160 - 2 Afkayas.1
环境:
Windows Xp sp3
OD载入:
运行,然后输入:
然后回到OD,按F12来暂停,
然后ALT+F9回到程序领空,把弹出的那个错误消息框点掉,这时OD来到这里:
004025F9 . 68 E81B4000 push Afkayas_.00401BE8 ; Try Again -- failure branch: prompt is built from "You Get Wrong", "\r\n" and "Try Again"
004025FE . FFD7 call edi ; __vbaStrCat (edi was loaded with its import earlier in the handler)
00402600 . 8945 CC mov dword ptr ss:[ebp-0x34],eax ; prompt Variant data ([ebp-0x3C]+8) = concatenated BSTR
00402603 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; three "missing optional argument" Variants (set up earlier in the handler)
00402606 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00402609 . 50 push eax ; context
0040260A . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
0040260D . 51 push ecx ; helpfile
0040260E . 52 push edx ; title
0040260F . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00402612 . 6A 00 push 0x0 ; buttons = 0 (vbOKOnly)
00402614 . 50 push eax ; prompt Variant
00402615 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8 ; prompt Variant vt = VT_BSTR
0040261C . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox -- the "Try Again" box that is dismissed in the debugger
00402622 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] ; OD stops here after F12 + Alt+F9 (return address of rtcMsgBox)
00402625 . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr -- free the prompt BSTR
0040262B . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
0040262E . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
00402631 . 51 push ecx
00402632 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00402635 . 52 push edx
00402636 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00402639 . 50 push eax
0040263A . 51 push ecx
0040263B > 6A 04 push 0x4 ; join point: the success branch arrives here via jmp 0040263B
0040263D . FF15 EC404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; MSVBVM50.__vbaFreeVarList -- release the 4 Variants
往上看一看有个Try Again,再往上看看:
00402310 > \55 push ebp ; ---- VB5 event handler: frame + SEH setup, then the serial check ----
00402311 . 8BEC mov ebp,esp
00402313 . 83EC 0C sub esp,0xC
00402316 . 68 26104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; SEH handler install
0040231B . 64:A1 0000000>mov eax,dword ptr fs:[0]
00402321 . 50 push eax ; link the previous SEH record
00402322 . 64:8925 00000>mov dword ptr fs:[0],esp
00402329 . 81EC B0000000 sub esp,0xB0 ; locals: BSTRs, object refs, saved vtable slots, 4 Variants
0040232F . 53 push ebx
00402330 . 56 push esi
00402331 . 8B75 08 mov esi,dword ptr ss:[ebp+0x8] ; esi = object (this) argument
00402334 . 57 push edi
00402335 . 8BC6 mov eax,esi
00402337 . 83E6 FE and esi,0xFFFFFFFE ; strip the low flag bit from the pointer; the bit itself is kept in [ebp-0x4]
0040233A . 8965 F4 mov dword ptr ss:[ebp-0xC],esp
0040233D . 83E0 01 and eax,0x1
00402340 . 8B1E mov ebx,dword ptr ds:[esi] ; ebx = vtable of this
00402342 . C745 F8 08104>mov dword ptr ss:[ebp-0x8],Afkayas_.0040>
00402349 . 56 push esi
0040234A . 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040234D . 8975 08 mov dword ptr ss:[ebp+0x8],esi
00402350 . FF53 04 call dword ptr ds:[ebx+0x4] ; vtable slot 1 on this (presumably AddRef)
00402353 . 8B83 10030000 mov eax,dword ptr ds:[ebx+0x310] ; vtable slot 0x310: accessor for control A (cached in [ebp-0xC0])
00402359 . 33FF xor edi,edi ; edi = 0
0040235B . 56 push esi
0040235C . 897D E8 mov dword ptr ss:[ebp-0x18],edi ; zero-init the BSTR / object locals
0040235F . 897D E4 mov dword ptr ss:[ebp-0x1C],edi
00402362 . 897D E0 mov dword ptr ss:[ebp-0x20],edi
00402365 . 897D DC mov dword ptr ss:[ebp-0x24],edi
00402368 . 897D D8 mov dword ptr ss:[ebp-0x28],edi
0040236B . 897D D4 mov dword ptr ss:[ebp-0x2C],edi
0040236E . 897D C4 mov dword ptr ss:[ebp-0x3C],edi
00402371 . 897D B4 mov dword ptr ss:[ebp-0x4C],edi
00402374 . 897D A4 mov dword ptr ss:[ebp-0x5C],edi
00402377 . 897D 94 mov dword ptr ss:[ebp-0x6C],edi
0040237A . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00402380 . FFD0 call eax ; this->slot0x310() -> control A
00402382 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
00402385 . 50 push eax
00402386 . 51 push ecx
00402387 . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet -- [ebp-0x2C] = control A; eax = the same ref
0040238D . 8B9B 00030000 mov ebx,dword ptr ds:[ebx+0x300] ; vtable slot 0x300: accessor for control B (cached in [ebp-0xC4])
00402393 . 56 push esi
00402394 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax ; [ebp-0xB0] = control A ref
0040239A . 899D 3CFFFFFF mov dword ptr ss:[ebp-0xC4],ebx
004023A0 . FFD3 call ebx ; this->slot0x300() -> control B
004023A2 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
004023A5 . 50 push eax
004023A6 . 52 push edx
004023A7 . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet -- [ebp-0x24] = control B
004023AD . 8BD8 mov ebx,eax
004023AF . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004023B2 . 51 push ecx ; out BSTR* -> [ebp-0x18]
004023B3 . 53 push ebx
004023B4 . 8B03 mov eax,dword ptr ds:[ebx]
004023B6 . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; control B slot 0xA0 (presumably get Text) -> [ebp-0x18] = Name
004023BC . 3BC7 cmp eax,edi
004023BE . 7D 12 jge XAfkayas_.004023D2 ; HRESULT >= 0: success, skip the error raise
004023C0 . 68 A0000000 push 0xA0
004023C5 . 68 5C1B4000 push Afkayas_.00401B5C
004023CA . 53 push ebx
004023CB . 50 push eax
004023CC . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj -- raises a VB error for the failed HRESULT
004023D2 > 56 push esi
004023D3 . FF95 3CFFFFFF call dword ptr ss:[ebp-0xC4] ; this->slot0x300() again -> control B
004023D9 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
004023DC . 50 push eax
004023DD . 52 push edx
004023DE . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet -- [ebp-0x28] = control B (second ref)
004023E4 . 8BD8 mov ebx,eax
004023E6 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004023E9 . 51 push ecx ; out BSTR* -> [ebp-0x1C]
004023EA . 53 push ebx
004023EB . 8B03 mov eax,dword ptr ds:[ebx]
004023ED . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; control B slot 0xA0 again -> [ebp-0x1C] (second copy of Name)
004023F3 . 3BC7 cmp eax,edi
004023F5 . 7D 12 jge XAfkayas_.00402409
004023F7 . 68 A0000000 push 0xA0
004023FC . 68 5C1B4000 push Afkayas_.00401B5C
00402401 . 53 push ebx
00402402 . 50 push eax
00402403 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00402409 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0] ; edx = control A ref
0040240F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00402412 . 50 push eax ; /String
00402413 . 8B1A mov ebx,dword ptr ds:[edx] ; | ebx = vtable of control A
00402415 . FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
0040241B . 8BF8 mov edi,eax ; L = Len(Name)
0040241D . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00402420 . 69FF FB7C0100 imul edi,edi,0x17CFB ; s = L * 0x17CFB (= 97531), signed 32-bit
00402426 . 51 push ecx ; /String
00402427 . 0F80 91020000 jo Afkayas_.004026BE ; | overflow -> VB runtime error path (target outside this listing)
0040242D . FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr -- Asc(Name)
00402433 . 0FBFD0 movsx edx,ax ; c = Asc(first char of Name), sign-extended 16 -> 32 bit
00402436 . 03FA add edi,edx ; s = s + c -- this is X, the value the expected serial is built from
00402438 . 0F80 80020000 jo Afkayas_.004026BE ; overflow check again
0040243E . 57 push edi
0040243F . FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; MSVBVM50.__vbaStrI4 -- CStr(X)
00402445 . 8BD0 mov edx,eax
00402447 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040244A . FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove -- [ebp-0x20] = CStr(X)
00402450 . 8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0] ; edi = control A ref
00402456 . 50 push eax
00402457 . 57 push edi
00402458 . FF93 A4000000 call dword ptr ds:[ebx+0xA4] ; control A slot 0xA4 (presumably put Text) = CStr(X)
0040245E . 85C0 test eax,eax
00402460 . 7D 12 jge XAfkayas_.00402474
00402462 . 68 A4000000 push 0xA4
00402467 . 68 5C1B4000 push Afkayas_.00401B5C
0040246C . 57 push edi
0040246D . 50 push eax
0040246E . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00402474 > 8D45 E0 lea eax,dword ptr ss:[ebp-0x20] ; free the 3 temp BSTRs [ebp-0x20],[ebp-0x1C],[ebp-0x18]
00402477 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040247A . 50 push eax
0040247B . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
0040247E . 51 push ecx
0040247F . 52 push edx
00402480 . 6A 03 push 0x3
00402482 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00402488 . 83C4 10 add esp,0x10 ; cdecl cleanup, 4 args
0040248B . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C] ; release the 3 control refs [ebp-0x2C],[ebp-0x28],[ebp-0x24]
0040248E . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00402491 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
00402494 . 50 push eax
00402495 . 51 push ecx
00402496 . 52 push edx
00402497 . 6A 03 push 0x3
00402499 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObjList
0040249F . 8B06 mov eax,dword ptr ds:[esi]
004024A1 . 83C4 10 add esp,0x10
004024A4 . 56 push esi
004024A5 . FF90 04030000 call dword ptr ds:[eax+0x304] ; this->slot0x304() -> control C
004024AB . 8B1D 0C414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaOb>; MSVBVM50.__vbaObjSet
004024B1 . 50 push eax
004024B2 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004024B5 . 50 push eax
004024B6 . FFD3 call ebx ; <&MSVBVM50.__vbaObjSet> -- [ebp-0x24] = control C
004024B8 . 8BF8 mov edi,eax
004024BA . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
004024BD . 52 push edx ; out BSTR* -> [ebp-0x18]
004024BE . 57 push edi
004024BF . 8B0F mov ecx,dword ptr ds:[edi]
004024C1 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; control C slot 0xA0 -> [ebp-0x18]; per the author, the entered serial
004024C7 . 85C0 test eax,eax
004024C9 . 7D 12 jge XAfkayas_.004024DD
004024CB . 68 A0000000 push 0xA0
004024D0 . 68 5C1B4000 push Afkayas_.00401B5C
004024D5 . 57 push edi
004024D6 . 50 push eax
004024D7 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
004024DD > 56 push esi
004024DE . FF95 40FFFFFF call dword ptr ss:[ebp-0xC0] ; this->slot0x310() -> control A
004024E4 . 50 push eax
004024E5 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004024E8 . 50 push eax
004024E9 . FFD3 call ebx ; __vbaObjSet -- [ebp-0x28] = control A
004024EB . 8BF0 mov esi,eax
004024ED . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004024F0 . 52 push edx ; out BSTR* -> [ebp-0x1C]
004024F1 . 56 push esi
004024F2 . 8B0E mov ecx,dword ptr ds:[esi]
004024F4 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; control A slot 0xA0 -> [ebp-0x1C]; presumably reads back the CStr(X) stored above
004024FA . 85C0 test eax,eax
004024FC . 7D 12 jge XAfkayas_.00402510
004024FE . 68 A0000000 push 0xA0
00402503 . 68 5C1B4000 push Afkayas_.00401B5C
00402508 . 56 push esi
00402509 . 50 push eax
0040250A . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00402510 > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00402513 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
00402516 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCat -- edi = __vbaStrCat for the rest of the handler
0040251C . 50 push eax ; [ebp-0x18] (entered serial) stays on the stack as an operand of the __vbaStrCmp below
0040251D . 68 701B4000 push Afkayas_.00401B70 ; AKA-
00402522 . 51 push ecx ; /String -- ecx = CStr(X) from [ebp-0x1C]
00402523 . FFD7 call edi ; \__vbaStrCat -- builds "AKA-" & X, i.e. the expected serial
00402525 . 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove -- ebx = __vbaStrMove for the rest of the handler
0040252B . 8BD0 mov edx,eax
0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00402530 . FFD3 call ebx ; <&MSVBVM50.__vbaStrMove> -- [ebp-0x20] = expected serial (visible in memory at this point)
00402532 . 50 push eax
00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp -- entered vs expected serial; 0 = equal
00402539 . 8BF0 mov esi,eax ; esi = StrCmp result
0040253B . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
0040253E . F7DE neg esi ; neg / sbb / inc / neg: esi = -1 (VB True) when result == 0, else 0
00402540 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
00402543 . 52 push edx
00402544 . 1BF6 sbb esi,esi
00402546 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00402549 . 50 push eax
0040254A . 46 inc esi
0040254B . 51 push ecx
0040254C . 6A 03 push 0x3
0040254E . F7DE neg esi
00402550 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList -- free [ebp-0x20],[ebp-0x1C],[ebp-0x18]
00402556 . 83C4 10 add esp,0x10
00402559 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0040255C . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
0040255F . 52 push edx
00402560 . 50 push eax
00402561 . 6A 02 push 0x2
00402563 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObjList -- release [ebp-0x28],[ebp-0x24]
00402569 . 83C4 0C add esp,0xC
0040256C . B9 04000280 mov ecx,0x80020004 ; DISP_E_PARAMNOTFOUND
00402571 . B8 0A000000 mov eax,0xA ; VT_ERROR
00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx ; three "missing optional argument" Variants at [ebp-0x6C],[ebp-0x5C],[ebp-0x4C] for rtcMsgBox
00402579 . 66:85F6 test si,si ; compare flag (the movs below do not touch flags)
0040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00402585 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
0040258B . 74 58 je XAfkayas_.004025E5 ; not equal -> "You Get Wrong" branch
0040258D . 68 801B4000 push Afkayas_.00401B80 ; You Get It -- success branch
00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
00402597 . FFD7 call edi ; __vbaStrCat
00402599 . 8BD0 mov edx,eax
0040259B . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0040259E . FFD3 call ebx ; __vbaStrMove -> [ebp-0x18]
004025A0 . 50 push eax
004025A1 . 68 A81B4000 push Afkayas_.00401BA8 ; KeyGen It Now
004025A6 . FFD7 call edi ; __vbaStrCat
004025A8 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004025AB . 8945 CC mov dword ptr ss:[ebp-0x34],eax ; prompt Variant data ([ebp-0x3C]+8) = concatenated BSTR
004025AE . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004025B1 . 51 push ecx
004025B2 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004025B5 . 52 push edx
004025B6 . 50 push eax
004025B7 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004025BA . 6A 00 push 0x0 ; buttons = 0 (vbOKOnly)
004025BC . 51 push ecx ; prompt Variant
004025BD . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8 ; prompt Variant vt = VT_BSTR
004025C4 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
004025CA . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025CD . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr -- free the prompt BSTR
004025D3 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004025D6 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
004025D9 . 52 push edx
004025DA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004025DD . 50 push eax
004025DE . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004025E1 . 51 push ecx
004025E2 . 52 push edx
004025E3 . EB 56 jmp XAfkayas_.0040263B ; join the common __vbaFreeVarList cleanup (outside this listing)
004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; You Get Wrong -- failure branch
004025EA . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
004025EF . FFD7 call edi ; __vbaStrCat
004025F1 . 8BD0 mov edx,eax
004025F3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025F6 . FFD3 call ebx ; __vbaStrMove -> [ebp-0x18]
004025F8 . 50 push eax
004025F9 . 68 E81B4000 push Afkayas_.00401BE8 ; Try Again
004025FE . FFD7 call edi ; __vbaStrCat -- the handler continues at 00402600 (rtcMsgBox, then cleanup), shown in the excerpt above
得出Serial:
设L为输入的Name的长度(__vbaLenBstr),
设C为输入的Name首字符的ASCII码(rtcAnsiValueBstr,即VB的Asc),
设X为最后生成的结果(整数,之后经__vbaStrI4转成字符串),
得:
X = L*97531 + C  (97531 即上面 imul 的立即数 0x17CFB)
所以serial为:
AKA-X
若有误,望不吝赐教