[反汇编练习] 160个CrackMe之016
本帖最后由 44018723 于 2014-6-24 20:05 编辑[反汇编练习] 160个CrackMe之016.本系列文章的目的是从一个没有任何经验的新手的角度(其实就是我自己),一步步尝试将160个CrackMe全部破解,如果可以,通过任何方式写出一个类似于注册机的东西。其中,文章中按照如下逻辑编排(解决如下问题):1、使用什么环境和工具2、程序分析3、思路分析和破解流程4、注册机的探索----------------------------------提醒各位看客: 如果文章中的逻辑看不明白,那你一定是没有亲手操刀!OD中的跳转提示很强大,只要你跟踪了,不用怎么看代码就理解了!----------------------------------1、工具和环境:WinXP SP3 + 52Pojie六周年纪念版OD + PEID + 汇编金手指。160个CrackMe的打包文件。下载地址: http://pan.baidu.com/s/1xUWOY 密码: jbnq注:1、Win7系统对于模块和程序开启了随机初始地址的功能,会给分析带来很大的负担,所以不建议使用Win7进行分析。2、以上工具都是在52PoJie论坛下的原版程序,NOD32不报毒,个人承诺绝对不会进行任何和木马病毒相关内容。http://images.cnitblog.com/blog/573547/201406/192147191763366.png2、程序分析:想要破解一个程序,必须先了解这个程序。所以,在破解过程中,对最初程序的分析很重要,他可以帮助我们理解作者的目的和意图,特别是对于注册码的处理细节,从而方便我们反向跟踪和推导。和上一节一样,打开CHM,选择第16个BJCM20A.EXE,保存下来。运行程序,程序界面如下:http://images.cnitblog.com/blog/573547/201406/231857534244723.png又有信息框了,我很高兴啊!PEID: Microsoft Visual Basic 5.0 / 6.03、思路分析和破解流程步骤:1、打开OD,将exe拖到OD窗口中,等程序暂停后,直接点击运行按钮(F9),不用理会。2、在exe中输入Key:bbdxf。点击OK按钮,弹出错误信息框,不要关闭。3、在OD中点击暂停按钮(Ctrl+F12),再点击堆栈K按钮(Ctrl+K),可以看到当前堆栈情况。http://images.cnitblog.com/blog/573547/201406/231857583461327.png4、在Call xxxrtcMsgBox位置附近浏览代码,很容易地发现了两个文本:
00403A1D .^\E9 5AFDFFFF jmp 0040377C
00403A22 >33DB xor ebx,ebx
00403A24 >8B35 A4104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVa>;msvbvm60.__vbaVarDup
00403A2A .B9 04000280 mov ecx,0x80020004
00403A2F .894D 98 mov dword ptr ss:,ecx
00403A32 .B8 0A000000 mov eax,0xA
00403A37 .894D A8 mov dword ptr ss:,ecx
00403A3A .BF 08000000 mov edi,0x8
00403A3F .8D95 50FFFFFF lea edx,dword ptr ss:
00403A45 .8D4D B0 lea ecx,dword ptr ss:
00403A48 .8945 90 mov dword ptr ss:,eax
00403A4B .8945 A0 mov dword ptr ss:,eax
00403A4E .C785 58FFFFFF>mov dword ptr ss:,004022F0 ;UNICODE "Wrong serial!"
00403A58 .89BD 50FFFFFF mov dword ptr ss:,edi
00403A5E .FFD6 call esi ;<&MSVBVM60.__vbaVarDup>
00403A60 .8D95 60FFFFFF lea edx,dword ptr ss:
00403A66 .8D4D C0 lea ecx,dword ptr ss:
00403A69 .C785 68FFFFFF>mov dword ptr ss:,004022C8 ;UNICODE "Sorry, try again!"
00403A73 .89BD 60FFFFFF mov dword ptr ss:,edi
00403A79 .FFD6 call esi
00403A7B .8D45 90 lea eax,dword ptr ss:
00403A7E .8D4D A0 lea ecx,dword ptr ss:
00403A81 .50 push eax
00403A82 .8D55 B0 lea edx,dword ptr ss:
00403A85 .51 push ecx
00403A86 .52 push edx
00403A87 .8D45 C0 lea eax,dword ptr ss:
00403A8A .53 push ebx
00403A8B .50 push eax
00403A8C .FF15 30104000 call dword ptr ds:[<&MSVBVM60.#595>] ;msvbvm60.rtcMsgBox
00403A92 .8D4D 90 lea ecx,dword ptr ss:
00403A95 .8D55 A0 lea edx,dword ptr ss:
00403A98 .51 push ecx
00403A99 .8D45 B0 lea eax,dword ptr ss:
00403A9C .52 push edx
00403A9D .8D4D C0 lea ecx,dword ptr ss:
00403AA0 .50 push eax
00403AA1 .51 push ecx
00403AA2 .EB 7E jmp short 00403B22
00403AA4 >8B35 A4104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaVa>;msvbvm60.__vbaVarDup
00403AAA .B9 04000280 mov ecx,0x80020004
00403AAF .894D 98 mov dword ptr ss:,ecx
00403AB2 .B8 0A000000 mov eax,0xA
00403AB7 .894D A8 mov dword ptr ss:,ecx
00403ABA .BF 08000000 mov edi,0x8
00403ABF .8D95 50FFFFFF lea edx,dword ptr ss:
00403AC5 .8D4D B0 lea ecx,dword ptr ss:
00403AC8 .8945 90 mov dword ptr ss:,eax
00403ACB .8945 A0 mov dword ptr ss:,eax
00403ACE .C785 58FFFFFF>mov dword ptr ss:,004022A4 ;UNICODE "Correct serial!"
00403AD8 .89BD 50FFFFFF mov dword ptr ss:,edi
00403ADE .FFD6 call esi ;<&MSVBVM60.__vbaVarDup>
00403AE0 .8D95 60FFFFFF lea edx,dword ptr ss:
00403AE6 .8D4D C0 lea ecx,dword ptr ss:
00403AE9 .C785 68FFFFFF>mov dword ptr ss:,00402258 ;UNICODE "Good job, tell me how you do that!"
00403AF3 .89BD 60FFFFFF mov dword ptr ss:,edi
00403AF9 .FFD6 call esi
00403AFB .8D55 90 lea edx,dword ptr ss:
00403AFE .8D45 A0 lea eax,dword ptr ss:
00403B01 .52 push edx
00403B02 .8D4D B0 lea ecx,dword ptr ss:
00403B05 .50 push eax
00403B06 .51 push ecx
00403B07 .8D55 C0 lea edx,dword ptr ss:
00403B0A .53 push ebx
00403B0B .52 push edx
00403B0C .FF15 30104000 call dword ptr ds:[<&MSVBVM60.#595>] ;msvbvm60.rtcMsgBox
5、继续向上浏览代码,查找je/jg/jmp等跳转位置,发现了关键跳转:
00403770 .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;msvbvm60.__vbaFreeObj
00403776 .8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>;msvbvm60.__vbaStrMove
0040377C >66:8B8D 14FFF>mov cx,word ptr ss:
00403783 .66:394D E8 cmp word ptr ss:,cx
00403787 0F8F 17030000 jg 00403AA4 ;// 这里是关键跳
0040378D .8B17 mov edx,dword ptr ds:
0040378F .57 push edi
00403790 .FF92 08030000 call dword ptr ds:
00403796 .50 push eax
00403797 .8D45 D4 lea eax,dword ptr ss:
0040379A .50 push eax
0040379B .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;msvbvm60.__vbaObjSet
修改 jg 00403AA4为jmp 00403AA4, 选中nop填充。好了,我们试试!…我试了,还是失败,为什么呢?我们继续向上浏览代码:
004036D3 .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj
004036D9 >8B45 E4 mov eax,dword ptr ss:
004036DC .50 push eax ;// eax = "123123"
004036DD .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>;msvbvm60.__vbaLenBstr
004036E3 .33C9 xor ecx,ecx ;// eax = 6
004036E5 .83F8 09 cmp eax,0x9 ;// 必须为9
004036E8 .0F95C1 setne cl
004036EB .F7D9 neg ecx
004036ED .8BF1 mov esi,ecx
004036EF .8D4D E4 lea ecx,dword ptr ss:
004036F2 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStr
004036F8 .8D4D D4 lea ecx,dword ptr ss:
004036FB .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;msvbvm60.__vbaFreeObj
00403701 .66:3BF3 cmp si,bx
00403704 .0F85 1A030000 jnz 00403A24 ;// 跳转到失败,文本长度判断
这里进行了文本字符窜长度的判断,必须为9.好吧,我们重新输入试试:http://images.cnitblog.com/blog/573547/201406/231857595642798.png哈哈,成功了!4、注册机的探索注册码的判断肯定在关键跳转附近,我们在附近找找:
0040373F .FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj
00403745 >8B45 E4 mov eax,dword ptr ss:
00403748 .50 push eax ;// eax ="123123123"
00403749 .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>;msvbvm60.__vbaLenBstr
0040374F .8BC8 mov ecx,eax ;// eax = 9
00403751 .FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>>;msvbvm60.__vbaI2I4
00403757 .8D4D E4 lea ecx,dword ptr ss:
0040375A .8985 14FFFFFF mov dword ptr ss:,eax ;// eax = 9
00403760 .C745 E8 01000>mov dword ptr ss:,0x1
00403767 .FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStr
0040376D .8D4D D4 lea ecx,dword ptr ss:
00403770 .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;msvbvm60.__vbaFreeObj
00403776 .8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaSt>;msvbvm60.__vbaStrMove
0040377C >66:8B8D 14FFF>mov cx,word ptr ss: ;// cx = eax = 9
00403783 .66:394D E8 cmp word ptr ss:,cx ;// 比较 0x1 与 cx
00403787 0F8F 17030000 jg 00403AA4 ;// 这里是关键跳
看到这里,我有点蛋疼,这个完全嗯哼之前一个程序的判断一样,与0x1比较判断,但是你懂的,这是不可能的。(我有些怀疑自己之前的理解是否正确,求大神指导啊!)所以,暂时没有注册码!只能爆破!
BY笨笨D幸福
32个赞 谢谢楼主精心的整理 值得学习 谢谢楼主 Ctrl+F2?Ctrl+F12? 整理的精确,希望能帮助新人们。 月光下の魔术师 发表于 2014-6-23 19:29
Ctrl+F2?Ctrl+F12?
确实是我错了,真细心!谢谢纠正! 算了,这个和以前的一样。还是不懂。 004039B6 .FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>] ;msvbvm60.__vbaVarTstNe
........
........
就算这个的返回值为0。 导致程序执行到jmp 0040377C,也会执行到开始的代码,比较字符串长度与1的大小。
00403A01 .66:85FF test di,di ; edi==0时jnz不跳,则正确
00403A04 75 1C jnz short 00403A22 ;关键跳
00403A06 .8B7D 08 mov edi,dword ptr ss:
00403A09 .B8 01000000 mov eax,0x1
00403A0E .66:0345 E8 add ax,word ptr ss:
00403A12 .0F80 94010000 jo 00403BAC
00403A18 .8945 E8 mov dword ptr ss:,eax
00403A1B .33DB xor ebx,ebx
00403A1D .^ E9 5AFDFFFF jmp 0040377C
所以这题应该没有注册码,只能爆破。。。{:301_1005:}和14题一样,真的很无语啊。。
页:
[1]
2