CHM Browser (CHMUnpacker) crack + algorithm analysis
Posted: 2004-6-4 19:16 5914
Heh, I'm back again. Finals are almost here and I'm even busier with my studies, but I still can't hold back my interest in cracking, so here are three more articles. Seniors, please advise!
Part one
【Cracker】 WXHing
【Author's e-mail】 WXHing@163.com
【Tools】 OllyDbg 1.09, W32Dasm 8.93
【Platform】 Win9x/NT/2000/XP
【Software】 CHM Browser (CHM浏览器, module name CHMUnpac)
【Download】 China Shareware Registration Center (中国共享软件注册中心)
【Protection】 serial number
【Description】 CHM Browser is a CHM tool that helps you export the files inside a CHM.
It can decompile any type of file out of a compiled Windows HTML Help file (*.chm). It treats a CHM like a ZIP archive: you can run or view the files inside a CHM just as you would view a ZIP with WinZip, and open an HTML file or an image by double-clicking its icon.
【Size】 500 KB
【Disclaimer】 I'm just a newbie learning to crack; if anything here is wrong, I'd be grateful for corrections from the seniors. Thanks in advance!
--------------------------------------------------------------------------------
【Cracking】 First check with PEiD: no packer.
Run it and choose Register.
User name: WXHing
Trial serial: 9876543210
OK: error!
Fine, out comes my dragon-slaying sabre OD. Load the target, F9 to run, try to register, and an error box pops up. Don't close it; go back to OD, Alt+M to open the memory map, search for WXHing, set a hardware access breakpoint (dword) on it, restart the program, repeat the first step and click OK.
0040FA02 . 8807 mov byte ptr ds:[edi], al ; breaks here
0040FA04 . 8B45 08 mov eax, dword ptr ss:[ebp+8]
0040FA07 . 5E pop esi
0040FA08 . 5F pop edi
0040FA09 . C9 leave
0040FA0A . C3 retn
0040FA0B 90 nop
0040FA0C > 8A06 mov al, byte ptr ds:[esi]
0040FA0E . 8807 mov byte ptr ds:[edi], al
004227AD |. E8 6DD5FFFF call CHMUnpac.0041FD1F ; ecx points to the trial serial
004227B2 |. EB 13 jmp short CHMUnpac.004227C7
004227B4 |> 8BCE mov ecx, esi
004227B6 |. E8 D2ECFFFF call CHMUnpac.0042148D
004227BB |. 85C0 test eax, eax
004227BD |. 74 08 je short CHMUnpac.004227C7
004227BF |. 57 push edi
004227C0 |. 8BC8 mov ecx, eax
004227C2 |. E8 52FFFFFF call CHMUnpac.00422719
004227C7 |> 8B07 mov eax, dword ptr ds:[edi]
004227C9 |. 5F pop edi
004227CA |. 5E pop esi
004227CB |. 8B40 F8 mov eax, dword ptr ds:[eax-8] ;eax = trial serial length ('9')
004227CE \. C2 0800 retn 8
.........
........
00405A8F . E8 CDCC0100 call CHMUnpac.00422761
00405A94 . 8B5424 0C mov edx, dword ptr ss:[esp+C]
00405A98 . 68 30C94400 push CHMUnpac.0044C930 ; /Arg2 = 0044C930
00405A9D . 52 push edx ; |Arg1
00405A9E . E8 83910000 call CHMUnpac.0040EC26 ; \CHMUnpac.0040EC26
00405AA3 . 83C4 08 add esp, 8
00405AA6 . 85C0 test eax, eax ; check whether the user name is empty
00405AA8 . 75 0C jnz short CHMUnpac.00405AB6
00405AAA . 53 push ebx
00405AAB . 53 push ebx
00405AAC . 68 94A54400 push CHMUnpac.0044A594
00405AB1 . E9 3B010000 jmp CHMUnpac.00405BF1
00405AB6 > 8B4424 08 mov eax, dword ptr ss:[esp+8]
00405ABA . 68 30C94400 push CHMUnpac.0044C930 ; /Arg2 = 0044C930
00405ABF . 50 push eax ; |Arg1
00405AC0 . E8 61910000 call CHMUnpac.0040EC26 ; \CHMUnpac.0040EC26
00405AC5 . 83C4 08 add esp, 8
00405AC8 . 85C0 test eax, eax ;check whether the serial is empty
00405ACA . 75 0C jnz short CHMUnpac.00405AD8
00405ACC . 53 push ebx
00405ACD . 53 push ebx
00405ACE . 68 84A54400 push CHMUnpac.0044A584
00405AD3 . E9 19010000 jmp CHMUnpac.00405BF1
00405AD8 > 68 80A54400 push CHMUnpac.0044A580
00405ADD . 8D4C24 0C lea ecx, dword ptr ss:[esp+C]
00405AE1 . E8 FC6F0100 call CHMUnpac.0041CAE2
00405AE6 . 68 80A54400 push CHMUnpac.0044A580
00405AEB . 8D4C24 0C lea ecx, dword ptr ss:[esp+C]
00405AEF . E8 4F6F0100 call CHMUnpac.0041CA43
00405AF4 . 8B4424 08 mov eax, dword ptr ss:[esp+8]
00405AF8 . 8378 F8 10 cmp dword ptr ds:[eax-8], 10 ;check whether the serial length equals 0x10 (16 decimal)
00405AFC . 74 0C je short CHMUnpac.00405B0A
00405AFE . 53 push ebx
00405AFF . 53 push ebx
00405B00 . 68 70A54400 push CHMUnpac.0044A570
00405B05 . E9 E7000000 jmp CHMUnpac.00405BF1
00405B0A > 68 5CA54400 push CHMUnpac.0044A55C ; /Arg2 = 0044A55C ASCII "eLRYdMs7IhHiObJg" ;unknown string pushed
00405B0F . 50 push eax ; |Arg1 ; trial serial pushed
00405B10 . E8 11910000 call CHMUnpac.0040EC26 ; \CHMUnpac.0040EC26
00405B15 . 83C4 08 add esp, 8
00405B18 . 85C0 test eax, eax
00405B1A . 0F84 CA000000 je CHMUnpac.00405BEA ;jump if equal (0040EC26 returns 0 when the strings match); the target shows a "this serial has been cracked" message, a decoy
00405B20 . 8B4C24 08 mov ecx, dword ptr ss:[esp+8]
00405B24 . 68 48A54400 push CHMUnpac.0044A548 ; /Arg2 = 0044A548 ASCII "FkZQYRjGoBNcgJVU" ;unknown string pushed
00405B29 . 51 push ecx ; |Arg1 ; trial serial pushed
00405B2A . E8 F7900000 call CHMUnpac.0040EC26 ; \CHMUnpac.0040EC26
00405B2F . 83C4 08 add esp, 8
00405B32 . 85C0 test eax, eax
00405B34 . 0F84 B0000000 je CHMUnpac.00405BEA ;jump if equal; same decoy "cracked serial" message as above
00405B3A . 8D5424 10 lea edx, dword ptr ss:[esp+10]
00405B3E . 57 push edi
00405B3F . 52 push edx ; /pHandle
00405B40 . 68 2CA54400 push CHMUnpac.0044A52C ; |Subkey = "Software\YBSoft\CHMUnpacker"
00405B45 . 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE ;
00405B4A . FF15 10B04300 call dword ptr ds:[<&ADVAPI32.RegCreat>; \RegCreateKeyA ;see that? Once past here your user name and serial are written to the registry, and the program then tells you the serial will be checked the next time it starts. Time for a sly grin, heh.
00405B50 . 8B4424 0C mov eax, dword ptr ss:[esp+C]
00405B54 . 8D4C24 0C lea ecx, dword ptr ss:[esp+C]
00405B58 . 8B40 F8 mov eax, dword ptr ds:[eax-8]
00405B5B . 50 push eax
00405B5C . 6A 01 push 1
00405B5E . E8 6DA10100 call CHMUnpac.0041FCD0
00405B63 . 8B4C24 18 mov ecx, dword ptr ss:[esp+18] ; |
00405B67 . 8B3D 0CB04300 mov edi, dword ptr ds:[<&ADVAPI32.RegS>; |ADVAPI32.RegSetValueExA
00405B6D . 50 push eax ; |Buffer
00405B6E . 6A 01 push 1 ; |ValueType = REG_SZ
00405B70 . 53 push ebx ; |Reserved
00405B71 . 68 80A24400 push CHMUnpac.0044A280 ; |ValueName = "Version"
00405B76 . 51 push ecx ; |hKey
00405B77 . FFD7 call edi ; \RegSetValueExA
00405B79 . 8B5424 10 mov edx, dword ptr ss:[esp+10]
00405B7D . 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
00405B81 . 8B42 F8 mov eax, dword ptr ds:[edx-8]
.....................
..................
OK, restart and set bp RegCreateKeyA, then keep pressing F9... too tedious: it reads so many registry values that you lose the trail in a blink. Fine, out comes the Heavenly Sword: analyse it with W32Dasm and find the string "V1.3 - 未注册21天试用版" ("V1.3 - unregistered 21-day trial"), the marker of the unregistered version, and look at where it is jumped to from: 004041CA(C), 004041F7(C), 00404229(C).
OK, reload, set the breakpoint bpx 4041ca, F9 to run, and we land right on it.
004041CA . /75 6A jnz short CHMUnpac.00404236
004041CC . |8D5424 14 lea edx, dword ptr ss:[esp+14]
004041D0 . |8D4424 3C lea eax, dword ptr ss:[esp+3C]
004041D4 . |52 push edx ; /pBufSize
004041D5 . |8B5424 14 mov edx, dword ptr ss:[esp+14] ; |
004041D9 . |8D4C24 2C lea ecx, dword ptr ss:[esp+2C] ; |
004041DD . |50 push eax ; |Buffer
004041DE . |51 push ecx ; |pValueType
004041DF . |6A 00 push 0 ; |Reserved = NULL
004041E1 . |68 80A24400 push CHMUnpac.0044A280 ; |ValueName = "Version"
004041E6 . |52 push edx ; |hKey
004041E7 . |C74424 2C FF000000 mov dword ptr ss:[esp+2C], 0FF ; |
004041EF . |FF15 04B04300 call dword ptr ds:[<&ADVAPI32.RegQuery>; \RegQueryValueExA
004041F5 . |85C0 test eax, eax
004041F7 . |75 3D jnz short CHMUnpac.00404236
004041F9 . |8B4424 10 mov eax, dword ptr ss:[esp+10]
004041FD . |50 push eax ; /hKey
004041FE . |FF15 30B04300 call dword ptr ds:[<&ADVAPI32.RegClose>; \RegCloseKey
00404204 . |33DB xor ebx, ebx
00404206 . 8D7C24 3C lea edi, dword ptr ss:[esp+3C] ;edi points to the trial serial (the "Version" value just read back from the registry)
0040420A > 8A4F 01 mov cl, byte ptr ds:[edi+1] ;fetch the second character of the pair
0040420D . 51 push ecx ;F7 to step into the call
0040420E . E8 1DFBFFFF call CHMUnpac.00403D30
00404213 . 8A17 mov dl, byte ptr ds:[edi] ;fetch the first character of the pair
00404215 . 52 push edx
00404216 . 0FBEE8 movsx ebp, al ;converted second character into ebp
00404219 . E8 12FBFFFF call CHMUnpac.00403D30
0040421E . 0FBEC0 movsx eax, al ;converted first character sign-extended into eax
00404221 . 03E8 add ebp, eax ;ebp = ebp + eax
00404223 . 83C4 08 add esp, 8 ;esp = esp + 8
00404226 . 83FD 3D cmp ebp, 3D ;ebp == 0x3D?
00404229 . 75 0B jnz short CHMUnpac.00404236 ;not equal means game over; make every pair sum to 0x3D: change the serial to s7t6u5v4w3x2y1z0
0040422C . 83C7 02 add edi, 2
0040422F . 83FB 08 cmp ebx, 8
00404232 .^ 7C D6 jl short CHMUnpac.0040420A
00404234 . EB 5C jmp short CHMUnpac.00404292
00404236 > 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
0040423A . 51 push ecx
0040423B . 8BCE mov ecx, esi
0040423D . E8 EE060000 call CHMUnpac.00404930
00404242 . 68 38A44400 push CHMUnpac.0044A438
00404247 . 8D5424 18 lea edx, dword ptr ss:[esp+18]
0040424B . 50 push eax
0040424C . 52 push edx
0040424D . C68424 50010000 04 mov byte ptr ss:[esp+150], 4
00404255 . E8 DBB80100 call CHMUnpac.0041FB35
0040425A . 8B00 mov eax, dword ptr ds:[eax]
0040425C . 8D8E AC000000 lea ecx, dword ptr ds:[esi+AC]
00404262 . 50 push eax
00404263 . C68424 48010000 05 mov byte ptr ss:[esp+148], 5
0040426B . E8 B9B70100 call CHMUnpac.0041FA29
00404270 . 8D4C24 14 lea ecx, dword ptr ss:[esp+14]
00404274 . C68424 44010000 04 mov byte ptr ss:[esp+144], 4
0040427C . E8 1FB60100 call CHMUnpac.0041F8A0
00404281 . 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
00404285 . C68424 44010000 01 mov byte ptr ss:[esp+144], 1
0040428D . E8 0EB60100 call CHMUnpac.0041F8A0
00404292 > 8D4424 10 lea eax, dword ptr ss:[esp+10]
00404296 . 50 push eax ; /pHandle
00404297 . 68 88A24400 push CHMUnpac.0044A288 ; |Subkey = "SOFTWARE\YBSoft\CHMUnpacker"
0040429C . 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004042A1 . FF15 08B04300 call dword ptr ds:[<&ADVAPI32.RegOpenK>; \RegOpenKeyA
004042A7 . 85C0 test eax, eax
004042A9 . 0F85 41010000 jnz CHMUnpac.004043F0
004042AF . 8D4C24 14 lea ecx, dword ptr ss:[esp+14]
004042B3 . 8D5424 3C lea edx, dword ptr ss:[esp+3C] ;edx points to the trial serial (buffer for RegQueryValueExA)
004042B7 . 51 push ecx ; /pBufSize
004042B8 . 8B4C24 14 mov ecx, dword ptr ss:[esp+14] ; |
004042BC . 8D4424 2C lea eax, dword ptr ss:[esp+2C] ; |
004042C0 . 52 push edx ; |Buffer
004042C1 . 50 push eax ; |pValueType
004042C2 . 6A 00 push 0 ; |Reserved = NULL
004042C4 . 68 80A24400 push CHMUnpac.0044A280 ; |ValueName = "Version"
004042C9 . 51 push ecx ; |hKey
004042CA . C74424 2C FF000000 mov dword ptr ss:[esp+2C], 0FF ; |
004042D2 . FF15 04B04300 call dword ptr ds:[<&ADVAPI32.RegQuery>; \RegQueryValueExA
004042D8 . 85C0 test eax, eax
004042DA . 0F85 10010000 jnz CHMUnpac.004043F0
004042E0 . 8B5424 10 mov edx, dword ptr ss:[esp+10]
004042E4 . 52 push edx ; /hKey
004042E5 . FF15 30B04300 call dword ptr ds:[<&ADVAPI32.RegClose>; \RegCloseKey
004042EB . 33ED xor ebp, ebp
004042ED . 8D7C24 3D lea edi, dword ptr ss:[esp+3D] ;edi points one past the start of the serial
004042F1 > 8A47 FF mov al, byte ptr ds:[edi-1] ;al = first character of the pair
004042F4 . 3C 61 cmp al, 61 ;al < 0x61?
004042F6 . 7C 04 jl short CHMUnpac.004042FC ;jump if less
004042F8 . 2C 3D sub al, 3D ;al = al - 0x3D
004042FA . EB 0A jmp short CHMUnpac.00404306
004042FC > 3C 41 cmp al, 41 ;al < 0x41?
004042FE . 7C 04 jl short CHMUnpac.00404304 ;jump if less
00404300 . 2C 37 sub al, 37 ;al = al - 0x37
00404302 . EB 02 jmp short CHMUnpac.00404306
00404304 > 2C 30 sub al, 30 ;al = al - 0x30
00404306 > 8AD8 mov bl, al ;bl = al (this is the conversion from 00403D30, inlined)
00404308 . 8A07 mov al, byte ptr ds:[edi] ;al = second character of the pair
0040430A . 50 push eax
0040430B . E8 20FAFFFF call CHMUnpac.00403D30 ;step into this call: it performs the character conversion
00404310 . 0FBEC8 movsx ecx, al ;converted character sign-extended into ecx
00404313 . 0FBED3 movsx edx, bl ;bl sign-extended into edx
00404316 . 03CA add ecx, edx ;ecx = ecx + edx
00404318 . 83C4 04 add esp, 4
0040431B . 83F9 3D cmp ecx, 3D ;ecx == 0x3D?
0040431E . 0F85 CC000000 jnz CHMUnpac.004043F0 ;not equal means game over
00404324 . 45 inc ebp
00404325 . 83C7 02 add edi, 2
00404328 . 83FD 08 cmp ebp, 8
0040432B .^ 7C C4 jl short CHMUnpac.004042F1
.........
.........what follows is start-up housekeeping, unrelated to registration
Note! This call is used in many places, so it is worth studying:
00403D30 /$ 8A4424 04 mov al, byte ptr ss:[esp+4] ;al = the character passed in
00403D34 |. 3C 61 cmp al, 61 ;al < 0x61 ('a')?
00403D36 |. 7C 04 jl short CHMUnpac.00403D3C ;jump if less
00403D38 |. 83E8 3D sub eax, 3D ;not less: eax = eax - 0x3D ('a'..'z' -> 36..61)
00403D3B |. C3 retn
00403D3C |> 3C 41 cmp al, 41 ;al < 0x41 ('A')?
00403D3E |. 7C 04 jl short CHMUnpac.00403D44 ;jump if less
00403D40 |. 83E8 37 sub eax, 37 ;not less: eax = eax - 0x37 ('A'..'Z' -> 10..35)
00403D43 |. C3 retn
00403D44 |> 83E8 30 sub eax, 30 ;less: eax = eax - 0x30 ('0'..'9' -> 0..9)
00403D47 \. C3 ret
This call converts a character into its digit value (0-9, A-Z, a-z, i.e. a base-62 digit). Note that the compares are signed (jl) and that only al matters afterwards: every caller sign-extends al with movsx before adding.
--------------------------------------------------------------------------------
【Summary】
The serial for this program is independent of the user name; it only has to satisfy the relation below (and it must be exactly 16 characters long). Each character is first mapped by the call at 00403D30:
if (al >= 0x61) ; 'a'..'z' -> 36..61
al = al - 0x3D;
else if (al >= 0x41) ; 'A'..'Z' -> 10..35
al = al - 0x37;
else ; '0'..'9' -> 0..9
al = al - 0x30;
and the converted values of the two characters in each adjacent pair (positions 1-2, 3-4, ..., 15-16) must add up to 0x3D (61). That's it! Two caveats from the listing: the Register dialog only checks the length and the two hard-coded "cracked" serials ("eLRYdMs7IhHiObJg", "FkZQYRjGoBNcgJVU") before writing the serial to HKLM\Software\YBSoft\CHMUnpacker, and the pair relation is only verified at the next start; both blacklisted strings satisfy the relation themselves, so they are simply leaked keys that were added to a blacklist.
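The relation above turned into a working check and keygen. This is an added example written for this page, not code from CHMUnpacker or from WXHing. It assumes that the helper at 0040EC26 is a plain string comparison, that the dword at CString-8 is the string length, and that the pair loop runs eight times (the listing at 0040420A does not show ebx being incremented, so the bound is taken from the second loop at 004042F1, which does inc ebp). The value mapping keeps the binary's signed-byte semantics so it behaves like the original for any input byte, not just alphanumerics; the keygen itself only emits alphanumeric pairs. The user name, serials and the registry path are taken from the post; the message strings are my own labels.

```python
"""CHMUnpacker serial check and keygen, reconstructed from the disassembly
in the post above (added example, not the program's own source)."""
import secrets

KEY_LEN = 0x10      # cmp dword ptr [eax-8], 10h  (CString length at -8, assumed)
TARGET = 0x3D       # cmp ebp, 3Dh / cmp ecx, 3Dh
# Hard-coded "cracked" serials at 0044A55C / 0044A548; matching one gets you the decoy message.
BLACKLIST = ("eLRYdMs7IhHiObJg", "FkZQYRjGoBNcgJVU")
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def char_value(ch: str) -> int:
    """sub_403D30: map one serial character to its base-62 digit.

    The binary compares al with *signed* jl and the callers sign-extend the
    result with movsx, so bytes >= 0x80 come out negative, exactly as there.
      '0'..'9' -> 0..9   (al - 30h)
      'A'..'Z' -> 10..35 (al - 37h)
      'a'..'z' -> 36..61 (al - 3Dh)
    """
    al = ord(ch) & 0xFF
    signed = al - 0x100 if al & 0x80 else al
    if signed >= 0x61:
        v = (al - 0x3D) & 0xFF
    elif signed >= 0x41:
        v = (al - 0x37) & 0xFF
    else:
        v = (al - 0x30) & 0xFF
    return v - 0x100 if v & 0x80 else v          # movsx eax, al


def pairs_ok(key: str) -> bool:
    """Loops at 0040420A / 004042F1: every adjacent pair must sum to 0x3D."""
    return len(key) == KEY_LEN and all(
        char_value(key[i]) + char_value(key[i + 1]) == TARGET
        for i in range(0, KEY_LEN, 2)
    )


def dialog_check(name: str, key: str) -> str:
    """What the Register dialog (00405A8F..00405B4A) verifies before it writes
    name/serial to HKLM\\Software\\YBSoft\\CHMUnpacker.  The pair relation is
    NOT checked here; that only happens at the next start."""
    if name == "":
        return "error: empty user name"
    if key == "":
        return "error: empty serial"
    if len(key) != KEY_LEN:
        return "error: serial must be 16 characters"
    if key in BLACKLIST:
        return "error: serial is a known cracked key"
    return "stored"


def startup_check(key: str) -> str:
    """What the start-up code (004041CA..00404234) does with the stored value."""
    return "registered" if pairs_ok(key) else "V1.3 - unregistered 21-day trial"


def partner(ch: str) -> str:
    """The alphanumeric character whose value completes ch to 0x3D."""
    v = char_value(ch)
    if not 0 <= v <= TARGET:
        raise ValueError(f"{ch!r} has no alphanumeric partner")
    return ALNUM[TARGET - v]          # ALNUM[i] has value i by construction


def make_key(seed_chars: str = "") -> str:
    """Keygen: choose 8 first-of-pair characters, append each one's partner.
    seed_chars="stuvwxyz" reproduces the author's s7t6u5v4w3x2y1z0; with no
    seed the first characters are drawn at random (constructed input)."""
    while True:
        firsts = seed_chars or "".join(secrets.choice(ALNUM) for _ in range(8))
        key = "".join(c + partner(c) for c in firsts)
        if key not in BLACKLIST:
            return key
        seed_chars = ""               # chosen seed hit the blacklist: re-roll


if __name__ == "__main__":
    for k in ("9876543210", "s7t6u5v4w3x2y1z0", *BLACKLIST, make_key()):
        print(f"{k:18} dialog={dialog_check('WXHing', k):40} startup={startup_check(k)}")
```

Running the block shows the trial serial 9876543210 failing on length alone, the author's s7t6u5v4w3x2y1z0 being stored and then accepted at start-up, and both blacklisted strings being rejected by the dialog even though startup_check would accept them.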
A long, sprawling write-up, finally done; the algorithm itself is really simple. Thanks for reading to the end!
--------------------------------------------------------------------------------
【Copyright】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thanks!