大神管理员们,看看我的文章,我想要一个邀请码
邮箱:1251464842@qq.com各位大牛好,我是一个小小白,比较喜欢信息安全,为了弄份渗透测试的差事吃了不少苦头,大公司以及中等公司都不要我,小公司地理位置太偏僻,不敢去,这样持续了很久,但丝毫没有打消我的积极性。所以打算继续学习,写一个不是技术贴的技术贴,希望管理员能给我个邀请码,让我继续学习[\泪目]今天我本来想照着教程用Python写一个暴力破解zip的,然后都写完了,发现没有密码字典,于是我就上网搜了一个小型的密码字典,不过发现是要写注册码的,不然的话只能生成1000条:于是乎,因为之前接触过od,所以我打算把它破解了再用。首先用peid查一下壳:
原来是用VB写的,据说vb的会不寻常一点,但是庆幸的是没有壳。那么米娜桑就随我一起看,让我直接载入od吧:少女祈祷中。。。。。。。。。载入成功,我们发现:
好,那这样我们就爆破就好了,看看能不能成功。首先跟随“注册成功”字眼来到反汇编代码的位置:
然后我们找关键跳,看有没有跳过它的:对不起,没找到。由于没有注册失败的提示,所以就别智能搜索“注册失败”了,那么我们找“请输入注册码”下面吧,看看有没有大跳转跳过成功:
还真有一个,代码如下(最后一行是跳到的地方):005199F8 . C785 64FFFFFF>mov dword ptr ss:,真空密码.0040C49>;请输入注册码:00519A02 . C785 5CFFFFFF>mov dword ptr ss:,0x800519A0C . FFD3 call ebx00519A0E . 8D95 6CFFFFFF lea edx,dword ptr ss:00519A14 . 8D85 7CFFFFFF lea eax,dword ptr ss:00519A1A . 52 push edx ;真空密码.<ModuleEntryPoint>00519A1B . 8D4D 8C lea ecx,dword ptrss:00519A1E . 50 push eax ;kernel32.BaseThreadInitThunk00519A1F . 8D55 9C lea edx,dword ptrss:00519A22 . 51 push ecx00519A23 . 8D45 AC lea eax,dword ptrss:00519A26 . 52 push edx ;真空密码.<ModuleEntryPoint>00519A27 . 8D4D BC lea ecx,dword ptrss:00519A2A . 50 push eax ;kernel32.BaseThreadInitThunk00519A2B . 8D55 CC lea edx,dword ptrss:00519A2E . 51 push ecx00519A2F . 52 push edx ;真空密码.<ModuleEntryPoint>00519A30 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#596>] ; msvbvm60.rtcInputBox00519A36 . 8B1D 54124000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaSt>;msvbvm60.__vbaStrMove00519A3C . 8BD0 mov edx,eax ;kernel32.BaseThreadInitThunk00519A3E . 8D4D E8 lea ecx,dword ptrss:00519A41 . FFD3 call ebx ;<&MSVBVM60.__vbaStrMove>00519A43 . 8D85 6CFFFFFF lea eax,dword ptr ss:00519A49 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:00519A4F . 50 push eax ;kernel32.BaseThreadInitThunk00519A50 . 8D55 8C lea edx,dword ptrss:00519A53 . 51 push ecx00519A54 . 8D45 9C lea eax,dword ptrss:00519A57 . 52 push edx ;真空密码.<ModuleEntryPoint>00519A58 . 8D4D AC lea ecx,dword ptrss:00519A5B . 50 push eax ;kernel32.BaseThreadInitThunk00519A5C . 8D55 BC lea edx,dword ptrss:00519A5F . 51 push ecx00519A60 . 8D45 CC lea eax,dword ptrss:00519A63 . 52 push edx ;真空密码.<ModuleEntryPoint>00519A64 . 50 push eax ;kernel32.BaseThreadInitThunk00519A65 .6A07 push 0x700519A67 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList00519A6D . 8B4D E8 mov ecx,dword ptrss:00519A70 . 83C4 20 add esp,0x2000519A73 . 51 push ecx00519A74 .68DCC34000 push 真空密码.0040C3DC00519A79 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>;msvbvm60.__vbaStrCmp00519A7F . 
85C0 test eax,eax ;kernel32.BaseThreadInitThunk00519A81 . 0F84 B3010000 je 真空密码.00519C3A00519A87 . 8B46 34 mov eax,dword ptr ds:00519A8A . 8D4D E0 lea ecx,dword ptrss:00519A8D . 51 push ecx00519A8E . 8B4D E8 mov ecx,dword ptrss:00519A91 . 8B10 mov edx,dword ptrds:00519A93 . 51 push ecx00519A94 . 50 push eax ;kernel32.BaseThreadInitThunk00519A95 . FF52 3C call dword ptrds:00519A98 . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519A9A . DBE2 fclex00519A9C .7D12 jge short 真空密码.00519AB000519A9E . 8B56 34 mov edx,dword ptrds:00519AA1 .6A3C push 0x3C00519AA3 .6818BF4000 push 真空密码.0040BF1800519AA8 . 52 push edx ;真空密码.<ModuleEntryPoint>00519AA9 . 50 push eax ;kernel32.BaseThreadInitThunk00519AAA . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj00519AB0 > 8B55 E0 mov edx,dword ptrss:00519AB3 . 8D4D E8 lea ecx,dword ptrss:00519AB6 . C745 E0 00000>mov dword ptr ss:,0x000519ABD . FFD3 call ebx00519ABF . 8B46 34 mov eax,dword ptrds:00519AC2 . 8B55 E8 mov edx,dword ptrss:00519AC5 .6A03 push 0x300519AC7 . 52 push edx ;真空密码.<ModuleEntryPoint>00519AC8 . 8B08 mov ecx,dword ptrds:00519ACA . 50 push eax ;kernel32.BaseThreadInitThunk00519ACB . FF51 28 call dword ptrds:00519ACE . 85C0 test eax,eax ;kernel32.BaseThreadInitThunk00519AD0 . DBE2 fclex00519AD2 .7D12 jge short 真空密码.00519AE600519AD4 . 8B4E 34 mov ecx,dword ptrds:00519AD7 .6A28 push 0x2800519AD9 .6818BF4000 push 真空密码.0040BF1800519ADE . 51 push ecx00519ADF . 50 push eax ;kernel32.BaseThreadInitThunk00519AE0 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj00519AE6 > 8B46 34 mov eax,dword ptrds:00519AE9 . 8D8D F8FEFFFF lea ecx,dword ptr ss:00519AEF . 51 push ecx00519AF0 . 50 push eax ; kernel32.BaseThreadInitThunk00519AF1 . 8B10 mov edx,dword ptrds:00519AF3 . FF52 48 call dword ptrds:00519AF6 . 85C0 test eax,eax ;kernel32.BaseThreadInitThunk00519AF8 . DBE2 fclex00519AFA .7D12 jge short 真空密码.00519B0E00519AFC . 
8B56 34 mov edx,dword ptrds:00519AFF .6A48 push 0x4800519B01 .6818BF4000 push 真空密码.0040BF1800519B06 . 52 push edx ;真空密码.<ModuleEntryPoint>00519B07 . 50 push eax ;kernel32.BaseThreadInitThunk00519B08 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj00519B0E > 66:83BD F8FEF>cmp word ptr ss:,0xFFFF00519B16 .^ 0F85 45FEFFFF jnz 真空密码.0051996100519B1C . 8B45 E8 mov eax,dword ptrss:00519B1F .68C4C44000 push 真空密码.0040C4C4 ;update ZKSys_Sys set sysinfo='00519B24 . 50 push eax ; /String ="?U嬱吷卽."00519B25 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;\__vbaStrCat00519B2B . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk00519B2D . 8D4D E0 lea ecx,dword ptrss:00519B30 . FFD3 call ebx00519B32 . 50 push eax ;kernel32.BaseThreadInitThunk00519B33 .6808C54000 push 真空密码.0040C508 ; /'00519B38 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;\__vbaStrCat00519B3E . 8BD0 mov edx,eax ;kernel32.BaseThreadInitThunk00519B40 .8D4DE4 lea ecx,dword ptr ss:00519B43 . FFD3 call ebx00519B45 . 8D4D E0 lea ecx,dword ptrss:00519B48 . FF15 8C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>;msvbvm60.__vbaFreeStr00519B4E .8B4DE4 mov ecx,dword ptr ss:00519B51 .6A00 push 0x000519B53 . 51 push ecx00519B54 .E8470D0000 call 真空密码.0051A8A000519B59 .B804000280 mov eax,0x8002000400519B5E . 8D95 5CFFFFFF lea edx,dword ptr ss:00519B64 . 8D4D CC lea ecx,dword ptrss:00519B67 . 8945 A4 mov dword ptrss:,eax ;kernel32.BaseThreadInitThunk00519B6A . 897D 9C mov dword ptrss:,edi00519B6D .8945B4 mov dword ptrss:,eax ;kernel32.BaseThreadInitThunk00519B70 . 897D AC mov dword ptrss:,edi00519B73 . 8945 C4 mov dword ptrss:,eax ;kernel32.BaseThreadInitThunk00519B76 . 897D BC mov dword ptrss:,edi00519B79 . C785 64FFFFFF>mov dword ptr ss:,真空密码.0040C51>;注册成功!!00519B83 . C785 5CFFFFFF>mov dword ptr ss:,0x800519B8D . FF15 1C124000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;msvbvm60.__vbaVarDup00519B93 . 8D55 9C lea edx,dword ptrss:00519B96 . 
8D45 AC lea eax,dword ptrss:00519B99 . 52 push edx ;真空密码.<ModuleEntryPoint>00519B9A .8D4DBC lea ecx,dword ptr ss:00519B9D . 50 push eax ;kernel32.BaseThreadInitThunk00519B9E . 51 push ecx00519B9F . 8D55 CC lea edx,dword ptrss:00519BA2 .6A00 push 0x000519BA4 . 52 push edx ;真空密码.<ModuleEntryPoint>00519BA5 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#595>] ; msvbvm60.rtcMsgBox00519BAB . 8D45 9C lea eax,dword ptrss:00519BAE . 8D4D AC lea ecx,dword ptrss:00519BB1 . 50 push eax ;kernel32.BaseThreadInitThunk00519BB2 . 8D55 BC lea edx,dword ptrss:00519BB5 . 51 push ecx00519BB6 . 8D45 CC lea eax,dword ptrss:00519BB9 . 52 push edx ;真空密码.<ModuleEntryPoint>00519BBA . 50 push eax ;kernel32.BaseThreadInitThunk00519BBB .6A04 push 0x400519BBD . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;msvbvm60.__vbaFreeVarList00519BC3 . 8B0E mov ecx,dword ptrds:00519BC5 . 83C4 14 add esp,0x1400519BC8 . 56 push esi00519BC9 . FF91 34030000 call dword ptr ds:00519BCF . 8B1D A0104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaOb>;msvbvm60.__vbaObjSet00519BD5 . 8D55 DC lea edx,dword ptrss:00519BD8 .50 push eax ;kernel32.BaseThreadInitThunk00519BD9 . 52 push edx ;真空密码.<ModuleEntryPoint>00519BDA . FFD3 call ebx ;<&MSVBVM60.__vbaObjSet>00519BDC . 8BF8 mov edi,eax ;kernel32.BaseThreadInitThunk00519BDE .6A00 push 0x000519BE0 . 57 push edi00519BE1 . 8B07 mov eax,dword ptrds:00519BE3 . FF50 5C call dword ptrds:00519BE6 . 85C0 test eax,eax ;kernel32.BaseThreadInitThunk00519BE8 . DBE2 fclex00519BEA .7D0F jge short 真空密码.00519BFB00519BEC .6A5C push 0x5C00519BEE .68C4C04000 push 真空密码.0040C0C400519BF3 . 57 push edi00519BF4 . 50 push eax ;kernel32.BaseThreadInitThunk00519BF5 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj00519BFB > 8B3D 88124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFr>;msvbvm60.__vbaFreeObj00519C01 . 8D4D DC lea ecx,dword ptrss:00519C04 . FFD7 call edi ;<&MSVBVM60.__vbaFreeObj>00519C06 . 8B0E mov ecx,dword ptrds:00519C08 . 56 push esi00519C09 . 
FF91 30030000 call dword ptr ds:00519C0F . 8D55 DC lea edx,dword ptrss:00519C12 . 50 push eax ;kernel32.BaseThreadInitThunk00519C13 . 52 push edx ;真空密码.<ModuleEntryPoint>00519C14 . FFD3 call ebx00519C16 .8BF0 mov esi,eax ;kernel32.BaseThreadInitThunk00519C18 .6A00 push 0x000519C1A . 56 push esi00519C1B . 8B06 mov eax,dword ptrds:00519C1D . FF50 5C call dword ptrds:00519C20 . 85C0 test eax,eax ;kernel32.BaseThreadInitThunk00519C22 . DBE2 fclex00519C24 .7D0F jge short 真空密码.00519C3500519C26 .6A5C push 0x5C00519C28 .68C4C04000 push 真空密码.0040C0C400519C2D . 56 push esi00519C2E . 50 push eax ;kernel32.BaseThreadInitThunk00519C2F . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj00519C35 > 8D4D DC lea ecx,dword ptrss:00519C38 . FFD7 call edi00519C3A > C745 FC 00000>mov dword ptr ss:,0x0他是je跳转,我觉得要不然把它改成jne吧,这样一来只要我输入的不正确它都可以跳转注册成功了。
保存一个试试:原来不可以,还和没注册是一样的。好像都不行,那我就跟着程序跑一下吧,我在“请输入注册码”处不输入,看看它能跑到哪里去,发现这个程序一运行到一个jnz,它就会跳到上面去
那么我们改上面这个比较就行了,把0xFFFF改成1,看它还跳不跳,果然不跳了。输入任意错误码,注册成功!
虽然是个很简单的软件,还是希望大牛能给我个邀请码,很喜欢信息安全,但是接触时间短,希望能早日进入这个圈子,谢谢大神们
发申请帖起码应该好好阅读下申请规则,把格式写正确了,未能达到申请要求,申请不通过,可以关注论坛官方微信(吾爱破解论坛),等待开放注册通知,下个月暑假应该会开放注册,可以到时候自己来注册。
紧跟H大{:301_1001:}
都是牛人
想学习,就买码