VBCrackMe 的逆向修改
感谢NBW提供的资料及CrackMe
原文请看:[ VB快速逆向法 ]
http://bbs.pediy.com/showthread.php?s=&threadid=12133
。。。这里只是重复操作了一下。。。
1, 菜单可用
::00402A6F:: 6A 00 PUSH 0 ;修改为FF
::00402A71:: 57 PUSH EDI
::00402A72:: 8B0F MOV ECX,[EDI]
::00402A74:: FF51 74 CALL [ECX+74]
修改后:
::00402A6F:: 6A FF PUSH -1
::00402A71:: 57 PUSH EDI
::00402A72:: 8B0F MOV ECX, DWORD PTR [EDI]
::00402A74:: FF51 74 CALL NEAR DWORD PTR [ECX+74]
2,去NAG窗1
::0040277E:: 6A FF PUSH -1
::00402780:: 56 PUSH ESI
::00402781:: 8B06 MOV EAX,[ESI]
::00402783:: FF90 BC010000 CALL [EAX+1BC]
修改后:
::0040277E:: 6A 00 PUSH 0
::00402780:: 56 PUSH ESI
::00402781:: 8B06 MOV EAX, DWORD PTR [ESI]
::00402783:: FF90 BC010000 CALL NEAR DWORD PTR [EAX+1BC]
3, 去NAG窗2
::00402678:: 68 24404000 PUSH 404024
::0040267D:: 68 88154000 PUSH 401588 \->: \x01
::00402682:: FF15 5C104000 CALL [40105C] >>>: MSVBVM60.DLL:__vbaNew2
::00402688:: 83EC 10 SUB ESP,10 \:BYJMP JmpBy:00402676,
::0040268B:: B9 0A000000 MOV ECX,A
::00402690:: 8BDC MOV EBX,ESP
::00402692:: 894D DC MOV [EBP-24],ECX
::00402695:: B8 04000280 MOV EAX,80020004
::0040269A:: 83EC 10 SUB ESP,10
::0040269D:: 890B MOV [EBX],ECX
::0040269F:: 8B4D D0 MOV ECX,[EBP-30]
::004026A2:: 8BD0 MOV EDX,EAX
::004026A4:: 8B35 24404000 MOV ESI,[404024] ; 这里进行了赋值
::004026AA:: 894B 04 MOV [EBX+4],ECX
::004026AD:: 8BCC MOV ECX,ESP
::004026AF:: 8B3E MOV EDI,[ESI]
::004026B1:: 56 PUSH ESI ;作为参数入栈
::004026B2:: 8943 08 MOV [EBX+8],EAX
::004026B5:: 8B45 D8 MOV EAX,[EBP-28]
::004026B8:: 8943 0C MOV [EBX+C],EAX
::004026BB:: 8B45 DC MOV EAX,[EBP-24]
::004026BE:: 8901 MOV [ECX],EAX
::004026C0:: 8B45 E0 MOV EAX,[EBP-20]
::004026C3:: 8941 04 MOV [ECX+4],EAX
::004026C6:: 8951 08 MOV [ECX+8],EDX
::004026C9:: 8B55 E8 MOV EDX,[EBP-18]
::004026CC:: 8951 0C MOV [ECX+C],EDX
::004026CF:: FF97 B0020000 CALL [EDI+2B0]
DS:[00404024]=0014F6F0
ESI=0012F604
修改后:
::004026B1:: 90 NOP ; 参数NOP掉
::004026CF:: 83C4 24 ADD ESP, 24 ; CALL同样也NOP掉,平衡堆栈
::004026D2:: EB 01 JMP SHORT 004026D5
;这句也不能少,少了会出现 运行时错误' -1476327224(a80108c8)': Automation 错误
::004026D4:: 90 NOP
4,去掉文本框中的内容:
::00402B61:: 68 F41C4000 PUSH 401CF4 \->: 挥??*NFh???观
::00402B66:: 57 PUSH EDI
::00402B67:: 8B0F MOV ECX,[EDI]
::00402B69:: FF91 A4000000 CALL [ECX+A4]
改变后:
::00402B61:: 68 F41C4000 PUSH 指向其他字符的地址即可
::00402B66:: 57 PUSH EDI
::00402B67:: 8B0F MOV ECX,[EDI]
::00402B69:: FF91 A4000000 CALL [ECX+A4]
5,按钮可用:
::00402AA7:: 6A 00 PUSH 0
::00402AA9:: 57 PUSH EDI
::00402AAA:: 8B0F MOV ECX,[EDI]
::00402AAC:: FF91 8C000000 CALL [ECX+8C]
修改后:
::00402AA7:: 6A FF PUSH -1
::00402AA9:: 57 PUSH EDI
::00402AAA:: 8B0F MOV ECX, DWORD PTR [EDI] ::00402AAC:: FF91 8C000000 CALL NEAR DWORD PTR [ECX+8C]
6,旁边有个Label -->
::00402AE5:: 6A 00 PUSH 0
::00402AE7:: 57 PUSH EDI
::00402AE8:: 8B0F MOV ECX,[EDI]
::00402AEA:: FF91 9C000000 CALL [ECX+9C]
修改后:
::00402AE5:: 6A FF PUSH -1
::00402AE7:: 57 PUSH EDI
::00402AE8:: 8B0F MOV ECX,[EDI]
::00402AEA:: FF91 9C000000 CALL [ECX+9C]
7, 去掉窗口标题
内存地址401272处存放窗口标题的数据,替换修改即可!
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
、
