160 CrackMes, #014: Patching
This post was last edited by growuphappily on 2020-3-31 13:14
0x00 Preface
I've been pretty busy these past few days, so... I disappeared for 21 days.
I've been working through the 160 CrackMes lately; the original thread is here:
https://www.52pojie.cn/thread-709699-1-1.html
Table of contents:
Problem links
Problem 1: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107523
Problem 2: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107888
Problem 3: https://www.52pojie.cn/thread-1108487-1-1.html
Problem 4: https://www.52pojie.cn/thread-1109140-1-1.html
Problem 5: too brutal, skipped it
Problem 6: https://www.52pojie.cn/thread-1111030-1-1.html
Problem 7: https://www.52pojie.cn/thread-1112318-1-1.html
Problem 8: https://www.52pojie.cn/thread-1113163-1-1.html
Problem 9 (patching): https://www.52pojie.cn/thread-1113295-1-1.html
Problem 9 (algorithm): https://www.52pojie.cn/thread-1114003-1-1.html
Problem 10: https://www.52pojie.cn/thread-1116170-1-1.html
Problem 11: https://www.52pojie.cn/thread-1119813-1-1.html
Problem 11 (algorithm): https://www.52pojie.cn/thread-1120768-1-1.html
Problem 13: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1122833&page=1&extra=#pid30408289
Problem 14: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1144573&page=1&extra=#pid31010949
0x01 Main part
Open the long-overdue 14th CM:
This time there's only a Serial field?
0x01.01 Patching
Without further ado, drag it into OD (OllyDbg)
First enter a fake serial
It should be rtcMsgBox, so set a breakpoint on it
Run until return, then single-step
We arrive here
004036E3 .33C9 xor ecx,ecx
004036E5 .83F8 09 cmp eax,0x9 ;length must be 9
004036E8 .0F95C1 setne cl ;cl = 0 if the length is 9, cl = 1 otherwise
004036EB .F7D9 neg ecx
004036ED .8BF1 mov esi,ecx
004036EF .8D4D E4 lea ecx,dword ptr ss:
004036F2 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStr
004036F8 .8D4D D4 lea ecx,dword ptr ss:
004036FB .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;msvbvm60.__vbaFreeObj
00403701 .66:3BF3 cmp si,bx
00403704 .0F85 1A030000 jnz bjanes_1.00403A24 ;jumps if cl != 0 (failure)
0040370A .8B17 mov edx,dword ptr ds:
0040370C .57 push edi
0040370D .FF92 08030000 call dword ptr ds:
00403713 .50 push eax
00403714 .8D45 D4 lea eax,dword ptr ss:
00403717 .50 push eax
00403718 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;msvbvm60.__vbaObjSet
0040371E .8BF0 mov esi,eax
00403720 .8D55 E4 lea edx,dword ptr ss:
00403723 .52 push edx
00403724 .56 push esi ;msvbvm60.__vbaVarDup
00403725 .8B0E mov ecx,dword ptr ds:
00403727 .FF91 A0000000 call dword ptr ds:
0040372D .3BC3 cmp eax,ebx
0040372F .DBE2 fclex
00403731 .7D 12 jge short bjanes_1.00403745
00403733 .68 A0000000 push 0xA0
00403738 .68 44224000 push bjanes_1.00402244
0040373D .56 push esi ;msvbvm60.__vbaVarDup
0040373E .50 push eax
0040373F .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj
00403745 >8B45 E4 mov eax,dword ptr ss:
00403748 .50 push eax ; /String = 00000001 ???
00403749 .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; \__vbaLenBstr
0040374F .8BC8 mov ecx,eax
00403751 .FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>>;msvbvm60.__vbaI2I4
00403757 .8D4D E4 lea ecx,dword ptr ss:
0040375A .8985 14FFFFFF mov dword ptr ss:,eax
00403760 .C745 E8 01000>mov dword ptr ss:,0x1
00403767 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStr
0040376D .8D4D D4 lea ecx,dword ptr ss:
00403770 .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;msvbvm60.__vbaFreeObj
00403776 .8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>;msvbvm60.__vbaStrMove
0040377C >66:8B8D 14FFF>mov cx,word ptr ss:
00403783 .66:394D E8 cmp word ptr ss:,cx
00403787 .0F8F 17030000 jg bjanes_1.00403AA4 ;this one jumps to success
0040378D .8B17 mov edx,dword ptr ds:
0040378F .57 push edi
00403790 .FF92 08030000 call dword ptr ds:
00403796 .50 push eax
00403797 .8D45 D4 lea eax,dword ptr ss:
0040379A .50 push eax
0040379B .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;msvbvm60.__vbaObjSet
004037A1 .8BD8 mov ebx,eax
004037A3 .8D55 E4 lea edx,dword ptr ss:
004037A6 .52 push edx
004037A7 .53 push ebx
004037A8 .8B0B mov ecx,dword ptr ds:
004037AA .FF91 A0000000 call dword ptr ds:
004037B0 .85C0 test eax,eax
004037B2 .DBE2 fclex
004037B4 .7D 12 jge short bjanes_1.004037C8
004037B6 .68 A0000000 push 0xA0
004037BB .68 44224000 push bjanes_1.00402244
004037C0 .53 push ebx
004037C1 .50 push eax
004037C2 .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj
004037C8 >8B07 mov eax,dword ptr ds:
004037CA .57 push edi
004037CB .FF90 08030000 call dword ptr ds:
004037D1 .8D4D D0 lea ecx,dword ptr ss:
004037D4 .50 push eax
004037D5 .51 push ecx
004037D6 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;msvbvm60.__vbaObjSet
004037DC .8BF8 mov edi,eax
004037DE .8D45 DC lea eax,dword ptr ss:
004037E1 .50 push eax
004037E2 .57 push edi
004037E3 .8B17 mov edx,dword ptr ds:
004037E5 .FF92 A0000000 call dword ptr ds:
004037EB .85C0 test eax,eax
004037ED .DBE2 fclex
004037EF .7D 12 jge short bjanes_1.00403803
004037F1 .68 A0000000 push 0xA0
004037F6 .68 44224000 push bjanes_1.00402244
004037FB .57 push edi
004037FC .50 push eax
004037FD .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj
00403803 >0FBF7D E8 movsx edi,word ptr ss:
00403807 .8B55 DC mov edx,dword ptr ss:
0040380A .B9 01000000 mov ecx,0x1
0040380F .894D C8 mov dword ptr ss:,ecx
00403812 .894D B8 mov dword ptr ss:,ecx
00403815 .8D4D B0 lea ecx,dword ptr ss:
;too long, the middle section is omitted
00403A48 .8945 90 mov dword ptr ss:,eax
00403A4B .8945 A0 mov dword ptr ss:,eax
00403A4E .C785 58FFFFFF>mov dword ptr ss:,bjanes_1.004>;UNICODE "Wrong serial!"
00403A58 .89BD 50FFFFFF mov dword ptr ss:,edi
00403A5E .FFD6 call esi ;msvbvm60.__vbaVarDup; <&MSVBVM60.__vbaVarDup>
00403A60 .8D95 60FFFFFF lea edx,dword ptr ss:
00403A66 .8D4D C0 lea ecx,dword ptr ss:
00403A69 .C785 68FFFFFF>mov dword ptr ss:,bjanes_1.004>;UNICODE "Sorry, try again!"
00403A73 .89BD 60FFFFFF mov dword ptr ss:,edi
00403A79 .FFD6 call esi ;msvbvm60.__vbaVarDup
00403A7B .8D45 90 lea eax,dword ptr ss:
00403A7E .8D4D A0 lea ecx,dword ptr ss:
00403A81 .50 push eax
00403A82 .8D55 B0 lea edx,dword ptr ss:
00403A85 .51 push ecx
00403A86 .52 push edx
00403A87 .8D45 C0 lea eax,dword ptr ss:
00403A8A .53 push ebx
00403A8B .50 push eax
00403A8C .FF15 30104000 call dword ptr ds:[<&MSVBVM60.#595>] ;msvbvm60.rtcMsgBox
00403A92 .8D4D 90 lea ecx,dword ptr ss:
00403A95 .8D55 A0 lea edx,dword ptr ss:
00403A98 .51 push ecx
00403A99 .8D45 B0 lea eax,dword ptr ss:
00403A9C .52 push edx
00403A9D .8D4D C0 lea ecx,dword ptr ss:
00403AA0 .50 push eax
00403AA1 .51 push ecx
00403AA2 .EB 7E jmp short bjanes_1.00403B22
00403AA4 >8B35 A4104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVa>;msvbvm60.__vbaVarDup
00403AAA .B9 04000280 mov ecx,0x80020004
00403AAF .894D 98 mov dword ptr ss:,ecx
00403AB2 .B8 0A000000 mov eax,0xA
00403AB7 .894D A8 mov dword ptr ss:,ecx
00403ABA .BF 08000000 mov edi,0x8
00403ABF .8D95 50FFFFFF lea edx,dword ptr ss:
00403AC5 .8D4D B0 lea ecx,dword ptr ss:
00403AC8 .8945 90 mov dword ptr ss:,eax
00403ACB .8945 A0 mov dword ptr ss:,eax
00403ACE .C785 58FFFFFF>mov dword ptr ss:,bjanes_1.004>;UNICODE "Correct serial!"
00403AD8 .89BD 50FFFFFF mov dword ptr ss:,edi
00403ADE .FFD6 call esi ;msvbvm60.__vbaVarDup; <&MSVBVM60.__vbaVarDup>
00403AE0 .8D95 60FFFFFF lea edx,dword ptr ss:
00403AE6 .8D4D C0 lea ecx,dword ptr ss:
00403AE9 .C785 68FFFFFF>mov dword ptr ss:,bjanes_1.004>;UNICODE "Good job, tell me how you do that!"
00403AF3 .89BD 60FFFFFF mov dword ptr ss:,edi
00403AF9 .FFD6 call esi ;msvbvm60.__vbaVarDup
00403AFB .8D55 90 lea edx,dword ptr ss:
00403AFE .8D45 A0 lea eax,dword ptr ss:
00403B01 .52 push edx
00403B02 .8D4D B0 lea ecx,dword ptr ss:
00403B05 .50 push eax
00403B06 .51 push ecx
00403B07 .8D55 C0 lea edx,dword ptr ss:
00403B0A .53 push ebx
00403B0B .52 push edx
Patching is still simple: just NOP out the jump at 00403704 and change the jump at 00403787 into a JMP.
0x01.02 Algorithm... brute-force enumeration?
Once again it's time for the most headache-inducing part, the algorithm
Let's run it through VB Decompiler
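As an added example (not code from the original post or from the CrackMe itself), the script below reproduces the two-jump patch just described on a constructed byte buffer: the opcode bytes and virtual addresses are copied from the OllyDbg listing above, so the rel32 displacement arithmetic can be checked without touching the real bjanes_1 binary. The function and variable names are my own.

```python
# Added example, not code from the original post or the CrackMe: it reproduces
# the two-jump patch described in the write-up on a constructed byte buffer
# (opcode bytes copied from the OllyDbg listing) so the displacement arithmetic
# can be verified without touching the real bjanes_1 binary.
import struct

NOP = 0x90

# Virtual addresses and encodings taken from the listing above.
JNZ_VA, JNZ_BYTES = 0x00403704, bytes.fromhex("0F851A030000")  # jnz 00403A24 (fail)
JG_VA,  JG_BYTES  = 0x00403787, bytes.fromhex("0F8F17030000")  # jg  00403AA4 (success)
FAIL_VA, SUCCESS_VA = 0x00403A24, 0x00403AA4


def decode_jcc_rel32(code: bytes, va: int) -> int:
    """Decode a 6-byte `0F 8x rel32` conditional jump located at `va`.
    The displacement is relative to the end of the instruction (va + 6)."""
    if len(code) < 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("not a 0F 8x jcc rel32")
    rel = struct.unpack_from("<i", code, 2)[0]
    return (va + 6 + rel) & 0xFFFFFFFF


def decode_jmp_rel32(code: bytes, va: int) -> int:
    """Decode a 5-byte `E9 rel32` unconditional jump located at `va`."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 jmp rel32")
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def encode_jmp_rel32(va: int, target: int) -> bytes:
    """Encode `jmp target` placed at `va`; E9 is 5 bytes, so rel32 = target - (va + 5)."""
    return b"\xE9" + struct.pack("<i", target - (va + 5))


def patch_jcc(code: bytes, va: int, mode: str) -> bytes:
    """Return the 6 patched bytes for the jcc in `code` at `va`.
    'nop': six NOPs, the branch is never taken (the jnz to the fail path).
    'jmp': jmp rel32 + one NOP, the branch is always taken to the jcc's own
           target (the jg to the success path). The trailing NOP keeps the
           patched instruction 6 bytes long so the following code is not shifted."""
    target = decode_jcc_rel32(code, va)
    if mode == "nop":
        return bytes([NOP]) * 6
    if mode == "jmp":
        return encode_jmp_rel32(va, target) + bytes([NOP])
    raise ValueError(mode)


def apply_writeup_patches() -> dict:
    """Apply both patches from the write-up to the constructed instruction bytes
    and return the before/after encodings plus the decoded targets."""
    nopped = patch_jcc(JNZ_BYTES, JNZ_VA, "nop")
    forced = patch_jcc(JG_BYTES, JG_VA, "jmp")
    return {
        "jnz_target": decode_jcc_rel32(JNZ_BYTES, JNZ_VA),      # 0x00403A24
        "jg_target": decode_jcc_rel32(JG_BYTES, JG_VA),         # 0x00403AA4
        "jnz_patched": nopped.hex().upper(),                    # 909090909090
        "jg_patched": forced.hex().upper(),                     # E91803000090
        "jg_patched_target": decode_jmp_rel32(forced, JG_VA),   # still 0x00403AA4
    }


if __name__ == "__main__":
    for key, value in apply_writeup_patches().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

Two things worth noticing: the jg displacement changes from 0x317 to 0x318 after the patch because E9 is one byte shorter than 0F 8F, which is exactly what OllyDbg's Assemble dialog with "Fill with NOPs" produces for you; and the addresses here are virtual addresses, so writing the patch to disk needs the section's raw-offset mapping (OllyDbg's "Copy to executable" takes care of that). Forcing the jg also skips the whole per-character loop, so the patch says nothing about what a valid serial looks like, which is why the algorithm section follows.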
Private Sub Command1_Click() '403620
Dim var_2C As TextBox
loc_004036BB: var_1C = Text1.Text
loc_004036E8: setnz cl
loc_00403704: If ecx <> 0 Then GoTo loc_00403A24
loc_00403727: var_1C = Text1.Text
loc_0040375A: var_EC = Len(var_1C)
loc_0040377C:
loc_00403787: If var_18 > 0 Then GoTo loc_00403AA4
loc_004037AA: var_1C = Text1.Text
loc_004037E5: var_24 = Text1.Text
loc_00403831: var_28 = Mid$(var_24, vbNull, 1)
loc_00403848: setg bl
loc_00403859: var_20 = Mid$(var_1C, vbNull, 1)
loc_00403868: setl dl
loc_004038AD: If var_2C <> 0 Then GoTo loc_00403A22
loc_004038D3: var_1C = Text1.Text
loc_00403909: var_58 = var_18 xor 0002h
loc_0040391B: var_28 = Str$()
loc_0040393F: var_20 = Mid$(var_1C, vbNull, 1)
loc_0040394B: var_48 = Asc(var_20)
loc_0040395E: var_24 = Str$(Asc(var_20))
loc_00403997: var_68 = var_28
loc_004039A5: var_80 = Right(var_28, 1)
loc_00403A04: If ((var_24 - 48#) <> var_80) <> 0 Then GoTo loc_00403A22
loc_00403A0E: 00000001h = 00000001h + var_18
loc_00403A1D: GoTo loc_0040377C
loc_00403A22: 'Referenced from: 004038AD
loc_00403A24: 'Referenced from: 00403704
loc_00403A5E: var_50 = "Wrong serial!"
loc_00403A79: var_40 = "Sorry, try again!"
loc_00403AA2: GoTo loc_00403B22
loc_00403AA4: 'Referenced from: 00403787
loc_00403ADE: var_50 = "Correct serial!"
loc_00403AF9: var_40 = "Good job, tell me how you do that!"
loc_00403B22: 'Referenced from: 00403AA2
loc_00403B36: GoTo loc_00403B87
loc_00403B86: Exit Sub
loc_00403B87: 'Referenced from: 00403B36
loc_00403B87: Exit Sub
End Sub
This is the decompiled code.
I'll write up the rest when I have time.
0x02 Finally
Don't just freeload, give it a rating! Replies have a 70% chance of winning a prize!
Reply: Awesome, thanks
Reply: The master is awesome
Reply: Awesome, awesome.
Reply: I'd like to learn how to reverse the Serial algorithm. I know a bit about patching.
Reply: Awesome, awesome.
Reply: Learned something.
Reply: Awesome
Reply: Awesome
Reply: Awesome
Reply: Yeah, right.
Reply: There are parts I can't understand