软件名称: 英语会话精灵(双语音版)V3.2
下载页面: http://www.anyeasy.com
本人初学Crack,菜鸟一个,只是感兴趣,没有其它目的, 有以下问题求教!
1. 脱壳, 用PE-SCAN看是PEbundle, 用Ollydbg手动脱壳(找到的oep为0056D370, 脱壳后提示运行错误, 还请高手指教啊)
2. 用PEiD看脱壳后的程序, 提示为Borland Delphi 6.0 - 7.0编写,
没办法只好先运行原程序然后用DeDe3.50 dump后进行分析,
发现注册码验证窗口TfrmReg, Event=suitempButton1Click---004CF160,
关键代码如下:
004CF160 55 push ebp
004CF161 8BEC mov ebp, esp
004CF163 B920000000 mov ecx, $00000020
004CF168 6A00 push $00
004CF16A 6A00 push $00
004CF16C 49 dec ecx
004CF16D 75F9 jnz 004CF168
004CF16F 51 push ecx
004CF170 53 push ebx
004CF171 56 push esi
004CF172 8BD8 mov ebx, eax
004CF174 33C0 xor eax, eax
004CF176 55 push ebp
* Possible String Reference to: '?K??^[?]?
|
004CF177 68ADF44C00 push $004CF4AD
***** TRY
|
004CF17C 64FF30 push dword ptr fs:[eax]
004CF17F 648920 mov fs:[eax], esp
004CF182 8D951CFFFFFF lea edx, [ebp+$FFFFFF1C]
* Reference to control TfrmReg.Edit3 : TsuiEdit
|
004CF188 8B8300030000 mov eax, [ebx+$0300]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004CF18E E8F13DF7FF call 00442F84
004CF193 8B851CFFFFFF mov eax, [ebp+$FFFFFF1C] //the input serial
004CF199 8D9520FFFFFF lea edx, [ebp+$FFFFFF20]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
004CF19F E8949AF3FF call 00408C38
004CF1A4 8B8520FFFFFF mov eax, [ebp+$FFFFFF20]
* Reference to: System.@LStrLen(String):Integer;
|
004CF1AA E85157F3FF call 00404900
004CF1AF 83F80F cmp eax, +$0F
004CF1B2 0F8EEB010000 jle 004CF3A3
* Possible String Reference to: 'reg.dll'
|
004CF1B8 68BCF44C00 push $004CF4BC
|
004CF1BD E8FA7CF3FF call 00406EBC //LoadLibrary
004CF1C2 8BF0 mov esi, eax eax = return addr
004CF1C4 85F6 test esi, esi return addr != NUll
004CF1C6 0F8407010000 jz 004CF2D3
004CF1CC 8D8526FFFFFF lea eax, [ebp+$FFFFFF26]
004CF1D2 33C9 xor ecx, ecx
004CF1D4 BA65000000 mov edx, $00000065
* Reference to: System.@FillChar(void;void;Integer;Char);
|
004CF1D9 E8DA3EF3FF call 004030B8
004CF1DE 8D458B lea eax, [ebp-$75]
004CF1E1 33C9 xor ecx, ecx
004CF1E3 BA65000000 mov edx, $00000065
* Reference to: System.@FillChar(void;void;Integer;Char);
|
004CF1E8 E8CB3EF3FF call 004030B8
* Possible String Reference to: 'BlowFishDecrypt'
|
004CF1ED 68C4F44C00 push $004CF4C4
004CF1F2 56 push esi
|
004CF1F3 E8147CF3FF call 00406E0C //GetProcAddress
004CF1F8 8945FC mov [ebp-$04], eax //func address 'BlowFishDecrypt'
* Possible String Reference to: 'EncryptStringFun1'
|
004CF1FB 68D4F44C00 push $004CF4D4
004CF200 56 push esi
|
004CF201 E8067CF3FF call 00406E0C //GetProcAddress
004CF206 8945F8 mov [ebp-$08], eax //func address 'EncryptStringFun1'
004CF209 837DFC00 cmp dword ptr [ebp-$04], +$00
004CF20D 0F84C0000000 jz 004CF2D3
004CF213 837DF800 cmp dword ptr [ebp-$08], +$00
004CF217 0F84B6000000 jz 004CF2D3
* Possible String Reference to: 'lxhest-EC3CABAC25C0F96DCC5AE18F874B
| 07DC98F0E672C26924FD'
|
004CF21D 68E8F44C00 push $004CF4E8
004CF222 8D8526FFFFFF lea eax, [ebp+$FFFFFF26]
004CF228 50 push eax //指向输出解密字符串缓冲区的指针
* Possible String Reference to: 'sbipxa'
|
004CF229 6820F54C00 push $004CF520 //指向用于解密的密钥字符串缓冲区的指针。
004CF22E 8D9514FFFFFF lea edx, [ebp+$FFFFFF14]
* Reference to control TfrmReg.Edit3 : TsuiEdit
|
004CF234 8B8300030000 mov eax, [ebx+$0300]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004CF23A E8453DF7FF call 00442F84
004CF23F 8B8514FFFFFF mov eax, [ebp+$FFFFFF14] //the input serial
004CF245 8D8D18FFFFFF lea ecx, [ebp+$FFFFFF18] //
004CF24B BA10000000 mov edx, $00000010
* Reference to: StrUtils.LeftStr(AnsiString;Integer):AnsiString;
|
004CF250 E84BD7F6FF call 0043C9A0
004CF255 8B8518FFFFFF mov eax, [ebp+$FFFFFF18] //the input serial
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004CF25B E89858F3FF call 00404AF8
004CF260 50 push eax // eax = the input serial
004CF261 FF55FC call dword ptr [ebp-$04] //func address 'BlowFishDecrypt'
004CF264 84C0 test al, al
004CF266 7413 jz 004CF27B
004CF268 8D45F4 lea eax, [ebp-$0C]
004CF26B 8D9526FFFFFF lea edx, [ebp+$FFFFFF26]
004CF271 B965000000 mov ecx, $00000065
* Reference to: System.@LStrFromArray(String;String;PAnsiChar;Integer);
|
004CF276 E83556F3FF call 004048B0
* Possible String Reference to: 'lxhest-EC3CABAC25C0F96DCC5AE18F874B
| 07DC98F0E672C26924FD'
|
004CF27B 68E8F44C00 push $004CF4E8 //lpRegisterCode
004CF280 8D458B lea eax, [ebp-$75]
004CF283 50 push eax //lpOutBuffer
* Possible String Reference to: 'sbipxa'
|
004CF284 6820F54C00 push $004CF520 //lpKey
004CF289 8D9510FFFFFF lea edx, [ebp+$FFFFFF10]
* Reference to control TfrmReg.Edit6 : TsuiEdit
|
004CF28F 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004CF295 E8EA3CF7FF call 00442F84
004CF29A 8B8510FFFFFF mov eax, [ebp+$FFFFFF10] //用户编号
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
004CF2A0 E85358F3FF call 00404AF8
004CF2A5 50 push eax //lpInBuffer
004CF2A6 FF55F8 call dword ptr [ebp-$08] //func address 'EncryptStringFun1'
004CF2A9 84C0 test al, al
004CF2AB 7426 jz 004CF2D3
004CF2AD 8D850CFFFFFF lea eax, [ebp+$FFFFFF0C] //
004CF2B3 8D558B lea edx, [ebp-$75] //ebp-$75 = lpOutBuffer
0004CF2B6 B965000000 mov ecx, $0000065
g* Reference to: System.@LStrFromArray(String;Strin;PAnsiChar;Integer);
|
004CF2BB E8F055F3FF call 004048B0
004CF2C0 8B850CFFFFFF mov eax, [ebp+$FFFFFF0C]
004CF2C6 8D4DF0 lea ecx, [ebp-$10]
004CF2C9 BA06000000 mov edx, $00000006 //6
* Reference to: StrUtils.RightStr(AnsiString;Integer):AnsiString;
|
004CF2CE E8E9D6F6FF call 0043C9BC //取右边的6个字符
004CF2D3 56 push esi
|
004CF2D4 E8BB7AF3FF call 00406D94 //FreeLibrary
004CF2D9 8B45F4 mov eax, [ebp-$0C] //注册码生成的加密串
004CF2DC 8B55F0 mov edx, [ebp-$10] //用户编号生成的加密串
* Reference to: System.@LStrCmp;
|
004CF2DF E86057F3FF call 00404A44 //关键比较
004CF2E4 0F85B9000000 jnz 004CF3A3
* Reference to control TfrmReg.suiMessageDialog1 : TsuiMessageDialog
|
004CF2EA 8BB3F0020000 mov esi, [ebx+$02F0]
* Reference to field TsuiMessageDialog.OFFS_0064
|
004CF2F0 C6466403 mov byte ptr [esi+$64], $03
* Reference to field TsuiMessageDialog.OFFS_0068
|
004CF2F4 8D4668 lea eax, [esi+$68]
* Possible String Reference to: '注册成功!请保留好您的注册码,谢谢?
跟踪进reg.dll, 发现该文件是<共享软件加密算法库>, 可从http://liangs99.yeah.net下载。
注册比较算法为:
BlowFishDecrypt(注册码, 'sbipxa') = 取右边的6个字符(EncryptStringFun1(用户编号, 'sbipxa'))
则推出注册码生成方法为:
equalVal = 取右边的6个字符(EncryptStringFun1(用户编号, 'sbipxa'))
注册码 = BlowFishEncrypt(equalVal, 'sbipxa')
BlowFishDecrypt和EncryptStringFun1都为reg.dll中的函数
如我的机器用户编号为34318-E2D51, 生成的注册码为F825AA94A3A45BAE。(ps: 可以直接利用共享软件加密算法库中附带的example来生成)。
到此, 输入生成的注册码会提示注册成功。
但是重新运行该程序发现可使用的功能和未注册前一样, 实在很困惑没有头绪, 难道还有其他的判断点吗?
不知哪位高手能抽出点时间看一下, 非常感谢 !
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!