003和002是同一款程序,不过作者更新了一次算法。002仅仅是直接拿了账户的第一个字节来做处理,003虽然也是拿账户的第一个字节,但是大量地使用了"字符串转浮点数、浮点数再转字符串"的操作,并且针对转换后的浮点数进行了运算。作者在这一个CM中不允许输入0~9之外的字符,否则会走异常退出。 这个程序就不爆破了,因为爆破点都在同一处。不过作者并未把算法挪到其他地方,还是在爆破点之前,寻找算法的方式和002一样。 [Asm] 004081C9 . 51 push ecx
; --- Stage 1: Long key = Len(account) * 0x15B38 + Asc(account), then CStr(key) ---
004081CA . 53 push ebx
004081CB . 8B03 mov eax,dword ptr ds:[ebx]
004081CD . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; vtable slot +0xA0 on the control in ebx: the author identifies this as reading the account text box (HRESULT returned in eax)
004081D3 . 3BC7 cmp eax,edi
004081D5 . 7D 12 jge XAfKayAs_.004081E9 ; HRESULT >= edi (presumably edi == 0 here) -> success, skip the error path
004081D7 . 68 A0000000 push 0xA0
004081DC . 68 AC6F4000 push AfKayAs_.00406FAC
004081E1 . 53 push ebx
004081E2 . 50 push eax
004081E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj -- raises the VB runtime error for a failed HRESULT
004081E9 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004081F2 . 50 push eax ; /String
004081F3 . 8B1A mov ebx,dword ptr ds:[edx] ; |
004081F5 . FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr: Len() of the BSTR in [ebp-0x1C]
004081FB . 8BF8 mov edi,eax ; edi = Len(account)
004081FD . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00408200 . 69FF 385B0100 imul edi,edi,0x15B38 ; edi = Len(account) * 0x15B38 (32-bit signed multiply)
00408206 . 51 push ecx ; /String -- the BSTR in [ebp-0x18]; the author treats it as the same account text
00408207 . 0F80 B7050000 jo AfKayAs_.004087C4 ; |signed overflow of the imul (product does not fit a Long) -> VB overflow error path at 004087C4
0040820D . FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr: Asc() of the string's first character, returned in ax
00408213 . 0FBFD0 movsx edx,ax ; sign-extend the 16-bit Asc() result
00408216 . 03FA add edi,edx ; edi = Len(account) * 0x15B38 + Asc(account)
00408218 . 0F80 A6050000 jo AfKayAs_.004087C4 ; signed overflow of the add (not of the multiply) -> same error path
0040821E . 57 push edi ; Long argument for __vbaStrI4
0040821F . FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>] ; msvbvm50.__vbaStrI4: CStr(Long) -> new BSTR in eax
00408225 . 8BD0 mov edx,eax
00408227 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20] ; destination string variable; the assignment itself is in the elided lines that follow
........
; --- Stage 2: key = CDbl(CStr(key)) + [0x401008] / [0x40100C], then CStr(key) ---
; (the constants at 0x401008 / 0x40100C are not shown in the listing; 10.0 and 5.0 are the author's reading)
004082BA . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18] ; out-param: the property value lands in [ebp-0x18]
004082BD . 50 push eax
004082BE . 53 push ebx
004082BF . 8B13 mov edx,dword ptr ds:[ebx]
004082C1 . FF92 A0000000 call dword ptr ds:[edx+0xA0] ; vtable slot +0xA0 again: read the stored key back as a string (author's reading)
004082C7 . 85C0 test eax,eax
004082C9 . 7D 12 jge XAfKayAs_.004082DD ; HRESULT >= 0 -> skip the error path
004082CB . 68 A0000000 push 0xA0
004082D0 . 68 AC6F4000 push AfKayAs_.00406FAC
004082D5 . 53 push ebx
004082D6 . 50 push eax
004082D7 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj
004082DD > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004082E3 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004082E6 . 52 push edx
004082E7 . 8B19 mov ebx,dword ptr ds:[ecx]
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; CDbl(key string): result left in st0
004082EF . D905 08104000 fld dword ptr ds:[0x401008] ; push a single-precision constant (author: 10.0); now st0 = const, st1 = key
004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0 ; runtime flag: 0 -> inline fdiv, otherwise the MSVBVM _adj_fdiv_m32 helper (same arithmetic, different path)
004082FC . 75 08 jnz XAfKayAs_.00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; st0 = const / [0x40100C] (author: 10.0 / 5.0 = 2.0)
00408304 . EB 0B jmp XAfKayAs_.00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08 sub esp,0x8 ; reserve the 8-byte Double argument slot for __vbaStrR8
00408314 . DFE0 fstsw ax
00408316 . A8 0D test al,0xD ; x87 status bits 0/2/3 = IE/ZE/OE: any of them set -> FP error handler at 004087BF
00408318 . 0F85 A1040000 jnz AfKayAs_.004087BF
0040831E . DEC1 faddp st(1),st ; st0 = key + quotient (per author key + 2.0); the quotient is popped
00408320 . DFE0 fstsw ax
00408322 . A8 0D test al,0xD ; same FP exception check after the add
00408324 . 0F85 95040000 jnz AfKayAs_.004087BF
0040832A . DD1C24 fstp qword ptr ss:[esp] ; store the Double into the argument slot (pops st0)
0040832D . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ; CStr(Double) -> new BSTR in eax
00408333 . 8BD0 mov edx,eax ; the assignment to a string variable is in the elided lines that follow
......
; --- Stage 3: key = CDbl(CStr(key)) * [0x401010] - [0x401018], then CStr(key) ---
; (the constants at 0x401010 / 0x401018 are not shown; 3.0 and 2.0 are the author's reading)
004083C6 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18] ; out-param for the property read
004083C9 . 50 push eax
004083CA . 53 push ebx
004083CB . 8B13 mov edx,dword ptr ds:[ebx]
004083CD . FF92 A0000000 call dword ptr ds:[edx+0xA0] ; read the stored key back as a string (author's reading)
004083D3 . 85C0 test eax,eax
004083D5 . 7D 12 jge XAfKayAs_.004083E9 ; HRESULT >= 0 -> skip the error path
004083D7 . 68 A0000000 push 0xA0
004083DC . 68 AC6F4000 push AfKayAs_.00406FAC
004083E1 . 53 push ebx
004083E2 . 50 push eax
004083E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj
004083E9 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004083F2 . 52 push edx
004083F3 . 8B19 mov ebx,dword ptr ds:[ecx]
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; CDbl(key string) -> st0
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; st0 = key * [0x401010] (author: 3.0)
00408401 . 83EC 08 sub esp,0x8 ; reserve the Double argument slot for __vbaStrR8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; st0 = st0 - [0x401018] (author: 2.0)
0040840A . DFE0 fstsw ax
0040840C . A8 0D test al,0xD ; IE/ZE/OE set -> FP error handler at 004087BF
0040840E . 0F85 AB030000 jnz AfKayAs_.004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp] ; store the Double into the argument slot; the string conversion is the next call
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ; msvbvm50.__vbaStrR8: CStr(Double) -> new BSTR in eax
0040841D . 8BD0 mov edx,eax
0040841F . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] ; destination string variable; the assignment itself is in the elided lines that follow
.....
; --- Stage 4: key = CDbl(CStr(key)) - [0x401020], then CStr(key) ---
; NOTE(review): the instruction is fsub, so the author's "+15.0" (also used in the C version below)
; holds only if the constant at 0x401020 is -15.0; the constant is not shown in the listing -- confirm it in the data section
004084AE . 8BD8 mov ebx,eax ; object pointer returned by the elided call above
004084B0 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18] ; out-param for the property read
004084B3 . 50 push eax
004084B4 . 53 push ebx
004084B5 . 8B13 mov edx,dword ptr ds:[ebx]
004084B7 . FF92 A0000000 call dword ptr ds:[edx+0xA0] ; read the stored key back as a string (author's reading)
004084BD . 85C0 test eax,eax
004084BF . 7D 12 jge XAfKayAs_.004084D3 ; HRESULT >= 0 -> skip the error path
004084C1 . 68 A0000000 push 0xA0
004084C6 . 68 AC6F4000 push AfKayAs_.00406FAC
004084CB . 53 push ebx
004084CC . 50 push eax
004084CD . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj
004084D3 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004084DC . 52 push edx
004084DD . 8B19 mov ebx,dword ptr ds:[ecx]
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; CDbl(key string) -> st0
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; st0 = key - [0x401020] (author reads the result as key + 15.0; see note above)
004084EB . 83EC 08 sub esp,0x8 ; reserve the Double argument slot for __vbaStrR8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD ; IE/ZE/OE set -> FP error handler at 004087BF
004084F2 . 0F85 C7020000 jnz AfKayAs_.004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp] ; store the Double into the argument slot (pops st0)
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ; msvbvm50.__vbaStrR8: CStr(Double) -> new BSTR in eax
00408501 . 8BD0 mov edx,eax ; the assignment to a string variable is in the elided lines that follow
......
; --- Stage 5: the check -- passes when CDbl(password) / CDbl(key) == [0x401028] (author: 1.0) ---
00408570 . 8BD8 mov ebx,eax ; object pointer returned by the elided call above
00408572 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C] ; out-param: the computed key string lands in [ebp-0x1C]
00408575 . 51 push ecx
00408576 . 53 push ebx
00408577 . 8B03 mov eax,dword ptr ds:[ebx]
00408579 . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; read the final key as a string (author's reading)
0040857F . 85C0 test eax,eax
00408581 . 7D 12 jge XAfKayAs_.00408595 ; HRESULT >= 0 -> skip the error path
00408583 . 68 A0000000 push 0xA0
00408588 . 68 AC6F4000 push AfKayAs_.00406FAC
0040858D . 53 push ebx
0040858E . 50 push eax
0040858F . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj
00408595 > 8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0]
0040859B . 56 push esi
0040859C . FF92 14030000 call dword ptr ds:[edx+0x314] ; vtable slot +0x314 on the object in [ebp-0xC0]: yields the control whose text is read below (the password box, inferred)
004085A2 . 50 push eax
004085A3 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004085A6 . 50 push eax
004085A7 . FFD7 call edi ; edi is a function pointer here (set in the elided lines); the push/lea pattern looks like __vbaObjSet -- confirm
004085A9 . 8BF0 mov esi,eax ; esi = the control reference
004085AB . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18] ; out-param: the password text lands in [ebp-0x18]
004085AE . 52 push edx
004085AF . 56 push esi
004085B0 . 8B0E mov ecx,dword ptr ds:[esi]
004085B2 . FF91 A0000000 call dword ptr ds:[ecx+0xA0] ; read the password the user typed
004085B8 . 85C0 test eax,eax
004085BA . 7D 12 jge XAfKayAs_.004085CE ; HRESULT >= 0 -> skip the error path
004085BC . 68 A0000000 push 0xA0
004085C1 . 68 AC6F4000 push AfKayAs_.00406FAC
004085C6 . 56 push esi
004085C7 . 50 push eax
004085C8 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj
004085CE > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004085D1 . 50 push eax
004085D2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; CDbl(password string) -> st0
004085D8 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
004085DB . DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4] ; spill the password Double to a local (pops st0)
004085E1 . 51 push ecx
004085E2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; CDbl(computed key string) -> st0
004085E8 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0 ; same runtime flag as before: inline fdivr or the _adj_fdivr_m64 helper
004085EF . 75 08 jnz XAfKayAs_.004085F9
004085F1 . DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4] ; reversed divide: st0 = [ebp-0xE4] / st0 = password / key
004085F7 . EB 11 jmp XAfKayAs_.0040860A
004085F9 > FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A > DFE0 fstsw ax
0040860C . A8 0D test al,0xD ; IE/ZE/OE set -> FP error handler at 004087BF
0040860E . 0F85 AB010000 jnz AfKayAs_.004087BF
00408614 . FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>] ; msvbvm50.__vbaFpR8: runtime check of the Double in st0 (its exact behaviour is not shown here)
0040861A . DC1D 28104000 fcomp qword ptr ds:[0x401028] ; compare the quotient with [0x401028] (author: 1.0) and pop
00408620 . DFE0 fstsw ax ; x87 status word -> ax
00408622 . F6C4 40 test ah,0x40 ; C3 (status bit 14 = ah bit 6) is set when st0 == operand, i.e. password / key == 1.0 (C3 is also set for an unordered compare)
00408625 . 74 07 je XAfKayAs_.0040862E
00408627 . BE 01000000 mov esi,0x1 ; C3 set -> esi = 1
0040862C . EB 02 jmp XAfKayAs_.00408630
0040862E > 33F6 xor esi,esi ; C3 clear -> esi = 0
00408630 > 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
00408633 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
00408636 . 52 push edx
00408637 . 50 push eax
00408638 . 6A 02 push 0x2
0040863A . FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>; msvbvm50.__vbaFreeStrList: release the two temporary strings
00408640 . 83C4 0C add esp,0xC
00408643 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00408646 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
00408649 . 51 push ecx
0040864A . 52 push edx
0040864B . 6A 02 push 0x2
0040864D . FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>; msvbvm50.__vbaFreeObjList: release the two control references
00408653 . F7DE neg esi ; 1 -> -1 (VB True); 0 stays 0 (False)
00408655 . 83C4 0C add esp,0xC
00408658 . B9 04000280 mov ecx,0x80020004 ; DISP_E_PARAMNOTFOUND
0040865D . B8 0A000000 mov eax,0xA ; VT_ERROR
00408662 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00408665 . 66:85F6 test si,si ; comparison result: zero means the password did not match
00408668 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040866B . 894D AC mov dword ptr ss:[ebp-0x54],ecx
0040866E . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00408671 . 894D BC mov dword ptr ss:[ebp-0x44],ecx ; three "missing" VARIANTs (VT_ERROR / DISP_E_PARAMNOTFOUND): optional arguments of a call that is not shown, presumably MsgBox
00408674 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
00408677 . 74 62 je XAfKayAs_.004086DB ; branch to the failure message when si == 0; the success path falls through -- this is the author's patch point
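/* 转换成C语言代码为 (the same algorithm in C): */
/*
 * Fun -- re-implementation of the key derivation recovered from the listing
 * above, used only to check the analysis against the target's output.
 *
 * ZhangHu: NUL-terminated account string (the crackme accepts only '0'..'9').
 *
 * The VB code holds stage 1 in a 32-bit signed Long (overflow-trapped) and
 * then round-trips every later stage through String/Double via CStr and CDbl.
 * For the input lengths this program can realistically see, each intermediate
 * is an integer far below 2^53, so those round-trips and the double maths are
 * exact and a single expression reproduces the result.
 */
static double key_for_account(const char *ZhangHu)
{
    /* Stage 1: Len(account) * 0x15B38 + Asc(account).  ZhangHu[0] stays a
       plain char as in the original; its sign for bytes >= 0x80 is platform
       dependent, which does not matter for the digit-only input the target
       accepts. */
    double stage1 = (double)strlen(ZhangHu) * 0x15B38 + ZhangHu[0];
    /* Stage 2: + 10.0 / 5.0; stage 3: * 3.0 - 2.0; stage 4: + 15.0.
       The last stage is an fsub of a constant in the listing, so "+ 15.0"
       assumes that constant is -15.0 (the author's reading). */
    return ((stage1 + 2.0) * 3.0 - 2.0) + 15.0;
}

void Fun(char *ZhangHu)
{
    if (ZhangHu == NULL)
        return;                          /* nothing to derive from */
    /* The original printed an unsigned long with "%d", a format/argument
       mismatch; "%lu" matches the type.  The value is integral, so the
       truncating cast loses nothing. */
    unsigned long data = (unsigned long)key_for_account(ZhangHu);
    printf("%lu \r\n", data);
}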