[Original] Kain's first CrackMe: simple algorithm analysis + VB keygen source

Posted: 2007-11-18 13:17
【Title】Kain's first CrackMe: simple algorithm analysis + VB keygen source
【Author】hrbx
【Tools】OllyDbg 1.10, PEiD
【Date】2007-11-18
【Download】see the attachment; related thread: http://bbs.pediy.com/showthread.php?t=55020
【Target】Kain's first CrackMe
-----------------------------------------------------------------------------------------------
【Note】I'm just a newbie who has picked up a few insights and would like to share them :)
-----------------------------------------------------------------------------------------------
【Walkthrough】
1. Unpacking. A PEiD scan reports "Microsoft Visual Basic 5.0 / 6.0", so there is no packer. Entering a wrong code brings up an error message box.
2. Tracing the algorithm. Load the CrackMe in OD and press F9 to run it. Type bp rtcMsgBox in the command bar and press Enter, then enter the registration details and click "OK"; the debugger breaks immediately:
660DC5F3 M> 55 push ebp ; breaks here
660DC5F4 8BEC mov ebp,esp
660DC5F6 83EC 4C sub esp,4C
660DC5F9 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
Press Alt+F9; the error box pops up. Click its "OK" button to return, and you land at:
00405AF2 . FF15 6C104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00405AF8 . 8D95 24FEFFFF lea edx,dword ptr ss:[ebp-1DC] ; Alt+F9 returns here
00405AFE . 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
Scroll up and set a breakpoint with F2 at 00405070. Ctrl+F2 to reload the program, F9 to run it, then enter the registration details:
====================================================
Name: hrbx
Code: abcd1234
====================================================
Click "OK"; the debugger breaks immediately:
00405070 > \55 push ebp ; F2 breakpoint here; once it breaks, step down with F8
00405071 . 8BEC mov ebp,esp
00405073 . 83EC 0C sub esp,0C
00405076 . 68 C6124000 push <jmp.&MSVBVM60.__vbaExceptH>
---------------------------------------------------------------------
some code omitted
---------------------------------------------------------------------
00405286 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040528C > 8B45 9C mov eax,dword ptr ss:[ebp-64] ; fake code "abcd1234"
0040528F . 50 push eax
00405290 . 68 741E4000 push crackme.00401E74
00405295 . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__>; checks whether the code is empty
0040529B . 8B4D A0 mov ecx,dword ptr ss:[ebp-60] ; username "hrbx"
0040529E . 8BD8 mov ebx,eax
004052A0 . F7DB neg ebx
004052A2 . 1BDB sbb ebx,ebx
004052A4 . 51 push ecx
004052A5 . 43 inc ebx
004052A6 . 68 741E4000 push crackme.00401E74
004052AB . F7DB neg ebx
004052AD . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__>; checks whether the username is empty
004052B3 . F7D8 neg eax
004052B5 . 1BC0 sbb eax,eax
004052B7 . 8D55 9C lea edx,dword ptr ss:[ebp-64]
004052BA . 40 inc eax
004052BB . 52 push edx
004052BC . F7D8 neg eax
004052BE . 0BD8 or ebx,eax
004052C0 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
004052C3 . 50 push eax
004052C4 . 6A 02 push 2
004052C6 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
004052CC . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004052D2 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
004052D5 . 51 push ecx
004052D6 . 52 push edx
004052D7 . 6A 02 push 2
004052D9 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
004052DF . 83C4 18 add esp,18
004052E2 . 66:3BDF cmp bx,di
004052E5 . 74 0A je short crackme.004052F1 ; username or code empty -> fail; patch point 1, change to jmp
004052E7 . B8 01000000 mov eax,1
004052EC . E9 E1060000 jmp crackme.004059D2
004052F1 > 8B06 mov eax,dword ptr ds:[esi]
004052F3 . 56 push esi
004052F4 . FF90 00030000 call dword ptr ds:[eax+300]
004052FA . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004052FD . 50 push eax
004052FE . 51 push ecx
004052FF . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405305 . 8BD8 mov ebx,eax
00405307 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
0040530A . 50 push eax
0040530B . 53 push ebx
0040530C . 8B13 mov edx,dword ptr ds:[ebx]
0040530E . FF92 A0000000 call dword ptr ds:[edx+A0]
00405314 . 3BC7 cmp eax,edi
00405316 . DBE2 fclex
00405318 . 7D 12 jge short crackme.0040532C
0040531A . 68 A0000000 push 0A0
0040531F . 68 901E4000 push crackme.00401E90
00405324 . 53 push ebx
00405325 . 50 push eax
00405326 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040532C > 8B4D A0 mov ecx,dword ptr ss:[ebp-60] ; fake code "abcd1234"
0040532F . 51 push ecx
00405330 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; get the length of the fake code, EAX=0x8
00405336 . 33DB xor ebx,ebx
00405338 . 83F8 04 cmp eax,4 ; compare the code length with 4
0040533B . 0F9EC3 setle bl
0040533E . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00405341 . F7DB neg ebx
00405343 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
00405349 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
0040534C . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
00405352 . 66:3BDF cmp bx,di
00405355 . 74 0A je short crackme.00405361 ; code length <= 4 (setle above) -> fail; patch point 2, change to jmp
00405357 . B8 02000000 mov eax,2
0040535C . E9 71060000 jmp crackme.004059D2
00405361 > 8B16 mov edx,dword ptr ds:[esi]
00405363 . 56 push esi
00405364 . FF92 00030000 call dword ptr ds:[edx+300]
0040536A . 50 push eax
0040536B . 8D45 80 lea eax,dword ptr ss:[ebp-80]
0040536E . 50 push eax
0040536F . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405375 . 8BD8 mov ebx,eax
00405377 . 8D55 A0 lea edx,dword ptr ss:[ebp-60]
0040537A . 52 push edx
0040537B . 53 push ebx
0040537C . 8B0B mov ecx,dword ptr ds:[ebx]
0040537E . FF91 A0000000 call dword ptr ds:[ecx+A0]
00405384 . 3BC7 cmp eax,edi
00405386 . DBE2 fclex
00405388 . 7D 12 jge short crackme.0040539C
0040538A . 68 A0000000 push 0A0
0040538F . 68 901E4000 push crackme.00401E90
00405394 . 53 push ebx
00405395 . 50 push eax
00405396 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040539C > 8B06 mov eax,dword ptr ds:[esi]
0040539E . 56 push esi
0040539F . FF90 00030000 call dword ptr ds:[eax+300]
004053A5 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004053AB . 50 push eax
004053AC . 51 push ecx
004053AD . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
004053B3 . 8BD8 mov ebx,eax
004053B5 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004053B8 . 50 push eax
004053B9 . 53 push ebx
004053BA . 8B13 mov edx,dword ptr ds:[ebx]
004053BC . FF92 A0000000 call dword ptr ds:[edx+A0]
004053C2 . 3BC7 cmp eax,edi
004053C4 . DBE2 fclex
004053C6 . 7D 12 jge short crackme.004053DA
004053C8 . 68 A0000000 push 0A0
004053CD . 68 901E4000 push crackme.00401E90
004053D2 . 53 push ebx
004053D3 . 50 push eax
004053D4 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
004053DA > 8B0E mov ecx,dword ptr ds:[esi]
004053DC . 56 push esi
004053DD . FF91 00030000 call dword ptr ds:[ecx+300]
004053E3 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004053E9 . 50 push eax
004053EA . 52 push edx
004053EB . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
004053F1 . 8BD8 mov ebx,eax
004053F3 . 8D4D 90 lea ecx,dword ptr ss:[ebp-70]
004053F6 . 51 push ecx
004053F7 . 53 push ebx
004053F8 . 8B03 mov eax,dword ptr ds:[ebx]
004053FA . FF90 A0000000 call dword ptr ds:[eax+A0]
00405400 . 3BC7 cmp eax,edi
00405402 . DBE2 fclex
00405404 . 7D 12 jge short crackme.00405418
00405406 . 68 A0000000 push 0A0
0040540B . 68 901E4000 push crackme.00401E90
00405410 . 53 push ebx
00405411 . 50 push eax
00405412 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405418 > 8B16 mov edx,dword ptr ds:[esi]
0040541A . 56 push esi
0040541B . FF92 00030000 call dword ptr ds:[edx+300]
00405421 . 50 push eax
00405422 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00405428 . 50 push eax
00405429 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
0040542F . 8BD8 mov ebx,eax
00405431 . 8D55 88 lea edx,dword ptr ss:[ebp-78]
00405434 . 52 push edx
00405435 . 53 push ebx
00405436 . 8B0B mov ecx,dword ptr ds:[ebx]
00405438 . FF91 A0000000 call dword ptr ds:[ecx+A0]
0040543E . 3BC7 cmp eax,edi
00405440 . DBE2 fclex
00405442 . 7D 12 jge short crackme.00405456
00405444 . 68 A0000000 push 0A0
00405449 . 68 901E4000 push crackme.00401E90
0040544E . 53 push ebx
0040544F . 50 push eax
00405450 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405456 > 8B45 A0 mov eax,dword ptr ss:[ebp-60] ; fake code "abcd1234"
00405459 . 8B1D 8C104000 mov ebx,dword ptr ds:[<&MSVBVM60>
0040545F . 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
00405465 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
0040546B . 50 push eax
0040546C . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00405472 . 6A 01 push 1
00405474 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
0040547A . 51 push ecx
0040547B . 52 push edx
0040547C . C785 5CFFFFFF 0>mov dword ptr ss:[ebp-A4],1
00405486 . C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],2
00405490 . 897D A0 mov dword ptr ss:[ebp-60],edi
00405493 . C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],8
0040549D . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040549F . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] ; Mid(code,1,1): 1st character of the code
004054A5 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
004054AB . 50 push eax
004054AC . 51 push ecx
004054AD . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcUpperCaseVar
004054B3 . 8B45 98 mov eax,dword ptr ss:[ebp-68] ; 1st character converted to upper case
004054B6 . 8D95 14FFFFFF lea edx,dword ptr ss:[ebp-EC]
004054BC . 8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
004054C2 . 52 push edx
004054C3 . 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC]
004054C9 . 6A 02 push 2
004054CB . 8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-FC]
004054D1 . 50 push eax
004054D2 . 51 push ecx
004054D3 . C785 1CFFFFFF 0>mov dword ptr ss:[ebp-E4],1
004054DD . C785 14FFFFFF 0>mov dword ptr ss:[ebp-EC],2
004054E7 . 897D 98 mov dword ptr ss:[ebp-68],edi
004054EA . C785 24FFFFFF 0>mov dword ptr ss:[ebp-DC],8
004054F4 . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
004054F6 . 8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC] ; Mid(code,2,1): 2nd character of the code
004054FC . 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
00405502 . 52 push edx
00405503 . 50 push eax
00405504 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcUpperCaseVar
0040550A . 8B45 90 mov eax,dword ptr ss:[ebp-70] ; 2nd character converted to upper case
0040550D . 8D8D D4FEFFFF lea ecx,dword ptr ss:[ebp-12C]
00405513 . 8985 ECFEFFFF mov dword ptr ss:[ebp-114],eax
00405519 . 51 push ecx
0040551A . 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C]
00405520 . 6A 03 push 3
00405522 . 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-13C]
00405528 . 52 push edx
00405529 . 50 push eax
0040552A . C785 DCFEFFFF 0>mov dword ptr ss:[ebp-124],1
00405534 . C785 D4FEFFFF 0>mov dword ptr ss:[ebp-12C],2
0040553E . 897D 90 mov dword ptr ss:[ebp-70],edi
00405541 . C785 E4FEFFFF 0>mov dword ptr ss:[ebp-11C],8
0040554B . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
0040554D . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C] ; Mid(code,3,1): 3rd character of the code
00405553 . 8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-14C]
00405559 . 51 push ecx
0040555A . 52 push edx
0040555B . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcUpperCaseVar
00405561 . 8B45 88 mov eax,dword ptr ss:[ebp-78] ; 3rd character converted to upper case
00405564 . 8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-15C]
0040556A . 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00405570 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00405576 . 50 push eax
00405577 . 6A 04 push 4
00405579 . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
0040557F . 51 push ecx
00405580 . 52 push edx
00405581 . C785 9CFEFFFF 0>mov dword ptr ss:[ebp-164],1
0040558B . C785 94FEFFFF 0>mov dword ptr ss:[ebp-16C],2
00405595 . 897D 88 mov dword ptr ss:[ebp-78],edi
00405598 . C785 A4FEFFFF 0>mov dword ptr ss:[ebp-15C],8
004055A2 . FFD3 call ebx ; MSVBVM60.rtcMidCharVar
004055A4 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C] ; Mid(code,4,1): 4th character of the code
004055AA . 8D8D 74FEFFFF lea ecx,dword ptr ss:[ebp-18C]
004055B0 . 50 push eax
004055B1 . 51 push ecx
004055B2 . FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcUpperCaseVar
004055B8 . 8D95 F4FEFFFF lea edx,dword ptr ss:[ebp-10C] ; 4th character converted to upper case; [ebp-10C] holds the upper-cased 2nd character
004055BE . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004055C1 . 52 push edx
004055C2 . 50 push eax
004055C3 . 8B1D E8104000 mov ebx,dword ptr ds:[<&MSVBVM60>
004055C9 . FFD3 call ebx
004055CB . 50 push eax
004055CC . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcAnsiValueBstr
004055D2 . 66:8BD0 mov dx,ax ; ASCII value of the upper-cased 2nd character ([ebp-10C])
004055D5 . 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC] ; DX=AX=0x42 ('B')
004055DB . 8D45 9C lea eax,dword ptr ss:[ebp-64]
004055DE . 51 push ecx
004055DF . 50 push eax
004055E0 . 66:8995 CEFDFFF>mov word ptr ss:[ebp-232],dx
004055E7 . FFD3 call ebx
004055E9 . 50 push eax
004055EA . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcAnsiValueBstr
004055F0 . 66:8B9D CEFDFFF>mov bx,word ptr ss:[ebp-232] ; ASCII value of the upper-cased 1st character ([ebp-CC])
004055F7 . 8D8D B4FEFFFF lea ecx,dword ptr ss:[ebp-14C] ; AX=0x41 ('A')
004055FD . 8D55 8C lea edx,dword ptr ss:[ebp-74]
00405600 . 66:03D8 add bx,ax ; add the ASCII values of the first 2 upper-cased characters
00405603 . 51 push ecx
00405604 . 52 push edx
00405605 . 0F80 06080000 jo crackme.00405E11
0040560B . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__>
00405611 . 50 push eax
00405612 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>
00405618 . 66:03D8 add bx,ax ; ASCII value of the upper-cased 3rd character ([ebp-14C])
0040561B . 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-18C] ; running sum of the first 3 upper-cased characters
00405621 . 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00405624 . 50 push eax
00405625 . 51 push ecx
00405626 . 0F80 E5070000 jo crackme.00405E11
0040562C . FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__>
00405632 . 50 push eax
00405633 . FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcAnsiValueBstr
00405639 . 66:03D8 add bx,ax ; ASCII value of the upper-cased 4th character ([ebp-18C])
0040563C . 8D45 84 lea eax,dword ptr ss:[ebp-7C] ; sum of all 4 upper-cased characters
0040563F . 0F80 CC070000 jo crackme.00405E11
00405645 . 66:81EB 0401 sub bx,104 ; subtract 0x104 from the sum
0040564A . 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
0040564D . 0F80 BE070000 jo crackme.00405E11
00405653 . 33D2 xor edx,edx
00405655 . 66:83FB 1F cmp bx,1F ; compare (sum - 0x104) with 0x1F, i.e. the sum must be 0x123 = 291
00405659 . 0F94C2 sete dl
0040565C . F7DA neg edx
0040565E . 8BDA mov ebx,edx
00405660 . 50 push eax
00405661 . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00405664 . 51 push ecx
00405665 . 8D45 9C lea eax,dword ptr ss:[ebp-64]
00405668 . 52 push edx
00405669 . 50 push eax
0040566A . 6A 04 push 4
0040566C . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00405672 . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00405678 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0040567E . 51 push ecx
0040567F . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00405685 . 52 push edx
00405686 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405689 . 50 push eax
0040568A . 51 push ecx
0040568B . 6A 04 push 4
0040568D . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
00405693 . 8D95 74FEFFFF lea edx,dword ptr ss:[ebp-18C]
00405699 . 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
0040569F . 52 push edx
004056A0 . 8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
004056A6 . 50 push eax
004056A7 . 8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
004056AD . 51 push ecx
004056AE . 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
004056B4 . 52 push edx
004056B5 . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C]
004056BB . 50 push eax
004056BC . 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-12C]
004056C2 . 51 push ecx
004056C3 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004056C9 . 52 push edx
004056CA . 8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-10C]
004056D0 . 50 push eax
004056D1 . 8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC]
004056D7 . 51 push ecx
004056D8 . 52 push edx
004056D9 . 8D85 14FFFFFF lea eax,dword ptr ss:[ebp-EC]
004056DF . 8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
004056E5 . 50 push eax
004056E6 . 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
004056EC . 51 push ecx
004056ED . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004056F3 . 52 push edx
004056F4 . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC]
004056FA . 50 push eax
004056FB . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00405701 . 51 push ecx
00405702 . 52 push edx
00405703 . 6A 10 push 10
00405705 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__>
0040570B . 83C4 6C add esp,6C
0040570E . 66:3BDF cmp bx,di
00405711 . 0F84 2E020000 je crackme.00405945 ; not equal -> fail; patch point 3, NOP it out
00405717 . 8B06 mov eax,dword ptr ds:[esi]
00405719 . 56 push esi
0040571A . FF90 00030000 call dword ptr ds:[eax+300]
00405720 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405723 . 50 push eax
00405724 . 51 push ecx
00405725 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
0040572B . 8BD8 mov ebx,eax
0040572D . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00405730 . 50 push eax
00405731 . 53 push ebx
00405732 . 8B13 mov edx,dword ptr ds:[ebx]
00405734 . FF92 A0000000 call dword ptr ds:[edx+A0]
0040573A . 3BC7 cmp eax,edi
0040573C . DBE2 fclex
0040573E . 7D 12 jge short crackme.00405752
00405740 . 68 A0000000 push 0A0
00405745 . 68 901E4000 push crackme.00401E90
0040574A . 53 push ebx
0040574B . 50 push eax
0040574C . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405752 > 8B0E mov ecx,dword ptr ds:[esi]
00405754 . 56 push esi
00405755 . FF91 00030000 call dword ptr ds:[ecx+300]
0040575B . 8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00405761 . 50 push eax
00405762 . 52 push edx
00405763 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405769 . 8BD8 mov ebx,eax
0040576B . 8D4D 9C lea ecx,dword ptr ss:[ebp-64]
0040576E . 51 push ecx
0040576F . 53 push ebx
00405770 . 8B03 mov eax,dword ptr ds:[ebx]
00405772 . FF90 A0000000 call dword ptr ds:[eax+A0]
00405778 . 3BC7 cmp eax,edi
0040577A . DBE2 fclex
0040577C . 7D 12 jge short crackme.00405790
0040577E . 68 A0000000 push 0A0
00405783 . 68 901E4000 push crackme.00401E90
00405788 . 53 push ebx
00405789 . 50 push eax
0040578A . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405790 > 8B55 9C mov edx,dword ptr ss:[ebp-64]
00405793 . 52 push edx
00405794 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>
0040579A . 83E8 01 sub eax,1
0040579D . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
004057A3 . 0F80 68060000 jo crackme.00405E11
004057A9 . 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
004057AF . 8B45 A0 mov eax,dword ptr ss:[ebp-60]
004057B2 . 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
004057B8 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004057BE . 50 push eax
004057BF . 6A 05 push 5 ; constant 5 (Mid start position)
004057C1 . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
004057C7 . 51 push ecx
004057C8 . 52 push edx
004057C9 . C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],3
004057D3 . 897D A0 mov dword ptr ss:[ebp-60],edi
004057D6 . C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],8
004057E0 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#6>; MSVBVM60.rtcMidCharVar
004057E6 . 8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] ; take the rest of the code starting at the 5th character
004057EC . 50 push eax ; second half of the fake code: "1234"
004057ED . FF15 20104000 call dword ptr ds:[<&MSVBVM60.__>
004057F3 . 8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60>
004057F9 . 8BD0 mov edx,eax
004057FB . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
004057FE . FFD3 call ebx
00405800 . 8B0E mov ecx,dword ptr ds:[esi]
00405802 . 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00405805 . 8D45 98 lea eax,dword ptr ss:[ebp-68]
00405808 . 52 push edx
00405809 . 50 push eax
0040580A . 56 push esi
0040580B . FF91 14070000 call dword ptr ds:[ecx+714] ; 00402B11, key CALL-1, F7 to step in
00405811 . 8B55 94 mov edx,dword ptr ss:[ebp-6C]
00405814 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00405817 . 897D 94 mov dword ptr ss:[ebp-6C],edi
0040581A . FFD3 call ebx
0040581C . 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
0040581F . 8D55 9C lea edx,dword ptr ss:[ebp-64]
00405822 . 51 push ecx
00405823 . 52 push edx
00405824 . 6A 02 push 2
00405826 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
0040582C . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00405832 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405835 . 50 push eax
00405836 . 51 push ecx
00405837 . 6A 02 push 2
00405839 . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
0040583F . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
00405845 . 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
0040584B . 52 push edx
0040584C . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00405852 . 50 push eax
00405853 . 51 push ecx
00405854 . 6A 03 push 3
00405856 . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__>
0040585C . 8B55 A4 mov edx,dword ptr ss:[ebp-5C]
0040585F . 83C4 28 add esp,28
00405862 . 52 push edx
00405863 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaLenBstr
00405869 . 8BC8 mov ecx,eax ; length of the string returned by key CALL-1
0040586B . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
00405871 . 8945 A8 mov dword ptr ss:[ebp-58],eax ; EAX=0x3
00405874 . 8B06 mov eax,dword ptr ds:[esi]
00405876 . 56 push esi
00405877 . FF90 FC020000 call dword ptr ds:[eax+2FC]
0040587D . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
00405880 . 50 push eax
00405881 . 51 push ecx
00405882 . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405888 . 8BD8 mov ebx,eax
0040588A . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
0040588D . 50 push eax
0040588E . 53 push ebx
0040588F . 8B13 mov edx,dword ptr ds:[ebx]
00405891 . FF92 A0000000 call dword ptr ds:[edx+A0]
00405897 . 3BC7 cmp eax,edi
00405899 . DBE2 fclex
0040589B . 7D 12 jge short crackme.004058AF
0040589D . 68 A0000000 push 0A0
004058A2 . 68 901E4000 push crackme.00401E90
004058A7 . 53 push ebx
004058A8 . 50 push eax
004058A9 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
004058AF > 8B4D A0 mov ecx,dword ptr ss:[ebp-60] ; username "hrbx"
004058B2 . 51 push ecx
004058B3 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; get the username length
004058B9 . 8BC8 mov ecx,eax ; EAX=0x4
004058BB . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
004058C1 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004058C4 . 8BD8 mov ebx,eax
004058C6 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
004058CC . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004058CF . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
004058D5 . 0FBF55 A8 movsx edx,word ptr ss:[ebp-58]
004058D9 . 8995 C8FDFFFF mov dword ptr ss:[ebp-238],edx
004058DF . DB85 C8FDFFFF fild dword ptr ss:[ebp-238]
004058E5 . 0FBFC3 movsx eax,bx
004058E8 . DD9D C0FDFFFF fstp qword ptr ss:[ebp-240]
004058EE . 8985 BCFDFFFF mov dword ptr ss:[ebp-244],eax
004058F4 . DB85 BCFDFFFF fild dword ptr ss:[ebp-244]
004058FA . DD9D B4FDFFFF fstp qword ptr ss:[ebp-24C]
00405900 . DD85 C0FDFFFF fld qword ptr ss:[ebp-240] ; length of the key CALL-1 string
00405906 . 833D 00704000 0>cmp dword ptr ds:[407000],0
0040590D . 75 08 jnz short crackme.00405917
0040590F . DCB5 B4FDFFFF fdiv qword ptr ss:[ebp-24C] ; divided by the username length
00405915 . EB 11 jmp short crackme.00405928
00405917 > FFB5 B8FDFFFF push dword ptr ss:[ebp-248]
0040591D . FFB5 B4FDFFFF push dword ptr ss:[ebp-24C]
00405923 . E8 BCB9FFFF call <jmp.&MSVBVM60._adj_fdiv_m6>
00405928 > DFE0 fstsw ax
0040592A . A8 0D test al,0D
0040592C . 0F85 DA040000 jnz crackme.00405E0C
00405932 . FF15 80104000 call dword ptr ds:[<&MSVBVM60.__>
00405938 . DC1D A8124000 fcomp qword ptr ds:[4012A8]
0040593E . DFE0 fstsw ax
00405940 . F6C4 40 test ah,40
00405943 . 75 0A jnz short crackme.0040594F ; quotient not a whole number -> fail; patch point 4, change to jmp
00405945 > B8 03000000 mov eax,3
0040594A . E9 83000000 jmp crackme.004059D2
0040594F > 66:2B5D A8 sub bx,word ptr ss:[ebp-58] ; username length minus length of the key CALL-1 string
00405953 . 0F80 B8040000 jo crackme.00405E11
00405959 . 66:85DB test bx,bx
0040595C . 75 71 jnz short crackme.004059CF ; not 0 -> fail; patch point 5, change to NOP
0040595E . 8B0E mov ecx,dword ptr ds:[esi]
00405960 . 56 push esi
00405961 . FF91 FC020000 call dword ptr ds:[ecx+2FC]
00405967 . 8D55 80 lea edx,dword ptr ss:[ebp-80]
0040596A . 50 push eax
0040596B . 52 push edx
0040596C . FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405972 . 8BF0 mov esi,eax
00405974 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00405977 . 51 push ecx
00405978 . 56 push esi
00405979 . 8B06 mov eax,dword ptr ds:[esi]
0040597B . FF90 A0000000 call dword ptr ds:[eax+A0]
00405981 . 3BC7 cmp eax,edi
00405983 . DBE2 fclex
00405985 . 7D 12 jge short crackme.00405999
00405987 . 68 A0000000 push 0A0
0040598C . 68 901E4000 push crackme.00401E90
00405991 . 56 push esi
00405992 . 50 push eax
00405993 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405999 > 8B55 A4 mov edx,dword ptr ss:[ebp-5C]
0040599C . 8B45 A0 mov eax,dword ptr ss:[ebp-60]
0040599F . 52 push edx
004059A0 . 50 push eax
004059A1 . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__>; compare the username with the key CALL-1 string
004059A7 . 8BF0 mov esi,eax
004059A9 . 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
004059AC . F7DE neg esi
004059AE . 1BF6 sbb esi,esi
004059B0 . 46 inc esi
004059B1 . F7DE neg esi
004059B3 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
004059B9 . 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
004059BC . FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
004059C2 . 33C0 xor eax,eax
004059C4 . 66:3BF7 cmp si,di
004059C7 0F95C0 setne al ; not equal -> fail; patch point 6, change to sete
004059CA . 83C0 03 add eax,3
004059CD . EB 03 jmp short crackme.004059D2
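
Putting the checks traced so far together as a working verifier and keygen. This is an added example written for this write-up in Python; it is neither the CrackMe's code nor the author's VB keygen. It rests on two assumptions the trace does not state outright: that key CALL-1 is a standard Base64 decoder (an inference from the CALL-1 trace further down, where key CALL-2 maps "1", "2", "3", "4" to 53, 54, 55, 56, exactly their indices in the Base64 alphabet, and the first output byte is Num1*4 + Int(Num2/16) = 0xD7, exactly the first Base64 decoding step), and that it treats "=" padding the way the standard does. The return values copy what the routine at 00405070 leaves in EAX: 1 (empty field), 2 (code too short), 3 (a check failed), and 4, the only value reached after every check passes. The prefix KAIN is my own choice; any four characters whose upper-cased ASCII codes add up to 0x123 = 291 will do.

```python
import base64

# 004055C9-00405655: the sum of the upper-cased first four characters, minus 0x104,
# must equal 0x1F, so the sum itself must be 0x123 = 291.
PREFIX_SUM = 0x104 + 0x1F


def prefix_ok(serial):
    """Check the 4-character prefix the way the CrackMe does (case-insensitive)."""
    return len(serial) >= 4 and sum(ord(c) for c in serial[:4].upper()) == PREFIX_SUM


def check_serial(name, serial):
    """Re-implementation of the routine at 00405070.

    Returns the value the original leaves in EAX: 1, 2, 3 or 4 (pass)."""
    if name == "" or serial == "":          # 00405295 / 004052AD: empty field
        return 1
    if len(serial) <= 4:                    # 00405338: cmp eax,4 / setle
        return 2
    if not prefix_ok(serial):               # 00405655: (sum - 0x104) == 0x1F
        return 3
    tail = serial[4:]                       # 004057E0: Mid(code, 5)
    try:
        # Assumption: key CALL-1 is a standard Base64 decoder (see lead-in).
        decoded = base64.b64decode(tail, validate=True).decode("latin-1")
    except ValueError:                      # non-alphabet character or bad length
        return 3
    if len(decoded) % len(name) != 0:       # 0040590F: Len(decoded)/Len(name) must be a whole number (author's reading)
        return 3
    if len(decoded) != len(name):           # 0040594F: Len(name) - Len(decoded) == 0
        return 3
    if decoded != name:                     # 004059A1: __vbaStrCmp, case-sensitive
        return 3
    return 4


def make_serial(name, prefix="KAIN"):
    """Keygen: a valid prefix followed by Base64(name). KAIN = 75+65+73+78 = 291."""
    if len(prefix) != 4 or not prefix_ok(prefix):
        raise ValueError("prefix must be 4 characters whose upper-cased ASCII codes sum to 291")
    return prefix + base64.b64encode(name.encode("latin-1")).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: the pair from the trace and two generated serials.
    print(check_serial("hrbx", "abcd1234"))          # 3: "ABCD" sums to 266, not 291
    for user in ("hrbx", "hrbxhr"):
        s = make_serial(user)
        print(user, s, check_serial(user, s))        # ... 4
```

The prefix check is case-insensitive because of rtcUpperCaseVar, but the final __vbaStrCmp at 004059A1 is case-sensitive, so the name is compared exactly as typed. If the CrackMe's decoder turns out not to accept "=" padding, use names whose length is a multiple of 3 (like the six-character name above), which encode without padding; the length comparison at 0040594F rejects any decoded string that is not exactly the name.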
F7 into key CALL-1 at 0040580B and we arrive at:
00402B11 . /E9 7A130000 jmp crackme.00403E90 ; we arrive here
00402B16 . |816C24 04 FFFF0>sub dword ptr ss:[esp+4],0FFFF
F8 to single-step, and we land at:
00403E90 > \55 push ebp ; F8 single-step lands here
00403E91 . 8BEC mov ebp,esp
00403E93 . 83EC 0C sub esp,0C
00403E96 . 68 C6124000 push <jmp.&MSVBVM60.__vbaExceptH>; SEH handler installed
00403E9B . 64:A1 00000000 mov eax,dword ptr fs:[0]
00403EA1 . 50 push eax
00403EA2 . 64:8925 0000000>mov dword ptr fs:[0],esp
00403EA9 . 81EC 98000000 sub esp,98
00403EAF . 53 push ebx
00403EB0 . 56 push esi
00403EB1 . 57 push edi
00403EB2 . 8965 F4 mov dword ptr ss:[ebp-C],esp
00403EB5 . C745 F8 2012400>mov dword ptr ss:[ebp-8],crackme>
00403EBC . 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
00403EBF . 8B55 0C mov edx,dword ptr ss:[ebp+C]
00403EC2 . 33C0 xor eax,eax
00403EC4 . 8945 D4 mov dword ptr ss:[ebp-2C],eax
00403EC7 . 8945 D0 mov dword ptr ss:[ebp-30],eax
00403ECA . 8945 CC mov dword ptr ss:[ebp-34],eax
00403ECD . 8945 C8 mov dword ptr ss:[ebp-38],eax
00403ED0 . 8945 B8 mov dword ptr ss:[ebp-48],eax
00403ED3 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
00403ED6 . 8901 mov dword ptr ds:[ecx],eax
00403ED8 . 8B02 mov eax,dword ptr ds:[edx]
00403EDA . 50 push eax ; second half of the fake code: "1234"
00403EDB . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaLenBstr
00403EE1 . 8BC8 mov ecx,eax ; get the string length, EAX=0x4
00403EE3 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaI2I4
00403EE9 . 8B7D 08 mov edi,dword ptr ss:[ebp+8]
00403EEC . 8B35 48114000 mov esi,dword ptr ds:[<&MSVBVM60>
00403EF2 . BB 01000000 mov ebx,1
00403EF7 . 8945 9C mov dword ptr ss:[ebp-64],eax
00403EFA . 895D E4 mov dword ptr ss:[ebp-1C],ebx
00403EFD > 66:3B5D 9C cmp bx,word ptr ss:[ebp-64]
00403F01 . 0F8F A2030000 jg crackme.004042A9
00403F07 . 8B45 0C mov eax,dword ptr ss:[ebp+C]
00403F0A . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403F0D . 0FBFD3 movsx edx,bx
00403F10 . 51 push ecx
00403F11 . 8B08 mov ecx,dword ptr ds:[eax]
00403F13 . 52 push edx
00403F14 . 51 push ecx
00403F15 . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403F1C . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403F23 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>; MSVBVM60.rtcMidCharBstr
00403F29 . 8BD0 mov edx,eax ; 1st character of "1234": "1"
00403F2B . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00403F2E . FFD6 call esi
00403F30 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00403F33 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403F36 . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
00403F3D . FFD6 call esi
00403F3F . 8B17 mov edx,dword ptr ds:[edi]
00403F41 . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00403F44 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403F47 . 50 push eax
00403F48 . 51 push ecx
00403F49 . 57 push edi
00403F4A . FF92 1C070000 call dword ptr ds:[edx+71C] ; key CALL-2, F7 to step in
00403F50 . 8B55 A4 mov edx,dword ptr ss:[ebp-5C] ; EDX=0x35 (53), call it Num1
00403F53 . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00403F56 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403F59 . 50 push eax
00403F5A . 51 push ecx
00403F5B . 6A 02 push 2
00403F5D . 8955 E8 mov dword ptr ss:[ebp-18],edx
00403F60 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00403F66 . 83C4 0C add esp,0C
00403F69 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403F6C . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
00403F72 . 66:8BC3 mov ax,bx
00403F75 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00403F78 . 66:05 0100 add ax,1
00403F7C . 52 push edx
00403F7D . 8B55 0C mov edx,dword ptr ss:[ebp+C]
00403F80 . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403F87 . 0F80 88030000 jo crackme.00404315
00403F8D . 0FBFC8 movsx ecx,ax
00403F90 . 8B02 mov eax,dword ptr ds:[edx]
00403F92 . 51 push ecx
00403F93 . 50 push eax
00403F94 . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403F9B . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>; MSVBVM60.rtcMidCharBstr
00403FA1 . 8BD0 mov edx,eax ; 2nd character of "1234": "2"
00403FA3 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00403FA6 . FFD6 call esi
00403FA8 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00403FAB . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00403FAE . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
00403FB5 . FFD6 call esi
00403FB7 . 8B0F mov ecx,dword ptr ds:[edi]
00403FB9 . 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
00403FBC . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00403FBF . 52 push edx
00403FC0 . 50 push eax
00403FC1 . 57 push edi
00403FC2 . FF91 1C070000 call dword ptr ds:[ecx+71C] ; same as key CALL-2
00403FC8 . 8B4D A4 mov ecx,dword ptr ss:[ebp-5C] ; ECX=0x36 (54), call it Num2
00403FCB . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00403FCE . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00403FD1 . 52 push edx
00403FD2 . 50 push eax
00403FD3 . 6A 02 push 2
00403FD5 . 894D E0 mov dword ptr ss:[ebp-20],ecx
00403FD8 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00403FDE . 83C4 0C add esp,0C
00403FE1 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403FE4 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
00403FEA . 66:83C3 02 add bx,2
00403FEE . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00403FF1 . 0F80 1E030000 jo crackme.00404315
00403FF7 . 0FBFD3 movsx edx,bx
00403FFA . 51 push ecx
00403FFB . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00404002 . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00404009 . 52 push edx
0040400A . 8B45 0C mov eax,dword ptr ss:[ebp+C]
0040400D . 8B08 mov ecx,dword ptr ds:[eax]
0040400F . 51 push ecx
00404010 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>; MSVBVM60.rtcMidCharBstr
00404016 . 8BD0 mov edx,eax ; 3rd character of "1234": "3"
00404018 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0040401B . FFD6 call esi
0040401D . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00404020 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404023 . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
0040402A . FFD6 call esi
0040402C . 8B17 mov edx,dword ptr ds:[edi]
0040402E . 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
00404031 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404034 . 50 push eax
00404035 . 51 push ecx
00404036 . 57 push edi
00404037 . FF92 1C070000 call dword ptr ds:[edx+71C] ; same as key CALL-2
0040403D . 8B5D A4 mov ebx,dword ptr ss:[ebp-5C] ; EBX=0x37 (55), call it Num3
00404040 . 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00404043 . 8D45 CC lea eax,dword ptr ss:[ebp-34]
00404046 . 52 push edx
00404047 . 50 push eax
00404048 . 6A 02 push 2
0040404A . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00404050 . 83C4 0C add esp,0C
00404053 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00404056 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
0040405C . 66:8B55 E4 mov dx,word ptr ss:[ebp-1C]
00404060 . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00404063 . 66:83C2 03 add dx,3
00404067 . 51 push ecx
00404068 . 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
0040406B . C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00404072 . 0F80 9D020000 jo crackme.00404315
00404078 . 0FBFC2 movsx eax,dx
0040407B . 8B11 mov edx,dword ptr ds:[ecx]
0040407D . 50 push eax
0040407E . 52 push edx
0040407F . C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00404086 . FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>; MSVBVM60.rtcMidCharBstr
0040408C . 8BD0 mov edx,eax ; 4th character of "1234": "4"
0040408E . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
00404091 . FFD6 call esi
00404093 . 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00404096 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404099 . C745 C8 0000000>mov dword ptr ss:[ebp-38],0
004040A0 . FFD6 call esi
004040A2 . 8B07 mov eax,dword ptr ds:[edi]
004040A4 . 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
004040A7 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004040AA . 51 push ecx
004040AB . 52 push edx
004040AC . 57 push edi
004040AD . FF90 1C070000 call dword ptr ds:[eax+71C] ; same as key CALL-2
004040B3 . 8B45 A4 mov eax,dword ptr ss:[ebp-5C] ; EAX=0x38 (56), call it Num4
004040B6 . 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
004040B9 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
004040BC . 51 push ecx
004040BD . 52 push edx
004040BE . 6A 02 push 2
004040C0 . 8945 D8 mov dword ptr ss:[ebp-28],eax
004040C3 . FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
004040C9 . 83C4 0C add esp,0C
004040CC . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004040CF . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
004040D5 . 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004040D8 . 66:85C0 test ax,ax
004040DB . 0F8C AD000000 jl crackme.0040418E
004040E1 . 0FBFD0 movsx edx,ax
004040E4 . 8955 80 mov dword ptr ss:[ebp-80],edx ; EDX=0x36(54),Num2
004040E7 . 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
004040EA . DB45 80 fild dword ptr ss:[ebp-80]
004040ED . 51 push ecx
004040EE . DD9D 78FFFFFF fstp qword ptr ss:[ebp-88] ; st=54.0
004040F4 . DD85 78FFFFFF fld qword ptr ss:[ebp-88]
004040FA . 833D 00704000 0>cmp dword ptr ds:[407000],0
00404101 . 75 08 jnz short crackme.0040410B
00404103 . DC35 18124000 fdiv qword ptr ds:[401218] ; Num2/16.0,ds:[00401218]=16.0
00404109 . EB 11 jmp short crackme.0040411C
0040410B > FF35 1C124000 push dword ptr ds:[40121C]
00404111 . FF35 18124000 push dword ptr ds:[401218]
00404117 . E8 C8D1FFFF call <jmp.&MSVBVM60._adj_fdiv_m6>
0040411C > DFE0 fstsw ax
0040411E . A8 0D test al,0D
00404120 . 0F85 EA010000 jnz crackme.00404310
00404126 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__>; integer part of the quotient, Int(Num2/16.0), ST0=3.0
0040412C . 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; EAX=0x35,Num1
0040412F . 66:6BC0 04 imul ax,ax,4 ; AX=Num1*4
00404133 . 0F80 DC010000 jo crackme.00404315
00404139 . 0FBFC0 movsx eax,ax
0040413C . 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
00404142 . DB85 74FFFFFF fild dword ptr ss:[ebp-8C]
00404148 . DD9D 6CFFFFFF fstp qword ptr ss:[ebp-94]
0040414E . DC85 6CFFFFFF fadd qword ptr ss:[ebp-94] ; Num1*4+Int(Num2/16.0)
00404154 . DFE0 fstsw ax
00404156 . A8 0D test al,0D
00404158 . 0F85 B2010000 jnz crackme.00404310
0040415E . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaFpI4
00404164 . 25 FF000000 and eax,0FF ; EAX=EAX and 0xFF
00404169 . 50 push eax ; EAX=0xD7
0040416A . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcBstrFromAnsi
00404170 . 8BD0 mov edx,eax ; character with that ASCII value
00404172 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404175 . FFD6 call esi
00404177 . 50 push eax
00404178 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaStrCat
0040417E . 8BD0 mov edx,eax ; string concatenation
00404180 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00404183 . FFD6 call esi
00404185 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404188 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
0040418E > 66:85DB test bx,bx
00404191 . 0F8C B3000000 jl crackme.0040424A
00404197 . 0FBFD3 movsx edx,bx
0040419A . 8995 68FFFFFF mov dword ptr ss:[ebp-98],edx ; EDX=0x37(55),Num3
004041A0 . 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
004041A3 . DB85 68FFFFFF fild dword ptr ss:[ebp-98]
004041A9 . 51 push ecx
004041AA . DD9D 60FFFFFF fstp qword ptr ss:[ebp-A0] ; st=55.0
004041B0 . DD85 60FFFFFF fld qword ptr ss:[ebp-A0]
004041B6 . 833D 00704000 0>cmp dword ptr ds:[407000],0
004041BD . 75 08 jnz short crackme.004041C7
004041BF . DC35 10124000 fdiv qword ptr ds:[401210] ; Num3/4.0,ds:[00401210]=4.0
004041C5 . EB 11 jmp short crackme.004041D8
004041C7 > FF35 14124000 push dword ptr ds:[401214]
004041CD . FF35 10124000 push dword ptr ds:[401210]
004041D3 . E8 0CD1FFFF call <jmp.&MSVBVM60._adj_fdiv_m6>
004041D8 > DFE0 fstsw ax
004041DA . A8 0D test al,0D
004041DC . 0F85 2E010000 jnz crackme.00404310
004041E2 . FF15 58114000 call dword ptr ds:[<&MSVBVM60.__>; integer part of the quotient, Int(Num3/4.0), ST0=13.0
004041E8 . 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; EAX=0x36,Num2
004041EB . 66:6BC0 10 imul ax,ax,10 ; AX=Num2*0x10
004041EF . 0F80 20010000 jo crackme.00404315
004041F5 . 0FBFC0 movsx eax,ax
004041F8 . 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
004041FE . DB85 5CFFFFFF fild dword ptr ss:[ebp-A4]
00404204 . DD9D 54FFFFFF fstp qword ptr ss:[ebp-AC]
0040420A . DC85 54FFFFFF fadd qword ptr ss:[ebp-AC] ; Num2*0x10+Int(Num3/4.0)
00404210 . DFE0 fstsw ax
00404212 . A8 0D test al,0D
00404214 . 0F85 F6000000 jnz crackme.00404310
0040421A . FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__>
00404220 . 25 FF000000 and eax,0FF ; EAX=EAX and 0xFF
00404225 . 50 push eax ; EAX=0x6D
00404226 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcBstrFromAnsi
0040422C . 8BD0 mov edx,eax ; character with that ASCII value
0040422E . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404231 . FFD6 call esi
00404233 . 50 push eax
00404234 . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaStrCat
0040423A . 8BD0 mov edx,eax ; string concatenation
0040423C . 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
0040423F . FFD6 call esi
00404241 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00404244 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
0040424A > 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; EAX=0x38(56),Num4
0040424D . 66:85C0 test ax,ax
00404250 . 7C 42 jl short crackme.00404294
00404252 . 66:6BDB 40 imul bx,bx,40 ; BX=Num3*0x40 (BX still holds Num3)
00404256 . 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
00404259 . 0F80 B6000000 jo crackme.00404315
0040425F . 66:03D8 add bx,ax ; BX=Num3*0x40+Num4
00404262 . 51 push ecx
00404263 . 0F80 AC000000 jo crackme.00404315
00404269 . 81E3 FF000000 and ebx,0FF ; EBX=EBX and 0xFF
0040426F . 53 push ebx ; EBX=0xF8
00404270 . FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5>; MSVBVM60.rtcBstrFromAnsi
00404276 . 8BD0 mov edx,eax ; character with that ASCII value
00404278 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040427B . FFD6 call esi
0040427D . 50 push eax
0040427E . FF15 40104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaStrCat
00404284 . 8BD0 mov edx,eax ; string concatenation
F7 step into the key CALL-2 at 00403F4A, arriving at:
00402B2B . /E9 D0180000 jmp crackme.00404400 ; land here
00402B30 . |816C24 04 FFFF0>sub dword ptr ss:[esp+4],0FFFF
F8 single-step, arriving at:
00404400 > \56 push esi
00404401 . 8B7424 0C mov esi,dword ptr ss:[esp+C]
00404405 . 8B06 mov eax,dword ptr ds:[esi]
00404407 . 50 push eax
00404408 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaLenBstr
0040440E . 85C0 test eax,eax
00404410 . 75 10 jnz short crackme.00404422
00404412 . 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00404416 . 83C8 FF or eax,FFFFFFFF
00404419 . 5E pop esi
0040441A . 66:8901 mov word ptr ds:[ecx],ax
0040441D . 33C0 xor eax,eax
0040441F . C2 0C00 retn 0C
00404422 > 8B16 mov edx,dword ptr ds:[esi]
00404424 . 6A 01 push 1
00404426 . 68 201C4000 push crackme.00401C20 ; fixed string "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
0040442B . 52 push edx ; 1st character of the string "1234", "1"
0040442C . 6A 00 push 0
0040442E . FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaInStr
00404434 . 8BC8 mov ecx,eax ; find the position of the character "1" in the fixed string
00404436 . 83E9 01 sub ecx,1 ; ECX=ECX-1
00404439 . 70 13 jo short crackme.0040444E
0040443B . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
00404441 . 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00404445 . 5E pop esi
00404446 . 66:8901 mov word ptr ds:[ecx],ax ; AX=0x35
00404449 . 33C0 xor eax,eax
0040444B . C2 0C00 retn 0C
-----------------------------------------------------------------------------------------------
【Cracking summary】
1. The username length must be a multiple of 3, and the serial length must be a multiple of 4.
2. The sum of the ASCII values of the first 4 characters of the serial must equal 0x123.
3. Starting from the 5th character of the serial, take every 4 characters as a group, denoted S[i], S[i+1], S[i+2], S[i+3] (each taken as its 0-based position in the fixed string "ABC...+/", as key CALL-2 computes it).
4. Starting from the 1st character of the username, take every 3 characters as a group, denoted N[i], N[i+1], N[i+2].
5. Compute (S[i]*4+Int(S[i+1]/16)) And 0xFF, (S[i+1]*16+Int(S[i+2]/4)) And 0xFF, (S[i+2]*0x40+S[i+3]) And 0xFF.
6. If the three results of step 5 equal N[i], N[i+1], N[i+2] respectively, registration succeeds.
A working registration pair:
====================================================
Username: hrbhui
Serial: HRBGaHJiaHVp
====================================================
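As an added example (not code from the original post or from the CrackMe), the six rules above implemented in Python, plus a direct generator: the step-5 formulas are exactly Base64 decoding of four 6-bit values into three bytes, which is why the serial body is simply the Base64 encoding of the username. decode_group reproduces the 0xD7/0x6D/0xF8 values traced above for the group "1234". Assumed here: the serial body must cover the username exactly (4 serial characters per 3 username characters), and a character outside the table fails the check.

```python
import base64

# Constants recovered in the analysis above: the 64-character table at
# 00401C20 and the required header sum 0x123.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HEADER_SUM = 0x123


def decode_group(group):
    """Apply the three step-5 formulas to one 4-character serial group.

    Returns the three bytes compared against N[i..i+2], or None when a
    character is not in the table (InStr returns 0, so index -1).
    """
    s = [ALPHABET.find(c) for c in group]
    if len(s) != 4 or -1 in s:
        return None
    return [(s[0] * 4 + s[1] // 16) & 0xFF,
            (s[1] * 16 + s[2] // 4) & 0xFF,
            (s[2] * 64 + s[3]) & 0xFF]


def check_serial(username, serial):
    """Verify a pair under the six rules of the summary.  Assumed here:
    the serial body must cover the username exactly (4 chars per 3)."""
    if not username or len(username) % 3 or len(serial) % 4:
        return False
    if sum(ord(c) for c in serial[:4]) != HEADER_SUM:
        return False
    body = serial[4:]
    if len(body) != len(username) // 3 * 4:
        return False
    for g in range(len(username) // 3):
        expected = [ord(c) for c in username[3 * g:3 * g + 3]]
        if decode_group(body[4 * g:4 * g + 4]) != expected:
            return False
    return True


def make_serial(username, header="HRBG"):
    """Build a serial without brute force: the step-5 formulas are exactly
    Base64 decoding of four 6-bit values into three bytes, so the body is
    the Base64 encoding of the username (no '=' padding thanks to rule 1).
    "HRBG" is the author's header; any four chars summing to 0x123 work."""
    if not username or len(username) % 3:
        raise ValueError("username length must be a non-zero multiple of 3")
    if sum(ord(c) for c in header) != HEADER_SUM:
        raise ValueError("header characters must sum to 0x123")
    return header + base64.b64encode(username.encode("latin-1")).decode("ascii")
```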
To patch instead, change the following locations (enter a serial of 3 or more characters; the username must not be empty):
004052E5 je short crackme.004052F1 ; je=====>Jmp
00405355 je short crackme.00405361 ; je=====>Jmp
00405711 je crackme.00405945 ; je=====>Nop
00405943 jnz short crackme.0040594F ; jnz====>Jmp
0040595C jnz short crackme.004059CF ; jnz====>Nop
004059C7 setne al ; setne==>sete
-----------------------------------------------------------------------------------------------
【VB keygen source】
Private Sub Generate_Click()
    Dim UserName As String
    Dim Serial As String
    Dim TmpStr As String
    Dim TmpStr1 As Integer
    Dim TmpStr2 As Integer
    Dim TmpStr3 As Integer
    Dim i As Integer
    Dim Length As Integer
    Dim TmpNum1 As Integer
    Dim TmpNum2 As Integer
    Dim TmpNum3 As Integer
    Dim Num1 As Integer
    Dim Num2 As Integer
    Dim Num3 As Integer
    Dim Num4 As Integer
    On Error Resume Next
    ' The fixed 64-character table found at 00401C20
    TmpStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    If Text1.Text = "" Then
        Text2.Text = "请输入用户名!"
    Else
        UserName = Trim(Text1.Text)
        Length = Len(UserName)
        ' Every 3 username characters map to 4 serial characters
        For i = 1 To Length - 2 Step 3
            TmpStr1 = Asc(Mid$(UserName, i, 1))
            TmpStr2 = Asc(Mid$(UserName, i + 1, 1))
            TmpStr3 = Asc(Mid$(UserName, i + 2, 1))
            ' Brute-force the four table indices that reproduce the 3 ASCII values
            For Num2 = 0 To 63
                For Num1 = 0 To 63
                    For Num3 = 0 To 63
                        TmpNum1 = (Num1 * 4 + Int(Num2 / 16)) And &HFF
                        TmpNum2 = (Num2 * 16 + Int(Num3 / 4)) And &HFF
                        For Num4 = 0 To 63
                            TmpNum3 = (Num3 * 64 + Num4) And &HFF
                            If (TmpNum1 = TmpStr1) And (TmpNum2 = TmpStr2) And (TmpNum3 = TmpStr3) Then
                                Serial = Serial & Mid(TmpStr, Num1 + 1, 1) & Mid(TmpStr, Num2 + 1, 1) & _
                                         Mid(TmpStr, Num3 + 1, 1) & Mid(TmpStr, Num4 + 1, 1)
                            End If
                        Next Num4
                    Next Num3
                Next Num1
            Next Num2
        Next i
        ' "HRBG": four characters whose ASCII values sum to 0x123
        Text2.Text = "HRBG" & Serial
    End If
End Sub
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!