【文章标题】: 轻羽网络验证 幻镜 - 无壳下简单爆破
【文章作者】: Crack_Qs[FF0000 TeAm]
【作者邮箱】: qs#ff0000.cc(#换@)
【下载地址】: http://www.52pojie.cn/thread-210424-1-1.html
【使用工具】: OllyDbg
【操作平台】: Windows 8
【作者声明】: 没加壳,娱乐下。感觉验证的流程很像CC以前的版本,当然绝对做了改动(不是很懂,说错勿笑)!
--------------------------------------------------------------------------------
【详细过程】
;-----------------------------------------------------------------------
; 004021DC — verification-link routine (the author's listing stops after
; 00402201; the body and epilogue are not shown here)
; What is visible: a standard ebp frame with 8 bytes of locals, then two
; global dwords written: [0x4B6134] <- 1 and [0x4B6138] <- 0. Their
; meaning is not established by the listing.
; The jmp over the "VMProtect begin" string shows the SDK marker was left
; in place while the surrounding code is still plain, readable x86 — the
; protection apparently was never applied to this routine.
;-----------------------------------------------------------------------
004021DC 55 push ebp ; verification link; retn'ing it out leaves the login button disabled (author's note)
004021DD |. 8BEC mov ebp,esp
004021DF |. 81EC 08000000 sub esp,0x8 ; 8 bytes of locals
004021E5 |. EB 10 jmp X客户端.004021F7 ; skip over the embedded marker string below
004021E7 |. 56 4D 50 72 6>ascii "VMProtect begin",0 ; SDK marker bytes, never executed
004021F7 |> C705 34614B00>mov dword ptr ds:[0x4B6134],0x1 ; global flag set — meaning not shown in this listing
00402201 |. C705 38614B00>mov dword ptr ds:[0x4B6138],0x0 ; second global cleared — meaning not shown
;-----------------------------------------------------------------------
; 0040280F — login button handler (complete: push ebp ... retn)
; Frame: local.1 = pointer returned by the control-read call,
;        local.2 = "field is empty" flag (0/1, from sete).
; Flow:  read username -> empty? report and leave
;        : read password -> empty? report and leave
;        : call 0040294F (the verification routine).
;        Only emptiness is checked here; every other decision is made
;        inside 0040294F.
; Calls: caller cleans the stack after every call (add esp,N), so the
;        callees are cdecl-style. ebx is used both as scratch for the
;        string pointer and as an extra, register-passed parameter
;        (ebx = 00404560) in front of the two 004039A7 calls.
; Helpers 004039AD / 00401004 / 00403995 / 004039A7 are not shown; the
; roles given below are inferred from how they are used — confirm.
;-----------------------------------------------------------------------
0040280F /. 55 push ebp ; button event handler (author's note)
00402810 |. 8BEC mov ebp,esp
00402812 |. 81EC 08000000 sub esp,0x8 ; two dword locals
00402818 |. EB 10 jmp X客户端.0040282A ; skip over the embedded marker string
0040281A |. 56 4D 50 72 6>ascii "VMProtect begin",0 ; SDK marker bytes, never executed
0040282A |> 6A FF push -0x1 ; 4 args for 004039AD (esp += 0x10 below)
0040282C |. 6A 08 push 0x8
0040282E |. 68 54000116 push 0x16010054 ; control id — same value is read again in 0040294F
00402833 |. 68 01000152 push 0x52010001
00402838 |. E8 70110000 call 客户端.004039AD ; fetch username (author's note); result -> local.1
0040283D |. 83C4 10 add esp,0x10
00402840 |. 8945 FC mov [local.1],eax
00402843 |. 68 98624700 push 客户端.00476298 ; constant compared against the text — presumably the empty string, TODO confirm
00402848 |. FF75 FC push [local.1]
0040284B |. E8 B4E7FFFF call 客户端.00401004 ; compare; the sete below treats eax == 0 as "equal"
00402850 |. 83C4 08 add esp,0x8
00402853 |. 83F8 00 cmp eax,0x0
00402856 |. B8 00000000 mov eax,0x0 ; clear eax so sete yields a clean 0/1 dword
0040285B |. 0F94C0 sete al
0040285E |. 8945 F8 mov [local.2],eax ; local.2 = (compare result == 0), i.e. "username empty"
00402861 |. 8B5D FC mov ebx,[local.1]
00402864 |. 85DB test ebx,ebx ; release the fetched text when non-null
00402866 |. 74 09 je X客户端.00402871
00402868 |. 53 push ebx
00402869 |. E8 27110000 call 客户端.00403995 ; presumably frees the string — TODO confirm
0040286E |. 83C4 04 add esp,0x4
00402871 |> 837D F8 00 cmp [local.2],0x0 ; check whether the username is empty (author's note)
00402875 |. 0F84 35000000 je 客户端.004028B0 ; not empty -> go read the password
0040287B |. 6A 00 push 0x0 ; empty-username path: 10 args (0x28 bytes) for 004039A7
0040287D |. 6A 00 push 0x0
0040287F |. 6A 00 push 0x0
00402881 |. 68 01030080 push 0x80000301
00402886 |. 6A 00 push 0x0
00402888 |. 68 00000000 push 0x0
0040288D |. 68 04000080 push 0x80000004 ; tag preceding a string pointer — presumably "string argument", TODO confirm
00402892 |. 6A 00 push 0x0
00402894 |. 68 99624700 push 客户端.00476299 ; message text for this case (contents not shown)
00402899 |. 68 03000000 push 0x3
0040289E |. BB 60454000 mov ebx,客户端.00404560 ; extra parameter passed in ebx
004028A3 |. E8 FF100000 call 客户端.004039A7 ; presumably displays the message — TODO confirm
004028A8 |. 83C4 28 add esp,0x28
004028AB |. E9 8B000000 jmp 客户端.0040293B ; -> epilogue, verification not called
004028B0 |> 6A FF push -0x1 ; same 4-arg read, different control id
004028B2 |. 6A 08 push 0x8
004028B4 |. 68 57000116 push 0x16010057
004028B9 |. 68 01000152 push 0x52010001
004028BE |. E8 EA100000 call 客户端.004039AD ; fetch password (author's note); result -> local.1
004028C3 |. 83C4 10 add esp,0x10
004028C6 |. 8945 FC mov [local.1],eax
004028C9 |. 68 98624700 push 客户端.00476298 ; same constant as the username compare
004028CE |. FF75 FC push [local.1]
004028D1 |. E8 2EE7FFFF call 客户端.00401004
004028D6 |. 83C4 08 add esp,0x8
004028D9 |. 83F8 00 cmp eax,0x0
004028DC |. B8 00000000 mov eax,0x0
004028E1 |. 0F94C0 sete al
004028E4 |. 8945 F8 mov [local.2],eax ; local.2 = "password empty"
004028E7 |. 8B5D FC mov ebx,[local.1]
004028EA |. 85DB test ebx,ebx ; release the fetched text when non-null
004028EC |. 74 09 je X客户端.004028F7
004028EE |. 53 push ebx
004028EF |. E8 A1100000 call 客户端.00403995
004028F4 |. 83C4 04 add esp,0x4
004028F7 |> 837D F8 00 cmp [local.2],0x0 ; check whether the password is empty (author's note)
004028FB |. 0F84 35000000 je 客户端.00402936 ; not empty -> run verification
00402901 |. 6A 00 push 0x0 ; empty-password path: same 10-arg call with a different text
00402903 |. 6A 00 push 0x0
00402905 |. 6A 00 push 0x0
00402907 |. 68 01030080 push 0x80000301
0040290C |. 6A 00 push 0x0
0040290E |. 68 00000000 push 0x0
00402913 |. 68 04000080 push 0x80000004
00402918 |. 6A 00 push 0x0
0040291A |. 68 AA624700 push 客户端.004762AA ; message text for this case (contents not shown)
0040291F |. 68 03000000 push 0x3
00402924 |. BB 60454000 mov ebx,客户端.00404560
00402929 |. E8 79100000 call 客户端.004039A7
0040292E |. 83C4 28 add esp,0x28
00402931 |. E9 05000000 jmp 客户端.0040293B ; -> epilogue
00402936 |> E8 14000000 call 客户端.0040294F ; perform verification (author's note); reached only when both fields are non-empty
0040293B |> EB 0E jmp X客户端.0040294B ; skip over the end marker
0040293D |. 56 4D 50 72 6>ascii "VMProtect end",0 ; SDK marker bytes, never executed
0040294B |> 8BE5 mov esp,ebp
0040294D |. 5D pop ebp
0040294E \. C3 retn
;-----------------------------------------------------------------------
; 0040294F — verification routine. The author's listing is elided in two
; places (00402997-004029CA and 004029FB-00402A91) and cut off after
; 00402AC9; the epilogue is not shown.
; What is visible: the username is read again and its address handed to
; 0040134A; later the routine tests two stack locals, [local.3] at
; 004029D8 and [local.2] at 00402A9F, and those two plain compares are
; the whole pass/fail decision. Where the locals get their values is in
; the elided code (apparently the result of the network round trip).
; Because the decision is taken on the client, the server's answer is
; only advisory here; a design that keeps the gated functionality on the
; server side does not have this weak point.
; Frame: 0x10 bytes of locals (local.1 .. local.4).
;-----------------------------------------------------------------------
0040294F /$ 55 push ebp ; verification section (author's note)
00402950 |. 8BEC mov ebp,esp
00402952 |. 81EC 10000000 sub esp,0x10 ; four dword locals
00402958 |. 6A 00 push 0x0 ; 6 args for 004039B9 (esp += 0x18 below); purpose not shown
0040295A |. 68 01000000 push 0x1
0040295F |. 6A FF push -0x1
00402961 |. 6A 06 push 0x6
00402963 |. 68 59000116 push 0x16010059 ; a third control id
00402968 |. 68 01000152 push 0x52010001
0040296D |. E8 47100000 call 客户端.004039B9
00402972 |. 83C4 18 add esp,0x18
00402975 |. 6A FF push -0x1 ; same read sequence as in the button handler
00402977 |. 6A 08 push 0x8
00402979 |. 68 54000116 push 0x16010054
0040297E |. 68 01000152 push 0x52010001
00402983 |. E8 25100000 call 客户端.004039AD ; read username (author's note) -> local.1
00402988 |. 83C4 10 add esp,0x10
0040298B |. 8945 FC mov [local.1],eax
0040298E |. 8D45 FC lea eax,[local.1] ; pass the address of local.1, not its value
00402991 |. 50 push eax
00402992 |. E8 B3E9FFFF call 客户端.0040134A ; not stepped into; presumably checks whether the username exists (POST) — author's guess
; ... 00402997-004029CA elided by the author ...
004029CB |. 85DB test ebx,ebx ; release pattern as in the button handler
004029CD |. 74 09 je X客户端.004029D8
004029CF |. 53 push ebx
004029D0 |. E8 C00F0000 call 客户端.00403995
004029D5 |. 83C4 04 add esp,0x4
004029D8 |> 837D F4 00 cmp [local.3],0x0 ; "this is clearly the problem spot" (author's note): first client-side flag test
004029DC |. 0F84 98010000 je 客户端.00402B7A ; Nop (author's note)
004029E2 |. EB 10 jmp X客户端.004029F4 ; skip over the marker string
004029E4 |. 56 4D 50 72 6>ascii "VMProtect begin",0 ; SDK marker bytes, never executed
004029F4 |> E8 CBFBFFFF call 客户端.004025C4 ; purpose not shown
004029F9 |. 6A FF push -0x1 ; start of another argument sequence; remainder elided
; ... 004029FB-00402A91 elided by the author ...
00402A92 |. 85DB test ebx,ebx ; release pattern again
00402A94 |. 74 09 je X客户端.00402A9F
00402A96 |. 53 push ebx
00402A97 |. E8 F90E0000 call 客户端.00403995
00402A9C |. 83C4 04 add esp,0x4
00402A9F |> 837D F8 01 cmp [local.2],0x1 ; second client-side flag test
00402AA3 |. 0F85 0F000000 jnz 客户端.00402AB8 ; Nop (author's note)
00402AA9 |. E8 16FBFFFF call 客户端.004025C4 ; author: unfamiliar with E-language (易语言), not analyzed
00402AAE |. E8 1E060000 call 客户端.004030D1 ; create window (author's note) — presumably the success path
00402AB3 |. E9 86000000 jmp 客户端.00402B3E
00402AB8 |> 68 010100A0 push 0xA0000101 ; flag != 1 path: argument setup for a call cut off by the listing
00402ABD |. 6A 00 push 0x0
00402ABF |. 68 28644700 push 客户端.00476428 ; text for this case (contents not shown)
00402AC4 |. 68 01000000 push 0x1
00402AC9 |. BB 903E4000 mov ebx,客户端.00403E90 ; extra parameter in ebx, as before the 004039A7 calls
ok。
以下东西,可看可不看(注意:验证请求把密码直接放在明文 HTTP 的查询串里)。
0018FCBC 005C0B70 ASCII "http://www.dnfpay.com/test/qy.php?cmd=connect&cp=密码"
0018FCC0 005C1308 ASCII "密码"
0018FCC4 005CC380 ASCII "?cmd=connect&cp="
0018FCC8 005C9508 ASCII "http://www.dnfpay.com/test/qy.php"
--------------------------------------------------------------------------------
【版权声明】: 本文原创于Crack_Qs, 转载请注明作者并保持文章的完整, 谢谢!
2013年08月20日 17:31:12