系统 : Windows xp
程序 : abexcrackme2
程序下载地址 :http://pan.baidu.com/s/1qXhyt8C
要求 : 注册机编写
使用工具 : OD
可在“PEDIY CrackMe 2007”中查找关于此程序的破文,标题为“abex' #2的算法分析(VB简单)”。
程序是用VB语言编写,所以可以参考下这篇文章:http://www.cnblogs.com/bbdxf/p/3793545.html,大部分反汇编出来的函数名都可以在其中查到。
话不多说,我们采用OD载入程序,并利用超级字串参考插件查找宽字符串“yep, this key is right!”,并定位调用位置。向上搜索,定位关键代码:
00403191 . 8B1D 4C104000 mov ebx, dword ptr [<&MSVBVM60.#632>>; MSVBVM60.rtcMidCharVar
00403197 > 85C0 test eax, eax ; eax为0则结束循环
00403199 . 0F84 06010000 je 004032A5
0040319F . 8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
004031A5 . 8D45 DC lea eax, dword ptr [ebp-24]
004031A8 . 52 push edx
004031A9 . 50 push eax
004031AA . C785 6CFFFFFF>mov dword ptr [ebp-94], 1
004031B4 . 89BD 64FFFFFF mov dword ptr [ebp-9C], edi
004031BA . FF15 A8104000 call dword ptr [<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
004031C0 . 8D4D 8C lea ecx, dword ptr [ebp-74]
004031C3 . 50 push eax
004031C4 . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
004031CA . 51 push ecx
004031CB . 52 push edx
004031CC . FFD3 call ebx
004031CE . 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
004031D4 . 8D4D AC lea ecx, dword ptr [ebp-54]
004031D7 . FFD6 call esi
004031D9 . 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C]
004031DF . FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004031E5 . 8D45 AC lea eax, dword ptr [ebp-54]
004031E8 . 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88] ; ↓从字符串特点位置上获取其值
004031EE . 50 push eax ; /String8
004031EF . 51 push ecx ; |ARG2
004031F0 . FF15 80104000 call dword ptr [<&MSVBVM60.__vbaStrVa>; \__vbaStrVarVal
004031F6 . 50 push eax ; /String
004031F7 . FF15 1C104000 call dword ptr [<&MSVBVM60.#516>] ;
tcAnsiValueBstr
004031FD . 8D95 24FFFFFF lea edx, dword ptr [ebp-DC] ; ↑传回字符码
00403203 . 8D4D AC lea ecx, dword ptr [ebp-54]
00403206 . 66:8985 2CFFF>mov word ptr [ebp-D4], ax ; 保存字符码
0040320D . 89BD 24FFFFFF mov dword ptr [ebp-DC], edi
00403213 . FFD6 call esi
00403215 . 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88] ; ↓释放出字符串所占的内存
0040321B . FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00403221 . 8D55 AC lea edx, dword ptr [ebp-54]
00403224 . 8D85 24FFFFFF lea eax, dword ptr [ebp-DC]
0040322A . 52 push edx ; /var18
0040322B . 8D8D 64FFFFFF lea ecx, dword ptr [ebp-9C] ; |
00403231 . 50 push eax ; |var28
00403232 . 51 push ecx ; |saveto8
00403233 . C785 2CFFFFFF>mov dword ptr [ebp-D4], 64 ; |
0040323D . 89BD 24FFFFFF mov dword ptr [ebp-DC], edi ; |
00403243 . FF15 AC104000 call dword ptr [<&MSVBVM60.__vbaVarAd>; \__vbaVarAdd
00403249 . 8BD0 mov edx, eax
0040324B . 8D4D AC lea ecx, dword ptr [ebp-54]
0040324E . FFD6 call esi
00403250 . 8D55 AC lea edx, dword ptr [ebp-54]
00403253 . 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00403259 . 52 push edx
0040325A . 50 push eax
0040325B . FF15 94104000 call dword ptr [<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
00403261 . 8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
00403267 . 8D4D AC lea ecx, dword ptr [ebp-54]
0040326A . FFD6 call esi
0040326C . 8D4D BC lea ecx, dword ptr [ebp-44]
0040326F . 8D55 AC lea edx, dword ptr [ebp-54]
00403272 . 51 push ecx
00403273 . 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
00403279 . 52 push edx
0040327A . 50 push eax
0040327B . FF15 84104000 call dword ptr [<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
00403281 . 8BD0 mov edx, eax
00403283 . 8D4D BC lea ecx, dword ptr [ebp-44]
00403286 . FFD6 call esi
00403288 . 8D8D BCFEFFFF lea ecx, dword ptr [ebp-144]
0040328E . 8D95 CCFEFFFF lea edx, dword ptr [ebp-134]
00403294 . 51 push ecx ; /TMPend8
00403295 . 8D45 DC lea eax, dword ptr [ebp-24] ; |
00403298 . 52 push edx ; |TMPstep8
00403299 . 50 push eax ; |Counter8
0040329A . FF15 C0104000 call dword ptr [<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
004032A0 .^ E9 F2FEFFFF jmp 00403197
004032A5 > 8B45 08 mov eax, dword ptr [ebp+8]
004032A8 . 50 push eax
004032A9 . 8B08 mov ecx, dword ptr [eax]
004032AB . FF91 04030000 call dword ptr [ecx+304]
004032B1 . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
004032B7 . 50 push eax
004032B8 . 52 push edx
004032B9 . FF15 38104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004032BF . 8BF8 mov edi, eax
004032C1 . 8D8D 78FFFFFF lea ecx, dword ptr [ebp-88]
004032C7 . 51 push ecx
004032C8 . 57 push edi
004032C9 . 8B07 mov eax, dword ptr [edi]
004032CB . FF90 A0000000 call dword ptr [eax+A0]
004032D1 . 85C0 test eax, eax
004032D3 . DBE2 fclex
004032D5 . 7D 12 jge short 004032E9
004032D7 . 68 A0000000 push 0A0
004032DC . 68 68234000 push 00402368
004032E1 . 57 push edi
004032E2 . 50 push eax
004032E3 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004032E9 > 8B85 78FFFFFF mov eax, dword ptr [ebp-88]
004032EF . BF 08000000 mov edi, 8
004032F4 . 8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
004032FA . 8D4D CC lea ecx, dword ptr [ebp-34]
004032FD . C785 78FFFFFF>mov dword ptr [ebp-88], 0
00403307 . 8985 6CFFFFFF mov dword ptr [ebp-94], eax
0040330D . 89BD 64FFFFFF mov dword ptr [ebp-9C], edi
00403313 . FFD6 call esi
00403315 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
0040331B . FF15 C8104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00403321 . 8D55 BC lea edx, dword ptr [ebp-44]
00403324 . 8D45 CC lea eax, dword ptr [ebp-34]
00403327 . 52 push edx ; /var18
00403328 . 50 push eax ; |var28
00403329 . FF15 58104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
0040332F . 66:85C0 test ax, ax ; 判断核心
00403332 . 0F84 D0000000 je 00403408
以上,就是关键算法,其实注册算法相当简单:用户名字符+0x64即序列号。
没有学过VB的朋友对于其相当奇葩的函数调用和变量引用会理解的相对很吃力。这个crackme发布于1999年,2007年它的破文在看雪论坛发表。而今天,2016年1月12日由我来破解这个程序。时隔17年,时代变了,技术不断更新,VB语言也渐渐没落了。也许有一天,VB会被彻底淘汰。但对于曾用VB做开发,或是曾逆向过VB程序的程序员来说,我们会将它存入一个不知名的文件夹,连同过去的记忆一并,深埋心底。
好了,过去归于过去。现在的路还要好好的走。我们打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,并修改OnBtnDecrypt函数如下:
void CKengen_TemplateDlg::OnBtnDecrypt()
{
// TODO: Add your control notification handler code here
CString str;
GetDlgItemText( IDC_EDIT_NAME,str ); //获取用户名字串基本信息。
int len = str.GetLength();
if ( len >= 4 ){ //格式控制。
CString PassWord = "";
CString Temp = "";
for ( int i = 0 ; i != 4 ; i++ ){
Temp.Format( "%X",( str[i] + 0x64 ) );
PassWord += Temp;
}
SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
}
else
MessageBox( "用户名格式错误!" );
}
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("abexcrackme2_Keygen"));
运行效果:
