(Patching) Beyond comxxxx [Original]
Posted: 2005-3-23 11:33  4283
【Title】(Patching) Beyond comxxxx
【Author】noNaMe-mOnk
【Author's gender】Male
【Homepage】
【E-mail】asanawen@sohu.com
【Group】
【Software】Beyond comxxxx
【Download】
【Tools】peid, od1.10, win32asm, dede
【Protection】keyfile, the kind that gives me the worst headache
【Restriction】30 days
【Difficulty】Medium
----------------------------------------------------
Software introduction:
An excellent file and folder (directory) comparison tool with a built-in file browser, which makes it convenient to compare differences between files, folders, archives and FTP sites and to synchronize data.
----------------------------------------------------
Cracking statement: to sharpen my tools, nothing more.
----------------------------------------------------
【Analysis】
The computers at work always have viruses; you can't kill them all and you can't keep them out. Every machine has antivirus installed and none of them update their signatures. So I keep a list of the normal files and, when something seems off, compare against it to see whether any suspicious files have appeared. That is how I found Beyond comxxxx. (For other people's benefit, and to avoid trouble for myself, I will leave out the software's name and version; if you want it, e-mail me, though I may not reply, hahaha.) End of preface,
let's get to work.
PEiD scan: Delphi 6.0-7.0, no packer.
Run it: Trial / Enter registration key. When entering a key it sometimes says the key is wrong and sometimes says nothing (I was entering the contents of trial.key). Find the OK button handler with DeDe:
043A742C . 55 PUSH EBP
043A742D . 8BEC MOV EBP,ESP
043A742F . 6A 00 PUSH 0
043A7431 . 6A 00 PUSH 0
043A7433 . 53 PUSH EBX
043A7434 . 8BD8 MOV EBX,EAX
043A7436 . 33C0 XOR EAX,EAX
043A7438 . 55 PUSH EBP
043A7439 . 68 28753A04 PUSH bcx.043A7528
043A743E . 64:FF30 PUSH DWORD PTR FS:[EAX]
043A7441 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
043A7444 . C783 4C020000 >MOV DWORD PTR DS:[EBX+24C],2
043A744E . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
043A7451 . 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
043A7457 . E8 E027E6FF CALL bcx.04209C3C
043A745C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
043A745F . 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
043A7462 . E8 C5FCFFFF CALL bcx.043A712C
043A7467 . 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
043A746B . 0F84 99000000 JE bcx.043A750A
043A7471 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
043A7474 . B8 3C753A04 MOV EAX,bcx.043A753C ; ASCII "Begin Key----------------------"
043A7479 . E8 36E3DEFF CALL bcx.041957B4
043A747E . 85C0 TEST EAX,EAX
043A7480 . 75 1A JNZ SHORT bcx.043A749C
043A7482 . 68 64753A04 PUSH bcx.043A7564 ; ASCII "-Begin Key----------------------"
043A7487 . FF75 FC PUSH DWORD PTR SS:[EBP-4]
043A748A . 68 90753A04 PUSH bcx.043A7590 ; ASCII "------------------------End Key-"
043A748F . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
043A7492 . BA 03000000 MOV EDX,3
043A7497 . E8 94E0DEFF CALL bcx.04195530
043A749C > 66:B8 F5FF MOV AX,0FFF5
043A74A0 . E8 7BC2FFFF CALL bcx.043A3720
043A74A5 . 33C0 XOR EAX,EAX
043A74A7 . 55 PUSH EBP
043A74A8 . 68 03753A04 PUSH bcx.043A7503
043A74AD . 64:FF30 PUSH DWORD PTR FS:[EAX]
043A74B0 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
043A74B3 . 33C0 XOR EAX,EAX
043A74B5 . 8983 4C020000 MOV DWORD PTR DS:[EBX+24C],EAX
043A74BB . 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
043A74C1 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
043A74C3 . FF92 E0000000 CALL DWORD PTR DS:[EDX+E0]
043A74C9 . 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
043A74CF . 8B10 MOV EDX,DWORD PTR DS:[EAX]
043A74D1 . FF92 88000000 CALL DWORD PTR DS:[EDX+88]
043A74D7 . 68 F4010000 PUSH 1F4 ; /Timeout = 500. ms
043A74DC . E8 038BDFFF CALL <JMP.&kernel32.Sleep> ; \Sleep
043A74E1 . A1 E0EF3C04 MOV EAX,DWORD PTR DS:[43CEFE0]
043A74E6 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
043A74E8 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
043A74EB . E8 4CD2ECFF CALL bcx.0427473C ******** step into this one, because we can't get past it
043A74F0 . 33C0 XOR EAX,EAX
043A74F2 . 5A POP EDX
043A74F3 . 59 POP ECX
043A74F4 . 59 POP ECX
043A74F5 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
043A74F8 . 68 0A753A04 PUSH bcx.043A750A
043A74FD > E8 4AC2FFFF CALL bcx.043A374C
043A7502 . C3 RETN
*********************CALL bcx.0427473C*************************
0427473C /$ 55 PUSH EBP
0427473D |. 8BEC MOV EBP,ESP
0427473F |. B9 13000000 MOV ECX,13
04274744 |> 6A 00 /PUSH 0
04274746 |. 6A 00 |PUSH 0
04274748 |. 49 |DEC ECX
04274749 |.^75 F9 \JNZ SHORT bcx.04274744
0427474B |. 51 PUSH ECX
0427474C |. 53 PUSH EBX
0427474D |. 56 PUSH ESI
0427474E |. 57 PUSH EDI
0427474F |. 8BDA MOV EBX,EDX
04274751 |. 8BF0 MOV ESI,EAX
04274753 |. 33C0 XOR EAX,EAX
04274755 |. 55 PUSH EBP
04274756 |. 68 93482704 PUSH bcx.04274893
0427475B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0427475E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
04274761 |. 33C0 XOR EAX,EAX
04274763 |. 8986 B8000000 MOV DWORD PTR DS:[ESI+B8],EAX
04274769 |. C646 35 07 MOV BYTE PTR DS:[ESI+35],7
0427476D |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
04274770 |. 8BD3 MOV EDX,EBX
04274772 |. E8 C10AF2FF CALL bcx.04195238
04274777 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0427477A |. B8 AC482704 MOV EAX,bcx.042748AC ; ASCII "Begin Key----------------------"
0427477F |. E8 3010F2FF CALL bcx.041957B4
04274784 |. 8BD8 MOV EBX,EAX
04274786 |. 85DB TEST EBX,EBX
04274788 |. 75 16 JNZ SHORT bcx.042747A0
0427478A |. C786 B8000000 >MOV DWORD PTR DS:[ESI+B8],3
04274794 |. 8BC6 MOV EAX,ESI
04274796 |. E8 7D3D0000 CALL bcx.04278518
0427479B |. E9 C7000000 JMP bcx.04274867
042747A0 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
042747A3 |. 50 PUSH EAX
042747A4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
042747A7 |. E8 C40CF2FF CALL bcx.04195470
042747AC |. 8BC8 MOV ECX,EAX
042747AE |. 8D53 1F LEA EDX,DWORD PTR DS:[EBX+1F]
042747B1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
042747B4 |. E8 170FF2FF CALL bcx.041956D0
042747B9 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
042747BC |. B8 D4482704 MOV EAX,bcx.042748D4 ; ASCII "------------------------End Key-"
042747C1 |. E8 EE0FF2FF CALL bcx.041957B4
042747C6 |. 85C0 TEST EAX,EAX
042747C8 |. 75 16 JNZ SHORT bcx.042747E0
042747CA |. C786 B8000000 >MOV DWORD PTR DS:[ESI+B8],4
042747D4 |. 8BC6 MOV EAX,ESI
042747D6 |. E8 3D3D0000 CALL bcx.04278518
042747DB |. E9 87000000 JMP bcx.04274867
042747E0 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
042747E3 |. 50 PUSH EAX
042747E4 |. B8 D4482704 MOV EAX,bcx.042748D4 ; ASCII "------------------------End Key-"
042747E9 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
042747EC |. E8 C30FF2FF CALL bcx.041957B4
042747F1 |. 8BC8 MOV ECX,EAX
042747F3 |. BA 01000000 MOV EDX,1
042747F8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
042747FB |. E8 D00EF2FF CALL bcx.041956D0
04274800 |. BF 01000000 MOV EDI,1
04274805 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
04274808 |. E8 9309F2FF CALL bcx.041951A0
0427480D |. EB 39 JMP SHORT bcx.04274848
0427480F |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
04274812 |. 8A5C38 FF |MOV BL,BYTE PTR DS:[EAX+EDI-1]
04274816 |. 8BC3 |MOV EAX,EBX
04274818 |. 2C 2B |SUB AL,2B
0427481A |. 74 16 |JE SHORT bcx.04274832
0427481C |. 2C 02 |SUB AL,2
0427481E |. 74 12 |JE SHORT bcx.04274832
04274820 |. 04 FD |ADD AL,0FD
04274822 |. 2C 0A |SUB AL,0A
04274824 |. 72 0C |JB SHORT bcx.04274832
04274826 |. 04 F9 |ADD AL,0F9
04274828 |. 2C 1A |SUB AL,1A
0427482A |. 72 06 |JB SHORT bcx.04274832
0427482C |. 04 FA |ADD AL,0FA
0427482E |. 2C 1A |SUB AL,1A
04274830 |. 73 15 |JNB SHORT bcx.04274847
04274832 |> 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
04274835 |. 8BD3 |MOV EDX,EBX
04274837 |. E8 4C0BF2FF |CALL bcx.04195388
0427483C |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
0427483F |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
04274842 |. E8 310CF2FF |CALL bcx.04195478
04274847 |> 47 |INC EDI
04274848 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0427484B |. E8 200CF2FF |CALL bcx.04195470
04274850 |. 3BF8 |CMP EDI,EAX
04274852 |.^7C BB \JL SHORT bcx.0427480F
04274854 |. 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
0427485A |. 50 PUSH EAX
0427485B |. 33C9 XOR ECX,ECX
0427485D |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
04274860 |. 8BC6 MOV EAX,ESI
04274862 |. E8 8D0D0000 CALL bcx.042755F4 ******* step into here *****
04274867 |> 33C0 XOR EAX,EAX
04274869 |. 5A POP EDX
0427486A |. 59 POP ECX
0427486B |. 59 POP ECX
0427486C |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0427486F |. 68 9A482704 PUSH bcx.0427489A
04274874 |> 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
0427487A |. 8B15 C4452704 MOV EDX,DWORD PTR DS:[42745C4] ; bcx.042745C8
04274880 |. E8 DF16F2FF CALL bcx.04195F64
04274885 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
04274888 |. BA 03000000 MOV EDX,3
0427488D |. E8 3209F2FF CALL bcx.041951C4
04274892 \. C3 RETN
04274893 .^E9 A801F2FF JMP bcx.04194A40
04274898 .^EB DA JMP SHORT bcx.04274874
0427489A . 5F POP EDI
0427489B . 5E POP ESI
0427489C . 5B POP EBX
0427489D . 8BE5 MOV ESP,EBP
0427489F . 5D POP EBP
042748A0 . C3 RETN
What I entered was the contents of trial.key:
VEJycIJsuIqrFRPXBT0VFoHOsfdnFzBA
lt76knwASpm0UlY4DySv6i1HDC+dHNKJ
O4y0IyvNV7OfhzzpWN4VkL3Qk67Kxj9R
tK7ltVAy8mQy2e4U0U459gaF+NHK+PAW
q4Q1jmi6SVDzxuopZMsTW8JNAx-fpK94
m9wgjX9zqx+R1zPIle+xg+rLUo7zXWBS
ZcIyFwejysuQP0A35Ub2fTIzRx0alPqJ
RfKRCJNhUUNPzar1vh9WH2K2dXgtv2wX
***************04274862 |. E8 8D0D0000 CALL bcx.042755F4
…………
******** code omitted, too long
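As an added example (my own Python, not code from the post or from the program), here is what the key-file parsing routine at 0427473C appears to do, reconstructed from the listing above, together with the wrapping the OK-button handler does at 043A7471-043A7497: find the "Begin Key" marker, cut off the header, cut at the "End Key" marker, then keep only the characters that the SUB/ADD chain at 0427480F-04274830 accepts. The helper names (Pos, Copy, Length, concatenation) are my reading of the Delphi RTL calls and are not symbols from the binary; the trial-key lines are the ones quoted in the post.

```python
# Added example, not code from the original post. Re-creation in Python of the
# key-file parsing seen in the 0427473C listing. Assumptions: 041957B4 = Pos,
# 041956D0 = Copy, 04195470 = Length, 04195530 = three-string concatenation.

BEGIN_MARK = "Begin Key----------------------"   # string at 042748AC / 043A753C
END_MARK = "------------------------End Key-"    # string at 042748D4 / 043A7590

# The 64 characters the filter loop keeps: '+', '-', digits, upper, lower.
KEY_ALPHABET = set("+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def keeps_char(ch):
    """Mirror of the SUB/ADD chain at 04274818-04274830, byte for byte.

    After SUB AL,imm a JB is taken iff the old AL was below imm (unsigned),
    which is how each range test is written without a CMP.
    """
    al = (ord(ch) - 0x2B) & 0xFF         # SUB AL,2B
    if al == 0:                          # JE  -> '+'
        return True
    al = (al - 0x02) & 0xFF              # SUB AL,2
    if al == 0:                          # JE  -> '-'
        return True
    al = (al + 0xFD) & 0xFF              # ADD AL,0FD   (AL == ch - '0')
    if al < 0x0A:                        # SUB AL,0A / JB -> '0'..'9'
        return True
    al = (al - 0x0A + 0xF9) & 0xFF       # ADD AL,0F9   (AL == ch - 'A')
    if al < 0x1A:                        # SUB AL,1A / JB -> 'A'..'Z'
        return True
    al = (al - 0x1A + 0xFA) & 0xFF       # ADD AL,0FA   (AL == ch - 'a')
    return al < 0x1A                     # SUB AL,1A / JNB skips -> 'a'..'z' kept


def wrap_pasted_key(text):
    """043A7471-043A7497: pasted text without a header is wrapped in the markers."""
    if BEGIN_MARK in text:               # Pos() <> 0 -> JNZ 043A749C
        return text
    return "-" + BEGIN_MARK + text + END_MARK   # concat of the three pushed strings


def extract_key_body(text):
    """0427477A-04274852. Returns (body, status): status 3 / 4 are the values
    stored at [ESI+B8] for a missing begin / end marker, 0 means parsed."""
    pos = text.find(BEGIN_MARK)          # Pos(BEGIN_MARK, S); 0-based here
    if pos < 0:
        return None, 3                   # MOV DWORD PTR DS:[ESI+B8],3
    s = text[pos + len(BEGIN_MARK):]     # Copy(S, pos+1Fh, Length(S)): drop header
    end = s.find(END_MARK)               # Pos(END_MARK, S)
    if end < 0:
        return None, 4                   # MOV DWORD PTR DS:[ESI+B8],4
    s = s[:end + 1]                      # Copy(S, 1, pos): keeps the marker's first '-'
    # EDI runs 1 .. Length-1 (CMP EDI,EAX / JL), so that trailing '-' is never examined.
    body = "".join(ch for ch in s[:-1] if keeps_char(ch))
    return body, 0


# The trial.key contents quoted in the post, exactly as typed there.
TRIAL_KEY_LINES = [
    "VEJycIJsuIqrFRPXBT0VFoHOsfdnFzBA",
    "lt76knwASpm0UlY4DySv6i1HDC+dHNKJ",
    "O4y0IyvNV7OfhzzpWN4VkL3Qk67Kxj9R",
    "tK7ltVAy8mQy2e4U0U459gaF+NHK+PAW",
    "q4Q1jmi6SVDzxuopZMsTW8JNAx-fpK94",
    "m9wgjX9zqx+R1zPIle+xg+rLUo7zXWBS",
    "ZcIyFwejysuQP0A35Ub2fTIzRx0alPqJ",
    "RfKRCJNhUUNPzar1vh9WH2K2dXgtv2wX",
]

if __name__ == "__main__":
    body, status = extract_key_body(wrap_pasted_key("\n".join(TRIAL_KEY_LINES)))
    print("status", status, "body length", len(body))
    print(body)
```

Run on the quoted trial.key text, the result is the eight lines joined with every newline removed, which is why the key can be pasted with line breaks and why whitespace in the input never triggers the "key damaged" paths (those are only reached when a marker is missing). The accepted set is exactly 64 symbols, a base64-style alphabet with '-' in place of '/', which fits the look of the key and is the reason the '-' in line five of the key survives the filter.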
Went around in circles and got lost. Step back one: maybe some flags need to be initialized first? Start from the "enter registration key" button.
043A89AC /$ 55 PUSH EBP
043A89AD |> 8BEC MOV EBP,ESP
043A89AF |. 83C4 F8 ADD ESP,-8
043A89B2 |. 53 PUSH EBX
043A89B3 |. 8BD8 MOV EBX,EAX
043A89B5 |. A0 3C193D04 MOV AL,BYTE PTR DS:[43D193C] *** here
043A89BA |. 8845 FB MOV BYTE PTR SS:[EBP-5],AL
043A89BD |. C605 3C193D04 >MOV BYTE PTR DS:[43D193C],3 *** here
043A89C4 |. 33C0 XOR EAX,EAX
043A89C6 |. 55 PUSH EBP
043A89C7 |. 68 418A3A04 PUSH bcx.043A8A41
043A89CC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
043A89CF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
043A89D2 |. 8BCB MOV ECX,EBX
043A89D4 |. B2 01 MOV DL,1
043A89D6 |. A1 086F3A04 MOV EAX,DWORD PTR DS:[43A6F08]
043A89DB |. E8 C8B2E7FF CALL bcx.04223CA8
043A89E0 |. A3 48193D04 MOV DWORD PTR DS:[43D1948],EAX
043A89E5 |. 33C0 XOR EAX,EAX
043A89E7 |. 55 PUSH EBP
043A89E8 |. 68 1B8A3A04 PUSH bcx.043A8A1B
043A89ED |. 64:FF30 PUSH DWORD PTR FS:[EAX]
043A89F0 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
043A89F3 |. A1 48193D04 MOV EAX,DWORD PTR DS:[43D1948]
043A89F8 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
043A89FA |. FF92 EC000000 CALL DWORD PTR DS:[EDX+EC]
043A8A00 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
043A8A03 |. 33C0 XOR EAX,EAX
043A8A05 |. 5A POP EDX
043A8A06 |. 59 POP ECX
043A8A07 |. 59 POP ECX
043A8A08 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
043A8A0B |. 68 228A3A04 PUSH bcx.043A8A22
043A8A10 |> B8 48193D04 MOV EAX,bcx.043D1948
043A8A15 |. E8 4E7BDFFF CALL bcx.041A0568
043A8A1A \. C3 RETN
Set a memory access breakpoint on [43D1948] and register:
043A86B0 . 803D 3C193D04 >CMP BYTE PTR DS:[43D193C],3 ****** breaks here
043A86B7 . 75 6B JNZ SHORT bcx.043A8724
043A86B9 . A1 40193D04 MOV EAX,DWORD PTR DS:[43D1940]
043A86BE E8 7100EDFF CALL bcx.04278734******
043A86C3 . 3C 03 CMP AL,3
043A86C5 75 44 JNZ SHORT bcx.043A870B ******** found that if this does not jump, the "registered successfully" message appears, but it is still not really registered. Haha, not far now. Step into CALL bcx.04278734
043A86C7 . 6A 00 PUSH 0
043A86C9 . 66:8B0D 2C873A>MOV CX,WORD PTR DS:[43A872C]
043A86D0 . B2 02 MOV DL,2
043A86D2 . B8 38873A04 MOV EAX,bcx.043A8738
043A86D7 . E8 20E3FFFF CALL bcx.043A69FC
043A86DC . A1 48193D04 MOV EAX,DWORD PTR DS:[43D1948]
043A86E1 . 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
043A86E4 . 8B15 1C763A04 MOV EDX,DWORD PTR DS:[43A761C] ; bcx.043A7668
043A86EA . E8 49BDDEFF CALL bcx.04194438
043A86EF . 84C0 TEST AL,AL
043A86F1 75 18 JNZ SHORT bcx.043A870B
043A86F3 . A1 80F13C04 MOV EAX,DWORD PTR DS:[43CF180]
043A86F8 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
043A86FA . E8 6124F2FF CALL bcx.042CAB60
043A86FF . A1 08F63C04 MOV EAX,DWORD PTR DS:[43CF608]
043A8704 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
043A8706 . E8 851AF9FF CALL bcx.0433A190
043A870B > 6A 00 PUSH 0
043A870D . 6A 01 PUSH 1
043A870F . 68 03040000 PUSH 403
043A8714 . A1 48193D04 MOV EAX,DWORD PTR DS:[43D1948]
043A8719 . E8 CE7FE6FF CALL bcx.042106EC
043A871E . 50 PUSH EAX ; |hWnd
043A871F . E8 3801DFFF CALL <JMP.&user32.PostMessageA> ; \PostMessageA
043A8724 > C605 3C193D04 >MOV BYTE PTR DS:[43D193C],2
043A872B . C3 RETN
****************CALL bcx.04278734**************************
04278734 8A80 10050000 MOV AL,BYTE PTR DS:[EAX+510]
0427873A \. C3 RETN
************************************************************
[eax+510]=[0095ab04]=02, interesting. Set a hardware access breakpoint on 0095ab04.
04276954 FF2485 5B69270>JMP DWORD PTR DS:[EAX*4+427695B]
0427695B . 83692704 DD bcx.04276983 ; Switch table used at 04276954
0427695F . C1692704 DD bcx.042769C1
04276963 . FF692704 DD bcx.042769FF
04276967 . 606A2704 DD bcx.04276A60
0427696B . 9E6A2704 DD bcx.04276A9E
0427696F . DC6A2704 DD bcx.04276ADC
04276973 . 526B2704 DD bcx.04276B52
04276977 . 176B2704 DD bcx.04276B17
0427697B . 856B2704 DD bcx.04276B85
0427697F . 3D6A2704 DD bcx.04276A3D
04276983 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Case 65 ('e') of switch 04276948
04276986 . C680 20050000 >MOV BYTE PTR DS:[EAX+520],0
0427698D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
04276990 . C680 10050000 >MOV BYTE PTR DS:[EAX+510],2
04276997 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ***** breaks here. Looking up, it is a jump table, and the movs below decide whether registration succeeds; look down for mov [95ab04],03, i.e. mov [eax+510],03
0427699A . C680 11050000 >MOV BYTE PTR DS:[EAX+511],0B
042769A1 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
042769A4 . 66:8B80 940000>MOV AX,WORD PTR DS:[EAX+94]
042769AB . 66:0B05 F06C27>OR AX,WORD PTR DS:[4276CF0]
042769B2 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
042769B5 . 66:8982 940000>MOV WORD PTR DS:[EDX+94],AX
042769BC . E9 C4010000 JMP bcx.04276B85
042769C1 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Case 66 ('f') of switch 04276948
042769C4 . C680 20050000 >MOV BYTE PTR DS:[EAX+520],0
042769CB . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
…………
04276B52 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Case 6B ('k') of switch 04276948
04276B55 . C680 10050000 >MOV BYTE PTR DS:[EAX+510],3 ***** here
04276B5C . 80BD 45FFFFFF >CMP BYTE PTR SS:[EBP-BB],0
04276B63 . 74 0C JE SHORT bcx.04276B71
04276B65 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
04276B68 . C680 11050000 >MOV BYTE PTR DS:[EAX+511],7
04276B6F . EB 0A JMP SHORT bcx.04276B7B
04276B71 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
04276B74 . C680 11050000 >MOV BYTE PTR DS:[EAX+511],4
04276B7B > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
04276B7E . C680 20050000 >MOV BYTE PTR DS:[EAX+520],1
Change the jump-table dispatch instruction JMP DWORD PTR DS:[EAX*4+427695B]
to
04276954 E9 F9010000 JMP bcx.04276B52
04276959 90 NOP
0427695A 90 NOP
and it registers successfully straight away. Patching done.
Epilogue: the executable cannot be modified directly, otherwise it reports that the trial.key file is damaged. So make a memory patch instead:
Patch address: 4276954
Patch length: 7
Original bytes: ff24855b692704
Patched bytes: e9f90100009090
----------------------------------------------------
【Summary】
Gains: first this piece of software, then experience. Patching really does take luck, and it takes skill too.
----------------------------------------------------
【Copyright】
When reposting, please keep the article intact. Thank you.
―――― noNaMe-mOnk