上将无双
Posted on 2020-2-18 08:30
This post was last edited by 上将无双 on 2020-2-18 08:34
Crackme practice, exercises 8-11 (Andrénalin): a patching log
I'm a newcomer who has only just started learning cracking, and this is my first write-up. I only know how to patch, so please bear with me, experts.
Link: https://www.52pojie.cn/thread-709699-1-1.html. I chose exercises 008-011, the Andrénalin series.
1. Initial observation: what the programs have in common and how they differ
In common: no packer, written in VB5
Differences: No. 1 and No. 3 have only a registration-code box and an OK button
No. 2 has a username, a password and an OK button
No. 4 has only a registration code, but it has a small keypad and no OK button; the registration status is shown on the right
2. Tools
52pojie OllyDbg
52pojie virtual machine
3. Cracking in practice
3.1. Patching Andrénalin.1.exe
Approach: try to find the instruction that decides the registration code is wrong and modify it, so the check is skipped and it goes straight to success
First drag the program into OD; once it has finished loading, press F9 to run it
As shown in the picture, try entering the fake code 111 and click OK; the error window pops up
Without closing the window, switch back to OD, pause execution, then press Alt+K to bring up the call stack window
All the stack entries except rtcMsgBox are far too large; they are clearly not what we're looking for
I guess rtcMsgBox is the key place where right/wrong is decided; right-click and choose Show call
Browsing the code up and down shows that 00401E85 is the message of the error window
Try to find the instruction that jumps to that address
00401D88 . 47 inc edi
00401D89 . F7DF neg edi
00401D8B . FF15 5C314000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.__vbaFreeStr
00401D91 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2>
00401D94 . FF15 60314000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.__vbaFreeObj
00401D9A . 66:3BFE cmp di,si
00401D9D 0F84 A0000000 je Andréna.00401E43 //suspicious jump
00401DA3 . FF15 2C314000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.rtcBeep
00401DA9 . 8B3D 48314000 mov edi,dword ptr ds:[<&MSVBV>; msvbvm50.__vbaVarDup
00401DAF . B9 04000280 mov ecx,0x80020004
00401DB4 . 894D 9C mov dword ptr ss:[ebp-0x64],e>
00401DB7 . B8 0A000000 mov eax,0xA
00401DBC . 894D AC mov dword ptr ss:[ebp-0x54],e>
00401DBF . BB 08000000 mov ebx,0x8
00401DC4 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8>
00401DCA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4>
00401DCD . 8945 94 mov dword ptr ss:[ebp-0x6C],e>
00401DD0 . 8945 A4 mov dword ptr ss:[ebp-0x5C],e>
00401DD3 . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],A>; UNICODE "SuCCESFul !" /success message
00401DDD . 899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],e>
00401DE3 . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
00401DE5 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7>
00401DE8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3>
00401DEB . C745 8C 701A4>mov dword ptr ss:[ebp-0x74],A>; UNICODE "RiCHtiG ! ...nun weiter zu CrackMe 2 !"
00401DF2 . 895D 84 mov dword ptr ss:[ebp-0x7C],e>
00401DF5 . FFD7 call edi
00401DF7 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6>
00401DFA . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5>
00401DFD . 52 push edx ; ntdll.KiFastSystemCallRet
00401DFE . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4>
00401E01 . 50 push eax
00401E02 . 51 push ecx
00401E03 . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3>
00401E06 . 6A 30 push 0x30
00401E08 . 52 push edx ; ntdll.KiFastSystemCallRet
00401E09 . FF15 F0304000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.rtcMsgBox
00401E0F . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xB>
00401E15 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x2>
00401E18 . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],e>
00401E1E . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0>
00401E28 . FF15 D0304000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.__vbaVarMove
00401E2E . 8D45 94 lea eax,dword ptr ss:[ebp-0x6>
00401E31 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5>
00401E34 . 50 push eax
00401E35 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4>
00401E38 . 51 push ecx
00401E39 . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3>
00401E3C . 52 push edx ; ntdll.KiFastSystemCallRet
00401E3D . 50 push eax
00401E3E . E9 95000000 jmp Andréna.00401ED8
00401E43 > 8B3D 48314000 mov edi,dword ptr ds:[<&MSVBV>; msvbvm50.__vbaVarDup
00401E49 . B9 04000280 mov ecx,0x80020004
00401E4E . 894D 9C mov dword ptr ss:[ebp-0x64],e>
00401E51 . B8 0A000000 mov eax,0xA
00401E56 . 894D AC mov dword ptr ss:[ebp-0x54],e>
00401E59 . BB 08000000 mov ebx,0x8
00401E5E . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8>
00401E64 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4>
00401E67 . 8945 94 mov dword ptr ss:[ebp-0x6C],e>
00401E6A . 8945 A4 mov dword ptr ss:[ebp-0x5C],e>
00401E6D . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],A>; UNICODE "leider NeiN !"
00401E77 . 899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],e>
00401E7D . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
00401E7F . 8D55 84 lea edx,dword ptr ss:[ebp-0x7>
00401E82 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3>
00401E85 . C745 8C E01A4>mov dword ptr ss:[ebp-0x74],A>; UNICODE "Leider Falsch ! Schau noch mal genau nach ..."
00401E8C . 895D 84 mov dword ptr ss:[ebp-0x7C],e>
00401E8F . FFD7 call edi
00401E91 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6>
00401E94 . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5>
00401E97 . 51 push ecx
00401E98 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4>
00401E9B . 52 push edx ; ntdll.KiFastSystemCallRet
00401E9C . 50 push eax
00401E9D . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3>
00401EA0 . 6A 10 push 0x10
00401EA2 . 51 push ecx
00401EA3 . FF15 F0304000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.rtcMsgBox
Finding: when the registration code is wrong, the instruction at 00401D9D takes the jump and skips the success message
Next, NOP that instruction out
It should have worked; press F9 again to run it and enter 111
With that, the patch succeeded.
3.2. Patching Andrénalin.2.exe and Andrénalin.3.exe
Same approach as 3.1; since the goal is to skip the check, it doesn't matter whether there is a username check or not
The steps are much the same, so I won't repeat them
No. 2 patched successfully:
No. 3 patched successfully:
3.3. Patching Andrénalin.4.exe
Approach: there is no OK button, so what do we do? Why not search the strings directly, look for the registration-success text, and then try to force a successful registration
Right-click > Chinese search engine (中文搜索引擎) > Smart search
A big pile of numbers, dizzying to look at
It certainly isn't an encrypted registration code; it's far too long
But the registriert (German for "registered") below it is the key point
The registriert message appears repeatedly; I guess it is comparing each digit of the registration code for correctness
Pick any one of the addresses and follow it
0040B72D > 8D45 CC lea eax,dword ptr ss:[ebp-0x3>
0040B730 . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB>
0040B736 . 50 push eax ; /var18 = NULL
0040B737 . 51 push ecx ; |var28 = 0012FFB0
0040B738 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],A>; |0817E747D7A7D7C7F82836D74747A7F7E7G7C7D826D817E7B7C
0040B742 . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0>; |
0040B74C . FF15 5C104000 call dword ptr ds:[<&MSVBVM60>; \__vbaVarTstEq
0040B752 . 66:85C0 test ax,ax
0040B755 . 74 4C je short Andréna.0040B7A3 //suspicious jump
0040B757 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8>; Andréna.<ModuleEntryPoint>
0040B75A . 50 push eax
0040B75B . 8B10 mov edx,dword ptr ds:[eax]
0040B75D . FF92 38030000 call dword ptr ds:[edx+0x338]
0040B763 . 50 push eax
0040B764 . 8D45 AC lea eax,dword ptr ss:[ebp-0x5>
0040B767 . 50 push eax
0040B768 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60>; msvbvm60.__vbaObjSet
0040B76E . 8B08 mov ecx,dword ptr ds:[eax]
0040B770 . 68 BC1E4000 push Andréna.00401EBC ; REGISTRIERT //successful-registration message
0040B775 . 50 push eax
0040B776 . 8985 30FFFFFF mov dword ptr ss:[ebp-0xD0],e>
0040B77C . FF51 54 call dword ptr ds:[ecx+0x54]
0040B77F . 85C0 test eax,eax
0040B781 . DBE2 fclex
0040B783 . 7D 15 jge short Andréna.0040B79A
0040B785 . 8B95 30FFFFFF mov edx,dword ptr ss:[ebp-0xD>
0040B78B . 6A 54 push 0x54
0040B78D . 68 D41E4000 push Andréna.00401ED4
0040B792 . 52 push edx ; ntdll.KiFastSystemCallRet
0040B793 . 50 push eax
0040B794 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60>; msvbvm60.__vbaHresultCheckObj
0040B79A > 8D4D AC lea ecx,dword ptr ss:[ebp-0x5>
0040B79D . FF15 D4104000 call dword ptr ds:[<&MSVBVM60>; msvbvm60.__vbaFreeObj
I found a jump instruction that skips over 0040B770
Try NOPing it out
Running it shows it is already registered (I don't know why skipping just one is enough to succeed)
4. Closing remarks
Nothing very technical here (basically guesswork); just a bit of experience for beginners to refer to
My patching log may have unclear parts; please leave a comment, rate it and correct me
Thanks for Reading!
2020.2.18
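Added example (not part of the original post): the two jumps in sections 3.1 and 3.3 are printed by OllyDbg with their targets already resolved, but it is worth knowing how those targets come out of the raw bytes, because a relative jump's displacement is measured from the next instruction, and a NOP replacement must cover the whole encoding (6 bytes for 0F84 A0000000, 2 bytes for 74 4C). The script below parses the listing lines quoted in the post, decodes both jumps and checks them against the targets OllyDbg printed, and then shows the defender's side of the same story: a SHA-256 over the code bytes, which is what a self-check or file-integrity monitor would compare against a known-good copy, changes as soon as one instruction is replaced. The listing excerpts are constructed from the post's own lines; the function names are my own and not from any tool.

```python
import hashlib
import re

# Constructed excerpts of the two OllyDbg listings quoted in the post
# (section 3.1, Andrénalin.1.exe, and section 3.3, Andrénalin.4.exe).
# Only the lines around the two suspicious jumps are kept.
LISTING_1 = """\
00401D9A . 66:3BFE cmp di,si
00401D9D 0F84 A0000000 je Andréna.00401E43
00401DA3 . FF15 2C314000 call dword ptr ds:[<&MSVBVM50>; msvbvm50.rtcBeep
"""
LISTING_4 = """\
0040B752 . 66:85C0 test ax,ax
0040B755 . 74 4C je short Andréna.0040B7A3
0040B757 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8>; Andréna.<ModuleEntryPoint>
"""

# Opcode-byte tokens are upper-case hex; a prefix is written as "66:".
# OllyDbg prints mnemonics in lower case, so they never match this pattern.
HEX_TOKEN = re.compile(r"[0-9A-F:]+")


def parse_listing(text):
    """Turn OllyDbg listing lines into (address, opcode bytes, mnemonic, operands).

    Layout per line: address, optional '.'/'>' marker, opcode bytes, mnemonic,
    operands; anything after ';' is an OllyDbg comment and is dropped.
    """
    rows = []
    for line in text.splitlines():
        toks = line.split(";", 1)[0].split()
        if len(toks) < 3:
            continue
        addr = int(toks[0], 16)
        i = 2 if toks[1] in (".", ">") else 1
        raw = []
        while i < len(toks) and HEX_TOKEN.fullmatch(toks[i]):
            raw.append(toks[i].replace(":", ""))
            i += 1
        code = bytes.fromhex("".join(raw))
        mnemonic = toks[i] if i < len(toks) else ""
        operands = " ".join(toks[i + 1:])
        rows.append((addr, code, mnemonic, operands))
    return rows


def jump_target(addr, code):
    """Absolute target of a relative jmp/jcc, or None if the bytes are not one.

    Covers the encodings seen in the post: short jcc (7x rel8), near jcc
    (0F 8x rel32) and plain jmp (EB rel8 / E9 rel32). The displacement is
    relative to the address of the *next* instruction, i.e. addr + len(code).
    """
    if len(code) == 2 and (0x70 <= code[0] <= 0x7F or code[0] == 0xEB):
        rel = int.from_bytes(code[1:], "little", signed=True)
    elif len(code) == 5 and code[0] == 0xE9:
        rel = int.from_bytes(code[1:], "little", signed=True)
    elif len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        rel = int.from_bytes(code[2:], "little", signed=True)
    else:
        return None
    return (addr + len(code) + rel) & 0xFFFFFFFF


def check_branches(rows):
    """Decode each relative branch and compare it with the target OllyDbg printed.

    Returns a list of (address, decoded target, matches_listing).
    """
    results = []
    for addr, code, _mnemonic, operands in rows:
        target = jump_target(addr, code)
        if target is None:
            continue
        printed = re.search(r"([0-9A-F]{8})$", operands)
        matches = printed is not None and int(printed.group(1), 16) == target
        results.append((addr, target, matches))
    return results


def code_digest(rows):
    """SHA-256 over the opcode bytes in listing order: the value a self-check
    or a file-integrity monitor would compare against a known-good copy."""
    h = hashlib.sha256()
    for _addr, code, _mnemonic, _operands in rows:
        h.update(code)
    return h.hexdigest()


def nop_patch_changes_digest(rows, addr):
    """Re-hash the listing with the instruction at `addr` replaced by NOPs of the
    same length (the edit described in the post) and report whether the digest
    moved. A check keyed on the original digest would reject the patched image."""
    patched = [(a, b"\x90" * len(c) if a == addr else c, m, o) for a, c, m, o in rows]
    return code_digest(patched) != code_digest(rows)


if __name__ == "__main__":
    for name, text in (("Andrénalin.1", LISTING_1), ("Andrénalin.4", LISTING_4)):
        rows = parse_listing(text)
        for addr, target, ok in check_branches(rows):
            state = "matches" if ok else "MISMATCH"
            print(f"{name}: jump at {addr:08X} -> {target:08X} ({state} listing)")
        print(f"{name}: code digest {code_digest(rows)[:16]}")
```

Running it decodes 00401D9D as 00401DA3 + 0xA0 = 00401E43 and 0040B755 as 0040B757 + 0x4C = 0040B7A3, both agreeing with the listing; the digest comparison is the reason a program that hashes its own code section (or a host that monitors file hashes) notices this kind of edit even though the program otherwise behaves "correctly".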