Cracking the feature locks in VStart (音速启动)
Author: 钻石锅锅 (PM me if you have questions). I no longer remember how I found this VStart build back then; it also had an encrypted directory [VIP教程视频栏], and the link is dead now.
This tutorial covers cracking the feature locks. I'm too much of a beginner, so I'm only posting a text tutorial, so that anyone who wants it later can use it as reference material.
Bypassing the startup password
F9 to run. Type anything, and an error message box appears; press F12 to pause.
Open the call stack window (K) and find:
调用堆栈 ,项目 27
地址=0012F834
堆栈=004EDA84
函数例程 / 参数=? MSVBVM60.rtcMsgBox
调用来自=vstart.004EDA7E
框架=0012F830
Follow it:
004EDA7E .FF15 48114000 call dword ptr ds:[<&MSVBVM60.#595>] ; error box appears
Keep single-stepping:
004ED98D .E8 4E4D0400 call vstart.005326E0 ; input box appears
Scroll up to find the key jump:
004ED96D /0F8E 35010000 jle vstart.004EDAA8 ; key jump
Change the jle to jmp.
In Config.ini under the Files folder:
CheckInStart=1
PassWord=50C2EE5DE55AD6A63D6F3F10463626C6
Clear the value after PassWord= and it's done.
16:07 2015-2-23
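As an added defender-side illustration (not code from VStart or from this post): the bypass above works because an empty PassWord= value is apparently treated as "no password set". The C below parses the two Config.ini keys quoted above and contrasts that assumed fail-open logic with a fail-closed variant that refuses to start when CheckInStart=1 but the stored hash is missing or empty. The ini parsing, the hash-string comparison, and all function names are assumptions made for illustration.

```c
#include <string.h>
/* Constructed sample of the two Config.ini keys named in the write-up.
 * The hash string is the value quoted on the page; the second sample
 * models the bypass where the text after PassWord= has been cleared. */
static const char SAMPLE_INI_SET[] =
    "CheckInStart=1\r\nPassWord=50C2EE5DE55AD6A63D6F3F10463626C6\r\n";
static const char SAMPLE_INI_CLEARED[] =
    "CheckInStart=1\r\nPassWord=\r\n";

/* Copy the value of `key` from ini text into out (at most outlen-1 chars).
 * Returns 1 if the key is present, even with an empty value, else 0. */
int ini_get(const char *ini, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = ini;
    while (*p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, "\r\n");
            if (n >= outlen) n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += strcspn(p, "\n");        /* skip to the next line */
        if (*p == '\n') p++;
    }
    return 0;
}

/* Assumed fail-open logic, inferred from the bypass described above: an empty
 * PassWord counts as "no password set", so the check is skipped entirely.
 * entered_hash is the hash of what the user typed (hash scheme assumed). */
int startup_check_failopen(const char *ini, const char *entered_hash) {
    char flag[8] = "", stored[64] = "";
    ini_get(ini, "CheckInStart", flag, sizeof flag);
    ini_get(ini, "PassWord", stored, sizeof stored);
    if (strcmp(flag, "1") != 0 || stored[0] == '\0') return 1;  /* allowed */
    return strcmp(stored, entered_hash) == 0;
}

/* Fail-closed variant: once CheckInStart=1, a missing or empty stored hash
 * is treated as a tampered config and startup is refused, not waved through. */
int startup_check_failclosed(const char *ini, const char *entered_hash) {
    char flag[8] = "", stored[64] = "";
    ini_get(ini, "CheckInStart", flag, sizeof flag);
    if (strcmp(flag, "1") != 0) return 1;          /* check disabled */
    if (!ini_get(ini, "PassWord", stored, sizeof stored) || stored[0] == '\0')
        return 0;                                   /* refuse to start */
    return strcmp(stored, entered_hash) == 0;
}
```

Fail-closed parsing only helps if the config file itself is integrity-checked, since the stored value lives on disk next to the program.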
-----------------------------------------------------------------------------------------------------------
Bypassing the encrypted directory
Find the error prompt -> F12 to pause -> in the K call stack find Called from=vstart.********
Scroll up to find the following code:
005FC198 8B45 E0 mov eax,dword ptr ss: ; load the entered (fake) code
005FC19B 50 push eax
005FC19C 8B4D DC mov ecx,dword ptr ss: ; load the real code
005FC19F 51 push ecx
005FC1A0 FF15 00124000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; password comparison
005FC1A6 8BF8 mov edi,eax
005FC1A8 F7DF neg edi
005FC1AA 1BFF sbb edi,edi
005FC1AC 47 inc edi
005FC1AD F7DF neg edi
005FC1AF 8D4D DC lea ecx,dword ptr ss:
005FC1B2 FF15 AC144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
005FC1B8 66:3BFB cmp di,bx
005FC1BB 74 4C je short Damimi.005FC209 ; jump after the first comparison
005FC1BD 8B55 E0 mov edx,dword ptr ss: ; load the entered (fake) code
005FC1C0 B9 B4E06800 mov ecx,Damimi.0068E0B4
005FC1C5 8B3D 94134000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrCopy>]; MSVBVM60.__vbaStrCopy
005FC1CB FFD7 call edi ; second check, EAX = entered code
005FC1CD 8B55 10 mov edx,dword ptr ss:
005FC1D0 66:391A cmp word ptr ds:,bx
005FC1D3 74 0A je short Damimi.005FC1DF
005FC1D5 8B55 E0 mov edx,dword ptr ss:
005FC1D8 B9 B8E06800 mov ecx,Damimi.0068E0B8
005FC1DD FFD7 call edi ; third check
005FC1DF 8B06 mov eax,dword ptr ds:
005FC1E1 6A 01 push 1
005FC1E3 56 push esi
005FC1E4 FF90 28080000 call dword ptr ds: ; key CALL, loads the window; press F7 here to step into it ****************
005FC1EA 3BC3 cmp eax,ebx
005FC1EC 0F8D 74010000 jge Damimi.005FC366
This lands at:
0062DF60 55 push ebp ; directory window load routine & verification routine
0062DF61 8BEC mov ebp,esp
0062DF63 83EC 0C sub esp,0C
0062DF66 68 36204100 push <jmp.&MSVBVM60.__vbaExceptHandler>
0062DF6B 64:A1 00000000 mov eax,dword ptr fs:
...
0062E044 FF15 00124000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0062E04A 85C0 test eax,eax
0062E04C 74 54 je short Damimi.0062E0A2 ; is the password check enabled? // key jump
0062E04E 8B4D E4 mov ecx,dword ptr ss: ; // the verification process follows
0062E051 8B15 B8E06800 mov edx,dword ptr ds:
0062E057 8B3D 00124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0062E05D 51 push ecx
0062E05E 52 push edx
0062E05F FFD7 call edi
0062E061 8B0D B4E06800 mov ecx,dword ptr ds:
0062E067 8BD0 mov edx,eax
0062E069 8B45 E4 mov eax,dword ptr ss:
0062E06C F7DA neg edx
0062E06E 1BD2 sbb edx,edx
0062E070 50 push eax
0062E071 F7DA neg edx
0062E073 51 push ecx
0062E074 8995 74FFFFFF mov dword ptr ss:,edx
0062E07A FFD7 call edi ; compare
0062E07C 8B95 74FFFFFF mov edx,dword ptr ss:
0062E082 F7D8 neg eax
0062E084 1BC0 sbb eax,eax
0062E086 F7D8 neg eax
0062E088 85D0 test eax,edx
0062E08A 0F85 C3010000 jnz Damimi.0062E253 ; jumps if equal // key jump
0062E090 BA A00A4400 mov edx,Damimi.00440AA0
0062E095 B9 B4E06800 mov ecx,Damimi.0068E0B4
0062E09A FF15 94134000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
0062E0A0 33FF xor edi,edi
0062E0A2 83EC 10 sub esp,10
Change the jnz to jz:
0062E08A 0F85 C3010000 jnz Damimi.0062E253 ; jumps if equal // key jump
Or patch this instruction instead:
0062E074 8995 74FFFFFF mov dword ptr ss:,edx
Once you are at the key verification CALL there are many ways to patch it.
15:18 2015/2/25
______________________________________________________________________________________________________
Bypassing the encrypted section
Same method as above; get to the error prompt CALL:
005E8337 .FF15 58114000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; error prompt
Scroll up:
005E82DE .FF15 E4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>;MSVBVM60.__vbaHresultCheckObj
005E82E4 .E9 5D010000 JMP damimi1.005E8446
005E82E9 >8B3D 54114000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ;MSVBVM60.__vbaObjSet
005E82EF >B9 04000280 MOV ECX,80020004
The jump comes from 005E81B0.
Go to 005E81B0 and scroll up.
The complete key code is found:
005E816A > \8B45 E0 mov eax, dword ptr
005E816D .50 push eax
005E816E .8B4D DC mov ecx, dword ptr
005E8171 .51 push ecx
005E8172 .FF15 10124000 call dword ptr [<&MSVBVM60.__vbaStrCmp>]
005E8178 .8BD8 mov ebx, eax
005E817A .F7DB neg ebx
005E817C .1BDB sbb ebx, ebx
005E817E .43 inc ebx
005E817F .F7DB neg ebx
005E8181 .8D4D DC lea ecx, dword ptr
005E8184 .FF15 CC144000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
005E818A .8D55 D4 lea edx, dword ptr
005E818D .52 push edx
005E818E .8D45 D8 lea eax, dword ptr
005E8191 .50 push eax
005E8192 .6A 02 push 2
005E8194 .FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaFreeObjList>;MSVBVM60.__vbaFreeObjList
005E819A .8D4D B4 lea ecx, dword ptr
005E819D .51 push ecx
005E819E .8D55 C4 lea edx, dword ptr
005E81A1 .52 push edx
005E81A2 .6A 02 push 2
005E81A4 .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
005E81AA .83C4 18 add esp, 18
005E81AD .66:85DB test bx, bx
005E81B0 .0F84 39010000 je 005E82EF ; first key jump; change the flag and keep single-stepping down
005E81B6 .8B55 E0 mov edx, dword ptr
005E81B9 .B9 ACE06700 mov ecx, 0067E0AC
005E81BE .8B1D AC134000 mov ebx, dword ptr [<&MSVBVM60.__vbaStrCop>;MSVBVM60.__vbaStrCopy
005E81C4 .FFD3 call ebx ; <&MSVBVM60.__vbaStrCopy>
005E81C6 .8B45 10 mov eax, dword ptr
005E81C9 .66:8338 00 cmp word ptr , 0
005E81CD .74 0A je short 005E81D9
005E81CF .8B55 E0 mov edx, dword ptr
005E81D2 .B9 B0E06700 mov ecx, 0067E0B0
005E81D7 .FFD3 call ebx
005E81D9 >6A 00 push 0
005E81DB .68 19000340 push 40030019
005E81E0 .8B0E mov ecx, dword ptr
005E81E2 .56 push esi
005E81E3 .FF91 50030000 call dword ptr
005E81E9 .50 push eax
005E81EA .8D55 D8 lea edx, dword ptr
005E81ED .52 push edx
005E81EE .FFD7 call edi
005E81F0 .50 push eax
005E81F1 .8D45 C4 lea eax, dword ptr
005E81F4 .50 push eax
005E81F5 .FF15 80124000 call dword ptr [<&MSVBVM60.__vbaLateIdCallL>;MSVBVM60.__vbaLateIdCallLd
005E81FB .83C4 10 add esp, 10
005E81FE .50 push eax
005E81FF .FF15 F0134000 call dword ptr [<&MSVBVM60.__vbaI4Var>] ;MSVBVM60.__vbaI4Var
005E8205 .8945 BC mov dword ptr , eax
005E8208 .C745 B4 03000>mov dword ptr , 3
005E820F .8B0E mov ecx, dword ptr
005E8211 .8D55 B4 lea edx, dword ptr
005E8214 .52 push edx
005E8215 .56 push esi
005E8216 .FF91 5C080000 call dword ptr ; section window load & verification routine; step into this one and patch the key window-load verification CALL
005E821C .85C0 test eax, eax
005E821E .7D 12 jge short 005E8232
This lands in the window load & verification routine:
0061A460 > \55 PUSH EBP ; section window load & verification routine
0061A461 .8BEC MOV EBP,ESP
0061A463 .83EC 18 SUB ESP,18
0061A466 .68 86204100 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SEH handler installation
0061A46B .64:A1 0000000>MOV EAX,DWORD PTR FS:
0061A471 .50 PUSH EAX
0061A472 .64:8925 00000>MOV DWORD PTR FS:,ESP
0061A479 .B8 E0020000 MOV EAX,2E0
0061A47E .E8 FD7BDFFF CALL <JMP.&MSVBVM60.__vbaChkstk>
...
0061A830 .50 PUSH EAX
0061A831 .68 580F4400 PUSH damimi1.00440F58
0061A836 .FF15 10124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ;MSVBVM60.__vbaStrCmp
0061A83C .85C0 TEST EAX,EAX
0061A83E 0F84 32010000 JE damimi1.0061A976 ; is the password check enabled? // key jump
0061A844 .C745 FC 0D000>MOV DWORD PTR SS:,0D ; the verification process follows
0061A84B .8B8D 78FFFFFF MOV ECX,DWORD PTR SS:
0061A851 .51 PUSH ECX
0061A852 .8B15 ACE06700 MOV EDX,DWORD PTR DS:
0061A858 .52 PUSH EDX
0061A859 .FF15 10124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ;MSVBVM60.__vbaStrCmp
0061A85F .8BF0 MOV ESI,EAX
0061A861 .F7DE NEG ESI
0061A863 .1BF6 SBB ESI,ESI
0061A865 .F7DE NEG ESI
0061A867 .8B85 78FFFFFF MOV EAX,DWORD PTR SS:
0061A86D .50 PUSH EAX
0061A86E .8B0D B0E06700 MOV ECX,DWORD PTR DS:
0061A874 .51 PUSH ECX
0061A875 .FF15 10124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ;MSVBVM60.__vbaStrCmp
0061A87B .F7D8 NEG EAX
0061A87D .1BC0 SBB EAX,EAX
0061A87F .F7D8 NEG EAX
0061A881 .23F0 AND ESI,EAX
0061A883 .85F6 TEST ESI,ESI
0061A885 .75 1C JNZ SHORT damimi1.0061A8A3
0061A887 .C745 FC 0E000>MOV DWORD PTR SS:,0E
0061A88E .BA 580F4400 MOV EDX,damimi1.00440F58
0061A893 .B9 ACE06700 MOV ECX,damimi1.0067E0AC
0061A898 .FF15 AC134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ;MSVBVM60.__vbaStrCopy
0061A89E .E9 D3000000 JMP damimi1.0061A976
0061A8A3 >C745 FC 10000>MOV DWORD PTR SS:,10
0061A8AA .6A 01 PUSH 1
0061A83E 0F84 32010000 JE damimi1.0061A976 ; is the password check enabled? // key jump
Change the JE to JNE.
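Added example, not from the post or from VStart: a C model of the VB6 compiler idioms that follow every __vbaStrCmp call in the listings above (the neg/sbb/inc/neg form at 005FC1A6 and 005E8178, the neg/sbb/neg form at 0062E06C, 0062E082 and 0061A861), so the branches marked as key jumps can be read directly from the listing. __vbaStrCmp returns 0 when the two strings compare equal; bx is assumed to be zero at 005FC1B8 as is usual in VB6 prologues, and the function names are my own.

```c
#include <stdint.h>

/* Four-instruction form, e.g. 005FC1A6..005FC1AD:
 *   mov edi,eax ; neg edi ; sbb edi,edi ; inc edi ; neg edi
 * neg sets CF when its operand is non-zero, so sbb edi,edi yields 0 or -1.
 * Result: VB Boolean True (-1) when __vbaStrCmp returned 0, else False (0). */
int32_t vb_bool_strcmp_is_zero(int32_t strcmp_result) {
    uint32_t cf = (strcmp_result != 0);   /* neg edi      -> CF        */
    int32_t r = -(int32_t)cf;              /* sbb edi,edi  -> 0 or -1   */
    r += 1;                                /* inc edi      -> 1 or 0    */
    return -r;                             /* neg edi      -> -1 or 0   */
}

/* Three-instruction form, e.g. 0062E07C..0062E086 and 0061A861..0061A865:
 *   neg reg ; sbb reg,reg ; neg reg
 * Result: 1 when __vbaStrCmp returned non-zero, else 0. */
int32_t vb_int_strcmp_nonzero(int32_t strcmp_result) {
    uint32_t cf = (strcmp_result != 0);
    int32_t r = -(int32_t)cf;              /* 0 or -1 */
    return -r;                             /* 0 or 1  */
}

/* Branch at 005FC1B8/005FC1BB: cmp di,bx ; je 005FC209 (bx assumed 0).
 * Taken exactly when the Boolean is False, i.e. __vbaStrCmp was non-zero. */
int first_check_je_taken(int32_t strcmp_result) {
    return (int16_t)vb_bool_strcmp_is_zero(strcmp_result) == 0;
}

/* Branch at 0062E088/0062E08A (test eax,edx ; jnz) and 0061A881..0061A885
 * (and esi,eax ; test esi,esi ; jnz): the two normalised results are AND-ed,
 * so jnz is taken only when both __vbaStrCmp calls returned non-zero. */
int second_check_jnz_taken(int32_t cmp1, int32_t cmp2) {
    return (vb_int_strcmp_nonzero(cmp1) & vb_int_strcmp_nonzero(cmp2)) != 0;
}
```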
19:54 2015-3-31
------------------------------------------------------------------------------------------------------
Folder protection feature: just end the vsEnFolder.exe process and folder protection stops working.
Thanks for sharing, OP. This is really good~
Nice tutorial, learned something!
OP, how are you so good?
Didn't understand any of it, just passing through.
OP is impressive; is this done by attaching directly?
Thanks for sharing the tutorial, OP.
Learned something, nice! The interface looks easy on the eyes, heh.
I usually just use the vstart toolkits other people provide; didn't expect anyone to analyze vstart itself. Great work!