轻羽网络验证 幻镜 - a simple jump patch on the unpacked binary
【Title】: 轻羽网络验证 幻镜 - a simple jump patch on the unpacked binary    【Author】: Crack_Qs
【Author's email】: qs#ff0000.cc (replace # with @)
【Download】: http://www.52pojie.cn/thread-210424-1-1.html
【Tools used】: OllyDBG
【Platform】: Windows 8
【Author's note】: Not packed, just having some fun. The verification flow feels a lot like an earlier version of CC, though it has definitely been modified (I don't really understand it, so don't laugh if I'm wrong)!
--------------------------------------------------------------------------------
【Walkthrough】
004021DC     55               push ebp                              ; verification-connect routine: simply retn-ing it out disables the login button
004021DD  |. 8BEC             mov ebp,esp
004021DF  |. 81EC 08000000    sub esp,0x8
004021E5  |. EB 10            jmp X客户端.004021F7
004021E7  |. 56 4D 50 72 6>   ascii "VMProtect begin",0
004021F7  |> C705 34614B00>   mov dword ptr ds:[0x4B6134],0x1
00402201  |. C705 38614B00>   mov dword ptr ds:[0x4B6138],0x0
0040280F  /. 55               push ebp                              ; button event handler
00402810  |. 8BEC             mov ebp,esp
00402812  |. 81EC 08000000    sub esp,0x8
00402818  |. EB 10            jmp X客户端.0040282A
0040281A  |. 56 4D 50 72 6>   ascii "VMProtect begin",0
0040282A  |> 6A FF            push -0x1
0040282C  |. 6A 08            push 0x8
0040282E  |. 68 54000116      push 0x16010054
00402833  |. 68 01000152      push 0x52010001
00402838  |. E8 70110000      call 客户端.004039AD                   ; read the username box
0040283D  |. 83C4 10          add esp,0x10
00402840  |. 8945 FC          mov dword ptr ss:[ebp-0x4],eax
00402843  |. 68 98624700      push 客户端.00476298
00402848  |. FF75 FC          push dword ptr ss:[ebp-0x4]
0040284B  |. E8 B4E7FFFF      call 客户端.00401004
00402850  |. 83C4 08          add esp,0x8
00402853  |. 83F8 00          cmp eax,0x0
00402856  |. B8 00000000      mov eax,0x0
0040285B  |. 0F94C0           sete al
0040285E  |. 8945 F8          mov dword ptr ss:[ebp-0x8],eax
00402861  |. 8B5D FC          mov ebx,dword ptr ss:[ebp-0x4]
00402864  |. 85DB             test ebx,ebx
00402866  |. 74 09            je X客户端.00402871
00402868  |. 53               push ebx
00402869  |. E8 27110000      call 客户端.00403995
0040286E  |. 83C4 04          add esp,0x4
00402871  |> 837D F8 00       cmp dword ptr ss:[ebp-0x8],0x0        ; is the username empty?
00402875  |. 0F84 35000000    je 客户端.004028B0
0040287B  |. 6A 00            push 0x0
0040287D  |. 6A 00            push 0x0
0040287F  |. 6A 00            push 0x0
00402881  |. 68 01030080      push 0x80000301
00402886  |. 6A 00            push 0x0
00402888  |. 68 00000000      push 0x0
0040288D  |. 68 04000080      push 0x80000004
00402892  |. 6A 00            push 0x0
00402894  |. 68 99624700      push 客户端.00476299
00402899  |. 68 03000000      push 0x3
0040289E  |. BB 60454000      mov ebx,客户端.00404560
004028A3  |. E8 FF100000      call 客户端.004039A7
004028A8  |. 83C4 28          add esp,0x28
004028AB  |. E9 8B000000      jmp 客户端.0040293B
004028B0  |> 6A FF            push -0x1
004028B2  |. 6A 08            push 0x8
004028B4  |. 68 57000116      push 0x16010057
004028B9  |. 68 01000152      push 0x52010001
004028BE  |. E8 EA100000      call 客户端.004039AD                   ; read the password box
004028C3  |. 83C4 10          add esp,0x10
004028C6  |. 8945 FC          mov dword ptr ss:[ebp-0x4],eax
004028C9  |. 68 98624700      push 客户端.00476298
004028CE  |. FF75 FC          push dword ptr ss:[ebp-0x4]
004028D1  |. E8 2EE7FFFF      call 客户端.00401004
004028D6  |. 83C4 08          add esp,0x8
004028D9  |. 83F8 00          cmp eax,0x0
004028DC  |. B8 00000000      mov eax,0x0
004028E1  |. 0F94C0           sete al
004028E4  |. 8945 F8          mov dword ptr ss:[ebp-0x8],eax
004028E7  |. 8B5D FC          mov ebx,dword ptr ss:[ebp-0x4]
004028EA  |. 85DB             test ebx,ebx
004028EC  |. 74 09            je X客户端.004028F7
004028EE  |. 53               push ebx
004028EF  |. E8 A1100000      call 客户端.00403995
004028F4  |. 83C4 04          add esp,0x4
004028F7  |> 837D F8 00       cmp dword ptr ss:[ebp-0x8],0x0        ; is the password empty?
004028FB  |. 0F84 35000000    je 客户端.00402936
00402901  |. 6A 00            push 0x0
00402903  |. 6A 00            push 0x0
00402905  |. 6A 00            push 0x0
00402907  |. 68 01030080      push 0x80000301
0040290C  |. 6A 00            push 0x0
0040290E  |. 68 00000000      push 0x0
00402913  |. 68 04000080      push 0x80000004
00402918  |. 6A 00            push 0x0
0040291A  |. 68 AA624700      push 客户端.004762AA
0040291F  |. 68 03000000      push 0x3
00402924  |. BB 60454000      mov ebx,客户端.00404560
00402929  |. E8 79100000      call 客户端.004039A7
0040292E  |. 83C4 28          add esp,0x28
00402931  |. E9 05000000      jmp 客户端.0040293B
00402936  |> E8 14000000      call 客户端.0040294F                   ; the call that performs the verification
0040293B  |> EB 0E            jmp X客户端.0040294B
0040293D  |. 56 4D 50 72 6>   ascii "VMProtect end",0
0040294B  |> 8BE5             mov esp,ebp
0040294D  |. 5D               pop ebp
0040294E  \. C3               retn
0040294F  /$ 55               push ebp                              ; verification routine
00402950  |. 8BEC             mov ebp,esp
00402952  |. 81EC 10000000    sub esp,0x10
00402958  |. 6A 00            push 0x0
0040295A  |. 68 01000000      push 0x1
0040295F  |. 6A FF            push -0x1
00402961  |. 6A 06            push 0x6
00402963  |. 68 59000116      push 0x16010059
00402968  |. 68 01000152      push 0x52010001
0040296D  |. E8 47100000      call 客户端.004039B9
00402972  |. 83C4 18          add esp,0x18
00402975  |. 6A FF            push -0x1
00402977  |. 6A 08            push 0x8
00402979  |. 68 54000116      push 0x16010054
0040297E  |. 68 01000152      push 0x52010001
00402983  |. E8 25100000      call 客户端.004039AD                   ; read the username
00402988  |. 83C4 10          add esp,0x10
0040298B  |. 8945 FC          mov dword ptr ss:[ebp-0x4],eax
0040298E  |. 8D45 FC          lea eax,dword ptr ss:[ebp-0x4]
00402991  |. 50               push eax
00402992  |. E8 B3E9FFFF      call 客户端.0040134A                   ; didn't step into it; presumably a routine that checks whether the username exists (POST)
...
004029CB  |. 85DB             test ebx,ebx
004029CD  |. 74 09            je X客户端.004029D8
004029CF  |. 53               push ebx
004029D0  |. E8 C00F0000      call 客户端.00403995
004029D5  |. 83C4 04          add esp,0x4
004029D8  |> 837D F4 00       cmp dword ptr ss:[ebp-0xC],0x0        ; this is clearly where the problem is
004029DC  |. 0F84 98010000    je 客户端.00402B7A                     ; NOP this out
004029E2  |. EB 10            jmp X客户端.004029F4
004029E4  |. 56 4D 50 72 6>   ascii "VMProtect begin",0
004029F4  |> E8 CBFBFFFF      call 客户端.004025C4
004029F9  |. 6A FF            push -0x1
...
00402A92  |. 85DB             test ebx,ebx
00402A94  |. 74 09            je X客户端.00402A9F
00402A96  |. 53               push ebx
00402A97  |. E8 F90E0000      call 客户端.00403995
00402A9C  |. 83C4 04          add esp,0x4
00402A9F  |> 837D F8 01       cmp dword ptr ss:[ebp-0x8],0x1
00402AA3  |. 0F85 0F000000    jnz 客户端.00402AB8                    ; NOP this out
00402AA9  |. E8 16FBFFFF      call 客户端.004025C4                   ; I don't know Easy Language, so I won't try to work out what this does
00402AAE  |. E8 1E060000      call 客户端.004030D1                   ; create the window
00402AB3  |. E9 86000000      jmp 客户端.00402B3E
00402AB8  |> 68 010100A0      push 0xA0000101
00402ABD  |. 6A 00            push 0x0
00402ABF  |. 68 28644700      push 客户端.00476428
00402AC4  |. 68 01000000      push 0x1
00402AC9  |. BB 903E4000      mov ebx,客户端.00403E90
Done. Each of the two patched instructions is a 0F 84 / 0F 85 opcode followed by a 32-bit displacement, six bytes in total, so replacing each with six NOPs keeps the instruction stream aligned; the failure branches at 00402B7A and 00402AB8 can then no longer be reached and execution always falls through to the window-creation call at 00402AAE.
The following is optional extra detail: strings visible on the stack during the verification call.
0018FCBC  005C0B70  ASCII "http://www.dnfpay.com/test/qy.php?cmd=connect&cp=密码"
0018FCC0  005C1308  ASCII "密码"
0018FCC4  005CC380  ASCII "?cmd=connect&cp="
0018FCC8  005C9508  ASCII "http://www.dnfpay.com/test/qy.php"
Note that the verification request is plain HTTP and the contents of the password box ("密码" in this run) are appended verbatim as the cp= query parameter, so the password travels in cleartext to the server.
--------------------------------------------------------------------------------
【Copyright notice】: This article is original work by Crack_Qs. When reposting, please credit the author and keep the article intact. Thanks!
2013-08-20 17:31:12
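As an added example (not part of the original post and not the author's tooling), here is a small Python patcher that applies the two NOP patches described above to the executable on disk instead of only in OllyDbg's memory. It maps the debugger's virtual addresses to file offsets through the PE section table and refuses to write unless the bytes at each target match the opcodes shown in the listing, which is the check you want before touching a binary that may be a different build. Everything about the real 客户端.exe is assumed: the default image base 0x400000 and the listed opcode bytes at those addresses. `build_stub_pe` constructs a stand-in PE image containing just those two jumps so the script can be exercised offline without the real file.

```python
import struct
import sys

# Assumed default image base of the unpacked 客户端 binary (not stated on the page).
IMAGE_BASE = 0x00400000

# The two conditional jumps the write-up NOPs out. The opcode bytes are the ones
# shown in the OllyDbg listing; the tool refuses to patch if they do not match.
PATCHES = [
    (0x004029DC, bytes.fromhex("0F8498010000")),  # je  客户端.00402B7A (username lookup failed)
    (0x00402AA3, bytes.fromhex("0F850F000000")),  # jnz 客户端.00402AB8 (status != 1)
]
NOP = 0x90


def _nt_headers(pe):
    """Return the file offset of the 'PE\\0\\0' signature."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew


def image_base(pe):
    """ImageBase from the optional header (PE32 keeps it at +28, PE32+ at +24)."""
    opt = _nt_headers(pe) + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:
        return struct.unpack_from("<I", pe, opt + 28)[0]
    if magic == 0x20B:
        return struct.unpack_from("<Q", pe, opt + 24)[0]
    raise ValueError(f"unknown optional header magic {magic:#x}")


def sections(pe):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    nt = _nt_headers(pe)
    nsec, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    first = nt + 24 + opt_size
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, first + 40 * i + 8)
        yield va, vsize, rptr, rsize


def va_to_offset(pe, va):
    """Map a virtual address as shown by the debugger to an offset in the file."""
    rva = va - image_base(pe)
    for sva, vsize, rptr, rsize in sections(pe):
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                raise ValueError(f"VA {va:#010x} is in uninitialised data, not in the file")
            return rptr + delta
    raise ValueError(f"VA {va:#010x} is not inside any section")


def apply_patches(pe, patches):
    """Return a patched copy; the expected bytes are verified before anything is written."""
    out = bytearray(pe)
    for va, expected in patches:
        off = va_to_offset(out, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#010x}: expected {expected.hex()}, found {found.hex()} "
                             "(different build, or the binary is already patched)")
        out[off:off + len(expected)] = bytes([NOP]) * len(expected)
    return out


def build_stub_pe():
    """Constructed minimal PE32 image (NOT the real 客户端.exe): a single .text section
    mapped at RVA 0x1000 / file offset 0x400 holding the two jumps at the listed VAs."""
    text_va, text_raw = 0x1000, 0x400
    text = bytearray(0x2000)
    for va, opc in PATCHES:
        pos = va - IMAGE_BASE - text_va
        text[pos:pos + len(opc)] = opc
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                      # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, IMAGE_BASE)
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(text), text_va, len(text), text_raw)
    return bytes(hdr + text)


if __name__ == "__main__":
    # usage: python patch_qy.py 客户端.exe 客户端_patched.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(data, PATCHES))
    for va, _ in PATCHES:
        print(f"patched {va:#010x} at file offset {va_to_offset(data, va):#x}")
```

The byte check is the important part: if the executable has been rebuilt, relocated or already patched, the opcodes at 004029DC / 00402AA3 will not be 0F 84 98 01 00 00 and 0F 85 0F 00 00 00, and the script stops instead of silently corrupting six bytes of something else. Six NOPs rather than a short jump keep every following address unchanged, which is what makes the listing above still valid after the patch.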
Bro, how about a video?
Awesome, what a master!
Bowing to the master, thanks for sharing!
The master works so fast.
Whoa... it is definitely NOT a modified CC!! But you were quick.
Actually, I wanted to say it looks a bit like CC too...
Respect.. can't keep up with the master.
Showing support.
Newbie passing by.