A detailed crack of a restart-verification program
This post was last edited by sahacker on 2016-12-4 12:49. An entry-level reverse-engineering tutorial; experts, feel free to skip it.
The target is a file-renaming program.
Packer check: it's asp. Very simple, one pass with the ESP trick handles it, or you can patch without unpacking at all.
Before registration there is an ad popup and an "unregistered" label.
Entering a registration code makes it tell you to re-run the program, which is the typical restart verification.
Search for strings and go to 00401000.
Find the key strings. This program is sloppy: every useful string can be seen right here.
Double-click to go in.
Actually all the key prompts sit together in one place, very simple.
Find the key jump and the key call.
Step into the assignment routine:
004DACE9 .55 push ebp
004DACEA .68 8AAE4D00 push RenameWi.004DAE8A
004DACEF .64:FF30 push dword ptr fs:[eax]
004DACF2 .64:8920 mov dword ptr fs:[eax],esp
004DACF5 .E8 5AF2FFFF call RenameWi.004D9F54
004DACFA .3C 01 cmp al,0x1
004DACFC .75 1D jnz short RenameWi.004DAD1B
004DACFE .6A 00 push 0x0
004DAD00 .B9 98AE4D00 mov ecx,RenameWi.004DAE98 ;批量更名专家 V2.6 (Batch Rename Expert V2.6)
004DAD05 .BA ACAE4D00 mov edx,RenameWi.004DAEAC ;批量更名专家 V2.6您已经是注册用户,谢谢您的支持! (Batch Rename Expert V2.6: you are already a registered user, thank you for your support!)
004DAD0A .A1 C4A64E00 mov eax,dword ptr ds:[0x4EA6C4]
004DAD0F .8B00 mov eax,dword ptr ds:[eax]
004DAD11 .E8 EEB9FBFF call RenameWi.00496704
004DAD16 .E9 47010000 jmp RenameWi.004DAE62
004DAD1B >8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
004DAD1E .8B83 00030000 mov eax,dword ptr ds:[ebx+0x300]
004DAD24 .E8 87AFF9FF call RenameWi.00475CB0
004DAD29 .8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
004DAD2C .8D55 FC lea edx,dword ptr ss:[ebp-0x4]
004DAD2F .E8 C0E9F2FF call RenameWi.004096F4
004DAD34 .8D55 EC lea edx,dword ptr ss:[ebp-0x14]
004DAD37 .8B83 04030000 mov eax,dword ptr ds:[ebx+0x304]
004DAD3D .E8 6EAFF9FF call RenameWi.00475CB0
004DAD42 .8B45 EC mov eax,dword ptr ss:[ebp-0x14]
004DAD45 .8D55 F8 lea edx,dword ptr ss:[ebp-0x8]
004DAD48 .E8 A7E9F2FF call RenameWi.004096F4
004DAD4D .837D FC 00 cmp dword ptr ss:[ebp-0x4],0x0
004DAD51 .74 06 je short RenameWi.004DAD59
004DAD53 .837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
004DAD57 .75 0F jnz short RenameWi.004DAD68
004DAD59 >B8 E8AE4D00 mov eax,RenameWi.004DAEE8 ;请输入作者发送给您的注册码认证,谢谢! (Please enter the registration code the author sent you for verification, thanks!)
004DAD5E .E8 81A8F5FF call RenameWi.004355E4
004DAD63 .E9 FA000000 jmp RenameWi.004DAE62
004DAD68 >B2 01 mov dl,0x1
004DAD6A .A1 18D74300 mov eax,dword ptr ds:[0x43D718] ;d证
004DAD6F .E8 A42AF6FF call RenameWi.0043D818
004DAD74 .8945 F4 mov dword ptr ss:[ebp-0xC],eax
004DAD77 .33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
004DAD79 .55 push ebp
004DAD7A .68 37AE4D00 push RenameWi.004DAE37
004DAD7F .64:FF32 push dword ptr fs:[edx]
004DAD82 .64:8922 mov dword ptr fs:[edx],esp
004DAD85 .BA 02000080 mov edx,0x80000002
004DAD8A .8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ;kernel32.7C839AC0
004DAD8D .E8 262BF6FF call RenameWi.0043D8B8
004DAD92 .B1 01 mov cl,0x1
004DAD94 .BA 18AF4D00 mov edx,RenameWi.004DAF18 ;\Software\360zd\renamewiz\
004DAD99 .8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ;kernel32.7C839AC0
004DAD9C .E8 7B2BF6FF call RenameWi.0043D91C
004DADA1 .84C0 test al,al
004DADA3 .74 3E je short RenameWi.004DADE3
004DADA5 .33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
004DADA7 .55 push ebp
004DADA8 .68 CDAD4D00 push RenameWi.004DADCD
004DADAD .64:FF32 push dword ptr fs:[edx]
004DADB0 .64:8922 mov dword ptr fs:[edx],esp
004DADB3 .8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
004DADB6 .BA 3CAF4D00 mov edx,RenameWi.004DAF3C ;RWUser
004DADBB .8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ;kernel32.7C839AC0
004DADBE .E8 F52CF6FF call RenameWi.0043DAB8
004DADC3 .33C0 xor eax,eax
004DADC5 .5A pop edx ;kernel32.7C817067
004DADC6 .59 pop ecx ;kernel32.7C817067
004DADC7 .59 pop ecx ;kernel32.7C817067
004DADC8 .64:8910 mov dword ptr fs:[eax],edx ;ntdll.KiFastSystemCallRet
004DADCB .EB 16 jmp short RenameWi.004DADE3
004DADCD .^ E9 E297F2FF jmp RenameWi.004045B4
004DADD2 01 db 01
004DADD3 00 db 00
004DADD4 00 db 00
004DADD5 00 db 00
004DADD6 B8D64300 dd RenameWi.0043D6B8
004DADDA DEAD4D00 dd RenameWi.004DADDE
004DADDE .E8 0D9AF2FF call RenameWi.004047F0
004DADE3 >33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
004DADE5 .55 push ebp
004DADE6 .68 0BAE4D00 push RenameWi.004DAE0B
004DADEB .64:FF32 push dword ptr fs:[edx]
004DADEE .64:8922 mov dword ptr fs:[edx],esp
004DADF1 .8B4D F8 mov ecx,dword ptr ss:[ebp-0x8] ;kernel32.7C817070
004DADF4 .BA 4CAF4D00 mov edx,RenameWi.004DAF4C ;RWCode
004DADF9 .8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ;kernel32.7C839AC0
004DADFC .E8 B72CF6FF call RenameWi.0043DAB8
004DAE01 .33C0 xor eax,eax
004DAE03 .5A pop edx ;kernel32.7C817067
004DAE04 .59 pop ecx ;kernel32.7C817067
004DAE05 .59 pop ecx ;kernel32.7C817067
004DAE06 .64:8910 mov dword ptr fs:[eax],edx ;ntdll.KiFastSystemCallRet
004DAE09 .EB 16 jmp short RenameWi.004DAE21
004DAE0B .^ E9 A497F2FF jmp RenameWi.004045B4
004DAE10 01 db 01
004DAE11 00 db 00
004DAE12 00 db 00
004DAE13 00 db 00
004DAE14 B8D64300 dd RenameWi.0043D6B8
004DAE18 1CAE4D00 dd RenameWi.004DAE1C
004DAE1C .E8 CF99F2FF call RenameWi.004047F0
004DAE21 >33C0 xor eax,eax
004DAE23 .5A pop edx ;kernel32.7C817067
004DAE24 .59 pop ecx ;kernel32.7C817067
004DAE25 .59 pop ecx ;kernel32.7C817067
004DAE26 .64:8910 mov dword ptr fs:[eax],edx ;ntdll.KiFastSystemCallRet
004DAE29 .68 3EAE4D00 push RenameWi.004DAE3E ;j
004DAE2E >8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ;kernel32.7C839AC0
004DAE31 .E8 5E91F2FF call RenameWi.00403F94
004DAE36 .C3 retn
004DAE37 .^ E9 0099F2FF jmp RenameWi.0040473C
004DAE3C .^ EB F0 jmp short RenameWi.004DAE2E
004DAE3E .6A 00 push 0x0
004DAE40 .B9 98AE4D00 mov ecx,RenameWi.004DAE98 ;批量更名专家 V2.6 (Batch Rename Expert V2.6)
004DAE45 .BA 54AF4D00 mov edx,RenameWi.004DAF54 ;非常感谢您的注册,请重新运行程序来验证注册码, 谢谢! (Thank you very much for registering; please re-run the program to verify the registration code, thanks!)
004DAE4A .A1 C4A64E00 mov eax,dword ptr ds:[0x4EA6C4]
004DAE4F .8B00 mov eax,dword ptr ds:[eax]
004DAE51 .E8 AEB8FBFF call RenameWi.00496704
004DAE56 .A1 C4A64E00 mov eax,dword ptr ds:[0x4EA6C4]
004DAE5B .8B00 mov eax,dword ptr ds:[eax]
004DAE5D .E8 FEB7FBFF call RenameWi.00496660
004DAE62 >33C0 xor eax,eax
004DAE64 .5A pop edx ;kernel32.7C817067
004DAE65 .59 pop ecx ;kernel32.7C817067
004DAE66 .59 pop ecx ;kernel32.7C817067
004DAE67 .64:8910 mov dword ptr fs:[eax],edx ;ntdll.KiFastSystemCallRet
004DAE6A .68 91AE4D00 push RenameWi.004DAE91
004DAE6F >8D45 EC lea eax,dword ptr ss:[ebp-0x14]
004DAE72 .BA 02000000 mov edx,0x2
004DAE77 .E8 8C9FF2FF call RenameWi.00404E08
004DAE7C .8D45 F8 lea eax,dword ptr ss:[ebp-0x8]
004DAE7F .BA 02000000 mov edx,0x2
004DAE84 .E8 7F9FF2FF call RenameWi.00404E08
004DAE89 .C3 retn
004DAE8A .^ E9 AD98F2FF jmp RenameWi.0040473C
004DAE8F .^ EB DE jmp short RenameWi.004DAE6F
004DAE91 .5F pop edi ;kernel32.7C817067
004DAE92 .5E pop esi ;kernel32.7C817067
004DAE93 .5B pop ebx ;kernel32.7C817067
004DAE94 .8BE5 mov esp,ebp
004DAE96 .5D pop ebp ;kernel32.7C817067
004DAE97 .C3 retn
Crack complete.
A newbie tutorial; experts, skip on by. It is only useful for beginners. If it helped, please give it a rating. @Shark恒
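As an added example that is not from the post or from the program it discusses, the Python below models the registration routine in the listing (both fields tested only for being non-empty, the pair persisted as RWUser/RWCode, then a restart requested) beside a hardened variant that binds the code to the user name and re-verifies the stored pair on every start. The in-memory store standing in for the registry key, the status strings and the vendor key are constructed; the page does not show what the startup call at 004D9F54 checks, so nothing here claims to.

```python
import hashlib
import hmac

# Constructed in-memory stand-in for the registry key the listing writes to:
# HKLM (0x80000002) \Software\360zd\renamewiz\ with values RWUser and RWCode.
Store = dict

def register_as_listed(store: Store, user: str, code: str) -> str:
    """Model of 004DAD4D..004DAE5D: if either field is empty, show the
    'enter the registration code' prompt; otherwise persist the pair unchanged
    and ask for a restart. The code itself is never checked on this path."""
    if not user or not code:
        return "prompt-enter-code"   # string at 004DAEE8
    store["RWUser"] = user           # write at 004DADBE
    store["RWCode"] = code           # write at 004DADFC
    return "prompt-restart"          # string at 004DAF54

# Assumed vendor secret (constructed). A shipped product would verify a
# public-key signature instead, so the client binary holds no secret.
_VENDOR_KEY = b"constructed-demo-key-not-from-the-page"

def expected_code(user: str) -> str:
    """Code bound to the user name: HMAC-SHA256, truncated to 16 hex digits."""
    return hmac.new(_VENDOR_KEY, user.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def code_is_valid(user: str, code: str) -> bool:
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected_code(user).encode(), code.encode("utf-8"))

def register_hardened(store: Store, user: str, code: str) -> str:
    """Validate before persisting, so a stored pair is never an unverified claim."""
    if not user or not code:
        return "prompt-enter-code"
    if not code_is_valid(user, code):
        return "prompt-invalid-code"  # nothing is written on rejection
    store["RWUser"] = user
    store["RWCode"] = code
    return "prompt-restart"

def startup_is_registered(store: Store) -> bool:
    """Re-verify the persisted pair on every start rather than trusting that it
    exists; an RWCode that no longer matches RWUser takes the unregistered path."""
    user = store.get("RWUser", "")
    code = store.get("RWCode", "")
    return bool(user) and bool(code) and code_is_valid(user, code)
```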
First of all, thanks for sharing the tutorial. Then I'd like to ask a question: there are quite a few images that aren't used now. Is that because the tutorial doesn't cover those parts? If they aren't covered, I'd suggest deleting the redundant images. I just tried to re-edit the post for you, but since there are so many images I didn't dare delete any for fear of deleting the wrong ones, so I hope that after you read this you'll clean out the unused images. Thanks again!

This post was last edited by sahacker on 2016-12-4 12:51
Shark恒 posted on 2016-12-4 12:43:
First of all, thanks for sharing the tutorial. Then I'd like to ask a question: there are quite a few images that aren't used now. Is that because the tutorial doesn't ...
I'll reorganize it.

Thanks, brother Liu, for the hard work of tidying it up.

OP, first let me thank you for sharing your reversing experience, but I have a small suggestion: when you were reversing and saw that first prompt box asking you to continue with the trial, you could have figured right then that there is a check in front of it. I'll use pictures to walk through my reversing process:
I think when people read tutorials they all approach the reversing from the registration side, because that's the hint the teacher gave you. Say this program had none of those restriction prompt boxes; then we could start from the registration side. But when it does have these restriction message boxes, we can start from them instead (after all, what the teacher teaches is technique; technique is fixed, people are flexible, so apply fixed technique flexibly).

haier8917 posted on 2016-12-4 13:49:
OP, first let me thank you for sharing your reversing experience, but I have a small suggestion: when you were reversing and saw that first prompt box asking you to ...
Right, which is why I consider everything I post to be beginner-level introductory tutorials.

Thanks to haier8917 for the detailed explanation of the pause method.

You're welcome. I mostly rely on the pause method. If there's no restriction box I search strings; if that finds nothing I search in memory (and the strings I pay attention to are usually the feature prompt strings, because sometimes with "unregistered" or "registered" the patch may not be perfect and you still have to look for other clues); if that still finds nothing, then all that's left is patching via the registration route.

Here to learn and see the approach.