CrackMe160-002
Patching approach
Same as 001: find the key function from the call stack and step into it.
Scroll up a little and you can see the strings (the L in front of a string means it is Unicode-encoded).
In the dump, right-click -> Hex -> Extended ASCII to view the Unicode text.
That's a bit off-topic... Anyway, following the approach from 001 this one can be patched the same way, so I won't repeat it; the main event is better spent on serial generation.
Serial generation
As usual, I put a breakpoint before the check, but there was no cmp-like instruction to be found, so I decided to set the breakpoint a bit earlier.
00402310 | 55 | push ebp |
00402311 | 8BEC | mov ebp,esp |
00402313 | 83EC 0C | sub esp,C |
00402316 | 68 26104000 | push <JMP.&__vbaExceptHandler> |
0040231B | 64:A1 00000000 | mov eax,dword ptr fs:[0] |
00402321 | 50 | push eax |
00402322 | 64:8925 00000000 | mov dword ptr fs:[0],esp |
00402329 | 81EC B0000000 | sub esp,B0 |
0040232F | 53 | push ebx |
00402330 | 56 | push esi |
00402331 | 8B75 08 | mov esi,dword ptr ss:[ebp+8] |
00402334 | 57 | push edi |
00402335 | 8BC6 | mov eax,esi |
00402337 | 83E6 FE | and esi,FFFFFFFE |
0040233A | 8965 F4 | mov dword ptr ss:[ebp-C],esp |
0040233D | 83E0 01 | and eax,1 |
00402340 | 8B1E | mov ebx,dword ptr ds:[esi] |
00402342 | C745 F8 08104000 | mov dword ptr ss:[ebp-8],afkayas.1.401008 |
00402349 | 56 | push esi |
0040234A | 8945 FC | mov dword ptr ss:[ebp-4],eax |
0040234D | 8975 08 | mov dword ptr ss:[ebp+8],esi |
00402350 | FF53 04 | call dword ptr ds:[ebx+4] |
00402353 | 8B83 10030000 | mov eax,dword ptr ds:[ebx+310] |
00402359 | 33FF | xor edi,edi |
0040235B | 56 | push esi |
0040235C | 897D E8 | mov dword ptr ss:[ebp-18],edi |
0040235F | 897D E4 | mov dword ptr ss:[ebp-1C],edi |
00402362 | 897D E0 | mov dword ptr ss:[ebp-20],edi |
00402365 | 897D DC | mov dword ptr ss:[ebp-24],edi |
00402368 | 897D D8 | mov dword ptr ss:[ebp-28],edi |
0040236B | 897D D4 | mov dword ptr ss:[ebp-2C],edi |
0040236E | 897D C4 | mov dword ptr ss:[ebp-3C],edi |
00402371 | 897D B4 | mov dword ptr ss:[ebp-4C],edi |
00402374 | 897D A4 | mov dword ptr ss:[ebp-5C],edi |
00402377 | 897D 94 | mov dword ptr ss:[ebp-6C],edi |
0040237A | 8985 40FFFFFF | mov dword ptr ss:[ebp-C0],eax |
00402380 | FFD0 | call eax |
00402382 | 8D4D D4 | lea ecx,dword ptr ss:[ebp-2C] |
00402385 | 50 | push eax |
00402386 | 51 | push ecx |
00402387 | FF15 0C414000 | call dword ptr ds:[<&__vbaObjSet>] |
0040238D | 8B9B 00030000 | mov ebx,dword ptr ds:[ebx+300] |
00402393 | 56 | push esi |
00402394 | 8985 50FFFFFF | mov dword ptr ss:[ebp-B0],eax |
0040239A | 899D 3CFFFFFF | mov dword ptr ss:[ebp-C4],ebx |
004023A0 | FFD3 | call ebx |
004023A2 | 8D55 DC | lea edx,dword ptr ss:[ebp-24] |
004023A5 | 50 | push eax |
004023A6 | 52 | push edx |
004023A7 | FF15 0C414000 | call dword ptr ds:[<&__vbaObjSet>] |
004023AD | 8BD8 | mov ebx,eax |
004023AF | 8D4D E8 | lea ecx,dword ptr ss:[ebp-18] |
004023B2 | 51 | push ecx |
004023B3 | 53 | push ebx |
004023B4 | 8B03 | mov eax,dword ptr ds:[ebx] |
004023B6 | FF90 A0000000 | call dword ptr ds:[eax+A0] | gets the value of Name
004023BC | 3BC7 | cmp eax,edi |
004023BE | 7D 12 | jge afkayas.1.4023D2 |
004023C0 | 68 A0000000 | push A0 |
004023C5 | 68 5C1B4000 | push afkayas.1.401B5C |
004023CA | 53 | push ebx |
004023CB | 50 | push eax |
004023CC | FF15 04414000 | call dword ptr ds:[<&__vbaHresultCheckObj>] |
004023D2 | 56 | push esi |
004023D3 | FF95 3CFFFFFF | call dword ptr ss:[ebp-C4] |
004023D9 | 8D55 D8 | lea edx,dword ptr ss:[ebp-28] |
004023DC | 50 | push eax |
004023DD | 52 | push edx |
004023DE | FF15 0C414000 | call dword ptr ds:[<&__vbaObjSet>] |
004023E4 | 8BD8 | mov ebx,eax |
004023E6 | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] |
004023E9 | 51 | push ecx |
004023EA | 53 | push ebx |
004023EB | 8B03 | mov eax,dword ptr ds:[ebx] |
004023ED | FF90 A0000000 | call dword ptr ds:[eax+A0] |
004023F3 | 3BC7 | cmp eax,edi |
004023F5 | 7D 12 | jge afkayas.1.402409 |
004023F7 | 68 A0000000 | push A0 |
004023FC | 68 5C1B4000 | push afkayas.1.401B5C |
00402401 | 53 | push ebx |
00402402 | 50 | push eax |
00402403 | FF15 04414000 | call dword ptr ds:[<&__vbaHresultCheckObj>] |
00402409 | 8B95 50FFFFFF | mov edx,dword ptr ss:[ebp-B0] |
0040240F | 8B45 E4 | mov eax,dword ptr ss:[ebp-1C] |
00402412 | 50 | push eax |
00402413 | 8B1A | mov ebx,dword ptr ds:[edx] |
00402415 | FF15 E4404000 | call dword ptr ds:[<&__vbaLenBstr>] | computes the length of Name (shown in hex)
0040241B | 8BF8 | mov edi,eax |
0040241D | 8B4D E8 | mov ecx,dword ptr ss:[ebp-18] |
00402420 | 69FF FB7C0100 | imul edi,edi,17CFB | length of Name times 17CFB, result into edi
00402426 | 51 | push ecx |
00402427 | 0F80 91020000 | jo afkayas.1.4026BE |
0040242D | FF15 F8404000 | call dword ptr ds:[<&rtcAnsiValueBstr>] | first byte goes into EAX, the rest into EDX
00402433 | 0FBFD0 | movsx edx,ax |
00402436 | 03FA | add edi,edx | edi = first byte + length*17CFB
00402438 | 0F80 80020000 | jo afkayas.1.4026BE |
0040243E | 57 | push edi |
0040243F | FF15 E0404000 | call dword ptr ds:[<&__vbaStrI4>] | the Serial is first computed here; the result is stored in EAX
00402445 | 8BD0 | mov edx,eax |
00402447 | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] |
0040244A | FF15 70414000 | call dword ptr ds:[<&__vbaStrMove>] |
00402450 | 8BBD 50FFFFFF | mov edi,dword ptr ss:[ebp-B0] |
00402456 | 50 | push eax |
00402457 | 57 | push edi |
00402458 | FF93 A4000000 | call dword ptr ds:[ebx+A4] |
0040245E | 85C0 | test eax,eax |
00402460 | 7D 12 | jge afkayas.1.402474 |
00402462 | 68 A4000000 | push A4 |
00402467 | 68 5C1B4000 | push afkayas.1.401B5C |
0040246C | 57 | push edi |
0040246D | 50 | push eax |
0040246E | FF15 04414000 | call dword ptr ds:[<&__vbaHresultCheckObj>] |
00402474 | 8D45 E0 | lea eax,dword ptr ss:[ebp-20] |
00402477 | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] |
0040247A | 50 | push eax |
0040247B | 8D55 E8 | lea edx,dword ptr ss:[ebp-18] |
0040247E | 51 | push ecx |
0040247F | 52 | push edx |
00402480 | 6A 03 | push 3 |
00402482 | FF15 5C414000 | call dword ptr ds:[<&__vbaFreeStrList>] |
00402488 | 83C4 10 | add esp,10 |
0040248B | 8D45 D4 | lea eax,dword ptr ss:[ebp-2C] |
0040248E | 8D4D D8 | lea ecx,dword ptr ss:[ebp-28] |
00402491 | 8D55 DC | lea edx,dword ptr ss:[ebp-24] |
00402494 | 50 | push eax |
00402495 | 51 | push ecx |
00402496 | 52 | push edx |
00402497 | 6A 03 | push 3 |
00402499 | FF15 F4404000 | call dword ptr ds:[<&__vbaFreeObjList>] |
0040249F | 8B06 | mov eax,dword ptr ds:[esi] |
004024A1 | 83C4 10 | add esp,10 |
004024A4 | 56 | push esi |
004024A5 | FF90 04030000 | call dword ptr ds:[eax+304] |
004024AB | 8B1D 0C414000 | mov ebx,dword ptr ds:[<&__vbaObjSet>] |
004024B1 | 50 | push eax |
004024B2 | 8D45 DC | lea eax,dword ptr ss:[ebp-24] |
004024B5 | 50 | push eax |
004024B6 | FFD3 | call ebx |
004024B8 | 8BF8 | mov edi,eax |
004024BA | 8D55 E8 | lea edx,dword ptr ss:[ebp-18] |
004024BD | 52 | push edx |
004024BE | 57 | push edi |
004024BF | 8B0F | mov ecx,dword ptr ds:[edi] |
004024C1 | FF91 A0000000 | call dword ptr ds:[ecx+A0] | gets the Serial
004024C7 | 85C0 | test eax,eax |
004024C9 | 7D 12 | jge afkayas.1.4024DD |
004024CB | 68 A0000000 | push A0 |
004024D0 | 68 5C1B4000 | push afkayas.1.401B5C |
004024D5 | 57 | push edi |
004024D6 | 50 | push eax |
004024D7 | FF15 04414000 | call dword ptr ds:[<&__vbaHresultCheckObj>] |
004024DD | 56 | push esi |
004024DE | FF95 40FFFFFF | call dword ptr ss:[ebp-C0] |
004024E4 | 50 | push eax |
004024E5 | 8D45 D8 | lea eax,dword ptr ss:[ebp-28] |
004024E8 | 50 | push eax |
004024E9 | FFD3 | call ebx |
004024EB | 8BF0 | mov esi,eax |
004024ED | 8D55 E4 | lea edx,dword ptr ss:[ebp-1C] |
004024F0 | 52 | push edx |
004024F1 | 56 | push esi |
004024F2 | 8B0E | mov ecx,dword ptr ds:[esi] |
004024F4 | FF91 A0000000 | call dword ptr ds:[ecx+A0] |
004024FA | 85C0 | test eax,eax |
004024FC | 7D 12 | jge afkayas.1.402510 |
004024FE | 68 A0000000 | push A0 |
00402503 | 68 5C1B4000 | push afkayas.1.401B5C |
00402508 | 56 | push esi |
00402509 | 50 | push eax |
0040250A | FF15 04414000 | call dword ptr ds:[<&__vbaHresultCheckObj>] |
00402510 | 8B45 E8 | mov eax,dword ptr ss:[ebp-18] |
00402513 | 8B4D E4 | mov ecx,dword ptr ss:[ebp-1C] |
00402516 | 8B3D 00414000 | mov edi,dword ptr ds:[<&__vbaStrCat>] |
0040251C | 50 | push eax |
0040251D | 68 701B4000 | push afkayas.1.401B70 | 401B70:L"AKA-"
00402522 | 51 | push ecx |
00402523 | FFD7 | call edi |
00402525 | 8B1D 70414000 | mov ebx,dword ptr ds:[<&__vbaStrMove>] |
0040252B | 8BD0 | mov edx,eax |
0040252D | 8D4D E0 | lea ecx,dword ptr ss:[ebp-20] |
00402530 | FFD3 | call ebx |
00402532 | 50 | push eax |
00402533 | FF15 28414000 | call dword ptr ds:[<&__vbaStrCmp>] |
00402539 | 8BF0 | mov esi,eax |
0040253B | 8D55 E0 | lea edx,dword ptr ss:[ebp-20] |
0040253E | F7DE | neg esi |
00402540 | 8D45 E8 | lea eax,dword ptr ss:[ebp-18] |
00402543 | 52 | push edx |
00402544 | 1BF6 | sbb esi,esi |
00402546 | 8D4D E4 | lea ecx,dword ptr ss:[ebp-1C] |
00402549 | 50 | push eax |
0040254A | 46 | inc esi |
0040254B | 51 | push ecx |
0040254C | 6A 03 | push 3 |
0040254E | F7DE | neg esi |
00402550 | FF15 5C414000 | call dword ptr ds:[<&__vbaFreeStrList>] |
00402556 | 83C4 10 | add esp,10 |
00402559 | 8D55 D8 | lea edx,dword ptr ss:[ebp-28] |
0040255C | 8D45 DC | lea eax,dword ptr ss:[ebp-24] |
0040255F | 52 | push edx |
00402560 | 50 | push eax |
00402561 | 6A 02 | push 2 |
00402563 | FF15 F4404000 | call dword ptr ds:[<&__vbaFreeObjList>] |
00402569 | 83C4 0C | add esp,C |
0040256C | B9 04000280 | mov ecx,80020004 |
00402571 | B8 0A000000 | mov eax,A | A: '\n'
00402576 | 894D 9C | mov dword ptr ss:[ebp-64],ecx |
00402579 | 66:85F6 | test si,si |
0040257C | 8945 94 | mov dword ptr ss:[ebp-6C],eax |
0040257F | 894D AC | mov dword ptr ss:[ebp-54],ecx |
00402582 | 8945 A4 | mov dword ptr ss:[ebp-5C],eax |
00402585 | 894D BC | mov dword ptr ss:[ebp-44],ecx |
00402588 | 8945 B4 | mov dword ptr ss:[ebp-4C],eax |
0040258B | 74 58 | je afkayas.1.4025E5 |
0040258D | 68 801B4000 | push afkayas.1.401B80 | 401B80:L"You Get It"
00402592 | 68 9C1B4000 | push afkayas.1.401B9C | 401B9C:L"\r\n"
00402597 | FFD7 | call edi |
Since what sits further up is just the ret of another function, I decided to break directly at 00402310 and step through line by line.
This step is important. Of course you don't have to break this early; I just wanted to see the whole thing in one pass. You can also work upward setting breakpoints bit by bit; either way works.
Then we should be clear about the analysis approach: first find the final generated serial, then work out step by step how that final serial is produced.
Around this point of execution we found a string that might be the final serial; entering it passed the check, so we can confirm this is the final serial.
So we can get the rough execution flow of the whole program:
Get Name (here "type in your name") -> generate the corresponding final serial (here, as the rough flow shows, the concatenation of "AKA-" and the number "1658111") -> compare the Serial the user entered with the serial generated from Name -> return the result.
Now we need to analyze how "AKA-" and the number "1658111" are generated.
From this it's easy to see that AKA- is hard-coded in the program, stored directly as a variable, so we only need to study how the number is generated.
When execution reaches this point, the value of Name has been loaded into eax, and a function vbaLenBstr is called here; my guess is that it gets the string length.
Before the call, eax holds the address of Name.
After the call, eax is 00000011 (17 in decimal), so we can conclude that vbaLenBstr gets the length of the string eax points to.
The imul below is signed multiplication (the Baidu explanation follows).
So this step does what the annotation says: multiply the length of Name by 17CFB and put the result into edi.
The rtcAnsiValueBstr below can be guessed from its result.
We find the original string has been split: the first byte is put in eax and the remaining characters in edx.
So this function most likely gets the ANSI value of the first character.
The next add needs no explanation.
The last one, vbaStrI4, is easy to guess as converting to decimal, since the result has no A-D in it, and it's a runtime function whose purpose won't be anything obscure.
Done!
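To verify the analysis above end to end, here is a reimplementation of the recovered routine (added example, not code from the crackme or the original post). It assumes ASCII names so that Asc() equals the character's code point, and models the `jo` checks after imul and add as VB's Long overflow error.

```python
# Reimplementation of the serial routine recovered from the disassembly:
#   serial = "AKA-" + str(Len(Name) * 0x17CFB + Asc(Name[0]))
# The constants come from the listing; everything else is an assumption
# about how the VB runtime calls behave.

MULTIPLIER = 0x17CFB        # imul edi,edi,17CFB
PREFIX = "AKA-"             # afkayas.1.401B70: L"AKA-"
VB_LONG_MAX = 0x7FFFFFFF    # 'jo afkayas.1.4026BE' = VB Long overflow (error 6)


class VBOverflow(Exception):
    """Raised where the listing would take the jo branch."""


def vb_asc(name: str) -> int:
    # rtcAnsiValueBstr: ANSI code of the first character (VB's Asc()).
    # Assumption: encode with cp1252 so non-ASCII still yields one byte.
    if not name:
        raise ValueError("Asc() of an empty string is a VB error 5")
    return name[0].encode("cp1252", errors="replace")[0]


def generate_serial(name: str) -> str:
    # __vbaLenBstr -> imul -> jo -> rtcAnsiValueBstr -> add -> jo -> __vbaStrI4
    product = len(name) * MULTIPLIER          # Len(Name) * &H17CFB
    if product > VB_LONG_MAX:
        raise VBOverflow("imul overflow")
    total = product + vb_asc(name)            # + Asc(Name)
    if total > VB_LONG_MAX:
        raise VBOverflow("add overflow")
    return PREFIX + str(total)                # __vbaStrCat("AKA-", Str$(total))


def check_serial(name: str, serial: str) -> bool:
    # __vbaStrCmp, folded to a boolean by the neg/sbb/inc/neg sequence;
    # True corresponds to the "You Get It" branch.
    return serial == generate_serial(name)
```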