└Title┐: 王牌超级工具箱 v11.9, ASProtect 1.22-1.23 unpacking and network verification patch
└Author┐: -=大菜一号<=-
└Target┐: 王牌超级工具箱 v11.9
└Download┐: search for it yourself
└Size┐: unknown
└Packer┐: ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov
└Protection┐: network verification
└Language┐: VB
└Tools┐: OD, VBExplorer
└Platform┐: D-XP
└Notes┐: heh, a network-verification target, my first time taking one on
----------------------------------------------------------------------------------
└Cracking process┐:
A look with PEiD shows ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov
A packer that's fairly easy to strip, hehe
1. Dealing with the packer
Load it in OD without ignoring memory access exceptions, and shift+f9 through the exceptions; there are 26 in total before the program runs.
ctrl+f2 to reload, shift+f9 all the way to the last exception; the stack tells us to break on the SE handler at 1002a89, oh ho ho!
shift+f9 once more to break at 1002a89, then alt+m to open the memory map:
Memory map
地址 大小 属主 区段 包含 类型 访问 初始访问
00010000 00001000 Priv RW RW <- select this line and press f2 to set a breakpoint
00020000 00001000 Priv RW RW
0012C000 00001000 Priv RW RW
0012D000 00003000 堆栈 于
shift+f9 reaches the program's OEP; the dump made with the OD plugin crashes on run, so fix all bad pointers with REC at trace level 1, after which it runs fine.
2. Patching the network verification
After unpacking, one look shows it's written in "VB", ugh, messy code!
Use VBExplorer to find the code behind the program's "Register/Verify" button; set a breakpoint, run, and we land here:
0048B290 > \55 push ebp <- breaks here
0048B291 . 8BEC mov ebp, esp
0048B293 . 83EC 0C sub esp, 0C
0048B296 . 68 E61E4000 push <jmp.&msvbvm60.__vbaExceptHandle>; SE handler installation
0048B29B . 64:A1 0000000>mov eax, dword ptr fs:[0]
0048B2A1 . 50 push eax
0048B2A2 . 64:8925 00000>mov dword ptr fs:[0], esp
0048B2A9 . 81EC DC000000 sub esp, 0DC
0048B2AF . 53 push ebx
0048B2B0 . 56 push esi
0048B2B1 . 57 push edi
0048B2B2 . 8965 F4 mov dword ptr [ebp-C], esp
0048B2B5 . C745 F8 981C4>mov dword ptr [ebp-8], 00401C98
0048B2BC . 8B75 08 mov esi, dword ptr [ebp+8]
0048B2BF . 8BC6 mov eax, esi
0048B2C1 . 83E0 01 and eax, 1
0048B2C4 . 8945 FC mov dword ptr [ebp-4], eax
0048B2C7 . 83E6 FE and esi, FFFFFFFE
0048B2CA . 56 push esi
0048B2CB . 8975 08 mov dword ptr [ebp+8], esi
0048B2CE . 8B0E mov ecx, dword ptr [esi]
0048B2D0 . FF51 04 call dword ptr [ecx+4]
0048B2D3 . 8B16 mov edx, dword ptr [esi]
0048B2D5 . 33DB xor ebx, ebx
0048B2D7 . 56 push esi
0048B2D8 . 895D E4 mov dword ptr [ebp-1C], ebx
0048B2DB . 895D E0 mov dword ptr [ebp-20], ebx
0048B2DE . 895D DC mov dword ptr [ebp-24], ebx
0048B2E1 . 895D D8 mov dword ptr [ebp-28], ebx
0048B2E4 . 895D D4 mov dword ptr [ebp-2C], ebx
0048B2E7 . 895D D0 mov dword ptr [ebp-30], ebx
0048B2EA . 895D C0 mov dword ptr [ebp-40], ebx
0048B2ED . 895D B0 mov dword ptr [ebp-50], ebx
0048B2F0 . 895D A0 mov dword ptr [ebp-60], ebx
0048B2F3 . 895D 90 mov dword ptr [ebp-70], ebx
0048B2F6 . 895D 80 mov dword ptr [ebp-80], ebx
0048B2F9 . 899D 60FFFFFF mov dword ptr [ebp-A0], ebx
0048B2FF . FF92 FC020000 call dword ptr [edx+2FC]
0048B305 . 8B3D 90104000 mov edi, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaObjSet
0048B30B . 50 push eax
0048B30C . 8D45 D0 lea eax, dword ptr [ebp-30]
0048B30F . 50 push eax
0048B310 . FFD7 call edi ; <&msvbvm60.__vbaObjSet>
0048B312 . 8B0E mov ecx, dword ptr [esi]
0048B314 . 56 push esi
0048B315 . 8985 44FFFFFF mov dword ptr [ebp-BC], eax
0048B31B . FF91 FC020000 call dword ptr [ecx+2FC]
0048B321 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048B324 . 50 push eax
0048B325 . 52 push edx
0048B326 . FFD7 call edi
0048B328 . 8B08 mov ecx, dword ptr [eax]
0048B32A . 8D55 E0 lea edx, dword ptr [ebp-20]
0048B32D . 52 push edx
0048B32E . 50 push eax
0048B32F . 8985 4CFFFFFF mov dword ptr [ebp-B4], eax
0048B335 . FF91 A0000000 call dword ptr [ecx+A0]
0048B33B . 3BC3 cmp eax, ebx
0048B33D . DBE2 fclex
0048B33F . 7D 18 jge short 0048B359
0048B341 . 8B8D 4CFFFFFF mov ecx, dword ptr [ebp-B4]
0048B347 . 68 A0000000 push 0A0
0048B34C . 68 84FC4500 push 0045FC84
0048B351 . 51 push ecx
0048B352 . 50 push eax
0048B353 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B359 > 8B45 E0 mov eax, dword ptr [ebp-20]
0048B35C . 8D55 C0 lea edx, dword ptr [ebp-40]
0048B35F . 8945 C8 mov dword ptr [ebp-38], eax
0048B362 . 8D45 B0 lea eax, dword ptr [ebp-50]
0048B365 . 52 push edx
0048B366 . 50 push eax
0048B367 . 895D E0 mov dword ptr [ebp-20], ebx
0048B36A . C745 C0 08000>mov dword ptr [ebp-40], 8
0048B371 . FF15 B0104000 call dword ptr [<&msvbvm60.rtcLeftTri>; msvbvm60.rtcLeftTrimVar
0048B377 . 8B8D 44FFFFFF mov ecx, dword ptr [ebp-BC]
0048B37D . 8D55 B0 lea edx, dword ptr [ebp-50]
0048B380 . 8D45 DC lea eax, dword ptr [ebp-24]
0048B383 . 52 push edx
0048B384 . 8B19 mov ebx, dword ptr [ecx]
0048B386 . 50 push eax
0048B387 . FF15 54114000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarVal
0048B38D . 8BCB mov ecx, ebx
0048B38F . 8B9D 44FFFFFF mov ebx, dword ptr [ebp-BC]
0048B395 . 50 push eax
0048B396 . 53 push ebx
0048B397 . FF91 A4000000 call dword ptr [ecx+A4]
0048B39D . 85C0 test eax, eax
0048B39F . DBE2 fclex
0048B3A1 . 7D 12 jge short 0048B3B5
0048B3A3 . 68 A4000000 push 0A4
0048B3A8 . 68 84FC4500 push 0045FC84
0048B3AD . 53 push ebx
0048B3AE . 50 push eax
0048B3AF . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B3B5 > 8D4D DC lea ecx, dword ptr [ebp-24]
0048B3B8 . FF15 24124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
0048B3BE . 8D55 D0 lea edx, dword ptr [ebp-30]
0048B3C1 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0048B3C4 . 52 push edx
0048B3C5 . 50 push eax
0048B3C6 . 6A 02 push 2
0048B3C8 . FF15 48104000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
0048B3CE . 8D4D B0 lea ecx, dword ptr [ebp-50]
0048B3D1 . 8D55 C0 lea edx, dword ptr [ebp-40]
0048B3D4 . 51 push ecx
0048B3D5 . 52 push edx
0048B3D6 . 6A 02 push 2
0048B3D8 . FF15 3C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
0048B3DE . 8B06 mov eax, dword ptr [esi]
0048B3E0 . 83C4 18 add esp, 18
0048B3E3 . 56 push esi
0048B3E4 . FF90 FC020000 call dword ptr [eax+2FC]
0048B3EA . 8D4D D0 lea ecx, dword ptr [ebp-30]
0048B3ED . 50 push eax
0048B3EE . 51 push ecx
0048B3EF . FFD7 call edi
0048B3F1 . 8B16 mov edx, dword ptr [esi]
0048B3F3 . 56 push esi
0048B3F4 . 8985 44FFFFFF mov dword ptr [ebp-BC], eax
0048B3FA . FF92 FC020000 call dword ptr [edx+2FC]
0048B400 . 50 push eax
0048B401 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0048B404 . 50 push eax
0048B405 . FFD7 call edi
0048B407 . 8BD8 mov ebx, eax
0048B409 . 8D55 E0 lea edx, dword ptr [ebp-20]
0048B40C . 52 push edx
0048B40D . 53 push ebx
0048B40E . 8B0B mov ecx, dword ptr [ebx]
0048B410 . FF91 A0000000 call dword ptr [ecx+A0]
0048B416 . 85C0 test eax, eax
0048B418 . DBE2 fclex
0048B41A . 7D 12 jge short 0048B42E
0048B41C . 68 A0000000 push 0A0
0048B421 . 68 84FC4500 push 0045FC84
0048B426 . 53 push ebx
0048B427 . 50 push eax
0048B428 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B42E > 8B45 E0 mov eax, dword ptr [ebp-20]
0048B431 . 8D4D B0 lea ecx, dword ptr [ebp-50]
0048B434 . 8945 C8 mov dword ptr [ebp-38], eax
0048B437 . 8D45 C0 lea eax, dword ptr [ebp-40]
0048B43A . 50 push eax
0048B43B . 51 push ecx
0048B43C . C745 E0 00000>mov dword ptr [ebp-20], 0
0048B443 . C745 C0 08000>mov dword ptr [ebp-40], 8
0048B44A . FF15 BC104000 call dword ptr [<&msvbvm60.rtcRightTr>; msvbvm60.rtcRightTrimVar
0048B450 . 8B95 44FFFFFF mov edx, dword ptr [ebp-BC]
0048B456 . 8D45 B0 lea eax, dword ptr [ebp-50]
0048B459 . 8D4D DC lea ecx, dword ptr [ebp-24]
0048B45C . 50 push eax
0048B45D . 8B1A mov ebx, dword ptr [edx]
0048B45F . 51 push ecx
0048B460 . FF15 54114000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarVal
0048B466 . 8BD3 mov edx, ebx
0048B468 . 8B9D 44FFFFFF mov ebx, dword ptr [ebp-BC]
0048B46E . 50 push eax
0048B46F . 53 push ebx
0048B470 . FF92 A4000000 call dword ptr [edx+A4]
0048B476 . 85C0 test eax, eax
0048B478 . DBE2 fclex
0048B47A . 7D 12 jge short 0048B48E
0048B47C . 68 A4000000 push 0A4
0048B481 . 68 84FC4500 push 0045FC84
0048B486 . 53 push ebx
0048B487 . 50 push eax
0048B488 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B48E > 8D4D DC lea ecx, dword ptr [ebp-24]
0048B491 . FF15 24124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
0048B497 . 8D45 D0 lea eax, dword ptr [ebp-30]
0048B49A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048B49D . 50 push eax
0048B49E . 51 push ecx
0048B49F . 6A 02 push 2
0048B4A1 . FF15 48104000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
0048B4A7 . 8D55 B0 lea edx, dword ptr [ebp-50]
0048B4AA . 8D45 C0 lea eax, dword ptr [ebp-40]
0048B4AD . 52 push edx
0048B4AE . 50 push eax
0048B4AF . 6A 02 push 2
0048B4B1 . FF15 3C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
0048B4B7 . 8B0E mov ecx, dword ptr [esi]
0048B4B9 . 83C4 18 add esp, 18
0048B4BC . 56 push esi
0048B4BD . FF91 08030000 call dword ptr [ecx+308]
0048B4C3 . 8D55 D0 lea edx, dword ptr [ebp-30]
0048B4C6 . 50 push eax
0048B4C7 . 52 push edx
0048B4C8 . FFD7 call edi
0048B4CA . 8985 44FFFFFF mov dword ptr [ebp-BC], eax
0048B4D0 . 8B06 mov eax, dword ptr [esi]
0048B4D2 . 56 push esi
0048B4D3 . FF90 08030000 call dword ptr [eax+308]
0048B4D9 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048B4DC . 50 push eax
0048B4DD . 51 push ecx
0048B4DE . FFD7 call edi
0048B4E0 . 8BD8 mov ebx, eax
0048B4E2 . 8D45 E0 lea eax, dword ptr [ebp-20]
0048B4E5 . 50 push eax
0048B4E6 . 53 push ebx
0048B4E7 . 8B13 mov edx, dword ptr [ebx]
0048B4E9 . FF92 A0000000 call dword ptr [edx+A0]
0048B4EF . 85C0 test eax, eax
0048B4F1 . DBE2 fclex
0048B4F3 . 7D 12 jge short 0048B507
0048B4F5 . 68 A0000000 push 0A0
0048B4FA . 68 84FC4500 push 0045FC84
0048B4FF . 53 push ebx
0048B500 . 50 push eax
0048B501 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B507 > 8B45 E0 mov eax, dword ptr [ebp-20]
0048B50A . 8D4D C0 lea ecx, dword ptr [ebp-40]
0048B50D . 8D55 B0 lea edx, dword ptr [ebp-50]
0048B510 . 51 push ecx
0048B511 . 52 push edx
0048B512 . C745 E0 00000>mov dword ptr [ebp-20], 0
0048B519 . 8945 C8 mov dword ptr [ebp-38], eax
0048B51C . C745 C0 08000>mov dword ptr [ebp-40], 8
0048B523 . FF15 B0104000 call dword ptr [<&msvbvm60.rtcLeftTri>; msvbvm60.rtcLeftTrimVar
0048B529 . 8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
0048B52F . 8D4D B0 lea ecx, dword ptr [ebp-50]
0048B532 . 8D55 DC lea edx, dword ptr [ebp-24]
0048B535 . 51 push ecx
0048B536 . 8B18 mov ebx, dword ptr [eax]
0048B538 . 52 push edx
0048B539 . FF15 54114000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarVal
0048B53F . 899D 18FFFFFF mov dword ptr [ebp-E8], ebx
0048B545 . 8B9D 44FFFFFF mov ebx, dword ptr [ebp-BC]
0048B54B . 50 push eax
0048B54C . 8B85 18FFFFFF mov eax, dword ptr [ebp-E8]
0048B552 . 53 push ebx
0048B553 . FF90 A4000000 call dword ptr [eax+A4]
0048B559 . 85C0 test eax, eax
0048B55B . DBE2 fclex
0048B55D . 7D 12 jge short 0048B571
0048B55F . 68 A4000000 push 0A4
0048B564 . 68 84FC4500 push 0045FC84
0048B569 . 53 push ebx
0048B56A . 50 push eax
0048B56B . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B571 > 8D4D DC lea ecx, dword ptr [ebp-24]
0048B574 . FF15 24124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
0048B57A . 8D4D D0 lea ecx, dword ptr [ebp-30]
0048B57D . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048B580 . 51 push ecx
0048B581 . 52 push edx
0048B582 . 6A 02 push 2
0048B584 . FF15 48104000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
0048B58A . 8D45 B0 lea eax, dword ptr [ebp-50]
0048B58D . 8D4D C0 lea ecx, dword ptr [ebp-40]
0048B590 . 50 push eax
0048B591 . 51 push ecx
0048B592 . 6A 02 push 2
0048B594 . FF15 3C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
0048B59A . 8B16 mov edx, dword ptr [esi]
0048B59C . 83C4 18 add esp, 18
0048B59F . 56 push esi
0048B5A0 . FF92 08030000 call dword ptr [edx+308]
0048B5A6 . 50 push eax
0048B5A7 . 8D45 D0 lea eax, dword ptr [ebp-30]
0048B5AA . 50 push eax
0048B5AB . FFD7 call edi
0048B5AD . 8B0E mov ecx, dword ptr [esi]
0048B5AF . 56 push esi
0048B5B0 . 8985 44FFFFFF mov dword ptr [ebp-BC], eax
0048B5B6 . FF91 08030000 call dword ptr [ecx+308]
0048B5BC . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048B5BF . 50 push eax
0048B5C0 . 52 push edx
0048B5C1 . FFD7 call edi
0048B5C3 . 8BD8 mov ebx, eax
0048B5C5 . 8D4D E0 lea ecx, dword ptr [ebp-20]
0048B5C8 . 51 push ecx
0048B5C9 . 53 push ebx
0048B5CA . 8B03 mov eax, dword ptr [ebx]
0048B5CC . FF90 A0000000 call dword ptr [eax+A0]
0048B5D2 . 85C0 test eax, eax
0048B5D4 . DBE2 fclex
0048B5D6 . 7D 12 jge short 0048B5EA
0048B5D8 . 68 A0000000 push 0A0
0048B5DD . 68 84FC4500 push 0045FC84
0048B5E2 . 53 push ebx
0048B5E3 . 50 push eax
0048B5E4 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B5EA > 8B45 E0 mov eax, dword ptr [ebp-20]
0048B5ED . 8D55 C0 lea edx, dword ptr [ebp-40]
0048B5F0 . 8945 C8 mov dword ptr [ebp-38], eax
0048B5F3 . 8D45 B0 lea eax, dword ptr [ebp-50]
0048B5F6 . 52 push edx
0048B5F7 . 50 push eax
0048B5F8 . C745 E0 00000>mov dword ptr [ebp-20], 0
0048B5FF . C745 C0 08000>mov dword ptr [ebp-40], 8
0048B606 . FF15 BC104000 call dword ptr [<&msvbvm60.rtcRightTr>; msvbvm60.rtcRightTrimVar
0048B60C . 8B8D 44FFFFFF mov ecx, dword ptr [ebp-BC]
0048B612 . 8D55 B0 lea edx, dword ptr [ebp-50]
0048B615 . 8D45 DC lea eax, dword ptr [ebp-24]
0048B618 . 52 push edx
0048B619 . 8B19 mov ebx, dword ptr [ecx]
0048B61B . 50 push eax
0048B61C . FF15 54114000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarVal
0048B622 . 8BCB mov ecx, ebx
0048B624 . 8B9D 44FFFFFF mov ebx, dword ptr [ebp-BC]
0048B62A . 50 push eax
0048B62B . 53 push ebx
0048B62C . FF91 A4000000 call dword ptr [ecx+A4]
0048B632 . 85C0 test eax, eax
0048B634 . DBE2 fclex
0048B636 . 7D 12 jge short 0048B64A
0048B638 . 68 A4000000 push 0A4
0048B63D . 68 84FC4500 push 0045FC84
0048B642 . 53 push ebx
0048B643 . 50 push eax
0048B644 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B64A > 8D4D DC lea ecx, dword ptr [ebp-24]
0048B64D . FF15 24124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
0048B653 . 8D55 D0 lea edx, dword ptr [ebp-30]
0048B656 . 8D45 D4 lea eax, dword ptr [ebp-2C]
0048B659 . 52 push edx
0048B65A . 50 push eax
0048B65B . 6A 02 push 2
0048B65D . FF15 48104000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
0048B663 . 8D4D B0 lea ecx, dword ptr [ebp-50]
0048B666 . 8D55 C0 lea edx, dword ptr [ebp-40]
0048B669 . 51 push ecx
0048B66A . 52 push edx
0048B66B . 6A 02 push 2
0048B66D . FF15 3C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
0048B673 . 8B06 mov eax, dword ptr [esi]
0048B675 . 83C4 18 add esp, 18
0048B678 . 56 push esi
0048B679 . FF90 08030000 call dword ptr [eax+308]
0048B67F . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048B682 . 50 push eax
0048B683 . 51 push ecx
0048B684 . FFD7 call edi
0048B686 . 8BD8 mov ebx, eax
0048B688 . 8D45 E0 lea eax, dword ptr [ebp-20]
0048B68B . 50 push eax
0048B68C . 53 push ebx
0048B68D . 8B13 mov edx, dword ptr [ebx]
0048B68F . FF92 A0000000 call dword ptr [edx+A0]
0048B695 . 85C0 test eax, eax
0048B697 . DBE2 fclex
0048B699 . 7D 12 jge short 0048B6AD
0048B69B . 68 A0000000 push 0A0
0048B6A0 . 68 84FC4500 push 0045FC84
0048B6A5 . 53 push ebx
0048B6A6 . 50 push eax
0048B6A7 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B6AD > 8B0E mov ecx, dword ptr [esi]
0048B6AF . 56 push esi
0048B6B0 . FF91 FC020000 call dword ptr [ecx+2FC]
0048B6B6 . 8D55 D0 lea edx, dword ptr [ebp-30]
0048B6B9 . 50 push eax
0048B6BA . 52 push edx
0048B6BB . FFD7 call edi
0048B6BD . 8BD8 mov ebx, eax
0048B6BF . 8D4D DC lea ecx, dword ptr [ebp-24]
0048B6C2 . 51 push ecx
0048B6C3 . 53 push ebx
0048B6C4 . 8B03 mov eax, dword ptr [ebx]
0048B6C6 . FF90 A0000000 call dword ptr [eax+A0]
0048B6CC . 85C0 test eax, eax
0048B6CE . DBE2 fclex
0048B6D0 . 7D 12 jge short 0048B6E4
0048B6D2 . 68 A0000000 push 0A0
0048B6D7 . 68 84FC4500 push 0045FC84
0048B6DC . 53 push ebx
0048B6DD . 50 push eax
0048B6DE . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B6E4 > 8B55 DC mov edx, dword ptr [ebp-24]
0048B6E7 . 52 push edx
0048B6E8 . FF15 34104000 call dword ptr [<&msvbvm60.__vbaLenBs>; msvbvm60.__vbaLenBstr <- get the registration name length
0048B6EE . 33DB xor ebx, ebx
0048B6F0 . 83F8 0D cmp eax, 0D <- compare the name length with 13
0048B6F3 . 8B45 E0 mov eax, dword ptr [ebp-20]
0048B6F6 . 0F9CC3 setl bl
0048B6F9 . 50 push eax
0048B6FA . F7DB neg ebx
0048B6FC . FF15 34104000 call dword ptr [<&msvbvm60.__vbaLenBs>; msvbvm60.__vbaLenBstr <- get the registration code length
0048B702 . 33C9 xor ecx, ecx
0048B704 . 83F8 14 cmp eax, 14 <- compare the code length with 20
0048B707 . 8D55 DC lea edx, dword ptr [ebp-24]
0048B70A . 8D45 E0 lea eax, dword ptr [ebp-20]
0048B70D . 0F9CC1 setl cl
0048B710 . 52 push edx
0048B711 . 50 push eax
0048B712 . F7D9 neg ecx
0048B714 . 6A 02 push 2
0048B716 . 0BD9 or ebx, ecx
0048B718 . FF15 98114000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStrList
0048B71E . 8D4D D0 lea ecx, dword ptr [ebp-30]
0048B721 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048B724 . 51 push ecx
0048B725 . 52 push edx
0048B726 . 6A 02 push 2
0048B728 . FF15 48104000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
0048B72E . 83C4 18 add esp, 18
0048B731 . 66:85DB test bx, bx
0048B734 . 0F85 CD040000 jnz 0048BC07 <- if they don't match, don't go online
0048B73A . B9 04000280 mov ecx, 80020004
0048B73F . B8 0A000000 mov eax, 0A
0048B744 . 894D 98 mov dword ptr [ebp-68], ecx
0048B747 . 894D A8 mov dword ptr [ebp-58], ecx
0048B74A . 8D55 80 lea edx, dword ptr [ebp-80]
0048B74D . 8D4D B0 lea ecx, dword ptr [ebp-50]
0048B750 . 8945 90 mov dword ptr [ebp-70], eax
0048B753 . 8945 A0 mov dword ptr [ebp-60], eax
0048B756 . C745 88 24534>mov dword ptr [ebp-78], 00465324
0048B75D . C745 80 08000>mov dword ptr [ebp-80], 8
0048B764 . FF15 C8114000 call dword ptr [<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup
0048B76A . 68 B4524600 push 004652B4
0048B76F . 68 08004600 push 00460008 ; UNICODE CR,LF
0048B774 . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
0048B77A . 8B1D F8114000 mov ebx, dword ptr [<&msvbvm60.__vba>; msvbvm60.__vbaStrMove
0048B780 . 8BD0 mov edx, eax
0048B782 . 8D4D E0 lea ecx, dword ptr [ebp-20]
0048B785 . FFD3 call ebx ; <&msvbvm60.__vbaStrMove>
0048B787 . 50 push eax
0048B788 . 68 08004600 push 00460008 ; UNICODE CR,LF
0048B78D . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
0048B793 . 8BD0 mov edx, eax
0048B795 . 8D4D DC lea ecx, dword ptr [ebp-24]
0048B798 . FFD3 call ebx
0048B79A . 50 push eax
0048B79B . 68 F4524600 push 004652F4
0048B7A0 . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
0048B7A6 . 8945 C8 mov dword ptr [ebp-38], eax
0048B7A9 . 8D45 90 lea eax, dword ptr [ebp-70]
0048B7AC . 8D4D A0 lea ecx, dword ptr [ebp-60]
0048B7AF . 50 push eax
0048B7B0 . 8D55 B0 lea edx, dword ptr [ebp-50]
0048B7B3 . 51 push ecx
0048B7B4 . 52 push edx
0048B7B5 . 8D45 C0 lea eax, dword ptr [ebp-40]
0048B7B8 . 6A 41 push 41
0048B7BA . 50 push eax
0048B7BB . C745 C0 08000>mov dword ptr [ebp-40], 8
0048B7C2 . FF15 94104000 call dword ptr [<&msvbvm60.rtcMsgBox>>; msvbvm60.rtcMsgBox <- if they match, prompt to go online
0048B7C8 . 8BC8 mov ecx, eax
0048B7CA . FF15 F4104000 call dword ptr [<&msvbvm60.__vbaI2I4>>; msvbvm60.__vbaI2I4
0048B7D0 . 8D4D DC lea ecx, dword ptr [ebp-24]
0048B7D3 . 8D55 E0 lea edx, dword ptr [ebp-20]
0048B7D6 . 51 push ecx
0048B7D7 . 52 push edx
0048B7D8 . 6A 02 push 2
0048B7DA . 8945 E8 mov dword ptr [ebp-18], eax
0048B7DD . FF15 98114000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStrList
0048B7E3 . 8D45 90 lea eax, dword ptr [ebp-70]
0048B7E6 . 8D4D A0 lea ecx, dword ptr [ebp-60]
0048B7E9 . 50 push eax
0048B7EA . 8D55 B0 lea edx, dword ptr [ebp-50]
0048B7ED . 51 push ecx
0048B7EE . 8D45 C0 lea eax, dword ptr [ebp-40]
0048B7F1 . 52 push edx
0048B7F2 . 50 push eax
0048B7F3 . 6A 04 push 4
0048B7F5 . FF15 3C104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
0048B7FB . 8B0E mov ecx, dword ptr [esi]
0048B7FD . 83C4 20 add esp, 20
0048B800 . 66:837D E8 01 cmp word ptr [ebp-18], 1 <- was "OK" chosen in the prompt
0048B805 . 56 push esi
0048B806 . 0F85 BD030000 jnz 0048BBC9 <- if not, don't connect to the network
0048B80C . FF91 10030000 call dword ptr [ecx+310]
0048B812 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048B815 . 50 push eax
0048B816 . 52 push edx
0048B817 . FFD7 call edi
0048B819 . 8B08 mov ecx, dword ptr [eax]
0048B81B . 68 34534600 push 00465334
0048B820 . 50 push eax
0048B821 . 8985 4CFFFFFF mov dword ptr [ebp-B4], eax
0048B827 . FF91 A4000000 call dword ptr [ecx+A4]
0048B82D . 85C0 test eax, eax
0048B82F . DBE2 fclex
0048B831 . 7D 18 jge short 0048B84B
0048B833 . 8B95 4CFFFFFF mov edx, dword ptr [ebp-B4]
0048B839 . 68 A4000000 push 0A4
0048B83E . 68 84FC4500 push 0045FC84
0048B843 . 52 push edx
0048B844 . 50 push eax
0048B845 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B84B > 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048B84E . FF15 20124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
0048B854 . 8B06 mov eax, dword ptr [esi]
0048B856 . 6A 0B push 0B
0048B858 . 56 push esi
0048B859 . FF90 A4000000 call dword ptr [eax+A4]
0048B85F . 85C0 test eax, eax
0048B861 . DBE2 fclex
0048B863 . 7D 12 jge short 0048B877
0048B865 . 68 A4000000 push 0A4
0048B86A . 68 ACF34500 push 0045F3AC
0048B86F . 56 push esi
0048B870 . 50 push eax
0048B871 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B877 > 83EC 10 sub esp, 10
0048B87A . B9 08000000 mov ecx, 8
0048B87F . 8BD4 mov edx, esp
0048B881 . 894D 80 mov dword ptr [ebp-80], ecx
0048B884 . B8 68534600 mov eax, 00465368 ; UNICODE "http://www.kingft.com/use"<- this is the URL
0048B889 . 83EC 10 sub esp, 10
0048B88C . 890A mov dword ptr [edx], ecx
0048B88E . 8B4D 84 mov ecx, dword ptr [ebp-7C]
0048B891 . 8945 88 mov dword ptr [ebp-78], eax
0048B894 . C785 68FFFFFF>mov dword ptr [ebp-98], 0
0048B89E . 894A 04 mov dword ptr [edx+4], ecx
0048B8A1 . 8BCC mov ecx, esp
0048B8A3 . 6A 02 push 2
0048B8A5 . 6A 16 push 16
0048B8A7 . 8942 08 mov dword ptr [edx+8], eax
0048B8AA . 8B45 8C mov eax, dword ptr [ebp-74]
0048B8AD . 56 push esi
0048B8AE . 8942 0C mov dword ptr [edx+C], eax
0048B8B1 . 8B95 64FFFFFF mov edx, dword ptr [ebp-9C]
0048B8B7 . B8 03000000 mov eax, 3
0048B8BC . 8901 mov dword ptr [ecx], eax
0048B8BE . 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0048B8C4 . 8951 04 mov dword ptr [ecx+4], edx
0048B8C7 . 8B95 6CFFFFFF mov edx, dword ptr [ebp-94]
0048B8CD . 8941 08 mov dword ptr [ecx+8], eax
0048B8D0 . 8B06 mov eax, dword ptr [esi]
0048B8D2 . 8951 0C mov dword ptr [ecx+C], edx
0048B8D5 . FF90 24030000 call dword ptr [eax+324]
0048B8DB . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048B8DE . 50 push eax
0048B8DF . 51 push ecx
0048B8E0 . FFD7 call edi
0048B8E2 . 8D55 C0 lea edx, dword ptr [ebp-40]
0048B8E5 . 50 push eax
0048B8E6 . 52 push edx
0048B8E7 . FF15 08114000 call dword ptr [<&msvbvm60.__vbaLateI>; msvbvm60.__vbaLateIdCallLd <- now it goes online
0048B8ED . 83C4 30 add esp, 30
0048B8F0 . 50 push eax
0048B8F1 . FF15 38104000 call dword ptr [<&msvbvm60.__vbaStrVa>; msvbvm60.__vbaStrVarMove
0048B8F7 . 8BD0 mov edx, eax
0048B8F9 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0048B8FC . FFD3 call ebx
0048B8FE . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048B901 . FF15 20124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
0048B907 . 8D4D C0 lea ecx, dword ptr [ebp-40]
0048B90A . FF15 28104000 call dword ptr [<&msvbvm60.__vbaFreeV>; msvbvm60.__vbaFreeVar
0048B910 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0048B913 . 50 push eax
0048B914 . 68 E4F54500 push 0045F5E4
0048B919 . FF15 E8104000 call dword ptr [<&msvbvm60.__vbaStrCm>; msvbvm60.__vbaStrCmp <- compare the returned value
0048B91F . 85C0 test eax, eax <- is eax empty
0048B921 0F85 8D000000 jnz 0048B9B4<------------------------- empty means registration failed; change to jmp
0048B927 . 8B0E mov ecx, dword ptr [esi]
OK, after f9 it reports that registration verification succeeded!
But closing OD and running the program directly, it still says "Not registered"; load it in OD again and return to the spot from before:
0048B927 . 8B0E mov ecx, dword ptr [esi] <- continuing from above
0048B929 . 56 push esi
0048B92A . FF91 10030000 call dword ptr [ecx+310]
0048B930 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0048B933 . 50 push eax
0048B934 . 52 push edx
0048B935 . FFD7 call edi
0048B937 . 8BF0 mov esi, eax
0048B939 . 68 FC514600 push 004651FC
0048B93E . 68 08004600 push 00460008 ; UNICODE CR,LF
0048B943 . 8B3E mov edi, dword ptr [esi]
0048B945 . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
0048B94B . 8BD0 mov edx, eax
0048B94D . 8D4D E0 lea ecx, dword ptr [ebp-20]
0048B950 . FFD3 call ebx
0048B952 . 50 push eax
0048B953 . 68 08004600 push 00460008 ; UNICODE CR,LF
0048B958 . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
0048B95E . 8BD0 mov edx, eax
0048B960 . 8D4D DC lea ecx, dword ptr [ebp-24]
0048B963 . FFD3 call ebx
0048B965 . 50 push eax
0048B966 . 68 A0534600 push 004653A0
0048B96B . FF15 5C104000 call dword ptr [<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
0048B971 . 8BD0 mov edx, eax
0048B973 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0048B976 . FFD3 call ebx
0048B978 . 50 push eax
0048B979 . 56 push esi
0048B97A . FF97 A4000000 call dword ptr [edi+A4]
0048B980 . 85C0 test eax, eax
0048B982 . DBE2 fclex
0048B984 . 7D 12 jge short 0048B998
0048B986 . 68 A4000000 push 0A4
0048B98B . 68 84FC4500 push 0045FC84
0048B990 . 56 push esi
0048B991 . 50 push eax
0048B992 . FF15 6C104000 call dword ptr [<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0048B998 > 8D45 D8 lea eax, dword ptr [ebp-28]
0048B99B . 8D4D DC lea ecx, dword ptr [ebp-24]
0048B99E . 50 push eax
0048B99F . 8D55 E0 lea edx, dword ptr [ebp-20]
0048B9A2 . 51 push ecx
0048B9A3 . 52 push edx
0048B9A4 . 6A 03 push 3
0048B9A6 . FF15 98114000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStrList
0048B9AC . 83C4 10 add esp, 10
0048B9AF . E9 4A020000 jmp 0048BBFE <- on failed registration it jumps here
0048B9B4 > 8B06 mov eax, dword ptr [esi] <- on successful registration it jumps to here
........a pile of code omitted.........
Much further down in the code you can see:
0048BE90 . 50 push eax
0048BE91 . 68 BCF84500 push 0045F8BC ; UNICODE "2002"
0048BE96 . 68 9CF84500 push 0045F89C ; UNICODE "toolstimework" <- subkey
0048BE9B . 68 F0ED4500 push 0045EDF0 ; UNICODE "kingtools" <- registry key
0048BEA0 . FF15 08104000 call dword ptr [<&msvbvm60.rtcSaveSet>; msvbvm60.rtcSaveSetting <- save setting; what it sets is unknown
0048BEA6 . 8D4D DC lea ecx, dword ptr [ebp-24]
0048BEA9 . FF15 24124000 call dword ptr [<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
0048BEAF . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0048BEB2 . FF15 20124000 call dword ptr [<&msvbvm60.__vbaFreeO>; msvbvm60.__vbaFreeObj
After changing the key jump above, we find that the "toolstimework" key in the registry now contains a value named 613912
Its data is "gdcikjynnfexspmhnj8omgh90mjg449tblo9i6fgjk7643du09mjy756gj9jng76uhvyt87jngre47hb44f6ghjufddfgtwfsdsxyytudfb9lghrffku45fc87j5hv84swvh745fgdfdwfjkhr2387hbkiu5rdf"
Deleting it amounts to uninstalling!
Heh, that's all it takes!
With the key jump changed, clicking "Register/Verify" makes the program believe registration succeeded, and it writes this string into the registry!
As for how that string is computed, I'll give up tracing it! VB code is a real mess ~~~*_*b
----------------------------------------------------------------------------------
└Lessons learned┐:
Heh, network verification isn't that hard! Oh ho ho, at least this one wasn't! ^-^
----------------------------------------------------------------------------------
└Copyright notice┐ This article was originally posted on the 看雪 software security forum; when reposting, please credit the author and keep the article intact, thanks!
May 6, 2007 8:26:12