【Software name】麻将拼图 v2.0
【Download】http://www.softreg.com.cn/shareware_view.asp?id=/E5DCF286-05EE-4AA8-8ABE-9524013EFADA/
【Platform】Win9x/NT/2000/XP
【Size】314K
【Restrictions】30-day trial plus a random NAG window at startup; once the trial expires the program refuses to run until it is registered.
【Cracking notice】A newbie just learning to crack, purely out of interest, with no other purpose. Please correct me wherever I have slipped up!
【Tools】OllyDbg 1.10, PEiD 0.93
【Description】This program demonstrates how to build a windowed game with the SSS library.
Game rules: drag a mahjong tile with the left mouse button to turn it red; right-click a red tile to remove it. The level is cleared when all tiles are gone. A tile only turns red when two identical tiles face each other with no other tile in between.
========================================================================================
【Analysis】
A PEiD scan shows no packer; the program is written in VC++ 6. Run it, click Register, and enter the name pentaNC with the code 87654321: an error box appears. Without further ado, load it into OD.
Searching for the error string brings us here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F88(U)
| //the program contains a universal KEY: 52341546
:00402F8F 85C0 test eax, eax //no error is shown on registration, which gives the illusion that registration succeeded
:00402F91 7459 je 00402FEC //the classic compare. Unfortunately it is only a trap: set the clock forward a month and you will see.
:00402F93 A178874000 mov eax, dword ptr [00408778]
:00402F98 6A00 push 00000000
:00402F9A 83F803 cmp eax, 00000003 //three wrong attempts and you are out, HOHO
* Possible StringData Ref from Data Obj ->"用户注册"
|
:00402F9D 689C804000 push 0040809C
:00402FA2 7D23 jge 00402FC7
* Possible StringData Ref from Data Obj ->"注册码错误!请重新输入!"
|
:00402FA4 6880804000 push 00408080
:00402FA9 55 push ebp
===================================================================================
From the above we know that a successful registration gives no prompt at all.
Scrolling further up, we come to:
* Possible Reference to Dialog: DialogID_0070, CONTROL_ID:03E9, ""
|
:00402EF3 68E9030000 push 000003E9
:00402EF8 55 push ebp
:00402EF9 FFD3 call ebx
:00402EFB A180874000 mov eax, dword ptr [00408780]
:00402F00 803800 cmp byte ptr [eax], 00 //is the registration name empty?
:00402F03 0F8438010000 je 00403041
:00402F09 8B0D74874000 mov ecx, dword ptr [00408774]
:00402F0F 803900 cmp byte ptr [ecx], 00 //is the registration code empty?
:00402F12 0F8429010000 je 00403041
:00402F18 50 push eax //push the registration name
:00402F19 E822FEFFFF call 00402D40 //the key CALL: the registration code is computed inside
:00402F1E 8B3D74874000 mov edi, dword ptr [00408774]
:00402F24 A180874000 mov eax, dword ptr [00408780]
:00402F29 83C404 add esp, 00000004
:00402F2C 8BF7 mov esi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F4C(C) //the code is compared here two bytes at a time
|
:00402F2E 8A10 mov dl, byte ptr [eax]
:00402F30 8ACA mov cl, dl
:00402F32 3A16 cmp dl, byte ptr [esi] //compare the 1st byte
:00402F34 751C jne 00402F52 //this jump is the universal-KEY compare, but it is a trap; it may also be a KEY the author used for debugging and dropped when finishing
:00402F36 84C9 test cl, cl //I have a question about this spot! See the summary at the end.
:00402F38 7414 je 00402F4E
:00402F3A 8A5001 mov dl, byte ptr [eax+01]
:00402F3D 8ACA mov cl, dl
:00402F3F 3A5601 cmp dl, byte ptr [esi+01] //compare the 2nd byte
:00402F42 750E jne 00402F52
:00402F44 83C002 add eax, 00000002
:00402F47 83C602 add esi, 00000002
:00402F4A 84C9 test cl, cl
:00402F4C 75E0 jne 00402F2E //loop until the whole code has been compared
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F38(C)
|
:00402F4E 33C0 xor eax, eax
:00402F50 EB05 jmp 00402F57
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402F34(C), :00402F42(C)
|
:00402F52 1BC0 sbb eax, eax
:00402F54 83D8FF sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F50(U)
|
:00402F57 85C0 test eax, eax
:00402F59 0F848D000000 je 00402FEC //code correct: jump to save the registration
===================================================================================
Let us step into the computation core and take a look:
* Referenced by a CALL at Addresses:
|:00402F19 , :0040315D
|
:00402D40 53 push ebx
:00402D41 56 push esi
:00402D42 57 push edi
:00402D43 8B7C2410 mov edi, dword ptr [esp+10]
:00402D47 32DB xor bl, bl
:00402D49 8BCF mov ecx, edi
:00402D4B 8A07 mov al, byte ptr [edi]
:00402D4D 84C0 test al, al
:00402D4F 740A je 00402D5B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D59(C)
|
:00402D51 02D8 add bl, al //BL = AL + BL, keeping only the low 8 bits
:00402D53 8A4101 mov al, byte ptr [ecx+01] //sum of the ASCII values of the name's characters
:00402D56 41 inc ecx
:00402D57 84C0 test al, al
:00402D59 75F6 jne 00402D51 //loop until the terminating NUL is reached
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D4F(C)
|
:00402D5B A170874000 mov eax, dword ptr [00408770] //the initial value of DS:[00408770] is 00989681
:00402D60 33F6 xor esi, esi
:00402D62 A37C874000 mov dword ptr [0040877C], eax
:00402D67 A16C874000 mov eax, dword ptr [0040876C]
:00402D6C 85C0 test eax, eax
:00402D6E 7E2D jle 00402D9D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D9B(C)
|
:00402D70 8A0C3E mov cl, byte ptr [esi+edi]
:00402D73 32CB xor cl, bl //XOR the current character's ASCII value with BL
:00402D75 51 push ecx
:00402D76 E895FFFFFF call 00402D10 //the registration code bytes are computed in this CALL
:00402D7B 83C404 add esp, 00000004 //restore ESP
:00402D7E 88043E mov byte ptr [esi+edi], al //store the result computed above
:00402D81 3C0A cmp al, 0A //if AL >= 0A then EAX = EAX + 41, otherwise EAX = EAX + 30
:00402D83 0FBEC0 movsx eax, al
:00402D86 7D05 jge 00402D8D
:00402D88 83C030 add eax, 00000030 //this branch yields only the digits 0-9
:00402D8B EB03 jmp 00402D90
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D86(C)
|
:00402D8D 83C041 add eax, 00000041 //this branch yields only the letters K-P
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D8B(U)
|
:00402D90 88043E mov byte ptr [esi+edi], al //save this byte of the registration code
:00402D93 A16C874000 mov eax, dword ptr [0040876C] //reload EAX with the round count
:00402D98 46 inc esi //counter
:00402D99 3BF0 cmp esi, eax //only 8 rounds are performed, however long the name is
:00402D9B 7CD3 jl 00402D70 //loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D6E(C)
|
:00402D9D C6043800 mov byte ptr [eax+edi], 00 //the code is 8 characters; anything beyond is cut off
:00402DA1 5F pop edi
:00402DA2 5E pop esi
:00402DA3 5B pop ebx
:00402DA4 C3 ret
======================================================================
* Referenced by a CALL at Address:
|:00402D76
|
:00402D10 0FBE442404 movsx eax, byte ptr [esp+04] //sign-extend the XORed CL into EAX
:00402D15 03057C874000 add eax, dword ptr [0040877C] //EAX = EAX + DS:[0040877C] (dword)
:00402D1B 69C0697DAE42 imul eax, 42AE7D69 //EAX = EAX * 42AE7D69 (low dword only)
:00402D21 0531D40000 add eax, 0000D431 //EAX = EAX + 0D431
:00402D26 A37C874000 mov dword ptr [0040877C], eax //save this value back to DS:[0040877C] for the next round
:00402D2B C1F810 sar eax, 10 //arithmetic shift right by 10h (16) bits, high bits filled with the sign bit
:00402D2E 83E00F and eax, 0000000F //EAX = EAX AND 1111b
:00402D31 C3 ret
========================================================================================
【Summary】
This is my second crack write-up, so please point out anything badly written. At the same time there is a lot I do not understand, particularly while cracking this program. The registration code is clearly correct, yet registration reports an error. Did the author foresee this and deliberately make it hard for me? HOHO, just kidding. Here is what happens: with the name "pentacle" the code should be "68740406", but registration treats it as wrong. The reason is that in the third round of comparing the real and entered codes (comparing "04"), ZF becomes 0, which sets off the je 00402F4E. Yet when I use "pentacleNC", the code "096563M8" registers fine. Why is that? Would some expert please tell me? Thank you.
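Putting the two routines above together, here is a keygen in Python that reimplements the listing at 00402D40 (the driver loop) and 00402D10 (the per-byte mixing). It is an added example written for this write-up, not code from the program's author. One assumption: the program always processes 8 bytes of the name buffer, so for names shorter than 8 characters it reads whatever sits after the terminating NUL; the example assumes NUL padding there. The `first_mismatch` helper replays the two-byte compare loop at 00402F2E to report where an entered code diverges from the generated one.

```python
# Added keygen for 麻将拼图 v2.0, reimplemented from the routines at
# 00402D40 (driver) and 00402D10 (per-byte mixing). Not the author's code.

MASK32 = 0xFFFFFFFF
SEED = 0x00989681   # initial value of DS:[00408770], copied to DS:[0040877C] each call
MUL = 0x42AE7D69    # imul constant at 00402D1B
INC = 0x0000D431    # add constant at 00402D21
KEY_LEN = 8         # DS:[0040876C]: rounds performed regardless of name length
ALPHABET = "0123456789KLMNOP"   # nibble < 0Ah -> +30h ('0'-'9'), else +41h ('K'-'P')


def name_checksum(name: bytes) -> int:
    """Loop at 00402D51: BL = 8-bit sum of every byte of the name."""
    return sum(name) & 0xFF


def mix(state: int, c: int) -> tuple:
    """Sub 00402D10: returns (new DS:[0040877C], nibble used for this key byte).

    c is the XORed byte; movsx sign-extends it, so values >= 80h count as negative.
    """
    if c >= 0x80:
        c -= 0x100
    state = ((state + c) * MUL + INC) & MASK32   # 32-bit wraparound, as on the CPU
    return state, (state >> 16) & 0xF             # sar 10h, then and 0Fh


def make_key(name: bytes) -> str:
    """Sub 00402D40: compute the 8-character registration code for a name."""
    bl = name_checksum(name)
    # Assumption (not visible in the listing): bytes past a short name's NUL are zero.
    buf = name[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    state = SEED
    key = []
    for i in range(KEY_LEN):
        state, nibble = mix(state, buf[i] ^ bl)
        key.append(ALPHABET[nibble])
    return "".join(key)


def first_mismatch(expected: str, entered: str) -> int:
    """Replay the compare loop at 00402F2E: index of the first differing byte, -1 if accepted."""
    a = expected.encode() + b"\x00"
    b = entered.encode() + b"\x00"
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else 0
        y = b[i] if i < len(b) else 0
        if x != y:
            return i
        if x == 0:          # both hit the terminator together: strings are equal
            return -1
    return -1


if __name__ == "__main__":
    for n in (b"pentacle", b"pentacleNC"):
        print(n.decode(), make_key(n))
    print(first_mismatch(make_key(b"pentacle"), "68740406"))
```

Run on "pentacle" the generator yields 6874O4O6: positions 4 and 6 are the letter O (nibble 0Eh + 41h = 4Fh), which lies in the K-P range identified in the listing and is easy to misread as the digit 0. Compared against a typed 68740406, the compare loop's third byte pair ("O4" against "04") is the first mismatch, which is exactly where the summary sees the comparison fail. For "pentacleNC" the generated code likewise begins with the letter O rather than a zero, so any code read off a memory dump should be checked for O/0 confusion before it is typed in.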
========================================================================================
【Copyright】belongs to this newbie
【Thanks】First, thanks to the seniors' tutorials and tools, which produced this freshly hatched newbie. Thanks again to 林逸凡 and 深遂 of the 霏凡 forum; without their help I would not have my ID on 看雪. Finally, thanks to my family and friends for their support, especially my cousin 三懂. I dedicate this article to everyone as a token of gratitude.
2005-5-4