elance's crackme.NO1 algorithm analysis
Title: elance's crackme.NO1 algorithm analysis
Author: 网游难民
Date: 2006-07-24 18:38
Attachment: elance's crackme.rar
Link: bbs.pediy/showthread.php?threadid=29541
Details:
【Article title】: elance's crackme.NO1 algorithm analysis
【Author】: 网游难民
【Author e-mail】: goqq2008@qq
【Author homepage】: bbs.chinapyg
【Author QQ】: 8587365
【Software name】: elance's crackme.NO1
【Software size】: 24K
【Download】: local
【Packer】: none
【Protection】: serial number
【Language】: Microsoft Visual Basic 5.0 / 6.0
【Tools used】: OD, PEiD
【Platform】: Win9x/NT/2000/XP
【Author's note】: I'm just a little newbie; I happened to pick up a small insight and would like to share it with everyone :)
--------------------------------------------------------------------------------
【Detailed process】
1. Checking with PEiD shows Microsoft Visual Basic 5.0 / 6.0, no packer.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Run the program. There is a NAG at startup: a dialog pops up saying "This is my first~~~~~~".
Go to the registration window and enter wrong registration information to test it. The program also has a "tail"!
It says: "hehe,try again"
When the program is closed, a website homepage suddenly opens: sky/
Let's get to work:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Load it in OD, set a breakpoint with bp rtcMsgBox (to intercept the dialog), then press F9 to run, and we arrive here:
++++++++++++++++++++++++++++++++++++++++++++++++++++
The stack window gives a friendly hint:
0012F990 00402D47 crackme_.00402D47 ---- right-click here and choose "Follow in Disassembler".
0012F994 0012FA6C
0012F998 00000000
0012F99C 0012FA5C
0012F9A0 0012FA4C
0012F9A4 0012FA3C
0012F9A8 0012FB20
We arrive at the following place:
+++++++++++++++++++++++++++++++++++=
00402D40 . 50 PUSH EAX
00402D41 FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MsgBox ---- this is the call that produces the NAG window; assemble here and change it to NOP.
00402D47 . 8D85 28FFFFFF LEA EAX,DWORD PTR SS:[EBP-D8] ------------------------------------ we land here
00402D4D . 8D8D 38FFFFFF LEA ECX,DWORD PTR SS:[EBP-C8]
00402D53 . 50 PUSH EAX
++++++++++++++++++++++++++++==
Then right-click -> Ultra String Reference+ -> search UNICODE: sky/
00402946 MOV DWORD PTR SS:[EBP-7C],c000rack.00401 please input your sn
004029BC PUSH c000rack.00401FF8 good job
004029E5 PUSH c000rack.00402010 hehe,try again
00402B14 PUSH c000rack.00402044 sky ------------ this time double-click this one, and we come to the following
00402B20 PUSH c000rack.00402034 open
00402C65 MOV DWORD PTR SS:[EBP-E0],c000rack.00402 this is my first crackme for
00402C81 MOV DWORD PTR SS:[EBP-F0],c000rack.00402 crack learning,i hope
++++++++++++++++++++++++++++++++++++
00402B10 . 57 PUSH EDI
00402B11 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00402B14 . 68 44204000 PUSH crackme_.00402044 ; sky
00402B19 . 52 PUSH EDX
00402B1A . FFD6 CALL ESI ; <&MSVBVM60.__vbaStrToAnsi>
00402B1C . 50 PUSH EAX
00402B1D . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00402B20 . 68 34204000 PUSH crackme_.00402034 ; open
00402B25 . 50 PUSH EAX
00402B26 . FFD6 CALL ESI
00402B28 . 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
00402B2B . 50 PUSH EAX
00402B2C . 51 PUSH ECX
00402B2D E8 7AF5FFFF CALL crackme_.004020AC ------------------------------ NOP this one out
00402B32 . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00402B38 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
Right-click -> Ultra String Reference+ -> search UNICODE. We get here:
Ultra String Reference+
Address Disassembly Text string
00401244 PUSH c000rack.00401514 (Initial CPU selection)
00402484 MOV DWORD PTR SS:[EBP-7C],c000rack.00401 elance
00402833 MOV DWORD PTR SS:[EBP-8C],c000rack.00401 warning
0040284E MOV DWORD PTR SS:[EBP-7C],c000rack.00401 please input your name
0040292B MOV DWORD PTR SS:[EBP-8C],c000rack.00401 warning
00402946 MOV DWORD PTR SS:[EBP-7C],c000rack.00401 please input your sn
004029BC PUSH c000rack.00401FF8 good job -------------- this should be the successful-registration message
004029E5 PUSH c000rack.00402010 hehe,try again ---------- the registration-failure message; double-click here to get to the following:
00402B14 PUSH c000rack.00402044 sky
++++++++++++++++++++++++++++++++++++++++++++++
We arrive here:
004029A1 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004029A4 . 50 PUSH EAX
004029A5 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004029A7 . 75 29 JNZ SHORT c000rack.004029D2 ----------------------- this is the key jump; simply change the JNZ to JZ and the check is patched out.
004029A9 . FF91 04030000 CALL DWORD PTR DS:[ECX+304]
004029AF . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004029B2 . 50 PUSH EAX
004029B3 . 52 PUSH EDX
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Continuing the analysis: search for the first "warning", set a breakpoint at a suitable spot above it, and we come to the following:
0040245F > /B8 06000000 MOV EAX,6
00402464 . |66:3BF0 CMP SI,AX
00402467 . |0F8F 97000000 JG crackme_.00402504
0040246D . |8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
00402473 . |8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00402476 . |C745 B4 01000>MOV DWORD PTR SS:[EBP-4C],1
0040247D . |C745 AC 02000>MOV DWORD PTR SS:[EBP-54],2
00402484 . |C745 84 541F4>MOV DWORD PTR SS:[EBP-7C],crackme_.00401>; elance
0040248B . |C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],8
00402495 . |FF15 AC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0040249B . |0FBFCE MOVSX ECX,SI
0040249E . |8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004024A1 . |8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004024A4 . |50 PUSH EAX
004024A5 . |51 PUSH ECX
004024A6 . |8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
004024A9 . |52 PUSH EDX
004024AA . |50 PUSH EAX
004024AB . |FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MidCharVar
004024B1 . |8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004024B4 . |8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004024B7 . |51 PUSH ECX
004024B8 . |52 PUSH EDX
004024B9 . |FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
004024BF . |50 PUSH EAX
004024C0 . |FFD3 CALL EBX
004024C2 . |8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28] ; put the previous result into ECX
004024C5 . |0FBFC0 MOVSX EAX,AX ; ASCII code of the current character of "elance", into EAX
004024C8 . |03C1 ADD EAX,ECX ; running sum of the ASCII codes of "elance", into EAX
004024CA . |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004024CD . |0F80 A3050000 JO crackme_.00402A76
004024D3 . |8945 D8 MOV DWORD PTR SS:[EBP-28],EAX ; store it in SS:[EBP-28]
004024D6 . |FFD7 CALL EDI
004024D8 . |8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004024DB . |8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004024DE . |51 PUSH ECX
004024DF . |8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004024E2 . |52 PUSH EDX
004024E3 . |50 PUSH EAX
004024E4 . |6A 03 PUSH 3
004024E6 . |FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004024EC . |B8 01000000 MOV EAX,1 ; set EAX to 1
004024F1 . |83C4 10 ADD ESP,10
004024F4 . |66:03C6 ADD AX,SI ; compute which iteration this is; loop control
004024F7 . |0F80 79050000 JO crackme_.00402A76
004024FD . |8BF0 MOV ESI,EAX
004024FF .^\E9 5BFFFFFF JMP crackme_.0040245F -------------------------- loop that accumulates the ASCII codes of "elance".
00402504 > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402507 . 50 PUSH EAX
00402508 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040250A . FF91 08030000 CALL DWORD PTR DS:[ECX+308]
\\\\\\\\\\\\\\\\\\\\\ N lines omitted \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
0040253B . 50 PUSH EAX
0040253C . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402542 > 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] ; user name into EDX
00402545 . 52 PUSH EDX
00402546 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0040254C . 8BC8 MOV ECX,EAX ; length of the user name, into ECX
0040254E . FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>; MSVBVM60.__vbaI2I4
00402554 . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00402557 . 8985 30FFFFFF MOV DWORD PTR SS:[EBP-D0],EAX ; user name length into EBP-D0
0040255D . BE 01000000 MOV ESI,1
00402562 . FFD7 CALL EDI
00402564 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402567 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040256D > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402570 . 66:3BB5 30FFF>CMP SI,WORD PTR SS:[EBP-D0] ; compare the loop counter with the number of characters in the user name
00402577 . 50 PUSH EAX
00402578 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
0040257A . 0F8F D6000000 JG crackme_.00402656 ; jump if greater
00402580 . FF91 08030000 CALL DWORD PTR DS:[ECX+308]
00402586 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
00402589 . 50 PUSH EAX
0040258A . 52 PUSH EDX
0040258B . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00402591 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
00402593 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00402596 . 52 PUSH EDX
00402597 . 50 PUSH EAX
00402598 . 8985 48FFFFFF MOV DWORD PTR SS:[EBP-B8],EAX
0040259E . FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]
004025A4 . 85C0 TEST EAX,EAX
004025A6 . DBE2 FCLEX
004025A8 . 7D 18 JGE SHORT crackme_.004025C2
004025AA . 8B8D 48FFFFFF MOV ECX,DWORD PTR SS:[EBP-B8]
004025B0 . 68 A0000000 PUSH 0A0
004025B5 . 68 641F4000 PUSH crackme_.00401F64
004025BA . 51 PUSH ECX
004025BB . 50 PUSH EAX
004025BC . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004025C2 > 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; user name
004025C5 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004025C8 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX ; user name into SS:[EBP-3C]
004025CB . 52 PUSH EDX
004025CC . 0FBFC6 MOVSX EAX,SI
004025CF . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004025D2 . 50 PUSH EAX
004025D3 . 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
004025D6 . 51 PUSH ECX
004025D7 . 52 PUSH EDX
004025D8 . C745 B4 01000>MOV DWORD PTR SS:[EBP-4C],1
004025DF . C745 AC 02000>MOV DWORD PTR SS:[EBP-54],2
004025E6 . C745 D4 00000>MOV DWORD PTR SS:[EBP-2C],0
004025ED . C745 BC 08000>MOV DWORD PTR SS:[EBP-44],8
004025F4 . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.#632>] ; MidCharVar
004025FA . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
004025FD . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00402600 . 50 PUSH EAX
00402601 . 51 PUSH ECX
00402602 . FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarVal
00402608 . 50 PUSH EAX
00402609 . FFD3 CALL EBX
0040260B . 0FBFD0 MOVSX EDX,AX ; ASCII code of the user-name character (in AX), into EDX
0040260E . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00402611 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00402614 . 03D0 ADD EDX,EAX ; accumulate the user-name ASCII codes; result in EDX
00402616 . 0F80 5A040000 JO crackme_.00402A76
0040261C . 8955 DC MOV DWORD PTR SS:[EBP-24],EDX ; store the sum computed above in EBP-24
0040261F . FFD7 CALL EDI
00402621 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00402624 . FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040262A . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0040262D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00402630 . 50 PUSH EAX
00402631 . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00402634 . 51 PUSH ECX
00402635 . 52 PUSH EDX
00402636 . 6A 03 PUSH 3
00402638 . FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040263E . B8 01000000 MOV EAX,1
00402643 . 83C4 10 ADD ESP,10
00402646 . 66:03C6 ADD AX,SI ; compute which iteration this is; controls the loop count
00402649 . 0F80 27040000 JO crackme_.00402A76
0040264F . 8BF0 MOV ESI,EAX
00402651 .^ E9 17FFFFFF JMP crackme_.0040256D ------------------ loop that accumulates the ASCII codes of the user name.
00402656 > FF91 04030000 CALL DWORD PTR DS:[ECX+304]
0040265C . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0040265F . 50 PUSH EAX
\\\\\\\\\\\\\\\\\\\\\\\\\ N lines omitted in between \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
00402687 . 50 PUSH EAX
00402688 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040268E > 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C] ; serial number into EDX
00402691 . 52 PUSH EDX
00402692 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00402698 . 8BC8 MOV ECX,EAX ; the CALL above computes the registration
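As an added example (my own code, not the post author's and not part of the crackme), here is a Python model of the two accumulation loops the disassembly above shows: the fixed string "elance" at 0040245F-004024FF and the user name at 0040256D-00402651, including the signed-overflow checks behind the JO instructions. It assumes the CALL EBX after __vbaStrVarVal is VB's Asc (inferred from the MOVSX EAX,AX that follows it; the page does not name the call) and that the input is plain ASCII.

```python
# Added example modelling the two ASCII-sum loops from the disassembly.
# Assumption: CALL EBX is VB's Asc(), so each character yields its code as a
# 16-bit Integer; the "elance" loop uses a hard-coded count of 6 (MOV EAX,6),
# the user-name loop uses Len(name) (__vbaLenBstr -> __vbaI2I4).

FIXED_STRING = "elance"   # constant pushed at 00402484


class VbOverflow(Exception):
    """Models the JO jumps to 00402A76 (VB's 'Overflow' runtime error)."""


def _to_signed16(v):
    """Wrap to a signed 16-bit value (VB Integer / AX, SI)."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def _to_signed32(v):
    """Wrap to a signed 32-bit value (VB Long / EAX, EDX)."""
    v &= 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v


def ascii_sum(text, count=None):
    """i = 1; while i <= count: acc += Asc(Mid(text, i, 1)); i += 1."""
    if count is None:
        count = len(text)                  # __vbaLenBstr -> [EBP-D0]
    acc = 0                                # [EBP-28] / [EBP-24] start at 0
    i = 1                                  # MOV ESI,1
    while i <= count:                      # CMP SI,AX ; JG exits the loop
        code = _to_signed16(ord(text[i - 1]))   # MidCharVar, Asc, MOVSX EAX,AX
        total = code + acc                 # ADD EAX,ECX / ADD EDX,EAX
        if total != _to_signed32(total):   # JO crackme_.00402A76
            raise VbOverflow("32-bit sum overflow")
        acc = total                        # MOV [EBP-28]/[EBP-24],...
        nxt = 1 + i                        # MOV EAX,1 ; ADD AX,SI
        if nxt != _to_signed16(nxt):       # JO crackme_.00402A76
            raise VbOverflow("16-bit counter overflow")
        i = nxt                            # MOV ESI,EAX ; JMP loop head
    return acc


def fixed_string_sum():
    """Value the first loop leaves in [EBP-28]."""
    return ascii_sum(FIXED_STRING, 6)


def name_sum(name):
    """Value the second loop leaves in [EBP-24] for the entered user name."""
    return ascii_sum(name)


if __name__ == "__main__":
    print(fixed_string_sum())            # -> 616
    print(name_sum("pediy"))             # constructed sample name -> 539
```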