本帖最后由 missviola 于 2009-10-20 16:01 编辑
【破文标题】hackwm 超简单crackme分析
【破文作者】missviola[LCG]
【破解工具】PEID OllyDbg
【原版下载】http://www.52pojie.cn/thread-4182-1-1.html
【破解平台】Windows XP
【破解声明】只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------
【破解过程】首先用PEID查壳,发现为vb编写。用vpexplorer,找到注册按钮的对应事件地址为00402250。F2下好断点,输入QQ号码
327442221,注册码123456,点击注册断下,F8单步进行分析。
;---------------------------------------------------------------------
; OllyDbg listing of the register-button click handler at 00402250
; (32-bit x86, VB6 native-compiled code, Intel syntax as printed by OD).
; Column layout: address  flag  opcode bytes  instruction  [notes].
; Frame, as read from the code below:
;   [ebp+8]  = object pointer passed in by VB ('this'), low bit masked off
;   [ebp-C]  = esp after the register pushes; [ebp-8] = 004010D8
;              (presumably the record consulted by __vbaExceptHandle)
;   [ebp-24] = VARIANT holding the first text box string (the QQ number)
;   [ebp-40], [ebp-50], ... [ebp-190] = 16-byte VARIANT temporaries; the
;              first dword of each is the VT type tag written at 004023E9+
;   edi = 0 for the whole function (zero / "False" register)
; The error path 0040277D and the branch target 004026E0 are not shown.
;---------------------------------------------------------------------
00402250 > \55 push ebp
00402251 . 8BEC mov ebp, esp
00402253 . 83EC 0C sub esp, 0C ; room for [ebp-4], [ebp-8], [ebp-C]
00402256 . 68 F6104000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SEH handler install: push handler ...
0040225B . 64:A1 0000000>mov eax, dword ptr fs:[0] ; ... fetch the previous SEH record ...
00402261 . 50 push eax ; ... push it as the link ...
00402262 . 64:8925 00000>mov dword ptr fs:[0], esp ; ... and make the new record current
00402269 . 81EC A0010000 sub esp, 1A0 ; 0x1A0 bytes of locals (the VARIANTs listed below)
0040226F . 53 push ebx
00402270 . 56 push esi
00402271 . 57 push edi
00402272 . 8965 F4 mov dword ptr [ebp-C], esp ; saved esp, presumably for the exception handler
00402275 . C745 F8 D8104>mov dword ptr [ebp-8], 004010D8
0040227C . 8B75 08 mov esi, dword ptr [ebp+8] ; esi = object pointer argument
0040227F . 8BC6 mov eax, esi
00402281 . 83E0 01 and eax, 1
00402284 . 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = low bit of the pointer (flag)
00402287 . 83E6 FE and esi, FFFFFFFE ; clear that bit to get the real object pointer
0040228A . 56 push esi
0040228B . 8975 08 mov dword ptr [ebp+8], esi
0040228E . 8B0E mov ecx, dword ptr [esi] ; ecx = vtable
00402290 . FF51 04 call dword ptr [ecx+4] ; vtable slot +4 (AddRef in the IUnknown layout)
00402293 . 8B16 mov edx, dword ptr [esi]
00402295 . 33FF xor edi, edi ; edi = 0 from here on
00402297 . 56 push esi ; 'this' for the call at 00402316
00402298 . 897D DC mov dword ptr [ebp-24], edi ; zero every local / VARIANT slot (tag 0 = VT_EMPTY)
0040229B . 897D D4 mov dword ptr [ebp-2C], edi
0040229E . 897D D0 mov dword ptr [ebp-30], edi
004022A1 . 897D C0 mov dword ptr [ebp-40], edi
004022A4 . 897D B0 mov dword ptr [ebp-50], edi
004022A7 . 897D A0 mov dword ptr [ebp-60], edi
004022AA . 897D 90 mov dword ptr [ebp-70], edi
004022AD . 897D 80 mov dword ptr [ebp-80], edi
004022B0 . 89BD 70FFFFFF mov dword ptr [ebp-90], edi
004022B6 . 89BD 60FFFFFF mov dword ptr [ebp-A0], edi
004022BC . 89BD 50FFFFFF mov dword ptr [ebp-B0], edi
004022C2 . 89BD 40FFFFFF mov dword ptr [ebp-C0], edi
004022C8 . 89BD 30FFFFFF mov dword ptr [ebp-D0], edi
004022CE . 89BD 20FFFFFF mov dword ptr [ebp-E0], edi
004022D4 . 89BD 10FFFFFF mov dword ptr [ebp-F0], edi
004022DA . 89BD 00FFFFFF mov dword ptr [ebp-100], edi
004022E0 . 89BD F0FEFFFF mov dword ptr [ebp-110], edi
004022E6 . 89BD E0FEFFFF mov dword ptr [ebp-120], edi
004022EC . 89BD D0FEFFFF mov dword ptr [ebp-130], edi
004022F2 . 89BD C0FEFFFF mov dword ptr [ebp-140], edi
004022F8 . 89BD B0FEFFFF mov dword ptr [ebp-150], edi
004022FE . 89BD A0FEFFFF mov dword ptr [ebp-160], edi
00402304 . 89BD 90FEFFFF mov dword ptr [ebp-170], edi
0040230A . 89BD 80FEFFFF mov dword ptr [ebp-180], edi
00402310 . 89BD 70FEFFFF mov dword ptr [ebp-190], edi
00402316 . FF92 08030000 call dword ptr [edx+308] ; form vtable method: returns the first control in eax
0040231C . 50 push eax
0040231D . 8D45 D0 lea eax, dword ptr [ebp-30]
00402320 . 50 push eax
00402321 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet  -- [ebp-30] = control reference, eax = same
00402327 . 8BD8 mov ebx, eax
00402329 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0040232C . 52 push edx ; out pointer: the property value lands in [ebp-2C]
0040232D . 53 push ebx
0040232E . 8B0B mov ecx, dword ptr [ebx]
00402330 . FF91 A0000000 call dword ptr [ecx+A0] ; control vtable +A0: read a string property (see the VT_BSTR tag at 0040235D)
00402336 . 3BC7 cmp eax, edi ; HRESULT negative?
00402338 . DBE2 fclex
0040233A . 7D 12 jge short 0040234E ; success: fall through to the wrap-up below
0040233C . 68 A0000000 push 0A0
00402341 . 68 9C194000 push 0040199C
00402346 . 53 push ebx
00402347 . 50 push eax
00402348 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj  -- report the failed HRESULT
0040234E > 8B45 D4 mov eax, dword ptr [ebp-2C]
00402351 . 8D55 C0 lea edx, dword ptr [ebp-40]
00402354 . 8D4D DC lea ecx, dword ptr [ebp-24]
00402357 . 897D D4 mov dword ptr [ebp-2C], edi
0040235A . 8945 C8 mov dword ptr [ebp-38], eax ; VARIANT at [ebp-40]: value = the string pointer ...
0040235D . C745 C0 08000>mov dword ptr [ebp-40], 8 ; ... type tag 8 = VT_BSTR
00402364 . FF15 0C104000 call dword ptr [<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove  -- move it (edx) into [ebp-24] (ecx); this is the QQ number, see the trace at 0040253D
0040236A . 8D4D D0 lea ecx, dword ptr [ebp-30]
0040236D . FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj  -- release the first control
00402373 . 8B06 mov eax, dword ptr [esi]
00402375 . 56 push esi
00402376 . FF90 04030000 call dword ptr [eax+304] ; form vtable method: second control
0040237C . 8D4D D0 lea ecx, dword ptr [ebp-30]
0040237F . 50 push eax
00402380 . 51 push ecx
00402381 . FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet  -- [ebp-30] = second control reference
00402387 . 8BF0 mov esi, eax
00402389 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0040238C . 50 push eax
0040238D . 56 push esi
0040238E . 8B16 mov edx, dword ptr [esi]
00402390 . FF92 A0000000 call dword ptr [edx+A0] ; same property read; string left in [ebp-2C]
00402396 . 3BC7 cmp eax, edi
00402398 . DBE2 fclex
0040239A . 7D 12 jge short 004023AE
0040239C . 68 A0000000 push 0A0
004023A1 . 68 9C194000 push 0040199C
004023A6 . 56 push esi
004023A7 . 50 push eax
004023A8 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004023AE > DD05 D0104000 fld qword ptr [4010D0] [4010D0]=14 ; st0 = 14.0
004023B4 . 833D 00304000>cmp dword ptr [403000], 0 ; runtime flag: 0 -> plain fdiv, else the _adj_fdiv_m64 helper (presumably the FDIV-bug workaround)
004023BB . 75 08 jnz short 004023C5
004023BD . DC35 C8104000 fdiv qword ptr [4010C8] [4010C8]=4,两个数相除 ; st0 = 14 / 4 = 3.5
004023C3 . /EB 11 jmp short 004023D6
004023C5 > |FF35 CC104000 push dword ptr [4010CC]
004023CB . |FF35 C8104000 push dword ptr [4010C8]
004023D1 . |E8 3EEDFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004023D6 > \8B45 D4 mov eax, dword ptr [ebp-2C] ; the second string (the entered registration code)
004023D9 . B9 02000000 mov ecx, 2 ; 2 = VT_I2
004023DE . 8985 28FFFFFF mov dword ptr [ebp-D8], eax ; stored as the value of the VARIANT at [ebp-E0]
004023E4 . BA 05000000 mov edx, 5 ; 5 = VT_R8
004023E9 . 898D 00FFFFFF mov dword ptr [ebp-100], ecx ; VT_I2 constants: [ebp-100], [ebp-120], [ebp-140], [ebp-150], [ebp-170]
004023EF . 898D E0FEFFFF mov dword ptr [ebp-120], ecx
004023F5 . 898D C0FEFFFF mov dword ptr [ebp-140], ecx
004023FB . 898D B0FEFFFF mov dword ptr [ebp-150], ecx
00402401 . 898D 90FEFFFF mov dword ptr [ebp-170], ecx
00402407 . 8995 F0FEFFFF mov dword ptr [ebp-110], edx ; VT_R8 constants: [ebp-110], [ebp-130], [ebp-160], [ebp-180]
0040240D . 8995 D0FEFFFF mov dword ptr [ebp-130], edx
00402413 . 8995 A0FEFFFF mov dword ptr [ebp-160], edx
00402419 . 8995 80FEFFFF mov dword ptr [ebp-180], edx
0040241F . 8D8D 20FFFFFF lea ecx, dword ptr [ebp-E0]
00402425 . 8D55 DC lea edx, dword ptr [ebp-24]
00402428 . 8E 03000000 mov esi, 3
0040242D . 51 push ecx ; &[ebp-E0] pushed early: by push order it is consumed by __vbaVarTstEq at 004025D3
0040242E . 52 push edx ; &[ebp-24] (QQ string): operand of the first __vbaVarAdd at 0040253D
0040242F . 8D4D C0 lea ecx, dword ptr [ebp-40] ; ecx = result slot for that first add
00402432 . 89B5 08FFFFFF mov dword ptr [ebp-F8], esi ; [ebp-100] = VT_I2 3
00402438 . BB 04000000 mov ebx, 4
0040243D . 89B5 70FEFFFF mov dword ptr [ebp-190], esi ; [ebp-190] tag 3 = VT_I4
00402443 . 8B35 88104000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarAdd  -- esi = __vbaVarAdd, used via 'call esi' below
00402449 . 897D D4 mov dword ptr [ebp-2C], edi
0040244C . C785 20FFFFFF>mov dword ptr [ebp-E0], 8008 ; 8008 = VT_BYREF|VT_BSTR, points at [ebp-D8] (the entered code)
00402456 . 899D E8FEFFFF mov dword ptr [ebp-118], ebx ; [ebp-120] = VT_I2 4
0040245C . 899D 98FEFFFF mov dword ptr [ebp-168], ebx ; [ebp-170] = VT_I2 4
00402462 . C785 78FEFFFF>mov dword ptr [ebp-188], 3A8D1D87 0x3A8D1D87=982326663 记住这个数后面要用到哦 ; [ebp-190] = VT_I4 0x3A8D1D87, added last at 004025D0
0040246C . DD9D F8FEFFFF fstp qword ptr [ebp-108] ; [ebp-110] = VT_R8 3.5
00402472 . DFE0 fstsw ax
00402474 . A8 0D test al, 0D ; FPU status bits 0/2/3 = IE|ZE|OE
00402476 . 0F85 01030000 jnz 0040277D ; any FP exception -> error path (outside this listing)
0040247C . DD05 C8104000 fld qword ptr [4010C8] [4010C8]=4
00402482 . 833D 00304000>cmp dword ptr [403000], 0
00402489 . 75 08 jnz short 00402493
0040248B . DC35 C0104000 fdiv qword ptr [4010C0] [4010C0]=2 ; 4 / 2 = 2.0
00402491 . EB 11 jmp short 004024A4
00402493 > FF35 C4104000 push dword ptr [4010C4]
00402499 . FF35 C0104000 push dword ptr [4010C0]
0040249F . E8 70ECFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004024A4 > DD9D D8FEFFFF fstp qword ptr [ebp-128] ; [ebp-130] = VT_R8 2.0
004024AA . DFE0 fstsw ax
004024AC . A8 0D test al, 0D
004024AE . 0F85 C9020000 jnz 0040277D
004024B4 . DD05 C8104000 fld qword ptr [4010C8] [4010C8]=4
004024BA . 833D 00304000>cmp dword ptr [403000], 0
004024C1 . 75 08 jnz short 004024CB
004024C3 . DC35 C0104000 fdiv qword ptr [4010C0] [4010C0]=2 ; 4 / 2 = 2.0
004024C9 . /EB 11 jmp short 004024DC
004024CB > |FF35 C4104000 push dword ptr [4010C4]
004024D1 . |FF35 C0104000 push dword ptr [4010C0]
004024D7 . |E8 38ECFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
004024DC > \B8 01000000 mov eax, 1
004024E1 . 8985 C8FEFFFF mov dword ptr [ebp-138], eax ; [ebp-140] = VT_I2 1
004024E7 . 8985 B8FEFFFF mov dword ptr [ebp-148], eax ; [ebp-150] = VT_I2 1
004024ED . DD9D A8FEFFFF fstp qword ptr [ebp-158] ; [ebp-160] = VT_R8 2.0
004024F3 . DFE0 fstsw ax
004024F5 . A8 0D test al, 0D
004024F7 . 0F85 80020000 jnz 0040277D
004024FD . DD05 B8104000 fld qword ptr [4010B8] [4010B8]=28
00402503 . 833D 00304000>cmp dword ptr [403000], 0
0040250A . 75 08 jnz short 00402514
0040250C . DC35 C0104000 fdiv qword ptr [4010C0] [4010C0]=2 ; 28 / 2 = 14.0
00402512 . EB 11 jmp short 00402525
00402514 > \FF35 C4104000 push dword ptr [4010C4]
0040251A . FF35 C0104000 push dword ptr [4010C0]
00402520 . E8 EFEBFFFF call <jmp.&MSVBVM60._adj_fdiv_m64>
00402525 > DD9D 88FEFFFF fstp qword ptr [ebp-178] ; [ebp-180] = VT_R8 14.0
0040252B . DFE0 fstsw ax
0040252D . A8 0D test al, 0D
0040252F . 0F85 48020000 jnz 0040277D
00402535 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
0040253B . 50 push eax ; &[ebp-100] = VT_I2 3
0040253C . 51 push ecx ; &[ebp-40] = result slot (ecx set at 0040242F); next: call esi = __vbaVarAdd -> QQ + 3
0040253D . FFD6 call esi 这个call步过以后OD寄存器窗口中的ST7的数值为327442224.00000000000 是我们的
QQ号码加上3以后的结果。我们接着往下看。
; Running total so far: [ebp-40] = QQ + 3 (eax still points at it).
0040253F . 8B1D 00104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarSub  -- ebx = __vbaVarSub, used via 'call ebx'
00402545 . 50 push eax ; /var18 ; &[ebp-40], the running total returned by __vbaVarAdd
00402546 . 8D95 F0FEFFFF lea edx, dword ptr [ebp-110] ; | ; VT_R8 3.5 (computed at 004023AE)
0040254C . 8D45 B0 lea eax, dword ptr [ebp-50] ; | ; result slot
0040254F . 52 push edx ; |var28
00402550 . 50 push eax ; |SaveTo8
00402551 . FFD3 call ebx ; \__vbaVarSub  -- [ebp-50] = [ebp-40] - 3.5 (this is the call the text below refers to as "00402550")
00402553 . 8D8D E0FEFFFF lea ecx, dword ptr [ebp-120] ; next operand: VT_I2 4
00402550的call步过以后,st7的数值为327442220.50000000000,是之前的结果减去3.5以后的结果。所以每步过一个vbaVarSub或者vbaVarAdd的call以后,我们只需要关心st7里面的值,就能明白加上或者减去的数字了。
; Each call below is (result slot, constant VARIANT, previous result in eax).
; The constants were built at 004023D9-00402525; the st7 values are the
; author's debugger observations for QQ = 327442221.
00402559 . 50 push eax ; previous result (&[ebp-50])
0040255A . 8D55 A0 lea edx, dword ptr [ebp-60]
0040255D . 51 push ecx
0040255E . 52 push edx
0040255F . FFD6 call esi vbaVarAdd st7=327442224.50000000000 ; [ebp-60] = prev + 4 ([ebp-120])
00402561 . 50 push eax
00402562 . 8D85 D0FEFFFF lea eax, dword ptr [ebp-130] ; VT_R8 2.0
00402568 . 8D4D 90 lea ecx, dword ptr [ebp-70]
0040256B . 50 push eax
0040256C . 51 push ecx
0040256D . FFD3 call ebx vbaVarSub st7=327442222.50000000000 ; [ebp-70] = prev - 2.0
0040256F . 8D95 C0FEFFFF lea edx, dword ptr [ebp-140] ; VT_I2 1
00402575 . 50 push eax
00402576 . 52 push edx
00402577 . 8D45 80 lea eax, dword ptr [ebp-80]
0040257A . 50 push eax
0040257B . FFD6 call esi vbaVarAdd st7=327442223.50000000000 ; [ebp-80] = prev + 1
0040257D . 8D8D B0FEFFFF lea ecx, dword ptr [ebp-150] ; VT_I2 1
00402583 . 50 push eax
00402584 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0040258A . 51 push ecx
0040258B . 52 push edx
0040258C . FFD6 call esi vbaVarAdd st7=327442224.50000000000 ; [ebp-90] = prev + 1
0040258E . 50 push eax
0040258F . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160] ; VT_R8 2.0
00402595 . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
0040259B . 50 push eax
0040259C . 51 push ecx
0040259D . FFD3 call ebx vbaVarSub st7=327442222.50000000000 ; [ebp-A0] = prev - 2.0
0040259F . 50 push eax
004025A0 . 8D95 90FEFFFF lea edx, dword ptr [ebp-170] ; VT_I2 4
004025A6 . 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
004025AC . 52 push edx
004025AD . 50 push eax
004025AE . FFD6 call esi vbaVarAdd st7=327442226.50000000000 ; [ebp-B0] = prev + 4
004025B0 . 8D8D 80FEFFFF lea ecx, dword ptr [ebp-180] ; VT_R8 14.0
004025B6 . 50 push eax
004025B7 . 8D95 40FFFFFF lea edx, dword ptr [ebp-C0]
004025BD . 51 push ecx
004025BE . 52 push edx
004025BF . FFD3 call ebx vbaVarSub st7=327442212.50000000000 ; [ebp-C0] = prev - 14.0  (net so far: QQ - 8.5)
004025C1 . 50 push eax
004025C2 . 8D85 70FEFFFF lea eax, dword ptr [ebp-190] ; VT_I4 0x3A8D1D87
004025C8 . 8D8D 30FFFFFF lea ecx, dword ptr [ebp-D0]
004025CE . 50 push eax
004025CF . 51 push ecx
004025D0 . FFD6 call esi MSVBVM60.__vbaVarAdd st7=1309768875.5000000000 ; [ebp-D0] = prev + 0x3A8D1D87 = the value the code is compared against
此时st7中的数值就是真码了。我们跟进004025D0中的call可以发现是加上了0x3A8D1D87,这就是之前我让大家注意的那个数值。我们接着往下看。
; Compare the computed VARIANT ([ebp-D0]) with the entered code
; (&[ebp-E0], VT_BYREF|VT_BSTR, pushed back at 0040242D).
004025D2 . 50 push eax ; |var28 = 0012F438 ; eax = &[ebp-D0]
004025D3 . FF15 48104000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq  -- verify the registration code; eax = comparison result (0 when not equal)
004025D9 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004025DC . 8BF0 mov esi, eax ; keep the result across the cleanup calls
004025DE . FF15 A0104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj  -- release the second control ([ebp-30])
004025E4 . 8D95 30FFFFFF lea edx, dword ptr [ebp-D0]
004025EA . 8D85 20FFFFFF lea eax, dword ptr [ebp-E0]
004025F0 . 8B1D 18104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeVarList
004025F6 . 52 push edx ; free 7 VARIANTs: [ebp-D0], [ebp-E0], [ebp-B0], [ebp-90], [ebp-80], [ebp-60], [ebp-40]
004025F7 . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
004025FD . 50 push eax
004025FE . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00402604 . 51 push ecx
00402605 . 8D45 80 lea eax, dword ptr [ebp-80]
00402608 . 52 push edx
00402609 . 8D4D A0 lea ecx, dword ptr [ebp-60]
0040260C . 50 push eax
0040260D . 8D55 C0 lea edx, dword ptr [ebp-40]
00402610 . 51 push ecx
00402611 . 52 push edx
00402612 . 6A 07 push 7 ; count
00402614 . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList>
00402616 . 83C4 20 add esp, 20 ; cdecl cleanup: 8 dwords (7 pointers + count)
00402619 . 66:3BF7 cmp si, di ; comparison result vs 0 (di = 0)
0040261C 0F84 BE000000 je 004026E0 关键跳,可以直接修改 ; taken when __vbaVarTstEq returned 0 (not equal); 004026E0 is outside this listing
分析到这里,这个crackme的算法我们也很清楚了:就是对QQ号码进行一系列的加减运算。根据最后的结果可以很容易地分析出,注册算法就是QQ号码减去8.5以后再加上0x3A8D1D87(十进制982326663)。
这是本小菜第一次在52pojie上发破文,希望各位大侠多多鼓励下,最后祝大家中秋节快乐~~
------------------------------------------------------------------------
【破解总结】
------------------------------------------------------------------------
【版权声明】本文原创于52pojie技术论坛, 转载请注明作者并保持文章的完整, 谢谢!