write:钻石锅锅 (有问题私信)
当时不知道怎么找到的这个音速启动，还有个加密目录【VIP教程视频栏】，现在链接已经报废了
教程是爆破功能,太菜所以只送上文字教程,方便以后有朋友做资料参考
过初始密码
F9运行 随便输入出现错误提示框 F12暂停
查看K(调用堆栈)找到
调用堆栈 ,项目 27
地址=0012F834
堆栈=004EDA84
函数例程 / 参数=? MSVBVM60.rtcMsgBox
调用来自=vstart.004EDA7E
框架=0012F830
跟进
004EDA7E . FF15 48114000 call dword ptr ds:[<&MSVBVM60.#595>] ; 出现错误框
继续单步
004ED98D . E8 4E4D0400 call vstart.005326E0 ; 出现输入框
往上找关键跳
004ED96D /0F8E 35010000 jle vstart.004EDAA8 ; 关键跳
将jle改jmp
在Files文件夹下Config.ini
[Config]
CheckInStart=1
PassWord=50C2EE5DE55AD6A63D6F3F10463626C6
将 PassWord= 后面的内容清除掉就 OK
16:07 2015-2-23
-----------------------------------------------------------------------------------------------------------
过加密目录
找到错误提示->F12暂停 ->K堆栈 找到调用来自=vstart.********
往上找到以下代码
005FC198 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; 取假码
005FC19B 50 push eax
005FC19C 8B4D DC mov ecx,dword ptr ss:[ebp-24] ; 取真码
005FC19F 51 push ecx
005FC1A0 FF15 00124000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; 密码比较过程
005FC1A6 8BF8 mov edi,eax
005FC1A8 F7DF neg edi
005FC1AA 1BFF sbb edi,edi
005FC1AC 47 inc edi
005FC1AD F7DF neg edi
005FC1AF 8D4D DC lea ecx,dword ptr ss:[ebp-24]
005FC1B2 FF15 AC144000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
005FC1B8 66:3BFB cmp di,bx
005FC1BB 74 4C je short Damimi.005FC209 ; 第一次比较跳转
005FC1BD 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; 取假码
005FC1C0 B9 B4E06800 mov ecx,Damimi.0068E0B4
005FC1C5 8B3D 94134000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
005FC1CB FFD7 call edi ; 二次校验 EAX=假码
005FC1CD 8B55 10 mov edx,dword ptr ss:[ebp+10]
005FC1D0 66:391A cmp word ptr ds:[edx],bx
005FC1D3 74 0A je short Damimi.005FC1DF
005FC1D5 8B55 E0 mov edx,dword ptr ss:[ebp-20]
005FC1D8 B9 B8E06800 mov ecx,Damimi.0068E0B8
005FC1DD FFD7 call edi ; 三次校验
005FC1DF 8B06 mov eax,dword ptr ds:[esi]
005FC1E1 6A 01 push 1
005FC1E3 56 push esi
005FC1E4 FF90 28080000 call dword ptr ds:[eax+828] ; 关键CALL 加载窗口 ‘’ 在这里F7进去 ****************
005FC1EA 3BC3 cmp eax,ebx
005FC1EC 0F8D 74010000 jge Damimi.005FC366
来到
0062DF60 55 push ebp ; 加载目录窗口过程&验证过程
0062DF61 8BEC mov ebp,esp
0062DF63 83EC 0C sub esp,0C
0062DF66 68 36204100 push <jmp.&MSVBVM60.__vbaExceptHandler>
0062DF6B 64:A1 00000000 mov eax,dword ptr fs:[0]
```````````````````````````````````````````````````````````
```````````````````````````````````````````````````````````
```````````````````````````````````````````````````````````
0062E044 FF15 00124000 call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0062E04A 85C0 test eax,eax
0062E04C 74 54 je short Damimi.0062E0A2 ; 是否密码校验 //关键跳
0062E04E 8B4D E4 mov ecx,dword ptr ss:[ebp-1C] ;//以下是验证过程
0062E051 8B15 B8E06800 mov edx,dword ptr ds:[68E0B8]
0062E057 8B3D 00124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0062E05D 51 push ecx
0062E05E 52 push edx
0062E05F FFD7 call edi
0062E061 8B0D B4E06800 mov ecx,dword ptr ds:[68E0B4]
0062E067 8BD0 mov edx,eax
0062E069 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0062E06C F7DA neg edx
0062E06E 1BD2 sbb edx,edx
0062E070 50 push eax
0062E071 F7DA neg edx
0062E073 51 push ecx
0062E074 8995 74FFFFFF mov dword ptr ss:[ebp-4C],edx
0062E07A FFD7 call edi ; 比较
0062E07C 8B95 74FFFFFF mov edx,dword ptr ss:[ebp-8C]
0062E082 F7D8 neg eax
0062E084 1BC0 sbb eax,eax
0062E086 F7D8 neg eax
0062E088 85D0 test eax,edx
0062E08A 0F85 C3010000 jnz Damimi.0062E253 ; 相等就跳 //关键跳
0062E090 BA A00A4400 mov edx,Damimi.00440AA0
0062E095 B9 B4E06800 mov ecx,Damimi.0068E0B4
0062E09A FF15 94134000 call dword ptr ds:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
0062E0A0 33FF xor edi,edi
0062E0A2 83EC 10 sub esp,10
把jnz 改jz
0062E08A 0F85 C3010000 jnz Damimi.0062E253 ; 相等就跳 //关键跳
或者
0062E074 8995 74FFFFFF mov dword ptr ss:[ebp-4C],edx
[ebp-4C]改[ebp-8C]
来到关键验证CALL修改方法很多
15:18 2015/2/25
______________________________________________________________________________________________________
过加密栏目
方法同上来到错误提示CALL
005E8337 . FF15 58114000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; 错误提示
往上
005E82DE . FF15 E4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
005E82E4 . E9 5D010000 JMP damimi1.005E8446
005E82E9 > 8B3D 54114000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
005E82EF > B9 04000280 MOV ECX,80020004
跳转来自 005E81B0
跳转至005E81B0 往上
找到关键完整代码:
005E816A > \8B45 E0 mov eax, dword ptr [ebp-20]
005E816D . 50 push eax
005E816E . 8B4D DC mov ecx, dword ptr [ebp-24]
005E8171 . 51 push ecx
005E8172 . FF15 10124000 call dword ptr [<&MSVBVM60.__vbaStrCmp>]
005E8178 . 8BD8 mov ebx, eax
005E817A . F7DB neg ebx
005E817C . 1BDB sbb ebx, ebx
005E817E . 43 inc ebx
005E817F . F7DB neg ebx
005E8181 . 8D4D DC lea ecx, dword ptr [ebp-24]
005E8184 . FF15 CC144000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
005E818A . 8D55 D4 lea edx, dword ptr [ebp-2C]
005E818D . 52 push edx
005E818E . 8D45 D8 lea eax, dword ptr [ebp-28]
005E8191 . 50 push eax
005E8192 . 6A 02 push 2
005E8194 . FF15 7C104000 call dword ptr [<&MSVBVM60.__vbaFreeObjList>; MSVBVM60.__vbaFreeObjList
005E819A . 8D4D B4 lea ecx, dword ptr [ebp-4C]
005E819D . 51 push ecx
005E819E . 8D55 C4 lea edx, dword ptr [ebp-3C]
005E81A1 . 52 push edx
005E81A2 . 6A 02 push 2
005E81A4 . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>; MSVBVM60.__vbaFreeVarList
005E81AA . 83C4 18 add esp, 18
005E81AD . 66:85DB test bx, bx
005E81B0 . 0F84 39010000 je 005E82EF ; 第一关键跳 修改标志位 向下单步
005E81B6 . 8B55 E0 mov edx, dword ptr [ebp-20]
005E81B9 . B9 ACE06700 mov ecx, 0067E0AC
005E81BE . 8B1D AC134000 mov ebx, dword ptr [<&MSVBVM60.__vbaStrCop>; MSVBVM60.__vbaStrCopy
005E81C4 . FFD3 call ebx ; <&MSVBVM60.__vbaStrCopy>
005E81C6 . 8B45 10 mov eax, dword ptr [ebp+10]
005E81C9 . 66:8338 00 cmp word ptr [eax], 0
005E81CD . 74 0A je short 005E81D9
005E81CF . 8B55 E0 mov edx, dword ptr [ebp-20]
005E81D2 . B9 B0E06700 mov ecx, 0067E0B0
005E81D7 . FFD3 call ebx
005E81D9 > 6A 00 push 0
005E81DB . 68 19000340 push 40030019
005E81E0 . 8B0E mov ecx, dword ptr [esi]
005E81E2 . 56 push esi
005E81E3 . FF91 50030000 call dword ptr [ecx+350]
005E81E9 . 50 push eax
005E81EA . 8D55 D8 lea edx, dword ptr [ebp-28]
005E81ED . 52 push edx
005E81EE . FFD7 call edi
005E81F0 . 50 push eax
005E81F1 . 8D45 C4 lea eax, dword ptr [ebp-3C]
005E81F4 . 50 push eax
005E81F5 . FF15 80124000 call dword ptr [<&MSVBVM60.__vbaLateIdCallL>; MSVBVM60.__vbaLateIdCallLd
005E81FB . 83C4 10 add esp, 10
005E81FE . 50 push eax
005E81FF . FF15 F0134000 call dword ptr [<&MSVBVM60.__vbaI4Var>] ; MSVBVM60.__vbaI4Var
005E8205 . 8945 BC mov dword ptr [ebp-44], eax
005E8208 . C745 B4 03000>mov dword ptr [ebp-4C], 3
005E820F . 8B0E mov ecx, dword ptr [esi]
005E8211 . 8D55 B4 lea edx, dword ptr [ebp-4C]
005E8214 . 52 push edx
005E8215 . 56 push esi
005E8216 . FF91 5C080000 call dword ptr [ecx+85C] ; 栏目加载窗口&验证过程 这里要跟进去 修改关键窗口加载验证CAll
005E821C . 85C0 test eax, eax
005E821E . 7D 12 jge short 005E8232
来到加载窗口&验证过程
0061A460 > \55 PUSH EBP ; 栏目加载窗口&验证过程
0061A461 . 8BEC MOV EBP,ESP
0061A463 . 83EC 18 SUB ESP,18
0061A466 . 68 86204100 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE 处理程序安装
0061A46B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0061A471 . 50 PUSH EAX
0061A472 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0061A479 . B8 E0020000 MOV EAX,2E0
0061A47E . E8 FD7BDFFF CALL <JMP.&MSVBVM60.__vbaChkstk>
```````````````````````````````````````````````````````````
```````````````````````````````````````````````````````````
```````````````````````````````````````````````````````````
0061A830 . 50 PUSH EAX
0061A831 . 68 580F4400 PUSH damimi1.00440F58
0061A836 . FF15 10124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0061A83C . 85C0 TEST EAX,EAX
0061A83E 0F84 32010000 JE damimi1.0061A976 ; 是否密码校验 //关键跳
0061A844 . C745 FC 0D000>MOV DWORD PTR SS:[EBP-4],0D ; 以下是验证过程
0061A84B . 8B8D 78FFFFFF MOV ECX,DWORD PTR SS:[EBP-88]
0061A851 . 51 PUSH ECX
0061A852 . 8B15 ACE06700 MOV EDX,DWORD PTR DS:[67E0AC]
0061A858 . 52 PUSH EDX
0061A859 . FF15 10124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0061A85F . 8BF0 MOV ESI,EAX
0061A861 . F7DE NEG ESI
0061A863 . 1BF6 SBB ESI,ESI
0061A865 . F7DE NEG ESI
0061A867 . 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
0061A86D . 50 PUSH EAX
0061A86E . 8B0D B0E06700 MOV ECX,DWORD PTR DS:[67E0B0]
0061A874 . 51 PUSH ECX
0061A875 . FF15 10124000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
0061A87B . F7D8 NEG EAX
0061A87D . 1BC0 SBB EAX,EAX
0061A87F . F7D8 NEG EAX
0061A881 . 23F0 AND ESI,EAX
0061A883 . 85F6 TEST ESI,ESI
0061A885 . 75 1C JNZ SHORT damimi1.0061A8A3
0061A887 . C745 FC 0E000>MOV DWORD PTR SS:[EBP-4],0E
0061A88E . BA 580F4400 MOV EDX,damimi1.00440F58
0061A893 . B9 ACE06700 MOV ECX,damimi1.0067E0AC
0061A898 . FF15 AC134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>] ; MSVBVM60.__vbaStrCopy
0061A89E . E9 D3000000 JMP damimi1.0061A976
0061A8A3 > C745 FC 10000>MOV DWORD PTR SS:[EBP-4],10
0061A8AA . 6A 01 PUSH 1
0061A83E 0F84 32010000 JE damimi1.0061A976 ; 是否密码校验 //关键跳
修改JE为JNE
19:54 2015-3-31
------------------------------------------------------------------------------------------------------
文件夹保护功能 只需结束进程vsEnFolder.exe 文件夹保护功能无效