VB P-CODE完整逆向分析 之 QQ挂太阳专家1.0
【目 标】:QQ挂太阳专家 V1.0【工 具】:PEiD0.94、VBExplorer1.1
【任 务】:VB P-CODE逆向分析
【操作平台】:Win2003.SE.sp1
【作 者】:KuNgBiM{BCG}{DFCG}{DCM}{DCT}{SLT}
【相关链接】:N/A
【简要说明】:QQ升级已经是我们使用QQ很重要的部分,只要你事先输入QQ号码和密码,然后点升级,就可以模拟QQ登录了,它最主要的特点 是可以同时在一台机器上使用成千上万个QQ号升级! 每天点一次,万个QQ升级好轻松 (为了保护你的QQ密码,请不要在网吧使用该软件)
【作者声明】:很久没有写什么文章了,手也生疏了,今天从网上抓了个小软件拿来练练手,哪知....
【详细过程】:首先我们一定要查壳,作为一名初学破解的朋友来说,这点非常重要。如果软件程序是加的一个猛壳的话,就要提前作好“知难而退”的打算了...废话不多说...开始我们今天所要做的VB程序的P-CODE轻松之旅~~
还好,作者可能也是个初学者~~呵呵,没有对软件程序做任何保护措施,Microsoft Visual Basic 5.0 / 6.0的程序,起初用Ollydbg加载下,随便设置了几个断点(?????)纳闷了一下...怎么什么API都没有啊?难道是P-CODE的编译方式?
换一个调试器试试(也不完全叫做调试器,只能算是VB资源修改器吧),这下“VBExplorer”登台演出...
随便捣鼓了一番~~看来该程序确实为P-CODE编译方式所编译~
装载完毕后,双击左侧的“frmLogin”窗体,查看该窗体中全部的调用指令:
:0040592B050000 ImpAdLdRf ;Push ptr
:0040592E240100 NewIfNullPr ;
:004059310D10000200 VCallHresult ;Call ptr_004043BC
:004059361A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:0040593913 ExitProcHresult ;
:0040593AFF Unknown ;
:0040593BFF Unknown ;
//双击来到这里,装载程序的窗体
:004059CC0478FF FLdRfVar ;Push LOCAL_0088
***********Reference To:sub_00405E30
|
:004059CF1004070800 ThisVCallHresult ;Call ptr_00402AAF
:004059D46C78FF ILdRf ;Push DWORD
:004059D7FBFE CStrI4 ;vbaStrI4
:004059D92374FF FStStrNoPop ;SysFreeString ; =
:004059DC21 FLdPrThis ;=
:004059DD0FFC02 VCallAd ;Return the control index 01
:004059E01970FF FStAdFunc ;
:004059E30870FF FLdPr ;=
***********Reference To:TextBox.Text //赋值给一个文本框
|
:004059E60DA4000300 VCallHresult ;Call ptr_00404550
:004059EB2F74FF FFree1Str ;SysFreeString ; =0
:004059EE1A70FF FFree1Ad ;Push ; Call [[]+8]; []=0
:004059F113 ExitProcHresult ;
//声明变量
:00405DBCF500010000 LitI4 ;Push 00000100
:00405DC16C6CFF ILdRf ;Push DWORD
:00405DC40454FF FLdRfVar ;Push LOCAL_00AC
:00405DC734 CStr2Ansi ;vbaStrToAnsi
:00405DC86C54FF ILdRf ;Push DWORD
:00405DCB0464FF FLdRfVar ;Push LOCAL_009C
:00405DCE0468FF FLdRfVar ;Push LOCAL_0098
:00405DD10474FF FLdRfVar ;Push LOCAL_008C
:00405DD4F500010000 LitI4 ;Push 00000100
:00405DD96C70FF ILdRf ;Push DWORD
:00405DDC045CFF FLdRfVar ;Push LOCAL_00A4
:00405DDF34 CStr2Ansi ;vbaStrToAnsi
:00405DE06C5CFF ILdRf ;Push DWORD
******Possible String Ref To->"c:\" //定位系统C盘的识别符
|
:00405DE31B1000 LitStr ;Push ptr_004045E0
:00405DE60460FF FLdRfVar ;Push LOCAL_00A0
:00405DE934 CStr2Ansi ;vbaStrToAnsi
:00405DEA6C60FF ILdRf ;Push DWORD
***********Reference To:kernel32.GetVolumeInformationA //获取与一个磁盘卷有关的信息
|
:00405DED0A11002000 ImpAdCallFPR4 ;Call ptr_0040415C; check stack 0020; Push EAX
:00405DF23C SetLastSystemError ;Kernel GetLastError
:00405DF36C5CFF ILdRf ;Push DWORD
:00405DF60458FF FLdRfVar ;Push LOCAL_00A8
:00405DF9FC58 CStr2Uni ;vbaStrToUnicode
:00405DFB6C58FF ILdRf ;Push DWORD
:00405DFE6C70FF ILdRf ;Push DWORD
:00405E01470000 StFixedStr ;vbaLsetFixstr
:00405E046C54FF ILdRf ;Push DWORD
:00405E070450FF FLdRfVar ;Push LOCAL_00B0
:00405E0AFC58 CStr2Uni ;vbaStrToUnicode
:00405E0C6C50FF ILdRf ;Push DWORD
:00405E0F6C6CFF ILdRf ;Push DWORD
:00405E12470000 StFixedStr ;vbaLsetFixstr
:00405E15320A0060FF5CFF58 FFreeStr ;Do SysFreeString ; =0 000A/2 times ~ arg
:00405E226C74FF ILdRf ;Push DWORD
:00405E257178FF FStR4 ;Pop DWORD
:00405E28FF2F0C000400 ExitProcCbHresult ;
:00405E2EFF Unknown ;
:00405E2FFF Unknown ;
////////////////////////////////////////////////////////////////////////////////////////
'获取与一个磁盘卷有关的信息的标准模块:
Public Declare Function GetVolumeInformation Lib "kernel32" _
Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, _
ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, _
lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, _
lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, _
ByVal nFileSystemNameSize As Long) As Long
'窗体启动时取机器码:
Private Sub Form_Load()
Dim Driver, VolName, Fsys As String
Dim volNumber, MCM, FSF As Long
Dim res As Long
Driver = "c:\"
res = GetVolumeInformation(Driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)
txtUserName = volNumber
End Sub
////////////////////////////////////////////////////////////////////////////////////////
//“确定”按钮
:00405E880474FF FLdRfVar ;Push LOCAL_008C
:00405E8B21 FLdPrThis ;=
:00405E8C0F0803 VCallAd ;Return the control index 04
:00405E8F1978FF FStAdFunc ;
:00405E920878FF FLdPr ;=
***********Reference To:TextBox.Text //赋值给另一个文本框
|
:00405E950DA0000300 VCallHresult ;Call ptr_00404550
:00405E9A6C74FF ILdRf ;Push DWORD
******Possible String Ref To->"hge5768ghdg" //取一个固定的字符串??难道这个是注册码?
|
:00405E9D1B0400 LitStr ;Push ptr_00404564
:00405EA0FB30 EqStr ;
:00405EA22F74FF FFree1Str ;SysFreeString ; =0
:00405EA51A78FF FFree1Ad ;Push ; Call [[]+8]; []=0
:00405EA81C8600 BranchF ;If Pop=0 then ESI=00405F0E
******Possible String Ref To->"llw_start" //取另一个固定的字符串
|
:00405EAB1B0500 LitStr ;Push ptr_00404598
:00405EAE436CFF FStStrCopy ;=SysAllocStringByteLen(Pop, ); SysFreeString Pop
:00405EB1046CFF FLdRfVar ;Push LOCAL_0094
******Possible String Ref To->"Run" //取另一个固定的字符串
|
:00405EB41B0600 LitStr ;Push ptr_0040458C
:00405EB74370FF FStStrCopy ;=SysAllocStringByteLen(Pop, ); SysFreeString Pop
:00405EBA0470FF FLdRfVar ;Push LOCAL_0090
******Possible String Ref To->"reg" //取另一个固定的字符串
|
:00405EBD1B0700 LitStr ;Push ptr_00404580
:00405EC04374FF FStStrCopy ;=SysAllocStringByteLen(Pop, ); SysFreeString Pop
:00405EC30474FF FLdRfVar ;Push LOCAL_008C
***********Reference To:sub_00405C04 //返回一个变量值提供给对话框
|
:00405EC61008070800 ThisVCallHresult ;Call ptr_00402AC3
:00405ECB32060074FF70FF6C FFreeStr ;Do SysFreeString ; =0 0006/2 times ~ arg
:00405ED427ECFE LitVar ;PushVar LOCAL_0114
:00405ED7270CFF LitVar ;PushVar LOCAL_00F4
:00405EDA272CFF LitVar ;PushVar LOCAL_00D4
:00405EDDF500000000 LitI4 ;Push 00000000
******Possible String Ref To->"????
" //这里应该是“注册码错误”
|
:00405EE23A5CFF0900 LitVarStr ;PushVarString ptr_004045B0
:00405EE74E4CFF FStVarCopyObj ;=vbaVarDup(Pop)
:00405EEA044CFF FLdRfVar ;Push LOCAL_00B4
**********Reference To->msvbvm60.rtcMsgBox //调用VB中的对话框函数
|
:00405EED0A0A001400 ImpAdCallFPR4 ;Call ptr_00401066; check stack 0014; Push EAX
:00405EF23608004CFF2CFF0C FFreeVar ;Free 0008/2 variants
******Possible String Ref To->"QQ??膙" //这里应该是“QQ挂太阳专家”
|
:00405EFD1B0B00 LitStr ;Push ptr_004045C0
:00405F00050C00 ImpAdLdRf ;Push ptr
:00405F03240D00 NewIfNullPr ;
:00405F060D54000E00 VCallHresult ;Call ptr_00403BD8
:00405F0B1EAF00 Branch ;ESI=00405F37
:00405F0E27ECFE LitVar ;PushVar LOCAL_0114
:00405F11270CFF LitVar ;PushVar LOCAL_00F4
:00405F14272CFF LitVar ;PushVar LOCAL_00D4
:00405F17F500000000 LitI4 ;Push 00000000
******Possible String Ref To->"?????" //这里应该是“注册成功”
|
:00405F1C3A5CFF0F00 LitVarStr ;PushVarString ptr_004045D0
:00405F214E4CFF FStVarCopyObj ;=vbaVarDup(Pop)
:00405F24044CFF FLdRfVar ;Push LOCAL_00B4
**********Reference To->msvbvm60.rtcMsgBox //调用VB中的对话框函数
|
:00405F270A0A001400 ImpAdCallFPR4 ;Call ptr_00401066; check stack 0014; Push EAX
:00405F2C3608004CFF2CFF0C FFreeVar ;Free 0008/2 variants
:00405F3713 ExitProcHresult ;
//声明变量
:00405B900478FF FLdRfVar ;Push LOCAL_0088
******Possible String Ref To->"Software\112334\" //定位注册表中的位置
|
:00405B931B1200 LitStr ;Push ptr_004045EC
:00405B96801000 ILdI4 ;Push DWORD
:00405B992A ConcatStr ;vbaStrCat
:00405B9A2374FF FStStrNoPop ;SysFreeString ; =
:00405B9D0470FF FLdRfVar ;Push LOCAL_0090
:00405BA034 CStr2Ansi ;vbaStrToAnsi
:00405BA16C70FF ILdRf ;Push DWORD
:00405BA4F502000080 LitI4 ;Push 80000002
***********Reference To:advapi32.dll.RegCreateKeyA //在指定的项下创建一个新项。
|
:00405BA90A13000C00 ImpAdCallFPR4 ;Call ptr_004041B8; check stack 000C; Push EAX
:00405BAE3C SetLastSystemError ;Kernel GetLastError
:00405BAF32040074FF70FF FFreeStr ;Do SysFreeString ; =0 0004/2 times ~ arg
:00405BB6800C00 ILdI4 ;Push DWORD
:00405BB94A FnLenStr ;vbaLenBstr
:00405BBA800C00 ILdI4 ;Push DWORD
:00405BBD0470FF FLdRfVar ;Push LOCAL_0090
:00405BC034 CStr2Ansi ;vbaStrToAnsi
:00405BC16C70FF ILdRf ;Push DWORD
:00405BC4F501000000 LitI4 ;Push 00000001
:00405BC9F500000000 LitI4 ;Push 00000000
:00405BCE801400 ILdI4 ;Push DWORD
:00405BD10474FF FLdRfVar ;Push LOCAL_008C
:00405BD434 CStr2Ansi ;vbaStrToAnsi
:00405BD56C74FF ILdRf ;Push DWORD
:00405BD86C78FF ILdRf ;Push DWORD
***********Reference To:advapi32.dll.RegSetValueExA //设置指定项的值
|
:00405BDB0A14001800 ImpAdCallFPR4 ;Call ptr_00404234; check stack 0018; Push EAX
:00405BE03C SetLastSystemError ;Kernel GetLastError
:00405BE16C74FF ILdRf ;Push DWORD
:00405BE46C1400 ILdRf ;Push DWORD
:00405BE7FC58 CStr2Uni ;vbaStrToUnicode
:00405BE96C70FF ILdRf ;Push DWORD
:00405BEC6C0C00 ILdRf ;Push DWORD
:00405BEFFC58 CStr2Uni ;vbaStrToUnicode
:00405BF132040074FF70FF FFreeStr ;Do SysFreeString ; =0 0004/2 times ~ arg
:00405BF86C78FF ILdRf ;Push DWORD
***********Reference To:advapi32.dll.RegCloseKey //关闭系统注册表中的一个项(或键)
|
:00405BFB0A15000400 ImpAdCallFPR4 ;Call ptr_004041EC; check stack 0004; Push EAX
:00405C003C SetLastSystemError ;Kernel GetLastError
:00405C0113 ExitProcHresult ;
:00405C02FF Unknown ;
:00405C03FF Unknown ;
////////////////////////////////////////////////////////////////////////////////////////
'注册表写入部分:
Public Const HKEY_LOCAL_MACHINE = &H80000002
Public Const REG_SZ = 1
'在指定的项下创建一个新项的标准模块:
Declare Function RegCreateKey Lib "advapi32.dll" _
Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, _
phkResult As Long) As Long
'关闭系统注册表中的一个项(或键)的标准模块:
Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
'设置指定项的值的标准模块:
Declare Function RegSetValueEx Lib "advapi32.dll" _
Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, _
ByVal Reserved As Long, ByVal dwType As Long, _
lpData As Any, ByVal cbData As Long) As Long
'注册码判断:
Private Sub cmdOK_Click()
Dim hKey, ret As Long
If txtPassword <> "hge5768ghdg" Then
MsgBox "注册码错误"
Else
RegCreateKey HKEY_LOCAL_MACHINE, "Software\112334\Run", hKey
RegSetValueEx hKey, "llw_start", 0, REG_SZ, ByVal "reg", 13
MsgBox "注册成功"
RegCloseKey hKey
End If
End Sub
////////////////////////////////////////////////////////////////////////////////////////
根据以上的分析,我们就能完完全全的模拟出来该软件的注册程序了。
--------------------------------------------------------------------------------
Cracked By KuNgBiM{BCG}{DFCG}{DCM}{DCT}{SLT}
2006-05-26
22:00:00 PM 老k换了马甲,呵呵 好文学习了,支持老K```呵 学习K兄的 厉害 学习一下~ 学习了~~ 原帖由 hyd009 于 2006-5-27 14:21 发表
老k换了马甲,呵呵
没换~只是小写而已~~
支持老K~` 学习,支持。。。。。。。。。 注册码是固定的。 收藏了。。。。。谢谢。
页:
[1]
2