
2019-04-02 CrackMe 10

作者: 月夜阑珊 | 来源:发表于2019-04-02 22:28 被阅读0次

    首先补充关于VB程序的几点:

    很多时候VB函数返回值在ebp-0x34中(有时候在ax寄存器中)
    VB的某些函数操作(例如__vbaVarMul)的结果以浮点数保存,可以在内存窗口中以64位浮点数格式查看
    

    CrackMe 10,同样通过字符串搜索或者在弹窗后断下程序可以直接找到关键处理函数:

    00401ED8   .  FF15 10414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
    00401EDE   >  8B45 A8       mov eax,dword ptr ss:[ebp-0x58]
    00401EE1   .  8975 A8       mov dword ptr ss:[ebp-0x58],esi
    00401EE4   .  8B35 F8404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarMove
    00401EEA   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
    00401EED   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
    00401EF0   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax
    00401EF3   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8
    00401EFA   .  FFD6          call esi                                 ;  <&MSVBVM50.__vbaVarMove>
    00401EFC   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
    00401EFF   .  FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObj
    00401F05   .  B9 02000000   mov ecx,0x2
    00401F0A   .  B8 01000000   mov eax,0x1
    00401F0F   .  898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx
    00401F15   .  898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx
    00401F1B   .  8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
    00401F21   .  8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax
    00401F27   .  8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax
    00401F2D   .  8D55 BC       lea edx,dword ptr ss:[ebp-0x44]
    00401F30   .  51            push ecx                                 ; /Step8
    00401F31   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]          ; |
    00401F34   .  52            push edx                                 ; |/var18
    00401F35   .  50            push eax                                 ; ||retBuffer8
    00401F36   .  FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; |\__vbaLenVar
    00401F3C   .  8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC]          ; |
    00401F42   .  50            push eax                                 ; |End8
    00401F43   .  8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-0x114]         ; |
    00401F49   .  51            push ecx                                 ; |Start8
    00401F4A   .  8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104]         ; |
    00401F50   .  52            push edx                                 ; |TMPend8
    00401F51   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]          ; |
    00401F54   .  50            push eax                                 ; |TMPstep8
    00401F55   .  51            push ecx                                 ; |Counter8
    00401F56   .  FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForInit
    

    首先同样通过__vbaLenVar获取len(serial),随后调用__vbaVarForInit初始化循环,与__vbaVarForNext配合形成for循环,循环体如下:

    00401F68   > /85C0          test eax,eax
    00401F6A   . |0F84 BB000000 je Andréna.0040202B
    00401F70   . |8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
    00401F73   . |8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
    00401F76   . |52            push edx
    00401F77   . |50            push eax
    00401F78   . |C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1
    00401F7F   . |C745 94 02000>mov dword ptr ss:[ebp-0x6C],0x2
    00401F86   . |FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>;  MSVBVM50.__vbaI4Var
    00401F8C   . |8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]          ; |
    00401F8F   . |50            push eax                                 ; |Start
    00401F90   . |8D55 84       lea edx,dword ptr ss:[ebp-0x7C]          ; |
    00401F93   . |51            push ecx                                 ; |dString8
    00401F94   . |52            push edx                                 ; |RetBUFFER
    00401F95   . |FF15 34414000 call dword ptr ds:[<&MSVBVM50.#632>]     ; \rtcMidCharVar
    00401F9B   . |8D45 84       lea eax,dword ptr ss:[ebp-0x7C]
    00401F9E   . |8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
    00401FA1   . |50            push eax                                 ; /String8
    00401FA2   . |51            push ecx                                 ; |ARG2
    00401FA3   . |FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVa>; \__vbaStrVarVal
    00401FA9   . |50            push eax                                 ; /String
    00401FAA   . |FF15 08414000 call dword ptr ds:[<&MSVBVM50.#516>]     ; \rtcAnsiValueBstr
    00401FB0   . |66:05 0A00    add ax,0xA
    00401FB4   . |0F80 B0020000 jo Andréna.0040226A
    00401FBA   . |0FBFD0        movsx edx,ax
    00401FBD   . |52            push edx
    00401FBE   . |FF15 70414000 call dword ptr ds:[<&MSVBVM50.#537>]     ;  MSVBVM50.rtcBstrFromAnsi
    00401FC4   . |8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
    00401FCA   . |8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
    00401FCD   . |8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
    00401FD3   . |50            push eax
    00401FD4   . |8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C]
    00401FDA   . |51            push ecx
    00401FDB   . |52            push edx
    00401FDC   . |C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
    00401FE6   . |FFD3          call ebx
    00401FE8   . |8BD0          mov edx,eax
    00401FEA   . |8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
    00401FED   . |FFD6          call esi
    00401FEF   . |8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
    00401FF2   . |FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
    00401FF8   . |8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
    00401FFE   . |8D4D 84       lea ecx,dword ptr ss:[ebp-0x7C]
    00402001   . |50            push eax
    00402002   . |8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
    00402005   . |51            push ecx
    00402006   . |52            push edx
    00402007   . |6A 03         push 0x3
    00402009   . |FFD7          call edi
    0040200B   . |83C4 10       add esp,0x10
    0040200E   . |8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
    00402014   . |8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
    0040201A   . |8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
    0040201D   . |50            push eax                                 ; /TMPend8
    0040201E   . |51            push ecx                                 ; |TMPstep8
    0040201F   . |52            push edx                                 ; |Counter8
    00402020   . |FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForNext
    00402026   .^\E9 3DFFFFFF   jmp Andréna.00401F68
    

    首先rtcMidCharVar截取字符串:

    rtcMidCharVar  从字符串中取出相应字符,即VB中的MID函数,用法MID(字符串, 开始的位置, 取几个字符)
    

    而后__vbastrvarval:

    __vbastrvarval  从字符串特定位置上获取其值
    #把字符转ascii码
    

    而后rtcAnsiValueBstr返回对应字符的ascii码数据到ax
    前后区别:

    __vbastrvarval在eax中返回一个字符串对象(通常只有一个字符),其中包含对应的字符(也可视为其ascii码)
    rtcAnsiValueBstr则直接把该字符串对象中字符的ascii数值返回到ax中
    

    而后将该数值加0xA(add ax,0xA,其后的jo是VB对加法溢出的检查)再重新转为字符:rtcBstrFromAnsi
    接着在后面的代码中:

    00401FD3   .  50            push eax
    00401FD4   .  8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C]
    00401FDA   .  51            push ecx
    00401FDB   .  52            push edx
    00401FDC   .  C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
    00401FE6   .  FFD3          call ebx                                 ;  MSVBVM50.__vbaVarCat
    

    通过__vbaVarCat连接字符串
    最后将拼接得到的字符串与预定义字符串比较:

    00402034   .  50            push eax                                 ; /var18
    00402035   .  51            push ecx                                 ; |var28
    00402036   .  C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.0040>; |UNICODE "kXy^rO|*yXo*m\kMuOn*+"
    00402040   .  C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8008       ; |
    0040204A   .  FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq
    00402050   .  66:85C0       test ax,ax
    00402053   .  0F84 C0000000 je Andréna.00402119                      ;  judge
    00402059   .  FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#534>]     ;  MSVBVM50.rtcBeep
    0040205F   .  8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>;  MSVBVM50.__vbaVarDup
    00402065   .  B9 0A000000   mov ecx,0xA
    0040206A   .  B8 04000280   mov eax,0x80020004
    0040206F   .  898D 64FFFFFF mov dword ptr ss:[ebp-0x9C],ecx
    00402075   .  898D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ecx
    0040207B   .  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
    00402081   .  8D4D 84       lea ecx,dword ptr ss:[ebp-0x7C]
    00402084   .  8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
    0040208A   .  8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
    00402090   .  C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.0040>;  UNICODE "RiCHTiG !"
    0040209A   .  C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
    004020A4   .  FFD3          call ebx                                 ;  <&MSVBVM50.__vbaVarDup>
    

    所以将预定义字符串的每个字符减去0xa即可得到真正的序列号:

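    def get_serial(encoded="kXy^rO|*yXo*m\\kMuOn*+", delta=0xa):
        """Recover the serial the CrackMe accepts from the string it compares against.

        The program adds 0xA to the ASCII value of every character of the input
        and compares the concatenated result with the constant string shown in
        the __vbaVarTstEq call above, so the accepted input is that constant
        with 0xA subtracted from each character.

        Args:
            encoded: the constant string taken from the binary (defaults to the
                one in the disassembly above).
            delta: the per-character offset the program adds (0xA here).

        Returns:
            The decoded serial string; empty input yields an empty string.
        """
        # chr(ord(c) - delta) inverts the program's "add ax,0xA" step for each character.
        return "".join(chr(ord(c) - delta) for c in encoded)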
    
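    if __name__ == "__main__":
        # Parenthesised form prints the same single value under Python 2 and also runs under Python 3.
        print(get_serial())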
    #output:
    #aNoThEr oNe cRaCkEd !
    

    输入即可:


    Success


