【Title】 System Commander 8 algorithm analysis
【Author】 daxia2002
【Author e-mail】 daxia2002@126.com
【Tools】 PEiD, OllyDbg, IDA
【Platform】 Win2000/XP
【Software】 System Commander 8
【Download】 http://www.v-com.com
【Description】 Features: System Commander provides a number of unique capabilities:
OS Wizard determines the best configuration for a new OS and prepares your system for the new OS.
Management of over 100 different operating systems in primary and logical partitions, the ability to boot from CDs, floppy drives A and B, or through specific master boot records. Management of up to 32 different FAT/FAT32 compatible operating systems in a single primary partition, including different DOS versions, Windows 95/98/Me, Windows NT/2000/XP/2003, and OS/2.
Optional security protection against unauthorized system use prevents hard disk access and booting from floppy disks.
Automatically saves and maintains system files and critical configuration files for each OS such as CONFIG.SYS, AUTOEXEC.BAT, BOOT.INI, and others.
Boot sector virus protection checks for infections on every boot with instant replacement of the infected boot sector and system files.
【Size】 9.53MB
【Protection】 None.
【Goal】 Study the software's registration algorithm
【Statement】 I am just a newbie; I picked up a little insight and want to share it with everyone :)
【Content】
Start the installer and enter the user name "dx" and the company name "ml". For the registration code, the first field is a fixed, greyed-out "SC8", probably short for System Commander 8; in the second field enter "111111" (6 characters, the program kindly limits the length); in the third field enter "2222222" (7 characters, also limited by the program); in the fourth field enter "3333" (4 characters, again limited by the program). Click "Next" and the program says "The serial number is incorrect. Please re-enter it." As expected, heh.
Now start OllyDbg, choose "File" -> "Attach", select the window named "System Commander" in the attach window and click "Attach". OllyDbg is now attached and has broken in system space; in the code window right-click -> "View" -> "console" to switch to the program's own module, then press F9 to run.
Set a breakpoint with bp MessageBoxA, re-enter the dummy registration code "SC8-111111-2222222-3333" and click "Next"; OllyDbg breaks. Old trick: press ALT+K to open the call stack window:
Call stack
Address Stack Procedure / arguments Called from Frame
0012E9B4 004461CF USER32.MessageBoxA console.004461C9 0012EAE8
0012E9B8 000C04CE hOwner = 000C04CE ('Customer Information',class='#32770',paren
0012E9BC 00A34170 Text = "The serial number is incorrect. Please re-enter it."
0012E9C0 00A32490 Title = "System Commander"
0012E9C4 00000030 Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0012EAEC 00446220 Maybe console.00446117 console.0044621A 0012EAE8
0012EAF0 00A34170 Arg1 = 00A34170 ASCII "The serial number is incorrect. Please
0012EAF4 00000030 Arg2 = 00000030
0012EAF8 0000EF5F Arg3 = 0000EF5F
0012EB00 00446270 console.004461FE console.0044626B 0012EAFC
0012EB04 00A34170 Arg1 = 00A34170 ASCII "The serial number is incorrect. Please
0012EB08 00000030 Arg2 = 00000030
0012EB0C 0000EF5F Arg3 = 0000EF5F
0012EB28 0042211E console.00446236 console.00422119 0012EB24
0012EB2C 0000EF5F Arg1 = 0000EF5F
0012EB30 00000030 Arg2 = 00000030
0012EB34 FFFFFFFF Arg3 = FFFFFFFF
The stack helpfully shows that the call came from console.00422119; double-click to jump to 00422119:
0042207A > /8A10 mov dl,byte ptr ds:[eax]
0042207C . |8A1E mov bl,byte ptr ds:[esi]
0042207E . |8ACA mov cl,dl
00422080 . |3AD3 cmp dl,bl
00422082 . |75 1E jnz short console.004220A2
00422084 . |84C9 test cl,cl
00422086 . |74 16 je short console.0042209E
00422088 . |8A50 01 mov dl,byte ptr ds:[eax+1]
0042208B . |8A5E 01 mov bl,byte ptr ds:[esi+1]
0042208E . |8ACA mov cl,dl
00422090 . |3AD3 cmp dl,bl
00422092 . |75 0E jnz short console.004220A2
00422094 . |83C0 02 add eax,2
00422097 . |83C6 02 add esi,2
0042209A . |84C9 test cl,cl
0042209C .^\75 DC jnz short console.0042207A
0042209E > 33C0 xor eax,eax
004220A0 . EB 05 jmp short console.004220A7
004220A2 > 1BC0 sbb eax,eax
004220A4 . 83D8 FF sbb eax,-1
004220A7 > 85C0 test eax,eax
004220A9 . 74 7C je short console.00422127
004220AB . 8D7424 70 lea esi,dword ptr ss:[esp+70]
004220AF . 8D4424 14 lea eax,dword ptr ss:[esp+14]
004220B3 > 8A10 mov dl,byte ptr ds:[eax]
004220B5 . 8A1E mov bl,byte ptr ds:[esi]
004220B7 . 8ACA mov cl,dl
004220B9 . 3AD3 cmp dl,bl
004220BB . 75 1E jnz short console.004220DB
004220BD . 84C9 test cl,cl
004220BF . 74 16 je short console.004220D7
004220C1 . 8A50 01 mov dl,byte ptr ds:[eax+1]
004220C4 . 8A5E 01 mov bl,byte ptr ds:[esi+1]
004220C7 . 8ACA mov cl,dl
004220C9 . 3AD3 cmp dl,bl
004220CB . 75 0E jnz short console.004220DB
004220CD . 83C0 02 add eax,2
004220D0 . 83C6 02 add esi,2
004220D3 . 84C9 test cl,cl
004220D5 .^ 75 DC jnz short console.004220B3
004220D7 > 33C0 xor eax,eax
004220D9 . EB 05 jmp short console.004220E0
004220DB > 1BC0 sbb eax,eax
004220DD . 83D8 FF sbb eax,-1
004220E0 > 85C0 test eax,eax
004220E2 . 74 43 je short console.00422127
004220E4 . 8B7424 20 mov esi,dword ptr ss:[esp+20]
004220E8 . 68 60C44600 push console.0046C460
004220ED . 8BCE mov ecx,esi
004220EF . E8 6CD30100 call console.0043F460
004220F4 . 8B4C24 28 mov ecx,dword ptr ss:[esp+28]
004220F8 . 68 60C44600 push console.0046C460
004220FD . E8 5ED30100 call console.0043F460
00422102 . 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
00422106 . 68 60C44600 push console.0046C460
0042210B . E8 50D30100 call console.0043F460
00422110 . 6A FF push -1
00422112 . 6A 30 push 30
00422114 . 68 5FEF0000 push 0EF5F
00422119 . E8 18410200 call console.00446236 // We land here; looking upward it is easy to spot the check at 004220E0, which can be patched.
0042211E . 8BCE mov ecx,esi
00422120 . E8 8AD40100 call console.0043F5AF
00422125 . EB 2C jmp short console.00422153
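The two loops at 0042207A and 004220B3 are the pattern MSVC emits for an inlined strcmp (two bytes per iteration, result -1/0/1 built from "sbb eax,eax; sbb eax,-1"), and the check the post points at is just "is the compare result zero". As an added example, not code from the original post, here is a C reconstruction of that compare and of the decision around it; which buffers the program actually compares is not visible in the excerpt, so the operands and the strings in main() are constructed placeholders.

```c
#include <stdio.h>

/* Reconstruction of the compiler-inlined string compare seen at
 * 0042207A and 004220B3: two bytes per iteration, result -1/0/1 produced
 * by "sbb eax,eax; sbb eax,-1" after an unsigned "cmp dl,bl". */
static int inlined_strcmp(const char *a, const char *b)
{
    const unsigned char *p = (const unsigned char *)a;   /* eax */
    const unsigned char *q = (const unsigned char *)b;   /* esi */
    unsigned char dl, bl;
    for (;;) {
        dl = p[0]; bl = q[0];            /* mov dl,[eax]; mov bl,[esi] */
        if (dl != bl) break;             /* jnz -> sbb path */
        if (dl == 0) return 0;           /* test cl,cl; je -> xor eax,eax */
        dl = p[1]; bl = q[1];            /* mov dl,[eax+1]; mov bl,[esi+1] */
        if (dl != bl) break;
        p += 2; q += 2;                  /* add eax,2; add esi,2 */
        if (dl == 0) return 0;           /* test cl,cl; jnz loop top */
    }
    /* cmp sets CF iff dl < bl (unsigned); sbb eax,eax -> -CF;
     * sbb eax,-1 -> 1 - 2*CF, i.e. -1 when dl < bl, otherwise 1 */
    return dl < bl ? -1 : 1;
}

/* The decision at 004220A7..004220E2: two compares in a row, and an
 * "equal" result from either one jumps to 00422127 (accepted); if both
 * are non-zero, execution falls through to the error message at 00422119.
 * Which buffers are compared is not visible in the excerpt, so the
 * operands here are assumptions; the strings in main() are constructed. */
static int serial_accepted(const char *entered, const char *want1, const char *want2)
{
    if (inlined_strcmp(entered, want1) == 0) return 1;   /* je 00422127 */
    if (inlined_strcmp(entered, want2) == 0) return 1;   /* je 00422127 */
    return 0;                                             /* MessageBoxA path */
}

int main(void)
{
    const char *typed = "SC8-111111-2222222-3333";   /* dummy code from the post */
    printf("inlined_strcmp(\"abc\", \"abd\") = %d\n", inlined_strcmp("abc", "abd"));
    printf("accepted: %d\n", serial_accepted(typed, "PLACEHOLDER-1", "PLACEHOLDER-2"));
    return 0;
}
```

Recognising this loop shape saves time in the debugger: every such compare followed by "test eax,eax; je" is a plain equality check against a string in memory, which is why the post's call-stack trace lands on it so directly.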