好友
阅读权限25
听众
最后登录1970-1-1
|
本帖最后由 hjm666 于 2018-5-7 16:16 编辑
时隔几天,停停续续,160个CrakeMe 点小公鸡抽的第14 ,终于出炉了,虽然有些不怎么完美(敲下不完美时,强迫症蠢蠢欲动·· 但有点无奈这次跟值跟址有点烦
如有大佬练过手,可否授经···· )
正文开始: 收集程序的基础信息
主界面
子窗口:
查壳:
无壳,抽的这几个好像都是 Serial 的类型,下次抽个有壳的试试手
照常先用反编译软件试试风:
vbexplorer仔细找一下可以找到Check it 键的事件地址
接下来长驱直入,有些比较繁琐的步骤可能会进行省略~~
写到这里时·····才发现我OD缓存因为不知名力量没了,没了,没了!! emmmmm ...... 所以,我又要重新注释代码······心态炸了·。。。
先把特别长的主要代码全放上来,再从头分析··
[Asm] 纯文本查看 复制代码 00403620 > \55 push ebp
00403621 . 8BEC mov ebp,esp
00403623 . 83EC 0C sub esp,0xC
00403626 . 68 16114000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE 处理程序安装
0040362B . 64:A1 0000000>mov eax,dword ptr fs:[0]
00403631 . 50 push eax
00403632 . 64:8925 00000>mov dword ptr fs:[0],esp
00403639 . 81EC E4000000 sub esp,0xE4
0040363F . 53 push ebx ; msvbvm60.rtcStrFromVar
00403640 . 56 push esi ; msvbvm60.__vbaStrMove
00403641 . 57 push edi
00403642 . 8965 F4 mov dword ptr ss:[ebp-0xC],esp
00403645 . C745 F8 E0104>mov dword ptr ss:[ebp-0x8],bjanes_1.004010E0
0040364C . 8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
0040364F . 8BC7 mov eax,edi
00403651 . 83E0 01 and eax,0x1
00403654 . 8945 FC mov dword ptr ss:[ebp-0x4],eax
00403657 . 83E7 FE and edi,-0x2
0040365A . 57 push edi
0040365B . 897D 08 mov dword ptr ss:[ebp+0x8],edi
0040365E . 8B0F mov ecx,dword ptr ds:[edi]
00403660 . FF51 04 call dword ptr ds:[ecx+0x4]
00403663 . 8B17 mov edx,dword ptr ds:[edi]
00403665 . 33DB xor ebx,ebx ; msvbvm60.rtcStrFromVar
00403667 . 57 push edi
00403668 . 895D E4 mov dword ptr ss:[ebp-0x1C],ebx ; msvbvm60.rtcStrFromVar
0040366B . 895D E0 mov dword ptr ss:[ebp-0x20],ebx ; msvbvm60.rtcStrFromVar
0040366E . 895D DC mov dword ptr ss:[ebp-0x24],ebx ; msvbvm60.rtcStrFromVar
00403671 . 895D D8 mov dword ptr ss:[ebp-0x28],ebx ; msvbvm60.rtcStrFromVar
00403674 . 895D D4 mov dword ptr ss:[ebp-0x2C],ebx ; msvbvm60.rtcStrFromVar
00403677 . 895D D0 mov dword ptr ss:[ebp-0x30],ebx ; msvbvm60.rtcStrFromVar
0040367A . 895D C0 mov dword ptr ss:[ebp-0x40],ebx ; msvbvm60.rtcStrFromVar
0040367D . 895D B0 mov dword ptr ss:[ebp-0x50],ebx ; msvbvm60.rtcStrFromVar
00403680 . 895D A0 mov dword ptr ss:[ebp-0x60],ebx ; msvbvm60.rtcStrFromVar
00403683 . 895D 90 mov dword ptr ss:[ebp-0x70],ebx ; msvbvm60.rtcStrFromVar
00403686 . 895D 80 mov dword ptr ss:[ebp-0x80],ebx ; msvbvm60.rtcStrFromVar
00403689 . 899D 70FFFFFF mov dword ptr ss:[ebp-0x90],ebx ; msvbvm60.rtcStrFromVar
0040368F . 899D 60FFFFFF mov dword ptr ss:[ebp-0xA0],ebx ; msvbvm60.rtcStrFromVar
00403695 . 899D 50FFFFFF mov dword ptr ss:[ebp-0xB0],ebx ; msvbvm60.rtcStrFromVar
0040369B . 899D 30FFFFFF mov dword ptr ss:[ebp-0xD0],ebx ; msvbvm60.rtcStrFromVar
004036A1 . FF92 08030000 call dword ptr ds:[edx+0x308]
004036A7 . 50 push eax
004036A8 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004036AB . 50 push eax
004036AC . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004036B2 . 8BF0 mov esi,eax
004036B4 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004036B7 . 52 push edx
004036B8 . 56 push esi ; msvbvm60.__vbaStrMove
004036B9 . 8B0E mov ecx,dword ptr ds:[esi]
004036BB . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004036C1 . 3BC3 cmp eax,ebx ; msvbvm60.rtcStrFromVar
004036C3 . DBE2 fclex
004036C5 . 7D 12 jge short bjanes_1.004036D9
004036C7 . 68 A0000000 push 0xA0
004036CC . 68 44224000 push bjanes_1.00402244
004036D1 . 56 push esi ; msvbvm60.__vbaStrMove
004036D2 . 50 push eax
004036D3 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004036D9 > 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004036DC . 50 push eax ; /String = " 3"
004036DD . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \_vbaLenBster 计算字符长度
004036E3 . 33C9 xor ecx,ecx
004036E5 . 83F8 09 cmp eax,0x9 ; 字符长度必须等于9
004036E8 . 0f95c1 setne cl ; eax =9 - > cl=0;if eax不等于9 cl=1
004036EB . F7D9 neg ecx
004036ED . 8BF1 mov esi,ecx
004036EF . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004036F2 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
004036F8 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004036FB . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00403701 . 66:3BF3 cmp si,bx
00403704 . 0F85 1A030000 jnz bjanes_1.00403A24 ; 不跳, 验证字符长度是否=9
0040370A . 8B17 mov edx,dword ptr ds:[edi]
0040370C . 57 push edi
0040370D . FF92 08030000 call dword ptr ds:[edx+0x308]
00403713 . 50 push eax
00403714 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
00403717 . 50 push eax
00403718 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
0040371E . 8BF0 mov esi,eax
00403720 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
00403723 . 52 push edx
00403724 . 56 push esi ; msvbvm60.__vbaStrMove
00403725 . 8B0E mov ecx,dword ptr ds:[esi]
00403727 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
0040372D . 3BC3 cmp eax,ebx ; msvbvm60.rtcStrFromVar
0040372F . DBE2 fclex
00403731 . 7D 12 jge short bjanes_1.00403745
00403733 . 68 A0000000 push 0xA0
00403738 . 68 44224000 push bjanes_1.00402244
0040373D . 56 push esi ; msvbvm60.__vbaStrMove
0040373E . 50 push eax
0040373F . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00403745 > 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00403748 . 50 push eax ; /String = " 3"
00403749 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; \_vbaLenBster 计算字符长度
0040374F . 8BC8 mov ecx,eax
00403751 . FF15 50104000 call dword ptr ds:[<&MSVBVM60.__vbaI2I4>] ; msvbvm60.__vbaI2I4
00403757 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040375A . 8985 14FFFFFF mov dword ptr ss:[ebp-0xEC],eax
00403760 . C745 E8 01000>mov dword ptr ss:[ebp-0x18],0x1
00403767 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; msvbvm60.__vbaFreeStr
0040376D . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
00403770 . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
00403776 . 8B35 AC104000 mov esi,dword ptr ds:[<&MSVBVM60.__vbaStrMove>] ; msvbvm60.__vbaStrMove
0040377C > 66:8B8D 14FFF>mov cx,word ptr ss:[ebp-0xEC]
00403783 . 66:394D E8 cmp word ptr ss:[ebp-0x18],cx
00403787 . 0F8F 17030000 jg bjanes_1.00403AA4 ; 重要的成功跳转
0040378D . 8B17 mov edx,dword ptr ds:[edi]
0040378F . 57 push edi
00403790 . FF92 08030000 call dword ptr ds:[edx+0x308]
00403796 . 50 push eax
00403797 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
0040379A . 50 push eax
0040379B . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004037A1 . 8BD8 mov ebx,eax
004037A3 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004037A6 . 52 push edx
004037A7 . 53 push ebx ; msvbvm60.rtcStrFromVar
004037A8 . 8B0B mov ecx,dword ptr ds:[ebx]
004037AA . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004037B0 . 85C0 test eax,eax
004037B2 . DBE2 fclex
004037B4 . 7D 12 jge short bjanes_1.004037C8
004037B6 . 68 A0000000 push 0xA0
004037BB . 68 44224000 push bjanes_1.00402244
004037C0 . 53 push ebx ; msvbvm60.rtcStrFromVar
004037C1 . 50 push eax
004037C2 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004037C8 > 8B07 mov eax,dword ptr ds:[edi]
004037CA . 57 push edi
004037CB . FF90 08030000 call dword ptr ds:[eax+0x308]
004037D1 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004037D4 . 50 push eax
004037D5 . 51 push ecx
004037D6 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004037DC . 8BF8 mov edi,eax
004037DE . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004037E1 . 50 push eax
004037E2 . 57 push edi
004037E3 . 8B17 mov edx,dword ptr ds:[edi]
004037E5 . FF92 A0000000 call dword ptr ds:[edx+0xA0]
004037EB . 85C0 test eax,eax
004037ED . DBE2 fclex
004037EF . 7D 12 jge short bjanes_1.00403803
004037F1 . 68 A0000000 push 0xA0
004037F6 . 68 44224000 push bjanes_1.00402244
004037FB . 57 push edi
004037FC . 50 push eax
004037FD . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
00403803 > 0FBF7D E8 movsx edi,word ptr ss:[ebp-0x18]
00403807 . 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
0040380A . B9 01000000 mov ecx,0x1
0040380F . 894D C8 mov dword ptr ss:[ebp-0x38],ecx
00403812 . 894D B8 mov dword ptr ss:[ebp-0x48],ecx
00403815 . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
00403818 . B8 02000000 mov eax,0x2
0040381D . 51 push ecx
0040381E . 57 push edi
0040381F . 52 push edx
00403820 . 8945 C0 mov dword ptr ss:[ebp-0x40],eax
00403823 . 8945 B0 mov dword ptr ss:[ebp-0x50],eax
00403826 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.#631_rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr
0040382C . 8BD0 mov edx,eax
0040382E . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00403831 . FFD6 call esi ; msvbvm60.__vbaStrMove
00403833 . 50 push eax ; /String = " "
00403834 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#516_rtcAnsiValueBstr>] ; \rtcAnsiValueBstr 截取字符
0040383A . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040383D . 33DB xor ebx,ebx ; msvbvm60.rtcStrFromVar
0040383F . 66:3D 3900 cmp ax,0x39
00403843 . 8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
00403846 . 50 push eax
00403847 . 57 push edi
00403848 . 0f9fc3 setg bl
0040384B . 51 push ecx
0040384C . F7DB neg ebx ; msvbvm60.rtcStrFromVar
0040384E . FF15 44104000 call dword ptr ds:[<&MSVBVM60.#631_rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr
00403854 . 8BD0 mov edx,eax
00403856 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00403859 . FFD6 call esi ; msvbvm60.__vbaStrMove
0040385B . 50 push eax ; /String = " "
0040385C . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#516_rtcAnsiValueBstr>] ; \rtcAnsiValueBstr 截取字符
00403862 . 33D2 xor edx,edx
00403864 . 66:3D 3000 cmp ax,0x30
00403868 . 0f9cc2 setl dl
0040386B . F7DA neg edx
0040386D . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00403870 . 23DA and ebx,edx
00403872 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00403875 . 50 push eax
00403876 . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
00403879 . 51 push ecx
0040387A . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0040387D . 52 push edx
0040387E . 50 push eax
0040387F . 6A 04 push 0x4
00403881 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
00403887 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
0040388A . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
0040388D . 51 push ecx
0040388E . 52 push edx
0040388F . 6A 02 push 0x2
00403891 . FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObjList>] ; msvbvm60.__vbaFreeObjList
00403897 . 8D45 B0 lea eax,dword ptr ss:[ebp-0x50]
0040389A . 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
0040389D . 50 push eax
0040389E . 51 push ecx
0040389F . 6A 02 push 0x2
004038A1 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004038A7 . 83C4 2C add esp,0x2C
004038AA . 66:85DB test bx,bx
004038AD . 0F85 6F010000 jnz bjanes_1.00403A22 ; 不跳
004038B3 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
004038B6 . 50 push eax
004038B7 . 8B10 mov edx,dword ptr ds:[eax]
004038B9 . FF92 08030000 call dword ptr ds:[edx+0x308]
004038BF . 50 push eax
004038C0 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004038C3 . 50 push eax
004038C4 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; msvbvm60.__vbaObjSet
004038CA . 8BD8 mov ebx,eax
004038CC . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004038CF . 52 push edx
004038D0 . 53 push ebx ; msvbvm60.rtcStrFromVar
004038D1 . 8B0B mov ecx,dword ptr ds:[ebx]
004038D3 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004038D9 . 85C0 test eax,eax
004038DB . DBE2 fclex
004038DD . 7D 12 jge short bjanes_1.004038F1
004038DF . 68 A0000000 push 0xA0
004038E4 . 68 44224000 push bjanes_1.00402244
004038E9 . 53 push ebx ; msvbvm60.rtcStrFromVar
004038EA . 50 push eax
004038EB . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresultCheckObj>] ; msvbvm60.__vbaHresultCheckObj
004038F1 > 66:8B45 E8 mov ax,word ptr ss:[ebp-0x18] ; ------------var18
004038F5 . 8B1D 74104000 mov ebx,dword ptr ds:[<&MSVBVM60.#536_rtcStrFromVar>] ; msvbvm60.rtcStrFromVar
004038FB . 66:35 0200 xor ax,0x2 ; xor var18 ,0x2
004038FF . 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
00403902 . 0F80 A4020000 jo bjanes_1.00403BAC
00403908 . 51 push ecx
00403909 . 66:8945 A8 mov word ptr ss:[ebp-0x58],ax ; eax xor 的值
0040390D . C745 A0 02000>mov dword ptr ss:[ebp-0x60],0x2
00403914 . FFD3 call ebx ; msvbvm60.rtcStrFromVar; <&MSVBVM60.#536_rtcStrFromVar>
00403916 . 8BD0 mov edx,eax
00403918 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0040391B . FFD6 call esi ; ebp -28 = eax =xor var18 ,0x2
0040391D . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00403920 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
00403923 . 52 push edx
00403924 . 57 push edi
00403925 . 50 push eax
00403926 . C745 C8 01000>mov dword ptr ss:[ebp-0x38],0x1
0040392D . C745 C0 02000>mov dword ptr ss:[ebp-0x40],0x2
00403934 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.#631_rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr
0040393A . 8BD0 mov edx,eax
0040393C . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040393F . FFD6 call esi ; msvbvm60.__vbaStrMove
00403941 . 50 push eax ; /String = " "
00403942 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#516_rtcAnsiValueBstr>] ; \rtcAnsiValueBstr 截取字符
00403948 . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
0040394B . 66:8945 B8 mov word ptr ss:[ebp-0x48],ax
0040394F . 51 push ecx
00403950 . C745 B0 02000>mov dword ptr ss:[ebp-0x50],0x2
00403957 . FFD3 call ebx ; msvbvm60.rtcStrFromVar
00403959 . 8BD0 mov edx,eax
0040395B . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040395E . FFD6 call esi ; msvbvm60.__vbaStrMove
00403960 . 50 push eax
00403961 . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; msvbvm60.__vbaR8Str
00403967 . DC25 D8104000 fsub qword ptr ds:[0x4010D8]
0040396D . 8D55 90 lea edx,dword ptr ss:[ebp-0x70]
00403970 . 6A 01 push 0x1
00403972 . 52 push edx
00403973 . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],0x8005
0040397D . DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8]
00403983 . DFE0 fstsw ax
00403985 . A8 0D test al,0xD
00403987 . 0F85 1A020000 jnz bjanes_1.00403BA7 ; 不跳
0040398D . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; --------------var28
00403990 . C745 D8 00000>mov dword ptr ss:[ebp-0x28],0x0
00403997 . 8945 98 mov dword ptr ss:[ebp-0x68],eax
0040399A . 8D45 80 lea eax,dword ptr ss:[ebp-0x80]
0040399D . 50 push eax
0040399E . C745 90 08000>mov dword ptr ss:[ebp-0x70],0x8
004039A5 . FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#619_rtcRightCharVar>] ; msvbvm60.rtcRightCharVar
004039AB . 8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-0xD0]
004039B1 . 8D55 80 lea edx,dword ptr ss:[ebp-0x80]
004039B4 . 51 push ecx ; /var18 = 0012F5E8
004039B5 . 52 push edx ; |var28 = 00247B34
004039B6 . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>] ; \__vbaVarTstNe
004039BC . 8BF8 mov edi,eax ; _vbaVarTstNe 比较字符
004039BE . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004039C1 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
004039C4 . 50 push eax
004039C5 . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
004039C8 . 51 push ecx
004039C9 . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
004039CC . 52 push edx
004039CD . 50 push eax
004039CE . 6A 04 push 0x4
004039D0 . FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>] ; msvbvm60.__vbaFreeStrList
004039D6 . 83C4 14 add esp,0x14
004039D9 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004039DC . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>] ; msvbvm60.__vbaFreeObj
004039E2 . 8D4D 80 lea ecx,dword ptr ss:[ebp-0x80]
004039E5 . 8D55 90 lea edx,dword ptr ss:[ebp-0x70]
004039E8 . 51 push ecx
004039E9 . 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
004039EC . 52 push edx
004039ED . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
004039F0 . 50 push eax
004039F1 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004039F4 . 51 push ecx
004039F5 . 52 push edx
004039F6 . 6A 05 push 0x5
004039F8 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004039FE . 83C4 18 add esp,0x18
00403A01 . 66:85FF test di,di
00403A04 . 75 1C jnz short bjanes_1.00403A22 ; 不跳
00403A06 . 8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
00403A09 . B8 01000000 mov eax,0x1
00403A0E . 66:0345 E8 add ax,word ptr ss:[ebp-0x18] ; 不跳
00403A12 . 0F80 94010000 jo bjanes_1.00403BAC
00403A18 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00403A1B . 33DB xor ebx,ebx ; msvbvm60.rtcStrFromVar
00403A1D .^ E9 5AFDFFFF jmp bjanes_1.0040377C ; JMP到成功
一开始是一个字符长度验证跳转,但这个跳转并不像一般的 cmp 后紧接着是跳转,所以一开始我一顿瞎几把乱敲一堆验证码check it 后, 我莫名奇妙的发现
程序还什么都没做就把我抛飞了,仔细看了后才发现这个跳转,利用的是改变寄存器标志位达到00403704是否跳转
然后就是这个程序下的一个小陷阱了,一开始分析时,将比较重要的跳转和函数标注后,自行照着程序跑了一遍,发现根本没有get到程序的任何G点啊······
只是找到了截取出了第一个字符出来进行一段反正我是看不懂的操作后,函数进行了验证一下后就直接跑飞了·······没有找到像样的的循环操作等,一开始我
怀疑字符处理的步骤隐藏在了众多的call中,后来花了很多时间跟进call (过程略······心态有炸,桑心···逆向啊··还是得有心态··)
[Asm] 纯文本查看 复制代码 004039F8 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>] ; msvbvm60.__vbaFreeVarList
004039FE . 83C4 18 add esp,0x18
00403A01 . 66:85FF test di,di
00403A04 . 75 1C jnz short bjanes_1.00403A22 ; 不跳
00403A06 . 8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
00403A09 . B8 01000000 mov eax,0x1
00403A0E . 66:0345 E8 add ax,word ptr ss:[ebp-0x18] ; 不跳
00403A12 . 0F80 94010000 jo bjanes_1.00403BAC
00403A18 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00403A1B . 33DB xor ebx,ebx ; msvbvm60.rtcStrFromVar
00403A1D .^ E9 5AFDFFFF jmp bjanes_1.0040377C ; JMP到成功
后来我将00403a04 在寄存器中将他的z标志位修改后让程序运行到 00403A1D后让程序继续跟下去,然后我就发现了新世界····
程序并没有直接结束,而是再运行了一遍验证,这次可以看到抽取了我输入的第二个字符进行操作
[Asm] 纯文本查看 复制代码 004039B1 . 8D55 80 lea edx,dword ptr ss:[ebp-0x80]
004039B4 . 51 push ecx ; /var18 = 0012F5E8
004039B5 . 52 push edx ; |var28 = 00247B34
004039B6 . FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>] ; \__vbaVarTstNe
004039BC . 8BF8 mov edi,eax ; _vbaVarTstNe 比较字符
004039BE . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
根据这个验证函数的两个值 var18 和 var 28,我开始在多次循环中找到他们的值,以便跟踪下去
[Asm] 纯文本查看 复制代码 004038F1 > \66:8B45 E8 mov ax,word ptr ss:[ebp-0x18] ; ------------var18
004038F5 . 8B1D 74104000 mov ebx,dword ptr ds:[<&MSVBVM60.#536_rtcStrFromVar>] ; msvbvm60.rtcStrFromVar
004038FB . 66:35 0200 xor ax,0x2 ; xor var18 ,0x2
004038FF . 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
00403902 . 0F80 A4020000 jo bjanes_1.00403BAC
00403908 . 51 push ecx
00403909 . 66:8945 A8 mov word ptr ss:[ebp-0x58],ax ; eax xor 的值
0040390D . C745 A0 02000>mov dword ptr ss:[ebp-0x60],0x2
00403914 . FFD3 call ebx ; msvbvm60.rtcStrFromVar; <&MSVBVM60.#536_rtcStrFromVar>
00403916 . 8BD0 mov edx,eax
00403918 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0040391B . FFD6 call esi ; ebp -28 = eax =xor var18 ,0x2
0040391D . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00403920 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
00403923 . 52 push edx
00403924 . 57 push edi
00403925 . 50 push eax
00403926 . C745 C8 01000>mov dword ptr ss:[ebp-0x38],0x1
0040392D . C745 C0 02000>mov dword ptr ss:[ebp-0x40],0x2
00403934 . FF15 44104000 call dword ptr ds:[<&MSVBVM60.#631_rtcMidCharBstr>] ; msvbvm60.rtcMidCharBstr
0040393A . 8BD0 mov edx,eax
0040393C . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040393F . FFD6 call esi ; msvbvm60.__vbaStrMove
00403941 . 50 push eax ; /String = " "
00403942 . FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#516_rtcAnsiValueBstr>] ; \rtcAnsiValueBstr 截取字符
00403948 . 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
0040394B . 66:8945 B8 mov word ptr ss:[ebp-0x48],ax
0040394F . 51 push ecx
00403950 . C745 B0 02000>mov dword ptr ss:[ebp-0x50],0x2
00403957 . FFD3 call ebx ; msvbvm60.rtcStrFromVar
00403959 . 8BD0 mov edx,eax
0040395B . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040395E . FFD6 call esi ; msvbvm60.__vbaStrMove
00403960 . 50 push eax
00403961 . FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; msvbvm60.__vbaR8Str
00403967 . DC25 D8104000 fsub qword ptr ds:[0x4010D8]
0040396D . 8D55 90 lea edx,dword ptr ss:[ebp-0x70]
00403970 . 6A 01 push 0x1
00403972 . 52 push edx
00403973 . C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],0x8005
0040397D . DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8]
00403983 . DFE0 fstsw ax
00403985 . A8 0D test al,0xD
00403987 . 0F85 1A020000 jnz bjanes_1.00403BA7 ; 不跳
0040398D . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; --------------var28
这两个值的关键点也被我找到,有个技巧:在堆栈窗口中右键选择地址------》选择相对于ebp -------》找到你想要的值 ------》锁定窗口
var28 的第一次循环后的值得到 ‘3’,然后我尝试将我输入的字符第一个数字修改为 3xxxxxxx OD中我发现00403a04 中的跳转不用我修改也直接不跳了,这证明第一个字符是3
无误,手动循环后我将var28 的值得出来了: 30167451011 emmmmmmmm。。。。。 莫名多出两位来了,是为第8,和第9 分别为 10 11,一开始我试着转成A B后输入尝试失败 ,在多次无脑猜测尝试后这两位分别是 0 1 ,取这的末位,直接成功(emmmm就是这有些不完美,我跟了很多次后始终没有发现是怎么取得末位,只是靠猜测····)
[Asm] 纯文本查看 复制代码 00403909 . 66:8945 A8 mov word ptr ss:[ebp-0x58],ax ; eax xor 的值
0040390D . C745 A0 02000>mov dword ptr ss:[ebp-0x60],0x2
00403914 . FFD3 call ebx ; msvbvm60.rtcStrFromVar; <&MSVBVM60.#536_rtcStrFromVar>
00403916 . 8BD0 mov edx,eax
00403918 . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0040391B . FFD6 call esi ; ebp -28 = eax =xor var18 ,0x2
0040391D . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00403920 . 8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
00403923 . 52 push edx
00403924 . 57 push edi
00403925 . 50 push eax
通过堆栈和数据窗口的敏感数值的跟踪 找到了它的运算: 将每位字符抽取出来进行 xor 2 操作 (没错它只有一个注册码····)
然后因为注册码只有一个我也就不写注册机了··
此程序到此就结束了,烦的是VB,和堆栈窗口以及数据窗口的数据跟随·····
ps 如有错误请大佬指出,不胜感激··· |
免费评分
-
| 参与人数 2 | 威望 +1 |
吾爱币 +11 |
热心值 +2 |
收起
理由
|
 海天一色001
| |
+ 1 |
+ 1 |
用心讨论,共获提升! |
 Hmily
| + 1 |
+ 10 |
+ 1 |
感谢发布原创作品,吾爱破解论坛因你更精彩! |
查看全部评分
|
发表于 2018-5-7 09:59
|
发表于 2018-5-7 16:15
