160CM3

用PEiD查一下，依然是VB程序。下断点 bp rtcMsgBox，中断后往上翻可以看到
00408677 /74 62 je short AfKayAs_.004086DB是关键跳
直接nop爆破成功

00408677   /74 62           je short AfKayAs_.004086DB
00408679   |8B35 14B14000   mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
0040867F   |68 C06F4000     push AfKayAs_.00406FC0                   ; UNICODE "You Get It"
00408684   |68 DC6F4000     push AfKayAs_.00406FDC                   ; ASCII "\r"
00408689   |FFD6            call esi
0040868B   |8BD0            mov edx,eax
0040868D   |8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
00408690   |FF15 94B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00408696   |50              push eax
00408697   |68 E86F4000     push AfKayAs_.00406FE8                   ; UNICODE "KeyGen It Now"
0040869C   |FFD6            call esi
0040869E   |8945 CC         mov dword ptr ss:[ebp-0x34],eax
004086A1   |8D45 94         lea eax,dword ptr ss:[ebp-0x6C]
004086A4   |8D4D A4         lea ecx,dword ptr ss:[ebp-0x5C]
004086A7   |50              push eax
004086A8   |8D55 B4         lea edx,dword ptr ss:[ebp-0x4C]
004086AB   |51              push ecx                                 ; user32.77D18FFB
004086AC   |52              push edx                                 ; ntdll.7C920061
004086AD   |8D45 C4         lea eax,dword ptr ss:[ebp-0x3C]
004086B0   |6A 00           push 0x0
004086B2   |50              push eax
004086B3   |C745 C4 0800000>mov dword ptr ss:[ebp-0x3C],0x8
004086BA   |FF15 24B14000   call dword ptr ds:[<&MSVBVM50.#595>]     ; msvbvm50.rtcMsgBox
004086C0   |8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
004086C3   |FF15 A8B14000   call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004086C9   |8D4D 94         lea ecx,dword ptr ss:[ebp-0x6C]
004086CC   |8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
004086CF   |51              push ecx                                 ; user32.77D18FFB
004086D0   |8D45 B4         lea eax,dword ptr ss:[ebp-0x4C]
004086D3   |52              push edx                                 ; ntdll.7C920061
004086D4   |8D4D C4         lea ecx,dword ptr ss:[ebp-0x3C]
004086D7   |50              push eax
004086D8   |51              push ecx                                 ; user32.77D18FFB
004086D9   |EB 60           jmp short AfKayAs_.0040873B
004086DB   \8B35 14B14000   mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
004086E1    68 08704000     push AfKayAs_.00407008                   ; UNICODE "You Get Wrong"
004086E6    68 DC6F4000     push AfKayAs_.00406FDC                   ; ASCII "\r"
004086EB    FFD6            call esi
004086ED    8BD0            mov edx,eax
004086EF    8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
004086F2    FF15 94B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
004086F8    50              push eax
004086F9    68 28704000     push AfKayAs_.00407028                   ; UNICODE "Try Again"
004086FE    FFD6            call esi
00408700    8945 CC         mov dword ptr ss:[ebp-0x34],eax
00408703    8D55 94         lea edx,dword ptr ss:[ebp-0x6C]
00408706    8D45 A4         lea eax,dword ptr ss:[ebp-0x5C]
00408709    52              push edx                                 ; ntdll.7C920061
0040870A    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
0040870D    50              push eax
0040870E    51              push ecx                                 ; user32.77D18FFB
0040870F    8D55 C4         lea edx,dword ptr ss:[ebp-0x3C]
00408712    6A 00           push 0x0
00408714    52              push edx                                 ; ntdll.7C920061
00408715    C745 C4 0800000>mov dword ptr ss:[ebp-0x3C],0x8
0040871C    FF15 24B14000   call dword ptr ds:[<&MSVBVM50.#595>]     ; msvbvm50.rtcMsgBox
00408722    8D4D E8         lea ecx,dword ptr ss:[ebp-0x18]
00408725    FF15 A8B14000   call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
0040872B    8D45 94         lea eax,dword ptr ss:[ebp-0x6C]
0040872E    8D4D A4         lea ecx,dword ptr ss:[ebp-0x5C]
00408731    50              push eax
00408732    8D55 B4         lea edx,dword ptr ss:[ebp-0x4C]
00408735    51              push ecx                                 ; user32.77D18FFB
00408736    8D45 C4         lea eax,dword ptr ss:[ebp-0x3C]
00408739    52              push edx                                 ; ntdll.7C920061
0040873A    50              push eax
0040873B    6A 04           push 0x4
0040873D    FF15 00B14000   call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; msvbvm50.__vbaFreeVarList
00408743    83C4 14         add esp,0x14
00408746    C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
0040874D    9B              wait
0040874E    68 A0874000     push AfKayAs_.004087A0


接下来尝试分析注册算法
跟踪可以看到147369258(假码)与2933566比较
2933566应该是正确密码
尝试一下

往上翻到字符串第一次出现的位置，从那里开始往下慢慢看，可以找到

004081F5    FF15 F8B04000   call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; 
004081FB    8BF8            mov edi,eax
004081FD    8B4D E8         mov ecx,dword ptr ss:[ebp-0x18]
00408200    69FF 385B0100   imul edi,edi,0x15B38
00408206    51              push ecx
00408207    0F80 B7050000   jo AfKayAs_.004087C4
0040820D    FF15 0CB14000   call dword ptr ds:[<&MSVBVM50.#516>]     ; msvbvm50.rtcAnsiValueBstr
00408213    0FBFD0          movsx edx,ax
00408216    03FA            add edi,edx

call dword ptr ds:[<&MSVBVM50.__vbaLenBs>] 返回的是字符串长度
可以看到是先取字符串长度乘以0x15B38（即88888，对应 imul edi,edi,0x15B38），再加上字符串第一个字符的ASCII码（rtcAnsiValueBstr 之后用 movsx 带符号扩展）

004082E9    FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]       ; msvbvm50.__vbaR8Str
004082EF    D905 08104000   fld dword ptr ds:[0x401008]
004082F5    833D 00904000 0>cmp dword ptr ds:[0x409000],0x0
004082FC    75 08           jnz short AfKayAs_.00408306
004082FE    D835 0C104000   fdiv dword ptr ds:[0x40100C]
00408304    EB 0B           jmp short AfKayAs_.00408311
00408306    FF35 0C104000   push dword ptr ds:[0x40100C]
0040830C    E8 578DFFFF     call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311    83EC 08         sub esp,0x8
00408314    DFE0            fstsw ax
00408316    A8 0D           test al,0xD
00408318    0F85 A1040000   jnz AfKayAs_.004087BF
0040831E    DEC1            faddp st(1),st
00408320    DFE0            fstsw ax
00408322    A8 0D           test al,0xD
00408324    0F85 95040000   jnz AfKayAs_.004087BF
0040832A    DD1C24          fstp qword ptr ss:[esp]
0040832D    FF15 48B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]       ; msvbvm50.__vbaStrR8
00408333    8BD0            mov edx,eax

10/5=2，然后与之前计算的结果相加

004083FB    DC0D 10104000   fmul qword ptr ds:[0x401010]
00408401    83EC 08         sub esp,0x8
00408404    DC25 18104000   fsub qword ptr ds:[0x401018]
0040840A    DFE0            fstsw ax
0040840C    A8 0D           test al,0xD
0040840E    0F85 AB030000   jnz AfKayAs_.004087BF


乘3再减2

004084D9    8B55 E8         mov edx,dword ptr ss:[ebp-0x18]
004084DC    52              push edx
004084DD    8B19            mov ebx,dword ptr ds:[ecx]
004084DF    FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]       ; msvbvm50.__vbaR8Str
004084E5    DC25 20104000   fsub qword ptr ds:[0x401020]
004084EB    83EC 08         sub esp,0x8
004084EE    DFE0            fstsw ax
004084F0    A8 0D           test al,0xD


加上15
最后总结一下：序列号 = ((用户名长度×88888 + 第一个字母的ASCII) + 2)×3 − 2 + 15
附上C艹代码

#include <iostream>
#include <limits>
#include <string>
using namespace std;

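// Serial derivation recovered from the disassembly above:
//   ((len * 0x15B38 + Asc(first char)) + 10/5) * 3 - 2 + 15
// The VB binary performs the later stages in double precision (__vbaR8Str,
// fmul/fsub); for the plain-ASCII names exercised in the write-up the integer
// form below yields the same value.
static long long compute_serial(const std::string& name)
{
    // imul edi,edi,0x15B38 -> user-name length * 88888
    long long value = static_cast<long long>(name.length()) * 0x15B38;

    // rtcAnsiValueBstr + movsx -> code of the first character, sign-extended.
    // Guard the empty case explicitly instead of indexing into an empty string.
    if (!name.empty()) {
        // NOTE(review): char signedness is platform-dependent; for a non-ASCII
        // first character this may differ from what the VB Asc() call returned
        // — confirm against the binary if such names matter.
        value += name[0];
    }

    // fld / fdiv / faddp: 10/5 = 2 added to the running value.
    value += 2;
    // fmul [0x401010] / fsub [0x401018]: times 3, minus 2.
    value = value * 3 - 2;
    // Final fsub [0x401020] stage, which the write-up identifies as "+15".
    value += 15;
    return value;
}

int main()
{
    std::string name;
    // NOTE(review): operator>> stops at the first whitespace; if the original
    // dialog accepted names containing spaces, std::getline would be needed.
    std::cin >> name;
    std::cout << compute_serial(name) << '\n';

    // Wait for Enter before exiting so the result stays visible when launched
    // by double-click. This replaces system("PAUSE"), which spawned a command
    // interpreter just to pause and only works on Windows. The ignore() drops
    // the newline left behind by operator>> so get() actually blocks.
    std::cin.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
    std::cin.get();
    return 0;
}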
