Platform: WinXP/Vista/Win7/2000/2003
Updated: 2011-11-10 8:30:43
Cracking tools: OD + PEiD
Software size: 22701KB
Popularity: 80
Software language: English
Download: http://www.onlinedown.net/soft/112561.htm
Description: Extra Mug Shot Sticker lets you and your friends capture and share pictures with your webcam. With SNAP you can quickly and easily take a snapshot, then add labels, speech bubbles and quirky, fun built-in filters.
I needed a program like this, so I went looking online. Cracking a domestic program never feels right... if any experts passing through can offer a few pointers, so much the better.
1. OK, let's get to work. First ask PEiD what algorithm the program uses: it reports CRC32. (PEiD's crypto scan only spots a CRC32 table or signature somewhere in the image; it does not say which routine uses it, so treat the hit as a hint rather than a conclusion.)
2. Try registering with arbitrary input and see what the program gives us. The error message is what we are after (see figure).
3. Load the program in OD and search for the error-message string, hoping it is referenced directly. Luck seems to be with us.
4. Double-click "Thank you for registering !" and we land in the registration handler:
00436B40 . 81EC 88000000 sub esp,0x88 ; start of the routine
00436B46 . A1 98FB5700 mov eax,dword ptr ds:[0x57FB98]
00436B4B . 33C4 xor eax,esp
00436B4D . 898424 840000>mov dword ptr ss:[esp+0x84],eax
00436B54 . 56 push esi
00436B55 . 57 push edi
00436B56 . 8BF1 mov esi,ecx
00436B58 . 68 80000000 push 0x80
00436B5D . 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
00436B61 . 8DBE 50050000 lea edi,dword ptr ds:[esi+0x550]
00436B67 . 50 push eax
00436B68 . 8BCF mov ecx,edi
00436B6A . E8 D5640500 call <jmp.&MFC80.#3760>
00436B6F . 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
00436B73 . 8D50 01 lea edx,dword ptr ds:[eax+0x1]
00436B76 > 8A08 mov cl,byte ptr ds:[eax]
00436B78 . 83C0 01 add eax,0x1
00436B7B . 84C9 test cl,cl
00436B7D .^ 75 F7 jnz XExtraMug.00436B76
00436B7F . 2BC2 sub eax,edx
00436B81 . 75 12 jnz XExtraMug.00436B95
00436B83 . 56 push esi
00436B84 . 6A 10 push 0x10
00436B86 . 68 3C385400 push ExtraMug.0054383C ; error
00436B8B . 68 14385400 push ExtraMug.00543814 ; The user name could not be blank!
00436B90 . E9 D7000000 jmp ExtraMug.00436C6C
00436B95 > 68 80000000 push 0x80
00436B9A . 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
00436B9E . 51 push ecx
00436B9F . 8D8E A4050000 lea ecx,dword ptr ds:[esi+0x5A4]
00436BA5 . E8 9A640500 call <jmp.&MFC80.#3760>
00436BAA . 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
00436BAE . 8D50 01 lea edx,dword ptr ds:[eax+0x1]
00436BB1 > 8A08 mov cl,byte ptr ds:[eax]
00436BB3 . 83C0 01 add eax,0x1
00436BB6 . 84C9 test cl,cl
00436BB8 .^ 75 F7 jnz XExtraMug.00436BB1
00436BBA . 2BC2 sub eax,edx
00436BBC . 75 12 jnz XExtraMug.00436BD0
00436BBE . 56 push esi
00436BBF . 6A 10 push 0x10
00436BC1 . 68 3C385400 push ExtraMug.0054383C ; error
00436BC6 . 68 E4375400 push ExtraMug.005437E4 ; The registration code could not be blank!
00436BCB . E9 9C000000 jmp ExtraMug.00436C6C
00436BD0 > A1 AC545800 mov eax,dword ptr ds:[0x5854AC]
00436BD5 . 8B0D 20395800 mov ecx,dword ptr ds:[0x583920]
00436BDB . 8D5424 0C lea edx,dword ptr ss:[esp+0xC]
00436BDF . 52 push edx
00436BE0 . 68 B0245400 push ExtraMug.005424B0 ; push the string "RegCode"
00436BE5 . 50 push eax ; EAX holds "Software\Extra Mug Shot Sticker\General"
00436BE6 . 68 01000080 push 0x80000001
00436BEB . 51 push ecx
00436BEC . E8 5F77FFFF call ExtraMug.0042E350 ; creates the registry key and writes RegCode under it
00436BF1 . 68 80000000 push 0x80
00436BF6 . 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
00436BFA . 52 push edx
00436BFB . 8BCF mov ecx,edi
00436BFD . E8 42640500 call <jmp.&MFC80.#3760>
00436C02 . 8B0D AC545800 mov ecx,dword ptr ds:[0x5854AC]
00436C08 . 8B15 20395800 mov edx,dword ptr ds:[0x583920]
00436C0E . 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
00436C12 . 50 push eax
00436C13 . 68 5C0E5400 push ExtraMug.00540E5C ; UserName
00436C18 . 51 push ecx
00436C19 . 68 01000080 push 0x80000001
00436C1E . 52 push edx
00436C1F . E8 2C77FFFF call ExtraMug.0042E350 ; same call, writes UserName under the key
00436C24 . 8B0D 20395800 mov ecx,dword ptr ds:[0x583920]
00436C2A . E8 717BFFFF call ExtraMug.0042E7A0 ; reads RegCode back from the registry and validates it (see below)
00436C2F . 83F8 01 cmp eax,0x1
00436C32 . 56 push esi
00436C33 . 6A 00 push 0x0
00436C35 . 68 D4265400 push ExtraMug.005426D4 ; Information
00436C3A . 75 2B jnz XExtraMug.00436C67 ; taken => error message
00436C3C . 68 C8375400 push ExtraMug.005437C8 ; success message: Thank you for registering !
00436C41 . E8 DAA2FFFF call ExtraMug.00430F20
00436C46 . 83C4 10 add esp,0x10
00436C49 . 8BCE mov ecx,esi
00436C4B . E8 A0600500 call <jmp.&MFC80.#4212>
00436C50 . 5F pop edi
00436C51 . 5E pop esi
00436C52 . 8B8C24 840000>mov ecx,dword ptr ss:[esp+0x84]
00436C59 . 33CC xor ecx,esp
00436C5B . E8 EE640500 call ExtraMug.0048D14E
00436C60 . 81C4 88000000 add esp,0x88
00436C66 . C3 retn
00436C67 > 68 A0375400 push ExtraMug.005437A0 ; error message: Invalid license code,register failed !
00436C6C > E8 AFA2FFFF call ExtraMug.00430F20
00436C71 . 8B8C24 9C0000>mov ecx,dword ptr ss:[esp+0x9C]
00436C78 . 83C4 10 add esp,0x10
00436C7B . 5F pop edi
00436C7C . 5E pop esi
00436C7D . 33CC xor ecx,esp
00436C7F . E8 CA640500 call ExtraMug.0048D14E
00436C84 . 81C4 88000000 add esp,0x88
00436C8A . C3 retn
Change
00436C3A . 75 2B jnz XExtraMug.00436C67 ; taken => error message
to NOPs, save a copy and test run: still unregistered.
So this looks like a restart-verification program. In the analysis above I saw the program write RegCode and UserName to the registry, so presumably it re-checks those values when it starts. OK, set a registry breakpoint:
bp RegOpenKeyExA
Keep pressing F9, watching OD's stack pane, until RegCode appears there, then Follow in Disassembler. That lands at:
0042E2D0 /$ 83EC 08 sub esp,0x8
0042E2D3 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14]
0042E2D7 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
0042E2DB |. 8D4424 14 lea eax,dword ptr ss:[esp+0x14]
0042E2DF |. 50 push eax ; /pHandle
0042E2E0 |. 6A 01 push 0x1 ; |Access = KEY_QUERY_VALUE
0042E2E2 |. 6A 00 push 0x0 ; |Reserved = 0
0042E2E4 |. 51 push ecx ; |Subkey
0042E2E5 |. 52 push edx ; |hKey
0042E2E6 |. C74424 14 040>mov dword ptr ss:[esp+0x14],0x104 ; |
0042E2EE |. C74424 18 010>mov dword ptr ss:[esp+0x18],0x1 ; |
0042E2F6 |. FF15 08C05300 call dword ptr ds:[<&ADVAPI32.RegOp>; \RegOpenKeyExA
0042E2FC |. 85C0 test eax,eax
0042E2FE 74 13 je XExtraMug.0042E313
0042E300 |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
0042E304 |. 50 push eax ; /hKey
0042E305 |. FF15 18C05300 call dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey
0042E30B |. 32C0 xor al,al
0042E30D |. 83C4 08 add esp,0x8
0042E310 |. C2 1400 retn 0x14
Remove the earlier breakpoint and set one at the start of this routine (0042E2D0). Restart the program and press F9 until the string RegCode shows up in the stack pane, then Follow in Disassembler. That lands at:
0042E7A0 /$ 81EC 04010000 sub esp,0x104
0042E7A6 |. A1 98FB5700 mov eax,dword ptr ds:[0x57FB98]
0042E7AB |. 33C4 xor eax,esp
0042E7AD |. 898424 000100>mov dword ptr ss:[esp+0x100],eax
0042E7B4 |. 56 push esi
0042E7B5 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0042E7B9 |. 50 push eax
0042E7BA |. 8BF1 mov esi,ecx
0042E7BC |. 8B0D 68395800 mov ecx,dword ptr ds:[0x583968]
0042E7C2 |. 68 B0245400 push ExtraMug.005424B0 ; RegCode
0042E7C7 |. 51 push ecx
0042E7C8 |. 68 01000080 push 0x80000001
0042E7CD |. 56 push esi
0042E7CE |. E8 FDFAFFFF call ExtraMug.0042E2D0
0042E7D3 |. 84C0 test al,al
0042E7D5 |. 75 1A jnz XExtraMug.0042E7F1
0042E7D7 |. 8806 mov byte ptr ds:[esi],al
0042E7D9 |. 33C0 xor eax,eax
0042E7DB |. 5E pop esi
0042E7DC |. 8B8C24 000100>mov ecx,dword ptr ss:[esp+0x100]
0042E7E3 |. 33CC xor ecx,esp
0042E7E5 |. E8 64E90500 call ExtraMug.0048D14E
0042E7EA |. 81C4 04010000 add esp,0x104
0042E7F0 |. C3 retn
0042E7F1 |> 8D5424 04 lea edx,dword ptr ss:[esp+0x4]
0042E7F5 |. 52 push edx
0042E7F6 |. 8BCE mov ecx,esi
0042E7F8 |. E8 63FEFFFF call ExtraMug.0042E660
0042E7FD |. 8B8C24 040100>mov ecx,dword ptr ss:[esp+0x104]
0042E804 |. 85C0 test eax,eax
0042E806 |. 0F95C0 setne al
0042E809 |. 8806 mov byte ptr ds:[esi],al
0042E80B |. 5E pop esi
0042E80C |. 33CC xor ecx,esp
0042E80E |. 0FB6C0 movzx eax,al
0042E811 |. E8 38E90500 call ExtraMug.0048D14E
0042E816 |. 81C4 04010000 add esp,0x104
0042E81C \. C3 retn
Remove the earlier breakpoint and set one at the start of this routine (0042E7A0). Restart the program and single-step with F8 until
0042E7F8 |. E8 63FEFFFF call ExtraMug.0042E660
Step into it and see what is there:
0042E660 /$ 81EC 04030000 sub esp,0x304
0042E666 |. A1 98FB5700 mov eax,dword ptr ds:[0x57FB98]
0042E66B |. 33C4 xor eax,esp
0042E66D |. 898424 000300>mov dword ptr ss:[esp+0x300],eax
0042E674 |. 53 push ebx
0042E675 |. 55 push ebp
0042E676 |. 56 push esi
0042E677 |. 8BB424 140300>mov esi,dword ptr ss:[esp+0x314]
0042E67E |. 8BC6 mov eax,esi
0042E680 |. 8BE9 mov ebp,ecx
0042E682 |. 8D50 01 lea edx,dword ptr ds:[eax+0x1]
0042E685 |. 33DB xor ebx,ebx
0042E687 |> 8A08 /mov cl,byte ptr ds:[eax] ; strlen loop: computes the length of our input
0042E689 |. 83C0 01 |add eax,0x1
0042E68C |. 3ACB |cmp cl,bl
0042E68E |.^ 75 F7 \jnz XExtraMug.0042E687
0042E690 |. 2BC2 sub eax,edx ; eax = length
0042E692 |. 83F8 30 cmp eax,0x30 ; the length must be exactly 48 characters, otherwise fail
0042E695 |. 74 07 je XExtraMug.0042E69E
0042E697 |. 33C0 xor eax,eax
0042E699 |. E9 E7000000 jmp ExtraMug.0042E785
0042E69E |> 57 push edi
0042E69F |. 68 FF000000 push 0xFF ; /n = FF (255.)
0042E6A4 |. 8D8424 150100>lea eax,dword ptr ss:[esp+0x115] ; |
0042E6AB |. 53 push ebx ; |c
0042E6AC |. 50 push eax ; |s
0042E6AD |. 889C24 1C0100>mov byte ptr ss:[esp+0x11C],bl ; |
0042E6B4 |. E8 89EA0500 call <jmp.&MSVCR80.memset> ; \memset
0042E6B9 |. 68 FF000000 push 0xFF ; /n = FF (255.)
0042E6BE |. 8D4C24 21 lea ecx,dword ptr ss:[esp+0x21] ; |
0042E6C2 |. 53 push ebx ; |c
0042E6C3 |. 51 push ecx ; |s
0042E6C4 |. 885C24 28 mov byte ptr ss:[esp+0x28],bl ; |
0042E6C8 |. E8 75EA0500 call <jmp.&MSVCR80.memset> ; \memset
0042E6CD |. 68 FF000000 push 0xFF ; /n = FF (255.)
0042E6D2 |. 8D9424 2D0200>lea edx,dword ptr ss:[esp+0x22D] ; |
0042E6D9 |. 53 push ebx ; |c
0042E6DA |. 52 push edx ; |s
0042E6DB |. 889C24 340200>mov byte ptr ss:[esp+0x234],bl ; |
0042E6E2 |. E8 5BEA0500 call <jmp.&MSVCR80.memset> ; \memset
0042E6E7 |. 8B3D 24CA5300 mov edi,dword ptr ds:[<&MSVCR80.str>; MSVCR80.strncpy
0042E6ED |. 6A 10 push 0x10 ; /maxlen = 10 (16.)
0042E6EF |. 8D8424 380100>lea eax,dword ptr ss:[esp+0x138] ; |
0042E6F6 |. 56 push esi ; |src
0042E6F7 |. 50 push eax ; |dest
0042E6F8 |. FFD7 call edi ; \strncpy
0042E6FA |. 6A 10 push 0x10
0042E6FC |. 8D4E 10 lea ecx,dword ptr ds:[esi+0x10]
0042E6FF |. 51 push ecx
0042E700 |. 8D5424 48 lea edx,dword ptr ss:[esp+0x48]
0042E704 |. 52 push edx
0042E705 |. FFD7 call edi
0042E707 |. 6A 10 push 0x10
0042E709 |. 83C6 20 add esi,0x20
0042E70C |. 8D8424 500200>lea eax,dword ptr ss:[esp+0x250]
0042E713 |. 56 push esi
0042E714 |. 50 push eax
0042E715 |. FFD7 call edi
0042E717 |. 83C4 48 add esp,0x48
0042E71A |. 68 9C245400 push ExtraMug.0054249C ; C9AD9CACFC81B689
0042E71F |. 8D8C24 140100>lea ecx,dword ptr ss:[esp+0x114]
0042E726 |. 51 push ecx
0042E727 |. 8BCD mov ecx,ebp
0042E729 |. 889C24 280100>mov byte ptr ss:[esp+0x128],bl
0042E730 |. 885C24 28 mov byte ptr ss:[esp+0x28],bl
0042E734 |. 889C24 280200>mov byte ptr ss:[esp+0x228],bl
0042E73B |. E8 C0FDFFFF call ExtraMug.0042E500 ; to find the registration algorithm, step into this
Inside ExtraMug.0042E500 (the same routine is called three times, at 0042E73B, 0042E74E and 0042E764, once per 16-character block, each time with a constant string: C9AD9CACFC81B689 for the first two blocks, 9F8204E07CBECD21 for the third), the tail of the routine looks like this:
0042E5C8 |. 53 push ebx
0042E5C9 |. E8 721D0600 call ExtraMug.00490340
0042E5CE |. 8B4424 24 mov eax,dword ptr ss:[esp+0x24]
0042E5D2 |. 50 push eax
0042E5D3 |. 55 push ebp
0042E5D4 |. E8 671D0600 call ExtraMug.00490340
0042E5D9 |. 8B7C24 24 mov edi,dword ptr ss:[esp+0x24]
0042E5DD |. 68 80245400 push ExtraMug.00542480 ; 10001
0042E5E2 |. 57 push edi
0042E5E3 |. E8 581D0600 call ExtraMug.00490340
0042E5E8 |. 55 push ebp
0042E5E9 |. 53 push ebx
0042E5EA |. E8 E10A0600 call ExtraMug.0048F0D0
0042E5EF |. 83C4 20 add esp,0x20
0042E5F2 |. 83F8 FF cmp eax,-0x1
0042E5F5 |. 75 3F jnz XExtraMug.0042E636
0042E5F7 |. 8B7424 18 mov esi,dword ptr ss:[esp+0x18]
0042E5FB |. 56 push esi
0042E5FC |. 55 push ebp
0042E5FD |. 57 push edi
0042E5FE |. 53 push ebx
0042E5FF |. E8 BC1A0600 call ExtraMug.004900C0
0042E604 |. 6A 00 push 0x0
0042E606 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0042E60A |. 51 push ecx
0042E60B |. 56 push esi
0042E60C |. 68 00010000 push 0x100
0042E611 |. E8 AA140600 call ExtraMug.0048FAC0
0042E616 |. 53 push ebx
0042E617 |. E8 14050600 call ExtraMug.0048EB30
0042E61C |. 56 push esi
0042E61D |. E8 0E050600 call ExtraMug.0048EB30
0042E622 |. 55 push ebp
0042E623 |. E8 08050600 call ExtraMug.0048EB30
0042E628 |. 57 push edi
0042E629 |. E8 02050600 call ExtraMug.0048EB30
0042E62E |. 83C4 30 add esp,0x30
0042E631 |. E8 1A050600 call ExtraMug.0048EB50
0042E636 |> 8D5424 20 lea edx,dword ptr ss:[esp+0x20]
0042E63A |. 52 push edx ; /s
0042E63B |. FF15 78CA5300 call dword ptr ds:[<&MSVCR80.atoi>] ; \atoi
0042E641 |. 8B8C24 240100>mov ecx,dword ptr ss:[esp+0x124]
0042E648 |. 83C4 04 add esp,0x4
0042E64B |. 5F pop edi
0042E64C |. 5E pop esi
0042E64D |. 5D pop ebp
0042E64E |. 5B pop ebx
0042E64F |. 33CC xor ecx,esp
0042E651 |. E8 F8EA0500 call ExtraMug.0048D14E
0042E656 |. 81C4 14010000 add esp,0x114
0042E65C \. C2 0800 retn 0x8
Having read this code, compare it with CRC32 source code and see whether it looks similar!!! Note what it actually does, though: it pushes the string constant 10001, runs the block through a chain of helper routines (00490340, 0048F0D0, 004900C0, 0048FAC0, 0048EB30, 0048EB50) and finally converts a result string with atoi into the integer returned in eax. A table-driven CRC32 shows up as a 256-entry table lookup with shifts and XORs, not string constants and atoi, so do not take PEiD's CRC32 hit as confirmation; identifying these helpers is where a real keygen would have to start.
0042E740 |. 68 9C245400 push ExtraMug.0054249C ; C9AD9CACFC81B689
0042E745 |. 8D5424 14 lea edx,dword ptr ss:[esp+0x14]
0042E749 |. 52 push edx
0042E74A |. 8BCD mov ecx,ebp
0042E74C |. 8BF0 mov esi,eax
0042E74E |. E8 ADFDFFFF call ExtraMug.0042E500
0042E753 |. 8BF8 mov edi,eax
0042E755 |. 68 88245400 push ExtraMug.00542488 ; 9F8204E07CBECD21
0042E75A |. 8D8424 140200>lea eax,dword ptr ss:[esp+0x214]
0042E761 |. 50 push eax
0042E762 |. 8BCD mov ecx,ebp
0042E764 |. E8 97FDFFFF call ExtraMug.0042E500
0042E769 |. 3BF3 cmp esi,ebx ; ebx = 0: each of the three block results must be > 0
0042E76B |. 7E 15 jle XExtraMug.0042E782 ; <-- note these three jle:
0042E76D |. 3BFB cmp edi,ebx ; they are the key patch points of this program;
0042E76F |. 7E 11 jle XExtraMug.0042E782 ; NOP them out and you're done
0042E771 |. 3BC3 cmp eax,ebx
0042E773 |. 7E 0D jle XExtraMug.0042E782 ; <--
0042E775 |. 33C9 xor ecx,ecx
0042E777 |. 03FE add edi,esi ; edi = block1 + block2
0042E779 |. 3BF8 cmp edi,eax ; compared with block3
0042E77B |. 0F94C1 sete cl ; result = (block1 + block2 == block3)
0042E77E |. 8BC1 mov eax,ecx
0042E780 |. EB 02 jmp XExtraMug.0042E784
0042E782 |> 33C0 xor eax,eax
0042E784 |> 5F pop edi
0042E785 |> 8B8C24 0C0300>mov ecx,dword ptr ss:[esp+0x30C]
0042E78C |. 5E pop esi
0042E78D |. 5D pop ebp
0042E78E |. 5B pop ebx
0042E78F |. 33CC xor ecx,esp
0042E791 |. E8 B8E90500 call ExtraMug.0048D14E
0042E796 |. 81C4 04030000 add esp,0x304
0042E79C \. C2 0400 retn 0x4
NOP them out, save, and test run: no more nagging registration prompt. Open the About box to see who the program is now registered to?? Why this works: with the three jle gone, execution always reaches add edi,esi / cmp edi,eax / sete cl, so the only remaining condition is block1 + block2 == block3. The guards existed to reject zero results; if 0042E500 yields 0 for each block (atoi of an empty result buffer, which is presumably what happened with the test code), then 0 + 0 == 0 and the check passes for any 48-character code.
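To make that decision logic explicit, here is an added Python model of the tail of 0042E660 as the listing shows it. This is illustration written for this write-up, not code from the original post or from the program. The per-block computation done by 0042E500 is not recovered anywhere on this page, so it is passed in as a callable; zero_block is an assumed stand-in for a call whose result buffer stays empty so that atoi returns 0. The model shows why three zero results are rejected by the guards, and why the same results pass once the three jle are NOPed.

```python
from __future__ import annotations
from typing import Callable

CODE_LEN = 0x30    # cmp eax,0x30 at 0042E692: the code must be 48 characters
BLOCK_LEN = 0x10   # three strncpy(dest, src + 0x00/0x10/0x20, 0x10) at 0042E6ED..0042E715


def split_blocks(code: bytes) -> list[bytes]:
    """Cut the 48-character code into the three 16-byte blocks the routine copies out."""
    return [code[off:off + BLOCK_LEN] for off in (0x00, 0x10, 0x20)]


def check_code(code: bytes, block_value: Callable[[bytes], int], guards: bool = True) -> bool:
    """Model of 0042E660's decision logic.

    block_value stands in for the unrecovered call to 0042E500 (assumption: all we
    know is that it returns an integer produced by atoi). guards=False models the
    three `jle 0042E782` instructions having been NOPed out.
    """
    # 0042E687..0042E699: strlen(code) != 0x30 -> return 0
    if len(code) != CODE_LEN:
        return False
    # 0042E73B / 0042E74E / 0042E764: one call per block; results land in esi, edi, eax
    v1, v2, v3 = (block_value(block) for block in split_blocks(code))
    # 0042E769..0042E773: cmp ...,ebx (ebx = 0) ; jle -> fail. Each result must be > 0.
    if guards and not (v1 > 0 and v2 > 0 and v3 > 0):
        return False
    # 0042E775..0042E77E: eax = (esi + edi == eax)
    return v1 + v2 == v3


def zero_block(_block: bytes) -> int:
    """Assumed stand-in for a 0042E500 call whose result buffer stays empty: atoi("") == 0."""
    return 0


def demo() -> dict[str, bool]:
    # Constructed sample input; the characters themselves do not matter to this model.
    code = b"A" * CODE_LEN
    return {
        "wrong_length": check_code(b"A" * 47, zero_block),                 # fails the length check
        "zeros_with_guards": check_code(code, zero_block),                  # rejected by the three jle
        "zeros_guards_nopped": check_code(code, zero_block, guards=False),  # 0 + 0 == 0 passes
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model also makes the flip side clear: a genuine keygen needs the real block_value, because with the guards intact a code only passes when the third block's value equals the sum of the first two.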
From the analysis above, this program has the following characteristics:
1. PEiD flags CRC32, and the program re-verifies the registration on restart (restart verification) rather than only at registration time. Whether the per-block computation in 0042E500 is really CRC32 was not confirmed in this analysis.
2. Whatever program you face, whether you want to patch it or recover the algorithm, restart verification or not, the usual approach is the same: find the button handler, or set a message breakpoint, or pause with F12, or search for strings... any cat that catches the mouse is a good cat! I used the simplest one: searching for "Thank you for registering !".
3. Follow the normal procedure to find the key registration routine, observe what information it contains and take notes. In this routine I saw that, on registration, the program writes the registration data to the registry (Software\Extra Mug Shot Sticker\General\RegCode | UserName).
4. Find the key CALL and jump, try modifying them, and restart the program to see whether the patch took. If it did not, the program probably verifies again on restart, as this one does.
5. After modifying the key CALL and jump the patch still failed. Combined with the registry writes seen during registration, this points to a registry-based restart verification.
6. So we set a registry breakpoint.
7. Note that when filling in the registration information the code must be 48 characters long; otherwise even with the three jle patched the crack fails, because at
0042E692 |. 83F8 30 cmp eax,0x30 ; is the length 48 characters? if not, fail
0042E695 |. 74 07 je XExtraMug.0042E69E
the length of the code is compared and anything other than 48 characters jumps straight to registration failure.
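Applying the three NOPs outside the debugger means translating the VAs in the listing into file offsets. The following Python, added for this write-up and not the author's tool, reads the PE section table to do that mapping, checks that the bytes at each site are the 7E xx from the listing before overwriting them, and refuses otherwise. ExtraMug.exe is not part of this page, so build_synthetic_pe() constructs a minimal PE32 with ImageBase 0x400000 and the jle bytes at the same VAs; that image base and section layout are assumptions for the offline demo only. For a real file the values are read from its own headers.

```python
import struct
import sys

# The three `jle XExtraMug.0042E782` guards in 0042E660, as (VA, original bytes)
# taken from the listing. 0x90 is NOP.
PATCHES = [
    (0x0042E76B, b"\x7e\x15"),
    (0x0042E76F, b"\x7e\x11"),
    (0x0042E773, b"\x7e\x0d"),
]
NOP = b"\x90"


def parse_pe(data: bytes):
    """Return (image_base, sections) for a PE32 file; each section is a
    (virtual_address, virtual_size, raw_pointer, raw_size) tuple."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(data: bytes, va: int) -> int:
    """Map a virtual address from the debugger to a file offset via the section table."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError(f"VA {va:#010x} lies in uninitialised data, not in the file")
            return raw_ptr + delta
    raise ValueError(f"VA {va:#010x} is not inside any section")


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """NOP out each patch site, refusing to touch bytes that do not match the listing."""
    out = bytearray(data)
    for va, original in patches:
        off = va_to_offset(data, va)
        found = bytes(out[off:off + len(original)])
        if found != original:
            raise ValueError(f"bytes at {va:#010x} are {found.hex()}, expected "
                             f"{original.hex()}; different build or already patched")
        out[off:off + len(original)] = NOP * len(original)
    return bytes(out)


def build_synthetic_pe() -> bytes:
    """Constructed stand-in for ExtraMug.exe (not included here): ImageBase 0x400000
    and one section at RVA 0x2E000 backed by file offset 0x400, so the listing's VAs
    map into it and carry the original jle bytes. Layout is an assumption for the demo."""
    image_base, sec_rva, raw_ptr, raw_size = 0x00400000, 0x2E000, 0x400, 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, raw_size, sec_rva, raw_size, raw_ptr)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    body = bytearray(raw_size)
    for va, original in PATCHES:
        delta = va - image_base - sec_rva
        body[delta:delta + len(original)] = original
    return headers.ljust(raw_ptr, b"\0") + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) == 3:          # real use: patch.py ExtraMug.exe ExtraMug_patched.exe
        with open(sys.argv[1], "rb") as f:
            patched = apply_patches(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
    else:                           # offline demo on the constructed image
        image = build_synthetic_pe()
        for va, _ in PATCHES:
            print(f"{va:#010x} -> file offset {va_to_offset(image, va):#x}")
```

The byte check before writing is the part worth keeping: a different build of the program, or a file that has already been patched, will have other bytes at those offsets, and silently NOPing them would corrupt unrelated instructions.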