crackerlnn's crack456 is written in VB. Searching for strings turns up nothing at all, and among the functions I had no idea which one to break on, so I thought of a message breakpoint. An earlier poster cracked it by breaking on a function (that function is really rather obscure; maybe my horizons are just too narrow, heh). Enough chatter, on to the main topic.
1. Load the program in OD and press F9 to run.
2. Press ALT+W, select the "Register" window, right-click it and choose to set a message breakpoint on ClassProc, then OK. Set the message breakpoint to 202 WM_LBUTTONUP, and be sure to select "break only in the current window": if you choose "break in any window", then once the message breakpoint is set and you click run, the registration-code box can no longer be typed into.
3. Enter a username and registration code and click Register; the program breaks at:
7299F74E > 55 PUSH EBP
7299F74F 8BEC MOV EBP,ESP
7299F751 83EC 30 SUB ESP,30
7299F754 53 PUSH EBX
7299F755 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
7299F758 56 PUSH ESI
7299F759 57 PUSH EDI
7299F75A 53 PUSH EBX
7299F75B E8 2DBEFAFF CALL MSVBVM60.7294B58D
7299F760 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
7299F763 8BF0 MOV ESI,EAX
7299F765 85F6 TEST ESI,ESI
7299F767 75 40 JNZ SHORT MSVBVM60.7299F7A9
7299F769 83FF 24 CMP EDI,24
7299F76C 74 1D JE SHORT MSVBVM60.7299F78B
7299F76E 83FF 46 CMP EDI,46
7299F771 74 18 JE SHORT MSVBVM60.7299F78B
7299F773 81FF 80000000 CMP EDI,80
7299F779 0F86 6F020000 JBE MSVBVM60.7299F9EE
7299F77F 81FF 82000000 CMP EDI,82
7299F785 0F87 63020000 JA MSVBVM60.7299F9EE
7299F78B 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
7299F78E B9 70E4A472 MOV ECX,MSVBVM60.72A4E470
7299F793 50 PUSH EAX
7299F794 E8 D261FAFF CALL MSVBVM60.7294596B
7299F799 85C0 TEST EAX,EAX
7299F79B 74 0C JE SHORT MSVBVM60.7299F7A9
7299F79D 57 PUSH EDI
7299F79E 53 PUSH EBX
7299F79F FF75 EC PUSH DWORD PTR SS:[EBP-14]
7299F7A2 E8 5EFFFFFF CALL MSVBVM60.7299F705
...
At this point we are in low-level system code. Following the method from the book 《加密解密》, press ALT+M, select the .text section (the one belonging to crack456), press F2, then F9 to run. We are still in system territory, but no matter: repeat the same method until OD shows that we are in crack456's territory.
00401EB1 . 816C24 04 4B0>SUB DWORD PTR SS:[ESP+4],4B
00401EB9 . E9 52010000 JMP crack456.00402010
00401EBE . 816C24 04 3B0>SUB DWORD PTR SS:[ESP+4],3B
00401EC6 . E9 75030000 JMP crack456.00402240
00401ECB . 816C24 04 370>SUB DWORD PTR SS:[ESP+4],37
00401ED3 . E9 68040000 JMP crack456.00402340
00401ED8 EC1E4000 DD crack456.00401EEC
00401EDC 00 DB 00
00401EDD 00 DB 00
00401EDE 00 DB 00
00401EDF 00 DB 00
00401EE0 00 DB 00
00401EE1 00 DB 00
00401EE2 00 DB 00
...(about 4 or 5 times; by now we are in the system's territory, see the screenshot in the attachment)
004020AD . 50 PUSH EAX
004020AE . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004020B4 > 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; fetch the registration name
004020B7 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004020BA . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004020BD . 895D C0 MOV DWORD PTR SS:[EBP-40],EBX ; registration name
004020C0 . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
004020C3 . C745 AC 08000>MOV DWORD PTR SS:[EBP-54],8
004020CA . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
004020D0 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004020D3 . FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004020D9 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
004020DB . 56 PUSH ESI
004020DC . FF90 08030000 CALL DWORD PTR DS:[EAX+308]
004020E2 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004020E5 . 50 PUSH EAX
004020E6 . 51 PUSH ECX
004020E7 . FF15 28104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004020ED . 8BF8 MOV EDI,EAX
004020EF . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
004020F2 . 50 PUSH EAX
004020F3 . 57 PUSH EDI
004020F4 . 8B17 MOV EDX,DWORD PTR DS:[EDI]
004020F6 . FF92 A0000000 CALL DWORD PTR DS:[EDX+A0]
004020FC . 3BC3 CMP EAX,EBX
004020FE . DBE2 FCLEX
00402100 . 7D 12 JGE SHORT crack456.00402114
00402102 . 68 A0000000 PUSH 0A0
00402107 . 68 C8184000 PUSH crack456.004018C8
0040210C . 57 PUSH EDI
0040210D . 50 PUSH EAX
0040210E . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00402114 > 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; fetch the entered (fake) code
00402117 . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0040211A . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
0040211D . 895D C0 MOV DWORD PTR SS:[EBP-40],EBX ; entered (fake) code
00402120 . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00402123 . C745 AC 08000>MOV DWORD PTR SS:[EBP-54],8
0040212A . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMo>; MSVBVM60.__vbaVarMove
00402130 . 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00402133 . FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00402139 . BA DC184000 MOV EDX,crack456.004018DC ; c
0040213E . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00402141 . FF15 78104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00402147 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
0040214A . 8B3D 88104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarCmpEq
00402150 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00402153 . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
00402156 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0040215C . 52 PUSH EDX
0040215D . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00402160 . 50 PUSH EAX
00402161 . 51 PUSH ECX
00402162 . C785 7CFFFFFF>MOV DWORD PTR SS:[EBP-84],8008
0040216C . 66:C785 74FFF>MOV WORD PTR SS:[EBP-8C],463
00402175 . C785 6CFFFFFF>MOV DWORD PTR SS:[EBP-94],8002
0040217F . FFD7 CALL EDI ; <&MSVBVM60.__vbaVarCmpEq>
00402181 . 50 PUSH EAX
00402182 . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00402185 . 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
0040218B . 52 PUSH EDX
0040218C . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
0040218F . 50 PUSH EAX
00402190 . 51 PUSH ECX
00402191 . FFD7 CALL EDI
00402193 . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
00402196 . 50 PUSH EAX
00402197 . 52 PUSH EDX
00402198 . FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAn>; MSVBVM60.__vbaVarAnd
0040219E . 50 PUSH EAX
0040219F . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
004021A5 66:85C0 TEST AX,AX
004021A8 74 07 JE SHORT crack456.004021B1 ; key jump (patch point), NOP it out
004021AA 68 F8184000 PUSH crack456.004018F8
004021AF . EB 05 JMP SHORT crack456.004021B6
004021B1 > 68 10194000 PUSH crack456.00401910
004021B6 > 56 PUSH ESI
004021B7 . 68 08194000 PUSH crack456.00401908
004021BC . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaPrint>; MSVBVM60.__vbaPrintObj ; this is the function that displays the text in the window
004021C2 . 83C4 0C ADD ESP,0C
004021C5 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004021C8 . 68 13224000 PUSH crack456.00402213
That will do; I'll leave the algorithm unanalyzed for now. That's a wrap, heh.
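As an added illustration (my own code, not part of the post), here is a small parser for OllyDbg-style listings like the one above. It walks the lines, remembers which register holds a VB6 runtime import (MOV EDI,[<&__vbaVarCmpEq>]), resolves both direct and CALL EDI calls, and reports the first conditional jump that follows a run of __vbaVarCmp*/__vbaVarAnd/__vbaBoolVarNull calls, which is exactly how the key jump at 004021A8 was located. The PREFIXES list and the sample lines are my own constructions.

```python
import re
# Prefixes of the VB6 runtime calls whose result a key jump consumes (my list).
PREFIXES = ("__vbaVarCmp", "__vbaVarTst", "__vbaStrCmp",
            "__vbaVarAnd", "__vbaVarOr", "__vbaBoolVarNull")
LINE = re.compile(r"^\s*([0-9A-F]{8})\b(.*)$")          # OllyDbg address column
MNEM = re.compile(r"\b(MOV|CALL|TEST|CMP|J[A-Z]{1,3})\b\s*(.*)")
REG = re.compile(r"^(E[A-D]X|E[SD]I|EBP)\s*,")

def parse_line(line):
    """Return (address, mnemonic, operands, __vba names seen) or None."""
    m = LINE.match(line)
    if not m:
        return None
    body, _, comment = m.group(2).partition(";")   # comment holds the full name
    op = MNEM.search(body)
    if not op:
        return None
    return m.group(1), op.group(1), op.group(2).strip(), re.findall(r"__vba\w+", body + " " + comment)

def find_compare_branches(listing):
    """Return [(jump_addr, jump, target, [runtime calls feeding the flag])]."""
    regs, pending, found = {}, [], []              # regs: EDI -> __vbaVarCmpEq etc.
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        addr, mnem, ops, names = parsed
        if mnem == "MOV":                          # MOV EDI,[<&__vbaX>] => remember
            r = REG.match(ops)
            if r:
                regs[r.group(1)] = names[-1] if names else None
        elif mnem == "CALL":                       # direct import or CALL EDI
            target = names[-1] if names else regs.get(ops)
            if target and target.startswith(PREFIXES):
                pending.append(target)
        elif mnem[0] == "J" and mnem != "JMP" and pending:
            found.append((addr, mnem, ops.replace("SHORT ", ""), pending))
            pending = []
    return found

# Constructed sample: the comparison block from the listing above.
SAMPLE = """\
0040214A . 8B3D 88104000 MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarCmpEq
0040217F . FFD7 CALL EDI ; <&MSVBVM60.__vbaVarCmpEq>
00402191 . FFD7 CALL EDI
00402198 . FF15 54104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarAn>; MSVBVM60.__vbaVarAnd
0040219F . FF15 34104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaBoolV>; MSVBVM60.__vbaBoolVarNull
004021A5 66:85C0 TEST AX,AX
004021A8 74 07 JE SHORT crack456.004021B1
"""
```

Running `find_compare_branches(SAMPLE)` yields the JE at 004021A8 together with the two VarCmpEq calls, the VarAnd and the BoolVarNull that feed it.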