CrackMe第十题爆破 + 算法分析 + 注册机
0x00 前言最近真的没有什么帖子好写了,在无意中发现了这个:
https://www.52pojie.cn/thread-709699-1-1.html
于是我就打算每天做一道CrackMe的题目
第一题:https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107523
第二题:https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107888
第三题:https://www.52pojie.cn/thread-1108487-1-1.html
第四题:https://www.52pojie.cn/thread-1109140-1-1.html
第五题:太变态了,算了
第六题:https://www.52pojie.cn/thread-1111030-1-1.html
第七题:https://www.52pojie.cn/thread-1112318-1-1.html
第八题:https://www.52pojie.cn/thread-1113163-1-1.html
第九题算法:https://www.52pojie.cn/thread-1114003-1-1.html
第九题爆破:https://www.52pojie.cn/thread-1113295-1-1.html
第十题:https://www.52pojie.cn/thread-1116170-1-1.html
最近装了个Linux,本来想用Linux给你们写帖子来着,,结果Wine打开OD会闪退
搞了两天没好,,于是只能用Windows了
0x01 正文
打开第十个CrackMe:
这次只有Key
注册码应该是固定的
先爆破,下rtcMsgBox断点
输入假码,注册,断下,运行到返回,下断:
爆破:
爆破完了,还有算法分析
贴上关键代码:
00401F30 .51 push ecx ; /Step8 = 0018F244
00401F31 .8D45 94 lea eax,dword ptr ss: ; |
00401F34 .52 push edx ; |/var18 = 0018F234
00401F35 .50 push eax ; ||retBuffer8 = 0018F29C
00401F36 .FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; |\计算字符串长度
00401F3C .8D8D 44FFFFFF lea ecx,dword ptr ss: ; |
00401F42 .50 push eax ; |End8 = 0018F29C
00401F43 .8D95 ECFEFFFF lea edx,dword ptr ss: ; |
00401F49 .51 push ecx ; |Start8 = 0018F244
00401F4A .8D85 FCFEFFFF lea eax,dword ptr ss: ; |
00401F50 .52 push edx ; |TMPend8 = 0018F234
00401F51 .8D4D DC lea ecx,dword ptr ss: ; |
00401F54 .50 push eax ; |TMPstep8 = 0018F29C
00401F55 .51 push ecx ; |Counter8 = 0018F244
00401F56 .FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \定义一个变量
00401F5C .8B1D 68414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>;两个变量相连的函数地址放到ebx
00401F62 .8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFr>;释放内存函数地址放到edi
00401F68 >85C0 test eax,eax
00401F6A .0F84 BB000000 je Andréna.0040202B
00401F70 .8D55 94 lea edx,dword ptr ss:
00401F73 .8D45 DC lea eax,dword ptr ss:
00401F76 .52 push edx
00401F77 .50 push eax
00401F78 .C745 9C 01000>mov dword ptr ss:,0x1
00401F7F .C745 94 02000>mov dword ptr ss:,0x2
00401F86 .FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>;截取字符串
00401F8C .8D4D BC lea ecx,dword ptr ss: ; |
00401F8F .50 push eax ; |Start = 0x18F29C
00401F90 .8D55 84 lea edx,dword ptr ss: ; |
00401F93 .51 push ecx ; |dString8 = 0018F244
00401F94 .52 push edx ; |RetBUFFER = 0018F234
00401F95 .FF15 34414000 call dword ptr ds:[<&MSVBVM50.#632>] ; \取字符串中间
00401F9B .8D45 84 lea eax,dword ptr ss:
00401F9E .8D4D A8 lea ecx,dword ptr ss:
00401FA1 .50 push eax ; /String8 = 0018F29C
00401FA2 .51 push ecx ; |ARG2 = 0018F244
00401FA3 .FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVa>; \__vbaStrVarVal
00401FA9 .50 push eax ; /String = ""
00401FAA .FF15 08414000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr
00401FB0 .66:05 0A00 add ax,0xA ;把取出的ASCII + 0xA
00401FB4 .0F80 B0020000 jo Andréna.0040226A
00401FBA .0FBFD0 movsx edx,ax
00401FBD .52 push edx
00401FBE .FF15 70414000 call dword ptr ds:[<&MSVBVM50.#537>] ;MSVBVM50.rtcBstrFromAnsi
00401FC4 .8985 7CFFFFFF mov dword ptr ss:,eax
00401FCA .8D45 CC lea eax,dword ptr ss:
00401FCD .8D8D 74FFFFFF lea ecx,dword ptr ss:
00401FD3 .50 push eax
00401FD4 .8D95 64FFFFFF lea edx,dword ptr ss:
00401FDA .51 push ecx
00401FDB .52 push edx
00401FDC .C785 74FFFFFF>mov dword ptr ss:,0x8
00401FE6 .FFD3 call ebx ;应该是把另外一个字符串变量加上刚刚算出的ASCII的字符
00401FE8 .8BD0 mov edx,eax
00401FEA .8D4D CC lea ecx,dword ptr ss:
00401FED .FFD6 call esi ;MSVBVM50.__vbaVarMove
00401FEF .8D4D A8 lea ecx,dword ptr ss:
00401FF2 .FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;MSVBVM50.__vbaFreeStr
00401FF8 .8D85 74FFFFFF lea eax,dword ptr ss:
00401FFE .8D4D 84 lea ecx,dword ptr ss:
00402001 .50 push eax
00402002 .8D55 94 lea edx,dword ptr ss:
00402005 .51 push ecx
00402006 .52 push edx
00402007 .6A 03 push 0x3
00402009 .FFD7 call edi ;MSVBVM50.__vbaFreeVarList
0040200B .83C4 10 add esp,0x10
0040200E .8D85 ECFEFFFF lea eax,dword ptr ss:
00402014 .8D8D FCFEFFFF lea ecx,dword ptr ss:
0040201A .8D55 DC lea edx,dword ptr ss:
0040201D .50 push eax ; /TMPend8 = 0018F29C
0040201E .51 push ecx ; |TMPstep8 = 0018F244
0040201F .52 push edx ; |Counter8 = 0018F234
00402020 .FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForNext
00402026 .^ E9 3DFFFFFF jmp Andréna.00401F68
0040202B >8D45 CC lea eax,dword ptr ss:
0040202E .8D8D 54FFFFFF lea ecx,dword ptr ss:
00402034 .50 push eax ; /var18 = 0018F29C
00402035 .51 push ecx ; |var28 = 0018F244
00402036 .C785 5CFFFFFF>mov dword ptr ss:,Andréna.0040>; |UNICODE "kXy^rO|*yXo*m\kMuOn*+"
00402040 .C785 54FFFFFF>mov dword ptr ss:,0x8008 ; |
0040204A .FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq
基本的流程就是
取出输入的每个字符,将他们的ASCII减去0xA对应的字符与“kXy^rO|*yXo*m\kMuOn*+”进行比较
相等就成功,不相等就失败
注册机:
一行Python:
for i in 'kXy^rO|*yXo*m\kMuOn*+': print(chr(ord(i) - 0xA))
好理解的Python:(这个再看不懂。。。我也没办法了)
注册码 = ''
for 字符串第循环次数位 in 'kXy^rO|*yXo*m\kMuOn*+':
转换成ASCII再减0xA = ord(字符串第循环次数位) - 0xA#减去0xA是因为在程序中加上了0xA,我们是进行逆运算,所以就要减
转换成字符的结果 = chr(转换成ASCII再减0xA)
注册码 += 转换成字符的结果 #注册码加上转换成字符的结果
print(注册码) #打印注册码
注册码你们自己去算吧
也可以刮刮卡:aNoThEr oNe cRaCkEd !
0x03 最后
评分不要钱!评分不要钱!评分不要钱! 好人一生平安 作者太良心。我会好好用的 写的蛮好,但有些看不懂。 谢谢作者的呕心力作。 虽然不懂但是好像很厉害的样子 我要什么时候才能达到这个等级 学习一下 感谢分享
页:
[1]
2