CrackMe 3
004081E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
004081E9 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004081F2 . 50 push eax ; /String
004081F3 . 8B1A mov ebx,dword ptr ds:[edx] ; |
004081F5 . FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
004081FB . 8BF8 mov edi,eax ; len(name)
004081FD . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00408200 . 69FF 385B0100 imul edi,edi,0x15B38 ; len(name)*0x15b38
00408206 . 51 push ecx ; /String
00408207 . 0F80 B7050000 jo AfKayAs_.004087C4 ; |
0040820D . FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr
00408213 . 0FBFD0 movsx edx,ax ; ord(name[0])
00408216 . 03FA add edi,edx ; ord(name[0])+mul_ans
00408218 . 0F80 A6050000 jo AfKayAs_.004087C4
0040821E . 57 push edi
0040821F . FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; MSVBVM50.__vbaStrI4
00408225 . 8BD0 mov edx,eax ; str(last_add_ans)
00408227 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040822A . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
So the first stage is:
len(name)*0x15b38+ord(name[0])
(the product and the sum are 32-bit signed; the jo after each one bails out to the runtime error handler at 0x4087C4 on overflow, and __vbaStrI4 then turns the integer into a string).
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004082EF . D905 08104000 fld dword ptr ds:[0x401008] ; (__vbaR8Str above: string -> double, 8 bytes)
004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0 ; fld: like PUSH, loads the single-precision constant onto the FPU stack
004082FC . 75 08 jnz XAfKayAs_.00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; 2.0
00408304 . EB 0B jmp XAfKayAs_.00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call
00408311 > 83EC 08 sub esp,0x8
00408314 . DFE0 fstsw ax ; copy the FPU status word into AX
00408316 . A8 0D test al,0xD
00408318 . 0F85 A1040000 jnz AfKayAs_.004087BF
0040831E . DEC1 faddp st(1),st ; last_ans+2.0
00408320 . DFE0 fstsw ax
00408322 . A8 0D test al,0xD
00408324 . 0F85 95040000 jnz AfKayAs_.004087BF
0040832A . DD1C24 fstp qword ptr ss:[esp] ; like POP: store st(0) as a double and pop it
0040832D . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8
00408333 . 8BD0 mov edx,eax ; double -> str
00408335 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408338 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
This stage computes last_ans + ([0x401008] / [0x40100C]). The comments above annotate the quotient as 2.0 and the keygen at the end of the page adds 2 accordingly; if your copy of the binary differs, read the two single-precision constants at 0x401008 and 0x40100C from the dump (right-click, float view) instead of trusting the annotation. The cmp dword ptr [0x409000],0 / jnz / push / call detour around the inline fdiv is the usual MSVC Pentium FDIV-bug workaround (the _adjust_fdiv flag); on an unaffected CPU the flag is zero and the inline fdiv runs. After every FPU operation the fstsw ax / test al,0xD / jnz sequence checks the invalid-operation, zero-divide and overflow exception bits (0x01 | 0x04 | 0x08) and jumps to the runtime error handler at 0x4087BF if any is set.
Then:
004083E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
004083E9 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004083F2 . 52 push edx
004083F3 . 8B19 mov ebx,dword ptr ds:[ecx]
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; last_ans*3.0
00408401 . 83EC 08 sub esp,0x8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; last_ans-2.0
0040840A . DFE0 fstsw ax
0040840C . A8 0D test al,0xD
0040840E . 0F85 AB030000 jnz AfKayAs_.004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp]
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8
0040841D . 8BD0 mov edx,eax
0040841F . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408422 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
This stage computes last_ans*3.0-2.0 (fmul by the double at 0x401010, fsub the double at 0x401018).
Last step:
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; last_ans-(-15.0)
004084EB . 83EC 08 sub esp,0x8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD
004084F2 . 0F85 C7020000 jnz AfKayAs_.004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp]
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; MSVBVM50.__vbaStrR8
00408501 . 8BD0 mov edx,eax
00408503 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408506 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove
last_ans-(-15.0), i.e. last_ans+15.0 (the double at 0x401020 is -15.0).
Finally the serial string is converted to a double, divided by this value (fdivr: st(0) = [ebp-0xE4] / st(0), so serial / func(name)), and the quotient is compared with 1.0:
004085C8 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
004085CE > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004085D1 . 50 push eax
004085D2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004085D8 > . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C] ; serial->fpu
004085DB . DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]
004085E1 . 51 push ecx
004085E2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
004085E8 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0 ; func(name)->fpu
004085EF . 75 08 jnz XAfKayAs_.004085F9
004085F1 . DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4] ; serial/func(name)
004085F7 . EB 11 jmp XAfKayAs_.0040860A
004085F9 > FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF call
0040860A > DFE0 fstsw ax
0040860C . A8 0D test al,0xD
0040860E . 0F85 AB010000 jnz AfKayAs_.004087BF
00408614 . FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>; MSVBVM50.__vbaFpR8
0040861A . DC1D 28104000 fcomp qword ptr ds:[0x401028] ; 1.0
00408620 . DFE0 fstsw ax
00408622 . F6C4 40 test ah,0x40
00408625 . /74 07 je XAfKayAs_.0040862E
00408627 . |BE 01000000 mov esi,0x1
0040862C . |EB 02 jmp XAfKayAs_.00408630
0040862E > \33F6 xor esi,esi
The rest is the same decision pattern as in crackme2. fcomp compares the quotient with 1.0 and fstsw ax copies the condition codes into AX; C3 (bit 14 of the status word, i.e. 0x40 in AH) is set when the two operands are equal. test ah,0x40 therefore clears ZF when they are equal, the je is not taken and esi is set to 1; when they differ, ZF is set, the jump is taken and esi is zeroed with xor. So esi = 1 means the serial matched. Note that only C3 is tested: an unordered comparison (a NaN operand) also sets C3 and would take the "equal" path.
On inspecting the doubles directly:
In the register pane, right-click and choose "View FPU registers" to see the ST(x) register stack holding the current doubles.
In the dump pane, right-click and choose the float/double display to read the constants at the addresses above (0x401008 .. 0x401028) as floating-point numbers.
If you can read IEEE-754 doubles straight from the raw bytes, you do not need either of these.
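To make the division-based comparison concrete, here is an added model of the final check (it is not code from the original post or from the crackme's author). It replays func(name) with the string/double round trips the binary performs between the FPU stages, then reproduces the fdivr / fcomp / fstsw / test ah,0x40 decision. The constants 0x15B38, +2, *3, -2 and -15 are taken from the annotated disassembly above; vb_str() and the handling of an empty name or a non-numeric serial are assumptions about the VB5 runtime, not something the page establishes.

```python
# Added model of the crackme's final check (not the page's or the crackme's code).
# Constants come from the annotated disassembly; vb_str() and the empty-name /
# non-numeric-serial behaviour are assumptions about the VB5 runtime.

MUL_CONST = 0x15B38          # imul edi,edi,0x15B38


def vb_str(x: float) -> str:
    """Assumed __vbaStrR8 formatting: an integral double prints without '.0'."""
    return str(int(x)) if x.is_integer() else repr(x)


def name_value(name: str) -> float:
    """Replay func(name) the way the binary does it: every FPU stage is
    preceded by __vbaR8Str and followed by __vbaStrR8, so the value takes a
    string round trip between stages."""
    if not name:
        # assumption: rtcAnsiValueBstr (Asc) on an empty string raises a VB runtime error
        raise ValueError("name must not be empty")
    # stage 1: len(name)*0x15B38 + Asc(name[0]), then __vbaStrI4
    s = str(len(name) * MUL_CONST + ord(name[0]))
    # stage 2: fld/fdiv the two single-precision constants, faddp (+2.0)
    s = vb_str(float(s) + 2.0)
    # stage 3: fmul 3.0, fsub 2.0
    s = vb_str(float(s) * 3.0 - 2.0)
    # stage 4: fsub (-15.0)
    s = vb_str(float(s) - (-15.0))
    return float(s)


def fcomp_status(st0: float, mem: float) -> int:
    """x87 condition codes left in the status word by FCOMP st(0), mem:
    C0 = bit 8, C2 = bit 10, C3 = bit 14."""
    if st0 != st0 or mem != mem:      # unordered: C3 = C2 = C0 = 1
        return 0x4500
    if st0 < mem:
        return 0x0100                 # C0
    if st0 == mem:
        return 0x4000                 # C3
    return 0x0000


def check_serial(name: str, serial: str) -> int:
    """Return the value the code at 0x40861A-0x40862E leaves in esi."""
    try:
        serial_r8 = float(serial)     # __vbaR8Str on the serial text box
    except ValueError:
        # assumption: the runtime raises an error on non-numeric text; treated as no match
        return 0
    func_name = name_value(name)      # second __vbaR8Str, result stays in st(0)
    quotient = serial_r8 / func_name  # fdivr qword [ebp-0xE4]: st(0) = serial / func(name)
    ah = (fcomp_status(quotient, 1.0) >> 8) & 0xFF   # fcomp 1.0 ; fstsw ax
    # test ah,0x40 ; je -> xor esi,esi ; otherwise mov esi,1
    return 1 if ah & 0x40 else 0


if __name__ == "__main__":
    print(name_value("beixiaozhi"))                 # 2666953.0
    print(check_serial("beixiaozhi", "2666953"))    # 1
    print(check_serial("beixiaozhi", "2666952"))    # 0
```

Because the comparison is an exact double equality on the quotient, a serial that is off by one fails even though it is numerically close, while any text that __vbaR8Str parses to the same double (for example "2666953.0") passes.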
Script to get the serial for a given name:
import sys

def get_serial(name):
    # stage 1: len(name)*0x15B38 + Asc(name[0]) (imul/add, overflow -> error handler)
    last = len(name) * 0x15B38 + ord(name[0])
    last += 2             # faddp with the quotient of the two single-precision constants
    last = last * 3 - 2   # fmul 3.0, fsub 2.0
    last += 15            # fsub (-15.0)
    # every intermediate value is an integer far below 2**53, so integer
    # arithmetic reproduces the binary's double computation exactly
    return str(last)

if __name__ == "__main__":
    if len(sys.argv) != 2 or not sys.argv[1]:
        sys.exit("usage: python crackme3.py <name>")
    print(get_serial(sys.argv[1]))
#output:
python crackme3.py beixiaozhi
2666953