[Original] 中华通讯录 V5.0
Posted on: 2005-1-27 09:26
Title: 中华通讯录 V5.0
Author: jney2
Date: 2005.1.26
Statement: for personal study and the exchange of experience, to point out the software's weak spots; I hope the author improves them in the next version!
Approach: I like analyzing the registration flow and rarely do algorithm analysis.
Tool: W32Dasm9b
Platform: WinXP
Searching the highlights section turns up three posts on the algorithm; it is very simple, but none of them analyzes the registration flow, so I will go through it:
中华通讯录 V5.0 is packed with UPX and can be unpacked with UPX itself. Analyzing it in W32Dasm9b:
:0053AFF9 8BD8 mov ebx, eax
:0053AFFB 8BC3 mov eax, ebx
:0053AFFD E876CBFFFF call 00537B78 //registration-code verification CALL
:0053B002 84C0 test al, al
:0053B004 7409 je 0053B00F //jump if the code is wrong.
:0053B006 8BC3 mov eax, ebx
:0053B008 E8D7C8FFFF call 005378E4 //write the registration info to the registry
:0053B00D 5B pop ebx
:0053B00E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053B004(C)
|
* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册"
|
:0053B00F B824B05300 mov eax, 0053B024
:0053B014 E8CF40F2FF call 0045F0E8
:0053B019 5B pop ebx
:0053B01A C3 ret
* Referenced by a CALL at Address:
|:0053AFFD
|
:00537B78 55 push ebp
:00537B79 8BEC mov ebp, esp
:00537B7B 33C9 xor ecx, ecx
:00537B7D 51 push ecx
:00537B7E 51 push ecx
:00537B7F 51 push ecx
:00537B80 51 push ecx
:00537B81 51 push ecx
:00537B82 53 push ebx
:00537B83 56 push esi
:00537B84 8945FC mov dword ptr [ebp-04], eax
:00537B87 33C0 xor eax, eax
:00537B89 55 push ebp
:00537B8A 68547C5300 push 00537C54
:00537B8F 64FF30 push dword ptr fs:[eax]
:00537B92 648920 mov dword ptr fs:[eax], esp
:00537B95 33C0 xor eax, eax
:00537B97 8945F4 mov dword ptr [ebp-0C], eax
:00537B9A 8D55F8 lea edx, dword ptr [ebp-08]
:00537B9D 8B45FC mov eax, dword ptr [ebp-04]
:00537BA0 8B8020040000 mov eax, dword ptr [eax+00000420]
:00537BA6 E8FDEBEFFF call 004367A8
:00537BAB 8B45F8 mov eax, dword ptr [ebp-08]
:00537BAE E889C5ECFF call 0040413C
:00537BB3 8BD8 mov ebx, eax
:00537BB5 85DB test ebx, ebx
:00537BB7 7E2E jle 00537BE7
:00537BB9 BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00537BE5(C)
|
:00537BBE 8D45F0 lea eax, dword ptr [ebp-10]
:00537BC1 50 push eax
:00537BC2 B901000000 mov ecx, 00000001
:00537BC7 8BD6 mov edx, esi
:00537BC9 8B45F8 mov eax, dword ptr [ebp-08]
:00537BCC E873C7ECFF call 00404344
:00537BD1 8B45F0 mov eax, dword ptr [ebp-10]
:00537BD4 E827C7ECFF call 00404300
:00537BD9 8A00 mov al, byte ptr [eax]
:00537BDB 25FF000000 and eax, 000000FF
:00537BE0 0145F4 add dword ptr [ebp-0C], eax
:00537BE3 46 inc esi
:00537BE4 4B dec ebx
:00537BE5 75D7 jne 00537BBE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00537BB7(C)
|
:00537BE7 8D55EC lea edx, dword ptr [ebp-14]
:00537BEA 8B45FC mov eax, dword ptr [ebp-04]
:00537BED 8B8024040000 mov eax, dword ptr [eax+00000424]
:00537BF3 E8B0EBEFFF call 004367A8
:00537BF8 8B45EC mov eax, dword ptr [ebp-14]
:00537BFB E89024EDFF call 0040A090
:00537C00 8B55F4 mov edx, dword ptr [ebp-0C]
:00537C03 81C2FC7E1200 add edx, 00127EFC
:00537C09 81C29EE46400 add edx, 0064E49E
:00537C0F 3BC2 cmp eax, edx
:00537C11 7519 jne 00537C2C //patch point: change it to not jump, i.e. 7519 to 7500; the registered flag is then set in the system.
:00537C13 B301 mov bl, 01
:00537C15 B8ECC55400 mov eax, 0054C5EC
:00537C1A 8B55F8 mov edx, dword ptr [ebp-08]
:00537C1D E8EEC2ECFF call 00403F10
:00537C22 8B45F4 mov eax, dword ptr [ebp-0C]
:00537C25 A3F0C55400 mov dword ptr [0054C5F0], eax
:00537C2A EB02 jmp 00537C2E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00537C11(C)
|
:00537C2C 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00537C2A(U)
|
:00537C2E 33C0 xor eax, eax
:00537C30 5A pop edx
:00537C31 59 pop ecx
:00537C32 59 pop ecx
:00537C33 648910 mov dword ptr fs:[eax], edx
:00537C36 685B7C5300 push 00537C5B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00537C59(U)
|
:00537C3B 8D45EC lea eax, dword ptr [ebp-14]
:00537C3E E879C2ECFF call 00403EBC
:00537C43 8D45F0 lea eax, dword ptr [ebp-10]
:00537C46 E871C2ECFF call 00403EBC
:00537C4B 8D45F8 lea eax, dword ptr [ebp-08]
:00537C4E E869C2ECFF call 00403EBC
:00537C53 C3 ret
:00537C54 E95BBCECFF jmp 004038B4
:00537C59 EBE0 jmp 00537C3B
:00537C5B 8BC3 mov eax, ebx
:00537C5D 5E pop esi
:00537C5E 5B pop ebx
:00537C5F 8BE5 mov esp, ebp
:00537C61 5D pop ebp
:00537C62 C3 ret
//the CALL that writes the registry.
* Referenced by a CALL at Address:
|:0053B008
|
:005378E4 53 push ebx
:005378E5 56 push esi
:005378E6 8BF0 mov esi, eax
:005378E8 B201 mov dl, 01
:005378EA A11C544E00 mov eax, dword ptr [004E541C]
:005378EF E894DCFAFF call 004E5588
:005378F4 8BD8 mov ebx, eax
:005378F6 BA03000080 mov edx, 80000003
:005378FB 8BC3 mov eax, ebx
:005378FD E862DDFAFF call 004E5664
:00537902 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\cnet\Demo"
|
:00537904 BA58795300 mov edx, 00537958
:00537909 8BC3 mov eax, ebx
:0053790B E8BCDDFAFF call 004E56CC
:00537910 8B0DECC55400 mov ecx, dword ptr [0054C5EC]
* Possible StringData Ref from Code Obj ->"Name"
|
:00537916 BA7C795300 mov edx, 0053797C
:0053791B 8BC3 mov eax, ebx
:0053791D E896E0FAFF call 004E59B8
:00537922 8B0DF0C55400 mov ecx, dword ptr [0054C5F0]
* Possible StringData Ref from Code Obj ->"Pass"
|
:00537928 BA8C795300 mov edx, 0053798C
:0053792D 8BC3 mov eax, ebx
:0053792F E828E1FAFF call 004E5A5C
:00537934 8BC3 mov eax, ebx
:00537936 E819B8ECFF call 00403154
* Possible StringData Ref from Code Obj ->"感谢你注册本软件!"
|
:0053793B B89C795300 mov eax, 0053799C
:00537940 E8A377F2FF call 0045F0E8
:00537945 8BC6 mov eax, esi
:00537947 E864000000 call 005379B0
:0053794C 5E pop esi
:0053794D 5B pop ebx
:0053794E C3 ret
Searching for "\Software\cnet\Demo" finds one more location, the code that reads the registry at start-up:
:005379CB A11C544E00 mov eax, dword ptr [004E541C]
:005379D0 E8B3DBFAFF call 004E5588
:005379D5 8BF0 mov esi, eax
:005379D7 BA03000080 mov edx, 80000003
:005379DC 8BC6 mov eax, esi
:005379DE E881DCFAFF call 004E5664
:005379E3 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\cnet\Demo"
|
:005379E5 BAE07A5300 mov edx, 00537AE0
:005379EA 8BC6 mov eax, esi
:005379EC E8DBDCFAFF call 004E56CC //the CALL that reads the registry; it does nothing with the data it reads.
:005379F1 84C0 test al, al
:005379F3 0F84A5000000 je 00537A9E //jump if it cannot be read, i.e. "unregistered".
* Possible StringData Ref from Code Obj ->"中华通讯录"
|
:005379F9 BA047B5300 mov edx, 00537B04
:005379FE A1E8C55400 mov eax, dword ptr [0054C5E8]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053798E(C)
|
:00537A03 E8D0EDEFFF call 004367D8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005379F3(C)
|
* Possible StringData Ref from Code Obj ->"中华通讯录--你是未注册用户,请注册为正式用户?
->"?硎苋?抗δ堋?
|
:00537A9E BA387B5300 mov edx, 00537B38
:00537AA3 A1E8C55400 mov eax, dword ptr [0054C5E8]
:00537AA8 E82BEDEFFF call 004367D8
The registration info is stored in the registry:
[HKEY_USERS\.DEFAULT\Software\cnet\Demo]
"Name"="175F-110D"
"Pass"=dword:000001e6
Summary: a registration flow like this is rare. At start-up, registration is considered successful as long as the key above is read successfully (if the key is missing and the flow is redirected, an error message appears, but it does not affect registration); the values under the key do not matter, only the type has to be right. At the registration check, the registry is written if the code is correct. No other place takes part in the check, and nothing else is tied to your registration code at all.
Crack difficulty: easy.
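The two checks the listing shows (the byte-sum compare at 00537C0F and the open-key-only test at 005379F3), modelled in Python as an added example; this is neither the program's code nor part of the original post. It assumes the Delphi RTL helpers at 0040413C, 00404344 and 0040A090 are Length, Copy and StrToInt, and that the name is a single-byte (GBK) string; the constants 0x127EFC and 0x64E49E and the registry path come from the listing.

```python
# Added example: a Python model of the registration checks seen in the listing.
# Assumptions: 0040413C = Length, 00404344 = Copy, 0040A090 = StrToInt (Delphi
# RTL); the name is GBK-encoded, so each character contributes one or two bytes.

REG_KEY = r".DEFAULT\Software\cnet\Demo"   # StringData Ref at 00537904 / 005379E5
K1, K2 = 0x127EFC, 0x64E49E                # the two 'add edx, ...' at 00537C03/00537C09


def byte_sum(name: str) -> int:
    """Loop 00537BBE..00537BE5: add every byte of the name (masked with 0xFF)."""
    return sum(b & 0xFF for b in name.encode("gbk"))


def verify_code(name: str, code: int) -> bool:
    """Compare at 00537C0F: StrToInt(code) == byte_sum(name) + K1 + K2."""
    return code == byte_sum(name) + K1 + K2


def registry_values_after_success(name: str) -> dict:
    """What 005378E4 writes on success: 'Name' (string) and 'Pass' (dword = byte sum)."""
    return {"Name": name, "Pass": byte_sum(name)}


def startup_is_registered(registry: dict) -> bool:
    """Start-up check 005379EC/005379F3: only 'did the key open?' is tested.

    The values under the key are never read back or re-verified, so any key at
    the right path, even an empty one, counts as registered.
    """
    return REG_KEY in registry


def weaknesses(name: str) -> dict:
    """Properties a reviewer would flag in this scheme."""
    return {
        # the byte sum ignores order, so every anagram of the name shares one code
        "anagram_collision": byte_sum(name[::-1]) == byte_sum(name),
        # an empty key is enough to pass the start-up check
        "empty_key_passes": startup_is_registered({REG_KEY: {}}),
        # the stored values are never checked, so garbage under the key also passes
        "values_ignored": startup_is_registered({REG_KEY: {"Name": "x", "Pass": 0}}),
    }


if __name__ == "__main__":
    # constructed check against the registry dump quoted in the post
    print(hex(byte_sum("175F-110D")))   # 0x1e6, matching "Pass"=dword:000001e6
    print(weaknesses("175F-110D"))
```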