A detailed look at how network verification (网络验证) is implemented in Easy Language (易语言)
Easy Language is essentially a wrapper language: what it compiles is a thin layer of generated code around its own runtime library (the krnln module that shows up later in the listings).
Before version 5.0 every program was built with the IDE's own compile mode, which sits on top of a C++ toolchain.
It is written mostly with Chinese keywords and is very popular with beginners, so I recommend having a look at it.
Think of an Easy Language program as a person wearing clothes: to see what is inside you first have to take the clothes off, which is not much different from dealing with a packer (壳).
00445151 >/$  55              push ebp                        ; entry point once the program is loaded
00445152 |.   8BEC            mov ebp,esp
00445154 |.   6AFF            push -0x1
00445156 |.   6870AD4600      push 1111.0046AD70
0044515B |.   685C994400      push 1111.0044995C              ; SE handler installation
00445160 |.   64:A10000000>   mov eax,dword ptr fs:[0]
00445166 |.   50              push eax
00445167 |.   64:892500000>   mov dword ptr fs:[0],esp
0044516E |.   83EC58          sub esp,0x58
00445171 |.   53              push ebx
00445172 |.   56              push esi
00445173 |.   57              push edi                        ; ntdll.7C930738
00445174 |.   8965E8          mov [local.6],esp
Binary search: the byte sequence FC DB E3 (cld; finit) is a quick way to recognise an Easy Language binary.
Run the program, open the Executable modules window (Alt+E), pick the main module, and search for that binary string (Ctrl+B in the CPU window). You land in the following code:
004198A1      59              pop ecx
004198A2      49              dec ecx
004198A3    ^ 75EB            jnz short 六开挤线.00419890
004198A5      E8A8000000      call 六开挤线.00419952
004198AA      83C404          add esp,0x4
004198AD      8B1D18754C00    mov ebx,dword ptr ds:[0x4C7518]
004198B3      85DB            test ebx,ebx
004198B5      7409            je short 六开挤线.004198C0
004198B7      53              push ebx
004198B8      E895000000      call 六开挤线.00419952
004198BD      83C404          add esp,0x4
004198C0      8B1D1C754C00    mov ebx,dword ptr ds:[0x4C751C]
004198C6      53              push ebx
004198C7      E886000000      call 六开挤线.00419952
004198CC      83C404          add esp,0x4
004198CF      8B1D20754C00    mov ebx,dword ptr ds:[0x4C7520]
004198D5      53              push ebx
004198D6      E877000000      call 六开挤线.00419952
004198DB      83C404          add esp,0x4
004198DE      8B1D24754C00    mov ebx,dword ptr ds:[0x4C7524]
004198E4      85DB            test ebx,ebx
004198E6      7409            je short 六开挤线.004198F1
004198E8      53              push ebx
004198E9      E864000000      call 六开挤线.00419952
004198EE      83C404          add esp,0x4
004198F1      8B1D30754C00    mov ebx,dword ptr ds:[0x4C7530]
004198F7      53              push ebx
004198F8      E855000000      call 六开挤线.00419952
004198FD      83C404          add esp,0x4
00419900      8B1D34754C00    mov ebx,dword ptr ds:[0x4C7534]
00419906      53              push ebx
00419907      E846000000      call 六开挤线.00419952
0041990C      83C404          add esp,0x4
0041990F      C3              retn
00419910      B806000000      mov eax,0x6
00419915      E832000000      call 六开挤线.0041994C
0041991A      FC              cld                             ; FC DB E3: the bytes the binary search hits
0041991B      DBE3            finit
0041991D      E833FDFFFF      call 六开挤线.00419655
00419922      68F1974100      push 六开挤线.004197F1
00419927      B803000000      mov eax,0x3
0041992C      E81B000000      call 六开挤线.0041994C
00419931      83C404          add esp,0x4
00419934      E8E5E8FFFF      call 六开挤线.0041821E
00419939      E8C676FEFF      call 六开挤线.00401004
0041993E      E803000000      call 六开挤线.00419946
00419943      33C0            xor eax,eax
00419945      C3              retn
00419946      FF2564AA4900    jmp dword ptr ds:[0x49AA64]     ; 六开挤线.0043B7C0
0041994C      FF256CAA4900    jmp dword ptr ds:[0x49AA6C]     ; 六开挤线.0043B3A0
00419952      FF255CAA4900    jmp dword ptr ds:[0x49AA5C]     ; 六开挤线.0043B960
00419958      FF2554AA4900    jmp dword ptr ds:[0x49AA54]     ; 六开挤线.0043B830
0041995E      FF2548AA4900    jmp dword ptr ds:[0x49AA48]     ; 六开挤线.0043B420
00419964      FF254CAA4900    jmp dword ptr ds:[0x49AA4C]     ; 六开挤线.0043B770
0041996A      FF2550AA4900    jmp dword ptr ds:[0x49AA50]     ; 六开挤线.0043B790
00419970      FF2540AA4900    jmp dword ptr ds:[0x49AA40]     ; 六开挤线.0043B3D0
00419976      FF253CAA4900    jmp dword ptr ds:[0x49AA3C]     ; 六开挤线.0043B750
0041997C      FF2544AA4900    jmp dword ptr ds:[0x49AA44]     ; 六开挤线.0043B3E0
00419982      FF2558AA4900    jmp dword ptr ds:[0x49AA58]     ; 六开挤线.0043B8A0
The code above is what we will call the E runtime stub (易原体) for short.
Now let us rank the common network verification products by strength.
First, of course, is
可可验证 (Keke verification)
Used overwhelmingly in DNF (Dungeon & Fighter) cheats.
飘零网络验证 (Piaoling network verification)
Early versions of 飘零 could be cloned all the way down to the management end.
CC网络验证 (CC network verification)
Comparatively simple, but its author has a mean streak: the stock CC build ships with disk-formatting code.
小烦's network verification
Simpler still, and it has a database vulnerability.
Once we have worked out which of the common verification products is in use, it pays to first find an unpacked copy of that product and trace it, then apply the same approach to the target.
UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
This one carries no appended data (overlay), so it was compiled with a 5.xx version, that is, one for which no automatic unpacker exists.
UPX itself is easy and there are unpackers for it; if it turns out to be VMProtect, brace yourself for pain.
After unpacking a program, the first step should not be to run it to see whether it still works: if there is an integrity check, that one click is where you die.
0041CF7B  .   50              push eax                        ; /Style = MB_OKCANCEL|MB_APPLMODAL
0041CF7C  .   52              push edx                        ; |Title = ""
0041CF7D  .   51              push ecx                        ; |Text = "?"
0041CF7E  .   6A00            push 0x0                        ; |hOwner = NULL
0041CF80  .   FF1518754900    call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
0041CF86  .   5F              pop edi                         ; 六开挤线.0041BA91
0041CF87  .   83F803          cmp eax,0x3                     ; switch (cases 2..7)
0041CF8A  .   5E              pop esi                         ; 六开挤线.0041BA91
0041CF8B  .   750F            jnz short 六开挤线.0041CF9C     ; this is where we land after the message box returns
0041CF8D  .   8B4C2468        mov ecx,dword ptr ss:[esp+0x68] ; case 3 of switch 0041CF87
0041CF91  .   B802000000      mov eax,0x2
0041CF96  .   8901            mov dword ptr ds:[ecx],eax
0041CF98  .   83C464          add esp,0x64
0041CF9B  .   C3              retn
After returning up the call stack, every Easy Language program stops at a spot like this, though that holds only for the message box.
Flip the Z flag so the jump is not taken, or single-step through it a few more times.
00415728 >\   6A00            push 0x0
0041572A  .   6A00            push 0x0
0041572C  .   6A00            push 0x0
0041572E  .   6801030080      push 0x80000301
00415733  .   6A00            push 0x0
00415735  .   6800000100      push 0x10000                    ; UNICODE "=::=::\"
0041573A  .   6804000080      push 0x80000004
0041573F  .   6A00            push 0x0
00415741  .   6884D64900      push 六开挤线.0049D684           ; "启动线程失败,内部错误。" (failed to start thread, internal error)
00415746  .   6803000000      push 0x3
0041574B  .   BBE0CE4100      mov ebx,六开挤线.0041CEE0
00415750  .   E809420000      call 六开挤线.0041995E
00415755  .   83C428          add esp,0x28
--------------------------------------------------------------------------
004156A5  .   6802000080      push 0x80000002
004156AA  .   6A00            push 0x0
004156AC  .   6800000000      push 0x0
004156B1  .   6A00            push 0x0
004156B3  .   6A00            push 0x0
004156B5  .   6A00            push 0x0
004156B7  .   6801000100      push 0x10001
004156BC  .   FF35D4744C00    push dword ptr ds:[0x4C74D4]
004156C2  .   FF35D0744C00    push dword ptr ds:[0x4C74D0]
004156C8  .   6803000000      push 0x3
004156CD  .   BBD09E4100      mov ebx,六开挤线.00419ED0
004156D2  .   E887420000      call 六开挤线.0041995E
004156D7  .   83C428          add esp,0x28
004156DA  .   6A00            push 0x0
004156DC  .   6802000000      push 0x2
004156E1  .   6AFF            push -0x1
004156E3  .   6A12            push 0x12
004156E5  .   68E6A90206      push 0x602A9E6
004156EA  .   687F9F0252      push 0x52029F7F
004156EF  .   E876420000      call 六开挤线.0041996A
004156F4  .   83C418          add esp,0x18
004156F7  .   6A00            push 0x0
004156F9  .   6800000000      push 0x0
004156FE  .   6AFF            push -0x1
00415700  .   6A05            push 0x5
00415702  .   68E6A90206      push 0x602A9E6
00415707  .   687F9F0252      push 0x52029F7F
0041570C  .   E859420000      call 六开挤线.0041996A
00415711  .   83C418          add esp,0x18
00415714  .   E80B79FFFF      call 六开挤线.0040D024
00415719  .   E8C594FFFF      call 六开挤线.0040EBE3
Code like this is what we call a window event; anyone who has tinkered with the older Easy Language versions knows it well.
Once we can lock on to the window event, we can simply make one big jump over the whole thing.
How to find Easy Language button events
Search for the binary string
FF 55 FC 5F 5E (call dword ptr [ebp-4]; pop edi; pop esi)
00402A70 |.   F6C401          test ah,0x1
00402A73 |.   7402            je short 六开挤线.00402A77
00402A75 |.   D9E0            fchs
00402A77 |>   DC1D63AC4900    fcomp qword ptr ds:[0x49AC63]
00402A7D |.   DFE0            fstsw ax
00402A7F |.   F6C441          test ah,0x41
00402A82 |.   0F8404000000    je 六开挤线.00402A8C           ; when Easy Language compares floating-point values, make this JE below TEST AH,0x41 fall through instead of jumping
00402A88 |.   33C0            xor eax,eax
00402A8A |.   EB05            jmp short 六开挤线.00402A91
Easy Language's far jumps, and its JE/JNZ pairs, are what need the closest attention.
0043B880      55              push ebp
0043B881 |.   8BEC            mov ebp,esp
0043B883 |.   8B4508          mov eax,[arg.1]                 ; 六开挤线.004D3690
0043B886 |.   50              push eax
0043B887 |.   B960364D00      mov ecx,六开挤线.004D3660
0043B88C |.   E8FF85FFFF      call 六开挤线.00433E90
0043B891 |.   8B4D08          mov ecx,[arg.1]                 ; 六开挤线.004D3690
0043B894 |.   51              push ecx                        ; /ExitCode = BD8B88
0043B895 \.   FF1590724900    call dword ptr ds:[<&KERNEL32.ExitProcess>] ; \ExitProcess
0043B89B  .   5D              pop ebp                         ; user32.77D191AE
0043B89C  .   C3              retn
Patch 0043B880 to a RETN and the hidden exit trap (暗桩) is dealt with.
Binary signature of the string-compare routine (search for this byte string):
85C9750933C0803A00740140C3F7C20300000075378B023A01752B0AC074243A
610175220AE4741BC1E8103A410275160AC0740F3A6103750D83C10483C2040A
E475D233C0C31BC0D1E040C3
004022F8 |>\  85C9            test ecx,ecx
004022FA |.   7509            jnz short 六开挤线.00402305
004022FC |.   33C0            xor eax,eax
004022FE |.   803A00          cmp byte ptr ds:[edx],0x0
00402301 |.   7401            je short 六开挤线.00402304
00402303 |.   40              inc eax
00402304 |>   C3              retn
00402305 |>   F7C203000000    test edx,0x3
0040230B |.   7537            jnz short 六开挤线.00402344
0040230D |>   8B02            /mov eax,dword ptr ds:[edx]
0040230F |.   3A01            |cmp al,byte ptr ds:[ecx]
00402311 |.   752B            |jnz short 六开挤线.0040233E
00402313 |.   0AC0            |or al,al
00402315 |.   7424            |je short 六开挤线.0040233B
00402317 |.   3A6101          |cmp ah,byte ptr ds:[ecx+0x1]
0040231A |.   7522            |jnz short 六开挤线.0040233E
0040231C |.   0AE4            |or ah,ah
0040231E |.   741B            |je short 六开挤线.0040233B
00402320 |.   C1E810          |shr eax,0x10
00402323 |.   3A4102          |cmp al,byte ptr ds:[ecx+0x2]
00402326 |.   7516            |jnz short 六开挤线.0040233E
00402328 |.   0AC0            |or al,al
0040232A |.   740F            |je short 六开挤线.0040233B
0040232C |.   3A6103          |cmp ah,byte ptr ds:[ecx+0x3]
0040232F |.   750D            |jnz short 六开挤线.0040233E
00402331 |.   83C104          |add ecx,0x4
00402334 |.   83C204          |add edx,0x4
00402337 |.   0AE4            |or ah,ah
00402339 |.^  75D2            \jnz short 六开挤线.0040230D
0040233B |>   33C0            xor eax,eax                     ; steer the jumps here and the routine returns 0 (strings equal)
0040233D |.   C3              retn
0040233E |>   1BC0            sbb eax,eax                     ; landing here returns 1, or -1 if the last cmp set CF (strings differ)
00402340 |.   D1E0            shl eax,1
00402342 |.   40              inc eax
00402343 |.   C3              retn
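The script below is an added example (not code from the original post, and not any verification product's code) that turns the manual steps of this write-up into something repeatable: it scans a raw byte buffer for the signatures quoted here (FC DB E3 for the runtime stub found with the binary search, FF 55 FC 5F 5E for the button-event dispatch, the ExitProcess stub at 0043B880, and the 76-byte string-compare routine whose signature and listing appear just above), models what that compare routine returns, and applies the two patches the text describes: the compare's entry becomes `xor eax,eax; retn` so every comparison reports "equal", and the exit stub's entry becomes `retn`. The wildcard pattern for the exit stub is my own generalization of the bytes at 0043B880 with the immediates masked; the sample buffer is constructed from the opcode bytes in the listings, not taken from a real binary; and the offsets it reports are raw buffer offsets, so on a real (unpacked) PE you still map them to virtual addresses through the section table.

```python
"""Easy Language (易语言) signature scan and patch helper.

Added example for this write-up, not code from the original post or from any
verification product. Works on a raw byte buffer; the sample buffer is
constructed from opcode bytes quoted in the listings, not from a real binary.
"""

# Byte signatures quoted in the write-up. "??" is a wildcard for bytes that
# change between builds (addresses, call displacements).
SIGNATURES = {
    # cld ; finit  -- the runtime stub (易原体) found with the search key FCDBE3
    "runtime_init": "FC DB E3",
    # call dword ptr [ebp-4] ; pop edi ; pop esi  -- button/window event dispatch
    "event_dispatch": "FF 55 FC 5F 5E",
    # push ebp ; mov ebp,esp ; mov eax,[ebp+8] ; push eax ; mov ecx,imm32 ;
    # call rel32 ; mov ecx,[ebp+8] ; push ecx ; call [ExitProcess]
    # (the exit trap at 0043B880; immediates wildcarded -- my generalization)
    "exit_stub": "55 8B EC 8B 45 08 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? "
                 "8B 4D 08 51 FF 15 ?? ?? ?? ??",
    # the 76-byte string-compare routine at 004022F8, exactly as quoted
    "str_compare": "85 C9 75 09 33 C0 80 3A 00 74 01 40 C3 F7 C2 03 00 00 00 75 37 "
                   "8B 02 3A 01 75 2B 0A C0 74 24 3A 61 01 75 22 0A E4 74 1B "
                   "C1 E8 10 3A 41 02 75 16 0A C0 74 0F 3A 61 03 75 0D "
                   "83 C1 04 83 C2 04 0A E4 75 D2 33 C0 C3 1B C0 D1 E0 40 C3",
}

XOR_EAX_RETN = bytes.fromhex("33C0C3")  # xor eax,eax ; retn  (compare says "equal")
RETN = bytes.fromhex("C3")              # retn  (exit stub does nothing)


def parse_sig(sig: str) -> list:
    """'FC ?? E3' -> [0xFC, None, 0xE3]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_all(buf: bytes, sig: str) -> list:
    """Offsets of every match of sig in buf (same idea as OllyDbg's binary search)."""
    pat = parse_sig(sig)
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pat))]


def e_strcmp(s: bytes, t) -> int:
    """Model of the 004022F8 routine with edx=s and ecx=t (t may be None for NULL).

    Returns 0 when both NUL-terminated strings are equal (the xor eax,eax exit
    at 0040233B). Otherwise sbb eax,eax / shl eax,1 / inc eax at 0040233E gives
    -1 when the first differing byte of s is below t's (CF set) and 1 when it
    is above. A NULL t (test ecx,ecx) returns 1 for a non-empty s, else 0.
    Only the dword-aligned loop shown in the listing is modelled.
    """
    if t is None:
        return 0 if s[:1] in (b"", b"\0") else 1
    i = 0
    while True:
        a = s[i] if i < len(s) else 0    # past the end behaves as the NUL terminator
        b = t[i] if i < len(t) else 0
        if a != b:
            return -1 if a < b else 1
        if a == 0:
            return 0
        i += 1


def patch_at(buf: bytearray, offset: int, new: bytes) -> None:
    """Overwrite bytes in place (the same edit you would make in the hex view)."""
    buf[offset:offset + len(new)] = new


def locate_and_patch(buf: bytearray) -> dict:
    """Find every signature, then neuter the string compare and the exit stub."""
    hits = {name: find_all(buf, sig) for name, sig in SIGNATURES.items()}
    for off in hits["str_compare"]:
        patch_at(buf, off, XOR_EAX_RETN)   # every comparison now reports "equal"
    for off in hits["exit_stub"]:
        patch_at(buf, off, RETN)           # the hidden ExitProcess call is skipped
    return hits


def build_sample() -> bytearray:
    """Constructed buffer: NOP filler around the opcode bytes quoted in the listings."""
    chunks = [
        "B8 06 00 00 00 E8 32 00 00 00 FC DB E3 E8 33 FD FF FF",      # 00419910..0041991D
        "FF 55 FC 5F 5E",                                              # event dispatch
        "55 8B EC 8B 45 08 50 B9 60 36 4D 00 E8 FF 85 FF FF "          # 0043B880..0043B89C
        "8B 4D 08 51 FF 15 90 72 49 00 5D C3",
        SIGNATURES["str_compare"],                                     # 004022F8..00402343
    ]
    buf = bytearray()
    for hexs in chunks:
        buf += b"\x90" * 16 + bytes.fromhex(hexs)
    return buf


if __name__ == "__main__":
    sample = build_sample()
    found = locate_and_patch(sample)
    for name, offs in found.items():
        print(f"{name:15s} at offsets {[hex(o) for o in offs]}")
    print("patched compare entry:", sample[found["str_compare"][0]:][:3].hex())
```

Two cautions before using the patches on a real target. Forcing the shared compare routine to return 0 makes every string comparison in the program succeed, not only the licence check, so the narrower fix is the one the text describes: steer the individual JE/JNZ in the caller you care about. And a bare `retn` at the exit stub's entry leaves its argument on the stack for the caller to clean up, which only works if the caller follows the `call ... ; add esp,0x4` convention seen in the runtime stub; confirm that on the actual call site.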
0040109A |.   68C2920152      push 0x520192C2                 ; we call this the main-window signature
Cracking an Easy Language program comes down to watching EAX.
Watch out for far jumps.
When the following strings are present in the binary, it is an old version.
For old versions, to search for strings you first need to find:
0040118A |$   810424761E00>   add dword ptr ss:[esp],0x1E76
00401191 |.   FFD0            call eax
To find button events, you must search inside the instruction I have selected here.
10028CCE      E84D050300      call krnln.10059220
10028CD3    - FFE0            jmp eax                         ; an EXE enters through EAX here ; 梦幻风霜.00403000
10028CD5      EB0E            jmp short krnln.10028CE5
10028CD7      8B5508          mov edx,dword ptr ss:[ebp+0x8]  ; 梦幻风霜.00403000
10028CDA      52              push edx                        ; ntdll.7C99C0D8
10028CDB      8B4DF8          mov ecx,dword ptr ss:[ebp-0x8]  ; krnln.1002979B
10028CDE      E83D050300      call krnln.10059220
10028CE3      FFD0            call eax                        ; a DLL enters here ; 梦幻风霜.00403000
When the error shown in the screenshot appears, first lock on to addresses like these, the JL and the JNS:
004770CC   /  7C0D            jl short 梦幻风霜.004770DB
004770CE   |  6801000000      push 0x1
004770D3   |  E8BA890000      call 梦幻风霜.0047FA92
004770D8   |  83C404          add esp,0x4
004770DB   \  C1E002          shl eax,0x2
Segment A always contains a CALL into the segment below it, and whatever calls segment A is always the segment above it.