160 crackme (II) for beginners

Run it first, then look for the key string.

The key strings are "You Get Wrong" and "Try Again". IDA does not seem to identify them, but in Ollydbg a right-click -> Search for -> All referenced text strings turns them up. They are probably Unicode strings, which IDA may not be recognizing.

Then locate the code:

.text:004025E5                 push    offset aYouGetWrong ; "You Get Wrong"

Then go to the code that references it. If this jump is not taken, execution goes straight to the correct result:

.text:0040258B                 jz      short loc_4025E5

Patch this spot directly in Ollydbg: right-click -> Binary -> Edit, and change the instruction to nop (the two-byte jz becomes two nops).

Then click OK.

The modification above shows that the key check is indeed here.

Look at the code in this section:

.text:00402510 loc_402510:                             ; CODE XREF: .text:004024FC↑j
.text:00402510                 mov     eax, [ebp-18h]    ;points to UNICODE "Type In Your Serial"
.text:00402513                 mov     ecx, [ebp-1Ch]    ;points to UNICODE "1658111"
.text:00402516                 mov     edi, ds:__vbaStrCat
.text:0040251C                 push    eax
.text:0040251D                 push    offset aAka     ; "AKA-"
.text:00402522                 push    ecx
.text:00402523                 call    edi ; __vbaStrCat  ;should be the VBA string concatenation function; arguments are passed on the stack; returns AKA-1658111
.text:00402525                 mov     ebx, ds:__vbaStrMove
.text:0040252B                 mov     edx, eax
.text:0040252D                 lea     ecx, [ebp-20h]
.text:00402530                 call    ebx ; __vbaStrMove
.text:00402532                 push    eax
.text:00402533                 call    ds:__vbaStrCmp  ;compare function, compares "AKA-1658111" with the serial string
.text:00402539                 mov     esi, eax      ;return value is 1, stored in esi
.text:0040253B                 lea     edx, [ebp-20h]
.text:0040253E                 neg     esi          ;two's-complement negate; here esi becomes all f's
.text:00402540                 lea     eax, [ebp-18h]
.text:00402543                 push    edx
.text:00402544                 sbb     esi, esi
.text:00402546                 lea     ecx, [ebp-1Ch]
.text:00402549                 push    eax
.text:0040254A                 inc     esi          ;add 1, becomes 0
.text:0040254B                 push    ecx
.text:0040254C                 push    3
.text:0040254E                 neg     esi          ;negate again, still 0
.text:00402550                 call    ds:__vbaFreeStrList
.text:00402556                 add     esp, 10h
.text:00402559                 lea     edx, [ebp-28h]
.text:0040255C                 lea     eax, [ebp-24h]
.text:0040255F                 push    edx
.text:00402560                 push    eax
.text:00402561                 push    2
.text:00402563                 call    ds:__vbaFreeObjList
.text:00402569                 add     esp, 0Ch
.text:0040256C                 mov     ecx, 80020004h
.text:00402571                 mov     eax, 0Ah
.text:00402576                 mov     [ebp-64h], ecx
.text:00402579                 test    si, si        ;esi is 0, so test sets the ZF flag
.text:0040257C                 mov     [ebp-6Ch], eax
.text:0040257F                 mov     [ebp-54h], ecx
.text:00402582                 mov     [ebp-5Ch], eax
.text:00402585                 mov     [ebp-44h], ecx
.text:00402588                 mov     [ebp-4Ch], eax
.text:0040258B                 jz      short loc_4025E5  ;so ZF is 1 here and the jump is taken
.text:0040258D                 push    offset aYouGetIt ; "You Get It"
.text:00402592                 push    offset asc_401B9C ; "\r\n"
.text:00402597                 call    edi ; __vbaStrCat
.text:00402599                 mov     edx, eax
.text:0040259B                 lea     ecx, [ebp-18h]
.text:0040259E                 call    ebx ; __vbaStrMove
.text:004025A0                 push    eax
.text:004025A1                 push    offset aKeygenItNow ; "KeyGen It Now"

Skimming the code above, it is clear that the serial only has to equal AKA-1658111 for the compare function to return 0 and the later check to pass. Since "AKA-" is a fixed string, what remains is to see where the string 1658111 comes from.

So go further back and find where ebp-1ch is referenced.

At 004023F3, ebp-1ch is overwritten with the username string. Then at 402415 that string is passed as the argument to a length call, which returns 0x11, the length. At 00402420 the length is multiplied by 17CFB. At 0040242D rtcAnsiValueBstr is called with the username as its argument and returns the first character; after that call eax is 0x54, the ASCII code of 'T'. This is then added to the earlier product of the length and 17CFB, giving 0x194cff. At 0040243F this value is passed to __vbaStrI4; when that function returns, eax points to the string "1658111". That is where the string comes from, so this should be the integer-to-string function.

So the final algorithm should be: multiply the length of the username by 17CFB, add the first character of the username, convert the result to decimal and then to a string, and prepend "AKA-".
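As an added example (not from the original post), here is the algorithm above written out in Python. The username is a constructed 17-character string starting with 'T', chosen so that it reproduces the 1658111 seen in the debugger; the second function emulates the neg/sbb/inc/neg sequence from the listing to show why a mismatching serial makes the jz fire.

```python
# Added example, not code from the crackme or the original post.
MULT = 0x17CFB  # constant the username length is multiplied by at 00402420
MASK32 = 0xFFFFFFFF

def make_serial(username: str) -> str:
    """Serial = "AKA-" + decimal(len(name) * 0x17CFB + ANSI value of first char)."""
    if not username:
        raise ValueError("username must not be empty")
    value = len(username) * MULT + ord(username[0])  # rtcAnsiValueBstr -> first char
    return "AKA-" + str(value)  # __vbaStrI4 -> decimal string, __vbaStrCat -> prefix

def vb_equal_flag(strcmp_result: int) -> int:
    """Emulate neg/sbb/inc/neg on the __vbaStrCmp result (VB boolean idiom):
    0xFFFFFFFF when the strings matched (result 0), 0 otherwise."""
    esi = strcmp_result & MASK32
    cf = 1 if esi != 0 else 0               # neg esi: CF is set iff operand was non-zero
    esi = (-esi) & MASK32
    esi = (esi - esi - cf) & MASK32         # sbb esi, esi -> -CF
    esi = (esi + 1) & MASK32                # inc esi
    esi = (-esi) & MASK32                   # neg esi
    return esi

def check_serial(username: str, serial: str) -> bool:
    """Mirror of the branch at 0040258B: jz taken (ZF=1) means "You Get Wrong"."""
    expected = make_serial(username)
    strcmp_result = 0 if expected == serial else 1   # __vbaStrCmp returns 0 on match
    zf = (vb_equal_flag(strcmp_result) & 0xFFFF) == 0  # test si, si uses the low 16 bits
    return not zf  # jump not taken -> falls through to "You Get It"

# Constructed sample: 17 characters, first character 'T' (0x54)
SAMPLE_NAME = "Tqwertyuiopasdfgh"

if __name__ == "__main__":
    s = make_serial(SAMPLE_NAME)
    print(SAMPLE_NAME, "->", s, "ok" if check_serial(SAMPLE_NAME, s) else "wrong")
```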

Finally, the last conditional jump's opcode can be changed to redirect the branch: change JE to JNE, i.e. 74 to 75.


Source: www.cnblogs.com/likaiming/p/11299538.html