[反汇编练习] 160个CrackMe之037
[反汇编练习] 160个CrackMe之037.本系列文章的目的是从一个没有任何经验的新手的角度(其实就是我自己),一步步尝试将160个CrackMe全部破解,如果可以,通过任何方式写出一个类似于注册机的东西。其中,文章中按照如下逻辑编排(解决如下问题):1、使用什么环境和工具2、程序分析3、思路分析和破解流程4、注册机的探索----------------------------------提醒各位看客: 如果文章中的逻辑看不明白,那你一定是没有亲手操刀!OD中的跳转提示很强大,只要你跟踪了,不用怎么看代码就理解了!----------------------------------1、工具和环境:WinXP SP3 + 52Pojie六周年纪念版OD + PEID + 汇编金手指。160个CrackMe的打包文件。下载地址: http://pan.baidu.com/s/1xUWOY 密码: jbnq注:1、Win7系统对于模块和程序开启了随机初始地址的功能,会给分析带来很大的负担,所以不建议使用Win7进行分析。2、以上工具都是在52PoJie论坛下的原版程序,NOD32不报毒,个人承诺绝对不会进行任何和木马病毒相关内容。http://images.cnitblog.com/blog/573547/201406/192147191763366.png2、程序分析:想要破解一个程序,必须先了解这个程序。所以,在破解过程中,对最初程序的分析很重要,他可以帮助我们理解作者的目的和意图,特别是对于注册码的处理细节,从而方便我们反向跟踪和推导。和上一节一样,打开CHM,选择第35个CyberBlade.1.exe,保存下来。运行程序,程序界面如下:
PEID: Microsoft Visual Basic 5.0 / 6.0 3、思路分析和破解流程直接使用字符串查找,但是又因为他有信息框弹出,所以暂停,Ctrl+K,查看堆栈也可以的。具体步骤…写的都不想写了!!直接查看字符串吧! 右键->中文搜索插件->智能搜索:
随意看看,发现文本应该是不能少于9个,有很多的文本提示!不管是文本查找,随意跟进去一个,或着,暂停,然后堆栈查看都可以找到这一块:(代码很长,但是都是文本提示的内容)
0040E135 .F7DF neg edi
0040E137 .66:85FF test di,di
0040E13A .0F84 2C010000 je 0040E26C
0040E140 .BB 04000280 mov ebx,0x80020004
0040E145 .BF 0A000000 mov edi,0xA
0040E14A .BE 08000000 mov esi,0x8
0040E14F .8D55 80 lea edx,dword ptr ss:
0040E152 .8D4D C0 lea ecx,dword ptr ss:
0040E155 .895D A8 mov dword ptr ss:,ebx
0040E158 .897D A0 mov dword ptr ss:,edi
0040E15B .895D B8 mov dword ptr ss:,ebx
0040E15E .897D B0 mov dword ptr ss:,edi
0040E161 .C745 88 5C354>mov dword ptr ss:,0040355C ;UNICODE "Correct password"
0040E168 .8975 80 mov dword ptr ss:,esi
0040E16B .FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;msvbvm50.__vbaVarDup
0040E171 .8D55 90 lea edx,dword ptr ss:
0040E174 .8D4D D0 lea ecx,dword ptr ss:
0040E177 .C745 98 FC344>mov dword ptr ss:,004034FC ;UNICODE "Not bad, you have found the correct password."
0040E17E .8975 90 mov dword ptr ss:,esi
0040E181 .FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;msvbvm50.__vbaVarDup
0040E187 .8D55 A0 lea edx,dword ptr ss:
0040E18A .8D45 B0 lea eax,dword ptr ss:
0040E18D .52 push edx
0040E18E .8D4D C0 lea ecx,dword ptr ss:
0040E191 .50 push eax
0040E192 .51 push ecx
0040E193 .8D55 D0 lea edx,dword ptr ss:
0040E196 .6A 40 push 0x40
0040E198 .52 push edx
0040E199 .FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
0040E19F .8D45 A0 lea eax,dword ptr ss:
0040E1A2 .8D4D B0 lea ecx,dword ptr ss:
0040E1A5 .50 push eax
0040E1A6 .8D55 C0 lea edx,dword ptr ss:
0040E1A9 .51 push ecx
0040E1AA .8D45 D0 lea eax,dword ptr ss:
0040E1AD .52 push edx
0040E1AE .50 push eax
0040E1AF .6A 04 push 0x4
0040E1B1 .FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;msvbvm50.__vbaFreeVarList
0040E1B7 .897D A0 mov dword ptr ss:,edi
0040E1BA .897D B0 mov dword ptr ss:,edi
0040E1BD .8B3D 78114100 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarDup
0040E1C3 .83C4 14 add esp,0x14
0040E1C6 .8D55 80 lea edx,dword ptr ss:
0040E1C9 .8D4D C0 lea ecx,dword ptr ss:
0040E1CC .895D A8 mov dword ptr ss:,ebx
0040E1CF .895D B8 mov dword ptr ss:,ebx
0040E1D2 .C745 88 24364>mov dword ptr ss:,00403624 ;UNICODE "Correct password!"
0040E1D9 .8975 80 mov dword ptr ss:,esi
0040E1DC .FFD7 call edi ;<&MSVBVM50.__vbaVarDup>
0040E1DE .8D55 90 lea edx,dword ptr ss:
0040E1E1 .8D4D D0 lea ecx,dword ptr ss:
0040E1E4 .C745 98 84354>mov dword ptr ss:,00403584 ;UNICODE "Mail me, how you got it, there's a price waiting f"
0040E1EB .8975 90 mov dword ptr ss:,esi
0040E1EE .FFD7 call edi
0040E1F0 .8D4D A0 lea ecx,dword ptr ss:
0040E1F3 .8D55 B0 lea edx,dword ptr ss:
0040E1F6 .51 push ecx
0040E1F7 .8D45 C0 lea eax,dword ptr ss:
0040E1FA .52 push edx
0040E1FB .50 push eax
0040E1FC .8D4D D0 lea ecx,dword ptr ss:
0040E1FF .6A 40 push 0x40
0040E201 .51 push ecx
0040E202 .FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
0040E208 .8D55 A0 lea edx,dword ptr ss:
0040E20B .8D45 B0 lea eax,dword ptr ss:
0040E20E .52 push edx
0040E20F .8D4D C0 lea ecx,dword ptr ss:
0040E212 .50 push eax
0040E213 .8D55 D0 lea edx,dword ptr ss:
0040E216 .51 push ecx
0040E217 .52 push edx
0040E218 .6A 04 push 0x4
0040E21A .FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;msvbvm50.__vbaFreeVarList
0040E220 .8B45 08 mov eax,dword ptr ss:
0040E223 .8B8D 44FFFFFF mov ecx,dword ptr ss:
0040E229 .83C4 14 add esp,0x14
0040E22C .50 push eax
0040E22D .FF91 FC020000 call dword ptr ds:
0040E233 .8D55 E0 lea edx,dword ptr ss:
0040E236 .50 push eax
0040E237 .52 push edx
0040E238 .FF15 00114100 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;msvbvm50.__vbaObjSet
0040E23E .8BF0 mov esi,eax
0040E240 .68 4C364000 push 0040364C ;UNICODE "Exit"
0040E245 .56 push esi
0040E246 .8B06 mov eax,dword ptr ds:
0040E248 .FF50 54 call dword ptr ds:
0040E24B .85C0 test eax,eax
0040E24D .7D 0F jge short 0040E25E
0040E24F .6A 54 push 0x54
0040E251 .68 58364000 push 00403658
0040E256 .56 push esi
0040E257 .50 push eax
0040E258 .FF15 F8104100 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
0040E25E >8D4D E0 lea ecx,dword ptr ss:
0040E261 .FF15 90114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;msvbvm50.__vbaFreeObj
0040E267 .E9 E5010000 jmp 0040E451
0040E26C >66:8B43 50 mov ax,word ptr ds:
0040E270 .66:40 inc ax
0040E272 .0F80 83020000 jo 0040E4FB
0040E278 .66:3D 0600 cmp ax,0x6
0040E27C .66:8943 50 mov word ptr ds:,ax
0040E280 .0F85 0F010000 jnz 0040E395
0040E286 .BB 04000280 mov ebx,0x80020004
0040E28B .BF 0A000000 mov edi,0xA
0040E290 .BE 08000000 mov esi,0x8
0040E295 .8D55 80 lea edx,dword ptr ss:
0040E298 .8D4D C0 lea ecx,dword ptr ss:
0040E29B .895D A8 mov dword ptr ss:,ebx
0040E29E .897D A0 mov dword ptr ss:,edi
0040E2A1 .895D B8 mov dword ptr ss:,ebx
0040E2A4 .897D B0 mov dword ptr ss:,edi
0040E2A7 .C745 88 A4364>mov dword ptr ss:,004036A4 ;UNICODE "I can't stand it anymore"
0040E2AE .8975 80 mov dword ptr ss:,esi
0040E2B1 .FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;msvbvm50.__vbaVarDup
0040E2B7 .8D55 90 lea edx,dword ptr ss:
0040E2BA .8D4D D0 lea ecx,dword ptr ss:
0040E2BD .C745 98 6C364>mov dword ptr ss:,0040366C ;UNICODE "-=Do you need a hint ?=-"
0040E2C4 .8975 90 mov dword ptr ss:,esi
0040E2C7 .FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;msvbvm50.__vbaVarDup
0040E2CD .8D4D A0 lea ecx,dword ptr ss:
0040E2D0 .8D55 B0 lea edx,dword ptr ss:
0040E2D3 .51 push ecx
0040E2D4 .8D45 C0 lea eax,dword ptr ss:
0040E2D7 .52 push edx
0040E2D8 .50 push eax
0040E2D9 .8D4D D0 lea ecx,dword ptr ss:
0040E2DC .6A 24 push 0x24
0040E2DE .51 push ecx
0040E2DF .FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
0040E2E5 .33D2 xor edx,edx
0040E2E7 .83F8 07 cmp eax,0x7
0040E2EA .0F94C2 sete dl
0040E2ED .F7DA neg edx
0040E2EF .8D45 A0 lea eax,dword ptr ss:
0040E2F2 .8995 5CFFFFFF mov dword ptr ss:,edx
0040E2F8 .8D4D B0 lea ecx,dword ptr ss:
0040E2FB .50 push eax
0040E2FC .8D55 C0 lea edx,dword ptr ss:
0040E2FF .51 push ecx
0040E300 .8D45 D0 lea eax,dword ptr ss:
0040E303 .52 push edx
0040E304 .50 push eax
0040E305 .6A 04 push 0x4
0040E307 .FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;msvbvm50.__vbaFreeVarList
0040E30D .83C4 14 add esp,0x14
0040E310 .66:83BD 5CFFF>cmp word ptr ss:,0x0
0040E318 .0F85 72010000 jnz 0040E490
0040E31E .897D A0 mov dword ptr ss:,edi
0040E321 .897D B0 mov dword ptr ss:,edi
0040E324 .8B3D 78114100 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarDup
0040E32A .8D55 80 lea edx,dword ptr ss:
0040E32D .8D4D C0 lea ecx,dword ptr ss:
0040E330 .895D A8 mov dword ptr ss:,ebx
0040E333 .895D B8 mov dword ptr ss:,ebx
0040E336 .C745 88 F8364>mov dword ptr ss:,004036F8 ;UNICODE "he, he..."
0040E33D .8975 80 mov dword ptr ss:,esi
0040E340 .FFD7 call edi ;<&MSVBVM50.__vbaVarDup>
0040E342 .8D55 90 lea edx,dword ptr ss:
0040E345 .8D4D D0 lea ecx,dword ptr ss:
0040E348 .C745 98 DC364>mov dword ptr ss:,004036DC ;UNICODE "Forget it."
0040E34F .8975 90 mov dword ptr ss:,esi
0040E352 .FFD7 call edi
0040E354 .8D4D A0 lea ecx,dword ptr ss:
0040E357 .8D55 B0 lea edx,dword ptr ss:
0040E35A .51 push ecx
0040E35B .8D45 C0 lea eax,dword ptr ss:
0040E35E .52 push edx
0040E35F .50 push eax
0040E360 .8D4D D0 lea ecx,dword ptr ss:
0040E363 .6A 40 push 0x40
0040E365 .51 push ecx
0040E366 .FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
0040E36C .8D55 A0 lea edx,dword ptr ss:
0040E36F .8D45 B0 lea eax,dword ptr ss:
0040E372 .52 push edx
0040E373 .8D4D C0 lea ecx,dword ptr ss:
0040E376 .50 push eax
0040E377 .8D55 D0 lea edx,dword ptr ss:
0040E37A .51 push ecx
0040E37B .52 push edx
0040E37C .6A 04 push 0x4
0040E37E .FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;msvbvm50.__vbaFreeVarList
0040E384 .8B45 08 mov eax,dword ptr ss:
0040E387 .83C4 14 add esp,0x14
0040E38A .66:C740 50 00>mov word ptr ds:,0x0
0040E390 .E9 BC000000 jmp 0040E451
0040E395 >BF 0A000000 mov edi,0xA
0040E39A .BB 04000280 mov ebx,0x80020004
0040E39F .BE 08000000 mov esi,0x8
0040E3A4 .66:3D 0300 cmp ax,0x3
0040E3A8 .897D A0 mov dword ptr ss:,edi
0040E3AB .897D B0 mov dword ptr ss:,edi
0040E3AE .8B3D 78114100 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarDup
0040E3B4 .895D A8 mov dword ptr ss:,ebx
0040E3B7 .895D B8 mov dword ptr ss:,ebx
0040E3BA .C745 88 A0374>mov dword ptr ss:,004037A0 ;UNICODE "Failed"
0040E3C1 .8975 80 mov dword ptr ss:,esi
0040E3C4 .8D55 80 lea edx,dword ptr ss:
0040E3C7 .8D4D C0 lea ecx,dword ptr ss:
0040E3CA .7E 3E jle short 0040E40A
0040E3CC .FFD7 call edi ;<&MSVBVM50.__vbaVarDup>
0040E3CE .8D55 90 lea edx,dword ptr ss:
0040E3D1 .8D4D D0 lea ecx,dword ptr ss:
0040E3D4 .C745 98 10374>mov dword ptr ss:,00403710 ;UNICODE "Have you ever been trying to be successful in crac"
0040E3DB .8975 90 mov dword ptr ss:,esi
0040E3DE .FFD7 call edi
0040E3E0 .8D4D A0 lea ecx,dword ptr ss:
0040E3E3 .8D55 B0 lea edx,dword ptr ss:
0040E3E6 .51 push ecx
0040E3E7 .8D45 C0 lea eax,dword ptr ss:
0040E3EA .52 push edx
0040E3EB .50 push eax
0040E3EC .8D4D D0 lea ecx,dword ptr ss:
0040E3EF .6A 20 push 0x20
0040E3F1 .51 push ecx
0040E3F2 .FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
0040E3F8 .8D55 A0 lea edx,dword ptr ss:
0040E3FB .8D45 B0 lea eax,dword ptr ss:
0040E3FE .52 push edx
0040E3FF .8D4D C0 lea ecx,dword ptr ss:
0040E402 .50 push eax
0040E403 .8D55 D0 lea edx,dword ptr ss:
0040E406 .51 push ecx
0040E407 .52 push edx
0040E408 .EB 3C jmp short 0040E446
0040E40A >FFD7 call edi
0040E40C .8D55 90 lea edx,dword ptr ss:
0040E40F .8D4D D0 lea ecx,dword ptr ss:
0040E412 .C745 98 B4374>mov dword ptr ss:,004037B4 ;UNICODE "Sorry, wrong key."
0040E419 .8975 90 mov dword ptr ss:,esi
0040E41C .FFD7 call edi
0040E41E .8D45 A0 lea eax,dword ptr ss:
0040E421 .8D4D B0 lea ecx,dword ptr ss:
0040E424 .50 push eax
0040E425 .8D55 C0 lea edx,dword ptr ss:
0040E428 .51 push ecx
0040E429 .52 push edx
0040E42A .8D45 D0 lea eax,dword ptr ss:
0040E42D .6A 40 push 0x40
0040E42F .50 push eax
0040E430 .FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>] ;msvbvm50.rtcMsgBox
根据文本提示,Correct password,找到对应的跳转 0040E13A /0F84 2C010000 je 0040E26C爆破:
选中 0040E13A /0F84 2C010000 je 0040E26C 右键->Binary-> NOP填充
4、注册机的探索关键跳转附近, 算法处理如下:
0040E0E2 .FF15 F8104100 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
0040E0E8 >8B4D E4 mov ecx,dword ptr ss:
0040E0EB .51 push ecx ; /Arg1="123456789"
0040E0EC .FF15 5C114100 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; \__vbaR8Str
0040E0F2 .DB43 4C fild dword ptr ds: ;// ST0 = xxx, 压栈后ST0 = 12D1FB78= 315751288
0040E0F5 .DD9D 38FFFFFF fstp qword ptr ss:
0040E0FB .DCA5 38FFFFFF fsub qword ptr ss: ;// 两个数减,315751288 - 123456789 = -192294499 ? 负的?
0040E101 .DFE0 fstsw ax
0040E103 .A8 0D test al,0xD ;// 浮点数错误检测
0040E105 .0F85 EB030000 jnz 0040E4F6
0040E10B .FF15 14114100 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>;msvbvm50.__vbaFpR8
0040E111 .DC1D 08104000 fcomp qword ptr ds: ;// 浮点数比较然后出栈
0040E117 .DFE0 fstsw ax
0040E119 .F6C4 40 test ah,0x40
0040E11C .74 05 je short 0040E123 ;// 这个条件必须成立,否则edi=1就失败了
0040E11E .BF 01000000 mov edi,0x1
0040E123 >8D4D E4 lea ecx,dword ptr ss:
0040E126 .FF15 8C114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;msvbvm50.__vbaFreeStr
0040E12C .8D4D E0 lea ecx,dword ptr ss:
0040E12F .FF15 90114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;msvbvm50.__vbaFreeObj
0040E135 .F7DF neg edi ;// edi = 1 则就失败了
0040E137 .66:85FF test di,di
0040E13A 0F84 2C010000 je 0040E26C ;// 在这里爆破
核心的一个内容是fcomp命令,其实不是它多难,只是我以前都没见过,然后找啊找啊找!!看雪论坛找到fcomp问题:条件 C3 C2 C0
ST(0) > SRC 0 0 0
ST(0) < SRC 0 0 1
ST(0)SRC 1 00
无序* 1 1 1
有了。FPU的状态字呀。貌似弹栈就是把st(0)的数据清除了、0040E119 .F6C4 40 test ah,0x40
0040E11C . /74 05 je short 0040E123 ;// 这个条件必须成立,否则edi=1就失败了所以,ST(0) 必须等于的值315751288
BY 笨笨D幸福
nice坐等38 的分析 膜拜LZ dych1688 发表于 2014-7-30 20:29
怎么不更新了啊 。。
{:1_932:}{:1_931:}为了后半生的xingfu努力,累的要死!更新这等小事,七夕过后继续! 老师这么不出个语言教程出来啊 学习了,很详细 楼主我又来学习了 终于赶上来了. 怎么不更新了啊 。。
页:
[1]
2