160个CrackMe之003
为了提高自己对反汇编的熟练程度,打算对这160个CrackMe的爆破点及注册算法都分析一下。
需要练手的朋友可以到这里下载,链接: http://pan.baidu.com/s/1c06fNOW 密码: ht4e
废话不多说,进入正题,第三个CrackMe:
运行程序,找到输入用户名和注册码的地方,输入假码,点击注册,弹窗提示错误。
使用OD载入程序,搜索字符串,很快可以找到关键点。
00408677 /74 62 JE SHORT AfKayAs_.004086DB ; //此处nop掉即可爆破 00408679 |8B35 14B14000 MOV ESI, DWORD PTR DS:[<&MSVBVM50.__>; MSVBVM50.__vbaStrCat 0040867F |68 C06F4000 PUSH AfKayAs_.00406FC0 ; You Get It 00408684 |68 DC6F4000 PUSH AfKayAs_.00406FDC ; \r\n 00408689 |FFD6 CALL NEAR ESI 0040868B |8BD0 MOV EDX, EAX 0040868D |8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 00408690 |FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__>; MSVBVM50.__vbaStrMove 00408696 |50 PUSH EAX 00408697 |68 E86F4000 PUSH AfKayAs_.00406FE8 ; KeyGen It Now 0040869C |FFD6 CALL NEAR ESI 0040869E |8945 CC MOV DWORD PTR SS:[EBP-34], EAX 004086A1 |8D45 94 LEA EAX, DWORD PTR SS:[EBP-6C] 004086A4 |8D4D A4 LEA ECX, DWORD PTR SS:[EBP-5C] 004086A7 |50 PUSH EAX 004086A8 |8D55 B4 LEA EDX, DWORD PTR SS:[EBP-4C] 004086AB |51 PUSH ECX 004086AC |52 PUSH EDX 004086AD |8D45 C4 LEA EAX, DWORD PTR SS:[EBP-3C] 004086B0 |6A 00 PUSH 0 004086B2 |50 PUSH EAX 004086B3 |C745 C4 0800000>MOV DWORD PTR SS:[EBP-3C], 8 004086BA |FF15 24B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#5>; MSVBVM50.rtcMsgBox 004086C0 |8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004086C3 |FF15 A8B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeStr 004086C9 |8D4D 94 LEA ECX, DWORD PTR SS:[EBP-6C] 004086CC |8D55 A4 LEA EDX, DWORD PTR SS:[EBP-5C] 004086CF |51 PUSH ECX 004086D0 |8D45 B4 LEA EAX, DWORD PTR SS:[EBP-4C] 004086D3 |52 PUSH EDX 004086D4 |8D4D C4 LEA ECX, DWORD PTR SS:[EBP-3C] 004086D7 |50 PUSH EAX 004086D8 |51 PUSH ECX 004086D9 |EB 60 JMP SHORT AfKayAs_.0040873B 004086DB \8B35 14B14000 MOV ESI, DWORD PTR DS:[<&MSVBVM50.__>; MSVBVM50.__vbaStrCat 004086E1 68 08704000 PUSH AfKayAs_.00407008 ; You Get Wrong 004086E6 68 DC6F4000 PUSH AfKayAs_.00406FDC ; \r\n 004086EB FFD6 CALL NEAR ESI 004086ED 8BD0 MOV EDX, EAX 004086EF 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004086F2 FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__>; MSVBVM50.__vbaStrMove 004086F8 50 PUSH EAX 004086F9 68 28704000 PUSH AfKayAs_.00407028 ; Try Again 004086FE FFD6 CALL NEAR ESI 00408700 8945 CC MOV DWORD PTR SS:[EBP-34], EAX 00408703 8D55 94 LEA EDX, DWORD PTR SS:[EBP-6C] 00408706 8D45 A4 LEA EAX, DWORD PTR SS:[EBP-5C] 00408709 52 PUSH EDX 0040870A 8D4D B4 LEA ECX, DWORD PTR SS:[EBP-4C] 0040870D 50 PUSH EAX 0040870E 51 PUSH ECX 0040870F 8D55 C4 LEA EDX, DWORD PTR SS:[EBP-3C] 00408712 6A 00 PUSH 0 00408714 52 PUSH EDX 00408715 C745 C4 0800000>MOV DWORD PTR SS:[EBP-3C], 8 0040871C FF15 24B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#5>; MSVBVM50.rtcMsgBox
下面看一下程序的注册算法,在断首下断点,重新运行,输入假码,点击注册,断了下来。
004080F0 55 PUSH EBP 004080F1 8BEC MOV EBP, ESP 004080F3 83EC 0C SUB ESP, 0C 004080F6 68 56104000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> 004080FB 64:A1 00000000 MOV EAX, DWORD PTR FS:[0] 00408101 50 PUSH EAX 00408102 64:8925 00000000 MOV DWORD PTR FS:[0], ESP 00408109 81EC D0000000 SUB ESP, 0D0 0040810F 53 PUSH EBX 00408110 56 PUSH ESI 00408111 8B75 08 MOV ESI, DWORD PTR SS:[EBP+8] 00408114 57 PUSH EDI 00408115 8BC6 MOV EAX, ESI 00408117 83E6 FE AND ESI, FFFFFFFE 0040811A 8965 F4 MOV DWORD PTR SS:[EBP-C], ESP 0040811D 83E0 01 AND EAX, 1 00408120 8B1E MOV EBX, DWORD PTR DS:[ESI] 00408122 C745 F8 30104000 MOV DWORD PTR SS:[EBP-8], AfKayAs_.00401030 00408129 56 PUSH ESI 0040812A 8945 FC MOV DWORD PTR SS:[EBP-4], EAX 0040812D 8975 08 MOV DWORD PTR SS:[EBP+8], ESI 00408130 899D 40FFFFFF MOV DWORD PTR SS:[EBP-C0], EBX 00408136 FF53 04 CALL NEAR DWORD PTR DS:[EBX+4] 00408139 8B83 08030000 MOV EAX, DWORD PTR DS:[EBX+308] 0040813F 33FF XOR EDI, EDI 00408141 56 PUSH ESI 00408142 897D E8 MOV DWORD PTR SS:[EBP-18], EDI 00408145 897D E4 MOV DWORD PTR SS:[EBP-1C], EDI 00408148 897D E0 MOV DWORD PTR SS:[EBP-20], EDI 0040814B 897D DC MOV DWORD PTR SS:[EBP-24], EDI 0040814E 897D D8 MOV DWORD PTR SS:[EBP-28], EDI 00408151 897D D4 MOV DWORD PTR SS:[EBP-2C], EDI 00408154 897D C4 MOV DWORD PTR SS:[EBP-3C], EDI 00408157 897D B4 MOV DWORD PTR SS:[EBP-4C], EDI 0040815A 897D A4 MOV DWORD PTR SS:[EBP-5C], EDI 0040815D 897D 94 MOV DWORD PTR SS:[EBP-6C], EDI 00408160 FFD0 CALL NEAR EAX 00408162 8D4D D4 LEA ECX, DWORD PTR SS:[EBP-2C] 00408165 50 PUSH EAX 00408166 51 PUSH ECX 00408167 FF15 20B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 0040816D 8B9B 18030000 MOV EBX, DWORD PTR DS:[EBX+318] 00408173 56 PUSH ESI 00408174 8985 50FFFFFF MOV DWORD PTR SS:[EBP-B0], EAX 0040817A 899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4], EBX 00408180 FFD3 CALL NEAR EBX 00408182 8D55 DC LEA EDX, DWORD PTR SS:[EBP-24] 00408185 50 PUSH EAX 00408186 52 PUSH EDX 00408187 FF15 20B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 0040818D 8BD8 MOV EBX, EAX 0040818F 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 00408192 51 PUSH ECX 00408193 53 PUSH EBX 00408194 8B03 MOV EAX, DWORD PTR DS:[EBX] 00408196 FF90 A0000000 CALL NEAR DWORD PTR DS:[EAX+A0] ; //得到用户名 0040819C 3BC7 CMP EAX, EDI 0040819E 7D 12 JGE SHORT AfKayAs_.004081B2 004081A0 68 A0000000 PUSH 0A0 004081A5 68 AC6F4000 PUSH AfKayAs_.00406FAC 004081AA 53 PUSH EBX 004081AB 50 PUSH EAX 004081AC FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 004081B2 56 PUSH ESI 004081B3 FF95 3CFFFFFF CALL NEAR DWORD PTR SS:[EBP-C4] 004081B9 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28] 004081BC 50 PUSH EAX 004081BD 52 PUSH EDX 004081BE FF15 20B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 004081C4 8BD8 MOV EBX, EAX 004081C6 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 004081C9 51 PUSH ECX 004081CA 53 PUSH EBX 004081CB 8B03 MOV EAX, DWORD PTR DS:[EBX] 004081CD FF90 A0000000 CALL NEAR DWORD PTR DS:[EAX+A0] ; //得到用户名 004081D3 3BC7 CMP EAX, EDI 004081D5 7D 12 JGE SHORT AfKayAs_.004081E9 004081D7 68 A0000000 PUSH 0A0 004081DC 68 AC6F4000 PUSH AfKayAs_.00406FAC 004081E1 53 PUSH EBX 004081E2 50 PUSH EAX 004081E3 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 004081E9 8B95 50FFFFFF MOV EDX, DWORD PTR SS:[EBP-B0] 004081EF 8B45 E4 MOV EAX, DWORD PTR SS:[EBP-1C] 004081F2 50 PUSH EAX 004081F3 8B1A MOV EBX, DWORD PTR DS:[EDX] ; //得到用户名长度 004081F5 FF15 F8B04000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaLenBstr>] ; MSVBVM50.__vbaLenBstr 004081FB 8BF8 MOV EDI, EAX ; //长度保存到EDI 004081FD 8B4D E8 MOV ECX, DWORD PTR SS:[EBP-18] 00408200 69FF 385B0100 IMUL EDI, EDI, 15B38 ; //长度(EDI) = EDI * 0x15B38 00408206 51 PUSH ECX 00408207 0F80 B7050000 JO AfKayAs_.004087C4 ; //将字符转成ASCII码 0040820D FF15 0CB14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr 00408213 0FBFD0 MOVSX EDX, AX ; //转换好的ASCII码带符号扩展到EDX 00408216 03FA ADD EDI, EDX ; //乘积的结果 + 扩展的ASCII码 00408218 0F80 A6050000 JO AfKayAs_.004087C4 0040821E 57 PUSH EDI ; //将一个字符串转为长整型 0040821F FF15 F4B04000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>] ; MSVBVM50.__vbaStrI4 00408225 8BD0 MOV EDX, EAX ; //转好的值给EDX 00408227 8D4D E0 LEA ECX, DWORD PTR SS:[EBP-20] 0040822A FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 00408230 8BBD 50FFFFFF MOV EDI, DWORD PTR SS:[EBP-B0] 00408236 50 PUSH EAX 00408237 57 PUSH EDI 00408238 FF93 A4000000 CALL NEAR DWORD PTR DS:[EBX+A4] 0040823E 85C0 TEST EAX, EAX 00408240 7D 12 JGE SHORT AfKayAs_.00408254 00408242 68 A4000000 PUSH 0A4 00408247 68 AC6F4000 PUSH AfKayAs_.00406FAC 0040824C 57 PUSH EDI 0040824D 50 PUSH EAX 0040824E FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 00408254 8D45 E0 LEA EAX, DWORD PTR SS:[EBP-20] 00408257 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 0040825A 50 PUSH EAX 0040825B 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 0040825E 51 PUSH ECX 0040825F 52 PUSH EDX 00408260 6A 03 PUSH 3 00408262 FF15 80B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrLi>; MSVBVM50.__vbaFreeStrList 00408268 83C4 10 ADD ESP, 10 0040826B 8D45 D4 LEA EAX, DWORD PTR SS:[EBP-2C] 0040826E 8D4D D8 LEA ECX, DWORD PTR SS:[EBP-28] 00408271 8D55 DC LEA EDX, DWORD PTR SS:[EBP-24] 00408274 50 PUSH EAX 00408275 51 PUSH ECX 00408276 52 PUSH EDX 00408277 6A 03 PUSH 3 00408279 FF15 08B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjLi>; MSVBVM50.__vbaFreeObjList 0040827F 8B9D 40FFFFFF MOV EBX, DWORD PTR SS:[EBP-C0] 00408285 83C4 10 ADD ESP, 10 00408288 8B83 FC020000 MOV EAX, DWORD PTR DS:[EBX+2FC] 0040828E 56 PUSH ESI 0040828F 8985 38FFFFFF MOV DWORD PTR SS:[EBP-C8], EAX 00408295 FFD0 CALL NEAR EAX 00408297 8B3D 20B14000 MOV EDI, DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 0040829D 50 PUSH EAX 0040829E 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 004082A1 50 PUSH EAX 004082A2 FFD7 CALL NEAR EDI 004082A4 56 PUSH ESI 004082A5 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8], EAX 004082AB FF93 08030000 CALL NEAR DWORD PTR DS:[EBX+308] 004082B1 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24] 004082B4 50 PUSH EAX 004082B5 51 PUSH ECX 004082B6 FFD7 CALL NEAR EDI 004082B8 8BD8 MOV EBX, EAX 004082BA 8D45 E8 LEA EAX, DWORD PTR SS:[EBP-18] 004082BD 50 PUSH EAX 004082BE 53 PUSH EBX 004082BF 8B13 MOV EDX, DWORD PTR DS:[EBX] 004082C1 FF92 A0000000 CALL NEAR DWORD PTR DS:[EDX+A0] 004082C7 85C0 TEST EAX, EAX 004082C9 7D 12 JGE SHORT AfKayAs_.004082DD 004082CB 68 A0000000 PUSH 0A0 004082D0 68 AC6F4000 PUSH AfKayAs_.00406FAC 004082D5 53 PUSH EBX 004082D6 50 PUSH EAX 004082D7 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 004082DD 8B8D 58FFFFFF MOV ECX, DWORD PTR SS:[EBP-A8] 004082E3 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18] 004082E6 52 PUSH EDX 004082E7 8B19 MOV EBX, DWORD PTR DS:[ECX] ; //字符转成浮点 004082E9 FF15 74B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaR8Str>] ; MSVBVM50.__vbaR8Str 004082EF D905 08104000 FLD DWORD PTR DS:[401008] ; //10.0入ST(0) 004082F5 833D 00904000 00 CMP DWORD PTR DS:[409000], 0 004082FC 75 08 JNZ SHORT AfKayAs_.00408306 004082FE D835 0C104000 FDIV DWORD PTR DS:[40100C] ; //ST(0) /= 5.0 00408304 EB 0B JMP SHORT AfKayAs_.00408311 00408306 FF35 0C104000 PUSH DWORD PTR DS:[40100C] 0040830C E8 578DFFFF CALL <JMP.&MSVBVM50._adj_fdiv_m32> 00408311 83EC 08 SUB ESP, 8 00408314 DFE0 FSTSW AX ; //将FPU状态字保存到AX,检查非屏蔽浮点异常 00408316 A8 0D TEST AL, 0D 00408318 0F85 A1040000 JNZ AfKayAs_.004087BF 0040831E DEC1 FADDP ST(1), ST(0) ; //ST(1) += ST(0), ST(0)出栈 00408320 DFE0 FSTSW AX ; //将FPU状态字保存到AX,检查非屏蔽浮点异常 00408322 A8 0D TEST AL, 0D 00408324 0F85 95040000 JNZ AfKayAs_.004087BF 0040832A DD1C24 FSTP QWORD PTR SS:[ESP] ; //将ST(0)复制到[ESP] 0040832D FF15 48B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrR8>] ; MSVBVM50.__vbaStrR8 00408333 8BD0 MOV EDX, EAX ; //结果保存到EDX 00408335 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 00408338 FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 0040833E 899D 34FFFFFF MOV DWORD PTR SS:[EBP-CC], EBX 00408344 8B9D 58FFFFFF MOV EBX, DWORD PTR SS:[EBP-A8] 0040834A 50 PUSH EAX 0040834B 8B85 34FFFFFF MOV EAX, DWORD PTR SS:[EBP-CC] 00408351 53 PUSH EBX 00408352 FF90 A4000000 CALL NEAR DWORD PTR DS:[EAX+A4] 00408358 85C0 TEST EAX, EAX 0040835A 7D 12 JGE SHORT AfKayAs_.0040836E 0040835C 68 A4000000 PUSH 0A4 00408361 68 AC6F4000 PUSH AfKayAs_.00406FAC 00408366 53 PUSH EBX 00408367 50 PUSH EAX 00408368 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 0040836E 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 00408371 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 00408374 51 PUSH ECX 00408375 52 PUSH EDX 00408376 6A 02 PUSH 2 00408378 FF15 80B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrLi>; MSVBVM50.__vbaFreeStrList 0040837E 83C4 0C ADD ESP, 0C 00408381 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 00408384 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24] 00408387 50 PUSH EAX 00408388 51 PUSH ECX 00408389 6A 02 PUSH 2 0040838B FF15 08B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjLi>; MSVBVM50.__vbaFreeObjList 00408391 8B95 40FFFFFF MOV EDX, DWORD PTR SS:[EBP-C0] 00408397 83C4 0C ADD ESP, 0C 0040839A 8B82 00030000 MOV EAX, DWORD PTR DS:[EDX+300] 004083A0 56 PUSH ESI 004083A1 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0], EAX 004083A7 FFD0 CALL NEAR EAX 004083A9 50 PUSH EAX 004083AA 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 004083AD 50 PUSH EAX 004083AE FFD7 CALL NEAR EDI 004083B0 56 PUSH ESI 004083B1 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8], EAX 004083B7 FF95 38FFFFFF CALL NEAR DWORD PTR SS:[EBP-C8] 004083BD 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24] 004083C0 50 PUSH EAX 004083C1 51 PUSH ECX 004083C2 FFD7 CALL NEAR EDI 004083C4 8BD8 MOV EBX, EAX 004083C6 8D45 E8 LEA EAX, DWORD PTR SS:[EBP-18] 004083C9 50 PUSH EAX 004083CA 53 PUSH EBX 004083CB 8B13 MOV EDX, DWORD PTR DS:[EBX] 004083CD FF92 A0000000 CALL NEAR DWORD PTR DS:[EDX+A0] 004083D3 85C0 TEST EAX, EAX 004083D5 7D 12 JGE SHORT AfKayAs_.004083E9 004083D7 68 A0000000 PUSH 0A0 004083DC 68 AC6F4000 PUSH AfKayAs_.00406FAC 004083E1 53 PUSH EBX 004083E2 50 PUSH EAX 004083E3 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 004083E9 8B8D 58FFFFFF MOV ECX, DWORD PTR SS:[EBP-A8] 004083EF 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18] ; //真码 004083F2 52 PUSH EDX 004083F3 8B19 MOV EBX, DWORD PTR DS:[ECX] ; //再此转成浮点 004083F5 FF15 74B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaR8Str>] ; MSVBVM50.__vbaR8Str 004083FB DC0D 10104000 FMUL QWORD PTR DS:[401010] ; //ST(0) *= 3.0 00408401 83EC 08 SUB ESP, 8 00408404 DC25 18104000 FSUB QWORD PTR DS:[401018] ; //ST(0) -= 2.0 0040840A DFE0 FSTSW AX ; //将FPU状态字保存到AX,检查非屏蔽浮点异常 0040840C A8 0D TEST AL, 0D 0040840E 0F85 AB030000 JNZ AfKayAs_.004087BF 00408414 DD1C24 FSTP QWORD PTR SS:[ESP] ; //将ST(0)复制到[ESP] 00408417 FF15 48B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrR8>] ; MSVBVM50.__vbaStrR8 0040841D 8BD0 MOV EDX, EAX ; //结果保存到EDX 0040841F 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 00408422 FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 00408428 899D 2CFFFFFF MOV DWORD PTR SS:[EBP-D4], EBX 0040842E 8B9D 58FFFFFF MOV EBX, DWORD PTR SS:[EBP-A8] 00408434 50 PUSH EAX 00408435 8B85 2CFFFFFF MOV EAX, DWORD PTR SS:[EBP-D4] 0040843B 53 PUSH EBX 0040843C FF90 A4000000 CALL NEAR DWORD PTR DS:[EAX+A4] 00408442 85C0 TEST EAX, EAX 00408444 7D 12 JGE SHORT AfKayAs_.00408458 00408446 68 A4000000 PUSH 0A4 0040844B 68 AC6F4000 PUSH AfKayAs_.00406FAC 00408450 53 PUSH EBX 00408451 50 PUSH EAX 00408452 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 00408458 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 0040845B 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 0040845E 51 PUSH ECX 0040845F 52 PUSH EDX 00408460 6A 02 PUSH 2 00408462 FF15 80B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrLi>; MSVBVM50.__vbaFreeStrList 00408468 83C4 0C ADD ESP, 0C 0040846B 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 0040846E 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24] 00408471 50 PUSH EAX 00408472 51 PUSH ECX 00408473 6A 02 PUSH 2 00408475 FF15 08B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjLi>; MSVBVM50.__vbaFreeObjList 0040847B 8B95 40FFFFFF MOV EDX, DWORD PTR SS:[EBP-C0] 00408481 83C4 0C ADD ESP, 0C 00408484 8B82 04030000 MOV EAX, DWORD PTR DS:[EDX+304] 0040848A 56 PUSH ESI 0040848B 8985 28FFFFFF MOV DWORD PTR SS:[EBP-D8], EAX 00408491 FFD0 CALL NEAR EAX 00408493 50 PUSH EAX 00408494 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 00408497 50 PUSH EAX 00408498 FFD7 CALL NEAR EDI 0040849A 56 PUSH ESI 0040849B 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8], EAX 004084A1 FF95 30FFFFFF CALL NEAR DWORD PTR SS:[EBP-D0] 004084A7 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24] 004084AA 50 PUSH EAX 004084AB 51 PUSH ECX 004084AC FFD7 CALL NEAR EDI 004084AE 8BD8 MOV EBX, EAX 004084B0 8D45 E8 LEA EAX, DWORD PTR SS:[EBP-18] 004084B3 50 PUSH EAX 004084B4 53 PUSH EBX 004084B5 8B13 MOV EDX, DWORD PTR DS:[EBX] 004084B7 FF92 A0000000 CALL NEAR DWORD PTR DS:[EDX+A0] 004084BD 85C0 TEST EAX, EAX 004084BF 7D 12 JGE SHORT AfKayAs_.004084D3 004084C1 68 A0000000 PUSH 0A0 004084C6 68 AC6F4000 PUSH AfKayAs_.00406FAC 004084CB 53 PUSH EBX 004084CC 50 PUSH EAX 004084CD FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 004084D3 8B8D 58FFFFFF MOV ECX, DWORD PTR SS:[EBP-A8] 004084D9 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18] 004084DC 52 PUSH EDX 004084DD 8B19 MOV EBX, DWORD PTR DS:[ECX] ; //真码再此转换成浮点 004084DF FF15 74B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaR8Str>] ; MSVBVM50.__vbaR8Str 004084E5 DC25 20104000 FSUB QWORD PTR DS:[401020] ; //ST(0) -= -15.0 004084EB 83EC 08 SUB ESP, 8 004084EE DFE0 FSTSW AX ; //将FPU状态字保存到AX,检查非屏蔽浮点异常 004084F0 A8 0D TEST AL, 0D 004084F2 0F85 C7020000 JNZ AfKayAs_.004087BF 004084F8 DD1C24 FSTP QWORD PTR SS:[ESP] ; //将ST(0)复制到[ESP] 004084FB FF15 48B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrR8>] ; MSVBVM50.__vbaStrR8 00408501 8BD0 MOV EDX, EAX ; //结果保存到EDX 00408503 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 00408506 FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 0040850C 899D 24FFFFFF MOV DWORD PTR SS:[EBP-DC], EBX 00408512 8B9D 58FFFFFF MOV EBX, DWORD PTR SS:[EBP-A8] 00408518 50 PUSH EAX 00408519 8B85 24FFFFFF MOV EAX, DWORD PTR SS:[EBP-DC] 0040851F 53 PUSH EBX 00408520 FF90 A4000000 CALL NEAR DWORD PTR DS:[EAX+A4] 00408526 85C0 TEST EAX, EAX 00408528 7D 12 JGE SHORT AfKayAs_.0040853C 0040852A 68 A4000000 PUSH 0A4 0040852F 68 AC6F4000 PUSH AfKayAs_.00406FAC 00408534 53 PUSH EBX 00408535 50 PUSH EAX 00408536 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 0040853C 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 0040853F 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 00408542 51 PUSH ECX 00408543 52 PUSH EDX 00408544 6A 02 PUSH 2 00408546 FF15 80B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrLi>; MSVBVM50.__vbaFreeStrList 0040854C 83C4 0C ADD ESP, 0C 0040854F 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 00408552 8D4D DC LEA ECX, DWORD PTR SS:[EBP-24] 00408555 50 PUSH EAX 00408556 51 PUSH ECX 00408557 6A 02 PUSH 2 00408559 FF15 08B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjLi>; MSVBVM50.__vbaFreeObjList 0040855F 83C4 0C ADD ESP, 0C 00408562 56 PUSH ESI 00408563 FF95 28FFFFFF CALL NEAR DWORD PTR SS:[EBP-D8] 00408569 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28] 0040856C 50 PUSH EAX 0040856D 52 PUSH EDX 0040856E FFD7 CALL NEAR EDI 00408570 8BD8 MOV EBX, EAX 00408572 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 00408575 51 PUSH ECX 00408576 53 PUSH EBX 00408577 8B03 MOV EAX, DWORD PTR DS:[EBX] 00408579 FF90 A0000000 CALL NEAR DWORD PTR DS:[EAX+A0] 0040857F 85C0 TEST EAX, EAX 00408581 7D 12 JGE SHORT AfKayAs_.00408595 00408583 68 A0000000 PUSH 0A0 00408588 68 AC6F4000 PUSH AfKayAs_.00406FAC 0040858D 53 PUSH EBX 0040858E 50 PUSH EAX 0040858F FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 00408595 8B95 40FFFFFF MOV EDX, DWORD PTR SS:[EBP-C0] 0040859B 56 PUSH ESI 0040859C FF92 14030000 CALL NEAR DWORD PTR DS:[EDX+314] 004085A2 50 PUSH EAX 004085A3 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24] 004085A6 50 PUSH EAX 004085A7 FFD7 CALL NEAR EDI 004085A9 8BF0 MOV ESI, EAX 004085AB 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 004085AE 52 PUSH EDX 004085AF 56 PUSH ESI 004085B0 8B0E MOV ECX, DWORD PTR DS:[ESI] 004085B2 FF91 A0000000 CALL NEAR DWORD PTR DS:[ECX+A0] ; //得到假码 004085B8 85C0 TEST EAX, EAX 004085BA 7D 12 JGE SHORT AfKayAs_.004085CE 004085BC 68 A0000000 PUSH 0A0 004085C1 68 AC6F4000 PUSH AfKayAs_.00406FAC 004085C6 56 PUSH ESI 004085C7 50 PUSH EAX 004085C8 FF15 18B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultCh>; MSVBVM50.__vbaHresultCheckObj 004085CE 8B45 E8 MOV EAX, DWORD PTR SS:[EBP-18] 004085D1 50 PUSH EAX ; //将假码转成浮点 004085D2 FF15 74B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaR8Str>] ; MSVBVM50.__vbaR8Str 004085D8 8B4D E4 MOV ECX, DWORD PTR SS:[EBP-1C] 004085DB DD9D 1CFFFFFF FSTP QWORD PTR SS:[EBP-E4] ; //将ST(0)复制到局部变量中 004085E1 51 PUSH ECX ; //真码转换成浮点 004085E2 FF15 74B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaR8Str>] ; MSVBVM50.__vbaR8Str 004085E8 833D 00904000 00 CMP DWORD PTR DS:[409000], 0 004085EF 75 08 JNZ SHORT AfKayAs_.004085F9 004085F1 DCBD 1CFFFFFF FDIVR QWORD PTR SS:[EBP-E4] ; //刚才保存的浮点假码除真码ST(0) 004085F7 EB 11 JMP SHORT AfKayAs_.0040860A 004085F9 FFB5 20FFFFFF PUSH DWORD PTR SS:[EBP-E0] 004085FF FFB5 1CFFFFFF PUSH DWORD PTR SS:[EBP-E4] 00408605 E8 888AFFFF CALL <JMP.&MSVBVM50._adj_fdivr_m64> 0040860A DFE0 FSTSW AX ; //将FPU状态字保存到AX,检查非屏蔽浮点异常 0040860C A8 0D TEST AL, 0D 0040860E 0F85 AB010000 JNZ AfKayAs_.004087BF 00408614 FF15 34B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>] ; MSVBVM50.__vbaFpR8 0040861A DC1D 28104000 FCOMP QWORD PTR DS:[401028] ; //ST(0)和1.0比较,并执行一次出栈操作 00408620 DFE0 FSTSW AX ; //将FPU状态字保存到AX,检查非屏蔽浮点异常 00408622 F6C4 40 TEST AH, 40 00408625 74 07 JE SHORT AfKayAs_.0040862E 00408627 BE 01000000 MOV ESI, 1 0040862C EB 02 JMP SHORT AfKayAs_.00408630 0040862E 33F6 XOR ESI, ESI 00408630 8D55 E4 LEA EDX, DWORD PTR SS:[EBP-1C] 00408633 8D45 E8 LEA EAX, DWORD PTR SS:[EBP-18] 00408636 52 PUSH EDX 00408637 50 PUSH EAX 00408638 6A 02 PUSH 2 0040863A FF15 80B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrLi>; MSVBVM50.__vbaFreeStrList 00408640 83C4 0C ADD ESP, 0C 00408643 8D4D D8 LEA ECX, DWORD PTR SS:[EBP-28] 00408646 8D55 DC LEA EDX, DWORD PTR SS:[EBP-24] 00408649 51 PUSH ECX 0040864A 52 PUSH EDX 0040864B 6A 02 PUSH 2 0040864D FF15 08B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjLi>; MSVBVM50.__vbaFreeObjList 00408653 F7DE NEG ESI 00408655 83C4 0C ADD ESP, 0C 00408658 B9 04000280 MOV ECX, 80020004 0040865D B8 0A000000 MOV EAX, 0A 00408662 894D 9C MOV DWORD PTR SS:[EBP-64], ECX 00408665 66:85F6 TEST SI, SI 00408668 8945 94 MOV DWORD PTR SS:[EBP-6C], EAX 0040866B 894D AC MOV DWORD PTR SS:[EBP-54], ECX 0040866E 8945 A4 MOV DWORD PTR SS:[EBP-5C], EAX 00408671 894D BC MOV DWORD PTR SS:[EBP-44], ECX 00408674 8945 B4 MOV DWORD PTR SS:[EBP-4C], EAX 00408677 74 62 JE SHORT AfKayAs_.004086DB ; //此处nop掉即可爆破 00408679 8B35 14B14000 MOV ESI, DWORD PTR DS:[<&MSVBVM50.__vbaStrCat>] ; MSVBVM50.__vbaStrCat 0040867F 68 C06F4000 PUSH AfKayAs_.00406FC0 ; You Get It 00408684 68 DC6F4000 PUSH AfKayAs_.00406FDC ; \r\n 00408689 FFD6 CALL NEAR ESI 0040868B 8BD0 MOV EDX, EAX 0040868D 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 00408690 FF15 94B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 00408696 50 PUSH EAX 00408697 68 E86F4000 PUSH AfKayAs_.00406FE8 ; KeyGen It Now 0040869C FFD6 CALL NEAR ESI 0040869E 8945 CC MOV DWORD PTR SS:[EBP-34], EAX 004086A1 8D45 94 LEA EAX, DWORD PTR SS:[EBP-6C] 004086A4 8D4D A4 LEA ECX, DWORD PTR SS:[EBP-5C] 004086A7 50 PUSH EAX 004086A8 8D55 B4 LEA EDX, DWORD PTR SS:[EBP-4C] 004086AB 51 PUSH ECX 004086AC 52 PUSH EDX 004086AD 8D45 C4 LEA EAX, DWORD PTR SS:[EBP-3C] 004086B0 6A 00 PUSH 0 004086B2 50 PUSH EAX 004086B3 C745 C4 08000000 MOV DWORD PTR SS:[EBP-3C], 8 004086BA FF15 24B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox 004086C0 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004086C3 FF15 A8B14000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr 004086C9 8D4D 94 LEA ECX, DWORD PTR SS:[EBP-6C] 004086CC 8D55 A4 LEA EDX, DWORD PTR SS:[EBP-5C] 004086CF 51 PUSH ECX 004086D0 8D45 B4 LEA EAX, DWORD PTR SS:[EBP-4C] 004086D3 52 PUSH EDX 004086D4 8D4D C4 LEA ECX, DWORD PTR SS:[EBP-3C] 004086D7 50 PUSH EAX 004086D8 51 PUSH ECX 004086D9 EB 60 JMP SHORT AfKayAs_.0040873B 004086DB 8B35 14B14000 MOV ESI, DWORD PTR DS:[<&MSVBVM50.__vbaStrCat>] ; MSVBVM50.__vbaStrCat
可以看到,该程序的算法比前一个版本相对复杂了一些,取用户名的长度然后乘上0x15B38,然后取用户名的第一位转成ASCII码 + 之前的乘积,结果转成长整型,再转成浮点,加上2.0,再乘上3.0,再减去2.0,再减去-15.0,也就是加上15.0就得到了真正的注册码。
知道了算法,下面可以来写注册机了:
#include <stdio.h> #include <string.h> #include <stdlib.h> int main(int argc, char* argv[]) { char szBuff[32] = {0}; int nNameLength = 0; printf("请输入用户名: "); scanf("%31s", szBuff); nNameLength = strlen(szBuff); nNameLength *= 0x15B38; nNameLength += szBuff[0]; nNameLength = (((nNameLength + 2) * 3) - 2) + 15; printf("注册码: %d\r\n", nNameLength); system("pause"); return 0; }
浙公网安备 33010602011771号