爆破windows snapshot maker v3.5(一款截屏软件)大牛们飘过
我是一只小菜鸟,算法分析搞不了,只能爆破,大牛们飘过。
WINSNAP暴力破解过程OD载入,运行,输入注册名和注册码,确定,出现错误提示。F12暂停,ALT+K打开堆栈,在下面的一行双击进入-------------------------------------------------------------------------地址 堆栈 函数过程/ 参数 调用来自 结构------------------------------------------------------------------------------------------0012C060 004080F0 USER32.MessageBoxW WinSnap.004080EA 0012C05C------------------------------------------------------------------------------------------在WinSnap.004080EA这里双击。来到下面-------------------------------------------------------------------------004080B0 /$56 push esi》》此处下断004080B1 |.FF15 A0624400 call dword ptrds:[<&KERNEL32.GetCurrent>; 004080B7 |.50 push eax ; /ThreadID004080B8 |.A1 E0AF4500 mov eax,dword ptr ds: ; |004080BD |.50 push eax ; |hModule=> 00400000 (WinSnap)004080BE |.68 70804000 push WinSnap.00408070 ; |Hookproc =WinSnap.00408070004080C3 |.6A 05 push 0x5 ; |HookType =WH_CBT004080C5 |.FF15 68654400 call dword ptrds:[<&USER32.SetWindowsHo>; \SetWindowsHookExW004080CB |.8B4C24 14 mov ecx,dword ptr ss:004080CF |.8B5424 10 mov edx,dword ptr ss:004080D3 |.FF05 5CB04500 inc dword ptrds:004080D9 |.51 push ecx ; /Style004080DA |.8B4C24 0C mov ecx,dword ptr ss: ; |004080DE |.A3 38AE4500 mov dword ptr ds:,eax ; |004080E3 |.8B4424 10 mov eax,dword ptr ss: ; |004080E7 |.52 push edx ; |Title004080E8 |.50 push eax ; |Text004080E9 |.51 push ecx ; |hOwner004080EA |.FF15 60654400 call dword ptrds:[<&USER32.MessageBoxW>>; \MessageBoxW//跟随到这里的下一行------------------------------------------------------------------------------------------点击错误提示框的确定,然后再重新点击注册,断下来后,看堆栈如下------------------------------------------------------------------------------------------0012C0780040823F返回到WinSnap.0040823F 来自 WinSnap.004080B0------------------------------------------------------------------------------------------取消断点后,在堆栈里这一行右键,选择“反汇编数据窗口中跟随”,来到下面------------------------------------------------------------------------------------------004081F0 /$81EC 04040000 sub esp,0x404 》》此处下断004081F6 |.A1 50204500 mov eax,dword ptr ds:004081FB 
|.33C4 xor eax,esp004081FD |.898424 000400>mov dword ptrss:,eax00408204 |.53 push ebx00408205 |.8D8424 040200>lea eax,dwordptr ss:0040820C |.50 push eax0040820D |.51 push ecx0040820E |.BB 00010000 mov ebx,0x10000408213 |.E8 F8250000 call WinSnap.0040A81000408218 |.8D5424 0C lea edx,dword ptr ss:0040821C |.52 push edx0040821D |.68 007D0000 push 0x7D0000408222 |.E8 E9250000 call WinSnap.0040A81000408227 |.68 10200100 push 0x120100040822C |.8D4424 18 lea eax,dword ptr ss:00408230 |.50 push eax00408231|.8D8C24 1C0200>lea ecx,dword ptrss:00408238 |.51 push ecx00408239 |.56 push esi0040823A |.E8 71FEFFFF call WinSnap.004080B00040823F |.8B8C24 240400>mov ecx,dwordptr ss://跟随到这里,回溯到段首,下断------------------------------------------------------------------------------------------运行,出现错误提示,点击错误提示框的确定,然后再重新点击注册,断下来后,看堆栈如下------------------------------------------------------------------------------------------0012C4A40040162B返回到WinSnap.0040162B 来自 WinSnap.004081F0------------------------------------------------------------------------------------------取消断点后,在堆栈里这一行右键,选择“反汇编数据窗口中跟随”,来到下面------------------------------------------------------------------------------------------00401430$55 push ebp》》下断00401431.8BEC mov ebp,esp00401433.6A FF push -0x100401435.68 C6494400 push WinSnap.004449C60040143A.64:A1 0000000>mov eax,dwordptr fs:00401440.50 push eax00401441.51 push ecx00401442.B8 2C1F0000 mov eax,0x1F2C00401447.E8 14EE0300 call WinSnap.004402600040144C.A1 50204500 mov eax,dword ptr ds:00401451.33C5 xor eax,ebp00401453.8945 E8 mov dword ptr ss:,eax00401456.53 push ebx00401457.56 push esi00401458.57 push edi00401459.50 push eax0040145A.8D45 F4 lea eax,dword ptr ss:0040145D.64:A3 0000000>mov dword ptrfs:,eax00401463.8965 F0 mov dword ptr ss:,esp00401466.8B45 08 mov eax,dword ptr ss:00401469.33DB xor ebx,ebx0040146B.8BF2 mov esi,edx0040146D.89B5 74E1FFFF mov dword ptrss:,esi00401473.3BCB cmp ecx,ebx00401475.0F85 74050000 jnzWinSnap.004019EF0040147B.3D 6D200000 cmp eax,0x206D ;Switch 
(cases 1..206E)00401480.0F8F 51050000 jgWinSnap.004019D700401486 7413 je XWinSnap.0040149B00401488.83E8 01 sub eax,0x10040148B.74 0E je XWinSnap.0040149B》》关键跳NOP掉 0040148D.83E8 01 sub eax,0x100401490 0F84 4C050000 je WinSnap.004019E2 》》关键跳JMP掉 00401496.E9 C0080000 jmp WinSnap.00401D5B0040149B>391D 2C974500 cmp dword ptrds:,ebx ;Cases 1,206D of switch 0040147B004014A1.0F85 5C030000 jnzWinSnap.00401803------------------------------省略若干代码--------------------------------------0040160F.899D 6CE1FFFF mov dword ptrss:,ebx00401615.E8 B68E0000 call WinSnap.0040A4D00040161A.83C4 08 add esp,0x80040161D.84C0 test al,al0040161F.75 0F jnz XWinSnap.0040163000401621.B9 347D0000 mov ecx,0x7D3400401626.E8 C56B0000 call WinSnap.004081F00040162B .E964030000 jmp WinSnap.00401994 //跟随到这里,回溯到段首,下断------------------------------------------------------------------------------------------保存一下。经过以上修改输入注册码部分被爆破掉下面还有启动软件时出现的NAG注册窗口将修改保存后的文件OD载入,运行,出现NAG窗口。F12暂停,ALT+K打开堆栈,在下面的一行双击进入------------------------------------------------------------------------------------------地址 堆栈 函数过程/ 参数 调用来自 结构------------------------------------------------------------------------------------------0012EA0C 004013DD USER32.DialogBoxParamW WinSnap.004013D7 0012EA08------------------------------------------------------------------------------------------在WinSnap.004013D7这里双击进入,来到------------------------------------------------------------------------------------------00401399.FF15 F0644400 call dword ptrds:[<&USER32.IsWindow>] ;\IsWindow0040139F.85C0 test eax,eax004013A1.74 13 je XWinSnap.004013B6 》》关键跳NOP掉004013A3.A1 30AD4500 mov eax,dword ptr ds:004013A8.6A 01 push 0x1004013AA.E8 31710000 call WinSnap.004084E0004013AF.83C4 04 add esp,0x4004013B2.8BC6 mov eax,esi004013B4.5E pop esi004013B5.C3 retn004013B6 >8B35 E8AF4500 mov esi,dword ptr ds:004013BC.8B0D E0AF4500 mov ecx,dword ptrds: ;WinSnap.00400000004013C2.FF05 5CB04500 inc dword ptrds:004013C8.57 push edi004013C9.6A 05 push 0x5 ; /lParam =00000005004013CB.68 
80214000 push WinSnap.00402180 ; |DlgProc =WinSnap.00402180
004013D0.56 push esi ; |hOwner=> 00130220 ('Windows Snapshot Maker v3.5',class='#32770',parent=001301C0)
004013D1.68 B7000000 push 0xB7 ; |pTemplate =B7
004013D6.51 push ecx ; |hInst =>00400000
004013D7.FF15 80654400 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamW //跟随到此处,向上回溯
------------------------------------------------------------------------------------------
经过观察发现 004013A1 .7413 je XWinSnap.004013B6 直接跳到了 004013B6>8B35 E8AF4500 mov esi,dword ptr ds: ,从而出现了NAG窗口。因此将上面的JE改成NOP就去掉了NAG窗口。
总结:
1、个人认为,F12暂停调用堆栈法处理NAG窗口和提示框都很好用。
2、仔细认真的跟踪分析,加上耐心、细心,是破解时不可缺少的。
后记:我是一只很菜的小菜鸟,希望大家多多关照。
沙发还是自己坐 不错的教程 还不错的教程,楼主辛苦 这菜鸟也太强了·!~
好强的菜鸟呀,向你学习! 不错的教程,支持楼主 很好的东西学习了哈。 学习了 谢谢楼主!