Cracking a teaching-robot 3D simulation program (good practice for beginners)
This post was last edited by 无闻无问 on 2018-3-19 11:30. I'm a newbie who has just started; please forgive any shallow analysis……
Software: 3D Simulation Education Software Standard Edition v1.1
Download: https://pan.baidu.com/s/1c2NByA
Link: https://pan.baidu.com/s/1dwZ4XlmtI2aC_Tsr7RSBjQ Password: 7eeb
Tool: OllyDbg (OD)
Environment: Windows XP virtual machine
Goal: crack the network-edition feature.
Load it in OD and run the program; the following screen appears:
Click "Network Edition" and a login dialog pops up:
Enter a fake code; an error dialog pops up:
OK, back to OD. Search for strings in the program's own module…… heh, all English and garbage…… everything is encrypted……. Fine: since a dialog popped up, set a dialog breakpoint on CreateWindowExW. With the breakpoint in place, click "Login" again and it breaks successfully:
Then Alt+K to open the call stack:
Inside the red line in the call stack you can see where the message box (information) is called from: 0041F368
=================================================================
调用堆栈: 主线程, 条目 19
地址=0013AA40
堆栈=0041F36E
函数过程 / 参数=QtGui4.QMessageBox::information
调用来自=RoBoSim.0041F368
=================================================================
Select it, right-click and choose "Show call"; this lands in the program's own code. Go up to the function head:
Select it; in the immediate window below you can see many calls. Right-click and jump to
0041F177|.E8 54000000 call RoBoSim.0041F1D0
Trace back upward and find the head:
0041F0B0/$55 push ebp
Set a breakpoint with F2, disable the other breakpoints, run with F9 and click "Login" again; OD breaks once more:
Now look at the call stack:
0013AB30 00433073返回到 RoBoSim.00433073 来自 RoBoSim.0041F0B0
Select it, right-click, "Follow in Disassembler", and arrive here:
Trace further upward; anyone who knows a little English will find plenty of useful information here. Find the function head and set a breakpoint again; this is the button event handler that runs after clicking "Login":
Then step with F8, keep setting breakpoints with F2 and running with F9 to analyze; I'll just paste the results here.
00432EA0 55 push ebp ; event handler that runs after clicking the "OK" button
00432EA1 8BEC mov ebp,esp
00432EA3 6A FF push -0x1
00432EA5 68 F3D74D00 push RoBoSim.004DD7F3
00432EAA 64:A1 00000000 mov eax,dword ptr fs:[0]
00432EB0 50 push eax
00432EB1 81EC 9C000000 sub esp,0x9C
00432EB7 A1 BC8E5700 mov eax,dword ptr ds:[0x578EBC]
00432EBC 33C5 xor eax,ebp
00432EBE 50 push eax
00432EBF 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00432EC2 64:A3 00000000 mov dword ptr fs:[0],eax
00432EC8 894D A0 mov dword ptr ss:[ebp-0x60],ecx
00432ECB 833D 489B5700 02 cmp dword ptr ds:[0x579B48],0x2
00432ED2 74 05 je short RoBoSim.00432ED9 ; after changing to jnz, F9 gives "unable to connect to server"
00432ED4 E9 F2020000 jmp RoBoSim.004331CB
00432ED9 51 push ecx
00432EDA 8BCC mov ecx,esp
00432EDC 8965 CC mov dword ptr ss:[ebp-0x34],esp
00432EDF 6A 01 push 0x1
00432EE1 E8 DA71FFFF call RoBoSim.0042A0C0
00432EE6 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; RoBoSim.00579B80
00432EE9 50 push eax
00432EEA 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
00432EED FF15 EC764F00 call dword ptr ds:[<&QtCore4.QDataStream>] ; QtCore4.QDataStream::QDataStream
00432EF3 C745 FC 00000000 mov dword ptr ss:[ebp-0x4],0x0
00432EFA 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
00432EFD FF15 18784F00 call dword ptr ds:[<&QtCore4.QString::QS>] ; QtCore4.QString::QString
00432F03 C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00432F07 68 689B5700 push RoBoSim.00579B68
00432F0C 68 649B5700 push RoBoSim.00579B64
00432F11 68 609B5700 push RoBoSim.00579B60
00432F16 68 509B5700 push RoBoSim.00579B50
00432F1B 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
00432F1E 51 push ecx
00432F1F 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
00432F22 52 push edx
00432F23 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
00432F26 50 push eax
00432F27 FF15 98774F00 call dword ptr ds:[<&QtCore4.operator>>>] ; QtCore4.operator>>
00432F2D 83C4 08 add esp,0x8
00432F30 8BC8 mov ecx,eax
00432F32 FF15 38764F00 call dword ptr ds:[<&QtCore4.QDataStream>] ; QtCore4.QDataStream::operator>>
00432F38 8BC8 mov ecx,eax
00432F3A FF15 94774F00 call dword ptr ds:[<&QtCore4.QDataStream>] ; QtCore4.QDataStream::operator>>
00432F40 50 push eax
00432F41 FF15 98774F00 call dword ptr ds:[<&QtCore4.operator>>>] ; QtCore4.operator>>
00432F47 83C4 08 add esp,0x8
00432F4A 50 push eax
00432F4B FF15 98774F00 call dword ptr ds:[<&QtCore4.operator>>>] ; QtCore4.operator>>
00432F51 83C4 08 add esp,0x8
00432F54 50 push eax
00432F55 FF15 98774F00 call dword ptr ds:[<&QtCore4.operator>>>] ; QtCore4.operator>>
00432F5B 83C4 08 add esp,0x8
00432F5E 68 D0F94F00 push RoBoSim.004FF9D0 ; Login
00432F63 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
00432F66 FF15 3C764F00 call dword ptr ds:[<&QtCore4.QString::op>] ; QtCore4.QString::operator!=
00432F6C 0FB6C8 movzx ecx,al
00432F6F 85C9 test ecx,ecx
00432F71 74 20 je short RoBoSim.00432F93 ; after changing to jne, the "server communication error" prompt appears
00432F73 8B55 A0 mov edx,dword ptr ss:[ebp-0x60]
00432F76 C642 15 00 mov byte ptr ds:[edx+0x15],0x0
00432F7A B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
00432F7F E8 9C99FEFF call RoBoSim.0041C920
00432F84 6A 03 push 0x3
00432F86 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
00432F89 E8 D2FBFFFF call RoBoSim.00432B60
00432F8E E9 1B020000 jmp RoBoSim.004331AE
00432F93 837D EC 00 cmp dword ptr ss:[ebp-0x14],0x0
00432F97 74 1F je short RoBoSim.00432FB8 ; looks like the key jump; after changing it to je, the main program came up, but the title bar was empty……
00432F99 B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
00432F9E E8 CDA2FEFF call RoBoSim.0041D270
00432FA3 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
00432FA6 8B10 mov edx,dword ptr ds:[eax]
00432FA8 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
00432FAB 8B82 CC000000 mov eax,dword ptr ds:[edx+0xCC]
00432FB1 FFD0 call eax
00432FB3 E9 F6010000 jmp RoBoSim.004331AE
00432FB8 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
00432FBB C641 15 00 mov byte ptr ds:[ecx+0x15],0x0
00432FBF B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
00432FC4 E8 5799FEFF call RoBoSim.0041C920
00432FC9 6A 00 push 0x0
00432FCB 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
00432FCE E8 8DFBFFFF call RoBoSim.00432B60
00432FD3 837D EC 01 cmp dword ptr ss:[ebp-0x14],0x1
00432FD7 74 06 je short RoBoSim.00432FDF
00432FD9 837D EC 02 cmp dword ptr ss:[ebp-0x14],0x2
00432FDD 75 20 jnz short RoBoSim.00432FFF
00432FDF 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
00432FE2 52 push edx
00432FE3 8D45 C8 lea eax,dword ptr ss:[ebp-0x38]
00432FE6 50 push eax
00432FE7 B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
00432FEC E8 3F9AFEFF call RoBoSim.0041CA30
00432FF1 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
00432FF4 FF15 10784F00 call dword ptr ds:[<&QtCore4.QString::~Q>] ; QtCore4.QXmlStreamStringRef::~QXmlStreamStringRef
00432FFA E9 AF010000 jmp RoBoSim.004331AE
00432FFF 837D EC 03 cmp dword ptr ss:[ebp-0x14],0x3
00433003 75 73 jnz short RoBoSim.00433078
00433005 83EC 1C sub esp,0x1C
00433008 8BCC mov ecx,esp
0043300A 8965 C4 mov dword ptr ss:[ebp-0x3C],esp
0043300D 68 D8F94F00 push RoBoSim.004FF9D8 ; sPass
00433012 FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
00433018 8945 9C mov dword ptr ss:[ebp-0x64],eax
0043301B 8B4D 9C mov ecx,dword ptr ss:[ebp-0x64]
0043301E 894D 98 mov dword ptr ss:[ebp-0x68],ecx
00433021 C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00433025 83EC 1C sub esp,0x1C
00433028 8BCC mov ecx,esp
0043302A 8965 C0 mov dword ptr ss:[ebp-0x40],esp
0043302D 68 E0F94F00 push RoBoSim.004FF9E0 ; slot_GetMsg
00433032 FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
00433038 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0043303B 8B55 94 mov edx,dword ptr ss:[ebp-0x6C] ; ntdll.7C92E900
0043303E 8955 90 mov dword ptr ss:[ebp-0x70],edx
00433041 C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
00433045 83EC 1C sub esp,0x1C
00433048 8BCC mov ecx,esp
0043304A 8965 BC mov dword ptr ss:[ebp-0x44],esp
0043304D 68 ECF94F00 push RoBoSim.004FF9EC ; CLoginDlg
00433052 FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
00433058 8945 8C mov dword ptr ss:[ebp-0x74],eax
0043305B 8B45 8C mov eax,dword ptr ss:[ebp-0x74]
0043305E 8945 88 mov dword ptr ss:[ebp-0x78],eax
00433061 C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00433065 C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00433069 B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
0043306E E8 3DC0FEFF call RoBoSim.0041F0B0 ; ? the error message box appears
00433073 E9 36010000 jmp RoBoSim.004331AE
00433078 837D EC 04 cmp dword ptr ss:[ebp-0x14],0x4
0043307C 0F85 85000000 jnz RoBoSim.00433107 ; changing the Z flag gives the "account not activated" prompt
00433082 83EC 1C sub esp,0x1C
00433085 8BCC mov ecx,esp
00433087 8965 B8 mov dword ptr ss:[ebp-0x48],esp
0043308A 68 F8F94F00 push RoBoSim.004FF9F8 ; sUse
0043308F FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
00433095 8945 84 mov dword ptr ss:[ebp-0x7C],eax
00433098 8B4D 84 mov ecx,dword ptr ss:[ebp-0x7C]
0043309B 894D 80 mov dword ptr ss:[ebp-0x80],ecx
0043309E C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
004330A2 83EC 1C sub esp,0x1C
004330A5 8BCC mov ecx,esp
004330A7 8965 B4 mov dword ptr ss:[ebp-0x4C],esp
004330AA 68 00FA4F00 push RoBoSim.004FFA00 ; slot_GetMsg
004330AF FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
004330B5 8985 7CFFFFFF mov dword ptr ss:[ebp-0x84],eax
004330BB 8B95 7CFFFFFF mov edx,dword ptr ss:[ebp-0x84]
004330C1 8995 78FFFFFF mov dword ptr ss:[ebp-0x88],edx
004330C7 C645 FC 06 mov byte ptr ss:[ebp-0x4],0x6
004330CB 83EC 1C sub esp,0x1C
004330CE 8BCC mov ecx,esp
004330D0 8965 B0 mov dword ptr ss:[ebp-0x50],esp
004330D3 68 0CFA4F00 push RoBoSim.004FFA0C ; CLoginDlg
004330D8 FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
004330DE 8985 74FFFFFF mov dword ptr ss:[ebp-0x8C],eax
004330E4 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-0x8C]
004330EA 8985 70FFFFFF mov dword ptr ss:[ebp-0x90],eax
004330F0 C645 FC 07 mov byte ptr ss:[ebp-0x4],0x7
004330F4 C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
004330F8 B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
004330FD E8 AEBFFEFF call RoBoSim.0041F0B0
00433102 E9 A7000000 jmp RoBoSim.004331AE
00433107 0FB60D D89A5700 movzx ecx,byte ptr ds:[0x579AD8]
0043310E 85C9 test ecx,ecx
00433110 75 06 jnz short RoBoSim.00433118
00433112 837D EC 05 cmp dword ptr ss:[ebp-0x14],0x5
00433116 75 0D jnz short RoBoSim.00433125
00433118 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
0043311B E8 20FBFFFF call RoBoSim.00432C40
00433120 E9 89000000 jmp RoBoSim.004331AE
00433125 83EC 1C sub esp,0x1C
00433128 8BCC mov ecx,esp
0043312A 8965 AC mov dword ptr ss:[ebp-0x54],esp
0043312D 68 18FA4F00 push RoBoSim.004FFA18 ; sMatch
00433132 FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
00433138 8985 6CFFFFFF mov dword ptr ss:[ebp-0x94],eax
0043313E 8B95 6CFFFFFF mov edx,dword ptr ss:[ebp-0x94]
00433144 8995 68FFFFFF mov dword ptr ss:[ebp-0x98],edx
0043314A C645 FC 08 mov byte ptr ss:[ebp-0x4],0x8
0043314E 83EC 1C sub esp,0x1C
00433151 8BCC mov ecx,esp
00433153 8965 A8 mov dword ptr ss:[ebp-0x58],esp
00433156 68 20FA4F00 push RoBoSim.004FFA20 ; slot_GetMsg
0043315B FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
00433161 8985 64FFFFFF mov dword ptr ss:[ebp-0x9C],eax
00433167 8B85 64FFFFFF mov eax,dword ptr ss:[ebp-0x9C]
0043316D 8985 60FFFFFF mov dword ptr ss:[ebp-0xA0],eax
00433173 C645 FC 09 mov byte ptr ss:[ebp-0x4],0x9
00433177 83EC 1C sub esp,0x1C
0043317A 8BCC mov ecx,esp
0043317C 8965 A4 mov dword ptr ss:[ebp-0x5C],esp
0043317F 68 2CFA4F00 push RoBoSim.004FFA2C ; CLoginDlg
00433184 FF15 10714F00 call dword ptr ds:[<&MSVCP90.std::basic_>] ; msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> >
0043318A 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax
00433190 8B8D 5CFFFFFF mov ecx,dword ptr ss:[ebp-0xA4] ; ntdll.7C930098
00433196 898D 58FFFFFF mov dword ptr ss:[ebp-0xA8],ecx
0043319C C645 FC 0A mov byte ptr ss:[ebp-0x4],0xA
004331A0 C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
004331A4 B9 D09A5700 mov ecx,RoBoSim.00579AD0 ; 幸O
004331A9 E8 02BFFEFF call RoBoSim.0041F0B0
004331AE C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
004331B2 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
004331B5 FF15 10784F00 call dword ptr ds:[<&QtCore4.QString::~Q>] ; QtCore4.QXmlStreamStringRef::~QXmlStreamStringRef
004331BB C745 FC FFFFFFFF mov dword ptr ss:[ebp-0x4],-0x1
004331C2 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
004331C5 FF15 A8774F00 call dword ptr ds:[<&QtCore4.QDataStream>] ; QtCore4.QDataStream::~QDataStream
004331CB 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
004331CE 64:890D 00000000 mov dword ptr fs:[0],ecx
004331D5 59 pop ecx
004331D6 8BE5 mov esp,ebp
004331D8 5D pop ebp
004331D9 C2 0400 retn 0x4
=========================================================================================
After the analysis, NOP out the line 00432F97 74 1F je short RoBoSim.00432FB8 and save; the account login check is successfully cracked……
=========================================================================================
Corrected and re-edited on 2018-3-19
Thanks to Hmily for the reminder: the line 00432F97 74 1F je short RoBoSim.00432FB8 should be NOPed out, to guard against the case where an account actually logs in. I'm now attaching the process for the login dialog that pops up again every few seconds after entering the main program. Thanks again to everyone for your attention, and thanks for the advice……
Load the NOPed program from above in OD and start it into the main program (the main program must actually be running), then set a breakpoint on ShowWindow. When the login window is about to pop up again, it breaks at the place below:
77D2AF56 >B8 2B120000 mov eax,0x122B breaks here; at this point the stack shows:
0012CE10 65086A70/CALL 到 ShowWindow 来自 QtGui4.65086A6A
0012CE14 001C08CE|hWnd = 001C08CE ('登录',class='QWidget')
0012CE18 00000001\ShowState = SW_SHOWNORMAL
After it breaks, open the call stack again (Alt+K) and look for the following telltale text (Dialog means a dialog box); select the red-framed row and right-click "Show call":
地址 0012CF58堆栈=00451684函数过程 / 参数=QtGui4.QDialog::exec 调用来自=RoBoSim?0045167E
Arriving in the program's own code:
0045167E|.FF15 F4834F00 call dword ptr ds:[<&QtGui4.QDialog::exe>;QtGui4.QDialog::exec
Trace back upward, select the first line of the block, select the red-framed row in the immediate window below, right-click and go to 004515FF |.E8 3C000000 call RoBoSim?00451640:
Now we have arrived at the place that triggers the repeated login check; handle it as shown in the picture and save:
This is my first post; if it breaks any rules, mods please delete it, and if anything is wrong, I welcome corrections from the experts…… Thanks.
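The post shows that the whole network-edition check collapses to one conditional jump (00432F97) that can be replaced by two NOPs. From the developer's side, the usual counter-measure is a runtime integrity check of the code region: store a checksum of the function at build time, recompute it at run time, and refuse to continue (or report) when it differs. The following is an added example, not code from the post or from the RoBoSim program; the byte arrays are constructed sample data copied from the listing above (the cmp / je / mov at 00432F93..00432F9E), with the second array holding the NOPed variant the post describes. The function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: the three instructions around the patched jump, bytes
 * taken from the post's listing (not read from the real binary here):
 *   00432F93  83 7D EC 00     cmp dword ptr [ebp-0x14],0
 *   00432F97  74 1F           je short 00432FB8
 *   00432F99  B9 D0 9A 57 00  mov ecx,0x579AD0                         */
const uint8_t kReferenceCode[] = {
    0x83, 0x7D, 0xEC, 0x00,
    0x74, 0x1F,
    0xB9, 0xD0, 0x9A, 0x57, 0x00
};

/* The same region after the patch the post applies: je -> nop nop. */
const uint8_t kPatchedCode[] = {
    0x83, 0x7D, 0xEC, 0x00,
    0x90, 0x90,
    0xB9, 0xD0, 0x9A, 0x57, 0x00
};

const size_t kCodeLen = sizeof(kReferenceCode);

/* 32-bit FNV-1a over a code region. A release build would compute this
 * value once at build time and embed it; any byte change alters it. */
uint32_t code_checksum(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* 1 if the region still matches the expected checksum, else 0. */
int code_region_intact(const uint8_t *p, size_t n, uint32_t expected) {
    return code_checksum(p, n) == expected;
}

/* Offset of the first byte that differs from the reference copy,
 * or -1 if the two regions are identical. Useful when a checksum
 * mismatch has to be explained: it pinpoints the modified instruction. */
long first_modified_offset(const uint8_t *ref, const uint8_t *cur, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ref[i] != cur[i]) return (long)i;
    return -1;
}

/* 1 if the two bytes at off were a short conditional jump (opcode 0x70..0x7F
 * followed by a rel8) in the reference and are now two NOPs in the current
 * copy: the exact shape of the patch described in the post. */
int is_jcc_nopped(const uint8_t *ref, const uint8_t *cur, size_t n, size_t off) {
    if (off + 2 > n) return 0;
    int was_jcc = (ref[off] & 0xF0) == 0x70;
    return was_jcc && cur[off] == 0x90 && cur[off + 1] == 0x90;
}

int main(void) {
    uint32_t expected = code_checksum(kReferenceCode, kCodeLen);
    printf("reference intact: %d\n", code_region_intact(kReferenceCode, kCodeLen, expected));
    printf("patched intact:   %d\n", code_region_intact(kPatchedCode, kCodeLen, expected));
    long off = first_modified_offset(kReferenceCode, kPatchedCode, kCodeLen);
    printf("first modified offset: %ld (00432F93 + 4 = 00432F97)\n", off);
    printf("jcc replaced by NOPs: %d\n",
           is_jcc_nopped(kReferenceCode, kPatchedCode, kCodeLen, (size_t)off));
    return 0;
}
```

A checksum alone only tells the program that something changed; `first_modified_offset` and `is_jcc_nopped` show how a defender can turn the mismatch into a precise finding (which instruction, and that it was a jump turned into NOPs). The real mitigation the post's notes point at, though, is that a client-side jump should never be the only thing standing between a fake code and the main program: the server's answer must be what unlocks functionality.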
gxggxy103 posted on 2018-3-17 20:49
I can log in, but after using it for a while the login gets dropped automatically. Not sure whether I did something wrong or what.
Right, there is the problem of the login popping up again every few seconds; I didn't post that part. You need to set another dialog breakpoint and change one of the jumps to get rid of it…
gxggxy103 posted on 2018-3-18 12:58
It's not just the popup problem: the login gets disconnected, that is, all of the software's post-login functions stop working.
For the popup problem, set a ShowWindow breakpoint and change one of the jumps…… then it no longer pops up and all functions work normally; I've tested it……
Impressive. As a newbie I stared blankly through the whole process, and you cracked it successfully,,, while I'm still staring blankly and don't get it。。。
Total newbie, completely lost
What knowledge does this need? Assembly, I suppose? I'm a freshman, only learned C so far, and just started data structures.. haha, can't follow
Newbie here, totally unmoved, even tempted to go do homework instead
rohero posted on 2018-3-16 18:07
What knowledge does this need? Assembly, I suppose? I'm a freshman, only learned C so far, and just started data structures.. haha, can't follow
Yeah, some assembly, some programming as well, and then knowing how to use the debugger OD…
Newbie here, haven't even got started, feeling sad
Powerful, OP
Very deep stuff