【文章标题】: 一个VBCrackMe的简单分析
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
这个CrackMe主要有两个检测分支:
1,点击确定按钮时对输入的注册码进行验证(只用于第1关的验证)
2,在注册码框输入时,实时验证是否为正确的注册码(这里有个小小的前置检测,稍后会提到)(2-5关的验证)
先来看看分支1,这个算法比较简单(第1关)
0040D617 FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>; MSVBVM60.__vbaVarForInit
0040D61D 8B1D 28114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarCat>>; MSVBVM60.__vbaVarCat
0040D623 85C0 test eax,eax
....
....
....
0040D746 51 push ecx
0040D747 52 push edx
0040D748 FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext
0040D74E ^ E9 D0FEFFFF jmp VBCrackM.0040D623
上面循环的作用是得到固定数据:
D8 98 91 4E 01 96 6C 00 68 00 6C 00 38 00 37 00 ???.h.l.8.7.
33 00 30 00 3.0.
的逆序16进制字符串:
303337386C686CB8F3D4C6C6AE
(0378lhl阁云飘)
0040D7C2 FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>; MSVBVM60.__vbaVarForInit
0040D7C8 85C0 test eax,eax
0040D7CA 0F84 2E010000 je VBCrackM.0040D8FE
0040D7D0 B8 01000000 mov eax,1
0040D7D5 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-104]
0040D7DB 8985 04FFFFFF mov dword ptr ss:[ebp-FC],eax
......
......
0040D8F1 52 push edx
0040D8F2 50 push eax
0040D8F3 FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext
0040D8F9 ^ E9 CAFEFFFF jmp VBCrackM.0040D7C8
上面循环的作用是得到userName(例:"ikk")的逆序16进制字符串:
6B6B69
(kki)
0040D907 51 push ecx ; /
0040D908 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-E4] ; 把循环2得到的结果连接
0040D90E 52 push edx ; 到循环1的结果之后
0040D90F 50 push eax ; 得到注册码
0040D910 FFD3 call ebx ; MSVBVM60.__vbaVarCat
0040D912 8BD0 mov edx,eax ; \
0040D97A 52 push edx ; /
0040D97B 50 push eax ; 用变换得到的注册码和输入的注册码作比较
0040D97C C785 34FFFFFF 0000000>mov dword ptr ss:[ebp-CC],0 ; 相等则OK
0040D986 C785 1CFFFFFF 0880000>mov dword ptr ss:[ebp-E4],8008
0040D990 FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; MSVBVM60.__vbaVarTstEq
0040D996 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4] ; \
name:
1234
regcode:
303337386C686CB8F3D4C6C6AE6B6B69
(0378lhl阁云飘kki)
分支2(2-5关):
0040E5FA FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForInit>; MSVBVM60.__vbaVarForInit
0040E600 85C0 test eax,eax
0040E602 0F84 32010000 je VBCrackM.0040E73A
......
......
0040E72D 50 push eax
0040E72E 51 push ecx
0040E72F FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext
0040E735 ^ E9 C6FEFFFF jmp VBCrackM.0040E600
上面循环的作用是得到固定数据:
D8 98 91 4E 01 96 6C 00 68 00 6C 00 38 00 37 00 ???.h.l.8.7.
33 00 30 00 3.0.
的逆序16进制字符串:
303337386C686CB8F3D4C6C6AE
(0378lhl阁云飘)
//注意这里
0040E73A 8B55 0C mov edx,dword ptr ss:[ebp+C] ; 检查是不是按了F2键,
0040E73D 66:833A 71 cmp word ptr ds:[edx],71 ; 如是,则验证注册码
0040E741 0F85 58220000 jnz VBCrackM.0041099F ; 所以2-5关填完注册码之后要在注册码框按一次F2键
0040E7BC FF15 6C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForIn>; MSVBVM60.__vbaVarForInit
0040E7C2 85C0 test eax,eax ;
0040E7C4 0F84 38010000 je VBCrackM.0040E902 ;
0040E7CA B8 01000000 mov eax,1
.....
.....
0040E8F5 52 push edx
0040E8F6 50 push eax
0040E8F7 FF15 CC114000 call dword ptr ds:[<&MSVBVM60.__vbaVarForNe>; MSVBVM60.__vbaVarForNext
0040E8FD ^ E9 C0FEFFFF jmp VBCrackM.0040E7C2 ;
上面循环的作用是得到userName(例:"ikk")的逆序16进制字符串:
6B6B69
(kki)
0040E915 52 push edx
0040E916 50 push eax ; 把循环2得到的字符串
0040E917 FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; 连接到循环1得到的字符串后面
0040E91D 8BD0 mov edx,eax ; (就是分支1的注册码)
0040E91F 8D8D 4CFEFFFF lea ecx,dword ptr ss:[ebp-1B4]
303337386C686CB8F3D4C6C6AE6B6B69
0040E948 51 push ecx
0040E949 52 push edx
0040E94A C785 5CFDFFFF 0800000>mov dword ptr ss:[ebp-2A4],8 ; mid长度参数
0040E954 89BD 54FDFFFF mov dword ptr ss:[ebp-2AC],edi
0040E95A C785 5CFCFFFF 1E00000>mov dword ptr ss:[ebp-3A4],1E ; ADD 运算参数
0040E964 89BD 54FCFFFF mov dword ptr ss:[ebp-3AC],edi
0040E96A 89BD 6CFCFFFF mov dword ptr ss:[ebp-394],edi
0040E970 89BD 64FCFFFF mov dword ptr ss:[ebp-39C],edi
0040E976 C785 4CFCFFFF 1F00000>mov dword ptr ss:[ebp-3B4],1F ; SUB 运算参数
0040E980 89BD 44FCFFFF mov dword ptr ss:[ebp-3BC],edi
0040E986 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; 2 * length(userName)
0040E98C 50 push eax
0040E98D 8D85 74FDFFFF lea eax,dword ptr ss:[ebp-28C]
0040E993 50 push eax
0040E994 FF15 8C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; ADD 0x1E
0040E99A 8D8D 44FCFFFF lea ecx,dword ptr ss:[ebp-3BC]
0040E9A0 50 push eax
0040E9A1 8D95 64FDFFFF lea edx,dword ptr ss:[ebp-29C]
0040E9A7 51 push ecx
0040E9A8 52 push edx
0040E9A9 FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; SUB 0x1F
0040E9AF 50 push eax
0040E9B0 FF15 88114000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
0040E9B6 50 push eax
0040E9B7 8D85 4CFEFFFF lea eax,dword ptr ss:[ebp-1B4]
0040E9BD 8D8D C4FDFFFF lea ecx,dword ptr ss:[ebp-23C]
0040E9C3 50 push eax
0040E9C4 51 push ecx
0040E9C5 FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVa>; MSVBVM60.__vbaStrVarVal
0040E9CB 50 push eax
0040E9CC FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; 上面运算的结果为MID函数的起始地址参数
0040E9D2 8D95 44FDFFFF lea edx,dword ptr ss:[ebp-2BC]
0040E9D8 8D8D DCFEFFFF lea ecx,dword ptr ss:[ebp-124]
0040E9DE 8985 4CFDFFFF mov dword ptr ss:[ebp-2B4],eax
2 * 3 + 0x1E -0x1F =5
mid("303337386C686CB8F3D4C6C6AE6B6B69", 5, 8) = "37386C68"
0040EA36 C785 5CFDFFFF 0800000>mov dword ptr ss:[ebp-2A4],8
0040EA40 89BD 54FDFFFF mov dword ptr ss:[ebp-2AC],edi
0040EA46 C785 5CFCFFFF 1E00000>mov dword ptr ss:[ebp-3A4],1E
0040EA50 89BD 54FCFFFF mov dword ptr ss:[ebp-3AC],edi
0040EA56 89BD 6CFCFFFF mov dword ptr ss:[ebp-394],edi
0040EA5C 89BD 64FCFFFF mov dword ptr ss:[ebp-39C],edi
0040EA62 C785 4CFCFFFF 1700000>mov dword ptr ss:[ebp-3B4],17
0040EA6C 89BD 44FCFFFF mov dword ptr ss:[ebp-3BC],edi
0040EA72 52 push edx
0040EA73 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
......
0040EAB9 FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0040EABF 8D95 44FDFFFF lea edx,dword ptr ss:[ebp-2BC]
0040EAC5 8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp-154]
mid("303337386C686CB8F3D4C6C6AE6B6B69", 13, 8) = "6CB8F3D4"
0040EB24 C785 5CFDFFFF 0800000>mov dword ptr ss:[ebp-2A4],8
0040EB2E 89BD 54FDFFFF mov dword ptr ss:[ebp-2AC],edi
0040EB34 C785 5CFCFFFF 1E00000>mov dword ptr ss:[ebp-3A4],1E
0040EB3E 89BD 54FCFFFF mov dword ptr ss:[ebp-3AC],edi
0040EB44 89BD 6CFCFFFF mov dword ptr ss:[ebp-394],edi
0040EB4A 89BD 64FCFFFF mov dword ptr ss:[ebp-39C],edi
0040EB50 C785 4CFCFFFF 0F00000>mov dword ptr ss:[ebp-3B4],0F
0040EB5A 89BD 44FCFFFF mov dword ptr ss:[ebp-3BC],edi
0040EB60 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
.......
0040EBA5 50 push eax
0040EBA6 FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
mid("303337386C686CB8F3D4C6C6AE6B6B69", 21, 8) = "C6C6AE6B"
0040EC11 C785 5CFDFFFF 0800000>mov dword ptr ss:[ebp-2A4],8
0040EC1B 89BD 54FDFFFF mov dword ptr ss:[ebp-2AC],edi
0040EC21 C785 5CFCFFFF 1E00000>mov dword ptr ss:[ebp-3A4],1E ;
0040EC2B 89BD 54FCFFFF mov dword ptr ss:[ebp-3AC],edi
0040EC31 89BD 6CFCFFFF mov dword ptr ss:[ebp-394],edi
0040EC37 89BD 64FCFFFF mov dword ptr ss:[ebp-39C],edi
0040EC3D C785 4CFCFFFF 0700000>mov dword ptr ss:[ebp-3B4],7 ;
0040EC47 89BD 44FCFFFF mov dword ptr ss:[ebp-3BC],edi
0040EC4D FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
......
0040EC93 FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
mid("303337386C686CB8F3D4C6C6AE6B6B69", 29, 8) = "6B69"
0040ECFE C785 5CFDFFFF 0800000>mov dword ptr ss:[ebp-2A4],8
0040ED08 89BD 54FDFFFF mov dword ptr ss:[ebp-2AC],edi
0040ED0E C785 5CFCFFFF 1E00000>mov dword ptr ss:[ebp-3A4],1E
0040ED18 89BD 54FCFFFF mov dword ptr ss:[ebp-3AC],edi
0040ED1E 89BD 6CFCFFFF mov dword ptr ss:[ebp-394],edi
0040ED24 89BD 64FCFFFF mov dword ptr ss:[ebp-39C],edi
0040ED2A C785 4CFCFFFF 0F00000>mov dword ptr ss:[ebp-3B4],0F
0040ED34 89BD 44FCFFFF mov dword ptr ss:[ebp-3BC],edi
0040ED3A FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
......
0040ED80 FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
mid("303337386C686CB8F3D4C6C6AE6B6B69", 21, 8) = "C6C6AE6B"
0040EDB7 C785 1CFDFFFF 0800000>mov dword ptr ss:[ebp-2E4],8
0040EDC1 89BD 14FDFFFF mov dword ptr ss:[ebp-2EC],edi
0040EDC7 C785 1CFCFFFF 1E00000>mov dword ptr ss:[ebp-3E4],1E
0040EDD1 89BD 14FCFFFF mov dword ptr ss:[ebp-3EC],edi
0040EDD7 89BD 2CFCFFFF mov dword ptr ss:[ebp-3D4],edi
0040EDDD 89BD 24FCFFFF mov dword ptr ss:[ebp-3DC],edi
0040EDE3 C785 0CFCFFFF 1700000>mov dword ptr ss:[ebp-3F4],17
0040EDED 89BD 04FCFFFF mov dword ptr ss:[ebp-3FC],edi
0040EDF3 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
......
0040EE39 FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
mid("303337386C686CB8F3D4C6C6AE6B6B69", 13, 8) = "6CB8F3D4"
0040EE71 8D95 B4FDFFFF lea edx,dword ptr ss:[ebp-24C] ; EDX->6CB8F3D4
0040EE77 51 push ecx
0040EE78 52 push edx
0040EE79 56 push esi
0040EE7A FF90 00070000 call dword ptr ds:[eax+700] ; VBCrackM.0040A4E6
0040EE80 85C0 test eax,eax
0040EE82 7D 12 jge short VBCrackM.0040EE96
------------------
0040EE7A FF90 00070000 call dword ptr ds:[eax+700] ; VBCrackM.0040A4E6
这个CALL的计算是这样的:
char str[] = "6CB8F3D4";
char referTbl[] = "0123456789ABCDEF";
int table [] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
double result = 0;
for(int i = 0, j = strlen(str)-1; i < strlen(str); i++)
{
for(int index = 0; index < strlen(referTbl); index++)
{
if(str[i] == referTbl[index])
{
result += pow(16.0, j) * table[index];
break;
}
}
j--;
}
result += 13588629.00000000;
---------------------
记做
A("6CB8F3D4") = 1.8379153980045399040E+14
0040EECC C785 DCFCFFFF 0800000>mov dword ptr ss:[ebp-324],8
0040EED6 89BD D4FCFFFF mov dword ptr ss:[ebp-32C],edi
0040EEDC C785 DCFBFFFF 1E00000>mov dword ptr ss:[ebp-424],1E
0040EEE6 89BD D4FBFFFF mov dword ptr ss:[ebp-42C],edi
0040EEEC 89BD ECFBFFFF mov dword ptr ss:[ebp-414],edi
0040EEF2 89BD E4FBFFFF mov dword ptr ss:[ebp-41C],edi
0040EEF8 C785 CCFBFFFF 1F00000>mov dword ptr ss:[ebp-434],1F
0040EF02 89BD C4FBFFFF mov dword ptr ss:[ebp-43C],edi
0040EF08 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
......
0040EF4E FF15 98104000 call dword ptr ds:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
0040EF54 8BD0 mov edx,eax
mid("303337386C686CB8F3D4C6C6AE6B6B69", 5, 8) = "37386C68"
0040EF7E 8B16 mov edx,dword ptr ds:[esi]
0040EF80 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-25C] ; eax=0016600C, (UNICODE "37386C68")
0040EF86 8D8D A8FDFFFF lea ecx,dword ptr ss:[ebp-258]
0040EF8C 50 push eax
0040EF8D 51 push ecx
0040EF8E 56 push esi
0040EF8F FF92 00070000 call dword ptr ds:[edx+700]
0040EF95 85C0 test eax,eax
0040EF97 7D 12 jge short VBCrackM.0040EFAB
A("37386C68") = 940033277
0040EFDA 8B06 mov eax,dword ptr ds:[esi]
0040EFDC 8D8D BCFDFFFF lea ecx,dword ptr ss:[ebp-244]
0040EFE2 8D95 C0FDFFFF lea edx,dword ptr ss:[ebp-240] ; edx=00164494, (UNICODE "C6C6AE6B")
0040EFE8 51 push ecx
0040EFE9 52 push edx
0040EFEA 56 push esi
0040EFEB FF90 00070000 call dword ptr ds:[eax+700]
0040EFF1 85C0 test eax,eax
0040EFF3 7D 12 jge short VBCrackM.0040F007
A("C6C6AE6B") = 3348498176
0040F014 DC85 98FBFFFF fadd qword ptr ss:[ebp-468]
0040F01A 8D95 A4FBFFFF lea edx,dword ptr ss:[ebp-45C]
0040F020 8D8D DCFEFFFF lea ecx,dword ptr ss:[ebp-124]
0040F026 C785 A4FBFFFF 0500000>mov dword ptr ss:[ebp-45C],5
0040F030 DC85 90FBFFFF fadd qword ptr ss:[ebp-470]
0040F036 DC0D 80124000 fmul qword ptr ds:[401280] ; * 30001.00000000000
(3348498176.0000000000 + 1837649001.000000 + 940033277.0000000) *30001.00000000000 = 1.8379153980045399040e+14
0040F0FC 50 push eax
0040F0FD 56 push esi
0040F0FE FF93 0C070000 call dword ptr ds:[ebx+70C] ; str->HEX
0040F104 85C0 test eax,eax
0040F106 7D 12 jge short VBCrackM.0040F11A
183791539800454 -> A7284D714986
0040F11A 8B8D C0FDFFFF mov ecx,dword ptr ss:[ebp-240]
0040F120 BB 08000000 mov ebx,8
0040F125 53 push ebx
0040F126 51 push ecx
0040F127 FF15 B8114000 call dword ptr ds:[<&MSVBVM60.#618>] ; MSVBVM60.rtcRightCharBstr
0040F12D 8D95 84FDFFFF lea edx,dword ptr ss:[ebp-27C]
Right("A7284D714986", 8) = "4D714986"
0040F197 50 push eax ; 0x6B69
0040F198 FF15 14114000 call dword ptr ds:[<&MSVBVM60.__vbaR8ErrVar>; MSVBVM60.__vbaR8ErrVar
0040F19E DC0D 80124000 fmul qword ptr ds:[401280] ; * 30001.00000000000
0040F1A4 83EC 08 sub esp,8
0x6B69 * 30001.00000000000 = 824937497.00000000000
0040F1C8 50 push eax
0040F1C9 56 push esi
0040F0FE FF93 0C070000 call dword ptr ds:[ebx+70C] ; str->HEX
0040F1D0 85C0 test eax,eax
0040F1D2 7D 12 jge short VBCrackM.0040F1E6
824937497 ->"312B8C19"
0040F1EC BB 08000000 mov ebx,8
0040F1F1 53 push ebx
0040F1F2 52 push edx
0040F1F3 FF15 B8114000 call dword ptr ds:[<&MSVBVM60.#618>] ; MSVBVM60.rtcRightCharBstr
0040F1F9 8D95 74FDFFFF lea edx,dword ptr ss:[ebp-28C]
Right("312B8C19", 8) = "312B8C19"
0040F2A7 50 push eax
0040F2A8 52 push edx
0040F2A9 FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; MSVBVM60.__vbaVarSub
0040F2AF 50 push eax
0040F2B0 8D85 C4FDFFFF lea eax,dword ptr ss:[ebp-23C]
824937497.00000000000 - 1299270022.000000 = -474332525.000000
0040F2BD 50 push eax
0040F2BE 56 push esi
0040F0FE FF93 0C070000 call dword ptr ds:[ebx+70C] ; str->HEX
0040F2C5 85C0 test eax,eax
-474332525 -> "1C45BD6D"
0040F36A 52 push edx
0040F36B 50 push eax
0040F36C 56 push esi
0040F36D FF91 00070000 call dword ptr ds:[ecx+700]
0040F373 85C0 test eax,eax
0040F375 7D 12 jge short VBCrackM.0040F389
A("1C45BD6D") = "487921154"
0040F395 51 push ecx
0040F396 52 push edx
0040F397 FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; 计算得到的注册码和输入注册码进行比较
0040F39D 8BD8 mov ebx,eax
0040F39F 8D85 C0FDFFFF lea eax,dword ptr ss:[ebp-240]
name:ikk
code:487921154
第3关:
0040F40B 8B46 78 mov eax,dword ptr ds:[esi+78]
0040F40E 66:8B50 04 mov dx,word ptr ds:[eax+4]
0040F412 66:83C2 01 add dx,1
...
0040F66F FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; MSVBVM60.__vbaVarTstEq
0040F675 F7D0 not eax
0040F677 8D8D 74FDFFFF lea ecx,dword ptr ss:[ebp-28C]
0040F67D 66:8985 8CFBFFFF mov word ptr ss:[ebp-474],ax
0040F684 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0040F68A 66:83BD 8CFBFFFF 00 cmp word ptr ss:[ebp-474],0
0040F692 ^ 0F85 73FDFFFF jnz VBCrackM.0040F40B
以上循环的作用是用不带参数的Rnd函数生成4个(0, 100)内的随机数字,并连接,循环userName的长度 * 0x58 + 0x2DA次,保留最后一次的结果
我这里循环次数是len("ikk") * 0x58 + 0x2DA = 0x3E2次,结果是:
"21259584"
用VB来表示,大概是这样
-----------
Dim i As Integer
Dim count As Integer
Dim a1 As Integer
Dim a2 As Integer
Dim a3 As Integer
Dim a4 As Integer
Dim result As String count = len(userName) * &H58 + &H2DA
For i = 1 To count
a1 = Rnd() * 100.0
a2 = Rnd() * 100.0
a3 = Rnd() * 100.0
a4 = Rnd() * 100.0
Next i result = Trim(Str(a1)) + Trim(Str(a2)) + Trim(Str(a3)) + Trim(Str(a4))
----------
不会VB,临时翻的MSDN,大家看个大概的意思就行了.
0040F6FA 8D85 C0FDFFFF lea eax,dword ptr ss:[ebp-240]
0040F700 8D8D D8FDFFFF lea ecx,dword ptr ss:[ebp-228] ; ECX=00164ACC("1C45BD6D")
0040F706 50 push eax
0040F707 51 push ecx
0040F708 56 push esi
0040F709 C785 C4FDFFFF 0000000>mov dword ptr ss:[ebp-23C],0
0040F713 C785 74FDFFFF 0880000>mov dword ptr ss:[ebp-28C],8008
0040F71D FF92 00070000 call dword ptr ds:[edx+700] ; VBCrackM.0040A4E6
0040F723 85C0 test eax,eax
0040F725 7D 12 jge short VBCrackM.0040F739
A("1C45BD6D") = "487921154"
0040F739 8B95 C0FDFFFF mov edx,dword ptr ss:[ebp-240]
0040F73F 52 push edx
0040F740 FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
0040F746 DC05 70124000 fadd qword ptr ds:[401270]
0040F74C 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
0040F752 8D95 64FCFFFF lea edx,dword ptr ss:[ebp-39C]
487921154.00000000000 + 8730.000000000000 = 487929884.00000000000
0040F780 52 push edx
0040F781 50 push eax
0040F782 FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0040F788 50 push eax
"21259584" + "487929884" = "21259584487929884"
userName:
ikk
code:
21259584487929884
第4关:
0040F825 52 push edx
0040F826 56 push esi
0040F827 FF90 10070000 call dword ptr ds:[eax+710] ; 取D盘的SerialNumber
0040F82D 85C0 test eax,eax
0040F82F 7D 12 jge short VBCrackM.0040F843
D盘的SerialNum:6CE2-CC00
0040F87B 8D85 D8FDFFFF lea eax,dword ptr ss:[ebp-228] ; EAX=00164ACC("1C45BD6D")
0040F881 52 push edx
0040F882 50 push eax
0040F883 56 push esi
0040F884 FF91 00070000 call dword ptr ds:[ecx+700]
0040F88A 85C0 test eax,eax
0040F88C 7D 12 jge short VBCrackM.0040F8A0
A("1C45BD6D") = "487921154"
0040F8A6 51 push ecx
0040F8A7 FF15 50114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
0040F8AD DC0D 70124000 fmul qword ptr ds:[401270] ; ds:[00401270]=8730.000000000000
0040F8B3 8D95 64FCFFFF lea edx,dword ptr ss:[ebp-39C]
0040F8B9 8D8D 84FDFFFF lea ecx,dword ptr ss:[ebp-27C]
487921154.00000000000 * 8730.000000000000 = 4.2595516744199997440e+12
0040F8E0 50 push eax
0040F8E1 51 push ecx
0040F8E2 FF15 00104000 call dword ptr ds:[<&MSVBVM60.__vbaVarSub>] ; MSVBVM60.__vbaVarSub
0040F8E8 8BD0 mov edx,eax
0040F8EA 8D8D 2CFEFFFF lea ecx,dword ptr ss:[ebp-1D4]
4259551674420.000 - 21259584.00000000 = 4.2595304148359997440E+12
0040F912 50 push eax
0040F913 FF15 04114000 call dword ptr ds:[<&MSVBVM60.#713>] ; MSVBVM60.rtcStrReverse
0040F919 8BD0 mov edx,eax
Reverse("4259530414836") = "6384140359524"
0040F934 51 push ecx
0040F935 52 push edx
0040F936 FF15 24114000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0040F93C 50 push eax
D盘SerialNum转换为10进制字符串
6CE2-CC00 -> 1826802688
0040F93C 50 push eax
0040F93D FF15 04114000 call dword ptr ds:[<&MSVBVM60.#713>] ; MSVBVM60.rtcStrReverse
0040F943 8BD0 mov edx,eax
0040F945 8D8D B8FDFFFF lea ecx,dword ptr ss:[ebp-248]
Reverse("1826802688") = "8862086281"
0040F951 50 push eax
0040F952 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0040F958 8BD0 mov edx,eax
0040F95A 8D8D B4FDFFFF lea ecx,dword ptr ss:[ebp-24C]
"6384140359524" + "8862086281" -> "63841403595248862086281"
0040F966 50 push eax
0040F967 FF15 04114000 call dword ptr ds:[<&MSVBVM60.#713>] ; MSVBVM60.rtcStrReverse
0040F96D 8D95 84FDFFFF lea edx,dword ptr ss:[ebp-27C]
0040F973 8D8D DCFDFFFF lea ecx,dword ptr ss:[ebp-224]
Reverse("63841403595248862086281") = "18268026884259530414836"
0040FA0B 68 18AF4000 push VBCrackM.0040AF18 ; UNICODE "PYG"
0040FA10 68 24AF4000 push VBCrackM.0040AF24
0040FA15 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0040FA1B 8BD0 mov edx,eax
0040FA92 50 push eax
0040FA93 6A 01 push 1
0040FA95 FF15 04104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>] ; MSVBVM60.__vbaStrI2
0040FA9B 8BD0 mov edx,eax
1 -> "1"
0040FAA9 50 push eax
0040FAAA FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0040FAB0 8BD0 mov edx,eax
0040FAB2 8D8D A8FDFFFF lea ecx,dword ptr ss:[ebp-258]
"63841403595248862086281" + "1" -> "638414035952488620862811"
0040FABE 50 push eax
0040FABF FF15 04114000 call dword ptr ds:[<&MSVBVM60.#713>] ; MSVBVM60.rtcStrReverse
0040FAC5 8BD0 mov edx,eax
Reverse("638414035952488620862811") = "118268026884259530414836"
0040FAD3 50 push eax
0040FAD4 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0040FADA 8BD0 mov edx,eax
0040FADC 8D8D 9CFDFFFF lea ecx,dword ptr ss:[ebp-264]
"PYG-" + "118268026884259530414836" -> "PYG-118268026884259530414836"
0040FAE8 50 push eax
0040FAE9 FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0040FAEF F7D8 neg eax
计算得到的注册码和输入的注册码做比较
name:
ikk
code:
PYG-118268026884259530414836
第5关:
0040FBF3 8D85 C0FDFFFF lea eax,dword ptr ss:[ebp-240]
0040FBF9 50 push eax
0040FBFA E8 A12D0000 call VBCrackM.004129A0 ; MD5(userName),04129A0处是标准MD5运算
0040FBFF 8D95 84FDFFFF lea edx,dword ptr ss:[ebp-27C]
0040FC05 8D8D C8FDFFFF lea ecx,dword ptr ss:[ebp-238]
MD5("ikk") = "B5FCA0B63C6347B443180B87696BF5BE"
0040FC4A 89BD 6CFCFFFF mov dword ptr ss:[ebp-394],edi
0040FC50 89BD 64FCFFFF mov dword ptr ss:[ebp-39C],edi
0040FC56 FF15 8C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>] ; MSVBVM60.__vbaVarAdd
0040FC5C 50 push eax
1.8268026884259530240E+22 + 2 =
0040FC71 8D8D C4FDFFFF lea ecx,dword ptr ss:[ebp-23C]
0040FC77 51 push ecx
0040FC78 E8 232D0000 call VBCrackM.004129A0 ; 对上面得到的以科学计数法纪录的浮点数做MD5运算
0040FC7D 8D95 74FDFFFF lea edx,dword ptr ss:[ebp-28C]
0040FC83 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-94]
MD5("1.82680268842595E+22") -> "2B07D3ADFBC6EC263B9BEF82CC0E7699"
0040FCBF 52 push edx
0040FCC0 8D85 C8FDFFFF lea eax,dword ptr ss:[ebp-238]
0040FCC6 6A 01 push 1
0040FCC8 8D8D 74FDFFFF lea ecx,dword ptr ss:[ebp-28C]
0040FCCE 50 push eax
0040FCCF 51 push ecx
0040FCD0 C785 8CFDFFFF 0800000>mov dword ptr ss:[ebp-274],8
0040FCDA 89BD 84FDFFFF mov dword ptr ss:[ebp-27C],edi
0040FCE0 FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040FCE2 8D95 64FDFFFF lea edx,dword ptr ss:[ebp-29C]
mid("B5FCA0B63C6347B443180B87696BF5BE", 1, 8) = "B5FCA0B6"
0040FCEE 52 push edx
0040FCEF 6A 1C push 1C
0040FCF1 8D8D 54FDFFFF lea ecx,dword ptr ss:[ebp-2AC]
0040FCF7 50 push eax
0040FCF8 51 push ecx
0040FCF9 C785 6CFDFFFF 0500000>mov dword ptr ss:[ebp-294],5
0040FD03 89BD 64FDFFFF mov dword ptr ss:[ebp-29C],edi
0040FD09 FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040FD0B 8D95 74FDFFFF lea edx,dword ptr ss:[ebp-28C]
mid("2B07D3ADFBC6EC263B9BEF82CC0E7699", 28, 8) = "E7699"
0040FD17 52 push edx
0040FD18 8D8D 44FDFFFF lea ecx,dword ptr ss:[ebp-2BC]
0040FD1E 50 push eax
0040FD1F 51 push ecx
0040FD20 FF15 28114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0040FD26 8D95 C4FDFFFF lea edx,dword ptr ss:[ebp-23C]
"B5FCA0B6" + "E7699" -> "B5FCA0B6E7699"
0040FD34 50 push eax
0040FD35 FF15 04114000 call dword ptr ds:[<&MSVBVM60.#713>] ; MSVBVM60.rtcStrReverse
0040FD3B 8985 1CFDFFFF mov dword ptr ss:[ebp-2E4],eax
Reverse("B5FCA0B6E7699") = "9967E6B0ACF5B"
0040FD68 6A 07 push 7
0040FD6A 8D95 24FDFFFF lea edx,dword ptr ss:[ebp-2DC]
0040FD70 51 push ecx
0040FD71 52 push edx
0040FD72 FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040FD74 8B1D 24114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaStrVarVa>; MSVBVM60.__vbaStrVarVal
0040FD7A 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-94]
mid("B5FCA0B63C6347B443180B87696BF5BE", 7, 8) = "B63C6347B443180B87696"
0040FD8A 50 push eax
0040FD8B FF15 04114000 call dword ptr ds:[<&MSVBVM60.#713>] ; MSVBVM60.rtcStrReverse
0040FD91 8985 FCFCFFFF mov dword ptr ss:[ebp-304],eax
Reverse("9967E0CC28FEB9B362CE6CBFDA3D70B2") = "9967E0CC28FEB9B362CE6CBFDA3D70B2"
0040FDD7 50 push eax
0040FDD8 56 push esi
0040FDD9 FF91 0C070000 call dword ptr ds:[ecx+70C]
0040FDDF 85C0 test eax,eax
0040FDE1 7D 12 jge short VBCrackM.0040FDF5
183791539800454 -> A7284D714986
(数字的来历请参考前面的部分,这个CrackMe2-5关其实是一个连贯的过程,后面的计算往往用到前面的结果)
0040FE16 C785 B8FDFFFF 0000000>mov dword ptr ss:[ebp-248],0
0040FE20 C785 C4FCFFFF 0800000>mov dword ptr ss:[ebp-33C],8
0040FE2A 89BD 2CFCFFFF mov dword ptr ss:[ebp-3D4],edi
0040FE30 89BD 24FCFFFF mov dword ptr ss:[ebp-3DC],edi
0040FE36 C785 1CFCFFFF 0500000>mov dword ptr ss:[ebp-3E4],5
0040FE40 89BD 14FCFFFF mov dword ptr ss:[ebp-3EC],edi
0040FE46 FF15 F4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMul>] ; MSVBVM60.__vbaVarMul
......
0040FE77 FF15 BC114000 call dword ptr ds:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
0040FE7D 8B1D 28114000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
mid ("303337386C686CB8F3D4C6C6AE6B6B69", 9, 8) = "6C6AE6B6B69"
9967E6B0ACF5B
0040FE96 51 push ecx
0040FE97 52 push edx
0040FE98 FFD3 call ebx ; MSVBVM60.__vbaVarCat
0040FE9A 50 push eax
"9967E6B0ACF5B" + "B63C6347B443180B87696" -> "9967E6B0ACF5BB63C6347B443180B87696"?
0040FEA1 8D8D E4FCFFFF lea ecx,dword ptr ss:[ebp-31C]
0040FEA7 50 push eax
0040FEA8 51 push ecx
0040FEA9 FFD3 call ebx ; MSVBVM60.__vbaVarCat
0040FEAB 50 push eax
0040FEAC 8D95 34FCFFFF lea edx,dword ptr ss:[ebp-3CC]
"9967E6B0ACF5BB63C6347B443180B87696" + "9967E0CC28FEB9B362CE6CBFDA3D70B2"
->
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B2"
0040FEB2 8D85 D4FCFFFF lea eax,dword ptr ss:[ebp-32C]
0040FEB8 52 push edx
0040FEB9 50 push eax
0040FEBA FFD3 call ebx ; MSVBVM60.__vbaVarCat
0040FEBC 8D8D C4FCFFFF lea ecx,dword ptr ss:[ebp-33C]
0040FEC2 50 push eax
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B2" + "8730"
->
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730"
0040FEC2 50 push eax
0040FEC3 8D95 B4FCFFFF lea edx,dword ptr ss:[ebp-34C]
0040FEC9 51 push ecx
0040FECA 52 push edx
0040FECB FFD3 call ebx ; MSVBVM60.__vbaVarCat
0040FECD 50 push eax
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730" + "A7284D714986"
->
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730A7284D714986"
0040FEDA 50 push eax
0040FEDB 51 push ecx
0040FEDC FFD3 call ebx ; MSVBVM60.__vbaVarCat
0040FEDE 8B1D 14104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarMove>>; MSVBVM60.__vbaVarMove
0040FEE4 8BD0 mov edx,eax
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730A7284D714986" + "6C6AE6B6B69"
->
"9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730A7284D7149866C6AE6B6B69"
0040FF8C 50 push eax
0040FF8D 51 push ecx
0040FF8E FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
0040FF94 8BD0 mov edx,eax
strlen("9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730A7284D7149866C6AE6B6B69")
= 0x5D
0040FFE5 50 push eax
0040FFE6 FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0040FFEC 8D95 64FCFFFF lea edx,dword ptr ss:[ebp-39C]
strlen(inputCode)
00410032 51 push ecx ; /
00410033 52 push edx
00410034 FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstEq>] ; 输入字符串长度=计算得到的注册码的长度?
0041003A 66:85C0 test ax,ax
0041003D 0F84 5C090000 je VBCrackM.0041099F ; \
name:
ikk
code:
9967E6B0ACF5BB63C6347B443180B876969967E0CC28FEB9B362CE6CBFDA3D70B28730A7284D7149866C6AE6B6B69
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年08月12日 20:52:03
----------------
过程写的看起来又长又乱,其实自己动手跟一遍就会发现是很简单的.
crackMe下载:
http://bbs.pediy.com/showthread.php?s=&threadid=29803
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课