160CrackMe练手 002

首先查壳无壳,输入伪码报错,根据报错od查找字符串,定位到错误代码附近,可以看到有个条件跳转,改掉就可以爆破,接下来分析下注册算法,我们周围看看,从最近几个call看,并没有我们输入的用户名在堆栈中出现,那我们直接从这个函数开头往下找,一般一个函数开头是push ebp一段代码用来提升堆栈,找到后我们往下找,注意堆栈,直到我们输入的字符出现,开始细心往下跟

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
00402310 > \55 push ebp
00402311 . 8BEC mov ebp,esp
00402313 . 83EC 0C sub esp,0xC
00402316 . 68 26104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; SE 处理程序安装
0040231B . 64:A1 0000000>mov eax,dword ptr fs:[0]
00402321 . 50 push eax ; Afkayas_.00402191
00402322 . 64:8925 00000>mov dword ptr fs:[0],esp
00402329 . 81EC B0000000 sub esp,0xB0
0040232F . 53 push ebx
00402330 . 56 push esi
00402331 . 8B75 08 mov esi,dword ptr ss:[ebp+0x8] ; esi -> ASCII "2@"
00402334 . 57 push edi
00402335 . 8BC6 mov eax,esi ; eax -> ASCII "2@"
00402337 . 83E6 FE and esi,-0x2
0040233A . 8965 F4 mov dword ptr ss:[ebp-0xC],esp
0040233D . 83E0 01 and eax,0x1
00402340 . 8B1E mov ebx,dword ptr ds:[esi]
00402342 . C745 F8 08104>mov dword ptr ss:[ebp-0x8],Afkayas_.0040>
00402349 . 56 push esi
0040234A . 8945 FC mov dword ptr ss:[ebp-0x4],eax ; Afkayas_.00402191
0040234D . 8975 08 mov dword ptr ss:[ebp+0x8],esi
00402350 . FF53 04 call dword ptr ds:[ebx+0x4] ; msvbvm50.7404C5C8
00402353 . 8B83 10030000 mov eax,dword ptr ds:[ebx+0x310]
00402359 . 33FF xor edi,edi
0040235B . 56 push esi
0040235C . 897D E8 mov dword ptr ss:[ebp-0x18],edi
0040235F . 897D E4 mov dword ptr ss:[ebp-0x1C],edi
00402362 . 897D E0 mov dword ptr ss:[ebp-0x20],edi
00402365 . 897D DC mov dword ptr ss:[ebp-0x24],edi
00402368 . 897D D8 mov dword ptr ss:[ebp-0x28],edi
0040236B . 897D D4 mov dword ptr ss:[ebp-0x2C],edi
0040236E . 897D C4 mov dword ptr ss:[ebp-0x3C],edi
00402371 . 897D B4 mov dword ptr ss:[ebp-0x4C],edi
00402374 . 897D A4 mov dword ptr ss:[ebp-0x5C],edi
00402377 . 897D 94 mov dword ptr ss:[ebp-0x6C],edi
0040237A . 8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax ; Afkayas_.00402191
00402380 . FFD0 call eax ; Afkayas_.00402191
00402382 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
00402385 . 50 push eax ; Afkayas_.00402191
00402386 . 51 push ecx
00402387 . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSet
0040238D . 8B9B 00030000 mov ebx,dword ptr ds:[ebx+0x300]
00402393 . 56 push esi
00402394 . 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax ; Afkayas_.00402191
0040239A . 899D 3CFFFFFF mov dword ptr ss:[ebp-0xC4],ebx
004023A0 . FFD3 call ebx
004023A2 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
004023A5 . 50 push eax ; Afkayas_.00402191
004023A6 . 52 push edx
004023A7 . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSet
004023AD . 8BD8 mov ebx,eax ; Afkayas_.00402191
004023AF . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004023B2 . 51 push ecx
004023B3 . 53 push ebx
004023B4 . 8B03 mov eax,dword ptr ds:[ebx]
004023B6 . FF90 A0000000 call dword ptr ds:[eax+0xA0]
004023BC . 3BC7 cmp eax,edi
004023BE . 7D 12 jge short Afkayas_.004023D2
004023C0 . 68 A0000000 push 0xA0
004023C5 . 68 5C1B4000 push Afkayas_.00401B5C
004023CA . 53 push ebx
004023CB . 50 push eax ; Afkayas_.00402191
004023CC . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004023D2 > 56 push esi
004023D3 . FF95 3CFFFFFF call dword ptr ss:[ebp-0xC4]
004023D9 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
004023DC . 50 push eax ; Afkayas_.00402191
004023DD . 52 push edx
004023DE . FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSe>; msvbvm50.__vbaObjSet
004023E4 . 8BD8 mov ebx,eax ; Afkayas_.00402191
004023E6 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004023E9 . 51 push ecx
004023EA . 53 push ebx
004023EB . 8B03 mov eax,dword ptr ds:[ebx]
004023ED . FF90 A0000000 call dword ptr ds:[eax+0xA0]
004023F3 . 3BC7 cmp eax,edi
004023F5 . 7D 12 jge short Afkayas_.00402409
004023F7 . 68 A0000000 push 0xA0
004023FC . 68 5C1B4000 push Afkayas_.00401B5C
00402401 . 53 push ebx
00402402 . 50 push eax ; Afkayas_.00402191
00402403 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00402409 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
0040240F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; 用户名 -> eax
00402412 . 50 push eax ; /用户名 -> 堆栈
00402413 . 8B1A mov ebx,dword ptr ds:[edx] ; |
00402415 . FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \len(用户名) -> eax
0040241B . 8BF8 mov edi,eax ; len(用户名) -> edi
0040241D . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18] ; 用户名 -> ecx
00402420 . 69FF FB7C0100 imul edi,edi,0x17CFB ; len(用户名) * 0x17CFB ==> edi=A6ADD
00402426 . 51 push ecx ; /String = NULL
00402427 . 0F80 91020000 jo Afkayas_.004026BE ; |
0040242D . FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiVa>; \用户名去掉首字母 -> edx
00402433 . 0FBFD0 movsx edx,ax
00402436 . 03FA add edi,edx
00402438 . 0F80 80020000 jo Afkayas_.004026BE
0040243E . 57 push edi ; len(用户名) * 0x17CFB 入栈-> ebp-D4
0040243F . FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; 十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值 -> eax
00402445 . 8BD0 mov edx,eax ; Afkayas_.00402191
00402447 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040244A . FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00402450 . 8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00402456 . 50 push eax ; Afkayas_.00402191
00402457 . 57 push edi ; 十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值 入栈 -> ebp-D4
00402458 . FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040245E . 85C0 test eax,eax ; Afkayas_.00402191
00402460 . 7D 12 jge short Afkayas_.00402474
00402462 . 68 A4000000 push 0xA4
00402467 . 68 5C1B4000 push Afkayas_.00401B5C
0040246C . 57 push edi
0040246D . 50 push eax ; Afkayas_.00402191
0040246E . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00402474 > 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
00402477 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040247A . 50 push eax ; Afkayas_.00402191
0040247B . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
0040247E . 51 push ecx
0040247F . 52 push edx
00402480 . 6A 03 push 0x3
00402482 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
00402488 . 83C4 10 add esp,0x10
0040248B . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
0040248E . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00402491 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
00402494 . 50 push eax ; Afkayas_.00402191
00402495 . 51 push ecx
00402496 . 52 push edx
00402497 . 6A 03 push 0x3
00402499 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObjList
0040249F . 8B06 mov eax,dword ptr ds:[esi]
004024A1 . 83C4 10 add esp,0x10
004024A4 . 56 push esi
004024A5 . FF90 04030000 call dword ptr ds:[eax+0x304]
004024AB . 8B1D 0C414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaOb>; msvbvm50.__vbaObjSet
004024B1 . 50 push eax ; Afkayas_.00402191
004024B2 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004024B5 . 50 push eax ; Afkayas_.00402191
004024B6 . FFD3 call ebx ; <&MSVBVM50.__vbaObjSet>
004024B8 . 8BF8 mov edi,eax ; Afkayas_.00402191
004024BA . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
004024BD . 52 push edx
004024BE . 57 push edi
004024BF . 8B0F mov ecx,dword ptr ds:[edi]
004024C1 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024C7 . 85C0 test eax,eax ; Afkayas_.00402191
004024C9 . 7D 12 jge short Afkayas_.004024DD
004024CB . 68 A0000000 push 0xA0
004024D0 . 68 5C1B4000 push Afkayas_.00401B5C
004024D5 . 57 push edi
004024D6 . 50 push eax ; Afkayas_.00402191
004024D7 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004024DD > 56 push esi
004024DE . FF95 40FFFFFF call dword ptr ss:[ebp-0xC0]
004024E4 . 50 push eax ; Afkayas_.00402191
004024E5 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004024E8 . 50 push eax ; Afkayas_.00402191
004024E9 . FFD3 call ebx
004024EB . 8BF0 mov esi,eax ; Afkayas_.00402191
004024ED . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004024F0 . 52 push edx
004024F1 . 56 push esi
004024F2 . 8B0E mov ecx,dword ptr ds:[esi]
004024F4 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024FA . 85C0 test eax,eax ; Afkayas_.00402191
004024FC . 7D 12 jge short Afkayas_.00402510
004024FE . 68 A0000000 push 0xA0
00402503 . 68 5C1B4000 push Afkayas_.00401B5C
00402508 . 56 push esi
00402509 . 50 push eax ; Afkayas_.00402191
0040250A . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00402510 > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; user32.77D2BBF7
00402513 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
00402516 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaSt>; 十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值 -> ecx 密码 -> eax
0040251C . 50 push eax ; Afkayas_.00402191
0040251D . 68 701B4000 push Afkayas_.00401B70 ; "AKA-"入栈
00402522 . 51 push ecx ; /十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值 入栈
00402523 . FFD7 call edi ; \"AKA-"+"十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值" -> eax
00402525 . 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrMove
0040252B . 8BD0 mov edx,eax ; Afkayas_.00402191
0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00402530 . FFD3 call ebx ; <&MSVBVM50.__vbaStrMove>
00402532 . 50 push eax ; Afkayas_.00402191
00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; msvbvm50.__vbaStrCmp
00402539 . 8BF0 mov esi,eax ; Afkayas_.00402191
0040253B . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
0040253E . F7DE neg esi
00402540 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
00402543 . 52 push edx
00402544 . 1BF6 sbb esi,esi
00402546 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00402549 . 50 push eax ; Afkayas_.00402191
0040254A . 46 inc esi
0040254B . 51 push ecx
0040254C . 6A 03 push 0x3
0040254E . F7DE neg esi
00402550 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
00402556 . 83C4 10 add esp,0x10
00402559 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0040255C . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
0040255F . 52 push edx
00402560 . 50 push eax ; Afkayas_.00402191
00402561 . 6A 02 push 0x2
00402563 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObjList
00402569 . 83C4 0C add esp,0xC
0040256C . B9 04000280 mov ecx,0x80020004
00402571 . B8 0A000000 mov eax,0xA
00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00402579 . 66:85F6 test si,si
0040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax ; Afkayas_.00402191
0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax ; Afkayas_.00402191
00402585 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax ; Afkayas_.00402191
0040258B . 74 58 je short Afkayas_.004025E5
0040258D . 68 801B4000 push Afkayas_.00401B80 ; You Get It
00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
00402597 . FFD7 call edi
00402599 . 8BD0 mov edx,eax ; Afkayas_.00402191
0040259B . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0040259E . FFD3 call ebx
004025A0 . 50 push eax ; Afkayas_.00402191
004025A1 . 68 A81B4000 push Afkayas_.00401BA8 ; KeyGen It Now
004025A6 . FFD7 call edi
004025A8 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004025AB . 8945 CC mov dword ptr ss:[ebp-0x34],eax ; Afkayas_.00402191
004025AE . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004025B1 . 51 push ecx
004025B2 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004025B5 . 52 push edx
004025B6 . 50 push eax ; Afkayas_.00402191
004025B7 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004025BA . 6A 00 push 0x0
004025BC . 51 push ecx
004025BD . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; msvbvm50.rtcMsgBox
004025CA . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025CD . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004025D3 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004025D6 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
004025D9 . 52 push edx
004025DA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004025DD . 50 push eax ; Afkayas_.00402191
004025DE . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004025E1 . 51 push ecx
004025E2 . 52 push edx
004025E3 . EB 56 jmp short Afkayas_.0040263B
004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; You Get Wrong
004025EA . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
004025EF . FFD7 call edi
004025F1 . 8BD0 mov edx,eax ; Afkayas_.00402191
004025F3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025F6 . FFD3 call ebx
004025F8 . 50 push eax ; Afkayas_.00402191
004025F9 . 68 E81B4000 push Afkayas_.00401BE8 ; Try Again

通过分析可以看到加密关键代码是

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
0040240F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; 用户名 -> eax
00402412 . 50 push eax ; /用户名 -> 堆栈
00402413 . 8B1A mov ebx,dword ptr ds:[edx] ; |
00402415 . FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \len(用户名) -> eax
0040241B . 8BF8 mov edi,eax ; len(用户名) -> edi
0040241D . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18] ; 用户名 -> ecx
00402420 . 69FF FB7C0100 imul edi,edi,0x17CFB ; len(用户名) * 0x17CFB ==> edi=A6ADD
00402426 . 51 push ecx ; /String = NULL
00402427 . 0F80 91020000 jo Afkayas_.004026BE ; |
0040242D . FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiVa>; \用户名去掉首字母 -> edx
0040243E . 57 push edi ; len(用户名) * 0x17CFB 入栈-> ebp-D4
0040243F . FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; 十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值 -> eax
0040251D . 68 701B4000 push Afkayas_.00401B70 ; "AKA-"入栈
00402522 . 51 push ecx ; /十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值 入栈
00402523 . FFD7 call edi ; \"AKA-"+"十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值" -> eax

可以看出流程就是 “AKA-“+”十进制(len(用户名) * 0x17CFB) + 首字母十进制ascii值”

写注册机(Python)

1
2
3
4
5
6
import sys
username = sys.argv[1]
pwend = len(username) * 0x17CFB + ord(username[0])
password = "AKA-%d"%pwend
print(password)

测试结果

1
2
C:\Users\Administrator\Desktop>python 1.py akkuman
AKA-682814

!坚持技术分享,您的支持将鼓励我继续创作!