CrackMe Problem 11: Algorithm + Keygen
This post was last edited by growuphappily on 2020-3-2 13:22
0x00 Preface
Lately I really haven't had anything worth posting, and then I stumbled across this:
https://www.52pojie.cn/thread-709699-1-1.html
So I decided to do one CrackMe problem every day.
Problem 1: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107523
Problem 2: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107888
Problem 3: https://www.52pojie.cn/thread-1108487-1-1.html
Problem 4: https://www.52pojie.cn/thread-1109140-1-1.html
Problem 5: way too brutal, skipped
Problem 6: https://www.52pojie.cn/thread-1111030-1-1.html
Problem 7: https://www.52pojie.cn/thread-1112318-1-1.html
Problem 8: https://www.52pojie.cn/thread-1113163-1-1.html
Problem 9 (algorithm): https://www.52pojie.cn/thread-1114003-1-1.html
Problem 9 (patching): https://www.52pojie.cn/thread-1113295-1-1.html
Problem 10: https://www.52pojie.cn/thread-1116170-1-1.html
Problem 11: https://www.52pojie.cn/thread-1119813-1-1.html
Problem 11 (algorithm): https://www.52pojie.cn/thread-1120768-1-1.html
Problem 12: a 16-bit program, can't run it, skipped (actually I gave up after seeing others say it was hard, lol)
0x01 Main Part
Thinking back to when I patched this one, I found a bunch of strings, and only one of them was hexadecimal.
Let's look at the VB Decompiler output:
loc_004064A2: For var_24 = 1 To Len(var_44) Step 1
loc_004064A8:
loc_004064AA: If var_24 = 0 Then GoTo loc_004065D9
loc_004064C4: var_50 = CStr(Left(var_44, 2))
loc_00406516: var_3A0 = Asc(Mid$(CStr(var_44), CLng(var_24), 1))
loc_00406558: var_8C = Hex$((var_3A8 + var_CC))
loc_00406585: var_34 = 0 & Hex$((var_3A8 + var_CC))
loc_004065CE: Next var_24
loc_004065D4: GoTo loc_004064A8
loc_004065D9: 'Referenced from: 004064AA
loc_00406601: If (var_34 = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C") = 0 Then GoTo loc_0040664F
So it takes the characters of the string one by one, converts each to its ASCII code, adds var_CC, concatenates the results, and prepends a 0.
What var_CC is we don't know yet; we have to look at the code in OD.
(var_CC is ebp-0xCC in OD.)
OD code:
00406432 > \8D95 4CFFFFFF lea edx,dword ptr ss:
00406438 .8D4D CC lea ecx,dword ptr ss:
0040643B .C785 54FFFFFF>mov dword ptr ss:,0x0
00406445 .C785 4CFFFFFF>mov dword ptr ss:,0x2
0040644F .FFD7 call edi ;user32.PeekMessageA
00406451 .B8 02000000 mov eax,0x2
00406456 .B9 01000000 mov ecx,0x1
0040645B .8985 4CFFFFFF mov dword ptr ss:,eax ;msvbvm60.6601A3C8
00406461 .8985 3CFFFFFF mov dword ptr ss:,eax ;msvbvm60.6601A3C8
00406467 .898D 54FFFFFF mov dword ptr ss:,ecx
0040646D .898D 44FFFFFF mov dword ptr ss:,ecx
00406473 .8D85 4CFFFFFF lea eax,dword ptr ss:
00406479 .8D4D BC lea ecx,dword ptr ss:
0040647C .50 push eax ; /Step8 = msvbvm60.6601A3C8
0040647D .8D55 9C lea edx,dword ptr ss: ; |
00406480 .51 push ecx ; |/var18 = C71CB2C8
00406481 .52 push edx ; ||retBuffer8 = NULL
00406482 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVa>; |\__vbaLenVar
00406488 .50 push eax ; |End8 = msvbvm60.6601A3C8
00406489 .8D85 3CFFFFFF lea eax,dword ptr ss: ; |
0040648F .8D8D 68FDFFFF lea ecx,dword ptr ss: ; |
00406495 .50 push eax ; |Start8 = msvbvm60.6601A3C8
00406496 .8D95 78FDFFFF lea edx,dword ptr ss: ; |
0040649C .51 push ecx ; |TMPend8 = C71CB2C8
0040649D .8D45 DC lea eax,dword ptr ss: ; |
004064A0 .52 push edx ; |TMPstep8 = NULL
004064A1 .50 push eax ; |Counter8 = msvbvm60.6601A3C8
004064A2 .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForInit
004064A8 >85C0 test eax,eax ;msvbvm60.6601A3C8
004064AA .0F84 29010000 je Andréna.004065D9
004064B0 .8D4D BC lea ecx,dword ptr ss:
004064B3 .6A 02 push 0x2 ; 2 is pushed, so only the first two characters are taken
004064B5 .8D55 8C lea edx,dword ptr ss:
004064B8 .51 push ecx
004064B9 .52 push edx
004064BA .FFD3 call ebx ; this call is VB's Left() function, which takes the first N characters of a string; 2 was pushed above, so it takes the first two
004064BC .8D45 8C lea eax,dword ptr ss:
004064BF .8D4D B0 lea ecx,dword ptr ss:
004064C2 .50 push eax ;msvbvm60.6601A3C8
004064C3 .51 push ecx
004064C4 .FFD6 call esi ; this call stores the string obtained above at a memory address and puts that address in eax
004064C6 .50 push eax ;msvbvm60.6601A3C8
004064C7 .FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#581>] ; converts the extracted characters to a hexadecimal number and puts it in the floating-point register. Note: this is not decimal-to-hex; for example, input 12 gives 0x12
004064CD .DD9D 34FFFFFF fstp qword ptr ss: ; here the just-converted hexadecimal number is stored into ebp-0xCC
004064D3 .8D55 9C lea edx,dword ptr ss:
004064D6 .8D45 DC lea eax,dword ptr ss:
004064D9 .52 push edx
004064DA .50 push eax ;msvbvm60.6601A3C8
004064DB .C745 A4 01000>mov dword ptr ss:,0x1
004064E2 .C745 9C 02000>mov dword ptr ss:,0x2
004064E9 .FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;msvbvm60.__vbaI4Var
004064EF .8D4D BC lea ecx,dword ptr ss:
004064F2 .50 push eax ;msvbvm60.6601A3C8
004064F3 .8D55 B8 lea edx,dword ptr ss:
004064F6 .51 push ecx
004064F7 .52 push edx
004064F8 .FFD6 call esi
004064FA .50 push eax ;msvbvm60.6601A3C8
004064FB .FF15 4C104000 call dword ptr ds:[<&MSVBVM60.#631>] ;msvbvm60.rtcMidCharBstr
00406501 .8BD0 mov edx,eax ;msvbvm60.6601A3C8
00406503 .8D4D B4 lea ecx,dword ptr ss:
00406506 .FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;msvbvm60.__vbaStrMove
0040650C .50 push eax ; /String = "tl"
0040650D .FF15 20104000 call dword ptr ds:[<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
00406513 .0FBFC0 movsx eax,ax
00406516 .8985 60FCFFFF mov dword ptr ss:,eax ;msvbvm60.6601A3C8
0040651C .8D8D 7CFFFFFF lea ecx,dword ptr ss:
00406522 .DB85 60FCFFFF fild dword ptr ss:
00406528 .51 push ecx
00406529 .C785 7CFFFFFF>mov dword ptr ss:,0x5
00406533 .DD9D 58FCFFFF fstp qword ptr ss:
00406539 .DD85 58FCFFFF fld qword ptr ss:
0040653F .DC85 34FFFFFF fadd qword ptr ss:
00406545 .DD5D 84 fstp qword ptr ss:
00406548 .DFE0 fstsw ax
0040654A .A8 0D test al,0xD
0040654C .0F85 7A040000 jnz Andréna.004069CC
00406552 .FF15 94104000 call dword ptr ds:[<&MSVBVM60.#572>] ;msvbvm60.rtcHexBstrFromVar
00406558 .8985 74FFFFFF mov dword ptr ss:,eax ;msvbvm60.6601A3C8
0040655E .8D55 CC lea edx,dword ptr ss:
00406561 .8D85 6CFFFFFF lea eax,dword ptr ss:
00406567 .52 push edx
00406568 .8D8D 5CFFFFFF lea ecx,dword ptr ss:
0040656E .50 push eax ;msvbvm60.6601A3C8
0040656F .51 push ecx
00406570 .C785 6CFFFFFF>mov dword ptr ss:,0x8
0040657A .FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>;msvbvm60.__vbaVarCat
00406580 .8BD0 mov edx,eax ;msvbvm60.6601A3C8
00406582 .8D4D CC lea ecx,dword ptr ss:
00406585 .FFD7 call edi ;user32.PeekMessageA
00406587 .8D55 B0 lea edx,dword ptr ss:
0040658A .8D45 B4 lea eax,dword ptr ss:
0040658D .52 push edx
0040658E .8D4D B8 lea ecx,dword ptr ss:
00406591 .50 push eax ;msvbvm60.6601A3C8
00406592 .51 push ecx
00406593 .6A 03 push 0x3
00406595 .FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStrList
0040659B .8D95 6CFFFFFF lea edx,dword ptr ss:
004065A1 .8D85 7CFFFFFF lea eax,dword ptr ss:
004065A7 .52 push edx
004065A8 .8D4D 8C lea ecx,dword ptr ss:
004065AB .50 push eax ;msvbvm60.6601A3C8
004065AC .8D55 9C lea edx,dword ptr ss:
004065AF .51 push ecx
004065B0 .52 push edx
004065B1 .6A 04 push 0x4
004065B3 .FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList
004065B9 .83C4 24 add esp,0x24
004065BC .8D85 68FDFFFF lea eax,dword ptr ss:
004065C2 .50 push eax ; /TMPend8 = msvbvm60.6601A3C8
004065C3 .8D8D 78FDFFFF lea ecx,dword ptr ss: ; |
004065C9 .8D55 DC lea edx,dword ptr ss: ; |
004065CC .51 push ecx ; |TMPstep8 = C71CB2C8
004065CD .52 push edx ; |Counter8 = NULL
004065CE .FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
004065D4 .^ E9 CFFEFFFF jmp Andréna.004064A8
004065D9 >8D45 CC lea eax,dword ptr ss:
004065DC .8D8D 4CFFFFFF lea ecx,dword ptr ss:
004065E2 .50 push eax ; /var18 = msvbvm60.6601A3C8
004065E3 .51 push ecx ; |var28 = C71CB2C8
004065E4 .C785 54FFFFFF>mov dword ptr ss:,Andréna.0040>; |0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C
004065EE .C785 4CFFFFFF>mov dword ptr ss:,0x8008 ; |
004065F8 .FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
So now the origin of var_CC is clear.
(See the comments for the details.)
Main flow: take the input key and its first two characters, convert that prefix to a number, add that number to the ASCII code of every character of the input, convert each sum to a hexadecimal string, concatenate them, prepend a 0, and compare the result with 0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C.
For this we can use brute force (in plain terms: try the values one by one).
Keygen:
key = "81,7E,74,7D,7A,7D,7C,7F,82,83,6D,74,74,7A,7F,7E,7B,7C,7D,82,6D,81,7E,7B,7C"
keys = []
for i in key.split(','):
    keys.append(int(i, 16))        # the target string split into its hex byte values
t = 1
# var_CC comes from the first two characters of the key, so it can only be 00..99
for i in ['0','1','2','3','4','5','6','7','8','9']:
    for ii in ['0','1','2','3','4','5','6','7','8','9']:
        a = i + ii
        # keep this offset only if the first decoded character is a non-zero digit
        if chr(keys[0] - int(a)) in ['1','2','3','4','5','6','7','8','9']:
            print('密匙{0}:'.format(t), end='')
            for iii in keys:
                print(chr(iii - int(a)), end='')
            print('')
            t += 1
Result:
密匙1:96,52547:;%,,276345:%9634
密匙2:85+414369:$++1652349$8523
密匙3:74*3032589#**0541238#7412
密匙4:63)2/21478"))/430127"6301
密匙5:52(1.10367!((.32/016!52/0
密匙6:41'0-0/256 ''-21./05 41./
密匙7:30&/,/.145&&,10-./430-.
密匙8:2/%.+.-034%%+0/,-.32/,-
密匙9:1.$-*-,/23$$*/.+,-21.+,
There are nine keys.
Of these, only the third one can be entered.
So the key is 74*3032589#**0541238#7412
Screenshot:
0x03 Final Words
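As an added example (not code from the original post), here is a Python re-implementation of the check described above, plus a keygen that keeps only keys whose first two characters re-parse to the offset that was used to decode them, which is why just one of the nine candidates works. Like the post's keygen, it assumes the two-character prefix is parsed as a decimal number.

```python
# Added example: re-implementation of the CrackMe's check and a self-consistent keygen.
TARGET = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C"


def encode(key: str) -> str:
    """Mirror the VB loop: offset = number in Left(key, 2); each character's
    ASCII code plus the offset is rendered with Hex$ and concatenated, then '0' is prepended."""
    # Assumption (same as the post's keygen): the prefix is read as a decimal number.
    offset = int(key[:2])
    return "0" + "".join(format(ord(c) + offset, "X") for c in key)


def check(key: str) -> bool:
    """True when the key produces exactly the string the CrackMe compares against."""
    return encode(key) == TARGET


def candidates(target: str):
    """Yield (offset, decoded text) for every offset 00..99, like the brute force in the post."""
    body = target[1:]  # drop the leading '0' that the program prepends
    values = [int(body[i:i + 2], 16) for i in range(0, len(body), 2)]
    for offset in range(100):
        yield offset, "".join(chr(v - offset) for v in values)


def solve(target: str) -> list:
    """Keep only printable decodings whose first two characters equal the offset used,
    because the CrackMe derives the offset from the key itself."""
    good = []
    for offset, text in candidates(target):
        printable = all(32 <= ord(c) < 127 for c in text)
        if printable and text[:2] == "%02d" % offset:
            good.append(text)
    return good


if __name__ == "__main__":
    for k in solve(TARGET):
        print(k, check(k))
```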