这是一个VB代码,逻辑和算法也不复杂,唯一的问题是对VB的API不够了解.所以需要百度API的作用.这里我就贴出我破解这个程序的思路…
查找字符串定位关键代码段
如图所示,错误之后提示 password incorrect ,所以搜索该字符串
双击该password correct ,hehe,:-)字符串后定位到如下位置:
继续往上拉,在004030F0处下断点
输入密码之后,点击按钮,程序断下 往下走,看到输入的字符串的值和长度
; Set-up of the check (004031A2-004031ED): the entered password is wrapped in a
; Variant, its length is taken with __vbaLenVar/__vbaI2Var and stored at
; [ebp-0x108], and esi/edi are both started at 1 (the two 1-based counters
; used by the loop that follows).
004031A2 . FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; Msvbvm50.__vbaHresultCheckObj
004031A8 > 8B45 C0 mov eax,dword ptr ss:[ebp-0x40] ; fetch the entered password
004031AB . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004031AE . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004031B1 . 8975 C0 mov dword ptr ss:[ebp-0x40],esi
004031B4 . 8945 B0 mov dword ptr ss:[ebp-0x50],eax
004031B7 . C745 A8 08000>mov dword ptr ss:[ebp-0x58],0x8 ; Variant type 8 (VT_BSTR) holding the password
004031BE . FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMove>] ; Msvbvm50.__vbaVarMove ; password Variant moved to [ebp-0x28]
004031C4 . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
004031C7 . FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; Msvbvm50.__vbaFreeObj
004031CD . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004031D0 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004031D3 . 51 push ecx ; /var18 = 00000007
004031D4 . 52 push edx ; |retBuffer8 = 0019F248
004031D5 . BE 01000000 mov esi,0x1 ; | ; esi = 1: position inside the key stream
004031DA . FF15 18614000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; \__vbaLenVar ; Len(password)
004031E0 . 50 push eax
004031E1 . FF15 74614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>] ; Msvbvm50.__vbaI2Var ; length as a 16-bit integer
004031E7 . 8985 F8FEFFFF mov dword ptr ss:[ebp-0x108],eax ; length of the entered string is kept here
004031ED . 8BFE mov edi,esi ; edi = 1: position inside the password
; Loop 004031EF-0040332A, one pass per 1-based position di of the password.
; Each pass computes Chr(Asc(Mid(password, di, 1)) Xor Asc(Mid("2000", si, 1)))
; with si cycling 1..4, and appends it to the accumulator Variant at
; [ebp-0x38]. The "2000" comes from the VT_I2 Variant set to 0x7D0 below.
004031EF > 66:3BBD F8FEF>cmp di,word ptr ss:[ebp-0x108] ; compare di with the input length; greater -> leave the loop
004031F6 . 8B1D 6C614000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ; Msvbvm50.__vbaStrVarVal
004031FC . 0F8F 2D010000 jg cracking.0040332F ; di > Len(password): all characters processed
00403202 . 66:83FE 04 cmp si,0x4 ; when si > 4 the jump below is not taken and si is reset to 1 (si cycles 1..4)
00403206 . 7E 05 jle short cracking.0040320D
00403208 . BE 01000000 mov esi,0x1
0040320D > 0FBFCF movsx ecx,di ; Start = di
00403210 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
00403213 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00403216 . 50 push eax ; /Length8 = 0x7
00403217 . 51 push ecx ; |Start = 0x7
00403218 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68] ; |
0040321B . 52 push edx ; |dString8 = 0019F248 ; the password Variant
0040321C . 50 push eax ; |RetBUFFER = 00000007
0040321D . C745 B0 01000>mov dword ptr ss:[ebp-0x50],0x1 ; | ; Length Variant value 1
00403224 . C745 A8 02000>mov dword ptr ss:[ebp-0x58],0x2 ; | ; Length Variant type 2 (VT_I2)
0040322B . FF15 38614000 call dword ptr ds:[<&MSVBVM50.#rtcMidCharVar_632>] ; \rtcMidCharVar ; Mid(password, di, 1) -> [ebp-0x68]
00403231 . B8 02000000 mov eax,0x2 ; Variant type 2 (VT_I2) for the next two Variants
00403236 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
0040323C . 0FBFD6 movsx edx,si ; Start = si
0040323F . 8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
00403245 . 8945 88 mov dword ptr ss:[ebp-0x78],eax
00403248 . 51 push ecx ; /Length8 = 0x7
00403249 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78] ; |
0040324C . 52 push edx ; |Start = 0x19F248
0040324D . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98] ; |
00403253 . 50 push eax ; |dString8 = 00000007 ; the VT_I2 Variant holding 2000
00403254 . 51 push ecx ; |RetBUFFER = 00000007
00403255 . C745 80 01000>mov dword ptr ss:[ebp-0x80],0x1 ; | ; Length Variant value 1
0040325C . C745 90 D0070>mov dword ptr ss:[ebp-0x70],0x7D0 ; | ; 0x7D0 = 2000, the key stream "2000"
00403263 . FF15 38614000 call dword ptr ds:[<&MSVBVM50.#rtcMidCharVar_632>] ; \rtcMidCharVar ; Mid("2000", si, 1) -> [ebp-0x98]
00403269 . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
0040326C . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
0040326F . 52 push edx
00403270 . 50 push eax
00403271 . FFD3 call ebx ; cracking.004043C8 ; __vbaStrVarVal: the password character as a string
00403273 . 50 push eax ; /String = 00000007 ???
00403274 . FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>>; \rtcAnsiValueBstr ; Asc() of the password character
0040327A . 0FBFD0 movsx edx,ax
0040327D . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98] ; now the key-stream character from Mid("2000", si, 1)
00403283 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
00403286 51 push ecx
00403287 50 push eax
00403288 . 8995 E8FEFFFF mov dword ptr ss:[ebp-0x118],edx ; 2 0 0 0 ; Asc(password char) parked here
0040328E . FFD3 call ebx ; cracking.004043C8 ; __vbaStrVarVal
00403290 . 50 push eax ; /String = 00000007 ???
00403291 . FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>>; \rtcAnsiValueBstr ; Asc() of the key-stream character
00403297 . 8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118] ; reload Asc(password char)
0040329D . 0FBFC8 movsx ecx,ax
004032A0 . 33D1 xor edx,ecx ; XOR the two character codes
004032A2 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032A8 . 52 push edx
004032A9 . 50 push eax
004032AA . FF15 64614000 call dword ptr ds:[<&MSVBVM50.#rtcVarBstrFromAnsi_60>; Msvbvm50.rtcVarBstrFromAnsi ; Chr() of the XOR result -> [ebp-0xA8]
004032B0 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
004032B3 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
004032B9 . 51 push ecx ; accumulator [ebp-0x38] is the left operand of the concatenation
004032BA . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
004032C0 . 52 push edx
004032C1 . 50 push eax
004032C2 . FF15 70614000 call dword ptr ds:[<&MSVBVM50.__vbaVarCat>] ; Msvbvm50.__vbaVarCat ; accumulator & Chr(...)
004032C8 . 8BD0 mov edx,eax ; the concatenated result becomes the new accumulator
004032CA . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38] ; ecx=0x6A4C7C
004032CD . FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMove>] ; Msvbvm50.__vbaVarMove ; store it back into [ebp-0x38]
004032D3 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
004032D6 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004032D9 . 51 push ecx
004032DA . 52 push edx
004032DB . 6A 02 push 0x2
004032DD . FF15 8C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>] ; Msvbvm50.__vbaFreeStrList ; release the two temporary strings
004032E3 . 83C4 0C add esp,0xC
004032E6 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032EC . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
004032F2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004032F8 . 50 push eax
004032F9 . 51 push ecx
004032FA . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
004032FD . 52 push edx
004032FE . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00403301 . 50 push eax
00403302 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
00403305 . 51 push ecx
00403306 . 52 push edx
00403307 . 6A 06 push 0x6
00403309 . FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; Msvbvm50.__vbaFreeVarList ; release the six temporary Variants
0040330F . 83C4 1C add esp,0x1C
00403312 . 66:46 inc si ; next key-stream position (wrapped to 1 by the cmp at 00403202)
00403314 . B8 01000000 mov eax,0x1
00403319 . 66:03C7 add ax,di ; di + 1
0040331C . 0F80 44020000 jo cracking.00403566 ; 16-bit signed overflow of the counter
00403322 . 0F80 3E020000 jo cracking.00403566
00403328 . 8BF8 mov edi,eax ; next password position
0040332A .^ E9 C0FEFFFF jmp cracking.004031EF
; Final comparison (0040332F-00403370): the accumulated string in [ebp-0x38] is
; tested for equality with the constant at 004027C8 ("qBQSYdXUe_B\V"); ax==0
; sends execution to the failure path at 0040345E.
; Because the transform is a per-character XOR with the fixed stream "2000",
; it is its own inverse: XOR-ing the stored constant with the same stream
; gives exactly the input the check accepts, so the "secret" is fully
; recoverable from the binary. A password check should compare a one-way
; hash (or a keyed MAC) of the input rather than a reversible transform.
0040332F > 8D45 C8 lea eax,dword ptr ss:[ebp-0x38] ; loop exit lands here; eax -> accumulated string
00403332 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00403338 . 50 push eax ; /var18 = 00000007
00403339 . 51 push ecx ; |var28 = 00000007
0040333A . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],cracking.004027C8 ; |qBQSYdXUe_B\V ; the expected constant
00403344 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x8008 ; | ; Variant type 0x8008 wrapping that constant
0040334E . FF15 44614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ; \__vbaVarTstEq ; accumulated string = constant ?
00403354 . 66:85C0 test ax,ax ; result of the decisive comparison
00403357 . B9 04000280 mov ecx,0x80020004 ; ax is non-zero on a match, 0 otherwise; 0x80020004 with type 0xA below looks like the "missing optional argument" Variants (VT_ERROR/DISP_E_PARAMNOTFOUND) prepared for rtcMsgBox
0040335C . B8 0A000000 mov eax,0xA
00403361 . 894D 80 mov dword ptr ss:[ebp-0x80],ecx
00403364 . 8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
0040336A . 894D 90 mov dword ptr ss:[ebp-0x70],ecx
0040336D . 8945 88 mov dword ptr ss:[ebp-0x78],eax
00403370 . 0F84 E8000000 je cracking.0040345E ; the decisive jump: taken when ax==0, to the "Password incorrect" path
; Success path (00403376-0040345C): shows MsgBox("Password correct, hehe, :-)",
; 0, "Valid"), frees the argument Variants, then creates (if needed) the
; objects at 0x4043A4 and 0x404038 via __vbaNew2 and invokes a method at
; vtable slot +0x10 on the first with a reference to the second, checking the
; HRESULT, before joining the common exit at 004034D8.
00403376 . 8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ; Msvbvm50.__vbaVarDup
0040337C . BF 08000000 mov edi,0x8 ; Variant type 8 (VT_BSTR) used for both strings below
00403381 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0040338A . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],cracking.00402824 ; Valid ; MsgBox title
00403394 . 89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A . FFD6 call esi ; <&MSVBVM50.__vbaVarDup> ; title Variant -> [ebp-0x68]
0040339C . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
004033A5 . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],cracking.004027E8 ; Password correct, hehe, :-) ; MsgBox prompt
004033AF . 89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5 . FFD6 call esi ; prompt Variant -> [ebp-0x58]
004033B7 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004033BD . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
004033C0 . 52 push edx ; Context (missing)
004033C1 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
004033C4 . 50 push eax ; HelpFile (missing)
004033C5 . 51 push ecx ; Title = "Valid"
004033C6 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004033C9 . 6A 00 push 0x0 ; Buttons = 0
004033CB . 52 push edx ; Prompt
004033CC . FF15 24614000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox_595>] ; Msvbvm50.rtcMsgBox
004033D2 . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004033D8 . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
004033DB . 50 push eax
004033DC . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
004033DF . 51 push ecx
004033E0 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
004033E3 . 52 push edx
004033E4 . 50 push eax
004033E5 . 6A 04 push 0x4
004033E7 . FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; Msvbvm50.__vbaFreeVarList ; release the four MsgBox Variants
004033ED . A1 A4434000 mov eax,dword ptr ds:[0x4043A4]
004033F2 . 83C4 14 add esp,0x14
004033F5 . 85C0 test eax,eax ; object at 0x4043A4 already created?
004033F7 . 75 10 jnz short cracking.00403409
004033F9 . 68 A4434000 push cracking.004043A4
004033FE . 68 50284000 push cracking.00402850
00403403 . FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>] ; Msvbvm50.__vbaNew2 ; create it
00403409 > A1 38404000 mov eax,dword ptr ds:[0x404038]
0040340E . 8B35 A4434000 mov esi,dword ptr ds:[0x4043A4]
00403414 . 85C0 test eax,eax ; object at 0x404038 already created?
00403416 . 75 10 jnz short cracking.00403428
00403418 . 68 38404000 push cracking.00404038
0040341D . 68 6C204000 push cracking.0040206C
00403422 . FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>] ; Msvbvm50.__vbaNew2 ; create it
00403428 > 8B0D 38404000 mov ecx,dword ptr ds:[0x404038]
0040342E . 8B3E mov edi,dword ptr ds:[esi] ; edi = vtable of the object at 0x4043A4
00403430 . 8D55 B8 lea edx,dword ptr ss:[ebp-0x48]
00403433 . 51 push ecx
00403434 . 52 push edx
00403435 . FF15 2C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSetAddref>] ; Msvbvm50.__vbaObjSetAddref ; AddRef'd reference to the 0x404038 object
0040343B . 50 push eax
0040343C . 56 push esi
0040343D . FF57 10 call dword ptr ds:[edi+0x10] ; method at vtable slot +0x10 on the 0x4043A4 object
00403440 . 85C0 test eax,eax ; HRESULT >= 0 means success
00403442 . 7D 0F jge short cracking.00403453
00403444 . 6A 10 push 0x10
00403446 . 68 40284000 push cracking.00402840
0040344B . 56 push esi
0040344C . 50 push eax
0040344D . FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ; Msvbvm50.__vbaHresultCheckObj ; raise the VB error for a failed HRESULT
00403453 > 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00403456 . FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ; Msvbvm50.__vbaFreeObj ; release the temporary object reference
0040345C . EB 7A jmp short cracking.004034D8 ; common exit
; Failure path (0040345E-...): mirrors the success path, preparing
; MsgBox("Password incorrect, please try again ...", 0, "Invalid"). The
; author's listing stops before the rtcMsgBox call itself.
0040345E > 8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ; Msvbvm50.__vbaVarDup
00403464 . BF 08000000 mov edi,0x8 ; Variant type 8 (VT_BSTR) used for both strings below
00403469 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040346F . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00403472 . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],cracking.004028BC ; Invalid ; MsgBox title
0040347C . 89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
00403482 . FFD6 call esi ; <&MSVBVM50.__vbaVarDup> ; title Variant -> [ebp-0x68]
00403484 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040348A . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
0040348D . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],cracking.00402864 ; Password incorrect, please try again ... ; MsgBox prompt
00403497 . 89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
0040349D . FFD6 call esi ; prompt Variant -> [ebp-0x58]
0040349F . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004034A5 . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
004034A8 . 50 push eax ; Context (missing)
004034A9 . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
004034AC . 51 push ecx ; HelpFile (missing)
004034AD . 52 push edx ; Title = "Invalid"
004034AE . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58] ; Prompt; the listing ends here
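#include <cstdio>
#include <cstring>

// Recovers the input accepted by the crackme from the constant it compares
// against. The binary builds Chr(Asc(Mid(input, i, 1)) Xor Asc(Mid("2000",
// ((i - 1) Mod 4) + 1, 1))) for every position i and tests the concatenation
// against "qBQSYdXUe_B\V". XOR with a fixed stream is its own inverse, so
// applying the same stream to that constant yields the accepted input; a
// check that embeds a reversible transform of its secret in the binary
// therefore protects nothing, which is the lesson of this exercise.
//
// Fixes relative to the original: <String.h> (capital S) does not resolve on
// case-sensitive file systems, the loop compared a signed int with strlen(),
// and the separate counter j always equalled i.
int main()
{
    //qBQSYdXUe_B\V
    // Written with "\\" so the backslash is not taken as an escape.
    char key[] = {"qBQSYdXUe_B\\V"};
    // Key stream "2000" (0x7D0 in the second rtcMidCharVar call), repeating every 4 characters.
    char cal[4] = {0x32,0x30,0x30,0x30};
    // sizeof(key) counts the terminating NUL, so the buffer can never be
    // overrun by the loop and is always NUL-terminated for the final printf.
    char result[sizeof(key)] = {0};
    const std::size_t len = std::strlen(key);
    for (std::size_t i = 0; i < len; i++)
    {
        result[i] = key[i] ^ cal[i % 4];
        // %d expects an int; i is size_t.
        std::printf("%d : %c", static_cast<int>(i), result[i]);
    }
    std::printf("%s", result);
    return 0;
}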
结果如下: