
160个CrackMe – 003

套路与反套路 阿虚 755浏览 0评论

.    003和002是同一款程序,不过作者更新了一次算法。002仅仅是直接拿了账户的第一个字节来做处理;003虽然也是拿账户的第一个字节,但是大量地将字符串转换为浮点数、再将浮点数转换成字符串,并且针对转换后的浮点数进行了运算操作。作者在这一个CM中不允许输入0~9之外的字符,否则会走异常退出。

.     这个程序就不爆破了,因为爆破点都在同一处。不过作者并未把算法挪到其他地方,还是在爆破点之前;寻找算法的方式和002一样。

004081C9   .  51            push ecx
004081CA   .  53            push ebx
004081CB   .  8B03          mov eax,dword ptr ds:[ebx]
004081CD   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]                   ;  得到输入的账户
004081D3   .  3BC7          cmp eax,edi
004081D5   .  7D 12         jge XAfKayAs_.004081E9
004081D7   .  68 A0000000   push 0xA0
004081DC   .  68 AC6F4000   push AfKayAs_.00406FAC
004081E1   .  53            push ebx
004081E2   .  50            push eax
004081E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  msvbvm50.__vbaHresultCheckObj
004081E9   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]
004081F2   .  50            push eax                                       ; /String
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]                     ; |
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]   ; \__vbaLenBstr
004081FB   .  8BF8          mov edi,eax                                    ;  得到账户长度
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00408200   .  69FF 385B0100 imul edi,edi,0x15B38                           ;  len * 0x15B38
00408206   .  51            push ecx                                       ; /String
00408207   .  0F80 B7050000 jo AfKayAs_.004087C4                           ; |如果长度*0x15B38大于等于0X80000000就异常
0040820D   .  FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>]           ; \rtcAnsiValueBstr
00408213   .  0FBFD0        movsx edx,ax
00408216   .  03FA          add edi,edx                                    ;  计算出来的长度+第一个字节十六进制
00408218   .  0F80 A6050000 jo AfKayAs_.004087C4                           ;  如果长度*0x15B38大于等于0X80000000就异常
0040821E   .  57            push edi                                       ;  将计算出来的结果转换成字符串
0040821F   .  FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]     ;  msvbvm50.__vbaStrI4
00408225   .  8BD0          mov edx,eax
00408227   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
........
004082BA   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
004082BD   .  50            push eax
004082BE   .  53            push ebx
004082BF   .  8B13          mov edx,dword ptr ds:[ebx]
004082C1   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]                   ;  得到算出来的KEY,字符串方式存储
004082C7   .  85C0          test eax,eax
004082C9   .  7D 12         jge XAfKayAs_.004082DD
004082CB   .  68 A0000000   push 0xA0
004082D0   .  68 AC6F4000   push AfKayAs_.00406FAC
004082D5   .  53            push ebx
004082D6   .  50            push eax
004082D7   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  msvbvm50.__vbaHresultCheckObj
004082DD   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004082E3   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]
004082E6   .  52            push edx
004082E7   .  8B19          mov ebx,dword ptr ds:[ecx]
004082E9   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]     ;  将KEY转换为浮点数据存放到浮点寄存器中
004082EF   .  D905 08104000 fld dword ptr ds:[0x401008]                    ;  浮点寄存器放入10.0
004082F5   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC   .  75 08         jnz XAfKayAs_.00408306
004082FE   .  D835 0C104000 fdiv dword ptr ds:[0x40100C]                   ;  ST0 / 5.0
00408304   .  EB 0B         jmp XAfKayAs_.00408311
00408306   >  FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C   .  E8 578DFFFF   call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311   >  83EC 08       sub esp,0x8
00408314   .  DFE0          fstsw ax
00408316   .  A8 0D         test al,0xD
00408318   .  0F85 A1040000 jnz AfKayAs_.004087BF
0040831E   .  DEC1          faddp st(1),st                                 ;  KEY+ST0  ST1==KEY, ST0 = 10.0/5.0
00408320   .  DFE0          fstsw ax
00408322   .  A8 0D         test al,0xD
00408324   .  0F85 95040000 jnz AfKayAs_.004087BF
0040832A   .  DD1C24        fstp qword ptr ss:[esp]                        ;  ST0+KEY结果存放到ESP指向的栈中
0040832D   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]     ;  将KEY转换成字符串
00408333   .  8BD0          mov edx,eax
......
004083C6   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
004083C9   .  50            push eax
004083CA   .  53            push ebx
004083CB   .  8B13          mov edx,dword ptr ds:[ebx]
004083CD   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]                   ;  得到KEY,以字符串方式
004083D3   .  85C0          test eax,eax
004083D5   .  7D 12         jge XAfKayAs_.004083E9
004083D7   .  68 A0000000   push 0xA0
004083DC   .  68 AC6F4000   push AfKayAs_.00406FAC
004083E1   .  53            push ebx
004083E2   .  50            push eax
004083E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  msvbvm50.__vbaHresultCheckObj
004083E9   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]
004083F2   .  52            push edx
004083F3   .  8B19          mov ebx,dword ptr ds:[ecx]
004083F5   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]     ;  将KEY转换成浮点数存储在浮点寄存器
004083FB   .  DC0D 10104000 fmul qword ptr ds:[0x401010]                   ;  key * 3
00408401   .  83EC 08       sub esp,0x8
00408404   .  DC25 18104000 fsub qword ptr ds:[0x401018]                   ;  key - 2.0
0040840A   .  DFE0          fstsw ax
0040840C   .  A8 0D         test al,0xD
0040840E   .  0F85 AB030000 jnz AfKayAs_.004087BF
00408414   .  DD1C24        fstp qword ptr ss:[esp]                        ;  将key转换成字符串
00408417   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]     ;  msvbvm50.__vbaStrR8
0040841D   .  8BD0          mov edx,eax
0040841F   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
.....
004084AE   .  8BD8          mov ebx,eax
004084B0   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
004084B3   .  50            push eax
004084B4   .  53            push ebx
004084B5   .  8B13          mov edx,dword ptr ds:[ebx]
004084B7   .  FF92 A0000000 call dword ptr ds:[edx+0xA0]                   ;  得到KEY,以字符串方式
004084BD   .  85C0          test eax,eax
004084BF   .  7D 12         jge XAfKayAs_.004084D3
004084C1   .  68 A0000000   push 0xA0
004084C6   .  68 AC6F4000   push AfKayAs_.00406FAC
004084CB   .  53            push ebx
004084CC   .  50            push eax
004084CD   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  msvbvm50.__vbaHresultCheckObj
004084D3   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]
004084DC   .  52            push edx
004084DD   .  8B19          mov ebx,dword ptr ds:[ecx]
004084DF   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]     ;  将KEY转换为浮点数存入浮点寄存器
004084E5   .  DC25 20104000 fsub qword ptr ds:[0x401020]                   ;  KEY+15.0
004084EB   .  83EC 08       sub esp,0x8
004084EE   .  DFE0          fstsw ax
004084F0   .  A8 0D         test al,0xD
004084F2   .  0F85 C7020000 jnz AfKayAs_.004087BF
004084F8   .  DD1C24        fstp qword ptr ss:[esp]                        ;  将KEY转换成字符串
004084FB   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]     ;  msvbvm50.__vbaStrR8
00408501   .  8BD0          mov edx,eax
......
00408570   .  8BD8          mov ebx,eax
00408572   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408575   .  51            push ecx
00408576   .  53            push ebx
00408577   .  8B03          mov eax,dword ptr ds:[ebx]
00408579   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]                   ;  得到KEY,以字符串方式
0040857F   .  85C0          test eax,eax
00408581   .  7D 12         jge XAfKayAs_.00408595
00408583   .  68 A0000000   push 0xA0
00408588   .  68 AC6F4000   push AfKayAs_.00406FAC
0040858D   .  53            push ebx
0040858E   .  50            push eax
0040858F   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  msvbvm50.__vbaHresultCheckObj
00408595   >  8B95 40FFFFFF mov edx,dword ptr ss:[ebp-0xC0]
0040859B   .  56            push esi
0040859C   .  FF92 14030000 call dword ptr ds:[edx+0x314]
004085A2   .  50            push eax
004085A3   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004085A6   .  50            push eax
004085A7   .  FFD7          call edi
004085A9   .  8BF0          mov esi,eax
004085AB   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
004085AE   .  52            push edx
004085AF   .  56            push esi
004085B0   .  8B0E          mov ecx,dword ptr ds:[esi]
004085B2   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]                   ;  得到用户输入的密码
004085B8   .  85C0          test eax,eax
004085BA   .  7D 12         jge XAfKayAs_.004085CE
004085BC   .  68 A0000000   push 0xA0
004085C1   .  68 AC6F4000   push AfKayAs_.00406FAC
004085C6   .  56            push esi
004085C7   .  50            push eax
004085C8   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  msvbvm50.__vbaHresultCheckObj
004085CE   >  8B45 E8       mov eax,dword ptr ss:[ebp-0x18]
004085D1   .  50            push eax
004085D2   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]     ;  将用户输入的KEY转换成浮点数存储在ST0
004085D8   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]
004085DB   .  DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]                   ;  st0出栈到局部变量中
004085E1   .  51            push ecx
004085E2   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]     ;  将计算出来的KEY存放到ST0中
004085E8   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004085EF   .  75 08         jnz XAfKayAs_.004085F9
004085F1   .  DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4]                  ;  将计算的KEY与密码相除
004085F7   .  EB 11         jmp XAfKayAs_.0040860A
004085F9   >  FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF   .  FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605   .  E8 888AFFFF   call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A   >  DFE0          fstsw ax
0040860C   .  A8 0D         test al,0xD
0040860E   .  0F85 AB010000 jnz AfKayAs_.004087BF
00408614   .  FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>]      ;  msvbvm50.__vbaFpR8
0040861A   .  DC1D 28104000 fcomp qword ptr ds:[0x401028]                  ;  key与密码相除的商与1.0作比较
00408620   .  DFE0          fstsw ax                                       ;  将FST存储在AX中
00408622   .  F6C4 40       test ah,0x40                                   ;  判断FST AH 是否为0x40,为0x40则比较正确,为0比较错误
00408625   .  74 07         je XAfKayAs_.0040862E
00408627   .  BE 01000000   mov esi,0x1                                    ;  如果AH = 0X40 SI = 1
0040862C   .  EB 02         jmp XAfKayAs_.00408630
0040862E   >  33F6          xor esi,esi                                    ;  如果AH != 0X40 SI = 0
00408630   >  8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
00408633   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00408636   .  52            push edx
00408637   .  50            push eax
00408638   .  6A 02         push 0x2
0040863A   .  FF15 80B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>;  msvbvm50.__vbaFreeStrList
00408640   .  83C4 0C       add esp,0xC
00408643   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00408646   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
00408649   .  51            push ecx
0040864A   .  52            push edx
0040864B   .  6A 02         push 0x2
0040864D   .  FF15 08B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>;  msvbvm50.__vbaFreeObjList
00408653   .  F7DE          neg esi
00408655   .  83C4 0C       add esp,0xC
00408658   .  B9 04000280   mov ecx,0x80020004
0040865D   .  B8 0A000000   mov eax,0xA
00408662   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00408665   .  66:85F6       test si,si                                     ;  判断SI是否不等于0
00408668   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040866B   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
0040866E   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00408671   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00408674   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
00408677   .  74 62         je XAfKayAs_.004086DB                          ;  爆破点了。。

转换成C语言代码为:

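/*
 * C port of the key derivation seen in the 003 listing.
 *
 * The target computes, in VB Double arithmetic with a string round-trip
 * after every step:
 *     len(account) * 0x15B38 + Asc(account[0])      ; imul / add, each guarded by jo
 *     + 2.0                                          ; faddp of 10.0 / 5.0
 *     * 3.0  - 2.0                                   ; fmul / fsub
 *     + 15.0                                         ; listing annotates the last fsub as "+15.0";
 *                                                    ;  the constant at 0x401020 is not shown, confirm its sign
 * Every intermediate value is an integer well below 2^53, so the
 * string<->double round-trips are lossless and plain integer arithmetic
 * reproduces the value exactly.  The target's two jo checks raise an
 * overflow error once len * 0x15B38 (or the following add) leaves the
 * signed 32-bit range; this port does not model that and just wraps.
 * The final check in the target divides the entered password by this
 * key and compares the quotient with 1.0, so the password must parse to
 * the same Double as the key.
 */

/* Per-character weight of the account length (imul edi,edi,0x15B38). */
#define CRACKME003_LEN_WEIGHT 0x15B38UL

/*
 * Derives the 003 key for `account`.
 * NULL is treated as the empty string; note that the real target raises
 * a runtime error on an empty account (rtcAnsiValueBstr of ""), so the
 * value returned for "" has no counterpart in the target.
 * Returns the key as an unsigned long; arithmetic is unsigned so a
 * pathological length cannot trigger undefined behaviour.
 */
static unsigned long crackme003_key(const char *account)
{
    if (account == NULL) {
        account = "";
    }

    /* The listing sign-extends the result of rtcAnsiValueBstr (movsx edx,ax);
     * mirror that for the first byte.  Identical to the target for the
     * 7-bit ASCII range the analysis covers; bytes >= 0x80 are not verified. */
    long first = (signed char)account[0];

    unsigned long data = strlen(account) * CRACKME003_LEN_WEIGHT
                       + (unsigned long)first;          /* len * 0x15B38 + first */

    data = data + 2UL;                                  /* faddp: + (10.0 / 5.0) */
    data = data * 3UL;                                  /* fmul 3.0 */
    data = data - 2UL;                                  /* fsub 2.0 */
    data = data + 15UL;                                 /* annotated "+15.0" */

    return data;
}

/*
 * Prints the key derived from the account name `ZhangHu`.
 * The format now matches the unsigned long argument (the original "%d"
 * was a type mismatch); the trailing " \r\n" is kept unchanged.
 */
void Fun(char *ZhangHu)
{
    unsigned long data = crackme003_key(ZhangHu);
    printf("%lu \r\n", data);
}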

转载请注明:虚无 » 160个CrackMe – 003
