[转载]一个VB的CRACKME算法分析
<P>文章作者:风飘雪</P><P><FONT face=宋体>1)PEID检查,MicrosoftVisualBasic5.0/6.0。无壳<BR>2)试运行程序,任意输入注册信息后有错误提示“重新来过吧”<BR>3)OD载入程序,用OD的超级字符串查找功能找不到相应的内容。<BR>只好在命令行下断。bp__vbaVarTstEqbp__vbaStrCmp都不能成功将程序中断。<BR>只有用bp__vbaLenBstr才可以使程序中断。<BR>4)用bp__vbaLenBstr下断后,任意输入注册信息。<BR>程序中断在这里<BR>6A2A49CE>8B442404MOVEAX,DWORDPTRSS:[ESP+4]<BR>6A2A49D285C0TESTEAX,EAX<BR>6A2A49D47405JESHORTMSVBVM60.6A2A49DB<BR>6A2A49D68B40FCMOVEAX,DWORDPTRDS:[EAX-4]<BR>6A2A49D9D1E8SHREAX,1<BR>6A2A49DBC20400RETN4<BR>ALT+F9返回程序领空:<BR>来到这里。。。<BR>00412EC8.FF150C104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaLenBs>;取注册名位数<BR>00412ECE.8BC8MOVECX,EAX<BR>00412ED0.FF1554104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaI2I4>>;<BR>00412ED6.8D4DC8LEAECX,DWORDPTRSS:[EBP-38];EBP-38=注册名<BR>00412ED9.8BD8MOVEBX,EAX<BR>00412EDB.FF15BC104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaFreeS>;<BR>00412EE1.8D4DB8LEAECX,DWORDPTRSS:[EBP-48]<BR>00412EE4.FF15C0104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaFreeO>;<BR>00412EEA.66:83FB06CMPBX,6;注册名不得小于6位,小于则跳向结束<BR>00412EEE.0F8D81000000JGECrackMe0.00412F75<BR>00412EF4.B90A000000MOVECX,0A<BR>00412EF9.B804000280MOVEAX,80020004<BR>00412EFE.898D78FFFFFFMOVDWORDPTRSS:[EBP-88],ECX<BR>00412F04.894D88MOVDWORDPTRSS:[EBP-78],ECX<BR>00412F07.894D98MOVDWORDPTRSS:[EBP-68],ECX<BR>00412F0A.8D9568FFFFFFLEAEDX,DWORDPTRSS:[EBP-98]<BR>00412F10.8D4DA8LEAECX,DWORDPTRSS:[EBP-58]<BR>00412F13.894580MOVDWORDPTRSS:[EBP-80],EAX<BR>00412F16.894590MOVDWORDPTRSS:[EBP-70],EAX<BR>00412F19.8945A0MOVDWORDPTRSS:[EBP-60],EAX<BR>00412F1C.C78570FFFFFF>MOVDWORDPTRSS:[EBP-90],CrackMe0.00411><BR>00412F26.C78568FFFFFF>MOVDWORDPTRSS:[EBP-98],8<BR>00412F30.FF159C104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaVarDu>;<BR>00412F36.8D8578FFFFFFLEAEAX,DWORDPTRSS:[EBP-88]<BR>00412F3C.8D4D88LEAECX,DWORDPTRSS:[EBP-78]<BR>00412F3F.50PUSHEAX<BR>00412F40.8D5598LEAEDX,DWORDPTRSS:[EBP-68]<BR>00412F43.51PUSHECX<BR>00412F44.52PUSHEDX<BR>00412F45.8D45A8LEAEAX,DWORDPTRSS:[EBP-58]<BR>00412F48.6A00PUSH0<BR>00412F4A.50PUSHEAX<BR>00412F4B.FF1530104000CALLDWORDPTRDS:[<&MSVBVM60.#595>];<BR>00412F51.8D8D78FFFFFFLEAECX,DWORDPTRSS:[EBP-88]<BR>00412F57.8D5588LEAEDX,DWORDPTRSS:[EBP-78]<BR>00412F5A.51PUSHECX<BR>00412F5B.8D4598LEAEAX,DWORDPTRSS:[EBP-68]<BR>00412F5E.52PUSHEDX<BR>00412F5F.8D4DA8LEAECX,DWORDPTRSS:[EBP-58]<BR>00412F62.50PUSHEAX<BR>00412F63.51PUSHECX<BR>00412F64.6A04PUSH4<BR>00412F66.FF1514104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaFreeV>;<BR>00412F6C.83C414ADDESP,14<BR>00412F6F.FF1510104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaEnd>];<BR>00412F75>8B55D4MOVEDX,DWORDPTRSS:[EBP-2C]将小写字母转换相应的大写字母<BR>00412F78.BB02000000MOVEBX,2;<BR>00412F7D.53PUSHEBX<BR>00412F7E.52PUSHEDX<BR>00412F7F.895DB0MOVDWORDPTRSS:[EBP-50],EBX<BR>00412F82.895DA8MOVDWORDPTRSS:[EBP-58],EBX<BR>00412F85.FF15AC104000CALLDWORDPTRDS:[<&MSVBVM60.#618>];取注册名最右边的两位<BR>00412F8B.8BD0MOVEDX,EAX<BR>00412F8D.8D4DC8LEAECX,DWORDPTRSS:[EBP-38]<BR>00412F90.FFD6CALLESI<BR>00412F92.50PUSHEAX<BR>00412F93.8B45D4MOVEAX,DWORDPTRSS:[EBP-2C]<BR>00412F96.53PUSHEBX<BR>00412F97.50PUSHEAX<BR>00412F98>.FF15A0104000CALLDWORDPTRDS:[<&MSVBVM60.#616>];取注册名最左边的两位<BR>00412F9E.8BD0MOVEDX,EAX<BR>00412FA0.8D4DC4LEAECX,DWORDPTRSS:[EBP-3C]<BR>00412FA3.FFD6CALLESI<BR>00412FA5.8B1D20104000MOVEBX,DWORDPTRDS:[<&MSVBVM60.__vbaSt>;<BR>00412FAB.50PUSHEAX<BR>00412FAC.FFD3CALLEBX;最右边两位和最左边两位合并,设为A<BR>00412FAE.8BD0MOVEDX,EAX<BR>00412FB0.8D4DC0LEAECX,DWORDPTRSS:[EBP-40]<BR>00412FB3.FFD6CALLESI<BR>00412FB5.8B55D4MOVEDX,DWORDPTRSS:[EBP-2C]<BR>00412FB8.8D4DA8LEAECX,DWORDPTRSS:[EBP-58]<BR>00412FBB.50PUSHEAX<BR>00412FBC.51PUSHECX<BR>00412FBD.6A02PUSH2<BR>00412FBF.52PUSHEDX<BR>00412FC0.FF1544104000CALLDWORDPTRDS:[<&MSVBVM60.#631>];取注册名的第二和第三位,设为B<BR>00412FC6.8BD0MOVEDX,EAX<BR>00412FC8.8D4DBCLEAECX,DWORDPTRSS:[EBP-44]<BR>00412FCB.FFD6CALLESI<BR>00412FCD.50PUSHEAX<BR>00412FCE.FFD3CALLEBX<BR>00412FD0.8BD0MOVEDX,EAX;A与B合并<BR>00412FD2.8D4DD0LEAECX,DWORDPTRSS:[EBP-30]、<BR>省略一些代码。。。。。。<BR>0041305A.FF1598104000CALLDWORDPTRDS:[<&MSVBVM60.__vbaStrCo>;真假注册码比较<BR>00413060.66:85C0TESTAX,AX<BR>00413063.0F8508010000JNZCrackMe0.00413171不相等就跳向结束<BR>------------------------------------------------------------------------<BR>算法总结:<BR>1)注册名必须大于六位。<BR>2)取注册名的最右边两位(设为甲)。最左边两位(设为乙)。第2和第3位(设为丙)。<BR>3)将甲乙丙合并即为注册码。<BR>例:19860805<BR>取其最右边两位05。最左边两位19。第2和第3位98<BR>所以注册名:19860805<BR>注册码:051998<BR>********************************************注意***********************************************<BR>如果注册名中有小写字母,则程序先将其先转换成相应的大写字母。<BR>例:<BR>注册名aabbccdd对应的注册码是DDAAAb<BR>有错误或疏漏的地方请大家指出</FONT><BR></P>
<P></P>
页:
[1]