crackme#003 Afkayas_2

2020-03-06  北嶋雪

0x01 Preparation

Remember to give it the runtime dll again (MSVBVM50.DLL, the VB5 runtime it imports), otherwise it still won't start.
Opening the program is a bit different this time: first it shows this window


open

and then it switches to:


mainpage
This time there is an extra hint: "kill the nag" means the open window has to be got rid of; after that it is the usual name/serial. No need for IDA this time, straight into OD (OllyDbg).

0x02 OD analysis

As soon as it is loaded, OD tells me the program contains compressed content. Throw it into DIE to check:


die

No packer, so open it with confidence and go straight to the conditional jump that decides success or failure:

00408677   . /74 62         je short AfKayAs_.004086DB
00408679   . |8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  Msvbvm50.__vbaStrCat
0040867F   . |68 C06F4000   push AfKayAs_.00406FC0                   ;  UNICODE "You Get It"
00408684   . |68 DC6F4000   push AfKayAs_.00406FDC                   ;  ASCII "\r"
00408689   . |FFD6          call esi                                 ;  AfKayAs_.<ModuleEntryPoint>; <&MSVBVM50.__vbaStrCat>
0040868B   . |8BD0          mov edx,eax
0040868D   . |8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00408690   . |FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  Msvbvm50.__vbaStrMove
00408696   . |50            push eax
00408697   . |68 E86F4000   push AfKayAs_.00406FE8                   ;  UNICODE "KeyGen It Now"
0040869C   . |FFD6          call esi                                 ;  AfKayAs_.<ModuleEntryPoint>
0040869E   . |8945 CC       mov dword ptr ss:[ebp-0x34],eax
004086A1   . |8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004086A4   . |8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004086A7   . |50            push eax
004086A8   . |8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
004086AB   . |51            push ecx                                 ;  AfKayAs_.<ModuleEntryPoint>
004086AC   . |52            push edx                                 ;  AfKayAs_.<ModuleEntryPoint>
004086AD   . |8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004086B0   . |6A 00         push 0x0
004086B2   . |50            push eax
004086B3   . |C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004086BA   . |FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>;  Msvbvm50.rtcMsgBox
004086C0   . |8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086C3   . |FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  Msvbvm50.__vbaFreeStr
004086C9   . |8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004086CC   . |8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004086CF   . |51            push ecx                                 ;  AfKayAs_.<ModuleEntryPoint>
004086D0   . |8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004086D3   . |52            push edx                                 ;  AfKayAs_.<ModuleEntryPoint>
004086D4   . |8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004086D7   . |50            push eax
004086D8   . |51            push ecx                                 ;  AfKayAs_.<ModuleEntryPoint>
004086D9   . |EB 60         jmp short AfKayAs_.0040873B
004086DB   > \8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  Msvbvm50.__vbaStrCat
004086E1   .  68 08704000   push AfKayAs_.00407008                   ;  UNICODE "You Get Wrong"
004086E6   .  68 DC6F4000   push AfKayAs_.00406FDC                   ;  ASCII "\r"

Patching the je at 00408677 with nops is trivial, and the serial can also be found on the stack right before that jump. Next, find the prologue of the routine that contains the check (004080F0, not the program entry point, which is the push/call ThunRTMain pair at 00401170), set a breakpoint there and step through:

004080EE      90            nop
004080EF      90            nop
004080F0   >  55            push ebp                                 ;  start
004080F1   .  8BEC          mov ebp,esp
004080F3   .  83EC 0C       sub esp,0xC
004080F6   .  68 56104000   push <jmp.&MSVBVM50.__vbaExceptHandler>  ;  SE handler installation
004080FB   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00408101   .  50            push eax
00408102   .  64:8925 00000>mov dword ptr fs:[0],esp

"SE handler installation" is the SEH setup every VB procedure starts with; with the nop padding just before it and the SEH frame set up here, this is the start of the routine, so read the assembly from here on, aiming for the first place the name shows up:

004081E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  Msvbvm50.__vbaHresultCheckObj
004081E9   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]          ;  eax = name
004081F2   .  50            push eax
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>;  Msvbvm50.__vbaLenBstr
004081FB   .  8BF8          mov edi,eax
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]

I marked the first appearance of the name with a comment, and two VB runtime functions are visible here. __vbaLenBstr has come up many times already: it returns the length of the string (Len() of a BSTR). __vbaHresultCheckObj checks the HRESULT of the COM call just before it, here the read of the textbox's Text property, and raises a VB error if it failed. The fully annotated listing from this point on:

004081E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckO>;  Msvbvm50.__vbaHresultCheckObj
004081E9   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]                  ;  eax = name
004081F2   .  50            push eax
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]     ;  Msvbvm50.__vbaLenBstr
004081FB   .  8BF8          mov edi,eax                                      ;  eax = namelength; edi = eax
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]                  ;  ecx = name
00408200   .  69FF 385B0100 imul edi,edi,0x15B38                             ;  edi = edi * 0x15B38
00408206   .  51            push ecx
00408207   .  0F80 B7050000 jo AfKayAs_.004087C4
0040820D   .  FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_>;  Msvbvm50.rtcAnsiValueBstr
00408213   .  0FBFD0        movsx edx,ax                                     ;  edx = asc(firstnamechar)
00408216   .  03FA          add edi,edx                                      ;  edi = edi + edx
00408218   .  0F80 A6050000 jo AfKayAs_.004087C4
0040821E   .  57            push edi
0040821F   .  FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]       ;  eax = unicode(edi)
00408225   .  8BD0          mov edx,eax
00408227   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040822A   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]     ;  Msvbvm50.__vbaStrMove
00408230   .  8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00408236   .  50            push eax
00408237   .  57            push edi
00408238   .  FF93 A4000000 call dword ptr ds:[ebx+0xA4]                     ;  Msvbvm50.0F050D32
0040823E   .  85C0          test eax,eax
00408306   > \FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C   .  E8 578DFFFF   call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311   >  83EC 08       sub esp,0x8
00408314   .  DFE0          fstsw ax
00408316   .  A8 0D         test al,0xD
00408318   .  0F85 A1040000 jnz AfKayAs_.004087BF
0040831E   .  DEC1          faddp st(1),st
00408320   .  DFE0          fstsw ax
00408322   .  A8 0D         test al,0xD
00408324   .  0F85 95040000 jnz AfKayAs_.004087BF
0040832A   .  DD1C24        fstp qword ptr ss:[esp]
0040832D   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]       ;  Msvbvm50.__vbaStrR8
00408333   .  8BD0          mov edx,eax                                      ;  eax, edx = eax + 2
00408335   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
004083E3   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckO>;  Msvbvm50.__vbaHresultCheckObj
004083E9   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]                  ;  edx = keygenlvl1 + 2 = lvl2
004083F2   .  52            push edx
004083F3   .  8B19          mov ebx,dword ptr ds:[ecx]
004083F5   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]       ;  Msvbvm50.__vbaR8Str
004083FB   .  DC0D 10104000 fmul qword ptr ds:[0x401010]                     ;  st0 = lvl2 * 3
00408401   .  83EC 08       sub esp,0x8
00408404   .  DC25 18104000 fsub qword ptr ds:[0x401018]                     ;  st0 = st0 - 2
0040840A   .  DFE0          fstsw ax
0040840C   .  A8 0D         test al,0xD
0040840E   .  0F85 AB030000 jnz AfKayAs_.004087BF
00408414   .  DD1C24        fstp qword ptr ss:[esp]
00408417   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]       ;  Msvbvm50.__vbaStrR8
0040841D   .  8BD0          mov edx,eax                                      ;  edx = eax = st0 = lvl3
0040841F   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408422   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]     ;  Msvbvm50.__vbaStrMove
004084CD   .  FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckO>;  Msvbvm50.__vbaHresultCheckObj
004084D3   >  8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]                  ;  edx = lvl3
004084DC   .  52            push edx
004084DD   .  8B19          mov ebx,dword ptr ds:[ecx]
004084DF   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>]       ;  Msvbvm50.__vbaR8Str
004084E5   .  DC25 20104000 fsub qword ptr ds:[0x401020]                     ;  lvl3 + 15
004084EB   .  83EC 08       sub esp,0x8
004084EE   .  DFE0          fstsw ax
004084F0   .  A8 0D         test al,0xD
004084F2   .  0F85 C7020000 jnz AfKayAs_.004087BF
004084F8   .  DD1C24        fstp qword ptr ss:[esp]
004084FB   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>]       ;  Msvbvm50.__vbaStrR8
00408501   .  8BD0          mov edx,eax                                      ;  edx = eax = lvl4
00408503   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408506   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]     ;  Msvbvm50.__vbaStrMove

The assembly is a bit long, but it is already clear how the serial is generated. One caveat before the summary: the listing above skips 0040823E..00408306, and the `push dword ptr ds:[0x40100C]` / `call _adj_fdiv_m32` at 00408306 is the VB runtime's Pentium-FDIV-safe form of `fdiv dword ptr [0x40100C]`, i.e. a division by the 32-bit float at 0x40100C, which rejoins the FPU status check at 00408311 before the faddp. The summary below treats that whole stage as just `+ 2`, so check the constants at 0x40100C, 0x401010, 0x401018 and 0x401020 in the dump window (and what __vbaStrR8 actually prints) before relying on the formula against the program itself.

0x03 Serial summary

Keygen = ((name.Length) * 0x15B38 + asc(name[0]) + 2) * 3 - 2 + 15
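A keygen for the formula above, written here as an added example; it is not the crackme author's code or anything from the original article. It mirrors the two stages the listing shows: an integer stage as a VB Long with the overflow checks that the `jo AfKayAs_.004087C4` jumps implement, and a Double stage for the fmul/fsub chain converted back to a string like __vbaStrR8 does. The constants 2, 3, 2 and 15 (the values the listing comments attribute to the faddp and to 0x401010, 0x401018 and 0x401020) are assumptions taken from the summary and are parameters so they can be replaced with what the dump window shows; only ASCII names are modelled, where Asc() equals the code point.

```python
"""AfKayAs_2 keygen following the summary formula above (added example)."""

INT32_MAX = 0x7FFFFFFF
INT32_MIN = -0x80000000
MULTIPLIER = 0x15B38  # imul edi, edi, 0x15B38 at 00408200 (decimal 88888)


def vb_long(value: int) -> int:
    """Mirror the `jo AfKayAs_.004087C4` checks after imul/add: a VB Long is a
    signed 32-bit value and the runtime raises error 6 (Overflow) instead of
    wrapping silently."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError("VB runtime error 6: Overflow")
    return value


def vb_asc(name: str) -> int:
    """rtcAnsiValueBstr, i.e. VB Asc(): ANSI value of the first character.
    Asc("") raises error 5, so an empty name never reaches the compare.
    Assumption: ASCII names, for which the ANSI value equals ord()."""
    if not name:
        raise ValueError("VB runtime error 5: Invalid procedure call")
    return ord(name[0])


def stage_long(name: str) -> int:
    """Len(name) * 0x15B38 + Asc(name): the integer part of the listing
    (00408200..00408216), with both overflow checks."""
    product = vb_long(len(name) * MULTIPLIER)      # jo after imul
    return vb_long(product + vb_asc(name))         # jo after add


def max_name_length() -> int:
    """Longest name whose Len * 0x15B38 still fits in a Long."""
    return INT32_MAX // MULTIPLIER


def vb_str_r8(value: float) -> str:
    """__vbaStrR8 for the values this keygen produces: an integer-valued Double
    is printed without a fractional part (CStr(3#) = "3")."""
    return str(int(value)) if value.is_integer() else repr(value)


def keygen(name: str, add: float = 2.0, mul: float = 3.0,
           sub: float = 2.0, final: float = 15.0) -> str:
    """Serial for `name` per the summary formula. `add` stands for the faddp at
    0040831E; `mul`, `sub` and `final` stand for the constants at 0x401010,
    0x401018 and 0x401020 (assumed 3, 2 and -15 from the listing comments).
    Replace them with the values read from the dump if they differ."""
    value = float(stage_long(name))   # __vbaStrI4 then __vbaR8Str: Long -> Double
    value = value + add               # faddp st(1), st
    value = value * mul               # fmul qword ptr [0x401010]
    value = value - sub               # fsub qword ptr [0x401018]
    value = value + final             # fsub qword ptr [0x401020] with a negative constant
    return vb_str_r8(value)


if __name__ == "__main__":
    # Constructed sample names, including the two failure modes the runtime has.
    for candidate in ("abc", "AfKayAs", "", "x" * (max_name_length() + 1)):
        try:
            print(f"{candidate[:10]!r:>14} -> {keygen(candidate)}")
        except (OverflowError, ValueError) as exc:
            print(f"{candidate[:10]!r:>14} -> {exc}")
```

The overflow bound matters when fuzzing the textbox: from 24160 characters on, `Len * 0x15B38` no longer fits a Long and the program takes the `jo` branch to the error handler at 004087C4 instead of ever reaching the compare.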

0x04 kill nag

Note that the nag window stays up for a fixed time, and since the program is written in VB there must be a Timer/Interval-style delay property in the form data:

0040676C   .  54 69 6D 65 7>ascii "Timer1",0
00406773      0B            db 0B
00406774      03            db 03
00406775      58            db 58                                            ;  CHAR 'X'
00406776      1B            db 1B
00406777      00            db 00

Changing the bytes here had no effect and produced an ActiveX error, so I had evidently corrupted the form data; switch to the 0x4C method instead. First find the push at the entry point:

00401170 > $  68 D4674000   push AfKayAs_.004067D4
00401175   .  E8 F0FFFFFF   call <jmp.&MSVBVM50.#ThunRTMain_100>

004067D4 is the VB5 header that ThunRTMain receives; in the standard VB5/6 header layout the dword at offset 0x4C is lpGuiTable (the pointer to the form table) and wFormCount sits at 0x44. Following 004067D4+0x4C I arrived at address 00406868 and, using the VB structure layout found online, changed the order of the form entries there so that the nag is no longer the startup form.
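To make the "0x4C method" reproducible rather than a hand computation, here is an added example (not the article's code) that recovers the VB5 header address from the entry-point `push imm32 / call ThunRTMain` pair and reads the fields the trick depends on. The offsets are the commonly documented VB5/6 header layout (lpSubMain 0x2C, lpProjectData 0x30, wFormCount 0x44, lpGuiTable 0x4C) and should be checked against a VB structure reference; the image bytes are a constructed stand-in that only reuses the two addresses the article shows (entry 00401170, header 004067D4), with the header field values made up for the demo.

```python
"""Locate the VB5 header and its GUI-table pointer (added example)."""
import struct

IMAGE_BASE = 0x400000        # assumption: default image base of a VB5 exe

# offset in the VB5 header -> (field name, struct format)
VB5_FIELDS = {
    0x00: ("szVbMagic", "4s"),
    0x2C: ("lpSubMain", "<I"),
    0x30: ("lpProjectData", "<I"),
    0x44: ("wFormCount", "<H"),
    0x4C: ("lpGuiTable", "<I"),
}


def va_to_off(va: int, base: int = IMAGE_BASE) -> int:
    """Offset into a flat memory image (as dumped at runtime) for a VA."""
    return va - base


def header_va_from_entry(image: bytes, entry_va: int, base: int = IMAGE_BASE) -> int:
    """A VB5 entry point is `68 imm32` (push VBHeader) followed by `E8 rel32`
    (call ThunRTMain); return the pushed immediate."""
    off = va_to_off(entry_va, base)
    if image[off] != 0x68 or image[off + 5] != 0xE8:
        raise ValueError("entry point is not the expected push/call pair")
    return struct.unpack_from("<I", image, off + 1)[0]


def parse_vb5_header(image: bytes, header_va: int, base: int = IMAGE_BASE) -> dict:
    """Read the documented fields and insist on the 'VB5!' magic."""
    off = va_to_off(header_va, base)
    fields = {name: struct.unpack_from(fmt, image, off + field_off)[0]
              for field_off, (name, fmt) in VB5_FIELDS.items()}
    if fields["szVbMagic"] != b"VB5!":
        raise ValueError("no VB5! magic at the pushed address")
    fields["lpGuiTable_field_va"] = header_va + 0x4C   # the dword to patch
    return fields


def build_sample_image() -> bytes:
    """Constructed image: entry 00401170 pushing 004067D4 as in the article.
    Header contents (form count 2, table at 00406868) are demo values."""
    image = bytearray(0x8000)
    entry = va_to_off(0x401170)
    image[entry:entry + 5] = b"\x68" + struct.pack("<I", 0x4067D4)
    image[entry + 5] = 0xE8
    hdr = va_to_off(0x4067D4)
    image[hdr:hdr + 4] = b"VB5!"
    struct.pack_into("<I", image, hdr + 0x2C, 0)            # no Sub Main
    struct.pack_into("<H", image, hdr + 0x44, 2)            # nag form + main form
    struct.pack_into("<I", image, hdr + 0x4C, 0x406868)     # GUI table
    return bytes(image)


def locate_gui_table(image: bytes, entry_va: int, base: int = IMAGE_BASE) -> dict:
    """Whole procedure: entry -> header -> fields needed for the 0x4C method."""
    header_va = header_va_from_entry(image, entry_va, base)
    fields = parse_vb5_header(image, header_va, base)
    fields["header_va"] = header_va
    return fields


if __name__ == "__main__":
    info = locate_gui_table(build_sample_image(), 0x401170)
    for key, value in info.items():
        print(f"{key:22} {value:#010x}" if isinstance(value, int) else f"{key:22} {value}")
```

With the real dump, `lpGuiTable` is where the form entries live; the entry listed first is the startup form, which is why reordering them at that address changes which window appears first. If `lpSubMain` is non-zero the program starts in Sub Main instead and the form order alone will not decide it.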
