Patching (爆破) the VB.NET program 輕鬆駕考2004 V1.0

Pediy (看雪) archive, published 2004-07-14

【Cracker】 blue_devil_bomb[DFCG][BCG]
【Author e-mail】 ninesunnine@sina.com
【Author homepage】 www.chinadfcg.com
【Tools used】 ILDASM, HEXWORKSHOP
【Platform】 Win2000
【Software】 輕鬆駕考2004 1.0
【Download】 中國共享軟體註冊中心 (China Shareware Registration Center)
【Software description】 About this software
1.1 System functions
輕鬆駕考2004 is mainly intended to help you become familiar with the questions on the theory test for a motor-vehicle driving licence, so that in a short time you can study and master the material the theory test covers in a targeted way. The system also provides the latest traffic regulations, the current traffic signs, sequential practice and mock tests. We believe that using this system will be of considerable help in passing the theory test.
1.2 System features
This system uses the 2004 edition of the Subject One question bank published by the Ministry of Public Security in July 2004, classified in detail by vehicle type and question type, which makes practice more targeted.
1.3 System requirements
This system is written in VB.NET; the client must have DotNetFX 1.1 and MDAC 2.7 or later installed, preferably has a sound card, and the machine should not be too low-end.
【Size】 160kb
【Packer】 none
【Statement】 I am just a newbie who picked up a little insight and wants to share it with everyone :)
--------------------------------------------------------------------------------
【Cracking details】


    A few days ago a friend was preparing for the driving test and found this program, which requires registration. With no other option, I cracked it. But the program is written in VB.NET, which I had never touched before, so I looked up the relevant articles at Pediy; my thanks go to their authors!
    With the experience of earlier crackers to draw on, we only need to follow their pattern. Since cracking articles on .NET are rare, I dare not keep this to myself, so here it is for everyone to share.
    When started unregistered, the program shows the following:
    [screenshot]
    Some background: first, what we are facing is something completely new, the .NET Framework. What is it, and how does it work? If you disassemble this program with WIN32DASM you will see baffling code, because it is no longer assembly in the traditional sense. It is the core of .NET, MSIL. IL stands for INTERMEDIATE LANGUAGE, an intermediate language similar to PCODE, except that this time every language, VB, VC and C# alike, is compiled to MSIL, which the .NET Framework's JIT then translates at run time into native executable code, giving platform independence. So to crack this kind of program we need something like a PCODE decompiler, and luckily Uncle Microsoft has provided us with a complete, powerful, install-free toolkit :) The most useful piece for us is ILDASM (these tools ship with the .NET FRAMEWORK SDK).
Now that we know the basics, it is time to get to know the language itself. Of course Microsoft's MSDN has everything you could want to know, so I will not go on about it here; go read its tutorials. I will talk about the actual cracking, which is what people like us are interested in :)
First load the program into ILDASM. We quickly get the disassembled code, shown as a tree structure:
[screenshot]
   A very clear structure, entirely class-based. From the names we judge that the frm_reg class is the key. In this class find btn_reg_Click and double-click it to get the following:
.method private instance void  btn_reg_Click(object sender,
                                             class [mscorlib]System.EventArgs e) cil managed
{
  // Code size       513 (0x201)
  .maxstack  6
  .locals init ([0] string Reg,
           [1] string regcode,
           [2] string RegStr,
           [3] class [ADODB]ADODB.Connection cn,
           [4] class [ADODB]ADODB.Recordset rs,
           [5] string sql,
           [6] class [mscorlib]System.Exception err,
           [7] string[] _Vb_t_array_0)
  IL_0000:  nop
  IL_0001:  ldarg.0
  IL_0002:  callvirt   instance class [System.Windows.Forms]System.Windows.Forms.TextBox DSES.frm_reg::get_txt_chr()
  IL_0007:  callvirt   instance string [System.Windows.Forms]System.Windows.Forms.TextBox::get_Text()
  IL_000c:  stloc.0
  IL_000d:  ldloc.0
  IL_000e:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Len(string)
  IL_0013:  ldc.i4.s   29
  IL_0015:  beq.s      IL_0030
  IL_0017:  ldstr      bytearray (79 72 81 5F 01 78 19 95 EF 8B 0C FF E0 65 D5 6C   // yr._.x.......e.l
                                  8C 5B 10 62 E8 6C 8C 51 01 FF )                   // .[.b.l.Q..
  IL_001c:  ldstr      bytearray (19 95 EF 8B ) 
  IL_0021:  ldc.i4.0
  IL_0022:  ldc.i4.s   48
  IL_0024:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string,
                                                                                                                                                     string,
                                                                                                                                                     valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons,
                                                                                                                                                     valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)
  IL_0029:  pop
  IL_002a:  nop
  IL_002b:  br         IL_01ff
  IL_0030:  nop
  IL_0031:  ldc.i4.5
  IL_0032:  newarr     [mscorlib]System.String
  IL_0037:  stloc.s    _Vb_t_array_0
  IL_0039:  ldloc.s    _Vb_t_array_0
  IL_003b:  ldc.i4.0
  IL_003c:  ldloc.0
  IL_003d:  ldc.i4.1
  IL_003e:  ldc.i4.5
  IL_003f:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
                                                                                        int32,
                                                                                        int32)
  IL_0044:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.IntegerType::FromString(string)
  IL_0049:  ldc.i4.1
  IL_004a:  sub.ovf
  IL_004b:  call       char [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::ChrW(int32)
  IL_0050:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromChar(char)
  IL_0055:  stelem.ref
  IL_0056:  nop
  IL_0057:  ldloc.s    _Vb_t_array_0
  IL_0059:  ldc.i4.1
  IL_005a:  ldloc.0
  IL_005b:  ldc.i4.7
  IL_005c:  ldc.i4.5
  IL_005d:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
                                                                                        int32,
                                                                                        int32)
  IL_0062:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.IntegerType::FromString(string)
  IL_0067:  ldc.i4.2
  IL_0068:  sub.ovf
  IL_0069:  call       char [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::ChrW(int32)
  IL_006e:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromChar(char)
  IL_0073:  stelem.ref
  IL_0074:  nop
  IL_0075:  ldloc.s    _Vb_t_array_0
  IL_0077:  ldc.i4.2
  IL_0078:  ldloc.0
  IL_0079:  ldc.i4.s   12
  IL_007b:  ldc.i4.5
  IL_007c:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
                                                                                        int32,
                                                                                        int32)
  IL_0081:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.IntegerType::FromString(string)
  IL_0086:  ldc.i4.3
  IL_0087:  sub.ovf
  IL_0088:  call       char [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::ChrW(int32)
  IL_008d:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromChar(char)
  IL_0092:  stelem.ref
  IL_0093:  nop
  IL_0094:  ldloc.s    _Vb_t_array_0
  IL_0096:  ldc.i4.3
  IL_0097:  ldloc.0
  IL_0098:  ldc.i4.s   19
  IL_009a:  ldc.i4.5
  IL_009b:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
                                                                                        int32,
                                                                                        int32)
  IL_00a0:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.IntegerType::FromString(string)
  IL_00a5:  ldc.i4.4
  IL_00a6:  sub.ovf
  IL_00a7:  call       char [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::ChrW(int32)
  IL_00ac:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromChar(char)
  IL_00b1:  stelem.ref
  IL_00b2:  nop
  IL_00b3:  ldloc.s    _Vb_t_array_0
  IL_00b5:  ldc.i4.4
  IL_00b6:  ldloc.0
  IL_00b7:  ldc.i4.s   25
  IL_00b9:  ldc.i4.5
  IL_00ba:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::Mid(string,
                                                                                        int32,
                                                                                        int32)
  IL_00bf:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.IntegerType::FromString(string)
  IL_00c4:  ldc.i4.5
  IL_00c5:  sub.ovf
  IL_00c6:  call       char [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::ChrW(int32)
  IL_00cb:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromChar(char)
  IL_00d0:  stelem.ref
  IL_00d1:  nop
  IL_00d2:  ldloc.s    _Vb_t_array_0
  IL_00d4:  call       string [mscorlib]System.String::Concat(string[])
  IL_00d9:  stloc.2
  IL_00da:  ldarg.0
  IL_00db:  ldloc.2
  IL_00dc:  callvirt   instance string DSES.frm_reg::CFS(string)
  IL_00e1:  stloc.1
  IL_00e2:  ldarg.0
  IL_00e3:  callvirt   instance class [System.Windows.Forms]System.Windows.Forms.TextBox DSES.frm_reg::get_txt_reg()
  IL_00e8:  callvirt   instance string [System.Windows.Forms]System.Windows.Forms.TextBox::get_Text()
  IL_00ed:  ldloc.1
  IL_00ee:  ldc.i4.0
  IL_00ef:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::StrCmp(string,
                                                                                                              string,
                                                                                                              bool)
  IL_00f4:  /* 16   |                  */ ldc.i4.0
  IL_00f5:  /* 40   | F0000000         */ bne.un     IL_01ea
  IL_00fa:  /* 72   | (70)0006F4       */ ldstr      bytearray (6D 60 9C 55 0C FF E8 6C 8C 51 10 62 9F 52 01 FF   // m`.U...l.Q.b.R..
                                                                F7 8B 00 90 FA 51 6F 8F F6 4E 0E 54 CD 91 B0 65   // .....Qo..N.T...e
                                                                D0 8F 4C 88 6F 8F F6 4E E5 67 0B 77 E8 6C 8C 51   // ..L.o..N.g.w.l.Q
                                                                2F 66 26 54 10 62 9F 52 01 FF )                   // /f&T.b.R..
Using the Character Map that ships with WIN2000 we find that this string means: "Congratulations, registration succeeded! Please exit the program and restart it....."
At IL_00f5 we see bne.un IL_01ea, i.e. if the two strings are not equal, jump to IL_01ea, and the string at IL_01ea means: "Registration code incorrect, cannot complete registration!" We only need to NOP this out, i.e. make it do nothing, and we have succeeded.
Open the program in HEXWORKSHOP, search for the HEX value 1640f000000072f4060070 and change it to 16400000000072f4060070. (Strictly speaking this does not replace the opcode with nops: 40 is bne.un with a 4-byte displacement, and changing that displacement from F0 00 00 00 to 00 00 00 00 makes the branch target the very next instruction, IL_00fa, so execution falls through into the success path whether or not the strings were equal.)
At this point we can take the explosive charge from Dong Cunrui's hands, boom boom boom, and from now on the whole world is at peace.
  IL_00ff:  ldstr      bytearray (6F 8F F6 4E E8 6C 8C 51 )                         // o..N.l.Q
  IL_0104:  ldc.i4.0
  IL_0105:  ldc.i4.s   64
  IL_0107:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string,
                                                                                                                                                     string,
                                                                                                                                                     valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons,
                                                                                                                                                     valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)
  IL_010c:  pop
  IL_010d:  newobj     instance void [ADODB]ADODB.ConnectionClass::.ctor()
  IL_0112:  stloc.3
  IL_0113:  ldloc.3
  IL_0114:  ldsfld     string DSES.frm_main::connstr
  IL_0119:  callvirt   instance void [ADODB]ADODB._Connection::set_ConnectionString(string)
  IL_011e:  nop
  IL_011f:  nop
  .try
  {
    .try
    {
      IL_0120:  ldloc.3
      IL_0121:  ldstr      ""
      IL_0126:  ldstr      ""
      IL_012b:  ldstr      ""
      IL_0130:  ldc.i4.m1
      IL_0131:  callvirt   instance void [ADODB]ADODB._Connection::Open(string,
                                                                        string,
                                                                        string,
                                                                        int32)
      IL_0136:  nop
      IL_0137:  newobj     instance void [ADODB]ADODB.RecordsetClass::.ctor()
      IL_013c:  stloc.s    rs
      IL_013e:  ldstr      "select top 1 * from [system]"
      IL_0143:  stloc.s    sql
      IL_0145:  ldloc.s    rs
      IL_0147:  ldloc.s    sql
      IL_0149:  ldloc.3
      IL_014a:  ldc.i4.1
      IL_014b:  ldc.i4.3
      IL_014c:  ldc.i4.m1
      IL_014d:  callvirt   instance void [ADODB]ADODB._Recordset::Open(object,
                                                                       object,
                                                                       valuetype [ADODB]ADODB.CursorTypeEnum,
                                                                       valuetype [ADODB]ADODB.LockTypeEnum,
                                                                       int32)
      IL_0152:  nop
      IL_0153:  ldloc.s    rs
      IL_0155:  callvirt   instance bool [ADODB]ADODB._Recordset::get_EOF()
      IL_015a:  ldloc.s    rs
      IL_015c:  callvirt   instance bool [ADODB]ADODB._Recordset::get_BOF()
      IL_0161:  and
      IL_0162:  brfalse.s  IL_017f
      IL_0164:  ldstr      bytearray (70 65 6E 63 93 5E 19 95 EF 8B 0C FF B9 70 FB 51   // penc.^.......p.Q
                                      6E 78 9A 5B 00 90 FA 51 01 FF F7 8B C0 68 E5 67   // nx.[...Q.....h.g
                                      FB 7C DF 7E 4D 91 6E 7F 84 76 63 6B 6E 78 27 60   // .|.~M.n..vcknx'`
                                      0C FF 82 59 9C 67 EE 95 98 98 9D 4F 36 71 58 5B   // ...Y.g.....O6qX[
                                      28 57 F7 8B 0E 4E 6F 8F F6 4E 9B 4F 94 5E 46 55   // (W...No..N.O.^FU
                                      54 80 FB 7C 02 30 )                               // T..|.0
      IL_0169:  ldstr      bytearray (FB 7C DF 7E 19 95 EF 8B )                         // .|.~....
      IL_016e:  ldc.i4.0
      IL_016f:  ldc.i4.s   48
      IL_0171:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string,
                                                                                                                                                         string,
                                                                                                                                                         valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons,
                                                                                                                                                         valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)
      IL_0176:  pop
      IL_0177:  nop
      IL_0178:  leave      IL_01ff
      IL_017d:  br.s       IL_01aa
      IL_017f:  nop
      IL_0180:  ldloc.s    rs
      IL_0182:  callvirt   instance class [ADODB]ADODB.Fields [ADODB]ADODB._Recordset::get_Fields()
      IL_0187:  ldstr      "serialno"
      IL_018c:  callvirt   instance class [ADODB]ADODB.Field [ADODB]ADODB.Fields::get_Item(object)
      IL_0191:  ldloc.1
      IL_0192:  callvirt   instance void [ADODB]ADODB.Field::set_Value(object)
      IL_0197:  nop
      IL_0198:  ldloc.s    rs
      IL_019a:  ldsfld     class [mscorlib]System.Reflection.Missing [mscorlib]System.Reflection.Missing::Value
      IL_019f:  ldsfld     class [mscorlib]System.Reflection.Missing [mscorlib]System.Reflection.Missing::Value
      IL_01a4:  callvirt   instance void [ADODB]ADODB._Recordset::Update(object,
                                                                         object)
      IL_01a9:  nop
      IL_01aa:  nop
      IL_01ab:  ldloc.s    rs
      IL_01ad:  callvirt   instance void [ADODB]ADODB._Recordset::Close()
      IL_01b2:  nop
      IL_01b3:  ldnull
      IL_01b4:  stloc.s    rs
      IL_01b6:  leave.s    IL_01e0
    }  // end .try
    catch [mscorlib]System.Exception 
    {
      IL_01b8:  dup
      IL_01b9:  call       void [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(class [mscorlib]System.Exception)
      IL_01be:  stloc.s    err
      IL_01c0:  nop
      IL_01c1:  ldloc.s    err
      IL_01c3:  callvirt   instance string [mscorlib]System.Exception::ToString()
      IL_01c8:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
      IL_01cd:  pop
      IL_01ce:  call       void [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
      IL_01d3:  leave.s    IL_01e0
    }  // end handler
  }  // end .try
  finally
  {
    IL_01d5:  nop
    IL_01d6:  ldloc.3
    IL_01d7:  callvirt   instance void [ADODB]ADODB._Connection::Close()
    IL_01dc:  nop
    IL_01dd:  ldnull
    IL_01de:  stloc.3
    IL_01df:  endfinally
  }  // end handler
  IL_01e0:  nop
  IL_01e1:  ldarg.0
  IL_01e2:  callvirt   instance void [System.Windows.Forms]System.Windows.Forms.Form::Close()
  IL_01e7:  nop
  IL_01e8:  br.s       IL_01fe
  IL_01ea:  nop
  IL_01eb:  ldstr      bytearray (E8 6C 8C 51 01 78 19 95 EF 8B 0C FF E0 65 D5 6C   // .l.Q.x.......e.l
                                  8C 5B 10 62 E8 6C 8C 51 01 FF )                   // .[.b.l.Q..
  The string here means: "Registration code incorrect, cannot complete registration!"

  IL_01f0:  ldstr      bytearray (6F 8F F6 4E E8 6C 8C 51 )                         // o..N.l.Q
  IL_01f5:  ldc.i4.0
  IL_01f6:  ldc.i4.s   48
  IL_01f8:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string,
                                                                                                                                                     string,
                                                                                                                                                     valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons,
                                                                                                                                                     valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)
  IL_01fd:  pop
  IL_01fe:  nop
  IL_01ff:  nop
  IL_0200:  ret
} // end of method frm_reg::btn_reg_Click
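The author decoded the bytearray literals in the listing above by hand with the Character Map. The following added Python example (not code from the original post or from the program) does the same mechanically for a whole ILDASM listing; SAMPLE_LISTING is copied from the ldstr operands shown above.

```python
"""Decode the `bytearray (...)` string literals in an ILDASM listing.

Added example for this write-up, not code from the original post or from the
target program. ILDASM prints a user string as raw UTF-16LE bytes whenever it
is not plain ASCII, which is why the message boxes above appear as hex dumps.
"""
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_BYTEARRAY = re.compile(r"bytearray\s*\(([^)]*)\)", re.S)


def decode_hex_dump(inner: str) -> str:
    """Decode the hex pairs between the parentheses of one bytearray literal."""
    raw = bytes(int(pair, 16) for pair in _HEX_PAIR.findall(inner))
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE string literal")
    return raw.decode("utf-16-le")


def decode_listing(listing: str) -> list:
    """Return every bytearray literal in an ILDASM listing, decoded, in order.

    The '// ...' side comments are stripped first: they hold the ASCII view of
    the same bytes and can contain '(' or ')' that would break the boundaries.
    """
    no_comments = "\n".join(line.split("//", 1)[0] for line in listing.splitlines())
    return [decode_hex_dump(m) for m in _BYTEARRAY.findall(no_comments)]


# Constructed input: three ldstr operands copied from the btn_reg_Click listing.
SAMPLE_LISTING = """\
  IL_0017:  ldstr      bytearray (79 72 81 5F 01 78 19 95 EF 8B 0C FF E0 65 D5 6C   // yr._.x.......e.l
                                  8C 5B 10 62 E8 6C 8C 51 01 FF )                   // .[.b.l.Q..
  IL_001c:  ldstr      bytearray (19 95 EF 8B )
  IL_00fa:  /* 72   | (70)0006F4       */ ldstr      bytearray (6D 60 9C 55 0C FF E8 6C 8C 51 10 62 9F 52 01 FF   // m`.U...l.Q.b.R..
                                                                F7 8B 00 90 FA 51 6F 8F F6 4E 0E 54 CD 91 B0 65   // .....Qo..N.T...e
                                                                D0 8F 4C 88 6F 8F F6 4E E5 67 0B 77 E8 6C 8C 51   // ..L.o..N.g.w.l.Q
                                                                2F 66 26 54 10 62 9F 52 01 FF )                   // /f&T.b.R..
"""

if __name__ == "__main__":
    for text in decode_listing(SAMPLE_LISTING):
        print(text)   # the Chinese text of each MessageBox in the listing
```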
--------------------------------------------------------------------------------
【Cracking summary】
Since this is my first time cracking a .NET program, I have not looked at the algorithm yet; maybe when I have time!
The patch: open the program in HEXWORKSHOP, search for the HEX value 1640f000000072f4060070 and change it to 16400000000072f4060070.
--------------------------------------------------------------------------------
【Copyright】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
