刚刚下了 access2007,准备安装的时候发现要验证码……我勒个去,还要20块
直接OD,一看入口就知道是用VB写的
OD搜索unicode "验证通过,正在初始化,请稍侯 ..."(F12暂停单步分析得来)
向上找到JE直接NOP掉
成功爆破
没技术含量老鸟小鸟飞过.........
http://www.biso.cn/%B9%B2%CF%EDv5-6/access2007.exe软件下载地址(违规吗?)
.............
注册码貌似还有时间限制........
爆破点
.................
; OllyDbg listing excerpt (32-bit x86, Intel operand order) of a VB6 program;
; the runtime calls go through the MSVBVM60 import table. The routine begins
; before and continues after this excerpt. [ebp+0x8] is used as the object
; pointer throughout (presumably the form's own instance -- confirm).
; Flow visible here: call the method at vtable slot +0x784 (annotated by the
; poster as the network verification), move a Variant into the field at
; object+0x98, compare that field with the constant the debugger labels "pass",
; and take one conditional branch on the outcome.
; NOTE(review): as far as this excerpt shows, accept/reject is decided by a
; single client-side comparison and one branch; nothing visible makes the later
; initialization depend on data only the server can supply, so the check is only
; as strong as the integrity of this binary. Enforcement that must hold belongs
; on the server side (e.g. the server returns material the client needs to go on).
;
; Finish a Variant concatenation (its operands are pushed before this excerpt),
; then pass the result and the object pointer to the method at slot +0x784.
0041F07E . 8D8D ACFEFFFF lea ecx,dword ptr ss:[ebp-0x154]
0041F084 . 51 push ecx
0041F085 . FF15 2C114000 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; MSVBVM60.__vbaVarCat
0041F08B . 50 push eax
0041F08C . 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0041F08F . 8B02 mov eax,dword ptr ds:[edx]
0041F091 . 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
0041F094 . 51 push ecx
0041F095 . FF90 84070000 call dword ptr ds:[eax+0x784] ; performs the network verification
; Keep the returned status in [ebp-0x1E0]; a non-negative value jumps past the
; error helper to 0041F0CD.
0041F09B . 8985 20FEFFFF mov dword ptr ss:[ebp-0x1E0],eax
0041F0A1 . 83BD 20FEFFFF>cmp dword ptr ss:[ebp-0x1E0],0x0
0041F0A8 . 7D 23 jge Xaccess20.0041F0CD
; Negative status: call __vbaHresultCheckObj with the status, the object, the
; address 004146E8 (presumably an interface descriptor -- confirm) and the slot
; offset 0x784.
0041F0AA . 68 84070000 push 0x784
0041F0AF . 68 E8464100 push access20.004146E8
0041F0B4 . 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0041F0B7 . 52 push edx
0041F0B8 . 8B85 20FEFFFF mov eax,dword ptr ss:[ebp-0x1E0]
0041F0BE . 50 push eax
0041F0BF . FF15 4C104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>;
MSVBVM60.__vbaHresultCheckObj
0041F0C5 . 8985 E8FDFFFF mov dword ptr ss:[ebp-0x218],eax
0041F0CB . EB 0A jmp Xaccess20.0041F0D7
0041F0CD > C785 E8FDFFFF>mov dword ptr ss:[ebp-0x218],0x0
; __vbaVarMove with ecx = object+0x98 and edx = the temporary at [ebp-0x164].
; Presumably this stores the verification result in the object's field; where
; the temporary is filled is not visible in this excerpt -- confirm.
0041F0D7 > 8D95 9CFEFFFF lea edx,dword ptr ss:[ebp-0x164]
0041F0DD . 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
0041F0E0 . 81C1 98000000 add ecx,0x98
0041F0E6 . FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaVarMo>;
MSVBVM60.__vbaVarMove
; Release the temporaries: twelve Variant addresses plus the count 0xC are
; pushed, and the caller pops all thirteen dwords (0x34 bytes) afterwards.
0041F0EC . 8D8D 9CFEFFFF lea ecx,dword ptr ss:[ebp-0x164]
0041F0F2 . 51 push ecx
0041F0F3 . 8D95 ACFEFFFF lea edx,dword ptr ss:[ebp-0x154]
0041F0F9 . 52 push edx
0041F0FA . 8D85 BCFEFFFF lea eax,dword ptr ss:[ebp-0x144]
0041F100 . 50 push eax
0041F101 . 8D8D CCFEFFFF lea ecx,dword ptr ss:[ebp-0x134]
0041F107 . 51 push ecx
0041F108 . 8D95 DCFEFFFF lea edx,dword ptr ss:[ebp-0x124]
0041F10E . 52 push edx
0041F10F . 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
0041F115 . 50 push eax
0041F116 . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
0041F11C . 51 push ecx
0041F11D . 8D95 0CFFFFFF lea edx,dword ptr ss:[ebp-0xF4]
0041F123 . 52 push edx
0041F124 . 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-0xE4]
0041F12A . 50 push eax
0041F12B . 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-0xD4]
0041F131 . 51 push ecx
0041F132 . 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-0xC4]
0041F138 . 52 push edx
0041F139 . 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-0xB4]
0041F13F . 50 push eax
0041F140 . 6A 0C push 0xC
0041F142 . FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;
MSVBVM60.__vbaFreeVarList
0041F148 . 83C4 34 add esp,0x34
; [ebp-0x4] = 0x1D: looks like the VB6 per-statement counter kept for the
; runtime's error handling -- TODO confirm.
0041F14B . C745 FC 1D000>mov dword ptr ss:[ebp-0x4],0x1D
; Build a local Variant at [ebp-0x174]: type word 0x8008, data pointer to the
; constant the debugger labels "pass" (presumably a string constant -- confirm).
0041F152 . C785 94FEFFFF>mov dword ptr ss:[ebp-0x16C],access20.00>; pass
0041F15C . C785 8CFEFFFF>mov dword ptr ss:[ebp-0x174],0x8008
; Compare the field at object+0x98 with that constant.
0041F166 . 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
0041F169 . 81C1 98000000 add ecx,0x98
0041F16F . 51 push ecx ; /var18
0041F170 . 8D95 8CFEFFFF lea edx,dword ptr ss:[ebp-0x174] ; |
0041F176 . 52 push edx ; |var28
0041F177 . FF15 B8104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
; The 16-bit result in ax is sign-extended and tested; zero (not equal)
; branches to 0041F81A, otherwise execution falls through to the success path.
0041F17D . 0FBFC0 movsx eax,ax
0041F180 . 85C0 test eax,eax
0041F182 . 0F84 92060000 je access20.0041F81A //jumps to the "invalid" path
; Equal: counter 0x1E. Fetch an object through slot +0x308, store it in
; [ebp-0xA4] with __vbaObjSet, then pass it the message at 00415EB8
; ("verification passed, initializing, please wait ...") through slot +0x54 --
; presumably a caption/text setter; confirm.
0041F188 . C745 FC 1E000>mov dword ptr ss:[ebp-0x4],0x1E
0041F18F . 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
0041F192 . 8B11 mov edx,dword ptr ds:[ecx]
0041F194 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0041F197 . 50 push eax
0041F198 . FF92 08030000 call dword ptr ds:[edx+0x308]
0041F19E . 50 push eax
0041F19F . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
0041F1A5 . 51 push ecx
0041F1A6 . FF15 70104000 call dword ptr ds:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0041F1AC . 8985 20FEFFFF mov dword ptr ss:[ebp-0x1E0],eax
0041F1B2 . 68 B85E4100 push access20.00415EB8 ; 验证通过,正在初始化
,请稍侯 ...
0041F1B7 . 8B95 20FEFFFF mov edx,dword ptr ss:[ebp-0x1E0]
0041F1BD . 8B02 mov eax,dword ptr ds:[edx]
0041F1BF . 8B8D 20FEFFFF mov ecx,dword ptr ss:[ebp-0x1E0]
0041F1C5 . 51 push ecx
0041F1C6 . FF50 54 call dword ptr ds:[eax+0x54]
0041F1C9 . DBE2 fclex
0041F1CB . 8985 1CFEFFFF mov dword ptr ss:[ebp-0x1E4],eax
.....................