[Disassembly exercise] 160 CrackMes, No. 030.

The purpose of this series is to start from the viewpoint of a newcomer with no experience at all (that is, me) and try, step by step, to crack all 160 CrackMes and, where possible, to write something like a keygen by whatever means works.

Each article is organized as follows (it answers these questions):
1. Which environment and tools are used
2. Program analysis
3. Approach and cracking procedure
4. Exploring a keygen
----------------------------------
A reminder to readers: if the logic in the article is not clear to you, it is certainly because you have not done it yourself! OD's jump hints are very powerful; once you trace the code, you understand it without reading much of it!
----------------------------------
1. Tools and environment:
WinXP SP3 + the 52Pojie 6th anniversary edition of OD (OllyDbg) + PEiD + 汇编金手指 (an assembly reference tool).
The packaged 160 CrackMes.
Download: http://pan.baidu.com/s/1xUWOY   password: jbnq
Notes:
1. Win7 enables randomized base addresses (ASLR) for modules and programs, which adds a lot of friction to analysis, so Win7 is not recommended for this.
2. All of the tools above are the original builds from the 52PoJie forum; NOD32 does not flag them, and I promise never to include anything related to trojans or viruses.
2. Program analysis:
To crack a program you must first understand it. The analysis of the original program is therefore an important part of the cracking process: it helps us understand the author's goals and intentions, especially the details of how the registration code is handled, which makes reverse tracing and derivation easier.
As in the previous part, open the CHM, pick the 30th one, cracking4all.1.exe, and save it. Run the program; its interface looks like this:
Click the OK button above and a message box pops up, good. Note that after you click 确定 (OK) on that box, the program exits immediately.
PEiD: Microsoft Visual Basic 5.0 / 6.0. Sigh, another frustrating journey!
3. Approach and cracking procedure
1. Open OD, drag the exe into the OD window, wait for the program to pause, then simply press Run (F9) and ignore it.
2. Click About->Register and type any dummy code, e.g. 21312321. Click OK; a message box pops up. Do not close it; switch back to OD. (While the modal box is up, the call to rtcMsgBox is still on the stack, which is exactly what the next step relies on.)
3. Ctrl+K to view the call stack: select rtcMsgBox, right-click -> Show call.
4. Scroll up through the code:
[Asm]
00403370 . /0F84 E8000000 je 0040345E
00403376 . |8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; msvbvm50.__vbaVarDup
0040337C . |BF 08000000 mov edi,0x8
00403381 . |8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387 . |8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0040338A . |C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],00402824 ; UNICODE "Valid"
00403394 . |89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A . |FFD6 call esi ; <&MSVBVM50.__vbaVarDup>
0040339C . |8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2 . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
004033A5 . |C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027E8 ; UNICODE "Password correct, hehe, :-)"
004033AF . |89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5 . |FFD6 call esi
004033B7 . |8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004033BD . |8D45 88 lea eax,dword ptr ss:[ebp-0x78]
004033C0 . |52 push edx
004033C1 . |8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
004033C4 . |50 push eax
004033C5 . |51 push ecx
004033C6 . |8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004033C9 . |6A 00 push 0x0
004033CB . |52 push edx
004033CC . |FF15 24614000 call dword ptr ds:[<&MSVBVM50.#595>] ; msvbvm50.rtcMsgBox
004033D2 . |8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004033D8 . |8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
004033DB . |50 push eax
004033DC . |8D55 98 lea edx,dword ptr ss:[ebp-0x68]
004033DF . |51 push ecx
004033E0 . |8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
004033E3 . |52 push edx
004033E4 . |50 push eax
004033E5 . |6A 04 push 0x4
004033E7 . |FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; msvbvm50.__vbaFreeVarList
004033ED . |A1 A4434000 mov eax,dword ptr ds:[0x4043A4]
004033F2 . |83C4 14 add esp,0x14
004033F5 . |85C0 test eax,eax
004033F7 . |75 10 jnz short 00403409
004033F9 . |68 A4434000 push 004043A4 ; /Arg2 = 004043A4
004033FE . |68 50284000 push 00402850 ; |Arg1 = 00402850
00403403 . |FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>; \__vbaNew2
00403409 > |A1 38404000 mov eax,dword ptr ds:[0x404038]
0040340E . |8B35 A4434000 mov esi,dword ptr ds:[0x4043A4]
00403414 . |85C0 test eax,eax
00403416 . |75 10 jnz short 00403428
00403418 . |68 38404000 push 00404038 ; /Arg2 = 00404038
0040341D . |68 6C204000 push 0040206C ; |Arg1 = 0040206C
00403422 . |FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>; \__vbaNew2
00403428 > |8B0D 38404000 mov ecx,dword ptr ds:[0x404038]
0040342E . |8B3E mov edi,dword ptr ds:[esi]
00403430 . |8D55 B8 lea edx,dword ptr ss:[ebp-0x48]
00403433 . |51 push ecx
00403434 . |52 push edx
00403435 . |FF15 2C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSetAddref
0040343B . |50 push eax
0040343C . |56 push esi
0040343D . |FF57 10 call dword ptr ds:[edi+0x10]
00403440 . |85C0 test eax,eax
00403442 . |7D 0F jge short 00403453
00403444 . |6A 10 push 0x10
00403446 . |68 40284000 push 00402840
0040344B . |56 push esi
0040344C . |50 push eax
0040344D . |FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00403453 > |8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00403456 . |FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObj
0040345C . |EB 7A jmp short 004034D8
0040345E > \8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; msvbvm50.__vbaVarDup
00403464 . BF 08000000 mov edi,0x8
00403469 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040346F . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00403472 . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],004028BC ; UNICODE "Invalid"
0040347C . 89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
00403482 . FFD6 call esi ; <&MSVBVM50.__vbaVarDup>
00403484 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040348A . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
0040348D . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],00402864 ; UNICODE "Password incorrect, please try again ..."
00403497 . 89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
0040349D . FFD6 call esi
0040349F . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004034A5 . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
004034A8 . 50 push eax
004034A9 . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
004034AC . 51 push ecx
004034AD . 52 push edx
004034AE . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
004034B1 . 6A 00 push 0x0
004034B3 . 50 push eax
004034B4 . FF15 24614000 call dword ptr ds:[<&MSVBVM50.#595>] ; msvbvm50.rtcMsgBox
It is easy to spot one message box reporting success and one reporting failure, and right beside the success box sits a key jump. (Why is it the key jump? Select the line je 0040345E at 00403370 in OD; OD shows its target clearly: it leaps over the whole "Valid" branch straight to the "Invalid" message box at 0040345E, and the "Valid" branch itself ends in jmp short 004034D8 at 0040345C, which skips the "Invalid" code.) So patching is simple: select it, right-click -> Binary -> Fill with NOPs. With the je replaced by NOPs, every input falls through into the "Valid" branch. Keep in mind that Fill with NOPs only changes the copy in memory; to keep the patch, right-click -> Copy to executable -> All modifications, then save the file from the window that opens.
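The NOP patch above lives only in OD's copy of the process. As an added example that is not part of the original post, the C++ below does the on-disk equivalent of "Copy to executable": it maps the virtual address 00403370 to a file offset through the PE section table, checks that the six bytes on disk are really 0F 84 E8 00 00 00 (the je seen in OD), and only then writes 0x90s, refusing to touch anything else. The section layout of cracking4all.1.exe is not on the page, so make_sample_pe() constructs a minimal single-section PE32 image carrying those bytes at that address; the image base 0x00400000 is assumed from the 0040xxxx addresses in the listing, and all function and constant names are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

using Image = std::vector<uint8_t>;   // raw file bytes

static uint16_t rd16(const Image& f, size_t o) { return f[o] | (f[o + 1] << 8); }
static uint32_t rd32(const Image& f, size_t o) { return rd16(f, o) | (uint32_t(rd16(f, o + 2)) << 16); }
static void wr16(Image& f, size_t o, uint16_t v) { f[o] = v & 0xFF; f[o + 1] = v >> 8; }
static void wr32(Image& f, size_t o, uint32_t v) { wr16(f, o, v & 0xFFFF); wr16(f, o + 2, v >> 16); }

// Map a virtual address to a file offset through the PE32 section table.
// Returns -1 if the address is not backed by raw data in the file.
long va_to_file_offset(const Image& f, uint32_t va) {
    if (f.size() < 0x40 || f[0] != 'M' || f[1] != 'Z') return -1;
    uint32_t pe = rd32(f, 0x3C);                                   // e_lfanew
    if (pe + 24 > f.size() || std::memcmp(&f[pe], "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(f, pe + 6);                               // NumberOfSections
    uint16_t opt_size = rd16(f, pe + 20);                          // SizeOfOptionalHeader
    size_t opt = pe + 24;
    if (opt + 32 > f.size() || rd16(f, opt) != 0x10B) return -1;  // PE32 only; VB5 binaries are 32-bit
    uint32_t image_base = rd32(f, opt + 28);                       // ImageBase (PE32 layout)
    if (va < image_base) return -1;
    uint32_t rva = va - image_base;
    size_t sec = opt + opt_size;                                   // first IMAGE_SECTION_HEADER
    for (uint16_t i = 0; i < nsec; ++i, sec += 40) {
        if (sec + 40 > f.size()) return -1;
        uint32_t vaddr = rd32(f, sec + 12), raw_size = rd32(f, sec + 16), raw_ptr = rd32(f, sec + 20);
        if (rva >= vaddr && rva < vaddr + raw_size) return long(raw_ptr + (rva - vaddr));
    }
    return -1;
}

// Replace the instruction at `va` with NOPs only if the bytes on disk are
// exactly the ones seen in the debugger. Returns the patched file offset,
// or -1 with nothing written on any mismatch.
long nop_out(Image& f, uint32_t va, const std::vector<uint8_t>& expected) {
    long off = va_to_file_offset(f, va);
    if (off < 0 || size_t(off) + expected.size() > f.size()) return -1;
    if (std::memcmp(&f[off], expected.data(), expected.size()) != 0) return -1;
    std::memset(&f[off], 0x90, expected.size());
    return off;
}

// je 0040345E at 00403370, as shown in the OD listing.
const uint32_t kJeVa = 0x00403370;
const std::vector<uint8_t> kJeBytes = {0x0F, 0x84, 0xE8, 0x00, 0x00, 0x00};

// Constructed sample image (the real file's layout is not known here):
// one .text section, VirtualAddress 0x1000, raw data at file offset 0x400,
// ImageBase 0x00400000, with the je bytes placed at their virtual address.
Image make_sample_pe() {
    Image f(0x3400, 0);
    f[0] = 'M'; f[1] = 'Z'; wr32(f, 0x3C, 0x80);                  // e_lfanew -> 0x80
    std::memcpy(&f[0x80], "PE\0\0", 4);
    wr16(f, 0x84, 0x14C);                                         // Machine = i386
    wr16(f, 0x86, 1);                                             // NumberOfSections
    wr16(f, 0x94, 0xE0);                                          // SizeOfOptionalHeader (PE32)
    wr16(f, 0x98, 0x10B);                                         // Magic = PE32
    wr32(f, 0x98 + 28, 0x00400000);                               // ImageBase
    size_t sec = 0x98 + 0xE0;                                     // first section header
    std::memcpy(&f[sec], ".text\0\0\0", 8);
    wr32(f, sec + 8, 0x3000);                                     // VirtualSize
    wr32(f, sec + 12, 0x1000);                                    // VirtualAddress
    wr32(f, sec + 16, 0x3000);                                    // SizeOfRawData
    wr32(f, sec + 20, 0x400);                                     // PointerToRawData
    std::memcpy(&f[kJeVa - 0x00400000 - 0x1000 + 0x400], kJeBytes.data(), kJeBytes.size());
    return f;
}

// Patch the sample and verify. Returns the patched offset (0x2770 here),
// or a negative code if anything went wrong.
long demo_patch() {
    Image f = make_sample_pe();
    long off = nop_out(f, kJeVa, kJeBytes);
    if (off < 0) return -1;
    for (size_t i = 0; i < kJeBytes.size(); ++i)
        if (f[off + i] != 0x90) return -2;
    if (nop_out(f, kJeVa, kJeBytes) != -1) return -3;             // second run must refuse: je bytes are gone
    return off;
}

int main() {
    long off = demo_patch();
    std::printf("je at %#x patched at file offset %#lx\n", kJeVa, off);
    return off < 0;
}
```

To use it on a real file, read the executable into an Image, call nop_out with the address and bytes you verified in OD, and write the vector back out only when it returns a non-negative offset; the byte check is what keeps the tool from silently corrupting a file whose layout differs from the one you debugged.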
4. Exploring a keygen
Scrolling further up, the code turns out not to be very long, so let's try to walk through the flow roughly from the beginning:
[Asm]
004030F0 > \55 push ebp
004030F1 . 8BEC mov ebp,esp
004030F3 . 83EC 0C sub esp,0xC
004030F6 . 68 56104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
004030FB . 64:A1 0000000>mov eax,dword ptr fs:[0]
00403101 . 50 push eax
00403102 . 64:8925 00000>mov dword ptr fs:[0],esp
00403109 . 81EC 04010000 sub esp,0x104
0040310F . 53 push ebx
00403110 . 56 push esi
00403111 . 57 push edi
00403112 . 8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
00403115 . 8BC7 mov eax,edi
00403117 . 83E7 FE and edi,0xFFFFFFFE
0040311A . 8965 F4 mov dword ptr ss:[ebp-0xC],esp
0040311D . 83E0 01 and eax,0x1
00403120 . 8B1F mov ebx,dword ptr ds:[edi]
00403122 . C745 F8 18104>mov dword ptr ss:[ebp-0x8],00401018
00403129 . 57 push edi
0040312A . 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040312D . 897D 08 mov dword ptr ss:[ebp+0x8],edi
00403130 . FF53 04 call dword ptr ds:[ebx+0x4]
00403133 . 33F6 xor esi,esi
00403135 . 57 push edi
00403136 . 8975 D8 mov dword ptr ss:[ebp-0x28],esi
00403139 . 8975 C8 mov dword ptr ss:[ebp-0x38],esi
0040313C . 8975 C0 mov dword ptr ss:[ebp-0x40],esi
0040313F . 8975 BC mov dword ptr ss:[ebp-0x44],esi
00403142 . 8975 B8 mov dword ptr ss:[ebp-0x48],esi
00403145 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi
00403148 . 8975 98 mov dword ptr ss:[ebp-0x68],esi
0040314B . 8975 88 mov dword ptr ss:[ebp-0x78],esi
0040314E . 89B5 78FFFFFF mov dword ptr ss:[ebp-0x88],esi
00403154 . 89B5 68FFFFFF mov dword ptr ss:[ebp-0x98],esi
0040315A . 89B5 58FFFFFF mov dword ptr ss:[ebp-0xA8],esi
00403160 . 89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00403166 . 89B5 38FFFFFF mov dword ptr ss:[ebp-0xC8],esi
0040316C . 89B5 28FFFFFF mov dword ptr ss:[ebp-0xD8],esi
00403172 . FF93 04030000 call dword ptr ds:[ebx+0x304]
00403178 . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
0040317B . 50 push eax
0040317C . 51 push ecx
0040317D . FF15 20614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSet
00403183 . 8BF8 mov edi,eax
00403185 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
00403188 . 50 push eax
00403189 . 57 push edi
0040318A . 8B17 mov edx,dword ptr ds:[edi]
0040318C . FF92 A0000000 call dword ptr ds:[edx+0xA0]
00403192 . 3BC6 cmp eax,esi
00403194 . 7D 12 jge short 004031A8
00403196 . 68 A0000000 push 0xA0
0040319B . 68 B4274000 push 004027B4
004031A0 . 57 push edi
004031A1 . 50 push eax
004031A2 . FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004031A8 > 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
004031AB . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004031AE . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004031B1 . 8975 C0 mov dword ptr ss:[ebp-0x40],esi
004031B4 . 8945 B0 mov dword ptr ss:[ebp-0x50],eax
004031B7 . C745 A8 08000>mov dword ptr ss:[ebp-0x58],0x8
004031BE . FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>; msvbvm50.__vbaVarMove
004031C4 . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
004031C7 . FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObj
004031CD . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004031D0 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004031D3 . 51 push ecx ; /Arg2 = "123123"
004031D4 . 52 push edx ; |Arg1 = "123123"
004031D5 . BE 01000000 mov esi,0x1 ; |
004031DA . FF15 18614000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; \__vbaLenVar
004031E0 . 50 push eax
004031E1 . FF15 74614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>; msvbvm50.__vbaI2Var
004031E7 . 8985 F8FEFFFF mov dword ptr ss:[ebp-0x108],eax ; // eax = 6
004031ED . 8BFE mov edi,esi
004031EF > 66:3BBD F8FEF>cmp di,word ptr ss:[ebp-0x108] ; // loop counter di compared with the length (6 here)
004031F6 . 8B1D 6C614000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrVarVal
004031FC . 0F8F 2D010000 jg 0040332F
00403202 . 66:83FE 04 cmp si,0x4
00403206 . 7E 05 jle short 0040320D
00403208 . BE 01000000 mov esi,0x1
0040320D > 0FBFCF movsx ecx,di
00403210 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
00403213 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00403216 . 50 push eax ; 1
00403217 . 51 push ecx
00403218 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
0040321B . 52 push edx ; "123123"
0040321C . 50 push eax
0040321D . C745 B0 01000>mov dword ptr ss:[ebp-0x50],0x1
00403224 . C745 A8 02000>mov dword ptr ss:[ebp-0x58],0x2
0040322B . FF15 38614000 call dword ptr ds:[<&MSVBVM50.#632>] ; msvbvm50.rtcMidCharVar
00403231 . B8 02000000 mov eax,0x2
00403236 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88] ; "1" "2"...
0040323C . 0FBFD6 movsx edx,si
0040323F . 8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
00403245 . 8945 88 mov dword ptr ss:[ebp-0x78],eax
00403248 . 51 push ecx
00403249 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
0040324C . 52 push edx
0040324D . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00403253 . 50 push eax ; eax = 000007D0 = 2000
00403254 . 51 push ecx
00403255 . C745 80 01000>mov dword ptr ss:[ebp-0x80],0x1
0040325C . C745 90 D0070>mov dword ptr ss:[ebp-0x70],0x7D0
00403263 . FF15 38614000 call dword ptr ds:[<&MSVBVM50.#632>] ; msvbvm50.rtcMidCharVar
00403269 . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
0040326C . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
0040326F . 52 push edx
00403270 . 50 push eax
00403271 . FFD3 call ebx ; msvbvm50.__vbaStrVarVal
00403273 . 50 push eax ; "1"
00403274 . FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#516>] ; msvbvm50.rtcAnsiValueBstr
0040327A . 0FBFD0 movsx edx,ax
0040327D . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00403283 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
00403286 . 51 push ecx ; "2" "0" "0" "0"
00403287 . 50 push eax
00403288 . 8995 E8FEFFFF mov dword ptr ss:[ebp-0x118],edx
0040328E . FFD3 call ebx ; msvbvm50.__vbaStrVarVal
00403290 . 50 push eax ; "2" "0" "0" "0"
00403291 . FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#516>] ; msvbvm50.rtcAnsiValueBstr
00403297 . 8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118] ; // edx = 0x31
0040329D . 0FBFC8 movsx ecx,ax ; // eax = 0x32
004032A0 . 33D1 xor edx,ecx ; // XOR of the two character codes
004032A2 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032A8 . 52 push edx ; /Arg2
004032A9 . 50 push eax ; |Arg1
004032AA . FF15 64614000 call dword ptr ds:[<&MSVBVM50.#608>] ; \rtcVarBstrFromAnsi
004032B0 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
004032B3 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
004032B9 . 51 push ecx
004032BA . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
004032C0 . 52 push edx
004032C1 . 50 push eax ; // "OK"
004032C2 . FF15 70614000 call dword ptr ds:[<&MSVBVM50.__vbaVarCa>; msvbvm50.__vbaVarCat
004032C8 . 8BD0 mov edx,eax
004032CA . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
004032CD . FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>; msvbvm50.__vbaVarMove
004032D3 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
004032D6 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004032D9 . 51 push ecx
004032DA . 52 push edx
004032DB . 6A 02 push 0x2
004032DD . FF15 8C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
004032E3 . 83C4 0C add esp,0xC
004032E6 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032EC . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
004032F2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004032F8 . 50 push eax
004032F9 . 51 push ecx
004032FA . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
004032FD . 52 push edx
004032FE . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00403301 . 50 push eax
00403302 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
00403305 . 51 push ecx
00403306 . 52 push edx
00403307 . 6A 06 push 0x6
00403309 . FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; msvbvm50.__vbaFreeVarList
0040330F . 83C4 1C add esp,0x1C
00403312 . 66:46 inc si
00403314 . B8 01000000 mov eax,0x1
00403319 . 66:03C7 add ax,di
0040331C . 0F80 44020000 jo 00403566
00403322 . 0F80 3E020000 jo 00403566
00403328 . 8BF8 mov edi,eax
0040332A .^ E9 C0FEFFFF jmp 004031EF
0040332F > 8D45 C8 lea eax,dword ptr ss:[ebp-0x38]
00403332 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00403338 . 50 push eax
00403339 . 51 push ecx
0040333A . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027C8 ; UNICODE "qBQSYdXUe_B\V"
00403344 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x8008
0040334E . FF15 44614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; msvbvm50.__vbaVarTstEq
00403354 . 66:85C0 test ax,ax
00403357 . B9 04000280 mov ecx,0x80020004
0040335C . B8 0A000000 mov eax,0xA
00403361 . 894D 80 mov dword ptr ss:[ebp-0x80],ecx
00403364 . 8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
0040336A . 894D 90 mov dword ptr ss:[ebp-0x70],ecx
0040336D . 8945 88 mov dword ptr ss:[ebp-0x78],eax
00403370 0F84 E8000000 je 0040345E ; // key jump
00403376 . 8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; msvbvm50.__vbaVarDup
0040337C . BF 08000000 mov edi,0x8
00403381 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0040338A . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],00402824 ; UNICODE "Valid"
00403394 . 89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A . FFD6 call esi ; <&MSVBVM50.__vbaVarDup>
0040339C . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
004033A5 . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027E8 ; UNICODE "Password correct, hehe, :-)"
004033AF . 89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5 . FFD6 call esi
The whole flow is roughly: take the characters of the text one at a time with Mid$, convert each to its ASCII code, XOR it with another character, and build up a string from the results, which is finally compared with "qBQSYdXUe_B\V"; if they are equal, success!
As for the details... well, I admit that even after tracing it several times I could not work out where the character that gets XORed with the input comes from!
Let's try a VB decompiler:
[Visual Basic]
Private Sub Command1_Click() '4030F0
Dim var_48 As TextBox
loc_00403122: var_8 = &H401018
loc_0040317D: Set var_48 = Me
loc_0040318C: var_40 = Text1.Text
loc_004031B4: var_50 = var_40
loc_004031B7: var_58 = 8
loc_004031BE: var_28 = var_40
loc_004031DA: var_58 = Len(var_28)
loc_004031E7: var_108 = CInt(var_40)
If 00000001h > 0 Then GoTo loc_0040332F
loc_0040321D: var_50 = 1
loc_00403224: var_58 = 2
loc_0040323F: var_88 = 2
loc_00403245: var_78 = 2
loc_00403255: var_80 = 1
loc_0040325C: var_70 = &H7D0
loc_00403271: var_40 = CStr(Mid$(var_28, 1, 1))
loc_00403288: var_118 = Asc(var_40)
loc_0040328E: var_44 = CStr(Mid$(2000, 1, 1))
loc_004032AA: var_A8 = Chr(Asc(var_40) xor ecx)
loc_00403312: si = 00000001h + 1
loc_00403319: 00000001h = 00000001h + 00000001h
loc_0040332A: GoTo loc_004031EF
loc_0040332F:
loc_0040333A: var_C0 = "qBQSYdXUe_B\V"
loc_00403344: var_C8 = &H8008
loc_0040334E: Var_Ret_1 = (var_38 & &H7D0 = "qBQSYdXUe_B\V")
loc_00403361: var_80 = 80020004h
loc_00403364: var_88 = 10
loc_0040336A: var_70 = 80020004h
loc_0040336D: var_78 = 10
If Var_Ret_1 = 0 Then GoTo loc_0040345E
loc_0040338A: var_D0 = "Valid"
loc_00403394: var_D8 = 8
loc_004033A5: var_C0 = "Password correct, hehe, :-)"
loc_004033AF: var_C8 = 8
loc_004033CC: MsgBox "Password correct, hehe, :-)", 0, "Valid"
loc_00403435: Set var_48 = 4210744
loc_0040343D: call password.GetTypeInfo(var_48, var_88, var_48, 004027B4h, var_78, var_88, var_48, 004027B4h)
loc_0040345E:
loc_00403472: var_D0 = "Invalid"
loc_0040347C: var_D8 = 8
loc_0040348D: var_C0 = "Password incorrect, please try again ..."
loc_00403497: var_C8 = 8
loc_004034B4: MsgBox "Password incorrect, please try again ...", 0, "Invalid"
loc_004034D8: var_4 = 0
loc_004034E4: GoTo loc_00403536
loc_00403535: Exit Sub
loc_00403536:
loc_00403544: GoTo loc_00esi
loc_00403546: Exit Sub
End Sub
It does seem to involve 2000, but the flow in the decompiled VB is a mess and hard to follow!
SmartCheck:
Haha, SmartCheck's trace together with the XOR operation found in OD made it click! The text being XORed in is 2000, indexed by the character position modulo 4 to pick the ASCII value. Roughly:
pKey[i] = pName[i] ^ "2000"[i%4];
pKey == "qBQSYdXUe_B\V"
But our goal is to recover the original text, so we just run the calculation backwards. The C++ is as follows:
[C++]
// CrackMeDemo.cpp : console keygen, the inverse of the check routine above.
#include <cstdio>
#include <cstring>
/*
pKey[i] = pName[i] ^ "2000"[i%4];
pKey == "qBQSYdXUe_B\V"
*/
int main()
{
    char pkey[] = "qBQSYdXUe_B\\V"; // the backslash must be escaped in a C string literal
    char pName[15] = {0};           // 13 characters plus terminator
    int nLen = strlen(pkey);
    for (int i = 0; i < nLen; i++)
    {
        // XOR is its own inverse: applying the same mask to the target string gives back the name
        pName[i] = pkey[i] ^ "2000"[i % 4];
    }
    printf("the input is: %s\n", pName);
    return 0;
}
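The keygen only runs the transform backwards; it never checks that the recovered name actually satisfies the program. As an added example (not the author's code and not part of the original post), the C++ below models the check routine exactly as the listing shows it, next to the keygen, so the recovered name can be fed back through the check. It follows the loop at 004031EF..0040332A: di walks the input from position 1 to Len(input), si walks "2000" and is reset to 1 as soon as it exceeds 4 (the cmp si,0x4 / jle / mov esi,0x1 at 00403202), each pair goes through Asc, Xor and Chr, and the concatenated result is compared with "qBQSYdXUe_B\V" by __vbaVarTstEq at 0040334E. The literal 2000 is the Integer 0x7D0 loaded at 0040325C, which VB coerces to the string "2000" for rtcMidCharVar; the names kMask, kTarget and the function names are this example's own.

```cpp
#include <cstdio>
#include <string>

// Constant compared by __vbaVarTstEq at 0040334E (UNICODE "qBQSYdXUe_B\V");
// the backslash must be escaped in a C++ literal.
static const std::string kTarget = "qBQSYdXUe_B\\V";
// Integer 0x7D0 = 2000 from 0040325C, seen by rtcMidCharVar as the string "2000".
static const std::string kMask = "2000";

// Forward transform, mirroring the loop at 004031EF..0040332A:
//   di runs 1..Len(name); si runs 1..4 and is reset to 1 once it exceeds 4;
//   out = out & Chr(Asc(Mid$(name, di, 1)) Xor Asc(Mid$("2000", si, 1)))
std::string vb_transform(const std::string& name) {
    std::string out;
    int si = 1;                                   // mov esi,0x1 at 004031D5
    for (size_t di = 1; di <= name.size(); ++di) {
        if (si > 4) si = 1;                       // cmp si,0x4 / jle / mov esi,0x1 at 00403202
        unsigned char c = static_cast<unsigned char>(name[di - 1]);   // rtcAnsiValueBstr (Asc)
        unsigned char m = static_cast<unsigned char>(kMask[si - 1]);  // Asc of "2000"[si]
        out.push_back(static_cast<char>(c ^ m));  // xor edx,ecx at 004032A0, then rtcVarBstrFromAnsi (Chr)
        ++si;                                     // inc si at 00403312
    }
    return out;                                   // __vbaVarCat accumulates this string
}

// The check the program performs: the transformed input must equal the constant.
// The je at 00403370 is taken (Invalid) exactly when this returns false.
bool vb_check(const std::string& name) {
    return vb_transform(name) == kTarget;
}

// The keygen: XOR with a fixed mask is its own inverse, so applying the same
// transform to the target constant yields the name the CrackMe expects.
std::string recover_name() {
    return vb_transform(kTarget);
}

int main() {
    std::string name = recover_name();
    std::printf("recovered name: %s\n", name.c_str());
    std::printf("check passes:   %s\n", vb_check(name) ? "yes" : "no");
    return vb_check(name) ? 0 : 1;
}
```

Because the transform XORs each position with a fixed byte, it is a bijection on 13-character strings, so the recovered name is the only input the routine accepts; any input of a different length produces a string of a different length and fails the comparison before the bytes even matter.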
BY 笨笨D幸福