今天去 http://www.crackmes.de/ 下了个 KeyGenMe #1 by JoJo - easy Windows 2000/XP only crackme by JoJo。挺简单,所以放出来了。也不知道有人弄过没有。不管了。
1、下断 bp rtcMsgBox。断下后往上找就可以得到下面:
00402CC0 > \55 push ebp ///////我们下断点在这里吧。F2
00402CC1 . 8BEC mov ebp, esp
00402CC3 . 83EC 0C sub esp, 0C
00402CC6 . 68 6611>push <jmp.&MSVBVM60.__vbaExceptHandle>; SE 处理程序安装
00402CCB . 64:A1 0>mov eax, dword ptr fs:[0]
00402CD1 . 50 push eax
00402CD2 . 64:8925>mov dword ptr fs:[0], esp
00402CD9 . 81EC A0>sub esp, 0A0
00402CDF . 53 push ebx
00402CE0 . 56 push esi
00402CE1 . 57 push edi
00402CE2 . 8965 F4 mov dword ptr [ebp-C], esp
00402CE5 . C745 F8>mov dword ptr [ebp-8], 00401108
00402CEC . 8B75 08 mov esi, dword ptr [ebp+8]
00402CEF . 8BC6 mov eax, esi
00402CF1 . 83E0 01 and eax, 1
00402CF4 . 8945 FC mov dword ptr [ebp-4], eax
00402CF7 . 83E6 FE and esi, FFFFFFFE
00402CFA . 56 push esi
00402CFB . 8975 08 mov dword ptr [ebp+8], esi
00402CFE . 8B0E mov ecx, dword ptr [esi]
00402D00 . FF51 04 call dword ptr [ecx+4]
00402D03 . 8B16 mov edx, dword ptr [esi]
00402D05 . 33DB xor ebx, ebx
00402D07 . 56 push esi
00402D08 . 895D E8 mov dword ptr [ebp-18], ebx
00402D0B . 895D E4 mov dword ptr [ebp-1C], ebx
00402D0E . 895D D4 mov dword ptr [ebp-2C], ebx
00402D11 . 895D C4 mov dword ptr [ebp-3C], ebx
00402D14 . 895D B4 mov dword ptr [ebp-4C], ebx
00402D17 . 895D A4 mov dword ptr [ebp-5C], ebx
00402D1A . 895D 94 mov dword ptr [ebp-6C], ebx
00402D1D . 895D 84 mov dword ptr [ebp-7C], ebx
00402D20 . FF92 04>call dword ptr [edx+304]
00402D26 . 50 push eax
00402D27 . 8D45 E4 lea eax, dword ptr [ebp-1C]
00402D2A . 50 push eax
00402D2B . FF15 3C>call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00402D31 . 8BF8 mov edi, eax
00402D33 . 8D55 E8 lea edx, dword ptr [ebp-18]
00402D36 . 52 push edx
00402D37 . 57 push edi
00402D38 . 8B0F mov ecx, dword ptr [edi]
00402D3A . FF91 A0>call dword ptr [ecx+A0]
00402D40 . 3BC3 cmp eax, ebx
00402D42 . DBE2 fclex
00402D44 . 7D 12 jge short 00402D58
00402D46 . 68 A000>push 0A0
00402D4B . 68 C41E>push 00401EC4
00402D50 . 57 push edi
00402D51 . 50 push eax
00402D52 . FF15 2C>call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402D58 > 8B45 E8 mov eax, dword ptr [ebp-18] ; 假码出现了。
00402D5B . 83C6 34 add esi, 34 ; VB的程序很喜欢这样读取用户名啊,假码等,
00402D5E . 8945 BC mov dword ptr [ebp-44], eax
00402D61 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00402D64 . 50 push eax
00402D65 . 8D4D 94 lea ecx, dword ptr [ebp-6C]
00402D68 . 56 push esi
00402D69 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00402D6C . 51 push ecx
00402D6D . 52 push edx
00402D6E . 895D E8 mov dword ptr [ebp-18], ebx ; 这里是存储假码到临时变量【ebp-18】
00402D71 . C745 B4>mov dword ptr [ebp-4C], 8008
00402D78 . C745 9C>mov dword ptr [ebp-64], 7 ; 这个值要记住。【ebp-64】
00402D7F . C745 94>mov dword ptr [ebp-6C], 2
00402D86 . C745 8C>mov dword ptr [ebp-74], 4CB27 ; 这个值要也要记住。【ebp-74】
00402D8D . C745 84>mov dword ptr [ebp-7C], 3
00402D94 . FF15 78>call dword ptr [<&MSVBVM60.__vbaVarMu>; (MSVBVM60.__vbaVarMul)。这里我们跟进去。因为它很明显是作乘法运算
00402D9A . 50 push eax
00402D9B . 8D45 84 lea eax, dword ptr [ebp-7C]
00402D9E . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402DA1 . 50 push eax
00402DA2 . 51 push ecx
00402DA3 . FF15 BC>call dword ptr [<&MSVBVM60.__vbaVarAd>; (MSVBVM60.__vbaVarAdd)这里很明显要加。加甚么呢,就是上面的4CB27。进去就知道了
00402DA9 . 50 push eax
00402DAA . FF15 5C>call dword ptr [<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
00402DB0 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00402DB3 . 8BF8 mov edi, eax
00402DB5 . FF15 EC>call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402DBB . 8B35 10>mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
00402DC1 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00402DC4 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00402DC7 . 52 push edx
00402DC8 . 50 push eax
00402DC9 . 6A 02 push 2
00402DCB . FFD6 call esi ; <&MSVBVM60.__vbaFreeVarList>
00402DCD . 83C4 0C add esp, 0C
00402DD0 . B9 0400>mov ecx, 80020004
00402DD5 . B8 0A00>mov eax, 0A
00402DDA . 66:3BFB cmp di, bx
00402DDD . 894D AC mov dword ptr [ebp-54], ecx
00402DE0 . 8945 A4 mov dword ptr [ebp-5C], eax
00402DE3 . 894D BC mov dword ptr [ebp-44], ecx
00402DE6 . 8945 B4 mov dword ptr [ebp-4C], eax
00402DE9 74 5C je short 00402E47 ; 这里就是关键跳了。爆破
00402DEB . 8B3D C4>mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
00402DF1 . 8D55 84 lea edx, dword ptr [ebp-7C]
00402DF4 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402DF7 . C745 8C>mov dword ptr [ebp-74], 00401F14 ; g
00402DFE . C745 84>mov dword ptr [ebp-7C], 8
00402E05 . FFD7 call edi ; <&MSVBVM60.__vbaVarDup>
00402E07 . 8D55 94 lea edx, dword ptr [ebp-6C]
00402E0A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402E0D . C745 9C>mov dword ptr [ebp-64], 00401ED8 ; g
00402E14 . C745 94>mov dword ptr [ebp-6C], 8
00402E1B . FFD7 call edi
00402E1D . 8D4D A4 lea ecx, dword ptr [ebp-5C]
00402E20 . 8D55 B4 lea edx, dword ptr [ebp-4C]
00402E23 . 51 push ecx
00402E24 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00402E27 . 52 push edx
00402E28 . 50 push eax
00402E29 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402E2C . 6A 40 push 40
00402E2E . 51 push ecx
00402E2F . FF15 40>call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00402E35 . 8D55 A4 lea edx, dword ptr [ebp-5C] ; 成功的信息框
00402E38 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00402E3B . 52 push edx
00402E3C . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402E3F . 50 push eax
00402E40 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00402E43 . 51 push ecx
00402E44 . 52 push edx
00402E45 . EB 5A jmp short 00402EA1
00402E47 > 8B3D C4>mov edi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
00402E4D . 8D55 84 lea edx, dword ptr [ebp-7C]
00402E50 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00402E53 . C745 8C>mov dword ptr [ebp-74], 00401F4C ; s
00402E5A . C745 84>mov dword ptr [ebp-7C], 8
00402E61 . FFD7 call edi ; <&MSVBVM60.__vbaVarDup>
00402E63 . 8D55 94 lea edx, dword ptr [ebp-6C]
00402E66 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00402E69 . C745 9C>mov dword ptr [ebp-64], 00401F24 ; s
00402E70 . C745 94>mov dword ptr [ebp-6C], 8
00402E77 . FFD7 call edi
00402E79 . 8D45 A4 lea eax, dword ptr [ebp-5C]
00402E7C . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00402E7F . 50 push eax
00402E80 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00402E83 . 51 push ecx
00402E84 . 52 push edx
00402E85 . 8D45 D4 lea eax, dword ptr [ebp-2C]
00402E88 . 6A 10 push 10
00402E8A . 50 push eax /// 断点断在这里,向上找。另外下断点
00402E8B . FF15 40>call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00402E91 . 8D4D A4 lea ecx, dword ptr [ebp-5C] ; 失败的信息框
2、跟进 00402D94 的 call,看看甚么东西相乘,得到:
73499ECC > FF7424 04 push dword ptr [esp+4]
73499ED0 FF7424 0C push dword ptr [esp+C]
73499ED4 FF7424 14 push dword ptr [esp+14]
73499ED8 FF15 440E>call dword ptr [734A0E44] ; (OLEAUT32.VarMul) 这里也跟进
……跟进 (OLEAUT32.VarMul) 可以找到下面的代码……
77169FD5 0FBF47 08 movsx eax, word ptr [edi+8] ; 这里就是取得上面的那个7
77169FD9 8945 10 mov dword ptr [ebp+10], eax ; 存储7
77169FDC DB45 10 fild dword ptr [ebp+10] ; 成为实数。准备运算
77169FDF EB 18 jmp short 77169FF9
77169FE1 DB47 08 fild dword ptr [edi+8]
77169FE4 EB 13 jmp short 77169FF9
77169FE6 DF6F 08 fild qword ptr [edi+8]
77169FE9 EB 0E jmp short 77169FF9
77169FEB DF6F 08 fild qword ptr [edi+8]
77169FEE DC35 303F>fdiv qword ptr [77173F30]
77169FF4 EB 03 jmp short 77169FF9
77169FF6 D947 08 fld dword ptr [edi+8]
77169FF9 DC4E 08 fmul qword ptr [esi+8] ; 这里就是乘法运算了,我们看提示知道是7*机器码
77169FFC EB 54 jmp short 7716A052 ; 乘完跳走
77169FFE 0FB646 08 movzx eax, byte ptr [esi+8]
7716A002 8945 10 mov dword ptr [ebp+10], eax
7716A005 DB45 10 fild dword ptr [ebp+10]
7716A008 EB 45 jmp short 7716A04F
7716A00A 0FBF46 08 movsx eax, word ptr [esi+8]
7716A00E 8945 10 mov dword ptr [ebp+10], eax
7716A011 DB45 10 fild dword ptr [ebp+10]
7716A014 EB 39 jmp short 7716A04F
7716A016 DB46 08 fild dword ptr [esi+8]
7716A019 EB 34 jmp short 7716A04F
7716A01B DF6E 08 fild qword ptr [esi+8]
7716A01E EB 2F jmp short 7716A04F
7716A020 DF6E 08 fild qword ptr [esi+8]
7716A023 DC35 303F>fdiv qword ptr [77173F30]
7716A029 EB 24 jmp short 7716A04F
7716A02B D946 08 fld dword ptr [esi+8]
7716A02E EB 1F jmp short 7716A04F
7716A030 DF6F 08 fild qword ptr [edi+8]
7716A033 DC35 303F>fdiv qword ptr [77173F30]
7716A039 D84E 08 fmul dword ptr [esi+8]
7716A03C EB 14 jmp short 7716A052
7716A03E DF6E 08 fild qword ptr [esi+8]
7716A041 DC35 303F>fdiv qword ptr [77173F30]
7716A047 D84F 08 fmul dword ptr [edi+8]
7716A04A EB 06 jmp short 7716A052
7716A04C DD46 08 fld qword ptr [esi+8]
7716A04F DC4F 08 fmul qword ptr [edi+8]
7716A052 DD55 F0 fst qword ptr [ebp-10] ; 结果在这里了
7716A055 B8 0000F0>mov eax, 7FF00000
7716A05A 8B4D F4 mov ecx, dword ptr [ebp-C]
7716A05D 23C8 and ecx, eax
7716A05F 3BC8 cmp ecx, eax
7716A061 6A 05 push 5
3、跟进 00402DA3 的 call,看看甚么东西相加,得到:
7349A02D > FF7424 04 push dword ptr [esp+4]
7349A031 FF7424 0C push dword ptr [esp+C]
7349A035 FF7424 14 push dword ptr [esp+14]
7349A039 FF15 240E>call dword ptr [734A0E24] ; (OLEAUT32.VarAdd)这里进去了
……跟进 (OLEAUT32.VarAdd) 得到下面的代码……
770FFD1E DB47 08 fild dword ptr [edi+8] ; 这里就是4CB27(314151)
770FFD21 EB 08 jmp short 770FFD2B
770FFD23 DF6F 08 fild qword ptr [edi+8]
770FFD26 EB 03 jmp short 770FFD2B
770FFD28 D947 08 fld dword ptr [edi+8]
770FFD2B DC46 08 fadd qword ptr [esi+8] ; 看下面的提示看到了吧。两个数加
770FFD2E EB 2D jmp short 770FFD5D
770FFD30 0FB646 08 movzx eax, byte ptr [esi+8]
770FFD34 8945 0C mov dword ptr [ebp+C], eax
770FFD37 DB45 0C fild dword ptr [ebp+C]
770FFD3A EB 1E jmp short 770FFD5A
770FFD3C 0FBF46 08 movsx eax, word ptr [esi+8]
770FFD40 8945 0C mov dword ptr [ebp+C], eax
770FFD43 DB45 0C fild dword ptr [ebp+C]
770FFD46 EB 12 jmp short 770FFD5A
770FFD48 DB46 08 fild dword ptr [esi+8]
770FFD4B EB 0D jmp short 770FFD5A
770FFD4D DF6E 08 fild qword ptr [esi+8]
770FFD50 EB 08 jmp short 770FFD5A
770FFD52 D946 08 fld dword ptr [esi+8]
770FFD55 EB 03 jmp short 770FFD5A
770FFD57 DD46 08 fld qword ptr [esi+8]
770FFD5A DC47 08 fadd qword ptr [edi+8]
770FFD5D DD55 F8 fst qword ptr [ebp-8] ; 结果出现了,也就是我们的注册码了。真码
770FFD60 B8 0000F0>mov eax, 7FF00000
770FFD65 8B4D FC mov ecx, dword ptr [ebp-4]
.版本 2
.程序集 窗口程序集1
.子程序 _按钮1_被单击
.局部变量 jiqima, 长整数型
.局部变量 code, 长整数型
' Keygen for "KeyGenMe #1 by JoJo", reconstructed from the trace above:
' the VB6 target multiplies the machine code by 7 (the constant written to
' [ebp-64] before __vbaVarMul / OLEAUT32.VarMul), adds 0x4CB27 = 314151
' (written to [ebp-74] before __vbaVarAdd / OLEAUT32.VarAdd) and compares
' the result with the entered code via __vbaVarTstEq; the je at 00402DE9
' then picks the success or failure message box.
' NOTE(review): the target evaluates this in double-precision Variant
' arithmetic (fild/fmul/fadd in the trace), while this keygen uses 长整数型;
' the two agree for the integer machine codes seen here — TODO confirm for
' very large inputs.
' jiqima = machine code read from the first edit box
jiqima = 到数值 (编辑框1.内容)
' code = jiqima * 7 + 314151, the value the target expects in the second box
code = jiqima × 7 + 314151
编辑框2.内容 = 到文本 (code)