
[旧帖] [求助]新人学破解求助一段汇编代码 0.00雪花

2011-11-21 15:18
1359
本人会一些编程,但是破解弄得比较少。最近领导让我修改一个九几年买的财务软件,VB5 编的,这个财务软件针对单位名称做了加密。
数据库里面保存了实际使用的单位名称,在软件安装目录下用文本文件保存了一个对应的加密字串。使用的时候,读取加密字串,经过计算后和数据库中的单位名称做比较,如果成功就进入,否则就退出。我用 OllyDbg 跟踪了两天,大致跟出了加密比较的算法。汇编代码如下:
  ; --- VB5-compiled routine, OllyDbg listing with addresses stripped (Intel syntax) ---
  ; ABI:    stdcall, one 4-byte argument at [EBP+8]; it is a pointer whose pointee is
  ;         placed into a VT_BSTR variant below, so presumably a ByRef String.
  ; Result: the 16-bit value at [EBP-18] (0 or -1) is returned in AX by the epilogue.
  ; Locals (all zeroed right after the prologue):
  ;         [EBP-14] line read by Input #1      [EBP-18] result word
  ;         [EBP-1C] transformed line           [EBP-24] loop counter (Integer)
  ;         [EBP-28],[EBP-2C] strings           [EBP-30] object pointer
  ;         [EBP-40]/-50/-60/-70/-80/-90 variants (vt at +0, data at +8)
  ; Lines reading "MOV #nnn" / "MOV __vbaXxx" lost their destination register and
  ;         address operand in the paste; the register is inferred from the CALL that
  ;         later uses it (noted on each such line).
  PUSH EBP
  MOV EBP,ESP
  SUB ESP,8
  PUSH <JMP.&MSVBVM50.__vbaExceptHandler>       ; standard VB runtime SEH frame
  MOV EAX,DWORD PTR FS:[0]
  PUSH EAX                                      ; previous handler, ends up at [EBP-10]
  MOV DWORD PTR FS:[0],ESP
  SUB ESP,9C                                    ; 0x9C bytes of locals
  MOV EAX,DWORD PTR DS:[E98A3C]                 ; global object pointer
  PUSH EBX
  PUSH ESI
  PUSH EDI
  XOR EDI,EDI                                   ; EDI = 0 for the zeroing stores below
  MOV DWORD PTR SS:[EBP-8],ESP
  CMP EAX,EDI                                   ; global object already created?
  MOV DWORD PTR SS:[EBP-4],Kfcn.00407D68
  MOV DWORD PTR SS:[EBP-14],EDI
  MOV DWORD PTR SS:[EBP-1C],EDI
  MOV DWORD PTR SS:[EBP-28],EDI
  MOV DWORD PTR SS:[EBP-2C],EDI
  MOV DWORD PTR SS:[EBP-30],EDI
  MOV DWORD PTR SS:[EBP-40],EDI
  MOV DWORD PTR SS:[EBP-50],EDI
  MOV DWORD PTR SS:[EBP-60],EDI                 ; only freed in the cleanup stub in this listing
  MOV DWORD PTR SS:[EBP-70],EDI
  MOV DWORD PTR SS:[EBP-80],EDI
  MOV DWORD PTR SS:[EBP-90],EDI
  MOV DWORD PTR SS:[EBP-94],EDI
  MOV DWORD PTR SS:[EBP-18],EDI                 ; result defaults to 0
  JNZ L033                                      ; flags are still from CMP EAX,EDI (MOV does not touch them)
  PUSH Kfcn.00E98A3C
  PUSH Kfcn.00467528
  CALL __vbaNew2                                ; create the global object on first use
L033:
  ; --- check 1: virtual call chain -> string, concatenate a constant, look it up ---
  MOV ESI,DWORD PTR DS:[E98A3C]
  LEA ECX,DWORD PTR SS:[EBP-30]
  PUSH ECX                                      ; out: object -> [EBP-30]
  PUSH ESI                                      ; this
  MOV EAX,DWORD PTR DS:[ESI]
  CALL DWORD PTR DS:[EAX+14]                    ; virtual call, vtable slot +14
  CMP EAX,EDI
  JGE L046                                      ; negative HRESULT -> raise
  PUSH 14
  PUSH Kfcn.00467518
  PUSH ESI
  PUSH EAX
  CALL __vbaHresultCheckObj
L046:
  MOV EAX,DWORD PTR SS:[EBP-30]
  LEA ECX,DWORD PTR SS:[EBP-28]
  PUSH ECX                                      ; out: string -> [EBP-28]
  PUSH EAX                                      ; this = object from [EBP-30]
  MOV EDX,DWORD PTR DS:[EAX]
  MOV ESI,EAX
  CALL DWORD PTR DS:[EDX+50]                    ; virtual call, vtable slot +50 (string-valued)
  CMP EAX,EDI
  JGE L060
  PUSH 50
  PUSH Kfcn.00467538
  PUSH ESI
  PUSH EAX
  CALL __vbaHresultCheckObj
L060:
  MOV EDX,DWORD PTR SS:[EBP-28]
  PUSH EDX
  PUSH Kfcn.00493588
  CALL __vbaStrCat                              ; [EBP-28] joined with the string constant at 00493588
  MOV #645                                      ; garbled: presumably MOV EBX,<&MSVBVM50.#645> (CALL EBX below)
  MOV DWORD PTR SS:[EBP-38],EAX                 ; variant [EBP-40].data = joined string
  LEA EAX,DWORD PTR SS:[EBP-40]
  PUSH EDI                                      ; second arg = 0 (EDI still 0 here)
  PUSH EAX                                      ; first arg = &variant [EBP-40]
  MOV DWORD PTR SS:[EBP-40],8                   ; variant [EBP-40].vt = 8 (VT_BSTR)
  CALL EBX                                      ; #645(&variant, 0) -> string in EAX; a Dir$-style lookup fits this shape — confirm from the import table
  MOV __vbaStrMove                              ; garbled: presumably MOV EDI,<&__vbaStrMove> (CALL EDI below: EDX = new string, ECX = destination slot)
  MOV EDX,EAX
  LEA ECX,DWORD PTR SS:[EBP-2C]
  CALL EDI                                      ; [EBP-2C] = lookup result
  PUSH EAX
  PUSH Kfcn.00465A08
  CALL __vbaStrCmp                              ; compare with the string constant at 00465A08
  MOV ESI,EAX
  LEA ECX,DWORD PTR SS:[EBP-2C]
  NEG ESI                                       ; NEG/SBB/NEG/NEG idiom: ESI = -1 if the strings differ, 0 if equal
  SBB ESI,ESI
  LEA EDX,DWORD PTR SS:[EBP-28]                 ; LEA/PUSH preserve the flags between NEG and SBB
  PUSH ECX
  PUSH EDX
  NEG ESI
  PUSH 2
  NEG ESI
  CALL __vbaFreeStrList                         ; free [EBP-28], [EBP-2C]
  ADD ESP,0C
  LEA ECX,DWORD PTR SS:[EBP-30]
  CALL __vbaFreeObj
  LEA ECX,DWORD PTR SS:[EBP-40]
  CALL __vbaFreeVar
  TEST SI,SI
  JE L099                                       ; equal -> go on to check 2
  MOV DWORD PTR SS:[EBP-18],-1                  ; differ -> result = -1
  PUSH Kfcn.00D01A53                            ; return address for the L352 cleanup (presumably the epilogue at the end)
  JMP L352
L099:
  ; --- check 2: same chain, constant 004934D0 instead of 00493588 ---
  MOV EAX,DWORD PTR DS:[E98A3C]
  TEST EAX,EAX
  JNZ L105
  PUSH Kfcn.00E98A3C
  PUSH Kfcn.00467528
  CALL __vbaNew2
L105:
  MOV ESI,DWORD PTR DS:[E98A3C]
  LEA ECX,DWORD PTR SS:[EBP-30]
  PUSH ECX
  PUSH ESI
  MOV EAX,DWORD PTR DS:[ESI]
  CALL DWORD PTR DS:[EAX+14]                    ; vtable slot +14, as in check 1
  TEST EAX,EAX
  JGE L118
  PUSH 14
  PUSH Kfcn.00467518
  PUSH ESI
  PUSH EAX
  CALL __vbaHresultCheckObj
L118:
  MOV EAX,DWORD PTR SS:[EBP-30]
  LEA ECX,DWORD PTR SS:[EBP-28]
  PUSH ECX
  PUSH EAX
  MOV EDX,DWORD PTR DS:[EAX]
  MOV ESI,EAX
  CALL DWORD PTR DS:[EDX+50]                    ; vtable slot +50, as in check 1
  TEST EAX,EAX
  JGE L132
  PUSH 50
  PUSH Kfcn.00467538
  PUSH ESI
  PUSH EAX
  CALL __vbaHresultCheckObj
L132:
  MOV EDX,DWORD PTR SS:[EBP-28]
  PUSH EDX
  PUSH Kfcn.004934D0
  CALL __vbaStrCat                              ; [EBP-28] joined with the string constant at 004934D0
  MOV DWORD PTR SS:[EBP-38],EAX
  LEA EAX,DWORD PTR SS:[EBP-40]
  PUSH 0                                        ; explicit 0 now (EDI no longer holds 0)
  PUSH EAX
  MOV DWORD PTR SS:[EBP-40],8
  CALL EBX                                      ; #645 again (EBX unchanged since check 1)
  MOV EDX,EAX
  LEA ECX,DWORD PTR SS:[EBP-2C]
  CALL EDI                                      ; __vbaStrMove: [EBP-2C] = lookup result
  PUSH EAX
  PUSH Kfcn.00465A08
  CALL __vbaStrCmp                              ; same constant as check 1
  MOV __vbaFreeStrList                          ; garbled: presumably MOV EBX,<&__vbaFreeStrList> (CALL EBX below takes (2, &str, &str) and is followed by ADD ESP,0C)
  MOV ESI,EAX
  NEG ESI                                       ; same idiom: ESI = -1 if differ, 0 if equal
  LEA ECX,DWORD PTR SS:[EBP-2C]
  LEA EDX,DWORD PTR SS:[EBP-28]
  SBB ESI,ESI
  PUSH ECX
  NEG ESI
  PUSH EDX
  PUSH 2
  NEG ESI
  CALL EBX                                      ; __vbaFreeStrList(2, &[EBP-28], &[EBP-2C])
  ADD ESP,0C
  LEA ECX,DWORD PTR SS:[EBP-30]
  CALL __vbaFreeObj
  LEA ECX,DWORD PTR SS:[EBP-40]
  CALL __vbaFreeVar
  TEST SI,SI
  JE L331                                       ; equal -> exit with result still 0
  ; --- build the same string a third time and open it as file #1 ---
  MOV EAX,DWORD PTR DS:[E98A3C]
  TEST EAX,EAX
  JNZ L173
  PUSH Kfcn.00E98A3C
  PUSH Kfcn.00467528
  CALL __vbaNew2
L173:
  MOV ESI,DWORD PTR DS:[E98A3C]
  LEA ECX,DWORD PTR SS:[EBP-30]
  PUSH ECX
  PUSH ESI
  MOV EAX,DWORD PTR DS:[ESI]
  CALL DWORD PTR DS:[EAX+14]
  TEST EAX,EAX
  JGE L186
  PUSH 14
  PUSH Kfcn.00467518
  PUSH ESI
  PUSH EAX
  CALL __vbaHresultCheckObj
L186:
  MOV EAX,DWORD PTR SS:[EBP-30]
  LEA ECX,DWORD PTR SS:[EBP-28]
  PUSH ECX
  PUSH EAX
  MOV EDX,DWORD PTR DS:[EAX]
  MOV ESI,EAX
  CALL DWORD PTR DS:[EDX+50]
  TEST EAX,EAX
  JGE L200
  PUSH 50
  PUSH Kfcn.00467538
  PUSH ESI
  PUSH EAX
  CALL __vbaHresultCheckObj
L200:
  MOV EDX,DWORD PTR SS:[EBP-28]
  PUSH EDX
  PUSH Kfcn.004934D0
  CALL __vbaStrCat                              ; same string as check 2
  MOV EDX,EAX
  LEA ECX,DWORD PTR SS:[EBP-2C]
  CALL EDI                                      ; __vbaStrMove: [EBP-2C] = the built string
  PUSH EAX                                      ; name
  PUSH 1
  PUSH -1
  PUSH 1
  CALL __vbaFileOpen                            ; Open <name> ...; the EOF/Input/Close calls below all use file #1
  LEA EAX,DWORD PTR SS:[EBP-2C]
  LEA ECX,DWORD PTR SS:[EBP-28]
  PUSH EAX
  PUSH ECX
  PUSH 2
  CALL EBX                                      ; __vbaFreeStrList(2, &[EBP-28], &[EBP-2C])
  ADD ESP,0C
  LEA ECX,DWORD PTR SS:[EBP-30]
  CALL __vbaFreeObj
  MOV #520                                      ; garbled: presumably MOV ESI,<&MSVBVM50.#520>; CALL ESI below takes (&dst variant, &src variant) — in MSVBVM60 listings this ordinal is usually annotated rtcTrimVar; confirm for MSVBVM50
  MOV __vbaFreeVarList                          ; garbled: presumably MOV EBX,<&__vbaFreeVarList> (CALL EBX below takes (2, &var, &var) + ADD ESP,0C, matching the explicit call in the cleanup stub)
  MOV DWORD PTR SS:[EBP-24],1                   ; loop counter = 1
L224:
  ; --- loop: read file #1 line by line, transform each line, compare with the argument ---
  PUSH 1
  CALL #571                                     ; (PUSH 1; CALL; TEST AX,AX) is the shape of an EOF(1) test — in MSVBVM60 this ordinal is annotated rtcEndOfFile; confirm for MSVBVM50
  TEST AX,AX
  JNZ L329                                      ; end of file -> close and exit with the result as it stands
  LEA EDX,DWORD PTR SS:[EBP-14]
  PUSH EDX                                      ; out: [EBP-14]
  PUSH 1                                        ; file #1
  PUSH Kfcn.00467554
  CALL __vbaInputFile                           ; Input #1, <[EBP-14]>
  MOV ECX,DWORD PTR SS:[EBP-14]
  ADD ESP,0C
  LEA EAX,DWORD PTR SS:[EBP-94]
  MOV DWORD PTR SS:[EBP-94],0
  PUSH EAX                                      ; &[EBP-94], zeroed just above (its role is not visible here)
  PUSH ECX                                      ; the line just read
  CALL Kfcn.00D01CD0                            ; in-module routine: string -> string in EAX (not shown in this listing)
  MOV DWORD PTR SS:[EBP-38],EAX                 ; variant [EBP-40] = that string as VT_BSTR
  LEA EDX,DWORD PTR SS:[EBP-40]
  LEA EAX,DWORD PTR SS:[EBP-50]
  PUSH EDX                                      ; src [EBP-40]
  PUSH EAX                                      ; dst [EBP-50]
  MOV DWORD PTR SS:[EBP-40],8
  CALL ESI                                      ; #520(&[EBP-50], &[EBP-40])
  LEA ECX,DWORD PTR SS:[EBP-50]
  PUSH ECX
  CALL __vbaStrVarMove                          ; variant [EBP-50] -> string in EAX
  MOV EDX,EAX
  LEA ECX,DWORD PTR SS:[EBP-1C]
  CALL EDI                                      ; __vbaStrMove: [EBP-1C] = transformed line
  LEA EDX,DWORD PTR SS:[EBP-50]
  LEA EAX,DWORD PTR SS:[EBP-40]
  PUSH EDX
  PUSH EAX
  PUSH 2
  CALL EBX                                      ; __vbaFreeVarList(2, &[EBP-40], &[EBP-50])
  ADD ESP,0C
  CMP WORD PTR DS:[E94078],0                    ; global 16-bit flag selects equality (below) vs. substring (L285) comparison
  JE L285
  MOV ECX,DWORD PTR SS:[EBP+8]                  ; the argument (pointer)
  LEA EAX,DWORD PTR SS:[EBP-1C]
  MOV DWORD PTR SS:[EBP-80],8008                ; variant [EBP-80].vt = 0x8008: low byte VT_BSTR; the 0x8000 bit is not a standard VARENUM value (meaning not determinable here)
  MOV DWORD PTR SS:[EBP-68],EAX                 ; variant [EBP-70].data = &[EBP-1C]
  MOV EDX,DWORD PTR DS:[ECX]
  LEA ECX,DWORD PTR SS:[EBP-70]
  MOV DWORD PTR SS:[EBP-78],EDX                 ; variant [EBP-80].data = *argument
  LEA EDX,DWORD PTR SS:[EBP-40]
  PUSH ECX                                      ; src [EBP-70]
  PUSH EDX                                      ; dst [EBP-40]
  MOV DWORD PTR SS:[EBP-70],4008                ; vt 0x4008 = VT_BYREF|VT_BSTR
  CALL ESI                                      ; #520 on the transformed line -> [EBP-40]
  LEA EAX,DWORD PTR SS:[EBP-80]
  LEA ECX,DWORD PTR SS:[EBP-40]
  PUSH EAX
  PUSH ECX
  CALL __vbaVarTstEq                            ; [EBP-40] = [EBP-80] ?
  LEA ECX,DWORD PTR SS:[EBP-40]
  MOV EDI,EAX                                   ; EDI temporarily holds the Boolean; reloaded with __vbaStrMove at L322
  CALL __vbaFreeVar
  TEST DI,DI
  JNZ L328                                      ; equal -> result = -1
  JMP L322                                      ; else next line
L285:
  MOV EDX,DWORD PTR SS:[EBP+8]
  LEA ECX,DWORD PTR SS:[EBP-1C]
  MOV DWORD PTR SS:[EBP-80],8                   ; variant [EBP-80]: plain VT_BSTR this time
  MOV DWORD PTR SS:[EBP-68],ECX
  MOV EAX,DWORD PTR DS:[EDX]
  LEA EDX,DWORD PTR SS:[EBP-70]
  MOV DWORD PTR SS:[EBP-78],EAX                 ; variant [EBP-80].data = *argument
  LEA EAX,DWORD PTR SS:[EBP-40]
  PUSH EDX
  PUSH EAX
  MOV DWORD PTR SS:[EBP-70],4008
  CALL ESI                                      ; #520 on the transformed line -> [EBP-40]
  LEA ECX,DWORD PTR SS:[EBP-80]
  PUSH 1                                        ; start = 1
  LEA EDX,DWORD PTR SS:[EBP-40]
  PUSH ECX
  PUSH EDX
  LEA EAX,DWORD PTR SS:[EBP-50]
  PUSH 0                                        ; compare mode 0
  PUSH EAX                                      ; result variant [EBP-50]
  MOV DWORD PTR SS:[EBP-88],0
  MOV DWORD PTR SS:[EBP-90],8002                ; variant [EBP-90]: vt 0x8002 (low byte VT_I2), value 0
  CALL __vbaInStrVar                            ; InStr(1, <[EBP-40]>, <[EBP-80]>, 0); which operand is the needle is not determinable here
  LEA ECX,DWORD PTR SS:[EBP-90]
  PUSH EAX                                      ; InStr result variant
  PUSH ECX                                      ; the constant 0
  CALL __vbaVarTstGt                            ; InStr result tested against 0
  MOV EDI,EAX                                   ; Boolean, as in the equality branch
  LEA EDX,DWORD PTR SS:[EBP-50]
  LEA EAX,DWORD PTR SS:[EBP-40]
  PUSH EDX
  PUSH EAX
  PUSH 2
  CALL EBX                                      ; __vbaFreeVarList(2, &[EBP-40], &[EBP-50])
  ADD ESP,0C
  TEST DI,DI
  JNZ L328                                      ; found -> result = -1
L322:
  MOV CX,WORD PTR SS:[EBP-24]                   ; 16-bit loop counter
  MOV __vbaStrMove                              ; garbled: presumably MOV EDI,<&__vbaStrMove> (EDI held the Boolean above; CALL EDI at the loop top needs StrMove again)
  ADD CX,1
  JO SHORT Kfcn.00D01A6A                        ; Integer overflow on the counter -> presumably the runtime overflow-error path
  MOV DWORD PTR SS:[EBP-24],ECX
  JMP L224                                      ; next line
L328:
  MOV DWORD PTR SS:[EBP-18],-1                  ; a line matched -> result = -1
L329:
  PUSH 1
  CALL __vbaFileClose                           ; Close #1
L331:
  PUSH Kfcn.00D01A53                            ; return address for the L352 cleanup
  JMP L352
  ; --- not reachable by fall-through (after an unconditional JMP): presumably the
  ;     error-handler cleanup reached through the SEH frame; frees the same locals ---
  LEA EDX,DWORD PTR SS:[EBP-2C]
  LEA EAX,DWORD PTR SS:[EBP-28]
  PUSH EDX
  PUSH EAX
  PUSH 2
  CALL __vbaFreeStrList                         ; (2, &[EBP-28], &[EBP-2C]) — same shape as the CALL EBX uses above
  ADD ESP,0C
  LEA ECX,DWORD PTR SS:[EBP-30]
  CALL __vbaFreeObj
  LEA ECX,DWORD PTR SS:[EBP-60]
  LEA EDX,DWORD PTR SS:[EBP-50]
  PUSH ECX
  LEA EAX,DWORD PTR SS:[EBP-40]
  PUSH EDX
  PUSH EAX
  PUSH 3
  CALL __vbaFreeVarList                         ; (3, &[EBP-40], &[EBP-50], &[EBP-60])
  ADD ESP,10
  RETN
L352:
  ; --- common exit cleanup; entered with a return address already pushed ---
  MOV __vbaFreeStr                              ; garbled: presumably MOV ESI,<&__vbaFreeStr> (CALL/JMP ESI below with ECX = string slot)
  LEA ECX,DWORD PTR SS:[EBP-14]
  CALL ESI                                      ; free the input line
  LEA ECX,DWORD PTR SS:[EBP-1C]
  JMP ESI                                       ; tail call: __vbaFreeStr's RET goes to the pushed address
  RETN                                          ; unreachable (after JMP)
  ; --- epilogue (presumably Kfcn.00D01A53, the address pushed before each JMP L352) ---
  MOV ECX,DWORD PTR SS:[EBP-10]                 ; previous SEH handler
  MOV AX,WORD PTR SS:[EBP-18]                   ; return value: 0 or -1
  POP EDI
  POP ESI
  MOV DWORD PTR FS:[0],ECX                      ; unlink the SEH frame
  POP EBX
  MOV ESP,EBP
  POP EBP
  RETN 4                                        ; stdcall: pops the one 4-byte argument


函数返回后用 test ax,ax 测试结果。我看了一天完全看不懂这段代码——大学里面学的一点汇编知识完全忘了,手里拿本汇编教程也完全看不懂在说什么。
不知道诸位大虾有没有人对于加密算法比较熟悉,能看懂这段代码的,大致帮我分析一下。

最新回复 (2)
代码太繁琐了,我也看不懂,爆破算了~~
2011-11-21 15:51
一共10个程序,都是加密的……爆破也可以,就是比较麻烦,要一个个的弄
2011-11-21 17:02