大家好,我是学习破解的菜鸟,一直以来,我都是有空上论坛看各位大虾的帖子,比较懒,一般不回帖:),这两天看了 关于valen发的“外挂
制作集成学习环境2005“的壳子问题。刚好我想了解点外挂知识,就下载了这个软件。
按照“外挂制作集成学习环境2005“的壳子问题帖子上介绍进行了脱壳
以下这些内容出自djpvd大虾。
///////////////////////////////////////////////////
以OD载入
0062D240 61 popad 改为 60 pushad
0062D3A2 60 pushad 改为 61 popad
复制到可执行文件 保存
用UPX-Ripper 可以完美脱壳
////////////////////////////////////////////////////////////
脱壳完用peid查了1下,发现是用delphi编写的,呵呵,下载了dede进行分析,我是在看雪主页下载的dark 3.50.04版本,很容易在uRegSoft窗
体中的procedure中发现btnRegClick这个过程,打开分析1下,代码如下:
0050FE44 55 push ebp
0050FE45 8BEC mov ebp, esp
0050FE47 6A00 push $00
0050FE49 6A00 push $00
0050FE4B 6A00 push $00
0050FE4D 53 push ebx
0050FE4E 8BD8 mov ebx, eax
0050FE50 33C0 xor eax, eax
0050FE52 55 push ebp
0050FE53 682EFF5000 push $0050FF2E
***** TRY
|
0050FE58 64FF30 push dword ptr fs:[eax]
0050FE5B 648920 mov fs:[eax], esp
0050FE5E 8D55F8 lea edx, [ebp-$08]
* Reference to control edtCode : N.A.
|
0050FE61 8B830C030000 mov eax, [ebx+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption; //取得输入用的注册码
|
0050FE67 E80C61F4FF call 00455F78
0050FE6C 8B45F8 mov eax, [ebp-$08]
0050FE6F 50 push eax
0050FE70 8D55F4 lea edx, [ebp-$0C]
* Reference to control edtDDHName : N.A.
|
0050FE73 8B8308030000 mov eax, [ebx+$0308]
* Reference to: Controls.TControl.GetText(TControl):TCaption; //取得加密字符串 天下无挂无挂天下
|
0050FE79 E8FA60F4FF call 00455F78
0050FE7E 8B55F4 mov edx, [ebp-$0C]
* Reference to control RegwareII : N.A.
|
0050FE81 8B8318030000 mov eax, [ebx+$0318]
0050FE87 59 pop ecx
|
0050FE88 E8CF4BFFFF call 00504A5C //关键点,如果al返回1表示注册成功,
0050FE8D 84C0 test al, al //从后面的字符串可以看出
0050FE8F 752C jnz 0050FEBD
0050FE91 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '输入注册码不正确,请检查'
|
0050FE94 BA44FF5000 mov edx, $0050FF44
* Reference to: System.@LStrLAsg(void;void;void;void);
|
0050FE99 E81E45EFFF call 004043BC
0050FE9E 6A40 push $40
0050FEA0 8B45FC mov eax, [ebp-$04]
* Reference to: System.@LStrToPChar(String):PAnsiChar;
|
0050FEA3 E83C49EFFF call 004047E4
0050FEA8 8BD0 mov edx, eax
* Possible String Reference to: '输入错误'
|
0050FEAA B960FF5000 mov ecx, $0050FF60
0050FEAF A15C925100 mov eax, dword ptr [$0051925C]
0050FEB4 8B00 mov eax, [eax]
* Reference to: Forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
|
0050FEB6 E8D15EF6FF call 00475D8C
0050FEBB EB4E jmp 0050FF0B
* Possible String Reference to: '注册成功!注册信息为:注册码:'
|
0050FEBD 6874FF5000 push $0050FF74
* Reference to control RegwareII : N.A.
|
0050FEC2 8B8318030000 mov eax, [ebx+$0318]
0050FEC8 FF7058 push dword ptr [eax+$58]
0050FECB 68A0FF5000 push $0050FFA0
///////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
//以下跟进call 00504A5C
00504A5C 55 push ebp
00504A5D 8BEC mov ebp, esp
00504A5F 83C4F0 add esp, -$10
00504A62 53 push ebx
00504A63 33DB xor ebx, ebx
00504A65 895DF0 mov [ebp-$10], ebx
00504A68 895DF4 mov [ebp-$0C], ebx
00504A6B 894DF8 mov [ebp-$08], ecx
00504A6E 8955FC mov [ebp-$04], edx
00504A71 8BD8 mov ebx, eax
00504A73 8B45FC mov eax, [ebp-$04]
* Reference to: System.@LStrAddRef(void;void):Pointer;
|
00504A76 E859FDEFFF call 004047D4
00504A7B 8B45F8 mov eax, [ebp-$08]
* Reference to: System.@LStrAddRef(void;void):Pointer;
|
00504A7E E851FDEFFF call 004047D4
00504A83 33C0 xor eax, eax
00504A85 55 push ebp
00504A86 682B4B5000 push $00504B2B
***** TRY
|
00504A8B 64FF30 push dword ptr fs:[eax]
00504A8E 648920 mov fs:[eax], esp
00504A91 8B45FC mov eax, [ebp-$04]
* Reference to: System.@LStrLen(String):Integer; //计算字符串长度
|
00504A94 E84BFBEFFF call 004045E4
00504A99 3B434C cmp eax, [ebx+$4C]
00504A9C 7F19 jnle 00504AB7
00504A9E 8B45FC mov eax, [ebp-$04]
* Reference to: System.@LStrLen(String):Integer; //计算字符串长度
| or: System.@DynArrayLength;
|
00504AA1 E83EFBEFFF call 004045E4
00504AA6 3B4350 cmp eax, [ebx+$50]
00504AA9 7C0C jl 00504AB7
00504AAB 8B45F8 mov eax, [ebp-$08]
* Reference to: System.@LStrLen(String):Integer;
| or: System.@DynArrayLength;
| or: System.DynArraySize(Pointer):Integer;
| or: Variants.DynArraySize(Pointer):Integer;
|
00504AAE E831FBEFFF call 004045E4
00504AB3 85C0 test eax, eax
00504AB5 7504 jnz 00504ABB
00504AB7 33DB xor ebx, ebx
00504AB9 EB55 jmp 00504B10
00504ABB 8D55F4 lea edx, [ebp-$0C]
00504ABE 8B45F8 mov eax, [ebp-$08]
* Reference to: SysUtils.UpperCase(AnsiString):AnsiString; //把输入的注册码转化成大写
|
00504AC1 E8723EF0FF call 00408938
00504AC6 8B55F4 mov edx, [ebp-$0C]
00504AC9 8D45F8 lea eax, [ebp-$08]
* Reference to: System.@LStrLAsg(void;void;void;void);
|
00504ACC E8EBF8EFFF call 004043BC
00504AD1 8D4DF0 lea ecx, [ebp-$10]
00504AD4 8B55FC mov edx, [ebp-$04]
00504AD7 8BC3 mov eax, ebx
* Reference to : TRegwareII._PROC_00504634() //关键点,根据机器码和加密字符串计算注册码
| //这个是猜测,没有跟进
00504AD9 E856FBFFFF call 00504634
00504ADE 8B45F0 mov eax, [ebp-$10]
00504AE1 8B55F8 mov edx, [ebp-$08]
* Reference to: SysUtils.CompareStr(AnsiString;AnsiString):Integer; //如果计算注册码和输入相等,则注册成功
|
00504AE4 E8C73EF0FF call 004089B0
00504AE9 85C0 test eax, eax
00504AEB 7404 jz 00504AF1
00504AED 33DB xor ebx, ebx
00504AEF EB1F jmp 00504B10
00504AF1 8D4348 lea eax, [ebx+$48]
00504AF4 8B55FC mov edx, [ebp-$04]
好了,到这里把得到的注册码记下,在输入注册码地方输入,就会发现注册成功.
等等,怎么按下确定还是说 对不起,你不是注册用户只能试用,还有什么地方没有搞对吗?
革命尚未成功,同志还需努力.
继续
在uRegSoft窗体中的button2click过程中发现以下代码,如下:
005104B8 53 push ebx
005104B9 8BD8 mov ebx, eax
005104BB 6A30 push $30
* Possible String Reference to: '天下无挂提醒你'
|
005104BD 68D8045100 push $005104D8
* Possible String Reference to: '对不起,你不是注册用户只能试用'
|
005104C2 68E8045100 push $005104E8
005104C7 8BC3 mov eax, ebx
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
005104C9 E8CAC2F4FF call 0045C798
005104CE 50 push eax
* Reference to: DragAcceptFiles.MessageBoxA()
|
005104CF E8206FEFFF call 004073F4
005104D4 5B pop ebx
005104D5 C3 ret
///////////////////////////////////////////////////////////////////////////
//从代码中可以看到,根本没有成功的机会,难道这个只是1个演示版??
//进1步求证
//在代码中发现如下信息
CODE:00511983 dd 74682EF7h, 6Dh, 0FFFFFF00h, 0FFFh
CODE:00511993 align 4
CODE:00511994 aImagesFid_jpg db '\images\fid.jpg',0 ; DATA XREF: CODE:005118D1o
CODE:005119A4 dd 0FFFFFFFFh, 79h
CODE:005119AC aProviderMicros db 'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=%s;Persist Secu'
CODE:005119AC ; DATA XREF: CODE:005118F1o
CODE:005119AC db 'rity Info=False;Jet OLEDB:Database Password=bing!Qin@Ping#98'
CODE:005119AC db '$',0
//可以知道程序是从数据库中读取信息,然后显示,这可难不倒我,跟踪1下引用
CODE:005118EF xor ecx, ecx
CODE:005118F1 mov eax, offset aProviderMicros ; "Provider=Microsoft.Jet.OLEDB.4.0;Data S"...
CODE:005118F6 call sub_409DA4
CODE:005118FB mov edx, [ebp-28h]
//发现引用的数据源是 images目录下的fid.jpg, 奸,把数据库的扩展名改了,把它改回来,密码也有了,就是 bing!Qin@Ping#98$
//我用access2003打开,不知道为什么看不到任何表,无奈,建了个数据源,用delphi的sql explore打开,
//这下所有信息都有了,有wpe基础,编程基础,加密解密,脚本制作等等,信息都以memo字段形式存在每个表中,再打开memo字段,
//傻眼了,里面都是1些垃圾信息,重复的,至此,终于知道这个只是1个演示版,不可以破解成适用版
这个是我的处女作,希望各位大虾不要见笑,有什么不对请大家多多指点,谢谢.另外,还想结识些朋友,有意者加qq:232673885.
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!