与 CrackMe 2 的做法相同：点击“确定”后暂停程序并查看堆栈，
找到最近一次调用（弹出）窗口的位置，
进而确定关键处理函数:
; ---------------------------------------------------------------------------
; Routine at 00401CD0 — OllyDbg dump, x86-32, Intel syntax, VB5 runtime (MSVBVM50).
; Reached by pausing on the message box and walking the call stack (see notes above).
; Flow visible in this listing:
;   1. SEH frame + 0xBC bytes of locals, callee-saved regs pushed.
;   2. A vtable call on the first argument yields an object; a string is read from it.
;   3. __vbaStrCmp(string, "SynTaX 2oo1"); neg/sbb/inc/neg turns eax into a VB Boolean.
;   4. cmp di,si / je: equal -> "RiCHtiG" message box, otherwise -> "leider NeiN".
; Note (educational): the expected value is an unencrypted literal in the image, so a
; plain string dump already exposes it — compare against a hash/transform if secrecy matters.
; ---------------------------------------------------------------------------
00401CD0 > \55 push ebp
00401CD1 . 8BEC mov ebp,esp
00401CD3 . 83EC 0C sub esp,0xC
; SEH frame: push the handler address (operand lost in this dump) and link into fs:[0]
00401CD6 . 68 16104000 push ; SEH handler install
00401CDB . 64:A1 0000000>mov eax,dword ptr fs:[0]
00401CE1 . 50 push eax
00401CE2 . 64:8925 00000>mov dword ptr fs:[0],esp
; 0xBC bytes of locals (string/object/Variant temporaries), then save callee-saved regs
00401CE9 . 81EC BC000000 sub esp,0xBC
00401CEF . 53 push ebx
00401CF0 . 56 push esi
00401CF1 . 57 push edi
; edi = first argument ([ebp+8]); its low bit is split off into [ebp-4] and cleared in edi.
; ebx = *edi (a vtable); slot +4 is called with edi as the only argument.
; VB5 handlers receive the "Me" object pointer this way — slot +4 is presumably
; IUnknown::AddRef; confirm in the runtime before relying on it.
00401CF2 . 8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
00401CF5 . 8BC7 mov eax,edi
00401CF7 . 83E7 FE and edi,0xFFFFFFFE
00401CFA . 8965 F4 mov dword ptr ss:[ebp-0xC],esp ; esp snapshot kept for the SEH frame
00401CFD . 83E0 01 and eax,0x1
00401D00 . 8B1F mov ebx,dword ptr ds:[edi]
00401D02 . C745 F8 00104>mov dword ptr ss:[ebp-0x8],Andréna.00401>
00401D09 . 57 push edi
00401D0A . 8945 FC mov dword ptr ss:[ebp-0x4],eax
00401D0D . 897D 08 mov dword ptr ss:[ebp+0x8],edi
00401D10 . FF53 04 call dword ptr ds:[ebx+0x4]
; esi = 0 for the rest of the routine. Zero every temporary that is later used/freed:
; result Variant -0x24, string -0x28, object -0x2C, Variants -0x3C/-0x4C/-0x5C/-0x6C/-0x7C/-0x8C/-0xBC.
; The push edi here is the argument of the vtable call at 00401D3A.
00401D13 . 33F6 xor esi,esi
00401D15 . 57 push edi
00401D16 . 8975 DC mov dword ptr ss:[ebp-0x24],esi
00401D19 . 8975 D8 mov dword ptr ss:[ebp-0x28],esi
00401D1C . 8975 D4 mov dword ptr ss:[ebp-0x2C],esi
00401D1F . 8975 C4 mov dword ptr ss:[ebp-0x3C],esi
00401D22 . 8975 B4 mov dword ptr ss:[ebp-0x4C],esi
00401D25 . 8975 A4 mov dword ptr ss:[ebp-0x5C],esi
00401D28 . 8975 94 mov dword ptr ss:[ebp-0x6C],esi
00401D2B . 8975 84 mov dword ptr ss:[ebp-0x7C],esi
00401D2E . 89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C],esi
00401D34 . 89B5 44FFFFFF mov dword ptr ss:[ebp-0xBC],esi
; Vtable slot +0x300 on the "Me" object; whatever it returns in eax is handed to
; __vbaObjSet next, so it is an object reference (which control it is cannot be told here).
00401D3A . FF93 00030000 call dword ptr ds:[ebx+0x300]
; __vbaObjSet(&[ebp-0x2C], eax): store the reference in the local, result object in eax
00401D40 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
00401D43 . 50 push eax
00401D44 . 51 push ecx
00401D45 . FF15 EC304000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
; edi = that object; call its vtable slot +0xA0 with an out-pointer to the string local
; [ebp-0x28]. The string it writes is what gets compared below, so this is a
; string-valued property getter (name not recoverable from the dump).
00401D4B . 8BF8 mov edi,eax
00401D4D . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00401D50 . 50 push eax
00401D51 . 57 push edi
00401D52 . 8B17 mov edx,dword ptr ds:[edi]
00401D54 . FF92 A0000000 call dword ptr ds:[edx+0xA0]
; HRESULT check: signed compare against 0 — a negative eax (failure) goes to
; __vbaHresultCheckObj(eax, edi, 00401A40, 0xA0); success falls through to 00401D70.
00401D5A . 3BC6 cmp eax,esi
00401D5C . 7D 12 jge XAndréna.00401D70
00401D5E . 68 A0000000 push 0xA0
00401D63 . 68 401A4000 push Andréna.00401A40
00401D68 . 57 push edi
00401D69 . 50 push eax
00401D6A . FF15 E4304000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
; The actual check: __vbaStrCmp on the string just read and the literal "SynTaX 2oo1".
; eax == 0 is the "equal" case — it is the value that reaches the "RiCHtiG" branch below.
00401D70 > 8B4D D8 mov ecx,dword ptr ss:[ebp-0x28]
00401D73 . 51 push ecx
00401D74 . 68 541A4000 push Andréna.00401A54 ; UNICODE "SynTaX 2oo1"
00401D79 . FF15 08314000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
; Fold eax into a VB Boolean in edi:
;   neg edi      -> CF = (edi != 0)
;   sbb edi,edi  -> edi = -CF   (-1 if eax != 0, 0 if eax == 0)
;   inc edi      -> 0 if eax != 0, 1 if eax == 0
;   neg edi      -> 0 if eax != 0, -1 (VB True) if eax == 0
; i.e. edi = (eax == 0) ? True : False. The lea in between only prepares __vbaFreeStr's arg.
00401D7F . 8BF8 mov edi,eax
00401D81 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00401D84 . F7DF neg edi
00401D86 . 1BFF sbb edi,edi
00401D88 . 47 inc edi
00401D89 . F7DF neg edi
; Release the temporary string and object (ecx = address of the local, per the lea above)
00401D8B . FF15 5C314000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00401D91 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
00401D94 . FF15 60314000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
; VB Boolean is a 16-bit Integer, hence the 16-bit compare of di with 0 (si).
; False (strings differ) -> failure branch at 00401E43; True falls through to the success path.
00401D9A . 66:3BFE cmp di,si
00401D9D . 0F84 A0000000 je Andréna.00401E43
; ---- success path ----
00401DA3 . FF15 2C314000 call dword ptr ds:[<&MSVBVM50.#534>] ; MSVBVM50.rtcBeep
; Build rtcMsgBox arguments as VARIANTs (vt at +0, payload at +8):
;   [ebp-0x6C] and [ebp-0x5C]: vt = 0xA (VT_ERROR), payload 0x80020004 (DISP_E_PARAMNOTFOUND)
;                              = omitted optional arguments (HelpFile / Context)
;   [ebp-0x8C]: vt = 0x8 (VT_BSTR), payload "SuCCESFul !"  -> __vbaVarDup -> [ebp-0x4C]
;   [ebp-0x7C]: vt = 0x8 (VT_BSTR), payload "RiCHtiG ! ..." -> __vbaVarDup -> [ebp-0x3C]
; __vbaVarDup is called with edx = source, ecx = destination (see the lea pairs).
00401DA9 . 8B3D 48314000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
00401DAF . B9 04000280 mov ecx,0x80020004
00401DB4 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00401DB7 . B8 0A000000 mov eax,0xA
00401DBC . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00401DBF . BB 08000000 mov ebx,0x8
00401DC4 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00401DCA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00401DCD . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
00401DD0 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00401DD3 . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],Andréna.0040>; UNICODE "SuCCESFul !"
00401DDD . 899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ebx
00401DE3 . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
00401DE5 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
00401DE8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00401DEB . C745 8C 701A4>mov dword ptr ss:[ebp-0x74],Andréna.0040>; UNICODE "RiCHtiG ! ...nun weiter zu CrackMe 2 !"
00401DF2 . 895D 84 mov dword ptr ss:[ebp-0x7C],ebx
00401DF5 . FFD7 call edi
; stdcall push order (last pushed = first argument) matches MsgBox(Prompt, Buttons, Title, HelpFile, Context):
;   Prompt = [ebp-0x3C] "RiCHtiG ...", Buttons = 0x30 (vbExclamation), Title = [ebp-0x4C] "SuCCESFul !",
;   HelpFile = [ebp-0x5C], Context = [ebp-0x6C]
00401DF7 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00401DFA . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
00401DFD . 52 push edx
00401DFE . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00401E01 . 50 push eax
00401E02 . 51 push ecx
00401E03 . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
00401E06 . 6A 30 push 0x30
00401E08 . 52 push edx
00401E09 . FF15 F0304000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
; Wrap the MsgBox return (eax) in a VARIANT at [ebp-0xBC]: vt = 3 (VT_I4), payload at +8,
; then __vbaVarMove (edx = source, ecx = destination) into the result local [ebp-0x24].
00401E0F . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
00401E15 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00401E18 . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax
00401E1E . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x3
00401E28 . FF15 D0304000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>; MSVBVM50.__vbaVarMove
; Push the four temporary VARIANTs and jump to 00401ED8 — outside this dump; presumably
; the shared cleanup that frees them and runs the epilogue (confirm in the full listing).
00401E2E . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00401E31 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00401E34 . 50 push eax
00401E35 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
00401E38 . 51 push ecx
00401E39 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00401E3C . 52 push edx
00401E3D . 50 push eax
00401E3E . E9 95000000 jmp Andréna.00401ED8
; ---- failure path (target of the je at 00401D9D) ----
; Same VARIANT construction as above with the German "wrong" strings:
;   Title = [ebp-0x4C] "leider NeiN !", Prompt = [ebp-0x3C] "Leider Falsch ! ...",
;   Buttons = 0x10 (vbCritical). The dump ends at the rtcMsgBox call; the rest of the
; routine (result handling, cleanup, epilogue) is not shown here.
00401E43 > 8B3D 48314000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
00401E49 . B9 04000280 mov ecx,0x80020004
00401E4E . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00401E51 . B8 0A000000 mov eax,0xA
00401E56 . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00401E59 . BB 08000000 mov ebx,0x8
00401E5E . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00401E64 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00401E67 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
00401E6A . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00401E6D . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],Andréna.0040>; UNICODE "leider NeiN !"
00401E77 . 899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ebx
00401E7D . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
00401E7F . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
00401E82 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00401E85 . C745 8C E01A4>mov dword ptr ss:[ebp-0x74],Andréna.0040>; UNICODE "Leider Falsch ! Schau noch mal genau nach ..."
00401E8C . 895D 84 mov dword ptr ss:[ebp-0x7C],ebx
00401E8F . FFD7 call edi
00401E91 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
00401E94 . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
00401E97 . 51 push ecx
00401E98 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
00401E9B . 52 push edx
00401E9C . 50 push eax
00401E9D . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00401EA0 . 6A 10 push 0x10
00401EA2 . 51 push ecx
00401EA3 . FF15 F0304000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
就是一个简单的字符串比较:
; Excerpt of the check (same addresses as in the full dump above):
; __vbaStrCmp against the literal, then neg/sbb/inc/neg folds eax into a VB Boolean
; in edi: -1 (True) when eax == 0 (strings equal), 0 otherwise.
00401D74 . 68 541A4000 push Andréna.00401A54 ; UNICODE "SynTaX 2oo1"
00401D79 . FF15 08314000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
00401D7F . 8BF8 mov edi,eax ; edi = compare result
00401D81 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28] ; only prepares the later __vbaFreeStr argument
00401D84 . F7DF neg edi ; CF = (edi != 0)
00401D86 . 1BFF sbb edi,edi ; edi = -CF  (-1 if result != 0, else 0)
00401D88 . 47 inc edi ; 1 if result == 0, else 0
00401D89 . F7DF neg edi ; -1 (True) if result == 0, else 0 (False)
对字符串比较的返回值做 neg/sbb/inc/neg（取补、取反）转换成布尔值后再作最后判断，这种方式和 CrackMe 2 相同
注册码可以看到是"SynTaX 2oo1"
输入即可成功
（一开始也可以根据程序报错时提示的字符串找到判断位置（据说这是德语），可以考虑用 VBExplorer 汉化，但感觉没有必要）