160 - 3 Afkayas.2

环境:

Windows xp sp3


这次的目标有两个:

1.去除Nag窗口

2.找出Serial的算法


1.这次去除Nag窗口用了另外三个程序:

(1)VBLocalize v1.1.0.0

(2)UltraEdit

(3)VBExplorer

因为是VB程序,所以用VBLocalize加载程序,

根据偏移地址,在文件中找到timer的偏移地址:

用VBExplorer可以看到timer的属性:

得知Nag窗口存在时间为7秒,Timer的位置是(2880,2160),转为16进制为:(0x0B40,0x0870)

7000的16进制为1B58,于是可以得知:

00005b75-00005b76处的两个字节(小端序存储的1B58)为Nag窗口存在的时间,可以把这两个字节改为 58 1B ->01 00,

如果改为0则Nag窗口一直存在。







2.找到Serial算法


和1一样,输入一个错的,然后F12,Alt + F9回到程序领空。


; Result-display section (the enclosing routine starts and ends outside this excerpt).
; eax = 0xA (VT_ERROR) goes to offset 0 of three VARIANT slots ([ebp-0x6C], [ebp-0x5C],
; [ebp-0x4C]); ecx goes to their offset +8 ([ebp-0x64], [ebp-0x54], [ebp-0x44]).
; ecx was loaded before this excerpt -- presumably the "parameter not found" scode; confirm.
0040865D   .  B8 0A000000   mov eax,0xA                              ;  VT_ERROR -> "missing" optional-argument VARIANTs
00408662   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00408665   .  66:85F6       test si,si				     ;  si was set outside this excerpt (comparison result, presumably)
00408668   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040866B   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
0040866E   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00408671   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00408674   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
00408677   .  74 62         je XAfKayAs_.004086DB		     ; si == 0 -> the "You Get Wrong" path below; must not be taken
00408679   .  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
0040867F   .  68 C06F4000   push AfKayAs_.00406FC0                   ;  UNICODE "You Get It"
00408684   .  68 DC6F4000   push AfKayAs_.00406FDC                   ; /String = ""
00408689   .  FFD6          call esi                                 ; \__vbaStrCat
0040868B   .  8BD0          mov edx,eax
0040868D   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00408690   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove -> temp BSTR now owned by [ebp-0x18]
00408696   .  50            push eax
00408697   .  68 E86F4000   push AfKayAs_.00406FE8                   ;  UNICODE "KeyGen It Now"
0040869C   .  FFD6          call esi                                 ;  __vbaStrCat again: joins the temp with "KeyGen It Now"
0040869E   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax          ;  = offset +8 of the VARIANT at [ebp-0x3C] (its bstrVal)
004086A1   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004086A4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004086A7   .  50            push eax                                 ;  args pushed right-to-left: three VT_ERROR VARIANTs first
004086A8   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
004086AB   .  51            push ecx
004086AC   .  52            push edx
004086AD   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004086B0   .  6A 00         push 0x0                                 ;  then 0 (MsgBox buttons, presumably)
004086B2   .  50            push eax                                 ;  then &VARIANT[ebp-0x3C] -- the first parameter (prompt)
004086B3   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8          ;  vt = VT_BSTR, written before the call reads it
004086BA   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox
004086C0   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086C3   .  FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr -- release the temp BSTR
004086C9   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004086CC   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004086CF   .  51            push ecx                                 ;  four VARIANT addresses for the shared cleanup tail
004086D0   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004086D3   .  52            push edx
004086D4   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004086D7   .  50            push eax
004086D8   .  51            push ecx
004086D9   .  EB 60         jmp XAfKayAs_.0040873B		     ; above: success message; below: failure message (target outside this excerpt)
004086DB   >  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
004086E1   .  68 08704000   push AfKayAs_.00407008                   ;  UNICODE "You Get Wrong"
004086E6   .  68 DC6F4000   push AfKayAs_.00406FDC                   ; /String = ""
004086EB   .  FFD6          call esi                                 ; \__vbaStrCat
004086ED   .  8BD0          mov edx,eax
004086EF   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086F2   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
004086F8   .  50            push eax
004086F9   .  68 28704000   push AfKayAs_.00407028                   ;  UNICODE "Try Again"
004086FE   .  FFD6          call esi
00408700   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax          ;  same VARIANT layout as the success path
00408703   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00408706   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00408709   .  52            push edx
0040870A   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
0040870D   .  50            push eax
0040870E   .  51            push ecx
0040870F   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00408712   .  6A 00         push 0x0
00408714   .  52            push edx
00408715   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8          ;  vt = VT_BSTR
0040871C   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox
00408722   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]	     ;  Alt+F9 (execute till user code) returns here after the MsgBox



再往上一点就看到了这个:

; Serial step 1 (enclosing routine starts and ends outside this excerpt):
;   edi = Len(string at [ebp-0x1C]) * 0x15B38 + Asc(string at [ebp-0x18])
004081E9   > \8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]          ;  BSTR at [ebp-0x1C] (the Name text, per the write-up)
004081F2   .  50            push eax                                 ; /String
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]               ; |
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr = Len()
004081FB   .  8BF8          mov edi,eax                              ;  edi = L (length in characters)
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00408200   .  69FF 385B0100 imul edi,edi,0x15B38		     ; 0x15B38 = 88888 decimal; this multiplier is what differs from part 1
00408206   .  51            push ecx                                 ; /String
00408207   .  0F80 B7050000 jo AfKayAs_.004087C4                     ; | signed 32-bit overflow of the imul -> 004087C4 (VB overflow error, presumably)
0040820D   .  FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>]     ; \rtcAnsiValueBstr = Asc(): code of the string's first character
00408213   .  0FBFD0        movsx edx,ax                             ;  Asc result is 16-bit; sign-extend to 32
00408216   .  03FA          add edi,edx                              ;  edi = L*88888 + Asc(c)


这个在1里面遇到过,只是乘数不一样了(0x15B38 = 88888)。

Name长度为L

Name的首字母为c

当前计算结果为s


得到公式: s = L*88888+ascii(c)

继续往下有:

; Serial step 2: s = s + (10.0 / 5.0).  s arrives as a string and is converted
; to a double by __vbaR8Str; the function continues outside this excerpt.
004082E9   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str -> st0 = s as double
004082EF   .  D905 08104000 fld dword ptr ds:[0x401008]              ;  [401008] is 10.0 (per the write-up); st0 = 10.0, st1 = s
004082F5   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0          ;  runtime flag selecting plain fdiv or the _adj_fdiv helper (Pentium FDIV workaround, presumably)
004082FC   .  75 08         jnz XAfKayAs_.00408306
004082FE   .  D835 0C104000 fdiv dword ptr ds:[0x40100C]             ;  [40100c] is 5.0, so 10.0/5.0 = 2.0
00408304   .  EB 0B         jmp XAfKayAs_.00408311
00408306   >  FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C   .  E8 578DFFFF   call <jmp.&MSVBVM50._adj_fdiv_m32>      ;  same division through the runtime helper
00408311   >  83EC 08       sub esp,0x8                              ;  8 bytes reserved -- presumably for a double handed to a later call (outside excerpt)
00408314   .  DFE0          fstsw ax
00408316   .  A8 0D         test al,0xD                              ;  FPU status bits 0,2,3 = IE | ZE | OE
00408318   .  0F85 A1040000 jnz AfKayAs_.004087BF                    ;  any FP exception flag set -> error path at 004087BF
0040831E   .  DEC1          faddp st(1),st                           ;  s = s + 2.0 (st1 += st0, pop)
00408320   .  DFE0          fstsw ax

得到:

s = s + 2

继续往下:


; Serial step 3: s = s * 3 - 2, then back to a string (surrounding code outside this excerpt).
004083F5   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str -> st0 = s as double
004083FB   .  DC0D 10104000 fmul qword ptr ds:[0x401010]             ; [401010] is 3 (per the write-up): s = s*3
00408401   .  83EC 08       sub esp,0x8                              ;  room for the double stored at [esp] below
00408404   .  DC25 18104000 fsub qword ptr ds:[0x401018]	     ; [401018] is 2 (per the write-up): s = s-2
0040840A   .  DFE0          fstsw ax
0040840C   .  A8 0D         test al,0xD                              ;  FPU status IE | ZE | OE
0040840E   .  0F85 AB030000 jnz AfKayAs_.004087BF                    ;  FP exception -> error path at 004087BF
00408414   .  DD1C24        fstp qword ptr ss:[esp]                  ;  pass s as the 8-byte stack argument
00408417   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8: double -> string


得到:

s = s * 3 - 2

继续往下:


; Serial step 4: s = s - (-15) = s + 15, then back to a string (surrounding code outside this excerpt).
004084DF   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str -> st0 = s as double
004084E5   .  DC25 20104000 fsub qword ptr ds:[0x401020]	     ;  [0x401020] is -15 (per the write-up), so s = s + 15
004084EB   .  83EC 08       sub esp,0x8                              ;  room for the double stored at [esp] below
004084EE   .  DFE0          fstsw ax
004084F0   .  A8 0D         test al,0xD                              ;  FPU status IE | ZE | OE
004084F2   .  0F85 C7020000 jnz AfKayAs_.004087BF                    ;  FP exception -> error path at 004087BF
004084F8   .  DD1C24        fstp qword ptr ss:[esp]                  ;  pass s as the 8-byte stack argument
004084FB   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8: double -> string
00408501   .  8BD0          mov edx,eax                              ;  edx = resulting BSTR


得到:

s = s + 15


联合起来就是:


s = ((L*88888+ascii(c))+2)*3-2+15 = (L*88888+ascii(c))*3+19


