Excel汇总专家6: a simple crack
This post was last edited by menglv on 2015-5-22 14:55.
The program is unpacked. Load it directly in OD, enter any registration code, and once the "registration code incorrect" dialog pops up press ALT+K.
Call stack: main thread
Address  Stack    Procedure / arguments           Called from       Frame
0012EF3C 5559C8E9 Includes Excel汇?0040D6E2        mfc100.5559C8E7   0012EF38
0012EF48 5559CACB mfc100.5559C8AE                 mfc100.5559CAC6   0012EF44
0012EF64 555C6248 mfc100.#8304                    mfc100.555C6243   0012EF60
0012EF88 55626AFD Includes mfc100.555C6248        mfc100.55626AFA   0012EF84
0012EFD8 55626300 Includes mfc100.55626AFD        mfc100.556262FA   0012EFD4
0012F0A4 55626273 Includes mfc100.55626300        mfc100.5562626D   0012F0A0
0012F0C4 55624696 Includes mfc100.55626273        mfc100.55624690   0012F0C0
0012F13C 55624922 ? mfc100.#1858                  mfc100.5562491D   0012F138
0012F160 5551CAE6 ? mfc100.#2090                  mfc100.5551CAE1   0012F15C
0012F1A8 764C86EF Includes mfc100.5551CAE6        user32.764C86EC   0012F1A4
0012F1D4 764C8876 ? user32.764C86CC               user32.764C8871   0012F1D0
0012F24C 764C43CF ? user32.764C87C3               user32.764C43CA   0012F248
0012F27C 764E41F9 ? user32.764C437E               user32.764E41F4   0012F278
0012F29C 1002285C ? user32.CallWindowProcA        SkinH.10022856    0012F298
0012F2A0 5551CA90 PrevProc = mfc100.5551CA90
0012F2A4 00070498 hWnd = 00070498 ('欢迎',class='#32
0012F2A8 00000111 Message = WM_COMMAND
0012F2AC 00000001 age = Notify = MENU/BN_CLICKED...
0012F2B0 00040496 hControage = 00040496 ('确定',clas
0012F2B8 1001F315 ? SkinH.10022590                SkinH.1001F310
We locate the topmost entry, 0040D6E2:
0040D6D2   E8 7963FFFF      CALL Excel汇?00403A50                      ; key call
0040D6D7   83C4 04          ADD ESP,0x4
0040D6DA   85C0             TEST EAX,EAX
0040D6DC   0F85 94000000    JNZ Excel汇?0040D776                       ; key jump
0040D6E2   68 F4010000      PUSH 0x1F4
0040D6E7   FF15 70704100    CALL DWORD PTR DS:[<&KERNEL32.Sleep>]      ; kernel32.Sleep
0040D6ED   68 A0A34100      PUSH Excel汇?0041A3A0                      ; REG_DLG_ENTER_CORRECT_KEY
0040D6F2   8D4D E4          LEA ECX,DWORD PTR SS:[EBP-0x1C]
0040D6F5   FF15 34734100    CALL DWORD PTR DS:[<&mfc100.#310>]         ; mfc100.#310
0040D6FB   68 FC8F4100      PUSH Excel汇?00418FFC                      ; HYPEFRAME
0040D700   8D4D E0          LEA ECX,DWORD PTR SS:[EBP-0x20]
0040D703   C645 FC 07       MOV BYTE PTR SS:[EBP-0x4],0x7
0040D707   FF15 34734100    CALL DWORD PTR DS:[<&mfc100.#310>]         ; mfc100.#310
0040D70D   8D45 E4          LEA EAX,DWORD PTR SS:[EBP-0x1C]
0040D710   50               PUSH EAX
0040D711   8D4D E0          LEA ECX,DWORD PTR SS:[EBP-0x20]
0040D714   51               PUSH ECX
0040D715   8D55 E8          LEA EDX,DWORD PTR SS:[EBP-0x18]
0040D718   52               PUSH EDX
0040D719   C645 FC 08       MOV BYTE PTR SS:[EBP-0x4],0x8
0040D71D   E8 CE500000      CALL Excel汇?004127F0
0040D722   83C4 0C          ADD ESP,0xC
0040D725   8D4D E0          LEA ECX,DWORD PTR SS:[EBP-0x20]
0040D728   FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]         ; mfc100.#13970
0040D72E   8D4D E4          LEA ECX,DWORD PTR SS:[EBP-0x1C]
0040D731   C645 FC 0B       MOV BYTE PTR SS:[EBP-0x4],0xB
0040D735   FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]         ; mfc100.#13970
0040D73B   E8 4E5F0000      CALL <JMP.&mfc100.#1939>
0040D740   85C0             TEST EAX,EAX
0040D742   74 0D            JE SHORT Excel汇?0040D751
0040D744   8B10             MOV EDX,DWORD PTR DS:[EAX]
0040D746   8BC8             MOV ECX,EAX
0040D748   8B42 7C          MOV EAX,DWORD PTR DS:[EDX+0x7C]
0040D74B   FFD0             CALL EAX
0040D74D   8BF0             MOV ESI,EAX
0040D74F   EB 02            JMP SHORT Excel汇?0040D753
0040D751   33F6             XOR ESI,ESI
0040D753   8D4D E8          LEA ECX,DWORD PTR SS:[EBP-0x18]
0040D756   FF15 D0794100    CALL DWORD PTR DS:[<&mfc100.#1448>]        ; mfc100.#6207
0040D75C   8B4E 20          MOV ECX,DWORD PTR DS:[ESI+0x20]
0040D75F   6A 00            PUSH 0x0
0040D761   50               PUSH EAX
0040D762   68 670F0000      PUSH 0xF67
0040D767   51               PUSH ECX
0040D768   FF15 C8724100    CALL DWORD PTR DS:[<&USER32.SendMessageA>] ; user32.SendMessageA
0040D76E   8D4D E8          LEA ECX,DWORD PTR SS:[EBP-0x18]
0040D771   E9 97000000      JMP Excel汇?0040D80D
0040D776   8D55 F0          LEA EDX,DWORD PTR SS:[EBP-0x10]
0040D779   52               PUSH EDX
0040D77A   E8 4159FFFF      CALL Excel汇?004030C0
0040D77F   83C4 04          ADD ESP,0x4
0040D782   68 90A34100      PUSH Excel汇?0041A390                      ; REG_DLG_KEY_OK
0040D787   8D4D E4          LEA ECX,DWORD PTR SS:[EBP-0x1C]
0040D78A   FF15 34734100    CALL DWORD PTR DS:[<&mfc100.#310>]         ; mfc100.#310
0040D790   68 FC8F4100      PUSH Excel汇?00418FFC                      ; HYPEFRAME
0040D795   8D4D E0          LEA ECX,DWORD PTR SS:[EBP-0x20]
As you can see, there are very obvious string hints up there too. We follow CALL Excel汇?00403A50:
00403A50 /$ 55               PUSH EBP
00403A51 |. 8BEC             MOV EBP,ESP
00403A53 |. 6A FF            PUSH -0x1
00403A55 |. 68 784F4100      PUSH Excel汇?00414F78
00403A5A |. 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
00403A60 |. 50               PUSH EAX
00403A61 |. 83EC 1C          SUB ESP,0x1C
00403A64 |. 53               PUSH EBX
00403A65 |. 56               PUSH ESI
00403A66 |. A1 DCF54100      MOV EAX,DWORD PTR DS:[41F5DC]
00403A6B |. 33C5             XOR EAX,EBP
00403A6D |. 50               PUSH EAX
00403A6E |. 8D45 F4          LEA EAX,DWORD PTR SS:[EBP-0xC]
00403A71 |. 64:A3 00000000   MOV DWORD PTR FS:[0],EAX
00403A77 |. 68 38914100      PUSH Excel汇?00419138                    ; ProductCode
00403A7C |. 8D4D E8          LEA ECX,DWORD PTR SS:[EBP-0x18]
00403A7F |. FF15 34734100    CALL DWORD PTR DS:[<&mfc100.#310>]       ; mfc100.#310
00403A85 |. 8D45 E8          LEA EAX,DWORD PTR SS:[EBP-0x18]
00403A88 |. 50               PUSH EAX
00403A89 |. 8D4D EC          LEA ECX,DWORD PTR SS:[EBP-0x14]
00403A8C |. 51               PUSH ECX
00403A8D |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-0x4],0x0
00403A94 |. E8 B7FDFFFF      CALL Excel汇?00403850
00403A99 |. 83C4 08          ADD ESP,0x8
00403A9C |. 8D4D E8          LEA ECX,DWORD PTR SS:[EBP-0x18]
00403A9F |. C645 FC 02       MOV BYTE PTR SS:[EBP-0x4],0x2
00403AA3 |. FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]       ; mfc100.#13970
00403AA9 |. 68 2C914100      PUSH Excel汇?0041912C                    ; VersionCode
00403AAE |. 8D4D E4          LEA ECX,DWORD PTR SS:[EBP-0x1C]
00403AB1 |. FF15 34734100    CALL DWORD PTR DS:[<&mfc100.#310>]       ; mfc100.#310
00403AB7 |. 8D55 E4          LEA EDX,DWORD PTR SS:[EBP-0x1C]
00403ABA |. 52               PUSH EDX
00403ABB |. 8D45 F0          LEA EAX,DWORD PTR SS:[EBP-0x10]
00403ABE |. 50               PUSH EAX
00403ABF |. C645 FC 03       MOV BYTE PTR SS:[EBP-0x4],0x3
00403AC3 |. E8 88FDFFFF      CALL Excel汇?00403850
00403AC8 |. 83C4 08          ADD ESP,0x8
00403ACB |. B3 05            MOV BL,0x5
00403ACD |. 8D4D E4          LEA ECX,DWORD PTR SS:[EBP-0x1C]
00403AD0 |. 885D FC          MOV BYTE PTR SS:[EBP-0x4],BL
00403AD3 |. FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]       ; mfc100.#13970
00403AD9 |. E8 B2FEFFFF      CALL Excel汇?00403990
00403ADE |. 83F8 01          CMP EAX,0x1
00403AE1 |. 0F85 9E000000    JNZ Excel汇?00403B85
00403AE7 |. 51               PUSH ECX
00403AE8 |. 8D55 F0          LEA EDX,DWORD PTR SS:[EBP-0x10]
00403AEB |. 8BCC             MOV ECX,ESP
00403AED |. 8965 DC          MOV DWORD PTR SS:[EBP-0x24],ESP
00403AF0 |. 52               PUSH EDX
00403AF1 |. FF15 C0794100    CALL DWORD PTR DS:[<&mfc100.#300>]       ; mfc100.#300
00403AF7 |. 51               PUSH ECX
00403AF8 |. 8D45 EC          LEA EAX,DWORD PTR SS:[EBP-0x14]
00403AFB |. 8BCC             MOV ECX,ESP
00403AFD |. 8965 D8          MOV DWORD PTR SS:[EBP-0x28],ESP
00403B00 |. 50               PUSH EAX
00403B01 |. C645 FC 06       MOV BYTE PTR SS:[EBP-0x4],0x6
00403B05 |. FF15 C0794100    CALL DWORD PTR DS:[<&mfc100.#300>]       ; mfc100.#300
00403B0B |. 8D4D E0          LEA ECX,DWORD PTR SS:[EBP-0x20]
00403B0E |. 51               PUSH ECX
00403B0F |. 885D FC          MOV BYTE PTR SS:[EBP-0x4],BL
00403B12 |. E8 29B30000      CALL Excel汇?0040EE40
00403B17 |. 50               PUSH EAX
00403B18 |. 8D55 E8          LEA EDX,DWORD PTR SS:[EBP-0x18]
00403B1B |. 52               PUSH EDX
00403B1C |. C645 FC 07       MOV BYTE PTR SS:[EBP-0x4],0x7
00403B20 |. E8 5BB80000      CALL Excel汇?0040F380
00403B25 |. 83C4 14          ADD ESP,0x14
00403B28 |. 8BC8             MOV ECX,EAX
00403B2A |. C645 FC 08       MOV BYTE PTR SS:[EBP-0x4],0x8
00403B2E |. FF15 D0794100    CALL DWORD PTR DS:[<&mfc100.#1448>]      ; mfc100.#6207
00403B34 |. 8B4D 08          MOV ECX,DWORD PTR SS:[EBP+0x8]
00403B37 |. 50               PUSH EAX
00403B38 |. FF15 D4794100    CALL DWORD PTR DS:[<&mfc100.#2611>]      ; mfc100.#2611
00403B3E |. 85C0             TEST EAX,EAX
00403B40 |. 8D4D E8          LEA ECX,DWORD PTR SS:[EBP-0x18]
00403B43 |. 0F94C3           SETE BL
00403B46 |. FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]       ; mfc100.#13970
00403B4C |. 8D4D E0          LEA ECX,DWORD PTR SS:[EBP-0x20]
00403B4F |. FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]       ; mfc100.#13970
00403B55 |. 8D4D F0          LEA ECX,DWORD PTR SS:[EBP-0x10]
00403B58 |. FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]       ; mfc100.#13970
00403B5E |. 8D4D EC          LEA ECX,DWORD PTR SS:[EBP-0x14]
00403B61 |. FF15 BC794100    CALL DWORD PTR DS:[<&mfc100.#901>]       ; mfc100.#13970
00403B67 |. 84DB             TEST BL,BL
00403B69 |. 0F84 9B000000    JE Excel汇?00403C0A                      ; key jump
00403B6F |. B8 01000000      MOV EAX,0x1
00403B74 |. 8B4D F4          MOV ECX,DWORD PTR SS:[EBP-0xC]
00403B77 |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
00403B7E |. 59               POP ECX
00403B7F |. 5E               POP ESI
00403B80 |. 5B               POP EBX
00403B81 |. 8BE5             MOV ESP,EBP
00403B83 |. 5D               POP EBP
00403B84 |. C3               RETN
Local calls from 004059BF, 00405BE4, 0040D6D2, 0040E4CE
A quick test: you only need to make the call above return eax=1. Making a patch is easy too.
The main program is unpacked, dear.
This post was last edited by menglv on 2015-5-22 15:25.
There are two more file-count checks in ExcelAssistant.dll; just force the jumps.
0191D758  /0F84 CF010000     je 0191D92D
0191D75E  |837B 24 02        cmp dword ptr [ebx+0x24], 0x2        ; file-count check
0191D762  |0F8E DF000000     jle 0191D847                         ; force this jump
0191D768  |837B 44 00        cmp dword ptr [ebx+0x44], 0x0
0191D76C  |0F84 88000000     je 0191D7FA
0191D772  |8B4D A8           mov ecx, dword ptr [ebp-0x58]
0191D775  |8B55 C4           mov edx, dword ptr [ebp-0x3C]
0191D778  |8B45 B0           mov eax, dword ptr [ebp-0x50]
0191D77B  |51                push ecx
0191D77C  |52                push edx
0191D77D  |C743 44 00000000  mov dword ptr [ebx+0x44], 0x0
0191D784  |8B08              mov ecx, dword ptr [eax]
0191D786  |51                push ecx
0191D787  |8D55 C0           lea edx, dword ptr [ebp-0x40]
0191D78A  |68 E05D9301       push 01935DE0                        ; 处理文件%s完成, 这个文件总共有%d个表, 处理了您指定的%d个表 ("Finished processing file %s; this file has %d sheets in total, %d of the sheets you specified were processed")
0191D78F  |52                push edx
0191D790  |FF15 0C099301     call dword ptr [<&mfc100.#4283>]     ; mfc100.#4283
0191D796  |8B4B 1C           mov ecx, dword ptr [ebx+0x1C]
019231D6   837E 24 0B        cmp dword ptr [esi+0x24], 0xB        ; file-count check
019231DA   C745 FC 00000000  mov dword ptr [ebp-0x4], 0x0
019231E1   7E 5A             jle short 0192323D                   ; force this jump
019231E3   68 F4609301       push 019360F4                        ; Register Info Error!
019231E8   8D4D 08           lea ecx, dword ptr [ebp+0x8]
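The first post ("make the call return eax=1", i.e. take the JNZ at 0040D6DC) and the post above ("force this jump" at the two JLEs) both come down to the same mechanical step: take a VA from the debugger and flip the conditional jump in the file on disk. The Python below is an added example, not code from the thread or from the program, showing how to do that without guesswork: map the VA to a file offset through the PE section table, verify the bytes that are really there before writing, and rewrite the conditional jump as an unconditional one of the same length (NOP + JMP rel32 for a 6-byte Jcc, so the displacement stays valid). It operates on a minimal PE image constructed inline (ImageBase 0x400000, a single .text section, and instruction bytes copied from the listings placed at made-up RVAs); the real binary is not used.

```python
# Added example (not from the thread): VA -> file offset, verified patch,
# and "force the conditional jump".  The PE image is constructed below;
# ImageBase, RVAs and the instruction bytes are assumptions for the demo.
import struct

IMAGE_BASE = 0x400000
TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x1000, 0x400, 0x200


def build_sample_pe():
    """Constructed minimal PE32 with one .text section (headers only, not runnable)."""
    text = bytearray(TEXT_SIZE)
    # RVA 0x10DA: TEST EAX,EAX ; JNZ +0x94   (same bytes as the 0040D6DA listing)
    text[0xDA:0xE2] = bytes.fromhex("85C00F8594000000")
    # RVA 0x1150: CMP DWORD PTR [ESI+0x24],0xB ; JLE SHORT +0x5A   (as in the DLL listing)
    text[0x150:0x156] = bytes.fromhex("837E240B7E5A")

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    sec = struct.pack("<8sIIIIIIHHI", b".text", TEXT_SIZE, TEXT_RVA,
                      TEXT_SIZE, TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    image = bytearray(TEXT_RAW + TEXT_SIZE)
    image[: 0x40 + 24 + 0xE0 + 40] = dos + coff + opt + sec
    image[TEXT_RAW:TEXT_RAW + TEXT_SIZE] = text
    return bytes(image)


def parse_pe(pe):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                     # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Debugger VA -> offset in the file on disk (what a hex editor or patcher needs)."""
    image_base, sections = parse_pe(pe)
    rva = va - image_base
    for _name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError("VA %#x lies in the zero-filled tail, not in the file" % va)
            return raw_ptr + delta
    raise ValueError("VA %#x is not backed by any section" % va)


def apply_patch(pe, va, expect, new):
    """Overwrite the bytes at VA only if the bytes currently there are the expected ones."""
    if len(expect) != len(new):
        raise ValueError("patch must keep the instruction length")
    off = va_to_file_offset(pe, va)
    if pe[off:off + len(expect)] != expect:
        raise ValueError("bytes at %#x are not %s (wrong build, or already patched)"
                         % (va, expect.hex()))
    out = bytearray(pe)
    out[off:off + len(new)] = new
    return bytes(out)


def force_jump(pe, va):
    """Turn the conditional jump at VA into an unconditional jump of the same size."""
    off = va_to_file_offset(pe, va)
    op = pe[off]
    if 0x70 <= op <= 0x7F:                                 # Jcc rel8  -> JMP rel8
        return apply_patch(pe, va, pe[off:off + 2], b"\xEB" + pe[off + 1:off + 2])
    if op == 0x0F and 0x80 <= pe[off + 1] <= 0x8F:         # Jcc rel32 -> NOP ; JMP rel32
        # NOP first so the JMP ends where the Jcc ended; the rel32 stays valid.
        return apply_patch(pe, va, pe[off:off + 6], b"\x90\xE9" + pe[off + 2:off + 6])
    raise ValueError("no conditional jump at %#x" % va)


if __name__ == "__main__":
    pe = build_sample_pe()
    patched = force_jump(force_jump(pe, IMAGE_BASE + 0x10DC), IMAGE_BASE + 0x1154)
    print(patched[0x4DC:0x4E2].hex(), patched[0x554:0x556].hex())  # 90e994000000 eb5a
```

The verify-before-write step is the part worth keeping even for a one-off patch: the same VA in a different build, or a file that was already patched, will not hold the bytes you saw in the debugger, and silently writing there corrupts an unrelated instruction.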
This post was last edited by menglv on 2015-5-22 15:26.
Looks like there are quite a few hidden checks, and the software is not much use anyway! Not playing any further.
It seems there are only the two places above.
So many hidden checks; learned something.
The hidden checks are not in the main program; patching one place in the main program cracks it.
A newbie here to learn.
I'm a complete newbie, this is impressive, master.
Whew, still learning...