[Old post] [Repost] 0.00 snowflakes

Posted on: 2011-8-17 21:24 1591
【Title】 Cracking analysis of the CrackMe chap561
【Author】 weiyi75[Dfcg][D.4S]
【Author's e-mail】 weiyi75@sohu.com
【Author's homepage】 Dfcg official headquarters (Dfcg官方大本营), Dragon Alliance forum (龙族联盟论坛)
【Tools used】 PEiD, OllyDbg
【Platform】 Win2000/XP
【Program name】 chap561
【Size】 98.1KB
【Download】 local download
【Language】 Borland C++
【Description】 The CD-check protection program from chapter 5 of Encryption and Decryption (加密和解密), first edition
【Purpose】 Start from the beginning and build a solid foundation.
【Statement】 I'm just a newbie; I picked up a little insight and want to share it with everyone :)
------------------------------------------------------------
First, PEiD identifies the program's language as Borland C++.
The goal is to make the program treat your hard disk as a CD-ROM drive.
Look carefully at the error message:
"Bad Luck,This program isn't being run from a CD, Please insert the CD"
Load the program in OllyDbg, right-click, and choose "Search for" → "All referenced text strings".
文本字符串参考位于 chap561:CODE
地址 反汇编 文本字符
004010A5 push chap561.00402098 ASCII "Well Done"
004010AA push chap561.00402074 ASCII "This program is being run from a CD"
004010B6 push chap561.004020A2 ASCII "Correct CD In Drive"
004010CA push chap561.004020F3 ASCII "Bad Luck" // double-click this line.
004010CF push chap561.004020B6 ASCII "This program isn't being run from a CD, Please insert the CD"
004010DB push chap561.004020FC ASCII "Invalid CD In Drive"
00401136 push chap561.0040215D ASCII "ABOUT"
0040113B push chap561.00402110 ASCII "Coded By n0p3x in 1999. EMAIL: adminno1@yahoo.com. WEB: http://cod3r.cjb.net/"
00401164 push ebp (初始 CPU 选择)
004013A2 push chap561.004022C4 ASCII "__GetExceptDLLinfo"
..................................................................................
00401085 6A 00 push 0 // This program is badly written: even its one and only argument is hard-coded.
00401087 |. E8 84040000 call <jmp.&KERNEL32.GetDriveTypeA> ; \GetDriveTypeA
0040108C |. 8BC8 mov ecx, eax
0040108E |. BB AE3E0F00 mov ebx, 0F3EAE
00401093 |. 90 nop
00401094 |. 40 inc eax
00401095 |. 42 inc edx
00401096 |. 47 inc edi
00401097 |. 90 nop
00401098 |. 48 dec eax
00401099 |. 4A dec edx
0040109A |. 4F dec edi
0040109B |. 90 nop
0040109C |. 3BD9 cmp ebx, ecx // compare ebx with ecx
0040109E |. 75 25 jnz short chap561.004010C5 // jump away if not equal; this is the patch point
004010A0 |. 68 00100000 push 1000 ; /Style = MB_OK|MB_SYSTEMMODAL
004010A5 |. 68 98204000 push chap561.00402098 ; |Title = "Well Done"
004010AA |. 68 74204000 push chap561.00402074 ; |Text = "This program is being run from a CD"
004010AF |. 6A 00 push 0 ; |hOwner = NULL
004010B1 |. E8 6C040000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004010B6 |. 68 A2204000 push chap561.004020A2 ; /Text = "Correct CD In Drive"
004010BB |. 6A 65 push 65 ; |ControlID = 65 (101.)
004010BD |. 56 push esi ; |hWnd
004010BE |. E8 59040000 call <jmp.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
004010C3 |. EB 23 jmp short chap561.004010E8
004010C5 |> 68 00100000 push 1000 ; /Style = MB_OK|MB_SYSTEMMODAL
004010CA |. 68 F3204000 push chap561.004020F3 ; |Title = "Bad Luck"
004010CF |. 68 B6204000 push chap561.004020B6 ; |Text = "This program isn't being run from a CD, Please insert the CD"
004010D4 |. 6A 00 push 0 ; |hOwner = NULL
004010D6 |. E8 47040000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004010DB |. 68 FC204000 push chap561.004020FC ; /Text = "Invalid CD In Drive"
004010E0 |. 6A 65 push 65 ; |ControlID = 65 (101.)
004010E2 |. 56 push esi ; |hWnd
004010E3 |. E8 34040000 call <jmp.&USER32.SetDlgItemTextA> ; \SetDlgItemTextA
........................................................................
GetDriveTypeA function prototype
★★★★★★★★★★★★★★★★★★★★★★★★★★★
UINT GetDriveTypeA(
    LPCTSTR lpRootPathName // address of the root path
);
The return value is one of the following:
0 Cannot be determined
1 The root directory does not exist
DRIVE_REMOVABLE Removable drive
DRIVE_FIXED Fixed drive
DRIVE_REMOTE Remote (network) drive
DRIVE_CDROM CD-ROM drive
DRIVE_RAMDISK RAM disk
--------------------------------------------------------------------------------
DWORD GetLogicalDrives(VOID)
Return value: zero on failure; on success, a bitmask of the currently available drives:
bit 0 drive A
bit 1 drive B
bit 2 drive C
bit 3 drive D
... and so on
★★★★★★★★★★★★★★★★★★★★★★★★★★★★
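As an added example that is not code from the original post, the following C program models the two API descriptions above so the check can be reasoned about off Windows: the DRIVE_* values are the real Win32 constants, the UINT/DWORD typedefs stand in for the Windows headers, and the drive table in sample_type is constructed. Passing a NULL root path to GetDriveTypeA, which is what chap561's push 0 does, means the root of the current directory, so the program only passes when it is started from a CD-ROM drive.

```c
/* Added example, not code from the original post: models GetDriveTypeA's return
 * values and the GetLogicalDrives bitmask documented above, without windows.h.
 * DRIVE_* values are the real Win32 constants; the typedefs are stand-ins. */
#include <stdio.h>
#include <stddef.h>

typedef unsigned int  UINT;   /* stand-in for the Win32 typedef */
typedef unsigned long DWORD;  /* stand-in for the Win32 typedef */

/* Return values of GetDriveType (Win32); the post lists the first two as 0 and 1 */
#define DRIVE_UNKNOWN     0   /* cannot be determined */
#define DRIVE_NO_ROOT_DIR 1   /* root directory does not exist */
#define DRIVE_REMOVABLE   2
#define DRIVE_FIXED       3
#define DRIVE_REMOTE      4
#define DRIVE_CDROM       5
#define DRIVE_RAMDISK     6

const char *drive_type_name(UINT type)
{
    switch (type) {
    case DRIVE_UNKNOWN:     return "unknown";
    case DRIVE_NO_ROOT_DIR: return "no root dir";
    case DRIVE_REMOVABLE:   return "removable";
    case DRIVE_FIXED:       return "fixed";
    case DRIVE_REMOTE:      return "remote";
    case DRIVE_CDROM:       return "cd-rom";
    case DRIVE_RAMDISK:     return "ramdisk";
    default:                return "invalid";
    }
}

/* Number of drives present in a GetLogicalDrives mask (bit 0 = A:, bit 25 = Z:) */
int drive_count(DWORD mask)
{
    int n = 0;
    for (int bit = 0; bit < 26; bit++)
        n += (int)((mask >> bit) & 1UL);
    return n;
}

/* Letter of the index-th present drive (0-based), or 0 when there is none */
char drive_letter_at(DWORD mask, int index)
{
    for (int bit = 0; bit < 26; bit++) {
        if ((mask >> bit) & 1UL) {
            if (index == 0)
                return (char)('A' + bit);
            index--;
        }
    }
    return 0;
}

/* The decision chap561 takes on the value GetDriveTypeA(NULL) returns: a NULL root
 * path means the root of the current directory, so only a start from a CD-ROM
 * passes. 1 = "Well Done" path, 0 = "Bad Luck" path. */
int cd_check_passes(UINT drive_type)
{
    return drive_type == DRIVE_CDROM;
}

/* Walk every present drive, print what the check would say for each, and return
 * how many would pass. type_of is a caller-supplied lookup; on Windows it would
 * wrap GetDriveTypeA("X:\\"), here the sample below is constructed. */
int drives_that_pass(DWORD mask, UINT (*type_of)(char letter))
{
    int passing = 0;
    int n = drive_count(mask);
    for (int i = 0; i < n; i++) {
        char letter = drive_letter_at(mask, i);
        UINT t = type_of(letter);
        printf("%c: %-12s -> %s\n", letter, drive_type_name(t),
               cd_check_passes(t) ? "Well Done" : "Bad Luck");
        if (cd_check_passes(t))
            passing++;
    }
    return passing;
}

/* Constructed sample machine: A: floppy, C: hard disk, D: CD-ROM, so the
 * GetLogicalDrives mask has bits 0, 2 and 3 set = 0x0D. */
static UINT sample_type(char letter)
{
    switch (letter) {
    case 'A': return DRIVE_REMOVABLE;
    case 'C': return DRIVE_FIXED;
    case 'D': return DRIVE_CDROM;
    default:  return DRIVE_NO_ROOT_DIR;
    }
}

int main(void)
{
    int passing = drives_that_pass(0x0DUL, sample_type);
    printf("%d drive(s) would satisfy the check\n", passing);
    return 0;
}
```

On the constructed sample only D: passes; on a real machine drives_that_pass would be fed a lookup wrapping GetDriveTypeA on each "X:\" root, and the result shows the protection accepts any CD-ROM drive letter, not a particular disc.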
【Summary】
Patch point:
0040109E |. 75 25 jnz short chap561.004010C5
Change this instruction to
0040109E /74 25 je short chap561.004010C5
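Added example, not code from the original post: a small decoder for the 2-byte short branches quoted in the listing above (opcodes 0x70..0x7F for a conditional jump, 0xEB for jmp). The bytes and addresses in listing_branches are copied from the listing as constructed input, nothing is read from a real binary. It confirms the figures in the post (75 25 at 0040109E lands on 004010C5, and the EB 23 at 004010C3 lands on 004010E8) and shows why the patch is a single-bit change: bit 0 of a Jcc opcode negates the condition, so jnz (75) becomes je (74). From a design standpoint that is the weakness of this protection: the whole decision rests on one conditional branch, so flipping one bit selects the other path.

```c
/* Added example, not code from the original post: decodes the 2-byte short branches
 * quoted in the listing above and checks the addresses the post gives. The table
 * listing_branches is copied from the listing; nothing is read from a real file. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t addr;    /* address of the opcode byte */
    uint8_t  opcode;  /* 0x70..0x7F = Jcc short, 0xEB = jmp short */
    int8_t   rel8;    /* signed displacement from the next instruction */
} short_branch;

/* Constructed from the listing: "75 25" at 0040109E and "EB 23" at 004010C3 */
static const short_branch listing_branches[] = {
    { 0x0040109EUL, 0x75, 0x25 },
    { 0x004010C3UL, 0xEB, 0x23 },
};

/* Mnemonics for opcodes 0x70..0x7F in OllyDbg's spelling. Bit 0 of the opcode
 * negates the condition, which is why je (74) and jnz (75) are neighbours. */
static const char *jcc_names[16] = {
    "jo", "jno", "jb", "jnb", "je",  "jnz", "jbe", "ja",
    "js", "jns", "jpe", "jpo", "jl", "jge", "jle", "jg"
};

int is_short_jcc(uint8_t op)    { return (op & 0xF0) == 0x70; }
int is_short_branch(uint8_t op) { return op == 0xEB || is_short_jcc(op); }

const char *short_branch_name(uint8_t op)
{
    if (op == 0xEB)
        return "jmp";
    return is_short_jcc(op) ? jcc_names[op & 0x0F] : "?";
}

/* Target = address of the next instruction (2 bytes later) + sign-extended rel8 */
uint32_t short_branch_target(const short_branch *b)
{
    return b->addr + 2 + (uint32_t)(int32_t)b->rel8;
}

/* The opposite condition: flips bit 0 of a Jcc opcode (jnz 75 <-> je 74).
 * An unconditional jmp has no opposite, so it is returned unchanged. */
uint8_t invert_short_jcc(uint8_t op)
{
    return is_short_jcc(op) ? (uint8_t)(op ^ 0x01) : op;
}

/* For je/jnz only ZF matters: after "cmp ebx, ecx", ZF = 1 iff ebx == ecx.
 * Returns 1 when the branch is taken, 0 when it falls through, -1 if not je/jnz. */
int je_jnz_taken(uint8_t op, int zero_flag)
{
    if ((op & 0xFE) != 0x74)
        return -1;
    return (op & 1) ? !zero_flag : zero_flag;
}

/* Target of the n-th branch in the constructed listing table */
uint32_t listing_branch_target(int n)
{
    return short_branch_target(&listing_branches[n]);
}

int main(void)
{
    for (int i = 0; i < 2; i++) {
        const short_branch *b = &listing_branches[i];
        printf("%08X  %02X %02X  %s short %08X\n", (unsigned)b->addr,
               (unsigned)b->opcode, (unsigned)(uint8_t)b->rel8,
               short_branch_name(b->opcode), (unsigned)short_branch_target(b));
    }
    /* ebx != ecx after the cmp (ZF = 0): the original jnz is taken and reaches
     * "Bad Luck"; the inverted je falls through into the "Well Done" block. */
    printf("ZF=0: jnz taken=%d, je taken=%d\n",
           je_jnz_taken(0x75, 0), je_jnz_taken(invert_short_jcc(0x75), 0));
    return 0;
}
```

The same target arithmetic applies to any short branch in the listing, which is a quick way to check that a hand-written patch keeps the displacement byte (25) intact and only touches the opcode.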
--------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!