【文章标题】: 第一次写内存注册机
【文章作者】: LLY
【作者邮箱】: lly543@gmail.com
【作者QQ号】: 53221455
【软件名称】: ×××××2.1
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
同事今天要处理几百张图片,如果用Photoshop一张一张处理太慢了,用动作也不方便,于是到网上下载了×××××,还挺好用的,但未注册只能用30天,于是。。。
首先用PeiD查一下马甲原来是ASPack2.12->Alexey Solodovnikov用ESP定律很快脱掉了马甲,老规矩先运行一下脱壳后的程序,可以运行,点现在注册输入假码点注册,有尾巴,呵呵,OK
用OD载入SignPics.exe
00538CE4 > $ 55 PUSH EBP//暂停在这里
00538CE5 . 8BEC MOV EBP,ESP
00538CE7 . 83C4 F0 ADD ESP,-10
00538CEA . B8 14885300 MOV EAX,SignPics.00538814
00538CEF . E8 38E7ECFF CALL SignPics.0040742C
既然有尾巴当然是搜索到尾巴下断了
00535010 . 53 PUSH EBX
00535011 . 8BD8 MOV EBX,EAX
00535013 . 6A 10 PUSH 10
00535015 . 68 30505300 PUSH SignPics.00535030 ; 错误
0053501A . 68 38505300 PUSH SignPics.00535038 ; 无效的注册码!//尾巴在这里
往上看一下代码
00534F94 /. 55 PUSH EBP //在这里下断
00534F95 |. 8BEC MOV EBP,ESP
00534F97 |. 6A 00 PUSH 0
00534F99 |. 6A 00 PUSH 0
00534F9B |. 53 PUSH EBX
00534F9C |. 8BD9 MOV EBX,ECX
00534F9E |. 33C0 XOR EAX,EAX
F9运行程序输入假码lly12345678程序中断在00534F94
00534F94 /. 55 PUSH EBP
00534F95 |. 8BEC MOV EBP,ESP
00534F97 |. 6A 00 PUSH 0
00534F99 |. 6A 00 PUSH 0
00534F9B |. 53 PUSH EBX
00534F9C |. 8BD9 MOV EBX,ECX
00534F9E |. 33C0 XOR EAX,EAX
00534FA0 |. 55 PUSH EBP
00534FA1 |. 68 02505300 PUSH SignPics.00535002
00534FA6 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00534FA9 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00534FAC |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00534FAF |. A1 142F5500 MOV EAX,DWORD PTR DS:[552F14]
00534FB4 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
00534FBA |. E8 115AF2FF CALL SignPics.0045A9D0 //计算出了机器码
00534FBF |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00534FC2 |. 8BC3 MOV EAX,EBX
00534FC4 |. E8 1701EDFF CALL SignPics.004050E0
00534FC9 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00534FCC |. A1 142F5500 MOV EAX,DWORD PTR DS:[552F14]
00534FD1 |. 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
00534FD7 |. E8 F459F2FF CALL SignPics.0045A9D0 //出现了我输入的假码lly12345678
00534FDC |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00534FDF |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00534FE2 |. E8 F900EDFF CALL SignPics.004050E0
00534FE7 |. 33C0 XOR EAX,EAX
00534FE9 |. 5A POP EDX
00534FEA |. 59 POP ECX
00534FEB |. 59 POP ECX
00534FEC |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00534FEF |. 68 09505300 PUSH SignPics.00535009
00534FF4 |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00534FF7 |. BA 02000000 MOV EDX,2
00534FFC |. E8 AF00EDFF CALL SignPics.004050B0
00535001 \. C3 RETN
一路F8到了0053285F
0053285F |. 8D86 9C000000 LEA EAX,DWORD PTR DS:[ESI+9C]
00532865 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00532868 |. E8 7328EDFF CALL SignPics.004050E0
0053286D |. 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
00532870 |. 8B96 9C000000 MOV EDX,DWORD PTR DS:[ESI+9C]
00532876 |. 8BC6 MOV EAX,ESI
00532878 |. E8 D3010000 CALL SignPics.00532A50 //计算出了注册码
0053287D |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
00532881 |. 74 2C JE SHORT SignPics.005328AF
00532883 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00532886 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00532889 |. E8 CE6EEDFF CALL SignPics.0040975C //EAX里出现了注册码,写内存注册机的话到此就可以结束了
0053288E |. 85C0 TEST EAX,EAX
00532890 |. 0F94C3 SETE BL
00532893 |. 84DB TEST BL,BL
00532895 |. 75 18 JNZ SHORT SignPics.005328AF
00532897 |. 66:83BE EA000>CMP WORD PTR DS:[ESI+EA],0
0053289F |. 74 0E JE SHORT SignPics.005328AF
005328A1 |. 8BD6 MOV EDX,ESI
005328A3 |. 8B86 EC000000 MOV EAX,DWORD PTR DS:[ESI+EC]
005328A9 |. FF96 E8000000 CALL DWORD PTR DS:[ESI+E8]
005328AF |> 84DB TEST BL,BL
005328B1 |. 0F84 9D000000 JE SignPics.00532954
005328B7 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
005328BA |. 50 PUSH EAX
005328BB |. B1 01 MOV CL,1
005328BD |. 8B96 9C000000 MOV EDX,DWORD PTR DS:[ESI+9C]
005328C3 |. 8BC6 MOV EAX,ESI
005328C5 |. E8 42E2FFFF CALL SignPics.00530B0C
005328CA |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
005328CD |. BA C8295300 MOV EDX,SignPics.005329C8 ; r1
005328D2 |. 8BC6 MOV EAX,ESI
005328D4 |. E8 5FEFFFFF CALL SignPics.00531838
005328D9 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
005328DC |. 50 PUSH EAX
005328DD |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
005328E0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005328E3 |. E8 6C6CEDFF CALL SignPics.00409554
005328E8 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
005328EB |. B1 01 MOV CL,1
005328ED |. 8BC6 MOV EAX,ESI
005328EF |. E8 18E2FFFF CALL SignPics.00530B0C
005328F4 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
005328F7 |. BA D4295300 MOV EDX,SignPics.005329D4 ; r2
005328FC |. 8BC6 MOV EAX,ESI
005328FE |. E8 35EFFFFF CALL SignPics.00531838
00532903 |. 66:83BE 1A010>CMP WORD PTR DS:[ESI+11A],0
0053290B |. 74 18 JE SHORT SignPics.00532925
0053290D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00532910 |. 50 PUSH EAX
00532911 |. 8B8E 9C000000 MOV ECX,DWORD PTR DS:[ESI+9C]
00532917 |. 8BD6 MOV EDX,ESI
00532919 |. 8B86 1C010000 MOV EAX,DWORD PTR DS:[ESI+11C]
0053291F |. FF96 18010000 CALL DWORD PTR DS:[ESI+118]
00532925 |> 66:83BE 3A010>CMP WORD PTR DS:[ESI+13A],0
0053292D |. 74 0E JE SHORT SignPics.0053293D
0053292F |. 8BD6 MOV EDX,ESI
00532931 |. 8B86 3C010000 MOV EAX,DWORD PTR DS:[ESI+13C]
00532937 |. FF96 38010000 CALL DWORD PTR DS:[ESI+138]
0053293D |> 8D86 9C000000 LEA EAX,DWORD PTR DS:[ESI+9C]
00532943 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00532946 |. E8 9527EDFF CALL SignPics.004050E0
0053294B |. C686 A0000000>MOV BYTE PTR DS:[ESI+A0],1
00532952 |. EB 2A JMP SHORT SignPics.0053297E
00532954 |> 66:83BE 42010>CMP WORD PTR DS:[ESI+142],0
0053295C |. 74 0E JE SHORT SignPics.0053296C
0053295E |. 8BD6 MOV EDX,ESI
00532960 |. 8B86 44010000 MOV EAX,DWORD PTR DS:[ESI+144]
00532966 |. FF96 40010000 CALL DWORD PTR DS:[ESI+140]
0053296C |> 8D86 9C000000 LEA EAX,DWORD PTR DS:[ESI+9C]
00532972 |. E8 1527EDFF CALL SignPics.0040508C
00532977 |. C686 A0000000>MOV BYTE PTR DS:[ESI+A0],2
0053297E |> 66:83BE 22010>CMP WORD PTR DS:[ESI+122],0
00532986 |. 74 0E JE SHORT SignPics.00532996
00532988 |. 8BD6 MOV EDX,ESI
0053298A |. 8B86 24010000 MOV EAX,DWORD PTR DS:[ESI+124]
00532990 |. FF96 20010000 CALL DWORD PTR DS:[ESI+120]
00532996 |> 33C0 XOR EAX,EAX
00532998 |. 5A POP EDX
00532999 |. 59 POP ECX
0053299A |. 59 POP ECX
0053299B |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0053299E |. 68 B8295300 PUSH SignPics.005329B8
005329A3 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
005329A6 |. BA 06000000 MOV EDX,6
005329AB |. E8 0027EDFF CALL SignPics.004050B0
005329B0 \. C3 RETN
我接触Crack才几天,所以还不会分析算法,写个内存注册机吧,论坛的兄弟姐妹教我分析算法啊!
中断地址:00532889
中断次数:1
第一字节:E8
指令长度:5
OK,就写到这里了
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年10月30日 9:34:13
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!