003 and 002 are the same program, but the author updated the algorithm once. 002 simply took the first byte of the account name and worked on it directly; 003 also takes the first byte of the account, but makes heavy use of string-to-double and double-to-string conversions, and does its arithmetic on the converted doubles. In this CM the author does not allow any characters other than 0-9 to be entered: the entered serial is parsed with __vbaR8Str, and a non-numeric string makes the program take the exception exit path.
This one is not patched here, because the patch point is in the same place as in 002. The author did not move the algorithm anywhere else either; it still sits before the patch point, so you find it the same way as in 002.
004081C9 . 51              push ecx
004081CA . 53              push ebx
004081CB . 8B03            mov eax,dword ptr ds:[ebx]
004081CD . FF90 A0000000   call dword ptr ds:[eax+0xA0]                        ; get the entered account name
004081D3 . 3BC7            cmp eax,edi
004081D5 . 7D 12           jge XAfKayAs_.004081E9
004081D7 . 68 A0000000     push 0xA0
004081DC . 68 AC6F4000     push AfKayAs_.00406FAC
004081E1 . 53              push ebx
004081E2 . 50              push eax
004081E3 . FF15 18B14000   call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>  ; msvbvm50.__vbaHresultCheckObj
004081E9 > 8B95 50FFFFFF   mov edx,dword ptr ss:[ebp-0xB0]
004081EF . 8B45 E4         mov eax,dword ptr ss:[ebp-0x1C]
004081F2 . 50              push eax                                            ; /String
004081F3 . 8B1A            mov ebx,dword ptr ds:[edx]                          ; |
004081F5 . FF15 F8B04000   call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]       ; \__vbaLenBstr
004081FB . 8BF8            mov edi,eax                                         ; account length
004081FD . 8B4D E8         mov ecx,dword ptr ss:[ebp-0x18]
00408200 . 69FF 385B0100   imul edi,edi,0x15B38                                ; len * 0x15B38
00408206 . 51              push ecx                                            ; /String
00408207 . 0F80 B7050000   jo AfKayAs_.004087C4                                ; | signed overflow (len * 0x15B38 >= 0x80000000) -> exception path
0040820D . FF15 0CB14000   call dword ptr ds:[<&MSVBVM50.#516>]               ; \rtcAnsiValueBstr: Asc() of the first character
00408213 . 0FBFD0          movsx edx,ax
00408216 . 03FA            add edi,edx                                         ; len * 0x15B38 + Asc(first char)
00408218 . 0F80 A6050000   jo AfKayAs_.004087C4                                ; signed overflow on the add -> exception path
0040821E . 57              push edi                                            ; convert the result to a string
0040821F . FF15 F4B04000   call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]         ; msvbvm50.__vbaStrI4
00408225 . 8BD0            mov edx,eax
00408227 . 8D4D E0         lea ecx,dword ptr ss:[ebp-0x20]
........
004082BA . 8D45 E8         lea eax,dword ptr ss:[ebp-0x18]
004082BD . 50              push eax
004082BE . 53              push ebx
004082BF . 8B13            mov edx,dword ptr ds:[ebx]
004082C1 . FF92 A0000000   call dword ptr ds:[edx+0xA0]                        ; fetch the computed KEY, stored as a string
004082C7 . 85C0            test eax,eax
004082C9 . 7D 12           jge XAfKayAs_.004082DD
004082CB . 68 A0000000     push 0xA0
004082D0 . 68 AC6F4000     push AfKayAs_.00406FAC
004082D5 . 53              push ebx
004082D6 . 50              push eax
004082D7 . FF15 18B14000   call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>  ; msvbvm50.__vbaHresultCheckObj
004082DD > 8B8D 58FFFFFF   mov ecx,dword ptr ss:[ebp-0xA8]
004082E3 . 8B55 E8         mov edx,dword ptr ss:[ebp-0x18]
004082E6 . 52              push edx
004082E7 . 8B19            mov ebx,dword ptr ds:[ecx]
004082E9 . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]         ; convert the KEY string to a double in ST0
004082EF . D905 08104000   fld dword ptr ds:[0x401008]                         ; push 10.0
004082F5 . 833D 00904000>  cmp dword ptr ds:[0x409000],0x0                     ; FDIV-bug workaround flag: if set, use _adj_fdiv_m32 instead of fdiv
004082FC . 75 08           jnz XAfKayAs_.00408306
004082FE . D835 0C104000   fdiv dword ptr ds:[0x40100C]                        ; ST0 / 5.0
00408304 . EB 0B           jmp XAfKayAs_.00408311
00408306 > FF35 0C104000   push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF     call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08         sub esp,0x8
00408314 . DFE0            fstsw ax
00408316 . A8 0D           test al,0xD
00408318 . 0F85 A1040000   jnz AfKayAs_.004087BF
0040831E . DEC1            faddp st(1),st                                      ; ST1 (KEY) + ST0 (10.0 / 5.0 = 2.0)
00408320 . DFE0            fstsw ax
00408322 . A8 0D           test al,0xD
00408324 . 0F85 95040000   jnz AfKayAs_.004087BF
0040832A . DD1C24          fstp qword ptr ss:[esp]                             ; store KEY + 2.0 at [esp] for the call below
0040832D . FF15 48B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]         ; convert the KEY back to a string
00408333 . 8BD0            mov edx,eax
......
004083C6 . 8D45 E8         lea eax,dword ptr ss:[ebp-0x18]
004083C9 . 50              push eax
004083CA . 53              push ebx
004083CB . 8B13            mov edx,dword ptr ds:[ebx]
004083CD . FF92 A0000000   call dword ptr ds:[edx+0xA0]                        ; fetch the KEY as a string
004083D3 . 85C0            test eax,eax
004083D5 . 7D 12           jge XAfKayAs_.004083E9
004083D7 . 68 A0000000     push 0xA0
004083DC . 68 AC6F4000     push AfKayAs_.00406FAC
004083E1 . 53              push ebx
004083E2 . 50              push eax
004083E3 . FF15 18B14000   call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>  ; msvbvm50.__vbaHresultCheckObj
004083E9 > 8B8D 58FFFFFF   mov ecx,dword ptr ss:[ebp-0xA8]
004083EF . 8B55 E8         mov edx,dword ptr ss:[ebp-0x18]
004083F2 . 52              push edx
004083F3 . 8B19            mov ebx,dword ptr ds:[ecx]
004083F5 . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]         ; convert the KEY string to a double in ST0
004083FB . DC0D 10104000   fmul qword ptr ds:[0x401010]                        ; key * 3.0
00408401 . 83EC 08         sub esp,0x8
00408404 . DC25 18104000   fsub qword ptr ds:[0x401018]                        ; key - 2.0
0040840A . DFE0            fstsw ax
0040840C . A8 0D           test al,0xD
0040840E . 0F85 AB030000   jnz AfKayAs_.004087BF
00408414 . DD1C24          fstp qword ptr ss:[esp]                             ; store the result at [esp] for the call below
00408417 . FF15 48B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]         ; convert the KEY back to a string
0040841D . 8BD0            mov edx,eax
0040841F . 8D4D E4         lea ecx,dword ptr ss:[ebp-0x1C]
.....
004084AE . 8BD8            mov ebx,eax
004084B0 . 8D45 E8         lea eax,dword ptr ss:[ebp-0x18]
004084B3 . 50              push eax
004084B4 . 53              push ebx
004084B5 . 8B13            mov edx,dword ptr ds:[ebx]
004084B7 . FF92 A0000000   call dword ptr ds:[edx+0xA0]                        ; fetch the KEY as a string
004084BD . 85C0            test eax,eax
004084BF . 7D 12           jge XAfKayAs_.004084D3
004084C1 . 68 A0000000     push 0xA0
004084C6 . 68 AC6F4000     push AfKayAs_.00406FAC
004084CB . 53              push ebx
004084CC . 50              push eax
004084CD . FF15 18B14000   call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>  ; msvbvm50.__vbaHresultCheckObj
004084D3 > 8B8D 58FFFFFF   mov ecx,dword ptr ss:[ebp-0xA8]
004084D9 . 8B55 E8         mov edx,dword ptr ss:[ebp-0x18]
004084DC . 52              push edx
004084DD . 8B19            mov ebx,dword ptr ds:[ecx]
004084DF . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]         ; convert the KEY string to a double in ST0
004084E5 . DC25 20104000   fsub qword ptr ds:[0x401020]                        ; fsub of the constant at 0x401020; the net effect is KEY + 15.0
004084EB . 83EC 08         sub esp,0x8
004084EE . DFE0            fstsw ax
004084F0 . A8 0D           test al,0xD
004084F2 . 0F85 C7020000   jnz AfKayAs_.004087BF
004084F8 . DD1C24          fstp qword ptr ss:[esp]                             ; store the result at [esp] for the call below
004084FB . FF15 48B14000   call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]         ; convert the KEY back to a string
00408501 . 8BD0            mov edx,eax
......
00408570 . 8BD8            mov ebx,eax
00408572 . 8D4D E4         lea ecx,dword ptr ss:[ebp-0x1C]
00408575 . 51              push ecx
00408576 . 53              push ebx
00408577 . 8B03            mov eax,dword ptr ds:[ebx]
00408579 . FF90 A0000000   call dword ptr ds:[eax+0xA0]                        ; fetch the final KEY as a string
0040857F . 85C0            test eax,eax
00408581 . 7D 12           jge XAfKayAs_.00408595
00408583 . 68 A0000000     push 0xA0
00408588 . 68 AC6F4000     push AfKayAs_.00406FAC
0040858D . 53              push ebx
0040858E . 50              push eax
0040858F . FF15 18B14000   call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>  ; msvbvm50.__vbaHresultCheckObj
00408595 > 8B95 40FFFFFF   mov edx,dword ptr ss:[ebp-0xC0]
0040859B . 56              push esi
0040859C . FF92 14030000   call dword ptr ds:[edx+0x314]
004085A2 . 50              push eax
004085A3 . 8D45 DC         lea eax,dword ptr ss:[ebp-0x24]
004085A6 . 50              push eax
004085A7 . FFD7            call edi
004085A9 . 8BF0            mov esi,eax
004085AB . 8D55 E8         lea edx,dword ptr ss:[ebp-0x18]
004085AE . 52              push edx
004085AF . 56              push esi
004085B0 . 8B0E            mov ecx,dword ptr ds:[esi]
004085B2 . FF91 A0000000   call dword ptr ds:[ecx+0xA0]                        ; get the password the user entered
004085B8 . 85C0            test eax,eax
004085BA . 7D 12           jge XAfKayAs_.004085CE
004085BC . 68 A0000000     push 0xA0
004085C1 . 68 AC6F4000     push AfKayAs_.00406FAC
004085C6 . 56              push esi
004085C7 . 50              push eax
004085C8 . FF15 18B14000   call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>  ; msvbvm50.__vbaHresultCheckObj
004085CE > 8B45 E8         mov eax,dword ptr ss:[ebp-0x18]
004085D1 . 50              push eax
004085D2 . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]         ; convert the entered password to a double in ST0
004085D8 . 8B4D E4         mov ecx,dword ptr ss:[ebp-0x1C]
004085DB . DD9D 1CFFFFFF   fstp qword ptr ss:[ebp-0xE4]                        ; pop it into a local
004085E1 . 51              push ecx
004085E2 . FF15 74B14000   call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]         ; convert the computed KEY to a double in ST0
004085E8 . 833D 00904000>  cmp dword ptr ds:[0x409000],0x0                     ; FDIV-bug workaround flag again
004085EF . 75 08           jnz XAfKayAs_.004085F9
004085F1 . DCBD 1CFFFFFF   fdivr qword ptr ss:[ebp-0xE4]                       ; ST0 = entered password / computed KEY
004085F7 . EB 11           jmp XAfKayAs_.0040860A
004085F9 > FFB5 20FFFFFF   push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF   push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF     call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A > DFE0            fstsw ax
0040860C . A8 0D           test al,0xD
0040860E . 0F85 AB010000   jnz AfKayAs_.004087BF
00408614 . FF15 34B14000   call dword ptr ds:[<&MSVBVM50.__vbaFpR8>]          ; msvbvm50.__vbaFpR8
0040861A . DC1D 28104000   fcomp qword ptr ds:[0x401028]                       ; compare the quotient password / KEY with 1.0
00408620 . DFE0            fstsw ax                                            ; FPU status word into AX
00408622 . F6C4 40         test ah,0x40                                        ; C3 flag: set when the operands are equal, clear otherwise
00408625 . 74 07           je XAfKayAs_.0040862E
00408627 . BE 01000000     mov esi,0x1                                         ; equal -> ESI = 1
0040862C . EB 02           jmp XAfKayAs_.00408630
0040862E > 33F6            xor esi,esi                                         ; not equal -> ESI = 0
00408630 > 8D55 E4         lea edx,dword ptr ss:[ebp-0x1C]
00408633 . 8D45 E8         lea eax,dword ptr ss:[ebp-0x18]
00408636 . 52              push edx
00408637 . 50              push eax
00408638 . 6A 02           push 0x2
0040863A . FF15 80B14000   call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>   ; msvbvm50.__vbaFreeStrList
00408640 . 83C4 0C         add esp,0xC
00408643 . 8D4D D8         lea ecx,dword ptr ss:[ebp-0x28]
00408646 . 8D55 DC         lea edx,dword ptr ss:[ebp-0x24]
00408649 . 51              push ecx
0040864A . 52              push edx
0040864B . 6A 02           push 0x2
0040864D . FF15 08B14000   call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>   ; msvbvm50.__vbaFreeObjList
00408653 . F7DE            neg esi
00408655 . 83C4 0C         add esp,0xC
00408658 . B9 04000280     mov ecx,0x80020004
0040865D . B8 0A000000     mov eax,0xA
00408662 . 894D 9C         mov dword ptr ss:[ebp-0x64],ecx
00408665 . 66:85F6         test si,si                                          ; is SI non-zero?
00408668 . 8945 94         mov dword ptr ss:[ebp-0x6C],eax
0040866B . 894D AC         mov dword ptr ss:[ebp-0x54],ecx
0040866E . 8945 A4         mov dword ptr ss:[ebp-0x5C],eax
00408671 . 894D BC         mov dword ptr ss:[ebp-0x44],ecx
00408674 . 8945 B4         mov dword ptr ss:[ebp-0x4C],eax
00408677 . 74 62           je XAfKayAs_.004086DB                               ; the patch point
Converted to C (the VB code works on doubles, so the result is kept as a double and printed without a fractional part):

#include <stdio.h>
#include <string.h>

/* Serial for a given account name: (len * 0x15B38 + Asc(first char) + 2) * 3 - 2 + 15 */
void Fun(const char *ZhangHu)
{
    long   base = (long)strlen(ZhangHu) * 0x15B38 + (unsigned char)ZhangHu[0];
    double data = ((double)base + 2.0) * 3.0 - 2.0 + 15.0;
    printf("%.0f\r\n", data);
}
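As an added example (not the post's code and not part of the CrackMe), here is the whole check reconstructed in C from the listing above: the two jo overflow checks on the integer part, the three FPU stages, the digits-only restriction on the serial, and the final password / KEY == 1.0 comparison. It assumes the constants are what the post reads from the listing (10.0, 5.0, 3.0, 2.0, and a subtraction that nets +15.0); the sample accounts are constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Keygen and serial check for CrackMe 003 (AfKayAs_), reconstructed from the
 * disassembly. Added example, not the CrackMe's own code. Assumes the FPU
 * constants are 10.0, 5.0, 3.0, 2.0 and a final fsub that nets +15.0. */

/* Mirrors 00408200..00408218: len * 0x15B38 + Asc(first char). The runtime does
 * this in signed 32-bit arithmetic with a jo after each step, so a result above
 * INT_MAX takes the exception path; that case is reported as -1. */
static long long base_from(long long len, int first)
{
    long long prod = len * 0x15B38;
    if (prod > INT_MAX)
        return -1;                      /* jo at 00408207 */
    long long sum = prod + first;       /* movsx edx,ax ; add edi,edx */
    if (sum > INT_MAX)
        return -1;                      /* jo at 00408218 */
    return sum;
}

static long long account_base(const char *account)
{
    if (account[0] == '\0')
        return -1;                      /* Asc("") raises a VB runtime error */
    /* Asc() of an ANSI character is 0..255, so the movsx never yields a negative value. */
    return base_from((long long)strlen(account), (unsigned char)account[0]);
}

/* Mirrors the three FPU stages. Between stages the runtime stores the value
 * with __vbaStrR8 and reparses it with __vbaR8Str; for integral values that
 * round trip is lossless, so plain double arithmetic gives the same result.
 * Returns -1.0 when the integer stage would have overflowed. */
static double serial_value(const char *account)
{
    long long base = account_base(account);
    if (base < 0)
        return -1.0;
    double key = (double)base;
    key = key + 10.0 / 5.0;             /* 004082EF..0040831E */
    key = key * 3.0 - 2.0;              /* 004083FB..00408404 */
    key = key + 15.0;                   /* 004084E5 */
    return key;
}

/* Mirrors 004085D2..00408625: entered password / computed KEY compared with 1.0.
 * Only digits are accepted because __vbaR8Str on a non-numeric string raises a
 * runtime error (the exception exit the post mentions). Leading zeros still
 * parse to the same double, so a serial with a leading zero is accepted too. */
static int check_serial(const char *account, const char *serial)
{
    double key = serial_value(account);
    if (key < 0 || serial[0] == '\0')
        return 0;
    for (const char *p = serial; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    double entered = strtod(serial, NULL);
    return (entered / key) == 1.0;      /* fdivr, fcomp 1.0, test ah,0x40 */
}

int main(void)
{
    /* Constructed sample accounts, not taken from the original post. */
    const char *accounts[] = { "test", "A", "" };
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++) {
        double key = serial_value(accounts[i]);
        if (key < 0) {
            printf("%-6s -> rejected\n", accounts[i]);
            continue;
        }
        char serial[32];
        snprintf(serial, sizeof serial, "%.0f", key);
        printf("%-6s -> %s  check=%d\n", accounts[i], serial,
               check_serial(accounts[i], serial));
    }
    return 0;
}
```

Build with `cc -std=c99 -o keygen keygen.c`. One detail worth noticing: because the CM compares a floating-point quotient with 1.0 rather than the strings themselves, any digit string that parses to the same double passes, so "01067023" is as valid as "1067023" for the account "test".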
Please credit when reposting: 虚无 » 160 CrackMes – 003