I've only been learning cracking for a few days, so please don't laugh at me. Experts can skip this clumsy little write-up. Back to the point. My cracking process went like this:
1. I checked with PEiD; it turned out to be packed with ASPack 2.12. We unpack it first and get the unpacked file, UNPACKED.
2. Open W32DASM and load UNPACKED. We try registering with an arbitrary name and an arbitrary code; nothing happens.
3. Since this is a small program, we open the String Data References. I've found that for small programs like this, the registration-success message is usually in the lower half of the string reference window. Looking down, we find "试用期已过" (trial period expired); double-click it and we land at the place shown below:
:00402444 8B55D0 mov edx, dword ptr [ebp-30]
:00402447 64891500000000 mov dword ptr fs:[00000000], edx
:0040244E E9A7000000 jmp 004024FA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402440(C)
|
:00402453 66C745E00800 mov [ebp-20], 0008
* Possible StringData Ref from Data Obj ->"X桌面 -试用期已过"
|
:00402459 BA1CD24B00 mov edx, 004BD21C ####### landed here
:0040245E 8D45FC lea eax, dword ptr [ebp-04]
:00402461 E83E690A00 call 004A8DA4
4. Looking upward, there is nothing of the usual kind that needs modifying; intuition says this isn't the place I'm after.
5. Back to the string references, looking further down, we find "注册成功,按确定关闭,然后重新运行程序。" (registration succeeded; press OK to close, then restart the program). This should be the place we're looking for. Looking upward, we come to the place shown below:
:00402E36 66C745E40800 mov [ebp-1C], 0008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E19(C)
|
:00402E3C 807DC700 cmp byte ptr [ebp-39], 00
:00402E40 7420 je 00402E62 #### key jump: taken if equal; just patch it, no questions asked!
:00402E42 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"注册信息"
|
:00402E44 B989D24B00 mov ecx, 004BD289
* Possible StringData Ref from Data Obj ->"注册成功,按确定关闭,然后重新运行程序。"
|
:00402E49 BA60D24B00 mov edx, 004BD260
:00402E4E A19C784C00 mov eax, dword ptr [004C789C]
:00402E53 8B00 mov eax, dword ptr [eax]
:00402E55 E8965E0A00 call 004A8CF0
:00402E5A 8B45D0 mov eax, dword ptr [ebp-30]
:00402E5D E892CA0600 call 0046F8F4
6. Open UltraEdit, go to file offset 00002E40h, change 74 to 75, and test-run the program: it shows the registration-success message. Restart the program; the crack works. I didn't expect it to be this simple!
7. Test-running the program, the 15-day trial prompt is gone, but the functionality is still restricted in places: the add-desktop feature doesn't work. Reopen W32DASM and look at the string references; the message "桌面-未注册版" (desktop - unregistered version) looks suspicious. Double-click it to reach the following code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B03(C)
|
:00401B25 59 pop ecx
:00401B26 8945FC mov dword ptr [ebp-04], eax
:00401B29 85C0 test eax, eax
:00401B2B 741E je 00401B4B %%%% this should be the place we need to modify
:00401B2D 66C745DC1400 mov [ebp-24], 0014
* Possible StringData Ref from Data Obj ->"X桌 - 未注册版"
|
:00401B33 BAB0D14B00 mov edx, 004BD1B0 %%%% double-click lands here
:00401B38 8B45FC mov eax, dword ptr [ebp-04]
:00401B3B E864720A00 call 004A8DA4
:00401B40 66C745DC0800 mov [ebp-24], 0008
:00401B46 8B55FC mov edx, dword ptr [ebp-04]
:00401B49 EB03 jmp 00401B4E
8. Looking upward, change je 00401B4B to JNE (74 to 75) and run the program: still not working.
9. Looking downward, find the "X桌面" prompt string, then look upward to reach:
:00401DAF 59 pop ecx
:00401DB0 84C0 test al, al
:00401DB2 750F jne 00401DC3 \\\\\ key jump
:00401DB4 8B4508 mov eax, dword ptr [ebp+08]
:00401DB7 C780500300000A000000 mov dword ptr [ebx+00000350], 0000000A
:00401DC1 EB37 jmp 00401DFA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DB2(C)
|
:00401DC3 66C745D80800 mov [ebp-28], 0008
* Possible StringData Ref from Data Obj ->"X桌面"
|
:00401DC9 BACED14B00 mov edx, 004BD1CE
:00401DCE 8D45FC lea eax, dword ptr [ebp-04]
:00401DD1 E8CE6F0A00 call 004A8DA4
:00401DD6 FF45E4 inc [ebp-1C]
:00401DD9 8D55FC lea edx, dword ptr [ebp-04]
:00401DDC 8B4D08 mov ecx, dword ptr [ebp+08]
:00401DDF 8B8158030000 mov eax, dword ptr [ecx+00000358]
:00401DE5 E84A710A00 call 004A8F34
:00401DEA FF4DE4 dec [ebp-1C]
:00401DED 8D45FC lea eax, dword ptr [ebp-04]
:00401DF0 BA02000000 mov edx, 00000002
:00401DF5 E80A710A00 call 004A8F04
10. Looking at this line, :00401DB2 750F jne 00401DC3, change 75 to 74 and test-run the program: the functionality is no longer restricted. Cracked.
11. A few thoughts: cracks like mine depend heavily on luck, but for only a few days of learning I'm satisfied. I'll work harder from now on, try to write some better articles, and learn more from the masters!
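As an added example (not code from the original post), here is a small Python model of the three one-byte je/jne patches described in the steps above, together with the kind of self-check a program could use to notice them. It assumes the post's mapping of virtual address 00402E40 to file offset 2E40h (offset = VA - 400000h) also holds for the other two jumps, and the image buffer is constructed rather than the real binary.

```python
# Added example, not from the original post: model the one-byte je/jne
# patches the post describes and a self-check that would notice them.
# Assumption: offset = VA - 0x400000, as the post's 00402E40 -> 2E40h implies.
import hashlib

JE_SHORT, JNE_SHORT = 0x74, 0x75   # x86 short conditional-jump opcodes
IMAGE_BASE = 0x400000

def va_to_offset(va: int) -> int:
    """Map a virtual address to a file offset (assumed mapping, see above)."""
    return va - IMAGE_BASE

# The three jumps the post patches: (virtual address, original opcode).
LICENSE_JUMPS = [
    (0x00402E40, JE_SHORT),   # registration-succeeded branch
    (0x00401B2B, JE_SHORT),   # "unregistered version" title branch
    (0x00401DB2, JNE_SHORT),  # desktop-count limit branch
]

def build_constructed_image(size: int = 0x3000) -> bytearray:
    """Constructed stand-in for the unpacked binary: NOP filler with the jumps placed."""
    img = bytearray(b"\x90" * size)
    for va, opcode in LICENSE_JUMPS:
        img[va_to_offset(va)] = opcode
    return img

def invert_jump(img: bytearray, va: int) -> None:
    """The patch from the post: je <-> jne by toggling the opcode's low bit."""
    off = va_to_offset(va)
    if img[off] not in (JE_SHORT, JNE_SHORT):
        raise ValueError(f"no short jcc at {va:#010x}")
    img[off] ^= 0x01

def tampered_sites(img: bytes) -> list[int]:
    """Defender-side self-check: VAs whose opcode no longer matches the original."""
    return [va for va, opcode in LICENSE_JUMPS if img[va_to_offset(va)] != opcode]

def code_digest(img: bytes) -> str:
    """Whole-image hash; any single-byte patch changes it."""
    return hashlib.sha256(img).hexdigest()

if __name__ == "__main__":
    image = build_constructed_image()
    before = code_digest(image)
    invert_jump(image, 0x00402E40)
    print("tampered:", [hex(v) for v in tampered_sites(image)])
    print("digest changed:", code_digest(image) != before)
```

A self-check like this is only a speed bump: its own comparison is yet another conditional jump, which is why real protections spread such checks across several places and hash the code from more than one of them.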