【Article title】: Cracking a program by patching its jumps
【Author】: r.angel
【Software】: LinToolBar
【Download】: search for it yourself
【Packer】: none
【Language】: VB5.0-6.0
【Tools】: OD (OllyDbg), GetVBRes
【Software description】: a helper program for a game
【Author's note】: I'm just a beginner. If I've made mistakes, I'd be grateful for corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】
The message box shows an "unregistered, closing" notice.
Run the program: it immediately pops up "unregistered, closing", and after you click OK it exits.
OD can't find the string directly, so first use GetVBRes to change the three characters 未注册 ("unregistered") in the message to the digits 123.
Search the Unicode strings in OD: the string 123 that turns up is the 未注册 string we just changed.
There are two places where the "unregistered" string is used. Next, double-click each one to jump to the address where the string is referenced.
0040C9A9 . 50 push eax
0040C9AA . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0040C9B0 . 85C0 test eax,eax
0040C9B2 . 74 14 je short LinToolB.0040C9C8
0040C9B4 > B8 01000000 mov eax,1
0040C9B9 . 66:0345 E4 add ax,word ptr ss:[ebp-1C]
0040C9BD . 0F80 8A170000 jo LinToolB.0040E14D
0040C9C3 .^ E9 40FDFFFF jmp LinToolB.0040C708
0040C9C8 > B9 01000000 mov ecx,1
0040C9CD . FFD7 call edi
0040C9CF . 8845 98 mov byte ptr ss:[ebp-68],al
0040C9D2 > 8A45 98 mov al,byte ptr ss:[ebp-68]
0040C9D5 . 84C0 test al,al
0040C9D7 0F84 A5000000 je LinToolB.0040CA82 ; critical jump
0040C9DD . B9 0A000000 mov ecx,0A
0040C9E2 . B8 04000280 mov eax,80020004
0040C9E7 . 898D 18FFFFFF mov dword ptr ss:[ebp-E8],ecx
0040C9ED . 898D 28FFFFFF mov dword ptr ss:[ebp-D8],ecx
0040C9F3 . 898D 38FFFFFF mov dword ptr ss:[ebp-C8],ecx
0040C9F9 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-F8]
0040C9FF . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040CA05 . 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
0040CA0B . 8985 30FFFFFF mov dword ptr ss:[ebp-D0],eax
0040CA11 . 8985 40FFFFFF mov dword ptr ss:[ebp-C0],eax
0040CA17 . C785 10FFFFFF>mov dword ptr ss:[ebp-F0],LinToolB.00409>; "unregistered" string
0040CA21 . C785 08FFFFFF>mov dword ptr ss:[ebp-F8],8
0040CA2B . FF15 A0114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0040CA31 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
0040CA37 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
0040CA3D . 51 push ecx
0040CA3E . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
0040CA44 . 52 push edx
0040CA45 . 50 push eax
0040CA46 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040CA4C . 6A 10 push 10
0040CA4E . 51 push ecx
0040CA4F . FF15 80104000 call dword ptr ds:[<&MSVBVM60.#595>] ; message box: "unregistered, closing"
0040CA55 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
0040CA5B . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
0040CA61 . 52 push edx
0040CA62 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
0040CA68 . 50 push eax
0040CA69 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
0040CA6F . 51 push ecx
0040CA70 . 52 push edx
0040CA71 . 6A 04 push 4
0040CA73 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
Second string reference:
0040C9AA . FF15 C0104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0040C9B0 . 85C0 test eax,eax
0040C9B2 . 74 14 je short LinToolB.0040C9C8
0040C9B4 > B8 01000000 mov eax,1
0040C9B9 . 66:0345 E4 add ax,word ptr ss:[ebp-1C]
0040C9BD . 0F80 8A170000 jo LinToolB.0040E14D
0040C9C3 .^ E9 40FDFFFF jmp LinToolB.0040C708
0040C9C8 > B9 01000000 mov ecx,1
0040C9CD . FFD7 call edi
0040C9CF . 8845 98 mov byte ptr ss:[ebp-68],al
0040C9D2 > 8A45 98 mov al,byte ptr ss:[ebp-68]
0040C9D5 . 84C0 test al,al
0040C9D7 0F85 A5000000 jnz LinToolB.0040CA82 ; critical jump
0040C9DD . B9 0A000000 mov ecx,0A
0040C9E2 . B8 04000280 mov eax,80020004
0040C9E7 . 898D 18FFFFFF mov dword ptr ss:[ebp-E8],ecx
0040C9ED . 898D 28FFFFFF mov dword ptr ss:[ebp-D8],ecx
0040C9F3 . 898D 38FFFFFF mov dword ptr ss:[ebp-C8],ecx
0040C9F9 . 8D95 08FFFFFF lea edx,dword ptr ss:[ebp-F8]
0040C9FF . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040CA05 . 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax
0040CA0B . 8985 30FFFFFF mov dword ptr ss:[ebp-D0],eax
0040CA11 . 8985 40FFFFFF mov dword ptr ss:[ebp-C0],eax
0040CA17 . C785 10FFFFFF>mov dword ptr ss:[ebp-F0],LinToolB.00409>; "unregistered" string
0040CA21 . C785 08FFFFFF>mov dword ptr ss:[ebp-F8],8
0040CA2B . FF15 A0114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0040CA31 . 8D8D 18FFFFFF lea ecx,dword ptr ss:[ebp-E8]
0040CA37 . 8D95 28FFFFFF lea edx,dword ptr ss:[ebp-D8]
0040CA3D . 51 push ecx
0040CA3E . 8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
0040CA44 . 52 push edx
0040CA45 . 50 push eax
0040CA46 . 8D8D 48FFFFFF lea ecx,dword ptr ss:[ebp-B8]
0040CA4C . 6A 10 push 10
0040CA4E . 51 push ecx
0040CA4F . FF15 80104000 call dword ptr ds:[<&MSVBVM60.#595>] ; message box: "unregistered, closing"
0040CA55 . 8D95 18FFFFFF lea edx,dword ptr ss:[ebp-E8]
0040CA5B . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
0040CA61 . 52 push edx
0040CA62 . 8D8D 38FFFFFF lea ecx,dword ptr ss:[ebp-C8]
0040CA68 . 50 push eax
0040CA69 . 8D95 48FFFFFF lea edx,dword ptr ss:[ebp-B8]
0040CA6F . 51 push ecx
0040CA70 . 52 push edx
0040CA71 . 6A 04 push 4
0040CA73 . FF15 24104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040CA79 . 83C4 14 add esp,14
0040CA7C . FF15 28104000 call dword ptr ds:[<&MSVBVM60.__vbaEnd>] ; MSVBVM60.__vbaEnd
0040CA82 > A1 3C954100 mov eax,dword ptr ds:[41953C]
0040CA87 . 85C0 test eax,eax
0040CA89 . 75 10 jnz short LinToolB.0040CA9B
0040CA8B . 68 3C954100 push LinToolB.0041953C
0040CA90 . 68 70944000 push LinToolB.00409470
0040CA95 . FF15 64114000 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
At both critical jumps, if the jump is not taken, execution falls through to the "unregistered, closing" message.
So we make each jump taken, which skips this message box.
Critical jump 1 (registration-code format check):
je -> jnz
Critical jump 2:
jnz -> je
JE/JZ: jump if equal (zero flag set).
JNE/JNZ: jump if not equal (zero flag clear).
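As an added example (not part of the original post), the Python below rebuilds the bytes of the two jumps from the listing above, decodes their targets, shows why the je/jnz swap the post describes is a one-bit change in the opcode (74 <-> 75 for the short form, 0F 84 <-> 0F 85 for the near form), and then shows the simplest countermeasure a developer can add: a SHA-256 digest of the code bytes, which flags the patch. The byte string is constructed from the listing's hex column; the function names are my own.

```python
import hashlib
import hmac

# Bytes taken from the hex column of the OllyDbg listing in the post, 0040C9B0..0040C9DC.
# Constructed for this example; not dumped from the binary itself.
BASE_VA = 0x0040C9B0
CODE = bytes.fromhex(
    "85C0"          # 0040C9B0  test eax,eax
    "7414"          # 0040C9B2  je short 0040C9C8  (short jcc: 74 rel8)
    "B801000000"    # 0040C9B4  mov eax,1
    "660345E4"      # 0040C9B9  add ax,word ptr [ebp-1C]
    "0F808A170000"  # 0040C9BD  jo 0040E14D
    "E940FDFFFF"    # 0040C9C3  jmp 0040C708
    "B901000000"    # 0040C9C8  mov ecx,1
    "FFD7"          # 0040C9CD  call edi
    "884598"        # 0040C9CF  mov byte ptr [ebp-68],al
    "8A4598"        # 0040C9D2  mov al,byte ptr [ebp-68]
    "84C0"          # 0040C9D5  test al,al
    "0F84A5000000"  # 0040C9D7  je 0040CA82  (near jcc: 0F 84 rel32) -- the "critical jump"
)

SHORT_JCC = {0x74: "je", 0x75: "jnz"}   # one-byte opcodes, 8-bit displacement
NEAR_JCC = {0x84: "je", 0x85: "jnz"}    # 0F-prefixed opcodes, 32-bit displacement


def decode_jcc(code, offset, base_va):
    """Decode a je/jnz at code[offset]; return (mnemonic, length, target_va)."""
    va = base_va + offset
    op = code[offset]
    if op in SHORT_JCC:
        rel = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
        return SHORT_JCC[op], 2, va + 2 + rel
    if op == 0x0F and code[offset + 1] in NEAR_JCC:
        rel = int.from_bytes(code[offset + 2:offset + 6], "little", signed=True)
        return NEAR_JCC[code[offset + 1]], 6, va + 6 + rel
    raise ValueError("no je/jnz at offset %#x" % offset)


def invert_jcc(code, offset):
    """Return a copy of code with the je/jnz at offset inverted.

    The low bit of the Jcc condition code selects the negated condition, so the
    swap the post performs in OD changes exactly one bit of the opcode byte.
    """
    patched = bytearray(code)
    op = patched[offset]
    if op in SHORT_JCC:
        patched[offset] = op ^ 1
    elif op == 0x0F and patched[offset + 1] in NEAR_JCC:
        patched[offset + 1] ^= 1
    else:
        raise ValueError("no je/jnz at offset %#x" % offset)
    return bytes(patched)


def diff_bytes(original, patched, base_va):
    """List (va, old, new) for every byte that differs; useful when documenting a patch."""
    return [(base_va + i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def code_digest(code):
    """SHA-256 of the code bytes; what an in-program self-check would store at build time."""
    return hashlib.sha256(code).hexdigest()


def verify_code(code, expected_digest):
    """True only if the code bytes are unmodified; a single flipped bit fails the check."""
    return hmac.compare_digest(code_digest(code), expected_digest)


if __name__ == "__main__":
    for off in (2, 39):  # offsets of the two je instructions within CODE
        print("%08X: %s -> %08X" % ((BASE_VA + off,) + decode_jcc(CODE, off, BASE_VA)[0::2]))
    patched = invert_jcc(CODE, 39)
    print("patch:", [("%08X" % va, "%02X->%02X" % (a, b)) for va, a, b in diff_bytes(CODE, patched, BASE_VA)])
    print("integrity check passes on patched code:", verify_code(patched, code_digest(CODE)))
```

The digest check is the minimal form of the defence; the point a developer should take from the listing is that a licence decision funnelled through one `test al,al` / `je` pair is defeated by one bit, so the branch should be made harder to find (no plain-text "unregistered" string in the same function) and the code that contains it should be covered by an integrity check, ideally one whose expected value is not stored next to the code it protects.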
--------------------------------------------------------------------------------
【Lessons learned】
1. Use GetVBRes to find the strings.
2. Find the critical jump.
Cracking really is that simple.
Start with easy software to give yourself some confidence.
--------------------------------------------------------------------------------