160 CrackMes: #002

As before, first get a feel for the program: type any Name/Serial and an error box pops up.

Choose Serial/Name and enter a user name and serial:

Name:111222
Serial:333444

Click OK and an error box pops up. Do not press its OK button yet; switch back to OllyDbg, pause (F12), and open the call stack with the K toolbar button (Ctrl+K). It looks like this:

调用堆栈:     主线程
地址       堆栈       函数过程 / 参数                       调用来自                      结构
0012EDB0   77D19418   包含ntdll.KiFastSystemCallRet           user32.77D19416               0012EDE4
0012EDB4   77D2770A   user32.WaitMessage                    user32.77D27705               0012EDE4
0012EDE8   77D249C4   user32.77D2757B                       user32.77D249BF               0012EDE4
0012EE10   77D3A956   user32.77D2490E                       user32.77D3A951               0012EE0C
0012F0D0   77D3A2BC   user32.SoftModalMessageBox            user32.77D3A2B7               0012F0CC
0012F220   77D3A10B   user32.77D3A147                       user32.77D3A106               0012F21C
0012F28C   740CEE19   user32.MessageBoxIndirectA            msvbvm50.740CEE13             0012F288
0012F290   0012F298     pMsgBoxParams = 0012F298
0012F2C4   740CEC81   包含msvbvm50.740CEE19                   msvbvm50.740CEC7E             0012F2C0
0012F2E8   740CEFAF   msvbvm50.740CEB58                     msvbvm50.740CEFAA             0012F2E4
0012F318   740C6394   msvbvm50.740CEF19                     msvbvm50.740C638F             0012F314
0012F384   740F414D   msvbvm50.740C60F3                     msvbvm50.740F4148             0012F380
0012F3F8   00402622   msvbvm50.rtcMsgBox                    Afkayas_.0040261C             0012F3F4

rtcMsgBox() is VB's message box function, and this is the call that shows the error message. Let's see where it is called from:

00402310   > \55            push ebp
00402311   .  8BEC          mov ebp,esp
00402313   .  83EC 0C       sub esp,0xC
00402316   .  68 26104000   push <jmp.&MSVBVM50.__vbaExceptHandler>             ;  Installs SE handler
0040231B   .  64:A1 0000000>mov eax,dword ptr fs:[0]
00402321   .  50            push eax
00402322   .  64:8925 00000>mov dword ptr fs:[0],esp
00402329   .  81EC B0000000 sub esp,0xB0
0040232F   .  53            push ebx
00402330   .  56            push esi
00402331   .  8B75 08       mov esi,dword ptr ss:[ebp+0x8]
00402334   .  57            push edi
00402335   .  8BC6          mov eax,esi
00402337   .  83E6 FE       and esi,-0x2
0040233A   .  8965 F4       mov dword ptr ss:[ebp-0xC],esp
0040233D   .  83E0 01       and eax,0x1
00402340   .  8B1E          mov ebx,dword ptr ds:[esi]
00402342   .  C745 F8 08104>mov dword ptr ss:[ebp-0x8],Afkayas_.00401008
00402349   .  56            push esi
0040234A   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
0040234D   .  8975 08       mov dword ptr ss:[ebp+0x8],esi
00402350   .  FF53 04       call dword ptr ds:[ebx+0x4]
00402353   .  8B83 10030000 mov eax,dword ptr ds:[ebx+0x310]
00402359   .  33FF          xor edi,edi
0040235B   .  56            push esi
0040235C   .  897D E8       mov dword ptr ss:[ebp-0x18],edi
0040235F   .  897D E4       mov dword ptr ss:[ebp-0x1C],edi
00402362   .  897D E0       mov dword ptr ss:[ebp-0x20],edi
00402365   .  897D DC       mov dword ptr ss:[ebp-0x24],edi
00402368   .  897D D8       mov dword ptr ss:[ebp-0x28],edi
0040236B   .  897D D4       mov dword ptr ss:[ebp-0x2C],edi
0040236E   .  897D C4       mov dword ptr ss:[ebp-0x3C],edi
00402371   .  897D B4       mov dword ptr ss:[ebp-0x4C],edi
00402374   .  897D A4       mov dword ptr ss:[ebp-0x5C],edi
00402377   .  897D 94       mov dword ptr ss:[ebp-0x6C],edi
0040237A   .  8985 40FFFFFF mov dword ptr ss:[ebp-0xC0],eax
00402380   .  FFD0          call eax
00402382   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
00402385   .  50            push eax
00402386   .  51            push ecx
00402387   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]         ;  msvbvm50.__vbaObjSet
0040238D   .  8B9B 00030000 mov ebx,dword ptr ds:[ebx+0x300]
00402393   .  56            push esi
00402394   .  8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
0040239A   .  899D 3CFFFFFF mov dword ptr ss:[ebp-0xC4],ebx
004023A0   .  FFD3          call ebx
004023A2   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
004023A5   .  50            push eax
004023A6   .  52            push edx
004023A7   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]         ;  msvbvm50.__vbaObjSet
004023AD   .  8BD8          mov ebx,eax
004023AF   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004023B2   .  51            push ecx
004023B3   .  53            push ebx
004023B4   .  8B03          mov eax,dword ptr ds:[ebx]
004023B6   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]
004023BC   .  3BC7          cmp eax,edi
004023BE   .  7D 12         jge short Afkayas_.004023D2
004023C0   .  68 A0000000   push 0xA0
004023C5   .  68 5C1B4000   push Afkayas_.00401B5C
004023CA   .  53            push ebx
004023CB   .  50            push eax
004023CC   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>>;  msvbvm50.__vbaHresultCheckObj
004023D2   >  56            push esi
004023D3   .  FF95 3CFFFFFF call dword ptr ss:[ebp-0xC4]
004023D9   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
004023DC   .  50            push eax
004023DD   .  52            push edx
004023DE   .  FF15 0C414000 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>]         ;  msvbvm50.__vbaObjSet
004023E4   .  8BD8          mov ebx,eax
004023E6   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
004023E9   .  51            push ecx
004023EA   .  53            push ebx
004023EB   .  8B03          mov eax,dword ptr ds:[ebx]
004023ED   .  FF90 A0000000 call dword ptr ds:[eax+0xA0]
004023F3   .  3BC7          cmp eax,edi
004023F5   .  7D 12         jge short Afkayas_.00402409
004023F7   .  68 A0000000   push 0xA0
004023FC   .  68 5C1B4000   push Afkayas_.00401B5C
00402401   .  53            push ebx
00402402   .  50            push eax
00402403   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>>;  msvbvm50.__vbaHresultCheckObj
00402409   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
0040240F   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]                     ;  user name: 111222
00402412   .  50            push eax                                            ; /user name: 111222
00402413   .  8B1A          mov ebx,dword ptr ds:[edx]                          ; |
00402415   .  FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]        ; \__vbaLenBstr
0040241B   .  8BF8          mov edi,eax                                         ;  user name length: 0x6
0040241D   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]                     ;  ecx holds the address of the user name
00402420   .  69FF FB7C0100 imul edi,edi,0x17CFB                                ;  edi = name length * 0x17CFB == 0x8EDE2
00402426   .  51            push ecx                                            ; /String = 00000001 ???
00402427   .  0F80 91020000 jo Afkayas_.004026BE                                ; |
0040242D   .  FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>; \rtcAnsiValueBstr
00402433   .  0FBFD0        movsx edx,ax                                        ;  first byte of the user name: 0x31
00402436   .  03FA          add edi,edx                                         ;  0x8EDE2 + 0x31 = 0x8EE13
00402438   .  0F80 80020000 jo Afkayas_.004026BE
0040243E   .  57            push edi
0040243F   .  FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]          ;  convert the integer to a decimal string
00402445   .  8BD0          mov edx,eax                                         ;  edx = "585235"
00402447   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040244A   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]        ;  msvbvm50.__vbaStrMove
00402450   .  8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00402456   .  50            push eax
00402457   .  57            push edi
00402458   .  FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040245E   .  85C0          test eax,eax
00402460   .  7D 12         jge short Afkayas_.00402474
00402462   .  68 A4000000   push 0xA4
00402467   .  68 5C1B4000   push Afkayas_.00401B5C
0040246C   .  57            push edi
0040246D   .  50            push eax
0040246E   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>>;  msvbvm50.__vbaHresultCheckObj
00402474   >  8D45 E0       lea eax,dword ptr ss:[ebp-0x20]
00402477   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040247A   .  50            push eax
0040247B   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
0040247E   .  51            push ecx
0040247F   .  52            push edx
00402480   .  6A 03         push 0x3
00402482   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]    ;  msvbvm50.__vbaFreeStrList
00402488   .  83C4 10       add esp,0x10
0040248B   .  8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
0040248E   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00402491   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
00402494   .  50            push eax
00402495   .  51            push ecx
00402496   .  52            push edx
00402497   .  6A 03         push 0x3
00402499   .  FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]    ;  msvbvm50.__vbaFreeObjList
0040249F   .  8B06          mov eax,dword ptr ds:[esi]
004024A1   .  83C4 10       add esp,0x10
004024A4   .  56            push esi
004024A5   .  FF90 04030000 call dword ptr ds:[eax+0x304]
004024AB   .  8B1D 0C414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaObjSet>]      ;  msvbvm50.__vbaObjSet
004024B1   .  50            push eax
004024B2   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004024B5   .  50            push eax
004024B6   .  FFD3          call ebx                                            ;  <&MSVBVM50.__vbaObjSet>
004024B8   .  8BF8          mov edi,eax
004024BA   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
004024BD   .  52            push edx
004024BE   .  57            push edi
004024BF   .  8B0F          mov ecx,dword ptr ds:[edi]
004024C1   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024C7   .  85C0          test eax,eax
004024C9   .  7D 12         jge short Afkayas_.004024DD
004024CB   .  68 A0000000   push 0xA0
004024D0   .  68 5C1B4000   push Afkayas_.00401B5C
004024D5   .  57            push edi
004024D6   .  50            push eax
004024D7   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>>;  msvbvm50.__vbaHresultCheckObj
004024DD   >  56            push esi
004024DE   .  FF95 40FFFFFF call dword ptr ss:[ebp-0xC0]
004024E4   .  50            push eax
004024E5   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
004024E8   .  50            push eax
004024E9   .  FFD3          call ebx
004024EB   .  8BF0          mov esi,eax
004024ED   .  8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
004024F0   .  52            push edx
004024F1   .  56            push esi
004024F2   .  8B0E          mov ecx,dword ptr ds:[esi]
004024F4   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024FA   .  85C0          test eax,eax
004024FC   .  7D 12         jge short Afkayas_.00402510
004024FE   .  68 A0000000   push 0xA0
00402503   .  68 5C1B4000   push Afkayas_.00401B5C
00402508   .  56            push esi
00402509   .  50            push eax
0040250A   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>>;  msvbvm50.__vbaHresultCheckObj
00402510   >  8B45 E8       mov eax,dword ptr ss:[ebp-0x18]                     ;  the serial entered: 333444
00402513   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]                     ;  serial computed from the user name: 585235
00402516   .  8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaStrCat>]      ;  msvbvm50.__vbaStrCat
0040251C   .  50            push eax
0040251D   .  68 701B4000   push Afkayas_.00401B70                              ;  UNICODE "AKA-"
00402522   .  51            push ecx                                            ; /String = 00000001 ???
00402523   .  FFD7          call edi                                            ; \__vbaStrCat
00402525   .  8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrMove>]     ;  msvbvm50.__vbaStrMove
0040252B   .  8BD0          mov edx,eax                                         ;  concatenated string: AKA-585235
0040252D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00402530   .  FFD3          call ebx                                            ;  <&MSVBVM50.__vbaStrMove>
00402532   .  50            push eax
00402533   .  FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>]         ;  msvbvm50.__vbaStrCmp
00402539   .  8BF0          mov esi,eax
0040253B   .  8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
0040253E   .  F7DE          neg esi
00402540   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00402543   .  52            push edx
00402544   .  1BF6          sbb esi,esi
00402546   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402549   .  50            push eax
0040254A   .  46            inc esi
0040254B   .  51            push ecx
0040254C   .  6A 03         push 0x3
0040254E   .  F7DE          neg esi
00402550   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]    ;  msvbvm50.__vbaFreeStrList
00402556   .  83C4 10       add esp,0x10
00402559   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
0040255C   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
0040255F   .  52            push edx
00402560   .  50            push eax
00402561   .  6A 02         push 0x2
00402563   .  FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>]    ;  msvbvm50.__vbaFreeObjList
00402569   .  83C4 0C       add esp,0xC
0040256C   .  B9 04000280   mov ecx,0x80020004
00402571   .  B8 0A000000   mov eax,0xA
00402576   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00402579   .  66:85F6       test si,si
0040257C   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040257F   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
00402582   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00402585   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00402588   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0040258B      74 58         je short Afkayas_.004025E5                          ;  the key jump
0040258D   .  68 801B4000   push Afkayas_.00401B80                              ;  UNICODE "You Get It"
00402592   .  68 9C1B4000   push Afkayas_.00401B9C                              ;  ASCII "\r"
00402597   .  FFD7          call edi
00402599   .  8BD0          mov edx,eax
0040259B   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
0040259E   .  FFD3          call ebx
004025A0   .  50            push eax
004025A1   .  68 A81B4000   push Afkayas_.00401BA8                              ;  UNICODE "KeyGen It Now"
004025A6   .  FFD7          call edi
004025A8   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004025AB   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
004025AE   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004025B1   .  51            push ecx
004025B2   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004025B5   .  52            push edx
004025B6   .  50            push eax
004025B7   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004025BA   .  6A 00         push 0x0
004025BC   .  51            push ecx
004025BD   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4   .  FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox_595>]      ;  msvbvm50.rtcMsgBox
004025CA   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025CD   .  FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]        ;  msvbvm50.__vbaFreeStr
004025D3   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
004025D6   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
004025D9   .  52            push edx
004025DA   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
004025DD   .  50            push eax
004025DE   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
004025E1   .  51            push ecx
004025E2   .  52            push edx
004025E3   .  EB 56         jmp short Afkayas_.0040263B
004025E5   >  68 C81B4000   push Afkayas_.00401BC8                              ;  UNICODE "You Get Wrong"
004025EA   .  68 9C1B4000   push Afkayas_.00401B9C                              ;  ASCII "\r"
004025EF   .  FFD7          call edi
004025F1   .  8BD0          mov edx,eax
004025F3   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025F6   .  FFD3          call ebx
004025F8   .  50            push eax
004025F9   .  68 E81B4000   push Afkayas_.00401BE8                              ;  UNICODE "Try Again"
004025FE   .  FFD7          call edi
00402600   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
00402603   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
00402606   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00402609   .  50            push eax
0040260A   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
0040260D   .  51            push ecx
0040260E   .  52            push edx
0040260F   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
00402612   .  6A 00         push 0x0
00402614   .  50            push eax
00402615   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040261C   .  FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox_595>]      ;  error message box
00402622   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00402625   .  FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStr>]        ;  msvbvm50.__vbaFreeStr

From the analysis: take the length len of the user name, then the ANSI value cName of its first character, compute len*0x17CFB+cName, convert the result to decimal text, and prepend "AKA-" to form the final registration code.

#include <cstdio>
#include <cstring>

int main() {
	const char* str_ = "111222";              // user name
	unsigned int len_ = strlen(str_);         // Len(name)
	unsigned int cnt = len_ * 0x17CFB;        // Len(name) * 0x17CFB
	cnt += str_[0];                           // + Asc(name), the first character

	printf("Serial: AKA-%u\r\n", cnt);        // prefix "AKA-"

	return 0;
}
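The check as the listing performs it (multiply, add, __vbaStrI4, __vbaStrCat, __vbaStrCmp), as an added example that is not part of the original post: the function names are mine, the VB runtime calls are re-implemented in plain C++ rather than called, and the two jo exits plus Asc("") on an empty name are modelled as a rejected input. It also shows why the scheme is weak: only Len() and the first character feed the computation, so any two names sharing those collide.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Mirror of the check at 00402409..0040253E, written from the listing above
// (hypothetical names; the VB runtime calls are re-implemented, not called):
//   edi = Len(name) * 0x17CFB        imul + jo   -> VB "Overflow" on error
//   edi = edi + Asc(name)            rtcAnsiValueBstr, movsx edx,ax, add + jo
//   s   = "AKA-" & CStr(edi)         __vbaStrI4, __vbaStrCat
//   ok  = __vbaStrCmp(s, serial) == 0
static const int32_t kMultiplier = 0x17CFB;   // 97531, the imul immediate

// Returns the serial the program would accept for `name`, or "" where the
// VB code raises a runtime error instead of comparing anything: Asc("") on
// an empty name, or a signed 32-bit overflow caught by either jo.
std::string expected_serial(const std::string& name) {
    if (name.empty()) return "";                                   // rtcAnsiValueBstr("") raises
    int64_t product = static_cast<int64_t>(name.size()) * kMultiplier;
    if (product > INT32_MAX || product < INT32_MIN) return "";     // jo at 00402427
    // movsx edx,ax: Asc() is sign-extended from 16 bits. For single-byte text
    // the value is simply the first character's byte, 0..255.
    int16_t first = static_cast<int16_t>(static_cast<unsigned char>(name[0]));
    int64_t sum = product + first;
    if (sum > INT32_MAX || sum < INT32_MIN) return "";             // jo at 00402438
    return "AKA-" + std::to_string(static_cast<int32_t>(sum));    // __vbaStrI4 + __vbaStrCat
}

// The __vbaStrCmp at 00402533 is an exact, case-sensitive string compare.
bool check_serial(const std::string& name, const std::string& serial) {
    std::string expected = expected_serial(name);
    return !expected.empty() && expected == serial;
}

int main() {
    // Constructed inputs: the post's own pair, the serial the keygen yields,
    // and a second name that collides because only Len() and the first
    // character feed the computation.
    const char* cases[][2] = {
        {"111222", "333444"},      // rejected: the post's test input
        {"111222", "AKA-585235"},  // accepted
        {"1abcde", "AKA-585235"},  // accepted too: same length, same first char
    };
    for (const auto& c : cases)
        std::printf("%-8s %-12s -> %s\n", c[0], c[1],
                    check_serial(c[0], c[1]) ? "You Get It" : "You Get Wrong");
    return 0;
}
```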