【文章标题】: 小小菜鸟的边学边破
【文章作者】: ogmsetup
【软件名称】: 铁路槽车计量系统(2003)
【加壳方式】: 无
【编写语言】: Borland C++ 1999
【使用工具】: peid,Ollydbg
【软件介绍】: 一个老的软件,这几天临时要用一下,只能试着爆了
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
破文直接发上来应该没问题吧!有问题麻烦版主删改。
这个软件有点老,作者也不理了,这几天本人正好要用,没注册码只能自己想方法了,本人菜鸟一只,由于不懂汇编,也不懂OLLYDBG,看了几篇爆破的文章就开始试了费话不说了。
直接上,先运行软件,要注册码,随便搞个上去,会报“注册码不正确”,有门了,呵呵。
查壳,运气不错没壳。
1.用Ollydbg载入软件主程序“槽车计量”,查找ASCII,看有没有“注册码不正确”,小样,居然找到了,双击来到0041B760。
0041B75B |. B9 6ED65000 mov ecx,槽车计量.0050D66E ; 说明
0041B760 |. BA 60D65000 mov edx,槽车计量.0050D660 ; 注册码不正确!
0041B765 |. A1 D4195100 mov eax,dword ptr ds:[5119D4]
0041B76A |. 8B00 mov eax,dword ptr ds:[eax]
0041B76C |. E8 53610E00 call 槽车计量.005018C4
0041B771 |. 8B55 A0 mov edx,dword ptr ss:[ebp-60]
0041B774 |. 64:8915 00000>mov dword ptr fs:[0],edx
0041B77B |. EB 0A jmp short 槽车计量.0041B787
0041B77D |> 8B4D A0 mov ecx,dword ptr ss:[ebp-60]
0041B780 |. 64:890D 00000>mov dword ptr fs:[0],ecx
0041B787 |> 8BE5 mov esp,ebp
0041B789 |. 5D pop ebp
0041B78A \. C3 retn
2.先在0041b760那里F2下个断试试,然后F9运行程序被断下来了,试着看在右下边的注释有没有明码
0012F298 00000013
0012F29C 00BFEBB8 ASCII "TCY98-PRO435-DES33"
0012F2A0 0012F3FC
0012F2A4 0012F48C
0012F2A8 00BFE478
0012F2AC 0012F408
0012F2B0 004902AA 槽车计量.004902AA
0012F2B4 0012F408
0012F2B8 00BFE478
0012F2BC 004C6A88 槽车计量.004C6A88
0012F2C0 0012F48C
0012F2C4 0012F408
0012F2C8 00BFE478
0012F2CC 004C954B 槽车计量.004C954B
0012F2D0 0012F48C
0012F2D4 00BFE478
0012F2D8 00BFE478
0012F2DC 0012F2FC
0012F2E0 770F4A44 oleaut32.770F4A44
0012F2E4 76AB6034 ole32.76AB6034
0012F2E8 0015A768
0012F2EC 00000008
0012F2F0 00000005
0012F2F4 0015A768
0012F2F8 00000020
0012F2FC 0012F310
0012F300 770F48B5 oleaut32.770F48B5
0012F304 00000000
0012F308 00000020
0012F30C 0012F340
0012F310 0012F324
0012F314 770F4AC3 oleaut32.770F4AC3
0012F318 0015A76C UNICODE "111111"
3。看来没戏,向上找找看,好多CALL,看不懂只能猜了,继续向上长征,看出了点意思
0041B500 /$ 55 push ebp (“猜应该是这段的开始,不懂汇编只能靠猜了,呵呵”)
0041B501 |. 8BEC mov ebp,esp
0041B503 |. 83C4 84 add esp,-7C
0041B506 |. 8955 98 mov dword ptr ss:[ebp-68],edx
0041B509 |. 8945 9C mov dword ptr ss:[ebp-64],eax
0041B50C |. B8 3CD75000 mov eax,槽车计量.0050D73C
0041B511 |. E8 F6620E00 call 槽车计量.0050180C
0041B516 |. B2 01 mov dl,1
0041B518 |. A1 38294900 mov eax,dword ptr ds:[492938]
0041B51D |. E8 82750700 call 槽车计量.00492AA4
0041B522 |. 8945 84 mov dword ptr ss:[ebp-7C],eax
0041B525 |. C605 58205100>mov byte ptr ds:[512058],0
0041B52C |. 8B55 9C mov edx,dword ptr ss:[ebp-64]
0041B52F |. FFB2 E0020000 push dword ptr ds:[edx+2E0]
0041B535 |. E8 86A2FFFF call 槽车计量.004157C0
0041B53A |. 59 pop ecx
0041B53B |. 85C0 test eax,eax
0041B53D 75 0F jnz short 槽车计量.0041B54E
0041B53F |. 8B4D A0 mov ecx,dword ptr ss:[ebp-60]
0041B542 |. 64:890D 00000>mov dword ptr fs:[0],ecx
0041B549 E9 39020000 jmp 槽车计量.0041B787
0041B54E |> 66:C745 B0 08>mov word ptr ss:[ebp-50],8
0041B554 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0041B557 |. E8 1065FEFF call 槽车计量.00401A6C
0041B55C |. 8BD0 mov edx,eax
0041B55E |. FF45 BC inc dword ptr ss:[ebp-44]
0041B561 |. 8B4D 9C mov ecx,dword ptr ss:[ebp-64]
0041B564 |. 8B81 E0020000 mov eax,dword ptr ds:[ecx+2E0]
0041B56A |. E8 95A30A00 call 槽车计量.004C5904
0041B56F |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0041B572 |. 52 push edx
0041B573 |. 68 0000F03F push 3FF00000 ; /Arg2 = 3FF00000(“我猜这里应该在对比什么”)
0041B578 |. 6A 00 push 0 ; |Arg1 = 00000000
0041B57A |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
0041B57D |. E8 E66B0E00 call 槽车计量.00502168 ; \槽车计量.00502168
0041B582 |. FF45 BC inc dword ptr ss:[ebp-44]
0041B585 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
0041B588 |. 52 push edx
0041B589 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
0041B58C |. E8 0F6B0E00 call 槽车计量.005020A0
0041B591 |. 8BC8 mov ecx,eax
0041B593 |. FF45 BC inc dword ptr ss:[ebp-44]
0041B596 |. 5A pop edx
0041B597 |. 58 pop eax
0041B598 |. E8 639BFEFF call 槽车计量.00405100
0041B59D |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
0041B5A0 |. E8 CB6E0E00 call 槽车计量.00502470
0041B5A5 |. DD5D 90 fstp qword ptr ss:[ebp-70]
0041B5A8 |. FF4D BC dec dword ptr ss:[ebp-44]
0041B5AB |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
0041B5AE |. BA 02000000 mov edx,2
0041B5B3 |. E8 506C0E00 call 槽车计量.00502208
0041B5B8 |. FF4D BC dec dword ptr ss:[ebp-44]
0041B5BB |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
0041B5BE |. BA 02000000 mov edx,2
0041B5C3 |. E8 406C0E00 call 槽车计量.00502208
0041B5C8 |. FF4D BC dec dword ptr ss:[ebp-44]
0041B5CB |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0041B5CE |. BA 02000000 mov edx,2
0041B5D3 |. E8 8C640E00 call 槽车计量.00501A64
0041B5D8 |. 66:C745 B0 14>mov word ptr ss:[ebp-50],14
0041B5DE |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0041B5E1 |. E8 8664FEFF call 槽车计量.00401A6C
0041B5E6 |. 8BD0 mov edx,eax
0041B5E8 |. FF45 BC inc dword ptr ss:[ebp-44]
0041B5EB |. 8B4D 9C mov ecx,dword ptr ss:[ebp-64]
0041B5EE |. 8B81 DC020000 mov eax,dword ptr ds:[ecx+2DC]
0041B5F4 |. E8 0BA30A00 call 槽车计量.004C5904
0041B5F9 |. 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0041B5FC |. FF32 push dword ptr ds:[edx] ; /Arg1
0041B5FE |. E8 75DEFFFF call 槽车计量.00419478 ; \槽车计量.00419478
0041B603 |. 59 pop ecx
0041B604 |. DD5D 88 fstp qword ptr ss:[ebp-78]
0041B607 |. FF4D BC dec dword ptr ss:[ebp-44]
0041B60A |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0041B60D |. BA 02000000 mov edx,2
0041B612 |. E8 4D640E00 call 槽车计量.00501A64
0041B617 |. FF05 54205100 inc dword ptr ds:[512054]
0041B61D |. 833D 54205100>cmp dword ptr ds:[512054],3
0041B624 7E 2C jle short 槽车计量.0041B652 (“最后明白这是关键一跳,下面在详细说”)
0041B626 |. 6A 40 push 40
0041B628 |. B9 36D65000 mov ecx,槽车计量.0050D636 ; 说明
0041B62D |. BA 2CD65000 mov edx,槽车计量.0050D62C ; 注册失败!(“这个我能明白”)
0041B632 |. A1 D4195100 mov eax,dword ptr ds:[5119D4]
0041B637 |. 8B00 mov eax,dword ptr ds:[eax]
0041B639 |. E8 86620E00 call 槽车计量.005018C4
0041B63E |. C605 58205100>mov byte ptr ds:[512058],0
0041B645 |. 8B45 9C mov eax,dword ptr ss:[ebp-64]
0041B648 |. E8 37CA0900 call 槽车计量.004B8084
0041B64D |. E9 2B010000 jmp 槽车计量.0041B77D
0041B652 |> DD45 88 fld qword ptr ss:[ebp-78]
0041B655 |. DC5D 90 fcomp qword ptr ss:[ebp-70]
0041B658 |. DFE0 fstsw ax
0041B65A |. 9E sahf
0041B65B 0F85 F8000000 jnz 槽车计量.0041B759
0041B661 |. C605 58205100>mov byte ptr ds:[512058],1
0041B668 |. 66:C745 B0 20>mov word ptr ss:[ebp-50],20
0041B66E |. BA 3BD65000 mov edx,槽车计量.0050D63B ; \software\measuresoft\demo(这就是成功的标志,呵呵)
0041B673 |. 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0041B676 |. E8 69620E00 call 槽车计量.005018E4
0041B67B |. FF45 BC inc dword ptr ss:[ebp-44]
0041B67E |. 8B10 mov edx,dword ptr ds:[eax]
0041B680 |. B1 01 mov cl,1
0041B682 |. 8B45 84 mov eax,dword ptr ss:[ebp-7C]
0041B685 |. E8 3A760700 call 槽车计量.00492CC4
0041B68A |. FF4D BC dec dword ptr ss:[ebp-44]
0041B68D |. 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0041B690 |. BA 02000000 mov edx,2
0041B695 |. E8 CA630E00 call 槽车计量.00501A64
0041B69A |. 8D45 CC lea eax,dword ptr ss:[ebp-34]
0041B69D |. E8 CA63FEFF call 槽车计量.00401A6C
0041B6A2 |. 8BD0 mov edx,eax
0041B6A4 |. FF45 BC inc dword ptr ss:[ebp-44]
0041B6A7 |. 8B4D 9C mov ecx,dword ptr ss:[ebp-64]
0041B6AA |. 8B81 DC020000 mov eax,dword ptr ds:[ecx+2DC]
0041B6B0 |. E8 4FA20A00 call 槽车计量.004C5904
0041B6B5 |. 8D55 CC lea edx,dword ptr ss:[ebp-34]
0041B6B8 |. FF32 push dword ptr ds:[edx]
0041B6BA |. 66:C745 B0 2C>mov word ptr ss:[ebp-50],2C
0041B6C0 |. BA 56D65000 mov edx,槽车计量.0050D656 ; name
0041B6C5 |. 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0041B6C8 |. E8 17620E00 call 槽车计量.005018E4
0041B6CD |. FF45 BC inc dword ptr ss:[ebp-44]
0041B6D0 |. 8B10 mov edx,dword ptr ds:[eax]
0041B6D2 |. 8B45 84 mov eax,dword ptr ss:[ebp-7C]
0041B6D5 |. 59 pop ecx
0041B6D6 |. E8 85770700 call 槽车计量.00492E60
0041B6DB |. FF4D BC dec dword ptr ss:[ebp-44]
0041B6DE |. 8D45 CC lea eax,dword ptr ss:[ebp-34]
0041B6E1 |. BA 02000000 mov edx,2
0041B6E6 |. E8 79630E00 call 槽车计量.00501A64
0041B6EB |. FF4D BC dec dword ptr ss:[ebp-44]
0041B6EE |. 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0041B6F1 |. BA 02000000 mov edx,2
0041B6F6 |. E8 69630E00 call 槽车计量.00501A64
0041B6FB |. FF75 94 push dword ptr ss:[ebp-6C] ; /Arg2
0041B6FE |. FF75 90 push dword ptr ss:[ebp-70] ; |Arg1
0041B701 |. 8D45 C4 lea eax,dword ptr ss:[ebp-3C] ; |
0041B704 |. E8 EF620E00 call 槽车计量.005019F8 ; \槽车计量.005019F8
0041B709 |. FF45 BC inc dword ptr ss:[ebp-44]
0041B70C |. FF30 push dword ptr ds:[eax]
0041B70E |. 66:C745 B0 38>mov word ptr ss:[ebp-50],38
0041B714 |. BA 5BD65000 mov edx,槽车计量.0050D65B ; pass
0041B719 |. 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0041B71C |. E8 C3610E00 call 槽车计量.005018E4
0041B721 |. FF45 BC inc dword ptr ss:[ebp-44]
0041B724 |. 8B10 mov edx,dword ptr ds:[eax]
0041B726 |. 8B45 84 mov eax,dword ptr ss:[ebp-7C]
0041B729 |. 59 pop ecx
0041B72A |. E8 31770700 call 槽车计量.00492E60
0041B72F |. FF4D BC dec dword ptr ss:[ebp-44]
0041B732 |. 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0041B735 |. BA 02000000 mov edx,2
0041B73A |. E8 25630E00 call 槽车计量.00501A64
0041B73F |. FF4D BC dec dword ptr ss:[ebp-44]
0041B742 |. 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0041B745 |. BA 02000000 mov edx,2
0041B74A |. E8 15630E00 call 槽车计量.00501A64
0041B74F |. 8B45 9C mov eax,dword ptr ss:[ebp-64]
0041B752 |. E8 2DC90900 call 槽车计量.004B8084
0041B757 |. EB 24 jmp short 槽车计量.0041B77D
0041B759 |> 6A 40 push 40
0041B75B |. B9 6ED65000 mov ecx,槽车计量.0050D66E ; 说明
0041B760 |. BA 60D65000 mov edx,槽车计量.0050D660 ; 注册码不正确!(“被这里玩了一把”)
0041B765 |. A1 D4195100 mov eax,dword ptr ds:[5119D4]
0041B76A |. 8B00 mov eax,dword ptr ds:[eax]
0041B76C |. E8 53610E00 call 槽车计量.005018C4
0041B771 |. 8B55 A0 mov edx,dword ptr ss:[ebp-60]
0041B774 |. 64:8915 00000>mov dword ptr fs:[0],edx
0041B77B |. EB 0A jmp short 槽车计量.0041B787
0041B77D |> 8B4D A0 mov ecx,dword ptr ss:[ebp-60]
0041B780 |. 64:890D 00000>mov dword ptr fs:[0],ecx
0041B787 |> 8BE5 mov esp,ebp
0041B789 |. 5D pop ebp
0041B78A \. C3 retn
4。我的操作详细说明:
重新运行软件,在 0041B501 |. 8BEC mov ebp,esp 这里先下个断,再按F9,软件在还没弹注册窗口时断下来了,应该是判断语句的开始,猜的.
笨方法,在每一个CALL下面的MOV下个断,按F9一个一个排查,到了这里
0041B624 /7E 2C jle short 槽车计量.0041B652 改成0041b655
0041B626 |. |6A 40 push 40
0041B628 |. |B9 36D65000 mov ecx,槽车计量.0050D636 ; 说明
0041B62D |. |BA 2CD65000 mov edx,槽车计量.0050D62C ; 注册失败!
0041B632 |. |A1 D4195100 mov eax,dword ptr ds:[5119D4]
0041B637 |. |8B00 mov eax,dword ptr ds:[eax]
0041B639 |. |E8 86620E00 call 槽车计量.005018C4
0041B63E |. |C605 58205100>mov byte ptr ds:[512058],0
0041B645 |. |8B45 9C mov eax,dword ptr ss:[ebp-64]
0041B648 |. |E8 37CA0900 call 槽车计量.004B8084
0041B64D |. |E9 2B010000 jmp 槽车计量.0041B77D
0041B652 |> \DD45 88 fld qword ptr ss:[ebp-78]
0041B655 |. DC5D 90 fcomp qword ptr ss:[ebp-70] Y的给我来这里
0041B658 |. DFE0 fstsw ax
0041B65A |. 9E sahf
0041B65B 0F85 F8000000 jnz 槽车计量.0041B759
0041B661 |. C605 58205100>mov byte ptr ds:[512058],1
0041B668 |. 66:C745 B0 20>mov word ptr ss:[ebp-50],20
0041B66E |. BA 3BD65000 mov edx,槽车计量.0050D63B ; \software\measuresoft\demo
发现有个可疑的东西,下个断试试 F9再看来到了这里,提示栏说跳转已经实现,
0041B624 7E 2C jle short 槽车计量.0041B652 (“这个我认识若小于等于则跳”)
本人喜欢试,把它改到下一个地址试试0041B655,时间有点长,有戏,原来在写注册表,保存改过的软件。
试看运行了一下,也弹了个窗口“is not a valid integer value"不管它,点确定,搞定了。可以运行了,除了每次弹这窗口,只用几天不理它了。
第一次搞爆破,也第一次写爆文,有不对的地方多多愿谅,谢谢。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
