[原创]《图章制作系统 V3.63》注册验证破解分析[算法篇]
【破文标题】:《图章制作系统 V3.63》注册验证破解分析[算法篇]
【破文作者】: KuNgBiM[DFCG]
【作者邮箱】: [email]gb_1227@163.com[/email]
【软件名称】: 图章制作系统 V3.63
【软件大小】: 724 KB
【软件类别】: 国产软件/共享软件/设计制作
【整理时间】: 2005-07-29
【下载地址】: http://www.downreg.com/Software/View-Software-4587.html
【软件简介】: 制作公章、手章,输出为gif图形,支持图片透明。支持圆形、椭圆、方形、矩形多种外观,多个参数可调,支持自定义文字大小,支持格式保存。
【保护方式】: 注册码 + 试用功能限制
【加密保护】: ASPack 2.12 + 脱壳自校验 + 程序自杀代码(调用系统autoexec.bat命令删除校验失败的程序) + Anti-Loader(反加载)
【编译语言】: Borland Delphi 6.0 - 7.0
【调试环境】: WinXP、PEiD、Ollydbg、LordPE、ImportREC
【破解日期】:
【破解目的】: 推广使用ESP定律脱壳,去除自校验,以及研究算法分析
【作者声明】: 初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
【破解过程】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
试炼信息:
用户id:05809b6d5f477dc666db808b52e86086
注册id:98765432109876543210987654321098
―――――――――――――――――――――――――――――――――
●上篇我们脱壳去校验的主程序我重新命名为“脱壳去校验_MakeSign.exe”,便于区分●
OD 载入脱壳去校验的主程序后,使用“Ultra String Reference”插件的“Find ASCII”功能项查找“注册失败!注册码错误”:
0057E6BC 55
push ebp ; 来到此处F2下断,F9运行,填入试炼信息
0057E6BD 68 B0E75700
push 脱壳去校.0057E7B0
0057E6C2 64:FF30
push dword ptr fs:[
eax]
0057E6C5 64:8920
mov dword ptr fs:[
eax],
esp
0057E6C8 8D55 F8
lea edx,
dword ptr ss:[
ebp-8]
0057E6CB 8BB3 00030000
mov esi,
dword ptr ds:[
ebx+300]
0057E6D1 8BC6
mov eax,
esi
0057E6D3 E8 08FBECFF
call 脱壳去校.0044E1E0 ; 取“注册id”,长度送EAX
0057E6D8 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
;“注册id”送EAX,eax=00000020
0057E6DB 8D55 FC
lea edx,
dword ptr ss:[
ebp-4]
0057E6DE E8 19A8E8FF
call 脱壳去校.00408EFC ; 检测“注册id”是否合法
0057E6E3 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
;“注册id”送EDX,ASCII "98765432109876543210987654321098"
0057E6E6 8BC6
mov eax,
esi
0057E6E8 E8 23FBECFF
call 脱壳去校.0044E210
0057E6ED 8D55 F4
lea edx,
dword ptr ss:[
ebp-C]
0057E6F0 8B83 00030000
mov eax,
dword ptr ds:[
ebx+300]
0057E6F6 E8 E5FAECFF
call 脱壳去校.0044E1E0
0057E6FB 837D F4 00
cmp dword ptr ss:[
ebp-C],0
; 注册码是否为空
0057E6FF 0F84 88000000
je 脱壳去校.0057E78D ; 为空则跳死!
0057E705 B9 C8E75700
mov ecx,
脱壳去校.0057E7C8 ; 否则"HsjSoft.ini"送ECX,ASCII "HsjSoft.ini"
0057E70A B2 01
mov dl,1
; DL置1
0057E70C A1 04084700
mov eax,
dword ptr ds:[470804]
0057E711 E8 9E21EFFF
call 脱壳去校.004708B4
0057E716 8BF0
mov esi,
eax
0057E718 8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
0057E71B 8B83 00030000
mov eax,
dword ptr ds:[
ebx+300]
0057E721 E8 BAFAECFF
call 脱壳去校.0044E1E0
0057E726 8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
;“注册id”送EAX
0057E729 50
push eax ;“注册id”压栈,ASCII "98765432109876543210987654321098"
0057E72A B9 DCE75700
mov ecx,
脱壳去校.0057E7DC ; "reg_code"送ECX,ASCII "reg_code"
0057E72F 8B93 10030000
mov edx,
dword ptr ds:[
ebx+310]
0057E735 8BC6
mov eax,
esi
0057E737 8B38
mov edi,
dword ptr ds:[
eax]
0057E739 FF57 04
call dword ptr ds:[
edi+4]
0057E73C 8BC6
mov eax,
esi
0057E73E E8 0951E8FF
call 脱壳去校.0040384C
0057E743 8B83 10030000
mov eax,
dword ptr ds:[
ebx+310]
0057E749 E8 F60D0000
call 脱壳去校.0057F544 ; ★验证关键CALL,跟进!★
0057E74E 84C0
test al,
al ; AL是否为0,(如果刚才比较条件为真则AL为1)
0057E750 75 1B
jnz short
脱壳去校.0057E76D ; 关键跳转!注册码比较后若正确则跳向"注册成功" 0057E76D 处
0057E752 6A 00
push 0
0057E754 68 E8E75700
push 脱壳去校.0057E7E8
0057E759 68 F0E75700
push 脱壳去校.0057E7F0 ; "注册失败!\n注册码错误" <-- 双击来到这里
0057E75E 8BC3
mov eax,
ebx
0057E760 E8 BF62EDFF
call 脱壳去校.00454A24
0057E765 50
push eax
0057E766 E8 D990E8FF
call 脱壳去校.00407844 ; jmp to user32.MessageBoxA <-- 注册失败提示框!
0057E76B EB 20
jmp short
脱壳去校.0057E78D
0057E76D 6A 00
push 0
0057E76F 68 08E85700
push 脱壳去校.0057E808
0057E774 68 10E85700
push 脱壳去校.0057E810 ; "注册成功!"
0057E779 8BC3
mov eax,
ebx
0057E77B E8 A462EDFF
call 脱壳去校.00454A24
0057E780 50
push eax
0057E781 E8 BE90E8FF
call 脱壳去校.00407844 ; jmp to user32.MessageBoxA <-- 注册成功提示框!
0057E786 8BC3
mov eax,
ebx
0057E788 E8 3FD3EEFF
call 脱壳去校.0046BACC
0057E78D 33C0
xor eax,
eax
0057E78F 5A
pop edx
0057E790 59
pop ecx
0057E791 59
pop ecx
0057E792 64:8910
mov dword ptr fs:[
eax],
edx
0057E795 68 B7E75700
push 脱壳去校.0057E7B7
0057E79A 8D45 F0
lea eax,
dword ptr ss:[
ebp-10]
0057E79D BA 03000000
mov edx,3
0057E7A2 E8 B95EE8FF
call 脱壳去校.00404660
0057E7A7 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
0057E7AA E8 8D5EE8FF
call 脱壳去校.0040463C
0057E7AF C3
retn ; 返回程序
=================
跟进:0057E749 E8 F60D0000 call 脱壳去校.0057F544 =================
0057F544 55
push ebp
0057F545 8BEC
mov ebp,
esp
0057F547 33C9
xor ecx,
ecx
0057F549 51
push ecx
0057F54A 51
push ecx
0057F54B 51
push ecx
0057F54C 51
push ecx
0057F54D 51
push ecx
0057F54E 53
push ebx
0057F54F 56
push esi
0057F550 8945 FC
mov dword ptr ss:[
ebp-4],
eax ; 取固定字符串, (ASCII "HsjMakeSign")
0057F553 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
0057F556 E8 9155E8FF
call 脱壳去校.00404AEC
0057F55B 33C0
xor eax,
eax
0057F55D 55
push ebp
0057F55E 68 F8F55700
push 脱壳去校.0057F5F8
0057F563 64:FF30
push dword ptr fs:[
eax]
0057F566 64:8920
mov dword ptr fs:[
eax],
esp
0057F569 E8 7AF6FFFF
call 脱壳去校.0057EBE8
0057F56E 84C0
test al,
al ; al=00
0057F570 74 0E
je short
脱壳去校.0057F580
0057F572 A1 A48B5900
mov eax,
dword ptr ds:[598BA4]
0057F577 8B00
mov eax,
dword ptr ds:[
eax]
0057F579 E8 76FDEEFF
call 脱壳去校.0046F2F4
0057F57E EB 5D
jmp short
脱壳去校.0057F5DD
0057F580 8D55 F4
lea edx,
dword ptr ss:[
ebp-C]
; edx=2
0057F583 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
; 固定字符串送EAX
0057F586 E8 C1FDFFFF
call 脱壳去校.0057F34C
0057F58B 8D55 F8
lea edx,
dword ptr ss:[
ebp-8]
0057F58E 8B45 F4
mov eax,
dword ptr ss:[
ebp-C]
; “用户id”送EAX,ASCII "05809b6d5f477dc666db808b52e86086"
0057F591 E8 BEFEFFFF
call 脱壳去校.0057F454 ; ★验证关键CALL,跟进!★
0057F596 B9 10F65700
mov ecx,
脱壳去校.0057F610 ; 返回信息到"HsjSoft.ini"送ECX,ASCII "HsjSoft.ini"
0057F59B B2 01
mov dl,1
; DL置1
0057F59D A1 04084700
mov eax,
dword ptr ds:[470804]
0057F5A2 E8 0D13EFFF
call 脱壳去校.004708B4
0057F5A7 8BD8
mov ebx,
eax
0057F5A9 6A 00
push 0
0057F5AB 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
0057F5AE 50
push eax
0057F5AF B9 24F65700
mov ecx,
脱壳去校.0057F624 ; ASCII "reg_code"
0057F5B4 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
0057F5B7 8BC3
mov eax,
ebx
0057F5B9 8B30
mov esi,
dword ptr ds:[
eax]
0057F5BB FF16
call dword ptr ds:[
esi]
0057F5BD 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
; 假码送EAX,ASCII "98765432109876543210987654321098"
0057F5C0 8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
0057F5C3 E8 3499E8FF
call 脱壳去校.00408EFC
0057F5C8 8BC3
mov eax,
ebx
0057F5CA E8 7D42E8FF
call 脱壳去校.0040384C
0057F5CF 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
; 真码送EAX,ASCII "2115997e981b8713f3b6f7124b631a14"
0057F5D2 8B55 F0
mov edx,
dword ptr ss:[
ebp-10]
; 假码送EDX,ASCII "98765432109876543210987654321098"
0057F5D5 E8 6E54E8FF
call 脱壳去校.00404A48 ; 假码和真码比较 ★验证爆破点★
0057F5DA 0F94C3
sete bl ; 置BL值,条件为假 FALSE
0057F5DD 33C0
xor eax,
eax ; EAX清零
0057F5DF 5A
pop edx
0057F5E0 59
pop ecx
0057F5E1 59
pop ecx
0057F5E2 64:8910
mov dword ptr fs:[
eax],
edx
0057F5E5 68 FFF55700
push 脱壳去校.0057F5FF
0057F5EA 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
0057F5ED BA 05000000
mov edx,5
0057F5F2 E8 6950E8FF
call 脱壳去校.00404660
0057F5F7 C3
retn
0057F5F8 ^\E9 E349E8FF
jmp 脱壳去校.00403FE0
0057F5FD ^ EB EB
jmp short
脱壳去校.0057F5EA
0057F5FF 8BC3
mov eax,
ebx
0057F601 5E
pop esi
0057F602 5B
pop ebx
0057F603 8BE5
mov esp,
ebp
0057F605 5D
pop ebp
0057F606 C3
retn ; 返回程序
=================
跟进:0057F591 E8 BEFEFFFF call 脱壳去校.0057F454 =================
0057F454 55
push ebp
0057F455 8BEC
mov ebp,
esp
0057F457 83C4 DC
add esp,-24
0057F45A 53
push ebx
0057F45B 56
push esi
0057F45C 33C9
xor ecx,
ecx
0057F45E 894D DC
mov dword ptr ss:[
ebp-24],
ecx
0057F461 894D E0
mov dword ptr ss:[
ebp-20],
ecx
0057F464 894D F8
mov dword ptr ss:[
ebp-8],
ecx
0057F467 894D F4
mov dword ptr ss:[
ebp-C],
ecx
0057F46A 8BF2
mov esi,
edx
0057F46C 8945 FC
mov dword ptr ss:[
ebp-4],
eax ; 读取保存在EAX中的“用户id”
0057F46F 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
; “用户id”送EAX,ASCII "05809b6d5f477dc666db808b52e86086"
0057F472 E8 7556E8FF
call 脱壳去校.00404AEC
0057F477 33C0
xor eax,
eax
0057F479 55
push ebp
0057F47A 68 1AF55700
push 脱壳去校.0057F51A
0057F47F 64:FF30
push dword ptr fs:[
eax]
0057F482 64:8920
mov dword ptr fs:[
eax],
esp
0057F485 8BC6
mov eax,
esi
0057F487 E8 B051E8FF
call 脱壳去校.0040463C
0057F48C 8D45 E0
lea eax,
dword ptr ss:[
ebp-20]
0057F48F 8B4D FC
mov ecx,
dword ptr ss:[
ebp-4]
; “用户id”送ECX,ASCII "05809b6d5f477dc666db808b52e86086"
0057F492 BA 30F55700
mov edx,
脱壳去校.0057F530
0057F497 E8 B454E8FF
call 脱壳去校.00404950
0057F49C 8B45 E0
mov eax,
dword ptr ss:[
ebp-20]
; “用户id”位数送EAX,eax=00000020
0057F49F 8D55 E4
lea edx,
dword ptr ss:[
ebp-1C]
0057F4A2 E8 71EEFFFF
call 脱壳去校.0057E318
0057F4A7 8D45 E4
lea eax,
dword ptr ss:[
ebp-1C]
0057F4AA 8D55 F8
lea edx,
dword ptr ss:[
ebp-8]
0057F4AD E8 DAEEFFFF
call 脱壳去校.0057E38C ; ★计算关键CALL,跟进!★
0057F4B2 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
; 运算值返回到这里
0057F4B5 E8 8251E8FF
call 脱壳去校.0040463C
0057F4BA 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
; 运算值送EAX,ASCII "41a136b4217f6b3f3178b189e7995112"
0057F4BD E8 4254E8FF
call 脱壳去校.00404904 ; 检测运算值是否为空,不是则取运算值长度并送EAX
0057F4C2 8BD8
mov ebx,
eax ; EAX送EBX
0057F4C4 83FB 01
cmp ebx,1
; EBX和1比较,ebx=00000020
0057F4C7 7C 1F
jl short
脱壳去校.0057F4E8 ; 若值小于1则直接跳死
0057F4C9 8D45 DC
lea eax,
dword ptr ss:[
ebp-24]
; 否则,进行下一步计算 ★ 循环开始 ★
0057F4CC 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
; 运算值送EDX,ASCII "41a136b4217f6b3f3178b189e7995112"
0057F4CF 8A541A FF
mov dl,
byte ptr ds:[
edx+
ebx-1]
; [edx+ebx-1]送DL,字符串倒序运算
0057F4D3 E8 4453E8FF
call 脱壳去校.0040481C
0057F4D8 8B55 DC
mov edx,
dword ptr ss:[
ebp-24]
0057F4DB 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0057F4DE E8 2954E8FF
call 脱壳去校.0040490C
0057F4E3 4B
dec ebx ; EBX自减1,指向下一位,确保计算正常
0057F4E4 85DB
test ebx,
ebx ; 检测EBX自减1后是否为0
0057F4E6 ^ 75 E1
jnz short
脱壳去校.0057F4C9 ; 不为0就继续
0057F4E8 8BC6
mov eax,
esi
0057F4EA 8B55 F4
mov edx,
dword ptr ss:[
ebp-C]
; 运算完毕,真码出现,ASCII "2115997e981b8713f3b6f7124b631a14"
0057F4ED E8 9E51E8FF
call 脱壳去校.00404690
0057F4F2 33C0
xor eax,
eax
0057F4F4 5A
pop edx
0057F4F5 59
pop ecx
0057F4F6 59
pop ecx
0057F4F7 64:8910
mov dword ptr fs:[
eax],
edx
0057F4FA 68 21F55700
push 脱壳去校.0057F521
0057F4FF 8D45 DC
lea eax,
dword ptr ss:[
ebp-24]
0057F502 BA 02000000
mov edx,2
0057F507 E8 5451E8FF
call 脱壳去校.00404660
0057F50C 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
0057F50F BA 03000000
mov edx,3
0057F514 E8 4751E8FF
call 脱壳去校.00404660
0057F519 C3
retn
0057F51A ^\E9 C14AE8FF
jmp 脱壳去校.00403FE0
0057F51F ^ EB DE
jmp short
脱壳去校.0057F4FF
0057F521 5E
pop esi
0057F522 5B
pop ebx
0057F523 8BE5
mov esp,
ebp
0057F525 5D
pop ebp ; 返回验证程序
0057F526 C3
retn
=================
跟进:0057F4AD E8 DAEEFFFF call 脱壳去校.0057E38C =================
0057E38C 55
push ebp
0057E38D 8BEC
mov ebp,
esp
0057E38F 83C4 E8
add esp,-18
0057E392 53
push ebx
0057E393 56
push esi
0057E394 57
push edi
0057E395 33C9
xor ecx,
ecx
0057E397 894D EC
mov dword ptr ss:[
ebp-14],
ecx
0057E39A 894D E8
mov dword ptr ss:[
ebp-18],
ecx
0057E39D 8BF0
mov esi,
eax
0057E39F 8D7D F0
lea edi,
dword ptr ss:[
ebp-10]
0057E3A2 A5
movs dword ptr es:[
edi],
dword ptr ds:[
esi]
; ds:[esi]=stack [0012F80C]=B436A141
0057E3A3 A5
movs dword ptr es:[
edi],
dword ptr ds:[
esi]
; ds:[esi]=stack [0012F810]=3F6B7F21
0057E3A4 A5
movs dword ptr es:[
edi],
dword ptr ds:[
esi]
; ds:[esi]=stack [0012F814]=89B17831
0057E3A5 A5
movs dword ptr es:[
edi],
dword ptr ds:[
esi]
; ds:[esi]=stack [0012F818]=125199E7
0057E3A6 8BFA
mov edi,
edx
0057E3A8 33C0
xor eax,
eax
0057E3AA 55
push ebp
0057E3AB 68 27E45700
push 脱壳去校.0057E427
0057E3B0 64:FF30
push dword ptr fs:[
eax]
0057E3B3 64:8920
mov dword ptr fs:[
eax],
esp
0057E3B6 8BC7
mov eax,
edi
0057E3B8 E8 7F62E8FF
call 脱壳去校.0040463C
0057E3BD B3 10
mov bl,10
0057E3BF 8D75 F0
lea esi,
dword ptr ss:[
ebp-10]
0057E3C2 FF37
push dword ptr ds:[
edi]
; ★★★ 循环开始 ★★★
0057E3C4 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
0057E3C7 33D2
xor edx,
edx ; 异或清零,edx=00000000
0057E3C9 8A16
mov dl,
byte ptr ds:[
esi]
; [esi]送DL
0057E3CB C1EA 04
shr edx,4
; EDX右移4位
0057E3CE 83E2 0F
and edx,0F
; 和0F与
0057E3D1 8A92 C8875900
mov dl,
byte ptr ds:[
edx+5987C8]
; [edx+5987C8]送DL
0057E3D7 E8 4064E8FF
call 脱壳去校.0040481C
0057E3DC FF75 EC
push dword ptr ss:[
ebp-14]
0057E3DF 8D45 E8
lea eax,
dword ptr ss:[
ebp-18]
0057E3E2 8A16
mov dl,
byte ptr ds:[
esi]
; [esi]送DL
0057E3E4 80E2 0F
and dl,0F
; DL和0F与
0057E3E7 81E2 FF000000
and edx,0FF
; EDX和0FF与
0057E3ED 8A92 C8875900
mov dl,
byte ptr ds:[
edx+5987C8]
; [edx+5987C8]送DL
0057E3F3 E8 2464E8FF
call 脱壳去校.0040481C
0057E3F8 FF75 E8
push dword ptr ss:[
ebp-18]
0057E3FB 8BC7
mov eax,
edi ; EDI送EAX
0057E3FD BA 03000000
mov edx,3
0057E402 E8 BD65E8FF
call 脱壳去校.004049C4
0057E407 46
inc esi ; ESI自加1指向下一位
0057E408 FECB
dec bl ; BL自减1,确保计算正常
0057E40A ^ 75 B6
jnz short
脱壳去校.0057E3C2 ; BL不为0则继续,循环完后得字符串
0057E40C 33C0
xor eax,
eax
0057E40E 5A
pop edx
0057E40F 59
pop ecx
0057E410 59
pop ecx
0057E411 64:8910
mov dword ptr fs:[
eax],
edx
0057E414 68 2EE45700
push 脱壳去校.0057E42E
0057E419 8D45 E8
lea eax,
dword ptr ss:[
ebp-18]
0057E41C BA 02000000
mov edx,2
0057E421 E8 3A62E8FF
call 脱壳去校.00404660
0057E426 C3
retn
0057E42E 5F
pop edi
0057E42F 5E
pop esi
0057E430 5B
pop ebx
0057E431 8BE5
mov esp,
ebp
0057E433 5D
pop ebp
0057E434 C3
retn ; 返回运算值"41a136b4217f6b3f3178b189e7995112"
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
“用户id”通过变形MD5算法运算得到一字符串,再将此字符串倒序作为注册码
注意:由于该软件使用了“Anti-Loader(反加载)”技术,所以,想做内存注册机的话,那是不可能的了,它同样会调用系统autoexec.bat命令删除被加载的程序。
============================================================================================
【注册信息】
用户id:05809b6d5f477dc666db808b52e86086
注册id:2115997e981b8713f3b6f7124b631a14
【注册信息保存位置】
x:\WINDOWS\HsjSoft.ini
(“x”为系统盘)删除后又可以玩一次!
HsjSoft.ini
内容:
[HsjMakeSign]
reg_code=2115997e981b8713f3b6f7124b631a14
【完美验证爆破点】
0057F5D5 E8 6E54E8FF
call 脱壳去校.00404A48 // nop掉
改为:
0057F5D5 90
nop
0057F5D6 90
nop
0057F5D7 90
nop
0057F5D8 90
nop
0057F5D9 90
nop
--------------------------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------------------------
UnPacked & Cracked By KuNgBiM[DFCG]
2005-08-02
12:15:18 PM