起手
追注册码
爆破就跳过吧.
对于,VB.Decompiler这个软件的反汇编真是又爱又恨,伪代码降低阅读的难度,当然错误也不少,比如这种代码是不可能对的.所以还是打开对照着aid慢慢看.
loc_004024C1: var_18 = Serial.Text
loc_004024DE: call var_C0(Me, Me)
loc_004024F4: var_1C = Serial.Text
loc_00402530: var_20 = "AKA-" & var_1C
loc_0040254A: esi = (var_18 = var_20) + 1
loc_0040258B: If (var_18 = var_20) + 1 = 0 Then GoTo loc_004025E5
loc_004025AB: var_34 = "You Get It" & "vbCrLf" & "KeyGen It Now"
- 从代码风格上来看,作者肯定没有进行变量声明,导致代码中大量的VARIANT类型数据,内存处理函数一大堆,极大地增加了阅读难度.
.text:004023D2
.text:004023D2 loc_4023D2:
.text:004023D2 push esi
.text:004023D3 call dword ptr [ebp-0C4h]
.text:004023D9 lea edx, [ebp-28h]
.text:004023DC push eax
.text:004023DD push edx
.text:004023DE call ds:__vbaObjSet
.text:004023E4 mov ebx, eax
.text:004023E6 lea ecx, [ebp-1Ch]
.text:004023E9 push ecx
.text:004023EA push ebx
.text:004023EB mov eax, [ebx]
.text:004023ED call dword ptr [eax+0A0h] ; 读文本框字符到ebp-1ch中
.text:004023F3 cmp eax, edi
.text:004023F5 jge short loc_402409
.text:00402409
.text:00402409 loc_402409:
.text:00402409 mov edx, [ebp-0B0h]
.text:0040240F mov eax, [ebp-1Ch]
.text:00402412 push eax
.text:00402413 mov ebx, [edx]
.text:00402415 call ds:__vbaLenBstr
.text:0040241B mov edi, eax
.text:0040241D mov ecx, [ebp-18h]
.text:00402420 imul edi, 17CFBh ; 取出Name的长度 x 97531
.text:00402426 push ecx
.text:00402427 jo loc_4026BE
.text:0040242D call ds:rtcAnsiValueBstr
.text:00402433 movsx edx, ax
.text:00402436 add edi, edx ; 和Name的第一个字符Ascii相加
.text:00402438 jo loc_4026BE
.text:0040243E push edi
.text:0040243F call ds:__vbaStrI4 ; 变成字符串
.text:00402445 mov edx, eax
.text:00402447 lea ecx, [ebp-20h]
.text:0040244A call ds:__vbaStrMove
.text:00402450 mov edi, [ebp-0B0h] ; 隐藏文本框对象指针
.text:00402456 push eax
.text:00402457 push edi
.text:00402458 call dword ptr [ebx+0A4h] ; 保存在一个影藏的文本框中
.text:0040245E test eax, eax
.text:00402460 jge short loc_402474
.text:004024DD
.text:004024DD loc_4024DD:
.text:004024DD push esi
.text:004024DE call dword ptr [ebp-0C0h]
.text:004024E4 push eax
.text:004024E5 lea eax, [ebp-28h]
.text:004024E8 push eax
.text:004024E9 call ebx ; __vbaObjSet
.text:004024EB mov esi, eax
.text:004024ED lea edx, [ebp-1Ch]
.text:004024F0 push edx
.text:004024F1 push esi
.text:004024F2 mov ecx, [esi]
.text:004024F4 call dword ptr [ecx+0A0h] ; 吧算好的注册码拿出来
.text:004024FA test eax, eax
.text:004024FC jge short loc_402510
.text:00402510
.text:00402510 loc_402510:
.text:00402510 mov eax, [ebp-18h]
.text:00402513 mov ecx, [ebp-1Ch]
.text:00402516 mov edi, ds:__vbaStrCat
.text:0040251C push eax
.text:0040251D push offset aAka ; "AKA-"
.text:00402522 push ecx ; 和AKA组合
.text:00402523 call edi ; __vbaStrCat
.text:00402525 mov ebx, ds:__vbaStrMove
.text:0040252B mov edx, eax
.text:0040252D lea ecx, [ebp-20h]
.text:00402530 call ebx ; __vbaStrMove
.text:00402532 push eax
.text:00402533 call ds:__vbaStrCmp ; 对比,注册码
.text:00402539 mov esi, eax
.text:0040253B lea edx, [ebp-20h]
注册机
很简单,追算法可一点不简单.
Function Regcode(userName As String) As String
Regcode = "AKA-" & (Len(userName) * 97531 + Asc(userName))
End Function
总结
看来VB程序还真是安全呢,一个简单的程序就能把人累到半死,特别是中间部分(我怀疑是作者故意的),放入文本框,一顿乱搞后在从文本框把字符串再拿出来......变成汇编就是下边这种样子:追码的人可以说是瞬间蒙圈,贴出来大家欣赏下
.text:00402474
.text:00402474 loc_402474:
.text:00402474 lea eax, [ebp-20h]
.text:00402477 lea ecx, [ebp-1Ch]
.text:0040247A push eax
.text:0040247B lea edx, [ebp-18h]
.text:0040247E push ecx
.text:0040247F push edx
.text:00402480 push 3
.text:00402482 call ds:__vbaFreeStrList
.text:00402488 add esp, 10h
.text:0040248B lea eax, [ebp-2Ch]
.text:0040248E lea ecx, [ebp-28h]
.text:00402491 lea edx, [ebp-24h]
.text:00402494 push eax
.text:00402495 push ecx
.text:00402496 push edx
.text:00402497 push 3
.text:00402499 call ds:__vbaFreeObjList
.text:0040249F mov eax, [esi]
.text:004024A1 add esp, 10h
.text:004024A4 push esi
.text:004024A5 call dword ptr [eax+304h]
.text:004024AB mov ebx, ds:__vbaObjSet
.text:004024B1 push eax
.text:004024B2 lea eax, [ebp-24h]
.text:004024B5 push eax
.text:004024B6 call ebx ; __vbaObjSet
.text:004024B8 mov edi, eax
.text:004024BA lea edx, [ebp-18h]
.text:004024BD push edx
.text:004024BE push edi
.text:004024BF mov ecx, [edi]
.text:004024C1 call dword ptr [ecx+0A0h]
.text:004024C7 test eax, eax
.text:004024C9 jge short loc_4024DD
疑问
有人知道怎么强制调整ida的栈帧大小么?比如把下边这个栈帧调整成300.
原因很简单,不是所有的程序块都是完整的sub,有的可能是一个loc,ida根本不会自动建立栈帧,也就没法命名局部变量了.
-00000274 ; D/A/* : change type (data/ascii/array)
-00000274 ; N : rename
-00000274 ; U : undefine
-00000274 ; Use data definition commands to create local variables and function arguments.
-00000274 ; Two special fields " r" and " s" represent return address and saved registers.
-00000274 ; Frame size: 274; Saved regs: 4; Purge: 8
-00000274 ;
-00000274
-00000274 db ? ; undefined
-00000273 db ? ; undefined
-00000272 db ? ; undefined
-00000271 db ? ; undefined
-00000270 db ? ; undefined
-0000026F db ? ; undefined
-0000026E db ? ; undefined
-0000026D db ? ; undefined
-0000026C db ? ; undefined
-0000026B db ? ; undefined
-0000026A db ? ; undefined
发表于 2021-1-11 22:30
