160 - 3 Afkayas.2
Source: Internet | Editor: 程序博客网 | Date: 2024/05/24 06:59
Environment:
Windows XP SP3
This time there are two goals:
1. Remove the Nag window
2. Work out the serial algorithm
1. Removing the Nag window this time used the following other programs:
(1) VBLocalize v1.1.0.0
(2) UltraEdit
(3) VBExplorer
Since it is a VB program, load it in VBLocalize,
and from the offset it reports, locate the timer's offset in the file:
VBExplorer shows the timer's properties:
This tells us the Nag window stays for 7 seconds, and that the Timer's position is (2880,2160), which in hex is (0x0B40,0x0870).
The Timer interval is stored in milliseconds, and 7000 in hex is 1B58, so:
the two bytes at 00005b75-00005b76 hold the Nag window's lifetime; change them from 58 1B to 01 00.
If they are changed to 0, the Nag window stays forever.
2. Finding the Serial algorithm
As in crackme 1, enter a wrong serial, then press F12 and Alt+F9 to return to the program's own code.
0040865D  . B8 0A000000     mov eax,0xA
00408662  . 894D 9C         mov dword ptr ss:[ebp-0x64],ecx
00408665  . 66:85F6         test si,si
00408668  . 8945 94         mov dword ptr ss:[ebp-0x6C],eax
0040866B  . 894D AC         mov dword ptr ss:[ebp-0x54],ecx
0040866E  . 8945 A4         mov dword ptr ss:[ebp-0x5C],eax
00408671  . 894D BC         mov dword ptr ss:[ebp-0x44],ecx
00408674  . 8945 B4         mov dword ptr ss:[ebp-0x4C],eax
00408677  . 74 62           je XAfKayAs_.004086DB                        ; this must not jump
00408679  . 8B35 14B14000   mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>    ; MSVBVM50.__vbaStrCat
0040867F  . 68 C06F4000     push AfKayAs_.00406FC0                       ; UNICODE "You Get It"
00408684  . 68 DC6F4000     push AfKayAs_.00406FDC                       ; /String = ""
00408689  . FFD6            call esi                                     ; \__vbaStrCat
0040868B  . 8BD0            mov edx,eax
0040868D  . 8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
00408690  . FF15 94B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrMo>    ; MSVBVM50.__vbaStrMove
00408696  . 50              push eax
00408697  . 68 E86F4000     push AfKayAs_.00406FE8                       ; UNICODE "KeyGen It Now"
0040869C  . FFD6            call esi
0040869E  . 8945 CC         mov dword ptr ss:[ebp-0x34],eax
004086A1  . 8D45 94         lea eax,dword ptr ss:[ebp-0x6C]
004086A4  . 8D4D A4         lea ecx,dword ptr ss:[ebp-0x5C]
004086A7  . 50              push eax
004086A8  . 8D55 B4         lea edx,dword ptr ss:[ebp-0x4C]
004086AB  . 51              push ecx
004086AC  . 52              push edx
004086AD  . 8D45 C4         lea eax,dword ptr ss:[ebp-0x3C]
004086B0  . 6A 00           push 0x0
004086B2  . 50              push eax
004086B3  . C745 C4 08000>  mov dword ptr ss:[ebp-0x3C],0x8
004086BA  . FF15 24B14000   call dword ptr ds:[<&MSVBVM50.#595>]         ; MSVBVM50.rtcMsgBox
004086C0  . 8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
004086C3  . FF15 A8B14000   call dword ptr ds:[<&MSVBVM50.__vbaFreeS>    ; MSVBVM50.__vbaFreeStr
004086C9  . 8D4D 94         lea ecx,dword ptr ss:[ebp-0x6C]
004086CC  . 8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
004086CF  . 51              push ecx
004086D0  . 8D45 B4         lea eax,dword ptr ss:[ebp-0x4C]
004086D3  . 52              push edx
004086D4  . 8D4D C4         lea ecx,dword ptr ss:[ebp-0x3C]
004086D7  . 50              push eax
004086D8  . 51              push ecx
004086D9  . EB 60           jmp XAfKayAs_.0040873B                       ; above is the "correct" message, below is the "wrong" message
004086DB  > 8B35 14B14000   mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>    ; MSVBVM50.__vbaStrCat
004086E1  . 68 08704000     push AfKayAs_.00407008                       ; UNICODE "You Get Wrong"
004086E6  . 68 DC6F4000     push AfKayAs_.00406FDC                       ; /String = ""
004086EB  . FFD6            call esi                                     ; \__vbaStrCat
004086ED  . 8BD0            mov edx,eax
004086EF  . 8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
004086F2  . FF15 94B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrMo>    ; MSVBVM50.__vbaStrMove
004086F8  . 50              push eax
004086F9  . 68 28704000     push AfKayAs_.00407028                       ; UNICODE "Try Again"
004086FE  . FFD6            call esi
00408700  . 8945 CC         mov dword ptr ss:[ebp-0x34],eax
00408703  . 8D55 94         lea edx,dword ptr ss:[ebp-0x6C]
00408706  . 8D45 A4         lea eax,dword ptr ss:[ebp-0x5C]
00408709  . 52              push edx
0040870A  . 8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
0040870D  . 50              push eax
0040870E  . 51              push ecx
0040870F  . 8D55 C4         lea edx,dword ptr ss:[ebp-0x3C]
00408712  . 6A 00           push 0x0
00408714  . 52              push edx
00408715  . C745 C4 08000>  mov dword ptr ss:[ebp-0x3C],0x8
0040871C  . FF15 24B14000   call dword ptr ds:[<&MSVBVM50.#595>]         ; MSVBVM50.rtcMsgBox
00408722  . 8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]              ; Alt+F9 returns here
A little further up is this:
004081E9  > \8B95 50FFFFFF  mov edx,dword ptr ss:[ebp-0xB0]
004081EF  . 8B45 E4         mov eax,dword ptr ss:[ebp-0x1C]
004081F2  . 50              push eax                                     ; /String
004081F3  . 8B1A            mov ebx,dword ptr ds:[edx]                   ; |
004081F5  . FF15 F8B04000   call dword ptr ds:[<&MSVBVM50.__vbaLenBs>    ; \__vbaLenBstr
004081FB  . 8BF8            mov edi,eax
004081FD  . 8B4D E8         mov ecx,dword ptr ss:[ebp-0x18]
00408200  . 69FF 385B0100   imul edi,edi,0x15B38                         ; this part is different
00408206  . 51              push ecx                                     ; /String
00408207  . 0F80 B7050000   jo AfKayAs_.004087C4                         ; |
0040820D  . FF15 0CB14000   call dword ptr ds:[<&MSVBVM50.#516>]         ; \rtcAnsiValueBstr
00408213  . 0FBFD0          movsx edx,ax
00408216  . 03FA            add edi,edx
This is the same code seen in crackme 1; only the multiplier has changed (0x15B38 = 88888).
Let
L be the length of Name,
c be the first character of Name,
s be the current result.
This gives the formula: s = L*88888 + ascii(c)
Continuing down:
004082E9  . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>    ; MSVBVM50.__vbaR8Str
004082EF  . D905 08104000   fld dword ptr ds:[0x401008]                  ; [401008] is 10.0
004082F5  . 833D 00904000>  cmp dword ptr ds:[0x409000],0x0
004082FC  . 75 08           jnz XAfKayAs_.00408306
004082FE  . D835 0C104000   fdiv dword ptr ds:[0x40100C]                 ; [40100c] is 5.0, so this is 10.0/5.0 = 2.0
00408304  . EB 0B           jmp XAfKayAs_.00408311
00408306  > FF35 0C104000   push dword ptr ds:[0x40100C]
0040830C  . E8 578DFFFF     call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311  > 83EC 08         sub esp,0x8
00408314  . DFE0            fstsw ax
00408316  . A8 0D           test al,0xD
00408318  . 0F85 A1040000   jnz AfKayAs_.004087BF
0040831E  . DEC1            faddp st(1),st                               ; s = s + 2.0
00408320  . DFE0            fstsw ax
This gives:
s = s + 2
Continuing down:
004083F5  . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>    ; MSVBVM50.__vbaR8Str
004083FB  . DC0D 10104000   fmul qword ptr ds:[0x401010]                 ; [401010] is 3, so here s = s*3
00408401  . 83EC 08         sub esp,0x8
00408404  . DC25 18104000   fsub qword ptr ds:[0x401018]                 ; [401018] is 2, so here s = s-2
0040840A  . DFE0            fstsw ax
0040840C  . A8 0D           test al,0xD
0040840E  . 0F85 AB030000   jnz AfKayAs_.004087BF
00408414  . DD1C24          fstp qword ptr ss:[esp]
00408417  . FF15 48B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrR8>    ; MSVBVM50.__vbaStrR8
This gives:
s = s * 3 - 2
Continuing down:
004084DF  . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>    ; MSVBVM50.__vbaR8Str
004084E5  . DC25 20104000   fsub qword ptr ds:[0x401020]                 ; [0x401020] is -15, so here s = s + 15
004084EB  . 83EC 08         sub esp,0x8
004084EE  . DFE0            fstsw ax
004084F0  . A8 0D           test al,0xD
004084F2  . 0F85 C7020000   jnz AfKayAs_.004087BF
004084F8  . DD1C24          fstp qword ptr ss:[esp]
004084FB  . FF15 48B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrR8>    ; MSVBVM50.__vbaStrR8
00408501  . 8BD0            mov edx,eax
This gives:
s = s + 15
Putting the stages together, ((L*88888 + ascii(c)) + 2)*3 - 2 + 15 simplifies to:
s = (L*88888+ascii(c))*3+19
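As an added example (not code from the original write-up), the following Python keygen replays the four stages recovered from the listings above, including the signed-overflow branch that the `jo` after the `imul` guards, and checks the result against the closed form. It also reproduces the Timer-interval byte patch from part 1. The empty-name check is an assumption of the example, not something shown in the listings.

```python
# Added example: replays the Afkayas.2 serial computation derived in the write-up.
import struct

MULTIPLIER = 0x15B38      # imul edi,edi,0x15B38  (88888 decimal)
INT32_MAX = 0x7FFFFFFF    # the jo after the imul traps signed 32-bit overflow


def serial_stepwise(name: str) -> float:
    """Replay the stages in the order the disassembly performs them."""
    if not name:
        # Assumption of this example: an empty name is rejected up front.
        raise ValueError("Name must not be empty")
    length = len(name)                 # __vbaLenBstr
    first = ord(name[0])               # rtcAnsiValueBstr, then movsx edx,ax
    s = length * MULTIPLIER            # imul edi,edi,0x15B38
    if s > INT32_MAX:
        # jo AfKayAs_.004087C4: the program takes the overflow path instead
        raise OverflowError("L*88888 does not fit in a signed 32-bit register")
    s += first                         # add edi,edx
    s = float(s)                       # __vbaR8Str: from here on the value is a double
    s = s + (10.0 / 5.0)               # fld 10.0 ; fdiv 5.0 ; faddp  -> s + 2
    s = s * 3 - 2                      # fmul 3 ; fsub 2
    s = s - (-15)                      # fsub -15  -> s + 15
    return s


def serial_closed_form(name: str) -> int:
    """The combined formula s = (L*88888 + ascii(c))*3 + 19."""
    return (len(name) * 88888 + ord(name[0])) * 3 + 19


def nag_interval_bytes(milliseconds: int) -> bytes:
    """Little-endian 16-bit encoding of Timer.Interval as it sits in the file."""
    return struct.pack("<H", milliseconds)


if __name__ == "__main__":
    for n in ("abc", "crackme"):       # constructed sample names
        print(n, int(serial_stepwise(n)), serial_closed_form(n))
    print(nag_interval_bytes(7000).hex(" "))   # 58 1b: the bytes found at 0x5b75
    print(nag_interval_bytes(1).hex(" "))      # 01 00: the patched value
```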