CrackMe Problem 9: Algorithm Analysis
This post was last edited by growuphappily on 2020-2-23 19:23
0x00 Preface
I really haven't had much worth writing about lately, and by chance I came across this:
https://www.52pojie.cn/thread-709699-1-1.html
So I decided to do one CrackMe problem every day.
Problem 1: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107523
Problem 2: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107888
Problem 3: https://www.52pojie.cn/thread-1108487-1-1.html
Problem 4: https://www.52pojie.cn/thread-1109140-1-1.html
Problem 5: way too brutal, forget it
Problem 6: https://www.52pojie.cn/thread-1111030-1-1.html
Problem 7: https://www.52pojie.cn/thread-1112318-1-1.html
Problem 8: https://www.52pojie.cn/thread-1113163-1-1.html
Problem 9, algorithm: https://www.52pojie.cn/thread-1114003-1-1.html
Problem 9, patch crack: https://www.52pojie.cn/thread-1113295-1-1.html
0x01 Main text
Continuing from the previous post, let's start analysing the algorithm.
First go back to the spot we patched last time and set a breakpoint at the start of the block.
Register, and the breakpoint hits.
Algorithm:
004020AE > \8B45 A8 mov eax,dword ptr ss: ;load name
004020B1 .8975 A8 mov dword ptr ss:,esi ;zero ebp-0x58
004020B4 .8B35 FC404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarMove>] ;MSVBVM50.__vbaVarMove
004020BA .8D55 94 lea edx,dword ptr ss:
004020BD .8D4D BC lea ecx,dword ptr ss:
004020C0 .8945 9C mov dword ptr ss:,eax
004020C3 .C745 94 08000>mov dword ptr ss:,0x8
004020CA .FFD6 call esi ;MSVBVM50.__vbaVarMove; <&MSVBVM50.__vbaVarMove>
004020CC .8D4D A4 lea ecx,dword ptr ss:
004020CF .FF15 B4414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>] ;MSVBVM50.__vbaFreeObj
004020D5 .B8 01000000 mov eax,0x1
004020DA .8D8D 54FFFFFF lea ecx,dword ptr ss:
004020E0 .8985 5CFFFFFF mov dword ptr ss:,eax
004020E6 .8985 4CFFFFFF mov dword ptr ss:,eax
004020EC .8D55 BC lea edx,dword ptr ss:
004020EF .51 push ecx ; /Step8 = NULL
004020F0 .8D45 94 lea eax,dword ptr ss: ; |
004020F3 .BB 02000000 mov ebx,0x2 ; |
004020F8 .52 push edx ; |/var18 = NULL
004020F9 .50 push eax ; ||retBuffer8 = 005ADA10
004020FA .899D 54FFFFFF mov dword ptr ss:,ebx ; ||MSVBVM50.__vbaMidStmtVar
00402100 .899D 44FFFFFF mov dword ptr ss:,ebx ; ||compute name length
00402106 .FF15 18414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ; |\__vbaLenVar
0040210C .8D8D 44FFFFFF lea ecx,dword ptr ss: ; |
00402112 .50 push eax ; |End8 = 005ADA10
00402113 .8D95 E8FEFFFF lea edx,dword ptr ss: ; |
00402119 .51 push ecx ; |Start8 = NULL
0040211A .8D85 F8FEFFFF lea eax,dword ptr ss: ; |
00402120 .52 push edx ; |TMPend8 = NULL
00402121 .8D4D DC lea ecx,dword ptr ss: ; |
00402124 .50 push eax ; |TMPstep8 = 005ADA10
00402125 .51 push ecx ; |Counter8 = NULL
00402126 .FF15 20414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>] ; \__vbaVarForInit
0040212C .8B3D 04414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ;MSVBVM50.__vbaFreeVarList
00402132 >85C0 test eax,eax
00402134 .0F84 9C000000 je Andréna.004021D6
0040213A .8D55 94 lea edx,dword ptr ss:
0040213D .8D45 DC lea eax,dword ptr ss:
00402140 .52 push edx
00402141 .50 push eax
00402142 .C745 9C 01000>mov dword ptr ss:,0x1
00402149 .895D 94 mov dword ptr ss:,ebx ;MSVBVM50.__vbaMidStmtVar
0040214C .FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ;MSVBVM50.__vbaI4Var
00402152 .8D4D BC lea ecx,dword ptr ss: ; |
00402155 .50 push eax ; |Start = 0x5ADA10
00402156 .8D55 84 lea edx,dword ptr ss: ; |
00402159 .51 push ecx ; |dString8 = NULL
0040215A .52 push edx ; |RetBUFFER = NULL
0040215B .FF15 38414000 call dword ptr ds:[<&MSVBVM50.#632>] ; \rtcMidCharVar
00402161 .8D45 84 lea eax,dword ptr ss:
00402164 .8D4D A8 lea ecx,dword ptr ss: ;take the first character
00402167 .50 push eax ; /String8 = 005ADA10
00402168 .51 push ecx ; |ARG2 = NULL
00402169 .FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ; \__vbaStrVarVal
0040216F .50 push eax ; /String = "?@"
00402170 .FF15 0C414000 call dword ptr ds:[<&MSVBVM50.#516>] ; \convert to ASCII
00402176 .66:8985 4CFFF>mov word ptr ss:,ax
0040217D .8D55 CC lea edx,dword ptr ss:
00402180 .8D85 44FFFFFF lea eax,dword ptr ss:
00402186 .52 push edx ; /var18 = NULL
00402187 .8D8D 74FFFFFF lea ecx,dword ptr ss: ; |
0040218D .50 push eax ; |var28 = 005ADA10
0040218E .51 push ecx ; |saveto8 = NULL
0040218F .899D 44FFFFFF mov dword ptr ss:,ebx ; |MSVBVM50.__vbaMidStmtVar
00402195 .FF15 94414000 call dword ptr ds:[<&MSVBVM50.__vbaVarAdd>] ; \__vbaVarAdd
0040219B .8BD0 mov edx,eax
0040219D .8D4D CC lea ecx,dword ptr ss:
004021A0 .FFD6 call esi ;MSVBVM50.__vbaVarMove
004021A2 .8D4D A8 lea ecx,dword ptr ss:
004021A5 .FF15 B8414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ;MSVBVM50.__vbaFreeStr
004021AB .8D55 84 lea edx,dword ptr ss:
004021AE .8D45 94 lea eax,dword ptr ss:
004021B1 .52 push edx
004021B2 .50 push eax
004021B3 .53 push ebx ;MSVBVM50.__vbaMidStmtVar
004021B4 .FFD7 call edi ;MSVBVM50.__vbaFreeVarList
004021B6 .83C4 0C add esp,0xC
004021B9 .8D8D E8FEFFFF lea ecx,dword ptr ss:
004021BF .8D95 F8FEFFFF lea edx,dword ptr ss:
004021C5 .8D45 DC lea eax,dword ptr ss:
004021C8 .51 push ecx ; /TMPend8 = NULL
004021C9 .52 push edx ; |TMPstep8 = NULL
004021CA .50 push eax ; |Counter8 = 005ADA10
004021CB .FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>] ; \__vbaVarForNext
004021D1 .^ E9 5CFFFFFF jmp Andréna.00402132
004021D6 >8D4D CC lea ecx,dword ptr ss:
004021D9 .8D95 54FFFFFF lea edx,dword ptr ss:
004021DF .51 push ecx ; /var18 = NULL
004021E0 .8D45 94 lea eax,dword ptr ss: ; |
004021E3 .52 push edx ; |var28 = NULL
004021E4 .50 push eax ; |SaveTo8 = 005ADA10
004021E5 .C785 5CFFFFFF>mov dword ptr ss:,0x499602D2 ; |
004021EF .C785 54FFFFFF>mov dword ptr ss:,0x3 ; |
004021F9 .FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarMul>] ; \__vbaVarMul
004021FF .8BD0 mov edx,eax
00402201 .8D4D CC lea ecx,dword ptr ss:
00402204 .FFD6 call esi ;MSVBVM50.__vbaVarMove
00402206 .8B1D A0414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaMidStmtVar>] ;MSVBVM50.__vbaMidStmtVar
0040220C .8D4D CC lea ecx,dword ptr ss:
0040220F .51 push ecx
00402210 .6A 04 push 0x4
00402212 .8D95 54FFFFFF lea edx,dword ptr ss:
00402218 .6A 01 push 0x1
0040221A .52 push edx
0040221B .C785 5CFFFFFF>mov dword ptr ss:,Andréna.00401C34 ;UNICODE "-"
00402225 .C785 54FFFFFF>mov dword ptr ss:,0x8
0040222F .FFD3 call ebx ;MSVBVM50.__vbaMidStmtVar; <&MSVBVM50.__vbaMidStmtVar>
00402231 .8D45 CC lea eax,dword ptr ss:
00402234 .8D8D 54FFFFFF lea ecx,dword ptr ss:
0040223A .50 push eax
0040223B .6A 09 push 0x9
0040223D .6A 01 push 0x1
0040223F .51 push ecx
00402240 .C785 5CFFFFFF>mov dword ptr ss:,Andréna.00401C34 ;UNICODE "-"
0040224A .C785 54FFFFFF>mov dword ptr ss:,0x8
00402254 .FFD3 call ebx ;MSVBVM50.__vbaMidStmtVar
00402256 .8B45 08 mov eax,dword ptr ss:
00402259 .50 push eax
0040225A .8B10 mov edx,dword ptr ds: ;Andréna.004032F0
0040225C .FF92 04030000 call dword ptr ds:
00402262 .50 push eax
00402263 .8D45 A4 lea eax,dword ptr ss:
00402266 .50 push eax
00402267 .FF15 24414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ;MSVBVM50.__vbaObjSet
0040226D .8BD8 mov ebx,eax
0040226F .8D55 A8 lea edx,dword ptr ss:
00402272 .52 push edx
00402273 .53 push ebx ;MSVBVM50.__vbaMidStmtVar
00402274 .8B0B mov ecx,dword ptr ds:
00402276 .FF91 A0000000 call dword ptr ds:
0040227C .85C0 test eax,eax
0040227E .7D 12 jge short Andréna.00402292
00402280 .68 A0000000 push 0xA0
00402285 .68 201C4000 push Andréna.00401C20
0040228A .53 push ebx ;MSVBVM50.__vbaMidStmtVar
0040228B .50 push eax
0040228C .FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ;MSVBVM50.__vbaHresultCheckObj
00402292 >8B45 A8 mov eax,dword ptr ss:
00402295 .8D4D CC lea ecx,dword ptr ss:
00402298 .8945 9C mov dword ptr ss:,eax
0040229B .8D45 94 lea eax,dword ptr ss:
0040229E .50 push eax ; /var18 = 005ADA10
0040229F .51 push ecx ; |var28 = NULL
004022A0 .C745 A8 00000>mov dword ptr ss:,0x0 ; |
004022A7 .C745 94 08800>mov dword ptr ss:,0x8008 ; |
004022AE .FF15 48414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ; \__vbaVarTstEq
Looks like a headache... VB functions are weird: instead of putting the return value in eax they insist on putting it in ebp-0x34.
Kept stepping and saw a suspicious string: "177-6049-2150"
Tried pasting it into the serial field
Registration succeeded!
In other words, the serial for growuphappily is 177-6049-2150!
However, after an hour of analysis I got nowhere.
In the end I decided to just throw it into a VB decompiler...
Private Sub Command1_Click() '401FF0
loc_00402092: var_58 = Text2.Text
loc_004020CA: var_44 = var_58
loc_00402126: For var_24 = 1 To Len(var_44) Step 1
loc_00402132:
loc_00402134: If var_108 = 0 Then GoTo loc_004021D6
loc_00402169: var_58 = CStr(Mid(var_44, CLng(var_24), 1))
loc_00402176: var_B4 = Asc(var_58)
loc_004021A0: var_34 = var_34 + Asc(var_58)
loc_004021CB: Next var_24
loc_004021D1: GoTo loc_00402132
loc_004021D6: 'Referenced from: 00402134
loc_00402204: var_34 = var_34 * 1234567890
loc_0040222F: call ebx(8, 00000001h, 00000004h, var_34, var_108, var_118, Me, undef 'Ignore this '__vbaFreeVarList, %ecx = %S_edx_S, 004041A0h)
loc_00402254: call ebx(8, 00000001h, 00000009h, var_34)
loc_00402276: var_58 = Text1.Text
loc_00402298: var_64 = var_58
loc_004022CB: If (var_58 = var_34) = 0 Then GoTo loc_00402391
loc_004022D1: Beep
loc_00402308: var_B4 = "对了!"
loc_00402327: var_A4 = "RiCHTiG !!!! ....weiter mit dem Nächsten !!!"
loc_00402374: var_54 = MsgBox("RiCHTiG !!!! ....weiter mit dem Nächsten !!!", 48, "对了!", 10, 10)
loc_0040238C: GoTo loc_00402446
loc_00402391: 'Referenced from: 004022CB
loc_004023C2: var_B4 = "抱歉,这不对!"
loc_004023E1: var_A4 = "可惜,错了,如果你做不到,那就E-Mail我在 xxxxxxxxxx@xxx.xxx(脱敏)"
loc_0040242E: var_54 = MsgBox("可惜,错了,如果你做不到,那就E-Mail我在 xxxxxxxxxx@xxx.xxx(脱敏)", 16, "抱歉,这不对!", 10, 10)
loc_00402446: 'Referenced from: 0040238C
loc_00402459: GoTo loc_0040248F
loc_0040248E: Exit Sub
loc_0040248F: 'Referenced from: 00402459
loc_004024C0: GoTo loc_00esi
End Sub
As you can see, it just adds up the ASCII code of every character of Name and multiplies the sum by 1234567890.
I don't know what the two calls in the middle are for, though.
First compute the value produced by the preceding steps: 1771604922150
Then compare it with the serial: 177-6049-2150
Isn't that just the 4th and 9th characters replaced with '-'?!
Here's the keygen:
a = 0
for i in input('请输入你的名字:'):  # prompt reads "Please enter your name:"
    a += ord(i)  # sum the ASCII codes of the name
a *= 1234567890
key = ''
for i in range(len(str(a))):
    # 0-based indices 3 and 8 are the 4th and 9th characters, which become '-'
    if i in [3, 8]:
        key += '-'
        continue
    key += str(a)[i]
print(key)
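The serial check reconstructed from the decompiled Command1_Click, as an added example that is not part of the original post. It models VB's Mid statement explicitly (the two calls the post could not identify overwrite characters in place rather than inserting them); vb_mid_stmt, keygen and check_serial are names I chose.

```python
# Added example, not from the original post: the Problem 9 check routine
# rebuilt from the decompiled VB, with VB's `Mid(s, start, len) = repl`
# statement modelled explicitly. Names (vb_mid_stmt, keygen, check_serial)
# are assumptions of this example.

def vb_mid_stmt(s: str, start: int, length: int, repl: str) -> str:
    """Model of VB's Mid statement: overwrite characters of s in place.

    At most `length` characters are replaced, never more than `repl`
    supplies or than remain in `s`, and the string never grows.
    `start` is 1-based; a start past the end raises VB error 5, modelled
    here as ValueError.
    """
    if start < 1 or start > len(s):
        raise ValueError("Invalid procedure call or argument (VB error 5)")
    n = min(length, len(repl), len(s) - start + 1)
    return s[:start - 1] + repl[:n] + s[start - 1 + n:]


def keygen(name: str) -> str:
    # For/Next loop: var_34 = var_34 + Asc(Mid(name, i, 1)).
    # Asc() returns the ANSI code, so this model only holds for ASCII names.
    total = sum(ord(c) for c in name)
    # __vbaVarMul with the constant 0x499602D2 == 1234567890.
    total *= 1234567890
    # The Variant is converted to text for the Mid statements; assumed here
    # that VB prints it as plain digits, which holds below 1E15 and thus
    # for any realistic name length.
    serial = str(total)
    # The two __vbaMidStmtVar calls: Mid(sn, 4, 1) = "-" and Mid(sn, 9, 1) = "-".
    serial = vb_mid_stmt(serial, 4, 1, "-")
    serial = vb_mid_stmt(serial, 9, 1, "-")
    return serial


def check_serial(name: str, serial: str) -> bool:
    # __vbaVarTstEq compares the text typed into Text1 with the computed value.
    try:
        return keygen(name) == serial
    except ValueError:
        # Product shorter than 9 digits (only an empty name): VB would raise
        # inside the Mid statement, so no serial can be valid.
        return False


if __name__ == "__main__":
    print(keygen("growuphappily"))  # 177-6049-2150, the serial found in the post
```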
0x03 Final words
Rating is free! Rating is free! Rating is free!
The two calls in the middle are the VB function MID():
Mid(sn, 4, 1) = "-"
Mid(sn, 9, 1) = "-"
It just replaces characters 4 and 9 with "-".
Thanks for sharing, OP :lol
A bit difficult
Marking this, impressive
Came in to learn.
Awesome, must study hard
Thanks for sharing
Came in to learn.
Need to digest this properly
Thanks for sharing