0x00 Preface
Lately I really haven't had anything worth writing a post about, and then I happened to come across this:
https://www.52pojie.cn/thread-709699-1-1.html
So I decided to do one CrackMe problem a day.
Problem 1: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107523
Problem 2: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107888
Problem 3: https://www.52pojie.cn/thread-1108487-1-1.html
Problem 4: https://www.52pojie.cn/thread-1109140-1-1.html
Problem 5: way too brutal, skipping it
Problem 6: https://www.52pojie.cn/thread-1111030-1-1.html
Problem 7: https://www.52pojie.cn/thread-1112318-1-1.html
Problem 8: https://www.52pojie.cn/thread-1113163-1-1.html
Problem 9 (algorithm): https://www.52pojie.cn/thread-1114003-1-1.html
Problem 9 (patching): https://www.52pojie.cn/thread-1113295-1-1.html
Problem 10: https://www.52pojie.cn/thread-1116170-1-1.html
I recently installed Linux and had intended to write these posts for you from Linux, but OD crashes on launch under Wine.
I spent two days on it without success, so Windows it is.
0x01 Main text
Open the tenth CrackMe:
This time there is only a Key field.
So the registration code should be a fixed string.
Patch it first: set a breakpoint on rtcMsgBox.
Enter a fake code, click register, hit the breakpoint, run until return, set a breakpoint:
Patching:
Patching done; now the algorithm analysis.
Here is the key code:
[Asm]
00401F30 . 51 push ecx ; /Step8 = 0018F244
00401F31 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |
00401F34 . 52 push edx ; |/var18 = 0018F234
00401F35 . 50 push eax ; ||retBuffer8 = 0018F29C
00401F36 . FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; |\compute the string length
00401F3C . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; |
00401F42 . 50 push eax ; |End8 = 0018F29C
00401F43 . 8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-0x114] ; |
00401F49 . 51 push ecx ; |Start8 = 0018F244
00401F4A . 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104] ; |
00401F50 . 52 push edx ; |TMPend8 = 0018F234
00401F51 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24] ; |
00401F54 . 50 push eax ; |TMPstep8 = 0018F29C
00401F55 . 51 push ecx ; |Counter8 = 0018F244
00401F56 . FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \define a variable (loop init)
00401F5C . 8B1D 68414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>; address of the function that concatenates two variables goes into ebx
00401F62 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaFr>; address of the memory-free function goes into edi
00401F68 > 85C0 test eax,eax
00401F6A . 0F84 BB000000 je Andréna.0040202B
00401F70 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00401F73 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
00401F76 . 52 push edx
00401F77 . 50 push eax
00401F78 . C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1
00401F7F . C745 94 02000>mov dword ptr ss:[ebp-0x6C],0x2
00401F86 . FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>; extract a substring
00401F8C . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; |
00401F8F . 50 push eax ; |Start = 0x18F29C
00401F90 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C] ; |
00401F93 . 51 push ecx ; |dString8 = 0018F244
00401F94 . 52 push edx ; |RetBUFFER = 0018F234
00401F95 . FF15 34414000 call dword ptr ds:[<&MSVBVM50.#632>] ; \take the middle of the string (Mid$)
00401F9B . 8D45 84 lea eax,dword ptr ss:[ebp-0x7C]
00401F9E . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401FA1 . 50 push eax ; /String8 = 0018F29C
00401FA2 . 51 push ecx ; |ARG2 = 0018F244
00401FA3 . FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVa>; \__vbaStrVarVal
00401FA9 . 50 push eax ; /String = ""
00401FAA . FF15 08414000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr
00401FB0 . 66:05 0A00 add ax,0xA ; add 0xA to the extracted ASCII value
00401FB4 . 0F80 B0020000 jo Andréna.0040226A
00401FBA . 0FBFD0 movsx edx,ax
00401FBD . 52 push edx
00401FBE . FF15 70414000 call dword ptr ds:[<&MSVBVM50.#537>] ; MSVBVM50.rtcBstrFromAnsi
00401FC4 . 8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
00401FCA . 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
00401FCD . 8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00401FD3 . 50 push eax
00401FD4 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C]
00401FDA . 51 push ecx
00401FDB . 52 push edx
00401FDC . C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
00401FE6 . FFD3 call ebx ; presumably appends the character just computed from the ASCII value to the other string variable
00401FE8 . 8BD0 mov edx,eax
00401FEA . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00401FED . FFD6 call esi ; MSVBVM50.__vbaVarMove
00401FEF . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401FF2 . FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00401FF8 . 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
00401FFE . 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
00402001 . 50 push eax
00402002 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00402005 . 51 push ecx
00402006 . 52 push edx
00402007 . 6A 03 push 0x3
00402009 . FFD7 call edi ; MSVBVM50.__vbaFreeVarList
0040200B . 83C4 10 add esp,0x10
0040200E . 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
00402014 . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
0040201A . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
0040201D . 50 push eax ; /TMPend8 = 0018F29C
0040201E . 51 push ecx ; |TMPstep8 = 0018F244
0040201F . 52 push edx ; |Counter8 = 0018F234
00402020 . FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForNext
00402026 .^ E9 3DFFFFFF jmp Andréna.00401F68
0040202B > 8D45 CC lea eax,dword ptr ss:[ebp-0x34]
0040202E . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
00402034 . 50 push eax ; /var18 = 0018F29C
00402035 . 51 push ecx ; |var28 = 0018F244
00402036 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.0040>; |UNICODE "kXy^rO|*yXo*m\kMuOn*+"
00402040 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8008 ; |
0040204A . FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq
The basic flow is:
take each character of the input, add 0xA to its ASCII value (the `add ax,0xA` above), and compare the resulting string with “kXy^rO|*yXo*m\kMuOn*+”.
If they are equal the check succeeds; otherwise it fails.
Keygen:
One line of Python:
[Python]
for i in r'kXy^rO|*yXo*m\kMuOn*+': print(chr(ord(i) - 0xA))  # raw string: the constant contains a literal backslash
Easier-to-follow Python (if you still can't follow this one... I'm out of ideas):
[Python]
注册码 = ''
for 字符串第循环次数位 in r'kXy^rO|*yXo*m\kMuOn*+':  # raw string: the constant contains a literal backslash
    转换成ASCII再减0xA = ord(字符串第循环次数位) - 0xA  # subtract 0xA because the program adds 0xA; we are doing the inverse, so we subtract
    转换成字符的结果 = chr(转换成ASCII再减0xA)
    注册码 += 转换成字符的结果  # append the converted character to the registration code
print(注册码)  # print the registration code
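As an added example (not from the original post), here is the check in both directions: the forward transform as the disassembly performs it (Mid$, Asc, add 0xA, Chr$, concatenate, then __vbaVarTstEq against the constant) next to the inverse keygen, so the generated key can be verified against the program's own logic instead of only printed. Function names are my own.

```python
# Added example, not from the original post. Function names are my own.
TARGET = r'kXy^rO|*yXo*m\kMuOn*+'  # constant the program compares against (raw: contains '\')
SHIFT = 0xA                          # the `add ax,0xA` inside the loop


def transform(key: str) -> str:
    """Forward direction: what the program computes from the typed key.

    Per loop iteration: Mid$(key, i, 1) -> Asc -> add 0xA (16-bit; the `jo`
    after the add can never fire for ANSI input) -> Chr$ -> appended to a string.
    """
    out = []
    for ch in key:
        code = ord(ch)  # rtcAnsiValueBstr (Asc)
        if code > 0xFF:
            raise ValueError('Asc only handles ANSI characters here')
        shifted = code + SHIFT
        if shifted > 0xFF:
            # rtcBstrFromAnsi (Chr$) rejects values above 255 on single-byte code pages
            raise ValueError('Chr$ argument out of range')
        out.append(chr(shifted))
    return ''.join(out)  # built up by the __vbaVarCat call in the loop


def check(key: str) -> bool:
    """__vbaVarTstEq: the transformed key must equal TARGET exactly."""
    return transform(key) == TARGET


def keygen(target: str = TARGET) -> str:
    """Inverse: undo the +0xA on every character of the constant."""
    if any(ord(c) < SHIFT for c in target):
        raise ValueError('a target character is too small to invert')
    return ''.join(chr(ord(c) - SHIFT) for c in target)


if __name__ == '__main__':
    key = keygen()
    print(key, check(key))  # the key, followed by True
```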
Work out the registration code yourselves.
Or scratch the card: aNoThEr oNe cRaCkEd !
0x03 Closing
Ratings are free! Ratings are free! Ratings are free!