【破文作者】 lnn1123[[BCG][DCM]]
【 E-mail 】 lnn11231123@163.com
【 作者QQ 】 254513595
【文章题目】 TitleBarClock Pro5.2算法分析
【软件名称】 TitleBarClock Pro5.2
【下载地址】 天空软件
----------------------------------------------------------------------------------------------
【加密方式】 注册码
【破解工具】 OD,PEID
【软件限制】 没看
【破解平台】 Win9x/NT/2000/XP/XP SP2
----------------------------------------------------------------------------------------------
【文章简介】
文章比较简单啊,高手过!
----------------------------------------------------------------------------------------------
【破解过程】
用PEID查看是PECompact 2.x -> Jeremy Collake的壳。在Ollydbg里设置忽略所有的异常选项:这个壳在入口处先通过FS:[0]挂上自己的SEH处理程序,然后故意往地址0写入(见下面00401016处的MOV DWORD PTR DS:[EAX],ECX,此时EAX=0)来触发异常、把控制权交给自己的处理程序;不忽略的话OD会在这里停住。
; PECompact 2.x entry stub (first instructions of the packed image).  OllyDbg stops
; here because it is the PE entry point.  The stub installs its own SEH handler and
; then faults on purpose, so the handler -- not the code that follows -- runs next.
00401000 > B8 58CB4100          MOV EAX,Tbcpro.0041CB58          ; EAX = address of the stub's exception handler (pushed as the SEH record's handler field below)
00401005   50                   PUSH EAX                         ; SEH record: handler
00401006   64:FF35 00000000     PUSH DWORD PTR FS:[0]            ; SEH record: previous frame
0040100D   64:8925 00000000     MOV DWORD PTR FS:[0],ESP         ; link the new record in: Tbcpro.0041CB58 now receives exceptions
00401014   33C0                 XOR EAX,EAX                      ; EAX = 0
00401016   8908                 MOV DWORD PTR DS:[EAX],ECX       ; write to address 0 = deliberate access violation; control goes to the handler above. This is why OD must be told to pass all exceptions to the program
00401018   50                   PUSH EAX                         ; bytes 50 45 43 are ASCII "PEC" -- the packer's signature, shown here as code
00401019   45                   INC EBP                          ;   because the disassembler continues linearly; the fault above diverts execution,
0040101A   43                   INC EBX                          ;   so these are presumably never reached as instructions
下断:BP VirtualFree (这些API经常要,要记住),运行后,取消断点,ALT+F9
返回,再走几步就到OEP了
下断后,断在这里:
; kernel32!VirtualFree as shown by OllyDbg -- this is where "BP VirtualFree" lands.
; It is a thin stdcall wrapper that forwards its three arguments to VirtualFreeEx
; with hProcess = -1 (the current-process pseudo-handle).
7C809B14 > 8BFF                 MOV EDI,EDI                      ; EDI = Tbcpro.00400000 here; the 2-byte MOV EDI,EDI is the usual Windows hot-patch placeholder
7C809B16   55                   PUSH EBP
7C809B17   8BEC                 MOV EBP,ESP
7C809B19   FF75 10              PUSH DWORD PTR SS:[EBP+10]       ; dwFreeType
7C809B1C   FF75 0C              PUSH DWORD PTR SS:[EBP+C]        ; dwSize
7C809B1F   FF75 08              PUSH DWORD PTR SS:[EBP+8]        ; lpAddress
7C809B22   6A FF                PUSH -1                          ; hProcess = -1 (current process)
7C809B24   E8 09000000          CALL kernel32.VirtualFreeEx
7C809B29   5D                   POP EBP
7C809B2A   C2 0C00              RETN 0C                          ; 3 stack args; ALT+F9 runs until this return lands back in the packer stub
ALT+F9
到这里:
; Fragment of the unpacker (in a heap/VirtualAlloc'd region, hence the 0038xxxx
; addresses) reached with ALT+F9 from VirtualFree.  It frees one region and returns
; to the in-image part of the stub (0041CBFE, next listing).  Note that EBP is used
; as a data base register with a large displacement, not as a frame pointer.
0038039C   58                   POP EAX                          ; EAX = &kernel32.VirtualFree (OllyDbg: <&kernel32.VirtualFree>)
0038039D   68 00800000          PUSH 8000                        ; dwFreeType = MEM_RELEASE
003803A2   6A 00                PUSH 0                           ; dwSize = 0 (required with MEM_RELEASE)
003803A4   FFB5 E3120010        PUSH DWORD PTR SS:[EBP+100012E3] ; lpAddress = region to release (where it was allocated is not shown here)
003803AA   FF10                 CALL DWORD PTR DS:[EAX]          ; VirtualFree(lpAddress, 0, MEM_RELEASE); the breakpoint above returns to 003803AC
003803AC   8B46 0C              MOV EAX,DWORD PTR DS:[ESI+C]     ; EAX = [ESI+0C] ...
003803AF   03C7                 ADD EAX,EDI                      ; ... + EDI -- looks like offset + base, but this fragment does not show what ESI/EDI hold
003803B1   5D                   POP EBP
003803B2   5E                   POP ESI
003803B3   5F                   POP EDI
003803B4   59                   POP ECX
003803B5   5B                   POP EBX
003803B6   C3                   RETN                             ; F8 over this returns into the stub at 0041CBFE
F8
走到这里:
; Tail of the PECompact stub: saves the original entry point, releases the last
; work buffer, restores registers and jumps to the OEP.  Dump the process at the
; JMP EAX.  As in the previous fragment, EBP addresses stub data, not a frame.
0041CBFE   8985 1C110010        MOV DWORD PTR SS:[EBP+1000111C],EAX ; EAX = Tbcpro.<ModuleEntryPoint> (the OEP, per OllyDbg); stored in the stub's data area
0041CC04   8BF0                 MOV ESI,EAX                      ; ESI = OEP
0041CC06   59                   POP ECX
0041CC07   5A                   POP EDX
0041CC08   03CA                 ADD ECX,EDX                      ; ECX = pointer to the import slot used by CALL [ECX] below
0041CC0A   68 00800000          PUSH 8000                        ; dwFreeType = MEM_RELEASE
0041CC0F   6A 00                PUSH 0                           ; dwSize = 0
0041CC11   57                   PUSH EDI                         ; lpAddress = EDI
0041CC12   FF11                 CALL DWORD PTR DS:[ECX]          ; same argument pattern as the VirtualFree call earlier -- presumably VirtualFree(EDI, 0, MEM_RELEASE)
0041CC14   8BC6                 MOV EAX,ESI                      ; EAX = OEP
0041CC16   5E                   POP ESI                          ; restore the registers the stub saved (the saves are not in this listing)
0041CC17   5F                   POP EDI
0041CC18   59                   POP ECX
0041CC19   5B                   POP EBX
0041CC1A   5D                   POP EBP
0041CC1B   FFE0                 JMP EAX                          ; JMP OEP -> original program; unpack (dump) here
现在用OD的脱壳插件就可以脱壳了,我这里不需要修复就可以运行,脱壳完成。
下面看算法。输入Order ID和Regcode后看到有错误提示,怀疑提示字符串是不是被加密了,用老罗的插件查看,没有加密。找到字符串后在它的引用处下断,断在这里:
===================================
代码=============================================
; Registration dialog handler.  The listing starts mid-function: the prologue and
; the dispatch that leads here are not shown.  RETN 10 at the end means four stack
; arguments and [EBP+8] is used as hWnd throughout, which is consistent with a
; DLGPROC(hWnd, msg, wParam, lParam) -- not confirmed from this fragment.
; Flow: read Regcode -> 00409141 compares it with a constant decoded at runtime
;       -> read Order ID -> 004091C9 checks its syntax only -> success UI.
; Each outcome is gated by ONE conditional jump on a global flag ([40D74B],
; [40D74F]) set inside the called routine, and the two error strings tell the
; user which of the two checks failed.
00405A10 |. 6A 10               PUSH 10                                 ; /Count = 10 (16.)  -> at most 15 characters plus NUL are read
00405A12 |. 68 82D94000         PUSH 1.0040D982                         ; |Buffer = 1.0040D982 (Regcode buffer; compared inside 00409141)
00405A17 |. 68 AA0F0000         PUSH 0FAA                               ; |ControlID = FAA (4010.)
00405A1C |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hWnd
00405A1F |. E8 08490000         CALL <JMP.&user32.GetDlgItemTextA>      ; \GetDlgItemTextA -- read the Regcode edit control
00405A24 |. E8 18370000         CALL 1.00409141                         ; key call #1: builds the expected code and compares it with the buffer above; sets [40D74B]=1 on mismatch
00405A29 |. 833D 4BD74000 >     CMP DWORD PTR DS:[40D74B],1             ; mismatch flag from 00409141
00405A30 |. 75 19               JNZ SHORT 1.00405A4B                    ; flag != 1 (codes equal) -> go on to the Order ID check; falling through = failure
00405A32 |. 6A 30               PUSH 30                                 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405A34 |. 68 3CC04000         PUSH 1.0040C03C                         ; |Title = "TitleBarClock Pro 5.2"
00405A39 |. 68 80C04000         PUSH 1.0040C080                         ; |Text = "Invalid Registration Code"
00405A3E |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hOwner
00405A41 |. E8 40490000         CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
00405A46 |. E9 B5000000         JMP 1.00405B00                          ; -> return 0
00405A4B |> 6A 1E               PUSH 1E                                 ; /Count = 1E (30.)  -> at most 29 characters plus NUL
00405A4D |. 68 E6D94000         PUSH 1.0040D9E6                         ; |Buffer = 1.0040D9E6 (Order ID buffer; parsed inside 004091C9)
00405A52 |. 68 B40F0000         PUSH 0FB4                               ; |ControlID = FB4 (4020.)
00405A57 |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hWnd
00405A5A |. E8 CD480000         CALL <JMP.&user32.GetDlgItemTextA>      ; \GetDlgItemTextA -- read the Order ID edit control
00405A5F |. 8945 FC             MOV DWORD PTR SS:[EBP-4],EAX            ; EAX = number of characters copied (Order ID length)
00405A62 |. FF75 FC             PUSH DWORD PTR SS:[EBP-4]               ; /length argument for 004091C9
00405A65 |. E8 5F370000         CALL 1.004091C9                         ; \key call #2: syntax-only Order ID check; sets [40D74F]=1 on success. A length of 0 is passed through unchanged (see the caveat in 004091C9)
00405A6A |. 833D 4FD74000 >     CMP DWORD PTR DS:[40D74F],1             ; accept flag from 004091C9
00405A71 |. 75 62               JNZ SHORT 1.00405AD5                    ; not 1 -> "Invalid RegNow OrderID"
00405A73 |. 66:C705 9FD740>     MOV WORD PTR DS:[40D79F],0              ; registered: clear a 16-bit state word (its meaning is not shown here)
00405A7C |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; /Arg1 = hWnd
00405A7F |. E8 4C300000         CALL 1.00408AD0                         ; \1.00408AD0 (not analysed in this article)
00405A84 |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; /Arg1 = hWnd
00405A87 |. E8 AC2C0000         CALL 1.00408738                         ; \1.00408738 (not analysed in this article)
00405A8C |. 6A 00               PUSH 0                                  ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405A8E |. 68 4C040000         PUSH 44C                                ; |ItemID = 44C (1100.)
00405A93 |. FF35 84EC4000       PUSH DWORD PTR DS:[40EC84]              ; |hMenu = ABC00201
00405A99 |. E8 24490000         CALL <JMP.&user32.RemoveMenu>           ; \RemoveMenu -- remove menu item 1100 once registered
00405A9E |. 6A 30               PUSH 30                                 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AA0 |. 68 3CC04000         PUSH 1.0040C03C                         ; |Title = "TitleBarClock Pro 5.2"
00405AA5 |. 68 B1C04000         PUSH 1.0040C0B1                         ; |Text = "Thank You!\nTitleBarClock Pro\nRegistration Successful.\n"
00405AAA |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hOwner
00405AAD |. E8 D4480000         CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
00405AB2 |. 6A 00               PUSH 0                                  ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405AB4 |. FF35 88EC4000       PUSH DWORD PTR DS:[40EC88]              ; |ItemID = 647C01D3 (1685848531.) -- read from a global, value shown is whatever OD saw
00405ABA |. FF35 84EC4000       PUSH DWORD PTR DS:[40EC84]              ; |hMenu = ABC00201
00405AC0 |. E8 1F480000         CALL <JMP.&user32.EnableMenuItem>       ; \EnableMenuItem
00405AC5 |. 6A 00               PUSH 0                                  ; /lParam = 0
00405AC7 |. 6A 00               PUSH 0                                  ; |wParam = 0
00405AC9 |. 6A 10               PUSH 10                                 ; |Message = WM_CLOSE
00405ACB |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hWnd
00405ACE |. E8 FB480000         CALL <JMP.&user32.SendMessageA>         ; \SendMessageA -- close the registration dialog
00405AD3 |. EB 14               JMP SHORT 1.00405AE9
00405AD5 |> 6A 30               PUSH 30                                 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AD7 |. 68 3CC04000         PUSH 1.0040C03C                         ; |Title = "TitleBarClock Pro 5.2"
00405ADC |. 68 9AC04000         PUSH 1.0040C09A                         ; |Text = "Invalid RegNow OrderID"
00405AE1 |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hOwner
00405AE4 |. E8 9D480000         CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
00405AE9 |> EB 15               JMP SHORT 1.00405B00
00405AEB |> 3D C80F0000         CMP EAX,0FC8                            ; separate branch, reached only from code before 00405A10 (not shown): control ID FC8 (4040.)
00405AF0 |. 75 0E               JNZ SHORT 1.00405B00
00405AF2 |. 6A 00               PUSH 0                                  ; /lParam = 0
00405AF4 |. 6A 00               PUSH 0                                  ; |wParam = 0
00405AF6 |. 6A 10               PUSH 10                                 ; |Message = WM_CLOSE
00405AF8 |. FF75 08             PUSH DWORD PTR SS:[EBP+8]               ; |hWnd
00405AFB |. E8 CE480000         CALL <JMP.&user32.SendMessageA>         ; \SendMessageA -- just close the dialog
00405B00 |> 33C0                XOR EAX,EAX                             ; return 0
00405B02 |. C9                  LEAVE
00405B03 \. C2 1000             RETN 10                                 ; four stack arguments
======================================
进CALL 00409141==================================================
; 00409141 -- Regcode check.  No arguments.  Reads the typed code from 0040D982
; (filled by GetDlgItemTextA with Count=16 in the caller) and writes the verdict
; to [40D74B]: 0 = match, 1 = mismatch (the caller tests the flag against 1).
; The expected code is assembled from three 5-byte fragments at fixed image
; addresses and decoded in place by 004091A1.  Nothing user- or machine-specific
; enters the computation, so if those fragments are static data the same 15-byte
; code unlocks every copy (the decoded value observed here: "Z526WT491QN387B").
; Preserves ESI/EDI/ECX; clobbers AL and flags.
00409141 /$ 56                  PUSH ESI                                ; (OllyDbg shows the return address 1.0040594B for the stack slot)
00409142 |. 57                  PUSH EDI
00409143 |. 51                  PUSH ECX
00409144 |. C705 4BD74000 >     MOV DWORD PTR DS:[40D74B],0             ; mismatch flag := 0
0040914E |. BF B4D94000         MOV EDI,1.0040D9B4                      ; destination buffer; OllyDbg shows its content AFTER decoding: ASCII "Z526WT491QN387B"
00409153 |. 57                  PUSH EDI                                ; remember the start of the buffer
00409154 |. BE 22DE4000         MOV ESI,1.0040DE22                      ; obfuscated fragment 1
00409159 |. B9 05000000         MOV ECX,5                               ; 5 bytes
0040915E |. F3:A4               REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy fragment 1
00409160 |. BE 67E04000         MOV ESI,1.0040E067                      ; obfuscated fragment 2 (the author's "special characters")
00409165 |. B9 05000000         MOV ECX,5                               ; 5 bytes
0040916A |. F3:A4               REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy fragment 2
0040916C |. BE 92DF4000         MOV ESI,1.0040DF92                      ; obfuscated fragment 3
00409171 |. B9 05000000         MOV ECX,5                               ; 5 bytes
00409176 |. F3:A4               REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy fragment 3 -> 15 bytes assembled at 0040D9B4
00409178 |. 5F                  POP EDI                                 ; EDI = start of the assembled buffer
00409179 |. 8BF7                MOV ESI,EDI
0040917B |. E8 21000000         CALL 1.004091A1                         ; decode the 15 bytes in place: b -> (b-3)>>1.  The result is the expected Regcode; follow this call to see it
00409180 |. BE 82D94000         MOV ESI,1.0040D982                      ; what the user typed (here ASCII "78787878")
00409185 |. BF B4D94000         MOV EDI,1.0040D9B4                      ; the decoded expected code (ASCII "Z526WT491QN387B")
0040918A |. B9 0F000000         MOV ECX,0F                              ; compare exactly 15 bytes -- a shorter input fails because its NUL/padding is compared too
0040918F |. F3:A6               REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; byte-wise compare
00409191 |. 74 0A               JE SHORT 1.0040919D                     ; all 15 bytes equal -> leave the flag at 0 (accept)
00409193 |. C705 4BD74000 >     MOV DWORD PTR DS:[40D74B],1             ; mismatch -> flag = 1, caller shows "Invalid Registration Code"
0040919D |> 59                  POP ECX
0040919E |. 5F                  POP EDI
0040919F |. 5E                  POP ESI
004091A0 \. C3                  RETN
=====================================
进CALL 004091A1================================================================
; 004091A1 -- in-place decode of the 15-byte buffer EDI points to.
; For each byte: out = (in - 3) >> 1 in 8-bit unsigned arithmetic.  The shift
; discards the low bit, so the mapping is 2-to-1 (encoded 2*x+3 and 2*x+4 both
; decode to x).  Preserves ESI and EDI; clobbers AL, ECX and flags.
004091A1 /$ 56                  PUSH ESI
004091A2 |. 57                  PUSH EDI
004091A3 |. 8BF7                MOV ESI,EDI                             ; EDI = 1.0040D9B4 here; read and write pointers start at the same buffer
004091A5 |. B9 0F000000         MOV ECX,0F                              ; 15 bytes
004091AA |> AC                  LODS BYTE PTR DS:[ESI]                  ; AL = next obfuscated byte
004091AB |. 2C 03               SUB AL,3                                ; AL -= 3
004091AD |. D0E8                SHR AL,1                                ; AL >>= 1 (unsigned; low bit lost)
004091AF |. AA                  STOS BYTE PTR ES:[EDI]                  ; store the decoded byte back over the original
004091B0 |. 49                  DEC ECX                                 ; bytes remaining
004091B1 |.^75 F7               JNZ SHORT 1.004091AA                    ; loop over all 15 bytes
004091B3 |. 5F                  POP EDI
004091B4 |. 5E                  POP ESI
004091B5 \. C3                  RETN
到这里Regcode 已经很容易得到了,这个软件的Order ID还有要求呢,我看看========================================
进 CALL 004091C9============================================
; 004091C9 -- syntax check of the Order ID in the fixed buffer 0040D9E6.
; In:  [EBP+8] = number of characters GetDlgItemTextA copied (pushed by the caller)
; Out: [40D74F] = 1 accepted, 0 rejected.  ECX/EDI/ESI saved and restored; AL and flags clobbered.
; What the three loops actually enforce:
;   1) exactly 10 leading bytes, each only required to be <= '9' -- CMP AL,39 / JG is a
;      SIGNED compare and there is no lower bound, so ' ', '!', '-'-free punctuation and
;      any byte >= 80h pass as well, not just '0'..'9';
;   2) a '-' as the 11th byte;
;   3) zero or more bytes <= '9' (this segment may be empty), then a second '-';
;   4) bytes <= '9' until the NUL terminator or until the count runs out.
; No checksum or signature: any string of that shape is accepted.
; Caveat: the count is the loop bound via DEC ECX / JNZ.  If the caller passes 0 (empty
; field) the first DEC wraps to FFFFFFFF and loop 1 walks past the 30-byte buffer until
; it meets a '-' or a byte > '9'.
004091C9 /$ 55                  PUSH EBP
004091CA |. 8BEC                MOV EBP,ESP
004091CC |. 83C4 FC             ADD ESP,-4                              ; one local: [EBP-4] = count of bytes before the first '-'
004091CF |. 56                  PUSH ESI
004091D0 |. 57                  PUSH EDI
004091D1 |. 51                  PUSH ECX
004091D2 |. BE E6D94000         MOV ESI,1.0040D9E6                      ; Order ID buffer (here ASCII "1234567890-1123-0000")
004091D7 |. 8B4D 08             MOV ECX,DWORD PTR SS:[EBP+8]            ; ECX = remaining character count
004091DA |. C745 FC 000000>     MOV DWORD PTR SS:[EBP-4],0              ; counter = 0
; --- loop 1: bytes before the first '-' ---
004091E1 |> AC /                LODS BYTE PTR DS:[ESI]                  ; AL = next byte
004091E2 |. 3C 2D |             CMP AL,2D                               ; '-' ?
004091E4 |. 74 1B |             JE SHORT 1.00409201                     ; yes -> check its position
004091E6 |. 3C 39 |             CMP AL,39                               ; > '9' ? (signed compare)
004091E8 |. 7F 29 |             JG SHORT 1.00409213                     ; yes -> reject
004091EA |. FF45 FC |           INC DWORD PTR SS:[EBP-4]                ; counter++
004091ED |. 49 |                DEC ECX
004091EE |.^75 F1 \JNZ SHORT 1.004091E1                                 ; more bytes
004091F0 |. C705 4FD74000 >     MOV DWORD PTR DS:[40D74F],0             ; count exhausted without a '-' -> reject
004091FA |. 59                  POP ECX
004091FB |. 5F                  POP EDI
004091FC |. 5E                  POP ESI
004091FD |. C9                  LEAVE
004091FE |. C2 0400             RETN 4
00409201 |> 837D FC 0A          CMP DWORD PTR SS:[EBP-4],0A             ; exactly 10 bytes must precede the first '-'
00409205 |. 75 0C               JNZ SHORT 1.00409213                    ; otherwise reject
; --- loop 2: bytes between the first and the second '-' ---
00409207 |> AC /                LODS BYTE PTR DS:[ESI]                  ; AL = next byte
00409208 |. 3C 2D |             CMP AL,2D                               ; second '-' ?
0040920A |. 74 18 |             JE SHORT 1.00409224                     ; yes -> last segment (zero bytes in between is fine)
0040920C |. 3C 39 |             CMP AL,39                               ; > '9' ?
0040920E |. 7F 03 |             JG SHORT 1.00409213                     ; yes -> reject
00409210 |. 49 |                DEC ECX
00409211 |.^75 F4 \JNZ SHORT 1.00409207                                 ; more bytes
; --- common reject exit (also reached when the count runs out before the second '-') ---
00409213 |> C705 4FD74000 >     MOV DWORD PTR DS:[40D74F],0             ; reject
0040921D |. 59                  POP ECX
0040921E |. 5F                  POP EDI
0040921F |. 5E                  POP ESI
00409220 |. C9                  LEAVE
00409221 |. C2 0400             RETN 4
; --- loop 3: bytes after the second '-' ---
00409224 |> AC /                LODS BYTE PTR DS:[ESI]                  ; AL = next byte
00409225 |. 3C 00 |             CMP AL,0                                ; NUL terminator ?
00409227 |. 74 07 |             JE SHORT 1.00409230                     ; yes -> accept
00409229 |. 3C 39 |             CMP AL,39                               ; > '9' ?
0040922B |.^7F E6 |             JG SHORT 1.00409213                     ; yes -> reject
0040922D |. 49 |                DEC ECX
0040922E |.^75 F4 \JNZ SHORT 1.00409224                                 ; more bytes; falling through (count exhausted) also accepts
00409230 |> C705 4FD74000 >     MOV DWORD PTR DS:[40D74F],1             ; accept
0040923A |. 59                  POP ECX
0040923B |. 5F                  POP EDI
0040923C |. 5E                  POP ESI
0040923D |. C9                  LEAVE
0040923E \. C2 0400             RETN 4
Order ID的要求总结一下(按004091C9的实际代码):前十个字节每个都只要求不大于'9'(CMP AL,39/JG是有符号比较,而且没有下界检查,所以并不限于0-9),第十一位必须是"-";第一个"-"后面是零个或多个不大于'9'的字节(可以一个都没有),然后必须再有一个"-";第二个"-"后面的字节同样只要不大于'9',遇到结尾的0或者长度用完就算通过。整个检查只是语法检查,没有任何校验和或签名,就OK
举例:1234567890-1123-0000
表达能力较差,不要骂我啊
到这里算法就完毕了,比较简单。
================================================================================
注册信息:
Order ID
:1234567890-1123-0000
Regcode
:Z526WT491QN387B
----------------------------------------------------------------------------------------------
【破解心得】
这个软件一开始串传送的那三段5字节源数据(0040DE22、0040E067、0040DF92)是不是每台机器都一样,文中没有跟到它们是否会在运行时被改写,所以不敢肯定;如果它们是固定的映像数据,那解出来的注册码在每台机器上都相同。不管怎样,那段字符的解密(每个字节减3再右移一位)才是关键
啊,写文章真的好累,破花了一点时间,可写花了不少时间啊
----------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
文章写于2004-9-7 19:25:11