[Old post] [Original] (超级俄罗斯方块 / Super Tetris) Simple unpacking of ASProtect 1.22 - 1.23 Beta 21 + crack
Posted: 2008-10-17 22:00
【Title】: (超级俄罗斯方块 / Super Tetris) Simple unpacking of ASProtect 1.22 - 1.23 Beta 21 + crack
【Author】: noNaMe-mOnk
【Author e-mail】: asanawen@sohu.com
【Software】: 超级俄罗斯方块 (Super Tetris; the module is RUMBLECU and the window title is "Rumble Cube")
【Download】: search for it yourself
【Packer】: ASProtect 1.22 - 1.23 Beta 21
【Protection】: ASProtect 1.22 - 1.23 Beta 21
【Tools】: OllyDbg, PEiD, LordPE, ImportREC
【Platform】: Windows XP
【Software description】: quite fun to play
【Author's note】: This is purely out of interest, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Preface: after messing with this for a few days I had something of an epiphany. While you don't understand it you are completely lost; once you get it, it feels easy. Heh, just a small reflection.
I came across the program by chance in an internet cafe.
Load it in OllyDbg:
00401000 RUMBLE> 68 01806E00 push RUMBLECU.006E8001
00401005 E8 01000000 call RUMBLECU.0040100B
0040100A C3 retn
0040100B C3 retn
0040100C 3C E4 cmp al,0E4
0040100E D1D8 rcr eax,1
00401010 D2FE sar dh,cl
00401012 40 inc eax
00401013 65:57 push edi
00401015 67:BB D630EA2D mov ebx,2DEA30D6
0040101B - 7E A2 jle short RUMBLECU.00400FBF
With all exceptions ignored, run it once and check the log: there is no int 3 shortcut, so we take the exceptions one at a time.
Reload.
Shift+F9 n times, until:
00DC05CC 3100 xor dword ptr ds:[eax],eax ********* the last exception. I traced a few other 1.23 targets as well; in the code below pay attention to the pushes
00DC05CE 64:8F05 00000000 pop dword ptr fs:[0]
00DC05D5 58 pop eax
00DC05D6 833D DC49DC00 00 cmp dword ptr ds:[DC49DC],0
00DC05DD 74 14 je short 00DC05F3
00DC05DF 6A 0C push 0C
00DC05E1 B9 DC49DC00 mov ecx,0DC49DC
00DC05E6 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00DC05E9 BA 04000000 mov edx,4
00DC05EE E8 09C3FFFF call 00DBC8FC
00DC05F3 FF75 FC push dword ptr ss:[ebp-4]
00DC05F6 FF75 F8 push dword ptr ss:[ebp-8]
00DC05F9 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DC05FC 8338 00 cmp dword ptr ds:[eax],0
00DC05FF 74 02 je short 00DC0603
00DC0601 FF30 push dword ptr ds:[eax]
00DC0603 FF75 F0 push dword ptr ss:[ebp-10]
00DC0606 FF75 EC push dword ptr ss:[ebp-14]
00DC0609 C3 retn ****************** set a breakpoint here and Shift+F9. Because of the two pushes above,
esp+8 = 12FF64; to be sure of the esp value it is best to break at the je above.
Once it breaks, remove the F2 breakpoint, go to 12FF64 in the dump window,
set a hardware access breakpoint (dword) there and press F9.
This is also where one usually starts looking for stolen code.
00DD2C47 05 B6568489 add eax,898456B6 ************ breaks here; the jmp eax below lands on the OEP, and there is no stolen code
00DD2C4C 5C pop esp
00DD2C4D 03C3 add eax,ebx
00DD2C4F 894424 1C mov dword ptr ss:[esp+1C],eax
00DD2C53 61 popad
00DD2C54 FFE0 jmp eax
00DD2C56 D3C7 rol edi,cl
00DD2C58 BF 6E250202 mov edi,202256E
00DD2C5D 81C7 E44D7871 add edi,71784DE4
00DD2C63 81C7 3DE26978 add edi,7869E23D
00489C3D 6A 60 push 60 ******* OEP. Dump here and fix the IAT; level-1 tracing resolves most of the pointers.
I wanted to work out the remaining three to five by myself, and that alone cost me several days; ugh, what an illiterate.
In the end I stood on the shoulders of giants and sorted them out with the ASProtect 1.22 plugin.
00489C3F 68 389D4900 push RUMBLECU.00499D38
00489C44 E8 E77A0000 call RUMBLECU.00491730
00489C49 BF 94000000 mov edi,94
00489C4E 8BC7 mov eax,edi
00489C50 E8 5BF1FFFF call RUMBLECU.00488DB0
00489C55 8965 E8 mov dword ptr ss:[ebp-18],esp
00489C58 8BF4 mov esi,esp
00489C5A 893E mov dword ptr ds:[esi],edi
00489C5C 56 push esi
00489C5D FF15 98714900 call dword ptr ds:[497198]
00489C63 8B4E 10 mov ecx,dword ptr ds:[esi+10]
00489C66 890D 8C764C00 mov dword ptr ds:[4C768C],ecx
00489C6C 8B46 04 mov eax,dword ptr ds:[esi+4]
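The two byte patterns the walkthrough relies on, as an added Python check that is not part of the original post: the ASProtect entry trampoline at 00401000 (`push imm32; call $+6; retn; retn`, which is an obfuscated jump to imm32 in the packer's section) and the `push 60h; push imm32; call rel32` prologue at the OEP, which is the MSVC 6 CRT startup (the call is `__SEH_prolog`, the following `mov edi,94h` / `call` is the stack probe before `GetVersionExA`). The sample byte strings are reconstructed from the opcode column above; the function names are mine.

```python
import struct

# Constructed from the opcode column of the listings above; the addresses
# are the ones OllyDbg displayed.  These are the only inputs.
ENTRY_VA = 0x00401000
ENTRY_BYTES = bytes.fromhex("6801806E00E801000000C3C33CE4D1D8D2FE406557")
OEP_VA = 0x00489C3D
OEP_BYTES = bytes.fromhex("6A6068389D4900E8E77A0000BF940000008BC7")

ASP_TRAMPOLINE = b"\xE8\x01\x00\x00\x00\xC3\xC3"   # call $+6 ; retn ; retn


def asprotect_entry_target(code):
    """Decode the ASProtect 1.2x entry stub seen at 00401000:
         push imm32      ; 68 xx xx xx xx
         call $+6        ; E8 01 00 00 00  skips the first retn
         retn            ; C3
         retn            ; C3
    The call lands on the second retn, which pops the call's return address
    (the first retn); that retn then pops imm32, so execution continues at
    imm32 inside the packer section.  Everything after the two retns is
    never executed.  Returns imm32, or None if the pattern is absent."""
    if len(code) < 12 or code[0] != 0x68 or code[5:12] != ASP_TRAMPOLINE:
        return None
    return struct.unpack_from("<I", code, 1)[0]


def find_msvc6_oep(code, base_va):
    """Scan a code dump for the MSVC 6 CRT entry prologue that the post
    recognises as the OEP after `popad; jmp eax`:
         push 60h        ; 6A 60
         push imm32      ; 68 xx xx xx xx   pointer to the SEH scope table
         call rel32      ; E8 xx xx xx xx   __SEH_prolog
    Returns (va, imm32, call_target) for every match, with the relative
    call resolved to an absolute address."""
    hits = []
    pos = code.find(b"\x6A\x60\x68")
    while pos != -1:
        if pos + 12 <= len(code) and code[pos + 7] == 0xE8:
            imm = struct.unpack_from("<I", code, pos + 3)[0]
            rel = struct.unpack_from("<i", code, pos + 8)[0]
            next_insn = base_va + pos + 12          # address after the call
            hits.append((base_va + pos, imm, (next_insn + rel) & 0xFFFFFFFF))
        pos = code.find(b"\x6A\x60\x68", pos + 1)
    return hits


if __name__ == "__main__":
    print("entry stub jumps to %08X" % asprotect_entry_target(ENTRY_BYTES))
    for va, imm, target in find_msvc6_oep(OEP_BYTES, OEP_VA):
        print("OEP candidate %08X: push %08X ; call %08X" % (va, imm, target))
```

Run against a full dump of the code section, `find_msvc6_oep` lists every place that looks like the CRT entry; the one the packer's `jmp eax` lands on is the OEP, and the resolved call target (00491730 here) should be a small function that sets up `fs:[0]`, which is a quick way to confirm the dump was taken at the right place.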
Now to crack it.
Load dump_.exe
and run it,
User name: noNaMe-mOnk
Trial code: 787878787878
A message box pops up,
so set a breakpoint on MessageBoxA:
00401C6F |. 55 push ebp ; |hWnd
00401C70 |. FFD6 call esi ; \GetDlgItemTextA
00401C72 |. 6A 18 push 18 ; /Count = 18 (24.)
00401C74 |. 8D4424 28 lea eax,dword ptr ss:[esp+28] ; |
00401C78 |. 50 push eax ; |Buffer
00401C79 |. 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
00401C7E |. 55 push ebp ; |hWnd
00401C7F |. FFD6 call esi ; \GetDlgItemTextA
00401C81 |. 8A4424 40 mov al,byte ptr ss:[esp+40]
00401C85 |. 84C0 test al,al ×××××××××××× is the user name empty?
00401C87 |. 0F84 5C030000 je dumped_.00401FE9
00401C8D |. 8A4424 24 mov al,byte ptr ss:[esp+24]
00401C91 |. 84C0 test al,al ××××××××××××× is the registration code empty?
00401C93 |. 0F84 50030000 je dumped_.00401FE9
00401C99 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401C9D |. 51 push ecx
00401C9E |. E8 2DF4FFFF call dumped_.004010D0 ××××××××××× stepping in shows it checks that the registration code is 0x14 = 20 characters long
Re-enter the registration code: 78787878787878787878
00401CA3 |. 83C4 04 add esp,4
00401CA6 |. 85C0 test eax,eax
00401CA8 |. 75 47 jnz short dumped_.00401CF1 ××××××× taken
00401CAA |. 6A FA push -6 ; /Index = GWL_HINSTANCE
00401CAC |. 55 push ebp ; |hWnd
00401CAD |. FF15 E4714900 call dword ptr ds:[<&user32.GetWindowLongA>>; \GetWindowLongA
00401CB3 |. 68 00040000 push 400 ; /Count = 400 (1024.)
00401CB8 |. 8D9424 C4010000 lea edx,dword ptr ss:[esp+1C4] ; |
00401CBF |. 52 push edx ; |Buffer
00401CC0 |. 6A 0C push 0C ; |RsrcID = STRING "The license code you entered is not the correct length. Please check that you entered all of the letters correctly."
00401CC2 |. 50 push eax ; |hInst
00401CC3 |. FF15 B4714900 call dword ptr ds:[<&user32.LoadStringA>] ; \LoadStringA
00401CC9 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401CCB |. 68 D4454A00 push dumped_.004A45D4 ; |Title = "Rumble Cube"
00401CD0 |. 8D8424 C8010000 lea eax,dword ptr ss:[esp+1C8] ; |
00401CD7 |. 50 push eax ; |Text
00401CD8 |. 55 push ebp ; |hOwner
00401CD9 |. FF15 E0714900 call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA ×××××××××××××× breaks here, look upward
00401CDF |. 5F pop edi
00401CE0 |. 5E pop esi
00401CF1 |> \8D4C24 24 lea ecx,dword ptr ss:[esp+24] ×××××××××× jumps to here
00401CF5 |. 51 push ecx
00401CF6 |. 8D5424 44 lea edx,dword ptr ss:[esp+44]
00401CFA |. 52 push edx
00401CFB |. 8D8424 C8000000 lea eax,dword ptr ss:[esp+C8]
00401D02 |. 50 push eax
00401D03 |. E8 18F4FFFF call dumped_.00401120 ×××××××××× step in
00401D08 |. 83C4 0C add esp,0C
00401D0B |. C74424 10 0000000>mov dword ptr ss:[esp+10],0
00401D13 |. E8 78F3FFFF call dumped_.00401090
00401D18 |. 8B3D 10704900 mov edi,dword ptr ds:[<&advapi32.RegOpenKey>; advapi32.RegOpenKeyExA
00401D1E |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D22 |. 51 push ecx ; /pHandle
00401D23 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
F7 steps into here:
00401120 /$ 8B5424 08 mov edx,dword ptr ss:[esp+8]
00401124 |. 8A02 mov al,byte ptr ds:[edx]
00401126 |. 81EC 00010000 sub esp,100
0040112C |. 56 push esi
0040112D |. 57 push edi
0040112E |. 33C9 xor ecx,ecx
00401130 |. 33FF xor edi,edi
00401132 |. 84C0 test al,al
00401134 |. 74 3D je short dumped_.00401173
00401136 |> /81F9 FF000000 /cmp ecx,0FF
0040113C |. |7D 31 |jge short dumped_.0040116F
0040113E |. |3C 20 |cmp al,20 ; control character or space: skip it
00401140 |. |7E 25 |jle short dumped_.00401167
00401142 |. |3C 61 |cmp al,61 ; lowercase letter?
00401144 |. |7C 0F |jl short dumped_.00401155
00401146 |. |3C 7A |cmp al,7A
00401148 |. |7F 0B |jg short dumped_.00401155
0040114A |. |0FBEF0 |movsx esi,al ; letter -> esi
0040114D |. |8D7C37 E0 |lea edi,dword ptr ds:[edi+esi-20] ; add the uppercase value to the running sum in edi
00401151 |. |2C 20 |sub al,20 ; letter - 0x20: convert to uppercase
00401153 |. |EB 0D |jmp short dumped_.00401162
00401155 |> |3C 41 |cmp al,41 ; uppercase letter?
00401157 |. |7C 0D |jl short dumped_.00401166
00401159 |. |3C 5A |cmp al,5A
0040115B |. |7F 09 |jg short dumped_.00401166
0040115D |. |0FBEF0 |movsx esi,al
00401160 |. |03FE |add edi,esi ; add the uppercase letter to the sum
00401162 |> |88440C 08 |mov byte ptr ss:[esp+ecx+8],al ; store in the buffer at esp+8
00401166 |> |41 |inc ecx
00401167 |> |8A42 01 |mov al,byte ptr ds:[edx+1] ; next character
0040116A |. |42 |inc edx ; edx points to the next character
0040116B |. |84C0 |test al,al ; end of string?
0040116D |.^\75 C7 \jnz short dumped_.00401136
0040116F |> 85FF test edi,edi ; 2F3 here; is the sum zero (no letters at all)?
00401171 |. 75 13 jnz short dumped_.00401186
Jumps to here:
00401186 |> \55 push ebp
00401187 |. 8B2D 6C714900 mov ebp,dword ptr ds:[<&kernel32.lstrcmpi>] ; kernel32.lstrcmpiA
0040118D |. C6440C 0C 00 mov byte ptr ss:[esp+ecx+C],0
00401192 |. 33F6 xor esi,esi
00401194 |> 8B8E 60304A00 /mov ecx,dword ptr ds:[esi+4A3060] ×××× blacklist? The nine names in the table at 4A3060 are: CHONGCHINGBAK
MARIEFADER
JOHNKEITHSULLIVAN
KIMBERLYRICE
DKMFMM
SHEILAPREDMORE
GERALDROMANO
RAMSEYBONGKY
SERDARUYAR
0040119A |. 51 |push ecx
0040119B |. 8D5424 10 |lea edx,dword ptr ss:[esp+10]
0040119F |. 52 |push edx
004011A0 |. FFD5 |call ebp
004011A2 |. 85C0 |test eax,eax
004011A4 |. 74 71 |je short dumped_.00401217
004011A6 |. 83C6 04 |add esi,4
004011A9 |. 83FE 24 |cmp esi,24
004011AC |.^ 72 E6 \jb short dumped_.00401194
004011AE |. 8BC7 mov eax,edi ; sum -> eax
004011B0 |. 99 cdq ; sign-extend eax into edx (edx = 0 for a positive sum)
004011B1 |. B9 1A000000 mov ecx,1A
004011B6 |. F7F9 idiv ecx ; 2F3 / 1A: the remainder (sum mod 26) is left in edx
004011B8 |. 53 push ebx
004011B9 |. 8B9C24 14010000 mov ebx,dword ptr ss:[esp+114]
004011C0 |. 8B1495 E0454A00 mov edx,dword ptr ds:[edx*4+4A45E0>; index a table of string pointers with the remainder in edx
004011C7 |. 52 push edx ; /String2
004011C8 |. 53 push ebx ; |String1
004011C9 |. FF15 78714900 call dword ptr ds:[<&kernel32.lstr>; \lstrcpyA: copy the selected string into the output buffer
004011CF |. 8B3D 70714900 mov edi,dword ptr ds:[<&kernel32.l>; kernel32.lstrlenA
004011D5 |. 53 push ebx ; /String
004011D6 |. FFD7 call edi ; \lstrlenA
004011D8 |. 8BB424 1C010000 mov esi,dword ptr ss:[esp+11C] ; registration code -> esi
004011DF |. 8BE8 mov ebp,eax ; eax = length of the copied string, A2 here
004011E1 |. 8A06 mov al,byte ptr ds:[esi] ; first character of the registration code
004011E3 |. 84C0 test al,al
004011E5 |. 7E 0C jle short dumped_.004011F3 ; empty?
004011E7 |> 3C 20 /cmp al,20
004011E9 |. 7F 08 |jg short dumped_.004011F3 ; skip leading characters <= 0x20
004011EB |. 8A46 01 |mov al,byte ptr ds:[esi+1]
004011EE |. 46 |inc esi
004011EF |. 84C0 |test al,al
004011F1 |.^ 7F F4 \jg short dumped_.004011E7
004011F3 |> 56 push esi ; esi now points at the first character > 0x20 (or at the NUL terminator, so [esi] = 0, if the code was all such characters)
004011F4 |. FFD7 call edi
004011F6 |. 83F8 0A cmp eax,0A ; compare the remaining length with 10
004011F9 |. 8A06 mov al,byte ptr ds:[esi]
004011FB |. 0F8E 96000000 jle dumped_.00401297 ; jump (fail) if <= 10
00401201 |. 84C0 test al,al
00401203 |. 0F84 A5000000 je dumped_.004012AE
00401209 |. 8DA424 00000000 lea esp,dword ptr ss:[esp]
00401210 |> 3C 2D cmp al,2D ; Switch (cases 2D..66)
00401212 |. 75 17 jnz short dumped_.0040122B
00401214 |. 46 inc esi ; '-' is a separator: move on to the next character; Case 2D ('-') of switch 00401210
00401215 |. EB 67 jmp short dumped_.0040127E
00401217 |> 8B8424 10010000 mov eax,dword ptr ss:[esp+110]
0040121E |. 5D pop ebp
0040121F |. 5F pop edi
00401220 |. C600 00 mov byte ptr ds:[eax],0
00401223 |. 5E pop esi
00401224 |. 81C4 00010000 add esp,100
0040122A |. C3 retn
0040122B |> 3C 61 cmp al,61 ; a-f
0040122D |. 7C 08 jl short dumped_.00401237
0040122F |. 3C 66 cmp al,66
00401231 |. 7F 04 jg short dumped_.00401237
00401233 |. 04 A9 add al,0A9 ; 'a'..'f' + 0A9 wraps to 0A..0F
00401235 |. EB 16 jmp short dumped_.0040124D
00401237 |> 3C 41 cmp al,41 ; A-F; Default case of switch 00401210
00401239 |. 7C 08 jl short dumped_.00401243
0040123B |. 3C 46 cmp al,46
0040123D |. 7F 04 jg short dumped_.00401243
0040123F |. 04 C9 add al,0C9 ; 'A'..'F' + 0C9 wraps to 0A..0F
00401241 |. EB 0A jmp short dumped_.0040124D
00401243 |> 3C 30 cmp al,30 ; '0'..'9'
00401245 |. 7C 67 jl short dumped_.004012AE
00401247 |. 3C 39 cmp al,39
00401249 |. 7F 63 jg short dumped_.004012AE
0040124B |. 04 D0 add al,0D0 ; '0'..'9' + 0D0 wraps to 00..09
0040124D |> 46 inc esi ; Cases 61 ('a'),62 ('b'),63 ('c'),64 ('d'),65 ('e'),66 ('f') of switch 00401210
0040124E |. 8AC8 mov cl,al ; high nibble -> cl
00401250 |. 8A06 mov al,byte ptr ds:[esi] ; next character: the second hex digit
00401252 |. 3C 61 cmp al,61 ; a-f
00401254 |. 7C 08 jl short dumped_.0040125E
00401256 |. 3C 66 cmp al,66
00401258 |. 7F 04 jg short dumped_.0040125E
0040125A |. 04 A9 add al,0A9 ; a-f+0a9
0040125C |. EB 16 jmp short dumped_.00401274
0040125E |> 3C 41 cmp al,41
00401260 |. 7C 08 jl short dumped_.0040126A
00401262 |. 3C 46 cmp al,46
00401264 |. 7F 04 jg short dumped_.0040126A
00401266 |. 04 C9 add al,0C9 ; A-F+0c9
00401268 |. EB 0A jmp short dumped_.00401274
0040126A |> 3C 30 cmp al,30
0040126C |. 7C 40 jl short dumped_.004012AE
0040126E |. 3C 39 cmp al,39
00401270 |. 7F 3C jg short dumped_.004012AE
00401272 |. 04 D0 add al,0D0 ; '0'..'9' + 0D0 wraps to 00..09
00401274 |> C0E1 04 shl cl,4 ; cl <<= 4
00401277 |. 02C8 add cl,al ; cl = (high nibble << 4) + low nibble: one byte
00401279 |. 46 inc esi ; advance to the third character
0040127A |. 880C2B mov byte ptr ds:[ebx+ebp],cl ; store the byte at ebx+ebp (stack buffer at 12E576), appending to the end of the copied string
0040127D |. 45 inc ebp
0040127E |> 8A06 mov al,byte ptr ds:[esi]
00401280 |. 84C0 test al,al
00401282 |.^ 75 8C jnz short dumped_.00401210
00401284 |. C6042B 3D mov byte ptr ds:[ebx+ebp],3D ; append '=' to the end of the string
00401288 |. 88442B 01 mov byte ptr ds:[ebx+ebp+1],al ; terminating NUL (al is 0 here)
0040128C |. 5B pop ebx
0040128D |. 5D pop ebp
0040128E |. 5F pop edi
0040128F |. 5E pop esi
00401290 |. 81C4 00010000 add esp,100
00401296 |. C3 retn
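As an added example (my reimplementation, not code from the post), the whole of sub_401120 in Python, so the transformation can be checked against the values noted in the listing: the name is uppercased and its letters summed (0x2F3 for noNaMe-mOnk), the sum mod 26 selects a string from the table at 4A45E0, and the registration code is decoded from hex pairs (with optional '-' separators) into raw bytes that are appended to that string, followed by '='. The 26 strings at 4A45E0 are not reproduced in the post, so FAKE_TABLE is a placeholder, and the exits at 00401173, 00401297 and 004012AE are not shown either, so they are modelled as returning an empty string; both are assumptions, as is dropping non-letter characters that the original skips over without writing.

```python
# Blacklist read from the table at 4A3060 (nine entries, as listed above).
BLACKLIST = (b"CHONGCHINGBAK", b"MARIEFADER", b"JOHNKEITHSULLIVAN", b"KIMBERLYRICE",
             b"DKMFMM", b"SHEILAPREDMORE", b"GERALDROMANO", b"RAMSEYBONGKY", b"SERDARUYAR")

# ASSUMPTION: the 26 strings at 4A45E0 are not in the post, so this stand-in
# table is used instead; entry 1 is the one "noNaMe-mOnk" selects.
FAKE_TABLE = [("TABLE%02d" % i).encode() for i in range(26)]


def normalize_name(name):
    """Loop at 00401136..0040116D: uppercase the letters of a C string and
    sum their ASCII values.  Returns (normalized_bytes, sum)."""
    name = name.split(b"\0", 1)[0]
    out, total, idx = bytearray(), 0, 0
    for c in name:
        if idx >= 0xFF:                 # cmp ecx,0FF / jge: buffer is full
            break
        if c <= 0x20 or c >= 0x80:      # cmp al,20 / jle is a SIGNED compare
            continue                    # dropped, index not advanced
        if 0x61 <= c <= 0x7A:           # 'a'..'z': uppercase, sum, store
            c -= 0x20
            total += c
            out.append(c)
        elif 0x41 <= c <= 0x5A:         # 'A'..'Z': sum, store
            total += c
            out.append(c)
        # Any other printable byte: the original advances the index without
        # writing, leaving stack garbage in the buffer.  This model drops it
        # (assumption: only matters if that garbage completes a blacklisted name).
        idx += 1
    return bytes(out), total


def hex_nibble(c):
    """One digit of the switch at 00401210: returns 0..15, or None on error."""
    if 0x61 <= c <= 0x66:               # 'a'..'f' + 0A9 wraps to 0A..0F
        return c - 0x57
    if 0x41 <= c <= 0x46:               # 'A'..'F' + 0C9 wraps to 0A..0F
        return c - 0x37
    if 0x30 <= c <= 0x39:               # '0'..'9' + 0D0 wraps to 00..09
        return c - 0x30
    return None


def build_registration(name, code, table=FAKE_TABLE):
    """sub_401120: the "Registration" string later written to the registry,
    or b"" on the blacklist path (00401217) and on the error exits (00401173,
    00401297, 004012AE; the post does not show them, so treating them as
    failures is an assumption)."""
    upper, total = normalize_name(name)
    if total == 0:                                  # 0040116F: no letters at all
        return b""
    if upper in BLACKLIST:                          # lstrcmpiA loop at 00401194
        return b""                                  # (buffer is already uppercase)
    out = bytearray(table[total % 26])              # cdq / idiv 1A / lstrcpyA
    code = code.split(b"\0", 1)[0]
    i = 0
    while i < len(code) and 0 < code[i] <= 0x20:    # 004011E7: skip leading blanks
        i += 1
    rest = code[i:]
    if len(rest) <= 10:                             # cmp eax,0A / jle
        return b""
    j = 0
    while j < len(rest):                            # 0040127E: until the NUL
        c = rest[j]
        if c == 0x2D:                               # '-' is a separator
            j += 1
            continue
        hi = hex_nibble(c)
        lo = hex_nibble(rest[j + 1]) if j + 1 < len(rest) else None
        if hi is None or lo is None:                # 004012AE
            return b""
        out.append((hi << 4) + lo)                  # shl cl,4 / add cl,al
        j += 2
    out.append(0x3D)                                # trailing '='
    return bytes(out)


if __name__ == "__main__":
    print(normalize_name(b"noNaMe-mOnk"))
    print(build_registration(b"noNaMe-mOnk", b"78787878787878787878"))
```

With the post's inputs the output is the selected table string, ten 0x78 bytes and '=', which is what 00401D8A measures (AD = A2 + 10 + 1) before it is stored under "Registration". Note that the length check in this routine only requires more than ten characters after leading blanks; the 20-character requirement comes from sub_4010D0 earlier.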
00401090 /$ 81EC 00040000 sub esp,400
00401096 |. 68 00040000 push 400 ; /BufSize = 400 (1024.)
0040109B |. 8D4424 04 lea eax,dword ptr ss:[esp+>; |
0040109F |. 50 push eax ; |PathBuffer
004010A0 |. 6A 00 push 0 ; |hModule = NULL
004010A2 |. FF15 7C714900 call dword ptr ds:[<&kerne>; \GetModuleFileNameA: get the module's path and file name (the buffer is not used afterwards)
004010A8 |. 68 E0734900 push dumped_.004973E0 ; /String2 = "Software\GameHouse\RumbleCube"
004010AD |. 68 F0074B00 push dumped_.004B07F0 ; |String1 = dumped_.004B07F0
004010B2 |. FF15 78714900 call dword ptr ds:[<&kerne>; \lstrcpyA
004010B8 |. B8 F0074B00 mov eax,dumped_.004B07F0 ; ASCII "Software\GameHouse\RumbleCube"
004010BD |. 81C4 00040000 add esp,400
004010C3 \. C3 retn
00401D1E |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D22 |. 51 push ecx ; /pHandle
00401D23 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401D28 |. 6A 00 push 0 ; |Reserved = 0
00401D2A |. 8BF0 mov esi,eax ; |
00401D2C |. 56 push esi ; |Subkey
00401D2D |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401D32 |. FFD7 call edi ; \RegOpenKeyExA: open the existing key
00401D34 |. 85C0 test eax,eax ; success?
00401D36 74 44 je short dumped_.00401D7C ; otherwise create it
00401D38 |. 8B1D 0C704900 mov ebx,dword ptr ds:[<&advapi32.RegCreate>; advapi32.RegCreateKeyA
00401D3E |. 8D5424 10 lea edx,dword ptr ss:[esp+10]
00401D42 |. 52 push edx ; /pHandle
00401D43 |. 56 push esi ; |Subkey
00401D44 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401D49 |. FFD3 call ebx ; \RegCreateKeyA
00401D4B |. 85C0 test eax,eax
00401D4D |. 74 2D je short dumped_.00401D7C
00401D4F |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
00401D53 |. 50 push eax ; /pHandle
00401D54 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401D59 |. 6A 00 push 0 ; |Reserved = 0
00401D5B |. 56 push esi ; |Subkey
00401D5C |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401D61 |. FFD7 call edi ; \RegOpenKeyExA
00401D63 |. 85C0 test eax,eax
00401D65 |. 74 15 je short dumped_.00401D7C
00401D67 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D6B |. 51 push ecx ; /pHandle
00401D6C |. 56 push esi ; |Subkey
00401D6D |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401D72 |. FFD3 call ebx ; \RegCreateKeyA
00401D74 |. 85C0 test eax,eax
00401D76 |. 0F85 6D020000 jnz dumped_.00401FE9
00401D7C |> 8B3D 70714900 mov edi,dword ptr ds:[<&kernel32.lstrlen>] ; kernel32.lstrlenA
00401D82 |. 8D9424 C0000000 lea edx,dword ptr ss:[esp+C0]
00401D89 |. 52 push edx ; /String
00401D8A |. FFD7 call edi ; \lstrlenA: length of the string with the decoded code appended, AD here
00401D8C |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; registry key handle, B4 here
00401D90 |. 8B35 00704900 mov esi,dword ptr ds:[<&advapi32.RegSetVal>; advapi32.RegSetValueExA
00401D96 |. 40 inc eax
00401D97 |. 50 push eax ; /BufSize
00401D98 |. 8D8424 C4000000 lea eax,dword ptr ss:[esp+C4] ; |
00401D9F |. 50 push eax ; |Buffer = the string with the code appended
00401DA0 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401DA2 |. 6A 00 push 0 ; |Reserved = 0
00401DA4 |. 68 3C744900 push dumped_.0049743C ; |ValueName = "Registration"
00401DA9 |. 51 push ecx ; |hKey
00401DAA |. FFD6 call esi ; \RegSetValueExA
00401DAC |. 8D5424 40 lea edx,dword ptr ss:[esp+40] ; "Registration" has been written; now the user name
00401DB0 |. 52 push edx ; /String
00401DB1 |. FFD7 call edi ; \lstrlenA
00401DB3 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; (registration name length from lstrlenA = 0B); key handle -> ecx
00401DB7 |. 40 inc eax
00401DB8 |. 50 push eax ; /BufSize
00401DB9 |. 8D4424 44 lea eax,dword ptr ss:[esp+44] ; |
00401DBD |. 50 push eax ; |Buffer
00401DBE |. 6A 01 push 1 ; |ValueType = REG_SZ
00401DC0 |. 6A 00 push 0 ; |Reserved = 0
00401DC2 |. 68 28744900 push dumped_.00497428 ; |ValueName = "RegName"
00401DC7 |. 51 push ecx ; |hKey
00401DC8 |. FFD6 call esi ; \RegSetValueExA
00401DCA 68 88744900 push dumped_.00497488 ; ASCII "HACKER"
00401DCF |. 8D9424 C4000000 lea edx,dword ptr ss:[esp+C4] ; |
00401DD6 |. 52 push edx ; |String1
00401DD7 |. FF15 58714900 call dword ptr ds:[<&kernel32.lstrcmp>] ; \lstrcmpA
00401DDD |. 85C0 test eax,eax ; compared with the string that had the code appended?
00401DDF |. 75 16 jnz short dumped_.00401DF7 ; taken or not, it's fine either way? Dizzy, dizzy, ft
00401DE1 |. 6A 03 push 3 ; /BufSize = 3
00401DE3 |. 68 84744900 push dumped_.00497484 ; |Buffer = dumped_.00497484
00401DE8 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401DEA |. 50 push eax ; |Reserved
00401DEB |. 8B4424 20 mov eax,dword ptr ss:[esp+20] ; |
00401DEF |. 68 30744900 push dumped_.00497430 ; |ValueName = "RegFault"
00401DF4 |. 50 push eax ; |hKey
00401DF5 |. FFD6 call esi ; \RegSetValueExA
00401DF7 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00401DFB |. 51 push ecx ; /hKey
00401DFC |. FF15 18704900 call dword ptr ds:[<&advapi32.RegCloseKey>>; \RegCloseKey
00401E02 |. 68 EB030000 push 3EB ; /Result = 3EB (1003.)
00401E07 |. 55 push ebp ; |hWnd
00401E08 |. FF15 FC714900 call dword ptr ds:[<&user32.EndDialog>] ; \EndDialog
Is there something more to the registration?
Start from program startup: set breakpoints on all interactive calls and restart.
Alternating F9 and F2, I see in the comment column:
0040242F . 68 00020000 push 200 ; /Count = 200 (512.)
00402434 . 8D8C24 30030000 lea ecx,dword ptr ss:[esp+330] ; |
0040243B . 51 push ecx ; |Buffer
0040243C . 8BF0 mov esi,eax ; |
0040243E . 6A 02 push 2 ; |RsrcID = STRING "Sorry, no more trial sessions allowed for %s."
00402440 . 56 push esi ; |hInst
00402441 . FF15 B4714900 call dword ptr ds:[<&user32.LoadString>; \LoadStringA
That is a string from the registration dialog; look upward:
004023AB . 83C4 08 add esp,8
004023AE . E9 BC000000 jmp dumped_.0040246F ××××× this jumps over
004023B3 > 3935 E4064B00 cmp dword ptr ds:[4B06E4],esi
004023B9 . 0F84 C2000000 je dumped_.00402481 ××××× this one also jumps over; set a breakpoint and restart
004023BF . 3935 84304A00 cmp dword ptr ds:[4A3084],esi
004023C5 . 75 59 jnz short dumped_.00402420
004023C7 . 56 push esi ; /pModule
004023C8 . FF15 4C714900 call dword ptr ds:[<&kernel32.GetModul>; \GetModuleHandleA
004023CE . 8BF0 mov esi,eax
004023D0 . 68 00020000 push 200 ; /Count = 200 (512.)
004023D5 . 8D8424 30030000 lea eax,dword ptr ss:[esp+330] ; |
004023DC . 50 push eax ; |Buffer
004023DD . 6A 01 push 1 ; |RsrcID = STRING "%s Trial has expired."
004023DF . 56 push esi ; |hInst
004023E0 . FF15 B4714900 call dword ptr ds:[<&user32.LoadString>; \LoadStringA
004023E6 . 68 D4454A00 push dumped_.004A45D4 ; ASCII "Rumble Cube"
004023EB . 8D8C24 30030000 lea ecx,dword ptr ss:[esp+330]
004023F2 . 51 push ecx
004023F3 . 8D9424 34010000 lea edx,dword ptr ss:[esp+134]
004023FA . 52 push edx
004023FB . FFD7 call edi
004023FD . 8D8424 38010000 lea eax,dword ptr ss:[esp+138]
00402404 . 50 push eax
00402405 . 56 push esi
00402406 . E8 55FDFFFF call dumped_.00402160
0040240B . 83C4 14 add esp,14
0040240E . 83F8 02 cmp eax,2
00402411 . 75 6E jnz short dumped_.00402481
00402413 . 5F pop edi
00402414 . 5E pop esi
00402415 . 81C4 24050000 add esp,524
0040241B .^ E9 60F0FFFF jmp dumped_.00401480
00402420 > 3935 88304A00 cmp dword ptr ds:[4A3088],esi
00402426 75 59 jnz short dumped_.00402481
00402428 . 56 push esi ; /pModule
00402429 . FF15 4C714900 call dword ptr ds:[<&kernel32.GetModul>; \GetModuleHandleA
After restarting it breaks here:
004023B3 > \3935 E4064B00 cmp dword ptr ds:[4B06E4],esi
[4B06E4] = 1, esi = 0
Restart and set a memory write breakpoint on 4B06E4:
It breaks here:
004022E0 $ A1 E8064B00 mov eax,dword ptr ds:[4B06E8] ××××××× note this
004022E5 . 81EC 24050000 sub esp,524
004022EB . 56 push esi
004022EC . 33F6 xor esi,esi
004022EE . 3BC6 cmp eax,esi ×××××× is eax zero? if not, jump
004022F0 . 0F85 8C010000 jnz dumped_.00402482 ×××××× this one is jumped over as well
004022F6 . 57 push edi
004022F7 . 68 A0744900 push dumped_.004974A0 ; /String2 = "GHRC-1"
004022FC . 8D4424 30 lea eax,dword ptr ss:[esp+30] ; |
00402300 . 50 push eax ; |String1
00402301 C705 E4064B00 010>mov dword ptr ds:[4B06E4],1 ××××××××××× here: change the 1 to 0 and it is patched, heh
0040230B . FF15 78714900 call dword ptr ds:[<&kernel32.lstrcpy>>; \lstrcpyA
00402311 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
Tracing back to the caller:
00402490 /$ A1 E8064B00 mov eax,dword ptr ds:[4B06E8] ×××××× this one?
00402495 |. 85C0 test eax,eax
00402497 |. 75 1D jnz short dumped_.004024B6
00402499 |. E8 42FEFFFF call dumped_.004022E0 ————————————————
0040249E |. A1 E4064B00 mov eax,dword ptr ds:[4B06E4]
004024A3 |. 85C0 test eax,eax
004024A5 |. 74 0F je short dumped_.004024B6
004024A7 |. A1 88304A00 mov eax,dword ptr ds:[4A3088]
004024AC |. 85C0 test eax,eax
004024AE |. 75 06 jnz short dumped_.004024B6
004024B0 |. B8 01000000 mov eax,1
004024B5 |. C3 retn
004024B6 |> 33C0 xor eax,eax
004024B8 \. C3 retn
Continue tracing back:
004248A0 $ 81EC B4020000 sub esp,2B4
004248A6 . E8 E5DBFDFF call dumped_.00402490 ————————————————
004248AB . 85C0 test eax,eax
004248AD 0F85 72060000 jnz dumped_.00424F25
004248B3 . 53 push ebx
004248B4 . 55 push ebp
004248B5 . 56 push esi
004248B6 . 33DB xor ebx,ebx
004248B8 . 57 push edi
004248B9 . 881D 37174B00 mov byte ptr ds:[4B1737],bl
004248BF . E8 CCD1FDFF call dumped_.00401A90
004248C4 . 85C0 test eax,eax
004248C6 . 8BAC24 C8020000 mov ebp,dword ptr ss:[esp+2C8]
004248CD 74 35 je short dumped_.00424904
004248CF . 8D8424 C4000000 lea eax,dword ptr ss:[esp+C4]
004248D6 . 50 push eax
004248D7 . 55 push ebp
004248D8 . E8 B3D0FDFF call dumped_.00401990
004248DD . 8D8C24 CC000000 lea ecx,dword ptr ss:[esp+CC]
004248E4 . 51 push ecx
004248E5 . 55 push ebp
004248E6 . E8 75D8FDFF call dumped_.00402160
004248EB . 83C4 10 add esp,10
004248EE . 3D EB030000 cmp eax,3EB
004248F3 . 75 16 jnz short dumped_.0042490B
004248F5 . 5F pop edi
004248F6 . 5E pop esi
004248F7 . 5D pop ebp
004248F8 . 5B pop ebx
004248F9 . 33C0 xor eax,eax
004248FB . 81C4 B4020000 add esp,2B4
00424901 . C2 1000 retn 10
Further back:
00489DBB . 56 push esi
00489DBC . 56 push esi
00489DBD . FFD7 call edi
00489DBF . 50 push eax
00489DC0 . E8 DBAAF9FF call dumped_.004248A0 ————————————————
00489DC5 . 8BF8 mov edi,eax
00489DC7 . 897D 94 mov dword ptr ss:[ebp-6C],edi
00489DCA . 3975 E4 cmp dword ptr ss:[ebp-1C],esi
00489DCD . 75 06 jnz short dumped_.00489DD5
00489DCF . 57 push edi
00489DD0 . E8 EC0E0000 call dumped_.0048ACC1
00489DD5 > E8 090F0000 call dumped_.0048ACE3
00489DDA . EB 2B jmp short dumped_.00489E07
00489DDC . 8B45 EC mov eax,dword ptr ss:[ebp-14]
00489DDF . 8B08 mov ecx,dword ptr ds:[eax]
00489DE1 . 8B09 mov ecx,dword ptr ds:[ecx]
00489DE3 . 894D 90 mov dword ptr ss:[ebp-70],ecx
00489DE6 . 50 push eax
No more clues. Assuming [4B06E8] = 1, search for the instruction
mov dword ptr [4b06e8],1
Lucky, hahaha, found it here:
00401780 . 8B4424 04 mov eax,dword ptr ss:[esp+4]
00401784 . 85C0 test eax,eax
00401786 . 74 19 je short dumped_.004017A1
00401788 . 8038 00 cmp byte ptr ds:[eax],0
0040178B . 74 14 je short dumped_.004017A1
0040178D . C705 E8064B00 010>mov dword ptr ds:[4B06E8],1 ×××××× here
00401797 . C705 E4064B00 000>mov dword ptr ds:[4B06E4],0
004017A1 > C2 0400 retn 4
Set a breakpoint on this block and restart to see: it never passes through here...
Traced for ages with no lead; waiting for an expert :(
For now patching is the only option.
--------------------------------------------------------------------------------
【Lessons learned】
Had a bit of luck, but unfortunately it ran out, heh.
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 (PEDIY) technical forum; when reposting please credit the author and keep the article intact. Thank you!
2008-10-17 21:51:41
【文章作者】: noNaMe-mOnk
【作者邮箱】: asanawen@sohu.com
【软件名称】: 超级俄罗斯方块
【下载地址】: 自己搜索下载
【加壳方式】: ASProtect 1.22 - 1.23 Beta 21
【保护方式】: ASProtect 1.22 - 1.23 Beta 21
【使用工具】: od,peid,lordpe,importrec
【操作平台】: xp
【软件介绍】: 挺好玩的
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
前言:折腾了几天,有点顿悟的感觉,不明白的时候很晕,会了就感觉很简单,呵呵,一点感受
在网吧偶然得之。
od载入。
00401000 RUMBLE> 68 01806E00 push RUMBLECU.006E8001
00401005 E8 01000000 call RUMBLECU.0040100B
0040100A C3 retn
0040100B C3 retn
0040100C 3C E4 cmp al,0E4
0040100E D1D8 rcr eax,1
00401010 D2FE sar dh,cl
00401012 40 inc eax
00401013 65:57 push edi
00401015 67:BB D630EA2D mov ebx,2DEA30D6
0040101B - 7E A2 jle short RUMBLECU.00400FBF
忽略所有异常run一下,看看记录,没有int 3捷径,一下一下来吧。
重新载入。
shift+f9 n次,至
00DC05CC 3100 xor dword ptr ds:[eax],eax *********最后一个异常,另跟了几个1.23版的,下面这段代码注意几个push
00DC05CE 64:8F05 00000000 pop dword ptr fs:[0]
00DC05D5 58 pop eax
00DC05D6 833D DC49DC00 00 cmp dword ptr ds:[DC49DC],0
00DC05DD 74 14 je short 00DC05F3
00DC05DF 6A 0C push 0C
00DC05E1 B9 DC49DC00 mov ecx,0DC49DC
00DC05E6 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00DC05E9 BA 04000000 mov edx,4
00DC05EE E8 09C3FFFF call 00DBC8FC
00DC05F3 FF75 FC push dword ptr ss:[ebp-4]
00DC05F6 FF75 F8 push dword ptr ss:[ebp-8]
00DC05F9 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DC05FC 8338 00 cmp dword ptr ds:[eax],0
00DC05FF 74 02 je short 00DC0603
00DC0601 FF30 push dword ptr ds:[eax]
00DC0603 FF75 F0 push dword ptr ss:[ebp-10]
00DC0606 FF75 EC push dword ptr ss:[ebp-14]
00DC0609 C3 retn ******************88 这里下断,shift+f9,由于上面有两个push,
esp+8=12ff64,为确定esp,最好在上面je处下断,
断下后取消f2断点,在内存区前往12ff64,
下硬件访问断点dword,f9,
通常找stolencode也是从这里开始
00DD2C47 05 B6568489 add eax,898456B6 ************断在这里,下面的jmp eax就是oep了,没有stolencode
00DD2C4C 5C pop esp
00DD2C4D 03C3 add eax,ebx
00DD2C4F 894424 1C mov dword ptr ss:[esp+1C],eax
00DD2C53 61 popad
00DD2C54 FFE0 jmp eax
00DD2C56 D3C7 rol edi,cl
00DD2C58 BF 6E250202 mov edi,202256E
00DD2C5D 81C7 E44D7871 add edi,71784DE4
00DD2C63 81C7 3DE26978 add edi,7869E23D
00489C3D 6A 60 push 60 *******OEP,dump,修复iat,一级追踪基本能解决大部分指针,
剩下三五个本想自己靠脑袋判断,就因为这搞了几天,晕死,文盲,
最后还是踩在巨人肩膀上,用外挂插件asp 1.22搞定
00489C3F 68 389D4900 push RUMBLECU.00499D38
00489C44 E8 E77A0000 call RUMBLECU.00491730
00489C49 BF 94000000 mov edi,94
00489C4E 8BC7 mov eax,edi
00489C50 E8 5BF1FFFF call RUMBLECU.00488DB0
00489C55 8965 E8 mov dword ptr ss:[ebp-18],esp
00489C58 8BF4 mov esi,esp
00489C5A 893E mov dword ptr ds:[esi],edi
00489C5C 56 push esi
00489C5D FF15 98714900 call dword ptr ds:[497198]
00489C63 8B4E 10 mov ecx,dword ptr ds:[esi+10]
00489C66 890D 8C764C00 mov dword ptr ds:[4C768C],ecx
00489C6C 8B46 04 mov eax,dword ptr ds:[esi+4]
待破解。
载入dump_.exe
运行,
用户名:noNaMe-mOnk
实验码:787878787878
messagebox,
对messageboxa下断,
00401C6F |. 55 push ebp ; |hWnd
00401C70 |. FFD6 call esi ; \GetDlgItemTextA
00401C72 |. 6A 18 push 18 ; /Count = 18 (24.)
00401C74 |. 8D4424 28 lea eax,dword ptr ss:[esp+28] ; |
00401C78 |. 50 push eax ; |Buffer
00401C79 |. 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
00401C7E |. 55 push ebp ; |hWnd
00401C7F |. FFD6 call esi ; \GetDlgItemTextA
00401C81 |. 8A4424 40 mov al,byte ptr ss:[esp+40]
00401C85 |. 84C0 test al,al ××××××××××××用户名是否为空
00401C87 |. 0F84 5C030000 je dumped_.00401FE9
00401C8D |. 8A4424 24 mov al,byte ptr ss:[esp+24]
00401C91 |. 84C0 test al,al ×××××××××××××注册码是否为空
00401C93 |. 0F84 50030000 je dumped_.00401FE9
00401C99 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00401C9D |. 51 push ecx
00401C9E |. E8 2DF4FFFF call dumped_.004010D0 ×××××××××××跟进会发现判断注册码是否为0x14 即20位
重新输入注册码:78787878787878787878
00401CA3 |. 83C4 04 add esp,4
00401CA6 |. 85C0 test eax,eax
00401CA8 |. 75 47 jnz short dumped_.00401CF1 ×××××××跳转
00401CAA |. 6A FA push -6 ; /Index = GWL_HINSTANCE
00401CAC |. 55 push ebp ; |hWnd
00401CAD |. FF15 E4714900 call dword ptr ds:[<&user32.GetWindowLongA>>; \GetWindowLongA
00401CB3 |. 68 00040000 push 400 ; /Count = 400 (1024.)
00401CB8 |. 8D9424 C4010000 lea edx,dword ptr ss:[esp+1C4] ; |
00401CBF |. 52 push edx ; |Buffer
00401CC0 |. 6A 0C push 0C ; |RsrcID = STRING "The license code you entered is not the correct length. Please check that you entered all of the letters correctly."
00401CC2 |. 50 push eax ; |hInst
00401CC3 |. FF15 B4714900 call dword ptr ds:[<&user32.LoadStringA>] ; \LoadStringA
00401CC9 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401CCB |. 68 D4454A00 push dumped_.004A45D4 ; |Title = "Rumble Cube"
00401CD0 |. 8D8424 C8010000 lea eax,dword ptr ss:[esp+1C8] ; |
00401CD7 |. 50 push eax ; |Text
00401CD8 |. 55 push ebp ; |hOwner
00401CD9 |. FF15 E0714900 call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA ××××××××××××××断在这里,向上看
00401CDF |. 5F pop edi
00401CE0 |. 5E pop esi
00401CF1 |> \8D4C24 24 lea ecx,dword ptr ss:[esp+24] ××××××××××跳至这里
00401CF5 |. 51 push ecx
00401CF6 |. 8D5424 44 lea edx,dword ptr ss:[esp+44]
00401CFA |. 52 push edx
00401CFB |. 8D8424 C8000000 lea eax,dword ptr ss:[esp+C8]
00401D02 |. 50 push eax
00401D03 |. E8 18F4FFFF call dumped_.00401120 ××××××××××跟进
00401D08 |. 83C4 0C add esp,0C
00401D0B |. C74424 10 0000000>mov dword ptr ss:[esp+10],0
00401D13 |. E8 78F3FFFF call dumped_.00401090
00401D18 |. 8B3D 10704900 mov edi,dword ptr ds:[<&advapi32.RegOpenKey>; advapi32.RegOpenKeyExA
00401D1E |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D22 |. 51 push ecx ; /pHandle
00401D23 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
f7来到这里:
00401120 /$ 8B5424 08 mov edx,dword ptr ss:[esp+8]
00401124 |. 8A02 mov al,byte ptr ds:[edx]
00401126 |. 81EC 00010000 sub esp,100
0040112C |. 56 push esi
0040112D |. 57 push edi
0040112E |. 33C9 xor ecx,ecx
00401130 |. 33FF xor edi,edi
00401132 |. 84C0 test al,al
00401134 |. 74 3D je short dumped_.00401173
00401136 |> /81F9 FF000000 /cmp ecx,0FF
0040113C |. |7D 31 |jge short dumped_.0040116F
0040113E |. |3C 20 |cmp al,20 ; 符号
00401140 |. |7E 25 |jle short dumped_.00401167
00401142 |. |3C 61 |cmp al,61 ; 小写字母
00401144 |. |7C 0F |jl short dumped_.00401155
00401146 |. |3C 7A |cmp al,7A
00401148 |. |7F 0B |jg short dumped_.00401155
0040114A |. |0FBEF0 |movsx esi,al ; 字母-〉esi
0040114D |. |8D7C37 E0 |lea edi,dword ptr ds:[edi+esi-20] ; 转换为大写字母求和-〉edi
00401151 |. |2C 20 |sub al,20 ; 字母-20,转换为大写
00401153 |. |EB 0D |jmp short dumped_.00401162
00401155 |> |3C 41 |cmp al,41 ; 大写字母
00401157 |. |7C 0D |jl short dumped_.00401166
00401159 |. |3C 5A |cmp al,5A
0040115B |. |7F 09 |jg short dumped_.00401166
0040115D |. |0FBEF0 |movsx esi,al
00401160 |. |03FE |add edi,esi ; 大写字母求和
00401162 |> |88440C 08 |mov byte ptr ss:[esp+ecx+8],al ; 保存-〉esp+8
00401166 |> |41 |inc ecx
00401167 |> |8A42 01 |mov al,byte ptr ds:[edx+1] ; 下一个
0040116A |. |42 |inc edx ; edx指向下一个
0040116B |. |84C0 |test al,al ; 是否结束
0040116D |.^\75 C7 \jnz short dumped_.00401136
0040116F |> 85FF test edi,edi ; 2F3,和值是否为零(全是符号)
00401171 |. 75 13 jnz short dumped_.00401186
跳至 这里:
00401186 |> \55 push ebp
00401187 |. 8B2D 6C714900 mov ebp,dword ptr ds:[<&kernel32.lstrcmpi>] ; kernel32.lstrcmpiA
0040118D |. C6440C 0C 00 mov byte ptr ss:[esp+ecx+C],0
00401192 |. 33F6 xor esi,esi
00401194 |> 8B8E 60304A00 /mov ecx,dword ptr ds:[esi+4A3060] ××××黑名单?CHONGCHINGBAK
MARIEFADER
JOHNKEITHSULLIVAN
KIMBERLYRICE
DKMFMM
SHEILAPREDMORE
GERALDROMANO
RAMSEYBONGKY
SERDARUYAR
0040119A |. 51 |push ecx
0040119B |. 8D5424 10 |lea edx,dword ptr ss:[esp+10]
0040119F |. 52 |push edx
004011A0 |. FFD5 |call ebp
004011A2 |. 85C0 |test eax,eax
004011A4 |. 74 71 |je short dumped_.00401217
004011A6 |. 83C6 04 |add esi,4
004011A9 |. 83FE 24 |cmp esi,24
004011AC |.^ 72 E6 \jb short dumped_.00401194
004011AE |. 8BC7 mov eax,edi ; 和值-〉eax
004011B0 |. 99 cdq ; 清空edx
004011B1 |. B9 1A000000 mov ecx,1A
004011B6 |. F7F9 idiv ecx ; 2f3/1a
004011B8 |. 53 push ebx
004011B9 |. 8B9C24 14010000 mov ebx,dword ptr ss:[esp+114]
004011C0 |. 8B1495 E0454A00 mov edx,dword ptr ds:[edx*4+4A45E0>; 利用edx中余数查表,指向字符串
004011C7 |. 52 push edx ; /String2
004011C8 |. 53 push ebx ; |String1
004011C9 |. FF15 78714900 call dword ptr ds:[<&kernel32.lstr>; \复制字符串
004011CF |. 8B3D 70714900 mov edi,dword ptr ds:[<&kernel32.l>; kernel32.lstrlenA
004011D5 |. 53 push ebx ; /String
004011D6 |. FFD7 call edi ; \lstrlenA
004011D8 |. 8BB424 1C010000 mov esi,dword ptr ss:[esp+11C] ; 注册码-〉esi
004011DF |. 8BE8 mov ebp,eax ; eax,字符串长度a2
004011E1 |. 8A06 mov al,byte ptr ds:[esi] ; 注册码第一位
004011E3 |. 84C0 test al,al
004011E5 |. 7E 0C jle short dumped_.004011F3 ; 是否为空
004011E7 |> 3C 20 /cmp al,20
004011E9 |. 7F 08 |jg short dumped_.004011F3 ; 是否为符号
004011EB |. 8A46 01 |mov al,byte ptr ds:[esi+1]
004011EE |. 46 |inc esi
004011EF |. 84C0 |test al,al
004011F1 |.^ 7F F4 \jg short dumped_.004011E7
004011F3 |> 56 push esi ; 如果全是符号esi=0
004011F4 |. FFD7 call edi
004011F6 |. 83F8 0A cmp eax,0A ; 剩余与10比较
004011F9 |. 8A06 mov al,byte ptr ds:[esi]
004011FB |. 0F8E 96000000 jle dumped_.00401297 ; 小于等于则跳
00401201 |. 84C0 test al,al
00401203 |. 0F84 A5000000 je dumped_.004012AE
00401209 |. 8DA424 00000000 lea esp,dword ptr ss:[esp]
00401210 |> 3C 2D cmp al,2D ; Switch (cases 2D..66)
00401212 |. 75 17 jnz short dumped_.0040122B
00401214 |. 46 inc esi ; 如果是'-',下一个; Case 2D ('-') of switch 00401210
00401215 |. EB 67 jmp short dumped_.0040127E
00401217 |> 8B8424 10010000 mov eax,dword ptr ss:[esp+110]
0040121E |. 5D pop ebp
0040121F |. 5F pop edi
00401220 |. C600 00 mov byte ptr ds:[eax],0
00401223 |. 5E pop esi
00401224 |. 81C4 00010000 add esp,100
0040122A |. C3 retn
0040122B |> 3C 61 cmp al,61 ; a-f
0040122D |. 7C 08 jl short dumped_.00401237
0040122F |. 3C 66 cmp al,66
00401231 |. 7F 04 jg short dumped_.00401237
00401233 |. 04 A9 add al,0A9 ; a-f+0a9
00401235 |. EB 16 jmp short dumped_.0040124D
00401237 |> 3C 41 cmp al,41 ; A-F; Default case of switch 00401210
00401239 |. 7C 08 jl short dumped_.00401243
0040123B |. 3C 46 cmp al,46
0040123D |. 7F 04 jg short dumped_.00401243
0040123F |. 04 C9 add al,0C9 ; A-F+0c9
00401241 |. EB 0A jmp short dumped_.0040124D
00401243 |> 3C 30 cmp al,30 ; 0-9
00401245 |. 7C 67 jl short dumped_.004012AE
00401247 |. 3C 39 cmp al,39
00401249 |. 7F 63 jg short dumped_.004012AE
0040124B |. 04 D0 add al,0D0 ; 0-9+0d0
0040124D |> 46 inc esi ; Cases 61 ('a'),62 ('b'),63 ('c'),64 ('d'),65 ('e'),66 ('f') of switch 00401210
0040124E |. 8AC8 mov cl,al ; result -> cl
00401250 |. 8A06 mov al,byte ptr ds:[esi] ; next char, the second hex digit
00401252 |. 3C 61 cmp al,61 ; a-f
00401254 |. 7C 08 jl short dumped_.0040125E
00401256 |. 3C 66 cmp al,66
00401258 |. 7F 04 jg short dumped_.0040125E
0040125A |. 04 A9 add al,0A9 ; a-f+0a9
0040125C |. EB 16 jmp short dumped_.00401274
0040125E |> 3C 41 cmp al,41
00401260 |. 7C 08 jl short dumped_.0040126A
00401262 |. 3C 46 cmp al,46
00401264 |. 7F 04 jg short dumped_.0040126A
00401266 |. 04 C9 add al,0C9 ; A-F+0c9
00401268 |. EB 0A jmp short dumped_.00401274
0040126A |> 3C 30 cmp al,30
0040126C |. 7C 40 jl short dumped_.004012AE
0040126E |. 3C 39 cmp al,39
00401270 |. 7F 3C jg short dumped_.004012AE
00401272 |. 04 D0 add al,0D0 ; 0-9+0d0
00401274 |> C0E1 04 shl cl,4 ; shift cl left 4 bits
00401277 |. 02C8 add cl,al ; cl+al
00401279 |. 46 inc esi ; next char (the third)
0040127A |. 880C2B mov byte ptr ds:[ebx+ebp],cl ; store at [ebx+ebp] (stack buffer 12e576), appended after the copied string
0040127D |. 45 inc ebp
0040127E |> 8A06 mov al,byte ptr ds:[esi]
00401280 |. 84C0 test al,al
00401282 |.^ 75 8C jnz short dumped_.00401210
00401284 |. C6042B 3D mov byte ptr ds:[ebx+ebp],3D ; append '=' to the end of the string
00401288 |. 88442B 01 mov byte ptr ds:[ebx+ebp+1],al ; terminate the string (al is 0 here)
0040128C |. 5B pop ebx
0040128D |. 5D pop ebp
0040128E |. 5F pop edi
0040128F |. 5E pop esi
00401290 |. 81C4 00010000 add esp,100
00401296 |. C3 retn
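The routine at 004011B9..00401296 above, reconstructed in C as an added example (this is not the game's own code). The table string selected at 004011C0 is passed in as `prefix`; the jump targets 00401297 and 004012AE are not in the listing, so the example assumes they end on the failure block at 00401217, which zeroes the first byte of the output buffer. The `outsz` bound is an addition: the original writes to [ebx+ebp] with no limit at all, so an over-long code overruns the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One hex digit, done the way the listing does it: the 8-bit additions
 * 'a'+0xA9, 'A'+0xC9 and '0'+0xD0 all wrap to the digit's value. */
static int hexval(unsigned char c)
{
    if (c >= 'a' && c <= 'f') return (uint8_t)(c + 0xA9);   /* 0x0A..0x0F */
    if (c >= 'A' && c <= 'F') return (uint8_t)(c + 0xC9);   /* 0x0A..0x0F */
    if (c >= '0' && c <= '9') return (uint8_t)(c + 0xD0);   /* 0x00..0x09 */
    return -1;                                              /* -> 004012AE */
}

/* Builds prefix + decode(code) + "=" into out.
 * Returns the resulting length, or -1 on the failure path, in which case
 * out[0] is set to 0 (the block at 00401217, assumed to be where the
 * unseen targets 00401297/004012AE land). */
int build_registration(const char *prefix, const char *code,
                       char *out, size_t outsz)
{
    size_t pos = strlen(prefix);
    if (pos + 2 > outsz) { out[0] = 0; return -1; }   /* bound: not in original */
    memcpy(out, prefix, pos);                         /* lstrcpyA at 004011C9 */

    /* 004011E1..004011F1: skip leading bytes in 0x01..0x20. The compares are
     * signed, so a byte >= 0x80 also ends the skip loop. */
    const signed char *p = (const signed char *)code;
    while (*p > 0 && *p <= 0x20) p++;

    /* 004011F3..004011FB: 10 or fewer bytes left -> 00401297 (assumed failure) */
    if (strlen((const char *)p) <= 10) { out[0] = 0; return -1; }

    while (*p != 0) {
        if (*p == '-') { p++; continue; }            /* case 2D: dash is skipped */
        int hi = hexval((unsigned char)*p);
        if (hi < 0) { out[0] = 0; return -1; }
        p++;
        int lo = hexval((unsigned char)*p);          /* a 0 terminator fails here too */
        if (lo < 0) { out[0] = 0; return -1; }
        p++;
        if (pos + 2 >= outsz) { out[0] = 0; return -1; }   /* bound: not in original */
        out[pos++] = (char)((uint8_t)(hi << 4) + (uint8_t)lo); /* shl cl,4 ; add cl,al */
    }
    out[pos] = '=';                                  /* 00401284 */
    out[pos + 1] = 0;                                /* 00401288 */
    return (int)pos + 1;
}

int main(void)
{
    /* "KEY" stands in for the table string; the code is a constructed sample. */
    char buf[64];
    int n = build_registration("KEY", "41-42-43-44-45-46", buf, sizeof buf);
    printf("%d \"%s\"\n", n, buf);
    return 0;
}
```

The two things worth taking from it: any registration code of 10 bytes or fewer is rejected before decoding starts, and the decoder accepts both hex cases with dashes anywhere, so "4142" and "41-42" and "4a-4B" all feed the same bytes into the string that the registry code later stores as "Registration".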
00401090 /$ 81EC 00040000 sub esp,400
00401096 |. 68 00040000 push 400 ; /BufSize = 400 (1024.)
0040109B |. 8D4424 04 lea eax,dword ptr ss:[esp+>; |
0040109F |. 50 push eax ; |PathBuffer
004010A0 |. 6A 00 push 0 ; |hModule = NULL
004010A2 |. FF15 7C714900 call dword ptr ds:[<&kerne>; \GetModuleFileNameA, get the module's file name and path
004010A8 |. 68 E0734900 push dumped_.004973E0 ; /String2 = "Software\GameHouse\RumbleCube"
004010AD |. 68 F0074B00 push dumped_.004B07F0 ; |String1 = dumped_.004B07F0
004010B2 |. FF15 78714900 call dword ptr ds:[<&kerne>; \lstrcpyA
004010B8 |. B8 F0074B00 mov eax,dumped_.004B07F0 ; ASCII "Software\GameHouse\RumbleCube"
004010BD |. 81C4 00040000 add esp,400
004010C3 \. C3 retn
00401D1E |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D22 |. 51 push ecx ; /pHandle
00401D23 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401D28 |. 6A 00 push 0 ; |Reserved = 0
00401D2A |. 8BF0 mov esi,eax ; |
00401D2C |. 56 push esi ; |Subkey
00401D2D |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401D32 |. FFD7 call edi ; \RegOpenKeyExA, open the existing registry key
00401D34 |. 85C0 test eax,eax ; success?
00401D36 74 44 je short dumped_.00401D7C ; otherwise create it
00401D38 |. 8B1D 0C704900 mov ebx,dword ptr ds:[<&advapi32.RegCreate>; advapi32.RegCreateKeyA
00401D3E |. 8D5424 10 lea edx,dword ptr ss:[esp+10]
00401D42 |. 52 push edx ; /pHandle
00401D43 |. 56 push esi ; |Subkey
00401D44 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401D49 |. FFD3 call ebx ; \RegCreateKeyA
00401D4B |. 85C0 test eax,eax
00401D4D |. 74 2D je short dumped_.00401D7C
00401D4F |. 8D4424 10 lea eax,dword ptr ss:[esp+10]
00401D53 |. 50 push eax ; /pHandle
00401D54 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401D59 |. 6A 00 push 0 ; |Reserved = 0
00401D5B |. 56 push esi ; |Subkey
00401D5C |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401D61 |. FFD7 call edi ; \RegOpenKeyExA
00401D63 |. 85C0 test eax,eax
00401D65 |. 74 15 je short dumped_.00401D7C
00401D67 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401D6B |. 51 push ecx ; /pHandle
00401D6C |. 56 push esi ; |Subkey
00401D6D |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401D72 |. FFD3 call ebx ; \RegCreateKeyA
00401D74 |. 85C0 test eax,eax
00401D76 |. 0F85 6D020000 jnz dumped_.00401FE9
00401D7C |> 8B3D 70714900 mov edi,dword ptr ds:[<&kernel32.lstrlen>] ; kernel32.lstrlenA
00401D82 |. 8D9424 C0000000 lea edx,dword ptr ss:[esp+C0]
00401D89 |. 52 push edx ; /String
00401D8A |. FFD7 call edi ; \lstrlenA, length of the assembled string (0xad)
00401D8C |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; registry key handle (0xb4)
00401D90 |. 8B35 00704900 mov esi,dword ptr ds:[<&advapi32.RegSetVal>; advapi32.RegSetValueExA
00401D96 |. 40 inc eax
00401D97 |. 50 push eax ; /BufSize
00401D98 |. 8D8424 C4000000 lea eax,dword ptr ss:[esp+C4] ; |
00401D9F |. 50 push eax ; |Buffer = the assembled string
00401DA0 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401DA2 |. 6A 00 push 0 ; |Reserved = 0
00401DA4 |. 68 3C744900 push dumped_.0049743C ; |ValueName = "Registration"
00401DA9 |. 51 push ecx ; |hKey
00401DAA |. FFD6 call esi ; \RegSetValueExA
00401DAC |. 8D5424 40 lea edx,dword ptr ss:[esp+40] ; the call above sets the named value
00401DB0 |. 52 push edx ; /String
00401DB1 |. FFD7 call edi ; \lstrlenA
00401DB3 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; length of the registration name (0x0b)
00401DB7 |. 40 inc eax
00401DB8 |. 50 push eax ; /BufSize
00401DB9 |. 8D4424 44 lea eax,dword ptr ss:[esp+44] ; |
00401DBD |. 50 push eax ; |Buffer
00401DBE |. 6A 01 push 1 ; |ValueType = REG_SZ
00401DC0 |. 6A 00 push 0 ; |Reserved = 0
00401DC2 |. 68 28744900 push dumped_.00497428 ; |ValueName = "RegName"
00401DC7 |. 51 push ecx ; |hKey
00401DC8 |. FFD6 call esi ; \RegSetValueExA
00401DCA 68 88744900 push dumped_.00497488 ; ASCII "HACKER"
00401DCF |. 8D9424 C4000000 lea edx,dword ptr ss:[esp+C4] ; |
00401DD6 |. 52 push edx ; |String1
00401DD7 |. FF15 58714900 call dword ptr ds:[<&kernel32.lstrcmp>] ; \lstrcmpA
00401DDD |. 85C0 test eax,eax ; compared against the assembled string?
00401DDF |. 75 16 jnz short dumped_.00401DF7 ; taken or not, it is "OK" either way? Baffling, ugh
00401DE1 |. 6A 03 push 3 ; /BufSize = 3
00401DE3 |. 68 84744900 push dumped_.00497484 ; |Buffer = dumped_.00497484
00401DE8 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401DEA |. 50 push eax ; |Reserved
00401DEB |. 8B4424 20 mov eax,dword ptr ss:[esp+20] ; |
00401DEF |. 68 30744900 push dumped_.00497430 ; |ValueName = "RegFault"
00401DF4 |. 50 push eax ; |hKey
00401DF5 |. FFD6 call esi ; \RegSetValueExA
00401DF7 |> 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00401DFB |. 51 push ecx ; /hKey
00401DFC |. FF15 18704900 call dword ptr ds:[<&advapi32.RegCloseKey>>; \RegCloseKey
00401E02 |. 68 EB030000 push 3EB ; /Result = 3EB (1003.)
00401E07 |. 55 push ebp ; |hWnd
00401E08 |. FF15 FC714900 call dword ptr ds:[<&user32.EndDialog>] ; \EndDialog
Is there some other trick to the registration?
Start from program startup: set breakpoints on all intermodular calls and restart.
Alternate F9 and F2 and watch the comment column:
0040242F . 68 00020000 push 200 ; /Count = 200 (512.)
00402434 . 8D8C24 30030000 lea ecx,dword ptr ss:[esp+330] ; |
0040243B . 51 push ecx ; |Buffer
0040243C . 8BF0 mov esi,eax ; |
0040243E . 6A 02 push 2 ; |RsrcID = STRING "Sorry, no more trial sessions allowed for %s."
00402440 . 56 push esi ; |hInst
00402441 . FF15 B4714900 call dword ptr ds:[<&user32.LoadString>; \LoadStringA
That is a string from the registration dialog; look upward:
004023AB . 83C4 08 add esp,8
004023AE . E9 BC000000 jmp dumped_.0040246F ***** this one jumps past the nag
004023B3 > 3935 E4064B00 cmp dword ptr ds:[4B06E4],esi
004023B9 . 0F84 C2000000 je dumped_.00402481 ***** this one jumps past it too; set a breakpoint here and restart
004023BF . 3935 84304A00 cmp dword ptr ds:[4A3084],esi
004023C5 . 75 59 jnz short dumped_.00402420
004023C7 . 56 push esi ; /pModule
004023C8 . FF15 4C714900 call dword ptr ds:[<&kernel32.GetModul>; \GetModuleHandleA
004023CE . 8BF0 mov esi,eax
004023D0 . 68 00020000 push 200 ; /Count = 200 (512.)
004023D5 . 8D8424 30030000 lea eax,dword ptr ss:[esp+330] ; |
004023DC . 50 push eax ; |Buffer
004023DD . 6A 01 push 1 ; |RsrcID = STRING "%s Trial has expired."
004023DF . 56 push esi ; |hInst
004023E0 . FF15 B4714900 call dword ptr ds:[<&user32.LoadString>; \LoadStringA
004023E6 . 68 D4454A00 push dumped_.004A45D4 ; ASCII "Rumble Cube"
004023EB . 8D8C24 30030000 lea ecx,dword ptr ss:[esp+330]
004023F2 . 51 push ecx
004023F3 . 8D9424 34010000 lea edx,dword ptr ss:[esp+134]
004023FA . 52 push edx
004023FB . FFD7 call edi
004023FD . 8D8424 38010000 lea eax,dword ptr ss:[esp+138]
00402404 . 50 push eax
00402405 . 56 push esi
00402406 . E8 55FDFFFF call dumped_.00402160
0040240B . 83C4 14 add esp,14
0040240E . 83F8 02 cmp eax,2
00402411 . 75 6E jnz short dumped_.00402481
00402413 . 5F pop edi
00402414 . 5E pop esi
00402415 . 81C4 24050000 add esp,524
0040241B .^ E9 60F0FFFF jmp dumped_.00401480
00402420 > 3935 88304A00 cmp dword ptr ds:[4A3088],esi
00402426 75 59 jnz short dumped_.00402481
00402428 . 56 push esi ; /pModule
00402429 . FF15 4C714900 call dword ptr ds:[<&kernel32.GetModul>; \GetModuleHandleA
After restarting it breaks here:
004023B3 > \3935 E4064B00 cmp dword ptr ds:[4B06E4],esi
[4b06e4]=1, esi=0
Restart and set a memory-write breakpoint on 4b06e4:
It breaks here:
004022E0 $ A1 E8064B00 mov eax,dword ptr ds:[4B06E8] ******* note this
004022E5 . 81EC 24050000 sub esp,524
004022EB . 56 push esi
004022EC . 33F6 xor esi,esi
004022EE . 3BC6 cmp eax,esi ****** is eax zero? jump if not
004022F0 . 0F85 8C010000 jnz dumped_.00402482 ****** this one jumps past it too
004022F6 . 57 push edi
004022F7 . 68 A0744900 push dumped_.004974A0 ; /String2 = "GHRC-1"
004022FC . 8D4424 30 lea eax,dword ptr ss:[esp+30] ; |
00402300 . 50 push eax ; |String1
00402301 C705 E4064B00 010>mov dword ptr ds:[4B06E4],1 *********** here: change the 1 to 0 and it is patched (brute-force cracked), heh
0040230B . FF15 78714900 call dword ptr ds:[<&kernel32.lstrcpy>>; \lstrcpyA
00402311 . 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
Tracing back to the caller reaches here:
00402490 /$ A1 E8064B00 mov eax,dword ptr ds:[4B06E8] ****** this one?
00402495 |. 85C0 test eax,eax
00402497 |. 75 1D jnz short dumped_.004024B6
00402499 |. E8 42FEFFFF call dumped_.004022E0 ————————————————
0040249E |. A1 E4064B00 mov eax,dword ptr ds:[4B06E4]
004024A3 |. 85C0 test eax,eax
004024A5 |. 74 0F je short dumped_.004024B6
004024A7 |. A1 88304A00 mov eax,dword ptr ds:[4A3088]
004024AC |. 85C0 test eax,eax
004024AE |. 75 06 jnz short dumped_.004024B6
004024B0 |. B8 01000000 mov eax,1
004024B5 |. C3 retn
004024B6 |> 33C0 xor eax,eax
004024B8 \. C3 retn
Keep tracing back:
004248A0 $ 81EC B4020000 sub esp,2B4
004248A6 . E8 E5DBFDFF call dumped_.00402490 ————————————————
004248AB . 85C0 test eax,eax
004248AD 0F85 72060000 jnz dumped_.00424F25
004248B3 . 53 push ebx
004248B4 . 55 push ebp
004248B5 . 56 push esi
004248B6 . 33DB xor ebx,ebx
004248B8 . 57 push edi
004248B9 . 881D 37174B00 mov byte ptr ds:[4B1737],bl
004248BF . E8 CCD1FDFF call dumped_.00401A90
004248C4 . 85C0 test eax,eax
004248C6 . 8BAC24 C8020000 mov ebp,dword ptr ss:[esp+2C8]
004248CD 74 35 je short dumped_.00424904
004248CF . 8D8424 C4000000 lea eax,dword ptr ss:[esp+C4]
004248D6 . 50 push eax
004248D7 . 55 push ebp
004248D8 . E8 B3D0FDFF call dumped_.00401990
004248DD . 8D8C24 CC000000 lea ecx,dword ptr ss:[esp+CC]
004248E4 . 51 push ecx
004248E5 . 55 push ebp
004248E6 . E8 75D8FDFF call dumped_.00402160
004248EB . 83C4 10 add esp,10
004248EE . 3D EB030000 cmp eax,3EB
004248F3 . 75 16 jnz short dumped_.0042490B
004248F5 . 5F pop edi
004248F6 . 5E pop esi
004248F7 . 5D pop ebp
004248F8 . 5B pop ebx
004248F9 . 33C0 xor eax,eax
004248FB . 81C4 B4020000 add esp,2B4
00424901 . C2 1000 retn 10
Further back:
00489DBB . 56 push esi
00489DBC . 56 push esi
00489DBD . FFD7 call edi
00489DBF . 50 push eax
00489DC0 . E8 DBAAF9FF call dumped_.004248A0 ————————————————
00489DC5 . 8BF8 mov edi,eax
00489DC7 . 897D 94 mov dword ptr ss:[ebp-6C],edi
00489DCA . 3975 E4 cmp dword ptr ss:[ebp-1C],esi
00489DCD . 75 06 jnz short dumped_.00489DD5
00489DCF . 57 push edi
00489DD0 . E8 EC0E0000 call dumped_.0048ACC1
00489DD5 > E8 090F0000 call dumped_.0048ACE3
00489DDA . EB 2B jmp short dumped_.00489E07
00489DDC . 8B45 EC mov eax,dword ptr ss:[ebp-14]
00489DDF . 8B08 mov ecx,dword ptr ds:[eax]
00489DE1 . 8B09 mov ecx,dword ptr ds:[ecx]
00489DE3 . 894D 90 mov dword ptr ss:[ebp-70],ecx
00489DE6 . 50 push eax
No more leads. Assuming [4b06e8]=1 is what is needed, search for the instruction
mov dword ptr [4b06e8],1
Lucky, hahahaha, found it here:
00401780 . 8B4424 04 mov eax,dword ptr ss:[esp+4]
00401784 . 85C0 test eax,eax
00401786 . 74 19 je short dumped_.004017A1
00401788 . 8038 00 cmp byte ptr ds:[eax],0
0040178B . 74 14 je short dumped_.004017A1
0040178D . C705 E8064B00 010>mov dword ptr ds:[4B06E8],1 ****** here
00401797 . C705 E4064B00 000>mov dword ptr ds:[4B06E4],0
004017A1 > C2 0400 retn 4
Set a breakpoint on this block and restart to see: execution never passes through here...
Traced for ages with no clue; waiting for an expert :(
For now only patching (brute-force cracking) works.
--------------------------------------------------------------------------------
【Lessons learned】
Had a bit of luck, but unfortunately it ran out, heh.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) technical forum; if you repost it, credit the author and keep the article intact. Thanks!
2008-10-17 21:51:41