Veterans can skip this one.
A simple crack of the time limit, plus an analysis of the registration-code algorithm. I have been lurking on Pediy (看雪) for more than two years; here is a practice example from over a year ago, PowerCmd version 2.2. Without further ado, let's get started. First, check for a packer: there is none, which makes things a lot simpler. My original plan was to set breakpoints on the time-computation functions, or on window messages. That seemed a bit complicated, so out of curiosity I looked at the registration-related strings instead, and indeed found these two: "unregistered, trial user!" and "not a valid serial number".
The rest is simple: use the string search to locate where they are referenced. I found the references at 004093E7 and 00428EAD.
004093D9 |> \8946 10 MOV DWORD PTR DS:[ESI+10],EAX
004093DC |. 6A 19 PUSH 19 ; /Arg2 = 00000019
004093DE |. 33C0 XOR EAX,EAX ; |
004093E0 |. C746 14 07000>MOV DWORD PTR DS:[ESI+14],7 ; |
004093E7 |. 68 746B6500 PUSH PowerCmd.00656B74 ; |unregistered, trial user!
004093EC |. 8BCE MOV ECX,ESI ; |
004093EE |. 66:8906 MOV WORD PTR DS:[ESI],AX ; |
004093F1 |. E8 3A90FFFF CALL PowerCmd.00402430 ; \PowerCmd.00402430
004093F6 |. 8BC6 MOV EAX,ESI
004093F8 |. 8BE5 MOV ESP,EBP
004093FA |. 5D POP EBP
004093FB \. C3 RETN
Then single-step upward from 004093E7 and see what happens:
004093A6 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004093A9 |. 3805 1C166D00 CMP BYTE PTR DS:[6D161C],AL
004093AF |. 74 28 JE SHORT PowerCmd.004093D9
Here a value is compared to set the flag that decides the jump; the jump is taken when ZF=1. At first I just NOPed this jump, and the one at 004093BD as well, producing a patched file, but that only changed the string in the About dialog; the "days remaining" in the top-left corner did not go away. A little disappointing! So I kept looking upward for useful information, this time starting from the string reference at 00428EAD, and found something valuable there:
00428E32 |. 50 PUSH EAX
00428E33 |. FFD2 CALL EDX
00428E35 |. 8D4C24 4C LEA ECX,DWORD PTR SS:[ESP+4C]
00428E39 |. C68424 880200>MOV BYTE PTR SS:[ESP+288],1
00428E41 E8 0AFFFDFF CALL PowerCmd.00408D50
00428E46 |. 8D5F 07 LEA EBX,DWORD PTR DS:[EDI+7]
00428E49 |. 3C 01 CMP AL,1
00428E4B |. 75 35 JNZ SHORT PowerCmd.00428E82
00428E4D |. 6A FF PUSH -1 ; /Arg3 = FFFFFFFF
00428E4F |. 57 PUSH EDI ; |Arg2
00428E50 |. 8D4424 70 LEA EAX,DWORD PTR SS:[ESP+70] ; |
00428E54 |. 50 PUSH EAX ; |Arg1
00428E55 |. B9 E0156D00 MOV ECX,PowerCmd.006D15E0 ; |
00428E5A |. E8 F19CFDFF CALL PowerCmd.00402B50 ; \PowerCmd.00402B50
00428E5F |. 6A FF PUSH -1 ; /Arg3 = FFFFFFFF
00428E61 |. 57 PUSH EDI ; |Arg2
00428E62 |. 8D4C24 54 LEA ECX,DWORD PTR SS:[ESP+54] ; |
00428E66 |. 51 PUSH ECX ; |Arg1
00428E67 |. B9 FC156D00 MOV ECX,PowerCmd.006D15FC ; |
00428E6C |. E8 DF9CFDFF CALL PowerCmd.00402B50 ; \PowerCmd.00402B50
00428E71 |. E8 4AE3FDFF CALL PowerCmd.004071C0
00428E76 |. 8BCE MOV ECX,ESI
00428E78 |. E8 037E0700 CALL PowerCmd.004A0C80
00428E7D |. E9 F1000000 JMP PowerCmd.00428F73
00428E82 |> 6A 0D PUSH 0D ; /Arg2 = 0000000D
00428E84 |. 33D2 XOR EDX,EDX ; |
00428E86 |. 68 70456600 PUSH PowerCmd.00664570 ; |serial number
00428E8B |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38] ; |
00428E8F |. 895C24 4C MOV DWORD PTR SS:[ESP+4C],EBX ; |
00428E93 |. 897C24 48 MOV DWORD PTR SS:[ESP+48],EDI ; |
00428E97 |. 66:895424 38 MOV WORD PTR SS:[ESP+38],DX ; |
00428E9C |. E8 8F95FDFF CALL PowerCmd.00402430 ; \PowerCmd.00402430
00428EA1 |. C68424 880200>MOV BYTE PTR SS:[ESP+288],2
00428EA9 |. 6A 1A PUSH 1A ; /Arg2 = 0000001A
00428EAB |. 33C0 XOR EAX,EAX ; |
00428EAD |. 68 8C456600 PUSH PowerCmd.0066458C ; |not a valid serial number!
00428EB2 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C] ; |
00428EB6 |. 895C24 30 MOV DWORD PTR SS:[ESP+30],EBX ; |
00428EBA |. 897C24 2C MOV DWORD PTR SS:[ESP+2C],EDI ; |
00428EBE |. 66:894424 1C MOV WORD PTR SS:[ESP+1C],AX ; |
00428EC3 |. E8 6895FDFF CALL PowerCmd.00402430 ; \PowerCmd.00402430
Going upward I saw "serial number", which is reached by the jump at 00428E4B.
Just before that there is a function call at 00428E41: 00428E41 E8 0AFFFDFF CALL PowerCmd.00408D50
00408D50 should be the algorithm: it is called here, and the very next instruction compares the result to decide whether to jump to the valid-number path. So I went straight to 00408D50, and sure enough, that is the algorithm:
00408D50 /$ 55 PUSH EBP
00408D51 |. 8BEC MOV EBP,ESP
00408D53 |. 6A FF PUSH -1
00408D55 |. 68 3BBE5E00 PUSH PowerCmd.005EBE3B
00408D5A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00408D60 |. 50 PUSH EAX
00408D61 |. 81EC A0000000 SUB ESP,0A0
00408D67 |. A1 E4906900 MOV EAX,DWORD PTR DS:[6990E4]
00408D6C |. 33C5 XOR EAX,EBP
00408D6E |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00408D71 |. 53 PUSH EBX
00408D72 |. 56 PUSH ESI
00408D73 |. 57 PUSH EDI
00408D74 |. 50 PUSH EAX
00408D75 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00408D78 |. 64:A3 0000000>MOV DWORD PTR FS:[0],EAX
00408D7E |. 8BF1 MOV ESI,ECX
00408D80 |. 837E 10 17 cmp dword ptr [esi+0x10], 0x17 ; serial length must be 23 characters
00408D84 |. C685 63FFFFFF>mov byte ptr [ebp-0x9D], 0x0
00408D8B |. 0F85 20050000 jnz 004092B1
00408D91 |. 6A 00 push 0x0 ; /Arg2 = 00000000
00408D93 |. 6A 2D push 0x2D ; |Arg1 = 0000002D
00408D95 |. E8 863E0400 call 0044CC20 ; \PowerCmd.0044CC20
00408D9A |. 6A 01 push 0x1 ; /Arg2 = 00000001
00408D9C |. 6A 2D push 0x2D ; |Arg1 = 0000002D
00408E79 |. 8D4D D4 lea ecx, dword ptr [ebp-0x2C] ; fake serial, segment 1, stack address=0018E978, (UNICODE "12345")
00408E7C |. E8 FF3C0400 call 0044CB80
00408E81 |. 8D4D 80 lea ecx, dword ptr [ebp-0x80] ; fake serial, segment 2, stack address=0018E924, (UNICODE "67890")
00408E84 |. E8 F73C0400 call 0044CB80
00408E89 |. 8D4D 9C lea ecx, dword ptr [ebp-0x64] ; fake serial, segment 3, stack address=0018E940, (UNICODE "ABCDE")
00408E8C |. E8 EF3C0400 call 0044CB80
00408E91 |. 8D4D B8 lea ecx, dword ptr [ebp-0x48] ; fake serial, segment 4, stack address=0018E95C, (UNICODE "FFFFF")
00408E94 |. E8 E73C0400 call 0044CB80
00408E99 |. 33C9 xor ecx, ecx
00408E9B |. 8D45 80 lea eax, dword ptr [ebp-0x80] ; fake serial, segment 2, stack address=0018E924, (UNICODE "67890")
00408E9E |. E8 8D410000 call 0040D030 ; the computation starts below
00408EA3 |. 0FB730 movzx esi, word ptr [eax] ; 36
00408EA6 |. 33C9 xor ecx, ecx
00408EA8 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00408EAB |. E8 80410000 call 0040D030
00408EB0 |. 0FB738 movzx edi, word ptr [eax]
00408EB3 |. 8D4B F0 lea ecx, dword ptr [ebx-0x10] ; 31
00408EB6 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00408EB9 |. 03FE add edi, esi ; 31+36
00408EBB |. E8 70410000 call 0040D030
00408EC0 |. 0FB730 movzx esi, word ptr [eax] ; 37
00408EC3 |. 8D4B F0 lea ecx, dword ptr [ebx-0x10]
00408EC6 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00408EC9 |. E8 62410000 call 0040D030
00408ECE |. 0FB718 movzx ebx, word ptr [eax] ; 32
00408ED1 |. B9 02000000 mov ecx, 0x2
00408ED6 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00408ED9 |. 03DE add ebx, esi ; 32+37
00408EDB |. E8 50410000 call 0040D030
00408EE0 |. 0FB730 movzx esi, word ptr [eax] ; 38
00408EE3 |. B9 02000000 mov ecx, 0x2
00408EE8 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00408EEB |. E8 40410000 call 0040D030
00408EF0 |. 0FB700 movzx eax, word ptr [eax] ; 33
00408EF3 |. 03C6 add eax, esi ; 33+38
00408EF5 |. 8985 54FFFFFF mov dword ptr [ebp-0xAC], eax
00408EFB |. B9 03000000 mov ecx, 0x3
00408F00 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00408F03 |. E8 28410000 call 0040D030
00408F08 |. 0FB730 movzx esi, word ptr [eax] ; 39
00408F0B |. B9 03000000 mov ecx, 0x3
00408F10 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00408F13 |. E8 18410000 call 0040D030
00408F18 |. 0FB700 movzx eax, word ptr [eax] ; 34
00408F1B |. 03C6 add eax, esi ; 34+39
00408F1D |. 8985 58FFFFFF mov dword ptr [ebp-0xA8], eax
00408F23 |. B9 04000000 mov ecx, 0x4
00408F28 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00408F2B |. E8 00410000 call 0040D030
00408F30 |. 0FB710 movzx edx, word ptr [eax] ; 30
00408F33 |. B9 04000000 mov ecx, 0x4
00408F38 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00408F3B |. 8995 5CFFFFFF mov dword ptr [ebp-0xA4], edx
00408F41 |. E8 EA400000 call 0040D030
00408F46 |. 0FB730 movzx esi, word ptr [eax] ; 35
00408F49 |. 03B5 5CFFFFFF add esi, dword ptr [ebp-0xA4] ; 30+35
00408F4F |. 33C9 xor ecx, ecx
00408F51 |. 03B5 58FFFFFF add esi, dword ptr [ebp-0xA8] ; 6D+65
00408F57 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00408F5A |. 03B5 54FFFFFF add esi, dword ptr [ebp-0xAC] ; 6B+D2
00408F60 |. 03F3 add esi, ebx ; 69+13D
00408F62 |. 03F7 add esi, edi ; 67+1A6=20D
00408F64 |. E8 C7400000 call 0040D030
00408F69 |. 0FB718 movzx ebx, word ptr [eax] ; FFFF 46
00408F6C |. 33C9 xor ecx, ecx
00408F6E |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00408F71 |. E8 BA400000 call 0040D030
00408F76 |. 0FB738 movzx edi, word ptr [eax] ; ABCDE 41
00408F79 |. B9 01000000 mov ecx, 0x1
00408F7E |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00408F81 |. 03FB add edi, ebx
00408F83 |. E8 A8400000 call 0040D030
00408F88 |. 0FB700 movzx eax, word ptr [eax]
00408F8B |. 8985 5CFFFFFF mov dword ptr [ebp-0xA4], eax
00408F91 |. B9 01000000 mov ecx, 0x1
00408F96 |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00408F99 |. E8 92400000 call 0040D030
00408F9E |. 0FB718 movzx ebx, word ptr [eax]
00408FA1 |. 039D 5CFFFFFF add ebx, dword ptr [ebp-0xA4]
00408FA7 |. B9 02000000 mov ecx, 0x2
00408FAC |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00408FAF |. E8 7C400000 call 0040D030
00408FB4 |. 0FB708 movzx ecx, word ptr [eax]
00408FB7 |. 898D 5CFFFFFF mov dword ptr [ebp-0xA4], ecx
00408FBD |. B9 02000000 mov ecx, 0x2
00408FC2 |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00408FC5 |. E8 66400000 call 0040D030
00408FCA |. 0FB700 movzx eax, word ptr [eax]
00408FCD |. 0385 5CFFFFFF add eax, dword ptr [ebp-0xA4]
00408FD3 |. B9 03000000 mov ecx, 0x3
00408FD8 |. 8985 54FFFFFF mov dword ptr [ebp-0xAC], eax
00408FDE |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00408FE1 |. E8 4A400000 call 0040D030
00408FE6 |. 0FB710 movzx edx, word ptr [eax]
00408FE9 |. B9 03000000 mov ecx, 0x3
00408FEE |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00408FF1 |. 8995 5CFFFFFF mov dword ptr [ebp-0xA4], edx
00408FF7 |. E8 34400000 call 0040D030
00408FFC |. 0FB700 movzx eax, word ptr [eax]
00408FFF |. 0385 5CFFFFFF add eax, dword ptr [ebp-0xA4]
00409005 |. B9 04000000 mov ecx, 0x4
0040900A |. 8985 58FFFFFF mov dword ptr [ebp-0xA8], eax
00409010 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00409013 |. E8 18400000 call 0040D030
00409018 |. 0FB700 movzx eax, word ptr [eax]
0040901B |. 8985 5CFFFFFF mov dword ptr [ebp-0xA4], eax
00409021 |. B9 04000000 mov ecx, 0x4
00409026 |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00409029 |. E8 02400000 call 0040D030
0040902E |. 0FB708 movzx ecx, word ptr [eax]
00409031 |. 038D 5CFFFFFF add ecx, dword ptr [ebp-0xA4]
00409037 |. 038D 58FFFFFF add ecx, dword ptr [ebp-0xA8]
0040903D |. 038D 54FFFFFF add ecx, dword ptr [ebp-0xAC]
00409043 |. 03CB add ecx, ebx
00409045 |. 03CF add ecx, edi
00409047 |. 3BF1 cmp esi, ecx
00409049 |. 75 07 jnz short 00409052
0040904B |. C685 63FFFFFF>mov byte ptr [ebp-0x9D], 0x1
00409052 |> 33C9 xor ecx, ecx
00409054 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00409057 |. E8 D43F0000 call 0040D030
0040905C |. 66:8338 50 cmp word ptr [eax], 0x50 ; ASCII 'P'
00409060 |. 75 13 jnz short 00409075
00409062 |. B9 01000000 mov ecx, 0x1
00409067 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
0040906A |. E8 C13F0000 call 0040D030
0040906F |. 66:8338 43 cmp word ptr [eax], 0x43 ; ASCII 'C'
00409073 |. 74 07 je short 0040907C
00409075 |> C685 63FFFFFF>mov byte ptr [ebp-0x9D], 0x0
0040907C |> 33C9 xor ecx, ecx
0040907E |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00409081 |. E8 AA3F0000 call 0040D030
00409086 |. 0FB730 movzx esi, word ptr [eax] ; ABCDE
00409089 |. 33C9 xor ecx, ecx
0040908B |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
0040908E |. E8 9D3F0000 call 0040D030
00409093 |. 0FB738 movzx edi, word ptr [eax] ; PC345
00409096 |. B9 01000000 mov ecx, 0x1
0040909B |. 8D45 9C lea eax, dword ptr [ebp-0x64]
0040909E |. 03FE add edi, esi
004090A0 |. E8 8B3F0000 call 0040D030
004090A5 |. 0FB730 movzx esi, word ptr [eax]
004090A8 |. B9 01000000 mov ecx, 0x1
004090AD |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
004090B0 |. E8 7B3F0000 call 0040D030
004090B5 |. 0FB718 movzx ebx, word ptr [eax]
004090B8 |. B9 02000000 mov ecx, 0x2
004090BD |. 8D45 9C lea eax, dword ptr [ebp-0x64]
004090C0 |. 03DE add ebx, esi
004090C2 |. E8 693F0000 call 0040D030
004090C7 |. 0FB730 movzx esi, word ptr [eax]
004090CA |. B9 02000000 mov ecx, 0x2
004090CF |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
004090D2 |. E8 593F0000 call 0040D030
004090D7 |. 0FB700 movzx eax, word ptr [eax]
004090DA |. 03C6 add eax, esi
004090DC |. 8985 54FFFFFF mov dword ptr [ebp-0xAC], eax
004090E2 |. B9 03000000 mov ecx, 0x3
004090E7 |. 8D45 9C lea eax, dword ptr [ebp-0x64]
004090EA |. E8 413F0000 call 0040D030
004090EF |. 0FB730 movzx esi, word ptr [eax]
004090F2 |. B9 03000000 mov ecx, 0x3
004090F7 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
004090FA |. E8 313F0000 call 0040D030
004090FF |. 0FB700 movzx eax, word ptr [eax]
00409102 |. 03C6 add eax, esi
00409104 |. 8985 58FFFFFF mov dword ptr [ebp-0xA8], eax
0040910A |. B9 04000000 mov ecx, 0x4
0040910F |. 8D45 9C lea eax, dword ptr [ebp-0x64]
00409112 |. E8 193F0000 call 0040D030
00409117 |. 0FB710 movzx edx, word ptr [eax]
0040911A |. B9 04000000 mov ecx, 0x4
0040911F |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00409122 |. 8995 5CFFFFFF mov dword ptr [ebp-0xA4], edx
00409128 |. E8 033F0000 call 0040D030
0040912D |. 0FB730 movzx esi, word ptr [eax]
00409130 |. 03B5 5CFFFFFF add esi, dword ptr [ebp-0xA4]
00409136 |. 33C9 xor ecx, ecx
00409138 |. 03B5 58FFFFFF add esi, dword ptr [ebp-0xA8]
0040913E |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00409141 |. 03B5 54FFFFFF add esi, dword ptr [ebp-0xAC]
00409147 |. 03F3 add esi, ebx
00409149 |. 03F7 add esi, edi
0040914B |. E8 E03E0000 call 0040D030
00409150 |. 0FB718 movzx ebx, word ptr [eax]
00409153 |. 33C9 xor ecx, ecx
00409155 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00409158 |. E8 D33E0000 call 0040D030
0040915D |. 0FB738 movzx edi, word ptr [eax]
00409160 |. B9 01000000 mov ecx, 0x1
00409165 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00409168 |. 03FB add edi, ebx
0040916A |. E8 C13E0000 call 0040D030
0040916F |. 0FB700 movzx eax, word ptr [eax]
00409172 |. 8985 5CFFFFFF mov dword ptr [ebp-0xA4], eax
00409178 |. B9 01000000 mov ecx, 0x1
0040917D |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00409180 |. E8 AB3E0000 call 0040D030
00409185 |. 0FB718 movzx ebx, word ptr [eax]
00409188 |. 039D 5CFFFFFF add ebx, dword ptr [ebp-0xA4]
0040918E |. B9 02000000 mov ecx, 0x2
00409193 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
00409196 |. E8 953E0000 call 0040D030
0040919B |. 0FB708 movzx ecx, word ptr [eax]
0040919E |. 898D 5CFFFFFF mov dword ptr [ebp-0xA4], ecx
004091A4 |. B9 02000000 mov ecx, 0x2
004091A9 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
004091AC |. E8 7F3E0000 call 0040D030
004091B1 |. 0FB700 movzx eax, word ptr [eax]
004091B4 |. 0385 5CFFFFFF add eax, dword ptr [ebp-0xA4]
004091BA |. 8985 54FFFFFF mov dword ptr [ebp-0xAC], eax
004091C0 |. B9 03000000 mov ecx, 0x3
004091C5 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
004091C8 |. E8 633E0000 call 0040D030
004091CD |. 0FB710 movzx edx, word ptr [eax]
004091D0 |. B9 03000000 mov ecx, 0x3
004091D5 |. 8D45 80 lea eax, dword ptr [ebp-0x80]
004091D8 |. 8995 5CFFFFFF mov dword ptr [ebp-0xA4], edx
004091DE |. E8 4D3E0000 call 0040D030
004091E3 |. 0FB700 movzx eax, word ptr [eax]
004091E6 |. 0385 5CFFFFFF add eax, dword ptr [ebp-0xA4]
004091EC |. B9 04000000 mov ecx, 0x4
004091F1 |. 8985 58FFFFFF mov dword ptr [ebp-0xA8], eax
004091F7 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
004091FA |. E8 313E0000 call 0040D030
004091FF |. 0FB700 movzx eax, word ptr [eax]
00409202 |. 8985 5CFFFFFF mov dword ptr [ebp-0xA4], eax
00409208 |. B9 04000000 mov ecx, 0x4
0040920D |. 8D45 80 lea eax, dword ptr [ebp-0x80]
00409210 |. E8 1B3E0000 call 0040D030
00409215 |. 0FB708 movzx ecx, word ptr [eax]
00409218 |. 038D 5CFFFFFF add ecx, dword ptr [ebp-0xA4]
0040921E |. 038D 58FFFFFF add ecx, dword ptr [ebp-0xA8]
00409224 |. 038D 54FFFFFF add ecx, dword ptr [ebp-0xAC]
0040922A |. 03CB add ecx, ebx
0040922C |. 03CF add ecx, edi
0040922E |. 3BF1 cmp esi, ecx
00409230 |. 7D 07 jge short 00409239
00409232 |. C685 63FFFFFF>mov byte ptr [ebp-0x9D], 0x0
00409239 |> B9 02000000 mov ecx, 0x2
0040923E |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00409241 |. E8 EA3D0000 call 0040D030
00409246 |. 66:8338 4D cmp word ptr [eax], 0x4D ; ASCII 'M' // string comparison
0040924A |. 75 26 jnz short 00409272
0040924C |. B9 03000000 mov ecx, 0x3
00409251 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00409254 |. E8 D73D0000 call 0040D030
00409259 |. 66:8338 44 cmp word ptr [eax], 0x44 ; ASCII 'D'
0040925D |. 75 13 jnz short 00409272
0040925F |. B9 04000000 mov ecx, 0x4
00409264 |. 8D45 D4 lea eax, dword ptr [ebp-0x2C]
00409267 |. E8 C43D0000 call 0040D030
0040926C |. 66:8338 41 cmp word ptr [eax], 0x41 ; ASCII 'A'
00409270 |. 74 07 je short 00409279
00409272 |> C685 63FFFFFF>mov byte ptr [ebp-0x9D], 0x0
00409279 |> 8D4D B8 lea ecx, dword ptr [ebp-0x48]
0040927C |. E8 EFC40E00 call 004F5770
00409281 |. 8D4D 9C lea ecx, dword ptr [ebp-0x64]
00409284 |. E8 E7C40E00 call 004F5770
00409289 |. 8D4D 80 lea ecx, dword ptr [ebp-0x80]
0040928C |. E8 DFC40E00 call 004F5770
00409291 |. 8D4D D4 lea ecx, dword ptr [ebp-0x2C]
00409294 |. E8 D7C40E00 call 004F5770
00409299 |> 83BD 78FFFFFF>cmp dword ptr [ebp-0x88], 0x8
004092A0 |. 72 0F jb short 004092B1
004092A2 |. 8B95 64FFFFFF mov edx, dword ptr [ebp-0x9C]
004092A8 |. 52 push edx
004092A9 |. E8 D37B0300 call 00440E81
004092AE |. 83C4 04 add esp, 0x4
004092B1 |> 8A85 63FFFFFF mov al, byte ptr [ebp-0x9D]
004092B7 |. A2 1C166D00 mov byte ptr [0x6D161C], al
004092BC |. 8B4D F4 mov ecx, dword ptr [ebp-0xC]
004092BF |. 64:890D 00000>mov dword ptr fs:[0], ecx
004092C6 |. 59 pop ecx
004092C7 |. 5F pop edi
004092C8 |. 5E pop esi
004092C9 |. 5B pop ebx
004092CA |. 8B4D F0 mov ecx, dword ptr [ebp-0x10]
004092CD |. 33CD xor ecx, ebp
004092CF |. E8 9E7B0300 call 00440E72
004092D4 |. 8BE5 mov esp, ebp
004092D6 |. 5D pop ebp
004092D7 \. C3 retn
If any of the comments above are wrong, please correct them, thanks!
The first few lines of the algorithm are:
00408D50 /$ 55 PUSH EBP
00408D51 |. 8BEC MOV EBP,ESP
00408D53 |. 6A FF PUSH -1
00408D55 |. 68 3BBE5E00 PUSH PowerCmd.005EBE3B
00408D5A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00408D60 |. 50 PUSH EAX
00408D61 |. 81EC A0000000 SUB ESP,0A0
00408D67 |. A1 E4906900 MOV EAX,DWORD PTR DS:[6990E4]
00408D6C |. 33C5 XOR EAX,EBP
00408D6E |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00408D71 |. 53 PUSH EBX
00408D72 |. 56 PUSH ESI
00408D73 |. 57 PUSH EDI
00408D74 |. 50 PUSH EAX
00408D75 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00408D78 |. 64:A3 0000000>MOV DWORD PTR FS:[0],EAX
00408D7E |. 8BF1 MOV ESI,ECX
Clicking the line at 00408D50 shows a hint listing the local callers:
本地调用来自 00406B31, 00428E41
Then jump to those two addresses, NOP the calls out, and save the changes to the executable to produce the patched file. Double-click to open it and it shows as registered, with no time limit. Crack complete!
Described in words, the algorithm is:
The first group of characters must be PCMDA
Sum of the character hex values of groups 1 and 2 = sum of the character hex values of groups 3 and 4
Sum of the character hex values of groups 1 and 3 = sum of the character hex values of groups 2 and 4
After that, the keygen is a piece of cake.
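To make the three rules above concrete, here is the check routine at 00408D50 rewritten as plain C, an added reconstruction rather than the author's code or anything shipped with PowerCmd. It assumes the 23-character serial has the layout XXXXX-XXXXX-XXXXX-XXXXX with '-' (0x2D, the value pushed at 00408D93) at fixed positions; the listing only shows the '-' being searched, not where it must sit. One detail worth noticing from the listing: the second sum check at 0040922E uses jge, so the routine only requires groups 1+3 to be greater than or equal to groups 2+4, and the author's equality is one way to satisfy it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 23   /* 00408D80: cmp dword ptr [esi+0x10], 0x17 */
#define GROUP_LEN 5

/* Sum of the five character codes of one group: the movzx/add chain
   that walks indices 0..4 through 0040D030 in the listing. */
static int group_sum(const char *g)
{
    int s = 0;
    for (int i = 0; i < GROUP_LEN; i++)
        s += (unsigned char)g[i];
    return s;
}

bool powercmd_serial_ok(const char *serial)
{
    if (serial == NULL || strlen(serial) != SERIAL_LEN)
        return false;
    /* assumed layout: XXXXX-XXXXX-XXXXX-XXXXX */
    if (serial[5] != '-' || serial[11] != '-' || serial[17] != '-')
        return false;
    const char *g1 = serial, *g2 = serial + 6, *g3 = serial + 12, *g4 = serial + 18;
    int s1 = group_sum(g1), s2 = group_sum(g2), s3 = group_sum(g3), s4 = group_sum(g4);

    /* 00409047: flag = 1 only if (g1 + g2) == (g3 + g4) */
    bool ok = (s1 + s2) == (s3 + s4);
    /* 0040905C / 0040906F: g1[0] == 'P', g1[1] == 'C', else flag = 0 */
    if (g1[0] != 'P' || g1[1] != 'C')
        ok = false;
    /* 0040922E: cmp (g1 + g3), (g2 + g4); jge keeps the flag, so >= suffices */
    if ((s1 + s3) < (s2 + s4))
        ok = false;
    /* 00409246 / 00409259 / 0040926C: g1[2..4] == 'M', 'D', 'A', else flag = 0 */
    if (g1[2] != 'M' || g1[3] != 'D' || g1[4] != 'A')
        ok = false;
    return ok;
}

int main(void)
{
    /* constructed sample serials; the second one is the fake code from the trace */
    const char *samples[] = { "PCMDA-ADMCP-CAMPD-MDAPC", "12345-67890-ABCDE-FFFFF",
                              "PCMDA-AAAAA-BBBBB-CCCCC", "PCMDA-BBBBB-HHHHH-AAAAC" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i], powercmd_serial_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The last sample satisfies the jge check without the two sums being equal, which is the gap between the listing and the prose description.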