solved new crackme
parent
b98b350332
commit
48ef99ba24
BIN
bjcm20a/BJCM20A.EXE
Normal file
BIN
bjcm20a/BJCM20A.EXE
Normal file
Binary file not shown.
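--- a/bjcm20a/README.TXT
+++ b/bjcm20a/README.TXT
@@ -0,0 +1,46 @@
+aUTHOr -- Bjanes
+pROGRAm -- VB6 Crackme
+vERSIOn -- 2.0a
+dATe -- 23/09/1999
+pLACe -- Somewhere on my comp :)
+pROTECTIOn - Serial only
+rULEs -- There is only one rule -> You must find correct serial
+
+Greetings to all crackers out there,
+
+Hope you all sucessfuly crack previous version of crackme
+witch was, with right tools, very simple to crack.
+So here is new version of the proggie!
+I think it's a bit harder to crack then previous verison!
+Serial is not hardcoded and you can't find it just looking
+with hex editor. You also can't fish it with Sice.
+Program has simple calculation routine based on XOR function
+to generate correct Serial.
+I wrote it for NEWBIES to advance their R. C. E. skills on
+cracking Visual Basic programs.
+
+Every version will have one crackme marked "a", and
+another one marked with "b".
+Crackmes marked with "a" has serial-only protection
+and crackmes marked with "b" has name/serial protection!
+Also every next version will be more difficult to crack.
+[Maybe there will be crackmes marked with "c"(misc. protection)]
+
+Sorry, but I can't give you any hints, because I'm not experienced
+with cracking VB programs, actually I hate them :)
+
+If you somehow lose the exe file, have only this text file and don't
+know where to download the executable, go to the Eternal Bliss' homepage
+and you'll probably find it. The link is http://crackmes.cjb.net/
+
+If you're so stupid that you can't crack this program don't mail me! :)
+Mail me only if you sucessfuly crack it, and tell me how.
+My Email is -- BornaJanes@hotmail.com
+
+Hope you'll learn something new from it,
+
+Good luck and Enjoy!
+
+Borna
+
+My gratitude goes to: Eternal Bliss, The Sandman, Jeff, Iczelion, _ytc.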
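--- a/bjcm20a/solve.md
+++ b/bjcm20a/solve.md
@@ -0,0 +1,226 @@
+寻找serial
+
+```
+长度9位,仅数字
+比较 单位ascii==(index xor 2)(最后一位)
+```
+
+| index | (XOR) value | result | real result |
+| ----- | ----------- | ------ | ----------- |
+| 1 | 2 | 3 | 3 |
+| 2 | 2 | 0 | 0 |
+| 3 | 2 | 1 | 1 |
+| 4 | 2 | 6 | 6 |
+| 5 | 2 | 7 | 7 |
+| 6 | 2 | 4 | 4 |
+| 7 | 2 | 5 | 5 |
+| 8 | 2 | 10 | 0 |
+| 9 | 2 | 11 | 1 |
+
+Serial结果: `301674501`
+
+详细信息:
+
+```assembly
+00403620 | 55 | push ebp | CheckSerial
+...
+...
+004036D9 | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+004036DC | 50 | push eax |
+004036DD | FF15 08104000 | call dword ptr ds:[<__vbaLenBstr>] |
+004036E3 | 33C9 | xor ecx,ecx |
+004036E5 | 83F8 09 | cmp eax,9 | 检查serial长度是否为9
+004036E8 | 0F95C1 | setne cl |
+004036EB | F7D9 | neg ecx |
+004036ED | 8BF1 | mov esi,ecx | esi:__vbaStrMove
+004036EF | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+004036F2 | FF15 C0104000 | call dword ptr ds:[<__vbaFreeStr>] |
+004036F8 | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
+004036FB | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] |
+00403701 | 66:3BF3 | cmp si,bx |
+00403704 | 0F85 1A030000 | jne <bjcm20a.Fail> |
+0040370A | 8B17 | mov edx,dword ptr ds:[edi] |
+0040370C | 57 | push edi |
+0040370D | FF92 08030000 | call dword ptr ds:[edx+308] |
+00403713 | 50 | push eax |
+00403714 | 8D45 D4 | lea eax,dword ptr ss:[ebp-2C] |
+00403717 | 50 | push eax |
+00403718 | FF15 2C104000 | call dword ptr ds:[<__vbaObjSet>] |
+0040371E | 8BF0 | mov esi,eax | esi:__vbaStrMove
+00403720 | 8D55 E4 | lea edx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+00403723 | 52 | push edx |
+00403724 | 56 | push esi | esi:__vbaStrMove
+00403725 | 8B0E | mov ecx,dword ptr ds:[esi] | esi:__vbaStrMove
+00403727 | FF91 A0000000 | call dword ptr ds:[ecx+A0] |
+0040372D | 3BC3 | cmp eax,ebx | ebx:rtcStrFromVar
+0040372F | DBE2 | fnclex |
+...
+...
+00403745 | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+00403748 | 50 | push eax |
+00403749 | FF15 08104000 | call dword ptr ds:[<__vbaLenBstr>] |
+0040374F | 8BC8 | mov ecx,eax |
+00403751 | FF15 50104000 | call dword ptr ds:[<__vbaI2I4>] |
+00403757 | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+0040375A | 8985 14FFFFFF | mov dword ptr ss:[ebp-EC],eax |
+00403760 | C745 E8 01000000 | mov dword ptr ss:[ebp-18],1 | index=1
+00403767 | FF15 C0104000 | call dword ptr ds:[<__vbaFreeStr>] |
+0040376D | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
+00403770 | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] |
+00403776 | 8B35 AC104000 | mov esi,dword ptr ds:[<__vbaStrMove>] | esi:__vbaStrMove
+0040377C | 66:8B8D 14FFFFFF | mov cx,word ptr ss:[ebp-EC] | Loop
+00403783 | 66:394D E8 | cmp word ptr ss:[ebp-18],cx | 取出每一位进行检查
+00403787 | 0F8F 17030000 | jg <bjcm20a.Success> |
+0040378D | 8B17 | mov edx,dword ptr ds:[edi] |
+...
+...
+0040381D | 51 | push ecx |
+0040381E | 57 | push edi | edi:Index
+0040381F | 52 | push edx | edx:Name
+00403820 | 8945 C0 | mov dword ptr ss:[ebp-40],eax |
+00403823 | 8945 B0 | mov dword ptr ss:[ebp-50],eax |
+00403826 | FF15 44104000 | call dword ptr ds:[<Ordinal#631>] |
+0040382C | 8BD0 | mov edx,eax |
+0040382E | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
+00403831 | FFD6 | call esi | 检查当前位是否是数字
+00403833 | 50 | push eax | 通过循环检查整体
+00403834 | FF15 1C104000 | call dword ptr ds:[<Ordinal#516>] |
+0040383A | 8B4D E4 | mov ecx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+0040383D | 33DB | xor ebx,ebx | ebx:rtcStrFromVar
+0040383F | 66:3D 3900 | cmp ax,39 | 39:'9'
+00403843 | 8D45 C0 | lea eax,dword ptr ss:[ebp-40] |
+00403846 | 50 | push eax |
+00403847 | 57 | push edi |
+00403848 | 0F9FC3 | setg bl |
+0040384B | 51 | push ecx |
+0040384C | F7DB | neg ebx | ebx:rtcStrFromVar
+0040384E | FF15 44104000 | call dword ptr ds:[<Ordinal#631>] |
+00403854 | 8BD0 | mov edx,eax |
+00403856 | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] |
+00403859 | FFD6 | call esi | esi:__vbaStrMove
+0040385B | 50 | push eax |
+0040385C | FF15 1C104000 | call dword ptr ds:[<Ordinal#516>] |
+00403862 | 33D2 | xor edx,edx |
+00403864 | 66:3D 3000 | cmp ax,30 | 30:'0'
+00403868 | 0F9CC2 | setl dl |
+0040386B | F7DA | neg edx |
+0040386D | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] |
+00403870 | 23DA | and ebx,edx | ebx:rtcStrFromVar
+00403872 | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | [ebp-24]:L" 49"
+00403875 | 50 | push eax |
+00403876 | 8D55 E0 | lea edx,dword ptr ss:[ebp-20] |
+00403879 | 51 | push ecx |
+0040387A | 8D45 E4 | lea eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+...
+...
+004038A7 | 83C4 2C | add esp,2C |
+004038AA | 66:85DB | test bx,bx |
+004038AD | 0F85 6F010000 | jne <bjcm20a.Error2> | 如果包含非数字内容则Error2
+004038B3 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] | [ebp+08]:"tZ@"
+...
+...
+004038F1 | 66:8B45 E8 | mov ax,word ptr ss:[ebp-18] |
+004038F5 | 8B1D 74104000 | mov ebx,dword ptr ds:[<Ordinal#536>] | ebx:rtcStrFromVar
+004038FB | 66:35 0200 | xor ax,2 | index xor 2
+004038FF | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] |
+00403902 | 0F80 A4020000 | jo bjcm20a.403BAC |
+00403908 | 51 | push ecx |
+00403909 | 66:8945 A8 | mov word ptr ss:[ebp-58],ax |
+0040390D | C745 A0 02000000 | mov dword ptr ss:[ebp-60],2 |
+00403914 | FFD3 | call ebx | ebx:rtcStrFromVar
+00403916 | 8BD0 | mov edx,eax |
+00403918 | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
+0040391B | FFD6 | call esi | esi:__vbaStrMove
+0040391D | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+00403920 | 8D55 C0 | lea edx,dword ptr ss:[ebp-40] |
+00403923 | 52 | push edx |
+00403924 | 57 | push edi |
+00403925 | 50 | push eax |
+00403926 | C745 C8 01000000 | mov dword ptr ss:[ebp-38],1 |
+0040392D | C745 C0 02000000 | mov dword ptr ss:[ebp-40],2 |
+00403934 | FF15 44104000 | call dword ptr ds:[<Ordinal#631>] |
+0040393A | 8BD0 | mov edx,eax |
+0040393C | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] |
+0040393F | FFD6 | call esi | esi:__vbaStrMove
+00403941 | 50 | push eax |
+00403942 | FF15 1C104000 | call dword ptr ds:[<Ordinal#516>] |
+00403948 | 8D4D B0 | lea ecx,dword ptr ss:[ebp-50] |
+0040394B | 66:8945 B8 | mov word ptr ss:[ebp-48],ax |
+0040394F | 51 | push ecx |
+00403950 | C745 B0 02000000 | mov dword ptr ss:[ebp-50],2 |
+00403957 | FFD3 | call ebx | ebx:rtcStrFromVar
+00403959 | 8BD0 | mov edx,eax |
+0040395B | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | [ebp-24]:L" 49"
+0040395E | FFD6 | call esi | esi:__vbaStrMove
+00403960 | 50 | push eax |
+00403961 | FF15 84104000 | call dword ptr ds:[<__vbaR8Str>] |
+00403967 | DC25 D8104000 | fsub qword ptr ds:[4010D8] | 减去48(实际意义类似"1"->1)
+0040396D | 8D55 90 | lea edx,dword ptr ss:[ebp-70] |
+00403970 | 6A 01 | push 1 |
+00403972 | 52 | push edx |
+00403973 | C785 30FFFFFF 058000 | mov dword ptr ss:[ebp-D0],8005 |
+0040397D | DD9D 38FFFFFF | fstp qword ptr ss:[ebp-C8] |
+00403983 | DFE0 | fnstsw ax |
+00403985 | A8 0D | test al,D |
+00403987 | 0F85 1A020000 | jne bjcm20a.403BA7 |
+0040398D | 8B45 D8 | mov eax,dword ptr ss:[ebp-28] |
+00403990 | C745 D8 00000000 | mov dword ptr ss:[ebp-28],0 |
+00403997 | 8945 98 | mov dword ptr ss:[ebp-68],eax | [ebp-68]:L" 3"
+0040399A | 8D45 80 | lea eax,dword ptr ss:[ebp-80] |
+0040399D | 50 | push eax |
+0040399E | C745 90 08000000 | mov dword ptr ss:[ebp-70],8 |
+004039A5 | FF15 B0104000 | call dword ptr ds:[<Ordinal#619>] |
+004039AB | 8D8D 30FFFFFF | lea ecx,dword ptr ss:[ebp-D0] |
+004039B1 | 8D55 80 | lea edx,dword ptr ss:[ebp-80] |
+004039B4 | 51 | push ecx | (int) serial[index]
+004039B5 | 52 | push edx | index Xor 2的结果取最后一位
+004039B6 | FF15 A0104000 | call dword ptr ds:[<__vbaVarTstNe>] | 比较
+004039BC | 8BF8 | mov edi,eax |
+004039BE | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] |
+004039C1 | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | [ebp-24]:L" 49"
+004039C4 | 50 | push eax |
+004039C5 | 8D55 E0 | lea edx,dword ptr ss:[ebp-20] |
+004039C8 | 51 | push ecx |
+004039C9 | 8D45 E4 | lea eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+004039CC | 52 | push edx |
+004039CD | 50 | push eax |
+004039CE | 6A 04 | push 4 |
+004039D0 | FF15 90104000 | call dword ptr ds:[<__vbaFreeStrList>] |
+004039D6 | 83C4 14 | add esp,14 |
+004039D9 | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
+004039DC | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] |
+004039E2 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
+004039E5 | 8D55 90 | lea edx,dword ptr ss:[ebp-70] |
+004039E8 | 51 | push ecx |
+004039E9 | 8D45 A0 | lea eax,dword ptr ss:[ebp-60] |
+004039EC | 52 | push edx |
+004039ED | 8D4D B0 | lea ecx,dword ptr ss:[ebp-50] |
+004039F0 | 50 | push eax |
+004039F1 | 8D55 C0 | lea edx,dword ptr ss:[ebp-40] |
+004039F4 | 51 | push ecx |
+004039F5 | 52 | push edx |
+004039F6 | 6A 05 | push 5 |
+004039F8 | FF15 0C104000 | call dword ptr ds:[<__vbaFreeVarList>] |
+004039FE | 83C4 18 | add esp,18 |
+00403A01 | 66:85FF | test di,di |
+00403A04 | 75 1C | jne <bjcm20a.Error2> |
+00403A06 | 8B7D 08 | mov edi,dword ptr ss:[ebp+8] | [ebp+08]:"tZ@"
+00403A09 | B8 01000000 | mov eax,1 |
+00403A0E | 66:0345 E8 | add ax,word ptr ss:[ebp-18] |
+00403A12 | 0F80 94010000 | jo bjcm20a.403BAC |
+00403A18 | 8945 E8 | mov dword ptr ss:[ebp-18],eax |
+00403A1B | 33DB | xor ebx,ebx | ebx:rtcStrFromVar
+00403A1D | E9 5AFDFFFF | jmp bjcm20a.40377C | Next Loop
+00403A22 | 33DB | xor ebx,ebx | ebx:rtcStrFromVar
+00403A24 | 8B35 A4104000 | mov esi,dword ptr ds:[<__vbaVarDup>] | esi:__vbaStrMove
+...FAIL
+...
+00403AA2 | EB 7E | jmp bjcm20a.403B22 |
+00403AA4 | 8B35 A4104000 | mov esi,dword ptr ds:[<__vbaVarDup>] | esi:__vbaStrMove
+...SUCCESS
+...
+00403B22 | 6A 04 | push 4 |
+...
+...
+```
+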