Cracking a restart-based check where the serial is stored in the registry, by modifying the code from the previous post
This one is for the fledglings; the old birds can skip it!
Checking with PEiD: no packer, written in Borland Delphi 6.0 - 7.0.
First, registry monitoring shows that the serial is stored in the registry, so after loading the program in OD (OllyDbg), set a breakpoint on RegOpenKeyExA.
Then press F9 to run. The serial lives under Software\jsasp in the registry; at this point watch how the stack data changes.
0012F8E8 40008C17 /CALL to RegOpenKeyExA from rtl60.40008C12
0012F8EC 80000001 |hKey = HKEY_CURRENT_USER
0012F8F0 40008E08 |Subkey = "Software\Borland\Locales"   <- note this
0012F8F4 00000000 |Reserved = 0
0012F8F8 000F0019 |Access = KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|F0000
Keep pressing F9 until it arrives here, then stop pressing F9.
0012FD68 40043753 /CALL to RegOpenKeyExA from rtl60.4004374E
0012FD6C 80000002 |hKey = HKEY_LOCAL_MACHINE
0012FD70 00459CA8 |Subkey = "Software\jsasp"   <- this is it
0012FD74 00000000 |Reserved = 0
0012FD78 000F003F |Access = KEY_ALL_ACCESS
0012FD7C 0012FD9C \pHandle = 0012FD9C
0012FD80 0012FDAC Pointer to next SEH record
0012FD84 400437D9 SE handler
Then remove the breakpoint and use Ctrl+F9 to return to the program's own code.
77DA7707 C2 1400 RETN 14
77DA770A 90 NOP
77DA770B 90 NOP
77DA770C 90 NOP
77DA770D 90 NOP
77DA770E 90 NOP
77DA770F > 8BFF MOV EDI,EDI
77DA7711 55 PUSH EBP
77DA7712 8BEC MOV EBP,ESP
Press Ctrl+F9 again until it arrives here.
00459C9D . C3 RETN
00459C9E 00 DB 00
00459C9F 00 DB 00
00459CA0 . FFFFFFFF DD FFFFFFFF
00459CA4 . 0E000000 DD 0000000E
00459CA8 . 53 6F 66 74 7>ASCII "Software\jsasp",0   <- here
Some programs compute the real serial first and then compare it with the fake serial we entered; this program does exactly that,
so once we are here we need to look upward. Take a look below.
00459BE3 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX   <- the first part of the real serial is taken here
00459BE6 |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
00459BE9 |. FF75 DC PUSH DWORD PTR SS:[EBP-24]
00459BEC |. FF75 D8 PUSH DWORD PTR SS:[EBP-28]
00459BEF |. 6A 00 PUSH 0
00459BF1 |. 68 F9862C00 PUSH 2C86F9
00459BF6 |. 6A 00 PUSH 0
00459BF8 |. 68 E3A0AA69 PUSH 69AAA0E3
00459BFD |. E8 6AB4FFFF CALL telee.0045506C
00459C02 |. 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX   <- the second part of the real serial is taken here
00459C05 |. 8955 DC MOV DWORD PTR SS:[EBP-24],EDX
00459C08 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
00459C0B |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
00459C0E |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
00459C11 |. B8 08000000 MOV EAX,8
00459C16 |. E8 517EFAFF CALL <JMP.&rtl60.@Sysutils@IntToHex$qqrj>
00459C1B |. 8B55 B0 MOV EDX,DWORD PTR SS:[EBP-50]
00459C1E |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00459C21 |. E8 3A76FAFF CALL <JMP.&rtl60.@System@@LStrCmp$qqrv>
00459C26 |. 75 40 JNZ SHORT telee.00459C68
00459C28 |. FF75 DC PUSH DWORD PTR SS:[EBP-24]
00459C2B |. FF75 D8 PUSH DWORD PTR SS:[EBP-28]
00459C2E |. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
00459C31 |. B8 08000000 MOV EAX,8
00459C36 |. E8 317EFAFF CALL <JMP.&rtl60.@Sysutils@IntToHex$qqrj>
00459C3B |. 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
00459C3E |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00459C41 |. E8 1A76FAFF CALL <JMP.&rtl60.@System@@LStrCmp$qqrv>
00459C46 |. 75 20 JNZ SHORT telee.00459C68
00459C48 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00459C4B |. 8B80 C0030000 MOV EAX,DWORD PTR DS:[EAX+3C0]
00459C51 |. 33D2 XOR EDX,EDX
00459C53 |. E8 8489FAFF CALL <JMP.&vcl60.@Menus@TMenuItem@SetVis>
00459C58 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00459C5B |. 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
00459C61 |. B2 01 MOV DL,1
00459C63 |. E8 848AFAFF CALL <JMP.&vcl60.@Controls@TControl@SetV>
00459C68 |> 33C0 XOR EAX,EAX
00459C6A |. 5A POP EDX
00459C6B |. 59 POP ECX
00459C6C |. 59 POP ECX
00459C6D |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00459C70 |. 68 979C4500 PUSH telee.00459C97
00459C75 |> 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
00459C78 |. BA 07000000 MOV EDX,7
00459C7D |. E8 7675FAFF CALL <JMP.&rtl60.@System@@LStrArrayClr$q>
00459C82 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00459C85 |. BA 04000000 MOV EDX,4
00459C8A |. E8 6975FAFF CALL <JMP.&rtl60.@System@@LStrArrayClr$q>
00459C8F \. C3 RETN
00459C90 .^ E9 1B75FAFF JMP <JMP.&rtl60.@System@@HandleFinally$q>
00459C95 .^ EB DE JMP SHORT telee.00459C75
00459C97 . 5F POP EDI
00459C98 . 5E POP ESI
00459C99 . 5B POP EBX
00459C9A . 8BE5 MOV ESP,EBP
00459C9C . 5D POP EBP
00459C9D . C3 RETN
00459C9E 00 DB 00
00459C9F 00 DB 00
00459CA0 . FFFFFFFF DD FFFFFFFF
00459CA4 . 0E000000 DD 0000000E
00459CA8 . 53 6F 66 74 7>ASCII "Software\jsasp",0   <- the registry path of the fake serial is read from here
00459CB7 00 DB 00
00459CB8 . FFFFFFFF DD FFFFFFFF
00459CBC . 0A000000 DD 0000000A
00459CC0 . 52 65 67 69 7>ASCII "Register_1",0   <- first part of the fake serial
00459CCB 00 DB 00
00459CCC . FFFFFFFF DD FFFFFFFF
00459CD0 . 0A000000 DD 0000000A
00459CD4 . 52 65 67 69 7>ASCII "Register_2",0   <- second part of the fake serial
Looking upward, you can see that the real serial is split into two parts, taken at 00459BE3 and 00459C02.
OK, now let's build the keygen. First the keygen for the first part of the serial: address 459BE3, break once, first byte 89, digits 2, register EAX, generate!
Keygen for the second part: address 459C02, break once, first byte 89, digits 2, register EAX, generate!
OK, let's try it. Run the first keygen and look, the serial comes out; copy it right away and close the program.
Then run the second keygen and, damn, the serial comes out again; copy it. Now enter the serial we obtained and submit. OK, success!