[原创]飘云阁Crackme去NAG
【破文作者】qxtianlong【所属组织】无
【作者主页】http://qxtianlong.77169.com
【 E-mail 】[email protected]
【 作者QQ 】249935058
【文章题目】Crackme的详解
【软件名称】飘云阁Crackme
【下载地址】
【加密方式】无
【加壳方式】Aspack2.12
【破解工具】OD,FI
【软件限制】NAG+30次使用限制
【破解平台】wxp
=======================================================================================================
【软件简介】
Crackme生存的唯一目的就是让我们练手之用!
=======================================================================================================
【文章简介】
我的破解很菜,写这篇东西是给对这个 crackme 有兴趣的兄弟们,分享一下破解心得
=======================================================================================================
【解密过程】
首先使用FI查壳,是Aspack2.12,OD载入手动脱壳,弱壳,我就简单说一下,当然你也可以用自动脱壳机
00406001 C>60 pushad //入口处
00406002 E8 03000000 call CRACKME.0040600A //这里要用F7跟进,用F8就跑飞了
00406007 - E9 EB045D45 jmp 459D64F7
0040600C 55 push ebp
0040600D C3 retn
0040600E E8 01000000 call CRACKME.00406014 //同上,用F7跟进,用F8就跑飞了
中间省略N行,一路F8只能往前跑,不能往后跑,马上来到
004063AF 61 popad //曙光,光明离我们不远了
004063B0 75 08 jnz short CRACKME.004063BA
004063B2 B8 01000000 mov eax,1
004063B7 C2 0C00 retn 0C
004063BA 68 3C124000 push CRACKME.0040123C ***飞向光明之巅
004063BF C3 retn F8过
0040123C 68 DC204000 push CRACKME.004020DC ; ASCII "VB5!6&vb6chs.dll"在这DUMP
选择重建输入表方式一,我用方式二有错误
下断点 bp rtcMsgBox,F9 运行,断在系统领空,Ctrl+F9 返回,出现 Nag 对话框,确认后返回程序领空
向上找到
00402D80 55 push ebp //代码开始
00402D81 8BEC mov ebp,esp
00402D83 83EC 0C sub esp,0C
00402D86 68 26114000 push <jmp.&MSVBVM60.__vbaExceptHandl>
00402D8B 64:A1 00000000 mov eax,dword ptr fs:[0]
00402D91 50 push eax
00402D92 64:8925 00000000 mov dword ptr fs:[0],esp //接管fs:[0]的SEH链,处理程序就是上面push的__vbaExceptHandler
00402D99 81EC 94000000 sub esp,94
00402D9F 53 push ebx
00402DA0 56 push esi
00402DA1 57 push edi
00402DA2 8965 F4 mov dword ptr ss:[ebp-C],esp
00402DA5 C745 F8 C0104000 mov dword ptr ss:[ebp-8],unpacked.004010C0
00402DAC 8B45 08 mov eax,dword ptr ss:[ebp+8]
00402DAF 8BC8 mov ecx,eax
00402DB1 83E1 01 and ecx,1
00402DB4 894D FC mov dword ptr ss:[ebp-4],ecx
00402DB7 24 FE and al,0FE
00402DB9 50 push eax
00402DBA 8945 08 mov dword ptr ss:[ebp+8],eax
00402DBD 8B10 mov edx,dword ptr ds:[eax]
00402DBF FF52 04 call dword ptr ds:[edx+4]
00402DC2 83EC 10 sub esp,10
00402DC5 33DB xor ebx,ebx
00402DC7 8BD4 mov edx,esp
00402DC9 B9 02000000 mov ecx,2
00402DCE 895D 90 mov dword ptr ss:[ebp-70],ebx
00402DD1 894D 90 mov dword ptr ss:[ebp-70],ecx
00402DD4 890A mov dword ptr ds:[edx],ecx
00402DD6 8B4D 94 mov ecx,dword ptr ss:[ebp-6C]
00402DD9 33C0 xor eax,eax
00402DDB 68 F8254000 push unpacked.004025F8 ; UNICODE "times"
00402DE0 894A 04 mov dword ptr ds:[edx+4],ecx
00402DE3 8945 98 mov dword ptr ss:[ebp-68],eax
00402DE6 68 EC254000 push unpacked.004025EC ; UNICODE "set"
00402DEB 68 DC254000 push unpacked.004025DC ; UNICODE "MyApp"
00402DF0 8942 08 mov dword ptr ds:[edx+8],eax
00402DF3 8B45 9C mov eax,dword ptr ss:[ebp-64]
00402DF6 895D E4 mov dword ptr ss:[ebp-1C],ebx
00402DF9 895D E0 mov dword ptr ss:[ebp-20],ebx
00402DFC 895D D0 mov dword ptr ss:[ebp-30],ebx
00402DFF 895D C0 mov dword ptr ss:[ebp-40],ebx
00402E02 895D B0 mov dword ptr ss:[ebp-50],ebx
00402E05 895D A0 mov dword ptr ss:[ebp-60],ebx
00402E08 895D 80 mov dword ptr ss:[ebp-80],ebx
00402E0B 8942 0C mov dword ptr ds:[edx+C],eax
00402E0E FF15 94104000 call dword ptr ds:[<&MSVBVM60.#689>] ; MSVBVM60.rtcGetSetting
00402E14 8B3D A4104000 mov edi,dword ptr ds:[<&MSVBVM60.__v>; MSVBVM60.__vbaStrMove
00402E1A 8BD0 mov edx,eax
00402E1C 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00402E1F FFD7 call edi
00402E21 50 push eax
00402E22 FF15 80104000 call dword ptr ds:[<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI4Str
00402E28 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00402E2B 8BF0 mov esi,eax
00402E2D FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
00402E33 83FE 1D cmp esi,1D //esi=GetSetting("MyApp","set","times")转成的整数(已用次数),和1D(29)比较
00402E36 0F8E 83000000 jle unpacked.00402EBF //没超过就跳到下面弹NAG并把次数加1写回;超过了就往下走,弹提示后__vbaEnd退出
00402E3C B9 04000280 mov ecx,80020004
00402E41 B8 0A000000 mov eax,0A
00402E46 894D A8 mov dword ptr ss:[ebp-58],ecx
00402E49 894D B8 mov dword ptr ss:[ebp-48],ecx
00402E4C 8D55 80 lea edx,dword ptr ss:[ebp-80]
00402E4F 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00402E52 8945 A0 mov dword ptr ss:[ebp-60],eax
00402E55 8945 B0 mov dword ptr ss:[ebp-50],eax
00402E58 C745 88 28264000 mov dword ptr ss:[ebp-78],unpacked.00402628 ; UNICODE "piaoyun"
00402E5F C745 80 08000000 mov dword ptr ss:[ebp-80],8
00402E66 FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarDup
00402E6C 8D55 90 lea edx,dword ptr ss:[ebp-70]
00402E6F 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00402E72 C745 98 08264000 mov dword ptr ss:[ebp-68],unpacked.00402608
00402E79 C745 90 08000000 mov dword ptr ss:[ebp-70],8
00402E80 FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarDup
00402E86 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00402E89 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00402E8C 51 push ecx
00402E8D 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00402E90 52 push edx
00402E91 50 push eax
00402E92 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00402E95 6A 10 push 10
00402E97 51 push ecx
00402E98 FF15 30104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox //次数超限时的提示框
00402E9E 8D55 A0 lea edx,dword ptr ss:[ebp-60]
00402EA1 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00402EA4 52 push edx
00402EA5 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00402EA8 50 push eax
00402EA9 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00402EAC 51 push ecx
00402EAD 52 push edx
00402EAE 6A 04 push 4
00402EB0 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
00402EB6 83C4 14 add esp,14
00402EB9 FF15 14104000 call dword ptr ds:[<&MSVBVM60.__vbaE>; MSVBVM60.__vbaEnd //结束程序
00402EBF B9 04000280 mov ecx,80020004
00402EC4 B8 0A000000 mov eax,0A
00402EC9 894D A8 mov dword ptr ss:[ebp-58],ecx
00402ECC 894D B8 mov dword ptr ss:[ebp-48],ecx
00402ECF 8D55 90 lea edx,dword ptr ss:[ebp-70]
00402ED2 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00402ED5 8945 A0 mov dword ptr ss:[ebp-60],eax
00402ED8 8945 B0 mov dword ptr ss:[ebp-50],eax
00402EDB C745 98 28264000 mov dword ptr ss:[ebp-68],unpacked.00402628 ; UNICODE "piaoyun"
00402EE2 C745 90 08000000 mov dword ptr ss:[ebp-70],8
00402EE9 FF15 98104000 call dword ptr ds:[<&MSVBVM60.__vbaV>; MSVBVM60.__vbaVarDup
00402EEF B8 1E000000 mov eax,1E
00402EF4 68 48264000 push unpacked.00402648
00402EF9 2BC6 sub eax,esi //eax=1E(30)-esi,也就是剩余次数,下面转成字串拼进NAG文字
00402EFB 0F80 01010000 jo unpacked.00403002
00402F01 50 push eax
00402F02 FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrI4
00402F08 8BD0 mov edx,eax
00402F0A 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00402F0D FFD7 call edi
00402F0F 50 push eax
00402F10 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCat
00402F16 8BD0 mov edx,eax
00402F18 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00402F1B FFD7 call edi
00402F1D 50 push eax
00402F1E 68 54264000 push unpacked.00402654
00402F23 FF15 20104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCat
00402F29 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00402F2C 8945 D8 mov dword ptr ss:[ebp-28],eax
00402F2F 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00402F32 51 push ecx
00402F33 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00402F36 52 push edx
00402F37 50 push eax
00402F38 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00402F3B 6A 40 push 40
00402F3D 51 push ecx
00402F3E C745 D0 08000000 mov dword ptr ss:[ebp-30],8
00402F45 FF15 30104000 call dword ptr ds:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox //NAG对话框
00402F4B 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00402F4E 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00402F51 52 push edx
00402F52 50 push eax
00402F53 6A 02 push 2
00402F55 FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
00402F5B 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00402F5E 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00402F61 51 push ecx
00402F62 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00402F65 52 push edx
00402F66 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00402F69 50 push eax
00402F6A 51 push ecx
00402F6B 6A 04 push 4
00402F6D FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
00402F73 83C4 20 add esp,20
00402F76 83C6 01 add esi,1 //次数加1
00402F79 0F80 83000000 jo unpacked.00403002
00402F7F 56 push esi
00402F80 FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrI4
00402F86 8BD0 mov edx,eax
00402F88 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00402F8B FFD7 call edi
00402F8D 50 push eax
00402F8E 68 F8254000 push unpacked.004025F8 ; UNICODE "times"
00402F93 68 EC254000 push unpacked.004025EC ; UNICODE "set"
00402F98 68 DC254000 push unpacked.004025DC ; UNICODE "MyApp"
00402F9D FF15 00104000 call dword ptr ds:[<&MSVBVM60.#690>] ; MSVBVM60.rtcSaveSetting //把加1后的次数写回 MyApp\set\times
00402FA3 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00402FA6 FF15 B4104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
00402FAC 895D FC mov dword ptr ss:[ebp-4],ebx
00402FAF 68 E32F4000 push unpacked.00402FE3
00402FB4 EB 2C jmp short unpacked.00402FE2
00402FB6 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00402FB9 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00402FBC 52 push edx
00402FBD 50 push eax
00402FBE 6A 02 push 2
00402FC0 FF15 84104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStrList
00402FC6 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00402FC9 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00402FCC 51 push ecx
00402FCD 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00402FD0 52 push edx
00402FD1 8D4D D0 lea ecx,dword ptr ss:[ebp-30]
00402FD4 50 push eax
00402FD5 51 push ecx
00402FD6 6A 04 push 4
00402FD8 FF15 10104000 call dword ptr ds:[<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
00402FDE 83C4 20 add esp,20
00402FE1 C3 retn //过程返回
把 00402D80 处的 55 push ebp 改为 jmp 00402D80 就OK啦吧~~ ^_^ (注:这里写的跳转目标 00402D80 就是指令自己所在的地址,跳回自身会死循环;按上面"过程返回"的思路,目标应该是让这个过程直接返回的那一处,具体地址请自己在 OD 里核对)
【解密心得】
遇到NAG类型的东东,要想办法跳过这段子程序
=======================================================================================================
【破解声明】我是一个小小菜虫子,文章如有错误,请高手指正!
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
=======================================================================================================
2005-10-14 12:00 啊!这个东西你怎么有?
这是我们学校计算机协会的啊~
Originally posted by 飘云 at 2005-10-14 09:53 PM:
啊!这个东西你怎么有?
这是我们学校计算机协会的啊~
呵呵!
飘云老大,还是让人找到了?
;P;P 下来看看,试试了 改了 2个地方..去了NAG和限制.../:x/:x/:x 修改过两个地方,嘿嘿 恭喜你迈入的第一步