今天完成了第一个KeygenMe的破解,并写出了算法器,虽然算法非常简单,但对于新手的我,却是一个难关。花了一天时间。
开始以为这个CALL
00402568 . FF15 80104000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
是算序列号的,但调来调去,没看出来。后来看领空的概念,发现进去后就不是程序的领空了,是一个叫VB虚拟机的东西。于是往上找。终于看出算法,写了一个算号器,心里那叫乐呀。。。
发个文章,与大家分享一下心情
004024A2 . BF 01000000 mov edi, 1
004024A7 . 8BF7 mov esi, edi
004024A9 . 8B1D 0C104000 mov ebx, dword ptr [<&MSVBVM60.__vbaFreeVarLis>; MSVBVM60.__vbaFreeVarList
004024AF > 66:3B75 D0 cmp si, word ptr [ebp-30] ; 是否大于用户名长度
004024B3 . 0F8F 93000000 jg 0040254C
004024B9 . C745 BC 01000>mov dword ptr [ebp-44], 1
004024C0 . C745 B4 02000>mov dword ptr [ebp-4C], 2
004024C7 . 8D45 CC lea eax, dword ptr [ebp-34]
004024CA . 8985 7CFFFFFF mov dword ptr [ebp-84], eax
004024D0 . C785 74FFFFFF>mov dword ptr [ebp-8C], 4008
004024DA . 8D4D B4 lea ecx, dword ptr [ebp-4C]
004024DD . 51 push ecx ; /Length8
004024DE . 0FBFD6 movsx edx, si ; |
004024E1 . 52 push edx ; |Start
004024E2 . 8D85 74FFFFFF lea eax, dword ptr [ebp-8C] ; |
004024E8 . 50 push eax ; |dString8
004024E9 . 8D4D A4 lea ecx, dword ptr [ebp-5C] ; |
004024EC . 51 push ecx ; |RetBUFFER
004024ED . FF15 44104000 call dword ptr [<&MSVBVM60.#632>] ; \rtcMidCharVar
004024F3 . 8D55 A4 lea edx, dword ptr [ebp-5C]
004024F6 . 52 push edx ; /String8
004024F7 . 8D45 C8 lea eax, dword ptr [ebp-38] ; |
004024FA . 50 push eax ; |ARG2
004024FB . FF15 74104000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00402501 . 50 push eax ; /String
00402502 . FF15 18104000 call dword ptr [<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00402508 . 66:0FAFC6 imul ax, si ; 字符ASCII乘以当前循环次数
0040250C . 0F80 5F010000 jo 00402671 ; 检查溢出
00402512 . 0FBFC8 movsx ecx, ax
00402515 . 03CF add ecx, edi ; 累加
00402517 . 0F80 54010000 jo 00402671
0040251D . 8BF9 mov edi, ecx ; 保存
0040251F . 8D4D C8 lea ecx, dword ptr [ebp-38]
00402522 . FF15 B4104000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00402528 . 8D55 A4 lea edx, dword ptr [ebp-5C]
0040252B . 52 push edx
0040252C . 8D45 B4 lea eax, dword ptr [ebp-4C]
0040252F . 50 push eax
00402530 . 6A 02 push 2
00402532 . FFD3 call ebx
00402534 . 83C4 0C add esp, 0C
00402537 . B8 01000000 mov eax, 1
0040253C . 66:03C6 add ax, si ; 准备下次循环
0040253F . 0F80 2C010000 jo 00402671
00402545 . 8BF0 mov esi, eax
00402547 .^ E9 63FFFFFF jmp 004024AF
0040254C > 69FF 96740100 imul edi, edi, 17496
00402552 . 0F80 19010000 jo 00402671
00402558 . 897D D8 mov dword ptr [ebp-28], edi
0040255B . DB45 D8 fild dword ptr [ebp-28]
0040255E . DD9D 14FFFFFF fstp qword ptr [ebp-EC]
00402564 . 8B4D DC mov ecx, dword ptr [ebp-24]
00402567 . 51 push ecx
00402568 . FF15 80104000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
0040256E . DC9D 14FFFFFF fcomp qword ptr [ebp-EC]
00402574 . DFE0 fstsw ax
00402576 F6C4 40 test ah, 40
00402579 0F84 86000000 je 00402605
0040257F . B9 04000280 mov ecx, 80020004
00402584 . 894D 8C mov dword ptr [ebp-74], ecx
00402587 . B8 0A000000 mov eax, 0A
0040258C . 8945 84 mov dword ptr [ebp-7C], eax
0040258F . 894D 9C mov dword ptr [ebp-64], ecx
00402592 . 8945 94 mov dword ptr [ebp-6C], eax
00402595 . C785 6CFFFFFF>mov dword ptr [ebp-94], 00401C74 ; UNICODE "Congratulations"
0040259F . BF 08000000 mov edi, 8
004025A4 . 89BD 64FFFFFF mov dword ptr [ebp-9C], edi
004025AA . 8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
004025B0 . 8D4D A4 lea ecx, dword ptr [ebp-5C]
004025B3 . 8B35 98104000 mov esi, dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课