[Original] Analysis of the registration flow of 大名鼎鼎 5.0
Posted on: 2005-1-27 09:22
Title: Analysis of the registration flow of 大名鼎鼎 5.0
Author: jney2
Date: 2005.1.26
Statement: this is for personal study and sharing experience; the aim is to find the software's weak points, and I hope the author improves them in the next version!
Approach: I like to analyse the registration flow; I rarely analyse the algorithm itself.
Tools: OllyDbg 1.1, W32Dasm 9b
Platform: WinXP
Difference between the registered and unregistered versions: essentially no functional restrictions; the unregistered version is limited in the number of times it can be run.
Start the software and enter the following fake code in the registration window:
BBBBBBBB-BBBBBBBB-BBBBBBBB-BBBBBBBB
7878787878
The software restarts itself to verify the code.
The software is packed with ASPack 2.12. Unpack it with stripper, disassemble it with W32Dasm 9b, and search for "未注册" (unregistered); this leads to the following:
* Referenced by a CALL at Address:
|:0065C708
|
:0065A6B4 55 push ebp
:0065A6B5 8BEC mov ebp, esp
:0065A6B7 33C9 xor ecx, ecx
:0065A6B9 51 push ecx
:0065A6BA 51 push ecx
:0065A6BB 51 push ecx
:0065A6BC 51 push ecx
:0065A6BD 51 push ecx
:0065A6BE 33C0 xor eax, eax
:0065A6C0 55 push ebp
:0065A6C1 68A2A76500 push 0065A7A2
:0065A6C6 64FF30 push dword ptr fs:[eax]
:0065A6C9 648920 mov dword ptr fs:[eax], esp
:0065A6CC E8CB6FFFFF call 0065169C // the key CALL
:0065A6D1 84C0 test al, al
:0065A6D3 0F8485000000 je 0065A75E // if this jump is taken, the title gets "[未注册]" (unregistered)
:0065A6D9 833D0442670000 cmp dword ptr [00674204], 00000000
:0065A6E0 743E je 0065A720
:0065A6E2 8D55F8 lea edx, dword ptr [ebp-08]
:0065A6E5 A16CFF6600 mov eax, dword ptr [0066FF6C]
:0065A6EA 8B00 mov eax, dword ptr [eax]
:0065A6EC E8835EE5FF call 004B0574
:0065A6F1 FF75F8 push [ebp-08]
* Possible StringData Ref from Code Obj ->" - ["
|
:0065A6F4 68B8A76500 push 0065A7B8
:0065A6F9 FF3504426700 push dword ptr [00674204]
:0065A6FF 68C8A76500 push 0065A7C8
:0065A704 8D45FC lea eax, dword ptr [ebp-04]
:0065A707 BA04000000 mov edx, 00000004
:0065A70C E87FAFDAFF call 00405690
:0065A711 8B55FC mov edx, dword ptr [ebp-04]
:0065A714 A1E8416700 mov eax, dword ptr [006741E8]
:0065A719 E8963FE3FF call 0048E6B4
:0065A71E EB67 jmp 0065A787
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0065A6E0(C)
|
:0065A720 8D55F0 lea edx, dword ptr [ebp-10]
:0065A723 A16CFF6600 mov eax, dword ptr [0066FF6C]
:0065A728 8B00 mov eax, dword ptr [eax]
:0065A72A E8455EE5FF call 004B0574
:0065A72F FF75F0 push [ebp-10]
* Possible StringData Ref from Code Obj ->" - ["
|
:0065A732 68B8A76500 push 0065A7B8
:0065A737 FF3500426700 push dword ptr [00674200]
:0065A73D 68C8A76500 push 0065A7C8
:0065A742 8D45F4 lea eax, dword ptr [ebp-0C]
:0065A745 BA04000000 mov edx, 00000004
:0065A74A E841AFDAFF call 00405690
:0065A74F 8B55F4 mov edx, dword ptr [ebp-0C]
:0065A752 A1E8416700 mov eax, dword ptr [006741E8]
:0065A757 E8583FE3FF call 0048E6B4
:0065A75C EB29 jmp 0065A787
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0065A6D3(C)
|
:0065A75E 8D55EC lea edx, dword ptr [ebp-14]
:0065A761 A16CFF6600 mov eax, dword ptr [0066FF6C]
:0065A766 8B00 mov eax, dword ptr [eax]
:0065A768 E8075EE5FF call 004B0574
:0065A76D 8D45EC lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->" - [未注册]"
|
:0065A770 BAD4A76500 mov edx, 0065A7D4
:0065A775 E85EAEDAFF call 004055D8
:0065A77A 8B55EC mov edx, dword ptr [ebp-14]
:0065A77D A1E8416700 mov eax, dword ptr [006741E8]
:0065A782 E82D3FE3FF call 0048E6B4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0065A71E(U), :0065A75C(U)
|
:0065A787 33C0 xor eax, eax
:0065A789 5A pop edx
:0065A78A 59 pop ecx
:0065A78B 59 pop ecx
:0065A78C 648910 mov dword ptr fs:[eax], edx
:0065A78F 68A9A76500 push 0065A7A9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0065A7A7(U)
|
:0065A794 8D45EC lea eax, dword ptr [ebp-14]
:0065A797 BA05000000 mov edx, 00000005
:0065A79C E883ABDAFF call 00405324
:0065A7A1 C3 ret
:0065A7A2 E9B1A3DAFF jmp 00404B58
:0065A7A7 EBEB jmp 0065A794
:0065A7A9 8BE5 mov esp, ebp
:0065A7AB 5D pop ebp
:0065A7AC C3 ret
In OllyDbg set BP 65169C, reload the program and press F9 to run. It breaks at 65169C; trace with F8 and watch the register window carefully.
0065169C /$ 55 PUSH EBP
0065169D |. 8BEC MOV EBP,ESP
0065169F |. 6A 00 PUSH 0
006516A1 |. 53 PUSH EBX
006516A2 |. 33C0 XOR EAX,EAX
006516A4 |. 55 PUSH EBP
006516A5 |. 68 F3166500 PUSH _THINKCA.006516F3
006516AA |. 64:FF30 PUSH DWORD PTR FS:[EAX]
006516AD |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
006516B0 |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
006516B3 |. 8B15 CC036700 MOV EDX,DWORD PTR DS:[6703CC] ; _THINKCA.006741EC
006516B9 |. 8B52 28 MOV EDX,DWORD PTR DS:[EDX+28]
006516BC |. A1 CC036700 MOV EAX,DWORD PTR DS:[6703CC]
006516C1 |. 8B40 2C MOV EAX,DWORD PTR DS:[EAX+2C]
006516C4 |. E8 2716EBFF CALL _THINKCA.00502CF0
006516C9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] // once this instruction has executed, EAX points to the real code.
006516CC |. 8B15 CC036700 MOV EDX,DWORD PTR DS:[6703CC] // a memory keygen can be made at this point.
006516D2 |. 8B52 30 MOV EDX,DWORD PTR DS:[EDX+30]
006516D5 |. E8 4240DBFF CALL _THINKCA.0040571C
006516DA |. 0F94C3 SETE BL
006516DD |. 33C0 XOR EAX,EAX
006516DF |. 5A POP EDX
006516E0 |. 59 POP ECX
006516E1 |. 59 POP ECX
006516E2 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
006516E5 |. 68 FA166500 PUSH _THINKCA.006516FA
006516EA |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
006516ED |. E8 0E3CDBFF CALL _THINKCA.00405300
006516F2 \. C3 RETN
006516F3 .^ E9 6034DBFF JMP _THINKCA.00404B58
006516F8 .^ EB F0 JMP SHORT _THINKCA.006516EA
006516FA . 8BC3 MOV EAX,EBX
006516FC . 5B POP EBX
006516FD . 59 POP ECX
006516FE . 5D POP EBP
006516FF . C3 RETN
The real code I traced is as follows:
BBBBBBBB-BBBBBBBB-BBBBBBBB-BBBBBBBB
48479046
Analysis shows that the registration code is not stored in the registry but in a database.
Summary: crack difficulty: average. The ASPack packer, although well known, has very good unpackers, so it might as well not be used at all. The plaintext comparison of the registration code is what makes the crack difficulty average.
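The weakness the post ends on is a design one: the program derives the expected code from the user's registration data (CALL 00502CF0), keeps it in a Delphi string at [EBP-4], and string-compares it with the typed code (CALL 0040571C, SETE BL). Whatever the derivation is, the valid code has to exist in memory at the moment of the compare, which is why a breakpoint after 006516C9 reads it straight out of EAX. The example below is added by the editor and is not code from the post or from the product; it re-creates that pattern with a hypothetical derivation function, and then shows the alternative a vendor would reach for: the product ships only a public key and verifies a signature over the registration data, so no valid code is ever computed on the user's machine and there is nothing for a memory keygen to copy. The names (`derive_serial`, `check_plaintext`, `vendor_issue_code`, `check_signed`), the sample name and machine id, and the toy textbook RSA over two Mersenne primes are all assumptions made to keep the example dependency-free; a real product would use a vetted library and a proper signature scheme such as Ed25519 or RSA-PSS.

```python
import hashlib
import hmac

# --- Pattern 1: the design seen in the listing (constructed re-creation).
# The product derives the expected code itself, then compares strings.
# The derivation here is a hypothetical stand-in for CALL 00502CF0.

def derive_serial(name: str, machine_id: str) -> str:
    """Hypothetical serial derivation: four 8-hex-digit groups, like the
    XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX format shown in the post."""
    digest = hashlib.sha256(f"{name}|{machine_id}".encode("utf-8")).digest()
    return "-".join(digest[i:i + 4].hex().upper() for i in range(0, 16, 4))


def check_plaintext(name: str, machine_id: str, entered: str) -> bool:
    """Mirrors the listing: derive the real code, then compare it with the
    typed one. compare_digest avoids a timing side channel, but the real
    code is still fully present in memory right before the compare."""
    expected = derive_serial(name, machine_id)
    return hmac.compare_digest(expected, entered)


# --- Pattern 2: verification-only design.
# The product holds only PUBLIC_N and PUBLIC_E. The vendor signs the
# registration data with the private key and hands out the signature as the
# registration code; the product can check it but cannot produce it.
# Toy textbook RSA with two Mersenne primes (assumption: no padding, special
# form primes, far too small for real use; chosen only to avoid dependencies).

_P = (1 << 61) - 1          # M61, prime
_Q = (1 << 89) - 1          # M89, prime
PUBLIC_N = _P * _Q          # about 2^150; this pair is compiled into the product
PUBLIC_E = 65537
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # vendor side only, never shipped


def _digest_int(name: str, machine_id: str) -> int:
    """Hash the registration data and take 128 bits, which is below PUBLIC_N."""
    h = hashlib.sha256(f"{name}|{machine_id}".encode("utf-8")).digest()
    return int.from_bytes(h[:16], "big")


def vendor_issue_code(name: str, machine_id: str) -> str:
    """Runs on the vendor's side: the registration code is the RSA signature
    of the digest, rendered as 19 bytes (152 bits, enough for values < 2^150)."""
    sig = pow(_digest_int(name, machine_id), _PRIVATE_D, PUBLIC_N)
    return sig.to_bytes(19, "big").hex().upper()


def check_signed(name: str, machine_id: str, entered: str) -> bool:
    """Runs in the product: accept the code only if it is a valid signature
    over this name and machine id. Nothing here derives a valid code."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < PUBLIC_N:
        return False
    return pow(sig, PUBLIC_E, PUBLIC_N) == _digest_int(name, machine_id)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the post.
    name, mid = "jney2", "PC-01"
    print("plaintext design, fake code accepted:",
          check_plaintext(name, mid, "BBBBBBBB-BBBBBBBB-BBBBBBBB-BBBBBBBB"))
    print("plaintext design, derived code accepted:",
          check_plaintext(name, mid, derive_serial(name, mid)))
    code = vendor_issue_code(name, mid)
    print("signed design, vendor code accepted:", check_signed(name, mid, code))
    print("signed design, same code on another machine:", check_signed(name, "PC-02", code))
```

In pattern 1 a memory keygen needs only the breakpoint the post describes, because `derive_serial` has to run on the user's machine. In pattern 2 the same breakpoint after `_digest_int` yields a hash, not a code; turning that into an accepted code requires `_PRIVATE_D`, which is not in the product. Tampering with the `check_signed` result (patching the jump that the post marks as "[未注册]") is still possible, so this design defends the code-generation secret, not the binary's integrity; that is a separate problem.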