Analysis of the 2006 [PYG] Member Certification CrackMe
Sharing this with the brothers; please correct me. After loading it in OD, locate LoadLibraryA and GetProcAddress: the unpacker is bound to call these two functions while decompressing,
so set breakpoints on both. Run, then step down and arrive at:
004001C6 FF53 10 call dword ptr [ebx+10] ;LoadLibraryA (returns the module handle in eax)
004001C9 95 xchg eax, ebp ;ebp = module handle
004001CA 8B07 mov eax, dword ptr [edi] ;next import entry
004001CC 40 inc eax
004001CD ^78 F3 js short 004001C2
004001CF 75 03 jnz short 004001D4
004001D1 -FF63 0C jmp dword ptr [ebx+0C] ;entry point Cra.0040169C
004001D4 50 push eax ;procedure name
004001D5 55 push ebp ;module handle
004001D6 FF53 14 call dword ptr [ebx+14] ;GetProcAddress
004001D9 AB stos dword ptr es:[edi] ;write the resolved address into the IAT
004001DA ^EB EE jmp short 004001CA
==================================================
Keep running and we arrive here:
0040DA80 .8D4D A>lea ecx,
0040DA83 .51 push ecx
0040DA84 .E8 973>call 00411820 ;get the serial number of the disk the program resides on, dsn ==> eax
0040DA89 .8945 A>mov , eax ;eax = 2F5E15DD = dsn = 794695133
</grReplace>
<gr_replace lines="24" cat="clarify" orig="0040DA9C .8D55 A>lea edx, ;=dsn">
0040DA9C .8D55 A>lea edx, ;= dsn
0040DA8C .C785 E>mov dword ptr , 6
0040DA96 .89BD E>mov , edi
0040DA9C .8D55 A>lea edx, ;=dsn
0040DA9F .8995 9>mov , edx
0040DAA5 .C785 8>mov dword ptr , 4003
0040DAAF .8D85 E>lea eax,
0040DAB5 .50 push eax
0040DAB6 .6A 01push 1
0040DAB8 .8D8D 8>lea ecx,
0040DABE .51 push ecx
0040DABF .8D95 D>lea edx,
0040DAC5 .52 push edx ;convert the disk serial to a decimal string, then take its first 6 digits
0040DAC6 .FFD3 call ebx ;=> "794695"
...
0040DB9B .8D55 8>lea edx,
0040DB9E .52 push edx
0040DB9F .8D85 D>lea eax,
0040DBA5 .50 push eax ;mid(dsn,1,3)=mid("794695",1,3)
0040DBA6 .FFD3 call ebx
...
0040DBD8 .51 push ecx
0040DBD9 .6A 04push 4
0040DBDB .8D55 8>lea edx,
0040DBDE .52 push edx
0040DBDF .8D85 D>lea eax,
0040DBE5 .50 push eax ;mid(dsn,4,3)=mid("794695",4,3)
0040DBE6 .FFD3 call ebx
...
0040DC02 .8D8D 2>lea ecx,
0040DC08 .51 push ecx
0040DC09 .8D95 4>lea edx,
0040DC0F .52 push edx
0040DC10 .8D85 E>lea eax,
0040DC16 .50 push eax ;swap digits 1-3 of dsn with digits 4-6 => "695794"
0040DC17 .FF15 3>call [<&MSVBVM60.__vbaVarCat>] ;MSVBVM60.__vbaVarCat
0040DC1D .8BD0 mov edx, eax ;** = 695794, the value used to compute pyg2006.key
...
==========================================================================
0040E4FC .8BD0 mov edx, eax
0040E4FE .8D8D 08FFFFFF lea ecx, [ebp-F8]
0040E504 .FF15 B0114000 call [<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
0040E50A .50 push eax ;="PYG2006.Key"
0040E50B .6A 01 push 1
0040E50D .6A FF push -1
0040E50F .6A 01 push 1
0040E511 .FF15 44114000 call [<&MSVBVM60.__vbaFileOpen>] ;MSVBVM60.__vbaFileOpen
0040E517 .8D8D 08FFFFFF lea ecx, [ebp-F8]
0040E51D .FFD6 call esi
0040E51F .8D73 64 lea esi, [ebx+64]
0040E522 .6A 01 push 1
0040E524 .56 push esi ;read the first line of the file; the result is returned in the Variant at esi
0040E525 .FF15 38104000 call [<&MSVBVM60.__vbaLineInputVar>] ;MSVBVM60.__vbaLineInputVar
0040E52B .C785 94FEFFFF 12000000 mov dword ptr [ebp-16C], 12 ;12h = 18, the divisor
0040E535 .89BD 8CFEFFFF mov [ebp-174], edi
0040E53B .56 push esi
0040E53C .8D55 C4 lea edx, [ebp-3C]
0040E53F .52 push edx
0040E540 .8D85 E0FEFFFF lea eax, [ebp-120]
0040E546 .50 push eax ;compute sn - 695794 (the swapped serial value from 0040DC1D)
0040E547 .FF15 00104000 call [<&MSVBVM60.__vbaVarSub>] ;MSVBVM60.__vbaVarSub
0040E54D .50 push eax
0040E54E .8D8D 8CFEFFFF lea ecx, [ebp-174]
0040E554 .51 push ecx
0040E555 .8D95 D0FEFFFF lea edx, [ebp-130]
0040E55B .52 push edx ;compute (sn - 695794) / 18
0040E55C .FF15 18114000 call [<&MSVBVM60.__vbaVarDiv>] ;MSVBVM60.__vbaVarDiv
0040E562 .50 push eax
0040E563 .8D85 08FFFFFF lea eax, [ebp-F8]
0040E569 .50 push eax ;the quotient is returned as a string in [ebp-F8]
0040E56A .FF15 30114000 call [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
0040E570 .50 push eax
0040E571 .FF15 D8114000 call [<&MSVBVM60.rtcR8ValFromBstr>] ;MSVBVM60.rtcR8ValFromBstr
0040E577 .FF15 94104000 call [<&MSVBVM60.__vbaFpR8>] ;MSVBVM60.__vbaFpR8
0040E57D .DC1D 10124000 fcomp qword ptr [00401210] ;compare with the double constant 20041201
0040E583 .DFE0 fstsw ax
0040E585 .F6C4 40 test ah, 40 ;C3 set => equal
0040E588 .74 07 je short 0040E591
0040E58A .B8 01000000 mov eax, 1
0040E58F .EB 02 jmp short 0040E593
0040E591 >33C0 xor eax, eax
0040E593 >F7D8 neg eax
0040E595 .66:8BF0 mov si, ax ;si = -1 if the quotient equals 20041201, else 0
0040E598 .8D8D 08FFFFFF lea ecx, [ebp-F8]
0040E59E .FF15 D4114000 call [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0040E5A4 .66:85F6 test si, si
0040E5A7 .0F84 9B010000 je 0040E748 ;si = 0 => wrong key
What the code above does: read the first line of pyg2006.key (the key), then compute
(key - 695794) / 18
If the result equals 20041201 (the double constant at 00401210 that fcomp checks, so the division has to come out exact), the key is accepted.
=====================================================
0040D7D1 .8BD0 mov edx, eax ;**get the path of the executable
0040D7D3 .8D8D F8FEFFFF lea ecx, [ebp-108]
0040D7D9 .FFD3 call ebx
0040D7DB .50 push eax ;**get the file length (actual length 0xAA4D = 43597)
0040D7DC .FF15 80114000 call [<&MSVBVM60.rtcFileLen>] ;MSVBVM60.rtcFileLen
0040D7E2 .33D2 xor edx, edx ;eax = file length = 0xAA4D = 43597 bytes
0040D7E4 .3D C8AF0000 cmp eax, 0AFC8 ;file length > 0xAFC8 = 45000 bytes?
0040D7E9 .0F9FC2 setg dl ;eax = AA4D < AFC8 ==> dl = 0
0040D7EC .F7DA neg edx ;esi = 0 at this point
0040D7EE .8BFA mov edi, edx
======================================================
0040AF64 .816C24 04 7B000000 sub dword ptr [esp+4], 7B ;handler that calls FileLen
0040AF6C .E9 0F260000 jmp 0040D580
0040AF71 .816C24 04 8F000000 sub dword ptr [esp+4], 8F
0040AF79 .E9 22390000 jmp 0040E8A0
0040AF7E .816C24 04 87000000 sub dword ptr [esp+4], 87 ;OK button
0040AF86 .E9 E5390000 jmp 0040E970
0040AF8B .816C24 04 8B000000 sub dword ptr [esp+4], 8B ;About button
0040AF93 .E9 985F0000 jmp 00410F30
0040AF98 .816C24 04 77000000 sub dword ptr [esp+4], 77
0040AFA0 .E9 7B600000 jmp 00411020
0040AFA5 .816C24 04 FFFF0000 sub dword ptr [esp+4], 0FFFF
0040AFAD .E9 DE600000 jmp 00411090
=========================================================
The code below checks whether the file has been unpacked (by comparing its length):
0040D7DC .FF15 80114000 call [<&MSVBVM60.rtcFileLen>] ;MSVBVM60.rtcFileLen
0040D7E2 .33D2 xor edx, edx ;eax = AA4D
0040D7E4 .3D C8AF0000 cmp eax, 0AFC8 ;file length > 0AFC8 = 45000 bytes?
0040D7E9 .0F9FC2 setg dl
0040D7EC .F7DA neg edx
Patch it to:
0040D7DC .FF15 80114000 call [<&MSVBVM60.rtcFileLen>] ;MSVBVM60.rtcFileLen
0040D7E2 .33D2 xor edx, edx ;eax=aa4d
0040D7E4 B8 4DAA0000 mov eax, 0AA4D
0040D7E9 90 nop
0040D7EA 90 nop
0040D7EB 90 nop
0040D7EC 90 nop
0040D7ED 90 nop
This removes the file-length check (edx stays 0 from the xor, so edi is always 0 regardless of the file size).
===========================================================
Note: the program also checks whether the file name has been changed, so the unpacked file must keep its original name, CrackMe.exe.
0040D8E8 > \8B95 08FFFFFF mov edx, [ebp-F8]
0040D8EE .52 push edx ;compare the file name to see whether it was changed
0040D8EF .68 70B34000 push 0040B370 ;UNICODE "CrackMe"
-------------------------------------------------------------------------------------------------
0040D8EF 52 push edx ==> removes the file-name check (__vbaStrCmp now compares the string with itself)
0040D8F0 90 nop
0040D8F1 90 nop
0040D8F2 90 nop
0040D8F3 90 nop
-------------------------------------------------------------------------------------------------
0040D8F4 .FF15 C0104000 call [<&MSVBVM60.__vbaStrCmp>] ;MSVBVM60.__vbaStrCmp
0040D8FA .8BF8 mov edi, eax
0040D8FC .F7DF neg edi
0040D8FE .1BFF sbb edi, edi
0040D900 .F7DF neg edi
0040D902 .F7DF neg edi ;edi = -1 if the names differ, 0 if they match
0040D904 .8D8D 08FFFFFF lea ecx, [ebp-F8]
0040D90A .FF15 D4114000 call [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0040D910 .8D8D F4FEFFFF lea ecx, [ebp-10C]
0040D916 .FF15 D0114000 call [<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
0040D91C .66:3BFE cmp di, si
0040D91F .74 5C je short 0040D97D ;if the file name was changed, the program exits
0040D921 .3935 24544100 cmp [00415424], esi
0040D927 .75 10 jnz short 0040D939
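The two byte patches above (the file-length check and the file-name check), applied to the unpacked file with a check that the expected original bytes are really there. This is an added example, not the author's tool or anything from the crackme: it maps the OllyDbg virtual addresses to file offsets through the PE section table (which assumes the dump was written with a sane section table), and since the real CrackMe.exe is not available here it also builds a constructed stand-in image containing only the bytes the patches expect, so the script runs offline.

```python
import struct
import sys

# Patches described in the analysis.  Each entry is
# (virtual address, bytes expected there, same-length replacement),
# so no surrounding code is shifted.
PATCHES = [
    # 0040D7E4: cmp eax,0AFC8 / setg dl / neg edx  ->  mov eax,0AA4D + 5 nops
    (0x0040D7E4, bytes.fromhex("3DC8AF00000F9FC2F7DA"), bytes.fromhex("B84DAA00009090909090")),
    # 0040D8EF: push 0040B370 ("CrackMe")  ->  push edx + 4 nops, so __vbaStrCmp
    # compares the file name with itself and always reports a match
    (0x0040D8EF, bytes.fromhex("6870B34000"), bytes.fromhex("5290909090")),
]


def pe_sections(data):
    """Parse a PE32 header: return (ImageBase, [(rva, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if bytes(data[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(data, va):
    """Map a virtual address (as shown by OllyDbg) to a file offset."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for s_rva, vsize, raw_ptr, raw_size in sections:
        if s_rva <= rva < s_rva + max(vsize, raw_size):
            return raw_ptr + (rva - s_rva)
    raise ValueError(f"VA {va:#010x} is not backed by any section")


def apply_patches(data, patches=PATCHES):
    """Return a patched copy; refuse to touch bytes that do not match the trace."""
    buf = bytearray(data)
    for va, expected, replacement in patches:
        if len(expected) != len(replacement):
            raise ValueError("a patch must not change the code size")
        off = va_to_offset(buf, va)
        found = bytes(buf[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#010x}: expected {expected.hex()}, found {found.hex()}")
        buf[off:off + len(replacement)] = replacement
    return bytes(buf)


def build_fake_pe():
    """Constructed stand-in for the unpacked CrackMe.exe (not the real file):
    ImageBase 0x400000, one section at RVA 0x1000 / file offset 0x400 holding
    only the byte sequences the two patches expect."""
    base, rva, raw, size = 0x00400000, 0x1000, 0x400, 0xE000
    body = bytearray(size)
    for va, expected, _ in PATCHES:
        off = va - base - rva
        body[off:off + len(expected)] = expected
    hdr = bytearray(raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)     # Machine i386, 1 section
    struct.pack_into("<H", hdr, 0x80 + 20, 0xE0)     # SizeOfOptionalHeader
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, base)      # ImageBase
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, size, rva, size, raw)
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    # Usage: python patch.py CrackMe.exe   (no argument: patch the constructed image)
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else build_fake_pe()
    out = apply_patches(data)
    dst = (src or "CrackMe.exe") + ".patched"
    open(dst, "wb").write(out)
    print(f"wrote {dst}: {len(PATCHES)} patches applied")
```

Running it a second time on the already-patched file fails on the byte check, which is the behaviour you want from a patcher: it never writes blindly to an offset.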
=================================================================================================
At this point the key file has been located, the program has been unpacked, and the file-size and file-name checks have been removed.
The key: pyg2006.key = 20041201*18 + 695794 = 361437412 [note: 695794 is derived from the serial number of the disk the file is on: the serial in decimal (794695133), truncated to its first six digits (794695), with the two three-digit halves swapped]
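The traced algorithm put together as a keygen, covering both the serial transform at 0040DA84..0040DC1D and the check in the key-file handler. This is an added example, not code from the crackme or from the original post; it assumes the helper at 00411820 obtains the volume serial through GetVolumeInformationW (the page only shows its result, 0x2F5E15DD), and it rejects serials with fewer than six decimal digits, a case the trace does not cover.

```python
import sys

MAGIC = 20041201   # double constant at 00401210 that fcomp compares against
DIVISOR = 18       # 12h stored in the Variant at [ebp-16C]


def serial_to_base(dsn: int) -> int:
    """Mirror the VB transform: Mid(Str(dsn),1,6) with its halves swapped.

    Assumption: serials with fewer than six decimal digits are not shown
    in the trace, so they are rejected here rather than guessed at.
    """
    digits = str(dsn & 0xFFFFFFFF)
    if len(digits) < 6:
        raise ValueError("volume serial has fewer than six decimal digits")
    first6 = digits[:6]                 # "794695133" -> "794695"
    return int(first6[3:] + first6[:3])  # Mid(s,4,3) & Mid(s,1,3) -> 695794


def make_key(dsn: int) -> int:
    """A key that satisfies the check: (key - base) / 18 == 20041201."""
    return MAGIC * DIVISOR + serial_to_base(dsn)


def check_key(key: int, dsn: int) -> bool:
    """Re-implement the check as the binary does it.

    __vbaVarDiv yields a Double and the result goes through rtcR8ValFromBstr
    into fcomp, so the quotient has to be exactly 20041201.0.
    """
    return (key - serial_to_base(dsn)) / DIVISOR == float(MAGIC)


def volume_serial(root: str = "C:\\") -> int:
    """Read the volume serial with GetVolumeInformationW (Windows only).

    Assumption: this is the API behind the helper at 00411820; the page
    only shows the value it returned on the author's machine.
    """
    if sys.platform != "win32":
        raise OSError("GetVolumeInformationW is only available on Windows")
    import ctypes
    serial = ctypes.c_uint32(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        ctypes.c_wchar_p(root), None, 0, ctypes.byref(serial), None, None, None, 0)
    if not ok:
        raise ctypes.WinError()
    return serial.value


if __name__ == "__main__":
    # Usage: python keygen.py [hex serial]; default is the serial from the trace.
    dsn = int(sys.argv[1], 16) if len(sys.argv) > 1 else 0x2F5E15DD
    key = make_key(dsn)
    print(f"dsn={dsn:#010x} ({dsn})  base={serial_to_base(dsn)}  key={key}")
    with open("PYG2006.key", "w") as f:   # Line Input reads only the first line
        f.write(f"{key}\r\n")
```

With the author's serial the script reproduces the key from the post, 361437412; a key off by one fails because the quotient is no longer an exact multiple of 18.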
****************************************************************************************************
****************************************************************************************************
The algorithm-identification tool Kanal 2.3 detects MD5 being used at 00412EEA.
Go to 00412EEA and scroll up to the start of the function:
00412CD0 > \55 push ebp ;MD5(M) ;M=-876604940
==========================================================================
Replies:
:victory: Expert... showing support.....
Even dizzy, I'll grab a stool and watch!
Finally it's here; I waited almost half a year!!
Worked on it forever and got nowhere.
Learning~~
Expert, a real expert, showing support.
Too hard; I'll lie on the floor and watch~~
Never managed the 2006 one.....
Continue learning in 2007! :victory: :victory: :victory:
I'll keep learning~
What is this used for?