Article author: 逍遥风
1) Checked for a packer with PEiD: Microsoft Visual Basic 5.0/6.0, not packed.
2) Test run: whatever you enter, the error message "you get wrong try again" appears.
3) Loaded the program in OD and used Ultra String Reference to search for the error message "you get wrong try again":
Ultra String Reference+, item 5
Address      = 004025E5
Disassembly  = PUSH CrackMe1.00401BC8
Text string  = you get wrong
Double-click to land at 004025E5, then scroll upwards to find where the program starts comparing the registration code. Set a breakpoint at 00402310.
4) Reload the program in OD; after entering anything, the program breaks.
00402310 >  55              PUSH EBP                                          ; breaks here; step down with F8
00402311 .  8BEC            MOV EBP,ESP
00402313 .  83EC 0C         SUB ESP,0C
...... (some code omitted)
0040240F .  8B45 E4         MOV EAX,DWORD PTR SS:[EBP-1C]
00402412 .  50              PUSH EAX                                          ; push the entered code
00402413 .  8B1A            MOV EBX,DWORD PTR DS:[EDX]
00402415 .  FF15 E4404000   CALL DWORD PTR DS:[<&MSVBVM50.__vbaLenBstr>]      ; MSVBVM50.__vbaLenBstr
0040241B .  8BF8            MOV EDI,EAX                                       ; EAX = number of characters in the entered code
0040241D .  8B4D E8         MOV ECX,DWORD PTR SS:[EBP-18]                     ; EBP-18 = the entered code
00402420 .  69FF FB7C0100   IMUL EDI,EDI,17CFB                                ; EDI = EDI*17CFB
00402426 .  51              PUSH ECX
00402427 .  0F80 91020000   JO CrackMe1.004026BE
0040242D .  FF15 F8404000   CALL DWORD PTR DS:[<&MSVBVM50.#516>]              ; note: step into this CALL first
00402433 .  0FBFD0          MOVSX EDX,AX                                      ; EAX = 32 or 31
00402436 .  03FA            ADD EDI,EDX                                       ; EDI = EDI+EDX (EDI = D64D3, EDX = 32)
00402438 .  0F80 80020000   JO CrackMe1.004026BE                              ; EDI = D6505
0040243E .  57              PUSH EDI
0040243F .  FF15 E0404000   CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>]        ; step in!! this computes the registration code
00402445 .  8BD0            MOV EDX,EAX
00402447 .  8D4D E0         LEA ECX,DWORD PTR SS:[EBP-20]
0040244A .  FF15 70414000   CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>]      ; MSVBVM50.__vbaStrMove
00402450 .  8BBD 50FFFFFF   MOV EDI,DWORD PTR SS:[EBP-B0]
...... (some code omitted)
0040251C .  50              PUSH EAX
0040251D .  68 701B4000     PUSH CrackMe1.00401B70                            ; "aka-"
00402522 >. 51              PUSH ECX                                          ; prepend AKA- to the computed registration code
00402523 .  FFD7            CALL EDI
00402525 .  8B1D 70414000   MOV EBX,DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>]
0040252B .  8BD0            MOV EDX,EAX
0040252D .  8D4D E0         LEA ECX,DWORD PTR SS:[EBP-20]
00402530 .  FFD3            CALL EBX
00402532 .  50              PUSH EAX
00402533 .  FF15 28414000   CALL DWORD PTR DS:[<&MSVBVM50.__vbaStrCmp>]
00402539 .  8BF0            MOV ESI,EAX
0040253B .  8D55 E0         LEA EDX,DWORD PTR SS:[EBP-20]
0040253E .  F7DE            NEG ESI
00402540 .  8D45 E8         LEA EAX,DWORD PTR SS:[EBP-18]
00402543 .  52              PUSH EDX
00402544 .  1BF6            SBB ESI,ESI
00402546 .  8D4D E4         LEA ECX,DWORD PTR SS:[EBP-1C]
00402549 .  50              PUSH EAX
0040254A .  46              INC ESI
0040254B .  51              PUSH ECX
0040254C .  6A 03           PUSH 3
0040254E .  F7DE            NEG ESI
00402550 .  FF15 5C414000   CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrList>]  ; MSVBVM50.__vbaFreeStrList
00402556 .  83C4 10         ADD ESP,10
00402559 .  8D55 D8         LEA EDX,DWORD PTR SS:[EBP-28]
0040255C .  8D45 DC         LEA EAX,DWORD PTR SS:[EBP-24]
0040255F .  52              PUSH EDX
00402560 .  50              PUSH EAX
00402561 .  6A 02           PUSH 2
00402563 .  FF15 F4404000   CALL DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjList>]  ; MSVBVM50.__vbaFreeObjList
00402569 .  83C4 0C         ADD ESP,0C
0040256C .  B9 04000280     MOV ECX,80020004
00402571 .  B8 0A000000     MOV EAX,0A
00402576 .  894D 9C         MOV DWORD PTR SS:[EBP-64],ECX
00402579 .  66:85F6         TEST SI,SI
0040257C .  8945 94         MOV DWORD PTR SS:[EBP-6C],EAX
0040257F .  894D AC         MOV DWORD PTR SS:[EBP-54],ECX
00402582 .  8945 A4         MOV DWORD PTR SS:[EBP-5C],EAX
00402585 .  894D BC         MOV DWORD PTR SS:[EBP-44],ECX
00402588 .  8945 B4         MOV DWORD PTR SS:[EBP-4C],EAX
0040258B .  74 58           JE SHORT CrackMe1.004025E5                        ; comparison of the real and entered codes; if equal, jumps to success
Below are the contents of each CALL that was stepped into.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Inside the first CALL:
762BC89B >  55              PUSH EBP
762BC89C    B8 00000000     MOV EAX,0
762BC8A1    8BEC            MOV EBP,ESP
762BC8A3    83EC 04         SUB ESP,4
762BC8A6    56              PUSH ESI
762BC8A7    8B75 08         MOV ESI,DWORD PTR SS:[EBP+8]                      ; EBP+8 = registration name
762BC8AA    85F6            TEST ESI,ESI
762BC8AC    74 05           JE SHORT MSVBVM50.762BC8B3
762BC8AE    8B46 FC         MOV EAX,DWORD PTR DS:[ESI-4]
762BC8B1    D1E8            SHR EAX,1                                         ; EAX*2
762BC8B3    85C0            TEST EAX,EAX
762BC8B5    0F84 D6D20300   JE MSVBVM50.762F9B91
762BC8BB    33C0            XOR EAX,EAX                                       ; clear EAX
762BC8BD    8D4D FE         LEA ECX,DWORD PTR SS:[EBP-2]
762BC8C0    50              PUSH EAX
762BC8C1    50              PUSH EAX
762BC8C2    6A 02           PUSH 2
762BC8C4    51              PUSH ECX
762BC8C5    6A 01           PUSH 1
762BC8C7    56              PUSH ESI
762BC8C8    50              PUSH EAX
762BC8C9    50              PUSH EAX
762BC8CA    FF15 00122876   CALL DWORD PTR DS:[<&KERNEL32.WideCharToMultiByte>] ; KERNEL32.WideCharToMultiByte
762BC8D0    83F8 02         CMP EAX,2
762BC8D3    66:0FB645 FE    MOVZX AX,BYTE PTR SS:[EBP-2]                      ; takes the ASCII value of the first character of the registration name into EAX
762BC8D8    0F84 BAD20300   JE MSVBVM50.762F9B98
762BC8DE    5E              POP ESI
762BC8DF    8BE5            MOV ESP,EBP
762BC8E1    5D              POP EBP
762BC8E2    C2 0400         RETN 4                                            ; returns once the computation is done
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Inside the CALL that computes the registration code:
7629BECF >  83EC 04         SUB ESP,4
7629BED2    8D4424 00       LEA EAX,DWORD PTR SS:[ESP]
7629BED6    50              PUSH EAX
7629BED7    6A 00           PUSH 0
7629BED9    E8 5BF5FEFF     CALL MSVBVM50.7628B439
7629BEDE    50              PUSH EAX
7629BEDF    FF7424 14       PUSH DWORD PTR SS:[ESP+14]
7629BEE3 >  FF15 641A2876   CALL DWORD PTR DS:[<&OLEAUT32.#110>]              ; step in
7629BEE9    85C0            TEST EAX,EAX
7629BEEB    0F8C E5FE0400   JL MSVBVM50.762EBDD6
7629BEF1    8B4424 00       MOV EAX,DWORD PTR SS:[ESP]
7629BEF5    83C4 04         ADD ESP,4
7629BEF8    C2 0400         RETN 4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...... which leads here:
779BF080 >  8B4C24 04       MOV ECX,DWORD PTR SS:[ESP+4]
779BF084    83EC 50         SUB ESP,50
779BF087    8D4424 00       LEA EAX,DWORD PTR SS:[ESP]
779BF08B    50              PUSH EAX
779BF08C    51              PUSH ECX
779BF08D    E8 EE33FEFF     CALL OLEAUT32.779A2480                            ; step in here
779BF092    8D4424 00       LEA EAX,DWORD PTR SS:[ESP]
779BF096    8B5424 60       MOV EDX,DWORD PTR SS:[ESP+60]
779BF09A    52              PUSH EDX
779BF09B    50              PUSH EAX
779BF09C    E8 AFA3FFFF     CALL OLEAUT32.779B9450
779BF0A1    83C4 50         ADD ESP,50
779BF0A4    C2 1000         RETN 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...... which leads here:
779A2480    8B4424 04       MOV EAX,DWORD PTR SS:[ESP+4]
779A2484    33C9            XOR ECX,ECX
779A2486    85C0            TEST EAX,EAX
779A2488    56              PUSH ESI
779A2489    8B7424 0C       MOV ESI,DWORD PTR SS:[ESP+C]
779A248D    0F9CC1          SETL CL
779A2490    51              PUSH ECX
779A2491    56              PUSH ESI
779A2492    50              PUSH EAX
779A2493    E8 48FFFFFF     CALL OLEAUT32.779A23E0                            ; step into this one
779A2498    8BC6            MOV EAX,ESI
779A249A    5E              POP ESI
779A249B    C2 0800         RETN 8
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...... which leads here, where the registration code is computed from the registration name (the key part)!
779A23E8    53              PUSH EBX
779A23E9    56              PUSH ESI
779A23EA    85C0            TEST EAX,EAX
779A23EC    57              PUSH EDI
779A23ED    74 10           JE SHORT OLEAUT32.779A23FF
779A23EF    8B7424 10       MOV ESI,DWORD PTR SS:[ESP+10]
779A23F3    66:C701 2D00    MOV WORD PTR DS:[ECX],2D
779A23F8    83C1 02         ADD ECX,2
779A23FB    F7DE            NEG ESI
779A23FD    EB 04           JMP SHORT OLEAUT32.779A2403
779A23FF    8B7424 10       MOV ESI,DWORD PTR SS:[ESP+10]                     ; ESP+10 = A
779A2403    8BD9            MOV EBX,ECX
779A2405    8BC6            MOV EAX,ESI                                       ; load A into EAX
779A2407    33D2            XOR EDX,EDX                                       ; clear EDX
779A2409    BF 0A000000     MOV EDI,0A                                        ; set EDI = 0A
779A240E    83C1 02         ADD ECX,2                                         ; ECX grows by 2 on every iteration
779A2411    F7F7            DIV EDI                                           ; EAX/EDI: quotient into EAX, remainder into EDX
779A2413    B8 CDCCCCCC     MOV EAX,CCCCCCCD                                  ; load a constant into EAX
779A2418    8BFA            MOV EDI,EDX                                       ; EDX = 0, i.e. this clears EDI
779A241A    F7E6            MUL ESI
779A241C    C1EA 03         SHR EDX,3                                         ; EDX divided by 8 (2 to the power 3)
779A241F    83C7 30         ADD EDI,30                                        ; EDI += 30 on every iteration
779A2422    8BF2            MOV ESI,EDX                                       ; copy EDX into ESI
779A2424    66:8979 FE      MOV WORD PTR DS:[ECX-2],DI
779A2428    85F6            TEST ESI,ESI                                      ; done yet? if not, keep computing
779A242A  ^ 77 D9           JA SHORT OLEAUT32.779A2405
779A242C    66:C701 0000    MOV WORD PTR DS:[ECX],0                           ; lands here once the computation is finished
779A2431    83E9 02         SUB ECX,2                                         ; ECX -= 2
779A2434    66:8B13         MOV DX,WORD PTR DS:[EBX]
779A2437    66:8B01         MOV AX,WORD PTR DS:[ECX]
779A243A    66:8911         MOV WORD PTR DS:[ECX],DX
779A243D    66:8903         MOV WORD PTR DS:[EBX],AX
779A2440    83E9 02         SUB ECX,2
779A2443    83C3 02         ADD EBX,2
779A2446    3BD9            CMP EBX,ECX
779A2448  ^ 72 EA           JB SHORT OLEAUT32.779A2434                        ; this block reverses the digits produced above
779A244A    5F              POP EDI
779A244B    5E              POP ESI                                           ; restore the registers
779A244C    5B              POP EBX                                           ; 00CA4B90
779A244D    C2 0C00         RETN 0C                                           ; return
------------------------------------------------------------------------
Algorithm summary.
1) Take the ASCII value of the first character of the registration name (if a digit is entered, an odd digit gives 31 and an even digit gives 32); call this value A.
2) Multiply the length of the registration name (its number of characters) by the constant 17CFB; call the result B.
3) A + B gives a value; call it C.
4) Looping as many times as B has digits, divide C by the constant 0A, then divide the quotient by 0A again, and so on until the loop ends.
Example: suppose B is a 5-character string.
C/0A = Q with remainder W. Q/0A = E with remainder R. E/0A = T with remainder Y. T/0A = U with remainder I. U/0A = O with remainder P.
5 divisions in total.
5) Join the remainders of those 5 divisions into a string, here WRYIP.
6) Reverse that string, here PIYRW.
7) Prepend AKA- to the reversed string, here AKA-PIYRW. That is the registration code.
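To confirm the reading of the disassembly, here is an added Python re-implementation of the check CrackMe1 performs (example code, not part of the original write-up). The constants are the ones visible in the listing (IMUL EDI,EDI,17CFB and the "aka-" string); it assumes plain ASCII input, so the WideCharToMultiByte step inside MSVBVM50.#516 reduces to the code of the first character.

```python
# Added example: re-implementation of the CrackMe1 serial check traced above.
# Constants from the listing: IMUL EDI,EDI,17CFB (00402420) and "aka-" (0040251D).
# Assumption: ASCII input, so MSVBVM50.#516 yields ord() of the first character.

MULTIPLIER = 0x17CFB
PREFIX = "AKA-"


def first_char_code(name: str) -> int:
    """MSVBVM50.#516 at 762BC89B: ANSI code of the first character (value A)."""
    if not name:
        raise ValueError("registration name must not be empty")
    return ord(name[0])  # assumption: ASCII, so one byte per character


def decimal_digits(value: int) -> str:
    """The OLEAUT32 loop at 779A2405..779A2448: DIV by 0A, remainder + 30h per
    iteration (do-while, so 0 still yields one digit), then reverse the digits."""
    sign = ""
    if value < 0:                                  # 779A23F3: writes '-' and negates
        sign, value = "-", -value
    digits = []
    while True:
        value, remainder = divmod(value, 10)       # DIV EDI with EDI = 0A
        digits.append(chr(0x30 + remainder))       # ADD EDI,30 ; MOV WORD PTR [ECX-2],DI
        if value == 0:                             # TEST ESI,ESI / JA: exit when zero
            break
    return sign + "".join(reversed(digits))        # swap loop at 779A2434..779A2448


def expected_serial(name: str) -> str:
    """Serial the crackme accepts for `name`: AKA- followed by len(name)*17CFB + A."""
    b = len(name) * MULTIPLIER                     # __vbaLenBstr, then IMUL (00402415..00402420)
    c = b + first_char_code(name)                  # ADD EDI,EDX (00402436)
    return PREFIX + decimal_digits(c)              # __vbaStrI4, then the "aka-" concatenation


def check_serial(name: str, serial: str) -> bool:
    """__vbaStrCmp at 00402533: accepted only on exact string equality."""
    return serial == expected_serial(name)


if __name__ == "__main__":
    # Constructed input reproducing the author's trace: 9 characters starting with '2'
    # gives B = D64D3 and C = D6505, the values noted at 00402436/00402438.
    sample_name = "2" + "x" * 8
    print(expected_serial(sample_name))            # AKA-877829 (0xD6505 in decimal)
```

Because the loop divides by 10, keeps each remainder as a digit and reverses the result, the digit string is simply C written in decimal, which is what __vbaStrI4 is expected to produce.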
That is as far as the analysis goes for now; some details may not have been worked out fully. Please point out any omissions or mistakes.