
记一次破解小软件

更多 发布于:2012-02-01 16:32
实验对象:http://down.qiannao.com/space/file/lengyeasu/share/2010/8/1/linglei.rar/.page(我是在这里下载的)。下面说一下我是怎样破解这个水印软件的。
 
由于基础太差,我就不具体分析了。代码中我加的注释可能有错误,朋友们看到了还望指出。
用 OllyICE 载入已脱壳的程序;至于脱壳方法,相信大家比我懂,此处不再啰嗦。
依靠 OllyICE 的字符串参考,在软件的这里设下断点:
 
1.     00538F73 . E8 C0FDFFFF call 00538D38 ; 关键Call
 
2.     00538F78 . 84C0 test al, al
 
 
按 F7 跟进,来到这里(因为基础差,做了很多没用的注释,已经删去):
 
1.     00538D38 /$ 55 push ebp
 
2.     00538D39 |. 8BEC mov ebp, esp
 
3.     00538D3B |. 33C9 xor ecx, ecx
 
4.     00538D3D |. 51 push ecx
 
5.     00538D3E |. 51 push ecx
 
6.     00538D3F |. 51 push ecx
 
7.     00538D40 |. 51 push ecx
 
8.     00538D41 |. 51 push ecx
 
9.     00538D42 |. 53 push ebx
 
10.  00538D43 |. 56 push esi
 
11.  00538D44 |. 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"
 
12.  00538D47 |. 8BD8 mov ebx, eax ; 将eax暂时--ebx eax=00C18148
 
13.  00538D49 |. 8B45 FC mov eax, dword ptr [ebp-4] ; edx---eax ASCII "HsjMakeSign"
 
14.  00538D4C |. E8 B7BDECFF call 00404B08
 
15.  00538D51 |. 33C0 xor eax, eax
 
16.  00538D53 |. 55 push ebp
 
17.  00538D54 |. 68 238E5300 push 00538E23
 
18.  00538D59 |. 64:FF30 push dword ptr fs:[eax]
 
19.  00538D5C |. 64:8920 mov dword ptr fs:[eax], esp
 
20.  00538D5F |. 8D4D F4 lea ecx, dword ptr [ebp-C]
 
21.  00538D62 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx -- "HsjMakeSign"
 
22.  00538D65 |. 8BC3 mov eax, ebx ; 还原ebx--eax
 
23.  00538D67 |. E8 F0FCFFFF call 00538A5C ; 得到软件的机器码数字部分
 
24.  00538D6C |. 8D55 F8 lea edx, dword ptr [ebp-8]
 
25.  00538D6F |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 载入机器码
 
26.  00538D72 |. E8 1DFEFFFF call 00538B94 ; 得到正确的注册码的关键CALL
 
27.  00538D77 |. B9 3C8E5300 mov ecx, 00538E3C ; hsjsoft.ini临时存放机器码
 
28.  00538D7C |. B2 01 mov dl, 1
 
29.  00538D7E |. A1 00C94300 mov eax, dword ptr [43C900]
 
30.  00538D83 |. E8 283CF0FF call 0043C9B0
 
31.  00538D88 |. 8BD8 mov ebx, eax
 
32.  00538D8A |. 6A 00 push 0
 
33.  00538D8C |. 8D45 EC lea eax, dword ptr [ebp-14]
 
34.  00538D8F |. 50 push eax
 
35.  00538D90 |. B9 508E5300 mov ecx, 00538E50 ; reg_code
 
36.  00538D95 |. 8B55 FC mov edx, dword ptr [ebp-4]
 
37.  00538D98 |. 8BC3 mov eax, ebx
 
38.  00538D9A |. 8B30 mov esi, dword ptr [eax]
 
39.  00538D9C |. FF16 call near dword ptr [esi] ; 传递注册数据
 
40.  00538D9E 8B45 EC mov eax, dword ptr [ebp-14] ; 传入用户输入的注册码
 
41.  00538DA1 |. 8D55 F0 lea edx, dword ptr [ebp-10]
 
42.  00538DA4 |. E8 EF01EDFF call 00408F98
 
43.  00538DA9 |. 8BC3 mov eax, ebx
 
44.  00538DAB |. E8 88AAECFF call 00403838
 
45.  00538DB0 |. E8 8BA1ECFF call 00402F40
 
46.  00538DB5 |. B8 20000000 mov eax, 20
 
47.  00538DBA |. E8 8DA4ECFF call 0040324C
 
48.  00538DBF |. 8BD8 mov ebx, eax
 
49.  00538DC1 |. 85DB test ebx, ebx
 
50.  00538DC3 |. 7F 05 jg short 00538DCA
 
51.  00538DC5 |. BB 01000000 mov ebx, 1
 
52.  00538DCA |> 83FB 1E cmp ebx, 1E
 
53.  00538DCD |. 7E 05 jle short 00538DD4
 
54.  00538DCF |. BB 1E000000 mov ebx, 1E
 
55.  00538DD4 |> 8D45 F8 lea eax, dword ptr [ebp-8]
 
56.  00538DD7 |. 50 push eax
 
57.  00538DD8 |. B9 02000000 mov ecx, 2
 
58.  00538DDD |. 8BD3 mov edx, ebx
 
59.  00538DDF |. 8B45 F8 mov eax, dword ptr [ebp-8]
 
60.  00538DE2 |. E8 91BDECFF call 00404B78
 
61.  00538DE7 |. 8D45 F0 lea eax, dword ptr [ebp-10]
 
62.  00538DEA |. 50 push eax
 
63.  00538DEB |. B9 02000000 mov ecx, 2
 
64.  00538DF0 |. 8BD3 mov edx, ebx
 
65.  00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]
 
66.  00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是取任意位置的两数比较
 
67.  00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]
 
68.  00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]
 
69.  00538E00 |. E8 5FBCECFF call 00404A64 ; 判断注册码是否正确
 
70.  00538E05 |. 0F94C3 sete bl
 
71.  00538E08 |. 33C0 xor eax, eax
 
72.  00538E0A |. 5A pop edx
 
73.  00538E0B |. 59 pop ecx
 
74.  00538E0C |. 59 pop ecx
 
75.  00538E0D |. 64:8910 mov dword ptr fs:[eax], edx
 
76.  00538E10 |. 68 2A8E5300 push 00538E2A
 
77.  00538E15 |> 8D45 EC lea eax, dword ptr [ebp-14]
 
78.  00538E18 |. BA 05000000 mov edx, 5
 
79.  00538E1D |. E8 4AB8ECFF call 0040466C
 
80.  00538E22 \. C3 retn
 
81.  00538E23 .^ E9 78B1ECFF jmp 00403FA0
 
82.  00538E28 .^ EB EB jmp short 00538E15
 
83.  00538E2A . 8BC3 mov eax, ebx
 
84.  00538E2C . 5E pop esi
 
85.  00538E2D . 5B pop ebx
 
86.  00538E2E . 8BE5 mov esp, ebp
 
87.  00538E30 . 5D pop ebp
 
88.  00538E31 . C3 retn
 
 
 
在这里动态调试单步走,在 00538D67 处进入,得到软件机器码数字部分的代码:
 
1.     00538A5C $ 55 push ebp ; 机器码获取部分
 
2.     00538A5D . 8BEC mov ebp, esp ; 保存esp至ebp
 
3.     00538A5F . 83C4 D0 add esp, -30
 
4.     00538A62 . 53 push ebx
 
5.     00538A63 . 56 push esi
 
6.     00538A64 . 57 push edi ; edi=0012FE94
 
7.     00538A65 . 33DB xor ebx, ebx ; ebx归零
 
8.     00538A67 . 895D E0 mov dword ptr [ebp-20], ebx
 
9.     00538A6A . 895D F0 mov dword ptr [ebp-10], ebx
 
10.  00538A6D . 895D EC mov dword ptr [ebp-14], ebx
 
11.  00538A70 . 895D E8 mov dword ptr [ebp-18], ebx
 
12.  00538A73 . 895D E4 mov dword ptr [ebp-1C], ebx
 
13.  00538A76 . 895D F4 mov dword ptr [ebp-C], ebx
 
14.  00538A79 . 894D F8 mov dword ptr [ebp-8], ecx
 
15.  00538A7C . 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"
 
16.  00538A7F . 8BD8 mov ebx, eax ; ebx=eax=00C18148
 
17.  00538A81 . 8B45 FC mov eax, dword ptr [ebp-4] ; eax=HsjMakeSign
 
18.  00538A84 . E8 7FC0ECFF call 00404B08 ; 用途未知
 
19.  00538A89 . 33C0 xor eax, eax ; eax清零
 
20.  00538A8B . 55 push ebp ; ebp压入
 
21.  00538A8C . 68 698B5300 push 00538B69 ; 00538B69=00538B69
 
22.  00538A91 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FBC4
 
23.  00538A94 . 64:8920 mov dword ptr fs:[eax], esp ; esp=0012FB74
 
24.  00538A97 . 8B45 F8 mov eax, dword ptr [ebp-8] ; 堆栈ss:[0012FBB4]=0012FBE0
 
25.  00538A9A . E8 A9BBECFF call 00404648
 
26.  00538A9F . 33C0 xor eax, eax ; eax归零
 
27.  00538AA1 . 55 push ebp ; ebp=0012FBBC
 
28.  00538AA2 . 68 0E8B5300 push 00538B0E ; 00538B0E=00538B0E
 
29.  00538AA7 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FB74
 
30.  00538AAA . 64:8920 mov dword ptr fs:[eax], esp
 
31.  00538AAD . FF75 FC push dword ptr [ebp-4] ; 堆栈ss:[0012FBB8]=005472B0 (1.005472B0), ASCII "HsjMakeSign"
 
32.  00538AB0 . 68 808B5300 push 00538B80
 
33.  00538AB5 . 8D45 F0 lea eax, dword ptr [ebp-10] ; 堆栈地址=0012FBAC
 
34.  00538AB8 . E8 63F8FFFF call 00538320 ; 获取机器信息---bios部分
 
35.  00538ABD . FF75 F0 push dword ptr [ebp-10] ; 机器信息(ASCII "BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0")
 
36.  00538AC0 . 68 808B5300 push 00538B80 ; ;
 
37.  00538AC5 . 8D45 EC lea eax, dword ptr [ebp-14] ; 堆栈地址=0012FBA8
 
38.  00538AC8 . E8 87FBFFFF call 00538654 ; 获取机器信息
 
39.  00538ACD . FF75 EC push dword ptr [ebp-14] ; ASCII "DisplayDeviceInfo:Mobile intel(R) 4 Series Express Chipset FamilyMobile Intel(R) 4 Series Express Chipset FamilyNetMeeting driverRDPDD Chained DD
 
40.  00538AD0 . 68 808B5300 push 00538B80 ; ;
 
41.  00538AD5 . 8D45 E8 lea eax, dword ptr [ebp-18]
 
42.  00538AD8 . E8 57FCFFFF call 00538734 ; 获取机器信息---cpu部分
 
43.  00538ADD . FF75 E8 push dword ptr [ebp-18] ; CpuType:GenuineIntel586
 
44.  00538AE0 . 68 808B5300 push 00538B80 ; ;
 
45.  00538AE5 . 8D55 E4 lea edx, dword ptr [ebp-1C]
 
46.  00538AE8 . 8BC3 mov eax, ebx
 
47.  00538AEA . E8 F5FDFFFF call 005388E4 ; 获取机器信息---硬盘id部分
 
48.  00538AEF . FF75 E4 push dword ptr [ebp-1C] ; ASCII DiskId:
 
49.  00538AF2 . 68 808B5300 push 00538B80 ; ;
 
50.  00538AF7 . 8D45 F4 lea eax, dword ptr [ebp-C]
 
51.  00538AFA . BA 0A000000 mov edx, 0A
 
52.  00538AFF . E8 D4BEECFF call 004049D8
 
53.  00538B04 . 33C0 xor eax, eax
 
54.  00538B06 . 5A pop edx
 
55.  00538B07 . 59 pop ecx
 
56.  00538B08 . 59 pop ecx
 
57.  00538B09 . 64:8910 mov dword ptr fs:[eax], edx
 
58.  00538B0C . EB 0A jmp short 00538B18
 
59.  00538B0E .^ E9 D9B1ECFF jmp 00403CEC
 
60.  00538B13 . E8 3CB5ECFF call 00404054
 
61.  00538B18 > 68 8C8B5300 push 00538B8C ; 6.0;
 
62.  00538B1D . FF75 FC push dword ptr [ebp-4]
 
63.  00538B20 . 8D55 D0 lea edx, dword ptr [ebp-30] ; 下一步就将机器信息汇总
 
64.  00538B23 . 8B45 F4 mov eax, dword ptr [ebp-C] ; HsjMakeSign;BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0;DisplayDeviceInfo:Mobile Intel(R) 4 Series Express Chipset FamilyM
 
65.  00538B26 . E8 EDE6FFFF call 00537218
 
66.  00538B2B . 8D45 D0 lea eax, dword ptr [ebp-30]
 
67.  00538B2E . 8D55 E0 lea edx, dword ptr [ebp-20] ; edx此时存放有机器信息
 
68.  00538B31 . E8 56E7FFFF call 0053728C ; 计算得到机器码的关键Call
 
69.  00538B36 . FF75 E0 push dword ptr [ebp-20]
 
70.  00538B39 . 8B45 F8 mov eax, dword ptr [ebp-8]
 
71.  00538B3C . BA 03000000 mov edx, 3
 
72.  00538B41 . E8 92BEECFF call 004049D8
 
73.  00538B46 . 33C0 xor eax, eax
 
74.  00538B48 . 5A pop edx
 
75.  00538B49 . 59 pop ecx
 
76.  00538B4A . 59 pop ecx
 
77.  00538B4B . 64:8910 mov dword ptr fs:[eax], edx
 
78.  00538B4E . 68 708B5300 push 00538B70
 
79.  00538B53 > 8D45 E0 lea eax, dword ptr [ebp-20]
 
80.  00538B56 . BA 06000000 mov edx, 6
 
81.  00538B5B . E8 0CBBECFF call 0040466C
 
82.  00538B60 . 8D45 FC lea eax, dword ptr [ebp-4]
 
83.  00538B63 . E8 E0BAECFF call 00404648
 
84.  00538B68 . C3 retn
 
85.  00538B69 .^ E9 32B4ECFF jmp 00403FA0
 
86.  00538B6E .^ EB E3 jmp short 00538B53
 
87.  00538B70 . 5F pop edi
 
88.  00538B71 . 5E pop esi
 
89.  00538B72 . 5B pop ebx
 
90.  00538B73 . 8BE5 mov esp, ebp
 
91.  00538B75 . 5D pop ebp
 
92.  00538B76 . C3 retn
 
 
以上代码的前半部分是获取机器信息;在 00538B31 处跟进,来到计算机器码 32 位数字的代码部分(注:分成的四部分机器码都经过调序,才得到真正机器码的四部分):
 
1.     0053728C /$ 55 push ebp
 
2.     0053728D |. 8BEC mov ebp, esp
 
3.     0053728F |. 83C4 E8 add esp, -18
 
4.     00537292 |. 53 push ebx
 
5.     00537293 |. 56 push esi
 
6.     00537294 |. 57 push edi
 
7.     00537295 |. 33C9 xor ecx, ecx
 
8.     00537297 |. 894D EC mov dword ptr [ebp-14], ecx
 
9.     0053729A |. 894D E8 mov dword ptr [ebp-18], ecx
 
10.  0053729D |. 8BF0 mov esi, eax
 
11.  0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]
 
12.  005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第一部分[0012FB9C]=AE2C1742
 
13.  005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第二部分[0012FBA0]=6FAA135F
 
14.  005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第三部分[0012FBA4]=4B1A2D3A
 
15.  005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第四部分[0012FBA8]=4031BBC7
 
16.  005372A6 |. 8BFA mov edi, edx
 
17.  005372A8 |. 33C0 xor eax, eax
 
18.  005372AA |. 55 push ebp
 
19.  005372AB |. 68 27735300 push 00537327
 
20.  005372B0 |. 64:FF30 push dword ptr fs:[eax]
 
21.  005372B3 |. 64:8920 mov dword ptr fs:[eax], esp
 
22.  005372B6 |. 8BC7 mov eax, edi
 
23.  005372B8 |. E8 8BD3ECFF call 00404648
 
24.  005372BD |. B3 10 mov bl, 10
 
25.  005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]
 
26.  005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将机器码顺序校正直至
 
27.  005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
 
28.  005372C7 |. 33D2 |xor edx, edx
 
29.  005372C9 |. 8A16 |mov dl, byte ptr [esi]
 
30.  005372CB |. C1EA 04 |shr edx, 4
 
31.  005372CE |. 83E2 0F |and edx, 0F
 
32.  005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
 
33.  005372D7 |. E8 54D5ECFF |call 00404830
 
34.  005372DC |. FF75 EC |push dword ptr [ebp-14]
 
35.  005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]
 
36.  005372E2 |. 8A16 |mov dl, byte ptr [esi]
 
37.  005372E4 |. 80E2 0F |and dl, 0F
 
38.  005372E7 |. 81E2 FF000000 |and edx, 0FF
 
39.  005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
 
40.  005372F3 |. E8 38D5ECFF |call 00404830
 
41.  005372F8 |. FF75 E8 |push dword ptr [ebp-18]
 
42.  005372FB |. 8BC7 |mov eax, edi
 
43.  005372FD |. BA 03000000 |mov edx, 3
 
44.  00537302 |. E8 D1D6ECFF |call 004049D8
 
45.  00537307 |. 46 |inc esi
 
46.  00537308 |. FECB |dec bl
 
47.  0053730A |.^ 75 B6 \jnz short 005372C2
 
48.  0053730C |. 33C0 xor eax, eax
 
49.  0053730E |. 5A pop edx
 
50.  0053730F |. 59 pop ecx
 
51.  00537310 |. 59 pop ecx
 
52.  00537311 |. 64:8910 mov dword ptr fs:[eax], edx
 
53.  00537314 |. 68 2E735300 push 0053732E
 
54.  00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]
 
55.  0053731C |. BA 02000000 mov edx, 2
 
56.  00537321 |. E8 46D3ECFF call 0040466C
 
57.  00537326 \. C3 retn
 
 
出来后再单步走完机器码获取部分,来到 00538D9E 位置,这时机器码已经得到了,即 6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140。
下面再进入 00538D72 处的 call --> 00538B94,即得到正确注册码的 CALL:
 
1.     00538B94 /$ 55 push ebp
 
2.     00538B95 |. 8BEC mov ebp, esp
 
3.     00538B97 |. 83C4 D8 add esp, -28
 
4.     00538B9A |. 53 push ebx
 
5.     00538B9B |. 56 push esi
 
6.     00538B9C |. 33C9 xor ecx, ecx
 
7.     00538B9E |. 894D D8 mov dword ptr [ebp-28], ecx
 
8.     00538BA1 |. 894D DC mov dword ptr [ebp-24], ecx ; 4031BBC7
 
9.     00538BA4 |. 894D F8 mov dword ptr [ebp-8], ecx ; 0012FBE0
 
10.  00538BA7 |. 894D F4 mov dword ptr [ebp-C], ecx
 
11.  00538BAA |. 894D F0 mov dword ptr [ebp-10], ecx
 
12.  00538BAD |. 8BF2 mov esi, edx
 
13.  00538BAF |. 8945 FC mov dword ptr [ebp-4], eax
 
14.  00538BB2 |. 8B45 FC mov eax, dword ptr [ebp-4]
 
15.  00538BB5 |. E8 4EBFECFF call 00404B08
 
16.  00538BBA |. 33C0 xor eax, eax
 
17.  00538BBC |. 55 push ebp
 
18.  00538BBD |. 68 CB8C5300 push 00538CCB
 
19.  00538BC2 |. 64:FF30 push dword ptr fs:[eax]
 
20.  00538BC5 |. 64:8920 mov dword ptr fs:[eax], esp
 
21.  00538BC8 |. 8BC6 mov eax, esi
 
22.  00538BCA |. E8 79BAECFF call 00404648
 
23.  00538BCF |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
24.  00538BD2 |. E8 71BAECFF call 00404648
 
25.  00538BD7 |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
26.  00538BDA |. BA E08C5300 mov edx, 00538CE0 ; 版
 
27.  00538BDF |. E8 3CBDECFF call 00404920
 
28.  00538BE4 |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
29.  00538BE7 |. BA EC8C5300 mov edx, 00538CEC ; 权
 
30.  00538BEC |. E8 2FBDECFF call 00404920
 
31.  00538BF1 |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
32.  00538BF4 |. BA F88C5300 mov edx, 00538CF8 ; 所
 
33.  00538BF9 |. E8 22BDECFF call 00404920
 
34.  00538BFE |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
35.  00538C01 |. BA 048D5300 mov edx, 00538D04 ; 有
 
36.  00538C06 |. E8 15BDECFF call 00404920
 
37.  00538C0B |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
38.  00538C0E |. BA 108D5300 mov edx, 00538D10 ; :
 
39.  00538C13 |. E8 08BDECFF call 00404920
 
40.  00538C18 |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
41.  00538C1B |. BA 1C8D5300 mov edx, 00538D1C ; 韩
 
42.  00538C20 |. E8 FBBCECFF call 00404920
 
43.  00538C25 |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
44.  00538C28 |. BA 288D5300 mov edx, 00538D28 ; 树
 
45.  00538C2D |. E8 EEBCECFF call 00404920
 
46.  00538C32 |. 8D45 F8 lea eax, dword ptr [ebp-8]
 
47.  00538C35 |. BA 348D5300 mov edx, 00538D34 ; 江
 
48.  00538C3A |. E8 E1BCECFF call 00404920
 
49.  00538C3F |. 8D45 DC lea eax, dword ptr [ebp-24]
 
50.  00538C42 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; (ASCII "6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140")
 
51.  00538C45 |. 8B55 F8 mov edx, dword ptr [ebp-8]
 
52.  00538C48 |. E8 17BDECFF call 00404964
 
53.  00538C4D |. 8B45 DC mov eax, dword ptr [ebp-24]
 
54.  00538C50 |. 8D55 E0 lea edx, dword ptr [ebp-20]
 
55.  00538C53 |. E8 C0E5FFFF call 00537218
 
56.  00538C58 |. 8D45 E0 lea eax, dword ptr [ebp-20]
 
57.  00538C5B |. 8D55 F4 lea edx, dword ptr [ebp-C]
 
58.  00538C5E |. E8 29E6FFFF call 0053728C ; 关键Call整出注册码
 
59.  00538C63 |. 8D45 F0 lea eax, dword ptr [ebp-10]
 
60.  00538C66 |. E8 DDB9ECFF call 00404648 ; 作用未知
 
61.  00538C6B |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 注册码6c9125ab21e9252438e413f6536217d0
 
62.  00538C6E |. E8 A5BCECFF call 00404918
 
63.  00538C73 |. 8BD8 mov ebx, eax
 
64.  00538C75 |. 83FB 01 cmp ebx, 1
 
65.  00538C78 |. 7C 1F jl short 00538C99 ; 调序部分,倒转注册码
 
66.  00538C7A |> 8D45 D8 /lea eax, dword ptr [ebp-28]
 
67.  00538C7D |. 8B55 F4 |mov edx, dword ptr [ebp-C]
 
68.  00538C80 |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
 
69.  00538C84 |. E8 A7BBECFF |call 00404830
 
70.  00538C89 |. 8B55 D8 |mov edx, dword ptr [ebp-28]
 
71.  00538C8C |. 8D45 F0 |lea eax, dword ptr [ebp-10]
 
72.  00538C8F |. E8 8CBCECFF |call 00404920
 
73.  00538C94 |. 4B |dec ebx
 
74.  00538C95 |. 85DB |test ebx, ebx
 
75.  00538C97 |.^ 75 E1 \jnz short 00538C7A
 
76.  00538C99 |> 8BC6 mov eax, esi
 
77.  00538C9B |. 8B55 F0 mov edx, dword ptr [ebp-10] ; 倒转后正确的注册码0d7126356f314e8342529e12ba5219c6
 
78.  00538C9E |. E8 F9B9ECFF call 0040469C
 
79.  00538CA3 |. 33C0 xor eax, eax
 
80.  00538CA5 |. 5A pop edx
 
81.  00538CA6 |. 59 pop ecx
 
82.  00538CA7 |. 59 pop ecx
 
83.  00538CA8 |. 64:8910 mov dword ptr fs:[eax], edx
 
84.  00538CAB |. 68 D28C5300 push 00538CD2
 
85.  00538CB0 |> 8D45 D8 lea eax, dword ptr [ebp-28]
 
86.  00538CB3 |. BA 02000000 mov edx, 2
 
87.  00538CB8 |. E8 AFB9ECFF call 0040466C
 
88.  00538CBD |. 8D45 F0 lea eax, dword ptr [ebp-10]
 
89.  00538CC0 |. BA 04000000 mov edx, 4
 
90.  00538CC5 |. E8 A2B9ECFF call 0040466C
 
91.  00538CCA \. C3 retn
 
92.  00538CCB .^ E9 D0B2ECFF jmp 00403FA0
 
93.  00538CD0 .^ EB DE jmp short 00538CB0
 
94.  00538CD2 . 5E pop esi
 
95.  00538CD3 . 5B pop ebx
 
96.  00538CD4 . 8BE5 mov esp, ebp
 
97.  00538CD6 . 5D pop ebp
 
98.  00538CD7 . C3 retn
 
 
 
简单说一下:这部分代码的前半部分得到机器码数字,然后 00538C5E 处是得到注册码的模块,那么我们再跟进 0053728C 那里瞧瞧:
来到这里,即得到注册码的部分(注:分成的四部分注册码都需经过调序,才得到真正注册码的四部分):
 
1.     0053728C /$ 55 push ebp
 
2.     0053728D |. 8BEC mov ebp, esp
 
3.     0053728F |. 83C4 E8 add esp, -18
 
4.     00537292 |. 53 push ebx
 
5.     00537293 |. 56 push esi
 
6.     00537294 |. 57 push edi
 
7.     00537295 |. 33C9 xor ecx, ecx
 
8.     00537297 |. 894D EC mov dword ptr [ebp-14], ecx
 
9.     0053729A |. 894D E8 mov dword ptr [ebp-18], ecx
 
10.  0053729D |. 8BF0 mov esi, eax
 
11.  0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]
 
12.  005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第四部分[0012FB9C]=AB25916C
 
13.  005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第三部分[0012FBA0]=2425E921
 
14.  005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第二部分[0012FBA4]=F613E438
 
15.  005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第一部分[0012FBA8]=D0176253
 
16.  005372A6 |. 8BFA mov edi, edx
 
17.  005372A8 |. 33C0 xor eax, eax
 
18.  005372AA |. 55 push ebp
 
19.  005372AB |. 68 27735300 push 00537327
 
20.  005372B0 |. 64:FF30 push dword ptr fs:[eax]
 
21.  005372B3 |. 64:8920 mov dword ptr fs:[eax], esp
 
22.  005372B6 |. 8BC7 mov eax, edi
 
23.  005372B8 |. E8 8BD3ECFF call 00404648
 
24.  005372BD |. B3 10 mov bl, 10
 
25.  005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]
 
26.  005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将注册码顺序校正
 
27.  005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
 
28.  005372C7 |. 33D2 |xor edx, edx
 
29.  005372C9 |. 8A16 |mov dl, byte ptr [esi]
 
30.  005372CB |. C1EA 04 |shr edx, 4
 
31.  005372CE |. 83E2 0F |and edx, 0F
 
32.  005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
 
33.  005372D7 |. E8 54D5ECFF |call 00404830
 
34.  005372DC |. FF75 EC |push dword ptr [ebp-14]
 
35.  005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]
 
36.  005372E2 |. 8A16 |mov dl, byte ptr [esi]
 
37.  005372E4 |. 80E2 0F |and dl, 0F
 
38.  005372E7 |. 81E2 FF000000 |and edx, 0FF
 
39.  005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
 
40.  005372F3 |. E8 38D5ECFF |call 00404830
 
41.  005372F8 |. FF75 E8 |push dword ptr [ebp-18]
 
42.  005372FB |. 8BC7 |mov eax, edi
 
43.  005372FD |. BA 03000000 |mov edx, 3
 
44.  00537302 |. E8 D1D6ECFF |call 004049D8
 
45.  00537307 |. 46 |inc esi
 
46.  00537308 |. FECB |dec bl
 
47.  0053730A |.^ 75 B6 \jnz short 005372C2
 
48.  0053730C |. 33C0 xor eax, eax
 
49.  0053730E |. 5A pop edx
 
50.  0053730F |. 59 pop ecx
 
51.  00537310 |. 59 pop ecx
 
52.  00537311 |. 64:8910 mov dword ptr fs:[eax], edx
 
53.  00537314 |. 68 2E735300 push 0053732E
 
54.  00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]
 
55.  0053731C |. BA 02000000 mov edx, 2
 
56.  00537321 |. E8 46D3ECFF call 0040466C
 
57.  00537326 \. C3 retn
 
58.  00537327 .^ E9 74CCECFF jmp 00403FA0
 
59.  0053732C .^ EB EB jmp short 00537319
 
60.  0053732E . 5F pop edi
 
61.  0053732F . 5E pop esi
 
62.  00537330 . 5B pop ebx
 
63.  00537331 . 8BE5 mov esp, ebp
 
64.  00537333 . 5D pop ebp
 
65.  00537334 . C3 retn
 
 
 
通过这段代码可以看到,机器码(数字部分)与注册码实际上调用的是同一部分代码;只是时间紧迫,我没能分析明白具体算法是什么,只能分析一下流程。
或许大家看到这个步骤有些发懵,建议大家动手试一下;如果有流程图,或许会好些吧。
至于要得到破解版本,我的思路是让软件自己计算出注册码与自己比较,呵呵,肯定是正确的了。(补充:该软件的注册方式是从32位注册码中任取两个数,与用户输入的注册码同位置两处比较,若正确则成功,所以利用追出的注册码修改一下有时能注册成功,有时则会失败。这是我在沙盘下调试多次加上动态调试的猜想,没办法,我汇编根本没起步,分析的头都大了。嘿嘿)
在此次分析第一次跟进的代码区域往下看,有这样一段:
 
1.     00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]
 
2.     00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是通过函数任意取注册码的一个位置
 
3.     00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]
 
4.     00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]
 
5.     00538E00 |. E8 5FBCECFF call 00404A64
 
6.     00538E05 |. 0F94C3 sete bl ;判断逻辑真假,若为真,注册成功。
 
 
这样得到破解版我们还需做以下修改:
00538DF2和00538DFD处修改汇编代码将ebp-10改为ebp-8
此时用动态调试,00538E05逻辑为真。说明接近成功了。
保存修改,双击打开,软件就变为已注册版本了。
 
不求精华,知道没到那个水平,但求一个邀请码,犒劳一下

