160个CrakeMe程序之022
又是随便抽一个来练练吧~,就这样。
一、程序基础信息
总结: 是一个VB程序,无壳,一个破解序列号类型的
上vbexplorer反编译···这个过程中意外发现这个程序关闭后任务管理器内还会残留····(不好吐槽了)导致我vbexplorer载入程序老是显示此程序被使用···
然后让我找到一个更好的反编译器VB Decompiler
VB Decompiler反编译出来许多有用信息,比我之前惯用的好用的多,其他有用的信息后面会介绍,目前是获得了关键的事件地址--------》00402D20
; --- Button click handler at 00402D20 (OllyDbg dump; the bracketed memory operands were lost
;     in extraction, so the decoded operand is given in the comment where it matters).
;     Register roles: esi = object pointer (first argument), ebx = [esi] (table used by the two
;     indirect calls), edi = 0 while the locals are cleared, then __vbaVarDup.
00402D20 > \55 push ebp ;Button
00402D21 .8BEC mov ebp,esp
00402D23 .83EC 0C sub esp,0xC
00402D26 .68 66104000 push <jmp.&MSVBVM50.__vbaExceptHandler>;SEH handler install
00402D2B .64:A1 0000000>mov eax,dword ptr fs: ; eax = fs:[0], current head of the SEH chain (64:A1 00000000)
00402D31 .50 push eax ;CarLitoZ.00401EEF
00402D32 .64:8925 00000>mov dword ptr fs:,esp ; fs:[0] = esp, links this frame into the SEH chain
00402D39 .81EC 98000000 sub esp,0x98 ; 0x98 bytes of locals (the VARIANT temporaries zeroed below)
00402D3F .53 push ebx
00402D40 .56 push esi
00402D41 .8B75 08 mov esi,dword ptr ss: ; esi = [ebp+8], the object pointer passed as first argument
00402D44 .57 push edi
00402D45 .8BC6 mov eax,esi
00402D47 .83E6 FE and esi,-0x2 ; clear bit 0 of the pointer; the bit itself is kept in eax (see 00402D4D)
00402D4A .8965 F4 mov dword ptr ss:,esp ; [ebp-0xC] = esp
00402D4D .83E0 01 and eax,0x1 ; eax = bit 0 of the original pointer
00402D50 .8B1E mov ebx,dword ptr ds: ; ebx = [esi]; the calls at 00402D60 and 00402D7E index through it (presumably the vtable)
00402D52 .C745 F8 20104>mov dword ptr ss:,CarLitoZ.0040>; [ebp-8] = CarLitoZ.0040xxxx (immediate truncated in the dump)
00402D59 .56 push esi
00402D5A .8945 FC mov dword ptr ss:,eax ;CarLitoZ.00401EEF  ([ebp-4] = saved bit 0)
00402D5D .8975 08 mov dword ptr ss:,esi ; [ebp+8] = cleaned pointer
00402D60 .FF53 04 call dword ptr ds: ;msvbvm50.7404C5C8  (call [ebx+4])
00402D63 .33FF xor edi,edi ; edi = 0: used to clear the locals below and as the HRESULT compare value
00402D65 .56 push esi
00402D66 .897D E8 mov dword ptr ss:,edi ; [ebp-0x18] = 0
00402D69 .897D E4 mov dword ptr ss:,edi ; [ebp-0x1C] = 0
00402D6C .897D D4 mov dword ptr ss:,edi ; [ebp-0x2C] = 0
00402D6F .897D C4 mov dword ptr ss:,edi ; [ebp-0x3C] = 0
00402D72 .897D B4 mov dword ptr ss:,edi ; [ebp-0x4C] = 0
00402D75 .897D A4 mov dword ptr ss:,edi ; [ebp-0x5C] = 0
00402D78 .897D 94 mov dword ptr ss:,edi ; [ebp-0x6C] = 0
00402D7B .897D 84 mov dword ptr ss:,edi ; [ebp-0x7C] = 0  (slots 16 bytes apart from -0x2C down: VARIANT-sized)
00402D7E .FF93 F8060000 call dword ptr ds: ;presumably the key call  (call [ebx+0x6F8]; section 3 follows it to the code at 004035F8)
00402D84 .3BC7 cmp eax,edi ; HRESULT check: a negative result is reported through __vbaHresultCheckObj
00402D86 .7D 12 jge short CarLitoZ.00402D9A
00402D88 .68 F8060000 push 0x6F8 ; offset of the failing method, for the error report
00402D8D .68 0C224000 push CarLitoZ.0040220C
00402D92 .56 push esi
00402D93 .50 push eax ;CarLitoZ.00401EEF
00402D94 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00402D9A >8D4E 34 lea ecx,dword ptr ds: ; ecx = &[esi+0x34], an object member (OllyDbg names it var18)
00402D9D .8D55 94 lea edx,dword ptr ss: ; edx = &[ebp-0x6C], a local VARIANT (var28)
00402DA0 .51 push ecx ; /var18 = NULL
00402DA1 .52 push edx ; |var28 = NULL
00402DA2 .C745 9C 01000>mov dword ptr ss:,0x1 ; | [ebp-0x64] = 1, the data field of var28
00402DA9 .C745 94 02800>mov dword ptr ss:,0x8002 ; | [ebp-0x6C] = 0x8002, the vt field of var28 (apparently the constant 1; unverified)
00402DB0 .FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \_vbaVarTstEq — VARIANT equality test, result in ax
00402DB6 .8B3D C4614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarDup
00402DBC .B9 04000280 mov ecx,0x80020004 ; DISP_E_PARAMNOTFOUND, the value VB stores for an omitted optional argument
00402DC1 .66:85C0 test ax,ax ; ZF = (comparison returned False); nothing between here and the je touches flags
00402DC4 .B8 0A000000 mov eax,0xA ; VT_ERROR
00402DC9 .894D AC mov dword ptr ss:,ecx ; [ebp-0x54]
00402DCC .894D BC mov dword ptr ss:,ecx ; [ebp-0x44]
00402DCF .8945 A4 mov dword ptr ss:,eax ;CarLitoZ.00401EEF  ([ebp-0x5C] = VT_ERROR)
00402DD2 .8945 B4 mov dword ptr ss:,eax ;CarLitoZ.00401EEF  ([ebp-0x4C] = VT_ERROR; two "missing" VARIANTs, presumably arguments for a call after the jump)
00402DD5 .C745 8C 08234>mov dword ptr ss:,CarLitoZ.004>;CrackMe v1.0  ([ebp-0x74] = that string)
00402DDC .C745 84 08000>mov dword ptr ss:,0x8 ; [ebp-0x7C] = VT_BSTR
00402DE3 .8D55 84 lea edx,dword ptr ss: ; edx = &[ebp-0x7C], source VARIANT for __vbaVarDup
00402DE6 .8D4D C4 lea ecx,dword ptr ss: ; ecx = &[ebp-0x3C], destination
00402DE9 .0F84 5A010000 je CarLitoZ.00402F49 ; key jump — the single test deciding pass/fail; section 2 shows that toggling ZF here reaches the success path
,
在随意输入一串字符后,点下按钮,OD成功断下简单查看了事件代码发现并不简单···
二,强行破解
1、
00402DE9 关键跳转处修改寄存器Z标志位后,OD继续运行程序,程序直接验证成功
2、
VB函数_vbaVarTstEq比较字符函数中有两个关键值分别为var18 和 var28在前期的信息收集中发现
var18='trv2156j0e' ,一开始我以为是程序的序列号,尝试过后并不是,在c:\windows\MTR.dat 将其找到打开后 发现‘ oiv2156j0e’
emmmm....强迫症 我把oi改成 tr 后保存退出,打开程序 Duang验证成功状态···
三、序列号探究
找到关键事件00402D20后,发现它并不简单,简单过了一遍后,没有发现任何字符操作,以及循环等等,莫名其妙就结束了。
看中一个可疑 call(00402D7E)跟进,在跟进了比较长一段代码后找到了关键代码
嘤嘤嘤!! 代码很长,我还是打算粘进来比较舒服····{:301_986:}
; --- Excerpt of the routine reached from the call at 00402D7E. The dump starts mid-function at
;     004035F8 and stops at the final compare; prologue and epilogue are not on the page.
;     It is the code behind the decompiled loc_00403892 / loc_004038B7: eight Mid$(str, p, 1)
;     picks, seven __vbaVarAdd concatenations, one __vbaVarTstEq against var_18.
;     Register roles: edi = rtcMidCharVar (from 0040361D) then __vbaVarAdd (from 0040382C);
;     ebx = 2 = VT_I2 for every Length VARIANT; esi appears to hold 0 (used to clear locals).
004035F8 .8B07 mov eax,dword ptr ds: ; var 18  (eax = [edi]; edi is the object passed to __vbaHresultCheckObj below)
004035FA .FF90 A0000000 call dword ptr ds: ; call [eax+0xA0]
00403600 .3BC6 cmp eax,esi ; HRESULT check (esi presumably 0)
00403602 .7D 12 jge short CarLitoZ.00403616
00403604 .68 A0000000 push 0xA0
00403609 .68 C0224000 push CarLitoZ.004022C0
0040360E .57 push edi
0040360F .50 push eax
00403610 .FF15 34614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;msvbvm50.__vbaHresultCheckObj
00403616 >8B45 E8 mov eax,dword ptr ss: ;eax = the registration code (var_18 = [ebp-0x18], left side of the compare at 004038B7)
00403619 .8B3D 58614000 mov edi,dword ptr ds:[<&MSVBVM50.#632_rt>;msvbvm50.rtcMidCharVar
0040361F .8985 ACFDFFFF mov dword ptr ss:,eax ;var_254 = var_18
00403625 .8B45 E4 mov eax,dword ptr ss: ; eax = var_1C = [ebp-0x1C], the string the first Mid$ reads
00403628 .8D55 84 lea edx,dword ptr ss: ; edx = &[ebp-0x7C], Length VARIANT
0040362B .8945 9C mov dword ptr ss:,eax ; [ebp-0x64] = the string (data field of the VARIANT at ebp-0x6C)
0040362E .52 push edx ; /Length8 = 0x12F3E0
0040362F .8D45 94 lea eax,dword ptr ss: ; | eax = &[ebp-0x6C], string VARIANT
00403632 .6A 06 push 0x6 ; |Start = 0x6  -> Mid$(var_1C, 6, 1)
00403634 .8D8D 74FFFFFF lea ecx,dword ptr ss: ; | ecx = &[ebp-0x8C], result VARIANT
0040363A .BB 02000000 mov ebx,0x2 ; | VT_I2, reused as vt for all Length VARIANTs below
0040363F .50 push eax ; |dString8 = 0091BA04
00403640 .51 push ecx ; |RetBUFFER = 0012F404
00403641 .8975 E8 mov dword ptr ss:,esi ; | [ebp-0x18] = esi
00403644 .C785 A4FDFFFF>mov dword ptr ss:,0x8008 ; | [ebp-0x25C] = 0x8008
0040364E .C745 8C 01000>mov dword ptr ss:,0x1 ; | [ebp-0x74] = 1, Length
00403655 .895D 84 mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet  ([ebp-0x7C] = VT_I2)
00403658 .8975 E4 mov dword ptr ss:,esi ; | [ebp-0x1C] = esi
0040365B .C745 94 08000>mov dword ptr ss:,0x8 ; | [ebp-0x6C] = VT_BSTR
00403662 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
00403664 .8B45 E0 mov eax,dword ptr ss: ; var_20; the next seven blocks repeat the pattern above with a new string and Start
00403667 .8D95 54FFFFFF lea edx,dword ptr ss:
0040366D .8985 6CFFFFFF mov dword ptr ss:,eax
00403673 .52 push edx ; /Length8 = 0x12F3E0
00403674 .8D85 64FFFFFF lea eax,dword ptr ss: ; |
0040367A .6A 09 push 0x9 ; |Start = 0x9  -> Mid$(var_20, 9, 1)
0040367C .8D8D 44FFFFFF lea ecx,dword ptr ss: ; |
00403682 .50 push eax ; |dString8 = 0091BA04
00403683 .51 push ecx ; |RetBUFFER = 0012F404
00403684 .C785 5CFFFFFF>mov dword ptr ss:,0x1 ; |
0040368E .899D 54FFFFFF mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet
00403694 .8975 E0 mov dword ptr ss:,esi ; |
00403697 .C785 64FFFFFF>mov dword ptr ss:,0x8 ; |
004036A1 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
004036A3 .8B45 DC mov eax,dword ptr ss: ; var_24
004036A6 .8D95 14FFFFFF lea edx,dword ptr ss:
004036AC .8985 2CFFFFFF mov dword ptr ss:,eax
004036B2 .52 push edx ; /Length8 = 0x12F3E0
004036B3 .8D85 24FFFFFF lea eax,dword ptr ss: ; |
004036B9 .68 8F000000 push 0x8F ; |Start = 0x8F  (= 143 -> Mid$(var_24, 143, 1))
004036BE .8D8D 04FFFFFF lea ecx,dword ptr ss: ; |
004036C4 .50 push eax ; |dString8 = 0091BA04
004036C5 .51 push ecx ; |RetBUFFER = 0012F404
004036C6 .C785 1CFFFFFF>mov dword ptr ss:,0x1 ; |
004036D0 .899D 14FFFFFF mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet
004036D6 .8975 DC mov dword ptr ss:,esi ; |
004036D9 .C785 24FFFFFF>mov dword ptr ss:,0x8 ; |
004036E3 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
004036E5 .8B45 D8 mov eax,dword ptr ss: ; var_28
004036E8 .8D95 D4FEFFFF lea edx,dword ptr ss:
004036EE .8985 ECFEFFFF mov dword ptr ss:,eax
004036F4 .52 push edx ; /Length8 = 0x12F3E0
004036F5 .8D85 E4FEFFFF lea eax,dword ptr ss: ; |
004036FB .6A 10 push 0x10 ; |Start = 0x10  (= 16 -> Mid$(var_28, 16, 1))
004036FD .8D8D C4FEFFFF lea ecx,dword ptr ss: ; |
00403703 .50 push eax ; |dString8 = 0091BA04
00403704 .51 push ecx ; |RetBUFFER = 0012F404
00403705 .C785 DCFEFFFF>mov dword ptr ss:,0x1 ; |
0040370F .899D D4FEFFFF mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet
00403715 .8975 D8 mov dword ptr ss:,esi ; |
00403718 .C785 E4FEFFFF>mov dword ptr ss:,0x8 ; |
00403722 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
00403724 .8B45 D4 mov eax,dword ptr ss: ; var_2C
00403727 .8D95 94FEFFFF lea edx,dword ptr ss:
0040372D .8985 ACFEFFFF mov dword ptr ss:,eax
00403733 .52 push edx ; /Length8 = 0x12F3E0
00403734 .8D85 A4FEFFFF lea eax,dword ptr ss: ; |
0040373A .68 A1000000 push 0xA1 ; |Start = 0xA1  (= 161 -> Mid$(var_2C, 161, 1))
0040373F .8D8D 84FEFFFF lea ecx,dword ptr ss: ; |
00403745 .50 push eax ; |dString8 = 0091BA04
00403746 .51 push ecx ; |RetBUFFER = 0012F404
00403747 .C785 9CFEFFFF>mov dword ptr ss:,0x1 ; |
00403751 .899D 94FEFFFF mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet
00403757 .8975 D4 mov dword ptr ss:,esi ; |
0040375A .C785 A4FEFFFF>mov dword ptr ss:,0x8 ; |
00403764 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
00403766 .8B45 D0 mov eax,dword ptr ss: ; var_30 (same setup, statements merely reordered by the compiler)
00403769 .C785 5CFEFFFF>mov dword ptr ss:,0x1
00403773 .899D 54FEFFFF mov dword ptr ss:,ebx ;msvbvm50.__vbaObjSet
00403779 .8975 D0 mov dword ptr ss:,esi
0040377C .8985 6CFEFFFF mov dword ptr ss:,eax
00403782 .8D95 54FEFFFF lea edx,dword ptr ss:
00403788 .8D85 64FEFFFF lea eax,dword ptr ss:
0040378E .52 push edx ; /Length8 = 0x12F3E0
0040378F .68 AB000000 push 0xAB ; |Start = 0xAB  (= 171 -> Mid$(var_30, 171, 1))
00403794 .8D8D 44FEFFFF lea ecx,dword ptr ss: ; |
0040379A .50 push eax ; |dString8 = 0091BA04
0040379B .51 push ecx ; |RetBUFFER = 0012F404
0040379C .C785 64FEFFFF>mov dword ptr ss:,0x8 ; |
004037A6 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
004037A8 .8B45 CC mov eax,dword ptr ss: ; var_34
004037AB .8D95 14FEFFFF lea edx,dword ptr ss:
004037B1 .8985 2CFEFFFF mov dword ptr ss:,eax
004037B7 .52 push edx ; /Length8 = 0x12F3E0
004037B8 .8D85 24FEFFFF lea eax,dword ptr ss: ; |
004037BE .68 A6000000 push 0xA6 ; |Start = 0xA6  (= 166 -> Mid$(var_34, 166, 1))
004037C3 .8D8D 04FEFFFF lea ecx,dword ptr ss: ; |
004037C9 .50 push eax ; |dString8 = 0091BA04
004037CA .51 push ecx ; |RetBUFFER = 0012F404
004037CB .C785 1CFEFFFF>mov dword ptr ss:,0x1 ; |
004037D5 .899D 14FEFFFF mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet
004037DB .8975 CC mov dword ptr ss:,esi ; |
004037DE .C785 24FEFFFF>mov dword ptr ss:,0x8 ; |
004037E8 .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
004037EA .8B45 C8 mov eax,dword ptr ss: ; var_38
004037ED .8D95 D4FDFFFF lea edx,dword ptr ss:
004037F3 .8985 ECFDFFFF mov dword ptr ss:,eax
004037F9 .52 push edx ; /Length8 = 0x12F3E0
004037FA .8D85 E4FDFFFF lea eax,dword ptr ss: ; |
00403800 .68 A8000000 push 0xA8 ; |Start = 0xA8  (= 168 -> Mid$(var_38, 168, 1))
00403805 .8D8D C4FDFFFF lea ecx,dword ptr ss: ; |
0040380B .50 push eax ; |dString8 = 0091BA04
0040380C .51 push ecx ; |RetBUFFER = 0012F404
0040380D .C785 DCFDFFFF>mov dword ptr ss:,0x1 ; |
00403817 .899D D4FDFFFF mov dword ptr ss:,ebx ; |msvbvm50.__vbaObjSet
0040381D .8975 C8 mov dword ptr ss:,esi ; |
00403820 .C785 E4FDFFFF>mov dword ptr ss:,0x8 ; |
0040382A .FFD7 call edi ; \rtcMidCharVar — take the character at Start from the string
0040382C .8B3D C0614000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;msvbvm50.__vbaVarAdd  (edi now holds __vbaVarAdd for the seven calls below)
00403832 .8D95 A4FDFFFF lea edx,dword ptr ss:
00403838 .8D85 74FFFFFF lea eax,dword ptr ss: ; eax = &[ebp-0x8C], result of the first Mid$
0040383E .52 push edx ; /var18 = 0012F3E0
0040383F .8D8D 44FFFFFF lea ecx,dword ptr ss: ; | ecx = &[ebp-0xBC], result of the second Mid$
00403845 .50 push eax ; |/var18 = 0091BA04
00403846 .8D95 34FFFFFF lea edx,dword ptr ss: ; ||
0040384C .51 push ecx ; ||var28 = 0012F404
0040384D .52 push edx ; ||saveto8 = 0012F3E0
0040384E .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs (string concatenation for the Mid$ results, the `+` in loc_00403892); each call's result (eax) is pushed as the left operand of the next
00403850 .50 push eax ; |/var18 = 0091BA04
00403851 .8D85 04FFFFFF lea eax,dword ptr ss: ; ||
00403857 .8D8D F4FEFFFF lea ecx,dword ptr ss: ; ||
0040385D .50 push eax ; ||var28 = 0091BA04
0040385E .51 push ecx ; ||saveto8 = 0012F404
0040385F .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs
00403861 .50 push eax ; |/var18 = 0091BA04
00403862 .8D95 C4FEFFFF lea edx,dword ptr ss: ; ||
00403868 .8D85 B4FEFFFF lea eax,dword ptr ss: ; ||
0040386E .52 push edx ; ||var28 = 0012F3E0
0040386F .50 push eax ; ||saveto8 = 0091BA04
00403870 .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs
00403872 .8D8D 84FEFFFF lea ecx,dword ptr ss: ; |
00403878 .50 push eax ; |/var18 = 0091BA04
00403879 .8D95 74FEFFFF lea edx,dword ptr ss: ; ||
0040387F .51 push ecx ; ||var28 = 0012F404
00403880 .52 push edx ; ||saveto8 = 0012F3E0
00403881 .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs
00403883 .50 push eax ; |/var18 = 0091BA04
00403884 .8D85 44FEFFFF lea eax,dword ptr ss: ; ||
0040388A .8D8D 34FEFFFF lea ecx,dword ptr ss: ; ||
00403890 .50 push eax ; ||var28 = 0091BA04
00403891 .51 push ecx ; ||saveto8 = 0012F404
00403892 .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs
00403894 .50 push eax ; |/var18 = 0091BA04
00403895 .8D95 04FEFFFF lea edx,dword ptr ss: ; ||
0040389B .8D85 F4FDFFFF lea eax,dword ptr ss: ; ||
004038A1 .52 push edx ; ||var28 = 0012F3E0
004038A2 .50 push eax ; ||saveto8 = 0091BA04
004038A3 .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs
004038A5 .8D8D C4FDFFFF lea ecx,dword ptr ss: ; |
004038AB .50 push eax ; |/var18 = 0091BA04
004038AC .51 push ecx ; ||var28 = 0012F404
004038AD .8D95 B4FDFFFF lea edx,dword ptr ss: ; ||
004038B3 .52 push edx ; ||saveto8 = 0012F3E0
004038B4 .FFD7 call edi ; |\__vbavaradd — add the two VARIANTs; eax = the complete eight-character key
004038B6 .50 push eax ; |var28 = 0091BA04
004038B7 .FF15 6C614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbavartsteq — test whether the two VARIANTs are equal (var_18 against the built key; the key is derived from program data only, never from the input)
一开始跟我是头疼的··· 字符截取函数 rtcMidCharVar总共有八个,变量相加函数vbavaradd 有七个
rtcMidCharVar 分别从第 6、9、143、16、161、171、166、168 处截取出字符进行操作(顿时炸裂···这个序列号到底有多长啊···)
简单跟进后也没有发现有明显函数或者代码将我输入的字符进行操作。。。。懵了····
再进行深度跟进,结合数据窗口以及堆栈窗口----->(再堆栈窗口右键地址---》选择相对于 ebp 跟踪重要的地址)
(在八个rtcMidCharVar call中寄存器发现了几个可疑字符)跟踪八个后 分别为 “r k h 1 o y i e”
这时候就怀疑后面 七个 变量相加函数是对上面的字符进行操作再得出 序列号。
数据窗口在跟踪 vbavaradd的两个变量时
到最后一个vbavaradd 函数时
果断输入 rkh1oyie尝试! 结果验证成功!
四、注册机
得到了序列号后我们来探究一下,其序列号是怎么生成的,序列号共八位数,好像并没有对用户输入的字符进行运算
那它是怎么的进行得出这八位序列号呢·····
在我不懈努力的跟进rtcMidCharVar 函数后
对的,字符很熟悉是about窗口的字符, r k h...... 分别对应,我在所有字符参考那找到了这段字符
; --- About-box caption at 0040261D, one 0x10-byte row per line (the dump's runs of spaces were
;     collapsed in extraction; the addresses step by 0x10, so every row is 16 bytes).
;     A Mid$ position p (1-based, from loc_00403892 / loc_004038B7) is the byte at 0040261C+p:
;       6 -> 00402622 'r'   9 -> 00402625 'k'   143 -> 004026AB 'h'   16 -> 0040262C '1'
;     161 -> 004026BD 'o' 171 -> 004026C7 'y'   166 -> 004026C2 'i'   168 -> 004026C4 'e'
0040261C 01 db 01
0040261D .62 50 65 20 4>ascii "bPe CrackMe v1" ; 16 bytes: 'r' at +5, 'k' at +8, '1' at +15 (the row's last byte)
0040262D .2E 30 20 20 2>ascii ".0 " ; ".0" followed by padding spaces
0040263D .20 20 20 20 2>ascii " " ; rows 0040263D..0040268D are 6 x 16 spaces = 96 bytes; the keygen drops them, hence its "-96"
0040264D .20 20 20 20 2>ascii " "
0040265D .20 20 20 20 2>ascii " "
0040266D .20 20 20 20 2>ascii " "
0040267D .20 20 20 20 2>ascii " "
0040268D .20 20 20 20 2>ascii " "
0040269D .20 20 20 20 2>ascii " Thi" ; 13 spaces then "Thi": 'h' at +14 = 004026AB
004026AD .73 20 43 72 6>ascii "s CrackMe it's t"
004026BD .6F 20 74 72 6>ascii "o trainer your V" ; 'o' at +0, 'i' at +5, 'e' at +7, 'y' at +10
004026CD .42 20 63 72 6>ascii "B cracking abili"
004026DD .74 79 20 20 2>ascii "ty "
004026ED .20 20 20 20 2>ascii " "
004026FD .20 20 20 20 2>ascii " "
0040270D .20 20 20 20 2>ascii " "
0040271D .20 20 20 20 2>ascii " "
0040272D .20 20 20 20 2>ascii " "
0040273D .20 20 20 20 2>ascii " "
0040274D .20 20 20 20 2>ascii " Dev"
0040275D .65 6C 6F 70 6>ascii "eloped by CarLit"
0040276D .6F 5A 00 ascii "oZ",0 ; NUL terminator
收集的基础信息里
loc_00403892: var_ret_5 = Mid$(var_1C, 6, 1) + Mid$(var_20, 9, 1) + Mid$(var_24, 143, 1) + Mid$(var_28, 16, 1) + Mid$(var_2C, 161, 1) + Mid$(var_30, 171, 1)
loc_004038B7: var_ret_8 = (var_18 = var_ret_5 + Mid$(var_34, 166, 1) + Mid$(var_38, 168, 1))
猜测是照 6、9、143、16、161、171、166、168 的顺序来取字符
得到的字符和rkh1oyie 完全匹配
写出注册机······(简陋····{:301_983:})
ps: 删去了六行空格,所以对应的位置都减了 96
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<iostream>
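// Keygen: the key is not computed from the user's input at all; it is eight
// characters picked out of the About-box caption (see the dump at 0040261D)
// at the Mid$ positions 6, 9, 143, 16, 161, 171, 166, 168 and concatenated
// in that order (loc_00403892 / loc_004038B7).  Prints the key, pauses, returns 0;
// returns 1 without printing a key if the literal is too short for an index.
int main ()
{
    // Indices into `encrypt`, in Mid$ call order.  The leading '+' in the literal
    // makes a 0-based index equal to the 1-based VB position.  Positions past the
    // six all-space rows (0040263D..0040268D, 16 bytes each) have 96 subtracted
    // because those rows were left out of the literal.
    const int positions[] = { 6, 9, 143 - 96, 16, 161 - 96, 171 - 96, 166 - 96, 168 - 96 };
    const int count = (int)(sizeof positions / sizeof positions[0]);

    // NOTE(review): the forum extraction collapsed runs of spaces in this literal.
    // The dump has 16 bytes per row ("v1" ends row 0040261D, ".0" plus padding
    // fills row 0040262D, 13 spaces precede "Thi" in row 0040269D); restore that
    // spacing before expecting the output r k h 1 o y i e.
    const char encrypt[] = "+bPe CrackMe v1.0 This CrackMe it's to trainer your VB cracking ability";
    const int len = (int)strlen(encrypt);

    printf("The is key : \n");
    for (int i = 0; i < count; ++i) {
        // Never index past the literal: with the spacing not restored the larger
        // positions fall outside it, and reading there is undefined behaviour.
        if (positions[i] < 0 || positions[i] >= len) {
            printf("\nindex %d is outside the %d-byte string; restore the spacing\n", positions[i], len);
            return 1;
        }
        printf("%c", encrypt[positions[i]]);
    }
    printf(" \n");
    system("pause");
    return 0;
}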
如有错误欢迎大佬指出~~ 不胜感激!!!
介绍的很详细 学习一下 介绍的很详细 学习一下 坚持了01-02堕落了,
加油看好你,小帅哥 一看就是写的太着急,忘写窗口关闭事件了
这么一看我的CM也是这样啊... 很厉害,学习了 好厉害的样子,看得我都蒙了 我连第1课还没学会呢 lihaohua 发表于 2018-5-11 20:53
大佬 有环境吗? 想跟您学习
度娘走起, 看不懂,不过感谢。