Tool: OD (OllyDbg) from 52;
Target: 股易涨决策系统;
Source: the Internet;
Reason: a few notes from the process of "harmonising" (cracking) it;
Software type: VB, exe;
Goal: log in with any username and password;
Protection: sensm.exe
I don't know what kind of protection this is, but I have found many programs protected this way, so I hope that analysing this one will give a general approach, not just a fix for this one 股易涨决策系统 program.
With a valid username and password:
The normal running screen:
With an arbitrary username and password:
A login-failure prompt appears.
Since this protection is representative, a few simple je/jne/jmp patches are not going to solve it. Instead, log in with a valid username and password and analyse how the program performs a normal login.
Load the program in OD and locate the login routine:
007F1E00 55 push ebp ; // login verification
007F1E01 8BEC mov ebp,esp
007F1E03 83EC 18 sub esp,0x18
007F1E06 68 16004200 push <jmp.&MSVBVM60.__vbaExceptHandler>
007F1E0B 64:A1 00000000 mov eax,dword ptr fs:[0]
007F1E11 50 push eax
007F1E12 64:8925 00000000 mov dword ptr fs:[0],esp
007F1E19 B8 E8060000 mov eax,0x6E8
007F1E1E E8 EDE1C2FF call <jmp.&MSVBVM60.__vbaChkstk>
007F1E23 53 push ebx ; msvbvm60.__vbaHresultCheckObj
007F1E24 56 push esi
007F1E25 57 push edi ; sensm.00A08F8C
007F1E26 8965 E8 mov dword ptr ss:[ebp-0x18],esp
007F1E29 C745 EC B8064100 mov dword ptr ss:[ebp-0x14],sensm.004106B8 ; w
007F1E30 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
007F1E33 83E0 01 and eax,0x1
007F1E36 8945 F0 mov dword ptr ss:[ebp-0x10],eax
007F1E39 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
007F1E3C 83E1 FE and ecx,0xFFFFFFFE
007F1E3F 894D 08 mov dword ptr ss:[ebp+0x8],ecx ; sensm.00A08F8C
007F1E42 C745 F4 00000000 mov dword ptr ss:[ebp-0xC],0x0
007F1E49 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
007F1E4C 8B02 mov eax,dword ptr ds:[edx] ; sensm.00A08F8C
007F1E4E 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
007F1E51 51 push ecx ; sensm.00A08F8C
007F1E52 FF50 04 call dword ptr ds:[eax+0x4]
007F1E55 C745 FC 01000000 mov dword ptr ss:[ebp-0x4],0x1
007F1E5C C745 FC 03000000 mov dword ptr ss:[ebp-0x4],0x3
007F1E63 6A FF push -0x1
007F1E65 FF15 8C114000 call dword ptr ds:[<&MSVBVM60.__vbaOnError>] ; msvbvm60.__vbaOnError
007F1E6B C745 FC 04000000 mov dword ptr ss:[ebp-0x4],0x4
007F1E72 68 8C4C4600 push sensm.00464C8C
007F1E77 68 6C4C4600 push sensm.00464C6C ; 1
007F1E7C 68 9C754600 push sensm.0046759C ; W[&{2N
007F1E81 E8 DAB7FFFF call sensm.007ED660
007F1E86 8985 E4FEFFFF mov dword ptr ss:[ebp-0x11C],eax
007F1E8C C785 DCFEFFFF 08000000 mov dword ptr ss:[ebp-0x124],0x8
007F1E96 8D95 DCFEFFFF lea edx,dword ptr ss:[ebp-0x124]
007F1E9C 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
007F1E9F FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMove>] ; msvbvm60.__vbaVarMove
007F1EA5 C745 FC 05000000 mov dword ptr ss:[ebp-0x4],0x5
007F1EAC C785 E4FCFFFF EC254800 mov dword ptr ss:[ebp-0x31C],sensm.004825EC ; "账户或密码错误" (account or password incorrect)
007F1EB6 C785 DCFCFFFF 08000000 mov dword ptr ss:[ebp-0x324],0x8
007F1EC0 8D95 DCFCFFFF lea edx,dword ptr ss:[ebp-0x324]
007F1EC6 8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp-0x154]
At 007F1EAC the string "账户或密码错误" (account or password incorrect) is in plaintext. Put an F2 breakpoint on 007F1E00, press F9 to break there, then step through with F8. This routine is fairly long and takes some patience.
007F413C 50 push eax
007F413D FF15 C8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; msvbvm60.__vbaStrCat
007F4143 8BD0 mov edx,eax
007F4145 8D8D 0CFFFFFF lea ecx,dword ptr ss:[ebp-0xF4]
007F414B FF15 CC144000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
007F4151 50 push eax
007F4152 8D8D DCFEFFFF lea ecx,dword ptr ss:[ebp-0x124]
007F4158 51 push ecx ; sensm.00A08F8C
007F4159 E8 32B1FFFF call sensm.007EF290
007F415E 8D95 DCFEFFFF lea edx,dword ptr ss:[ebp-0x124]
007F4164 52 push edx
007F4165 FF15 48104000 call dword ptr ds:[<&MSVBVM60.__vbaStrVarMove>] ; msvbvm60.__vbaStrVarMove
007F416B 8BD0 mov edx,eax ; // [eax] = ciphertext; pj3: change user type
007F416D 8D4D AC lea ecx,dword ptr ss:[ebp-0x54]
007F4170 FF15 CC144000 call dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
Stepping to 007F416B, [eax] holds a very long string.
Ciphertext:
Next, trace how the program processes this ciphertext: follow it in the data window, set a memory-access breakpoint on it, and press F9.
00968137 8B51 14 mov edx,dword ptr ds:[ecx+0x14]
0096813A 8BC3 mov eax,ebx
0096813C 2BC2 sub eax,edx
0096813E 8B51 10 mov edx,dword ptr ds:[ecx+0x10]
00968141 3BC2 cmp eax,edx
00968143 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
00968149 72 1A jb short sensm.00968165
0096814B FF15 38124000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateBoundsError>] ; msvbvm60.__vbaGenerateBoundsError
00968151 8B4D B0 mov ecx,dword ptr ss:[ebp-0x50]
00968154 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
0096815A EB 09 jmp short sensm.00968165
0096815C FF15 38124000 call dword ptr ds:[<&MSVBVM60.__vbaGenerateBoundsError>] ; msvbvm60.__vbaGenerateBoundsError
00968162 8B4D B0 mov ecx,dword ptr ss:[ebp-0x50]
00968165 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
00968168 8B49 0C mov ecx,dword ptr ds:[ecx+0xC] ; // dword ptr ds:[ecx+0xC] = decoded ciphertext
0096816B 8A143A mov dl,byte ptr ds:[edx+edi]
Tracing to 00968168, look at the decoded result:
登陆成功|1212von6|2021/12/12 15:35:57|160|1|2021-12-19 15:36:10|29||544|2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00,2021/12/19 15:35:00|0|3840|,26,27,28,29,30,31,32,33,34,35,36,37,38,|||||NMqIrutJYDTxjMfIdLDrXDRwobxRLfnA||0||||||||200793|0|C19A-B5A5-3E6C-498F|117.188.42.193|2021/12/12 15:35:57|56789|1|6||||||||| x8fHx8Tk1xSXJ1dEpZRFR4ak1mSWRMRHJYRFJ3b2J4UkxmbkF8fDB8fHx8fHx8fDIwMDc5M3wwfEMxOUEtQjVBNS0zRTZDLTQ5OEZ8MTE3LjE4OC40Mi4xOTN8MjAyMS8xMi8xMiAxNTozNTo1N3w1Njc4OXwxfDZ8fHx8fHx8fHw= To1N3w1Njc4OXwxfDZ8fHx8fHx8fHw=
Now verify that, as long as the ciphertext is present, any username and password will do:
Look at the red box at the bottom left: the program logs in normally. The conclusion is that this protection's verification only needs a valid ciphertext.
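The weakness described above is that the client decodes a server-issued blob locally and trusts the "登陆成功" field inside it, so a captured blob can be reused with any credentials. The following Python is an added example (not code from the post or from sensm.exe) that models that pattern beside a hardened version: the login record is bound to a fresh client nonce and a timestamp and carries a MAC over the whole payload, so a replayed or edited record is rejected. The record layout mirrors the pipe-delimited dump on the page; all values, the key, the nonce and the timestamps are constructed for the demo. HMAC with a shared key is used only to keep the example stdlib-only; a real client should hold a public key and verify a server signature instead, since a shared key embedded in the client can be extracted.

```python
import base64
import hashlib
import hmac
import time

# Constructed login record in the same pipe-delimited layout seen in the OD dump:
# status|user|login time|...  (values are made up for the demo).
SAMPLE_RECORD = "登陆成功|demo_user|2021/12/12 15:35:57|160|1|2021-12-19 15:36:10|29||544|0|3840"
DEMO_KEY = b"demo-shared-key-not-for-production"  # constructed; see lead-in note on HMAC vs signatures
FIXED_NOW = 1_700_000_000                          # fixed clock so the demo is deterministic


def parse_record(text: str) -> dict:
    """Split a pipe-delimited login record into the fields the client cares about."""
    fields = text.split("|")
    if len(fields) < 3:
        raise ValueError("record too short")
    return {"status": fields[0], "user": fields[1], "login_time": fields[2], "fields": fields}


def weak_client_check(b64_blob: str) -> bool:
    """Model of the behaviour observed in the post: decode locally and trust the status field.
    Nothing ties the blob to this session, so any previously captured blob passes."""
    try:
        record = parse_record(base64.b64decode(b64_blob).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False
    return record["status"] == "登陆成功"


def server_issue_response(key: bytes, client_nonce: str, record: str, now: int) -> str:
    """Server side of the hardened exchange: bind the record to the client's nonce and the
    current time, then MAC the whole payload. The MAC is appended as the last '|' field."""
    payload = f"{client_nonce}|{now}|{record}"
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}|{mac}".encode("utf-8")).decode("ascii")


def strong_client_check(key: bytes, b64_blob: str, expected_nonce: str,
                        now: int, max_age_s: int = 60) -> bool:
    """Hardened client check: verify the MAC first, then the nonce (anti-replay),
    then freshness, and only then look at the status field."""
    try:
        text = base64.b64decode(b64_blob).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    payload, sep, mac = text.rpartition("|")
    if not sep:
        return False
    expected_mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected_mac):
        return False  # edited or forged record
    parts = payload.split("|", 2)
    if len(parts) != 3:
        return False
    nonce, ts, record = parts
    if not hmac.compare_digest(nonce, expected_nonce):
        return False  # response was not produced for this login attempt (replay)
    if not ts.isdigit() or abs(now - int(ts)) > max_age_s:
        return False  # stale response
    try:
        return parse_record(record)["status"] == "登陆成功"
    except ValueError:
        return False


def demo() -> dict:
    """Run the weak and hardened checks against a fresh response and a replayed one."""
    captured = base64.b64encode(SAMPLE_RECORD.encode("utf-8")).decode("ascii")
    old_nonce, new_nonce = "nonce-from-yesterday", "nonce-for-this-login"
    old_response = server_issue_response(DEMO_KEY, old_nonce, SAMPLE_RECORD, FIXED_NOW - 86400)
    fresh_response = server_issue_response(DEMO_KEY, new_nonce, SAMPLE_RECORD, FIXED_NOW)
    return {
        "weak_accepts_replay": weak_client_check(captured),
        "strong_accepts_fresh": strong_client_check(DEMO_KEY, fresh_response, new_nonce, FIXED_NOW),
        "strong_rejects_replay": not strong_client_check(DEMO_KEY, old_response, new_nonce, FIXED_NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `strong_client_check` matters: the MAC is verified over the full payload before any field is parsed, so the nonce and timestamp cannot be edited to revive an old record, and the status field is consulted last.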
A combined reply to the two questions raised at #20, #11 and #17:
The poster at #20 has probably studied this protection. It does indeed wrap 通达信, and the wrapped 通达信 can be stripped straight out of it; for early versions of this protection that was enough. But some functions of this program are not available just by taking 通达信 directly, such as the forecast item on the menu.
The posters at #11 and #17 raise the key point: why is having the ciphertext enough? Because in this protection's verification, what follows the ciphertext is local verification, and the ciphertext is not 通达信's but the protection software's own.