[Old post] [Help] A newbie's plea for help: cracked this far and got stuck (0.00 snowflakes)
Posted on: 2007-2-24 00:45 3734

Posting a program that I couldn't crack myself, but I think it is fairly representative.

gearbox 5.0 Reducer Design System
Software size: 5879 KB
Software language: Simplified Chinese
Software category: Domestic software / Shareware / Mechanical & electronics
Platform: Win9x/NT/2000/XP/2003
Interface preview: none
Plugin status:
Updated: 2006-11-15 09:04:18
Downloads: 14636
Recommendation rating:
Contact: sunyick126.com
Developer: http://www.changfengjixie.com/...
Author page:

Download: http://www.skycn.com/soft/22894.html     (skycn download)

But the code below is from version 2.0; I don't think the structure will have changed much!

I'm just a tiny newbie: I don't know assembly, let alone dare to call what I do cracking! A few days ago I watched a cracking video, thought it was interesting, and took an old program of mine to try it on. Who knew that not every program is like the one in the tutorial... I fiddled with it for a while and got nowhere, so I'm posting it here for everyone to try. I'll also describe the problems I ran into, hoping the experts can give me some pointers:

First, check for a packer. I checked with PEiD: no packer. But at my level I'm not to be trusted... if you have time to play with this program, better check for yourself; don't blame me if it turns out to be packed~~

Then look at the strings for a usable reference string. I used three tools: W32Dasm, C32Asm and OD (OllyDbg), and none of them found a reference string for the error dialog... dizzying~~ Maybe my skills really are that bad and I haven't grasped the tutorial's method! Most tutorials today are based on having found the string first; could an expert show how to crack without a reference string?

As a last resort I thought I'd use an OD plugin to set breakpoints on commonly used function names, so a breakpoint on MessageBoxA, hehe, and it broke. I found the following, but I don't know how to go on from here~~~. Posting it to ask for advice; anyone interested can take a stab at this software too.

77D5050B > 8BFF MOV EDI,EDI
77D5050D 55 PUSH EBP
77D5050E 8BEC MOV EBP,ESP
77D50510 833D 1C04D777 0>CMP DWORD PTR DS:[77D7041C],0
77D50517 74 24 JE SHORT USER32.77D5053D
77D50519 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77D5051F 6A 00 PUSH 0
77D50521 FF70 24 PUSH DWORD PTR DS:[EAX+24]
77D50524 68 F40AD777 PUSH USER32.77D70AF4
77D50529 FF15 1812D177 CALL DWORD PTR DS:[<&KERNEL32.Interlocke>; kernel32.InterlockedCompareExchange
77D5052F 85C0 TEST EAX,EAX
77D50531 75 0A JNZ SHORT USER32.77D5053D
77D50533 C705 F00AD777 0>MOV DWORD PTR DS:[77D70AF0],1
77D5053D 6A 00 PUSH 0
77D5053F FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D50542 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77D50545 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D50548 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D5054B E8 2D000000 CALL USER32.MessageBoxExA
77D50550 5D POP EBP

Above is USER32 territory, i.e. where the breakpoint is; at the very last line the error message window pops up~~~
********************************************************

Below is MessageBoxA in the program's territory; note that it is not the main EXE, but it has gone into a DLL (PBVM80.dll).

10C235C0 > 83EC 48 SUB ESP,48
10C235C3 8B4424 4C MOV EAX,DWORD PTR SS:[ESP+4C]
10C235C7 53 PUSH EBX
10C235C8 55 PUSH EBP
10C235C9 56 PUSH ESI
10C235CA 8B68 04 MOV EBP,DWORD PTR DS:[EAX+4]
10C235CD 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
10C235D1 57 PUSH EDI
10C235D2 33F6 XOR ESI,ESI
10C235D4 51 PUSH ECX
10C235D5 55 PUSH EBP
10C235D6 897424 50 MOV DWORD PTR SS:[ESP+50],ESI
10C235DA 897424 4C MOV DWORD PTR SS:[ESP+4C],ESI
10C235DE 896C24 18 MOV DWORD PTR SS:[ESP+18],EBP
10C235E2 E8 C9110B00 CALL PBVM80.ot_get_valptr_arg
10C235E7 55 PUSH EBP
10C235E8 894424 30 MOV DWORD PTR SS:[ESP+30],EAX
10C235EC E8 EF0C0B00 CALL PBVM80.ot_get_next_evaled_arg
10C235F1 8BF8 MOV EDI,EAX
10C235F3 8B5C24 60 MOV EBX,DWORD PTR SS:[ESP+60]
10C235F7 897424 14 MOV DWORD PTR SS:[ESP+14],ESI
10C235FB 8A57 04 MOV DL,BYTE PTR DS:[EDI+4]
10C235FE 83E2 01 AND EDX,1
10C23601 83FB 02 CMP EBX,2
10C23604 895424 38 MOV DWORD PTR SS:[ESP+38],EDX
10C23608 76 11 JBE SHORT PBVM80.10C2361B
10C2360A 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
10C2360E 50 PUSH EAX
10C2360F 55 PUSH EBP
10C23610 E8 EB0D0B00 CALL PBVM80.ot_get_simple_intarg
10C23615 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
10C23619 EB 0A JMP SHORT PBVM80.10C23625
10C2361B 33C0 XOR EAX,EAX
10C2361D 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
10C23621 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
10C23625 83FB 03 CMP EBX,3
10C23628 76 11 JBE SHORT PBVM80.10C2363B
10C2362A 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
10C2362E 51 PUSH ECX
10C2362F 55 PUSH EBP
10C23630 E8 CB0D0B00 CALL PBVM80.ot_get_simple_intarg
10C23635 894424 60 MOV DWORD PTR SS:[ESP+60],EAX
10C23639 EB 0A JMP SHORT PBVM80.10C23645
10C2363B 33C0 XOR EAX,EAX
10C2363D 894424 60 MOV DWORD PTR SS:[ESP+60],EAX
10C23641 894424 20 MOV DWORD PTR SS:[ESP+20],EAX
10C23645 83FB 04 CMP EBX,4
10C23648 76 0F JBE SHORT PBVM80.10C23659
10C2364A 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+24]
10C2364E 52 PUSH EDX
10C2364F 55 PUSH EBP
10C23650 E8 2B0E0B00 CALL PBVM80.ot_get_intarg
10C23655 8BD8 MOV EBX,EAX
10C23657 EB 0D JMP SHORT PBVM80.10C23666
10C23659 BB 01000000 MOV EBX,1
10C2365E C74424 24 00000>MOV DWORD PTR SS:[ESP+24],0
10C23666 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+34]
10C2366A 85C0 TEST EAX,EAX
10C2366C 0F85 19020000 JNZ PBVM80.10C2388B
10C23672 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
10C23676 85C0 TEST EAX,EAX
10C23678 0F85 0D020000 JNZ PBVM80.10C2388B
10C2367E 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
10C23682 85C0 TEST EAX,EAX
10C23684 0F85 01020000 JNZ PBVM80.10C2388B
10C2368A 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
10C2368E 85C0 TEST EAX,EAX
10C23690 0F85 F5010000 JNZ PBVM80.10C2388B
10C23696 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
10C2369A 85C0 TEST EAX,EAX
10C2369C 0F85 E9010000 JNZ PBVM80.10C2388B
10C236A2 8B7424 5C MOV ESI,DWORD PTR SS:[ESP+5C]
10C236A6 66:837F 06 06 CMP WORD PTR DS:[EDI+6],6
10C236AB 8B46 52 MOV EAX,DWORD PTR DS:[ESI+52]
10C236AE 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
10C236B2 74 23 JE SHORT PBVM80.10C236D7
10C236B4 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
10C236B7 6A 00 PUSH 0
10C236B9 68 FF000000 PUSH 0FF
10C236BE 51 PUSH ECX
10C236BF E8 8C6AF9FF CALL PBVM80.pbstg_alc
10C236C4 68 FF000000 PUSH 0FF
10C236C9 50 PUSH EAX
10C236CA 57 PUSH EDI
10C236CB 56 PUSH ESI
10C236CC 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
10C236D0 E8 9B56FDFF CALL PBVM80.FN_FormatData
10C236D5 EB 0B JMP SHORT PBVM80.10C236E2
10C236D7 57 PUSH EDI
10C236D8 55 PUSH EBP
10C236D9 E8 221F0A00 CALL PBVM80.ot_get_valptr
10C236DE 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
10C236E2 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]
10C236E6 BF 00200000 MOV EDI,2000
10C236EB 8D42 FF LEA EAX,DWORD PTR DS:[EDX-1]
10C236EE 83F8 03 CMP EAX,3
10C236F1 77 1C JA SHORT PBVM80.10C2370F
10C236F3 FF2485 1439C210 JMP DWORD PTR DS:[EAX*4+10C23914]
10C236FA BF 10200000 MOV EDI,2010
10C236FF EB 13 JMP SHORT PBVM80.10C23714
10C23701 BF 30200000 MOV EDI,2030
10C23706 EB 0C JMP SHORT PBVM80.10C23714
10C23708 BF 20200000 MOV EDI,2020
10C2370D EB 05 JMP SHORT PBVM80.10C23714
10C2370F BF 40200000 MOV EDI,2040
10C23714 8B4424 60 MOV EAX,DWORD PTR SS:[ESP+60]
10C23718 48 DEC EAX
10C23719 83F8 04 CMP EAX,4
10C2371C 77 1E JA SHORT PBVM80.10C2373C
10C2371E FF2485 2439C210 JMP DWORD PTR DS:[EAX*4+10C23924]
10C23725 83CF 01 OR EDI,1
10C23728 EB 12 JMP SHORT PBVM80.10C2373C
10C2372A 83CF 05 OR EDI,5
10C2372D EB 0D JMP SHORT PBVM80.10C2373C
10C2372F 83CF 02 OR EDI,2
10C23732 EB 08 JMP SHORT PBVM80.10C2373C
10C23734 83CF 04 OR EDI,4
10C23737 EB 03 JMP SHORT PBVM80.10C2373C
10C23739 83CF 03 OR EDI,3
10C2373C 8BC3 MOV EAX,EBX
10C2373E 83E8 02 SUB EAX,2
10C23741 74 0B JE SHORT PBVM80.10C2374E
10C23743 48 DEC EAX
10C23744 75 0E JNZ SHORT PBVM80.10C23754
10C23746 81CF 00020000 OR EDI,200
10C2374C EB 06 JMP SHORT PBVM80.10C23754
10C2374E 81CF 00010000 OR EDI,100
10C23754 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
10C23758 8B81 E0000000 MOV EAX,DWORD PTR DS:[ECX+E0]
10C2375E 85C0 TEST EAX,EAX
10C23760 74 13 JE SHORT PBVM80.10C23775
10C23762 6A 0B PUSH 0B
10C23764 50 PUSH EAX
10C23765 55 PUSH EBP
10C23766 E8 B5870300 CALL PBVM80.ob_get_int_field
10C2376B 85C0 TEST EAX,EAX
10C2376D 74 06 JE SHORT PBVM80.10C23775
10C2376F 81CF 00001800 OR EDI,180000
10C23775 FF15 F898D910 CALL DWORD PTR DS:[<&USER32.GetFocus>] ; USER32.GetFocus
10C2377B 8B35 9C99D910 MOV ESI,DWORD PTR DS:[<&USER32.SendMessa>; USER32.SendMessageA
10C23781 85C0 TEST EAX,EAX
10C23783 74 09 JE SHORT PBVM80.10C2378E
10C23785 6A 00 PUSH 0
10C23787 6A 00 PUSH 0
10C23789 6A 1F PUSH 1F
10C2378B 50 PUSH EAX
10C2378C FFD6 CALL ESI
10C2378E 8B1D 1498D910 MOV EBX,DWORD PTR DS:[<&USER32.GetCaptur>; USER32.GetCapture
10C23794 FFD3 CALL EBX
10C23796 85C0 TEST EAX,EAX
10C23798 74 09 JE SHORT PBVM80.10C237A3
10C2379A 6A 00 PUSH 0
10C2379C 6A 00 PUSH 0
10C2379E 6A 1F PUSH 1F
10C237A0 50 PUSH EAX
10C237A1 FFD6 CALL ESI
10C237A3 8B2D 8492D910 MOV EBP,DWORD PTR DS:[<&KERNEL32.GetCurr>; kernel32.GetCurrentThreadId
10C237A9 FFD5 CALL EBP
10C237AB 8BF0 MOV ESI,EAX
10C237AD A1 1026E010 MOV EAX,DWORD PTR DS:[10E02610]
10C237B2 3BC6 CMP EAX,ESI
10C237B4 0F84 82000000 JE PBVM80.10C2383C
10C237BA FFD3 CALL EBX
10C237BC 85C0 TEST EAX,EAX
10C237BE 75 7C JNZ SHORT PBVM80.10C2383C
10C237C0 6A 01 PUSH 1
10C237C2 6A 12 PUSH 12
10C237C4 6A 12 PUSH 12
10C237C6 8D5424 48 LEA EDX,DWORD PTR SS:[ESP+48]
10C237CA 50 PUSH EAX
10C237CB 52 PUSH EDX
10C237CC 8935 1026E010 MOV DWORD PTR DS:[10E02610],ESI
10C237D2 FF15 0C99D910 CALL DWORD PTR DS:[<&USER32.PeekMessageA>; USER32.PeekMessageA
10C237D8 8BD8 MOV EBX,EAX
10C237DA 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
10C237DE 8B70 44 MOV ESI,DWORD PTR DS:[EAX+44]
10C237E1 56 PUSH ESI
10C237E2 FF15 8C99D910 CALL DWORD PTR DS:[<&USER32.IsWindow>] ; USER32.IsWindow
10C237E8 85C0 TEST EAX,EAX
10C237EA 74 0B JE SHORT PBVM80.10C237F7
10C237EC 56 PUSH ESI
10C237ED FF15 6C98D910 CALL DWORD PTR DS:[<&USER32.IsWindowVisi>; USER32.IsWindowVisible
10C237F3 85C0 TEST EAX,EAX
10C237F5 75 02 JNZ SHORT PBVM80.10C237F9
10C237F7 33F6 XOR ESI,ESI
10C237F9 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
10C237FD 8B41 14 MOV EAX,DWORD PTR DS:[ECX+14]
10C23800 85C0 TEST EAX,EAX
10C23802 75 02 JNZ SHORT PBVM80.10C23806
10C23804 33F6 XOR ESI,ESI
10C23806 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C]
10C2380A 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
10C2380E 57 PUSH EDI
10C2380F 52 PUSH EDX
10C23810 50 PUSH EAX
10C23811 56 PUSH ESI
10C23812 FF15 E499D910 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; USER32.MessageBoxA ; this is the error message box

The contents of the lower-right pane are:

***********************************************************
0012EE04 10C23818 /CALL 到 MessageBoxA 来自 PBVM80.10C23812
0012EE08 001706E2 |hOwner = 001706E2 ('软件注册',class='FNWNS380')
0012EE0C 091C0034 |Text = "您输入的注册码无效!请与供应商联系获得正确的注册码!"
0012EE10 018D00B8 |Title = "软件注册"
0012EE14 00002040 \Style = MB_OK|MB_ICONASTERISK|MB_TASKMODAL
**********************************************************
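The PBVM80 listing above is the PowerBuilder runtime's generic MessageBox wrapper: it builds the Win32 style word in EDI step by step (0x2000 first, then one of 0x2010/0x2020/0x2030/0x2040, then OR 1..5, OR 0x100/0x200, and OR 0x180000), and OllyDbg's stack pane decodes the final 2040 as MB_OK|MB_ICONASTERISK|MB_TASKMODAL. That is why an API breakpoint lands in the runtime DLL rather than in the application's own code. The decoder below is an added example, not code from the post or from PowerBuilder; it uses only the documented winuser.h MB_* values, and the style words it decodes in the demo are the ones read off the listing. Note that the button, icon, default-button and modality parts are masked fields, not independent bits (MB_YESNO|MB_ABORTRETRYIGNORE would equal MB_CANCELTRYCONTINUE), so they must be decoded by mask rather than by bit test.

```python
"""Decode a Win32 MessageBox style DWORD into MB_* names (added example).

The masked fields and their values are the documented winuser.h constants.
"""

# Masked fields: each holds exactly one value, so decode them by mask.
MB_TYPEMASK = 0x0000000F
MB_ICONMASK = 0x000000F0
MB_DEFMASK = 0x00000F00
MB_MODEMASK = 0x00003000
MB_MISCMASK = 0x0000C000

BUTTON_TYPES = {
    0x0: "MB_OK", 0x1: "MB_OKCANCEL", 0x2: "MB_ABORTRETRYIGNORE",
    0x3: "MB_YESNOCANCEL", 0x4: "MB_YESNO", 0x5: "MB_RETRYCANCEL",
    0x6: "MB_CANCELTRYCONTINUE",
}
ICONS = {
    0x00: None, 0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION",
    0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK", 0x80: "MB_USERICON",
}
DEFAULT_BUTTONS = {
    0x000: None, 0x100: "MB_DEFBUTTON2", 0x200: "MB_DEFBUTTON3", 0x300: "MB_DEFBUTTON4",
}
MODES = {0x0000: None, 0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL"}

# Independent single-bit flags: these may be combined freely.
MISC_BITS = {0x4000: "MB_HELP", 0x8000: "MB_NOFOCUS"}
HIGH_BITS = {
    0x00010000: "MB_SETFOREGROUND",
    0x00020000: "MB_DEFAULT_DESKTOP_ONLY",
    0x00040000: "MB_TOPMOST",
    0x00080000: "MB_RIGHT",
    0x00100000: "MB_RTLREADING",
    0x00200000: "MB_SERVICE_NOTIFICATION",
}
FIELD_MASK = MB_TYPEMASK | MB_ICONMASK | MB_DEFMASK | MB_MODEMASK | MB_MISCMASK


def mb_style_fields(style):
    """Split a 32-bit style word into its masked fields plus leftover bits."""
    if not 0 <= style <= 0xFFFFFFFF:
        raise ValueError("style must be an unsigned 32-bit value")
    return {
        "type": style & MB_TYPEMASK,
        "icon": style & MB_ICONMASK,
        "defbutton": style & MB_DEFMASK,
        "mode": style & MB_MODEMASK,
        "misc": style & MB_MISCMASK,
        "flags": style & ~FIELD_MASK & 0xFFFFFFFF,
    }


def decode_mb_style(style):
    """Return the OllyDbg-style 'MB_A|MB_B' string for a style DWORD.

    Raises ValueError for a masked field holding an undefined value
    (e.g. button type 7), which no legitimate caller produces.
    """
    f = mb_style_fields(style)
    names = []
    for field, table in (("type", BUTTON_TYPES), ("icon", ICONS),
                         ("defbutton", DEFAULT_BUTTONS), ("mode", MODES)):
        value = f[field]
        if value not in table:
            raise ValueError(f"undefined {field} value 0x{value:X}")
        if table[value] is not None:
            names.append(table[value])
    rest = f["misc"] | f["flags"]
    for bit, name in list(MISC_BITS.items()) + list(HIGH_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        # Bits with no documented name are shown raw rather than dropped.
        names.append(f"0x{rest:08X}")
    return "|".join(names)


if __name__ == "__main__":
    # Values read off the listing and the stack pane above.
    for style in (0x2040, 0x2000, 0x2010, 0x2020, 0x2030,
                  0x2040 | 0x5 | 0x200, 0x2000 | 0x180000):
        print(f"{style:08X}  {decode_mb_style(style)}")
```

Running it reproduces OllyDbg's line for the value seen on the stack (`00002040  MB_OK|MB_ICONASTERISK|MB_TASKMODAL`) and shows that the final `OR EDI,180000` in the listing adds MB_RIGHT|MB_RTLREADING, i.e. the right-to-left layout option of the runtime's message box.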

Latest replies (2)
#2
Is nobody going to help take a look?? Was this software written by some guru, so that nobody dares touch it?
2007-2-24 20:28
#3
Hoping an expert can analyze it.
2007-2-24 23:32