160个CrackMe之025

进入程序主界面后有 5 秒倒计时,之后 Continue 按钮激活。点击进入,输入一个任意的测试码(如 1234;下方反汇编注释里记录的那次输入是 12345),弹出错误框。此时不要点击"确定"——错误框处于模态等待状态,rtcMsgBox 的调用帧仍在栈上。返回 OD 暂停(F12),点击堆栈 K 小图标(Ctrl+K,调用栈),找到调用 rtcMsgBox 的那一帧(call 位于 004057C6)并跳转过去:

; OllyDbg disassembly excerpt of CodeZero.exe (VB5, MSVBVM50 runtime), Intel syntax,
; 32-bit Win32: ebx/esi/edi are callee-saved, so esi survives the runtime calls below.
; The enclosing routine starts above this excerpt; only the serial-check tail that
; ends in rtcMsgBox is shown. Two entry paths are visible: the fall-in path at
; 004056C4 and the jump target at 004056EB, each with its own esi value set above.
; ebx is compared against as if it held 0 (presumably zeroed earlier -- confirm in
; the full listing). esi holds the compare verdict from 0040572B to 0040574F, then
; a VARIANT type tag for the MsgBox arguments.
004056C4   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]                  ;  edx = src VARIANT, ecx = dst VARIANT for __vbaVarDup
004056C7   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004056CA   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
004056CD   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
004056D0   .  C745 8C 68264>mov dword ptr ss:[ebp-0x74],CodeZero.00402668    ;  VB Crack-Me 1.0 by CodeZero
004056D7   .  8975 84       mov dword ptr ss:[ebp-0x7C],esi
004056DA   .  E8 63BAFFFF   call <jmp.&MSVBVM50.__vbaVarDup>
004056DF   .  C745 9C 1C264>mov dword ptr ss:[ebp-0x64],CodeZero.0040261C    ;  Please enter the registation code.
004056E6   .  E9 BB000000   jmp CodeZero.004057A6                            ;  presumably the empty-input path (its test is above the excerpt); joins the 0x10-style MsgBox tail
004056EB   >  FF75 08       push dword ptr ss:[ebp+0x8]                      ;  [ebp+8] = first arg (presumably the form object)
004056EE   .  FFD6          call esi                                         ;  esi = runtime helper loaded above the excerpt (not the esi of 004056D7)
004056F0   .  50            push eax
004056F1   .  8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
004056F4   .  50            push eax
004056F5   .  E8 66BAFFFF   call <jmp.&MSVBVM50.__vbaObjSet>                 ;  [ebp-0x1C] = object ref, also returned in eax
004056FA   .  8BF0          mov esi,eax
004056FC   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004056FF   .  51            push ecx                                         ;  out BSTR* -> [ebp-0x18]
00405700   .  56            push esi                                         ;  this
00405701   .  8B06          mov eax,dword ptr ds:[esi]                       ;  eax = vtable
00405703   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]                     ;  COM getter at vtable slot 0xA0 -- presumably TextBox.Text; HRESULT in eax
00405709   .  3BC3          cmp eax,ebx                                      ;  HRESULT < 0 (ebx treated as 0) means the call failed
0040570B   .  7D 11         jge short CodeZero.0040571E
0040570D   .  68 A0000000   push 0xA0
00405712   .  68 00264000   push CodeZero.00402600
00405717   .  56            push esi
00405718   .  50            push eax
00405719   .  E8 3CBAFFFF   call <jmp.&MSVBVM50.__vbaHresultCheckObj>        ;  raise the VB runtime error for the failed call
0040571E   >  FF75 E8       push dword ptr ss:[ebp-0x18]                     ;  entered serial (12345 in this session)
00405721   .  68 A4264000   push CodeZero.004026A4                           ;  55555 -- the expected serial, a plaintext constant in the image
00405726   .  E8 3BBAFFFF   call <jmp.&MSVBVM50.__vbaStrCmp>                 ;  string compare: eax = 0 iff equal (see verdict handling below)
0040572B   .  8BF0          mov esi,eax
0040572D   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00405730   .  F7DE          neg esi                                          ;  next four instructions turn eax into a VB Boolean:
00405732   .  1BF6          sbb esi,esi                                      ;  eax == 0 -> esi = -1 (True: serial matches)
00405734   .  46            inc esi                                          ;  eax != 0 -> esi = 0  (False: mismatch)
00405735   .  F7DE          neg esi
00405737   .  E8 18BAFFFF   call <jmp.&MSVBVM50.__vbaFreeStr>                ;  free the temp BSTR at [ebp-0x18]
0040573C   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040573F   .  E8 0ABAFFFF   call <jmp.&MSVBVM50.__vbaFreeObj>                ;  release the object ref; esi (verdict) is callee-saved
00405744   .  6A 0A         push 0xA                                         ;  eax = 0xA (presumably VT_ERROR for omitted optional MsgBox args)
00405746   .  66:3BF3       cmp si,bx                                        ;  THE test: ZF=1 when verdict == 0 (mismatch). Nothing below
00405749   .  58            pop eax                                          ;  touches flags until the je at 0040576E (pop/mov/lea preserve them)
0040574A   .  B9 04000280   mov ecx,0x80020004                               ;  presumably DISP_E_PARAMNOTFOUND, paired with the VT_ERROR tag
0040574F   .  6A 08         push 0x8                                         ;  esi = 8 (presumably VT_BSTR for the prompt/title VARIANTs)
00405751   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
00405754   .  5E            pop esi
00405755   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00405758   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
0040575B   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0040575E   .  C745 8C 68264>mov dword ptr ss:[ebp-0x74],CodeZero.00402668    ;  VB Crack-Me 1.0 by CodeZero
00405765   .  8975 84       mov dword ptr ss:[ebp-0x7C],esi
00405768   .  8D55 84       lea edx,dword ptr ss:[ebp-0x7C]
0040576B   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
0040576E      74 2A         je short CodeZero.0040579A                       ;  key jump: taken on mismatch -> "Invalid unlock code"; fall through -> success. nop/jne flips the verdict, but the real answer is the constant at 004026A4
00405770   .  E8 CDB9FFFF   call <jmp.&MSVBVM50.__vbaVarDup>
00405775   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00405778   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
0040577B   .  C745 9C B4264>mov dword ptr ss:[ebp-0x64],CodeZero.004026B4    ;  Congratulations! you've really made it :-)
00405782   .  8975 94       mov dword ptr ss:[ebp-0x6C],esi
00405785   .  E8 B8B9FFFF   call <jmp.&MSVBVM50.__vbaVarDup>
0040578A   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
0040578D   .  50            push eax
0040578E   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
00405791   .  50            push eax
00405792   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
00405795   .  50            push eax
00405796   .  6A 40         push 0x40                                        ;  MsgBox style for the success path (0x40 -- presumably vbInformation)
00405798   .  EB 28         jmp short CodeZero.004057C2                      ;  join the shared rtcMsgBox call
0040579A   >  E8 A3B9FFFF   call <jmp.&MSVBVM50.__vbaVarDup>                 ;  mismatch path
0040579F   .  C745 9C 10274>mov dword ptr ss:[ebp-0x64],CodeZero.00402710    ;  Invalid unlock code, please try again.
004057A6   >  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]                  ;  shared tail for both error messages (also reached from 004056E6)
004057A9   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004057AC   .  8975 94       mov dword ptr ss:[ebp-0x6C],esi
004057AF   .  E8 8EB9FFFF   call <jmp.&MSVBVM50.__vbaVarDup>
004057B4   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
004057B7   .  50            push eax
004057B8   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004057BB   .  50            push eax
004057BC   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004057BF   .  50            push eax
004057C0   .  6A 10         push 0x10                                        ;  MsgBox style for the error paths (0x10 -- presumably vbCritical)
004057C2   >  8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
004057C5   .  50            push eax
004057C6   .  E8 7DB9FFFF   call <jmp.&MSVBVM50.#rtcMsgBox_595>              ;  message box call; this is the frame Ctrl+K shows while the box is still open

通过分析可知,序列号为固定值 55555:程序在 00405726 处直接调用 __vbaStrCmp,把输入与 CodeZero.004026A4 处的明文常量字符串逐字比较,中间没有任何变换,因此这个序列号也可以直接从程序的字符串表里读出来;0040576E 处的 je 只决定弹出哪一个提示框,把它改成 nop 或 jne 也能绕过比较,但这只是改掉判断,并没有得到真正的序列号。

现在要屏蔽掉开始的计时器:

通过 VBExplorer 工具可以看到程序有 3 个窗体,结合各窗体的属性信息可以确定:Form1 为输入注册码的窗口,即主窗口;Form2 为倒计时的窗口;Form3 为点击"关于"按钮时弹出的窗口(与破解无关)。Form1 有三个事件,找到其中的 Form_Load 事件,地址为 00405905,将该地址处的第一条指令汇编为 retn。推测倒计时窗口正是在 Form1 的 Form_Load 中被显示的,所以在段首直接返回即可跳过它;但注意这样也会跳过 Form_Load 中的其他初始化代码,补丁后需确认主窗口和注册码检查仍正常工作。另外,VB 编译出的事件过程通常带 this 参数并由被调用方清栈(段尾一般是 retn 4 而不是 retn),改之前先看一下原过程结尾用的是哪种形式并保持一致,以免栈不平衡;00405905 这个地址也只对本二进制有效,换版本需重新定位。

去 nag 窗口:Form1 窗体 Load 事件段首 ret(即把 00405905 处改为 retn,见上文)。
