Crackme 26


这里写图片描述
VB程序
首先用OD调试,搜索字符串
这里写图片描述
找到了提示注册成功的字符串,但是程序在OD里运行不起来
最后使用了x32dbg,找到了字符串匹配的代码,输入name:12345 serial:123
这里写图片描述
看到了注册码,那么注册码一定是在这之前生成的,由于VB程序比较难分析,使用了VB Decompiler直接反编译

' VB Decompiler output for the click handler at 0x402B10, as pasted in the write-up.
' NOTE(review): this is lossy pseudo-code, not compilable VB (e.g. the For loop has lost
' its lower bound, and "Asc(x) = ..." stands for a register update). The listing stops
' at a GoTo and does not show End Sub.
Private Sub Command1_Click() '402B10
  Dim Me As Me
  Dim var_4C As TextBox
  Dim var_48 As TextBox
  Dim var_12C As Label
  Dim var_124 As Label
  loc_00402BE6: var_124 = var_4C
  loc_00402C06: var_28 = Text1.Text
  loc_00402C37: var_eax = Unknown_VTable_Call[edx+00000054h]
  loc_00402C8E: var_28 = Text1.Text
  loc_00402CE6: If var_124 = 0 Then GoTo loc_00402D9C
  ' German: "The name must have at least 5 chars". The exact length test is not
  ' recoverable from this listing - presumably it guards Text1.Text; confirm in the debugger.
  loc_00402D50: var_74 = " Der Name muss mindestens 5 Chars haben "
  loc_00402DCD: var_28 = Text1.Text
  loc_00402DFB: var_EC = Len(var_28)
  ' Loop bounded by the length of the name in Text1.
  loc_00402E46: For var_24 =  To Len(var_28) Step 1
  loc_00402E4F: var_184 = var_178
  loc_00402E6A: If var_184 = 0 Then GoTo loc_00403099
  loc_00402E8D: var_2C = Text1.Text
  loc_00402EBE: var_118 = Asc(var_2C)
  loc_00402EF4: var_28 = Label2.Caption
  loc_00402FA8: var_198 = var_12C
  ' Step 1 of the walkthrough: character code times the Label2 value times a global
  ' constant, divided by Hex(21) (the string "15"). The write-up evaluates this in the
  ' debugger as Asc(first char) * 432.4 * 17.79 / 15.
  loc_00402FBC: Label2.Caption = CStr(((var_28 * var_118) * global_401100) / Hex(21))
  loc_00403027: var_eax = Text1.SetFocus
  loc_00403086: Next var_24
  loc_0040308C: var_184 = Next var_24
  loc_00403094: GoTo loc_00402E64
  loc_00403099: 'Referenced from: 00402E6A
  loc_004030CC: var_28 = Label1.Caption
  ' Fix() truncates the floating-point value before it is turned back into a string.
  loc_00403108: call __vbaStrR8(Fix(var_28))
  loc_00403113: var_2C = __vbaStrR8(Fix(var_28))
  loc_00403123: Label1.Caption = var_2C
  loc_0040318D: var_28 = Label4.Caption
  loc_0040322B: var_2C = Label3.Caption
  loc_0040325C: var_34 = Text1.Text
  loc_004032B9: var_28 = Text1.Text
  ' Label3 value plus the character code of the name (step 5 of the walkthrough).
  loc_00403319: var_EC = (var_2C + Asc(var_28))
  loc_00403343: var_30 = Label3.Caption
  ' Step 2: character code * 0x19, subtracted from the Label3 value, rendered with Hex().
  loc_0040336B: Asc(var_34) = Asc(var_34) * 0019h
  loc_004033A2: var_6C = (var_30 - Asc(var_34))
  loc_004033AF: var_84 = Hex(var_6C)
  loc_004033CE: var_38 = Label3.Caption
  loc_004033FE: var_9C = var_38
  ' Step 3: the Label3 value itself rendered with Hex().
  loc_0040340E: var_B4 = Hex(var_38)
  loc_0040342D: var_3C = Text1.Text
  loc_00403464: var_40 = Text1.Text
  ' Step 4: character code * Len(name) - 0x1B.
  loc_00403499: Asc(var_3C) = Asc(var_3C) * Len(var_40)
  loc_004034B2: Asc(var_3C) = Asc(var_3C) - 0000001Bh
  loc_004034C1: var_FC = Asc(var_3C)
  ' The pieces are joined with string concatenation (&); the decompiler dropped the
  ' last operand of the second concatenation.
  loc_004034D8: var_94 = ((var_28 * var_118) * global_401100) & var_84
  loc_0040350D: var_44 = CStr(var_94 & var_B4 &)
  loc_0040351D: var_eax = Unknown_VTable_Call[ecx+00000054h]
  ' Text2 holds the serial typed by the user.
  loc_004035D6: var_28 = Text2.Text
  loc_0040360D: var_2C = Label5.Caption
  loc_0040363E: var_30 = Text1.Text
  ' Step 6: Label5 text, then the name length, then the fixed "-CM" suffix.
  loc_0040369F: var_3C = var_2C & CStr(Len(var_30)) & "-CM"
  ' Compare the entered serial with the computed one; the jump skips the success box.
  loc_004036C5: esi = (var_28 = var_3C) + 1
  loc_004036EB: If (var_28 = var_3C) + 1 = 0 Then GoTo loc_0040379C
  ' German: "Congratulations, you did it!"
  loc_00403772: MsgBox(" Gratulation ,du hast es geschafft!", 64, "Colormaster´s Crackme 7.0", var_94, var_A4)
  loc_004037A7: GoTo loc_00403839

一边使用x32dbg一边使用VB Decompiler静态分析,效果非常显著。
首先我们看第一个算法

loc_00402FBC: Label2.Caption = CStr(((var_28 * var_118) * global_401100) / Hex(21))

这里写图片描述

这里写图片描述
第一个字符的ASCII码*432.4*17.79/15
49*432.4*17.79/15 = 25128
第二个算法

  loc_0040336B: Asc(var_34) = Asc(var_34) * 0019h  loc_004033A2: var_6C = (var_30 - Asc(var_34))  loc_004033AF: var_84 = Hex(var_6C)
0040336B | imul bx,bx,19                           |0040336F | jo colormaster.403880                   |00403375 | movsx eax,bx                            |00403378 | mov dword ptr ss:[ebp-1AC],eax          |0040337E | lea ecx,dword ptr ss:[ebp-74]           |00403381 | fild dword ptr ss:[ebp-1AC]             |00403387 | lea edx,dword ptr ss:[ebp-84]           |0040338D | push ecx                                |0040338E | push edx                                |0040338F | mov dword ptr ss:[ebp-74],5             |00403396 | fstp qword ptr ss:[ebp-1B4]             |0040339C | fsub qword ptr ss:[ebp-1B4]             |004033A2 | fstp qword ptr ss:[ebp-6C]              |004033A5 | fnstsw ax                               |004033A7 | test al,D                               |
>>> 49*432.4*17.79/15
25128.493599999998
>>> 25128 - 0x31*0x19
23903
>>> hex(23903)
'0x5d5f'

第三个算法

  loc_004033AF: var_84 = Hex(var_6C)
>>> hex(25128)
'0x6228'

第四个算法

  loc_00403464: var_40 = Text1.Text  loc_00403499: Asc(var_3C) = Asc(var_3C) * Len(var_40)  loc_004034B2: Asc(var_3C) = Asc(var_3C) - 0000001Bh  loc_004034C1: var_FC = Asc(var_3C)
00403464 | call dword ptr ds:[eax+A0]              |0040346A | test eax,eax                            |0040346C | fnclex                                  |0040346E | jge colormaster.403482                  |00403470 | push A0                                 |00403475 | push colormaster.401E94                 |0040347A | push ebx                                |0040347B | push eax                                |0040347C | call dword ptr ds:[<&__vbaHresultCheckO |00403482 | mov edx,dword ptr ss:[ebp-3C]           |00403485 | push edx                                |00403486 | call dword ptr ds:[<&rtcAnsiValueBstr>] |0040348C | movsx ebx,ax                            |0040348F | mov eax,dword ptr ss:[ebp-40]           |00403492 | push eax                                |00403493 | call dword ptr ds:[<&__vbaLenBstr>]     |00403499 | imul ebx,eax                            |0040349C | mov ecx,dword ptr ss:[ebp-154]          |004034A2 | mov dword ptr ss:[ebp-104],3            |004034AC | jo colormaster.403880                   |004034B2 | sub ebx,1B                              |004034B5 | lea edx,dword ptr ss:[ebp-F4]           |004034BB | jo colormaster.403880                   |004034C1 | mov dword ptr ss:[ebp-FC],ebx           |004034C7 | mov ebx,dword ptr ds:[ecx]              |004034C9 | lea eax,dword ptr ss:[ebp-84]           |
>>> 0x31 * 5 - 0x1b
218

第五个算法
这里写图片描述
25128 + ord(s[0]) == 25177
第六个算法

  loc_0040369F: var_3C = var_2C & CStr(Len(var_30)) & "-CM"

251775D5F62282185-CM

最后把上面六段结果按顺序拼接起来,写出注册机。可以看到,注册码只取决于用户名第一个字符的ASCII码和用户名的长度:

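def make_serial(name):
    """Rebuild the serial derived in this walkthrough for the crackme.

    The serial is the concatenation of six pieces, all computed from the
    character code of the first character of ``name`` (f) and ``len(name)``:

      1. s + f                  (decimal)
      2. s - 0x19 * f           (hexadecimal)
      3. s                      (hexadecimal)
      4. f * len(name) - 0x1b   (decimal)
      5. len(name)              (decimal)
      6. the literal "-CM"

    where s = int(f * 432.4 * 17.79 / 15); the two constants are the values
    observed in the debugger in the write-up.

    Raises:
        ValueError: if ``name`` has fewer than 5 characters. The program's own
            message says the name must have at least 5 characters, and an
            empty name has no first character to work with.
    """
    if len(name) < 5:
        raise ValueError("name must be at least 5 characters")

    # NOTE(review): VB's Asc() returns the ANSI code; ord() agrees for ASCII
    # names only - non-ASCII names are not covered by the walkthrough.
    f = ord(name[0])
    # int() truncates toward zero, like the Fix() call in the decompiled code.
    s = int(f * 432.4 * 17.79 / 15)

    # VB's Hex() produces upper-case digits, and the serial worked out by hand
    # in the write-up is "251775D5F62282185-CM", so format with %X rather than
    # hex(), which would give lower-case digits.
    pieces = [
        str(s + f),
        "%X" % (s - 0x19 * f),
        "%X" % s,
        str(f * len(name) - 0x1b),
        str(len(name)),
        "-CM",
    ]
    return "".join(pieces)


if __name__ == "__main__":
    # raw_input only exists on Python 2; fall back to input on Python 3.
    try:
        read_line = raw_input
    except NameError:
        read_line = input
    print(make_serial(read_line("name:")))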

这里写图片描述
