【Title】: Analysis of cracking the registration of a system-error-repair program that uses network verification
【Author】: suredwang
【Author's e-mail】: suredwang@126.com
【Software】: 系统错误修复精灵 V3.0 (System Error Repair Wizard)
【Size】: 790K
【Download】: search for it yourself
【Packer】: none
【Protection】: network verification + registration code
【Language】: Microsoft Visual Basic 5.0 / 6.0
【Tools】: OD
【Platform】: XP
【Description】: Quickly scans for and repairs registry errors, can also back up repairs and restore them at any time; handy for system maintenance. The unregistered version can only scan and cannot repair errors.
【Author's note】: Just out of interest, no other purpose. Please correct any mistakes I have made!
--------------------------------------------------------------------------------
【Detailed process】
I am just a newbie. On a day off with nothing to do I downloaded a small program to practice on. I thought it only had simple registration-code protection, but it turned out to have network verification as well, so I decided to learn something from it.
Apologies in advance; no other purpose, support genuine software, experts please pass by.
First check for a packer with PEiD: none, and the program is written in VB. Load it directly in OD, press F9 to run to the registration dialog, enter an arbitrary registration code 787878787878,
and click Register; the message "registration code error" appears. First try right-click > search for strings: there is no string information at all, so the string-search approach will not work. Open the breakpoint plugin
and set a breakpoint on the __vbaStrComp function to see whether it breaks (setting it from the command line works just as well: bp __vbaStrComp). After clicking Register:
734793DA > FF7424 08 push dword ptr [esp+8] ; breaks here
734793DE FF7424 08 push dword ptr [esp+8]
734793E2 6A 00 push 0
734793E4 E8 44E6FFFF call __vbaStrComp
734793E9 C2 0800 retn 8
734793EC > FF7424 08 push dword ptr [esp+8]
734793F0 FF7424 08 push dword ptr [esp+8]
734793F4 6A 01 push 1
734793F6 E8 32E6FFFF call __vbaStrComp
734793FB C2 0800 retn 8
In the register pane on the right:
EAX 00000030
ECX 001918CC UNICODE "RCode error"
EDX 00000000
EBX 73497262 MSVBVM60.__vbaFreeVarList
ESP 0012EC08 ASCII "7Bb"
EBP 0012EDA4
ESI 73476A74 MSVBVM60.__vbaStrMove
EDI 00000000
EIP 734793DA MSVBVM60.__vbaStrCmp
The register pane on the right shows the string "RCode error", so the registration check must be earlier. Scroll up to the entry address of the key registration CALL, set a breakpoint there and run again:
00624000 > \55 push ebp ; set a breakpoint here; after re-running it breaks here
00624001 . 8BEC mov ebp, esp
00624003 . 83EC 0C sub esp, 0C
00624006 . 68 66204000 push <jmp.&MSVBVM60.__vbaExceptHandle>; SE handler installation
0062400B . 64:A1 0000000>mov eax, dword ptr fs:[0]
00624011 . 50 push eax
00624012 . 64:8925 00000>mov dword ptr fs:[0], esp
00624019 . 81EC 70010000 sub esp, 170
0062401F . 53 push ebx
00624020 . 56 push esi
00624021 . 57 push edi
00624022 . 8965 F4 mov dword ptr [ebp-C], esp
00624025 . C745 F8 A81F4>mov dword ptr [ebp-8], 00401FA8
0062402C . 8B75 08 mov esi, dword ptr [ebp+8]
0062402F . 8BC6 mov eax, esi
00624031 . 83E0 01 and eax, 1
00624034 . 8945 FC mov dword ptr [ebp-4], eax
00624037 . 83E6 FE and esi, FFFFFFFE
0062403A . 56 push esi
0062403B . 8975 08 mov dword ptr [ebp+8], esi
0062403E . 8B0E mov ecx, dword ptr [esi]
00624040 . FF51 04 call dword ptr [ecx+4] ; step here with F8; note that F8 over this CALL runs away, looks like VMP code
00624043 . 8B16 mov edx, dword ptr [esi]
00624045 . 33FF xor edi, edi
00624047 . 56 push esi
00624048 . 897D D8 mov dword ptr [ebp-28], edi
0062404B . 897D D4 mov dword ptr [ebp-2C], edi
0062404E . 897D D0 mov dword ptr [ebp-30], edi
00624051 . 897D C0 mov dword ptr [ebp-40], edi
00624054 . 897D B0 mov dword ptr [ebp-50], edi
00624057 . 897D A0 mov dword ptr [ebp-60], edi
0062405A . 897D 9C mov dword ptr [ebp-64], edi
0062405D . 897D 98 mov dword ptr [ebp-68], edi
00624060 . 897D 94 mov dword ptr [ebp-6C], edi
00624063 . 897D 90 mov dword ptr [ebp-70], edi
00624066 . 897D 80 mov dword ptr [ebp-80], edi
00624069 . 89BD 70FFFFFF mov dword ptr [ebp-90], edi
0062406F . 89BD 60FFFFFF mov dword ptr [ebp-A0], edi
00624075 . 89BD 50FFFFFF mov dword ptr [ebp-B0], edi
0062407B . 89BD 40FFFFFF mov dword ptr [ebp-C0], edi
00624081 . 89BD 30FFFFFF mov dword ptr [ebp-D0], edi
00624087 . 89BD 20FFFFFF mov dword ptr [ebp-E0], edi
0062408D . 89BD 10FFFFFF mov dword ptr [ebp-F0], edi
00624093 . 89BD 00FFFFFF mov dword ptr [ebp-100], edi
00624099 . FF92 00030000 call dword ptr [edx+300]
0062409F . 50 push eax
006240A0 . 8D45 90 lea eax, dword ptr [ebp-70]
006240A3 . 50 push eax
006240A4 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
006240AA . 8BD8 mov ebx, eax
006240AC . 8D55 9C lea edx, dword ptr [ebp-64]
006240AF . 52 push edx
006240B0 . 53 push ebx
006240B1 . 8B0B mov ecx, dword ptr [ebx]
006240B3 . FF91 A0000000 call dword ptr [ecx+A0]
006240B9 . 3BC7 cmp eax, edi
006240BB . DBE2 fclex
006240BD . 7D 12 jge short 006240D1
006240BF . 68 A0000000 push 0A0
006240C4 . 68 58F84500 push 0045F858
006240C9 . 53 push ebx
006240CA . 50 push eax
006240CB . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
006240D1 > 8B45 9C mov eax, dword ptr [ebp-64] ; the fake code appears here
006240D4 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006240DA . 8945 88 mov dword ptr [ebp-78], eax
006240DD . 8D45 80 lea eax, dword ptr [ebp-80]
006240E0 . 50 push eax
006240E1 . 51 push ecx
006240E2 . 897D 9C mov dword ptr [ebp-64], edi
006240E5 . C745 80 08000>mov dword ptr [ebp-80], 8
006240EC . FF15 BC104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar strips surrounding spaces
006240F2 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
006240F8 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
006240FE . 52 push edx ; /var18
006240FF . 50 push eax ; |var28
00624100 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045DEE0 ; |
0062410A . C785 00FFFFFF>mov dword ptr [ebp-100], 8008 ; |
00624114 . FF15 00124000 call dword ptr [<&MSVBVM60.__vbaVarTstNe>] ; \tests whether the variants are not equal
0062411A . 8D4D 90 lea ecx, dword ptr [ebp-70]
0062411D . 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
00624123 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
00624129 . 8B1D 3C104000 mov ebx, dword ptr [<&MSVBVM60.__vbaFreeVa>; MSVBVM60.__vbaFreeVarList
0062412F . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624135 . 8D55 80 lea edx, dword ptr [ebp-80]
00624138 . 51 push ecx
00624139 . 52 push edx
0062413A . 6A 02 push 2
0062413C . FFD3 call ebx ; <&MSVBVM60.__vbaFreeVarList>
0062413E . 83C4 0C add esp, 0C
00624141 . 66:39BD C4FEF>cmp word ptr [ebp-13C], di ; checks whether the registration code is empty
00624148 0F84 841D0000 je 00625ED2 ; jumps away if empty
0062414E . 8B06 mov eax, dword ptr [esi]
00624150 . 56 push esi
00624151 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F86C ; "http://www.FairySoftware.com/register/fse/?rcode=" appears on the stack
0062415B . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00624165 . FF90 00030000 call dword ptr [eax+300]
0062416B . 8D4D 90 lea ecx, dword ptr [ebp-70]
0062416E . 50 push eax
0062416F . 51 push ecx
00624170 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00624176 . 8BF0 mov esi, eax
00624178 . 8D45 9C lea eax, dword ptr [ebp-64]
0062417B . 50 push eax
0062417C . 56 push esi
0062417D . 8B16 mov edx, dword ptr [esi]
0062417F . FF92 A0000000 call dword ptr [edx+A0]
00624185 . 3BC7 cmp eax, edi
00624187 . DBE2 fclex
00624189 . 7D 12 jge short 0062419D
0062418B . 68 A0000000 push 0A0
00624190 . 68 58F84500 push 0045F858
00624195 . 56 push esi
00624196 . 50 push eax
00624197 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
0062419D > 8B45 9C mov eax, dword ptr [ebp-64] ; the fake code appears again
006241A0 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006241A3 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
006241A9 . 51 push ecx
006241AA . 52 push edx
006241AB . 897D 9C mov dword ptr [ebp-64], edi
006241AE . 8945 88 mov dword ptr [ebp-78], eax
006241B1 . C745 80 08000>mov dword ptr [ebp-80], 8
006241B8 . FF15 BC104000 call dword ptr [<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar
006241BE . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
006241C4 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006241CA . 50 push eax
006241CB . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
006241D1 . 51 push ecx
006241D2 . 52 push edx
006241D3 . FF15 A0114000 call dword ptr [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat string concatenation function
006241D9 . 50 push eax
006241DA . FF15 30104000 call dword ptr [<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
006241E0 . 8B35 44124000 mov esi, dword ptr [<&MSVBVM60.__vbaStrMov>; MSVBVM60.__vbaStrMove
006241E6 . 8BD0 mov edx, eax ; concatenated string "http://www.FairySoftware.com/register/fse/?rcode=78787878787878"
006241E8 . 8D4D 98 lea ecx, dword ptr [ebp-68]
006241EB . FFD6 call esi ; <&MSVBVM60.__vbaStrMove>
006241ED . 8D45 98 lea eax, dword ptr [ebp-68]
006241F0 . 50 push eax
006241F1 . E8 AA2C0000 call 00626EA0 ; network verification CALL: verifies the registration code and returns a value
006241F6 . 8BD0 mov edx, eax ; the string "RCode error" returned by the server
006241F8 . 8D4D D0 lea ecx, dword ptr [ebp-30]
006241FB . FFD6 call esi
006241FD . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624200 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00624206 . 8D4D 90 lea ecx, dword ptr [ebp-70]
00624209 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0062420F . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624215 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062421B . 51 push ecx
0062421C . 8D45 80 lea eax, dword ptr [ebp-80]
0062421F . 52 push edx
00624220 . 50 push eax
00624221 . 6A 03 push 3
00624223 . FFD3 call ebx
00624225 . 8B4D D0 mov ecx, dword ptr [ebp-30]
00624228 . 83C4 10 add esp, 10
0062422B . 51 push ecx ; the string "RCode error" returned by the server
0062422C . 68 E0DE4500 push 0045DEE0 ; compared against 30h
00624231 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00624237 . 85C0 test eax, eax
00624239 0F84 1F1C0000 je 00625E5E ; checks whether the server's return value is 0, so it does not jump
0062423F . 8B45 08 mov eax, dword ptr [ebp+8]
00624242 . 50 push eax
00624243 . 8B10 mov edx, dword ptr [eax]
00624245 . FF92 00030000 call dword ptr [edx+300]
0062424B . 50 push eax
0062424C . 8D45 90 lea eax, dword ptr [ebp-70]
0062424F . 50 push eax
00624250 . FF15 98104000 call dword ptr [<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
00624256 . 8B08 mov ecx, dword ptr [eax]
00624258 . 8D55 9C lea edx, dword ptr [ebp-64]
0062425B . 52 push edx
0062425C . 50 push eax
0062425D . 8985 CCFEFFFF mov dword ptr [ebp-134], eax
00624263 . FF91 A0000000 call dword ptr [ecx+A0]
00624269 . 3BC7 cmp eax, edi
0062426B . DBE2 fclex
0062426D . 7D 18 jge short 00624287
0062426F . 8B8D CCFEFFFF mov ecx, dword ptr [ebp-134]
00624275 . 68 A0000000 push 0A0
0062427A . 68 58F84500 push 0045F858
0062427F . 51 push ecx
00624280 . 50 push eax
00624281 . FF15 70104000 call dword ptr [<&MSVBVM60.__vbaHresultChec>; MSVBVM60.__vbaHresultCheckObj
00624287 > 8B55 9C mov edx, dword ptr [ebp-64] ; fake code
0062428A . 6A 01 push 1
0062428C . 52 push edx
0062428D . 68 2CE74500 push 0045E72C ; -
00624292 . 57 push edi
00624293 . FF15 CC114000 call dword ptr [<&MSVBVM60.__vbaInStr>] ; MSVBVM60.__vbaInStr
00624299 . F7D8 neg eax ; checks whether the registration code is contained and sets the flag
0062429B . 1BC0 sbb eax, eax
0062429D . 8D4D 9C lea ecx, dword ptr [ebp-64]
006242A0 . 40 inc eax
006242A1 . F7D8 neg eax
006242A3 . 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
006242A9 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
006242AF . 8D4D 90 lea ecx, dword ptr [ebp-70]
006242B2 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
006242B8 . 66:39BD C4FEF>cmp word ptr [ebp-13C], di ; tests the flag for whether the registration code is contained
006242BF 0F84 97000000 jne 0062435C ; key patch point: change to JNZ or JMP
................... omitted here
Jumps to here:
0062435C > \8D55 80 lea edx, dword ptr [ebp-80]
0062435F . C745 88 04000>mov dword ptr [ebp-78], 80020004
00624366 . 52 push edx ; /RNDNumber08
00624367 . C745 80 0A000>mov dword ptr [ebp-80], 0A ; |
0062436E . FF15 90104000 call dword ptr [<&MSVBVM60.#594>] ; \rtcRandomize
00624374 . 8D4D 80 lea ecx, dword ptr [ebp-80]
00624377 . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0062437D . 8D45 80 lea eax, dword ptr [ebp-80]
00624380 . C745 88 04000>mov dword ptr [ebp-78], 80020004
00624387 . 50 push eax ; /arg
00624388 . C745 80 0A000>mov dword ptr [ebp-80], 0A ; |
0062438F . FF15 84104000 call dword ptr [<&MSVBVM60.#593>] ; \rtcRandomNext
00624395 . D80D A01F4000 fmul dword ptr [401FA0]
0062439B . DFE0 fstsw ax
0062439D . A8 0D test al, 0D
0062439F . 0F85 6F1C0000 jnz 00626014
006243A5 . FF15 64124000 call dword ptr [<&MSVBVM60.__vbaFPInt>] ; MSVBVM60.__vbaFPInt
006243AB . D805 501A4000 fadd dword ptr [401A50]
006243B1 . DFE0 fstsw ax
006243B3 . A8 0D test al, 0D
006243B5 . 0F85 591C0000 jnz 00626014
006243BB . FF15 24124000 call dword ptr [<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
006243C1 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006243C4 . 8985 BCFEFFFF mov dword ptr [ebp-144], eax
006243CA . 897D E8 mov dword ptr [ebp-18], edi
006243CD . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
006243D3 . 8B3D 1C104000 mov edi, dword ptr [<&MSVBVM60.__vbaVarMov>; MSVBVM60.__vbaVarMove
006243D9 > 8B45 E8 mov eax, dword ptr [ebp-18] ; the JMP below returns to here
006243DC . 8B8D BCFEFFFF mov ecx, dword ptr [ebp-144]
006243E2 . 3BC1 cmp eax, ecx ; the algorithm loops here several times
006243E4 . 0F8F AB030000 jg 00624795
006243EA . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
006243F0 . 8D4D C0 lea ecx, dword ptr [ebp-40]
006243F3 . 8985 08FFFFFF mov dword ptr [ebp-F8], eax
006243F9 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
00624403 . FFD7 call edi
00624405 . 8B4D E8 mov ecx, dword ptr [ebp-18]
00624408 . 83C1 01 add ecx, 1
0062440B . 0F80 081C0000 jo 00626019
00624411 . 51 push ecx
00624412 . FF15 18104000 call dword ptr [<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
00624418 . 8BD0 mov edx, eax
0062441A . 8D4D 9C lea ecx, dword ptr [ebp-64]
0062441D . FFD6 call esi
0062441F . 8D55 9C lea edx, dword ptr [ebp-64]
00624422 . 52 push edx
00624423 . E8 78DBFFFF call 00621FA0 ; key algorithm CALL; F7 into it to see what it does
00624428 . 8945 88 mov dword ptr [ebp-78], eax
0062442B . 8D45 80 lea eax, dword ptr [ebp-80]
0062442E . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624434 . 50 push eax
00624435 . 51 push ecx
00624436 . C745 80 08000>mov dword ptr [ebp-80], 8
0062443D . FF15 00114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00624443 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
00624449 . 8D4D D8 lea ecx, dword ptr [ebp-28]
0062444C . FFD7 call edi
0062444E . 8D4D 9C lea ecx, dword ptr [ebp-64]
00624451 . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00624457 . 8D4D 80 lea ecx, dword ptr [ebp-80]
0062445A . FF15 24104000 call dword ptr [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00624460 . 8B55 E8 mov edx, dword ptr [ebp-18]
00624463 . 8D4D B0 lea ecx, dword ptr [ebp-50]
00624466 . 83C2 01 add edx, 1
00624469 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
00624473 . 0F80 A01B0000 jo 00626019
00624479 . 8995 08FFFFFF mov dword ptr [ebp-F8], edx
0062447F . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00624485 . FFD7 call edi
00624487 . 8B45 E8 mov eax, dword ptr [ebp-18]
0062448A . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00624490 . 83C0 02 add eax, 2
00624493 . 8D4D A0 lea ecx, dword ptr [ebp-60]
00624496 . 0F80 7D1B0000 jo 00626019
0062449C . 8985 08FFFFFF mov dword ptr [ebp-F8], eax
006244A2 . C785 00FFFFFF>mov dword ptr [ebp-100], 3
006244AC . FFD7 call edi
006244AE . 8D4D C0 lea ecx, dword ptr [ebp-40]
006244B1 . 8D55 B0 lea edx, dword ptr [ebp-50]
006244B4 . 51 push ecx ; /var18
006244B5 . 52 push edx ; |var28
006244B6 . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
006244BC . 66:85C0 test ax, ax
006244BF . 0F84 92010000 je 00624657
006244C5 . E8 96CDFFFF call 00621260
006244CA . 8BD0 mov edx, eax
006244CC . 8D4D 9C lea ecx, dword ptr [ebp-64]
006244CF . FFD6 call esi
006244D1 . 50 push eax
006244D2 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
006244D8 . DC05 701E4000 fadd qword ptr [401E70]
006244DE . 83EC 08 sub esp, 8
006244E1 . DFE0 fstsw ax
006244E3 . A8 0D test al, 0D
006244E5 . 0F85 291B0000 jnz 00626014
006244EB . DD1C24 fstp qword ptr [esp]
006244EE . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
006244F4 . 8BD0 mov edx, eax
006244F6 . 8D4D 98 lea ecx, dword ptr [ebp-68]
006244F9 . FFD6 call esi
006244FB . 8D45 98 lea eax, dword ptr [ebp-68]
006244FE . 50 push eax
006244FF . E8 9CDAFFFF call 00621FA0
00624504 . 8D55 80 lea edx, dword ptr [ebp-80]
00624507 . 8D4D C0 lea ecx, dword ptr [ebp-40]
0062450A . 8945 88 mov dword ptr [ebp-78], eax
0062450D . C745 80 08000>mov dword ptr [ebp-80], 8
00624514 . FFD7 call edi
00624516 . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624519 . 8D55 9C lea edx, dword ptr [ebp-64]
0062451C . 51 push ecx
0062451D . 52 push edx
0062451E . 6A 02 push 2
00624520 . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00624526 . B9 04000280 mov ecx, 80020004
0062452B . B8 0A000000 mov eax, 0A
00624530 . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00624536 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0062453C . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
00624542 . 83C4 0C add esp, 0C
00624545 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
0062454B . 8D4D 80 lea ecx, dword ptr [ebp-80]
0062454E . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
00624554 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
0062455A . 8985 70FFFFFF mov dword ptr [ebp-90], eax
00624560 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8F8
0062456A . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00624574 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0062457A . 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
00624580 . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624586 . 50 push eax
00624587 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062458D . 51 push ecx
0062458E . 52 push edx
0062458F . 8D45 80 lea eax, dword ptr [ebp-80]
00624592 . 6A 30 push 30
00624594 . 50 push eax
00624595 . FF15 9C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
0062459B . 8D8D 50FFFFFF lea ecx, dword ptr [ebp-B0]
006245A1 . 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
006245A7 . 51 push ecx
006245A8 . 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
006245AE . 52 push edx
006245AF . 8D4D 80 lea ecx, dword ptr [ebp-80]
006245B2 . 50 push eax
006245B3 . 51 push ecx
006245B4 . 6A 04 push 4
006245B6 . FFD3 call ebx
006245B8 . 83C4 14 add esp, 14
006245BB . E8 A0CCFFFF call 00621260
006245C0 . 8BD0 mov edx, eax
006245C2 . 8D4D 9C lea ecx, dword ptr [ebp-64]
006245C5 . FFD6 call esi
006245C7 . 50 push eax
006245C8 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
006245CE . DC05 701E4000 fadd qword ptr [401E70]
006245D4 . 83EC 08 sub esp, 8
006245D7 . DFE0 fstsw ax
006245D9 . A8 0D test al, 0D
006245DB . 0F85 331A0000 jnz 00626014
006245E1 . DD1C24 fstp qword ptr [esp]
006245E4 . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
006245EA . 8BD0 mov edx, eax
006245EC . 8D4D 98 lea ecx, dword ptr [ebp-68]
006245EF . FFD6 call esi
006245F1 . 8D55 98 lea edx, dword ptr [ebp-68]
006245F4 . 52 push edx
006245F5 . E8 A6D9FFFF call 00621FA0
006245FA . 8945 88 mov dword ptr [ebp-78], eax
006245FD . 8D45 80 lea eax, dword ptr [ebp-80]
00624600 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624606 . 50 push eax
00624607 . 51 push ecx
00624608 . C745 80 08000>mov dword ptr [ebp-80], 8
0062460F . FF15 00114000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
00624615 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062461B . 8D45 94 lea eax, dword ptr [ebp-6C]
0062461E . 52 push edx ; /String8
0062461F . 50 push eax ; |ARG2
00624620 . FF15 98114000 call dword ptr [<&MSVBVM60.__vbaStrVarVal>] ; \__vbaStrVarVal
00624626 . 50 push eax
00624627 . E8 74D3FFFF call 006219A0
0062462C . 8D4D 94 lea ecx, dword ptr [ebp-6C]
0062462F . 8D55 98 lea edx, dword ptr [ebp-68]
00624632 . 51 push ecx
00624633 . 8D45 9C lea eax, dword ptr [ebp-64]
00624636 . 52 push edx
00624637 . 50 push eax
00624638 . 6A 03 push 3
0062463A . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00624640 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00624646 . 8D55 80 lea edx, dword ptr [ebp-80]
00624649 . 51 push ecx
0062464A . 52 push edx
0062464B . 6A 02 push 2
0062464D . FFD3 call ebx
0062464F . 83C4 1C add esp, 1C
00624652 . E9 26010000 jmp 0062477D
00624657 > 8D45 C0 lea eax, dword ptr [ebp-40]
0062465A . 8D8D 00FFFFFF lea ecx, dword ptr [ebp-100]
00624660 . 50 push eax ; /var18
00624661 . 51 push ecx ; |var28
00624662 . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F908 ; |o
0062466C . C785 00FFFFFF>mov dword ptr [ebp-100], 8008 ; |
00624676 . FF15 10114000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
0062467C . 66:85C0 test ax, ax
0062467F . 0F84 94000000 je 00624719
00624685 . B9 04000280 mov ecx, 80020004
0062468A . B8 0A000000 mov eax, 0A
0062468F . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00624695 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
0062469B . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
006246A1 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
006246A7 . 8D4D 80 lea ecx, dword ptr [ebp-80]
006246AA . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
006246B0 . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
006246B6 . 8985 70FFFFFF mov dword ptr [ebp-90], eax
006246BC . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8E4
006246C6 . C785 00FFFFFF>mov dword ptr [ebp-100], 8
006246D0 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
006246D6 . 8D95 50FFFFFF lea edx, dword ptr [ebp-B0]
006246DC . 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
006246E2 . 52 push edx
006246E3 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
006246E9 . 50 push eax
006246EA . 51 push ecx
006246EB . 8D55 80 lea edx, dword ptr [ebp-80]
006246EE . 6A 30 push 30
006246F0 . 52 push edx
006246F1 . FF15 9C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
006246F7 . 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
006246FD . 8D8D 60FFFFFF lea ecx, dword ptr [ebp-A0]
00624703 . 50 push eax
00624704 . 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0062470A . 51 push ecx
0062470B . 8D45 80 lea eax, dword ptr [ebp-80]
0062470E . 52 push edx
0062470F . 50 push eax
00624710 . 6A 04 push 4
00624712 . FFD3 call ebx
00624714 . 83C4 14 add esp, 14
00624717 . EB 64 jmp short 0062477D
00624719 > E8 42CBFFFF call 00621260 ; fetches the local machine code here
0062471E . 8BD0 mov edx, eax
00624720 . 8D4D 9C lea ecx, dword ptr [ebp-64]
00624723 . FFD6 call esi
00624725 . 50 push eax
00624726 . FF15 C4114000 call dword ptr [<&MSVBVM60.__vbaR8Str>] ; MSVBVM60.__vbaR8Str
0062472C . DC05 681E4000 fadd qword ptr [401E68]
00624732 . 83EC 08 sub esp, 8
00624735 . DFE0 fstsw ax
00624737 . A8 0D test al, 0D
00624739 . 0F85 D5180000 jnz 00626014
0062473F . DD1C24 fstp qword ptr [esp]
00624742 . FF15 38114000 call dword ptr [<&MSVBVM60.__vbaStrR8>] ; MSVBVM60.__vbaStrR8
00624748 . 8BD0 mov edx, eax
0062474A . 8D4D 98 lea ecx, dword ptr [ebp-68]
0062474D . FFD6 call esi
0062474F . 8D4D 98 lea ecx, dword ptr [ebp-68]
00624752 . 51 push ecx
00624753 . E8 48D8FFFF call 00621FA0 ; algorithm CALL: feeds the machine code obtained above into the computation; since I only want to crack it I will not trace the algorithm, those interested can work it out
00624758 . 8D55 80 lea edx, dword ptr [ebp-80] ; produces a long string
0062475B . 8D4D B0 lea ecx, dword ptr [ebp-50]
0062475E . 8945 88 mov dword ptr [ebp-78], eax
00624761 . C745 80 08000>mov dword ptr [ebp-80], 8
00624768 . FFD7 call edi
0062476A . 8D55 98 lea edx, dword ptr [ebp-68]
0062476D . 8D45 9C lea eax, dword ptr [ebp-64]
00624770 . 52 push edx
00624771 . 50 push eax
00624772 . 6A 02 push 2
00624774 . FF15 EC114000 call dword ptr [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
0062477A . 83C4 0C add esp, 0C
0062477D > 8B4D E8 mov ecx, dword ptr [ebp-18]
00624780 . B8 01000000 mov eax, 1
00624785 . 03C1 add eax, ecx
00624787 . 0F80 8C180000 jo 00626019
0062478D . 8945 E8 mov dword ptr [ebp-18], eax
00624790 .^ E9 44FCFFFF jmp 006243D9 ; jumps back to loop the algorithm
................... omitted here
Let us look at what the key algorithm CALL 00621FA0 does:
00621FA0 $ 55 push ebp
00621FA1 . 8BEC mov ebp, esp
00621FA3 . 83EC 08 sub esp, 8
00621FA6 . 68 66204000 push <jmp.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
00621FAB . 64:A1 0000000>mov eax, dword ptr fs:[0]
00621FB1 . 50 push eax
00621FB2 . 64:8925 00000>mov dword ptr fs:[0], esp
00621FB9 . 83EC 18 sub esp, 18
00621FBC . 53 push ebx
00621FBD . 56 push esi
00621FBE . 57 push edi
00621FBF . 8965 F8 mov dword ptr [ebp-8], esp
00621FC2 . C745 FC 101F4>mov dword ptr [ebp-4], 00401F10 ; \n
00621FC9 . 33F6 xor esi, esi
00621FCB . 8975 EC mov dword ptr [ebp-14], esi
00621FCE . 8975 E8 mov dword ptr [ebp-18], esi
00621FD1 . 8975 E4 mov dword ptr [ebp-1C], esi
00621FD4 . 8975 E0 mov dword ptr [ebp-20], esi
00621FD7 . 8975 DC mov dword ptr [ebp-24], esi
00621FDA . E8 81070000 call 00622760
00621FDF . 8B7D 08 mov edi, dword ptr [ebp+8]
00621FE2 . 57 push edi
00621FE3 . E8 88000000 call 00622070
00621FE8 . 8945 E4 mov dword ptr [ebp-1C], eax
00621FEB . 8D45 E4 lea eax, dword ptr [ebp-1C]
00621FEE . 8D4D DC lea ecx, dword ptr [ebp-24]
00621FF1 . 50 push eax
00621FF2 . 51 push ecx
00621FF3 . FF15 20104000 call dword ptr [<&MSVBVM60.__vbaAryMove>] ; MSVBVM60.__vbaAryMove
00621FF9 . 8B17 mov edx, dword ptr [edi]
00621FFB . 52 push edx ; /String
00621FFC . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaLenBstr>] ; \__vbaLenBstr
00622002 . 8945 E8 mov dword ptr [ebp-18], eax
00622005 . 8D45 DC lea eax, dword ptr [ebp-24]
00622008 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0062200B . 50 push eax
0062200C . 51 push ecx
0062200D . E8 CE090000 call 006229E0
00622012 . 8D55 DC lea edx, dword ptr [ebp-24]
00622015 . 52 push edx
00622016 . 56 push esi
00622017 . FF15 D4104000 call dword ptr [<&MSVBVM60.__vbaErase>] ; MSVBVM60.__vbaErase
0062201D . E8 EE070000 call 00622810
00622022 . E8 09020000 call 00622230 ; another algorithm CALL; since this is only a crack I do not go deeper, those interested can trace the algorithm
00622027 . 8BD0 mov edx, eax
00622029 . 8D4D EC lea ecx, dword ptr [ebp-14]
0062202C . FF15 44124000 call dword ptr [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00622032 . 68 5A206200 push 0062205A
00622037 . EB 0A jmp short 00622043
00622039 . 8D4D EC lea ecx, dword ptr [ebp-14]
0062203C . FF15 74124000 call dword ptr [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00622042 . C3 retn
00622043 > 8B3D 80104000 mov edi, dword ptr [<&MSVBVM60.__vbaAryDes>; MSVBVM60.__vbaAryDestruct
00622049 . 8D45 E0 lea eax, dword ptr [ebp-20]
0062204C . 33F6 xor esi, esi
0062204E . 50 push eax
0062204F . 56 push esi
00622050 . FFD7 call edi ; <&MSVBVM60.__vbaAryDestruct>
00622052 . 8D4D DC lea ecx, dword ptr [ebp-24]
00622055 . 51 push ecx
00622056 . 56 push esi
00622057 . FFD7 call edi
00622059 . C3 retn
..................
Continuing from the above:
00625D18 . 51 push ecx
00625D19 . 52 push edx
00625D1A . 6A 02 push 2
00625D1C . FFD3 call ebx
00625D1E . 8B45 D4 mov eax, dword ptr [ebp-2C] ; compares the computed correct registration code with the server's return value
00625D21 . 8B4D D0 mov ecx, dword ptr [ebp-30]
00625D24 . 83C4 18 add esp, 18
00625D27 . 50 push eax
00625D28 . 51 push ecx
00625D29 . FF15 08114000 call dword ptr [<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
00625D2F . 85C0 test eax, eax
00625D31 . B9 04000280 mov ecx, 80020004
00625D36 . B8 0A000000 mov eax, 0A
00625D3B . 898D 58FFFFFF mov dword ptr [ebp-A8], ecx
00625D41 . 8985 50FFFFFF mov dword ptr [ebp-B0], eax
00625D47 . 898D 68FFFFFF mov dword ptr [ebp-98], ecx
00625D4D . 8985 60FFFFFF mov dword ptr [ebp-A0], eax
00625D53 . 898D 78FFFFFF mov dword ptr [ebp-88], ecx
00625D59 . 8985 70FFFFFF mov dword ptr [ebp-90], eax
00625D5F 0F84 07010000 je 00625E6C ; key patch point: the JE can be changed or NOPed here
00625D65 . 8D95 00FFFFFF lea edx, dword ptr [ebp-100]
00625D6B . 8D4D 80 lea ecx, dword ptr [ebp-80]
00625D6E . C785 08FFFFFF>mov dword ptr [ebp-F8], 0045F8F8 ; if the comparison succeeds the string OK appears
00625D78 . C785 00FFFFFF>mov dword ptr [ebp-100], 8
00625D82 . FF15 18124000 call dword ptr [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00625D88 . 8D95 50FFFFFF lea edx, dword ptr [ebp-B0]
00625D8E . 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
00625D94 . 52 push edx
00625D95 . 8D8D 70FFFFFF lea ecx, dword ptr [ebp-90]
00625D9B . 50 push eax
00625D9C . 51 push ecx
00625D9D . 8D55 80 lea edx, dword ptr [ebp-80]
00625DA0 . 6A 40 push 40
00625DA2 . 52 push edx ; pops up the registration-success message
00625DA3 . FF15 9C104000 call dword ptr [<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
After the crack succeeds, the correct registration code is written to the file "ro.ini" in the install folder and the program shows a "registered" flag; deleting that file turns it back into the unregistered version.
--------------------------------------------------------------------------------
【Summary of experience】
This program is written in VB. There seem to be a lot of strings, but as long as you can read those API functions it is not too hard, even easier to follow than other languages.
While debugging, when you see in the stack
eax=00167DDC, (UNICODE "http://www.FairySoftware.com/register/fse/?rcode=78787878787878")
edx=00000062
you should immediately realize that this is network verification. If there is no network connection at registration time, a "failed to connect to the server" message pops up and registration is impossible; but once the server is reached, it returns a value. From this it seems that simply patching the comparison point of that return value is enough to defeat the network verification, without the hassle of converting it to local verification. Later, the return value is compared with the true-code string computed from the local machine code; once verification succeeds, the correct registration code and other registration flags are written to ro.ini, after which the original program can be used directly and no further network verification takes place.

One thing I still do not quite understand: after deleting the registration flag to make it the unregistered version again, re-using ro.ini registers successfully, but entering the registration code directly does not, so there seems to be some small trick in the server's return value; those interested are welcome to discuss it.

All in all, there is no need to trace this program's algorithm any further, because after patching those two key points a proper registration file is generated, and the program does no further network verification when used afterwards. So it is the "done once, licensed for life" kind; that is the flaw of this protection approach, and software authors should take care to avoid it in the future.
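As an added example (not from the original post or from the software's author), the Go program below shows the hardened form of the scheme analysed above: instead of a bare string that one __vbaStrCmp accepts and ro.ini then stores for good, the server returns a license bound to the machine ID and an expiry under an Ed25519 signature, and the client re-verifies the stored token with an embedded public key on every start. The token format, product name, machine IDs and clock are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// License is what a hardened server hands back instead of the bare string that
// the listing compares with one __vbaStrCmp: facts the client can check but not forge.
type License struct {
	Product   string
	MachineID string
	Expires   time.Time
}

// payload is the exact byte string that is signed. Fields are '|'-separated, so
// Product and MachineID must not contain '|' (constructed, illustrative format).
func (l License) payload() []byte {
	return []byte(l.Product + "|" + l.MachineID + "|" + l.Expires.UTC().Format(time.RFC3339))
}

// Issue runs on the server. Only the holder of the Ed25519 private key can make a
// token Verify accepts, so the stored file is no longer a self-declared "registered" flag.
func Issue(priv ed25519.PrivateKey, l License) string {
	sig := ed25519.Sign(priv, l.payload())
	return string(l.payload()) + "|" + base64.StdEncoding.EncodeToString(sig)
}

// Verify runs on the client at every start with the embedded public key and
// rejects a tampered token, one copied from another machine, and an expired one.
func Verify(pub ed25519.PublicKey, token, thisMachine string, now time.Time) (License, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 4 {
		return License{}, errors.New("malformed license token")
	}
	exp, err := time.Parse(time.RFC3339, parts[2])
	l := License{Product: parts[0], MachineID: parts[1], Expires: exp}
	sig, decErr := base64.StdEncoding.DecodeString(parts[3])
	if err != nil || decErr != nil || !ed25519.Verify(pub, l.payload(), sig) {
		return License{}, errors.New("signature check failed")
	}
	if l.MachineID != thisMachine {
		return License{}, errors.New("license bound to another machine")
	}
	if now.After(l.Expires) {
		return License{}, errors.New("license expired")
	}
	return l, nil
}

// RunScenarios exercises four constructed cases: the genuine token, the same token
// copied to a second machine, a token whose expiry year was edited in the file, and
// a token written with a key the server never issued.
func RunScenarios() (genuineOK, copiedOK, editedOK, forgedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2012, 2, 26, 10, 27, 37, 0, time.UTC) // constructed clock
	lic := License{Product: "fse", MachineID: "MACHINE-A", Expires: now.AddDate(1, 0, 0)}
	token := Issue(priv, lic)
	ok := func(tok, machine string) bool {
		_, err := Verify(pub, tok, machine, now)
		return err == nil
	}
	genuineOK = ok(token, "MACHINE-A")
	copiedOK = ok(token, "MACHINE-B")
	editedOK = ok(strings.Replace(token, "2013-", "2099-", 1), "MACHINE-A")
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedOK = ok(Issue(otherPriv, lic), "MACHINE-A")
	return
}

func main() {
	g, c, e, f := RunScenarios()
	fmt.Printf("genuine=%v copied=%v edited=%v forged=%v\n", g, c, e, f) // true false false false
}
```

A patched client can of course still skip Verify, just as the write-up skips a single JE, so the signature protects the stored file and the server exchange rather than the binary itself; it closes the "one accepted string becomes a lifetime license" part of the flaw, not client-side patching.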
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the Kanxue (看雪) forum. Please credit the author and keep the article intact when reposting, thank you!
26 February 2012, 10:27:37