因为之前只弄过crackme1,把之前落下的补一下,尽量以后每天一个crackme
页面两个输入,name和serial
OD调试,在弹出提示Wrong的窗口后暂停(不要关闭窗口),此时查看调用堆栈,可以看到:
Call stack
可以看到最后一行从用户代码调用了与窗口有关的rtcMsgBox
跟踪到此处调用,向上翻根据字符串找到程序最后判断位置:
judge
继续向上根据push ebp位置找到函数开始位置并下断:
start
重新输入后程序触发断点,单步执行看到关键处理位置(分析见注释):
在此处看到我们输入的name字符串
00402403 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00402409 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
0040240F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00402412 . 50 push eax ; /String
00402413 . 8B1A mov ebx,dword ptr ds:[edx] ; |
00402415 . FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
0040241B . 8BF8 mov edi,eax ; 取Name长度
0040241D . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00402420 . 69FF FB7C0100 imul edi,edi,0x17CFB ; len(name) * 0x17CFB
00402426 . 51 push ecx ; /String
00402427 . 0F80 91020000 jo Afkayas_.004026BE ; |
0040242D . FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr返回第一个字符的字符代码
00402433 . 0FBFD0 movsx edx,ax
00402436 . 03FA add edi,edx ; len(name) * 0x17CFB + ord(name[0])
00402438 . 0F80 80020000 jo Afkayas_.004026BE
0040243E . 57 push edi
0040243F . FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; MSVBVM50.__vbaStrI4
00402445 . 8BD0 mov edx,eax ; 16进制数转10进制字符
00402447 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040244A . FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; MSVBVM50.__vbaStrMove ;复制字符串位置
而后:
00402510 > \8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00402513 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
00402516 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrCat
0040251C . 50 push eax
0040251D . 68 701B4000 push Afkayas_.00401B70 ; UNICODE "AKA-"
00402522 . 51 push ecx ; /String
00402523 . FFD7 call edi ; \__vbaStrCat
00402525 . 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; MSVBVM50.__vbaStrMove
0040252B . 8BD0 mov edx,eax
0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00402530 . FFD3 call ebx ; <&MSVBVM50.__vbaStrMove>
00402532 . 50 push eax
00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
00402539 . 8BF0 mov esi,eax
0040253B . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
0040253E . F7DE neg esi
00402540 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
00402543 . 52 push edx
00402544 . 1BF6 sbb esi,esi
00402546 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00402549 . 50 push eax
0040254A . 46 inc esi
0040254B . 51 push ecx
0040254C . 6A 03 push 0x3
0040254E . F7DE neg esi
00402550 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStrList
00402556 . 83C4 10 add esp,0x10
00402559 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0040255C . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
0040255F . 52 push edx
00402560 . 50 push eax
00402561 . 6A 02 push 0x2
00402563 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObjList
00402569 . 83C4 0C add esp,0xC
0040256C . B9 04000280 mov ecx,0x80020004
00402571 . B8 0A000000 mov eax,0xA
00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00402579 . 66:85F6 test si,si
0040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00402585 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
0040258B . 74 58 je XAfkayas_.004025E5 ; judge in here
0040258D . 68 801B4000 push Afkayas_.00401B80 ; UNICODE "You Get It"
00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; UNICODE "
"
整体过程:
取name长度len,而后len*0x17CFB+input[0],将结果转为10进制字符串再与"AKA-"拼接,最后与serial比较,注意比较结果:
#主要过程
mov esi,eax
neg esi ;取补,为0则CF=0,非0则CF=1,即0-esi并返回给esi
sbb esi,esi ;esi=esi-esi-CF,即esi=-CF
inc esi
neg esi
test si,si
所以cmp结果:
非0->取补CF=1->sbb后esi=-1->inc esi后esi=0->neg再次取补esi=0->je满足跳转->Wrong
0->取补CF=0->sbb后esi=0->inc esi后esi=1->neg取补0xFFFFFFFF->je不满足->Right
故而cmp相同->Right
获取name对应serial:
import sys
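def get_serial(name):
    """Return the serial the crackme accepts for *name*.

    Reproduces the check traced above:
    serial = "AKA-" + str(len(name) * 0x17CFB + code(name[0])), where
    code() is the character code of the first character.  The binary
    obtains it via rtcAnsiValueBstr (an ANSI code); ord() matches that for
    ASCII names -- for a non-ASCII first character the two may differ
    (ord() on a Unicode string yields the code point), so verify against
    the program in that case.

    Raises ValueError if *name* is empty, since the first character is
    required (the original code would fail with IndexError instead).
    """
    if not name:
        raise ValueError("name must not be empty")
    # imul edi,edi,0x17CFB / add edi,edx at 00402420 / 00402436
    value = len(name) * 0x17CFB + ord(name[0])
    # __vbaStrI4 renders the number in decimal; __vbaStrCat prepends "AKA-"
    return "AKA-" + str(value)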
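if __name__ == "__main__":
    # Usage: python crackme2.py <name>
    # Fail with a usage message instead of an IndexError when no name is given.
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <name>\n" % sys.argv[0])
        sys.exit(1)
    name = sys.argv[1]
    # print(...) with a single argument prints the same on Python 2 and 3,
    # unlike the Python-2-only print statement.
    print(get_serial(name))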
#output:
H:\crackme> python crackme2.py beixiaozhi
AKA-975408
Right