CrackMe 160 之 008
author: Andrénalin
level: ★
保护方式: Serial
最近学了王爽的汇编语言,看了半本后就拿逆向工程核心原理出来看一看,然而对第一章的crackme2分析还是有点吃力,为了增加点信心,还是先分析点简单的,于是就这个啦。
先随便输入一个key,提示
leider NeiN !
Leider Falsch ! Schau noch mal genau nach ...
载入PeiD查壳:无壳,VB程序(从下面反汇编里导入的 MSVBVM50.* 函数也能确认是 VB5 运行库)。
; ---------------------------------------------------------------------------
; OllyDbg listing (32-bit x86, VB5 program linked against MSVBVM50), fragment
; of the serial-check handler. The instruction that sets ZF for the `je` below
; (the compare following __vbaStrCmp, see write-up) lies just above this
; fragment and is not shown here.
;   ZF=1 -> 00401E43 : failure message box ("leider NeiN !")
;   ZF=0 -> fall through : success message box ("SuCCESFul !")
; This single conditional jump is the only thing separating the two outcomes,
; which is why NOP-ing it out (see write-up) "cracks" the program.
; The trailing "Andréna.<ModuleEntryPoint>" notes are OllyDbg auto-annotations
; on immediate/register values and carry no meaning for this analysis.
; ---------------------------------------------------------------------------
00401D9D . /0F84 A0000000 je Andréna.00401E43
; ---- success path ----
00401DA3 . |FF15 2C314000 call dword ptr ds:[<&MSVBVM50.#534>] ; MSVBVM50.rtcBeep
00401DA9 . |8B3D 48314000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
; Two VARIANTs at [ebp-0x6C] and [ebp-0x5C] get vt=0xA (VT_ERROR, stored at
; offset 0 below) and scode=0x80020004 (DISP_E_PARAMNOTFOUND, offset +8 here).
; That pair is VB's "missing optional argument" marker - presumably for the
; HelpFile/Context parameters of MsgBox (see push order before rtcMsgBox).
00401DAF . |B9 04000280 mov ecx,0x80020004
00401DB4 . |894D 9C mov dword ptr ss:[ebp-0x64],ecx ; Andréna.<ModuleEntryPoint>
00401DB7 . |B8 0A000000 mov eax,0xA
00401DBC . |894D AC mov dword ptr ss:[ebp-0x54],ecx ; Andréna.<ModuleEntryPoint>
00401DBF . |BB 08000000 mov ebx,0x8
; Temp VARIANT at [ebp-0x8C]: vt=8 (VT_BSTR) with the "SuCCESFul !" string
; pointer at +8 ([ebp-0x84]); __vbaVarDup copies it (edx=src) into [ebp-0x4C]
; (ecx=dst) - register convention of __vbaVarDup, verify if reused elsewhere.
00401DC4 . |8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00401DCA . |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00401DCD . |8945 94 mov dword ptr ss:[ebp-0x6C],eax
00401DD0 . |8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00401DD3 . |C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],Andréna.0040>; SuCCESFul !
00401DDD . |899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ebx
00401DE3 . |FFD7 call edi ; Andréna.<ModuleEntryPoint>; <&MSVBVM50.__vbaVarDup>
; Same pattern: VT_BSTR VARIANT at [ebp-0x7C] holding the prompt string,
; duplicated into [ebp-0x3C].
00401DE5 . |8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
00401DE8 . |8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00401DEB . |C745 8C 701A4>mov dword ptr ss:[ebp-0x74],Andréna.0040>; RiCHtiG ! ...nun weiter zu CrackMe 2 !
00401DF2 . |895D 84 mov dword ptr ss:[ebp-0x7C],ebx
00401DF5 . |FFD7 call edi ; Andréna.<ModuleEntryPoint>
; Arguments pushed right-to-left; the order matches
; MsgBox(Prompt, Buttons, Title, HelpFile, Context):
;   Context  = [ebp-0x6C] (missing)
;   HelpFile = [ebp-0x5C] (missing)
;   Title    = [ebp-0x4C] ("SuCCESFul !")
;   Buttons  = 0x30       (vbExclamation)
;   Prompt   = [ebp-0x3C] ("RiCHtiG ! ...")
00401DF7 . |8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00401DFA . |8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
00401DFD . |52 push edx ; Andréna.<ModuleEntryPoint>
00401DFE . |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00401E01 . |50 push eax
00401E02 . |51 push ecx ; Andréna.<ModuleEntryPoint>
00401E03 . |8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
00401E06 . |6A 30 push 0x30
00401E08 . |52 push edx ; Andréna.<ModuleEntryPoint>
00401E09 . |FF15 F0304000 call dword ptr ds:[<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
; MsgBox result (eax) is wrapped in a VT_I4 (vt=3) VARIANT at [ebp-0xBC] and
; moved into [ebp-0x24]; the value is not used for the serial decision.
00401E0F . |8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
00401E15 . |8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00401E18 . |8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax
00401E1E . |C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x3
00401E28 . |FF15 D0304000 call dword ptr ds:[<&MSVBVM50.__vbaVarMo>; MSVBVM50.__vbaVarMove
; The four temp VARIANTs are pushed and control joins 00401ED8 (outside this
; listing) - presumably the shared VARIANT clean-up for both paths.
00401E2E . |8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00401E31 . |8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00401E34 . |50 push eax
00401E35 . |8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
00401E38 . |51 push ecx ; Andréna.<ModuleEntryPoint>
00401E39 . |8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00401E3C . |52 push edx ; Andréna.<ModuleEntryPoint>
00401E3D . |50 push eax
00401E3E . |E9 95000000 jmp Andréna.00401ED8
; ---- failure path (target of the je at 00401D9D) ----
; Mirrors the success path with the failure strings; note there is no
; rtcBeep here. The listing is cut before its rtcMsgBox call.
00401E43 > \8B3D 48314000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
00401E49 . B9 04000280 mov ecx,0x80020004
00401E4E . 894D 9C mov dword ptr ss:[ebp-0x64],ecx ; Andréna.<ModuleEntryPoint>
00401E51 . B8 0A000000 mov eax,0xA
00401E56 . 894D AC mov dword ptr ss:[ebp-0x54],ecx ; Andréna.<ModuleEntryPoint>
00401E59 . BB 08000000 mov ebx,0x8
00401E5E . 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00401E64 . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
00401E67 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
00401E6A . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00401E6D . C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],Andréna.0040>; leider NeiN !
00401E77 . 899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ebx
00401E7D . FFD7 call edi ; Andréna.<ModuleEntryPoint>; <&MSVBVM50.__vbaVarDup>
00401E7F . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
00401E82 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
00401E85 . C745 8C E01A4>mov dword ptr ss:[ebp-0x74],Andréna.0040>; Leider Falsch ! Schau noch mal genau nach ...
可见00401D9D处的条件跳转(je,6字节的0F84 A0000000)在比较不相等时跳到00401E43的失败提示,跳过了成功提示。只需在此处右键-二进制-用NOP填充,无论输入什么都会落入成功分支,即可达到"破解"目的。注意这只是暴力绕过了判断,并没有得到真正的序列号,真正的答案见下面的追码。
追码:
重新载入程序
在此处一直往上拉到00401CD0栈帧处F2下断点,F9运行,随意输入key,点OK,然后它就在栈帧处断下来了。
一直F8单步下去,在00401D73处看到了输入的key
在00401D74处看到了UNICODE字符串 "SynTaX 2oo1" 入栈
结合下一个CALL指令的注释 MSVBVM50.__vbaStrCmp 可知这是VB运行库的字符串比较API(两个参数分别是输入的key和 "SynTaX 2oo1")
执行完CALL后发现EAX寄存器的值为FFFFFFFF(-1的补码)
由此可知程序用 __vbaStrCmp 把输入的key与 "SynTaX 2oo1" 比较,返回值放在EAX中:相同返回0,不相同返回非0(按字典序返回-1或1,本例得到的是-1,即FFFFFFFF)。后面的比较指令根据这个结果设置标志位,决定00401D9D处的je走成功分支还是失败分支;所以正确的序列号就是 SynTaX 2oo1。