📄 crackme.cpp
字号:
// ---------------------------------------------------------------------------------------------------
// ThunderPwr of ARTeam Serial Sniffer
// ---------------------------------------------------------------------------------------------------
// Target name : CrackMeVB
// Target version : 1.0
// Target build : -
// Target web site: -
// ---------------------------------------------------------------------------------------------------
// Version 1
// Release 0
// ---------------------------------------------------------------------------------------------------
// 31/05/2005 first release
// ---------------------------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
// ---------------------------------------------------------------------------------------------------
// General target information
// ---------------------------------------------------------------------------------------------------
char szTargetName[]="abex'2nd crackme"; // Target name
char szTargetVersion[]="1.0"; // Target version
char szTargetBuild[]="-"; // Target build (if applicable)
char szTargetURL[]="-"; // Target URL
char szTargetPacker[]="-"; // Target packer
BOOL bDebugStage = true; // Set the debug mode (show the message from loader to user)
BOOL bShowExcpNumber=false; // Exception number flag
BOOL bSystemBreakpoint = false; // System breakpoint
BOOL bFirstEvent = false;
char szVictimProcessName[]="abexcrackme2.exe"; // Program name
char notloaded[]="Process can be loaded :-("; // There is one error into loading process stage
char szMsgText[128]; // Used as a buffer for message to user
char szMsgCapt[]="ARTeam Serial Registration Code Sniffer"; // Caption for user message box
FARPROC iVictimDLLBaseAddress; // API base address
char szVictimDLLname[]="MSVBVM60.DLL"; // Target DLL
char szVictimDLLfunc[]="__vbaVarTstEq"; // Target function where we have to break
char szFakeSerial[128]; // Buffer for the fake serial
char szRightSerial[128]; // Buffer for the right serial
#define IMAXINDEX 1 // Max number of byte to patch (standard patching)
int index = 0; // Used to keep the current patch
// ---------------------------------------------------------------------------------------------------
// Definition for the patch vector data this vector must be filled
// with your patching data byte, take care to fill it with coerence
// to the address and original data
// ---------------------------------------------------------------------------------------------------
int iPatchData[IMAXINDEX] = { 0xCC }; // INT3 instruction
// ---------------------------------------------------------------------------------------------------
// Definition for the original target data byte vector, this must be filled
// with original target data byte, take care to fill it with coerence
// to the address data.
// ---------------------------------------------------------------------------------------------------
int iOridata[IMAXINDEX] = { 0x83 }; // for MSVBVM60.DLL, use 0x55 for MSVBVM50.DLL
int iOridataRead;
int iOridataReadOne;
int iOridataReadTwo;
// ---------------------------------------------------------------------------------------------------
// Definition about the address where to apply the patches.
// ---------------------------------------------------------------------------------------------------
DWORD dwPatchaddr[IMAXINDEX] = { 0x00};
// ---------------------------------------------------------------------------------------------------
// Exception counter
// ---------------------------------------------------------------------------------------------------
char iExceptionCounter = 0; // Global exception counter
char iLocalExcpCtr = 0; // Local exception counter (used to know when second POPFD is reached)
// ---------------------------------------------------------------------------------------------------
// Setting up the process structure (victim)
// ---------------------------------------------------------------------------------------------------
STARTUPINFO startupinfo;
PROCESS_INFORMATION processinfo;
CONTEXT victimContext;
HANDLE hVictimThreadHandle;
// ---------------------------------------------------------------------------------------------------
// PSAPI parameters and function declaration
// ---------------------------------------------------------------------------------------------------
HINSTANCE hPsapi = 0;
typedef struct _MODULEINFO
{
LPVOID lpBaseOfDll;
DWORD SizeOfImage;
LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;
BOOL (WINAPI *pEnumProcessModules)(HANDLE, HMODULE *, DWORD, LPDWORD);
DWORD (WINAPI *pGetModuleBaseName)(HANDLE, HMODULE, LPTSTR, DWORD);
BOOL (WINAPI *pGetModuleInformation)(HANDLE, HMODULE, LPMODULEINFO, DWORD);
BOOL (WINAPI *pEnumProcesses)(DWORD*, DWORD, DWORD*);
// ---------------------------------------------------------------------------------------------------
// IsDebuggerPresent patching routine
// ---------------------------------------------------------------------------------------------------
typedef LONG NTSTATUS;
typedef int WINBOOL;
#define STDCALL _stdcall
bool HideDebugger(HANDLE thread, HANDLE hproc)
{
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_SEGMENTS;
if (!GetThreadContext(thread, &ctx))
return false;
LDT_ENTRY sel;
if (!GetThreadSelectorEntry(thread, ctx.SegFs, &sel))
return false;
DWORD fsbase = (sel.HighWord.Bytes.BaseHi << 8| sel.HighWord.Bytes.BaseMid) << 16 | sel.BaseLow;
DWORD RVApeb;
SIZE_T numread;
if (!ReadProcessMemory(hproc, (LPCVOID)(fsbase + 0x30), &RVApeb, 4, &numread) || numread != 4)
return false;
WORD beingDebugged;
if (!ReadProcessMemory(hproc, (LPCVOID)(RVApeb + 2), &beingDebugged, 2, &numread) || numread != 2)
return false;
beingDebugged = 0;
if (!WriteProcessMemory(hproc, (LPVOID)(RVApeb + 2), &beingDebugged, 2, &numread) || numread != 2)
return false;
return true;
}
// ---------------------------------------------------------------------------------------------------
// GetProcessId patching routine
// ---------------------------------------------------------------------------------------------------
typedef DWORD (STDCALL *fcnGetProcessId)(HANDLE Process);
DWORD GetProcessId(HANDLE Process) {
FARPROC addrIDP;
HINSTANCE hKer;
HANDLE hProcess = GetCurrentProcess();
BYTE rdt[10];
fcnGetProcessId fcn;
hKer = GetModuleHandle("Kernel32");
ZeroMemory(rdt,10);
addrIDP = GetProcAddress(hKer, "GetProcessId");
ReadProcessMemory(hProcess, (LPVOID)addrIDP, (LPVOID)rdt, 10, NULL);
if (addrIDP!=NULL) {
fcn=(fcnGetProcessId)addrIDP;
return fcn(Process);
}
return 0;
}
// ---------------------------------------------------------------------------------------------------
// DebugActiveProcessStop patching routine
// ---------------------------------------------------------------------------------------------------
typedef WINBOOL (STDCALL *fcnDebugActiveProcessStop)(DWORD dwProcessId);
WINBOOL STDCALL DebugActiveProcessStop(DWORD dwProcessId)
{
FARPROC addrIDP;
HINSTANCE hKer;
HANDLE hProcess = GetCurrentProcess();
BYTE rdt[14];
fcnDebugActiveProcessStop fcn;
hKer = GetModuleHandle("Kernel32");
ZeroMemory(rdt,14);
addrIDP = GetProcAddress(hKer, "DebugActiveProcessStop");
ReadProcessMemory(hProcess, (LPVOID)addrIDP, (LPVOID)rdt, 14, NULL);
if (addrIDP!=NULL) {
fcn=(fcnDebugActiveProcessStop)addrIDP;
return fcn(dwProcessId);
}
return 0;
}
// ---------------------------------------------------------------------------------------------------
// EnumAllProcesModule routine
// ---------------------------------------------------------------------------------------------------
FARPROC EnumAllProcesModule(DWORD, char *, BOOL);
FARPROC EnumAllProcesModule (DWORD aVictimProcessId, char * VictimDLLNamePtr, BOOL bDebugFlag)
{
HANDLE hTmpProcess; // Used when target is open by OpenProcess
HMODULE hMods[1024];
DWORD cbNeeded;
char szModName[MAX_PATH];
unsigned int j;
hTmpProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, aVictimProcessId );
if ( pEnumProcessModules(hTmpProcess, hMods, sizeof(hMods), &cbNeeded))
{
for ( j = 0; j < (cbNeeded / sizeof(HMODULE)); j++ )
{
// Get the full path to the module's file.
if ( pGetModuleBaseName( hTmpProcess, hMods[j], szModName, sizeof(szModName)))
{
if (bDebugFlag)
printf("\t%s\t(0x%08X)\n", szModName, hMods[j] );
if (!strcmp(szModName,VictimDLLNamePtr))
return( (FARPROC)hMods[j]);
}
}
}
CloseHandle( hTmpProcess );
return(0);
}
// ---------------------------------------------------------------------------------------------------
// ErrorExit routine
// ---------------------------------------------------------------------------------------------------
void ErrorExit(LPTSTR lpszFunction)
{
TCHAR szBuf[80];
LPVOID lpMsgBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0, NULL );
wsprintf(szBuf,"%s failed with error %d: %s",lpszFunction, dw, lpMsgBuf);
MessageBox(NULL, szBuf, "Error", MB_OK);
LocalFree(lpMsgBuf);
ExitProcess(dw);
}
// ===================================================================================================
// MAIN PROGRAM
// ===================================================================================================
void main()
{
// ------------------------------------------------------------
// Used for find the process ID
// ------------------------------------------------------------
DWORD aProcesses[1024], cbNeeded, cProcesses; // Used for process enumeration
DWORD aVictimProcessId; // Victim process ID
HANDLE hTmpProcess; // Used when target is open by OpenProcess
HMODULE hMod; // Used for process enumeration
DWORD cbNeededTmp;
bool bVictimPIDfound = false; // Flag for PID successfully found
unsigned int i; // Used for for cycle
// ---------------------------------------------------------------
// Welcome message from loader to user is show into the DOS window
// ---------------------------------------------------------------
printf("-------------------------------------------------------------------\n");
printf("ThunderPwr of ARTeam - Serial sniffer\n");
printf("-------------------------------------------------------------------\n");
printf("Target : %s\n",szTargetName);
printf("Version: %s\n",szTargetVersion);
printf("Build : %s\n",szTargetBuild);
printf("URL : %s\n",szTargetURL);
printf("Packer : %s\n",szTargetPacker);
printf("-------------------------------------------------------------------\n");
printf("Loader is working, please wait... \n\n");
// -----------------------------------------
// Check about NT/XP systems
// -----------------------------------------
OSVERSIONINFO osver;
osver.dwOSVersionInfoSize = sizeof(osver);
if (!GetVersionEx(&osver))
return;
if (osver.dwMajorVersion < 4)
{
printf("Sorry, for this tool is needed a NT/XP system\n");
return;
}
// -----------------------------------------
// psapi function
// -----------------------------------------
hPsapi = LoadLibrary("psapi.dll");
if (!hPsapi)
{
printf("Cannot load psapi.dll :-(\n");
return;
}
pEnumProcessModules = (BOOL (WINAPI *)(HANDLE, HMODULE *, DWORD, LPDWORD)) GetProcAddress(hPsapi, "EnumProcessModules");
pGetModuleBaseName = (DWORD (WINAPI *)(HANDLE, HMODULE, LPTSTR, DWORD)) GetProcAddress(hPsapi, "GetModuleBaseNameA");
pGetModuleInformation = (BOOL (WINAPI *)(HANDLE, HMODULE, LPMODULEINFO, DWORD)) GetProcAddress(hPsapi, "GetModuleInformation");
pEnumProcesses = (BOOL (WINAPI *)(DWORD*, DWORD, DWORD*)) GetProcAddress(hPsapi, "EnumProcesses");
if ( (pEnumProcessModules == NULL) || (pGetModuleBaseName == NULL) )
{
printf("Cannot load psapi functions\n");
FreeLibrary(hPsapi);
return;
}
// -----------------------------------------
// Wait for user confirmation
// -----------------------------------------
sprintf(szMsgText,"\tStart the installer and press OK when you are into the registration window");
MessageBox(NULL, szMsgText, szMsgCapt, MB_OK);
printf("now go into the registration\nwindow and insert a fake serial...\n");
// -----------------------------------------
// Get the list of process identifiers.
// -----------------------------------------
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
if ( !pEnumProcesses( aProcesses, (DWORD)sizeof(aProcesses), &cbNeeded ) )
{
if (hPsapi != NULL)
FreeLibrary(hPsapi);
return ;return;
}
cProcesses = cbNeeded / sizeof(DWORD); // Calculate how many process identifiers were returned.
for ( i = 0; i < cProcesses; i++ ) // Print the name and process identifier for each process.
{
hTmpProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] ); // Get a handle to the process.
if (NULL != hTmpProcess ) // Get the process name.
{
if ( pEnumProcessModules( hTmpProcess, &hMod, sizeof(hMod), &cbNeededTmp) )
pGetModuleBaseName( hTmpProcess, hMod, szProcessName, sizeof(szProcessName)/sizeof(TCHAR) );
}
if (bDebugStage)
printf("%s (PID: %u)\n", szProcessName, aProcesses[i] ); // Print the process name and identifier.
if ( strcmp(szProcessName,szVictimProcessName) == 0) // Search for victim process name and retrieve the process ID
{
bVictimPIDfound = true;
aVictimProcessId = aProcesses[i];
}
CloseHandle( hTmpProcess ); // Close the process handle
}
if (bVictimPIDfound == false)
{
MessageBox(NULL, "\tVictim process ID not found!\n You've to start the installation before!", szMsgCapt, MB_OK);
if (hPsapi != NULL)
FreeLibrary(hPsapi);
return ;
}
else
{
if (bDebugStage)
MessageBox(NULL, "\tVictim process ID found!", szMsgCapt, MB_OK);
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -