Crackme 26
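Source: Internet  Editor: 程序博客网  Time: 2024/05/16 09:59
This is a VB program.
First I debugged it with OD (OllyDbg) and searched for strings.
I found the "registration successful" string, but the program would not run under OD.
In the end I used x32dbg, found the string-comparison code, and entered name: 12345, serial: 123.
The correct registration code was visible at that point, so it must have been generated before the comparison. Because VB programs are hard to analyse at the assembly level, I decompiled it directly with VB Decompiler.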
Private Sub Command1_Click() '402B10
  Dim Me As Me
  Dim var_4C As TextBox
  Dim var_48 As TextBox
  Dim var_12C As Label
  Dim var_124 As Label
  loc_00402BE6: var_124 = var_4C
  loc_00402C06: var_28 = Text1.Text
  loc_00402C37: var_eax = Unknown_VTable_Call[edx+00000054h]
  loc_00402C8E: var_28 = Text1.Text
  loc_00402CE6: If var_124 = 0 Then GoTo loc_00402D9C
  loc_00402D50: var_74 = " Der Name muss mindestens 5 Chars haben "
  loc_00402DCD: var_28 = Text1.Text
  loc_00402DFB: var_EC = Len(var_28)
  loc_00402E46: For var_24 = To Len(var_28) Step 1
  loc_00402E4F: var_184 = var_178
  loc_00402E6A: If var_184 = 0 Then GoTo loc_00403099
  loc_00402E8D: var_2C = Text1.Text
  loc_00402EBE: var_118 = Asc(var_2C)
  loc_00402EF4: var_28 = Label2.Caption
  loc_00402FA8: var_198 = var_12C
  loc_00402FBC: Label2.Caption = CStr(((var_28 * var_118) * global_401100) / Hex(21))
  loc_00403027: var_eax = Text1.SetFocus
  loc_00403086: Next var_24
  loc_0040308C: var_184 = Next var_24
  loc_00403094: GoTo loc_00402E64
  loc_00403099: 'Referenced from: 00402E6A
  loc_004030CC: var_28 = Label1.Caption
  loc_00403108: call __vbaStrR8(Fix(var_28))
  loc_00403113: var_2C = __vbaStrR8(Fix(var_28))
  loc_00403123: Label1.Caption = var_2C
  loc_0040318D: var_28 = Label4.Caption
  loc_0040322B: var_2C = Label3.Caption
  loc_0040325C: var_34 = Text1.Text
  loc_004032B9: var_28 = Text1.Text
  loc_00403319: var_EC = (var_2C + Asc(var_28))
  loc_00403343: var_30 = Label3.Caption
  loc_0040336B: Asc(var_34) = Asc(var_34) * 0019h
  loc_004033A2: var_6C = (var_30 - Asc(var_34))
  loc_004033AF: var_84 = Hex(var_6C)
  loc_004033CE: var_38 = Label3.Caption
  loc_004033FE: var_9C = var_38
  loc_0040340E: var_B4 = Hex(var_38)
  loc_0040342D: var_3C = Text1.Text
  loc_00403464: var_40 = Text1.Text
  loc_00403499: Asc(var_3C) = Asc(var_3C) * Len(var_40)
  loc_004034B2: Asc(var_3C) = Asc(var_3C) - 0000001Bh
  loc_004034C1: var_FC = Asc(var_3C)
  loc_004034D8: var_94 = ((var_28 * var_118) * global_401100) & var_84
  loc_0040350D: var_44 = CStr(var_94 & var_B4 &)
  loc_0040351D: var_eax = Unknown_VTable_Call[ecx+00000054h]
  loc_004035D6: var_28 = Text2.Text
  loc_0040360D: var_2C = Label5.Caption
  loc_0040363E: var_30 = Text1.Text
  loc_0040369F: var_3C = var_2C & CStr(Len(var_30)) & "-CM"
  loc_004036C5: esi = (var_28 = var_3C) + 1
  loc_004036EB: If (var_28 = var_3C) + 1 = 0 Then GoTo loc_0040379C
  loc_00403772: MsgBox(" Gratulation ,du hast es geschafft!", 64, "Colormaster´s Crackme 7.0", var_94, var_A4)
  loc_004037A7: GoTo loc_00403839
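Stepping through the code in x32dbg while reading the VB Decompiler output as a static reference works very well.
First, let's look at the first algorithm.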
loc_00402FBC: Label2.Caption = CStr(((var_28 * var_118) * global_401100) / Hex(21))
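ASCII code of the first character * 432.4 * 17.79 / 15 (Hex(21) is the string "15", which VB converts to the number 15 for the division)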
49*432.4*17.79/15 = 25128
Second algorithm
loc_0040336B: Asc(var_34) = Asc(var_34) * 0019h
loc_004033A2: var_6C = (var_30 - Asc(var_34))
loc_004033AF: var_84 = Hex(var_6C)
0040336B | imul bx,bx,19 |
0040336F | jo colormaster.403880 |
00403375 | movsx eax,bx |
00403378 | mov dword ptr ss:[ebp-1AC],eax |
0040337E | lea ecx,dword ptr ss:[ebp-74] |
00403381 | fild dword ptr ss:[ebp-1AC] |
00403387 | lea edx,dword ptr ss:[ebp-84] |
0040338D | push ecx |
0040338E | push edx |
0040338F | mov dword ptr ss:[ebp-74],5 |
00403396 | fstp qword ptr ss:[ebp-1B4] |
0040339C | fsub qword ptr ss:[ebp-1B4] |
004033A2 | fstp qword ptr ss:[ebp-6C] |
004033A5 | fnstsw ax |
004033A7 | test al,D |
>>> 49*432.4*17.79/15
25128.493599999998
>>> 25128 - 0x31*0x19
23903
>>> hex(23903)
'0x5d5f'
Third algorithm
loc_004033AF: var_84 = Hex(var_6C)
>>> hex(25128)
'0x6228'
Fourth algorithm
loc_00403464: var_40 = Text1.Text
loc_00403499: Asc(var_3C) = Asc(var_3C) * Len(var_40)
loc_004034B2: Asc(var_3C) = Asc(var_3C) - 0000001Bh
loc_004034C1: var_FC = Asc(var_3C)
00403464 | call dword ptr ds:[eax+A0] |
0040346A | test eax,eax |
0040346C | fnclex |
0040346E | jge colormaster.403482 |
00403470 | push A0 |
00403475 | push colormaster.401E94 |
0040347A | push ebx |
0040347B | push eax |
0040347C | call dword ptr ds:[<&__vbaHresultCheckO |
00403482 | mov edx,dword ptr ss:[ebp-3C] |
00403485 | push edx |
00403486 | call dword ptr ds:[<&rtcAnsiValueBstr>] |
0040348C | movsx ebx,ax |
0040348F | mov eax,dword ptr ss:[ebp-40] |
00403492 | push eax |
00403493 | call dword ptr ds:[<&__vbaLenBstr>] |
00403499 | imul ebx,eax |
0040349C | mov ecx,dword ptr ss:[ebp-154] |
004034A2 | mov dword ptr ss:[ebp-104],3 |
004034AC | jo colormaster.403880 |
004034B2 | sub ebx,1B |
004034B5 | lea edx,dword ptr ss:[ebp-F4] |
004034BB | jo colormaster.403880 |
004034C1 | mov dword ptr ss:[ebp-FC],ebx |
004034C7 | mov ebx,dword ptr ds:[ecx] |
004034C9 | lea eax,dword ptr ss:[ebp-84] |
>>> 0x31 * 5 - 0x1b
218
Fifth algorithm
25128 + ord(s[0]) == 25177
Sixth algorithm
loc_0040369F: var_3C = var_2C & CStr(Len(var_30)) & "-CM"
251775D5F62282185-CM
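Finally, write the keygen:
# Python 3 keygen; the name must be at least 5 characters long
name = input("name:")
f = ord(name[:1])                 # ASCII code of the first character
s = int(f * 432.4 * 17.79 / 15)   # first algorithm, truncated to an integer
# VB's Hex() returns upper-case digits, so format the hex fields with %X
print(str(s + f) + "%X" % (s - 0x19 * f) + "%X" % s
      + str(f * len(name) - 0x1b) + str(len(name)) + "-CM")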
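The check as a whole, as an added example that is not part of the original post or of the crackme: it rebuilds the serial field by field from the six algorithms above and shows that the scheme binds only the first character and the length of the name, so the whole serial space is small. The constants are the ones quoted in the write-up; the function names are hypothetical.

```python
# Added example: models the serial check as the write-up describes it.
# Constants 432.4, 17.79, 15, 0x19 and 0x1B are the ones quoted on the page;
# all function names are hypothetical.
import string


def serial_parts(name):
    """Return the fields of the serial, in concatenation order."""
    if len(name) < 5:                      # "Der Name muss mindestens 5 Chars haben"
        raise ValueError("name must have at least 5 characters")
    f = ord(name[0])                       # only the first character is used
    s = int(f * 432.4 * 17.79 / 15)        # algorithm 1
    return [
        str(s + f),                        # algorithm 5
        "%X" % (s - 0x19 * f),             # algorithm 2 (VB Hex() is upper-case)
        "%X" % s,                          # algorithm 3
        str(f * len(name) - 0x1B),         # algorithm 4
        str(len(name)),                    # algorithm 6: name length ...
        "-CM",                             # ... followed by the fixed suffix
    ]


def expected_serial(name):
    return "".join(serial_parts(name))


def check(name, serial):
    """The string comparison made before the success message box."""
    return serial == expected_serial(name)


def distinct_serials(max_len=20):
    """Count serials over printable first characters and lengths 5..max_len."""
    firsts = string.digits + string.ascii_letters + string.punctuation
    return len({expected_serial(c + "x" * (n - 1))
                for c in firsts for n in range(5, max_len + 1)})


if __name__ == "__main__":
    print(serial_parts("12345"))
    print(check("1zzzz", expected_serial("12345")))  # same first char and length
    print(distinct_serials())
```

Any two names with the same first character and length share a serial, which is why a name-derived key checked entirely on the client gives no real binding to the user.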