160个CrackMe-003
003和002是同一款程序,不过作者更新了一次算法。002仅仅是直接拿了账户的第一个字节来做处理,003虽然也是拿账户的第一个字节,但是大量地使用了“字符串转浮点数、浮点数再转回字符串”的操作,并且针对转换后的浮点数进行了运算。作者在这一个CM中不允许输入0~9之外的字符,否则会走异常退出。这个程序就不爆破了,因为爆破点和002在同一处。不过算法部分作者并未移到其他地方,还是在爆破点之前,寻找算法的方式和002一样。
004081C9 .51 push ecx
004081CA .53 push ebx
004081CB .8B03 mov eax,dword ptr ds: ;vtable of the object in ebx (operand text was lost in this paste)
004081CD .FF90 A0000000 call dword ptr ds: ;vtable slot +0xA0: fetch the account (user-name) text
004081D3 .3BC7 cmp eax,edi ;HRESULT check; edi is presumably 0 at this point - verify
004081D5 .7D 12 jge XAfKayAs_.004081E9 ;success -> skip the error path
004081D7 .68 A0000000 push 0xA0
004081DC .68 AC6F4000 push AfKayAs_.00406FAC
004081E1 .53 push ebx
004081E2 .50 push eax
004081E3 .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;msvbvm50.__vbaHresultCheckObj - raise the VB error for the failed COM call
004081E9 >8B95 50FFFFFF mov edx,dword ptr ss:
004081EF .8B45 E4 mov eax,dword ptr ss: ;eax = account BSTR
004081F2 .50 push eax ; /String
004081F3 .8B1A mov ebx,dword ptr ds: ; |
004081F5 .FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr
004081FB .8BF8 mov edi,eax ;edi = Len(account)
004081FD .8B4D E8 mov ecx,dword ptr ss:
00408200 .69FF 385B0100 imul edi,edi,0x15B38 ;edi = len * 0x15B38 (signed 32-bit multiply)
00408206 .51 push ecx ; /String
00408207 .0F80 B7050000 jo AfKayAs_.004087C4 ; |OF set: the product does not fit a signed 32-bit int -> VB overflow error path
0040820D .FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr = Asc(first char of the account)
00408213 .0FBFD0 movsx edx,ax ;sign-extend the 16-bit Asc() result
00408216 .03FA add edi,edx ;edi = len * 0x15B38 + Asc(first char)
00408218 .0F80 A6050000 jo AfKayAs_.004087C4 ;OF from the add (not the imul) -> same overflow error path
0040821E .57 push edi ;argument for the integer -> string conversion
0040821F .FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>] ;msvbvm50.__vbaStrI4: eax = CStr(edi)
00408225 .8BD0 mov edx,eax ;edx = the new BSTR
00408227 .8D4D E0 lea ecx,dword ptr ss: ;destination string variable (the assignment continues after the cut)
........
004082BA .8D45 E8 lea eax,dword ptr ss: ;out-param that receives the text
004082BD .50 push eax
004082BE .53 push ebx
004082BF .8B13 mov edx,dword ptr ds: ;vtable of the object in ebx
004082C1 .FF92 A0000000 call dword ptr ds: ;read the computed KEY back, as a string
004082C7 .85C0 test eax,eax ;HRESULT < 0 ?
004082C9 .7D 12 jge XAfKayAs_.004082DD ;success -> skip the error path
004082CB .68 A0000000 push 0xA0
004082D0 .68 AC6F4000 push AfKayAs_.00406FAC
004082D5 .53 push ebx
004082D6 .50 push eax
004082D7 .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;msvbvm50.__vbaHresultCheckObj - error path for the failed call
004082DD >8B8D 58FFFFFF mov ecx,dword ptr ss:
004082E3 .8B55 E8 mov edx,dword ptr ss: ;edx = KEY string
004082E6 .52 push edx
004082E7 .8B19 mov ebx,dword ptr ds:
004082E9 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ;st0 = CDbl(KEY string)
004082EF .D905 08104000 fld dword ptr ds: ;push the single at 0x00401008 (10.0 in the author's session); st0 = 10.0, st1 = KEY
004082F5 .833D 00904000>cmp dword ptr ds:,0x0 ;runtime flag at 0x00409000, presumably the Pentium-FDIV-bug workaround switch - verify
004082FC .75 08 jnz XAfKayAs_.00408306 ;flag set -> divide through the runtime helper instead
004082FE .D835 0C104000 fdiv dword ptr ds: ;st0 = 10.0 / single at 0x0040100C (5.0 per the author) = 2.0
00408304 .EB 0B jmp XAfKayAs_.00408311
00408306 >FF35 0C104000 push dword ptr ds:
0040830C .E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32> ;same division via the runtime helper
00408311 >83EC 08 sub esp,0x8 ;reserve the 8-byte double argument for __vbaStrR8 below
00408314 .DFE0 fstsw ax ;x87 status word -> ax
00408316 .A8 0D test al,0xD ;IE|ZE|OE (bits 0,2,3): any FP exception flag set ?
00408318 .0F85 A1040000 jnz AfKayAs_.004087BF ;-> FP error handler
0040831E .DEC1 faddp st(1),st ;st0 = KEY + 2.0 (the 2.0 is popped)
00408320 .DFE0 fstsw ax
00408322 .A8 0D test al,0xD ;re-check the FP exception flags after the add
00408324 .0F85 95040000 jnz AfKayAs_.004087BF
0040832A .DD1C24 fstp qword ptr ss: ;store KEY + 2.0 to [esp] as the argument of the call below
0040832D .FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ;eax = CStr(double): KEY back to a string
00408333 .8BD0 mov edx,eax ;edx = new KEY string (the assignment continues after the cut)
......
004083C6 .8D45 E8 lea eax,dword ptr ss: ;out-param that receives the text
004083C9 .50 push eax
004083CA .53 push ebx
004083CB .8B13 mov edx,dword ptr ds: ;vtable of the object in ebx
004083CD .FF92 A0000000 call dword ptr ds: ;read the KEY back, as a string
004083D3 .85C0 test eax,eax ;HRESULT < 0 ?
004083D5 .7D 12 jge XAfKayAs_.004083E9 ;success -> skip the error path
004083D7 .68 A0000000 push 0xA0
004083DC .68 AC6F4000 push AfKayAs_.00406FAC
004083E1 .53 push ebx
004083E2 .50 push eax
004083E3 .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;msvbvm50.__vbaHresultCheckObj - error path for the failed call
004083E9 >8B8D 58FFFFFF mov ecx,dword ptr ss:
004083EF .8B55 E8 mov edx,dword ptr ss: ;edx = KEY string
004083F2 .52 push edx
004083F3 .8B19 mov ebx,dword ptr ds:
004083F5 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ;st0 = CDbl(KEY string)
004083FB .DC0D 10104000 fmul qword ptr ds: ;st0 = KEY * double at 0x00401010 (3.0 in the author's session)
00408401 .83EC 08 sub esp,0x8 ;reserve the 8-byte double argument for __vbaStrR8 below
00408404 .DC25 18104000 fsub qword ptr ds: ;st0 = KEY * 3.0 - double at 0x00401018 (2.0 per the author)
0040840A .DFE0 fstsw ax ;x87 status word -> ax
0040840C .A8 0D test al,0xD ;IE|ZE|OE set ?
0040840E .0F85 AB030000 jnz AfKayAs_.004087BF ;-> FP error handler
00408414 .DD1C24 fstp qword ptr ss: ;store the double to [esp] as the argument of the call below (the conversion itself happens in __vbaStrR8)
00408417 .FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ;msvbvm50.__vbaStrR8: eax = CStr(double)
0040841D .8BD0 mov edx,eax ;edx = new KEY string
0040841F .8D4D E4 lea ecx,dword ptr ss: ;destination string variable (the assignment continues after the cut)
.....
004084AE .8BD8 mov ebx,eax ;ebx = object returned by the (cut) call above
004084B0 .8D45 E8 lea eax,dword ptr ss: ;out-param that receives the text
004084B3 .50 push eax
004084B4 .53 push ebx
004084B5 .8B13 mov edx,dword ptr ds: ;vtable of the object in ebx
004084B7 .FF92 A0000000 call dword ptr ds: ;read the KEY back, as a string
004084BD .85C0 test eax,eax ;HRESULT < 0 ?
004084BF .7D 12 jge XAfKayAs_.004084D3 ;success -> skip the error path
004084C1 .68 A0000000 push 0xA0
004084C6 .68 AC6F4000 push AfKayAs_.00406FAC
004084CB .53 push ebx
004084CC .50 push eax
004084CD .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;msvbvm50.__vbaHresultCheckObj - error path for the failed call
004084D3 >8B8D 58FFFFFF mov ecx,dword ptr ss:
004084D9 .8B55 E8 mov edx,dword ptr ss: ;edx = KEY string
004084DC .52 push edx
004084DD .8B19 mov ebx,dword ptr ds:
004084DF .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ;st0 = CDbl(KEY string)
004084E5 .DC25 20104000 fsub qword ptr ds: ;st0 = KEY - double at 0x00401020; the author reads the result as KEY + 15.0, which implies that constant is -15.0 - verify in the debugger
004084EB .83EC 08 sub esp,0x8 ;reserve the 8-byte double argument for __vbaStrR8 below
004084EE .DFE0 fstsw ax ;x87 status word -> ax
004084F0 .A8 0D test al,0xD ;IE|ZE|OE set ?
004084F2 .0F85 C7020000 jnz AfKayAs_.004087BF ;-> FP error handler
004084F8 .DD1C24 fstp qword ptr ss: ;store the double to [esp] as the argument of the call below
004084FB .FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ;msvbvm50.__vbaStrR8: eax = CStr(double) - the final KEY string
00408501 .8BD0 mov edx,eax ;edx = final KEY string (the assignment continues after the cut)
......
00408570 .8BD8 mov ebx,eax ;ebx = object returned by the (cut) call above
00408572 .8D4D E4 lea ecx,dword ptr ss: ;out-param for the KEY text
00408575 .51 push ecx
00408576 .53 push ebx
00408577 .8B03 mov eax,dword ptr ds: ;vtable of the object in ebx
00408579 .FF90 A0000000 call dword ptr ds: ;read the final computed KEY, as a string
0040857F .85C0 test eax,eax ;HRESULT < 0 ?
00408581 .7D 12 jge XAfKayAs_.00408595 ;success -> skip the error path
00408583 .68 A0000000 push 0xA0
00408588 .68 AC6F4000 push AfKayAs_.00406FAC
0040858D .53 push ebx
0040858E .50 push eax
0040858F .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;msvbvm50.__vbaHresultCheckObj - error path for the failed call
00408595 >8B95 40FFFFFF mov edx,dword ptr ss: ;another object; judging by the call at 004085B2 this leads to the password control - verify
0040859B .56 push esi
0040859C .FF92 14030000 call dword ptr ds: ;vtable slot +0x314 on that object; purpose not visible here
004085A2 .50 push eax
004085A3 .8D45 DC lea eax,dword ptr ss:
004085A6 .50 push eax
004085A7 .FFD7 call edi ;edi holds a function pointer set before the cut - not visible here
004085A9 .8BF0 mov esi,eax ;esi = object returned by that call
004085AB .8D55 E8 lea edx,dword ptr ss: ;out-param for the password text
004085AE .52 push edx
004085AF .56 push esi
004085B0 .8B0E mov ecx,dword ptr ds: ;vtable of the object in esi
004085B2 .FF91 A0000000 call dword ptr ds: ;read the password typed by the user, as a string
004085B8 .85C0 test eax,eax ;HRESULT < 0 ?
004085BA .7D 12 jge XAfKayAs_.004085CE ;success -> skip the error path
004085BC .68 A0000000 push 0xA0
004085C1 .68 AC6F4000 push AfKayAs_.00406FAC
004085C6 .56 push esi
004085C7 .50 push eax
004085C8 .FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;msvbvm50.__vbaHresultCheckObj - error path for the failed call
004085CE >8B45 E8 mov eax,dword ptr ss: ;eax = password string
004085D1 .50 push eax
004085D2 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ;st0 = CDbl(password string); presumably where non-numeric input raises the runtime error the author mentions (only 0-9 accepted) - verify
004085D8 .8B4D E4 mov ecx,dword ptr ss: ;ecx = computed KEY string
004085DB .DD9D 1CFFFFFF fstp qword ptr ss: ;pop the password double into the local at [ebp-E4]
004085E1 .51 push ecx
004085E2 .FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ;st0 = CDbl(computed KEY string)
004085E8 .833D 00904000>cmp dword ptr ds:,0x0 ;same runtime flag as at 004082F5 (FDIV workaround switch)
004085EF .75 08 jnz XAfKayAs_.004085F9 ;flag set -> divide through the runtime helper instead
004085F1 .DCBD 1CFFFFFF fdivr qword ptr ss: ;fdivr: st0 = [ebp-E4] / st0 = password / computed KEY
004085F7 .EB 11 jmp XAfKayAs_.0040860A
004085F9 >FFB5 20FFFFFF push dword ptr ss:
004085FF .FFB5 1CFFFFFF push dword ptr ss:
00408605 .E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64> ;same division via the runtime helper
0040860A >DFE0 fstsw ax ;x87 status word -> ax
0040860C .A8 0D test al,0xD ;IE|ZE|OE set ?
0040860E .0F85 AB010000 jnz AfKayAs_.004087BF ;-> FP error handler
00408614 .FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>] ;msvbvm50.__vbaFpR8 - runtime FP result check before the compare (per the import name; verify)
0040861A .DC1D 28104000 fcomp qword ptr ds: ;compare the quotient with the double at 0x00401028 (1.0 per the author), then pop
00408620 .DFE0 fstsw ax ;x87 status word -> ax
00408622 .F6C4 40 test ah,0x40 ;bit 14 of the status word is C3, which fcomp sets when the operands are equal
00408625 .74 07 je XAfKayAs_.0040862E ;C3 clear -> quotient != 1.0 -> esi = 0
00408627 .BE 01000000 mov esi,0x1 ;quotient == 1.0: password matches the KEY -> esi = 1
0040862C .EB 02 jmp XAfKayAs_.00408630
0040862E >33F6 xor esi,esi ;mismatch -> esi = 0
00408630 >8D55 E4 lea edx,dword ptr ss: ;free the two temporary strings (KEY, password)
00408633 .8D45 E8 lea eax,dword ptr ss:
00408636 .52 push edx
00408637 .50 push eax
00408638 .6A 02 push 0x2
0040863A .FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>;msvbvm50.__vbaFreeStrList
00408640 .83C4 0C add esp,0xC
00408643 .8D4D D8 lea ecx,dword ptr ss: ;free the two temporary object references
00408646 .8D55 DC lea edx,dword ptr ss:
00408649 .51 push ecx
0040864A .52 push edx
0040864B .6A 02 push 0x2
0040864D .FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>;msvbvm50.__vbaFreeObjList
00408653 .F7DE neg esi ;1 -> -1 (VB True), 0 stays 0 (False)
00408655 .83C4 0C add esp,0xC
00408658 .B9 04000280 mov ecx,0x80020004 ;DISP_E_PARAMNOTFOUND: presumably filling VARIANTs for omitted optional arguments of the message box that follows - verify
0040865D .B8 0A000000 mov eax,0xA ;VT_ERROR
00408662 .894D 9C mov dword ptr ss:,ecx
00408665 .66:85F6 test si,si ;match flag still zero ? (flags survive the movs below)
00408668 .8945 94 mov dword ptr ss:,eax
0040866B .894D AC mov dword ptr ss:,ecx
0040866E .8945 A4 mov dword ptr ss:,eax
00408671 .894D BC mov dword ptr ss:,ecx
00408674 .8945 B4 mov dword ptr ss:,eax
00408677 .74 62 je XAfKayAs_.004086DB ;mismatch -> 004086DB (failure branch); the author marks this jump as the patch point
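/* 转换成C语言代码为 (C equivalent of the routine in the listing above): */

/*
 * compute_key - derive the serial the CrackMe expects for the account ZhangHu.
 *
 * Follows the listing step by step:
 *   1. edi = Len(account) * 0x15B38 + Asc(first char)      (004081FB..00408216)
 *   2. CStr -> CDbl, then + 2.0 (10.0 / 5.0)                (004082E9..0040831E)
 *   3. CStr -> CDbl, then * 3.0 - 2.0                       (004083F5..00408404)
 *   4. CStr -> CDbl, then fsub of the constant at 0x00401020 (004084DF..004084E5)
 *      The author reads step 4 as "+ 15.0"; the instruction is an fsub, so the
 *      constant is presumably -15.0 -- confirm in the debugger before relying on it.
 * Every intermediate is integer-valued and far below 2^53, so the string
 * round trips of the original do not change the value and are omitted here.
 *
 * Returns the key as a double: the original compares doubles, so the caller
 * must not truncate it. A NULL or empty account is treated as length 0 with
 * a first byte of 0; the VB original would instead raise a runtime error on
 * Asc("") and trap a 32-bit signed overflow of step 1 with jo.
 */
static double compute_key(const char *ZhangHu)
{
    if (ZhangHu == NULL) {
        ZhangHu = "";
    }
    /* rtcAnsiValueBstr (Asc) of a single-byte ANSI char is 0..255; the
     * movsx edx,ax in the listing only matters for multi-byte code pages. */
    double first = (double)(unsigned char)ZhangHu[0];
    /* Step 1 in double so a long account cannot hit signed-int overflow (UB in C). */
    double step1 = (double)strlen(ZhangHu) * 0x15B38 + first;
    double step2 = step1 + 10.0 / 5.0;
    double step3 = step2 * 3.0 - 2.0;
    return step3 + 15.0;
}

/*
 * Fun - print the expected key for the account ZhangHu.
 *
 * Fixes two defects of the original sketch: it added the char pointer
 * itself instead of the first character (Asc), and it printed an
 * unsigned long through "%d". The key is an integer-valued double, so
 * "%.0f" prints it exactly.
 */
void Fun(char *ZhangHu)
{
    printf("%.0f \r\n", compute_key(ZhangHu));
}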
楼主大神,膜拜啊 看不懂啊,,,, 大神你好啊 858973926 发表于 2015-8-21 21:41
看不懂啊,,,,
我也是刚刚玩着东西的,并非大神。。。
论坛下载一个160个CrackMe慢慢玩,练就好了。。:keai 楼主很屌了 我都不会分析 各种爆破 其实有人发过这些啦
http://www.52pojie.cn/thread-264605-1-1.html
楼主有待改善哦希望下次楼主能做的比他更好