I haven't written anything in ages, so I'm picking something simple to get back into shape (don't say I'm farming experience points).
【Title】: Cracking Piaoyun Ge (飘云阁) Crackme 1.0
【Author】: qxtianlong
【Author e-mail】: kk5910@sina.com
【Author homepage】: http://qxtianlong.77169.com
【Author QQ】: 249935058
【Software name】: Crackme 1.0
【Software size】: 28k
【Download】: http://bbs.chinapyg.com/attachment.php?aid=10
【Packer】: none
【Protection】: none
【Language】: VB6
【Tools used】: OD (OllyDbg)
【Platform】: WINXP SP2
【Software description】: suitable for beginners to practise on
【Author's note】: done purely out of interest, with no other purpose. If I got anything wrong, I welcome corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】
Username: qxtianlong
Serial: 1093
Load the target in OD and hide OD.
Set breakpoints: bp __vbaLenBstr, __vbaStrCmp, rtcMsgBox
Press F9 to run, enter qxtianlong as the name and 78787878 as the code, and we break at
733B49CE MS> 8B4424 04 mov eax,dword ptr ss:[esp+4]
The information pane underneath shows
堆栈 ss:[0012F384]=00150C84, (UNICODE "qxtianlong")
eax=00150C84, (UNICODE "qxtianlong")
Then step on with F8 and note this:
733B49D6 8B40 FC mov eax,dword ptr ds:[eax-4]
733B49D9 D1E8 shr eax,1
This computes the length of qxtianlong (A), which is 10: the DWORD just before a VB BSTR holds its byte length, and shifting right by 1 turns the UTF-16 byte count into a character count.
Keep stepping with F8 until here:
004045F5 83F8 05 cmp eax,5
004045F8 /0F8D 85000000 jge crackme1.00404683
This presumably checks whether more than 5 characters were entered; if so, execution continues (jumps to 00404683), otherwise -_-!
00404683 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00404686 50 push eax
At 00404583 we see ebp=0012F468 and [ebp-1C]=0012F4FC, which contains 00150C84.
That is the same value as before, i.e. the address where qxtianlong is stored.
push eax pushes 00150C84 onto the stack at 0012F384.
Continuing, we see
00404687 FFD6 call esi ; MSVBVM60.__vbaLenBstr
This should again be computing the string length..
00404689 8BC8 mov ecx,eax
Moves the value in EAX into ECX (ECX=A)
0040468B FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; MSVBVM60.__vbaI2I4
00404691 8B1D 14104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList
Presumably this is where the username gets worked on, so step into the CALL and have a look. Judging by the word "free", that one should be for releasing things...
After stepping in we land at
733B49DE MS> 56 push esi
733B49DF 8BF1 mov esi,ecx
733B49E1 0FBFC6 movsx eax,si
733B49E4 3BC6 cmp eax,esi
733B49E6 0F85 3D1F0200 jnz MSVBVM60.733D6929
733B49EC 66:8BC6 mov ax,si
733B49EF 5E pop esi
733B49F0 C3 retn
push esi pushes the function address onto the stack:
0012F380 733B49CE MSVBVM60.__vbaLenBstr
mov esi,ecx
moves the value in ECX into ESI (A), i.e. 10
movsx eax,si
cmp eax,esi
compares eax with esi and jumps if they differ..
mov ax,si
pop esi pops the function address from the stack back into ESI
After the return, ds:[00401014]=73491073 (MSVBVM60.__vbaFreeVarList) is moved into ebx (ebx=73491073)
00404697 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax
The value in eax is stored at ebp-C4 (12F3C4); the value is (A)
0040469D BE 01000000 mov esi,1
004046A2 66:3BB5 3CFFFFFF cmp si,word ptr ss:[ebp-C4]
compares si with [ebp-C4]
004046A9 /0F8F 82000000 jg crackme1.00404731
jumps if greater
004046AF 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
004046B2 8D55 C0 lea edx,dword ptr ss:[ebp-40]
ecx=0012f44c edx=0012f428
004046B5 0FBFC6 movsx eax,si
eax=1
004046B8 894D 88 mov dword ptr ss:[ebp-78],ecx
ecx is stored at ebp-78
0012F3F0 0012F44C
004046BB 52 push edx
004046BC 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
ecx=0012f3e8
004046BF 50 push eax
004046C0 8D55 B0 lea edx,dword ptr ss:[ebp-50]
edx=0012f418
004046C3 51 push ecx
004046C4 52 push edx
004046C5 C745 C8 04000280 mov dword ptr ss:[ebp-38],80020004
004046CC C745 C0 0A000000 mov dword ptr ss:[ebp-40],0A
004046D3 C745 80 08400000 mov dword ptr ss:[ebp-80],4008
ebp-38 0012F430 80020004
ebp-40 0012F428 0000000A
ebp-80 0012F3E8 00004008
004046DA FF15 40104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
Step in:
7347B403 MS> 55 push ebp
7347B404 8BEC mov ebp,esp
7347B406 83EC 10 sub esp,10
7347B409 56 push esi 1
7347B40A 57 push edi 0
7347B40B FF35 C00E4A73 push dword ptr ds:[734A0EC0] 10
7347B411 FF15 B8103973 call dword ptr ds:[<&KERNEL32.TlsGetValue>] ; kernel32.TlsGetValue
7347B417 8D70 50 lea esi,dword ptr ds:[eax+50]
7347B41A 56 push esi
7347B41B FF75 0C push dword ptr ss:[ebp+C]
7347B41E E8 5096F3FF call MSVBVM60.733B4A73
7347B423 83F8 FF cmp eax,-1
7347B426 74 3A je short MSVBVM60.7347B462
7347B428 FF75 14 push dword ptr ss:[ebp+14]
7347B42B FF75 10 push dword ptr ss:[ebp+10]
7347B42E 50 push eax
7347B42F E8 AB94F3FF call MSVBVM60.rtcMidCharBstr
...................................
004046E8 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004046EE 50 push eax
004046EF FF15 0C104000 call dword ptr ds:[<&MSVBVM60.#693>] ; MSVBVM60.rtcByteValueBstr
Takes the ASCII value of the first letter: 71 (OD shows hex; 0x71 = 113 = 'q')
004046F5 25 FF000000 and eax,0FF
004046FA 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004046FD 03C7 add eax,edi
004046FF /0F80 04020000 jo crackme1.00404909
00404705 8BF8 mov edi,eax
edi=71
00404707 FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
...............
00404719 B8 01000000 mov eax,1
0040471E 83C4 0C add esp,0C
00404721 66:03C6 add ax,si
SI serves as the loop counter
..........................
The following block is the loop that repeats the steps above:
004046A2 66:3BB5 3CFFFFFF cmp si,word ptr ss:[ebp-C4]
004046A9 0F8F 82000000 jg crackme1.00404731
004046AF 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
004046B2 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004046B5 0FBFC6 movsx eax,si
004046B8 894D 88 mov dword ptr ss:[ebp-78],ecx
004046BB 52 push edx
004046BC 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004046BF 50 push eax
004046C0 8D55 B0 lea edx,dword ptr ss:[ebp-50]
004046C3 51 push ecx
004046C4 52 push edx
004046C5 C745 C8 04000280 mov dword ptr ss:[ebp-38],80020004
004046CC C745 C0 0A000000 mov dword ptr ss:[ebp-40],0A
004046D3 C745 80 08400000 mov dword ptr ss:[ebp-80],4008
004046DA FF15 40104000 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
004046E0 8D45 B0 lea eax,dword ptr ss:[ebp-50]
004046E3 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004046E6 50 push eax
004046E7 51 push ecx
004046E8 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
004046EE 50 push eax
004046EF FF15 0C104000 call dword ptr ds:[<&MSVBVM60.#693>] ; MSVBVM60.rtcByteValueBstr
004046F5 25 FF000000 and eax,0FF
004046FA 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004046FD 03C7 add eax,edi
004046FF 0F80 04020000 jo crackme1.00404909
00404705 8BF8 mov edi,eax
00404707 FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040470D 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00404710 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00404713 52 push edx
00404714 50 push eax
00404715 6A 02 push 2
00404717 FFD3 call ebx
00404719 B8 01000000 mov eax,1
0040471E 83C4 0C add esp,0C
00404721 66:03C6 add ax,si
00404724 0F80 DF010000 jo crackme1.00404909
0040472A 8BF0 mov esi,eax
0040472C ^ E9 71FFFFFF jmp crackme1.004046A2
When the exit condition holds, it jumps to
00404731 8B45 08 mov eax,dword ptr ss:[ebp+8]
At this point EDI is 445 (hex; 0x445 = 1093 decimal)
00404768 50 push eax
00404769 FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckO>; MSVBVM60.__vbaHresultCheckObj
0040476F 57 push edi
00404770 FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
Note: at 00404770 the registration code is already visible (the string __vbaStrI4 returns in eax).
00404776 8BD0 mov edx,eax
00404778 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
0040477B FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00404781 8B55 D8 mov edx,dword ptr ss:[ebp-28]
00404784 50 push eax ; correct registration code
00404785 52 push edx ; the code we typed in
00404786 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
Compare.
Finished on 2006/09/27
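As an added example (not the crackme's own source and not the author's keygen), here is the check traced above reimplemented in Python so the values seen in OD can be confirmed: the length test at 004045F5 (cmp eax,5 / jge, so the jump is taken for 5 or more characters), the loop that pulls one character at a time with rtcMidCharVar, converts it with rtcByteValueBstr, masks it with 0FF and accumulates it in EDI, then __vbaStrI4 and __vbaStrCmp. OD prints registers in hex, which is why 'q' shows up as 71 and the final EDI as 445 (1093 decimal). The names MIN_NAME_LEN, trace_accumulator, serial_for and check_serial are mine, and the code assumes plain ASCII names (VB6 Asc on other characters returns an ANSI code this does not model).

```python
# Added example: the serial check as read from the disassembly on the page.
# Assumptions (from the listing): length check is "cmp eax,5 / jge";
# per-character value is Asc() masked with 0xFF ("and eax,0FF"); the running
# total lives in EDI, a 32-bit Long ("jo" after "add eax,edi"); __vbaStrI4
# renders it as a decimal string that __vbaStrCmp compares with the input.
MIN_NAME_LEN = 5  # from "cmp eax,5 / jge crackme1.00404683"


def char_codes(name: str) -> list[int]:
    """Asc() of each character, masked like 'and eax,0FF'. ASCII names assumed."""
    return [ord(ch) & 0xFF for ch in name]


def trace_accumulator(name: str) -> list[tuple[str, str, str]]:
    """Mirror what OllyDbg shows per loop iteration: (char, code hex, EDI hex).
    Hex strings are used because that is how OD displays the registers."""
    steps = []
    edi = 0
    for ch, code in zip(name, char_codes(name)):
        edi += code  # 'add eax,edi' / 'mov edi,eax'
        steps.append((ch, format(code, "X"), format(edi, "X")))
    return steps


def serial_for(name: str):
    """Serial the crackme expects for `name`, or None when the check cannot pass
    (name too short, or the signed 32-bit sum overflows into the 'jo' path)."""
    if len(name) < MIN_NAME_LEN:
        return None
    total = sum(char_codes(name))
    if total > 0x7FFFFFFF:  # 'jo crackme1.00404909'
        return None
    return str(total)  # __vbaStrI4: Long -> decimal string


def check_serial(name: str, serial: str) -> bool:
    """The __vbaStrCmp at 00404786: exact string comparison."""
    expected = serial_for(name)
    return expected is not None and expected == serial


if __name__ == "__main__":
    for step in trace_accumulator("qxtianlong"):
        print(step)  # first step is ('q', '71', '71'), last ends in '445'
    print(serial_for("qxtianlong"))               # 1093
    print(check_serial("qxtianlong", "78787878"))  # False: the trial code we typed
    # The serial is only a sum of character codes, so reordering the name
    # gives the same serial: the scheme does not bind to character positions.
    print(serial_for("gnolnaitxq"))               # 1093
```

Running the trace prints each iteration in the same hex form as the OD register pane, so each line can be matched against the values observed while single-stepping the loop at 004046A2.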
--------------------------------------------------------------------------------
【Lessons learned】
I hadn't played with a debugger in a long time; I had the day off, dropped by the forum and picked this one. I hope it helps someone; experience comes from standing on the shoulders of giants.
Visit the Pediy (看雪) forum more often. VB is still fairly easy to trace as long as it isn't p-code....
I wrote a keygen in my spare time; it is in the attachment, and when you open it you can hear a nice song ^_^..
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
2006年09月29日 10:17:55
I couldn't upload the attachment; please download it from my homepage:
http://blog.77169.com/UploadFiles/2006-9/929567245.rar
http://blog.77169.com/UploadFiles/2006-9/929569497.rar
http://blog.77169.com/UploadFiles/2006-9/929359274.rar
http://blog.77169.com/UploadFiles/2006-9/929916500.rar
http://blog.77169.com/UploadFiles/2006-9/929120376.rar
Save them as 1, 2, 3, 4 and 5 respectively..
The compiled build couldn't be uploaded; the main source code is in this post's attachment.