【Title】: Simple cracking: WinZip v8.0
【Author】: 豆腐
【Author's e-mail】: ry20@tom.com
【Author's homepage】: ruanyi20@googlepages.com
【Author's QQ】: 52413013
【Software】: WinZip v8.0
【Download】: http://tel1.800disk.com/?ry20
【Packer】: none
【Protection】: registration code
【Tools】: OllyDbg (third edition), W32Dasm, PEiD 0.94
【Platform】: Windows XP
【About the software】: WinZip is a compression/decompression utility distributed as shareware.
【Author's note】: This is the first crack write-up I have written. Please correct any mistakes!
--------------------------------------------------------------------------------
【Details】
Hello everyone. After a few months of studying on the 看雪 forum, I have grown from a complete newcomer who knew nothing about software cracking into a beginner who understands a little about it.
Many people are very enthusiastic when they first come into contact with cracking, but after a while the enthusiasm fades, and some lose interest entirely.
In my view, to succeed you must not fear failure: learn humbly, read many articles and practise a lot. Enough talk, let's look at the program.
1. Check for a packer with PEiD 0.94: it reports Microsoft Visual C++ 6.0 [Debug], no packer.
2. Run the program first. Click "Enter Registration Code", enter doufu as the Name and 123456789 as the Registration code, then click OK.
The error dialog "Incomplete or incorrect information" pops up.
3. Load the program in W32Dasm and find the address that references the error string: :0040800A 688E020000 push 0000028E
4. Load the program in OllyDbg and go to 0040800A. The dialog handler that reads the two edit controls starts a little above it, at 00407F5F:
00407F5F |> \BF 78CD4800 MOV EDI,WINZIP32.0048CD78
00407F64 |. 6A 29 PUSH 29
00407F66 |. 57 PUSH EDI
00407F67 |. 68 800C0000 PUSH 0C80
00407F6C |. 53 PUSH EBX
00407F6D |. FF15 28744700 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>
00407F73 |. 57 PUSH EDI ; set a breakpoint here
00407F74 |. E8 21790300 CALL WINZIP32.0043F89A
00407F79 |. 57 PUSH EDI ; user name is now in the buffer at 48CD78
00407F7A |. E8 44790300 CALL WINZIP32.0043F8C3
00407F7F |. 59 POP ECX
00407F80 |. BE A4CD4800 MOV ESI,WINZIP32.0048CDA4
00407F85 |. 59 POP ECX
00407F86 |. 6A 0B PUSH 0B
00407F88 |. 56 PUSH ESI ; registration code goes into the buffer at 48CDA4
00407F89 |. 68 810C0000 PUSH 0C81
00407F8E |. 53 PUSH EBX
00407F8F |. FF15 28744700 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>
00407F95 |. 56 PUSH ESI
00407F96 |. E8 FF780300 CALL WINZIP32.0043F89A
00407F9B |. 56 PUSH ESI
00407F9C |. E8 22790300 CALL WINZIP32.0043F8C3
00407FA1 |. 803D 78CD4800>CMP BYTE PTR DS:[48CD78],0
00407FA8 |. 59 POP ECX
00407FA9 |. 59 POP ECX
00407FAA |. 74 59 JE SHORT WINZIP32.00408005
00407FAC |. 803D A4CD4800>CMP BYTE PTR DS:[48CDA4],0
00407FB3 |. 74 50 JE SHORT WINZIP32.00408005
00407FB5 |. E8 1BFAFFFF CALL WINZIP32.004079D5 ; the check routine; step into it with F7
00407FBA |. 85C0 TEST EAX,EAX ; the classic test: EAX = 0 means the code was rejected
00407FBC |. 74 47 JE SHORT WINZIP32.00408005
00407FBE |. 57 PUSH EDI
00407FBF |. BF A4FF4700 MOV EDI,WINZIP32.0047FFA4
00407FC4 |. 68 24DB4700 PUSH WINZIP32.0047DB24
00407FC9 |. 57 PUSH EDI
00407FCA |. E8 0B360300 CALL WINZIP32.0043B5DA
00407FCF |. 56 PUSH ESI
00407FD0 |. 68 6CE64700 PUSH WINZIP32.0047E66C
00407FD5 |. 57 PUSH EDI
00407FD6 |. E8 FF350300 CALL WINZIP32.0043B5DA
00407FDB |. 68 C4FF4700 PUSH WINZIP32.0047FFC4
00407FE0 |. 6A 00 PUSH 0
00407FE2 |. 6A 00 PUSH 0
00407FE4 |. 68 30DB4700 PUSH WINZIP32.0047DB30
00407FE9 |. E8 D3350300 CALL WINZIP32.0043B5C1
00407FEE |. A1 F47A4800 MOV EAX,DWORD PTR DS:[487AF4]
00407FF3 |. 83C4 28 ADD ESP,28
00407FF6 |. 85C0 TEST EAX,EAX
00407FF8 |. 74 07 JE SHORT WINZIP32.00408001
00407FFA |. 50 PUSH EAX
00407FFB |. FF15 70704700 CALL DWORD PTR DS:[<&GDI32.DeleteObject>>
00408001 |> 6A 01 PUSH 1
00408003 |. EB 30 JMP SHORT WINZIP32.00408035
00408005 |> E8 9C020000 CALL WINZIP32.004082A6
0040800A |. 68 8E020000 PUSH 28E ; the registration-error dialog
0040800F |. E8 D9750300 CALL WINZIP32.0043F5ED
------------------------------------------------------------------------------------------------------------
Now let's look at the actual algorithm, the routine at 004079D5:
004079D5 /$ 55 PUSH EBP
004079D6 |. 8BEC MOV EBP,ESP
004079D8 |. 81EC 08020000 SUB ESP,208
004079DE |. 53 PUSH EBX
004079DF |. 56 PUSH ESI
004079E0 |. 33F6 XOR ESI,ESI
004079E2 |. 803D 78CD4800>CMP BYTE PTR DS:[48CD78],0
004079E9 |. 57 PUSH EDI
004079EA |. 0F84 9A000000 JE WINZIP32.00407A8A
004079F0 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004079F3 |. 50 PUSH EAX
004079F4 |. 68 68E34700 PUSH WINZIP32.0047E368
004079F9 |. E8 AE9DFFFF CALL WINZIP32.004017AC
004079FE |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00407A04 |. BF 78CD4800 MOV EDI,WINZIP32.0048CD78 ; ASCII "doufu"
00407A09 |. 50 PUSH EAX
00407A0A |. 57 PUSH EDI
00407A0B |. E8 9B020000 CALL WINZIP32.00407CAB
00407A10 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00407A16 |. 50 PUSH EAX
00407A17 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407A1A |. 50 PUSH EAX
00407A1B |. E8 B0180600 CALL WINZIP32.004692D0
00407A20 |. 83C4 18 ADD ESP,18
00407A23 |. 85C0 TEST EAX,EAX
00407A25 |. 6A 01 PUSH 1
00407A27 |. 5B POP EBX
00407A28 |. 75 02 JNZ SHORT WINZIP32.00407A2C
00407A2A |. 8BF3 MOV ESI,EBX
00407A2C |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407A2F |. 50 PUSH EAX
00407A30 |. 68 78E34700 PUSH WINZIP32.0047E378
00407A35 |. E8 729DFFFF CALL WINZIP32.004017AC
00407A3A |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407A3D |. 50 PUSH EAX
00407A3E |. 57 PUSH EDI
00407A3F |. E8 8C180600 CALL WINZIP32.004692D0
00407A44 |. 83C4 10 ADD ESP,10
00407A47 |. 85C0 TEST EAX,EAX
00407A49 |. 75 0C JNZ SHORT WINZIP32.00407A57
00407A4B |. FF15 D8714700 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
00407A51 |. 84C3 TEST BL,AL
00407A53 |. 74 02 JE SHORT WINZIP32.00407A57
00407A55 |. 8BF3 MOV ESI,EBX
00407A57 |> 6A 14 PUSH 14
00407A59 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407A5C |. 6A 00 PUSH 0
00407A5E |. 50 PUSH EAX
00407A5F |. E8 AC010600 CALL WINZIP32.00467C10
00407A64 |. 68 C8000000 PUSH 0C8
00407A69 |. 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00407A6F |. 6A 00 PUSH 0
00407A71 |. 50 PUSH EAX
00407A72 |. E8 99010600 CALL WINZIP32.00467C10
00407A77 |. 83C4 18 ADD ESP,18
00407A7A |. 85F6 TEST ESI,ESI
00407A7C |. 74 13 JE SHORT WINZIP32.00407A91
00407A7E |. E8 23080000 CALL WINZIP32.004082A6
00407A83 |. 8325 DC9F4800>AND DWORD PTR DS:[489FDC],0
00407A8A |> 33C0 XOR EAX,EAX
00407A8C |. E9 B1000000 JMP WINZIP32.00407B42
00407A91 |> 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407A97 |. 50 PUSH EAX
00407A98 |. 57 PUSH EDI ; user name
00407A99 |. E8 A9000000 CALL WINZIP32.00407B47 ; computes the first registration code from the name
00407A9E |. BE A4CD4800 MOV ESI,WINZIP32.0048CDA4 ; ASCII "123456789"
00407AA3 |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407AA9 |. 56 PUSH ESI ; the fake code we entered, 123456789
00407AAA |. 50 PUSH EAX ; the real code, A203045F
00407AAB |. E8 20180600 CALL WINZIP32.004692D0
00407AB0 |. 83C4 10 ADD ESP,10
00407AB3 |. F7D8 NEG EAX
00407AB5 |. 1BC0 SBB EAX,EAX
00407AB7 |. 40 INC EAX
00407AB8 |. A3 DC9F4800 MOV DWORD PTR DS:[489FDC],EAX
00407ABD |. 75 68 JNZ SHORT WINZIP32.00407B27
00407ABF |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407AC5 |. 50 PUSH EAX
00407AC6 |. 57 PUSH EDI ; user name
00407AC7 |. E8 18010000 CALL WINZIP32.00407BE4 ; computes the second registration code from the name
00407ACC |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00407AD2 |. 56 PUSH ESI ; the fake code we entered, 123456789
00407AD3 |. 50 PUSH EAX ; the real code, 41475111
00407AD4 |. E8 F7170600 CALL WINZIP32.004692D0
00407AD9 |. 83C4 10 ADD ESP,10
00407ADC |. F7D8 NEG EAX
00407ADE |. 1BC0 SBB EAX,EAX
00407AE0 |. 40 INC EAX
00407AE1 |. A3 DC9F4800 MOV DWORD PTR DS:[489FDC],EAX
00407AE6 |. 75 3F JNZ SHORT WINZIP32.00407B27
00407AE8 |. 8D85 C4FEFFFF LEA EAX,DWORD PTR SS:[EBP-13C]
00407AEE |. 6A 04 PUSH 4
00407AF0 |. 50 PUSH EAX
00407AF1 |. 56 PUSH ESI
00407AF2 |. E8 C91B0600 CALL WINZIP32.004696C0
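The decision logic above is worth spelling out, because the `NEG EAX / SBB EAX,EAX / INC EAX` sequence after each `CALL 004692D0` is what turns a strcmp-style result (negative, zero or positive) into the 0/1 flag stored at 489FDC and tested by the caller. The following Python model is an added illustration, not WinZip's own code: it emulates that three-instruction idiom with an explicit carry flag and mirrors the visible control flow of the caller (00407FA1 onward) and of 004079D5. The two code-derivation routines 00407B47 and 00407BE4 are not on the page, so they are not reimplemented; the candidate codes for "doufu" are the two strings the comparison was observed to receive. The strings loaded from 0047E368 and 0047E378, the body of 00407CAB, and the return value at 00407B27 are likewise not shown, so the placeholders and the assumption that 00407B27 returns the stored flag are marked as assumptions in the code.

```python
"""Model of the WinZip 8.0 registration check as read from the listings
above.  Added illustration, not WinZip's code.  See the comments marked
"assumption" for everything the page does not show."""

MASK32 = 0xFFFFFFFF


def strcmp(a: bytes, b: bytes) -> int:
    """C strcmp semantics (<0, 0, >0).  004692D0 is assumed to behave so;
    its argument order does not matter for an equality test."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return len(a) - len(b)


def neg_sbb_inc(eax: int) -> int:
    """Emulate  NEG EAX / SBB EAX,EAX / INC EAX  on a 32-bit register.

    NEG sets CF iff its operand was non-zero.  SBB EAX,EAX computes
    EAX - EAX - CF = -CF, i.e. 0xFFFFFFFF when CF=1 and 0 otherwise.
    INC then yields 0 or 1.  Net effect: EAX becomes 1 exactly when it
    started as 0, so a strcmp result becomes a "strings are equal" flag.
    """
    eax &= MASK32
    cf = 1 if eax != 0 else 0
    eax = (-eax) & MASK32            # NEG EAX
    eax = (eax - eax - cf) & MASK32  # SBB EAX,EAX
    return (eax + 1) & MASK32        # INC EAX


# Observed, not derived: the two values the compare received for "doufu".
# Stands in for 00407B47 / 00407BE4, whose bodies are not on the page.
OBSERVED_CODES = {b"doufu": (b"A203045F", b"41475111")}

# Assumption: contents of the strings built from 0047E368 and 0047E378.
NAME_REJECTED_ALWAYS = b"placeholder-name-a"
NAME_REJECTED_ON_ODD_TICK = b"placeholder-name-b"


def transform_name(name: bytes) -> bytes:
    """Stand-in for 00407CAB (body not shown); assumption: identity."""
    return name


def check_code(name: bytes, code: bytes, tick_count: int = 0) -> int:
    """Return value of 004079D5: 1 = accepted, 0 = rejected."""
    if not name:                                         # JE at 004079EA
        return 0
    reject = 0                                           # ESI
    if strcmp(transform_name(name), NAME_REJECTED_ALWAYS) == 0:
        reject = 1                                       # 00407A1B..00407A2A
    if strcmp(name, NAME_REJECTED_ON_ODD_TICK) == 0:     # 00407A3F..00407A55
        if tick_count & 1:                               # TEST BL,AL with BL=1
            reject = 1
    if reject:                                           # 00407A7A..00407A8C
        return 0
    cand1, cand2 = OBSERVED_CODES.get(name, (None, None))
    if cand1 is None:
        return 0  # derivation for other names is unknown from this page
    flag = neg_sbb_inc(strcmp(cand1, code))              # 00407AAB..00407AB7
    if flag:                                             # JNZ 00407B27
        return flag  # assumption: 00407B27 returns the flag at 489FDC
    flag = neg_sbb_inc(strcmp(cand2, code))              # 00407AD4..00407AE0
    if flag:
        return flag
    return 0  # the listing stops at 00407AF2; later checks not modelled


def registration_dialog(name: bytes, code: bytes, tick_count: int = 0) -> str:
    """Caller logic from 00407FA1 to 0040800A."""
    if not name or not code:                             # JE at 00407FAA / 00407FB3
        return "Incomplete or incorrect information"
    if check_code(name, code, tick_count) == 0:          # TEST EAX,EAX / JE
        return "Incomplete or incorrect information"
    return "registered"


if __name__ == "__main__":
    for entered in (b"123456789", b"A203045F", b"41475111"):
        print(entered.decode(), "->", registration_dialog(b"doufu", entered))
```

Running the block reproduces the write-up: 123456789 hits the error dialog, while either observed code for doufu is accepted. The carry-flag emulation also shows why the flag is 1 only for an exact match: any non-zero strcmp result, positive or negative, collapses to 0.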
--------------------------------------------------------------------------------
【Summary】
This is my first crack write-up, so there are probably many mistakes; please bear with me.
This program accepts two registration codes for a given name, and either one works:
Name: doufu
Registration: A203045F or 41475111
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 technical forum. Please credit the author and keep the article intact when reposting. Thank you!