[Old post] [Original] Patching the CR-Game0.6 (6+1 levels) program
Posted: 2015-12-9 19:36
CR-Game0.6 (6+1 levels), written by JiP, is the third program I have studied. My skill is limited, so for now I have only looked at patching it.
level 1:
00401A13 /$ 55 push ebp
00401A14 |. 8BEC mov ebp,esp
00401A16 |. 83C4 F4 add esp,-0C
00401A19 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00401A1C |. 50 push eax ; /lParam
00401A1D |. 6A 0C push 0C ; |wParam = C
00401A1F |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401A21 |. FF35 2C404000 push dword ptr ds:[40402C] ; |hWnd = NULL
00401A27 |. E8 BE120000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401A2C |. 83F8 03 cmp eax,3 ;serial length must be greater than 3
00401A2F |. 0F8E 9F000000 jle CR-Game0.00401AD4 ;patch here
At file offset 0xE2F, change the bytes 0F 8E 9F 00 00 00 to E9 99 00 00 00 90.
level 2:
00401ADA /$ 55 push ebp
00401ADB |. 8BEC mov ebp,esp
00401ADD |. 83C4 F4 add esp,-0C
00401AE0 |. 53 push ebx
00401AE1 |. 8D45 F6 lea eax,dword ptr ss:[ebp-A]
00401AE4 |. 50 push eax ; /lParam
00401AE5 |. 6A 0A push 0A ; |wParam = A
00401AE7 |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401AE9 |. FF35 2C404000 push dword ptr ds:[40402C] ; |hWnd = C04AA
00401AEF |. E8 F6110000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401AF4 |. 83F8 08 cmp eax,8 ;serial length must be greater than 8
00401AF7 |. 7E 60 jle short CR-Game0.00401B59 ;patch here
At file offset 0xEF7, change the bytes 7E 60 to EB 59.
level 3:
00401B5E /$ 55 push ebp
00401B5F |. 8BEC mov ebp, esp
00401B61 |. 83C4 A4 add esp, -5C
00401B64 |. 53 push ebx
00401B65 |. 51 push ecx
00401B66 |. 52 push edx
00401B67 |. 57 push edi
00401B68 |. 8D45 D0 lea eax, dword ptr [ebp-30]
00401B6B |. 50 push eax ; /lParam
00401B6C |. 6A 15 push 15 ; |wParam = 15
00401B6E |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401B70 |. FF35 24404000 push dword ptr [404024] ; |hWnd = 1401B4
00401B76 |. E8 6F110000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401B7B |. 83F8 05 cmp eax, 5
00401B7E 0F82 89000000 jb 00401C0D ;patch here
At file offset 0xF7E, change the bytes 0F 82 89 00 00 00 to E9 83 00 00 00 90.
level 4:
00401C15 /$ 55 push ebp
00401C16 |. 8BEC mov ebp, esp
00401C18 |. 83C4 8C add esp, -74
00401C1B |. 53 push ebx
00401C1C |. 51 push ecx
00401C1D |. 52 push edx
00401C1E |. 56 push esi
00401C1F |. 57 push edi
00401C20 |. 8D45 B5 lea eax, dword ptr [ebp-4B]
00401C23 |. 50 push eax ; /lParam
00401C24 |. 6A 15 push 15 ; |wParam = 15
00401C26 |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401C28 |. FF35 24404000 push dword ptr [404024] ; |hWnd = 1401B4
00401C2E |. E8 B7100000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401C33 |. 83F8 05 cmp eax, 5
00401C36 0F82 FB000000 jb 00401D37 ;patch here
At file offset 0x1036, change the bytes 0F 82 FB 00 00 00 to E9 F5 00 00 00 90.
level 5:
00401D40 /$ 55 push ebp
00401D41 |. 8BEC mov ebp, esp
00401D43 |. 83C4 8C add esp, -74
00401D46 |. 53 push ebx
00401D47 |. 51 push ecx
00401D48 |. 52 push edx
00401D49 |. 56 push esi
00401D4A |. 57 push edi
00401D4B |. 8D45 B5 lea eax, dword ptr [ebp-4B]
00401D4E |. 50 push eax ; /lParam
00401D4F |. 6A 15 push 15 ; |wParam = 15
00401D51 |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401D53 |. FF35 24404000 push dword ptr [404024] ; |hWnd = 1401B4
00401D59 |. E8 8C0F0000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401D5E |. 83F8 05 cmp eax, 5
00401D61 0F82 C6000000 jb 00401E2D ;patch here
At file offset 0x1161, change the bytes 0F 82 C6 00 00 00 to E9 C0 00 00 00 90.
level 6:
00401E36 /$ 55 push ebp
00401E37 |. 8BEC mov ebp, esp
00401E39 |. 83C4 80 add esp, -80
00401E3C |. 60 pushad
00401E3D |. 8D45 E0 lea eax, dword ptr [ebp-20]
00401E40 |. 50 push eax ; /lParam
00401E41 |. 6A 20 push 20 ; |wParam = 20
00401E43 |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401E45 |. FF35 24404000 push dword ptr [404024] ; |hWnd = 1401B4
00401E4B |. E8 9A0E0000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401E50 |. 83F8 05 cmp eax, 5
00401E53 0F82 1D010000 jb 00401F76 ;patch here
At file offset 0x1253, change the bytes 0F 82 1D 01 00 00 to E9 17 01 00 00 90.
level 7:
004022C5 |> \83F8 06 cmp eax, 6
004022C8 |. 75 0A jnz short 004022D4
004022CA |. E8 67FBFFFF call 00401E36 ; Case 5 of switch 0040226D
004022CF |. E9 83000000 jmp 00402357
004022D4 |> E8 81F6FFFF call 0040195A ; Default case of switch 0040226D
004022D9 |. 83F8 00 cmp eax, 0
004022DC 75 74 jnz short 00402352 ;patch here
At file offset 0x16DC, change the bytes 75 74 to EB 1E.
I traced the author's entire program carefully. I am more interested in the program's design than in its registration algorithm. The author's dialog, controls and layout all appear to be owner-drawn, and a custom edit box is defined on top of the standard edit control. The program is concise and tidy, good code for beginners learning SDK programming. I hope the author will publish the source for beginners to learn from; that would be a great service.
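The seven patches above all follow one pattern: a conditional jump to the failure path is overwritten with an unconditional jump of the same length, NOP-padded where the jcc was six bytes. The following is an added example, not code from the post or from JiP's program: a small patcher that decodes each original jcc to confirm the target the listing shows, re-encodes the replacement jmp to confirm it reproduces the post's bytes, maps each VA to a file offset through the PE section table instead of trusting the hard-coded offset, and refuses to write unless the bytes on disk match the listing. Assumptions: the landing addresses it reports (0x401ACD and so on) are derived from the post's replacement bytes and are not stated in the post, and the listings do not show what is at those addresses, so the tool checks encoding and placement only, not that the landing point is the success path; the `make_stub_pe` image is a constructed stand-in for the real executable.

```python
import struct

# The seven patches from the post: (VA of the conditional jump, file offset the
# post gives, bytes the listing shows there, bytes the post writes instead).
PATCHES = [
    (0x401A2F, 0x0E2F, "0F8E9F000000", "E99900000090"),  # level 1: jle -> jmp
    (0x401AF7, 0x0EF7, "7E60",         "EB59"),          # level 2: jle short -> jmp short
    (0x401B7E, 0x0F7E, "0F8289000000", "E98300000090"),  # level 3: jb -> jmp
    (0x401C36, 0x1036, "0F82FB000000", "E9F500000090"),  # level 4
    (0x401D61, 0x1161, "0F82C6000000", "E9C000000090"),  # level 5
    (0x401E53, 0x1253, "0F821D010000", "E91701000090"),  # level 6
    (0x4022DC, 0x16DC, "7574",         "EB1E"),          # level 7: jnz short -> jmp short
]


def jump_target(va, code):
    """Decode a relative jcc/jmp at virtual address va; return (target, length).
    Handles rel8 (7x, EB) and rel32 (0F 8x, E9) forms; the displacement is
    relative to the end of the instruction."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return va + 2 + struct.unpack_from("<b", code, 1)[0], 2
    if op == 0xE9:
        return va + 5 + struct.unpack_from("<i", code, 1)[0], 5
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:
        return va + 6 + struct.unpack_from("<i", code, 2)[0], 6
    raise ValueError("not a relative jump: %s" % bytes(code).hex())


def encode_jmp(va, target, slot_len):
    """Encode an unconditional jmp from va to target, NOP-padded (0x90) to
    slot_len bytes so the instructions after the old jcc are left intact.
    Uses the short form whenever the displacement fits in a signed byte."""
    rel8 = target - (va + 2)
    if -128 <= rel8 <= 127:
        code = b"\xEB" + struct.pack("<b", rel8)
    else:
        code = b"\xE9" + struct.pack("<i", target - (va + 5))
    if len(code) > slot_len:
        raise ValueError("jmp to %#x needs %d bytes, slot is %d" % (target, len(code), slot_len))
    return code + b"\x90" * (slot_len - len(code))


def check_patch(va, orig_hex, new_hex):
    """Return (original target, new target) and verify the replacement is a
    same-length jmp that encode_jmp reproduces byte for byte."""
    orig, new = bytes.fromhex(orig_hex), bytes.fromhex(new_hex)
    old_target, old_len = jump_target(va, orig)
    new_target, _ = jump_target(va, new)
    if old_len != len(orig) or encode_jmp(va, new_target, len(orig)) != new:
        raise ValueError("replacement at %#x is not a same-length jmp" % va)
    return old_target, new_target


def va_to_file_offset(image, va):
    """Map a VA to a raw file offset through the PE section table (PE32 or PE32+)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if bytes(image[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] == 0x10B:      # PE32
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    else:                                                      # PE32+
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    rva = va - image_base
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vaddr, raw_size, raw_ptr = struct.unpack_from("<III", image, hdr + 12)
        if vaddr <= rva < vaddr + raw_size:
            return raw_ptr + (rva - vaddr)
    raise ValueError("VA %#x is not backed by file data" % va)


def apply_patches(image, patches):
    """Patch a bytearray PE image in place. Returns [(va, old_target, new_target)].
    Refuses to write if the post's offset disagrees with the section table or
    if the bytes on disk differ from the listing (wrong file, or already patched)."""
    report = []
    for va, stated_off, orig_hex, new_hex in patches:
        old_target, new_target = check_patch(va, orig_hex, new_hex)
        off = va_to_file_offset(image, va)
        if off != stated_off:
            raise ValueError("post gives offset %#x for %#x, section table gives %#x" % (stated_off, va, off))
        orig, new = bytes.fromhex(orig_hex), bytes.fromhex(new_hex)
        if bytes(image[off:off + len(orig)]) != orig:
            raise ValueError("bytes at %#x do not match the listing" % off)
        image[off:off + len(new)] = new
        report.append((va, old_target, new_target))
    return report


def make_stub_pe():
    """Constructed stand-in for CR-Game0.6 (not the real binary): a minimal PE32
    with ImageBase 0x400000 and one section mapping RVA 0x1000 to file offset
    0x400, seeded with the original jcc bytes at the offsets the post gives."""
    img = bytearray(0x2400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)          # Machine i386, 1 section
    struct.pack_into("<H", img, 0x94, 0xE0)               # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x400000)      # ImageBase
    sect = 0x98 + 0xE0
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x2000, 0x1000, 0x2000, 0x400)
    for _, off, orig_hex, _ in PATCHES:
        img[off:off + len(orig_hex) // 2] = bytes.fromhex(orig_hex)
    return img


if __name__ == "__main__":
    image = make_stub_pe()
    for va, old, new in apply_patches(image, PATCHES):
        print("%#x: jcc to %#x replaced by jmp to %#x" % (va, old, new))
```

Run against the real file by reading it into a bytearray in place of `make_stub_pe()` and writing the result to a copy; the byte check makes a second run fail rather than silently corrupt an already patched executable.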