【破解作者】 曾经
【使用工具】 P32Dasm1.5, WKTVBDE1.4
【破解平台】 Win9x/NT/2000/XP
【软件名称】 dvchen最新CrackMe算法版
【下载地址】
http://bbs.pediy.com/attachment.php?s=&attachmentid=508
【软件简介】 VB p-code.
【软件大小】 268k
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
谨对无私奉献的CrackMe作者致敬!
--------------------------------------------------------------------------------
【破解内容】
机器码 =
"2649858861763138"
是由硬盘号码前8字与cpuid隔位交错得来的。
假设注册码 =
"7878787856565656"
第一步:用P32Dasm反出如下代码:
并且,将每行的开头
"0000"替换成
"40", 便于设断点时拷贝。
第二步:根据代码的提示,用WKTVBDE14在相关位置下断,跟踪。反出如下代码:
frmMain 2.9 cmdCalc.Unknown ----
40C71C: 00 LargeBos
40C71E: 00 LargeBos
40C720: 4B OnErrorGoto
40C723: 00 LargeBos
40C725: 04
FLdRfVar var_218
40C728: 21
FLdPrThis
40C729: 0F
VCallAd frmMain.txtSerial
40C72C: 19
FStAdFunc var_214
40C72F: 08
FLdPr var_214
40C732: 0D
VCallHresult TextBox.Get_Text()
;TextBox.Get_Text()
40C737: 6C
ILdRf var_218
;"7878787856565656"
40C73A: 1B
LitStr:
""
40C73D: FB30
EqStr=
;判断是否为空
40C73F: 04
FLdRfVar var_220
40C742: 21
FLdPrThis
40C743: 0F
VCallAd frmMain.txtSerial
40C746: 19
FStAdFunc var_21C
40C749: 08
FLdPr var_21C
40C74C: 0D
VCallHresult TextBox.Get_Text()
;TextBox.Get_Text()
40C751: 6C
ILdRf var_220
40C754: 4A
FnLenStr Len()
;获得字串长度
40C755: F5
LitI4: 16 0x10
;16
40C75A: D1
LtI4 <
40C75B: C5
OrI4 Or
40C75C: 32
FFreeStr var_218 var_220
40C763: 29
FFreeAd: var_214 var_21C
40C76A: 1C
BranchF 40C78D
;输入非空且长度不小于16(即 Len<16 不成立),才跳。
40C76D: 00 LargeBos
40C76F: 05
ImpAdLdRf
40C772: 56
NewIfNullAd
40C775: FD9C
FStAdNoPop
40C779: 05
ImpAdLdRf
40C77C: 24
NewIfNullPr
40C77F: 0D
VCallHresult Global._Unload(object As IDispatch)
40C784: 1A
FFree1Ad var_214
40C787: 00 LargeBos
40C789: 13
ExitProcHresult ;FAIL, GAME OVER!
40C78A: 1E Branch 40CBDB
40C78D: loc_0040C76A
;长度=16, 跳这里继续
40C78D: 00 LargeBos
40C78F: 00 LargeBos
40C791: 04
FLdRfVar var_218
40C794: 21
FLdPrThis
40C795: 0F
VCallAd
40C798: 19
FStAdFunc var_214
40C79B: 08
FLdPr var_214
40C79E: 0D
VCallHresult TextBox.Get_Text()
40C7A3: 3E
FLdZeroAd var_218
;"7878787856565656"
40C7A6: 46
CVarStr var_230
40C7A9: FCF6
FStVar var_94
40C7AD: 1A
FFree1Ad var_214
40C7B0: 00 LargeBos
40C7B2: 04
FLdRfVar var_218
40C7B5: 21
FLdPrThis
40C7B6: 0F
VCallAd frmMain.txtUserName
40C7B9: 19
FStAdFunc var_214
40C7BC: 08
FLdPr var_214
40C7BF: 0D
VCallHresult TextBox.Get_Text()
;机器码 UNICODE "2649858861763138OCN"
40C7C4: 04
FLdRfVar var_220
40C7C7: 21
FLdPrThis
40C7C8: 0F
VCallAd frmMain.txtUserName
40C7CB: 19
FStAdFunc var_21C
40C7CE: 08
FLdPr var_21C
40C7D1: 0D
VCallHresult TextBox.Get_Text()
40C7D6: 6C
ILdRf var_220
;机器码 UNICODE "2649858861763138OCN"
40C7D9: 4A
FnLenStr Len()
;19 chars
40C7DA: F5
LitI4: 3 0x3
;去掉3个
40C7DF: AE
SubI4 -
40C7E0: 3E
FLdZeroAd var_218
40C7E3: 46
CVarStr var_230
40C7E6: 04
FLdRfVar var_240
40C7E9: 0A
ImpAdCallFPR4 Left()
40C7EE: 04
FLdRfVar var_240
;机器码 UNICODE "2649858861763138"
40C7F1: FCF6
FStVar var_A4
40C7F5: 2F
FFree1Str var_220
40C7F8: 29
FFreeAd: var_214 var_21C
40C7FF: 35
FFree1Var var_230
40C802: 00 LargeBos
40C804: 28
LitVarI2: 1 0x1 var_260
40C809: 04
FLdRfVar var_208
40C80C: 04
FLdRfVar var_94
;"7878787856565656"
40C80F: FBEB
FnLenVar
40C813: 28
LitVarI2: 2 0x2 var_250
40C818: FE70 ForStepVar For (counter=start) To (
end) Step (step)
;循环For counter=1 To Len(var_94) Step 2
40C81E: 00 LargeBos
40C820: 04
FLdRfVar var_174
40C823: 28
LitVarI2: 1 0x1 var_230
;1
40C828: 04
FLdRfVar var_208
;counter
40C82B: FC22
CI4Var
40C82D: 04
FLdRfVar var_94
;"7878787856565656"
40C830: 04
FLdRfVar var_240
40C833: 0A
ImpAdCallFPR4 Mid()
;Mid(var_94, var_208, var_230)
40C838: 04
FLdRfVar var_240
;"77775..."
40C83B: FBEF
ConcatVar ;ConcatVar连接
40C83F: FCF6
FStVar var_174
40C843: 36 FFreeVar var_230 var_240
40C84A: 00 LargeBos
40C84C: 04
FLdRfVar var_184
40C84F: 28
LitVarI2: 1 0x1 var_240
;1
40C854: 04
FLdRfVar var_208
40C857: 28
LitVarI2: 1 0x1 var_250
40C85C: FB94
AddVar + var_230
;counter
40C860: FC22
CI4Var
40C862: 04
FLdRfVar var_94
;"7878787856565656"
40C865: 04
FLdRfVar var_290
40C868: 0A
ImpAdCallFPR4 Mid()
;Mid()
40C86D: 04
FLdRfVar var_290
;"88886..."
40C870: FBEF
ConcatVar ;ConcatVar连接
40C874: FCF6
FStVar var_184
40C878: 36 FFreeVar var_230 var_240 var_290
40C881: 00 LargeBos
40C883: 04
FLdRfVar var_208
40C886: FE86
NextStepVar Next (element)
;循环结束
40C88C: 00 LargeBos
40C88E: 04
FLdRfVar var_184
40C891: FDFE
CStrVarVal var_2A4
40C895: 04
FLdRfVar var_2A8
40C898: 34
CStr2Ansi
40C899: 6C
ILdRf var_2A8
;"88886666"
40C89C: 04
FLdRfVar var_94
40C89F: FDFE
CStrVarVal var_218
40C8A3: 04
FLdRfVar var_220
40C8A6: 34
CStr2Ansi
40C8A7: 6C
ILdRf var_220
;"7878787856565656"
40C8AA: 0B
ImpAdCallI2 DVID32.DesEn
;DesEn变换="A396BD0E18B901D646903DF5AA0051EEksaiy"
40C8AF: 31
FStStr var_2AC
40C8B2: 3C
SetLastSystemError
40C8B3: 04
FLdRfVar var_184
40C8B6: FDFE
CStrVarVal var_2BC
40C8BA: 04
FLdRfVar var_2C0
40C8BD: 34
CStr2Ansi
40C8BE: 6C
ILdRf var_2C0
;"88886666"
40C8C1: 04
FLdRfVar var_94
40C8C4: FDFE
CStrVarVal var_2B4
40C8C8: 04
FLdRfVar var_2B8
40C8CB: 34
CStr2Ansi
40C8CC: 6C
ILdRf var_2B8
;"7878787856565656"
40C8CF: 0B
ImpAdCallI2 DVID32.DesEn
;DesEn变换="A396BD0E18B901D646903DF5AA0051EEksaiy"
40C8D4: 31
FStStr var_2C4
40C8D7: 3C
SetLastSystemError
40C8D8: 6C
ILdRf var_2C4
40C8DB: 04
FLdRfVar var_2C8
40C8DE: FC58 CStr2Uni
40C8E0: 6C
ILdRf var_2C8
40C8E3: 4A
FnLenStr Len()
;37 chars
40C8E4: F5
LitI4: 5 0x5
;5
40C8E9: AE
SubI4 -
;37-5=32
40C8EA: 6C
ILdRf var_2AC
40C8ED: 04
FLdRfVar var_2B0
40C8F0: FC58 CStr2Uni
40C8F2: 6C
ILdRf var_2B0
40C8F5: 46
CVarStr var_250
40C8F8: 4E
FStVarCopyObj var_230
40C8FB: 04
FLdRfVar var_230
40C8FE: 04
FLdRfVar var_240
40C901: 0A
ImpAdCallFPR4 Left()
;取左边32字符
40C906: 04
FLdRfVar var_240
;"A396BD0E18B901D646903DF5AA0051EE"
40C909: FCF6
FStVar var_124
40C90D: 32
FFreeStr var_218 var_220 var_2A4 var_2A8 var_2AC var_2B0 var_2B4 var_2B8 var_2BC var_2C0 var_2C4 var_2C8
40C928: 35
FFree1Var var_230
40C92B: 00 LargeBos
40C92D: 28
LitVarI2: 2 0x2 var_260
40C932: 04
FLdRfVar var_1F8
40C935: 04
FLdRfVar var_124
;"A396BD0E18B901D646903DF5AA0051EE"
40C938: FBEB
FnLenVar ;32 chars
40C93C: 28
LitVarI2: 2 0x2 var_250
40C941: FE70 ForStepVar For (counter=start) To (
end) Step (step)
;循环开始 For counter=2 To (32) Step 2
40C947: 00 LargeBos
40C949: 28
LitVarI2: 1 0x1 var_230
40C94E: 04
FLdRfVar var_1F8
40C951: FC22
CI4Var
40C953: 04
FLdRfVar var_124
40C956: 04
FLdRfVar var_240
40C959: 0A
ImpAdCallFPR4 Mid()
;取第2,4,6,...字符
40C95E: 04
FLdRfVar var_240
40C961: FCF6
FStVar var_1D8
40C965: 35
FFree1Var var_230
40C968: 00 LargeBos
40C96A: 04
FLdRfVar var_1D8
;"3","6","D",...
40C96D: FDFE
CStrVarVal var_218
40C971: 0B
ImpAdCallI2 Asc()
;的Asc()值 (asc("D")=68)
40C976: 44
CVarI2 var_250
40C979: FCF6
FStVar var_1E8
40C97D: 2F
FFree1Str var_218
40C980: 00 LargeBos
40C982: 04
FLdRfVar var_1E8
40C985: 28
LitVarI2: 57 0x39 var_250
40C98A: 5D
HardType
40C98B: FB49
LeVar <=
40C98F: 04
FLdRfVar var_1E8
40C992: 28
LitVarI2: 48 0x30 var_260
40C997: 5D
HardType
40C998: FB56
GeVar >=
40C99C: FB27
AndVar
40C9A0: FF1B
CBoolVarNull
40C9A2: 1C
BranchF 40C9B1
40C9A5: 00 LargeBos
40C9A7: 04
FLdRfVar var_1D8
40C9AA: FD00
FStVarCopy
40C9AE: 1E Branch 40C9CC
40C9B1: loc_0040C9A2
40C9B1: 00 LargeBos
40C9B3: 00 LargeBos
40C9B5: F5
LitI4: 1 0x1
40C9BA: 04
FLdRfVar var_1E8
40C9BD: 04
FLdRfVar var_230
40C9C0: 0A
ImpAdCallFPR4 Right()
;取Asc()值的个位 (Right(…,1))
40C9C5: 04
FLdRfVar var_230
40C9C8: FCF6
FStVar var_1D8
40C9CC: loc_0040C9AE
40C9CC: 00 LargeBos
40C9CE: 00 LargeBos
40C9D0: 04
FLdRfVar var_134
;循环结果 "3689891660855019"
40C9D3: 04
FLdRfVar var_1D8
40C9D6: FB94
AddVar + var_230
40C9DA: FCF6
FStVar var_134
40C9DE: 00 LargeBos
40C9E0: 04
FLdRfVar var_1F8
40C9E3: FE86
NextStepVar Next (element)
;循环结束
40C9E9: 00 LargeBos
40C9EB: 28
LitVarI2: 1 0x1 var_260
40C9F0: 04
FLdRfVar var_1F8
;counter
40C9F3: 04
FLdRfVar var_134
40C9F6: FBEB
FnLenVar
40C9FA: 28
LitVarI2: 2 0x2 var_250
40C9FF: FE70 ForStepVar For (counter=start) To (
end) Step (step)
;循环开始 For counter=1 To Len(var_134) Step 2
40CA05: 00 LargeBos
40CA07: 04
FLdRfVar var_144
40CA0A: 28
LitVarI2: 1 0x1 var_230
;1
40CA0F: 04
FLdRfVar var_1F8
40CA12: FC22
CI4Var
40CA14: 04
FLdRfVar var_134
;"3689891660855019"
40CA17: 04
FLdRfVar var_240
40CA1A: 0A
ImpAdCallFPR4 Mid()
40CA1F: 04
FLdRfVar var_240
40CA22: FBEF
ConcatVar
40CA26: FCF6
FStVar var_144
;"38816851"
40CA2A: 36 FFreeVar var_230 var_240
40CA31: 00 LargeBos
40CA33: 04
FLdRfVar var_1F8
40CA36: FE86
NextStepVar Next (element)
;循环结束
40CA3C: 00 LargeBos
40CA3E: 28
LitVarI2: 1 0x1 var_318
40CA43: 04
FLdRfVar var_208
40CA46: 28
LitVarI2: 8 0x8 var_260
40CA4B: FE68
ForVar For (counter=start) To (
end)
;循环开始 For counter=1 To 8
40CA51: 00 LargeBos
40CA53: 04
FLdRfVar var_154
40CA56: 28
LitVarI2: 1 0x1 var_230
;1
40CA5B: 04
FLdRfVar var_208
40CA5E: FC22
CI4Var
40CA60: 04
FLdRfVar var_144
;"38816851"
40CA63: 04
FLdRfVar var_240
40CA66: 0A
ImpAdCallFPR4 Mid()
40CA6B: 04
FLdRfVar var_240
40CA6E: FBEF
ConcatVar ;="38888818668..."
40CA72: 28
LitVarI2: 1 0x1 var_2A0
40CA77: 04
FLdRfVar var_208
40CA7A: FC22
CI4Var
40CA7C: 04
FLdRfVar var_184
;"88886666"
40CA7F: 04
FLdRfVar var_348
40CA82: 0A
ImpAdCallFPR4 Mid()
40CA87: 04
FLdRfVar var_348
40CA8A: FBEF
ConcatVar ;="388888186686.."
40CA8E: FCF6
FStVar var_154
40CA92: 36 FFreeVar var_230 var_240 var_2A0 var_290 var_348
40CA9F: 00 LargeBos
40CAA1: 04
FLdRfVar var_208
40CAA4: FE7E
NextStepVar Next (element)
;循环结束, ="3888881866865616"
40CAAA: 00 LargeBos
40CAAC: 1B
LitStr:
"C7C5014CA9775ACFE7773D44D17372330EE8E33B3627C07A53110F"
40CAAF: 43
FStStrCopy var_1A8
40CAB2: 00 LargeBos
40CAB4: 04
FLdRfVar var_184
40CAB7: FDFE
CStrVarVal var_218
40CABB: 04
FLdRfVar var_220
40CABE: 34
CStr2Ansi
40CABF: 6C
ILdRf var_220
;ascii "88886666"
40CAC2: 0B
ImpAdCallI2 DVID32.MD5En
;MD5En变换 ="7ef770ea663c23b71630f758551304f0ksaiy"
40CAC7: 31
FStStr var_2A4
40CACA: 3C
SetLastSystemError
40CACB: 04
FLdRfVar var_184
40CACE: FDFE
CStrVarVal var_2AC
40CAD2: 04
FLdRfVar var_2B0
40CAD5: 34
CStr2Ansi
40CAD6: 6C
ILdRf var_2B0
;ascii "88886666"
40CAD9: 0B
ImpAdCallI2 DVID32.MD5En
;MD5En变换 ="7ef770ea663c23b71630f758551304f0ksaiy"
40CADE: 31
FStStr var_2B4
40CAE1: 3C
SetLastSystemError
40CAE2: 6C
ILdRf var_2B4
40CAE5: 04
FLdRfVar var_2B8
40CAE8: FC58 CStr2Uni
40CAEA: 6C
ILdRf var_2B8
40CAED: 4A
FnLenStr Len()
40CAEE: F5
LitI4: 5 0x5
40CAF3: AE
SubI4 -
40CAF4: 6C
ILdRf var_2A4
40CAF7: 04
FLdRfVar var_2A8
40CAFA: FC58 CStr2Uni
40CAFC: 6C
ILdRf var_2A8
40CAFF: 46
CVarStr var_250
40CB02: 4E
FStVarCopyObj var_230
40CB05: 04
FLdRfVar var_230
40CB08: 04
FLdRfVar var_240
40CB0B: 0A
ImpAdCallFPR4 Left()
40CB10: 1B
LitStr:
"Jrji48HJFwer428KdEJ9"
40CB13: 04
FLdRfVar var_2C4
40CB16: 34
CStr2Ansi
40CB17: 6C
ILdRf var_2C4
;"Jrji48HJFwer428KdEJ9"
40CB1A: 04
FLdRfVar var_240
40CB1D: FDFE
CStrVarVal var_2BC
40CB21: 04
FLdRfVar var_2C0
40CB24: 34
CStr2Ansi
40CB25: 6C
ILdRf var_2C0
;ascii "7ef770ea663c23b71630f758551304f0"
40CB28: 0B
ImpAdCallI2 DVID32.DesEn
;DesEn变换="E8C0DA14F50A6F14A2E2B43BEFC47D8C61ED2CF3F3DE2E7CAF4E4DD36F968586..."
40CB2D: 31
FStStr var_2C8
40CB30: 3C
SetLastSystemError
40CB31: 6C
ILdRf var_2C8
40CB34: 04
FLdRfVar var_35C
40CB37: FC58 CStr2Uni
40CB39: 6C
ILdRf var_35C
40CB3C: 46
CVarStr var_260
40CB3F: FD00
FStVarCopy
40CB43: 32
FFreeStr var_218 var_220 var_2A4 var_2A8 var_2AC var_2B0 var_2B4 var_2B8 var_2BC var_2C0 var_2C4 var_2C8 var_35C
40CB60: 36 FFreeVar var_230 var_240
40CB67: 00 LargeBos
40CB69: 04
FLdRfVar var_194
40CB6C: FBEB
FnLenVar ;长度
40CB70: 28
LitVarI2: 15 0xF var_250
;15
40CB75: FB9C
SubVar -
;删除15字
40CB79: FC22
CI4Var
40CB7B: 04
FLdRfVar var_194
;"E8C0DA14F50A6F14A2E2B43BEFC47D8C61ED2CF3F3DE2E7CAF4E4DD36F968586ksaiy"
40CB7E: 04
FLdRfVar var_290
40CB81: 0A
ImpAdCallFPR4 Left()
40CB86: 04
FLdRfVar var_290
40CB89: FCF6
FStVar var_1A4
40CB8D: 00 LargeBos
40CB8F: 04
FLdRfVar var_154
;"3888881866865616"
40CB92: 04
FLdRfVar var_A4
;机器码 "2649858861763138"
40CB95: FB2F
EqVar=
;比较
40CB99: 04
FLdRfVar var_1A4
;"E8C0DA14F50A6F14A2E2B43BEFC47D8C61ED2CF3F3DE2E7CAF4E4D"
40CB9C: 6C
ILdRf var_1A8
;"C7C5014CA9775ACFE7773D44D17372330EE8E33B3627C07A53110F"
40CB9F: 46
CVarStr var_250
40CBA2: 5D
HardType
40CBA3: FB2F
EqVar=
;比较
40CBA7: FB27
AndVar ;两次比较结果and运算
40CBAB: FF1B
CBoolVarNull
40CBAD: 1C
BranchF 40CBBD
40CBB0: 00 LargeBos
40CBB2: F4
LitI2_Byte: 255 0xFF (True)
40CBB4: 08
FLdPr param_8
40CBB7: 8E
MemStI2
40CBBA: 1E Branch 40CBD9
40CBBD: loc_0040CBAD
40CBBD: 00 LargeBos
40CBBF: 00 LargeBos
40CBC1: 05
ImpAdLdRf
40CBC4: 56
NewIfNullAd
40CBC7: FD9C
FStAdNoPop
40CBCB: 05
ImpAdLdRf
40CBCE: 24
NewIfNullPr
40CBD1: 0D
VCallHresult Global._Unload(object As IDispatch)
;程序结束。
40CBD6: 1A
FFree1Ad var_214
40CBD9: loc_0040CBBA
40CBD9: 00 LargeBos
40CBDB: loc_0040C78A
40CBDB: 00 LargeBos
40CBDD: 00 LargeBos
40CBDF: 13
ExitProcHresult
调试结束。
;===============================================================================
第三步:整理如下:
1. 注册码长度=16
2. DesEn1=DesEn(str=注册码,key=注册码偶数位)
3. DesEn1偶数位挑出来,属于字母的,取ascii码的十进制个位。假设结果为string
4. 将string的偶数位替换为注册码偶数位。假设结果为str2
5. str3=MD5(注册码偶数位)
6. DesEn2=DesEn(str3,
"Jrji48HJFwer428KdEJ9")
7. str2与机器码比较
8. DesEn2与
"C7C5014CA9775ACFE7773D44D17372330EE8E33B3627C07A53110F"比较
;===============================================================================
那么,矛盾来了:
1. 注册码偶数位=机器码偶数位
而: 机器码是由硬盘号码前8字与cpuid隔位交错得来的,对每台机器应该是不同的。
2. str3 = DesDe(
"C7C5014CA9775ACFE7773D44D17372330EE8E33B3627C07A53110F",
"Jrji48HJFwer428KdEJ9")
=
"b1441c8fe79b07346aea8bef"
注册码偶数位 = MD5De(
"b1441c8fe79b07346aea8bef") =
"39483971", 是一个常数
实际上并没有MD5De这个函数(MD5是单向散列,不可逆)。但注册码偶数位只有8位数字,取值范围比较小,我们可以穷举。
选择相信第二点,算出序列号,注册一下:
"5329640823093791"
40CB8F: 04
FLdRfVar var_154
;"8359549853896791"
40CB92: 04
FLdRfVar var_A4
;机器码 "2649858861763138"
40CB95: FB2F
EqVar=
;比较, 结果不相等"00000000"
40CB99: 04
FLdRfVar var_1A4
;"C7C5014CA9775ACFE7773D44D17372330EE8E33B3627C07A53110F"
40CB9C: 6C
ILdRf var_1A8
;"C7C5014CA9775ACFE7773D44D17372330EE8E33B3627C07A53110F"
40CB9F: 46
CVarStr var_250
40CBA2: 5D
HardType
40CBA3: FB2F
EqVar=
;比较, 结果相等"FFFFFFFF"
--------------------------------------------------------------------------------
【破解总结】
以失败告终。虽然我知道,整个过程就是某软件的注册过程。
有待高人指导。
--------------------------------------------------------------------------------
【版权声明】 用老罗代码着色器染色, 谢谢老罗!