Creckme_bjanes.1

Abstract:

00403783    .  66:394D E8    cmp word ptr ss:[ebp-0x18],cx            ;  compare 1 with the code length; 1 > 9 jumps to success
00403787    .  0F8F 17030000 jg bjanes_1.00403AA4                     ;  jump to success

This section compares 1 with the code length: if the code length is less than 1, it jumps to success. These two pieces of code with completely opposite meanings easily make us think this challenge can only be solved by brute force. However, a keygen can in fact be worked out for it. We enter a fake code of length 9; after running, we can see that because the jump is not taken, the big loop below is executed.

Summary first: this crackme has one small trap, and its check loop is particularly long.

Let's start with the trap:

004036DC    .  50            push eax                                 ; /String = " 3"
004036DD    .  FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>;  get the length
004036E3    .  33C9          xor ecx,ecx
004036E5    .  83F8 09       cmp eax,0x9
004036E8    .  0f95c1        setne cl                                 ;  if eax=9 then cl=0; if eax<>9 then cl=1
004036EB    .  F7D9          neg ecx                                  ;  negate ecx in place: cl=0 stays 0; cl=1 becomes -1, i.e. FFFFFFFF
004036ED    .  8BF1          mov esi,ecx
004036EF    .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
004036F2    .  FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  msvbvm60.__vbaFreeStr
004036F8    .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004036FB    .  FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;  msvbvm60.__vbaFreeObj
00403701    .  66:3BF3       cmp si,bx
00403704    .  0F85 1A030000 jnz bjanes_1.00403A24                    ;  jump to failure

This section mainly takes the length of the code we entered and compares it with 9; if it differs, it jumps to failure.

00403783    .  66:394D E8    cmp word ptr ss:[ebp-0x18],cx            ;  compare 1 with the code length; 1 > 9 jumps to success
00403787    .  0F8F 17030000 jg bjanes_1.00403AA4                     ;  jump to success

This section, by contrast, compares 1 with the code length: if the code length is less than 1, it jumps to success.

These two pieces of code with completely opposite meanings easily make us think this challenge can only be solved by brute force.

But a keygen for this challenge can in fact be worked out.

We enter a fake code of length 9; after running it, we can see that because the jump is not taken, the big loop below is executed.

We continue downward and arrive at the loop that checks the real code:

0040377C    > /66:8B8D 14FFF>mov cx,word ptr ss:[ebp-0xEC]
00403783    . |66:394D E8    cmp word ptr ss:[ebp-0x18],cx            ;  compare 1 with the code length; 1 > 9 jumps to success
00403787    . |0F8F 17030000 jg bjanes_1.00403AA4                     ;  jump to success
0040378D    . |8B17          mov edx,dword ptr ds:[edi]
0040378F    . |57            push edi
00403790    . |FF92 08030000 call dword ptr ds:[edx+0x308]
00403796    . |50            push eax
00403797    . |8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
0040379A    . |50            push eax
0040379B    . |FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;  msvbvm60.__vbaObjSet
004037A1    . |8BD8          mov ebx,eax
004037A3    . |8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
004037A6    . |52            push edx
004037A7    . |53            push ebx                                 ;  msvbvm60.rtcStrFromVar
004037A8    . |8B0B          mov ecx,dword ptr ds:[ebx]
004037AA    . |FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004037B0    . |85C0          test eax,eax
004037B2    . |DBE2          fclex
004037B4    . |7D 12         jge short bjanes_1.004037C8
004037B6    . |68 A0000000   push 0xA0
004037BB    . |68 44224000   push bjanes_1.00402244
004037C0    . |53            push ebx                                 ;  msvbvm60.rtcStrFromVar
004037C1    . |50            push eax
004037C2    . |FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;  msvbvm60.__vbaHresultCheckObj
004037C8    > |8B07          mov eax,dword ptr ds:[edi]
004037CA    . |57            push edi
004037CB    . |FF90 08030000 call dword ptr ds:[eax+0x308]
004037D1    . |8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
004037D4    . |50            push eax
004037D5    . |51            push ecx
004037D6    . |FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;  msvbvm60.__vbaObjSet
004037DC    . |8BF8          mov edi,eax
004037DE    . |8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004037E1    . |50            push eax
004037E2    . |57            push edi
004037E3    . |8B17          mov edx,dword ptr ds:[edi]
004037E5    . |FF92 A0000000 call dword ptr ds:[edx+0xA0]
004037EB    . |85C0          test eax,eax
004037ED    . |DBE2          fclex
004037EF    . |7D 12         jge short bjanes_1.00403803
004037F1    . |68 A0000000   push 0xA0
004037F6    . |68 44224000   push bjanes_1.00402244
004037FB    . |57            push edi
004037FC    . |50            push eax
004037FD    . |FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;  msvbvm60.__vbaHresultCheckObj
00403803    > |0FBF7D E8     movsx edi,word ptr ss:[ebp-0x18]
00403807    . |8B55 DC       mov edx,dword ptr ss:[ebp-0x24]
0040380A    . |B9 01000000   mov ecx,0x1
0040380F    . |894D C8       mov dword ptr ss:[ebp-0x38],ecx          ;  ASCII code
00403812    . |894D B8       mov dword ptr ss:[ebp-0x48],ecx
00403815    . |8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00403818    . |B8 02000000   mov eax,0x2
0040381D    . |51            push ecx
0040381E    . |57            push edi
0040381F    . |52            push edx
00403820    . |8945 C0       mov dword ptr ss:[ebp-0x40],eax
00403823    . |8945 B0       mov dword ptr ss:[ebp-0x50],eax
00403826    . |FF15 44104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>;  msvbvm60.rtcMidCharBstr
0040382C    . |8BD0          mov edx,eax
0040382E    . |8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00403831    . |FFD6          call esi                                 ;  msvbvm60.__vbaStrMove
00403833    . |50            push eax                                 ; /String = " "
00403834    . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>;  msvbvm60.rtcAnsiValueBstr
0040383A    . |8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]
0040383D    . |33DB          xor ebx,ebx                              ;  msvbvm60.rtcStrFromVar
0040383F    . |66:3D 3900    cmp ax,0x39                              ;  
00403843    . |8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
00403846    . |50            push eax
00403847    . |57            push edi
00403848    . |0f9fc3        setg bl
0040384B    . |51            push ecx
0040384C    . |F7DB          neg ebx                                  ;  msvbvm60.rtcStrFromVar
0040384E    . |FF15 44104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>;  msvbvm60.rtcMidCharBstr
00403854    . |8BD0          mov edx,eax
00403856    . |8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00403859    . |FFD6          call esi                                 ;  msvbvm60.__vbaStrMove
0040385B    . |50            push eax                                 ; /String = " "
0040385C    . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>;  msvbvm60.rtcAnsiValueBstr
00403862    . |33D2          xor edx,edx
00403864    . |66:3D 3000    cmp ax,0x30
00403868    . |0f9cc2        setl dl
0040386B    . |F7DA          neg edx
0040386D    . |8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
00403870    . |23DA          and ebx,edx
00403872    . |8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
00403875    . |50            push eax
00403876    . |8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
00403879    . |51            push ecx
0040387A    . |8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
0040387D    . |52            push edx
0040387E    . |50            push eax
0040387F    . |6A 04         push 0x4
00403881    . |FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  msvbvm60.__vbaFreeStrList
00403887    . |8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
0040388A    . |8D55 D4       lea edx,dword ptr ss:[ebp-0x2C]
0040388D    . |51            push ecx
0040388E    . |52            push edx
0040388F    . |6A 02         push 0x2
00403891    . |FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;  msvbvm60.__vbaFreeObjList
00403897    . |8D45 B0       lea eax,dword ptr ss:[ebp-0x50]
0040389A    . |8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040389D    . |50            push eax
0040389E    . |51            push ecx
0040389F    . |6A 02         push 0x2
004038A1    . |FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  msvbvm60.__vbaFreeVarList
004038A7    . |83C4 2C       add esp,0x2C
004038AA    . |66:85DB       test bx,bx
004038AD    . |0F85 6F010000 jnz bjanes_1.00403A22                    ;  If var_2C <> 0 Then GoTo loc_00403A22
004038B3    . |8B45 08       mov eax,dword ptr ss:[ebp+0x8]
004038B6    . |50            push eax
004038B7    . |8B10          mov edx,dword ptr ds:[eax]
004038B9    . |FF92 08030000 call dword ptr ds:[edx+0x308]
004038BF    . |50            push eax
004038C0    . |8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
004038C3    . |50            push eax
004038C4    . |FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;  msvbvm60.__vbaObjSet
004038CA    . |8BD8          mov ebx,eax
004038CC    . |8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
004038CF    . |52            push edx
004038D0    . |53            push ebx                                 ;  msvbvm60.rtcStrFromVar
004038D1    . |8B0B          mov ecx,dword ptr ds:[ebx]
004038D3    . |FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004038D9    . |85C0          test eax,eax
004038DB    . |DBE2          fclex
004038DD    . |7D 12         jge short bjanes_1.004038F1
004038DF    . |68 A0000000   push 0xA0
004038E4    . |68 44224000   push bjanes_1.00402244
004038E9    . |53            push ebx                                 ;  msvbvm60.rtcStrFromVar
004038EA    . |50            push eax
004038EB    . |FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;  msvbvm60.__vbaHresultCheckObj
004038F1    > |66:8B45 E8    mov ax,word ptr ss:[ebp-0x18]
004038F5    . |8B1D 74104000 mov ebx,dword ptr ds:[<&MSVBVM60.#rtcStr>;  msvbvm60.rtcStrFromVar
004038FB    . |66:35 0200    xor ax,0x2
004038FF    . |8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]
00403902    . |0F80 A4020000 jo bjanes_1.00403BAC
00403908    . |51            push ecx
00403909    . |66:8945 A8    mov word ptr ss:[ebp-0x58],ax
0040390D    . |C745 A0 02000>mov dword ptr ss:[ebp-0x60],0x2
00403914    . |FFD3          call ebx                                 ;  msvbvm60.rtcStrFromVar; <&MSVBVM60.#rtcStrFromVar_536>
00403916    . |8BD0          mov edx,eax
00403918    . |8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
0040391B    . |FFD6          call esi                                 ;  msvbvm60.__vbaStrMove
0040391D    . |8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]          ;  the real code appears
00403920    . |8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
00403923    . |52            push edx
00403924    . |57            push edi
00403925    . |50            push eax
00403926    . |C745 C8 01000>mov dword ptr ss:[ebp-0x38],0x1
0040392D    . |C745 C0 02000>mov dword ptr ss:[ebp-0x40],0x2
00403934    . |FF15 44104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>;  msvbvm60.rtcMidCharBstr
0040393A    . |8BD0          mov edx,eax
0040393C    . |8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040393F    . |FFD6          call esi                                 ;  msvbvm60.__vbaStrMove
00403941    . |50            push eax                                 ; /String = " "
00403942    . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>;  msvbvm60.rtcAnsiValueBstr
00403948    . |8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
0040394B    . |66:8945 B8    mov word ptr ss:[ebp-0x48],ax
0040394F    . |51            push ecx
00403950    . |C745 B0 02000>mov dword ptr ss:[ebp-0x50],0x2
00403957    . |FFD3          call ebx                                 ;  msvbvm60.rtcStrFromVar
00403959    . |8BD0          mov edx,eax
0040395B    . |8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
0040395E    . |FFD6          call esi                                 ;  msvbvm60.__vbaStrMove
00403960    . |50            push eax
00403961    . |FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>;  msvbvm60.__vbaR8Str
00403967    . |DC25 D8104000 fsub qword ptr ds:[0x4010D8]
0040396D    . |8D55 90       lea edx,dword ptr ss:[ebp-0x70]
00403970    . |6A 01         push 0x1
00403972    . |52            push edx
00403973    . |C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],0x8005
0040397D    . |DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8]
00403983    . |DFE0          fstsw ax
00403985    . |A8 0D         test al,0xD
00403987    . |0F85 1A020000 jnz bjanes_1.00403BA7
0040398D    . |8B45 D8       mov eax,dword ptr ss:[ebp-0x28]
00403990    . |C745 D8 00000>mov dword ptr ss:[ebp-0x28],0x0
00403997    . |8945 98       mov dword ptr ss:[ebp-0x68],eax
0040399A    . |8D45 80       lea eax,dword ptr ss:[ebp-0x80]
0040399D    . |50            push eax
0040399E    . |C745 90 08000>mov dword ptr ss:[ebp-0x70],0x8
004039A5    . |FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#rtcRightC>;  msvbvm60.rtcRightCharVar
004039AB    . |8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-0xD0]
004039B1    . |8D55 80       lea edx,dword ptr ss:[ebp-0x80]
004039B4    . |51            push ecx                                 ; /var18 = 0018F540
004039B5    . |52            push edx                                 ; |var28 = 0055FCDC
004039B6    . |FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>;  comparison function: returns 0 if equal, -1 if different
004039BC    . |8BF8          mov edi,eax
004039BE    . |8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
004039C1    . |8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
004039C4    . |50            push eax
004039C5    . |8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
004039C8    . |51            push ecx
004039C9    . |8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
004039CC    . |52            push edx
004039CD    . |50            push eax
004039CE    . |6A 04         push 0x4
004039D0    . |FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;  msvbvm60.__vbaFreeStrList
004039D6    . |83C4 14       add esp,0x14
004039D9    . |8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004039DC    . |FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;  msvbvm60.__vbaFreeObj
004039E2    . |8D4D 80       lea ecx,dword ptr ss:[ebp-0x80]
004039E5    . |8D55 90       lea edx,dword ptr ss:[ebp-0x70]
004039E8    . |51            push ecx
004039E9    . |8D45 A0       lea eax,dword ptr ss:[ebp-0x60]
004039EC    . |52            push edx
004039ED    . |8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
004039F0    . |50            push eax
004039F1    . |8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
004039F4    . |51            push ecx
004039F5    . |52            push edx
004039F6    . |6A 05         push 0x5
004039F8    . |FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  msvbvm60.__vbaFreeVarList
004039FE    . |83C4 18       add esp,0x18
00403A01    . |66:85FF       test di,di
00403A04    . |75 1C         jnz short bjanes_1.00403A22              ;  jump to failure
00403A06    . |8B7D 08       mov edi,dword ptr ss:[ebp+0x8]
00403A09    . |B8 01000000   mov eax,0x1
00403A0E    . |66:0345 E8    add ax,word ptr ss:[ebp-0x18]
00403A12    . |0F80 94010000 jo bjanes_1.00403BAC
00403A18    . |8945 E8       mov dword ptr ss:[ebp-0x18],eax
00403A1B    . |33DB          xor ebx,ebx                              ;  msvbvm60.rtcStrFromVar
00403A1D    .^E9 5AFDFFFF   jmp bjanes_1.0040377C                    ;  loop

This loop spans quite a lot of code. Roughly, the steps are: take out the number at each position, XOR it with 2, and finally compare the XORed result on its own.

(Figure 1: Creckme_bjanes.1)

When the result is -1, eax is all F's.

So we can try the digits one by one; in the end the serial turns out to be "301674501".

(Figure 2: Creckme_bjanes.1)
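As an added example (not code from the original post or from the crackme), the check loop at 0040377C..00403A1D re-expressed in Python from the listing above, so the relation behind the serial can be replayed instead of guessed digit by digit. It assumes the double at ds:[0x4010D8] subtracted by fsub is 48.0 (not shown on the page; consistent with the serial found above) and that rtcStrFromVar behaves like VB6 Str$(), which puts a space before a non-negative number, as the " 3" in the listing suggests.

```python
# Added example, not code from the original post or from the crackme itself:
# a Python model of the check loop at 0040377C..00403A1D, reconstructed from
# the listing. Assumptions (not visible on the page): the double at
# ds:[0x4010D8] subtracted by fsub is 48.0 (= Asc("0"), consistent with the
# serial the author found), and rtcStrFromVar behaves like VB6 Str$(), which
# prefixes a non-negative number with a space (compare the " 3" in the listing).

SUB_CONST = 48.0  # assumed value at 0x4010D8


def vb_str(n: int) -> str:
    """Model of VB6 Str$(): non-negative numbers get a leading space."""
    return f" {n}" if n >= 0 else str(n)


def check_serial(serial: str) -> bool:
    """Replay the validation: length must be 9, then one test per position."""
    # 004036E5..00403704: Len(serial) <> 9 -> jump to failure
    if len(serial) != 9:
        return False
    # 0040377C..00403787: For i = 1 To Len(serial); exits to success when i > length
    for i in range(1, len(serial) + 1):
        ch = serial[i - 1]                      # rtcMidCharBstr(serial, i, 1)
        # 004038F1..00403914: Str$(i Xor 2), kept as a string in [ebp-0x28]
        expected = vb_str(i ^ 2)
        # 00403941..00403967: Str$(Asc(ch)) converted back to a Double, minus the constant
        actual = float(vb_str(ord(ch))) - SUB_CONST
        # 004039A5: Right$(expected, 1); 004039B6: __vbaVarTstNe compares the
        # Double with that one-character string numerically, so "3" equals 3.0
        if actual != float(expected[-1]):
            return False                        # 00403A04: jump to failure
    return True                                 # 00403787: i > length -> success


def make_serial(length: int = 9) -> str:
    """Keygen from the same relation: position i holds the last digit of (i Xor 2)."""
    return "".join(vb_str(i ^ 2)[-1] for i in range(1, length + 1))


if __name__ == "__main__":
    serial = make_serial()
    print(serial, check_serial(serial))        # 301674501 True
```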
