几分欢乐,几分愁――初学者的破解心得(4篇,适于初学者)
对破解的兴趣还是最近的事情,由于未来可能的工作需要,故而开始关注信息安全方面的书,这才开始看加密和解密的书和看雪论坛,顿时着迷。以前翻过汇编语言的书,觉得很难,而且也觉得学了似乎没什么用处,现在终于知道了汇编的重要用途之一――可以破解之用。这可以激励我带着目标去学汇编,当然就有兴趣学好它了。^-^
在看了一些破解方法和技巧后。立即实践之,遂照着范例开始破解 leapftp2.7.4
1.软件:leapftp2.7.4(忘了在哪下载,应该比较容易找到)
方法:静态破解
工具:w32dasm10(捉刀汉化修正版)
先打开leapftp,点帮助菜单,进入enter registration data,随便输用户名和密码,提示“The license key you entered...”记下它。
现在用w32dasm软件进行反汇编,在参考菜单中打开串式数据参考,查找上述字符串,哈哈,你会发现里面有N个,不过别着急,它一般是按字母顺序排列的;或者干脆直接查找这个字符串!找到后双击之,就来到:
* Possible StringData Ref from Code Obj ->"The license key you entered is "
->"not valid. To ensure accuracy, "
->"you should copy+paste the serial "
->"number directly from your order "
->"confirmation e-mail. If you continue "
->"to have trouble, please contact: "
->"support@leapware.com."
|
:00487F5B B8C47F4800 mov eax, 00487FC4<----------------定位在这里!
:00487F60 E82B2DFDFF call 0045AC90
往上看是不是看到了那个字符串,哈哈,不难把!已经成功了一半了。再接着往上走,直到:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487EB8(C)
|
:00487EC8 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:00487ECE 50 push eax
:00487ECF 8D55F4 lea edx, dword ptr [ebp-0C]
:00487ED2 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:00487ED8 E83FBFFAFF call 00433E1C
:00487EDD 8B55F4 mov edx, dword ptr [ebp-0C]
:00487EE0 8B4DFC mov ecx, dword ptr [ebp-04]
:00487EE3 8BC3 mov eax, ebx
:00487EE5 E8BA010000 call 004880A4<-------------------关键call
:00487EEA 84C0 test al, al<---------------------测试是否相等
:00487EEC 7462 je 00487F50<---------------------相等,就跳死!跳哪了?
将je 00487F50改为jne 00487F50(jump not equal好记吧)
相应的机器代码为7562,75代表不相等或不为零就跳。若不明白可以查看汇编语言指令或看雪论坛。
追入关键call,
* Referenced by a CALL at Addresses:
|:00487EE5 , :00488A3F
|
:004880A4 55 push ebp<------------------------在这承接关键call
:004880A5 8BEC mov ebp, esp
:004880A7 83C4DC add esp, FFFFFFDC
:004880AA 53 push ebx
:004880AB 33DB xor ebx, ebx
:004880AD 895DDC mov dword ptr [ebp-24], ebx
:004880B0 895DE0 mov dword ptr [ebp-20], ebx
:004880B3 895DEC mov dword ptr [ebp-14], ebx
:004880B6 894DF8 mov dword ptr [ebp-08], ecx
:004880B9 8955FC mov dword ptr [ebp-04], edx
:004880BC 8B45FC mov eax, dword ptr [ebp-04]
:004880BF E864C0F7FF call 00404128
:004880C4 8B45F8 mov eax, dword ptr [ebp-08]
:004880C7 E85CC0F7FF call 00404128
:004880CC 8B4508 mov eax, dword ptr [ebp+08]
我们发现程序在两个地方调用了关键call一个在00487EE5;另一个在00488A3F。我们来到00488A3F处:
:00488A3F E860F6FFFF call 004880A4<-----------------------这是一个判断使用次数的函数
:00488A44 84C0 test al, al
:00488A46 7404 je 00488A4C<-------------------------相等,就跳死
动手将其改为jne,相应的机器码为75,大家可以试试,若不改这一跳,仅改前一跳,则只能注册成功一次,下此打开leapftp还是未注册,而且还会冒出提醒你使用期限的警告,将这一跳改掉后,可彻底解决问题!
----------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487EC6(C)
|
:00487EEE 8D55F0 lea edx, dword ptr [ebp-10]
:00487EF1 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00487EF7 E820BFFAFF call 00433E1C
:00487EFC 8B45F0 mov eax, dword ptr [ebp-10]
:00487EFF 50 push eax
:00487F00 8D55EC lea edx, dword ptr [ebp-14]
:00487F03 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:00487F09 E80EBFFAFF call 00433E1C
:00487F0E 8B4DEC mov ecx, dword ptr [ebp-14]
:00487F11 8B93EC020000 mov edx, dword ptr [ebx+000002EC]
:00487F17 8BC3 mov eax, ebx
:00487F19 E8AE040000 call 004883CC
* Possible StringData Ref from Code Obj ->"Thank You For Registering!"
|
:00487F1E B89C7F4800 mov eax, 00487F9C
:00487F23 E8602EFDFF call 0045AD88
:00487F28 C7833402000001000000 mov dword ptr [ebx+00000234], 00000001
:00487F32 8D55E8 lea edx, dword ptr [ebp-18]
:00487F35 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:00487F3B E8DCBEFAFF call 00433E1C
:00487F40 8B55E8 mov edx, dword ptr [ebp-18]
:00487F43 8D83E8020000 lea eax, dword ptr [ebx+000002E8]
:00487F49 E8FABDF7FF call 00403D48
:00487F4E EB15 jmp 00487F65
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487EEC(C)
|
:00487F50 6A00 push 00000000<-----------------------跳这了,往下看,是不是死了?
:00487F52 668B0DB87F4800 mov cx, word ptr [00487FB8]
:00487F59 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"The license key you entered is "
剩下的一步就是修改原始字节,可用W32dasm自带的功能,选中它并右键之,点击hexedit将74改为75即可,或者用utraedit修改也可,但是要注意在w32dasm的底端找到00487EEC、00488A46相应的的偏移地址000872ECh及00087E46h,然后查找相应的字节修改就是了,别忘了存盘。执行leapftp,随便输入用户名和密码就注册了。当然,也可以弄得好看点,用Codefs30的比较文件打个补丁,就可以在网上发布了。这是我第一次破解的软件,真是出奇地顺利,不到10分钟就搞定了,看来命运女神还是比较垂青我这个菜鸟的,引导我进一步走上破解的不归路,哈哈哈!
2.软件之二:CrackMe3来源于――
WWW.Crackmes.De
方法:静态破解
工具:w32dasm10(捉刀汉化修正版)
将crackme3与fi置同一目录,发现有壳,用的是Upx,故先用upx -d crackme3.exe脱壳,注意一定要加后缀名,是全名!否则不能脱壳,以前玩dos *.exe不用输后缀,但在这不行!另外,窃以为初学者适宜破解可以自动脱壳的软件,不适宜搞手动脱壳的软件,先易后难吗!对不对?
打开后见其已经给定了用户名和密码,按注册,当然会是错的啦,记下错误提示:“Wrong serial,try again”。对脱壳后的crackme3反汇编,结果如下:
* Possible StringData Ref from Code Obj ->"Registered User"<-----------------给定的用户名
|
:00440F2F BA14104400 mov edx, 00441014
:00440F34 E8F32BFCFF call 00403B2C<-----------------------------调用判断用户名的函数
:00440F39 7551 jne 00440F8C<------------------------------不相等就跳死!
将机器码75改为74,让它相等就跳!
:00440F3B 8D55FC lea edx, dword ptr [ebp-04]
:00440F3E 8B83C8020000 mov eax, dword ptr [ebx+000002C8]
:00440F44 E8D7FEFDFF call 00420E20
:00440F49 8B45FC mov eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"GFX-754-IER-954"<-----------------给定的密码,当然是错的啦!
|
:00440F4C BA2C104400 mov edx, 0044102C
:00440F51 E8D62BFCFF call 00403B2C<-------------------------判断密码的函数
:00440F56 751A jne 00440F72<--------------------------不相等就跳死!
同上,将机器码75改为74,让它相等就跳!
:00440F58 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"CrackMe cracked successfully"
|
:00440F5A B93C104400 mov ecx, 0044103C
* Possible StringData Ref from Code Obj ->"Congrats! You cracked this CrackMe!"
|
:00440F5F BA5C104400 mov edx, 0044105C
:00440F64 A1442C4400 mov eax, dword ptr [00442C44]
:00440F69 8B00 mov eax, dword ptr [eax]
:00440F6B E8F8C0FFFF call 0043D068
:00440F70 EB32 jmp 00440FA4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00440F56(C)
|
:00440F72 6A00 push 00000000<--------------------跳这里!死了吧?
|<-------------------还是跳这里!
* Possible StringData Ref from Code Obj ->"Beggar off!"<------------“乞丐走开“(什么,竟敢谩骂我们,扁你!)
|
:00440F74 B980104400 mov ecx, 00441080
* Possible StringData Ref from Code Obj ->"Wrong Serial,try again!"<--------双击错误字符串来到这!
记下两跳转的偏移地址00040339h和00040356h,用ultraedit编辑,修改后保存,再次打开crackme3,随便输,哈哈,成功!总的看来,这个破解练习比leapftp要容易,因为结构设计的比较简单,清晰!毕竟是做练习用的么!
3.软件:abexcm1,来源――
WWW.Crackmes.De
方法;静态破解
工具:w32dasm10
这是一个检查你的当前盘是不是cd-rom的练习,哈哈,学会了以后玩某些d版游戏,就可以把它变成硬盘版的了!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040101F(U)
|
:00401021 46 inc esi
:00401022 46 inc esi
:00401023 48 dec eax
:00401024 3BC6 cmp eax, esi<-----------------比较eax,esi的值
:00401026 7415 je 0040103D<------------------相等就跳
将74改为75,使其不相等也跳!
:00401028 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Error"
|
:0040102A 6835204000 push 00402035
* Possible StringData Ref from Data Obj ->"Nah... This is not a CD-ROM Drive!"
|
:0040102F 683B204000 push 0040203B
:00401034 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401036 E826000000 Call 00401061
:0040103B EB13 jmp 00401050
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401026(C)
|
:0040103D 6A00 push 00000000<----------------------跳这拉,看后面,是不是成功了!
* Possible StringData Ref from Data Obj ->"YEAH!"
|
:0040103F 685E204000 push 0040205E
* Possible StringData Ref from Data Obj ->"Ok, I really think that your HD "
->"is a CD-ROM! :p"
|
:00401044 6864204000 push 00402064
:00401049 6A00 push 00000000
4.软件abexcm5,来源于
WWW.Crackmes.De
方法:静态+动态破解
工具:w32asm10+trw2000
先用fi诊测无壳,遂即反汇编,截取关键代码如下:
* Reference To: KERNEL32.lstrcmpiA, Ord:0000h
|
:004010F7 E851000000 Call 0040114D<------------------调用判断密码的核心函数
:004010FC 83F800 cmp eax, 00000000<--------------比较是否相等
:004010FF 7416 je 00401117<--------------------相等就跳到正确的地方,跳哪了呢?
:00401101 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Error!"
|
:00401103 6834244000 push 00402434
* Possible StringData Ref from Data Obj ->"The serial you entered is not "
->"correct!"
|
:00401108 683B244000 push 0040243B
:0040110D FF7508 push [ebp+08]
-------------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010FF(C)
|
:00401117 6A00 push 00000000<------------------跳到这了!
* Possible StringData Ref from Data Obj ->"Well Done!"
|
:00401119 6806244000 push 00402406
* Possible StringData Ref from Data Obj ->"Yep, you entered a correct serial!"
|
:0040111E 6811244000 push 00402411
:00401123 FF7508 push [ebp+08]
所以,将这一行:004010FF 7416 je 00401117的74改为75,让它输入错误密码也跳到正确的地方即可!
下面再用trw2000找出它的真实密码:
根据静态分析,关键call在004010F7,为保险期间在其前面下断点,如004010D4处。这样:
打开trw2000,再将被破解程序打开,随便输入123456789;
按ctrl-m呼出trw2000;
输入bpx 004010D4
g
回车,回到程序窗口,按确定;
显示 break on bp1,说明拦截成功!如下:
0187:004010CF 68FD234000 PUSH DWORD 004023FD<---------------L2c-5781 well done,yep(似曾相识对吧,因为在静态分析时,可以看见)
0187:004010D4 6800204000 PUSH DWORD 00402000<---------------先是0,f10后变为L2c-5781
0187:004010D9 E863000000 CALL `KERNEL32!lstrcatA`<----------调用函数
0187:004010DE 685C224000 PUSH DWORD 0040225C<---------------dcemup4562-abex
0187:004010E3 6800204000 PUSH DWORD 00402000<---------------L2c-5781dcemup4562-abex
0187:004010E8 E854000000 CALL `KERNEL32!lstrcatA`<----------调用密码比较核心函数
0187:004010ED 6824234000 PUSH DWORD 00402324<---------------123456789自己输入的
0187:004010F2 6800204000 PUSH DWORD 00402000<---------------L2c-5781dcemup4562-abex
0187:004010F7 E851000000 CALL `KERNEL32!lstrcmpiA`<---------执行完这后,出错提示!
0187:004010FC 83F800 CMP EAX,BYTE +00
0187:004010FF 7416 JZ 00401117
0187:00401101 6A00 PUSH BYTE +00
0187:00401103 6834244000 PUSH DWORD 00402434
0187:00401108 683B244000 PUSH DWORD 0040243B
0187:0040110D FF7508 PUSH DWORD [EBP+08]
现在一步一步按f10,用d 逐一查看内存信息,可看见内容,(窗口的右上方prot32下,当然可能是乱码,若能看见数字,就要小心是否是自己输的或是密码了,新手切记!!!)见注释。
从上述分析可看出正确的序列号就是L2c-5781dcemup4562-abex。简单吧!
事实上,作为新手,笔者认为,还是先进行静态分析,嗅出些关键线索来,然后再进行动态分析,这样可能好些,这就好比警察抓小偷,先有张地图,估计下嫌疑犯可能藏在哪,然后再去追击,是不是容易些,有道理吗?请老鸟们及pedi指正!
总结一下,笔者认为学习计算机从破解开始是个很好的方法,因为能够激发一个人的兴趣,以目的为导向的学习,即"干中学","学中干"可使人快速进入状态,然后由浅入深、由易到难,为了能破解必须学习更多的知识(包括e文),然后再挑战更难的软件,哈哈!良性互动。另一方面,即使是凭者兴趣和实用学习破解,最终也得逼迫人去学更多的计算机知识,实在是殊途同归呀!
具体到这一两周的破解心得来说,对于新手刚开始可以按照范例来破解,领会破解的思想,不一定找很难的软件,一定要不断地尝试,最后一般可以迅速入门。但是要成为高手,那就得继续学习和实践了!
以上是我的浅见,欢迎菜鸟们、老鸟们及大虾们批评指正,最后感谢 pedi的鼓励!
***还有个问题想请教,我在动态分析leapftp时,化了好几天时间,而且也找到了些线索,看见了我输的用户名和密码,发现了一个奇怪数字214065,可一输还是错误,换了几个用户名和密码,发现还是有这个数字,值不变,但显然不是正确的序列码,请高手指点,谢谢!
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
