我简单分析下吧
其实这个CM也就是用一个异常改变了程序流向。
当你来到这里,也就是到了算法部分。
; Serial-check code as dumped from OllyDbg (target: CM06). The dump starts inside
; the exception handler (MOV ESP,[EBP-18] restores the frame's saved ESP) and
; ends at the GetModuleHandleA call; the function's prologue and its tail are
; outside this excerpt.
; Roles of the stack slots, as established by the instructions below (the names
; are ours; the C++ reconstruction later in this thread has the same structure):
;   [EBP-30] / [EBP-38] = byte buffer A and its length (bound of the first loop)
;   [EBP-28] / [EBP-40] = byte buffer B and its length (bound of the second loop)
;   [EBP-24] = sum_a, [EBP-44] = sum_b   (sums of sign-extended bytes)
;   [EBP-20], [EBP-1C] = two 30-byte scratch strings
;   [EBP-48] = acc, the value that ends up as GetModuleHandleA's argument
; CM06.0042F5FF is called as (value, buffer, 10h) with cdecl cleanup (ADD ESP,0C),
; CM06.0041C777 as (string) returning in EAX, CM06.0041C9E0 as (ptr, 0, count):
; consistent with itoa/atol/memset, but their bodies are not in this excerpt.
0042F749 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
; [EBP-3C] = len_b % len_a  (IDIV leaves the remainder in EDX); the slot is not read again in this excerpt
0042F74C . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0042F74F . 99 CDQ
0042F750 . F77D C8 IDIV DWORD PTR SS:[EBP-38]
0042F753 . 8955 C4 MOV DWORD PTR SS:[EBP-3C],EDX
; loop 1: for (i = [EBP-4C] = 0; i < len_a; i++) sum_a += (signed char)bufA[i]
; (MOVSX sign-extends each byte, so bytes >= 80h contribute negative values)
0042F756 . 8365 B4 00 AND DWORD PTR SS:[EBP-4C],0
0042F75A . EB 07 JMP SHORT CM06.0042F763
0042F75C > 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
0042F75F . 40 INC EAX
0042F760 . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
0042F763 > 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
0042F766 . 3B45 C8 CMP EAX,DWORD PTR SS:[EBP-38]
0042F769 . 7D 11 JGE SHORT CM06.0042F77C
0042F76B . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0042F76E . 0345 B4 ADD EAX,DWORD PTR SS:[EBP-4C]
0042F771 . 0FBE00 MOVSX EAX,BYTE PTR DS:[EAX]
0042F774 . 0345 DC ADD EAX,DWORD PTR SS:[EBP-24]
0042F777 . 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
0042F77A .^ EB E0 JMP SHORT CM06.0042F75C
; loop 2: for (i = [EBP-50] = 0; i < len_b; i++) sum_b += (signed char)bufB[i]
0042F77C > 8365 B0 00 AND DWORD PTR SS:[EBP-50],0
0042F780 . EB 07 JMP SHORT CM06.0042F789
0042F782 > 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0042F785 . 40 INC EAX
0042F786 . 8945 B0 MOV DWORD PTR SS:[EBP-50],EAX
0042F789 > 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
0042F78C . 3B45 C0 CMP EAX,DWORD PTR SS:[EBP-40]
0042F78F . 7D 11 JGE SHORT CM06.0042F7A2
0042F791 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0042F794 . 0345 B0 ADD EAX,DWORD PTR SS:[EBP-50]
0042F797 . 0FBE00 MOVSX EAX,BYTE PTR DS:[EAX]
0042F79A . 0345 BC ADD EAX,DWORD PTR SS:[EBP-44]
0042F79D . 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
0042F7A0 .^ EB E0 JMP SHORT CM06.0042F782
; CM06.0042F5FF(sum_a, [EBP-20], 10h)  -- radix 16 if this is itoa
0042F7A2 > 6A 10 PUSH 10 ; /Arg3 = 00000010
0042F7A4 . FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; |Arg2
0042F7A7 . FF75 DC PUSH DWORD PTR SS:[EBP-24] ; |Arg1
0042F7AA . E8 50FEFFFF CALL CM06.0042F5FF ; \CM06.0042F5FF
0042F7AF . 83C4 0C ADD ESP,0C
; copy 7 dwords + 1 word = 30 bytes from [EBP-20] to [EBP-1C] (inlined memcpy of the whole buffer)
0042F7B2 . 6A 07 PUSH 7
0042F7B4 . 59 POP ECX
0042F7B5 . 8B75 E0 MOV ESI,DWORD PTR SS:[EBP-20]
0042F7B8 . 8B7D E4 MOV EDI,DWORD PTR SS:[EBP-1C]
0042F7BB . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0042F7BD . 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
; CM06.0042F5FF(sum_b, [EBP-20], 10h)  -- overwrites [EBP-20]
0042F7BF . 6A 10 PUSH 10 ; /Arg3 = 00000010
0042F7C1 . FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; |Arg2
0042F7C4 . FF75 BC PUSH DWORD PTR SS:[EBP-44] ; |Arg1
0042F7C7 . E8 33FEFFFF CALL CM06.0042F5FF ; \CM06.0042F5FF
0042F7CC . 83C4 0C ADD ESP,0C
; inlined strlen of [EBP-20]: [EBP-74] walks one byte past the NUL, so
; EAX = [EBP-74] - [EBP-78] is the length INCLUDING the terminator;
; [EBP-80] = source pointer, [EBP-84] = that byte count
0042F7CF . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0042F7D2 . 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
0042F7D5 . 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
0042F7D8 . 8945 88 MOV DWORD PTR SS:[EBP-78],EAX
0042F7DB > 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
0042F7DE . 8A00 MOV AL,BYTE PTR DS:[EAX]
0042F7E0 . 8845 87 MOV BYTE PTR SS:[EBP-79],AL
0042F7E3 . FF45 8C INC DWORD PTR SS:[EBP-74]
0042F7E6 . 807D 87 00 CMP BYTE PTR SS:[EBP-79],0
0042F7EA .^ 75 EF JNZ SHORT CM06.0042F7DB
0042F7EC . 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
0042F7EF . 2B45 88 SUB EAX,DWORD PTR SS:[EBP-78]
0042F7F2 . 8B4D 88 MOV ECX,DWORD PTR SS:[EBP-78]
0042F7F5 . 894D 80 MOV DWORD PTR SS:[EBP-80],ECX
0042F7F8 . 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
; walk [EBP-1C] to its NUL terminator: [EBP-88] starts one before the buffer and
; is incremented after each load of [EAX+1], so on exit it points AT the NUL
0042F7FE . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0042F801 . 48 DEC EAX
0042F802 . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
0042F808 > 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
0042F80E . 8A40 01 MOV AL,BYTE PTR DS:[EAX+1]
0042F811 . 8885 77FFFFFF MOV BYTE PTR SS:[EBP-89],AL
0042F817 . FF85 78FFFFFF INC DWORD PTR SS:[EBP-88]
0042F81D . 80BD 77FFFFFF>CMP BYTE PTR SS:[EBP-89],0
0042F824 .^ 75 E2 JNZ SHORT CM06.0042F808
; copy [EBP-84] bytes (len/4 dwords, then len&3 bytes) from [EBP-20] onto the
; end of [EBP-1C]: together with the scan above this is an inlined strcat([EBP-1C],[EBP-20]).
; The concatenated string is not read again in this excerpt.
0042F826 . 8BBD 78FFFFFF MOV EDI,DWORD PTR SS:[EBP-88]
0042F82C . 8B75 80 MOV ESI,DWORD PTR SS:[EBP-80]
0042F82F . 8B85 7CFFFFFF MOV EAX,DWORD PTR SS:[EBP-84]
0042F835 . 8BC8 MOV ECX,EAX
0042F837 . C1E9 02 SHR ECX,2
0042F83A . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0042F83C . 8BC8 MOV ECX,EAX
0042F83E . 83E1 03 AND ECX,3
0042F841 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
; [EBP-2C] = len_b / len_a (quotient in EAX); not read again in this excerpt
0042F843 . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0042F846 . 99 CDQ
0042F847 . F77D C8 IDIV DWORD PTR SS:[EBP-38]
0042F84A . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
; acc = len_b - len_a
0042F84D . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0042F850 . 2B45 C8 SUB EAX,DWORD PTR SS:[EBP-38]
0042F853 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
; acc += sum_a*len_b + sum_b*len_a - len_b*len_a   (32-bit wrapping arithmetic)
0042F856 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0042F859 . 0FAF45 C0 IMUL EAX,DWORD PTR SS:[EBP-40]
0042F85D . 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44]
0042F860 . 0FAF4D C8 IMUL ECX,DWORD PTR SS:[EBP-38]
0042F864 . 03C1 ADD EAX,ECX
0042F866 . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0042F869 . 0FAF4D C8 IMUL ECX,DWORD PTR SS:[EBP-38]
0042F86D . 2BC1 SUB EAX,ECX
0042F86F . 0345 B8 ADD EAX,DWORD PTR SS:[EBP-48]
0042F872 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
; acc += sum_a << len_b   (SHL r32,CL uses only the low 5 bits of CL)
0042F875 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0042F878 . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
0042F87B . D3E0 SHL EAX,CL
0042F87D . 0345 B8 ADD EAX,DWORD PTR SS:[EBP-48]
0042F880 . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
; acc += sum_b << len_a
0042F883 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0042F886 . 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
0042F889 . D3E0 SHL EAX,CL
0042F88B . 0345 B8 ADD EAX,DWORD PTR SS:[EBP-48]
0042F88E . 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX
; acc -= sum_a * sum_b
0042F891 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0042F894 . 0FAF45 BC IMUL EAX,DWORD PTR SS:[EBP-44]
0042F898 . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
0042F89B . 2BC8 SUB ECX,EAX
0042F89D . 894D B8 MOV DWORD PTR SS:[EBP-48],ECX
; acc -= CM06.0041C777(bufB + len_b)   -- the tail of buffer B beyond len_b
0042F8A0 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0042F8A3 . 0345 C0 ADD EAX,DWORD PTR SS:[EBP-40]
0042F8A6 . 50 PUSH EAX
0042F8A7 . E8 CBCEFEFF CALL CM06.0041C777
0042F8AC . 59 POP ECX
0042F8AD . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
0042F8B0 . 2BC8 SUB ECX,EAX
0042F8B2 . 894D B8 MOV DWORD PTR SS:[EBP-48],ECX
; CM06.0041C9E0(bufB + len_b, 0, 1Eh - len_b): zero the tail so the next parse stops there
0042F8B5 . 6A 1E PUSH 1E
0042F8B7 . 58 POP EAX
0042F8B8 . 2B45 C0 SUB EAX,DWORD PTR SS:[EBP-40]
0042F8BB . 50 PUSH EAX
0042F8BC . 6A 00 PUSH 0
0042F8BE . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0042F8C1 . 0345 C0 ADD EAX,DWORD PTR SS:[EBP-40]
0042F8C4 . 50 PUSH EAX
0042F8C5 . E8 16D1FEFF CALL CM06.0041C9E0
0042F8CA . 83C4 0C ADD ESP,0C
; acc -= CM06.0041C777(bufB + 5)
0042F8CD . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
0042F8D0 . 83C0 05 ADD EAX,5
0042F8D3 . 50 PUSH EAX
0042F8D4 . E8 9ECEFEFF CALL CM06.0041C777
0042F8D9 . 59 POP ECX
0042F8DA . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
0042F8DD . 2BC8 SUB ECX,EAX
0042F8DF . 894D B8 MOV DWORD PTR SS:[EBP-48],ECX
; zero 6 dwords + 1 byte = 25 bytes starting at bufB + 5 (inlined memset(bufB+5, 0, 1Eh-5))
0042F8E2 . 6A 06 PUSH 6
0042F8E4 . 59 POP ECX
0042F8E5 . 33C0 XOR EAX,EAX
0042F8E7 . 8B7D D8 MOV EDI,DWORD PTR SS:[EBP-28]
0042F8EA . 83C7 05 ADD EDI,5
0042F8ED . F3:AB REP STOS DWORD PTR ES:[EDI]
0042F8EF . AA STOS BYTE PTR ES:[EDI]
; acc -= CM06.0041C777(bufB)   -- the first 5 characters only, after the memset above
0042F8F0 . FF75 D8 PUSH DWORD PTR SS:[EBP-28]
0042F8F3 . E8 7FCEFEFF CALL CM06.0041C777
0042F8F8 . 59 POP ECX
0042F8F9 . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
0042F8FC . 2BC8 SUB ECX,EAX
0042F8FE . 894D B8 MOV DWORD PTR SS:[EBP-48],ECX
; [EBP-4] = 1: looks like the SEH try-level slot being bumped on entry to a
; nested __try (not part of the arithmetic) -- confirm against the frame layout
0042F901 . C745 FC 01000>MOV DWORD PTR SS:[EBP-4],1
; GetModuleHandleA(acc), with an extra PUSH ESI whose consumer is not in this
; excerpt. acc == 0 passes NULL (the calling module); any other value is passed
; as a bogus string pointer, which is what the author exploits for control flow.
0042F908 . 56 PUSH ESI
0042F909 . FF75 B8 PUSH DWORD PTR SS:[EBP-48] ; /pModule
0042F90C . FF15 84224300 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
最后让 GetModuleHandleA 的参数为 0 即可,也就是让 SS:[EBP-48]=0 即可。
上面一大段算法无非是在 USER、SN 以及它们的长度之间做一些很初等的运算,
我想无须多说了吧
就这么简单!!
是时候了吧:)
编译了以后用OD断下,修复几个地址offset,把成功msgbox那段的smc跑完第一次以后覆盖掉原来的就好了。
算法是一个非常原始的hash改的,原来的算法应该是单向的,改了以后验算的时候凑不起来只好在最后多加2位减成0。 :P
// Reconstruction of the CM06 serial check posted in this thread (MFC button
// handler). Control flow is deliberately exception-driven: the real algorithm
// runs inside the __except handler of an integer divide-by-zero, and the
// success path is reached only through a second fault plus self-modifying
// code (see the __asm blocks). The __asm offsets are tuned by hand under
// OllyDbg, so this function only works as intended in the exact binary the
// author built.
// NOTE(review): every buffer is allocated with new/new[] but released with
// free(), and dummy/tmpch1/tmpch2 are never released at all. Kept as posted;
// this is a crackme proof-of-concept, not production code.
void CCM06Dlg::OnBnClickedOk()
{
// diff is the running checksum; lname/lkey are the lengths read from the two
// edit controls; tmp1..tmp4 are intermediates (tmp1 and tmp2 end up unused).
int diff= 0, lname = 0, lkey = 0, tmp1 = 0, tmp2 = 0, tmp3 = 0, tmp4 = 0;
PDWORD dummy = new DWORD; // receives the old page protection from VirtualProtect; never freed
char* name = new char[10],*key= new char[30], *tmpch1 = new
char[30],*tmpch2 = new char[30];
lname= GetDlgItemText(IDC_EDIT1,name,10);
// lkey deliberately excludes the last two characters of the key: they are the
// "+2 digits" the author appends so that the final subtractions reach 0.
lkey=GetDlgItemText(IDC_EDIT2,key,30)-2; // lazy shortcut: two extra digits are appended!
__try{
// sizeof(lname) / bool: when both lengths are acceptable the divisor is 0 and
// the integer-divide fault transfers control to the __except block below,
// which is where the actual check lives. When a length is too short the
// quotient is non-zero and the error box is shown instead. (lkey < 8 means
// the raw key is shorter than 10 characters, matching the message text.)
if(sizeof(lname)/(lname<4 || lkey <8))
{
::MessageBox(NULL,"Username must >= 4 && Key must >= 10","Error",0);
};
}
__except(1){ // 1 == EXCEPTION_EXECUTE_HANDLER
tmp1=lkey%lname; // computed but never read afterwards
// tmp3 = sum of the (signed) bytes of the user name
for(int i = 0; i < lname;i++)
{
tmp3+=(int)*(name+i);
}
// tmp4 = sum of the (signed) bytes of the key, excluding the two trailing digits
for(int i = 0; i < lkey;i++)
{
tmp4+=(int)*(key+i);
}
// tmpch2 = hex(tmp3) + hex(tmp4). The memcpy copies all 30 bytes of tmpch1,
// including its uninitialized tail; the concatenated string is never read.
itoa(tmp3,tmpch1,16);
memcpy(tmpch2,tmpch1,30);
itoa(tmp4,tmpch1,16);
strcat(tmpch2,tmpch1);
tmp2=lkey/lname; // computed but never read afterwards
// Checksum over the two lengths and byte sums. All of this is plain 32-bit
// int arithmetic that the author expects to wrap (signed overflow is UB in
// C++, but the compiled code simply wraps).
diff = lkey-lname;
diff+=tmp3*lkey+tmp4*lname-lkey*lname;
// Shift counts are the raw lengths: a count of 32 or more is undefined in
// C++; the generated x86 code masks the count to 5 bits.
diff+=tmp3<<lkey;
diff+=tmp4<<lname; // valid up to here; everything below has no basis :)
diff-=tmp3*tmp4;
// Consume the key from the end: the two trailing digits (key+lkey), then
// everything after the first 5 characters, then the first 5 characters.
// Each piece is NUL-terminated away after use so the next atol stops where
// the previous piece began.
diff-=atol(key+lkey);
memset(key+lkey,'\0',30-lkey);
diff-=atol(key+5);
memset(key+5,'\0',30-5);
diff-=atol(key);
__try
{
__asm{
push esi; // this push should become the argument of the function below; it is fine as long as it makes the div below fault
}
// diff == 0 passes NULL and yields the module's own base; any other value is
// a bogus string pointer that faults inside GetModuleHandle and lands in the
// __except below (wrong serial).
HMODULE handle = GetModuleHandle((char*)diff);
// if diff is not 0 this certainly raises an exception; if it is 0 it is equivalent to NULL, which is exactly right
__asm{
push eax; // save the base address here; an offset is used below to locate the target
}
// Make 0x2ffff bytes of the image writable+executable so the code patch and
// the XOR-decrypt below can modify code pages in place. (RWX over the whole
// image plus writes to code pages is the pattern that makes this binary look
// like a packer/dropper to AV and EDR heuristics.)
VirtualProtect(handle,0x2ffff,PAGE_EXECUTE_READWRITE,dummy);
}
__except(1)
{
// wrong serial: release the input buffers (new[] freed with free(), kept as posted) and leave
free(name);
free(key);
return;
}
__try
{
// Patch the word at base+0x2f974 to 0xF0F7, i.e. bytes F7 F0 = x86 `div eax`.
// Where that patched instruction is later executed is not visible here; the
// author relies on it faulting so that the __except below is entered. The
// pop/push pairs shuffle the saved base and the earlier `push esi` value
// through the stack across the SEH blocks.
__asm{
pop eax;
add eax,0x2f974; // this needs to be adjusted after running under OD
mov word ptr[eax], 0xF0F7;
mov ebx, eax;
pop eax;
push ebx
nop;
nop;
}
}
__except(1)
{
// Decrypt 6 dwords at (patched address + 0x50) by XOR with 0x0f1f2f3f: that
// region is meant to hold the encrypted `finish` code below. After it runs,
// the `restore` label re-encrypts the same region starting at `finish` and
// jumps to `clean`. Labels inside __asm are function-scoped in MSVC, which
// is what lets the C++ `jmp restore` below reach this block.
__asm
{
sub esp,4;
pop eax;
xor ecx,ecx;
add eax, 0x50; // this may also need adjusting
add ecx, eax; // dead store: overwritten by the mov ecx,6 immediately below
mov ecx, 6; // loop count
lp: mov ebx, dword ptr[eax];
xor ebx, 0x0f1f2f3f;
mov dword ptr[eax],ebx;
add eax,4;
loop lp;
jmp finish;
restore: mov ecx, 6;
mov eax, finish;
lp1: mov ebx, dword ptr[eax];
xor ebx, 0x0f1f2f3f;
mov dword ptr[eax],ebx;
add eax,4;
loop lp1;
jmp clean;
nop;
nop;
}
// Success path. Per the author's post, this code is stored XOR-encrypted in
// the shipped binary (re-encrypted with OD after the first run) and is only
// reachable via `jmp finish` above, never by falling through.
finish:
MessageBox("Good job!");
__asm{
jmp restore;
}
}
}
clean:
// Normal exit (also the target of `jmp clean`): release the input buffers.
// tmpch1, tmpch2 and dummy are leaked on every path.
free(name);
free(key);
}