[Original] Cracking a font application, step by step
Posted: 2011-2-22 17:04
Target: 字体试衣间 (Font Fitting Room Deluxe) v3.2.2
1. Removing the NAG window
Load the program and run it. When the trial dialog appears, press F12 to pause, then locate in the stack:
0012F90C /0012FCD4
0012F910 |004445F2 RETURN to ffr.004445F2 from <jmp.&MFC80U.#2011>
0012F914 |9713812D
which leads to
004445AC 391D 60075100 cmp dword ptr ds:[510760],ebx ; [510760] = 0 is all that is needed here
004445B2 75 08 jnz short 004445BC
004445B4 3BFB cmp edi,ebx
004445B6 0F84 D8010000 je 00444794
004445BC E8 53BD0700 call <jmp.&MFC80U.#1086>
004445C1 3BC3 cmp eax,ebx
004445C3 74 0B je short 004445D0
004445C5 8B10 mov edx,dword ptr ds:[eax]
004445C7 8BC8 mov ecx,eax
004445C9 8B42 7C mov eax,dword ptr ds:[edx+7C]
004445CC FFD0 call eax
004445CE EB 02 jmp short 004445D2
004445D0 33C0 xor eax,eax
004445D2 50 push eax
004445D3 8D8C24 9C010000 lea ecx,dword ptr ss:[esp+19C]
004445DA E8 8149FEFF call 00428F60
004445DF 8D8C24 98010000 lea ecx,dword ptr ss:[esp+198]
004445E6 899C24 10030000 mov dword ptr ss:[esp+310],ebx
004445ED E8 0AC00700 call <jmp.&MFC80U.#2011>
004445F2 83F8 02 cmp eax,2
004445F5 8B2D 84245100 mov ebp,dword ptr ds:[512484] ; USER32.PostMessageW
004445FB 75 34 jnz short 00444631
Scroll up to the function prologue:
00444570 6A FF push -1 ; set a breakpoint here (F2)
00444572 68 C67F4C00 push 004C7FC6
00444577 64:A1 00000000 mov eax,dword ptr fs:[0]
0044457D 50 push eax
0044457E 81EC F4020000 sub esp,2F4
Reload and run; when it breaks, inspect the stack:
0012FC28 7831338D RETURN to MFC80U.7831338D
0012FC2C 00000000
0012FC30 00000000
0012FC34 11677F39
0012FC38 0000047A ; this value is the message ID passed to the PostMessageW call that brings up the NAG window
0012FC3C 00D3B274
0012FC40 00000111
Search for the constant 47A; the hits are
004507BA push 47A
00451347 push 47A
0045457D push 47A
00464251 push 47A
Set breakpoints (F2) on all of them, reload and run; the first break is at
00451347 68 7A040000 push 47A
0045134C 50 push eax
0045134D FF15 84245100 call dword ptr ds:[512484] ; USER32.PostMessageW
Scroll up to
00451307 813D 50085100 1A300A00 cmp dword ptr ds:[510850],0A301A ; the key comparison
00451311 0F87 E7000000 ja 004513FE ; this branch must be taken
Search for the constant 00510850; the other reference is at
0045B425 > \85C0 test eax,eax
0045B427 . 75 23 jnz short 0045B44C ; this branch clearly must not be taken
0045B429 . 8B45 EC mov eax,dword ptr ss:[ebp-14]
0045B42C . 50 push eax ; /<%s>
0045B42D . 68 A85A4D00 push 004D5AA8 ; |format = "%s"
0045B432 . 68 D8245100 push 005124D8 ; |wstr = ffr.005124D8
0045B437 . C705 50085100 87190E00 mov dword ptr ds:[510850],0E1987 ; |
0045B441 . FF15 48534D00 call dword ptr ds:[<&MSVCR80._swprintf>] ; \_swprintf
Continue scrolling up to the start of the function:
0045B050 . 55 push ebp
0045B051 . 8DAC24 2CFAFFFF lea ebp,dword ptr ss:[esp-5D4]
0045B058 . 81EC D4050000 sub esp,5D4
0045B05E . 6A FF push -1
0045B060 . 68 E29A4C00 push 004C9AE2
0045B065 . 64:A1 00000000 mov eax,dword ptr fs:[0]
0045B06B . 50 push eax
0045B06C . 83EC 6C sub esp,6C
0045B06F . A1 D0225100 mov eax,dword ptr ds:[5122D0]
This is where the registration information is verified; tracing the algorithm itself is omitted here.
After NOP-ing out the jump at 0045B427 and saving, running the program produces an integrity-check warning.
2. Removing the self-check
Break on MessageBoxW; in the stack find
0012FC44 |00450E30 RETURN to ffr.00450E30 from <jmp.&MFC80U.#1117> ; the call that shows the warning box
0012FC48 |000000C2
0012FC4C |00000000
0012FC50 |FFFFFFFF
0012FC54 |00450DF0 ffr.00450DF0
0012FC58 |783131F2 RETURN to MFC80U.783131F2
0012FC5C |2AF505C4
0012FC60 |0000046D ; message ID
0012FC64 |00E1A978 ASCII "LLN"
0012FC68 |0015D100
Search for the constant 46D, which leads to
004448BE E8 DBB40700 call <jmp.&WINTRUST.WinVerifyTrust> ; verifies the program's own file
004448C3 3D 00010B80 cmp eax,800B0100 ; TRUST_E_NOSIGNATURE
004448C8 75 19 jnz short 004448E3 ; change to jmp
004448CA 56 push esi
004448CB FF15 58554D00 call dword ptr ds:[<&USER32.IsWindow>] ; USER32.IsWindow
004448D1 85C0 test eax,eax
004448D3 74 0E je short 004448E3
004448D5 53 push ebx
004448D6 53 push ebx
004448D7 68 6D040000 push 46D ; message ID
004448DC 56 push esi
004448DD FF15 84245100 call dword ptr ds:[512484] ; PostMessageW
Summary:
00451311 /0F87 E7000000 ja 004513FE ; change to jmp
0045B427 75 23 jnz short 0045B44C ; NOP out
004448C8 75 19 jnz short 004448E3 ; change to jmp
Any registration code is then accepted:
----------------------------------------------------------------
REGEDIT4
[HKEY_CURRENT_USER\Software\Apolisoft\Font Fitting Room Deluxe]
"name"="<encrypted value>"
"key"="<encrypted value>"
----------------------------------------------------------------
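As an added example (not part of the original post, and not the author's tooling), here is a small Python patcher that applies the three patches from the summary above to a copy of the executable. Rather than poking bytes at a guessed file offset, it reads the image base and section table from the PE header, converts each debugger virtual address to a file offset, and refuses to write unless the bytes on disk are exactly the ones the disassembly showed, so a different build is rejected instead of silently corrupted. The ja -> jmp rewrite recomputes rel32 because jmp rel32 is one byte shorter than ja rel32; that arithmetic is mine, derived from the target 004513FE shown above. The addendum's change at 004E6820 is left out because the post gives neither the original bytes nor the width of that value.

```python
"""PE-aware byte patcher for the three patches listed in the write-up's summary.

Added example, not from the original post. Assumes a PE32 (32-bit) image whose
header supplies the image base (the 004xxxxx addresses above imply 0x400000)
and a section table that maps the patched code to file offsets.
"""
import struct
import sys


def ja_to_jmp(code: bytes) -> bytes:
    """Rewrite a 6-byte `ja rel32` (0F 87 xx xx xx xx) as `jmp rel32` (E9) + nop.

    jmp rel32 is 5 bytes, so rel32 grows by 1 to keep the same absolute target.
    """
    if len(code) != 6 or code[:2] != b"\x0f\x87":
        raise ValueError("not a ja rel32 instruction")
    (rel,) = struct.unpack("<i", code[2:])
    return b"\xe9" + struct.pack("<i", rel + 1) + b"\x90"


# (virtual address, bytes shown in the disassembly, replacement) from the summary.
PATCHES = [
    # 00451311: ja 004513FE -> unconditional jmp 004513FE (E9 E8000000 90)
    (0x00451311, bytes.fromhex("0F87E7000000"), ja_to_jmp(bytes.fromhex("0F87E7000000"))),
    # 0045B427: jnz short 0045B44C -> nop nop
    (0x0045B427, bytes.fromhex("7523"), bytes.fromhex("9090")),
    # 004448C8: jnz short 004448E3 -> jmp short 004448E3
    (0x004448C8, bytes.fromhex("7519"), bytes.fromhex("EB19")),
]


def parse_pe(data: bytes):
    """Return (image_base, sections) for a PE32 file.

    sections is a list of (virtual_address, virtual_size, raw_pointer, raw_size).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsections):
        sh = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Map a virtual address (as shown in the debugger) to an offset in the file."""
    rva = va - image_base
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            if delta >= rawsize:
                raise ValueError(f"{va:#010x} lies in uninitialised (virtual-only) space")
            return rawptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def apply_patches(data: bytearray, image_base: int, sections, patches) -> bytearray:
    """Verify the expected bytes at each VA, then overwrite them in place."""
    for va, expected, replacement in patches:
        off = va_to_file_offset(va, image_base, sections)
        found = bytes(data[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#010x}: expected {expected.hex()} but found {found.hex()}; "
                             "different build or already patched")
        data[off:off + len(replacement)] = replacement
    return data


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <input.exe> <output.exe>")
    with open(sys.argv[1], "rb") as f:
        image = bytearray(f.read())
    base, secs = parse_pe(image)
    apply_patches(image, base, secs, PATCHES)
    with open(sys.argv[2], "wb") as f:
        f.write(image)
    print(f"wrote {sys.argv[2]} with {len(PATCHES)} patches applied")
```

Run it as `python patch.py ffr.exe ffr_patched.exe`. The expected-bytes check is the important design choice: it is what turns "patch at this offset" into something safe to re-run on another copy, and it is also why the patched file will fail the WinVerifyTrust check the post describes, since any byte change invalidates the Authenticode digest.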
Addendum:
Several days later a hidden time check kicked in. Following the 47A constant again leads to the time validation routine:
0045A980 /$ 55 push ebp
0045A981 |. 8BEC mov ebp,esp
0045A983 |. 83E4 F8 and esp,FFFFFFF8
0045A986 |. 6A FF push -1
0045A988 |. 68 6B9A4C00 push 004C9A6B
0045A98D |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0045A993 |. 50 push eax
0045A994 |. 81EC BC000000 sub esp,0BC
0045A99A |. 53 push ebx
0045A99B |. 55 push ebp
0045A99C |. 56 push esi
0045A99D |. 57 push edi
0045A99E |. A1 D0225100 mov eax,dword ptr ds:[5122D0]
0045A9A3 |. 33C4 xor eax,esp
0045A9A5 |. 50 push eax
0045A9A6 |. 8D8424 D0000000 lea eax,dword ptr ss:[esp+D0]
0045A9AD |. 64:A3 00000000 mov dword ptr fs:[0],eax
0045A9B3 |. 8BF9 mov edi,ecx
0045A9B5 |. 897C24 34 mov dword ptr ss:[esp+34],edi
0045A9B9 |. 8B35 14534D00 mov esi,dword ptr ds:[<&MSVCR80._time64>] ; MSVCR80._time64
0045A9BF |. 33DB xor ebx,ebx
0045A9C1 |. 53 push ebx
0045A9C2 |. 899C24 90000000 mov dword ptr ss:[esp+90],ebx
0045A9C9 |. C74424 70 01000000 mov dword ptr ss:[esp+70],1
0045A9D1 |. 899C24 94000000 mov dword ptr ss:[esp+94],ebx
0045A9D8 |. C74424 64 90100000 mov dword ptr ss:[esp+64],1090
0045A9E0 |. FFD6 call esi ; <&MSVCR80._time64>
0045A9E2 |. D9EE fldz
The return value (the current time) must be greater than the value stored at 004E6820; changing that value to 0 and saving resolves it.
If other hidden checks appear, search for the constants 46D and 47A to locate them.