今天试用了一下新工具getvbres 0.9,打开这个CrackMe,最后看到“注册成功”,地址为28B8
OD载入程序,直接查找二进制串“B8 28”到了00404BFC,
往上看,00404BDF,有个跳转,试着在00404B0C处下断,断下了,改00404BDF处的74 45为74 00,OK了!
00404BCF . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00404BD2 > 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C]
00404BD5 . 51 PUSH ECX
00404BD6 . FF15 58104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolVarNull>] ; MSVBVM60.__vbaBoolVarNull
00404BDC . 66:85C0 TEST AX,AX
00404BDF . 74 45 JE SHORT Crackme2.00404C26 :改这里为74 00 JE SHORT Crackme2.00404BE1
00404BE1 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00404BE3 . 56 PUSH ESI
00404BE4 . FF92 18030000 CALL DWORD PTR DS:[EDX+318]
00404BEA . 50 PUSH EAX
00404BEB . 8D85 30FFFFFF LEA EAX,DWORD PTR SS:[EBP-D0]
00404BF1 . 50 PUSH EAX
00404BF2 . FF15 48104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00404BF8 . 8BF0 MOV ESI,EAX
00404BFA . 8B0E MOV ECX,DWORD PTR DS:[ESI]
00404BFC . 68 B8284000 PUSH Crackme2.004028B8 :查找后直接到了这里,向上看
00404C01 . 56 PUSH ESI
00404C02 . FF51 54 CALL DWORD PTR DS:[ECX+54]
00404C05 . DBE2 FCLEX
00404C07 . 85C0 TEST EAX,EAX
00404C09 . 7D 0F JGE SHORT Crackme2.00404C1A
00404C0B . 6A 54 PUSH 54
00404C0D . 68 8C274000 PUSH Crackme2.0040278C
Crackme2009_xx.rar
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课