【Software size】: 2.87M
【Download】: search for it yourself
【Packer】: none
【Protection】: none
【Language】: MFC (VC6)
【Tools】: PEiD, OD (OllyDbg), LordPE
【Software】: the decryption program for the 飚王 (SSK) external hard drive enclosure
【Author's note】: technical discussion only, so we can all improve; criticism and corrections welcome
Notes:
1. This program ships with the 飚王 external hard drive enclosure and is used to unlock the encrypted partition.
2. The encrypted external drive must be plugged in before the program is run; only then is the button enabled, otherwise it is greyed out.
3. There is no protection at all, which deserves criticism; even a packer would have been something.
Main text:
Run it. Entering a wrong password produces a MessageBox, which is a good place to start.
Run the program, type any wrong password, and when the dialog pops up leave it open and attach OD to the process.
Click K to view the call stack, find the function that called MessageBox, and analyse it.
Code:
00401D30 6A FF PUSH -1
00401D32 68 C6116000 PUSH DiskLock.006011C6
00401D37 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00401D3D 50 PUSH EAX
00401D3E 64:8925 0000000> MOV DWORD PTR FS:[0],ESP
00401D45 81EC F4010000 SUB ESP,1F4
00401D4B 55 PUSH EBP
00401D4C 56 PUSH ESI
00401D4D 8BF1 MOV ESI,ECX
00401D4F 57 PUSH EDI
00401D50 33ED XOR EBP,EBP
00401D52 B9 0A000000 MOV ECX,0A
00401D57 33C0 XOR EAX,EAX
00401D59 8D7C24 0E LEA EDI,DWORD PTR SS:[ESP+E]
00401D5D 66:896C24 0C MOV WORD PTR SS:[ESP+C],BP
00401D62 F3:AB REP STOS DWORD PTR ES:[EDI]
00401D64 66:AB STOS WORD PTR ES:[EDI]
00401D66 83BE 38100000 0> CMP DWORD PTR DS:[ESI+1038],1
00401D6D 0F84 08020000 JE DiskLock.00401F7B
00401D73 6A 08 PUSH 8
00401D75 8BCE MOV ECX,ESI
00401D77 E8 34060000 CALL DiskLock.004023B0
00401D7C 83BE 38100000 0> CMP DWORD PTR DS:[ESI+1038],3
00401D83 0F85 9B010000 JNZ DiskLock.00401F24
00401D89 6A 03 PUSH 3
00401D8B 8BCE MOV ECX,ESI
00401D8D E8 1E060000 CALL DiskLock.004023B0
00401D92 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00401D96 8DBE 58100000 LEA EDI,DWORD PTR DS:[ESI+1058]
00401D9C 50 PUSH EAX
00401D9D 57 PUSH EDI
00401D9E FF15 80046200 CALL DWORD PTR DS:[<&uDiskTool.?uReadPas>] ;uDiskToo.?uReadPasswordinSectorEx@@YAHPAG0@Z
00401DA4 83C4 08 ADD ESP,8
00401DA7 85C0 TEST EAX,EAX
00401DA9 0F84 76030000 JE DiskLock.00402125
00401DAF 6A 05 PUSH 5
00401DB1 8BCE MOV ECX,ESI
00401DB3 E8 F8050000 CALL DiskLock.004023B0
00401DB8 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00401DBC 51 PUSH ECX
00401DBD FF15 98006200 CALL DWORD PTR DS:[<&MSVCRT.wcslen>] ;msvcrt.wcslen
00401DC3 83C4 04 ADD ESP,4
00401DC6 85C0 TEST EAX,EAX
00401DC8 0F86 4A010000 JBE DiskLock.00401F18
00401DCE 55 PUSH EBP
00401DCF 8D8C24 20010000 LEA ECX,DWORD PTR SS:[ESP+120]
00401DD6 E8 A5100000 CALL DiskLock.00402E80
00401DDB 8D8C24 1C010000 LEA ECX,DWORD PTR SS:[ESP+11C]
00401DE2 89AC24 08020000 MOV DWORD PTR SS:[ESP+208],EBP
00401DE9 E8 90160000 CALL <JMP.&MFC42u.#2506>
00401DEE 48 DEC EAX
00401DEF 74 4C JE SHORT DiskLock.00401E3D
00401DF1 48 DEC EAX
00401DF2 75 7A JNZ SHORT DiskLock.00401E6E
00401DF4 8D8C24 C0010000 LEA ECX,DWORD PTR SS:[ESP+1C0]
00401DFB C78424 08020000> MOV DWORD PTR SS:[ESP+208],4
00401E06 E8 33170000 CALL <JMP.&MFC42u.#795>
00401E0B 8D8C24 7C010000 LEA ECX,DWORD PTR SS:[ESP+17C]
00401E12 C68424 08020000> MOV BYTE PTR SS:[ESP+208],3
00401E1A E8 A9170000 CALL <JMP.&MFC42u.#656>
00401E1F 8D8C24 1C010000 LEA ECX,DWORD PTR SS:[ESP+11C]
00401E26 C78424 08020000> MOV DWORD PTR SS:[ESP+208],-1
00401E31 E8 0E170000 CALL <JMP.&MFC42u.#641>
00401E36 33C0 XOR EAX,EAX
00401E38 E9 26010000 JMP DiskLock.00401F63
00401E3D 6A 03 PUSH 3
00401E3F 8BCE MOV ECX,ESI
00401E41 E8 6A050000 CALL DiskLock.004023B0
00401E46 55 PUSH EBP
00401E47 57 PUSH EDI
00401E48 8BCE MOV ECX,ESI
00401E4A E8 01060000 CALL DiskLock.00402450
00401E4F 83F8 01 CMP EAX,1
00401E52 75 61 JNZ SHORT DiskLock.00401EB5
00401E54 6A 02 PUSH 2
00401E56 8BCE MOV ECX,ESI
00401E58 E8 53050000 CALL DiskLock.004023B0
00401E5D 57 PUSH EDI
00401E5E 8BCE MOV ECX,ESI
00401E60 E8 FB040000 CALL DiskLock.00402360
00401E65 6A 05 PUSH 5
00401E67 8BCE MOV ECX,ESI
00401E69 E8 42050000 CALL DiskLock.004023B0
00401E6E 8D8C24 C0010000 LEA ECX,DWORD PTR SS:[ESP+1C0]
00401E75 C78424 08020000> MOV DWORD PTR SS:[ESP+208],6
00401E80 E8 B9160000 CALL <JMP.&MFC42u.#795>
00401E85 8D8C24 7C010000 LEA ECX,DWORD PTR SS:[ESP+17C]
00401E8C C68424 08020000> MOV BYTE PTR SS:[ESP+208],5
00401E94 E8 2F170000 CALL <JMP.&MFC42u.#656>
00401E99 8D8C24 1C010000 LEA ECX,DWORD PTR SS:[ESP+11C]
00401EA0 C78424 08020000> MOV DWORD PTR SS:[ESP+208],-1
00401EAB E8 94160000 CALL <JMP.&MFC42u.#641>
00401EB0 E9 95000000 JMP DiskLock.00401F4A
00401EB5 8B96 50100000 MOV EDX,DWORD PTR DS:[ESI+1050]
00401EBB 6A 30 PUSH 30
00401EBD 55 PUSH EBP
00401EBE 8B42 0C MOV EAX,DWORD PTR DS:[EDX+C]
00401EC1 50 PUSH EAX
00401EC2 55 PUSH EBP
00401EC3 FF15 A0036200 CALL DWORD PTR DS:[<&USER32.MessageBoxW>] ;USER32.MessageBoxW
00401EC9 6A 05 PUSH 5
At 00401D9E there is a call to uDiskToo.?uReadPasswordinSectorEx@@YAHPAG0@Z; from the function name one can guess that this is the function that reads the password. Set a breakpoint here with F2, restart with Ctrl+F2, and execution stops here:
EAX=0012E168: the data window shows this address holds all zeros; it is a 128-byte buffer.
EDI=0012FCB4: also a buffer, containing "//./PhysicalDrive1".
Step over the function. After the call at 00401D9E the buffer EAX pointed to now holds the plaintext password.
At this point the password is found and the cracking task is complete.
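The weakness the write-up exposes is a design flaw rather than a reversing trick: the password itself is written to a disk sector, so whoever can read the sector (or step over the read call) gets it in plaintext, and the client-side comparison is the only thing standing between the user and the data. The following Python is an added example, not code from the DiskLock program or its vendor, contrasting that layout with one that stores only a salt and a PBKDF2 verifier and derives the data key from the password. The 128-byte "sector" is a bytes object, and the field layout, labels and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

SECTOR_SIZE = 128       # the write-up reports a 128-byte password buffer
SALT_LEN = 16
VERIFIER_LEN = 32
ITERATIONS = 200_000    # PBKDF2 work factor; constructed value, tune for the target platform


# ---- weak design: the sector stores the password itself ----------------------
def weak_write_sector(password: str) -> bytes:
    """Write the password as a NUL-terminated UTF-16LE string, padded to the sector size."""
    data = password.encode("utf-16-le") + b"\x00\x00"
    return data.ljust(SECTOR_SIZE, b"\x00")


def weak_recover(sector: bytes) -> str:
    """Anyone who can read the raw sector gets the password back; no guessing needed."""
    return sector.decode("utf-16-le").split("\x00", 1)[0]


def weak_check(sector: bytes, attempt: str) -> bool:
    """Plaintext compared with plaintext: the data is only as safe as this one branch."""
    return weak_recover(sector) == attempt


# ---- hardened design: the sector stores a salt and a verifier only -------------
def strong_write_sector(password: str, salt: Optional[bytes] = None) -> bytes:
    """Store salt || PBKDF2-HMAC-SHA256 verifier. The password itself never touches the disk."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    verifier = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), b"verify" + salt, ITERATIONS)
    return (salt + verifier).ljust(SECTOR_SIZE, b"\x00")


def strong_check(sector: bytes, attempt: str) -> bool:
    """Recompute the verifier from the attempt and compare in constant time."""
    salt = sector[:SALT_LEN]
    verifier = sector[SALT_LEN:SALT_LEN + VERIFIER_LEN]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), b"verify" + salt, ITERATIONS)
    return hmac.compare_digest(candidate, verifier)


def data_key(sector: bytes, password: str) -> bytes:
    """Key for the partition contents, derived from the password under a separate label.

    Patching strong_check gains nothing: without the password this key cannot be computed,
    and the sector holds neither the password nor the key.
    """
    salt = sector[:SALT_LEN]
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"key" + salt, ITERATIONS)


if __name__ == "__main__":
    pw = "Pa55word"  # constructed sample password
    weak = weak_write_sector(pw)
    print("weak sector leaks:", weak_recover(weak))
    strong = strong_write_sector(pw)
    print("strong sector contains password bytes:", pw.encode("utf-16-le") in strong)
    print("strong check ok/wrong:", strong_check(strong, pw), strong_check(strong, "wrong"))
```

The point of data_key is that a verifier on its own still leaves a single branch to patch, exactly as the rest of this write-up goes on to do with wcslen and MessageBox; binding the partition key to the password removes the shortcut, because there is no stored value left to read out or compare against.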
Next, modify the program so that it pops up a MessageBox showing the password by itself.
Back at the same place, a little further down there is a call to wcslen that computes the password length; the patch will go there.
To call MessageBox we need the function's address. Open the program in LordPE:
LordPE → PE Editor → Directories → Import Table. In the upper pane find user32.dll, in the lower pane find MessageBoxW, tick FirstThunk, and note the function address 002203a0.
We also need to know MessageBox's parameters.
From MSDN:
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
With the above information we can now modify the program so that it displays the password by itself.
Look at 00401DBC: PUSH ECX / CALL DWORD PTR DS:[<&MSVCRT.wcslen>]. Here ECX is the address of the buffer holding the password, so it can be used directly as MessageBox's lpText parameter.
OK, start modifying: move the cursor to 00401DBC, press the space bar, and enter the following instructions in order (stdcall pushes the arguments right to left, so uType goes first and hWnd last):
Push 0 ; uType: the MB_OK macro is 0
Push 0 ; lpCaption
Push ecx ; lpText (the password buffer)
Push 0 ; hWnd
CALL DWORD PTR DS:[6203A0] ; 6203A0 = 002203a0 plus the image base 00400000
CALL DWORD PTR DS:[6200B8] ; this is the exit function in msvcrt.dll
After the MessageBox has been shown, exit is called to quit.
Done. Save, run, and the password is displayed.