2019-03-18 CrackMe 2

因为之前只弄过crackme1,把之前落下的补一下,尽量以后每天一个crackme
页面两个输入,name和serial
OD调试,在弹出提示Wrong的窗口后暂停(不要关闭窗口),此时查看调用堆栈,可以看到:


Call stack

可以看到最后一行从用户代码调用了与窗口有关的rtcMsgBox
跟踪到此处调用,向上翻根据字符串找到程序最后判断位置:


judge

继续向上根据push ebp位置找到函数开始位置并下断:
start

重新输入后程序触发断点,单步执行看到关键处理位置(分析见注释):
在此处看到我们输入的name字符串
00402403   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  MSVBVM50.__vbaHresultCheckObj
00402409   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
0040240F   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]
00402412   .  50            push eax                                 ; /String  (the Name text, per the note above this listing)
00402413   .  8B1A          mov ebx,dword ptr ds:[edx]               ; |
00402415   .  FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
0040241B   .  8BF8          mov edi,eax                              ;  edi = Len(Name)
0040241D   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00402420   .  69FF FB7C0100 imul edi,edi,0x17CFB                     ;  edi = Len(Name) * 0x17CFB  (0x17CFB = 97531 decimal)
00402426   .  51            push ecx                                 ; /String
00402427   .  0F80 91020000 jo Afkayas_.004026BE                     ; |  signed-overflow check on the imul; jump target is outside this listing
0040242D   .  FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>]     ; \rtcAnsiValueBstr: character code of the first character (Asc)
00402433   .  0FBFD0        movsx edx,ax                             ;  sign-extend the 16-bit character code to 32 bits
00402436   .  03FA          add edi,edx                              ;  edi = Len(Name) * 0x17CFB + Asc(first character)
00402438   .  0F80 80020000 jo Afkayas_.004026BE                     ;  overflow check on the add, same target as above
0040243E   .  57            push edi
0040243F   .  FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>;  MSVBVM50.__vbaStrI4: 32-bit integer -> decimal string
00402445   .  8BD0          mov edx,eax                              ;  edx = the decimal string just produced
00402447   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040244A   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove: store that string in [ebp-0x20]

而后:

00402510   > \8B45 E8       mov eax,dword ptr ss:[ebp-0x18]
00402513   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]
00402516   .  8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
0040251C   .  50            push eax
0040251D   .  68 701B4000   push Afkayas_.00401B70                   ;  UNICODE "AKA-"  (fixed prefix of the expected serial)
00402522   .  51            push ecx                                 ; /String
00402523   .  FFD7          call edi                                 ; \__vbaStrCat: builds the expected serial, "AKA-" followed by the decimal number
00402525   .  8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrMove
0040252B   .  8BD0          mov edx,eax
0040252D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00402530   .  FFD3          call ebx                                 ;  <&MSVBVM50.__vbaStrMove>: keep the built string in [ebp-0x20]
00402532   .  50            push eax
00402533   .  FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>;  MSVBVM50.__vbaStrCmp: compare with the Serial entered; eax = 0 when equal
00402539   .  8BF0          mov esi,eax                              ;  esi = compare result
0040253B   .  8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
0040253E   .  F7DE          neg esi                                  ;  CF = 1 iff esi != 0 (strings differ)
00402540   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00402543   .  52            push edx
00402544   .  1BF6          sbb esi,esi                              ;  esi = -CF: -1 if different, 0 if equal
00402546   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402549   .  50            push eax
0040254A   .  46            inc esi                                  ;  esi = 0 if different, 1 if equal
0040254B   .  51            push ecx
0040254C   .  6A 03         push 0x3
0040254E   .  F7DE          neg esi                                  ;  esi = 0 if different, 0xFFFFFFFF if equal
00402550   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStrList: release the 3 temporary strings
00402556   .  83C4 10       add esp,0x10
00402559   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
0040255C   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
0040255F   .  52            push edx
00402560   .  50            push eax
00402561   .  6A 02         push 0x2
00402563   .  FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  MSVBVM50.__vbaFreeObjList: release 2 object references
00402569   .  83C4 0C       add esp,0xC
0040256C   .  B9 04000280   mov ecx,0x80020004                       ;  0x80020004 / 0xA fill three VARIANTs below; looks like the
00402571   .  B8 0A000000   mov eax,0xA                              ;  "omitted optional argument" values for the MsgBox that follows - confirm
00402576   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00402579   .  66:85F6       test si,si                               ;  low 16 bits of the normalized compare result
0040257C   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040257F   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
00402582   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00402585   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00402588   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0040258B   .  74 58         je XAfkayas_.004025E5                    ;  judge in here: taken when the strings differed (Wrong path); fall-through shows "You Get It"
0040258D   .  68 801B4000   push Afkayas_.00401B80                   ;  UNICODE "You Get It"
00402592   .  68 9C1B4000   push Afkayas_.00401B9C                   ;  UNICODE "
"

整体过程:
取name长度len,计算len*0x17CFB+Asc(name的第一个字符),将结果转为10进制字符串再与"AKA-"拼接,最后与serial比较,注意比较结果:

#主要过程
mov esi,eax
neg esi  ;取补,为0则CF=0,非0则CF=1  ,即0-esi并返回给esi
sbb esi,esi ;esi=esi-esi-CF
inc esi
neg esi
test si,si
所以cmp结果:
非0->取补CF=1->sbb后esi=-1->inc esi后esi=0->neg再次取补esi=0->je满足跳转->Wrong
0->取补CF=0->sbb后esi=0->inc esi后esi=1->neg取补0xFFFFFFFF->je不满足->Right
故而cmp相同->Right

获取name对应serial:

import sys

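def get_serial(name):
    """Return the serial the crackme accepts for ``name``.

    Mirrors the arithmetic seen in the disassembly: the length of the
    Name is multiplied by 0x17CFB, the character code of the first
    character is added, the sum is rendered as a decimal string and
    prefixed with "AKA-".

    name -- the Name field as a string; must be non-empty.
    Returns the serial string, e.g. "AKA-975408" for "beixiaozhi".
    Raises ValueError for an empty name: the binary reads the first
    character, so there is no serial for an empty Name.

    NOTE: ord() of the first character matches the 16-bit character code
    the binary computes only for ASCII input; for other characters the
    two may differ.
    """
    if not name:
        raise ValueError("name must not be empty")
    # len * 0x17CFB + Asc(first char), exactly as the imul/add pair does.
    number = len(name) * 0x17CFB + ord(name[0])
    return "AKA-" + str(number)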

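if __name__=="__main__":
    # Usage: python crackme2.py <name>
    # Report a usage error instead of failing with IndexError on sys.argv[1].
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <name>\n" % sys.argv[0])
        sys.exit(1)
    name=sys.argv[1]
    # Parenthesised form prints the same single string under Python 2 and 3.
    print(get_serial(name))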
#output:
H:\crackme> python  crackme2.py  beixiaozhi
AKA-975408
Right
