[Help] An approach to cracking a VFP program
I don't play with ** these things, but it feels like it shouldn't be hard.

[Solved] A packed VFP program I've spent days on and can't unpack; experts, please take a look when you have time
These things are far too simple, kindergarten stuff!!! No matter how strict the protection, VB and VFP are interpreted in memory and that dooms them to being reversed. VFP goes without saying; a couple of days ago I studied both VB compilation modes and, using OD together with the bisection and breakpoint methods I described here earlier, quickly cracked a VB program that was actually fairly hard. It's absolutely not the way the beginners here say, that with VB, OD always runs off into the runtime library: with the right method the tracing goes very smoothly, and a tool analogous to DeDe for Delphi can easily resolve the detailed addresses of all the entry points, as long as you configure it properly. Cracking really isn't difficult; we are all amateurs doing this out of interest.

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Why hasn't anyone looked into this?

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Patched it out: the interface comes up, but the results may still not appear. As I said, I have no intention of cracking this software; the result isn't important, what matters is learning its protection scheme and the tracing method.

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
It's not that complicated. Its registration-validation part has already been injected by brother kvllz and returns the correct validation message, so that should be right.

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Below is the Regshot result for the program's first run:

```
Regshot 1.7 要点注释:
日期时间:2009/12/19 08:26:41 , 2009/12/19 08:27:22
计算机名:PC , PC
使用者名: ,

----------------------------------
增加值:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DDLook: "C:\WINNT\system32\ddhelp.exe"

----------------------------------
修改值:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: CF A3 F4 9F 52 64 F7 28 84 B1 A3 DC 3E 32 D2 04 43 B4 74 B8 28 09 FA 0C 68 18 8A 15 D9 4C 8B B4 9B 9A 2E D6 CE 00 DA 19 F4 EA B2 E8 A7 3E E7 1F 4B F4 63 5D 4A 8A 49 9C 3C BE 00 40 3D 75 72 28 A2 4D 84 9A 0E 53 47 93 CF 82 E9 F7 59 99 D3 71
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: E3 79 35 2A 4D BE 60 EE 83 6C 17 3D 85 DD C9 3C 03 98 85 CF C7 CF CA 4B F2 84 97 54 7A CE 6F 0E 95 14 2B 5C 10 99 3B 85 57 F7 0C 17 D8 ED 46 E9 56 C1 84 AA 33 B3 9F 89 A8 66 87 C6 2B 9F 2B 8E 92 38 94 AC 28 9F FA D9 23 63 F1 59 A2 61 D6 57
HKU\S-1-5-21-57989841-764733703-1060284298-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 29 04 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-57989841-764733703-1060284298-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 2A 04 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----------------------------------
文件增加:5
----------------------------------
C:\WINNT\system32\ddhelp.exe
C:\WINNT\system32\dduser.dll
C:\WINNT\notewnd.dll
C:\WINNT\verwnd.dll
C:\WINNT\show.html

----------------------------------
文件修改:3
----------------------------------
C:\WINNT\system32\config\software.LOG
C:\WINNT\system32\config\SOFTWARE
C:\WINNT\win.ini

----------------------------------
总计:11
----------------------------------
```

Content added to win.ini:

```
[SciCalc]
layout=0
[history]
update=0
ddpath=C:\Program Files\Tencent\QQ\Bin\
[fileopr]
C:\WINNT\system32\ddinfo.db=1
[QQHall]
shell=1
usetype=5
[HistoryLook]
looknum=0
num=86074731
[DDLook]
update=0
version=1018
auto
```

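Added example, written by the editor and not part of the post: a small Python triage script that parses a Regshot-style text report in the same section layout as the one above (the sample below is constructed, mirroring the post's entries) and flags Run-key additions and binaries dropped into system directories, while discarding the RNG Seed churn that shows up in every diff. The section names are those of the Chinese Regshot build quoted above; the prefix lists are the editor's assumptions.

```python
import re

# Constructed sample in the layout of the Regshot 1.7 report quoted above
# (section headers between dashed lines, one entry per line).
SAMPLE_REPORT = """\
----------------------------------
增加值:1
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\DDLook: "C:\\WINNT\\system32\\ddhelp.exe"
----------------------------------
修改值:2
----------------------------------
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed: CF A3 F4 9F
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed: E3 79 35 2A
----------------------------------
文件增加:5
----------------------------------
C:\\WINNT\\system32\\ddhelp.exe
C:\\WINNT\\system32\\dduser.dll
C:\\WINNT\\notewnd.dll
C:\\WINNT\\verwnd.dll
C:\\WINNT\\show.html
----------------------------------
文件修改:3
----------------------------------
C:\\WINNT\\system32\\config\\SOFTWARE
C:\\WINNT\\win.ini
"""

SECTION_RE = re.compile(r"^(增加值|删除值|修改值|文件增加|文件删除|文件修改):\d+$")

# Registry locations whose additions usually mean auto-start persistence (assumed list).
AUTOSTART_PREFIXES = (
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
)
# Keys that change on every process start and are pure noise in a diff.
NOISE_PREFIXES = ("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed",)
SYSTEM_DIRS = ("C:\\WINNT\\system32", "C:\\WINDOWS\\system32")


def parse_regshot(text):
    """Return {section_name: [entries]} from a Regshot text report."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue  # blank or dashed separator line
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Flag persistence and executable drops; drop known-noisy keys."""
    s = parse_regshot(text)
    findings = []
    for entry in s.get("增加值", []):
        if entry.upper().startswith(AUTOSTART_PREFIXES):
            findings.append(("autostart", entry))
    for entry in s.get("修改值", []):
        if not entry.startswith(NOISE_PREFIXES):
            findings.append(("modified_value", entry))
    for path in s.get("文件增加", []):
        if path.lower().endswith((".exe", ".dll")):
            kind = "dropped_binary_in_system_dir" if path.startswith(SYSTEM_DIRS) else "dropped_binary"
            findings.append((kind, path))
    return findings
```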
[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Is big brother Kanxue around? Could you give some pointers?

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Final conclusion: confirmed as network validation + local validation.
Network validation method: URL + key + noteid + notetext + softname=DDLook, meaning the key and the username, plus the order number, plus the name of the software being validated.
The author's website has no injection protection; after kvllz's injection it returns the correct validation message, but I'm too slow and still can't crack it.
The validation request after injection looks like this:
http://www.zhongyuantech.com.cn/check.asp?key=kbdt96845wqer&noteid='or''='&notetext=dengpeiyou&softname=DDLook

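Added example, written by the editor and not from the post or the vendor's site: a Python/sqlite3 simulation of why the noteid value in that URL satisfies a query built by string concatenation, beside the parameterized query that defeats it. The table schema and the shape of the check.asp query are assumptions; the real backend is not visible on this page.

```python
import sqlite3

# Constructed stand-in for the vendor's license table (assumed schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE licenses (softname TEXT, noteid TEXT, notetext TEXT)")
    db.execute("INSERT INTO licenses VALUES ('DDLook', '20091219-0001', 'realbuyer')")
    db.commit()
    return db

def check_vulnerable(db, softname, noteid):
    # String concatenation: the user's input becomes part of the SQL grammar.
    # With noteid = 'or''=' the WHERE clause turns into
    #   softname='DDLook' AND noteid='' OR ''=''
    # and the OR branch is always true, so any order number "exists".
    sql = ("SELECT COUNT(*) FROM licenses WHERE softname='%s' AND noteid='%s'"
           % (softname, noteid))
    return db.execute(sql).fetchone()[0] > 0

def check_parameterized(db, softname, noteid):
    # Bound parameters: the input is only ever compared as a value,
    # so the quote characters never reach the SQL parser.
    sql = "SELECT COUNT(*) FROM licenses WHERE softname=? AND noteid=?"
    return db.execute(sql, (softname, noteid)).fetchone()[0] > 0

# The noteid value from the URL quoted in the post above.
INJECTED_NOTEID = "'or''='"

def demo():
    db = make_db()
    return {
        "vuln_injected": check_vulnerable(db, "DDLook", INJECTED_NOTEID),
        "vuln_real": check_vulnerable(db, "DDLook", "20091219-0001"),
        "param_injected": check_parameterized(db, "DDLook", INJECTED_NOTEID),
        "param_real": check_parameterized(db, "DDLook", "20091219-0001"),
    }
```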
[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Pseudo-C++ code produced by tracing with IDA:

```cpp
int __thiscall sub_4076D0(void *this)
{
  LPARAM v1; // edi@1
  int v2; // esi@1
  int v3; // eax@1
  HICON v4; // eax@1
  int v5; // eax@1
  HICON v6; // eax@1
  int v7; // eax@1
  HICON v8; // eax@1
  LPARAM v9; // eax@2
  LRESULT v10; // eax@4
  LRESULT v11; // eax@6
  int v12; // ecx@6
  signed int v13; // ecx@6
  signed int v14; // ecx@6
  int v15; // ecx@6
  int v16; // ecx@6
  int v17; // eax@7
  int v18; // edi@7
  UINT v19; // eax@18
  signed int v20; // ecx@26
  int v22; // [sp-Ch] [bp-1BCh]@6
  int v23; // [sp-8h] [bp-1B8h]@6
  signed int v24; // [sp-4h] [bp-1B4h]@6
  CHAR *v25; // [sp+0h] [bp-1B0h]@8
  LPCSTR lpString; // [sp+10h] [bp-1A0h]@6
  int *v27; // [sp+14h] [bp-19Ch]@6
  LPCSTR lpKeyName; // [sp+18h] [bp-198h]@6
  int v29; // [sp+1Ch] [bp-194h]@1
  int v30; // [sp+20h] [bp-190h]@8
  DWORD pcbBuffer; // [sp+2Ch] [bp-184h]@1
  int v32; // [sp+30h] [bp-180h]@9
  int v33; // [sp+34h] [bp-17Ch]@11
  int v34; // [sp+38h] [bp-178h]@11
  int v35; // [sp+3Ch] [bp-174h]@11
  int v36; // [sp+40h] [bp-170h]@9
  char v37; // [sp+44h] [bp-16Ch]@21
  char v38; // [sp+A0h] [bp-110h]@23
  CHAR Buffer; // [sp+A4h] [bp-10Ch]@1
  int v40; // [sp+1ACh] [bp-4h]@1

  v2 = (int)this;
  memset(&Buffer, 0, 0x100u);
  pcbBuffer = 256;
  GetUserNameA(&Buffer, &pcbBuffer);
  sub_42734D("ω");
  v40 = 0;
  sub_425720((int)&v29, "%d %d", *(_BYTE *)v29);
  v1 = v2 + 1004;
  sub_4262C0(18, 18, 0x21u, 0, 4);
  AfxGetModuleState();
  v3 = AfxGetModuleState();
  v4 = LoadIconA(*(HINSTANCE *)(v3 + 12), (LPCSTR)132);
  ImageList_ReplaceIcon(*(HIMAGELIST *)(v2 + 1008), -1, v4);
  AfxGetModuleState();
  v5 = AfxGetModuleState();
  v6 = LoadIconA(*(HINSTANCE *)(v5 + 12), (LPCSTR)0x80);
  ImageList_ReplaceIcon(*(HIMAGELIST *)(v2 + 1008), -1, v6);
  AfxGetModuleState();
  v7 = AfxGetModuleState();
  v8 = LoadIconA(*(HINSTANCE *)(v7 + 12), (LPCSTR)0x8A);
  ImageList_ReplaceIcon(*(HIMAGELIST *)(v2 + 1008), -1, v8);
  if ( v2 == -1004 )
    v9 = 0;
  else
    v9 = *(_DWORD *)(v2 + 1008);
  v10 = SendMessageA(*(HWND *)(v2 + 600), 4361u, 0, v9);
  sub_42628D((int (__cdecl *)(unsigned int))v10);
  if ( v2 != -1004 )
    v1 = *(_DWORD *)(v2 + 1008);
  v11 = SendMessageA(*(HWND *)(v2 + 600), 0x1109u, 2u, v1);
  sub_42628D((int (__cdecl *)(unsigned int))v11);
  WriteProfileStringA("history", "update", L"0");
  sub_40A7D0(1001, v2, 1);
  (*(void (__stdcall **)(_DWORD, signed int))(**(_DWORD **)(v2 + 900) + 264))(*(_DWORD *)(v2 + 900), -1);
  sub_42734D(Src);
  LOBYTE(v40) = 1;
  sub_425720((int)&lpKeyName, "%s\\ddinfo.db", dword_449788); // ===> ddinfo.db is opened here, address 40788Bh
  WriteProfileStringA("fileopr", lpKeyName, "1");              // ===> a write happens here, setting the fileopr entry to 1
  // What actually gets written:
  //   [fileopr]
  //   C:\WINNT\system32\ddinfo.db=1
  v24 = 1;
  v23 = v12;
  lpString = (LPCSTR)&v23;
  sub_427054(&lpKeyName);
  sub_405B00(v23, v24);
  sub_42C267((LPCSTR)0x82, v2);
  sub_403770(&unk_449728);
  v24 = v13;
  lpString = (LPCSTR)&v24;
  sub_427054(&lpAppName);
  sub_40CDC0((LPCSTR)v24); // ===> username and password are fetched here for validation, address 4078F1h
  v24 = v14;
  lpString = (LPCSTR)&v24;
  sub_427054(&unk_4497F4);
  sub_40D010(v24);         // ===> this may be where the genuine-copy check really happens, address 40790C; traced into in "validation trace-in 1" below
  v24 = dword_4497F8;
  v23 = v15;
  lpString = (LPCSTR)&v23;
  sub_427054(&lpAppName);
  LOBYTE(v40) = 2;
  v22 = v16;
  v27 = &v22;
  sub_427054(&unk_4497F0);
  LOBYTE(v40) = 1;
  sub_40D990(v22, v23, v24);
  sub_40DAC0(&unk_4497C4);
  if ( dword_4497C8 )
  {
    sub_427054(&unk_4497E0);
    LOBYTE(v40) = 3;
    sub_427054(&unk_4497D8);
    LOBYTE(v40) = 4;
    sub_427054(&unk_4497DC);
    v18 = dword_4497C8;
    LOBYTE(v40) = 5;
    sub_405400("verwnd.dll");
    LOBYTE(v40) = 6;
    dword_44A0CC = v2;
    v17 = sub_405580(1, &dword_44A0CC, 4);
    if ( !v17 )
    {
      LOBYTE(v40) = 5;
      sub_405420(v25);
      LOBYTE(v40) = 4;
      sub_4272DF(&v30);
      LOBYTE(v40) = 3;
      sub_4272DF(&v27);
      LOBYTE(v40) = 1;
      sub_4272DF(&lpString);
      goto LABEL_28;
    }
    v32 = v17;
    v36 = 1;
    if ( v18 < 0 )
      v36 = 0;
    v24 = *((_DWORD *)lpString - 2);
    v34 = sub_42770F(v24);
    v24 = *(_DWORD *)(v30 - 8);
    v35 = sub_42770F(v24);
    v24 = *(v27 - 2);
    v33 = sub_42770F(v24);
    sub_405580(2, &v32, 20);
    if ( dword_4497C8 == -1 )
      sub_42C797(1);
    LOBYTE(v40) = 5;
    sub_405420(v25);
    LOBYTE(v40) = 4;
    sub_4272DF(&v30);
    LOBYTE(v40) = 3;
    sub_4272DF(&v27);
    LOBYTE(v40) = 1;
    sub_4272DF(&lpString);
  }
  if ( sub_40DA10(&unk_4497C4) ) // fetches the software version number, 407AE8h
  {
    sub_408D50(v2);              // starts the software update, 407AF3h
  }
  else
  {
    if ( !sub_4024A0(&unk_449728) )
      sub_4296C8("软件已经损坏,不能使用,请跟作者联系或者重新下载.", "系统提示", 0);
  }
  sub_409AA0(v2);
  v19 = GetProfileIntA(lpAppName, "auto", -1);
  *(_DWORD *)(v2 + 696) = v19;
  if ( v19 == -1 )
  {
    v24 = (signed int)Src;
    *(_DWORD *)(v2 + 696) = 1;
    sub_42734D((LPCSTR)v24);
    v24 = *(_DWORD *)(v2 + 696);
    LOBYTE(v40) = 7;
    sub_425720((int)&lpString, "%d", v24);
    WriteProfileStringA(lpAppName, "auto", lpString);
    LOBYTE(v40) = 1;
    sub_4272DF(&lpString);
  }
  sub_42A0AE(0);
  v24 = *(_DWORD *)(v2 + 696);
  sub_401720(v24);
  if ( _mbscmp(dword_449800, Src) )
  {
    sub_40CA20(0);
    LOBYTE(v40) = 8;
    if ( sub_42C637(&v37) != 1 )
      sub_42C797(1);
    LOBYTE(v40) = 9;
    sub_4272DF(&v38);
    LOBYTE(v40) = 1;
    sub_42C229(&v37);
  }
  if ( !dword_4497B4 )
    SetTimer(*(HWND *)(v2 + 28), 0xAu, 0x7D0u, 0);
  sub_42A0AE(0);
  sub_402820(&unk_449728);
  v24 = v20;
  lpString = (LPCSTR)&v24;
  sub_427054(&unk_4497FC);
  sub_407D30((LPCSTR)v24);
  if ( *(_DWORD *)(v2 + 1108) )
  {
    sub_42C267((LPCSTR)0x86, v2);
    sub_42BF52(5);
    RedrawWindow(*(HWND *)(v2 + 1040), 0, 0, 0x105u);
  }
LABEL_28:
  LOBYTE(v40) = 0;
  sub_4272DF(&lpKeyName);
  v40 = -1;
  return sub_4272DF(&v29);
}
```

===============================================================
Validation trace-in 1

```cpp
signed int __thiscall sub_40D010(void *this, char a2)
{
  void *v2; // ebp@1
  int v3; // ebx@2
  int v4; // eax@2
  int v5; // eax@2
  signed int v7; // esi@13
  int v8; // [sp+10h] [bp-30h]@1
  int v9; // [sp+14h] [bp-2Ch]@3
  int v10; // [sp+18h] [bp-28h]@2
  int v11; // [sp+1Ch] [bp-24h]@3
  int v12; // [sp+20h] [bp-20h]@4
  char *v13; // [sp+24h] [bp-1Ch]@1
  int v14; // [sp+28h] [bp-18h]@2
  int v15; // [sp+2Ch] [bp-14h]@2
  int v16; // [sp+30h] [bp-10h]@2
  int v17; // [sp+3Ch] [bp-4h]@1

  v2 = this;
  v17 = 0;
  v13 = (char *)this + 32;
  CString__operator_(Src);
  sub_427054(&v8, (LPCSTR *)v2 + 3);
  LOBYTE(v17) = 1;
  if ( *(_DWORD *)(v8 - 8) != 12 )
    goto LABEL_12;
  sub_427418((char *)v2 + 28, (void **)&a2);
  v3 = *((_DWORD *)v2 + 1);
  v4 = *((_DWORD *)v2 + 2);
  v14 = 0;
  v10 = v4;
  v5 = *(_DWORD *)(v8 - 8);
  v15 = 0;
  v16 = 0;
  strcpy((char *)&v14, (const char *)sub_42770F(&v8, v5));
  if ( SBYTE3(v14) != (v3 | (char)v14) % 10 + 48
    || (v11 = SBYTE1(v14), v9 = (char)v15, (char)v15 != (v3 | SBYTE1(v14)) % 26 + 65)
    || (v12 = SBYTE1(v15), SBYTE1(v15) != (v3 | SBYTE2(v14)) % 26 + 97)
    || SBYTE2(v15) != (v10 & (char)v14) % 10 + 48
    || SBYTE3(v15) != (v10 & v11) % 26 + 97
    || (char)v16 != (v10 & SBYTE2(v14)) % 26 + 65
    || SBYTE1(v16) != (v10 & SBYTE3(v14)) % 10 + 48
    || SBYTE2(v16) != (v10 & v9) % 26 + 97
    || SBYTE3(v16) != (v10 & v12) % 26 + 65 )
  {
    *((_DWORD *)v2 + 5) = 2;
LABEL_12:
    LOBYTE(v17) = 0;
    sub_4272DF(&v8);
    v17 = -1;
    sub_4272DF(&a2);
    return 0;
  }
  *((_DWORD *)v2 + 5) = 1;
  v7 = 0; // the loop below runs v7 times in total
  do
  {
    if ( sub_40CEE0(v2) ) // ====> trace into this one as well, "validation trace-in 2"; the address here is 40D1FE
      break;
    Sleep(0x3E8u);
    ++v7;
  }
  while ( v7 < 3 );
  CString__operator_("12");
  LOBYTE(v17) = 0;
  sub_4272DF(&v8);
  v17 = -1;
  sub_4272DF(&a2);
  return 1;
}
```

=======================================================================
Validation trace-in 2

```cpp
signed int __thiscall sub_40CEE0(int this)
{
  int v1; // esi@1
  int v2; // ecx@4
  int v3; // edx@4
  int v4; // eax@4
  int v5; // ecx@4
  int v7; // [sp-8h] [bp-28h]@4
  int *v8; // [sp-4h] [bp-24h]@4
  int v9; // [sp+8h] [bp-18h]@4
  int v10; // [sp+Ch] [bp-14h]@4
  int *v11; // [sp+10h] [bp-10h]@4
  int v12; // [sp+1Ch] [bp-4h]@4

  v1 = this;
  if ( *(_DWORD *)(*(_DWORD *)(this + 28) - 8)
    && *(_DWORD *)(*(_DWORD *)(this + 16) - 8)
    && *(_DWORD *)(*(_DWORD *)(this + 12) - 8) )
  {
    sub_42734D(Src);
    v12 = 0;
    sub_42734D(Src);
    v2 = *(_DWORD *)(v1 + 12);
    v3 = *(_DWORD *)(v1 + 16);
    v8 = *(int **)(v1 + 24);
    v4 = *(_DWORD *)(v1 + 28);
    LOBYTE(v12) = 1;
    // ====> the first key, address 40CF61; see "validation trace-in 31"
    sub_425720(&v10, "%s?key=kbdt96845wqer&noteid=%s&notetext=%s&softname=%s", v4, v3, v2, v8);
    v8 = &v9;
    v7 = v5;
    v11 = &v7;
    sub_427054(&v7, (LPCSTR *)&v10);
    // ===> the second key, addresses 40CF7F and 40CF9D
    // >>>>> "validation trace-in 32" (sub_40A970) and "validation trace-in 33" (sub_4253DF) <<<<<
    if ( sub_40A970(v7, v8) && *(_DWORD *)(v9 - 8) && sub_4253DF("验证返回:tbdt96843aqe1") >= 0 )
    {
      *(_DWORD *)(v1 + 20) = 0;
      LOBYTE(v12) = 0;
      sub_4272DF(&v9);
      v12 = -1;
      sub_4272DF(&v10);
      return 1;
    }
    LOBYTE(v12) = 0;
    sub_4272DF(&v9);
    v12 = -1;
    sub_4272DF(&v10);
  }
  return 0;
}
```

=================================================================
Validation trace-in 31

```cpp
int __thiscall sub_425418(void *this, const char *Format, va_list a3)
{
  va_list v3; // ebp@1
  void *v4; // edi@1
  const char *v5; // esi@1
  const char v6; // al@3
  const char *v7; // eax@3
  signed int v8; // edi@4
  int v9; // eax@8
  const char *v10; // eax@13
  int v11; // ebx@19
  const char *v12; // eax@20
  int v13; // eax@36
  int v14; // eax@38
  int v15; // eax@39
  int v16; // eax@40
  int v17; // eax@41
  int v18; // eax@42
  signed int v19; // eax@44
  int v20; // eax@46
  int v21; // eax@47
  int v22; // eax@48
  int v23; // eax@49
  int v24; // eax@50
  int v25; // eax@53
  int v26; // eax@54
  int v27; // eax@55
  int v28; // eax@56
  const wchar_t *v29; // eax@58
  signed int v30; // eax@59
  const CHAR *v31; // eax@61
  int v32; // eax@72
  int v33; // eax@74
  int v34; // eax@75
  int v35; // eax@76
  int v36; // eax@77
  int v38; // [sp+Ch] [bp-10h]@1
  signed int v39; // [sp+10h] [bp-Ch]@22
  void *v40; // [sp+14h] [bp-8h]@1
  va_list v41; // [sp+18h] [bp-4h]@1
  int v42; // [sp+24h] [bp+8h]@4

  v38 = 0;
  v3 = a3;
  v5 = Format;
  v4 = this;
  v41 = a3;
  v40 = this;
  if ( !*Format )
    goto LABEL_91;
  do
  {
    if ( *v5 != 37 || (v7 = (const char *)_mbsinc(v5), v5 = v7, v6 = *v7, v6 == 37) )
    {
      v38 += _mbclen(v5);
      goto LABEL_90;
    }
    v8 = 0;
    v42 = 0;
    if ( !v6 )
    {
LABEL_15:
      v42 = atoi(v5);
      while ( *v5 && _ismbcdigit(*v5) )
        v5 = (const char *)_mbsinc(v5);
      goto LABEL_19;
    }
    while ( v6 == 35 )
    {
      v38 += 2;
LABEL_13:
      v10 = (const char *)_mbsinc(v5);
      v5 = v10;
      v6 = *v10;
      if ( !v6 )
        goto LABEL_14;
    }
    if ( v6 == 42 )
    {
      v9 = *(_DWORD *)v3;
      v3 += 4;
      v42 = v9;
      goto LABEL_13;
    }
    if ( v6 == 45 || v6 == 43 || v6 == 48 || v6 == 32 )
      goto LABEL_13;
LABEL_14:
    if ( !v42 )
      goto LABEL_15;
LABEL_19:
    v11 = 0;
    if ( *v5 == 46 )
    {
      v12 = (const char *)_mbsinc(v5);
      v5 = v12;
      if ( *v12 == 42 )
      {
        v11 = *(_DWORD *)v3;
        v3 += 4;
        v5 = (const char *)_mbsinc(v12);
      }
      else
      {
        v11 = atoi(v12);
        while ( *v5 && _ismbcdigit(*v5) )
          v5 = (const char *)_mbsinc(v5);
      }
    }
    v39 = 0;
    if ( !_mbsnbcmp((char *)v5, "I64", 3u) )
    {
      v5 += 3;
      v39 = 262144;
      goto LABEL_36;
    }
    if ( *v5 == 70 || *v5 == 76 || *v5 == 78 )
      goto LABEL_35;
    if ( *v5 == 104 )
    {
      v39 = 65536;
LABEL_35:
      v5 = (const char *)_mbsinc(v5);
      goto LABEL_36;
    }
    if ( *v5 == 108 )
    {
      v39 = 131072;
      goto LABEL_35;
    }
LABEL_36:
    v13 = v39 | *v5;
    if ( v13 > 65635 )
    {
      v25 = v13 - 65651;
      if ( !v25 )
        goto LABEL_61;
      v26 = v25 - 65488;
      if ( !v26 )
        goto LABEL_60;
      v27 = v26 - 16;
      if ( !v27 )
      {
LABEL_58:
        v29 = *(const wchar_t **)v3;
        v3 += 4;
        if ( !v29 )
          goto LABEL_62;
        v30 = wcslen(v29);
        goto LABEL_64;
      }
      v28 = v27 - 16;
      if ( !v28 )
      {
LABEL_60:
        v3 += 4;
        v8 = 2;
        goto LABEL_67;
      }
      if ( v28 == 16 )
        goto LABEL_58;
LABEL_44:
      v19 = *v5;
      if ( v19 > 105 )
      {
        v33 = v19 - 110;
        if ( !v33 )
        {
          v3 += 4;
          goto LABEL_88;
        }
        v34 = v33 - 1;
        if ( !v34 )
          goto LABEL_85;
        v35 = v34 - 1;
        if ( v35 )
        {
          v36 = v35 - 5;
          if ( v36 && v36 != 3 )
            goto LABEL_88;
          goto LABEL_85;
        }
      }
      else
      {
        if ( v19 != 105 )
        {
          v20 = v19 - 71;
          if ( !v20 )
            goto LABEL_73;
          v21 = v20 - 17;
          if ( v21 )
          {
            v22 = v21 - 12;
            if ( v22 )
            {
              v23 = v22 - 1;
              if ( !v23 )
                goto LABEL_73;
              v24 = v23 - 1;
              if ( v24 )
              {
                if ( v24 != 1 )
                  goto LABEL_88;
LABEL_73:
                v3 += 8;
                v8 = 128;
LABEL_82:
                v32 = v11 + v42;
              }
              else
              {
                v3 += 8;
                v8 = 128;
                v32 = v11 + 312;
              }
              if ( v32 >= v8 )
                v8 = v32;
              goto LABEL_88;
            }
          }
        }
LABEL_85:
        if ( BYTE2(v39) & 4 )
        {
          v3 += 8;
          goto LABEL_81;
        }
      }
      v3 += 4;
LABEL_81:
      v8 = 32;
      goto LABEL_82;
    }
    if ( v13 == 65635 || (v14 = v13 - 67, !v14) )
      goto LABEL_60;
    v15 = v14 - 16;
    if ( !v15 )
      goto LABEL_58;
    v16 = v15 - 16;
    if ( !v16 )
      goto LABEL_60;
    v17 = v16 - 16;
    if ( !v17 )
      goto LABEL_61;
    v18 = v17 - 65488;
    if ( !v18 )
      goto LABEL_60;
    if ( v18 != 16 )
      goto LABEL_44;
LABEL_61:
    v31 = *(const CHAR **)v3;
    v3 += 4;
    if ( !v31 )
    {
LABEL_62:
      v8 = 6;
      goto LABEL_67;
    }
    v30 = lstrlenA(v31);
LABEL_64:
    v8 = v30;
    if ( v30 < 1 )
      v8 = 1;
    if ( !v8 )
      goto LABEL_44;
LABEL_67:
    if ( v11 )
    {
      if ( v8 >= v11 )
        v8 = v11;
    }
    if ( v8 <= v42 )
      v8 = v42;
LABEL_88:
    v38 += v8;
    v4 = v40;
LABEL_90:
    v5 = (const char *)_mbsinc(v5);
  }
  while ( *v5 );
LABEL_91:
  sub_42770F(v4, v38);
  vsprintf(*(char **)v4, Format, v41);
  return CString__ReleaseBuffer(-1);
}
```

=====================================================================
Validation trace-in 32

```cpp
signed int __cdecl sub_40A970(int a1)
{
  int v1; // ebp@1
  signed int v2; // eax@2
  int v3; // ebx@5
  int v4; // eax@6
  int v5; // esi@6
  int name; // [sp+8h] [bp-E60h]@1
  int v8; // [sp+Ch] [bp-E5Ch]@1
  char v9; // [sp+12h] [bp-E56h]@1
  int v10; // [sp+14h] [bp-E54h]@1
  char v11; // [sp+18h] [bp-E50h]@1
  char Str; // [sp+1Ch] [bp-E4Ch]@5
  char v13[256]; // [sp+3Ch] [bp-E2Ch]@2
  char v14; // [sp+13Ch] [bp-D2Ch]@1
  char Src; // [sp+A5Ch] [bp-40Ch]@6
  int v16; // [sp+E64h] [bp-4h]@1

  v1 = 0;
  v16 = 0;
  CString__operator_(::Src);
  sub_40AB60(&v14);
  name = (int)off_447538;
  v8 = (int)off_447538;
  LOBYTE(v16) = 3;
  sub_431256(a1, &v11, &name, &v8, &v9);
  sub_40AD30(name, v8, (int)&v10, 0, 0, 0, 0, 0);
  sub_40AC00(&v14);
  sub_40AC40((char *)name, 80);
  sub_40B190(0, 0);
  sub_40B280(16, 0);
  do
  {
    v2 = sub_40B350(v13, 256);
    if ( v2 > -1 )
      v13[v2] = 0;
  }
  while ( v2 != -1 );
  sub_40B3B0("Content-Length", (int)&Str, 30);
  sub_40B4C0(&v14);
  v3 = atoi(&Str);
  if ( v3 > 0 )
  {
    do
    {
      memset(&Src, 0, 0x400u);
      v4 = sub_40B200(&Src, 1024);
      v5 = v4;
      if ( !v4 )
        break;
      if ( v4 == -1 )
        break; // ===> this break exits the do loop
      sub_4276BB(&Src);
      v1 += v5;
    }
    while ( v1 < v3 );
  }
  LOBYTE(v16) = 2;
  sub_4272DF(&v8);
  LOBYTE(v16) = 1;
  sub_4272DF(&name);
  LOBYTE(v16) = 0;
  sub_40ABF0(&v14);
  v16 = -1;
  sub_4272DF(&a1);
  return 1;
}
```

=============================================================
Validation trace-in 33

```cpp
int __thiscall sub_4253ED(void *this, char *SubStr, int a3)
{
  void *v3; // esi@1
  int v4; // eax@2
  int result; // eax@3

  v3 = this;
  if ( a3 <= *(_DWORD *)(*(_DWORD *)this - 8)
    && (v4 = _mbsstr((char *)(a3 + *(_DWORD *)this), SubStr)) != 0 )
    result = v4 - *(_DWORD *)v3;
  else
    result = -1;
  return result;
}
```

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Record export is restricted. Let me state up front that a simple patch cannot make the export work. I did a detailed trace with IDA 5.5's graph analysis; the results are below.

At 41EC48h there is this call: call edi ; InterlockedDecrement
At 407096h there is this call: call ds:InterlockedIncrement

```
41ec45h         mov     esi, offset Addend
                push    edi
                push    esi             ; lpAddend
                call    ds:InterlockedIncrement
                cmp     dword_44C584, ebx
                mov     edi, ds:InterlockedDecrement
                jz      short loc_41EC55 ; if it jumps as it should, nothing is locked
                push    esi             ; lpAddend
                call    edi             ; InterlockedDecrement
                push    13h
                call    __lock
                pop     ecx
                push    1
                pop     ebx
                …
loc_41EC55:                             ; C
                push    [esp+0Ch+C]
                call    _toupper_0
                test    ebx, ebx
                pop     ecx
                mov     [esp+0Ch+C], eax
                jz      short loc_41EC71
                …
loc_41EC71:                             ; lpAddend -- unlocks if everything is correct
                push    esi
                call    edi             ; InterlockedDecrement
```

```
.text:004093AC                 mov     eax, [edx-8]
.text:004093AF                 test    eax, eax
.text:004093B1                 jnz     short loc_4093C0 ; must jump; if it doesn't the program goes astray -> jmp
.text:004093B3                 mov     byte ptr [esp+388h], 4
.text:004093BB                 jmp     loc_409528
.text:004093C0 ; ---------------------------------------------------------------------------
.text:004093C0
.text:004093C0 loc_4093C0:                             ; CODE XREF: .text:004093B1 j
.text:004093C0                 mov     eax, dword_4497B4
.text:004093C5                 test    eax, eax
.text:004093C7                 jz      loc_409474      ; must jump; if it doesn't it reports "unregistered" -> jmp
.text:004093CD                 push    0
.text:00409474                 push    ecx
.text:00409475                 lea     eax, [esp+14h]
.text:00409479                 mov     ecx, esp
.text:0040947B                 mov     [esp+18h], esp
.text:0040947F                 push    eax
.text:00409480                 call    sub_427054
.text:00409485                 mov     ecx, offset unk_449728
.text:0040948A                 call    sub_4034D0      ; a detailed analysis of this CALL follows below
.text:0040948F                 push    0
.text:00409491                 lea     ecx, [esp+1Ch]
.text:00409495                 call    sub_40CB70
.text:0040949A                 push    offset asc_447040 ; "导出记录"
.text:0040949F                 lea     ecx, [esp+0B4h]
.text:004094A6                 mov     byte ptr [esp+38Ch], 0Ah
.text:004094AE                 call    ??4CString@@QAEABV0@PBD@Z ; CString::operator=(char const *)
.text:004094B3                 push    offset aNJ      ; "记录已经导出成功!"
```

sub_4034D0: the analysis below is of the third CALL before the "written successfully" prompt.

```
403532h  set a breakpoint here
                mov     ecx, [eax-8]
                test    ecx, ecx
                jz      loc_4036C3      ; if this jumps it stops writing; NOP it out
403560h  set a breakpoint here
                push    offset Src      ; Str2
                push    eax             ; Str1
                mov     byte ptr [ebp+var_4], 2
                call    __mbscmp
                add     esp, 8
                test    eax, eax
                jz      loc_4036AB      ; if this jumps the program goes astray; NOP it out
403592h  set a breakpoint here
                cmp     edx, eax
                jge     loc_40          ; must be forced to jump, otherwise it goes astray -> jmp
403647   set a breakpoint here
                push    offset Src      ; Str2
                push    eax             ; Str1
                call    __mbscmp        ; compares these two strings to decide whether it is a genuine copy
                add     esp, 8
                test    eax, eax
                jz      short loc_4036AB ; if this jumps the program goes astray; NOP it out
403671   set a breakpoint here
                lea     ecx, [ebp+var_30]
                mov     byte ptr [ebp+var_4], 4
                call    ?Open@CStdioFile@@UAEHPBDIPAVCFileException@@@Z ; CStdioFile::Open(char const *,uint,CFileException *)
                test    eax, eax
                jz      short loc_4036A0 ; if this jumps the program goes astray; NOP it out
403686h  set a breakpoint here
                push    offset Src      ; Str2
                push    eax             ; Str1
                call    __mbscmp
                add     esp, 8
                test    eax, eax
                jnz     short loc_4036E7 ; must be forced to jump, otherwise it goes astray -> jmp
```

Following this method and reversing all of the jumps, the export runs, but the text is empty.

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Below is the result of tracing from the very beginning. This is the program's entry point (OEP):

```
00417276 >/$ 55             push ebp
00417277 |. 8BEC            mov ebp, esp
00417279 |. 6A FF           push -1
0041727B |. 68 E0CC4300     push 0043CCE0
00417280 |. 68 F49A4100     push 00419AF4            ; SE handler installation
```

Traced to here:

```
0042C700 . 8BCE             mov ecx, esi
0042C702 . 5B               pop ebx
0042C703 . E8 8AF6FFFF      call 0042BD92
0042C708 . F6C4 01          test ah, 1
0042C70B . 74 03            je short 0042C710
0042C70D . 6A 05            push 5
0042C70F . 5B               pop ebx
0042C710 > 53               push ebx
0042C711 . 8BCE             mov ecx, esi
0042C713 . E8 59DDFFFF      call 0042A471            ; the "unregistered" window appears
0042C718 > 397E 1C          cmp dword ptr [esi+1C], edi
0042C71B . 74 2D            je short 0042C74A
0042C71D . 68 97000000      push 97
0042C722 . 57               push edi
0042C723 . 57               push edi
0042C724 . 57               push edi
0042C725 . 57               push edi
0042C726 . 57               push edi
```

Trace results (user-defined comments):

```
Address    Disassembly                       Comment
00406392   call 0042C637                     program entry 4
004078F1   call 0040CDC0                     the key CALL that fetches the username and password
0040948A   call 004034D0                     the fatal decision is made here
0040CE1A   lea ecx, dword ptr [esp+10]       the following instructions fetch the username
0040CE2C   lea eax, dword ptr [esp+C]        username placed in EAX
0040CE30   lea edi, dword ptr [esi+C]        EDI holds "LuD"
0040CE3A   call 00425720                     strips the first character of the username
0040CE4B   call 00425733                     (initial CPU selection)
0040CE6E   push 00449804                     the following instructions fetch noteid, i.e. the password
0040CE7B   lea eax, dword ptr [esp+C]        the password has been fetched into EAX here
0040CE89   call 00425720                     the password also has its leftmost character removed
00417351   call 00425017                     program entry 1
00425027   call 0042D998                     program entry 2
0042C6EF   call 0042C348                     delay 1
0042C713   call 0042A471                     the "unregistered" window appears
0042D9DC   call dword ptr [eax+50]           program entry 3
```

40CDC0h is the entry point of the routine that fetches the username and password; it is called three times in total:

```
* Referenced by a CALL at Addresses:
|:00403511   , :004078F1   , :0040854D
|
:0040CDC0 6AFF                    push FFFFFFFF
:0040CDC2 6838644300              push 00436438
:0040CDC7 64A100000000            mov eax, dword ptr fs:[00000000]
:0040CDCD 50                      push eax
```

[Help] Network validation + local validation (VC6, unpacked; could one of you brothers take a look)
Below are all the key points that may be useful while tracing (user-defined comments):

```
Address    Disassembly                              Comment
00403511   call 0040CDC0                            here it already branches into the username/password validation routine
00406392   call 0042C637                            program entry 4
004076D0   push -1                                  validation begins
004078F1   call 0040CDC0                            key CALL fetching the username and password, no. 2
0040790C   call 0040D010                            the key CALL of the real validation @@@@@@@@
004079A3   mov edi, dword ptr [4497C8]              the next instruction loads verwnd.dll
00407AFF   call 004024A0                            delay routine 1
0040854D   call 0040CDC0                            fetches the username and password for validation, Call no. 3
0040948A   call 004034D0                            the fatal decision is made here
0040A9FD   lea ecx, dword ptr [esp+15C]             networking begins
0040AA4C   push 100                                 extracts what it wants from the web page
0040AC6A   mov eax, dword ptr [esp+28]              the following instructions complete the network connection
0040CE1A   lea ecx, dword ptr [esp+10]              the following instructions fetch the username
0040CE2C   lea eax, dword ptr [esp+C]               username placed in EAX
0040CE30   lea edi, dword ptr [esi+C]               EDI holds "LuD"
0040CE3A   call 00425720                            strips the first character of the username
0040CE6E   push 00449804                            the following instructions fetch noteid, i.e. the password
0040CE7B   lea eax, dword ptr [esp+C]               the password has been fetched into EAX here
0040CE89   call 00425720                            the password also has its leftmost character removed
0040CF52   lea ecx, dword ptr [esp+1C]              the first key starts to appear
0040CF5B   push ecx                                 the address starting at esp+4 holds the noteid
0040CF69   lea edx, dword ptr [esp+8]               at this point ESP holds everything needed for validation
0040CF6D   lea eax, dword ptr [esp+C]               "LuD" appears again
0040CF79   push eax                                 preparation before the network validation
0040D04F   call 00427054                            the CALL before the fatal jump
0040D05D   cmp dword ptr [ecx-8], 0C                here ecx is the username and [esp+4] is "LuD"
0040D061   jnz 0040D1CA                             the most fatal jump
0040D0B7   rep movs dword ptr es:[edi], dword p     takes the last two characters of the username
0040D0BB   and ecx, 3                               ecx holds the username length
0040D0C4   mov edi, 0A                              takes the first character of the username
0040D0DD   jnz 0040D1C3                             dead jump 1
0040D108   jnz 0040D1C3                             dead jump 2
0040D12B   jnz 0040D1C3                             dead jump 3
0040D14B   jnz short 0040D1C3                       dead jump 4
0040D162   jnz short 0040D1C3                       dead jump 5
0040D177   jnz short 0040D1C3                       dead jump 6
0040D190   jnz short 0040D1C3                       dead jump 7
0040D1AA   jnz short 0040D1C3                       dead jump 8
0040D1C1   je short 0040D1ED                        key jump (correct only if taken)
0040D1EB   jmp short 0040D246                       jumps away, no further validation
0040D1ED   mov dword ptr [ebp+14], 1                arriving here from 40D1C1 starts the validation
0040D1FE   call 0040CEE0                            validation trace-in, second layer (the real validation part)
00417276   push ebp                                 (initial CPU selection)
00417351   call 00425017                            program entry 1
00425027   call 0042D998                            program entry 2
0042705D   cmp dword ptr [eax-C], 0                 takes out the username
00427061   jl short 00427071                        jumps if it is empty
0042C6EF   call 0042C348                            delay 1
0042C713   call 0042A471                            the "unregistered" window appears
0042D9DC   call dword ptr [eax+50]                  program entry 3
```