Heh, I've always been a bit afraid of VB. Seeing sessiondiy chase down the registration code in no time while I had only found the key point, I wasn't willing to let it go, so, heh, with books + Baidu + asking the experts on the forum, I finally cracked this VB crackme that I had considered a real headache, haha!
First, find the key point: bp __vbaVarTstEq, enter a username and password, click Register, and it breaks immediately!
00407D7D . 8D95 2CFFFFFF lea edx, dword ptr [ebp-D4] ; fetch the username
00407D83 . 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00407D89 . 52 push edx
00407D8A . 50 push eax ; compute the username length
00407D8B . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaLenVa>; MSVBVM60.__vbaLenVar
00407D91 . 8BD0 mov edx, eax
00407D93 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00407D96 . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00407D9C . 8D4D 9C lea ecx, dword ptr [ebp-64]
00407D9F . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
00407DA5 . 51 push ecx
00407DA6 . 52 push edx
00407DA7 . 89BD D4FBFFFF mov dword ptr [ebp-42C], edi
00407DAD . C785 CCFBFFFF>mov dword ptr [ebp-434], 8002
00407DB7 . FF15 74104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
Testing shows the username must be at least 4 characters long and the registration code at least 1, so keep going downward; if the requirements are met, one big jump later we land here:
0040834D > \8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
00408353 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
00408359 . C785 F4FEFFFF>mov dword ptr [ebp-10C], 17
00408363 . C785 ECFEFFFF>mov dword ptr [ebp-114], 2
0040836D . C785 D4FBFFFF>mov dword ptr [ebp-42C], 004029EC ; UNICODE "$%#%$#this is the first time)^&*(^*&"
00408377 . 899D CCFBFFFF mov dword ptr [ebp-434], ebx
0040837D . FFD6 call esi
0040837F . 8D8D ECFEFFFF lea ecx, dword ptr [ebp-114]
00408385 . 8D95 FCFEFFFF lea edx, dword ptr [ebp-104]
0040838B . 51 push ecx ; ECX=17h=23D
0040838C . 6A 07 push 7
0040838E . 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00408394 . 52 push edx
00408395 . 50 push eax ; take 23 characters of the string above, starting at position 7
00408396 . FF15 60104000 call dword ptr [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0040839C . 8D4D BC lea ecx, dword ptr [ebp-44]
0040839F . 8D95 DCFEFFFF lea edx, dword ptr [ebp-124]
004083A5 . 51 push ecx ; uppercased username
004083A6 . 8D85 CCFEFFFF lea eax, dword ptr [ebp-134]
004083AC . 52 push edx
004083AD . 50 push eax ; concatenate it with the preceding string
004083AE . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
004083B4 . 8BD0 mov edx, eax ; "BWNSthis is the first time)"
004083B6 . 8D4D BC lea ecx, dword ptr [ebp-44]
004083B9 . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004083BF . 8D8D DCFEFFFF lea ecx, dword ptr [ebp-124]
004083C5 . 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
004083CB . 51 push ecx
004083CC . 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004083D2 . 52 push edx
004083D3 . 50 push eax
004083D4 . 6A 03 push 3
004083D6 . FF15 14104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004083DC . 83C4 10 add esp, 10
004083DF . 8D4D BC lea ecx, dword ptr [ebp-44]
004083E2 . 8D95 FCFEFFFF lea edx, dword ptr [ebp-104]
004083E8 . 51 push ecx
004083E9 . 52 push edx ; total length of the concatenated username string: 17h+4h=1Bh
004083EA . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaLenVa>; MSVBVM60.__vbaLenVar
Heh, that whole stretch above, written in C, is just two statements: strcat(username, "this is the first time)"); strlen(username); which shows you how "powerful" VB is, heh. Long code, but don't panic, there's even longer to come! Continuing down we find a loop, and this is the key part that computes the registration code, so everybody perk up:
00408447 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
0040844D > 3BC7 cmp eax, edi
0040844F . 0F84 C2020000 je 00408717
00408455 . 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
0040845B . 8D4D DC lea ecx, dword ptr [ebp-24]
0040845E . 50 push eax
0040845F . 51 push ecx
00408460 . C785 04FFFFFF>mov dword ptr [ebp-FC], 1
0040846A . C785 FCFEFFFF>mov dword ptr [ebp-104], 2 ; i++
00408474 . FF15 DC104000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
0040847A . 50 push eax ; take the i-th character
0040847B . 8D55 BC lea edx, dword ptr [ebp-44]
0040847E . 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
00408484 . 52 push edx ; "BWNSthis is the first time)"
00408485 . 50 push eax
00408486 . FF15 60104000 call dword ptr [<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar
0040848C . 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
00408492 . 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
00408498 . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
0040849E . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
004084A4 . FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004084AA . 8D8D 1CFFFFFF lea ecx, dword ptr [ebp-E4]
004084B0 . 8D95 18FFFFFF lea edx, dword ptr [ebp-E8]
004084B6 . 51 push ecx
004084B7 . 52 push edx
004084B8 . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
004084BE . 50 push eax
004084BF . FF15 24104000 call dword ptr [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
004084C5 . 0FBFC0 movsx eax, ax ; this whole long stretch of code just fetches s[i] of the string
004084C8 . 8D8D 18FFFFFF lea ecx, dword ptr [ebp-E8]
004084CE . 8945 98 mov dword ptr [ebp-68], eax
004084D1 . FF15 1C114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004084D7 . 8B4D 98 mov ecx, dword ptr [ebp-68]
004084DA . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
004084E0 . 898D D4FBFFFF mov dword ptr [ebp-42C], ecx
004084E6 . 8D45 DC lea eax, dword ptr [ebp-24]
004084E9 . 52 push edx
004084EA . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
004084F0 . 50 push eax
004084F1 . 51 push ecx ; s[i]*i
004084F2 . C785 CCFBFFFF>mov dword ptr [ebp-434], 3
004084FC . FF15 94104000 call dword ptr [<&MSVBVM60.__vbaVarMu>; MSVBVM60.__vbaVarMul
00408502 . 50 push eax
00408503 . FF15 DC104000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00408509 . 8BC8 mov ecx, eax
0040850B . C785 CCFBFFFF>mov dword ptr [ebp-434], 3
00408515 . 0FBF85 3CFFFF>movsx eax, word ptr [ebp-C4] ; the 19849 from earlier, 4D89h
0040851C . 03C1 add eax, ecx ; s[i]*i+19849D
0040851E . B9 C4010000 mov ecx, 1C4
00408523 . 0F80 3F110000 jo 00409668
00408529 . 99 cdq
0040852A . F7F9 idiv ecx ; (s[i]*i+19849D)/452D(1C4h), remainder left in edx
0040852C . 8D85 54FFFFFF lea eax, dword ptr [ebp-AC] ; 123h
00408532 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104] ; 1c4h
00408538 . 8995 D4FBFFFF mov dword ptr [ebp-42C], edx ; save the remainder
0040853E . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
00408544 . 52 push edx
00408545 . 50 push eax ; m=XOR(((s[i]*i+19849D) mod 452D),123h)
00408546 . 51 push ecx
00408547 . FF15 40104000 call dword ptr [<&MSVBVM60.__vbaVarXo>; MSVBVM60.__vbaVarXor
0040854D . 50 push eax ; =138h, convert the result to Long
0040854E . FF15 DC104000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00408554 . 8985 D4FBFFFF mov dword ptr [ebp-42C], eax ; [ebp-42c]=m
0040855A . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434] ; fetch the result m again
00408560 . 8D85 40FFFFFF lea eax, dword ptr [ebp-C0]
00408566 . 52 push edx
00408567 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
0040856D . 50 push eax ; 456h
0040856E . 51 push ecx
0040856F . C785 CCFBFFFF>mov dword ptr [ebp-434], 3 ; x=OR(m,456h)
00408579 . FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaVarOr>; MSVBVM60.__vbaVarOr
0040857F . 50 push eax
00408580 . FF15 DC104000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00408586 . 8945 98 mov dword ptr [ebp-68], eax
00408589 . 68 00000040 push 40000000
0040858E . DB45 98 fild dword ptr [ebp-68] ; x
00408591 . 57 push edi
00408592 . DD9D 04FAFFFF fstp qword ptr [ebp-5FC]
00408598 . 8B95 08FAFFFF mov edx, dword ptr [ebp-5F8]
0040859E . 8B85 04FAFFFF mov eax, dword ptr [ebp-5FC]
004085A4 . 52 push edx
004085A5 . 50 push eax ; compute y=x^2
004085A6 . FF15 D0104000 call dword ptr [<&MSVBVM60.__vbaPower>; MSVBVM60.__vbaPowerR8
004085AC . FF15 F4104000 call dword ptr [<&MSVBVM60.__vbaFpI4>>; MSVBVM60.__vbaFpI4
004085B2 . 8D4D CC lea ecx, dword ptr [ebp-34]
004085B5 . 8985 D4FBFFFF mov dword ptr [ebp-42C], eax ; save y
004085BB . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
004085C1 . 51 push ecx
004085C2 . 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004085C8 . 52 push edx
004085C9 . 50 push eax
004085CA . C785 CCFBFFFF>mov dword ptr [ebp-434], 3
004085D4 . FF15 E0104000 call dword ptr [<&MSVBVM60.__vbaVarAd>; MSVBVM60.__vbaVarAdd
004085DA . 8BD0 mov edx, eax ; sum +=y
004085DC . 8D4D CC lea ecx, dword ptr [ebp-34]
004085DF . FF15 08104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004085E5 . 8D4D CC lea ecx, dword ptr [ebp-34]
004085E8 . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
004085EE . 51 push ecx
004085EF . 52 push edx
004085F0 . C785 D4FBFFFF>mov dword ptr [ebp-42C], 0CCCCC8C
004085FA . C785 CCFBFFFF>mov dword ptr [ebp-434], 8003
00408604 . FF15 F8104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstGe
0040860A . 66:85C0 test ax, ax ; is sum >= 0CCCCC8C?
0040860D . 0F84 8E000000 je 004086A1 ; if it is greater, you're done for! :)
Haha, powerful, right? This is the key to computing the registration code. Combined with the comments above, it's easy to see what the formula is:
Described in VB, the code above is:
For i = 1 To Len(a) Step 1
    sum = sum + ((((Asc(Mid(a, i, 1)) * i + 19849) Mod 452) Xor &H123) Or &H456) ^ 2
Next i
Then sum is checked: it must not be greater than 0x0ccccc8c, or it's game over; if it isn't, the loop continues accumulating.
A fair amount of junk code that follows is omitted:
0040870C . FF15 14114000 call dword ptr [<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
00408712 .^ E9 36FDFFFF jmp 0040844D
00408717 > 8D4D CC lea ecx, dword ptr [ebp-34]
0040871A . 8D95 FCFEFFFF lea edx, dword ptr [ebp-104]
00408720 . 51 push ecx ; convert sum to a string
00408721 . 52 push edx
00408722 . FF15 E8104000 call dword ptr [<&MSVBVM60.#613>] ; MSVBVM60.rtcVarStrFromVar
00408728 . 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
0040872E . 8D8D ECFEFFFF lea ecx, dword ptr [ebp-114]
What this actually does is convert the sum above into string form: if sum=12345, it becomes "12345". Looking further on, I found that reading VB sometimes means learning to skim ten lines at a glance, heh; skipping a bunch of junk in between, whew, we get:
0040878E . 83C4 10 add esp, 10
00408791 . 8D45 88 lea eax, dword ptr [ebp-78] ; the real registration code obtained from the conversion above
00408794 . 8D8D 2CFFFFFF lea ecx, dword ptr [ebp-D4] ; the fake code we typed in
0040879A . 8D95 FCFEFFFF lea edx, dword ptr [ebp-104]
004087A0 . 50 push eax
004087A1 . 51 push ecx
004087A2 . 57 push edi
004087A3 . 52 push edx
004087A4 . FF15 A8104000 call dword ptr [<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCompVar
004087AA . 50 push eax
004087AB . FF15 B0104000 call dword ptr [<&MSVBVM60.__vbaI2Var>; MSVBVM60.__vbaI2Var
004087B1 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
004087B7 . 8985 74FFFFFF mov dword ptr [ebp-8C], eax ; save the comparison result as an integer
004087BD . FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004087C3 . 66:39BD 74FFF>cmp word ptr [ebp-8C], di ; compare whether the two are equal
004087CA . 0F85 510C0000 jnz 00409421 ; not equal and you're toast, heh!
004087D0 . 8D95 CCFBFFFF lea edx, dword ptr [ebp-434]
004087D6 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
004087DC . C785 D4FBFFFF>mov dword ptr [ebp-42C], 00402A3C ; UNICODE "Goodby"
004087E6 . 899D CCFBFFFF mov dword ptr [ebp-434], ebx
Putting all of this together, the VB keygen is as follows; pay VB back in its own coin, heh:
Private Sub Command1_Click()        ' button handler; the control name is assumed
    Dim a As String, x As Variant, i As Long
    x = 0
    a = "this is the first time)"  ' Mid(embedded string, 7, 23) from the crackme
    If Len(Text1) < 4 Then
        MsgBox "你也太懒了吧,至少要4个字符才行!"
        Exit Sub                    ' the crackme rejects names shorter than 4
    End If
    a = UCase(Text1) + a
    For i = 1 To Len(a)
        x = x + ((((Asc(Mid(a, i, 1)) * i + 19849) Mod 452) Xor &H123) Or &H456) ^ 2
    Next
    If x < &HCCCCC8C Then
        Text2 = x                   ' the serial is the decimal text of the sum
    Else
        MsgBox "数字太大,不能放下!嘿嘿!"
    End If
End Sub
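To check the annotations in the listing against the recovered formula, here is an added trace of the algorithm in Python; it is not the post's code, the function names are mine, and the constants are the ones read out of the disassembly above.

```python
# Added worked example (not the post's code): the crackme's serial algorithm
# as recovered from the listing, with per-iteration values so each annotation
# in the disassembly can be checked. Function names are my own.

SECRET = "this is the first time)"   # Mid(embedded string, 7, 23)
ADD_CONST, MODULUS = 19849, 452      # 4D89h and 1C4h in the listing
XOR_MASK, OR_MASK = 0x123, 0x456
SUM_LIMIT = 0xCCCCC8C                # __vbaVarTstGe against this fails the check
MIN_NAME_LEN = 4                     # length test at the first __vbaVarTstEq


def round_step(ch, i):
    """One loop iteration for character ch at 1-based index i.
    Returns (remainder, m, x, y): remainder of (s[i]*i+19849)/452 (edx after
    idiv), m = remainder xor 123h, x = m or 456h, y = x^2."""
    remainder = (ord(ch) * i + ADD_CONST) % MODULUS
    m = remainder ^ XOR_MASK
    x = m | OR_MASK
    return remainder, m, x, x * x


def trace(username):
    """Per-iteration values over UCase(username) & SECRET, as the loop sees them."""
    a = username.upper() + SECRET
    return [(i, ch) + round_step(ch, i) for i, ch in enumerate(a, start=1)]


def serial(username):
    """Decimal string the crackme compares the typed code against, or None."""
    if len(username) < MIN_NAME_LEN:
        return None
    total = sum(y for *_, y in trace(username))
    # x < 800h, so y < 4,190,210: the guard can only fire once the combined
    # string has 52 or more characters, i.e. a username of 29 or more.
    if total >= SUM_LIMIT:
        return None
    return str(total)


def check(username, typed_code):
    """The final __vbaStrCompVar: exact string comparison, no numeric parsing."""
    expected = serial(username)
    return expected is not None and typed_code == expected


if __name__ == "__main__":
    for i, ch, rem, m, x, y in trace("BWNS")[:4]:
        print(f"i={i} ch={ch!r} rem={rem:#x} m={m:#x} x={x:#x} y={y}")
    print("serial for BWNS:", serial("BWNS"))
```

The first row of the trace for "BWNS" reproduces the 138h noted at 0040854D in the listing.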
If anything above is wrong, please do criticize. Programs written in VB really are frightening; they test your patience, and without patience you won't get through. I understand this deeply, and really everything in life is like that, so don't be afraid, go at it bravely, heh!
Finally, thanks to CCTV, MTV, and the brothers and sisters on 看雪 who helped me. Thank you all; without you there would be no 不问年少 today!