【文章标题】: Magenta's Crackme的算法分析
【文章作者】: Wucheng
【保护方式】: name,serial
【编写语言】: vb
【使用工具】: OD,计算器
【操作平台】: winxp
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
通过字符串参考下断后,输入 name:Wucheng、serial:790824(假码)
00402532 . FF15 64414000 call [<&MSVBVM50.__vbaLenVar>] ; EAX返回name长度
00402538 . 50 push eax ; 终值为name长度
00402539 . 8D95 C0FEFFFF lea edx, [ebp-140]
0040253F . 8D85 60FEFFFF lea eax, [ebp-1A0]
00402545 . 52 push edx ; 初值为1
00402546 . 8D8D 70FEFFFF lea ecx, [ebp-190]
0040254C . 50 push eax
0040254D . 8D55 DC lea edx, [ebp-24]
00402550 . 51 push ecx
00402551 . 52 push edx
00402552 . FF15 6C414000 call [<&MSVBVM50.__vbaVarForInit>] ; MSVBVM50.__vbaVarForInit
00402558 . 8B1D 4C414000 mov ebx, [<&MSVBVM50.__vbaFreeVarLis>; MSVBVM50.__vbaFreeVarList
0040255E > 85C0 test eax, eax ; 循环结束没?
00402560 . 0F84 8D020000 je 004027F3 ; 结束,跳
00402566 . 8D85 10FFFFFF lea eax, [ebp-F0]
0040256C . 8D4D DC lea ecx, [ebp-24]
0040256F . 50 push eax
00402570 . 51 push ecx
00402571 . C785 18FFFFFF>mov dword ptr [ebp-E8], 1
0040257B . 89BD 10FFFFFF mov [ebp-F0], edi
00402581 . FF15 FC414000 call [<&MSVBVM50.__vbaI4Var>] ; MSVBVM50.__vbaI4Var
00402587 . 50 push eax
00402588 . 8D55 BC lea edx, [ebp-44]
0040258B . 8D85 00FFFFFF lea eax, [ebp-100]
00402591 . 52 push edx
00402592 . 50 push eax
00402593 . FF15 9C414000 call [<&MSVBVM50.#632>] ; 依次取name的每个字符
00402599 . 8D95 00FFFFFF lea edx, [ebp-100]
0040259F . 8D4D CC lea ecx, [ebp-34]
004025A2 . FFD6 call esi
004025A4 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
004025AA . FF15 44414000 call [<&MSVBVM50.__vbaFreeVar>] ; MSVBVM50.__vbaFreeVar
004025B0 . B8 01000000 mov eax, 1 ; 1入EAX
004025B5 . 8D8D 00FFFFFF lea ecx, [ebp-100]
004025BB . 8985 08FFFFFF mov [ebp-F8], eax
004025C1 . 8985 D8FEFFFF mov [ebp-128], eax
004025C7 . 8D55 DC lea edx, [ebp-24]
004025CA . 51 push ecx
004025CB . 8D85 D0FEFFFF lea eax, [ebp-130]
004025D1 . 52 push edx
004025D2 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
004025D8 . 50 push eax
004025D9 . 51 push ecx
004025DA . 89BD 00FFFFFF mov [ebp-100], edi
004025E0 . 89BD D0FEFFFF mov [ebp-130], edi
004025E6 . FF15 04424000 call [<&MSVBVM50.__vbaVarAdd>] ; 循环次数+1
004025EC . 50 push eax
004025ED . FF15 FC414000 call [<&MSVBVM50.__vbaI4Var>] ; MSVBVM50.__vbaI4Var
004025F3 . 50 push eax
004025F4 . 8D55 BC lea edx, [ebp-44]
004025F7 . 8D85 F0FEFFFF lea eax, [ebp-110]
004025FD . 52 push edx
004025FE . 50 push eax
004025FF . FF15 9C414000 call [<&MSVBVM50.#632>] ; 取name的下一个字符
00402605 . 8D95 F0FEFFFF lea edx, [ebp-110]
0040260B . 8D4D AC lea ecx, [ebp-54]
0040260E . FFD6 call esi
00402610 . 8D8D 00FFFFFF lea ecx, [ebp-100]
00402616 . 8D95 10FFFFFF lea edx, [ebp-F0]
0040261C . 51 push ecx
0040261D . 52 push edx
0040261E . 57 push edi
0040261F . FFD3 call ebx
00402621 . 83C4 0C add esp, 0C
00402624 . 8D45 AC lea eax, [ebp-54]
00402627 . 8D8D D0FEFFFF lea ecx, [ebp-130]
0040262D . C785 D8FEFFFF>mov dword ptr [ebp-128], 00401D24
00402637 . 50 push eax
00402638 . 51 push ecx
00402639 . C785 D0FEFFFF>mov dword ptr [ebp-130], 8008
00402643 . FF15 A8414000 call [<&MSVBVM50.__vbaVarTstEq>] ; 测试下一个字符是否为空
00402649 . 66:85C0 test ax, ax
0040264C . 74 41 je short 0040268F ; 不空,跳
0040264E . 8D95 10FFFFFF lea edx, [ebp-F0]
00402654 . 8D45 BC lea eax, [ebp-44]
00402657 . 52 push edx
00402658 . 6A 01 push 1
0040265A . 8D8D 00FFFFFF lea ecx, [ebp-100]
00402660 . 50 push eax
00402661 . 51 push ecx
00402662 . C785 18FFFFFF>mov dword ptr [ebp-E8], 1
0040266C . 89BD 10FFFFFF mov [ebp-F0], edi
00402672 . FF15 9C414000 call [<&MSVBVM50.#632>] ; 取name的第1个字符
00402678 . 8D95 00FFFFFF lea edx, [ebp-100]
0040267E . 8D4D AC lea ecx, [ebp-54]
00402681 . FFD6 call esi
00402683 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
00402689 . FF15 44414000 call [<&MSVBVM50.__vbaFreeVar>] ; MSVBVM50.__vbaFreeVar
0040268F > 8D55 CC lea edx, [ebp-34]
00402692 . 8D85 28FFFFFF lea eax, [ebp-D8]
00402698 . 52 push edx
00402699 . 50 push eax
0040269A . FF15 D0414000 call [<&MSVBVM50.__vbaStrVarVal>] ; MSVBVM50.__vbaStrVarVal
004026A0 . 50 push eax
004026A1 . FF15 58414000 call [<&MSVBVM50.#516>] ; EAX返回第1次取得的字符
004026A7 . 8D95 D0FEFFFF lea edx, [ebp-130]
004026AD . 8D8D 5CFFFFFF lea ecx, [ebp-A4]
004026B3 . 66:8985 D8FEF>mov [ebp-128], ax
004026BA . 89BD D0FEFFFF mov [ebp-130], edi
004026C0 . FFD6 call esi
004026C2 . 8D8D 28FFFFFF lea ecx, [ebp-D8]
004026C8 . FF15 2C424000 call [<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
004026CE . 8D4D AC lea ecx, [ebp-54]
004026D1 . 8D95 28FFFFFF lea edx, [ebp-D8]
004026D7 . 51 push ecx
004026D8 . 52 push edx
004026D9 . FF15 D0414000 call [<&MSVBVM50.__vbaStrVarVal>] ; MSVBVM50.__vbaStrVarVal
004026DF . 50 push eax
004026E0 . FF15 58414000 call [<&MSVBVM50.#516>] ; EAX返回第2次取得的字符
004026E6 . 8D95 D0FEFFFF lea edx, [ebp-130]
004026EC . 8D8D 4CFFFFFF lea ecx, [ebp-B4]
004026F2 . 66:8985 D8FEF>mov [ebp-128], ax
004026F9 . 89BD D0FEFFFF mov [ebp-130], edi
004026FF . FFD6 call esi
00402701 . 8D8D 28FFFFFF lea ecx, [ebp-D8]
00402707 . FF15 2C424000 call [<&MSVBVM50.__vbaFreeStr>] ; MSVBVM50.__vbaFreeStr
0040270D . 8D85 5CFFFFFF lea eax, [ebp-A4]
00402713 . 8D8D 4CFFFFFF lea ecx, [ebp-B4]
00402719 . 50 push eax
0040271A . 51 push ecx
0040271B . FF15 30414000 call [<&MSVBVM50.__vbaVarTstGt>] ; 第2次取得的字符是否大于第1次取得的字符
00402721 . 66:85C0 test ax, ax
00402724 . 74 2A je short 00402750 ; 大于,跳
00402726 . 8D95 5CFFFFFF lea edx, [ebp-A4]
0040272C . 8D85 4CFFFFFF lea eax, [ebp-B4]
00402732 . 52 push edx
00402733 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
00402739 . 50 push eax
0040273A . 51 push ecx
0040273B . FF15 34414000 call [<&MSVBVM50.__vbaVarSub>] ; MSVBVM50.__vbaVarSub
00402741 . 8BD0 mov edx, eax
00402743 . 8D8D 7CFFFFFF lea ecx, [ebp-84]
00402749 . FFD6 call esi
0040274B . E9 86000000 jmp 004027D6
00402750 > 8D95 4CFFFFFF lea edx, [ebp-B4]
00402756 . 8D85 5CFFFFFF lea eax, [ebp-A4]
0040275C . 52 push edx
0040275D . 8D8D 10FFFFFF lea ecx, [ebp-F0]
00402763 . 50 push eax
00402764 . 51 push ecx
00402765 . FF15 34414000 call [<&MSVBVM50.__vbaVarSub>] ; 第2次取得的字符减第1次取得的字符
0040276B . 8BD0 mov edx, eax
0040276D . 8D8D 7CFFFFFF lea ecx, [ebp-84]
00402773 . FFD6 call esi
00402775 . 8D95 7CFFFFFF lea edx, [ebp-84]
0040277B . 8D85 10FFFFFF lea eax, [ebp-F0]
00402781 . 52 push edx
00402782 . 50 push eax
00402783 . FF15 0C424000 call [<&MSVBVM50.#613>] ; 把减得结果转换成十进制的字符串
00402789 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
0040278F . 8D95 00FFFFFF lea edx, [ebp-100]
00402795 . 51 push ecx
00402796 . 52 push edx
00402797 . FF15 8C414000 call [<&MSVBVM50.#522>] ; 去掉首部空格
0040279D . 8D85 6CFFFFFF lea eax, [ebp-94]
004027A3 . 8D8D 00FFFFFF lea ecx, [ebp-100]
004027A9 . 50 push eax
004027AA . 8D95 F0FEFFFF lea edx, [ebp-110]
004027B0 . 51 push ecx
004027B1 . 52 push edx
004027B2 . FF15 04424000 call [<&MSVBVM50.__vbaVarAdd>] ; 连接字符串
004027B8 . 8BD0 mov edx, eax
004027BA . 8D8D 6CFFFFFF lea ecx, [ebp-94]
004027C0 . FFD6 call esi
004027C2 . 8D85 00FFFFFF lea eax, [ebp-100]
004027C8 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
004027CE . 50 push eax
004027CF . 51 push ecx
004027D0 . 57 push edi
004027D1 . FFD3 call ebx
004027D3 . 83C4 0C add esp, 0C
004027D6 > 8D95 60FEFFFF lea edx, [ebp-1A0]
004027DC . 8D85 70FEFFFF lea eax, [ebp-190]
004027E2 . 52 push edx
004027E3 . 8D4D DC lea ecx, [ebp-24]
004027E6 . 50 push eax
004027E7 . 51 push ecx
004027E8 . FF15 20424000 call [<&MSVBVM50.__vbaVarForNext>] ; MSVBVM50.__vbaVarForNext
004027EE .^ E9 6BFDFFFF jmp 0040255E ; 循环
004027F3 > 8D55 9C lea edx, [ebp-64]
004027F6 . 8D85 24FFFFFF lea eax, [ebp-DC]
004027FC . 52 push edx
004027FD . 50 push eax
004027FE . FF15 D0414000 call [<&MSVBVM50.__vbaStrVarVal>] ; MSVBVM50.__vbaStrVarVal
00402804 . 50 push eax ; 假码入栈
00402805 . FF15 30424000 call [<&MSVBVM50.#581>] ; 转成浮点数
0040280B . DD9D 88FEFFFF fstp qword ptr [ebp-178]
00402811 . 8D8D 6CFFFFFF lea ecx, [ebp-94]
00402817 . 8D95 28FFFFFF lea edx, [ebp-D8]
0040281D . 51 push ecx
0040281E . 52 push edx
0040281F . FF15 D0414000 call [<&MSVBVM50.__vbaStrVarVal>] ; MSVBVM50.__vbaStrVarVal
00402825 . 50 push eax ; 真码入栈
00402826 . FF15 30424000 call [<&MSVBVM50.#581>] ; 转成浮点数
0040282C . DCA5 88FEFFFF fsub qword ptr [ebp-178] ; 真码-假码,结果记为A
00402832 . 8D95 D0FEFFFF lea edx, [ebp-130]
00402838 . 8D8D 2CFFFFFF lea ecx, [ebp-D4]
0040283E . C785 D0FEFFFF>mov dword ptr [ebp-130], 5
00402848 . DD9D D8FEFFFF fstp qword ptr [ebp-128]
0040284E . DFE0 fstsw ax
00402850 . A8 0D test al, 0D
00402852 . 0F85 99040000 jnz 00402CF1
00402858 . FFD6 call esi
0040285A . 8D85 24FFFFFF lea eax, [ebp-DC]
00402860 . 8D8D 28FFFFFF lea ecx, [ebp-D8]
00402866 . 50 push eax
00402867 . 51 push ecx
00402868 . 57 push edi
00402869 . FF15 EC414000 call [<&MSVBVM50.__vbaFreeStrList>] ; MSVBVM50.__vbaFreeStrList
0040286F . 83C4 0C add esp, 0C
00402872 . 8D95 2CFFFFFF lea edx, [ebp-D4]
00402878 . 8D85 D0FEFFFF lea eax, [ebp-130]
0040287E . C785 D8FEFFFF>mov dword ptr [ebp-128], 0
00402888 . 52 push edx ; A入栈
00402889 . 50 push eax ; 0入栈
0040288A . C785 D0FEFFFF>mov dword ptr [ebp-130], 8002
00402894 . FF15 A8414000 call [<&MSVBVM50.__vbaVarTstEq>] ; 比较A与0是否相等
0040289A . 66:85C0 test ax, ax
0040289D . B8 04000280 mov eax, 80020004
004028A2 . B9 0A000000 mov ecx, 0A
004028A7 . 8985 E8FEFFFF mov [ebp-118], eax
004028AD . 898D E0FEFFFF mov [ebp-120], ecx
004028B3 . 8985 F8FEFFFF mov [ebp-108], eax
004028B9 . 898D F0FEFFFF mov [ebp-110], ecx
004028BF . 0F84 4A020000 je 00402B0F ; 相等则成功,不跳;否则,完蛋
004028C5 . 8B3D 08424000 mov edi, [<&MSVBVM50.__vbaVarDup>] ; MSVBVM50.__vbaVarDup
004028CB . 8D95 C0FEFFFF lea edx, [ebp-140]
004028D1 . 8D8D 00FFFFFF lea ecx, [ebp-100]
004028D7 . C785 C8FEFFFF>mov dword ptr [ebp-138], 00401DB8 ; UNICODE "Congratulations"
004028E1 . C785 C0FEFFFF>mov dword ptr [ebp-140], 8
004028EB . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
004028ED . 8D95 D0FEFFFF lea edx, [ebp-130]
004028F3 . 8D8D 10FFFFFF lea ecx, [ebp-F0]
004028F9 . C785 D8FEFFFF>mov dword ptr [ebp-128], 00401D88 ; UNICODE "Job done, good work!"
算法小结:
1、设N为循环变量(从1开始),取name的第N个字符和第N+1个字符;如果第N+1个字符为空(已到末尾),则改取第1个字符;
2、如果第N+1个字符大于第N个字符,则用第N+1个字符减去第N个字符,并把差转换成十进制字符串;
3、重复第1步,直到循环结束。
4、连接第2步得到的字符串则得到正确的serial。
此算法有个小漏洞:如果name只输入一个字符,或者输入的几个字符全部相同,则serial为0
如 name:Wucheng
serial:3059
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年10月19日 下午 08:30:42