Reviewing the old to learn the new: PYG student graduation test
This post was last edited by wbz_008 on 2019-5-9 12:42. PYG student graduation test, reviewing the old to learn the new. Learning is like rowing against the current: if you do not advance, you fall back. Today I took some time to review what I have learned. Why review this one? In my opinion it is fairly simple yet comprehensive for a beginner.
Name: PYG
Packer: UPX
Compiler: Microsoft Visual Basic 5.0 / 6.0
This test has 5 basic parts (required) and 1 extra part (optional)
1. Manual unpacking
2. Remove the Nag
3. Remove the self-check
4. Trace the serial
5. Algorithm analysis
The extra algorithm is somewhat difficult and requires some skill!
The boss says: the registration part must not be patched out!
The program runs as shown in the figure below:
Getting down to business, check the packer: as shown below
1. Manual unpacking: load the program in OD (OllyDbg)
We arrive here: 00409040 > $60 pushad
Step down with F8. Whenever you meet a backward jump, put the cursor on the line below it and press F4 (run to cursor), so that you only move down and never up, until 00409197 > \61 popad appears. Once you see this the unpacking stub has finished; two more F8 steps bring you to the program entry point, where you can dump the unpacked program. After dumping it looks like this:
2. Run the program: no problem. Load it in OD to remove the Nag: set a breakpoint on the VB runtime function rtcMsgBox directly; see the figure below
The red part of the code below is the key: that is the Nag we want to remove. At first I had two ideas. The first was to NOP out the red code, which turned out not to work, so I used the second method: look at the start of the procedure, 00404080 55 push ebp, and its end, 00404ECE C3 retn, and change the push ebp at the start into jmp 00404ECE so that it jumps straight from the start of the procedure to its end. I saved the change and it worked, so the Nag is gone.
00404080 55 push ebp
00404081 8BEC mov ebp,esp
00404083 83EC 14 sub esp,0x14
00404086 68 D6114000 push <jmp.&msvbvm60.__vbaExceptHandler>
0040408B 64:A1 00000000mov eax,dword ptr fs:
00404091 50 push eax
00404092 64:8925 0000000>mov dword ptr fs:,esp
00404099 81EC 84040000 sub esp,0x484
0040409F 53 push ebx
004040A0 56 push esi ; msvbvm60.__vbaVarAdd
004040A1 57 push edi ; msvbvm60.rtcVarBstrFromAnsi
(many lines of code omitted here)
0040432F C785 00FCFFFF A>mov dword ptr ss:,1111.00402DA4 ; UNICODE "请先去除这个提示框!"
00404339 BE 08000000 mov esi,0x8
0040433E 89B5 F8FBFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
00404344 8D95 F8FBFFFF lea edx,dword ptr ss:
0040434A 8D8D C8FCFFFF lea ecx,dword ptr ss:
00404350 FF15 00114000 call dword ptr ds:[<&msvbvm60.__vbaVarDup>] ; msvbvm60.__vbaVarDup
00404356 C785 A0FCFFFF 3>mov dword ptr ss:,1111.00402C30 ; UNICODE "本试题分5个基本部分(必做),1个附加(选做)"
00404360 89B5 98FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
00404366 C785 90FCFFFF 6>mov dword ptr ss:,1111.00402C64 ; UNICODE "1.手动脱壳"
00404370 89B5 88FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
00404376 C785 80FCFFFF 7>mov dword ptr ss:,1111.00402C78 ; UNICODE "2.去Nag"
00404380 89B5 78FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
00404386 C785 70FCFFFF 8>mov dword ptr ss:,1111.00402C8C ; UNICODE "3.去自效验"
00404390 89B5 68FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
00404396 C785 60FCFFFF A>mov dword ptr ss:,1111.00402CA0 ; UNICODE "4.追码"
004043A0 89B5 58FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
004043A6 C785 50FCFFFF B>mov dword ptr ss:,1111.00402CB0 ; UNICODE "5.算法分析"
004043B0 89B5 48FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
004043B6 C785 40FCFFFF C>mov dword ptr ss:,1111.00402CC4 ; UNICODE "附加算法有点难度,且需要大家用一定的技巧!"
004043C0 89B5 38FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
004043C6 C785 30FCFFFF F>mov dword ptr ss:,1111.00402CF4 ; UNICODE "敬告:注册部分,不得爆破!"
004043D0 89B5 28FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
004043D6 C785 20FCFFFF 1>mov dword ptr ss:,1111.00402D14 ; UNICODE "请写出详细的分析过程,将作业完成情况 提交至 [email protected] "
004043E0 89B5 18FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
004043E6 C785 10FCFFFF 6>mov dword ptr ss:,1111.00402D6C ; ASCII "迈"
004043F0 89B5 08FCFFFF mov dword ptr ss:,esi ; msvbvm60.__vbaVarAdd
(many lines of code omitted here)
004045EA FF15 48104000 call dword ptr ds:[<&msvbvm60.rtcMsgBox>] ; msvbvm60.rtcMsgBox (this is the Nag message box, which we want to remove)
(many lines of code omitted here)
00404EBE 50 push eax
00404EBF 6A 32 push 0x32
00404EC1 FF15 18104000 call dword ptr ds:[<&msvbvm60.__vbaFreeVarList>]; msvbvm60.__vbaFreeVarList
00404EC7 81C4 F0000000 add esp,0xF0
00404ECD C3 retn
00404ECE C3 retn
3. We find that the program with the Nag removed crashes right after starting; that is because it has a self-check, so next we remove the self-check. Load the de-Nagged program in OD; since it was written in VB, set a breakpoint on rtcFileLength directly, run the program, and we arrive at the figure below
Same method as before: find the start of the procedure, 00403B20 55 push ebp, and change it to jmp 0040404F to jump straight to the end of the procedure. That takes care of the self-check; see the figure below
00403B20 55 push ebp
00403B21 8BEC mov ebp,esp
00403B23 83EC 14 sub esp,0x14
00403B26 68 D6114000 push <jmp.&msvbvm60.__vbaExceptHandler>
00403B2B 64:A1 00000000mov eax,dword ptr fs:
00403CBA 83C4 24 add esp,0x24
00403CBD 6A 01 push 0x1
00403CBF FF15 CC104000 call dword ptr ds:[<&msvbvm60.rtcFileLength>] ; msvbvm60.rtcFileLength (the self-check call; kill this and you are done)
00403CC5 8946 38 mov dword ptr ds:,eax
00403CC8 6A 01 push 0x1
0040404B 83C4 24 add esp,0x24
0040404E C3 retn
0040404F C3 retn
After removing the self-check, the program runs as shown in the figure below
Next we type a random username and registration code and find that there is no prompt at all. So load the program in OD and right-click in the disassembly window to search for strings, but nothing useful is found there either. So set a breakpoint on vbastrcomp (the VB string comparison function), run the program, type a random username and registration code, and it breaks here
72A27BE9 >837C24 04 02 cmp dword ptr ss:,0x2 (breaks here)
72A27BEE 75 07 jnz short msvbvm60.72A27BF7
72A27BF0 6A 05 push 0x5
72A27BF2 E8 3566FEFF call msvbvm60.72A0E22C
72A27BF7 68 01000300 push 0x30001
72A27BFC FF7424 08 push dword ptr ss: ; 222288.00402E20
72A27C00 FF7424 10 push dword ptr ss: ; 222288.004050B6
72A27C04 FF7424 18 push dword ptr ss:
72A27C08 FF15 40EFA472 call dword ptr ds: ; oleaut32.VarBstrCmp
72A27C0E 85C0 test eax,eax
72A27C10 7C 04 jl short msvbvm60.72A27C16
72A27C12 48 dec eax
72A27C13 C2 0C00 retn 0xC
(many lines of code omitted here)
0040533D FF15 78104000 call dword ptr ds:[<&msvbvm60.__vbaVarTs>; msvbvm60.__vbaVarTstEq
00405343 66:85C0 test ax,ax
00405346 8B16 mov edx,dword ptr ds: ; 222288.004062FC
00405348 56 push esi
00405349 0F84 2D010000 je 222288.0040547C (the key jump: if it jumps, we fail; no need to explain further)
0040534F FF92 10030000 call dword ptr ds: ; msvbvm60.72A442D8
00405355 50 push eax
00405356 8D45 9C lea eax,dword ptr ss:
00405359 50 push eax
0040535A 8B1D 40104000 mov ebx,dword ptr ds:[<&msvbvm60.__vbaOb>; msvbvm60.__vbaObjSet
00405360 FFD3 call ebx ; msvbvm60.__vbaVarAdd
00405362 8BF8 mov edi,eax
00405364 8B0F mov ecx,dword ptr ds:
00405366 68 00007A44 push 0x447A0000
0040536B 57 push edi
0040536C FF51 74 call dword ptr ds:
0040536F DBE2 fclex
00405371 85C0 test eax,eax
00405373 7D 0F jge short 222288.00405384
00405375 6A 74 push 0x74
00405377 68 2C2B4000 push 222288.00402B2C
0040537C 57 push edi
0040537D 50 push eax
0040537E FF15 30104000 call dword ptr ds:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00405384 8D4D 9C lea ecx,dword ptr ss:
00405387 FF15 18114000 call dword ptr ds:[<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
0040538D 8B16 mov edx,dword ptr ds: ; 222288.004062FC
0040538F 56 push esi
00405390 FF92 10030000 call dword ptr ds: ; msvbvm60.72A442D8
00405396 50 push eax
00405397 8D45 9C lea eax,dword ptr ss:
0040539A 50 push eax
0040539B FFD3 call ebx ; msvbvm60.__vbaVarAdd
0040539D 8BF8 mov edi,eax
0040539F C785 70FFFFFF 5>mov dword ptr ss:,222288.00402>; UNICODE ":恭喜!考试合格!" (if it does not jump, we arrive here and get the congratulations message)
004053A9 C785 68FFFFFF 0>mov dword ptr ss:,0x8
004053B3 8B1F mov ebx,dword ptr ds:
004053B5 8D4D D4 lea ecx,dword ptr ss:
004053B8 51 push ecx
004053B9 8D95 68FFFFFF lea edx,dword ptr ss:
004053BF 52 push edx ; 222288.004062FC
004053C0 8D45 8C lea eax,dword ptr ss:
004053C3 50 push eax
The program runs as shown in the figure below:
4. Next is the key part: let us try to trace the serial. Load the above program in OD, set a breakpoint on vbastrcomp, enter a username and registration code, click "Strive to be outstanding", and it breaks here
72A27BE9 >837C24 04 02 cmp dword ptr ss:,0x2 (keep pressing F8) and we reach the code below
(many lines of code omitted here)
004036BB 8985 D0FEFFFF mov dword ptr ss:,eax ; the fake code appears (keep pressing F8)
(many lines of code omitted here)
004037C2 50 push eax
004037C3 51 push ecx
004037C4 6A 07 push 0x7
004037C6 FF15 18104000 call dword ptr ds:[<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList (the key call that computes the real code; step into it and you will reach the real code)
004037CC 83C4 20 add esp,0x20
004037CF 66:3BFB cmp di,bx (compares real and fake to see whether they are equal)
004037D2 0F84 34020000 je 22228899.00403A0C (the key jump: with the real code it does not jump, with a fake code it jumps over)
004037D8 8B16 mov edx,dword ptr ds: ; 22228899.004062FC
004037DA 56 push esi
004037DB FF92 10030000 call dword ptr ds:
004037E1 50 push eax
004037E2 8D85 3CFFFFFF lea eax,dword ptr ss:
(many lines of code omitted here)
00403885 50 push eax
00403886 68 702B4000 push 22228899.00402B70 ; UNICODE ":恭喜!您已达到优秀级别!"
0040388B 8B3A mov edi,dword ptr ds:
0040388D FF15 2C104000 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
00403893 8BD0 mov edx,eax
00403895 8D8D 44FFFFFF lea ecx,dword ptr ss:
0040389B FF15 08114000 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
004038A1 8BCF mov ecx,edi ; msvbvm60.72A20000
004038A3 8BBD 68FEFFFF mov edi,dword ptr ss: ; gdi32.74CF5737
Next, step into the key call 004037C6 FF15 18104000 call dword ptr ds:[<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
72A47262 >8B4C24 08 mov ecx,dword ptr ss:
72A47266 56 push esi
72A47267 8D7424 10 lea esi,dword ptr ss:
72A4726B E8 C1F5FFFF call msvbvm60.__vbaFreeVar (step into this call)
We arrive at the code below
72A46831 >56 push esi
72A46832 8BF1 mov esi,ecx
72A46834 66:8B0E mov cx,word ptr ds:
72A46837 66:83F9 08 cmp cx,0x8
72A4683B 0F82 9F000000 jb msvbvm60.72A468E0
72A46841 F6C5 40 test ch,0x40
72A46844 0F85 96000000 jnz msvbvm60.72A468E0
72A4684A 8BC1 mov eax,ecx
72A4684C 25 FFFF0000 and eax,0xFFFF
72A46851 80E4 7F and ah,0x7F
72A46854 83F8 11 cmp eax,0x11
72A46857 77 3A ja short msvbvm60.72A46893
72A46859 33D2 xor edx,edx
72A4685B 8A90 0869A472 mov dl,byte ptr ds:
72A46861 FF2495 E868A472 jmp dword ptr ds: ; msvbvm60.72A46868
72A46868 8B46 08 mov eax,dword ptr ds: (the first group of the real code appears). Keep pressing F8; after a while we come back to this very same address, and the second group of the real code appears. It dawned on me that all the groups of the real code are probably stored here: each iteration of the loop computes a group and returns here to store it. So I set an F2 breakpoint here, left the cursor on this line and pressed F4 repeatedly, and every group of the real code appeared.
72A4686B 85C0 test eax,eax
Real code: eax=028CA95C (UNICODE "53464-142227729-3934735-3944452"). From tracing it several times, the real code appears to be determined by the username; here are the two pairs I traced:
The program runs as shown in the figure below:
wbz008 53464-142227729-3934735-3944452
PYG008 51865-95615280-2645200-2654917
I completed this assignment only roughly; being a newbie I still have a lot to learn. I hope we can all keep working hard together; experts, please go easy on me.
PYG exercise download:
I'm just starting to learn; the breakpoint in step 3 isn't vbastrcomp, is it?