[原创]Kain的第一个CrackMe简单算法分析+VB注册机源码-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]Kain的第一个CrackMe简单算法分析+VB注册机源码

2007-11-18 13:17 5630

[原创]Kain的第一个CrackMe简单算法分析+VB注册机源码

hrbx

2007-11-18 13:17

5630

【破文标题】Kain的第一个CrackMe简单算法分析+VB注册机源码
【破解作者】hrbx
【使用工具】OllDbg1.10、Peid
【破解日期】2007-11-18
【下载地址】见附件，相关链接:http://bbs.pediy.com/showthread.php?t=55020
【软件简介】Kain的第一个CrackMe
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.脱壳。用PEID扫描，显示为：示为：Microsoft Visual Basic 5.0 / 6.0，无壳。输入假码后有错误提示窗体。
2.追出算法。OD载入CrackMe，F9运行，命令栏输入：bp rtcMsgBox，回车，输入注册信息后点击"确定"按钮，立即中断：

660DC5F3 M>  55             push ebp                               ; 在此中断
660DC5F4    8BEC             mov ebp,esp
660DC5F6    83EC 4C          sub esp,4C
660DC5F9    8B4D 14          mov ecx,dword ptr ss:[ebp+14]

Alt+F9，弹出错误提示窗体，点击"确定"按钮后返回，来到：

00405AF2 .  FF15 6C104000 call dword ptr ds:[<&MSVBVM60.#595>] ;  MSVBVM60.rtcMsgBox
00405AF8 .  8D95 24FEFFFF lea edx,dword ptr ss:[ebp-1DC]       ;  Alt+F9返回到这里
00405AFE .  8D4D B0       lea ecx,dword ptr ss:[ebp-50]

向上查找，在00405070处F2下断，Ctrl+F2重新载入程序，F9运行，输入注册信息：

====================================================
注册名:hrbx
注册码:abcd1234
====================================================

点击"确定"按钮，立即中断：

00405070 > \55             push ebp                      ;  F2在此下断，中断后F8往下走
00405071 .  8BEC          mov ebp,esp
00405073 .  83EC 0C       sub esp,0C
00405076 .  68 C6124000    push <jmp.&MSVBVM60.__vbaExceptH>

---------------------------------------------------------------------

省略部分代码

---------------------------------------------------------------------

00405286 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040528C >  8B45 9C       mov eax,dword ptr ss:[ebp-64] ;  假码"abcd1234"
0040528F .  50             push eax
00405290 .  68 741E4000    push crackme.00401E74
00405295 .  FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__>;  检查注册码是否为空
0040529B .  8B4D A0       mov ecx,dword ptr ss:[ebp-60] ;  用户名"hrbx"
0040529E .  8BD8          mov ebx,eax
004052A0 .  F7DB          neg ebx
004052A2 .  1BDB          sbb ebx,ebx
004052A4 .  51             push ecx
004052A5 .  43             inc ebx
004052A6 .  68 741E4000    push crackme.00401E74
004052AB .  F7DB          neg ebx
004052AD .  FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__>;  检查用户名是否为空
004052B3 .  F7D8          neg eax
004052B5 .  1BC0          sbb eax,eax
004052B7 .  8D55 9C       lea edx,dword ptr ss:[ebp-64]
004052BA .  40             inc eax
004052BB .  52             push edx
004052BC .  F7D8          neg eax
004052BE .  0BD8          or ebx,eax
004052C0 .  8D45 A0       lea eax,dword ptr ss:[ebp-60]
004052C3 .  50             push eax
004052C4 .  6A 02          push 2
004052C6 .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
004052CC .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004052D2 .  8D55 80       lea edx,dword ptr ss:[ebp-80]
004052D5 .  51             push ecx
004052D6 .  52             push edx
004052D7 .  6A 02          push 2
004052D9 .  FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
004052DF .  83C4 18       add esp,18
004052E2 .  66:3BDF       cmp bx,di
004052E5 .  74 0A          je short crackme.004052F1       ;  用户名或注册码为空则Over,暴破点1，改为Jmp
004052E7 .  B8 01000000    mov eax,1
004052EC .  E9 E1060000    jmp crackme.004059D2
004052F1 >  8B06          mov eax,dword ptr ds:[esi]
004052F3 .  56             push esi
004052F4 .  FF90 00030000 call dword ptr ds:[eax+300]
004052FA .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
004052FD .  50             push eax
004052FE .  51             push ecx
004052FF .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405305 .  8BD8          mov ebx,eax
00405307 .  8D45 A0       lea eax,dword ptr ss:[ebp-60]
0040530A .  50             push eax
0040530B .  53             push ebx
0040530C .  8B13          mov edx,dword ptr ds:[ebx]
0040530E .  FF92 A0000000 call dword ptr ds:[edx+A0]
00405314 .  3BC7          cmp eax,edi
00405316 .  DBE2          fclex
00405318 .  7D 12          jge short crackme.0040532C
0040531A .  68 A0000000    push 0A0
0040531F .  68 901E4000    push crackme.00401E90
00405324 .  53             push ebx
00405325 .  50             push eax
00405326 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040532C >  8B4D A0       mov ecx,dword ptr ss:[ebp-60] ;  假码"abcd1234"
0040532F .  51             push ecx
00405330 .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>;  获取假码长度,EAX=0x8
00405336 .  33DB          xor ebx,ebx
00405338 .  83F8 04       cmp eax,4                      ;  假码长度与4比较
0040533B .  0F9EC3       setle bl
0040533E .  8D4D A0       lea ecx,dword ptr ss:[ebp-60]
00405341 .  F7DB          neg ebx
00405343 .  FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
00405349 .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
0040534C .  FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
00405352 .  66:3BDF       cmp bx,di
00405355 .  74 0A          je short crackme.00405361       ;  假码长度若为4,则Over,暴破点2，改为Jmp
00405357 .  B8 02000000    mov eax,2
0040535C .  E9 71060000    jmp crackme.004059D2
00405361 >  8B16          mov edx,dword ptr ds:[esi]
00405363 .  56             push esi
00405364 .  FF92 00030000 call dword ptr ds:[edx+300]
0040536A .  50             push eax
0040536B .  8D45 80       lea eax,dword ptr ss:[ebp-80]
0040536E .  50             push eax
0040536F .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405375 .  8BD8          mov ebx,eax
00405377 .  8D55 A0       lea edx,dword ptr ss:[ebp-60]
0040537A .  52             push edx
0040537B .  53             push ebx
0040537C .  8B0B          mov ecx,dword ptr ds:[ebx]
0040537E .  FF91 A0000000 call dword ptr ds:[ecx+A0]
00405384 .  3BC7          cmp eax,edi
00405386 .  DBE2          fclex
00405388 .  7D 12          jge short crackme.0040539C
0040538A .  68 A0000000    push 0A0
0040538F .  68 901E4000    push crackme.00401E90
00405394 .  53             push ebx
00405395 .  50             push eax
00405396 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
0040539C >  8B06          mov eax,dword ptr ds:[esi]
0040539E .  56             push esi
0040539F .  FF90 00030000 call dword ptr ds:[eax+300]
004053A5 .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-84]
004053AB .  50             push eax
004053AC .  51             push ecx
004053AD .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
004053B3 .  8BD8          mov ebx,eax
004053B5 .  8D45 98       lea eax,dword ptr ss:[ebp-68]
004053B8 .  50             push eax
004053B9 .  53             push ebx
004053BA .  8B13          mov edx,dword ptr ds:[ebx]
004053BC .  FF92 A0000000 call dword ptr ds:[edx+A0]
004053C2 .  3BC7          cmp eax,edi
004053C4 .  DBE2          fclex
004053C6 .  7D 12          jge short crackme.004053DA
004053C8 .  68 A0000000    push 0A0
004053CD .  68 901E4000    push crackme.00401E90
004053D2 .  53             push ebx
004053D3 .  50             push eax
004053D4 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
004053DA >  8B0E          mov ecx,dword ptr ds:[esi]
004053DC .  56             push esi
004053DD .  FF91 00030000 call dword ptr ds:[ecx+300]
004053E3 .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
004053E9 .  50             push eax
004053EA .  52             push edx
004053EB .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
004053F1 .  8BD8          mov ebx,eax
004053F3 .  8D4D 90       lea ecx,dword ptr ss:[ebp-70]
004053F6 .  51             push ecx
004053F7 .  53             push ebx
004053F8 .  8B03          mov eax,dword ptr ds:[ebx]
004053FA .  FF90 A0000000 call dword ptr ds:[eax+A0]
00405400 .  3BC7          cmp eax,edi
00405402 .  DBE2          fclex
00405404 .  7D 12          jge short crackme.00405418
00405406 .  68 A0000000    push 0A0
0040540B .  68 901E4000    push crackme.00401E90
00405410 .  53             push ebx
00405411 .  50             push eax
00405412 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405418 >  8B16          mov edx,dword ptr ds:[esi]
0040541A .  56             push esi
0040541B .  FF92 00030000 call dword ptr ds:[edx+300]
00405421 .  50             push eax
00405422 .  8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
00405428 .  50             push eax
00405429 .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
0040542F .  8BD8          mov ebx,eax
00405431 .  8D55 88       lea edx,dword ptr ss:[ebp-78]
00405434 .  52             push edx
00405435 .  53             push ebx
00405436 .  8B0B          mov ecx,dword ptr ds:[ebx]
00405438 .  FF91 A0000000 call dword ptr ds:[ecx+A0]
0040543E .  3BC7          cmp eax,edi
00405440 .  DBE2          fclex
00405442 .  7D 12          jge short crackme.00405456
00405444 .  68 A0000000    push 0A0
00405449 .  68 901E4000    push crackme.00401E90
0040544E .  53             push ebx
0040544F .  50             push eax
00405450 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405456 >  8B45 A0       mov eax,dword ptr ss:[ebp-60] ;  假码"abcd1234"
00405459 .  8B1D 8C104000 mov ebx,dword ptr ds:[<&MSVBVM60>
0040545F .  8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
00405465 .  8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
0040546B .  50             push eax
0040546C .  8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00405472 .  6A 01          push 1
00405474 .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
0040547A .  51             push ecx
0040547B .  52             push edx
0040547C .  C785 5CFFFFFF 0>mov dword ptr ss:[ebp-A4],1
00405486 .  C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],2
00405490 .  897D A0       mov dword ptr ss:[ebp-60],edi
00405493 .  C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],8
0040549D .  FFD3          call ebx                      ;  MSVBVM60.rtcMidCharVar
0040549F .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] ;  取假码第1位字符
004054A5 .  8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
004054AB .  50             push eax
004054AC .  51             push ecx
004054AD .  FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcUpperCaseVar
004054B3 .  8B45 98       mov eax,dword ptr ss:[ebp-68] ;  假码第1位字符转为大写
004054B6 .  8D95 14FFFFFF lea edx,dword ptr ss:[ebp-EC]
004054BC .  8985 2CFFFFFF mov dword ptr ss:[ebp-D4],eax
004054C2 .  52             push edx
004054C3 .  8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC]
004054C9 .  6A 02          push 2
004054CB .  8D8D 04FFFFFF lea ecx,dword ptr ss:[ebp-FC]
004054D1 .  50             push eax
004054D2 .  51             push ecx
004054D3 .  C785 1CFFFFFF 0>mov dword ptr ss:[ebp-E4],1
004054DD .  C785 14FFFFFF 0>mov dword ptr ss:[ebp-EC],2
004054E7 .  897D 98       mov dword ptr ss:[ebp-68],edi
004054EA .  C785 24FFFFFF 0>mov dword ptr ss:[ebp-DC],8
004054F4 .  FFD3          call ebx                      ;  MSVBVM60.rtcMidCharVar
004054F6 .  8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC] ;  取假码第2位字符
004054FC .  8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
00405502 .  52             push edx
00405503 .  50             push eax
00405504 .  FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcUpperCaseVar
0040550A .  8B45 90       mov eax,dword ptr ss:[ebp-70] ;  假码第2位字符转为大写
0040550D .  8D8D D4FEFFFF lea ecx,dword ptr ss:[ebp-12C]
00405513 .  8985 ECFEFFFF mov dword ptr ss:[ebp-114],eax
00405519 .  51             push ecx
0040551A .  8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C]
00405520 .  6A 03          push 3
00405522 .  8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-13C]
00405528 .  52             push edx
00405529 .  50             push eax
0040552A .  C785 DCFEFFFF 0>mov dword ptr ss:[ebp-124],1
00405534 .  C785 D4FEFFFF 0>mov dword ptr ss:[ebp-12C],2
0040553E .  897D 90       mov dword ptr ss:[ebp-70],edi
00405541 .  C785 E4FEFFFF 0>mov dword ptr ss:[ebp-11C],8
0040554B .  FFD3          call ebx                      ;  MSVBVM60.rtcMidCharVar
0040554D .  8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C] ;  取假码第3位字符
00405553 .  8D95 B4FEFFFF lea edx,dword ptr ss:[ebp-14C]
00405559 .  51             push ecx
0040555A .  52             push edx
0040555B .  FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcUpperCaseVar
00405561 .  8B45 88       mov eax,dword ptr ss:[ebp-78] ;  假码第3位字符转为大写
00405564 .  8D8D A4FEFFFF lea ecx,dword ptr ss:[ebp-15C]
0040556A .  8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00405570 .  8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00405576 .  50             push eax
00405577 .  6A 04          push 4
00405579 .  8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
0040557F .  51             push ecx
00405580 .  52             push edx
00405581 .  C785 9CFEFFFF 0>mov dword ptr ss:[ebp-164],1
0040558B .  C785 94FEFFFF 0>mov dword ptr ss:[ebp-16C],2
00405595 .  897D 88       mov dword ptr ss:[ebp-78],edi
00405598 .  C785 A4FEFFFF 0>mov dword ptr ss:[ebp-15C],8
004055A2 .  FFD3          call ebx                      ;  MSVBVM60.rtcMidCharVar
004055A4 .  8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C] ;  取假码第4位字符
004055AA .  8D8D 74FEFFFF lea ecx,dword ptr ss:[ebp-18C]
004055B0 .  50             push eax
004055B1 .  51             push ecx
004055B2 .  FF15 9C104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcUpperCaseVar
004055B8 .  8D95 F4FEFFFF lea edx,dword ptr ss:[ebp-10C] ;  假码第4位字符转为大写
004055BE .  8D45 94       lea eax,dword ptr ss:[ebp-6C]
004055C1 .  52             push edx
004055C2 .  50             push eax
004055C3 .  8B1D E8104000 mov ebx,dword ptr ds:[<&MSVBVM60>
004055C9 .  FFD3          call ebx
004055CB .  50             push eax
004055CC .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcAnsiValueBstr
004055D2 .  66:8BD0       mov dx,ax                      ;  取假码第1位字符转为大写后的ASCII值
004055D5 .  8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC] ;  DX=AX=0x42
004055DB .  8D45 9C       lea eax,dword ptr ss:[ebp-64]
004055DE .  51             push ecx
004055DF .  50             push eax
004055E0 .  66:8995 CEFDFFF>mov word ptr ss:[ebp-232],dx
004055E7 .  FFD3          call ebx
004055E9 .  50             push eax
004055EA .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcAnsiValueBstr
004055F0 .  66:8B9D CEFDFFF>mov bx,word ptr ss:[ebp-232]    ;  取假码第2位字符转为大写后的ASCII值
004055F7 .  8D8D B4FEFFFF lea ecx,dword ptr ss:[ebp-14C] ;  Ax=0x41
004055FD .  8D55 8C       lea edx,dword ptr ss:[ebp-74]
00405600 .  66:03D8       add bx,ax                      ;  前2位字符转为大写后的ASCII值相加
00405603 .  51             push ecx
00405604 .  52             push edx
00405605 .  0F80 06080000 jo crackme.00405E11
0040560B .  FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__>
00405611 .  50             push eax
00405612 .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>
00405618 .  66:03D8       add bx,ax                      ;  取假码第3位字符转为大写后的ASCII值
0040561B .  8D85 74FEFFFF lea eax,dword ptr ss:[ebp-18C] ;  前3位字符转为大写后的ASCII值相加
00405621 .  8D4D 84       lea ecx,dword ptr ss:[ebp-7C]
00405624 .  50             push eax
00405625 .  51             push ecx
00405626 .  0F80 E5070000 jo crackme.00405E11
0040562C .  FF15 E8104000 call dword ptr ds:[<&MSVBVM60.__>
00405632 .  50             push eax
00405633 .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcAnsiValueBstr
00405639 .  66:03D8       add bx,ax                      ;  取假码第3位字符转为大写后的ASCII值
0040563C .  8D45 84       lea eax,dword ptr ss:[ebp-7C] ;  前4位字符转为大写后的ASCII值相加
0040563F .  0F80 CC070000 jo crackme.00405E11
00405645 .  66:81EB 0401 sub bx,104                      ;  ASCII值相加值减去0x104
0040564A .  8D4D 8C       lea ecx,dword ptr ss:[ebp-74]
0040564D .  0F80 BE070000 jo crackme.00405E11
00405653 .  33D2          xor edx,edx
00405655 .  66:83FB 1F    cmp bx,1F                      ;  ASCII值相加值减去0x104结果与0x1F比较
00405659 .  0F94C2       sete dl
0040565C .  F7DA          neg edx
0040565E .  8BDA          mov ebx,edx
00405660 .  50             push eax
00405661 .  8D55 94       lea edx,dword ptr ss:[ebp-6C]
00405664 .  51             push ecx
00405665 .  8D45 9C       lea eax,dword ptr ss:[ebp-64]
00405668 .  52             push edx
00405669 .  50             push eax
0040566A .  6A 04          push 4
0040566C .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00405672 .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00405678 .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
0040567E .  51             push ecx
0040567F .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00405685 .  52             push edx
00405686 .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
00405689 .  50             push eax
0040568A .  51             push ecx
0040568B .  6A 04          push 4
0040568D .  FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
00405693 .  8D95 74FEFFFF lea edx,dword ptr ss:[ebp-18C]
00405699 .  8D85 84FEFFFF lea eax,dword ptr ss:[ebp-17C]
0040569F .  52             push edx
004056A0 .  8D8D 94FEFFFF lea ecx,dword ptr ss:[ebp-16C]
004056A6 .  50             push eax
004056A7 .  8D95 A4FEFFFF lea edx,dword ptr ss:[ebp-15C]
004056AD .  51             push ecx
004056AE .  8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
004056B4 .  52             push edx
004056B5 .  8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-13C]
004056BB .  50             push eax
004056BC .  8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-12C]
004056C2 .  51             push ecx
004056C3 .  8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004056C9 .  52             push edx
004056CA .  8D8D F4FEFFFF lea ecx,dword ptr ss:[ebp-10C]
004056D0 .  50             push eax
004056D1 .  8D95 04FFFFFF lea edx,dword ptr ss:[ebp-FC]
004056D7 .  51             push ecx
004056D8 .  52             push edx
004056D9 .  8D85 14FFFFFF lea eax,dword ptr ss:[ebp-EC]
004056DF .  8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
004056E5 .  50             push eax
004056E6 .  8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
004056EC .  51             push ecx
004056ED .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004056F3 .  52             push edx
004056F4 .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-AC]
004056FA .  50             push eax
004056FB .  8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00405701 .  51             push ecx
00405702 .  52             push edx
00405703 .  6A 10          push 10
00405705 .  FF15 28104000 call dword ptr ds:[<&MSVBVM60.__>
0040570B .  83C4 6C       add esp,6C
0040570E .  66:3BDF       cmp bx,di
00405711 .  0F84 2E020000 je crackme.00405945             ;  不相等则Over,暴破点3，Nop掉
00405717 .  8B06          mov eax,dword ptr ds:[esi]
00405719 .  56             push esi
0040571A .  FF90 00030000 call dword ptr ds:[eax+300]
00405720 .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
00405723 .  50             push eax
00405724 .  51             push ecx
00405725 .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
0040572B .  8BD8          mov ebx,eax
0040572D .  8D45 A0       lea eax,dword ptr ss:[ebp-60]
00405730 .  50             push eax
00405731 .  53             push ebx
00405732 .  8B13          mov edx,dword ptr ds:[ebx]
00405734 .  FF92 A0000000 call dword ptr ds:[edx+A0]
0040573A .  3BC7          cmp eax,edi
0040573C .  DBE2          fclex
0040573E .  7D 12          jge short crackme.00405752
00405740 .  68 A0000000    push 0A0
00405745 .  68 901E4000    push crackme.00401E90
0040574A .  53             push ebx
0040574B .  50             push eax
0040574C .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405752 >  8B0E          mov ecx,dword ptr ds:[esi]
00405754 .  56             push esi
00405755 .  FF91 00030000 call dword ptr ds:[ecx+300]
0040575B .  8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
00405761 .  50             push eax
00405762 .  52             push edx
00405763 .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405769 .  8BD8          mov ebx,eax
0040576B .  8D4D 9C       lea ecx,dword ptr ss:[ebp-64]
0040576E .  51             push ecx
0040576F .  53             push ebx
00405770 .  8B03          mov eax,dword ptr ds:[ebx]
00405772 .  FF90 A0000000 call dword ptr ds:[eax+A0]
00405778 .  3BC7          cmp eax,edi
0040577A .  DBE2          fclex
0040577C .  7D 12          jge short crackme.00405790
0040577E .  68 A0000000    push 0A0
00405783 .  68 901E4000    push crackme.00401E90
00405788 .  53             push ebx
00405789 .  50             push eax
0040578A .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405790 >  8B55 9C       mov edx,dword ptr ss:[ebp-64]
00405793 .  52             push edx
00405794 .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>
0040579A .  83E8 01       sub eax,1
0040579D .  8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
004057A3 .  0F80 68060000 jo crackme.00405E11
004057A9 .  8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
004057AF .  8B45 A0       mov eax,dword ptr ss:[ebp-60]
004057B2 .  8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
004057B8 .  8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
004057BE .  50             push eax
004057BF .  6A 05          push 5                         ;  常数,5
004057C1 .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
004057C7 .  51             push ecx
004057C8 .  52             push edx
004057C9 .  C785 54FFFFFF 0>mov dword ptr ss:[ebp-AC],3
004057D3 .  897D A0       mov dword ptr ss:[ebp-60],edi
004057D6 .  C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],8
004057E0 .  FF15 8C104000 call dword ptr ds:[<&MSVBVM60.#6>;  MSVBVM60.rtcMidCharVar
004057E6 .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC] ;  从假码第5位字符开始起取后半部分字符串
004057EC .  50             push eax                      ;  假码后半部分字符串"1234"
004057ED .  FF15 20104000 call dword ptr ds:[<&MSVBVM60.__>
004057F3 .  8B1D 48114000 mov ebx,dword ptr ds:[<&MSVBVM60>
004057F9 .  8BD0          mov edx,eax
004057FB .  8D4D 98       lea ecx,dword ptr ss:[ebp-68]
004057FE .  FFD3          call ebx
00405800 .  8B0E          mov ecx,dword ptr ds:[esi]
00405802 .  8D55 94       lea edx,dword ptr ss:[ebp-6C]
00405805 .  8D45 98       lea eax,dword ptr ss:[ebp-68]
00405808 .  52             push edx
00405809 .  50             push eax
0040580A .  56             push esi
0040580B .  FF91 14070000 call dword ptr ds:[ecx+714]    ;  00402B11,关键CALL-1,F7进入
00405811 .  8B55 94       mov edx,dword ptr ss:[ebp-6C]
00405814 .  8D4D A4       lea ecx,dword ptr ss:[ebp-5C]
00405817 .  897D 94       mov dword ptr ss:[ebp-6C],edi
0040581A .  FFD3          call ebx
0040581C .  8D4D 98       lea ecx,dword ptr ss:[ebp-68]
0040581F .  8D55 9C       lea edx,dword ptr ss:[ebp-64]
00405822 .  51             push ecx
00405823 .  52             push edx
00405824 .  6A 02          push 2
00405826 .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
0040582C .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
00405832 .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
00405835 .  50             push eax
00405836 .  51             push ecx
00405837 .  6A 02          push 2
00405839 .  FF15 34104000 call dword ptr ds:[<&MSVBVM60.__>
0040583F .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
00405845 .  8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
0040584B .  52             push edx
0040584C .  8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
00405852 .  50             push eax
00405853 .  51             push ecx
00405854 .  6A 03          push 3
00405856 .  FF15 28104000 call dword ptr ds:[<&MSVBVM60.__>
0040585C .  8B55 A4       mov edx,dword ptr ss:[ebp-5C]
0040585F .  83C4 28       add esp,28
00405862 .  52             push edx
00405863 .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>; MSVBVM60.__vbaLenBstr
00405869 .  8BC8          mov ecx,eax                   ; 获取关键CALL-1得到的字符串的长度
0040586B .  FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
00405871 .  8945 A8       mov dword ptr ss:[ebp-58],eax ; EAX=0x3
00405874 .  8B06          mov eax,dword ptr ds:[esi]
00405876 .  56             push esi
00405877 .  FF90 FC020000 call dword ptr ds:[eax+2FC]
0040587D .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
00405880 .  50             push eax
00405881 .  51             push ecx
00405882 .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405888 .  8BD8          mov ebx,eax
0040588A .  8D45 A0       lea eax,dword ptr ss:[ebp-60]
0040588D .  50             push eax
0040588E .  53             push ebx
0040588F .  8B13          mov edx,dword ptr ds:[ebx]
00405891 .  FF92 A0000000 call dword ptr ds:[edx+A0]
00405897 .  3BC7          cmp eax,edi
00405899 .  DBE2          fclex
0040589B .  7D 12          jge short crackme.004058AF
0040589D .  68 A0000000    push 0A0
004058A2 .  68 901E4000    push crackme.00401E90
004058A7 .  53             push ebx
004058A8 .  50             push eax
004058A9 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
004058AF >  8B4D A0       mov ecx,dword ptr ss:[ebp-60] ;  用户名"hrbx"
004058B2 .  51             push ecx
004058B3 .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>;  获取用户名长度
004058B9 .  8BC8          mov ecx,eax                   ;  EAX=0x4
004058BB .  FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
004058C1 .  8D4D A0       lea ecx,dword ptr ss:[ebp-60]
004058C4 .  8BD8          mov ebx,eax
004058C6 .  FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
004058CC .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
004058CF .  FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
004058D5 .  0FBF55 A8    movsx edx,word ptr ss:[ebp-58]
004058D9 .  8995 C8FDFFFF mov dword ptr ss:[ebp-238],edx
004058DF .  DB85 C8FDFFFF fild dword ptr ss:[ebp-238]
004058E5 .  0FBFC3       movsx eax,bx
004058E8 .  DD9D C0FDFFFF fstp qword ptr ss:[ebp-240]
004058EE .  8985 BCFDFFFF mov dword ptr ss:[ebp-244],eax
004058F4 .  DB85 BCFDFFFF fild dword ptr ss:[ebp-244]
004058FA .  DD9D B4FDFFFF fstp qword ptr ss:[ebp-24C]
00405900 .  DD85 C0FDFFFF fld qword ptr ss:[ebp-240]    ;  关键CALL-1得到的字符串的长度
00405906 .  833D 00704000 0>cmp dword ptr ds:[407000],0
0040590D .  75 08          jnz short crackme.00405917
0040590F .  DCB5 B4FDFFFF fdiv qword ptr ss:[ebp-24C]    ;  除以用户名长度
00405915 .  EB 11          jmp short crackme.00405928
00405917 >  FFB5 B8FDFFFF push dword ptr ss:[ebp-248]
0040591D .  FFB5 B4FDFFFF push dword ptr ss:[ebp-24C]
00405923 .  E8 BCB9FFFF    call <jmp.&MSVBVM60._adj_fdiv_m6>
00405928 >  DFE0          fstsw ax
0040592A .  A8 0D          test al,0D
0040592C .  0F85 DA040000 jnz crackme.00405E0C
00405932 .  FF15 80104000 call dword ptr ds:[<&MSVBVM60.__>
00405938 .  DC1D A8124000 fcomp qword ptr ds:[4012A8]
0040593E .  DFE0          fstsw ax
00405940 .  F6C4 40       test ah,40
00405943 .  75 0A          jnz short crackme.0040594F    ;  不能整除则Over,暴破点4,改为Jmp
00405945 >  B8 03000000    mov eax,3
0040594A .  E9 83000000    jmp crackme.004059D2
0040594F >  66:2B5D A8    sub bx,word ptr ss:[ebp-58]    ;  关键CALL-1得到的字符串的长度-用户名长度
00405953 .  0F80 B8040000 jo crackme.00405E11
00405959 .  66:85DB       test bx,bx
0040595C .  75 71          jnz short crackme.004059CF    ;  不等于0则Over,暴破点5,改为NOP
0040595E .  8B0E          mov ecx,dword ptr ds:[esi]
00405960 .  56             push esi
00405961 .  FF91 FC020000 call dword ptr ds:[ecx+2FC]
00405967 .  8D55 80       lea edx,dword ptr ss:[ebp-80]
0040596A .  50             push eax
0040596B .  52             push edx
0040596C .  FF15 68104000 call dword ptr ds:[<&MSVBVM60.__>
00405972 .  8BF0          mov esi,eax
00405974 .  8D4D A0       lea ecx,dword ptr ss:[ebp-60]
00405977 .  51             push ecx
00405978 .  56             push esi
00405979 .  8B06          mov eax,dword ptr ds:[esi]
0040597B .  FF90 A0000000 call dword ptr ds:[eax+A0]
00405981 .  3BC7          cmp eax,edi
00405983 .  DBE2          fclex
00405985 .  7D 12          jge short crackme.00405999
00405987 .  68 A0000000    push 0A0
0040598C .  68 901E4000    push crackme.00401E90
00405991 .  56             push esi
00405992 .  50             push eax
00405993 .  FF15 44104000 call dword ptr ds:[<&MSVBVM60.__>
00405999 >  8B55 A4       mov edx,dword ptr ss:[ebp-5C]
0040599C .  8B45 A0       mov eax,dword ptr ss:[ebp-60]
0040599F .  52             push edx
004059A0 .  50             push eax
004059A1 .  FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__>;  比较用户名和关键CALL-1得到的字符串
004059A7 .  8BF0          mov esi,eax
004059A9 .  8D4D A0       lea ecx,dword ptr ss:[ebp-60]
004059AC .  F7DE          neg esi
004059AE .  1BF6          sbb esi,esi
004059B0 .  46             inc esi
004059B1 .  F7DE          neg esi
004059B3 .  FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
004059B9 .  8D4D 80       lea ecx,dword ptr ss:[ebp-80]
004059BC .  FF15 6C114000 call dword ptr ds:[<&MSVBVM60.__>
004059C2 .  33C0          xor eax,eax
004059C4 .  66:3BF7       cmp si,di
004059C7    0F95C0       setne al                      ;  不相等则Over,暴破点6,改为sete
004059CA .  83C0 03       add eax,3
004059CD .  EB 03          jmp short crackme.004059D2

F7进入0040580B处的关键CALL-1,来到:

00402B11 . /E9 7A130000    jmp crackme.00403E90          ;  来到这里
00402B16 . |816C24 04 FFFF0>sub dword ptr ss:[esp+4],0FFFF

F8单步，来到：

00403E90 > \55             push ebp                      ;  F8单步来到这里
00403E91 .  8BEC          mov ebp,esp
00403E93 .  83EC 0C       sub esp,0C
00403E96 .  68 C6124000    push <jmp.&MSVBVM60.__vbaExceptH>;  SE 句柄安装
00403E9B .  64:A1 00000000  mov eax,dword ptr fs:[0]
00403EA1 .  50             push eax
00403EA2 .  64:8925 0000000>mov dword ptr fs:[0],esp
00403EA9 .  81EC 98000000 sub esp,98
00403EAF .  53             push ebx
00403EB0 .  56             push esi
00403EB1 .  57             push edi
00403EB2 .  8965 F4       mov dword ptr ss:[ebp-C],esp
00403EB5 .  C745 F8 2012400>mov dword ptr ss:[ebp-8],crackme>
00403EBC .  8B4D 10       mov ecx,dword ptr ss:[ebp+10]
00403EBF .  8B55 0C       mov edx,dword ptr ss:[ebp+C]
00403EC2 .  33C0          xor eax,eax
00403EC4 .  8945 D4       mov dword ptr ss:[ebp-2C],eax
00403EC7 .  8945 D0       mov dword ptr ss:[ebp-30],eax
00403ECA .  8945 CC       mov dword ptr ss:[ebp-34],eax
00403ECD .  8945 C8       mov dword ptr ss:[ebp-38],eax
00403ED0 .  8945 B8       mov dword ptr ss:[ebp-48],eax
00403ED3 .  8945 A4       mov dword ptr ss:[ebp-5C],eax
00403ED6 .  8901          mov dword ptr ds:[ecx],eax
00403ED8 .  8B02          mov eax,dword ptr ds:[edx]
00403EDA .  50             push eax                      ;  假码后半部分字符串"1234"
00403EDB .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaLenBstr
00403EE1 .  8BC8          mov ecx,eax                   ;  获取字符串长度,Eax=0x4
00403EE3 .  FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaI2I4
00403EE9 .  8B7D 08       mov edi,dword ptr ss:[ebp+8]
00403EEC .  8B35 48114000 mov esi,dword ptr ds:[<&MSVBVM60>
00403EF2 .  BB 01000000    mov ebx,1
00403EF7 .  8945 9C       mov dword ptr ss:[ebp-64],eax
00403EFA .  895D E4       mov dword ptr ss:[ebp-1C],ebx
00403EFD >  66:3B5D 9C    cmp bx,word ptr ss:[ebp-64]
00403F01 .  0F8F A2030000 jg crackme.004042A9
00403F07 .  8B45 0C       mov eax,dword ptr ss:[ebp+C]
00403F0A .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
00403F0D .  0FBFD3       movsx edx,bx
00403F10 .  51             push ecx
00403F11 .  8B08          mov ecx,dword ptr ds:[eax]
00403F13 .  52             push edx
00403F14 .  51             push ecx
00403F15 .  C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403F1C .  C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403F23 .  FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>;  MSVBVM60.rtcMidCharBstr
00403F29 .  8BD0          mov edx,eax                   ;  取字符串"1234"第1位字符，"1"
00403F2B .  8D4D C8       lea ecx,dword ptr ss:[ebp-38]
00403F2E .  FFD6          call esi
00403F30 .  8B55 C8       mov edx,dword ptr ss:[ebp-38]
00403F33 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00403F36 .  C745 C8 0000000>mov dword ptr ss:[ebp-38],0
00403F3D .  FFD6          call esi
00403F3F .  8B17          mov edx,dword ptr ds:[edi]
00403F41 .  8D45 A4       lea eax,dword ptr ss:[ebp-5C]
00403F44 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00403F47 .  50             push eax
00403F48 .  51             push ecx
00403F49 .  57             push edi
00403F4A .  FF92 1C070000 call dword ptr ds:[edx+71C]    ;  关键CALL-2,F7进入
00403F50 .  8B55 A4       mov edx,dword ptr ss:[ebp-5C] ;  EDX=0x35(53),记为Num1
00403F53 .  8D45 C8       lea eax,dword ptr ss:[ebp-38]
00403F56 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00403F59 .  50             push eax
00403F5A .  51             push ecx
00403F5B .  6A 02          push 2
00403F5D .  8955 E8       mov dword ptr ss:[ebp-18],edx
00403F60 .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00403F66 .  83C4 0C       add esp,0C
00403F69 .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
00403F6C .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
00403F72 .  66:8BC3       mov ax,bx
00403F75 .  8D55 B8       lea edx,dword ptr ss:[ebp-48]
00403F78 .  66:05 0100    add ax,1
00403F7C .  52             push edx
00403F7D .  8B55 0C       mov edx,dword ptr ss:[ebp+C]
00403F80 .  C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00403F87 .  0F80 88030000 jo crackme.00404315
00403F8D .  0FBFC8       movsx ecx,ax
00403F90 .  8B02          mov eax,dword ptr ds:[edx]
00403F92 .  51             push ecx
00403F93 .  50             push eax
00403F94 .  C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00403F9B .  FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>;  MSVBVM60.rtcMidCharBstr
00403FA1 .  8BD0          mov edx,eax                   ;  取字符串"1234"第2位字符，"2"
00403FA3 .  8D4D C8       lea ecx,dword ptr ss:[ebp-38]
00403FA6 .  FFD6          call esi
00403FA8 .  8B55 C8       mov edx,dword ptr ss:[ebp-38]
00403FAB .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00403FAE .  C745 C8 0000000>mov dword ptr ss:[ebp-38],0
00403FB5 .  FFD6          call esi
00403FB7 .  8B0F          mov ecx,dword ptr ds:[edi]
00403FB9 .  8D55 A4       lea edx,dword ptr ss:[ebp-5C]
00403FBC .  8D45 CC       lea eax,dword ptr ss:[ebp-34]
00403FBF .  52             push edx
00403FC0 .  50             push eax
00403FC1 .  57             push edi
00403FC2 .  FF91 1C070000 call dword ptr ds:[ecx+71C]    ;  同关键CALL-2
00403FC8 .  8B4D A4       mov ecx,dword ptr ss:[ebp-5C] ;  ECX=0x36(54),记为Num2
00403FCB .  8D55 C8       lea edx,dword ptr ss:[ebp-38]
00403FCE .  8D45 CC       lea eax,dword ptr ss:[ebp-34]
00403FD1 .  52             push edx
00403FD2 .  50             push eax
00403FD3 .  6A 02          push 2
00403FD5 .  894D E0       mov dword ptr ss:[ebp-20],ecx
00403FD8 .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00403FDE .  83C4 0C       add esp,0C
00403FE1 .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
00403FE4 .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
00403FEA .  66:83C3 02    add bx,2
00403FEE .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
00403FF1 .  0F80 1E030000 jo crackme.00404315
00403FF7 .  0FBFD3       movsx edx,bx
00403FFA .  51             push ecx
00403FFB .  C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00404002 .  C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00404009 .  52             push edx
0040400A .  8B45 0C       mov eax,dword ptr ss:[ebp+C]
0040400D .  8B08          mov ecx,dword ptr ds:[eax]
0040400F .  51             push ecx
00404010 .  FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>;  MSVBVM60.rtcMidCharBstr
00404016 .  8BD0          mov edx,eax                   ;  取字符串"1234"第3位字符，"3"
00404018 .  8D4D C8       lea ecx,dword ptr ss:[ebp-38]
0040401B .  FFD6          call esi
0040401D .  8B55 C8       mov edx,dword ptr ss:[ebp-38]
00404020 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404023 .  C745 C8 0000000>mov dword ptr ss:[ebp-38],0
0040402A .  FFD6          call esi
0040402C .  8B17          mov edx,dword ptr ds:[edi]
0040402E .  8D45 A4       lea eax,dword ptr ss:[ebp-5C]
00404031 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404034 .  50             push eax
00404035 .  51             push ecx
00404036 .  57             push edi
00404037 .  FF92 1C070000 call dword ptr ds:[edx+71C]    ;  同关键CALL-2
0040403D .  8B5D A4       mov ebx,dword ptr ss:[ebp-5C] ;  EBX=0x37(55),记为Num3
00404040 .  8D55 C8       lea edx,dword ptr ss:[ebp-38]
00404043 .  8D45 CC       lea eax,dword ptr ss:[ebp-34]
00404046 .  52             push edx
00404047 .  50             push eax
00404048 .  6A 02          push 2
0040404A .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
00404050 .  83C4 0C       add esp,0C
00404053 .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
00404056 .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
0040405C .  66:8B55 E4    mov dx,word ptr ss:[ebp-1C]
00404060 .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
00404063 .  66:83C2 03    add dx,3
00404067 .  51             push ecx
00404068 .  8B4D 0C       mov ecx,dword ptr ss:[ebp+C]
0040406B .  C745 C0 0100000>mov dword ptr ss:[ebp-40],1
00404072 .  0F80 9D020000 jo crackme.00404315
00404078 .  0FBFC2       movsx eax,dx
0040407B .  8B11          mov edx,dword ptr ds:[ecx]
0040407D .  50             push eax
0040407E .  52             push edx
0040407F .  C745 B8 0200000>mov dword ptr ss:[ebp-48],2
00404086 .  FF15 88104000 call dword ptr ds:[<&MSVBVM60.#6>;  MSVBVM60.rtcMidCharBstr
0040408C .  8BD0          mov edx,eax                   ;  取字符串"1234"第4位字符，"4"
0040408E .  8D4D C8       lea ecx,dword ptr ss:[ebp-38]
00404091 .  FFD6          call esi
00404093 .  8B55 C8       mov edx,dword ptr ss:[ebp-38]
00404096 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404099 .  C745 C8 0000000>mov dword ptr ss:[ebp-38],0
004040A0 .  FFD6          call esi
004040A2 .  8B07          mov eax,dword ptr ds:[edi]
004040A4 .  8D4D A4       lea ecx,dword ptr ss:[ebp-5C]
004040A7 .  8D55 CC       lea edx,dword ptr ss:[ebp-34]
004040AA .  51             push ecx
004040AB .  52             push edx
004040AC .  57             push edi
004040AD .  FF90 1C070000 call dword ptr ds:[eax+71C]    ;  同关键CALL-2
004040B3 .  8B45 A4       mov eax,dword ptr ss:[ebp-5C] ;  EAX=0x38(56),记为Num4
004040B6 .  8D4D C8       lea ecx,dword ptr ss:[ebp-38]
004040B9 .  8D55 CC       lea edx,dword ptr ss:[ebp-34]
004040BC .  51             push ecx
004040BD .  52             push edx
004040BE .  6A 02          push 2
004040C0 .  8945 D8       mov dword ptr ss:[ebp-28],eax
004040C3 .  FF15 10114000 call dword ptr ds:[<&MSVBVM60.__>
004040C9 .  83C4 0C       add esp,0C
004040CC .  8D4D B8       lea ecx,dword ptr ss:[ebp-48]
004040CF .  FF15 18104000 call dword ptr ds:[<&MSVBVM60.__>
004040D5 .  8B45 E0       mov eax,dword ptr ss:[ebp-20]
004040D8 .  66:85C0       test ax,ax
004040DB .  0F8C AD000000 jl crackme.0040418E
004040E1 .  0FBFD0       movsx edx,ax
004040E4 .  8955 80       mov dword ptr ss:[ebp-80],edx ;  EDX=0x36(54),Num2
004040E7 .  8B4D D0       mov ecx,dword ptr ss:[ebp-30]
004040EA .  DB45 80       fild dword ptr ss:[ebp-80]
004040ED .  51             push ecx
004040EE .  DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]    ;  st=54.0
004040F4 .  DD85 78FFFFFF fld qword ptr ss:[ebp-88]
004040FA .  833D 00704000 0>cmp dword ptr ds:[407000],0
00404101 .  75 08          jnz short crackme.0040410B
00404103 .  DC35 18124000 fdiv qword ptr ds:[401218]    ;  Num2/16.0,ds:[00401218]=16.0
00404109 .  EB 11          jmp short crackme.0040411C
0040410B >  FF35 1C124000 push dword ptr ds:[40121C]
00404111 .  FF35 18124000 push dword ptr ds:[401218]
00404117 .  E8 C8D1FFFF    call <jmp.&MSVBVM60._adj_fdiv_m6>
0040411C >  DFE0          fstsw ax
0040411E .  A8 0D          test al,0D
00404120 .  0F85 EA010000 jnz crackme.00404310
00404126 .  FF15 58114000 call dword ptr ds:[<&MSVBVM60.__>;  商取整数，Int(Num2/16.0),ST0=3.0
0040412C .  8B45 E8       mov eax,dword ptr ss:[ebp-18] ;  EAX=0x35,Num1
0040412F .  66:6BC0 04    imul ax,ax,4                   ;  AX=Num1*4
00404133 .  0F80 DC010000 jo crackme.00404315
00404139 .  0FBFC0       movsx eax,ax
0040413C .  8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
00404142 .  DB85 74FFFFFF fild dword ptr ss:[ebp-8C]
00404148 .  DD9D 6CFFFFFF fstp qword ptr ss:[ebp-94]
0040414E .  DC85 6CFFFFFF fadd qword ptr ss:[ebp-94]    ;  Num1*4+Int(Num2/16.0)
00404154 .  DFE0          fstsw ax
00404156 .  A8 0D          test al,0D
00404158 .  0F85 B2010000 jnz crackme.00404310
0040415E .  FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaFpI4
00404164 .  25 FF000000    and eax,0FF                   ;  EAX=EAX and 0xFF
00404169 .  50             push eax                      ;  EAX=0xD7
0040416A .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcBstrFromAnsi
00404170 .  8BD0          mov edx,eax                   ;  取ASCII值对应的字符
00404172 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404175 .  FFD6          call esi
00404177 .  50             push eax
00404178 .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrCat
0040417E .  8BD0          mov edx,eax                   ;  字符串连接
00404180 .  8D4D D0       lea ecx,dword ptr ss:[ebp-30]
00404183 .  FFD6          call esi
00404185 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404188 .  FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
0040418E >  66:85DB       test bx,bx
00404191 .  0F8C B3000000 jl crackme.0040424A
00404197 .  0FBFD3       movsx edx,bx
0040419A .  8995 68FFFFFF mov dword ptr ss:[ebp-98],edx ;  EDX=0x37(55),Num3
004041A0 .  8B4D D0       mov ecx,dword ptr ss:[ebp-30]
004041A3 .  DB85 68FFFFFF fild dword ptr ss:[ebp-98]
004041A9 .  51             push ecx
004041AA .  DD9D 60FFFFFF fstp qword ptr ss:[ebp-A0]    ;  st=55.0
004041B0 .  DD85 60FFFFFF fld qword ptr ss:[ebp-A0]
004041B6 .  833D 00704000 0>cmp dword ptr ds:[407000],0
004041BD .  75 08          jnz short crackme.004041C7
004041BF .  DC35 10124000 fdiv qword ptr ds:[401210]    ;  Num3/4.0,ds:[00401210]=4.0
004041C5 .  EB 11          jmp short crackme.004041D8
004041C7 >  FF35 14124000 push dword ptr ds:[401214]
004041CD .  FF35 10124000 push dword ptr ds:[401210]
004041D3 .  E8 0CD1FFFF    call <jmp.&MSVBVM60._adj_fdiv_m6>
004041D8 >  DFE0          fstsw ax
004041DA .  A8 0D          test al,0D
004041DC .  0F85 2E010000 jnz crackme.00404310
004041E2 .  FF15 58114000 call dword ptr ds:[<&MSVBVM60.__>;  商取整数，Int(Num3/4.0),ST0=13.0
004041E8 .  8B45 E0       mov eax,dword ptr ss:[ebp-20] ;  EAX=0x36,Num2
004041EB .  66:6BC0 10    imul ax,ax,10                   ;  AX=Num2*0x10
004041EF .  0F80 20010000 jo crackme.00404315
004041F5 .  0FBFC0       movsx eax,ax
004041F8 .  8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
004041FE .  DB85 5CFFFFFF fild dword ptr ss:[ebp-A4]
00404204 .  DD9D 54FFFFFF fstp qword ptr ss:[ebp-AC]
0040420A .  DC85 54FFFFFF fadd qword ptr ss:[ebp-AC]    ;  Num2*0x10+Int(Num3/4.0)
00404210 .  DFE0          fstsw ax
00404212 .  A8 0D          test al,0D
00404214 .  0F85 F6000000 jnz crackme.00404310
0040421A .  FF15 3C114000 call dword ptr ds:[<&MSVBVM60.__>
00404220 .  25 FF000000    and eax,0FF                   ;  EAX=EAX and 0xFF
00404225 .  50             push eax                      ;  EAX=0x6D
00404226 .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcBstrFromAnsi
0040422C .  8BD0          mov edx,eax                   ;  取ASCII值对应的字符
0040422E .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404231 .  FFD6          call esi
00404233 .  50             push eax
00404234 .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrCat
0040423A .  8BD0          mov edx,eax                   ;  字符串连接
0040423C .  8D4D D0       lea ecx,dword ptr ss:[ebp-30]
0040423F .  FFD6          call esi
00404241 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
00404244 .  FF15 64114000 call dword ptr ds:[<&MSVBVM60.__>
0040424A >  8B45 D8       mov eax,dword ptr ss:[ebp-28] ;  EDX=0x38(56),Num4
0040424D .  66:85C0       test ax,ax
00404250 .  7C 42          jl short crackme.00404294
00404252 .  66:6BDB 40    imul bx,bx,40                   ;  BX=Num4*0x40
00404256 .  8B4D D0       mov ecx,dword ptr ss:[ebp-30]
00404259 .  0F80 B6000000 jo crackme.00404315
0040425F .  66:03D8       add bx,ax                      ;  BX=Num4*0x40+Num4
00404262 .  51             push ecx
00404263 .  0F80 AC000000 jo crackme.00404315
00404269 .  81E3 FF000000 and ebx,0FF                   ;  EBX=EBX and 0xFF
0040426F .  53             push ebx                      ;  EAX=0xF8
00404270 .  FF15 F0104000 call dword ptr ds:[<&MSVBVM60.#5>;  MSVBVM60.rtcBstrFromAnsi
00404276 .  8BD0          mov edx,eax                   ;  取ASCII值对应的字符
00404278 .  8D4D CC       lea ecx,dword ptr ss:[ebp-34]
0040427B .  FFD6          call esi
0040427D .  50             push eax
0040427E .  FF15 40104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaStrCat
00404284 .  8BD0          mov edx,eax                   ;  字符串连接

F7进入00403F4A处的关键CALL-2,来到:

00402B2B . /E9 D0180000    jmp crackme.00404400          ;  来到这里
00402B30 . |816C24 04 FFFF0>sub dword ptr ss:[esp+4],0FFFF

F8单步，来到：
00404400 > \56             push esi
00404401 .  8B7424 0C    mov esi,dword ptr ss:[esp+C]
00404405 .  8B06          mov eax,dword ptr ds:[esi]
00404407 .  50             push eax
00404408 .  FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaLenBstr
0040440E .  85C0          test eax,eax
00404410 .  75 10          jnz short crackme.00404422
00404412 .  8B4C24 10    mov ecx,dword ptr ss:[esp+10]
00404416 .  83C8 FF       or eax,FFFFFFFF
00404419 .  5E             pop esi
0040441A .  66:8901       mov word ptr ds:[ecx],ax
0040441D .  33C0          xor eax,eax
0040441F .  C2 0C00       retn 0C
00404422 >  8B16          mov edx,dword ptr ds:[esi]
00404424 .  6A 01          push 1
00404426 .  68 201C4000    push crackme.00401C20          ;  固定字符串"ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                            ;  abcdefghijklmnopqrstuvwxyz0123456789+/"
0040442B .  52             push edx                      ;  字符串"1234"第1位字符，"1"
0040442C .  6A 00          push 0
0040442E .  FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__>;  MSVBVM60.__vbaInStr
00404434 .  8BC8          mov ecx,eax                   ;  查找字符"1"在固定字符串中的位置
00404436 .  83E9 01       sub ecx,1                      ;  ECX＝ECX-1
00404439 .  70 13          jo short crackme.0040444E
0040443B .  FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__>
00404441 .  8B4C24 10    mov ecx,dword ptr ss:[esp+10]
00404445 .  5E             pop esi
00404446 .  66:8901       mov word ptr ds:[ecx],ax       ;  AX=0x35
00404449 .  33C0          xor eax,eax
0040444B .  C2 0C00       retn 0C

-----------------------------------------------------------------------------------------------
【破解总结】
1.用户名长度必须为3的倍数，注册长度必须为4的倍数。
2.注册码前4位字符的ASCII值之和必须等于0x123。
3.从注册码第5位字符开始，每4位字符为一组，分别记为S[i]，S[i+1]，S[i+2]，S[i+3]。
4.从用户名第1位字符开始，每3位字符为一组，分别记为N[i]，N[i+1]，N[i+2]。
5.计算(S[i]*4+Int(S[i+1]/16)) And 0xFF，(S[i+1]*16+Int(S[i+2]/4)) And 0xFF，(S[i+2]*0x40+S[i+3]) And 0xFF。
6.第5步计算结果若分别与N[i]，N[i+1]，N[i+2]相等则注册成功。

一组可用注册信息：
====================================================
注册名:hrbhui
注册码:HRBGaHJiaHVp
====================================================

暴破更改以下位置：(输入3位以上注册码,用户名不为空)

004052E5          je short crackme.004052F1       ;  je=====>Jmp
00405355          je short crackme.00405361       ;  je=====>Jmp
00405711          je crackme.00405945             ;  je=====>Nop
00405943          jnz short crackme.0040594F    ;  jnz====>Jmp
0040595C          jnz short crackme.004059CF    ;  jnz====>Nop
004059C7          setne al                      ;  setne==>sete

-----------------------------------------------------------------------------------------------
【VB注册机源码】

Private Sub Generate_Click()

Dim UserName As String
Dim Serial As String
Dim TmpStr As String
Dim TmpStr1  As Integer
Dim TmpStr2  As Integer
Dim TmpStr3  As Integer
Dim i       As Integer
Dim Length As Integer
Dim TmpNum1  As Integer
Dim TmpNum2  As Integer
Dim TmpNum3  As Integer
Dim Num1    As Integer
Dim Num2    As Integer
Dim Num3    As Integer
Dim Num4    As Integer

On Error Resume Next

TmpStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

If Text1.Text = "" Then
      Text2.Text = "请输入用户名！"
Else
      UserName = Trim(Text1.Text)
      Length = Len(UserName)

      For i = 1 To Length - 2 Step 3
         TmpStr1 = Asc(Mid$(UserName, i, 1))
         TmpStr2 = Asc(Mid$(UserName, i + 1, 1))
         TmpStr3 = Asc(Mid$(UserName, i + 2, 1))

         For Num2 = 0 To 63
            For Num1 = 0 To 63
                  For Num3 = 0 To 63
                     TmpNum1 = (Num1 * 4 + Int(Num2 / 16)) And &HFF
                     TmpNum2 = (Num2 * 16 + Int(Num3 / 4)) And &HFF

                     For Num4 = 0 To 63
                        TmpNum3 = (Num3 * 64 + Num4) And &HFF

                        If (TmpNum1 = TmpStr1) And (TmpNum2 = TmpStr2) And (TmpNum3 = TmpStr3) Then
                              Serial = Serial & Mid(TmpStr, Num1 + 1, 1) & Mid(TmpStr, Num2 + 1, 1) &_
                                       Mid(TmpStr, Num3 + 1, 1) & Mid(TmpStr, Num4 + 1, 1)
                        End If

                     Next Num4
                  Next Num3
            Next Num1
         Next Num2

      Next i

      Text2.Text = "HRBG" & Serial

End If

End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

阿里云助力开发者！2核2G 3M带宽不限流量！6.18限时价，开发者可享99元/年，续费同价！

上传的附件：

crackme.rar （9.12kb，35次下载）

收藏・1

点赞・7

打赏

最新回复 (1)
manandgod 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 6 粉丝 0 关注私信	manandgod 2007-11-18 15:05 2 楼 0 学习学习看得我眼花厉害
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

hrbx

发帖

195

回帖

330

RANK

关注

私信

他的文章

[原创]Riijj VB CrackMe 01不完全算法分析

第二个CrackMe by deletex简单算法分析+VB注册机源码

[原创]Kain的第一个CrackMe简单算法分析+VB注册机源码

[原创]易课堂之CrackMe简单算法分析+VB注册机源码

[已解决]脱ASPack加壳的DLL,脱壳后修改异常。

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
manandgod 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 6 粉丝 0 关注私信	manandgod 2007-11-18 15:05 2 楼 0 学习学习看得我眼花厉害
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复