2021-07-20CrackMe00



环境

工具:看雪OD
系统:WinXp

简要分析


随便输入,提示报错You Get Wrong Try Again

没有其他类型的报错,我们可以从messagebox入手

分析步骤

用OD打开程序,并运行,输入账号密码后提示报错,此时不点击确定,而是暂停程序,并打开堆栈视图

在堆栈视图中查找MessageBox

在堆栈视图中没有找到 MessageBox,但有几个看起来相似的,比如 SoftModalMessageBox 和 rtcMsgBox。
对它们分别用「显示调用」跳到调用处看了一下,rtcMsgBox 就是我们要找的(从名字和导入表看,它应该是 VB 运行库 msvbvm50 里 MsgBox 的实现)。

关键跳转就是下面 00402579 处的 `test si, si` 和 0040258B 处的 `je short 004025E5`:si 是 __vbaStrCmp 的返回值经 neg/sbb/inc/neg 变换后的结果(相等为 -1,不等为 0),不等时跳走,相等时落到 "You Get It"。把这个 je nop 掉就能让任意输入通过校验,但是出于学习的目的这里将尝试还原算法。

找到函数开始的位置下断点,输入账号密码等待,然后一步步跟踪

asm
00402402   .  50            push    eax
00402403   .  FF15 04414000 call    dword ptr [<&MSVBVM50.__vbaHresultCheckObj>;  msvbvm50.__vbaHresultCheckObj
00402409   >  8B95 50FFFFFF mov     edx, dword ptr [ebp-B0]
0040240F   .  8B45 E4       mov     eax, dword ptr [ebp-1C]
00402412   .  50            push    eax                                        ; /String
00402413   .  8B1A          mov     ebx, dword ptr [edx]                       ; |
00402415   .  FF15 E4404000 call    dword ptr [<&MSVBVM50.__vbaLenBstr>]       ; \获取用户名长度
0040241B   .  8BF8          mov     edi, eax                                   ;  长度保存edi
0040241D   .  8B4D E8       mov     ecx, dword ptr [ebp-18]                    ;  用户名地址
00402420   .  69FF FB7C0100 imul    edi, edi, 17CFB                            ;  edi*0x17cfb
00402426   .  51            push    ecx                                        ; /String
00402427   .  0F80 91020000 jo      004026BE                                   ; |
0040242D   .  FF15 F8404000 call    dword ptr [<&MSVBVM50.# 516>]               ; \获取用户名第一个字符的ascii码
00402433   .  0FBFD0        movsx   edx, ax                                    ;  赋给edx
00402436   .  03FA          add     edi, edx                                   ; edi + 用户名第一个字符的ascii码
00402438   .  0F80 80020000 jo      004026BE
0040243E   .  57            push    edi
0040243F   .  FF15 E0404000 call    dword ptr [<&MSVBVM50.__vbaStrI4>]         ;  msvbvm50.__vbaStrI4
00402445   .  8BD0          mov     edx, eax                                   ;  eax = 585235
00402447   .  8D4D E0       lea     ecx, dword ptr [ebp-20]
0040244A   .  FF15 70414000 call    dword ptr [<&MSVBVM50.__vbaStrMove>]       ;  msvbvm50.__vbaStrMove
00402450   .  8BBD 50FFFFFF mov     edi, dword ptr [ebp-B0]
00402456   .  50            push    eax
00402457   .  57            push    edi
00402458   .  FF93 A4000000 call    dword ptr [ebx+A4]
0040245E   .  85C0          test    eax, eax
00402460   .  7D 12         jge     short 00402474
00402462   .  68 A4000000   push    0A4
00402467   .  68 5C1B4000   push    00401B5C
0040246C   .  57            push    edi
0040246D   .  50            push    eax
0040246E   .  FF15 04414000 call    dword ptr [<&MSVBVM50.__vbaHresultCheckObj>;  msvbvm50.__vbaHresultCheckObj
00402474   >  8D45 E0       lea     eax, dword ptr [ebp-20]
00402477   .  8D4D E4       lea     ecx, dword ptr [ebp-1C]
0040247A   .  50            push    eax
0040247B   .  8D55 E8       lea     edx, dword ptr [ebp-18]
0040247E   .  51            push    ecx
0040247F   .  52            push    edx
00402480   .  6A 03         push    3
00402482   .  FF15 5C414000 call    dword ptr [<&MSVBVM50.__vbaFreeStrList>]   ;  msvbvm50.__vbaFreeStrList
00402488   .  83C4 10       add     esp, 10
0040248B   .  8D45 D4       lea     eax, dword ptr [ebp-2C]
0040248E   .  8D4D D8       lea     ecx, dword ptr [ebp-28]
00402491   .  8D55 DC       lea     edx, dword ptr [ebp-24]
00402494   .  50            push    eax
00402495   .  51            push    ecx
00402496   .  52            push    edx
00402497   .  6A 03         push    3
00402499   .  FF15 F4404000 call    dword ptr [<&MSVBVM50.__vbaFreeObjList>]   ;  msvbvm50.__vbaFreeObjList
0040249F   .  8B06          mov     eax, dword ptr [esi]
004024A1   .  83C4 10       add     esp, 10
004024A4   .  56            push    esi
004024A5   .  FF90 04030000 call    dword ptr [eax+304]
004024AB   .  8B1D 0C414000 mov     ebx, dword ptr [<&MSVBVM50.__vbaObjSet>]   ;  msvbvm50.__vbaObjSet
004024B1   .  50            push    eax
004024B2   .  8D45 DC       lea     eax, dword ptr [ebp-24]
004024B5   .  50            push    eax
004024B6   .  FFD3          call    ebx                                        ;  <&MSVBVM50.__vbaObjSet>
004024B8   .  8BF8          mov     edi, eax
004024BA   .  8D55 E8       lea     edx, dword ptr [ebp-18]
004024BD   .  52            push    edx
004024BE   .  57            push    edi
004024BF   .  8B0F          mov     ecx, dword ptr [edi]
004024C1   .  FF91 A0000000 call    dword ptr [ecx+A0]
004024C7   .  85C0          test    eax, eax
004024C9   .  7D 12         jge     short 004024DD
004024CB   .  68 A0000000   push    0A0
004024D0   .  68 5C1B4000   push    00401B5C
004024D5   .  57            push    edi
004024D6   .  50            push    eax
004024D7   .  FF15 04414000 call    dword ptr [<&MSVBVM50.__vbaHresultCheckObj>;  msvbvm50.__vbaHresultCheckObj
004024DD   >  56            push    esi
004024DE   .  FF95 40FFFFFF call    dword ptr [ebp-C0]
004024E4   .  50            push    eax
004024E5   .  8D45 D8       lea     eax, dword ptr [ebp-28]
004024E8   .  50            push    eax
004024E9   .  FFD3          call    ebx
004024EB   .  8BF0          mov     esi, eax
004024ED   .  8D55 E4       lea     edx, dword ptr [ebp-1C]
004024F0   .  52            push    edx
004024F1   .  56            push    esi
004024F2   .  8B0E          mov     ecx, dword ptr [esi]
004024F4   .  FF91 A0000000 call    dword ptr [ecx+A0]
004024FA   .  85C0          test    eax, eax
004024FC   .  7D 12         jge     short 00402510
004024FE   .  68 A0000000   push    0A0
00402503   .  68 5C1B4000   push    00401B5C
00402508   .  56            push    esi
00402509   .  50            push    eax
0040250A   .  FF15 04414000 call    dword ptr [<&MSVBVM50.__vbaHresultCheckObj>;  msvbvm50.__vbaHresultCheckObj
00402510   >  8B45 E8       mov     eax, dword ptr [ebp-18]                    ;  密码给eax
00402513   .  8B4D E4       mov     ecx, dword ptr [ebp-1C]                    ;  ecx=585235
00402516   .  8B3D 00414000 mov     edi, dword ptr [<&MSVBVM50.__vbaStrCat>]   ;  msvbvm50.__vbaStrCat
0040251C   .  50            push    eax
0040251D   .  68 701B4000   push    00401B70                                   ;  UNICODE "AKA-"
00402522   .  51            push    ecx                                        ; /String
00402523   .  FFD7          call    edi                                        ; \__vbaStrCat
00402525   .  8B1D 70414000 mov     ebx, dword ptr [<&MSVBVM50.__vbaStrMove>]  ;  msvbvm50.__vbaStrMove
0040252B   .  8BD0          mov     edx, eax                                   ;  eax=AKA-585235
0040252D   .  8D4D E0       lea     ecx, dword ptr [ebp-20]
00402530   .  FFD3          call    ebx                                        ;  <&MSVBVM50.__vbaStrMove>
00402532   .  50            push    eax
00402533   .  FF15 28414000 call    dword ptr [<&MSVBVM50.__vbaStrCmp>]        ;  msvbvm50.__vbaStrCmp
00402539   .  8BF0          mov     esi, eax
0040253B   .  8D55 E0       lea     edx, dword ptr [ebp-20]
0040253E   .  F7DE          neg     esi
00402540   .  8D45 E8       lea     eax, dword ptr [ebp-18]
00402543   .  52            push    edx
00402544   .  1BF6          sbb     esi, esi
00402546   .  8D4D E4       lea     ecx, dword ptr [ebp-1C]
00402549   .  50            push    eax
0040254A   .  46            inc     esi
0040254B   .  51            push    ecx
0040254C   .  6A 03         push    3
0040254E   .  F7DE          neg     esi
00402550   .  FF15 5C414000 call    dword ptr [<&MSVBVM50.__vbaFreeStrList>]   ;  msvbvm50.__vbaFreeStrList
00402556   .  83C4 10       add     esp, 10
00402559   .  8D55 D8       lea     edx, dword ptr [ebp-28]
0040255C   .  8D45 DC       lea     eax, dword ptr [ebp-24]
0040255F   .  52            push    edx
00402560   .  50            push    eax
00402561   .  6A 02         push    2
00402563   .  FF15 F4404000 call    dword ptr [<&MSVBVM50.__vbaFreeObjList>]   ;  msvbvm50.__vbaFreeObjList
00402569   .  83C4 0C       add     esp, 0C
0040256C   .  B9 04000280   mov     ecx, 80020004
00402571   .  B8 0A000000   mov     eax, 0A
00402576   .  894D 9C       mov     dword ptr [ebp-64], ecx
00402579   .  66:85F6       test    si, si
0040257C   .  8945 94       mov     dword ptr [ebp-6C], eax
0040257F   .  894D AC       mov     dword ptr [ebp-54], ecx
00402582   .  8945 A4       mov     dword ptr [ebp-5C], eax
00402585   .  894D BC       mov     dword ptr [ebp-44], ecx
00402588   .  8945 B4       mov     dword ptr [ebp-4C], eax
0040258B   .  74 58         je      short 004025E5
0040258D   .  68 801B4000   push    00401B80                                   ;  UNICODE "You Get It"
00402592   .  68 9C1B4000   push    00401B9C                                   ;  UNICODE CR,LF
00402597   .  FFD7          call    edi

大致流程:输入账号密码之后,首先用 __vbaLenBstr 获取用户名长度(按 UTF-16 字符数计,不是字节数),然后长度乘以 0x17CFB,再加上用户名第一个字符的字符码(rtc #516 的返回值经 `movsx edx, ax` 按 16 位符号扩展),把结果用 __vbaStrI4 转成十进制字符串,前面拼上 "AKA-" 就是序列号了,最后用 __vbaStrCmp 和输入的密码做精确比较。注意乘法和加法后面各跟着一个 `jo`:结果超出 32 位有符号范围时 VB 会抛出溢出错误,所以过长的用户名并不存在合法序列号;写注册机时也要按 32 位有符号数来算,而不能让它回绕。

注册机

cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
using namespace std;

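int main()
{
    // Keygen for CrackMe00. The serial recovered from the disassembly above is
    //
    //     "AKA-" + decimal( Len(name) * 0x17CFB + code(name[0]) )
    //
    // computed by the target on a 32-bit signed VB Long: `imul edi, edi, 17CFB`
    // then `add edi, edx`, each followed by a `jo` that raises a VB overflow
    // error instead of wrapping. Len() counts UTF-16 characters and the first
    // character's code comes back as a sign-extended 16-bit value, so this
    // keygen only claims to reproduce the target for 7-bit ASCII names and
    // refuses anything else rather than print a serial that may be wrong.
    constexpr std::int64_t kMultiplier = 0x17CFB;
    constexpr std::int64_t kLongMax = 0x7FFFFFFF;  // VB Long: signed 32-bit

    std::cout << "enter one user name" << '\n';

    // Read the whole line: the target hashes the full textbox contents, so a
    // name containing spaces must not be cut at the first blank (the original
    // `cin >> szName` did that, and could also overflow its 256-byte buffer).
    std::string name;
    if (!std::getline(std::cin, name)) {
        name.clear();
    }
    if (!name.empty() && name.back() == '\r') {
        name.pop_back();  // tolerate CRLF input when stdin is redirected
    }

    int status = 0;
    if (name.empty()) {
        std::cout << "error";
        status = 1;
    } else if (std::any_of(name.begin(), name.end(),
                           [](unsigned char c) { return c > 0x7F; })) {
        std::cout << "error: only 7-bit ASCII names are supported by this keygen";
        status = 1;
    } else {
        // name[0] is 0..127 here, so signed/unsigned char makes no difference.
        const std::int64_t serial =
            static_cast<std::int64_t>(name.size()) * kMultiplier
            + static_cast<std::int64_t>(name[0]);
        if (serial > kLongMax) {
            // The target would take the `jo` and raise "Overflow": no valid
            // serial exists for a name this long.
            std::cout << "error: name too long, the target raises an overflow error";
            status = 1;
        } else {
            std::cout << "AKA-" << serial << "\r\n";
        }
    }

#ifdef _WIN32
    std::system("pause");  // keep the console open when launched by double-click
#endif
    return status;
}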

本文作者:Na1r


版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!