-
-
[旧帖] [原创]记一次破解小软件 0.00雪花
-
2012-1-9 13:15
-
实验对象http://down.qiannao.com/space/file/lengyeasu/share/2010/8/1/linglei.rar/.page我在这下载的。下面说下我是怎样破解这个水印软件的。
由于基础太差,我就不具体分析了。代码我加的分析可能有错误,朋友们看到了还望指出。
用Ollyice载入已脱壳的程序,至于脱壳方法相信大家比我懂,此处不再啰嗦。
依靠ollyice的字符串参考在软件的这里设下断点
1. 00538F73 . E8 C0FDFFFF call 00538D38 ; 关键Call
2. 00538F78 . 84C0 test al, al
按F7跟进,来到这里:(因为基础差做了很多没用的注释删去了)
1. 00538D38 /$ 55 push ebp
2. 00538D39 |. 8BEC mov ebp, esp
3. 00538D3B |. 33C9 xor ecx, ecx
4. 00538D3D |. 51 push ecx
5. 00538D3E |. 51 push ecx
6. 00538D3F |. 51 push ecx
7. 00538D40 |. 51 push ecx
8. 00538D41 |. 51 push ecx
9. 00538D42 |. 53 push ebx
10. 00538D43 |. 56 push esi
11. 00538D44 |. 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"
12. 00538D47 |. 8BD8 mov ebx, eax ; 将eax暂时--ebx eax=00C18148
13. 00538D49 |. 8B45 FC mov eax, dword ptr [ebp-4] ; edx---eax ASCII "HsjMakeSign"
14. 00538D4C |. E8 B7BDECFF call 00404B08
15. 00538D51 |. 33C0 xor eax, eax
16. 00538D53 |. 55 push ebp
17. 00538D54 |. 68 238E5300 push 00538E23
18. 00538D59 |. 64:FF30 push dword ptr fs:[eax]
19. 00538D5C |. 64:8920 mov dword ptr fs:[eax], esp
20. 00538D5F |. 8D4D F4 lea ecx, dword ptr [ebp-C]
21. 00538D62 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx -- "HsjMakeSign"
22. 00538D65 |. 8BC3 mov eax, ebx ; 还原ebx--eax
23. 00538D67 |. E8 F0FCFFFF call 00538A5C ; 得到软件的机器码数字部分
24. 00538D6C |. 8D55 F8 lea edx, dword ptr [ebp-8]
25. 00538D6F |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 载入机器码
26. 00538D72 |. E8 1DFEFFFF call 00538B94 ; 得到正确的注册码的关键CALL
27. 00538D77 |. B9 3C8E5300 mov ecx, 00538E3C ; hsjsoft.ini临时存放机器码
28. 00538D7C |. B2 01 mov dl, 1
29. 00538D7E |. A1 00C94300 mov eax, dword ptr [43C900]
30. 00538D83 |. E8 283CF0FF call 0043C9B0
31. 00538D88 |. 8BD8 mov ebx, eax
32. 00538D8A |. 6A 00 push 0
33. 00538D8C |. 8D45 EC lea eax, dword ptr [ebp-14]
34. 00538D8F |. 50 push eax
35. 00538D90 |. B9 508E5300 mov ecx, 00538E50 ; reg_code
36. 00538D95 |. 8B55 FC mov edx, dword ptr [ebp-4]
37. 00538D98 |. 8BC3 mov eax, ebx
38. 00538D9A |. 8B30 mov esi, dword ptr [eax]
39. 00538D9C |. FF16 call near dword ptr [esi] ; 传递注册数据
40. 00538D9E 8B45 EC mov eax, dword ptr [ebp-14] ; 传入用户输入的注册码
41. 00538DA1 |. 8D55 F0 lea edx, dword ptr [ebp-10]
42. 00538DA4 |. E8 EF01EDFF call 00408F98
43. 00538DA9 |. 8BC3 mov eax, ebx
44. 00538DAB |. E8 88AAECFF call 00403838
45. 00538DB0 |. E8 8BA1ECFF call 00402F40
46. 00538DB5 |. B8 20000000 mov eax, 20
47. 00538DBA |. E8 8DA4ECFF call 0040324C
48. 00538DBF |. 8BD8 mov ebx, eax
49. 00538DC1 |. 85DB test ebx, ebx
50. 00538DC3 |. 7F 05 jg short 00538DCA
51. 00538DC5 |. BB 01000000 mov ebx, 1
52. 00538DCA |> 83FB 1E cmp ebx, 1E
53. 00538DCD |. 7E 05 jle short 00538DD4
54. 00538DCF |. BB 1E000000 mov ebx, 1E
55. 00538DD4 |> 8D45 F8 lea eax, dword ptr [ebp-8]
56. 00538DD7 |. 50 push eax
57. 00538DD8 |. B9 02000000 mov ecx, 2
58. 00538DDD |. 8BD3 mov edx, ebx
59. 00538DDF |. 8B45 F8 mov eax, dword ptr [ebp-8]
60. 00538DE2 |. E8 91BDECFF call 00404B78
61. 00538DE7 |. 8D45 F0 lea eax, dword ptr [ebp-10]
62. 00538DEA |. 50 push eax
63. 00538DEB |. B9 02000000 mov ecx, 2
64. 00538DF0 |. 8BD3 mov edx, ebx
65. 00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]
66. 00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是取任意位置的两数比较
67. 00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]
68. 00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]
69. 00538E00 |. E8 5FBCECFF call 00404A64 ; 判断注册码是否正确
70. 00538E05 |. 0F94C3 sete bl
71. 00538E08 |. 33C0 xor eax, eax
72. 00538E0A |. 5A pop edx
73. 00538E0B |. 59 pop ecx
74. 00538E0C |. 59 pop ecx
75. 00538E0D |. 64:8910 mov dword ptr fs:[eax], edx
76. 00538E10 |. 68 2A8E5300 push 00538E2A
77. 00538E15 |> 8D45 EC lea eax, dword ptr [ebp-14]
78. 00538E18 |. BA 05000000 mov edx, 5
79. 00538E1D |. E8 4AB8ECFF call 0040466C
80. 00538E22 \. C3 retn
81. 00538E23 .^ E9 78B1ECFF jmp 00403FA0
82. 00538E28 .^ EB EB jmp short 00538E15
83. 00538E2A . 8BC3 mov eax, ebx
84. 00538E2C . 5E pop esi
85. 00538E2D . 5B pop ebx
86. 00538E2E . 8BE5 mov esp, ebp
87. 00538E30 . 5D pop ebp
88. 00538E31 . C3 retn
在这里动态调试单步走,在00538D67处进入得到软件的机器码数字部分代码:
1. 00538A5C $ 55 push ebp ; 机器码获取部分
2. 00538A5D . 8BEC mov ebp, esp ; 保存esp至ebp
3. 00538A5F . 83C4 D0 add esp, -30
4. 00538A62 . 53 push ebx
5. 00538A63 . 56 push esi
6. 00538A64 . 57 push edi ; edi=0012FE94
7. 00538A65 . 33DB xor ebx, ebx ; ebx归零
8. 00538A67 . 895D E0 mov dword ptr [ebp-20], ebx
9. 00538A6A . 895D F0 mov dword ptr [ebp-10], ebx
10. 00538A6D . 895D EC mov dword ptr [ebp-14], ebx
11. 00538A70 . 895D E8 mov dword ptr [ebp-18], ebx
12. 00538A73 . 895D E4 mov dword ptr [ebp-1C], ebx
13. 00538A76 . 895D F4 mov dword ptr [ebp-C], ebx
14. 00538A79 . 894D F8 mov dword ptr [ebp-8], ecx
15. 00538A7C . 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"
16. 00538A7F . 8BD8 mov ebx, eax ; ebx=eax=00C18148
17. 00538A81 . 8B45 FC mov eax, dword ptr [ebp-4] ; eax=HsjMakeSign
18. 00538A84 . E8 7FC0ECFF call 00404B08 ; 用途未知
19. 00538A89 . 33C0 xor eax, eax ; eax清零
20. 00538A8B . 55 push ebp ; ebp压入
21. 00538A8C . 68 698B5300 push 00538B69 ; 00538B69=00538B69
22. 00538A91 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FBC4
23. 00538A94 . 64:8920 mov dword ptr fs:[eax], esp ; esp=0012FB74
24. 00538A97 . 8B45 F8 mov eax, dword ptr [ebp-8] ; 堆栈 ss:[0012FBB4]=0012FBE0
25. 00538A9A . E8 A9BBECFF call 00404648
26. 00538A9F . 33C0 xor eax, eax ; eax归零
27. 00538AA1 . 55 push ebp ; ebp=0012FBBC
28. 00538AA2 . 68 0E8B5300 push 00538B0E ; 00538B0E=00538B0E
29. 00538AA7 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FB74
30. 00538AAA . 64:8920 mov dword ptr fs:[eax], esp
31. 00538AAD . FF75 FC push dword ptr [ebp-4] ; 堆栈 ss:[0012FBB8]=005472B0 (1.005472B0), ASCII "HsjMakeSign"
32. 00538AB0 . 68 808B5300 push 00538B80
33. 00538AB5 . 8D45 F0 lea eax, dword ptr [ebp-10] ; 堆栈地址=0012FBAC
34. 00538AB8 . E8 63F8FFFF call 00538320 ; 获取机器信息---bios部分
35. 00538ABD . FF75 F0 push dword ptr [ebp-10] ; 机器信息(ASCII "BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0")
36. 00538AC0 . 68 808B5300 push 00538B80 ; ;
37. 00538AC5 . 8D45 EC lea eax, dword ptr [ebp-14] ; 堆栈地址=0012FBA8
38. 00538AC8 . E8 87FBFFFF call 00538654 ; 获取机器信息
39. 00538ACD . FF75 EC push dword ptr [ebp-14] ; ASCII "DisplayDeviceInfo:Mobile Intel(R) 4 Series Express Chipset FamilyMobile Intel(R) 4 Series Express Chipset FamilyNetMeeting driverRDPDD Chained DD
40. 00538AD0 . 68 808B5300 push 00538B80 ; ;
41. 00538AD5 . 8D45 E8 lea eax, dword ptr [ebp-18]
42. 00538AD8 . E8 57FCFFFF call 00538734 ; 获取机器信息---CPU部分
43. 00538ADD . FF75 E8 push dword ptr [ebp-18] ; CpuType:GenuineIntel586
44. 00538AE0 . 68 808B5300 push 00538B80 ; ;
45. 00538AE5 . 8D55 E4 lea edx, dword ptr [ebp-1C]
46. 00538AE8 . 8BC3 mov eax, ebx
47. 00538AEA . E8 F5FDFFFF call 005388E4 ; 获取机器信息---硬盘id部分
48. 00538AEF . FF75 E4 push dword ptr [ebp-1C] ; ASCII DiskId:
49. 00538AF2 . 68 808B5300 push 00538B80 ; ;
50. 00538AF7 . 8D45 F4 lea eax, dword ptr [ebp-C]
51. 00538AFA . BA 0A000000 mov edx, 0A
52. 00538AFF . E8 D4BEECFF call 004049D8
53. 00538B04 . 33C0 xor eax, eax
54. 00538B06 . 5A pop edx
55. 00538B07 . 59 pop ecx
56. 00538B08 . 59 pop ecx
57. 00538B09 . 64:8910 mov dword ptr fs:[eax], edx
58. 00538B0C . EB 0A jmp short 00538B18
59. 00538B0E .^ E9 D9B1ECFF jmp 00403CEC
60. 00538B13 . E8 3CB5ECFF call 00404054
61. 00538B18 > 68 8C8B5300 push 00538B8C ; 6.0;
62. 00538B1D . FF75 FC push dword ptr [ebp-4]
63. 00538B20 . 8D55 D0 lea edx, dword ptr [ebp-30] ; 下一步就将机器信息汇总
64. 00538B23 . 8B45 F4 mov eax, dword ptr [ebp-C] ; HsjMakeSign;BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0;DisplayDeviceInfo:Mobile Intel(R) 4 Series Express Chipset FamilyM
65. 00538B26 . E8 EDE6FFFF call 00537218
66. 00538B2B . 8D45 D0 lea eax, dword ptr [ebp-30]
67. 00538B2E . 8D55 E0 lea edx, dword ptr [ebp-20] ; edx此时存放有机器信息
68. 00538B31 . E8 56E7FFFF call 0053728C ; 计算得到机器码的关键Call
69. 00538B36 . FF75 E0 push dword ptr [ebp-20]
70. 00538B39 . 8B45 F8 mov eax, dword ptr [ebp-8]
71. 00538B3C . BA 03000000 mov edx, 3
72. 00538B41 . E8 92BEECFF call 004049D8
73. 00538B46 . 33C0 xor eax, eax
74. 00538B48 . 5A pop edx
75. 00538B49 . 59 pop ecx
76. 00538B4A . 59 pop ecx
77. 00538B4B . 64:8910 mov dword ptr fs:[eax], edx
78. 00538B4E . 68 708B5300 push 00538B70
79. 00538B53 > 8D45 E0 lea eax, dword ptr [ebp-20]
80. 00538B56 . BA 06000000 mov edx, 6
81. 00538B5B . E8 0CBBECFF call 0040466C
82. 00538B60 . 8D45 FC lea eax, dword ptr [ebp-4]
83. 00538B63 . E8 E0BAECFF call 00404648
84. 00538B68 . C3 retn
85. 00538B69 .^ E9 32B4ECFF jmp 00403FA0
86. 00538B6E .^ EB E3 jmp short 00538B53
87. 00538B70 . 5F pop edi
88. 00538B71 . 5E pop esi
89. 00538B72 . 5B pop ebx
90. 00538B73 . 8BE5 mov esp, ebp
91. 00538B75 . 5D pop ebp
92. 00538B76 . C3 retn
以上代码前半部分是获取机器信息,在00538B31处跟进来到计算机器码32位数字的代码部分(注:分成的四部分机器码都经过调序得到真正机器码的四部分):
1. 0053728C /$ 55 push ebp
2. 0053728D |. 8BEC mov ebp, esp
3. 0053728F |. 83C4 E8 add esp, -18
4. 00537292 |. 53 push ebx
5. 00537293 |. 56 push esi
6. 00537294 |. 57 push edi
7. 00537295 |. 33C9 xor ecx, ecx
8. 00537297 |. 894D EC mov dword ptr [ebp-14], ecx
9. 0053729A |. 894D E8 mov dword ptr [ebp-18], ecx
10. 0053729D |. 8BF0 mov esi, eax
11. 0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]
12. 005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第一部分[0012FB9C]=AE2C1742
13. 005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第二部分[0012FBA0]=6FAA135F
14. 005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第三部分[0012FBA4]=4B1A2D3A
15. 005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第四部分[0012FBA8]=4031BBC7
16. 005372A6 |. 8BFA mov edi, edx
17. 005372A8 |. 33C0 xor eax, eax
18. 005372AA |. 55 push ebp
19. 005372AB |. 68 27735300 push 00537327
20. 005372B0 |. 64:FF30 push dword ptr fs:[eax]
21. 005372B3 |. 64:8920 mov dword ptr fs:[eax], esp
22. 005372B6 |. 8BC7 mov eax, edi
23. 005372B8 |. E8 8BD3ECFF call 00404648
24. 005372BD |. B3 10 mov bl, 10
25. 005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]
26. 005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将机器码顺序校正直至
27. 005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
28. 005372C7 |. 33D2 |xor edx, edx
29. 005372C9 |. 8A16 |mov dl, byte ptr [esi]
30. 005372CB |. C1EA 04 |shr edx, 4
31. 005372CE |. 83E2 0F |and edx, 0F
32. 005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
33. 005372D7 |. E8 54D5ECFF |call 00404830
34. 005372DC |. FF75 EC |push dword ptr [ebp-14]
35. 005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]
36. 005372E2 |. 8A16 |mov dl, byte ptr [esi]
37. 005372E4 |. 80E2 0F |and dl, 0F
38. 005372E7 |. 81E2 FF000000 |and edx, 0FF
39. 005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
40. 005372F3 |. E8 38D5ECFF |call 00404830
41. 005372F8 |. FF75 E8 |push dword ptr [ebp-18]
42. 005372FB |. 8BC7 |mov eax, edi
43. 005372FD |. BA 03000000 |mov edx, 3
44. 00537302 |. E8 D1D6ECFF |call 004049D8
45. 00537307 |. 46 |inc esi
46. 00537308 |. FECB |dec bl
47. 0053730A |.^ 75 B6 \jnz short 005372C2
48. 0053730C |. 33C0 xor eax, eax
49. 0053730E |. 5A pop edx
50. 0053730F |. 59 pop ecx
51. 00537310 |. 59 pop ecx
52. 00537311 |. 64:8910 mov dword ptr fs:[eax], edx
53. 00537314 |. 68 2E735300 push 0053732E
54. 00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]
55. 0053731C |. BA 02000000 mov edx, 2
56. 00537321 |. E8 46D3ECFF call 0040466C
57. 00537326 \. C3 retn
出来后再单步走完机器码获取部分,来到00538d9e位置,这时机器码已经得到了即6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140
下面在进入00538D72的call-->00538B94 即得到正确的注册码的CALL:
1. 00538B94 /$ 55 push ebp
2. 00538B95 |. 8BEC mov ebp, esp
3. 00538B97 |. 83C4 D8 add esp, -28
4. 00538B9A |. 53 push ebx
5. 00538B9B |. 56 push esi
6. 00538B9C |. 33C9 xor ecx, ecx
7. 00538B9E |. 894D D8 mov dword ptr [ebp-28], ecx
8. 00538BA1 |. 894D DC mov dword ptr [ebp-24], ecx ; 4031BBC7
9. 00538BA4 |. 894D F8 mov dword ptr [ebp-8], ecx ; 0012FBE0
10. 00538BA7 |. 894D F4 mov dword ptr [ebp-C], ecx
11. 00538BAA |. 894D F0 mov dword ptr [ebp-10], ecx
12. 00538BAD |. 8BF2 mov esi, edx
13. 00538BAF |. 8945 FC mov dword ptr [ebp-4], eax
14. 00538BB2 |. 8B45 FC mov eax, dword ptr [ebp-4]
15. 00538BB5 |. E8 4EBFECFF call 00404B08
16. 00538BBA |. 33C0 xor eax, eax
17. 00538BBC |. 55 push ebp
18. 00538BBD |. 68 CB8C5300 push 00538CCB
19. 00538BC2 |. 64:FF30 push dword ptr fs:[eax]
20. 00538BC5 |. 64:8920 mov dword ptr fs:[eax], esp
21. 00538BC8 |. 8BC6 mov eax, esi
22. 00538BCA |. E8 79BAECFF call 00404648
23. 00538BCF |. 8D45 F8 lea eax, dword ptr [ebp-8]
24. 00538BD2 |. E8 71BAECFF call 00404648
25. 00538BD7 |. 8D45 F8 lea eax, dword ptr [ebp-8]
26. 00538BDA |. BA E08C5300 mov edx, 00538CE0 ; 版
27. 00538BDF |. E8 3CBDECFF call 00404920
28. 00538BE4 |. 8D45 F8 lea eax, dword ptr [ebp-8]
29. 00538BE7 |. BA EC8C5300 mov edx, 00538CEC ; 权
30. 00538BEC |. E8 2FBDECFF call 00404920
31. 00538BF1 |. 8D45 F8 lea eax, dword ptr [ebp-8]
32. 00538BF4 |. BA F88C5300 mov edx, 00538CF8 ; 所
33. 00538BF9 |. E8 22BDECFF call 00404920
34. 00538BFE |. 8D45 F8 lea eax, dword ptr [ebp-8]
35. 00538C01 |. BA 048D5300 mov edx, 00538D04 ; 有
36. 00538C06 |. E8 15BDECFF call 00404920
37. 00538C0B |. 8D45 F8 lea eax, dword ptr [ebp-8]
38. 00538C0E |. BA 108D5300 mov edx, 00538D10 ; :
39. 00538C13 |. E8 08BDECFF call 00404920
40. 00538C18 |. 8D45 F8 lea eax, dword ptr [ebp-8]
41. 00538C1B |. BA 1C8D5300 mov edx, 00538D1C ; 韩
42. 00538C20 |. E8 FBBCECFF call 00404920
43. 00538C25 |. 8D45 F8 lea eax, dword ptr [ebp-8]
44. 00538C28 |. BA 288D5300 mov edx, 00538D28 ; 树
45. 00538C2D |. E8 EEBCECFF call 00404920
46. 00538C32 |. 8D45 F8 lea eax, dword ptr [ebp-8]
47. 00538C35 |. BA 348D5300 mov edx, 00538D34 ; 江
48. 00538C3A |. E8 E1BCECFF call 00404920
49. 00538C3F |. 8D45 DC lea eax, dword ptr [ebp-24]
50. 00538C42 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; (ASCII "6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140")
51. 00538C45 |. 8B55 F8 mov edx, dword ptr [ebp-8]
52. 00538C48 |. E8 17BDECFF call 00404964
53. 00538C4D |. 8B45 DC mov eax, dword ptr [ebp-24]
54. 00538C50 |. 8D55 E0 lea edx, dword ptr [ebp-20]
55. 00538C53 |. E8 C0E5FFFF call 00537218
56. 00538C58 |. 8D45 E0 lea eax, dword ptr [ebp-20]
57. 00538C5B |. 8D55 F4 lea edx, dword ptr [ebp-C]
58. 00538C5E |. E8 29E6FFFF call 0053728C ; 关键Call整出注册码
59. 00538C63 |. 8D45 F0 lea eax, dword ptr [ebp-10]
60. 00538C66 |. E8 DDB9ECFF call 00404648 ; 作用未知
61. 00538C6B |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 注册码6c9125ab21e9252438e413f6536217d0
62. 00538C6E |. E8 A5BCECFF call 00404918
63. 00538C73 |. 8BD8 mov ebx, eax
64. 00538C75 |. 83FB 01 cmp ebx, 1
65. 00538C78 |. 7C 1F jl short 00538C99 ; 调序部分,倒转注册码
66. 00538C7A |> 8D45 D8 /lea eax, dword ptr [ebp-28]
67. 00538C7D |. 8B55 F4 |mov edx, dword ptr [ebp-C]
68. 00538C80 |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
69. 00538C84 |. E8 A7BBECFF |call 00404830
70. 00538C89 |. 8B55 D8 |mov edx, dword ptr [ebp-28]
71. 00538C8C |. 8D45 F0 |lea eax, dword ptr [ebp-10]
72. 00538C8F |. E8 8CBCECFF |call 00404920
73. 00538C94 |. 4B |dec ebx
74. 00538C95 |. 85DB |test ebx, ebx
75. 00538C97 |.^ 75 E1 \jnz short 00538C7A
76. 00538C99 |> 8BC6 mov eax, esi
77. 00538C9B |. 8B55 F0 mov edx, dword ptr [ebp-10] ; 倒转后正确的注册码0d7126356f314e8342529e12ba5219c6
78. 00538C9E |. E8 F9B9ECFF call 0040469C
79. 00538CA3 |. 33C0 xor eax, eax
80. 00538CA5 |. 5A pop edx
81. 00538CA6 |. 59 pop ecx
82. 00538CA7 |. 59 pop ecx
83. 00538CA8 |. 64:8910 mov dword ptr fs:[eax], edx
84. 00538CAB |. 68 D28C5300 push 00538CD2
85. 00538CB0 |> 8D45 D8 lea eax, dword ptr [ebp-28]
86. 00538CB3 |. BA 02000000 mov edx, 2
87. 00538CB8 |. E8 AFB9ECFF call 0040466C
88. 00538CBD |. 8D45 F0 lea eax, dword ptr [ebp-10]
89. 00538CC0 |. BA 04000000 mov edx, 4
90. 00538CC5 |. E8 A2B9ECFF call 0040466C
91. 00538CCA \. C3 retn
92. 00538CCB .^ E9 D0B2ECFF jmp 00403FA0
93. 00538CD0 .^ EB DE jmp short 00538CB0
94. 00538CD2 . 5E pop esi
95. 00538CD3 . 5B pop ebx
96. 00538CD4 . 8BE5 mov esp, ebp
97. 00538CD6 . 5D pop ebp
98. 00538CD7 . C3 retn
简单说下,这部分代码前半部分得到机器码数字,然后在00538C5E处是得到注册码的模块,那么我们在跟进0053728C那里瞧瞧:
来到这里,得到注册码的部分(注:分成的四部分注册码都需经过调序得到真正注册码的四部分)
1. 0053728C /$ 55 push ebp
2. 0053728D |. 8BEC mov ebp, esp
3. 0053728F |. 83C4 E8 add esp, -18
4. 00537292 |. 53 push ebx
5. 00537293 |. 56 push esi
6. 00537294 |. 57 push edi
7. 00537295 |. 33C9 xor ecx, ecx
8. 00537297 |. 894D EC mov dword ptr [ebp-14], ecx
9. 0053729A |. 894D E8 mov dword ptr [ebp-18], ecx
10. 0053729D |. 8BF0 mov esi, eax
11. 0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]
12. 005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第四部分[0012FB9C]=AB25916C
13. 005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第三部分[0012FBA0]=2425E921
14. 005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第二部分[0012FBA4]=F613E438
15. 005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第一部分[0012FBA8]=D0176253
16. 005372A6 |. 8BFA mov edi, edx
17. 005372A8 |. 33C0 xor eax, eax
18. 005372AA |. 55 push ebp
19. 005372AB |. 68 27735300 push 00537327
20. 005372B0 |. 64:FF30 push dword ptr fs:[eax]
21. 005372B3 |. 64:8920 mov dword ptr fs:[eax], esp
22. 005372B6 |. 8BC7 mov eax, edi
23. 005372B8 |. E8 8BD3ECFF call 00404648
24. 005372BD |. B3 10 mov bl, 10
25. 005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]
26. 005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将注册码顺序校正
27. 005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
28. 005372C7 |. 33D2 |xor edx, edx
29. 005372C9 |. 8A16 |mov dl, byte ptr [esi]
30. 005372CB |. C1EA 04 |shr edx, 4
31. 005372CE |. 83E2 0F |and edx, 0F
32. 005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
33. 005372D7 |. E8 54D5ECFF |call 00404830
34. 005372DC |. FF75 EC |push dword ptr [ebp-14]
35. 005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]
36. 005372E2 |. 8A16 |mov dl, byte ptr [esi]
37. 005372E4 |. 80E2 0F |and dl, 0F
38. 005372E7 |. 81E2 FF000000 |and edx, 0FF
39. 005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
40. 005372F3 |. E8 38D5ECFF |call 00404830
41. 005372F8 |. FF75 E8 |push dword ptr [ebp-18]
42. 005372FB |. 8BC7 |mov eax, edi
43. 005372FD |. BA 03000000 |mov edx, 3
44. 00537302 |. E8 D1D6ECFF |call 004049D8
45. 00537307 |. 46 |inc esi
46. 00537308 |. FECB |dec bl
47. 0053730A |.^ 75 B6 \jnz short 005372C2
48. 0053730C |. 33C0 xor eax, eax
49. 0053730E |. 5A pop edx
50. 0053730F |. 59 pop ecx
51. 00537310 |. 59 pop ecx
52. 00537311 |. 64:8910 mov dword ptr fs:[eax], edx
53. 00537314 |. 68 2E735300 push 0053732E
54. 00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]
55. 0053731C |. BA 02000000 mov edx, 2
56. 00537321 |. E8 46D3ECFF call 0040466C
57. 00537326 \. C3 retn
58. 00537327 .^ E9 74CCECFF jmp 00403FA0
59. 0053732C .^ EB EB jmp short 00537319
60. 0053732E . 5F pop edi
61. 0053732F . 5E pop esi
62. 00537330 . 5B pop ebx
63. 00537331 . 8BE5 mov esp, ebp
64. 00537333 . 5D pop ebp
65. 00537334 . C3 retn
通过这段代码看到了机器码(数字部分)与注册码实际是调用同一部分代码,只是时间紧迫,我没能分析明白算法具体是什么,只能分析一下流程了。
或许大家看到这个步骤有些发懵,建议大家动手试一下,如果有流程图或许会好些吧。
至于要得到破解版本,我的思路是让软件自己计算出注册码与自己比较,呵呵,肯定是正确的了。(补充:该软件的注册方式是从32位注册码中任取两个数,与用户输入的注册码同位置两处比较,若正确则成功,所以利用追出的注册码修改一下有时能注册成功,有时则会失败。这是我在沙盘下调试多次加上动态调试的猜想,没办法,我汇编根本没起步,分析的头都大了。嘿嘿)
在此次分析第一次跟进的代码区域往下看有这样一段:
1. 00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]
2. 00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是通过函数任意取注册码的一个位置
3. 00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]
4. 00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]
5. 00538E00 |. E8 5FBCECFF call 00404A64
6. 00538E05 |. 0F94C3 sete bl ;判断逻辑真假,若为真,注册成功。
这样得到破解版我们还需做以下修改:
00538DF2和00538DFD处修改汇编代码将ebp-10改为ebp-8
此时用动态调试,00538E05逻辑为真。说明接近成功了。
保存修改,双击打开,软件就变为已注册版本了。
不求精华,知道没到那个水平,但求一个邀请码,犒劳一下。
由于基础太差,我就不具体分析了。代码我加的分析可能有错误,朋友们看到了还望指出。
用Ollyice载入已脱壳的程序,至于脱壳方法相信大家比我懂,此处不再啰嗦。
依靠ollyice的字符串参考在软件的这里设下断点
1. 00538F73 . E8 C0FDFFFF call 00538D38 ; 关键Call
2. 00538F78 . 84C0 test al, al
按F7跟进,来到这里:(因为基础差做了很多没用的注释删去了)
1. 00538D38 /$ 55 push ebp
2. 00538D39 |. 8BEC mov ebp, esp
3. 00538D3B |. 33C9 xor ecx, ecx
4. 00538D3D |. 51 push ecx
5. 00538D3E |. 51 push ecx
6. 00538D3F |. 51 push ecx
7. 00538D40 |. 51 push ecx
8. 00538D41 |. 51 push ecx
9. 00538D42 |. 53 push ebx
10. 00538D43 |. 56 push esi
11. 00538D44 |. 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"
12. 00538D47 |. 8BD8 mov ebx, eax ; 将eax暂时--ebx eax=00C18148
13. 00538D49 |. 8B45 FC mov eax, dword ptr [ebp-4] ; edx---eax ASCII "HsjMakeSign"
14. 00538D4C |. E8 B7BDECFF call 00404B08
15. 00538D51 |. 33C0 xor eax, eax
16. 00538D53 |. 55 push ebp
17. 00538D54 |. 68 238E5300 push 00538E23
18. 00538D59 |. 64:FF30 push dword ptr fs:[eax]
19. 00538D5C |. 64:8920 mov dword ptr fs:[eax], esp
20. 00538D5F |. 8D4D F4 lea ecx, dword ptr [ebp-C]
21. 00538D62 |. 8B55 FC mov edx, dword ptr [ebp-4] ; edx -- "HsjMakeSign"
22. 00538D65 |. 8BC3 mov eax, ebx ; 还原ebx--eax
23. 00538D67 |. E8 F0FCFFFF call 00538A5C ; 得到软件的机器码数字部分
24. 00538D6C |. 8D55 F8 lea edx, dword ptr [ebp-8]
25. 00538D6F |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 载入机器码
26. 00538D72 |. E8 1DFEFFFF call 00538B94 ; 得到正确的注册码的关键CALL
27. 00538D77 |. B9 3C8E5300 mov ecx, 00538E3C ; hsjsoft.ini临时存放机器码
28. 00538D7C |. B2 01 mov dl, 1
29. 00538D7E |. A1 00C94300 mov eax, dword ptr [43C900]
30. 00538D83 |. E8 283CF0FF call 0043C9B0
31. 00538D88 |. 8BD8 mov ebx, eax
32. 00538D8A |. 6A 00 push 0
33. 00538D8C |. 8D45 EC lea eax, dword ptr [ebp-14]
34. 00538D8F |. 50 push eax
35. 00538D90 |. B9 508E5300 mov ecx, 00538E50 ; reg_code
36. 00538D95 |. 8B55 FC mov edx, dword ptr [ebp-4]
37. 00538D98 |. 8BC3 mov eax, ebx
38. 00538D9A |. 8B30 mov esi, dword ptr [eax]
39. 00538D9C |. FF16 call near dword ptr [esi] ; 传递注册数据
40. 00538D9E 8B45 EC mov eax, dword ptr [ebp-14] ; 传入用户输入的注册码
41. 00538DA1 |. 8D55 F0 lea edx, dword ptr [ebp-10]
42. 00538DA4 |. E8 EF01EDFF call 00408F98
43. 00538DA9 |. 8BC3 mov eax, ebx
44. 00538DAB |. E8 88AAECFF call 00403838
45. 00538DB0 |. E8 8BA1ECFF call 00402F40
46. 00538DB5 |. B8 20000000 mov eax, 20
47. 00538DBA |. E8 8DA4ECFF call 0040324C
48. 00538DBF |. 8BD8 mov ebx, eax
49. 00538DC1 |. 85DB test ebx, ebx
50. 00538DC3 |. 7F 05 jg short 00538DCA
51. 00538DC5 |. BB 01000000 mov ebx, 1
52. 00538DCA |> 83FB 1E cmp ebx, 1E
53. 00538DCD |. 7E 05 jle short 00538DD4
54. 00538DCF |. BB 1E000000 mov ebx, 1E
55. 00538DD4 |> 8D45 F8 lea eax, dword ptr [ebp-8]
56. 00538DD7 |. 50 push eax
57. 00538DD8 |. B9 02000000 mov ecx, 2
58. 00538DDD |. 8BD3 mov edx, ebx
59. 00538DDF |. 8B45 F8 mov eax, dword ptr [ebp-8]
60. 00538DE2 |. E8 91BDECFF call 00404B78
61. 00538DE7 |. 8D45 F0 lea eax, dword ptr [ebp-10]
62. 00538DEA |. 50 push eax
63. 00538DEB |. B9 02000000 mov ecx, 2
64. 00538DF0 |. 8BD3 mov edx, ebx
65. 00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]
66. 00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是取任意位置的两数比较
67. 00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]
68. 00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]
69. 00538E00 |. E8 5FBCECFF call 00404A64 ; 判断注册码是否正确
70. 00538E05 |. 0F94C3 sete bl
71. 00538E08 |. 33C0 xor eax, eax
72. 00538E0A |. 5A pop edx
73. 00538E0B |. 59 pop ecx
74. 00538E0C |. 59 pop ecx
75. 00538E0D |. 64:8910 mov dword ptr fs:[eax], edx
76. 00538E10 |. 68 2A8E5300 push 00538E2A
77. 00538E15 |> 8D45 EC lea eax, dword ptr [ebp-14]
78. 00538E18 |. BA 05000000 mov edx, 5
79. 00538E1D |. E8 4AB8ECFF call 0040466C
80. 00538E22 \. C3 retn
81. 00538E23 .^ E9 78B1ECFF jmp 00403FA0
82. 00538E28 .^ EB EB jmp short 00538E15
83. 00538E2A . 8BC3 mov eax, ebx
84. 00538E2C . 5E pop esi
85. 00538E2D . 5B pop ebx
86. 00538E2E . 8BE5 mov esp, ebp
87. 00538E30 . 5D pop ebp
88. 00538E31 . C3 retn
在这里动态调试单步走,在00538D67处进入得到软件的机器码数字部分代码:
1. 00538A5C $ 55 push ebp ; 机器码获取部分
2. 00538A5D . 8BEC mov ebp, esp ; 保存esp至ebp
3. 00538A5F . 83C4 D0 add esp, -30
4. 00538A62 . 53 push ebx
5. 00538A63 . 56 push esi
6. 00538A64 . 57 push edi ; edi=0012FE94
7. 00538A65 . 33DB xor ebx, ebx ; ebx归零
8. 00538A67 . 895D E0 mov dword ptr [ebp-20], ebx
9. 00538A6A . 895D F0 mov dword ptr [ebp-10], ebx
10. 00538A6D . 895D EC mov dword ptr [ebp-14], ebx
11. 00538A70 . 895D E8 mov dword ptr [ebp-18], ebx
12. 00538A73 . 895D E4 mov dword ptr [ebp-1C], ebx
13. 00538A76 . 895D F4 mov dword ptr [ebp-C], ebx
14. 00538A79 . 894D F8 mov dword ptr [ebp-8], ecx
15. 00538A7C . 8955 FC mov dword ptr [ebp-4], edx ; edx=005472B0 (1.005472B0), ASCII "HsjMakeSign"
16. 00538A7F . 8BD8 mov ebx, eax ; ebx=eax=00C18148
17. 00538A81 . 8B45 FC mov eax, dword ptr [ebp-4] ; eax=HsjMakeSign
18. 00538A84 . E8 7FC0ECFF call 00404B08 ; 用途未知
19. 00538A89 . 33C0 xor eax, eax ; eax清零
20. 00538A8B . 55 push ebp ; ebp压入
21. 00538A8C . 68 698B5300 push 00538B69 ; 00538B69=00538B69
22. 00538A91 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FBC4
23. 00538A94 . 64:8920 mov dword ptr fs:[eax], esp ; esp=0012FB74
24. 00538A97 . 8B45 F8 mov eax, dword ptr [ebp-8] ; 堆栈 ss:[0012FBB4]=0012FBE0
25. 00538A9A . E8 A9BBECFF call 00404648
26. 00538A9F . 33C0 xor eax, eax ; eax归零
27. 00538AA1 . 55 push ebp ; ebp=0012FBBC
28. 00538AA2 . 68 0E8B5300 push 00538B0E ; 00538B0E=00538B0E
29. 00538AA7 . 64:FF30 push dword ptr fs:[eax] ; fs:[00000000]=[7FFDF000]=0012FB74
30. 00538AAA . 64:8920 mov dword ptr fs:[eax], esp
31. 00538AAD . FF75 FC push dword ptr [ebp-4] ; 堆栈 ss:[0012FBB8]=005472B0 (1.005472B0), ASCII "HsjMakeSign"
32. 00538AB0 . 68 808B5300 push 00538B80
33. 00538AB5 . 8D45 F0 lea eax, dword ptr [ebp-10] ; 堆栈地址=0012FBAC
34. 00538AB8 . E8 63F8FFFF call 00538320 ; 获取机器信息---bios部分
35. 00538ABD . FF75 F0 push dword ptr [ebp-10] ; 机器信息(ASCII "BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0")
36. 00538AC0 . 68 808B5300 push 00538B80 ; ;
37. 00538AC5 . 8D45 EC lea eax, dword ptr [ebp-14] ; 堆栈地址=0012FBA8
38. 00538AC8 . E8 87FBFFFF call 00538654 ; 获取机器信息
39. 00538ACD . FF75 EC push dword ptr [ebp-14] ; ASCII "DisplayDeviceInfo:Mobile Intel(R) 4 Series Express Chipset FamilyMobile Intel(R) 4 Series Express Chipset FamilyNetMeeting driverRDPDD Chained DD
40. 00538AD0 . 68 808B5300 push 00538B80 ; ;
41. 00538AD5 . 8D45 E8 lea eax, dword ptr [ebp-18]
42. 00538AD8 . E8 57FCFFFF call 00538734 ; 获取机器信息---CPU部分
43. 00538ADD . FF75 E8 push dword ptr [ebp-18] ; CpuType:GenuineIntel586
44. 00538AE0 . 68 808B5300 push 00538B80 ; ;
45. 00538AE5 . 8D55 E4 lea edx, dword ptr [ebp-1C]
46. 00538AE8 . 8BC3 mov eax, ebx
47. 00538AEA . E8 F5FDFFFF call 005388E4 ; 获取机器信息---硬盘id部分
48. 00538AEF . FF75 E4 push dword ptr [ebp-1C] ; ASCII DiskId:
49. 00538AF2 . 68 808B5300 push 00538B80 ; ;
50. 00538AF7 . 8D45 F4 lea eax, dword ptr [ebp-C]
51. 00538AFA . BA 0A000000 mov edx, 0A
52. 00538AFF . E8 D4BEECFF call 004049D8
53. 00538B04 . 33C0 xor eax, eax
54. 00538B06 . 5A pop edx
55. 00538B07 . 59 pop ecx
56. 00538B08 . 59 pop ecx
57. 00538B09 . 64:8910 mov dword ptr fs:[eax], edx
58. 00538B0C . EB 0A jmp short 00538B18
59. 00538B0E .^ E9 D9B1ECFF jmp 00403CEC
60. 00538B13 . E8 3CB5ECFF call 00404054
61. 00538B18 > 68 8C8B5300 push 00538B8C ; 6.0;
62. 00538B1D . FF75 FC push dword ptr [ebp-4]
63. 00538B20 . 8D55 D0 lea edx, dword ptr [ebp-30] ; 下一步就将机器信息汇总
64. 00538B23 . 8B45 F4 mov eax, dword ptr [ebp-C] ; HsjMakeSign;BiosInfo:System BIOS Version Line 1 = LENOVO - 1System BIOS Version Line 2 = Ver 1.00System BIOS Date 12/04/09Video BIOS Version Line 1 = Hardware Version 0.0;DisplayDeviceInfo:Mobile Intel(R) 4 Series Express Chipset FamilyM
65. 00538B26 . E8 EDE6FFFF call 00537218
66. 00538B2B . 8D45 D0 lea eax, dword ptr [ebp-30]
67. 00538B2E . 8D55 E0 lea edx, dword ptr [ebp-20] ; edx此时存放有机器信息
68. 00538B31 . E8 56E7FFFF call 0053728C ; 计算得到机器码的关键Call
69. 00538B36 . FF75 E0 push dword ptr [ebp-20]
70. 00538B39 . 8B45 F8 mov eax, dword ptr [ebp-8]
71. 00538B3C . BA 03000000 mov edx, 3
72. 00538B41 . E8 92BEECFF call 004049D8
73. 00538B46 . 33C0 xor eax, eax
74. 00538B48 . 5A pop edx
75. 00538B49 . 59 pop ecx
76. 00538B4A . 59 pop ecx
77. 00538B4B . 64:8910 mov dword ptr fs:[eax], edx
78. 00538B4E . 68 708B5300 push 00538B70
79. 00538B53 > 8D45 E0 lea eax, dword ptr [ebp-20]
80. 00538B56 . BA 06000000 mov edx, 6
81. 00538B5B . E8 0CBBECFF call 0040466C
82. 00538B60 . 8D45 FC lea eax, dword ptr [ebp-4]
83. 00538B63 . E8 E0BAECFF call 00404648
84. 00538B68 . C3 retn
85. 00538B69 .^ E9 32B4ECFF jmp 00403FA0
86. 00538B6E .^ EB E3 jmp short 00538B53
87. 00538B70 . 5F pop edi
88. 00538B71 . 5E pop esi
89. 00538B72 . 5B pop ebx
90. 00538B73 . 8BE5 mov esp, ebp
91. 00538B75 . 5D pop ebp
92. 00538B76 . C3 retn
以上代码前半部分是获取机器信息,在00538B31处跟进来到计算机器码32位数字的代码部分(注:分成的四部分机器码都经过调序得到真正机器码的四部分):
1. 0053728C /$ 55 push ebp
2. 0053728D |. 8BEC mov ebp, esp
3. 0053728F |. 83C4 E8 add esp, -18
4. 00537292 |. 53 push ebx
5. 00537293 |. 56 push esi
6. 00537294 |. 57 push edi
7. 00537295 |. 33C9 xor ecx, ecx
8. 00537297 |. 894D EC mov dword ptr [ebp-14], ecx
9. 0053729A |. 894D E8 mov dword ptr [ebp-18], ecx
10. 0053729D |. 8BF0 mov esi, eax
11. 0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]
12. 005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第一部分[0012FB9C]=AE2C1742
13. 005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第二部分[0012FBA0]=6FAA135F
14. 005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第三部分[0012FBA4]=4B1A2D3A
15. 005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 机器码第四部分[0012FBA8]=4031BBC7
16. 005372A6 |. 8BFA mov edi, edx
17. 005372A8 |. 33C0 xor eax, eax
18. 005372AA |. 55 push ebp
19. 005372AB |. 68 27735300 push 00537327
20. 005372B0 |. 64:FF30 push dword ptr fs:[eax]
21. 005372B3 |. 64:8920 mov dword ptr fs:[eax], esp
22. 005372B6 |. 8BC7 mov eax, edi
23. 005372B8 |. E8 8BD3ECFF call 00404648
24. 005372BD |. B3 10 mov bl, 10
25. 005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]
26. 005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将机器码顺序校正直至
27. 005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
28. 005372C7 |. 33D2 |xor edx, edx
29. 005372C9 |. 8A16 |mov dl, byte ptr [esi]
30. 005372CB |. C1EA 04 |shr edx, 4
31. 005372CE |. 83E2 0F |and edx, 0F
32. 005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
33. 005372D7 |. E8 54D5ECFF |call 00404830
34. 005372DC |. FF75 EC |push dword ptr [ebp-14]
35. 005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]
36. 005372E2 |. 8A16 |mov dl, byte ptr [esi]
37. 005372E4 |. 80E2 0F |and dl, 0F
38. 005372E7 |. 81E2 FF000000 |and edx, 0FF
39. 005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
40. 005372F3 |. E8 38D5ECFF |call 00404830
41. 005372F8 |. FF75 E8 |push dword ptr [ebp-18]
42. 005372FB |. 8BC7 |mov eax, edi
43. 005372FD |. BA 03000000 |mov edx, 3
44. 00537302 |. E8 D1D6ECFF |call 004049D8
45. 00537307 |. 46 |inc esi
46. 00537308 |. FECB |dec bl
47. 0053730A |.^ 75 B6 \jnz short 005372C2
48. 0053730C |. 33C0 xor eax, eax
49. 0053730E |. 5A pop edx
50. 0053730F |. 59 pop ecx
51. 00537310 |. 59 pop ecx
52. 00537311 |. 64:8910 mov dword ptr fs:[eax], edx
53. 00537314 |. 68 2E735300 push 0053732E
54. 00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]
55. 0053731C |. BA 02000000 mov edx, 2
56. 00537321 |. E8 46D3ECFF call 0040466C
57. 00537326 \. C3 retn
出来后再单步走完机器码获取部分,来到00538d9e位置,这时机器码已经得到了即6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140
下面在进入00538D72的call-->00538B94 即得到正确的注册码的CALL:
1. 00538B94 /$ 55 push ebp
2. 00538B95 |. 8BEC mov ebp, esp
3. 00538B97 |. 83C4 D8 add esp, -28
4. 00538B9A |. 53 push ebx
5. 00538B9B |. 56 push esi
6. 00538B9C |. 33C9 xor ecx, ecx
7. 00538B9E |. 894D D8 mov dword ptr [ebp-28], ecx
8. 00538BA1 |. 894D DC mov dword ptr [ebp-24], ecx ; 4031BBC7
9. 00538BA4 |. 894D F8 mov dword ptr [ebp-8], ecx ; 0012FBE0
10. 00538BA7 |. 894D F4 mov dword ptr [ebp-C], ecx
11. 00538BAA |. 894D F0 mov dword ptr [ebp-10], ecx
12. 00538BAD |. 8BF2 mov esi, edx
13. 00538BAF |. 8945 FC mov dword ptr [ebp-4], eax
14. 00538BB2 |. 8B45 FC mov eax, dword ptr [ebp-4]
15. 00538BB5 |. E8 4EBFECFF call 00404B08
16. 00538BBA |. 33C0 xor eax, eax
17. 00538BBC |. 55 push ebp
18. 00538BBD |. 68 CB8C5300 push 00538CCB
19. 00538BC2 |. 64:FF30 push dword ptr fs:[eax]
20. 00538BC5 |. 64:8920 mov dword ptr fs:[eax], esp
21. 00538BC8 |. 8BC6 mov eax, esi
22. 00538BCA |. E8 79BAECFF call 00404648
23. 00538BCF |. 8D45 F8 lea eax, dword ptr [ebp-8]
24. 00538BD2 |. E8 71BAECFF call 00404648
25. 00538BD7 |. 8D45 F8 lea eax, dword ptr [ebp-8]
26. 00538BDA |. BA E08C5300 mov edx, 00538CE0 ; 版
27. 00538BDF |. E8 3CBDECFF call 00404920
28. 00538BE4 |. 8D45 F8 lea eax, dword ptr [ebp-8]
29. 00538BE7 |. BA EC8C5300 mov edx, 00538CEC ; 权
30. 00538BEC |. E8 2FBDECFF call 00404920
31. 00538BF1 |. 8D45 F8 lea eax, dword ptr [ebp-8]
32. 00538BF4 |. BA F88C5300 mov edx, 00538CF8 ; 所
33. 00538BF9 |. E8 22BDECFF call 00404920
34. 00538BFE |. 8D45 F8 lea eax, dword ptr [ebp-8]
35. 00538C01 |. BA 048D5300 mov edx, 00538D04 ; 有
36. 00538C06 |. E8 15BDECFF call 00404920
37. 00538C0B |. 8D45 F8 lea eax, dword ptr [ebp-8]
38. 00538C0E |. BA 108D5300 mov edx, 00538D10 ; :
39. 00538C13 |. E8 08BDECFF call 00404920
40. 00538C18 |. 8D45 F8 lea eax, dword ptr [ebp-8]
41. 00538C1B |. BA 1C8D5300 mov edx, 00538D1C ; 韩
42. 00538C20 |. E8 FBBCECFF call 00404920
43. 00538C25 |. 8D45 F8 lea eax, dword ptr [ebp-8]
44. 00538C28 |. BA 288D5300 mov edx, 00538D28 ; 树
45. 00538C2D |. E8 EEBCECFF call 00404920
46. 00538C32 |. 8D45 F8 lea eax, dword ptr [ebp-8]
47. 00538C35 |. BA 348D5300 mov edx, 00538D34 ; 江
48. 00538C3A |. E8 E1BCECFF call 00404920
49. 00538C3F |. 8D45 DC lea eax, dword ptr [ebp-24]
50. 00538C42 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; (ASCII "6.0;HsjMakeSign42172cae5f13aa6f3a2d1a4bc7bb3140")
51. 00538C45 |. 8B55 F8 mov edx, dword ptr [ebp-8]
52. 00538C48 |. E8 17BDECFF call 00404964
53. 00538C4D |. 8B45 DC mov eax, dword ptr [ebp-24]
54. 00538C50 |. 8D55 E0 lea edx, dword ptr [ebp-20]
55. 00538C53 |. E8 C0E5FFFF call 00537218
56. 00538C58 |. 8D45 E0 lea eax, dword ptr [ebp-20]
57. 00538C5B |. 8D55 F4 lea edx, dword ptr [ebp-C]
58. 00538C5E |. E8 29E6FFFF call 0053728C ; 关键Call整出注册码
59. 00538C63 |. 8D45 F0 lea eax, dword ptr [ebp-10]
60. 00538C66 |. E8 DDB9ECFF call 00404648 ; 作用未知
61. 00538C6B |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 注册码6c9125ab21e9252438e413f6536217d0
62. 00538C6E |. E8 A5BCECFF call 00404918
63. 00538C73 |. 8BD8 mov ebx, eax
64. 00538C75 |. 83FB 01 cmp ebx, 1
65. 00538C78 |. 7C 1F jl short 00538C99 ; 调序部分,倒转注册码
66. 00538C7A |> 8D45 D8 /lea eax, dword ptr [ebp-28]
67. 00538C7D |. 8B55 F4 |mov edx, dword ptr [ebp-C]
68. 00538C80 |. 8A541A FF |mov dl, byte ptr [edx+ebx-1]
69. 00538C84 |. E8 A7BBECFF |call 00404830
70. 00538C89 |. 8B55 D8 |mov edx, dword ptr [ebp-28]
71. 00538C8C |. 8D45 F0 |lea eax, dword ptr [ebp-10]
72. 00538C8F |. E8 8CBCECFF |call 00404920
73. 00538C94 |. 4B |dec ebx
74. 00538C95 |. 85DB |test ebx, ebx
75. 00538C97 |.^ 75 E1 \jnz short 00538C7A
76. 00538C99 |> 8BC6 mov eax, esi
77. 00538C9B |. 8B55 F0 mov edx, dword ptr [ebp-10] ; 倒转后正确的注册码0d7126356f314e8342529e12ba5219c6
78. 00538C9E |. E8 F9B9ECFF call 0040469C
79. 00538CA3 |. 33C0 xor eax, eax
80. 00538CA5 |. 5A pop edx
81. 00538CA6 |. 59 pop ecx
82. 00538CA7 |. 59 pop ecx
83. 00538CA8 |. 64:8910 mov dword ptr fs:[eax], edx
84. 00538CAB |. 68 D28C5300 push 00538CD2
85. 00538CB0 |> 8D45 D8 lea eax, dword ptr [ebp-28]
86. 00538CB3 |. BA 02000000 mov edx, 2
87. 00538CB8 |. E8 AFB9ECFF call 0040466C
88. 00538CBD |. 8D45 F0 lea eax, dword ptr [ebp-10]
89. 00538CC0 |. BA 04000000 mov edx, 4
90. 00538CC5 |. E8 A2B9ECFF call 0040466C
91. 00538CCA \. C3 retn
92. 00538CCB .^ E9 D0B2ECFF jmp 00403FA0
93. 00538CD0 .^ EB DE jmp short 00538CB0
94. 00538CD2 . 5E pop esi
95. 00538CD3 . 5B pop ebx
96. 00538CD4 . 8BE5 mov esp, ebp
97. 00538CD6 . 5D pop ebp
98. 00538CD7 . C3 retn
简单说下,这部分代码前半部分得到机器码数字,然后在00538C5E处是得到注册码的模块,那么我们在跟进0053728C那里瞧瞧:
来到这里,得到注册码的部分(注:分成的四部分注册码都需经过调序得到真正注册码的四部分)
1. 0053728C /$ 55 push ebp
2. 0053728D |. 8BEC mov ebp, esp
3. 0053728F |. 83C4 E8 add esp, -18
4. 00537292 |. 53 push ebx
5. 00537293 |. 56 push esi
6. 00537294 |. 57 push edi
7. 00537295 |. 33C9 xor ecx, ecx
8. 00537297 |. 894D EC mov dword ptr [ebp-14], ecx
9. 0053729A |. 894D E8 mov dword ptr [ebp-18], ecx
10. 0053729D |. 8BF0 mov esi, eax
11. 0053729F |. 8D7D F0 lea edi, dword ptr [ebp-10]
12. 005372A2 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第四部分[0012FB9C]=AB25916C
13. 005372A3 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第三部分[0012FBA0]=2425E921
14. 005372A4 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第二部分[0012FBA4]=F613E438
15. 005372A5 |. A5 movs dword ptr es:[edi], dword ptr [e>; 注册码第一部分[0012FBA8]=D0176253
16. 005372A6 |. 8BFA mov edi, edx
17. 005372A8 |. 33C0 xor eax, eax
18. 005372AA |. 55 push ebp
19. 005372AB |. 68 27735300 push 00537327
20. 005372B0 |. 64:FF30 push dword ptr fs:[eax]
21. 005372B3 |. 64:8920 mov dword ptr fs:[eax], esp
22. 005372B6 |. 8BC7 mov eax, edi
23. 005372B8 |. E8 8BD3ECFF call 00404648
24. 005372BD |. B3 10 mov bl, 10
25. 005372BF |. 8D75 F0 lea esi, dword ptr [ebp-10]
26. 005372C2 |> FF37 /push dword ptr [edi] ; 进入循环将注册码顺序校正
27. 005372C4 |. 8D45 EC |lea eax, dword ptr [ebp-14]
28. 005372C7 |. 33D2 |xor edx, edx
29. 005372C9 |. 8A16 |mov dl, byte ptr [esi]
30. 005372CB |. C1EA 04 |shr edx, 4
31. 005372CE |. 83E2 0F |and edx, 0F
32. 005372D1 |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
33. 005372D7 |. E8 54D5ECFF |call 00404830
34. 005372DC |. FF75 EC |push dword ptr [ebp-14]
35. 005372DF |. 8D45 E8 |lea eax, dword ptr [ebp-18]
36. 005372E2 |. 8A16 |mov dl, byte ptr [esi]
37. 005372E4 |. 80E2 0F |and dl, 0F
38. 005372E7 |. 81E2 FF000000 |and edx, 0FF
39. 005372ED |. 8A92 28255600 |mov dl, byte ptr [edx+562528]
40. 005372F3 |. E8 38D5ECFF |call 00404830
41. 005372F8 |. FF75 E8 |push dword ptr [ebp-18]
42. 005372FB |. 8BC7 |mov eax, edi
43. 005372FD |. BA 03000000 |mov edx, 3
44. 00537302 |. E8 D1D6ECFF |call 004049D8
45. 00537307 |. 46 |inc esi
46. 00537308 |. FECB |dec bl
47. 0053730A |.^ 75 B6 \jnz short 005372C2
48. 0053730C |. 33C0 xor eax, eax
49. 0053730E |. 5A pop edx
50. 0053730F |. 59 pop ecx
51. 00537310 |. 59 pop ecx
52. 00537311 |. 64:8910 mov dword ptr fs:[eax], edx
53. 00537314 |. 68 2E735300 push 0053732E
54. 00537319 |> 8D45 E8 lea eax, dword ptr [ebp-18]
55. 0053731C |. BA 02000000 mov edx, 2
56. 00537321 |. E8 46D3ECFF call 0040466C
57. 00537326 \. C3 retn
58. 00537327 .^ E9 74CCECFF jmp 00403FA0
59. 0053732C .^ EB EB jmp short 00537319
60. 0053732E . 5F pop edi
61. 0053732F . 5E pop esi
62. 00537330 . 5B pop ebx
63. 00537331 . 8BE5 mov esp, ebp
64. 00537333 . 5D pop ebp
65. 00537334 . C3 retn
通过这段代码看到了机器码(数字部分)与注册码实际是调用同一部分代码,只是时间紧迫,我没能分析明白算法具体是什么,只能分析一下流程了。
或许大家看到这个步骤有些发懵,建议大家动手试一下,如果有流程图或许会好些吧。
至于要得到破解版本,我的思路是让软件自己计算出注册码与自己比较,呵呵,肯定是正确的了。(补充:该软件的注册方式是从32位注册码中任取两个数,与用户输入的注册码同位置两处比较,若正确则成功,所以利用追出的注册码修改一下有时能注册成功,有时则会失败。这是我在沙盘下调试多次加上动态调试的猜想,没办法,我汇编根本没起步,分析的头都大了。嘿嘿)
在此次分析第一次跟进的代码区域往下看有这样一段:
1. 00538DF2 8B45 F0 mov eax, dword ptr [ebp-10]
2. 00538DF5 |. E8 7EBDECFF call 00404B78 ; 来到比较的地方,我估计是通过函数任意取注册码的一个位置
3. 00538DFA |. 8B45 F8 mov eax, dword ptr [ebp-8]
4. 00538DFD 8B55 F0 mov edx, dword ptr [ebp-10]
5. 00538E00 |. E8 5FBCECFF call 00404A64
6. 00538E05 |. 0F94C3 sete bl ;判断逻辑真假,若为真,注册成功。
这样得到破解版我们还需做以下修改:
00538DF2和00538DFD处修改汇编代码将ebp-10改为ebp-8
此时用动态调试,00538E05逻辑为真。说明接近成功了。
保存修改,双击打开,软件就变为已注册版本了。
不求精华,知道没到那个水平,但求一个邀请码,犒劳一下。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
 不错不错
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
看看 学习啦
|
|
|
|
|
|
|
|
|
|
|
|
|
