3.Afkayas2

3.Afkayas2

与第1题类似,依旧是找到MsgBox函数,右键显示调用;

image-20220926154437328

image-20220926154612946

找到的序列号为1600318,完全没有章法;

直接单步运行,记录寄存器变化;

image-20220926160355015

用户名:itachi,长度6,第一个字符ascii码为0x69,

第一次计算:len(s)*0x15B38 + ascii(first(s)),值为533433

533433-> 533435->1600303->1600318

第一次浮点计算

004082D7   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004082DD > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004082E3 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004082E6 . 52 push edx ; // edx=355603
004082E7 . 8B19 mov ebx,dword ptr ds:[ecx]
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004082EF . D905 08104000 fld dword ptr ds:[0x401008] ; // 10.0
004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC . 75 08 jnz short 00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; // 5.0, 做除法==2。0
00408304 . EB 0B jmp short 00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08 sub esp,0x8
00408314 . DFE0 fstsw ax ; // 将值给eax=3100
00408316 . A8 0D test al,0xD
00408318 . 0F85 A1040000 jnz 004087BF
0040831E . DEC1 faddp st(1),st ; // 加法,355603 + 2
00408320 . DFE0 fstsw ax
00408322 . A8 0D test al,0xD
00408324 . 0F85 95040000 jnz 004087BF
0040832A . DD1C24 fstp qword ptr ss:[esp]
0040832D . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; msvbvm50.__vbaStrR8
00408333 . 8BD0 mov edx,eax ; // eax = 355605 字符串
00408335 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408338 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
0040833E . 899D 34FFFFFF mov dword ptr ss:[ebp-0xCC],ebx
00408344 . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]
0040834A . 50 push eax
0040834B . 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-0xCC] ; // 355605
00408351 . 53 push ebx
00408352 . FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408358 . 85C0 test eax,eax ; // eax=0,ecx=" "
0040835A . 7D 12 jge short 0040836E

第二次浮点计算

004083E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004083E9 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18] ; // 355605
004083F2 . 52 push edx
004083F3 . 8B19 mov ebx,dword ptr ds:[ecx]
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; // 355605 * 3 = 1066815.0
00408401 . 83EC 08 sub esp,0x8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; // 1066815 - 2 = 1066813
0040840A . DFE0 fstsw ax ; // ax = 3900
0040840C . A8 0D test al,0xD
0040840E . 0F85 AB030000 jnz 004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp]
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; msvbvm50.__vbaStrR8
0040841D . 8BD0 mov edx,eax ; // eax=1600133
0040841F . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408422 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00408428 . 899D 2CFFFFFF mov dword ptr ss:[ebp-0xD4],ebx
0040842E . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]
00408434 . 50 push eax ; 1066813
00408435 . 8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-0xD4]
0040843B . 53 push ebx
0040843C . FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408442 . 85C0 test eax,eax
00408444 . 7D 12 jge short 00408458

第三次浮点计算

004084CD   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004084D3 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004084DC . 52 push edx
004084DD . 8B19 mov ebx,dword ptr ds:[ecx]
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; // 1066813.0 - (-15.0) = 1066828
004084EB . 83EC 08 sub esp,0x8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD
004084F2 . 0F85 C7020000 jnz 004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp]
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; msvbvm50.__vbaStrR8
00408501 . 8BD0 mov edx,eax ; // 1066828
00408503 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408506 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove

Serial

004085C8   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004085CE > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004085D1 . 50 push eax ; // 获取Serial
004085D2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004085D8 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C] ; // 1066828
004085DB . DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]
004085E1 . 51 push ecx
004085E2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004085E8 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004085EF . 75 08 jnz short 004085F9
004085F1 . DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4] ; // 做除法
004085F7 . EB 11 jmp short 0040860A
004085F9 > \FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A > DFE0 fstsw ax ; // 把结果送入ax
0040860C . A8 0D test al,0xD
0040860E . 0F85 AB010000 jnz 004087BF
00408614 . FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>; msvbvm50.__vbaFpR8
0040861A . DC1D 28104000 fcomp qword ptr ds:[0x401028]
00408620 . DFE0 fstsw ax ; //ax=20
00408622 . F6C4 40 test ah,0x40 ; // ah=40
00408625 . 74 07 je short 0040862E
// CrackMe160.cpp : 定义控制台应用程序的入口点。
// 003

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "iostream"

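// Name buffer. Zero-initialised so that an empty or failed read still leaves a
// NUL-terminated string of length 0 (which the check below reports as an error).
char buff[100] = {0};

// Entry point for CrackMe160-003: reads a Name from stdin and prints the Serial
// the target's check routine computes for it.
//
// The arithmetic mirrors the traced routine in the write-up above:
//   nLen * 0x15B38 + <first byte of Name>, then (+ 10.0/5.0) * 3.0 - 2 - (-15),
// with the final double converted to an integer for printing.
// Always returns 0; an empty Name prints "Input error!" instead of a serial.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    printf("160CrackMe-003 Name/Serial\r\n\r\n");
    printf("Name:");
    // gets_s is bounded by the buffer size. On read failure buff is left empty
    // (it is zero-initialised), which falls into the error branch below.
    // NOTE: a line longer than the buffer triggers the runtime-constraint
    // handler rather than being truncated.
    if (gets_s(buff, sizeof buff) == NULL) {
        buff[0] = '\0';
    }

    int nLen = (int)strlen(buff);
    if (nLen > 0) {
        // nLen <= 99 here, so nLen * 0x15B38 cannot overflow int.
        int nRet = nLen * 0x15B38;
        // The trace describes cName as the first character's ANSI code, i.e. a
        // byte value 0..255. With MSVC's signed char, a first byte >= 0x80 would
        // otherwise be added as a negative number and the serial would diverge.
        nRet += (unsigned char)buff[0];

        // Same FPU sequence as the trace: fdiv 10/5, faddp, fmul 3.0,
        // fsub 2.0, fsub -15.0.
        double dRet = (double)nRet;
        dRet += (10.0 / 5.0);
        dRet *= 3.0;
        dRet -= 2;
        dRet -= -15;
        printf("Serial:%d\r\n", (int)dRet);
    } else {
        printf("Input error!\r\n");
    }

    // Keeps the console window open when launched outside a terminal (Windows).
    system("pause");
    return 0;
}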

先计算出Name的长度nLen,然后edi = nLen*0x15B38 + cName,其中cName是Name第一个字符的ANSI码。接着计算浮点数10.0/5.0 = 2.0,把edi转换为浮点数并加上2.0,再将结果乘以3.0,减去2,再减去-15(即加上15),最后把得到的值转换为文本,即为正确的序列号。