小生我怕怕
发表于 2008-8-25 19:07
首先脱壳
━━━━━━━━━━━━━━━━━━━━━━━━━━
0043F001 >9Cpushfd //OD载入
0043F00260pushad
0043F00370 61 jo short crackme.0043F066
0043F005636B 24 arpl word ptr ds:[ebx+24],bp
0043F00840inc eax
0043F00933C0xor eax,eax
0043F00B61popad
0043F00C9Dpopfd
0043F00D60pushad
0043F00EE8 00000000 call crackme.0043F013 //在此执行ESP定律
━━━━━━━━━━━━━━━━━━━━━━━━━━
0043F3B5^\EB FB jmp short crackme.0043F3B2//这个跳转让他向上跳
0043F3B7^ EB EB jmp short crackme.0043F3A4
0043F3B90068 68 add byte ptr ds:[eax+68],ch
0043F3BC41inc ecx
0043F3BD40inc eax
0043F3BE00C3add bl,al
0043F3C08B85 26040000 mov eax,dword ptr ss:[ebp+426]
━━━━━━━━━━━━━━━━━━━━━━━━━━
0043F3B2 /EB 04 jmp short crackme.0043F3B8//然后程序停在这里
0043F3B4 |61popad
0043F3B5^|EB FB jmp short crackme.0043F3B2
0043F3B7^|EB EB jmp short crackme.0043F3A4
0043F3B90068 68 add byte ptr ds:[eax+68],ch
0043F3BC41inc ecx
0043F3BD40inc eax
━━━━━━━━━━━━━━━━━━━━━━━━━━
0043F3B8 /EB 00 jmp short crackme.0043F3BA
0043F3BA \68 68414000 push crackme.00404168
0043F3BFC3retn //这里直接跳向我们的OEP啦
━━━━━━━━━━━━━━━━━━━━━━━━━━
0040416868 C8584000 push crackme.004058C8 //到达OEP,标准的OEP
0040416DE8 F0FFFFFF call crackme.00404162 //此时dump程序吧
004041720000add byte ptr ds:[eax],al
0040417440inc eax
004041750000add byte ptr ds:[eax],al
004041770030add byte ptr ds:[eax],dh
━━━━━━━━━━━━━━━━━━━━━━━━━━
现在程序报错提示:
兄弟,你又非法修改我的程序了
━━━━━━━━━━━━━━━━━━━━━━━━━━
用C32Asm加载程序----查看----字符串
在选择 编辑——使用Unicode分析字符串
XOR EAX, 43000420
::00401005::200400 AND BYTE PTR [EAX+EAX], AL
::00401008::53 PUSHEBX
::00401009::200400 AND BYTE PTR [EAX+EAX], AL
::0040100C::60 PUSHAD
::0040100D::200400 AND BYTE PTR [EAX+EAX], AL
::00401010::6920 04007620IMULESP, DWORD PTR [EAX], 20760004
::00401016::04 00ADD AL, 0
::00401018::8320 04AND DWORD PTR [EAX], 4
::0040101B::0092 200400A1ADD BYTE PTR [EDX+A1000420], DL
━━━━━━━━━━━━━━━━━━━━━━━━━━
此时我们要搜索他的错误提示的对话框(兄弟,你又非法修改我的程序了)
_TrackMouseEvent
::00412F1C->PUSH408E68
cmd.exe /c msg %username% /time:7 兄弟.你又非法修改我的程序了
::0040C262->MOV DWORD PTR [EBP-68], 407B9C
cmd.exe /c msg %username% 对不起输入错误
::0040C421->MOV DWORD PTR [EBP-54], 407C14
computername
━━━━━━━━━━━━━━━━━━━━━━━━━━
看下错误提示为0040c262提示出来的,现在我们OD加载我们脱壳后的程序
ctrl+G搜索0040c262
0040C236 . /75 5E jnz short unpack.0040C296//这里改jmp跳,就可以跳过我们的错误提示
0040C238 . |8B75 08 mov esi,dword ptr ss:[ebp+8]
0040C23B . |8D45 8C lea eax,dword ptr ss:[ebp-74]
0040C23E . |50push eax
0040C23F . |56push esi
0040C240 . |8B16mov edx,dword ptr ds:[esi]
0040C242 . |FF92 B8010000 call dword ptr ds:[edx+1B8]
0040C248 . |85C0test eax,eax
0040C24A . |DBE2fclex
0040C24C . |7D 0E jge short unpack.0040C25C
0040C24E . |68 B8010000 push 1B8
0040C253 . |68 107A4000 push unpack.00407A10
0040C258 . |56push esi
0040C259 . |50push eax
0040C25A . |FFD3call ebx
0040C25C > |8D55 90 lea edx,dword ptr ss:[ebp-70]
0040C25F . |8D4D A0 lea ecx,dword ptr ss:[ebp-60]
0040C262 . |C745 98 9C7B4>mov dword ptr ss:[ebp-68],unpack.00407B9>;//这里就是我们的错误提示
━━━━━━━━━━━━━━━━━━━━━━━━━━
此时程序可运行啦,那我们就好好想想吧:在我们刚查找Unicode字符串时,那里出现了一个“已破解”,不妨就此下手
-已破解
::0040C67C->PUSH407C5C
━━━━━━━━━━━━━━━━━━━━━━━━━━
再次OD载入我们修复后出错的程序,ctrl+g搜索0040c67c
0040C637 . /0F84 B0000000 je 1.0040C6ED //这里改JMP。即可达到爆破程序的效果
0040C63D . |8B16mov edx,dword ptr ds:[esi]
0040C63F . |56push esi
0040C640 . |FF92 00030000 call dword ptr ds:[edx+300]
0040C646 . |50push eax
0040C647 . |8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0040C64A . |50push eax
0040C64B . |FF15 88104000 call dword ptr ds:[<&msvbvm60.__vbaObjSe>;msvbvm60.__vbaObjSet
0040C651 . |8BF8mov edi,eax
0040C653 . |8D55 B8 lea edx,dword ptr ss:[ebp-48]
0040C656 . |52push edx
0040C657 . |57push edi
0040C658 . |8B0Fmov ecx,dword ptr ds:[edi]
0040C65A . |FF91 A0000000 call dword ptr ds:[ecx+A0]
0040C660 . |3BC3cmp eax,ebx
0040C662 . |DBE2fclex
0040C664 . |7D 12 jge short 1.0040C678
0040C666 . |68 A0000000 push 0A0
0040C66B . |68 007C4000 push 1.00407C00
0040C670 . |57push edi
0040C671 . |50push eax
0040C672 . |FF15 60104000 call dword ptr ds:[<&msvbvm60.__vbaHresu>;msvbvm60.__vbaHresultCheckObj
0040C678 > |8B45 B8 mov eax,dword ptr ss:[ebp-48]
0040C67B . |50push eax
0040C67C . |68 5C7C4000 push 1.00407C5C //这里为我们的错误提示所在
0040C681 . |FF15 50104000 call dword ptr ds:[<&msvbvm60.__vbaStrCa>;msvbvm60.__vbaStrCat
━━━━━━━━━━━━━━━━━━━━━━━━━━
现在我们来追码吧,ctrl+g搜索0040c67c,然后寻找段首
0040C4B0 > \55push ebp //F2下断后,在加载程序
0040C4B1 .8BECmov ebp,esp//从新加载后,就运行程序
0040C4B3 .83EC 0C sub esp,0C
0040C4B6 .68 563E4000 push <jmp.&msvbvm60.__vbaExceptHandler>;SE 句柄安装
0040C4BB .64:A1 0000000>mov eax,dword ptr fs:[0]
0040C4C1 .50push eax
0040C4C2 .64:8925 00000>mov dword ptr fs:[0],esp
0040C4C9 .81EC 88000000 sub esp,88
0040C4CF .53push ebx
0040C4D0 .56push esi
0040C4D1 .57push edi
0040C4D2 .8965 F4 mov dword ptr ss:[ebp-C],esp
0040C4D5 .C745 F8 38124>mov dword ptr ss:[ebp-8],1.00401238
━━━━━━━━━━━━━━━━━━━━━━━━━━
我们输入用户名:fanfan
由于注册码是由输入时确定是否正确,所以我们便要直接复制我们的用户名fanfan,然后粘贴在注册码处
在我们单步跟到显示第5次注册名时,便去看看我们的堆栈窗口,出现了我们的注册码fanfan23374
因为被禁了复制程序,所以我也只能大体告诉大家几时出现注册码啦
0012E9D4 0016918CUNICODE "fanfan23374"
0012E9D8 77D3B3B4返回到 USER32.77D3B3B4
0012E9DC 00000000
0012E9E0 00000000
0012E9E4 0016B914UNICODE "fanfan"
0012E9E8 77D3B3B4返回到 USER32.77D3B3B4
0012E9EC 00000000
0012E9F0 00E83E44
0012E9F4 0016B914UNICODE "fanfan"