solved new crackme

This commit is contained in:
Chenx221 2024-10-05 16:09:29 +08:00
parent b98b350332
commit 48ef99ba24
Signed by: chenx221
GPG Key ID: D7A9EC07024C3021
3 changed files with 272 additions and 0 deletions

bjcm20a/BJCM20A.EXE Normal file


46
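--- a/bjcm20a/README.TXT
+++ b/bjcm20a/README.TXT
@@ -0,0 +1,46 @@
+aUTHOr -- Bjanes
+pROGRAm -- VB6 Crackme
+vERSIOn -- 2.0a
+dATe -- 23/09/1999
+pLACe -- Somewhere on my comp :)
+pROTECTIOn - Serial only
+rULEs -- There is only one rule -> You must find correct serial
+Greetings to all crackers out there,
+Hope you all sucessfuly crack previous version of crackme
+witch was, with right tools, very simple to crack.
+So here is new version of the proggie!
+I think it's a bit harder to crack then previous verison!
+Serial is not hardcoded and you can't find it just looking
+with hex editor. You also can't fish it with Sice.
+Program has simple calculation routine based on XOR function
+to generate correct Serial.
+I wrote it for NEWBIES to advance their R. C. E. skills on
+cracking Visual Basic programs.
+Every version will have one crackme marked "a", and
+another one marked with "b".
+Crackmes marked with "a" has serial-only protection
+and crackmes marked with "b" has name/serial protection!
+Also every next version will be more difficult to crack.
+[Maybe there will be crackmes marked with "c"(misc. protection)]
+Sorry, but I can't give you any hints, because I'm not experienced
+with cracking VB programs, actually I hate them :)
+If you somehow lose the exe file, have only this text file and don't
+know where to download the executable, go to the Eternal Bliss' homepage
+and you'll probably find it. The link is http://crackmes.cjb.net/
+If you're so stupid that you can't crack this program don't mail me! :)
+Mail me only if you sucessfuly crack it, and tell me how.
+My Email is -- BornaJanes@hotmail.com
+Hope you'll learn something new from it,
+Good luck and Enjoy!
+Borna
+My gratitude goes to: Eternal Bliss, The Sandman, Jeff, Iczelion, _ytc.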
226
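--- a/bjcm20a/solve.md
+++ b/bjcm20a/solve.md
@@ -0,0 +1,226 @@
+寻找serial
+```
+长度9位仅数字
+比较 单位ascii==(index xor 2)(最后一位)
+```
+| index | (XOR) value | result | real result |
+| ----- | ----------- | ------ | ----------- |
+| 1 | 2 | 3 | 3 |
+| 2 | 2 | 0 | 0 |
+| 3 | 2 | 1 | 1 |
+| 4 | 2 | 6 | 6 |
+| 5 | 2 | 7 | 7 |
+| 6 | 2 | 4 | 4 |
+| 7 | 2 | 5 | 5 |
+| 8 | 2 | 10 | 0 |
+| 9 | 2 | 11 | 1 |
+Serial结果: `301674501`
+详细信息:
+```assembly
+00403620 | 55 | push ebp | CheckSerial
+...
+...
+004036D9 | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+004036DC | 50 | push eax |
+004036DD | FF15 08104000 | call dword ptr ds:[<__vbaLenBstr>] |
+004036E3 | 33C9 | xor ecx,ecx |
+004036E5 | 83F8 09 | cmp eax,9 | 检查serial长度是否为9
+004036E8 | 0F95C1 | setne cl |
+004036EB | F7D9 | neg ecx |
+004036ED | 8BF1 | mov esi,ecx | esi:__vbaStrMove
+004036EF | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+004036F2 | FF15 C0104000 | call dword ptr ds:[<__vbaFreeStr>] |
+004036F8 | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
+004036FB | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] |
+00403701 | 66:3BF3 | cmp si,bx |
+00403704 | 0F85 1A030000 | jne <bjcm20a.Fail> |
+0040370A | 8B17 | mov edx,dword ptr ds:[edi] |
+0040370C | 57 | push edi |
+0040370D | FF92 08030000 | call dword ptr ds:[edx+308] |
+00403713 | 50 | push eax |
+00403714 | 8D45 D4 | lea eax,dword ptr ss:[ebp-2C] |
+00403717 | 50 | push eax |
+00403718 | FF15 2C104000 | call dword ptr ds:[<__vbaObjSet>] |
+0040371E | 8BF0 | mov esi,eax | esi:__vbaStrMove
+00403720 | 8D55 E4 | lea edx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+00403723 | 52 | push edx |
+00403724 | 56 | push esi | esi:__vbaStrMove
+00403725 | 8B0E | mov ecx,dword ptr ds:[esi] | esi:__vbaStrMove
+00403727 | FF91 A0000000 | call dword ptr ds:[ecx+A0] |
+0040372D | 3BC3 | cmp eax,ebx | ebx:rtcStrFromVar
+0040372F | DBE2 | fnclex |
+...
+...
+00403745 | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+00403748 | 50 | push eax |
+00403749 | FF15 08104000 | call dword ptr ds:[<__vbaLenBstr>] |
+0040374F | 8BC8 | mov ecx,eax |
+00403751 | FF15 50104000 | call dword ptr ds:[<__vbaI2I4>] |
+00403757 | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+0040375A | 8985 14FFFFFF | mov dword ptr ss:[ebp-EC],eax |
+00403760 | C745 E8 01000000 | mov dword ptr ss:[ebp-18],1 | index=1
+00403767 | FF15 C0104000 | call dword ptr ds:[<__vbaFreeStr>] |
+0040376D | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
+00403770 | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] |
+00403776 | 8B35 AC104000 | mov esi,dword ptr ds:[<__vbaStrMove>] | esi:__vbaStrMove
+0040377C | 66:8B8D 14FFFFFF | mov cx,word ptr ss:[ebp-EC] | Loop
+00403783 | 66:394D E8 | cmp word ptr ss:[ebp-18],cx | 取出每一位进行检查
+00403787 | 0F8F 17030000 | jg <bjcm20a.Success> |
+0040378D | 8B17 | mov edx,dword ptr ds:[edi] |
+...
+...
+0040381D | 51 | push ecx |
+0040381E | 57 | push edi | edi:Index
+0040381F | 52 | push edx | edx:Name
+00403820 | 8945 C0 | mov dword ptr ss:[ebp-40],eax |
+00403823 | 8945 B0 | mov dword ptr ss:[ebp-50],eax |
+00403826 | FF15 44104000 | call dword ptr ds:[<Ordinal#631>] |
+0040382C | 8BD0 | mov edx,eax |
+0040382E | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
+00403831 | FFD6 | call esi | 检查当前位是否是数字
+00403833 | 50 | push eax | 通过循环检查整体
+00403834 | FF15 1C104000 | call dword ptr ds:[<Ordinal#516>] |
+0040383A | 8B4D E4 | mov ecx,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+0040383D | 33DB | xor ebx,ebx | ebx:rtcStrFromVar
+0040383F | 66:3D 3900 | cmp ax,39 | 39:'9'
+00403843 | 8D45 C0 | lea eax,dword ptr ss:[ebp-40] |
+00403846 | 50 | push eax |
+00403847 | 57 | push edi |
+00403848 | 0F9FC3 | setg bl |
+0040384B | 51 | push ecx |
+0040384C | F7DB | neg ebx | ebx:rtcStrFromVar
+0040384E | FF15 44104000 | call dword ptr ds:[<Ordinal#631>] |
+00403854 | 8BD0 | mov edx,eax |
+00403856 | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] |
+00403859 | FFD6 | call esi | esi:__vbaStrMove
+0040385B | 50 | push eax |
+0040385C | FF15 1C104000 | call dword ptr ds:[<Ordinal#516>] |
+00403862 | 33D2 | xor edx,edx |
+00403864 | 66:3D 3000 | cmp ax,30 | 30:'0'
+00403868 | 0F9CC2 | setl dl |
+0040386B | F7DA | neg edx |
+0040386D | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] |
+00403870 | 23DA | and ebx,edx | ebx:rtcStrFromVar
+00403872 | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | [ebp-24]:L" 49"
+00403875 | 50 | push eax |
+00403876 | 8D55 E0 | lea edx,dword ptr ss:[ebp-20] |
+00403879 | 51 | push ecx |
+0040387A | 8D45 E4 | lea eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+...
+...
+004038A7 | 83C4 2C | add esp,2C |
+004038AA | 66:85DB | test bx,bx |
+004038AD | 0F85 6F010000 | jne <bjcm20a.Error2> | 如果包含非数字内容则Error2
+004038B3 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] | [ebp+08]:"tZ@"
+...
+...
+004038F1 | 66:8B45 E8 | mov ax,word ptr ss:[ebp-18] |
+004038F5 | 8B1D 74104000 | mov ebx,dword ptr ds:[<Ordinal#536>] | ebx:rtcStrFromVar
+004038FB | 66:35 0200 | xor ax,2 | index xor 2
+004038FF | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] |
+00403902 | 0F80 A4020000 | jo bjcm20a.403BAC |
+00403908 | 51 | push ecx |
+00403909 | 66:8945 A8 | mov word ptr ss:[ebp-58],ax |
+0040390D | C745 A0 02000000 | mov dword ptr ss:[ebp-60],2 |
+00403914 | FFD3 | call ebx | ebx:rtcStrFromVar
+00403916 | 8BD0 | mov edx,eax |
+00403918 | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
+0040391B | FFD6 | call esi | esi:__vbaStrMove
+0040391D | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+00403920 | 8D55 C0 | lea edx,dword ptr ss:[ebp-40] |
+00403923 | 52 | push edx |
+00403924 | 57 | push edi |
+00403925 | 50 | push eax |
+00403926 | C745 C8 01000000 | mov dword ptr ss:[ebp-38],1 |
+0040392D | C745 C0 02000000 | mov dword ptr ss:[ebp-40],2 |
+00403934 | FF15 44104000 | call dword ptr ds:[<Ordinal#631>] |
+0040393A | 8BD0 | mov edx,eax |
+0040393C | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] |
+0040393F | FFD6 | call esi | esi:__vbaStrMove
+00403941 | 50 | push eax |
+00403942 | FF15 1C104000 | call dword ptr ds:[<Ordinal#516>] |
+00403948 | 8D4D B0 | lea ecx,dword ptr ss:[ebp-50] |
+0040394B | 66:8945 B8 | mov word ptr ss:[ebp-48],ax |
+0040394F | 51 | push ecx |
+00403950 | C745 B0 02000000 | mov dword ptr ss:[ebp-50],2 |
+00403957 | FFD3 | call ebx | ebx:rtcStrFromVar
+00403959 | 8BD0 | mov edx,eax |
+0040395B | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | [ebp-24]:L" 49"
+0040395E | FFD6 | call esi | esi:__vbaStrMove
+00403960 | 50 | push eax |
+00403961 | FF15 84104000 | call dword ptr ds:[<__vbaR8Str>] |
+00403967 | DC25 D8104000 | fsub qword ptr ds:[4010D8] | 减去48(实际意义类似"1"->1)
+0040396D | 8D55 90 | lea edx,dword ptr ss:[ebp-70] |
+00403970 | 6A 01 | push 1 |
+00403972 | 52 | push edx |
+00403973 | C785 30FFFFFF 058000 | mov dword ptr ss:[ebp-D0],8005 |
+0040397D | DD9D 38FFFFFF | fstp qword ptr ss:[ebp-C8] |
+00403983 | DFE0 | fnstsw ax |
+00403985 | A8 0D | test al,D |
+00403987 | 0F85 1A020000 | jne bjcm20a.403BA7 |
+0040398D | 8B45 D8 | mov eax,dword ptr ss:[ebp-28] |
+00403990 | C745 D8 00000000 | mov dword ptr ss:[ebp-28],0 |
+00403997 | 8945 98 | mov dword ptr ss:[ebp-68],eax | [ebp-68]:L" 3"
+0040399A | 8D45 80 | lea eax,dword ptr ss:[ebp-80] |
+0040399D | 50 | push eax |
+0040399E | C745 90 08000000 | mov dword ptr ss:[ebp-70],8 |
+004039A5 | FF15 B0104000 | call dword ptr ds:[<Ordinal#619>] |
+004039AB | 8D8D 30FFFFFF | lea ecx,dword ptr ss:[ebp-D0] |
+004039B1 | 8D55 80 | lea edx,dword ptr ss:[ebp-80] |
+004039B4 | 51 | push ecx | (int) serial[index]
+004039B5 | 52 | push edx | index Xor 2的结果取最后一位
+004039B6 | FF15 A0104000 | call dword ptr ds:[<__vbaVarTstNe>] | 比较
+004039BC | 8BF8 | mov edi,eax |
+004039BE | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] |
+004039C1 | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] | [ebp-24]:L" 49"
+004039C4 | 50 | push eax |
+004039C5 | 8D55 E0 | lea edx,dword ptr ss:[ebp-20] |
+004039C8 | 51 | push ecx |
+004039C9 | 8D45 E4 | lea eax,dword ptr ss:[ebp-1C] | [ebp-1C]:L"123456789"
+004039CC | 52 | push edx |
+004039CD | 50 | push eax |
+004039CE | 6A 04 | push 4 |
+004039D0 | FF15 90104000 | call dword ptr ds:[<__vbaFreeStrList>] |
+004039D6 | 83C4 14 | add esp,14 |
+004039D9 | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
+004039DC | FF15 C4104000 | call dword ptr ds:[<__vbaFreeObj>] |
+004039E2 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
+004039E5 | 8D55 90 | lea edx,dword ptr ss:[ebp-70] |
+004039E8 | 51 | push ecx |
+004039E9 | 8D45 A0 | lea eax,dword ptr ss:[ebp-60] |
+004039EC | 52 | push edx |
+004039ED | 8D4D B0 | lea ecx,dword ptr ss:[ebp-50] |
+004039F0 | 50 | push eax |
+004039F1 | 8D55 C0 | lea edx,dword ptr ss:[ebp-40] |
+004039F4 | 51 | push ecx |
+004039F5 | 52 | push edx |
+004039F6 | 6A 05 | push 5 |
+004039F8 | FF15 0C104000 | call dword ptr ds:[<__vbaFreeVarList>] |
+004039FE | 83C4 18 | add esp,18 |
+00403A01 | 66:85FF | test di,di |
+00403A04 | 75 1C | jne <bjcm20a.Error2> |
+00403A06 | 8B7D 08 | mov edi,dword ptr ss:[ebp+8] | [ebp+08]:"tZ@"
+00403A09 | B8 01000000 | mov eax,1 |
+00403A0E | 66:0345 E8 | add ax,word ptr ss:[ebp-18] |
+00403A12 | 0F80 94010000 | jo bjcm20a.403BAC |
+00403A18 | 8945 E8 | mov dword ptr ss:[ebp-18],eax |
+00403A1B | 33DB | xor ebx,ebx | ebx:rtcStrFromVar
+00403A1D | E9 5AFDFFFF | jmp bjcm20a.40377C | Next Loop
+00403A22 | 33DB | xor ebx,ebx | ebx:rtcStrFromVar
+00403A24 | 8B35 A4104000 | mov esi,dword ptr ds:[<__vbaVarDup>] | esi:__vbaStrMove
+...FAIL
+...
+00403AA2 | EB 7E | jmp bjcm20a.403B22 |
+00403AA4 | 8B35 A4104000 | mov esi,dword ptr ds:[<__vbaVarDup>] | esi:__vbaStrMove
+...SUCCESS
+...
+00403B22 | 6A 04 | push 4 |
+...
+...
+```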