Patching "无敌邮件群发机"
【Title】: Patching "无敌邮件群发机" (the "Invincible Email Mass Sender")
【Author】: Mr.vit
【Download】: search for it yourself
【Packer】: none
【Language】: Delphi
【Author's note】: Just out of interest, no other purpose. If I got anything wrong, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Details】
This is only a patch, written for those who don't yet know where to set a breakpoint.
When the OD string plugin can't find the strings, the F12 call-stack method still works; personally I find it very handy.
The software uses restart verification (the registration is checked again on the next launch).
First load the program in OD.
Press F9 to run it, then click Register, type any registration code and click Register; the error message appears.
At this point press F12 and the program pauses. Then press Alt+K to open the call-stack window, where you will see the following
information:
Procedure        Called from
..............................................
..............................................
..............................................
? <jmp.&user32.MessageBoxA> WdMail.005CA1B4 // click this one
A brief explanation: MessageBoxA is the message-box API; simply put, the error message that just popped up was produced by it.
When clicking, click the entry in the "Called from" column.
That brings you here:
005CA12F E8 504FFBFF call WdMail.0057F084
005CA134 84C0 test al,al
005CA136 74 58 je short WdMail.005CA190 ; must not jump; changing it to NOP is enough
005CA138 8D55 F8 lea edx,dword ptr ss:
005CA13B 8B83 88030000 mov eax,dword ptr ds:
005CA141 E8 EA99E9FF call WdMail.00463B30
005CA146 8B45 F8 mov eax,dword ptr ss:
005CA149 50 push eax
005CA14A 8B0D 8C3C6300 mov ecx,dword ptr ds: ; WdMail.006317B4
005CA150 8B09 mov ecx,dword ptr ds:
005CA152 8B15 20306300 mov edx,dword ptr ds: ; WdMail.006317B0
005CA158 8B12 mov edx,dword ptr ds:
005CA15A 8B83 98030000 mov eax,dword ptr ds:
005CA160 E8 1F5DFBFF call WdMail.0057FE84
005CA165 6A 00 push 0
005CA167 A1 C83E6300 mov eax,dword ptr ds:
005CA16C 8B00 mov eax,dword ptr ds:
005CA16E E8 6DB9E3FF call WdMail.00405AE0
005CA173 50 push eax
005CA174 A1 B8316300 mov eax,dword ptr ds:
005CA179 8B00 mov eax,dword ptr ds:
005CA17B E8 60B9E3FF call WdMail.00405AE0
005CA180 50 push eax
005CA181 8BC3 mov eax,ebx
005CA183 E8 4C1AEAFF call WdMail.0046BBD4
005CA188 50 push eax
005CA189 E8 1AEAE3FF call <jmp.&user32.MessageBoxA>
005CA18E EB 2B jmp short WdMail.005CA1BB
005CA190 6A 00 push 0
005CA192 A1 C83E6300 mov eax,dword ptr ds:
005CA197 8B00 mov eax,dword ptr ds:
005CA199 E8 42B9E3FF call WdMail.00405AE0
005CA19E 50 push eax
005CA19F A1 083B6300 mov eax,dword ptr ds:
005CA1A4 8B00 mov eax,dword ptr ds:
005CA1A6 E8 35B9E3FF call WdMail.00405AE0
005CA1AB 50 push eax
005CA1AC 8BC3 mov eax,ebx
005CA1AE E8 211AEAFF call WdMail.0046BBD4
005CA1B3 50 push eax
005CA1B4 E8 EFE9E3FF call <jmp.&user32.MessageBoxA> ; this is the error message
005CA1B9 EB 0E jmp short WdMail.005CA1C9
005CA1BB C683 9C030000 01 mov byte ptr ds:,1
005CA1C2 8BC3 mov eax,ebx
005CA1C4 E8 3F3EEBFF call WdMail.0047E008
Change the jump above to NOP and the first patch is done. Next comes the second patch.
Load the program in OD again and run it; it shows "注册码非法,程序将自动关闭" ("Invalid registration code, the program will close automatically").
Same method as before: press F12 to pause the program, then open the call-stack window and find:
Call stack of main thread, item 14
Address=0012F2BC
Stack=00600571
Procedure / arguments=? <JMP.&user32.MessageBoxA>
Called from=123.0060056C // here 123 is my program's name; the value after it is the address
Frame=0012F2B8
Again, click the "Called from" entry, 0060056C. That lands you at:
0060055E |.E8 7D55E0FF CALL 123.00405AE0
00600563 |.50 PUSH EAX
00600564 |.8BC3 MOV EAX,EBX
00600566 |.E8 69B6E6FF CALL 123.0046BBD4
0060056B |.50 PUSH EAX ; |hOwner = 001FB79C
0060056C |.E8 3786E0FF CALL <JMP.&user32.MessageBoxA> ; \error message here
00600571 |.8B55 F4 MOV EDX,
00600574 |.8BC3 MOV EAX,EBX
00600576 |.E8 F9A50000 CALL 123.0060AB74
Then scroll further up to find an address at which to set a breakpoint.
006000E0 /.55 PUSH EBP ; I picked this spot; set an F2 breakpoint here
006000E1 |.8BEC MOV EBP,ESP
006000E3 |.83C4 C4 ADD ESP,-3C
006000E6 |.53 PUSH EBX
006000E7 |.56 PUSH ESI
006000E8 |.57 PUSH EDI
006000E9 |.33C9 XOR ECX,ECX
006000EB |.894D C4 MOV ,ECX
006000EE |.894D D0 MOV ,ECX
006000F1 |.894D D4 MOV ,ECX
006000F4 |.894D FC MOV ,ECX
006000F7 |.894D F8 MOV ,ECX
006000FA |.8955 F4 MOV ,EDX
With the breakpoint set, reload the program; it now breaks at the address you set.
Next, single-step through:
00600370 |. /74 10 JE SHORT 123.00600382
00600372 |. |8B45 F8 MOV EAX,
00600375 |. |E8 9EAFE0FF CALL 123.0040B318
0060037A |. |8983 2C090000 MOV DWORD PTR DS:,EAX
00600380 |. |EB 08 JMP SHORT 123.0060038A
00600382 |> \33C0 XOR EAX,EAX
00600384 |.8983 2C090000 MOV DWORD PTR DS:,EAX
0060038A |>E8 59DEE0FF CALL 123.0040E1E8
0060038F |.DD5D E8 FSTP QWORD PTR SS:
00600392 |.9B WAIT
00600393 |.A1 EC416300 MOV EAX,DWORD PTR DS:
00600398 |.8338 00 CMP DWORD PTR DS:,0
0060039B |.0F84 E6010000 JE 123.00600587
006003A1 |.8B15 EC416300 MOV EDX,DWORD PTR DS: ;123.0063ADDC
006003A7 |.8B12 MOV EDX,DWORD PTR DS:
006003A9 |.8B83 28090000 MOV EAX,DWORD PTR DS:
006003AF |.E8 D0ECF7FF CALL 123.0057F084
006003B4 84C0 TEST AL,AL
006003B6 0F84 8C010000 JE 123.00600548 ; this must not jump
006003BC A1 943B6300 MOV EAX,DWORD PTR DS:
006003C1 C600 00 MOV BYTE PTR DS:,0
006003C4 8B83 28090000 MOV EAX,DWORD PTR DS:
006003CA E8 5DEFF7FF CALL 123.0057F32C
006003CF 83F8 02 CMP EAX,2
006003D2 0F85 31010000 JNZ 123.00600509 ; this must not jump
006003D8 8B83 28090000 MOV EAX,DWORD PTR DS:
006003DE E8 51EFF7FF CALL 123.0057F334
006003E3 48 DEC EAX
006003E4 0F85 E0000000 JNZ 123.006004CA ; this must not jump
006003EA |.8BB3 2C090000 MOV ESI,DWORD PTR DS:
006003F0 |.85F6 TEST ESI,ESI ;123.00639CDC
006003F2 |.0F8E AD000000 JLE 123.006004A5
006003F8 |.8D45 FC LEA EAX,
006003FB |.50 PUSH EAX ; /Arg1 = 01157D8C
006003FC |.8975 C8 MOV ,ESI ; |123.00639CDC
006003FF |.C645 CC 00 MOV BYTE PTR SS:,0 ; |
00600403 |.8D55 C8 LEA EDX, ; |
00600406 |.A1 6C2F6300 MOV EAX,DWORD PTR DS: ; |
0060040B |.8B00 MOV EAX,DWORD PTR DS: ; |
0060040D |.33C9 XOR ECX,ECX ; |
0060040F |.E8 ECC2E0FF CALL 123.0040C700 ; \123.0040C700
00600414 |.83BB 2C090000 0A CMP DWORD PTR DS:,0A
0060041B |.7F 10 JG SHORT 123.0060042D
0060041D |.8D45 FC LEA EAX,
00600420 |.8B15 583A6300 MOV EDX,DWORD PTR DS: ;123.0062FF4C
00600426 |.8B12 MOV EDX,DWORD PTR DS:
00600428 |.E8 EF54E0FF CALL 123.0040591C
0060042D |>8B83 74060000 MOV EAX,DWORD PTR DS:
00600433 |.8B80 50020000 MOV EAX,DWORD PTR DS:
00600439 |.33D2 XOR EDX,EDX
0060043B |.E8 A45EE9FF CALL 123.004962E4
00600440 |.8B55 FC MOV EDX,
00600443 |.E8 F85DE9FF CALL 123.00496240
00600448 |.A1 74426300 MOV EAX,DWORD PTR DS:
0060044D |.C600 01 MOV BYTE PTR DS:,1
00600450 |.8BB3 2C090000 MOV ESI,DWORD PTR DS:
00600456 |.83FE 07 CMP ESI,7
00600459 |.0F8D F1020000 JGE 123.00600750
0060045F |.8D45 FC LEA EAX,
00600462 |.50 PUSH EAX ; /Arg1 = 01157D8C
00600463 |.8975 C8 MOV ,ESI ; |123.00639CDC
NOP out those three jumps above and the restart verification is gone. Save the changes; the next time the software starts you will see
"正式版" ("Registered version") in the bottom-right corner.
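From the defender's side: every patch in this post is the same two-byte edit, a conditional jump such as `74 58` (je short) at 005CA136 overwritten with `90 90`. A program that hashes the bytes of its own check routine at start-up and compares them with a constant embedded at build time notices exactly that kind of edit. The following is an added example in C, not code from the post or from the software; the byte string is copied from the listing above, while the hash function and the names are my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* FNV-1a over a byte range; stands in for whatever code-section hash a real build uses. */
static uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Bytes at 005CA12F..005CA137, copied from the listing in the post:
   call WdMail.0057F084 / test al,al / je short WdMail.005CA190 */
static const unsigned char kCheckSite[] = {
    0xE8, 0x50, 0x4F, 0xFB, 0xFF,   /* call WdMail.0057F084 */
    0x84, 0xC0,                     /* test al,al           */
    0x74, 0x58                      /* je short 005CA190    */
};

/* Integrity check: the caller passes the hash recorded for the pristine bytes
   (a real build embeds that constant; the demo below computes it on the spot). */
int region_intact(const unsigned char *site, size_t n, uint32_t expected) {
    return fnv1a(site, n) == expected;
}

/* Simulates the tamper described in the post on a private copy of the bytes:
   the two-byte conditional jump at je_offset becomes two NOPs (0x90 0x90). */
static void simulate_nop_tamper(unsigned char *site, size_t je_offset) {
    site[je_offset] = 0x90;
    site[je_offset + 1] = 0x90;
}

/* Returns 1 when the check passes on pristine bytes and fails after the tamper. */
int demo(void) {
    unsigned char copy[sizeof kCheckSite];
    memcpy(copy, kCheckSite, sizeof copy);
    uint32_t expected = fnv1a(kCheckSite, sizeof kCheckSite);
    int before = region_intact(copy, sizeof copy, expected);
    simulate_nop_tamper(copy, 7);               /* offset 7 is the 74 58 pair */
    int after = region_intact(copy, sizeof copy, expected);
    return before && !after;
}
```

A self-check that lives in the same binary can itself be patched, so on its own it is only a speed bump; it matters only when combined with checks that are not under the client's control.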
--------------------------------------------------------------------------------
【Copyright】: When reposting, please credit the author and keep the article intact. Thanks!
2009-09-07 22:23:21  Studying this.
Nice. Everyone is welcome to test whether the OP's crack really has no limitations.
After a restart the software still repairs itself and still shows "registration invalid" and the like; tracing out the registration code would be the better route.
Tried it; the patch locations seem to be wrong, and it stops working on another machine. I'll study it some more.
Looking forward to an improved version...
Looking for a teacher... can someone teach me? Thanks. I don't understand any of it.
Supporting original work.
Damn it, why can't I download the attachment?