【Title】: Cracking Am0r's CrackMe (VB)
【Author】: bxm
【Author's e-mail】: bxm78@163.com
【Tools】: OD, Calculator, VB Decompiler Lite
【Author's note】: Just out of interest, no other purpose. Please correct me where I have made mistakes!
--------------------------------------------------------------------------------
【Detailed process】
Locate the breakpoints with VB Decompiler Lite
00402A52 > /C745 FC 04000>mov dword ptr [ebp-4], 4
00402A59 . |8B55 9C mov edx, [ebp-64]
00402A5C . |52 push edx
00402A5D . |FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; EAX returns the length of name
00402A63 . |8985 A8FEFFFF mov [ebp-158], eax
00402A69 . |C785 A0FEFFFF>mov dword ptr [ebp-160], 3
00402A73 . |8B45 9C mov eax, [ebp-64]
00402A76 . |50 push eax
00402A77 . |FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402A7D . |8985 B8FEFFFF mov [ebp-148], eax
00402A83 . |C785 B0FEFFFF>mov dword ptr [ebp-150], 3
00402A8D . |8D4D 9C lea ecx, [ebp-64]
00402A90 . |898D 98FEFFFF mov [ebp-168], ecx
00402A96 . |C785 90FEFFFF>mov dword ptr [ebp-170], 4008
00402AA0 . |8D95 A0FEFFFF lea edx, [ebp-160]
00402AA6 . |52 push edx
00402AA7 . |8D85 B0FEFFFF lea eax, [ebp-150]
00402AAD . |50 push eax
00402AAE . |8D4D D0 lea ecx, [ebp-30]
00402AB1 . |51 push ecx
00402AB2 . |8D55 80 lea edx, [ebp-80]
00402AB5 . |52 push edx
00402AB6 . |FF15 04104000 call [<&MSVBVM60.__vbaVarSub>] ; name length - loop counter
00402ABC . |50 push eax
00402ABD . |8D85 70FFFFFF lea eax, [ebp-90]
00402AC3 . |50 push eax
00402AC4 . |FF15 04104000 call [<&MSVBVM60.__vbaVarSub>] ; MSVBVM60.__vbaVarSub
00402ACA . |50 push eax
00402ACB . |FF15 EC104000 call [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00402AD1 . |50 push eax
00402AD2 . |8D8D 90FEFFFF lea ecx, [ebp-170]
00402AD8 . |51 push ecx
00402AD9 . |8D95 60FFFFFF lea edx, [ebp-A0]
00402ADF . |52 push edx
00402AE0 . |FF15 04114000 call [<&MSVBVM60.#617>] ; take the first (loop counter) characters of name; call the result A
00402AE6 . |8B45 9C mov eax, [ebp-64]
00402AE9 . |50 push eax
00402AEA . |FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402AF0 . |8BF0 mov esi, eax
00402AF2 . |8B4D 9C mov ecx, [ebp-64]
00402AF5 . |51 push ecx
00402AF6 . |FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; EAX returns the length of name
00402AFC . |83E8 01 sub eax, 1 ; EAX-1
00402AFF . |0F80 34060000 jo 00403139
00402B05 . |2BF0 sub esi, eax
00402B07 . |0F80 2C060000 jo 00403139
00402B0D . |56 push esi
00402B0E . |8D95 60FFFFFF lea edx, [ebp-A0]
00402B14 . |52 push edx
00402B15 . |8D85 50FFFFFF lea eax, [ebp-B0]
00402B1B . |50 push eax
00402B1C . |FF15 14114000 call [<&MSVBVM60.#619>] ; take the rightmost character of A
00402B22 . |8D8D 50FFFFFF lea ecx, [ebp-B0]
00402B28 . |51 push ecx
00402B29 . |8D55 94 lea edx, [ebp-6C]
00402B2C . |52 push edx
00402B2D . |FF15 B4104000 call [<&MSVBVM60.__vbaStrVarVal>>; MSVBVM60.__vbaStrVarVal
00402B33 . |50 push eax
00402B34 . |FF15 30104000 call [<&MSVBVM60.#516>] ; EAX returns the ASCII code of the single character taken from name above
00402B3A . |66:8985 88FEF>mov [ebp-178], ax ; save it
00402B41 . |C785 80FEFFFF>mov dword ptr [ebp-180], 2
00402B4B . |8D45 A0 lea eax, [ebp-60]
00402B4E . |50 push eax
00402B4F . |8D8D 80FEFFFF lea ecx, [ebp-180]
00402B55 . |51 push ecx
00402B56 . |8D95 40FFFFFF lea edx, [ebp-C0]
00402B5C . |52 push edx
00402B5D . |FF15 B8104000 call [<&MSVBVM60.__vbaVarCat>] ; concatenate; the number is converted to a decimal string when concatenated; my final result is "981201095556"; call this final result B
00402B63 . |8BD0 mov edx, eax
00402B65 . |8D4D A0 lea ecx, [ebp-60]
00402B68 . |FF15 10104000 call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402B6E . |8D4D 94 lea ecx, [ebp-6C]
00402B71 . |FF15 28114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402B77 . |8D85 50FFFFFF lea eax, [ebp-B0]
00402B7D . |50 push eax
00402B7E . |8D8D 60FFFFFF lea ecx, [ebp-A0]
00402B84 . |51 push ecx
00402B85 . |6A 02 push 2
00402B87 . |FF15 24104000 call [<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList
00402B8D . |83C4 0C add esp, 0C
00402B90 . |C745 FC 05000>mov dword ptr [ebp-4], 5
00402B97 . |8D95 58FEFFFF lea edx, [ebp-1A8]
00402B9D . |52 push edx
00402B9E . |8D85 68FEFFFF lea eax, [ebp-198]
00402BA4 . |50 push eax
00402BA5 . |8D4D D0 lea ecx, [ebp-30]
00402BA8 . |51 push ecx
00402BA9 . |FF15 20114000 call [<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext
00402BAF . |8985 20FEFFFF mov [ebp-1E0], eax
00402BB5 > |83BD 20FEFFFF>cmp dword ptr [ebp-1E0], 0
00402BBC .^\0F85 90FEFFFF jnz 00402A52 ; loop
Function of the code above: convert each character of the entered name to the decimal string of its ASCII code and concatenate the results; for example, the input "bxm78" gives "981201095556". Call this result B.
=============================================================================
00402BC2 . C745 FC 06000>mov dword ptr [ebp-4], 6
00402BC9 . C785 B8FEFFFF>mov dword ptr [ebp-148], 1
00402BD3 . C785 B0FEFFFF>mov dword ptr [ebp-150], 2
00402BDD . 8B55 98 mov edx, [ebp-68]
00402BE0 . 52 push edx
00402BE1 . FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; EAX returns the length of the string "B019EE0A" (call this string C), which is 8
00402BE7 . 8985 A8FEFFFF mov [ebp-158], eax
00402BED . C785 A0FEFFFF>mov dword ptr [ebp-160], 3
00402BF7 . C785 98FEFFFF>mov dword ptr [ebp-168], 1
00402C01 . C785 90FEFFFF>mov dword ptr [ebp-170], 2
00402C0B . 8D85 B0FEFFFF lea eax, [ebp-150]
00402C11 . 50 push eax ; step 1
00402C12 . 8D8D A0FEFFFF lea ecx, [ebp-160]
00402C18 . 51 push ecx ; end value 8
00402C19 . 8D95 90FEFFFF lea edx, [ebp-170]
00402C1F . 52 push edx ; start value 1
00402C20 . 8D85 38FEFFFF lea eax, [ebp-1C8]
00402C26 . 50 push eax
00402C27 . 8D8D 48FEFFFF lea ecx, [ebp-1B8]
00402C2D . 51 push ecx
00402C2E . 8D55 D0 lea edx, [ebp-30]
00402C31 . 52 push edx
00402C32 . FF15 50104000 call [<&MSVBVM60.__vbaVarForInit>; MSVBVM60.__vbaVarForInit
00402C38 . 8985 1CFEFFFF mov [ebp-1E4], eax
00402C3E . E9 63010000 jmp 00402DA6
00402C43 > C745 FC 07000>mov dword ptr [ebp-4], 7
00402C4A . 8B45 98 mov eax, [ebp-68]
00402C4D . 50 push eax
00402C4E . FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402C54 . 8985 A8FEFFFF mov [ebp-158], eax
00402C5A . C785 A0FEFFFF>mov dword ptr [ebp-160], 3
00402C64 . 8B4D 98 mov ecx, [ebp-68]
00402C67 . 51 push ecx
00402C68 . FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402C6E . 8985 B8FEFFFF mov [ebp-148], eax
00402C74 . C785 B0FEFFFF>mov dword ptr [ebp-150], 3
00402C7E . 8D55 98 lea edx, [ebp-68]
00402C81 . 8995 98FEFFFF mov [ebp-168], edx
00402C87 . C785 90FEFFFF>mov dword ptr [ebp-170], 4008
00402C91 . 8D85 A0FEFFFF lea eax, [ebp-160]
00402C97 . 50 push eax
00402C98 . 8D8D B0FEFFFF lea ecx, [ebp-150]
00402C9E . 51 push ecx
00402C9F . 8D55 D0 lea edx, [ebp-30]
00402CA2 . 52 push edx
00402CA3 . 8D45 80 lea eax, [ebp-80]
00402CA6 . 50 push eax
00402CA7 . FF15 04104000 call [<&MSVBVM60.__vbaVarSub>] ; MSVBVM60.__vbaVarSub
00402CAD . 50 push eax
00402CAE . 8D8D 70FFFFFF lea ecx, [ebp-90]
00402CB4 . 51 push ecx
00402CB5 . FF15 04104000 call [<&MSVBVM60.__vbaVarSub>] ; MSVBVM60.__vbaVarSub
00402CBB . 50 push eax
00402CBC . FF15 EC104000 call [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00402CC2 . 50 push eax
00402CC3 . 8D95 90FEFFFF lea edx, [ebp-170]
00402CC9 . 52 push edx
00402CCA . 8D85 60FFFFFF lea eax, [ebp-A0]
00402CD0 . 50 push eax
00402CD1 . FF15 04114000 call [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
00402CD7 . 8B4D 98 mov ecx, [ebp-68]
00402CDA . 51 push ecx
00402CDB . FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402CE1 . 8BF0 mov esi, eax
00402CE3 . 8B55 98 mov edx, [ebp-68]
00402CE6 . 52 push edx
00402CE7 . FF15 1C104000 call [<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
00402CED . 83E8 01 sub eax, 1
00402CF0 . 0F80 43040000 jo 00403139
00402CF6 . 2BF0 sub esi, eax
00402CF8 . 0F80 3B040000 jo 00403139
00402CFE . 56 push esi
00402CFF . 8D85 60FFFFFF lea eax, [ebp-A0]
00402D05 . 50 push eax
00402D06 . 8D8D 50FFFFFF lea ecx, [ebp-B0]
00402D0C . 51 push ecx
00402D0D . FF15 14114000 call [<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
00402D13 . 8D95 50FFFFFF lea edx, [ebp-B0]
00402D19 . 52 push edx
00402D1A . 8D45 94 lea eax, [ebp-6C]
00402D1D . 50 push eax
00402D1E . FF15 B4104000 call [<&MSVBVM60.__vbaStrVarVal>>; MSVBVM60.__vbaStrVarVal
00402D24 . 50 push eax
00402D25 . FF15 30104000 call [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402D2B . 66:8985 88FEF>mov [ebp-178], ax
00402D32 . C785 80FEFFFF>mov dword ptr [ebp-180], 2
00402D3C . 8D4D C0 lea ecx, [ebp-40]
00402D3F . 51 push ecx
00402D40 . 8D95 80FEFFFF lea edx, [ebp-180]
00402D46 . 52 push edx
00402D47 . 8D85 40FFFFFF lea eax, [ebp-C0]
00402D4D . 50 push eax
00402D4E . FF15 B8104000 call [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
00402D54 . 8BD0 mov edx, eax
00402D56 . 8D4D C0 lea ecx, [ebp-40]
00402D59 . FF15 10104000 call [<&MSVBVM60.__vbaVarMove>] ; MSVBVM60.__vbaVarMove
00402D5F . 8D4D 94 lea ecx, [ebp-6C]
00402D62 . FF15 28114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402D68 . 8D8D 50FFFFFF lea ecx, [ebp-B0]
00402D6E . 51 push ecx
00402D6F . 8D95 60FFFFFF lea edx, [ebp-A0]
00402D75 . 52 push edx
00402D76 . 6A 02 push 2
00402D78 . FF15 24104000 call [<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList
00402D7E . 83C4 0C add esp, 0C
00402D81 . C745 FC 08000>mov dword ptr [ebp-4], 8
00402D88 . 8D85 38FEFFFF lea eax, [ebp-1C8]
00402D8E . 50 push eax
00402D8F . 8D8D 48FEFFFF lea ecx, [ebp-1B8]
00402D95 . 51 push ecx
00402D96 . 8D55 D0 lea edx, [ebp-30]
00402D99 . 52 push edx
00402D9A . FF15 20114000 call [<&MSVBVM60.__vbaVarForNext>; MSVBVM60.__vbaVarForNext
00402DA0 . 8985 1CFEFFFF mov [ebp-1E4], eax
00402DA6 > 83BD 1CFEFFFF>cmp dword ptr [ebp-1E4], 0
00402DAD .^ 0F85 90FEFFFF jnz 00402C43 ; loop
Function of this section: convert each character of the fixed string "B019EE0A" to the decimal string of its ASCII code and concatenate the results, giving the string "6648495769694865". Call it L.
==============================================================================
00402DB3 . C745 FC 09000>mov dword ptr [ebp-4], 9
00402DBA . C785 B8FEFFFF>mov dword ptr [ebp-148], 2
00402DC4 . C785 B0FEFFFF>mov dword ptr [ebp-150], 2
00402DCE . 8D45 A0 lea eax, [ebp-60]
00402DD1 . 50 push eax
00402DD2 . 8D4D 80 lea ecx, [ebp-80]
00402DD5 . 51 push ecx
00402DD6 . FF15 44104000 call [<&MSVBVM60.__vbaLenVar>] ; EAX returns the length of the string derived from name; call it D
00402DDC . 50 push eax
00402DDD . 8D95 B0FEFFFF lea edx, [ebp-150]
00402DE3 . 52 push edx
00402DE4 . 8D85 70FFFFFF lea eax, [ebp-90]
00402DEA . 50 push eax
00402DEB . FF15 A8104000 call [<&MSVBVM60.__vbaVarDiv>] ; D/2 = E
00402DF1 . 50 push eax
00402DF2 . FF15 EC104000 call [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00402DF8 . 50 push eax
00402DF9 . 8D4D A0 lea ecx, [ebp-60]
00402DFC . 51 push ecx
00402DFD . 8D95 60FFFFFF lea edx, [ebp-A0]
00402E03 . 52 push edx
00402E04 . FF15 04114000 call [<&MSVBVM60.#617>] ; take the first E characters of the string derived from name; call the result I
00402E0A . C785 A8FEFFFF>mov dword ptr [ebp-158], 00401DFC ; username
00402E14 . C785 A0FEFFFF>mov dword ptr [ebp-160], 8
00402E1E . 8D95 A0FEFFFF lea edx, [ebp-160]
00402E24 . 8D8D 50FFFFFF lea ecx, [ebp-B0]
00402E2A . FF15 F8104000 call [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00402E30 . 8D85 50FFFFFF lea eax, [ebp-B0]
00402E36 . 50 push eax
00402E37 . 8D8D 40FFFFFF lea ecx, [ebp-C0]
00402E3D . 51 push ecx
00402E3E . FF15 4C104000 call [<&MSVBVM60.#666>] ; EAX returns the login user name; call it F
00402E44 . 8D95 40FFFFFF lea edx, [ebp-C0]
00402E4A . 52 push edx
00402E4B . FF15 20104000 call [<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove
00402E51 . 8BD0 mov edx, eax
00402E53 . 8D4D 94 lea ecx, [ebp-6C]
00402E56 . FF15 0C114000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00402E5C . 8D85 30FFFFFF lea eax, [ebp-D0]
00402E62 . 50 push eax
00402E63 . 8D4D 94 lea ecx, [ebp-6C]
00402E66 . 51 push ecx
00402E67 . 8B55 08 mov edx, [ebp+8]
00402E6A . 8B02 mov eax, [edx]
00402E6C . 8B4D 08 mov ecx, [ebp+8]
00402E6F . 51 push ecx
00402E70 . FF90 00070000 call [eax+700] ; this function XORs each character of F in turn with the remainder of (loop counter, starting from 0) divided by 11, until every character of F has been processed; call the result G
00402E76 . 8985 7CFEFFFF mov [ebp-184], eax
00402E7C . 83BD 7CFEFFFF>cmp dword ptr [ebp-184], 0
00402E83 . 7D 23 jge short 00402EA8
00402E85 . 68 00070000 push 700
00402E8A . 68 6C1C4000 push 00401C6C
00402E8F . 8B55 08 mov edx, [ebp+8]
00402E92 . 52 push edx
00402E93 . 8B85 7CFEFFFF mov eax, [ebp-184]
00402E99 . 50 push eax
00402E9A . FF15 40104000 call [<&MSVBVM60.__vbaHresultCheckObj>; MSVBVM60.__vbaHresultCheckObj
00402EA0 . 8985 18FEFFFF mov [ebp-1E8], eax
00402EA6 . EB 0A jmp short 00402EB2
00402EA8 > C785 18FEFFFF>mov dword ptr [ebp-1E8], 0
00402EB2 > C785 98FEFFFF>mov dword ptr [ebp-168], 2
00402EBC . C785 90FEFFFF>mov dword ptr [ebp-170], 2
00402EC6 . 8D4D A0 lea ecx, [ebp-60]
00402EC9 . 51 push ecx
00402ECA . 8D95 00FFFFFF lea edx, [ebp-100]
00402ED0 . 52 push edx
00402ED1 . FF15 44104000 call [<&MSVBVM60.__vbaLenVar>] ; MSVBVM60.__vbaLenVar
00402ED7 . 50 push eax
00402ED8 . 8D85 90FEFFFF lea eax, [ebp-170]
00402EDE . 50 push eax
00402EDF . 8D8D F0FEFFFF lea ecx, [ebp-110]
00402EE5 . 51 push ecx
00402EE6 . FF15 A8104000 call [<&MSVBVM60.__vbaVarDiv>] ; MSVBVM60.__vbaVarDiv
00402EEC . 50 push eax
00402EED . FF15 EC104000 call [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
00402EF3 . 50 push eax
00402EF4 . 8D55 A0 lea edx, [ebp-60]
00402EF7 . 52 push edx
00402EF8 . 8D85 E0FEFFFF lea eax, [ebp-120]
00402EFE . 50 push eax
00402EFF . FF15 14114000 call [<&MSVBVM60.#619>] ; take the last E characters of string B; call the result H
00402F05 . 8D8D 60FFFFFF lea ecx, [ebp-A0]
00402F0B . 51 push ecx
00402F0C . 8D95 30FFFFFF lea edx, [ebp-D0]
00402F12 . 52 push edx
00402F13 . 8D85 20FFFFFF lea eax, [ebp-E0]
00402F19 . 50 push eax
00402F1A . FF15 B8104000 call [<&MSVBVM60.__vbaVarCat>] ; concatenate I and G
00402F20 . 50 push eax
00402F21 . 8D4D C0 lea ecx, [ebp-40]
00402F24 . 51 push ecx
00402F25 . 8D95 10FFFFFF lea edx, [ebp-F0]
00402F2B . 52 push edx
00402F2C . FF15 B8104000 call [<&MSVBVM60.__vbaVarCat>] ; then concatenate L
00402F32 . 50 push eax
00402F33 . 8D85 E0FEFFFF lea eax, [ebp-120]
00402F39 . 50 push eax
00402F3A . 8D8D D0FEFFFF lea ecx, [ebp-130]
00402F40 . 51 push ecx
00402F41 . FF15 B8104000 call [<&MSVBVM60.__vbaVarCat>] ; then concatenate H; call the result K
00402F47 . 50 push eax
00402F48 . FF15 20104000 call [<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove
00402F4E . 8BD0 mov edx, eax
00402F50 . 8D4D 90 lea ecx, [ebp-70]
00402F53 . FF15 0C114000 call [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00402F59 . 8D95 C0FEFFFF lea edx, [ebp-140]
00402F5F . 52 push edx
00402F60 . 8D45 90 lea eax, [ebp-70]
00402F63 . 50 push eax
00402F64 . 8B4D 08 mov ecx, [ebp+8]
00402F67 . 8B11 mov edx, [ecx]
00402F69 . 8B45 08 mov eax, [ebp+8]
00402F6C . 50 push eax
00402F6D . FF92 00070000 call [edx+700] ; this function XORs each character of K in turn with the remainder of (loop counter, starting from 0) divided by 11, until every character of K has been processed; the result is the correct serial
The code that follows is the comparison of the real and entered serial, so it is omitted.
Algorithm analysis:
1. Convert each character of name to the decimal string of its ASCII code and split the result into a front and a back part: if the length is even, exactly half and half; if the length is odd, the middle character is discarded. Call the front part A and the back part B.
2. Take the login user name and XOR each of its characters in turn with the remainder of (loop counter, starting from 0) divided by 11, until every character has been processed. Call the result C.
3. Concatenate string A, string C, the string "6648495769694865" and string B. Call the result D.
4. XOR each character of D in turn with the remainder of (loop counter, starting from 0) divided by 11, until every character has been processed. The result is the serial.
A working name/serial pair:
name:bxm78
serial:39393331343430353F303C463734373C313F323F3F333638363B3230363E3D3C3F36
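The algorithm above, reproduced in Python as an added example (this is not the author's code) so the listed pair can be checked. Two details are inferred from the sample serial rather than stated on the page: the routine at [obj+700] emits each XORed byte as two upper-case hex digits, since the listed serial is hex, and the author's login name was "bxm", recovered by decoding that serial.

```python
# Added example, not the author's code: the serial derivation from the analysis above.
# Assumptions inferred from the sample pair (not stated on the page):
#   - the routine at [obj+700] returns each XORed byte as two upper-case hex digits
#   - the author's Windows login name was "bxm" (recovered by decoding the sample)

FIXED_STRING = "B019EE0A"   # string C from the second loop; L = ascii_decimal(C)


def ascii_decimal(s: str) -> str:
    """Loops 1 and 2: concatenate the decimal ASCII code of every character."""
    return "".join(str(ord(ch)) for ch in s)


def xor_mod11_hex(s: str) -> str:
    """The [obj+700] routine: XOR character i with (i mod 11), emit as hex."""
    return "".join(f"{ord(ch) ^ (i % 11):02X}" for i, ch in enumerate(s))


def unxor_mod11_hex(h: str) -> str:
    """Inverse of xor_mod11_hex; used to read the inputs back out of a serial."""
    return "".join(chr(b ^ (i % 11)) for i, b in enumerate(bytes.fromhex(h)))


def split_halves(s: str) -> tuple:
    """Left E and Right E characters, E = len // 2 (middle char dropped if odd)."""
    e = len(s) // 2
    return (s[:e], s[len(s) - e:])


def make_serial(name: str, login_user: str) -> str:
    """Steps 1-4 of the algorithm analysis."""
    b = ascii_decimal(name)                  # "981201095556" for "bxm78"
    part_a, part_b = split_halves(b)         # I and H in the listing
    part_c = xor_mod11_hex(login_user)       # G: login name through the XOR routine
    part_l = ascii_decimal(FIXED_STRING)     # "6648495769694865"
    k = part_a + part_c + part_l + part_b    # K
    return xor_mod11_hex(k)


if __name__ == "__main__":
    sample = ("39393331343430353F303C463734373C313F323F3F33"
              "3638363B3230363E3D3C3F36")
    print(make_serial("bxm78", "bxm") == sample)   # -> True
    # Reading the login name back: undo the outer XOR, then the 6 hex digits
    # after the first half of B hold the XORed login name.
    print(unxor_mod11_hex(unxor_mod11_hex(sample)[6:12]))   # -> bxm
```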
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally posted on the Pediy (看雪) technical forum; when reposting please credit the author and keep the article intact, thank you!
14 October 2006, 3:03:51 PM