昨天我看到一个朋友想破解“成功助理 专业时间管理软件 5.1”。
他想爆破使用时间的限制,但时间限制类的校验通常不好直接爆破。
今天心情很好~
就写了一篇破文~~~~~~~~~
工具只用 OD(OllyDbg)。这是一个加了壳的程序,我没有用查壳工具确认具体是什么壳。
本贴仅供学习研究测试之用,切勿用于非法用途。请下载后 24 小时内自行删除。
出现的一切后果,LZ 不负直接或连带责任。
直接把 成功助理 载入 OD,用 ESP 定律到达 OEP,再按 F9 运行程序;出现错误提示框时按 F12 暂停,再按 Alt+K 打开调用堆栈窗口,在其中找到“调用来自 = SuccessP.00842FC5”。
双击该行来到:
00842FC5 E8 3E59BCFF call SuccessP.00408908 ; jmp 到 USER32.MessageBoxA —— 这是错误提示框
向上找可以发现:关键 CALL 之后的条件跳转一旦实现,就会跳到这里(00842F94 开始的这段代码)。再从关键 CALL 处一直向下运行,直到出现注册错误的提示框。
00842F94 33C0 xor eax,eax
00842F96 5A pop edx
00842F97 59 pop ecx
00842F98 59 pop ecx
00842F99 64:8910 mov dword ptr fs:[eax],edx
00842F9C EB 0A jmp short SuccessP.00842FA8
00842F9E ^ E9 1116BCFF jmp SuccessP.004045B4
00842FA3 E8 381ABCFF call SuccessP.004049E0
00842FA8 6A 30 push 30
00842FAA A1 F8A98900 mov eax,dword ptr ds:[89A9F8]
00842FAF 8B00 mov eax,dword ptr ds:[eax]
00842FB1 E8 0225BCFF call SuccessP.004054B8
00842FB6 50 push eax
00842FB7 68 3C308400 push SuccessP.0084303C
00842FBC 8B45 FC mov eax,dword ptr ss:[ebp-4]
00842FBF E8 103AC5FF call SuccessP.004969D4
00842FC4 50 push eax
00842FC5 E8 3E59BCFF call SuccessP.00408908 ; jmp 到 USER32.MessageBoxA —— 这是错误提示框
由此可以判断,关键跳所在的位置如下(它们的跳转目标都是 00842F94,即上面错误提示框的入口):
00842B01 E8 B227BCFF call SuccessP.004052B8
00842B06 83F8 03 cmp eax,3
00842B09 0F8E 85040000 jle SuccessP.00842F94 ; 前面 cmp eax,3:eax ≤ 3 时跳向错误框。正常输入时这里没有实现跳转,不用改
00842B0F 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00842B12 E8 A127BCFF call SuccessP.004052B8
00842B17 83F8 10 cmp eax,10
00842B1A 0F85 74040000 jnz SuccessP.00842F94 ; 第一个关键跳:前面 cmp eax,10,eax ≠ 0x10 时实现跳转,跳向错误框,不能让它跳,要 NOP 掉
00842B20 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00842B23 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00842B26 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00842B29 E8 82A6D3FF call SuccessP.0057D1B0
00842B2E 8B55 DC mov edx,dword ptr ss:[ebp-24]
00842B31 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00842B34 E8 CB28BCFF call SuccessP.00405404
00842B39 0F85 55040000 jnz SuccessP.00842F94 ; 第二个关键跳:紧跟 call 00405404 之后,实现跳转就跳向错误框,不能让它跳,要 NOP 掉
00842B3F A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842B44 8B00 mov eax,dword ptr ds:[eax]
00842B46 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842B4C BA 50308400 mov edx,SuccessP.00843050 ; ASCII "select * from usermsg"
00842B51 E8 6E91D3FF call SuccessP.0057BCC4
00842B56 84C0 test al,al
00842B58 0F84 36040000 je SuccessP.00842F94 ; 第三个关键跳:上面执行 "select * from usermsg" 后 test al,al,al 为 0 时实现跳转,跳向错误框,不能让它跳,要 NOP 掉
00842B5E A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842B63 8B00 mov eax,dword ptr ds:[eax]
00842B65 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842B6B E8 1896C9FF call SuccessP.004DC188
00842B70 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
00842B73 8B15 C8A68900 mov edx,dword ptr ds:[89A6C8] ; SuccessP.00897790
00842B79 8B12 mov edx,dword ptr ds:[edx]
00842B7B 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00842B7E E8 5567D3FF call SuccessP.005792D8
00842B83 8B45 D8 mov eax,dword ptr ss:[ebp-28]
00842B86 50 push eax
00842B87 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842B8C 8B00 mov eax,dword ptr ds:[eax]
00842B8E 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842B94 BA 70308400 mov edx,SuccessP.00843070 ; ASCII "field3"
00842B99 E8 2A7EC9FF call SuccessP.004DA9C8
00842B9E 5A pop edx
00842B9F 8B08 mov ecx,dword ptr ds:[eax]
00842BA1 FF91 B0000000 call dword ptr ds:[ecx+B0]
00842BA7 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00842BAA 8B15 C8A68900 mov edx,dword ptr ds:[89A6C8] ; SuccessP.00897790
00842BB0 8B12 mov edx,dword ptr ds:[edx]
00842BB2 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00842BB5 E8 1E67D3FF call SuccessP.005792D8
00842BBA 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00842BBD 50 push eax
00842BBE A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842BC3 8B00 mov eax,dword ptr ds:[eax]
00842BC5 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842BCB BA 80308400 mov edx,SuccessP.00843080 ; ASCII "field4"
00842BD0 E8 F37DC9FF call SuccessP.004DA9C8
00842BD5 5A pop edx
00842BD6 8B08 mov ecx,dword ptr ds:[eax]
00842BD8 FF91 B0000000 call dword ptr ds:[ecx+B0]
00842BDE A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842BE3 8B00 mov eax,dword ptr ds:[eax]
00842BE5 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842BEB 8B10 mov edx,dword ptr ds:[eax]
00842BED FF92 4C020000 call dword ptr ds:[edx+24C]
00842BF3 8D55 CC lea edx,dword ptr ss:[ebp-34]
00842BF6 8B45 FC mov eax,dword ptr ss:[ebp-4]
00842BF9 8B80 00030000 mov eax,dword ptr ds:[eax+300]
00842BFF E8 14D4C4FF call SuccessP.00490018
00842C04 8B45 CC mov eax,dword ptr ss:[ebp-34]
00842C07 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00842C0A E8 7976BCFF call SuccessP.0040A288
00842C0F 8B55 D0 mov edx,dword ptr ss:[ebp-30]
00842C12 A1 CCAB8900 mov eax,dword ptr ds:[89ABCC]
00842C17 E8 2024BCFF call SuccessP.0040503C
00842C1C 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00842C1F 8B45 FC mov eax,dword ptr ss:[ebp-4]
00842C22 8B80 04030000 mov eax,dword ptr ds:[eax+304]
00842C28 E8 EBD3C4FF call SuccessP.00490018
00842C2D 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
00842C30 8D55 C8 lea edx,dword ptr ss:[ebp-38]
00842C33 E8 5076BCFF call SuccessP.0040A288
00842C38 8B55 C8 mov edx,dword ptr ss:[ebp-38]
00842C3B A1 C8A98900 mov eax,dword ptr ds:[89A9C8]
00842C40 E8 F723BCFF call SuccessP.0040503C
00842C45 A1 08AA8900 mov eax,dword ptr ds:[89AA08]
00842C4A C600 01 mov byte ptr ds:[eax],1
00842C4D A1 90A48900 mov eax,dword ptr ds:[89A490]
00842C52 C600 01 mov byte ptr ds:[eax],1
00842C55 8B45 FC mov eax,dword ptr ss:[ebp-4]
00842C58 8B80 10030000 mov eax,dword ptr ds:[eax+310]
00842C5E 8078 57 00 cmp byte ptr ds:[eax+57],0
00842C62 0F84 BB020000 je SuccessP.00842F23
00842C68 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842C6D 8B00 mov eax,dword ptr ds:[eax]
00842C6F 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842C75 BA 90308400 mov edx,SuccessP.00843090 ; ASCII "select * from dbole"
00842C7A E8 4590D3FF call SuccessP.0057BCC4
00842C7F 84C0 test al,al
00842C81 0F84 9C020000 je SuccessP.00842F23
00842C87 B2 01 mov dl,1
00842C89 A1 60F34100 mov eax,dword ptr ds:[41F360]
00842C8E E8 1114BCFF call SuccessP.004040A4
00842C93 8945 F0 mov dword ptr ss:[ebp-10],eax
00842C96 E8 C9A3BCFF call SuccessP.0040D064
00842C9B 83C4 F8 add esp,-8
00842C9E DD1C24 fstp qword ptr ss:[esp]
00842CA1 9B wait
00842CA2 8D55 BC lea edx,dword ptr ss:[ebp-44]
00842CA5 B8 AC308400 mov eax,SuccessP.008430AC ; ASCII "yyyy-mm-dd"
00842CAA E8 9DB1BCFF call SuccessP.0040DE4C
00842CAF 8B45 BC mov eax,dword ptr ss:[ebp-44]
00842CB2 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00842CB5 8B15 C8A68900 mov edx,dword ptr ds:[89A6C8] ; SuccessP.00897790
00842CBB 8B12 mov edx,dword ptr ds:[edx]
00842CBD E8 1E65D3FF call SuccessP.005791E0
00842CC2 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00842CC5 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842CC8 E8 C369D3FF call SuccessP.00579690
00842CCD 33C0 xor eax,eax
00842CCF 55 push ebp
00842CD0 68 112F8400 push SuccessP.00842F11
00842CD5 64:FF30 push dword ptr fs:[eax]
00842CD8 64:8920 mov dword ptr fs:[eax],esp
00842CDB A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842CE0 8B00 mov eax,dword ptr ds:[eax]
00842CE2 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842CE8 8B10 mov edx,dword ptr ds:[eax]
00842CEA FF92 4C010000 call dword ptr ds:[edx+14C]
00842CF0 85C0 test eax,eax
00842CF2 0F8E 0A010000 jle SuccessP.00842E02
00842CF8 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842CFD 8B00 mov eax,dword ptr ds:[eax]
00842CFF 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842D05 E8 7E94C9FF call SuccessP.004DC188
00842D0A 6A 00 push 0
00842D0C 6A 00 push 0
00842D0E 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00842D11 E8 9E20BEFF call SuccessP.00424DB4
00842D16 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842D1B 8B00 mov eax,dword ptr ds:[eax]
00842D1D 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842D23 BA C0308400 mov edx,SuccessP.008430C0 ; ASCII "f1"
00842D28 E8 9B7CC9FF call SuccessP.004DA9C8
00842D2D 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842D33 E8 4C15BCFF call SuccessP.00404284
00842D38 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842D3B E8 441DC9FF call SuccessP.004D4A84
00842D40 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842D45 8B00 mov eax,dword ptr ds:[eax]
00842D47 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842D4D BA CC308400 mov edx,SuccessP.008430CC ; ASCII "f2"
00842D52 E8 717CC9FF call SuccessP.004DA9C8
00842D57 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842D5D E8 2215BCFF call SuccessP.00404284
00842D62 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842D65 E8 1A1DC9FF call SuccessP.004D4A84
00842D6A A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842D6F 8B00 mov eax,dword ptr ds:[eax]
00842D71 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842D77 BA D8308400 mov edx,SuccessP.008430D8 ; ASCII "f3"
00842D7C E8 477CC9FF call SuccessP.004DA9C8
00842D81 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842D87 E8 F814BCFF call SuccessP.00404284
00842D8C 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842D8F E8 F01CC9FF call SuccessP.004D4A84
00842D94 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842D99 8B00 mov eax,dword ptr ds:[eax]
00842D9B 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842DA1 BA E4308400 mov edx,SuccessP.008430E4 ; ASCII "f4"
00842DA6 E8 1D7CC9FF call SuccessP.004DA9C8
00842DAB 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842DB1 E8 CE14BCFF call SuccessP.00404284
00842DB6 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842DB9 E8 C61CC9FF call SuccessP.004D4A84
00842DBE A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842DC3 8B00 mov eax,dword ptr ds:[eax]
00842DC5 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842DCB BA F0308400 mov edx,SuccessP.008430F0 ; ASCII "f5"
00842DD0 E8 F37BC9FF call SuccessP.004DA9C8
00842DD5 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842DDB E8 A414BCFF call SuccessP.00404284
00842DE0 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842DE3 E8 9C1CC9FF call SuccessP.004D4A84
00842DE8 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842DED 8B00 mov eax,dword ptr ds:[eax]
00842DEF 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842DF5 8B10 mov edx,dword ptr ds:[eax]
00842DF7 FF92 4C020000 call dword ptr ds:[edx+24C]
00842DFD E9 05010000 jmp SuccessP.00842F07
00842E02 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842E07 8B00 mov eax,dword ptr ds:[eax]
00842E09 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842E0F E8 0894C9FF call SuccessP.004DC21C
00842E14 6A 00 push 0
00842E16 6A 00 push 0
00842E18 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00842E1B E8 941FBEFF call SuccessP.00424DB4
00842E20 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842E25 8B00 mov eax,dword ptr ds:[eax]
00842E27 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842E2D BA C0308400 mov edx,SuccessP.008430C0 ; ASCII "f1"
00842E32 E8 917BC9FF call SuccessP.004DA9C8
00842E37 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842E3D E8 4214BCFF call SuccessP.00404284
00842E42 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842E45 E8 3A1CC9FF call SuccessP.004D4A84
00842E4A A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842E4F 8B00 mov eax,dword ptr ds:[eax]
00842E51 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842E57 BA CC308400 mov edx,SuccessP.008430CC ; ASCII "f2"
00842E5C E8 677BC9FF call SuccessP.004DA9C8
00842E61 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842E67 E8 1814BCFF call SuccessP.00404284
00842E6C 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842E6F E8 101CC9FF call SuccessP.004D4A84
00842E74 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842E79 8B00 mov eax,dword ptr ds:[eax]
00842E7B 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842E81 BA D8308400 mov edx,SuccessP.008430D8 ; ASCII "f3"
00842E86 E8 3D7BC9FF call SuccessP.004DA9C8
00842E8B 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842E91 E8 EE13BCFF call SuccessP.00404284
00842E96 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842E99 E8 E61BC9FF call SuccessP.004D4A84
00842E9E A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842EA3 8B00 mov eax,dword ptr ds:[eax]
00842EA5 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842EAB BA E4308400 mov edx,SuccessP.008430E4 ; ASCII "f4"
00842EB0 E8 137BC9FF call SuccessP.004DA9C8
00842EB5 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842EBB E8 C413BCFF call SuccessP.00404284
00842EC0 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842EC3 E8 BC1BC9FF call SuccessP.004D4A84
00842EC8 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842ECD 8B00 mov eax,dword ptr ds:[eax]
00842ECF 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842ED5 BA F0308400 mov edx,SuccessP.008430F0 ; ASCII "f5"
00842EDA E8 E97AC9FF call SuccessP.004DA9C8
00842EDF 8B15 DCB34C00 mov edx,dword ptr ds:[4CB3DC] ; SuccessP.004CB428
00842EE5 E8 9A13BCFF call SuccessP.00404284
00842EEA 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00842EED E8 921BC9FF call SuccessP.004D4A84
00842EF2 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842EF7 8B00 mov eax,dword ptr ds:[eax]
00842EF9 8B80 40030000 mov eax,dword ptr ds:[eax+340]
00842EFF 8B10 mov edx,dword ptr ds:[eax]
00842F01 FF92 4C020000 call dword ptr ds:[edx+24C]
00842F07 33C0 xor eax,eax
00842F09 5A pop edx
00842F0A 59 pop ecx
00842F0B 59 pop ecx
00842F0C 64:8910 mov dword ptr fs:[eax],edx
00842F0F EB 0A jmp short SuccessP.00842F1B
00842F11 ^ E9 9E16BCFF jmp SuccessP.004045B4
00842F16 E8 C51ABCFF call SuccessP.004049E0
00842F1B 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00842F1E E8 B111BCFF call SuccessP.004040D4
00842F23 6A 30 push 30
00842F25 A1 F8A98900 mov eax,dword ptr ds:[89A9F8]
00842F2A 8B00 mov eax,dword ptr ds:[eax]
00842F2C E8 8725BCFF call SuccessP.004054B8
00842F31 50 push eax
00842F32 68 F4308400 push SuccessP.008430F4
00842F37 8B45 FC mov eax,dword ptr ss:[ebp-4]
00842F3A E8 953AC5FF call SuccessP.004969D4
00842F3F 50 push eax
00842F40 E8 C359BCFF call SuccessP.00408908 ; jmp 到 USER32.MessageBoxA —— 这是注册成功(正确)提示框
00842F45 A1 F8A28900 mov eax,dword ptr ds:[89A2F8]
00842F4A 8B00 mov eax,dword ptr ds:[eax]
大家可以用 SMC 技术,也可以先脱壳再把那三个关键跳(00842B1A、00842B39、00842B58)NOP 掉,就可以爆破了。
哈哈~~~~~~
我在 OD 中 NOP 掉那三个关键跳后直接运行程序,它就显示注册成功了。
真的不用上面说的 SMC 或脱壳:只在 OD 内存里把那三个关键跳 NOP 掉一次,程序就会显示注册成功。推测原因是 00842C45 之后的成功分支会去操作 dbole 表(格式化 "yyyy-mm-dd" 日期、访问 f1~f5 字段),也就是把注册状态保存到了程序自己的数据库里,所以不需要改动文件本身——这一点我没有进一步验证。