rhino V2.03 registration analysis [KeyFile protect]
Posted on: 2005-5-20 16:13 · 10673 views
【Cracker】 winndy[FCG][PYG]
【Author email】 CNwinndy@hotmail.com
【Tools used】 PEiD v0.93, OllyDbg v1.10 (fly modified build), upx 1.24w
【Platform】 WinXP SP2
【Software】 rhino V2.03
【Official site】 http://bigtick.pastnotecut.org
【Language】 Microsoft Visual C++
【Notes】 Keyfile protection; corrections are welcome if I have made mistakes!

              While browsing http://www.codecomments.com/archive258-2004-4-152138.html I came across this:
              “
              BigTick
            2004-03-19, 8:26 pm

            I've written a short essay that may interest you. It's mostly C++, but it shows that you can get a decent amount of protection with only a little bit of asm. Of course if you code primarily in asm, you can apply the same technique.
            Anyway... read the stuff here: http://bigtick.pastnotecut.org/tutorials/cp.html
            Comments are welcome.
            'Tick

             PS. The text describes the principles only, but I can provide a fully working example if you're interested.

              ”
              which left me itching to give it a try.
              I read his article, it is quite good, so I downloaded rhino to take a look.
              
【Disclaimer】 For study, for fun.
            

【Process】 PEiD identifies the packer as UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo,
             so unpack it with upx 1.24w:
             upx -d -o unpacked.exe rhino2.exe

             Load unpacked.exe in OD and search for strings:

             文本字符串参考位于 unpacked:.text,项目 2241
地址=00451972
反汇编=push unpacked.004B7F74
文本字符=ASCII "Thank you for using Rhino !"

             文本字符串参考位于 unpacked:.text,项目 2242
地址=004519E6
反汇编=push unpacked.004B7F38
文本字符=ASCII "Please support shareware development by registering Rhino."

  Set a breakpoint on each and double-click to follow:
  
  

00451935     > \8B55 F0          mov edx,dword ptr ss:[ebp-10]
00451938     .  8B8A 48080000    mov ecx,dword ptr ds:[edx+848]
0045193E     .  E8 CDB0FDFF      call unpacked.0042CA10                ; ==> Attention: the key-file check
00451943        0FB6C0           movzx eax,al
00451946        85C0             test eax,eax                          ; ==> Attention: result of the check
00451948     .  74 74            je short unpacked.004519BE
0045194A     .  8D8D 97FCFFFF    lea ecx,dword ptr ss:[ebp-369]
00451950     .  E8 1B280000      call unpacked.00454170
00451955     .  8985 E8FBFFFF    mov dword ptr ss:[ebp-418],eax
0045195B     .  8B8D E8FBFFFF    mov ecx,dword ptr ss:[ebp-418]
00451961     .  898D E4FBFFFF    mov dword ptr ss:[ebp-41C],ecx
00451967     .  C645 FC 22       mov byte ptr ss:[ebp-4],22
0045196B     .  8B95 E4FBFFFF    mov edx,dword ptr ss:[ebp-41C]
00451971     .  52               push edx                                   ; /Arg2
00451972     .  68 747F4B00      push unpacked.004B7F74                     ; |Arg1 = 004B7F74 ASCII "Thank you for using Rhino !"
00451977     .  8D8D 98FCFFFF    lea ecx,dword ptr ss:[ebp-368]             ; |
0045197D     .  E8 5E9FFDFF      call unpacked.0042B8E0                     ; \unpacked.0042B8E0
00451982     .  C645 FC 23       mov byte ptr ss:[ebp-4],23
00451986     .  8D85 98FCFFFF    lea eax,dword ptr ss:[ebp-368]
0045198C     .  50               push eax
0045198D     .  8B8D 6CFCFFFF    mov ecx,dword ptr ss:[ebp-394]
00451993     .  81C1 AC000000    add ecx,0AC
00451999     .  E8 42A5FFFF      call unpacked.0044BEE0
0045199E     .  C645 FC 22       mov byte ptr ss:[ebp-4],22
004519A2     .  8D8D 98FCFFFF    lea ecx,dword ptr ss:[ebp-368]
004519A8     .  E8 13DBFCFF      call unpacked.0041F4C0
004519AD     .  C645 FC 06       mov byte ptr ss:[ebp-4],6
004519B1     .  8D8D 97FCFFFF    lea ecx,dword ptr ss:[ebp-369]
004519B7     .  E8 D4330100      call unpacked.00464D90
004519BC     .  EB 72            jmp short unpacked.00451A30
004519BE     >  8D8D 7FFCFFFF    lea ecx,dword ptr ss:[ebp-381]
004519C4     .  E8 A7270000      call unpacked.00454170
004519C9     .  8985 E0FBFFFF    mov dword ptr ss:[ebp-420],eax
004519CF     .  8B8D E0FBFFFF    mov ecx,dword ptr ss:[ebp-420]
004519D5     .  898D DCFBFFFF    mov dword ptr ss:[ebp-424],ecx
004519DB     .  C645 FC 24       mov byte ptr ss:[ebp-4],24
004519DF     .  8B95 DCFBFFFF    mov edx,dword ptr ss:[ebp-424]
004519E5     .  52               push edx                                   ; /Arg2
004519E6     .  68 387F4B00      push unpacked.004B7F38                     ; |Arg1 = 004B7F38 ASCII "Please support shareware development by registering Rhino."
004519EB     .  8D8D 80FCFFFF    lea ecx,dword ptr ss:[ebp-380]             ; |
004519F1     .  E8 EA9EFDFF      call unpacked.0042B8E0                     ; \unpacked.0042B8E0
004519F6     .  C645 FC 25       mov byte ptr ss:[ebp-4],25

0042C510   /$  81EC 8C010000   sub esp,18C
0042C516   |.  53              push ebx
0042C517   |.  55              push ebp
0042C518   |.  56              push esi
0042C519   |.  8BB424 9C010000 mov esi,dword ptr ss:[esp+19C]
0042C520   |.  8BE9            mov ebp,ecx
0042C522   |.  57              push edi
0042C523   |.  33C0            xor eax,eax
0042C525   |.  B9 63000000     mov ecx,63
0042C52A   |.  8BFD            mov edi,ebp
0042C52C   |.  68 90694B00     push unpacked.004B6990               ; /mode = "rb"
0042C531   |.  F3:AB           rep stos dword ptr es:[edi]          ; |
0042C533   |.  56              push esi                             ; |path
0042C534   |.  89B5 8C010000   mov dword ptr ss:[ebp+18C],esi       ; |
0042C53A   |.  FF15 20A24900   call dword ptr ds:[<&MSVCRT.fopen>]  ; \fopen
0042C540   |.  8BD8            mov ebx,eax
0042C542   |.  83C4 08         add esp,8
0042C545   |.  85DB            test ebx,ebx
0042C547   |.  75 40           jnz short unpacked.0042C589
0042C549   |.  83C9 FF         or ecx,FFFFFFFF
0042C54C   |.  8BFE            mov edi,esi
0042C54E   |.  F2:AE           repne scas byte ptr es:[edi]
0042C550   |.  F7D1            not ecx
0042C552   |.  83C1 07         add ecx,7
0042C555   |.  51              push ecx
0042C556   |.  E8 C1500600     call <jmp.&MSVCRT.operator new>
0042C55B   |.  56              push esi                                ; /<%s> = "C:\Program Files\Rhino2\key"
0042C55C   |.  8BF8            mov edi,eax                             ; |
0042C55E   |.  68 88694B00     push unpacked.004B6988                  ; |format = "%s.dat"
0042C563   |.  57              push edi                                ; |s
0042C564   |.  FF15 64A24900   call dword ptr ds:[<&MSVCRT.sprintf>]   ; \sprintf

0042C56A   |.  68 90694B00     push unpacked.004B6990                        ; /mode = "rb"
0042C56F   |.  57              push edi                                      ; |path = "C:\Program Files\Rhino2\key.dat"
0042C570   |.  FF15 20A24900   call dword ptr ds:[<&MSVCRT.fopen>]           ; \fopen

0042C576   |.  57              push edi
0042C577   |.  8BD8            mov ebx,eax
0042C579   |.  E8 72500600     call unpacked.004915F0
0042C57E   |.  83C4 1C         add esp,1C
0042C581   |.  85DB            test ebx,ebx
0042C583   |.  0F84 7C010000   je unpacked.0042C705
0042C589   |>  6A 02           push 2                                   ; /whence = SEEK_END
0042C58B   |.  6A 00           push 0                                   ; |offset = 0
0042C58D   |.  53              push ebx                                 ; |stream = msvcrt.77C2FCE0
0042C58E   |.  FF15 0CA24900   call dword ptr ds:[<&MSVCRT.fseek>]      ; \fseek

0042C594   |.  53              push ebx                                 ; /stream = msvcrt.77C2FCE0
0042C595   |.  FF15 10A24900   call dword ptr ds:[<&MSVCRT.ftell>]      ; \ftell
0042C59B   |.  83C4 10         add esp,10
0042C59E   |.  3D 8C010000     cmp eax,18C                              ;size(key.dat)=18C
0042C5A3   |.  0F85 B2000000   jnz unpacked.0042C65B
0042C5A9   |.  53              push ebx                                 ; /stream = msvcrt.77C2FCE0
0042C5AA   |.  FF15 18A24900   call dword ptr ds:[<&MSVCRT.rewind>]     ; \rewind

0042C5B0   |.  53              push ebx                                 ; /stream
0042C5B1   |.  68 8C010000     push 18C                                 ; |n = 18C (396.)
0042C5B6   |.  8D4424 1C       lea eax,dword ptr ss:[esp+1C]            ; |
0042C5BA   |.  6A 01           push 1                                   ; |size = 1
0042C5BC   |.  50              push eax                                 ; |ptr = 0012F4A4
0042C5BD   |.  FF15 14A24900   call dword ptr ds:[<&MSVCRT.fread>]      ; \fread

// 0x18C bytes = 0x63 dwords (99 dwords, one per loop iteration)


0042C5C3   |.  83C4 14         add esp,14
0042C5C6   |.  33FF            xor edi,edi
0042C5C8   |.  B8 78563412     mov eax,12345678
0042C5CD   |.  33C9            xor ecx,ecx
0042C5CF   |.  90              nop
0042C5D0   |>  8B548C 10       /mov edx,dword ptr ss:[esp+ecx*4+10]   ;esp+10=0012F4A4
0042C5D4   |.  8BF0            |mov esi,eax
0042C5D6   |.  0FAFF0          |imul esi,eax
0042C5D9   |.  03F8            |add edi,eax  ====\
0042C5DB   |.  2BF2            |sub esi,edx   ===/exchanged
0042C5DD   |.  33FA            |xor edi,edx
0042C5DF   |.  41              |inc ecx
0042C5E0   |.  83F9 63         |cmp ecx,63                            ;Is the END?
0042C5E3   |.  8BC6            |mov eax,esi                           ;can be moved before 'inc ecx'
0042C5E5   |.^ 7C E9           \jl short unpacked.0042C5D0
0042C5E7   |.  33C9            xor ecx,ecx
0042C5E9   |.  3BF9            cmp edi,ecx                            ;edi=0?
0042C5EB   |.  75 37           jnz short unpacked.0042C624            ;Don't jump
0042C5ED   |.  8B4424 10       mov eax,dword ptr ss:[esp+10]          ;the first Dword
0042C5F1   |.  B9 01000000     mov ecx,1
0042C5F6   |>  8B7C8C 10       /mov edi,dword ptr ss:[esp+ecx*4+10]
0042C5FA   |.  8D3401          |lea esi,dword ptr ds:[ecx+eax]         ;esi=ecx+eax
0042C5FD   |.  0FAFF0          |imul esi,eax                           ;esi=esi*eax
0042C600   |.  33F8            |xor edi,eax
0042C602   |.  897C8C 10       |mov dword ptr ss:[esp+ecx*4+10],edi    ;modify Dword
0042C606   |.  41              |inc ecx                                ;move to the next Dword
0042C607   |.  83F9 63         |cmp ecx,63
0042C60A   |.  8BD7            |mov edx,edi
0042C60C   |.  8D8416 78563412 |lea eax,dword ptr ds:[esi+edx+12345678] ;eax=esi+edx+12345678
0042C613   |.^ 7C E1           \jl short unpacked.0042C5F6
0042C615   |.  B9 63000000     mov ecx,63
0042C61A   |.  8D7424 10       lea esi,dword ptr ss:[esp+10]            ;0012FAA4,Buffer pointer
0042C61E   |.  8BFD            mov edi,ebp                              ;0202C030,Buffer2 pointer
0042C620   |.  F3:A5           rep movs dword ptr es:[edi],dword ptr ds:[esi]
0042C622   |.  33C9            xor ecx,ecx
0042C624   |>  B8 B0C84900     mov eax,unpacked.0049C8B0
0042C629   |.  8DA424 00000000 lea esp,dword ptr ss:[esp]

0042C630   |> /8B55 04         /mov edx,dword ptr ss:[ebp+4]      ;0202C030,the 2nd Dword
0042C633   |. |3B10            |cmp edx,dword ptr ds:[eax]
0042C635   |. |75 03           |jnz short unpacked.0042C63A
0042C637   |. |894D 04         |mov dword ptr ss:[ebp+4],ecx      ;set zero
0042C63A   |> |8B10            |mov edx,dword ptr ds:[eax]
0042C63C   |. |83C0 04         |add eax,4
0042C63F   |. |85D2            |test edx,edx
0042C641   |.^\75 ED           \jnz short unpacked.0042C630

If the first dword equals one of the 13 dwords in the table, then the 2nd dword is set to 0!


0042C643   |.  B8 E8C84900     mov eax,unpacked.0049C8E8
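Added here as an illustration, not part of the original post: a Python model of the key-file check as read from the listing above (the 0x18C-byte size check, the 0x12345678-seeded checksum loop whose final edi must be 0, the decryption loop and the blacklist compare), the kind of re-implementation an analyst writes to confirm the disassembly was read correctly. The fopen/"%s.dat" path handling is not modelled, and since the contents of the table at 0049C8B0 are not on the page the blacklist is passed in as a parameter.

```python
import struct

MASK = 0xFFFFFFFF          # emulate 32-bit register wrap-around
SEED = 0x12345678          # constant loaded into eax at 0042C5C8
KEY_DWORDS = 0x63          # loop bound at 0042C5E0 (99 dwords)
KEY_SIZE = KEY_DWORDS * 4  # 0x18C bytes, the ftell check at 0042C59E


def checksum(words):
    """Loop at 0042C5D0: returns the final edi, which must be 0 to pass."""
    eax, edi = SEED, 0
    for edx in words:
        esi = (eax * eax) & MASK        # imul esi,eax
        edi = (edi + eax) & MASK        # add edi,eax
        esi = (esi - edx) & MASK        # sub esi,edx
        edi ^= edx                      # xor edi,edx
        eax = esi                       # mov eax,esi
    return edi


def decrypt(words):
    """Loop at 0042C5F6: dwords 1..n-1 are xor-decrypted in place, keyed by dword 0."""
    out = list(words)
    eax = out[0]                                  # mov eax,[esp+10]
    for ecx in range(1, len(out)):
        esi = ((ecx + eax) * eax) & MASK          # lea esi,[ecx+eax]; imul esi,eax
        out[ecx] ^= eax                           # xor edi,eax; store back
        eax = (esi + out[ecx] + SEED) & MASK      # lea eax,[esi+edx+12345678]
    return out


def apply_blacklist(words, blacklist):
    """Loop at 0042C630: if the 2nd dword is in the table, it is zeroed."""
    if words[1] in blacklist:
        words[1] = 0
    return words


def check_keyfile(data, blacklist=()):
    """Model of the routine at 0042C510; returns the decrypted dwords or None."""
    if len(data) != KEY_SIZE:                     # cmp eax,18C / jnz
        return None
    words = list(struct.unpack("<%dI" % KEY_DWORDS, data))
    if checksum(words) != 0:                      # cmp edi,ecx / jnz (must not jump)
        return None
    return apply_blacklist(decrypt(words), blacklist)
```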

Latest replies (7)

2
Bump first!
It says the attached keygen can't be posted.
2005-5-20 16:21

3
If you thank jB here, he won't see it.
2005-5-20 17:38

4
Originally posted by 李东国:
Bump first!
It says the attached keygen can't be posted.

Source code with technical content is fine. Don't post compiled EXE keygen files.
2005-5-20 18:28

5
Learned something again.
2005-5-20 18:30

6
Impressive, bump~~~
2005-5-20 21:38

7
Good article, I have to support it.
2005-5-20 22:10

8
Good post, support~
2005-5-21 00:15