selph
Published on 2022-08-10

New 160 CrackMe Exercises: 036-Andrnalin.2

Algorithm difficulty: ⭐⭐⭐

Patching difficulty: ⭐

Information gathering

Running the program:

image

Packer detection and unpacking:

No packer; it is a VB program!

image

Debugging and analysis

Using VB Decompiler to help with the analysis:

The form has two functions: one is the button's click handler, the other is the event fired when the Name is typed:

image

First, the Text2_Change function: it enables or disables the button depending on whether Name contains any input

Private Sub Text2_Change() '4024F0
  Dim var_1C As Variant
  loc_0040259D: If (Form1.Text2.Text = global_00401DC4) + 1 Then	// if the input is empty
  loc_004025AA:   Set var_1C = Form1.Command1		// the button
  loc_004025B7:   var_1C.Enabled = False			// disable it
  loc_004025BF:   If var_1C >= 0 Then GoTo loc_004025F7
  loc_004025C1:   GoTo loc_004025E5
  loc_004025C3: End If
  loc_004025CE: Set var_1C = Form1.Command1
  loc_004025DB: var_1C.Enabled = True				// enable the button when there is input
  loc_004025E3: If var_1C >= 0 Then GoTo loc_004025F7
  loc_004025E5: ' Referenced from: 004025C1
  loc_004025F1: var_1C = CheckObj(var_1C, global_00401DC8, 140)
  loc_0040260C: GoTo loc_00402621
  loc_00402620: Exit Sub
  loc_00402621: ' Referenced from: 0040260C
End Sub

Next, the Click function:

Private Sub Command1_Click() '401FF0
  loc_004020CA: var_44 = Form1.Text2.Text					// contents of the Name edit box
  loc_00402126: For var_24 = 1 To Len(var_44) Step 1				// iterate over the Name string
  loc_00402134:   If var_108 Then
  loc_00402170:     var_8008 = Asc(CStr(Mid(var_44, CLng(var_24), 1)))		// take one character and convert it to its ASCII code
  loc_00402176:     var_B4 = var_8008
  loc_004021A0:     var_34 = var_34 + var_8008					// accumulate into var_34
  loc_004021CB:   Next var_24
  loc_004021D1:   GoTo loc_00402132
  loc_004021D6: End If
  loc_00402204: var_34 = var_34 * 1234567890			// multiply the accumulated sum by 1234567890
  loc_00402254: Mid(var_34, 9, 1) = "-"				// overwrite one character of the result
  loc_004022CB: If (Form1.Text1.Text = var_34) Then		// success if the entered Key == var_34
  loc_004022D1:   Beep
  loc_00402374:   var_54 = MsgBox("  RiCHTiG !!!!   ....  weiter mit dem Nächsten !!!", 48, "RiCHTiG !", 10, 10)
  loc_00402391: Else
  loc_0040240F:   var_8018 = MsgBox("Leider Falsch!   Nochmal veruschen ! Wenn Du es nicht schaffen solltest, schreib mir !  Andrenalin@gmx.net", 16, "LEiDER Falsch !  ", 10, 10)
  loc_0040242E:   var_54 = var_8018
  loc_00402446: End If
  loc_00402459: GoTo loc_0040248F
  loc_0040248E: Exit Sub
  loc_0040248F: ' Referenced from: 00402459
  loc_004024C0: GoTo loc_00esi
End Sub

Writing a keygen that follows the logic of the code above:

#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <iostream>

int main()
{
	char name[100] = { 0 };
	char serial[100] = { 0 };
	long long check = 0;

	std::cin.width(sizeof(name));	// never read more than the buffer holds
	std::cin >> name;
	// Sum the character codes of Name
	for (int i = 0; name[i]; i++)	check += name[i];
	check *= 1234567890;

	sprintf(serial, "%lld", check);
	serial[8] = '-';	// Mid(var_34, 9, 1) = "-" (VB positions are 1-based)
	std::cout << serial;
}

The result is wrong: with selph as input, the output is 66666666-600. Checking under dynamic debugging what the real output is:

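Stepping to where the - is generated shows that it happens twice here, while the decompiler only recognized one of them, so adding one more is enough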

image

With that, the serial generation is complete
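The comparison described above, as an added example that is not part of the original post: it models the VB `Mid(s, pos, 1) = "-"` statement with 1-based positions, builds the serial once from the decompiler listing alone and once with the second dash, and reports where the two differ. The function names are hypothetical, and the "observed" value is constructed from the corrected keygen on this page rather than copied from the debugger.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Sum of the Name's character codes times 1234567890, as in Command1_Click.
long long name_checksum(const std::string& name) {
    long long sum = 0;
    for (char c : name) sum += c;
    return sum * 1234567890LL;
}

// Apply a VB-style `Mid(s, pos, 1) = "-"` for every 1-based position in `dashes`.
// Positions past the end of the string are skipped (a guard added for this example).
std::string make_serial(const std::string& name, const std::vector<int>& dashes) {
    std::string s = std::to_string(name_checksum(name));
    for (int pos : dashes)
        if (pos >= 1 && static_cast<size_t>(pos) <= s.size()) s[pos - 1] = '-';
    return s;
}

// 1-based positions at which the keygen output differs from the observed serial.
std::vector<int> diff_positions(const std::string& mine, const std::string& observed) {
    std::vector<int> out;
    size_t n = std::min(mine.size(), observed.size());
    for (size_t i = 0; i < n; ++i)
        if (mine[i] != observed[i]) out.push_back(static_cast<int>(i) + 1);
    return out;
}

int main() {
    const std::string name = "selph";
    std::string first = make_serial(name, {9});        // decompiler listing only
    std::string observed = make_serial(name, {4, 9});  // constructed: both Mid statements
    std::cout << first << "\n" << observed << "\n";
    for (int p : diff_positions(first, observed))
        std::cout << "missing Mid(var_34, " << p << ", 1) = \"-\"\n";
}
```

Each reported position maps directly to the first argument of a `Mid` statement the decompiler did not list.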

Keygen

Serial generation algorithm:

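#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <iostream>

int main()
{
	char name[100] = { 0 };
	char serial[100] = { 0 };
	long long check = 0;

	std::cin.width(sizeof(name));	// never read more than the buffer holds
	std::cin >> name;
	// Sum the character codes of Name
	for (int i = 0; name[i]; i++)
	{
		check += name[i];
	}
	check *= 1234567890;

	sprintf(serial, "%lld", check);
	serial[3] = '-';	// second dash, found only in the debugger
	serial[8] = '-';	// Mid(var_34, 9, 1) = "-" (VB positions are 1-based)
	std::cout << serial;
}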

Result: testing with a different Name

image

image

