【Title】: 通用考试系统_校园版 (General Exam System, Campus Edition): tracing the registration code
【Author】: sun152121
【Software】: 通用考试系统_校园版
【Size】: 820K
【Download】: search for it yourself
【Packer】: none
【Protection】: registration code
【Language】: VB
【Tools】: OD (OllyDbg), PEiD
【Platform】: WinXP
【Author's note】: Just out of interest, nothing more. Please correct me wherever I have slipped up!
--------------------------------------------------------------------------------
【Detailed process】
Check with PEiD: it reports Microsoft Visual Basic 5.0 / 6.0, no packer.
Load it into OD and we arrive here:
00402B10 >/$ 68 80874100 push 00418780 ; (initial cpu selection)
00402B15 |. E8 EEFFFFFF call <jmp.&MSVBVM60.#100>
00402B1A |. 0000 add byte ptr [eax], al
00402B1C |. 0000 add byte ptr [eax], al
00402B1E |. 0000 add byte ptr [eax], al
00402B20 |. 3000 xor byte ptr [eax], al
00402B22 |. 0000 add byte ptr [eax], al
00402B24 |. 3800 cmp byte ptr [eax], al
00402B26 |. 0000 add byte ptr [eax], al
00402B28 |. 0000 add byte ptr [eax], al
00402B2A |. 0000 add byte ptr [eax], al
Press F9 to run and click Register. On my machine the program shows the machine code 8808698827; enter the registration code 0123456789 and it reports "注册码不正确,注册失败!" (registration code incorrect, registration failed).
Press F12 to pause and open the call stack window:
Call stack: main thread
Address Stack Procedure / arguments Called from Frame
0012E0D8 77D19418 Includes ntdll.KiFastSystemCallRet USER32.77D19416 0012E10C
0012E0DC 77D2770A USER32.WaitMessage USER32.77D27705 0012E10C
0012E110 77D249C4 USER32.77D2757B USER32.77D249BF 0012E10C
0012E138 77D3A956 USER32.77D2490E USER32.77D3A951 0012E134
0012E3F8 77D3A2BC USER32.SoftModalMessageBox USER32.77D3A2B7 0012E3F4
0012E548 77D3A10B USER32.77D3A147 USER32.77D3A106 0012E544
0012E5B4 733FF6B2 Includes USER32.77D3A10B MSVBVM60.733FF6B0 0012E5B0
0012E5F4 733FF52E Includes MSVBVM60.733FF6B2 MSVBVM60.733FF52B 0012E5F0
0012E61C 733FF829 MSVBVM60.733FF414 MSVBVM60.733FF824 0012E618
0012E64C 733F3BF0 MSVBVM60.733FF798 MSVBVM60.733F3BEB 0012E648
0012E6B0 7346D07A MSVBVM60.733F3963 MSVBVM60.7346D075 0012E6AC
0012E728 004BA1B0 ? MSVBVM60.rtcMsgBox JDKS.004BA1AA 0012E724
Select the last row, right-click and choose "Show call", and we arrive here:
004BA1AA . FF15 C0104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
004BA1B0 . 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
004BA1B6 . 8D4D 88 lea ecx, dword ptr [ebp-78]
004BA1B9 . 50 push eax
004BA1BA . 8D55 98 lea edx, dword ptr [ebp-68]
004BA1BD . 51 push ecx
004BA1BE . 8D45 A8 lea eax, dword ptr [ebp-58]
004BA1C1 . 52 push edx
004BA1C2 . 50 push eax
004BA1C3 . 6A 04 push 4
004BA1C5 . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004BA1CB . 83C4 14 add esp, 14
004BA1CE . E9 D9010000 jmp 004BA3AC
004BA1D3 > 8B0F mov ecx, dword ptr [edi]
004BA1D5 . 57 push edi
004BA1D6 . FF91 FC020000 call dword ptr [ecx+2FC]
004BA1DC . 8D55 C0 lea edx, dword ptr [ebp-40]
004BA1DF . 50 push eax
004BA1E0 . 52 push edx
004BA1E1 . FF15 B8104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
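The manual step just performed, reading the call-stack window from the innermost frame outward and picking the first row whose "Called from" column belongs to the target module (JDKS), is easy to automate for any OllyDbg call-stack dump. The parser below is an added helper and not part of the original post; its sample rows are constructed from the dump above, and it assumes the English column layout of that window (two fixed hex columns on the left, "Called from" and "Frame" on the right, a free-form procedure column in between).

```python
"""Added helper, not part of the original post: parse OllyDbg call-stack rows
and pick the innermost frame that belongs to a given module, which is the
manual step of choosing the last row and using "Show call" above."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

_CALLER = re.compile(r"^([A-Za-z0-9_]+)\.([0-9A-Fa-f]{8})$")
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Frame:
    slot: int            # "Address": stack slot holding the return address
    ret_addr: int        # "Stack": the return address itself
    procedure: str       # "Procedure / arguments" (may contain spaces)
    caller_module: str   # module part of "Called from"
    call_site: int       # address of the call instruction
    frame: int           # "Frame"


def parse_frame(line: str) -> Optional[Frame]:
    """One OllyDbg call-stack row -> Frame, or None for headers and junk.
    Only the first two and last two columns are single tokens; the procedure
    column between them may contain spaces ("? MSVBVM60.rtcMsgBox")."""
    tokens = line.split()
    if len(tokens) < 5:
        return None
    slot, ret, called_from, frame = tokens[0], tokens[1], tokens[-2], tokens[-1]
    m = _CALLER.match(called_from)
    if not (m and _HEX8.match(slot) and _HEX8.match(ret) and _HEX8.match(frame)):
        return None
    return Frame(int(slot, 16), int(ret, 16), " ".join(tokens[2:-2]),
                 m.group(1), int(m.group(2), 16), int(frame, 16))


def parse_call_stack(text: str) -> List[Frame]:
    return [f for f in map(parse_frame, text.splitlines()) if f]


def first_frame_in_module(frames: Iterable[Frame], module: str) -> Optional[Frame]:
    """Rows are listed innermost first, so the first match is the deepest
    point at which the target module is still on the stack: the row the
    post selects before using "Show call"."""
    module = module.upper()
    for f in frames:
        if f.caller_module.upper() == module:
            return f
    return None


# Constructed sample: a subset of the rows from the dump above.
SAMPLE = """\
Call stack: main thread
Address  Stack    Procedure / arguments        Called from        Frame
0012E0D8 77D19418 Includes ntdll.KiFastSystemCallRet USER32.77D19416 0012E10C
0012E3F8 77D3A2BC USER32.SoftModalMessageBox USER32.77D3A2B7 0012E3F4
0012E6B0 7346D07A MSVBVM60.733F3963 MSVBVM60.7346D075 0012E6AC
0012E728 004BA1B0 ? MSVBVM60.rtcMsgBox JDKS.004BA1AA 0012E724
"""

if __name__ == "__main__":
    hit = first_frame_in_module(parse_call_stack(SAMPLE), "JDKS")
    print(f"call at {hit.call_site:08X}, returns to {hit.ret_addr:08X}: {hit.procedure}")
```

A useful sanity check on the result: the "Stack" column holds the return address and "Called from" the call instruction, so for the rtcMsgBox row their difference is 6, the length of the `FF15 xx xx xx xx` indirect call through the import table that the listing above shows at 004BA1AA.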
Set a breakpoint at the start of this routine:
004B9C90 55 push ebp
004B9C91 8BEC mov ebp, esp
004B9C93 . 83EC 0C sub esp, 0C ; (initial cpu selection)
004B9C96 . 68 46264000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
004B9C9B . 64:A1 0000000>mov eax, dword ptr fs:[0]
004B9CA1 . 50 push eax
Press F9 to run and it breaks here:
004B9C90 55 push ebp
Step through with F8:
004B9D63 > \8B4D D8 mov ecx, dword ptr [ebp-28] ; machine code // stack ss:[0012E314]=08B30A1C, (UNICODE "8808698827")
ecx=7C93005D (ntdll.7C93005D)
Jump from 004B9D4F
004B9D66 . 51 push ecx
004B9D67 . E8 94340000 call 004BD200 ; generates the real registration code // eax=08B3484C, (UNICODE "5B73ED99")
edx=00000000; EAX holds the real code
004B9D6C . 8BD0 mov edx, eax
004B9D6E . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004B9D71 . FF15 C8124000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
004B9D77 . 8D4D D8 lea ecx, dword ptr [ebp-28]
004B9D7A . FF15 28134000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004B9D80 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004B9D83 . FF15 24134000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004B9D89 . 8B17 mov edx, dword ptr [edi]
004B9D8B . 57 push edi
004B9D8C . FF92 00030000 call dword ptr [edx+300]
004B9D92 . 50 push eax
004B9D93 . 8D45 C0 lea eax, dword ptr [ebp-40]
004B9D96 . 50 push eax
004B9D97 . FFD3 call ebx
004B9D99 . 8BF0 mov esi, eax
004B9D9B . 8D55 D8 lea edx, dword ptr [ebp-28]
004B9D9E . 52 push edx
004B9D9F . 56 push esi
004B9DA0 . 8B0E mov ecx, dword ptr [esi]
004B9DA2 . FF91 A0000000 call dword ptr [ecx+A0]
004B9DA8 . 85C0 test eax, eax
004B9DAA . DBE2 fclex
004B9DAC . 7D 12 jge short 004B9DC0
004B9DAE . 68 A0000000 push 0A0
004B9DB3 . 68 00224200 push 00422200
004B9DB8 . 56 push esi
004B9DB9 . 50 push eax
004B9DBA . FF15 8C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004B9DC0 > 8B45 D8 mov eax, dword ptr [ebp-28] ; fetch the entered (fake) code
004B9DC3 . 8D4D 98 lea ecx, dword ptr [ebp-68]
004B9DC6 . 8945 B0 mov dword ptr [ebp-50], eax
004B9DC9 . 8D45 A8 lea eax, dword ptr [ebp-58]
004B9DCC . 50 push eax
004B9DCD . 51 push ecx
004B9DCE . C745 D8 00000>mov dword ptr [ebp-28], 0
004B9DD5 . C745 A8 08000>mov dword ptr [ebp-58], 8
004B9DDC . FF15 E4104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
004B9DE2 . 8D55 98 lea edx, dword ptr [ebp-68]
004B9DE5 . 8D45 88 lea eax, dword ptr [ebp-78]
004B9DE8 . 52 push edx
004B9DE9 . 50 push eax
004B9DEA . FF15 20114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
004B9DF0 . 8B4D E4 mov ecx, dword ptr [ebp-1C] ; the real code appears again
004B9DF3 . 8D55 88 lea edx, dword ptr [ebp-78]
004B9DF6 . 8D85 58FFFFFF lea eax, dword ptr [ebp-A8]
004B9DFC . 52 push edx ; /var18
004B9DFD . 50 push eax ; |var28
004B9DFE . 898D 60FFFFFF mov dword ptr [ebp-A0], ecx ; |
004B9E04 . C785 58FFFFFF>mov dword ptr [ebp-A8], 8008 ; |
004B9E0E . FF15 2C114000 call dword ptr [<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
004B9E14 . 8D4D C0 lea ecx, dword ptr [ebp-40]
004B9E17 . 66:8BF0 mov si, ax
004B9E1A . FF15 24134000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004B9E20 . 8D4D 88 lea ecx, dword ptr [ebp-78]
004B9E23 . 8D55 98 lea edx, dword ptr [ebp-68]
004B9E26 . 51 push ecx
004B9E27 . 8D45 A8 lea eax, dword ptr [ebp-58]
004B9E2A . 52 push edx
004B9E2B . 50 push eax
004B9E2C . 6A 03 push 3
004B9E2E . FF15 44104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004B9E34 . 83C4 10 add esp, 10
004B9E37 . 66:85F6 test si, si
004B9E3A 0F84 FB020000 je 004BA13B ; key jump: if it is taken, we fail! // change to jne, or nop it, to patch
004B9E40 . 68 F8674200 push 004267F8
004B9E45 . FF15 78114000 call dword ptr [<&MSVBVM60.__vbaNew>] ; MSVBVM60.__vbaNew
004B9E4B . 8D4D DC lea ecx, dword ptr [ebp-24]
004B9E4E . 50 push eax
004B9E4F . 51 push ecx
004B9E50 . FFD3 call ebx
004B9E52 . A1 04BD4C00 mov eax, dword ptr [4CBD04]
004B9E57 . 85C0 test eax, eax
004B9E59 . 75 10 jnz short 004B9E6B
004B9E5B . 68 04BD4C00 push 004CBD04
004B9E60 . 68 9C144200 push 0042149C
004B9E65 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
004B9E6B > 8B35 04BD4C00 mov esi, dword ptr [4CBD04]
004B9E71 . 8D45 C0 lea eax, dword ptr [ebp-40]
004B9E74 . 50 push eax
004B9E75 . 56 push esi
--------------------------------------------------------------------------------
【Summary】
This program does a plaintext comparison, so tracing the registration code is quite simple, and patching it is just as simple. A tutorial for beginners; experts, please pass by~
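The weakness summarised above is structural: the routine at 004BD200 derives the real code from the machine code inside the client, the result sits in memory as a UNICODE string next to the entered one, and after rtcTrimVar / rtcUpperCaseVar a single __vbaVarTstEq result decides the outcome. The example below is added here and is not code from the original post or from the exam program: it places that compute-then-compare pattern beside a verify-only design in which the client holds only a public key and checks a vendor-signed license for its machine code, so no "real code" is ever computed or stored on the client. `toy_serial()` is an assumed stand-in for the derivation at 004BD200 (the post does not show that algorithm), and the signature scheme is textbook RSA with short, seeded keys, used only to show the structure.

```python
"""Added example, not code from the original post or from the exam program.
toy_serial() is an ASSUMED stand-in for the derivation at 004BD200; the
signed-license pattern uses textbook RSA with short seeded keys to show the
structure only, not as a production scheme."""
import hashlib
import random

MACHINE_CODE = "8808698827"  # machine code shown in the post


# ---- Pattern 1: compute-then-compare (what the post traces) ---------------
def toy_serial(machine_code: str) -> str:
    """Assumed stand-in for the derivation at 004BD200."""
    return hashlib.sha256(machine_code.encode()).hexdigest()[:8].upper()


def check_plain(machine_code: str, entered: str) -> bool:
    """Mirrors rtcTrimVar / rtcUpperCaseVar / __vbaVarTstEq: the real code is
    materialised in memory, then one boolean decides the outcome."""
    real = toy_serial(machine_code)
    return entered.strip().upper() == real


# ---- Pattern 2: verify-only client ----------------------------------------
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin; adequate for a demo, not a production primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def _modinv(a: int, m: int) -> int:
    """Extended Euclid; assumes gcd(a, m) == 1."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    return old_s % m


def make_keypair(bits: int = 48, seed: int = 20110404):
    """Returns (public, private). The seed only makes the demo reproducible;
    a real issuer would use a CSPRNG and a vetted library (e.g. Ed25519)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, _modinv(e, phi))


def _digest(machine_code: str, n: int) -> int:
    return int.from_bytes(hashlib.sha256(machine_code.encode()).digest(), "big") % n


def issue_license(private, machine_code: str) -> str:
    """Vendor side only: the private key never ships with the program."""
    n, d = private
    return format(pow(_digest(machine_code, n), d, n), "X")


def check_signed(public, machine_code: str, license_str: str) -> bool:
    """Client side: holds only the public key, so it can recognise a valid
    license but cannot produce one, and has no real code to keep in memory."""
    n, e = public
    try:
        s = int(license_str.strip(), 16)
    except ValueError:
        return False
    if not 0 <= s < n:
        return False
    return pow(s, e, n) == _digest(machine_code, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    lic = issue_license(priv, MACHINE_CODE)
    print("plain check  :", check_plain(MACHINE_CODE, toy_serial(MACHINE_CODE)))
    print("signed check :", check_signed(pub, MACHINE_CODE, lic))
    print("other machine:", check_signed(pub, "8808698828", lic))
```

The signed design removes what the trace above relied on: there is no call whose return value is the real code, and the client binary contains nothing from which valid licenses can be generated. It does not remove the final branch on the verification result, so it addresses the "trace the real code" part of the post rather than the patching part; that is a separate problem (integrity checks, server-side enforcement) outside the scope of this page.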
--------------------------------------------------------------------------------
【Copyright】: This article is original; when reposting please credit the author and keep it intact. Thanks!
2011年04月04日 11:26:46