菜鸟分析一个VB 的crackme,已经被别人破解过得到注册码但是采用的是穷举过程别没有对其算法进行分析,今天来对这个程序的算法进行一下分析。
首先我们运行这个程序会在界面上发现有Calculating ,ACCESS GRANTED ACCESS DENIED 的字符串,在我们查看这些字符串的时候并没有发现有明码在内存中,但是发现7个这样的UNICODE数字
004020AC 31 db 31 ; CHAR '1'
004020AD 00 db 00 unicode 164
004020AE 36 db 36 ; CHAR '6'
004020AF 00 db 00
004020B0 34 db 34 ; CHAR '4'
004020B1 00 db 00
004020B2 00 db 00
004020B3 00 db 00
004020B4 04 db 04
004020B5 00 db 00
004020B6 00 db 00
004020B7 00 db 00
004020B8 33 db 33 ; CHAR '3'
004020B9 00 db 00 unicode 39
004020BA 39 db 39 ; CHAR '9'
004020BB 00 db 00
004020BC 00 db 00
004020BD 00 db 00
004020BE 00 db 00
004020BF 00 db 00
004020C0 06 db 06
004020C1 00 db 00
004020C2 00 db 00
004020C3 00 db 00
004020C4 35 db 35 ; CHAR '5'
004020C5 00 db 00 unicode 512
004020C6 31 db 31 ; CHAR '1'
004020C7 00 db 00
004020C8 32 db 32 ; CHAR '2'
004020C9 00 db 00
004020CA 00 db 00
004020CB 00 db 00
004020CC 04 db 04
004020CD 00 db 00
004020CE 00 db 00
004020CF 00 db 00
004020D0 34 db 34 ; CHAR '4'
004020D1 00 db 00 unicode 40
004020D2 30 db 30 ; CHAR '0'
004020D3 00 db 00
004020D4 00 db 00
004020D5 00 db 00
004020D6 00 db 00
004020D7 00 db 00
004020D8 06 db 06
004020D9 00 db 00
004020DA 00 db 00
004020DB 00 db 00
004020DC 36 db 36 ; CHAR '6'
004020DD 00 db 00 unicode 696
004020DE 39 db 39 ; CHAR '9'
004020DF 00 db 00
004020E0 36 db 36 ; CHAR '6'
004020E1 00 db 00
004020E2 00 db 00
004020E3 00 db 00
004020E4 06 db 06
004020E5 00 db 00
004020E6 00 db 00
004020E7 00 db 00
004020E8 37 db 37 ; CHAR '7'
004020E9 00 db 00 unicode 756
004020EA 35 db 35 ; CHAR '5'
004020EB 00 db 00
004020EC 36 db 36 ; CHAR '6'
004020ED 00 db 00
004020EE 00 db 00
004020EF 00 db 00
004020F0 06 db 06
004020F1 00 db 00
004020F2 00 db 00
004020F3 00 db 00
004020F4 32 db 32 ; CHAR '2'
004020F5 00 db 00 unicode 296
004020F6 39 db 39 ; CHAR '9'
004020F7 00 db 00
004020F8 36 db 36 ; CHAR '6'
004020F9 00 db 00
004020FA 00 db 00
继续跟踪代码我们会发现有这样的代码
00402469 . FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBstr>] ; MSVBVM60.__vbaLenBstr
0040246F . 33C9 xor ecx,ecx
00402471 . 83F8 07 cmp eax,7
00402474 . 0F94C1 sete cl
这时候我们就会猜测可能是7位密码,并且可能与以上的7个unicode 数字有关
我继续跟踪发现开始比较
00402973 . 0FBF45 D8 movsx eax,word ptr ss:[ebp-28]
00402977 . 8985 0CFFFFFF mov dword ptr ss:[ebp-F4],eax
0040297D . 68 AC204000 push Login2.004020AC ; UNICODE "164"
00402982 . DB85 0CFFFFFF fild dword ptr ss:[ebp-F4]
00402988 . DD9D 04FFFFFF fstp qword ptr ss:[ebp-FC]
0040298E . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00402994 . DC9D 04FFFFFF fcomp qword ptr ss:[ebp-FC] 在这开始比较
这就说明程序已经对我们输入的密码处理完了,00402973 . 0FBF45 D8 movsx eax,word ptr ss:[ebp-28]
所以我们要跟踪ss:[ebp-28]究竟是什么时候写入的,我们在信息窗口得到的地址是0012f474,于是我们在数据窗口下内存写入断点。第一处并不是我们想要的地方,继续走会在第二处断下代码如下:
004028BB . 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004028BE . BA A0204000 mov edx,Login2.004020A0 ; UNICODE "no"
004028C3 . 66:05 0A00 add ax,0A
004028C7 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004028CA . 0F80 47060000 jo Login2.00402F17
004028D0 . 66:6BC0 02 imul ax,ax,2
004028D4 . 0F80 3D060000 jo Login2.00402F17
004028DA . 66:83C3 09 add bx,9
004028DE . 8945 D8 mov dword ptr ss:[ebp-28],eax
004028E1 . 0F80 30060000 jo Login2.00402F17
004028E7 . 66:6BDB 03 imul bx,bx,3
004028EB . 8B45 D0 mov eax,dword ptr ss:[ebp-30]
004028EE . 0F80 23060000 jo Login2.00402F17
004028F4 . 66:05 0800 add ax,8
004028F8 . 0F80 19060000 jo Login2.00402F17
004028FE . 66:6BC0 04 imul ax,ax,4
00402902 . 0F80 0F060000 jo Login2.00402F17
00402908 . 66:83C6 07 add si,7
0040290C . 8945 D0 mov dword ptr ss:[ebp-30],eax
0040290F . 0F80 02060000 jo Login2.00402F17
00402915 . 66:6BF6 05 imul si,si,5
00402919 . 8B45 C8 mov eax,dword ptr ss:[ebp-38]
0040291C . 0F80 F5050000 jo Login2.00402F17
00402922 . 66:05 0600 add ax,6
00402926 . 0F80 EB050000 jo Login2.00402F17
0040292C . 66:6BC0 06 imul ax,ax,6
00402930 . 0F80 E1050000 jo Login2.00402F17
00402936 . 8945 C8 mov dword ptr ss:[ebp-38],eax
00402939 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0040293C . 66:05 0500 add ax,5
00402940 . 0F80 D1050000 jo Login2.00402F17
00402946 . 66:6BC0 07 imul ax,ax,7
0040294A . 0F80 C7050000 jo Login2.00402F17
00402950 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00402953 . 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00402956 . 66:05 0400 add ax,4
0040295A . 0F80 B7050000 jo Login2.00402F17
00402960 . 66:6BC0 08 imul ax,ax,8
00402964 . 0F80 AD050000 jo Login2.00402F17
0040296A . 8945 C0 mov dword ptr ss:[ebp-40],eax
0040296D . FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
00402973 . 0FBF45 D8 movsx eax,word ptr ss:[ebp-28]
00402977 . 8985 0CFFFFFF mov dword ptr ss:[ebp-F4],eax
0040297D . 68 AC204000 push Login2.004020AC ; UNICODE "164"
00402982 . DB85 0CFFFFFF fild dword ptr ss:[ebp-F4]
00402988 . DD9D 04FFFFFF fstp qword ptr ss:[ebp-FC]
0040298E . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00402994 . DC9D 04FFFFFF fcomp qword ptr ss:[ebp-FC]
0040299A . DFE0 fstsw ax
0040299C . F6C4 40 test ah,40
0040299F 0F84 2C010000 je Login2.00402AD1
004029A5 . 0FBFCB movsx ecx,bx
004029A8 . 898D 00FFFFFF mov dword ptr ss:[ebp-100],ecx
004029AE . 68 B8204000 push Login2.004020B8 ; UNICODE "39"
004029B3 . DB85 00FFFFFF fild dword ptr ss:[ebp-100]
004029B9 . DD9D F8FEFFFF fstp qword ptr ss:[ebp-108]
004029BF . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
004029C5 . DC9D F8FEFFFF fcomp qword ptr ss:[ebp-108]
004029CB . DFE0 fstsw ax
004029CD . F6C4 40 test ah,40
004029D0 0F84 FB000000 je Login2.00402AD1
004029D6 . 0FBF55 D0 movsx edx,word ptr ss:[ebp-30]
004029DA . 8995 F4FEFFFF mov dword ptr ss:[ebp-10C],edx
004029E0 . 68 C4204000 push Login2.004020C4 ; UNICODE "512"
004029E5 . DB85 F4FEFFFF fild dword ptr ss:[ebp-10C]
004029EB . DD9D ECFEFFFF fstp qword ptr ss:[ebp-114]
004029F1 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
004029F7 . DC9D ECFEFFFF fcomp qword ptr ss:[ebp-114]
004029FD . DFE0 fstsw ax
004029FF . F6C4 40 test ah,40
00402A02 0F84 C9000000 je Login2.00402AD1
00402A08 . 0FBFC6 movsx eax,si
00402A0B . 8985 E8FEFFFF mov dword ptr ss:[ebp-118],eax
00402A11 . 68 D0204000 push Login2.004020D0 ; UNICODE "40"
00402A16 . DB85 E8FEFFFF fild dword ptr ss:[ebp-118]
00402A1C . DD9D E0FEFFFF fstp qword ptr ss:[ebp-120]
00402A22 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00402A28 . DC9D E0FEFFFF fcomp qword ptr ss:[ebp-120]
00402A2E . DFE0 fstsw ax
00402A30 . F6C4 40 test ah,40
00402A33 0F84 98000000 je Login2.00402AD1
00402A39 . 0FBF4D C8 movsx ecx,word ptr ss:[ebp-38]
00402A3D . 898D DCFEFFFF mov dword ptr ss:[ebp-124],ecx
00402A43 . 68 DC204000 push Login2.004020DC ; UNICODE "696"
00402A48 . DB85 DCFEFFFF fild dword ptr ss:[ebp-124]
00402A4E . DD9D D4FEFFFF fstp qword ptr ss:[ebp-12C]
00402A54 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00402A5A . DC9D D4FEFFFF fcomp qword ptr ss:[ebp-12C]
00402A60 . DFE0 fstsw ax
00402A62 . F6C4 40 test ah,40
00402A65 74 6A je short Login2.00402AD1
00402A67 . 0FBF55 C4 movsx edx,word ptr ss:[ebp-3C]
00402A6B . 8995 D0FEFFFF mov dword ptr ss:[ebp-130],edx
00402A71 . 68 E8204000 push Login2.004020E8 ; UNICODE "756"
00402A76 . DB85 D0FEFFFF fild dword ptr ss:[ebp-130]
00402A7C . DD9D C8FEFFFF fstp qword ptr ss:[ebp-138]
00402A82 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00402A88 . DC9D C8FEFFFF fcomp qword ptr ss:[ebp-138]
00402A8E . DFE0 fstsw ax
00402A90 . F6C4 40 test ah,40
00402A93 74 3C je short Login2.00402AD1
00402A95 . 0FBF45 C0 movsx eax,word ptr ss:[ebp-40]
00402A99 . 8985 C4FEFFFF mov dword ptr ss:[ebp-13C],eax
00402A9F . 68 F4204000 push Login2.004020F4 ; UNICODE "296"
00402AA4 . DB85 C4FEFFFF fild dword ptr ss:[ebp-13C]
00402AAA . DD9D BCFEFFFF fstp qword ptr ss:[ebp-144]
00402AB0 . FF15 8C104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
00402AB6 . DC9D BCFEFFFF fcomp qword ptr ss:[ebp-144]
00402ABC . DFE0 fstsw ax
00402ABE . F6C4 40 test ah,40
00402AC1 74 0E je short Login2.00402AD1
00402AC3 . BA 00214000 mov edx,Login2.00402100 ; UNICODE "yes"
这段代码就是对我们输入的密码所做处理的算法,显然同样用了7个IMUL,对应7个unicode 数字,先来看看第一个IMUL
8B45 D8 mov eax,dword ptr ss:[ebp-28]
004028BE . BA A0204000 mov edx,Login2.004020A0 ; UNICODE "no"
004028C3 . 66:05 0A00 add ax,0A
004028C7 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004028CA . 0F80 47060000 jo Login2.00402F17
004028D0 . 66:6BC0 02 imul ax,ax,2
因为我输入的密码是2222222,所以获取到的是0x32,先加上0A在乘上2,就等于0x78,所以到比较的时候内存中就会显示00000078,但是我现在要匹配的是unicode 164 ,十六进制就是0xA4,经过以上算法的逆运算就是0x48,就是大写字母H,同理按照7个不同的IMUL进行逆运算就会得到密码H4x1ng!
分析不对不清楚的地方,请各位大侠谅解。
[峰会]看雪.第八届安全开发者峰会10月23日上海龙之梦大酒店举办!
