大型网站如何优化百度知道官网登录入口
crackme010
| 名称 | 值 |
|---|---|
| 软件名称 | Andrénalin.3.exe |
| 加壳方式 | 无 |
| 保护方式 | serial |
| 编译语言 | Microsoft Visual Basic |
| 调试环境 | win10 64位 |
| 使用工具 | x32dbg,PEid |
| 破解日期 | 2025-06-18 |
脱壳
1. 先用PEid查壳
- 查到无壳
前置知识
该vb程序会用到较多的Variant变量和官方查询不到vb函数,请先阅读如下两篇文章
- VB逆向基础(一)
- vb逆向常用函数
寻找Serial
- 寻找flag,用x32dbg打开程序,
鼠标右键->搜索->当前模块->字符串,发现存在字符串L"RiCHTiG !"
- 双击
地址=00402090 反汇编=mov dword ptr ss:[ebp-B4],andrénalin.3.401B28 字符串地址=00401B28 字符串=L"RiCHTiG !"",跳转到代码
0040202B | lea eax,dword ptr ss:[ebp-34] |
0040202E | lea ecx,dword ptr ss:[ebp-AC] |
00402034 | push eax | 参数2,循环拼接结果
00402035 | push ecx | 参数1,字符串常量L"kXy^rO|*yXo*m\\kMuOn*+"
00402036 | mov dword ptr ss:[ebp-A4],andrénalin.3.401A8C | [ebp-A4]:L"kXy^rO|*yXo*m\\kMuOn*+", 401A8C:L"kXy^rO|*yXo*m\\kMuOn*+"
00402040 | mov dword ptr ss:[ebp-AC],8008 |
0040204A | call dword ptr ds:[<&__vbaVarTstEq>] | 判断两个变量是否相等,不相等eax返回0x0,相等返回0xFFFFFFFF
00402050 | test ax,ax | 两个变量相等,进入成功分支
00402053 | je andrénalin.3.402119 |
00402059 | call dword ptr ds:[<&rtcBeep>] |成功分支
0040205F | mov ebx,dword ptr ds:[<&__vbaVarDup>] |
00402065 | mov ecx,A |
0040206A | mov eax,80020004 |
0040206F | mov dword ptr ss:[ebp-9C],ecx |
00402075 | mov dword ptr ss:[ebp-8C],ecx |
0040207B | lea edx,dword ptr ss:[ebp-BC] |
00402081 | lea ecx,dword ptr ss:[ebp-7C] |
00402084 | mov dword ptr ss:[ebp-94],eax |
0040208A | mov dword ptr ss:[ebp-84],eax |
00402090 | mov dword ptr ss:[ebp-B4],andrénalin.3.401B28 | 401B28:L"RiCHTiG !" Flag字符串
0040209A | mov dword ptr ss:[ebp-BC],8 |
004020A4 | call ebx |
004020A6 | lea edx,dword ptr ss:[ebp-AC] |
004020AC | lea ecx,dword ptr ss:[ebp-6C] |
004020AF | mov dword ptr ss:[ebp-A4],andrénalin.3.401ABC | [ebp-A4]:L"kXy^rO|*yXo*m\\kMuOn*+"
004020B9 | mov dword ptr ss:[ebp-AC],8 |
004020C3 | call ebx |
004020C5 | lea edx,dword ptr ss:[ebp-9C] |
004020CB | lea eax,dword ptr ss:[ebp-8C] |
004020D1 | push edx |
004020D2 | lea ecx,dword ptr ss:[ebp-7C] |
004020D5 | push eax |
004020D6 | push ecx |
004020D7 | lea edx,dword ptr ss:[ebp-6C] |
004020DA | push 30 |
004020DC | push edx |
004020DD | call dword ptr ds:[<&rtcMsgBox>] |弹出成功提示框
- 分析关键代码为,比较dword ptr ss:[ebp-34] 与常量字符串L"kXy^rO|yXom\kMuOn*+",如果相等则成功。继续往上分析
00401F31 | lea eax,dword ptr ss:[ebp-6C] |
00401F34 | push edx | 字符串
00401F35 | push eax | 出参字符串长度
00401F36 | call dword ptr ds:[<&__vbaLenVar>] |
00401F3C | lea ecx,dword ptr ss:[ebp-BC] |
00401F42 | push eax | 参数5,循环变量上限 Long类型
00401F43 | lea edx,dword ptr ss:[ebp-114] |
00401F49 | push ecx | 参数4,循环初始值固定值,Int类型
00401F4A | lea eax,dword ptr ss:[ebp-104] |
00401F50 | push edx | 参数3,循环临时上限,Long类型 给__vbaVarForNext用
00401F51 | lea ecx,dword ptr ss:[ebp-24] |
00401F54 | push eax | 参数2,循环步长,Long类型
00401F55 | push ecx | 参数1,当前循环值,Long类型
00401F56 | call dword ptr ds:[<&__vbaVarForInit>] |
00401F5C | mov ebx,dword ptr ds:[<&__vbaVarCat>] |
00401F62 | mov edi,dword ptr ds:[<&__vbaFreeVarList>] |
00401F68 | test eax,eax |
00401F6A | je andrénalin.3.40202B |
00401F70 | lea edx,dword ptr ss:[ebp-6C] |
00401F73 | lea eax,dword ptr ss:[ebp-24] |
00401F76 | push edx |
00401F77 | push eax | var变量
00401F78 | mov dword ptr ss:[ebp-64],1 |
00401F7F | mov dword ptr ss:[ebp-6C],2 |
00401F86 | call dword ptr ds:[<&__vbaI4Var>] |
00401F8C | lea ecx,dword ptr ss:[ebp-44] |
00401F8F | push eax | 参数3,起始值
00401F90 | lea edx,dword ptr ss:[ebp-7C] |
00401F93 | push ecx | 参数2 key字符串
00401F94 | push edx | 参数1,edx+10截取字符串长度 值为1
00401F95 | call dword ptr ds:[<&rtcMidCharVar>] |
00401F9B | lea eax,dword ptr ss:[ebp-7C] |
00401F9E | lea ecx,dword ptr ss:[ebp-58] |
00401FA1 | push eax | 截取的字符串
00401FA2 | push ecx |
00401FA3 | call dword ptr ds:[<&__vbaStrVarVal>] | var字符串转换成裸字符串
00401FA9 | push eax | 裸字符串
00401FAA | call dword ptr ds:[<&rtcAnsiValueBstr>] | 首字符转换成ascii
00401FB0 | add ax,A | ascii+A
00401FB4 | jo andrénalin.3.40226A |
00401FBA | movsx edx,ax |
00401FBD | push edx |
00401FBE | call dword ptr ds:[<&rtcBstrFromAnsi>] |
00401FC4 | mov dword ptr ss:[ebp-84],eax |
00401FCA | lea eax,dword ptr ss:[ebp-34] |
00401FCD | lea ecx,dword ptr ss:[ebp-8C] |
00401FD3 | push eax | 左边变量,累计拼接结果,初始值为空
00401FD4 | lea edx,dword ptr ss:[ebp-9C] |
00401FDA | push ecx | 右边变量 ascii+A 字符串
00401FDB | push edx | 拼接结果
00401FDC | mov dword ptr ss:[ebp-8C],8 |
00401FE6 | call ebx | __vbaVarCat 变量拼接
00401FE8 | mov edx,eax |
00401FEA | lea ecx,dword ptr ss:[ebp-34] |
00401FED | call esi |
00401FEF | lea ecx,dword ptr ss:[ebp-58] |
00401FF2 | call dword ptr ds:[<&__vbaFreeStr>] |
00401FF8 | lea eax,dword ptr ss:[ebp-8C] |
00401FFE | lea ecx,dword ptr ss:[ebp-7C] |
00402001 | push eax |
00402002 | lea edx,dword ptr ss:[ebp-6C] |
00402005 | push ecx |
00402006 | push edx |
00402007 | push 3 |
00402009 | call edi |
0040200B | add esp,10 |
0040200E | lea eax,dword ptr ss:[ebp-114] |
00402014 | lea ecx,dword ptr ss:[ebp-104] |
0040201A | lea edx,dword ptr ss:[ebp-24] |
0040201D | push eax | 参数3,循环临时上限,Long类型
0040201E | push ecx | 参数2,循环临时步长,Long类型
0040201F | push edx | 参数1,当前循环值,Long类型
00402020 | call dword ptr ds:[<&__vbaVarForNext>] |更新下一次循环标志位
00402026 | jmp andrénalin.3.401F68 |跳转到循环判断条件处
- 分析代码发现,关键算法为循环遍历字符串,将每个字符都加上0xA,变成一个新串
- 综上写出注册机代码
#include<stdio.h>
#include<string.h>
int main()
{char key[1024] = "kXy^rO|*yXo*m\\kMuOn*+";int len = strlen(key);for (int i = 0; i < len; i++){key[i] -= 0xA;}printf("key为%s\r\n", key);return 0;
}
总结Crackme
- 开启注册机生成key,输入key,点击ok
