Cracking notes:
1. bp rtcMsgBox
Cracked three functional limits:
a. the modification of the record-save folder selection.
b. the export limit.
c. the print limit.
2. Universal breakpoint method: cracked the registered status, get-pictures and get-text!
00406FE8 . 816C24 04 FFF>sub dword ptr [esp+4], 0FFFF
00406FF0 . E9 6BCF0000 jmp 00413F60
00406FF5 . 816C24 04 FFF>sub dword ptr [esp+4], 0FFFF
00406FFD . E9 6EE00000 jmp 00415070
00407002 . 816C24 04 F70>sub dword ptr [esp+4], 0F7
0040700A . E9 41E50000 jmp 00415550
0040700F . 816C24 04 B30>sub dword ptr [esp+4], 0B3
00407017 . E9 64E60000 jmp 00415680
0040701C . 816C24 04 B30>sub dword ptr [esp+4], 0B3
00407024 . E9 A71B0100 jmp 00418BD0
00407029 . 816C24 04 B30>sub dword ptr [esp+4], 0B3
00407031 . E9 EA480100 jmp 0041B920
Part omitted.
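The 816C24 byte string the post searches for is the VB6 event-handler thunk table shown above. As an added example (not code from the original post), here is a Python scanner that walks a byte buffer for `sub dword ptr [esp+4], imm32 ; jmp rel32` pairs and resolves each jmp target, which lets an analyst map a VB6 binary's event handlers when triaging it; the sample bytes are reconstructed from the listing above and `SAMPLE_BASE` is assumed to be the listing's first address.

```python
import struct

# Constructed sample: the raw bytes of the thunk table listed above
# (00406FE8..00407036), rebuilt from the disassembly listing.
SAMPLE_BASE = 0x00406FE8
SAMPLE = bytes.fromhex(
    "816C2404FFFF0000" "E96BCF0000"
    "816C2404FFFF0000" "E96EE00000"
    "816C2404F7000000" "E941E50000"
    "816C2404B3000000" "E964E60000"
    "816C2404B3000000" "E9A71B0100"
    "816C2404B3000000" "E9EA480100"
)

# Opcode bytes of "sub dword ptr [esp+4], imm32" (81 /5 with SIB, disp8 4).
THUNK_PREFIX = b"\x81\x6C\x24\x04"
THUNK_LEN = 8 + 5  # sub (8 bytes) + jmp rel32 (5 bytes)


def find_vb6_thunks(data: bytes, base: int):
    """Return (thunk_va, esp_adjust, target_va) for every VB6 event thunk.

    Each thunk adjusts the object pointer passed as the first stack argument
    and then jumps to the real event handler; the handler address is what an
    analyst wants, so the rel32 is resolved against the address after the jmp.
    """
    hits = []
    i = 0
    while True:
        i = data.find(THUNK_PREFIX, i)
        if i < 0 or i + THUNK_LEN > len(data):
            break
        if data[i + 8] == 0xE9:  # must be followed by a near jmp
            adjust = struct.unpack_from("<I", data, i + 4)[0]
            rel32 = struct.unpack_from("<i", data, i + 9)[0]
            jmp_va = base + i + 8
            hits.append((base + i, adjust, jmp_va + 5 + rel32))
            i += THUNK_LEN
        else:
            i += 1  # false positive (no jmp after the sub): keep scanning
    return hits


def handler_targets(data: bytes, base: int):
    """Just the resolved handler addresses, in table order."""
    return [target for _, _, target in find_vb6_thunks(data, base)]


if __name__ == "__main__":
    for thunk, adjust, target in find_vb6_thunks(SAMPLE, SAMPLE_BASE):
        print(f"{thunk:08X}  sub [esp+4], {adjust:X}  ->  handler {target:08X}")
```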
Some of the breakpoints:
00416075 qq-msg_3 Disabled call dword ptr [<&MSVBVM60.__vbaB
00416097 qq-msg_3 Disabled je 0041613B crack 1: registered
0041C891 qq-msg_3 Disabled je 0041CAD3 crack 3: universal breakpoint, this is where picture records are fetched
00420CED qq-msg_3 Disabled je 00420EA7 crack 2: universal breakpoint, this is where text records are fetched
00439153 qq-msg_3 Disabled je 00439318 password check
0043AFDB qq-msg_3 Disabled jnz 0043B06B crack 4
77E4FBBC USER32 Always rep movs dword ptr es:[edi], dwo
That is how it was cracked, step by step; done.
Detailed explanation of using the universal breakpoint. (You can also search directly for the binary string 816C24 and set the breakpoint there.)
First run the program, set the breakpoint, then trigger the restricted function. When it breaks, press Alt+F9 to return, then look upward for the comparison, or go to the start of the routine to see where it was called from.
After the universal breakpoint + [Alt+F9], you land here:
00438E10 > \55 push ebp // jump from 00403412
00438E11 . 8BEC mov ebp, esp
00438E13 . 83EC 18 sub esp, 18
00438E16 . 68 06274000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
A large chunk omitted...
00438FFE . 68 C8954000 push 004095C8 ; /szKey = "setupmm"
00439003 . 68 74804000 push 00408074 ; |Section = "clongxue"
00439008 . 68 74804000 push 00408074 ; |AppName = "clongxue"
0043900D . FF15 C0114000 call dword ptr [<&MSVBVM60.#689>] ; \rtcGetSetting
00439013 . 8BD0 mov edx, eax
00439015 . 8D4D DC lea ecx, dword ptr [ebp-24]
00439018 . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
A large chunk omitted...
00439086 . 51 push ecx
00439087 . FF15 68104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>] ; MSVBVM60.__vbaHresultCheckObj
0043908D . 8985 9CFEFFFF mov dword ptr [ebp-164], eax
00439093 . EB 0A jmp short 0043909F
00439095 > C785 9CFEFFFF 00000000 mov dword ptr [ebp-164], 0
0043909F > 8B55 D8 mov edx, dword ptr [ebp-28] ; password retrieved
004390A2 . 8995 A0FEFFFF mov dword ptr [ebp-160], edx
004390A8 . C745 D8 00000000 mov dword ptr [ebp-28], 0
004390AF . 8B85 A0FEFFFF mov eax, dword ptr [ebp-160]
004390B5 . 8945 CC mov dword ptr [ebp-34], eax
004390B8 . C745 C4 08000000 mov dword ptr [ebp-3C], 8
004390BF . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004390C2 . 51 push ecx
004390C3 . 8D55 B4 lea edx, dword ptr [ebp-4C]
004390C6 . 52 push edx
004390C7 . FF15 9C104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
004390CD . 8D45 B4 lea eax, dword ptr [ebp-4C]
004390D0 . 50 push eax
004390D1 . 8D4D A4 lea ecx, dword ptr [ebp-5C]
004390D4 . 51 push ecx
004390D5 . FF15 50104000 call dword ptr [<&MSVBVM60.#518>] ; MSVBVM60.rtcLowerCaseVar
004390DB . 8D55 DC lea edx, dword ptr [ebp-24]
004390DE . 8995 FCFEFFFF mov dword ptr [ebp-104], edx
004390E4 . C785 F4FEFFFF 08400000 mov dword ptr [ebp-10C], 4008
004390EE . 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
004390F4 . 50 push eax
004390F5 . 8D4D 94 lea ecx, dword ptr [ebp-6C]
004390F8 . 51 push ecx
004390F9 . FF15 9C104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
004390FF . 8D55 94 lea edx, dword ptr [ebp-6C]
00439102 . 52 push edx
00439103 . 8D45 84 lea eax, dword ptr [ebp-7C]
00439106 . 50 push eax
00439107 . FF15 50104000 call dword ptr [<&MSVBVM60.#518>] ; MSVBVM60.rtcLowerCaseVar
0043910D . 8D4D A4 lea ecx, dword ptr [ebp-5C]
00439110 . 51 push ecx ; /var18
00439111 . 8D55 84 lea edx, dword ptr [ebp-7C] ; |
00439114 . 52 push edx ; |var28
00439115 . FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
0043911B . 66:8985 B8FEFFFF mov word ptr [ebp-148], ax
00439122 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00439125 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0043912B . 8D45 84 lea eax, dword ptr [ebp-7C]
0043912E . 50 push eax
0043912F . 8D4D A4 lea ecx, dword ptr [ebp-5C]
00439132 . 51 push ecx
00439133 . 8D55 94 lea edx, dword ptr [ebp-6C]
00439136 . 52 push edx
00439137 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0043913A . 50 push eax
0043913B . 8D4D C4 lea ecx, dword ptr [ebp-3C]
0043913E . 51 push ecx
0043913F . 6A 05 push 5
00439141 . FF15 30104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
00439147 . 83C4 18 add esp, 18
0043914A . 0FBF95 B8FEFFFF movsx edx, word ptr [ebp-148]
00439151 . 85D2 test edx, edx
00439153 . 0F84 BF010000 je 00439318 ; password check
00439159 . C745 FC 06000000 mov dword ptr [ebp-4], 6
00439160 . 833D 10014400 00 cmp dword ptr [440110], 0
00439167 . 75 1C jnz short 00439185
00439169 . 68 10014400 push 00440110
0043916E . 68 CC2F4000 push 00402FCC
00439173 . FF15 80114000 call dword ptr [<&MSVBVM60.__vbaNew2>] ; MSVBVM60.__vbaNew2
00439179 . C785 98FEFFFF 10014400 mov dword ptr [ebp-168], 00440110
Going to 00403412:
004033F0 . 816C24 04 53000000 sub dword ptr [esp+4], 53
004033F8 E9 135A0300 jmp 00438E10 ; login routine after clicking OK; swap this with the nag
004033FD . 816C24 04 4F000000 sub dword ptr [esp+4], 4F
00403405 . E9 46600300 jmp 00439450
0040340A . 816C24 04 57000000 sub dword ptr [esp+4], 57
00403412 E9 A9600300 jmp 004394C0 ; load nag
00403417 816C24 04 57000000 sub dword ptr [esp+4], 57
0040341F . E9 2C6F0300 jmp 0043A350
00403424 . 816C24 04 4B000000 sub dword ptr [esp+4], 4B
0040342C . E9 8F6F0300 jmp 0043A3C0 ; password input routine
00403431 . 816C24 04 47000000 sub dword ptr [esp+4], 47
00403439 . E9 22700300 jmp 0043A460 ;
------------------------------------------------------------------------------------------------------------------------
Password check
------------------------------------------------------------------------------------------------------------------------
00415680 > \55 push ebp
00415681 . 8BEC mov ebp, esp
00415683 . 83EC 18 sub esp, 18
00415686 . 68 06274000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
0041568B . 64:A1 00000000 mov eax, dword ptr fs:[0]
....A large chunk omitted...
00415FE5 . 68 B07B4000 push 00407BB0 ; /szKey = "zcmm"
00415FEA . 68 74804000 push 00408074 ; |Section = "clongxue"
00415FEF . 68 74804000 push 00408074 ; |AppName = "clongxue"
00415FF4 . FF15 C0114000 call dword ptr [<&MSVBVM60.#689>] ; \rtcGetSetting
00415FFA . 8BD0 mov edx, eax
00415FFC . 8D4D 90 lea ecx, dword ptr [ebp-70]
00415FFF . FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00416005 . C745 FC 19000000 mov dword ptr [ebp-4], 19
0041600C . C785 30FEFFFF F0794000 mov dword ptr [ebp-1D0], 004079F0 ; UNICODE "xue"
00416016 . C785 28FEFFFF 08000000 mov dword ptr [ebp-1D8], 8
00416020 . 6A 01 push 1
00416022 . 8B55 90 mov edx, dword ptr [ebp-70]
00416025 . 52 push edx
00416026 . 68 1C814000 push 0040811C ; UNICODE "leiw3-mbodr-9ewto-nmbio"
0041602B . 6A 00 push 0
0041602D . FF15 84114000 call dword ptr [<&MSVBVM60.__vbaInStr>; MSVBVM60.__vbaInStr
00416033 . 8985 20FEFFFF mov dword ptr [ebp-1E0], eax
00416039 . C785 18FEFFFF 03000000 mov dword ptr [ebp-1E8], 3
00416043 . 6A 01 push 1
00416045 . 8D45 98 lea eax, dword ptr [ebp-68]
00416048 . 50 push eax
00416049 . 8D8D 28FEFFFF lea ecx, dword ptr [ebp-1D8]
0041604F . 51 push ecx
00416050 . 6A 00 push 0
00416052 . 8D95 FCFEFFFF lea edx, dword ptr [ebp-104]
00416058 . 52 push edx
00416059 . FF15 5C114000 call dword ptr [<&MSVBVM60.__vbaInStr>; MSVBVM60.__vbaInStrVar
0041605F . 50 push eax
00416060 . 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
00416066 . 50 push eax
00416067 . 8D8D ECFEFFFF lea ecx, dword ptr [ebp-114]
0041606D . 51 push ecx
0041606E . FF15 1C114000 call dword ptr [<&MSVBVM60.__vbaVarAn>; MSVBVM60.__vbaVarAnd
00416074 . 50 push eax
00416075 . FF15 A8104000 call dword ptr [<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
0041607B . 66:8985 C4FDFFFF mov word ptr [ebp-23C], ax
00416082 . 8D8D FCFEFFFF lea ecx, dword ptr [ebp-104]
00416088 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
0041608E . 0FBF95 C4FDFFFF movsx edx, word ptr [ebp-23C]
00416095 . 85D2 test edx, edx
00416097 . 0F84 9E000000 je 0041613B ; patch point -- change to registered!!! first one
0041609D . C745 FC 1A000000 mov dword ptr [ebp-4], 1A
004160A4 . 833D 10004400 00 cmp dword ptr [440010], 0
004160AB . 75 1C jnz short 004160C9
004160AD . 68 10004400 push 00440010
004160B2 . 68 20554000 push 00405520
004160B7 . FF15 80114000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
004160BD . C785 28FDFFFF 10004400 mov dword ptr [ebp-2D8], 00440010
004160C7 . EB 0A jmp short 004160D3
004160C9 > C785 28FDFFFF 10004400 mov dword ptr [ebp-2D8], 00440010
004160D3 > 8B85 28FDFFFF mov eax, dword ptr [ebp-2D8]
004160D9 . 8B08 mov ecx, dword ptr [eax]
004160DB . 898D C4FDFFFF mov dword ptr [ebp-23C], ecx
004160E1 . 68 50814000 push 00408150 ; UNICODE "qq-msg 3.0 2009("
004160E6 . 8B95 C4FDFFFF mov edx, dword ptr [ebp-23C]
A large chunk omitted...
004188BB . 8B85 C4FDFFFF mov eax, dword ptr [ebp-23C]
004188C1 . 8B08 mov ecx, dword ptr [eax]
004188C3 . 8B95 C4FDFFFF mov edx, dword ptr [ebp-23C]
004188C9 . 52 push edx
004188CA . FF91 A4000000 call dword ptr [ecx+A4]
004188D0 . DBE2 fclex // Alt+F9 returns to here.
------------------------------------------------------------------------------------------------------------------------
Registered
------------------------------------------------------------------------------------------------------------------------
http://115.com/file/anrrh4vd#qqmsg3.0.rar Anyone who wants to have a go can practise on it themselves.