先说一下总结:这个crackme,有一个小坑,并且它的判断循环特别的长。
首先我们先说说这个坑:
004036DC . 50 push eax ; /String = " 3"
004036DD . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaLenBs>; 求长度
004036E3 . 33C9 xor ecx,ecx
004036E5 . 83F8 09 cmp eax,0x9
004036E8 . 0f95c1 setne cl ; if eax=9 then cl=0;if eax<>9 then cl=1
004036EB . F7D9 neg ecx ; ecx求补后存入ecx中:cl=0,求补后还为0;cl=1,求补为-1,用FFFFFFFF表示
004036ED . 8BF1 mov esi,ecx
004036EF . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
004036F2 . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004036F8 . 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004036FB . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
00403701 . 66:3BF3 cmp si,bx
00403704 . 0F85 1A030000 jnz bjanes_1.00403A24 ; 跳失败
这一段代码主要的是会将我们输入的码求长度和9比较,不同的话就跳转失败。
00403783 . 66:394D E8 cmp word ptr ss:[ebp-0x18],cx ; 1和码长度比较,1>9跳成功
00403787 . 0F8F 17030000 jg bjanes_1.00403AA4 ; 跳成功
而这一段则是1和码的长度比较,如果码的长度小于1,则跳成功。
这两段完全相反意思的代码,容易让我们以为这道题只能通过爆破。
但是,这道题是可以破解注册机的。
我们输入一个长度为9的假码,运行后,我们可以看到因为跳转失败,所以会执行下面的大循环。
我们继续向下,来到检查真码的循环:
0040377C > /66:8B8D 14FFF>mov cx,word ptr ss:[ebp-0xEC]
00403783 . |66:394D E8 cmp word ptr ss:[ebp-0x18],cx ; 1和码长度比较,1>9跳成功
00403787 . |0F8F 17030000 jg bjanes_1.00403AA4 ; 跳成功
0040378D . |8B17 mov edx,dword ptr ds:[edi]
0040378F . |57 push edi
00403790 . |FF92 08030000 call dword ptr ds:[edx+0x308]
00403796 . |50 push eax
00403797 . |8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
0040379A . |50 push eax
0040379B . |FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet
004037A1 . |8BD8 mov ebx,eax
004037A3 . |8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004037A6 . |52 push edx
004037A7 . |53 push ebx ; msvbvm60.rtcStrFromVar
004037A8 . |8B0B mov ecx,dword ptr ds:[ebx]
004037AA . |FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004037B0 . |85C0 test eax,eax
004037B2 . |DBE2 fclex
004037B4 . |7D 12 jge short bjanes_1.004037C8
004037B6 . |68 A0000000 push 0xA0
004037BB . |68 44224000 push bjanes_1.00402244
004037C0 . |53 push ebx ; msvbvm60.rtcStrFromVar
004037C1 . |50 push eax
004037C2 . |FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
004037C8 > |8B07 mov eax,dword ptr ds:[edi]
004037CA . |57 push edi
004037CB . |FF90 08030000 call dword ptr ds:[eax+0x308]
004037D1 . |8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004037D4 . |50 push eax
004037D5 . |51 push ecx
004037D6 . |FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet
004037DC . |8BF8 mov edi,eax
004037DE . |8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004037E1 . |50 push eax
004037E2 . |57 push edi
004037E3 . |8B17 mov edx,dword ptr ds:[edi]
004037E5 . |FF92 A0000000 call dword ptr ds:[edx+0xA0]
004037EB . |85C0 test eax,eax
004037ED . |DBE2 fclex
004037EF . |7D 12 jge short bjanes_1.00403803
004037F1 . |68 A0000000 push 0xA0
004037F6 . |68 44224000 push bjanes_1.00402244
004037FB . |57 push edi
004037FC . |50 push eax
004037FD . |FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00403803 > |0FBF7D E8 movsx edi,word ptr ss:[ebp-0x18]
00403807 . |8B55 DC mov edx,dword ptr ss:[ebp-0x24]
0040380A . |B9 01000000 mov ecx,0x1
0040380F . |894D C8 mov dword ptr ss:[ebp-0x38],ecx ; ascii码
00403812 . |894D B8 mov dword ptr ss:[ebp-0x48],ecx
00403815 . |8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
00403818 . |B8 02000000 mov eax,0x2
0040381D . |51 push ecx
0040381E . |57 push edi
0040381F . |52 push edx
00403820 . |8945 C0 mov dword ptr ss:[ebp-0x40],eax
00403823 . |8945 B0 mov dword ptr ss:[ebp-0x50],eax
00403826 . |FF15 44104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; msvbvm60.rtcMidCharBstr
0040382C . |8BD0 mov edx,eax
0040382E . |8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00403831 . |FFD6 call esi ; msvbvm60.__vbaStrMove
00403833 . |50 push eax ; /String = " "
00403834 . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>;
tcAnsiValueBstr
0040383A . |8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040383D . |33DB xor ebx,ebx ; msvbvm60.rtcStrFromVar
0040383F . |66:3D 3900 cmp ax,0x39 ;
00403843 . |8D45 C0 lea eax,dword ptr ss:[ebp-0x40]
00403846 . |50 push eax
00403847 . |57 push edi
00403848 . |0f9fc3 setg bl
0040384B . |51 push ecx
0040384C . |F7DB neg ebx ; msvbvm60.rtcStrFromVar
0040384E . |FF15 44104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; msvbvm60.rtcMidCharBstr
00403854 . |8BD0 mov edx,eax
00403856 . |8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00403859 . |FFD6 call esi ; msvbvm60.__vbaStrMove
0040385B . |50 push eax ; /String = " "
0040385C . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>;
tcAnsiValueBstr
00403862 . |33D2 xor edx,edx
00403864 . |66:3D 3000 cmp ax,0x30
00403868 . |0f9cc2 setl dl
0040386B . |F7DA neg edx
0040386D . |8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
00403870 . |23DA and ebx,edx
00403872 . |8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
00403875 . |50 push eax
00403876 . |8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
00403879 . |51 push ecx
0040387A . |8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0040387D . |52 push edx
0040387E . |50 push eax
0040387F . |6A 04 push 0x4
00403881 . |FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList
00403887 . |8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
0040388A . |8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
0040388D . |51 push ecx
0040388E . |52 push edx
0040388F . |6A 02 push 0x2
00403891 . |FF15 18104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
00403897 . |8D45 B0 lea eax,dword ptr ss:[ebp-0x50]
0040389A . |8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
0040389D . |50 push eax
0040389E . |51 push ecx
0040389F . |6A 02 push 0x2
004038A1 . |FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
004038A7 . |83C4 2C add esp,0x2C
004038AA . |66:85DB test bx,bx
004038AD . |0F85 6F010000 jnz bjanes_1.00403A22 ; If var_2C <> 0 Then GoTo loc_00403A22
004038B3 . |8B45 08 mov eax,dword ptr ss:[ebp+0x8]
004038B6 . |50 push eax
004038B7 . |8B10 mov edx,dword ptr ds:[eax]
004038B9 . |FF92 08030000 call dword ptr ds:[edx+0x308]
004038BF . |50 push eax
004038C0 . |8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
004038C3 . |50 push eax
004038C4 . |FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; msvbvm60.__vbaObjSet
004038CA . |8BD8 mov ebx,eax
004038CC . |8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004038CF . |52 push edx
004038D0 . |53 push ebx ; msvbvm60.rtcStrFromVar
004038D1 . |8B0B mov ecx,dword ptr ds:[ebx]
004038D3 . |FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004038D9 . |85C0 test eax,eax
004038DB . |DBE2 fclex
004038DD . |7D 12 jge short bjanes_1.004038F1
004038DF . |68 A0000000 push 0xA0
004038E4 . |68 44224000 push bjanes_1.00402244
004038E9 . |53 push ebx ; msvbvm60.rtcStrFromVar
004038EA . |50 push eax
004038EB . |FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
004038F1 > |66:8B45 E8 mov ax,word ptr ss:[ebp-0x18]
004038F5 . |8B1D 74104000 mov ebx,dword ptr ds:[<&MSVBVM60.#rtcStr>; msvbvm60.rtcStrFromVar
004038FB . |66:35 0200 xor ax,0x2
004038FF . |8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
00403902 . |0F80 A4020000 jo bjanes_1.00403BAC
00403908 . |51 push ecx
00403909 . |66:8945 A8 mov word ptr ss:[ebp-0x58],ax
0040390D . |C745 A0 02000>mov dword ptr ss:[ebp-0x60],0x2
00403914 . |FFD3 call ebx ; msvbvm60.rtcStrFromVar; <&MSVBVM60.#rtcStrFromVar_536>
00403916 . |8BD0 mov edx,eax
00403918 . |8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
0040391B . |FFD6 call esi ; msvbvm60.__vbaStrMove
0040391D . |8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; 真码出现
00403920 . |8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
00403923 . |52 push edx
00403924 . |57 push edi
00403925 . |50 push eax
00403926 . |C745 C8 01000>mov dword ptr ss:[ebp-0x38],0x1
0040392D . |C745 C0 02000>mov dword ptr ss:[ebp-0x40],0x2
00403934 . |FF15 44104000 call dword ptr ds:[<&MSVBVM60.#rtcMidCha>; msvbvm60.rtcMidCharBstr
0040393A . |8BD0 mov edx,eax
0040393C . |8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040393F . |FFD6 call esi ; msvbvm60.__vbaStrMove
00403941 . |50 push eax ; /String = " "
00403942 . |FF15 1C104000 call dword ptr ds:[<&MSVBVM60.#rtcAnsiVa>;
tcAnsiValueBstr
00403948 . |8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
0040394B . |66:8945 B8 mov word ptr ss:[ebp-0x48],ax
0040394F . |51 push ecx
00403950 . |C745 B0 02000>mov dword ptr ss:[ebp-0x50],0x2
00403957 . |FFD3 call ebx ; msvbvm60.rtcStrFromVar
00403959 . |8BD0 mov edx,eax
0040395B . |8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040395E . |FFD6 call esi ; msvbvm60.__vbaStrMove
00403960 . |50 push eax
00403961 . |FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; msvbvm60.__vbaR8Str
00403967 . |DC25 D8104000 fsub qword ptr ds:[0x4010D8]
0040396D . |8D55 90 lea edx,dword ptr ss:[ebp-0x70]
00403970 . |6A 01 push 0x1
00403972 . |52 push edx
00403973 . |C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],0x8005
0040397D . |DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8]
00403983 . |DFE0 fstsw ax
00403985 . |A8 0D test al,0xD
00403987 . |0F85 1A020000 jnz bjanes_1.00403BA7
0040398D . |8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
00403990 . |C745 D8 00000>mov dword ptr ss:[ebp-0x28],0x0
00403997 . |8945 98 mov dword ptr ss:[ebp-0x68],eax
0040399A . |8D45 80 lea eax,dword ptr ss:[ebp-0x80]
0040399D . |50 push eax
0040399E . |C745 90 08000>mov dword ptr ss:[ebp-0x70],0x8
004039A5 . |FF15 B0104000 call dword ptr ds:[<&MSVBVM60.#rtcRightC>; msvbvm60.rtcRightCharVar
004039AB . |8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-0xD0]
004039B1 . |8D55 80 lea edx,dword ptr ss:[ebp-0x80]
004039B4 . |51 push ecx ; /var18 = 0018F540
004039B5 . |52 push edx ; |var28 = 0055FCDC
004039B6 . |FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; 比较函数,相同返回0,不同返回-1
004039BC . |8BF8 mov edi,eax
004039BE . |8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004039C1 . |8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
004039C4 . |50 push eax
004039C5 . |8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
004039C8 . |51 push ecx
004039C9 . |8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
004039CC . |52 push edx
004039CD . |50 push eax
004039CE . |6A 04 push 0x4
004039D0 . |FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStrList
004039D6 . |83C4 14 add esp,0x14
004039D9 . |8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
004039DC . |FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
004039E2 . |8D4D 80 lea ecx,dword ptr ss:[ebp-0x80]
004039E5 . |8D55 90 lea edx,dword ptr ss:[ebp-0x70]
004039E8 . |51 push ecx
004039E9 . |8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
004039EC . |52 push edx
004039ED . |8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
004039F0 . |50 push eax
004039F1 . |8D55 C0 lea edx,dword ptr ss:[ebp-0x40]
004039F4 . |51 push ecx
004039F5 . |52 push edx
004039F6 . |6A 05 push 0x5
004039F8 . |FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
004039FE . |83C4 18 add esp,0x18
00403A01 . |66:85FF test di,di
00403A04 . |75 1C jnz short bjanes_1.00403A22 ; 跳失败
00403A06 . |8B7D 08 mov edi,dword ptr ss:[ebp+0x8]
00403A09 . |B8 01000000 mov eax,0x1
00403A0E . |66:0345 E8 add ax,word ptr ss:[ebp-0x18]
00403A12 . |0F80 94010000 jo bjanes_1.00403BAC
00403A18 . |8945 E8 mov dword ptr ss:[ebp-0x18],eax
00403A1B . |33DB xor ebx,ebx ; msvbvm60.rtcStrFromVar
00403A1D .^E9 5AFDFFFF jmp bjanes_1.0040377C ; 循环
这个循环跨度有点长,大概的步骤就是,将每一位的数字取出,与2异或,最后异或出的结果进行单独比较。
当为-1时,eax全为F。
于是我们就可以一个一个的尝试,最后尝试出来,serial为“301674501”
