【Title】: A complete crack of 《俪影2046》, a newbie's write-up.
【Author】: JackyChou
【Author's e-mail】: jiaqicx@163.com
【Software】: 《俪影2046》
【Download】: search for it yourself
【Packer】: none
【Protection】: none
【Language】: VC
【Tools】: OD, IDA, PEiD
【Platform】: XP
【Description】: image-making software
【Author's note】: Just out of interest, nothing more. Corrections from the experts are welcome wherever I have slipped up!
--------------------------------------------------------------------------------
【Details】
For anyone without image-editing experience this program is a real help: plenty of beautiful templates that you simply drag onto the canvas.
The unregistered version disables saving and printing images; nothing else is restricted.
Down to business:
PEiD finds no packer. Load it in OD and scroll down a little; you can see the MFC 8.0 class library.
Excerpt of the code:
0046C611 > $ E8 B0060000 call 0046CCC6
0046C616 .^ E9 36FDFFFF jmp 0046C351
0046C61B . 53 push ebx
0046C61C . 8A5C24 08 mov bl, byte ptr [esp+8]
0046C620 . F6C3 02 test bl, 2
0046C623 . 56 push esi
0046C624 . 8BF1 mov esi, ecx
0046C626 . 74 24 je short 0046C64C
0046C628 . 57 push edi
0046C629 . 68 78CF4600 push <jmp.&MSVCR80.type_info::_type_info_d>; entry address
0046C62E . 8D7E FC lea edi, dword ptr [esi-4]
0046C631 . FF37 push dword ptr [edi]
0046C633 . 6A 0C push 0C
0046C635 . 56 push esi
0046C636 . E8 8D000000 call 0046C6C8
0046C63B . F6C3 01 test bl, 1
0046C63E . 74 07 je short 0046C647
0046C640 . 57 push edi ; /block
0046C641 . E8 A2EAFFFF call <jmp.&MFC80U.#764> ; \free
0046C646 . 59 pop ecx
0046C647 > 8BC7 mov eax, edi
0046C649 . 5F pop edi
0046C64A . EB 13 jmp short 0046C65F
0046C64C > E8 27090000 call <jmp.&MSVCR80.type_info::_type_info_d>
0046C651 . F6C3 01 test bl, 1
0046C654 . 74 07 je short 0046C65D
0046C656 . 56 push esi ; /block
0046C657 . E8 8CEAFFFF call <jmp.&MFC80U.#764> ; \free
0046C65C . 59 pop ecx
0046C65D > 8BC6 mov eax, esi
0046C65F > 5E pop esi
0046C660 . 5B pop ebx
0046C661 . C2 0400 retn 4
0046C664 .- FF25 F4904700 jmp dword ptr [<&MSVCR80._purecall>] ; MSVCR80._purecall
0046C66A $ 6A 14 push 14
0046C66C . 68 508C4900 push 00498C50
0046C671 . E8 AE020000 call 0046C924
So the program is written in MFC, built with VS2005.
Now to find and remove the registration limit.
When the program starts unregistered it shows a welcome window with a Register button, and you have to click OK before you can do anything else.
That means the dialog is modal, which gives us an entry point for tracing: set a breakpoint on the API DestroyWindow.
After clicking OK, OD breaks; Alt+F9 to return to the program's own code.
00410D44 > \6A 03 push 3
00410D46 . E8 31A90500 call <jmp.&MFC80U.#6086>
00410D4B > 57 push edi
00410D4C . 8BCE mov ecx, esi
00410D4E . E8 93F9FFFF call 004106E6 ; key CALL, F7 to step in
00410D53 . 85C0 test eax, eax
00410D55 . 75 2A jnz short 00410D81 ; key jump
00410D57 . 57 push edi
00410D58 . 8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
00410D5E . E8 32990500 call 0046A695
00410D63 . 8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
00410D69 . C645 FC 07 mov byte ptr [ebp-4], 7
00410D6D . E8 44A50500 call <jmp.&MFC80U.#2011> ; calls the modal dialog, the welcome window
00410D72 . 8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8] ; returns here, into the program's own code
00410D78 . C645 FC 06 mov byte ptr [ebp-4], 6
00410D7C . E8 35990500 call 0046A6B6
00410D81 > C745 E4 D8BE4>mov dword ptr [ebp-1C], 0047BED8
00410D88 . 897D E8 mov dword ptr [ebp-18], edi
00410D8B . C645 FC 08 mov byte ptr [ebp-4], 8
00410D8F . E8 D212FFFF call 00402066
00410D94 . FF70 20 push dword ptr [eax+20] ; /hWnd
00410D97 . FF15 68924700 call dword ptr [<&USER32.GetMenu>] ; \GetMenu
00410D9D . 50 push eax
00410D9E . E8 5BAB0500 call <jmp.&MFC80U.#2365>
00410DA3 . 3BC7 cmp eax, edi
00410DA5 . 75 04 jnz short 00410DAB
00410DA7 . 33C0 xor eax, eax
00410DA9 . EB 03 jmp short 00410DAE
00410DAB > 8B40 04 mov eax, dword ptr [eax+4]
00410DAE > 50 push eax
00410DAF . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00410DB2 . E8 1FAC0500 call <jmp.&MFC80U.#1274>
00410DB7 . 6A 04 push 4 ; /Pos = 4
00410DB9 . FF75 E8 push dword ptr [ebp-18] ; |hMenu
00410DBC . FF15 6C924700 call dword ptr [<&USER32.GetSubMenu>] ; \GetSubMenu
00410DC2 . 50 push eax
00410DC3 . E8 36AB0500 call <jmp.&MFC80U.#2365>
00410DC8 . 8BD8 mov ebx, eax
00410DCA . 3BDF cmp ebx, edi
00410DCC . 74 1B je short 00410DE9
00410DCE . 8B35 70924700 mov esi, dword ptr [<&USER32.DeleteMenu>] ; USER32.DeleteMenu
00410DD4 . BF 00040000 mov edi, 400
00410DD9 . 57 push edi ; /Flags => MF_BYPOSITION|MF_ENABLED|MF_STRING
00410DDA . 6A 05 push 5 ; |ItemId = 5
00410DDC . FF73 04 push dword ptr [ebx+4] ; |hMenu
00410DDF . FFD6 call esi ; \DeleteMenu
00410DE1 . 57 push edi ; /Flags => MF_BYPOSITION|MF_ENABLED|MF_STRING
00410DE2 . 6A 04 push 4 ; |ItemId = 4
00410DE4 . FF73 04 push dword ptr [ebx+4] ; |hMenu
00410DE7 . FFD6 call esi ; \DeleteMenu
00410DE9 > 8D4D E4 lea ecx, dword ptr [ebp-1C]
00410DEC . E8 DFAB0500 call <jmp.&MFC80U.#1962>
00410DF1 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
00410DF4 . C645 FC 06 mov byte ptr [ebp-4], 6
00410DF8 . C745 E4 D8BE4>mov dword ptr [ebp-1C], 0047BED8
00410DFF . E8 F4AA0500 call <jmp.&MFC80U.#1946>
00410E04 . 33FF xor edi, edi
00410E06 . 47 inc edi
00410E07 .^ E9 07FFFFFF jmp 00410D13
The key CALL above, 00410D4E . E8 93F9FFFF call 004106E6, is called from many places in the program, so I suspect this function is the registration check, and the whole crack can be done inside it.
F7 to step in.
004106E6 /$ 68 1C020000 push 21C
004106EB |. B8 55EB4600 mov eax, 0046EB55
004106F0 |. E8 B5C00500 call 0046C7AA
004106F5 |. BE AC944700 mov esi, 004794AC
004106FA |. 56 push esi
004106FB |. 68 18964700 push 00479618 ; UNICODE "PassWord"
00410700 |. BF 2C964700 mov edi, 0047962C ; UNICODE "Register"
00410705 |. 57 push edi
00410706 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
00410709 |. 50 push eax
0041070A |. 8BD9 mov ebx, ecx
0041070C |. E8 E7AB0500 call <jmp.&MFC80U.#3104>
00410711 |. 8365 FC 00 and dword ptr [ebp-4], 0
00410715 |. 8D45 B4 lea eax, dword ptr [ebp-4C]
00410718 |. 50 push eax
00410719 |. E8 CEFDFFFF call 004104EC
0041071E |. 56 push esi
0041071F |. 68 40964700 push 00479640 ; UNICODE "Email"
00410724 |. 57 push edi
00410725 |. 8D45 C0 lea eax, dword ptr [ebp-40]
00410728 |. 50 push eax
00410729 |. 8BCB mov ecx, ebx
0041072B |. E8 C8AB0500 call <jmp.&MFC80U.#3104>
00410730 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
00410733 |. C645 FC 01 mov byte ptr [ebp-4], 1
00410737 |. FF15 3C834700 call dword ptr [<&MFC80U.#3927>] ; MFC80U.78303B70
0041073D |. 84C0 test al, al
0041073F |. 74 26 je short 00410767
00410741 |. 8D45 B8 lea eax, dword ptr [ebp-48]
00410744 |. 50 push eax
00410745 |. 8BCB mov ecx, ebx
00410747 |. E8 23F3FFFF call 0040FA6F
0041074C |. 50 push eax
0041074D |. 8D4D C0 lea ecx, dword ptr [ebp-40]
00410750 |. C645 FC 02 mov byte ptr [ebp-4], 2
00410754 |. FF15 848E4700 call dword ptr [<&MFC80U.#774>] ; MFC80U.78305C20
0041075A |. 8D4D B8 lea ecx, dword ptr [ebp-48]
0041075D |. C645 FC 01 mov byte ptr [ebp-4], 1
00410761 |. FF15 00904700 call dword ptr [<&MFC80U.#577>] ; MFC80U.7834DD87
00410767 |> 68 C8C04700 push 0047C0C8 ; UNICODE "45p734p434p545p3"
0041076C |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
0041076F |. FF15 60834700 call dword ptr [<&MFC80U.#1472>] ; MFC80U.78305D7F
00410775 |. 85C0 test eax, eax
00410777 |. 74 36 je short 004107AF
00410779 |. 68 A4C04700 push 0047C0A4 ; UNICODE "89d699f63d56012p"
0041077E |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
00410781 |. FF15 60834700 call dword ptr [<&MFC80U.#1472>] ; MFC80U.78305D7F
00410787 |. 85C0 test eax, eax
00410789 |. 74 24 je short 004107AF
0041078B |. 68 80C04700 push 0047C080 ; UNICODE "a47c018ed385757d"
00410790 |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
00410793 |. FF15 60834700 call dword ptr [<&MFC80U.#1472>] ; MFC80U.78305D7F
00410799 |. 85C0 test eax, eax
0041079B |. 74 12 je short 004107AF
0041079D |. 68 5CC04700 push 0047C05C ; UNICODE "8888888888888888"
004107A2 |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
004107A5 |. FF15 60834700 call dword ptr [<&MFC80U.#1472>] ; MFC80U.78305D7F
004107AB |. 85C0 test eax, eax
004107AD |. 75 0A jnz short 004107B9
004107AF |> 56 push esi
004107B0 |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
004107B3 |. FF15 F88F4700 call dword ptr [<&MFC80U.#776>] ; MFC80U.78305C32
004107B9 |> 6A 14 push 14 ; /n = 14 (20.)
004107BB |. 33F6 xor esi, esi ; |
004107BD |. 8D45 DC lea eax, dword ptr [ebp-24] ; |
004107C0 |. 56 push esi ; |c => 00
004107C1 |. 50 push eax ; |s
004107C2 |. E8 57C10500 call <jmp.&MSVCR80.memset> ; \memset
004107C7 |. 6A 14 push 14 ; /n = 14 (20.)
004107C9 |. 8D45 C8 lea eax, dword ptr [ebp-38] ; |
004107CC |. 56 push esi ; |c
004107CD |. 50 push eax ; |s
004107CE |. E8 4BC10500 call <jmp.&MSVCR80.memset> ; \memset
004107D3 |. 83C4 18 add esp, 18
004107D6 |. 6A 08 push 8
004107D8 |. 8D45 DC lea eax, dword ptr [ebp-24]
004107DB |. 50 push eax
004107DC |. 51 push ecx
004107DD |. 8D45 C4 lea eax, dword ptr [ebp-3C]
004107E0 |. 8BCC mov ecx, esp
004107E2 |. 8965 B8 mov dword ptr [ebp-48], esp
004107E5 |. 50 push eax
004107E6 |. FF15 748E4700 call dword ptr [<&MFC80U.#280>] ; MFC80U.7830581E
004107EC |. E8 E1750400 call 00457DD2
004107F1 |. 8D45 C8 lea eax, dword ptr [ebp-38]
004107F4 |. 50 push eax
004107F5 |. 8D45 DC lea eax, dword ptr [ebp-24]
004107F8 |. 50 push eax
004107F9 |. 33FF xor edi, edi
004107FB |. 68 F8FD4900 push 0049FDF8 ; ASCII "238990123478987"
00410800 |. 47 inc edi
00410801 |. 57 push edi
00410802 |. E8 4ACBFFFF call 0040D351
00410807 |. 83C4 1C add esp, 1C
0041080A |. 8D45 C8 lea eax, dword ptr [ebp-38]
0041080D |. 50 push eax
0041080E |. 8D4D BC lea ecx, dword ptr [ebp-44]
00410811 |. FF15 8C874700 call dword ptr [<&MFC80U.#291>] ; MFC80U.78305930
00410817 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
0041081A |. C645 FC 03 mov byte ptr [ebp-4], 3
0041081E |. FF15 3C834700 call dword ptr [<&MFC80U.#3927>] ; MFC80U.78303B70
00410824 |. 84C0 test al, al
00410826 |. 75 3A jnz short 00410862
00410828 |. 8D45 BC lea eax, dword ptr [ebp-44]
0041082B |. 50 push eax
0041082C |. 8D45 C0 lea eax, dword ptr [ebp-40]
0041082F |. 50 push eax
00410830 |. E8 9C17FFFF call 00401FD1
00410835 |. 84C0 test al, al
00410837 |. 59 pop ecx
00410838 |. 59 pop ecx
00410839 |. 74 27 je short 00410862 ; key jump, NOP it and the check passes.
0041083B |> 8BF7 mov esi, edi
0041083D |> 8D4D BC lea ecx, dword ptr [ebp-44]
00410840 |. FF15 00904700 call dword ptr [<&MFC80U.#577>] ; MFC80U.7834DD87
00410846 |. 8D4D C0 lea ecx, dword ptr [ebp-40]
00410849 |. FF15 00904700 call dword ptr [<&MFC80U.#577>] ; MFC80U.7834DD87
0041084F |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
00410852 |. FF15 00904700 call dword ptr [<&MFC80U.#577>] ; MFC80U.7834DD87
00410858 |. 8BC6 mov eax, esi
0041085A |. E8 CEBF0500 call 0046C82D
0041085F |. C2 0400 retn 4
00410862 |> 3975 08 cmp dword ptr [ebp+8], esi
00410865 |.^ 74 D6 je short 0041083D
00410867 |. 56 push esi
00410868 |. 8D8D D8FDFFFF lea ecx, dword ptr [ebp-228]
0041086E |. E8 EF730400 call 00457C62
00410873 |. 8D8D D8FDFFFF lea ecx, dword ptr [ebp-228]
00410879 |. C645 FC 04 mov byte ptr [ebp-4], 4
0041087D |. E8 34AA0500 call <jmp.&MFC80U.#2011>
00410882 |. 3BC7 cmp eax, edi
00410884 |. C645 FC 03 mov byte ptr [ebp-4], 3
00410888 |. 8D8D D8FDFFFF lea ecx, dword ptr [ebp-228]
0041088E |. 75 07 jnz short 00410897
00410890 |. E8 CFEFFFFF call 0040F864
00410895 |.^ EB A4 jmp short 0041083B
00410897 |> E8 C8EFFFFF call 0040F864
0041089C \.^ EB 9F jmp short 0041083D
Save the patched program and run it. OK, no welcome window; click Register in the menu and it reports registration succeeded.
But it isn't over yet: a non-modal window without a title bar appears in the centre of the screen, stays permanently on top of everything on the desktop, and reads "The software you are using is cracked XXXXX". So the program checks again at startup. Load it into IDA for analysis; the second check turns up at the following spot.
Excerpt of the code:
00410E99 . 6A 01 push 1
00410E9B . FF75 E8 push dword ptr [ebp-18]
00410E9E . 8BCB mov ecx, ebx
00410EA0 . FF75 E4 push dword ptr [ebp-1C]
00410EA3 . E8 908E0300 call 00449D38
00410EA8 > 89BE A8000000 mov dword ptr [esi+A8], edi
00410EAE > 8D86 DC000000 lea eax, dword ptr [esi+DC]
00410EB4 . 3938 cmp dword ptr [eax], edi
00410EB6 . 0F84 63010000 je 0041101F
00410EBC . 57 push edi
00410EBD . 8BCE mov ecx, esi
00410EBF . 8938 mov dword ptr [eax], edi
00410EC1 . E8 20F8FFFF call 004106E6 ; the registration check function mentioned earlier.
00410EC6 . 83F8 01 cmp eax, 1
00410EC9 . 0F85 50010000 jnz 0041101F ; jumps if registration failed
00410ECF . 8BCE mov ecx, esi
00410ED1 . E8 0EF2FFFF call 004100E4 ; yet another check.
00410ED6 . 85C0 test eax, eax
00410ED8 . 0F85 41010000 jnz 0041101F ; this is the only call to that function; leave it alone and take the jump here.
00410EDE . 8D4D F0 lea ecx, dword ptr [ebp-10] ; if the jump is not taken, the annoying window mentioned above is shown
00410EE1 . FF15 F48F4700 call dword ptr [<&MFC80U.#293>] ; MFC80U.783997F3
00410EE7 . 897D FC mov dword ptr [ebp-4], edi
00410EEA . E8 F7A30500 call <jmp.&MFC80U.#1079>
00410EEF . 8B58 08 mov ebx, dword ptr [eax+8]
00410EF2 . B8 00010000 mov eax, 100
00410EF7 . 50 push eax
00410EF8 . 50 push eax
00410EF9 . 8D4D F0 lea ecx, dword ptr [ebp-10]
00410EFC . FF15 B4834700 call dword ptr [<&MFC80U.#2460>] ; MFC80U.78305431
00410F02 . 50 push eax ; |PathBuffer
00410F03 . 53 push ebx ; |hModule
00410F04 . FF15 C4824700 call dword ptr [<&KERNEL32.GetModuleFileNa>; \gets the EXE's own path, in order to load the image from that directory
00410F0A . 6A FF push -1
00410F0C . 8D4D F0 lea ecx, dword ptr [ebp-10]
00410F0F . FF15 B0834700 call dword ptr [<&MFC80U.#5398>] ; MFC80U.7830549F
00410F15 . 8D45 00 lea eax, dword ptr [ebp]
00410F18 . 50 push eax
00410F19 . 8D4D F0 lea ecx, dword ptr [ebp-10]
00410F1C . 897D 00 mov dword ptr [ebp], edi
00410F1F . 897D 04 mov dword ptr [ebp+4], edi
00410F22 . 897D 08 mov dword ptr [ebp+8], edi
00410F25 . 897D 0C mov dword ptr [ebp+C], edi
00410F28 . 897D 10 mov dword ptr [ebp+10], edi
00410F2B . 897D 14 mov dword ptr [ebp+14], edi
00410F2E . FF15 A48E4700 call dword ptr [<&MFC80U.#870>] ; MFC80U.7839327F
00410F34 . 50 push eax
00410F35 . E8 0CA40500 call <jmp.&MFC80U.#3383>
00410F3A . 85C0 test eax, eax
00410F3C . 0F84 D0000000 je 00411012
00410F42 . 8D45 DC lea eax, dword ptr [ebp-24]
00410F45 . 50 push eax
00410F46 . E8 A1F5FFFF call 004104EC
00410F4B . 57 push edi
00410F4C . BF D4C14700 mov edi, 0047C1D4 ; UNICODE "Days"
00410F51 . 57 push edi
00410F52 . BB 40C24700 mov ebx, 0047C240 ; UNICODE "Desktop"
00410F57 . 53 push ebx
00410F58 . 8BCE mov ecx, esi
00410F5A . E8 75A90500 call <jmp.&MFC80U.#3103>
00410F5F . 8B55 DC mov edx, dword ptr [ebp-24]
00410F62 . 2B55 08 sub edx, dword ptr [ebp+8]
00410F65 . 8B4D E0 mov ecx, dword ptr [ebp-20]
00410F68 . 1B4D 0C sbb ecx, dword ptr [ebp+C]
00410F6B . 85C9 test ecx, ecx
00410F6D . 7F 15 jg short 00410F84
00410F6F . 7C 08 jl short 00410F79
00410F71 . 81FA 80F40300 cmp edx, 3F480
00410F77 . 77 0B ja short 00410F84
00410F79 > 3D 5540EF01 cmp eax, 1EF4055
00410F7E . 0F84 8C000000 je 00411010
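The comparison at 00410F5F..00410F79 is worth reading slowly: a `sub`/`sbb` pair followed by `test`/`jg`/`jl` on the high dword and an unsigned `ja` on the low dword is how the compiler emits a single signed 64-bit comparison, `(a - b) > 0x3F480`. The C below is an added model of that instruction sequence (mine, not code from the original post or the program); the page does not say what the two 64-bit quantities represent, so the inputs are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Threshold from the listing: cmp edx, 3F480 (0x3F480 = 259200 decimal). */
#define THRESHOLD 0x3F480u

/*
 * Instruction-by-instruction model of 00410F5F..00410F79. The two 64-bit
 * values are held as (low, high) dword pairs: [ebp-24]/[ebp-20] and
 * [ebp+8]/[ebp+C]. Returns 1 when control reaches 00410F84 (the "over the
 * threshold" branch) and 0 when it falls through to cmp eax, 1EF4055.
 */
int over_threshold_asm(uint32_t a_lo, uint32_t a_hi, uint32_t b_lo, uint32_t b_hi)
{
    uint32_t edx = a_lo - b_lo;              /* sub edx, [ebp+8]: low dword, CF = borrow */
    uint32_t borrow = (a_lo < b_lo) ? 1u : 0u;
    uint32_t ecx = a_hi - b_hi - borrow;     /* sbb ecx, [ebp+C]: high dword minus borrow */

    int32_t high = (int32_t)ecx;             /* test ecx, ecx: sign and zero of the high dword */
    if (high > 0) return 1;                  /* jg short 00410F84 (signed) */
    if (high < 0) return 0;                  /* jl short 00410F79 (signed) */
    return edx > THRESHOLD;                  /* cmp edx, 3F480 / ja short 00410F84 (unsigned) */
}

/* The source-level expression the compiler started from. */
int over_threshold_c(int64_t a, int64_t b)
{
    uint64_t diff = (uint64_t)a - (uint64_t)b;  /* same wraparound as sub/sbb */
    return (int64_t)diff > (int64_t)THRESHOLD;
}

/* Split two 64-bit values into the dword pairs the assembly works on. */
int over_threshold_split(int64_t a, int64_t b)
{
    return over_threshold_asm((uint32_t)(uint64_t)a, (uint32_t)((uint64_t)a >> 32),
                              (uint32_t)(uint64_t)b, (uint32_t)((uint64_t)b >> 32));
}

int main(void)
{
    /* Constructed test pairs: exact threshold, one over, a borrow across the
       low dword, a negative difference, and a difference with a non-zero high dword. */
    int64_t cases[][2] = { {0x3F480, 0}, {0x3F481, 0}, {0x100000005LL, 0xFFFFFFFFLL},
                           {5, 10}, {0x10003F480LL, 0x10} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("a=%#llx b=%#llx asm=%d c=%d\n", (unsigned long long)cases[i][0],
               (unsigned long long)cases[i][1], over_threshold_split(cases[i][0], cases[i][1]),
               over_threshold_c(cases[i][0], cases[i][1]));
    return 0;
}
```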
OK, run the program: everything works, saving and printing images are available, and clicking Register says it is already registered. Click About and, oops, no registration code or registration number is shown. Heh, that's the price of a brute-force patch, but no matter: just add the corresponding entries to the registry.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\易软\俪影2046\Register]
"32days"="36305586f6ce7d95"
"Register Time"=dword:01ef4055
"CYLINDER"=dword:00001cd0
"CPU"=dword:0000063a
"PassWord"="45p734p434p545p3"
"Email"="JackyChou"
Import the registry file, click About, and ha: registration number JackyChou, registration code 45p7-34p4-34p5-45p3. All OK. Done!
--------------------------------------------------------------------------------
【Lessons learned】
This is my first crack write-up; it is badly written and I am still a newbie, but I will keep at it.
--------------------------------------------------------------------------------
【Copyright】: Originally posted on the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
2008-04-05 11:59:45