After working through the first example I had a basic feel for reverse analysis. The second example is simpler than the first; the analysis goes as follows:
First check the program with DIE: it was written in VB and is not packed:
Then run the program. It is only a "username / serial" style check; entering an arbitrary username and serial pops up the following message:
So load the program in OD, use the intelligent string search for "You Get", and go to the following address:
004025BD . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; success message
004025CA . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025CD . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004025D3 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004025D6 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
004025D9 . 52 push edx ; Afkayas_.<ModuleEntryPoint>
004025DA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004025DD . 50 push eax ; kernel32.BaseThreadInitThunk
004025DE . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004025E1 . 51 push ecx
004025E2 . 52 push edx ; Afkayas_.<ModuleEntryPoint>
004025E3 . EB 56 jmp short Afkayas_.0040263B
004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; You Get Wrong
004025EA . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
004025EF . FFD7 call edi
004025F1 . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk
004025F3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025F6 . FFD3 call ebx
004025F8 . 50 push eax ; kernel32.BaseThreadInitThunk
004025F9 . 68 E81B4000 push Afkayas_.00401BE8 ; Try Again
004025FE . FFD7 call edi
00402600 . 8945 CC mov dword ptr ss:[ebp-0x34],eax ; kernel32.BaseThreadInitThunk
00402603 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00402606 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00402609 . 50 push eax ; kernel32.BaseThreadInitThunk
0040260A . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
0040260D . 51 push ecx
0040260E . 52 push edx ; Afkayas_.<ModuleEntryPoint>
0040260F . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00402612 . 6A 00 push 0x0
00402614 . 50 push eax ; kernel32.BaseThreadInitThunk
00402615 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040261C . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; error message
00402622 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00402625 . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
Setting breakpoints shows that just below the error string, at address 40261C, is the call that pops up the error message, and above it at 4025E3 there is a jmp that skips the error message; but when the input is wrong, this jmp is itself skipped by the conditional jump above it:
00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
0040258B 74 58 je short Afkayas_.004025E5 ; key jump: not taken = correct
0040258D . 68 801B4000 push Afkayas_.00401B80 ; You Get It
00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
00402597 . FFD7 call edi ; msvbvm50.__vbaStrCat
00402599 . 8BD0 mov edx,eax
0040259B . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0040259E . FFD3 call ebx ; msvbvm50.__vbaStrMove
004025A0 . 50 push eax
004025A1 . 68 A81B4000 push Afkayas_.00401BA8 ; KeyGen It Now
004025A6 . FFD7 call edi ; msvbvm50.__vbaStrCat
004025A8 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004025AB . 8945 CC mov dword ptr ss:[ebp-0x34],eax
004025AE . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004025B1 . 51 push ecx
004025B2 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004025B5 . 52 push edx
004025B6 . 50 push eax
004025B7 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004025BA . 6A 00 push 0x0
004025BC . 51 push ecx
004025BD . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; success message
004025CA . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025CD . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004025D3 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004025D6 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
004025D9 . 52 push edx
004025DA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004025DD . 50 push eax
004025DE . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004025E1 . 51 push ecx
004025E2 . 52 push edx
004025E3 . EB 56 jmp short Afkayas_.0040263B
004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; You Get Wrong
That is, the jump at address 40258B skips the success branch, so simply NOPing that jump is enough to patch (brute-force) the check. Now set a breakpoint at the start of the routine and trace the flow from the beginning:
0040240F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00402412 . 50 push eax ; /String = "123"
00402413 . 8B1A mov ebx,dword ptr ds:[edx] ; |
00402415 . FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
0040241B . 8BF8 mov edi,eax ; get string length
0040241D . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00402420 . 69FF FB7C0100 imul edi,edi,0x17CFB
00402426 . 51 push ecx ; /this string matters
00402427 . 0F80 91020000 jo Afkayas_.004026BE ; |
0040242D . FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiVa>; \rtcAnsiValueBstr
00402433 . 0FBFD0 movsx edx,ax ; ASCII code of the first character
00402436 . 03FA add edi,edx
00402438 . 0F80 80020000 jo Afkayas_.004026BE
0040243E . 57 push edi ; edi is the argument: number to string
0040243F . FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; number to string
00402445 . 8BD0 mov edx,eax
00402447 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040244A . FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00402450 . 8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00402456 . 50 push eax
00402457 . 57 push edi
00402458 . FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040245E . 85C0 test eax,eax
00402460 . 7D 12 jge short Afkayas_.00402474
00402462 . 68 A4000000 push 0xA4
00402467 . 68 5C1B4000 push Afkayas_.00401B5C
0040246C . 57 push edi
0040246D . 50 push eax
0040246E . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00402474 > 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
00402477 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040247A . 50 push eax
0040247B . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
0040247E . 51 push ecx
0040247F . 52 push edx
00402480 . 6A 03 push 0x3
00402482 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
00402488 . 83C4 10 add esp,0x10
0040248B . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
0040248E . 8D4D D8 lea ecx,dword ptr ss:[ebp-0x28]
00402491 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
00402494 . 50 push eax
00402495 . 51 push ecx
00402496 . 52 push edx
00402497 . 6A 03 push 0x3
00402499 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObjList
0040249F . 8B06 mov eax,dword ptr ds:[esi] ; Afkayas_.004032F0
004024A1 . 83C4 10 add esp,0x10
004024A4 . 56 push esi
004024A5 . FF90 04030000 call dword ptr ds:[eax+0x304]
004024AB . 8B1D 0C414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaOb>; msvbvm50.__vbaObjSet
004024B1 . 50 push eax
004024B2 . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
004024B5 . 50 push eax
004024B6 . FFD3 call ebx ; <&MSVBVM50.__vbaObjSet>
004024B8 . 8BF8 mov edi,eax
004024BA . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
004024BD . 52 push edx
004024BE . 57 push edi
004024BF . 8B0F mov ecx,dword ptr ds:[edi]
004024C1 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024C7 . 85C0 test eax,eax
004024C9 . 7D 12 jge short Afkayas_.004024DD
004024CB . 68 A0000000 push 0xA0
004024D0 . 68 5C1B4000 push Afkayas_.00401B5C
004024D5 . 57 push edi
004024D6 . 50 push eax
004024D7 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004024DD > 56 push esi
004024DE . FF95 40FFFFFF call dword ptr ss:[ebp-0xC0] ; msvbvm50.741CC368
004024E4 . 50 push eax
004024E5 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004024E8 . 50 push eax
004024E9 . FFD3 call ebx
004024EB . 8BF0 mov esi,eax
004024ED . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
004024F0 . 52 push edx
004024F1 . 56 push esi
004024F2 . 8B0E mov ecx,dword ptr ds:[esi] ; Afkayas_.004032F0
004024F4 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024FA . 85C0 test eax,eax
004024FC . 7D 12 jge short Afkayas_.00402510
004024FE . 68 A0000000 push 0xA0
00402503 . 68 5C1B4000 push Afkayas_.00401B5C
00402508 . 56 push esi
00402509 . 50 push eax
0040250A . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
00402510 > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00402513 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
00402516 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
0040251C . 50 push eax
0040251D . 68 701B4000 push Afkayas_.00401B70 ; AKA-
00402522 . 51 push ecx ; /String = 00000001 ???
00402523 . FFD7 call edi ; \__vbaStrCat
00402525 . 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrMove
0040252B . 8BD0 mov edx,eax
0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
00402530 . FFD3 call ebx ; concatenate strings; <&MSVBVM50.__vbaStrMove>
00402532 . 50 push eax
00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; probably the string compare
00402539 . 8BF0 mov esi,eax
0040253B . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
0040253E . F7DE neg esi
00402540 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
00402543 . 52 push edx
00402544 . 1BF6 sbb esi,esi
00402546 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00402549 . 50 push eax
0040254A . 46 inc esi
0040254B . 51 push ecx
0040254C . 6A 03 push 0x3
0040254E . F7DE neg esi
00402550 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStrList
00402556 . 83C4 10 add esp,0x10
00402559 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0040255C . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
0040255F . 52 push edx
00402560 . 50 push eax
00402561 . 6A 02 push 0x2
00402563 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; msvbvm50.__vbaFreeObjList
00402569 . 83C4 0C add esp,0xC
0040256C . B9 04000280 mov ecx,0x80020004
00402571 . B8 0A000000 mov eax,0xA
00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00402579 . 66:85F6 test si,si
0040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx
00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00402585 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
0040258B 74 58 je short Afkayas_.004025E5 ; key jump: not taken = correct
0040258D . 68 801B4000 push Afkayas_.00401B80 ; You Get It
00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
00402597 . FFD7 call edi
00402599 . 8BD0 mov edx,eax
0040259B . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0040259E . FFD3 call ebx
004025A0 . 50 push eax
004025A1 . 68 A81B4000 push Afkayas_.00401BA8 ; KeyGen It Now
004025A6 . FFD7 call edi
004025A8 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004025AB . 8945 CC mov dword ptr ss:[ebp-0x34],eax
004025AE . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004025B1 . 51 push ecx
004025B2 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004025B5 . 52 push edx
004025B6 . 50 push eax
004025B7 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004025BA . 6A 00 push 0x0
004025BC . 51 push ecx
004025BD . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; success message
004025CA . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025CD . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004025D3 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004025D6 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
004025D9 . 52 push edx
004025DA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
004025DD . 50 push eax
004025DE . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
004025E1 . 51 push ecx
004025E2 . 52 push edx
004025E3 . EB 56 jmp short Afkayas_.0040263B
004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; You Get Wrong
004025EA . 68 9C1B4000 push Afkayas_.00401B9C ; \r\n
004025EF . FFD7 call edi
004025F1 . 8BD0 mov edx,eax
004025F3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004025F6 . FFD3 call ebx
004025F8 . 50 push eax
004025F9 . 68 E81B4000 push Afkayas_.00401BE8 ; Try Again
004025FE . FFD7 call edi
00402600 . 8945 CC mov dword ptr ss:[ebp-0x34],eax
00402603 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
00402606 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
00402609 . 50 push eax
0040260A . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
0040260D . 51 push ecx
0040260E . 52 push edx
0040260F . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
00402612 . 6A 00 push 0x0
00402614 . 50 push eax
00402615 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040261C . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>; error message
The first line of the code above fetches the entered username (I entered 123). It then calls an API to get the string length, which is saved in edi; edi is multiplied by 0x17CFB and the result is stored back in edi. Next an API call fetches the ASCII code of the first character of the username, which is added to edi and again stored in edi. Then an API converts the number to a string, which ends up in edx.
Finally it is concatenated with the string "AKA-", producing the final correct string.
While single-stepping with F8, the stack window looks like this:
At this point both the correct serial and the serial I entered appear on the stack, so this call must be the serial comparison. Right after it should be the branch:
Because the serial we entered was wrong, je skipped the success message and landed after the jmp, executing the error message; otherwise je is not taken, the success message runs, and then jmp skips over the error message.
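To confirm the reading of the listing (the length * 0x17CFB + first-character derivation, and the __vbaStrCmp / je decision), here is an added Python re-implementation; it is not code from the original post or the crackme. It assumes an ASCII username and models the two `jo` overflow checks as a raised OverflowError.

```python
# Added example: the serial derivation as read out of the Afkayas_ listing
# above, written here to verify the analysis (not the crackme's own code).

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
MULTIPLIER = 0x17CFB   # imul edi,edi,0x17CFB at 00402420
PREFIX = "AKA-"        # string at 00401B70, pushed before __vbaStrCat


def _checked_int32(value: int) -> int:
    """Mirror the `jo Afkayas_.004026BE` branches: VB raises 'Overflow'
    (runtime error 6) when a signed 32-bit result wraps."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError("signed 32-bit overflow; jo would be taken")
    return value


def derive_serial(name: str) -> str:
    """Step through the listing:
       __vbaLenBstr      -> edi = Len(name)
       imul edi,0x17CFB  ; jo
       rtcAnsiValueBstr  -> edx = Asc(name)  (first character only)
       add edi,edx       ; jo
       __vbaStrI4        -> CStr(edi)
       __vbaStrCat       -> "AKA-" & CStr(edi)
    Assumes an ASCII name; Asc() of an empty string is VB runtime
    error 5, modelled here as ValueError."""
    if not name:
        raise ValueError("Asc() of an empty string is VB runtime error 5")
    edi = _checked_int32(len(name) * MULTIPLIER)
    edx = ord(name[0])
    edi = _checked_int32(edi + edx)
    return PREFIX + str(edi)


def check_serial(name: str, serial: str) -> bool:
    """The __vbaStrCmp at 00402533 followed by the je at 0040258B:
    equal strings -> je not taken -> 'You Get It'."""
    try:
        return derive_serial(name) == serial
    except (ValueError, OverflowError):
        return False


if __name__ == "__main__":
    # Constructed sample: the post's own test input was the name "123".
    print(derive_serial("123"))
```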