【Title】: Cracking "无敌邮件群发机" (Invincible Email Mass Mailer)
【Author】: Mr.vit
【Download】: search for it yourself
【Packer】: none
【Language】: Delphi
【Author's note】: Just out of interest, no other purpose. If I have slipped up anywhere, please correct me!
--------------------------------------------------------------------------------
【Walkthrough】
This is just a plain patch job, written for friends who don't know where to set a breakpoint.
When the OD (OllyDbg) plugin can't find the strings, the fallback is the F12 call-stack method; personally I find it very handy.
The software verifies the registration on restart.
First load it in OD.
Press F9 to run the program, then click Register, type in any registration code, and after clicking Register an error message pops up.
At that point press F12 and the program pauses; then press Alt+K to open the call stack window, where you will see the following
information
Procedure              Called from
..............................................
..............................................
..............................................
? <jmp.&user32.MessageBoxA> WdMail.005CA1B4 //click this one
A quick explanation: MessageBoxA is the message box routine; simply put, the error message that just popped up was produced by it.
When clicking, click the code in the "Called from" column.
That brings you to
005CA12F E8 504FFBFF call WdMail.0057F084
005CA134 84C0 test al,al
005CA136 74 58 je short WdMail.005CA190 ; must not jump; just change it to NOP
005CA138 8D55 F8 lea edx,dword ptr ss:[ebp-8]
005CA13B 8B83 88030000 mov eax,dword ptr ds:[ebx+388]
005CA141 E8 EA99E9FF call WdMail.00463B30
005CA146 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005CA149 50 push eax
005CA14A 8B0D 8C3C6300 mov ecx,dword ptr ds:[633C8C] ; WdMail.006317B4
005CA150 8B09 mov ecx,dword ptr ds:[ecx]
005CA152 8B15 20306300 mov edx,dword ptr ds:[633020] ; WdMail.006317B0
005CA158 8B12 mov edx,dword ptr ds:[edx]
005CA15A 8B83 98030000 mov eax,dword ptr ds:[ebx+398]
005CA160 E8 1F5DFBFF call WdMail.0057FE84
005CA165 6A 00 push 0
005CA167 A1 C83E6300 mov eax,dword ptr ds:[633EC8]
005CA16C 8B00 mov eax,dword ptr ds:[eax]
005CA16E E8 6DB9E3FF call WdMail.00405AE0
005CA173 50 push eax
005CA174 A1 B8316300 mov eax,dword ptr ds:[6331B8]
005CA179 8B00 mov eax,dword ptr ds:[eax]
005CA17B E8 60B9E3FF call WdMail.00405AE0
005CA180 50 push eax
005CA181 8BC3 mov eax,ebx
005CA183 E8 4C1AEAFF call WdMail.0046BBD4
005CA188 50 push eax
005CA189 E8 1AEAE3FF call <jmp.&user32.MessageBoxA>
005CA18E EB 2B jmp short WdMail.005CA1BB
005CA190 6A 00 push 0
005CA192 A1 C83E6300 mov eax,dword ptr ds:[633EC8]
005CA197 8B00 mov eax,dword ptr ds:[eax]
005CA199 E8 42B9E3FF call WdMail.00405AE0
005CA19E 50 push eax
005CA19F A1 083B6300 mov eax,dword ptr ds:[633B08]
005CA1A4 8B00 mov eax,dword ptr ds:[eax]
005CA1A6 E8 35B9E3FF call WdMail.00405AE0
005CA1AB 50 push eax
005CA1AC 8BC3 mov eax,ebx
005CA1AE E8 211AEAFF call WdMail.0046BBD4
005CA1B3 50 push eax
005CA1B4 E8 EFE9E3FF call <jmp.&user32.MessageBoxA> ; this is the error message
005CA1B9 EB 0E jmp short WdMail.005CA1C9
005CA1BB C683 9C030000 01 mov byte ptr ds:[ebx+39C],1
005CA1C2 8BC3 mov eax,ebx
005CA1C4 E8 3F3EEBFF call WdMail.0047E008
Change the jump above to NOP and the first patch is done. Next comes the second patch.
Load the program in OD again and run it; it says "注册码非法,程序将自动关闭" (registration code invalid, the program will close automatically).
Same method as before: pause the program with F12, then open the call stack window and find
Call stack of main thread, item 14
Address=0012F2BC
Stack=00600571
Procedure / arguments=? <JMP.&user32.MessageBoxA>
Called from=123.0060056C //here "123" is my program's name, and the rest is the address
Frame=0012F2B8
Again, in the "Called from" column, click that spot, 0060056C; once inside you are at
0060055E |. E8 7D55E0FF CALL 123.00405AE0
00600563 |. 50 PUSH EAX
00600564 |. 8BC3 MOV EAX,EBX
00600566 |. E8 69B6E6FF CALL 123.0046BBD4
0060056B |. 50 PUSH EAX ; |hOwner = 001FB79C
0060056C |. E8 3786E0FF CALL <JMP.&user32.MessageBoxA> ; \error message here
00600571 |. 8B55 F4 MOV EDX,[LOCAL.3]
00600574 |. 8BC3 MOV EAX,EBX
00600576 |. E8 F9A50000 CALL 123.0060AB74
Then look a little further up for an address to put a breakpoint on
006000E0 /. 55 PUSH EBP ; I chose this spot: set an F2 breakpoint here
006000E1 |. 8BEC MOV EBP,ESP
006000E3 |. 83C4 C4 ADD ESP,-3C
006000E6 |. 53 PUSH EBX
006000E7 |. 56 PUSH ESI
006000E8 |. 57 PUSH EDI
006000E9 |. 33C9 XOR ECX,ECX
006000EB |. 894D C4 MOV [LOCAL.15],ECX
006000EE |. 894D D0 MOV [LOCAL.12],ECX
006000F1 |. 894D D4 MOV [LOCAL.11],ECX
006000F4 |. 894D FC MOV [LOCAL.1],ECX
006000F7 |. 894D F8 MOV [LOCAL.2],ECX
006000FA |. 8955 F4 MOV [LOCAL.3],EDX
Once the breakpoint is set, reload the program and it breaks at the address you just set.
Next it is single-stepping.
00600370 |. /74 10 JE SHORT 123.00600382
00600372 |. |8B45 F8 MOV EAX,[LOCAL.2]
00600375 |. |E8 9EAFE0FF CALL 123.0040B318
0060037A |. |8983 2C090000 MOV DWORD PTR DS:[EBX+92C],EAX
00600380 |. |EB 08 JMP SHORT 123.0060038A
00600382 |> \33C0 XOR EAX,EAX
00600384 |. 8983 2C090000 MOV DWORD PTR DS:[EBX+92C],EAX
0060038A |> E8 59DEE0FF CALL 123.0040E1E8
0060038F |. DD5D E8 FSTP QWORD PTR SS:[EBP-18]
00600392 |. 9B WAIT
00600393 |. A1 EC416300 MOV EAX,DWORD PTR DS:[6341EC]
00600398 |. 8338 00 CMP DWORD PTR DS:[EAX],0
0060039B |. 0F84 E6010000 JE 123.00600587
006003A1 |. 8B15 EC416300 MOV EDX,DWORD PTR DS:[6341EC] ; 123.0063ADDC
006003A7 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
006003A9 |. 8B83 28090000 MOV EAX,DWORD PTR DS:[EBX+928]
006003AF |. E8 D0ECF7FF CALL 123.0057F084
006003B4 84C0 TEST AL,AL
006003B6 0F84 8C010000 JE 123.00600548 ; this must not jump
006003BC A1 943B6300 MOV EAX,DWORD PTR DS:[633B94]
006003C1 C600 00 MOV BYTE PTR DS:[EAX],0
006003C4 8B83 28090000 MOV EAX,DWORD PTR DS:[EBX+928]
006003CA E8 5DEFF7FF CALL 123.0057F32C
006003CF 83F8 02 CMP EAX,2
006003D2 0F85 31010000 JNZ 123.00600509 ; this must not jump
006003D8 8B83 28090000 MOV EAX,DWORD PTR DS:[EBX+928]
006003DE E8 51EFF7FF CALL 123.0057F334
006003E3 48 DEC EAX
006003E4 0F85 E0000000 JNZ 123.006004CA ; this must not jump
006003EA |. 8BB3 2C090000 MOV ESI,DWORD PTR DS:[EBX+92C]
006003F0 |. 85F6 TEST ESI,ESI ; 123.00639CDC
006003F2 |. 0F8E AD000000 JLE 123.006004A5
006003F8 |. 8D45 FC LEA EAX,[LOCAL.1]
006003FB |. 50 PUSH EAX ; /Arg1 = 01157D8C
006003FC |. 8975 C8 MOV [LOCAL.14],ESI ; |123.00639CDC
006003FF |. C645 CC 00 MOV BYTE PTR SS:[EBP-34],0 ; |
00600403 |. 8D55 C8 LEA EDX,[LOCAL.14] ; |
00600406 |. A1 6C2F6300 MOV EAX,DWORD PTR DS:[632F6C] ; |
0060040B |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
0060040D |. 33C9 XOR ECX,ECX ; |
0060040F |. E8 ECC2E0FF CALL 123.0040C700 ; \123.0040C700
00600414 |. 83BB 2C090000 0A CMP DWORD PTR DS:[EBX+92C],0A
0060041B |. 7F 10 JG SHORT 123.0060042D
0060041D |. 8D45 FC LEA EAX,[LOCAL.1]
00600420 |. 8B15 583A6300 MOV EDX,DWORD PTR DS:[633A58] ; 123.0062FF4C
00600426 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
00600428 |. E8 EF54E0FF CALL 123.0040591C
0060042D |> 8B83 74060000 MOV EAX,DWORD PTR DS:[EBX+674]
00600433 |. 8B80 50020000 MOV EAX,DWORD PTR DS:[EAX+250]
00600439 |. 33D2 XOR EDX,EDX
0060043B |. E8 A45EE9FF CALL 123.004962E4
00600440 |. 8B55 FC MOV EDX,[LOCAL.1]
00600443 |. E8 F85DE9FF CALL 123.00496240
00600448 |. A1 74426300 MOV EAX,DWORD PTR DS:[634274]
0060044D |. C600 01 MOV BYTE PTR DS:[EAX],1
00600450 |. 8BB3 2C090000 MOV ESI,DWORD PTR DS:[EBX+92C]
00600456 |. 83FE 07 CMP ESI,7
00600459 |. 0F8D F1020000 JGE 123.00600750
0060045F |. 8D45 FC LEA EAX,[LOCAL.1]
00600462 |. 50 PUSH EAX ; /Arg1 = 01157D8C
00600463 |. 8975 C8 MOV [LOCAL.14],ESI ; |123.00639CDC
NOP the three jumps above and the restart verification is gone. Save the changes, and the next time the software starts you will see
"正式版" (full version) in the bottom-right corner.
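As an added example (not part of the original post and not the author's code): a defender-side check that takes a known-good copy of an executable and a suspect copy and reports where conditional jumps have been overwritten with NOPs, which is exactly the shape of the changes described in this write-up (a short `74 xx` JE becoming `90 90`, a near `0F 84 rel32` JE becoming six `90`s). The two byte strings are constructed from the instruction bytes shown in the listings above; the offsets are positions inside those constructed strings, not file offsets, and the function names are my own.

```python
"""Report NOP-patched conditional branches by diffing a reference binary
against a suspect copy (added example; byte strings constructed from the
listings in the write-up, offsets are positions in those strings)."""
from dataclasses import dataclass
from typing import List, Tuple

NOP = 0x90
# Conditional-jump opcodes that appear in the listings: short form is a
# single 7x opcode followed by rel8, near form is 0F 8x followed by rel32.
SHORT_JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
NEAR_JCC = {0x84: "je", 0x85: "jne", 0x8C: "jl", 0x8D: "jge", 0x8E: "jle", 0x8F: "jg"}


@dataclass
class Patch:
    offset: int        # position of the first modified byte
    original: bytes    # bytes in the reference copy
    patched: bytes     # bytes in the suspect copy
    kind: str          # classification, e.g. "je short -> nop*2"


def _classify(reference: bytes, suspect: bytes, off: int) -> Tuple[int, str]:
    """Return (length, description) of the modification starting at off."""
    op = reference[off]
    # Short conditional jump replaced by two NOPs.
    if op in SHORT_JCC and suspect[off:off + 2] == bytes([NOP] * 2):
        return 2, f"{SHORT_JCC[op]} short -> nop*2"
    # Near conditional jump (0F 8x rel32) replaced by six NOPs.
    if (op == 0x0F and off + 1 < len(reference)
            and reference[off + 1] in NEAR_JCC
            and suspect[off:off + 6] == bytes([NOP] * 6)):
        return 6, f"{NEAR_JCC[reference[off + 1]]} near -> nop*6"
    # Anything else: report the whole run of differing bytes unclassified.
    end = off
    while end < len(reference) and reference[end] != suspect[end]:
        end += 1
    return end - off, "unclassified modification"


def find_patches(reference: bytes, suspect: bytes) -> List[Patch]:
    """Diff two same-sized images and classify each modified region."""
    if len(reference) != len(suspect):
        raise ValueError("sizes differ: not an in-place byte patch")
    patches: List[Patch] = []
    off = 0
    while off < len(reference):
        if reference[off] == suspect[off]:
            off += 1
            continue
        length, kind = _classify(reference, suspect, off)
        patches.append(Patch(off, reference[off:off + length],
                             suspect[off:off + length], kind))
        off += length
    return patches


def report(patches: List[Patch]) -> List[str]:
    """One human-readable line per detected modification."""
    return [f"+0x{p.offset:04x}: {p.original.hex()} -> {p.patched.hex()} ({p.kind})"
            for p in patches]


# Constructed sample: instruction bytes copied from the two listings,
# concatenated into one buffer. Offsets below are positions in this buffer.
REFERENCE = bytes.fromhex(
    "E8504FFBFF"      # call  WdMail.0057F084
    "84C0"            # test  al,al
    "7458"            # je    short WdMail.005CA190   (buffer offset 7)
    "8D55F8"          # lea   edx,[ebp-8]
    "E8D0ECF7FF"      # call  123.0057F084
    "84C0"            # test  al,al
    "0F848C010000"    # je    123.00600548            (buffer offset 19)
    "A1943B6300"      # mov   eax,[633B94]
)
# The same bytes as they appear in a copy where both jumps have been NOPed.
SUSPECT = bytes.fromhex(
    "E8504FFBFF" "84C0" "9090" "8D55F8"
    "E8D0ECF7FF" "84C0" "909090909090" "A1943B6300"
)

if __name__ == "__main__":
    for line in report(find_patches(REFERENCE, SUSPECT)):
        print(line)
```

The diff only says which check was removed; in practice a hash of the whole code section against a vendor-published value is what tells you a copy was tampered with at all, and this classification is the follow-up step for someone triaging such a copy.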
--------------------------------------------------------------------------------
【Copyright】: When reposting, please credit the author and keep the article intact. Thanks!
2009-09-07 22:23:21