VB程序
首先用OD调试,搜索字符串
找到了提示注册成功的字符串,但是程序在OD中无法运行起来
最后使用了x32dbg,找到了字符串匹配的代码,输入name:12345 serial:123
看到了注册码,那么注册码一定是在这之前生成的,由于VB程序比较难分析,使用了VB Decompiler直接反编译
' Click handler for Command1 as recovered by VB Decompiler. The listing is an
' excerpt (no End Sub is shown) and is pseudo-code, not compilable VB.
' It reads Text1 and several Label captions, builds a string ending in "-CM",
' and compares that string with Text2.Text before showing the success MsgBox.
' NOTE(review): Text1 is presumably the name field and Text2 the serial field - confirm in the form.
Private Sub Command1_Click() '402B10
Dim Me As Me
Dim var_4C As TextBox
Dim var_48 As TextBox
Dim var_12C As Label
Dim var_124 As Label
loc_00402BE6: var_124 = var_4C
loc_00402C06: var_28 = Text1.Text
loc_00402C37: var_eax = Unknown_VTable_Call[edx+00000054h]
loc_00402C8E: var_28 = Text1.Text
loc_00402CE6: If var_124 = 0 Then GoTo loc_00402D9C
' German: "The name must have at least 5 chars" - presumably the text shown when a length check fails.
loc_00402D50: var_74 = " Der Name muss mindestens 5 Chars haben "
loc_00402DCD: var_28 = Text1.Text
loc_00402DFB: var_EC = Len(var_28)
' Loop bounded by Len(Text1.Text); the decompiler dropped the start value after "=".
loc_00402E46: For var_24 = To Len(var_28) Step 1
loc_00402E4F: var_184 = var_178
loc_00402E6A: If var_184 = 0 Then GoTo loc_00403099
loc_00402E8D: var_2C = Text1.Text
' Asc() of a string returns the character code of its first character.
loc_00402EBE: var_118 = Asc(var_2C)
loc_00402EF4: var_28 = Label2.Caption
loc_00402FA8: var_198 = var_12C
' Arithmetic step: Label2.Caption * Asc(Text1.Text) * global_401100 / Hex(21), written back to Label2.
' NOTE(review): the values of Label2.Caption and global_401100 are not visible in this listing - read them in the debugger.
loc_00402FBC: Label2.Caption = CStr(((var_28 * var_118) * global_401100) / Hex(21))
loc_00403027: var_eax = Text1.SetFocus
loc_00403086: Next var_24
loc_0040308C: var_184 = Next var_24
loc_00403094: GoTo loc_00402E64
loc_00403099: 'Referenced from: 00402E6A
' Label1.Caption is replaced by its integer part (Fix truncates the fraction).
loc_004030CC: var_28 = Label1.Caption
loc_00403108: call __vbaStrR8(Fix(var_28))
loc_00403113: var_2C = __vbaStrR8(Fix(var_28))
loc_00403123: Label1.Caption = var_2C
loc_0040318D: var_28 = Label4.Caption
loc_0040322B: var_2C = Label3.Caption
loc_0040325C: var_34 = Text1.Text
loc_004032B9: var_28 = Text1.Text
' Label3 value plus the first character code of Text1.Text.
loc_00403319: var_EC = (var_2C + Asc(var_28))
loc_00403343: var_30 = Label3.Caption
' First character code times 19h, subtracted from the Label3 value, then rendered with Hex().
loc_0040336B: Asc(var_34) = Asc(var_34) * 0019h
loc_004033A2: var_6C = (var_30 - Asc(var_34))
loc_004033AF: var_84 = Hex(var_6C)
' Hex() of the Label3 value itself.
loc_004033CE: var_38 = Label3.Caption
loc_004033FE: var_9C = var_38
loc_0040340E: var_B4 = Hex(var_38)
loc_0040342D: var_3C = Text1.Text
loc_00403464: var_40 = Text1.Text
' First character code times Len(Text1.Text), minus 1Bh.
loc_00403499: Asc(var_3C) = Asc(var_3C) * Len(var_40)
loc_004034B2: Asc(var_3C) = Asc(var_3C) - 0000001Bh
loc_004034C1: var_FC = Asc(var_3C)
' The partial results are concatenated with "&"; the decompiler lost at least one operand here (trailing "&").
loc_004034D8: var_94 = ((var_28 * var_118) * global_401100) & var_84
loc_0040350D: var_44 = CStr(var_94 & var_B4 &)
loc_0040351D: var_eax = Unknown_VTable_Call[ecx+00000054h]
loc_004035D6: var_28 = Text2.Text
loc_0040360D: var_2C = Label5.Caption
loc_0040363E: var_30 = Text1.Text
' Expected string: Label5.Caption & Len(Text1.Text) & "-CM".
loc_0040369F: var_3C = var_2C & CStr(Len(var_30)) & "-CM"
' Text2.Text is compared with the expected string; the result gates the MsgBox below.
' NOTE(review): the branch polarity as rendered by the decompiler is unreliable - confirm in the debugger.
loc_004036C5: esi = (var_28 = var_3C) + 1
loc_004036EB: If (var_28 = var_3C) + 1 = 0 Then GoTo loc_0040379C
' German: "Congratulations, you did it!" (64 = information icon).
loc_00403772: MsgBox(" Gratulation ,du hast es geschafft!", 64, "Colormaster´s Crackme 7.0", var_94, var_A4)
loc_004037A7: GoTo loc_00403839
一边使用x32dbg一边使用VB Decompiler静态分析,效果非常显著。
首先我们看第一个算法
loc_00402FBC: Label2.Caption = CStr(((var_28 * var_118) * global_401100) / Hex(21))
第一个字符的ASCII码*432.4*17.79/15(Hex(21) 返回字符串 "15",做除法时按数值 15 处理)
49*432.4*17.79/15 ≈ 25128.49,之后经 Fix 取整得到 25128(49 是 name 首字符 '1' 的ASCII码)
第二个算法
loc_0040336B: Asc(var_34) = Asc(var_34) * 0019h
loc_004033A2: var_6C = (var_30 - Asc(var_34))
loc_004033AF: var_84 = Hex(var_6C)
0040336B | imul bx,bx,19 |
0040336F | jo colormaster.403880 |
00403375 | movsx eax,bx |
00403378 | mov dword ptr ss:[ebp-1AC],eax |
0040337E | lea ecx,dword ptr ss:[ebp-74] |
00403381 | fild dword ptr ss:[ebp-1AC] |
00403387 | lea edx,dword ptr ss:[ebp-84] |
0040338D | push ecx |
0040338E | push edx |
0040338F | mov dword ptr ss:[ebp-74],5 |
00403396 | fstp qword ptr ss:[ebp-1B4] |
0040339C | fsub qword ptr ss:[ebp-1B4] |
004033A2 | fstp qword ptr ss:[ebp-6C] |
004033A5 | fnstsw ax |
004033A7 | test al,D |
>>> 49*432.4*17.79/15
25128.493599999998
>>> 25128 - 0x31*0x19
23903
>>> hex(23903)
'0x5d5f'
>>>
第三个算法(对 25128 取十六进制;从数值看对应的应是 loc_0040340E: var_B4 = Hex(var_38),下面引用的 loc_004033AF 属于第二个算法)
loc_004033AF: var_84 = Hex(var_6C)
>>> hex(25128)
'0x6228'
第四个算法
loc_00403464: var_40 = Text1.Text
loc_00403499: Asc(var_3C) = Asc(var_3C) * Len(var_40)
loc_004034B2: Asc(var_3C) = Asc(var_3C) - 0000001Bh
loc_004034C1: var_FC = Asc(var_3C)
00403464 | call dword ptr ds:[eax+A0] |
0040346A | test eax,eax |
0040346C | fnclex |
0040346E | jge colormaster.403482 |
00403470 | push A0 |
00403475 | push colormaster.401E94 |
0040347A | push ebx |
0040347B | push eax |
0040347C | call dword ptr ds:[<&__vbaHresultCheckO |
00403482 | mov edx,dword ptr ss:[ebp-3C] |
00403485 | push edx |
00403486 | call dword ptr ds:[<&rtcAnsiValueBstr>] |
0040348C | movsx ebx,ax |
0040348F | mov eax,dword ptr ss:[ebp-40] |
00403492 | push eax |
00403493 | call dword ptr ds:[<&__vbaLenBstr>] |
00403499 | imul ebx,eax |
0040349C | mov ecx,dword ptr ss:[ebp-154] |
004034A2 | mov dword ptr ss:[ebp-104],3 |
004034AC | jo colormaster.403880 |
004034B2 | sub ebx,1B |
004034B5 | lea edx,dword ptr ss:[ebp-F4] |
004034BB | jo colormaster.403880 |
004034C1 | mov dword ptr ss:[ebp-FC],ebx |
004034C7 | mov ebx,dword ptr ds:[ecx] |
004034C9 | lea eax,dword ptr ss:[ebp-84] |
>>> 0x31 * 5 - 0x1b
218
第五个算法(loc_00403319:Label3 的值加上 name 首字符的ASCII码,下式中的 s 即 name)
25128 + ord(s[0]) == 25177
第六个算法
loc_0040369F: var_3C = var_2C & CStr(Len(var_30)) & "-CM"
251775D5F62282185-CM(即 25177、5D5F、6228、218、name 长度 5 与 "-CM" 依次拼接)
最后写出注册机
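def make_serial(name):
    """Return the serial string the crackme expects for ``name``.

    Reproduces the steps recovered in the analysis, with ``f`` the character
    code of the first character and ``n`` the length of the name:

    * ``s = int(f * 432.4 * 17.79 / 15)`` (``int()`` truncates like VB ``Fix``)
    * serial = ``s + f`` (decimal), ``Hex(s - 0x19 * f)``, ``Hex(s)``,
      ``f * n - 0x1B`` (decimal), ``n`` (decimal), followed by ``"-CM"``

    Raises:
        ValueError: if ``name`` is empty (there is no first character).
    """
    if not name:
        raise ValueError("name must not be empty")
    # NOTE(review): the "mindestens 5 Chars" string in the binary suggests that
    # names shorter than 5 characters are rejected before the serial check - confirm.
    # ord() matches VB's Asc() only for single-byte characters; assumes an ASCII name.
    f = ord(name[:1])
    s = int(f * 432.4 * 17.79 / 15)
    # VB's Hex() produces upper-case digits (the worked example is
    # 251775D5F62282185-CM), while Python's hex() produces lower case, which a
    # case-sensitive string comparison would reject. %X keeps the case identical.
    return "%d%X%X%d%d-CM" % (s + f, s - 0x19 * f, s, f * len(name) - 0x1B, len(name))


if __name__ == "__main__":
    try:
        read_line = raw_input  # Python 2, as in the original script
    except NameError:
        read_line = input  # Python 3
    print(make_serial(read_line("name:")))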