很久没有搞共享软件了,今天看到一个名为《电子鹦鹉》的有趣的软件。大体一看,这款软件表面上看来,作者为了防破解应该费了些心思了。比如说,该软件用了MD5。而且,该软件的验证注册码部分放在了Coder32Bit.dll里面。但是,一经跟踪调试,他的弱点正是无处不在。不但可以轻易爆破,更加失败的是最后的密码是用明文验证。这可真是个天大的问题!下面有部分跟踪的源码和解释。希望能为各位共享软件作者引以为鉴!
00372180 Coder32B.InitRegModule /$ 81EC E4030000 sub esp,3E4
00372180 Coder32B.InitRegModule /$ 81EC E4030000 sub esp,3E4
00372186 |. 53 push ebx
00372187 |. 57 push edi
00372188 |. E8 80180000 call Coder32B.00373A0D
0037218D |. 50 push eax
0037218E |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00372192 |. E8 DF160000 call <jmp.&MFC42.#6467_AFX_MAINTAIN_STATE2:>
00372197 |. 33C9 xor ecx,ecx
00372199 |. 33C0 xor eax,eax
0037219B |. 894C24 41 mov dword ptr ss:[esp+41],ecx /将内存清零备用
0037219F |. 894424 19 mov dword ptr ss:[esp+19],eax /
003721A3 |. 894C24 45 mov dword ptr ss:[esp+45],ecx /
003721A7 |. 894424 1D mov dword ptr ss:[esp+1D],eax /
003721AB |. 894C24 49 mov dword ptr ss:[esp+49],ecx /
003721AF |. 894424 21 mov dword ptr ss:[esp+21],eax /
003721B3 |. 894C24 4D mov dword ptr ss:[esp+4D],ecx /
003721B7 |. 894424 25 mov dword ptr ss:[esp+25],eax /
003721BB |. 66:894C24 51 mov word ptr ss:[esp+51],cx /
003721C0 |. 33DB xor ebx,ebx /
003721C2 |. 884C24 53 mov byte ptr ss:[esp+53],cl /
003721C6 |. 66:894424 29 mov word ptr ss:[esp+29],ax /
003721CB |. B9 08000000 mov ecx,8
003721D0 |. 8D7C24 55 lea edi,dword ptr ss:[esp+55]
003721D4 |. 885C24 54 mov byte ptr ss:[esp+54],bl
003721D8 |. 884424 2B mov byte ptr ss:[esp+2B],al
003721DC |. F3:AB rep stos dword ptr es:[edi]
003721DE |. B9 40000000 mov ecx,40
003721E3 |. 8DBC24 E5000000 lea edi,dword ptr ss:[esp+E5]
003721EA |. 889C24 E4000000 mov byte ptr ss:[esp+E4],bl
003721F1 |. 33D2 xor edx,edx
003721F3 |. F3:AB rep stos dword ptr es:[edi]
003721F5 |. 895424 2D mov dword ptr ss:[esp+2D],edx
003721F9 |. 885C24 18 mov byte ptr ss:[esp+18],bl
003721FD |. 895424 31 mov dword ptr ss:[esp+31],edx
00372201 |. 885C24 40 mov byte ptr ss:[esp+40],bl
00372205 |. 66:AB stos word ptr es:[edi]
00372207 |. 895424 35 mov dword ptr ss:[esp+35],edx
0037220B |. 885C24 2C mov byte ptr ss:[esp+2C],bl
0037220F |. 895424 39 mov dword ptr ss:[esp+39],edx
00372213 |. AA stos byte ptr es:[edi]
00372214 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
00372218 |. 66:895424 3D mov word ptr ss:[esp+3D],dx
0037221D |. 50 push eax
0037221E |. 885424 43 mov byte ptr ss:[esp+43],dl
00372222 |. E8 09150000 call Coder32B.00373730 /获取计算机的信息
00372227 |. 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
0037222B |. 51 push ecx
0037222C |. E8 8F140000 call Coder32B.003736C0 /这里的算出的值后面要用到
00372231 |. 8D5424 34 lea edx,dword ptr ss:[esp+34]
00372235 |. 52 push edx
00372236 |. E8 C50E0000 call Coder32B.00373100 /这里也是算出一个字符串
0037223B |. 83C4 0C add esp,0C
0037223E |. 33C0 xor eax,eax
00372240 |> 8A4C04 2C /mov cl,byte ptr ss:[esp+eax+2C] /
00372244 |. 8A5404 40 |mov dl,byte ptr ss:[esp+eax+40] /
00372248 |. 02CA |add cl,dl /
0037224A |. 8A5404 18 |mov dl,byte ptr ss:[esp+eax+18] /
0037224E |. 02CA |add cl,dl /在此循环加,算出一个字节存入内存备用
00372250 |. 8A9404 E4000000 |mov dl,byte ptr ss:[esp+eax+E4] /
00372257 |. 02D1 |add dl,cl /
00372259 |. 889404 E4000000 |mov byte ptr ss:[esp+eax+E4],dl /
00372260 |. 40 |inc eax /
00372261 |. 83F8 08 |cmp eax,8 /
00372264 |.^ 7C DA \jl short Coder32B.00372240 /
00372266 |. 8D9424 EC020000 lea edx,dword ptr ss:[esp+2EC]
0037226D |. 68 20513700 push Coder32B.00375120
00372272 |. 52 push edx
00372273 |. E8 48080000 call Coder32B.00372AC0
00372278 |. 8D8424 EC000000 lea eax,dword ptr ss:[esp+EC]
0037227F |. 6A 02 push 2
00372281 |. 8D8C24 F8020000 lea ecx,dword ptr ss:[esp+2F8] /
00372288 |. 50 push eax /
00372289 |. 51 push ecx /
0037228A |. E8 910A0000 call Coder32B.00372D20 /
0037228F |. 83C4 14 add esp,14 /
00372292 |. 8D4C24 78 lea ecx,dword ptr ss:[esp+78] /
00372296 |. E8 35EEFFFF call Coder32B.003710D0 /
0037229B |. 8D9424 E4000000 lea edx,dword ptr ss:[esp+E4] /此处都是用到MD5,没有细看。各位可以跟入看个究竟
003722A2 |. 6A 10 push 10 /
003722A4 |. 52 push edx /
003722A5 |. 8D8C24 80000000 lea ecx,dword ptr ss:[esp+80] /
003722AC |. E8 2FEEFFFF call Coder32B.003710E0 /
003722B1 |. 8D4C24 78 lea ecx,dword ptr ss:[esp+78] /
003722B5 |. E8 F6EEFFFF call Coder32B.003711B0 /
003722BA |. 8D4C24 78 lea ecx,dword ptr ss:[esp+78] /
003722BE |. E8 8DEFFFFF call Coder32B.00371250 /
003722C3 |. 33C9 xor ecx,ecx
003722C5 |. 33D2 xor edx,edx
003722C7 |. 8A48 0F mov cl,byte ptr ds:[eax+F]
003722CA |. 8A50 0E mov dl,byte ptr ds:[eax+E]
003722CD |. 51 push ecx ; /<%02x>
003722CE |. 52 push edx ; |<%02x>
003722CF |. 33C9 xor ecx,ecx ; |
003722D1 |. 33D2 xor edx,edx ; |
003722D3 |. 8A48 0D mov cl,byte ptr ds:[eax+D] ; |
003722D6 |. 8A50 0C mov dl,byte ptr ds:[eax+C] ; |
003722D9 |. 51 push ecx ; |<%02x>
003722DA |. 52 push edx ; |<%02x>
003722DB |. 33C9 xor ecx,ecx ; |
003722DD |. 33D2 xor edx,edx ; |
003722DF |. 8A48 0B mov cl,byte ptr ds:[eax+B] ; |
003722E2 |. 8A50 0A mov dl,byte ptr ds:[eax+A] ; |
003722E5 |. 51 push ecx ; |<%02x>
003722E6 |. 52 push edx ; |<%02x>
003722E7 |. 33C9 xor ecx,ecx ; |
003722E9 |. 33D2 xor edx,edx ; |
003722EB |. 8A48 09 mov cl,byte ptr ds:[eax+9] ; |
003722EE |. 8A50 08 mov dl,byte ptr ds:[eax+8] ; |
003722F1 |. 51 push ecx ; |<%02x>
003722F2 |. 52 push edx ; |<%02x>
003722F3 |. 33C9 xor ecx,ecx ; |
003722F5 |. 33D2 xor edx,edx ; |
003722F7 |. 8A48 07 mov cl,byte ptr ds:[eax+7] ; |
003722FA |. 8A50 06 mov dl,byte ptr ds:[eax+6] ; |
003722FD |. 51 push ecx ; |<%02x>
003722FE |. 52 push edx ; |<%02x>
003722FF |. 33C9 xor ecx,ecx ; |
00372301 |. 33D2 xor edx,edx ; |
00372303 |. 8A48 05 mov cl,byte ptr ds:[eax+5] ; |
00372306 |. 8A50 04 mov dl,byte ptr ds:[eax+4] ; |
00372309 |. 51 push ecx ; |<%02x>
0037230A |. 52 push edx ; |<%02x>
0037230B |. 33C9 xor ecx,ecx ; |
0037230D |. 33D2 xor edx,edx ; |
0037230F |. 8A48 03 mov cl,byte ptr ds:[eax+3] ; |
00372312 |. 8A50 02 mov dl,byte ptr ds:[eax+2] ; |
00372315 |. 51 push ecx ; |<%02x>
00372316 |. 52 push edx ; |<%02x>
00372317 |. 33C9 xor ecx,ecx ; |
00372319 |. 33D2 xor edx,edx ; |
0037231B |. 8A48 01 mov cl,byte ptr ds:[eax+1] ; |
0037231E |. 8A10 mov dl,byte ptr ds:[eax] ; |
00372320 |. 51 push ecx ; |<%02x>
00372321 |. 52 push edx ; |<%02x>
00372322 |. 8D8424 94000000 lea eax,dword ptr ss:[esp+94] ; |
00372329 |. 68 28513700 push Coder32B.00375128 ; |format = "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
0037232E |. 50 push eax ; |s
0037232F |. FF15 CC413700 call dword ptr ds:[<&MSVCRT.sprintf>] ; \sprintf /至此,大家都可以看到正确的注册码了。
00373730 /$ 55 push ebp
00373731 |. 8BEC mov ebp,esp
00373733 |. 83EC 18 sub esp,18
00373736 |. 53 push ebx
00373737 |. 33C0 xor eax,eax
00373739 |. 0FA2 cpuid /这个指令有意思,中文就是丘比特(爱神降临)^^
0037373B |. 895D E8 mov dword ptr ss:[ebp-18],ebx
0037373E |. 8955 EC mov dword ptr ss:[ebp-14],edx
00373741 |. 894D F0 mov dword ptr ss:[ebp-10],ecx
00373744 |. B8 01000000 mov eax,1
00373749 |. 33D2 xor edx,edx
0037374B |. 0FA2 cpuid
0037374D |. 8955 FC mov dword ptr ss:[ebp-4],edx
00373750 |. 8945 F8 mov dword ptr ss:[ebp-8],eax
00373753 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00373756 |. 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00373759 |. 50 push eax ; /<%08x>
0037375A |. 68 3C5D3700 push Coder32B.00375D3C ; |format = "%08x"
0037375F |. 51 push ecx ; |s
00373760 |. FF15 CC413700 call dword ptr ds:[<&MSVCRT.sprintf>] ; \sprintf /这里的值在后面用到
00373766 |. 83C4 0C add esp,0C
00373769 |. B8 01000000 mov eax,1
0037376E |. 5B pop ebx
0037376F |. 8BE5 mov esp,ebp
00373771 |. 5D pop ebp
00373772 \. C3 retn
003736C0 /$ 81EC 94000000 sub esp,94
003736C6 |. 57 push edi
003736C7 |. B9 25000000 mov ecx,25
003736CC |. 33C0 xor eax,eax
003736CE |. 8D7C24 04 lea edi,dword ptr ss:[esp+4]
003736D2 |. F3:AB rep stos dword ptr es:[edi]
003736D4 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
003736D8 |. C74424 04 94000000 mov dword ptr ss:[esp+4],94
003736E0 |. 50 push eax ; /pVersionInformation
003736E1 |. FF15 1C403700 call dword ptr ds:[<&KERNEL32.GetVersionExA>; \GetVersionExA
003736E7 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
003736EB |. 33C0 xor eax,eax ; Switch (cases 1..2)
003736ED |. 49 dec ecx
003736EE |. 5F pop edi
003736EF |. 74 1A je short Coder32B.0037370B
003736F1 |. 49 dec ecx
003736F2 |. 75 27 jnz short Coder32B.0037371B
003736F4 |. 8B8C24 98000000 mov ecx,dword ptr ss:[esp+98] ; Case 2 of switch 003736EB
003736FB |. 51 push ecx
003736FC |. E8 9FFDFFFF call Coder32B.003734A0
00373701 |. 83C4 04 add esp,4
00373704 |. 81C4 94000000 add esp,94
0037370A |. C3 retn
PS:有加密,就有解密,这是一场没有硝烟的战斗。重要的是自己能否从中吸取经验,获得自身的提升。
望大家2005都有收获
[注意]APP应用上架合规检测服务,协助应用顺利上架!