转载一枚自写km+分析过程
本帖最后由 yypE 于 2015-6-17 13:01 编辑好一阵子没上论坛了,发个KM保护ID~
KM在某首发,这里直接转过来:
要求:
提供2组可用Name与AccessCode即可,同样欢迎爆破练习
KM特征:
UPX
关键代码处虚拟,不影响追码爆破~
奖励酌情...
KM下载地址:
==============================
//请没有玩过的朋友跳过以下分析内容,玩过之后再来==
==============================
分析过程:
源码如下:
#include "iostream.h"
#include "stdio.h"
#include "math.h"
#include "VirtualizerSDK.h"
// Instruction stream consumed by the vmRun interpreter further down.
// Every value is stored pre-multiplied by 1234; main divides by 1234 when it
// fetches, so for example 38254 is 31*1234 and 39488 is 32*1234.
// The initializer is laid out ten values per row, matching the ten-value
// fetch (while(n<10)) in main.
// NOTE(review): the multiplier is a fixed constant visible in main, so this is
// an encoding, not a protection. The array is a plain global defined outside
// the VIRTUALIZER_START/VIRTUALIZER_END region, so the virtualizer markers in
// vmRun do not cover this data, including the values vmRun returns as step
// sizes. The author's own analysis after the listing makes the same point.
int code[]=
{
149314,149314,138208,85146,39488,134506,119698,123400,124634,39488,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
135740,95018,124634,54296,129570,125868,39488,149314,136974,144378,
46892,141910,124634,124634,39488,143144,128336,129570,141910,39488,
38254,39488,75274,75274,75274,75274,75274,75274,75274,75274,
143144,124634,148080,143144,39488,129570,135740,39488,149314,136974,
38254,75274,75274,75274,75274,75274,75274,75274,75274,75274,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,75274,0,39488,39488,92550,124634,149314,127102,124634,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,135740,95018,124634,39488,120932,149314,39488,149314,149314,
135740,149314,39488,138208,140676,136974,127102,140676,119698,134506,
38254,138208,85146,0,39488,39488,39488,39488,39488,61700,
135740,149314,39488,138208,140676,136974,127102,140676,119698,134506,
38254,59232,60466,65402,55530,66636,55530,60466,60466,0,
141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
38254,39488,75274,75274,75274,75274,75274,75274,75274,75274,
141910,39488,143144,128336,119698,143144,39488,149314,136974,144378,
38254,75274,75274,75274,75274,75274,75274,75274,75274,75274,
48126,119698,140676,124634,39488,140676,124634,119698,133272,133272,
38254,75274,1522756,1522756,1522756,1522756,1522756,1522756,1522756,0,
149314,39488,127102,140676,124634,119698,143144,40722,81444,59232,
38254,39488,98720,133272,124634,119698,141910,124634,39488,85146,
141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
38254,135740,143144,124634,140676,39488,109826,136974,144378,140676,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,39488,96252,119698,134506,124634,49360,69104,50594,71572,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
39488,13574,13574,13574,13574,13574,13574,13574,13574,309734,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
75274,136974,273948,410922,547896,684870,821844,958818,1095792,309734,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
76508,81444,83912,78976,115996,78976,2468,3702,7404,309734,
141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
77742,141910,54296,129570,143144,39488,138208,140676,136974,309734,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,39488,98720,133272,124634,119698,141910,124634,39488,85146,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,135740,143144,124634,140676,39488,80210,122166,122166,124634,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,141910,141910,39488,82678,136974,123400,124634,49360,1522756,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,69104,50594,71572,1522756,1522756,1522756,1522756,1522756,1522756,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
39488,14808,25914,14808,25914,13574,38254,64168,54296,544194,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
78976,233226,161654,166590,170292,186334,135740,12340,24680,568874,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
80210,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
81444,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
82678,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
83912,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
85146,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
86380,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
87614,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
88848,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
38254,0,39488,107358,140676,136974,135740,127102,56764,1522756,
38254,0,39488,80210,122166,122166,124634,141910,141910,1522756,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
38254,39488,102422,144378,122166,122166,124634,141910,141910,125868,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
38254,144378,133272,133272,149314,56764,1522756,1522756,1522756,1522756,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634
};
// Scratch character assigned in vmRun's case 31 branch and then printed.
char a;
// Receives one character from cin in vmRun's "== 32" branch.
char b;
// Assigned in vmRun's "== 32" branch; never read anywhere in this listing.
int e;
// Collapses an integer to a strict flag: 1 for any non-zero value, 0 for zero.
int ck(int num)
{
    return (num == 0) ? 0 : 1;
}
// Interprets one fetched instruction and returns the amount main adds to its
// read position in `code` (main does `i+=c` with c = vmRun(...)).
//
// NOTE(review): this listing was damaged when the post was extracted. Several
// subscripts are missing (`code+nn]`, `return array)];`, and `array` appears
// as a scalar although main fills ten values), so the function does not
// compile as shown. The comments below describe only what the surviving text
// shows; the lost index expressions are deliberately not reconstructed.
//
// Per the author's notes after the listing, the first of the ten values
// selects the operation: 31 prints, 32 reads input, 61/62/63 are the three
// transform steps (SF1-SF3), and 65-72 compare and pick the return value.
int vmRun(int array)
{
VIRTUALIZER_START;//Code Virtualizer protection marker (start of the protected region)
for (int i = 0;i <10;i++)
{
if (i!=0)
{
// Positions 1..9: only value 31 has any effect here.
switch (array)
{
case 31:
{
// As shown, neither test below can be true inside case 31; presumably both
// originally tested an indexed element (subscript lost) - TODO confirm.
// Intended effect per the author's table: 0 emits a newline, 1234 is skipped.
if (array==00) {cout<<endl;break;}
if (array==1234) break;
// Any other value is narrowed to char and written to stdout.
a=array;
cout<<a;
break;
}
}
}
else
{
// Position 0: dispatch on the selector value.
if (array==32)
{
// Reads a single character (char b), so the read itself cannot overrun a
// buffer; the same character is then stored into eight slots of `code`.
// The destination offset is missing from the listing.
e=array;
cin>>b;
for (int nn =0;nn < 8;nn++)
{
code+nn]=b;
}
}
if (array==61)
{
// SF1 in the author's notes: bitwise AND applied in place to eight slots.
for (int nn =0;nn < 8;nn++)
{
code+nn]&=array;
}
}
if (array==62)
{
// SF2: adds (int)sin(neighbour) to each of eight slots; the nn==7 case uses
// a different operand than the others. The cast truncates toward zero, so
// the addend is 0 unless sin returns exactly +1 or -1.
for (int nn =0;nn < 8;nn++)
{
if (nn<7)
code+nn]+=(int)sin(code+nn+1]);
else
code+nn]+=(int)sin(code]);
}
}
if (array==63)
{
// SF3: replaces each of eight slots with (int)(53+4*sin(x)), i.e. a value in
// 49..57, which the author's notes identify as the ASCII digits '1'..'9'.
for (int nn =0;nn < 8;nn++)
{
code+nn]=(int)(53+4*sin(code+nn]));
}
}
if (array==64)
{
// As written this stores a value minus itself into eight slots; presumably
// it clears them, but the subscripts are lost - TODO confirm.
for (int nn =0;nn < 8;nn++)
{
code+nn]=code-code;
}
}
// Selector values 65..72: the check step. The return expression is garbled;
// per the author's notes it returns the tenth value on a match and the ninth
// otherwise, which main uses as its step.
// NOTE(review): that step is read from the unprotected `code` data rather
// than computed inside the virtualized region.
for (int f=65;f<73;f++)
{
if (array==f)
{
return array)];
}
}
}
}
// Default step when no check branch returned.
return 20;
// NOTE(review): every return precedes this marker, so it is never executed at
// run time; confirm against the SDK documentation that returning from inside
// a marked region is supported.
VIRTUALIZER_END;
}
// Driver loop: repeatedly fetches ten values from `code`, decodes each by
// dividing by 1234, hands them to vmRun, and advances by vmRun's return value.
// NOTE(review): subscripts were lost in extraction here as well (`int array=`,
// `sizeof(code)/sizeof(code)`, `array=code/1234`), so this does not compile as
// shown. `void main()` is also non-standard; `int main()` is the portable form.
void main()
{
int n=0,c=0;
int array={0,0,0,0,0,0,0,0,0,0};
// The for-increment is a no-op (i+=0); i moves only through `i+=c` below.
// NOTE(review): the bound is checked once per step while ten values are read
// per step, and the step size comes from vmRun. Whether the last fetch stays
// inside `code`, and whether a step of 0 (a non-terminating loop) is possible,
// depends on the data and on the stripped index expressions - TODO confirm.
for (int i = 0;i < sizeof(code)/sizeof(code);i+=0)
{
n=0;
while(n<10)
{
// Undo the *1234 encoding of the stored values.
array=code/1234;
n++;
}
c=vmRun(array);
i+=c;
}
cout<<endl<<endl<<endl<<endl;
// Keeps the console window open until a key is pressed.
getchar();
}
这不仔细看是看不出什么来的,用了个幼儿园级别的虚拟机式解释函数vmRun来解释code
真实算法翻译成伪代码:
Put Name inArray;//Array {2 3 4 56 7 8 9}= and111=and222…=and888 …算法(SF)1
=+sin( )//sin取整=+sin( )…=+sin( )…SF2
=53+4*sin( )//+后结果取整sin结果保留小数=53+4*sin( )…=53+4*sin( )…SF3//至此中保留8位1-9字符的ASCII码(49-57)即accesscode//明码...
简单说说这个解释器吧,main中循环抽取code中的指令(均已乘以1234,取出时除以1234还原),一次抽取10个放在array里,丢给vmRun解释:Array info:
1 2 3 4 5 6 7 8 9 10
Type data data data data data data data data data
其中:
Type   Func  |  data  Func
31     cout  |  0     endl
32     cin   |  1234  useless
61     SF1
62     SF2
63     SF3
65-72  chk
vmRun函数里头的cin/cout由第1位的31/32带过,接着便是61/62/63的三个算法,代码里头都能看清楚
最后便是check结果了,当1位是65-72时,通过检查输入的值与算出的值的异同,来设定vmRun的返回值,如果相同(即正确),则返回第10位(20),否则返回第9位(10),vmRun的返回值作为main()中for()的跳转。
根据算法可以找到爆破处(将code中的65-72中的第九位换成20就OK啦),
65*1234=80210=01 39 52
从此处开始搜索12340(10*1234),8处替换为24680(20*1234十六68 60)即可完成爆破保存文件如下(把upx脱了或者直接内存补丁)
爆破结果:
同样也可以追码(明码硬伤),
code hex转int:
锁定32(cin *1234后为39488)输入name "xuepojie."之后发现:
ascii码翻译过来为21851887,输入AccessCode即可
当然这是我知道源码的情况下OD中逆向,不知道源码也可以稍稍分析下,IDA可以逆出main中的算法,不过由于vmRun虚拟处理了下,爆破的话就只能从CODE里头下手咯。。。追码什么的,简单了,已经在上文说明了。END
ps.@Shark恒恒大,discuz论坛转帖子感觉都挺麻烦的,尤其是图片,嘿嘿,52的水印留着,不碍事儿哈对了,上次来论坛还没开放CM区呢{:7_242:}
是啊,你好久没来了。 Shark恒 发表于 2015-6-17 13:27
是啊,你好久没来了。
哎哟,难得有个帖子admin还跟我抢绩效