VC破解《标准盲打指法练习 V3.00》心得:
步骤:
1,先侦壳发现无壳,是用VC++6.0写的!
2,请出我的屠龙刀w32dasm黄金中文版,反汇编,再选择‘字符串参考’,看到有:
"注册成功,非常感谢你的支持!!祝你早日成为打字"
"注册失败!!,如有问题请与我联系 "
双击任意一处来到下面:
* Possible StringData Ref from Data Obj ->" "
|
:00410C7E 68809D4500 push 00459D80
:00410C83 8BCE mov ecx, esi
:00410C85 E8E14F0200 call 00435C6B
:00410C8A 8B06 mov eax, dword ptr [esi]
:00410C8C C744242000000000 mov [esp+20], 00000000
:00410C94 8B48F8 mov ecx, dword ptr [eax-08]
:00410C97 85C9 test ecx, ecx
:00410C99 7458 je 00410CF3
:00410C9B 8B0F mov ecx, dword ptr [edi]
:00410C9D 8B41F8 mov eax, dword ptr [ecx-08]
:00410CA0 85C0 test eax, eax
:00410CA2 744F je 00410CF3
:00410CA4 51 push ecx
:00410CA5 8BCC mov ecx, esp
:00410CA7 89642414 mov dword ptr [esp+14], esp
:00410CAB 56 push esi
:00410CAC E8BF980200 call 0043A570
:00410CB1 51 push ecx
:00410CB2 C644242801 mov [esp+28], 01
:00410CB7 8BCC mov ecx, esp
:00410CB9 8964241C mov dword ptr [esp+1C], esp
:00410CBD 57 push edi
:00410CBE E8AD980200 call 0043A570
:00410CC3 8D4C2414 lea ecx, dword ptr [esp+14]
:00410CC7 C644242800 mov [esp+28], 00
:00410CCC E88FF4FFFF call 00410160
:00410CD1 8D4C240C lea ecx, dword ptr [esp+0C]
:00410CD5 E8C6F8FFFF call 004105A0
:00410CDA 85C0 test eax, eax
:00410CDC 6A00 push 00000000
:00410CDE 6A00 push 00000000
:00410CE0 7407 je 00410CE9
* Possible StringData Ref from Data Obj ->"注册成功,非常感谢你的支持!!祝你早日成为打字"
我先判断可能是if then/else 结构,于是用Uedit32修改跳转,输入任意注册码即出现"注册成功,非常感谢你的支持!!祝你早日成为打字",但是使用时候仍然功能限制,破解失败!
3,由于静态分析失败,于是动态追踪,看到一处CALL十分可疑,于是来到这里:
:004101B3 51 push ecx
:004101B4 E867FEFFFF call 00410020
:004101B9 8B00 mov eax, dword ptr [eax]
:004101BB 8B9424EC100000 mov edx, dword ptr [esp+000010EC]
:004101C2 50 push eax
:004101C3 52 push edx //我判断这里压入真假注册码
:004101C4 E8CE920100 call 00429497 //我判断这里关键比较CALL,在这里下断!
:004101C9 83C410 add esp, 00000010
4,再按F9,填入用户名:Sirus,注册码:1234567
被拦截!在下面的窗口点一下esp,看到下面:
Address: 01570058 is Not in a Loaded Module.
char[011]:"23894045192"
DWORD:39383332, WORD:3332, BYTE:32
CODE: xor dh, byte ptr [ebx]
是不是怎么看怎么象注册码啊!
5,输入23894045192,注册,出现错误提示!!!
6,我又跟了一下,来到下面:
:00429497 55 push ebp
:00429498 8BEC mov ebp, esp
:0042949A 833DFCFD450000 cmp dword ptr [0045FDFC], 00000000
:004294A1 53 push ebx
:004294A2 56 push esi
:004294A3 57 push edi
:004294A4 7512 jne 004294B8 //从这走过就出现错误提示了!
:004294A6 FF750C push [ebp+0C]
:004294A9 FF7508 push [ebp+08]
:004294AC E83F300000 call 0042C4F0
:004294B1 59 pop ecx
:004294B2 59 pop ecx
:004294B3 E989000000 jmp 00429541
7,正当我郁闷时,我又换了个用户名xibeilang注册,按照上面再来了一边,得到这个注册码:
Address: 01570058 is Not in a Loaded Module.
char[011]:"35411049761"
DWORD:31343533, WORD:3533, BYTE:33
CODE: xor esi, dword ptr [30313134]
8,填入用户名:xibeilang ,注册码:35411049761
确定,提示注册正确,功能也没有限制!这是为什么呢?难道Sirius这个字符长度不够?
到底算法是怎么样的?
哪个大虾帮忙分析一下注册码码算法啊!!!急等~~~~~~~~~~~!!!
※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
※※●●●●※※※※●※※※※※※※※※※※※※●※※※※※※※※※※※※※※※※※
※●※※※●※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
※●※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
※※●※※※※※●●●※※※※●●※●●※※●●●※※※●●※※●●※※※●●●●※
※※※●●※※※※※●※※※※※●●※※※※※※●※※※※●※※※●※※●※※※●※
※※※※※●※※※※●※※※※※●※※※※※※※●※※※※●※※※●※※※●●※※※
※※※※※●※※※※●※※※※※●※※※※※※※●※※※※●※※※●※※※※※●※※
※●※※※●※※※※●※※※※※●※※※※※※※●※※※※●※※※●※※●※※※●※
※●●●●※※※●●●●●※※●●●●※※※●●●●●※※※●●●●●※●●●●※※
※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
