本软件有时间限制,30天后将不能再用,所以脱壳后,先将时间向后调30天,再用OD载入,F9----->出现程序界面及NAG,提示30天到期,点“输入注册信息”,输入任意用户名及注册码(先不要点确定),然后返回OD,按ALT+E,在弹出的窗口中双击USER32,再按CTRL+N,在弹出的窗口中下MessageBoxExA断点,然后返回程序,点“确定”,这时OD被断下来,在77D3B031处,并且在右下窗口可看到:
0012E26C 77D3B02E /CALL 到 MessageBoxExA 来自 USER32.77D3B029
0012E270 00620524 |hOwner = 00620524 ('请输入您的注册信息 ',class='#32770',parent=0025047C)
0012E274 00A88C48 |Text = "您输入的用户名/注册码不正确!"
0012E278 00A83CA0 |Title = "进程猎手 - Process Spy"
0012E27C 00000040 |Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0012E280 00000000 \LanguageID = 0 (LANG_NEUTRAL)
0012E284 00437350 返回到 unpacked.00437350 来自 USER32.MessageBoxA
注意这里:
0012E284 00437350 返回到 unpacked.00437350 来自 USER32.MessageBoxA
接着ALT+F9------->"您输入的用户名/注册码不正确!"对话框出现,点确定后,程序返回,OD断在00437350处。
0043725C /> /55 push ebp
0043725D |. |8DAC24 68FFFFFF lea ebp,dword ptr ss:[esp-98]
00437264 |. |81EC 18010000 sub esp,118
0043726A |. |A1 50754500 mov eax,dword ptr ds:[457550]
0043726F |. |53 push ebx
00437270 |. |56 push esi
00437271 |. |57 push edi
00437272 |. |8BF1 mov esi,ecx
00437274 |. |33FF xor edi,edi
00437276 |. |57 push edi
00437277 |. |8985 94000000 mov dword ptr ss:[ebp+94],eax
0043727D |. |8975 84 mov dword ptr ss:[ebp-7C],esi
00437280 |. |E8 0CFFFFFF call unpacked.00437191
00437285 |. |8D45 8C lea eax,dword ptr ss:[ebp-74]
00437288 |. |50 push eax
00437289 |. |57 push edi
0043728A |. |E8 2FFFFFFF call unpacked.004371BE
0043728F |. |8BD8 mov ebx,eax
00437291 |. |3B5D 8C cmp ebx,dword ptr ss:[ebp-74]
00437294 |. |895D 80 mov dword ptr ss:[ebp-80],ebx
00437297 |. |74 09 je short unpacked.004372A2
00437299 |. |6A 01 push 1 ; /Enable = TRUE
0043729B |. |53 push ebx ; |hWnd
0043729C |. |FF15 E0454400 call dword ptr ds:[<&USER32.EnableWindow>; \EnableWindow
004372A2 |> |85DB test ebx,ebx
004372A4 |. |74 18 je short unpacked.004372BE
004372A6 |. |6A 00 push 0 ; /lParam = 0
004372A8 |. |6A 00 push 0 ; |wParam = 0
004372AA |. |68 76030000 push 376 ; |Message = MSG(376)
004372AF |. |53 push ebx ; |hWnd
004372B0 |. |FF15 24464400 call dword ptr ds:[<&USER32.SendMessageA>; \SendMessageA
004372B6 |. |85C0 test eax,eax
004372B8 |. |74 04 je short unpacked.004372BE
004372BA |. |8BF8 mov edi,eax
004372BC |. |EB 07 jmp short unpacked.004372C5
004372BE |> |85F6 test esi,esi
004372C0 |. |74 03 je short unpacked.004372C5
004372C2 |. |8D7E 74 lea edi,dword ptr ds:[esi+74]
004372C5 |> |8365 88 00 and dword ptr ss:[ebp-78],0
004372C9 |. |85FF test edi,edi
004372CB |. |74 16 je short unpacked.004372E3
004372CD |. |8B07 mov eax,dword ptr ds:[edi]
004372CF |. |8945 88 mov dword ptr ss:[ebp-78],eax
004372D2 |. |8B85 A8000000 mov eax,dword ptr ss:[ebp+A8]
004372D8 |. |85C0 test eax,eax
004372DA |. |74 07 je short unpacked.004372E3
004372DC |. |05 00000300 add eax,30000
004372E1 |. |8907 mov dword ptr ds:[edi],eax
004372E3 |> |F685 A4000000 F0 test byte ptr ss:[ebp+A4],0F0
004372EA |. |75 1F jnz short unpacked.0043730B
004372EC |. |8B85 A4000000 mov eax,dword ptr ss:[ebp+A4]
004372F2 |. |83E0 0F and eax,0F
004372F5 |. |83F8 01 cmp eax,1
004372F8 |. |76 0A jbe short unpacked.00437304
004372FA |. |83F8 02 cmp eax,2
004372FD |. |76 0C jbe short unpacked.0043730B
004372FF |. |83F8 04 cmp eax,4
00437302 |. |77 07 ja short unpacked.0043730B
00437304 |> |838D A4000000 30 or dword ptr ss:[ebp+A4],30
0043730B |> |85F6 test esi,esi
0043730D |. |C645 90 00 mov byte ptr ss:[ebp-70],0
00437311 |. |74 05 je short unpacked.00437318
00437313 |. |8B5E 4C mov ebx,dword ptr ds:[esi+4C]
00437316 |. |EB 22 jmp short unpacked.0043733A
00437318 |> |8D5D 90 lea ebx,dword ptr ss:[ebp-70]
0043731B |. |BE 04010000 mov esi,104
00437320 |. |56 push esi ; /BufSize => 104 (260.)
00437321 |. |8BC3 mov eax,ebx ; |
00437323 |. |50 push eax ; |PathBuffer
00437324 |. |6A 00 push 0 ; |hModule = NULL
00437326 |. |FF15 4C424400 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
0043732C |. |3BC6 cmp eax,esi
0043732E |. |8B75 84 mov esi,dword ptr ss:[ebp-7C]
00437331 |. |75 07 jnz short unpacked.0043733A
00437333 |. |C685 93000000 00 mov byte ptr ss:[ebp+93],0
0043733A |> |FFB5 A4000000 push dword ptr ss:[ebp+A4] ; /Style
00437340 |. |53 push ebx ; |Title
00437341 |. |FFB5 A0000000 push dword ptr ss:[ebp+A0] ; |Text
00437347 |. |FF75 80 push dword ptr ss:[ebp-80] ; |hOwner
0043734A |. |FF15 B0444400 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA =========>看到了吗,就是这里出的对话框
00437350 |. |85FF test edi,edi ; unpacked.004585BC
00437352 |. |8BD8 mov ebx,eax
00437354 |. |74 05 je short unpacked.0043735B
00437356 |. |8B45 88 mov eax,dword ptr ss:[ebp-78]
00437359 |. |8907 mov dword ptr ds:[edi],eax
0043735B |> |837D 8C 00 cmp dword ptr ss:[ebp-74],0
0043735F |. |74 0B je short unpacked.0043736C
00437361 |. |6A 01 push 1 ; /Enable = TRUE
00437363 |. |FF75 8C push dword ptr ss:[ebp-74] ; |hWnd
00437366 |. |FF15 E0454400 call dword ptr ds:[<&USER32.EnableWindow>; \EnableWindow
0043736C |> |6A 01 push 1
0043736E |. |8BCE mov ecx,esi
00437370 |. |E8 1CFEFFFF call unpacked.00437191
00437375 |. |8B8D 94000000 mov ecx,dword ptr ss:[ebp+94]
0043737B |. |5F pop edi
0043737C |. |5E pop esi
0043737D |. |8BC3 mov eax,ebx
0043737F |. |5B pop ebx
00437380 |. |E8 0A19FEFF call unpacked.00418C8F
00437385 |. |81C5 98000000 add ebp,98
0043738B |. |C9 leave
0043738C |. |C2 0C00 retn 0C=====>这里返回到00405033
0043738F |$ |55 push ebp
00437390 |. |8BEC mov ebp,esp
00437392 |. |E8 876A0000 call unpacked.0043DE1E
00437397 |. |8B40 04 mov eax,dword ptr ds:[eax+4]
0043739A |. |85C0 test eax,eax
0043739C |. |74 0B je short unpacked.004373A9
0043739E |. |8B10 mov edx,dword ptr ds:[eax]
004373A0 |. |8BC8 mov ecx,eax
004373A2 |. |5D pop ebp
004373A3 |. |FFA2 98000000 jmp dword ptr ds:[edx+98]
004373A9 |> |33C9 xor ecx,ecx
004373AB |. |5D pop ebp
004373AC \.^\E9 ABFEFFFF jmp unpacked.0043725C
接着F8----->到0043738C
0043738C |. C2 0C00 retn 0C =====>这里返回到00405033
00404E93 . /0F87 5A030000 ja unpacked.004051F3====>改这里也行,但程序会在右下显示“未注册版”字样。
00404E99 . |57 push edi
00404E9A . |FF2485 10524000 jmp dword ptr ds:[eax*4+405210];这里跳了就出注册框,所以要NOP掉!
00404EA1 > |68 E84F4400 push unpacked.00444FE8 ; /Arg4 = 00444FE8 ASCII "?787j00!))7?{??u"; Case 67 ('g') of switch 00404E42
00404EA6 . |6A 0E push 0E ; |Arg3 = 0000000E
00404EA8 . |8D4424 1C lea eax,dword ptr ss:[esp+1C] ; |
00404EAC . |50 push eax ; |Arg2
00404EAD . |8D8C24 80000000 lea ecx,dword ptr ss:[esp+80] ; |
00404EB4 . |51 push ecx ; |Arg1
00404EB5 . |8BCE mov ecx,esi ; |
00404EB7 . |E8 64FDFFFF call unpacked.00404C20 ; \unpacked.00404C20
00404EBC . |8B00 mov eax,dword ptr ds:[eax]
00404EBE . |6A 00 push 0
00404EC0 . |6A 00 push 0
00404EC2 . |50 push eax
00404EC3 . |C78424 0C010000 00000000 mov dword ptr ss:[esp+10C],0
00404ECE . |E8 BC240300 call unpacked.0043738F
00404ED3 . |8B4424 74 mov eax,dword ptr ss:[esp+74]
00404ED7 . |83CF FF or edi,FFFFFFFF
00404EDA . |83C0 F0 add eax,-10
00404EDD . |89BC24 00010000 mov dword ptr ss:[esp+100],edi
00404EE4 . |8D50 0C lea edx,dword ptr ds:[eax+C]
00404EE7 . |8BCF mov ecx,edi
00404EE9 . |F0:0FC10A lock xadd dword ptr ds:[edx],ecx
00404EED . |49 dec ecx
00404EEE . |85C9 test ecx,ecx
00404EF0 . |7F 08 jg short unpacked.00404EFA
00404EF2 . |8B08 mov ecx,dword ptr ds:[eax]
00404EF4 . |8B11 mov edx,dword ptr ds:[ecx]
00404EF6 . |50 push eax
00404EF7 . |FF52 04 call dword ptr ds:[edx+4]
00404EFA > |68 E84F4400 push unpacked.00444FE8 ; /Arg4 = 00444FE8 ASCII "?787j00!))7?{??u"
00404EFF . |6A 07 push 7 ; |Arg3 = 00000007
00404F01 . |8D4424 14 lea eax,dword ptr ss:[esp+14] ; |
00404F05 . |50 push eax ; |Arg2
00404F06 . |8D4C24 7C lea ecx,dword ptr ss:[esp+7C] ; |
00404F0A . |51 push ecx ; |Arg1
00404F0B . |8BCE mov ecx,esi ; |
00404F0D . |E8 0EFDFFFF call unpacked.00404C20 ; \unpacked.00404C20
00404F12 . |8D96 CC010000 lea edx,dword ptr ds:[esi+1CC]
00404F18 . |52 push edx
00404F19 . |50 push eax
00404F1A . |8D8424 84000000 lea eax,dword ptr ss:[esp+84]
00404F21 . |50 push eax
00404F22 . |C78424 0C010000 01000000 mov dword ptr ss:[esp+10C],1
00404F2D . |E8 5EF5FFFF call unpacked.00404490
00404F32 . |83C4 0C add esp,0C
00404F35 . |8B00 mov eax,dword ptr ds:[eax]
00404F37 . |6A 01 push 1
00404F39 . |50 push eax
00404F3A . |6A 02 push 2
00404F3C . |8D8E 50020000 lea ecx,dword ptr ds:[esi+250]
00404F42 . |C68424 0C010000 02 mov byte ptr ss:[esp+10C],2
00404F4A . |E8 F3FA0200 call unpacked.00434A42
00404F4F . |8B4424 7C mov eax,dword ptr ss:[esp+7C]
00404F53 . |83C0 F0 add eax,-10
00404F56 . |C68424 00010000 01 mov byte ptr ss:[esp+100],1
00404F5E . |8D48 0C lea ecx,dword ptr ds:[eax+C]
00404F61 . |8BD7 mov edx,edi
00404F63 . |F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00404F67 . |4A dec edx
00404F68 . |85D2 test edx,edx
00404F6A . |7F 08 jg short unpacked.00404F74
00404F6C . |8B08 mov ecx,dword ptr ds:[eax]
00404F6E . |8B11 mov edx,dword ptr ds:[ecx]
00404F70 . |50 push eax
00404F71 . |FF52 04 call dword ptr ds:[edx+4]
00404F74 > |8B4424 70 mov eax,dword ptr ss:[esp+70]
00404F78 . |83C0 F0 add eax,-10
00404F7B . |89BC24 00010000 mov dword ptr ss:[esp+100],edi
00404F82 . |8D48 0C lea ecx,dword ptr ds:[eax+C]
00404F85 . |F0:0FC139 lock xadd dword ptr ds:[ecx],edi
00404F89 . |4F dec edi
00404F8A . |85FF test edi,edi
00404F8C . |7F 08 jg short unpacked.00404F96
00404F8E . |8B08 mov ecx,dword ptr ds:[eax]
00404F90 . |8B11 mov edx,dword ptr ds:[ecx]
00404F92 . |50 push eax
00404F93 . |FF52 04 call dword ptr ds:[edx+4]
00404F96 > |8B46 1C mov eax,dword ptr ds:[esi+1C]
00404F99 . |50 push eax ; /hWnd
00404F9A . |FF15 B4454400 call dword ptr ds:[<&USER32.GetMenu>] ; \GetMenu
00404FA0 . |50 push eax
00404FA1 . |E8 5C860200 call unpacked.0042D602
00404FA6 . |8B3D BC454400 mov edi,dword ptr ds:[<&USER32.RemoveMen>; USER32.RemoveMenu
00404FAC . |6A 00 push 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00404FAE . |8BF0 mov esi,eax ; |
00404FB0 . |8B4E 04 mov ecx,dword ptr ds:[esi+4] ; |
00404FB3 . |68 15800000 push 8015 ; |ItemID = 8015 (32789.)
00404FB8 . |51 push ecx ; |hMenu
00404FB9 . |FFD7 call edi ; \RemoveMenu
00404FBB . |8B56 04 mov edx,dword ptr ds:[esi+4]
00404FBE . |6A 00 push 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00404FC0 . |68 17800000 push 8017 ; |ItemID = 8017 (32791.)
00404FC5 . |52 push edx ; |hMenu
00404FC6 . |FFD7 call edi ; \RemoveMenu
00404FC8 . |8B46 04 mov eax,dword ptr ds:[esi+4]
00404FCB . |6A 03 push 3 ; /Pos = 3
00404FCD . |50 push eax ; |hMenu
00404FCE . |FF15 C0454400 call dword ptr ds:[<&USER32.GetSubMenu>] ; \GetSubMenu
00404FD4 . |50 push eax
00404FD5 . |E8 28860200 call unpacked.0042D602
00404FDA . |8B48 04 mov ecx,dword ptr ds:[eax+4]
00404FDD . |68 00040000 push 400
00404FE2 . |6A 01 push 1
00404FE4 . |51 push ecx
00404FE5 . |FFD7 call edi
00404FE7 . |8B0D 2C854500 mov ecx,dword ptr ds:[45852C]
00404FED . |85C9 test ecx,ecx
00404FEF . |0F84 FD010000 je unpacked.004051F2
00404FF5 . |6A 01 push 1
00404FF7 . |E8 E77C0200 call unpacked.0042CCE3
00404FFC . |E9 F1010000 jmp unpacked.004051F2
00405001 > |68 E84F4400 push unpacked.00444FE8 ; /Arg4 = 00444FE8 ASCII "?787j00!))7?{??u"; Case 68 ('h') of switch 00404E42
00405006 . |6A 1C push 1C ; |Arg3 = 0000001C
00405008 . |8D5424 2C lea edx,dword ptr ss:[esp+2C] ; |
0040500C . |52 push edx ; |Arg2
0040500D . |8D8424 84000000 lea eax,dword ptr ss:[esp+84] ; |
00405014 . |50 push eax ; |Arg1
00405015 . |8BCE mov ecx,esi ; |
00405017 . |E8 04FCFFFF call unpacked.00404C20 ; \unpacked.00404C20
0040501C . |8B00 mov eax,dword ptr ds:[eax]
0040501E . |6A 00 push 0
00405020 . |6A 40 push 40
00405022 . |50 push eax
00405023 . |C78424 0C010000 03000000 mov dword ptr ss:[esp+10C],3
0040502E . |E8 5C230300 call unpacked.0043738F=====>到这个CALL就出"您输入的用户名/注册码不正确!"对话框了,所以不能让程序来这儿!
00405033 . |8B4424 78 mov eax,dword ptr ss:[esp+78]=====>0043738C处返回到这儿,向上看。
00405037 . |E9 95010000 jmp unpacked.004051D1
0040503C > |6A 00 push 0 ; Case 69 ('i') of switch 00404E42
0040503E . |8D8C24 8C000000 lea ecx,dword ptr ss:[esp+8C]
00405045 . |E8 46E4FFFF call unpacked.00403490
00404E9A处是一个选择,共有5个分支:当EAX为2时,就是第3个分支。程序初次运行时EAX为2,即跳到0040503C处,弹出要求输入注册码的窗口;当输完用户名和注册码点确定后,若注册码不正确则EAX为1,即跳到00405001处,弹出出错对话框。
00405210 . \A14E4000 dd unpacked.00404EA1 ; Switch table used at 00404E9A
00405214 . 01504000 dd unpacked.00405001
00405218 . 3C504000 dd unpacked.0040503C
0040521C . 9D504000 dd unpacked.0040509D
00405220 . 92514000 dd unpacked.00405192
所以,NOP掉00404E9A处,F9---->程序继续运行,并出“谢谢你的支持!”对话框,但只NOP掉00404E9A处,每次运行程序都会出“谢谢你的支持!”对话框,非常烦人,所以下一步就去掉这个对话框:
还记得这个地方吗:
0043733A |> \FFB5 A4000000 push dword ptr ss:[ebp+A4] ; /Style
00437340 |. 53 push ebx ; |Title
00437341 |. FFB5 A0000000 push dword ptr ss:[ebp+A0] ; |Text
00437347 |. FF75 80 push dword ptr ss:[ebp-80] ; |hOwner
0043734A |. FF15 B0444400 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
对,这里就是出对话框的地方,当00404E9A处不NOP掉时,注册码不正确,0043734A处就出"您输入的用户名/注册码不正确!",当00404E9A处NOP掉时,就出的“谢谢你的支持!”对话框,所以将0043733A到0043734A全部NOP掉,程序启动时就不再出对话框了,至此暴破完毕。
遗憾的是程序启动后右下只显示“注册给:”,没有用户名,不过限制总算没有了。
由于我水平有限,所以没能跟到注册码算法,有哪位大侠能跟出的话,能给我讲一讲吗?先谢过了!!!