160 x Crackme 009 andrénalin.2

Source: Internet
Author: User

To tell the truth, this crackme annoyed me quite a bit...

All right, let's go. First, a test run:

What on earth is this dialog box supposed to be?

In OllyDbg (OD), search for all referenced text strings, then look up what these odd strings mean:


German. "Richtig!" is "Correct!", "Leider falsch! Nochmal versuchen!" is "Wrong, unfortunately! Try again!", so the author is presumably German...

Follow the string reference to the key location, and just above it is:

__vbaVarTstEq, the variant comparison function.
So find the conditional jump after it, work out which branch is the good one, NOP the jump out, dump the patched program under a new name, and the brain-dead patch is done:

OK, now for the algorithm. I'm not familiar with the VB runtime (MSVBVM50) functions, so I searched Baidu for a blog that explains them and worked through it alongside the disassembly:

004020EC  . 8D55 BC         lea edx,dword ptr ss:[ebp-0x44]
004020EF  . 51              push ecx                                          ; /Step8 = 0019F228
004020F0  . 8D45 94         lea eax,dword ptr ss:[ebp-0x6C]                   ; |
004020F3  . BB 02000000     mov ebx,0x2                                       ; |
004020F8  . 52              push edx                                          ; |Var18 = 00000058
004020F9  . 50              push eax                                          ; |RetBuffer8 = 0019F228
004020FA  . 899D 54FFFFFF   mov dword ptr ss:[ebp-0xAC],ebx                   ; |
00402100  . 899D 44FFFFFF   mov dword ptr ss:[ebp-0xBC],ebx                   ; |
00402106  . FF15 18414000   call dword ptr ds:[<&MSVBVM50.__vbaLenVar>]       ; \__vbaLenVar
0040210C  . 8D8D 44FFFFFF   lea ecx,dword ptr ss:[ebp-0xBC]
00402112  . 50              push eax                                          ; /End8 = 0019F228
00402113  . 8D95 E8FEFFFF   lea edx,dword ptr ss:[ebp-0x118]                  ; |
00402119  . 51              push ecx                                          ; |Start8 = 0019F228
0040211A  . 8D85 F8FEFFFF   lea eax,dword ptr ss:[ebp-0x108]                  ; |
00402120  . 52              push edx                                          ; |TmpEnd8 = 00000058
00402121  . 8D4D DC         lea ecx,dword ptr ss:[ebp-0x24]                   ; |
00402124  . 50              push eax                                          ; |TmpStep8 = 0019F228
00402125  . 51              push ecx                                          ; |Counter8 = 0019F228
00402126  . FF15 20414000   call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>]   ; \__vbaVarForInit
0040212C  . 8B3D 04414000   mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ; MSVBVM50.__vbaFreeVarList
00402132  > 85C0            test eax,eax
00402134  . 0F84 9C000000   je Andréna.004021D6
0040213A  . 8D55 94         lea edx,dword ptr ss:[ebp-0x6C]
0040213D  . 8D45 DC         lea eax,dword ptr ss:[ebp-0x24]
00402140  . 52              push edx
00402141  . 50              push eax
00402142  . C745 9C 01000>  mov dword ptr ss:[ebp-0x64],0x1                   ; variant data = 1 (the count argument of Mid)
00402149  . 895D 94         mov dword ptr ss:[ebp-0x6C],ebx                   ; variant type = 2 (VT_I2)
0040214C  . FF15 90414000   call dword ptr ds:[<&MSVBVM50.__vbaI4Var>]        ; MSVBVM50.__vbaI4Var
00402152  . 8D4D BC         lea ecx,dword ptr ss:[ebp-0x44]                   ; the counter variant is converted to a Long; eax gets incremented here, not sure why
00402155  . 50              push eax                                          ; /Start = 0x19F228
00402156  . 8D55 84         lea edx,dword ptr ss:[ebp-0x7C]                   ; |
00402159  . 51              push ecx                                          ; |String8 = 0019F228
0040215A  . 52              push edx                                          ; |RetBuffer = 00000058
0040215B  . FF15 38414000   call dword ptr ds:[<&MSVBVM50.#632>]              ; \rtcMidCharVar
00402161  . 8D45 84         lea eax,dword ptr ss:[ebp-0x7C]                   ; rtcMidCharVar is VB's Mid("string", start position, number of characters)
00402164  . 8D4D A8         lea ecx,dword ptr ss:[ebp-0x58]
00402167  . 50              push eax                                          ; /String8 = 0019F228
00402168  . 51              push ecx                                          ; |Arg2 = 0019F228
00402169  . FF15 70414000   call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]    ; \__vbaStrVarVal
0040216F  . 50              push eax                                          ; /String = ""
00402170  . FF15 0C414000   call dword ptr ds:[<&MSVBVM50.#516>]              ; \rtcAnsiValueBstr
00402176  . 66:8985 4CFFFFFF mov word ptr ss:[ebp-0xB4],ax                    ; the character at that position, converted to its ASCII code
0040217D  . 8D55 CC         lea edx,dword ptr ss:[ebp-0x34]
00402180  . 8D85 44FFFFFF   lea eax,dword ptr ss:[ebp-0xBC]
00402186  . 52              push edx                                          ; /Var18 = 00000058
00402187  . 8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-0x8C]                   ; |
0040218D  . 50              push eax                                          ; |Var28 = 0019F228
0040218E  . 51              push ecx                                          ; |SaveTo8 = 0019F228
0040218F  . 899D 44FFFFFF   mov dword ptr ss:[ebp-0xBC],ebx                   ; |
00402195  . FF15 94414000   call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>]       ; \__vbaVarAdd
0040219B  . 8BD0            mov edx,eax
0040219D  . 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
004021A0  . FFD6            call esi                                          ; MSVBVM50.__vbaVarMove
004021A2  . 8D4D A8         lea ecx,dword ptr ss:[ebp-0x58]
004021A5  . FF15 B8414000   call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]      ; MSVBVM50.__vbaFreeStr
004021AB  . 8D55 84         lea edx,dword ptr ss:[ebp-0x7C]
004021AE  . 8D45 94         lea eax,dword ptr ss:[ebp-0x6C]
004021B1  . 52              push edx
004021B2  . 50              push eax
004021B3  . 53              push ebx
004021B4  . FFD7            call edi                                          ; MSVBVM50.__vbaFreeVarList
004021B6  . 83C4 0C         add esp,0xC
004021B9  . 8D8D E8FEFFFF   lea ecx,dword ptr ss:[ebp-0x118]
004021BF  . 8D95 F8FEFFFF   lea edx,dword ptr ss:[ebp-0x108]
004021C5  . 8D45 DC         lea eax,dword ptr ss:[ebp-0x24]
004021C8  . 51              push ecx                                          ; /TmpEnd8 = 0019F228
004021C9  . 52              push edx                                          ; |TmpStep8 = 00000058
004021CA  . 50              push eax                                          ; |Counter8 = 0019F228
004021CB  . FF15 AC414000   call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>]   ; \__vbaVarForNext
004021D1  .^E9 5CFFFFFF     jmp Andréna.00402132                              ; jump back: this is the loop
004021D6  > 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
004021D9  . 8D95 54FFFFFF   lea edx,dword ptr ss:[ebp-0xAC]
004021DF  . 51              push ecx                                          ; /Var18 = 0019F228
004021E0  . 8D45 94         lea eax,dword ptr ss:[ebp-0x6C]                   ; |
004021E3  . 52              push edx                                          ; |Var28 = 00000058
004021E4  . 50              push eax                                          ; |SaveTo8 = 0019F228
004021E5  . C785 5CFFFFFF>  mov dword ptr ss:[ebp-0xA4],0x499602D2            ; |variant data = 1234567890 decimal
004021EF  . C785 54FFFFFF>  mov dword ptr ss:[ebp-0xAC],0x3                   ; |variant type = 3 (VT_I4)
004021F9  . FF15 5C414000   call dword ptr ds:[<&MSVBVM50.__vbaVarMul>]       ; \__vbaVarMul
004021FF  . 8BD0            mov edx,eax                                       ; the two variants are multiplied
00402201  . 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]                   ; address where the result is stored
00402204  . FFD6            call esi                                          ; MSVBVM50.__vbaVarMove
00402206  . 8B1D A0414000   mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>] ; MSVBVM50.__vbaMidStmtVar
0040220C  . 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]

Frankly, I'm not good at analyzing VB in OllyDbg, and VB's peculiar way of passing everything around as variants leaves me in a fog, so I fell back on VB Decompiler:

Decompiled code:

Private Sub Command1_Click() '401FF0
  loc_00402092: var_58 = Text2.Text                        ' the name string that was entered
  loc_004020CA: var_44 = var_58
  loc_00402126: For var_24 = 1 To Len(var_44) Step 1       ' for (i = 1; i <= strlen(var_44); i++); Step is the loop increment
  loc_00402132:
  loc_00402134: If var_108 = 0 Then GoTo loc_004021D6
  loc_00402169: var_58 = CStr(Mid(var_44, CLng(var_24), 1))
  loc_00402176: var_B4 = Asc(var_58)
  loc_004021A0: var_34 = var_34 + Asc(var_58)              ' each byte of the name is converted to ASCII and added to var_34
  loc_004021CB: Next var_24
  loc_004021D1: GoTo loc_00402132
  loc_004021D6: ' Referenced from: 00402134
  loc_00402204: var_34 = var_34 * 1234567890               ' __vbaVarMul, variant multiplication
  loc_00402276: var_58 = Text1.Text
  loc_00402298: var_64 = var_58
  loc_004022CB: If (var_58 = var_34) = 0 Then GoTo loc_00402391   ' entered serial and correct serial differ: jump to the error box
  loc_004022D1: Beep
  loc_00402308: var_B4 = "Richtig!"
  loc_00402327: var_A4 = "RICHTIG!!!! ..... weiter mit dem Nächsten!!! "
  loc_00402374: var_54 = MsgBox("RICHTIG!!!! ..... weiter mit dem Nächsten!!! ", "Richtig! ", 10, 10)
  loc_0040238C: GoTo loc_00402446
  loc_00402391: ' Referenced from: 004022CB
  loc_004023C2: var_B4 = "LEiDER FALSCH!"
  loc_004023E1: var_A4 = "Leider falsch! Nochmal Veruschen! Wenn Du es nicht schaffen solltest, Schreib mir! [email protected]"
  loc_0040242E: var_54 = MsgBox("Leider falsch! Nochmal Veruschen! Wenn Du es nicht schaffen solltest, Schreib mir! [email protected]", "Leider Falsch! ", 10, 10)
  loc_00402446: ' Referenced from: 0040238C
  loc_00402459: GoTo loc_0040248F
  loc_0040248E: Exit Sub
  loc_0040248F: ' Referenced from: 00402459
  loc_004024C0: GoTo loc_00esi
End Sub

With that, the overall flow is reasonably clear. Back to the disassembly, piece by piece:

0040214C  . FF15 90414000   call dword ptr ds:[<&MSVBVM50.__vbaI4Var>]        ; MSVBVM50.__vbaI4Var
00402152  . 8D4D BC         lea ecx,dword ptr ss:[ebp-0x44]                   ; the counter variant is converted to a Long; eax gets incremented here, not sure why
00402155  . 50              push eax                                          ; /Start = 0x19F228
00402156  . 8D55 84         lea edx,dword ptr ss:[ebp-0x7C]                   ; |
00402159  . 51              push ecx                                          ; |String8 = 0019F228
0040215A  . 52              push edx                                          ; |RetBuffer = 00000058
0040215B  . FF15 38414000   call dword ptr ds:[<&MSVBVM50.#632>]              ; \rtcMidCharVar
00402161  . 8D45 84         lea eax,dword ptr ss:[ebp-0x7C]                   ; rtcMidCharVar is VB's Mid("string", start position, number of characters)
00402164  . 8D4D A8         lea ecx,dword ptr ss:[ebp-0x58]
00402167  . 50              push eax                                          ; /String8 = 0019F228
00402168  . 51              push ecx                                          ; |Arg2 = 0019F228
00402169  . FF15 70414000   call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]    ; \__vbaStrVarVal
0040216F  . 50              push eax                                          ; /String = ""
00402170  . FF15 0C414000   call dword ptr ds:[<&MSVBVM50.#516>]              ; \rtcAnsiValueBstr
00402176  . 66:8985 4CFFFFFF mov word ptr ss:[ebp-0xB4],ax                    ; the character at that position, converted to its ASCII code
0040217D  . 8D55 CC         lea edx,dword ptr ss:[ebp-0x34]
00402180  . 8D85 44FFFFFF   lea eax,dword ptr ss:[ebp-0xBC]
00402186  . 52              push edx                                          ; /Var18 = 00000058
00402187  . 8D8D 74FFFFFF   lea ecx,dword ptr ss:[ebp-0x8C]                   ; |
0040218D  . 50              push eax                                          ; |Var28 = 0019F228
0040218E  . 51              push ecx                                          ; |SaveTo8 = 0019F228
0040218F  . 899D 44FFFFFF   mov dword ptr ss:[ebp-0xBC],ebx                   ; |
00402195  . FF15 94414000   call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>]       ; \__vbaVarAdd
0040219B  . 8BD0            mov edx,eax
0040219D  . 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
004021A0  . FFD6            call esi                                          ; MSVBVM50.__vbaVarMove
004021A2  . 8D4D A8         lea ecx,dword ptr ss:[ebp-0x58]
004021A5  . FF15 B8414000   call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]      ; MSVBVM50.__vbaFreeStr
004021AB  . 8D55 84         lea edx,dword ptr ss:[ebp-0x7C]
004021AE  . 8D45 94         lea eax,dword ptr ss:[ebp-0x6C]
004021B1  . 52              push edx
004021B2  . 50              push eax
004021B3  . 53              push ebx
004021B4  . FFD7            call edi                                          ; MSVBVM50.__vbaFreeVarList
004021B6  . 83C4 0C         add esp,0xC
004021B9  . 8D8D E8FEFFFF   lea ecx,dword ptr ss:[ebp-0x118]
004021BF  . 8D95 F8FEFFFF   lea edx,dword ptr ss:[ebp-0x108]
004021C5  . 8D45 DC         lea eax,dword ptr ss:[ebp-0x24]
004021C8  . 51              push ecx                                          ; /TmpEnd8 = 0019F228
004021C9  . 52              push edx                                          ; |TmpStep8 = 00000058
004021CA  . 50              push eax                                          ; |Counter8 = 0019F228
004021CB  . FF15 AC414000   call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>]   ; \__vbaVarForNext
004021D1  .^E9 5CFFFFFF     jmp Andréna.00402132                              ; jump back: this is the loop

In this loop each character of the name is taken out with Mid, converted to its ASCII code with Asc, and added to a running sum in var_34.

004021DF  . 51              push ecx                                          ; /Var18 = 0019F228
004021E0  . 8D45 94         lea eax,dword ptr ss:[ebp-0x6C]                   ; |
004021E3  . 52              push edx                                          ; |Var28 = 00000058
004021E4  . 50              push eax                                          ; |SaveTo8 = 0019F228
004021E5  . C785 5CFFFFFF>  mov dword ptr ss:[ebp-0xA4],0x499602D2            ; |variant data = 1234567890 decimal
004021EF  . C785 54FFFFFF>  mov dword ptr ss:[ebp-0xAC],0x3                   ; |variant type = 3 (VT_I4)
004021F9  . FF15 5C414000   call dword ptr ds:[<&MSVBVM50.__vbaVarMul>]       ; \__vbaVarMul
004021FF  . 8BD0            mov edx,eax                                       ; the two variants are multiplied
00402201  . 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]                   ; address where the result is stored
00402204  . FFD6            call esi                                          ; MSVBVM50.__vbaVarMove
00402206  . 8B1D A0414000   mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>] ; MSVBVM50.__vbaMidStmtVar

The sum is multiplied by 1234567890 (decimal) and the result is stored at ss:[ebp-0x34]. That is the address to watch, so Ctrl+G to it in the dump window:

At that address nothing recognizable shows up at first. Think about what __vbaVarMul does: it multiplies two variants, and with a factor as large as 1234567890 the product overflows a Long, so the VB runtime promotes the result to a floating-point Double. Right-click the dump and choose the 64-bit double view:

Check, for the name 123456:
(0x31+0x32+0x33+0x34+0x35+0x36) * 1234567890 = 309 * 1234567890 = 381481478010

Indeed, that is the value at the address, so this variable is the one to keep watching.
Moving on, the next part is a bit confusing:

0040220C  . 8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
0040220F  . 51              push ecx
00402210  . 6A 04           push 0x4
00402212  . 8D95 54FFFFFF   lea edx,dword ptr ss:[ebp-0xAC]
00402218  . 6A 01           push 0x1
0040221A  . 52              push edx
0040221B  . C785 5CFFFFFF>  mov dword ptr ss:[ebp-0xA4],Andréna.0040>         ; -
00402225  . C785 54FFFFFF>  mov dword ptr ss:[ebp-0xAC],0x8                   ; variant type = 8 (VT_BSTR)
0040222F  . FFD3            call ebx                                          ; <&MSVBVM50.__vbaMidStmtVar>
00402231  . 8D45 CC         lea eax,dword ptr ss:[ebp-0x34]
00402234  . 8D8D 54FFFFFF   lea ecx,dword ptr ss:[ebp-0xAC]
0040223A  . 50              push eax
0040223B  . 6A 09           push 0x9
0040223D  . 6A 01           push 0x1
0040223F  . 51              push ecx
00402240  . C785 5CFFFFFF>  mov dword ptr ss:[ebp-0xA4],Andréna.0040>         ; -
0040224A  . C785 54FFFFFF>  mov dword ptr ss:[ebp-0xAC],0x8                   ; variant type = 8 (VT_BSTR)
00402254  . FFD3            call ebx
00402256  . 8B45 08         mov eax,dword ptr ss:[ebp+0x8]

I could not find any documentation of __vbaMidStmtVar on Baidu, so I had to borrow from someone else's writeup (please don't flame me):
it implements the VB Mid statement, Mid(target, start, length) = replacement, which overwrites the character(s) at the given 1-based position of a string with another string. The arguments pushed above are the target variant (var_34), the start position, the length, and a VT_BSTR variant holding "-".

00402210   .  6A 04         push 0x4
00402212   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
00402218   .  6A 01         push 0x1
0040221A   .  52            push edx
0040221B   .

Replace one character at position 4 (1-based) with "-".

0040223B   .  6A 09         push 0x9
0040223D   .  6A 01         push 0x1
0040223F   .  51            push ecx
00402240   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.0040>  ; -
0040224A   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
00402254   .  FFD3          call ebx
00402256   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]

Replace one character at position 9 (1-based) with "-".

Finally, the comparison function is:

0040229E   .  50            push eax                                 ; /Var18 = 0019F260
0040229F   .  51            push ecx                                 ; |Var28 = 59DE8000
004022A0   .  C745 A8 00000>mov dword ptr ss:[ebp-0x58],0x0          ; |
004022A7   .  C745 94 08800>mov dword ptr ss:[ebp-0x6C],0x8008       ; |
004022AE   .  FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ; \__vbaVarTstEq, the variant comparison
004022B4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004022B7   .  8BD8          mov ebx,eax

Two parameters:
Var18 = 0019F260
Var28 = 59DE8000
One is the address of the string we typed in (lxw1996); the other is the serial variable discussed above. After the two Mid-statement replacements in the pseudo-code, for the name 123456 that variable should read:
381-8147-010
Check:

All right, let's wrap it up with a keygen:
Python:

# Keygen for 160 x Crackme 009 (andrénalin.2), Python 3
name = input("Please input your name: ")
if not name:
    raise SystemExit("empty name gives a product of 0, which has no 4th or 9th digit")

# The For loop: add up the ASCII code of every character of the name
result = 0
for ch in name:
    result += ord(ch)

# __vbaVarMul: multiply the sum by 0x499602D2 = 1234567890
result *= 1234567890
print(result)

# The two __vbaMidStmtVar calls: Mid(s, 4, 1) = "-" and Mid(s, 9, 1) = "-"
# VB positions are 1-based, so these are list indexes 3 and 8
serial = list(str(result))
print(serial)
serial[3] = '-'
serial[8] = '-'
new = ''.join(serial)
print(new)
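To tie the pieces together, here is an added example of my own (not the page's keygen and not the crackme's code) that models the whole Command1_Click check as reusable functions: the character sum, the multiplication, the two Mid-statement replacements at positions 4 and 9, and the final equality test. The constant and positions are taken from the disassembly above; the check that the product still fits exactly in the Double that __vbaVarMul produces is my own caveat, not something the crackme tests, and the assumption that ord() matches VB's Asc() only holds for ASCII names.

```python
"""Model of the serial check in Crackme 009 (andrénalin.2), Command1_Click.

Added example, not the page's own keygen. Constant, character sum and the
two Mid-statement replacements come from the disassembly; the Double-range
check and the ASCII-only assumption are mine.
"""

MULTIPLIER = 0x499602D2          # 1234567890, the immediate moved into the VT_I4 variant
DASH_POSITIONS = (4, 9)          # Mid(var_34, 4, 1) = "-" and Mid(var_34, 9, 1) = "-", 1-based


def char_sum(name):
    """The For loop: Asc() of each character, accumulated into var_34.

    Assumption: ASCII names only. For non-ASCII characters VB's Asc() returns
    the ANSI code, which is not the same as Python's ord().
    """
    return sum(ord(ch) for ch in name)


def fits_in_double(value):
    """True if the integer survives a round trip through an IEEE-754 double.

    __vbaVarMul promotes a Long*Long product that overflows a Long to a
    Double; above 2**53 a Double no longer holds every integer, so beyond
    that the program's serial would stop matching exact integer arithmetic.
    """
    return int(float(value)) == value


def keygen(name):
    """Serial for a name, or None for an empty name (the product would be 0)."""
    if not name:
        return None
    product = char_sum(name) * MULTIPLIER
    if not fits_in_double(product):
        raise ValueError("product exceeds 2**53; VB's Double would round it")
    # Any non-empty name gives at least 11 digits (0x20 * 1234567890), so both
    # positions exist.
    digits = list(str(product))
    for pos in DASH_POSITIONS:
        digits[pos - 1] = "-"       # VB positions are 1-based
    return "".join(digits)


def check_serial(name, serial):
    """The __vbaVarTstEq at 004022AE: exact equality with the computed serial."""
    return keygen(name) == serial


if __name__ == "__main__":
    import sys
    who = sys.argv[1] if len(sys.argv) > 1 else "123456"   # the page's own check value
    print(f"{who}: {keygen(who)}")
```

Running it with no argument reproduces the page's check: the name 123456 sums to 309, the product is 381481478010, and after the two replacements the serial is 381-8147-010.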

I can see the gap, so more practice is needed. Tools are one side of it, but could you still reverse it without them?
