2021-07-25 CrackMe00

工具:X32Dbg
系统:WinXp

简要分析

随便输入一组账号密码,程序弹出报错框 "You Get Wrong Try Again"。

没有其他类型的报错,我们可以从messagebox入手

分析步骤

用调试器(OD 或 x32dbg 均可)打开程序并运行,输入账号密码后弹出报错框;此时先不要点"确定",而是暂停程序,并打开堆栈(调用栈)视图。

在堆栈视图中没有直接找到 MessageBox,但有几个看起来相似的调用,比如 SoftModalMessageBox 和 rtcMsgBox(后者来自 VB 运行库 MSVBVM50,对应 VB 的 MsgBox)。
分别显示调用看了一下,rtcMsgBox就是我们要找的,右键 显示调用

尝试逆向算法
在函数开始的位置下断,重新运行程序

代码很长,我们只找关键代码

asm
004081E3   .  FF15 18B14000 call    dword ptr [<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj: HRESULT check for the preceding COM call
004081E9   >  8B95 50FFFFFF mov     edx, dword ptr [ebp-B0]          ;  edx = object pointer used for the vtable call at the end (presumably a form/control)
004081EF   .  8B45 E4       mov     eax, dword ptr [ebp-1C]          ;  eax = BSTR to measure (per the author: the user name)
004081F2   .  50            push    eax                              ; /String
004081F3   .  8B1A          mov     ebx, dword ptr [edx]             ; |ebx = object's vtable
004081F5   .  FF15 F8B04000 call    dword ptr [<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr = Len(name): user-name length in characters
004081FB   .  8BF8          mov     edi, eax                         ;  edi = Len(name)
004081FD   .  8B4D E8       mov     ecx, dword ptr [ebp-18]          ;  ecx = user-name BSTR (argument for the Asc() call below)
00408200   .  69FF 385B0100 imul    edi, edi, 15B38                  ;  edi = Len(name) * 0x15B38 (= 88888)
00408206   .  51            push    ecx                              ; /String
00408207   .  0F80 B7050000 jo      004087C4                         ; |signed-overflow check on the imul: VB Long overflow -> runtime error path
0040820D   .  FF15 0CB14000 call    dword ptr [<&MSVBVM50.# 516>]     ; \import ordinal 516: per the author Asc(name) = code of the first character; returns a 16-bit value in ax
00408213   .  0FBFD0        movsx   edx, ax                          ;  sign-extend the 16-bit result (only matters for codes >= 0x8000, i.e. non-ASCII/DBCS input)
00408216   .  03FA          add     edi, edx                         ;  edi += Asc(name[0])
00408218   .  0F80 A6050000 jo      004087C4                         ;  overflow check on the add
0040821E   .  57            push    edi
0040821F   .  FF15 F4B04000 call    dword ptr [<&MSVBVM50.__vbaStrI4>;  __vbaStrI4 = CStr(Long): edi -> decimal string
00408225   .  8BD0          mov     edx, eax                         ;  eax = "533377" in the author's trace (6 * 88888 + 49: a 6-char name whose first char is '1')
00408227   .  8D4D E0       lea     ecx, dword ptr [ebp-20]
0040822A   .  FF15 94B14000 call    dword ptr [<&MSVBVM50.__vbaStrMo>;  __vbaStrMove: store the new string in [ebp-20]
00408230   .  8BBD 50FFFFFF mov     edi, dword ptr [ebp-B0]
00408236   .  50            push    eax
00408237   .  57            push    edi
00408238   .  FF93 A4000000 call    dword ptr [ebx+A4]               ;  vtable slot 0xA4 on the object: hands the string to it (property set, presumably)

第一次运算:

asm
004082D7   .  FF15 18B14000 call    dword ptr [<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004082DD   >  8B8D 58FFFFFF mov     ecx, dword ptr [ebp-A8]          ;  ecx = object used for the vtable call at the end
004082E3   .  8B55 E8       mov     edx, dword ptr [ebp-18]          ;  edx = current value as a string ("533377" in the trace)
004082E6   .  52            push    edx
004082E7   .  8B19          mov     ebx, dword ptr [ecx]             ;  ebx = object's vtable
004082E9   .  FF15 74B14000 call    dword ptr [<&MSVBVM50.__vbaR8Str>;  __vbaR8Str = CDbl(string): st(0) = 533377.0
004082EF   .  D905 08104000 fld     dword ptr [401008]               ;  push the single-precision constant 10.0
004082F5   .  833D 00904000>cmp     dword ptr [409000], 0            ;  runtime flag: inline fdiv, or the _adj_fdiv helper (presumably the Pentium FDIV-bug workaround)
004082FC   .  75 08         jnz     short 00408306
004082FE   .  D835 0C104000 fdiv    dword ptr [40100C]               ;  st(0) = 10.0 / 5.0 = 2.0 (the constant at 40100C is the divisor 5.0; not "5.0/2")
00408304   .  EB 0B         jmp     short 00408311
00408306   >  FF35 0C104000 push    dword ptr [40100C]
0040830C   .  E8 578DFFFF   call    <jmp.&MSVBVM50._adj_fdiv_m32>    ;  same division through the runtime helper
00408311   >  83EC 08       sub     esp, 8                           ;  reserve 8 bytes for the double argument of __vbaStrR8
00408314   .  DFE0          fstsw   ax                               ;  x87 status word into ax (author observed 0x3100)
00408316   .  A8 0D         test    al, 0D                           ;  IE | ZE | OE exception flags
00408318   .  0F85 A1040000 jnz     004087BF                         ;  any FP exception -> error handler
0040831E   .  DEC1          faddp   st(1), st                        ;  st(0) = 533377.0 + 2.0 = 533379.0
00408320   .  DFE0          fstsw   ax                               ;  status word again (author observed 0x3900)
00408322   .  A8 0D         test    al, 0D                           ;  IE | ZE | OE
00408324   .  0F85 95040000 jnz     004087BF
0040832A   .  DD1C24        fstp    qword ptr [esp]                  ;  store the double as the call argument
0040832D   .  FF15 48B14000 call    dword ptr [<&MSVBVM50.__vbaStrR8>;  __vbaStrR8 = CStr(Double): 533379.0 -> "533379"
00408333   .  8BD0          mov     edx, eax                         ;  eax = "533379" (the returned string is in eax, not ebx)
00408335   .  8D4D E4       lea     ecx, dword ptr [ebp-1C]
00408338   .  FF15 94B14000 call    dword ptr [<&MSVBVM50.__vbaStrMo>;  __vbaStrMove: store it in [ebp-1C]
0040833E   .  899D 34FFFFFF mov     dword ptr [ebp-CC], ebx          ;  stash the vtable pointer
00408344   .  8B9D 58FFFFFF mov     ebx, dword ptr [ebp-A8]
0040834A   .  50            push    eax
0040834B   .  8B85 34FFFFFF mov     eax, dword ptr [ebp-CC]
00408351   .  53            push    ebx
00408352   .  FF90 A4000000 call    dword ptr [eax+A4]               ;  same vtable slot as in the first stage: hand the string to the object
00408358   .  85C0          test    eax, eax
0040835A   .  7D 12         jge     short 0040836E                   ;  HRESULT >= 0 -> continue; negative -> error path

第二次算法

asm
004083E3   .  FF15 18B14000 call    dword ptr [<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004083E9   >  8B8D 58FFFFFF mov     ecx, dword ptr [ebp-A8]          ;  ecx = object for the vtable call at the end
004083EF   .  8B55 E8       mov     edx, dword ptr [ebp-18]          ;  edx = previous stage's result as a string ("533379")
004083F2   .  52            push    edx
004083F3   .  8B19          mov     ebx, dword ptr [ecx]             ;  ebx = object's vtable
004083F5   .  FF15 74B14000 call    dword ptr [<&MSVBVM50.__vbaR8Str>;  __vbaR8Str = CDbl(string): st(0) = 533379.0
004083FB   .  DC0D 10104000 fmul    qword ptr [401010]               ;  st(0) *= 3.0 -> 1600137.0 (constant at 401010 is 3.0 per the trace)
00408401   .  83EC 08       sub     esp, 8                           ;  room for the double argument of __vbaStrR8
00408404   .  DC25 18104000 fsub    qword ptr [401018]               ;  st(0) -= 2.0 -> 1600135.0 (constant at 401018 is 2.0 per the trace)
0040840A   .  DFE0          fstsw   ax                               ;  x87 status word (author observed 0x3900)
0040840C   .  A8 0D         test    al, 0D                           ;  IE | ZE | OE exception flags
0040840E   .  0F85 AB030000 jnz     004087BF                         ;  FP exception -> error handler
00408414   .  DD1C24        fstp    qword ptr [esp]                  ;  pass the double on the stack
00408417   .  FF15 48B14000 call    dword ptr [<&MSVBVM50.__vbaStrR8>;  __vbaStrR8 = CStr(Double): -> "1600135"
0040841D   .  8BD0          mov     edx, eax                         ;  eax = "1600135"
0040841F   .  8D4D E4       lea     ecx, dword ptr [ebp-1C]
00408422   .  FF15 94B14000 call    dword ptr [<&MSVBVM50.__vbaStrMo>;  __vbaStrMove: store it in [ebp-1C]
00408428   .  899D 2CFFFFFF mov     dword ptr [ebp-D4], ebx          ;  stash the vtable pointer
0040842E   .  8B9D 58FFFFFF mov     ebx, dword ptr [ebp-A8]
00408434   .  50            push    eax
00408435   .  8B85 2CFFFFFF mov     eax, dword ptr [ebp-D4]
0040843B   .  53            push    ebx
0040843C   .  FF90 A4000000 call    dword ptr [eax+A4]               ;  same vtable slot: hand the string to the object
00408442   .  85C0          test    eax, eax
00408444   .  7D 12         jge     short 00408458                   ;  HRESULT >= 0 -> continue; negative -> error path

第三次算法

asm
004084CD   .  FF15 18B14000 call    dword ptr [<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
004084D3   >  8B8D 58FFFFFF mov     ecx, dword ptr [ebp-A8]          ;  ecx = object for the vtable call at the end
004084D9   .  8B55 E8       mov     edx, dword ptr [ebp-18]          ;  edx = previous stage's result as a string ("1600135")
004084DC   .  52            push    edx
004084DD   .  8B19          mov     ebx, dword ptr [ecx]             ;  ebx = object's vtable
004084DF   .  FF15 74B14000 call    dword ptr [<&MSVBVM50.__vbaR8Str>;  __vbaR8Str = CDbl(string): st(0) = 1600135.0
004084E5   .  DC25 20104000 fsub    qword ptr [401020]               ;  st(0) -= -15.0 -> 1600150.0 (constant at 401020 is -15.0 per the author's dump; subtracting a negative, i.e. +15)
004084EB   .  83EC 08       sub     esp, 8                           ;  room for the double argument of __vbaStrR8
004084EE   .  DFE0          fstsw   ax                               ;  x87 status word (author observed 0x3900)
004084F0   .  A8 0D         test    al, 0D                           ;  IE | ZE | OE exception flags
004084F2   .  0F85 C7020000 jnz     004087BF                         ;  FP exception -> error handler
004084F8   .  DD1C24        fstp    qword ptr [esp]                  ;  pass the double on the stack
004084FB   .  FF15 48B14000 call    dword ptr [<&MSVBVM50.__vbaStrR8>;  __vbaStrR8 = CStr(Double): -> "1600150", the final serial
00408501   .  8BD0          mov     edx, eax                         ;  eax = "1600150"
00408503   .  8D4D E4       lea     ecx, dword ptr [ebp-1C]
00408506   .  FF15 94B14000 call    dword ptr [<&MSVBVM50.__vbaStrMo>;  __vbaStrMove: store it in [ebp-1C]
0040850C   .  899D 24FFFFFF mov     dword ptr [ebp-DC], ebx          ;  stash the vtable pointer
00408512   .  8B9D 58FFFFFF mov     ebx, dword ptr [ebp-A8]
00408518   .  50            push    eax
00408519   .  8B85 24FFFFFF mov     eax, dword ptr [ebp-DC]
0040851F   .  53            push    ebx
00408520   .  FF90 A4000000 call    dword ptr [eax+A4]               ;  same vtable slot: hand the string to the object
00408526   .  85C0          test    eax, eax
00408528   .  7D 12         jge     short 0040853C                   ;  HRESULT >= 0 -> continue; negative -> error path

最终得到序列号 1600150(对应跟踪时使用的用户名:长度 6、首字符 '1')。

验证结果:

算法总结:

先取用户名长度保存到 edi,edi *= 0x15B38(即 88888),再取用户名第一个字符的字符码,edi += 该码值(imul 和 add 之后各有一次 jo 溢出检查,VB 的 Long 溢出会走错误分支)。随后 VB 运行时把结果转成 Double 继续运算:先加上 10.0 / 5.0 = 2.0,再乘以 3.0,再减去 2.0,最后减去 -15(相当于 +15),得到的就是序列号。合并起来是一个闭式:serial = 3 × (Len(name) × 0x15B38 + Asc(name[0])) + 19;例如长度 6、首字符 '1'(码值 49)的用户名:v = 6 × 88888 + 49 = 533377,serial = 3 × 533377 + 19 = 1600150,与上面跟踪到的值一致。中间的浮点运算结果全是整数,所以用整数运算复现即可,不会有精度问题。

cpp
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <string>
using namespace std;

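// Multiplier applied to the user-name length (imul edi, edi, 15B38 at 00408200).
static const long long kLengthMultiplier = 0x15B38;

// Reproduces the serial derivation recovered from the disassembly:
//   v      = Len(name) * 0x15B38 + Asc(name[0])          (integer, with jo overflow checks)
//   serial = ((v + 10.0 / 5.0) * 3.0 - 2.0) - (-15.0)     (done in doubles by the VB runtime)
// which collapses to 3 * v + 19. Every intermediate value is an integer, so
// 64-bit integer arithmetic reproduces the double computation exactly and
// cannot overflow for any name that fits in memory.
//
// name: the user name exactly as typed; the whole string counts, spaces
//       included, because VB's Len() counts them too.
// Returns the serial, or -1 for an empty name (the target cannot compute a
// serial for "" — Asc("") raises in VB).
//
// The first byte is read as unsigned char: VB's Asc() yields 0..255 for a
// single-byte character, so a plain (signed on MSVC) char would produce a
// negative value for bytes >= 0x80. NOTE(review): the runtime sign-extends a
// 16-bit Asc() result (movsx edx, ax at 00408213), so multi-byte/DBCS names
// may still diverge from the target — verify against it before relying on this.
static long long compute_serial(const std::string &name)
{
	if (name.empty())
	{
		return -1;
	}
	long long v = static_cast<long long>(name.size()) * kLengthMultiplier;
	v += static_cast<unsigned char>(name[0]);
	// Same step order as the target: +2.0, *3.0, -2.0, -(-15.0).
	v += 2;
	v *= 3;
	v -= 2;
	v += 15;
	return v;
}

// Keygen entry point: reads a user name from stdin and prints its serial.
int main()
{
	std::string name;
	std::cout << "enter one user name" << std::endl;
	// std::getline into a std::string instead of `cin >> char[256]`: the
	// original had no width limit (a stack-buffer overflow on long input) and
	// stopped at the first whitespace, which the target's Len() does not.
	if (!std::getline(std::cin, name) || name.empty())
	{
		std::printf("error");
	}
	else
	{
		std::printf("%lld\r\n", compute_serial(name));
	}
	std::system("pause"); // Windows-only: keeps the console window open
	return 0;
}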

本文作者:Na1r


版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!