吾爱破解 - 52pojie.cn

[Original] [Disassembly Practice] 160 CrackMes, No. 030

44018723 posted on 2014-7-10 09:39

[Disassembly Practice] 160 CrackMes, No. 030.

The purpose of this series is to attempt, step by step and from the viewpoint of a newcomer with no experience at all (that is, myself), to crack all 160 CrackMes and, where possible, to write something like a keygen by whatever means are available.

Each article is organized according to the following logic (it answers the following questions):

1. What environment and tools are used

2. Program analysis

3. Approach and cracking procedure

4. Exploring a keygen

----------------------------------

A reminder to readers: if you cannot follow the logic in the article, you certainly have not tried it hands-on! OD's jump hints are very powerful; once you trace through, you will understand without reading much of the code!

----------------------------------

1. Tools and environment:

WinXP SP3 + the 52Pojie 6th-anniversary edition of OD (OllyDbg) + PEiD + 汇编金手指 (an assembly quick reference).

The packed archive of the 160 CrackMes.

Download: http://pan.baidu.com/s/1xUWOY password: jbnq

Notes:

1. Windows 7 enables randomized load addresses (ASLR) for modules and programs, which adds a lot of burden to analysis, so analyzing on Win7 is not recommended.

2. All of the tools above are the original programs from the 52PoJie forum; NOD32 does not flag them, and I personally promise never to do anything related to trojans or viruses.

2. Program analysis:

To crack a program you must first understand it. So the initial analysis of the program is very important: it helps us understand the author's purpose and intent, especially the details of how the registration code is handled, which makes reverse tracing and derivation easier.

As in the previous part, open the CHM, select the 30th one, cracking4all.1.exe, and save it. Run it; the program window looks like this:

0.png

Click the OK button above and a message box pops up; good.

Note that after you click OK in the message box, the program exits directly.

PEiD: Microsoft Visual Basic 5.0 / 6.0

Sigh, another frustrating journey!

3. Approach and cracking procedure

1. Open OD, drag the exe into the OD window, wait for the program to pause, then just click Run (F9) and ignore it.

2. Click About->Register and enter an arbitrary fake code: 21312321. Click the OK button; a message box pops up. Do not close it; go back to OD.

3. Press Ctrl+K to view the call stack:
1.png

Select rtcMsgBox, right-click -> Show call.

4. Browse upward through the code:

[Asm]
00403370   . /0F84 E8000000 je 0040345E
00403376   . |8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  msvbvm50.__vbaVarDup
0040337C   . |BF 08000000   mov edi,0x8
00403381   . |8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387   . |8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
0040338A   . |C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],00402824     ;  UNICODE "Valid"
00403394   . |89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A   . |FFD6          call esi                                 ;  <&MSVBVM50.__vbaVarDup>
0040339C   . |8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2   . |8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
004033A5   . |C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027E8     ;  UNICODE "Password correct, hehe, :-)"
004033AF   . |89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5   . |FFD6          call esi
004033B7   . |8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004033BD   . |8D45 88       lea eax,dword ptr ss:[ebp-0x78]
004033C0   . |52            push edx
004033C1   . |8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
004033C4   . |50            push eax
004033C5   . |51            push ecx
004033C6   . |8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
004033C9   . |6A 00         push 0x0
004033CB   . |52            push edx
004033CC   . |FF15 24614000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
004033D2   . |8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004033D8   . |8D4D 88       lea ecx,dword ptr ss:[ebp-0x78]
004033DB   . |50            push eax
004033DC   . |8D55 98       lea edx,dword ptr ss:[ebp-0x68]
004033DF   . |51            push ecx
004033E0   . |8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
004033E3   . |52            push edx
004033E4   . |50            push eax
004033E5   . |6A 04         push 0x4
004033E7   . |FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  msvbvm50.__vbaFreeVarList
004033ED   . |A1 A4434000   mov eax,dword ptr ds:[0x4043A4]
004033F2   . |83C4 14       add esp,0x14
004033F5   . |85C0          test eax,eax
004033F7   . |75 10         jnz short 00403409
004033F9   . |68 A4434000   push 004043A4                            ; /Arg2 = 004043A4
004033FE   . |68 50284000   push 00402850                            ; |Arg1 = 00402850
00403403   . |FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>; \__vbaNew2
00403409   > |A1 38404000   mov eax,dword ptr ds:[0x404038]
0040340E   . |8B35 A4434000 mov esi,dword ptr ds:[0x4043A4]
00403414   . |85C0          test eax,eax
00403416   . |75 10         jnz short 00403428
00403418   . |68 38404000   push 00404038                            ; /Arg2 = 00404038
0040341D   . |68 6C204000   push 0040206C                            ; |Arg1 = 0040206C
00403422   . |FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>; \__vbaNew2
00403428   > |8B0D 38404000 mov ecx,dword ptr ds:[0x404038]
0040342E   . |8B3E          mov edi,dword ptr ds:[esi]
00403430   . |8D55 B8       lea edx,dword ptr ss:[ebp-0x48]
00403433   . |51            push ecx
00403434   . |52            push edx
00403435   . |FF15 2C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  msvbvm50.__vbaObjSetAddref
0040343B   . |50            push eax
0040343C   . |56            push esi
0040343D   . |FF57 10       call dword ptr ds:[edi+0x10]
00403440   . |85C0          test eax,eax
00403442   . |7D 0F         jge short 00403453
00403444   . |6A 10         push 0x10
00403446   . |68 40284000   push 00402840
0040344B   . |56            push esi
0040344C   . |50            push eax
0040344D   . |FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
00403453   > |8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00403456   . |FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  msvbvm50.__vbaFreeObj
0040345C   . |EB 7A         jmp short 004034D8
0040345E   > \8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  msvbvm50.__vbaVarDup
00403464   .  BF 08000000   mov edi,0x8
00403469   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040346F   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
00403472   .  C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],004028BC     ;  UNICODE "Invalid"
0040347C   .  89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
00403482   .  FFD6          call esi                                 ;  <&MSVBVM50.__vbaVarDup>
00403484   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040348A   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
0040348D   .  C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],00402864     ;  UNICODE "Password incorrect, please try again ..."
00403497   .  89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
0040349D   .  FFD6          call esi
0040349F   .  8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004034A5   .  8D4D 88       lea ecx,dword ptr ss:[ebp-0x78]
004034A8   .  50            push eax
004034A9   .  8D55 98       lea edx,dword ptr ss:[ebp-0x68]
004034AC   .  51            push ecx
004034AD   .  52            push edx
004034AE   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
004034B1   .  6A 00         push 0x0
004034B3   .  50            push eax
004034B4   .  FF15 24614000 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox

It is easy to spot one message box reporting success and one reporting failure, and right next to the success box is the key jump. (Why is it the key jump? Select the instruction je 0040345E at address 00403370 in OD, and OD shows its jump flow very clearly.)

So patching is very simple: select it, right-click -> Binary -> Fill with NOPs.

2.png


4. Exploring a keygen

Continuing upward through the code, it turns out not to be very long, so let's try to sketch out the flow from the beginning:

[Asm]
004030F0   > \55            push ebp
004030F1   .  8BEC          mov ebp,esp
004030F3   .  83EC 0C       sub esp,0xC
004030F6   .  68 56104000   push <jmp.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
004030FB   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00403101   .  50            push eax
00403102   .  64:8925 00000>mov dword ptr fs:[0],esp
00403109   .  81EC 04010000 sub esp,0x104
0040310F   .  53            push ebx
00403110   .  56            push esi
00403111   .  57            push edi
00403112   .  8B7D 08       mov edi,dword ptr ss:[ebp+0x8]
00403115   .  8BC7          mov eax,edi
00403117   .  83E7 FE       and edi,0xFFFFFFFE
0040311A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
0040311D   .  83E0 01       and eax,0x1
00403120   .  8B1F          mov ebx,dword ptr ds:[edi]
00403122   .  C745 F8 18104>mov dword ptr ss:[ebp-0x8],00401018
00403129   .  57            push edi
0040312A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
0040312D   .  897D 08       mov dword ptr ss:[ebp+0x8],edi
00403130   .  FF53 04       call dword ptr ds:[ebx+0x4]
00403133   .  33F6          xor esi,esi
00403135   .  57            push edi
00403136   .  8975 D8       mov dword ptr ss:[ebp-0x28],esi
00403139   .  8975 C8       mov dword ptr ss:[ebp-0x38],esi
0040313C   .  8975 C0       mov dword ptr ss:[ebp-0x40],esi
0040313F   .  8975 BC       mov dword ptr ss:[ebp-0x44],esi
00403142   .  8975 B8       mov dword ptr ss:[ebp-0x48],esi
00403145   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi
00403148   .  8975 98       mov dword ptr ss:[ebp-0x68],esi
0040314B   .  8975 88       mov dword ptr ss:[ebp-0x78],esi
0040314E   .  89B5 78FFFFFF mov dword ptr ss:[ebp-0x88],esi
00403154   .  89B5 68FFFFFF mov dword ptr ss:[ebp-0x98],esi
0040315A   .  89B5 58FFFFFF mov dword ptr ss:[ebp-0xA8],esi
00403160   .  89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00403166   .  89B5 38FFFFFF mov dword ptr ss:[ebp-0xC8],esi
0040316C   .  89B5 28FFFFFF mov dword ptr ss:[ebp-0xD8],esi
00403172   .  FF93 04030000 call dword ptr ds:[ebx+0x304]
00403178   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
0040317B   .  50            push eax
0040317C   .  51            push ecx
0040317D   .  FF15 20614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  msvbvm50.__vbaObjSet
00403183   .  8BF8          mov edi,eax
00403185   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
00403188   .  50            push eax
00403189   .  57            push edi
0040318A   .  8B17          mov edx,dword ptr ds:[edi]
0040318C   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]
00403192   .  3BC6          cmp eax,esi
00403194   .  7D 12         jge short 004031A8
00403196   .  68 A0000000   push 0xA0
0040319B   .  68 B4274000   push 004027B4
004031A0   .  57            push edi
004031A1   .  50            push eax
004031A2   .  FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004031A8   >  8B45 C0       mov eax,dword ptr ss:[ebp-0x40]
004031AB   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
004031AE   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004031B1   .  8975 C0       mov dword ptr ss:[ebp-0x40],esi
004031B4   .  8945 B0       mov dword ptr ss:[ebp-0x50],eax
004031B7   .  C745 A8 08000>mov dword ptr ss:[ebp-0x58],0x8
004031BE   .  FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>;  msvbvm50.__vbaVarMove
004031C4   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
004031C7   .  FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  msvbvm50.__vbaFreeObj
004031CD   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004031D0   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
004031D3   .  51            push ecx                                 ; /Arg2 = "123123"
004031D4   .  52            push edx                                 ; |Arg1 = "123123"
004031D5   .  BE 01000000   mov esi,0x1                              ; |
004031DA   .  FF15 18614000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; \__vbaLenVar
004031E0   .  50            push eax
004031E1   .  FF15 74614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>;  msvbvm50.__vbaI2Var
004031E7   .  8985 F8FEFFFF mov dword ptr ss:[ebp-0x108],eax         ;  // eax = 6
004031ED   .  8BFE          mov edi,esi
004031EF   >  66:3BBD F8FEF>cmp di,word ptr ss:[ebp-0x108]           ;  // loop counter compared with 6
004031F6   .  8B1D 6C614000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>;  msvbvm50.__vbaStrVarVal
004031FC   .  0F8F 2D010000 jg 0040332F
00403202   .  66:83FE 04    cmp si,0x4
00403206   .  7E 05         jle short 0040320D
00403208   .  BE 01000000   mov esi,0x1
0040320D   >  0FBFCF        movsx ecx,di
00403210   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
00403213   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
00403216   .  50            push eax                                 ;  1
00403217   .  51            push ecx
00403218   .  8D45 98       lea eax,dword ptr ss:[ebp-0x68]
0040321B   .  52            push edx                                 ;  "123123"
0040321C   .  50            push eax
0040321D   .  C745 B0 01000>mov dword ptr ss:[ebp-0x50],0x1
00403224   .  C745 A8 02000>mov dword ptr ss:[ebp-0x58],0x2
0040322B   .  FF15 38614000 call dword ptr ds:[<&MSVBVM50.#632>]     ;  msvbvm50.rtcMidCharVar
00403231   .  B8 02000000   mov eax,0x2
00403236   .  8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]          ;  "1" "2"...
0040323C   .  0FBFD6        movsx edx,si
0040323F   .  8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
00403245   .  8945 88       mov dword ptr ss:[ebp-0x78],eax
00403248   .  51            push ecx
00403249   .  8D45 88       lea eax,dword ptr ss:[ebp-0x78]
0040324C   .  52            push edx
0040324D   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00403253   .  50            push eax                                 ;  eax = 000007D0 = 2000
00403254   .  51            push ecx
00403255   .  C745 80 01000>mov dword ptr ss:[ebp-0x80],0x1
0040325C   .  C745 90 D0070>mov dword ptr ss:[ebp-0x70],0x7D0
00403263   .  FF15 38614000 call dword ptr ds:[<&MSVBVM50.#632>]     ;  msvbvm50.rtcMidCharVar
00403269   .  8D55 98       lea edx,dword ptr ss:[ebp-0x68]
0040326C   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
0040326F   .  52            push edx
00403270   .  50            push eax
00403271   .  FFD3          call ebx                                 ;  msvbvm50.__vbaStrVarVal
00403273   .  50            push eax                                 ;  "1"
00403274   .  FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#516>]     ;  msvbvm50.rtcAnsiValueBstr
0040327A   .  0FBFD0        movsx edx,ax
0040327D   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00403283   .  8D45 BC       lea eax,dword ptr ss:[ebp-0x44]
00403286   .  51            push ecx                                 ;  "2" "0" "0" "0"
00403287   .  50            push eax
00403288   .  8995 E8FEFFFF mov dword ptr ss:[ebp-0x118],edx
0040328E   .  FFD3          call ebx                                 ;  msvbvm50.__vbaStrVarVal
00403290   .  50            push eax                                 ;  "2" "0" "0" "0"
00403291   .  FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#516>]     ;  msvbvm50.rtcAnsiValueBstr
00403297   .  8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118]         ;  // edx = 0x31
0040329D   .  0FBFC8        movsx ecx,ax                             ;  // eax = 0x32
004032A0   .  33D1          xor edx,ecx                              ;  // XOR operation
004032A2   .  8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032A8   .  52            push edx                                 ; /Arg2
004032A9   .  50            push eax                                 ; |Arg1
004032AA   .  FF15 64614000 call dword ptr ds:[<&MSVBVM50.#608>]     ; \rtcVarBstrFromAnsi
004032B0   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
004032B3   .  8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
004032B9   .  51            push ecx
004032BA   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
004032C0   .  52            push edx
004032C1   .  50            push eax                                 ;  // "OK"
004032C2   .  FF15 70614000 call dword ptr ds:[<&MSVBVM50.__vbaVarCa>;  msvbvm50.__vbaVarCat
004032C8   .  8BD0          mov edx,eax
004032CA   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
004032CD   .  FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>;  msvbvm50.__vbaVarMove
004032D3   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
004032D6   .  8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
004032D9   .  51            push ecx
004032DA   .  52            push edx
004032DB   .  6A 02         push 0x2
004032DD   .  FF15 8C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  msvbvm50.__vbaFreeStrList
004032E3   .  83C4 0C       add esp,0xC
004032E6   .  8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032EC   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
004032F2   .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004032F8   .  50            push eax
004032F9   .  51            push ecx
004032FA   .  8D45 88       lea eax,dword ptr ss:[ebp-0x78]
004032FD   .  52            push edx
004032FE   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
00403301   .  50            push eax
00403302   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
00403305   .  51            push ecx
00403306   .  52            push edx
00403307   .  6A 06         push 0x6
00403309   .  FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  msvbvm50.__vbaFreeVarList
0040330F   .  83C4 1C       add esp,0x1C
00403312   .  66:46         inc si
00403314   .  B8 01000000   mov eax,0x1
00403319   .  66:03C7       add ax,di
0040331C   .  0F80 44020000 jo 00403566
00403322   .  0F80 3E020000 jo 00403566
00403328   .  8BF8          mov edi,eax
0040332A   .^ E9 C0FEFFFF   jmp 004031EF
0040332F   >  8D45 C8       lea eax,dword ptr ss:[ebp-0x38]
00403332   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00403338   .  50            push eax
00403339   .  51            push ecx
0040333A   .  C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027C8     ;  UNICODE "qBQSYdXUe_B\V"
00403344   .  C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x8008
0040334E   .  FF15 44614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>;  msvbvm50.__vbaVarTstEq
00403354   .  66:85C0       test ax,ax
00403357   .  B9 04000280   mov ecx,0x80020004
0040335C   .  B8 0A000000   mov eax,0xA
00403361   .  894D 80       mov dword ptr ss:[ebp-0x80],ecx
00403364   .  8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
0040336A   .  894D 90       mov dword ptr ss:[ebp-0x70],ecx
0040336D   .  8945 88       mov dword ptr ss:[ebp-0x78],eax
00403370      0F84 E8000000 je 0040345E                              ;  // key jump
00403376   .  8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  msvbvm50.__vbaVarDup
0040337C   .  BF 08000000   mov edi,0x8
00403381   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
0040338A   .  C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],00402824     ;  UNICODE "Valid"
00403394   .  89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A   .  FFD6          call esi                                 ;  <&MSVBVM50.__vbaVarDup>
0040339C   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
004033A5   .  C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027E8     ;  UNICODE "Password correct, hehe, :-)"
004033AF   .  89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5   .  FFD6          call esi

The overall flow is roughly: take one character from the middle of the text, convert it to its ANSI value, XOR it with another character, and finally obtain a string which is compared with "qBQSYdXUe_B\V"; if they are equal, success!

As for the details... well, I admit that even after tracing several times I could not figure out where the character that gets XORed with the input sequence comes from!

Let's try a VB decompiler:

[Visual Basic]
Private Sub Command1_Click() '4030F0
  Dim var_48 As TextBox
  loc_00403122: var_8 = &H401018
  loc_0040317D: Set var_48 = Me
  loc_0040318C: var_40 = Text1.Text
  loc_004031B4: var_50 = var_40
  loc_004031B7: var_58 = 8
  loc_004031BE: var_28 = var_40
  loc_004031DA: var_58 = Len(var_28)
  loc_004031E7: var_108 = CInt(var_40)
                If 00000001h > 0 Then GoTo loc_0040332F
  loc_0040321D: var_50 = 1
  loc_00403224: var_58 = 2
  loc_0040323F: var_88 = 2
  loc_00403245: var_78 = 2
  loc_00403255: var_80 = 1
  loc_0040325C: var_70 = &H7D0
  loc_00403271: var_40 = CStr(Mid$(var_28, 1, 1))
  loc_00403288: var_118 = Asc(var_40)
  loc_0040328E: var_44 = CStr(Mid$(2000, 1, 1))
  loc_004032AA: var_A8 = Chr(Asc(var_40) xor ecx)
  loc_00403312: si = 00000001h + 1
  loc_00403319: 00000001h = 00000001h + 00000001h
  loc_0040332A: GoTo loc_004031EF
  loc_0040332F: 
  loc_0040333A: var_C0 = "qBQSYdXUe_B\V"
  loc_00403344: var_C8 = &H8008
  loc_0040334E: Var_Ret_1 = (var_38 & &H7D0 = "qBQSYdXUe_B\V")
  loc_00403361: var_80 = 80020004h
  loc_00403364: var_88 = 10
  loc_0040336A: var_70 = 80020004h
  loc_0040336D: var_78 = 10
                If Var_Ret_1 = 0 Then GoTo loc_0040345E
  loc_0040338A: var_D0 = "Valid"
  loc_00403394: var_D8 = 8
  loc_004033A5: var_C0 = "Password correct, hehe, :-)"
  loc_004033AF: var_C8 = 8
  loc_004033CC: MsgBox "Password correct, hehe, :-)", 0, "Valid"
  loc_00403435: Set var_48 = 4210744
  loc_0040343D: call password.GetTypeInfo(var_48, var_88, var_48, 004027B4h, var_78, var_88, var_48, 004027B4h)
  loc_0040345E: 
  loc_00403472: var_D0 = "Invalid"
  loc_0040347C: var_D8 = 8
  loc_0040348D: var_C0 = "Password incorrect, please try again ..."
  loc_00403497: var_C8 = 8
  loc_004034B4: MsgBox "Password incorrect, please try again ...", 0, "Invalid"
  loc_004034D8: var_4 = 0
  loc_004034E4: GoTo loc_00403536
  loc_00403535: Exit Sub
  loc_00403536: 
  loc_00403544: GoTo loc_00esi
  loc_00403546: Exit Sub
End Sub

It seems to have something to do with 2000, but the flow in the VB code is a mess and hard to follow!

SmartCheck:

4.png

Haha, with SmartCheck's trace plus the XOR operation found in OD, I get it! The text being XORed with is "2000", indexed by the position modulo 4 to obtain the ANSI value.

Roughly like this:

pKey[i] = pName[i] ^ "2000"[i%4];
pKey == "qBQSYdXUe_B\V"

But our goal is to obtain the original text, so we just run the algorithm's computation backwards; the C++ is as follows:


[C++]
// CrackMeDemo.cpp : entry point of the console application.
//

#include <cstdio>
#include <cstring>
/*
pKey[i] = pName[i] ^ "2000"[i%4];
pKey == "qBQSYdXUe_B\V"
*/
int main()
{
    char pkey[] = "qBQSYdXUe_B\\V"; // the backslash would be treated as an escape, so it has to be doubled
    char pName[15] = {0};
    int nLen = (int)strlen(pkey);
    for (int i = 0; i < nLen; i++)
    {
        // XOR is its own inverse, so applying the same pad again recovers the input
        pName[i] = pkey[i] ^ "2000"[i % 4];
    }
    printf("the input is: %s\r\n", pName);
    return 0;
}

3.png
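As an added example (not the original post's code), the following C++ emulates the Command1_Click loop exactly as the listing shows it, with di walking the input from 1 to Len and si walking "2000" from 1 to 4 and wrapping, and then uses that same routine to invert the check. The names CrackmeTransform, CrackmeAccepts, RecoverPassword and kPad are this example's own; the pad "2000" and the target string come from the post.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// XOR pad seen in the SmartCheck trace: Mid$("2000", si, 1) with si
// cycling 1..4 (cmp si,0x4 / jle / mov esi,0x1 in the listing).
static const char kPad[] = "2000";
// Constant the concatenated result is compared with (__vbaVarTstEq at 0040334E).
static const char kTarget[] = "qBQSYdXUe_B\\V";   // backslash escaped for C++

// Forward transform as Command1_Click performs it: di walks the input 1..Len,
// si walks "2000" 1..4 and wraps, each pair is Asc()'d, XORed, Chr()'d back
// and appended (__vbaVarCat).
std::string CrackmeTransform(const std::string& name) {
    std::string out;
    int si = 1;                                   // mov esi,0x1 at 004031D5
    for (std::size_t di = 1; di <= name.size(); ++di) {
        if (si > 4) si = 1;                       // wrap after the 4th pad char
        unsigned char a = static_cast<unsigned char>(name[di - 1]); // rtcMidCharVar + rtcAnsiValueBstr
        unsigned char b = static_cast<unsigned char>(kPad[si - 1]); // Mid$("2000", si, 1)
        out.push_back(static_cast<char>(a ^ b));  // xor edx,ecx -> rtcVarBstrFromAnsi
        ++si;                                     // inc si
    }
    return out;
}

// The check behind the je at 00403370: the built string must equal kTarget,
// which also fixes the accepted input length at 13 characters.
bool CrackmeAccepts(const std::string& name) {
    return CrackmeTransform(name) == kTarget;
}

// XOR with a fixed pad is an involution, so running the same transform over
// the constant yields the only input the check accepts (what the post's keygen does).
std::string RecoverPassword() {
    return CrackmeTransform(kTarget);
}

int main() {
    std::string pw = RecoverPassword();
    std::printf("recovered: %s  accepted: %d  fake 21312321 accepted: %d\n",
                pw.c_str(), CrackmeAccepts(pw) ? 1 : 0,
                CrackmeAccepts("21312321") ? 1 : 0);
    return 0;
}
```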


BY 笨笨D幸福



1061498807 posted on 2014-7-10 09:50
Nice! Here's my support.
zfm11 posted on 2014-7-10 09:57
Nice! Here's my support.
maomaosky posted on 2014-7-10 10:03
Thanks, learned something.
yousss posted on 2014-7-10 17:38
A like first; bookmarked and saved, I'll go through it slowly.
shuguang posted on 2014-7-19 21:00
Okay, I was lazy: I didn't look at the algorithm and just read the real code out at the comparison.