Excel汇总专家6简单爆破

menglv · 发表于 2015-5-22 10:56:13

本帖最后由 menglv 于 2015-5-22 14:55 编辑

程序无壳，直接载入od，随便输入注册码，弹出注册码错误对话框后，按ALT+K。
调用堆栈：    主线程
地址    堆栈    函数过程 / 参数                      调用来自                   结构
0012EF3C 5559C8E9 包含Excel汇?0040D6E2                   mfc100.5559C8E7             0012EF38
0012EF48 5559CACB mfc100.5559C8AE                      mfc100.5559CAC6             0012EF44
0012EF64 555C6248 mfc100.#8304                         mfc100.555C6243             0012EF60
0012EF88 55626AFD 包含mfc100.555C6248                   mfc100.55626AFA             0012EF84
0012EFD8 55626300 包含mfc100.55626AFD                   mfc100.556262FA             0012EFD4
0012F0A4 55626273 包含mfc100.55626300                   mfc100.5562626D             0012F0A0
0012F0C4 55624696 包含mfc100.55626273                   mfc100.55624690             0012F0C0
0012F13C 55624922 ? mfc100.#1858                      mfc100.5562491D             0012F138
0012F160 5551CAE6 ? mfc100.#2090                      mfc100.5551CAE1             0012F15C
0012F1A8 764C86EF 包含mfc100.5551CAE6                   user32.764C86EC             0012F1A4
0012F1D4 764C8876 ? user32.764C86CC                   user32.764C8871             0012F1D0
0012F24C 764C43CF ? user32.764C87C3                   user32.764C43CA             0012F248
0012F27C 764E41F9 ? user32.764C437E                   user32.764E41F4             0012F278
0012F29C 1002285C ? user32.CallWindowProcA             SkinH.10022856             0012F298
0012F2A0 5551CA90    PrevProc = mfc100.5551CA90
0012F2A4 00070498    hWnd = 00070498 ('欢迎',class='#32
0012F2A8 00000111    Message = WM_COMMAND
0012F2AC 00000001    age = Notify = MENU/BN_CLICKED...
0012F2B0 00040496    hControage = 00040496 ('确定',clas
0012F2B8 1001F315 ? SkinH.10022590                   SkinH.1001F310

我们定位最上面的call 0040D6E2

0040D6D2 E8 7963FFFF    CALL Excel汇?00403A50                   ; 关键call
0040D6D7 83C4 04       ADD ESP,0x4
0040D6DA 85C0          TEST EAX,EAX
0040D6DC 0F85 94000000 JNZ Excel汇?0040D776                   ; 关键跳转
0040D6E2 68 F4010000    PUSH 0x1F4
0040D6E7 FF15 70704100 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
0040D6ED 68 A0A34100    PUSH Excel汇?0041A3A0                   ; REG_DLG_ENTER_CORRECT_KEY
0040D6F2 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-0x1C]
0040D6F5 FF15 34734100 CALL DWORD PTR DS:[<&mfc100.#310>]    ; mfc100.#310
0040D6FB 68 FC8F4100    PUSH Excel汇?00418FFC                   ; HYPEFRAME
0040D700 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-0x20]
0040D703 C645 FC 07    MOV BYTE PTR SS:[EBP-0x4],0x7
0040D707 FF15 34734100 CALL DWORD PTR DS:[<&mfc100.#310>]    ; mfc100.#310
0040D70D 8D45 E4       LEA EAX,DWORD PTR SS:[EBP-0x1C]
0040D710 50             PUSH EAX
0040D711 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-0x20]
0040D714 51             PUSH ECX
0040D715 8D55 E8       LEA EDX,DWORD PTR SS:[EBP-0x18]
0040D718 52             PUSH EDX
0040D719 C645 FC 08    MOV BYTE PTR SS:[EBP-0x4],0x8
0040D71D E8 CE500000    CALL Excel汇?004127F0
0040D722 83C4 0C       ADD ESP,0xC
0040D725 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-0x20]
0040D728 FF15 BC794100 CALL DWORD PTR DS:[<&mfc100.#901>]    ; mfc100.#13970
0040D72E 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-0x1C]
0040D731 C645 FC 0B    MOV BYTE PTR SS:[EBP-0x4],0xB
0040D735 FF15 BC794100 CALL DWORD PTR DS:[<&mfc100.#901>]    ; mfc100.#13970
0040D73B E8 4E5F0000    CALL <JMP.&mfc100.#1939>
0040D740 85C0          TEST EAX,EAX
0040D742 74 0D          JE SHORT Excel汇?0040D751
0040D744 8B10          MOV EDX,DWORD PTR DS:[EAX]
0040D746 8BC8          MOV ECX,EAX
0040D748 8B42 7C       MOV EAX,DWORD PTR DS:[EDX+0x7C]
0040D74B FFD0          CALL EAX
0040D74D 8BF0          MOV ESI,EAX
0040D74F EB 02          JMP SHORT Excel汇?0040D753
0040D751 33F6          XOR ESI,ESI
0040D753 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-0x18]
0040D756 FF15 D0794100 CALL DWORD PTR DS:[<&mfc100.#1448>]    ; mfc100.#6207
0040D75C 8B4E 20       MOV ECX,DWORD PTR DS:[ESI+0x20]
0040D75F 6A 00          PUSH 0x0
0040D761 50             PUSH EAX
0040D762 68 670F0000    PUSH 0xF67
0040D767 51             PUSH ECX
0040D768 FF15 C8724100 CALL DWORD PTR DS:[<&USER32.SendMessageA>; user32.SendMessageA
0040D76E 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-0x18]
0040D771 E9 97000000    JMP Excel汇?0040D80D
0040D776 8D55 F0       LEA EDX,DWORD PTR SS:[EBP-0x10]
0040D779 52             PUSH EDX
0040D77A E8 4159FFFF    CALL Excel汇?004030C0
0040D77F 83C4 04       ADD ESP,0x4
0040D782 68 90A34100    PUSH Excel汇?0041A390                   ; REG_DLG_KEY_OK
0040D787 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-0x1C]
0040D78A FF15 34734100 CALL DWORD PTR DS:[<&mfc100.#310>]    ; mfc100.#310
0040D790 68 FC8F4100    PUSH Excel汇?00418FFC                   ; HYPEFRAME
0040D795 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-0x20]

可以看出上面也有很明显的字符串提示。我们跟进CALL Excel汇?00403A50

00403A50  /$ 55          PUSH EBP
00403A51  |. 8BEC          MOV EBP,ESP
00403A53  |. 6A FF       PUSH -0x1
00403A55  |. 68 784F4100 PUSH Excel汇?00414F78
00403A5A  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00403A60  |. 50          PUSH EAX
00403A61  |. 83EC 1C       SUB ESP,0x1C
00403A64  |. 53          PUSH EBX
00403A65  |. 56          PUSH ESI
00403A66  |. A1 DCF54100 MOV EAX,DWORD PTR DS:[0x41F5DC]
00403A6B  |. 33C5          XOR EAX,EBP
00403A6D  |. 50          PUSH EAX
00403A6E  |. 8D45 F4       LEA EAX,DWORD PTR SS:[EBP-0xC]
00403A71  |. 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00403A77  |. 68 38914100 PUSH Excel汇?00419138                   ;  ProductCode
00403A7C  |. 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-0x18]
00403A7F  |. FF15 34734100  CALL DWORD PTR DS:[<&mfc100.#310>]    ;  mfc100.#310
00403A85  |. 8D45 E8       LEA EAX,DWORD PTR SS:[EBP-0x18]
00403A88  |. 50          PUSH EAX
00403A89  |. 8D4D EC       LEA ECX,DWORD PTR SS:[EBP-0x14]
00403A8C  |. 51          PUSH ECX
00403A8D  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-0x4],0x0
00403A94  |. E8 B7FDFFFF CALL Excel汇?00403850
00403A99  |. 83C4 08       ADD ESP,0x8
00403A9C  |. 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-0x18]
00403A9F  |. C645 FC 02    MOV BYTE PTR SS:[EBP-0x4],0x2
00403AA3  |. FF15 BC794100  CALL DWORD PTR DS:[<&mfc100.#901>]    ;  mfc100.#13970
00403AA9  |. 68 2C914100 PUSH Excel汇?0041912C                   ;  VersionCode
00403AAE  |. 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-0x1C]
00403AB1  |. FF15 34734100  CALL DWORD PTR DS:[<&mfc100.#310>]    ;  mfc100.#310
00403AB7  |. 8D55 E4       LEA EDX,DWORD PTR SS:[EBP-0x1C]
00403ABA  |. 52          PUSH EDX
00403ABB  |. 8D45 F0       LEA EAX,DWORD PTR SS:[EBP-0x10]
00403ABE  |. 50          PUSH EAX
00403ABF  |. C645 FC 03    MOV BYTE PTR SS:[EBP-0x4],0x3
00403AC3  |. E8 88FDFFFF CALL Excel汇?00403850
00403AC8  |. 83C4 08       ADD ESP,0x8
00403ACB  |. B3 05       MOV BL,0x5
00403ACD  |. 8D4D E4       LEA ECX,DWORD PTR SS:[EBP-0x1C]
00403AD0  |. 885D FC       MOV BYTE PTR SS:[EBP-0x4],BL
00403AD3  |. FF15 BC794100  CALL DWORD PTR DS:[<&mfc100.#901>]    ;  mfc100.#13970
00403AD9  |. E8 B2FEFFFF CALL Excel汇?00403990
00403ADE  |. 83F8 01       CMP EAX,0x1
00403AE1  |. 0F85 9E000000  JNZ Excel汇?00403B85
00403AE7  |. 51          PUSH ECX
00403AE8  |. 8D55 F0       LEA EDX,DWORD PTR SS:[EBP-0x10]
00403AEB  |. 8BCC          MOV ECX,ESP
00403AED  |. 8965 DC       MOV DWORD PTR SS:[EBP-0x24],ESP
00403AF0  |. 52          PUSH EDX
00403AF1  |. FF15 C0794100  CALL DWORD PTR DS:[<&mfc100.#300>]    ;  mfc100.#300
00403AF7  |. 51          PUSH ECX
00403AF8  |. 8D45 EC       LEA EAX,DWORD PTR SS:[EBP-0x14]
00403AFB  |. 8BCC          MOV ECX,ESP
00403AFD  |. 8965 D8       MOV DWORD PTR SS:[EBP-0x28],ESP
00403B00  |. 50          PUSH EAX
00403B01  |. C645 FC 06    MOV BYTE PTR SS:[EBP-0x4],0x6
00403B05  |. FF15 C0794100  CALL DWORD PTR DS:[<&mfc100.#300>]    ;  mfc100.#300
00403B0B  |. 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-0x20]
00403B0E  |. 51          PUSH ECX
00403B0F  |. 885D FC       MOV BYTE PTR SS:[EBP-0x4],BL
00403B12  |. E8 29B30000 CALL Excel汇?0040EE40
00403B17  |. 50          PUSH EAX
00403B18  |. 8D55 E8       LEA EDX,DWORD PTR SS:[EBP-0x18]
00403B1B  |. 52          PUSH EDX
00403B1C  |. C645 FC 07    MOV BYTE PTR SS:[EBP-0x4],0x7
00403B20  |. E8 5BB80000 CALL Excel汇?0040F380
00403B25  |. 83C4 14       ADD ESP,0x14
00403B28  |. 8BC8          MOV ECX,EAX
00403B2A  |. C645 FC 08    MOV BYTE PTR SS:[EBP-0x4],0x8
00403B2E  |. FF15 D0794100  CALL DWORD PTR DS:[<&mfc100.#1448>]    ;  mfc100.#6207
00403B34  |. 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+0x8]
00403B37  |. 50          PUSH EAX
00403B38  |. FF15 D4794100  CALL DWORD PTR DS:[<&mfc100.#2611>]    ;  mfc100.#2611
00403B3E  |. 85C0          TEST EAX,EAX
00403B40  |. 8D4D E8       LEA ECX,DWORD PTR SS:[EBP-0x18]
00403B43  |. 0F94C3       SETE BL
00403B46  |. FF15 BC794100  CALL DWORD PTR DS:[<&mfc100.#901>]    ;  mfc100.#13970
00403B4C  |. 8D4D E0       LEA ECX,DWORD PTR SS:[EBP-0x20]
00403B4F  |. FF15 BC794100  CALL DWORD PTR DS:[<&mfc100.#901>]    ;  mfc100.#13970
00403B55  |. 8D4D F0       LEA ECX,DWORD PTR SS:[EBP-0x10]
00403B58  |. FF15 BC794100  CALL DWORD PTR DS:[<&mfc100.#901>]    ;  mfc100.#13970
00403B5E  |. 8D4D EC       LEA ECX,DWORD PTR SS:[EBP-0x14]
00403B61  |. FF15 BC794100  CALL DWORD PTR DS:[<&mfc100.#901>]    ;  mfc100.#13970
00403B67  |. 84DB          TEST BL,BL
00403B69  |. 0F84 9B000000  JE Excel汇?00403C0A                      ;  关键跳转
00403B6F  |. B8 01000000 MOV EAX,0x1
00403B74  |. 8B4D F4       MOV ECX,DWORD PTR SS:[EBP-0xC]
00403B77  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00403B7E  |. 59          POP ECX
00403B7F  |. 5E          POP ESI
00403B80  |. 5B          POP EBX
00403B81  |. 8BE5          MOV ESP,EBP
00403B83  |. 5D          POP EBP
00403B84  |. C3          RETN

本地调用来自 004059BF, 00405BE4, 0040D6D2, 0040E4CE

简单测试，只需修改上面的call返回eax=1，做和谐补丁也很容易。

冷月孤心 · 发表于 2015-5-22 12:20:46

这个主程序是无壳的，亲

xiangyabing1 · 发表于 2015-5-22 13:40:50

提示: 作者被禁止或删除内容自动屏蔽

menglv · 发表于 2015-5-22 14:33:41

本帖最后由 menglv 于 2015-5-22 15:25 编辑

还有两处文件数比较在ExcelAssistant.dll里面，直接跳转即可。
0191D758 /0F84 CF010000 je    0191D92D
0191D75E |837B 24 02    cmp    dword ptr [ebx+0x24], 0x2             ; 文件数比较
0191D762 |0F8E DF000000 jle    0191D847                                        ; 跳走即可
0191D768 |837B 44 00    cmp    dword ptr [ebx+0x44], 0x0
0191D76C |0F84 88000000 je    0191D7FA
0191D772 |8B4D A8       mov    ecx, dword ptr [ebp-0x58]
0191D775 |8B55 C4       mov    edx, dword ptr [ebp-0x3C]
0191D778 |8B45 B0       mov    eax, dword ptr [ebp-0x50]
0191D77B |51             push ecx
0191D77C |52             push edx
0191D77D |C743 44 0000000>mov    dword ptr [ebx+0x44], 0x0
0191D784 |8B08          mov    ecx, dword ptr [eax]
0191D786 |51             push ecx
0191D787 |8D55 C0       lea    edx, dword ptr [ebp-0x40]
0191D78A |68 E05D9301    push 01935DE0                                  ; 处理文件%s完成, 这个文件总共有%d个表, 处理了您指定的%d个表
0191D78F |52             push edx
0191D790 |FF15 0C099301 call dword ptr [<&mfc100.#4283>]    ; mfc100.#4283
0191D796 |8B4B 1C       mov    ecx, dword ptr [ebx+0x1C]

019231D6 837E 24 0B    cmp    dword ptr [esi+0x24], 0xB          ; 文件数比较
019231DA C745 FC 0000000>mov    dword ptr [ebp-0x4], 0x0
019231E1 7E 5A          jle    short 0192323D                                  ; 跳走即可
019231E3 68 F4609301    push 019360F4                                  ; Register Info Error!
019231E8 8D4D 08       lea    ecx, dword ptr [ebp+0x8]

menglv · 发表于 2015-5-22 14:42:01

本帖最后由 menglv 于 2015-5-22 15:26 编辑

看来暗桩比较多，而且软件没什么用！不玩了。
好像也只有上面两处而已。

wcb0414 · 发表于 2015-5-22 15:04:40

暗桩好多，学习了

冷月孤心 · 发表于 2015-5-22 17:08:02

暗桩不在主程序里，主程序修改一处就爆破成功了。

非诚勿扰 · 发表于 2015-5-22 22:02:17

小菜来学习了

1552759476@ · 发表于 2015-5-23 09:08:38

我是菜牛，这么厉害，大神

964761323 · 发表于 2015-5-26 23:18:39

呼呼，学习中……

		自动登录	找回密码
密码			加入我们

[原创] Excel汇总专家6简单爆破

点评