与兄弟们分享,请大家指正.
用OD加载后找到LoadLibrary和GetProcAddress函数,解压时肯定会调用这两个函数,
因此在这两个函数上下断点.运行后向下来到:
004001C6 FF53 10 call [ebx+10]
004001C9 95 xchg eax, ebp
004001CA 8B07 mov eax, [edi]
004001CC 40 inc eax
004001CD ^ 78 F3 js short 004001C2
004001CF 75 03 jnz short 004001D4
004001D1 - FF63 0C jmp [ebx+C] ; 入口点[PYG]Cra.0040169C
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call [ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^ EB EE jmp short 004001CA
==================================================
继续运行来到这里
0040DA80 . 8D4D A>lea ecx, [ebp-54]
0040DA83 . 51 push ecx
0040DA84 . E8 973>call 00411820 ; 取程序所在磁盘序列dsn==>eax
0040DA89 . 8945 A>mov [ebp-58], eax ; eax=2f5e15dd=dsn=794695133
0040DA8C . C785 E>mov dword ptr [ebp-118], 6
0040DA96 . 89BD E>mov [ebp-120], edi
0040DA9C . 8D55 A>lea edx, [ebp-58] ; [edx]=dsn
0040DA9F . 8995 9>mov [ebp-16C], edx
0040DAA5 . C785 8>mov dword ptr [ebp-174], 4003
0040DAAF . 8D85 E>lea eax, [ebp-120]
0040DAB5 . 50 push eax
0040DAB6 . 6A 01 push 1
0040DAB8 . 8D8D 8>lea ecx, [ebp-174]
0040DABE . 51 push ecx
0040DABF . 8D95 D>lea edx, [ebp-130]
0040DAC5 . 52 push edx ; 磁盘序列号转十进制字符串,再取前6位
0040DAC6 . FFD3 call ebx ; =>[eax+8]=794695
...
0040DB9B . 8D55 8>lea edx, [ebp-7C]
0040DB9E . 52 push edx
0040DB9F . 8D85 D>lea eax, [ebp-130]
0040DBA5 . 50 push eax ; mid(dsn,1,3)=mid("794695",1,3)
0040DBA6 . FFD3 call ebx
...
0040DBD8 . 51 push ecx
0040DBD9 . 6A 04 push 4
0040DBDB . 8D55 8>lea edx, [ebp-7C]
0040DBDE . 52 push edx
0040DBDF . 8D85 D>lea eax, [ebp-130]
0040DBE5 . 50 push eax ; mid(dsn,4,3)=mid("794695",4,3)
0040DBE6 . FFD3 call ebx
...
0040DC02 . 8D8D 2>lea ecx, [ebp-E0]
0040DC08 . 51 push ecx
0040DC09 . 8D95 4>lea edx, [ebp-BC]
0040DC0F . 52 push edx
0040DC10 . 8D85 E>lea eax, [ebp-120]
0040DC16 . 50 push eax ; dsn的123位与456位对调=>695794
0040DC17 . FF15 3>call [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
0040DC1D . 8BD0 mov edx, eax ; **[eax+8]=695794,用于计算pyg2006.key
...
==========================================================================
0040E50A . 50 push eax ; [eax]="PYG2005.KEY"
0040E50B . 6A 01 push 1
0040E50D . 6A FF push -1
0040E50F . 6A 01 push 1
0040E511 . FF15 44114000 call [401144] ; MSVBVM60.__vbaFileOpen
==========================================================================
0040E4FC . 8BD0 mov edx, eax
0040E4FE . 8D8D 08FFFFFF lea ecx, [ebp-F8]
0040E504 . FF15 B0114000 call [4011B0] ; MSVBVM60.__vbaStrMove
0040E50A . 50 push eax ; [eax]=PYG2006.Key
0040E50B . 6A 01 push 1
0040E50D . 6A FF push -1
0040E50F . 6A 01 push 1
0040E511 . FF15 44114000 call [401144] ; MSVBVM60.__vbaFileOpen
0040E517 . 8D8D 08FFFFFF lea ecx, [ebp-F8]
0040E51D . FFD6 call esi
0040E51F . 8D73 64 lea esi, [ebx+64]
0040E522 . 6A 01 push 1
0040E524 . 56 push esi ; 读第一行数据,返回在[eax]
0040E525 . FF15 38104000 call [401038] ; MSVBVM60.__vbaLineInputVar
0040E52B . C785 94FEFFFF 1>mov dword ptr [ebp-16C], 12
0040E535 . 89BD 8CFEFFFF mov [ebp-174], edi
0040E53B . 56 push esi
0040E53C . 8D55 C4 lea edx, [ebp-3C]
0040E53F . 52 push edx
0040E540 . 8D85 E0FEFFFF lea eax, [ebp-120]
0040E546 . 50 push eax ; 计算sn-794695
0040E547 . FF15 00104000 call [401000] ; MSVBVM60.__vbaVarSub
0040E54D . 50 push eax
0040E54E . 8D8D 8CFEFFFF lea ecx, [ebp-174]
0040E554 . 51 push ecx
0040E555 . 8D95 D0FEFFFF lea edx, [ebp-130]
0040E55B . 52 push edx ; 计算(sn-794695)/18 ?
0040E55C . FF15 18114000 call [401118] ; MSVBVM60.__vbaVarDiv
0040E562 . 50 push eax
0040E563 . 8D85 08FFFFFF lea eax, [ebp-F8]
0040E569 . 50 push eax ; 返回计算结果在[eax]=[0013b694]中
0040E56A . FF15 30114000 call [401130] ; MSVBVM60.__vbaStrVarVal
0040E570 . 50 push eax
0040E571 . FF15 D8114000 call [4011D8] ; MSVBVM60.rtcR8ValFromBstr
0040E577 . FF15 94104000 call [401094] ; MSVBVM60.__vbaFpR8
0040E57D . DC1D 10124000 fcomp qword ptr [401210]
0040E583 . DFE0 fstsw ax
0040E585 . F6C4 40 test ah, 40
0040E588 . 74 07 je short 0040E591
0040E58A . B8 01000000 mov eax, 1
0040E58F . EB 02 jmp short 0040E593
0040E591 > 33C0 xor eax, eax
0040E593 > F7D8 neg eax
0040E595 . 66:8BF0 mov si, ax
0040E598 . 8D8D 08FFFFFF lea ecx, [ebp-F8]
0040E59E . FF15 D4114000 call [4011D4] ; MSVBVM60.__vbaFreeStr
0040E5A4 . 66:85F6 test si, si
0040E5A7 . 0F84 9B010000 je 0040E748
上面的程序功能是:读出文件pyg2006.key中第一行数据(密钥key),然后进行如下计算:
(key-794695)/18
若计算结果为20041201,则该密钥key是正确的.
=====================================================
0040D7D1 . 8BD0 mov edx, eax ; **取得执行文件的路径
0040D7D3 . 8D8D F8FEFFFF lea ecx, [ebp-108]
0040D7D9 . FFD3 call ebx
0040D7DB . 50 push eax ; **取文件长度(实际长度为af4d=43597)
0040D7DC . FF15 80114000 call [401180] ; MSVBVM60.rtcFileLen
0040D7E2 . 33D2 xor edx, edx ; eax=文件长度=0xaa4d=43597个字节
0040D7E4 . 3D C8AF0000 cmp eax, 0AFC8 ; 文件长度>0xAFC8=45000个字节?
0040D7E9 . 0F9FC2 setg dl ; eax=aa4d<afc8,==>dl=0
0040D7EC . F7DA neg edx ; 此时esi=0
0040D7EE . 8BFA mov edi, edx
======================================================
0040AF64 . 816C24 04 7B0>sub dword ptr [esp+4], 7B ; 调用了filelen
0040AF6C . E9 0F260000 jmp 0040D580
0040AF71 . 816C24 04 8F0>sub dword ptr [esp+4], 8F
0040AF79 . E9 22390000 jmp 0040E8A0
0040AF7E . 816C24 04 870>sub dword ptr [esp+4], 87 ; 确认按钮
0040AF86 . E9 E5390000 jmp 0040E970
0040AF8B . 816C24 04 8B0>sub dword ptr [esp+4], 8B ; 关于按钮
0040AF93 . E9 985F0000 jmp 00410F30
0040AF98 . 816C24 04 770>sub dword ptr [esp+4], 77
0040AFA0 . E9 7B600000 jmp 00411020
0040AFA5 . 816C24 04 FFF>sub dword ptr [esp+4], 0FFFF
0040AFAD . E9 DE600000 jmp 00411090
=========================================================
下面代码为验证文件是否被脱壳(比较文件长度)
0040D7DC . FF15 80114000 call [<&MSVBVM60.rtcFileLen>] ; MSVBVM60.rtcFileLen
0040D7E2 . 33D2 xor edx, edx ; eax=aa4d
0040D7E4 . 3D C8AF0000 cmp eax, 0AFC8 ; 文件长度不大于0ac8=15000字节?
0040D7E9 . 0F9FC2 setg dl
0040D7EC . F7DA neg edx
修改为:
0040D7DC . FF15 80114000 call [<&MSVBVM60.rtcFileLen>] ; MSVBVM60.rtcFileLen
0040D7E2 . 33D2 xor edx, edx ; eax=aa4d
0040D7E4 B8 4DAA0000 mov eax, 0AA4D
0040D7E9 90 nop
0040D7EA 90 nop
0040D7EB 90 nop
0040D7EC 90 nop
0040D7ED 90 nop
即取消了文件长度检查.
===========================================================
注意:程序中还要检查文件名是否被改变了,因此脱壳后的文件名应保持不变,即为:[PYG]CrackMe.exe
0040D8E8 > \8B95 08FFFFFF mov edx, [ebp-F8]
0040D8EE . 52 push edx ; 比较文件名是否被更改了
0040D8EF . 68 70B34000 push 0040B370 ; UNICODE "[PYG]CrackMe"
-------------------------------------------------------------------------------------------------
0040D8EF 52 push edx ==>取消文件名检查
0040D8F0 90 nop
0040D8F1 90 nop
0040D8F2 90 nop
0040D8F3 90 nop
-------------------------------------------------------------------------------------------------
0040D8F4 . FF15 C0104000 call [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0040D8FA . 8BF8 mov edi, eax
0040D8FC . F7DF neg edi
0040D8FE . 1BFF sbb edi, edi
0040D900 . F7DF neg edi
0040D902 . F7DF neg edi
0040D904 . 8D8D 08FFFFFF lea ecx, [ebp-F8]
0040D90A . FF15 D4114000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040D910 . 8D8D F4FEFFFF lea ecx, [ebp-10C]
0040D916 . FF15 D0114000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0040D91C . 66:3BFE cmp di, si
0040D91F . 74 5C je short 0040D97D ; 更改文件名后将结束程序
0040D921 . 3935 24544100 cmp [415424], esi
0040D927 . 75 10 jnz short 0040D939
=================================================================================================
到此,已找到密钥文件,且成功脱壳,取消了文件大小及文件名检查
密钥为:pyg2006.key=20041201*18+794695=361437412 [注:794695是一个根据文件所在磁盘序列号计算出来的值]
****************************************************************************************************
****************************************************************************************************
用算法识别工具kanal23检测出程序在00412EEA处使用了MD5加密.
转到00412eea,并向上来到函数开始处。
00412CD0 > > \55 push ebp ; MD5(M) ;M=-876604940 |