网页点击专家 2.68 去校验+爆破
下载地址:http://www.onlinedown.net/soft/50737.htm
本人初学破解 感谢PYG能让我学到不少知识
------------------------------------------------------------------------------------
在看雪上看到有人求破就这下下来试试 高手不用看了!
壳为:ASPack 2.12
脱壳后下断:bpx CreateFileA F9运行3次
断在00403243 |. E8 D8E0FFFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA
找到段首下断
004031A8 /$ 53 push ebx //段首
004031A9 |. 56 push esi
004031AA |. 57 push edi
004031AB |. 89D6 mov esi, edx
004031AD |. 89CF mov edi, ecx
004031AF |. 31D2 xor edx, edx
004031B1 |. 89C3 mov ebx, eax
004031B3 |. 66:8B50 04 mov dx, word ptr [eax+4]
004031B7 |. 81EA B0D70000 sub edx, 0D7B0 ; Switch (cases D7B0..D7B3)
004031BD |. 74 15 je short 004031D4
004031BF |. 83FA 03 cmp edx, 3
004031C2 |. 0F87 A2000000 ja 0040326A
004031C8 |. FF53 24 call dword ptr [ebx+24] ; Cases D7B1,D7B2,D7B3 of switch 004031B7
004031CB |. 85C0 test eax, eax
004031CD |. 74 05 je short 004031D4
004031CF |. E8 E4F7FFFF call 004029B8
004031D4 |> 66:C743 04 B3>mov word ptr [ebx+4], 0D7B3 ; Case D7B0 of switch 004031B7
004031DA |. 8973 08 mov dword ptr [ebx+8], esi
004031DD |. C743 24 80314>mov dword ptr [ebx+24], 00403180
004031E4 |. C743 1C 982C4>mov dword ptr [ebx+1C], 00402C98
004031EB |. 807B 48 00 cmp byte ptr [ebx+48], 0
004031EF 74 60 je short 00403251 //这里要跳
004031F1 |. B8 000000C0 mov eax, C0000000
004031F6 |. 8A15 08205300 mov dl, byte ptr [532008]
004031FC |. 83E2 70 and edx, 70
004031FF |. C1EA 02 shr edx, 2
00403202 |. 8B92 68205300 mov edx, dword ptr [edx+532068]
00403208 |. B9 02000000 mov ecx, 2
0040320D |. 83EF 03 sub edi, 3
00403210 |. 74 21 je short 00403233
00403212 |. B9 03000000 mov ecx, 3
00403217 |. 47 inc edi
00403218 |. 74 19 je short 00403233
0040321A |. B8 00000040 mov eax, 40000000
0040321F |. 47 inc edi
00403220 |. 66:C743 04 B2>mov word ptr [ebx+4], 0D7B2
00403226 |. 74 0B je short 00403233
00403228 |. B8 00000080 mov eax, 80000000
0040322D |. 66:C743 04 B1>mov word ptr [ebx+4], 0D7B1
00403233 |> 6A 00 push 0 ; /hTemplateFile = NULL
00403235 |. 68 80000000 push 80 ; |Attributes = NORMAL
0040323A |. 51 push ecx ; |Mode
0040323B |. 6A 00 push 0 ; |pSecurity = NULL
0040323D |. 52 push edx ; |ShareMode
0040323E |. 50 push eax ; |Access
0040323F |. 8D43 48 lea eax, dword ptr [ebx+48] ; |
00403242 |. 50 push eax ; |FileName
00403243 |. E8 D8E0FFFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA
爆破
搜索字符串“未注册” 找到段首
0052AAA8 /. 55 push ebp
0052AAA9 |. 8BEC mov ebp, esp
0052AAAB |. B9 18000000 mov ecx, 18
0052AAB0 |> 6A 00 /push 0
0052AAB2 |. 6A 00 |push 0
0052AAB4 |. 49 |dec ecx
0052AAB5 |.^ 75 F9 \jnz short 0052AAB0
0052AAB7 |. 53 push ebx
0052AAB8 |. 56 push esi
0052AAB9 |. 57 push edi
0052AABA |. 8BD8 mov ebx, eax
0052AABC |. 33C0 xor eax, eax
0052AABE |. 55 push ebp
0052AABF |. 68 AAB15200 push 0052B1AA
0052AAC4 |. 64:FF30 push dword ptr fs:[eax]
0052AAC7 |. 64:8920 mov dword ptr fs:[eax], esp
0052AACA |. 33C0 xor eax, eax
0052AACC |. 8983 D4070000 mov dword ptr [ebx+7D4], eax
0052AAD2 |. BE 01000000 mov esi, 1
0052AAD7 |> 8B0D A8535300 /mov ecx, dword ptr [5353A8] ; defclick.00536B4C
0052AADD |. 8B09 |mov ecx, dword ptr [ecx]
0052AADF |. B2 01 |mov dl, 1
0052AAE1 |. A1 3C0C5100 |mov eax, dword ptr [510C3C]
0052AAE6 |. E8 C526FEFF |call 0050D1B0
0052AAEB |. 8BF8 |mov edi, eax
0052AAED |. 89BCB3 A80700>|mov dword ptr [ebx+esi*4+7A8], edi
0052AAF4 |. 899F AC020000 |mov dword ptr [edi+2AC], ebx
0052AAFA |. C787 A8020000>|mov dword ptr [edi+2A8], 0052D9AC
0052AB04 |. 83C9 FF |or ecx, FFFFFFFF
0052AB07 |. BA 27020000 |mov edx, 227
0052AB0C |. 8BC7 |mov eax, edi
0052AB0E |. E8 553BFEFF |call 0050E668
0052AB13 |. 46 |inc esi
0052AB14 |. 83FE 0B |cmp esi, 0B
0052AB17 |.^ 75 BE \jnz short 0052AAD7
0052AB19 |. A1 F0505300 mov eax, dword ptr [5350F0]
0052AB1E |. BA C4B15200 mov edx, 0052B1C4 ; yyyy-mm-dd
0052AB23 |. E8 1C9DEDFF call 00404844
0052AB28 |. A1 344F5300 mov eax, dword ptr [534F34]
0052AB2D |. BA D8B15200 mov edx, 0052B1D8 ; hh:nn:ss
0052AB32 |. E8 0D9DEDFF call 00404844
0052AB37 |. A1 B8545300 mov eax, dword ptr [5354B8]
0052AB3C |. BA ECB15200 mov edx, 0052B1EC ; yyyy-mm-dd hh:nn:ss
0052AB41 |. E8 FE9CEDFF call 00404844
0052AB46 |. A1 FC4F5300 mov eax, dword ptr [534FFC]
0052AB4B |. C600 2D mov byte ptr [eax], 2D
0052AB4E |. A1 5C4E5300 mov eax, dword ptr [534E5C]
0052AB53 |. C600 3A mov byte ptr [eax], 3A
0052AB56 |. C683 D8070000>mov byte ptr [ebx+7D8], 0
0052AB5D |. 8D45 FC lea eax, dword ptr [ebp-4]
0052AB60 |. E8 67FAFFFF call 0052A5CC
0052AB65 |. 8B45 FC mov eax, dword ptr [ebp-4]
0052AB68 |. E8 A7FDFFFF call 0052A914
0052AB6D |. 8883 D8070000 mov byte ptr [ebx+7D8], al
0052AB73 |. 8B83 04030000 mov eax, dword ptr [ebx+304]
0052AB79 |. E8 42D6FFFF call 005281C0
0052AB7E |. 8B83 08040000 mov eax, dword ptr [ebx+408]
0052AB84 |. E8 1FFEFDFF call 0050A9A8
0052AB89 |. BA 08B25200 mov edx, 0052B208 ; select * from dconfig where isselect<>0
0052AB8E |. 8B08 mov ecx, dword ptr [eax]
0052AB90 |. FF51 2C call dword ptr [ecx+2C]
0052AB93 |. 8B83 08040000 mov eax, dword ptr [ebx+408]
0052AB99 |. E8 3A19F7FF call 0049C4D8
0052AB9E |. 8B83 08040000 mov eax, dword ptr [ebx+408]
0052ABA4 |. E8 EF3CF7FF call 0049E898
0052ABA9 |. 84C0 test al, al
0052ABAB |. 0F85 81000000 jnz 0052AC32
0052ABB1 |. 8D4D EC lea ecx, dword ptr [ebp-14]
0052ABB4 |. BA 38B25200 mov edx, 0052B238 ; showstr
0052ABB9 |. 8B83 08040000 mov eax, dword ptr [ebx+408]
0052ABBF |. E8 0C28F7FF call 0049D3D0
0052ABC4 |. 8D55 EC lea edx, dword ptr [ebp-14]
0052ABC7 |. A1 98555300 mov eax, dword ptr [535598]
0052ABCC |. E8 2B9DEEFF call 004148FC
0052ABD1 |. 8D4D DC lea ecx, dword ptr [ebp-24]
0052ABD4 |. BA 48B25200 mov edx, 0052B248 ; url
0052ABD9 |. 8B83 08040000 mov eax, dword ptr [ebx+408]
0052ABDF |. E8 EC27F7FF call 0049D3D0
0052ABE4 |. 8D55 DC lea edx, dword ptr [ebp-24]
0052ABE7 |. A1 24515300 mov eax, dword ptr [535124]
0052ABEC |. E8 0B9DEEFF call 004148FC
0052ABF1 |. 8D4D C8 lea ecx, dword ptr [ebp-38]
0052ABF4 |. BA 54B25200 mov edx, 0052B254 ; appname
0052ABF9 |. 8B83 08040000 mov eax, dword ptr [ebx+408]
0052ABFF |. E8 CC27F7FF call 0049D3D0
0052AC04 |. 8D55 C8 lea edx, dword ptr [ebp-38]
0052AC07 |. 8D45 D8 lea eax, dword ptr [ebp-28]
0052AC0A |. E8 ED9CEEFF call 004148FC
0052AC0F |. 8B55 D8 mov edx, dword ptr [ebp-28]
0052AC12 |. 8BC3 mov eax, ebx
0052AC14 |. E8 03A1F3FF call 00464D1C
0052AC19 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
0052AC1C |. 8BC3 mov eax, ebx
0052AC1E |. E8 C9A0F3FF call 00464CEC
0052AC23 |. 8B55 C4 mov edx, dword ptr [ebp-3C]
0052AC26 |. A1 A8535300 mov eax, dword ptr [5353A8]
0052AC2B |. 8B00 mov eax, dword ptr [eax]
0052AC2D |. E8 5A2DF3FF call 0045D98C
0052AC32 |> 8B83 08040000 mov eax, dword ptr [ebx+408]
0052AC38 |. E8 5B3CF7FF call 0049E898
0052AC3D |. 84C0 test al, al
0052AC3F |. 0F85 9A040000 jnz 0052B0DF
0052AC45 |. 80BB D8070000>cmp byte ptr [ebx+7D8], 0
0052AC4C |. 75 0B jnz short 0052AC59
0052AC4E |. 8B83 AC030000 mov eax, dword ptr [ebx+3AC]
0052AC54 |. 8B10 mov edx, dword ptr [eax]
0052AC56 |. FF52 44 call dword ptr [edx+44]
0052AC59 |> 8D45 C0 lea eax, dword ptr [ebp-40]
0052AC5C |. E8 6BF9FFFF call 0052A5CC
0052AC61 |. 8B45 C0 mov eax, dword ptr [ebp-40]
0052AC64 |. E8 ABFCFFFF call 0052A914 //关键CALL F7进去
0052AC69 |. 8883 D8070000 mov byte ptr [ebx+7D8], al //al要是1
0052AC6F |. 80BB D8070000>cmp byte ptr [ebx+7D8], 0 //ebx+7D8=0则不跳
0052AC76 |. 75 5C jnz short 0052ACD4 //关键跳
0052AC78 |. 6A 20 push 20 ; /Style = MB_OK|MB_ICONQUESTION|MB_APPLMODAL
0052AC7A |. 68 5CB25200 push 0052B25C ; |系统提示
0052AC7F |. 68 68B25200 push 0052B268 ; |没有注册!
0052AC84 |. A1 A8535300 mov eax, dword ptr [5353A8] ; |
0052AC89 |. 8B00 mov eax, dword ptr [eax] ; |
0052AC8B |. 8B40 30 mov eax, dword ptr [eax+30] ; |
0052AC8E |. 50 push eax ; |hOwner
0052AC8F |. E8 C4CDEDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0052AC94 |. 8D55 BC lea edx, dword ptr [ebp-44]
0052AC97 |. 8BC3 mov eax, ebx
0052AC99 |. E8 4EA0F3FF call 00464CEC
0052AC9E |. 8D45 BC lea eax, dword ptr [ebp-44]
0052ACA1 |. BA 7CB25200 mov edx, 0052B27C ; (未注册!)
0052ACA6 |. E8 0D9EEDFF call 00404AB8
0052ACAB |. 8B55 BC mov edx, dword ptr [ebp-44]
0052ACAE |. 8BC3 mov eax, ebx
0052ACB0 |. E8 67A0F3FF call 00464D1C
0052ACB5 |. 6A 01 push 1
0052ACB7 |. 6A 00 push 0
0052ACB9 |. 6A 00 push 0
0052ACBB |. 68 88B25200 push 0052B288 ; http://www.softong.com/webclick/luck.htm
0052ACC0 |. 68 B4B25200 push 0052B2B4 ; open
0052ACC5 |. 8BC3 mov eax, ebx
0052ACC7 |. E8 200AF4FF call 0046B6EC
0052ACCC |. 50 push eax ; |hWnd
0052ACCD |. E8 32A1F0FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
0052ACD2 |. EB 1D jmp short 0052ACF1
0052ACD4 |> BA C4B25200 mov edx, 0052B2C4 ; 正式版
0052ACD9 |. 8B83 AC030000 mov eax, dword ptr [ebx+3AC]
0052ACDF |. E8 9C93F4FF call 00474080
0052ACE4 |. 33D2 xor edx, edx
0052ACE6 |. 8B83 AC030000 mov eax, dword ptr [ebx+3AC]
F7进来
0052A914 $ 55 push ebp
0052A915 . 8BEC mov ebp, esp
0052A917 . B9 05000000 mov ecx, 5
0052A91C > 6A 00 push 0
0052A91E . 6A 00 push 0
0052A920 . 49 dec ecx
0052A921 .^ 75 F9 jnz short 0052A91C
0052A923 . 51 push ecx
0052A924 . 53 push ebx
0052A925 . 56 push esi
0052A926 . 57 push edi
0052A927 . 8945 FC mov dword ptr [ebp-4], eax
0052A92A . 8B45 FC mov eax, dword ptr [ebp-4]
0052A92D . E8 6EA3EDFF call 00404CA0
0052A932 . 33C0 xor eax, eax
0052A934 . 55 push ebp
0052A935 . 68 95AA5200 push 0052AA95
0052A93A . 64:FF30 push dword ptr fs:[eax]
0052A93D . 64:8920 mov dword ptr fs:[eax], esp
0052A940 . C645 FB 00 mov byte ptr [ebp-5], 0
0052A944 . 33C0 xor eax, eax
0052A946 . 55 push ebp
0052A947 . 68 5DAA5200 push 0052AA5D
0052A94C . 64:FF30 push dword ptr fs:[eax]
0052A94F . 64:8920 mov dword ptr fs:[eax], esp
0052A952 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0052A955 . BA 04000000 mov edx, 4
0052A95A . 8B45 FC mov eax, dword ptr [ebp-4]
0052A95D . E8 5A05F1FF call 0043AEBC
0052A962 . 8B45 E8 mov eax, dword ptr [ebp-18]
0052A965 . 50 push eax
0052A966 . 8D45 E0 lea eax, dword ptr [ebp-20]
0052A969 . 50 push eax
0052A96A . 8B45 FC mov eax, dword ptr [ebp-4]
0052A96D . E8 3EA1EDFF call 00404AB0
0052A972 . 8BC8 mov ecx, eax
0052A974 . 83E9 04 sub ecx, 4
0052A977 . BA 01000000 mov edx, 1
0052A97C . 8B45 FC mov eax, dword ptr [ebp-4]
0052A97F . E8 8CA3EDFF call 00404D10
0052A984 . 8B45 E0 mov eax, dword ptr [ebp-20]
0052A987 . 8D55 E4 lea edx, dword ptr [ebp-1C]
0052A98A . E8 C5C4FEFF call 00516E54
0052A98F . 8B45 E4 mov eax, dword ptr [ebp-1C]
0052A992 . 5A pop edx
0052A993 . E8 ECE6EDFF call 00409084
0052A998 . 85C0 test eax, eax
0052A99A 74 0D je short 0052A9A9 //改成跳
0052A99C . 33C0 xor eax, eax
0052A99E . 5A pop edx
0052A99F . 59 pop ecx
0052A9A0 . 59 pop ecx
0052A9A1 . 64:8910 mov dword ptr fs:[eax], edx
0052A9A4 . E9 C9000000 jmp 0052AA72
0052A9A9 > 8D45 FC lea eax, dword ptr [ebp-4]
0052A9AC . 50 push eax
0052A9AD . 8B45 FC mov eax, dword ptr [ebp-4]
0052A9B0 . E8 FBA0EDFF call 00404AB0
0052A9B5 . 8BC8 mov ecx, eax
0052A9B7 . 83E9 04 sub ecx, 4
0052A9BA . BA 01000000 mov edx, 1
0052A9BF . 8B45 FC mov eax, dword ptr [ebp-4]
0052A9C2 . E8 49A3EDFF call 00404D10
0052A9C7 . 8D45 FC lea eax, dword ptr [ebp-4]
0052A9CA . 33D2 xor edx, edx
0052A9CC . E8 43CAFEFF call 00517414
0052A9D1 . 8D45 FC lea eax, dword ptr [ebp-4]
0052A9D4 . 33D2 xor edx, edx
0052A9D6 . E8 DDC5FEFF call 00516FB8
0052A9DB . 8D55 EC lea edx, dword ptr [ebp-14]
0052A9DE . 8B45 FC mov eax, dword ptr [ebp-4]
0052A9E1 . E8 FECEFEFF call 005178E4
0052A9E6 . 84C0 test al, al
0052A9E8 . 75 0A jnz short 0052A9F4
0052A9EA . 33C0 xor eax, eax
0052A9EC . 5A pop edx
0052A9ED . 59 pop ecx
0052A9EE . 59 pop ecx
0052A9EF . 64:8910 mov dword ptr fs:[eax], edx
0052A9F2 . EB 7E jmp short 0052AA72
0052A9F4 > 8D4D F0 lea ecx, dword ptr [ebp-10]
0052A9F7 . 8D55 F4 lea edx, dword ptr [ebp-C]
0052A9FA . 8B45 EC mov eax, dword ptr [ebp-14]
0052A9FD . E8 46D2FEFF call 00517C48
0052AA02 . 84C0 test al, al
0052AA04 75 0A jnz short 0052AA10 //改成跳
0052AA06 . 33C0 xor eax, eax
0052AA08 . 5A pop edx
0052AA09 . 59 pop ecx
0052AA0A . 59 pop ecx
0052AA0B . 64:8910 mov dword ptr fs:[eax], edx
0052AA0E . EB 62 jmp short 0052AA72
0052AA10 > 8D4D DC lea ecx, dword ptr [ebp-24]
0052AA13 . BA 0B000000 mov edx, 0B
0052AA18 . 8B45 F0 mov eax, dword ptr [ebp-10]
0052AA1B . E8 FCC1FEFF call 00516C1C
0052AA20 . 8B45 DC mov eax, dword ptr [ebp-24]
0052AA23 . 50 push eax
0052AA24 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0052AA27 . E8 90C3FEFF call 00516DBC
0052AA2C . 8B45 D4 mov eax, dword ptr [ebp-2C]
0052AA2F . 8D4D D8 lea ecx, dword ptr [ebp-28]
0052AA32 . BA 12000000 mov edx, 12
0052AA37 . E8 E0C1FEFF call 00516C1C
0052AA3C . 8B45 D8 mov eax, dword ptr [ebp-28]
0052AA3F . 5A pop edx
0052AA40 . E8 3FE6EDFF call 00409084
0052AA45 . 85C0 test eax, eax
0052AA47 74 0A je short 0052AA53 //改成跳
0052AA49 . 33C0 xor eax, eax
0052AA4B . 5A pop edx
0052AA4C . 59 pop ecx
0052AA4D . 59 pop ecx
0052AA4E . 64:8910 mov dword ptr fs:[eax], edx
0052AA51 . EB 1F jmp short 0052AA72
0052AA53 > 33C0 xor eax, eax
0052AA55 . 5A pop edx
0052AA56 . 59 pop ecx
0052AA57 . 59 pop ecx
0052AA58 . 64:8910 mov dword ptr fs:[eax], edx
0052AA5B . EB 11 jmp short 0052AA6E
0052AA5D .^ E9 5A93EDFF jmp 00403DBC
0052AA62 . E8 8197EDFF call 004041E8
0052AA67 . EB 09 jmp short 0052AA72
0052AA69 . E8 7A97EDFF call 004041E8
0052AA6E > C645 FB 01 mov byte ptr [ebp-5], 1 //1给了ebp-5 (标志位爆破)
0052AA72 > 33C0 xor eax, eax
0052AA74 . 5A pop edx
0052AA75 . 59 pop ecx
0052AA76 . 59 pop ecx
0052AA77 . 64:8910 mov dword ptr fs:[eax], edx
0052AA7A . 68 9CAA5200 push 0052AA9C
0052AA7F > 8D45 D4 lea eax, dword ptr [ebp-2C]
0052AA82 . BA 09000000 mov edx, 9
0052AA87 . E8 889DEDFF call 00404814
0052AA8C . 8D45 FC lea eax, dword ptr [ebp-4]
0052AA8F . E8 5C9DEDFF call 004047F0
0052AA94 . C3 retn
0052AA95 .^ E9 D695EDFF jmp 00404070
0052AA9A .^ EB E3 jmp short 0052AA7F
0052AA9C . 8A45 FB mov al, byte ptr [ebp-5] //ebp-5又给了al
0052AA9F . 5F pop edi
0052AAA0 . 5E pop esi
0052AAA1 . 5B pop ebx
0052AAA2 . 8BE5 mov esp, ebp
0052AAA4 . 5D pop ebp
0052AAA5 . C3 retn
0052AC69 |. 8883 D8070000 mov byte ptr [ebx+7D8], al //al=1给了ebx+7D8
0052AC6F |. 80BB D8070000>cmp byte ptr [ebx+7D8], 0 //1和0比较
0052AC76 |. 75 5C jnz short 0052ACD4 //跳过未注册
0052AC78 |. 6A 20 push 20 ; /Style = MB_OK|MB_ICONQUESTION|MB_APPLMODAL
0052AC7A |. 68 5CB25200 push 0052B25C ; |系统提示
0052AC7F |. 68 68B25200 push 0052B268 ; |没有注册!
0052AC84 |. A1 A8535300 mov eax, dword ptr [5353A8] ; |
0052AC89 |. 8B00 mov eax, dword ptr [eax] ; |
0052AC8B |. 8B40 30 mov eax, dword ptr [eax+30] ; |
0052AC8E |. 50 push eax ; |hOwner
0052AC8F |. E8 C4CDEDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0052AC94 |. 8D55 BC lea edx, dword ptr [ebp-44]
0052AC97 |. 8BC3 mov eax, ebx
0052AC99 |. E8 4EA0F3FF call 00464CEC
0052AC9E |. 8D45 BC lea eax, dword ptr [ebp-44]
0052ACA1 |. BA 7CB25200 mov edx, 0052B27C ; (未注册!)
爆破成功