160 CrackMe 之 009算法分析及易语言注册机编写
仍旧秉承以前的宗旨,算法分析是硬道理,搞懂算法才是目的,先看看这个crackme,有没有壳,查询如下:无壳vb程序,省掉了一步脱壳,直接开始。
,
运行程序,随便输入用户名和密码:显示如下,弹出错误窗口
程序载入OD,反汇编窗口右键查找——所有参考文本字串。由于是VB程序,也可以直接下VB专用断点 rtcMsgBox,或者字符串比较断点 __vbaStrComp。我用的是右键——所有参考文本字串,来到如下:
看到如上的错误弹窗字符串,双击或在反汇编中跟随,来到如下。
于是向下翻页,来到如下代码,在函数段首下断点:
; ---------------------------------------------------------------------------
; Andréna (VB5, links MSVBVM50) — serial-check routine, OllyDbg dump 00401FF0..
; Addresses, opcode bytes and truncated operands (">") are as captured.
; Stack VARIANTs (vt word at +0, value dword at +8) used below:
;   [ebp-0x6C] scratch / Mid-length / entered-serial variant (value at [ebp-0x64])
;   [ebp-0x44] username as a VT_BSTR variant
;   [ebp-0x34] running sum, then the product, then the expected serial
;   [ebp-0xAC] constant variant                  (value at [ebp-0xA4])
;   [ebp-0xBC] constant / per-character variant  (value at [ebp-0xB4])
;   [ebp-0x24] For-loop counter; [ebp-0x108]/[ebp-0x118] For-loop temps
;   [ebp-0x58] BSTR read from a control; [ebp-0x5C] control object ref
; Note: the expected serial is built in full in [ebp-0x34] and compared as
; plain text by __vbaVarTstEq at 004022AE — that is why it is observable at
; the compare, which is the author's approach below.
; ---------------------------------------------------------------------------
00401FF0 > \55 push ebp 这里下断 ; set the breakpoint here (routine entry)
00401FF1 . 8BEC mov ebp, esp
00401FF3 . 83EC 0C sub esp, 0xC ; three frame dwords, filled at [ebp-0xC..-0x4] below
00401FF6 . 68 26104000 push <jmp.&MSVBVM50.__vbaExceptHandle>; install the VB runtime SEH handler
00401FFB . 64:A1 00000000 mov eax, dword ptr fs:[0] ; link this frame into the fs:[0] SEH chain
00402001 . 50 push eax
00402002 . 64:8925 00000000 mov dword ptr fs:[0], esp
00402009 . 81EC 18010000 sub esp, 0x118 ; locals (the VARIANTs listed above)
0040200F . 53 push ebx ; save callee-saved ebx/esi/edi
00402010 . 8B5D 08 mov ebx, dword ptr ss:[ebp+0x8] ; ebx = first argument (the form/object pointer)
00402013 . 8BC3 mov eax, ebx
00402015 . 56 push esi
00402016 . 83E3 FE and ebx, 0xFFFFFFFE ; clear bit 0 of the pointer ...
00402019 . 57 push edi
0040201A . 8965 F4 mov dword ptr ss:[ebp-0xC], esp ; frame field: saved esp
0040201D . 83E0 01 and eax, 0x1 ; ... and keep that bit separately
00402020 . 8B3B mov edi, dword ptr ds:[ebx] ; edi = object's vtable
00402022 . C745 F8 00104000 mov dword ptr ss:[ebp-0x8], Andréna.> ; frame field (operand truncated in the dump)
00402029 . 53 push ebx
0040202A . 8945 FC mov dword ptr ss:[ebp-0x4], eax ; frame field: the saved flag bit
0040202D . 895D 08 mov dword ptr ss:[ebp+0x8], ebx ; store the cleaned pointer back into the argument slot
00402030 . FF57 04 call near dword ptr ds:[edi+0x4] ; vtable slot 1 on the object (presumably AddRef — not verified here)
00402033 . 33F6 xor esi, esi ; esi = 0
00402035 . 53 push ebx
00402036 . 8975 DC mov dword ptr ss:[ebp-0x24], esi ; zero every VARIANT / string local before use ...
00402039 . 8975 CC mov dword ptr ss:[ebp-0x34], esi
0040203C . 8975 BC mov dword ptr ss:[ebp-0x44], esi
0040203F . 8975 AC mov dword ptr ss:[ebp-0x54], esi
00402042 . 8975 A8 mov dword ptr ss:[ebp-0x58], esi
00402045 . 8975 A4 mov dword ptr ss:[ebp-0x5C], esi
00402048 . 8975 94 mov dword ptr ss:[ebp-0x6C], esi
0040204B . 8975 84 mov dword ptr ss:[ebp-0x7C], esi
0040204E . 89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C], esi
00402054 . 89B5 64FFFFFF mov dword ptr ss:[ebp-0x9C], esi
0040205A . 89B5 54FFFFFF mov dword ptr ss:[ebp-0xAC], esi
00402060 . 89B5 44FFFFFF mov dword ptr ss:[ebp-0xBC], esi
00402066 . 89B5 14FFFFFF mov dword ptr ss:[ebp-0xEC], esi
0040206C . 89B5 F8FEFFFF mov dword ptr ss:[ebp-0x108], esi
00402072 . 89B5 E8FEFFFF mov dword ptr ss:[ebp-0x118], esi ; ... end of zeroing
00402078 . FF97 FC020000 call near dword ptr ds:[edi+0x2FC] ; vtable call on the form; its result (a control) is handed to __vbaObjSet next
0040207E . 8D4D A4 lea ecx, dword ptr ss:[ebp-0x5C]
00402081 . 50 push eax
00402082 . 51 push ecx
00402083 . FF15 24414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaObjSet — stores the control ref in [ebp-0x5C]
00402089 . 8BD8 mov ebx, eax ; ebx = control object
0040208B . 8D45 A8 lea eax, dword ptr ss:[ebp-0x58]
0040208E . 50 push eax ; out: BSTR receiver
0040208F . 53 push ebx ; this
00402090 . 8B13 mov edx, dword ptr ds:[ebx]
00402092 . FF92 A0000000 call near dword ptr ds:[edx+0xA0] ; property getter on the control -> [ebp-0x58] (the username, per the author)
00402098 . 3BC6 cmp eax, esi ; HRESULT < 0 ?
0040209A . 7D 12 jge short Andréna.004020AE ; success: skip the error path
0040209C . 68 A0000000 push 0xA0
004020A1 . 68 201C4000 push Andréna.00401C20
004020A6 . 53 push ebx
004020A7 . 50 push eax
004020A8 . FF15 14414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj (raises the VB error)
004020AE > 8B45 A8 mov eax, dword ptr ss:[ebp-0x58] ; eax = the username BSTR read above
004020B1 . 8975 A8 mov dword ptr ss:[ebp-0x58], esi ; esi = 0: clear the slot now that the BSTR has been taken
004020B4 . 8B35 FC404000 mov esi, dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaVarMove, kept in esi for the "call esi" sites below
004020BA . 8D55 94 lea edx, dword ptr ss:[ebp-0x6C] ; src variant
004020BD . 8D4D BC lea ecx, dword ptr ss:[ebp-0x44] ; dst variant
004020C0 . 8945 9C mov dword ptr ss:[ebp-0x64], eax ; username -> value field of [ebp-0x6C]
004020C3 . C745 94 08000000 mov dword ptr ss:[ebp-0x6C], 0x8 ; vt = 8 (VT_BSTR)
004020CA . FFD6 call near esi ; <&MSVBVM50.__vbaVarMove>: [ebp-0x44] := username variant
004020CC . 8D4D A4 lea ecx, dword ptr ss:[ebp-0x5C] ; ecx = &control ref
004020CF . FF15 B4414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeObj
004020D5 . B8 01000000 mov eax, 0x1 ; eax = 1
004020DA . 8D8D 54FFFFFF lea ecx, dword ptr ss:[ebp-0xAC]
004020E0 . 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4], eax ; 1 -> value of [ebp-0xAC] (labelled Step by OllyDbg below)
004020E6 . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4], eax ; 1 -> value of [ebp-0xBC] (labelled Start below)
004020EC . 8D55 BC lea edx, dword ptr ss:[ebp-0x44]
004020EF . 51 push ecx ; /Step8
004020F0 . 8D45 94 lea eax, dword ptr ss:[ebp-0x6C] ; |
004020F3 . BB 02000000 mov ebx, 0x2 ; |ebx = 2 (VT_I2), reused for several vt fields
004020F8 . 52 push edx ; |/var18  (&username)
004020F9 . 50 push eax ; ||retBuffer8
004020FA . 899D 54FFFFFF mov dword ptr ss:[ebp-0xAC], ebx ; ||vt of [ebp-0xAC] = VT_I2
00402100 . 899D 44FFFFFF mov dword ptr ss:[ebp-0xBC], ebx ; ||vt of [ebp-0xBC] = VT_I2
00402106 . FF15 18414000 call near dword ptr ds:[<&MSVBVM50.__>; |\__vbaLenVar -> Len(username) in [ebp-0x6C]; eax is passed on as End
0040210C . 8D8D 44FFFFFF lea ecx, dword ptr ss:[ebp-0xBC] ; |ecx = &Start variant
00402112 . 50 push eax ; |End8
00402113 . 8D95 E8FEFFFF lea edx, dword ptr ss:[ebp-0x118] ; |
00402119 . 51 push ecx ; |Start8
0040211A . 8D85 F8FEFFFF lea eax, dword ptr ss:[ebp-0x108] ; |
00402120 . 52 push edx ; |TMPend8
00402121 . 8D4D DC lea ecx, dword ptr ss:[ebp-0x24] ; |
00402124 . 50 push eax ; |TMPstep8
00402125 . 51 push ecx ; |Counter8
00402126 . FF15 20414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarForInit: For counter = 1 To Len(username) Step 1
0040212C . 8B3D 04414000 mov edi, dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeVarList, kept in edi
00402132 > 85C0 test eax, eax ; loop test: 0 -> loop finished
00402134 . 0F84 9C000000 je Andréna.004021D6
0040213A . 8D55 94 lea edx, dword ptr ss:[ebp-0x6C]
0040213D . 8D45 DC lea eax, dword ptr ss:[ebp-0x24]
00402140 . 52 push edx
00402141 . 50 push eax
00402142 . C745 9C 01000000 mov dword ptr ss:[ebp-0x64], 0x1 ; [ebp-0x64] held Len(username) from __vbaLenVar; overwritten with 1 (the Mid length)
00402149 . 895D 94 mov dword ptr ss:[ebp-0x6C], ebx ; vt = VT_I2
0040214C . FF15 90414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaI4Var(&counter) -> i as Long
00402152 . 8D4D BC lea ecx, dword ptr ss:[ebp-0x44] ; |
00402155 . 50 push eax ; |Start (= i)
00402156 . 8D55 84 lea edx, dword ptr ss:[ebp-0x7C] ; |
00402159 . 51 push ecx ; |dString8 (&username)
0040215A . 52 push edx ; |RetBUFFER
0040215B . FF15 38414000 call near dword ptr ds:[<&MSVBVM50.#6>; \rtcMidCharVar: Mid(username, i, 1) -> [ebp-0x7C]
00402161 . 8D45 84 lea eax, dword ptr ss:[ebp-0x7C]
00402164 . 8D4D A8 lea ecx, dword ptr ss:[ebp-0x58]
00402167 . 50 push eax ; /String8
00402168 . 51 push ecx ; |ARG2
00402169 . FF15 70414000 call near dword ptr ds:[<&MSVBVM50.__>; \import name truncated; author: yields the current username character as a string
0040216F . 50 push eax ; /the one-character string
00402170 . FF15 0C414000 call near dword ptr ds:[<&MSVBVM50.#5>; \import name truncated; author: the "hex value" of the character, i.e. its character code -> ax
00402176 . 66:8985 4CFFFFFF mov word ptr ss:[ebp-0xB4], ax ; character code -> value field of [ebp-0xBC]
0040217D . 8D55 CC lea edx, dword ptr ss:[ebp-0x34] ; running sum
00402180 . 8D85 44FFFFFF lea eax, dword ptr ss:[ebp-0xBC]
00402186 . 52 push edx ; /var18 (sum)
00402187 . 8D8D 74FFFFFF lea ecx, dword ptr ss:[ebp-0x8C] ; |
0040218D . 50 push eax ; |var28 (character code)
0040218E . 51 push ecx ; |saveto8
0040218F . 899D 44FFFFFF mov dword ptr ss:[ebp-0xBC], ebx ; |vt of [ebp-0xBC] = VT_I2 (ebx = 2)
00402195 . FF15 94414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarAdd: sum + code -> [ebp-0x8C]
0040219B . 8BD0 mov edx, eax ; src = the result variant
0040219D . 8D4D CC lea ecx, dword ptr ss:[ebp-0x34] ; dst = sum
004021A0 . FFD6 call near esi ; __vbaVarMove: sum := sum + code
004021A2 . 8D4D A8 lea ecx, dword ptr ss:[ebp-0x58]
004021A5 . FF15 B8414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeStr: release the temp string
004021AB . 8D55 84 lea edx, dword ptr ss:[ebp-0x7C]
004021AE . 8D45 94 lea eax, dword ptr ss:[ebp-0x6C]
004021B1 . 52 push edx
004021B2 . 50 push eax
004021B3 . 53 push ebx ; count = 2
004021B4 . FFD7 call near edi ; __vbaFreeVarList(2, &[ebp-0x6C], &[ebp-0x7C])
004021B6 . 83C4 0C add esp, 0xC ; cdecl varargs: caller pops the three args
004021B9 . 8D8D E8FEFFFF lea ecx, dword ptr ss:[ebp-0x118]
004021BF . 8D95 F8FEFFFF lea edx, dword ptr ss:[ebp-0x108]
004021C5 . 8D45 DC lea eax, dword ptr ss:[ebp-0x24]
004021C8 . 51 push ecx ; /TMPend8
004021C9 . 52 push edx ; |TMPstep8
004021CA . 50 push eax ; |Counter8
004021CB . FF15 AC414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarForNext: advance the counter; eax = 0 once the loop is done
004021D1 .^ E9 5CFFFFFF jmp Andréna.00402132 ; back to the loop test: sums the code of every username character
004021D6 > 8D4D CC lea ecx, dword ptr ss:[ebp-0x34] ; loop done: ecx = &sum
004021D9 . 8D95 54FFFFFF lea edx, dword ptr ss:[ebp-0xAC]
004021DF . 51 push ecx ; /var18 (sum)
004021E0 . 8D45 94 lea eax, dword ptr ss:[ebp-0x6C] ; |
004021E3 . 52 push edx ; |var28 (constant)
004021E4 . 50 push eax ; |SaveTo8
004021E5 . C785 5CFFFFFF D202>mov dword ptr ss:[ebp-0xA4], 0x49960>; |constant 0x499602D2 -> value of [ebp-0xAC] (author saw it at [0018F390])
004021EF . C785 54FFFFFF 0300>mov dword ptr ss:[ebp-0xAC], 0x3 ; |vt = 3 (VT_I4) (author: [0018F388])
004021F9 . FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>; import name truncated (its body is dumped at 74121986 below); author: the key call — sum * 0x499602D2
004021FF . 8BD0 mov edx, eax
00402201 . 8D4D CC lea ecx, dword ptr ss:[ebp-0x34]
00402204 . FFD6 call near esi ; __vbaVarMove: [ebp-0x34] := product
00402206 . 8B1D A0414000 mov ebx, dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaMidStmtVar, kept in ebx
0040220C . 8D4D CC lea ecx, dword ptr ss:[ebp-0x34]
0040220F . 51 push ecx ; target: the product variant
00402210 . 6A 04 push 0x4 ; position 4
00402212 . 8D95 54FFFFFF lea edx, dword ptr ss:[ebp-0xAC]
00402218 . 6A 01 push 0x1 ; length 1
0040221A . 52 push edx ; replacement variant
0040221B . C785 5CFFFFFF 341C>mov dword ptr ss:[ebp-0xA4], Andréna>; string constant (author: "-") -> value of [ebp-0xAC]
00402225 . C785 54FFFFFF 0800>mov dword ptr ss:[ebp-0xAC], 0x8 ; vt = 8 (VT_BSTR)
0040222F . FFD3 call near ebx ; <&MSVBVM50.__vbaMidStmtVar>: Mid(product$, 4, 1) = "-"
00402231 . 8D45 CC lea eax, dword ptr ss:[ebp-0x34]
00402234 . 8D8D 54FFFFFF lea ecx, dword ptr ss:[ebp-0xAC]
0040223A . 50 push eax
0040223B . 6A 09 push 0x9 ; position 9
0040223D . 6A 01 push 0x1 ; length 1
0040223F . 51 push ecx
00402240 . C785 5CFFFFFF 341C>mov dword ptr ss:[ebp-0xA4], Andréna>; the same string constant (author: "-")
0040224A . C785 54FFFFFF 0800>mov dword ptr ss:[ebp-0xAC], 0x8 ; vt = VT_BSTR
00402254 . FFD3 call near ebx ; Mid(product$, 9, 1) = "-"  -> [ebp-0x34] now holds the expected serial
00402256 . 8B45 08 mov eax, dword ptr ss:[ebp+0x8] ;author: at this point the computed serial is visible in the stack window
00402259 . 50 push eax
0040225A . 8B10 mov edx, dword ptr ds:[eax]
0040225C . FF92 04030000 call near dword ptr ds:[edx+0x304] ; form vtable slot -> the serial control
00402262 . 50 push eax
00402263 . 8D45 A4 lea eax, dword ptr ss:[ebp-0x5C]
00402266 . 50 push eax
00402267 . FF15 24414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaObjSet
0040226D . 8BD8 mov ebx, eax ; ebx = control object
0040226F . 8D55 A8 lea edx, dword ptr ss:[ebp-0x58]
00402272 . 52 push edx ; out: BSTR receiver
00402273 . 53 push ebx
00402274 . 8B0B mov ecx, dword ptr ds:[ebx]
00402276 . FF91 A0000000 call near dword ptr ds:[ecx+0xA0] ; same getter slot as at 00402092: control text -> [ebp-0x58]
0040227C . 85C0 test eax, eax
0040227E . 7D 12 jge short Andréna.00402292 ; HRESULT >= 0: skip the error path
00402280 . 68 A0000000 push 0xA0
00402285 . 68 201C4000 push Andréna.00401C20
0040228A . 53 push ebx
0040228B . 50 push eax
0040228C . FF15 14414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaHresultCheckObj
00402292 > 8B45 A8 mov eax, dword ptr ss:[ebp-0x58] ; eax = the entered serial (author: "fake code")
00402295 . 8D4D CC lea ecx, dword ptr ss:[ebp-0x34] ; ecx = &computed serial (author: follow ecx in the stack window to see it)
00402298 . 8945 9C mov dword ptr ss:[ebp-0x64], eax ; entered serial -> value of [ebp-0x6C]
0040229B . 8D45 94 lea eax, dword ptr ss:[ebp-0x6C]
0040229E . 50 push eax ; /var18 (entered)
0040229F . 51 push ecx ; |var28 (computed)
004022A0 . C745 A8 00000000 mov dword ptr ss:[ebp-0x58], 0x0 ; |clear the BSTR slot
004022A7 . C745 94 08800000 mov dword ptr ss:[ebp-0x6C], 0x8008 ; |vt = 0x8008 (VT_BSTR plus a VB-internal flag bit)
004022AE . FF15 48414000 call near dword ptr ds:[<&MSVBVM50.__>; \__vbaVarTstEq(&entered, &computed): plain-text compare of the full expected serial
004022B4 . 8D4D A4 lea ecx, dword ptr ss:[ebp-0x5C]
004022B7 . 8BD8 mov ebx, eax ; ebx = compare result
004022B9 . FF15 B4414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeObj
004022BF . 8D4D 94 lea ecx, dword ptr ss:[ebp-0x6C]
004022C2 . FF15 00414000 call near dword ptr ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeVar
004022C8 . 66:85DB test bx, bx ; compare result (0 = not equal)
004022CB . 0F84 C0000000 je Andréna.00402391 ;author: the decisive branch — taken (not equal) means failure
004022D1 . FF15 74414000 call near dword ptr ds:[<&MSVBVM50.#5>; MSVBVM50.rtcBeep (fall-through path; the author reads this as the success path)
进入这个关键 call(004021F9 . FF15 5C414000 call near dword ptr ds:[<&MSVBVM50.__>),来到以下代码:
; ---------------------------------------------------------------------------
; MSVBVM50 runtime: variant-arithmetic dispatcher reached from the call at
; 004021F9 — OllyDbg dump 74121986.. (the import name is truncated in the caller).
; Args as loaded at 741219AB..741219B1: [ebp+0x8] result variant (esi),
; [ebp+0xC] var1 (ebx, the VT_I4 constant), [ebp+0x10] var2 (edi, the VT_I2 sum).
; ---------------------------------------------------------------------------
[Asm] 纯文本查看 复制代码 74121986 > 55 push ebp
74121987 33C0 xor eax, eax ; eax = 0
74121989 8BEC mov ebp, esp
7412198B 83EC 1C sub esp, 0x1C ; locals
7412198E 3905 64F01274 cmp dword ptr ds:[0x7412F064], eax ; runtime global == 0 ? (its meaning is not visible in this dump)
74121994 53 push ebx
74121995 56 push esi
74121996 8945 E8 mov dword ptr ss:[ebp-0x18], eax ; [ebp-0x18] = 0
74121999 57 push edi
7412199A 0F85 D3670000 jnz MSVBVM50.74128173 ; non-zero -> alternate path (outside this dump)
741219A0 A1 6CF01274 mov eax, dword ptr ds:[0x7412F06C]
741219A5 8D48 50 lea ecx, dword ptr ds:[eax+0x50] ; two derived pointers, saved below; not used in the visible part
741219A8 83C0 60 add eax, 0x60
741219AB 8B7D 10 mov edi, dword ptr ss:[ebp+0x10] ; edi = var2 (the sum variant)
741219AE 8B5D 0C mov ebx, dword ptr ss:[ebp+0xC] ; ebx = var1 (the constant variant)
741219B1 8B75 08 mov esi, dword ptr ss:[ebp+0x8] ; esi = result variant
741219B4 894D F4 mov dword ptr ss:[ebp-0xC], ecx
741219B7 66:8B0F mov cx, word ptr ds:[edi] ; cx = vt of var2
741219BA 8945 E4 mov dword ptr ss:[ebp-0x1C], eax
741219BD 66:8B03 mov ax, word ptr ds:[ebx] ; ax = vt of var1
741219C0 66:894D FE mov word ptr ss:[ebp-0x2], cx
741219C4 66:8945 F2 mov word ptr ss:[ebp-0xE], ax
741219C8 66:837D F2 11 cmp word ptr ss:[ebp-0xE], 0x11 ; vt of var1 above 0x11 -> unsupported type
741219CD 0F87 B1670000 ja MSVBVM50.74128184
741219D3 0FB745 FE movzx eax, word ptr ss:[ebp-0x2] ; eax = vt of var2 (author observed 2 = VT_I2)
741219D7 0FB74D F2 movzx ecx, word ptr ss:[ebp-0xE] ; ecx = vt of var1 (author observed 3 = VT_I4)
741219DB 6BC0 12 imul eax, eax, 0x12 ; index = vt2 * 18 ...
741219DE 03C1 add eax, ecx ; ... + vt1  (18 x 18 type-pair table)
741219E0 3D 43010000 cmp eax, 0x143 ; 0x143 = 18*18-1: bounds check on the pair index
741219E5 0F87 04680000 ja MSVBVM50.741281EF
741219EB 0FB690 0D1D1274 movzx edx, byte ptr ds:[eax+0x74121D0D> ; case number for this type pair
741219F2 FF2495 A51A1274 jmp near dword ptr ds:[edx*4+0x74121> ; jump-table dispatch
741219F9 0FBF4F 08 movsx ecx, word ptr ds:[edi+0x8] ; case I2 x I2: ecx = var2 value
741219FD 0FBF43 08 movsx eax, word ptr ds:[ebx+0x8] ; eax = var1 value
74121A01 0FAFC8 imul ecx, eax ; ecx = product
74121A04 0FBFC1 movsx eax, cx
74121A07 3BC1 cmp eax, ecx ; sign-extended low word == full product ? (16-bit overflow check)
74121A09 0F85 A86B0000 jnz MSVBVM50.741285B7 ; overflow path
74121A0F 66:C745 FE 0200 mov word ptr ss:[ebp-0x2], 0x2 ; result vt = VT_I2
74121A15 66:894E 08 mov word ptr ds:[esi+0x8], cx ; result value
74121A19 EB 78 jmp short MSVBVM50.74121A93
74121A1B 0FBF4F 08 movsx ecx, word ptr ds:[edi+0x8] ; case taken here: ecx = var2 value = the username sum (author)
74121A1F 56 push esi ; result variant
74121A20 FF73 08 push dword ptr ds:[ebx+0x8] ; var1 value (the constant)
74121A23 51 push ecx ; the sum
74121A24 E8 1DCCF3FF call MSVBVM50.7405E646 ;32-bit signed multiply with overflow check, dumped below (author: the key call)
74121A29 EB 6F jmp short MSVBVM50.74121A9A
进入这个 call(74121A24 E8 1DCCF3FF call MSVBVM50.7405E646),来到下面代码:
; ---------------------------------------------------------------------------
; MSVBVM50 runtime: signed 32-bit multiply helper called from 74121A24,
; OllyDbg dump 7405E646.. Args: [ebp+0x8] = the sum (pushed last by the
; caller), [ebp+0xC] = the constant, [ebp+0x10] = result variant.
; ---------------------------------------------------------------------------
[Asm] 纯文本查看 复制代码 7405E646 55 push ebp
7405E647 8BEC mov ebp, esp
7405E649 8B45 08 mov eax, dword ptr ss:[ebp+0x8] ; eax = the username character-code sum
7405E64C F76D 0C imul dword ptr ss:[ebp+0xC] ; edx:eax = sum * 0x499602D2 — the key multiplication
7405E64F 8B4D 10 mov ecx, dword ptr ss:[ebp+0x10] ; ecx = result variant
7405E652 0F80 2CC70300 jo MSVBVM50.7409AD84 程序走到这里跳到一下代码 ; OF set: the product does not fit in 32 bits -> overflow handler (author: this jump is taken here)
7405E658 66:C701 0300 mov word ptr ds:[ecx], 0x3 ; no overflow: result vt = 3 (VT_I4)
程序运行到 7405E652 时(乘法溢出,jo 跳转成立),跳到以下代码:
下图是堆栈中的真码,与上图中的长整数对比,可以看出真码就是从相乘的结果中取出的:取码规则是把第四位、第九位都替换成“-”即可,上面的代码里有取码的过程。
算法分析:第一步取用户名每一位的十六进制值,全部累加起来(对累加结果取10进制)
第二步 用上面的累加的值 乘以 作者的预设 499602D2(10进制为1234567890)
第三步 对乘积的结果取长整数,把结果的第四位和第九位替换成预设的“-”
附上易语言编写的注册机工程文件及注册机,一起交流学习
注册机工程文件及成品注册机.rar