
[Disassembly exercise] 160 CrackMes: No. 037


The aim of this series is to start from the viewpoint of a complete beginner (which is really just me) and try, step by step, to crack all 160 CrackMes and, where possible, write something like a keygen by whatever means work.

The articles are organised along the following lines (answering these questions):

1. Which environment and tools are used

2. Program analysis

3. Approach and cracking procedure

4. Exploring a keygen

----------------------------------

A reminder to readers: if you can't follow the logic in the article, you certainly haven't tried it hands-on! OD's jump hints are very powerful; once you trace the code yourself you'll understand it without reading much of it!

----------------------------------

1. Tools and environment:

WinXP SP3 + the 52Pojie 6th-anniversary edition of OD + PEID + 汇编金手指.

The bundle of 160 CrackMes.

Download: http://pan.baidu.com/s/1xUWOY  password: jbnq

Notes:

1. Win7 turns on randomised base addresses for modules and programs, which adds a lot of overhead to analysis, so using Win7 for the analysis is not recommended.

2. All of the above tools are the original programs from the 52PoJie forum; NOD32 does not flag them, and I personally promise never to do anything related to trojans or viruses.


2. Program analysis:

To crack a program you first have to understand it. So the initial analysis of the program matters a lot during cracking: it helps us understand the author's purpose and intent, especially the details of how the registration code is handled, which makes reverse tracing and derivation easier.

As in the previous part, open the CHM, select the 35th entry, CyberBlade.1.exe, and save it. Run the program; its interface looks like this:


PEID: Microsoft Visual Basic 5.0 / 6.0

 

3. Approach and cracking procedure

Go straight to a string search; but since the program pops up message boxes, you can equally pause it, press Ctrl+K and look at the call stack.

The detailed steps... I can't even be bothered to write them out!!

Just look at the strings! Right-click -> 中文搜索插件 (Chinese string search plugin) -> Smart search:


Looking around, it seems the text can't be shorter than 9 characters, and there are lots of text prompts!

Whether you search the strings and step into any one of them, or pause and look at the stack, you can find this block:

(The code is long, but it is all message-box text.)

0040E135   .  F7DF          neg edi
0040E137   .  66:85FF       test di,di
0040E13A   .  0F84 2C010000 je 0040E26C
0040E140   .  BB 04000280   mov ebx,0x80020004
0040E145   .  BF 0A000000   mov edi,0xA
0040E14A   .  BE 08000000   mov esi,0x8
0040E14F   .  8D55 80       lea edx,dword ptr ss:[ebp-0x80]
0040E152   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E155   .  895D A8       mov dword ptr ss:[ebp-0x58],ebx
0040E158   .  897D A0       mov dword ptr ss:[ebp-0x60],edi
0040E15B   .  895D B8       mov dword ptr ss:[ebp-0x48],ebx
0040E15E   .  897D B0       mov dword ptr ss:[ebp-0x50],edi
0040E161   .  C745 88 5C354>mov dword ptr ss:[ebp-0x78],0040355C     ;  UNICODE "Correct password"
0040E168   .  8975 80       mov dword ptr ss:[ebp-0x80],esi
0040E16B   .  FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;  msvbvm50.__vbaVarDup
0040E171   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
0040E174   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E177   .  C745 98 FC344>mov dword ptr ss:[ebp-0x68],004034FC     ;  UNICODE "Not bad, you have found the correct password."
0040E17E   .  8975 90       mov dword ptr ss:[ebp-0x70],esi
0040E181   .  FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;  msvbvm50.__vbaVarDup
0040E187   .  8D55 A0       lea edx,dword ptr ss:[ebp-0x60]
0040E18A   .  8D45 B0       lea eax,dword ptr ss:[ebp-0x50]
0040E18D   .  52            push edx
0040E18E   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E191   .  50            push eax
0040E192   .  51            push ecx
0040E193   .  8D55 D0       lea edx,dword ptr ss:[ebp-0x30]
0040E196   .  6A 40         push 0x40
0040E198   .  52            push edx
0040E199   .  FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
0040E19F   .  8D45 A0       lea eax,dword ptr ss:[ebp-0x60]
0040E1A2   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
0040E1A5   .  50            push eax
0040E1A6   .  8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
0040E1A9   .  51            push ecx
0040E1AA   .  8D45 D0       lea eax,dword ptr ss:[ebp-0x30]
0040E1AD   .  52            push edx
0040E1AE   .  50            push eax
0040E1AF   .  6A 04         push 0x4
0040E1B1   .  FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  msvbvm50.__vbaFreeVarList
0040E1B7   .  897D A0       mov dword ptr ss:[ebp-0x60],edi
0040E1BA   .  897D B0       mov dword ptr ss:[ebp-0x50],edi
0040E1BD   .  8B3D 78114100 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  msvbvm50.__vbaVarDup
0040E1C3   .  83C4 14       add esp,0x14
0040E1C6   .  8D55 80       lea edx,dword ptr ss:[ebp-0x80]
0040E1C9   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E1CC   .  895D A8       mov dword ptr ss:[ebp-0x58],ebx
0040E1CF   .  895D B8       mov dword ptr ss:[ebp-0x48],ebx
0040E1D2   .  C745 88 24364>mov dword ptr ss:[ebp-0x78],00403624     ;  UNICODE "Correct password!"
0040E1D9   .  8975 80       mov dword ptr ss:[ebp-0x80],esi
0040E1DC   .  FFD7          call edi                                 ;  <&MSVBVM50.__vbaVarDup>
0040E1DE   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
0040E1E1   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E1E4   .  C745 98 84354>mov dword ptr ss:[ebp-0x68],00403584     ;  UNICODE "Mail me, how you got it, there's a price waiting f"
0040E1EB   .  8975 90       mov dword ptr ss:[ebp-0x70],esi
0040E1EE   .  FFD7          call edi
0040E1F0   .  8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]
0040E1F3   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
0040E1F6   .  51            push ecx
0040E1F7   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
0040E1FA   .  52            push edx
0040E1FB   .  50            push eax
0040E1FC   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E1FF   .  6A 40         push 0x40
0040E201   .  51            push ecx
0040E202   .  FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
0040E208   .  8D55 A0       lea edx,dword ptr ss:[ebp-0x60]
0040E20B   .  8D45 B0       lea eax,dword ptr ss:[ebp-0x50]
0040E20E   .  52            push edx
0040E20F   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E212   .  50            push eax
0040E213   .  8D55 D0       lea edx,dword ptr ss:[ebp-0x30]
0040E216   .  51            push ecx
0040E217   .  52            push edx
0040E218   .  6A 04         push 0x4
0040E21A   .  FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  msvbvm50.__vbaFreeVarList
0040E220   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
0040E223   .  8B8D 44FFFFFF mov ecx,dword ptr ss:[ebp-0xBC]
0040E229   .  83C4 14       add esp,0x14
0040E22C   .  50            push eax
0040E22D   .  FF91 FC020000 call dword ptr ds:[ecx+0x2FC]
0040E233   .  8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
0040E236   .  50            push eax
0040E237   .  52            push edx
0040E238   .  FF15 00114100 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>;  msvbvm50.__vbaObjSet
0040E23E   .  8BF0          mov esi,eax
0040E240   .  68 4C364000   push 0040364C                            ;  UNICODE "Exit"
0040E245   .  56            push esi
0040E246   .  8B06          mov eax,dword ptr ds:[esi]
0040E248   .  FF50 54       call dword ptr ds:[eax+0x54]
0040E24B   .  85C0          test eax,eax
0040E24D   .  7D 0F         jge short 0040E25E
0040E24F   .  6A 54         push 0x54
0040E251   .  68 58364000   push 00403658
0040E256   .  56            push esi
0040E257   .  50            push eax
0040E258   .  FF15 F8104100 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
0040E25E   >  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040E261   .  FF15 90114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  msvbvm50.__vbaFreeObj
0040E267   .  E9 E5010000   jmp 0040E451
0040E26C   >  66:8B43 50    mov ax,word ptr ds:[ebx+0x50]
0040E270   .  66:40         inc ax
0040E272   .  0F80 83020000 jo 0040E4FB
0040E278   .  66:3D 0600    cmp ax,0x6
0040E27C   .  66:8943 50    mov word ptr ds:[ebx+0x50],ax
0040E280   .  0F85 0F010000 jnz 0040E395
0040E286   .  BB 04000280   mov ebx,0x80020004
0040E28B   .  BF 0A000000   mov edi,0xA
0040E290   .  BE 08000000   mov esi,0x8
0040E295   .  8D55 80       lea edx,dword ptr ss:[ebp-0x80]
0040E298   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E29B   .  895D A8       mov dword ptr ss:[ebp-0x58],ebx
0040E29E   .  897D A0       mov dword ptr ss:[ebp-0x60],edi
0040E2A1   .  895D B8       mov dword ptr ss:[ebp-0x48],ebx
0040E2A4   .  897D B0       mov dword ptr ss:[ebp-0x50],edi
0040E2A7   .  C745 88 A4364>mov dword ptr ss:[ebp-0x78],004036A4     ;  UNICODE "I can't stand it anymore"
0040E2AE   .  8975 80       mov dword ptr ss:[ebp-0x80],esi
0040E2B1   .  FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;  msvbvm50.__vbaVarDup
0040E2B7   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
0040E2BA   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E2BD   .  C745 98 6C364>mov dword ptr ss:[ebp-0x68],0040366C     ;  UNICODE "-=Do you need a hint ?=-"
0040E2C4   .  8975 90       mov dword ptr ss:[ebp-0x70],esi
0040E2C7   .  FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;  msvbvm50.__vbaVarDup
0040E2CD   .  8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]
0040E2D0   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
0040E2D3   .  51            push ecx
0040E2D4   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
0040E2D7   .  52            push edx
0040E2D8   .  50            push eax
0040E2D9   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E2DC   .  6A 24         push 0x24
0040E2DE   .  51            push ecx
0040E2DF   .  FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
0040E2E5   .  33D2          xor edx,edx
0040E2E7   .  83F8 07       cmp eax,0x7
0040E2EA   .  0F94C2        sete dl
0040E2ED   .  F7DA          neg edx
0040E2EF   .  8D45 A0       lea eax,dword ptr ss:[ebp-0x60]
0040E2F2   .  8995 5CFFFFFF mov dword ptr ss:[ebp-0xA4],edx
0040E2F8   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
0040E2FB   .  50            push eax
0040E2FC   .  8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
0040E2FF   .  51            push ecx
0040E300   .  8D45 D0       lea eax,dword ptr ss:[ebp-0x30]
0040E303   .  52            push edx
0040E304   .  50            push eax
0040E305   .  6A 04         push 0x4
0040E307   .  FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  msvbvm50.__vbaFreeVarList
0040E30D   .  83C4 14       add esp,0x14
0040E310   .  66:83BD 5CFFF>cmp word ptr ss:[ebp-0xA4],0x0
0040E318   .  0F85 72010000 jnz 0040E490
0040E31E   .  897D A0       mov dword ptr ss:[ebp-0x60],edi
0040E321   .  897D B0       mov dword ptr ss:[ebp-0x50],edi
0040E324   .  8B3D 78114100 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  msvbvm50.__vbaVarDup
0040E32A   .  8D55 80       lea edx,dword ptr ss:[ebp-0x80]
0040E32D   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E330   .  895D A8       mov dword ptr ss:[ebp-0x58],ebx
0040E333   .  895D B8       mov dword ptr ss:[ebp-0x48],ebx
0040E336   .  C745 88 F8364>mov dword ptr ss:[ebp-0x78],004036F8     ;  UNICODE "he, he..."
0040E33D   .  8975 80       mov dword ptr ss:[ebp-0x80],esi
0040E340   .  FFD7          call edi                                 ;  <&MSVBVM50.__vbaVarDup>
0040E342   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
0040E345   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E348   .  C745 98 DC364>mov dword ptr ss:[ebp-0x68],004036DC     ;  UNICODE "Forget it."
0040E34F   .  8975 90       mov dword ptr ss:[ebp-0x70],esi
0040E352   .  FFD7          call edi
0040E354   .  8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]
0040E357   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
0040E35A   .  51            push ecx
0040E35B   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
0040E35E   .  52            push edx
0040E35F   .  50            push eax
0040E360   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E363   .  6A 40         push 0x40
0040E365   .  51            push ecx
0040E366   .  FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
0040E36C   .  8D55 A0       lea edx,dword ptr ss:[ebp-0x60]
0040E36F   .  8D45 B0       lea eax,dword ptr ss:[ebp-0x50]
0040E372   .  52            push edx
0040E373   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E376   .  50            push eax
0040E377   .  8D55 D0       lea edx,dword ptr ss:[ebp-0x30]
0040E37A   .  51            push ecx
0040E37B   .  52            push edx
0040E37C   .  6A 04         push 0x4
0040E37E   .  FF15 EC104100 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>;  msvbvm50.__vbaFreeVarList
0040E384   .  8B45 08       mov eax,dword ptr ss:[ebp+0x8]
0040E387   .  83C4 14       add esp,0x14
0040E38A   .  66:C740 50 00>mov word ptr ds:[eax+0x50],0x0
0040E390   .  E9 BC000000   jmp 0040E451
0040E395   >  BF 0A000000   mov edi,0xA
0040E39A   .  BB 04000280   mov ebx,0x80020004
0040E39F   .  BE 08000000   mov esi,0x8
0040E3A4   .  66:3D 0300    cmp ax,0x3
0040E3A8   .  897D A0       mov dword ptr ss:[ebp-0x60],edi
0040E3AB   .  897D B0       mov dword ptr ss:[ebp-0x50],edi
0040E3AE   .  8B3D 78114100 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  msvbvm50.__vbaVarDup
0040E3B4   .  895D A8       mov dword ptr ss:[ebp-0x58],ebx
0040E3B7   .  895D B8       mov dword ptr ss:[ebp-0x48],ebx
0040E3BA   .  C745 88 A0374>mov dword ptr ss:[ebp-0x78],004037A0     ;  UNICODE "Failed"
0040E3C1   .  8975 80       mov dword ptr ss:[ebp-0x80],esi
0040E3C4   .  8D55 80       lea edx,dword ptr ss:[ebp-0x80]
0040E3C7   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E3CA   .  7E 3E         jle short 0040E40A
0040E3CC   .  FFD7          call edi                                 ;  <&MSVBVM50.__vbaVarDup>
0040E3CE   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
0040E3D1   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E3D4   .  C745 98 10374>mov dword ptr ss:[ebp-0x68],00403710     ;  UNICODE "Have you ever been trying to be successful in crac"
0040E3DB   .  8975 90       mov dword ptr ss:[ebp-0x70],esi
0040E3DE   .  FFD7          call edi
0040E3E0   .  8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]
0040E3E3   .  8D55 B0       lea edx,dword ptr ss:[ebp-0x50]
0040E3E6   .  51            push ecx
0040E3E7   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
0040E3EA   .  52            push edx
0040E3EB   .  50            push eax
0040E3EC   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E3EF   .  6A 20         push 0x20
0040E3F1   .  51            push ecx
0040E3F2   .  FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox
0040E3F8   .  8D55 A0       lea edx,dword ptr ss:[ebp-0x60]
0040E3FB   .  8D45 B0       lea eax,dword ptr ss:[ebp-0x50]
0040E3FE   .  52            push edx
0040E3FF   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040E402   .  50            push eax
0040E403   .  8D55 D0       lea edx,dword ptr ss:[ebp-0x30]
0040E406   .  51            push ecx
0040E407   .  52            push edx
0040E408   .  EB 3C         jmp short 0040E446
0040E40A   >  FFD7          call edi
0040E40C   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
0040E40F   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040E412   .  C745 98 B4374>mov dword ptr ss:[ebp-0x68],004037B4     ;  UNICODE "Sorry, wrong key."
0040E419   .  8975 90       mov dword ptr ss:[ebp-0x70],esi
0040E41C   .  FFD7          call edi
0040E41E   .  8D45 A0       lea eax,dword ptr ss:[ebp-0x60]
0040E421   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
0040E424   .  50            push eax
0040E425   .  8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
0040E428   .  51            push ecx
0040E429   .  52            push edx
0040E42A   .  8D45 D0       lea eax,dword ptr ss:[ebp-0x30]
0040E42D   .  6A 40         push 0x40
0040E42F   .  50            push eax
0040E430   .  FF15 04114100 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox

Going by the prompt "Correct password", find the corresponding jump: 0040E13A     /0F84 2C010000 je 0040E26C
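As an added example (not code from the original post), here is the same locating step done with a script instead of by eye: a small Python parser for OllyDbg's fixed-column listing format that can also re-split a dump whose newlines were lost, list every UNICODE string reference, and find the nearest conditional jump above a given message, which for the block above is the je at 0040E13A. The column offsets are read off the listing layout itself; the sample input is five instructions copied from that block and run together, as a constructed input.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# OllyDbg prints each instruction in fixed columns: address (0-7), flag and jump-arrow
# characters (8-13), opcode bytes (14-27, cut off with '>' when too long), then the
# disassembly and an optional comment after ';'. Offsets taken from the listing above.
ADDR_END, OPCODE_START, DISASM_START = 8, 14, 28

# Start of an instruction: 8 hex digits, 3 spaces, the flag column ('.', '>' or blank),
# then two spaces or a space plus a jump-arrow character, then opcode bytes. A jump
# target inside an operand ("je 0040E26C") is followed by spaces only, so it never
# matches; splitting on this lookahead yields exactly one piece per instruction.
_INSN_START = re.compile(r"(?=[0-9A-F]{8} {3}[.> ](?: {2}| [/\\|])[0-9A-F]{2})")
_UNICODE_REF = re.compile(r'UNICODE "(.*)"')
_COND_JUMP = re.compile(r"^j(?!mp\b)[a-z]+ +(?:short +)?[0-9A-F]{8}$")


@dataclass
class Insn:
    addr: int
    opcodes: str
    disasm: str
    comment: str


def split_listing(text: str) -> list[str]:
    """One string per instruction, whether or not the listing still has its newlines."""
    return [p.rstrip() for p in _INSN_START.split(text) if p.strip()]


def parse_insn(line: str) -> Insn:
    addr = int(line[:ADDR_END], 16)
    opcodes = line[OPCODE_START:DISASM_START].rstrip()
    disasm, _, comment = line[DISASM_START:].partition(";")
    return Insn(addr, opcodes, disasm.strip(), comment.strip())


def parse_listing(text: str) -> list[Insn]:
    return [parse_insn(line) for line in split_listing(text)]


def string_refs(insns: list[Insn]) -> list[tuple[int, str]]:
    """(address, text) for every instruction OD annotated with a UNICODE string."""
    refs = []
    for insn in insns:
        m = _UNICODE_REF.search(insn.comment)
        if m:
            refs.append((insn.addr, m.group(1)))
    return refs


def key_jump_for(insns: list[Insn], message: str) -> Insn | None:
    """Nearest conditional jump above the instruction that references `message`:
    the branch that decides whether that message box is reached at all."""
    for i, insn in enumerate(insns):
        if f'UNICODE "{message}"' in insn.comment:
            for prev in reversed(insns[:i]):
                if _COND_JUMP.match(prev.disasm):
                    return prev
            return None
    return None


# Constructed sample: five instructions from the listing above, run together exactly
# the way the extracted page shows them (no newline between instructions).
SAMPLE = (
    "0040E135   .  F7DF          neg edi"
    "0040E137   .  66:85FF       test di,di"
    "0040E13A   .  0F84 2C010000 je 0040E26C"
    "0040E140   .  BB 04000280   mov ebx,0x80020004"
    "0040E161   .  C745 88 5C354>mov dword ptr ss:[ebp-0x78],0040355C"
    '     ;  UNICODE "Correct password"'
)

if __name__ == "__main__":
    insns = parse_listing(SAMPLE)
    for insn in insns:
        print(f"{insn.addr:08X}  {insn.disasm:<40} {insn.comment}")
    print(string_refs(insns))
    print(key_jump_for(insns, "Correct password"))
```

The jump found this way is only a candidate: it is the branch nearest to the string, which is what the post's manual search also relies on, and it still has to be confirmed by tracing in the debugger.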

Patching:
Select 0040E13A     /0F84 2C010000 je 0040E26C, then right-click -> Binary -> Fill with NOPs


 

4. Exploring a keygen

Near the key jump, the algorithm is handled as follows:

0040E0E2   .  FF15 F8104100 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
0040E0E8   >  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]
0040E0EB   .  51            push ecx                                 ; /Arg1="123456789"
0040E0EC   .  FF15 5C114100 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; \__vbaR8Str
0040E0F2   .  DB43 4C       fild dword ptr ds:[ebx+0x4C]             ;  // loads dword [ebx+0x4C]: after the push ST0 = 0x12D1FB78 = 315751288 (the __vbaR8Str result moves to ST1)
0040E0F5   .  DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8]
0040E0FB   .  DCA5 38FFFFFF fsub qword ptr ss:[ebp-0xC8]             ;  // subtracts the two: ST0 = ST0 - [ebp-0xC8] = 123456789 - 315751288 = -192294499 ? negative?
0040E101   .  DFE0          fstsw ax
0040E103   .  A8 0D         test al,0xD                              ;  // floating-point error check (IE/ZE/OE flags of the status word)
0040E105   .  0F85 EB030000 jnz 0040E4F6
0040E10B   .  FF15 14114100 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>;  msvbvm50.__vbaFpR8
0040E111   .  DC1D 08104000 fcomp qword ptr ds:[0x401008]            ;  // floating-point compare, then pop
0040E117   .  DFE0          fstsw ax
0040E119   .  F6C4 40       test ah,0x40                             ;  // C3 of the status word
0040E11C   .  74 05         je short 0040E123                        ;  // taken when C3 = 0 (not equal): mov edi,1 is skipped and the check fails; C3 = 1 must hold
0040E11E   .  BF 01000000   mov edi,0x1
0040E123   >  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040E126   .  FF15 8C114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  msvbvm50.__vbaFreeStr
0040E12C   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040E12F   .  FF15 90114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  msvbvm50.__vbaFreeObj
0040E135   .  F7DF          neg edi                                  ;  // edi = 0 here means the comparison failed
0040E137   .  66:85FF       test di,di
0040E13A      0F84 2C010000 je 0040E26C                              ;  // taken when di = 0 (wrong key); otherwise falls through to "Correct password". Patch here.

The core of it is the fcomp instruction; not that it is that hard, I just had never seen it before, and then I searched and searched and searched!!

Found the fcomp question on the 看雪 (Pediy) forum:

Condition        C3  C2  C0
ST(0) > SRC       0   0   0
ST(0) < SRC       0   0   1
ST(0) = SRC       1   0   0
Unordered*        1   1   1

 
There it is.

It's the FPU status word. And popping the stack apparently just discards the value in st(0).

0040E119   .  F6C4 40       test ah,0x40                             ;  // C3 of the status word
0040E11C   . /74 05         je short 0040E123                        ;  // taken when C3 = 0 (not equal): mov edi,1 is skipped and the check fails; C3 = 1 must hold

So ST(0) must equal the value at [0x401008]: 315751288


 

BY 笨笨D幸福