吾爱破解 - 52pojie.cn

[Original] CrackMe Problem 11: Algorithm + Keygen

growuphappily posted on 2020-3-2 13:21
This post was last edited by growuphappily on 2020-3-2 13:22

0x00 Preface

Lately I really haven't had anything worth posting, and then by chance I found this:
https://www.52pojie.cn/thread-709699-1-1.html
So I decided to do one CrackMe problem every day.
Problem 1: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107523
Problem 2: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1107888
Problem 3: https://www.52pojie.cn/thread-1108487-1-1.html
Problem 4: https://www.52pojie.cn/thread-1109140-1-1.html
Problem 5: too brutal, skipped
Problem 6: https://www.52pojie.cn/thread-1111030-1-1.html
Problem 7: https://www.52pojie.cn/thread-1112318-1-1.html
Problem 8: https://www.52pojie.cn/thread-1113163-1-1.html
Problem 9 algorithm: https://www.52pojie.cn/thread-1114003-1-1.html
Problem 9 patching: https://www.52pojie.cn/thread-1113295-1-1.html
Problem 10: https://www.52pojie.cn/thread-1116170-1-1.html
Problem 11: https://www.52pojie.cn/thread-1119813-1-1.html
Problem 11 algorithm: https://www.52pojie.cn/thread-1120768-1-1.html
Problem 12: a 16-bit program that won't run, skipped (actually I only gave up after seeing others say it was hard, lol)
0x01 Main body


Thinking back to the patching last time: I found a pile of strings, and only one of them was hexadecimal.
Let's look at the VB Decompiler code:
[Visual Basic]
  loc_004064A2: For var_24 = 1 To Len(var_44) Step 1
  loc_004064A8: 
  loc_004064AA: If var_24 = 0 Then GoTo loc_004065D9
  loc_004064C4: var_50 = CStr(Left(var_44, 2))
  loc_00406516: var_3A0 = Asc(Mid$(CStr(var_44), CLng(var_24), 1))
  loc_00406558: var_8C = Hex$((var_3A8 + var_CC))
  loc_00406585: var_34 = 0 & Hex$((var_3A8 + var_CC))
  loc_004065CE: Next var_24
  loc_004065D4: GoTo loc_004064A8
  loc_004065D9: 'Referenced from: 004064AA
  loc_00406601: If (var_34 = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C") = 0 Then GoTo loc_0040664F

So it takes the characters of the string one at a time, converts each to its ASCII code, adds var_CC, concatenates the results, and prepends a 0.
I don't know what var_CC is yet, so I need to look at the OD code.
(var_CC is ebp-0xCC in OD)
OD code:
[Asm]
00406432   > \8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4]
00406438   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
0040643B   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x0
00406445   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0x2
0040644F   .  FFD7          call edi                                 ;  user32.PeekMessageA
00406451   .  B8 02000000   mov eax,0x2
00406456   .  B9 01000000   mov ecx,0x1
0040645B   .  8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax          ;  msvbvm60.6601A3C8
00406461   .  8985 3CFFFFFF mov dword ptr ss:[ebp-0xC4],eax          ;  msvbvm60.6601A3C8
00406467   .  898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx
0040646D   .  898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx
00406473   .  8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-0xB4]
00406479   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
0040647C   .  50            push eax                                 ; /Step8 = msvbvm60.6601A3C8
0040647D   .  8D55 9C       lea edx,dword ptr ss:[ebp-0x64]          ; |
00406480   .  51            push ecx                                 ; |/var18 = C71CB2C8
00406481   .  52            push edx                                 ; ||retBuffer8 = NULL
00406482   .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaLenVa>; |\__vbaLenVar
00406488   .  50            push eax                                 ; |End8 = msvbvm60.6601A3C8
00406489   .  8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4]          ; |
0040648F   .  8D8D 68FDFFFF lea ecx,dword ptr ss:[ebp-0x298]         ; |
00406495   .  50            push eax                                 ; |Start8 = msvbvm60.6601A3C8
00406496   .  8D95 78FDFFFF lea edx,dword ptr ss:[ebp-0x288]         ; |
0040649C   .  51            push ecx                                 ; |TMPend8 = C71CB2C8
0040649D   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]          ; |
004064A0   .  52            push edx                                 ; |TMPstep8 = NULL
004064A1   .  50            push eax                                 ; |Counter8 = msvbvm60.6601A3C8
004064A2   .  FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForInit
004064A8   >  85C0          test eax,eax                             ;  msvbvm60.6601A3C8
004064AA   .  0F84 29010000 je Andréna.004065D9
004064B0   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
004064B3   .  6A 02         push 0x2 ; pushes 2, meaning only the first two characters are taken
004064B5   .  8D55 8C       lea edx,dword ptr ss:[ebp-0x74]
004064B8   .  51            push ecx
004064B9   .  52            push edx
004064BA   .  FFD3          call ebx ; this call is VB's Left() function, which takes the first N characters of a string; 2 was pushed above, so it takes the first two
004064BC   .  8D45 8C       lea eax,dword ptr ss:[ebp-0x74]
004064BF   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
004064C2   .  50            push eax                                 ;  msvbvm60.6601A3C8
004064C3   .  51            push ecx
004064C4   .  FFD6          call esi ; this call stores the string taken above at a memory address and returns that address in eax
004064C6   .  50            push eax                                 ;  msvbvm60.6601A3C8
004064C7   .  FF15 D8104000 call dword ptr ds:[<&MSVBVM60.#581>]     ; converts the extracted characters to hex and puts the result in the FPU register   Note: this is not decimal-to-hex; for example, input 12 gives output 0x12
004064CD   .  DD9D 34FFFFFF fstp qword ptr ss:[ebp-0xCC]    ; here the hex number just converted is stored to ebp-0xCC
004064D3   .  8D55 9C       lea edx,dword ptr ss:[ebp-0x64] 
004064D6   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004064D9   .  52            push edx
004064DA   .  50            push eax                                 ;  msvbvm60.6601A3C8
004064DB   .  C745 A4 01000>mov dword ptr ss:[ebp-0x5C],0x1
004064E2   .  C745 9C 02000>mov dword ptr ss:[ebp-0x64],0x2
004064E9   .  FF15 AC104000 call dword ptr ds:[<&MSVBVM60.__vbaI4Var>;  msvbvm60.__vbaI4Var
004064EF   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
004064F2   .  50            push eax                                 ;  msvbvm60.6601A3C8
004064F3   .  8D55 B8       lea edx,dword ptr ss:[ebp-0x48]
004064F6   .  51            push ecx
004064F7   .  52            push edx
004064F8   .  FFD6          call esi
004064FA   .  50            push eax                                 ;  msvbvm60.6601A3C8
004064FB   .  FF15 4C104000 call dword ptr ds:[<&MSVBVM60.#631>]     ;  msvbvm60.rtcMidCharBstr
00406501   .  8BD0          mov edx,eax                              ;  msvbvm60.6601A3C8
00406503   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
00406506   .  FF15 BC104000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;  msvbvm60.__vbaStrMove
0040650C   .  50            push eax                                 ; /String = "tl"
0040650D   .  FF15 20104000 call dword ptr ds:[<&MSVBVM60.#516>]     ; \rtcAnsiValueBstr
00406513   .  0FBFC0        movsx eax,ax
00406516   .  8985 60FCFFFF mov dword ptr ss:[ebp-0x3A0],eax         ;  msvbvm60.6601A3C8
0040651C   .  8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
00406522   .  DB85 60FCFFFF fild dword ptr ss:[ebp-0x3A0]
00406528   .  51            push ecx
00406529   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x5
00406533   .  DD9D 58FCFFFF fstp qword ptr ss:[ebp-0x3A8]
00406539   .  DD85 58FCFFFF fld qword ptr ss:[ebp-0x3A8]
0040653F   .  DC85 34FFFFFF fadd qword ptr ss:[ebp-0xCC]
00406545   .  DD5D 84       fstp qword ptr ss:[ebp-0x7C]
00406548   .  DFE0          fstsw ax
0040654A   .  A8 0D         test al,0xD
0040654C   .  0F85 7A040000 jnz Andréna.004069CC
00406552   .  FF15 94104000 call dword ptr ds:[<&MSVBVM60.#572>]     ;  msvbvm60.rtcHexBstrFromVar
00406558   .  8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax          ;  msvbvm60.6601A3C8
0040655E   .  8D55 CC       lea edx,dword ptr ss:[ebp-0x34]
00406561   .  8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]
00406567   .  52            push edx
00406568   .  8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0040656E   .  50            push eax                                 ;  msvbvm60.6601A3C8
0040656F   .  51            push ecx
00406570   .  C785 6CFFFFFF>mov dword ptr ss:[ebp-0x94],0x8
0040657A   .  FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>;  msvbvm60.__vbaVarCat
00406580   .  8BD0          mov edx,eax                              ;  msvbvm60.6601A3C8
00406582   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00406585   .  FFD7          call edi                                 ;  user32.PeekMessageA
00406587   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
0040658A   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
0040658D   .  52            push edx
0040658E   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00406591   .  50            push eax                                 ;  msvbvm60.6601A3C8
00406592   .  51            push ecx
00406593   .  6A 03         push 0x3
00406595   .  FF15 9C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  msvbvm60.__vbaFreeStrList
0040659B   .  8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
004065A1   .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
004065A7   .  52            push edx
004065A8   .  8D4D 8C       lea ecx,dword ptr ss:[ebp-0x74]
004065AB   .  50            push eax                                 ;  msvbvm60.6601A3C8
004065AC   .  8D55 9C       lea edx,dword ptr ss:[ebp-0x64]
004065AF   .  51            push ecx
004065B0   .  52            push edx
004065B1   .  6A 04         push 0x4
004065B3   .  FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  msvbvm60.__vbaFreeVarList
004065B9   .  83C4 24       add esp,0x24
004065BC   .  8D85 68FDFFFF lea eax,dword ptr ss:[ebp-0x298]
004065C2   .  50            push eax                                 ; /TMPend8 = msvbvm60.6601A3C8
004065C3   .  8D8D 78FDFFFF lea ecx,dword ptr ss:[ebp-0x288]         ; |
004065C9   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]          ; |
004065CC   .  51            push ecx                                 ; |TMPstep8 = C71CB2C8
004065CD   .  52            push edx                                 ; |Counter8 = NULL
004065CE   .  FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarFo>; \__vbaVarForNext
004065D4   .^ E9 CFFEFFFF   jmp Andréna.004064A8
004065D9   >  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
004065DC   .  8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4]
004065E2   .  50            push eax                                 ; /var18 = msvbvm60.6601A3C8
004065E3   .  51            push ecx                                 ; |var28 = C71CB2C8
004065E4   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],Andréna.0040>; |0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C
004065EE   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0x8008       ; |
004065F8   .  FF15 5C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq

So the source of var_CC is now clear.
(See the comments for details.)
Main flow: take the input key, take its first two characters and convert that prefix to a number; then add that number to the ASCII code of each input character, convert each sum to a hex string, concatenate them, prepend a 0, and compare the result with 0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C.
For this we can use exhaustive search (in plain terms, try them one by one).
Keygen:
[Python]
# The 25 hex values from the comparison string, without the leading 0
key = "81,7E,74,7D,7A,7D,7C,7F,82,83,6D,74,74,7A,7F,7E,7B,7C,7D,82,6D,81,7E,7B,7C"
keys = []
for i in key.split(','):
    keys.append(int(i,16))
t = 1
# Try every two-digit prefix "00".."99" as the offset var_CC
for i in ['0','1','2','3','4','5','6','7','8','9']:
    for ii in ['0','1','2','3','4','5','6','7','8','9']:
        a = i + ii
        # Keep only offsets whose first recovered character is a digit 1-9
        if chr(keys[0] - int(a)) in ['1','2','3','4','5','6','7','8','9']:
            print('密匙{0}:'.format(t),end='')
            # Subtract the offset from every value to recover the key characters
            for iii in keys:
                print(chr(iii-int(a)),end='')
            print('')
            t += 1

Result:
密匙1:96,52547:;%,,276345:%9634
密匙2:85+414369:$++1652349$8523
密匙3:74*3032589#**0541238#7412
密匙4:63)2/21478"))/430127"6301
密匙5:52(1.10367!((.32/016!52/0
密匙6:41'0-0/256 ''-21./05 41./
密匙7:30&/,/.145&&,10-./430-.
密匙8:2/%.+.-034%%+0/,-.32/,-
密匙9:1.$-*-,/23$$*/.+,-21.+,

There are nine keys.
Only the third one can actually be entered.
So the key is 74*3032589#**0541238#7412
Screenshot: 成功.gif
0x03 Closing
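The algorithm summarised above, as an added example that is not part of the original post: a Python re-implementation of the CrackMe's check as read from the VB Decompiler and OD listings (function and variable names are my own), plus a solver that, unlike the keygen above, also requires the recovered two-character prefix to evaluate to the offset it was decoded with. It assumes the prefix is read as a decimal number, as the keygen's int(a) does.

```python
from typing import List, Optional

# Added example, not the original post's code. Names and the simplified Val()
# are my own; the comparison string is the one from the listing.
TARGET = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C"


def vb_val(s: str) -> int:
    """Simplified Val(): parse leading decimal digits, 0 if there are none."""
    digits = ""
    for ch in s:
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else 0


def encode(key: str) -> str:
    """Forward direction, as the CrackMe computes it."""
    offset = vb_val(key[:2])                  # Val(Left(key, 2)) -> var_CC
    out = "0"                                 # the leading 0 & ...
    for ch in key:
        out += format(ord(ch) + offset, "X")  # Hex$(Asc(ch) + var_CC)
    return out


def check(key: str) -> bool:
    """The CrackMe's accept/reject decision."""
    return encode(key) == TARGET


def decode(target: str, offset: int) -> Optional[str]:
    """Undo the encoding for one guessed offset; None if any character would
    fall outside printable ASCII and so could not be typed into the dialog."""
    body = target[1:]                         # drop the leading "0"
    codes = [int(body[i:i + 2], 16) for i in range(0, len(body), 2)]
    chars = [c - offset for c in codes]
    if any(c < 0x20 or c > 0x7E for c in chars):
        return None
    return "".join(chr(c) for c in chars)


def solve(target: str) -> List[str]:
    """Try every two-digit offset 00..99 and keep only candidates that the
    forward check accepts, i.e. whose own first two characters evaluate to
    the offset used to build them. The keygen's "first character is a digit"
    filter alone does not enforce this consistency condition."""
    found = []
    for offset in range(100):
        candidate = decode(target, offset)
        if candidate is not None and encode(candidate) == target:
            found.append(candidate)
    return found


if __name__ == "__main__":
    for k in solve(TARGET):
        print(k, check(k))
```

Running it lists exactly one key, the one the post settles on; the other digit-leading candidates decode cleanly but fail the forward check, because their first two characters are not the offset that produced them.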

Rating costs you nothing! Rating costs you nothing! Rating costs you nothing!


wuyaqing981206 posted on 2020-3-2 18:45
Came in confused, left confused.
jinyif posted on 2020-3-2 14:54
Sylia若风 posted on 2020-3-2 16:49
DJesues posted on 2020-3-2 21:58
Nice, this solution... I don't get it...
叶霸霸 posted on 2020-3-2 22:49
Oh, nice.
kao2288 posted on 2020-3-3 00:40
What's the algorithm?
nj2004 posted on 2020-3-3 08:45
Studying carefully how this was done.
咸某鱼 posted on 2020-3-3 10:00
Master, master, master.
symbian posted on 2020-3-3 11:48
Just what I needed, thanks for sharing.