[Original] A brief analysis of the registration flow of 飓驰猜猜瞧 2.0: an analysis framework for cracking Delphi programs
Hands-on series, part 9
[Author] jackily
[Author homepage]
http://estudy.ys168.com
http://jackily.ys168.com
[Tools] OllyDbg, unTElock, DeDe
[Platform] Win9x/NT/2000/XP
[Packer] tElock 0.98b1 -> tE!
[Statement] This crack is purely for study and exchange; I picked up a few insights and would like to share them :)
--------------------------------------------------------------------------------
Software: 飓驰猜猜瞧 2.0
The program contains 20423 riddles and 721 brain teasers, which makes it fairly entertaining. The unregistered version's database has only 258 items, the brain teasers start at item 217, and some functions are restricted. After registration you can use online upgrade to download the latest program and database.
Unlike my previous articles, this one contains no detailed algorithm tracing; it only analyzes the flow of cracking a Delphi program, to give beginners an analysis framework.
Run the program, click About - Register, and enter the registration code "123456". The message "注请重新启动软件!" (roughly "please restart the software!") pops up and the program exits. This is registration-code plus restart-verification protection, currently the most common kind. First, check the file with PEiD: tElock 0.98b1 -> tE!; unpack it with unTElock. Checking again shows the program was written in Delphi, so load it into DeDe and process it.
------------------------------------------------------------------
As shown in Figure 1, go to Procedures - TFORM3 - Events and double-click "Botton1Click" to get the key code, analyzed below:
Breakpoint: 004d9dda
Listing from DeDe 3.5
004D9D88 55 push ebp
004D9D89 8BEC mov ebp, esp
004D9D8B B905000000 mov ecx, $00000005
004D9D90 6A00 push $00
004D9D92 6A00 push $00
004D9D94 49 dec ecx
004D9D95 75F9 jnz 004D9D90
004D9D97 51 push ecx
004D9D98 53 push ebx
004D9D99 56 push esi
004D9D9A 57 push edi
004D9D9B 8BD8 mov ebx, eax
004D9D9D 33C0 xor eax, eax
004D9D9F 55 push ebp
004D9DA0 68A29F4D00 push $004D9FA2
***** TRY
|
004D9DA5 64FF30 push dword ptr fs:[eax]
004D9DA8 648920 mov fs:[eax], esp
004D9DAB 8D55F4 lea edx, [ebp-$0C]
* Reference to control TForm3.Edit1 : TEdit
|
004D9DAE 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004D9DB4 E8BBE1F6FF call 00447F74
004D9DB9 8B45F4 mov eax, [ebp-$0C]
004D9DBC 8D55F8 lea edx, [ebp-$08]
* Reference to : TForm3._PROC_004D9C70() (this is the outermost call into the algorithm)
|
004D9DBF E8ACFEFFFF call 004D9C70 ; the algorithm call; trace it if you are interested, but don't let it make you dizzy
004D9DC4 8B45F8 mov eax, [ebp-$08]
004D9DC7 50 push eax
004D9DC8 8D55F0 lea edx, [ebp-$10]
* Reference to control TForm3.Edit2 : TEdit
|
004D9DCB 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004D9DD1 E89EE1F6FF call 00447F74
004D9DD6 8B55F0 mov edx, [ebp-$10] ; the fake code we entered
004D9DD9 58 pop eax ; the real registration code; a memory keygen is built here
* Reference to: System.@LStrCmp; (Delphi's typical ANSI string comparison function)
|
004D9DDA E83DA9F2FF call 0040471C ; compares the real and fake registration codes
004D9DDF 0F85DE000000 jnz 004D9EC3 ; if not equal, jump to 4D9EC3
--------------------------------------------------------------------------------------------------
* Possible String Reference to: '请重新启动软件!' ; on success, information is written to the registry and to hgsoft.ini
From 004D9DE5 to 004D9E3B the correct registration code is written into \SoftWare\Microsoft\hgsoft;
004D9DE5 B8B89F4D00 mov eax, $004D9FB8
* Reference to: Dialogs.ShowMessage(AnsiString);
|
004D9DEA E80D90F5FF call 00432DFC
004D9DEF B201 mov dl, $01
* Reference to class TRegistry
|
004D9DF1 A1E0964300 mov eax, dword ptr [$004396E0]
* Reference to: Registry.TRegistry.Create(TRegistry;boolean);overload;
|
004D9DF6 E8E5F9F5FF call 004397E0
004D9DFB 8BF0 mov esi, eax
004D9DFD BA01000080 mov edx, $80000001
004D9E02 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.SetRootKey(TRegistry;HKEY);
|
004D9E04 E877FAF5FF call 00439880
004D9E09 B101 mov cl, $01
* Possible String Reference to: '\SoftWare\Microsoft\hgsoft'
|
004D9E0B BAD49F4D00 mov edx, $004D9FD4
004D9E10 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.OpenKey(TRegistry;AnsiString;Boolean):Boolean; opens the registry key \SoftWare\Microsoft\hgsoft
|
004D9E12 E8CDFAF5FF call 004398E4
004D9E17 8D55EC lea edx, [ebp-$14]
* Reference to control TForm3.Edit2 : TEdit
|
004D9E1A 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004D9E20 E84FE1F6FF call 00447F74
004D9E25 8B4DEC mov ecx, [ebp-$14]
* Possible String Reference to: 'hgsoft'
|
004D9E28 BAF89F4D00 mov edx, $004D9FF8
004D9E2D 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.WriteString(TRegistry;AnsiString;AnsiString); writes the value
|
004D9E2F E84CFCF5FF call 00439A80
004D9E34 8BC6 mov eax, esi
* Reference to: Registry.TRegistry.CloseKey(TRegistry) ; closes the registry key
|
004D9E36 E815FAF5FF call 00439850
004D9E3B 8D55E4 lea edx, [ebp-$1C]
-----------------------------------------------------------------------------
* Reference to TApplication instance
004D9E3E to 004D9EBE write hEW=9S87I11# and REA=D2P3U1z respectively into the [soft] section of hgsoft.ini, marking registration as successful. D2P3U1z is the machine code shown in the registration dialog.
004D9E3E A144EB4D00 mov eax, dword ptr [$004DEB44]
004D9E43 8B00 mov eax, [eax]
* Reference to: Forms.TApplication.GetExeName(TApplication):AnsiString;
|
004D9E45 E8F6E6F8FF call 00468540
004D9E4A 8B45E4 mov eax, [ebp-$1C]
004D9E4D 8D55E8 lea edx, [ebp-$18]
* Reference to: SysUtils.ExtractFilePath(AnsiString):AnsiString;
|
004D9E50 E81FF9F2FF call 00409774
004D9E55 8D45E8 lea eax, [ebp-$18]
* Possible String Reference to: '\hgsoft.ini'
|
004D9E58 BA08A04D00 mov edx, $004DA008
* Reference to: System.@LStrCat;
|
004D9E5D E876A7F2FF call 004045D8
004D9E62 8B45E8 mov eax, [ebp-$18]
004D9E65 8D55FC lea edx, [ebp-$04]
* Reference to: SysUtils.ExpandFileName(AnsiString):AnsiString;
|
004D9E68 E8BBF9F2FF call 00409828
004D9E6D 8B4DFC mov ecx, [ebp-$04]
004D9E70 B201 mov dl, $01
* Reference to class TIniFile
|
004D9E72 A194874300 mov eax, dword ptr [$00438794]
* Reference to: IniFiles.TCustomIniFile.Create(TCustomIniFile;boolean;AnsiString);
|
004D9E77 E8C8E9F5FF call 00438844
004D9E7C 8BF0 mov esi, eax
* Possible String Reference to: '9S87I11#'
|
004D9E7E 681CA04D00 push $004DA01C
* Possible String Reference to: 'hEW'
|
004D9E83 B930A04D00 mov ecx, $004DA030
* Possible String Reference to: 'soft'
|
004D9E88 BA3CA04D00 mov edx, $004DA03C
004D9E8D 8BC6 mov eax, esi
004D9E8F 8B38 mov edi, [eax]
* Reference to method TIniFile.WriteString(string,string,string) ; writes hEW=9S87I11# into [soft]
|
004D9E91 FF5704 call dword ptr [edi+$04]
004D9E94 8D55E0 lea edx, [ebp-$20]
* Reference to control TForm3.Edit1 : TEdit
|
004D9E97 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004D9E9D E8D2E0F6FF call 00447F74
004D9EA2 8B45E0 mov eax, [ebp-$20]
004D9EA5 50 push eax
* Possible String Reference to: 'REA'
|
004D9EA6 B94CA04D00 mov ecx, $004DA04C
* Possible String Reference to: 'soft'
|
004D9EAB BA3CA04D00 mov edx, $004DA03C
004D9EB0 8BC6 mov eax, esi
004D9EB2 8B30 mov esi, [eax]
* Reference to method TIniFile.WriteString(string,string,string) ; write operation, REA=D2P3U1z
|
004D9EB4 FF5604 call dword ptr [esi+$04]
004D9EB7 8BC3 mov eax, ebx
* Reference to: Forms.TCustomForm.Close(TCustomForm);
|
004D9EB9 E8A2A8F8FF call 00464760
004D9EBE E98D000000 jmp 004D9F50 ; continue with the remaining code
-------------------------------------------------------------------------------------
Reached by the jump from 004D9DDF; this means registration failed. There is no registry operation here; it only writes hEW=dsfer and REW=mkuiP8730097187guy into hgsoft.ini.
* Possible String Reference to: '注请重新启动软件!' ; the prompt we saw
|
004D9EC3 B858A04D00 mov eax, $004DA058
* Reference to: Dialogs.ShowMessage(AnsiString);
|
004D9EC8 E82F8FF5FF call 00432DFC
004D9ECD 8D55D8 lea edx, [ebp-$28]
* Reference to TApplication instance
|
004D9ED0 A144EB4D00 mov eax, dword ptr [$004DEB44]
004D9ED5 8B00 mov eax, [eax]
* Reference to: Forms.TApplication.GetExeName(TApplication):AnsiString;
|
004D9ED7 E864E6F8FF call 00468540
004D9EDC 8B45D8 mov eax, [ebp-$28]
004D9EDF 8D55DC lea edx, [ebp-$24]
* Reference to: SysUtils.ExtractFilePath(AnsiString):AnsiString;
|
004D9EE2 E88DF8F2FF call 00409774
004D9EE7 8D45DC lea eax, [ebp-$24]
* Possible String Reference to: '\hgsoft.ini'
|
004D9EEA BA08A04D00 mov edx, $004DA008
* Reference to: System.@LStrCat;
|
004D9EEF E8E4A6F2FF call 004045D8
004D9EF4 8B45DC mov eax, [ebp-$24]
004D9EF7 8D55FC lea edx, [ebp-$04]
* Reference to: SysUtils.ExpandFileName(AnsiString):AnsiString;
|
004D9EFA E829F9F2FF call 00409828
004D9EFF 8B4DFC mov ecx, [ebp-$04]
004D9F02 B201 mov dl, $01
* Reference to class TIniFile
|
004D9F04 A194874300 mov eax, dword ptr [$00438794]
* Reference to: IniFiles.TCustomIniFile.Create(TCustomIniFile;boolean;AnsiString);
|
004D9F09 E836E9F5FF call 00438844
004D9F0E 8BF0 mov esi, eax
* Possible String Reference to: 'dsfer'
|
004D9F10 6874A04D00 push $004DA074
* Possible String Reference to: 'hEW'
|
004D9F15 B930A04D00 mov ecx, $004DA030
* Possible String Reference to: 'soft'
|
004D9F1A BA3CA04D00 mov edx, $004DA03C
004D9F1F 8BC6 mov eax, esi
004D9F21 8B38 mov edi, [eax]
* Reference to method TIniFile.WriteString(string,string,string) ; writes hEW=dsfer
|
004D9F23 FF5704 call dword ptr [edi+$04]
004D9F26 8D55D4 lea edx, [ebp-$2C]
* Reference to control TForm3.Edit1 : TEdit
|
004D9F29 8B83F8020000 mov eax, [ebx+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004D9F2F E840E0F6FF call 00447F74
004D9F34 8B45D4 mov eax, [ebp-$2C]
004D9F37 50 push eax
* Possible String Reference to: 'REW'
|
004D9F38 B984A04D00 mov ecx, $004DA084
* Possible String Reference to: 'soft'
|
004D9F3D BA3CA04D00 mov edx, $004DA03C
004D9F42 8BC6 mov eax, esi
004D9F44 8B30 mov esi, [eax]
* Reference to method TIniFile.WriteString(string,string,string) ; REW=mkuiP8730097187guy, write operation
|
004D9F46 FF5604 call dword ptr [esi+$04]
004D9F49 8BC3 mov eax, ebx
* Reference to: Forms.TCustomForm.Close(TCustomForm);
|
004D9F4B E810A8F8FF call 00464760
004D9F50 33C0 xor eax, eax
004D9F52 5A pop edx
004D9F53 59 pop ecx
004D9F54 59 pop ecx
004D9F55 648910 mov fs:[eax], edx
****** FINALLY
|
004D9F58 68A99F4D00 push $004D9FA9
004D9F5D 8D45D4 lea eax, [ebp-$2C]
* Reference to: System.@LStrClr(void;void);
|
004D9F60 E8ABA3F2FF call 00404310
004D9F65 8D45D8 lea eax, [ebp-$28]
004D9F68 BA02000000 mov edx, $00000002
................ code omitted here
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
004D9F9C E893A3F2FF call 00404334
004D9FA1 C3 ret
* Reference to: System.@HandleFinally;
|
004D9FA2 E9099CF2FF jmp 00403BB0
004D9FA7 EBB4 jmp 004D9F5D
***** END
|
004D9FA9 5F pop edi
004D9FAA 5E pop esi
004D9FAB 5B pop ebx
004D9FAC 8BE5 mov esp, ebp
004D9FAE 5D pop ebp
004D9FAF C3 ret
----------------------------------------------------------------------------
[Memory keygen]
Address: 004D9DD9
Count: 1
Instruction: 58
Length: 2
Registration code: memory mode, register EAX
---------------------------------------------------------------------------
[Summary]
This program is a typical example of a plaintext comparison in a Delphi program; I present it so that beginners can get a feel for decompiling Delphi and using DeDe. Programs compiled by Delphi differ considerably from VB and VC programs. Their characteristics are:
1. They pass values in registers as much as possible and use the stack as little as possible, and they have their own internal functions; the most common comparison functions, such as LStrCmp at 004D9DDA, can be identified by DeDe;
2. Calls are frequent, that is, calls inside calls, nested layer upon layer, which makes tracing troublesome;
3. Although there are many nested calls, the hierarchy is still fairly clear; analyzing programs compiled by Delphi and C++ Builder takes great patience and repeatedly stepping into calls.
This program actually has a BUG as well. As the analysis above shows, after successful registration the program writes hEW=9S87I11# and REA=D2P3U1z into the [soft] section of hgsoft.ini and writes the registration code into the registry. But if we write hEW=9S87I11# and REA="your machine code" into hgsoft.ini, the program also considers itself registered, with no registry operation needed. In other words, as long as you know your own machine code, editing hgsoft.ini is enough to register. Heh!
I won't trace the algorithm for a keygen for now; those interested can trace the call at 004D9DBF to 004D9C70.
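The hgsoft.ini weakness is a state-trust problem: the "registered" marker is a constant, so the program cannot tell a file it wrote from a file someone reproduced. The Go model below is added here and is not the program's code; the section and key names come from the article, while the function names, the sample file and the Ed25519 variant are assumptions. It contrasts the check the article infers with one whose marker is a signature over the machine code, which cannot be reproduced without the vendor's private key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// parseSoftSection reads the [soft] section of hgsoft.ini (section and key names from the article).
func parseSoftSection(ini string) map[string]string {
	vals, inSoft := map[string]string{}, false
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inSoft = strings.EqualFold(line, "[soft]")
		} else if k, v, ok := strings.Cut(line, "="); ok && inSoft {
			vals[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return vals
}

// WeakRegistered models the check the article infers: a fixed marker plus the machine code,
// so the file can be reproduced by anyone who knows their own machine code.
func WeakRegistered(ini, machineCode string) bool {
	s := parseSoftSection(ini)
	return s["hEW"] == "9S87I11#" && s["REA"] == machineCode
}

// SignedRegistered is an assumed hardened variant, not the program's code: hEW carries an
// Ed25519 signature over the machine code, so a file written without the private key fails.
func SignedRegistered(ini, machineCode string, pub ed25519.PublicKey) bool {
	s := parseSoftSection(ini)
	sig, err := base64.StdEncoding.DecodeString(s["hEW"])
	return err == nil && s["REA"] == machineCode && ed25519.Verify(pub, []byte(machineCode), sig)
}

// IssueLicense is the vendor-side step that produces a [soft] section SignedRegistered accepts.
func IssueLicense(priv ed25519.PrivateKey, machineCode string) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(machineCode)))
	return "[soft]\nhEW=" + sig + "\nREA=" + machineCode + "\n"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	forged := "[soft]\nhEW=9S87I11#\nREA=D2P3U1z\n" // constructed from the article's values
	fmt.Println(WeakRegistered(forged, "D2P3U1z"), SignedRegistered(forged, "D2P3U1z", pub))
	fmt.Println(SignedRegistered(IssueLicense(priv, "D2P3U1z"), "D2P3U1z", pub))
}
```

The public key would ship inside the binary, which is fine: unlike the constant marker, knowing it does not let anyone produce a valid hEW value.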
-------------------------------------------------------------------------
Postscript: In the blink of an eye the Lunar New Year is almost over, schools are about to start, and I should get serious about writing my master's thesis, so I'll be busy studying for a while, but I'll drop by whenever I have time. Finally, I wish everyone good health, good work and good study!
jackily
2005.2.21, in Yanji
-------------------------------------------------------------------------------------------
[Copyright notice] This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!