[Old post] [Discussion] An unfinished cracking write-up
Posted on: 2008-12-6 11:18
Target software: Magic Photo Editor.exe, a foreign program. Downloaded from 天空 (Skycn)!
After getting the software:
Step 1: install, run, register. An error message appears!! (Note it down; it will be used in a moment.)
Step 2: check for a packer and for any crypto algorithms. PEiD scan result, as shown in the figure:
No crypto algorithm.
Step 3: unpacking. I unpacked it by hand.
Load it in OllyDbg (OD) and use the ESP trick (dr 0013FFA4), then F9; it breaks here, as shown in the figure:
Analysis shows the unconditional jump at the bottom is the entry point. Press F4 to run to jmp 004877F4 and let it jump. It jumps to:
Use the OllyDump plugin that ships with OD to dump it to a new file. It runs fine (so happy!). At this point the software is successfully unpacked!!
Step 4: cracking. Open the unpacked program in OD and use a plugin to search for the message strings, as shown in the figure:
Set a breakpoint and run:
004831CA 55 push ebp
004831CB 68 72334800 push 00483372
004831D0 64:FF30 push dword ptr fs:[eax]
004831D3 64:8920 mov dword ptr fs:[eax], esp
004831D6 8B83 00030000 mov eax, dword ptr [ebx+300]
004831DC 8B10 mov edx, dword ptr [eax]
004831DE FF52 50 call dword ptr [edx+50]
004831E1 3C 01 cmp al, 1
004831E3 0F85 18010000 jnz 00483301
004831E9 8D55 F8 lea edx, dword ptr [ebp-8]
004831EC 8BB3 00030000 mov esi, dword ptr [ebx+300]
004831F2 8BC6 mov eax, esi
004831F4 E8 8F39FBFF call 00436B88
004831F9 8B45 F8 mov eax, dword ptr [ebp-8] ; fake (entered) serial into eax
004831FC 8D55 FC lea edx, dword ptr [ebp-4]
004831FF E8 EC54F8FF call 004086F0
00483204 8B55 FC mov edx, dword ptr [ebp-4] ; fake (entered) serial into eax
00483207 8BC6 mov eax, esi
00483209 E8 AA39FBFF call 00436BB8
0048320E 8D55 F4 lea edx, dword ptr [ebp-C]
00483211 8B83 00030000 mov eax, dword ptr [ebx+300]
00483217 E8 6C39FBFF call 00436B88
0048321C 837D F4 00 cmp dword ptr [ebp-C], 0
00483220 0F84 CF000000 je 004832F5 ; if it jumps, we fail
00483226 8D55 EC lea edx, dword ptr [ebp-14]
00483229 8B83 00030000 mov eax, dword ptr [ebx+300]
0048322F E8 5439FBFF call 00436B88
00483234 8B45 EC mov eax, dword ptr [ebp-14] ; fake (entered) serial into eax
00483237 8D55 F0 lea edx, dword ptr [ebp-10]
0048323A E8 6152F8FF call 004084A0
0048323F 8B45 F0 mov eax, dword ptr [ebp-10] ; fake (entered) serial into eax
00483242 E8 4DA4FFFF call 0047D694 ; key call
00483247 84C0 test al, al
00483249 0F84 9A000000 je 004832E9 ; if it jumps, we fail
0048324F 8D55 E8 lea edx, dword ptr [ebp-18]
00483252 8B83 00030000 mov eax, dword ptr [ebx+300]
00483258 E8 2B39FBFF call 00436B88
0048325D 8B45 E8 mov eax, dword ptr [ebp-18]
00483260 E8 E713F8FF call 0040464C
00483265 83F8 0B cmp eax, 0B
00483268 75 7F jnz short 004832E9
0048326A 8D45 E4 lea eax, dword ptr [ebp-1C]
0048326D 50 push eax
0048326E 8D55 DC lea edx, dword ptr [ebp-24]
00483271 8B83 00030000 mov eax, dword ptr [ebx+300]
00483277 E8 0C39FBFF call 00436B88
0048327C 8B45 DC mov eax, dword ptr [ebp-24]
0048327F 8D55 E0 lea edx, dword ptr [ebp-20]
00483282 E8 1952F8FF call 004084A0
00483287 8B45 E0 mov eax, dword ptr [ebp-20]
0048328A B9 01000000 mov ecx, 1
0048328F BA 0B000000 mov edx, 0B
00483294 E8 0B16F8FF call 004048A4
00483299 8B45 E4 mov eax, dword ptr [ebp-1C]
0048329C BA 88334800 mov edx, 00483388 ; u
004832A1 E8 EA14F8FF call 00404790
004832A6 75 41 jnz short 004832E9
004832A8 8D55 D4 lea edx, dword ptr [ebp-2C]
004832AB 8B83 00030000 mov eax, dword ptr [ebx+300]
004832B1 E8 D238FBFF call 00436B88
004832B6 8B45 D4 mov eax, dword ptr [ebp-2C]
004832B9 8D55 D8 lea edx, dword ptr [ebp-28]
004832BC E8 DF51F8FF call 004084A0
004832C1 8B55 D8 mov edx, dword ptr [ebp-28]
004832C4 B8 94334800 mov eax, 00483394 ; magic.bin
004832C9 E8 FEA4FFFF call 0047D7CC
004832CE A1 149B4800 mov eax, dword ptr [489B14]
004832D3 BA A8334800 mov edx, 004833A8 ; y
004832D8 E8 0B11F8FF call 004043E8
004832DD B8 B4334800 mov eax, 004833B4 ; successfully registered!
004832E2 E8 35D4FAFF call 0043071C
004832E7 EB 22 jmp short 0048330B
004832E9 B8 D8334800 mov eax, 004833D8 ; invalid serialnumber!
004832EE E8 29D4FAFF call 0043071C
004832F3 EB 16 jmp short 0048330B
004832F5 B8 D8334800 mov eax, 004833D8 ; invalid serialnumber!
004832FA E8 1DD4FAFF call 0043071C
004832FF EB 0A jmp short 0048330B
00483301 B8 F8334800 mov eax, 004833F8 ; already registered!
00483306 E8 11D4FAFF call 0043071C
See the three messages above? Analyzing backwards and breaking at 004831CA 55 push ebp, the several calls below it are the algorithm. Because my skill is limited, I could not work it out!! So I won't write it up.
After several days I roughly know this: the software first takes the computer name (first 4 characters), then the machine's MAC address (first 6), and combines them in a certain order to form the username; the username I traced is one "S" short of the one displayed. The serial is handled in much the same way and compared step by step at the end. Beyond that I can't see.
I hope cracking enthusiasts will look into it.
I also hope someone can write a keygen in C++!!
Thanks!! (I will keep studying this software!)