AfkayAs.2

2022-01-23

白天最是时光短，凛冽寒冬早归家。

1. 信息收集

PEID查壳，没有加壳

打开crackme查看下流程，开头有一个NAG弹窗，需要去除

经典的Serial/Name，随机输入测试

和咱上一个一样，不过看起来Serial不支持英文呢

2. 分析过程

2.1 去NAG窗口

程序启动的时候有一个NAG窗口，会持续数秒，这个很影响我们正常操作，因此需要我们去除掉

这里要采用一个我最新学到的4C法，这种方法专门针对VB语言编写的程序

打开OD，载入程序

VB程序有一个很明显的特点，入口点处都是一个push指令，然后接一个call指令。而且看call指令后面跟的MSVBVM50推测是VB5.0编写的（如果载入程序后不是这种情况，那很可能被加壳了）

首先，我们定位到push指令后的地址004067D4，鼠标右键数据窗口中跟随

接下来，使用4C法，从当前地址偏移4C，即004067D4 + 4C = 00406820

接下来，我们继续跟随00406820中的地址00406868

在图中我们可以看到两块下相似的数据块，每块0x50个字节的长度，每块数据的第0x24字节处都有一个标志。该标志指定了每块代码（即程序启动后要加载的窗体）出现的顺序，先加载00（待去除的NAG窗口），再加载01（主窗口）。因此，我们将标志位颠倒一下，然后保存即可成功去除NAG窗口

2.2 程序爆破

将我们去除NAG弹窗后的程序重新载入OD，运行，当弹出错误窗口时我们先不点

在OD中点暂停，查看调用堆栈窗口（alt+k）

经过百度可以得知，rtcMsgBox是VB语言的弹窗函数，右键 -> 显式调用

向上翻看，有了Afkayas-1的经验，很轻松的就能找到我们的关键跳转

00408665   .  66:85F6       test si,si
00408668   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040866B   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
0040866E   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00408671   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00408674   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
00408677   .  74 62         je short AfKayAs_.004086DB               ;  关键跳转
00408679   .  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
0040867F   .  68 C06F4000   push AfKayAs_.00406FC0                   ;  UNICODE "You Get It"
00408684   .  68 DC6F4000   push AfKayAs_.00406FDC                   ; /String = "
"
00408689   .  FFD6          call esi                                 ; \__vbaStrCat
0040868B   .  8BD0          mov edx,eax
0040868D   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00408690   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00408696   .  50            push eax
00408697   .  68 E86F4000   push AfKayAs_.00406FE8                   ;  UNICODE "KeyGen It Now"
0040869C   .  FFD6          call esi
0040869E   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
004086A1   .  8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
004086A4   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
004086A7   .  50            push eax
004086A8   .  8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
004086AB   .  51            push ecx
004086AC   .  52            push edx
004086AD   .  8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
004086B0   .  6A 00         push 0x0
004086B2   .  50            push eax
004086B3   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004086BA   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>;  MSVBVM50.rtcMsgBox
004086C0   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086C3   .  FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  MSVBVM50.__vbaFreeStr
004086C9   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004086CC   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004086CF   .  51            push ecx
004086D0   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004086D3   .  52            push edx
004086D4   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004086D7   .  50            push eax
004086D8   .  51            push ecx
004086D9   .  EB 60         jmp short AfKayAs_.0040873B
004086DB   >  8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>;  MSVBVM50.__vbaStrCat
004086E1   .  68 08704000   push AfKayAs_.00407008                   ;  UNICODE "You Get Wrong"
004086E6   .  68 DC6F4000   push AfKayAs_.00406FDC                   ; /String = "
"
004086EB   .  FFD6          call esi                                 ; \__vbaStrCat
004086ED   .  8BD0          mov edx,eax
004086EF   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004086F2   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
004086F8   .  50            push eax
004086F9   .  68 28704000   push AfKayAs_.00407028                   ;  UNICODE "Try Again"
004086FE   .  FFD6          call esi
00408700   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
00408703   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
00408706   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
00408709   .  52            push edx
0040870A   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
0040870D   .  50            push eax
0040870E   .  51            push ecx
0040870F   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
00408712   .  6A 00         push 0x0
00408714   .  52            push edx
00408715   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040871C   .  FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#rtcMsgBox>;  MSVBVM50.rtcMsgBox

爆破很简单，只要将我们的关键跳转直接给nop掉，然后保存就可以了。具体不在描述，毕竟我们的关注点主要还是它的算法流程。

2.3 算法分析

向上拉到我们的函数开头处，下断，重新运行

输入aaa/123321，点击ok，程序成功断在了我们的下断地址

一路F8向下分析，可以看到在这里获取了Name地址

和Afkayas-1一样，这个也是在取Name[0]的时候就开始了对Serial的计算

首先我们来看第一部分Code-1：

004081E9   > \8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]
004081F2   .  50            push eax                                 ; /String = "aaa"
004081F3   .  8B1A          mov ebx,dword ptr ds:[edx]               ; |
004081F5   .  FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; \__vbaLenBstr
004081FB   .  8BF8          mov edi,eax
004081FD   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00408200   .  69FF 385B0100 imul edi,edi,0x15B38                     ;  Serial = nLen * 0x15B38 = 0x411A8 = 266664
00408206   .  51            push ecx                                 ; /String = "?"
00408207   .  0F80 B7050000 jo AfKayAs_.004087C4                     ; |
0040820D   .  FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiVa>; \rtcAnsiValueBstr
00408213   .  0FBFD0        movsx edx,ax
00408216   .  03FA          add edi,edx                              ;  Serial = 0x411A8 + 0x61 = 0x41029 = 266761
00408218   .  0F80 A6050000 jo AfKayAs_.004087C4
0040821E   .  57            push edi
0040821F   .  FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>;  MSVBVM50.__vbaStrI4
00408225   .  8BD0          mov edx,eax
00408227   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040822A   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00408230   .  8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00408236   .  50            push eax
00408237   .  57            push edi
00408238   .  FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040823E   .  85C0          test eax,eax
00408240   .  7D 12         jge short AfKayAs_.00408254

取到我们的Name后，我们继续往下分析，来看Code-2：

004082DD   > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004082E3   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]
004082E6   .  52            push edx                                 ;  edx = 266761
004082E7   .  8B19          mov ebx,dword ptr ds:[ecx]
004082E9   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004082EF   .  D905 08104000 fld dword ptr ds:[0x401008]              ;  10.0
004082F5   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC   .  75 08         jnz short AfKayAs_.00408306
004082FE   .  D835 0C104000 fdiv dword ptr ds:[0x40100C]             ;  10.0 / 5.0 = 2.0
00408304   .  EB 0B         jmp short AfKayAs_.00408311
00408306   >  FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C   .  E8 578DFFFF   call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311   >  83EC 08       sub esp,0x8
00408314   .  DFE0          fstsw ax
00408316   .  A8 0D         test al,0xD
00408318   .  0F85 A1040000 jnz AfKayAs_.004087BF
0040831E   .  DEC1          faddp st(1),st                           ;  266761.0 + 2.0 = 266763.0
00408320   .  DFE0          fstsw ax
00408322   .  A8 0D         test al,0xD
00408324   .  0F85 95040000 jnz AfKayAs_.004087BF
0040832A   .  DD1C24        fstp qword ptr ss:[esp]
0040832D   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8
00408333   .  8BD0          mov edx,eax                              ;  eax = 266763 (Serial计算过度值)
00408335   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408338   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove

经过这部分的计算后，我们此时的Serial值暂时为266763。当然，这个值还不是最终结果，我们还需要继续往下，后面还有计算结果。让我们来看看我们的Code-3：

004083E9   > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]          ;  266763
004083F2   .  52            push edx
004083F3   .  8B19          mov ebx,dword ptr ds:[ecx]
004083F5   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004083FB   .  DC0D 10104000 fmul qword ptr ds:[0x401010]             ;  266763.0 * 3.0 = 800289.0
00408401   .  83EC 08       sub esp,0x8
00408404   .  DC25 18104000 fsub qword ptr ds:[0x401018]             ;  800289.0 - 2.0 = 800287.0
0040840A   .  DFE0          fstsw ax
0040840C   .  A8 0D         test al,0xD
0040840E   .  0F85 AB030000 jnz AfKayAs_.004087BF
00408414   .  DD1C24        fstp qword ptr ss:[esp]
00408417   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8
0040841D   .  8BD0          mov edx,eax
0040841F   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408422   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
00408428   .  899D 2CFFFFFF mov dword ptr ss:[ebp-0xD4],ebx
0040842E   .  8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]
00408434   .  50            push eax
00408435   .  8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-0xD4]
0040843B   .  53            push ebx
0040843C   .  FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408442   .  85C0          test eax,eax
00408444   .  7D 12         jge short AfKayAs_.00408458

计算完成这部分后，我们还有最后一步计算，让我们继续往下Code-4：

004084D3   > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9   .  8B55 E8       mov edx,dword ptr ss:[ebp-0x18]          ;  800287
004084DC   .  52            push edx
004084DD   .  8B19          mov ebx,dword ptr ds:[ecx]
004084DF   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004084E5   .  DC25 20104000 fsub qword ptr ds:[0x401020]             ;  800287.0 - (-15.0) = 800302.0
004084EB   .  83EC 08       sub esp,0x8
004084EE   .  DFE0          fstsw ax
004084F0   .  A8 0D         test al,0xD
004084F2   .  0F85 C7020000 jnz AfKayAs_.004087BF
004084F8   .  DD1C24        fstp qword ptr ss:[esp]
004084FB   .  FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>;  MSVBVM50.__vbaStrR8
00408501   .  8BD0          mov edx,eax
00408503   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00408506   .  FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>;  MSVBVM50.__vbaStrMove
0040850C   .  899D 24FFFFFF mov dword ptr ss:[ebp-0xDC],ebx
00408512   .  8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]
00408518   .  50            push eax
00408519   .  8B85 24FFFFFF mov eax,dword ptr ss:[ebp-0xDC]
0040851F   .  53            push ebx
00408520   .  FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408526   .  85C0          test eax,eax
00408528   .  7D 12         jge short AfKayAs_.0040853C

其实到了这一步，就已经计算出来我们的Serial值了。再往下，就是我们的比较判断流程了Code-5：

004085CE   > \8B45 E8       mov eax,dword ptr ss:[ebp-0x18]          ;  123321   //取我们输入的Serial
004085D1   .  50            push eax
004085D2   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004085D8   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]          ;  800302   //计算出的正确Serial
004085DB   .  DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]
004085E1   .  51            push ecx
004085E2   .  FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>;  MSVBVM50.__vbaR8Str
004085E8   .  833D 00904000>cmp dword ptr ds:[0x409000],0x0
004085EF   .  75 08         jnz short AfKayAs_.004085F9
004085F1   .  DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4]            ;  123321 / 800302 = 0.154...
004085F7   .  EB 11         jmp short AfKayAs_.0040860A
004085F9   >  FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF   .  FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605   .  E8 888AFFFF   call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A   >  DFE0          fstsw ax
0040860C   .  A8 0D         test al,0xD
0040860E   .  0F85 AB010000 jnz AfKayAs_.004087BF
00408614   .  FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>;  MSVBVM50.__vbaFpR8
0040861A   .  DC1D 28104000 fcomp qword ptr ds:[0x401028]
00408620   .  DFE0          fstsw ax
00408622   .  F6C4 40       test ah,0x40

上面的除法、取反等等操作，是为了处理esi的值，从而给后面的跳转提供条件

搞定，收工

2.4 注册机

最后，让我们来写个注册机

#include <stdio.h>
#include <string.h>

int main()
{
	char buff[100] = {0};
	printf("Input Name: \r\n");
    gets(buff);
    int nLen = strlen(buff);
    if ( nLen > 0 )
    {
        int nRet = nLen * 0x15B38;
        nRet += buff[0];
        double dRet = (double)nRet;
        dRet += (10.0/5.0);
        dRet *= 3.0;
        dRet -= 2;
        dRet -= -15;
        printf("Serial：%d\r\n",(int)dRet);
    }else{
        printf("Input error!\r\n");
    }
    return 0;
}

本文作者： foxcookie
发布时间： 2022-01-23
最后更新： 2023-07-21
本文标题： AfkayAs.2
本文链接： https://foxcookie.github.io/2022/01/23/AfkayAs-2/
版权声明： 本博客所有文章除特别声明外，均采用 CC BY-NC-SA 4.0 许可协议。转载请注明出处！