近日练习时调试飘云阁的CrackMe#1,它有2点要求:
1. 给1个注册码;
2. 去掉关闭时的Nag和飘云阁网站登录。
用WKTVBDE和VBExplorer,第1个任务已经完成了。
可是第2个任务,却是试来试去也不成功。在OD中修改N-code的VB程序或者其它语言的程序易如反掌,可在WKTVBDE中却是步步险滩,连简单地Nop掉一个字节都难,一有修改就运行出错(旧的NAG还没去,新的又来了),而且修改后图标也没有了,特发贴求助,希望知道的朋友能提供些资料和参考。
附上分析出来的算法:
算法总结:
1. 常数7BF(1983);
2. val1 = 2537h(9527);
3. val2 = Name各位相加的和(hud:0x141);
4. val1 %= val2;
5. val1 *= len(Name);
6. val1 *= Name[0];
7. val1 += 094D1159;
8. val1 = 094E1B09 (156113673);
9. 试练码取左边9位,化为数字,val2;
10.val2 \ val1 < 2 (整数除法,IDvVar);
11.如果val2 Mod val1 = 7BF,就成功了。也就是说试练码val2 = val1 + 7BF,与下面的注册机一致(操作数顺序可由00403B49/00403B85两处FStVar的存放位置LOCAL_0114/LOCAL_00B4确认)。
VC注册机:
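// Keygen for the CrackMe's Command1.Click check (see the P-code analysis below).
// The target computes
//     val3 = (0x2537 Mod Sum(Asc(Name[i]))) * Len(Name) * Asc(Name[0]) + 0x094D1159
// and accepts a serial SN when SN \ val3 < 2 and SN Mod val3 = 0x7BF,
// which is satisfied by SN = val3 + 0x7BF.
// Reads m_szName (dialog input) and writes m_szSN (dialog output). Does
// nothing when the name is empty or when its character sum is 0, because
// 0x2537 % 0 would be undefined behaviour.
void CKeygenDlg::OnOK()
{
	UpdateData(true);                       // pull the edit-box text into m_szName
	const int nLen = m_szName.GetLength();
	if (nLen < 1)
		return;
	DWORD a = 0;
	for (int i = 0; i < nLen; ++i)
		a += m_szName[i];                   // per-character sum, as the target's Asc() loop
	if (a == 0)
		return;                             // guard against division by zero below
	a = (0x2537 % a) * nLen * m_szName[0] + 0x094D1159 + 0x7BF;
	char s[30];
	// bounded formatting; a DWORD needs at most 10 decimal digits
	snprintf(s, sizeof s, "%lu", static_cast<unsigned long>(a));
	m_szSN = s;
	UpdateData(false);                      // push m_szSN back to the dialog
}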
由于WKTVBDE中调试不方便,以下反汇编代码是调试后用VBExplorer中的反汇编代码加上注释的,可能有些地方不完全相符。
[Command1.Click]
:004039D4 28DCFEBF07 LitVarI2 ;PushVarInteger 07BF 常数7BFh
:004039D9 FCF6FCFE FStVar ;
:004039DD FEC1DCFE59114D09 LitVarI4 ;
:004039E5 FCF60CFF FStVar ;
:004039E9 28DCFE3725 LitVarI2 ;PushVarInteger 2537
常数2537h
:004039EE FCF61CFF FStVar ;
:004039F2 04D4FE FLdRfVar ;Push LOCAL_012C
:004039F5 21 FLdPrThis ;[SR]=[stack2]
:004039F6 0F0003 VCallAd ;Return the control index 02
:004039F9 19D8FE FStAdFunc ;
:004039FC 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propget]TextBox.Text 取得Name
:004039FF 0DA0000000 VCallHresult ;Call ptr_004023A4
:00403A04 3ED4FE FLdZeroAd ;Push DWORD [LOCAL_012C]; [LOCAL_012C]=0
:00403A07 46C4FE CVarStr ;
:00403A0A 04B4FE FLdRfVar ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcTrimVar Trim用户名
:00403A0D 0A01000800 ImpAdCallFPR4 ;Call ptr_00401046; check stack 0008; Push EAX
:00403A12 04B4FE FLdRfVar ;Push LOCAL_014C
:00403A15 FCF66CFF FStVar ;
:00403A19 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403A1C 35C4FE FFree1Var ;Free LOCAL_013C
:00403A1F 04D4FE FLdRfVar ;Push LOCAL_012C
:00403A22 21 FLdPrThis ;[SR]=[stack2]
:00403A23 0F0403 VCallAd ;Return the control index 03
:00403A26 19D8FE FStAdFunc ;
:00403A29 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propget]TextBox.Text 取得试练码
:00403A2C 0DA0000000 VCallHresult ;Call ptr_004023A4
:00403A31 3ED4FE FLdZeroAd ;Push DWORD [LOCAL_012C]; [LOCAL_012C]=0
:00403A34 46C4FE CVarStr ;
:00403A37 04B4FE FLdRfVar ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcTrimVar Trim试练码
:00403A3A 0A01000800 ImpAdCallFPR4 ;Call ptr_00401046; check stack 0008; Push EAX
:00403A3F 04B4FE FLdRfVar ;Push LOCAL_014C
:00403A42 FCF65CFF FStVar ;
:00403A46 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403A49 35C4FE FFree1Var ;Free LOCAL_013C
:00403A4C 046CFF FLdRfVar ;Push LOCAL_0094
******Possible String Ref To->"" Name不能为空
:00403A4F 3ADCFE0200 LitVarStr ;PushVarString ptr_004023B8
:00403A54 5D HardType ;
:00403A55 FB2FC4FE EqVar ;
:00403A59 045CFF FLdRfVar ;Push LOCAL_00A4
******Possible String Ref To->"" 试练码不能为空
:00403A5C 3AA4FE0200 LitVarStr ;PushVarString ptr_004023B8
:00403A61 5D HardType ;
:00403A62 FB2FB4FE EqVar ;
:00403A66 FB1F94FE OrVar ;
:00403A6A FF1B CBoolVarNull ;vbaBoolVarNull
:00403A6C 1CC300 BranchF ;If Pop=0 then ESI=00403A97
:00403A6F F4FF LitI2_Byte ;Push FF
:00403A71 21 FLdPrThis ;[SR]=[stack2]
:00403A72 0F2403 VCallAd ;Return the control index 0b
:00403A75 19D8FE FStAdFunc ;
:00403A78 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible 为空则Label可见,显示失败信息
:00403A7B 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403A80 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403A83 F400 LitI2_Byte ;Push 00
:00403A85 21 FLdPrThis ;[SR]=[stack2]
:00403A86 0F2003 VCallAd ;Return the control index 0a
:00403A89 19D8FE FStAdFunc ;
:00403A8C 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible 为空则Label可见,显示失败信息
:00403A8F 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403A94 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403A97 046CFF FLdRfVar ;Push LOCAL_0094
******Possible String Ref To->""
|
:00403A9A 3ADCFE0200 LitVarStr ;PushVarString ptr_004023B8
:00403A9F 5D HardType ;
:00403AA0 FB3CC4FE NeVar ;
:00403AA4 045CFF FLdRfVar ;Push LOCAL_00A4
******Possible String Ref To->""
|
:00403AA7 3AA4FE0200 LitVarStr ;PushVarString ptr_004023B8
:00403AAC 5D HardType ;
:00403AAD FB3CB4FE NeVar ;
:00403AB1 FB2794FE AndVar ;
:00403AB5 FF1B CBoolVarNull ;vbaBoolVarNull
:00403AB7 1C7202 BranchF ;If Pop=0 then ESI=00403C46
:00403ABA 28DCFE0000 LitVarI2 ;PushVarInteger 0000
:00403ABF FCF62CFF FStVar ;
:00403AC3 28A4FE0100 LitVarI2 ;PushVarInteger 0001 常数1
:00403AC8 043CFF FLdRfVar ;Push LOCAL_00C4
:00403ACB 046CFF FLdRfVar ;Push LOCAL_0094
:00403ACE FBEBC4FE FnLenVar ;vbaLenVar
:00403AD2 FE6874FE4601 ForVar ;
相当于For i = 1 To Len(Name)
:00403AD8 042CFF FLdRfVar ;Push LOCAL_00D4
:00403ADB 28C4FE0100 LitVarI2 ;PushVarInteger 0001
:00403AE0 043CFF FLdRfVar ;Push LOCAL_00C4
:00403AE3 FC22 CI4Var ;vbaI4Var
:00403AE5 046CFF FLdRfVar ;Push LOCAL_0094
:00403AE8 04B4FE FLdRfVar ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcMidCharVar 相当于c = Mid(Name, i, 1)
:00403AEB 0A04001000 ImpAdCallFPR4 ;Call ptr_0040104C; check stack 0010; Push EAX
:00403AF0 04B4FE FLdRfVar ;Push LOCAL_014C
:00403AF3 FDFED4FE CStrVarVal ;
**********Reference To->msvbvm60.rtcAnsiValueBstr val = Asc(c)
:00403AF7 0B05000400 ImpAdCallI2 ;Call ptr_00401052; check stack 0004; Push EAX
:00403AFC 44A4FE CVarI2 ;
:00403AFF FB9494FE AddVar ; val累加
:00403B03 FCF62CFF FStVar ;
:00403B07 2FD4FE FFree1Str ;SysFreeString [LOCAL_012C]; [LOCAL_012C]=0
:00403B0A 360400C4FEB4FE FFreeVar ;Free 0004/2 variants
:00403B11 043CFF FLdRfVar ;Push LOCAL_00C4
:00403B14 FE7E74FE0401 NextStepVar ; 循环回去
:00403B1A 041CFF FLdRfVar ;Push LOCAL_00E4 val1 = 2537h(9527)
:00403B1D 042CFF FLdRfVar ;Push LOCAL_00D4 val2 = Name各位和
:00403B20 FBA4C4FE ModVar ; val3 = val1 Mod val2
:00403B24 046CFF FLdRfVar ;Push LOCAL_0094
:00403B27 FBEBB4FE FnLenVar ;vbaLenVar Len(Name)
:00403B2B FBB494FE MulVar ; val3 = val3 * Len(Name)
:00403B2F 046CFF FLdRfVar ;Push LOCAL_0094 Mid(Name, 1, 1)
:00403B32 FDFED4FE CStrVarVal ;
**********Reference To->msvbvm60.rtcAnsiValueBstr Asc( Mid(Name, 1, 1) )
:00403B36 0B05000400 ImpAdCallI2 ;Call ptr_00401052; check stack 0004; Push EAX
:00403B3B 44DCFE CVarI2 ;
:00403B3E FBB464FE MulVar ; val3 = val3 * Asc( Mid(Name, 1, 1) )
:00403B42 040CFF FLdRfVar ;Push LOCAL_00F4
:00403B45 FB9454FE AddVar ; val3 = val3 + &H094D1159
:00403B49 FCF6ECFE FStVar ;
:00403B4D 2FD4FE FFree1Str ;SysFreeString [LOCAL_012C]; [LOCAL_012C]=0
:00403B50 04D4FE FLdRfVar ;Push LOCAL_012C
:00403B53 21 FLdPrThis ;[SR]=[stack2]
:00403B54 0F0403 VCallAd ;Return the control index 03
:00403B57 19D8FE FStAdFunc ;
:00403B5A 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propget]TextBox.Text 取得试练码
:00403B5D 0DA0000000 VCallHresult ;Call ptr_004023A4
:00403B62 F509000000 LitI4 ;Push 00000009 常数9
:00403B67 3ED4FE FLdZeroAd ;Push DWORD [LOCAL_012C]; [LOCAL_012C]=0
:00403B6A 46C4FE CVarStr ;
:00403B6D 04B4FE FLdRfVar ;Push LOCAL_014C
**********Reference To->msvbvm60.rtcLeftCharVar str = Left(SN, 9)
:00403B70 0A06000C00 ImpAdCallFPR4 ;Call ptr_00401058; check stack 000C; Push EAX
:00403B75 04B4FE FLdRfVar ;Push LOCAL_014C
:00403B78 FDFE50FE CStrVarVal ;
**********Reference To->msvbvm60.rtcR8ValFromBstr val4 = CDbl(str)
:00403B7C 0A07000400 ImpAdCallFPR4 ;Call ptr_0040105E; check stack 0004; Push EAX
:00403B81 FD6BDCFE CVarR8 ;
:00403B85 FCF64CFF FStVar ;
:00403B89 2F50FE FFree1Str ;SysFreeString [LOCAL_01B0]; [LOCAL_01B0]=0
:00403B8C 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403B8F 360400C4FEB4FE FFreeVar ;Free 0004/2 variants
:00403B96 044CFF FLdRfVar ;Push LOCAL_00B4 val4 (00403B85处FStVar存入的试练码数值)
:00403B99 04ECFE FLdRfVar ;Push LOCAL_0114 val3 (00403B49处FStVar存入的计算结果)
:00403B9C FB67 LtVarBool ;Push (val4 < val3) 试练码小于val3则失败
:00403B9E 1CF801 BranchF ;If Pop=0 then ESI=00403BCC 即val4 >= val3时继续
:00403BA1 F400 LitI2_Byte ;Push 00
:00403BA3 21 FLdPrThis ;[SR]=[stack2]
:00403BA4 0F2003 VCallAd ;Return the control index 0a
:00403BA7 19D8FE FStAdFunc ;
:00403BAA 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible 显示失败信息
:00403BAD 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403BB2 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403BB5 F4FF LitI2_Byte ;Push FF
:00403BB7 21 FLdPrThis ;[SR]=[stack2]
:00403BB8 0F2403 VCallAd ;Return the control index 0b
:00403BBB 19D8FE FStAdFunc ;
:00403BBE 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible
|
:00403BC1 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403BC6 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403BC9 1E7202 Branch ;ESI=00403C46 如果跳到这里则继续
:00403BCC 044CFF FLdRfVar ;Push LOCAL_00B4 val4 (试练码)
:00403BCF 04ECFE FLdRfVar ;Push LOCAL_0114 val3 (计算结果)
:00403BD2 FBACC4FE IDvVar ; val4 \ val3 (整数除法)
:00403BD6 28DCFE0200 LitVarI2 ;PushVarInteger 0002
:00403BDB 5D HardType ;
:00403BDC FB5A GeVarBool ; If val4 \ val3 >= 2 Then GameOver
:00403BDE 1C3802 BranchF ;If Pop=0 then ESI=00403C0C
:00403BE1 F400 LitI2_Byte ;Push 00
:00403BE3 21 FLdPrThis ;[SR]=[stack2]
:00403BE4 0F2003 VCallAd ;Return the control index 0a
:00403BE7 19D8FE FStAdFunc ;
:00403BEA 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible 显示失败信息
:00403BED 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403BF2 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403BF5 F4FF LitI2_Byte ;Push FF
:00403BF7 21 FLdPrThis ;[SR]=[stack2]
:00403BF8 0F2403 VCallAd ;Return the control index 0b
:00403BFB 19D8FE FStAdFunc ;
:00403BFE 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible
|
:00403C01 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403C06 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403C09 1E7202 Branch ;ESI=00403C46 跳到这里继续
:00403C0C 044CFF FLdRfVar ;Push LOCAL_00B4 val4 (试练码)
:00403C0F 04ECFE FLdRfVar ;Push LOCAL_0114 val3 (计算结果)
:00403C12 FBA4C4FE ModVar ; val4 Mod val3
:00403C16 04FCFE FLdRfVar ;Push LOCAL_0104 常数7BF
:00403C19 FB33 EqVarBool ;
:00403C1B 1C7202 BranchF ;If Pop=0 then ESI=00403C46 If val4 Mod val3 = 7BF Then NoJump And Success! (结合上面的两个检查,即试练码 = val3 + 7BF)
:00403C1E F4FF LitI2_Byte ;Push FF
:00403C20 21 FLdPrThis ;[SR]=[stack2]
:00403C21 0F2003 VCallAd ;Return the control index 0a
:00403C24 19D8FE FStAdFunc ;
:00403C27 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible 显示成功
:00403C2A 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403C2F 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403C32 F400 LitI2_Byte ;Push 00
:00403C34 21 FLdPrThis ;[SR]=[stack2]
:00403C35 0F2403 VCallAd ;Return the control index 0b
:00403C38 19D8FE FStAdFunc ;
:00403C3B 08D8FE FLdPr ;[SR]=[LOCAL_0128]
***********Reference To:[propput]Label.Visible
|
:00403C3E 0D9C000300 VCallHresult ;Call ptr_004023BC
:00403C43 1AD8FE FFree1Ad ;Push [LOCAL_0128]; Call [[[LOCAL_0128]]+8]; [[LOCAL_0128]]=0
:00403C46 13 ExitProcHresult ;