First, a few supplementary notes on VB programs:
Very often a VB function's return value is stored at ebp-0x34 (sometimes in the ax register).
Some VB operations (for example __vbaVarMul) store their result as a floating-point number; it can be seen by viewing the 64-bit float in the memory window.
CrackMe 10: as before, the key processing routine can be found directly by string search, or by breaking the program after the message box pops up:
00401ED8 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00401EDE > 8B45 A8 mov eax,dword ptr ss:[ebp-0x58]
00401EE1 . 8975 A8 mov dword ptr ss:[ebp-0x58],esi
00401EE4 . 8B35 F8404000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarMove
00401EEA . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00401EED . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
00401EF0 . 8945 9C mov dword ptr ss:[ebp-0x64],eax
00401EF3 . C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8
00401EFA . FFD6 call esi ; <&MSVBVM50.__vbaVarMove>
00401EFC . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00401EFF . FF15 AC414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
00401F05 . B9 02000000 mov ecx,0x2
00401F0A . B8 01000000 mov eax,0x1
00401F0F . 898D 54FFFFFF mov dword ptr ss:[ebp-0xAC],ecx
00401F15 . 898D 44FFFFFF mov dword ptr ss:[ebp-0xBC],ecx
00401F1B . 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
00401F21 . 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax
00401F27 . 8985 4CFFFFFF mov dword ptr ss:[ebp-0xB4],eax
00401F2D . 8D55 BC lea edx,dword ptr ss:[ebp-0x44]
00401F30 . 51 push ecx ; /Step8
00401F31 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C] ; |
00401F34 . 52 push edx ; |/var18
00401F35 . 50 push eax ; ||retBuffer8
00401F36 . FF15 14414000 call dword ptr ds:[<&MSVBVM50.__vbaLenVa>; |\__vbaLenVar
00401F3C . 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-0xBC] ; |
00401F42 . 50 push eax ; |End8
00401F43 . 8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-0x114] ; |
00401F49 . 51 push ecx ; |Start8
00401F4A . 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104] ; |
00401F50 . 52 push edx ; |TMPend8
00401F51 . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24] ; |
00401F54 . 50 push eax ; |TMPstep8
00401F55 . 51 push ecx ; |Counter8
00401F56 . FF15 1C414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForInit
First, as usual, Len(serial) is obtained and __vbaVarForInit is set up; together with __vbaVarForNext this forms a For loop. The loop body:
00401F68 > /85C0 test eax,eax
00401F6A . |0F84 BB000000 je Andréna.0040202B
00401F70 . |8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00401F73 . |8D45 DC lea eax,dword ptr ss:[ebp-0x24]
00401F76 . |52 push edx
00401F77 . |50 push eax
00401F78 . |C745 9C 01000>mov dword ptr ss:[ebp-0x64],0x1
00401F7F . |C745 94 02000>mov dword ptr ss:[ebp-0x6C],0x2
00401F86 . |FF15 90414000 call dword ptr ds:[<&MSVBVM50.__vbaI4Var>; MSVBVM50.__vbaI4Var
00401F8C . |8D4D BC lea ecx,dword ptr ss:[ebp-0x44] ; |
00401F8F . |50 push eax ; |Start
00401F90 . |8D55 84 lea edx,dword ptr ss:[ebp-0x7C] ; |
00401F93 . |51 push ecx ; |dString8
00401F94 . |52 push edx ; |RetBUFFER
00401F95 . |FF15 34414000 call dword ptr ds:[<&MSVBVM50.#632>] ; \rtcMidCharVar
00401F9B . |8D45 84 lea eax,dword ptr ss:[ebp-0x7C]
00401F9E . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401FA1 . |50 push eax ; /String8
00401FA2 . |51 push ecx ; |ARG2
00401FA3 . |FF15 64414000 call dword ptr ds:[<&MSVBVM50.__vbaStrVa>; \__vbaStrVarVal
00401FA9 . |50 push eax ; /String
00401FAA . |FF15 08414000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr
00401FB0 . |66:05 0A00 add ax,0xA
00401FB4 . |0F80 B0020000 jo Andréna.0040226A
00401FBA . |0FBFD0 movsx edx,ax
00401FBD . |52 push edx
00401FBE . |FF15 70414000 call dword ptr ds:[<&MSVBVM50.#537>] ; MSVBVM50.rtcBstrFromAnsi
00401FC4 . |8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
00401FCA . |8D45 CC lea eax,dword ptr ss:[ebp-0x34]
00401FCD . |8D8D 74FFFFFF lea ecx,dword ptr ss:[ebp-0x8C]
00401FD3 . |50 push eax
00401FD4 . |8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C]
00401FDA . |51 push ecx
00401FDB . |52 push edx
00401FDC . |C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
00401FE6 . |FFD3 call ebx
00401FE8 . |8BD0 mov edx,eax
00401FEA . |8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
00401FED . |FFD6 call esi
00401FEF . |8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
00401FF2 . |FF15 B0414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00401FF8 . |8D85 74FFFFFF lea eax,dword ptr ss:[ebp-0x8C]
00401FFE . |8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
00402001 . |50 push eax
00402002 . |8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00402005 . |51 push ecx
00402006 . |52 push edx
00402007 . |6A 03 push 0x3
00402009 . |FFD7 call edi
0040200B . |83C4 10 add esp,0x10
0040200E . |8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
00402014 . |8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
0040201A . |8D55 DC lea edx,dword ptr ss:[ebp-0x24]
0040201D . |50 push eax ; /TMPend8
0040201E . |51 push ecx ; |TMPstep8
0040201F . |52 push edx ; |Counter8
00402020 . |FF15 A4414000 call dword ptr ds:[<&MSVBVM50.__vbaVarFo>; \__vbaVarForNext
00402026 .^\E9 3DFFFFFF jmp Andréna.00401F68
First, rtcMidCharVar extracts a substring:
rtcMidCharVar takes the requested characters out of a string; it is VB's Mid function, used as Mid("string", "start position", "number of characters").
Then __vbaStrVarVal:
__vbaStrVarVal fetches the value at a specific position of the string.
# convert the character to its ASCII code
Then rtcAnsiValueBstr returns the ASCII code of that character in ax.
The difference between the two:
__vbaStrVarVal returns in eax a string object (usually a single character) containing the corresponding character (which can also be viewed as its ASCII code).
rtcAnsiValueBstr directly returns the ASCII value of the character inside that string object in ax.
The value then has 0xA added to it and is converted back into a character by rtcBstrFromAnsi.
Then, further on:
00401FD3 . 50 push eax
00401FD4 . 8D95 64FFFFFF lea edx,dword ptr ss:[ebp-0x9C]
00401FDA . 51 push ecx
00401FDB . 52 push edx
00401FDC . C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
00401FE6 . FFD3 call ebx ; MSVBVM50.__vbaVarCat
concatenates the strings.
Finally, the concatenated string is compared with the predefined string:
00402034 . 50 push eax ; /var18
00402035 . 51 push ecx ; |var28
00402036 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],Andréna.0040>; |UNICODE "kXy^rO|*yXo*m\kMuOn*+"
00402040 . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x8008 ; |
0040204A . FF15 40414000 call dword ptr ds:[<&MSVBVM50.__vbaVarTs>; \__vbaVarTstEq
00402050 . 66:85C0 test ax,ax
00402053 . 0F84 C0000000 je Andréna.00402119 ; judge
00402059 . FF15 6C414000 call dword ptr ds:[<&MSVBVM50.#534>] ; MSVBVM50.rtcBeep
0040205F . 8B1D 94414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaVa>; MSVBVM50.__vbaVarDup
00402065 . B9 0A000000 mov ecx,0xA
0040206A . B8 04000280 mov eax,0x80020004
0040206F . 898D 64FFFFFF mov dword ptr ss:[ebp-0x9C],ecx
00402075 . 898D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ecx
0040207B . 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-0xBC]
00402081 . 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
00402084 . 8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
0040208A . 8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
00402090 . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],Andréna.0040>; UNICODE "RiCHTiG !"
0040209A . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x8
004020A4 . FFD3 call ebx ; <&MSVBVM50.__vbaVarDup>
So subtracting 0xA from each character of the predefined string yields the real serial:
def get_serial():
    # the UNICODE constant compared by __vbaVarTstEq (the backslash is escaped)
    final = "kXy^rO|*yXo*m\\kMuOn*+"
    last = ""
    for i in final:
        # undo the 'add ax,0xA' applied to every character of the input
        last += chr(ord(i) - 0xA)
    return last

if __name__ == "__main__":
    print(get_serial())
# output:
# aNoThEr oNe cRaCkEd !
Enter it and the check passes:
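As an added example (not code from the crackme or from the original post), here is a Python 3 model of the check routine recovered from the disassembly above, including the `jo` overflow check after `add ax,0xA`, together with its inverse. Function names are mine, and the model assumes single-byte (ASCII) characters, which is what rtcAnsiValueBstr yields for this serial.

```python
# Added example: a Python model of the VB check routine seen in the disassembly.
TARGET = "kXy^rO|*yXo*m\\kMuOn*+"   # UNICODE constant compared by __vbaVarTstEq
DELTA = 0xA                         # the immediate in 'add ax,0xA' at 00401FB0


def add_int16_checked(value, delta):
    """Model 'add ax,imm16' followed by 'jo': VB Integer arithmetic raises
    a runtime overflow error instead of wrapping around."""
    result = value + delta
    if not -0x8000 <= result <= 0x7FFF:
        raise OverflowError("VB Integer overflow (jo taken)")
    return result


def transform(serial):
    """Replay the For loop: Mid(serial, i, 1) -> Asc -> +0xA -> Chr, then
    concatenate the pieces (__vbaVarCat)."""
    out = ""
    for i in range(1, len(serial) + 1):       # __vbaVarForInit 1..Len(serial)
        ch = serial[i - 1:i]                   # rtcMidCharVar(serial, i, 1)
        code = ord(ch)                         # rtcAnsiValueBstr (ASCII assumed)
        code = add_int16_checked(code, DELTA)  # add ax,0xA / jo
        out += chr(code)                       # rtcBstrFromAnsi + __vbaVarCat
    return out


def crackme_check(serial):
    """__vbaVarTstEq: True when the transformed input equals TARGET."""
    return transform(serial) == TARGET


def recover_serial(target=TARGET):
    """Inverse of transform(): subtract DELTA from every character."""
    return "".join(chr(ord(c) - DELTA) for c in target)


if __name__ == "__main__":
    serial = recover_serial()
    print(serial, crackme_check(serial))
```

Running it confirms that the recovered serial passes the modelled check while any other input fails it.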