160个crakeme之cracking4all.1.exe

这是一个VB程序,逻辑和算法都不复杂,唯一的问题是对VB的API不够了解,所以需要百度一下各个API的作用。这里我就贴出我破解这个程序的思路…

查找字符串定位关键代码段

在这里插入图片描述
如图所示,错误之后提示 password incorrect ,所以搜索该字符串
在这里插入图片描述
双击 Password correct, hehe, :-) 字符串后定位到如下位置:
在这里插入图片描述
继续往上拉,在004030F0处下断点
在这里插入图片描述
输入密码之后,点击按钮,程序断下;往下单步,可以看到输入字符串的值和长度
在这里插入图片描述

; cracking4all.1.exe - excerpt of the button handler as dumped by OllyDbg (MSVBVM50 runtime).
; The procedure starts before 004031A2 and continues past 004034AE; only the password check is shown.
; Recovered logic (i = loop index in di/edi, si = key index cycling 1..4, acc = Variant at [ebp-0x38]):
;   For i = 1 To Len(pw)
;       If si > 4 Then si = 1
;       acc = acc & Chr(Asc(Mid(pw, i, 1)) Xor Asc(Mid(2000, si, 1)))
;       si = si + 1
;   Next
;   If acc = "qBQSYdXUe_B\V" Then MsgBox "Password correct, hehe, :-)" Else MsgBox "Password incorrect, ..."
; The Integer 2000 (0x7D0 stored at [ebp-0x70]) is coerced by rtcMidCharVar to the string "2000".
; XOR with a fixed repeating key is its own inverse, so the expected constant reveals the password;
; a reversible transform that carries its own key cannot protect a secret.
004031A2   .  FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ;  Msvbvm50.__vbaHresultCheckObj
004031A8   >  8B45 C0       mov eax,dword ptr ss:[ebp-0x40]                      ;  fetch the entered password (string at [ebp-0x40])
004031AB   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
004031AE   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004031B1   .  8975 C0       mov dword ptr ss:[ebp-0x40],esi
004031B4   .  8945 B0       mov dword ptr ss:[ebp-0x50],eax                      ;  wrap it in a Variant at [ebp-0x58]
004031B7   .  C745 A8 08000>mov dword ptr ss:[ebp-0x58],0x8                      ;  vt = VT_BSTR
004031BE   .  FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMove>]         ;  Msvbvm50.__vbaVarMove: pw Variant -> [ebp-0x28]
004031C4   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
004031C7   .  FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]         ;  Msvbvm50.__vbaFreeObj
004031CD   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004031D0   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
004031D3   .  51            push ecx                                             ; /var18 = 00000007
004031D4   .  52            push edx                                             ; |retBuffer8 = 0019F248
004031D5   .  BE 01000000   mov esi,0x1                                          ; |si = 1 (key index)
004031DA   .  FF15 18614000 call dword ptr ds:[<&MSVBVM50.__vbaLenVar>]          ; \__vbaLenVar
004031E0   .  50            push eax
004031E1   .  FF15 74614000 call dword ptr ds:[<&MSVBVM50.__vbaI2Var>]           ;  Msvbvm50.__vbaI2Var
004031E7   .  8985 F8FEFFFF mov dword ptr ss:[ebp-0x108],eax                     ;  [ebp-0x108] = Len(pw) as Integer
004031ED   .  8BFE          mov edi,esi                                          ;  i = 1
004031EF   >  66:3BBD F8FEF>cmp di,word ptr ss:[ebp-0x108]                       ;  loop head: compare i with Len(pw)
004031F6   .  8B1D 6C614000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrVarVal>]    ;  Msvbvm50.__vbaStrVarVal
004031FC   .  0F8F 2D010000 jg cracking.0040332F                                 ;  exit the loop once i > Len(pw)
00403202   .  66:83FE 04    cmp si,0x4                                           ;  key index wraps: when si > 4 the jle falls through and si is reset to 1
00403206   .  7E 05         jle short cracking.0040320D
00403208   .  BE 01000000   mov esi,0x1
0040320D   >  0FBFCF        movsx ecx,di                                         ;  Start = i
00403210   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
00403213   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
00403216   .  50            push eax                                             ; /Length8 = 0x7
00403217   .  51            push ecx                                             ; |Start = 0x7
00403218   .  8D45 98       lea eax,dword ptr ss:[ebp-0x68]                      ; |
0040321B   .  52            push edx                                             ; |dString8 = 0019F248
0040321C   .  50            push eax                                             ; |RetBUFFER = 00000007
0040321D   .  C745 B0 01000>mov dword ptr ss:[ebp-0x50],0x1                      ; |Length = 1
00403224   .  C745 A8 02000>mov dword ptr ss:[ebp-0x58],0x2                      ; |vt = VT_I2
0040322B   .  FF15 38614000 call dword ptr ds:[<&MSVBVM50.#rtcMidCharVar_632>]   ; \rtcMidCharVar: [ebp-0x68] = Mid(pw, i, 1)
00403231   .  B8 02000000   mov eax,0x2                                          ;  VT_I2 for the two Integer Variants below
00403236   .  8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-0x88]
0040323C   .  0FBFD6        movsx edx,si                                         ;  Start = si
0040323F   .  8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
00403245   .  8945 88       mov dword ptr ss:[ebp-0x78],eax
00403248   .  51            push ecx                                             ; /Length8 = 0x7
00403249   .  8D45 88       lea eax,dword ptr ss:[ebp-0x78]                      ; |
0040324C   .  52            push edx                                             ; |Start = 0x19F248
0040324D   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]                      ; |
00403253   .  50            push eax                                             ; |dString8 = 00000007
00403254   .  51            push ecx                                             ; |RetBUFFER = 00000007
00403255   .  C745 80 01000>mov dword ptr ss:[ebp-0x80],0x1                      ; |Length = 1
0040325C   .  C745 90 D0070>mov dword ptr ss:[ebp-0x70],0x7D0                    ; |0x7D0 = 2000: the XOR key, seen by Mid() as "2000"
00403263   .  FF15 38614000 call dword ptr ds:[<&MSVBVM50.#rtcMidCharVar_632>]   ; \rtcMidCharVar: [ebp-0x98] = Mid(2000, si, 1)
00403269   .  8D55 98       lea edx,dword ptr ss:[ebp-0x68]
0040326C   .  8D45 C0       lea eax,dword ptr ss:[ebp-0x40]
0040326F   .  52            push edx
00403270   .  50            push eax
00403271   .  FFD3          call ebx                                             ;  cracking.004043C8 (__vbaStrVarVal: Variant -> string)
00403273   .  50            push eax                                             ; /String = 00000007 ???
00403274   .  FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>>; \rtcAnsiValueBstr
0040327A   .  0FBFD0        movsx edx,ax                                         ;  edx = Asc(Mid(pw, i, 1))
0040327D   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]                      ;  now the same for the key character
00403283   .  8D45 BC       lea eax,dword ptr ss:[ebp-0x44]
00403286      51            push ecx
00403287      50            push eax
00403288   .  8995 E8FEFFFF mov dword ptr ss:[ebp-0x118],edx                     ;  spill Asc(pw[i]) across the call; the other operand comes from "2000"
0040328E   .  FFD3          call ebx                                             ;  cracking.004043C8
00403290   .  50            push eax                                             ; /String = 00000007 ???
00403291   .  FF15 0C614000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>>; \rtcAnsiValueBstr
00403297   .  8B95 E8FEFFFF mov edx,dword ptr ss:[ebp-0x118]                     ;  reload Asc(pw[i]); ax = Asc(Mid("2000", si, 1))
0040329D   .  0FBFC8        movsx ecx,ax
004032A0   .  33D1          xor edx,ecx                                          ;  x = pw[i] Xor "2000"[si]
004032A2   .  8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032A8   .  52            push edx
004032A9   .  50            push eax
004032AA   .  FF15 64614000 call dword ptr ds:[<&MSVBVM50.#rtcVarBstrFromAnsi_60>;  Msvbvm50.rtcVarBstrFromAnsi: [ebp-0xA8] = Chr(x)
004032B0   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
004032B3   .  8D95 58FFFFFF lea edx,dword ptr ss:[ebp-0xA8]
004032B9   .  51            push ecx                                             ;  acc (accumulated string so far)
004032BA   .  8D85 48FFFFFF lea eax,dword ptr ss:[ebp-0xB8]
004032C0   .  52            push edx                                             ;  Chr(x)
004032C1   .  50            push eax
004032C2   .  FF15 70614000 call dword ptr ds:[<&MSVBVM50.__vbaVarCat>]          ;  Msvbvm50.__vbaVarCat
004032C8   .  8BD0          mov edx,eax                                          ;  acc = acc & Chr(x): append this character to the result string
004032CA   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]                      ;  ecx=0x6A4C7C
004032CD   .  FF15 F8604000 call dword ptr ds:[<&MSVBVM50.__vbaVarMove>]         ;  Msvbvm50.__vbaVarMove
004032D3   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
004032D6   .  8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
004032D9   .  51            push ecx
004032DA   .  52            push edx
004032DB   .  6A 02         push 0x2                                             ;  free the two temporary strings
004032DD   .  FF15 8C614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>]     ;  Msvbvm50.__vbaFreeStrList
004032E3   .  83C4 0C       add esp,0xC
004032E6   .  8D85 58FFFFFF lea eax,dword ptr ss:[ebp-0xA8]
004032EC   .  8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
004032F2   .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004032F8   .  50            push eax
004032F9   .  51            push ecx
004032FA   .  8D45 88       lea eax,dword ptr ss:[ebp-0x78]
004032FD   .  52            push edx
004032FE   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
00403301   .  50            push eax
00403302   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
00403305   .  51            push ecx
00403306   .  52            push edx
00403307   .  6A 06         push 0x6                                             ;  free the six temporary Variants
00403309   .  FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>]     ;  Msvbvm50.__vbaFreeVarList
0040330F   .  83C4 1C       add esp,0x1C
00403312   .  66:46         inc si                                               ;  si = si + 1 (key index)
00403314   .  B8 01000000   mov eax,0x1
00403319   .  66:03C7       add ax,di                                            ;  i = i + 1, with VB's Integer overflow check
0040331C   .  0F80 44020000 jo cracking.00403566
00403322   .  0F80 3E020000 jo cracking.00403566                                 ;  (the overflow check is emitted twice)
00403328   .  8BF8          mov edi,eax
0040332A   .^ E9 C0FEFFFF   jmp cracking.004031EF                                ;  back to the loop head
0040332F   >  8D45 C8       lea eax,dword ptr ss:[ebp-0x38]                      ;  loop exit: eax -> acc
00403332   .  8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-0xC8]
00403338   .  50            push eax                                             ; /var18 = 00000007
00403339   .  51            push ecx                                             ; |var28 = 00000007
0040333A   .  C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],cracking.004027C8        ; |qBQSYdXUe_B\V  (the expected result)
00403344   .  C785 38FFFFFF>mov dword ptr ss:[ebp-0xC8],0x8008                   ; |vt 0x8008: BSTR Variant (VT_BSTR | 0x8000) wrapping the constant above
0040334E   .  FF15 44614000 call dword ptr ds:[<&MSVBVM50.__vbaVarTstEq>]        ; \__vbaVarTstEq: acc = "qBQSYdXUe_B\V" ?
00403354   .  66:85C0       test ax,ax                                           ;  the decisive comparison result
00403357   .  B9 04000280   mov ecx,0x80020004                                   ;  ax is nonzero when acc equals the constant, zero otherwise
0040335C   .  B8 0A000000   mov eax,0xA                                          ;  0x80020004 = DISP_E_PARAMNOTFOUND, 0xA = VT_ERROR: "missing" optional MsgBox args
00403361   .  894D 80       mov dword ptr ss:[ebp-0x80],ecx
00403364   .  8985 78FFFFFF mov dword ptr ss:[ebp-0x88],eax
0040336A   .  894D 90       mov dword ptr ss:[ebp-0x70],ecx
0040336D   .  8945 88       mov dword ptr ss:[ebp-0x78],eax
00403370   .  0F84 E8000000 je cracking.0040345E                                 ;  the key branch: taken (ax == 0) -> "Password incorrect" path at 0040345E
00403376   .  8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarDup>]       ;  Msvbvm50.__vbaVarDup
0040337C   .  BF 08000000   mov edi,0x8                                          ;  VT_BSTR
00403381   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
00403387   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
0040338A   .  C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],cracking.00402824        ;  Valid  (MsgBox title)
00403394   .  89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
0040339A   .  FFD6          call esi                                             ;  <&MSVBVM50.__vbaVarDup>
0040339C   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
004033A2   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
004033A5   .  C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],cracking.004027E8        ;  Password correct, hehe, :-)  (MsgBox text)
004033AF   .  89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
004033B5   .  FFD6          call esi
004033B7   .  8D95 78FFFFFF lea edx,dword ptr ss:[ebp-0x88]
004033BD   .  8D45 88       lea eax,dword ptr ss:[ebp-0x78]
004033C0   .  52            push edx
004033C1   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
004033C4   .  50            push eax
004033C5   .  51            push ecx
004033C6   .  8D55 A8       lea edx,dword ptr ss:[ebp-0x58]
004033C9   .  6A 00         push 0x0
004033CB   .  52            push edx
004033CC   .  FF15 24614000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox_595>]       ;  Msvbvm50.rtcMsgBox
004033D2   .  8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004033D8   .  8D4D 88       lea ecx,dword ptr ss:[ebp-0x78]
004033DB   .  50            push eax
004033DC   .  8D55 98       lea edx,dword ptr ss:[ebp-0x68]
004033DF   .  51            push ecx
004033E0   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]
004033E3   .  52            push edx
004033E4   .  50            push eax
004033E5   .  6A 04         push 0x4                                             ;  free the four MsgBox argument Variants
004033E7   .  FF15 00614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeVarList>]     ;  Msvbvm50.__vbaFreeVarList
004033ED   .  A1 A4434000   mov eax,dword ptr ds:[0x4043A4]
004033F2   .  83C4 14       add esp,0x14
004033F5   .  85C0          test eax,eax                                         ;  object at 0x4043A4 not yet created?
004033F7   .  75 10         jnz short cracking.00403409
004033F9   .  68 A4434000   push cracking.004043A4
004033FE   .  68 50284000   push cracking.00402850
00403403   .  FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>]            ;  Msvbvm50.__vbaNew2: instantiate it on first use
00403409   >  A1 38404000   mov eax,dword ptr ds:[0x404038]
0040340E   .  8B35 A4434000 mov esi,dword ptr ds:[0x4043A4]
00403414   .  85C0          test eax,eax                                         ;  same lazy creation for the object at 0x404038
00403416   .  75 10         jnz short cracking.00403428
00403418   .  68 38404000   push cracking.00404038
0040341D   .  68 6C204000   push cracking.0040206C
00403422   .  FF15 80614000 call dword ptr ds:[<&MSVBVM50.__vbaNew2>]            ;  Msvbvm50.__vbaNew2
00403428   >  8B0D 38404000 mov ecx,dword ptr ds:[0x404038]
0040342E   .  8B3E          mov edi,dword ptr ds:[esi]                           ;  edi = vtable of the object in esi
00403430   .  8D55 B8       lea edx,dword ptr ss:[ebp-0x48]
00403433   .  51            push ecx
00403434   .  52            push edx
00403435   .  FF15 2C614000 call dword ptr ds:[<&MSVBVM50.__vbaObjSetAddref>]    ;  Msvbvm50.__vbaObjSetAddref
0040343B   .  50            push eax
0040343C   .  56            push esi
0040343D   .  FF57 10       call dword ptr ds:[edi+0x10]                         ;  indirect call through vtable slot +0x10
00403440   .  85C0          test eax,eax                                         ;  HRESULT < 0 -> raise the error
00403442   .  7D 0F         jge short cracking.00403453
00403444   .  6A 10         push 0x10
00403446   .  68 40284000   push cracking.00402840
0040344B   .  56            push esi
0040344C   .  50            push eax
0040344D   .  FF15 14614000 call dword ptr ds:[<&MSVBVM50.__vbaHresultCheckObj>] ;  Msvbvm50.__vbaHresultCheckObj
00403453   >  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00403456   .  FF15 B0614000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObj>]         ;  Msvbvm50.__vbaFreeObj
0040345C   .  EB 7A         jmp short cracking.004034D8                          ;  skip the failure path
0040345E   >  8B35 9C614000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaVarDup>]       ;  Msvbvm50.__vbaVarDup  (failure path, reached from the je at 00403370)
00403464   .  BF 08000000   mov edi,0x8                                          ;  VT_BSTR
00403469   .  8D95 28FFFFFF lea edx,dword ptr ss:[ebp-0xD8]
0040346F   .  8D4D 98       lea ecx,dword ptr ss:[ebp-0x68]
00403472   .  C785 30FFFFFF>mov dword ptr ss:[ebp-0xD0],cracking.004028BC        ;  Invalid  (MsgBox title)
0040347C   .  89BD 28FFFFFF mov dword ptr ss:[ebp-0xD8],edi
00403482   .  FFD6          call esi                                             ;  <&MSVBVM50.__vbaVarDup>
00403484   .  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-0xC8]
0040348A   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
0040348D   .  C785 40FFFFFF>mov dword ptr ss:[ebp-0xC0],cracking.00402864        ;  Password incorrect, please try again ...  (MsgBox text)
00403497   .  89BD 38FFFFFF mov dword ptr ss:[ebp-0xC8],edi
0040349D   .  FFD6          call esi
0040349F   .  8D85 78FFFFFF lea eax,dword ptr ss:[ebp-0x88]
004034A5   .  8D4D 88       lea ecx,dword ptr ss:[ebp-0x78]
004034A8   .  50            push eax
004034A9   .  8D55 98       lea edx,dword ptr ss:[ebp-0x68]
004034AC   .  51            push ecx
004034AD   .  52            push edx
004034AE   .  8D45 A8       lea eax,dword ptr ss:[ebp-0x58]                      ;  (listing cut here; the MsgBox call and cleanup follow)

在这里插入图片描述

在这里插入图片描述

#include <stdio.h>
#include <string.h>   /* strlen; the header name is lower-case, <String.h> only resolves on case-insensitive filesystems */

using namespace std;

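int main()
{
    /*
     * Keygen for cracking4all.1.exe.
     *
     * The check routine (004031EF..0040332F in the listing above) walks the
     * entered password one character at a time, XORs each character with
     * one character of "2000" (the Integer 0x7D0 that rtcMidCharVar coerces
     * to a string), cycling the key position every four characters, and
     * compares the concatenated result with the constant "qBQSYdXUe_B\V".
     * XOR with a fixed repeating key is its own inverse, so applying the
     * same key to the expected constant recovers the password - a
     * reversible transform that carries its own key cannot protect a secret.
     *
     * Prints each recovered character on its own line, then the whole
     * password.  Returns 0.
     */
    const char key[] = "qBQSYdXUe_B\\V";   /* "\\" is a single backslash: qBQSYdXUe_B\V */
    const char cal[] = "2000";             /* 0x32,0x30,0x30,0x30 - the repeating XOR key */
    const int key_len = (int)strlen(key);  /* hoisted: strlen() was previously re-evaluated every iteration */
    const int cal_len = (int)strlen(cal);
    char result[sizeof key] = {0};         /* sized from key, so it always holds key_len chars plus the NUL */

    for (int i = 0; i < key_len; i++) {
        /* i % 4 repeats 0,1,2,3 exactly as si cycles 1..4 in the binary */
        result[i] = (char)(key[i] ^ cal[i % cal_len]);
        printf("%d : %c\n", i, result[i]);  /* newline added so the per-character lines do not run together */
    }

    printf("%s\n", result);
    return 0;
}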

结果如下:
在这里插入图片描述
