hackwm 超简单crackme分析
本帖最后由 missviola 于 2009-10-20 16:01 编辑
【破文标题】hackwm 超简单crackme分析
【破文作者】missviola
【破解工具】PEID OllyDbg
【原版下载】http://www.52pojie.cn/thread-4182-1-1.html
【破解平台】Windows XP
【破解声明】只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------
【破解过程】首先用PEID查壳,发现为VB编写。用vpexplorer找到注册按钮对应事件的地址为00402250,F2下好断点,输入QQ号码
327442221、注册码123456,点击注册后断下,F8单步进行分析。
00402250 > \55 push ebp
00402251 .8BEC mov ebp, esp
00402253 .83EC 0C sub esp, 0C
00402256 .68 F6104000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
0040225B .64:A1 0000000>mov eax, dword ptr fs:
00402261 .50 push eax
00402262 .64:8925 00000>mov dword ptr fs:, esp
00402269 .81EC A0010000 sub esp, 1A0
0040226F .53 push ebx
00402270 .56 push esi
00402271 .57 push edi
00402272 .8965 F4 mov dword ptr , esp
00402275 .C745 F8 D8104>mov dword ptr , 004010D8
0040227C .8B75 08 mov esi, dword ptr
0040227F .8BC6 mov eax, esi
00402281 .83E0 01 and eax, 1
00402284 .8945 FC mov dword ptr , eax
00402287 .83E6 FE and esi, FFFFFFFE
0040228A .56 push esi
0040228B .8975 08 mov dword ptr , esi
0040228E .8B0E mov ecx, dword ptr
00402290 .FF51 04 call dword ptr
00402293 .8B16 mov edx, dword ptr
00402295 .33FF xor edi, edi
00402297 .56 push esi
00402298 .897D DC mov dword ptr , edi
0040229B .897D D4 mov dword ptr , edi
0040229E .897D D0 mov dword ptr , edi
004022A1 .897D C0 mov dword ptr , edi
004022A4 .897D B0 mov dword ptr , edi
004022A7 .897D A0 mov dword ptr , edi
004022AA .897D 90 mov dword ptr , edi
004022AD .897D 80 mov dword ptr , edi
004022B0 .89BD 70FFFFFF mov dword ptr , edi
004022B6 .89BD 60FFFFFF mov dword ptr , edi
004022BC .89BD 50FFFFFF mov dword ptr , edi
004022C2 .89BD 40FFFFFF mov dword ptr , edi
004022C8 .89BD 30FFFFFF mov dword ptr , edi
004022CE .89BD 20FFFFFF mov dword ptr , edi
004022D4 .89BD 10FFFFFF mov dword ptr , edi
004022DA .89BD 00FFFFFF mov dword ptr , edi
004022E0 .89BD F0FEFFFF mov dword ptr , edi
004022E6 .89BD E0FEFFFF mov dword ptr , edi
004022EC .89BD D0FEFFFF mov dword ptr , edi
004022F2 .89BD C0FEFFFF mov dword ptr , edi
004022F8 .89BD B0FEFFFF mov dword ptr , edi
004022FE .89BD A0FEFFFF mov dword ptr , edi
00402304 .89BD 90FEFFFF mov dword ptr , edi
0040230A .89BD 80FEFFFF mov dword ptr , edi
00402310 .89BD 70FEFFFF mov dword ptr , edi
00402316 .FF92 08030000 call dword ptr
0040231C .50 push eax
0040231D .8D45 D0 lea eax, dword ptr
00402320 .50 push eax
00402321 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
00402327 .8BD8 mov ebx, eax
00402329 .8D55 D4 lea edx, dword ptr
0040232C .52 push edx
0040232D .53 push ebx
0040232E .8B0B mov ecx, dword ptr
00402330 .FF91 A0000000 call dword ptr
00402336 .3BC7 cmp eax, edi
00402338 .DBE2 fclex
0040233A .7D 12 jge short 0040234E
0040233C .68 A0000000 push 0A0
00402341 .68 9C194000 push 0040199C
00402346 .53 push ebx
00402347 .50 push eax
00402348 .FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0040234E >8B45 D4 mov eax, dword ptr
00402351 .8D55 C0 lea edx, dword ptr
00402354 .8D4D DC lea ecx, dword ptr
00402357 .897D D4 mov dword ptr , edi
0040235A .8945 C8 mov dword ptr , eax
0040235D .C745 C0 08000>mov dword ptr , 8
00402364 .FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>;MSVBVM60.__vbaVarMove
0040236A .8D4D D0 lea ecx, dword ptr
0040236D .FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
00402373 .8B06 mov eax, dword ptr
00402375 .56 push esi
00402376 .FF90 04030000 call dword ptr
0040237C .8D4D D0 lea ecx, dword ptr
0040237F .50 push eax
00402380 .51 push ecx
00402381 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSet
00402387 .8BF0 mov esi, eax
00402389 .8D45 D4 lea eax, dword ptr
0040238C .50 push eax
0040238D .56 push esi
0040238E .8B16 mov edx, dword ptr
00402390 .FF92 A0000000 call dword ptr
00402396 .3BC7 cmp eax, edi
00402398 .DBE2 fclex
0040239A .7D 12 jge short 004023AE
0040239C .68 A0000000 push 0A0
004023A1 .68 9C194000 push 0040199C
004023A6 .56 push esi
004023A7 .50 push eax
004023A8 .FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
004023AE >DD05 D0104000 fld qword ptr =14
004023B4 .833D 00304000>cmp dword ptr , 0
004023BB .75 08 jnz short 004023C5
004023BD .DC35 C8104000 fdiv qword ptr =4,两个数相除
004023C3 . /EB 11 jmp short 004023D6
004023C5 > |FF35 CC104000 push dword ptr
004023CB . |FF35 C8104000 push dword ptr
004023D1 . |E8 3EEDFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004023D6 > \8B45 D4 mov eax, dword ptr
004023D9 .B9 02000000 mov ecx, 2
004023DE .8985 28FFFFFF mov dword ptr , eax
004023E4 .BA 05000000 mov edx, 5
004023E9 .898D 00FFFFFF mov dword ptr , ecx
004023EF .898D E0FEFFFF mov dword ptr , ecx
004023F5 .898D C0FEFFFF mov dword ptr , ecx
004023FB .898D B0FEFFFF mov dword ptr , ecx
00402401 .898D 90FEFFFF mov dword ptr , ecx
00402407 .8995 F0FEFFFF mov dword ptr , edx
0040240D .8995 D0FEFFFF mov dword ptr , edx
00402413 .8995 A0FEFFFF mov dword ptr , edx
00402419 .8995 80FEFFFF mov dword ptr , edx
0040241F .8D8D 20FFFFFF lea ecx, dword ptr
00402425 .8D55 DC lea edx, dword ptr
00402428 .BE 03000000 mov esi, 3
0040242D .51 push ecx
0040242E .52 push edx
0040242F .8D4D C0 lea ecx, dword ptr
00402432 .89B5 08FFFFFF mov dword ptr , esi
00402438 .BB 04000000 mov ebx, 4
0040243D .89B5 70FEFFFF mov dword ptr , esi
00402443 .8B35 88104000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarAdd
00402449 .897D D4 mov dword ptr , edi
0040244C .C785 20FFFFFF>mov dword ptr , 8008
00402456 .899D E8FEFFFF mov dword ptr , ebx
0040245C .899D 98FEFFFF mov dword ptr , ebx
00402462 .C785 78FEFFFF>mov dword ptr , 3A8D1D87 ; 0x3A8D1D87=982326663 记住这个数,后面要用到哦
0040246C .DD9D F8FEFFFF fstp qword ptr
00402472 .DFE0 fstsw ax
00402474 .A8 0D test al, 0D
00402476 .0F85 01030000 jnz 0040277D
0040247C .DD05 C8104000 fld qword ptr =4
00402482 .833D 00304000>cmp dword ptr , 0
00402489 .75 08 jnz short 00402493
0040248B .DC35 C0104000 fdiv qword ptr =2
00402491 .EB 11 jmp short 004024A4
00402493 >FF35 C4104000 push dword ptr
00402499 .FF35 C0104000 push dword ptr
0040249F .E8 70ECFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004024A4 >DD9D D8FEFFFF fstp qword ptr
004024AA .DFE0 fstsw ax
004024AC .A8 0D test al, 0D
004024AE .0F85 C9020000 jnz 0040277D
004024B4 .DD05 C8104000 fld qword ptr =4
004024BA .833D 00304000>cmp dword ptr , 0
004024C1 .75 08 jnz short 004024CB
004024C3 .DC35 C0104000 fdiv qword ptr =2
004024C9 . /EB 11 jmp short 004024DC
004024CB > |FF35 C4104000 push dword ptr
004024D1 . |FF35 C0104000 push dword ptr
004024D7 . |E8 38ECFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004024DC > \B8 01000000 mov eax, 1
004024E1 .8985 C8FEFFFF mov dword ptr , eax
004024E7 .8985 B8FEFFFF mov dword ptr , eax
004024ED .DD9D A8FEFFFF fstp qword ptr
004024F3 .DFE0 fstsw ax
004024F5 .A8 0D test al, 0D
004024F7 .0F85 80020000 jnz 0040277D
004024FD .DD05 B8104000 fld qword ptr =28
00402503 .833D 00304000>cmp dword ptr , 0
0040250A .75 08 jnz short 00402514
0040250C .DC35 C0104000 fdiv qword ptr =2
00402512 .EB 11 jmp short 00402525
00402514 > \FF35 C4104000 push dword ptr
0040251A .FF35 C0104000 push dword ptr
00402520 .E8 EFEBFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
00402525 >DD9D 88FEFFFF fstp qword ptr
0040252B .DFE0 fstsw ax
0040252D .A8 0D test al, 0D
0040252F .0F85 48020000 jnz 0040277D
00402535 .8D85 00FFFFFF lea eax, dword ptr
0040253B .50 push eax
0040253C .51 push ecx
0040253D .FFD6 call esi
这个call步过以后,OD寄存器窗口中ST7的数值为327442224.00000000000,是我们的QQ号码加上3以后的结果。我们接着往下看。
0040253F .8B1D 00104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaVarSub
00402545 .50 push eax ; /var18
00402546 .8D95 F0FEFFFF lea edx, dword ptr ; |
0040254C .8D45 B0 lea eax, dword ptr ; |
0040254F .52 push edx ; |var28
00402550 .50 push eax ; |SaveTo8
00402551 .FFD3 call ebx ; \__vbaVarSub
00402553 .8D8D E0FEFFFF lea ecx, dword ptr
00402550的call步过以后,st7的数值为327442220.50000000000,是之前的结果减去3.5以后的结果。所以每步过一个vbaVarSub或者
vbaVarAdd的call以后,我们只需要关心st7里面的值,就能明白加上或者减去的数字了。
00402559 .50 push eax
0040255A .8D55 A0 lea edx, dword ptr
0040255D .51 push ecx
0040255E .52 push edx
0040255F .FFD6 call esi vbaVarAdd st7=327442224.50000000000
00402561 .50 push eax
00402562 .8D85 D0FEFFFF lea eax, dword ptr
00402568 .8D4D 90 lea ecx, dword ptr
0040256B .50 push eax
0040256C .51 push ecx
0040256D .FFD3 call ebx vbaVarSub st7=327442222.50000000000
0040256F .8D95 C0FEFFFF lea edx, dword ptr
00402575 .50 push eax
00402576 .52 push edx
00402577 .8D45 80 lea eax, dword ptr
0040257A .50 push eax
0040257B .FFD6 call esi vbaVarAdd st7=327442223.50000000000
0040257D .8D8D B0FEFFFF lea ecx, dword ptr
00402583 .50 push eax
00402584 .8D95 70FFFFFF lea edx, dword ptr
0040258A .51 push ecx
0040258B .52 push edx
0040258C .FFD6 call esi vbaVarAdd st7=327442224.50000000000
0040258E .50 push eax
0040258F .8D85 A0FEFFFF lea eax, dword ptr
00402595 .8D8D 60FFFFFF lea ecx, dword ptr
0040259B .50 push eax
0040259C .51 push ecx
0040259D .FFD3 call ebx vbaVarSub st7=327442222.50000000000
0040259F .50 push eax
004025A0 .8D95 90FEFFFF lea edx, dword ptr
004025A6 .8D85 50FFFFFF lea eax, dword ptr
004025AC .52 push edx
004025AD .50 push eax
004025AE .FFD6 call esi vbaVarAdd st7=327442226.50000000000
004025B0 .8D8D 80FEFFFF lea ecx, dword ptr
004025B6 .50 push eax
004025B7 .8D95 40FFFFFF lea edx, dword ptr
004025BD .51 push ecx
004025BE .52 push edx
004025BF .FFD3 call ebx vbaVarSub st7=327442212.50000000000
004025C1 .50 push eax
004025C2 .8D85 70FEFFFF lea eax, dword ptr
004025C8 .8D8D 30FFFFFF lea ecx, dword ptr
004025CE .50 push eax
004025CF .51 push ecx
004025D0 .FFD6 call esi MSVBVM60.__vbaVarAdd st7=1309768875.5000000000
此时st7中的数值就是真码了。我们跟进004025D0处的call可以发现,它加上的是0x3A8D1D87,这就是之前我让大家注意的那个数值。
我们接着往下看。
004025D2 .50 push eax ; |var28 = 0012F438
004025D3 .FF15 48104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq 检验注册码(比较两个Variant是否相等)
004025D9 .8D4D D0 lea ecx, dword ptr
004025DC .8BF0 mov esi, eax
004025DE .FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
004025E4 .8D95 30FFFFFF lea edx, dword ptr
004025EA .8D85 20FFFFFF lea eax, dword ptr
004025F0 .8B1D 18104000 mov ebx, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVarList
004025F6 .52 push edx
004025F7 .8D8D 50FFFFFF lea ecx, dword ptr
004025FD .50 push eax
004025FE .8D95 70FFFFFF lea edx, dword ptr
00402604 .51 push ecx
00402605 .8D45 80 lea eax, dword ptr
00402608 .52 push edx
00402609 .8D4D A0 lea ecx, dword ptr
0040260C .50 push eax
0040260D .8D55 C0 lea edx, dword ptr
00402610 .51 push ecx
00402611 .52 push edx
00402612 .6A 07 push 7
00402614 .FFD3 call ebx ;<&MSVBVM60.__vbaFreeVarList>
00402616 .83C4 20 add esp, 20
00402619 .66:3BF7 cmp si, di
0040261C 0F84 BE000000 je 004026E0 ; 关键跳,可以直接修改
分析到这里,这个crackme的算法我们也很清楚了:就是对QQ号码进行一系列的加减运算。根据最后的结果可以很容易地分析出,注册算法就是QQ号码减去8.5以后再加上0x3A8D1D87(即982326663)。
这是本小菜第一次在52pojie上发破文,希望各位大侠多多鼓励下,最后祝大家中秋节快乐~~
------------------------------------------------------------------------
【破解总结】
------------------------------------------------------------------------
【版权声明】本文原创于52pojie技术论坛,转载请注明作者并保持文章的完整,谢谢!
:lol 再总结一下算法吧,这样
2# zapline
zapline版主,我不是后面总结了算法了么。。。 QQ号码减去8.5然后加上982326663。。。
难道总结的不对么。。。:'(
weeqw 第一次写文章,分析得很不错了,最后能来个总结就更好了,加个算法注册机那就更完美了。加精鼓励,希望有更多妙文~
2# zapline
zapline版主,我不是后面总结了算法了么。。。 QQ号码减去8.5然后加上982326663。。。
难道总结的不对么。。。:'(
weeqw
汗,这么短啊,学习学习。
也学习学习!
学习学习。
看来这个对于我还是有点深奥,收藏先,等我晋级了再看看能懂否。