-
-
[旧帖] [原创]破解Wise Installation安装程序的密码 0.00雪花
-
发表于: 2008-4-8 15:16
-
这两天一直在读看雪精华,粗略的看到6了,今天小试牛刀一把,嘿嘿~
工具OllyICE~let's go!
1.下断点GetDlgItemTextA,中断后点击堆栈区的ESP跟踪到下面的代码,是由主程序释放在temp目录的两个tmp文件(其实应该是dll)
10003544 50 push eax
10003545 57 push edi
10003546 FF15 84F30110 call dword ptr ds:[<&USER32.GetDlgItemTextA>] ; USER32.GetDlgItemTextA
1000354C A1 74680210 mov eax, dword ptr ds:[10026874]
10003551 8038 00 cmp byte ptr ds:[eax], 0 //比较用户是否输入
10003554 75 05 jnz short GLC408.1000355B
10003556 83FE 02 cmp esi, 2
10003559 75 08 jnz short GLC408.10003563
1000355B 56 push esi
1000355C 57 push edi
1000355D FF15 80F30110 call dword ptr ds:[<&USER32.EndDialog>] ; USER32.EndDialog
10003563 6A 01 push 1
10003565 58 pop eax ; GLC408.1000354C
10003566 E9 B4000000 jmp GLC408.1000361F
....
1000361B 6A 01 push 1
1000361D 58 pop eax ; GLC40E.1000354C
1000361E 5B pop ebx ; GLC40E.1000354C
1000361F 5F pop edi ; GLC40E.1000354C
10003620 5E pop esi ; GLC40E.1000354C
10003621 C2 1000 ret 10
2.执行了上面的ret以后,就会发觉在user32的领空,此时按alt+F9返回到程序领空
10014466 50 push eax
10014467 68 03060000 push 603
1001446C FF35 BC690210 push dword ptr ds:[100269BC] ; GLC40E.10000000
10014472 FF15 34F30110 call dword ptr ds:[<&USER32.DialogBoxParamA>] ; USER32.DialogBoxParamA
10014478 83F8 02 cmp eax, 2 //上面代码返回到此,比较是否按了"取消"键
1001447B 74 2E je short GLC40E.100144AB
1001447D FF35 74680210 push dword ptr ds:[10026874]
10014483 57 push edi ; GLC40E.10022FF0
10014484 E8 0BDEFFFF call GLC40E.10012294
10014489 FF35 74680210 push dword ptr ds:[10026874] //我们输入的密码
1001448F E8 1C000000 call GLC40E.100144B0 //关键函数,跟进去看看,呵呵
10014494 83C4 0C add esp, 0C
10014497 85C0 test eax, eax
10014499 ^ 0F85 52FFFFFF jnz GLC40E.100143F1
1001449F 8325 DC690210 FE and dword ptr ds:[100269DC], FFFFFFFE
100144A6 33C0 xor eax, eax
100144A8 5F pop edi ; GLC40E.10022FF0
100144A9 5E pop esi ; kernel32.lstrcpyA
100144AA C3 ret
3.
1001452E |> \A1 BC660210 mov eax, dword ptr ds:[100266BC] //内存中的9个字节的数据
10014533 |. 8B7C24 14 mov edi, dword ptr ss:[esp+14] //我们输入的密码
10014537 |. 33DB xor ebx, ebx
10014539 |. 33F6 xor esi, esi
1001453B |. 3818 cmp byte ptr ds:[eax], bl
1001453D |. 74 37 je short GLC40E.10014576
1001453F |> 381C3E /cmp byte ptr ds:[esi+edi], bl //是否比较字符的结束
10014542 |. 74 32 |je short GLC40E.10014576
10014544 |. 8A0430 |mov al, byte ptr ds:[eax+esi]
10014547 |. F6D0 |not al //取反
10014549 |. 0FB6C0 |movzx eax, al
1001454C |. 50 |push eax
1001454D |. E8 C04D0000 |call GLC40E.10019312
10014552 |. 8BE8 |mov ebp, eax
10014554 |. 0FBE043E |movsx eax, byte ptr ds:[esi+edi]
10014558 |. 50 |push eax
10014559 |. E8 B44D0000 |call GLC40E.10019312
1001455E |. 59 |pop ecx ; GLC40E.10022FF0
1001455F |. 3BE8 |cmp ebp, eax //跟我们输入的比较
10014561 |. 59 |pop ecx ; GLC40E.10022FF0
10014562 |. 75 0D |jnz short GLC40E.10014571
10014564 |. A1 BC660210 |mov eax, dword ptr ds:[100266BC]
10014569 |. 46 |inc esi
1001456A |. 381C30 |cmp byte ptr ds:[eax+esi], bl
1001456D |.^ 75 D0 \jnz short GLC40E.1001453F
1001456F |. EB 05 jmp short GLC40E.10014576
内存中的9个字节的数据
0099BFA0 BA 9E 8C 86 A9 BB 96 8C 94 00 00 00 00 00 00 00 簽寙┗枌?......
总结:
密码长度9位,就是内存中那9个字节取反对应的ASCII码~~~~
安装程序下载连接:
http://www.namipan.com/d/306301b984fae46558dea7328d3336421d4bc04cde8e6200
|
|
|---|---|
