惮殃
Posted on 2020-1-27 06:11
Total newbie here, with limited learning experience; please don't laugh at me.
...watched 2 episodes of the 52 beginner tutorial
...read a few chapters of the OllyDbg zero-basics chm document, and killed one pop-up in a crackme..
A couple of days ago I saw the myBase tutorial on 52pojie, https://www.52pojie.cn/thread-611328-1-1.html
so I got started...
Since I am a myBase user myself, and there happen to be 2 myBase tutorials on the 52 forum, though they are for version 7.0.
There is also a ready-made 7.1 online, but this time it was purely for practice.. the result of two evenings.
First, 7.1...
I will skip the process from Registration to AL. 7.0 and 7.1 differ very little,
there are just a few small deviations. Here is a copy of the breakpoints directly.
The final patch point is at 0074B233: change XOR to OR so that EBX is always 1, which eventually gets passed along to EAX.
I traced backwards starting from MOV EAX,DWORD PTR SS:[EBP-2C] and finally reached the EBX register.
-------------------------------------------------------------------------------------------------------------------------------------------------
Breakpoints
-------------------------------------------------------------------------------------------------------------------------------------------------
Address Module Active Disassembly Comment
-------------------------------------------------------------------------------------------------------------------------------------------------
0050A6F6 myBase Always CALL myBase.0074ACF0 EAX is 0 after returning; EAX is checked from here
0050A707 myBase Always CALL myBase.006FC130 EDI, which assigns EAX here, is 0
0050A78E myBase Always MOV EAX,EDI last assignment to EAX, takes the value of EDI
00525F9E myBase Always SUB ESP,8 changing EAX to 1 has no effect
00525FCC myBase Always CALL myBase.0050A5B0 EAX is empty after returning
00525FF4 myBase Always MOV DWORD PTR SS:[EBP-2C],EAX *** sends EAX to EBP-2C
00525FFC myBase Always MOV EAX,DWORD PTR SS:[EBP-2C] *** stack EBP-2C is sent back to EAX
00547ED4 myBase Always CALL myBase.00525F60
00547EDE myBase Always JE myBase.00548241 *** checks the registration AL
-------------------------------------------------------------------------------------------------------------------------------------------------
0074ADB4 myBase Always JE SHORT myBase.0074ADC2
0074ADC2 myBase Always XOR EBX,EBX fails when EBX is XORed to 0
0074B233 myBase Always OR EBX,EBX *** seems to be the last place EBX is set to 0
0074B8AC myBase Always CALL <JMP.&libstdc++-6._ZNSs4_Rep10_
0074B8B1 myBase Always MOV EAX,EBX EAX assigned from EBX; fails when EBX is 0
0074BB66 myBase Always LEA EBX,DWORD PTR SS:[EBP-214] EBX assigned again here
-------------------------------------------------------------------------------------------------------------------------------------------------
Next, 7.3.4.
This patch had a bit of luck in it.
Thanks to my earlier inexperience, blundering into function bodies at random, I ran into a key string
-------------------------------------------------------------------------------------
1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
-------------------------------------------------------------------------------------
I have no idea what this is.
The difference from 7.1 is that the registration breakpoint cannot get you to the final loop that fetches the registration code.
I got confused in something like a QtEventLoop; maybe the myBase developers took precautions and dispatched the registration-code fetching loop to another thread.
I searched the strings for "1-" in the same way as above and set n breakpoints. Only then did I find the AL breakthrough point as in 7.1 and 7.0.
In the end it was also traced backwards; this last patch point has one particularly large jump.
The patch point is still EBX, at address 00766542; likewise change XOR to OR.
Version 7.1 took me 2 evenings purely as practice; 7.3.4 took two hours...
-------------------------------------------------------------------------------------------------------------------------------------------------
Breakpoints
-------------------------------------------------------------------------------------------------------------------------------------------------
Address Module Active Disassembly Comment
-------------------------------------------------------------------------------------------------------------------------------------------------
00512E95 myBase Always JE myBase.00512FC6 jumps to where the empty value is assigned
00512F6F myBase Always CALL myBase.00766000 EAX becomes 0 here
00512F79 myBase Always CALL myBase.00716F60 EDI is set to empty here
00512F86 myBase Always XOR EDI,EDI
00512FFE myBase Always MOV EAX,EDI EAX assigned from EDI
0052F256 myBase Always MOV DWORD PTR SS:[ESP],myBase.0086FE 1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
0052F311 myBase Always MOV DWORD PTR SS:[ESP],myBase.0086FE 1-19D5A898FEE5707F600D1AD762910F8A434365E5005A74F25BB0933AB0C
0052F47D myBase Always CALL myBase.00512E30 *** AL is set to empty after this
0055B7EB myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
0055B883 myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-19D5A898FEE5707F600D1AD762910F8A434365E5005A74F25BB0933AB0C
005668F6 myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
00566A5A myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-19D5A898FEE5707F600D1AD762910F8A434365E5005A74F25BB0933AB0C
005793EE myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
005794AD myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-19D5A898FEE5707F600D1AD762910F8A434365E5005A74F25BB0933AB0C
0057DEAF myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F no idea what this long run does; set n probes on strings beginning with 1-.. 1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
0057DF64 myBase Always MOV DWORD PTR SS:[ESP],myBase.00871F 1-19D5A898FEE5707F600D1AD762910F8A434365E5005A74F25BB0933AB0C
005D94FE myBase Always MOV DWORD PTR SS:[ESP],myBase.0087D8 1-62A385BFD178B9A5DEB303693AD279A437A264BE94CF834545F263D2B0
005D9569 myBase Always MOV DWORD PTR SS:[ESP],myBase.0087D9 1-19D5A898FEE5707F600D1AD762910F8A434365E5005A74F25BB0933AB0C
00716FB3 myBase Always MOV DWORD PTR SS:[ESP],0 tried changing EDI to 1
007660D2 myBase Always XOR EBX,EBX seems the final patch could be done here
007660E9 myBase Always MOV EAX,EBX
00766542 myBase Always OR EBX,EBX *** or it seems to be here *** final patch point
-------------------------------------------------------------------------------------------------------------------------------------------------
00766642 myBase Always JMP myBase.007660D4
00766BB0 myBase Always LEA EAX,DWORD PTR SS:[EBP-180]
00766BB6 myBase Always MOV DWORD PTR SS:[ESP],EAX
00766BB9 myBase Always LEA ECX,DWORD PTR DS:[EDX-C]
00766BBC myBase Always CALL <JMP.&libstdc++-6._ZNSs4_Rep10_
00766BC1 myBase Always MOV EAX,EBX EBX handed over to EAX
-------------------------------------------------------------------------------------------------------------------------------------------------
My first real piece of work; leaving a post here to commemorate it..
Lanzou cloud address:
https://www.lanzouj.com/i8vjkoh
Er, guaranteed no virus and no backdoor; I don't have the skill to plant malware yet.. everyone can rest assured about this..
Usage is the same as in the earlier posts: install it, drop the file for the matching version into the installation directory, open it, enter any registration code, then confirm...
Author: 虚荣
Date: 2020 / 01 / 17