【Title】[Original] Cracking analysis of 注册验证Lv3sp1
【Author】吴宗宪(酷子)
【Author e-mail】1183204qq.com
【Author homepage】1183204qq.com
【Tools】PEiD 0.94 + OllyDbg
【Platform】Windows XP SP2
【Target】crackme 注册验证Lv3sp1 ("Registration Verification Lv3sp1")
【Size】21.5 KB
【Original download】http://bbs.pediy.com/showthread.php?t=47384
【Protection】ASPack packer + file-size self-check
【Description】A crackme
【Disclaimer】I am just starting out with cracking and doing this purely out of interest, with no other purpose. Please point out any mistakes!
------------------------------------------------------------------------
【Process】Today I saw a VB crackme posted by samisgod in pediy's 『CrackMe & ReverseMe』 board and borrowed it for practice, so as not to get rusty.
Standard routine first: check for a packer with PEiD:
ASPack 2.12 -> Alexey Solodovnikov
Unpacking needs no elaboration; the ESP trick does it (hardware breakpoint on access at [ESP] right after the PUSHAD at the packer entry, run, and you stop just past the POPAD, at the jump to the OEP).
Scan again: a VB program. VB makes my head hurt.
Run it... ah, there's a self-check too, one more obstacle in the way (come on, I'm a beginner, does it need to be this hard?).
Since it's VB, let's try this:
BP rtcFileLen
Alt+F9 to return to user code, then F8 down to here:
00405CE3 . DC1D 00114000 FCOMP QWORD PTR DS:[401100] ; compare the file length with the expected size stored at 401100
00405CE9 . DFE0 FSTSW AX
00405CEB . F6C4 40 TEST AH,40
00405CEE . 0F84 8A000000 JE a_.00405D7E ; must not jump (TEST AH,40 checks C3, which FCOMP sets only on equality; a size mismatch goes to __vbaEnd)
00405CF4 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
00405CF7 . 51 PUSH ECX
00405CF8 . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405CFE . DC1D 00114000 FCOMP QWORD PTR DS:[401100]
00405D04 . DFE0 FSTSW AX
00405D06 . F6C4 40 TEST AH,40
00405D09 . 74 73 JE SHORT a_.00405D7E ; must not jump
00405D0B . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00405D0E . 52 PUSH EDX
00405D0F . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405D15 . DC1D 00114000 FCOMP QWORD PTR DS:[401100]
00405D1B . DFE0 FSTSW AX
00405D1D . F6C4 40 TEST AH,40
00405D20 . 74 5C JE SHORT a_.00405D7E ; must not jump
00405D22 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00405D25 . 50 PUSH EAX
00405D26 . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405D2C . DC1D 00114000 FCOMP QWORD PTR DS:[401100]
00405D32 . DFE0 FSTSW AX
00405D34 . F6C4 40 TEST AH,40
00405D37 . 74 45 JE SHORT a_.00405D7E ; must not jump
00405D39 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
00405D3C . 51 PUSH ECX
00405D3D . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405D43 . DC1D 00114000 FCOMP QWORD PTR DS:[401100]
00405D49 . DFE0 FSTSW AX
00405D4B . F6C4 40 TEST AH,40
00405D4E . 74 2E JE SHORT a_.00405D7E ; must not jump
00405D50 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00405D53 . 52 PUSH EDX
00405D54 . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405D5A . DC1D 00114000 FCOMP QWORD PTR DS:[401100]
00405D60 . DFE0 FSTSW AX
00405D62 . F6C4 40 TEST AH,40
00405D65 . 74 17 JE SHORT a_.00405D7E ; must not jump
00405D67 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00405D6A . 50 PUSH EAX
00405D6B . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405D71 . DC1D 00114000 FCOMP QWORD PTR DS:[401100]
00405D77 . DFE0 FSTSW AX
00405D79 . F6C4 40 TEST AH,40
00405D7C . 75 06 JNZ SHORT a_.00405D84 ; must jump here, skipping __vbaEnd
00405D7E > FF15 14D04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaEnd>] ; msvbvm60.__vbaEnd
00405D84 > 895D FC MOV DWORD PTR SS:[EBP-4],EBX
With the jumps above patched, the self-check is gone. The check itself is simple: rtcFileLen reads the program's own length and the result is compared six times against the constant double at 401100; since the unpacked file no longer has the original size, the very first JE would otherwise send the program straight to __vbaEnd.
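An added example, not part of the original write-up: a small Python patcher that applies the seven jump patches from the listing to the unpacked file. It maps each debugger address to a raw file offset through the PE section table and refuses to write unless the bytes on disk match the listing, so it cannot silently half-patch a different build or a still-packed file. The image base 0x400000 and the embedded sample PE are constructed here for offline testing; against the real unpacked file, pass its path on the command line. An equivalent single-byte-sequence alternative that follows from the listing is to overwrite the 8-byte double at 401100 with the patched file's actual size, since that constant is the only thing rtcFileLen is compared with.

```python
"""Disarm the rtcFileLen self-check by patching the seven jumps seen in the listing."""
import struct

IMAGE_BASE_DEFAULT = 0x00400000  # assumption: the usual VB6 image base; read from the header when patching

# (virtual address from OllyDbg, bytes expected there per the listing, replacement)
SELF_CHECK_PATCHES = [
    (0x00405CEE, bytes.fromhex("0F848A000000"), b"\x90" * 6),  # JE rel32  -> 6 NOPs
    (0x00405D09, bytes.fromhex("7473"), b"\x90\x90"),          # JE short  -> 2 NOPs
    (0x00405D20, bytes.fromhex("745C"), b"\x90\x90"),
    (0x00405D37, bytes.fromhex("7445"), b"\x90\x90"),
    (0x00405D4E, bytes.fromhex("742E"), b"\x90\x90"),
    (0x00405D65, bytes.fromhex("7417"), b"\x90\x90"),
    (0x00405D7C, bytes.fromhex("7506"), b"\xEB\x06"),          # JNZ -> JMP over the __vbaEnd call
]


def pe_headers(pe: bytes):
    """Return (ImageBase, [(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_offset(pe: bytes, va: int) -> int:
    """Translate a debugger virtual address into the file offset that backs it."""
    image_base, sections = pe_headers(pe)
    rva = va - image_base
    for vaddr, _vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + rawsize:
            return rawptr + (rva - vaddr)
    raise ValueError(f"{va:#010x} is not backed by file data")


def apply_patches(pe: bytes, patches=SELF_CHECK_PATCHES) -> bytes:
    """Check every original byte sequence before writing anything, so a mismatching
    binary is rejected whole rather than corrupted partway through."""
    out = bytearray(pe)
    for va, expected, replacement in patches:
        off = va_to_offset(pe, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#010x}: expected {expected.hex()}, found {found.hex()}")
        out[off:off + len(replacement)] = replacement
    return bytes(out)


def build_sample_pe() -> bytes:
    """CONSTRUCTED sample: a minimal PE32 with a single .text section that carries only
    the seven byte sequences at the listed addresses. It is not the crackme and does
    not run; it exists so the patcher can be exercised offline."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)             # Machine = i386, 1 section
    struct.pack_into("<H", hdr, 0x44 + 16, 0xE0)             # SizeOfOptionalHeader
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE_DEFAULT)
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x6000, 0x1000, 0x6000, 0x200)  # VSize, VA, RawSize, RawPtr
    text = bytearray(0x6000)
    for va, original, _ in SELF_CHECK_PATCHES:
        o = va - IMAGE_BASE_DEFAULT - 0x1000
        text[o:o + len(original)] = original
    return bytes(hdr + text)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
        open(sys.argv[1] + ".patched", "wb").write(apply_patches(data))
    else:
        patched = apply_patches(build_sample_pe())
        print("sample patched, %d bytes" % len(patched))
```

The offsets are derived from the section table of the file you pass in, so the script also works if the unpacker produced a different section layout; what it will not do is patch a file whose bytes at those addresses differ from the listing.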
Load the patched program and run it.
Username: 112233
Serial: 87654321
Since it's VB, try this one next:
bp __vbaStrCmp
004053DA . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004053DD . 50 PUSH EAX
004053DE . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; the string "112233" converted to a double
004053E4 . DC0D D8104000 FMUL QWORD PTR DS:[4010D8] ; 112233*3=336699
004053EA . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
004053ED . 51 PUSH ECX
004053EE . DFE0 FSTSW AX
004053F0 . A8 0D TEST AL,0D
004053F2 . 0F85 22020000 JNZ a_.0040561A ; TEST AL,0D checks the FPU invalid/zero-divide/overflow flags; set -> VB runtime error path
004053F8 . DD9D 28FFFFFF FSTP QWORD PTR SS:[EBP-D8]
004053FE . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405404 . DC85 28FFFFFF FADD QWORD PTR SS:[EBP-D8] ; 336699+112233=448932
0040540A . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0040540D . 52 PUSH EDX
0040540E . DFE0 FSTSW AX
00405410 . A8 0D TEST AL,0D
00405412 . 0F85 02020000 JNZ a_.0040561A
00405418 . DD9D 20FFFFFF FSTP QWORD PTR SS:[EBP-E0]
0040541E . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405424 . 833D 00704000>CMP DWORD PTR DS:[407000],0 ; runtime flag: 0 = plain FDIV, else the _adj_fdiv_m64 path (VB6's Pentium FDIV-bug workaround)
0040542B . 75 08 JNZ SHORT a_.00405435
0040542D . DC35 D0104000 FDIV QWORD PTR DS:[4010D0] ; 112233/2 = 56116.5
00405433 . EB 11 JMP SHORT a_.00405446
00405435 > FF35 D4104000 PUSH DWORD PTR DS:[4010D4]
0040543B . FF35 D0104000 PUSH DWORD PTR DS:[4010D0]
00405441 . E8 FEBCFFFF CALL <JMP.&msvbvm60._adj_fdiv_m64>
00405446 > 83EC 08 SUB ESP,8
00405446 > 83EC 08 SUB ESP,8
00405449 . DC85 20FFFFFF FADD QWORD PTR SS:[EBP-E0] ; 56116.5+448932 = 505048.5, the username side is finished
0040544F . DFE0 FSTSW AX
00405451 . A8 0D TEST AL,0D
00405453 . 0F85 C1010000 JNZ a_.0040561A
00405459 . DD1C24 FSTP QWORD PTR SS:[ESP]
0040545C . FF15 58D04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrR8>; msvbvm60.__vbaStrR8
00405462 . 8BD0 MOV EDX,EAX
00405464 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00405467 . FFD7 CALL EDI
00405469 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0040546C . 50 PUSH EAX
0040546D . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405473 . DC0D C8104000 FMUL QWORD PTR DS:[4010C8] ; 87654321*5=438271605
00405479 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0040547C . 51 PUSH ECX
0040547D . DFE0 FSTSW AX
0040547F . A8 0D TEST AL,0D
00405481 . 0F85 93010000 JNZ a_.0040561A
00405487 . DD9D 18FFFFFF FSTP QWORD PTR SS:[EBP-E8]
0040548D . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
00405493 . 833D 00704000>CMP DWORD PTR DS:[407000],0
0040549A . 75 08 JNZ SHORT a_.004054A4
0040549C . DC35 D0104000 FDIV QWORD PTR DS:[4010D0] ; 87654321/2 = 43827160.5
004054A2 . EB 11 JMP SHORT a_.004054B5
004054A4 > FF35 D4104000 PUSH DWORD PTR DS:[4010D4]
004054AA . FF35 D0104000 PUSH DWORD PTR DS:[4010D0]
004054B0 . E8 8FBCFFFF CALL <JMP.&msvbvm60._adj_fdiv_m64>
004054B5 > 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004054B8 . 52 PUSH EDX
004054B9 . DCAD 18FFFFFF FSUBR QWORD PTR SS:[EBP-E8] ; FSUBR computes mem - ST(0): 438271605-43827160.5 = 394444444.5
004054BF . DFE0 FSTSW AX
004054C1 . A8 0D TEST AL,0D
004054C3 . 0F85 51010000 JNZ a_.0040561A
004054C9 . DD9D 10FFFFFF FSTP QWORD PTR SS:[EBP-F0]
004054CF . FF15 7CD04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaR8Str>; msvbvm60.__vbaR8Str
004054D5 . DC85 10FFFFFF FADD QWORD PTR SS:[EBP-F0] ; 87654321+394444444.5 = 482098765.5
004054DB . 83EC 08 SUB ESP,8
004054DE . DFE0 FSTSW AX
004054E0 . A8 0D TEST AL,0D
004054E2 . 0F85 32010000 JNZ a_.0040561A
004054E8 . DD1C24 FSTP QWORD PTR SS:[ESP]
004054EB . FF15 58D04000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrR8>; msvbvm60.__vbaStrR8
004054F1 . 8BD0 MOV EDX,EAX
004054F3 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004054F6 . FFD7 CALL EDI
004054F8 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004054FB . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
004054FE . 8B3D 4CD04000 MOV EDI,DWORD PTR DS:[<&msvbvm60.__vbaSt>; msvbvm60.__vbaStrCmp
00405504 . 50 PUSH EAX ***** ; -> "505048.5" (username result, as a string)
00405505 . 51 PUSH ECX ***** ; -> "482098765.5" (serial result, as a string)
00405506 . FFD7 CALL EDI ***** ; <&msvbvm60.__vbaStrCmp>, the breakpoint hits here
00405508 . 85C0 TEST EAX,EAX ; the call above is the comparison; __vbaStrCmp returns 0 when the strings are equal
0040550A . 0F85 97000000 JNZ a_.004055A7 ; key jump: taken only on mismatch; falling through means registered
00405510 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
From the analysis: a value is computed from the username and another from the serial; both are turned back into strings with __vbaStrR8 and compared with __vbaStrCmp, and registration succeeds when the strings match.
The algorithm:
(username*3 + username) + username/2 = (serial*5 - serial/2) + serial
i.e. 4.5*username = 5.5*serial, which simplifies to
serial = username*9/11 = username*0.818181818181818...
Because it is the formatted strings that are compared, the cleanest serials come from usernames that are multiples of 11, where 9/11 of the name is an exact integer: for the 112233 used above that gives 91827, and both sides then read "505048.5".
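An added example, not part of the original post: a Python keygen that follows the two FPU sequences above operation by operation and then inverts them. Assumptions: vb_r8 and vb_str are my stand-ins for msvbvm60's __vbaR8Str (CDbl) and __vbaStrR8 (CStr, modelled as at most 15 significant digits with trailing zeros dropped), and every function name here is mine. Because the crackme compares the formatted strings rather than the doubles, the keygen re-runs the check on its own output before returning a serial; for usernames that are not multiples of 11 it emits the shortest decimal that round-trips to the right double and relies on that check to confirm the strings still match.

```python
"""Keygen for the username/serial check, following the disassembly above."""


def vb_str(x: float) -> str:
    """Stand-in for __vbaStrR8 (CStr on a Double).

    ASSUMPTION: VB6 prints a Double with at most 15 significant digits and drops
    trailing zeros, e.g. 505048.5 -> "505048.5". Python's '%.15g' reproduces that
    for the magnitudes a typed-in number reaches; it is not a byte-exact copy of
    the runtime's formatter, so verify generated serials in the debugger.
    """
    s = f"{x:.15g}"
    if "e" in s:
        raise ValueError(f"{x!r} would print in scientific notation; not modelled")
    return s


def vb_r8(s: str) -> float:
    """Stand-in for __vbaR8Str (CDbl on a String). Non-numeric input makes the VB
    runtime raise error 13 (Type mismatch); here a ValueError plays that role."""
    return float(s.strip())


def name_value(name: str) -> float:
    """The FPU sequence at 004053DE..00405449 applied to the username."""
    n = vb_r8(name)
    acc = n * 3.0          # FMUL [4010D8] (3.0)        -> 336699   for 112233
    acc = acc + n          # FADD [EBP-D8]              -> 448932
    acc = n / 2.0 + acc    # FDIV [4010D0] (2.0); FADD  -> 505048.5
    return acc


def serial_value(serial: str) -> float:
    """The FPU sequence at 0040546D..004054D5 applied to the serial."""
    s = vb_r8(serial)
    t = s * 5.0            # FMUL [4010C8] (5.0)
    t = t - s / 2.0        # FDIV [4010D0]; FSUBR [EBP-E8] computes mem - ST(0)
    return s + t           # FADD [EBP-F0]


def check(name: str, serial: str) -> bool:
    """The crackme's decision: __vbaStrCmp on the two formatted strings."""
    try:
        return vb_str(name_value(name)) == vb_str(serial_value(serial))
    except ValueError:
        return False


def keygen(name: str) -> str:
    """Invert 4.5*name == 5.5*serial, i.e. serial = 9*name/11.

    A username that is a multiple of 11 yields an exact integer serial. Otherwise
    9n/11 is a repeating decimal, so the shortest repr of the double is used and
    then pushed through the same arithmetic and formatting to confirm the strings
    really compare equal, since that is what the binary tests.
    """
    n = vb_r8(name)
    if n.is_integer() and int(n) % 11 == 0:
        serial = str(9 * int(n) // 11)
    else:
        serial = repr(9.0 * n / 11.0)
    if not check(name, serial):
        raise ValueError(f"no serial for {name!r} survives the string comparison")
    return serial


if __name__ == "__main__":
    for user in ("112233", "123456"):
        print(user, "->", keygen(user))
```

Run with no arguments to print serials for 112233 and 123456. The 112233/87654321 pair typed in above fails check() because the two sides format to "505048.5" and "482098765.5"; the keygen's 91827 makes both sides read "505048.5".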
Heh, done. Time to knock off and get some sleep.
------------------------------------------------------------------------
【Summary】As the saying goes: read three hundred Tang poems, and even if you can't compose poetry you can still recite it.
I believe: work through a few hundred exercises, and even if you can't crack yet, you'll get there.
------------------------------------------------------------------------
【Copyright】When reposting, please credit the source and the author and keep the article intact. Thank you!