|
 
- 帖子
- 4728
- 积分
- 7436
- 注册时间
- 2007-10-25
   
|
3#
发表于 2010-4-16 01:02
| 只看该作者
感谢各位支持
本人的教程现在公布答案
首先,我这程序简单,用的是MSGBOX提示方式,如果有人说这个是你自己写的,你自己当然清楚了,错哦
首先MSGBOX是哪种方式实现的,VB就规定好了的
首先MSGBOX标准格式就是下图
标准使用方式是
MsgBox(prompt[, buttons] [, title] [, helpfile, context])
msgbox"你提示的内容",按钮方式(英文字母),"你提示的框的标题"
对应prompt
buttons
title
具体用法可查MSDN的VB帮助
学过VB的人,在调试的时候就很容易的判断出是不是MSGBOX方式了
除了MSGBOX之外,弹窗报错还有一种
是form方式,当然这种方式细致点的人都看得出来的。
我给了个程序,大家可以看看三种msgbox方式的不同
调试中的断点,大多数都是
bpx rtcMsgbox
少数下的断点是MessageBoxExA 类似这样的,但是我接触破解不够深入,技术还是个菜鸟级 ,所以我也不知道怎么下断点
此次的教程里涉及的软件未用到这个函数
继续教程讲解
在用OLLDBG载入程序之后,下断点bpx rtcMsgbox
断点在rtcMsgBox这个上就是禁止在MSGBOX弹出的时候跳转
根据个人调试经验,如果有多个判断
则往rtcMsgBox上找到跳转(请耐心调试),设置个断点,记下断点位置,输入测试的数字,看是否弹出报错的对话框,因为我是用的笨办法—因为每个rtcMsgBox对应一个判断,
不断调试,就能找出爆正确注册的MSGBOX,不是么004051C4 /74 7C je short 00405242 //这里是第一个跳转,就是我说的rtcmsgbox紧接着的判断跳转
004051C6 . |8B35 B0104000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
004051CC . |B9 04000280 mov ecx, 80020004
004051D1 . |894D AC mov dword ptr [ebp-54], ecx
004051D4 . |B8 0A000000 mov eax, 0A
004051D9 . |894D BC mov dword ptr [ebp-44], ecx
004051DC . |BF 08000000 mov edi, 8
004051E1 . |8D55 84 lea edx, dword ptr [ebp-7C]
004051E4 . |8D4D C4 lea ecx, dword ptr [ebp-3C]
004051E7 . |8945 A4 mov dword ptr [ebp-5C], eax
004051EA . |8945 B4 mov dword ptr [ebp-4C], eax
004051ED . |C745 8C 30434>mov dword ptr [ebp-74], 00404330
004051F4 . |897D 84 mov dword ptr [ebp-7C], edi
004051F7 . |FFD6 call esi ; <&MSVBVM60.__vbaVarDup>
004051F9 . |8D55 94 lea edx, dword ptr [ebp-6C]
004051FC . |8D4D D4 lea ecx, dword ptr [ebp-2C]
004051FF . |C745 9C 14434>mov dword ptr [ebp-64], 00404314
00405206 . |897D 94 mov dword ptr [ebp-6C], edi
00405209 . |FFD6 call esi
0040520B . |8D55 A4 lea edx, dword ptr [ebp-5C]
0040520E . |8D45 B4 lea eax, dword ptr [ebp-4C]
00405211 . |52 push edx
00405212 . |8D4D C4 lea ecx, dword ptr [ebp-3C]
00405215 . |50 push eax
00405216 . |51 push ecx
00405217 . |8D55 D4 lea edx, dword ptr [ebp-2C]
0040521A . |53 push ebx
0040521B . |52 push edx
0040521C . |FF15 38104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox //第一个rtcmsgbox
00405222 . |8D45 A4 lea eax, dword ptr [ebp-5C]
00405225 . |8D4D B4 lea ecx, dword ptr [ebp-4C]
00405228 . |50 push eax
00405229 . |8D55 C4 lea edx, dword ptr [ebp-3C]
0040522C . |51 push ecx
0040522D . |8D45 D4 lea eax, dword ptr [ebp-2C]
00405230 . |52 push edx
00405231 . |50 push eax
00405232 . |6A 04 push 4
00405234 . |FF15 10104000 call dword ptr [<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
0040523A . |83C4 14 add esp, 14
0040523D . |E9 39040000 jmp 0040567B
00405242 > \8B0E mov ecx, dword ptr [esi]
00405244 . 56 push esi
00405245 . FF91 04030000 call dword ptr [ecx+304]
0040524B . 8D55 E4 lea edx, dword ptr [ebp-1C]
0040524E . 50 push eax
0040524F . 52 push edx
00405250 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00405256 . 8BF8 mov edi, eax
00405258 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0040525B . 51 push ecx
0040525C . 57 push edi
0040525D . 8B07 mov eax, dword ptr [edi]
0040525F . FF90 A0000000 call dword ptr [eax+A0]
00405265 . 3BC3 cmp eax, ebx
00405267 . DBE2 fclex
00405269 . 7D 12 jge short 0040527D
0040526B . 68 A0000000 push 0A0
00405270 . 68 00434000 push 00404300
00405275 . 57 push edi
00405276 . 50 push eax
00405277 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040527D > 8B55 E8 mov edx, dword ptr [ebp-18]
00405280 . 8B46 38 mov eax, dword ptr [esi+38]
00405283 . 52 push edx
00405284 . 50 push eax
00405285 . FF15 54104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0040528B . 8BF8 mov edi, eax
0040528D . 8D4D E8 lea ecx, dword ptr [ebp-18]
00405290 . F7DF neg edi
00405292 . 1BFF sbb edi, edi
00405294 . 47 inc edi
00405295 . F7DF neg edi
00405297 . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040529D . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004052A0 . FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004052A6 . 66:3BFB cmp di, bx
004052A9 . 74 3F je short 004052EA
004052AB . 8B35 B0104000 mov esi, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
004052B1 . B9 04000280 mov ecx, 80020004
004052B6 . 894D AC mov dword ptr [ebp-54], ecx
004052B9 . B8 0A000000 mov eax, 0A
004052BE . 894D BC mov dword ptr [ebp-44], ecx
004052C1 . BF 08000000 mov edi, 8
004052C6 . 8D55 84 lea edx, dword ptr [ebp-7C]
004052C9 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004052CC . 8945 A4 mov dword ptr [ebp-5C], eax
004052CF . 8945 B4 mov dword ptr [ebp-4C], eax
004052D2 . C745 8C 44434>mov dword ptr [ebp-74], 00404344
004052D9 . 897D 84 mov dword ptr [ebp-7C], edi
004052DC . FFD6 call esi ; <&MSVBVM60.__vbaVarDup>
004052DE . C745 9C 14434>mov dword ptr [ebp-64], 00404314
004052E5 . E9 0E020000 jmp 004054F8
004052EA > 8B06 mov eax, dword ptr [esi]
004052EC . 56 push esi
004052ED . FF90 04030000 call dword ptr [eax+304]
004052F3 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004052F6 . 50 push eax
004052F7 . 51 push ecx
004052F8 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
004052FE . 8BF8 mov edi, eax
00405300 . 8D45 E8 lea eax, dword ptr [ebp-18]
00405303 . 50 push eax
00405304 . 57 push edi
00405305 . 8B17 mov edx, dword ptr [edi]
00405307 . FF92 A0000000 call dword ptr [edx+A0]
0040530D . 3BC3 cmp eax, ebx
0040530F . DBE2 fclex
00405311 . 7D 12 jge short 00405325
00405313 . 68 A0000000 push 0A0
00405318 . 68 00434000 push 00404300
0040531D . 57 push edi
0040531E . 50 push eax
0040531F . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
00405325 > 8B4D E8 mov ecx, dword ptr [ebp-18]
00405328 . 8B56 3C mov edx, dword ptr [esi+3C]
0040532B . 51 push ecx
0040532C . 52 push edx
0040532D . FF15 54104000 call dword ptr [<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00405333 . 8BF8 mov edi, eax
00405335 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00405338 . F7DF neg edi
0040533A . 1BFF sbb edi, edi
0040533C . 47 inc edi
0040533D . F7DF neg edi
0040533F . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00405345 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00405348 . FF15 D8104000 call dword ptr [<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
0040534E . 66:3BFB cmp di, bx
00405351 . 0F84 FD000000 je 00405454 //第二个rtcmsgbox的判断跳转,这里才是正确的判断跳转,这里NOP掉,就能得到正确地址
00405357 . 8B1D B0104000 mov ebx, dword ptr [<&MSVBVM60.__vba>; MSVBVM60.__vbaVarDup
0040535D . B9 04000280 mov ecx, 80020004
00405362 . 894D AC mov dword ptr [ebp-54], ecx
00405365 . B8 0A000000 mov eax, 0A
0040536A . 894D BC mov dword ptr [ebp-44], ecx
0040536D . BF 08000000 mov edi, 8
00405372 . 8D55 84 lea edx, dword ptr [ebp-7C]
00405375 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00405378 . 8945 A4 mov dword ptr [ebp-5C], eax
0040537B . 8945 B4 mov dword ptr [ebp-4C], eax
0040537E . C745 8C 80434>mov dword ptr [ebp-74], 00404380
00405385 . 897D 84 mov dword ptr [ebp-7C], edi
00405388 . FFD3 call ebx ; <&MSVBVM60.__vbaVarDup>
0040538A . 8D55 94 lea edx, dword ptr [ebp-6C]
0040538D . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00405390 . C745 9C 58434>mov dword ptr [ebp-64], 00404358
00405397 . 897D 94 mov dword ptr [ebp-6C], edi
0040539A . FFD3 call ebx
0040539C . 8D45 A4 lea eax, dword ptr [ebp-5C]
0040539F . 8D4D B4 lea ecx, dword ptr [ebp-4C]
004053A2 . 50 push eax
004053A3 . 8D55 C4 lea edx, dword ptr [ebp-3C]
004053A6 . 51 push ecx
004053A7 . 52 push edx
004053A8 . 8D45 D4 lea eax, dword ptr [ebp-2C]
004053AB . 6A 00 push 0
004053AD . 50 push eax
004053AE . FF15 38104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox //这里是第二个rtcmsgbox
004051C4 /74 7C je short 00405242
改为NOP之后爆出的是这个MSGBOX(当然你要去掉第一个rtcmsgbox的断点)
我们调试第二个rtcmsgbox地址,前面那个rtcmsgbox地址的判断跳转(004051C4 )要还原啊!
00405351 /0F84 FD000000 je 00405454
第二个地址NOP掉看是什么结果(记得去掉第二个的rtcmsgbox的断点)
004053AE . FF15 38104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
这里的断点去掉哦
结果就弹出了
当然第二关的地址也就出来啦
点击链接 就到第二关了,哈哈,简单吧
总结下今天的破解第一关,
涉及的知识很少,就开头提到的汇编知识+基础知识。
主要是耐心,我调试2次之后,就找到弹出的是正确与否的判断的位置,如果是复杂点的简单破解程序,调试十几次,都是有可能的。
文中提到的MSGBOX弹窗报错的几种方法
|
附件: 您需要登录才可以下载或查看附件。没有帐号?注册
|
发表于 2010-5-2 15:43
|