160 CrackMe #009: algorithm analysis and writing a keygen in Easy Language (易语言)
Last edited by wbz_007 on 2019-9-6 22:08
Sticking to the same principle as before: analysing the algorithm is what counts, and understanding it is the real goal. First check whether this crackme is packed. The scan result: an unpacked VB program, so the unpacking step can be skipped and we start right away.
Run the program and enter an arbitrary username and password: the error window shown below pops up.
Load the program into OllyDbg (OD), right-click in the disassembly window and choose Search for -> All referenced text strings. Since it is a VB program you could also set the VB-specific breakpoints directly: rtcMsgBox, or the string-comparison breakpoint __vbaStrComp. I used right-click -> All referenced text strings and arrived at the following:
The text above is the content of the error message box; double-click it (or Follow in Disassembler) to land here:
Page down to the following code and set a breakpoint at the start of the routine:
00401FF0 > \55 push ebp ; set the breakpoint here
00401FF1 .8BEC mov ebp, esp
00401FF3 .83EC 0C sub esp, 0xC
00401FF6 .68 26104000 push <jmp.&MSVBVM50.__vbaExceptHandle>;SE handler installation
00401FFB .64:A1 00000000 mov eax, dword ptr fs:
00402001 .50 push eax
00402002 .64:8925 00000000 mov dword ptr fs:, esp
00402009 .81EC 18010000 sub esp, 0x118
0040200F .53 push ebx
00402010 .8B5D 08 mov ebx, dword ptr ss:
00402013 .8BC3 mov eax, ebx
00402015 .56 push esi
00402016 .83E3 FE and ebx, 0xFFFFFFFE
00402019 .57 push edi
0040201A .8965 F4 mov dword ptr ss:, esp
0040201D .83E0 01 and eax, 0x1
00402020 .8B3B mov edi, dword ptr ds:
00402022 .C745 F8 00104000 mov dword ptr ss:, Andréna.>
00402029 .53 push ebx
0040202A .8945 FC mov dword ptr ss:, eax
0040202D .895D 08 mov dword ptr ss:, ebx
00402030 .FF57 04 call near dword ptr ds:
00402033 .33F6 xor esi, esi
00402035 .53 push ebx
00402036 .8975 DC mov dword ptr ss:, esi
00402039 .8975 CC mov dword ptr ss:, esi
0040203C .8975 BC mov dword ptr ss:, esi
0040203F .8975 AC mov dword ptr ss:, esi
00402042 .8975 A8 mov dword ptr ss:, esi
00402045 .8975 A4 mov dword ptr ss:, esi
00402048 .8975 94 mov dword ptr ss:, esi
0040204B .8975 84 mov dword ptr ss:, esi
0040204E .89B5 74FFFFFF mov dword ptr ss:, esi
00402054 .89B5 64FFFFFF mov dword ptr ss:, esi
0040205A .89B5 54FFFFFF mov dword ptr ss:, esi
00402060 .89B5 44FFFFFF mov dword ptr ss:, esi
00402066 .89B5 14FFFFFF mov dword ptr ss:, esi
0040206C .89B5 F8FEFFFF mov dword ptr ss:, esi
00402072 .89B5 E8FEFFFF mov dword ptr ss:, esi
00402078 .FF97 FC020000 call near dword ptr ds:
0040207E .8D4D A4 lea ecx, dword ptr ss:
00402081 .50 push eax
00402082 .51 push ecx
00402083 .FF15 24414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaObjSet
00402089 .8BD8 mov ebx, eax
0040208B .8D45 A8 lea eax, dword ptr ss:
0040208E .50 push eax
0040208F .53 push ebx
00402090 .8B13 mov edx, dword ptr ds:
00402092 .FF92 A0000000 call near dword ptr ds:
00402098 .3BC6 cmp eax, esi
0040209A .7D 12 jge short Andréna.004020AE
0040209C .68 A0000000 push 0xA0
004020A1 .68 201C4000 push Andréna.00401C20
004020A6 .53 push ebx
004020A7 .50 push eax
004020A8 .FF15 14414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
004020AE >8B45 A8 mov eax, dword ptr ss: ;the username stored in this slot goes to eax
004020B1 .8975 A8 mov dword ptr ss:, esi ;esi=0 stored to this slot
004020B4 .8B35 FC404000 mov esi, dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaVarMove
004020BA .8D55 94 lea edx, dword ptr ss:
004020BD .8D4D BC lea ecx, dword ptr ss:
004020C0 .8945 9C mov dword ptr ss:, eax ;username stored to this slot
004020C3 .C745 94 08000000 mov dword ptr ss:, 0x8 ;8 stored to this slot
004020CA .FFD6 call near esi ;<&MSVBVM50.__vbaVarMove>
004020CC .8D4D A4 lea ecx, dword ptr ss: ; address into ecx
004020CF .FF15 B4414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeObj
004020D5 .B8 01000000 mov eax, 0x1 ;1 into eax
004020DA .8D8D 54FFFFFF lea ecx, dword ptr ss:
004020E0 .8985 5CFFFFFF mov dword ptr ss:, eax ;eax=1 stored to this slot
004020E6 .8985 4CFFFFFF mov dword ptr ss:, eax ;eax=1 stored to this slot
004020EC .8D55 BC lea edx, dword ptr ss:
004020EF .51 push ecx ; /Step8
004020F0 .8D45 94 lea eax, dword ptr ss: ; |
004020F3 .BB 02000000 mov ebx, 0x2 ; |2 into ebx
004020F8 .52 push edx ; |/var18
004020F9 .50 push eax ; ||retBuffer8
004020FA .899D 54FFFFFF mov dword ptr ss:, ebx ; ||ebx=2 stored to this slot
00402100 .899D 44FFFFFF mov dword ptr ss:, ebx ; ||ebx=2 stored to this slot
00402106 .FF15 18414000 call near dword ptr ds:[<&MSVBVM50.__>; |\__vbaLenVar
0040210C .8D8D 44FFFFFF lea ecx, dword ptr ss: ; |the value at this slot into ecx
00402112 .50 push eax ; |End8
00402113 .8D95 E8FEFFFF lea edx, dword ptr ss: ; |
00402119 .51 push ecx ; |Start8
0040211A .8D85 F8FEFFFF lea eax, dword ptr ss: ; |
00402120 .52 push edx ; |TMPend8
00402121 .8D4D DC lea ecx, dword ptr ss: ; |
00402124 .50 push eax ; |TMPstep8
00402125 .51 push ecx ; |Counter8
00402126 .FF15 20414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarForInit
0040212C .8B3D 04414000 mov edi, dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeVarList
00402132 >85C0 test eax, eax
00402134 .0F84 9C000000 je Andréna.004021D6
0040213A .8D55 94 lea edx, dword ptr ss:
0040213D .8D45 DC lea eax, dword ptr ss:
00402140 .52 push edx
00402141 .50 push eax
00402142 .C745 9C 01000000 mov dword ptr ss:, 0x1 ; this slot holds the username length; store 1 here
00402149 .895D 94 mov dword ptr ss:, ebx
0040214C .FF15 90414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaI4Var
00402152 .8D4D BC lea ecx, dword ptr ss: ; |
00402155 .50 push eax ; |Start
00402156 .8D55 84 lea edx, dword ptr ss: ; |
00402159 .51 push ecx ; |dString8
0040215A .52 push edx ; |RetBUFFER
0040215B .FF15 38414000 call near dword ptr ds:[<&MSVBVM50.#6>; \rtcMidCharVar
00402161 .8D45 84 lea eax, dword ptr ss:
00402164 .8D4D A8 lea ecx, dword ptr ss:
00402167 .50 push eax ; /String8
00402168 .51 push ecx ; |ARG2
00402169 .FF15 70414000 call near dword ptr ds:[<&MSVBVM50.__>; \fetch one character of the username
0040216F .50 push eax ; /push that username character
00402170 .FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.#5>; \hex value (character code) of the username character into eax
00402176 .66:8985 4CFFFFFF mov word ptr ss:, ax ;the character's hex value stored to this slot
0040217D .8D55 CC lea edx, dword ptr ss:
00402180 .8D85 44FFFFFF lea eax, dword ptr ss:
00402186 .52 push edx ; /var18
00402187 .8D8D 74FFFFFF lea ecx, dword ptr ss: ; |
0040218D .50 push eax ; |var28
0040218E .51 push ecx ; |saveto8
0040218F .899D 44FFFFFF mov dword ptr ss:, ebx ; |ebx=2 stored to this slot
00402195 .FF15 94414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarAdd
0040219B .8BD0 mov edx, eax
0040219D .8D4D CC lea ecx, dword ptr ss:
004021A0 .FFD6 call near esi ;the running sum of the username characters' hex values goes to ecx
004021A2 .8D4D A8 lea ecx, dword ptr ss:
004021A5 .FF15 B8414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeStr
004021AB .8D55 84 lea edx, dword ptr ss:
004021AE .8D45 94 lea eax, dword ptr ss:
004021B1 .52 push edx
004021B2 .50 push eax
004021B3 .53 push ebx
004021B4 .FFD7 call near edi
004021B6 .83C4 0C add esp, 0xC
004021B9 .8D8D E8FEFFFF lea ecx, dword ptr ss:
004021BF .8D95 F8FEFFFF lea edx, dword ptr ss:
004021C5 .8D45 DC lea eax, dword ptr ss:
004021C8 .51 push ecx ; /TMPend8
004021C9 .52 push edx ; |TMPstep8
004021CA .50 push eax ; |Counter8
004021CB .FF15 AC414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarForNext
004021D1 .^ E9 5CFFFFFF jmp Andréna.00402132 ; jump back up: the loop sums the hex values of every username character
004021D6 >8D4D CC lea ecx, dword ptr ss:
004021D9 .8D95 54FFFFFF lea edx, dword ptr ss:
004021DF .51 push ecx ; /var18
004021E0 .8D45 94 lea eax, dword ptr ss: ; |
004021E3 .52 push edx ; |var28
004021E4 .50 push eax ; |SaveTo8
004021E5 .C785 5CFFFFFF D202>mov dword ptr ss:, 0x49960>; |preset 499602D2 placed in this slot
004021EF .C785 54FFFFFF 0300>mov dword ptr ss:, 0x3 ; |3 stored to this slot
004021F9 .FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>; key call: computes the product of the preset 499602D2 and the sum of the username characters' hex values
004021FF .8BD0 mov edx, eax
00402201 .8D4D CC lea ecx, dword ptr ss:
00402204 .FFD6 call near esi
00402206 .8B1D A0414000 mov ebx, dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaMidStmtVar
0040220C .8D4D CC lea ecx, dword ptr ss:
0040220F .51 push ecx
00402210 .6A 04 push 0x4 ;4th character
00402212 .8D95 54FFFFFF lea edx, dword ptr ss:
00402218 .6A 01 push 0x1
0040221A .52 push edx
0040221B .C785 5CFFFFFF 341C>mov dword ptr ss:, Andréna>;preset "-" stored to this slot; replaces the 4th decimal digit of the product above with the preset "-"
00402225 .C785 54FFFFFF 0800>mov dword ptr ss:, 0x8 ;8 stored to this slot
0040222F .FFD3 call near ebx ;<&MSVBVM50.__vbaMidStmtVar>
00402231 .8D45 CC lea eax, dword ptr ss:
00402234 .8D8D 54FFFFFF lea ecx, dword ptr ss:
0040223A .50 push eax
0040223B .6A 09 push 0x9 ;9th character
0040223D .6A 01 push 0x1
0040223F .51 push ecx
00402240 .C785 5CFFFFFF 341C>mov dword ptr ss:, Andréna>;preset "-" stored to this slot; replaces the 9th decimal digit of the product above with the preset "-"
0040224A .C785 54FFFFFF 0800>mov dword ptr ss:, 0x8
00402254 .FFD3 call near ebx
00402256 .8B45 08 mov eax, dword ptr ss: ;when execution reaches this point, look at the stack window: a usable registration code has appeared
00402259 .50 push eax
0040225A .8B10 mov edx, dword ptr ds:
0040225C .FF92 04030000 call near dword ptr ds:
00402262 .50 push eax
00402263 .8D45 A4 lea eax, dword ptr ss:
00402266 .50 push eax
00402267 .FF15 24414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaObjSet
0040226D .8BD8 mov ebx, eax
0040226F .8D55 A8 lea edx, dword ptr ss:
00402272 .52 push edx
00402273 .53 push ebx
00402274 .8B0B mov ecx, dword ptr ds:
00402276 .FF91 A0000000 call near dword ptr ds:
0040227C .85C0 test eax, eax
0040227E .7D 12 jge short Andréna.00402292
00402280 .68 A0000000 push 0xA0
00402285 .68 201C4000 push Andréna.00401C20
0040228A .53 push ebx
0040228B .50 push eax
0040228C .FF15 14414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaHresultCheckObj
00402292 >8B45 A8 mov eax, dword ptr ss: ; the fake (entered) code into eax
00402295 .8D4D CC lea ecx, dword ptr ss: ;the real code should be passed here; right-click ecx in the register window -> Follow in Stack, and a suspicious registration code shows up
00402298 .8945 9C mov dword ptr ss:, eax ;fake code stored to this slot
0040229B .8D45 94 lea eax, dword ptr ss:
0040229E .50 push eax ; /var18
0040229F .51 push ecx ; |var28
004022A0 .C745 A8 00000000 mov dword ptr ss:, 0x0 ; |
004022A7 .C745 94 08800000 mov dword ptr ss:, 0x8008; |
004022AE .FF15 48414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarTstEq
004022B4 .8D4D A4 lea ecx, dword ptr ss:
004022B7 .8BD8 mov ebx, eax
004022B9 .FF15 B4414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeObj
004022BF .8D4D 94 lea ecx, dword ptr ss:
004022C2 .FF15 00414000 call near dword ptr ds:[<&MSVBVM50.__>;MSVBVM50.__vbaFreeVar
004022C8 .66:85DB test bx, bx
004022CB .0F84 C0000000 je Andréna.00402391 ;key point for a patch: if this jump is taken, it's game over
004022D1 .FF15 74414000 call near dword ptr ds:[<&MSVBVM50.#5>;MSVBVM50.rtcBeep
Stepping into this key call, 004021F9 . FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>, we arrive at the following code:
74121986 >55 push ebp
74121987 33C0 xor eax, eax ; clear eax
74121989 8BEC mov ebp, esp
7412198B 83EC 1C sub esp, 0x1C
7412198E 3905 64F01274 cmp dword ptr ds:, eax
74121994 53 push ebx
74121995 56 push esi
74121996 8945 E8 mov dword ptr ss:, eax
74121999 57 push edi
7412199A 0F85 D3670000 jnz MSVBVM50.74128173
741219A0 A1 6CF01274 mov eax, dword ptr ds:
741219A5 8D48 50 lea ecx, dword ptr ds:
741219A8 83C0 60 add eax, 0x60
741219AB 8B7D 10 mov edi, dword ptr ss:
741219AE 8B5D 0C mov ebx, dword ptr ss:
741219B1 8B75 08 mov esi, dword ptr ss:
741219B4 894D F4 mov dword ptr ss:, ecx
741219B7 66:8B0F mov cx, word ptr ds:
741219BA 8945 E4 mov dword ptr ss:, eax
741219BD 66:8B03 mov ax, word ptr ds:
741219C0 66:894D FE mov word ptr ss:, cx
741219C4 66:8945 F2 mov word ptr ss:, ax
741219C8 66:837D F2 11 cmp word ptr ss:, 0x11
741219CD 0F87 B1670000 ja MSVBVM50.74128184
741219D3 0FB745 FE movzx eax, word ptr ss: ; 2 into eax
741219D7 0FB74D F2 movzx ecx, word ptr ss: ; 3 into ecx
741219DB 6BC0 12 imul eax, eax, 0x12 ; eax=eax*12
741219DE 03C1 add eax, ecx ; eax=eax+ecx
741219E0 3D 43010000 cmp eax, 0x143
741219E5 0F87 04680000 ja MSVBVM50.741281EF
741219EB 0FB690 0D1D1274 movzx edx, byte ptr ds:[eax+0x74121D0D>
741219F2 FF2495 A51A1274 jmp near dword ptr ds:[edx*4+0x74121>
741219F9 0FBF4F 08 movsx ecx, word ptr ds:
741219FD 0FBF43 08 movsx eax, word ptr ds:
74121A01 0FAFC8 imul ecx, eax
74121A04 0FBFC1 movsx eax, cx
74121A07 3BC1 cmp eax, ecx
74121A09 0F85 A86B0000 jnz MSVBVM50.741285B7
74121A0F 66:C745 FE 0200 mov word ptr ss:, 0x2
74121A15 66:894E 08 mov word ptr ds:, cx
74121A19 EB 78 jmp short MSVBVM50.74121A93
74121A1B 0FBF4F 08 movsx ecx, word ptr ds: ; the sum of all the username characters' hex values into ecx
74121A1F 56 push esi
74121A20 FF73 08 push dword ptr ds:
74121A23 51 push ecx
74121A24 E8 1DCCF3FF call MSVBVM50.7405E646 ;key call, step into it (very important)
74121A29 EB 6F jmp short MSVBVM50.74121A9A
Stepping into this call, 74121A24 E8 1DCCF3FF call MSVBVM50.7405E646, we reach the code below:
7405E646 55 push ebp
7405E647 8BEC mov ebp, esp
7405E649 8B45 08 mov eax, dword ptr ss: ; the username hex sum in this slot into eax
7405E64C F76D 0C imul dword ptr ss: ; the crucial step: multiply the preset 499602D2 in this slot by the sum of the username characters' hex values
7405E64F 8B4D 10 mov ecx, dword ptr ss:
7405E652 0F80 2CC70300 jo MSVBVM50.7409AD84 ; when execution reaches here it jumps to the code below
7405E658 66:C701 0300 mov word ptr ds:, 0x3
When execution reaches 7405E652 it jumps to the code below:
The picture below shows the real code on the stack. Compare it with the long integer in the picture above: it is indeed taken from the product of the multiplication. The rule for deriving the code is simply to replace the 4th and 9th characters with "-"; the code above contains the derivation.
Algorithm analysis: Step 1: take the hex value (character code) of each character of the username and add them all up (the sum is then treated as a decimal number).
Step 2: multiply the sum from above by the author's preset constant 499602D2 (1234567890 in decimal).
Step 3: take the product as a long integer and replace its 4th and 9th digits with the preset "-".
Attached are the Easy Language keygen project files and the keygen itself, for discussion and learning together.
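To make the three steps concrete, here is the same keygen reconstructed in Python from the analysis above. This is an added example: it is neither the crackme's own code nor the Easy Language keygen attached to this post. The function names (char_sum, product_string, dash_positions, make_serial, verify) are my own, and it assumes ASCII usernames so that Python's ord() matches VB's Asc; the sample names "test" and "a" are constructed for the demonstration.

```python
"""Keygen for 160 CrackMe #009, reconstructed from the VB disassembly above.

Added example in Python, not the author's Easy Language keygen and not code
from the crackme itself.  It follows the three steps the analysis identifies:
  1. sum the character codes of every username character (Asc of each Mid$),
  2. multiply the sum by the constant 0x499602D2 (= 1234567890),
  3. write the product as a decimal string and overwrite its 4th and 9th
     characters with "-" (the two __vbaMidStmtVar calls).
"""

MAGIC = 0x499602D2  # 1234567890, the preset pushed before the key __vbaVarMul call


def char_sum(username: str) -> int:
    """Step 1: sum of Asc() of each character, as the For loop in the listing does."""
    # The crackme reads each character with Mid$(name, i, 1) and converts it
    # with Asc; for plain ASCII usernames ord() gives the same value (assumption).
    return sum(ord(c) for c in username)


def product_string(total: int) -> str:
    """Step 2: multiply by MAGIC and render the product the way VB prints it.

    In the crackme the multiplication is a Variant Long*Long; for almost any
    username it overflows a 32-bit Long (the 'jo' at 7405E652 in the listing),
    so the VB runtime carries the result on as a Double.  A Double is exact
    below 2**53, and MAGIC * total stays below that for every sum under about
    7 million, so plain integer arithmetic reproduces the same decimal digits.
    """
    return str(MAGIC * total)


def dash_positions(s: str, positions=(4, 9)) -> str:
    """Step 3: the Mid$(s, pos, 1) = "-" statements, with 1-based positions like VB."""
    chars = list(s)
    for pos in positions:
        if pos > len(chars):
            # VB's Mid statement raises runtime error 5 when Start > Len(s)
            raise ValueError(f"product string {s!r} is shorter than {pos} characters")
        chars[pos - 1] = "-"
    return "".join(chars)


def make_serial(username: str) -> str:
    """Full key derivation: steps 1-3 chained together."""
    if not username:
        # An empty name gives a sum of 0 and a product of "0", which is too
        # short for the Mid$ replacement; the crackme would error out here.
        raise ValueError("username must not be empty")
    return dash_positions(product_string(char_sum(username)))


def verify(username: str, serial: str) -> bool:
    """Mirror the final __vbaVarTstEq: a plain string comparison of the two codes."""
    try:
        return make_serial(username) == serial
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names; "test" has sum 448 and yields "553-8641-720"
    for name in ("test", "a"):
        print(f"{name!r} -> sum={char_sum(name)} serial={make_serial(name)}")
```

The product for any non-empty name is at least ten digits long (1234567890 times 1), so the 4th and 9th positions always exist; the only failing input is the empty name, which verify() reports as invalid instead of raising, matching the crackme's behaviour of never accepting it.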
First! :lol Learning, learning, learned something!!!!!!!!!!!