本人会一些编程,但是破解就弄得比较少,最近领导让我修改一个九几年买的财务软件,vb5编的,财务软件针对单位名称做了加密。
数据库里面保存了实际使用的单位名称,在软件安装目录下用文本文件保存了一个对应的加密字串。使用的时候,读取加密字串然后经过计算和数据库中单位名称做比较,如果成功就进入,否则就退出。我用ollydbg经过两天的跟踪大概跟踪加密比较的算法。汇编代码如下:
; ===========================================================================
; OllyDbg listing (32-bit x86, Intel syntax) of one compiled VB5 function in
; Kfcn.exe, exactly as pasted.  Annotation only; no instruction bytes changed.
;
; NOTE(review): seven lines lost their destination register in the paste:
;   "MOV #645", "MOV __vbaStrMove" (twice), "MOV __vbaFreeStrList",
;   "MOV #520", "MOV __vbaFreeVarList", "MOV __vbaFreeStr".  Each one is
;   followed by a CALL/JMP through EBX, EDI or ESI, so they are almost
;   certainly "MOV reg, DWORD PTR DS:[<&MSVBVM50.name>]" import loads (the
;   second "MOV __vbaStrMove" sits right after EDI was clobbered by
;   "MOV EDI,EAX", which fits a reload of EDI).  Re-dump these lines before
;   relying on the register roles assumed in the comments below.
;
; What the visible code establishes:
;   * Standard VB SEH prologue/epilogue (FS:[0] chain, __vbaExceptHandler).
;   * [EBP-18] is the result: zeroed on entry, set to -1 on the success
;     paths, read back as a 16-bit value into AX at the end -> a VB Boolean
;     return (0 = False, -1 = True).  The caller's "TEST AX,AX" tests this.
;   * RETN 4 plus the read of [EBP+8] -> one argument: a pointer to a
;     String (it is wrapped in VT_BYREF|VT_BSTR Variants, vt 0x4008, below).
;   * The decision is an ordinary string comparison: every record read from
;     file #1 is passed to Kfcn.00D01CD0 and the returned string is compared
;     with the argument by __vbaVarTstEq (exact) or __vbaInStrVar
;     (substring, position > 0), selected by the global WORD at E94078.
;     Any transform ("encryption") of the file contents therefore lives in
;     Kfcn.00D01CD0, not in this listing.  At the two comparison calls both
;     operands are plain BSTRs in the Variants at [EBP-40] and [EBP-80].
;   * In substring mode a record whose transformed text merely CONTAINS the
;     argument is accepted - a weaker check than the exact-match mode.
; ===========================================================================
PUSH EBP
MOV EBP,ESP
SUB ESP,8                                   ; [EBP-4]/[EBP-8]: VB exception-frame slots
PUSH <JMP.&MSVBVM50.__vbaExceptHandler>
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP                    ; install SEH record
SUB ESP,9C                                  ; 0x9C bytes of locals
MOV EAX,DWORD PTR DS:[E98A3C]               ; global object pointer, created lazily below
PUSH EBX
PUSH ESI
PUSH EDI
XOR EDI,EDI                                 ; EDI = 0, used to zero-initialise the locals
MOV DWORD PTR SS:[EBP-8],ESP
CMP EAX,EDI                                 ; global object already created?
MOV DWORD PTR SS:[EBP-4],Kfcn.00407D68      ; presumably this function's exception data (VB pattern) - confirm
MOV DWORD PTR SS:[EBP-14],EDI               ; String: record read from the file
MOV DWORD PTR SS:[EBP-1C],EDI               ; String: output of Kfcn.00D01CD0 (after CALL ESI)
MOV DWORD PTR SS:[EBP-28],EDI               ; String: result of the vtable +50 call
MOV DWORD PTR SS:[EBP-2C],EDI               ; String: concatenated path / runtime-call result
MOV DWORD PTR SS:[EBP-30],EDI               ; Object: result of the vtable +14 call
MOV DWORD PTR SS:[EBP-40],EDI               ; Variant (vt at -40, data at -38)
MOV DWORD PTR SS:[EBP-50],EDI               ; Variant
MOV DWORD PTR SS:[EBP-60],EDI               ; Variant (only ever freed)
MOV DWORD PTR SS:[EBP-70],EDI               ; Variant (vt at -70, data at -68)
MOV DWORD PTR SS:[EBP-80],EDI               ; Variant (vt at -80, data at -78)
MOV DWORD PTR SS:[EBP-90],EDI               ; Variant (vt at -90, data at -88)
MOV DWORD PTR SS:[EBP-94],EDI               ; DWORD passed to Kfcn.00D01CD0, purpose not visible here
MOV DWORD PTR SS:[EBP-18],EDI               ; result = False
JNZ L033
PUSH Kfcn.00E98A3C
PUSH Kfcn.00467528
CALL __vbaNew2                              ; create the object of class 00467528 into [E98A3C]
L033:
; ---- check 1: runtime call on (<string from object> & <const 00493588>) ----
MOV ESI,DWORD PTR DS:[E98A3C]
LEA ECX,DWORD PTR SS:[EBP-30]
PUSH ECX
PUSH ESI
MOV EAX,DWORD PTR DS:[ESI]
CALL DWORD PTR DS:[EAX+14]                  ; vtable slot +14: returns an object in [EBP-30]
CMP EAX,EDI
JGE L046                                    ; negative HRESULT -> raise VB error
PUSH 14
PUSH Kfcn.00467518
PUSH ESI
PUSH EAX
CALL __vbaHresultCheckObj
L046:
MOV EAX,DWORD PTR SS:[EBP-30]
LEA ECX,DWORD PTR SS:[EBP-28]
PUSH ECX
PUSH EAX
MOV EDX,DWORD PTR DS:[EAX]
MOV ESI,EAX
CALL DWORD PTR DS:[EDX+50]                  ; vtable slot +50 on that object: returns a String in [EBP-28]
CMP EAX,EDI
JGE L060
PUSH 50
PUSH Kfcn.00467538
PUSH ESI
PUSH EAX
CALL __vbaHresultCheckObj
L060:
MOV EDX,DWORD PTR SS:[EBP-28]
PUSH EDX
PUSH Kfcn.00493588
CALL __vbaStrCat                            ; EAX = [EBP-28] & <constant string at 00493588>
MOV #645                                    ; garbled: presumably MOV EBX,[<&MSVBVM50.#645>] (runtime function by ordinal)
MOV DWORD PTR SS:[EBP-38],EAX               ; Variant [EBP-40] := that string
LEA EAX,DWORD PTR SS:[EBP-40]
PUSH EDI                                    ; second argument = 0
PUSH EAX                                    ; first argument  = &Variant
MOV DWORD PTR SS:[EBP-40],8                 ; vt = 8 = VT_BSTR
CALL EBX                                    ; ordinal #645(&Variant, 0) -> BSTR in EAX; the (path Variant, 0) shape is consistent with Dir$(path, attrs) - confirm from the import name
MOV __vbaStrMove                            ; garbled: presumably MOV EDI,[<&__vbaStrMove>]
MOV EDX,EAX
LEA ECX,DWORD PTR SS:[EBP-2C]
CALL EDI                                    ; [EBP-2C] := returned string
PUSH EAX
PUSH Kfcn.00465A08
CALL __vbaStrCmp                            ; 0 when [EBP-2C] equals <constant string at 00465A08> (check the dump: if it is "" this is the usual "Dir$() <> """ existence test)
MOV ESI,EAX
LEA ECX,DWORD PTR SS:[EBP-2C]
NEG ESI
SBB ESI,ESI                                 ; ESI = -1 if the strings differ, 0 if equal
LEA EDX,DWORD PTR SS:[EBP-28]
PUSH ECX
PUSH EDX
NEG ESI
PUSH 2
NEG ESI                                     ; the two NEGs cancel; ESI still -1 / 0
CALL __vbaFreeStrList                       ; free [EBP-28], [EBP-2C]
ADD ESP,0C
LEA ECX,DWORD PTR SS:[EBP-30]
CALL __vbaFreeObj
LEA ECX,DWORD PTR SS:[EBP-40]
CALL __vbaFreeVar
TEST SI,SI
JE L099                                     ; equal   -> go on to check 2
MOV DWORD PTR SS:[EBP-18],-1                ; differ  -> result = True and leave WITHOUT reading the file at all
PUSH Kfcn.00D01A53                          ; VB pattern: push return address, jump to cleanup stub L352
JMP L352
L099:
; ---- check 2: same runtime call on (<string from object> & <const 004934D0>) ----
MOV EAX,DWORD PTR DS:[E98A3C]
TEST EAX,EAX
JNZ L105
PUSH Kfcn.00E98A3C
PUSH Kfcn.00467528
CALL __vbaNew2
L105:
MOV ESI,DWORD PTR DS:[E98A3C]
LEA ECX,DWORD PTR SS:[EBP-30]
PUSH ECX
PUSH ESI
MOV EAX,DWORD PTR DS:[ESI]
CALL DWORD PTR DS:[EAX+14]
TEST EAX,EAX
JGE L118
PUSH 14
PUSH Kfcn.00467518
PUSH ESI
PUSH EAX
CALL __vbaHresultCheckObj
L118:
MOV EAX,DWORD PTR SS:[EBP-30]
LEA ECX,DWORD PTR SS:[EBP-28]
PUSH ECX
PUSH EAX
MOV EDX,DWORD PTR DS:[EAX]
MOV ESI,EAX
CALL DWORD PTR DS:[EDX+50]
TEST EAX,EAX
JGE L132
PUSH 50
PUSH Kfcn.00467538
PUSH ESI
PUSH EAX
CALL __vbaHresultCheckObj
L132:
MOV EDX,DWORD PTR SS:[EBP-28]
PUSH EDX
PUSH Kfcn.004934D0
CALL __vbaStrCat                            ; EAX = [EBP-28] & <constant string at 004934D0> (the file name opened below)
MOV DWORD PTR SS:[EBP-38],EAX
LEA EAX,DWORD PTR SS:[EBP-40]
PUSH 0
PUSH EAX
MOV DWORD PTR SS:[EBP-40],8                 ; VT_BSTR
CALL EBX                                    ; same #645 call as in check 1
MOV EDX,EAX
LEA ECX,DWORD PTR SS:[EBP-2C]
CALL EDI                                    ; __vbaStrMove: [EBP-2C] := result
PUSH EAX
PUSH Kfcn.00465A08
CALL __vbaStrCmp                            ; compare against the same constant as check 1
MOV __vbaFreeStrList                        ; garbled: presumably MOV EBX,[<&__vbaFreeStrList>] (EBX is reused that way below)
MOV ESI,EAX
NEG ESI
LEA ECX,DWORD PTR SS:[EBP-2C]
LEA EDX,DWORD PTR SS:[EBP-28]
SBB ESI,ESI                                 ; ESI = -1 if differ, 0 if equal
PUSH ECX
NEG ESI
PUSH EDX
PUSH 2
NEG ESI
CALL EBX                                    ; __vbaFreeStrList(2, &[EBP-28], &[EBP-2C])
ADD ESP,0C
LEA ECX,DWORD PTR SS:[EBP-30]
CALL __vbaFreeObj
LEA ECX,DWORD PTR SS:[EBP-40]
CALL __vbaFreeVar
TEST SI,SI
JE L331                                     ; equal -> result stays False, exit (no file is opened)
; ---- check 3: open the file and scan it record by record ----
MOV EAX,DWORD PTR DS:[E98A3C]
TEST EAX,EAX
JNZ L173
PUSH Kfcn.00E98A3C
PUSH Kfcn.00467528
CALL __vbaNew2
L173:
MOV ESI,DWORD PTR DS:[E98A3C]
LEA ECX,DWORD PTR SS:[EBP-30]
PUSH ECX
PUSH ESI
MOV EAX,DWORD PTR DS:[ESI]
CALL DWORD PTR DS:[EAX+14]
TEST EAX,EAX
JGE L186
PUSH 14
PUSH Kfcn.00467518
PUSH ESI
PUSH EAX
CALL __vbaHresultCheckObj
L186:
MOV EAX,DWORD PTR SS:[EBP-30]
LEA ECX,DWORD PTR SS:[EBP-28]
PUSH ECX
PUSH EAX
MOV EDX,DWORD PTR DS:[EAX]
MOV ESI,EAX
CALL DWORD PTR DS:[EDX+50]
TEST EAX,EAX
JGE L200
PUSH 50
PUSH Kfcn.00467538
PUSH ESI
PUSH EAX
CALL __vbaHresultCheckObj
L200:
MOV EDX,DWORD PTR SS:[EBP-28]
PUSH EDX
PUSH Kfcn.004934D0
CALL __vbaStrCat                            ; file name = [EBP-28] & <const 004934D0>, same as check 2
MOV EDX,EAX
LEA ECX,DWORD PTR SS:[EBP-2C]
CALL EDI                                    ; [EBP-2C] := file name
PUSH EAX                                    ; file name
PUSH 1
PUSH -1
PUSH 1
CALL __vbaFileOpen                          ; opens it as file #1; the 1/-1/1 triple matches VB's "Open ... For Input As #1" encoding - confirm
LEA EAX,DWORD PTR SS:[EBP-2C]
LEA ECX,DWORD PTR SS:[EBP-28]
PUSH EAX
PUSH ECX
PUSH 2
CALL EBX                                    ; __vbaFreeStrList(2, ...)
ADD ESP,0C
LEA ECX,DWORD PTR SS:[EBP-30]
CALL __vbaFreeObj
MOV #520                                    ; garbled: presumably MOV ESI,[<&MSVBVM50.#520>]; used below as ESI(&dstVariant, &srcVariant), i.e. a Variant->Variant string function (Trim-like) - confirm from the import name
MOV __vbaFreeVarList                        ; garbled: presumably MOV EBX,[<&__vbaFreeVarList>] (CALL EBX with (2, &var, &var) below)
MOV DWORD PTR SS:[EBP-24],1                 ; 16-bit loop counter (VB Integer), starts at 1; never read except to increment
L224:
; loop: while not EOF(1)
PUSH 1
CALL #571                                   ; ordinal #571(1) -> AX; used as an end-of-file test on file #1 - confirm (EOF)
TEST AX,AX
JNZ L329                                    ; end of file -> close and return the current result (False)
LEA EDX,DWORD PTR SS:[EBP-14]
PUSH EDX
PUSH 1
PUSH Kfcn.00467554
CALL __vbaInputFile                         ; read next item from file #1 into String [EBP-14]
MOV ECX,DWORD PTR SS:[EBP-14]
ADD ESP,0C
LEA EAX,DWORD PTR SS:[EBP-94]
MOV DWORD PTR SS:[EBP-94],0
PUSH EAX                                    ; &[EBP-94] (zeroed DWORD, meaning not visible here)
PUSH ECX                                    ; the record just read
CALL Kfcn.00D01CD0                          ; <<< the program's own transform of the record; returns a BSTR in EAX.  This is where the "encryption" lives.
MOV DWORD PTR SS:[EBP-38],EAX               ; Variant [EBP-40] := transformed record
LEA EDX,DWORD PTR SS:[EBP-40]
LEA EAX,DWORD PTR SS:[EBP-50]
PUSH EDX
PUSH EAX
MOV DWORD PTR SS:[EBP-40],8                 ; VT_BSTR
CALL ESI                                    ; [EBP-50] := #520([EBP-40])
LEA ECX,DWORD PTR SS:[EBP-50]
PUSH ECX
CALL __vbaStrVarMove                        ; BSTR out of the Variant
MOV EDX,EAX
LEA ECX,DWORD PTR SS:[EBP-1C]
CALL EDI                                    ; String [EBP-1C] := that BSTR
LEA EDX,DWORD PTR SS:[EBP-50]
LEA EAX,DWORD PTR SS:[EBP-40]
PUSH EDX
PUSH EAX
PUSH 2
CALL EBX                                    ; __vbaFreeVarList(2, &[EBP-40], &[EBP-50])
ADD ESP,0C
CMP WORD PTR DS:[E94078],0                  ; global 16-bit flag (module-level Boolean/Integer) selects the compare mode
JE L285                                     ; 0 -> substring mode
; -- exact-match mode --
MOV ECX,DWORD PTR SS:[EBP+8]                ; ECX = pointer to the argument String
LEA EAX,DWORD PTR SS:[EBP-1C]
MOV DWORD PTR SS:[EBP-80],8008              ; Variant [EBP-80]: vt 0x8008 = VT_BSTR + a high bit VB sets on such temporaries (non-owning) - confirm
MOV DWORD PTR SS:[EBP-68],EAX               ; Variant [EBP-70] data = &[EBP-1C] (transformed record)
MOV EDX,DWORD PTR DS:[ECX]
LEA ECX,DWORD PTR SS:[EBP-70]
MOV DWORD PTR SS:[EBP-78],EDX               ; Variant [EBP-80] data = the argument's BSTR
LEA EDX,DWORD PTR SS:[EBP-40]
PUSH ECX
PUSH EDX
MOV DWORD PTR SS:[EBP-70],4008              ; vt 0x4008 = VT_BYREF | VT_BSTR
CALL ESI                                    ; [EBP-40] := #520(transformed record)
LEA EAX,DWORD PTR SS:[EBP-80]
LEA ECX,DWORD PTR SS:[EBP-40]
PUSH EAX
PUSH ECX
CALL __vbaVarTstEq                          ; AX != 0 when #520(transformed record) = argument (both operands visible here as BSTRs)
LEA ECX,DWORD PTR SS:[EBP-40]
MOV EDI,EAX                                 ; NB: EDI no longer holds __vbaStrMove from here on
CALL __vbaFreeVar
TEST DI,DI
JNZ L328                                    ; match -> result = True
JMP L322                                    ; no match -> next record
L285:
; -- substring mode --
MOV EDX,DWORD PTR SS:[EBP+8]
LEA ECX,DWORD PTR SS:[EBP-1C]
MOV DWORD PTR SS:[EBP-80],8                 ; Variant [EBP-80]: VT_BSTR = the argument
MOV DWORD PTR SS:[EBP-68],ECX               ; Variant [EBP-70] data = &[EBP-1C]
MOV EAX,DWORD PTR DS:[EDX]
LEA EDX,DWORD PTR SS:[EBP-70]
MOV DWORD PTR SS:[EBP-78],EAX
LEA EAX,DWORD PTR SS:[EBP-40]
PUSH EDX
PUSH EAX
MOV DWORD PTR SS:[EBP-70],4008              ; VT_BYREF | VT_BSTR
CALL ESI                                    ; [EBP-40] := #520(transformed record)
LEA ECX,DWORD PTR SS:[EBP-80]
PUSH 1                                      ; start = 1 (InStr start cannot be 0 in VB, so this is the start, not the compare mode)
LEA EDX,DWORD PTR SS:[EBP-40]
PUSH ECX                                    ; &argument Variant
PUSH EDX                                    ; &transformed-record Variant
LEA EAX,DWORD PTR SS:[EBP-50]
PUSH 0                                      ; compare = 0 (binary) - confirm against __vbaInStrVar's parameter order
PUSH EAX                                    ; &result Variant
MOV DWORD PTR SS:[EBP-88],0
MOV DWORD PTR SS:[EBP-90],8002              ; Variant [EBP-90] = Integer 0 (vt 0x8002: VT_I2 + the same high bit)
CALL __vbaInStrVar                          ; InStr(1, x, y) between the argument and the transformed record; which is needle and which is haystack depends on the runtime's parameter order - confirm
LEA ECX,DWORD PTR SS:[EBP-90]
PUSH EAX
PUSH ECX
CALL __vbaVarTstGt                          ; AX != 0 when the InStr position > 0, i.e. one string is contained in the other
MOV EDI,EAX
LEA EDX,DWORD PTR SS:[EBP-50]
LEA EAX,DWORD PTR SS:[EBP-40]
PUSH EDX
PUSH EAX
PUSH 2
CALL EBX                                    ; __vbaFreeVarList(2, &[EBP-40], &[EBP-50])
ADD ESP,0C
TEST DI,DI
JNZ L328                                    ; found -> result = True
L322:
; next record
MOV CX,WORD PTR SS:[EBP-24]
MOV __vbaStrMove                            ; garbled: presumably MOV EDI,[<&__vbaStrMove>] - reload, since EDI was overwritten by the compare result above
ADD CX,1
JO SHORT Kfcn.00D01A6A                      ; 16-bit overflow of the Integer counter -> VB overflow-error stub (presumed)
MOV DWORD PTR SS:[EBP-24],ECX
JMP L224
L328:
MOV DWORD PTR SS:[EBP-18],-1                ; result = True
L329:
PUSH 1
CALL __vbaFileClose                         ; Close #1
L331:
PUSH Kfcn.00D01A53                          ; return address for the cleanup stub; presumably the epilogue at the end of this listing
JMP L352
; ---- not targeted by any visible jump: presumably the error-unwind cleanup reached via the VB exception data ----
LEA EDX,DWORD PTR SS:[EBP-2C]
LEA EAX,DWORD PTR SS:[EBP-28]
PUSH EDX
PUSH EAX
PUSH 2
CALL __vbaFreeStrList                       ; free [EBP-28], [EBP-2C]
ADD ESP,0C
LEA ECX,DWORD PTR SS:[EBP-30]
CALL __vbaFreeObj
LEA ECX,DWORD PTR SS:[EBP-60]
LEA EDX,DWORD PTR SS:[EBP-50]
PUSH ECX
LEA EAX,DWORD PTR SS:[EBP-40]
PUSH EDX
PUSH EAX
PUSH 3
CALL __vbaFreeVarList                       ; free Variants [EBP-40], [EBP-50], [EBP-60]
ADD ESP,10
RETN
L352:
; ---- normal-exit cleanup stub: frees the two loop strings, then "returns" to the pushed address ----
MOV __vbaFreeStr                            ; garbled: presumably MOV ESI,[<&__vbaFreeStr>]
LEA ECX,DWORD PTR SS:[EBP-14]
CALL ESI                                    ; __vbaFreeStr(&[EBP-14])
LEA ECX,DWORD PTR SS:[EBP-1C]
JMP ESI                                     ; tail-call __vbaFreeStr(&[EBP-1C]); its RETN pops the pushed 00D01A53
RETN                                        ; not reached (falls after the JMP)
; ---- epilogue (presumably at 00D01A53) ----
MOV ECX,DWORD PTR SS:[EBP-10]               ; saved previous SEH record
MOV AX,WORD PTR SS:[EBP-18]                 ; AX = Boolean result (0 / -1); this is what the caller's TEST AX,AX inspects
POP EDI
POP ESI
MOV DWORD PTR FS:[0],ECX                    ; unlink SEH record
POP EBX
MOV ESP,EBP
POP EBP
RETN 4                                      ; stdcall, one DWORD argument
函数返回后,调用方用 test ax,ax 测试返回值(AX 是从 [EBP-18] 取出的 VB Boolean 返回值,0 为 False,-1 为 True)。我看了一天完全看不懂这段代码——大学里面学的一点汇编知识完全忘了,手里拿本汇编教程也完全看不懂在说什么。
不知道诸位大虾有没有人对于加密算法比较熟悉,能看懂这段代码的,大致帮我分析一下。