Title: A newbie cracks Iparmor 5.38.06
Software source: CD-ROM bundled with the 2002 bound volume of 电脑报
Purpose of the crack: Unfortunately I could not find the registration code, so I had to resort to this method. :(
Difficulty: Easy
Author level: Newbie
Tools: W32Dasm, TRW, UltraEdit
Introduction: Today, while studying 看雪精华3, I saw an expert's method for cracking IPARMOR 3.51. This software's protection is rather interesting: after you enter the registration code it does not compare it immediately; instead it first saves the code in the registry, and on the next startup it reads it back and compares it. I set a breakpoint with bpx regqueryvalueexa and it did catch, but after you have laboriously pressed F12 about 27 times you find that the program has inexplicably started up. That breakpoint simply cannot be used. So I had to disassemble with W32DASM and look at the string references, where I found "Successful registration". Then I searched upward and upward; we need a place where a breakpoint can be set, and I found one on the instruction just before a jump at the start of the registry-handling code. The address I found on my machine is 563222. Set the breakpoint, F5, launch IPARMOR, and it catches.
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\AngelSoft\iparmor" // registry key handling starts here
|
:00563207 BA103D5600 mov edx, 00563D10
:0056320C 8BC6 mov eax, esi
:0056320E E8096CF0FF call 00469E1C
:00563213 8D4DFC lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"pass"
|
:00563216 BA3C3D5600 mov edx, 00563D3C
:0056321B 8BC6 mov eax, esi
:0056321D E8DE72F0FF call 0046A500
:00563222 66817DF60408 cmp word ptr [ebp-0A], 0804
^^^^^^^^^^^^
:00563228 0F8565060000 jne 00563893 // change this jne to je: opcode byte 85 -> 84
:0056322E C605C998580001 mov byte ptr [005898C9], 01
:00563235 A1C4985800 mov eax, dword ptr [005898C4]
:0056323A 8B80D4020000 mov eax, dword ptr [eax+000002D4]
====================================
.
. (many lines omitted)
.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563228(C)
|
* Possible StringData Ref from Code Obj ->"Register name:"
|
:00563893 BA283F5600 mov edx, 00563F28 // the first jne lands here
:00563898 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
.
. (more than 1200 lines omitted)
.
====================================
.
* Reference To: getres.GetHDSerial, Ord:0000h
|
:00563984 E823F7FFFF Call 005630AC
:00563989 8D95B0FEFFFF lea edx, dword ptr [ebp+FFFFFEB0]
:0056398F E8D06BEAFF call 0040A564
:00563994 8B8DB0FEFFFF mov ecx, dword ptr [ebp+FFFFFEB0]
* Possible StringData Ref from Code Obj ->"name536"
|
:0056399A BA083F5600 mov edx, 00563F08
:0056399F 8BC6 mov eax, esi
:005639A1 E8266BF0FF call 0046A4CC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563982(C)
|
:005639A6 8D55F0 lea edx, dword ptr [ebp-10]
:005639A9 8B45FC mov eax, dword ptr [ebp-04]
:005639AC E803F7FFFF call 005630B4
:005639B1 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:005639B7 8B8024020000 mov eax, dword ptr [eax+00000224]
:005639BD 05EA040000 add eax, 000004EA
:005639C2 99 cdq // cdq / xor / sub is the compiler's abs():
:005639C3 33C2 xor eax, edx // edx = sign mask of eax,
:005639C5 2BC2 sub eax, edx // (eax ^ edx) - edx = |eax|
:005639C7 8D95A8FEFFFF lea edx, dword ptr [ebp+FFFFFEA8]
:005639CD E8926BEAFF call 0040A564
:005639D2 8B85A8FEFFFF mov eax, dword ptr [ebp+FFFFFEA8]
:005639D8 8D95ACFEFFFF lea edx, dword ptr [ebp+FFFFFEAC]
:005639DE E8D1F6FFFF call 005630B4
:005639E3 8B95ACFEFFFF mov edx, dword ptr [ebp+FFFFFEAC]
:005639E9 8B45F0 mov eax, dword ptr [ebp-10]
:005639EC E85B12EAFF call 00404C4C // eax = [ebp-10], edx = the value derived above; the jne below branches on ZF as left by this call
:005639F1 0F85E8000000 jne 00563ADF // change this jne to je: opcode byte 85 -> 84
:005639F7 8D45EC lea eax, dword ptr [ebp-14]
==========================
* Possible StringData Ref from Code Obj ->"Successful registration" // this is not reached, so why does the program window still display "Successful registration"? I do not know how the later code gets here; I looked at the code that follows and saw no instruction jumping here. :(
|
:00563AC3 BA983F5600 mov edx, 00563F98
:00563AC8 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00563ACE E8119FEDFF call 0043D9E4
:00563AD3 8BC6 mov eax, esi
:00563AD5 E82EFFE9FF call 00403A08
:00563ADA E9BF010000 jmp 00563C9E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005639F1(C) // the second jne above lands here
|
:00563ADF 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"deta"
|
:00563AE2 BAB83F5600 mov edx, 00563FB8
:00563AE7 8BC6 mov eax, esi
:00563AE9 E8126AF0FF call 0046A500
:00563AEE 837DF800 cmp dword ptr [ebp-08], 00000000
:00563AF2 750D jne 00563B01
:00563AF4 8D45F8 lea eax, dword ptr [ebp-08]
:00563AF7 BAC83F5600 mov edx, 00563FC8
:00563AFC E82B0EEAFF call 0040492C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563AF2(C)
|
:00563B01 8B45F8 mov eax, dword ptr [ebp-08]
:00563B04 E85F6BEAFF call 0040A668
:00563B09 85C0 test eax, eax
:00563B0B 0F8E18010000 jle 00563C29
:00563B11 803DC998580000 cmp byte ptr [005898C9], 00
:00563B18 743C je 00563B56
:00563B1A 8D959CFEFFFF lea edx, dword ptr [ebp+FFFFFE9C]
.
. (lines omitted)
.
:00563B54 EB3A jmp 00563B90
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00563B18(C)
|
:00563B56 8D9594FEFFFF lea edx, dword ptr [ebp+FFFFFE94]
:00563B5C 8B07 mov eax, dword ptr [edi]
:00563B5E E8419EEDFF call 0043D9A4
:00563B63 FFB594FEFFFF push dword ptr [ebp+FFFFFE94]
:00563B69 68D43F5600 push 00563FD4
* Possible StringData Ref from Code Obj ->"Unregistered !" // the unregistered prompt, but it has already been bypassed above
|
:00563B6E 68F03F5600 push 00563FF0
:00563B73 8D8598FEFFFF lea eax, dword ptr [ebp+FFFFFE98]
:00563B79 BA03000000 mov edx, 00000003
:00563B7E E87910EAFF call 00404BFC
:00563B83 8B9598FEFFFF mov edx, dword ptr [ebp+FFFFFE98]
:00563B89 8B07 mov eax, dword ptr [edi]
:00563B8B E8549EEDFF call 0043D9E4
==========================
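The post patches the two jne instructions by hand in UltraEdit. The script below is an added example, not the author's work and not part of the original post: it maps each virtual address shown by W32Dasm to a file offset through the PE section table (so the image base is read from the header rather than assumed), checks that the expected `0F 85` bytes are actually there before writing `0F 84`, and refuses to run on a file that is already patched or is a different build. It handles PE32 only. The script name `patch_iparmor.py` is hypothetical, and `build_sample_pe()` builds a constructed stand-in binary with the two jne encodings from the listing at the write-up's addresses, so the script can be exercised offline; it is not the real Iparmor executable.

```python
import struct
import sys

# Patch sites named in the write-up: (virtual address, bytes expected there, replacement).
# Both are near jne (0F 85 rel32) turned into je (0F 84 rel32); only the second opcode byte changes.
PATCHES = [
    (0x00563228, b"\x0f\x85", b"\x0f\x84"),  # jne 00563893 after cmp word ptr [ebp-0A], 0804
    (0x005639F1, b"\x0f\x85", b"\x0f\x84"),  # jne 00563ADF after the call at 00404C4C
]


def parse_pe32(pe: bytes):
    """Return (image_base, sections) for a PE32 file; each section is
    (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (PE32+ stores ImageBase elsewhere)")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(pe: bytes, va: int) -> int:
    """Map a virtual address (as W32Dasm prints it) to a file offset via the section table."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                raise ValueError(f"VA {va:#x} is not backed by file data")
            return rptr + delta
    raise ValueError(f"VA {va:#x} lies outside every section")


def patch_status(pe: bytes, patches=PATCHES):
    """Per site: 'original', 'patched', or 'unknown' (different build or wrong address)."""
    result = []
    for va, expect, new in patches:
        off = va_to_offset(pe, va)
        cur = pe[off:off + len(expect)]
        result.append("original" if cur == expect else "patched" if cur == new else "unknown")
    return result


def apply_patches(pe: bytes, patches=PATCHES) -> bytes:
    """Rewrite every site, but only if all of them are still in their original state."""
    status = patch_status(pe, patches)
    if any(s != "original" for s in status):
        raise ValueError(f"refusing to patch, site states are {status}")
    buf = bytearray(pe)
    for va, expect, new in patches:
        off = va_to_offset(pe, va)
        buf[off:off + len(new)] = new
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed stand-in (NOT Iparmor): a minimal PE32 whose single section maps
    RVA 0x163000 (image base 0x400000) at file offset 0x400 and carries the two jne
    encodings from the listing at the write-up's addresses."""
    image_base, sec_rva, raw_ptr, raw_size = 0x400000, 0x163000, 0x400, 0x1000
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".text", raw_size, sec_rva, raw_size, raw_ptr)
    body = bytearray(raw_size)
    for va, code in ((0x00563228, b"\x0f\x85\x65\x06\x00\x00"),
                     (0x005639F1, b"\x0f\x85\xe8\x00\x00\x00")):
        off = va - image_base - sec_rva
        body[off:off + len(code)] = code
    return bytes(hdr + body)


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # python patch_iparmor.py in.exe out.exe
        data = open(sys.argv[1], "rb").read()
        open(sys.argv[2], "wb").write(apply_patches(data))
    else:                                       # no file given: run on the constructed sample
        sample = build_sample_pe()
        print(patch_status(sample), "->", patch_status(apply_patches(sample)))
```

Checking the bytes before writing matters more than the write itself: if the binary is a different build the virtual addresses from the listing point at unrelated code, and a blind `85 -> 84` at those offsets would corrupt it instead of patching it.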
Summary: If the usual breakpoints, such as on the registry query functions, do not work, you have to find another way. Here the breakpoint was found by reading the disassembly upward from the "Successful registration" string reference.
I did not find the registration code the way ly2001 described in 看雪精华3, because in this version there is no place at all where the registration code is compared. Or maybe I missed it?? I hope the experts will advise. So I had no choice but to patch it; although I do not like patching, who told it to be so stubborn? :( @^@.
Stranger still, after I patched this software it turned into the English version by itself?! Very odd! After modifying the two places above, you can find HKEY_CURRENT_USER\Software\AngelSoft\iparmor in the registry and change NAME, PASS, etc. to anything you like; it always says registration succeeded.
If there are mistakes, please contact me.
QDUWG
qduwg@163.com
25 December 2005, Merry Christmas