邮箱:1251464842@qq.com各位大牛好,我是一个小小白,比较喜欢信息安全,为了弄份渗透测试的差事吃了不少苦头,大公司以及中等公司都不要我,小公司地理位置太偏僻,不敢去,这样持续了很久,但丝毫没有打消我的积极性。所以打算继续学习,写一个不是技术贴的技术贴,希望管理员能给我个邀请码,让我继续学习[\泪目]今天我本来想照着教程用Python写一个暴力破解zip的,然后都写完了,发现没有密码字典,于是我就上网搜了一个小型的密码字典,不过发现是要写注册码的,不然的话只能生成1000条:
于是乎,因为之前接触过od,所以我打算把它破解了再用。首先用peid查一下壳:
原来是用VB写的,据说vb的会不寻常一点,但是庆幸的是没有壳。那么米娜桑就随我一起看,让我直接载入od吧:少女祈祷中。。。。。。。。。载入成功,我们发现:
![RKZ%T9P2YELP]}NBK90PU_R.png](https://attach.52pojie.cn/forum/201706/22/173552iekex8tkkvalg7vp.png "RKZ%T9P2YELP]}NBK90PU_R.png")
好,那这样我们就爆破就好了了,看看能不能成功首先跟随注册成功字眼来到反汇编代码的位置:
然后我们找关键跳,看有没有跳过它的:对不起,没找到,由于没有注册失败的提示,所以就别智能搜索了注册失败了,那么我们找请输入注册码下面吧,看看有没有大跳转跳过成功:
![G]KFC6FVV2Y2B(4BF0XKLZ9.png](https://attach.52pojie.cn/forum/201706/22/173552cfw0v9m0g21wp70k.png "G]KFC6FVV2Y2B(4BF0XKLZ9.png")
还真有一个,代码如下(最后一行是跳到的地方):005199F8 . C785 64FFFFFF>mov dword ptr ss:[ebp-0x9C],真空密码.0040C49>; 请输入注册码:00519A02 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x800519A0C . FFD3 call ebx00519A0E . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]00519A14 . 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-0x84]00519A1A . 52 push edx ; 真空密码.<ModuleEntryPoint>00519A1B . 8D4D 8C lea ecx,dword ptrss:[ebp-0x74]00519A1E . 50 push eax ; kernel32.BaseThreadInitThunk00519A1F . 8D55 9C lea edx,dword ptrss:[ebp-0x64]00519A22 . 51 push ecx00519A23 . 8D45 AC lea eax,dword ptrss:[ebp-0x54]00519A26 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519A27 . 8D4D BC lea ecx,dword ptrss:[ebp-0x44]00519A2A . 50 push eax ; kernel32.BaseThreadInitThunk00519A2B . 8D55 CC lea edx,dword ptrss:[ebp-0x34]00519A2E . 51 push ecx00519A2F . 52 push edx ; 真空密码.<ModuleEntryPoint>00519A30 . FF15 AC104000 call dword ptr ds:[<&MSVBVM60.#596>] ; msvbvm60.rtcInputBox00519A36 . 8B1D 54124000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaSt>; msvbvm60.__vbaStrMove00519A3C . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk00519A3E . 8D4D E8 lea ecx,dword ptrss:[ebp-0x18]00519A41 . FFD3 call ebx ; <&MSVBVM60.__vbaStrMove>00519A43 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]00519A49 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]00519A4F . 50 push eax ; kernel32.BaseThreadInitThunk00519A50 . 8D55 8C lea edx,dword ptrss:[ebp-0x74]00519A53 . 51 push ecx00519A54 . 8D45 9C lea eax,dword ptrss:[ebp-0x64]00519A57 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519A58 . 8D4D AC lea ecx,dword ptrss:[ebp-0x54]00519A5B . 50 push eax ; kernel32.BaseThreadInitThunk00519A5C . 8D55 BC lea edx,dword ptrss:[ebp-0x44]00519A5F . 51 push ecx00519A60 . 8D45 CC lea eax,dword ptrss:[ebp-0x34]00519A63 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519A64 . 50 push eax ; kernel32.BaseThreadInitThunk00519A65 . 6A07 push 0x700519A67 . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList00519A6D . 8B4D E8 mov ecx,dword ptrss:[ebp-0x18]00519A70 . 83C4 20 add esp,0x2000519A73 . 51 push ecx00519A74 . 68DCC34000 push 真空密码.0040C3DC00519A79 . FF15 00114000 call dword ptr ds:[<&MSVBVM60.__vbaStrCm>; msvbvm60.__vbaStrCmp00519A7F . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519A81 . 0F84 B3010000 je 真空密码.00519C3A00519A87 . 8B46 34 mov eax,dword ptr ds:[esi+0x34]00519A8A . 8D4D E0 lea ecx,dword ptrss:[ebp-0x20]00519A8D . 51 push ecx00519A8E . 8B4D E8 mov ecx,dword ptrss:[ebp-0x18]00519A91 . 8B10 mov edx,dword ptrds:[eax]00519A93 . 51 push ecx00519A94 . 50 push eax ; kernel32.BaseThreadInitThunk00519A95 . FF52 3C call dword ptrds:[edx+0x3C]00519A98 . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519A9A . DBE2 fclex00519A9C . 7D12 jge short 真空密码.00519AB000519A9E . 8B56 34 mov edx,dword ptrds:[esi+0x34]00519AA1 . 6A3C push 0x3C00519AA3 . 6818BF4000 push 真空密码.0040BF1800519AA8 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519AA9 . 50 push eax ; kernel32.BaseThreadInitThunk00519AAA . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj00519AB0 > 8B55 E0 mov edx,dword ptrss:[ebp-0x20]00519AB3 . 8D4D E8 lea ecx,dword ptrss:[ebp-0x18]00519AB6 . C745 E0 00000>mov dword ptr ss:[ebp-0x20],0x000519ABD . FFD3 call ebx00519ABF . 8B46 34 mov eax,dword ptrds:[esi+0x34]00519AC2 . 8B55 E8 mov edx,dword ptrss:[ebp-0x18]00519AC5 . 6A03 push 0x300519AC7 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519AC8 . 8B08 mov ecx,dword ptrds:[eax]00519ACA . 50 push eax ; kernel32.BaseThreadInitThunk00519ACB . FF51 28 call dword ptrds:[ecx+0x28]00519ACE . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519AD0 . DBE2 fclex00519AD2 . 7D12 jge short 真空密码.00519AE600519AD4 . 8B4E 34 mov ecx,dword ptrds:[esi+0x34]00519AD7 . 6A28 push 0x2800519AD9 . 6818BF4000 push 真空密码.0040BF1800519ADE . 51 push ecx00519ADF . 50 push eax ; kernel32.BaseThreadInitThunk00519AE0 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj00519AE6 > 8B46 34 mov eax,dword ptrds:[esi+0x34]00519AE9 . 8D8D F8FEFFFF lea ecx,dword ptr ss:[ebp-0x108]00519AEF . 51 push ecx00519AF0 . 50 push eax ; kernel32.BaseThreadInitThunk00519AF1 . 8B10 mov edx,dword ptrds:[eax]00519AF3 . FF52 48 call dword ptrds:[edx+0x48]00519AF6 . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519AF8 . DBE2 fclex00519AFA . 7D12 jge short 真空密码.00519B0E00519AFC . 8B56 34 mov edx,dword ptrds:[esi+0x34]00519AFF . 6A48 push 0x4800519B01 . 6818BF4000 push 真空密码.0040BF1800519B06 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519B07 . 50 push eax ; kernel32.BaseThreadInitThunk00519B08 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj00519B0E > 66:83BD F8FEF>cmp word ptr ss:[ebp-0x108],0xFFFF00519B16 .^ 0F85 45FEFFFF jnz 真空密码.0051996100519B1C . 8B45 E8 mov eax,dword ptrss:[ebp-0x18]00519B1F . 68C4C44000 push 真空密码.0040C4C4 ; update ZKSys_Sys set sysinfo='00519B24 . 50 push eax ; /String ="?U嬱吷卽."00519B25 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;\__vbaStrCat00519B2B . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk00519B2D . 8D4D E0 lea ecx,dword ptrss:[ebp-0x20]00519B30 . FFD3 call ebx00519B32 . 50 push eax ; kernel32.BaseThreadInitThunk00519B33 . 6808C54000 push 真空密码.0040C508 ; /'00519B38 . FF15 60104000 call dword ptr ds:[<&MSVBVM60.__vbaStrCa>;\__vbaStrCat00519B3E . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk00519B40 . 8D4DE4 lea ecx,dword ptr ss:[ebp-0x1C]00519B43 . FFD3 call ebx00519B45 . 8D4D E0 lea ecx,dword ptrss:[ebp-0x20]00519B48 . FF15 8C124000 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr00519B4E . 8B4DE4 mov ecx,dword ptr ss:[ebp-0x1C]00519B51 . 6A00 push 0x000519B53 . 51 push ecx00519B54 . E8470D0000 call 真空密码.0051A8A000519B59 . B804000280 mov eax,0x8002000400519B5E . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]00519B64 . 8D4D CC lea ecx,dword ptrss:[ebp-0x34]00519B67 . 8945 A4 mov dword ptrss:[ebp-0x5C],eax ; kernel32.BaseThreadInitThunk00519B6A . 897D 9C mov dword ptrss:[ebp-0x64],edi00519B6D . 8945B4 mov dword ptrss:[ebp-0x4C],eax ; kernel32.BaseThreadInitThunk00519B70 . 897D AC mov dword ptrss:[ebp-0x54],edi00519B73 . 8945 C4 mov dword ptrss:[ebp-0x3C],eax ; kernel32.BaseThreadInitThunk00519B76 . 897D BC mov dword ptrss:[ebp-0x44],edi00519B79 . C785 64FFFFFF>mov dword ptr ss:[ebp-0x9C],真空密码.0040C51>; 注册成功!!00519B83 . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0x800519B8D . FF15 1C124000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; msvbvm60.__vbaVarDup00519B93 . 8D55 9C lea edx,dword ptrss:[ebp-0x64]00519B96 . 8D45 AC lea eax,dword ptrss:[ebp-0x54]00519B99 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519B9A . 8D4DBC lea ecx,dword ptr ss:[ebp-0x44]00519B9D . 50 push eax ; kernel32.BaseThreadInitThunk00519B9E . 51 push ecx00519B9F . 8D55 CC lea edx,dword ptrss:[ebp-0x34]00519BA2 . 6A00 push 0x000519BA4 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519BA5 . FF15 A8104000 call dword ptr ds:[<&MSVBVM60.#595>] ; msvbvm60.rtcMsgBox00519BAB . 8D45 9C lea eax,dword ptrss:[ebp-0x64]00519BAE . 8D4D AC lea ecx,dword ptrss:[ebp-0x54]00519BB1 . 50 push eax ; kernel32.BaseThreadInitThunk00519BB2 . 8D55 BC lea edx,dword ptrss:[ebp-0x44]00519BB5 . 51 push ecx00519BB6 . 8D45 CC lea eax,dword ptrss:[ebp-0x34]00519BB9 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519BBA . 50 push eax ; kernel32.BaseThreadInitThunk00519BBB . 6A04 push 0x400519BBD . FF15 3C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList00519BC3 . 8B0E mov ecx,dword ptrds:[esi]00519BC5 . 83C4 14 add esp,0x1400519BC8 . 56 push esi00519BC9 . FF91 34030000 call dword ptr ds:[ecx+0x334]00519BCF . 8B1D A0104000 mov ebx,dword ptr ds:[<&MSVBVM60.__vbaOb>; msvbvm60.__vbaObjSet00519BD5 . 8D55 DC lea edx,dword ptrss:[ebp-0x24]00519BD8 . 50 push eax ; kernel32.BaseThreadInitThunk00519BD9 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519BDA . FFD3 call ebx ; <&MSVBVM60.__vbaObjSet>00519BDC . 8BF8 mov edi,eax ; kernel32.BaseThreadInitThunk00519BDE . 6A00 push 0x000519BE0 . 57 push edi00519BE1 . 8B07 mov eax,dword ptrds:[edi]00519BE3 . FF50 5C call dword ptrds:[eax+0x5C]00519BE6 . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519BE8 . DBE2 fclex00519BEA . 7D0F jge short 真空密码.00519BFB00519BEC . 6A5C push 0x5C00519BEE . 68C4C04000 push 真空密码.0040C0C400519BF3 . 57 push edi00519BF4 . 50 push eax ; kernel32.BaseThreadInitThunk00519BF5 . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj00519BFB > 8B3D 88124000 mov edi,dword ptr ds:[<&MSVBVM60.__vbaFr>; msvbvm60.__vbaFreeObj00519C01 . 8D4D DC lea ecx,dword ptrss:[ebp-0x24]00519C04 . FFD7 call edi ; <&MSVBVM60.__vbaFreeObj>00519C06 . 8B0E mov ecx,dword ptrds:[esi]00519C08 . 56 push esi00519C09 . FF91 30030000 call dword ptr ds:[ecx+0x330]00519C0F . 8D55 DC lea edx,dword ptrss:[ebp-0x24]00519C12 . 50 push eax ; kernel32.BaseThreadInitThunk00519C13 . 52 push edx ; 真空密码.<ModuleEntryPoint>00519C14 . FFD3 call ebx00519C16 . 8BF0 mov esi,eax ; kernel32.BaseThreadInitThunk00519C18 . 6A00 push 0x000519C1A . 56 push esi00519C1B . 8B06 mov eax,dword ptrds:[esi]00519C1D . FF50 5C call dword ptrds:[eax+0x5C]00519C20 . 85C0 test eax,eax ; kernel32.BaseThreadInitThunk00519C22 . DBE2 fclex00519C24 . 7D0F jge short 真空密码.00519C3500519C26 . 6A5C push 0x5C00519C28 . 68C4C04000 push 真空密码.0040C0C400519C2D . 56 push esi00519C2E . 50 push eax ; kernel32.BaseThreadInitThunk00519C2F . FF15 78104000 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj00519C35 > 8D4D DC lea ecx,dword ptrss:[ebp-0x24]00519C38 . FFD7 call edi00519C3A > C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0他是je跳转,我觉得要不然把它改成jne吧,这样一来只要我输入的不正确它都可以跳转注册成功了。
保存一个试试:原来不可以,还和没注册是一样的。好像都不行,那我就跟着程序跑一下吧,我在请输入注册码处不输入,看看他能跑到哪里去,发现这个程序一运行一个jnz,它会跳到上面去
那么我们改上面这个比较就行了,把0xFFFF改成1.看他还跳不跳,果然不跳了。输入任意错误码,注册成功!
虽然是个很简单的软件,还是希望大牛能给我个邀请码,很喜欢信息安全,但是接触时间短,希望能早日进入这个圈子,谢谢大神们 |
吾爱游客
发表于 2017-6-22 17:38
发表于 2017-6-23 10:03
