GetVBRes 0.51
A resource viewer for VB programs
I was bored, so I grabbed it to try out
Download link: http://hackbase.com/soft/down.php?downid=10987&id=0
--------------------------------------------------------------
Process: clicking Register in this program gives no prompt at all (which immediately got me interested). I first looked for the button event, but couldn't trace my way to the key spot.
Searching the strings, I found that the registration info is stored at: software\restools\getvbres
A breakpoint on RegOpenKeyExA didn't break anywhere useful either.
So I tried RegQueryValueExA instead and pressed F9 to run.
The stack shows:
0012FC34 004651D3 /CALL 到 RegQueryValueExA 来自 GetVBRes.004651CE
0012FC38 00000070 |hKey = 70
0012FC3C 0049AFA8 |ValueName = "regcode"
0012FC40 00000000 |Reserved = NULL
0012FC44 0012FC50 |pValueType = 0012FC50
0012FC48 00000000 |Buffer = NULL
0012FC4C 0012FC6C \pBufSize = 0012FC6C
Alt+F9 to return to the program's own code.
F8 to single-step until reaching:
0049AE6D |. 84C0 test al, al
0049AE6F |. 74 10 je short 0049AE81
0049AE71 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0049AE74 |. BA A8AF4900 mov edx, 0049AFA8 ; regcode
0049AE79 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0049AE7C |. E8 BFA3FCFF call 00465240
0049AE81 |> 8B45 F0 mov eax, dword ptr [ebp-10]
0049AE84 |. E8 3B8FF6FF call 00403DC4
0049AE89 |. 83F8 28 cmp eax, 28
0049AE8C 0F85 91000000 jnz 0049AF23 // must not jump; NOP it out
0049AE92 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0049AE95 |. E8 2A8FF6FF call 00403DC4
0049AE9A |. 85C0 test eax, eax
0049AE9C |. 0F8E 81000000 jle 0049AF23
0049AEA2 |. 68 368C0000 push 8C36
0049AEA7 |. 8D45 EC lea eax, dword ptr [ebp-14]
0049AEAA |. 50 push eax
0049AEAB |. B9 85310000 mov ecx, 3185
0049AEB0 |. BA D8030000 mov edx, 3D8
0049AEB5 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0049AEB8 |. E8 47FBFFFF call 0049AA04
0049AEBD |. 8B55 EC mov edx, dword ptr [ebp-14]
0049AEC0 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0049AEC3 |. E8 148DF6FF call 00403BDC
0049AEC8 |. 8D55 E8 lea edx, dword ptr [ebp-18]
0049AECB |. 8B45 F4 mov eax, dword ptr [ebp-C]
0049AECE |. E8 C1F9FFFF call 0049A894
0049AED3 |. 8B45 E8 mov eax, dword ptr [ebp-18]
0049AED6 |. 8B55 F0 mov edx, dword ptr [ebp-10]
0049AED9 |. E8 F68FF6FF call 00403ED4
0049AEDE |. 75 0C jnz short 0049AEEC
0049AEE0 |. A1 F0CA4A00 mov eax, dword ptr [4ACAF0]
0049AEE5 |. 8B00 mov eax, dword ptr [eax]
0049AEE7 |. E8 5CFEFAFF call 0044AD48
0049AEEC |> 68 368C0000 push 8C36
0049AEF1 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0049AEF4 |. 50 push eax
0049AEF5 |. B9 85310000 mov ecx, 3185
0049AEFA |. BA D8030000 mov edx, 3D8
0049AEFF |. 8B45 F0 mov eax, dword ptr [ebp-10]
0049AF02 |. E8 EDF8FFFF call 0049A7F4
0049AF07 |. 8B55 E4 mov edx, dword ptr [ebp-1C]
0049AF0A |. 8D45 F0 lea eax, dword ptr [ebp-10]
0049AF0D |. E8 CA8CF6FF call 00403BDC
0049AF12 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0049AF15 |. 8B55 F0 mov edx, dword ptr [ebp-10]
0049AF18 |. E8 B78FF6FF call 00403ED4
0049AF1D 75 04 jnz short 0049AF23 // must not jump; NOP it out
0049AF1F |. C645 FF 01 mov byte ptr [ebp-1], 1 // here 1 is stored into [ebp-1] (the flag byte; patching this is the flag crack)
0049AF23 |> 33C0 xor eax, eax
0049AF25 |. 5A pop edx
0049AF26 |. 59 pop ecx
0049AF27 |. 59 pop ecx
0049AF28 |. 64:8910 mov dword ptr fs:[eax], edx
0049AF2B |. 68 40AF4900 push 0049AF40
0049AF30 |> 8B45 F8 mov eax, dword ptr [ebp-8]
0049AF33 |. E8 C07EF6FF call 00402DF8
0049AF38 \. C3 retn
0049AF39 .^ E9 1A86F6FF jmp 00403558
0049AF3E .^ EB F0 jmp short 0049AF30
0049AF40 . 33C0 xor eax, eax
0049AF42 . 5A pop edx
0049AF43 . 59 pop ecx
0049AF44 . 59 pop ecx
0049AF45 . 64:8910 mov dword ptr fs:[eax], edx
0049AF48 . 68 62AF4900 push 0049AF62
0049AF4D > 8D45 E4 lea eax, dword ptr [ebp-1C]
0049AF50 . BA 05000000 mov edx, 5
0049AF55 . E8 0E8CF6FF call 00403B68
0049AF5A . C3 retn
0049AF5B .^ E9 F885F6FF jmp 00403558
0049AF60 .^ EB EB jmp short 0049AF4D
0049AF62 . 8A45 FF mov al, byte ptr [ebp-1] // [ebp-1]=1 is loaded into al
0049AF65 . 8BE5 mov esp, ebp
0049AF67 . 5D pop ebp
0049AF68 . C3 retn
Patch successful.
I'm a beginner, so please don't laugh at the parts I wrote badly! I'm not sure whether this counts as a flag-byte crack~!