Crackme9-笔记

链接:https://www.52pojie.cn/thread-615320-1-1.html
https://www.52pojie.cn/thread-265789-1-1.html

【这个感觉还是没有理解透彻……以后再弄】

程序是VB,表示不会

1、搜索关键字/堆栈平衡都可以找到关键跳转,直接nop掉即可。
2、看不懂程序,只看到调用了很多运行库函数:__vbaVarForInit、rtcMidCharVar、__vbaStrVarVal、rtcAnsiValueBstr、__vbaVarAdd、__vbaVarForNext

; Setup for the loop over the user name (OllyDbg listing, 32-bit, Intel syntax).
; The excerpt starts mid-function, at the tail of an earlier HRESULT check.
; The code wraps the user-name string in a Variant (type tag 0x8 = VT_BSTR at
; [ebp-0x6C], data at [ebp-0x64]) and moves it to [ebp-0x44] via __vbaVarMove.
; It then calls __vbaVarForInit with Start = 1, Step = 1 and the End value
; returned by __vbaLenVar, which reads like "For i = 1 To Len(name)".
; NOTE(review): annotations such as "msvbvm50.__vbaMidStmtVar" beside ebx/esi
; look like register values captured when the dump was taken, not the value
; the register holds at that instruction -- TODO confirm.
004020A6   .  53            push ebx                                              ;  msvbvm50.__vbaMidStmtVar
004020A7   .  50            push eax
004020A8   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]  ;  msvbvm50.__vbaHresultCheckObj
004020AE   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]                       ;  user name [15d6fc]
004020B1   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi                       ;  msvbvm50.__vbaVarMove
004020B4   .  8B35 FC404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>]       ;  msvbvm50.__vbaVarMove
004020BA   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
004020BD   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
004020C0   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax                       ;  eax = user name
004020C3   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8                       ;  type tag 0x8 for the Variant whose data slot was filled on the previous line
004020CA   .  FFD6          call esi                                              ;  msvbvm50.__vbaVarMove; <&MSVBVM50.__vbaVarMove>
004020CC   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004020CF   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]          ;  msvbvm50.__vbaFreeObj
004020D5   .  B8 01000000   mov eax,0x1                                           ;  eax = 1
004020DA   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
004020E0   .  8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax                       ;  value 1 for the Variant at [ebp-0xAC] (pushed below as Step)
004020E6   .  8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax                       ;  value 1 for the Variant at [ebp-0xBC] (pushed below as Start)
004020EC   .  8D55 BC       lea edx,dword ptr ss:[ebp-0x44]                       ;  edx = 0012f49c
004020EF   .  51            push ecx                                              ; /Step8 = NULL
004020F0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]                       ; |
004020F3   .  BB 02000000   mov ebx,0x2                                           ; |ebx = 2
004020F8   .  52            push edx                                              ; |/var18 = 00914950
004020F9   .  50            push eax                                              ; ||retBuffer8 = 0012F484
004020FA   .  899D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ebx                       ; ||edx = user name
00402100   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx                       ; ||msvbvm50.__vbaMidStmtVar
00402106   .  FF15 18414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>]           ; |\__vbaLenVar
0040210C   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]                       ; |
00402112   .  50            push eax                                              ; |End8 = 0012F484
00402113   .  8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-0x118]                      ; |
00402119   .  51            push ecx                                              ; |Start8 = NULL
0040211A   .  8D85 F8FEFFFF lea eax,dword ptr ss:[ebp-0x108]                      ; |
00402120   .  52            push edx                                              ; |TMPend8 = 00914950
00402121   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]                       ; |
00402124   .  50            push eax                                              ; |TMPstep8 = 0012F484
00402125   .  51            push ecx                                              ; |Counter8 = NULL
00402126   .  FF15 20414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>]       ; \__vbaVarForInit
0040212C   .  8B3D 04414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>]   ;  msvbvm50.__vbaFreeVarList
; Loop body: one pass per character of the user name.
; Each pass extracts one character with rtcMidCharVar, using the loop counter
; at [ebp-0x24] (converted by __vbaI4Var) as the position. It converts that
; character to its code with rtcAnsiValueBstr and adds the code to the running
; total in the Variant at [ebp-0x34] (__vbaVarAdd, then __vbaVarMove through esi).
; Temporaries are freed, __vbaVarForNext advances the counter, and control
; jumps back to the test at 00402132; the loop ends when eax is zero there.
00402132   >  85C0          test eax,eax
00402134   .  0F84 9C000000 je Andréna.004021D6                                   ;  loop finished: continue at 004021D6
0040213A   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
0040213D   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
00402140   .  52            push edx                                              ;  &[ebp-0x6C]; presumably stays on the stack as the length argument of rtcMidCharVar -- TODO confirm
00402141   .  50            push eax
00402142   .  C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1                       ;  value 1; its type tag (ebx = 2) is stored on the next line
00402149   .  895D 94       mov dword ptr ss:[ebp-0x6C],ebx                       ;  msvbvm50.__vbaMidStmtVar
0040214C   .  FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>]            ;  msvbvm50.__vbaI4Var
00402152   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]                       ; |
00402155   .  50            push eax                                              ; |Start = 0x12F484
00402156   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]                       ; |
00402159   .  51            push ecx                                              ; |dString8 = NULL
0040215A   .  52            push edx                                              ; |RetBUFFER = 00914950
0040215B   .  FF15 38414000 call dword ptr ds:[<&MSVBVM50.#rtcMidCharVar_632>]    ; \rtcMidCharVar
00402161   .  8D45 84       lea eax,dword ptr ss:[ebp-0x7C]                       ;  this function extracts the corresponding character from the string
00402164   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
00402167   .  50            push eax                                              ; /String8 = 0012F484
00402168   .  51            push ecx                                              ; |ARG2 = NULL
00402169   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]        ; \__vbaStrVarVal
0040216F   .  50            push eax                                              ; /String = ""
00402170   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>] ; \rtcAnsiValueBstr
00402176   .  66:8985 4CFFF>mov word ptr ss:[ebp-0xB4],ax                         ;  character code, e.g. "1" = 0x31
0040217D   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
00402180   .  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-0xBC]
00402186   .  52            push edx                                              ; /var18 = 00914950
00402187   .  8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]                       ; |
0040218D   .  50            push eax                                              ; |var28 = 0012F484
0040218E   .  51            push ecx                                              ; |saveto8 = NULL
0040218F   .  899D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ebx                       ; |msvbvm50.__vbaMidStmtVar
00402195   .  FF15 94414000 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>]           ; \__vbaVarAdd
0040219B   .  8BD0          mov edx,eax
0040219D   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004021A0   .  FFD6          call esi                                              ;  msvbvm50.__vbaVarMove
004021A2   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
004021A5   .  FF15 B8414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]          ;  msvbvm50.__vbaFreeStr
004021AB   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]                       ;  "&OK"
004021AE   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004021B1   .  52            push edx
004021B2   .  50            push eax
004021B3   .  53            push ebx                                              ;  msvbvm50.__vbaMidStmtVar
004021B4   .  FFD7          call edi                                              ;  msvbvm50.__vbaFreeVarList
004021B6   .  83C4 0C       add esp,0xC
004021B9   .  8D8D E8FEFFFF lea ecx,dword ptr ss:[ebp-0x118]
004021BF   .  8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-0x108]
004021C5   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004021C8   .  51            push ecx                                              ; /TMPend8 = NULL
004021C9   .  52            push edx                                              ; |TMPstep8 = 00914950
004021CA   .  50            push eax                                              ; |Counter8 = 0012F484
004021CB   .  FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>]       ; \__vbaVarForNext
004021D1   .^ E9 5CFFFFFF   jmp Andréna.00402132
; After the loop: multiply the running total and insert the separators.
; __vbaVarMul multiplies the Variant at [ebp-0x34] by a Variant with type tag
; 0x3 and value 0x499602D2 (1234567890 decimal); the product is moved back to
; [ebp-0x34]. Two __vbaMidStmtVar calls follow, each passing [ebp-0x34], the
; immediates 4/1 and then 9/1 (presumably start and length), and a Variant
; with type tag 0x8 pointing at the string at 00401C34, noted by the author as "-".
004021D6   >  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004021D9   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
004021DF   .  51            push ecx                                              ; /var18 = NULL
004021E0   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]                       ; |
004021E3   .  52            push edx                                              ; |var28 = 00914950
004021E4   .  50            push eax                                              ; |SaveTo8 = 0012F484
004021E5   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x499602D2                ; |multiplier value: 0x499602D2 = 1234567890 decimal
004021EF   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x3                       ; |type tag 0x3 for the multiplier Variant at [ebp-0xAC]
004021F9   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarMul>]           ; \__vbaVarMul
004021FF   .  8BD0          mov edx,eax
00402201   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00402204   .  FFD6          call esi                                              ;  msvbvm50.__vbaVarMove
00402206   .  8B1D A0414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>]    ;  msvbvm50.__vbaMidStmtVar
0040220C   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
0040220F   .  51            push ecx
00402210   .  6A 04         push 0x4                                              ;  first separator: position 4
00402212   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
00402218   .  6A 01         push 0x1
0040221A   .  52            push edx
0040221B   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34          ;  "-" string
00402225   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
0040222F   .  FFD3          call ebx                                              ;  msvbvm50.__vbaMidStmtVar; <&MSVBVM50.__vbaMidStmtVar>
00402231   .  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]                       ;  "ck"
00402234   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
0040223A   .  50            push eax
0040223B   .  6A 09         push 0x9                                              ;  second separator: position 9
0040223D   .  6A 01         push 0x1
0040223F   .  51            push ecx
00402240   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.00401C34          ;  "-" string
0040224A   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
00402254   .  FFD3          call ebx                                              ;  msvbvm50.__vbaMidStmtVar
; Reads the entered registration code and compares it with the derived value.
; Two calls through object vtables ([edx+0x304], then [ecx+0xA0]) leave a string
; in [ebp-0x58]; the listing does not name them, presumably a control lookup
; followed by a text-property read -- TODO confirm. A negative return from the
; second call goes to __vbaHresultCheckObj.
; __vbaVarTstEq then compares a Variant wrapping that string (type tag 0x8008)
; with the Variant at [ebp-0x34]. The result is saved in ebx across the
; clean-up calls, and the je at 004022CB branches on it.
; The accept/reject decision therefore rests on this one in-process comparison
; against a locally computed value.
00402256   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]                        ;  "ck"
00402259   .  50            push eax
0040225A   .  8B10          mov edx,dword ptr ds:[eax]
0040225C   .  FF92 04030000 call dword ptr ds:[edx+0x304]                         ;  vtable call on the object passed in [ebp+0x8]
00402262   .  50            push eax
00402263   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00402266   .  50            push eax                                              ;  "110-4691-5770"
00402267   .  FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]           ;  msvbvm50.__vbaObjSet
0040226D   .  8BD8          mov ebx,eax
0040226F   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
00402272   .  52            push edx
00402273   .  53            push ebx                                              ;  msvbvm50.__vbaMidStmtVar
00402274   .  8B0B          mov ecx,dword ptr ds:[ebx]
00402276   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]                          ;  vtable call on the object from __vbaObjSet; output goes to [ebp-0x58]
0040227C   .  85C0          test eax,eax
0040227E   .  7D 12         jge short Andréna.00402292
00402280   .  68 A0000000   push 0xA0
00402285   .  68 201C4000   push Andréna.00401C20
0040228A   .  53            push ebx                                              ;  msvbvm50.__vbaMidStmtVar
0040228B   .  50            push eax
0040228C   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]  ;  msvbvm50.__vbaHresultCheckObj
00402292   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]                       ;  entered registration code (serial)
00402295   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00402298   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax
0040229B   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
0040229E   .  50            push eax                                              ; /var18 = 0012F484
0040229F   .  51            push ecx                                              ; |var28 = NULL
004022A0   .  C745 A8 00000>mov dword ptr ss:[ebp-0x58],0x0                       ; |
004022A7   .  C745 94 08800>mov dword ptr ss:[ebp-0x6C],0x8008                    ; |type tag 0x8008 for the Variant wrapping the entered string
004022AE   .  FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>]         ; \__vbaVarTstEq
004022B4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004022B7   .  8BD8          mov ebx,eax                                           ;  key point: comparison result saved in ebx
004022B9   .  FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]          ;  msvbvm50.__vbaFreeObj
004022BF   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004022C2   .  FF15 00414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>]          ;  msvbvm50.__vbaFreeVar
004022C8   .  66:85DB       test bx,bx
004022CB   .  0F84 C0000000 je Andréna.00402391                                   ;  key jump: taken when bx is zero (target 00402391 is outside this listing)
; Path reached when the je at 004022CB is not taken (bx was non-zero).
; Calls rtcBeep, loads __vbaVarDup into ebx, and fills Variant slots on the
; stack. Two get type tag 0xA with value 0x80020004 (VT_ERROR /
; DISP_E_PARAMNOTFOUND, the usual encoding of an omitted optional argument);
; one gets type tag 0x8 pointing at the string the debugger shows as "RiCHTiG !".
; The listing ends before the call that consumes them, presumably a message box.
004022D1   .  FF15 74414000 call dword ptr ds:[<&MSVBVM50.#rtcBeep_534>]          ;  msvbvm50.rtcBeep
004022D7   .  8B1D 98414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>]        ;  msvbvm50.__vbaVarDup
004022DD   .  B9 04000280   mov ecx,0x80020004                                    ;  value stored into [ebp-0x94] and [ebp-0x84] below
004022E2   .  898D 6CFFFFFF mov dword ptr ss:[ebp-0x94],ecx
004022E8   .  B8 0A000000   mov eax,0xA                                           ;  type tag stored into [ebp-0x9C] and [ebp-0x8C] below
004022ED   .  898D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ecx
004022F3   .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
004022F9   .  8D4D 84       lea ecx,dword ptr ss:[ebp-0x7C]
004022FC   .  8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
00402302   .  8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
00402308   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.00401CA8          ;  RiCHTiG !
00402312   .  C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8

3、用VB Decompiler工具进行反编译

4、发现程序算法是:取name的每一个字符的ASCII码相加,再把和与1234567890(即上面代码中的0x499602D2)相乘,将乘积转为字符串,并将第4和第9个字符替换为“-”

好像是这样……
