【Title】: Cracking a restart-verification protected program
【Author】: qwgboy2000
【Author's e-mail】: qwgboy2000@126.com
【Author's homepage】: none
【Author's QQ】: 27141459
【Software name】: 图片吸血鬼
【Software size】: 974.6K
【Download】: search for it yourself
【Packer】: none
【Protection】: restart verification (the registration data is checked again on the next launch)
【Language】: Delphi
【Tools】: OD
【Platform】: WINXP
【Description】: searches all images on a selected website and downloads them automatically
【Author's statement】: done purely out of interest, with no other purpose. Corrections of any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Running the program once shows that it uses restart verification, so the first task is to find where the registration information is stored: in a file or in the registry?
Found the breakpoint with DeDe, loaded the program in OD and arrived here:
00521910 |. 6A 40 push 40
00521912 |. 68 54195200 push 00521954 ; Warning
00521917 |. 68 5C195200 push 0052195C ; Registration code cannot be empty!
0052191C |. 8BC3 mov eax, ebx
0052191E |. E8 15EDF4FF call 00470638
00521923 |. 50 push eax ; |hOwner
00521924 |. E8 6B61EEFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00521929 |. EB 07 jmp short 00521932
0052192B |> 8BC3 mov eax, ebx
0052192D |. E8 E2FCFFFF call 00521614 ; stepping into this CALL shows it saves NAME and PASS to the registry
So now we know the information is kept in the registry. Reload the program, set a breakpoint where the registry is read, and we arrive here:
005237F8 . 8D45 EC lea eax, [ebp-14]
005237FB . BA 083B5200 mov edx, 00523B08 ; Software\zy\Pic
00523800 . E8 7313EEFF call 00404B78 ; this is where the registry is read
00523805 . B1 01 mov cl, 1
00523807 . 8B55 EC mov edx, [ebp-14]
0052380A . 8B45 F0 mov eax, [ebp-10]
0052380D . E8 428BF1FF call 0043C354
00523812 . 84C0 test al, al
00523814 . 0F84 92000000 je 005238AC
0052381A . 8D4D C0 lea ecx, [ebp-40]
0052381D . BA 203B5200 mov edx, 00523B20 ; Name
00523822 . 8B45 F0 mov eax, [ebp-10]
00523825 . E8 F28CF1FF call 0043C51C ; read NAME
0052382A . 8B55 C0 mov edx, [ebp-40]
0052382D . 8B45 FC mov eax, [ebp-4]
00523830 . 05 FC030000 add eax, 3FC
00523835 . E8 FA12EEFF call 00404B34
0052383A . 8D4D BC lea ecx, [ebp-44]
0052383D . BA 303B5200 mov edx, 00523B30 ; Pass
00523842 . 8B45 F0 mov eax, [ebp-10]
00523845 . E8 D28CF1FF call 0043C51C ; read PASS
0052384A . 8B55 BC mov edx, [ebp-44]
0052384D . 8B45 FC mov eax, [ebp-4]
00523850 . 05 00040000 add eax, 400
00523855 . E8 DA12EEFF call 00404B34
0052385A . 33C0 xor eax, eax
0052385C . 55 push ebp
0052385D . 68 83385200 push 00523883
00523862 . 64:FF30 push dword ptr fs:[eax]
00523865 . 64:8920 mov fs:[eax], esp
00523868 . BA 403B5200 mov edx, 00523B40 ; Date
0052386D . 8B45 F0 mov eax, [ebp-10]
00523870 . E8 8F8DF1FF call 0043C604
00523875 . DD5D E0 fstp qword ptr [ebp-20]
00523878 . 9B wait
00523879 . 33C0 xor eax, eax
0052387B . 5A pop edx
0052387C . 59 pop ecx
0052387D . 59 pop ecx
0052387E . 64:8910 mov fs:[eax], edx
00523881 . EB 29 jmp short 005238AC
00523883 .^ E9 2409EEFF jmp 004041AC
00523888 . FF75 DC push dword ptr [ebp-24] ; /Arg2
0052388B . FF75 D8 push dword ptr [ebp-28] ; |Arg1
0052388E . BA 403B5200 mov edx, 00523B40 ; |Date
00523893 . 8B45 F0 mov eax, [ebp-10] ; |
00523896 . E8 558DF1FF call 0043C5F0 ; \Down.0043C5F0
0052389B . 8B45 D8 mov eax, [ebp-28]
0052389E . 8945 E0 mov [ebp-20], eax
005238A1 . 8B45 DC mov eax, [ebp-24]
005238A4 . 8945 E4 mov [ebp-1C], eax
005238A7 . E8 680CEEFF call 00404514
005238AC > 8B45 F0 mov eax, [ebp-10]
005238AF . E8 0C8AF1FF call 0043C2C0
005238B4 . 33C0 xor eax, eax
005238B6 . 5A pop edx
005238B7 . 59 pop ecx
005238B8 . 59 pop ecx
005238B9 . 64:8910 mov fs:[eax], edx
005238BC . 68 D1385200 push 005238D1
005238C1 > 8B45 F0 mov eax, [ebp-10]
005238C4 . E8 0304EEFF call 00403CCC
005238C9 . C3 retn
005238CA .^ E9 910BEEFF jmp 00404460
005238CF .^ EB F0 jmp short 005238C1
005238D1 . 8D4D B8 lea ecx, [ebp-48]
005238D4 . 8B45 FC mov eax, [ebp-4]
005238D7 . 8B90 FC030000 mov edx, [eax+3FC] ; edx=NAME
005238DD . A1 5C9A5200 mov eax, [529A5C]
005238E2 . 8B00 mov eax, [eax]
005238E4 . E8 3BDBFFFF call 00521424 ; key CALL, step into it
005238E9 . 8B55 B8 mov edx, [ebp-48] ; edx = real PASS
005238EC . 8B45 FC mov eax, [ebp-4]
005238EF . 8B80 00040000 mov eax, [eax+400] ; eax = entered (fake) PASS
005238F5 . E8 F215EEFF call 00404EEC
005238FA 75 25 jnz short 00523921 ; patch point
Next, follow the key CALL into the core algorithm, shown below:
00521424 /$ 55 push ebp
00521425 |. 8BEC mov ebp, esp
00521427 |. 51 push ecx
00521428 |. B9 04000000 mov ecx, 4
0052142D |> 6A 00 /push 0
0052142F |. 6A 00 |push 0
00521431 |. 49 |dec ecx
00521432 |.^ 75 F9 \jnz short 0052142D
00521434 |. 51 push ecx
00521435 |. 874D FC xchg [ebp-4], ecx
00521438 |. 53 push ebx
00521439 |. 56 push esi
0052143A |. 57 push edi
0052143B |. 8BF9 mov edi, ecx
0052143D |. 8955 FC mov [ebp-4], edx
00521440 |. 8B45 FC mov eax, [ebp-4]
00521443 |. E8 483BEEFF call 00404F90
00521448 |. 33C0 xor eax, eax
0052144A |. 55 push ebp
0052144B |. 68 E5155200 push 005215E5
00521450 |. 64:FF30 push dword ptr fs:[eax]
00521453 |. 64:8920 mov fs:[eax], esp
00521456 |. 8BC7 mov eax, edi
00521458 |. E8 8336EEFF call 00404AE0
0052145D |. 8B45 FC mov eax, [ebp-4] ; eax=NAME
00521460 |. E8 3B39EEFF call 00404DA0 ; get the length of the user name
00521465 |. 8BF0 mov esi, eax
00521467 |. 85F6 test esi, esi
00521469 |. 7E 26 jle short 00521491
0052146B |. BB 01000000 mov ebx, 1 ; ebx=1
00521470 |> 8D4D EC /lea ecx, [ebp-14]
00521473 |. 8B45 FC |mov eax, [ebp-4]
00521476 |. 0FB64418 FF |movzx eax, byte ptr [eax+>; take NAME one character at a time
0052147B |. 33D2 |xor edx, edx
0052147D |. E8 F282EEFF |call 00409774 ; convert to the hex ASCII string, e.g. Q=71H becomes the characters '7' '1'
00521482 |. 8B55 EC |mov edx, [ebp-14]
00521485 |. 8D45 F8 |lea eax, [ebp-8]
00521488 |. E8 1B39EEFF |call 00404DA8
0052148D |. 43 |inc ebx
0052148E |. 4E |dec esi
0052148F |.^ 75 DF \jnz short 00521470
00521491 |> 8B45 F8 mov eax, [ebp-8] ; load the concatenated string built above into eax
00521494 |. E8 0739EEFF call 00404DA0
00521499 |. 8BF0 mov esi, eax
0052149B |. 85F6 test esi, esi
0052149D |. 7E 2C jle short 005214CB
0052149F |. BB 01000000 mov ebx, 1
005214A4 |> 8B45 F8 /mov eax, [ebp-8] ; load the transformed NAME string
005214A7 |. E8 F438EEFF |call 00404DA0 ; get its length
005214AC |. 2BC3 |sub eax, ebx
005214AE |. 8B55 F8 |mov edx, [ebp-8] ; edx = transformed NAME string
005214B1 |. 8A1402 |mov dl, [edx+eax] ; take the transformed string in reverse order
005214B4 |. 8D45 E8 |lea eax, [ebp-18]
005214B7 |. E8 0C38EEFF |call 00404CC8
005214BC |. 8B55 E8 |mov edx, [ebp-18]
005214BF |. 8D45 F4 |lea eax, [ebp-C]
005214C2 |. E8 E138EEFF |call 00404DA8
005214C7 |. 43 |inc ebx
005214C8 |. 4E |dec esi
005214C9 |.^ 75 D9 \jnz short 005214A4
005214CB |> 8D45 F8 lea eax, [ebp-8]
005214CE |. 50 push eax
005214CF |. B9 04000000 mov ecx, 4
005214D4 |. BA 01000000 mov edx, 1
005214D9 |. 8B45 F4 mov eax, [ebp-C] ; load the reversed transformed string
005214DC |. E8 1F3BEEFF call 00405000 ; take 4 characters starting at position 1 and store them
005214E1 |. 8D45 F4 lea eax, [ebp-C]
005214E4 |. 50 push eax
005214E5 |. B9 04000000 mov ecx, 4
005214EA |. BA 05000000 mov edx, 5
005214EF |. 8B45 F4 mov eax, [ebp-C]
005214F2 |. E8 093BEEFF call 00405000 ; take 4 characters starting at position 5 and store them
005214F7 |. 8B45 F8 mov eax, [ebp-8]
005214FA |. E8 A138EEFF call 00404DA0
005214FF |. 83F8 04 cmp eax, 4
00521502 |. 7D 2F jge short 00521533
00521504 |. 8B45 F8 mov eax, [ebp-8]
00521507 |. E8 9438EEFF call 00404DA0
0052150C |. 8BD8 mov ebx, eax
0052150E |. 83FB 03 cmp ebx, 3
00521511 |. 7F 20 jg short 00521533
00521513 |> 8D4D E4 /lea ecx, [ebp-1C]
00521516 |. 8BC3 |mov eax, ebx
00521518 |. C1E0 02 |shl eax, 2
0052151B |. 33D2 |xor edx, edx
0052151D |. E8 5282EEFF |call 00409774
00521522 |. 8B55 E4 |mov edx, [ebp-1C]
00521525 |. 8D45 F8 |lea eax, [ebp-8]
00521528 |. E8 7B38EEFF |call 00404DA8
0052152D |. 43 |inc ebx
0052152E |. 83FB 04 |cmp ebx, 4
00521531 |.^ 75 E0 \jnz short 00521513
00521533 |> 8B45 F4 mov eax, [ebp-C]
00521536 |. E8 6538EEFF call 00404DA0
0052153B |. 83F8 04 cmp eax, 4
0052153E |. 7D 2F jge short 0052156F
00521540 |. 8B45 F4 mov eax, [ebp-C]
00521543 |. E8 5838EEFF call 00404DA0
00521548 |. 8BD8 mov ebx, eax
0052154A |. 83FB 03 cmp ebx, 3
0052154D |. 7F 20 jg short 0052156F
0052154F |> 8D4D E0 /lea ecx, [ebp-20]
00521552 |. 8BC3 |mov eax, ebx
00521554 |. C1E0 02 |shl eax, 2
00521557 |. 33D2 |xor edx, edx
00521559 |. E8 1682EEFF |call 00409774
0052155E |. 8B55 E0 |mov edx, [ebp-20]
00521561 |. 8D45 F4 |lea eax, [ebp-C]
00521564 |. E8 3F38EEFF |call 00404DA8
00521569 |. 43 |inc ebx
0052156A |. 83FB 04 |cmp ebx, 4
0052156D |.^ 75 E0 \jnz short 0052154F
0052156F |> 8D45 F0 lea eax, [ebp-10]
00521572 |. BA FC155200 mov edx, 005215FC ; Pic4ei8espr
00521577 |. E8 FC35EEFF call 00404B78 ; store the fixed string
0052157C |. 8D45 DC lea eax, [ebp-24]
0052157F |. 50 push eax
00521580 |. B9 04000000 mov ecx, 4
00521585 |. BA 01000000 mov edx, 1
0052158A |. 8B45 F0 mov eax, [ebp-10] ; load the fixed string
0052158D |. E8 6E3AEEFF call 00405000 ; take 4 characters from position 1
00521592 |. FF75 DC push dword ptr [ebp-24]
00521595 |. 68 10165200 push 00521610 ; -
0052159A |. FF75 F8 push dword ptr [ebp-8]
0052159D |. 8D45 D8 lea eax, [ebp-28]
005215A0 |. 50 push eax
005215A1 |. B9 05000000 mov ecx, 5
005215A6 |. BA 05000000 mov edx, 5
005215AB |. 8B45 F0 mov eax, [ebp-10]
005215AE |. E8 4D3AEEFF call 00405000 ; take 5 characters starting at position 5
005215B3 |. FF75 D8 push dword ptr [ebp-28]
005215B6 |. 68 10165200 push 00521610 ; -
005215BB |. FF75 F4 push dword ptr [ebp-C]
005215BE |. 8BC7 mov eax, edi
005215C0 |. BA 06000000 mov edx, 6
005215C5 |. E8 9638EEFF call 00404E60 ; concatenate the strings obtained above and store the result
005215CA |. 33C0 xor eax, eax
005215CC |. 5A pop edx
005215CD |. 59 pop ecx
005215CE |. 59 pop ecx
005215CF |. 64:8910 mov fs:[eax], edx
005215D2 |. 68 EC155200 push 005215EC
005215D7 |> 8D45 D8 lea eax, [ebp-28]
005215DA |. BA 0A000000 mov edx, 0A
005215DF |. E8 2035EEFF call 00404B04
005215E4 \. C3 retn
That completes the analysis.
--------------------------------------------------------------------------------
【Summary】
1. Take NAME character by character and convert it to a hex ASCII string, call it A (e.g. "qwgboy2000" ==> "717767626F7932303030")
2. Take string A character by character and reverse it (e.g. "717767626F7932303030" ==> "0303032397F626767717")
3. Take 4 characters starting at position 1, and 4 characters starting at position 5
4. Take the fixed string "Pic4ei8espr": 4 characters starting at position 1, and 5 characters starting at position 5
5. Join the strings above with '-' in a fixed order (e.g. I got "Pic4-0303ei8es-0323")
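As an added example (not code from the original post), here is the derivation of steps 1 to 5 modelled in Python with Delphi's 1-based Copy semantics, reproducing the author's "Pic4-0303ei8es-0323" for "qwgboy2000". The padding applied to fragments shorter than 4 characters is my reading of the loops at 00521513 and 0052154F (an assumption, not something the author states), and names are assumed to be ASCII. The security-relevant point: the value compared at 005238F5 depends only on the user name and a constant in the binary, so verification and generation are the same computation.

```python
# Added example: model of the key derivation at 00521424 (not the program's code).
FIXED = "Pic4ei8espr"  # constant string pushed at 00521572


def delphi_copy(s: str, start: int, count: int) -> str:
    """Delphi Copy(): 1-based start; returns '' when start is past the end."""
    if start < 1 or start > len(s):
        return ""
    return s[start - 1:start - 1 + count]


def int_to_hex(value: int) -> str:
    """IntToHex(value, 0): upper-case digits, no zero padding (0 -> '0')."""
    return format(value, "X")


def pad_fragment(frag: str) -> str:
    # Assumption from the listing: for i := Length(frag) to 3 do
    #   frag := frag + IntToHex(i shl 2, 0)   -- only runs when Length < 4.
    for i in range(len(frag), 4):
        frag += int_to_hex(i << 2)
    return frag


def derive_pass(name: str) -> str:
    # Step 1: hex ASCII string of every byte of NAME (loop at 00521470).
    a = "".join(int_to_hex(b) for b in name.encode("ascii"))
    # Step 2: reverse it (loop at 005214A4).
    rev = a[::-1]
    # Step 3: Copy(rev, 1, 4) and Copy(rev, 5, 4), padded when short.
    part1 = pad_fragment(delphi_copy(rev, 1, 4))
    part2 = pad_fragment(delphi_copy(rev, 5, 4))
    # Step 4: Copy(FIXED, 1, 4) and Copy(FIXED, 5, 5).
    c1 = delphi_copy(FIXED, 1, 4)
    c2 = delphi_copy(FIXED, 5, 5)
    # Step 5: six-part concatenation in the push order seen at 00521592..005215C5.
    return c1 + "-" + part1 + c2 + "-" + part2


def check_pass(name: str, entered: str) -> bool:
    """The comparison at 005238F5: plain string equality, no secret involved."""
    return derive_pass(name) == entered
```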
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 看雪 (Pediy) forum. When reposting, please credit the author and keep the article intact. Thank you!
13 January 2007, 11:29:26 PM