Crack for Newbies Crackme v2.0
1,请把壳去掉2,请不要爆破
3,请写出详细分析过程
4,请写出注册机源码
5,请帖上编译好的注册机
6,做出的话,可以得到 v1.0
7,暂时没想到:)
[ 本帖最后由 冷血书生 于 2006-7-28 03:31 编辑 ] crackme还放壳..... 这个跟偶的crackme有虾米区别,就是多了个鸡蛋壳 原帖由 joker27 于 2006-7-28 12:55 发表
这个跟偶的crackme有虾米区别,就是多了个鸡蛋壳
没啥区别啊!我也只会写这么简单的东西!:$ 原帖由 Rcracker 于 2006-7-28 09:47 发表
大概分析一下,没写出详细过程,让大家再玩玩。
在004011c0处脱壳
004029F4 > \8B45 E8 MOV EAX,DWORD PTR SS:
004029F7 .8B4D E4 MOV ECX,DWORD PTR SS:
...
正确! Microsoft Visual Basic 5.0 / 6.0哦也脱掉拉,在11C0
偶怎么看不出来是什么壳??
上面都用什么工具看滴??
[ 本帖最后由 网游难民 于 2006-7-28 14:32 编辑 ] 不用管它是鸡或鸭,用手脱就行了。这个ME很简单几分钟就能搞定。
差点忘了,冷血你的奥迪V1.0呢?打包空运给我吧。/:D/:D/:D不就500000RMB吗,对你来说不就是九牛一毛吗!:L:L:L
[ 本帖最后由 Rcracker 于 2006-7-28 16:42 编辑 ] 用OD载入后停在这里:
00401000 >/$68 5D5C4000 PUSH Newbies_.00405C5D----------停在这里
00401005|.E8 01000000 CALL Newbies_.0040100B----------F8到这里后F7跟进
0040100A\.C3 RETN
=================================================================
F7跟后一直F8到这里:
00405C6F 60 PUSHAD
00405C70 E8 00000000 CALL Newbies_.00405C75--------F8到这里后使用ESP定律。
00405C75 5E POP ESI
=====================================================
ESP定律后来到这里:
00405C5D B8 C0110000 MOV EAX,11C0---------------停到这里
00405C62 BA 00004000 MOV EDX,Newbies_.00400000
00405C67 03C2 ADD EAX,EDX
00405C69 FFE0 JMP EAX-------------------F8到这里,跟进;
00405C6B B1 15 MOV CL,15
======================================================
到达这里:
004011C0 68 DB 68 --------------------------OEP,在这里脱壳。
004011C1 E8 DB E8
004011C2 1C DB 1C
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
用OD载入脱壳后程序,下bp __vbaStrCmp断点,F9运行来到这里:
堆栈框提示:
0012F430 0040295A返回到 11C0.0040295A 来自 MSVBVM60.__vbaStrCmp---------这里反汇编窗口跟随。
0012F434 004021A411C0.004021A4
0012F438 0014D564UNICODE "goqq2008"
=================================================
来到了这里:
00402954 .FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp
0040295A .8BF8 MOV EDI,EAX------------------------------------来到了这里,F4运行到所选,F8单步
0040295C .8D4D E8 LEA ECX,DWORD PTR SS:
0040295F .F7DF NEG EDI
00402961 .1BFF SBB EDI,EDI
00402963 .47 INC EDI
00402964 .F7DF NEG EDI
00402966 .FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0040296C .8D4D E0 LEA ECX,DWORD PTR SS:
0040296F .FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
00402975 .66:3BFB CMP DI,BX
00402978 .0F85 1D010000 JNZ 11C0.00402A9B
0040297E .8B0E MOV ECX,DWORD PTR DS:
00402980 .56 PUSH ESI
00402981 .FF91 08030000 CALL DWORD PTR DS:
00402987 .8D55 E0 LEA EDX,DWORD PTR SS:
0040298A .50 PUSH EAX
0040298B .52 PUSH EDX
0040298C .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
00402992 .8BF8 MOV EDI,EAX
00402994 .8D4D E8 LEA ECX,DWORD PTR SS:
00402997 .51 PUSH ECX
00402998 .57 PUSH EDI
00402999 .8B07 MOV EAX,DWORD PTR DS:
0040299B .FF90 A0000000 CALL DWORD PTR DS:
004029A1 .3BC3 CMP EAX,EBX
004029A3 .DBE2 FCLEX
004029A5 .7D 12 JGE SHORT 11C0.004029B9
004029A7 .68 A0000000 PUSH 0A0
004029AC .68 90214000 PUSH 11C0.00402190
004029B1 .57 PUSH EDI
004029B2 .50 PUSH EAX
004029B3 .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004029B9 >8B16 MOV EDX,DWORD PTR DS:
004029BB .56 PUSH ESI
004029BC .FF92 04030000 CALL DWORD PTR DS:
004029C2 .50 PUSH EAX
004029C3 .8D45 DC LEA EAX,DWORD PTR SS:
004029C6 .50 PUSH EAX
004029C7 .FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
004029CD .8BF0 MOV ESI,EAX
004029CF .8D55 E4 LEA EDX,DWORD PTR SS:
004029D2 .52 PUSH EDX
004029D3 .56 PUSH ESI
004029D4 .8B0E MOV ECX,DWORD PTR DS:
004029D6 .FF91 A0000000 CALL DWORD PTR DS:
004029DC .3BC3 CMP EAX,EBX
004029DE .DBE2 FCLEX
004029E0 .7D 12 JGE SHORT 11C0.004029F4
004029E2 .68 A0000000 PUSH 0A0
004029E7 .68 90214000 PUSH 11C0.00402190
004029EC .56 PUSH ESI
004029ED .50 PUSH EAX
004029EE .FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004029F4 >8B45 E8 MOV EAX,DWORD PTR SS: ;试练码
004029F7 .8B4D E4 MOV ECX,DWORD PTR SS: ;用户名
004029FA .50 PUSH EAX
004029FB .51 PUSH ECX
004029FC .FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;关键CALL(1),F7跟进。
00402A02 .8BF0 MOV ESI,EAX
00402A04 .8D55 E4 LEA EDX,DWORD PTR SS:
00402A07 .F7DE NEG ESI
00402A09 .1BF6 SBB ESI,ESI
00402A0B .8D45 E8 LEA EAX,DWORD PTR SS:
00402A0E .52 PUSH EDX
00402A0F .46 INC ESI
00402A10 .50 PUSH EAX
00402A11 .6A 02 PUSH 2
00402A13 .F7DE NEG ESI
00402A15 .FF15 74104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
00402A1B .8D4D DC LEA ECX,DWORD PTR SS:
00402A1E .8D55 E0 LEA EDX,DWORD PTR SS:
00402A21 .51 PUSH ECX
00402A22 .52 PUSH EDX
00402A23 .6A 02 PUSH 2
00402A25 .FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObjList
00402A2B .83C4 18 ADD ESP,18
00402A2E .66:3BF3 CMP SI,BX
00402A31 .74 68 JE SHORT 11C0.00402A9B ;关键跳转,爆破就在这里。
00402A33 .B9 04000280 MOV ECX,80020004
00402A38 .B8 0A000000 MOV EAX,0A
===========================================================================================
关键CALL(1):
733B4813 >FF7424 08 PUSH DWORD PTR SS:
733B4817 FF7424 08 PUSH DWORD PTR SS:
733B481B 6A 00 PUSH 0
733B481D E8 03000000 CALL MSVBVM60.__vbaStrComp---------------关键CALL(2),跟进。
733B4822 C2 0800 RETN 8
============================================================================================
关键CALL(2):
733B4813 >FF7424 08 PUSH DWORD PTR SS:
733B4817 FF7424 08 PUSH DWORD PTR SS:
733B481B 6A 00 PUSH 0
733B481D E8 03000000 CALL MSVBVM60.__vbaStrComp--------------关键CALL(3),跟进。
733B4822 C2 0800 RETN 8
===============================================================
关键CALL(3):
733B4825 >837C24 04 02 CMP DWORD PTR SS:,2
733B482A 0F84 DB2C0200 JE MSVBVM60.733D750B
733B4830 68 01000300 PUSH 30001
733B4835 FF7424 08 PUSH DWORD PTR SS:
733B4839 FF7424 10 PUSH DWORD PTR SS:
733B483D FF7424 18 PUSH DWORD PTR SS:
733B4841 FF15 840E4A73 CALL DWORD PTR DS: ; 关键CALL(4),跟进。
733B4847 85C0 TEST EAX,EAX
733B4849 0F8C C32C0200 JL MSVBVM60.733D7512
733B484F 48 DEC EAX
733B4850 C2 0C00 RETN 0C
===============================================================
关键CALL(4):
77100328 >8BFF MOV EDI,EDI
7710032A 55 PUSH EBP
7710032B 8BEC MOV EBP,ESP
7710032D 53 PUSH EBX
7710032E 56 PUSH ESI
7710032F 8B75 08 MOV ESI,DWORD PTR SS:
77100332 57 PUSH EDI
77100333 56 PUSH ESI
77100334 E8 6F49FFFF CALL OLEAUT32.SysStringByteLen
77100339 8B7D 0C MOV EDI,DWORD PTR SS:
7710033C 8BD8 MOV EBX,EAX
7710033E 57 PUSH EDI
7710033F 895D 08 MOV DWORD PTR SS:,EBX
77100342 E8 6149FFFF CALL OLEAUT32.SysStringByteLen
77100347 3BD8 CMP EBX,EAX
77100349 8945 0C MOV DWORD PTR SS:,EAX
7710034C 72 02 JB SHORT OLEAUT32.77100350
7710034E 8BD8 MOV EBX,EAX
77100350 8B4D 10 MOV ECX,DWORD PTR SS:
77100353 85C9 TEST ECX,ECX
77100355 75 24 JNZ SHORT OLEAUT32.7710037B
77100357 85DB TEST EBX,EBX
77100359 74 2E JE SHORT OLEAUT32.77100389
7710035B 8BC3 MOV EAX,EBX
7710035D D1E8 SHR EAX,1
7710035F 50 PUSH EAX
77100360 57 PUSH EDI
77100361 56 PUSH ESI
77100362 E8 50000000 CALL OLEAUT32.771003B7----------------------------关键CALL(5),跟进。
77100367 85C0 TEST EAX,EAX
77100369 7F 0B JG SHORT OLEAUT32.77100376
7710036B 7D 6C JGE SHORT OLEAUT32.771003D9
7710036D 33C0 XOR EAX,EAX
======================================================================
关键CALL(5):
771003B7 8BFF MOV EDI,EDI
771003B9 55 PUSH EBP
771003BA 8BEC MOV EBP,ESP
771003BC 56 PUSH ESI
771003BD 57 PUSH EDI
771003BE 8B7D 0C MOV EDI,DWORD PTR SS:---------------------用户名放入EDI
771003C1 8B75 08 MOV ESI,DWORD PTR SS:----------------------试练码放入ESI
771003C4 8B4D 10 MOV ECX,DWORD PTR SS:---------------------试练码位数放入ECX
771003C7 33C0 XOR EAX,EAX--------------------------------------EAX清0。
771003C9 F3:66:A7 REPE CMPS WORD PTR ES:,WORD PTR DS:>-----------------关键比较,比较用户名前n(试练码)位数和注册玛是否相等。
771003CC 74 05 JE SHORT OLEAUT32.771003D3---------------------关键跳转,爆破点一。
771003CE 1BC0 SBB EAX,EAX
771003D0 83D8 FF SBB EAX,-1
================================================================
爆破后一直F8来到这里:
77100389 3945 08 CMP DWORD PTR SS:,EAX
7710038C^ 77 E8 JA SHORT OLEAUT32.77100376-------------------------爆破点2,比较用户名和注册玛长度是否相等。
7710038E 1BC0 SBB EAX,EAX
77100390 40 INC EAX
77100391^ EB DC JMP SHORT OLEAUT32.7710036F
77100393 8BF8 MOV EDI,EAX
==========================================================================
算法总结:
有爆破点一和二可知道,要求用户名和注册码相等即注册成功!!!!!
冷血兄和我们开了个玩笑~~
冷血兄,这个是你自己写给紫月雨的注册机源码,偶还给你啊~~~~;P;P;P
VB注册机源码:
Private Sub Command1_Click()
Text2.Text = Text1.Text
End Sub
[ 本帖最后由 网游难民 于 2006-7-29 04:23 编辑 ] 呵呵。。。。。。
页:
[1]