[Disassembly Practice] 160 CrackMes: No. 010
The purpose of this series is to start from the perspective of a complete beginner (that is, myself) and try, step by step, to crack all 160 CrackMes and, if possible, write something like a keygen by whatever means. The articles are organised along the following lines (answering the following questions):
1. Which environment and tools are used
2. Program analysis
3. Approach and cracking procedure
4. Exploring a keygen
----------------------------------
A reminder to readers: if you cannot follow the logic in the article, you definitely have not tried it with your own hands! OD's jump hints are very powerful; as long as you trace it, you will understand without reading much code!
----------------------------------
1. Tools and environment:
WinXP SP3 + the 52Pojie 6th-anniversary edition of OD + PEID + 汇编金手指 (an assembly quick reference). The packed archive of the 160 CrackMes.
Download: http://pan.baidu.com/s/1xUWOY Password: jbnq
Notes:
1. Win7 enables randomised base addresses (ASLR) for modules and programs, which adds a lot of burden to analysis, so analysing on Win7 is not recommended.
2. All the tools above are the original programs downloaded from the 52PoJie forum; NOD32 reports nothing, and I personally promise there is absolutely nothing trojan- or virus-related.
http://images.cnitblog.com/blog/573547/201406/152219166701903.png
2. Program analysis:
To crack a program, you must first understand it. So the analysis of the original program is very important in the cracking process; it helps us understand the author's goals and intentions, especially the details of how the registration code is handled, which makes it easier to trace backwards and derive it. As in the previous part, open the CHM, select the 10th one, Andrénalin.3, and save it. Run the program; its interface looks like this:
3. Approach and cracking procedure:
After clicking the [OK] button, an error message box pops up immediately (embarrassing, though I cannot understand what it says); the behaviour is exactly the same as the previous programs. Checking with PEID: Microsoft Visual Basic 5.0 / 6.0, no packer, so it can go straight into OD!
1. Open OD, drag the exe into the OD window, wait for the program to pause, then just press run (F9) and ignore it.
2. In the exe, enter the key bbdxf. Click the OK button; the error message box pops up. Do not close it.
3. In OD click the pause button (Ctrl+F2), then click the stack K button (Ctrl+K); you can see the current state of the stack.
4. As before, we trace the code segment containing the message box: select rtcMsgBox, right-click -> Show call, and return to the disassembly view.
5. From the location we return to, look upward for jump-related instructions such as cmp and je. Just as with the previous programs, it is very easy to find.
00402050 .66:85C0 test ax,ax
00402053 0F84 C0000000 je 00402119 ;// the same key jump as in the previous one
00402059 .FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#534>] ;msvbvm50.rtcBeep
0040205F .8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ;msvbvm50.__vbaVarDup
00402065 .B9 0A000000 mov ecx,0xA
0040206A .B8 04000280 mov eax,0x80020004
0040206F .898D 64FFFFFF mov dword ptr ss:,ecx
00402075 .898D 74FFFFFF mov dword ptr ss:,ecx
0040207B .8D95 44FFFFFF lea edx,dword ptr ss:
00402081 .8D4D 84 lea ecx,dword ptr ss:
00402084 .8985 6CFFFFFF mov dword ptr ss:,eax
0040208A .8985 7CFFFFFF mov dword ptr ss:,eax
00402090 .C785 4CFFFFFF>mov dword ptr ss:,00401B28 ;UNICODE "RiCHTiG !"
0040209A .C785 44FFFFFF>mov dword ptr ss:,0x8
004020A4 .FFD3 call ebx ;<&MSVBVM50.__vbaVarDup>
004020A6 .8D95 54FFFFFF lea edx,dword ptr ss:
004020AC .8D4D 94 lea ecx,dword ptr ss:
004020AF .C785 5CFFFFFF>mov dword ptr ss:,00401ABC
004020B9 .C785 54FFFFFF>mov dword ptr ss:,0x8
004020C3 .FFD3 call ebx
004020C5 .8D95 64FFFFFF lea edx,dword ptr ss:
004020CB .8D85 74FFFFFF lea eax,dword ptr ss:
004020D1 .52 push edx
004020D2 .8D4D 84 lea ecx,dword ptr ss:
004020D5 .50 push eax
004020D6 .51 push ecx
004020D7 .8D55 94 lea edx,dword ptr ss:
004020DA .6A 30 push 0x30
004020DC .52 push edx
004020DD .FF15 24414000 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
004020E3 .8D95 14FFFFFF lea edx,dword ptr ss:
004020E9 .8D4D AC lea ecx,dword ptr ss:
004020EC .8985 1CFFFFFF mov dword ptr ss:,eax
004020F2 .C785 14FFFFFF>mov dword ptr ss:,0x3
004020FC .FFD6 call esi
004020FE .8D85 64FFFFFF lea eax,dword ptr ss:
00402104 .8D8D 74FFFFFF lea ecx,dword ptr ss:
0040210A .50 push eax
0040210B .8D55 84 lea edx,dword ptr ss:
0040210E .51 push ecx
0040210F .8D45 94 lea eax,dword ptr ss:
00402112 .52 push edx
00402113 .50 push eax
00402114 .E9 B5000000 jmp 004021CE
00402119 >8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarDup>] ;msvbvm50.__vbaVarDup
0040211F .B9 0A000000 mov ecx,0xA
00402124 .B8 04000280 mov eax,0x80020004
00402129 .898D 64FFFFFF mov dword ptr ss:,ecx
0040212F .898D 74FFFFFF mov dword ptr ss:,ecx
00402135 .8D95 44FFFFFF lea edx,dword ptr ss:
0040213B .8D4D 84 lea ecx,dword ptr ss:
0040213E .8985 6CFFFFFF mov dword ptr ss:,eax
00402144 .8985 7CFFFFFF mov dword ptr ss:,eax
0040214A .C785 4CFFFFFF>mov dword ptr ss:,00401C1C ;UNICODE "LEiDER Falsch !"
00402154 .C785 44FFFFFF>mov dword ptr ss:,0x8
0040215E .FFD3 call ebx ;<&MSVBVM50.__vbaVarDup>
00402160 .8D95 54FFFFFF lea edx,dword ptr ss:
00402166 .8D4D 94 lea ecx,dword ptr ss:
00402169 .C785 5CFFFFFF>mov dword ptr ss:,00401B40 ;UNICODE "Leider Falsch! Nochmal veruschen ! Wenn Du es ni"
00402173 .C785 54FFFFFF>mov dword ptr ss:,0x8
0040217D .FFD3 call ebx
0040217F .8D8D 64FFFFFF lea ecx,dword ptr ss:
00402185 .8D95 74FFFFFF lea edx,dword ptr ss:
0040218B .51 push ecx
0040218C .8D45 84 lea eax,dword ptr ss:
0040218F .52 push edx
00402190 .50 push eax
00402191 .8D4D 94 lea ecx,dword ptr ss:
00402194 .6A 10 push 0x10
00402196 .51 push ecx
00402197 .FF15 24414000 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
The key jump is je 00402119. Select this line in OD and you can easily see that whether JE jumps decides between the success and failure messages! Alright, let's patch it! Select the line je 00402119, right-click -> Binary -> Fill with NOPs. Go back to the exe, enter any key, click [OK], and haha, is it not a success!
4. Exploring the registration code
Continue looking upward. If you have read part 9 you will know they are basically the same; please refer to 009. For disassembling VB code, see http://www.cnblogs.com/bbdxf/p/3793545.html. After analysis the code is as follows:
00401F30 .51 push ecx
00401F31 .8D45 94 lea eax,dword ptr ss:
00401F34 .52 push edx
00401F35 .50 push eax
00401F36 .FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>] ;msvbvm50.__vbaLenVar
00401F3C .8D8D 44FFFFFF lea ecx,dword ptr ss:
00401F42 .50 push eax
00401F43 .8D95 ECFEFFFF lea edx,dword ptr ss:
00401F49 .51 push ecx
00401F4A .8D85 FCFEFFFF lea eax,dword ptr ss:
00401F50 .52 push edx
00401F51 .8D4D DC lea ecx,dword ptr ss:
00401F54 .50 push eax
00401F55 .51 push ecx
00401F56 .FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForInit>] ;msvbvm50.__vbaVarForInit
00401F5C .8B1D 68414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVarCat>] ;msvbvm50.__vbaVarCat
00401F62 .8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>] ;msvbvm50.__vbaFreeVarList
00401F68 >85C0 test eax,eax
00401F6A .0F84 BB000000 je 0040202B
00401F70 .8D55 94 lea edx,dword ptr ss:
00401F73 .8D45 DC lea eax,dword ptr ss:
00401F76 .52 push edx
00401F77 .50 push eax
00401F78 .C745 9C 01000>mov dword ptr ss:,0x1
00401F7F .C745 94 02000>mov dword ptr ss:,0x2
00401F86 .FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>] ;msvbvm50.__vbaI4Var
00401F8C .8D4D BC lea ecx,dword ptr ss:
00401F8F .50 push eax ;// eax=0x01 2 3 4 5
00401F90 .8D55 84 lea edx,dword ptr ss:
00401F93 .51 push ecx ;// bbdxf
00401F94 .52 push edx
00401F95 .FF15 34414000 call dword ptr ds:[<&MSVBVM50.#632>] ;msvbvm50.rtcMidCharVar
00401F9B .8D45 84 lea eax,dword ptr ss:
00401F9E .8D4D A8 lea ecx,dword ptr ss:
00401FA1 .50 push eax
00401FA2 .51 push ecx
00401FA3 .FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>] ;msvbvm50.__vbaStrVarVal
00401FA9 .50 push eax
00401FAA .FF15 08414000 call dword ptr ds:[<&MSVBVM50.#516>] ;msvbvm50.rtcAnsiValueBstr
00401FB0 .66:05 0A00 add ax,0xA ;// each character + 0xA
00401FB4 .0F80 B0020000 jo 0040226A
00401FBA .0FBFD0 movsx edx,ax
00401FBD .52 push edx
00401FBE .FF15 70414000 call dword ptr ds:[<&MSVBVM50.#537>] ;msvbvm50.rtcBstrFromAnsi
00401FC4 .8985 7CFFFFFF mov dword ptr ss:,eax
00401FCA .8D45 CC lea eax,dword ptr ss:
00401FCD .8D8D 74FFFFFF lea ecx,dword ptr ss:
00401FD3 .50 push eax ;// the string stored in the previous iteration
00401FD4 .8D95 64FFFFFF lea edx,dword ptr ss:
00401FDA .51 push ecx ;// the character text after +0xA
00401FDB .52 push edx
00401FDC .C785 74FFFFFF>mov dword ptr ss:,0x8
00401FE6 .FFD3 call ebx ;__vbaStrCat // concatenate the strings, result in eax
00401FE8 .8BD0 mov edx,eax ;// when the loop over bbdxf reaches x, the value exceeds 128, so it gets truncated
00401FEA .8D4D CC lea ecx,dword ptr ss:
00401FED .FFD6 call esi
00401FEF .8D4D A8 lea ecx,dword ptr ss:
00401FF2 .FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>] ;msvbvm50.__vbaFreeStr
00401FF8 .8D85 74FFFFFF lea eax,dword ptr ss:
00401FFE .8D4D 84 lea ecx,dword ptr ss:
00402001 .50 push eax
00402002 .8D55 94 lea edx,dword ptr ss:
00402005 .51 push ecx
00402006 .52 push edx
00402007 .6A 03 push 0x3
00402009 .FFD7 call edi
0040200B .83C4 10 add esp,0x10
0040200E .8D85 ECFEFFFF lea eax,dword ptr ss:
00402014 .8D8D FCFEFFFF lea ecx,dword ptr ss:
0040201A .8D55 DC lea edx,dword ptr ss:
0040201D .50 push eax
0040201E .51 push ecx
0040201F .52 push edx
00402020 .FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarForNext>] ;msvbvm50.__vbaVarForNext
00402026 .^ E9 3DFFFFFF jmp 00401F68
0040202B >8D45 CC lea eax,dword ptr ss: ;// the result after the loop is stored in eax
0040202E .8D8D 54FFFFFF lea ecx,dword ptr ss:
00402034 .50 push eax ;// eax = the value computed from the input text
00402035 .51 push ecx
00402036 .C785 5CFFFFFF>mov dword ptr ss:,00401A8C ;UNICODE "kXy^rO|*yXo*m\kMuOn*+"
00402040 .C785 54FFFFFF>mov dword ptr ss:,0x8008 ;// set the variant pointed to by ecx to the string above
0040204A .FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>] ;msvbvm50.__vbaVarTstEq
00402050 .66:85C0 test ax,ax
00402053 0F84 C0000000 je 00402119 ;// the same key jump as in the previous one
Algorithm analysis: in VB, the three functions __vbaVarForInit, __vbaFreeVarList and __vbaVarForNext implement a For loop (see the assembly above). In each iteration, rtcMidCharVar takes one character, then rtcAnsiValueBstr converts the character to its ASCII code value; 0x0A is added to the ASCII value and the sum is converted back into a character. Finally the assembled string is compared with "kXy^rO|*yXo*m\kMuOn*+", and the result of that comparison decides whether the je jump is taken.
The following code computes the key back from that string. C/CPP code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void)
{
    /* the string the program compares against (UNICODE constant at 00401A8C) */
    char keyCode[] = "kXy^rO|*yXo*m\\kMuOn*+";
    char keyOld[sizeof(keyCode)] = {0};
    int nLen = (int)strlen(keyCode);
    printf("%d\r\n", nLen);
    for (int i = 0; i < nLen; i++)
    {
        /* the program added 0x0A to each character, so subtract it to recover the key */
        keyOld[i] = keyCode[i] - 0x0A;
    }
    printf("Key: %s\r\n", keyOld);
    system("pause");
    return 0;
}
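As an added example that is not the author's code, here is the check routine reconstructed in C from the disassembly above (the +0x0A loop and the comparison against the constant at 00401A8C) next to the inverse that derives the key, so the derived key can be verified against the same logic the program runs. The names `vb_transform`, `check_key` and `derive_key` and the 7-bit ASCII flag are my own additions; the real runtime converts through rtcBstrFromAnsi and the ANSI code page, which this skips.

```c
#include <stdio.h>
#include <string.h>

/* Constant the crackme compares against (UNICODE string at 00401A8C). */
static const char TARGET[] = "kXy^rO|*yXo*m\\kMuOn*+";
#define SHIFT 0x0A /* the "add ax,0xA" at 00401FB0 */

/* Forward transform as the VB loop does it: for every character, take its code,
 * add 0x0A and append the result. Returns 1 if a shifted code left 7-bit ASCII
 * (the post's 'x' in "bbdxf"), 0 otherwise, -1 if out is too small. Hypothetical
 * helper: the real runtime goes through rtcBstrFromAnsi and the ANSI code page. */
int vb_transform(const char *in, char *out, size_t out_len)
{
    size_t n = strlen(in);
    int left_ascii = 0;
    if (n + 1 > out_len)
        return -1;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)in[i] + SHIFT;
        if (c > 0x7F) left_ascii = 1;
        out[i] = (char)c;
    }
    out[n] = '\0';
    return left_ascii;
}
/* Mirror of __vbaVarTstEq and the je at 00402053: 1 = "RiCHTiG !", 0 = "LEiDER Falsch !". */
int check_key(const char *key)
{
    char buf[64];
    if (vb_transform(key, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, TARGET) == 0;
}
/* Inverse: subtract the shift from every character of TARGET to get the key. */
void derive_key(char *out, size_t out_len)
{
    size_t n = strlen(TARGET);
    if (n + 1 > out_len) { out[0] = '\0'; return; }
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(TARGET[i] - SHIFT);
    out[n] = '\0';
}

int main(void)
{
    char key[64];
    derive_key(key, sizeof key);
    printf("Key: \"%s\" -> %s\n", key, check_key(key) ? "RiCHTiG !" : "LEiDER Falsch !");
    return 0;
}
```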
BY笨笨D幸福
Written in real detail. Thanks for sharing, OP. I'll download it and try it in a bit. Haha.
kXy^rO|*yXo*m\kMuOn*+,,,, I'd like to ask how this can be converted into the key value
Worshipping the master~ I kneel.
Took a look on Win7, yeah. Why does it always fail for me on Win7
Keep it up, OP, victory over the 160 is in sight.
Supporting as always
Same thing, these three, easy
Only patched it, passing by