Registry-type crack (flag patch)
GetVBRes 0.51, a resource viewer tool for VB programs
I was really bored, so I grabbed it to try.
Download address: http://hackbase.com/soft/down.php?downid=10987&id=0
--------------------------------------------------------------
Process: this software gives no prompt when you click Register (that immediately perked me up). First I looked for the button event, but found I couldn't trace my way to the key spot.
Searched the strings and found the registration info is stored at: software\restools\getvbres
Setting a breakpoint on RegOpenKeyExA didn't break anywhere useful either.
So I tried RegQueryValueExA instead, then F9 to run.
The stack showed:
0012FC34 004651D3/CALL 到 RegQueryValueExA 来自 GetVBRes.004651CE
0012FC38 00000070|hKey = 70
0012FC3C 0049AFA8|ValueName = "regcode"
0012FC40 00000000|Reserved = NULL
0012FC44 0012FC50|pValueType = 0012FC50
0012FC48 00000000|Buffer = NULL
0012FC4C 0012FC6C\pBufSize = 0012FC6C
Alt+F9 to return to the program's own code.
F8 to single-step down to:
0049AE6D|.84C0 test al, al
0049AE6F|.74 10 je short 0049AE81
0049AE71|.8D4D F0 lea ecx, dword ptr
0049AE74|.BA A8AF4900 mov edx, 0049AFA8 ;regcode
0049AE79|.8B45 F8 mov eax, dword ptr
0049AE7C|.E8 BFA3FCFF call 00465240
0049AE81|>8B45 F0 mov eax, dword ptr
0049AE84|.E8 3B8FF6FF call 00403DC4
0049AE89|.83F8 28 cmp eax, 28
0049AE8C 0F85 91000000 jnz 0049AF23 // must not jump: NOP it out
0049AE92|.8B45 F4 mov eax, dword ptr
0049AE95|.E8 2A8FF6FF call 00403DC4
0049AE9A|.85C0 test eax, eax
0049AE9C|.0F8E 81000000 jle 0049AF23
0049AEA2|.68 368C0000 push 8C36
0049AEA7|.8D45 EC lea eax, dword ptr
0049AEAA|.50 push eax
0049AEAB|.B9 85310000 mov ecx, 3185
0049AEB0|.BA D8030000 mov edx, 3D8
0049AEB5|.8B45 F4 mov eax, dword ptr
0049AEB8|.E8 47FBFFFF call 0049AA04
0049AEBD|.8B55 EC mov edx, dword ptr
0049AEC0|.8D45 F4 lea eax, dword ptr
0049AEC3|.E8 148DF6FF call 00403BDC
0049AEC8|.8D55 E8 lea edx, dword ptr
0049AECB|.8B45 F4 mov eax, dword ptr
0049AECE|.E8 C1F9FFFF call 0049A894
0049AED3|.8B45 E8 mov eax, dword ptr
0049AED6|.8B55 F0 mov edx, dword ptr
0049AED9|.E8 F68FF6FF call 00403ED4
0049AEDE|.75 0C jnz short 0049AEEC
0049AEE0|.A1 F0CA4A00 mov eax, dword ptr
0049AEE5|.8B00 mov eax, dword ptr
0049AEE7|.E8 5CFEFAFF call 0044AD48
0049AEEC|>68 368C0000 push 8C36
0049AEF1|.8D45 E4 lea eax, dword ptr
0049AEF4|.50 push eax
0049AEF5|.B9 85310000 mov ecx, 3185
0049AEFA|.BA D8030000 mov edx, 3D8
0049AEFF|.8B45 F0 mov eax, dword ptr
0049AF02|.E8 EDF8FFFF call 0049A7F4
0049AF07|.8B55 E4 mov edx, dword ptr
0049AF0A|.8D45 F0 lea eax, dword ptr
0049AF0D|.E8 CA8CF6FF call 00403BDC
0049AF12|.8B45 F4 mov eax, dword ptr
0049AF15|.8B55 F0 mov edx, dword ptr
0049AF18|.E8 B78FF6FF call 00403ED4
0049AF1D 75 04 jnz short 0049AF23 // must not jump: NOP it out
0049AF1F|.C645 FF 01 mov byte ptr , 1 // here 1 is stored (the flag patch)
0049AF23|>33C0 xor eax, eax
0049AF25|.5A pop edx
0049AF26|.59 pop ecx
0049AF27|.59 pop ecx
0049AF28|.64:8910 mov dword ptr fs:, edx
0049AF2B|.68 40AF4900 push 0049AF40
0049AF30|>8B45 F8 mov eax, dword ptr
0049AF33|.E8 C07EF6FF call 00402DF8
0049AF38\.C3 retn
0049AF39 .^ E9 1A86F6FF jmp 00403558
0049AF3E .^ EB F0 jmp short 0049AF30
0049AF40 .33C0 xor eax, eax
0049AF42 .5A pop edx
0049AF43 .59 pop ecx
0049AF44 .59 pop ecx
0049AF45 .64:8910 mov dword ptr fs:, edx
0049AF48 .68 62AF4900 push 0049AF62
0049AF4D >8D45 E4 lea eax, dword ptr
0049AF50 .BA 05000000 mov edx, 5
0049AF55 .E8 0E8CF6FF call 00403B68
0049AF5A .C3 retn
0049AF5B .^ E9 F885F6FF jmp 00403558
0049AF60 .^ EB EB jmp short 0049AF4D
0049AF62 .8A45 FF mov al, byte ptr // the 1 is loaded into al
0049AF65 .8BE5 mov esp, ebp
0049AF67 .5D pop ebp
0049AF68 .C3 retn
Crack successful.
I'm a beginner, so please don't laugh at the parts that are badly written! I'm not sure whether this counts as a flag patch~!
Not bad, still learning...........