Counting on my fingers, it has been two weeks since I boarded the pirate ship of cracking; I have mostly been learning by reading the essence posts on Pediy (看雪) and practising alongside them. Recently I came across a tutorial post cracking a fortune-telling program, "半仙算命", by patching the jump, so I wanted to practise the same way, but the old version was nowhere to be found; only the new version is available:
http://download.enet.com.cn/speed/toftp.php?fname=083472003060201
Then it occurred to me: why not take this chance to crack it on my own?
After installing it I ran it once and found that registration is by registration code: you have to fill in both a serial number and a registration code. My first guess was that the registration code is generated from the serial number you enter, as shown in the figure:
I typed something random and clicked OK; all it did was clear the serial number and registration code text boxes, with no error message at all. Very disappointing.
------------------------------------------
Still, let's try cracking it anyway. First check for a packer with FI: it is packed, of all things:
Let's try unpacking it manually. Load it in OllyDbg:
00696001 s> 60 pushad
00696002 E8 03000000 call ssbx.0069600A
This call is a near call: trace into it with F7, otherwise F8 will run off.
00696007 - E9 EB045D45 jmp 45C664F7
0069600C 55 push ebp
0069600D C3 retn
0069600E E8 01000000 call ssbx.00696014
This call is a near call: trace into it with F7, otherwise F8 will run off.
00696013 EB 5D jmp short ssbx.00696072
00696015 BB EDFFFFFF mov ebx,-13
0069601A 03DD add ebx,ebp
0069601C 81EB 00602900 sub ebx,296000
00696022 83BD 22040000 00 cmp dword ptr ss:[ebp+422],0
00696029 899D 22040000 mov dword ptr ss:[ebp+422],ebx
0069602F 0F85 65030000 jnz ssbx.0069639A
00696035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E]
0069603B 50 push eax
0069603C FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
00696042 8985 26040000 mov dword ptr ss:[ebp+426],eax
00696048 8BF8 mov edi,eax
0069604A 8D5D 5E lea ebx,dword ptr ss:[ebp+5E]
……………………………………
From here, F8 all the way past a few GetModuleHandleA, GetProcAddress and similar calls; whenever a forward jump comes up, put the cursor on the instruction after it and press F4, and we arrive at the popad:
00696384 8906 mov dword ptr ds:[esi],eax ; ssbx.0057A250
00696386 8946 0C mov dword ptr ds:[esi+C],eax
00696389 8946 10 mov dword ptr ds:[esi+10],eax
0069638C 83C6 14 add esi,14
0069638F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
00696395 ^ E9 EBFEFFFF jmp ssbx.00696285
0069639A B8 E83A1700 mov eax,173AE8
0069639F 50 push eax
006963A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
006963A6 59 pop ecx
006963A7 0BC9 or ecx,ecx
006963A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
006963AF 61 popad
The exit is close now.
006963B0 75 08 jnz short ssbx.006963BA
006963B2 B8 01000000 mov eax,1
006963B7 C2 0C00 retn 0C
006963BA 68 00000000 push 0
006963BF C3 retn
This return lands at the exit of the stub.
After returning I dumped directly with the plugin, but running the dump was a disaster…:
Not giving up, I tried to fix it with ImpREC; while grabbing the import table one entry that should be valid came up as invalid, and it crashed.
I can only admit I'm a newbie: I tried brainless unpacking with PEiD instead, and surprisingly it worked… It seems I still need the masters' advice on fixing the import table.
-------------------------------------------
Static analysis first: open W32Dasm and look at the string references. As expected there is no "wrong registration code" kind of message, but luckily the registration-success string is there, and there is an even handier "registration information incomplete" prompt. That prompt most likely means that before checking the registration code the program first checks the values in the text boxes, and if one is empty it prints the "registration information incomplete" prompt. Double-clicking it takes us to:
:0055C04B 8B45FC mov eax, dword ptr [ebp-04]
:0055C04E 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:0055C054 E8C7C0EEFF call 00448120
:0055C059 83BD90FEFFFF00 cmp dword ptr [ebp+FFFFFE90], 00000000
Checks whether the input is empty
:0055C060 750F jne 0055C071
If not empty, skip the "registration information incomplete" prompt
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C043(C)
|
* Possible StringData Ref from Code Obj ->"注册信息没有填写齐全"
|
:0055C062 B870C25500 mov eax, 0055C270
:0055C067 E8404EEEFF call 00440EAC
:0055C06C E970010000 jmp 0055C1E1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055C060(C)
|
:0055C071 8D958CFEFFFF lea edx, dword ptr [ebp+FFFFFE8C]
From here on must be the code section that runs from generating the registration code through to comparing it
:0055C077 8B45FC mov eax, dword ptr [ebp-04]
:0055C07A 8B8000030000 mov eax, dword ptr [eax+00000300]
:0055C080 E89BC0EEFF call 00448120
:0055C085 8B858CFEFFFF mov eax, dword ptr [ebp+FFFFFE8C]
:0055C08B 50 push eax
:0055C08C 8D9584FEFFFF lea edx, dword ptr [ebp+FFFFFE84]
:0055C092 8B45FC mov eax, dword ptr [ebp-04]
:0055C095 8B80F8020000 mov eax, dword ptr [eax+000002F8]
:0055C09B E880C0EEFF call 00448120
:0055C0A0 8B8584FEFFFF mov eax, dword ptr [ebp+FFFFFE84]
:0055C0A6 E83DD8EAFF call 004098E8
:0055C0AB 69C0B1040000 imul eax, 000004B1
:0055C0B1 8D9588FEFFFF lea edx, dword ptr [ebp+FFFFFE88]
:0055C0B7 E88CFDFFFF call 0055BE48
:0055C0BC 8B9588FEFFFF mov edx, dword ptr [ebp+FFFFFE88]
:0055C0C2 58 pop eax
:0055C0C3 E8288FEAFF call 00404FF0
:0055C0C8 0F85F3000000 jne 0055C1C1
………………………………
So I set a breakpoint at 0055C071 without hesitation, ran with F9 in OllyDbg, entered serial number 1234 and an arbitrary registration code 5678, and the breakpoint hit:
0055C071 > \8D95 8CFEFFFF lea edx,dword ptr ss:[ebp-174]
0055C077 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0055C07A . 8B80 00030000 mov eax,dword ptr ds:[eax+300]
0055C080 . E8 9BC0EEFF call ssbx_exe.00448120
0055C085 . 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-174]
0055C08B . 50 push eax
Note that EAX is 5678 here; continue with F8
0055C08C . 8D95 84FEFFFF lea edx,dword ptr ss:[ebp-17C]
0055C092 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0055C095 . 8B80 F8020000 mov eax,dword ptr ds:[eax+2F8]
0055C09B . E8 80C0EEFF call ssbx_exe.00448120
Note that EAX is 1234 here; continue with F8
0055C0A0 . 8B85 84FEFFFF mov eax,dword ptr ss:[ebp-17C]
0055C0A6 . E8 3DD8EAFF call ssbx_exe.004098E8
0055C0AB . 69C0 B1040000 imul eax,eax,4B1
0055C0B1 . 8D95 88FEFFFF lea edx,dword ptr ss:[ebp-178]
0055C0B7 . E8 8CFDFFFF call ssbx_exe.0055BE48
0055C0BC . 8B95 88FEFFFF mov edx,dword ptr ss:[ebp-178]
Something that looks just like a registration code shows up in EDX!!!! The call above is most likely the key call
0055C0C2 . 58 pop eax
Turns EAX into the registration code 5678 that we typed at random
0055C0C3 . E8 288FEAFF call ssbx_exe.00404FF0
The call that checks whether the two are equal
0055C0C8 . 0F85 F3000000 jnz ssbx_exe.0055C1C1
The evil jump is right here!
0055C0CE . BA 90C25500 mov edx,ssbx_exe.0055C290 ; ASCII "sszc.dll"
0055C0D3 . 8D85 A8FEFFFF lea eax,dword ptr ss:[ebp-158]
0055C0D9 . E8 5A6EEAFF call ssbx_exe.00402F38
0055C0DE . BA 01000000 mov edx,1
…………………………
Now the program is clear: the string of digits that appeared in EDX earlier can be taken as the key. Dump it from memory, save it to a txt file, and we're done!
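The check traced above rebuilds the expected registration code inside the client and string-compares it, which is why the value is sitting in EDX right before the conditional jump. As an added example (not from the original post or from the software discussed), this Go program sets that pattern beside a signature-based check in which the client can only verify, not generate; weakDerive, weakCheck, issueCode, strongCheck and the constants 7919 and 12345 are hypothetical stand-ins, not the program's own routine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Weak pattern, as in the traced check: the client rebuilds the expected code
// from the serial and string-compares it, so the expected value sits in memory
// right before the jump. Derivation and constants are hypothetical stand-ins.
func weakDerive(serial string) (string, bool) {
	n, err := strconv.ParseUint(serial, 10, 32)
	if err != nil {
		return "", false // non-numeric serial: nothing to derive
	}
	return strconv.FormatUint(n*7919+12345, 10), true
}

func weakCheck(serial, code string) bool {
	expected, ok := weakDerive(serial)
	return ok && expected == code // whoever can compute this can mint codes
}

// Hardened pattern: the vendor signs the serial with a private key that never
// ships; the client holds only the public key, so nothing readable from the
// client yields a valid code for another serial. issueCode is the vendor side.
func issueCode(priv ed25519.PrivateKey, serial string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(serial)))
}

// strongCheck is the client side: verify rather than recompute-and-compare.
func strongCheck(pub ed25519.PublicKey, serial, code string) bool {
	sig, err := hex.DecodeString(code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(serial), sig)
}

func main() {
	code, _ := weakDerive("1234") // serial typed into the dialog in the write-up
	fmt.Println("weak accepts self-derived code:", weakCheck("1234", code))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair, generated fresh
	issued := issueCode(priv, "1234")
	fmt.Println("strong accepts issued code:", strongCheck(pub, "1234", issued))
	fmt.Println("strong rejects it for serial 1235:", strongCheck(pub, "1235", issued))
}
```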