KaQqi
Posted on 2016-11-6 09:40
This cm is the third crackme by that German author. Yesterday I analyzed 009; both 009 and 008 are one-star, nothing difficult.
This one is three stars, so let's see what it's made of.
Opening the program, I found that only an ID needs to be entered.
I like that, haha; less to type means it's simpler to trace.
OK, let's start the analysis.
First, patching.
Load it into OD.
Run it and enter a fake code.
Alt+F9 to return to the program's own code.
[Asm]
00402196 . 51 push ecx ; ntdll.76EE68B0
00402197 . FF15 24414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; Msvbvm50.rtcMsgBox
0040219D . 8D95 14FFFFFF lea edx,dword ptr ss:[ebp-0xEC]
004021A3 . 8D4D AC lea ecx,dword ptr ss:[ebp-0x54]
004021A6 . 8985 1CFFFFFF mov dword ptr ss:[ebp-0xE4],eax
004021AC . C785 14FFFFFF>mov dword ptr ss:[ebp-0xEC],0x3
This is where the message box pops up. Trace upward to find the failure message.
[Asm]
0040213E . 8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
00402144 . 8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
0040214A . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.0040>; UNICODE "LEiDER Falsch ! "
00402154 . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
0040215E . FFD3 call ebx ; Msvbvm50.__vbaVarDup; <&MSVBVM50.__vbaVarDup>
00402160 . 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
00402166 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
00402169 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.0040>; UNICODE "Leider Falsch! Nochmal veruschen ! Wenn Du es ni"
00402173 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8
0040217D . FFD3 call ebx ; Msvbvm50.__vbaVarDup
0040217F . 8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-0x9C]
00402185 . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0040218B . 51 push ecx ; ntdll.76EE68B0
Found it. So where I am now is the comparison call.
Let's see whether any jump leads in here.
[Asm]
00402114 . /E9 B5000000 jmp Andréna.004021CE
00402119 > |8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>; Msvbvm50.__vbaVarDup
0040211F . |B9 0A000000 mov ecx,0xA
00402124 . |B8 04000280 mov eax,0x80020004
00402129 . |898D 64FFFFFF mov dword ptr ss:[ebp-0x9C],ecx ; ntdll.76EE68B0
0040212F . |898D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ecx ; ntdll.76EE68B0
00402135 . |8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
0040213B . |8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
0040213E . |8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
00402144 . |8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
0040214A . |C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.0040>; UNICODE "LEiDER Falsch ! "
00402154 . |C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
Here is the typical tail of a VB comparison again; follow the jump.
[Asm]
00402053 . /0F84 C0000000 je Andréna.00402119
00402059 . |FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#rtcBeep_5>; Msvbvm50.rtcBeep
0040205F . |8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>; Msvbvm50.__vbaVarDup
00402065 . |B9 0A000000 mov ecx,0xA
0040206A . |B8 04000280 mov eax,0x80020004
0040206F . |898D 64FFFFFF mov dword ptr ss:[ebp-0x9C],ecx ; ntdll.76EE68B0
00402075 . |898D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ecx ; ntdll.76EE68B0
0040207B . |8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
00402081 . |8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
00402084 . |8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
0040208A . |8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
00402090 . |C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.0040>; UNICODE "RiCHTiG !"
0040209A . |C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
004020A4 . |FFD3 call ebx ; Msvbvm50.__vbaVarDup; <&MSVBVM50.__vbaVarDup>
004020A6 . |8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
004020AC . |8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
OK, the je is the key jump; NOP it and the check passes.
Now on to tracing the code.
Typical for a VB program: set a breakpoint at the start of the segment and trace from there.
[Asm]
00401E66 . 8975 DC mov dword ptr ss:[ebp-0x24],esi
00401E69 . 8975 CC mov dword ptr ss:[ebp-0x34],esi
00401E6C . 8975 BC mov dword ptr ss:[ebp-0x44],esi
00401E6F . 8975 AC mov dword ptr ss:[ebp-0x54],esi
00401E72 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi
00401E75 . 8975 A4 mov dword ptr ss:[ebp-0x5C],esi
00401E78 . 8975 94 mov dword ptr ss:[ebp-0x6C],esi
00401E7B . 8975 84 mov dword ptr ss:[ebp-0x7C],esi
00401E7E . 89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C],esi
00401E84 . 89B5 64FFFFFF mov dword ptr ss:[ebp-0x9C],esi
00401E8A . 89B5 54FFFFFF mov dword ptr ss:[ebp-0xAC],esi
00401E90 . 89B5 44FFFFFF mov dword ptr ss:[ebp-0xBC],esi
00401E96 . 89B5 14FFFFFF mov dword ptr ss:[ebp-0xEC],esi
00401E9C . 89B5 FCFEFFFF mov dword ptr ss:[ebp-0x104],esi
00401EA2 . 89B5 ECFEFFFF mov dword ptr ss:[ebp-0x114],esi
This block is the computation. esi stays 0 throughout.
[Asm]
00401EC2 . FF92 A0000000 call dword ptr ds:[edx+0xA0]
00401EC8 . 3BC6 cmp eax,esi
00401ECA . 7D 12 jge short Andréna.00401EDE
00401ECC . 68 A0000000 push 0xA0
00401ED1 . 68 781A4000 push Andréna.00401A78
00401ED6 . 57 push edi
00401ED7 . 50 push eax
00401ED8 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; Msvbvm50.__vbaHresultCheckObj
00401EDE > 8B45 A8 mov eax,dword ptr ss:[ebp-0x58]
Although eax is 0, this part is of no use,
because the code below gets executed either way.
[Asm]
00401EDE > \8B45 A8 mov eax,dword ptr ss:[ebp-0x58]
00401EE1 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi
OK, the fake code shows up here; set a breakpoint to mark it.
[Asm]
00401F68 > /85C0 test eax,eax
00401F6A . |0F84 BB000000 je Andréna.0040202B
00401F70 . |8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00401F73 . |8D45 DC lea eax,dword ptr ss:[ebp-0x24]
00401F76 . |52 push edx
00401F77 . |50 push eax
00401F78 . |C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1
00401F7F . |C745 94 02000>mov dword ptr ss:[ebp-0x6C],0x2
00401F86 . |FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>; Msvbvm50.__vbaI4Var
00401F8C . |8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; |
00401F8F . |50 push eax ; |Start = 0x1
00401F90 . |8D55 84 lea edx,dword ptr ss:[ebp-0x7C] ; |
00401F93 . |51 push ecx ; |dString8 = 00000003
00401F94 . |52 push edx ; |RetBUFFER = 00000009
00401F95 . |FF15 34414000 call dword ptr ds:[<&MSVBVM50.#rtcMidCha>; \rtcMidCharVar
00401F9B . |8D45 84 lea eax,dword ptr ss:[ebp-0x7C]
00401F9E . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401FA1 . |50 push eax ; /String8 = 00000001
00401FA2 . |51 push ecx ; |ARG2 = 00000003
00401FA3 . |FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVa>; \__vbaStrVarVal
00401FA9 . |50 push eax ; /String = 00000001 ???
00401FAA . |FF15 08414000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiVa>; \rtcAnsiValueBstr
00401FB0 . |66:05 0A00 add ax,0xA
00401FB4 . |0F80 B0020000 jo Andréna.0040226A
00401FBA . |0FBFD0 movsx edx,ax
00401FBD . |52 push edx
00401FBE . |FF15 70414000 call dword ptr ds:[<&MSVBVM50.#rtcBstrFr>; Msvbvm50.rtcBstrFromAnsi
00401FC4 . |8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
00401FCA . |8D45 CC lea eax,dword ptr ss:[ebp-0x34]
00401FCD . |8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00401FD3 . |50 push eax
00401FD4 . |8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C]
00401FDA . |51 push ecx
00401FDB . |52 push edx
00401FDC . |C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
00401FE6 . |FFD3 call ebx ; Msvbvm50.__vbaVarCat
00401FE8 . |8BD0 mov edx,eax
00401FEA . |8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00401FED . |FFD6 call esi ; Msvbvm50.__vbaVarMove
00401FEF . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401FF2 . |FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; Msvbvm50.__vbaFreeStr
00401FF8 . |8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
00401FFE . |8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
00402001 . |50 push eax
00402002 . |8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00402005 . |51 push ecx
00402006 . |52 push edx
00402007 . |6A 03 push 0x3
00402009 . |FFD7 call edi ; Msvbvm50.__vbaFreeVarList
0040200B . |83C4 10 add esp,0x10
0040200E . |8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
00402014 . |8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
0040201A . |8D55 DC lea edx,dword ptr ss:[ebp-0x24]
0040201D . |50 push eax ; /TMPend8 = 00000001
0040201E . |51 push ecx ; |TMPstep8 = 00000003
0040201F . |52 push edx ; |Counter8 = 00000009
00402020 . |FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForNext
00402026 .^\E9 3DFFFFFF jmp Andréna.00401F68
This is a loop. My guess is that this is the algorithm part.
Set a breakpoint to mark it.
[Asm]
00401F6A . /0F84 BB000000 je Andréna.0040202B
After seven iterations it exits the loop.
[Asm]
00402034 . 50 push eax ; /var18 = NULL
00402035 . 51 push ecx ; |var28 = 001930D0
00402036 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.0040>; |UNICODE "kXy^rO|*yXo*m\kMuOn*+"
00402040 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8008 ; |
0040204A . FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq
00402050 . 66:85C0 test ax,ax
Got here. Step into it.
OK, traced to the real code.
00401A8C=Andréna.00401A8C (UNICODE "kXy^rO|*yXo*m\kMuOn*+")
Stack ss:[0012F3CC]=00401A8C (Andréna.00401A8C), UNICODE "kXy^rO|*yXo*m\kMuOn*+"
OK, this one really was a lot harder than the last.
The algorithm analysis can wait until I throw it into a decompiler.
This time the registration code was mainly worked out by following the pointers.
Thanks for reading.
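As an added example that is not part of KaQqi's post: the loop body traced above is, read call by call, rtcMidCharVar (Mid(ID, i, 1)), rtcAnsiValueBstr (Asc), add ax,0xA with a jo overflow check (+ 10 as a VB Integer), rtcBstrFromAnsi (Chr) and __vbaVarCat (string concatenation), and the result is compared with __vbaVarTstEq against the constant "kXy^rO|*yXo*m\kMuOn*+" at 0040204A. The Python below re-implements that transform and inverts it to recover an ID that the comparison accepts. It assumes the __vbaVarForNext loop runs from 1 to Len(ID) (consistent with a seven-character fake code giving seven iterations, but not stated explicitly in the post); the sample fake ID in the script is constructed, not the one the author typed.

```python
# Added example, not code from the original post or from the crackme's author.
# Re-implements the check seen in the OllyDbg listing and inverts it.
#
# Listing -> VB:
#   rtcMidCharVar     Mid(ID, i, 1)          i-th character
#   rtcAnsiValueBstr  Asc(...)               its character code
#   add ax, 0xA / jo  + 10, 16-bit, overflow-checked
#   rtcBstrFromAnsi   Chr(...)               back to a character
#   __vbaVarCat       result = result & ...
#   __vbaVarTstEq     result = "kXy^rO|*yXo*m\kMuOn*+"
#
# Assumption: the __vbaVarForNext loop covers 1..Len(ID), so the output has
# exactly as many characters as the input.

TARGET = "kXy^rO|*yXo*m\\kMuOn*+"  # constant taken from the post (backslash escaped)
SHIFT = 10


def encode(user_id: str) -> str:
    """Forward transform as the crackme performs it: Chr(Asc(c) + 10) per char."""
    out = []
    for ch in user_id:
        code = ord(ch) + SHIFT
        # movsx edx, ax feeds a signed 16-bit value to rtcBstrFromAnsi; the jo
        # after the add is VB's Integer overflow trap, mirrored here.
        if code > 0x7FFF:
            raise OverflowError("Asc(c) + 10 does not fit a VB Integer")
        out.append(chr(code))
    return "".join(out)


def check(user_id: str) -> bool:
    """The comparison at 0040204A: the encoded input must equal TARGET."""
    return encode(user_id) == TARGET


def decode(target: str = TARGET) -> str:
    """Invert the transform: the ID that encodes to `target`."""
    return "".join(chr(ord(ch) - SHIFT) for ch in target)


if __name__ == "__main__":
    serial = decode()
    print(f"ID accepted by the check: {serial!r}")
    print("check(serial)    =", check(serial))
    # Constructed seven-character fake ID: its encoding is seven characters
    # long and can never equal the 21-character constant.
    print("check('1234567') =", check("1234567"))
```

Because the transform is one character per input character, any ID shorter or longer than the 21-character constant fails before a single character is even compared; the inverse has to be computed from the full constant rather than guessed from the loop count observed with a short fake code.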