First, the usual routine: check for a packer with PEiD:
A VB program, not packed. Good. The main thing with VB targets is to recognise the VB runtime functions, so here is a recommended blog post that sums up the VB runtime functions most often met when reversing:
Common functions in the disassembly of VB programs
Run it and try it yourself:
Load it in OllyDbg, right-click, Search for, All referenced text strings, and find the error string:
We see our error string, "You Get wrong", and just above it what should be the success string. The two strings are close together, so this one should not be hard (at least there are few jumps to skip over).
Double-click the string to go to its location, where we find the conditional jump:
Set a breakpoint (F2) at the jump, rerun the program, and enter a made-up serial:
It breaks. Reading the code above the break, we find the key function, __vbaStrCmp(), the string comparison function.
That means the serial has already been generated at this point, so the generation code lies in the assembly above, which computes a serial from the entered name and compares it with the entered serial.
So I found the start of this routine and set a breakpoint (F2) there:
Rerun, F9 to the breakpoint, then F8 to single-step. Whenever an unfamiliar VB function comes up, look it up in the blog post above to learn what it does. I will not spell out every step of the analysis; it takes patience but is simple. The annotated disassembly:
00402409 > 8B95 50FFFFFF  mov edx,dword ptr ss:[ebp-0xB0]
0040240F . 8B45 E4        mov eax,dword ptr ss:[ebp-0x1C]                        ; the entered name: "12345"
00402412 . 50             push eax                                               ; /String
00402413 . 8B1A           mov ebx,dword ptr ds:[edx]                             ; |
00402415 . FF15 E4404000  call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]           ; \__vbaLenBstr returns the length of a string
0040241B . 8BF8           mov edi,eax                                            ; the return value is in EAX, 5 in this example
0040241D . 8B4D E8        mov ecx,dword ptr ss:[ebp-0x18]
00402420 . 69FF FB7C0100  imul edi,edi,0x17CFB                                   ; EDI = length of name * 0x17CFB
00402426 . 51             push ecx                                               ; /String = "1", the first character of name
00402427 . 0F80 91020000  jo Afkayas_.004026BE                                   ; |
0040242D . FF15 F8404000  call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>]  ; \rtcAnsiValueBstr returns the ASCII value of the first character of name
00402433 . 0FBFD0         movsx edx,ax
00402436 . 03FA           add edi,edx                                            ; final EDI = length of name * 0x17CFB + ASCII value of the first character
00402438 . 0F80 80020000  jo Afkayas_.004026BE
0040243E . 57             push edi
0040243F . FF15 E0404000  call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]             ; __vbaStrI4 converts the value in EDI to a decimal string
00402445 . 8BD0           mov edx,eax                                            ; the numeric part of the correct serial
00402447 . 8D4D E0        lea ecx,dword ptr ss:[ebp-0x20]
0040244A . FF15 70414000  call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]
00402450 . 8BBD 50FFFFFF  mov edi,dword ptr ss:[ebp-0xB0]
00402456 . 50             push eax
00402457 . 57             push edi
00402458 . FF93 A4000000  call dword ptr ds:[ebx+0xA4]
0040245E . 85C0           test eax,eax
00402460 . 7D 12          jge short Afkayas_.00402474
00402462 . 68 A4000000    push 0xA4
00402467 . 68 5C1B4000    push Afkayas_.00401B5C
0040246C . 57             push edi
0040246D . 50             push eax
0040246E . FF15 04414000  call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]
00402474 > 8D45 E0        lea eax,dword ptr ss:[ebp-0x20]
00402477 . 8D4D E4        lea ecx,dword ptr ss:[ebp-0x1C]
0040247A . 50             push eax
0040247B . 8D55 E8        lea edx,dword ptr ss:[ebp-0x18]
0040247E . 51             push ecx
0040247F . 52             push edx
00402480 . 6A 03          push 0x3
00402482 . FF15 5C414000  call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]
00402488 . 83C4 10        add esp,0x10
0040248B . 8D45 D4        lea eax,dword ptr ss:[ebp-0x2C]
0040248E . 8D4D D8        lea ecx,dword ptr ss:[ebp-0x28]
00402491 . 8D55 DC        lea edx,dword ptr ss:[ebp-0x24]
00402494 . 50             push eax
00402495 . 51             push ecx
00402496 . 52             push edx
00402497 . 6A 03          push 0x3
00402499 . FF15 F4404000  call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]
0040249F . 8B06           mov eax,dword ptr ds:[esi]
004024A1 . 83C4 10        add esp,0x10
004024A4 . 56             push esi
004024A5 . FF90 04030000  call dword ptr ds:[eax+0x304]
004024AB . 8B1D 0C414000  mov ebx,dword ptr ds:[<&MSVBVM50.__vbaObjSet>]
004024B1 . 50             push eax
004024B2 . 8D45 DC        lea eax,dword ptr ss:[ebp-0x24]
004024B5 . 50             push eax
004024B6 . FFD3           call ebx                                               ; <&MSVBVM50.__vbaObjSet>
004024B8 . 8BF8           mov edi,eax
004024BA . 8D55 E8        lea edx,dword ptr ss:[ebp-0x18]
004024BD . 52             push edx
004024BE . 57             push edi
004024BF . 8B0F           mov ecx,dword ptr ds:[edi]
004024C1 . FF91 A0000000  call dword ptr ds:[ecx+0xA0]
004024C7 . 85C0           test eax,eax
004024C9 . 7D 12          jge short Afkayas_.004024DD
004024CB . 68 A0000000    push 0xA0
004024D0 . 68 5C1B4000    push Afkayas_.00401B5C
004024D5 . 57             push edi
004024D6 . 50             push eax
004024D7 . FF15 04414000  call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]
004024DD > 56             push esi
004024DE . FF95 40FFFFFF  call dword ptr ss:[ebp-0xC0]
004024E4 . 50             push eax
004024E5 . 8D45 D8        lea eax,dword ptr ss:[ebp-0x28]
004024E8 . 50             push eax
004024E9 . FFD3           call ebx                                               ; <&MSVBVM50.__vbaObjSet>
004024EB . 8BF0           mov esi,eax
004024ED . 8D55 E4        lea edx,dword ptr ss:[ebp-0x1C]
004024F0 . 52             push edx
004024F1 . 56             push esi
004024F2 . 8B0E           mov ecx,dword ptr ds:[esi]
004024F4 . FF91 A0000000  call dword ptr ds:[ecx+0xA0]
004024FA . 85C0           test eax,eax
004024FC . 7D 12          jge short Afkayas_.00402510
004024FE . 68 A0000000    push 0xA0
00402503 . 68 5C1B4000    push Afkayas_.00401B5C
00402508 . 56             push esi
00402509 . 50             push eax
0040250A . FF15 04414000  call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>]
00402510 > 8B45 E8        mov eax,dword ptr ss:[ebp-0x18]
00402513 . 8B4D E4        mov ecx,dword ptr ss:[ebp-0x1C]
00402516 . 8B3D 00414000  mov edi,dword ptr ds:[<&MSVBVM50.__vbaStrCat>]
0040251C . 50             push eax
0040251D . 68 701B4000    push Afkayas_.00401B70                                 ; UNICODE "AKA-"
00402522 . 51             push ecx
00402523 . FFD7           call edi                                               ; __vbaStrCat
00402525 . 8B1D 70414000  mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrMove>]
0040252B . 8BD0           mov edx,eax
0040252D . 8D4D E0        lea ecx,dword ptr ss:[ebp-0x20]
00402530 . FFD3           call ebx                                               ; <&MSVBVM50.__vbaStrMove>
00402532 . 50             push eax                                               ; "AKA-487704"
00402533 . FF15 28414000  call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>]
00402539 . 8BF0           mov esi,eax                                            ; the comparison result is in EAX: FFFFFFFF here, meaning failure
One of the functions at this point is __vbaStrI4():
0040243E . 57             push edi
0040243F . FF15 E0404000  call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]  ; __vbaStrI4 converts the (hex) value in EDI to a decimal string
00402445 . 8BD0           mov edx,eax                                 ; the numeric part of the correct serial
00402447 . 8D4D E0        lea ecx,dword ptr ss:[ebp-0x20]
I looked briefly for documentation of this function and found none (I did try), but
it follows the same pattern as the first crackme: it converts the integer value into its decimal string.
Test it with this example's result:
Success!
Algorithm Analysis:
The final serial is:
"AKA-" followed by (length of name * 0x17CFB + ASCII value of the first character), converted to a decimal string.
OK, time to write the keygen. I'll use Python:
# Keygen for Afkayas.1: serial = "AKA-" + str(len(name) * 0x17CFB + Asc(name[0]))
name = input('input your name:')   # the original used Python 2's raw_input()
length = len(name)                 # __vbaLenBstr
c = ord(name[0])                   # rtcAnsiValueBstr on the first character
serial = length * 97531 + c        # 97531 == 0x17CFB, the imul immediate
print('serial:')
print('AKA-' + str(serial))        # __vbaStrI4 then __vbaStrCat with "AKA-"
Finally, there are several jo instructions that check for overflow and jump straight to the error path if it occurs. I will leave those aside: it should be hard to overflow, so I do not consider it.
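As an added example (not the author's keygen above), the derivation from the algorithm analysis written as a keygen/check pair, with a model of the 32-bit signed overflow that the two jo instructions after imul and add guard against, so that the length at which a name would actually trip them can be computed. It assumes ASCII names, where Python's ord() agrees with VB's Asc().

```python
# Added example, not the page's own code. Constants are the ones read from
# the disassembly above; everything else is a model of what the program does.
MULT = 0x17CFB          # 97531, the imul immediate at 00402420
INT32_MAX = 0x7FFFFFFF  # jo fires when the signed 32-bit result wraps past this
PREFIX = "AKA-"         # the UNICODE string pushed at 0040251D before __vbaStrCat


def serial_number(name):
    """Numeric part: Len(name) * 0x17CFB + Asc(first char), as an unbounded int."""
    if not name:
        raise ValueError("name must not be empty")  # Asc("") errors in VB as well
    # __vbaLenBstr counts characters; rtcAnsiValueBstr gives the first char's code.
    # ASCII names are assumed: ord() matches Asc() only in that range.
    return len(name) * MULT + ord(name[0])


def overflows(name):
    """True if the jo after imul or the jo after add would take the error path."""
    product = len(name) * MULT
    return product > INT32_MAX or product + ord(name[0]) > INT32_MAX


def keygen(name):
    """The full serial string the program builds with __vbaStrI4 and __vbaStrCat."""
    return PREFIX + str(serial_number(name))


def check(name, serial):
    """Mirror of the __vbaStrCmp at 00402533: an exact, case-sensitive comparison."""
    return not overflows(name) and serial == keygen(name)


def min_overflow_length():
    """Shortest name length for which imul edi,edi,0x17CFB overflows a signed int32."""
    return INT32_MAX // MULT + 1


if __name__ == "__main__":
    print(keygen("12345"))                 # AKA-487704, as seen in the debugger
    print(check("12345", "AKA-487704"))    # True
    print(min_overflow_length())           # 22019 characters before jo fires
```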
This crackme can also be solved with a VB decompiler, for example VB Decompiler,
which lets you read the VB source directly:
Simple, isn't it?
Source:
Private Sub OK_Click() ' 402310
  Dim var_24 As TextBox
  Dim var_b0 As TextBox
  loc_0040237A: var_c0 = Crackme.regserial ' Ignore this
  loc_00402387: Set var_2c = Crackme.regserial
  loc_00402394: var_b0 = var_2c
  loc_0040239A: var_c4 = Crackme.Text1 ' Ignore this
  loc_004023A7: Set var_24 = var_2c
  loc_004023B6: var_18 = Text1.Text
  loc_004023D3: Call var_c4(Me, Me, Me, edi, Me, var_24)
  loc_004023ED: var_1c = Text1.Text
  loc_00402420: Len(var_1c) = Len(var_1c) * 97531
  loc_00402436: Len(var_1c) = Len(var_1c) + Asc(var_18)
  loc_0040243F: Call var_4040E0(Len(var_1c))
  loc_0040244A: var_20 = var_4040E0(Len(var_1c))
  loc_00402458: Text1.Text = var_20
  loc_004024C1: var_18 = Serial.Text
  loc_004024DE: Call var_c0(Me, Me)
  loc_004024F4: var_1c = Serial.Text
  loc_00402530: var_20 = "AKA-" & var_1c
  loc_0040254A: esi = (var_18 = var_20) + 1
  loc_0040258B: If (var_18 = var_20) + 1 = 0 Then GoTo loc_004025E5
  loc_004025AB: var_34 = "Get It" & vbCrLf & "Keygen It Now"
  loc_004025E3: GoTo loc_0040263B
  loc_004025E5: ' Referenced from: 0040258B
  loc_00402600: var_34 = "You Get wrong" & vbCrLf & "Try Again"
  loc_0040263B: ' Referenced from: 004025E3
  loc_00402652: GoTo loc_0040269E
  loc_0040269D: Exit Sub
  loc_0040269E: ' Referenced from: 00402652
  loc_0040269E: Exit Sub
End Sub
Compared with the assembly this is easy to follow, but tools are ultimately an external aid: there will always be cases a tool cannot handle, and the only thing that really changes that is your own skill, which no one can take away from you. (I'm still a novice, so go easy on me.)
160 x Crackme 002 Afkayas.1