【Title】: elance's crackme.NO1 algorithm analysis
【Author】: 网游难民
【Author e-mail】: goqq2008@qq.com
【Author homepage】: http://bbs.chinapyg.com
【Author QQ】: 8587365
【Software】: elance's crackme.NO1
【Size】: 24K
【Download】: local
【Packer】: none
【Protection】: serial number
【Language】: Microsoft Visual Basic 5.0 / 6.0
【Tools】: OD, PEiD
【Platform】: Win9x/NT/2000/XP
【Author's note】: I'm just a newbie; I picked up a little insight and want to share it with everyone :)
--------------------------------------------------------------------------------
【Walkthrough】
1. Checked the packer with PEiD: Microsoft Visual Basic 5.0 / 6.0, no packer.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Run the program. There is a NAG at startup: a dialog box pops up saying "This is my first~~~~~~".
Register in the registration window; enter wrong registration info to test. The program has a "tail"!
It says: "hehe,try again"
On closing the program, a website suddenly opens: http://bbs.crsky.com/
Let's get started:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Load it in OD, set the breakpoint bp rtcMsgBox (to intercept the message box), then press F9 to run, and we land here:
++++++++++++++++++++++++++++++++++++++++++++++++++++
The stack window gives a friendly hint:
0012F990 00402D47 crackme_.00402D47 ---- right-click here and choose "Follow in Disassembler".
0012F994 0012FA6C
0012F998 00000000
0012F99C 0012FA5C
0012F9A0 0012FA4C
0012F9A4 0012FA3C
0012F9A8 0012FB20
We arrive at the following place:
+++++++++++++++++++++++++++++++++++=
00402D40 . 50 PUSH EAX
00402D41 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox ---- this is the call that pops the NAG window; assemble here and change it to NOP.
00402D47 . 8D85 28FFFFFF LEA EAX,DWORD PTR SS:[EBP-D8] ------------------------------ we arrive here
00402D4D . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
00402D53 . 50 PUSH EAX
++++++++++++++++++++++++++++==
Then right-click -- Ultra String Reference+ -- Find UNICODE: http://bbs.crsky.com/
00402946 MOV DWORD PTR SS:[EBP-7C],c000rack.00401 please input your sn
004029BC PUSH c000rack.00401FF8 good job
004029E5 PUSH c000rack.00402010 hehe,try again
00402B14 PUSH c000rack.00402044 http://bbs.crsky.com ------------ click this one this time~~, which takes us to the following
00402B20 PUSH c000rack.00402034 open
00402C65 MOV DWORD PTR SS:[EBP-E0],c000rack.00402 this is my first crackme for
00402C81 MOV DWORD PTR SS:[EBP-F0],c000rack.00402 crack learning,i hope
+++++++++++++++++++++++++++++++++++++++++++++++++
00402B10 . 57 PUSH EDI
00402B11 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00402B14 . 68 44204000 PUSH crackme_.00402044 ; http://bbs.crsky.com
00402B19 . 52 PUSH EDX
00402B1A . FFD6 CALL ESI ; <&MSVBVM60.__vbaStrToAnsi>
00402B1C . 50 PUSH EAX
00402B1D . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00402B20 . 68 34204000 PUSH crackme_.00402034 ; open
00402B25 . 50 PUSH EAX
00402B26 . FFD6 CALL ESI
00402B28 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
00402B2B . 50 PUSH EAX
00402B2C . 51 PUSH ECX
00402B2D E8 7AF5FFFF CALL crackme_.004020AC ------------------------------ NOP this one out
00402B32 . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00402B38 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
Right-click -- Ultra String Reference+ -- Find UNICODE. Found this:
Ultra String Reference+
Address Disassembly Text string
00401244 PUSH c000rack.00401514 (initial CPU selection)
00402484 MOV DWORD PTR SS:[EBP-7C],c000rack.00401 elance
00402833 MOV DWORD PTR SS:[EBP-8C],c000rack.00401 warning
0040284E MOV DWORD PTR SS:[EBP-7C],c000rack.00401 please input your name
0040292B MOV DWORD PTR SS:[EBP-8C],c000rack.00401 warning
00402946 MOV DWORD PTR SS:[EBP-7C],c000rack.00401 please input your sn
004029BC PUSH c000rack.00401FF8 good job -------------- should be the registration success message
004029E5 PUSH c000rack.00402010 hehe,try again ---------- registration failure message; double-click here to reach the following:
00402B14 PUSH c000rack.00402044 http://bbs.crsky.com
++++++++++++++++++++++++++++++++++++++++++++++
We arrive here:
004029A1 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004029A4 . 50 PUSH EAX
004029A5 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004029A7 . 75 29 JNZ SHORT c000rack.004029D2 ----------------------- this is the key jump; simply change JNZ to JZ and it is patched.
004029A9 . FF91 04030000 CALL DWORD PTR DS:[ECX+304]
004029AF . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004029B2 . 50 PUSH EAX
004029B3 . 52 PUSH EDX
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Continuing the analysis: search for the first "warning", go up a little to find a suitable place for a breakpoint, and we arrive at the following:
0040245F > /B8 06000000 MOV EAX,6
00402464 . |66:3BF0 CMP SI,AX
00402467 . |0F8F 97000000 JG crackme_.00402504
0040246D . |8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
00402473 . |8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00402476 . |C745 B4 01000>MOV DWORD PTR SS:[EBP-4C],1
0040247D . |C745 AC 02000>MOV DWORD PTR SS:[EBP-54],2
00402484 . |C745 84 541F4>MOV DWORD PTR SS:[EBP-7C],crackme_.00401>; elance
0040248B . |C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],8
00402495 . |FF15 AC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0040249B . |0FBFCE MOVSX ECX,SI
0040249E . |8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004024A1 . |8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004024A4 . |50 PUSH EAX
004024A5 . |51 PUSH ECX
004024A6 . |8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
004024A9 . |52 PUSH EDX
004024AA . |50 PUSH EAX
004024AB . |FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004024B1 . |8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004024B4 . |8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004024B7 . |51 PUSH ECX
004024B8 . |52 PUSH EDX
004024B9 . |FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
004024BF . |50 PUSH EAX
004024C0 . |FFD3 CALL EBX
004024C2 . |8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28] ; 把上次的结果放入ECX
004024C5 . |0FBFC0 MOVSX EAX,AX ; elance的ASCII码,放入EAX
004024C8 . |03C1 ADD EAX,ECX ; elance的ASCII码的和,放入EAX
004024CA . |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004024CD . |0F80 A3050000 JO crackme_.00402A76
004024D3 . |8945 D8 MOV DWORD PTR SS:[EBP-28],EAX ; 放入SS:[EBP-28]
004024D6 . |FFD7 CALL EDI
004024D8 . |8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004024DB . |8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004024DE . |51 PUSH ECX
004024DF . |8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004024E2 . |52 PUSH EDX
004024E3 . |50 PUSH EAX
004024E4 . |6A 03 PUSH 3
004024E6 . |FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004024EC . |B8 01000000 MOV EAX,1 ; EAX置一
004024F1 . |83C4 10 ADD ESP,10
004024F4 . |66:03C6 ADD AX,SI ; 求第几次回旋,控制
004024F7 . |0F80 79050000 JO crackme_.00402A76
004024FD . |8BF0 MOV ESI,EAX
004024FF .^\E9 5BFFFFFF JMP crackme_.0040245F -------------------------- loop accumulating the ASCII sum of "elance".
00402504 > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402507 . 50 PUSH EAX
00402508 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040250A . FF91 08030000 CALL DWORD PTR DS:[ECX+308]
\\\\\\\\\\\\\\\\\\\\\ N lines omitted \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
0040253B . 50 PUSH EAX
0040253C . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402542 > 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] ; user name into EDX~~
00402545 . 52 PUSH EDX
00402546 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0040254C . 8BC8 MOV ECX,EAX ; user name length, computed above, into ECX
0040254E . FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
00402554 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00402557 . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EAX ; user name length into EBP-D0
0040255D . BE 01000000 MOV ESI,1
00402562 . FFD7 CALL EDI
00402564 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402567 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040256D > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402570 . 66:3BB5 30FFF>CMP SI,WORD PTR SS:[EBP-D0] ; compare the loop counter with the number of characters in the user name
00402577 . 50 PUSH EAX
00402578 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040257A . 0F8F D6000000 JG crackme_.00402656 ; jump if greater
00402580 . FF91 08030000 CALL DWORD PTR DS:[ECX+308]
00402586 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
00402589 . 50 PUSH EAX
0040258A . 52 PUSH EDX
0040258B . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00402591 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
00402593 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00402596 . 52 PUSH EDX
00402597 . 50 PUSH EAX
00402598 . 8985 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EAX
0040259E . FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]
004025A4 . 85C0 TEST EAX,EAX
004025A6 . DBE2 FCLEX
004025A8 . 7D 18 JGE SHORT crackme_.004025C2
004025AA . 8B8D 48FFFFFF MOV ECX,DWORD PTR SS:[EBP-B8]
004025B0 . 68 A0000000 PUSH 0A0
004025B5 . 68 641F4000 PUSH crackme_.00401F64
004025BA . 51 PUSH ECX
004025BB . 50 PUSH EAX
004025BC . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004025C2 > 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; user name
004025C5 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004025C8 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX ; user name into SS:[EBP-3C]
004025CB . 52 PUSH EDX
004025CC . 0FBFC6 MOVSX EAX,SI
004025CF . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004025D2 . 50 PUSH EAX
004025D3 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
004025D6 . 51 PUSH ECX
004025D7 . 52 PUSH EDX
004025D8 . C745 B4 01000>MOV DWORD PTR SS:[EBP-4C],1
004025DF . C745 AC 02000>MOV DWORD PTR SS:[EBP-54],2
004025E6 . C745 D4 00000>MOV DWORD PTR SS:[EBP-2C],0
004025ED . C745 BC 08000>MOV DWORD PTR SS:[EBP-44],8
004025F4 . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004025FA . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
004025FD . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00402600 . 50 PUSH EAX
00402601 . 51 PUSH ECX
00402602 . FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00402608 . 50 PUSH EAX
00402609 . FFD3 CALL EBX
0040260B . 0FBFD0 MOVSX EDX,AX ; ASCII code of the current user-name character (AX) into EDX
0040260E . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00402611 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00402614 . 03D0 ADD EDX,EAX ; accumulate the user name's ASCII codes; running sum in EDX
00402616 . 0F80 5A040000 JO crackme_.00402A76
0040261C . 8955 DC MOV DWORD PTR SS:[EBP-24],EDX ; store the sum from above in EBP-24
0040261F . FFD7 CALL EDI
00402621 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402624 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040262A . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0040262D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00402630 . 50 PUSH EAX
00402631 . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00402634 . 51 PUSH ECX
00402635 . 52 PUSH EDX
00402636 . 6A 03 PUSH 3
00402638 . FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040263E . B8 01000000 MOV EAX,1
00402643 . 83C4 10 ADD ESP,10
00402646 . 66:03C6 ADD AX,SI ; compute which iteration this is; controls the loop count
00402649 . 0F80 27040000 JO crackme_.00402A76
0040264F . 8BF0 MOV ESI,EAX
00402651 .^ E9 17FFFFFF JMP crackme_.0040256D ------------------ loop accumulating the ASCII sum of the user name.
00402656 > FF91 04030000 CALL DWORD PTR DS:[ECX+304]
0040265C . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0040265F . 50 PUSH EAX
\\\\\\\\\\\\\\\\\\\\\\\\\ N lines omitted in between \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
00402687 . 50 PUSH EAX
00402688 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040268E > 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] ; serial into EDX
00402691 . 52 PUSH EDX
00402692 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00402698 . 8BC8 MOV ECX,EAX ; the CALL above returns the serial length in EAX, moved into ECX
0040269A . FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
004026A0 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004026A3 . 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8],EAX ; serial length into EBP-D8
004026A9 . BE 01000000 MOV ESI,1
004026AE . FFD7 CALL EDI
004026B0 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004026B3 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004026B9 > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004026BC . 66:3BB5 28FFF>CMP SI,WORD PTR SS:[EBP-D8] ; compare the loop counter with the number of characters in the serial
004026C3 . 50 PUSH EAX
004026C4 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004026C6 . 0F8F D6000000 JG crackme_.004027A2 ; jump if greater
004026CC . FF91 04030000 CALL DWORD PTR DS:[ECX+304]
004026D2 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004026D5 . 50 PUSH EAX
004026D6 . 52 PUSH EDX
004026D7 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004026DD . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004026DF . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004026E2 . 52 PUSH EDX
004026E3 . 50 PUSH EAX
004026E4 . 8985 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EAX
004026EA . FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]
004026F0 . 85C0 TEST EAX,EAX
004026F2 . DBE2 FCLEX
004026F4 . 7D 18 JGE SHORT crackme_.0040270E
004026F6 . 8B8D 48FFFFFF MOV ECX,DWORD PTR SS:[EBP-B8]
004026FC . 68 A0000000 PUSH 0A0
00402701 . 68 641F4000 PUSH crackme_.00401F64
00402706 . 51 PUSH ECX
00402707 . 50 PUSH EAX
00402708 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040270E > 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; serial into EAX
00402711 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
00402714 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX ; serial into SS:[EBP-3C]
00402717 . 52 PUSH EDX
00402718 . 0FBFC6 MOVSX EAX,SI
0040271B . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0040271E . 50 PUSH EAX
0040271F . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
00402722 . 51 PUSH ECX
00402723 . 52 PUSH EDX
00402724 . C745 B4 01000>MOV DWORD PTR SS:[EBP-4C],1
0040272B . C745 AC 02000>MOV DWORD PTR SS:[EBP-54],2
00402732 . C745 D4 00000>MOV DWORD PTR SS:[EBP-2C],0
00402739 . C745 BC 08000>MOV DWORD PTR SS:[EBP-44],8
00402740 . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
00402746 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00402749 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
0040274C . 50 PUSH EAX
0040274D . 51 PUSH ECX
0040274E . FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00402754 . 50 PUSH EAX
00402755 . FFD3 CALL EBX ; fetch the ASCII code of the corresponding serial character into AX
00402757 . 0FBFD0 MOVSX EDX,AX ; into EDX
0040275A . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; running sum of the serial's ASCII codes into EAX
0040275D . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00402760 . 03D0 ADD EDX,EAX
00402762 . 0F80 0E030000 JO crackme_.00402A76
00402768 . 8955 E0 MOV DWORD PTR SS:[EBP-20],EDX ; store the updated running sum of the serial in EBP-20
0040276B . FFD7 CALL EDI
0040276D . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402770 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402776 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00402779 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0040277C . 50 PUSH EAX
0040277D . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00402780 . 51 PUSH ECX
00402781 . 52 PUSH EDX
00402782 . 6A 03 PUSH 3
00402784 . FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040278A . B8 01000000 MOV EAX,1
0040278F . 83C4 10 ADD ESP,10
00402792 . 66:03C6 ADD AX,SI ; compute the loop count
00402795 . 0F80 DB020000 JO crackme_.00402A76
0040279B . 8BF0 MOV ESI,EAX ; loop count into ESI
0040279D .^ E9 17FFFFFF JMP crackme_.004026B9 ------------------------- loop accumulating the ASCII sum of the serial.
004027A2 > FF91 08030000 CALL DWORD PTR DS:[ECX+308]
004027A8 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004027AB . 50 PUSH EAX
004027AC . 52 PUSH EDX
\\\\\\\\\\\\\\\\\\\\\\\\\\ N lines omitted in between \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
0040297D . 6A 04 PUSH 4
0040297F . FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00402985 . 83C4 14 ADD ESP,14
00402988 > 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20] ; ASCII sum of the serial into ECX
0040298B . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] ; ASCII sum of the registration name into EDX
0040298E . 2BCA SUB ECX,EDX ; subtract the two; call the result A
00402990 . 0F80 E0000000 JO crackme_.00402A76
00402996 . FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Abs>; MSVBVM60.__vbaI4Abs
0040299C . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28] ; ASCII sum of "elance" into ECX
0040299F . 3BC1 CMP EAX,ECX ; compare |A| (returned by __vbaI4Abs in EAX) with the ASCII sum of "elance"
004029A1 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004029A4 . 50 PUSH EAX
004029A5 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004029A7 . 75 29 JNZ SHORT crackme_.004029D2 -------------------- if not equal, jump to death. Game over!
004029A9 . FF91 04030000 CALL DWORD PTR DS:[ECX+304]
004029AF . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004029B2 . 50 PUSH EAX
004029B3 . 52 PUSH EDX
--------------------------------------------------------------------------------
【Lessons learned】
////////////////////////////////////////////////////////////////////////////////////////////
Summary:
1) NOP out 00402D41 to remove the dialog box
2) NOP out 00402B2D to remove the URL call
3) 004029A7 ---> patch point
4) Algorithm: (ASCII sum of the serial) - (ASCII sum of the user name); the absolute value of the result is compared with the ASCII sum of "elance", and if they are equal registration succeeds
5) A working registration pair: name: goqq2008
code: NNNNNNNNNNNNNNNX
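To pin the recovered algorithm down, here is a Python re-implementation of the check the listing performs (an added example, not the crackme's own code; the function names are mine, and the empty-input guard is inferred from the "please input your name" / "please input your sn" strings):

```python
# Re-implementation of the registration check recovered from the disassembly above.
# Added example; names are mine, the constants and addresses in comments mirror the listing.

VB_LONG_MAX = 2**31 - 1  # every ADD is followed by JO crackme_.00402A76 (VB overflow error)

def ascii_sum(text):
    """Sum Asc(Mid$(text, i, 1)) for i = 1..Len(text), exactly as the three loops do."""
    total = 0
    for ch in text:
        total += ord(ch)              # MOVSX EAX,AX / ADD EAX,ECX
        if total > VB_LONG_MAX:       # JO -> VB runtime error, so never "good job"
            raise OverflowError("VB Long overflow")
    return total

# 0040245F..004024FF: MOV EAX,6 / CMP SI,AX / JG -> the constant loop runs exactly 6 times
CONSTANT = "elance"
CONSTANT_SUM = ascii_sum(CONSTANT)    # ends up in SS:[EBP-28]

def check_serial(name, code):
    """True when the crackme would answer 'good job', False for 'hehe,try again'."""
    # 0040284E / 00402946: an empty name or serial only produces a 'please input ...' warning
    # (guard inferred from those strings; it matters because abs(0 - 616) == 616)
    if not name or not code:
        return False
    name_sum = ascii_sum(name)        # loop at 0040256D -> SS:[EBP-24]
    code_sum = ascii_sum(code)        # loop at 004026B9 -> SS:[EBP-20]
    a = code_sum - name_sum           # 0040298E SUB ECX,EDX
    return abs(a) == CONSTANT_SUM     # __vbaI4Abs ; 0040299F CMP EAX,ECX ; 004029A7 JNZ

if __name__ == "__main__":
    # the pair given in the summary: 642 + 616 == 15*78 + 88
    print(check_serial("goqq2008", "NNNNNNNNNNNNNNNX"))
```

Because only the difference of two character sums is tested, the abs() also accepts the pair swapped (name NNNNNNNNNNNNNNNX, serial goqq2008), which is why such a scheme offers no real protection.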
I can't post attachments; if you want to download it, please get it here:
http://bbs.chinapyg.com/viewthread.php?tid=6323&extra=page%3D1