【已结束】第三关、反调试模块【无壳无花】突破者:josong
本帖最后由 Heiye_Hack 于 2015-8-9 04:26 编辑
前言:基于论坛cm版块不够活跃,高难度的cm帖子极少,就算有,也是加了各种强壳,要么就是Km帖子,而我们这个是【无壳无花】。
所以特别为大家准备些高难度、极其难吃的菜,此前我把其命名为:第一课、第二课,如今改写成第一关、第二关,你懂的。
但愿我们的cm帖子能给大家带来更好的学习,技术更上一层楼。
历史关卡突破者
第一关:josong大神已突破
第二关:josong大神已突破(依旧是他)
第三关:josong大神已突破(三连杀)
文件详情
文件:注册码算法防破测试.exe
大小:1,961,984 字节
MD5:a0ec00c25f14010f8b02753102ebb7db
反调试方式:易语言反调试模块
加密方式:无【无壳无花】
在线查毒:http://r.virscan.org/report/3147978c7afd7aee6f834e9ddbfd0b93
在线分析:http://habo.qq.com/file/showdetail?pk=ADMGZV1vB2QIOA==
改动:1、变更算法,提高突破难度
2、同时基于cm版块版规以及大家的建议,特地去除触发核心【蓝屏】暗桩。(提示:样本仍带易语言反调试模块,且早期版本含触发蓝屏的暗桩,请在可回滚快照的隔离虚拟机中分析,不要直接在宿主机上运行;下载后先核对上面的 MD5。)
规则:群雄争锋,难度越高的东西,学到的东西越多,你懂的
=============下面上图+说明============
==================================================
====================成功突破界面=====================
==================================================
============================================================================================
附件/百度云: http://pan.baidu.com/s/1nt1kLOd 密码: ibkb
(由于文件改为加载dll,文件过大,无法上传附件)
============================================================================================
第一关:http://www.52pojie.cn/thread-395586-1-1.html
第二关:http://www.52pojie.cn/thread-396226-1-1.html
第三关:http://www.52pojie.cn/thread-397607-1-1.html【本帖就是第三关】
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
我希望大家能够多回复评分,给我一点支持及动力,同时也是大家也互相学习的机会。
Heiye_Hack 发表于 2015-8-8 21:22
@josong
连关键密钥是 8 个字节的长度都能这么清楚,分析得这么透彻,想让你们找不到验证处都这么难。
; OllyDbg dump of the routine at 03403843 (the post says the target is an EPL /
; 易语言 binary). The forum export stripped every bracketed memory operand
; ("ss:," / "ds:" with nothing after it); the [ebp-N] / [ebx] forms given in the
; comments are decoded from the opcode bytes shown in column 2 (ModRM 45/5D =
; ebp+disp8 with the following byte as the displacement, 03/0B = [ebx]).
; The pre-existing "; ntdll.7C93003D" / "; 034037E3" annotations are OllyDbg's
; register-content hints captured at dump time, not meaningful comments.
; Frame: sub esp,0x28 -> locals at ebp-4 / ebp-8 / ebp-0xC (zeroed in the
; prologue) and scratch slots ebp-0x10 .. ebp-0x28. One stack argument ([ebp+8]),
; released with retn 4. ebx is written without being saved - fine only under a
; compiler-internal convention where callers do not expect ebx preserved.
; Callees (behaviour inferred from call shape only - confirm in the debugger):
;   0341A4A5  4 pushed args, caller pops 0x10, ebx loaded with a table address
;             just before the call - presumably an EPL runtime dispatch thunk.
;   0341A499  1 pushed arg, only ever called on a non-null pointer that is about
;             to be overwritten - looks like a release/free.
;   033F11B5  2 pushed args, ecx = 2 - combines the running value in [ebp-0xC]
;             with the per-byte result (string append would fit, not proven here).
; Shape: convert the argument, then for counter = 1..0x20 read one byte of the
; converted buffer, turn it into a double, add a constant, convert that, and
; fold it into [ebp-0xC]; finally convert [ebp-0xC] once more and return it.
; NOTE(review): the loop runs a fixed 32 times; the byte address is derived from
; the dword at the start of the buffer but the count is not compared with it, so
; if that dword is a length, a shorter input is read past its end.
03403843 55 push ebp                                   ; standard frame prologue
03403844 8BEC mov ebp,esp
03403846 81EC 28000000 sub esp,0x28                    ; 0x28 bytes of locals
0340384C C745 FC 0000000>mov dword ptr ss:,0x0         ; [ebp-4]   = 0 (converted input, set below)
03403853 C745 F8 0000000>mov dword ptr ss:,0x0         ; [ebp-8]   = 0 (loop counter slot)
0340385A C745 F4 0000000>mov dword ptr ss:,0x0         ; [ebp-0xC] = 0 (running result)
03403861 68 04000080 push 0x80000004                   ; arg 4: tag 0x80000004 (meaning not shown in this listing)
03403866 6A 00 push 0x0                                ; arg 3
03403868 8B5D 08 mov ebx,dword ptr ss:                 ; ebx = [ebp+8], the single stack argument
0340386B 8B03 mov eax,dword ptr ds:                    ; eax = [ebx]
0340386D 85C0 test eax,eax
0340386F 75 05 jnz short 03403876
03403871 B8 FDED4903 mov eax,0x349EDFD                 ; null -> substitute 0x349EDFD (presumably a default/empty value)
03403876 50 push eax                                   ; arg 2: value (or the substitute)
03403877 68 01000000 push 0x1                          ; arg 1
0340387C BB 00B54103 mov ebx,0x341B500                 ; table address handed to the thunk in ebx
03403881 E8 1F6C0100 call 0341A4A5
03403886 83C4 10 add esp,0x10                          ; caller pops the 4 args
03403889 8945 F0 mov dword ptr ss:,eax                 ; [ebp-0x10] = result
0340388C 8B45 F0 mov eax,dword ptr ss:                 ; eax = [ebp-0x10]
0340388F 50 push eax                                   ; keep the result across the release below
03403890 8B5D FC mov ebx,dword ptr ss:                 ; ebx = old [ebp-4] (zero on this path)
03403893 85DB test ebx,ebx
03403895 74 09 je short 034038A0                       ; nothing to release when null
03403897 53 push ebx
03403898 E8 FC6B0100 call 0341A499                     ; release old [ebp-4]
0340389D 83C4 04 add esp,0x4
034038A0 58 pop eax ; 034037E3                         ; eax = result again
034038A1 8945 FC mov dword ptr ss:,eax                 ; [ebp-4] = converted input
034038A4 33C9 xor ecx,ecx ; ntdll.7C93003D             ; ecx = 0, loop counter
034038A6 8D45 F8 lea eax,dword ptr ss:                 ; eax = &[ebp-8]
034038A9 8BD8 mov ebx,eax                              ; ebx = &[ebp-8] (counter slot address)
034038AB 41 inc ecx ; ntdll.7C93003D                   ; loop top: counter += 1 (runs for 1..0x20)
034038AC 51 push ecx ; ntdll.7C93003D                  ; save counter for the body; restored at 0340394D
034038AD 53 push ebx                                   ; save slot address; restored at 0340394C
034038AE 890B mov dword ptr ds:,ecx ; ntdll.7C93003D   ; [ebp-8] = counter
034038B0 83F9 20 cmp ecx,0x20
034038B3 0F8F 9A000000 jg 03403953                     ; exit after 32 iterations (fixed count, see NOTE in header)
034038B9 8B5D FC mov ebx,dword ptr ss:                 ; ebx = [ebp-4] (converted input buffer)
034038BC 8B0B mov ecx,dword ptr ds:                    ; ecx = [ebx], dword at the start of the buffer
034038BE 41 inc ecx ; ntdll.7C93003D
034038BF C1E1 02 shl ecx,0x2                           ; ([buffer]+1)*4
034038C2 03D9 add ebx,ecx ; ntdll.7C93003D             ; ebx = buffer + ([buffer]+1)*4
034038C4 53 push ebx
034038C5 8B45 F8 mov eax,dword ptr ss:                 ; eax = counter
034038C8 48 dec eax                                    ; counter - 1 (zero-based index)
034038C9 5B pop ebx ; 034037E3
034038CA 03D8 add ebx,eax                              ; ebx = buffer + ([buffer]+1)*4 + counter-1
034038CC 895D F0 mov dword ptr ss:,ebx                 ; [ebp-0x10] = byte address
034038CF 8B5D F0 mov ebx,dword ptr ss:
034038D2 8A03 mov al,byte ptr ds:                      ; al = the selected byte
034038D4 25 FF000000 and eax,0xFF                      ; zero-extend al -> eax
034038D9 8945 E8 mov dword ptr ss:,eax                 ; [ebp-0x18] = byte value
034038DC DB45 E8 fild dword ptr ss:                    ; st0 = (double)byte
034038DF DD5D E8 fstp qword ptr ss:                    ; [ebp-0x18..-0x11] = that double
034038E2 DD45 E8 fld qword ptr ss:
034038E5 DC05 D7AE4B03 fadd qword ptr ds:              ; += qword constant at 0x34BAED7 (its value is not in this listing)
034038EB DD5D E0 fstp qword ptr ss:                    ; [ebp-0x20..-0x19] = byte + constant
034038EE 68 01060080 push 0x80000601                   ; arg 4: tag 0x80000601
034038F3 FF75 E4 push dword ptr ss:                    ; arg 3: high dword of the double ([ebp-0x1C])
034038F6 FF75 E0 push dword ptr ss:                    ; arg 2: low dword of the double ([ebp-0x20])
034038F9 68 01000000 push 0x1                          ; arg 1
034038FE BB 00B54103 mov ebx,0x341B500
03403903 E8 9D6B0100 call 0341A4A5                     ; convert the double
03403908 83C4 10 add esp,0x10
0340390B 8945 DC mov dword ptr ss:,eax                 ; [ebp-0x24] = converted per-byte value
0340390E FF75 DC push dword ptr ss:                    ; push [ebp-0x24]
03403911 FF75 F4 push dword ptr ss:                    ; push [ebp-0xC] (running result)
03403914 B9 02000000 mov ecx,0x2                       ; ecx = 2 (argument count, presumably)
03403919 E8 97D8FEFF call 033F11B5                     ; combine running result with the new value
0340391E 83C4 08 add esp,0x8
03403921 8945 D8 mov dword ptr ss:,eax                 ; [ebp-0x28] = combined value
03403924 8B5D DC mov ebx,dword ptr ss:                 ; release [ebp-0x24] if non-null
03403927 85DB test ebx,ebx
03403929 74 09 je short 03403934
0340392B 53 push ebx
0340392C E8 686B0100 call 0341A499
03403931 83C4 04 add esp,0x4
03403934 8B45 D8 mov eax,dword ptr ss: ; ntdll.7C93003D   ; eax = [ebp-0x28]
03403937 50 push eax                                   ; keep it across the release below
03403938 8B5D F4 mov ebx,dword ptr ss:                 ; release old [ebp-0xC] if non-null
0340393B 85DB test ebx,ebx
0340393D 74 09 je short 03403948
0340393F 53 push ebx
03403940 E8 546B0100 call 0341A499
03403945 83C4 04 add esp,0x4
03403948 58 pop eax ; 034037E3
03403949 8945 F4 mov dword ptr ss:,eax                 ; [ebp-0xC] = combined value
0340394C 5B pop ebx ; 034037E3                         ; restore counter slot address
0340394D 59 pop ecx ; 034037E3                         ; restore counter
0340394E^ E9 58FFFFFF jmp 034038AB                     ; next iteration
03403953 83C4 08 add esp,0x8                           ; loop exit: discard the ecx/ebx pushed at 034038AC/034038AD
03403956 68 05000080 push 0x80000005                   ; arg 4: tag 0x80000005
0340395B 6A 00 push 0x0                                ; arg 3
0340395D 8B45 F4 mov eax,dword ptr ss:                 ; eax = [ebp-0xC] (final running result)
03403960 85C0 test eax,eax
03403962 75 05 jnz short 03403969
03403964 B8 F5ED4903 mov eax,0x349EDF5                 ; null -> substitute 0x349EDF5
03403969 50 push eax                                   ; arg 2
0340396A 68 01000000 push 0x1                          ; arg 1
0340396F BB A0BD4103 mov ebx,0x341BDA0                 ; a different table address than 0x341B500
03403974 E8 2C6B0100 call 0341A4A5
03403979 83C4 10 add esp,0x10
0340397C 8945 F0 mov dword ptr ss:,eax                 ; [ebp-0x10] = return value
0340397F 8B45 F0 mov eax,dword ptr ss:
03403982 E9 00000000 jmp 03403987                      ; jumps to the very next instruction; a no-op
03403987 50 push eax                                   ; keep the return value across the two releases
03403988 8B5D FC mov ebx,dword ptr ss:                 ; release [ebp-4] if non-null
0340398B 85DB test ebx,ebx
0340398D 74 09 je short 03403998
0340398F 53 push ebx
03403990 E8 046B0100 call 0341A499
03403995 83C4 04 add esp,0x4
03403998 8B5D F4 mov ebx,dword ptr ss:                 ; release [ebp-0xC] if non-null
0340399B 85DB test ebx,ebx
0340399D 74 09 je short 034039A8
0340399F 53 push ebx
034039A0 E8 F46A0100 call 0341A499
034039A5 83C4 04 add esp,0x4
034039A8 58 pop eax ; 034037E3                         ; eax = return value
034039A9 8BE5 mov esp,ebp                              ; epilogue; the retn 4 that follows pops the one argument
034039AB 5D pop ebp ; 034037E3
034039AC C2 0400 retn 0x4
josong 发表于 2015-8-8 20:42
你要给人猜8字节的Key?
不会的,相信大牛你不玩这么阴的。
; OllyDbg dump of the routine at 03403843 (the post says the target is an EPL /
; 易语言 binary). The forum export stripped every bracketed memory operand
; ("ss:," / "ds:" with nothing after it); the [ebp-N] / [ebx] forms given in the
; comments are decoded from the opcode bytes shown in column 2 (ModRM 45/5D =
; ebp+disp8 with the following byte as the displacement, 03/0B = [ebx]).
; The pre-existing "; ntdll.7C93003D" / "; 034037E3" annotations are OllyDbg's
; register-content hints captured at dump time, not meaningful comments.
; Frame: sub esp,0x28 -> locals at ebp-4 / ebp-8 / ebp-0xC (zeroed in the
; prologue) and scratch slots ebp-0x10 .. ebp-0x28. One stack argument ([ebp+8]),
; released with retn 4. ebx is written without being saved - fine only under a
; compiler-internal convention where callers do not expect ebx preserved.
; Callees (behaviour inferred from call shape only - confirm in the debugger):
;   0341A4A5  4 pushed args, caller pops 0x10, ebx loaded with a table address
;             just before the call - presumably an EPL runtime dispatch thunk.
;   0341A499  1 pushed arg, only ever called on a non-null pointer that is about
;             to be overwritten - looks like a release/free.
;   033F11B5  2 pushed args, ecx = 2 - combines the running value in [ebp-0xC]
;             with the per-byte result (string append would fit, not proven here).
; Shape: convert the argument, then for counter = 1..0x20 read one byte of the
; converted buffer, turn it into a double, add a constant, convert that, and
; fold it into [ebp-0xC]; finally convert [ebp-0xC] once more and return it.
; NOTE(review): the loop runs a fixed 32 times; the byte address is derived from
; the dword at the start of the buffer but the count is not compared with it, so
; if that dword is a length, a shorter input is read past its end.
03403843 55 push ebp                                   ; standard frame prologue
03403844 8BEC mov ebp,esp
03403846 81EC 28000000 sub esp,0x28                    ; 0x28 bytes of locals
0340384C C745 FC 0000000>mov dword ptr ss:,0x0         ; [ebp-4]   = 0 (converted input, set below)
03403853 C745 F8 0000000>mov dword ptr ss:,0x0         ; [ebp-8]   = 0 (loop counter slot)
0340385A C745 F4 0000000>mov dword ptr ss:,0x0         ; [ebp-0xC] = 0 (running result)
03403861 68 04000080 push 0x80000004                   ; arg 4: tag 0x80000004 (meaning not shown in this listing)
03403866 6A 00 push 0x0                                ; arg 3
03403868 8B5D 08 mov ebx,dword ptr ss:                 ; ebx = [ebp+8], the single stack argument
0340386B 8B03 mov eax,dword ptr ds:                    ; eax = [ebx]
0340386D 85C0 test eax,eax
0340386F 75 05 jnz short 03403876
03403871 B8 FDED4903 mov eax,0x349EDFD                 ; null -> substitute 0x349EDFD (presumably a default/empty value)
03403876 50 push eax                                   ; arg 2: value (or the substitute)
03403877 68 01000000 push 0x1                          ; arg 1
0340387C BB 00B54103 mov ebx,0x341B500                 ; table address handed to the thunk in ebx
03403881 E8 1F6C0100 call 0341A4A5
03403886 83C4 10 add esp,0x10                          ; caller pops the 4 args
03403889 8945 F0 mov dword ptr ss:,eax                 ; [ebp-0x10] = result
0340388C 8B45 F0 mov eax,dword ptr ss:                 ; eax = [ebp-0x10]
0340388F 50 push eax                                   ; keep the result across the release below
03403890 8B5D FC mov ebx,dword ptr ss:                 ; ebx = old [ebp-4] (zero on this path)
03403893 85DB test ebx,ebx
03403895 74 09 je short 034038A0                       ; nothing to release when null
03403897 53 push ebx
03403898 E8 FC6B0100 call 0341A499                     ; release old [ebp-4]
0340389D 83C4 04 add esp,0x4
034038A0 58 pop eax ; 034037E3                         ; eax = result again
034038A1 8945 FC mov dword ptr ss:,eax                 ; [ebp-4] = converted input
034038A4 33C9 xor ecx,ecx ; ntdll.7C93003D             ; ecx = 0, loop counter
034038A6 8D45 F8 lea eax,dword ptr ss:                 ; eax = &[ebp-8]
034038A9 8BD8 mov ebx,eax                              ; ebx = &[ebp-8] (counter slot address)
034038AB 41 inc ecx ; ntdll.7C93003D                   ; loop top: counter += 1 (runs for 1..0x20)
034038AC 51 push ecx ; ntdll.7C93003D                  ; save counter for the body; restored at 0340394D
034038AD 53 push ebx                                   ; save slot address; restored at 0340394C
034038AE 890B mov dword ptr ds:,ecx ; ntdll.7C93003D   ; [ebp-8] = counter
034038B0 83F9 20 cmp ecx,0x20
034038B3 0F8F 9A000000 jg 03403953                     ; exit after 32 iterations (fixed count, see NOTE in header)
034038B9 8B5D FC mov ebx,dword ptr ss:                 ; ebx = [ebp-4] (converted input buffer)
034038BC 8B0B mov ecx,dword ptr ds:                    ; ecx = [ebx], dword at the start of the buffer
034038BE 41 inc ecx ; ntdll.7C93003D
034038BF C1E1 02 shl ecx,0x2                           ; ([buffer]+1)*4
034038C2 03D9 add ebx,ecx ; ntdll.7C93003D             ; ebx = buffer + ([buffer]+1)*4
034038C4 53 push ebx
034038C5 8B45 F8 mov eax,dword ptr ss:                 ; eax = counter
034038C8 48 dec eax                                    ; counter - 1 (zero-based index)
034038C9 5B pop ebx ; 034037E3
034038CA 03D8 add ebx,eax                              ; ebx = buffer + ([buffer]+1)*4 + counter-1
034038CC 895D F0 mov dword ptr ss:,ebx                 ; [ebp-0x10] = byte address
034038CF 8B5D F0 mov ebx,dword ptr ss:
034038D2 8A03 mov al,byte ptr ds:                      ; al = the selected byte
034038D4 25 FF000000 and eax,0xFF                      ; zero-extend al -> eax
034038D9 8945 E8 mov dword ptr ss:,eax                 ; [ebp-0x18] = byte value
034038DC DB45 E8 fild dword ptr ss:                    ; st0 = (double)byte
034038DF DD5D E8 fstp qword ptr ss:                    ; [ebp-0x18..-0x11] = that double
034038E2 DD45 E8 fld qword ptr ss:
034038E5 DC05 D7AE4B03 fadd qword ptr ds:              ; += qword constant at 0x34BAED7 (its value is not in this listing)
034038EB DD5D E0 fstp qword ptr ss:                    ; [ebp-0x20..-0x19] = byte + constant
034038EE 68 01060080 push 0x80000601                   ; arg 4: tag 0x80000601
034038F3 FF75 E4 push dword ptr ss:                    ; arg 3: high dword of the double ([ebp-0x1C])
034038F6 FF75 E0 push dword ptr ss:                    ; arg 2: low dword of the double ([ebp-0x20])
034038F9 68 01000000 push 0x1                          ; arg 1
034038FE BB 00B54103 mov ebx,0x341B500
03403903 E8 9D6B0100 call 0341A4A5                     ; convert the double
03403908 83C4 10 add esp,0x10
0340390B 8945 DC mov dword ptr ss:,eax                 ; [ebp-0x24] = converted per-byte value
0340390E FF75 DC push dword ptr ss:                    ; push [ebp-0x24]
03403911 FF75 F4 push dword ptr ss:                    ; push [ebp-0xC] (running result)
03403914 B9 02000000 mov ecx,0x2                       ; ecx = 2 (argument count, presumably)
03403919 E8 97D8FEFF call 033F11B5                     ; combine running result with the new value
0340391E 83C4 08 add esp,0x8
03403921 8945 D8 mov dword ptr ss:,eax                 ; [ebp-0x28] = combined value
03403924 8B5D DC mov ebx,dword ptr ss:                 ; release [ebp-0x24] if non-null
03403927 85DB test ebx,ebx
03403929 74 09 je short 03403934
0340392B 53 push ebx
0340392C E8 686B0100 call 0341A499
03403931 83C4 04 add esp,0x4
03403934 8B45 D8 mov eax,dword ptr ss: ; ntdll.7C93003D   ; eax = [ebp-0x28]
03403937 50 push eax                                   ; keep it across the release below
03403938 8B5D F4 mov ebx,dword ptr ss:                 ; release old [ebp-0xC] if non-null
0340393B 85DB test ebx,ebx
0340393D 74 09 je short 03403948
0340393F 53 push ebx
03403940 E8 546B0100 call 0341A499
03403945 83C4 04 add esp,0x4
03403948 58 pop eax ; 034037E3
03403949 8945 F4 mov dword ptr ss:,eax                 ; [ebp-0xC] = combined value
0340394C 5B pop ebx ; 034037E3                         ; restore counter slot address
0340394D 59 pop ecx ; 034037E3                         ; restore counter
0340394E^ E9 58FFFFFF jmp 034038AB                     ; next iteration
03403953 83C4 08 add esp,0x8                           ; loop exit: discard the ecx/ebx pushed at 034038AC/034038AD
03403956 68 05000080 push 0x80000005                   ; arg 4: tag 0x80000005
0340395B 6A 00 push 0x0                                ; arg 3
0340395D 8B45 F4 mov eax,dword ptr ss:                 ; eax = [ebp-0xC] (final running result)
03403960 85C0 test eax,eax
03403962 75 05 jnz short 03403969
03403964 B8 F5ED4903 mov eax,0x349EDF5                 ; null -> substitute 0x349EDF5
03403969 50 push eax                                   ; arg 2
0340396A 68 01000000 push 0x1                          ; arg 1
0340396F BB A0BD4103 mov ebx,0x341BDA0                 ; a different table address than 0x341B500
03403974 E8 2C6B0100 call 0341A4A5
03403979 83C4 10 add esp,0x10
0340397C 8945 F0 mov dword ptr ss:,eax                 ; [ebp-0x10] = return value
0340397F 8B45 F0 mov eax,dword ptr ss:
03403982 E9 00000000 jmp 03403987                      ; jumps to the very next instruction; a no-op
03403987 50 push eax                                   ; keep the return value across the two releases
03403988 8B5D FC mov ebx,dword ptr ss:                 ; release [ebp-4] if non-null
0340398B 85DB test ebx,ebx
0340398D 74 09 je short 03403998
0340398F 53 push ebx
03403990 E8 046B0100 call 0341A499
03403995 83C4 04 add esp,0x4
03403998 8B5D F4 mov ebx,dword ptr ss:                 ; release [ebp-0xC] if non-null
0340399B 85DB test ebx,ebx
0340399D 74 09 je short 034039A8
0340399F 53 push ebx
034039A0 E8 F46A0100 call 0341A499
034039A5 83C4 04 add esp,0x4
034039A8 58 pop eax ; 034037E3                         ; eax = return value
034039A9 8BE5 mov esp,ebp                              ; epilogue
034039AB 5D pop ebp ; 034037E3
034039AC C2 0400 retn 0x4                              ; callee pops its single argument
坑爹之处1
沙发我留着,有需要在这说明。
小白来支持下
要追注册码写算法才算成功吗
本帖最后由 Heiye_Hack 于 2015-8-7 20:05 编辑
饥饿滴小凤 发表于 2015-8-7 20:00
要追注册码写算法才算成功吗
提醒:程序无壳无花,至于您想用哪种方式来获取成功。。。我只能告诉你,请您把您最恶心的手段使出来,那就是。。。。。。。。【使用任意手段】。。。。。当然,P图的不算。。。
看大神表演
电脑死掉了 要不要这样啊
死机了,等下换个虚拟机,你的CM我一个都不能很好运行,有时正常,有时开不了
卡死也是检测:看 CPU 占用一直不变说明被检测到;如果是 0 的话,可能就是 CM 本身有问题了。
本帖最后由 ollydebug 于 2015-8-8 21:58 编辑
好吧我错了