【Title】: Cracking process of a certain VB program (experts may skip)
【Author】: noirlucifer
【Author's e-mail】: sj20022002cn@163.COM
【Download】: search for it yourself
【Packer】: ASProtect 2.1x SKE
【Protection】: functional limitation, only the first 30 questions can be done
【Language】: VB
【Tools】: PEiD, OllyDbg, ImportREC, IDA
【Platform】: WinXP SP2
【Author's note】: This is my first write-up, so please forgive its shortcomings. I did this purely out of interest, for no other purpose. Where I have made mistakes, I ask the experts to point them out!
--------------------------------------------------------------------------------
【Details】
1. Unpacking
Load in PEiD: it shows ASProtect 2.1x SKE.
Load in OD and run volx's unpack 1.0 script.
Run ImportREC, fill in the OEP, IAT RVA and IAT size from the hints in OD's log, and fix the dump.
2. Initial analysis
Seeing Msvbvm60.dll being loaded shows this is a VB program. Because the unpacking is not perfect, none of the VB decompilers can decompile it; if any expert knows how to modify it so that it can be decompiled, please advise!
Load it directly in OD, F9 to run, click the Register button, enter the trial code noirlucifer and press OK. It prompts "Close the software and reopen it!!", so this is a restart-based check.
Reload in OD, set a breakpoint from the command line with bp RegQueryValueExA, F9 to run and watch the stack. After pressing F9 four more times the ValueName on the stack is "SN", which is suspicious; return here and it is indeed reading the registration code. At this point the key location has been found.
3. Further analysis
After RegQueryValueExA breaks, Ctrl+F9 to return to 0041F014. The analysis below omits some unimportant code.
seg001:0041F00F call sub_4067EC 'RegQueryValueExA
seg001:0041F00F
seg001:0041F014 call ds:__vbaSetSystemError
seg001:0041F01A mov edx, [ebp+var_38]
seg001:0041F01D push edx
Single-step downwards until
seg001:0041C01E call sub_41C100 'key call
seg001:0041C01E
seg001:0041C023 xor edx, edx
seg001:0041C025 cmp ax, 0FFFFh
seg001:0041C029 setz dl
seg001:0041C02C neg edx
seg001:0041C02E lea ecx, [ebp+var_14]
seg001:0041C031 mov si, dx
seg001:0041C034 call ds:__vbaFreeStr
seg001:0041C03A test si, si
seg001:0041C03D jz short loc_41C048
seg001:0041C03D
seg001:0041C03F mov ds:word_42106C, 0FFFFh
Step into 41C100 (the key call)
seg001:0041C100 push ebp
seg001:0041C101 mov ebp, esp
seg001:0041C103 sub esp, 8
seg001:0041C106 push offset __vbaExceptHandler
seg001:0041C10B mov eax, large fs:0
seg001:0041C111 push eax
seg001:0041C112 mov large fs:0, esp
seg001:0041C119 sub esp, 64h
seg001:0041C11C push ebx
seg001:0041C11D push esi
seg001:0041C11E push edi
seg001:0041C11F mov [ebp+var_8], esp
seg001:0041C122 mov [ebp+var_4], offset dword_401558
seg001:0041C129 xor esi, esi
seg001:0041C12B mov [ebp+var_14], esi
seg001:0041C12E mov [ebp+var_18], esi
seg001:0041C131 mov [ebp+var_1C], esi
seg001:0041C134 mov [ebp+var_2C], esi
seg001:0041C137 mov [ebp+var_3C], esi
seg001:0041C13A mov [ebp+var_4C], esi
seg001:0041C13D mov [ebp+var_5C], esi
seg001:0041C140 mov [ebp+var_6C], esi
seg001:0041C143 call sub_41CDD0 'computes the hardware code
seg001:0041C143
seg001:0041C148 mov edi, ds:__vbaStrMove
seg001:0041C14E mov edx, eax
seg001:0041C150 mov ecx, offset dword_421038
seg001:0041C155 call edi ; __vbaStrMove
seg001:0041C157 mov eax, [ebp+arg_0]
seg001:0041C15A mov ebx, ds:__vbaStrCopy
seg001:0041C160 mov ecx, offset dword_42103C
seg001:0041C165 mov edx, [eax]
seg001:0041C167 call ebx ; __vbaStrCopy
seg001:0041C169 mov edx, ds:dword_421038
seg001:0041C16F lea ecx, [ebp+var_14]
seg001:0041C172 call ebx ; __vbaStrCopy
seg001:0041C174 mov ecx, ds:dword_42103C
seg001:0041C17A push 1B8Bh
seg001:0041C17F push 0D59h
seg001:0041C184 push ecx
seg001:0041C185 call sub_41C420 'key algorithm call
seg001:0041C185
seg001:0041C18A mov edx, eax
seg001:0041C18C lea ecx, [ebp+var_1C]
seg001:0041C18F call edi ; __vbaStrMove
seg001:0041C191 mov edi, ds:rtcTrimVar
seg001:0041C197 lea eax, [ebp+var_5C]
seg001:0041C19A lea ecx, [ebp+var_2C]
seg001:0041C19D lea edx, [ebp+var_14]
seg001:0041C1A0 mov ebx, 4008h
seg001:0041C1A5 push eax
seg001:0041C1A6 push ecx
seg001:0041C1A7 mov [ebp+var_54], edx
seg001:0041C1AA mov [ebp+var_5C], ebx
seg001:0041C1AD call edi ; rtcTrimVar
seg001:0041C1AF lea eax, [ebp+var_6C]
seg001:0041C1B2 lea ecx, [ebp+var_3C]
seg001:0041C1B5 lea edx, [ebp+var_1C]
seg001:0041C1B8 push eax
seg001:0041C1B9 push ecx
seg001:0041C1BA mov [ebp+var_64], edx
seg001:0041C1BD mov [ebp+var_6C], ebx
seg001:0041C1C0 call edi ; rtcTrimVar
seg001:0041C1C2 lea edx, [ebp+var_2C]
seg001:0041C1C5 lea eax, [ebp+var_3C]
seg001:0041C1C8 push edx
seg001:0041C1C9 push eax
seg001:0041C1CA call ds:__vbaVarTstEq
seg001:0041C1D0 lea ecx, [ebp+var_3C]
seg001:0041C1D3 lea edx, [ebp+var_2C]
seg001:0041C1D6 push ecx
seg001:0041C1D7 push edx
seg001:0041C1D8 push 2
seg001:0041C1DA mov edi, eax
seg001:0041C1DC call ds:__vbaFreeVarList
seg001:0041C1E2 add esp, 0Ch
seg001:0041C1E5 cmp di, si 'key comparison
seg001:0041C1E8 jz short loc_41C1F1 'patch point, change to nop
seg001:0041C1E8
seg001:0041C1EA mov [ebp+var_18], 0FFFFFFFFh 'flag: 0 means failure, anything else means success
seg001:0041C1EA
seg001:0041C1F1
seg001:0041C1F1 loc_41C1F1: ; CODE XREF: sub_41C100+E8j
seg001:0041C1F1 push offset sub_41C221
seg001:0041C1F6 jmp short loc_41C210
seg001:0041C1F6
seg001:0041C1F8 ; ---------------------------------------------------------------------------
seg001:0041C1F8
seg001:0041C1F8 loc_41C1F8: ; DATA XREF: seg001:00401564o
seg001:0041C1F8 lea eax, [ebp-4Ch]
seg001:0041C1FB lea ecx, [ebp-3Ch]
seg001:0041C1FE push eax
seg001:0041C1FF lea edx, [ebp-2Ch]
seg001:0041C202 push ecx
seg001:0041C203 push edx
seg001:0041C204 push 3
seg001:0041C206 call ds:__vbaFreeVarList
seg001:0041C20C add esp, 10h
seg001:0041C20F retn
seg001:0041C20F
seg001:0041C210 ; ---------------------------------------------------------------------------
seg001:0041C210
seg001:0041C210 loc_41C210: ; CODE XREF: sub_41C100+F6j
seg001:0041C210 ; DATA XREF: seg001:00401560o
seg001:0041C210 mov esi, ds:__vbaFreeStr
seg001:0041C216 lea ecx, [ebp+var_14]
seg001:0041C219 call esi ; __vbaFreeStr
seg001:0041C21B lea ecx, [ebp+var_1C]
seg001:0041C21E call esi ; __vbaFreeStr
seg001:0041C220 retn
seg001:0041C220
seg001:0041C220 sub_41C100 endp ; sp = 144h
seg001:0041C220
seg001:0041C221
seg001:0041C221 ; *************** S U B R O U T I N E ***************************************
seg001:0041C221
seg001:0041C221
seg001:0041C221 sub_41C221 proc near ; DATA XREF: sub_41C100:loc_41C1F1o
seg001:0041C221 mov ecx, [ebp-10h]
seg001:0041C224 mov ax, [ebp-18h]
seg001:0041C228 pop edi
seg001:0041C229 pop esi
seg001:0041C22A mov large fs:0, ecx
seg001:0041C231 pop ebx
seg001:0041C232 mov esp, ebp
seg001:0041C234 pop ebp
seg001:0041C235 retn 4
From the code, 41CDD0 is the call that computes the hardware code and 41C420 is the registration algorithm call. Stepping into the latter reveals nothing but floating-point arithmetic, and since I don't know floating point I gave up on it. The following 41C1E5 is the key comparison,
so I patched it there, changing the je 41C1F1 on the next line to nop. Saved the change and restarted the software: no registration prompt (quiet joy). But since the protection is a functional limitation, I ran the program to try it out
and found there was still a problem: on question 30, pressing "Next question" does make the number change to 31, but the question is not displayed properly, there is no image, and the question is the same as question 30. Ugh, after tracing for half a day there is still another check somewhere.
So I decided to keep tracing.
4. Analysing again
With so much code, how do you find the key place? Since I am not familiar with VB programs I could not go straight to the button's event code (if any expert knows how, please advise; my clumsy method is rather slow), so I had to use the clumsy method: set a breakpoint on every procedure call.
seg001:00403380 sub dword ptr [esp+4], 0FFFFh
seg001:00403388 jmp loc_4129B0
seg001:00403388
seg001:0040338D ; ---------------------------------------------------------------------------
seg001:0040338D sub dword ptr [esp+4], 0FFFFh
seg001:00403395 jmp loc_413430
seg001:00403395
.
.
.
.
seg001:0040349E
seg001:0040349E loc_40349E: ; DATA XREF: seg001:0040306Co
seg001:0040349E sub dword ptr [esp+4], 57h
seg001:004034A6 jmp loc_41A9D0
seg001:004034A6
seg001:004034AB ; ---------------------------------------------------------------------------
seg001:004034AB
seg001:004034AB loc_4034AB: ; DATA XREF: seg001:00403160o
seg001:004034AB sub dword ptr [esp+4], 5Fh
seg001:004034B3 jmp loc_41AC90
seg001:004034B3
seg001:004034B8 ; ---------------------------------------------------------------------------
seg001:004034B8
seg001:004034B8 loc_4034B8: ; DATA XREF: seg001:004031C0o
seg001:004034B8 sub dword ptr [esp+4], 63h
seg001:004034C0 jmp loc_41AE80
seg001:004034C0
seg001:004034C5 ; ---------------------------------------------------------------------------
seg001:004034C5
seg001:004034C5 loc_4034C5: ; DATA XREF: seg001:0040321Co
seg001:004034C5 sub dword ptr [esp+4], 67h
seg001:004034CD jmp loc_41B070
seg001:004034CD
seg001:004034D2 ; ---------------------------------------------------------------------------
seg001:004034D2 sub dword ptr [esp+4], 0FFFFh
seg001:004034DA jmp loc_41B460
seg001:004034DA
seg001:00404278 sub dword ptr [esp+4], 8Bh
seg001:00404280 jmp loc_4115B0
seg001:00404280
seg001:00404285 ; ---------------------------------------------------------------------------
seg001:00404285
seg001:00404285 loc_404285: ; DATA XREF: seg001:00404214o
seg001:00404285 sub dword ptr [esp+4], 8Bh
seg001:0040428D jmp loc_4117C0
seg001:0040428D
seg001:00404292 ; ---------------------------------------------------------------------------
seg001:00404292
.
.
.
.
seg001:00404348 ; ---------------------------------------------------------------------------
seg001:00404348
seg001:00404348 loc_404348: ; DATA XREF: seg001:00403C00o
seg001:00404348 sub dword ptr [esp+4], 4Bh
seg001:00404350 jmp loc_412680
seg001:00404350
seg001:00404355 ; ---------------------------------------------------------------------------
seg001:00404355
seg001:00404355 loc_404355: ; DATA XREF: seg001:00403AD4o
seg001:00404355 sub dword ptr [esp+4], 3Fh
seg001:0040435D jmp loc_412740
seg001:0040435D
seg001:00404362 ; ---------------------------------------------------------------------------
seg001:00404362
seg001:00404362 loc_404362: ; DATA XREF: seg001:00403994o
seg001:00404362 sub dword ptr [esp+4], 33h
seg001:0040436A jmp loc_4128B0
Run the program and, once the interface has loaded, set breakpoints on all the jmp instructions above (this way it breaks fewer times). Press "Next question"; it breaks at a few places, and analysis shows the jump at 4033F5 is the one we are looking for.
seg001:004033F5 sub dword ptr [esp+4], 0FFFFh
seg001:004033FD jmp loc_4161D0
4161D0 is the procedure we are looking for.
Step in and analyse.
seg001:004161D0 push ebp
seg001:004161D1 mov ebp, esp
seg001:004161D3 sub esp, 8
seg001:004161D6 push offset __vbaExceptHandler
seg001:004161DB mov eax, large fs:0
seg001:004161E1 push eax
seg001:004161E2 mov large fs:0, esp
seg001:004161E9 sub esp, 68h
seg001:004161EC push ebx
seg001:004161ED push esi
seg001:004161EE push edi
seg001:004161EF mov [ebp-8], esp
seg001:004161F2 mov dword ptr [ebp-4], offset dword_4013D0
seg001:004161F9 mov ax, ds:word_421028
seg001:004161FF xor ebx, ebx
seg001:00416201 cmp ds:word_42106C, bx 'this 42106C is the flag saved earlier; since we already patched it is -1, and bx=0 here, so it will not reach the 30-question check below
seg001:00416208 mov [ebp-14h], ebx
seg001:0041620B mov [ebp-18h], ebx
seg001:0041620E mov [ebp-1Ch], ebx
seg001:00416211 mov [ebp-2Ch], ebx
seg001:00416214 mov [ebp-3Ch], ebx
seg001:00416217 mov [ebp-4Ch], ebx
seg001:0041621A mov [ebp-5Ch], ebx
seg001:0041621D mov [ebp-6Ch], ebx
seg001:00416220 jnz loc_4162BA
seg001:00416220
seg001:00416226 cmp ax, 1Eh '1E = 30; ax is the question number, and if ax exceeds 30 the limitation is shown
seg001:0041622A jl loc_4162BA
seg001:0041622A
seg001:00416230 mov esi, [ebp+8]
seg001:00416233 push esi
.
.
.
.
seg001:00416356
seg001:0041635C
seg001:0041635C loc_41635C: ; CODE XREF: seg001:004162BEj
seg001:0041635C cmp ax, 64h
seg001:00416360 jz short loc_416395
seg001:00416360
seg001:00416362 mov esi, [ebp+8]
seg001:00416365 add ax, 1
seg001:00416369 jo short loc_4163E3
seg001:00416369
seg001:0041636B mov ds:word_421028, ax
seg001:00416371 mov edx, [esi]
seg001:00416373 push offset word_421028
seg001:00416378 push esi
seg001:00416379 call dword ptr [edx+6F8h] 'key call
seg001:0041637F cmp eax, ebx
seg001:00416381 jge short loc_416395
seg001:00416381
seg001:00416383 push 6F8h
seg001:00416388 push offset s_1siDrBos-ndjq ; "1釠%繠#?崵唓"
seg001:0041638D push esi
seg001:0041638E push eax
seg001:0041638F call ds:__vbaHresultCheckObj
seg001:0041638F
seg001:00416395
seg001:00416395 loc_416395: ; CODE XREF: seg001:00416360j
seg001:00416395 ; seg001:00416381j
seg001:00416395 push offset loc_4163CE
seg001:0041639A jmp short loc_4163BD
seg001:0041639A
seg001:0041639C ; ---------------------------------------------------------------------------
seg001:0041639C
seg001:0041639C loc_41639C: ; DATA XREF: seg001:004013DCo
seg001:0041639C lea ecx, [ebp-1Ch]
seg001:0041639F call ds:__vbaFreeObj
seg001:004163A5 lea eax, [ebp-4Ch]
seg001:004163A8 lea ecx, [ebp-3Ch]
seg001:004163AB push eax
seg001:004163AC lea edx, [ebp-2Ch]
seg001:004163AF push ecx
seg001:004163B0 push edx
seg001:004163B1 push 3
seg001:004163B3 call ds:__vbaFreeVarList
seg001:004163B9 add esp, 10h
seg001:004163BC retn
seg001:004163BC
seg001:004163BD ; ---------------------------------------------------------------------------
seg001:004163BD
seg001:004163BD loc_4163BD: ; CODE XREF: seg001:004162B5j
seg001:004163BD ; seg001:0041639Aj
seg001:004163BD ; DATA XREF: seg001:004013D8o
seg001:004163BD mov esi, ds:__vbaFreeStr
seg001:004163C3 lea ecx, [ebp-14h]
seg001:004163C6 call esi ; __vbaFreeStr
seg001:004163C8 lea ecx, [ebp-18h]
seg001:004163CB call esi ; __vbaFreeStr
seg001:004163CD retn
seg001:004163CD
seg001:004163CE ; ---------------------------------------------------------------------------
seg001:004163CE
seg001:004163CE loc_4163CE: ; DATA XREF: seg001:004162B0o
seg001:004163CE ; seg001:loc_416395o
seg001:004163CE mov ecx, [ebp-10h]
seg001:004163D1 pop edi
seg001:004163D2 pop esi
seg001:004163D3 xor eax, eax
seg001:004163D5 mov large fs:0, ecx
seg001:004163DC pop ebx
seg001:004163DD mov esp, ebp
seg001:004163DF pop ebp
seg001:004163E0 retn 4
Go down to the call dword ptr [edx+6F8h] at 416379; this is the key call, step into it.
seg001:004129B0 push ebp
seg001:004129B1 mov ebp, esp
seg001:004129B3 sub esp, 0Ch
seg001:004129B6 push offset __vbaExceptHandler
seg001:004129BB mov eax, large fs:0
seg001:004129C1 push eax
seg001:004129C2 mov large fs:0, esp
seg001:004129C9 sub esp, 0CCh
seg001:004129CF push ebx
seg001:004129D0 push esi
seg001:004129D1 push edi
seg001:004129D2 mov [ebp-0Ch], esp
seg001:004129D5 mov dword ptr [ebp-8], offset dword_401348
seg001:004129DC xor ebx, ebx
seg001:004129DE mov [ebp-4], ebx
seg001:004129E1 mov esi, [ebp+8]
seg001:004129E4 push esi
seg001:004129E5 mov eax, [esi]
seg001:004129E7 call dword ptr [eax+4]
seg001:004129EA mov ecx, 8
seg001:004129EF xor eax, eax
seg001:004129F1 lea edi, [ebp-0BCh]
seg001:004129F7 mov [ebp-18h], ebx
seg001:004129FA rep stosd
seg001:004129FC lea ecx, [ebp-0BCh]
seg001:00412A02 mov [ebp-1Ch], ebx
seg001:00412A05 push ecx
seg001:00412A06 push offset asc_404688 ; ", "
seg001:00412A0B mov [ebp-20h], ebx
seg001:00412A0E mov [ebp-24h], ebx
seg001:00412A11 mov [ebp-28h], ebx
seg001:00412A14 mov [ebp-2Ch], ebx
seg001:00412A17 mov [ebp-3Ch], ebx
seg001:00412A1A mov [ebp-4Ch], ebx
seg001:00412A1D mov [ebp-5Ch], ebx
seg001:00412A20 mov [ebp-6Ch], ebx
seg001:00412A23 mov [ebp-7Ch], ebx
seg001:00412A26 mov [ebp-80h], ebx
seg001:00412A29 mov [ebp-84h], ebx
seg001:00412A2F call ds:__vbaRecDestruct
seg001:00412A35 mov eax, [esi+38h]
seg001:00412A38 lea edi, [esi+38h]
seg001:00412A3B cmp eax, ebx
seg001:00412A3D jnz short loc_412A4B
seg001:00412A3D
seg001:00412A3F push edi
seg001:00412A40 push offset dword_404E88
seg001:00412A45 call ds:__vbaNew2
seg001:00412A45
seg001:00412A4B
seg001:00412A4B loc_412A4B: ; CODE XREF: seg001:00412A3Dj
seg001:00412A4B mov edi, [edi]
seg001:00412A4D mov edx, offset s_Check ; "Check"
seg001:00412A52 lea ecx, [ebp-18h]
seg001:00412A55 call ds:__vbaStrCopy
seg001:00412A5B mov ecx, [ebp+0Ch]
seg001:00412A5E mov edx, [edi]
seg001:00412A60 lea eax, [ebp-0BCh]
seg001:00412A66 push eax
seg001:00412A67 push ecx
seg001:00412A68 lea eax, [ebp-18h]
seg001:00412A6B push offset dword_421038
seg001:00412A70 push eax
seg001:00412A71 push edi
seg001:00412A72 call dword ptr [edx+28h] 'key call, calls into the dll
seg001:00412A75 cmp eax, ebx
seg001:00412A77 fnclex
seg001:00412A79 jge short loc_412A8A
seg001:00412A79
seg001:00412A7B push 28h
Step into the dll call
.text:11003F10 push ebp
.text:11003F11 mov ebp, esp
.text:11003F13 sub esp, 0Ch
.text:11003F16 push offset loc_11001316
.text:11003F1B mov eax, large fs:0
.text:11003F21 push eax
.text:11003F22 mov large fs:0, esp
.text:11003F29 sub esp, 88h
.text:11003F2F push ebx
.text:11003F30 push esi
.text:11003F31 push edi
.text:11003F32 mov [ebp-0Ch], esp
.text:11003F35 mov dword ptr [ebp-8], offset dword_11001238
.text:11003F3C xor ebx, ebx
.text:11003F3E mov [ebp-4], ebx
.text:11003F41 mov esi, [ebp+8]
.text:11003F44 push esi
.text:11003F45 mov eax, [esi]
.text:11003F47 call dword ptr [eax+4]
.text:11003F4A mov edx, [ebp+0Ch]
.text:11003F4D mov ecx, 8
.text:11003F52 xor eax, eax
.text:11003F54 lea edi, [ebp-34h]
.text:11003F57 rep stosd
.text:11003F59 mov eax, [edx]
.text:11003F5B mov ecx, [ebp+14h]
.text:11003F5E push eax
.text:11003F5F push offset s_Check ; "Check"
.text:11003F64 mov di, [ecx]
.text:11003F67 mov [ebp-38h], ebx
.text:11003F6A mov [ebp-3Ch], ebx
.text:11003F6D mov [ebp-4Ch], ebx
.text:11003F70 mov [ebp-5Ch], ebx
.text:11003F73 mov [ebp-6Ch], ebx
.text:11003F76 mov [ebp-7Ch], ebx
.text:11003F79 mov [ebp-8Ch], ebx
.text:11003F7F call ds:__vbaStrCmp
.text:11003F85 neg eax
.text:11003F87 sbb eax, eax
.text:11003F89 xor ecx, ecx
.text:11003F8B neg eax
.text:11003F8D cmp di, 1Eh 'second check
.text:11003F91 setl cl
.text:11003F94 or eax, ecx
.text:11003F96 jnz loc_11004052 'patch: change to jmp
.text:11003F96
.text:11003F9C mov edx, [esi]
Haha, finally found it. F9 to run and everything works; the crack is complete.
5. Summary
This is a typical restart-based VB check, so one can break on RegQueryValueExA, GetPrivateProfileStringA, ReadFile and the like. This program saves the registration code in the
registry, so breaking on RegQueryValueExA works. After RegQueryValueExA returns, stepping slowly downwards usually leads to the key algorithm. Because the protection is a functional limitation, there is often
a second check when the limited function is invoked; I found it with the slow, clumsy method, and if anyone has a better way please share it. Finally, with both the main program and the dll patched, the crack is complete!
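As an added reading aid that is not part of the original post, here is a Python model of the Boolean idioms in the three listings above: the setz/neg sequence after the key call at 41C01E, the flag-and-question-number gate at 416201..41622A in the main program, and the second check at 11003F7F..11003F96 in the dll. The addresses, the "Check" string and the constant 1Eh come from the listings; the function names are my own.

```python
# Added example (not from the original post): models what the compiled VB checks
# in the listings compute, so the x86 idioms can be read off. Function names are
# assumptions; addresses, the "Check" string and the constant 1Eh are from the listings.

VB_TRUE = 0xFFFF   # a VB Boolean True is -1, i.e. 0FFFFh as a 16-bit value


def to_signed16(v: int) -> int:
    """Interpret a 16-bit register value as signed, the way jl/setl do."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def si_after_key_call(ax: int) -> int:
    """0041C023..0041C031: xor edx,edx / cmp ax,0FFFFh / setz dl / neg edx / mov si,dx.
    si becomes 0xFFFF when sub_41C100 returned VB True, otherwise 0."""
    dl = 1 if (ax & 0xFFFF) == VB_TRUE else 0
    edx = (-dl) & 0xFFFFFFFF          # neg edx: 0 stays 0, 1 becomes 0xFFFFFFFF
    return edx & 0xFFFF               # mov si, dx


def next_question_allowed_in_exe(word_42106c: int, ax: int) -> bool:
    """00416201..0041622A: cmp word_42106C,bx (bx=0) / jnz ok ; cmp ax,1Eh / jl ok.
    The jump to loc_4162BA (ok) is taken when the saved flag is non-zero
    or the question number is below 30; otherwise the limit path runs."""
    if (word_42106c & 0xFFFF) != 0:   # jnz loc_4162BA
        return True
    return to_signed16(ax) < 0x1E     # jl loc_4162BA (signed compare)


def dll_check_passes(mode: str, di: int) -> bool:
    """11003F7F..11003F96 in the dll:
    __vbaStrCmp(mode,"Check") ; neg eax / sbb eax,eax / neg eax  -> eax = (cmp != 0)
    cmp di,1Eh / setl cl ; or eax,ecx ; jnz loc_11004052.
    The jnz is taken (check passes) when mode is not "Check" or di < 30."""
    cmp_result = 0 if mode == "Check" else 1   # __vbaStrCmp returns 0 when equal
    cf = 1 if cmp_result != 0 else 0            # neg eax sets CF iff eax != 0
    eax = (-cf) & 0xFFFFFFFF                    # sbb eax,eax -> -CF
    eax = (-eax) & 0xFFFFFFFF                   # neg eax -> CF, i.e. 0 or 1
    cl = 1 if to_signed16(di) < 0x1E else 0     # setl cl after cmp di,1Eh
    return (eax | cl) != 0                      # jnz loc_11004052
```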
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for Pediy.com; when reposting please credit the author and keep the article intact, thank you!
16 December 2007, 9:59:42