网页点击专家 2.68 去校验+爆破
网页点击专家 2.68 去校验+爆破，下载地址：http://www.onlinedown.net/soft/50737.htm
本人初学破解 感谢PYG能让我学到不少知识
------------------------------------------------------------------------------------
在看雪上看到有人求破，就下载下来试试，高手不用看了！
壳为:ASPack 2.12
脱壳后下断:bpx CreateFileAF9运行3次
断在00403243|.E8 D8E0FFFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA
找到段首下断
004031A8/$53 push ebx //段首
004031A9|.56 push esi
004031AA|.57 push edi
004031AB|.89D6 mov esi, edx
004031AD|.89CF mov edi, ecx
004031AF|.31D2 xor edx, edx
004031B1|.89C3 mov ebx, eax
004031B3|.66:8B50 04 mov dx, word ptr
004031B7|.81EA B0D70000 sub edx, 0D7B0 ;Switch (cases D7B0..D7B3)
004031BD|.74 15 je short 004031D4
004031BF|.83FA 03 cmp edx, 3
004031C2|.0F87 A2000000 ja 0040326A
004031C8|.FF53 24 call dword ptr ;Cases D7B1,D7B2,D7B3 of switch 004031B7
004031CB|.85C0 test eax, eax
004031CD|.74 05 je short 004031D4
004031CF|.E8 E4F7FFFF call 004029B8
004031D4|>66:C743 04 B3>mov word ptr , 0D7B3 ;Case D7B0 of switch 004031B7
004031DA|.8973 08 mov dword ptr , esi
004031DD|.C743 24 80314>mov dword ptr , 00403180
004031E4|.C743 1C 982C4>mov dword ptr , 00402C98
004031EB|.807B 48 00 cmp byte ptr , 0
004031EF 74 60 je short 00403251 //这里要跳
004031F1|.B8 000000C0 mov eax, C0000000
004031F6|.8A15 08205300 mov dl, byte ptr
004031FC|.83E2 70 and edx, 70
004031FF|.C1EA 02 shr edx, 2
00403202|.8B92 68205300 mov edx, dword ptr
00403208|.B9 02000000 mov ecx, 2
0040320D|.83EF 03 sub edi, 3
00403210|.74 21 je short 00403233
00403212|.B9 03000000 mov ecx, 3
00403217|.47 inc edi
00403218|.74 19 je short 00403233
0040321A|.B8 00000040 mov eax, 40000000
0040321F|.47 inc edi
00403220|.66:C743 04 B2>mov word ptr , 0D7B2
00403226|.74 0B je short 00403233
00403228|.B8 00000080 mov eax, 80000000
0040322D|.66:C743 04 B1>mov word ptr , 0D7B1
00403233|>6A 00 push 0 ; /hTemplateFile = NULL
00403235|.68 80000000 push 80 ; |Attributes = NORMAL
0040323A|.51 push ecx ; |Mode
0040323B|.6A 00 push 0 ; |pSecurity = NULL
0040323D|.52 push edx ; |ShareMode
0040323E|.50 push eax ; |Access
0040323F|.8D43 48 lea eax, dword ptr ; |
00403242|.50 push eax ; |FileName
00403243|.E8 D8E0FFFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA
爆破
搜索字符串“未注册” 找到段首
0052AAA8/.55 push ebp
0052AAA9|.8BEC mov ebp, esp
0052AAAB|.B9 18000000 mov ecx, 18
0052AAB0|>6A 00 /push 0
0052AAB2|.6A 00 |push 0
0052AAB4|.49 |dec ecx
0052AAB5|.^ 75 F9 \jnz short 0052AAB0
0052AAB7|.53 push ebx
0052AAB8|.56 push esi
0052AAB9|.57 push edi
0052AABA|.8BD8 mov ebx, eax
0052AABC|.33C0 xor eax, eax
0052AABE|.55 push ebp
0052AABF|.68 AAB15200 push 0052B1AA
0052AAC4|.64:FF30 push dword ptr fs:
0052AAC7|.64:8920 mov dword ptr fs:, esp
0052AACA|.33C0 xor eax, eax
0052AACC|.8983 D4070000 mov dword ptr , eax
0052AAD2|.BE 01000000 mov esi, 1
0052AAD7|>8B0D A8535300 /mov ecx, dword ptr ;defclick.00536B4C
0052AADD|.8B09 |mov ecx, dword ptr
0052AADF|.B2 01 |mov dl, 1
0052AAE1|.A1 3C0C5100 |mov eax, dword ptr
0052AAE6|.E8 C526FEFF |call 0050D1B0
0052AAEB|.8BF8 |mov edi, eax
0052AAED|.89BCB3 A80700>|mov dword ptr , edi
0052AAF4|.899F AC020000 |mov dword ptr , ebx
0052AAFA|.C787 A8020000>|mov dword ptr , 0052D9AC
0052AB04|.83C9 FF |or ecx, FFFFFFFF
0052AB07|.BA 27020000 |mov edx, 227
0052AB0C|.8BC7 |mov eax, edi
0052AB0E|.E8 553BFEFF |call 0050E668
0052AB13|.46 |inc esi
0052AB14|.83FE 0B |cmp esi, 0B
0052AB17|.^ 75 BE \jnz short 0052AAD7
0052AB19|.A1 F0505300 mov eax, dword ptr
0052AB1E|.BA C4B15200 mov edx, 0052B1C4 ;yyyy-mm-dd
0052AB23|.E8 1C9DEDFF call 00404844
0052AB28|.A1 344F5300 mov eax, dword ptr
0052AB2D|.BA D8B15200 mov edx, 0052B1D8 ;hh:nn:ss
0052AB32|.E8 0D9DEDFF call 00404844
0052AB37|.A1 B8545300 mov eax, dword ptr
0052AB3C|.BA ECB15200 mov edx, 0052B1EC ;yyyy-mm-dd hh:nn:ss
0052AB41|.E8 FE9CEDFF call 00404844
0052AB46|.A1 FC4F5300 mov eax, dword ptr
0052AB4B|.C600 2D mov byte ptr , 2D
0052AB4E|.A1 5C4E5300 mov eax, dword ptr
0052AB53|.C600 3A mov byte ptr , 3A
0052AB56|.C683 D8070000>mov byte ptr , 0
0052AB5D|.8D45 FC lea eax, dword ptr
0052AB60|.E8 67FAFFFF call 0052A5CC
0052AB65|.8B45 FC mov eax, dword ptr
0052AB68|.E8 A7FDFFFF call 0052A914
0052AB6D|.8883 D8070000 mov byte ptr , al
0052AB73|.8B83 04030000 mov eax, dword ptr
0052AB79|.E8 42D6FFFF call 005281C0
0052AB7E|.8B83 08040000 mov eax, dword ptr
0052AB84|.E8 1FFEFDFF call 0050A9A8
0052AB89|.BA 08B25200 mov edx, 0052B208 ;select * from dconfig where isselect<>0
0052AB8E|.8B08 mov ecx, dword ptr
0052AB90|.FF51 2C call dword ptr
0052AB93|.8B83 08040000 mov eax, dword ptr
0052AB99|.E8 3A19F7FF call 0049C4D8
0052AB9E|.8B83 08040000 mov eax, dword ptr
0052ABA4|.E8 EF3CF7FF call 0049E898
0052ABA9|.84C0 test al, al
0052ABAB|.0F85 81000000 jnz 0052AC32
0052ABB1|.8D4D EC lea ecx, dword ptr
0052ABB4|.BA 38B25200 mov edx, 0052B238 ;showstr
0052ABB9|.8B83 08040000 mov eax, dword ptr
0052ABBF|.E8 0C28F7FF call 0049D3D0
0052ABC4|.8D55 EC lea edx, dword ptr
0052ABC7|.A1 98555300 mov eax, dword ptr
0052ABCC|.E8 2B9DEEFF call 004148FC
0052ABD1|.8D4D DC lea ecx, dword ptr
0052ABD4|.BA 48B25200 mov edx, 0052B248 ;url
0052ABD9|.8B83 08040000 mov eax, dword ptr
0052ABDF|.E8 EC27F7FF call 0049D3D0
0052ABE4|.8D55 DC lea edx, dword ptr
0052ABE7|.A1 24515300 mov eax, dword ptr
0052ABEC|.E8 0B9DEEFF call 004148FC
0052ABF1|.8D4D C8 lea ecx, dword ptr
0052ABF4|.BA 54B25200 mov edx, 0052B254 ;appname
0052ABF9|.8B83 08040000 mov eax, dword ptr
0052ABFF|.E8 CC27F7FF call 0049D3D0
0052AC04|.8D55 C8 lea edx, dword ptr
0052AC07|.8D45 D8 lea eax, dword ptr
0052AC0A|.E8 ED9CEEFF call 004148FC
0052AC0F|.8B55 D8 mov edx, dword ptr
0052AC12|.8BC3 mov eax, ebx
0052AC14|.E8 03A1F3FF call 00464D1C
0052AC19|.8D55 C4 lea edx, dword ptr
0052AC1C|.8BC3 mov eax, ebx
0052AC1E|.E8 C9A0F3FF call 00464CEC
0052AC23|.8B55 C4 mov edx, dword ptr
0052AC26|.A1 A8535300 mov eax, dword ptr
0052AC2B|.8B00 mov eax, dword ptr
0052AC2D|.E8 5A2DF3FF call 0045D98C
0052AC32|>8B83 08040000 mov eax, dword ptr
0052AC38|.E8 5B3CF7FF call 0049E898
0052AC3D|.84C0 test al, al
0052AC3F|.0F85 9A040000 jnz 0052B0DF
0052AC45|.80BB D8070000>cmp byte ptr , 0
0052AC4C|.75 0B jnz short 0052AC59
0052AC4E|.8B83 AC030000 mov eax, dword ptr
0052AC54|.8B10 mov edx, dword ptr
0052AC56|.FF52 44 call dword ptr
0052AC59|>8D45 C0 lea eax, dword ptr
0052AC5C|.E8 6BF9FFFF call 0052A5CC
0052AC61|.8B45 C0 mov eax, dword ptr
0052AC64|.E8 ABFCFFFF call 0052A914 //关键CALL F7进去
0052AC69|.8883 D8070000 mov byte ptr , al //al要是1
0052AC6F|.80BB D8070000>cmp byte ptr , 0 //ebx+7D8=0则不跳
0052AC76|.75 5C jnz short 0052ACD4 //关键跳
0052AC78|.6A 20 push 20 ; /Style = MB_OK|MB_ICONQUESTION|MB_APPLMODAL
0052AC7A|.68 5CB25200 push 0052B25C ; |系统提示
0052AC7F|.68 68B25200 push 0052B268 ; |没有注册!
0052AC84|.A1 A8535300 mov eax, dword ptr ; |
0052AC89|.8B00 mov eax, dword ptr ; |
0052AC8B|.8B40 30 mov eax, dword ptr ; |
0052AC8E|.50 push eax ; |hOwner
0052AC8F|.E8 C4CDEDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0052AC94|.8D55 BC lea edx, dword ptr
0052AC97|.8BC3 mov eax, ebx
0052AC99|.E8 4EA0F3FF call 00464CEC
0052AC9E|.8D45 BC lea eax, dword ptr
0052ACA1|.BA 7CB25200 mov edx, 0052B27C ; (未注册!)
0052ACA6|.E8 0D9EEDFF call 00404AB8
0052ACAB|.8B55 BC mov edx, dword ptr
0052ACAE|.8BC3 mov eax, ebx
0052ACB0|.E8 67A0F3FF call 00464D1C
0052ACB5|.6A 01 push 1
0052ACB7|.6A 00 push 0
0052ACB9|.6A 00 push 0
0052ACBB|.68 88B25200 push 0052B288 ;http://www.softong.com/webclick/luck.htm
0052ACC0|.68 B4B25200 push 0052B2B4 ;open
0052ACC5|.8BC3 mov eax, ebx
0052ACC7|.E8 200AF4FF call 0046B6EC
0052ACCC|.50 push eax ; |hWnd
0052ACCD|.E8 32A1F0FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
0052ACD2|.EB 1D jmp short 0052ACF1
0052ACD4|>BA C4B25200 mov edx, 0052B2C4 ;正式版
0052ACD9|.8B83 AC030000 mov eax, dword ptr
0052ACDF|.E8 9C93F4FF call 00474080
0052ACE4|.33D2 xor edx, edx
0052ACE6|.8B83 AC030000 mov eax, dword ptr
F7进来
0052A914 $55 push ebp
0052A915 .8BEC mov ebp, esp
0052A917 .B9 05000000 mov ecx, 5
0052A91C >6A 00 push 0
0052A91E .6A 00 push 0
0052A920 .49 dec ecx
0052A921 .^ 75 F9 jnz short 0052A91C
0052A923 .51 push ecx
0052A924 .53 push ebx
0052A925 .56 push esi
0052A926 .57 push edi
0052A927 .8945 FC mov dword ptr , eax
0052A92A .8B45 FC mov eax, dword ptr
0052A92D .E8 6EA3EDFF call 00404CA0
0052A932 .33C0 xor eax, eax
0052A934 .55 push ebp
0052A935 .68 95AA5200 push 0052AA95
0052A93A .64:FF30 push dword ptr fs:
0052A93D .64:8920 mov dword ptr fs:, esp
0052A940 .C645 FB 00 mov byte ptr , 0
0052A944 .33C0 xor eax, eax
0052A946 .55 push ebp
0052A947 .68 5DAA5200 push 0052AA5D
0052A94C .64:FF30 push dword ptr fs:
0052A94F .64:8920 mov dword ptr fs:, esp
0052A952 .8D4D E8 lea ecx, dword ptr
0052A955 .BA 04000000 mov edx, 4
0052A95A .8B45 FC mov eax, dword ptr
0052A95D .E8 5A05F1FF call 0043AEBC
0052A962 .8B45 E8 mov eax, dword ptr
0052A965 .50 push eax
0052A966 .8D45 E0 lea eax, dword ptr
0052A969 .50 push eax
0052A96A .8B45 FC mov eax, dword ptr
0052A96D .E8 3EA1EDFF call 00404AB0
0052A972 .8BC8 mov ecx, eax
0052A974 .83E9 04 sub ecx, 4
0052A977 .BA 01000000 mov edx, 1
0052A97C .8B45 FC mov eax, dword ptr
0052A97F .E8 8CA3EDFF call 00404D10
0052A984 .8B45 E0 mov eax, dword ptr
0052A987 .8D55 E4 lea edx, dword ptr
0052A98A .E8 C5C4FEFF call 00516E54
0052A98F .8B45 E4 mov eax, dword ptr
0052A992 .5A pop edx
0052A993 .E8 ECE6EDFF call 00409084
0052A998 .85C0 test eax, eax
0052A99A 74 0D je short 0052A9A9 //改成跳
0052A99C .33C0 xor eax, eax
0052A99E .5A pop edx
0052A99F .59 pop ecx
0052A9A0 .59 pop ecx
0052A9A1 .64:8910 mov dword ptr fs:, edx
0052A9A4 .E9 C9000000 jmp 0052AA72
0052A9A9 >8D45 FC lea eax, dword ptr
0052A9AC .50 push eax
0052A9AD .8B45 FC mov eax, dword ptr
0052A9B0 .E8 FBA0EDFF call 00404AB0
0052A9B5 .8BC8 mov ecx, eax
0052A9B7 .83E9 04 sub ecx, 4
0052A9BA .BA 01000000 mov edx, 1
0052A9BF .8B45 FC mov eax, dword ptr
0052A9C2 .E8 49A3EDFF call 00404D10
0052A9C7 .8D45 FC lea eax, dword ptr
0052A9CA .33D2 xor edx, edx
0052A9CC .E8 43CAFEFF call 00517414
0052A9D1 .8D45 FC lea eax, dword ptr
0052A9D4 .33D2 xor edx, edx
0052A9D6 .E8 DDC5FEFF call 00516FB8
0052A9DB .8D55 EC lea edx, dword ptr
0052A9DE .8B45 FC mov eax, dword ptr
0052A9E1 .E8 FECEFEFF call 005178E4
0052A9E6 .84C0 test al, al
0052A9E8 .75 0A jnz short 0052A9F4
0052A9EA .33C0 xor eax, eax
0052A9EC .5A pop edx
0052A9ED .59 pop ecx
0052A9EE .59 pop ecx
0052A9EF .64:8910 mov dword ptr fs:, edx
0052A9F2 .EB 7E jmp short 0052AA72
0052A9F4 >8D4D F0 lea ecx, dword ptr
0052A9F7 .8D55 F4 lea edx, dword ptr
0052A9FA .8B45 EC mov eax, dword ptr
0052A9FD .E8 46D2FEFF call 00517C48
0052AA02 .84C0 test al, al
0052AA04 75 0A jnz short 0052AA10 //改成跳
0052AA06 .33C0 xor eax, eax
0052AA08 .5A pop edx
0052AA09 .59 pop ecx
0052AA0A .59 pop ecx
0052AA0B .64:8910 mov dword ptr fs:, edx
0052AA0E .EB 62 jmp short 0052AA72
0052AA10 >8D4D DC lea ecx, dword ptr
0052AA13 .BA 0B000000 mov edx, 0B
0052AA18 .8B45 F0 mov eax, dword ptr
0052AA1B .E8 FCC1FEFF call 00516C1C
0052AA20 .8B45 DC mov eax, dword ptr
0052AA23 .50 push eax
0052AA24 .8D45 D4 lea eax, dword ptr
0052AA27 .E8 90C3FEFF call 00516DBC
0052AA2C .8B45 D4 mov eax, dword ptr
0052AA2F .8D4D D8 lea ecx, dword ptr
0052AA32 .BA 12000000 mov edx, 12
0052AA37 .E8 E0C1FEFF call 00516C1C
0052AA3C .8B45 D8 mov eax, dword ptr
0052AA3F .5A pop edx
0052AA40 .E8 3FE6EDFF call 00409084
0052AA45 .85C0 test eax, eax
0052AA47 74 0A je short 0052AA53 //改成跳
0052AA49 .33C0 xor eax, eax
0052AA4B .5A pop edx
0052AA4C .59 pop ecx
0052AA4D .59 pop ecx
0052AA4E .64:8910 mov dword ptr fs:, edx
0052AA51 .EB 1F jmp short 0052AA72
0052AA53 >33C0 xor eax, eax
0052AA55 .5A pop edx
0052AA56 .59 pop ecx
0052AA57 .59 pop ecx
0052AA58 .64:8910 mov dword ptr fs:, edx
0052AA5B .EB 11 jmp short 0052AA6E
0052AA5D .^ E9 5A93EDFF jmp 00403DBC
0052AA62 .E8 8197EDFF call 004041E8
0052AA67 .EB 09 jmp short 0052AA72
0052AA69 .E8 7A97EDFF call 004041E8
0052AA6E >C645 FB 01 mov byte ptr , 1 //1给了ebp-5 (标志位爆破)
0052AA72 >33C0 xor eax, eax
0052AA74 .5A pop edx
0052AA75 .59 pop ecx
0052AA76 .59 pop ecx
0052AA77 .64:8910 mov dword ptr fs:, edx
0052AA7A .68 9CAA5200 push 0052AA9C
0052AA7F >8D45 D4 lea eax, dword ptr
0052AA82 .BA 09000000 mov edx, 9
0052AA87 .E8 889DEDFF call 00404814
0052AA8C .8D45 FC lea eax, dword ptr
0052AA8F .E8 5C9DEDFF call 004047F0
0052AA94 .C3 retn
0052AA95 .^ E9 D695EDFF jmp 00404070
0052AA9A .^ EB E3 jmp short 0052AA7F
0052AA9C .8A45 FB mov al, byte ptr //ebp-5又给了al
0052AA9F .5F pop edi
0052AAA0 .5E pop esi
0052AAA1 .5B pop ebx
0052AAA2 .8BE5 mov esp, ebp
0052AAA4 .5D pop ebp
0052AAA5 .C3 retn
0052AC69|.8883 D8070000 mov byte ptr , al //al=1给了ebx+7D8
0052AC6F|.80BB D8070000>cmp byte ptr , 0 //1和0比较
0052AC76|.75 5C jnz short 0052ACD4 //跳过未注册
0052AC78|.6A 20 push 20 ; /Style = MB_OK|MB_ICONQUESTION|MB_APPLMODAL
0052AC7A|.68 5CB25200 push 0052B25C ; |系统提示
0052AC7F|.68 68B25200 push 0052B268 ; |没有注册!
0052AC84|.A1 A8535300 mov eax, dword ptr ; |
0052AC89|.8B00 mov eax, dword ptr ; |
0052AC8B|.8B40 30 mov eax, dword ptr ; |
0052AC8E|.50 push eax ; |hOwner
0052AC8F|.E8 C4CDEDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0052AC94|.8D55 BC lea edx, dword ptr
0052AC97|.8BC3 mov eax, ebx
0052AC99|.E8 4EA0F3FF call 00464CEC
0052AC9E|.8D45 BC lea eax, dword ptr
0052ACA1|.BA 7CB25200 mov edx, 0052B27C ; (未注册!)
爆破成功
[ 本帖最后由 chfggg 于 2008-5-21 22:57 编辑 ] 不错哦 KeyFile验证的? CreateFileA
标志位爆破 /:good 老大~CreateFileA应该是去校验的
然后标志位爆破~~这个软件不错~! 不错。
/:017 学习了，谢谢楼主啊 这儿是程序自校验的地方(EBX为脱壳后文件的大小):
00527D5C|.8B45 FC MOV EAX,DWORD PTR SS:
00527D5F|.E8 28FDFFFF CALL 131B78.00527A8C
00527D64 81FB 00730800 CMP EBX,87300
00527D6A 74 08 JE SHORT 131B78.00527D74
00527D6C 81FB 00670800 CMP EBX,86700
00527D72 75 0E JNZ SHORT 131B78.00527D82
00527D74 3D 00730800 CMP EAX,87300
00527D79 74 13 JE SHORT 131B78.00527D8E
00527D7B 3D 00670800 CMP EAX,86700
00527D80 74 0C JE SHORT 131B78.00527D8E
00527D82|>A1 A8535300 MOV EAX,DWORD PTR DS:
00527D87|.8B00 MOV EAX,DWORD PTR DS:
00527D89|.E8 8A61F3FF CALL 131B78.0045DF18
00527D8E|>33C0 XOR EAX,EAX
并将00403248 83F8 01 CMP EAX,-1改为CMP EDI,-1
[ 本帖最后由 chadd 于 2008-5-25 22:12 编辑 ] 不错,收藏了.... 学习中............ 不错..............