首页>网络技术>密码解析>记一次破解小软件
回复
« 返回列表
灯火互联
灯火互联
管理员
管理员
  • 注册日期2011-07-27
  • 发帖数41778
  • QQ
  • 火币41290枚
  • 粉丝1086
  • 关注100
写私信 打招呼
  • 终身成就奖
  • 最爱沙发
  • 忠实会员
  • 灌水天才奖
  • 贴图大师奖
  • 原创先锋奖
  • 特殊贡献奖
  • 宣传大使奖
  • 优秀斑竹奖
  • 社区明星
阅读:5434回复:0

记一次破解小软件

楼主#
更多 发布于:2012-08-24 20:01

实验对象http://down.qiannao.com/space/file/lengyeasu/share/2010/8/1/linglei.rar/.page我在这下载的。下面说下我是怎样破解这个水印软件的。

由于基础太差,我就不具体分析了。代码我加的分析可能有错误,朋友们看到了还望指出。
用Ollyice载入已脱壳的程序,至于脱壳方法相信大家比我懂,此处不再啰嗦。
依靠ollyice的字符串参考在软件的这里设下断点

1.     00538F73 . E8 C0FDFFFF call 00538D38 ; 关键Call

2.     00538F78 . 84C0 test al, al


按F7跟进,来到这里:(因为基础差做了很多没用的注释删去了)

1.     00538D38 /$ 55 push ebp

2.     00538D39 |. 8BEC mov ebp, esp

3.     00538D3B |. 33C9 xor ecx, ecx

4.     00538D3D |. 51 push ecx

5.     00538D3E |. 51 push ecx

6.     00538D3F |. 51 push ecx

7.     00538D40 |. 51 push ecx

8.     00538D41 |. 51 push ecx

9.     00538D42 |. 53 push ebx

10.  00538D43 |. 56 push esi

11.  00538D44 |. 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"

12.  00538D47 |. 8BD8 mov ebx, eax ; 将eax暂时--ebx eax=00C18148

13.  00538D49 |. 8B45 FC mov eax, dword ptr [ebp-4] ; edx---eax ASCII "HsjMakeSign"

14.  00538D4C |. E8 B7BDECFF call 00404B08

15.  00538D51 |. 33C0 xor eax, eax

16.  00538D53 |. 55 push ebp

17.  00538D54 |. 68 238E5300 push 00538E23

18.  00538D59 |. 64:FF30 push dword ptr fs:[eax]

19.  00538D5C |. 64:8920 mov dword ptr fs:[eax], esp

20.  00538D5F |. 8D4D F4 lea ecx, dword ptr [ebp-C]

21.  00538D62 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx -- "HsjMakeSign"

22.  00538D65 |. 8BC3 mov eax, ebx ; 还原ebx--eax

23.  00538D67 |. E8 F0FCFFFF call 00538A5C ; 得到软件的机器码数字部分

24.  00538D6C |. 8D55 F8 lea edx, dword ptr [ebp-8]

25.  00538D6F |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 载入机器码

26.  00538D72 |. E8 1DFEFFFF call 00538B94 ; 得到正确的注册码的关键CALL

27.  00538D77 |. B9 3C8E5300 mov ecx, 00538E3C ; hsjsoft.ini临时存放机器码

28.  00538D7C |. B2 01 mov dl, 1

29.  00538D7E |. A1 00C94300 mov eax, dword ptr [43C900]

30.  00538D83 |. E8 283CF0FF call 0043C9B0

31.  00538D88 |. 8BD8 mov ebx, eax

32.  00538D8A |. 6A 00 push 0

33.  00538D8C |. 8D45 EC lea eax, dword ptr [ebp-14]

34.  00538D8F |. 50 push eax

35.  00538D90 |. B9 508E5300 mov ecx, 00538E50 ; reg_code

36.  00538D95 |. 8B55 FC mov edx, dword ptr [ebp-4]

37.  00538D98 |. 8BC3 mov eax, ebx

38.  00538D9A |. 8B30 mov esi, dword ptr [eax]

39.  00538D9C |. FF16 call near dword ptr [esi] ; 传递注册数据

40.  00538D9E 8B45 EC mov eax, dword ptr [ebp-14] ; 传入用户输入的注册码

41.  00538DA1 |. 8D55 F0 lea edx, dword ptr [ebp-10]

42.  00538DA4 |. E8 EF01EDFF call 00408F98

43.  00538DA9 |. 8BC3 mov eax, ebx

44.  00538DAB |. E8 88AAECFF call 00403838

45.  00538DB0 |. E8 8BA1ECFF call 00402F40

46.  00538DB5 |. B8 20000000 mov eax, 20

47.  00538DBA |. E8 8DA4ECFF call 0040324C

48.  00538DBF |. 8BD8 mov ebx, eax

49.  00538DC1 |. 85DB test ebx, ebx

50.  00538DC3 |. 7F 05 jg short 00538DCA

51.  00538DC5 |. BB 01000000 mov ebx, 1

52.  00538DCA |> 83FB 1E cmp ebx, 1E

53.  00538DCD |. 7E 05 jle short 00538DD4

54.  00538DCF |. BB 1E000000 mov ebx, 1E

55.  00538DD4 |> 8D45 F8 lea eax, dword ptr [ebp-8]

56.  00538DD7 |. 50 push eax

57.  00538DD8 |. B9 02000000 mov ecx, 2

58.  00538DDD |. 8BD3 mov edx, ebx

59.  00538DDF |. 8B45 F8 mov eax, dword ptr [ebp-8]

60.  00538DE2 |. E8 91BDECFF call 00404B78

61.  00538DE7 |. 8D45 F0 lea eax, dword ptr [ebp-10]

62.  00538DEA |. 50 push eax

63.  00538DEB |. B9 02000000 mov ecx, 2

64.  00538DF0 |. 8BD3 mov edx, ebx

65.  00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]

66.  00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是取任意位置的两数比较

67.  00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]

68.  00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]

69.  00538E00 |. E8 5FBCECFF call 00404A64 ; 判断注册码是否正确

70.  00538E05 |. 0F94C3 sete bl

71.  00538E08 |. 33C0 xor eax, eax

72.  00538E0A |. 5A pop edx

73.  00538E0B |. 59 pop ecx

74.  00538E0C |. 59 pop ecx

75.  00538E0D |. 64:8910 mov dword ptr fs:[eax], edx

76.  00538E10 |. 68 2A8E5300 push 00538E2A

77.  00538E15 |> 8D45 EC lea eax, dword ptr [ebp-14]

78.  00538E18 |. BA 05000000 mov edx, 5

79.  00538E1D |. E8 4AB8ECFF call 0040466C

80.  00538E22 \. C3 retn

81.  00538E23 .^ E9 78B1ECFF jmp 00403FA0

82.  00538E28 .^ EB EB jmp short 00538E15

83.  00538E2A . 8BC3 mov eax, ebx

84.  00538E2C . 5E pop esi

85.  00538E2D . 5B pop ebx

86.  00538E2E . 8BE5 mov esp, ebp

87.  00538E30 . 5D pop ebp

88.  00538E31 . C3 retn



在这里动态调试单步走,在00538D67处进入得到软件的机器码数字部分代码:

1.     00538A5C $ 55 push ebp ; 机器码获取部分

2.     00538A5D . 8BEC mov ebp, esp ; 保存esp至ebp

3.     00538A5F . 83C4 D0 add esp, -30

4.     00538A62 . 53 push ebx

5.     00538A63 . 56 push esi

6.     00538A64 . 57 push edi ; edi=0012FE94

7.     00538A65 . 33DB xor ebx, ebx ; ebx归零

8.     00538A67 . 895D E0 mov dword ptr [ebp-20], ebx

9.     00538A6A . 895D F0 mov dword ptr [ebp-10], ebx

10.  00538A6D . 895D EC mov dword ptr [ebp-14], ebx

11.  00538A70 . 895D E8 mov dword ptr [ebp-18], ebx

12.  00538A73 . 895D E4 mov dword ptr [ebp-1C], ebx

13.  00538A76 . 895D F4 mov dword ptr [ebp-C], ebx

14.  00538A79 . 894D F8 mov dword ptr [ebp-8], ecx

15.  00538A7C . 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"

16.  00538A7F . 8BD8 mov ebx, eax ; ebx=eax=00C18148

17.  00538A81 . 8B45 FC mov eax, dword ptr [ebp-4] ; eax=HsjMakeSign

18.  00538A84 . E8 7FC0ECFF call 00404B08 ; 用途未知

19.  00538A89 . 33C0 xor eax, eax ; eax清零

20.  00538A8B . 55 push ebp ; ebp压入

21.  00538A8C . 68 698B5300 push 00538B69 ; 00538B69=00538B69

22.  00538A91 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FBC4

23.  00538A94 . 64:8920 mov dword ptr fs:[eax], esp ; esp=0012FB74

24.  00538A97 . 8B45 F8 mov eax, dword ptr [ebp-8] ; 堆栈ss:[0012FBB4]=0012FBE0

25.  00538A9A . E8 A9BBECFF call 00404648

26.  00538A9F . 33C0 xor eax, eax ; eax归零

27.  00538AA1 . 55 push ebp ; ebp=0012FBBC

28.  00538AA2 . 68 0E8B5300 push 00538B0E ; 00538B0E=00538B0E

29.  00538AA7 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FB74

30.  00538AAA . 64:8920 mov dword ptr fs:[eax], esp

31.  00538AAD . FF75 FC push dword ptr [ebp-4] ; 堆栈ss:[0012FBB8]=005472B0 (1.005472B0), ASCII "HsjMakeSign"

32.  00538AB0 . 68 808B5300 push 00538B80

33.  00538AB5 . 8D45 F0 lea eax, dword ptr [ebp-10] ; 堆栈地址=0012FBAC

34.  00538AB8 . E8 63F8FFFF call 00538320 ; 获取机器信息---bios部分

35.  00538ABD . FF75 F0 push dword ptr [ebp-10] ; 机器信息(ASCII "BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0")

36.  00538AC0 . 68 808B5300 push 00538B80 ; ;

37.  00538AC5 . 8D45 EC lea eax, dword ptr [ebp-14] ; 堆栈地址=0012FBA8

38.  00538AC8 . E8 87FBFFFF call 00538654 ; 获取机器信息

39.  00538ACD . FF75 EC push dword ptr [ebp-14] ; ASCII "DisplayDeviceInfo:Mobile intel(R) 4 Series Express Chipset FamilyMobile Intel(R) 4 Series Express Chipset FamilyNetMeeting driverRDPDD Chained DD

40.  00538AD0 . 68 808B5300 push 00538B80 ; ;

41.  00538AD5 . 8D45 E8 lea eax, dword ptr [ebp-18]

42.  00538AD8 . E8 57FCFFFF call 00538734 ; 获取机器信息---cpu部分

43.  00538ADD . FF75 E8 push dword ptr [ebp-18] ; CpuType:GenuineIntel586

44.  00538AE0 . 68 808B5300 push 00538B80 ; ;

45.  00538AE5 . 8D55 E4 lea edx, dword ptr [ebp-1C]

46.  00538AE8 . 8BC3 mov eax, ebx

47.  00538AEA . E8 F5FDFFFF call 005388E4 ; 获取机器信息---硬盘id部分

48.  00538AEF . FF75 E4 push dword ptr [ebp-1C] ; ASCII DiskId:

49.  00538AF2 . 68 808B5300 push 00538B80 ; ;

50.  00538AF7 . 8D45 F4 lea eax, dword ptr [ebp-C]

51.  00538AFA . BA 0A000000 mov edx, 0A

52.  00538AFF . E8 D4BEECFF call 004049D8

53.  00538B04 . 33C0 xor eax, eax

54.  00538B06 . 5A pop edx

55.  00538B07 . 59 pop ecx

56.  00538B08 . 59 pop ecx

57.  00538B09 . 64:8910 mov dword ptr fs:[eax], edx

58.  00538B0C . EB 0A jmp short 00538B18

59.  00538B0E .^ E9 D9B1ECFF jmp 00403CEC

60.  00538B13 . E8 3CB5ECFF call 00404054

61.  00538B18 > 68 8C8B5300 push 00538B8C ; 6.0;

62.  00538B1D . FF75 FC push dword ptr [ebp-4]

63.  00538B20 . 8D55 D0 lea edx, dword ptr [ebp-30] ; 下一步就将机器信息汇总

64.  00538B23 . 8B45 F4 mov eax, dword ptr [ebp-C] ; HsjMakeSign;BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0;DisplayDeviceInfo:Mobile Intel(R) 4 Series Express Chipset FamilyM

65.  00538B26 . E8 EDE6FFFF call 00537218

66.  00538B2B . 8D45 D0 lea eax, dword ptr [ebp-30]

67.  00538B2E . 8D55 E0 lea edx, dword ptr [ebp-20] ; edx此时存放有机器信息

68.  00538B31 . E8 56E7FFFF call 0053728C ; 计算得到机器码的关键Call

69.  00538B36 . FF75 E0 push dword ptr [ebp-20]

70.  00538B39 . 8B45 F8 mov eax, dword ptr [ebp-8]

71.  00538B3C . BA 03000000 mov edx, 3

72.  00538B41 . E8 92BEECFF call 004049D8

73.  00538B46 . 33C0 xor eax, eax

74.  00538B48 . 5A pop edx

75.  00538B49 . 59 pop ecx

76.  00538B4A . 59 pop ecx

77.  00538B4B . 64:8910 mov dword ptr fs:[eax], edx

78.  00538B4E . 68 708B5300 push 00538B70

79.  00538B53 > 8D45 E0 lea eax, dword ptr [ebp-20]

80.  00538B56 . BA 06000000 mov edx, 6

81.  00538B5B . E8 0CBBECFF call 0040466C

82.  00538B60 . 8D45 FC lea eax, dword ptr [ebp-4]

83.  00538B63 . E8 E0BAECFF call 00404648

84.  00538B68 . C3 retn

85.  00538B69 .^ E9 32B4ECFF jmp 00403FA0

86.  00538B6E .^ EB E3 jmp short 00538B53

87.  00538B70 . 5F pop edi

88.  00538B71 . 5E pop esi

89.  00538B72 . 5B pop ebx

90.  00538B73 . 8BE5 mov esp, ebp

91.  00538B75 . 5D pop ebp

92.  00538B76 . C3 retn


以上代码前半部分是获取机器信息,在00538B31处跟进来到计算机器码32位数字的代码部分(注:分成的四部分机器码都经过调序得到真正机器码的四部分):

1.     0053728C /$ 55 push ebp

2.     0053728D |. 8BEC mov ebp, esp

3.     0053728F |. 83C4 E8 add esp, -18

4.     00537292 |. 53 push ebx

5.     00537293 |. 56 push esi

6.     00537294 |. 57 push edi

7.     00537295 |. 33C9 xor ecx, ecx

8.     00537297 |. 894D EC mov dword ptr [ebp-14], ecx

9.     0053729A |. 894D E8 mov dword ptr [ebp-18], ecx

10.  0053729D |. 8BF0 mov esi, eax

11.  0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]

12.  005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第一部分[0012FB9C]=AE2C1742

13.  005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第二部分[0012FBA0]=6FAA135F

14.  005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第三部分[0012FBA4]=4B1A2D3A

15.  005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第四部分[0012FBA8]=4031BBC7

16.  005372A6 |. 8BFA mov edi, edx

17.  005372A8 |. 33C0 xor eax, eax

18.  005372AA |. 55 push ebp

19.  005372AB |. 68 27735300 push 00537327

20.  005372B0 |. 64:FF30 push dword ptr fs:[eax]

21.  005372B3 |. 64:8920 mov dword ptr fs:[eax], esp

22.  005372B6 |. 8BC7 mov eax, edi

23.  005372B8 |. E8 8BD3ECFF call 00404648

24.  005372BD |. B3 10 mov bl, 10

25.  005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]

26.  005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将机器码顺序校正直至

27.  005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]

28.  005372C7 |. 33D2 |xor edx, edx

29.  005372C9 |. 8A16 |mov dl, byte ptr [esi]

30.  005372CB |. C1EA 04 |shr edx, 4

31.  005372CE |. 83E2 0F |and edx, 0F

32.  005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]

33.  005372D7 |. E8 54D5ECFF |call 00404830

34.  005372DC |. FF75 EC |push dword ptr [ebp-14]

35.  005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]

36.  005372E2 |. 8A16 |mov dl, byte ptr [esi]

37.  005372E4 |. 80E2 0F |and dl, 0F

38.  005372E7 |. 81E2 FF000000 |and edx, 0FF

39.  005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]

40.  005372F3 |. E8 38D5ECFF |call 00404830

41.  005372F8 |. FF75 E8 |push dword ptr [ebp-18]

42.  005372FB |. 8BC7 |mov eax, edi

43.  005372FD |. BA 03000000 |mov edx, 3

44.  00537302 |. E8 D1D6ECFF |call 004049D8

45.  00537307 |. 46 |inc esi

46.  00537308 |. FECB |dec bl

47.  0053730A |.^ 75 B6 \jnz short 005372C2

48.  0053730C |. 33C0 xor eax, eax

49.  0053730E |. 5A pop edx

50.  0053730F |. 59 pop ecx

51.  00537310 |. 59 pop ecx

52.  00537311 |. 64:8910 mov dword ptr fs:[eax], edx

53.  00537314 |. 68 2E735300 push 0053732E

54.  00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]

55.  0053731C |. BA 02000000 mov edx, 2

56.  00537321 |. E8 46D3ECFF call 0040466C

57.  00537326 \. C3 retn


出来后再单步走完机器码获取部分,来到00538d9e位置,这时机器码已经得到了即6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140
下面在进入00538D72的call-->00538B94  即得到正确的注册码的CALL:

1.     00538B94 /$ 55 push ebp

2.     00538B95 |. 8BEC mov ebp, esp

3.     00538B97 |. 83C4 D8 add esp, -28

4.     00538B9A |. 53 push ebx

5.     00538B9B |. 56 push esi

6.     00538B9C |. 33C9 xor ecx, ecx

7.     00538B9E |. 894D D8 mov dword ptr [ebp-28], ecx

8.     00538BA1 |. 894D DC mov dword ptr [ebp-24], ecx ; 4031BBC7

9.     00538BA4 |. 894D F8 mov dword ptr [ebp-8], ecx ; 0012FBE0

10.  00538BA7 |. 894D F4 mov dword ptr [ebp-C], ecx

11.  00538BAA |. 894D F0 mov dword ptr [ebp-10], ecx

12.  00538BAD |. 8BF2 mov esi, edx

13.  00538BAF |. 8945 FC mov dword ptr [ebp-4], eax

14.  00538BB2 |. 8B45 FC mov eax, dword ptr [ebp-4]

15.  00538BB5 |. E8 4EBFECFF call 00404B08

16.  00538BBA |. 33C0 xor eax, eax

17.  00538BBC |. 55 push ebp

18.  00538BBD |. 68 CB8C5300 push 00538CCB

19.  00538BC2 |. 64:FF30 push dword ptr fs:[eax]

20.  00538BC5 |. 64:8920 mov dword ptr fs:[eax], esp

21.  00538BC8 |. 8BC6 mov eax, esi

22.  00538BCA |. E8 79BAECFF call 00404648

23.  00538BCF |. 8D45 F8 lea eax, dword ptr [ebp-8]

24.  00538BD2 |. E8 71BAECFF call 00404648

25.  00538BD7 |. 8D45 F8 lea eax, dword ptr [ebp-8]

26.  00538BDA |. BA E08C5300 mov edx, 00538CE0 ; 版

27.  00538BDF |. E8 3CBDECFF call 00404920

28.  00538BE4 |. 8D45 F8 lea eax, dword ptr [ebp-8]

29.  00538BE7 |. BA EC8C5300 mov edx, 00538CEC ; 权

30.  00538BEC |. E8 2FBDECFF call 00404920

31.  00538BF1 |. 8D45 F8 lea eax, dword ptr [ebp-8]

32.  00538BF4 |. BA F88C5300 mov edx, 00538CF8 ; 所

33.  00538BF9 |. E8 22BDECFF call 00404920

34.  00538BFE |. 8D45 F8 lea eax, dword ptr [ebp-8]

35.  00538C01 |. BA 048D5300 mov edx, 00538D04 ; 有

36.  00538C06 |. E8 15BDECFF call 00404920

37.  00538C0B |. 8D45 F8 lea eax, dword ptr [ebp-8]

38.  00538C0E |. BA 108D5300 mov edx, 00538D10 ; :

39.  00538C13 |. E8 08BDECFF call 00404920

40.  00538C18 |. 8D45 F8 lea eax, dword ptr [ebp-8]

41.  00538C1B |. BA 1C8D5300 mov edx, 00538D1C ; 韩

42.  00538C20 |. E8 FBBCECFF call 00404920

43.  00538C25 |. 8D45 F8 lea eax, dword ptr [ebp-8]

44.  00538C28 |. BA 288D5300 mov edx, 00538D28 ; 树

45.  00538C2D |. E8 EEBCECFF call 00404920

46.  00538C32 |. 8D45 F8 lea eax, dword ptr [ebp-8]

47.  00538C35 |. BA 348D5300 mov edx, 00538D34 ; 江

48.  00538C3A |. E8 E1BCECFF call 00404920

49.  00538C3F |. 8D45 DC lea eax, dword ptr [ebp-24]

50.  00538C42 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; (ASCII "6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140")

51.  00538C45 |. 8B55 F8 mov edx, dword ptr [ebp-8]

52.  00538C48 |. E8 17BDECFF call 00404964

53.  00538C4D |. 8B45 DC mov eax, dword ptr [ebp-24]

54.  00538C50 |. 8D55 E0 lea edx, dword ptr [ebp-20]

55.  00538C53 |. E8 C0E5FFFF call 00537218

56.  00538C58 |. 8D45 E0 lea eax, dword ptr [ebp-20]

57.  00538C5B |. 8D55 F4 lea edx, dword ptr [ebp-C]

58.  00538C5E |. E8 29E6FFFF call 0053728C ; 关键Call整出注册码

59.  00538C63 |. 8D45 F0 lea eax, dword ptr [ebp-10]

60.  00538C66 |. E8 DDB9ECFF call 00404648 ; 作用未知

61.  00538C6B |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 注册码6c9125ab21e9252438e413f6536217d0

62.  00538C6E |. E8 A5BCECFF call 00404918

63.  00538C73 |. 8BD8 mov ebx, eax

64.  00538C75 |. 83FB 01 cmp ebx, 1

65.  00538C78 |. 7C 1F jl short 00538C99 ; 调序部分,倒转注册码

66.  00538C7A |> 8D45 D8 /lea eax, dword ptr [ebp-28]

67.  00538C7D |. 8B55 F4 |mov edx, dword ptr [ebp-C]

68.  00538C80 |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]

69.  00538C84 |. E8 A7BBECFF |call 00404830

70.  00538C89 |. 8B55 D8 |mov edx, dword ptr [ebp-28]

71.  00538C8C |. 8D45 F0 |lea eax, dword ptr [ebp-10]

72.  00538C8F |. E8 8CBCECFF |call 00404920

73.  00538C94 |. 4B |dec ebx

74.  00538C95 |. 85DB |test ebx, ebx

75.  00538C97 |.^ 75 E1 \jnz short 00538C7A

76.  00538C99 |> 8BC6 mov eax, esi

77.  00538C9B |. 8B55 F0 mov edx, dword ptr [ebp-10] ; 倒转后正确的注册码0d7126356f314e8342529e12ba5219c6

78.  00538C9E |. E8 F9B9ECFF call 0040469C

79.  00538CA3 |. 33C0 xor eax, eax

80.  00538CA5 |. 5A pop edx

81.  00538CA6 |. 59 pop ecx

82.  00538CA7 |. 59 pop ecx

83.  00538CA8 |. 64:8910 mov dword ptr fs:[eax], edx

84.  00538CAB |. 68 D28C5300 push 00538CD2

85.  00538CB0 |> 8D45 D8 lea eax, dword ptr [ebp-28]

86.  00538CB3 |. BA 02000000 mov edx, 2

87.  00538CB8 |. E8 AFB9ECFF call 0040466C

88.  00538CBD |. 8D45 F0 lea eax, dword ptr [ebp-10]

89.  00538CC0 |. BA 04000000 mov edx, 4

90.  00538CC5 |. E8 A2B9ECFF call 0040466C

91.  00538CCA \. C3 retn

92.  00538CCB .^ E9 D0B2ECFF jmp 00403FA0

93.  00538CD0 .^ EB DE jmp short 00538CB0

94.  00538CD2 . 5E pop esi

95.  00538CD3 . 5B pop ebx

96.  00538CD4 . 8BE5 mov esp, ebp

97.  00538CD6 . 5D pop ebp

98.  00538CD7 . C3 retn



简单说下,这部分代码前半部分得到机器码数字,然后在00538C5E处是得到注册码的模块,那么我们在跟进0053728C那里瞧瞧:
来到这里,得到注册码的部分(注:分成的四部分注册码都需经过调序得到真正注册码的四部分)

1.     0053728C /$ 55 push ebp

2.     0053728D |. 8BEC mov ebp, esp

3.     0053728F |. 83C4 E8 add esp, -18

4.     00537292 |. 53 push ebx

5.     00537293 |. 56 push esi

6.     00537294 |. 57 push edi

7.     00537295 |. 33C9 xor ecx, ecx

8.     00537297 |. 894D EC mov dword ptr [ebp-14], ecx

9.     0053729A |. 894D E8 mov dword ptr [ebp-18], ecx

10.  0053729D |. 8BF0 mov esi, eax

11.  0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]

12.  005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第四部分[0012FB9C]=AB25916C

13.  005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第三部分[0012FBA0]=2425E921

14.  005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第二部分[0012FBA4]=F613E438

15.  005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第一部分[0012FBA8]=D0176253

16.  005372A6 |. 8BFA mov edi, edx

17.  005372A8 |. 33C0 xor eax, eax

18.  005372AA |. 55 push ebp

19.  005372AB |. 68 27735300 push 00537327

20.  005372B0 |. 64:FF30 push dword ptr fs:[eax]

21.  005372B3 |. 64:8920 mov dword ptr fs:[eax], esp

22.  005372B6 |. 8BC7 mov eax, edi

23.  005372B8 |. E8 8BD3ECFF call 00404648

24.  005372BD |. B3 10 mov bl, 10

25.  005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]

26.  005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将注册码顺序校正

27.  005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]

28.  005372C7 |. 33D2 |xor edx, edx

29.  005372C9 |. 8A16 |mov dl, byte ptr [esi]

30.  005372CB |. C1EA 04 |shr edx, 4

31.  005372CE |. 83E2 0F |and edx, 0F

32.  005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]

33.  005372D7 |. E8 54D5ECFF |call 00404830

34.  005372DC |. FF75 EC |push dword ptr [ebp-14]

35.  005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]

36.  005372E2 |. 8A16 |mov dl, byte ptr [esi]

37.  005372E4 |. 80E2 0F |and dl, 0F

38.  005372E7 |. 81E2 FF000000 |and edx, 0FF

39.  005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]

40.  005372F3 |. E8 38D5ECFF |call 00404830

41.  005372F8 |. FF75 E8 |push dword ptr [ebp-18]

42.  005372FB |. 8BC7 |mov eax, edi

43.  005372FD |. BA 03000000 |mov edx, 3

44.  00537302 |. E8 D1D6ECFF |call 004049D8

45.  00537307 |. 46 |inc esi

46.  00537308 |. FECB |dec bl

47.  0053730A |.^ 75 B6 \jnz short 005372C2

48.  0053730C |. 33C0 xor eax, eax

49.  0053730E |. 5A pop edx

50.  0053730F |. 59 pop ecx

51.  00537310 |. 59 pop ecx

52.  00537311 |. 64:8910 mov dword ptr fs:[eax], edx

53.  00537314 |. 68 2E735300 push 0053732E

54.  00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]

55.  0053731C |. BA 02000000 mov edx, 2

56.  00537321 |. E8 46D3ECFF call 0040466C

57.  00537326 \. C3 retn

58.  00537327 .^ E9 74CCECFF jmp 00403FA0

59.  0053732C .^ EB EB jmp short 00537319

60.  0053732E . 5F pop edi

61.  0053732F . 5E pop esi

62.  00537330 . 5B pop ebx

63.  00537331 . 8BE5 mov esp, ebp

64.  00537333 . 5D pop ebp

65.  00537334 . C3 retn



通过这段代码看到了机器码(数字部分)与注册码实际是调用同一部分代码,只是时间紧迫,我没能分析明白算法具体是什么,只能分析一下流程了。
或许大家看到这个步骤有些发懵,建议大家动手试一下,如果有流程图或许会好些吧。
至于要得到破解版本,我的思路是让软件自己计算出注册码与自己比较,呵呵,肯定是正确的了。(补充:该软件的注册方式是从32位注册码中任取两个数,与用户输入的注册码同位置两处比较,若正确则成功,所以利用追出的注册码修改一下有时能注册成功,有时则会失败。这是我在沙盘下调试多次加上动态调试的猜想,没办法,我汇编根本没起步,分析的头都大了。嘿嘿)
在此次分析第一次跟进的代码区域往下看有这样一段:

1.     00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]

2.     00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是通过函数任意取注册码的一个位置

3.     00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]

4.     00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]

5.     00538E00 |. E8 5FBCECFF call 00404A64

6.     00538E05 |. 0F94C3 sete bl ;判断逻辑真假,若为真,注册成功。


这样得到破解版我们还需做以下修改:
00538DF2和00538DFD处修改汇编代码将ebp-10改为ebp-8
此时用动态调试,00538E05逻辑为真。说明接近成功了。
保存修改,双击打开,软件就变为已注册版本了。

不求精华,知道没到那个水平,但求一个邀请码,犒劳一下
喜欢0 评分0
淘宝天猫隐藏优惠券地址
回复
游客

Powered by atcpu.com ©2008-2021

灯火互联网 蜀ICP备13028548号

手机认证个人空间个人相册音乐电台音乐畅听网站终身会员手机吉凶在线YY百宝箱
返回顶部