160 CrackMes 0x03 Afkayas_2

0x03 Afkayas_2

Single-stepping through the code finds the serial that corresponds to the name "name": 1066990


Next comes the keygen. First, look at the algorithm:

The first step is the same as in the previous challenge:

004081F2   | 50                | push eax                                     | eax:L"355662"
004081F3   | 8B1A              | mov ebx,dword ptr ds:[edx]                   | edx:L"355662"
004081F5   | FF15 F8B04000     | call dword ptr ds:[<&__vbaLenBstr>]          | get the length of the name field
004081FB   | 8BF8              | mov edi,eax                                  | edi:L"-1-0", eax:L"355662"
004081FD   | 8B4D E8           | mov ecx,dword ptr ss:[ebp-18]                | [ebp-18]:L"name"
00408200   | 69FF 385B0100     | imul edi,edi,15B38                           | strlen(name)*0x15b38=0x56ce0
00408206   | 51                | push ecx                                     |
00408207   | 0F80 B7050000     | jo afkayas.2.4087C4                          |
0040820D   | FF15 0CB14000     | call dword ptr ds:[<&rtcRightVar>]           |
00408213   | 0FBFD0            | movsx edx,ax                                 | edx:L"355662"
00408216   | 03FA              | add edi,edx                                  | (strlen(name)*0x15b38)+name[0]=0x56d4e
00408218   | 0F80 A6050000     | jo afkayas.2.4087C4                          |
0040821E   | 57                | push edi                                     | edi:L"-1-0"
0040821F   | FF15 F4B04000     | call dword ptr ds:[<&__vbaStrI4>]            | hex2dec 355662
00408225   | 8BD0              | mov edx,eax                                  | edx:L"355662", eax:L"355662"
00408227   | 8D4D E0           | lea ecx,dword ptr ss:[ebp-20]                |

Part two:

0040832A   | DD1C24            | fstp qword ptr ss:[esp],st(0)                |
0040832D   | FF15 48B14000     | call dword ptr ds:[<&__vbaStrR8>]            | serial+=(10.0/5.0) = 355664
00408333   | 8BD0              | mov edx,eax                                  | eax:L"355664"
00408335   | 8D4D E4           | lea ecx,dword ptr ss:[ebp-1C]                |
00408338   | FF15 94B14000     | call dword ptr ds:[<&__vbaStrMove>]          |
0040833E   | 899D 34FFFFFF     | mov dword ptr ss:[ebp-CC],ebx                |
00408344   | 8B9D 58FFFFFF     | mov ebx,dword ptr ss:[ebp-A8]                |

Part three:

004083F2   | 52                 | push edx                                     |
004083F3   | 8B19               | mov ebx,dword ptr ds:[ecx]                   |
004083F5   | FF15 74B14000      | call dword ptr ds:[<&__vbaR8Str>]            |
004083FB   | DC0D 10104000      | fmul st(0),qword ptr ds:[401010]             |
00408401   | 83EC 08            | sub esp,8                                    |
00408404   | DC25 18104000      | fsub st(0),qword ptr ds:[401018]             |
0040840A   | DFE0               | fnstsw ax                                    |
0040840C   | A8 0D              | test al,D                                    |
0040840E   | 0F85 AB030000      | jne afkayas.2.4087BF                         |
00408414   | DD1C24             | fstp qword ptr ss:[esp],st(0)                |
00408417   | FF15 48B14000      | call dword ptr ds:[<&__vbaStrR8>]            |
0040841D   | 8BD0               | mov edx,eax                                  | eax:L"1066990"
0040841F   | 8D4D E4            | lea ecx,dword ptr ss:[ebp-1C]                |
00408422   | FF15 94B14000      | call dword ptr ds:[<&__vbaStrMove>]          |
00408428   | 899D 2CFFFFFF      | mov dword ptr ss:[ebp-D4],ebx                |
0040842E   | 8B9D 58FFFFFF      | mov ebx,dword ptr ss:[ebp-A8]                |
00408434   | 50                 | push eax                                     | eax:L"1066990"

Algorithm summary:

serial = hex2dec((strlen(name)*0x15b38 + name[0]+2)*3-2-(-15))
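
The computation above, modelled stage by stage so each intermediate value can be compared with the debugger annotations (an added example, not code from the original write-up). Assumptions: the first character of the name is ASCII, the multiplier 3 and subtrahend 2 in part three are taken from the summary formula because the listing shows only the memory operands, and the final `-(-15)` term comes from the summary formula and is not among the listings shown. The function names are hypothetical.

```python
# Added example: models the serial computation stage by stage (ASCII names assumed).
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def checked_i32(value):
    """Mirror the `jo` branches in part one: signed 32-bit overflow aborts."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError("signed 32-bit overflow: the jo branch would be taken")
    return value


def serial_stages(name):
    """Return each intermediate value so it can be compared with the debugger."""
    if not name:
        raise ValueError("empty name: the algorithm reads name[0]")
    first = ord(name[0])
    if first > 0x7F:
        raise ValueError("this model assumes an ASCII first character")
    # Part one: imul edi,edi,15B38 ; add edi,edx (both followed by jo)
    part1 = checked_i32(checked_i32(len(name) * 0x15B38) + first)
    # Part two: floating-point add of 10.0/5.0; the value stays an exact integer
    part2 = part1 + 2
    # Part three: fmul / fsub; 3 and 2 are taken from the page's summary formula
    part3 = part2 * 3 - 2
    # Last term of the summary formula; not among the listings shown on the page
    summary = part3 - (-15)
    return {"part1": part1, "part2": part2, "part3": part3, "summary": summary}


def serial_from_summary(name):
    """Decimal string of the summary formula's value (the page's hex2dec step)."""
    return str(serial_stages(name)["summary"])


if __name__ == "__main__":
    for label, value in serial_stages("name").items():
        print(f"{label}: {value}")
```

For the name "name", `part1`, `part2` and `part3` reproduce the strings annotated in the three listings (355662, 355664, 1066990).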
