_1,10)   [ebp-30] Right$(md5_2,10)   [ebp-134]/[ebp-F0] compare flags
004038F1 > \BA A4284000 mov edx,测试水平.004028A4 ; UNICODE "C:\"
004038F6 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004038F9 . FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrCopy: [ebp-40] = "C:\"
004038FF . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
00403902 . 52 push edx
00403903 . E8 18370000 call 测试水平.00407020 ; derives the "machine code" from the fixed string "C:\" through several hex/decimal conversions; with a constant input the result is constant too (author: 1215495429), so it is not traced here
00403908 . 50 push eax
00403909 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrI4 (Long -> decimal string)
0040390F . 8B35 7C114000 mov esi,dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove (esi is used for every StrMove below)
00403915 . 8BD0 mov edx,eax
00403917 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0040391A . FFD6 call esi ; <&MSVBVM60.__vbaStrMove> [ebp-38] = machine-code string
0040391C . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0040391F . FF15 98114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeStr
00403925 . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00403928 . 50 push eax
00403929 . E8 92380000 call 测试水平.004071C0 ; first 5 chars of the machine code
0040392E . 8BD0 mov edx,eax
00403930 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00403933 . FFD6 call esi ; <&MSVBVM60.__vbaStrMove> [ebp-50] = head-5
00403935 . 8B0F mov ecx,dword ptr ds:[edi]
00403937 . 57 push edi
00403938 . FF91 04030000 call dword ptr ds:[ecx+304] ; vtable slot +304: fetch a control (the username box, per the author)
0040393E . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00403941 . 50 push eax
00403942 . 52 push edx
00403943 . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaObj>; MSVBVM60.__vbaObjSet
00403949 . 8B08 mov ecx,dword ptr ds:[eax]
0040394B . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
0040394E . 52 push edx
0040394F . 50 push eax
00403950 . 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
00403956 . FF91 A0000000 call dword ptr ds:[ecx+A0] ; read the control's text into [ebp-40]
0040395C . 3BC3 cmp eax,ebx ; HRESULT < 0 -> error path
0040395E . DBE2 fclex
00403960 . 7D 18 jge short 测试水平.0040397A
00403962 . 8B8D 20FFFFFF mov ecx,dword ptr ss:[ebp-E0]
00403968 . 68 A0000000 push 0A0
0040396D . 68 68284000 push 测试水平.00402868
00403972 . 51 push ecx
00403973 . 50 push eax
00403974 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHre>; MSVBVM60.__vbaHresultCheckObj
0040397A > 8B45 C0 mov eax,dword ptr ss:[ebp-40]
0040397D . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00403980 . 8945 9C mov dword ptr ss:[ebp-64],eax ; username, wrapped in a VT_BSTR variant at [ebp-6C]
00403983 . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
00403986 . 52 push edx
00403987 . 50 push eax
00403988 . 895D C0 mov dword ptr ss:[ebp-40],ebx
0040398B . C745 94 0800000>mov dword ptr ss:[ebp-6C],8 ; VT_BSTR
00403992 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar -> Trim$(username)
00403998 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
0040399B . 51 push ecx
0040399C . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarMove
004039A2 . 8BD0 mov edx,eax
004039A4 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004039A7 . FFD6 call esi ; [ebp-48] = Trim$(username)
004039A9 . 8B55 B0 mov edx,dword ptr ss:[ebp-50]
004039AC . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004039AF . 895D B0 mov dword ptr ss:[ebp-50],ebx
004039B2 . FFD6 call esi ; [ebp-44] = machine head-5 (moved from [ebp-50])
004039B4 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004039B7 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
004039BA . 52 push edx
004039BB . 50 push eax
004039BC . E8 6F3B0000 call 测试水平.00407530 ; pre-MD5 transform of the first half, args (head-5, Trim$(username)); traced below
004039C1 . 8BD0 mov edx,eax
004039C3 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004039C6 . FFD6 call esi ; [ebp-4C] = transformed string
004039C8 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
004039CB . 51 push ecx
004039CC . E8 9F3A0000 call 测试水平.00407470 ; MD5 (as identified by the author)
004039D1 . 8BD0 mov edx,eax ; digest string returned in eax
004039D3 . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
004039D6 . FFD6 call esi ; [ebp-54] = md5 string
004039D8 . 8B45 AC mov eax,dword ptr ss:[ebp-54]
004039DB . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
004039E1 . 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
004039E7 . 6A 0A push 0A ; length 10
004039E9 . 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C]
004039EF . 52 push edx
004039F0 . 50 push eax
004039F1 . 895D AC mov dword ptr ss:[ebp-54],ebx
004039F4 . C785 74FFFFFF 0>mov dword ptr ss:[ebp-8C],8 ; VT_BSTR
004039FE . FF15 74114000 call dword ptr ds:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
00403A04 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C] ; Left$(md5_1, 10): first 10 chars of the digest
00403A0A . 51 push ecx
00403A0B . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarMove
00403A11 . 8BD0 mov edx,eax
00403A13 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00403A16 . FFD6 call esi ; [ebp-2C] = Left$(md5_1, 10), kept for the compare at 00403C4B
00403A18 . 8D55 AC lea edx,dword ptr ss:[ebp-54]
00403A1B . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00403A1E . 52 push edx
00403A1F . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00403A22 . 50 push eax
00403A23 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00403A26 . 51 push ecx
00403A27 . 8D45 BC lea eax,dword ptr ss:[ebp-44]
00403A2A . 52 push edx
00403A2B . 50 push eax
00403A2C . 6A 05 push 5
00403A2E . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeStrList
00403A34 . 83C4 18 add esp,18
00403A37 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403A3A . FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeObj
00403A40 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00403A46 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
00403A4C . 51 push ecx
00403A4D . 8D45 84 lea eax,dword ptr ss:[ebp-7C]
00403A50 . 52 push edx
00403A51 . 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403A54 . 50 push eax
00403A55 . 51 push ecx
00403A56 . 6A 04 push 4
00403A58 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVarList
00403A5E . 83C4 14 add esp,14
00403A61 . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00403A64 . 52 push edx
00403A65 . E8 76380000 call 测试水平.004072E0 ; last 5 chars of the machine code
00403A6A . 8BD0 mov edx,eax
00403A6C . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00403A6F . FFD6 call esi ; [ebp-50] = tail-5
00403A71 . 8B07 mov eax,dword ptr ds:[edi]
00403A73 . 57 push edi
00403A74 . FF90 04030000 call dword ptr ds:[eax+304] ; same control as above (username box)
00403A7A . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403A7D . 50 push eax
00403A7E . 51 push ecx
00403A7F . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaObj>; MSVBVM60.__vbaObjSet
00403A85 . 8B10 mov edx,dword ptr ds:[eax]
00403A87 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00403A8A . 51 push ecx
00403A8B . 50 push eax
00403A8C . 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
00403A92 . FF92 A0000000 call dword ptr ds:[edx+A0] ; text -> [ebp-40]
00403A98 . 3BC3 cmp eax,ebx
00403A9A . DBE2 fclex
00403A9C . 7D 18 jge short 测试水平.00403AB6
00403A9E . 8B95 20FFFFFF mov edx,dword ptr ss:[ebp-E0]
00403AA4 . 68 A0000000 push 0A0
00403AA9 . 68 68284000 push 测试水平.00402868
00403AAE . 52 push edx
00403AAF . 50 push eax
00403AB0 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHre>; MSVBVM60.__vbaHresultCheckObj
00403AB6 > 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00403AB9 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00403ABC . 8945 9C mov dword ptr ss:[ebp-64],eax ; username into a VT_BSTR variant again
00403ABF . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
00403AC2 . 50 push eax
00403AC3 . 51 push ecx
00403AC4 . 895D C0 mov dword ptr ss:[ebp-40],ebx
00403AC7 . C745 94 0800000>mov dword ptr ss:[ebp-6C],8 ; VT_BSTR
00403ACE . FF15 70104000 call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
00403AD4 . 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00403AD7 . 52 push edx
00403AD8 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarMove
00403ADE . 8BD0 mov edx,eax
00403AE0 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403AE3 . FFD6 call esi ; [ebp-48] = Trim$(username)
00403AE5 . 8B55 B0 mov edx,dword ptr ss:[ebp-50]
00403AE8 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403AEB . 895D B0 mov dword ptr ss:[ebp-50],ebx
00403AEE . FFD6 call esi ; [ebp-44] = tail-5
00403AF0 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00403AF3 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403AF6 . 50 push eax
00403AF7 . 51 push ecx
00403AF8 . E8 F33C0000 call 测试水平.004077F0 ; second-half transform with (tail-5, Trim$(username)); per the author identical to 00407530 except the per-character OR is an AND
00403AFD . 8BD0 mov edx,eax
00403AFF . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00403B02 . FFD6 call esi ; [ebp-4C] = transformed string
00403B04 . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00403B07 . 52 push edx
00403B08 . E8 63390000 call 测试水平.00407470 ; MD5 again
00403B0D . 8BD0 mov edx,eax ; second-half digest string
00403B0F . 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00403B12 . FFD6 call esi
00403B14 . 8B45 AC mov eax,dword ptr ss:[ebp-54]
00403B17 . 6A 0A push 0A ; length 10
00403B19 . 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
00403B1F . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00403B25 . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00403B2B . 50 push eax
00403B2C . 51 push ecx
00403B2D . 895D AC mov dword ptr ss:[ebp-54],ebx
00403B30 . C785 74FFFFFF 0>mov dword ptr ss:[ebp-8C],8 ; VT_BSTR
00403B3A . FF15 80114000 call dword ptr ds:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
00403B40 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C] ; Right$(md5_2, 10): last 10 chars of the digest
00403B46 . 52 push edx
00403B47 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarMove
00403B4D . 8BD0 mov edx,eax ; kept at [ebp-30] for the compare at 00403C2F
00403B4F . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00403B52 . FFD6 call esi
00403B54 . 8D45 AC lea eax,dword ptr ss:[ebp-54]
00403B57 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00403B5A . 50 push eax
00403B5B . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00403B5E . 51 push ecx
00403B5F . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00403B62 . 52 push edx
00403B63 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403B66 . 50 push eax
00403B67 . 51 push ecx
00403B68 . 6A 05 push 5
00403B6A . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeStrList
00403B70 . 83C4 18 add esp,18
00403B73 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403B76 . FF15 94114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeObj
00403B7C . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00403B82 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00403B88 . 52 push edx
00403B89 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00403B8C . 50 push eax
00403B8D . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00403B90 . 51 push ecx
00403B91 . 52 push edx
00403B92 . 6A 04 push 4
00403B94 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVarList
00403B9A . 8B07 mov eax,dword ptr ds:[edi]
00403B9C . 83C4 14 add esp,14
00403B9F . 57 push edi
00403BA0 . FF90 00030000 call dword ptr ds:[eax+300] ; vtable slot +300: control whose text goes to [ebp-40] (entered 1st half)
00403BA6 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403BA9 . 50 push eax
00403BAA . 51 push ecx
00403BAB . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaObj>; MSVBVM60.__vbaObjSet
00403BB1 . 8B10 mov edx,dword ptr ds:[eax]
00403BB3 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00403BB6 . 51 push ecx
00403BB7 . 50 push eax
00403BB8 . 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
00403BBE . FF92 A0000000 call dword ptr ds:[edx+A0] ; text -> [ebp-40]
00403BC4 . 3BC3 cmp eax,ebx
00403BC6 . DBE2 fclex
00403BC8 . 7D 18 jge short 测试水平.00403BE2
00403BCA . 8B95 20FFFFFF mov edx,dword ptr ss:[ebp-E0]
00403BD0 . 68 A0000000 push 0A0
00403BD5 . 68 68284000 push 测试水平.00402868
00403BDA . 52 push edx
00403BDB . 50 push eax
00403BDC . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHre>; MSVBVM60.__vbaHresultCheckObj
00403BE2 > 8B07 mov eax,dword ptr ds:[edi]
00403BE4 . 57 push edi
00403BE5 . FF90 FC020000 call dword ptr ds:[eax+2FC] ; vtable slot +2FC: control whose text goes to [ebp-44] (entered 2nd half)
00403BEB . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00403BEE . 50 push eax
00403BEF . 51 push ecx
00403BF0 . FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaObj>; MSVBVM60.__vbaObjSet
00403BF6 . 8B10 mov edx,dword ptr ds:[eax]
00403BF8 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00403BFB . 51 push ecx
00403BFC . 50 push eax
00403BFD . 8985 18FFFFFF mov dword ptr ss:[ebp-E8],eax
00403C03 . FF92 A0000000 call dword ptr ds:[edx+A0] ; text -> [ebp-44]
00403C09 . 3BC3 cmp eax,ebx
00403C0B . DBE2 fclex
00403C0D . 7D 18 jge short 测试水平.00403C27
00403C0F . 8B95 18FFFFFF mov edx,dword ptr ss:[ebp-E8]
00403C15 . 68 A0000000 push 0A0
00403C1A . 68 68284000 push 测试水平.00402868
00403C1F . 52 push edx
00403C20 . 50 push eax
00403C21 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__vbaHre>; MSVBVM60.__vbaHresultCheckObj
00403C27 > 8B45 D0 mov eax,dword ptr ss:[ebp-30] ; Right$(md5_2, 10)
00403C2A . 8B4D BC mov ecx,dword ptr ss:[ebp-44] ; entered 2nd half
00403C2D . 50 push eax
00403C2E . 51 push ecx
00403C2F . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrCmp
00403C35 . F7D8 neg eax ; StrCmp returns 0 when equal; neg/sbb/inc/neg folds that into VB True (-1) on equal, 0 otherwise
00403C37 . 8B55 D4 mov edx,dword ptr ss:[ebp-2C] ; Left$(md5_1, 10)
00403C3A . 1BC0 sbb eax,eax
00403C3C . 52 push edx
00403C3D . 40 inc eax
00403C3E . F7D8 neg eax
00403C40 . 66:8985 CCFEFFF>mov word ptr ss:[ebp-134],ax ; flag2 = (entered 2nd half == Right$(md5_2,10))
00403C47 . 8B45 C0 mov eax,dword ptr ss:[ebp-40] ; entered 1st half
00403C4A . 50 push eax
00403C4B . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrCmp
00403C51 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-134] ; same fold for the 1st half: [ebp-40] vs Left$(md5_1,10)
00403C57 . 8D55 BC lea edx,dword ptr ss:[ebp-44]
00403C5A . F7D8 neg eax
00403C5C . 1BC0 sbb eax,eax
00403C5E . 52 push edx
00403C5F . 40 inc eax
00403C60 . F7D8 neg eax
00403C62 . 23C8 and ecx,eax ; both halves must match
00403C64 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00403C67 . 50 push eax
00403C68 . 6A 02 push 2
00403C6A . 898D 10FFFFFF mov dword ptr ss:[ebp-F0],ecx ; combined flag
00403C70 . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeStrList
00403C76 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00403C79 . 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00403C7C . 51 push ecx
00403C7D . 52 push edx
00403C7E . 6A 02 push 2
00403C80 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeObjList
00403C86 . 83C4 18 add esp,18
00403C89 . 66:399D 10FFFFF>cmp word ptr ss:[ebp-F0],bx ; combined flag vs 0
00403C90 . 0F84 07050000 je 测试水平.0040419D ; zero (a half mismatched) -> failure path at 0040419D; nonzero -> success (author's note: JNE here means success)
00403C96 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00403C99 . 53 push ebx
00403C9A . 50 push eax
___________________________________________________________________________________________________________
跟进407530
; --- Sub 00407530: pre-MD5 transform for the first serial half.
; Called from 004039BC as (machine head-5, Trim$(username)), so:
;   [ebp+8] = ptr to the machine-code BSTR      [ebp+C] = ptr to the username BSTR
; Step 1 appends spaces (rtcSpaceVar + __vbaVarAdd) to whichever of the two is
; shorter, so both have the length of the longer one; that length is stored at
; [ebp-20] as the loop bound. Step 2 loops i = 1..len, computes
; Asc(Mid$(user,i,1)) OR Asc(Mid$(machine,i,1)), formats it as a decimal string
; and appends it to [ebp-24]. The result is copied to [ebp-1C] at 00407775; the
; epilogue that returns it is not in the listing (cut at 00407786).
00407530 $ 55 push ebp
00407531 . 8BEC mov ebp,esp
00407533 . 83EC 0C sub esp,0C
00407536 . 68 A6134000 push <jmp.&MSVBVM60.__vbaExceptHandler>; SEH handler installation
0040753B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00407541 . 50 push eax
00407542 . 64:8925 0000000>mov dword ptr fs:[0],esp
00407549 . 81EC B0000000 sub esp,0B0
0040754F . 53 push ebx
00407550 . 56 push esi
00407551 . 57 push edi
00407552 . 8965 F4 mov dword ptr ss:[ebp-C],esp
00407555 . C745 F8 2813400>mov dword ptr ss:[ebp-8],测试水平.00401328
0040755C . 8B5D 08 mov ebx,dword ptr ss:[ebp+8] ; ebx = arg1: ptr to the machine-code BSTR
0040755F . 8B35 20104000 mov esi,dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaLenBstr
00407565 . 33C0 xor eax,eax ; zero the string / variant locals
00407567 . 8945 E4 mov dword ptr ss:[ebp-1C],eax
0040756A . 8945 DC mov dword ptr ss:[ebp-24],eax
0040756D . 8945 D8 mov dword ptr ss:[ebp-28],eax
00407570 . 8945 D4 mov dword ptr ss:[ebp-2C],eax
00407573 . 8945 D0 mov dword ptr ss:[ebp-30],eax
00407576 . 8945 C0 mov dword ptr ss:[ebp-40],eax
00407579 . 8945 B0 mov dword ptr ss:[ebp-50],eax
0040757C . 8945 A0 mov dword ptr ss:[ebp-60],eax
0040757F . 8945 90 mov dword ptr ss:[ebp-70],eax
00407582 . 8945 80 mov dword ptr ss:[ebp-80],eax
00407585 . 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
0040758B . 8B03 mov eax,dword ptr ds:[ebx]
0040758D . 50 push eax ; machine-code BSTR
0040758E . FFD6 call esi ; <&MSVBVM60.__vbaLenBstr>
00407590 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C] ; ecx = arg2: ptr to the username BSTR
00407593 . 8BF8 mov edi,eax ; edi = Len(machine)
00407595 . 8B11 mov edx,dword ptr ds:[ecx]
00407597 . 52 push edx ; username BSTR
00407598 . FFD6 call esi ; <&MSVBVM60.__vbaLenBstr> -> eax = Len(user)
0040759A . 3BF8 cmp edi,eax ; Len(machine) vs Len(user)
0040759C . 7C 5F jl short 测试水平.004075FD ; machine code shorter than the username -> pad the machine code (004075FD); otherwise pad the username below
0040759E . 8B03 mov eax,dword ptr ds:[ebx] ; machine-code BSTR again
004075A0 . 50 push eax
004075A1 . FFD6 call esi ; <&MSVBVM60.__vbaLenBstr>
004075A3 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C] ; ecx = ptr to the username
004075A6 . 8BF8 mov edi,eax ; edi = Len(machine)
004075A8 . 897D E0 mov dword ptr ss:[ebp-20],edi ; loop bound = Len(machine)
004075AB . C745 80 0800000>mov dword ptr ss:[ebp-80],8 ; variant [ebp-80]: VT_BSTR
004075B2 . 8B01 mov eax,dword ptr ds:[ecx]
004075B4 . 50 push eax
004075B5 . 8945 88 mov dword ptr ss:[ebp-78],eax ; variant data = username BSTR
004075B8 . FFD6 call esi ; <&MSVBVM60.__vbaLenBstr>
004075BA . 2BF8 sub edi,eax ; edi = Len(machine) - Len(user) = number of spaces to append
004075BC . 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004075BF . 0F80 1C020000 jo 测试水平.004077E1 ; VB overflow check
004075C5 . 57 push edi ; count
004075C6 . 52 push edx ; dest variant [ebp-40] = Space$(count)
004075C7 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#526>] ; MSVBVM60.rtcSpaceVar
004075CD . 8D45 80 lea eax,dword ptr ss:[ebp-80]
004075D0 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004075D3 . 50 push eax
004075D4 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
004075D7 . 51 push ecx
004075D8 . 52 push edx
004075D9 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarAdd: [ebp-50] = username & spaces
004075DF . 50 push eax ; variant -> BSTR
004075E0 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarMove
004075E6 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C] ; padded name is written back into arg2 (author's example: a 3-char name gets 2 spaces to reach 5)
004075E9 . 8B3D 7C114000 mov edi,dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
004075EF . 8BD0 mov edx,eax ; padded username
004075F1 . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
004075F3 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
004075F6 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004075F9 . 50 push eax
004075FA . 51 push ecx
004075FB . EB 5C jmp short 测试水平.00407659 ; to the common cleanup
004075FD > 8B55 0C mov edx,dword ptr ss:[ebp+C] ; pad-the-machine-code path
00407600 . 8B02 mov eax,dword ptr ds:[edx]
00407602 . 50 push eax
00407603 . FFD6 call esi ; eax = Len(user)
00407605 . 8BF8 mov edi,eax
00407607 . 8B03 mov eax,dword ptr ds:[ebx]
00407609 . 50 push eax ; machine-code BSTR
0040760A . 897D E0 mov dword ptr ss:[ebp-20],edi ; loop bound = Len(user)
0040760D . 8945 88 mov dword ptr ss:[ebp-78],eax ; variant data = machine BSTR
00407610 . C745 80 0800000>mov dword ptr ss:[ebp-80],8 ; VT_BSTR
00407617 . FFD6 call esi ; eax = Len(machine)
00407619 . 2BF8 sub edi,eax ; edi = Len(user) - Len(machine) = number of spaces to append
0040761B . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
0040761E . 0F80 BD010000 jo 测试水平.004077E1
00407624 . 57 push edi
00407625 . 51 push ecx
00407626 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#526>] ; MSVBVM60.rtcSpaceVar
0040762C . 8D55 80 lea edx,dword ptr ss:[ebp-80] ; Space$(count) now in [ebp-40]
0040762F . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00407632 . 52 push edx
00407633 . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00407636 . 50 push eax
00407637 . 51 push ecx
00407638 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarAdd: machine & spaces
0040763E . 50 push eax ; variant -> BSTR
0040763F . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarMove
00407645 . 8B3D 7C114000 mov edi,dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrMove
0040764B . 8BD0 mov edx,eax
0040764D . 8BCB mov ecx,ebx ; written back into arg1 (the machine-code string)
0040764F . FFD7 call edi ; <&MSVBVM60.__vbaStrMove>
00407651 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00407654 . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00407657 . 52 push edx
00407658 . 50 push eax
00407659 > 6A 02 push 2 ; free the two temp variants
0040765B . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVarList
00407661 . 83C4 0C add esp,0C
00407664 . BE 01000000 mov esi,1 ; i = 1 (Mid$ is 1-based)
00407669 > 3B75 E0 cmp esi,dword ptr ss:[ebp-20]
0040766C . 0F8F FD000000 jg 测试水平.0040776F ; loop exit once i > padded length
00407672 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00407675 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
00407678 . 51 push ecx ; length variant (set to VT_I2 value 1 below)
00407679 . 56 push esi ; start = i
0040767A . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
0040767D . 895D 88 mov dword ptr ss:[ebp-78],ebx ; variant data = ptr to the machine BSTR
00407680 . 8B1D 80104000 mov ebx,dword ptr ds:[<&MSVBVM60.#632>>; MSVBVM60.rtcMidCharVar
00407686 . 52 push edx ; source variant
00407687 . 50 push eax ; dest variant
00407688 . C745 C8 0100000>mov dword ptr ss:[ebp-38],1 ; length = 1
0040768F . C745 C0 0200000>mov dword ptr ss:[ebp-40],2 ; VT_I2
00407696 . C745 80 0840000>mov dword ptr ss:[ebp-80],4008 ; VT_BYREF|VT_BSTR
0040769D . FFD3 call ebx ; <&MSVBVM60.#632> Mid$(machine, i, 1) -> [ebp-50]
0040769F . 8B4D 0C mov ecx,dword ptr ss:[ebp+C] ; now the same for the username
004076A2 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
004076A5 . 898D 68FFFFFF mov dword ptr ss:[ebp-98],ecx ; variant data = ptr to the username BSTR
004076AB . 52 push edx
004076AC . 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
004076B2 . 56 push esi ; start = i
004076B3 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004076B6 . 50 push eax
004076B7 . 51 push ecx
004076B8 . C745 A8 0100000>mov dword ptr ss:[ebp-58],1 ; length = 1
004076BF . C745 A0 0200000>mov dword ptr ss:[ebp-60],2 ; VT_I2
004076C6 . C785 60FFFFFF 0>mov dword ptr ss:[ebp-A0],4008 ; VT_BYREF|VT_BSTR
004076D0 . FFD3 call ebx ; <&MSVBVM60.#632> Mid$(user, i, 1) -> [ebp-70]
004076D2 . 8B55 DC mov edx,dword ptr ss:[ebp-24] ; result accumulated so far (for the StrCat below)
004076D5 . 8B1D 0C114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vba>; MSVBVM60.__vbaStrVarVal
004076DB . 8D45 90 lea eax,dword ptr ss:[ebp-70] ; user char variant -> BSTR
004076DE . 52 push edx
004076DF . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004076E2 . 50 push eax
004076E3 . 51 push ecx
004076E4 . FFD3 call ebx ; <&MSVBVM60.__vbaStrVarVal>
004076E6 . 50 push eax ; Asc(user char)
004076E7 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
004076ED . 66:8BD0 mov dx,ax ; keep the 16-bit char code
004076F0 . 8D45 B0 lea eax,dword ptr ss:[ebp-50]
004076F3 . 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004076F6 . 50 push eax ; machine char variant -> BSTR
004076F7 . 51 push ecx
004076F8 . 66:8995 3EFFFFF>mov word ptr ss:[ebp-C2],dx ; spill Asc(user char)
004076FF . FFD3 call ebx ; <&MSVBVM60.__vbaStrVarVal>
00407701 . 50 push eax ; Asc(machine char)
00407702 . FF15 30104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00407708 . 66:8B95 3EFFFFF>mov dx,word ptr ss:[ebp-C2] ; reload Asc(user char)
0040770F . 0BD0 or edx,eax ; Asc(user[i]) OR Asc(machine[i]) (author: 004077F0 uses AND here)
00407711 . 52 push edx ; -> decimal string; __vbaStrI2 formats a 16-bit Integer, so only dx matters
00407712 . FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrI2
00407718 . 8BD0 mov edx,eax ; digits for this character
0040771A . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0040771D . FFD7 call edi
0040771F . 50 push eax
00407720 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrCat: result & digits
00407726 . 8BD0 mov edx,eax ; new accumulated result
00407728 . 8D4D DC lea ecx,dword ptr ss:[ebp-24]
0040772B . FFD7 call edi
0040772D . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00407730 . 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00407733 . 50 push eax
00407734 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00407737 . 51 push ecx
00407738 . 52 push edx
00407739 . 6A 03 push 3
0040773B . FF15 48114000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeStrList
00407741 . 8D45 90 lea eax,dword ptr ss:[ebp-70]
00407744 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00407747 . 50 push eax
00407748 . 8D55 B0 lea edx,dword ptr ss:[ebp-50]
0040774B . 51 push ecx
0040774C . 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0040774F . 52 push edx
00407750 . 50 push eax
00407751 . 6A 04 push 4
00407753 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVarList
00407759 . 8B5D 08 mov ebx,dword ptr ss:[ebp+8] ; restore ebx = arg1 ptr (ebx was reused for imports above)
0040775C . B8 01000000 mov eax,1
00407761 . 83C4 24 add esp,24
00407764 . 03C6 add eax,esi ; i + 1
00407766 . 70 79 jo short 测试水平.004077E1
00407768 . 8BF0 mov esi,eax
0040776A .^ E9 FAFEFFFF jmp 测试水平.00407669 ; next iteration
0040776F > 8B55 DC mov edx,dword ptr ss:[ebp-24] ; final concatenated string
00407772 . 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00407775 . FF15 44114000 call dword ptr ds:[<&MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrCopy: [ebp-1C] = result (presumably the return slot; epilogue not shown)
0040777B . 68 CB774000 push 测试水平.004077CB
00407780 . EB 3F jmp short 测试水平.004077C1 ; to the cleanup / epilogue (not in the listing)
00407782 . F645 FC 04 test byte ptr ss:[ebp-4],4
00407786 . 74 09 je short 测试水平.00407791
____________________________________________________________________________________________________________________________
输入用户名分两种可能：用户名位数 > 5（机器码位数）时在机器码后面补空格，< 5 时在用户名后面补空格，保证后面的与/或运算逐位对齐；空格为 &H20。
如果结果是:
<5位的办法是用户名后面补空格.
>5位的是机器码后面补空格.
下面是用小于5位做计算
用户名steak换成HEX
S T E A K
73 74 65 61 6B
用户名位数-机器位数 =0 不用做补空格处理
第一组机器码HEX
1 2 1 5 4
31 32 31 35 34
把HEX值 转换成DEC
73 OR 31 = &H73 = 115
74 OR 32 = &H76 = 118
65 OR 31 = &H75 = 117
61 OR 35 = &H75 = 117
6B OR 34 = &H7F = 127
115118117117127 MD5加密 dec944dd : f2bf56c31f1b4ec4 : 3db212db
从左边开始取得10位
dec944ddf2 得到第一组注册码
第二组机器码HEX
9 5 4 2 9
39 35 34 32 39
73 AND 39 = &H31 = 49
74 AND 25 = &H34 = 52
65 AND 34 = &H24 = 36
61 AND 32 = &H20 = 32
6B AND 39 = &H29 = 41
4952363241 MD5加密 d977330b : 7ebe21f5 : c532670ed9a46a65 : 9df6ec27
从右边开始取10位
659df6ec27 得到第二组注册码
结果
用户名:steak
注册码:dec944ddf2+659df6ec27
这个CRACKME的下载地址
http://www2.pc2n.com/other/2006/7/2/exe/30056-1151791309316.exe
有空大家玩玩.这个不是我写的.是在QQ群里下载的.
小弟第一次写破文.如有错漏.请指出改正.谢谢
--------------------------------------------------------------------------------
【经验总结】
MD5 算法不可逆大家都知道了。如果程序是用公用的 MD5 模块做的，就没必要对 MD5 算法的 CALL 进行解构，关键在于 MD5 加密前与加密后的
处理。
--------------------------------------------------------------------------------
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!
2006年07月02日 6:09:04