160个CrackMe之013

要删除最开始的提示框,可直接搜索字符串,定位到00402C85,再找到调用提示框函数的位置(00402CFE):

00402C7C   .  8975 8C       mov dword ptr ss:[ebp-0x74],esi
00402C7F   .  89B5 5CFFFFFF mov dword ptr ss:[ebp-0xA4],esi
00402C85   .  C745 84 F01E4>mov dword ptr ss:[ebp-0x7C],blaster9.004>;  Entferne diesen Nag, oder bekomme das richtige Passwort heraus !
00402C8C   .  899D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ebx
00402C92   .  E8 95E4FFFF   call <jmp.&MSVBVM50.__vbaVarCopy>
00402C97   .  6A 03         push 0x3
00402C99   .  8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
00402C9F   .  5F            pop edi                                  ;  0060B6A4
00402CA0   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00402CA3   .  C745 84 21000>mov dword ptr ss:[ebp-0x7C],0x21
00402CAA   .  89BD 7CFFFFFF mov dword ptr ss:[ebp-0x84],edi
00402CB0   .  E8 71E4FFFF   call <jmp.&MSVBVM50.__vbaVarMove>
00402CB5   .  8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-0x84]
00402CBB   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00402CBE   .  C745 84 781F4>mov dword ptr ss:[ebp-0x7C],blaster9.004>;  Nag Meldung
00402CC5   .  899D 7CFFFFFF mov dword ptr ss:[ebp-0x84],ebx
00402CCB   .  E8 5CE4FFFF   call <jmp.&MSVBVM50.__vbaVarCopy>
00402CD0   .  6A 0A         push 0xA
00402CD2   .  B9 04000280   mov ecx,0x80020004
00402CD7   .  58            pop eax                                  ;  0060B6A4
00402CD8   .  894D 94       mov dword ptr ss:[ebp-0x6C],ecx
00402CDB   .  8945 8C       mov dword ptr ss:[ebp-0x74],eax
00402CDE   .  8945 9C       mov dword ptr ss:[ebp-0x64],eax
00402CE1   .  8D45 8C       lea eax,dword ptr ss:[ebp-0x74]
00402CE4   .  894D A4       mov dword ptr ss:[ebp-0x5C],ecx
00402CE7   .  50            push eax
00402CE8   .  8D45 9C       lea eax,dword ptr ss:[ebp-0x64]
00402CEB   .  50            push eax
00402CEC   .  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
00402CEF   .  50            push eax
00402CF0   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
00402CF3   .  50            push eax
00402CF4   .  E8 21E4FFFF   call <jmp.&MSVBVM50.__vbaI4Var>
00402CF9   .  50            push eax
00402CFA   .  8D45 AC       lea eax,dword ptr ss:[ebp-0x54]
00402CFD   .  50            push eax
00402CFE      E8 1DE4FFFF   call <jmp.&MSVBVM50.#rtcMsgBox_595>      ;  调用提示框
00402D03   .  8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00402D09   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
00402D0C   .  8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
00402D12   .  89BD 5CFFFFFF mov dword ptr ss:[ebp-0xA4],edi
00402D18   .  E8 09E4FFFF   call <jmp.&MSVBVM50.__vbaVarMove>
00402D1D   .  8D45 8C       lea eax,dword ptr ss:[ebp-0x74]
00402D20   .  50            push eax
00402D21   .  8D45 9C       lea eax,dword ptr ss:[ebp-0x64]
00402D24   .  50            push eax
00402D25   .  6A 02         push 0x2
00402D27   .  E8 E8E3FFFF   call <jmp.&MSVBVM50.__vbaFreeVarList>
00402D2C   .  83C4 0C       add esp,0xC
00402D2F   .  8D45 BC       lea eax,dword ptr ss:[ebp-0x44]
00402D32   .  C745 84 01000>mov dword ptr ss:[ebp-0x7C],0x1
00402D39   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x8003
00402D43   .  50            push eax                                 ; /var18 = NULL
00402D44   .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]          ; |
00402D4A   .  50            push eax                                 ; |var28 = NULL
00402D4B   .  E8 BEE3FFFF   call <jmp.&MSVBVM50.__vbaVarTstEq>       ; \__vbaVarTstEq
00402D50   .  66:85C0       test ax,ax
00402D53     /75 05         jnz short blaster9.00402D5A              ;  选择是或否的跳转
00402D55   . |E8 AEE3FFFF   call <jmp.&MSVBVM50.__vbaEnd>
00402D5A   > \8975 FC       mov dword ptr ss:[ebp-0x4],esi
00402D5D   .  68 982D4000   push blaster9.00402D98
00402D62   .  EB 13         jmp short blaster9.00402D77
00402D64   .  8D45 8C       lea eax,dword ptr ss:[ebp-0x74]

将调用提示框函数的call指令用nop填充,并将条件跳转jnz改为无条件跳转jmp:

00402CFA   .  8D45 AC       lea eax,dword ptr ss:[ebp-0x54]
00402CFD   .  50            push eax
00402CFE      90            nop                                      ;  调用提示框
00402CFF      90            nop
00402D00      90            nop
00402D01      90            nop
00402D02      90            nop
00402D03   .  8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
00402D09   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
00402D0C   .  8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
00402D12   .  89BD 5CFFFFFF mov dword ptr ss:[ebp-0xA4],edi
00402D18   .  E8 09E4FFFF   call <jmp.&MSVBVM50.__vbaVarMove>
00402D1D   .  8D45 8C       lea eax,dword ptr ss:[ebp-0x74]
00402D20   .  50            push eax
00402D21   .  8D45 9C       lea eax,dword ptr ss:[ebp-0x64]
00402D24   .  50            push eax
00402D25   .  6A 02         push 0x2
00402D27   .  E8 E8E3FFFF   call <jmp.&MSVBVM50.__vbaFreeVarList>
00402D2C   .  83C4 0C       add esp,0xC
00402D2F   .  8D45 BC       lea eax,dword ptr ss:[ebp-0x44]
00402D32   .  C745 84 01000>mov dword ptr ss:[ebp-0x7C],0x1
00402D39   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x8003
00402D43   .  50            push eax                                 ; /var18 = NULL
00402D44   .  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]          ; |
00402D4A   .  50            push eax                                 ; |var28 = NULL
00402D4B   .  E8 BEE3FFFF   call <jmp.&MSVBVM50.__vbaVarTstEq>       ; \__vbaVarTstEq
00402D50   .  66:85C0       test ax,ax
00402D53      EB 05         jmp short blaster9.00402D5A              ;  选择是或否的跳转
00402D55   .  E8 AEE3FFFF   call <jmp.&MSVBVM50.__vbaEnd>
00402D5A   >  8975 FC       mov dword ptr ss:[ebp-0x4],esi

进入主界面后,输入1234进行注册,弹出一个错误提示框,根据提示信息搜索字符串进行定位:

00402A69   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],new_blas.004>;  Error ! Das Passwort ist falsch !
00402A73   .  C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
00402A7D   .  E8 AAE6FFFF   call <jmp.&MSVBVM50.__vbaVarCopy>
00402A82   .  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00402A88   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00402A8B   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x10
00402A95   .  899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ebx
00402A9B   .  E8 86E6FFFF   call <jmp.&MSVBVM50.__vbaVarMove>
00402AA0   .  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00402AA6   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
00402AA9   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],new_blas.004>;  PASSWORT FALSCH !
00402AB3   .  C785 74FFFFFF>mov dword ptr ss:[ebp-0x8C],0x8
00402ABD   .  E8 6AE6FFFF   call <jmp.&MSVBVM50.__vbaVarCopy>
00402AC2   .  8D45 84       lea eax,dword ptr ss:[ebp-0x7C]
00402AC5   .  897D 8C       mov dword ptr ss:[ebp-0x74],edi
00402AC8   .  50            push eax
00402AC9   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
00402ACC   .  50            push eax
00402ACD   .  8D45 CC       lea eax,dword ptr ss:[ebp-0x34]
00402AD0   .  50            push eax
00402AD1   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
00402AD4   .  50            push eax
00402AD5   .  8975 84       mov dword ptr ss:[ebp-0x7C],esi
00402AD8   .  897D 9C       mov dword ptr ss:[ebp-0x64],edi
00402ADB   .  8975 94       mov dword ptr ss:[ebp-0x6C],esi
00402ADE   .  E8 37E6FFFF   call <jmp.&MSVBVM50.__vbaI4Var>
00402AE3   .  50            push eax
00402AE4   .  8D45 AC       lea eax,dword ptr ss:[ebp-0x54]
00402AE7   .  50            push eax
00402AE8   .  E8 33E6FFFF   call <jmp.&MSVBVM50.#rtcMsgBox_595>      ;  错误提示框
00402AED   .  8D95 54FFFFFF lea edx,dword ptr ss:[ebp-0xAC]
00402AF3   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
00402AF6   .  8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax

继续向上分析,查找跳转到此处的关键跳转:

004028A9   .  68 A0000000   push 0xA0
004028AE   .  68 F41D4000   push new_blas.00401DF4
004028B3   .  57            push edi
004028B4   .  50            push eax
004028B5   .  E8 84E8FFFF   call <jmp.&MSVBVM50.__vbaHresultCheckObj>
004028BA   >  FF75 A8       push dword ptr ss:[ebp-0x58]             ;  输入的:1234
004028BD   .  68 DC1D4000   push new_blas.00401DDC                   ;  2G83G35Hs2
004028C2   .  E8 83E8FFFF   call <jmp.&MSVBVM50.__vbaStrCmp>         ;  字符串比较
004028C7   .  8BF8          mov edi,eax
004028C9   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
004028CC   .  F7DF          neg edi
004028CE   .  1BFF          sbb edi,edi
004028D0   .  47            inc edi
004028D1   .  F7DF          neg edi
004028D3   .  E8 60E8FFFF   call <jmp.&MSVBVM50.__vbaFreeStr>
004028D8   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004028DB   .  E8 52E8FFFF   call <jmp.&MSVBVM50.__vbaFreeObj>
004028E0   .  66:3BFE       cmp di,si
004028E3      0F84 F3000000 je new_blas.004029DC                     ;  错误与失败的跳转
004028E9   .  6A 08         push 0x8
004028EB   .  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
004028F1   .  5E            pop esi
004028F2   .  8D4D AC       lea ecx,dword ptr ss:[ebp-0x54]
004028F5   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],new_blas.004>;  Danke, das Passwort ist richtig !
004028FF   .  89B5 74FFFFFF mov dword ptr ss:[ebp-0x8C],esi
00402905   .  E8 22E8FFFF   call <jmp.&MSVBVM50.__vbaVarCopy>
0040290A   .  6A 03         push 0x3
0040290C   .  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
00402912   .  5B            pop ebx
00402913   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00402916   .  C785 7CFFFFFF>mov dword ptr ss:[ebp-0x84],0x31
00402920   .  899D 74FFFFFF mov dword ptr ss:[ebp-0x8C],ebx
00402926   .  E8 FBE7FFFF   call <jmp.&MSVBVM50.__vbaVarMove>

由上面的分析可知,输入的字符串被直接传给__vbaStrCmp与常量字符串比较,因此注册码为固定值:2G83G35Hs2
