[P-CODE]cscg-crackme 0.1 算法分析
【破文标题】cscg-crackme 0.1 算法分析
【破文作者】飘云
【作者邮箱】[email protected]
【作者主页】BBS.CHINAPYG.COM
【破解工具】Peid0.94,OllyDbg,VB
【破解平台】Win9x/NT/2000/XP
【软件名称】cscg-crackme 0.1
【软件大小】15kb
【原版下载】https://www.chinapyg.com/viewthread.php?tid=7727
【保护方式】用户名+序列号
【软件简介】cscg-crackme 0.1
VB P-CODE方式编译
【破解声明】我是一只菜菜鸟,偶得一点心得,愿与大家分享 !^_^
------------------------------------------------------------------------
【破解过程】
:004057780878FF FLdPr ;=
***********Reference To:TextBox.Text //★用户名输入框
|
:0040577B0DA0000000 VCallHresult ;Call ptr_00402CB4
:004057802834FF0100 LitVarI2 ;PushVarInteger 0001 //★参数:1
:00405785F505000000 LitI4 ;Push 00000005 //★参数:5
:0040578A3E74FF FLdZeroAd ;Push DWORD ; =0
:0040578D4654FF CVarStr ;
:004057900414FF FLdRfVar ;Push LOCAL_00EC
**********Reference To->msvbvm60.rtcMidCharVar //★截取用户名第5位
|
:004057930A04001000 ImpAdCallFPR4 ;Call ptr_00401056; check stack 0010; Push EAX
:004057980414FF FLdRfVar ;Push LOCAL_00EC
:0040579BFCF6C4FE FStVar ;
:0040579F1A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:004057A236040054FF34FF FFreeVar ;Free 0004/2 variants
:004057A904C4FE FLdRfVar ;Push LOCAL_013C
******Possible String Ref To->""
|
:004057AC3A64FF0500 LitVarStr ;PushVarString ptr_00402CF0
:004057B15D HardType ;
:004057B2FB33 EqVarBool ;
:004057B41C5C01 BranchF ;If Pop=0 then ESI=00405808 //★是否为空~~
******Possible String Ref To->"" //★这里就间接说明了用户名至少为5位!
.
.
.
.
.
.
(省略部分代码)
:004058120878FF FLdPr ;=
***********Reference To:TextBox.Text //★注册码输入框
|
:004058150DA0000000 VCallHresult ;Call ptr_00402CB4
:0040581A2834FF0400 LitVarI2 ;PushVarInteger 0004 //★参数:4
:0040581FF501000000 LitI4 ;Push 00000001 //★参数:1
:004058243E74FF FLdZeroAd ;Push DWORD ; =0
:004058274654FF CVarStr ;
:0040582A0414FF FLdRfVar ;Push LOCAL_00EC
**********Reference To->msvbvm60.rtcMidCharVar //★从第1位开始截取4位
|
:0040582D0A04001000 ImpAdCallFPR4 ;Call ptr_00401056; check stack 0010; Push EAX
:004058320414FF FLdRfVar ;Push LOCAL_00EC
:00405835FCF6A4FE FStVar ;
:004058391A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:0040583C36040054FF34FF FFreeVar ;Free 0004/2 variants
:004058430474FF FLdRfVar ;Push LOCAL_008C
:0040584621 FLdPrThis ;=
:004058470F0C03 VCallAd ;Return the control index 05
:0040584A1978FF FStAdFunc ;
:0040584D0878FF FLdPr ;=
***********Reference To:TextBox.Text //★注册码输入框
|
:004058500DA0000000 VCallHresult ;Call ptr_00402CB4
:00405855F506000000 LitI4 ;Push 00000006 //★参数:6
:0040585A3E74FF FLdZeroAd ;Push DWORD ; =0
:0040585D4654FF CVarStr ;
:004058600434FF FLdRfVar ;Push LOCAL_00CC
**********Reference To->msvbvm60.rtcRightCharVar //★从右边截取6位
|
:004058630A07000C00 ImpAdCallFPR4 ;Call ptr_0040105C; check stack 000C; Push EAX
:004058680434FF FLdRfVar ;Push LOCAL_00CC
:0040586BFCF694FE FStVar ;
:0040586F1A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:004058723554FF FFree1Var ;Free LOCAL_00AC
:0040587504A4FE FLdRfVar ;Push LOCAL_015C
:004058780494FE FLdRfVar ;Push LOCAL_016C
:0040587BFBEF54FF ConcatVar ; //★连接起来
:0040587FFCF684FE FStVar ;
:004058830484FE FLdRfVar ;Push LOCAL_017C
******Possible String Ref To->"csks" //★特征串
|
:004058863A64FF0800 LitVarStr ;PushVarString ptr_00402D14
:0040588B5D HardType ;
:0040588CFB33 EqVarBool ;
:0040588E1CA105 BranchF ;If Pop=0 then ESI=00405C4D//★上面连接之后的字符串是否和特征串相同~~~
:004058910474FF FLdRfVar ;Push LOCAL_008C
:0040589421 FLdPrThis ;=
:004058950F1003 VCallAd ;Return the control index 06
:004058981978FF FStAdFunc ;
:0040589B0878FF FLdPr ;=
***********Reference To:TextBox.Text //★用户名输入框
|
:0040589E0DA0000000 VCallHresult ;Call ptr_00402CB4
:004058A3F503000000 LitI4 ;Push 00000003 //★参数:3
:004058A83E74FF FLdZeroAd ;Push DWORD ; =0
:004058AB4654FF CVarStr ;
:004058AE0434FF FLdRfVar ;Push LOCAL_00CC
**********Reference To->msvbvm60.rtcRightCharVar //★从用户名右边截取3位
|
:004058B10A07000C00 ImpAdCallFPR4 ;Call ptr_0040105C; check stack 000C; Push EAX
:004058B60434FF FLdRfVar ;Push LOCAL_00CC
:004058B9FCF674FE FStVar ;
:004058BD1A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:004058C03554FF FFree1Var ;Free LOCAL_00AC
:004058C30474FF FLdRfVar ;Push LOCAL_008C
:004058C621 FLdPrThis ;=
:004058C70F1003 VCallAd ;Return the control index 06
:004058CA1978FF FStAdFunc ;
:004058CD0878FF FLdPr ;=
***********Reference To:TextBox.Text //★用户名输入框
|
:004058D00DA0000000 VCallHresult ;Call ptr_00402CB4
:004058D52834FF0300 LitVarI2 ;PushVarInteger 0003 //★参数:3
:004058DAF501000000 LitI4 ;Push 00000001 //★参数:1
:004058DF3E74FF FLdZeroAd ;Push DWORD ; =0
:004058E24654FF CVarStr ;
:004058E50414FF FLdRfVar ;Push LOCAL_00EC
**********Reference To->msvbvm60.rtcMidCharVar //★从用户名第1位开始取3位
|
:004058E80A04001000 ImpAdCallFPR4 ;Call ptr_00401056; check stack 0010; Push EAX
:004058ED0414FF FLdRfVar ;Push LOCAL_00EC
:004058F0FCF664FE FStVar ;
:004058F41A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:004058F736040054FF34FF FFreeVar ;Free 0004/2 variants
:004058FE0474FE FLdRfVar ;Push LOCAL_018C
******Possible String Ref To->"csks" //★特征串
|
:004059013A64FF0800 LitVarStr ;PushVarString ptr_00402D14
:00405906FBEF54FF ConcatVar ; //★连接
:0040590A0464FE FLdRfVar ;Push LOCAL_019C
:0040590DFBEF34FF ConcatVar ; //★连接
:004059110474FF FLdRfVar ;Push LOCAL_008C
:0040591421 FLdPrThis ;=
:004059150F1003 VCallAd ;Return the control index 06
:004059181978FF FStAdFunc ;
:0040591B0878FF FLdPr ;=
***********Reference To:TextBox.Text //★用户名输入框
|
:0040591E0DA0000000 VCallHresult ;Call ptr_00402CB4
:004059233E74FF FLdZeroAd ;Push DWORD ; =0
:004059264614FF CVarStr ;//★和上面的连接之后构成新用户名
:00405929FBEFF4FE ConcatVar ;
:0040592DFCF654FE FStVar ;
:004059311A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:0040593436060054FF34FF14 FFreeVar ;Free 0006/2 variants
:0040593D0454FE FLdRfVar ;Push LOCAL_01AC
:00405940FBEB54FF FnLenVar ;vbaLenVar //★取新用户名长度
:00405944FCF644FE FStVar ;
:00405948F400 LitI2_Byte ;Push 00 //★初始化 0
:0040594A703EFE FStI2 ;Pop WORD
:0040594D0454FE FLdRfVar ;Push LOCAL_01AC
:00405950FC02 CStrVar ;vbaStrVarCopy
:004059523140FE FStStr ;SysFreeString ; =Pop
:004059552824FF0100 LitVarI2 ;PushVarInteger 0001
:0040595A042CFE FLdRfVar ;Push LOCAL_01D4
:0040595D6C40FE ILdRf ;Push DWORD
:004059604A FnLenStr ;vbaLenBstr
:00405961FD6944FF CVarI4 ;
:00405965FE680CFEED02 ForVar ; //★for...(next)
:0040596B6B3EFE FLdI2 ;Push WORD
:0040596E2754FF LitVar ;PushVar LOCAL_00AC
:00405971042CFE FLdRfVar ;Push LOCAL_01D4
:00405974FC22 CI4Var ;vbaI4Var
:004059766C40FE ILdRf ;Push DWORD
**********Reference To->msvbvm60.rtcMidCharBstr
|
:004059790B09000C00 ImpAdCallI2 ;Call ptr_00401062; check stack 000C; Push EAX
:0040597E2374FF FStStrNoPop ;SysFreeString ; =
**********Reference To->msvbvm60.rtcAnsiValueBstr
|
:004059810B0A000400 ImpAdCallI2 ;Call ptr_00401068; check stack 0004; Push EAX
:00405986A9 AddI2 ; //★累加新用户名ASCII
:00405987703EFE FStI2 ;Pop WORD
:0040598A2F74FF FFree1Str ;SysFreeString ; =0
:0040598D3554FF FFree1Var ;Free LOCAL_00AC
:00405990042CFE FLdRfVar ;Push LOCAL_01D4
:00405993FE7E0CFEBF02 NextStepVar ; //★(for)...next
:004059992854FF0100 LitVarI2 ;PushVarInteger 0001 //★参数:1
:0040599EF503000000 LitI4 ;Push 00000003 //★参数:3
:004059A3043EFE FLdRfVar ;Push LOCAL_01C2
:004059A64D64FF0240 CVarRef ;
:004059AB0434FF FLdRfVar ;Push LOCAL_00CC
**********Reference To->msvbvm60.rtcMidCharVar //★取累加和中第3位字符
| //下面就是一个 Select Case 了~~
:004059AE0A04001000 ImpAdCallFPR4 ;Call ptr_00401056; check stack 0010; Push EAX
:004059B30434FF FLdRfVar ;Push LOCAL_00CC
:004059B6FCF6FCFD FStVar ;
:004059BA3554FF FFree1Var ;Free LOCAL_00AC
:004059BD04FCFD FLdRfVar ;Push LOCAL_0204
:004059C02864FF0100 LitVarI2 ;PushVarInteger 0001
:004059C55D HardType ;
:004059C6FB33 EqVarBool ;
:004059C81C2B03 BranchF ;If Pop=0 then ESI=004059D7
******Possible String Ref To->"["
|
:004059CB3A64FF0B00 LitVarStr ;PushVarString ptr_00402D30
:004059D0FD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:004059D41E1504 Branch ;ESI=00405AC1
:004059D704FCFD FLdRfVar ;Push LOCAL_0204
:004059DA2864FF0200 LitVarI2 ;PushVarInteger 0002
:004059DF5D HardType ;
:004059E0FB33 EqVarBool ;
:004059E21C4503 BranchF ;If Pop=0 then ESI=004059F1
******Possible String Ref To->"中"
|
:004059E53A64FF0C00 LitVarStr ;PushVarString ptr_00402D38
:004059EAFD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:004059EE1E1504 Branch ;ESI=00405AC1
:004059F104FCFD FLdRfVar ;Push LOCAL_0204
:004059F42864FF0300 LitVarI2 ;PushVarInteger 0003
:004059F95D HardType ;
:004059FAFB33 EqVarBool ;
:004059FC1C5F03 BranchF ;If Pop=0 then ESI=00405A0B
******Possible String Ref To->"华"
|
:004059FF3A64FF0D00 LitVarStr ;PushVarString ptr_00402D40
:00405A04FD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405A081E1504 Branch ;ESI=00405AC1
:00405A0B04FCFD FLdRfVar ;Push LOCAL_0204
:00405A0E2864FF0400 LitVarI2 ;PushVarInteger 0004
:00405A135D HardType ;
:00405A14FB33 EqVarBool ;
:00405A161C7903 BranchF ;If Pop=0 then ESI=00405A25
******Possible String Ref To->"软"
|
:00405A193A64FF0E00 LitVarStr ;PushVarString ptr_00402D48
:00405A1EFD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405A221E1504 Branch ;ESI=00405AC1
:00405A2504FCFD FLdRfVar ;Push LOCAL_0204
:00405A282864FF0500 LitVarI2 ;PushVarInteger 0005
:00405A2D5D HardType ;
:00405A2EFB33 EqVarBool ;
:00405A301C9303 BranchF ;If Pop=0 then ESI=00405A3F
******Possible String Ref To->"件"
|
:00405A333A64FF0F00 LitVarStr ;PushVarString ptr_00402D50
:00405A38FD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405A3C1E1504 Branch ;ESI=00405AC1
:00405A3F04FCFD FLdRfVar ;Push LOCAL_0204
:00405A422864FF0600 LitVarI2 ;PushVarInteger 0006
:00405A475D HardType ;
:00405A48FB33 EqVarBool ;
:00405A4A1CAD03 BranchF ;If Pop=0 then ESI=00405A59
******Possible String Ref To->"解"
|
:00405A4D3A64FF1000 LitVarStr ;PushVarString ptr_00402D58
:00405A52FD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405A561E1504 Branch ;ESI=00405AC1
:00405A5904FCFD FLdRfVar ;Push LOCAL_0204
:00405A5C2864FF0700 LitVarI2 ;PushVarInteger 0007
:00405A615D HardType ;
:00405A62FB33 EqVarBool ;
:00405A641CC703 BranchF ;If Pop=0 then ESI=00405A73
******Possible String Ref To->"密"
|
:00405A673A64FF1100 LitVarStr ;PushVarString ptr_00402D60
:00405A6CFD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405A701E1504 Branch ;ESI=00405AC1
:00405A7304FCFD FLdRfVar ;Push LOCAL_0204
:00405A762864FF0800 LitVarI2 ;PushVarInteger 0008
:00405A7B5D HardType ;
:00405A7CFB33 EqVarBool ;
:00405A7E1CE103 BranchF ;If Pop=0 then ESI=00405A8D
******Possible String Ref To->"同"
|
:00405A813A64FF1200 LitVarStr ;PushVarString ptr_00402D68
:00405A86FD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405A8A1E1504 Branch ;ESI=00405AC1
:00405A8D04FCFD FLdRfVar ;Push LOCAL_0204
:00405A902864FF0900 LitVarI2 ;PushVarInteger 0009
:00405A955D HardType ;
:00405A96FB33 EqVarBool ;
:00405A981CFB03 BranchF ;If Pop=0 then ESI=00405AA7
******Possible String Ref To->"盟"
|
:00405A9B3A64FF1300 LitVarStr ;PushVarString ptr_00402D70
:00405AA0FD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405AA41E1504 Branch ;ESI=00405AC1
:00405AA704FCFD FLdRfVar ;Push LOCAL_0204
:00405AAA2864FF0000 LitVarI2 ;PushVarInteger 0000
:00405AAF5D HardType ;
:00405AB0FB33 EqVarBool ;
:00405AB21C1504 BranchF ;If Pop=0 then ESI=00405AC1
******Possible String Ref To->"]"
|
:00405AB53A64FF1400 LitVarStr ;PushVarString ptr_00402D78
:00405ABAFD00ECFD FStVarCopy ;=vbaVarCopy(Pop)
:00405ABE1E1504 Branch ;ESI=00405AC1
:00405AC16B3EFE FLdI2 ;Push WORD
:00405AC4F38019 LitI2 ;Push 1980 //★参数:1980(16进制)
:00405AC7FB12 XorI4 ; //★和累加值做异或运算
:00405AC94464FF CVarI2 ;
:00405ACCFCF6DCFD FStVar ;
******Possible String Ref To->"csks" //★前特征串
|
:00405AD03A64FF1500 LitVarStr ;PushVarString ptr_00402D80
:00405AD504DCFD FLdRfVar ;Push LOCAL_0224
:00405AD80444FE FLdRfVar ;Push LOCAL_01BC
:00405ADBFB9C54FF SubVar ; //★累加值-新用户名长度
:00405ADFFBEF34FF ConcatVar ; //★连接
:00405AE304ECFD FLdRfVar ;Push LOCAL_0214
:00405AE6FBEF14FF ConcatVar ; //★连接
:00405AEA6B3EFE FLdI2 ;Push WORD
:00405AED4444FF CVarI2 ;
:00405AF00444FE FLdRfVar ;Push LOCAL_01BC
:00405AF3FB9CF4FE SubVar ; //★(和累加值做异或运算)的结果-新用户名长度
:00405AF704DCFD FLdRfVar ;Push LOCAL_0224
:00405AFAFB94CCFD AddVar ; //★上面两步的结果相加-新用户名长度
:00405AFEFBEFBCFD ConcatVar ; //★连接
******Possible String Ref To->"" //★后特征串
|
:00405B023A24FF1600 LitVarStr ;PushVarString ptr_00402D90
:00405B07FBEFACFD ConcatVar ; //★OK,第4次连接,这里之后就是真正注册码了!
:00405B0BFCF69CFD FStVar ;
:00405B0F36080034FF14FFCC FFreeVar ;Free 0008/2 variants
:00405B1A2854FF0400 LitVarI2 ;PushVarInteger 0004
:00405B1FF50A000000 LitI4 ;Push 0000000A
:00405B24049CFD FLdRfVar ;Push LOCAL_0264
:00405B270434FF FLdRfVar ;Push LOCAL_00CC
.
.
.
.
.
.
(省略部分代码)
------------------------------------------------------------------------
【破解总结】1.用户名至少5位
2.name1=用户名右边3位+"csks"+用户名左边3位+用户名 得到新用户名
3.LenName1=新用户名长度
4.Sum=累加Name1各字符的ASCII值
5.Str1=Sum转换成字符串后,由第3位字符决定取哪个字符:
1:[
2:中
3:华
4:软
5:件
6:解
7:密
8:同
9:盟
0:]
6.Sum1 = Sum xor 0x1980
7.A=Sum - LenName1
8.B=Sum1 - LenName1
9.C = A+B+LenName1
10.Sn = "csks" & B & Str1 & C & ""
------------------------------------------------------------------------
【注册机】
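' Keygen for cscg-crackme 0.1 (P-CODE build).  Variable names follow the
' 【破解总结】 section above so the two can be read side by side.
' Reads the user name from Text1 and writes the computed serial to Text2.
'
' In VB6, "Dim A, B As Integer" types only B -- every earlier name in the
' list silently becomes a Variant.  The target accumulates Sum in a 16-bit
' WORD (FLdI2/AddI2 in the listing), so each variable is declared on its own
' line with an explicit type to keep the keygen's arithmetic and overflow
' behaviour the same as the target's.
Dim Name As String
Dim Name1 As String
Dim LenName As Integer
Dim LenName1 As Integer
Dim Sum As Integer
Dim Sum1 As Integer
Dim Str1 As String
Dim Digit As String
Dim A As Integer
Dim B As Integer
Dim C As Integer
Dim Sn As String
Dim i As Integer

Name = Text1.Text
LenName = Len(Name)

' Step 1: the target rejects names shorter than 5 characters
' (Mid(Name, 5, 1) = "" in the listing), so do the same here.
If Name <> "" And LenName >= 5 Then
    ' Step 2: Name1 = right 3 chars & "csks" & left 3 chars & Name
    Name1 = Right$(Name, 3) & "csks" & Left$(Name, 3) & Name
    ' Step 3: length of the new name
    LenName1 = Len(Name1)
    ' Step 4: sum of the character codes of Name1 (rtcAnsiValueBstr + AddI2)
    Sum = 0
    For i = 1 To LenName1
        Sum = Sum + Asc(Mid$(Name1, i, 1))
    Next i
    ' Step 5: the third character of Sum written as decimal text selects Str1.
    ' Trim$ strips the leading space Str$ puts before a positive number.
    ' The digit is compared as text so no Variant string-to-number coercion
    ' is involved; for a digit character the result is the same as before.
    Digit = Mid$(Trim$(Str$(Sum)), 3, 1)
    Select Case Digit
        Case "0"
            Str1 = "]"
        Case "1"
            Str1 = "["
        Case "2"
            Str1 = "中"
        Case "3"
            Str1 = "华"
        Case "4"
            Str1 = "软"
        Case "5"
            Str1 = "件"
        Case "6"
            Str1 = "解"
        Case "7"
            Str1 = "密"
        Case "8"
            Str1 = "同"
        Case "9"
            Str1 = "盟"
        Case Else
            ' No branch matched: Str1 stays empty, as in the original code.
            Str1 = ""
    End Select
    ' Steps 6-9.  The listing computes C as (Sum - LenName1) + Sum1, which
    ' equals A + B + LenName1.
    Sum1 = Sum Xor &H1980
    A = Sum - LenName1
    B = Sum1 - LenName1
    C = A + B + LenName1
    ' Step 10: "csks" & B & Str1 & C & "" (the trailing marker string is empty)
    Sn = "csks" & B & Str1 & C & ""
    Text2.Text = Sn
Else
    Text2.Text = "请输入用户名!"
End If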
------------------------------------------------------------------------
【版权声明】本文纯属技术交流,转载请注明作者信息并保持文章的完整,谢谢! 原帖由 飘云
一直对P-CODE比较仇视,在OD中调试让人想碰墙
老大没用VBExplorer和VKTDEBUG吗?
另外外界流传的飘云修改版QQ不知是否和PYG有关系,我在本论坛没有发现任何链接 强悍,学习了 破文写得好公整啊! 老大出手的东东,就是不同凡响,P-CODE的,老大一个静态反编就搞定了,佩服! 看了一下,发现这个算法用Delphi写不如用易语言写来的简单(我刚开始学Delphi) 放了那么就,总算1个crackme被完整破解了。恭喜
我的crackme 0.2试过没有??? 向老大学习.算法我还是不懂啊 破文写得好公整啊! 这个是用什么工具分析出来的
是用2楼的兄弟说的那个工具吗??