Nisy
Posted on 2014-11-28 10:02:50
0040396B FF15 8C464100 CALL NEAR DWORD PTR DS:[<&MSVCRT._mbscmp>] ;MSVCRT._mbscmp
00403971|.83C4 14 ADD ESP, 14
// patched to
0040396B /E9 10F70000 JMP Excel汇?00413080
00403970 |90 NOP
Patch data:
00413080 /EB 17 JMP SHORT Excel汇?00413099
00413082 |6D INSD
00413083 |73 76 JNB SHORT Excel汇?004130FB
00413085 |6372 74 ARPL WORD PTR DS:[EDX+74], SI
00413088 |2E: PREFIX CS:
00413089 |64:6C INSB
0041308B |6C INSB
0041308C |0073 74 ADD BYTE PTR DS:[EBX+74], DH
0041308F |72 63 JB SHORT Excel汇?004130F4
00413091 |70 79 JO SHORT Excel汇?0041310C
00413093 |0090 90909090 ADD BYTE PTR DS:[EAX+90909090], DL
00413099 \68 82304100 PUSH Excel汇?00413082 ;ASCII "msvcrt.dll"
0041309E E8 FC183F76 CALL kernel32.LoadLibraryA
004130A3 68 8D304100 PUSH Excel汇?0041308D ;ASCII "strcpy"
004130A8 50 PUSH EAX ;kernel32.BaseThreadInitThunk
004130A9 E8 67ED6975 CALL KERNELBA.GetProcAddress
004130AE FFD0 CALL NEAR EAX ;kernel32.BaseThreadInitThunk
004130B0 33C0 XOR EAX, EAX ;kernel32.BaseThreadInitThunk
004130B2 ^ E9 BA08FFFF JMP Excel汇?00403971 // original address
MORE: https://www.chinapyg.com/thread-51664-1-1.html
Nisy
Posted on 2014-11-28 10:29:33
Method II: shellcode that does not use fixed offsets ...
0040396B|.E8 10F70000 CALL Excel汇?00413080
00403970|.90 NOP
00413080/$ /EB 12 JMP SHORT Excel汇?00413094
00413082|. |6D 73 76 63 72 7>ASCII "msvcrt.dll",0
0041308D|. |73 74 72 63 70 7>ASCII "strcpy",0
00413094|> \60 PUSHAD
00413095|.E8 00000000 CALL Excel汇?0041309A
0041309A|$ 5B POP EBX ;Excel汇?0041309A
0041309B|.8D43 E8 LEA EAX, DWORD PTR DS:[EBX-18]
0041309E|.50 PUSH EAX ; /FileName = "W媩$?婰$W髁"
0041309F|.E8 FB183F76 CALL kernel32.LoadLibraryA ; \LoadLibraryA
004130A4|.8D4B F3 LEA ECX, DWORD PTR DS:[EBX-0D]
004130A7|.51 PUSH ECX ; /ProcNameOrOrdinal = "MZ?
004130A8|.50 PUSH EAX ; |hModule = 76948D6E
004130A9|.E8 67ED6975 CALL KERNELBA.GetProcAddress ; \GetProcAddress
004130AE FF7424 28 PUSH DWORD PTR SS:[ESP+28]
004130B2 FF7424 28 PUSH DWORD PTR SS:[ESP+28]
004130B6|.FFD0 CALL NEAR EAX ;MSVCRT.strcpy
004130B8|.61 POPAD
004130B9 83C4 08 ADD ESP, 8
004130BC 33C0 XOR EAX, EAX ;MSVCRT.strcpy
004130BE C3 RETN
EB 12 6D 73 76 63 72 74 2E 64 6C 6C 00 73 74 72 63 70 79 00 60 E8 00 00 00 00 5B 8D 43 E8 50 E8
FB 18 3F 76 8D 4B F3 51 50 E8 67 ED 69 75 FF 74 24 28 FF 74 24 28 FF D0 61 83 C4 08 33 C0 C3
Nisy
Posted on 2014-11-28 10:33:27
Download of the debug target installer
Link: http://pan.baidu.com/s/1mgA5H0G Password: u5m3
The reason for writing the code as a patch is that the import table has no strcpy function (if it did, we would just use it directly) ... so we have to find the function's address ourselves, which also makes it convenient across platforms ...
f1998
Posted on 2014-11-28 14:19:58
Awesome
f1998
Posted on 2014-11-28 19:37:21
Hahaha, good stuff
Nisy
Posted on 2014-12-3 09:45:09
Nisy posted on 2014-11-28 10:33
Download of the debug target installer
Link: http://pan.baidu.com/s/1mgA5H0G Password: u5m3
0040396A|.51 PUSH ECX ;MFC42.6C4456C8
0040396B|.E8 10F70000 CALL Excel汇?00413080
00403970|.90 NOP
00413080/$ /EB 12 JMP SHORT Excel汇?00413094
00413082|. |6D 73 76 63 72 74 2E>ASCII "msvcrt.dll",0
0041308D|. |73 74 72 63 70 79 00>ASCII "strcpy",0
00413094|> \60 PUSHAD
00413095|.E8 00000000 CALL Excel汇?0041309A
0041309A|$5B POP EBX ;Excel汇?00403970
0041309B|.8D43 E8 LEA EAX, DWORD PTR DS:[EBX-18]
0041309E|.50 PUSH EAX ; /pModule = "83EY4M3KN77BKG7F8M86"
0041309F|.FF15 70404100 CALL NEAR DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
004130A5|.8D4B F3 LEA ECX, DWORD PTR DS:[EBX-0D]
004130A8|.51 PUSH ECX ; /ProcNameOrOrdinal = ""
004130A9|.50 PUSH EAX ; |hModule = 02311D90
004130AA|.FF15 50404100 CALL NEAR DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
004130B0|.FF7424 28 PUSH DWORD PTR SS:[ESP+28]
004130B4|.FF7424 28 PUSH DWORD PTR SS:[ESP+28]
004130B8 FFD0 CALL NEAR EAX
004130BA|.61 POPAD
004130BB 83C4 08 ADD ESP, 8
004130BE 33C0 XOR EAX, EAX
004130C0 C3 RETN
A correction: implement it by calling directly through the program's own import table.
EB 12 6D 73 76 63 72 74 2E 64 6C 6C 00 73 74 72 63 70 79 00 60 E8 00 00 00 00 5B 8D 43 E8 50 FF
15 70 40 41 00 8D 4B F3 51 50 FF 15 50 40 41 00 FF 74 24 28 FF 74 24 28 FF D0 61 83 C4 08 33 C0
C3
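Added example (my own code, not from Nisy's posts): a small byte assembler that rebuilds the three listings above from their addresses. It emits the method-III cave byte for byte from the cave address and the two IAT slot addresses shown in the listing (00414070 for GetModuleHandleA, 00414050 for GetProcAddress), derives the `LEA EAX,[EBX-18]` / `LEA ECX,[EBX-0D]` displacements from the `CALL $+5` / `POP EBX` trick instead of hard-coding them, and computes the rel32 displacements of the method-I/II call-site patches (`E9 10F70000`, `E8 10F70000`) and of the jump back (`E9 BA08FFFF`). The reference byte array is copied from the posted hex dump. One caveat a reader should know before applying the stub: as posted, `POPAD` runs before `ADD ESP,8`, so `POPAD` consumes the two strcpy arguments and the stub returns with EBX/EBP/ESI/EDI loaded from the wrong slots; ESP still ends up correct, which is why `RETN` lands on 00403970 and the patch works as long as the caller does not rely on those registers. The `balanced_cleanup` flag (my addition) emits `ADD ESP,8` before `POPAD` so every register is restored.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Method-III cave bytes exactly as posted in the thread (65 bytes). */
static const uint8_t PAGE_CAVE[] = {
    0xEB,0x12,0x6D,0x73,0x76,0x63,0x72,0x74,0x2E,0x64,0x6C,0x6C,0x00,0x73,0x74,0x72,
    0x63,0x70,0x79,0x00,0x60,0xE8,0x00,0x00,0x00,0x00,0x5B,0x8D,0x43,0xE8,0x50,0xFF,
    0x15,0x70,0x40,0x41,0x00,0x8D,0x4B,0xF3,0x51,0x50,0xFF,0x15,0x50,0x40,0x41,0x00,
    0xFF,0x74,0x24,0x28,0xFF,0x74,0x24,0x28,0xFF,0xD0,0x61,0x83,0xC4,0x08,0x33,0xC0,
    0xC3 };

/* rel32 operand of a 5-byte E8 CALL / E9 JMP located at `at`. */
uint32_t rel32(uint32_t at, uint32_t target) { return target - (at + 5); }

/* Signed 8-bit displacement from `base` to `target`; -1 if it does not fit. */
int disp8(uint32_t base, uint32_t target, uint8_t *out)
{
    int32_t d = (int32_t)(target - base);
    if (d < -128 || d > 127) return -1;
    *out = (uint8_t)d;
    return 0;
}

static size_t emit(uint8_t *buf, size_t n, const void *src, size_t len)
{ memcpy(buf + n, src, len); return n + len; }

static size_t emit_u32(uint8_t *buf, size_t n, uint32_t v)
{
    uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    return emit(buf, n, b, 4);
}

/* Assemble the cave at `cave`. iat_gmh / iat_gpa are the program's own IAT slots
   for GetModuleHandleA and GetProcAddress (assumed from the listing: 0x414070, 0x414050). */
size_t build_cave(uint32_t cave, uint32_t iat_gmh, uint32_t iat_gpa,
                  int balanced_cleanup, uint8_t *out)
{
    static const char dll[] = "msvcrt.dll";                          /* 11 bytes with NUL */
    static const char fn[]  = "strcpy";                              /*  7 bytes with NUL */
    static const uint8_t pushad = 0x60, popad = 0x61;
    static const uint8_t push_esp28[] = { 0xFF, 0x74, 0x24, 0x28 };  /* PUSH [ESP+28]     */
    static const uint8_t add_esp8[]   = { 0x83, 0xC4, 0x08 };        /* ADD ESP,8         */
    static const uint8_t call_eax[]   = { 0xFF, 0xD0 };              /* CALL EAX          */
    static const uint8_t ret0[]       = { 0x33, 0xC0, 0xC3 };        /* XOR EAX,EAX; RETN */
    uint32_t str_dll = cave + 2, str_fn = str_dll + sizeof dll, code = str_fn + sizeof fn;
    uint8_t d;
    size_t n = 0;

    if (disp8(cave + 2, code, &d)) return 0;
    out[n++] = 0xEB; out[n++] = d;                   /* JMP SHORT over the two strings */
    n = emit(out, n, dll, sizeof dll);
    n = emit(out, n, fn, sizeof fn);
    n = emit(out, n, &pushad, 1);
    out[n++] = 0xE8; n = emit_u32(out, n, 0);        /* CALL $+5 pushes the next address ... */
    uint32_t ebx = cave + (uint32_t)n;               /* ... which POP EBX loads into EBX     */
    out[n++] = 0x5B;
    if (disp8(ebx, str_dll, &d)) return 0;
    out[n++] = 0x8D; out[n++] = 0x43; out[n++] = d;  /* LEA EAX,[EBX+d] -> "msvcrt.dll" */
    out[n++] = 0x50;                                 /* PUSH EAX */
    out[n++] = 0xFF; out[n++] = 0x15; n = emit_u32(out, n, iat_gmh); /* CALL [GetModuleHandleA] */
    if (disp8(ebx, str_fn, &d)) return 0;
    out[n++] = 0x8D; out[n++] = 0x4B; out[n++] = d;  /* LEA ECX,[EBX+d] -> "strcpy" */
    out[n++] = 0x51; out[n++] = 0x50;                /* PUSH ECX; PUSH EAX */
    out[n++] = 0xFF; out[n++] = 0x15; n = emit_u32(out, n, iat_gpa); /* CALL [GetProcAddress] */
    n = emit(out, n, push_esp28, 4);                 /* arg2 of the original _mbscmp call */
    n = emit(out, n, push_esp28, 4);                 /* arg1 (one push later, same offset) */
    n = emit(out, n, call_eax, 2);                   /* strcpy(arg1, arg2); cdecl leaves args */
    if (balanced_cleanup) { n = emit(out, n, add_esp8, 3); n = emit(out, n, &popad, 1); }
    else                  { n = emit(out, n, &popad, 1); n = emit(out, n, add_esp8, 3); } /* as posted */
    return emit(out, n, ret0, 3);                    /* return 0 = "codes match" */
}

/* Replace the 6-byte `FF15 xx xx xx xx` CALL [IAT] at `site` with E8/E9 rel32 + NOP. */
size_t build_site_patch(uint32_t site, uint32_t cave, uint8_t opcode, uint8_t *out)
{
    out[0] = opcode;
    emit_u32(out, 1, rel32(site, cave));
    out[5] = 0x90;
    return 6;
}

int cave_matches_page(void)
{
    uint8_t buf[128];
    size_t n = build_cave(0x413080u, 0x414070u, 0x414050u, 0, buf);
    return n == sizeof PAGE_CAVE && memcmp(buf, PAGE_CAVE, n) == 0;
}

int site_patch_matches_page(void)
{
    static const uint8_t want[6] = { 0xE8, 0x10, 0xF7, 0x00, 0x00, 0x90 };
    uint8_t buf[6];
    return build_site_patch(0x40396Bu, 0x413080u, 0xE8, buf) == 6 && memcmp(buf, want, 6) == 0;
}

int cave_byte(int balanced, size_t i)
{
    uint8_t buf[128];
    size_t n = build_cave(0x413080u, 0x414070u, 0x414050u, balanced, buf);
    return i < n ? buf[i] : -1;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_cave(0x413080u, 0x414070u, 0x414050u, 0, buf);
    for (size_t i = 0; i < n; i++) printf("%02X%s", buf[i], (i + 1) % 32 ? " " : "\n");
    printf("\nmatches posted dump: %s\n", cave_matches_page() ? "yes" : "no");
    return 0;
}
```

Run it and the first 65 bytes printed are the hex dump above; change the cave address or the IAT slots and every displacement is recomputed, which is the whole point of the `CALL $+5` / `POP EBX` trick compared with method I's absolute `PUSH 00413082`.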
零下八度
Posted on 2014-12-3 11:49:04
Last edited by 零下八度 on 2014-12-3 12:03
The guys above are really good~~
I'll take a close look and study it~~
JZL
Posted on 2014-12-3 11:52:05
零下八度 posted on 2014-12-3 11:49
The guys above are really good~~
Can a newbie chime in?
Since it's a plaintext comparison, I might instead choose a (memory) keygen; there's one respect in which cracking will never match registering ...
Perhaps you didn't quite follow: all of these methods overwrite the fake code with the real one at the moment the real and fake codes are compared, so the check is passed and what gets saved is the real code too.
zengchuan
Posted on 2014-12-14 06:31:45
Have to support this, learned something.... haha.....
lpxx
Posted on 2015-12-13 10:20:11
Haha, so many talented people.