[Disassembly Practice] 160 CrackMes, #030
The purpose of this series is to start from the perspective of a complete beginner (that is, myself) and try, step by step, to crack all 160 CrackMes and, where possible, write something resembling a keygen by whatever means work.
Each article is organized along the following lines (answering the following questions):
1. Which environment and tools are used
2. Program analysis
3. Approach and cracking procedure
4. Exploring a keygen
----------------------------------
A reminder to readers: if the logic in the article is not clear to you, you certainly have not tried it by hand! OD's jump hints are very powerful; as long as you trace the code yourself, you will understand it without reading much of it.
----------------------------------
1. Tools and environment:
WinXP SP3 + the 52Pojie sixth-anniversary edition of OD (OllyDbg) + PEiD + 汇编金手指 (an x86 instruction reference).
The bundled archive of the 160 CrackMes.
Download: http://pan.baidu.com/s/1xUWOY  password: jbnq
Notes:
1. Win7 randomizes the load addresses of programs and modules (ASLR) where the image is linked with /DYNAMICBASE, which is the case for all system DLLs. Addresses noted in a writeup then no longer match what you see in the debugger, which adds a lot of overhead to analysis, so Win7 is not recommended for this work.
2. All of the above tools are the original versions downloaded from the 52Pojie forum; NOD32 does not flag them, and I personally promise never to do anything related to trojans or viruses.
2. Program analysis:
To crack a program you must first understand it. The initial analysis of the program is therefore important: it helps us understand the author's purpose and intent, in particular the details of how the registration code is handled, which makes it easier to trace backwards and derive the code.
As in the previous part, open the CHM, choose the 30th entry, cracking4all.1.exe, and save it. Run the program; the interface looks like this:
Click the OK button at the top and a message box pops up. Good.
Note that after you dismiss the message box, the program exits immediately.
PEiD: Microsoft Visual Basic 5.0 / 6.0
Ugh, another frustrating journey! (VB runtime calls mean the real logic hides behind MSVBVM50 helpers rather than plain comparisons.)
3. Approach and cracking procedure
1. Open OD, drag the exe into the OD window, and once the program pauses just press Run (F9); ignore everything else.
2. Click About->Register and enter an arbitrary fake code: 21312321. Click OK; a message box pops up. Do not close it; switch back to OD.
3. Press Ctrl+K to view the call stack:
Select rtcMsgBox, right-click -> Show call.
4. Scroll upward through the code:
00403370 . /0F84 E8000000 je 0040345E
00403376 . |8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; msvbvm50.__vbaVarDup
0040337C . |BF 08000000 mov edi,0x8
00403381 . |8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387 . |8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0040338A . |C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],00402824 ; UNICODE "Valid"
00403394 . |89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A . |FFD6 call esi ; <&MSVBVM50.__vbaVarDup>
0040339C . |8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2 . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
004033A5 . |C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027E8 ; UNICODE "Password correct, hehe, :-)"
004033AF . |89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5 . |FFD6 call esi
004033B7 . |8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004033BD . |8D45 88 lea eax,dword ptr ss:[ebp-0x78]
004033C0 . |52 push edx
004033C1 . |8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
004033C4 . |50 push eax
004033C5 . |51 push ecx
004033C6 . |8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004033C9 . |6A 00 push 0x0
004033CB . |52 push edx
004033CC . |FF15 24614000 call dword ptr ds:[<&MSVBVM50.#595>] ; msvbvm50.rtcMsgBox
004033D2 . |8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004033D8 . |8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
004033DB . |50 push eax
004033DC . |8D55 98 lea edx,dword ptr ss:[ebp-0x68]
004033DF . |51 push ecx
004033E0 . |8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
004033E3 . |52 push edx
004033E4 . |50 push eax
004033E5 . |6A 04 push 0x4
004033E7 . |FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; msvbvm50.__vbaFreeVarList
004033ED . |A1 A4434000 mov eax,dword ptr ds:[0x4043A4]
004033F2 . |83C4 14 add esp,0x14
004033F5 . |85C0 test eax,eax
004033F7 . |75 10 jnz short 00403409
004033F9 . |68 A4434000 push 004043A4 ; /Arg2 = 004043A4
004033FE . |68 50284000 push 00402850 ; |Arg1 = 00402850
00403403 . |FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>; \__vbaNew2
00403409 > |A1 38404000 mov eax,dword ptr ds:[0x404038]
0040340E . |8B35 A4434000 mov esi,dword ptr ds:[0x4043A4]
00403414 . |85C0 test eax,eax
00403416 . |75 10 jnz short 00403428
00403418 . |68 38404000 push 00404038 ; /Arg2 = 00404038
0040341D . |68 6C204000 push 0040206C ; |Arg1 = 0040206C
00403422 . |FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>>; \__vbaNew2
00403428 > |8B0D 38404000 mov ecx,dword ptr ds:[0x404038]
0040342E . |8B3E mov edi,dword ptr ds:[esi]
00403430 . |8D55 B8 lea edx,dword ptr ss:[ebp-0x48]
00403433 . |51 push ecx
00403434 . |52 push edx
00403435 . |FF15 2C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSetAddref
0040343B . |50 push eax
0040343C . |56 push esi
0040343D . |FF57 10 call dword ptr ds:[edi+0x10]
00403440 . |85C0 test eax,eax
00403442 . |7D 0F jge short 00403453
00403444 . |6A 10 push 0x10
00403446 . |68 40284000 push 00402840
0040344B . |56 push esi
0040344C . |50 push eax
0040344D . |FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00403453 > |8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
00403456 . |FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObj
0040345C . |EB 7A jmp short 004034D8
0040345E > \8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; msvbvm50.__vbaVarDup
00403464 . BF 08000000 mov edi,0x8
00403469 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040346F . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00403472 . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],004028BC ; UNICODE "Invalid"
0040347C . 89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
00403482 . FFD6 call esi ; <&MSVBVM50.__vbaVarDup>
00403484 . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040348A . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
0040348D . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],00402864 ; UNICODE "Password incorrect, please try again ..."
00403497 . 89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
0040349D . FFD6 call esi
0040349F . 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004034A5 . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
004034A8 . 50 push eax
004034A9 . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
004034AC . 51 push ecx
004034AD . 52 push edx
004034AE . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
004034B1 . 6A 00 push 0x0
004034B3 . 50 push eax
004034B4 . FF15 24614000 call dword ptr ds:[<&MSVBVM50.#595>] ; msvbvm50.rtcMsgBox
It is easy to spot one message box reporting success and one reporting failure, and right in front of the success message box sits the key jump. (Why is it the key jump? Select je 0040345E at address 00403370 in OD and OD shows its destination very clearly: it jumps to 0040345E, the "Invalid" branch. The je follows a test ax,ax on the result of __vbaVarTstEq, which returns 0 when the two strings differ, so an incorrect password takes the jump and a correct one falls through to "Valid".)
So patching is simple: select the jump, right-click -> Binary -> Fill with NOPs. The je is a 6-byte instruction (0F84 E8000000), so it becomes six NOPs and execution always falls through to the success branch. Note that this only changes the process in memory; to keep the patch, right-click -> Copy to executable -> All modifications, then save the new file from the window that opens.
4. Exploring a keygen
Scrolling further up, the routine turns out not to be very long, so let's try to walk through the flow roughly from the beginning:
004030F0 > \55 push ebp
004030F1 . 8BEC mov ebp,esp
004030F3 . 83EC 0C sub esp,0xC
004030F6 . 68 56104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
004030FB . 64:A1 0000000>mov eax,dword ptr fs:[0]
00403101 . 50 push eax
00403102 . 64:8925 00000>mov dword ptr fs:[0],esp
00403109 . 81EC 04010000 sub esp,0x104
0040310F . 53 push ebx
00403110 . 56 push esi
00403111 . 57 push edi
00403112 . 8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
00403115 . 8BC7 mov eax,edi
00403117 . 83E7 FE and edi,0xFFFFFFFE
0040311A . 8965 F4 mov dword ptr ss:[ebp-0xC],esp
0040311D . 83E0 01 and eax,0x1
00403120 . 8B1F mov ebx,dword ptr ds:[edi]
00403122 . C745 F8 18104>mov dword ptr ss:[ebp-0x8],00401018
00403129 . 57 push edi
0040312A . 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040312D . 897D 08 mov dword ptr ss:[ebp+0x8],edi
00403130 . FF53 04 call dword ptr ds:[ebx+0x4]
00403133 . 33F6 xor esi,esi
00403135 . 57 push edi
00403136 . 8975 D8 mov dword ptr ss:[ebp-0x28],esi
00403139 . 8975 C8 mov dword ptr ss:[ebp-0x38],esi
0040313C . 8975 C0 mov dword ptr ss:[ebp-0x40],esi
0040313F . 8975 BC mov dword ptr ss:[ebp-0x44],esi
00403142 . 8975 B8 mov dword ptr ss:[ebp-0x48],esi
00403145 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi
00403148 . 8975 98 mov dword ptr ss:[ebp-0x68],esi
0040314B . 8975 88 mov dword ptr ss:[ebp-0x78],esi
0040314E . 89B5 78FFFFFF mov dword ptr ss:[ebp-0x88],esi
00403154 . 89B5 68FFFFFF mov dword ptr ss:[ebp-0x98],esi
0040315A . 89B5 58FFFFFF mov dword ptr ss:[ebp-0xA8],esi
00403160 . 89B5 48FFFFFF mov dword ptr ss:[ebp-0xB8],esi
00403166 . 89B5 38FFFFFF mov dword ptr ss:[ebp-0xC8],esi
0040316C . 89B5 28FFFFFF mov dword ptr ss:[ebp-0xD8],esi
00403172 . FF93 04030000 call dword ptr ds:[ebx+0x304]
00403178 . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
0040317B . 50 push eax
0040317C . 51 push ecx
0040317D . FF15 20614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSet
00403183 . 8BF8 mov edi,eax
00403185 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
00403188 . 50 push eax
00403189 . 57 push edi
0040318A . 8B17 mov edx,dword ptr ds:[edi]
0040318C . FF92 A0000000 call dword ptr ds:[edx+0xA0]
00403192 . 3BC6 cmp eax,esi
00403194 . 7D 12 jge short 004031A8
00403196 . 68 A0000000 push 0xA0
0040319B . 68 B4274000 push 004027B4
004031A0 . 57 push edi
004031A1 . 50 push eax
004031A2 . FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004031A8 > 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
004031AB . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004031AE . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004031B1 . 8975 C0 mov dword ptr ss:[ebp-0x40],esi
004031B4 . 8945 B0 mov dword ptr ss:[ebp-0x50],eax
004031B7 . C745 A8 08000>mov dword ptr ss:[ebp-0x58],0x8
004031BE . FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>; msvbvm50.__vbaVarMove
004031C4 . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
004031C7 . FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObj
004031CD . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
004031D0 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
004031D3 . 51 push ecx ; /Arg2 = "123123"
004031D4 . 52 push edx ; |Arg1 = "123123"
004031D5 . BE 01000000 mov esi,0x1 ; |
004031DA . FF15 18614000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; \__vbaLenVar
004031E0 . 50 push eax
004031E1 . FF15 74614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>; msvbvm50.__vbaI2Var
004031E7 . 8985 F8FEFFFF mov dword ptr ss:[ebp-0x108],eax ; // eax = 6 (length of the input)
004031ED . 8BFE mov edi,esi
004031EF > 66:3BBD F8FEF>cmp di,word ptr ss:[ebp-0x108] ; // loop counter compared with 6
004031F6 . 8B1D 6C614000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrVarVal
004031FC . 0F8F 2D010000 jg 0040332F
00403202 . 66:83FE 04 cmp si,0x4
00403206 . 7E 05 jle short 0040320D
00403208 . BE 01000000 mov esi,0x1 ; // second counter wraps back to 1 after 4
0040320D > 0FBFCF movsx ecx,di
00403210 . 8D45 A8 lea eax,dword ptr ss:[ebp-0x58]
00403213 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
00403216 . 50 push eax ; 1
00403217 . 51 push ecx
00403218 . 8D45 98 lea eax,dword ptr ss:[ebp-0x68]
0040321B . 52 push edx ; "123123"
0040321C . 50 push eax
0040321D . C745 B0 01000>mov dword ptr ss:[ebp-0x50],0x1
00403224 . C745 A8 02000>mov dword ptr ss:[ebp-0x58],0x2
0040322B . FF15 38614000 call dword ptr ds:[<&MSVBVM50.#632>] ; msvbvm50.rtcMidCharVar
00403231 . B8 02000000 mov eax,0x2
00403236 . 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88] ; "1" "2"...
0040323C . 0FBFD6 movsx edx,si
0040323F . 8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
00403245 . 8945 88 mov dword ptr ss:[ebp-0x78],eax
00403248 . 51 push ecx
00403249 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
0040324C . 52 push edx
0040324D . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00403253 . 50 push eax ; eax = 000007D0 = 2000
00403254 . 51 push ecx
00403255 . C745 80 01000>mov dword ptr ss:[ebp-0x80],0x1
0040325C . C745 90 D0070>mov dword ptr ss:[ebp-0x70],0x7D0
00403263 . FF15 38614000 call dword ptr ds:[<&MSVBVM50.#632>] ; msvbvm50.rtcMidCharVar
00403269 . 8D55 98 lea edx,dword ptr ss:[ebp-0x68]
0040326C . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
0040326F . 52 push edx
00403270 . 50 push eax
00403271 . FFD3 call ebx ; msvbvm50.__vbaStrVarVal
00403273 . 50 push eax ; "1"
00403274 . FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#516>] ; msvbvm50.rtcAnsiValueBstr
0040327A . 0FBFD0 movsx edx,ax
0040327D . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
00403283 . 8D45 BC lea eax,dword ptr ss:[ebp-0x44]
00403286 . 51 push ecx ; "2" "0" "0" "0"
00403287 . 50 push eax
00403288 . 8995 E8FEFFFF mov dword ptr ss:[ebp-0x118],edx
0040328E . FFD3 call ebx ; msvbvm50.__vbaStrVarVal
00403290 . 50 push eax ; "2" "0" "0" "0"
00403291 . FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#516>] ; msvbvm50.rtcAnsiValueBstr
00403297 . 8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118] ; // edx = 0x31
0040329D . 0FBFC8 movsx ecx,ax ; // eax = 0x32
004032A0 . 33D1 xor edx,ecx ; // XOR
004032A2 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032A8 . 52 push edx ; /Arg2
004032A9 . 50 push eax ; |Arg1
004032AA . FF15 64614000 call dword ptr ds:[<&MSVBVM50.#608>] ; \rtcVarBstrFromAnsi
004032B0 . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
004032B3 . 8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
004032B9 . 51 push ecx
004032BA . 8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
004032C0 . 52 push edx
004032C1 . 50 push eax ; // "OK"
004032C2 . FF15 70614000 call dword ptr ds:[<&MSVBVM50.__vbaVarCa>; msvbvm50.__vbaVarCat
004032C8 . 8BD0 mov edx,eax
004032CA . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
004032CD . FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>; msvbvm50.__vbaVarMove
004032D3 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
004032D6 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004032D9 . 51 push ecx
004032DA . 52 push edx
004032DB . 6A 02 push 0x2
004032DD . FF15 8C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
004032E3 . 83C4 0C add esp,0xC
004032E6 . 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032EC . 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
004032F2 . 8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004032F8 . 50 push eax
004032F9 . 51 push ecx
004032FA . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
004032FD . 52 push edx
004032FE . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
00403301 . 50 push eax
00403302 . 8D55 A8 lea edx,dword ptr ss:[ebp-0x58]
00403305 . 51 push ecx
00403306 . 52 push edx
00403307 . 6A 06 push 0x6
00403309 . FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeV>; msvbvm50.__vbaFreeVarList
0040330F . 83C4 1C add esp,0x1C
00403312 . 66:46 inc si
00403314 . B8 01000000 mov eax,0x1
00403319 . 66:03C7 add ax,di
0040331C . 0F80 44020000 jo 00403566
00403322 . 0F80 3E020000 jo 00403566
00403328 . 8BF8 mov edi,eax
0040332A .^ E9 C0FEFFFF jmp 004031EF
0040332F > 8D45 C8 lea eax,dword ptr ss:[ebp-0x38]
00403332 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00403338 . 50 push eax
00403339 . 51 push ecx
0040333A . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027C8 ; UNICODE "qBQSYdXUe_B\V"
00403344 . C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x8008
0040334E . FF15 44614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; msvbvm50.__vbaVarTstEq
00403354 . 66:85C0 test ax,ax
00403357 . B9 04000280 mov ecx,0x80020004
0040335C . B8 0A000000 mov eax,0xA
00403361 . 894D 80 mov dword ptr ss:[ebp-0x80],ecx
00403364 . 8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
0040336A . 894D 90 mov dword ptr ss:[ebp-0x70],ecx
0040336D . 8945 88 mov dword ptr ss:[ebp-0x78],eax
00403370 0F84 E8000000 je 0040345E ; // key jump
00403376 . 8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; msvbvm50.__vbaVarDup
0040337C . BF 08000000 mov edi,0x8
00403381 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387 . 8D4D 98 lea ecx,dword ptr ss:[ebp-0x68]
0040338A . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],00402824 ; UNICODE "Valid"
00403394 . 89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A . FFD6 call esi ; <&MSVBVM50.__vbaVarDup>
0040339C . 8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2 . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
004033A5 . C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],004027E8 ; UNICODE "Password correct, hehe, :-)"
004033AF . 89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5 . FFD6 call esi
The overall flow is roughly this: take the characters of the input one at a time with Mid$ (rtcMidCharVar), convert each to its ASCII value (rtcAnsiValueBstr), XOR it with the ASCII value of another character, turn the result back into a one-character string (rtcVarBstrFromAnsi) and append it to an accumulator (__vbaVarCat). After the loop the accumulated string is compared with "qBQSYdXUe_B\V" (__vbaVarTstEq); if equal, success!
As for the details... well, I admit that I traced it several times and still could not work out where the character XORed against the input comes from!
Let's try a VB decompiler:
Private Sub Command1_Click() '4030F0
  Dim var_48 As TextBox
  loc_00403122: var_8 = &H401018
  loc_0040317D: Set var_48 = Me
  loc_0040318C: var_40 = Text1.Text
  loc_004031B4: var_50 = var_40
  loc_004031B7: var_58 = 8
  loc_004031BE: var_28 = var_40
  loc_004031DA: var_58 = Len(var_28)
  loc_004031E7: var_108 = CInt(var_40)
  If 00000001h > 0 Then GoTo loc_0040332F
  loc_0040321D: var_50 = 1
  loc_00403224: var_58 = 2
  loc_0040323F: var_88 = 2
  loc_00403245: var_78 = 2
  loc_00403255: var_80 = 1
  loc_0040325C: var_70 = &H7D0
  loc_00403271: var_40 = CStr(Mid$(var_28, 1, 1))
  loc_00403288: var_118 = Asc(var_40)
  loc_0040328E: var_44 = CStr(Mid$(2000, 1, 1))
  loc_004032AA: var_A8 = Chr(Asc(var_40) xor ecx)
  loc_00403312: si = 00000001h + 1
  loc_00403319: 00000001h = 00000001h + 00000001h
  loc_0040332A: GoTo loc_004031EF
  loc_0040332F:
  loc_0040333A: var_C0 = "qBQSYdXUe_B\V"
  loc_00403344: var_C8 = &H8008
  loc_0040334E: Var_Ret_1 = (var_38 & &H7D0 = "qBQSYdXUe_B\V")
  loc_00403361: var_80 = 80020004h
  loc_00403364: var_88 = 10
  loc_0040336A: var_70 = 80020004h
  loc_0040336D: var_78 = 10
  If Var_Ret_1 = 0 Then GoTo loc_0040345E
  loc_0040338A: var_D0 = "Valid"
  loc_00403394: var_D8 = 8
  loc_004033A5: var_C0 = "Password correct, hehe, :-)"
  loc_004033AF: var_C8 = 8
  loc_004033CC: MsgBox "Password correct, hehe, :-)", 0, "Valid"
  loc_00403435: Set var_48 = 4210744
  loc_0040343D: call password.GetTypeInfo(var_48, var_88, var_48, 004027B4h, var_78, var_88, var_48, 004027B4h)
  loc_0040345E:
  loc_00403472: var_D0 = "Invalid"
  loc_0040347C: var_D8 = 8
  loc_0040348D: var_C0 = "Password incorrect, please try again ..."
  loc_00403497: var_C8 = 8
  loc_004034B4: MsgBox "Password incorrect, please try again ...", 0, "Invalid"
  loc_004034D8: var_4 = 0
  loc_004034E4: GoTo loc_00403536
  loc_00403535: Exit Sub
  loc_00403536:
  loc_00403544: GoTo loc_00esi
  loc_00403546: Exit Sub
End Sub
It seems to have something to do with 2000, but the control flow in the decompiled VB is a mess and very confusing to read!
SmartCheck:
Haha, SmartCheck's trace combined with the XOR operation found in OD and I get it! The text being XORed in is the number 2000, treated as the string "2000" (Mid$ on an Integer coerces it to text); the character is selected by the current position modulo 4, and its ASCII value is used.
Roughly like this (pName is the text entered in the box, i is 0-based):
pKey[i] = pName[i] ^ "2000"[i%4];
pKey == "qBQSYdXUe_B\V"
But our goal is to recover the original text, so we run the algorithm backwards. Because XOR is its own inverse, "backwards" is the same formula applied to the target string "qBQSYdXUe_B\V" instead of the input. The C++ is as follows:
// CrackMeDemo.cpp : console application entry point.
#include <cstdio>
#include <cstdlib>
#include <cstring>

/*
    pKey[i] = pName[i] ^ "2000"[i%4];
    pKey == "qBQSYdXUe_B\V"
*/
int main()
{
    char pkey[] = "qBQSYdXUe_B\\V";   // the backslash must be escaped inside a C string literal
    char pName[15] = {0};             // 13 characters plus the terminating NUL
    int nLen = strlen(pkey);
    for (int i = 0; i < nLen; i++)
    {
        // XOR is its own inverse: applying the same "2000" mask to the key recovers the input
        pName[i] = pkey[i] ^ "2000"[i % 4];
    }
    printf("the input is: %s\r\n", pName);
    system("pause");
    return 0;
}
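The listing above only runs the XOR in one direction. The following is an added example, not code from the original post: it re-implements the check routine exactly as the disassembly of Command1_Click performs it (1-based position counter di, a second counter si that wraps from 4 back to 1, Mid$/Asc/Chr/concatenation per character, then the equality test against the constant at 004027C8), and then uses the same routine as the keygen. The function names ComputeKey, CheckSerial and RecoverPassword are mine; the constants "qBQSYdXUe_B\V", 2000 and the wrap-at-4 come straight from the disassembly.

```cpp
// Added example: emulate the crackme's serial check and derive the accepted input.
#include <cassert>
#include <cstdio>
#include <string>

// Constants read from the disassembly.
static const char *kTargetKey = "qBQSYdXUe_B\\V";   // UNICODE "qBQSYdXUe_B\V" at 004027C8
static const int   kXorNumber = 0x7D0;              // the Integer 2000 passed to rtcMidCharVar
static const int   kWrapAt    = 4;                  // cmp si,4 / jle / mov esi,1

// Mirrors the loop at 004031EF..0040332A:
//   for i = 1 To Len(input): j wraps 1..4;
//   acc = acc & Chr(Asc(Mid$(input, i, 1)) Xor Asc(Mid$(2000, j, 1)))
std::string ComputeKey(const std::string &input) {
    std::string digits = std::to_string(kXorNumber);   // Mid$ on an Integer coerces it to "2000"
    std::string acc;                                   // var_38, built up by __vbaVarCat
    int j = 1;                                         // si
    for (int i = 1; i <= (int)input.size(); ++i) {     // di compared against Len(input)
        if (j > kWrapAt) j = 1;                        // second counter wraps back to 1
        unsigned char a = (unsigned char)input[i - 1]; // rtcAnsiValueBstr(Mid$(input, i, 1))
        unsigned char b = (unsigned char)digits[j - 1];// rtcAnsiValueBstr(Mid$("2000", j, 1))
        acc.push_back((char)(a ^ b));                  // rtcVarBstrFromAnsi, then concatenate
        ++j;                                           // inc si
    }
    return acc;
}

// The comparison at 0040334E: __vbaVarTstEq(var_38, "qBQSYdXUe_B\V").
// Non-zero result falls through to "Valid"; zero takes the je to "Invalid".
bool CheckSerial(const std::string &input) {
    return ComputeKey(input) == kTargetKey;
}

// Keygen: XOR is an involution, so pushing the target string through the very
// same routine yields the input the check accepts.
std::string RecoverPassword() {
    return ComputeKey(kTargetKey);
}

int main() {
    std::string pw = RecoverPassword();
    printf("recovered password : %s\n", pw.c_str());
    printf("check on recovered : %s\n", CheckSerial(pw) ? "Valid" : "Invalid");
    printf("check on 21312321  : %s\n", CheckSerial("21312321") ? "Valid" : "Invalid");
    return 0;
}
```

Running it prints the recovered password and confirms that feeding it back through CheckSerial takes the "Valid" path while the fake code 21312321 used during tracing does not. Because the routine never checks the input length, any input is accepted whose XOR image equals the 13-character constant, which in practice means exactly one password.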
BY 笨笨D幸福