Analyzing an old program
Posted: 2004-10-2 16:03
JPEG Optimizer Version 3.15
cracker:essorg
tools:trw2000pll,language2k
level:0
Checked with language2k: not packed, written in VC++.
Go to the registration dialog, type any registration code, and the "Incorrect release code" box appears.
Press CTRL+N to enter TRW2000.
Use the hwnd command to find the window handle of that message box, then set bpmsg <hwnd> WM_COMMAND; press X to return to the error box and click OK, at which point TRW breaks in.
Use the U command to view the code; the captured listing follows:
017F:00429400 55 PUSH EBP
017F:00429401 8BEC MOV EBP,ESP
017F:00429403 81C4B4FEFFFF ADD ESP,FFFFFEB4
017F:00429409 53 PUSH EBX
017F:0042940A 56 PUSH ESI
017F:0042940B 57 PUSH EDI
017F:0042940C 8BD8 MOV EBX,EAX
017F:0042940E 8D75B8 LEA ESI,[EBP-48]
017F:00429411 B820244800 MOV EAX,00482420
017F:00429416 E8815A0400 CALL 0046EE9C
017F:0042941B 56 PUSH ESI
017F:0042941C 8D7D9C LEA EDI,[EBP-64] <---- destination address for the "correct registration" message
017F:0042941F BE48234800 MOV ESI,00482348 <---- stored (shifted) form of the "correct registration" message
017F:00429424 B906000000 MOV ECX,06
017F:00429429 F3A5 REP MOVSD
017F:0042942B 66A5 MOVSW
017F:0042942D A4 MOVSB
017F:0042942E 5E POP ESI
017F:0042942F 8DBD7CFFFFFF LEA EDI,[EBP+FFFFFF7C] <---- destination address for the "wrong registration" message
017F:00429435 56 PUSH ESI
017F:00429436 BE63234800 MOV ESI,00482363 <---- stored (shifted) form of the "wrong registration" message
017F:0042943B B907000000 MOV ECX,07
017F:00429440 BAB0254800 MOV EDX,004825B0
017F:00429445 F3A5 REP MOVSD
017F:00429447 A4 MOVSB
017F:00429448 5E POP ESI
... (omitted) ...
017F:004294FB 8D45EC LEA EAX,[EBP-14] <---- address of the entered registration code
017F:004294FE E87B320200 CALL 0044C77E <---- get the length of the entered code
017F:00429503 83F808 CMP EAX,BYTE +08 <---- is the entered code exactly 8 characters long?
017F:00429506 751B JNZ 00429523
017F:00429508 837DF800 CMP DWORD [EBP-08],BYTE +00
017F:0042950C 7405 JZ 00429513
017F:0042950E 8B55F8 MOV EDX,[EBP-08]
017F:00429511 EB05 JMP SHORT 00429518
017F:00429513 BAB3254800 MOV EDX,004825B3
017F:00429518 52 PUSH EDX
017F:00429519 E8A60B0000 CALL 0042A0C4 <---- verification core
017F:0042951E 59 POP ECX
017F:0042951F 84C0 TEST AL,AL <---- test the registration result flag
017F:00429521 7504 JNZ 00429527
017F:00429523 33C0 XOR EAX,EAX
017F:00429525 EB05 JMP SHORT 0042952C
017F:00429527 B801000000 MOV EAX,01
017F:0042952C 50 PUSH EAX
017F:0042952D FF4E1C DEC DWORD [ESI+1C]
017F:00429530 8D45EC LEA EAX,[EBP-14]
017F:00429533 BA02000000 MOV EDX,02
017F:00429538 E8E72F0200 CALL 0044C524
017F:0042953D 59 POP ECX
017F:0042953E 84C9 TEST CL,CL
017F:00429540 0F8458010000 JZ NEAR 0042969E <---- jump to the wrong-registration handling
... (omitted) ...
017F:0042962B 33C0 XOR EAX,EAX
017F:0042962D 56 PUSH ESI
017F:0042962E 8D7D9C LEA EDI,[EBP-64]
017F:00429631 83C9FF OR ECX,BYTE -01
017F:00429634 F2AE REPNE SCASB
017F:00429636 F7D1 NOT ECX
017F:00429638 2BF9 SUB EDI,ECX
017F:0042963A 8DB5B4FEFFFF LEA ESI,[EBP+FFFFFEB4]
017F:00429640 87F7 XCHG ESI,EDI
017F:00429642 8BD1 MOV EDX,ECX
017F:00429644 8BC7 MOV EAX,EDI
017F:00429646 C1E902 SHR ECX,02
017F:00429649 8D85B4FEFFFF LEA EAX,[EBP+FFFFFEB4]
017F:0042964F F3A5 REP MOVSD
017F:00429651 8BCA MOV ECX,EDX
017F:00429653 83E103 AND ECX,BYTE +03
017F:00429656 F3A4 REP MOVSB
017F:00429658 5E POP ESI
017F:00429659 50 PUSH EAX
017F:0042965A E891FDFFFF CALL 004293F0 <---- call the message conversion routine
017F:0042965F 59 POP ECX
017F:00429660 8B15789C4800 MOV EDX,[00489C78]
017F:00429666 8B8200030000 MOV EAX,[EDX+0300]
017F:0042966C B201 MOV DL,01
017F:0042966E E801440300 CALL 0045DA74
017F:00429673 E88C8DFDFF CALL 00402404
017F:00429678 6A40 PUSH BYTE +40
017F:0042967A 8D95B4FEFFFF LEA EDX,[EBP+FFFFFEB4]
017F:00429680 8B0D04A44800 MOV ECX,[0048A404]
017F:00429686 A15CA54900 MOV EAX,[0049A55C]
017F:0042968B E87C100400 CALL 0046A70C
017F:00429690 A1789C4800 MOV EAX,[00489C78]
017F:00429695 8BD0 MOV EDX,EAX
017F:00429697 E83CB9FDFF CALL 00404FD8
017F:0042969C EB50 JMP SHORT 004296EE
017F:0042969E 33C0 XOR EAX,EAX
017F:004296A0 56 PUSH ESI
017F:004296A1 8DBD7CFFFFFF LEA EDI,[EBP+FFFFFF7C]
017F:004296A7 83C9FF OR ECX,BYTE -01
017F:004296AA F2AE REPNE SCASB
017F:004296AC F7D1 NOT ECX
017F:004296AE 2BF9 SUB EDI,ECX
017F:004296B0 8DB5B4FEFFFF LEA ESI,[EBP+FFFFFEB4]
017F:004296B6 87F7 XCHG ESI,EDI
017F:004296B8 8BD1 MOV EDX,ECX
017F:004296BA 8BC7 MOV EAX,EDI
017F:004296BC C1E902 SHR ECX,02
017F:004296BF 8D85B4FEFFFF LEA EAX,[EBP+FFFFFEB4]
017F:004296C5 F3A5 REP MOVSD
017F:004296C7 8BCA MOV ECX,EDX
017F:004296C9 83E103 AND ECX,BYTE +03
017F:004296CC F3A4 REP MOVSB
017F:004296CE 5E POP ESI
017F:004296CF 50 PUSH EAX
017F:004296D0 E81BFDFFFF CALL 004293F0 <---- call the message conversion routine
017F:004296D5 59 POP ECX
017F:004296D6 6A30 PUSH BYTE +30
017F:004296D8 8D95B4FEFFFF LEA EDX,[EBP+FFFFFEB4]
Message conversion routine:
The call at 004296D0 converts the error message:
it turns Jodpssfdu!Sfhjtusbujpo!Dpef into Incorrect Registration Code
The call at 0042965A converts the thank-you message:
it turns Uibol!zpv!gps!sfhjtufsjoh into Thank you for registering
004293F0 55 PUSH EBP \:BYCALL CallBy:0042965A,004296D0,
004293F1 8BEC MOV EBP,ESP
004293F3 8B45 08 MOV EAX,[EBP+8]
004293F6 FE08 DEC BYTE PTR [EAX] \:BYJMP JmpBy:004293FC,
004293F8 40 INC EAX
004293F9 8038 00 CMP BYTE PTR [EAX],0
004293FC 75 F8 JNZ SHORT 004293F6 \:JMPUP
004293FE 5D POP EBP
004293FF C3 RETN
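As an added example (not code from the original post), here is a C reimplementation of the byte-shift routine at 004293F0 together with its inverse, to show what this kind of string obfuscation does and does not protect against:

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the original post's code): a C reimplementation of the
 * "conversion" routine at 004293F0. It walks a NUL-terminated buffer and
 * decrements each byte by one in place, so "Jodpssfdu" becomes "Incorrect"
 * and '!' (0x21) becomes a space (0x20). This hides the plaintext from a
 * strings dump and nothing more: whoever can read the decoder can undo it. */
static void shift_decode(char *s)
{
    for (; *s != '\0'; s++)
        *s -= 1;
}

/* The inverse, i.e. how the stored form was produced from the plaintext. */
static void shift_encode(char *s)
{
    for (; *s != '\0'; s++)
        *s += 1;
}

/* Apply `f` to a copy of `in` and compare the result with `expected`.
 * Returns 1 on match, 0 otherwise (or if `in` does not fit the buffer). */
static int transforms_to(void (*f)(char *), const char *in,
                         const char *expected)
{
    char buf[128];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    f(buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The two obfuscated strings quoted in the analysis above. */
    const char *stored[] = { "Jodpssfdu!Sfhjtusbujpo!Dpef",
                             "Uibol!zpv!gps!sfhjtufsjoh" };
    for (int i = 0; i < 2; i++) {
        char buf[128];
        strcpy(buf, stored[i]);
        shift_decode(buf);
        printf("%s -> %s\n", stored[i], buf);
    }
    return 0;
}
```

The practical lesson for anyone protecting software is that a reversible per-byte shift only defeats a static string search; the decoder itself is the key, and a debugger breakpoint on it recovers every message.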
Comparison core:
017F:0042A0C4 55 PUSH EBP
017F:0042A0C5 8BEC MOV EBP,ESP
017F:0042A0C7 83C4F4 ADD ESP,BYTE -0C
017F:0042A0CA 53 PUSH EBX
017F:0042A0CB 8B4508 MOV EAX,[EBP+08]
017F:0042A0CE 8D5DF4 LEA EBX,[EBP-0C]
017F:0042A0D1 8A10 MOV DL,[EAX]
017F:0042A0D3 8813 MOV [EBX],DL
017F:0042A0D5 8A4801 MOV CL,[EAX+01]
017F:0042A0D8 884B01 MOV [EBX+01],CL
017F:0042A0DB 8A5002 MOV DL,[EAX+02]
017F:0042A0DE 885302 MOV [EBX+02],DL
017F:0042A0E1 8A4803 MOV CL,[EAX+03]
017F:0042A0E4 884B03 MOV [EBX+03],CL
017F:0042A0E7 8A5004 MOV DL,[EAX+04]
017F:0042A0EA 885304 MOV [EBX+04],DL
017F:0042A0ED 8A4805 MOV CL,[EAX+05]
017F:0042A0F0 884B05 MOV [EBX+05],CL
017F:0042A0F3 8A5006 MOV DL,[EAX+06]
017F:0042A0F6 885306 MOV [EBX+06],DL
017F:0042A0F9 8A4807 MOV CL,[EAX+07]
017F:0042A0FC 884B07 MOV [EBX+07],CL
017F:0042A0FF 8A4008 MOV AL,[EAX+08]
017F:0042A102 884308 MOV [EBX+08],AL
017F:0042A105 C6430900 MOV BYTE [EBX+09],00
017F:0042A109 0FBE03 MOVSX EAX,BYTE [EBX]
017F:0042A10C 50 PUSH EAX
017F:0042A10D E8228C0400 CALL 00472D34 <---- convert lowercase to uppercase
017F:0042A112 59 POP ECX
017F:0042A113 83F84A CMP EAX,BYTE +4A 〈----J
017F:0042A116 7559 JNZ 0042A171
017F:0042A118 0FBE5301 MOVSX EDX,BYTE [EBX+01]
017F:0042A11C 52 PUSH EDX
017F:0042A11D E8128C0400 CALL 00472D34
017F:0042A122 59 POP ECX
017F:0042A123 83F853 CMP EAX,BYTE +53 〈----S
017F:0042A126 7549 JNZ 0042A171
017F:0042A128 0FBE4B02 MOVSX ECX,BYTE [EBX+02]
017F:0042A12C 83F924 CMP ECX,BYTE +24 〈----$
017F:0042A12F 7540 JNZ 0042A171
017F:0042A131 0FBE4303 MOVSX EAX,BYTE [EBX+03]
017F:0042A135 83F832 CMP EAX,BYTE +32 〈----2
017F:0042A138 7537 JNZ 0042A171
017F:0042A13A 0FBE5304 MOVSX EDX,BYTE [EBX+04]
017F:0042A13E 83FA38 CMP EDX,BYTE +38 〈----8
017F:0042A141 752E JNZ 0042A171
017F:0042A143 0FBE4B05 MOVSX ECX,BYTE [EBX+05]
017F:0042A147 83F939 CMP ECX,BYTE +39 〈----9
017F:0042A14A 7525 JNZ 0042A171
017F:0042A14C 0FBE4306 MOVSX EAX,BYTE [EBX+06]
017F:0042A150 83F832 CMP EAX,BYTE +32 〈----2
017F:0042A153 751C JNZ 0042A171
017F:0042A155 0FBE5307 MOVSX EDX,BYTE [EBX+07]
017F:0042A159 83FA31 CMP EDX,BYTE +31 〈----1
017F:0042A15C 7513 JNZ 0042A171
017F:0042A15E C70508A448001443+MOV DWORD [0048A408],69FC4314
017F:0042A168 E8B7A7FDFF CALL 00404924
017F:0042A16D B001 MOV AL,01
017F:0042A16F EB1B JMP SHORT 0042A18C
017F:0042A171 53 PUSH EBX
017F:0042A172 E8D1280000 CALL 0042CA48
017F:0042A177 59 POP ECX
017F:0042A178 84C0 TEST AL,AL
017F:0042A17A 7404 JZ 0042A180
017F:0042A17C B001 MOV AL,01
017F:0042A17E EB0C JMP SHORT 0042A18C
017F:0042A180 C70508A44800EBBC+MOV DWORD [0048A408],9603BCEB
017F:0042A18A 33C0 XOR EAX,EAX
017F:0042A18C 5B POP EBX
017F:0042A18D 8BE5 MOV ESP,EBP
017F:0042A18F 5D POP EBP
017F:0042A190 C3 RETN
Summary:
Break in via the error window's handle and trace to the comparison core. This program is rather sly: it stores its messages with the bytes shifted and converts them back in code before use, which is a lot of effort, but in the end the comparison itself is too simple, so no amount of elaborate address hiding helps.
Registration code: JS$28921 or js$28921