Key points from the 三哈 cracking journey:

三哈 is a 图扩散 (diagramming) program.
1. First check the packer to see whether anything has changed: no packer, VC++ class.
2. Go to the install directory and kill the extra files: the update check, the hidden-trap (暗桩) check, the login reminder, the tray prompt, the junk service process, Google login. Sure enough, found the fellows; off to the recycle bin with them.
3. Since I had analyzed this before but my hard drive died, first import the registry key values.

Check with Process Monitor whether they get read; sure enough, they do~~
With the preparation done, we can get started.


It tells me it cannot find the registration information and asks me to reinstall. See this? A quiet thrill.
Why? This is a smokescreen used by many software authors. Think of it the other way round: it is not that nothing was found, but that the registration information it found is wrong, i.e. invalid.
Obviously we can still use the classic skill from last time, the pause method (暂停大法).

Red box, blue circle 1, second-to-last line: follow it over and take a look.
In the order they appear in the call stack you can mark them A1, A2, A3, then set a breakpoint on each!
We Ctrl+F2 to reload once and find that, surprisingly, none of them breaks. But there are many paths, so no need to be too discouraged.
There is an xx.key in the program directory, plus the key information in the registry values mentioned above.
In the current module we search for intermodular calls; there are not many, and none of them is it.
Then press Alt+E to open the module window and see how many license-related ones there are.

See? Obviously the registration process has a network-call part, which can serve as a side quest for studying the registration algorithm.

Meanwhile, F2 breakpoints at the ready.

Same idea, same recipe.
[Asm]

007D6630 | 55    | push ebp                                                | This is the key point! What if al=1; ret here?
007D6631 | 8BEC  | mov ebp,esp                                             |
007D6633 | 6A FF | push FFFFFFFF                                           |
007D6635 | 68 EA | push <三哈.__ehhandler$?CheckRegistrationCore@CThinkWiseA | checks registration info
007D663A | 64:A1 | mov eax,dword ptr fs:[0]                                |
007D6640 | 50    | push eax                                                |
007D6641 | 83EC  | sub esp,34                                              |
007D6644 | 53    | push ebx                                                |
007D6645 | 56    | push esi                                                | esi:class Framework::CThinkWiseApp theApp
007D6646 | 57    | push edi                                                | edi:theApp+560
007D6647 | A1 40 | mov eax,dword ptr ds:[<___security_cookie>]             |
007D664C | 33C5  | xor eax,ebp                                             |
007D664E | 50    | push eax                                                |
007D664F | 8D45  | lea eax,dword ptr ss:[ebp-C]                            |
007D6652 | 64:A3 | mov dword ptr fs:[0],eax                                |
007D6658 | 8BF1  | mov esi,ecx                                             | esi:class Framework::CThinkWiseApp theApp, ecx:class Framework::CThinkWiseApp theApp
007D665A | 33FF  | xor edi,edi                                             | edi:theApp+560
007D665C | 57    | push edi                                                | thinkwise.cpp:3127, edi:theApp+560
007D665D | 56    | push esi                                                | esi:class Framework::CThinkWiseApp theApp
007D665E | 8D4D  | lea ecx,dword ptr ss:[ebp-40]                           | ecx:class Framework::CThinkWiseApp theApp
007D6661 | 897D  | mov dword ptr ss:[ebp-14],edi                           | edi:theApp+560
007D6664 | E8 87 | call <三哈.public: __thiscall Utility::CUserRegKey::CUser |
007D6669 | 57    | push edi                                                | thinkwise.cpp:3142, edi:theApp+560
007D666A | 8D45  | lea eax,dword ptr ss:[ebp-1C]                           |
007D666D | 50    | push eax                                                |
007D666E | 8BCE  | mov ecx,esi                                             | ecx:class Framework::CThinkWiseApp theApp, esi:class Framework::CThinkWiseApp theApp
007D6670 | 897D  | mov dword ptr ss:[ebp-4],edi                            | edi:theApp+560
007D6673 | 89BE  | mov dword ptr ds:[esi+1804],edi                         | esi+1804:theApp+1804, edi:theApp+560
007D6679 | E8 82 | call <三哈.public: class ATL::CStringT<wchar_t,class StrT |
007D667E | 51    | push ecx                                                | ecx:class Framework::CThinkWiseApp theApp
007D667F | 8BCC  | mov ecx,esp                                             | ecx:class Framework::CThinkWiseApp theApp
007D6681 | 8965  | mov dword ptr ss:[ebp-20],esp                           |
007D6684 | 68 C0 | push 三哈.15D67C0                                         | 15D67C0:L"mm.key" ===> jackpot~~
007D6689 | 50    | push eax                                                |
007D668A | BB 01 | mov ebx,1                                               |
007D668F | 51    | push ecx                                                | ecx:class Framework::CThinkWiseApp theApp
007D6690 | C645  | mov byte ptr ss:[ebp-4],1                               |
007D6694 | 895D  | mov dword ptr ss:[ebp-14],ebx                           |
007D6697 | E8 A4 | call <三哈.class ATL::CStringT<wchar_t,class StrTraitMFC< |
007D669C | 83C4  | add esp,C                                               |
007D669F | 8D4D  | lea ecx,dword ptr ss:[ebp-40]                           | ecx:class Framework::CThinkWiseApp theApp
007D66A2 | E8 79 | call <三哈.public: int __thiscall Utility::CUserRegKey::C |
007D66A7 | 3BC7  | cmp eax,edi                                             | edi:theApp+560
007D66A9 | 74 4E | je 三哈.7D66F9                                            |
007D66AB | 57    | push edi                                                | edi:theApp+560
007D66AC | 8D55  | lea edx,dword ptr ss:[ebp-18]                           |
007D66AF | 52    | push edx                                                |
007D66B0 | 8BCE  | mov ecx,esi                                             | ecx:class Framework::CThinkWiseApp theApp, esi:class Framework::CThinkWiseApp theApp
007D66B2 | E8 49 | call <三哈.public: class ATL::CStringT<wchar_t,class StrT |
007D66B7 | 51    | push ecx                                                | ecx:class Framework::CThinkWiseApp theApp
007D66B8 | 8BCC  | mov ecx,esp                                             | ecx:class Framework::CThinkWiseApp theApp
007D66BA | 8965  | mov dword ptr ss:[ebp-20],esp                           |
007D66BD | 68 C0 | push 三哈.15D67C0                                         | 15D67C0:L"mm.key"

Further down.... it links up with the browser information we saw just now....

0071CCF0 | 55    | push ebp                                                | regkey.cpp:1519
0071CCF1 | 8BC3  | mov eax,ebx                                             | ebx:CDlgAuthSEWizPage1::InitNetwork+E2
0071CCF3 | 6A FF | push FFFFFFFF                                           |
0071CCF5 | 68 5B | push <三哈.__ehhandler$?CheckVersion@CUserRegKey@Utility@ |
0071CCFA | 64:A1 | mov eax,dword ptr fs:[0]                                |
0071CD00 | 50    | push eax                                                |
0071CD01 | 81EC  | sub esp,164                                             |
0071CD07 | 53    | push ebx                                                | ebx:CDlgAuthSEWizPage1::InitNetwork+E2
0071CD08 | 56    | push esi                                                |
0071CD09 | 57    | push edi                                                |
0071CD0A | A1 40 | mov eax,dword ptr ds:[<___security_cookie>]             |
0071CD0F | 33C5  | xor eax,ebp                                             |
0071CD11 | 50    | push eax                                                |
0071CD12 | 8D45  | lea eax,dword ptr ss:[ebp-C]                            |
0071CD15 | 64:A3 | mov dword ptr fs:[0],eax                                |
0071CD1B | 8D45  | lea eax,dword ptr ss:[ebp-10]                           | regkey.cpp:1520
0071CD1E | 50    | push eax                                                |
0071CD1F | E8 DC | call <三哈.protected: class ATL::CStringT<wchar_t,class S |
0071CD24 | 8B45  | mov eax,dword ptr ss:[ebp-10]                           | regkey.cpp:1524
0071CD27 | 8378  | cmp dword ptr ds:[eax-C],0                              |
0071CD2B | C745  | mov dword ptr ss:[ebp-4],0                              |
0071CD32 | 75 37 | jne 三哈.71CD6B                                           |
0071CD34 | 83C0  | add eax,FFFFFFF0                                        | regkey.cpp:1526
0071CD37 | C745  | mov dword ptr ss:[ebp-4],FFFFFFFF                       |
0071CD3E | 8D48  | lea ecx,dword ptr ds:[eax+C]                            |
0071CD41 | 83CA  | or edx,FFFFFFFF                                         |
0071CD44 | F0:0F | lock xadd dword ptr ds:[ecx],edx                        |
0071CD48 | 4A    | dec edx                                                 |
0071CD49 | 85D2  | test edx,edx                                            |
0071CD4B | 7F 0A | jg 三哈.71CD57                                            |
0071CD4D | 8B08  | mov ecx,dword ptr ds:[eax]                              |
0071CD4F | 8B11  | mov edx,dword ptr ds:[ecx]                              |
0071CD51 | 50    | push eax                                                |
0071CD52 | 8B42  | mov eax,dword ptr ds:[edx+4]                            |
0071CD55 | FFD0  | call eax                                                |
0071CD57 | 33C0  | xor eax,eax                                             |
0071CD59 | 8B4D  | mov ecx,dword ptr ss:[ebp-C]                            | regkey.cpp:1549
0071CD5C | 64:89 | mov dword ptr fs:[0],ecx                                |
0071CD63 | 59    | pop ecx                                                 |
0071CD64 | 5F    | pop edi                                                 |
0071CD65 | 5E    | pop esi                                                 |
0071CD66 | 5B    | pop ebx                                                 | ebx:CDlgAuthSEWizPage1::InitNetwork+E2
0071CD67 | 8BE5  | mov esp,ebp                                             |
0071CD69 | 5D    | pop ebp                                                 |
0071CD6A | C3    | ret                                                     |
0071CD6B | 6A 04 | push 4                                                  | regkey.cpp:1529
0071CD6D | 6A 00 | push 0                                                  |
0071CD6F | 8D4D  | lea ecx,dword ptr ss:[ebp-14]                           |
0071CD72 | 51    | push ecx                                                |
0071CD73 | 8D4D  | lea ecx,dword ptr ss:[ebp-10]                           |
0071CD76 | E8 55 | call <三哈.public: class ATL::CStringT<wchar_t,class StrT |
0071CD7B | 6A 05 | push 5                                                  | regkey.cpp:1530
0071CD7D | 6A 05 | push 5                                                  |
0071CD7F | 8D55  | lea edx,dword ptr ss:[ebp-1C]                           | [ebp-1C]:CMFCVisualManagerOffice2003::OnDrawMenuBorder+58
0071CD82 | 52    | push edx                                                |
0071CD83 | 8D4D  | lea ecx,dword ptr ss:[ebp-10]                           |
0071CD86 | C645  | mov byte ptr ss:[ebp-4],1                               |
0071CD8A | E8 41 | call <三哈.public: class ATL::CStringT<wchar_t,class StrT |
0071CD8F | 6A 06 | push 6                                                  | regkey.cpp:1531
0071CD91 | 6A 0B | push B                                                  |
0071CD93 | 8D45  | lea eax,dword ptr ss:[ebp-18]                           |
0071CD96 | 50    | push eax                                                |
0071CD97 | 8D4D  | lea ecx,dword ptr ss:[ebp-10]                           |
0071CD9A | C645  | mov byte ptr ss:[ebp-4],2                               |
0071CD9E | E8 2D | call <三哈.public: class ATL::CStringT<wchar_t,class StrT |
0071CDA3 | B3 03 | mov bl,3                                                |
0071CDA5 | 6A 00 | push 0                                                  | regkey.cpp:1533
0071CDA7 | 8D8D  | lea ecx,dword ptr ss:[ebp-170]                          |
0071CDAD | 885D  | mov byte ptr ss:[ebp-4],bl                              |
0071CDB0 | E8 AB | call <三哈.public: __thiscall UI::CDlgRegistration2::CDlg |
0071CDB5 | 8B75  | mov esi,dword ptr ss:[ebp-1C]                           | regkey.cpp:1534, [ebp-1C]:CMFCVisualManagerOffice2003::OnDrawMenuBorder+58
0071CDB8 | 51    | push ecx                                                |
0071CDB9 | 83C6  | add esi,FFFFFFF0                                        |
0071CDBC | 8965  | mov dword ptr ss:[ebp-20],esp                           |
0071CDBF | 8BFC  | mov edi,esp                                             |
0071CDC1 | 56    | push esi                                                |
0071CDC2 | C645  | mov byte ptr ss:[ebp-4],4                               |
0071CDC6 | E8 15 | call <三哈.private: static struct ATL::CStringData * __cd |

007DF1F9 | E8 F2 | call <mm_p4.public: int __thiscall U | "cannot find registration info"; F7 step in, returns 1 ▲
007DF1FE | 391D  | cmp dword ptr ds:[189AA90],ebx       | thinkwise.cpp:1891
007DF204 | 74 10 | je mm_p4.7DF216


Then we click About once more.

And 三哈 is cracked, just like that.

As for the lag when entering the main window, the too-slow startup, we searched for the URL with WinHEX and found the content below.

Changing it that way, however, had no effect.

After the modification the slow-startup problem was still there, but once the ▲ spot above returned 1, this problem was unexpectedly solved as well.

Finally, let's admire the main window: it comes up in under 1 second. All problems fully solved.

THE END