某软件爆破之后反编译源码分析

lovejgx · 发表于 2012-5-24 11:14

本帖最后由 lovejgx 于 2012-5-24 12:10 编辑

有个老软件，有天突然不能用了报错.. 估计是过期了，有N年了作者也找不到了没办法直有自己动下手了我来52好久了但自己动手的少所以还是菜鸟一个
凭着强大的工具包和狗屎运找到了两处爆破点修改后程序可以了
但是想分析一下原因程序是VB的找了反编绎工具竟然反出来了源代码.. 没学过VB 但看着好像不是纯代码下边是代码和分析
【文章标题】: 某软件爆破之后反编译源码分析
【软件名称】: XXXX软件
【加壳方式】: 无
【保护方式】:日期，重启动验证
【编写语言】: VB
【使用工具】: od
【操作平台】: xp
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
验证的主要部分代码：
程序没加密，错误是弹框出来的我直接用插件下了对话框断点..没插件我都不知道怎么下断工具包真强大，接着慢慢找让我找到一个
第一处

0068F6A3 .  52          push edx
0068F6A4 .  50          push eax
0068F6A5 .  6A 02       push 0x2
0068F6A7 .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
0068F6AD .  83C4 20    add esp,0x20
0068F6B0 .  66:83BD D4FEF>cmp word ptr ss:[ebp-0x12C],0x0       ;查找这个
0068F6B8 .  0F84 D5000000 je HYGL.0068F793                      ;  这里跳过error2000
0068F6BE .  8D4D B4    lea ecx,dword ptr ss:[ebp-0x4C]
0068F6C1 .  6A 0D       push 0xD
0068F6C3 .  51          push ecx
0068F6C4 .  FF15 80114000 call dword ptr ds:[<&MSVBVM60.#608>]    ;  MSVBVM60.rtcVarBstrFromAnsi

改了第一个又出个错.. 然后又找连修改标志改跳转都不会一个一个标志试出来的接着重新运行过了第一处向下找找到了

第二处

0068FB3B .  50          push eax
0068FB3C .  51          push ecx
0068FB3D .  6A 02       push 0x2
0068FB3F .  FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>;  MSVBVM60.__vbaFreeVarList
0068FB45 .  83C4 0C    add esp,0xC
0068FB48 .  66:83BD ECFEF>cmp word ptr ss:[ebp-0x114],0x0       ;查找这个
0068FB50 .  0F84 4C0E0000 je HYGL.006909A2                      ;  这里跳过error2003
0068FB56 .  8D55 B4    lea edx,dword ptr ss:[ebp-0x4C]
0068FB59 .  52          push edx
0068FB5A .  FF15 F0114000 call dword ptr ds:[<&MSVBVM60.#610>]    ;  MSVBVM60.rtcGetDateVar

然后直接反汇编改死保存..。以后就不验证这两个地方了，今天上班没事儿想分析一下程序的验证原理，用了跟踪软件没发现啥注册信息，然后就看反汇编的关键跳关键CALL,结果看不懂  没办法搜了一下VB反汇编，竟然让我找到个能用的反出源码了，下边是源码，不知道是不是和写的VB一样

//这儿是确定的方法名
Begin VB.CommandButton cmdOK
   Caption       = "确定"
   Default       =  -1
   Height       = 390
   Left          = 1215
   TabIndex       = 2
   Top          = 1635
   Width          = 1140
End

//这儿是方法的具体代码
Sub cmdOK_Click()
'N  * ref: __vbaExceptHandler
'N  * ref: __vbaObjSet
'N  * ref: __vbaHresultCheckObj
'N  * ref: Trim$(
'N  * ref: UCase(
'N  * ref: __vbaStrVarMove
'N  * ref: __vbaStrMove
'N  * ref: __vbaStrCopy
'N  * ref: __vbaFreeStrList
'N  * ref: __vbaFreeObj
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaHresultCheckObj
'N  * ref: Trim$(
'N  * ref: __vbaStrMove
'N  * ref: __vbaStrCopy
'N  * ref: __vbaFreeStrList
'N  * ref: __vbaFreeObj
'N  * ref: "select * from forminfo where 使用=True" //找了数据库，发现有三列可能有用分别是  日期标志使用
'N  * ref: __vbaLateIdSt
'N  * ref: __vbaLateIdCall
'N  * ref: __vbaLateIdCallLd
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "标志"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaVarTstEq //好像是比较标志，不知道和啥比
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: Chr(
'N  * ref: __vbaVarDup
'N  * ref: __vbaVarCat
'N  * ref: "Event ID : 2000"
'N  * ref: "Description : Error 2000 Programe is close"
'N  * ref: MsgBox
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "日期"
'N  * ref: __vbaHresultCheckObj
'N  * ref: Year(
'N  * ref: __vbaI2Var
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "日期"
'N  * ref: __vbaHresultCheckObj
'N  * ref: Month(
'N  * ref: __vbaI2Var
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "日期"
'N  * ref: __vbaHresultCheckObj
'N  * ref: Day(
'N  * ref: __vbaI2Var
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: Date
'N  * ref: Year(
'N  * ref: __vbaVarTstGe
'N  * ref: __vbaFreeVarList
'N  * ref: Date
'N  * ref: Month(
'N  * ref: __vbaVarTstLe
'N  * ref: __vbaFreeVarList
'N  * ref: Date
'N  * ref: Day(
'N  * ref: Date
'N  * ref: Month(
'N  * ref: __vbaVarSub
'N  * ref: __vbaVarCmpGe
'N  * ref: __vbaVarCmpEq //应当是比日期
'N  * ref: __vbaVarAnd
'N  * ref: __vbaBoolVarNull
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaCastObjVar
'N  * ref: "标志"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList  //这些都啥东西呢不明白
'N  * ref: __vbaFreeVar
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: Chr(
'N  * ref: __vbaVarDup
'N  * ref: "Event ID : 2001"
'N  * ref: "Description : Error 2001 Programe is close"
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "用户名"
'N  * ref: __vbaHresultCheckObj
'N  * ref: UCase(
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "密码"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaVarCmpEq
'N  * ref: __vbaVarCmpEq
'N  * ref: __vbaVarAnd
'N  * ref: __vbaBoolVarNull
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: __vbaVarDup
'N  * ref: "登录"
'N  * ref: "无效的密码，请重试!"
'N  * ref: MsgBox
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObj
'N  * ref: "{Home}+{End}"
'N  * ref: SendKeys
'N  * ref: __vbaFreeVar
'N  * ref: __vbaLateIdCallLd
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "用户名"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaStrVarMove
'N  * ref: __vbaStrMove
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: "权限"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaStrVarMove
'N  * ref: __vbaStrMove
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaNew2
'N  * ref: __vbaObjSetAddref
'N  * ref: __vbaFreeObj
'N  * ref: __vbaCastObjVar
'N  * ref: "标志"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: Chr(
'N  * ref: __vbaVarDup
'N  * ref: "Event ID : 2002"
'N  * ref: "Description : Error 2002 Programe is close"
'N  * ref: __vbaCastObjVar
'N  * ref: "标志"
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: __vbaCastObjVar
'N  * ref: __vbaHresultCheckObj
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVar
'N  * ref: Chr(
'N  * ref: __vbaVarDup
'N  * ref: "Event ID : 2003"
'N  * ref: "Description : Error 2003 Programe is close"
'N  * ref: __vbaVarCat
'N  * ref: MsgBox
'N  * ref: __vbaFreeVarList
'N  * ref: __vbaFreeStrList
'N  * ref: __vbaFreeObjList
'N  * ref: __vbaFreeVarList
End Sub
后来猜着是日期标志使用这些影响的，分别改了一下然后发现程序是先看标志标志为true就说明过期了，然后看时间超过了说明过期了，并修改标志
又一篇适合新手看的..  算是第二次破解高手莫笑
完了这是第一次 http://www.52pojie.cn/thread-71027-1-1.html

Cser2 · 发表于 2012-5-24 12:00

反编译、、编译出了源码....这话好吓人的亲

lovejgx · 发表于 2012-5-24 12:16

刚才我把代码放在代码块... 发布后直有一行。。重新编辑了

pengjingwei · 发表于 2012-6-2 19:22

自己还要好好学习哦

初见你时的纯洁 · 发表于 2012-11-1 13:54

汇编好难学的感觉。那玩意就像跟CPU搞语言

weibo · 发表于 2012-12-15 19:04

帮看下，我这软件能反编议不 http://dl.vmall.com/c0k5875fug

帐号		自动登录	找回密码
密码			注册[Register]

[原创] 某软件爆破之后反编译源码分析

点评