转载：测试用的穷举框架

转载来源：  http://blog.youkuaiyun.com/lostspeed/article/details/53154033

注入DLL

// ExhaustiveDll.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

typedef void (__cdecl* PFN_CalcRegSn)();

DWORD WINAPI ThreadProc(LPVOID lpThreadParameter)
{
    BOOL bFindRegSnOkOnce = FALSE;
    BOOL bGetTimeCostOnce = FALSE;
    DWORD dwTickCostOnce = 0;
    DWORD dwTickBegin = 0;
    DWORD dwTickEnd = 0;
    DWORD dwRetryCnt = 0;
    DWORD dwRetryCntToDispMsg = 0;
    DWORD dwImageBase = 0;
    char* pcMsg_ok = NULL;
    PFN_CalcRegSn pfnCalcRegSn = NULL;
    int iRc = 0;
    DWORD dwUserIn = 0;
    DWORD dwIndex = 0;
    char szBuf[0x100] = {'\0'};
    /*
    000311A5          |.  8B0D 80330300 mov     ecx, dword ptr [33380]           ;  ecx = 22222222
    000311AB          |.  A1 88330300   mov     eax, dword ptr [33388]           ;  eax = 11111111
    000311B0          |.  51            push    ecx                              ;  push 22222222
    000311B1          |.  E8 9AFEFFFF   call    00031050                         ;  fnVerify
    000311B6          |.  83C4 34       add     esp, 34                          ;  平栈
    */
    ::MessageBox(NULL, "提示", "穷举开始", MB_OK);
    dwImageBase = (DWORD)GetModuleHandle(NULL);
    pfnCalcRegSn = (PFN_CalcRegSn)(dwImageBase + 0x1050);
    // 003B11B9  |.  68 78333B00   push test1.003B3378                      ;  ASCII "ok"
    pcMsg_ok = (char*)(dwImageBase + 0x3378);

    // 穷举
    dwTickBegin = GetTickCount();
    for (dwRetryCnt = 0, dwIndex = 0; dwIndex < 0xffffffff; dwIndex++, dwRetryCnt++) {
        dwUserIn = 0x22222222; // 用户输入的注册码, 假设就是要找"22222222"对应的注册码
        __asm {
            mov ecx, dwIndex
            mov eax, dwUserIn
            push ecx
        };
        iRc = 0;
        pfnCalcRegSn();
        __asm {
            mov iRc, eax
            add esp, 4h
        };

        if (!bGetTimeCostOnce) {
            bGetTimeCostOnce = TRUE;
            dwTickEnd = GetTickCount();
            dwTickCostOnce = dwTickEnd - dwTickBegin;
            if (dwTickCostOnce > 1) {
                if (dwTickCostOnce > 30000) {
                    dwRetryCntToDispMsg = 1;
                } else {
                    dwRetryCntToDispMsg = (DWORD)(1.0 * 30000 / dwTickCostOnce);
                }
            } else {
                // 如果注册函数由判断无效不干活的话, 导致无效注册码不计算, 第一次的时间偏短
                // 这个显示信息的时间要估算
                dwRetryCntToDispMsg = 0xfffff;
            }

            sprintf(szBuf, "dwRetryCntToDispMsg = 0x%8.8X, \r\n", dwRetryCntToDispMsg);
            OutputDebugString(szBuf);
        }

        // 003B11B9  |.  68 78333B00   push test1.003B3378                      ;  ASCII "ok"
        if ((1 == iRc)
                && ('o' == *pcMsg_ok)
                && ('k' == *(pcMsg_ok + 1))
                && ('\0' == *(pcMsg_ok + 2))) {
            bFindRegSnOkOnce = TRUE;
            sprintf(szBuf, "找到注册码! => 0x%8.8X\r\n", dwIndex);
            OutputDebugString(szBuf);
        } else if (bGetTimeCostOnce && (dwRetryCnt > dwRetryCntToDispMsg)) {
            // 用来观察程序是否还在跑
            dwRetryCnt = 0;
            sprintf(szBuf, "Finding 0x%8.8X\r\n", dwIndex);
            OutputDebugString(szBuf);
        }
    }

    if (bFindRegSnOkOnce) {
        ::MessageBox(NULL, "找到注册码!", "穷举成功", MB_OK);
    } else {
        ::MessageBox(NULL, "END", "穷举结束", MB_OK);
    }

    return 0;
}

// 如果在OD中跑，用strongOD插件注入DLL
// 如果自己跑，要写个注入DLL的管理程序
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH: {
                    OutputDebugString(">> ExhaustiveDll\r\n");
                    CreateThread(NULL, 0, ThreadProc, NULL, NULL, NULL);
                }
                break;
        case DLL_THREAD_ATTACH:
                break;
        case DLL_THREAD_DETACH:
                break;
        case DLL_PROCESS_DETACH: {
                    OutputDebugString("<< ExhaustiveDll\r\n");
                }
                break;
    }

    return TRUE;
}


 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

管理注入的EXE

// hw.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <tchar.h>
#include <math.h>

#define INJECT_DLL_NAME _T("ExhaustiveDll.dll")
#define CMD_QUIT "quit"

// 注入管理程序用于测试
int main(int argc, char* argv[])
{
    DWORD dwProcessID = 0;
    HANDLE hObjProcess = NULL;
    HANDLE hRemoteThread = NULL;
    char szBuf[_MAX_PATH] = {'\0'};
    LPVOID lpObjProcessBuf = NULL;
    SIZE_T nNumberOfBytesWritten = 0;
    DWORD dwThreadID = 0;

    do {
        printf("请输入要注入进程的PID:");
        scanf("%d", &dwProcessID);
        printf("您输入的PID = %d\r\n", dwProcessID);
        hObjProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);

        if (NULL == hObjProcess) {
            printf("打开进程失败\r\n");
            break;
        }

        lpObjProcessBuf = VirtualAllocEx(hObjProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

        if (NULL == lpObjProcessBuf) {
            printf("在对方进程分配空间失败\r\n");
            break;
        }

        ZeroMemory(szBuf, sizeof(szBuf));
        strcpy(szBuf, INJECT_DLL_NAME);
        if (!WriteProcessMemory(hObjProcess,
                                lpObjProcessBuf,
                                szBuf,
                                sizeof(szBuf),
                                &nNumberOfBytesWritten)) {
            printf("写对方进程失败\r\n");
            break;
        }

        hRemoteThread = CreateRemoteThread(hObjProcess,
                                           NULL,
                                           0,
                                           (LPTHREAD_START_ROUTINE)LoadLibraryA,
                                           (LPTSTR)(LPCTSTR)lpObjProcessBuf,
                                           0,
                                           &dwThreadID);

        if (NULL == hRemoteThread) {
            printf("建立远线程失败\r\n");
            break;
        }

        printf("线程注入成功, 请打开debugview, 观察注入DLL的输出\r\n");

        do {
            printf("\r\n如果要退出程序，请输入%s, 然后回车: ", CMD_QUIT);
            ZeroMemory(szBuf, sizeof(szBuf));
            scanf("%4s", szBuf);

            if (0 == memcmp(szBuf, CMD_QUIT, strlen(CMD_QUIT))) {
                printf("收到退出命令\r\n");
                break;
            }
        } while (1);
    } while (0);

    if (NULL != hRemoteThread) {
        CloseHandle(hRemoteThread);
        hRemoteThread = NULL;
    }

    if (NULL != hObjProcess) {
        CloseHandle(hObjProcess);
        hObjProcess = NULL;
    }

    printf("END\r\n");
    system("pause");
    return 0;
}