小菜写的一个通杀用__vbaStrComp比较注册码的VB程序的内存注册机
/**VB Killer V1.0
程序设计:天下
感谢名单:暂无
使用说明:
本程序可以破解一些由vb6制作的本地注册验证程序
代码使用VC2010编译
**/
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
#include <wchar.h>
#define SE_DEBUG_PRIVILEGE 20
typedefDWORD(WINAPI *PRtlAdjustPrivilege) /**未文档化函数声明**/
(
ULONG Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
);
void WINAPI AdjustPrivilege() /**ntdll中的提权函数**/
{
BOOLEAN Enabled;
PRtlAdjustPrivilege RtlAdjustPrivilege = (PRtlAdjustPrivilege)GetProcAddress(LoadLibrary((LPCSTR)"ntdll.dll"), "RtlAdjustPrivilege");
RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &Enabled);
}
int main(void)
{
HANDLE hSnap;
BOOL dwNext;
PROCESSENTRY32 stPi;
DWORD dwPID;
HANDLE hProcess;
DWORD lpCmpFunc;
HMODULE hMdl;
BYTE bInt3 = 0xCC;
BYTE bOld1;
BYTE bOld2;
int dwStates = 1;
DEBUG_EVENT stDbg;
CONTEXT stCt;
HANDLE hThread;
DWORD lpPtr;
wchar_t szText;
AdjustPrivilege();
printf("VB6.0 Killer Version 1.0 Code By 天下\n");
hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hSnap == INVALID_HANDLE_VALUE)
printf("I can't enum the process! You must enter the process ID by your self!\n");
else
{
stPi.dwSize = sizeof(PROCESSENTRY32);
dwNext = Process32First(hSnap, &stPi);
while(dwNext)
{
printf("%*s%d\n", -40, stPi.szExeFile, stPi.th32ProcessID);
dwNext = Process32Next(hSnap, &stPi);
}
CloseHandle(hSnap);
printf("Now you shoult choose a process to get the right code\n");
}
printf("Please enter a process id: ");
scanf("%u", &dwPID);
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
if(hProcess == 0)
{
printf("I can't open the process!\n");
return 1;
}
/**
ESP + 8 --> 正确文本的地址
__vbaStrComp msvbvm60.dll
第一条指令长度为5个字节
**/
hMdl = LoadLibrary("msvbvm60.dll");
lpCmpFunc = (DWORD)GetProcAddress(hMdl, "__vbaStrComp");
FreeLibrary(hMdl);
if(lpCmpFunc == 0)
{
printf("I can't get the function pointer\n");
return 1;
}
DebugActiveProcess(dwPID);
ReadProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bOld1, 1, NULL);
ReadProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bOld2, 1, NULL);
WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bInt3, 1, NULL);
while(dwStates == 1)
{
WaitForDebugEvent(&stDbg, INFINITE);
switch(stDbg.dwDebugEventCode)
{
case EXCEPTION_DEBUG_EVENT:
{
if(stDbg.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT)
{
if((DWORD)stDbg.u.Exception.ExceptionRecord.ExceptionAddress == lpCmpFunc)
{
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, stDbg.dwThreadId);
stCt.ContextFlags = CONTEXT_ALL;
SuspendThread(hThread);
GetThreadContext(hThread, &stCt);
ReadProcessMemory(hProcess, (LPVOID)(stCt.Esp + 8), &lpPtr, 4, NULL);
ReadProcessMemory(hProcess, (LPVOID)lpPtr, szText, 1024, NULL);
printf("The right regcode:\n%ls\n", szText);
--stCt.Eip;
SetThreadContext(hThread, &stCt);
WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bOld1, 1, NULL);
WriteProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bInt3, 1, NULL);
ResumeThread(hThread);
CloseHandle(hThread);
ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
}
else if((DWORD)stDbg.u.Exception.ExceptionRecord.ExceptionAddress == lpCmpFunc + 5)
{
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, stDbg.dwThreadId);
stCt.ContextFlags = CONTEXT_ALL;
SuspendThread(hThread);
GetThreadContext(hThread, &stCt);
WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bInt3, 1, NULL);
WriteProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bOld2, 1, NULL);
--stCt.Eip;
SetThreadContext(hThread, &stCt);
ResumeThread(hThread);
CloseHandle(hThread);
ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
}
else
{
ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
}
}
else
{
ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
}
break;
}
case EXIT_PROCESS_DEBUG_EVENT:
{
printf("Process is terminated\n");
dwStates = 0;
ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
break;
}
default:
{
ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
break;
}
}
}
WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bOld1, 1, NULL);
WriteProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bOld2, 1, NULL);
DebugActiveProcessStop(dwPID);
return 0;
}
通常经常破解VB程序的同学都知道,__VBStrComp调用时,ESP + 8指向的就是其中的一个比较文本(当然,也有的人会这样写比较正确注册码 = 用户注册码,那这个时候程序就失效了,大家可以自己修改,留个需要几行代码就可以解决的小坑,嘻嘻{:soso__6236112034290849730_2:})
怎么不是工具啊,支持楼主把这个工具化 支持楼主将代码工具化一下~~
这个牛逼啊,赞 真牛!我们学习中 这个貌似很NB。通用。 非常的不错,这个牛逼啊,赞 怎么看都感觉很厉害,支持 支持楼主将代码工具化
页:
[1]