chenx221/Reverse
1
0
Fork 0
Code Pull Requests Activity
82372320dc
Reverse/blackice_crackme_1/solve.md
Chenx221 b0660021d3
solved new crackme
2024-10-08 16:13:27 +08:00

521 lines
42 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

启用Check按钮
```
1324h:00->01
```
计算Serial
```c#
private static string? GenerateKey(string name)
{
return string.Concat(name.Select(c => (c * name.Length).ToString("X")));
}
```
将Name的每一位字符*Name长度的十六进制值组合起来大写就是Serial了另外Name至少4位
详情:
```assembly
00401E10 | 55 | push ebp | CheckBtn
00401E11 | 8BEC | mov ebp,esp |
00401E13 | 83EC 0C | sub esp,C |
00401E16 | 68 E6104000 | push <JMP.&__vbaExceptHandler> |
00401E1B | 64:A1 00000000 | mov eax,dword ptr fs:[0] |
00401E21 | 50 | push eax |
00401E22 | 64:8925 00000000 | mov dword ptr fs:[0],esp |
00401E29 | 81EC 34010000 | sub esp,134 |
00401E2F | 53 | push ebx |
00401E30 | 56 | push esi |
00401E31 | 57 | push edi |
00401E32 | 8965 F4 | mov dword ptr ss:[ebp-C],esp |
00401E35 | C745 F8 D0104000 | mov dword ptr ss:[ebp-8],blackice crackme # |
00401E3C | 8B7D 08 | mov edi,dword ptr ss:[ebp+8] |
00401E3F | 8BC7 | mov eax,edi |
00401E41 | 83E0 01 | and eax,1 |
00401E44 | 8945 FC | mov dword ptr ss:[ebp-4],eax |
00401E47 | 83E7 FE | and edi,FFFFFFFE |
00401E4A | 57 | push edi |
00401E4B | 897D 08 | mov dword ptr ss:[ebp+8],edi |
00401E4E | 8B0F | mov ecx,dword ptr ds:[edi] |
00401E50 | FF51 04 | call dword ptr ds:[ecx+4] |
00401E53 | 8B17 | mov edx,dword ptr ds:[edi] |
00401E55 | 33F6 | xor esi,esi |
00401E57 | 57 | push edi |
00401E58 | 8975 DC | mov dword ptr ss:[ebp-24],esi |
00401E5B | 8975 CC | mov dword ptr ss:[ebp-34],esi | [ebp-34]:"Pj"
00401E5E | 8975 BC | mov dword ptr ss:[ebp-44],esi | [ebp-44]:int __stdcall DialogBox2(struct HWND__*, struct HWND__*, int, int)+1BA
00401E61 | 8975 AC | mov dword ptr ss:[ebp-54],esi |
00401E64 | 8975 9C | mov dword ptr ss:[ebp-64],esi | [ebp-64]:@HMValidateHandleNoSecure@8+47
00401E67 | 8975 8C | mov dword ptr ss:[ebp-74],esi |
00401E6A | 8975 88 | mov dword ptr ss:[ebp-78],esi |
00401E6D | 8975 84 | mov dword ptr ss:[ebp-7C],esi |
00401E70 | 8975 80 | mov dword ptr ss:[ebp-80],esi |
00401E73 | 89B5 7CFFFFFF | mov dword ptr ss:[ebp-84],esi |
00401E79 | 89B5 6CFFFFFF | mov dword ptr ss:[ebp-94],esi | [ebp-94]:_PeekMessageW@20+1B1
00401E7F | 89B5 5CFFFFFF | mov dword ptr ss:[ebp-A4],esi |
00401E85 | 89B5 4CFFFFFF | mov dword ptr ss:[ebp-B4],esi | [ebp-B4]:CtfImeProcessKey+1960
00401E8B | 89B5 3CFFFFFF | mov dword ptr ss:[ebp-C4],esi |
00401E91 | 89B5 2CFFFFFF | mov dword ptr ss:[ebp-D4],esi |
00401E97 | 89B5 1CFFFFFF | mov dword ptr ss:[ebp-E4],esi | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00401E9D | 89B5 DCFEFFFF | mov dword ptr ss:[ebp-124],esi |
00401EA3 | 89B5 CCFEFFFF | mov dword ptr ss:[ebp-134],esi |
00401EA9 | FF92 FC020000 | call dword ptr ds:[edx+2FC] |
00401EAF | 50 | push eax |
00401EB0 | 8D45 80 | lea eax,dword ptr ss:[ebp-80] |
00401EB3 | 50 | push eax |
00401EB4 | FF15 38104000 | call dword ptr ds:[<__vbaObjSet>] |
00401EBA | 8BD8 | mov ebx,eax |
00401EBC | 8D55 88 | lea edx,dword ptr ss:[ebp-78] |
00401EBF | 52 | push edx |
00401EC0 | 53 | push ebx |
00401EC1 | 8B0B | mov ecx,dword ptr ds:[ebx] |
00401EC3 | FF91 A0000000 | call dword ptr ds:[ecx+A0] |
00401EC9 | 3BC6 | cmp eax,esi |
00401ECB | DBE2 | fnclex |
00401ECD | 7D 12 | jge blackice crackme #1_patched.401EE1 |
00401ECF | 68 A0000000 | push A0 |
00401ED4 | 68 681B4000 | push blackice crackme #1_patched.401B68 |
00401ED9 | 53 | push ebx |
00401EDA | 50 | push eax |
00401EDB | FF15 2C104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00401EE1 | 8B45 88 | mov eax,dword ptr ss:[ebp-78] | [ebp-78]: Name
00401EE4 | 50 | push eax |
00401EE5 | FF15 14104000 | call dword ptr ds:[<__vbaLenBstr>] |
00401EEB | 33DB | xor ebx,ebx |
00401EED | 83F8 04 | cmp eax,4 | Name长度需大于等于4
00401EF0 | 0F9CC3 | setl bl |
00401EF3 | 8D4D 88 | lea ecx,dword ptr ss:[ebp-78] |
00401EF6 | F7DB | neg ebx |
00401EF8 | FF15 C4104000 | call dword ptr ds:[<__vbaFreeStr>] |
00401EFE | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
00401F01 | FF15 C8104000 | call dword ptr ds:[<__vbaFreeObj>] |
00401F07 | 66:3BDE | cmp bx,si |
00401F0A | 0F84 98000000 | je <blackice crackme #1_patched.Next#1> |
00401F10 | B9 04000280 | mov ecx,80020004 | Fail
00401F15 | B8 0A000000 | mov eax,A | 0A:'\n'
00401F1A | 898D 44FFFFFF | mov dword ptr ss:[ebp-BC],ecx |
00401F20 | 898D 54FFFFFF | mov dword ptr ss:[ebp-AC],ecx |
00401F26 | 898D 64FFFFFF | mov dword ptr ss:[ebp-9C],ecx |
00401F2C | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] |
00401F32 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00401F38 | 8985 3CFFFFFF | mov dword ptr ss:[ebp-C4],eax |
00401F3E | 8985 4CFFFFFF | mov dword ptr ss:[ebp-B4],eax | [ebp-B4]:CtfImeProcessKey+1960
00401F44 | 8985 5CFFFFFF | mov dword ptr ss:[ebp-A4],eax |
00401F4A | C785 34FFFFFF 7C1B40 | mov dword ptr ss:[ebp-CC],blackice crackme | 401B7C:L"more than 4 lettters please"
00401F54 | C785 2CFFFFFF 080000 | mov dword ptr ss:[ebp-D4],8 |
00401F5E | FF15 A8104000 | call dword ptr ds:[<__vbaVarDup>] |
00401F64 | 8D8D 3CFFFFFF | lea ecx,dword ptr ss:[ebp-C4] |
00401F6A | 8D95 4CFFFFFF | lea edx,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
00401F70 | 51 | push ecx |
00401F71 | 8D85 5CFFFFFF | lea eax,dword ptr ss:[ebp-A4] |
00401F77 | 52 | push edx |
00401F78 | 50 | push eax |
00401F79 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00401F7F | 56 | push esi |
00401F80 | 51 | push ecx |
00401F81 | FF15 3C104000 | call dword ptr ds:[<Ordinal#595>] |
00401F87 | 8D95 3CFFFFFF | lea edx,dword ptr ss:[ebp-C4] |
00401F8D | 8D85 4CFFFFFF | lea eax,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
00401F93 | 52 | push edx |
00401F94 | 8D8D 5CFFFFFF | lea ecx,dword ptr ss:[ebp-A4] |
00401F9A | 50 | push eax |
00401F9B | 8D95 6CFFFFFF | lea edx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00401FA1 | 51 | push ecx |
00401FA2 | 52 | push edx |
00401FA3 | E9 C1040000 | jmp blackice crackme #1_patched.402469 |
00401FA8 | 8B07 | mov eax,dword ptr ds:[edi] |
00401FAA | 57 | push edi |
00401FAB | FF90 FC020000 | call dword ptr ds:[eax+2FC] |
00401FB1 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
00401FB4 | 50 | push eax |
00401FB5 | 51 | push ecx |
00401FB6 | FF15 38104000 | call dword ptr ds:[<__vbaObjSet>] |
00401FBC | 8BD8 | mov ebx,eax |
00401FBE | 8D45 88 | lea eax,dword ptr ss:[ebp-78] |
00401FC1 | 50 | push eax |
00401FC2 | 53 | push ebx |
00401FC3 | 8B13 | mov edx,dword ptr ds:[ebx] |
00401FC5 | FF92 A0000000 | call dword ptr ds:[edx+A0] |
00401FCB | 3BC6 | cmp eax,esi |
00401FCD | DBE2 | fnclex |
00401FCF | 7D 12 | jge blackice crackme #1_patched.401FE3 |
00401FD1 | 68 A0000000 | push A0 |
00401FD6 | 68 681B4000 | push blackice crackme #1_patched.401B68 |
00401FDB | 53 | push ebx |
00401FDC | 50 | push eax |
00401FDD | FF15 2C104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
00401FE3 | 8B4D 88 | mov ecx,dword ptr ss:[ebp-78] | [ebp-78]: Name
00401FE6 | 51 | push ecx |
00401FE7 | FF15 14104000 | call dword ptr ds:[<__vbaLenBstr>] |
00401FED | 8B1D 0C104000 | mov ebx,dword ptr ds:[<__vbaVarMove>] |
00401FF3 | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] |
00401FF9 | 8D4D CC | lea ecx,dword ptr ss:[ebp-34] | -34:length
00401FFC | 8985 34FFFFFF | mov dword ptr ss:[ebp-CC],eax |
00402002 | C785 2CFFFFFF 030000 | mov dword ptr ss:[ebp-D4],3 |
0040200C | FFD3 | call ebx | ebx:__vbaVarMove
0040200E | 8D4D 88 | lea ecx,dword ptr ss:[ebp-78] |
00402011 | FF15 C4104000 | call dword ptr ds:[<__vbaFreeStr>] |
00402017 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
0040201A | FF15 C8104000 | call dword ptr ds:[<__vbaFreeObj>] |
00402020 | B8 02000000 | mov eax,2 |
00402025 | B9 01000000 | mov ecx,1 |
0040202A | 8985 2CFFFFFF | mov dword ptr ss:[ebp-D4],eax |
00402030 | 8985 1CFFFFFF | mov dword ptr ss:[ebp-E4],eax | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00402036 | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] |
0040203C | 898D 34FFFFFF | mov dword ptr ss:[ebp-CC],ecx |
00402042 | 898D 24FFFFFF | mov dword ptr ss:[ebp-DC],ecx |
00402048 | 8D45 CC | lea eax,dword ptr ss:[ebp-34] | length
0040204B | 52 | push edx |
0040204C | 8D8D 1CFFFFFF | lea ecx,dword ptr ss:[ebp-E4] | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00402052 | 50 | push eax |
00402053 | 8D95 CCFEFFFF | lea edx,dword ptr ss:[ebp-134] |
00402059 | 51 | push ecx |
0040205A | 8D85 DCFEFFFF | lea eax,dword ptr ss:[ebp-124] |
00402060 | 52 | push edx |
00402061 | 8D4D AC | lea ecx,dword ptr ss:[ebp-54] |
00402064 | 50 | push eax |
00402065 | 51 | push ecx |
00402066 | FF15 34104000 | call dword ptr ds:[<__vbaVarForInit>] |
0040206C | 3BC6 | cmp eax,esi | Loop eax init 1
0040206E | 0F84 3E020000 | je <blackice crackme #1_patched.Next#2> |
00402074 | 8B17 | mov edx,dword ptr ds:[edi] |
00402076 | 57 | push edi |
00402077 | FF92 FC020000 | call dword ptr ds:[edx+2FC] |
0040207D | 50 | push eax |
0040207E | 8D45 80 | lea eax,dword ptr ss:[ebp-80] |
00402081 | 50 | push eax |
00402082 | FF15 38104000 | call dword ptr ds:[<__vbaObjSet>] |
00402088 | 8BF0 | mov esi,eax |
0040208A | 8D55 88 | lea edx,dword ptr ss:[ebp-78] | [ebp-78]:Name
0040208D | 52 | push edx |
0040208E | 56 | push esi |
0040208F | 8B0E | mov ecx,dword ptr ds:[esi] |
00402091 | FF91 A0000000 | call dword ptr ds:[ecx+A0] |
00402097 | 85C0 | test eax,eax |
00402099 | DBE2 | fnclex |
0040209B | 7D 12 | jge blackice crackme #1_patched.4020AF |
0040209D | 68 A0000000 | push A0 |
004020A2 | 68 681B4000 | push blackice crackme #1_patched.401B68 |
004020A7 | 56 | push esi |
004020A8 | 50 | push eax |
004020A9 | FF15 2C104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
004020AF | 8B07 | mov eax,dword ptr ds:[edi] |
004020B1 | 57 | push edi |
004020B2 | FF90 FC020000 | call dword ptr ds:[eax+2FC] |
004020B8 | 8D8D 7CFFFFFF | lea ecx,dword ptr ss:[ebp-84] |
004020BE | 50 | push eax |
004020BF | 51 | push ecx |
004020C0 | FF15 38104000 | call dword ptr ds:[<__vbaObjSet>] |
004020C6 | 8BF0 | mov esi,eax |
004020C8 | 8D45 84 | lea eax,dword ptr ss:[ebp-7C] | [ebp-7C]:Name
004020CB | 50 | push eax |
004020CC | 56 | push esi |
004020CD | 8B16 | mov edx,dword ptr ds:[esi] |
004020CF | FF92 A0000000 | call dword ptr ds:[edx+A0] |
004020D5 | 85C0 | test eax,eax |
004020D7 | DBE2 | fnclex |
004020D9 | 7D 12 | jge blackice crackme #1_patched.4020ED |
004020DB | 68 A0000000 | push A0 |
004020E0 | 68 681B4000 | push blackice crackme #1_patched.401B68 |
004020E5 | 56 | push esi |
004020E6 | 50 | push eax |
004020E7 | FF15 2C104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
004020ED | 8B4D 84 | mov ecx,dword ptr ss:[ebp-7C] |
004020F0 | 51 | push ecx |
004020F1 | FF15 14104000 | call dword ptr ds:[<__vbaLenBstr>] |
004020F7 | 8985 34FFFFFF | mov dword ptr ss:[ebp-CC],eax | -CC:length
004020FD | 8B45 88 | mov eax,dword ptr ss:[ebp-78] |
00402100 | 8985 54FFFFFF | mov dword ptr ss:[ebp-AC],eax |
00402106 | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] | -D4:length var
0040210C | 8D45 AC | lea eax,dword ptr ss:[ebp-54] |
0040210F | 52 | push edx |
00402110 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402116 | 50 | push eax |
00402117 | 51 | push ecx |
00402118 | C785 2CFFFFFF 030000 | mov dword ptr ss:[ebp-D4],3 |
00402122 | C785 24FFFFFF 010000 | mov dword ptr ss:[ebp-DC],1 |
0040212C | C785 1CFFFFFF 020000 | mov dword ptr ss:[ebp-E4],2 | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00402136 | C745 88 00000000 | mov dword ptr ss:[ebp-78],0 |
0040213D | C785 4CFFFFFF 080000 | mov dword ptr ss:[ebp-B4],8 | [ebp-B4]:CtfImeProcessKey+1960
00402147 | FF15 00104000 | call dword ptr ds:[<__vbaVarSub>] | length-index
0040214D | 50 | push eax |
0040214E | 8D95 1CFFFFFF | lea edx,dword ptr ss:[ebp-E4] | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00402154 | 8D85 5CFFFFFF | lea eax,dword ptr ss:[ebp-A4] |
0040215A | 52 | push edx |
0040215B | 50 | push eax |
0040215C | FF15 A4104000 | call dword ptr ds:[<__vbaVarAdd>] | length+1
00402162 | 50 | push eax |
00402163 | FF15 A0104000 | call dword ptr ds:[<__vbaI4Var>] |
00402169 | 8D8D 4CFFFFFF | lea ecx,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
0040216F | 50 | push eax | length
00402170 | 8D95 3CFFFFFF | lea edx,dword ptr ss:[ebp-C4] |
00402176 | 51 | push ecx | Name
00402177 | 52 | push edx |
00402178 | FF15 B0104000 | call dword ptr ds:[<Ordinal#619>] | right(Name,length)
0040217E | 8D95 3CFFFFFF | lea edx,dword ptr ss:[ebp-C4] |
00402184 | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] |
00402187 | FFD3 | call ebx |
00402189 | 8D4D 84 | lea ecx,dword ptr ss:[ebp-7C] |
0040218C | FF15 C4104000 | call dword ptr ds:[<__vbaFreeStr>] |
00402192 | 8D85 7CFFFFFF | lea eax,dword ptr ss:[ebp-84] |
00402198 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
0040219B | 50 | push eax |
0040219C | 51 | push ecx |
0040219D | 6A 02 | push 2 |
0040219F | FF15 20104000 | call dword ptr ds:[<__vbaFreeObjList>] |
004021A5 | 8D95 5CFFFFFF | lea edx,dword ptr ss:[ebp-A4] |
004021AB | 8D85 4CFFFFFF | lea eax,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
004021B1 | 52 | push edx |
004021B2 | 50 | push eax |
004021B3 | 6A 02 | push 2 |
004021B5 | FF15 18104000 | call dword ptr ds:[<__vbaFreeVarList>] |
004021BB | 8B0F | mov ecx,dword ptr ds:[edi] |
004021BD | 83C4 18 | add esp,18 |
004021C0 | 57 | push edi |
004021C1 | FF91 FC020000 | call dword ptr ds:[ecx+2FC] |
004021C7 | 8D55 80 | lea edx,dword ptr ss:[ebp-80] |
004021CA | 50 | push eax |
004021CB | 52 | push edx |
004021CC | FF15 38104000 | call dword ptr ds:[<__vbaObjSet>] |
004021D2 | 8BF0 | mov esi,eax |
004021D4 | 8D4D 84 | lea ecx,dword ptr ss:[ebp-7C] | [ebp-7C]:Name
004021D7 | 51 | push ecx |
004021D8 | 56 | push esi |
004021D9 | 8B06 | mov eax,dword ptr ds:[esi] |
004021DB | FF90 A0000000 | call dword ptr ds:[eax+A0] |
004021E1 | 85C0 | test eax,eax |
004021E3 | DBE2 | fnclex |
004021E5 | 7D 12 | jge blackice crackme #1_patched.4021F9 |
004021E7 | 68 A0000000 | push A0 |
004021EC | 68 681B4000 | push blackice crackme #1_patched.401B68 |
004021F1 | 56 | push esi |
004021F2 | 50 | push eax |
004021F3 | FF15 2C104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
004021F9 | 8D55 DC | lea edx,dword ptr ss:[ebp-24] | 前面right结果
004021FC | 8D45 88 | lea eax,dword ptr ss:[ebp-78] |
004021FF | 52 | push edx |
00402200 | 50 | push eax |
00402201 | FF15 78104000 | call dword ptr ds:[<__vbaStrVarVal>] |
00402207 | 50 | push eax |
00402208 | FF15 24104000 | call dword ptr ds:[<Ordinal#516>] | name[0] ASCII
0040220E | 8B4D 84 | mov ecx,dword ptr ss:[ebp-7C] |
00402211 | 51 | push ecx |
00402212 | 0FBFF0 | movsx esi,ax |
00402215 | FF15 14104000 | call dword ptr ds:[<__vbaLenBstr>] |
0040221B | 0FAFF0 | imul esi,eax | length*asc
0040221E | 0F80 02030000 | jo <blackice crackme #1_patched.ErrOverflow |
00402224 | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] |
0040222A | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] | result
0040222D | 89B5 34FFFFFF | mov dword ptr ss:[ebp-CC],esi |
00402233 | C785 2CFFFFFF 030000 | mov dword ptr ss:[ebp-D4],3 |
0040223D | FFD3 | call ebx |
0040223F | 8D55 84 | lea edx,dword ptr ss:[ebp-7C] |
00402242 | 8D45 88 | lea eax,dword ptr ss:[ebp-78] |
00402245 | 52 | push edx |
00402246 | 50 | push eax |
00402247 | 6A 02 | push 2 |
00402249 | FF15 90104000 | call dword ptr ds:[<__vbaFreeStrList>] |
0040224F | 83C4 0C | add esp,C |
00402252 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
00402255 | FF15 C8104000 | call dword ptr ds:[<__vbaFreeObj>] |
0040225B | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] | result
0040225E | 8D95 6CFFFFFF | lea edx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402264 | 51 | push ecx |
00402265 | 52 | push edx |
00402266 | FF15 8C104000 | call dword ptr ds:[<Ordinal#573>] | HEX(result)
0040226C | 8D95 6CFFFFFF | lea edx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402272 | 8D4D BC | lea ecx,dword ptr ss:[ebp-44] | [ebp-44]:int __stdcall DialogBox2(struct HWND__*, struct HWND__*, int, int)+1BA
00402275 | FFD3 | call ebx | 读取上次的值
00402277 | 8D45 8C | lea eax,dword ptr ss:[ebp-74] | old
0040227A | 8D4D BC | lea ecx,dword ptr ss:[ebp-44] | newh
0040227D | 50 | push eax |
0040227E | 8D95 6CFFFFFF | lea edx,dword ptr ss:[ebp-94] | storage
00402284 | 51 | push ecx |
00402285 | 52 | push edx |
00402286 | FF15 A4104000 | call dword ptr ds:[<__vbaVarAdd>] | old+newh
0040228C | 8BD0 | mov edx,eax |
0040228E | 8D4D 8C | lea ecx,dword ptr ss:[ebp-74] |
00402291 | FFD3 | call ebx | ebp-74+=h
00402293 | 8D85 CCFEFFFF | lea eax,dword ptr ss:[ebp-134] |
00402299 | 8D8D DCFEFFFF | lea ecx,dword ptr ss:[ebp-124] |
0040229F | 50 | push eax |
004022A0 | 8D55 AC | lea edx,dword ptr ss:[ebp-54] |
004022A3 | 51 | push ecx |
004022A4 | 52 | push edx |
004022A5 | FF15 BC104000 | call dword ptr ds:[<__vbaVarForNext>] |
004022AB | 33F6 | xor esi,esi |
004022AD | E9 BAFDFFFF | jmp blackice crackme #1_patched.40206C | NextLoop
004022B2 | 8B07 | mov eax,dword ptr ds:[edi] |
004022B4 | 57 | push edi |
004022B5 | FF90 00030000 | call dword ptr ds:[eax+300] |
004022BB | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
004022BE | 50 | push eax |
004022BF | 51 | push ecx |
004022C0 | FF15 38104000 | call dword ptr ds:[<__vbaObjSet>] |
004022C6 | 8BF8 | mov edi,eax |
004022C8 | 8D45 88 | lea eax,dword ptr ss:[ebp-78] | [ebp-78]: UserInput Serial
004022CB | 50 | push eax |
004022CC | 57 | push edi |
004022CD | 8B17 | mov edx,dword ptr ds:[edi] |
004022CF | FF92 A0000000 | call dword ptr ds:[edx+A0] |
004022D5 | 3BC6 | cmp eax,esi |
004022D7 | DBE2 | fnclex |
004022D9 | 7D 12 | jge blackice crackme #1_patched.4022ED |
004022DB | 68 A0000000 | push A0 |
004022E0 | 68 681B4000 | push blackice crackme #1_patched.401B68 |
004022E5 | 57 | push edi |
004022E6 | 50 | push eax |
004022E7 | FF15 2C104000 | call dword ptr ds:[<__vbaHresultCheckObj>] |
004022ED | 8B45 88 | mov eax,dword ptr ss:[ebp-78] |
004022F0 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
004022F6 | 8D55 8C | lea edx,dword ptr ss:[ebp-74] |
004022F9 | 51 | push ecx | UserInput Serial
004022FA | 52 | push edx | True Serial
004022FB | 8975 88 | mov dword ptr ss:[ebp-78],esi |
004022FE | 8985 74FFFFFF | mov dword ptr ss:[ebp-8C],eax |
00402304 | C785 6CFFFFFF 088000 | mov dword ptr ss:[ebp-94],8008 | [ebp-94]:_PeekMessageW@20+1B1
0040230E | FF15 54104000 | call dword ptr ds:[<__vbaVarTstEq>] | cmp
00402314 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
00402317 | 8BF8 | mov edi,eax |
00402319 | FF15 C8104000 | call dword ptr ds:[<__vbaFreeObj>] |
0040231F | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402325 | FF15 10104000 | call dword ptr ds:[<__vbaFreeVar>] |
0040232B | B9 04000280 | mov ecx,80020004 |
00402330 | B8 0A000000 | mov eax,A | 0A:'\n'
00402335 | 66:3BFE | cmp di,si | serial检查
00402338 | 898D 44FFFFFF | mov dword ptr ss:[ebp-BC],ecx |
0040233E | 8985 3CFFFFFF | mov dword ptr ss:[ebp-C4],eax |
00402344 | 898D 54FFFFFF | mov dword ptr ss:[ebp-AC],ecx |
0040234A | 8985 4CFFFFFF | mov dword ptr ss:[ebp-B4],eax | [ebp-B4]:CtfImeProcessKey+1960
00402350 | 0F84 8C000000 | je <blackice crackme #1_patched.Fail> |
00402356 | 8B3D A8104000 | mov edi,dword ptr ds:[<__vbaVarDup>] | Success
0040235C | BB 08000000 | mov ebx,8 |
00402361 | 8D95 1CFFFFFF | lea edx,dword ptr ss:[ebp-E4] | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00402367 | 8D8D 5CFFFFFF | lea ecx,dword ptr ss:[ebp-A4] |
0040236D | C785 24FFFFFF D01B40 | mov dword ptr ss:[ebp-DC],blackice crackme | 401BD0:L"Congrats"
00402377 | 899D 1CFFFFFF | mov dword ptr ss:[ebp-E4],ebx | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
0040237D | FFD7 | call edi |
0040237F | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] |
00402385 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
0040238B | C785 34FFFFFF B81B40 | mov dword ptr ss:[ebp-CC],blackice crackme | 401BB8:L"WELL DONE"
00402395 | 899D 2CFFFFFF | mov dword ptr ss:[ebp-D4],ebx |
0040239B | FFD7 | call edi |
0040239D | 8D85 3CFFFFFF | lea eax,dword ptr ss:[ebp-C4] |
004023A3 | 8D8D 4CFFFFFF | lea ecx,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
004023A9 | 50 | push eax |
004023AA | 8D95 5CFFFFFF | lea edx,dword ptr ss:[ebp-A4] |
004023B0 | 51 | push ecx |
004023B1 | 52 | push edx |
004023B2 | 8D85 6CFFFFFF | lea eax,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
004023B8 | 6A 40 | push 40 |
004023BA | 50 | push eax |
004023BB | FF15 3C104000 | call dword ptr ds:[<Ordinal#595>] |
004023C1 | 8D8D 3CFFFFFF | lea ecx,dword ptr ss:[ebp-C4] |
004023C7 | 8D95 4CFFFFFF | lea edx,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
004023CD | 51 | push ecx |
004023CE | 8D85 5CFFFFFF | lea eax,dword ptr ss:[ebp-A4] |
004023D4 | 52 | push edx |
004023D5 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
004023DB | 50 | push eax |
004023DC | 51 | push ecx |
004023DD | E9 87000000 | jmp blackice crackme #1_patched.402469 |
004023E2 | 8B3D A8104000 | mov edi,dword ptr ds:[<__vbaVarDup>] | Fail
004023E8 | BB 08000000 | mov ebx,8 |
004023ED | 8D95 1CFFFFFF | lea edx,dword ptr ss:[ebp-E4] | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
004023F3 | 8D8D 5CFFFFFF | lea ecx,dword ptr ss:[ebp-A4] |
004023F9 | C785 24FFFFFF 101C40 | mov dword ptr ss:[ebp-DC],blackice crackme | 401C10:L"ARGH"
00402403 | 899D 1CFFFFFF | mov dword ptr ss:[ebp-E4],ebx | [ebp-E4]:int __stdcall _PeekMessage(struct tagMSG *, struct HWND__*, unsigned int, unsigned int, unsigned int, unsigned int, int)+EB
00402409 | FFD7 | call edi |
0040240B | 8D95 2CFFFFFF | lea edx,dword ptr ss:[ebp-D4] |
00402411 | 8D8D 6CFFFFFF | lea ecx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402417 | C785 34FFFFFF E81B40 | mov dword ptr ss:[ebp-CC],blackice crackme | 401BE8:L"Sorry, try again"
00402421 | 899D 2CFFFFFF | mov dword ptr ss:[ebp-D4],ebx |
00402427 | FFD7 | call edi |
00402429 | 8D95 3CFFFFFF | lea edx,dword ptr ss:[ebp-C4] |
0040242F | 8D85 4CFFFFFF | lea eax,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
00402435 | 52 | push edx |
00402436 | 8D8D 5CFFFFFF | lea ecx,dword ptr ss:[ebp-A4] |
0040243C | 50 | push eax |
0040243D | 51 | push ecx |
0040243E | 8D95 6CFFFFFF | lea edx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402444 | 6A 10 | push 10 |
00402446 | 52 | push edx |
00402447 | FF15 3C104000 | call dword ptr ds:[<Ordinal#595>] |
0040244D | 8D85 3CFFFFFF | lea eax,dword ptr ss:[ebp-C4] |
00402453 | 8D8D 4CFFFFFF | lea ecx,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
00402459 | 50 | push eax |
0040245A | 8D95 5CFFFFFF | lea edx,dword ptr ss:[ebp-A4] |
00402460 | 51 | push ecx |
00402461 | 8D85 6CFFFFFF | lea eax,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
00402467 | 52 | push edx |
00402468 | 50 | push eax |
00402469 | 6A 04 | push 4 |
0040246B | FF15 18104000 | call dword ptr ds:[<__vbaFreeVarList>] |
00402471 | 83C4 14 | add esp,14 |
00402474 | 8975 FC | mov dword ptr ss:[ebp-4],esi |
00402477 | 68 07254000 | push blackice crackme #1_patched.402507 |
0040247C | EB 4B | jmp blackice crackme #1_patched.4024C9 |
0040247E | 8D4D 84 | lea ecx,dword ptr ss:[ebp-7C] |
00402481 | 8D55 88 | lea edx,dword ptr ss:[ebp-78] |
00402484 | 51 | push ecx |
00402485 | 52 | push edx |
00402486 | 6A 02 | push 2 |
00402488 | FF15 90104000 | call dword ptr ds:[<__vbaFreeStrList>] |
0040248E | 8D85 7CFFFFFF | lea eax,dword ptr ss:[ebp-84] |
00402494 | 8D4D 80 | lea ecx,dword ptr ss:[ebp-80] |
00402497 | 50 | push eax |
00402498 | 51 | push ecx |
00402499 | 6A 02 | push 2 |
0040249B | FF15 20104000 | call dword ptr ds:[<__vbaFreeObjList>] |
004024A1 | 8D95 3CFFFFFF | lea edx,dword ptr ss:[ebp-C4] |
004024A7 | 8D85 4CFFFFFF | lea eax,dword ptr ss:[ebp-B4] | [ebp-B4]:CtfImeProcessKey+1960
004024AD | 52 | push edx |
004024AE | 8D8D 5CFFFFFF | lea ecx,dword ptr ss:[ebp-A4] |
004024B4 | 50 | push eax |
004024B5 | 8D95 6CFFFFFF | lea edx,dword ptr ss:[ebp-94] | [ebp-94]:_PeekMessageW@20+1B1
004024BB | 51 | push ecx |
004024BC | 52 | push edx |
004024BD | 6A 04 | push 4 |
004024BF | FF15 18104000 | call dword ptr ds:[<__vbaFreeVarList>] |
004024C5 | 83C4 2C | add esp,2C |
004024C8 | C3 | ret |
004024C9 | 8D85 CCFEFFFF | lea eax,dword ptr ss:[ebp-134] |
004024CF | 8D8D DCFEFFFF | lea ecx,dword ptr ss:[ebp-124] |
004024D5 | 50 | push eax |
004024D6 | 51 | push ecx |
004024D7 | 6A 02 | push 2 |
004024D9 | FF15 18104000 | call dword ptr ds:[<__vbaFreeVarList>] |
004024DF | 8B35 10104000 | mov esi,dword ptr ds:[<__vbaFreeVar>] |
004024E5 | 83C4 0C | add esp,C |
004024E8 | 8D4D DC | lea ecx,dword ptr ss:[ebp-24] |
004024EB | FFD6 | call esi |
004024ED | 8D4D CC | lea ecx,dword ptr ss:[ebp-34] | [ebp-34]:"Pj"
004024F0 | FFD6 | call esi |
004024F2 | 8D4D BC | lea ecx,dword ptr ss:[ebp-44] | [ebp-44]:int __stdcall DialogBox2(struct HWND__*, struct HWND__*, int, int)+1BA
004024F5 | FFD6 | call esi |
004024F7 | 8D4D AC | lea ecx,dword ptr ss:[ebp-54] |
004024FA | FFD6 | call esi |
004024FC | 8D4D 9C | lea ecx,dword ptr ss:[ebp-64] | [ebp-64]:@HMValidateHandleNoSecure@8+47
004024FF | FFD6 | call esi |
00402501 | 8D4D 8C | lea ecx,dword ptr ss:[ebp-74] |
00402504 | FFD6 | call esi |
00402506 | C3 | ret |
00402507 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] |
0040250A | 50 | push eax |
0040250B | 8B10 | mov edx,dword ptr ds:[eax] |
0040250D | FF52 08 | call dword ptr ds:[edx+8] |
00402510 | 8B45 FC | mov eax,dword ptr ss:[ebp-4] |
00402513 | 8B4D EC | mov ecx,dword ptr ss:[ebp-14] |
00402516 | 5F | pop edi |
00402517 | 5E | pop esi |
00402518 | 64:890D 00000000 | mov dword ptr fs:[0],ecx |
0040251F | 5B | pop ebx |
00402520 | 8BE5 | mov esp,ebp |
00402522 | 5D | pop ebp |
00402523 | C2 0400 | ret 4 |
00402526 | FF15 80104000 | call dword ptr ds:[<__vbaErrorOverflow>] |
```
View Git Blame Copy Permalink