-
-
[旧帖] [讨论]一篇未完的破文 0.00雪花
-
发表于: 2008-12-6 11:18
-
一篇未完的破文
目标软件:Magic Photo Editor.exe老外的。天空下载!
拿到软件后
第一步:安装——运行——注册。有错误提示!!(先记下,呆会用。)
第二步:查壳,查有没有什么加密算法。PEiD查壳如图:
无加密算法。
第三步:脱壳,本人是手动脱的。
启动OD载入,用ESP定律,(dr 0013FFA4),——F9,断在这儿,如图
经分析最下面的无条件跳就是入口。用F4运行到jmp 004877F4,让它跳。跳至:
直接用OD所带的插件OllyDump,另存为一文件。成功运行,(好高兴!)至此,软伯脱壳成功!!
第四步:破解。OD打开脱壳后的程序,用插件查提示:如图
下断,运行:
004831CA 55 push ebp
004831CB 68 72334800 push 00483372
004831D0 64:FF30 push dword ptr fs:[eax]
004831D3 64:8920 mov dword ptr fs:[eax], esp
004831D6 8B83 00030000 mov eax, dword ptr [ebx+300]
004831DC 8B10 mov edx, dword ptr [eax]
004831DE FF52 50 call dword ptr [edx+50]
004831E1 3C 01 cmp al, 1
004831E3 0F85 18010000 jnz 00483301
004831E9 8D55 F8 lea edx, dword ptr [ebp-8]
004831EC 8BB3 00030000 mov esi, dword ptr [ebx+300]
004831F2 8BC6 mov eax, esi
004831F4 E8 8F39FBFF call 00436B88
004831F9 8B45 F8 mov eax, dword ptr [ebp-8] ; 伪码送eax
004831FC 8D55 FC lea edx, dword ptr [ebp-4]
004831FF E8 EC54F8FF call 004086F0
00483204 8B55 FC mov edx, dword ptr [ebp-4] ; 伪码送eax
00483207 8BC6 mov eax, esi
00483209 E8 AA39FBFF call 00436BB8
0048320E 8D55 F4 lea edx, dword ptr [ebp-C]
00483211 8B83 00030000 mov eax, dword ptr [ebx+300]
00483217 E8 6C39FBFF call 00436B88
0048321C 837D F4 00 cmp dword ptr [ebp-C], 0
00483220 0F84 CF000000 je 004832F5 ; 跳则挂
00483226 8D55 EC lea edx, dword ptr [ebp-14]
00483229 8B83 00030000 mov eax, dword ptr [ebx+300]
0048322F E8 5439FBFF call 00436B88
00483234 8B45 EC mov eax, dword ptr [ebp-14] ; 伪码送eax
00483237 8D55 F0 lea edx, dword ptr [ebp-10]
0048323A E8 6152F8FF call 004084A0
0048323F 8B45 F0 mov eax, dword ptr [ebp-10] ; 伪码送eax
00483242 E8 4DA4FFFF call 0047D694 ; 关键call
00483247 84C0 test al, al
00483249 0F84 9A000000 je 004832E9 ; 跳则挂
0048324F 8D55 E8 lea edx, dword ptr [ebp-18]
00483252 8B83 00030000 mov eax, dword ptr [ebx+300]
00483258 E8 2B39FBFF call 00436B88
0048325D 8B45 E8 mov eax, dword ptr [ebp-18]
00483260 E8 E713F8FF call 0040464C
00483265 83F8 0B cmp eax, 0B
00483268 75 7F jnz short 004832E9
0048326A 8D45 E4 lea eax, dword ptr [ebp-1C]
0048326D 50 push eax
0048326E 8D55 DC lea edx, dword ptr [ebp-24]
00483271 8B83 00030000 mov eax, dword ptr [ebx+300]
00483277 E8 0C39FBFF call 00436B88
0048327C 8B45 DC mov eax, dword ptr [ebp-24]
0048327F 8D55 E0 lea edx, dword ptr [ebp-20]
00483282 E8 1952F8FF call 004084A0
00483287 8B45 E0 mov eax, dword ptr [ebp-20]
0048328A B9 01000000 mov ecx, 1
0048328F BA 0B000000 mov edx, 0B
00483294 E8 0B16F8FF call 004048A4
00483299 8B45 E4 mov eax, dword ptr [ebp-1C]
0048329C BA 88334800 mov edx, 00483388 ; u
004832A1 E8 EA14F8FF call 00404790
004832A6 75 41 jnz short 004832E9
004832A8 8D55 D4 lea edx, dword ptr [ebp-2C]
004832AB 8B83 00030000 mov eax, dword ptr [ebx+300]
004832B1 E8 D238FBFF call 00436B88
004832B6 8B45 D4 mov eax, dword ptr [ebp-2C]
004832B9 8D55 D8 lea edx, dword ptr [ebp-28]
004832BC E8 DF51F8FF call 004084A0
004832C1 8B55 D8 mov edx, dword ptr [ebp-28]
004832C4 B8 94334800 mov eax, 00483394 ; magic.bin
004832C9 E8 FEA4FFFF call 0047D7CC
004832CE A1 149B4800 mov eax, dword ptr [489B14]
004832D3 BA A8334800 mov edx, 004833A8 ; y
004832D8 E8 0B11F8FF call 004043E8
004832DD B8 B4334800 mov eax, 004833B4 ; successfully registered!
004832E2 E8 35D4FAFF call 0043071C
004832E7 EB 22 jmp short 0048330B
004832E9 B8 D8334800 mov eax, 004833D8 ; invalid serialnumber!
004832EE E8 29D4FAFF call 0043071C
004832F3 EB 16 jmp short 0048330B
004832F5 B8 D8334800 mov eax, 004833D8 ; invalid serialnumber!
004832FA E8 1DD4FAFF call 0043071C
004832FF EB 0A jmp short 0048330B
00483301 B8 F8334800 mov eax, 004833F8 ; already registered!
00483306 E8 11D4FAFF call 0043071C
看到上面的三处提示了吧!!向前分析,断在004831CA 55 push ebp,下面的几个call,就是算法了,由于本人水平不限,分析不出来!!就不写了。
花了几天时间:略微知道,本软件先取计算机名(取前4),再取计算机的mac(取前6),然后按一定顺序形成username,我追到的username跟显示的少了一个S.注册码的处理跟这差不多,最后分步比较.就看不出来了.
希望爱好破解的研究一下.
同时也希望有人能用C++写出注册机!!
谢谢!!(本人将持续研究本软件!)
目标软件:Magic Photo Editor.exe老外的。天空下载!
拿到软件后
第一步:安装——运行——注册。有错误提示!!(先记下,呆会用。)
第二步:查壳,查有没有什么加密算法。PEiD查壳如图:
无加密算法。
第三步:脱壳,本人是手动脱的。
启动OD载入,用ESP定律,(dr 0013FFA4),——F9,断在这儿,如图
经分析最下面的无条件跳就是入口。用F4运行到jmp 004877F4,让它跳。跳至:
直接用OD所带的插件OllyDump,另存为一文件。成功运行,(好高兴!)至此,软伯脱壳成功!!
第四步:破解。OD打开脱壳后的程序,用插件查提示:如图
下断,运行:
004831CA 55 push ebp
004831CB 68 72334800 push 00483372
004831D0 64:FF30 push dword ptr fs:[eax]
004831D3 64:8920 mov dword ptr fs:[eax], esp
004831D6 8B83 00030000 mov eax, dword ptr [ebx+300]
004831DC 8B10 mov edx, dword ptr [eax]
004831DE FF52 50 call dword ptr [edx+50]
004831E1 3C 01 cmp al, 1
004831E3 0F85 18010000 jnz 00483301
004831E9 8D55 F8 lea edx, dword ptr [ebp-8]
004831EC 8BB3 00030000 mov esi, dword ptr [ebx+300]
004831F2 8BC6 mov eax, esi
004831F4 E8 8F39FBFF call 00436B88
004831F9 8B45 F8 mov eax, dword ptr [ebp-8] ; 伪码送eax
004831FC 8D55 FC lea edx, dword ptr [ebp-4]
004831FF E8 EC54F8FF call 004086F0
00483204 8B55 FC mov edx, dword ptr [ebp-4] ; 伪码送eax
00483207 8BC6 mov eax, esi
00483209 E8 AA39FBFF call 00436BB8
0048320E 8D55 F4 lea edx, dword ptr [ebp-C]
00483211 8B83 00030000 mov eax, dword ptr [ebx+300]
00483217 E8 6C39FBFF call 00436B88
0048321C 837D F4 00 cmp dword ptr [ebp-C], 0
00483220 0F84 CF000000 je 004832F5 ; 跳则挂
00483226 8D55 EC lea edx, dword ptr [ebp-14]
00483229 8B83 00030000 mov eax, dword ptr [ebx+300]
0048322F E8 5439FBFF call 00436B88
00483234 8B45 EC mov eax, dword ptr [ebp-14] ; 伪码送eax
00483237 8D55 F0 lea edx, dword ptr [ebp-10]
0048323A E8 6152F8FF call 004084A0
0048323F 8B45 F0 mov eax, dword ptr [ebp-10] ; 伪码送eax
00483242 E8 4DA4FFFF call 0047D694 ; 关键call
00483247 84C0 test al, al
00483249 0F84 9A000000 je 004832E9 ; 跳则挂
0048324F 8D55 E8 lea edx, dword ptr [ebp-18]
00483252 8B83 00030000 mov eax, dword ptr [ebx+300]
00483258 E8 2B39FBFF call 00436B88
0048325D 8B45 E8 mov eax, dword ptr [ebp-18]
00483260 E8 E713F8FF call 0040464C
00483265 83F8 0B cmp eax, 0B
00483268 75 7F jnz short 004832E9
0048326A 8D45 E4 lea eax, dword ptr [ebp-1C]
0048326D 50 push eax
0048326E 8D55 DC lea edx, dword ptr [ebp-24]
00483271 8B83 00030000 mov eax, dword ptr [ebx+300]
00483277 E8 0C39FBFF call 00436B88
0048327C 8B45 DC mov eax, dword ptr [ebp-24]
0048327F 8D55 E0 lea edx, dword ptr [ebp-20]
00483282 E8 1952F8FF call 004084A0
00483287 8B45 E0 mov eax, dword ptr [ebp-20]
0048328A B9 01000000 mov ecx, 1
0048328F BA 0B000000 mov edx, 0B
00483294 E8 0B16F8FF call 004048A4
00483299 8B45 E4 mov eax, dword ptr [ebp-1C]
0048329C BA 88334800 mov edx, 00483388 ; u
004832A1 E8 EA14F8FF call 00404790
004832A6 75 41 jnz short 004832E9
004832A8 8D55 D4 lea edx, dword ptr [ebp-2C]
004832AB 8B83 00030000 mov eax, dword ptr [ebx+300]
004832B1 E8 D238FBFF call 00436B88
004832B6 8B45 D4 mov eax, dword ptr [ebp-2C]
004832B9 8D55 D8 lea edx, dword ptr [ebp-28]
004832BC E8 DF51F8FF call 004084A0
004832C1 8B55 D8 mov edx, dword ptr [ebp-28]
004832C4 B8 94334800 mov eax, 00483394 ; magic.bin
004832C9 E8 FEA4FFFF call 0047D7CC
004832CE A1 149B4800 mov eax, dword ptr [489B14]
004832D3 BA A8334800 mov edx, 004833A8 ; y
004832D8 E8 0B11F8FF call 004043E8
004832DD B8 B4334800 mov eax, 004833B4 ; successfully registered!
004832E2 E8 35D4FAFF call 0043071C
004832E7 EB 22 jmp short 0048330B
004832E9 B8 D8334800 mov eax, 004833D8 ; invalid serialnumber!
004832EE E8 29D4FAFF call 0043071C
004832F3 EB 16 jmp short 0048330B
004832F5 B8 D8334800 mov eax, 004833D8 ; invalid serialnumber!
004832FA E8 1DD4FAFF call 0043071C
004832FF EB 0A jmp short 0048330B
00483301 B8 F8334800 mov eax, 004833F8 ; already registered!
00483306 E8 11D4FAFF call 0043071C
看到上面的三处提示了吧!!向前分析,断在004831CA 55 push ebp,下面的几个call,就是算法了,由于本人水平不限,分析不出来!!就不写了。
花了几天时间:略微知道,本软件先取计算机名(取前4),再取计算机的mac(取前6),然后按一定顺序形成username,我追到的username跟显示的少了一个S.注册码的处理跟这差不多,最后分步比较.就看不出来了.
希望爱好破解的研究一下.
同时也希望有人能用C++写出注册机!!
谢谢!!(本人将持续研究本软件!)
