【Title】: WingFaster 2.8 (VB) patching the registration check
【Author】: gongsui
【Download】: search for it yourself
【Packer】: none
【Language】: Microsoft Visual Basic [Native] | Basic
【Tools】: DiE / OD / c32asm
【Author's note】: Just out of interest, no other purpose. If I've made mistakes, please point them out!
--------------------------------------------------------------------------------
【Detailed process】
A very simple little program; as usual, the experts can just skip it.
Because this is a native-compiled Microsoft Visual Basic program, OD's string reference search does not find its strings (VB stores them as Unicode), so I used c32asm's Unicode string search for "注册码错误" (Wrong registration code) and "已注册" (Registered).
That locates the key strings.
Here is the code:
0040F064 . 8945 98 mov dword ptr [ebp-68], eax
0040F067 . 894D B0 mov dword ptr [ebp-50], ecx
0040F06A . 8945 A8 mov dword ptr [ebp-58], eax
0040F06D . 894D C0 mov dword ptr [ebp-40], ecx
0040F070 . 8945 B8 mov dword ptr [ebp-48], eax
0040F073 . 0F84 91010000 je 0040F20A ; key jump
0040F079 . 8D55 88 lea edx, dword ptr [ebp-78]
0040F07C . 8D4D C8 lea ecx, dword ptr [ebp-38]
0040F07F . C745 90 C8894>mov dword ptr [ebp-70], 004089C8 ; UNICODE string (the success-message text; OD mis-decoded it as ASCII)
0040F086 . C745 88 08000>mov dword ptr [ebp-78], 8
0040F08D . FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0040F093 . 8D55 98 lea edx, dword ptr [ebp-68]
0040F096 . 8D45 A8 lea eax, dword ptr [ebp-58]
0040F099 . 52 push edx
0040F09A . 8D4D B8 lea ecx, dword ptr [ebp-48]
0040F09D . 50 push eax
0040F09E . 51 push ecx
0040F09F . 8D55 C8 lea edx, dword ptr [ebp-38]
0040F0A2 . 6A 40 push 40
0040F0A4 . 52 push edx
0040F0A5 . FF15 7C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0040F0AB . 8D45 98 lea eax, dword ptr [ebp-68]
0040F0AE . 8D4D A8 lea ecx, dword ptr [ebp-58]
0040F0B1 . 50 push eax
0040F0B2 . 8D55 B8 lea edx, dword ptr [ebp-48]
0040F0B5 . 51 push ecx
0040F0B6 . 8D45 C8 lea eax, dword ptr [ebp-38]
0040F0B9 . 52 push edx
0040F0BA . 50 push eax
0040F0BB . 6A 04 push 4
0040F0BD . FFD6 call esi
0040F0BF . 83C4 14 add esp, 14
0040F0C2 . 6A 01 push 1
0040F0C4 . FF15 04104000 call dword ptr [<&MSVBVM60.__vbaStrI2>; MSVBVM60.__vbaStrI2
0040F0CA . 8BD0 mov edx, eax
0040F0CC . 8D4D E8 lea ecx, dword ptr [ebp-18]
0040F0CF . FF15 84114000 call dword ptr [<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0040F0D5 . 50 push eax
0040F0D6 . 68 60814000 push 00408160 ; UNICODE "RegInfo"
0040F0DB . 68 58794000 push 00407958 ; UNICODE "WingFaster"
0040F0E0 . 68 48794000 push 00407948 ; UNICODE "81915"
0040F0E5 . FF15 00104000 call dword ptr [<&MSVBVM60.#690>] ; MSVBVM60.rtcSaveSetting
0040F0EB . 8D4D E8 lea ecx, dword ptr [ebp-18]
0040F0EE . FF15 A0114000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040F0F4 . A1 10304100 mov eax, dword ptr [413010]
0040F0F9 . 85C0 test eax, eax
0040F0FB . 75 15 jnz short 0040F112
0040F0FD . 68 10304100 push 00413010
0040F102 . 68 245C4000 push 00405C24
0040F107 . FF15 34114000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0040F10D . A1 10304100 mov eax, dword ptr [413010]
0040F112 > 8B08 mov ecx, dword ptr [eax]
0040F114 . 50 push eax
0040F115 . FF91 58030000 call dword ptr [ecx+358]
0040F11B . 8B1D 74104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaObjSet
0040F121 . 8D55 DC lea edx, dword ptr [ebp-24]
0040F124 . 50 push eax
0040F125 . 52 push edx
0040F126 . FFD3 call ebx ; <&MSVBVM60.__vbaObjSet>
0040F128 . 8BF0 mov esi, eax
0040F12A . 6A 00 push 0
0040F12C . 56 push esi
0040F12D . 8B06 mov eax, dword ptr [esi]
0040F12F . FF90 8C000000 call dword ptr [eax+8C]
0040F135 . 85C0 test eax, eax
0040F137 . DBE2 fclex
0040F139 . 7D 12 jge short 0040F14D
0040F13B . 68 8C000000 push 8C
0040F140 . 68 70814000 push 00408170
0040F145 . 56 push esi
0040F146 . 50 push eax
0040F147 . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040F14D > 8D4D DC lea ecx, dword ptr [ebp-24]
0040F150 . FF15 9C114000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040F156 . A1 10304100 mov eax, dword ptr [413010]
0040F15B . 85C0 test eax, eax
0040F15D . 75 15 jnz short 0040F174
0040F15F . 68 10304100 push 00413010
0040F164 . 68 245C4000 push 00405C24
0040F169 . FF15 34114000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0040F16F . A1 10304100 mov eax, dword ptr [413010]
0040F174 > 8B08 mov ecx, dword ptr [eax]
0040F176 . 50 push eax
0040F177 . FF91 58030000 call dword ptr [ecx+358]
0040F17D . 8D55 DC lea edx, dword ptr [ebp-24]
0040F180 . 50 push eax
0040F181 . 52 push edx
0040F182 . FFD3 call ebx
0040F184 . 8BF0 mov esi, eax
0040F186 . 68 84814000 push 00408184 ; UNICODE "已注册" (Registered)
0040F18B . 56 push esi
0040F18C . 8B06 mov eax, dword ptr [esi]
0040F18E . FF50 54 call dword ptr [eax+54]
0040F191 . 85C0 test eax, eax
0040F193 . DBE2 fclex
0040F195 . 7D 0F jge short 0040F1A6
0040F197 . 6A 54 push 54
0040F199 . 68 70814000 push 00408170
0040F19E . 56 push esi
0040F19F . 50 push eax
0040F1A0 . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040F1A6 > 8B1D 9C114000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaFreeObj
0040F1AC . 8D4D DC lea ecx, dword ptr [ebp-24]
0040F1AF . FFD3 call ebx ; <&MSVBVM60.__vbaFreeObj>
0040F1B1 . A1 D0364100 mov eax, dword ptr [4136D0]
0040F1B6 . 85C0 test eax, eax
0040F1B8 . 75 10 jnz short 0040F1CA
0040F1BA . 68 D0364100 push 004136D0
0040F1BF . 68 38804000 push 00408038
0040F1C4 . FF15 34114000 call dword ptr [<&MSVBVM60.__vbaNew2>>; MSVBVM60.__vbaNew2
0040F1CA > 8B35 D0364100 mov esi, dword ptr [4136D0]
0040F1D0 . 8D4D DC lea ecx, dword ptr [ebp-24]
0040F1D3 . 57 push edi
0040F1D4 . 51 push ecx
0040F1D5 . 8B16 mov edx, dword ptr [esi]
0040F1D7 . 8995 34FFFFFF mov dword ptr [ebp-CC], edx
0040F1DD . FF15 84104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSetAddref
0040F1E3 . 8B95 34FFFFFF mov edx, dword ptr [ebp-CC]
0040F1E9 . 50 push eax
0040F1EA . 56 push esi
0040F1EB . FF52 10 call dword ptr [edx+10]
0040F1EE . 85C0 test eax, eax
0040F1F0 . DBE2 fclex
0040F1F2 . 7D 0F jge short 0040F203
0040F1F4 . 6A 10 push 10
0040F1F6 . 68 28804000 push 00408028
0040F1FB . 56 push esi
0040F1FC . 50 push eax
0040F1FD . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040F203 > 8D4D DC lea ecx, dword ptr [ebp-24]
0040F206 . FFD3 call ebx
0040F208 . EB 49 jmp short 0040F253
0040F20A > 8D55 88 lea edx, dword ptr [ebp-78] ; 0040F073 jumps here
0040F20D . 8D4D C8 lea ecx, dword ptr [ebp-38]
0040F210 . C745 90 E0894>mov dword ptr [ebp-70], 004089E0 ; UNICODE "注册码错误!" (Wrong registration code!)
0040F217 . C745 88 08000>mov dword ptr [ebp-78], 8
0040F21E . FF15 68114000 call dword ptr [<&MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0040F224 . 8D45 98 lea eax, dword ptr [ebp-68]
0040F227 . 8D4D A8 lea ecx, dword ptr [ebp-58]
0040F22A . 50 push eax
0040F22B . 8D55 B8 lea edx, dword ptr [ebp-48]
0040F22E . 51 push ecx
0040F22F . 52 push edx
You can see that 0040F073 /0F84 91010000 je 0040F20A jumps to
0040F20A > \8D55 88 lea edx, dword ptr [ebp-78]
which is the "Wrong registration code!" message box. The fall-through path shows the success message and then calls rtcSaveSetting (VB's SaveSetting) with "81915", "WingFaster", "RegInfo" and the string "1" (from __vbaStrI2), so the registered state is persisted under HKCU\Software\VB and VBA Program Settings\81915\WingFaster\RegInfo; that is why it is worth checking for a second validation on restart.
Change 0040F073 0F84 91010000 je 0040F20A
to 0040F073 0F85 91010000 jnz 0040F20A
(only the second opcode byte changes, 84 -> 85; the 32-bit displacement stays the same).
Save, run it, then restart and check whether it validates again on startup.
OK, no restart validation.
Done.
--------------------------------------------------------------------------------
【Lessons learned】
I get nervous whenever I see a VB program.... especially P-code ones....
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for pyg; when reposting, please credit the author and keep the article intact. Thanks!
2007-09-13 17:25:23