160CM2

PEiD 查壳为 VB 程序。因为程序会弹出信息框，所以 bp rtcMsgBox，断下后单步走出就可以看到：

00402576   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx          ;  ntdll.7C93003D
00402579   .  66:85F6       test si,si
0040257C   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040257F   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx          ;  ntdll.7C93003D
00402582   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00402585   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx          ;  ntdll.7C93003D
00402588   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0040258B   .  74 58         je short Afkayas_.004025E5   
0040258D   .  68 801B4000   push Afkayas_.00401B80                   ;  You Get It
00402592   .  68 9C1B4000   push Afkayas_.00401B9C                   ;  \r\n
00402597   .  FFD7          call edi                                 ;  msvbvm50.__vbaStrCat
00402599   .  8BD0          mov edx,eax
0040259B   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
0040259E   .  FFD3          call ebx                                 ;  msvbvm50.__vbaStrMove
004025A0   .  50            push eax
004025A1   .  68 A81B4000   push Afkayas_.00401BA8                   ;  KeyGen It Now
004025A6   .  FFD7          call edi                                 ;  msvbvm50.__vbaStrCat
004025A8   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004025AB   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
004025AE   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004025B1   .  51            push ecx                                 ;  ntdll.7C93003D
004025B2   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004025B5   .  52            push edx
004025B6   .  50            push eax
004025B7   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004025BA   .  6A 00         push 0x0
004025BC   .  51            push ecx                                 ;  ntdll.7C93003D
004025BD   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4   .  FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
004025CA   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025CD   .  FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  msvbvm50.__vbaFreeStr
004025D3   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
004025D6   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
004025D9   .  52            push edx
004025DA   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
004025DD   .  50            push eax
004025DE   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
004025E1   .  51            push ecx                                 ;  ntdll.7C93003D
004025E2   .  52            push edx
004025E3   .  EB 56         jmp short Afkayas_.0040263B
004025E5   >  68 C81B4000   push Afkayas_.00401BC8                   ;  You Get Wrong
004025EA   .  68 9C1B4000   push Afkayas_.00401B9C                   ;  \r\n
004025EF   .  FFD7          call edi                                 ;  msvbvm50.__vbaStrCat
004025F1   .  8BD0          mov edx,eax
004025F3   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025F6   .  FFD3          call ebx                                 ;  msvbvm50.__vbaStrMove
004025F8   .  50            push eax
004025F9   .  68 E81B4000   push Afkayas_.00401BE8                   ;  Try Again
004025FE   .  FFD7          call edi                                 ;  msvbvm50.__vbaStrCat


可以看出 `0040258B  74 58  je short Afkayas_.004025E5` 就是关键跳，直接把它 nop 掉即可爆破成功。
接下来分析注册算法：

00402433   .  0FBFD0        movsx edx,ax  取注册的第一个ascii 
00402436   .  03FA          add edi,edx 
00402438   .  0F80 80020000 jo Afkayas_.004026BE
0040243E   .  57            push edi
0040243F   .  FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>;  msvbvm50.__vbaStrI4
00402445   .  8BD0          mov edx,eax

取第一个字符的 ASCII 码，乘以 1072841，再在得出的十进制数前面加上 AKA- 就可以了。

附上C艹代码

#include <cstdlib>
#include <iostream>
using namespace std;

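// Keygen for this crackme: reads the first character of the name and prints
// "AKA-" followed by the decimal value of (character code + 1072841).  The
// addition mirrors the `movsx edx,ax` / `add edi,edx` pair in the listing above.
int main()
{
    char num = 0;                        // initialised so a failed read never prints garbage
    if (!(cin >> num)) {                 // EOF or read failure: nothing to derive a serial from
        return 1;
    }
    // (int)num sign-extends like the target's movsx; for printable ASCII the
    // value is the same either way.
    cout << "AKA-" << (int)num + 1072841 << endl;
    system("PAUSE");                     // Windows-only pause via cmd.exe; declared in <cstdlib>
    return 0;
}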
