| /** VB Killer    V1.0
 程序设计:天下
 感谢名单:暂无
 使用说明:
 本程序可以破解一些由vb6制作的本地注册验证程序
 代码使用VC2010编译
 **/
 
 #include <stdio.h>
 #include <windows.h>
 #include <TlHelp32.h>
 #include <wchar.h>
 /* Privilege index handed to RtlAdjustPrivilege below. The SDK headers do not
  * define this constant; the author hard-codes it. */
 #define SE_DEBUG_PRIVILEGE 20
 /* Function-pointer type for ntdll!RtlAdjustPrivilege. The export is not
  * documented, so this prototype is the author's own declaration; the
  * parameter meanings below are read off the parameter names only. */
 typedef  DWORD(WINAPI *PRtlAdjustPrivilege)   /** undocumented function declaration **/
 (
 ULONG    Privilege,      /* privilege index, e.g. SE_DEBUG_PRIVILEGE above */
 BOOLEAN Enable,          /* TRUE to enable, FALSE to disable (by name) */
 BOOLEAN CurrentThread,   /* TRUE: thread token, FALSE: process token (by name) */
 PBOOLEAN Enabled         /* out parameter; presumably the privilege's previous state */
 );
 /* Enables the debug privilege on the current process by calling the
  * undocumented ntdll!RtlAdjustPrivilege through a GetProcAddress lookup.
  * Nothing is checked: LoadLibrary/GetProcAddress may return NULL, in which
  * case the call below goes through a NULL function pointer, and the DWORD
  * status returned by RtlAdjustPrivilege is discarded. The caller (main)
  * therefore cannot tell whether the privilege was actually granted.
  * From a defender's view, a process enabling SeDebugPrivilege and then
  * attaching a debugger to another process (see main) is a pattern worth
  * alerting on. */
 void WINAPI AdjustPrivilege()         /** privilege-raising helper from ntdll **/
 {
 BOOLEAN Enabled;                      /* receives the previous state; never read afterwards */
 PRtlAdjustPrivilege RtlAdjustPrivilege = (PRtlAdjustPrivilege)GetProcAddress(LoadLibrary((LPCSTR)"ntdll.dll"), "RtlAdjustPrivilege");
 RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &Enabled);   /* Enable=TRUE on the process token (CurrentThread=FALSE) */
 }
 
 /* Program entry point. As written, the flow is:
  *   1. raise the debug privilege (AdjustPrivilege) and list processes from
  *      a Toolhelp snapshot;
  *   2. read a PID from stdin and open it with PROCESS_ALL_ACCESS;
  *   3. resolve __vbaStrComp by loading msvbvm60.dll into *this* process and
  *      reuse that numeric address inside the target — only valid if the
  *      target maps the DLL at the same base, which is never checked;
  *   4. attach as a debugger, replace the first byte of __vbaStrComp with
  *      INT3, and on each hit print the wide string whose pointer sits at
  *      [ESP+8]; then restore the byte, plant a second INT3 at +5 (past the
  *      5-byte first instruction) and re-arm the entry breakpoint from there;
  *   5. when the target exits, write the saved bytes back and detach.
  * 32-bit-only: the code reads the x86 CONTEXT fields Esp and Eip.
  * Returns 0 after the debug loop ends, 1 when the target cannot be opened
  * or the export cannot be resolved. Most Win32 results are unchecked
  * (scanf, DebugActiveProcess, OpenThread, Read/WriteProcessMemory,
  * WaitForDebugEvent), and hProcess is never closed.
  * Observable behaviour for detection: SeDebugPrivilege enable, followed by
  * DebugActiveProcess and cross-process memory writes into msvbvm60.dll. */
 int main(void)
 {
 HANDLE hSnap;                    /* Toolhelp process snapshot */
 BOOL dwNext;                     /* Process32First/Next result */
 PROCESSENTRY32 stPi;
 DWORD dwPID;                     /* target PID from stdin; stays uninitialized if scanf fails */
 HANDLE hProcess;                 /* handle to the target; never closed */
 DWORD lpCmpFunc;                 /* address of __vbaStrComp held as a 32-bit value */
 HMODULE hMdl;
 BYTE bInt3 = 0xCC;               /* x86 INT3 opcode used as the software breakpoint */
 BYTE bOld1;                      /* original byte at lpCmpFunc */
 BYTE bOld2;                      /* original byte at lpCmpFunc + 5 */
 int dwStates = 1;                /* 1 while the debug loop runs; cleared on EXIT_PROCESS_DEBUG_EVENT */
 DEBUG_EVENT stDbg;
 CONTEXT stCt;
 HANDLE hThread;                  /* thread that raised the current breakpoint */
 DWORD lpPtr;                     /* pointer value read from [ESP+8] */
 wchar_t szText[512];             /* 512 wchar_t = 1024 bytes on Win32; the fixed 1024-byte read
                                     below fills it completely, so no NUL terminator is guaranteed
                                     unless the target's string supplies one within that range */
 
 AdjustPrivilege();
 printf("VB6.0 Killer Version 1.0 Code By 天下\n");
 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 if(hSnap == INVALID_HANDLE_VALUE)
 printf("I can't enum the process! You must enter the process ID by your self!\n");   /* listing is optional; the PID prompt follows either way */
 else
 {
 stPi.dwSize = sizeof(PROCESSENTRY32);   /* required before Process32First */
 dwNext = Process32First(hSnap, &stPi);
 while(dwNext)
 {
 printf("%*s%d\n", -40, stPi.szExeFile, stPi.th32ProcessID);   /* name left-justified in 40 columns, then PID (a DWORD, so %u would match the type) */
 dwNext = Process32Next(hSnap, &stPi);
 }
 CloseHandle(hSnap);
 printf("Now you shoult choose a process to get the right code\n");
 }
 printf("Please enter a process id: ");
 scanf("%u", &dwPID);   /* result unchecked: on non-numeric input dwPID is never assigned */
 hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);   /* full-access handle; OpenProcess returns NULL on failure */
 if(hProcess == 0)
 {
 printf("I can't open the process!\n");
 return 1;
 }
 /**
 ESP + 8 --> address of the expected ("correct") text when __vbaStrComp is entered
 
 __vbaStrComp   is exported by msvbvm60.dll
 
 the first instruction of the function is 5 bytes long (hence the +5 offsets below)
 **/
 hMdl = LoadLibrary("msvbvm60.dll");   /* loaded into this process only to resolve the export */
 lpCmpFunc = (DWORD)GetProcAddress(hMdl, "__vbaStrComp");   /* a NULL hMdl should make this fail, which the check below catches */
 FreeLibrary(hMdl);   /* only the numeric address is kept and assumed to match the target's mapping */
 if(lpCmpFunc == 0)
 {
 printf("I can't get the function pointer\n");
 return 1;
 }
 DebugActiveProcess(dwPID);   /* result unchecked; the attach is visible from inside the target via standard debugger-presence checks */
 ReadProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bOld1, 1, NULL);         /* save the byte the INT3 will overwrite */
 ReadProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bOld2, 1, NULL);   /* save the byte at +5 for the second breakpoint */
 WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bInt3, 1, NULL);        /* arm the entry breakpoint */
 while(dwStates == 1)
 {
 WaitForDebugEvent(&stDbg, INFINITE);   /* blocks until the debuggee reports an event; result unchecked */
 switch(stDbg.dwDebugEventCode)
 {
 case EXCEPTION_DEBUG_EVENT:
 {
 if(stDbg.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT)   /* INT3 hit, including breakpoints not planted here (e.g. the one raised on attach) */
 {
 if((DWORD)stDbg.u.Exception.ExceptionRecord.ExceptionAddress == lpCmpFunc)   /* entry breakpoint: capture the argument, then hand the original byte back */
 {
 hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, stDbg.dwThreadId);   /* unchecked; NULL would be passed to the calls below */
 stCt.ContextFlags = CONTEXT_ALL;   /* must be set before GetThreadContext */
 SuspendThread(hThread);            /* the thread is already halted by the pending event; this pair looks redundant */
 GetThreadContext(hThread, &stCt);
 ReadProcessMemory(hProcess, (LPVOID)(stCt.Esp + 8), &lpPtr, 4, NULL);   /* 32-bit pointer from the second stack slot above the return address */
 ReadProcessMemory(hProcess, (LPVOID)lpPtr, szText, 1024, NULL);         /* fixed-size read; on failure szText is printed uninitialized */
 printf("The right regcode:\n%ls\n", szText);
 --stCt.Eip;   /* the exception reports EIP one past the INT3; step back so the restored first byte executes */
 SetThreadContext(hThread, &stCt);
 WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bOld1, 1, NULL);        /* restore the entry byte */
 WriteProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bInt3, 1, NULL);  /* trap again right after the first instruction */
 ResumeThread(hThread);
 CloseHandle(hThread);
 ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
 }
 else if((DWORD)stDbg.u.Exception.ExceptionRecord.ExceptionAddress == lpCmpFunc + 5)   /* second breakpoint: re-arm the entry, clean up +5 */
 {
 hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, stDbg.dwThreadId);
 stCt.ContextFlags = CONTEXT_ALL;
 SuspendThread(hThread);
 GetThreadContext(hThread, &stCt);
 WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bInt3, 1, NULL);        /* entry breakpoint back in place */
 WriteProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bOld2, 1, NULL);  /* original byte back at +5 */
 --stCt.Eip;   /* same EIP rewind as above */
 SetThreadContext(hThread, &stCt);
 ResumeThread(hThread);
 CloseHandle(hThread);
 ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
 }
 else
 {
 ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);   /* breakpoint elsewhere: swallow it */
 }
 }
 else
 {
 ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);   /* any other exception goes to the target's own handlers */
 }
 break;
 }
 case EXIT_PROCESS_DEBUG_EVENT:
 {
 printf("Process is terminated\n");
 dwStates = 0;   /* the only way out of the loop */
 ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);
 break;
 }
 default:
 {
 ContinueDebugEvent(stDbg.dwProcessId, stDbg.dwThreadId, DBG_CONTINUE);   /* NOTE(review): create-process/load-DLL events carry hFile handles that are never closed here */
 break;
 }
 }
 }
 WriteProcessMemory(hProcess, (LPVOID)lpCmpFunc, &bOld1, 1, NULL);        /* the loop ends only after the target exited, so these writes hit a dead process */
 WriteProcessMemory(hProcess, (LPVOID)(lpCmpFunc + 5), &bOld2, 1, NULL);
 DebugActiveProcessStop(dwPID);   /* hProcess itself is never closed */
 return 0;
 }
 
 通常经常破解VB程序的同学都知道,__VBStrComp调用时,ESP + 8指向的就是其中的一个比较文本(当然,也有的人会这样写比较正确注册码 = 用户注册码,那这个时候程序就失效了,大家可以自己修改,留个需要几行代码就可以解决的小坑,嘻嘻)
 
 
 
   
   
   
 