crackme010
| 名称 | 值 |
|---|---|
| 软件名称 | Andrénalin.3.exe |
| 加壳方式 | 无 |
| 保护方式 | serial |
| 编译语言 | Microsoft Visual Basic |
| 调试环境 | win10 64位 |
| 使用工具 | x32dbg, PEid |
| 破解日期 | 2025-06-18 |
脱壳
1. 先用PEid查壳 查到无壳
前置知识
该 VB 程序会用到较多的 Variant 变量和官方文档查询不到的 VB 函数,请先阅读如下两篇文章:
- VB逆向基础(一)
- vb逆向常用函数
寻找Serial
寻找 flag:用 x32dbg 打开程序,鼠标右键 - 搜索 - 当前模块 - 字符串,发现存在字符串 L"RiCHTiG !"(地址 00402090,反汇编 `mov dword ptr ss:[ebp-B4],andrénalin.3.401B28`,字符串地址 00401B28,字符串 L"RiCHTiG !")。双击该条目跳转到代码:
; x32dbg listing (32-bit, Intel operand order). Columns: address | instruction | annotation.
; Serial check and success branch: the Variant at [ebp-34] (filled by the loop that exits
; to 0040202B) is compared with a string constant stored in the binary at 00401A8C.
; The pushes at the end of this listing are the arguments of the rtcMsgBox call at 004020DD.
0040202B | lea eax,dword ptr ss:[ebp-34] | eax = address of [ebp-34], the accumulated loop result
0040202E | lea ecx,dword ptr ss:[ebp-AC] | ecx = address of the Variant at [ebp-AC], filled in just below
00402034 | push eax | arg 2: result of the loop concatenation
00402035 | push ecx | arg 1: string constant L"kXy^rO|*yXo*m\\kMuOn*"
00402036 | mov dword ptr ss:[ebp-A4],andrénalin.3.401A8C | [ebp-A4] = address 401A8C, which holds L"kXy^rO|*yXo*m\\kMuOn*"
00402040 | mov dword ptr ss:[ebp-AC],8008 | Variant type word = 0x8008 (presumably a string type; the string Variants below use 8) - confirm
0040204A | call dword ptr ds:[__vbaVarTstEq] | tests the two Variants for equality: eax = 0x0 when they differ, 0xFFFFFFFF when they are equal
00402050 | test ax,ax | non-zero (equal) falls through into the success branch
00402053 | je andrénalin.3.402119 | zero (not equal): skip the success branch; 402119 is not part of this listing
00402059 | call dword ptr ds:[rtcBeep] | success branch starts here
0040205F | mov ebx,dword ptr ds:[__vbaVarDup] | ebx = __vbaVarDup, called twice below
00402065 | mov ecx,A | 0xA: type word for the two Variants at [ebp-9C] and [ebp-8C]
0040206A | mov eax,80020004 | 0x80020004: value for those two Variants (type 0xA / VT_ERROR with DISP_E_PARAMNOTFOUND is the usual encoding of an omitted optional argument)
0040206F | mov dword ptr ss:[ebp-9C],ecx |
00402075 | mov dword ptr ss:[ebp-8C],ecx |
0040207B | lea edx,dword ptr ss:[ebp-BC] | edx = Variant holding the success string (presumably the source of the copy)
00402081 | lea ecx,dword ptr ss:[ebp-7C] | ecx = [ebp-7C] (presumably the destination of the copy)
00402084 | mov dword ptr ss:[ebp-94],eax |
0040208A | mov dword ptr ss:[ebp-84],eax |
00402090 | mov dword ptr ss:[ebp-B4],andrénalin.3.401B28 | 401B28: L"RiCHTiG !", the success ("flag") string
0040209A | mov dword ptr ss:[ebp-BC],8 | type word 8 = string Variant
004020A4 | call ebx | __vbaVarDup
004020A6 | lea edx,dword ptr ss:[ebp-AC] |
004020AC | lea ecx,dword ptr ss:[ebp-6C] |
004020AF | mov dword ptr ss:[ebp-A4],andrénalin.3.401ABC | [ebp-A4] = address 401ABC (its contents are not shown); the debugger note L"kXy^rO|*yXo*m\\kMuOn*" is the value [ebp-A4] held before this store
004020B9 | mov dword ptr ss:[ebp-AC],8 | type word 8 = string Variant
004020C3 | call ebx | __vbaVarDup
004020C5 | lea edx,dword ptr ss:[ebp-9C] |
004020CB | lea eax,dword ptr ss:[ebp-8C] |
004020D1 | push edx | [ebp-9C]: type 0xA Variant (omitted argument)
004020D2 | lea ecx,dword ptr ss:[ebp-7C] |
004020D5 | push eax | [ebp-8C]: type 0xA Variant (omitted argument)
004020D6 | push ecx | [ebp-7C]: copy of the "RiCHTiG !" Variant
004020D7 | lea edx,dword ptr ss:[ebp-6C] |
004020DA | push 30 | 0x30: presumably the MsgBox button/icon flags - confirm
004020DC | push edx | [ebp-6C]: copy of the Variant pointing at 401ABC
004020DD | call dword ptr ds:[rtcMsgBox] | 弹出成功提示框

分析:关键代码为比较 dword ptr ss:[ebp-34] 与常量字符串 L"kXy^rO|*yXo*m\\kMuOn*",如果相等则成功。继续往上分析:
; x32dbg listing (32-bit, Intel operand order). Columns: address | instruction | annotation.
; Loop that walks the entered key one character at a time, adds 0xA to each character code
; and appends the resulting character to the Variant at [ebp-34].
; edx (first push) and esi (called at 00401FED) are loaded before this listing starts.
; The argument roles of the runtime calls are the article author's labels.
00401F31 | lea eax,dword ptr ss:[ebp-6C] |
00401F34 | push edx | the string
00401F35 | push eax | out parameter: receives the string length
00401F36 | call dword ptr ds:[__vbaLenVar] |
00401F3C | lea ecx,dword ptr ss:[ebp-BC] |
00401F42 | push eax | arg 5: loop upper bound (Long), the value returned by __vbaLenVar
00401F43 | lea edx,dword ptr ss:[ebp-114] |
00401F49 | push ecx | arg 4: loop start value, a fixed Integer
00401F4A | lea eax,dword ptr ss:[ebp-104] |
00401F50 | push edx | arg 3: temporary loop upper bound (Long), used later by __vbaVarForNext
00401F51 | lea ecx,dword ptr ss:[ebp-24] |
00401F54 | push eax | arg 2: loop step (Long)
00401F55 | push ecx | arg 1: current loop value (Long), kept at [ebp-24]
00401F56 | call dword ptr ds:[__vbaVarForInit] |
00401F5C | mov ebx,dword ptr ds:[__vbaVarCat] | ebx = __vbaVarCat, called at 00401FE6
00401F62 | mov edi,dword ptr ds:[__vbaFreeVarList] | edi = __vbaFreeVarList, called at 00402009
00401F68 | test eax,eax | loop condition: eax comes from __vbaVarForInit on entry and from __vbaVarForNext on later passes
00401F6A | je andrénalin.3.40202B | zero: loop finished, continue at the comparison
00401F70 | lea edx,dword ptr ss:[ebp-6C] |
00401F73 | lea eax,dword ptr ss:[ebp-24] |
00401F76 | push edx | address of the Variant at [ebp-6C] (type 2, value 1, written just below); stays on the stack for rtcMidCharVar
00401F77 | push eax | loop counter Variant, argument of __vbaI4Var
00401F78 | mov dword ptr ss:[ebp-64],1 | value 1: number of characters to extract
00401F7F | mov dword ptr ss:[ebp-6C],2 | type word 2
00401F86 | call dword ptr ds:[__vbaI4Var] | loop counter Variant -> 32-bit integer in eax
00401F8C | lea ecx,dword ptr ss:[ebp-44] |
00401F8F | push eax | arg 3: start position
00401F90 | lea edx,dword ptr ss:[ebp-7C] |
00401F93 | push ecx | arg 2: the key string
00401F94 | push edx | arg 1: [ebp-7C]; at edx+0x10 lies [ebp-6C], the extraction length (value 1)
00401F95 | call dword ptr ds:[rtcMidCharVar] |
00401F9B | lea eax,dword ptr ss:[ebp-7C] |
00401F9E | lea ecx,dword ptr ss:[ebp-58] |
00401FA1 | push eax | the extracted substring
00401FA2 | push ecx |
00401FA3 | call dword ptr ds:[__vbaStrVarVal] | converts the Variant string into a plain string
00401FA9 | push eax | the plain string
00401FAA | call dword ptr ds:[rtcAnsiValueBstr] | first character -> its character code
00401FB0 | add ax,A | character code + 0xA
00401FB4 | jo andrénalin.3.40226A | taken on signed 16-bit overflow; 40226A is not shown (presumably an error path)
00401FBA | movsx edx,ax |
00401FBD | push edx | the shifted character code
00401FBE | call dword ptr ds:[rtcBstrFromAnsi] | presumably character code -> one-character string - confirm
00401FC4 | mov dword ptr ss:[ebp-84],eax | store the returned string as the data of the Variant at [ebp-8C]
00401FCA | lea eax,dword ptr ss:[ebp-34] |
00401FCD | lea ecx,dword ptr ss:[ebp-8C] |
00401FD3 | push eax | left operand: the accumulated result, initially empty
00401FD4 | lea edx,dword ptr ss:[ebp-9C] |
00401FDA | push ecx | right operand: the "code + 0xA" character as a string
00401FDB | push edx | receives the concatenation result
00401FDC | mov dword ptr ss:[ebp-8C],8 | type word 8 = string Variant
00401FE6 | call ebx | __vbaVarCat: concatenate the two Variants
00401FE8 | mov edx,eax |
00401FEA | lea ecx,dword ptr ss:[ebp-34] |
00401FED | call esi | esi is set outside this listing; presumably stores the concatenation back into [ebp-34] - confirm
00401FEF | lea ecx,dword ptr ss:[ebp-58] |
00401FF2 | call dword ptr ds:[__vbaFreeStr] | frees the temporary string at [ebp-58]
00401FF8 | lea eax,dword ptr ss:[ebp-8C] |
00401FFE | lea ecx,dword ptr ss:[ebp-7C] |
00402001 | push eax |
00402002 | lea edx,dword ptr ss:[ebp-6C] |
00402005 | push ecx |
00402006 | push edx |
00402007 | push 3 | three temporaries are passed: [ebp-6C], [ebp-7C], [ebp-8C]
00402009 | call edi | __vbaFreeVarList
0040200B | add esp,10 | caller removes the four pushed dwords
0040200E | lea eax,dword ptr ss:[ebp-114] |
00402014 | lea ecx,dword ptr ss:[ebp-104] |
0040201A | lea edx,dword ptr ss:[ebp-24] |
0040201D | push eax | arg 3: temporary loop upper bound (Long)
0040201E | push ecx | arg 2: temporary loop step (Long)
0040201F | push edx | arg 1: current loop value (Long)
00402020 | call dword ptr ds:[__vbaVarForNext] | updates the continue flag for the next iteration
00402026 | jmp andrénalin.3.401F68 | 跳转到循环判断条件处

分析代码发现,关键算法为:循环遍历 key 字符串,将每个字符都加上 0xA,拼接成一个新串,再与常量字符串比较。因此把常量字符串的每个字符减去 0xA,即可还原出正确的 key。综上,写出注册机代码:
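#include <stdio.h>
#include <string.h>

/*
 * Keygen for the crackme analysed above.
 *
 * The program adds 0xA to every character of the entered key and compares the
 * result with a constant string stored in the binary at 00401A8C. The shift is
 * fixed and reversible, so subtracting 0xA from every character of that
 * constant yields the accepted key.
 *
 * Returns 0 after printing the key.
 */
int main()
{
    /* The comparison constant; "\\" is a single backslash in the binary. */
    char key[1024] = "kXy^rO|*yXo*m\\kMuOn*";
    size_t len = strlen(key);

    /* Undo the per-character +0xA applied by the crackme's loop. */
    for (size_t i = 0; i < len; i++)
    {
        key[i] -= 0xA;
    }

    printf("key为%s\r\n", key);
    return 0;
}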
总结

Crackme → 开启注册机 → 生成 key → 输入 key → 点击 ok