Crack Practical Series Tutorials - VB Series, Lesson 4
This post was last edited by 我是用户 on 2013-7-15 18:47.
[Software name]: MS Word Split
[Author's e-mail]: 2714608453@qq.com
[Download]: see attachment
[Software language]: VB
[Tools used]: OD (OllyDbg)
[Platform]: XP SP2
[Author's note]: Done purely out of interest, for no other purpose. Corrections of any mistakes are welcome!
1. Packer check
It is VB, no packer.
2. Patching
Start the program; the registration window appears.
Figure 1:
Click EnterLicense, enter a fake code, press OK: no reaction.
Figure 2:
Note that the dialog asking for the code is created by rtcInputBox, so set a breakpoint on that function and click EnterLicense again; the program breaks.
Figure 3:
Set a breakpoint on the line after the rtcInputBox call, enter the fake code 1234567890, press OK, and the program breaks there.
Figure 4:
0040CD9F .8BD0 mov edx,eax
0040CDA1 .8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0040CDA4 .FFD6 call esi ;MSVBVM60.73470000
0040CDA6 .8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
0040CDA9 .8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040CDAC .50 push eax
0040CDAD .51 push ecx ;ntdll.7C93005D
0040CDAE .6A 02 push 0x2
0040CDB0 .FF15 C4114000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStrList
0040CDB6 .8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
0040CDBC .8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]
0040CDC2 .52 push edx
0040CDC3 .8D4D 8C lea ecx,dword ptr ss:[ebp-0x74]
0040CDC6 .50 push eax
0040CDC7 .8D55 9C lea edx,dword ptr ss:[ebp-0x64]
0040CDCA .51 push ecx ;ntdll.7C93005D
0040CDCB .8D45 AC lea eax,dword ptr ss:[ebp-0x54]
0040CDCE .52 push edx
0040CDCF .8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
0040CDD2 .50 push eax
0040CDD3 .8D55 CC lea edx,dword ptr ss:[ebp-0x34]
0040CDD6 .51 push ecx ;ntdll.7C93005D
0040CDD7 .52 push edx
0040CDD8 .6A 07 push 0x7
0040CDDA .FF15 34104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
0040CDE0 .83C4 2C add esp,0x2C
0040CDE3 .8D8D DCFEFFFF lea ecx,dword ptr ss:[ebp-0x124]
0040CDE9 .8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
0040CDEC .C785 DCFEFFFF>mov dword ptr ss:[ebp-0x124],0x4008
0040CDF6 .51 push ecx ;ntdll.7C93005D
0040CDF7 .8985 E4FEFFFF mov dword ptr ss:[ebp-0x11C],eax
0040CDFD .FF15 08114000 call dword ptr ds:[<&MSVBVM60.#rtcIsNume>;MSVBVM60.rtcIsNumeric
0040CE03 .66:3D FFFF cmp ax,0xFFFF
0040CE07 .0F85 80050000 jnz MS_Word_.0040D38D ; is the input numeric? if not, jump to failure
0040CE0D .8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
0040CE10 .8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040CE13 .FF15 B4114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
0040CE19 .8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
0040CE1C .52 push edx
0040CE1D .E8 5EDEFFFF call MS_Word_.0040AC80 ; algorithm CALL
0040CE22 .33C9 xor ecx,ecx ;ntdll.7C93005D
0040CE24 .66:3D FFFF cmp ax,0xFFFF ; ax=0xFFFF means registration succeeded
0040CE28 .0F94C1 sete cl
0040CE2B .F7D9 neg ecx ;ntdll.7C93005D
0040CE2D .66:8BF1 mov si,cx
0040CE30 .8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040CE33 .FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0040CE39 .66:3BF7 cmp si,di
0040CE3C .0F84 4B050000 je MS_Word_.0040D38D ; jump on failure
0040CE42 .8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
0040CE45 .52 push edx ; /szValue = 4C5000E7 ???
0040CE46 .68 B4814000 push MS_Word_.004081B4 ; |szKey = "Key"
0040CE4B .68 106D4000 push MS_Word_.00406D10 ; |Section = "MS Word Split (Divide, Save) Pages Into Separate Files Software"
0040CE50 .68 9C814000 push MS_Word_.0040819C ; |APPName = "Sobolsoft"
0040CE55 .FF15 04104000 call dword ptr ds:[<&MSVBVM60.#rtcSaveSe>; \rtcSaveSetting
0040CE5B .393D 38964100 cmp dword ptr ds:[0x419638],edi
0040CE61 .75 10 jnz short MS_Word_.0040CE73
0040CE63 .68 38964100 push MS_Word_.00419638
0040CE68 .68 287C4000 push MS_Word_.00407C28
0040CE6D .FF15 A8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
0040CE73 >A1 54904100 mov eax,dword ptr ds:[0x419054]
0040CE78 .8B35 38964100 mov esi,dword ptr ds:[0x419638]
0040CE7E .3BC7 cmp eax,edi
0040CE80 .89B5 7CFEFFFF mov dword ptr ss:[ebp-0x184],esi ;MSVBVM60.73470000
0040CE86 .75 10 jnz short MS_Word_.0040CE98
0040CE88 .68 54904100 push MS_Word_.00419054
0040CE8D .68 645B4000 push MS_Word_.00405B64
0040CE92 .FF15 A8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
0040CE98 >A1 54904100 mov eax,dword ptr ds:[0x419054]
0040CE9D .8B36 mov esi,dword ptr ds:[esi]
0040CE9F .8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040CEA2 .50 push eax
0040CEA3 .51 push ecx ;ntdll.7C93005D
0040CEA4 .FF15 A4104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>;MSVBVM60.__vbaObjSetAddref
0040CEAA .8BD6 mov edx,esi ;MSVBVM60.73470000
0040CEAC .8BB5 7CFEFFFF mov esi,dword ptr ss:[ebp-0x184]
0040CEB2 .50 push eax
0040CEB3 .56 push esi ;MSVBVM60.73470000
0040CEB4 .FF52 10 call dword ptr ds:[edx+0x10]
0040CEB7 .3BC7 cmp eax,edi
0040CEB9 .DBE2 fclex
0040CEBB .7D 0F jge short MS_Word_.0040CECC
0040CEBD .6A 10 push 0x10
0040CEBF .68 187C4000 push MS_Word_.00407C18
0040CEC4 .56 push esi ;MSVBVM60.73470000
0040CEC5 .50 push eax
0040CEC6 .FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
0040CECC >8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
0040CECF .FF15 54124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>;MSVBVM60.__vbaFreeObj
0040CED5 .393D 20904100 cmp dword ptr ds:[0x419020],edi
0040CEDB .75 10 jnz short MS_Word_.0040CEED
0040CEDD .68 20904100 push MS_Word_.00419020
0040CEE2 .68 78604000 push MS_Word_.00406078
0040CEE7 .FF15 A8114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
0040CEED >8B35 20904100 mov esi,dword ptr ds:[0x419020]
From the code above:
The registration code has to pass rtcIsNumeric, so it must be a numeric string (the same check is repeated inside the algorithm CALL; note that IsNumeric also accepts a sign, a decimal point and exponent notation, so "pure digits" is a simplification, and the final comparison is done on the Double value). If the code is correct the algorithm CALL returns ax = 0xFFFF, and the code is written to the registry by rtcSaveSetting (app name "Sobolsoft", key "Key"); otherwise the je at 0040CE3C jumps to the failure path at 0040D38D.
For a patch, changing the je at 0040CE3C alone is not enough, because the algorithm CALL is also invoked from other places in the program; the clean way is to make the algorithm CALL return ax = 0xFFFF no matter what it is given.
But this program compares the codes in the clear, so we can simply sniff the real code instead.
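Added example (not from the original post): a Python patcher that implements the "make the algorithm CALL always return ax = 0xFFFF" idea from above. The stub mov ax,0xFFFF / retn 4 is written at 0040AC80, i.e. before the routine installs its SEH frame and saves registers; retn 4 is inferred from the caller at 0040CE1D (push edx / call with no add esp afterwards, so the callee cleans one 4-byte argument). The VA-to-file-offset mapping walks the PE section table and the patcher refuses to write unless the bytes at the target are the prologue seen in the listing. The image it is run on here is a constructed minimal PE32, not the real MS Word Split binary; its section layout and file offsets are assumptions made for the demo.

```python
import struct

IMAGE_BASE = 0x00400000
TARGET_VA = 0x0040AC80                              # entry of the "algorithm CALL" (from the listing)
ORIGINAL_PROLOGUE = bytes.fromhex("558BEC83EC08")   # push ebp / mov ebp,esp / sub esp,0x8 (from the listing)
# 66 B8 FF FF  mov ax,0xFFFF   -> callers test ax against 0xFFFF
# C2 04 00     retn 4          -> stdcall, one argument, inferred from the caller at 0040CE1D
PATCH = bytes.fromhex("66B8FFFFC20400")


def sections(pe: bytes):
    """Parse a PE32 header; returns (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)          # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)     # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base, = struct.unpack_from("<I", pe, opt + 28)        # OptionalHeader.ImageBase
    first = opt + opt_size
    out = []
    for k in range(nsec):
        h = first + 40 * k
        name = pe[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, h + 8)
        out.append((name, va, vsize, rptr, rsize))
    return image_base, out


def va_to_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to the file offset holding its bytes."""
    image_base, secs = sections(pe)
    rva = va - image_base
    for name, sva, vsize, rptr, rsize in secs:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                raise ValueError(f"{va:#x} lies in the zero-filled tail of {name}; nothing to patch on disk")
            return rptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def patch_key_check(pe: bytes) -> bytes:
    """Return a copy of the image with the routine at TARGET_VA replaced by the always-true stub."""
    off = va_to_offset(pe, TARGET_VA)
    if pe[off:off + len(ORIGINAL_PROLOGUE)] != ORIGINAL_PROLOGUE:
        raise ValueError("unexpected bytes at target: wrong file, or already patched")
    return pe[:off] + PATCH + pe[off + len(PATCH):]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the real program): one .text section mapped at RVA 0x1000
    from file offset 0x400, with the listing's prologue placed at 0040AC80."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x10000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", text_size, text_rva, text_size,
                                       text_raw, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + bytes(opt) + sec
    hdr += b"\0" * (text_raw - len(hdr))
    body = bytearray(b"\xCC" * text_size)
    at = TARGET_VA - IMAGE_BASE - text_rva
    body[at:at + len(ORIGINAL_PROLOGUE)] = ORIGINAL_PROLOGUE
    return hdr + bytes(body)


if __name__ == "__main__":
    image = build_sample_pe()
    print(f"0040AC80 -> file offset {va_to_offset(image, TARGET_VA):#x}")
    patched = patch_key_check(image)
    print(patched[va_to_offset(image, TARGET_VA):][:7].hex())
```

To apply it to a real file, read the executable into `pe`, write out `patch_key_check(pe)` under a new name and confirm in OD that the first instruction at 0040AC80 is now mov ax,0xFFFF. The prologue check is what keeps the tool from silently writing into a different build of the program.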
3. Sniffing the real code
Enter the key CALL:
0040AC80 $55 push ebp
0040AC81 .8BEC mov ebp,esp
0040AC83 .83EC 08 sub esp,0x8
0040AC86 .68 16174000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SEH handler install
0040AC8B .64:A1 0000000>mov eax,dword ptr fs:[0]
0040AC91 .50 push eax
0040AC92 .64:8925 00000>mov dword ptr fs:[0],esp
0040AC99 .83EC 34 sub esp,0x34
0040AC9C .53 push ebx
0040AC9D .56 push esi ;MSVBVM60.73470000
0040AC9E .57 push edi
0040AC9F .8965 F8 mov dword ptr ss:[ebp-0x8],esp
0040ACA2 .C745 FC 80124>mov dword ptr ss:[ebp-0x4],MS_Word_.0040>
0040ACA9 .8B5D 08 mov ebx,dword ptr ss:[ebp+0x8]
0040ACAC .33C0 xor eax,eax
0040ACAE .8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0040ACB1 .8945 E8 mov dword ptr ss:[ebp-0x18],eax
0040ACB4 .8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
0040ACB7 .895D DC mov dword ptr ss:[ebp-0x24],ebx
0040ACBA .50 push eax
0040ACBB .C745 D4 08400>mov dword ptr ss:[ebp-0x2C],0x4008
0040ACC2 .FF15 08114000 call dword ptr ds:[<&MSVBVM60.#rtcIsNume>;MSVBVM60.rtcIsNumeric
0040ACC8 .66:3D FFFF cmp ax,0xFFFF
0040ACCC .0F85 86000000 jnz MS_Word_.0040AD58 ; check once more that the input is numeric
0040ACD2 .8B0B mov ecx,dword ptr ds:[ebx] ;MS_Word_.00419EDC
0040ACD4 .51 push ecx ;ntdll.7C93005D
0040ACD5 .68 40764000 push MS_Word_.00407640
0040ACDA .FF15 F8104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp
0040ACE0 .85C0 test eax,eax
0040ACE2 .74 74 je short MS_Word_.0040AD58 ; compare against the empty string
0040ACE4 .BF 01000000 mov edi,0x1
0040ACE9 >B8 C8000000 mov eax,0xC8
0040ACEE .66:3BF8 cmp di,ax
0040ACF1 .7F 65 jg short MS_Word_.0040AD58
0040ACF3 .57 push edi
0040ACF4 .FF15 08104000 call dword ptr ds:[<&MSVBVM60.__vbaStrI2>;MSVBVM60.__vbaStrI2
0040ACFA .8BD0 mov edx,eax
0040ACFC .8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040ACFF .FF15 30124000 call dword ptr ds:[<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
0040AD05 .8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
0040AD08 .52 push edx
0040AD09 .E8 42FDFFFF call MS_Word_.0040AA50 ; algorithm CALL
0040AD0E .FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFpR8>>;MSVBVM60.__vbaFpR8
0040AD14 .8B03 mov eax,dword ptr ds:[ebx] ;MS_Word_.00419EDC
0040AD16 .DD5D BC fstp qword ptr ss:[ebp-0x44]
0040AD19 .50 push eax
0040AD1A .FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>;MSVBVM60.__vbaR8Str
0040AD20 .DC5D BC fcomp qword ptr ss:[ebp-0x44] ; break here: real code vs entered code
0040AD23 .DFE0 fstsw ax
0040AD25 .F6C4 40 test ah,0x40
0040AD28 .74 07 je short MS_Word_.0040AD31
0040AD2A .BE 01000000 mov esi,0x1
0040AD2F .EB 02 jmp short MS_Word_.0040AD33
0040AD31 >33F6 xor esi,esi ;MSVBVM60.73470000
0040AD33 >8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040AD36 .FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0040AD3C .F7DE neg esi ;MSVBVM60.73470000
0040AD3E .66:85F6 test si,si
0040AD41 .74 07 je short MS_Word_.0040AD4A
0040AD43 .C745 E8 FFFFF>mov dword ptr ss:[ebp-0x18],-0x1
0040AD4A >B8 01000000 mov eax,0x1
0040AD4F .66:03C7 add ax,di
0040AD52 .70 2E jo short MS_Word_.0040AD82
0040AD54 .8BF8 mov edi,eax
0040AD56 .^ EB 91 jmp short MS_Word_.0040ACE9
0040AD58 >9B wait
0040AD59 .68 6BAD4000 push MS_Word_.0040AD6B
0040AD5E .EB 0A jmp short MS_Word_.0040AD6A
0040AD60 .8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040AD63 .FF15 58124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;MSVBVM60.__vbaFreeStr
0040AD69 .C3 retn
From the code above:
Set a breakpoint at 0040AD20 and you get the real code: fcomp compares the Double the algorithm CALL produced for the current index (stored at [ebp-0x44] by fstp) with the entered string converted by __vbaR8Str; test ah,0x40 reads the C3 flag, which is set only when the two are equal.
Figure 5:
The real code for this software is not unique: the loop runs edi from 1 to 0xC8 (200) and calls the algorithm CALL on each index as a string, so every index yields its own valid code. Internally the program keeps an array, picks elements out of it and combines them with additions and multiplications; anyone interested can trace it.
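Added example (not the author's code): a Python model of the routine at 0040AC80 as read from the listing above: the rtcIsNumeric gate, the empty-string check, the loop over indices 1..200, and an equality test between two Doubles. The generator at 0040AA50 is not shown on this page, so a constructed table of values stands in for its output, and Python's float() plus a regex stand in for __vbaR8Str and rtcIsNumeric (assumptions stated in the code). It shows two consequences of comparing as Double that the listing alone does not make obvious: several spellings of one number are all accepted, and above 2^53 distinct decimal strings collapse to the same value.

```python
import re

# Approximation of MSVBVM60.rtcIsNumeric for plain decimal text: optional sign, digits,
# optional fraction and exponent, surrounding whitespace. The real function also accepts
# locale separators and &H/&O literals; those are left out (assumption, not from the post).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")


def rtc_is_numeric(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def vba_r8_str(s: str) -> float:
    # Stand-in for __vbaR8Str (String -> Double). Assumes Python's float() rounds the same
    # way as the VB runtime (nearest IEEE-754 double).
    return float(s.strip())


# Constructed stand-in for the generator at 0040AA50, whose Double result __vbaFpR8 leaves
# in [ebp-0x44]. The post does not show that routine; these values are invented for the demo.
SAMPLE_CODES = {i: float(1_000_003 * i + 7) for i in range(1, 0xC8 + 1)}
SAMPLE_CODES[200] = float(2**53 + 1)   # above 2^53 on purpose, to show precision loss


def check_key(user_input: str, code_for_index) -> bool:
    """Model of the routine at 0040AC80: True (ax = 0xFFFF) when the entered string,
    converted to Double, equals the Double generated for any index 1..200."""
    if not rtc_is_numeric(user_input):     # 0040ACC2/0040ACCC: rtcIsNumeric, jnz -> fail
        return False
    if user_input == "":                   # 0040ACDA/0040ACE2: __vbaStrCmp against "" (as the post reads it)
        return False
    entered = vba_r8_str(user_input)       # 0040AD1A: __vbaR8Str on the entered string
    result = False                         # [ebp-0x18], zeroed at 0040ACB1
    for i in range(1, 0xC8 + 1):           # 0040ACE4..0040AD56: di runs 1..200
        real = code_for_index(i)           # 0040AD09/0040AD0E: algorithm CALL on CStr(i), as Double
        if entered == real:                # 0040AD20..0040AD28: fcomp / fstsw / test ah,0x40 (C3 = equal)
            result = True                  # 0040AD43: [ebp-0x18] = -1; the loop does not break
    return result


def accepted_variants(candidates, code_for_index):
    """Which of several spellings of a code the check lets through."""
    return [c for c in candidates if check_key(c, code_for_index)]


if __name__ == "__main__":
    lookup = SAMPLE_CODES.__getitem__
    # All of these parse to the Double 1000010.0, so all pass although only the first is pure digits.
    print(accepted_variants(["1000010", "1000010.0", "1.00001e6", " +1000010 ", "1000010x", ""], lookup))
    # 2^53+1 is not representable: both strings round to the same Double and both pass.
    print(accepted_variants(["9007199254740992", "9007199254740993"], lookup))
```

The practical point for the sniffing step: the value you read at 0040AD20 is a Double, so the "real code" is whatever decimal string __vbaR8Str turns into that Double, and with 200 indices there are at least 200 of them.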
Registration succeeded, Figure 6:
OK. The next lesson will get into algorithm analysis, although that one is also a plaintext comparison.
Links ==============================================================================
Crack Practical Series Tutorials - VB Series, Lesson 1
http://www.52pojie.cn/thread-200996-1-1.html
Crack Practical Series Tutorials - VB Series, Lesson 2
http://www.52pojie.cn/thread-201358-1-1.html
Crack Practical Series Tutorials - VB Series, Lesson 3
http://www.52pojie.cn/thread-201748-1-1.html
Crack Practical Series Tutorials - VB Series, Lesson 4
http://www.52pojie.cn/thread-202544-1-1.html
Crack Practical Series Tutorials - VB Series, Lesson 5
http://www.52pojie.cn/thread-202545-1-1.html
Replies:
Respect to the master!
Respect to the master once again
Worth learning...
Supporting first, then reading. This course really is a case of reviewing the old to learn the new.
Can't give points any more, so replying to show support
Thank you for the tutorial
I seem to be able to follow some of this tutorial series
Thanks to the OP for sharing, learning, learning!