160 - 3 Afkayas.2


环境:

Windows xp sp3


这次的目标有两个:

1.去除Nag窗口

2.找出Serial的算法


1.这次去除Nag窗口用了另外几个程序:

(1)VBLocalize v1.1.0.0

(2)UltraEdit

(3)VBExplorer

因为是VB程序,所以用VBLocalize加载程序,

根据偏移地址,在文件中找到timer的偏移地址:

用VBExplorer可以看到timer的属性:

得知Nag窗口存在时间为7秒,Timer的位置是(2880,2160),转为16进制为:(0x0B40,0x0870)

7000的16进制为1B58,于是可以得知:

00005b75-00005b76的值为Nag窗口存在的时间,可以把这两个值改为 58 1B -> 01 00,

如果改为0则Nag窗口一直存在。







2.找到Serial算法


和1一样,输入一个错误的Serial,然后F12,Alt+F9回到程序领空。


; Result dialog of the serial check (OllyDbg dump, Intel syntax).
; The je at 00408677 chooses between two rtcMsgBox calls: fall-through builds
; "You Get It" / "KeyGen It Now", the target 004086DB builds "You Get Wrong" / "Try Again".
; Both branches rejoin at 0040873B (outside this excerpt).
0040865D   .  B8 0A000000   mov eax,0xA
00408662   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00408665   .  66:85F6       test si,si
00408668   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040866B   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
0040866E   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00408671   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00408674   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
00408677   .  74 62         je XAfKayAs_.004086DB     ; this jump must not be taken: si==0 means the comparison failed
00408679   .  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
0040867F   .  68 C06F4000   push AfKayAs_.00406FC0                   ;  UNICODE "You Get It"
00408684   .  68 DC6F4000   push AfKayAs_.00406FDC                   ; /String = ""
00408689   .  FFD6          call esi                                 ; \__vbaStrCat
0040868B   .  8BD0          mov edx,eax
0040868D   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00408690   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00408696   .  50            push eax
00408697   .  68 E86F4000   push AfKayAs_.00406FE8                   ;  UNICODE "KeyGen It Now"
0040869C   .  FFD6          call esi                                 ; __vbaStrCat again (esi still holds it)
0040869E   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
004086A1   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004086A4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004086A7   .  50            push eax
004086A8   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
004086AB   .  51            push ecx
004086AC   .  52            push edx
004086AD   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004086B0   .  6A 00         push 0x0
004086B2   .  50            push eax
004086B3   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8          ; VARIANT type tag for the message argument
004086BA   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox
004086C0   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086C3   .  FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
004086C9   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004086CC   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004086CF   .  51            push ecx
004086D0   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004086D3   .  52            push edx
004086D4   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004086D7   .  50            push eax
004086D8   .  51            push ecx
004086D9   .  EB 60         jmp XAfKayAs_.0040873B     ; above: the success message; below: the failure message
004086DB   >  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
004086E1   .  68 08704000   push AfKayAs_.00407008                   ;  UNICODE "You Get Wrong"
004086E6   .  68 DC6F4000   push AfKayAs_.00406FDC                   ; /String = ""
004086EB   .  FFD6          call esi                                 ; \__vbaStrCat
004086ED   .  8BD0          mov edx,eax
004086EF   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086F2   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
004086F8   .  50            push eax
004086F9   .  68 28704000   push AfKayAs_.00407028                   ;  UNICODE "Try Again"
004086FE   .  FFD6          call esi
00408700   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
00408703   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00408706   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00408709   .  52            push edx
0040870A   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
0040870D   .  50            push eax
0040870E   .  51            push ecx
0040870F   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00408712   .  6A 00         push 0x0
00408714   .  52            push edx
00408715   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040871C   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  MSVBVM50.rtcMsgBox
00408722   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]     ;  Alt+F9 (execute till user code) returns here


再往上一点就看到了这个:

; First step of the serial computation:
;   edi = __vbaLenBstr(Name) * 0x15B38 + rtcAnsiValueBstr(Name)
; i.e. s = L*88888 + ascii(c). The jo guards the imul against signed overflow.
004081E9   > \8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]
004081F2   .  50            push eax                                 ; /String
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]               ; |
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
004081FB   .  8BF8          mov edi,eax                              ; edi = L (length of Name)
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00408200   .  69FF 385B0100 imul edi,edi,0x15B38     ; multiplier differs from part 1: 0x15B38 = 88888
00408206   .  51            push ecx                                 ; /String
00408207   .  0F80 B7050000 jo AfKayAs_.004087C4                     ; | overflow of the imul -> error path
0040820D   .  FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>]     ; \rtcAnsiValueBstr
00408213   .  0FBFD0        movsx edx,ax                             ; edx = ascii(c), sign-extended from 16 bits
00408216   .  03FA          add edi,edx                              ; edi = L*88888 + ascii(c)

这段和1里面遇到的一样,只是乘数不一样了(0x15B38 = 88888)。

Name长度为L

Name的首字母为c

当前计算结果为s


得到公式: s = L*88888+ascii(c)

继续往下有:

; Second step: s = s + 10.0/5.0 on the x87 stack.
; The [0x409000] test picks either a plain fdiv or the _adj_fdiv_m32 helper
; (presumably the VB runtime's FDIV-bug workaround); both yield 2.0.
004082E9   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004082EF   .  D905 08104000 fld dword ptr ds:[0x401008]              ;  [401008] holds 10.0
004082F5   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC   .  75 08         jnz XAfKayAs_.00408306
004082FE   .  D835 0C104000 fdiv dword ptr ds:[0x40100C]             ;  [40100c] holds 5.0, so this is 10.0/5.0 = 2.0
00408304   .  EB 0B         jmp XAfKayAs_.00408311
00408306   >  FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C   .  E8 578DFFFF   call <jmp.&MSVBVM50._adj_fdiv_m32>       ; same division via the runtime helper
00408311   >  83EC 08       sub esp,0x8
00408314   .  DFE0          fstsw ax
00408316   .  A8 0D         test al,0xD                              ; 0xD = IE|ZE|OE exception bits
00408318   .  0F85 A1040000 jnz AfKayAs_.004087BF                    ; any FPU exception -> presumably runtime error path
0040831E   .  DEC1          faddp st(1),st                           ;  s = s + 2.0
00408320   .  DFE0          fstsw ax

得到:

s = s + 2

继续往下:


; Third step: s = s*3 - 2, then the double is converted back to a string.
004083F5   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004083FB   .  DC0D 10104000 fmul qword ptr ds:[0x401010]             ; [401010] holds 3, so s = s*3
00408401   .  83EC 08       sub esp,0x8
00408404   .  DC25 18104000 fsub qword ptr ds:[0x401018]     ; [401018] holds 2, so s = s-2
0040840A   .  DFE0          fstsw ax
0040840C   .  A8 0D         test al,0xD                              ; 0xD = IE|ZE|OE exception bits
0040840E   .  0F85 AB030000 jnz AfKayAs_.004087BF                    ; any FPU exception -> presumably runtime error path
00408414   .  DD1C24        fstp qword ptr ss:[esp]                  ; pass s as a double argument
00408417   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8

得到:

s = s * 3 - 2

继续往下:


; Fourth step: s = s - (-15) = s + 15, converted back to a string.
004084DF   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004084E5   .  DC25 20104000 fsub qword ptr ds:[0x401020]     ;  [0x401020] holds -15, so this is s = s + 15
004084EB   .  83EC 08       sub esp,0x8
004084EE   .  DFE0          fstsw ax
004084F0   .  A8 0D         test al,0xD                              ; 0xD = IE|ZE|OE exception bits
004084F2   .  0F85 C7020000 jnz AfKayAs_.004087BF                    ; any FPU exception -> presumably runtime error path
004084F8   .  DD1C24        fstp qword ptr ss:[esp]                  ; pass s as a double argument
004084FB   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8
00408501   .  8BD0          mov edx,eax


得到:

s = s + 15


联合起来就是:


s = ((L*88888+ascii(c))+2)*3-2+15 = (L*88888+ascii(c))*3+19


