【Title】Riijj VB CrackMe 01: Partial Algorithm Analysis
【Author】hrbx
【Tools】OllyDbg 1.10, PEiD
【Date】2007-11-28
【Download】http://bbs.pediy.com/showthread.php?t=53588
【Software】Riijj VB CrackMe 01
-----------------------------------------------------------------------------------------
【Note】I'm just a newbie; I picked up a few insights and would like to share them with everyone :)
-----------------------------------------------------------------------------------------
【Process】
0. Preface. The CrackMe's algorithm, roughly: derive 8 values from the registration name, then compare each of them with the value of a scroll bar; if they match, registration succeeds.
However, the computed values are not compared with scroll bars 1 through 8 in sequence, but in some order such as 4-3-8-7-1-2-5-6,
8-7-1-2-3-4-6-5, 3-4-7-8-1-2-5-6 and so on. Since I did not find how the order is determined, this is only a partial analysis. If anyone knows, please point it out, thanks!
In the Timer control's code, if it detects that the "Register" button has not been clicked, an exception is raised, so the "Register" button must be clicked first,
and only then can the program be broken into the Timer control code. "Register" button event address: 00402DF0; Timer control event address: 00403A10.
1. Check for a packer. Scanning the program with PEiD shows: Microsoft Visual Basic 5.0 / 6.0, not packed.
2. Trial run. Run the program, enter registration info and click the "Register" button: no prompt of any kind.
3. Tracing the algorithm. Load the CrackMe in OD, F9 to run, and enter the registration info:
====================================================
RegName:hrbx
RegCode:12345678 (one digit per scroll bar, giving each bar's value)
====================================================
Ctrl+G, enter 00402DF0, confirm, F2 to set a breakpoint, then click the "Register" button; it breaks immediately:
00402DF0 55 push ebp ; breaks here
00402DF1 8BEC mov ebp,esp
00402DF3 83EC 0C sub esp,0C
Ctrl+G, enter 00403A10, confirm, F2 to set a breakpoint, F9 to run; it breaks immediately:
00403A10 55 push ebp ; breaks here
00403A11 8BEC mov ebp,esp
00403A13 83EC 14 sub esp,14
00403A16 68 A6114000 push <riijjvbc.__vbaExceptHandler>
00403A1B 64:A1 00000000 mov eax,dword ptr fs:[0]
00403A21 50 push eax
00403A22 64:8925 0000000>mov dword ptr fs:[0],esp
00403A29 81EC D8000000 sub esp,0D8
00403A2F 53 push ebx
00403A30 56 push esi
00403A31 57 push edi
00403A32 8965 EC mov dword ptr ss:[ebp-14],esp
00403A35 C745 F0 3811400>mov dword ptr ss:[ebp-10],riijjvbc.0040113>
00403A3C 8B75 08 mov esi,dword ptr ss:[ebp+8]
00403A3F 8BC6 mov eax,esi
00403A41 83E0 01 and eax,1
00403A44 8945 F4 mov dword ptr ss:[ebp-C],eax
00403A47 83E6 FE and esi,FFFFFFFE
00403A4A 8975 08 mov dword ptr ss:[ebp+8],esi
00403A4D 33FF xor edi,edi
00403A4F 897D F8 mov dword ptr ss:[ebp-8],edi
00403A52 8B0E mov ecx,dword ptr ds:[esi]
00403A54 56 push esi
00403A55 FF51 04 call dword ptr ds:[ecx+4]
00403A58 897D D4 mov dword ptr ss:[ebp-2C],edi
00403A5B 897D C4 mov dword ptr ss:[ebp-3C],edi
00403A5E 897D B4 mov dword ptr ss:[ebp-4C],edi
00403A61 897D B0 mov dword ptr ss:[ebp-50],edi
00403A64 897D AC mov dword ptr ss:[ebp-54],edi
00403A67 897D A8 mov dword ptr ss:[ebp-58],edi
00403A6A 897D 98 mov dword ptr ss:[ebp-68],edi
00403A6D 897D 88 mov dword ptr ss:[ebp-78],edi
00403A70 89BD 78FFFFFF mov dword ptr ss:[ebp-88],edi
00403A76 89BD 64FFFFFF mov dword ptr ss:[ebp-9C],edi
00403A7C 6A 01 push 1
00403A7E FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaOnError>
00403A84 897D D8 mov dword ptr ss:[ebp-28],edi
00403A87 8B16 mov edx,dword ptr ds:[esi]
00403A89 56 push esi
00403A8A FF92 04030000 call dword ptr ds:[edx+304]
00403A90 50 push eax
00403A91 8D45 AC lea eax,dword ptr ss:[ebp-54]
00403A94 50 push eax
00403A95 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>>
00403A9B 8BF0 mov esi,eax
00403A9D 8B0E mov ecx,dword ptr ds:[esi]
00403A9F 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00403AA2 52 push edx
00403AA3 56 push esi
00403AA4 FF91 A0000000 call dword ptr ds:[ecx+A0]
00403AAA DBE2 fclex
00403AAC 3BC7 cmp eax,edi
00403AAE 7D 12 jge short riijjvbc.00403AC2
00403AB0 68 A0000000 push 0A0
00403AB5 68 68284000 push riijjvbc.00402868
00403ABA 56 push esi
00403ABB 50 push eax
00403ABC FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>
00403AC2 8B55 B0 mov edx,dword ptr ss:[ebp-50] ; user name "hrbx"
00403AC5 897D B0 mov dword ptr ss:[ebp-50],edi
00403AC8 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00403ACB FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>
00403AD1 8D4D AC lea ecx,dword ptr ss:[ebp-54]
00403AD4 FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>
00403ADA 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00403ADD 50 push eax
00403ADE FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>; get the user name length
00403AE4 8945 80 mov dword ptr ss:[ebp-80],eax ; EAX=0x4
00403AE7 C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],3
00403AF1 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-88]
00403AF7 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00403AFA 8B1D 0C104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaVarM>
00403B00 FFD3 call ebx
00403B02 BF DB020000 mov edi,2DB ; EDI=0x2DB (731), a constant, denoted N
00403B07 897D E0 mov dword ptr ss:[ebp-20],edi
00403B0A 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00403B0D 51 push ecx
00403B0E FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00403B14 8985 48FFFFFF mov dword ptr ss:[ebp-B8],eax
00403B1A BE 01000000 mov esi,1
00403B1F 8975 DC mov dword ptr ss:[ebp-24],esi
00403B22 3BB5 48FFFFFF cmp esi,dword ptr ss:[ebp-B8]
00403B28 0F8F 07010000 jg riijjvbc.00403C35
00403B2E C745 A0 0100000>mov dword ptr ss:[ebp-60],1
00403B35 C745 98 0200000>mov dword ptr ss:[ebp-68],2
00403B3C 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00403B3F 8955 80 mov dword ptr ss:[ebp-80],edx
00403B42 C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],4008
00403B4C 8D45 98 lea eax,dword ptr ss:[ebp-68]
00403B4F 50 push eax
00403B50 56 push esi
00403B51 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00403B57 51 push ecx
00403B58 8D55 88 lea edx,dword ptr ss:[ebp-78]
00403B5B 52 push edx
00403B5C FF15 60104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar
00403B62 8D55 88 lea edx,dword ptr ss:[ebp-78] ; take each character of the user name in turn; its ASCII value is denoted N[i]
00403B65 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00403B68 FFD3 call ebx
00403B6A 8D4D 98 lea ecx,dword ptr ss:[ebp-68]
00403B6D FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>
00403B73 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
00403B76 50 push eax
00403B77 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00403B7A 51 push ecx
00403B7B FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarV>; MSVBVM60.__vbaStrVarVal
00403B81 50 push eax
00403B82 FF15 2C104000 call dword ptr ds:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00403B88 8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax ; EAX=0x68
00403B8E 8BD6 mov edx,esi ; EDX=ESI, the position of the extracted character in the user name, denoted i
00403B90 83C2 79 add edx,79 ; EDX=EDX+0x79, i.e. i+0x79
00403B93 0F80 8B020000 jo riijjvbc.00403E24
00403B99 0FBFC0 movsx eax,ax
00403B9C 0FAFD0 imul edx,eax ; EDX=EDX*EAX, i.e. N[i]*(i+0x79)
00403B9F 0F80 7F020000 jo riijjvbc.00403E24
00403BA5 8995 28FFFFFF mov dword ptr ss:[ebp-D8],edx ; save EDX
00403BAB DB85 28FFFFFF fild dword ptr ss:[ebp-D8]
00403BB1 DD9D 20FFFFFF fstp qword ptr ss:[ebp-E0] ; load EDX's value as a double
00403BB7 DB45 DC fild dword ptr ss:[ebp-24]
00403BBA DD9D 18FFFFFF fstp qword ptr ss:[ebp-E8] ; position i of the character in the user name
00403BC0 DD85 20FFFFFF fld qword ptr ss:[ebp-E0]
00403BC6 833D 00504000 0>cmp dword ptr ds:[405000],0
00403BCD 75 08 jnz short riijjvbc.00403BD7
00403BCF DCB5 18FFFFFF fdiv qword ptr ss:[ebp-E8] ; divide the product by i: N[i]*(i+0x79)/i
00403BD5 EB 11 jmp short riijjvbc.00403BE8
00403BD7 FFB5 1CFFFFFF push dword ptr ss:[ebp-E4]
00403BDD FFB5 18FFFFFF push dword ptr ss:[ebp-E8]
00403BE3 E8 DCD5FFFF call <riijjvbc._adj_fdiv_m64>
00403BE8 DB45 E0 fild dword ptr ss:[ebp-20] ; ss:[0012FB58]=0x2DB (731), constant N
00403BEB DD9D 10FFFFFF fstp qword ptr ss:[ebp-F0]
00403BF1 DC85 10FFFFFF fadd qword ptr ss:[ebp-F0] ; add the constant to the quotient: N[i]*(i+0x79)/i+N
00403BF7 DFE0 fstsw ax
00403BF9 A8 0D test al,0D
00403BFB 0F85 1E020000 jnz riijjvbc.00403E1F
00403C01 FF15 DC104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI4>] ; convert the result to an integer
00403C07 8BF8 mov edi,eax
00403C09 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00403C0C FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>
00403C12 8BC7 mov eax,edi ; EAX=EDI=0x346B
00403C14 99 cdq
00403C15 B9 80380100 mov ecx,13880 ; ECX=0x13880
00403C1A F7F9 idiv ecx ; EAX/ECX, quotient in EAX, remainder in EDX
00403C1C 8BFA mov edi,edx ; EDI=EDX=remainder, (N[i]*(i+0x79)/i+N) Mod 0x13880
00403C1E 897D E0 mov dword ptr ss:[ebp-20],edi ; save the remainder, replacing constant N
00403C21 B8 01000000 mov eax,1
00403C26 03C6 add eax,esi
00403C28 0F80 F6010000 jo riijjvbc.00403E24
00403C2E 8BF0 mov esi,eax
00403C30 ^ E9 EAFEFFFF jmp riijjvbc.00403B1F
00403C35 B9 01000000 mov ecx,1
00403C3A 8B45 08 mov eax,dword ptr ss:[ebp+8]
00403C3D 3948 6C cmp dword ptr ds:[eax+6C],ecx
00403C40 7E 0E jle short riijjvbc.00403C50
00403C42 C740 6C 0000000>mov dword ptr ds:[eax+6C],0
00403C49 C745 D8 1600000>mov dword ptr ss:[ebp-28],16 ; ss:[ebp-28]=0x16
00403C50 B8 1D000000 mov eax,1D ; EAX=0x1D
00403C55 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; EDX=0x16
00403C58 2BC2 sub eax,edx ; EAX=EAX-EDX
00403C5A 0F80 C4010000 jo riijjvbc.00403E24
00403C60 8985 40FFFFFF mov dword ptr ss:[ebp-C0],eax
00403C66 898D 44FFFFFF mov dword ptr ss:[ebp-BC],ecx
00403C6C BB 16000000 mov ebx,16 ; EBX=0x16
00403C71 8BCA mov ecx,edx ; EDX=0x16
00403C73 2BD9 sub ebx,ecx ; EBX=EBX-ECX
00403C75 0F80 A9010000 jo riijjvbc.00403E24
00403C7B 895D DC mov dword ptr ss:[ebp-24],ebx
00403C7E 3BD8 cmp ebx,eax
00403C80 0F8F D9000000 jg riijjvbc.00403D5F
00403C86 8BC7 mov eax,edi ; EAX=EDI, the remainder, (N[i]*(i+0x79)/i+N) Mod 0x13880
00403C88 69C0 591B0000 imul eax,eax,1B59 ; EAX=EAX*0x1B59
00403C8E 0F80 90010000 jo riijjvbc.00403E24
00403C94 99 cdq
00403C95 B9 FF000000 mov ecx,0FF ; ECX=0xFF
00403C9A F7F9 idiv ecx ; EAX/ECX, quotient in EAX, remainder in EDX
00403C9C 8BFA mov edi,edx ; EDX=0x56
00403C9E 8B45 08 mov eax,dword ptr ss:[ebp+8]
00403CA1 8B10 mov edx,dword ptr ds:[eax]
00403CA3 50 push eax
00403CA4 FF92 08030000 call dword ptr ds:[edx+308]
00403CAA 50 push eax
00403CAB 8D45 AC lea eax,dword ptr ss:[ebp-54]
00403CAE 50 push eax
00403CAF FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>>
00403CB5 8BF0 mov esi,eax
00403CB7 8B16 mov edx,dword ptr ds:[esi]
00403CB9 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403CBC 51 push ecx
00403CBD 8BCB mov ecx,ebx
00403CBF 8995 0CFFFFFF mov dword ptr ss:[ebp-F4],edx
00403CC5 FF15 74104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>]
00403CCB 50 push eax
00403CCC 56 push esi
00403CCD 8B95 0CFFFFFF mov edx,dword ptr ss:[ebp-F4]
00403CD3 FF52 40 call dword ptr ds:[edx+40] ; "VB.VScrollBar"
00403CD6 DBE2 fclex ; check whether the VScrollBar value overflowed
00403CD8 85C0 test eax,eax
00403CDA 7D 0F jge short riijjvbc.00403CEB ; jumps if OK, otherwise falls into __vbaHresultCheckObj
00403CDC 6A 40 push 40
00403CDE 68 38284000 push riijjvbc.00402838
00403CE3 56 push esi
00403CE4 50 push eax
00403CE5 FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>; MSVBVM60.__vbaHresultCheckObj
00403CEB 8B45 A8 mov eax,dword ptr ss:[ebp-58]
00403CEE 8BF0 mov esi,eax
00403CF0 8B08 mov ecx,dword ptr ds:[eax]
00403CF2 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00403CF8 52 push edx
00403CF9 50 push eax
00403CFA FF91 B8000000 call dword ptr ds:[ecx+B8] ; check whether the "Register" button was clicked
00403D00 DBE2 fclex
00403D02 85C0 test eax,eax
00403D04 7D 12 jge short riijjvbc.00403D18 ; ///the one crucial spot///
00403D06 68 B8000000 push 0B8 ; jumps if it was clicked, otherwise falls into __vbaHresultCheckObj
00403D0B 68 48284000 push riijjvbc.00402848
00403D10 56 push esi
00403D11 50 push eax
00403D12 FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>; MSVBVM60.__vbaHresultCheckObj
00403D18 0FBF85 64FFFFFF movsx eax,word ptr ss:[ebp-9C] ; ss:[0012FADC]=0x4, the VScrollBar value
00403D1F 33C9 xor ecx,ecx
00403D21 3BC7 cmp eax,edi ; compare the VScrollBar value with the computed result
00403D23 0F95C1 setne cl ; patch point: change to sete cl
00403D26 F7D9 neg ecx
00403D28 8BF1 mov esi,ecx
00403D2A 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00403D2D 52 push edx
00403D2E 8D45 AC lea eax,dword ptr ss:[ebp-54]
00403D31 50 push eax
00403D32 6A 02 push 2
00403D34 FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>
00403D3A 83C4 0C add esp,0C
00403D3D 66:85F6 test si,si
00403D40 75 69 jnz short riijjvbc.00403DAB ; not equal, game over
00403D42 8B9D 44FFFFFF mov ebx,dword ptr ss:[ebp-BC]
00403D48 035D DC add ebx,dword ptr ss:[ebp-24]
00403D4B 0F80 D3000000 jo riijjvbc.00403E24
00403D51 895D DC mov dword ptr ss:[ebp-24],ebx
00403D54 8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
00403D5A ^ E9 1FFFFFFF jmp riijjvbc.00403C7E ; jump back to 00403C7E to continue the loop
00403D5F 8B45 08 mov eax,dword ptr ss:[ebp+8]
00403D62 8B08 mov ecx,dword ptr ds:[eax]
00403D64 50 push eax
00403D65 FF91 0C070000 call dword ptr ds:[ecx+70C] ; call the MsgBox form
00403D6B A1 24504000 mov eax,dword ptr ds:[405024]
00403D70 85C0 test eax,eax
00403D72 75 10 jnz short riijjvbc.00403D84
00403D74 68 24504000 push riijjvbc.00405024
00403D79 68 EC1D4000 push riijjvbc.00401DEC
00403D7E FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00403D84 8B35 24504000 mov esi,dword ptr ds:[405024]
00403D8A 8B16 mov edx,dword ptr ds:[esi]
00403D8C 56 push esi
00403D8D FF92 F8060000 call dword ptr ds:[edx+6F8] ; show the registration-success message
00403D93 DBE2 fclex
00403D95 85C0 test eax,eax
00403D97 7D 12 jge short riijjvbc.00403DAB
4. The success message. After successful registration the program shows "Registration successful !", but this message cannot be found among the string references,
so let's see where it comes from. Enter correct registration info (or change the code at 00403D23 to sete cl), F8 to 00403D65, F7 to step into it, and arrive at:
00402555 /E9 D6180000 jmp riijjvbc.00403E30 ; MsgBox
0040255A |816C24 04 8B000>sub dword ptr ss:[esp+4],8B
00402562 |E9 291C0000 jmp riijjvbc.00404190
00402567 |816C24 04 8B000>sub dword ptr ss:[esp+4],8B
Single-step with F8 to reach:
00403E30 55 push ebp ; F8 single-step lands here
00403E31 8BEC mov ebp,esp
00403E33 83EC 08 sub esp,8
00403E36 68 A6114000 push <riijjvbc.__vbaExceptHandler>
00403E3B 64:A1 00000000 mov eax,dword ptr fs:[0]
00403E41 50 push eax
00403E42 64:8925 0000000>mov dword ptr fs:[0],esp
00403E49 81EC D0000000 sub esp,0D0
00403E4F 53 push ebx
00403E50 56 push esi
00403E51 57 push edi
00403E52 8965 F8 mov dword ptr ss:[ebp-8],esp
00403E55 C745 FC 6011400>mov dword ptr ss:[ebp-4],riijjvbc.00401160
00403E5C A1 24504000 mov eax,dword ptr ds:[405024]
00403E61 33FF xor edi,edi
00403E63 3BC7 cmp eax,edi
00403E65 897D E0 mov dword ptr ss:[ebp-20],edi
00403E68 897D D0 mov dword ptr ss:[ebp-30],edi
00403E6B 897D CC mov dword ptr ss:[ebp-34],edi
00403E6E 897D BC mov dword ptr ss:[ebp-44],edi
00403E71 897D B4 mov dword ptr ss:[ebp-4C],edi
00403E74 897D B0 mov dword ptr ss:[ebp-50],edi
00403E77 897D A8 mov dword ptr ss:[ebp-58],edi
00403E7A 897D A4 mov dword ptr ss:[ebp-5C],edi
00403E7D 897D 94 mov dword ptr ss:[ebp-6C],edi
00403E80 897D 84 mov dword ptr ss:[ebp-7C],edi
00403E83 89BD 74FFFFFF mov dword ptr ss:[ebp-8C],edi
00403E89 89BD 64FFFFFF mov dword ptr ss:[ebp-9C],edi
00403E8F 89BD 54FFFFFF mov dword ptr ss:[ebp-AC],edi
00403E95 89BD 3CFFFFFF mov dword ptr ss:[ebp-C4],edi
00403E9B 89BD 2CFFFFFF mov dword ptr ss:[ebp-D4],edi
00403EA1 75 15 jnz short riijjvbc.00403EB8
00403EA3 68 24504000 push riijjvbc.00405024
00403EA8 68 EC1D4000 push riijjvbc.00401DEC
00403EAD FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>]
00403EB3 A1 24504000 mov eax,dword ptr ds:[405024]
00403EB8 8B08 mov ecx,dword ptr ds:[eax]
00403EBA 50 push eax
00403EBB FF91 FC020000 call dword ptr ds:[ecx+2FC]
00403EC1 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
00403EC4 50 push eax
00403EC5 52 push edx
00403EC6 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>>
00403ECC 8BF0 mov esi,eax
00403ECE 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403ED1 51 push ecx
00403ED2 56 push esi
00403ED3 8B06 mov eax,dword ptr ds:[esi]
00403ED5 FF90 30010000 call dword ptr ds:[eax+130]
00403EDB 3BC7 cmp eax,edi
00403EDD DBE2 fclex
00403EDF 7D 12 jge short riijjvbc.00403EF3
00403EE1 68 30010000 push 130
00403EE6 68 58284000 push riijjvbc.00402858
00403EEB 56 push esi
00403EEC 50 push eax
00403EED FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>
00403EF3 8B45 A8 mov eax,dword ptr ss:[ebp-58] ; fixed string "082101103105115116114097116105111110032115117099099101115115102117108032033"
00403EF6 8B35 0C104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVarM>
00403EFC 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00403EFF 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00403F02 897D A8 mov dword ptr ss:[ebp-58],edi
00403F05 8945 9C mov dword ptr ss:[ebp-64],eax
00403F08 C745 94 0800000>mov dword ptr ss:[ebp-6C],8
00403F0F FFD6 call esi
00403F11 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00403F14 FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>
00403F1A 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00403F1D 8D45 94 lea eax,dword ptr ss:[ebp-6C]
00403F20 52 push edx
00403F21 50 push eax
00403F22 FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVar>>; get the fixed string's length
00403F28 50 push eax
00403F29 FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00403F2F B9 01000000 mov ecx,1
00403F34 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
00403F3A 898D 7CFFFFFF mov dword ptr ss:[ebp-84],ecx
00403F40 898D 5CFFFFFF mov dword ptr ss:[ebp-A4],ecx
00403F46 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-8C]
00403F4C 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-9C]
00403F52 51 push ecx
00403F53 8D85 54FFFFFF lea eax,dword ptr ss:[ebp-AC]
00403F59 52 push edx
00403F5A 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
00403F60 50 push eax
00403F61 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-C4]
00403F67 51 push ecx
00403F68 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00403F6B BB 02000000 mov ebx,2
00403F70 52 push edx
00403F71 50 push eax
00403F72 899D 74FFFFFF mov dword ptr ss:[ebp-8C],ebx
00403F78 C785 64FFFFFF 0>mov dword ptr ss:[ebp-9C],3
00403F82 899D 54FFFFFF mov dword ptr ss:[ebp-AC],ebx
00403F88 FF15 40104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForI>
00403F8E 3BC7 cmp eax,edi
00403F90 0F84 01010000 je riijjvbc.00404097
00403F96 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403F99 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00403F9C 51 push ecx
00403F9D 52 push edx
00403F9E C745 9C 0300000>mov dword ptr ss:[ebp-64],3
00403FA5 895D 94 mov dword ptr ss:[ebp-6C],ebx
00403FA8 FF15 D0104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>]
00403FAE 50 push eax
00403FAF 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00403FB2 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00403FB5 50 push eax
00403FB6 51 push ecx
00403FB7 FF15 60104000 call dword ptr ds:[<&MSVBVM60.#632>] ; rtcMidCharVar, take 3 characters of the fixed string at a time
00403FBD 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00403FC0 8D45 A8 lea eax,dword ptr ss:[ebp-58]
00403FC3 52 push edx
00403FC4 50 push eax
00403FC5 FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarV>; MSVBVM60.__vbaStrVarVal
00403FCB 50 push eax ; the extracted string "082"
00403FCC FF15 00114000 call dword ptr ds:[<&MSVBVM60.#581>] ; rtcR8ValFromBstr, convert the characters to a number
00403FD2 FF15 D8104000 call dword ptr ds:[<&MSVBVM60.__vbaFpI2>] ; MSVBVM60.__vbaFpI2
00403FD8 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00403FDB 8BF8 mov edi,eax
00403FDD FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>
00403FE3 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00403FE6 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00403FE9 51 push ecx
00403FEA 52 push edx
00403FEB 53 push ebx
00403FEC FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>
00403FF2 0FBFC7 movsx eax,di
00403FF5 83C4 0C add esp,0C
00403FF8 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00403FFB 50 push eax
00403FFC 51 push ecx
00403FFD FF15 98104000 call dword ptr ds:[<&MSVBVM60.#608>] ; rtcVarBstrFromAnsi, convert to a character
00404003 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00404006 52 push edx
00404007 FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarM>
0040400D 8BD0 mov edx,eax ; d EAX 082--->0x52--->R
0040400F 8D4D B0 lea ecx,dword ptr ss:[ebp-50]
00404012 FF15 E4104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>
00404018 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0040401B FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>
00404021 8B45 B0 mov eax,dword ptr ss:[ebp-50]
00404024 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00404027 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040402D 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
00404033 51 push ecx
00404034 8D45 94 lea eax,dword ptr ss:[ebp-6C]
00404037 52 push edx
00404038 50 push eax
00404039 C785 74FFFFFF 0>mov dword ptr ss:[ebp-8C],8
00404043 FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCat>>; concatenating the character obtained on each pass gives the success message
00404049 8BD0 mov edx,eax
0040404B 8D4D BC lea ecx,dword ptr ss:[ebp-44]
0040404E FFD6 call esi
00404050 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00404053 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]
00404059 51 push ecx
0040405A 8D45 94 lea eax,dword ptr ss:[ebp-6C]
0040405D 52 push edx
0040405E 50 push eax
0040405F 899D 7CFFFFFF mov dword ptr ss:[ebp-84],ebx
00404065 899D 74FFFFFF mov dword ptr ss:[ebp-8C],ebx
0040406B FF15 D4104000 call dword ptr ds:[<&MSVBVM60.__vbaVarAdd>>; MSVBVM60.__vbaVarAdd
00404071 8BD0 mov edx,eax
00404073 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00404076 FFD6 call esi
00404078 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
0040407E 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-C4]
00404084 51 push ecx
00404085 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00404088 52 push edx
00404089 50 push eax
0040408A FF15 F0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarForN>; continue with the next iteration
00404090 33FF xor edi,edi
00404092 ^ E9 F7FEFFFF jmp riijjvbc.00403F8E
00404097 A1 24504000 mov eax,dword ptr ds:[405024]
0040409C 3BC7 cmp eax,edi
0040409E 75 15 jnz short riijjvbc.004040B5
004040A0 68 24504000 push riijjvbc.00405024
004040A5 68 EC1D4000 push riijjvbc.00401DEC
004040AA FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
004040B0 A1 24504000 mov eax,dword ptr ds:[405024]
004040B5 8B08 mov ecx,dword ptr ds:[eax]
004040B7 50 push eax
004040B8 FF91 FC020000 call dword ptr ds:[ecx+2FC]
004040BE 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
004040C1 50 push eax
004040C2 52 push edx
004040C3 FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>>
004040C9 8BF0 mov esi,eax
004040CB 8D45 BC lea eax,dword ptr ss:[ebp-44]
004040CE 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004040D1 50 push eax
004040D2 8B1E mov ebx,dword ptr ds:[esi]
004040D4 51 push ecx
004040D5 FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarV>; MSVBVM60.__vbaStrVarVal
004040DB 50 push eax
004040DC 56 push esi
004040DD FF53 54 call dword ptr ds:[ebx+54]
004040E0 3BC7 cmp eax,edi
004040E2 DBE2 fclex
004040E4 7D 0F jge short riijjvbc.004040F5
004040E6 6A 54 push 54
004040E8 68 58284000 push riijjvbc.00402858
004040ED 56 push esi
004040EE 50 push eax
004040EF FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaHresult>
004040F5 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004040F8 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>
004040FE 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
00404101 FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>
00404107 9B wait
00404108 68 79414000 push riijjvbc.00404179
0040410D EB 26 jmp short riijjvbc.00404135
0040410F 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00404112 FF15 FC104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>
00404118 8D4D A4 lea ecx,dword ptr ss:[ebp-5C]
0040411B FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>
00404121 8D55 84 lea edx,dword ptr ss:[ebp-7C]
00404124 8D45 94 lea eax,dword ptr ss:[ebp-6C]
00404127 52 push edx
00404128 50 push eax
00404129 6A 02 push 2
0040412B FF15 1C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVar>
00404131 83C4 0C add esp,0C
00404134 C3 retn
-----------------------------------------------------------------------------------------
【Summary】
1. Take the ASCII value of each character of the user name in turn, denoted N[i]; the character's position in the user name is denoted i.
2. The program has a built-in constant, denoted N=0x2DB. Compute (N[i]*(i+0x79)/i+N) Mod 0x13880 and replace N with the result.
Loop until all characters of the user name have been consumed; the final result is denoted Num.
3. Compute (Num*0x1B59) Mod 0x56, replacing Num with the result, and loop 8 times.
Compare each iteration's result with the scroll bar values; if they match, registration succeeds.
A set of usable registration info:
====================================================
RegName:hrbx
RegCode:251-46-31-86-236-91-211-26
====================================================
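As an added example (not the author's code), the derivation from section 3 and the summary, together with the success-message decoding from section 4, in Python. Constants and the sample name come from the listing; the second-stage divisor is 0xFF as at 00403C95 (0x56 at 00403C9C is the first remainder it yields for "hrbx"). Two assumptions: __vbaFpI4 rounds half to even (VB's CLng semantics), and the comparison order 4-3-8-7-1-2-5-6 observed in this run is used to lay the values onto the scroll bars.

```python
# Added example, not the author's code: the key derivation recovered from the
# Timer handler at 00403A10, plus the success-message decoding seen at 00403E30.
# Constants and the sample user name are taken from the listing. Assumption:
# __vbaFpI4 rounds half to even (VB CLng semantics); Python's round() does too.

SEED = 0x2DB          # initial N, mov edi,2DB at 00403B02
STAGE1_MOD = 0x13880  # idiv divisor at 00403C15
MULT = 0x1B59         # imul constant at 00403C88
STAGE2_MOD = 0xFF     # idiv divisor at 00403C95 (first remainder for "hrbx" is 0x56)
ROUNDS = 8            # one value per scroll bar


def stage1(regname: str) -> int:
    """Fold the user name into Num.

    For the 1-based position i with ASCII value N[i]:
        N = round(N[i] * (i + 0x79) / i + N) mod 0x13880
    The division is floating point (fdiv at 00403BCF) and the sum goes through
    __vbaFpI4, so the result is rounded, not truncated.
    """
    n = SEED
    for i, ch in enumerate(regname.encode("latin-1"), start=1):
        n = round(ch * (i + 0x79) / i + n) % STAGE1_MOD
    return n


def stage2(num: int) -> list[int]:
    """Derive the eight scroll-bar values: Num = (Num * 0x1B59) mod 0xFF, eight times."""
    values = []
    for _ in range(ROUNDS):
        num = (num * MULT) % STAGE2_MOD
        values.append(num)
    return values


def keygen(regname: str) -> list[int]:
    """Values in the order the Timer loop produces them, not scroll-bar order."""
    return stage2(stage1(regname))


def place(values: list[int], order: list[int]) -> list[int]:
    """Lay loop-order values onto scroll bars 1..8 using a comparison order
    observed in the debugger; the writeup saw 4-3-8-7-1-2-5-6 for this run."""
    bars = [0] * len(order)
    for value, bar in zip(values, order):
        bars[bar - 1] = value
    return bars


# Fixed string read at 00403EF3: groups of three decimal digits, each an ASCII code.
MESSAGE_DIGITS = ("082101103105115116114097116105111110032"
                  "115117099099101115115102117108032033")


def decode_message(digits: str) -> str:
    """Mid(s, k, 3) -> Val -> Chr, concatenated, as the loop at 00403F96 does."""
    return "".join(chr(int(digits[k:k + 3])) for k in range(0, len(digits), 3))


if __name__ == "__main__":
    vals = keygen("hrbx")
    print("loop order :", vals)                                   # starts with 86 (0x56)
    print("scroll bars:", place(vals, [4, 3, 8, 7, 1, 2, 5, 6]))  # 251-46-31-86-236-91-211-26
    print(decode_message(MESSAGE_DIGITS))                         # Registration successful !
```

Which scroll bar receives which value depends on the order in which the Timer loop visits the bars, which the writeup leaves open; `place` only applies one observed order.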
To patch, change the following location:
00403D23 setne cl ; setne==>sete
-----------------------------------------------------------------------------------------
【Copyright】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact, thanks!