爆破某百度排名点击器,打补丁,求邀请码
本人是一个菜鸟,,对脱壳破解很感兴趣,,看了几课教程,,
这次 百度排名点击器,为了邀请码,
下面开始了,,见笑了,, 图片传不上来,,,
第一步:查壳 ASPack 2.12 -> Alexey Solodovnikov
第二步:Od载入,,脱壳,,这种壳,想到了用 ESP 定律法来脱,
1.开始就点F8向下走,注意观察OD右上角的寄存器中ESP有没突现
左键选中ESP的值,右键数据窗口跟随
2.在数据窗口找到地址0012FFA4,选中要下断点的地址,
右键下硬件访问断点,选择WORD
3.F9运行程序,断在005763B0处,
4.单步往下跟,立马找到OEP,OEP地址:0052A86C
5.接下来删除硬件断点,DUMP
6.尝试运行.可以,就不用修复了.PEID查壳,程序是用Borland Delphi 6.0 - 7.0 写的
第三步,载入OD,查看字符串,找关键字,Ultra 字符串参考,项目 1936
地址=00529E80
反汇编=mov edx,脱后的.00529FEC
文本字符串=已注册
打开这里 向上看
00529E11 /0F85 C7000000 jnz 脱后的.00529EDE
00529E17 |33D2 xor edx,edx
00529E19 |8B83 10040000 mov eax,dword ptr ds:[ebx+410]
00529E1F |8B08 mov ecx,dword ptr ds:[eax]
00529E21 |FF51 64 call dword ptr ds:[ecx+64]
00529E24 |8B45 FC mov eax,dword ptr ss:[ebp-4]
00529E27 |E8 C0ACEDFF call 脱后的.00404AEC
00529E2C |8BD0 mov edx,eax
00529E2E |4A dec edx
00529E2F |8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00529E32 |8B45 FC mov eax,dword ptr ss:[ebp-4]
00529E35 |E8 D6C2F0FF call 脱后的.00436110
00529E3A |8B55 E0 mov edx,dword ptr ss:[ebp-20]
00529E3D |8B83 00040000 mov eax,dword ptr ds:[ebx+400]
00529E43 |E8 3020F3FF call 脱后的.0045BE78
00529E48 |8D55 DC lea edx,dword ptr ss:[ebp-24]
00529E4B |8B83 00040000 mov eax,dword ptr ds:[ebx+400]
00529E51 |E8 F21FF3FF call 脱后的.0045BE48
00529E56 |8B55 DC mov edx,dword ptr ss:[ebp-24]
00529E59 |B8 7C235300 mov eax,脱后的.0053237C
00529E5E |E8 1DAAEDFF call 脱后的.00404880
00529E63 |8D45 D8 lea eax,dword ptr ss:[ebp-28]
00529E66 |B9 D89F5200 mov ecx,脱后的.00529FD8 ; config.xml
00529E6B |8B15 68235300 mov edx,dword ptr ds:[532368]
00529E71 |E8 C2ACEDFF call 脱后的.00404B38
00529E76 |8B45 D8 mov eax,dword ptr ss:[ebp-28]
00529E79 |33D2 xor edx,edx
00529E7B |E8 78A5FFFF call 脱后的.005243F8
00529E80 |BA EC9F5200 mov edx,脱后的.00529FEC ; 已注册
00529E85 |8B83 18040000 mov eax,dword ptr ds:[ebx+418]
00529E8B |E8 E81FF3FF call 脱后的.0045BE78
00529E90 |8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00529E93 |A1 F0085300 mov eax,dword ptr ds:[5308F0]
00529E98 |8B00 mov eax,dword ptr ds:[eax]
00529E9A |E8 CD1BF5FF call 脱后的.0047BA6C
00529E9F |8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00529EA2 |A1 64235300 mov eax,dword ptr ds:[532364]
00529EA7 |E8 CC1FF3FF call 脱后的.0045BE78
00529EAC |6A 40 push 40
00529EAE |68 689F5200 push 脱后的.00529F68
00529EB3 |68 F49F5200 push 脱后的.00529FF4 ; 激活成功!
00529EB8 |A1 64235300 mov eax,dword ptr ds:[532364]
00529EBD |E8 A687F3FF call 脱后的.00462668
00529EC2 |50 push eax
00529EC3 |E8 38DAEDFF call <jmp.&user32.MessageBoxA>
00529EC8 |C605 84235300 0>mov byte ptr ds:[532384],1
00529ECF |B2 01 mov dl,1
00529ED1 |8B83 58030000 mov eax,dword ptr ds:[ebx+358]
00529ED7 |8B08 mov ecx,dword ptr ds:[eax]
00529ED9 |FF51 64 call dword ptr ds:[ecx+64]
00529EDC |EB 20 jmp short 脱后的.00529EFE
00529EDE \6A 10 push 10
JNZ 00529EDE跳过了这个验证
可以改为jz或者直接NOP 这里我就NOP掉了哈,再向上看又出现一个跳
00529D8B /E9 6E010000 jmp 脱后的.00529EFE
00529D90 |8BB3 20040000 mov esi,dword ptr ds:[ebx+420]
00529D96 |C686 10010000 0>mov byte ptr ds:[esi+110],1
00529D9D |FF35 8C235300 push dword ptr ds:[53238C]
00529DA3 |68 949F5200 push 脱后的.00529F94 ; /active.asp?v1=
00529DA8 |FF35 80235300 push dword ptr ds:[532380]
00529DAE |68 AC9F5200 push 脱后的.00529FAC ; &v2=
00529DB3 |8D55 EC lea edx,dword ptr ss:[ebp-14]
00529DB6 |8B83 0C040000 mov eax,dword ptr ds:[ebx+40C]
00529DBC |E8 8720F3FF call 脱后的.0045BE48
00529DC1 |FF75 EC push dword ptr ss:[ebp-14]
00529DC4 |68 BC9F5200 push 脱后的.00529FBC ; &v3=
00529DC9 |8D55 E8 lea edx,dword ptr ss:[ebp-18]
00529DCC |8B83 2C040000 mov eax,dword ptr ds:[ebx+42C]
00529DD2 |E8 7120F3FF call 脱后的.0045BE48
00529DD7 |FF75 E8 push dword ptr ss:[ebp-18]
00529DDA |8D45 F0 lea eax,dword ptr ss:[ebp-10]
00529DDD |BA 07000000 mov edx,7
00529DE2 |E8 C5ADEDFF call 脱后的.00404BAC
00529DE7 |8B55 F0 mov edx,dword ptr ss:[ebp-10]
00529DEA |8D4D FC lea ecx,dword ptr ss:[ebp-4]
00529DED |8BC6 mov eax,esi
00529DEF |E8 282CFEFF call 脱后的.0050CA1C
00529DF4 |8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
00529DF7 |BA 01000000 mov edx,1
00529DFC |8B45 FC mov eax,dword ptr ss:[ebp-4]
00529DFF |E8 9CC2F0FF call 脱后的.004360A0
00529E04 |8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00529E07 |BA CC9F5200 mov edx,脱后的.00529FCC ; 1
00529E0C |E8 27AEEDFF call 脱后的.00404C38
00529E11 |90 nop
00529E12 |90 nop
00529E13 |90 nop
00529E14 |90 nop
00529E15 |90 nop
00529E16 |90 nop
00529E17 |33D2 xor edx,edx
00529E19 |8B83 10040000 mov eax,dword ptr ds:[ebx+410]
00529E1F |8B08 mov ecx,dword ptr ds:[eax]
00529E21 |FF51 64 call dword ptr ds:[ecx+64]
00529E24 |8B45 FC mov eax,dword ptr ss:[ebp-4]
00529E27 |E8 C0ACEDFF call 脱后的.00404AEC
00529E2C |8BD0 mov edx,eax
00529E2E |4A dec edx
00529E2F |8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00529E32 |8B45 FC mov eax,dword ptr ss:[ebp-4]
00529E35 |E8 D6C2F0FF call 脱后的.00436110
00529E3A |8B55 E0 mov edx,dword ptr ss:[ebp-20]
00529E3D |8B83 00040000 mov eax,dword ptr ds:[ebx+400]
00529E43 |E8 3020F3FF call 脱后的.0045BE78
00529E48 |8D55 DC lea edx,dword ptr ss:[ebp-24]
00529E4B |8B83 00040000 mov eax,dword ptr ds:[ebx+400]
00529E51 |E8 F21FF3FF call 脱后的.0045BE48
00529E56 |8B55 DC mov edx,dword ptr ss:[ebp-24]
00529E59 |B8 7C235300 mov eax,脱后的.0053237C
00529E5E |E8 1DAAEDFF call 脱后的.00404880
00529E63 |8D45 D8 lea eax,dword ptr ss:[ebp-28]
00529E66 |B9 D89F5200 mov ecx,脱后的.00529FD8 ; config.xml
00529E6B |8B15 68235300 mov edx,dword ptr ds:[532368]
00529E71 |E8 C2ACEDFF call 脱后的.00404B38
00529E76 |8B45 D8 mov eax,dword ptr ss:[ebp-28]
00529E79 |33D2 xor edx,edx
00529E7B |E8 78A5FFFF call 脱后的.005243F8
00529E80 |BA EC9F5200 mov edx,脱后的.00529FEC ; 已注册
00529E85 |8B83 18040000 mov eax,dword ptr ds:[ebx+418]
00529E8B |E8 E81FF3FF call 脱后的.0045BE78
00529E90 |8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00529E93 |A1 F0085300 mov eax,dword ptr ds:[5308F0]
00529E98 |8B00 mov eax,dword ptr ds:[eax]
00529E9A |E8 CD1BF5FF call 脱后的.0047BA6C
00529E9F |8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00529EA2 |A1 64235300 mov eax,dword ptr ds:[532364]
00529EA7 |E8 CC1FF3FF call 脱后的.0045BE78
00529EAC |6A 40 push 40
00529EAE |68 689F5200 push 脱后的.00529F68
00529EB3 |68 F49F5200 push 脱后的.00529FF4 ; 激活成功!
00529EB8 |A1 64235300 mov eax,dword ptr ds:[532364]
00529EBD |E8 A687F3FF call 脱后的.00462668
00529EC2 |50 push eax
00529EC3 |E8 38DAEDFF call <jmp.&user32.MessageBoxA>
00529EC8 |C605 84235300 0>mov byte ptr ds:[532384],1
00529ECF |B2 01 mov dl,1
00529ED1 |8B83 58030000 mov eax,dword ptr ds:[ebx+358]
00529ED7 |8B08 mov ecx,dword ptr ds:[eax]
00529ED9 |FF51 64 call dword ptr ds:[ecx+64]
00529EDC |EB 20 jmp short 脱后的.00529EFE
00529EDE |6A 10 push 10
00529EE0 |68 689F5200 push 脱后的.00529F68
00529EE5 |8B45 FC mov eax,dword ptr ss:[ebp-4]
00529EE8 |E8 FFADEDFF call 脱后的.00404CEC
00529EED |50 push eax
00529EEE |A1 64235300 mov eax,dword ptr ds:[532364]
00529EF3 |E8 7087F3FF call 脱后的.00462668
00529EF8 |50 push eax
00529EF9 |E8 02DAEDFF call <jmp.&user32.MessageBoxA>
00529EFE \33C0 xor eax,eax
为了保险 把这个也给NOP 这玩意是个网络验证
好了,,保存 打开一下看看是否能注册成功 OK,注册成功,,我再打个补丁,,别人就可以用了,,
传到网盘上,,没破解的和补丁文件,,
网盘地址 http://e.ys168.com/?kanxue520
谢谢大家