温馨家庭日记 (Warm Family Diary)
cracker: essorg
tools: TRW2000 (tracing; U to unassemble and capture the code)
level: 0
Checked with language2k: no packer, written in VB6. Run it to the registration dialog and enter:
Username: essorg
E-mail: essorg@163.com
Serial: 7878787878
When the error dialog appears, type hwnd to get that window's handle XXXX, then set
bpmsg XXXX wm_command
Type X to return to the program. Back in the registration-error dialog, click OK; TRW2000 breaks in. Scroll up to find the comparison and the branch; U gives:
017F:0048C076 C7850CFFFFFF0000+MOV DWORD [EBP+FFFFFF0C],00
017F:0048C080 8B55DC MOV EDX,[EBP-24] 〈---- entered username
017F:0048C083 52 PUSH EDX
017F:0048C084 8B45D8 MOV EAX,[EBP-28] 〈---- entered e-mail
017F:0048C087 50 PUSH EAX
017F:0048C088 FF155C104000 CALL `MSVBVM60!__vbaStrCat` 〈---- concatenate username & e-mail
017F:0048C08E 8BD0 MOV EDX,EAX
017F:0048C090 8D4DD4 LEA ECX,[EBP-2C]
017F:0048C093 FF15E0124000 CALL `MSVBVM60!__vbaStrMove`
017F:0048C099 50 PUSH EAX
017F:0048C09A E87126FFFF CALL 0047E710 〈---- compute the real serial
017F:0048C09F 8BD0 MOV EDX,EAX
017F:0048C0A1 8D4DCC LEA ECX,[EBP-34]
017F:0048C0A4 FF15E0124000 CALL `MSVBVM60!__vbaStrMove` 〈---- EAX = real serial (BSTR); EAX is not touched again before 48C0AF
017F:0048C0AA 50 PUSH EAX
017F:0048C0AB 8B4DD0 MOV ECX,[EBP-30] 〈---- entered serial
017F:0048C0AE 51 PUSH ECX
017F:0048C0AF FF1550114000 CALL `MSVBVM60!__vbaStrCmp` 〈---- compare real serial with entered serial
017F:0048C0B5 F7D8 NEG EAX
017F:0048C0B7 1BC0 SBB EAX,EAX
017F:0048C0B9 40 INC EAX
017F:0048C0BA F7D8 NEG EAX
017F:0048C0BC 6689853CFFFFFF MOV [EBP+FFFFFF3C],AX 〈---- NEG/SBB/INC/NEG turns the compare result into a VB Boolean: True (-1) only when the strings are equal
=================================================================================
017F:0047E710 55 PUSH EBP
017F:0047E711 8BEC MOV EBP,ESP
017F:0047E713 83EC18 SUB ESP,BYTE +18
......
017F:0047E770 C745FC03000000 MOV DWORD [EBP-04],03
017F:0047E777 6A00 PUSH BYTE +00
017F:0047E779 8B45D8 MOV EAX,[EBP-28]
017F:0047E77C 50 PUSH EAX
017F:0047E77D FF1580104000 CALL `MSVBVM60!__vbaLenBstrB` 〈---- LenB: byte length of the string (wide-char, 2 bytes per character)
......
017F:0047E7D4 C745FC06000000 MOV DWORD [EBP-04],06
017F:0047E7DB 8B45D0 MOV EAX,[EBP-30]
017F:0047E7DE 50 PUSH EAX
017F:0047E7DF 6A01 PUSH BYTE +01
017F:0047E7E1 FF1518124000 CALL `MSVBVM60!__vbaUbound`
017F:0047E7E7 89854CFFFFFF MOV [EBP+FFFFFF4C],EAX 〈---- UBound of the byte array (loop limit)
017F:0047E7ED C78550FFFFFF0100+MOV DWORD [EBP+FFFFFF50],01
017F:0047E7F7 C745DC00000000 MOV DWORD [EBP-24],00
017F:0047E7FE EB12 JMP SHORT 0047E812
017F:0047E800 8B4DDC MOV ECX,[EBP-24]
017F:0047E803 038D50FFFFFF ADD ECX,[EBP+FFFFFF50]
017F:0047E809 0F80E7010000 JO NEAR 0047E9F6
017F:0047E80F 894DDC MOV [EBP-24],ECX
017F:0047E812 8B55DC MOV EDX,[EBP-24]
017F:0047E815 3B954CFFFFFF CMP EDX,[EBP+FFFFFF4C] 〈---- compare the counter i with UBound;
017F:0047E81B 0F8F54010000 JG NEAR 0047E975 〈---- once i > UBound the conversion loop ends
017F:0047E821 C745FC07000000 MOV DWORD [EBP-04],07
017F:0047E828 837DD000 CMP DWORD [EBP-30],BYTE +00
017F:0047E82C 744C JZ 0047E87A
017F:0047E82E 8B45D0 MOV EAX,[EBP-30]
017F:0047E831 66833801 CMP WORD [EAX],BYTE +01 〈---- SAFEARRAY.cDims must be 1
017F:0047E835 7543 JNZ 0047E87A
017F:0047E837 8B4DD0 MOV ECX,[EBP-30]
017F:0047E83A 8B55DC MOV EDX,[EBP-24]
017F:0047E83D 2B5114 SUB EDX,[ECX+14] 〈---- i - lLbound (SAFEARRAY.rgsabound[0].lLbound)
017F:0047E840 899554FFFFFF MOV [EBP+FFFFFF54],EDX
017F:0047E846 8B45D0 MOV EAX,[EBP-30]
017F:0047E849 8B8D54FFFFFF MOV ECX,[EBP+FFFFFF54]
017F:0047E84F 3B4810 CMP ECX,[EAX+10] 〈---- bounds check against cElements
017F:0047E852 730C JNC 0047E860
017F:0047E854 C78534FFFFFF0000+MOV DWORD [EBP+FFFFFF34],00
017F:0047E85E EB0C JMP SHORT 0047E86C
017F:0047E860 FF1544114000 CALL `MSVBVM60!__vbaGenerateBoundsError`
017F:0047E866 898534FFFFFF MOV [EBP+FFFFFF34],EAX
017F:0047E86C 8B9554FFFFFF MOV EDX,[EBP+FFFFFF54]
017F:0047E872 899530FFFFFF MOV [EBP+FFFFFF30],EDX
017F:0047E878 EB0C JMP SHORT 0047E886
017F:0047E87A FF1544114000 CALL `MSVBVM60!__vbaGenerateBoundsError`
017F:0047E880 898530FFFFFF MOV [EBP+FFFFFF30],EAX
017F:0047E886 8B45D0 MOV EAX,[EBP-30]
017F:0047E889 8B480C MOV ECX,[EAX+0C] 〈---- SAFEARRAY.pvData
017F:0047E88C 8B9530FFFFFF MOV EDX,[EBP+FFFFFF30]
017F:0047E892 33C0 XOR EAX,EAX
017F:0047E894 8A0411 MOV AL,[ECX+EDX] 〈---- AL = byte[i] of the wide-char string
017F:0047E897 3345DC XOR EAX,[EBP-24] 〈---- XOR with the loop counter i
017F:0047E89A 83C001 ADD EAX,BYTE +01 〈---- +1 → 1-based position in the character table
017F:0047E89D 0F8053010000 JO NEAR 0047E9F6
017F:0047E8A3 8945D4 MOV [EBP-2C],EAX
017F:0047E8A6 C745FC08000000 MOV DWORD [EBP-04],08
017F:0047E8AD 837DD400 CMP DWORD [EBP-2C],BYTE +00 〈---- if the position is 0 ...
017F:0047E8B1 7409 JZ 0047E8BC
017F:0047E8B3 817DD400010000 CMP DWORD [EBP-2C],0100 〈---- ... or greater than 256 ...
017F:0047E8BA 7E0D JNG 0047E8C9
017F:0047E8BC C745FC09000000 MOV DWORD [EBP-04],09
017F:0047E8C3 8B4DDC MOV ECX,[EBP-24]
017F:0047E8C6 894DD4 MOV [EBP-2C],ECX 〈---- ... use the counter i itself as the position
017F:0047E8C9 C745FC0B000000 MOV DWORD [EBP-04],0B
017F:0047E8D0 8B55D8 MOV EDX,[EBP-28]
017F:0047E8D3 899560FFFFFF MOV [EBP+FFFFFF60],EDX
017F:0047E8D9 C78558FFFFFF0800+MOV DWORD [EBP+FFFFFF58],08
017F:0047E8E3 C745B401000000 MOV DWORD [EBP-4C],01 〈---- Variant value: length 1
017F:0047E8EA C745AC02000000 MOV DWORD [EBP-54],02 〈---- Variant vt = 2 (VT_I2)
017F:0047E8F1 C7458058024100 MOV DWORD [EBP-80],00410258 〈---- Variant value: BSTR of the character table
017F:0047E8F8 C78578FFFFFF0800+MOV DWORD [EBP+FFFFFF78],08 〈---- Variant vt = 8 (VT_BSTR)
017F:0047E902 8D9578FFFFFF LEA EDX,[EBP+FFFFFF78]
017F:0047E908 8D4DBC LEA ECX,[EBP-44]
017F:0047E90B FF15AC124000 CALL `MSVBVM60!__vbaVarDup` 〈---- copy the table Variant to [EBP-44]
017F:0047E911 8D45AC LEA EAX,[EBP-54] 〈---- length argument: Variant (vt=2, value 1), i.e. one character
017F:0047E914 50 PUSH EAX
017F:0047E915 8B4DD4 MOV ECX,[EBP-2C] 〈---- computed position
017F:0047E918 51 PUSH ECX
017F:0047E919 8D55BC LEA EDX,[EBP-44] 〈---- character table; its contents are dumped below at 004E6728
017F:0047E91C 52 PUSH EDX
017F:0047E91D 8D459C LEA EAX,[EBP-64] 〈---- result Variant
017F:0047E920 50 PUSH EAX
017F:0047E921 FF1520114000 CALL `MSVBVM60!rtcMidCharVar` 〈---- Mid(table, position, 1)
===================================================================================
1 0030:004E6728 41 00 51 00 41 00 43 00-5A 00 58 00 4C 00 4B 00 A.Q.A.C.Z.X.L.K.
2 0030:004E6738 4F 00 49 00 55 00 51 00-57 00 4D 00 4E 00 4A 00 O.I.U.Q.W.M.N.J.
3 0030:004E6748 48 00 47 00 41 00 4F 00-49 00 55 00 59 00 30 00 H.G.A.O.I.U.Y.0.
4 0030:004E6758 31 00 33 00 30 00 53 00-32 00 44 00 50 00 4F 00 1.3.0.S.2.D.P.O.
5 0030:004E6768 4C 00 51 00 33 00 4A 00-48 00 34 00 4B 00 4D 00 L.Q.3.J.H.4.K.M.
6 0030:004E6778 4F 00 4C 00 38 00 37 00-33 00 34 00 39 00 4D 00 O.L.8.7.3.4.9.M.
7 0030:004E6788 39 00 36 00 33 00 48 00-42 00 56 00 43 00 4B 00 9.6.3.H.B.V.C.K.
8 0030:004E6798 4C 00 46 00 47 00 34 00-32 00 36 00 52 00 44 00 L.F.G.4.2.6.R.D.
9 0030:004E67A8 46 00 44 00 53 00 4B 00-4A 00 4C 00 44 00 53 00 F.D.S.K.J.L.D.S.
10 0030:004E67B8 4D 00 4E 00 5A 00 31 00-55 00 49 00 4C 00 5A 00 M.N.Z.1.U.I.L.Z.
11 0030:004E67C8 58 00 45 00 57 00 4F 00-45 00 52 00 38 00 34 00 X.E.W.O.E.R.8.4.
12 0030:004E67D8 38 00 34 00 33 00 35 00-48 00 53 00 44 00 4C 00 8.4.3.5.H.S.D.L.
13 0030:004E67E8 4B 00 46 00 48 00 33 00-39 00 32 00 4E 00 4D 00 K.F.H.3.9.2.N.M.
14 0030:004E67F8 4E 00 43 00 42 00 44 00-46 00 53 00 44 00 46 00 N.C.B.D.F.S.D.F.
15 0030:004E6808 32 00 4B 00 33 00 4C 00-4A 00 53 00 44 00 46 00 2.K.3.L.J.S.D.F.
16 0030:004E6818 39 00 4E 00 42 00 5A 00-4A 00 4B 00 58 00 43 00 9.N.B.Z.J.K.X.C.
17 0030:004E6828 50 00 49 00 33 00 53 00-53 00 44 00 46 00 53 00 P.I.3.S.S.D.F.S.
18 0030:004E6838 4B 00 57 00 38 00 33 00-34 00 33 00 4A 00 4B 00 K.W.8.3.4.3.J.K.
19 0030:004E6848 44 00 46 00 47 00 44 00-46 00 47 00 4C 00 45 00 D.F.G.D.F.G.L.E.
20 0030:004E6858 52 00 57 00 53 00 44 00-46 00 53 00 44 00 4B 00 R.W.S.D.F.S.D.K.
21 0030:004E6868 4A 00 30 00 39 00 30 00-33 00 34 00 39 00 44 00 J.0.9.0.3.4.9.D.
===================================================================================
Summary:
The program's check works like this:
it reads the entered username and e-mail, concatenates them into one string, computes the valid serial from that string, and compares it with the entered serial; if they are equal, registration succeeds.
A well-behaved program: a plain string compare, no further tricks.
Algorithm: the concatenated string is processed as wide-char (UTF-16LE) bytes; in this example (username essorg, e-mail 1@2.com):
e . s . s . o . r . g . 1 . @ . 2 . . . c . o . m .
bytes: 65 00 73 00 73 00 6F 00 72 00 67 00 31 00 40 00 32 00 2E 00 63 00 6F 00 6D 00
index: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19
Table position (1-based; one character is taken with Mid from the table dumped above): (byte XOR index) + 1. If that value is 0 or greater than 256, the index itself is used as the position instead.
Result: 2 Q K C F X C K B I S Q 6 M L J 3 G 2 O F U N 0 S 3
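The algorithm above as a working keygen, written in Python. This is an added example, not part of the original write-up and not the program's own code. The character table is transcribed from the 21 dump rows at 004E6728 (168 characters) and is assumed to end there, so a position past 168 yields an empty string the way VB's Mid$ does; the byte array is assumed to be 0-based, as the loop counter starting at 0 suggests.

```python
# Added example: keygen for the serial routine recovered from sub_47E710.
# Character table transcribed from the memory dump at 004E6728 (21 rows x 8 wide chars).
# Assumption: the table ends after these 168 characters.
TABLE = (
    "AQACZXLK" "OIUQWMNJ" "HGAOIUY0" "130S2DPO" "LQ3JH4KM" "OL87349M" "963HBVCK"
    "LFG426RD" "FDSKJLDS" "MNZ1UILZ" "XEWOER84" "8435HSDL" "KFH392NM" "NCBDFSDF"
    "2K3LJSDF" "9NBZJKXC" "PI3SSDFS" "KW8343JK" "DFGDFGLE" "RWSDFSDK" "J090349D"
)
assert len(TABLE) == 168


def vb_mid1(s: str, start: int) -> str:
    """VB6 Mid$(s, start, 1): 1-based; a start beyond Len(s) returns ""."""
    if start < 1:
        # Mid$ with start < 1 raises run-time error 5 in VB; unreachable with byte input
        raise ValueError("Invalid procedure call or argument")
    return s[start - 1:start]


def table_position(byte: int, i: int) -> int:
    """The position computed at 47E894..47E8C6: (byte XOR i) + 1, with the
    range check that replaces 0 or anything above 256 by the counter i."""
    pos = (byte ^ i) + 1
    if pos == 0 or pos > 0x100:
        pos = i
    return pos


def keygen(username: str, email: str) -> str:
    """Rebuild the serial the program computes from username & email."""
    # __vbaStrCat concatenates the two BSTRs; the routine then walks the
    # string's bytes (LenB / UBound), i.e. its UTF-16LE encoding: every ASCII
    # character contributes "xx 00", so the serial has 2 chars per input char.
    data = (username + email).encode("utf-16-le")
    serial = []
    # Loop counter i runs 0..UBound inclusive (CMP EDX,[ubound] / JG exits).
    for i, byte in enumerate(data):
        pos = table_position(byte, i)
        serial.append(vb_mid1(TABLE, pos))  # rtcMidCharVar(table, pos, 1)
    return "".join(serial)


if __name__ == "__main__":
    # The write-up's own example: "essorg" & "1@2.com" -> 2QKCFXCKBISQ6MLJ3G2OFUN0S3
    print(keygen("essorg", "1@2.com"))
```

The per-byte walk is why the real serial is twice as long as the concatenated input and why every second character comes from the low end of the table (the 00 high bytes XOR the index give positions 2, 4, 6, ...). Inputs longer than 128 characters reach counters above 255, where the range check kicks in and the position (now the counter itself) falls past the 168-character table, so those serial characters are simply empty.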
Memory keygen built with keymake 1.73: breakpoint at 48C0AF, break once, instruction begins with FF and is 6 bytes long, record the contents of register EAX, wide-char mode.