160个CrackMe之002
为了提高自己对反汇编的熟练程度,打算对这160个CrackMe的爆破点及注册算法都分析一下。
需要练手的朋友可以到这里下载,链接: http://pan.baidu.com/s/1c06fNOW 密码: ht4e
废话不多说,进入正题,第二个CrackMe:
运行程序,找到输入用户名和注册码的地方,输入假码,点击注册,弹窗提示错误。
使用OD载入程序,搜索字符串,很快可以找到关键点。
0040258B . /74 58 JE SHORT Afkayas_.004025E5 ; //此处nop即可达到爆破 0040258D . |68 801B4000 PUSH Afkayas_.00401B80 ; You Get It 00402592 . |68 9C1B4000 PUSH Afkayas_.00401B9C ; \r\n 00402597 . |FFD7 CALL NEAR EDI 00402599 . |8BD0 MOV EDX, EAX 0040259B . |8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 0040259E . |FFD3 CALL NEAR EBX 004025A0 . |50 PUSH EAX 004025A1 . |68 A81B4000 PUSH Afkayas_.00401BA8 ; KeyGen It Now 004025A6 . |FFD7 CALL NEAR EDI 004025A8 . |8D4D 94 LEA ECX, DWORD PTR SS:[EBP-6C] 004025AB . |8945 CC MOV DWORD PTR SS:[EBP-34], EAX 004025AE . |8D55 A4 LEA EDX, DWORD PTR SS:[EBP-5C] 004025B1 . |51 PUSH ECX 004025B2 . |8D45 B4 LEA EAX, DWORD PTR SS:[EBP-4C] 004025B5 . |52 PUSH EDX 004025B6 . |50 PUSH EAX 004025B7 . |8D4D C4 LEA ECX, DWORD PTR SS:[EBP-3C] 004025BA . |6A 00 PUSH 0 004025BC . |51 PUSH ECX 004025BD . |C745 C4 08000>MOV DWORD PTR SS:[EBP-3C], 8 004025C4 . |FF15 10414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#5>; MSVBVM50.rtcMsgBox 004025CA . |8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004025CD . |FF15 80414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeStr 004025D3 . |8D55 94 LEA EDX, DWORD PTR SS:[EBP-6C] 004025D6 . |8D45 A4 LEA EAX, DWORD PTR SS:[EBP-5C] 004025D9 . |52 PUSH EDX 004025DA . |8D4D B4 LEA ECX, DWORD PTR SS:[EBP-4C] 004025DD . |50 PUSH EAX 004025DE . |8D55 C4 LEA EDX, DWORD PTR SS:[EBP-3C] 004025E1 . |51 PUSH ECX 004025E2 . |52 PUSH EDX 004025E3 . |EB 56 JMP SHORT Afkayas_.0040263B 004025E5 > \68 C81B4000 PUSH Afkayas_.00401BC8 ; You Get Wrong
下面看一下程序的注册算法,在断首下断点,重新运行,输入假码,点击注册,断了下来。
00402310 > \55 PUSH EBP 00402311 . 8BEC MOV EBP, ESP 00402313 . 83EC 0C SUB ESP, 0C 00402316 . 68 26104000 PUSH <JMP.&MSVBVM50.__vbaExceptHandler> ; SE 处理程序安装 0040231B . 64:A1 0000000>MOV EAX, DWORD PTR FS:[0] 00402321 . 50 PUSH EAX 00402322 . 64:8925 00000>MOV DWORD PTR FS:[0], ESP 00402329 . 81EC B0000000 SUB ESP, 0B0 0040232F . 53 PUSH EBX 00402330 . 56 PUSH ESI 00402331 . 8B75 08 MOV ESI, DWORD PTR SS:[EBP+8] 00402334 . 57 PUSH EDI 00402335 . 8BC6 MOV EAX, ESI 00402337 . 83E6 FE AND ESI, FFFFFFFE 0040233A . 8965 F4 MOV DWORD PTR SS:[EBP-C], ESP 0040233D . 83E0 01 AND EAX, 1 00402340 . 8B1E MOV EBX, DWORD PTR DS:[ESI] 00402342 . C745 F8 08104>MOV DWORD PTR SS:[EBP-8], Afkayas_.00401008 00402349 . 56 PUSH ESI 0040234A . 8945 FC MOV DWORD PTR SS:[EBP-4], EAX 0040234D . 8975 08 MOV DWORD PTR SS:[EBP+8], ESI 00402350 . FF53 04 CALL NEAR DWORD PTR DS:[EBX+4] 00402353 . 8B83 10030000 MOV EAX, DWORD PTR DS:[EBX+310] 00402359 . 33FF XOR EDI, EDI 0040235B . 56 PUSH ESI 0040235C . 897D E8 MOV DWORD PTR SS:[EBP-18], EDI 0040235F . 897D E4 MOV DWORD PTR SS:[EBP-1C], EDI 00402362 . 897D E0 MOV DWORD PTR SS:[EBP-20], EDI 00402365 . 897D DC MOV DWORD PTR SS:[EBP-24], EDI 00402368 . 897D D8 MOV DWORD PTR SS:[EBP-28], EDI 0040236B . 897D D4 MOV DWORD PTR SS:[EBP-2C], EDI 0040236E . 897D C4 MOV DWORD PTR SS:[EBP-3C], EDI 00402371 . 897D B4 MOV DWORD PTR SS:[EBP-4C], EDI 00402374 . 897D A4 MOV DWORD PTR SS:[EBP-5C], EDI 00402377 . 897D 94 MOV DWORD PTR SS:[EBP-6C], EDI 0040237A . 8985 40FFFFFF MOV DWORD PTR SS:[EBP-C0], EAX 00402380 . FFD0 CALL NEAR EAX 00402382 . 8D4D D4 LEA ECX, DWORD PTR SS:[EBP-2C] 00402385 . 50 PUSH EAX 00402386 . 51 PUSH ECX 00402387 . FF15 0C414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 0040238D . 8B9B 00030000 MOV EBX, DWORD PTR DS:[EBX+300] 00402393 . 56 PUSH ESI 00402394 . 8985 50FFFFFF MOV DWORD PTR SS:[EBP-B0], EAX 0040239A . 899D 3CFFFFFF MOV DWORD PTR SS:[EBP-C4], EBX 004023A0 . FFD3 CALL NEAR EBX 004023A2 . 8D55 DC LEA EDX, DWORD PTR SS:[EBP-24] 004023A5 . 50 PUSH EAX 004023A6 . 52 PUSH EDX 004023A7 . FF15 0C414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 004023AD . 8BD8 MOV EBX, EAX 004023AF . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004023B2 . 51 PUSH ECX 004023B3 . 53 PUSH EBX 004023B4 . 8B03 MOV EAX, DWORD PTR DS:[EBX] 004023B6 . FF90 A0000000 CALL NEAR DWORD PTR DS:[EAX+A0] 004023BC . 3BC7 CMP EAX, EDI 004023BE . 7D 12 JGE SHORT Afkayas_.004023D2 004023C0 . 68 A0000000 PUSH 0A0 004023C5 . 68 5C1B4000 PUSH Afkayas_.00401B5C 004023CA . 53 PUSH EBX 004023CB . 50 PUSH EAX 004023CC . FF15 04414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultChec>; MSVBVM50.__vbaHresultCheckObj 004023D2 > 56 PUSH ESI 004023D3 . FF95 3CFFFFFF CALL NEAR DWORD PTR SS:[EBP-C4] 004023D9 . 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28] 004023DC . 50 PUSH EAX 004023DD . 52 PUSH EDX 004023DE . FF15 0C414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 004023E4 . 8BD8 MOV EBX, EAX 004023E6 . 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 004023E9 . 51 PUSH ECX 004023EA . 53 PUSH EBX 004023EB . 8B03 MOV EAX, DWORD PTR DS:[EBX] 004023ED . FF90 A0000000 CALL NEAR DWORD PTR DS:[EAX+A0] ; //得到用户名 004023F3 . 3BC7 CMP EAX, EDI 004023F5 . 7D 12 JGE SHORT Afkayas_.00402409 004023F7 . 68 A0000000 PUSH 0A0 004023FC . 68 5C1B4000 PUSH Afkayas_.00401B5C 00402401 . 53 PUSH EBX 00402402 . 50 PUSH EAX 00402403 . FF15 04414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultChec>; MSVBVM50.__vbaHresultCheckObj 00402409 > 8B95 50FFFFFF MOV EDX, DWORD PTR SS:[EBP-B0] 0040240F . 8B45 E4 MOV EAX, DWORD PTR SS:[EBP-1C] 00402412 . 50 PUSH EAX ; /String 00402413 . 8B1A MOV EBX, DWORD PTR DS:[EDX] ; |//取用户名长度 00402415 . FF15 E4404000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr 0040241B . 8BF8 MOV EDI, EAX 0040241D . 8B4D E8 MOV ECX, DWORD PTR SS:[EBP-18] 00402420 . 69FF FB7C0100 IMUL EDI, EDI, 17CFB ; //用户名长度(EDI) = EDI * 0x17CFB 00402426 . 51 PUSH ECX ; /String 00402427 . 0F80 91020000 JO Afkayas_.004026BE ; |//将字符转成ASCII码 0040242D . FF15 F8404000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr 00402433 . 0FBFD0 MOVSX EDX, AX ; //转换好的ASCII码带符号扩展到EDX 00402436 . 03FA ADD EDI, EDX ; //乘积的结果 + 扩展的ASCII码 00402438 . 0F80 80020000 JO Afkayas_.004026BE 0040243E . 57 PUSH EDI ; //将一个字符串转为长整型 0040243F . FF15 E0404000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrI4>] ; MSVBVM50.__vbaStrI4 00402445 . 8BD0 MOV EDX, EAX ; //转好的值给EDX 00402447 . 8D4D E0 LEA ECX, DWORD PTR SS:[EBP-20] 0040244A . FF15 70414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 00402450 . 8BBD 50FFFFFF MOV EDI, DWORD PTR SS:[EBP-B0] 00402456 . 50 PUSH EAX 00402457 . 57 PUSH EDI 00402458 . FF93 A4000000 CALL NEAR DWORD PTR DS:[EBX+A4] 0040245E . 85C0 TEST EAX, EAX 00402460 . 7D 12 JGE SHORT Afkayas_.00402474 00402462 . 68 A4000000 PUSH 0A4 00402467 . 68 5C1B4000 PUSH Afkayas_.00401B5C 0040246C . 57 PUSH EDI 0040246D . 50 PUSH EAX 0040246E . FF15 04414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultChec>; MSVBVM50.__vbaHresultCheckObj 00402474 > 8D45 E0 LEA EAX, DWORD PTR SS:[EBP-20] 00402477 . 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 0040247A . 50 PUSH EAX 0040247B . 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 0040247E . 51 PUSH ECX 0040247F . 52 PUSH EDX 00402480 . 6A 03 PUSH 3 00402482 . FF15 5C414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrList>; MSVBVM50.__vbaFreeStrList 00402488 . 83C4 10 ADD ESP, 10 0040248B . 8D45 D4 LEA EAX, DWORD PTR SS:[EBP-2C] 0040248E . 8D4D D8 LEA ECX, DWORD PTR SS:[EBP-28] 00402491 . 8D55 DC LEA EDX, DWORD PTR SS:[EBP-24] 00402494 . 50 PUSH EAX 00402495 . 51 PUSH ECX 00402496 . 52 PUSH EDX 00402497 . 6A 03 PUSH 3 00402499 . FF15 F4404000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjList>; MSVBVM50.__vbaFreeObjList 0040249F . 8B06 MOV EAX, DWORD PTR DS:[ESI] 004024A1 . 83C4 10 ADD ESP, 10 004024A4 . 56 PUSH ESI 004024A5 . FF90 04030000 CALL NEAR DWORD PTR DS:[EAX+304] 004024AB . 8B1D 0C414000 MOV EBX, DWORD PTR DS:[<&MSVBVM50.__vbaObjSet>] ; MSVBVM50.__vbaObjSet 004024B1 . 50 PUSH EAX 004024B2 . 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24] 004024B5 . 50 PUSH EAX 004024B6 . FFD3 CALL NEAR EBX ; <&MSVBVM50.__vbaObjSet> 004024B8 . 8BF8 MOV EDI, EAX 004024BA . 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] 004024BD . 52 PUSH EDX 004024BE . 57 PUSH EDI 004024BF . 8B0F MOV ECX, DWORD PTR DS:[EDI] 004024C1 . FF91 A0000000 CALL NEAR DWORD PTR DS:[ECX+A0] ; //得到假码 004024C7 . 85C0 TEST EAX, EAX 004024C9 . 7D 12 JGE SHORT Afkayas_.004024DD 004024CB . 68 A0000000 PUSH 0A0 004024D0 . 68 5C1B4000 PUSH Afkayas_.00401B5C 004024D5 . 57 PUSH EDI 004024D6 . 50 PUSH EAX 004024D7 . FF15 04414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultChec>; MSVBVM50.__vbaHresultCheckObj 004024DD > 56 PUSH ESI 004024DE . FF95 40FFFFFF CALL NEAR DWORD PTR SS:[EBP-C0] 004024E4 . 50 PUSH EAX 004024E5 . 8D45 D8 LEA EAX, DWORD PTR SS:[EBP-28] 004024E8 . 50 PUSH EAX 004024E9 . FFD3 CALL NEAR EBX 004024EB . 8BF0 MOV ESI, EAX 004024ED . 8D55 E4 LEA EDX, DWORD PTR SS:[EBP-1C] 004024F0 . 52 PUSH EDX 004024F1 . 56 PUSH ESI 004024F2 . 8B0E MOV ECX, DWORD PTR DS:[ESI] 004024F4 . FF91 A0000000 CALL NEAR DWORD PTR DS:[ECX+A0] 004024FA . 85C0 TEST EAX, EAX 004024FC . 7D 12 JGE SHORT Afkayas_.00402510 004024FE . 68 A0000000 PUSH 0A0 00402503 . 68 5C1B4000 PUSH Afkayas_.00401B5C 00402508 . 56 PUSH ESI 00402509 . 50 PUSH EAX 0040250A . FF15 04414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaHresultChec>; MSVBVM50.__vbaHresultCheckObj 00402510 > 8B45 E8 MOV EAX, DWORD PTR SS:[EBP-18] ; //取假码 00402513 . 8B4D E4 MOV ECX, DWORD PTR SS:[EBP-1C] ; //取真码 00402516 . 8B3D 00414000 MOV EDI, DWORD PTR DS:[<&MSVBVM50.__vbaStrCat>] ; MSVBVM50.__vbaStrCat 0040251C . 50 PUSH EAX ; //拼接 0040251D . 68 701B4000 PUSH Afkayas_.00401B70 ; AKA- 00402522 . 51 PUSH ECX ; /String 00402523 . FFD7 CALL NEAR EDI ; \__vbaStrCat 00402525 . 8B1D 70414000 MOV EBX, DWORD PTR DS:[<&MSVBVM50.__vbaStrMove>] ; MSVBVM50.__vbaStrMove 0040252B . 8BD0 MOV EDX, EAX ; //拼接好的字符串给EDX AKA-真码 0040252D . 8D4D E0 LEA ECX, DWORD PTR SS:[EBP-20] 00402530 . FFD3 CALL NEAR EBX ; <&MSVBVM50.__vbaStrMove> 00402532 . 50 PUSH EAX 00402533 . FF15 28414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaStrCmp>] ; MSVBVM50.__vbaStrCmp 00402539 . 8BF0 MOV ESI, EAX ; //字符串比较 返回-1 0040253B . 8D55 E0 LEA EDX, DWORD PTR SS:[EBP-20] 0040253E . F7DE NEG ESI 00402540 . 8D45 E8 LEA EAX, DWORD PTR SS:[EBP-18] 00402543 . 52 PUSH EDX 00402544 . 1BF6 SBB ESI, ESI 00402546 . 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C] 00402549 . 50 PUSH EAX 0040254A . 46 INC ESI 0040254B . 51 PUSH ECX 0040254C . 6A 03 PUSH 3 0040254E . F7DE NEG ESI 00402550 . FF15 5C414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStrList>; MSVBVM50.__vbaFreeStrList 00402556 . 83C4 10 ADD ESP, 10 00402559 . 8D55 D8 LEA EDX, DWORD PTR SS:[EBP-28] 0040255C . 8D45 DC LEA EAX, DWORD PTR SS:[EBP-24] 0040255F . 52 PUSH EDX 00402560 . 50 PUSH EAX 00402561 . 6A 02 PUSH 2 00402563 . FF15 F4404000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeObjList>; MSVBVM50.__vbaFreeObjList 00402569 . 83C4 0C ADD ESP, 0C 0040256C . B9 04000280 MOV ECX, 80020004 00402571 . B8 0A000000 MOV EAX, 0A 00402576 . 894D 9C MOV DWORD PTR SS:[EBP-64], ECX 00402579 . 66:85F6 TEST SI, SI 0040257C . 8945 94 MOV DWORD PTR SS:[EBP-6C], EAX 0040257F . 894D AC MOV DWORD PTR SS:[EBP-54], ECX 00402582 . 8945 A4 MOV DWORD PTR SS:[EBP-5C], EAX 00402585 . 894D BC MOV DWORD PTR SS:[EBP-44], ECX 00402588 . 8945 B4 MOV DWORD PTR SS:[EBP-4C], EAX 0040258B . 74 58 JE SHORT Afkayas_.004025E5 ; //此处nop即可达到爆破 0040258D . 68 801B4000 PUSH Afkayas_.00401B80 ; You Get It 00402592 . 68 9C1B4000 PUSH Afkayas_.00401B9C ; \r\n 00402597 . FFD7 CALL NEAR EDI 00402599 . 8BD0 MOV EDX, EAX 0040259B . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 0040259E . FFD3 CALL NEAR EBX 004025A0 . 50 PUSH EAX 004025A1 . 68 A81B4000 PUSH Afkayas_.00401BA8 ; KeyGen It Now 004025A6 . FFD7 CALL NEAR EDI 004025A8 . 8D4D 94 LEA ECX, DWORD PTR SS:[EBP-6C] 004025AB . 8945 CC MOV DWORD PTR SS:[EBP-34], EAX 004025AE . 8D55 A4 LEA EDX, DWORD PTR SS:[EBP-5C] 004025B1 . 51 PUSH ECX 004025B2 . 8D45 B4 LEA EAX, DWORD PTR SS:[EBP-4C] 004025B5 . 52 PUSH EDX 004025B6 . 50 PUSH EAX 004025B7 . 8D4D C4 LEA ECX, DWORD PTR SS:[EBP-3C] 004025BA . 6A 00 PUSH 0 004025BC . 51 PUSH ECX 004025BD . C745 C4 08000>MOV DWORD PTR SS:[EBP-3C], 8 004025C4 . FF15 10414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox 004025CA . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004025CD . FF15 80414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr 004025D3 . 8D55 94 LEA EDX, DWORD PTR SS:[EBP-6C] 004025D6 . 8D45 A4 LEA EAX, DWORD PTR SS:[EBP-5C] 004025D9 . 52 PUSH EDX 004025DA . 8D4D B4 LEA ECX, DWORD PTR SS:[EBP-4C] 004025DD . 50 PUSH EAX 004025DE . 8D55 C4 LEA EDX, DWORD PTR SS:[EBP-3C] 004025E1 . 51 PUSH ECX 004025E2 . 52 PUSH EDX 004025E3 . EB 56 JMP SHORT Afkayas_.0040263B 004025E5 > 68 C81B4000 PUSH Afkayas_.00401BC8 ; You Get Wrong 004025EA . 68 9C1B4000 PUSH Afkayas_.00401B9C ; \r\n 004025EF . FFD7 CALL NEAR EDI 004025F1 . 8BD0 MOV EDX, EAX 004025F3 . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-18] 004025F6 . FFD3 CALL NEAR EBX 004025F8 . 50 PUSH EAX 004025F9 . 68 E81B4000 PUSH Afkayas_.00401BE8 ; Try Again 004025FE . FFD7 CALL NEAR EDI 00402600 . 8945 CC MOV DWORD PTR SS:[EBP-34], EAX 00402603 . 8D45 94 LEA EAX, DWORD PTR SS:[EBP-6C] 00402606 . 8D4D A4 LEA ECX, DWORD PTR SS:[EBP-5C] 00402609 . 50 PUSH EAX 0040260A . 8D55 B4 LEA EDX, DWORD PTR SS:[EBP-4C] 0040260D . 51 PUSH ECX 0040260E . 52 PUSH EDX 0040260F . 8D45 C4 LEA EAX, DWORD PTR SS:[EBP-3C] 00402612 . 6A 00 PUSH 0 00402614 . 50 PUSH EAX 00402615 . C745 C4 08000>MOV DWORD PTR SS:[EBP-3C], 8 0040261C . FF15 10414000 CALL NEAR DWORD PTR DS:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
可以看到,该程序的算法很简单,取用户名的长度然后乘上0x17CFB,然后取用户名的第一位转成ASCII码 + 之前的乘积,结果转成长整型,最后拼接AKA-长整型结果的形式。
知道了算法,下面可以来写注册机了:
#include <stdio.h> #include <string.h> #include <stdlib.h> int main(int argc, char* argv[]) { char szBuff[32] = {0}; int nNameLength = 0; printf("请输入用户名: "); scanf("%31s", szBuff); nNameLength = strlen(szBuff); nNameLength *= 0x17CFB; nNameLength += szBuff[0]; printf("注册码: AKA-%d\r\n", nNameLength); system("pause"); return 0; }
浙公网安备 33010602011771号