160cm之010 爆破、追码 by cqr2287
这个cm是那位德国人第三个cm。昨天分析了009,009和008都是一星级的,没什么难度。这次是三星级的,看看能怎么滴。
打开软件,发现只要输入ID就可以了
我喜欢,哈哈,少输一点跟踪起来简单{:301_997:}
好,开始分析。
static/image/hrline/2.gif
首先爆破。
载入od。
运行起来,输入假码
alt f9,返回程序领空。
00402196 .51 push ecx ;ntdll.76EE68B0
00402197 .FF15 24414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>;Msvbvm50.rtcMsgBox
0040219D .8D95 14FFFFFF lea edx,dword ptr ss:
004021A3 .8D4D AC lea ecx,dword ptr ss:
004021A6 .8985 1CFFFFFF mov dword ptr ss:,eax
004021AC .C785 14FFFFFF>mov dword ptr ss:,0x3
这是信息框弹出 。向上回溯,找失败提示。
0040213E .8985 6CFFFFFF mov dword ptr ss:,eax
00402144 .8985 7CFFFFFF mov dword ptr ss:,eax
0040214A .C785 4CFFFFFF>mov dword ptr ss:,Andréna.0040>;UNICODE "LEiDER Falsch !"
00402154 .C785 44FFFFFF>mov dword ptr ss:,0x8
0040215E .FFD3 call ebx ;Msvbvm50.__vbaVarDup; <&MSVBVM50.__vbaVarDup>
00402160 .8D95 54FFFFFF lea edx,dword ptr ss:
00402166 .8D4D 94 lea ecx,dword ptr ss:
00402169 .C785 5CFFFFFF>mov dword ptr ss:,Andréna.0040>;UNICODE "Leider Falsch! Nochmal veruschen ! Wenn Du es ni"
00402173 .C785 54FFFFFF>mov dword ptr ss:,0x8
0040217D .FFD3 call ebx ;Msvbvm50.__vbaVarDup
0040217F .8D8D 64FFFFFF lea ecx,dword ptr ss:
00402185 .8D95 74FFFFFF lea edx,dword ptr ss:
0040218B .51 push ecx ;ntdll.76EE68B0
可以找到。那么我所在的位置就是判断call。
看看有没有跳转进来。
00402114 . /E9 B5000000 jmp Andréna.004021CE
00402119 > |8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>;Msvbvm50.__vbaVarDup
0040211F . |B9 0A000000 mov ecx,0xA
00402124 . |B8 04000280 mov eax,0x80020004
00402129 . |898D 64FFFFFF mov dword ptr ss:,ecx ;ntdll.76EE68B0
0040212F . |898D 74FFFFFF mov dword ptr ss:,ecx ;ntdll.76EE68B0
00402135 . |8D95 44FFFFFF lea edx,dword ptr ss:
0040213B . |8D4D 84 lea ecx,dword ptr ss:
0040213E . |8985 6CFFFFFF mov dword ptr ss:,eax
00402144 . |8985 7CFFFFFF mov dword ptr ss:,eax
0040214A . |C785 4CFFFFFF>mov dword ptr ss:,Andréna.0040>;UNICODE "LEiDER Falsch !"
00402154 . |C785 44FFFFFF>mov dword ptr ss:,0x8
又看到了vb典型判断的尾部,追踪跳转。
00402053 . /0F84 C0000000 je Andréna.00402119
00402059 . |FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#rtcBeep_5>;Msvbvm50.rtcBeep
0040205F . |8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>;Msvbvm50.__vbaVarDup
00402065 . |B9 0A000000 mov ecx,0xA
0040206A . |B8 04000280 mov eax,0x80020004
0040206F . |898D 64FFFFFF mov dword ptr ss:,ecx ;ntdll.76EE68B0
00402075 . |898D 74FFFFFF mov dword ptr ss:,ecx ;ntdll.76EE68B0
0040207B . |8D95 44FFFFFF lea edx,dword ptr ss:
00402081 . |8D4D 84 lea ecx,dword ptr ss:
00402084 . |8985 6CFFFFFF mov dword ptr ss:,eax
0040208A . |8985 7CFFFFFF mov dword ptr ss:,eax
00402090 . |C785 4CFFFFFF>mov dword ptr ss:,Andréna.0040>;UNICODE "RiCHTiG !"
0040209A . |C785 44FFFFFF>mov dword ptr ss:,0x8
004020A4 . |FFD3 call ebx ;Msvbvm50.__vbaVarDup; <&MSVBVM50.__vbaVarDup>
004020A6 . |8D95 54FFFFFF lea edx,dword ptr ss:
004020AC . |8D4D 94 lea ecx,dword ptr ss:
好的,je是关键跳,nop即可成功。
static/image/hrline/2.gif
追码开始。
vb程序典例,到段首下段后跟踪。
00401E66 .8975 DC mov dword ptr ss:,esi
00401E69 .8975 CC mov dword ptr ss:,esi
00401E6C .8975 BC mov dword ptr ss:,esi
00401E6F .8975 AC mov dword ptr ss:,esi
00401E72 .8975 A8 mov dword ptr ss:,esi
00401E75 .8975 A4 mov dword ptr ss:,esi
00401E78 .8975 94 mov dword ptr ss:,esi
00401E7B .8975 84 mov dword ptr ss:,esi
00401E7E .89B5 74FFFFFF mov dword ptr ss:,esi
00401E84 .89B5 64FFFFFF mov dword ptr ss:,esi
00401E8A .89B5 54FFFFFF mov dword ptr ss:,esi
00401E90 .89B5 44FFFFFF mov dword ptr ss:,esi
00401E96 .89B5 14FFFFFF mov dword ptr ss:,esi
00401E9C .89B5 FCFEFFFF mov dword ptr ss:,esi
00401EA2 .89B5 ECFEFFFF mov dword ptr ss:,esi
这块运算。esi一直是0.
00401EC2 .FF92 A0000000 call dword ptr ds:
00401EC8 .3BC6 cmp eax,esi
00401ECA .7D 12 jge short Andréna.00401EDE
00401ECC .68 A0000000 push 0xA0
00401ED1 .68 781A4000 push Andréna.00401A78
00401ED6 .57 push edi
00401ED7 .50 push eax
00401ED8 .FF15 10414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;Msvbvm50.__vbaHresultCheckObj
00401EDE >8B45 A8 mov eax,dword ptr ss:
虽然eax是0,但这部分没卵用。
因为都要执行下方代码。
00401EDE > \8B45 A8 mov eax,dword ptr ss:
00401EE1 .8975 A8 mov dword ptr ss:,esi
好的,这里出现了假码,下段标记。
00401F68 > /85C0 test eax,eax
00401F6A . |0F84 BB000000 je Andréna.0040202B
00401F70 . |8D55 94 lea edx,dword ptr ss:
00401F73 . |8D45 DC lea eax,dword ptr ss:
00401F76 . |52 push edx
00401F77 . |50 push eax
00401F78 . |C745 9C 01000>mov dword ptr ss:,0x1
00401F7F . |C745 94 02000>mov dword ptr ss:,0x2
00401F86 . |FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>;Msvbvm50.__vbaI4Var
00401F8C . |8D4D BC lea ecx,dword ptr ss: ; |
00401F8F . |50 push eax ; |Start = 0x1
00401F90 . |8D55 84 lea edx,dword ptr ss: ; |
00401F93 . |51 push ecx ; |dString8 = 00000003
00401F94 . |52 push edx ; |RetBUFFER = 00000009
00401F95 . |FF15 34414000 call dword ptr ds:[<&MSVBVM50.#rtcMidCha>; \rtcMidCharVar
00401F9B . |8D45 84 lea eax,dword ptr ss:
00401F9E . |8D4D A8 lea ecx,dword ptr ss:
00401FA1 . |50 push eax ; /String8 = 00000001
00401FA2 . |51 push ecx ; |ARG2 = 00000003
00401FA3 . |FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVa>; \__vbaStrVarVal
00401FA9 . |50 push eax ; /String = 00000001 ???
00401FAA . |FF15 08414000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiVa>; \rtcAnsiValueBstr
00401FB0 . |66:05 0A00 add ax,0xA
00401FB4 . |0F80 B0020000 jo Andréna.0040226A
00401FBA . |0FBFD0 movsx edx,ax
00401FBD . |52 push edx
00401FBE . |FF15 70414000 call dword ptr ds:[<&MSVBVM50.#rtcBstrFr>;Msvbvm50.rtcBstrFromAnsi
00401FC4 . |8985 7CFFFFFF mov dword ptr ss:,eax
00401FCA . |8D45 CC lea eax,dword ptr ss:
00401FCD . |8D8D 74FFFFFF lea ecx,dword ptr ss:
00401FD3 . |50 push eax
00401FD4 . |8D95 64FFFFFF lea edx,dword ptr ss:
00401FDA . |51 push ecx
00401FDB . |52 push edx
00401FDC . |C785 74FFFFFF>mov dword ptr ss:,0x8
00401FE6 . |FFD3 call ebx ;Msvbvm50.__vbaVarCat
00401FE8 . |8BD0 mov edx,eax
00401FEA . |8D4D CC lea ecx,dword ptr ss:
00401FED . |FFD6 call esi ;Msvbvm50.__vbaVarMove
00401FEF . |8D4D A8 lea ecx,dword ptr ss:
00401FF2 . |FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;Msvbvm50.__vbaFreeStr
00401FF8 . |8D85 74FFFFFF lea eax,dword ptr ss:
00401FFE . |8D4D 84 lea ecx,dword ptr ss:
00402001 . |50 push eax
00402002 . |8D55 94 lea edx,dword ptr ss:
00402005 . |51 push ecx
00402006 . |52 push edx
00402007 . |6A 03 push 0x3
00402009 . |FFD7 call edi ;Msvbvm50.__vbaFreeVarList
0040200B . |83C4 10 add esp,0x10
0040200E . |8D85 ECFEFFFF lea eax,dword ptr ss:
00402014 . |8D8D FCFEFFFF lea ecx,dword ptr ss:
0040201A . |8D55 DC lea edx,dword ptr ss:
0040201D . |50 push eax ; /TMPend8 = 00000001
0040201E . |51 push ecx ; |TMPstep8 = 00000003
0040201F . |52 push edx ; |Counter8 = 00000009
00402020 . |FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForNext
00402026 .^\E9 3DFFFFFF jmp Andréna.00401F68
这是一个循环。我估测,这是算法部分。
下段标记。
00401F6A . /0F84 BB000000 je Andréna.0040202B
七次后,跳出循环。
00402034 .50 push eax ; /var18 = NULL
00402035 .51 push ecx ; |var28 = 001930D0
00402036 .C785 5CFFFFFF>mov dword ptr ss:,Andréna.0040>; |UNICODE "kXy^rO|*yXo*m\kMuOn*+"
00402040 .C785 54FFFFFF>mov dword ptr ss:,0x8008 ; |
0040204A .FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq
00402050 .66:85C0 test ax,ax
走到这了。进入。
好的,追到真马
00401A8C=Andréna.00401A8C (UNICODE "kXy^rO|*yXo*m\kMuOn*+")
堆栈 ss:=00401A8C (Andréna.00401A8C), UNICODE "kXy^rO|*yXo*m\kMuOn*+"
static/image/hrline/2.gif
好了,这次的确比上次要难的多。
算法分析等扔进反编译利器再说。
这次主要通过指针算出注册码
谢谢观看。{:301_974:}
分给你了 沙发我的 前排膜拜。 前排膜拜。 膜拜
追码还是没看懂{:1_908:} 楼主这用的什么软件好高端
页:
[1]