[原创]f3rgo_chl1's Crackme 简单算法分析

2006-11-19 10:45
【破解日期】 2006年11月19日
【破解作者】 冷血书生
【作者邮箱】 MEIYOU
【作者主页】 hxxp://www.126sohu.com/
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 f3rgo_chl1's Crackme 分析
【下载地址】 本地
【软件大小】 68k
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
------------------------------------------------------------------------

--------
【破解内容】


  因为程序运行时会弹出 NAG 窗口，所以先把下面这条 6 字节的 call（FF15 5C104000，调用 MSVBVM60.rtcMsgBox）整体 NOP 掉，保存后再分析。注意 rtcMsgBox 属于由被调方平衡栈的 stdcall 函数，单纯 NOP 掉 call 会把它已经压栈的参数留在栈上；这里没有出问题应是因为 VB6 生成的函数退出时按 ebp 恢复 esp，具体以实际调试结果为准。

00408A4D     FF15 5C104000       call dword ptr ds:[<&MSVBVM60.#595>]  ; MSVBVM60.rtcMsgBox

/////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////

00408248     52                  push edx                              ; 用户名压栈
00408249     FF15 14104000       call dword ptr ds:[<&MSVBVM60.__vbaLe>; MSVBVM60.__vbaLenBstr
0040824F     33C9                xor ecx,ecx
00408251     83F8 04             cmp eax,4                             ; 与4比较
00408254     0F9FC1              setg cl
00408257     F7D9                neg ecx
00408259     66:898D 74FFFFFF    mov word ptr ss:[ebp-8C],cx
00408260     8D4D D8             lea ecx,dword ptr ss:[ebp-28]
00408263     FF15 2C114000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
00408269     8D4D C4             lea ecx,dword ptr ss:[ebp-3C]
0040826C     FF15 30114000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
00408272     66:39B5 74FFFFFF    cmp word ptr ss:[ebp-8C],si
00408279     0F84 53030000       je f3rgo_ch.004085D2                  ; 相等就OVER
0040827F     8B17                mov edx,dword ptr ds:[edi]
00408281     57                  push edi
00408282     FF92 08030000       call dword ptr ds:[edx+308]
00408288     50                  push eax
00408289     8D45 C4             lea eax,dword ptr ss:[ebp-3C]
0040828C     50                  push eax
0040828D     FF15 58104000       call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
00408293     8B08                mov ecx,dword ptr ds:[eax]
00408295     8D55 D8             lea edx,dword ptr ss:[ebp-28]
00408298     52                  push edx
00408299     50                  push eax
0040829A     8985 7CFFFFFF       mov dword ptr ss:[ebp-84],eax
004082A0     FF91 A0000000       call dword ptr ds:[ecx+A0]
004082A6     3BC6                cmp eax,esi
004082A8     DBE2                fclex
004082AA     7D 18               jge short f3rgo_ch.004082C4
004082AC     8B8D 7CFFFFFF       mov ecx,dword ptr ss:[ebp-84]
004082B2     68 A0000000         push 0A0
004082B7     68 00794000         push f3rgo_ch.00407900
004082BC     51                  push ecx
004082BD     50                  push eax
004082BE     FF15 44104000       call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
004082C4     8B55 D8             mov edx,dword ptr ss:[ebp-28]
004082C7     52                  push edx
004082C8     FF15 14104000       call dword ptr ds:[<&MSVBVM60.__vbaLe>; MSVBVM60.__vbaLenBstr
004082CE     8BC8                mov ecx,eax                           ; 获得用户名长度
004082D0     FF15 94104000       call dword ptr ds:[<&MSVBVM60.__vbaI2>; MSVBVM60.__vbaI2I4
004082D6     8D4D D8             lea ecx,dword ptr ss:[ebp-28]
004082D9     8985 68FFFFFF       mov dword ptr ss:[ebp-98],eax         ; 转移
004082DF     BE 01000000         mov esi,1
004082E4     FF15 2C114000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
004082EA     8D4D C4             lea ecx,dword ptr ss:[ebp-3C]
004082ED     FF15 30114000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
004082F3     66:3BB5 68FFFFFF    cmp si,word ptr ss:[ebp-98]           ; 比较是否取完
004082FA     0F8F F0000000       jg f3rgo_ch.004083F0                  ; 取完就走闪
00408300     8B07                mov eax,dword ptr ds:[edi]
00408302     57                  push edi
00408303     FF90 08030000       call dword ptr ds:[eax+308]
00408309     8D4D C4             lea ecx,dword ptr ss:[ebp-3C]
0040830C     50                  push eax
0040830D     51                  push ecx
0040830E     FF15 58104000       call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
00408314     8BD8                mov ebx,eax
00408316     8D45 D8             lea eax,dword ptr ss:[ebp-28]
00408319     50                  push eax
0040831A     53                  push ebx
0040831B     8B13                mov edx,dword ptr ds:[ebx]
0040831D     FF92 A0000000       call dword ptr ds:[edx+A0]
00408323     85C0                test eax,eax
00408325     DBE2                fclex
00408327     7D 12               jge short f3rgo_ch.0040833B
00408329     68 A0000000         push 0A0
0040832E     68 00794000         push f3rgo_ch.00407900
00408333     53                  push ebx
00408334     50                  push eax
00408335     FF15 44104000       call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
0040833B     8B45 D8             mov eax,dword ptr ss:[ebp-28]
0040833E     8D4D A0             lea ecx,dword ptr ss:[ebp-60]
00408341     0FBFD6              movsx edx,si
00408344     8945 B8             mov dword ptr ss:[ebp-48],eax
00408347     51                  push ecx
00408348     8D45 B0             lea eax,dword ptr ss:[ebp-50]
0040834B     52                  push edx
0040834C     8D4D 90             lea ecx,dword ptr ss:[ebp-70]
0040834F     50                  push eax
00408350     51                  push ecx
00408351     C745 A8 01000000    mov dword ptr ss:[ebp-58],1
00408358     C745 A0 02000000    mov dword ptr ss:[ebp-60],2
0040835F     C745 D8 00000000    mov dword ptr ss:[ebp-28],0
00408366     C745 B0 08000000    mov dword ptr ss:[ebp-50],8
0040836D     FF15 74104000       call dword ptr ds:[<&MSVBVM60.#632>]  ; MSVBVM60.rtcMidCharVar
00408373     8D55 90             lea edx,dword ptr ss:[ebp-70]
00408376     8D45 D4             lea eax,dword ptr ss:[ebp-2C]
00408379     52                  push edx
0040837A     50                  push eax
0040837B     FF15 CC104000       call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarVal
00408381     50                  push eax
00408382     FF15 28104000       call dword ptr ds:[<&MSVBVM60.#516>]  ; MSVBVM60.rtcAnsiValueBstr
00408388     8B4D E4             mov ecx,dword ptr ss:[ebp-1C]
0040838B     66:8BD8             mov bx,ax                             ; 
0040838E     51                  push ecx
0040838F     FF15 C4104000       call dword ptr ds:[<&MSVBVM60.__vbaI2>; MSVBVM60.__vbaI2Str
00408395     66:03D8             add bx,ax                             ; 累加 
00408398     0F80 B7020000       jo f3rgo_ch.00408655
0040839E     53                  push ebx
0040839F     FF15 00104000       call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrI2
004083A5     8B1D 18114000       mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaStrMove
004083AB     8BD0                mov edx,eax                           ; 
004083AD     8D4D E4             lea ecx,dword ptr ss:[ebp-1C]
004083B0     FFD3                call ebx
004083B2     8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
004083B5     FF15 2C114000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
004083BB     8D4D C4             lea ecx,dword ptr ss:[ebp-3C]
004083BE     FF15 30114000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
004083C4     8D55 90             lea edx,dword ptr ss:[ebp-70]
004083C7     8D45 A0             lea eax,dword ptr ss:[ebp-60]
004083CA     52                  push edx
004083CB     8D4D B0             lea ecx,dword ptr ss:[ebp-50]
004083CE     50                  push eax
004083CF     51                  push ecx
004083D0     6A 03               push 3
004083D2     FF15 18104000       call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
004083D8     B8 01000000         mov eax,1
004083DD     83C4 10             add esp,10
004083E0     66:03C6             add ax,si
004083E3     0F80 6C020000       jo f3rgo_ch.00408655
004083E9     8BF0                mov esi,eax
004083EB   ^ E9 03FFFFFF         jmp f3rgo_ch.004082F3                 ; 循环计算
004083F0     8B55 E4             mov edx,dword ptr ss:[ebp-1C]         ; 
004083F3     8B35 C4104000       mov esi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaI2Str
004083F9     52                  push edx
004083FA     FFD6                call esi
004083FC     35 9A020000         xor eax,29A                           ; eax xor 29A 
00408401     50                  push eax                              ; 
00408402     FF15 00104000       call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrI2
00408408     8BD0                mov edx,eax                           ; 保存结果
0040840A     8D4D E0             lea ecx,dword ptr ss:[ebp-20]
0040840D     FFD3                call ebx
0040840F     8B45 E0             mov eax,dword ptr ss:[ebp-20]
00408412     50                  push eax
00408413     FFD6                call esi
00408415     83F0 7B             xor eax,7B                            ; eax xor 7B
00408418     50                  push eax
00408419     FF15 00104000       call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrI2
0040841F     8BD0                mov edx,eax
00408421     8D4D DC             lea ecx,dword ptr ss:[ebp-24]
00408424     FFD3                call ebx
00408426     8B0F                mov ecx,dword ptr ds:[edi]
00408428     57                  push edi
00408429     FF91 04030000       call dword ptr ds:[ecx+304]
0040842F     8D55 C4             lea edx,dword ptr ss:[ebp-3C]
00408432     50                  push eax
00408433     52                  push edx
00408434     FF15 58104000       call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
0040843A     8BF0                mov esi,eax
0040843C     8D4D D8             lea ecx,dword ptr ss:[ebp-28]
0040843F     51                  push ecx
00408440     56                  push esi
00408441     8B06                mov eax,dword ptr ds:[esi]
00408443     FF90 A0000000       call dword ptr ds:[eax+A0]
00408449     85C0                test eax,eax
0040844B     DBE2                fclex
0040844D     7D 12               jge short f3rgo_ch.00408461
0040844F     68 A0000000         push 0A0
00408454     68 00794000         push f3rgo_ch.00407900
00408459     56                  push esi
0040845A     50                  push eax
0040845B     FF15 44104000       call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
00408461     8B55 D8             mov edx,dword ptr ss:[ebp-28]
00408464     8B45 E4             mov eax,dword ptr ss:[ebp-1C]
00408467     8B35 38104000       mov esi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaStrCat
0040846D     52                  push edx
0040846E     50                  push eax
0040846F     68 14794000         push f3rgo_ch.00407914
00408474     FFD6                call esi
00408476     8BD0                mov edx,eax                           ; 
00408478     8D4D D4             lea ecx,dword ptr ss:[ebp-2C]
0040847B     FFD3                call ebx
0040847D     8B4D E0             mov ecx,dword ptr ss:[ebp-20]
00408480     50                  push eax
00408481     51                  push ecx
00408482     FFD6                call esi
00408484     8BD0                mov edx,eax                           ; 
00408486     8D4D D0             lea ecx,dword ptr ss:[ebp-30]
00408489     FFD3                call ebx
0040848B     50                  push eax
0040848C     68 14794000         push f3rgo_ch.00407914
00408491     FFD6                call esi
00408493     8BD0                mov edx,eax
00408495     8D4D CC             lea ecx,dword ptr ss:[ebp-34]
00408498     FFD3                call ebx
0040849A     8B55 DC             mov edx,dword ptr ss:[ebp-24]
0040849D     50                  push eax
0040849E     52                  push edx
0040849F     FFD6                call esi
004084A1     8BD0                mov edx,eax                           ; 保存注册码
004084A3     8D4D C8             lea ecx,dword ptr ss:[ebp-38]
004084A6     FFD3                call ebx                              ; MSVBVM60.__vbaStrMove
004084A8     50                  push eax
004084A9     FF15 8C104000       call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrCmp
004084AF     8BF0                mov esi,eax                           ; 经典比较
004084B1     8D45 C8             lea eax,dword ptr ss:[ebp-38]


/////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////

算法总结:

1. 用户名长度检查：`__vbaLenBstr` 取长度后 `cmp eax,4 / setg cl`，长度必须严格大于 4 个字符（即至少 5 位），否则直接跳到 004085D2 验证失败。
2. A = 用户名各字符 ASCII 码之和：循环中用 rtcMidCharVar 逐个取字符（相当于 Mid(name, i, 1)），rtcAnsiValueBstr 取其码值（相当于 Asc），累加到 bx 后再转回字符串保存在 [ebp-1C]。累加器是 16 位的 VB Integer，`add bx,ax` 之后有 `jo` 溢出检查（跳到 00408655），所以总和不能超过 32767；从函数名 rtcAnsiValueBstr 推断，非 ASCII 字符取到的是 ANSI 码值而不是 Unicode 码值。
3. B = A xor 29Ah（十进制 666）。
4. C = B xor 7Bh（十进制 123）。
5. 注册码 = CStr(A) & "-" & CStr(B) & "-" & CStr(C)：用 __vbaStrCat 依次拼接后，由 __vbaStrCmp 与输入框内容做逐字符精确比较，因此输入必须是十进制数字并以 "-" 分隔，不能带前导零或多余空格。

name: lengxue
code: 760-98-25
验算：l(108)+e(101)+n(110)+g(103)+x(120)+u(117)+e(101) = 760，760 xor 666 = 98，98 xor 123 = 25，与上述算法一致；下面回复中给出的 chinesew → 854-460-439 同样符合。
------------------------------------------------------------------------

-------- 


fonge 5 2006-11-19 11:23
为像我这样的初学者们补上一句
下的是 __vbaStrCmp 断点，断下之后从比较处倒着往上看即可定位整个算法。

谢谢冷
qqpprr 2006-11-24 20:23
chinesew
854-460-439