我是用户
Posted on 2013-7-3 21:02
This post was last edited by 我是用户 on 2013-7-15 18:47
[Software name]: MS Word Split
[Author's email]: 2714608453@qq.com
[Download]: see attachment
[Software language]: VB
[Tools used]: OD
[Platform]: XP SP2
[Author's note]: Just out of interest, no other purpose. Please correct me where I have made mistakes!
1. Checking for a packer
It is VB, no doubt about it.
2. Patching.
Open the program and the registration window appears.
See figure 1:
Click EnterLicense, enter a fake code, click OK: no response.
See figure 2:
Note here that the window where the fake code is entered is actually created by rtcInputBox, so we set a breakpoint on that function, then click EnterLicense again, and the program breaks.
See figure 3:
We set a breakpoint on the line after rtcInputBox, enter the fake code 1234567890, click OK, and the program breaks.
See figure 4:
0040CD9F . 8BD0 mov edx,eax
0040CDA1 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0040CDA4 . FFD6 call esi ; MSVBVM60.73470000
0040CDA6 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
0040CDA9 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040CDAC . 50 push eax
0040CDAD . 51 push ecx ; ntdll.7C93005D
0040CDAE . 6A 02 push 0x2
0040CDB0 . FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0040CDB6 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
0040CDBC . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
0040CDC2 . 52 push edx
0040CDC3 . 8D4D 8C lea ecx,dword ptr ss:[ebp-0x74]
0040CDC6 . 50 push eax
0040CDC7 . 8D55 9C lea edx,dword ptr ss:[ebp-0x64]
0040CDCA . 51 push ecx ; ntdll.7C93005D
0040CDCB . 8D45 AC lea eax,dword ptr ss:[ebp-0x54]
0040CDCE . 52 push edx
0040CDCF . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
0040CDD2 . 50 push eax
0040CDD3 . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
0040CDD6 . 51 push ecx ; ntdll.7C93005D
0040CDD7 . 52 push edx
0040CDD8 . 6A 07 push 0x7
0040CDDA . FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040CDE0 . 83C4 2C add esp,0x2C
0040CDE3 . 8D8D DCFEFFFF lea ecx,dword ptr ss:[ebp-0x124]
0040CDE9 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
0040CDEC . C785 DCFEFFFF>mov dword ptr ss:[ebp-0x124],0x4008
0040CDF6 . 51 push ecx ; ntdll.7C93005D
0040CDF7 . 8985 E4FEFFFF mov dword ptr ss:[ebp-0x11C],eax
0040CDFD . FF15 08114000 call dword ptr ds:[<&MSVBVM60.#rtcIsNume>; MSVBVM60.rtcIsNumeric
0040CE03 . 66:3D FFFF cmp ax,0xFFFF
0040CE07 . 0F85 80050000 jnz MS_Word_.0040D38D ; checks whether the input is numeric; if not, jumps to failure
0040CE0D . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
0040CE10 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040CE13 . FF15 B4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0040CE19 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
0040CE1C . 52 push edx
0040CE1D . E8 5EDEFFFF call MS_Word_.0040AC80 ; algorithm CALL
0040CE22 . 33C9 xor ecx,ecx ; ntdll.7C93005D
0040CE24 . 66:3D FFFF cmp ax,0xFFFF ; ax=0xFFFF means registration succeeded
0040CE28 . 0F94C1 sete cl
0040CE2B . F7D9 neg ecx ; ntdll.7C93005D
0040CE2D . 66:8BF1 mov si,cx
0040CE30 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040CE33 . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040CE39 . 66:3BF7 cmp si,di
0040CE3C . 0F84 4B050000 je MS_Word_.0040D38D ; jumps on failure
0040CE42 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
0040CE45 . 52 push edx ; /szValue = 4C5000E7 ???
0040CE46 . 68 B4814000 push MS_Word_.004081B4 ; |szKey = "Key"
0040CE4B . 68 106D4000 push MS_Word_.00406D10 ; |Section = "MS Word Split (Divide, Save) Pages Into Separate Files Software"
0040CE50 . 68 9C814000 push MS_Word_.0040819C ; |APPName = "Sobolsoft"
0040CE55 . FF15 04104000 call dword ptr ds:[<&MSVBVM60.#rtcSaveSe>; \rtcSaveSetting
0040CE5B . 393D 38964100 cmp dword ptr ds:[0x419638],edi
0040CE61 . 75 10 jnz short MS_Word_.0040CE73
0040CE63 . 68 38964100 push MS_Word_.00419638
0040CE68 . 68 287C4000 push MS_Word_.00407C28
0040CE6D . FF15 A8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0040CE73 > A1 54904100 mov eax,dword ptr ds:[0x419054]
0040CE78 . 8B35 38964100 mov esi,dword ptr ds:[0x419638]
0040CE7E . 3BC7 cmp eax,edi
0040CE80 . 89B5 7CFEFFFF mov dword ptr ss:[ebp-0x184],esi ; MSVBVM60.73470000
0040CE86 . 75 10 jnz short MS_Word_.0040CE98
0040CE88 . 68 54904100 push MS_Word_.00419054
0040CE8D . 68 645B4000 push MS_Word_.00405B64
0040CE92 . FF15 A8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0040CE98 > A1 54904100 mov eax,dword ptr ds:[0x419054]
0040CE9D . 8B36 mov esi,dword ptr ds:[esi]
0040CE9F . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040CEA2 . 50 push eax
0040CEA3 . 51 push ecx ; ntdll.7C93005D
0040CEA4 . FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSetAddref
0040CEAA . 8BD6 mov edx,esi ; MSVBVM60.73470000
0040CEAC . 8BB5 7CFEFFFF mov esi,dword ptr ss:[ebp-0x184]
0040CEB2 . 50 push eax
0040CEB3 . 56 push esi ; MSVBVM60.73470000
0040CEB4 . FF52 10 call dword ptr ds:[edx+0x10]
0040CEB7 . 3BC7 cmp eax,edi
0040CEB9 . DBE2 fclex
0040CEBB . 7D 0F jge short MS_Word_.0040CECC
0040CEBD . 6A 10 push 0x10
0040CEBF . 68 187C4000 push MS_Word_.00407C18
0040CEC4 . 56 push esi ; MSVBVM60.73470000
0040CEC5 . 50 push eax
0040CEC6 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040CECC > 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040CECF . FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040CED5 . 393D 20904100 cmp dword ptr ds:[0x419020],edi
0040CEDB . 75 10 jnz short MS_Word_.0040CEED
0040CEDD . 68 20904100 push MS_Word_.00419020
0040CEE2 . 68 78604000 push MS_Word_.00406078
0040CEE7 . FF15 A8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0040CEED > 8B35 20904100 mov esi,dword ptr ds:[0x419020]
From the code above we can see:
The registration code must be purely numeric, which will show up again in the algorithm analysis. If the registration code is valid, ax=0xFFFF and the code is then saved to the registry; otherwise it jumps to failure.
For patching, changing 0040CE3C alone is not enough, because the program calls the algorithm CALL in other places as well, so we just need to make the algorithm CALL return ax=0xFFFF no matter when it is called.
But this program uses a plaintext comparison, so we can simply trace the real code directly.
3. Tracing the code
Enter the key CALL
0040AC80 $ 55 push ebp
0040AC81 . 8BEC mov ebp,esp
0040AC83 . 83EC 08 sub esp,0x8
0040AC86 . 68 16174000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0040AC8B . 64:A1 0000000>mov eax,dword ptr fs:[0]
0040AC91 . 50 push eax
0040AC92 . 64:8925 00000>mov dword ptr fs:[0],esp
0040AC99 . 83EC 34 sub esp,0x34
0040AC9C . 53 push ebx
0040AC9D . 56 push esi ; MSVBVM60.73470000
0040AC9E . 57 push edi
0040AC9F . 8965 F8 mov dword ptr ss:[ebp-0x8],esp
0040ACA2 . C745 FC 80124>mov dword ptr ss:[ebp-0x4],MS_Word_.0040>
0040ACA9 . 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8]
0040ACAC . 33C0 xor eax,eax
0040ACAE . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0040ACB1 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
0040ACB4 . 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
0040ACB7 . 895D DC mov dword ptr ss:[ebp-0x24],ebx
0040ACBA . 50 push eax
0040ACBB . C745 D4 08400>mov dword ptr ss:[ebp-0x2C],0x4008
0040ACC2 . FF15 08114000 call dword ptr ds:[<&MSVBVM60.#rtcIsNume>; MSVBVM60.rtcIsNumeric
0040ACC8 . 66:3D FFFF cmp ax,0xFFFF
0040ACCC . 0F85 86000000 jnz MS_Word_.0040AD58 ; checks once more whether the input is all numeric
0040ACD2 . 8B0B mov ecx,dword ptr ds:[ebx] ; MS_Word_.00419EDC
0040ACD4 . 51 push ecx ; ntdll.7C93005D
0040ACD5 . 68 40764000 push MS_Word_.00407640
0040ACDA . FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0040ACE0 . 85C0 test eax,eax
0040ACE2 . 74 74 je short MS_Word_.0040AD58 ; checks whether it is empty
0040ACE4 . BF 01000000 mov edi,0x1
0040ACE9 > B8 C8000000 mov eax,0xC8
0040ACEE . 66:3BF8 cmp di,ax
0040ACF1 . 7F 65 jg short MS_Word_.0040AD58
0040ACF3 . 57 push edi
0040ACF4 . FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>; MSVBVM60.__vbaStrI2
0040ACFA . 8BD0 mov edx,eax
0040ACFC . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040ACFF . FF15 30124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040AD05 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
0040AD08 . 52 push edx
0040AD09 . E8 42FDFFFF call MS_Word_.0040AA50 ; algorithm CALL
0040AD0E . FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFpR8>>; MSVBVM60.__vbaFpR8
0040AD14 . 8B03 mov eax,dword ptr ds:[ebx] ; MS_Word_.00419EDC
0040AD16 . DD5D BC fstp qword ptr ss:[ebp-0x44]
0040AD19 . 50 push eax
0040AD1A . FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>; MSVBVM60.__vbaR8Str
0040AD20 . DC5D BC fcomp qword ptr ss:[ebp-0x44] ; set a breakpoint here: real code vs. fake code comparison
0040AD23 . DFE0 fstsw ax
0040AD25 . F6C4 40 test ah,0x40
0040AD28 . 74 07 je short MS_Word_.0040AD31
0040AD2A . BE 01000000 mov esi,0x1
0040AD2F . EB 02 jmp short MS_Word_.0040AD33
0040AD31 > 33F6 xor esi,esi ; MSVBVM60.73470000
0040AD33 > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040AD36 . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040AD3C . F7DE neg esi ; MSVBVM60.73470000
0040AD3E . 66:85F6 test si,si
0040AD41 . 74 07 je short MS_Word_.0040AD4A
0040AD43 . C745 E8 FFFFF>mov dword ptr ss:[ebp-0x18],-0x1
0040AD4A > B8 01000000 mov eax,0x1
0040AD4F . 66:03C7 add ax,di
0040AD52 . 70 2E jo short MS_Word_.0040AD82
0040AD54 . 8BF8 mov edi,eax
0040AD56 .^ EB 91 jmp short MS_Word_.0040ACE9
0040AD58 > 9B wait
0040AD59 . 68 6BAD4000 push MS_Word_.0040AD6B
0040AD5E . EB 0A jmp short MS_Word_.0040AD6A
0040AD60 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040AD63 . FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040AD69 . C3 retn
From the code above we can see:
Set a breakpoint at 0040AD20 and you obtain the real code.
See figure 5:
The real code for this software is not unique; internally it maintains an array, takes elements from that array and performs addition and multiplication on them. Anyone interested can trace through it.
Registration succeeded, see figure 6:
OK, the next installment will involve algorithm analysis, though it is also a plaintext comparison.
Portal==============================================================================
Crack Hands-on Tutorial Series - "VB Series - Lesson 1"
http://www.52pojie.cn/thread-200996-1-1.html
Crack Hands-on Tutorial Series - "VB Series - Lesson 2"
http://www.52pojie.cn/thread-201358-1-1.html
Crack Hands-on Tutorial Series - "VB Series - Lesson 3"
http://www.52pojie.cn/thread-201748-1-1.html
Crack Hands-on Tutorial Series - "VB Series - Lesson 4"
http://www.52pojie.cn/thread-202544-1-1.html
Crack Hands-on Tutorial Series - "VB Series - Lesson 5"
http://www.52pojie.cn/thread-202545-1-1.html