【文章标题】: 破解密膺盘--计算机考试1级B-windows for 菜鸟
【文章作者】: playx
【作者邮箱】: playx@km169.net
【作者主页】: http://playx.ys168.com
【作者QQ号】: 2385580
【软件名称】: 计算机考试1级B-windows
【软件大小】: 6.20M
【下载地址】: 我的网络U盘
【加壳方式】: 无
【保护方式】: 钥匙软盘
【编写语言】: VB5.0
【使用工具】: W32dasm10,peid094,Ollydbg110,getvbres0.8
【操作平台】: winxp sp2
【软件介绍】: 全国计算机等级考试一级B Windows版,密膺盘保护。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
这段时间在论坛上看到有初学的朋友讨论用钥匙软盘保护方式的软件破解方法,也许是高手们没时间回答或不屑讨论这些简单的问题吧,做 为小鸟的偶把以前破解过的东东拿出来整理一下,能给象偶一样的菜鸟们些许提示,也算是为论坛尽点自己的力,还望高手们别见笑~
由于软件比较老了,可能没有地方下载,需要的朋友可以去我的网络U盘下载。言归正传,默认安装完成后,用peid查壳无壳,程序用VB5编 写。在开始菜单打开软件之练习项,软驱一阵狂响之后,两次提示“请插入钥匙盘!”确认后出现“致命错误:无法确认钥匙盘,请使用正版 软件。请与应用程序供应商联系!”,记下此出错信息备用。
拿出屠龙宝刀W32dasm,载入“上机.exe”,查找刚才的出错信息,晕~,什么中文字串都没有!呵呵,字串加密,不错!以下有两种思路应 对:1、在OD中对函数 MSVBVM50.__vbaStrCmp下断点,然后单步跟踪,到出错提示处修改代码(两处);2、用资源修改工具打开程序修改字串 ,然后在OD中查找字串参考确定断点。经过测试,两种方法均可。第一种方法比较简单,下面我以第二种方法进行破解。
由于程序是VB5.0编写,首选工具当然是getvbres。用getvbres打开程序后,查找“请插入钥匙盘!”,找到后双击进行修改,我这里填写的 是7897897,确定后选择“文件”菜单项-“更新当前程序资源”,可以看到状态已由待修改变成已修改了。OK,现在可以用W32dasm和 Ollydbg110进行分析了。先进行静态分析:W32dasm载入主程序,查找字串参考,找到刚才填写的7897897双击,只有一处。见下面的代码:
* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
|
:00547E53 FF1590F45D00 Call dword ptr [005DF490]
<========//在此下断
:00547E59 8945A8
mov dword ptr [
ebp-58],
eax
:00547E5C B808000000
mov eax, 00000008
:00547E61 8D9570FFFFFF
lea edx, dword ptr [
ebp+FFFFFF70]
:00547E67 8D4DB0
lea ecx, dword ptr [
ebp-50]
:00547E6A 8945A0
mov dword ptr [
ebp-60],
eax
* Possible StringData Ref from Code Obj ->
"7897897"
|
:00547E6D C78578FFFFFF7C904200
mov dword ptr [
ebp+FFFFFF78], 0042907C
<========//来到这里,向上看我在上面的call下断。
:00547E77 898570FFFFFF
mov dword ptr [
ebp+FFFFFF70],
eax
:00547E7D FFD7
call edi
:00547E7F 8D4580
lea eax, dword ptr [
ebp-80]
:00547E82 8D4D90
lea ecx, dword ptr [
ebp-70]
:00547E85 50
push eax
:00547E86 8D55A0
lea edx, dword ptr [
ebp-60]
:00547E89 51
push ecx
:00547E8A 52
push edx
:00547E8B 8D45B0
lea eax, dword ptr [
ebp-50]
:00547E8E 6A00
push 00000000
:00547E90 50
push eax
* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h
|
:00547E91 FF15F4F45D00 Call dword ptr [005DF4F4]
<========//走到这里出现第一次出错提示,nop掉。
:00547E97 8D4D80
lea ecx, dword ptr [
ebp-80]
:00547E9A 8D5590
lea edx, dword ptr [
ebp-70]
:00547E9D 51
push ecx
:00547E9E 8D45A0
lea eax, dword ptr [
ebp-60]
:00547EA1 52
push edx
:00547EA2 8D4DB0
lea ecx, dword ptr [
ebp-50]
:00547EA5 50
push eax
:00547EA6 51
push ecx
--------------------------------------
下面用OD载入主程序,Ctrl+G直接到00547E53下断:
00547E4C . 7D 74
jge short 上机.00547EC2
00547E4E . 68 E05E4200
push 上机.00425EE0
00547E53 . FF15 90F45D00
call dword ptr
ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrCat
<========//在此下断运行,第一 次读软驱后停在这里
00547E59 . 8945 A8
mov dword ptr
ss:[
ebp-58],eax
<========//以下都是F8单步走。
00547E5C . B8 08000000
mov eax,8
00547E61 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547E67 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547E6A . 8945 A0
mov dword ptr
ss:[
ebp-60],
eax
00547E6D . C785 78FFFFFF 7C9>
mov dword ptr
ss:[
ebp-88],
上机.004>; UNICODE "7897897
"
00547E77 . 8985 70FFFFFF
mov dword ptr
ss:[
ebp-90],
eax
00547E7D . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547E7F . 8D45 80
lea eax,dword ptr
ss:[
ebp-80]
00547E82 . 8D4D 90
lea ecx,dword ptr
ss:[
ebp-70]
00547E85 . 50
push eax
00547E86 . 8D55 A0
lea edx,dword ptr
ss:[
ebp-60]
00547E89 . 51
push ecx ; ntdll.7C93056D
00547E8A . 52
push edx
00547E8B . 8D45 B0
lea eax,dword ptr
ss:[
ebp-50]
00547E8E . 6A 00
push 0
00547E90 . 50
push eax
00547E91 . FF15 F4F45D00
call dword ptr
ds:[<&MSVBVM50.#5>; MSVBVM50.rtcMsgBox
<========//走到这里出现第一次 出错提示,nop掉。在汇编框中输入nop,注意要选上下面的“用nop填充”
---------------------------------------------------------------------
变成下面的形式:
00547E90 . 50
push eax
00547E91 90 nop
<========//继续F8单步走。
00547E92 90
nop
00547E93 90
nop
00547E94 90
nop
00547E95 90
nop
00547E96 90
nop
00547E97 . 8D4D 80
lea ecx,dword ptr
ss:[
ebp-80]
00547E9A . 8D55 90
lea edx,dword ptr
ss:[
ebp-70]
00547E9D . 51
push ecx ; ntdll.7C93056D
00547E9E . 8D45 A0
lea eax,dword ptr
ss:[
ebp-60]
00547EA1 . 52
push edx
00547EA2 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547EA5 . 50
push eax
00547EA6 . 51
push ecx ; ntdll.7C93056D
00547EA7 . 6A 04
push 4
00547EA9 . FF15 48F45D00
call dword ptr
ds:[<&MSVBVM50.__>; MSVBVM50.__vbaFreeVarList
00547EAF . 83C4 14
add esp,14
00547EB2 . 66:46
inc si
00547EB4 . 0F80 5B010000
jo 上机.00548015
00547EBA . 8975 D0
mov dword ptr
ss:[
ebp-30],
esi
00547EBD .^ E9 4BFBFFFF
jmp 上机.00547A0D <========//这里往第一次回跳, 第二次检测密膺盘。
00547EC2 > 68 68904200
push 上机.00429068
00547EC7 . FF15 90F45D00
call dword ptr
ds:[<&MSVBVM50.__>; MSVBVM50.__vbaStrCat
00547ECD . BE 08000000
mov esi,8
---------------------------------------------------------------------
从00547EBD回跳到这里;;;;第二次回跳。
00547A0D > 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
<========//继续F8单步走。
00547A13 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547A16 . C785 78FFFFFF C08>
mov dword ptr
ss:[
ebp-88],
上机.00428FC0 ; UNICODE "c:\wymi.dll
"
00547A20 . C785 70FFFFFF 080>
mov dword ptr
ss:[
ebp-90],8
00547A2A . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547A2C . 8D45 B0
lea eax,dword ptr
ss:[
ebp-50]
00547A2F . 6A 02
push 2
00547A31 . 50
push eax
00547A32 . FF15 90F65D00
call dword ptr
ds:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
00547A38 . 8BD0
mov edx,
eax
00547A3A . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547A3D . FF15 78F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrMov>; MSVBVM50.__vbaStrMove
00547A43 . 50
push eax
00547A44 . 68 30F74100
push 上机.0041F730
00547A49 . FF15 94F55D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
00547A4F . 8BF0
mov esi,
eax
00547A51 . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547A54 . F7DE
neg esi
00547A56 . 1BF6
sbb esi,
esi
00547A58 . F7DE
neg esi
00547A5A . F7DE
neg esi
00547A5C . FF15 D0F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
00547A62 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547A65 . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547A67 . 66:85F6
test si,
si
00547A6A . 74 2E
je short 上机.00547A9A <========//这里向下跳。
00547A6C . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547A72 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547A75 . C785 78FFFFFF C08>
mov dword ptr
ss:[
ebp-88],
上机.00428FC0 ; UNICODE "c:\wymi.dll
"
00547A7F . C785 70FFFFFF 080>
mov dword ptr
ss:[
ebp-90],8
00547A89 . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547A8B . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547A8E . 51
push ecx
00547A8F . FF15 90F55D00
call dword ptr
ds:[<&MSVBVM50.#529>] ; MSVBVM50.rtcKillFiles
00547A95 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547A98 . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547A9A > 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547AA0 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547AA3 . C785 78FFFFFF DC8>
mov dword ptr
ss:[
ebp-88],
上机.00428FDC ; UNICODE "c:\wynomi.dll
"
00547AAD . C785 70FFFFFF 080>
mov dword ptr
ss:[
ebp-90],8
00547AB7 . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547AB9 . 8D55 B0
lea edx,dword ptr
ss:[
ebp-50]
00547ABC . 6A 02
push 2
00547ABE . 52
push edx
00547ABF . FF15 90F65D00
call dword ptr
ds:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
00547AC5 . 8BD0
mov edx,
eax
00547AC7 . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547ACA . FF15 78F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrMov>; MSVBVM50.__vbaStrMove
00547AD0 . 50
push eax
00547AD1 . 68 30F74100
push 上机.0041F730
00547AD6 . FF15 94F55D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
00547ADC . 8BF0
mov esi,
eax
00547ADE . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547AE1 . F7DE
neg esi
00547AE3 . 1BF6
sbb esi,
esi
00547AE5 . F7DE
neg esi
00547AE7 . F7DE
neg esi
00547AE9 . FF15 D0F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
00547AEF . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547AF2 . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547AF4 . 66:85F6
test si,
si
00547AF7 . 74 2E
je short 上机.00547B27
00547AF9 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547AFF . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547B02 . C785 78FFFFFF DC8>
mov dword ptr
ss:[
ebp-88],
上机.00428FDC ; UNICODE "c:\wynomi.dll
"
00547B0C . C785 70FFFFFF 080>
mov dword ptr
ss:[
ebp-90],8
00547B16 . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547B18 . 8D45 B0
lea eax,dword ptr
ss:[
ebp-50]
00547B1B . 50
push eax
00547B1C . FF15 90F55D00
call dword ptr
ds:[<&MSVBVM50.#529>] ; MSVBVM50.rtcKillFiles
00547B22 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547B25 . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547B27 > A1 D8225D00
mov eax,dword ptr
ds:[5D22D8]
00547B2C . 85C0
test eax,
eax
00547B2E . 75 10
jnz short 上机.00547B40
00547B30 . 68 D8225D00
push 上机.005D22D8
00547B35 . 68 60FF4100
push 上机.0041FF60
00547B3A . FF15 B8F65D00
call dword ptr
ds:[<&MSVBVM50.__vbaNew2>] ; MSVBVM50.__vbaNew2
00547B40 > 8B35 D8225D00
mov esi,dword ptr
ds:[5D22D8]
00547B46 . 8D55 C0
lea edx,dword ptr
ss:[
ebp-40]
00547B49 . 52
push edx
00547B4A . 56
push esi
00547B4B . 8B0E
mov ecx,dword ptr
ds:[
esi]
00547B4D . FF51 14
call dword ptr
ds:[
ecx+14]
00547B50 85C0
test eax,
eax
00547B52 . 7D 0F
jge short 上机.00547B63
00547B54 . 6A 14
push 14
00547B56 . 68 50FF4100
push 上机.0041FF50
00547B5B . 56
push esi
00547B5C . 50
push eax
00547B5D . FF15 A8F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
00547B63 > 8B45 C0
mov eax,dword ptr
ss:[
ebp-40]
00547B66 . 8D55 C8
lea edx,dword ptr
ss:[
ebp-38]
00547B69 . 52
push edx
00547B6A . 50
push eax
00547B6B . 8B08
mov ecx,dword ptr
ds:[
eax]
00547B6D . 8BF0
mov esi,
eax
00547B6F . FF51 50
call dword ptr
ds:[
ecx+50]
00547B72 85C0
test eax,
eax
00547B74 . 7D 0F
jge short 上机.00547B85
00547B76 . 6A 50
push 50
00547B78 . 68 70FF4100
push 上机.0041FF70
00547B7D . 56
push esi
00547B7E . 50
push eax
00547B7F . FF15 A8F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
00547B85 > 8B45 C8
mov eax,dword ptr
ss:[
ebp-38]
00547B88 . 50
push eax
00547B89 . 68 FC8F4200
push 上机.00428FFC ; UNICODE "\dat\jiami.exe
"
00547B8E . FF15 90F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCat>; MSVBVM50.__vbaStrCat
00547B94 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547B97 . 6A 02
push 2
00547B99 . 51
push ecx
00547B9A . 8945 B8
mov dword ptr
ss:[
ebp-48],
eax
00547B9D . C745 B0 08000000
mov dword ptr
ss:[
ebp-50],8
00547BA4 . FF15 90F65D00
call dword ptr
ds:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
00547BAA . 8BD0
mov edx,
eax
00547BAC . 8D4D C4
lea ecx,dword ptr
ss:[
ebp-3C]
00547BAF . FF15 78F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrMov>; MSVBVM50.__vbaStrMove
00547BB5 . 50
push eax
00547BB6 . 68 30F74100
push 上机.0041F730
00547BBB . FF15 94F55D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
00547BC1 . 8BF0
mov esi,
eax
00547BC3 . 8D55 C4
lea edx,dword ptr
ss:[
ebp-3C]
00547BC6 . F7DE
neg esi
00547BC8 . 1BF6
sbb esi,
esi
00547BCA . 8D45 C8
lea eax,dword ptr
ss:[
ebp-38]
00547BCD . 52
push edx
00547BCE . 46
inc esi
00547BCF . 50
push eax
00547BD0 . 6A 02
push 2
00547BD2 . F7DE
neg esi
00547BD4 . FF15 E8F65D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStrList
00547BDA . 83C4 0C
add esp,0C
00547BDD . 8D4D C0
lea ecx,dword ptr
ss:[
ebp-40]
00547BE0 . FF15 D4F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
00547BE6 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547BE9 . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547BEB 66:85F6
test si,
si
00547BEE . 0F84 85000000
je 上机.00547C79 <========//这里向下跳。
00547BF4 . B9 04000280
mov ecx,80020004
---------------------------------------------------------------------
从00547BEE跳到这里
00547C79 > A1 D8225D00
mov eax,dword ptr
ds:[5D22D8]
00547C7E . 85C0
test eax,
eax
00547C80 . 75 10
jnz short 上机.00547C92
00547C82 . 68 D8225D00
push 上机.005D22D8
00547C87 . 68 60FF4100
push 上机.0041FF60
00547C8C . FF15 B8F65D00
call dword ptr
ds:[<&MSVBVM50.__vbaNew2>] ; MSVBVM50.__vbaNew2
00547C92 > 8B35 D8225D00
mov esi,dword ptr
ds:[5D22D8]
00547C98 . 8D4D C0
lea ecx,dword ptr
ss:[
ebp-40]
00547C9B . 51
push ecx
00547C9C . 56
push esi
00547C9D . 8B06
mov eax,dword ptr
ds:[
esi]
00547C9F . FF50 14
call dword ptr
ds:[
eax+14]
00547CA2 85C0
test eax,
eax
00547CA4 . 7D 0F
jge short 上机.00547CB5
00547CA6 . 6A 14
push 14
00547CA8 . 68 50FF4100
push 上机.0041FF50
00547CAD . 56
push esi
00547CAE . 50
push eax
00547CAF . FF15 A8F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
00547CB5 > 8B45 C0
mov eax,dword ptr
ss:[
ebp-40]
00547CB8 . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547CBB . 51
push ecx
00547CBC . 50
push eax
00547CBD . 8B10
mov edx,dword ptr
ds:[
eax]
00547CBF . 8BF0
mov esi,
eax
00547CC1 . FF52 50
call dword ptr
ds:[
edx+50]
00547CC4 85C0
test eax,
eax
00547CC6 . 7D 0F
jge short 上机.00547CD7
00547CC8 . 6A 50
push 50
00547CCA . 68 70FF4100
push 上机.0041FF70
00547CCF . 56
push esi
00547CD0 . 50
push eax
00547CD1 . FF15 A8F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
00547CD7 > 8B55 C8
mov edx,dword ptr
ss:[
ebp-38]
00547CDA . 52
push edx
00547CDB . 68 FC8F4200
push 上机.00428FFC ; UNICODE "\dat\jiami.exe
"
00547CE0 . FF15 90F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCat>; MSVBVM50.__vbaStrCat
00547CE6 . 8945 B8
mov dword ptr
ss:[
ebp-48],
eax
00547CE9 . 8D45 B0
lea eax,dword ptr
ss:[
ebp-50]
00547CEC . 6A 00
push 0
00547CEE . 50
push eax
00547CEF . C745 B0 08000000
mov dword ptr
ss:[
ebp-50],8
00547CF6 . FF15 FCF55D00
call dword ptr
ds:[<&MSVBVM50.#600>] ; MSVBVM50.rtcShell
<========//第二次读软驱 检测密膺盘,nop掉,方法同上。
00547CFC . DD9D 78FFFFFF
fstp qword ptr
ss:[
ebp-88]
00547D02 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
---------------------------------------------------------------------
变成下面的形式:
00547CF6 90 nop
<========//继续F8单步走 。
00547CF7 90
nop
00547CF8 90
nop
00547CF9 90
nop
00547CFA 90
nop
00547CFB 90
nop
00547CFC . DD9D 78FFFFFF
fstp qword ptr
ss:[
ebp-88]
00547D02 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547D08 . 8D4D DC
lea ecx,dword ptr
ss:[
ebp-24]
00547D0B . C785 70FFFFFF 050>
mov dword ptr
ss:[
ebp-90],5
00547D0B . C785 70FFFFFF 050>
mov dword ptr
ss:[
ebp-90],5
00547D15 . FF15 20F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaVarMov>; MSVBVM50.__vbaVarMove
00547D1B . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547D1E . FF15 D0F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
00547D24 . 8D4D C0
lea ecx,dword ptr
ss:[
ebp-40]
00547D27 . FF15 D4F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
00547D2D . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547D30 . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547D32 > 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547D38 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547D3B . C785 78FFFFFF C08>
mov dword ptr
ss:[
ebp-88],
上机.00428FC0 ; UNICODE "c:\wymi.dll
"
00547D45 . C785 70FFFFFF 080>
mov dword ptr
ss:[
ebp-90],8
00547D4F . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547D51 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547D54 . 6A 02
push 2
00547D56 . 51
push ecx
00547D57 . FF15 90F65D00
call dword ptr
ds:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
00547D5D . 8BD0
mov edx,
eax
00547D5F . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547D62 . FF15 78F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrMov>; MSVBVM50.__vbaStrMove
00547D68 . 50
push eax
00547D69 . 68 30F74100
push 上机.0041F730
00547D6E . FF15 94F55D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
00547D74 . 8BF0
mov esi,
eax
00547D76 . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547D79 . F7DE
neg esi
00547D7B . 1BF6
sbb esi,
esi
00547D7D . F7DE
neg esi
00547D7F . F7DE
neg esi
00547D81 . FF15 D0F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
00547D87 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547D8A . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547D8C 66:85F6
test si,
si
00547D8F . 0F85 20020000
jnz 上机.00547FB5
00547D95 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547D9B . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547D9E . C785 78FFFFFF DC8>
mov dword ptr
ss:[
ebp-88],
上机.00428FDC ; UNICODE "c:\wynomi.dll
"
00547DA8 . C785 70FFFFFF 080>
mov dword ptr
ss:[
ebp-90],8
00547DB2 . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547DB4 . 8D55 B0
lea edx,dword ptr
ss:[
ebp-50]
00547DB7 . 6A 02
push 2
00547DB9 . 52
push edx
00547DBA . FF15 90F65D00
call dword ptr
ds:[<&MSVBVM50.#645>] ; MSVBVM50.rtcDir
00547DC0 . 8BD0
mov edx,
eax
00547DC2 . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547DC5 . FF15 78F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrMov>; MSVBVM50.__vbaStrMove
00547DCB . 50
push eax
00547DCC . 68 30F74100
push 上机.0041F730
00547DD1 . FF15 94F55D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
00547DD7 . 8BF0
mov esi,
eax
00547DD9 . 8D4D C8
lea ecx,dword ptr
ss:[
ebp-38]
00547DDC . F7DE
neg esi
00547DDE . 1BF6
sbb esi,
esi
00547DE0 . F7DE
neg esi
00547DE2 . F7DE
neg esi
00547DE4 . FF15 D0F75D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
00547DEA . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547DED . FFD3
call ebx ; MSVBVM50.__vbaFreeVar
00547DEF 66:85F6
test si,
si
00547DF2 . 75 36
jnz short 上机.00547E2A <========//这里向下跳。
00547DF4 . FF15 80F65D00
call dword ptr
ds:[<&MSVBVM50.#535>] ; MSVBVM50.rtcGetTimer
00547DFA . D95D D4
fstp dword ptr
ss:[
ebp-2C]
00547DFD . FF15 18F55D00
call dword ptr
ds:[<&MSVBVM50.#598>] ; MSVBVM50.rtcDoEvents
00547E03 . D945 D4
fld dword ptr
ss:[
ebp-2C]
00547E06 . D865 CC
fsub dword ptr
ss:[
ebp-34]
00547E09 . DFE0
fstsw ax
00547E0B . A8 0D
test al,0D
00547E0D . 0F85 FD010000
jnz 上机.00548010 <========//第二次回跳后到这里向下跳,借用fly大侠一 句名言:飞向光明之巅!
跳到00548010后,出现一次异常,Shift+F9,程 序正常运行了。
00547E13 . FF15 20F55D00
call dword ptr
ds:[<&MSVBVM50.__vbaFpR4>] ; MSVBVM50.__vbaFpR4
00547E19 . D81D A4784000
fcomp dword ptr
ds:[4078A4]
00547E1F . DFE0
fstsw ax
00547E21 . F6C4 41
test ah,41
00547E24 .^ 0F85 08FFFFFF
jnz 上机.00547D32
00547E2A > 8B75 D0
mov esi,dword ptr
ss:[
ebp-30]
00547E2D . B9 04000280
mov ecx,80020004
00547E32 . B8 0A000000
mov eax,0A
00547E37 . 66:83FE 02
cmp si,2
00547E3B . 894D 88
mov dword ptr
ss:[
ebp-78],
ecx
00547E3E . 8945 80
mov dword ptr
ss:[
ebp-80],
eax
00547E41 . 894D 98
mov dword ptr
ss:[
ebp-68],
ecx
00547E44 . 8945 90
mov dword ptr
ss:[
ebp-70],
eax
00547E47 . 68 D4F84100
push 上机.0041F8D4
00547E4C . 7D 74
jge short 上机.00547EC2
00547E4E . 68 E05E4200
push 上机.00425EE0
00547E53 . FF15 90F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCat>; MSVBVM50.__vbaStrCat
00547E59 . 8945 A8
mov dword ptr
ss:[
ebp-58],
eax
00547E5C . B8 08000000
mov eax,8
00547E61 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
00547E67 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547E6A . 8945 A0
mov dword ptr
ss:[
ebp-60],
eax
00547E6D . C785 78FFFFFF 7C9>
mov dword ptr
ss:[
ebp-88],
上机.0042907C ; UNICODE "7897897
"
00547E77 . 8985 70FFFFFF
mov dword ptr
ss:[
ebp-90],
eax
00547E7D . FFD7
call edi ; MSVBVM50.__vbaVarDup
00547E7F . 8D45 80
lea eax,dword ptr
ss:[
ebp-80]
00547E82 . 8D4D 90
lea ecx,dword ptr
ss:[
ebp-70]
00547E85 . 50
push eax
00547E86 . 8D55 A0
lea edx,dword ptr
ss:[
ebp-60]
00547E89 . 51
push ecx
00547E8A . 52
push edx
00547E8B . 8D45 B0
lea eax,dword ptr
ss:[
ebp-50]
00547E8E . 6A 00
push 0
00547E90 . 50
push eax
00547E91 90
nop
00547E92 90
nop
00547E93 90
nop
00547E94 90
nop
00547E95 90
nop
00547E96 90
nop
00547E97 . 8D4D 80
lea ecx,dword ptr
ss:[
ebp-80]
00547E9A . 8D55 90
lea edx,dword ptr
ss:[
ebp-70]
00547E9D . 51
push ecx
00547E9E . 8D45 A0
lea eax,dword ptr
ss:[
ebp-60]
00547EA1 . 52
push edx
00547EA2 . 8D4D B0
lea ecx,dword ptr
ss:[
ebp-50]
00547EA5 . 50
push eax
00547EA6 . 51
push ecx
00547EA7 . 6A 04
push 4
00547EA9 . FF15 48F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaFreeVa>; MSVBVM50.__vbaFreeVarList
00547EAF . 83C4 14
add esp,14
00547EB2 . 66:46
inc si
00547EB4 . 0F80 5B010000
jo 上机.00548015
00547EBA . 8975 D0
mov dword ptr
ss:[
ebp-30],
esi
00547EBD .^ E9 4BFBFFFF
jmp 上机.00547A0D <========//这里又往回跳 ,跳到刚才第二步的位置进行第三次 检测密膺盘。
00547EC2 > 68 68904200
push 上机.00429068
00547EC7 . FF15 90F45D00
call dword ptr
ds:[<&MSVBVM50.__vbaStrCat>; MSVBVM50.__vbaStrCat
00547ECD . BE 08000000
mov esi,8
00547ED2 . 8D95 70FFFFFF
lea edx,dword ptr
ss:[
ebp-90]
剩下的工作就简单了,在OD中主窗口中(C窗口)右键--复制到可执行文件--全部修正,在弹出的文件窗口(D窗口)中右键--保存文件,提示 覆盖,保存后,再用getvbres将改动的地方还原。另外,在调试过程,还发现了另一种下断点的方法:搜索字串参考时,发现多次出现调用 \win1b\dat\jiami.exe这个文件。进安装文件夹dat下查看,拼音字母不就是“加密”吗?看来程序多次调用它来检测密膺盘的合法性,所以, 在搜索不到可用中文信息时,也可用它参考下断。
--------------------------------------------------------------------------------
【经验总结】
下面三处需要nop 掉。
00547CF6 FF15 FCF55D00
call dword ptr
ds:[<&MSVBVM50.>; MSVBVM50.rtcShell
第一次读软驱检测密钥盘提示
00547E91 FF15 F4F45D00
call dword ptr
ds:[<&MSVBVM50.>; MSVBVM50.rtcMsgBox
第二次读软驱检测密钥盘提示
00547F05 FF15 F4F45D00
call dword ptr
ds:[<&MSVBVM50.>; MSVBVM50.rtcMsgBox
出现致命错误的提示
本文没多少技术含量,遇到此类软件最好的办法就是爆破。在调试此类软件时,建议在有软驱的机器上进行,更为直观。在隐藏、加密中文 字符串后(现在共享软件基本上都是这样的),需要大家多掌握几种下断点的方法,这样,我们菜鸟才能不被学习过程中的拦路虎吓住。最后 ,祝广大和我一样水平的菜鸟早日进步!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006
年03月03日 1:32:46
[课程]Android-CTF解题方法汇总!
精 
