My company recently needed a project involving SMS sending, so I started looking into SMS modem development kits. After searching around I found that this one is quite good, but it requires authorization information. The secondary development kit can be downloaded from: http://www.smsalert.cn/Download/Kingbase_Mobile_SMS_CSharp_DOTNET_SDK_V2.2.rar
I have an SMS modem on hand, but no authorization number for the development kit. The prompt is as follows:
So I wanted to break this restriction.
I have only just started learning cracking; this is the result of learning while following tutorials.
Cracking tool: OD (OllyDbg)
Packer: none (very lucky; what I fear most right now is a packer, since I haven't learned unpacking yet)
Breakpoint: bp GetWindowTextA
Procedure: first I tried searching for the prompt string and could not find it. (Later I learned why: the prompt strings are all in the DLL file.)
I guessed that in order to read the entered authorization number the program would have to call the GetWindowText function, so I tried setting that breakpoint.
Load ModemTools.exe in OD, press F9 to run, then set the breakpoint. After setting it, click the "Connect device" button. The breakpoint hits inside user32. Now press Alt+K to open the call stack.
Go straight to the topmost frame:
00458494 /. 55 PUSH EBP
00458495 |. 8BEC MOV EBP,ESP
00458497 |. B9 05000000 MOV ECX,5
0045849C |> 6A 00 /PUSH 0
0045849E |. 6A 00 |PUSH 0
004584A0 |. 49 |DEC ECX
004584A1 |.^ 75 F9 \JNZ SHORT ModemToo.0045849C
004584A3 |. 51 PUSH ECX
004584A4 |. 53 PUSH EBX
004584A5 |. 8BD8 MOV EBX,EAX
004584A7 |. 33C0 XOR EAX,EAX
004584A9 |. 55 PUSH EBP
004584AA |. 68 B5864500 PUSH ModemToo.004586B5
004584AF |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004584B2 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004584B5 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004584B8 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
004584BE |. E8 9DE6FDFF CALL ModemToo.00436B60
004584C3 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004584C7 |. 75 1D JNZ SHORT ModemToo.004584E6
004584C9 |. B8 CC864500 MOV EAX,ModemToo.004586CC ; 请指定通讯端口!
004584CE |. E8 71F2FCFF CALL ModemToo.00427744
004584D3 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
004584D9 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004584DB |. FF92 C4000000 CALL DWORD PTR DS:[EDX+C4]
004584E1 |. E9 8F010000 JMP ModemToo.00458675
004584E6 |> 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004584E9 |. 8B83 60030000 MOV EAX,DWORD PTR DS:[EBX+360]
004584EF |. E8 6CE6FDFF CALL ModemToo.00436B60
004584F4 |. 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
004584F8 |. 75 1D JNZ SHORT ModemToo.00458517
004584FA |. B8 E8864500 MOV EAX,ModemToo.004586E8 ; 请指定通讯波特率!
004584FF |. E8 40F2FCFF CALL ModemToo.00427744
00458504 |. 8B83 60030000 MOV EAX,DWORD PTR DS:[EBX+360]
0045850A |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0045850C |. FF92 C4000000 CALL DWORD PTR DS:[EDX+C4]
00458512 |. E9 5E010000 JMP ModemToo.00458675
00458517 |> 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0045851A |. 8B83 34030000 MOV EAX,DWORD PTR DS:[EBX+334]
00458520 |. E8 3BE6FDFF CALL ModemToo.00436B60
00458525 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
00458529 |. 75 1D JNZ SHORT ModemToo.00458548
0045852B |. B8 04874500 MOV EAX,ModemToo.00458704 ; 请输入授权号码!
00458530 |. E8 0FF2FCFF CALL ModemToo.00427744
00458535 |. 8B83 34030000 MOV EAX,DWORD PTR DS:[EBX+334]
0045853B |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0045853D |. FF92 C4000000 CALL DWORD PTR DS:[EDX+C4]
00458543 |. E9 2D010000 JMP ModemToo.00458675
00458548 |> BA 20874500 MOV EDX,ModemToo.00458720 ; 正在连接设备,请稍等 ......
0045854D |. 8B83 5C030000 MOV EAX,DWORD PTR DS:[EBX+35C]
00458553 |. E8 38E6FDFF CALL ModemToo.00436B90
00458558 |. BA 32000000 MOV EDX,32
0045855D |. 8B83 54030000 MOV EAX,DWORD PTR DS:[EBX+354]
00458563 |. E8 7418FDFF CALL ModemToo.00429DDC
00458568 |. B8 44874500 MOV EAX,ModemToo.00458744 ; 连接设备: 开始......................................................
0045856D |. E8 0AF6FFFF CALL ModemToo.00457B7C
00458572 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00458575 |. 8B83 34030000 MOV EAX,DWORD PTR DS:[EBX+334]
0045857B |. E8 E0E5FDFF CALL ModemToo.00436B60
00458580 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00458583 |. E8 84BDFAFF CALL <ModemToo.判断授权码是否为空>
00458588 |. 50 PUSH EAX
00458589 |. 6A 00 PUSH 0
0045858B |. 6A 00 PUSH 0
0045858D |. 6A 00 PUSH 0
0045858F |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00458592 |. 8B83 60030000 MOV EAX,DWORD PTR DS:[EBX+360]
00458598 |. E8 C3E5FDFF CALL ModemToo.00436B60
0045859D |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004585A0 |. E8 67BDFAFF CALL <ModemToo.判断授权码是否为空>
004585A5 |. 50 PUSH EAX
004585A6 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004585A9 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
004585AF |. E8 ACE5FDFF CALL ModemToo.00436B60
004585B4 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004585B7 |. E8 50BDFAFF CALL <ModemToo.判断授权码是否为空>
004585BC |. 50 PUSH EAX
004585BD |. E8 8AF5FFFF CALL <JMP.&GSMMultiPort.GSMModemInit> ; initializes the modem; the authorization number is checked during initialization
004585C2 |. 3C 01 CMP AL,1
004585C4 |. 75 0C JNZ SHORT ModemToo.004585D2
004585C6 |. B8 94874500 MOV EAX,ModemToo.00458794 ; gsmmodeminit: 连接成功!
004585CB |. E8 74F1FCFF CALL ModemToo.00427744
004585D0 |. EB 3E JMP SHORT ModemToo.00458610
004585D2 |> 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004585D5 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
004585DB |. E8 80E5FDFF CALL ModemToo.00436B60
004585E0 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004585E3 |. E8 24BDFAFF CALL <ModemToo.判断授权码是否为空>
004585E8 |. 50 PUSH EAX
004585E9 |. E8 66F5FFFF CALL <JMP.&GSMMultiPort.GSMModemGetError>
004585EE |. 8BD0 MOV EDX,EAX
004585F0 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004585F3 |. E8 4CBAFAFF CALL ModemToo.00404044
004585F8 |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
004585FB |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004585FE |. BA B8874500 MOV EDX,ModemToo.004587B8 ; gsmmodeminit: 连接失败:
00458603 |. E8 50BBFAFF CALL ModemToo.00404158
00458608 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0045860B |. E8 34F1FCFF CALL ModemToo.00427744
00458610 |> 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00458613 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
00458619 |. E8 42E5FDFF CALL ModemToo.00436B60
0045861E |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00458621 |. E8 E6BCFAFF CALL <ModemToo.判断授权码是否为空>
00458626 |. 50 PUSH EAX
00458627 |. E8 28F5FFFF CALL <JMP.&GSMMultiPort.GSMModemGetError>
0045862C |. 8BD0 MOV EDX,EAX
0045862E |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00458631 |. E8 0EBAFAFF CALL ModemToo.00404044
00458636 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00458639 |. 8B83 30030000 MOV EAX,DWORD PTR DS:[EBX+330]
0045863F |. E8 4CE5FDFF CALL ModemToo.00436B90
00458644 |. BA D8874500 MOV EDX,ModemToo.004587D8 ; 连接完毕!
00458649 |. 8B83 5C030000 MOV EAX,DWORD PTR DS:[EBX+35C]
0045864F |. E8 3CE5FDFF CALL ModemToo.00436B90
00458654 |. BA 64000000 MOV EDX,64
00458659 |. 8B83 54030000 MOV EAX,DWORD PTR DS:[EBX+354]
0045865F |. E8 7817FDFF CALL ModemToo.00429DDC
00458664 |. B8 EC874500 MOV EAX,ModemToo.004587EC ; 连接设备:......................................................结束
00458669 |. E8 0EF5FFFF CALL ModemToo.00457B7C
0045866E |. 33C0 XOR EAX,EAX
00458670 |. E8 07F5FFFF CALL ModemToo.00457B7C
00458675 |> 33C0 XOR EAX,EAX
00458677 |. 5A POP EDX
00458678 |. 59 POP ECX
00458679 |. 59 POP ECX
0045867A |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0045867D |. 68 BC864500 PUSH ModemToo.004586BC
00458682 |> 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00458685 |. E8 C2B7FAFF CALL ModemToo.00403E4C
0045868A |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0045868D |. E8 BAB7FAFF CALL ModemToo.00403E4C
00458692 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00458695 |. E8 B2B7FAFF CALL ModemToo.00403E4C
0045869A |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0045869D |. BA 02000000 MOV EDX,2
004586A2 |. E8 C9B7FAFF CALL ModemToo.00403E70
004586A7 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004586AA |. BA 06000000 MOV EDX,6
004586AF |. E8 BCB7FAFF CALL ModemToo.00403E70
004586B4 \. C3 RETN
One look at the comments beside it and I knew this was exactly the place I was looking for. Then I started single-stepping and finally found the place where the registration code is verified.
The algorithm that verifies the registration code:
10061610 55 PUSH EBP
10061611 8BEC MOV EBP,ESP
10061613 6A FF PUSH -1
10061615 68 8BDD0F10 PUSH GSMMulti.100FDD8B
1006161A 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
10061620 50 PUSH EAX
10061621 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
10061628 51 PUSH ECX
10061629 81EC D8010000 SUB ESP,1D8
1006162F 53 PUSH EBX
10061630 56 PUSH ESI
10061631 57 PUSH EDI
10061632 8DBD 18FEFFFF LEA EDI,DWORD PTR SS:[EBP-1E8]
10061638 B9 76000000 MOV ECX,76
1006163D B8 CCCCCCCC MOV EAX,CCCCCCCC
10061642 F3:AB REP STOS DWORD PTR ES:[EDI]
10061644 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
10061647 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
1006164E 68 912C1510 PUSH GSMMulti.10152C91
10061653 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
10061656 69C9 AC010000 IMUL ECX,ECX,1AC
1006165C 81C1 D0A01610 ADD ECX,GSMMulti.1016A0D0
10061662 E8 3C79FFFF CALL GSMMulti.10058FA3
10061667 68 80000000 PUSH 80
1006166C 6A 00 PUSH 0
1006166E 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
10061674 50 PUSH EAX
10061675 E8 0377FFFF CALL GSMMulti.10058D7D
1006167A 83C4 0C ADD ESP,0C
1006167D 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
10061683 50 PUSH EAX
10061684 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
10061687 51 PUSH ECX
10061688 E8 F85FFFFF CALL GSMMulti.10057685
1006168D 83C4 08 ADD ESP,8
10061690 8985 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EAX
10061696 83BD 1CFEFFFF 0>CMP DWORD PTR SS:[EBP-1E4],0
1006169D 75 07 JNZ SHORT GSMMulti.100616A6
1006169F 32C0 XOR AL,AL
100616A1 E9 43020000 JMP GSMMulti.100618E9
100616A6 6A 14 PUSH 14
100616A8 6A 00 PUSH 0
100616AA 8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
100616B0 50 PUSH EAX
100616B1 E8 C776FFFF CALL GSMMulti.10058D7D
100616B6 83C4 0C ADD ESP,0C
100616B9 6A 01 PUSH 1
100616BB 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
100616C1 50 PUSH EAX
100616C2 E8 7B57FFFF CALL <GSMMulti.变换算法>
100616C7 83C4 08 ADD ESP,8
100616CA 8985 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EAX
100616D0 8B8D 1CFEFFFF MOV ECX,DWORD PTR SS:[EBP-1E4]
100616D6 898D 44FFFFFF MOV DWORD PTR SS:[EBP-BC],ECX
100616DC 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
100616E2 50 PUSH EAX
100616E3 68 8C2D1510 PUSH GSMMulti.10152D8C ; ASCII "%s"
100616E8 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
100616EE 51 PUSH ECX
100616EF E8 6964FFFF CALL GSMMulti.10057B5D
100616F4 83C4 0C ADD ESP,0C
100616F7 83BD 44FFFFFF 0>CMP DWORD PTR SS:[EBP-BC],0
100616FE 74 1B JE SHORT GSMMulti.1006171B
10061700 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
10061706 8985 24FEFFFF MOV DWORD PTR SS:[EBP-1DC],EAX
1006170C 8B8D 24FEFFFF MOV ECX,DWORD PTR SS:[EBP-1DC]
10061712 51 PUSH ECX
10061713 E8 6D50FFFF CALL GSMMulti.10056785
10061718 83C4 04 ADD ESP,4
1006171B 6A 02 PUSH 2
1006171D 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
10061723 50 PUSH EAX
10061724 E8 1957FFFF CALL <GSMMulti.变换算法>
10061729 83C4 08 ADD ESP,8
1006172C 8985 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EAX
10061732 8B8D 1CFEFFFF MOV ECX,DWORD PTR SS:[EBP-1E4]
10061738 898D 44FFFFFF MOV DWORD PTR SS:[EBP-BC],ECX
1006173E 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
10061744 50 PUSH EAX
10061745 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
1006174B 51 PUSH ECX
1006174C 68 842D1510 PUSH GSMMulti.10152D84 ; ASCII "%s-%s"
10061751 8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
10061757 52 PUSH EDX
10061758 E8 0064FFFF CALL GSMMulti.10057B5D
1006175D 83C4 10 ADD ESP,10
10061760 83BD 44FFFFFF 0>CMP DWORD PTR SS:[EBP-BC],0
10061767 74 1B JE SHORT GSMMulti.10061784
10061769 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
1006176F 8985 30FEFFFF MOV DWORD PTR SS:[EBP-1D0],EAX
10061775 8B8D 30FEFFFF MOV ECX,DWORD PTR SS:[EBP-1D0]
1006177B 51 PUSH ECX
1006177C E8 0450FFFF CALL GSMMulti.10056785
10061781 83C4 04 ADD ESP,4
10061784 6A 03 PUSH 3
10061786 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
1006178C 50 PUSH EAX
1006178D E8 B056FFFF CALL <GSMMulti.变换算法>
10061792 83C4 08 ADD ESP,8
10061795 8985 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EAX
1006179B 8B8D 1CFEFFFF MOV ECX,DWORD PTR SS:[EBP-1E4]
100617A1 898D 44FFFFFF MOV DWORD PTR SS:[EBP-BC],ECX
100617A7 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
100617AD 50 PUSH EAX
100617AE 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
100617B4 51 PUSH ECX
100617B5 68 842D1510 PUSH GSMMulti.10152D84 ; ASCII "%s-%s"
100617BA 8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
100617C0 52 PUSH EDX
100617C1 E8 9763FFFF CALL GSMMulti.10057B5D
100617C6 83C4 10 ADD ESP,10
100617C9 83BD 44FFFFFF 0>CMP DWORD PTR SS:[EBP-BC],0
100617D0 74 1B JE SHORT GSMMulti.100617ED
100617D2 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
100617D8 8985 3CFEFFFF MOV DWORD PTR SS:[EBP-1C4],EAX
100617DE 8B8D 3CFEFFFF MOV ECX,DWORD PTR SS:[EBP-1C4]
100617E4 51 PUSH ECX
100617E5 E8 9B4FFFFF CALL GSMMulti.10056785
100617EA 83C4 04 ADD ESP,4
100617ED 6A 04 PUSH 4
100617EF 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
100617F5 50 PUSH EAX
100617F6 E8 4756FFFF CALL <GSMMulti.变换算法>
100617FB 83C4 08 ADD ESP,8
100617FE 8985 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EAX
10061804 8B8D 1CFEFFFF MOV ECX,DWORD PTR SS:[EBP-1E4]
1006180A 898D 44FFFFFF MOV DWORD PTR SS:[EBP-BC],ECX
10061810 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
10061816 50 PUSH EAX
10061817 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0]
1006181D 51 PUSH ECX
1006181E 68 842D1510 PUSH GSMMulti.10152D84 ; ASCII "%s-%s"
10061823 8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
10061829 52 PUSH EDX
1006182A E8 2E63FFFF CALL GSMMulti.10057B5D
1006182F 83C4 10 ADD ESP,10
10061832 83BD 44FFFFFF 0>CMP DWORD PTR SS:[EBP-BC],0
10061839 74 1B JE SHORT GSMMulti.10061856
1006183B 8B85 44FFFFFF MOV EAX,DWORD PTR SS:[EBP-BC]
10061841 8985 48FEFFFF MOV DWORD PTR SS:[EBP-1B8],EAX
10061847 8B8D 48FEFFFF MOV ECX,DWORD PTR SS:[EBP-1B8]
1006184D 51 PUSH ECX
1006184E E8 324FFFFF CALL GSMMulti.10056785
10061853 83C4 04 ADD ESP,4
10061856 8D85 50FFFFFF LEA EAX,DWORD PTR SS:[EBP-B0]
1006185C 50 PUSH EAX
1006185D 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
10061860 51 PUSH ECX ; the correct registration number can be seen here. Watch the register window: EAX points to the correct registration code.
10061861 E8 6F77FFFF CALL GSMMulti.10058FD5 ; compares whether the registration number is correct
10061866 83C4 08 ADD ESP,8
10061869 85C0 TEST EAX,EAX
1006186B 75 04 JNZ SHORT GSMMulti.10061871 ; for a patch this can be modified; NOPing it should be enough.
1006186D B0 01 MOV AL,1
1006186F EB 78 JMP SHORT GSMMulti.100618E9
10061871 EB 6D JMP SHORT GSMMulti.100618E0
10061873 8BF4 MOV ESI,ESP
10061875 8B85 38FFFFFF MOV EAX,DWORD PTR SS:[EBP-C8]
1006187B 8B10 MOV EDX,DWORD PTR DS:[EAX]
1006187D 8B8D 38FFFFFF MOV ECX,DWORD PTR SS:[EBP-C8]
10061883 FF52 04 CALL DWORD PTR DS:[EDX+4]
10061886 3BF4 CMP ESI,ESP
10061888 E8 3661FFFF CALL GSMMulti.100579C3
1006188D 50 PUSH EAX
1006188E 68 682D1510 PUSH GSMMulti.10152D68 ; ASCII "ModemCheck[ERROR]: %s"
10061893 8D85 54FEFFFF LEA EAX,DWORD PTR SS:[EBP-1AC]
10061899 50 PUSH EAX
1006189A E8 2948FFFF CALL GSMMulti.100560C8
1006189F 83C4 0C ADD ESP,0C
100618A2 8985 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EAX
100618A8 8B8D 1CFEFFFF MOV ECX,DWORD PTR SS:[EBP-1E4]
100618AE 898D 18FEFFFF MOV DWORD PTR SS:[EBP-1E8],ECX
100618B4 C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
100618B8 8B95 18FEFFFF MOV EDX,DWORD PTR SS:[EBP-1E8]
100618BE 52 PUSH EDX
100618BF B9 404B1810 MOV ECX,GSMMulti.10184B40
100618C4 E8 C775FFFF CALL GSMMulti.10058E90
100618C9 C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
100618CD 8D8D 54FEFFFF LEA ECX,DWORD PTR SS:[EBP-1AC]
100618D3 E8 CE5FFFFF CALL GSMMulti.100578A6
100618D8 B8 DE180610 MOV EAX,GSMMulti.100618DE
100618DD C3 RETN
100618DE EB 07 JMP SHORT GSMMulti.100618E7
100618E0 C745 FC FFFFFFF>MOV DWORD PTR SS:[EBP-4],-1
100618E7 32C0 XOR AL,AL
100618E9 52 PUSH EDX
100618EA 8BCD MOV ECX,EBP
100618EC 50 PUSH EAX
100618ED 8D15 18190610 LEA EDX,DWORD PTR DS:[10061918]
100618F3 E8 4C4EFFFF CALL GSMMulti.10056744
100618F8 58 POP EAX
100618F9 5A POP EDX
100618FA 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
100618FD 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
10061904 5F POP EDI
10061905 5E POP ESI
10061906 5B POP EBX
10061907 81C4 E8010000 ADD ESP,1E8
1006190D 3BEC CMP EBP,ESP
1006190F E8 AF60FFFF CALL GSMMulti.100579C3
10061914 8BE5 MOV ESP,EBP
10061916 5D POP EBP
10061917 C3 RETN
The correct registration code was already found during the tracing above.
Done!
The code below is what computes the correct registration code. The transform algorithm:
10060F00 55 PUSH EBP ; this is the transform algorithm
10060F01 8BEC MOV EBP,ESP
10060F03 81EC 98010000 SUB ESP,198
10060F09 53 PUSH EBX
10060F0A 56 PUSH ESI
10060F0B 57 PUSH EDI
10060F0C 8DBD 68FEFFFF LEA EDI,DWORD PTR SS:[EBP-198]
10060F12 B9 66000000 MOV ECX,66
10060F17 B8 CCCCCCCC MOV EAX,CCCCCCCC
10060F1C F3:AB REP STOS DWORD PTR ES:[EDI]
10060F1E C745 F8 2C2D151>MOV DWORD PTR SS:[EBP-8],GSMMulti.10152D>; ASCII "QWERTYUIOPASDFGHJKLZXCVBNM0123456789"
10060F25 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
10060F28 50 PUSH EAX
10060F29 E8 7A80FFFF CALL GSMMulti.10058FA8
10060F2E 83C4 04 ADD ESP,4
10060F31 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
10060F34 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
10060F37 C1E0 02 SHL EAX,2
10060F3A 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
10060F3D C745 D4 0000000>MOV DWORD PTR SS:[EBP-2C],0
10060F44 C745 C8 0000000>MOV DWORD PTR SS:[EBP-38],0
10060F4B 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
10060F4E 2B45 EC SUB EAX,DWORD PTR SS:[EBP-14]
10060F51 85C0 TEST EAX,EAX
10060F53 7E 7B JLE SHORT GSMMulti.10060FD0
10060F55 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
10060F58 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
10060F5B 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
10060F5E 83C0 01 ADD EAX,1
10060F61 50 PUSH EAX
10060F62 E8 5080FFFF CALL GSMMulti.10058FB7
10060F67 83C4 04 ADD ESP,4
10060F6A 8985 6CFEFFFF MOV DWORD PTR SS:[EBP-194],EAX
10060F70 8B8D 6CFEFFFF MOV ECX,DWORD PTR SS:[EBP-194]
10060F76 894D C8 MOV DWORD PTR SS:[EBP-38],ECX
10060F79 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
10060F7C 83C0 01 ADD EAX,1
10060F7F 50 PUSH EAX
10060F80 6A 00 PUSH 0
10060F82 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
10060F85 51 PUSH ECX
10060F86 E8 F27DFFFF CALL GSMMulti.10058D7D
10060F8B 83C4 0C ADD ESP,0C
10060F8E 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
10060F91 50 PUSH EAX
10060F92 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
10060F95 51 PUSH ECX
10060F96 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
10060F99 52 PUSH EDX
10060F9A E8 4463FFFF CALL GSMMulti.100572E3
10060F9F 83C4 0C ADD ESP,0C
10060FA2 C745 BC 0000000>MOV DWORD PTR SS:[EBP-44],0
10060FA9 EB 09 JMP SHORT GSMMulti.10060FB4
10060FAB 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
10060FAE 83C0 01 ADD EAX,1
10060FB1 8945 BC MOV DWORD PTR SS:[EBP-44],EAX
10060FB4 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
10060FB7 2B45 EC SUB EAX,DWORD PTR SS:[EBP-14]
10060FBA 3945 BC CMP DWORD PTR SS:[EBP-44],EAX
10060FBD 7D 0F JGE SHORT GSMMulti.10060FCE
10060FBF 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
10060FC2 0345 BC ADD EAX,DWORD PTR SS:[EBP-44]
10060FC5 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
10060FC8 C60401 30 MOV BYTE PTR DS:[ECX+EAX],30
10060FCC ^ EB DD JMP SHORT GSMMulti.10060FAB
10060FCE EB 4D JMP SHORT GSMMulti.1006101D
10060FD0 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
10060FD3 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
10060FD6 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
10060FD9 83C0 01 ADD EAX,1
10060FDC 50 PUSH EAX
10060FDD E8 D57FFFFF CALL GSMMulti.10058FB7
10060FE2 83C4 04 ADD ESP,4
10060FE5 8985 78FEFFFF MOV DWORD PTR SS:[EBP-188],EAX
10060FEB 8B8D 78FEFFFF MOV ECX,DWORD PTR SS:[EBP-188]
10060FF1 894D C8 MOV DWORD PTR SS:[EBP-38],ECX
10060FF4 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
10060FF7 83C0 01 ADD EAX,1
10060FFA 50 PUSH EAX
10060FFB 6A 00 PUSH 0
10060FFD 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
10061000 51 PUSH ECX
10061001 E8 777DFFFF CALL GSMMulti.10058D7D
10061006 83C4 0C ADD ESP,0C
10061009 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
1006100C 50 PUSH EAX
1006100D 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
10061010 51 PUSH ECX
10061011 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
10061014 52 PUSH EDX
10061015 E8 C962FFFF CALL GSMMulti.100572E3
1006101A 83C4 0C ADD ESP,0C
1006101D 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
10061020 83C0 01 ADD EAX,1
10061023 50 PUSH EAX
10061024 E8 8E7FFFFF CALL GSMMulti.10058FB7
10061029 83C4 04 ADD ESP,4
1006102C 8985 84FEFFFF MOV DWORD PTR SS:[EBP-17C],EAX
10061032 8B8D 84FEFFFF MOV ECX,DWORD PTR SS:[EBP-17C]
10061038 894D B0 MOV DWORD PTR SS:[EBP-50],ECX
1006103B 6A 05 PUSH 5
1006103D E8 757FFFFF CALL GSMMulti.10058FB7
10061042 83C4 04 ADD ESP,4
10061045 8985 90FEFFFF MOV DWORD PTR SS:[EBP-170],EAX
1006104B 8B85 90FEFFFF MOV EAX,DWORD PTR SS:[EBP-170]
10061051 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
10061054 C745 98 0000000>MOV DWORD PTR SS:[EBP-68],0
1006105B 6A 05 PUSH 5
1006105D 6A 00 PUSH 0
1006105F 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
10061062 50 PUSH EAX
10061063 E8 157DFFFF CALL GSMMulti.10058D7D
10061068 83C4 0C ADD ESP,0C
1006106B C745 8C 0000000>MOV DWORD PTR SS:[EBP-74],0
10061072 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
10061075 3B45 D4 CMP EAX,DWORD PTR SS:[EBP-2C]
10061078 0F8D 91000000 JGE GSMMulti.1006110F
1006107E 837D 98 04 CMP DWORD PTR SS:[EBP-68],4
10061082 7C 05 JL SHORT GSMMulti.10061089
10061084 E9 86000000 JMP GSMMulti.1006110F
10061089 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
1006108C 83C0 01 ADD EAX,1
1006108F 50 PUSH EAX
10061090 6A 00 PUSH 0
10061092 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
10061095 51 PUSH ECX
10061096 E8 E27CFFFF CALL GSMMulti.10058D7D
1006109B 83C4 0C ADD ESP,0C
1006109E C745 80 0000000>MOV DWORD PTR SS:[EBP-80],0
100610A5 EB 09 JMP SHORT GSMMulti.100610B0
100610A7 8B45 80 MOV EAX,DWORD PTR SS:[EBP-80]
100610AA 83C0 01 ADD EAX,1
100610AD 8945 80 MOV DWORD PTR SS:[EBP-80],EAX
100610B0 8B45 80 MOV EAX,DWORD PTR SS:[EBP-80]
100610B3 3B45 0C CMP EAX,DWORD PTR SS:[EBP+C]
100610B6 7D 1B JGE SHORT GSMMulti.100610D3
100610B8 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
100610BB 0345 80 ADD EAX,DWORD PTR SS:[EBP-80]
100610BE 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
100610C1 034D 8C ADD ECX,DWORD PTR SS:[EBP-74]
100610C4 8A11 MOV DL,BYTE PTR DS:[ECX]
100610C6 8810 MOV BYTE PTR DS:[EAX],DL
100610C8 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
100610CB 83C0 01 ADD EAX,1
100610CE 8945 8C MOV DWORD PTR SS:[EBP-74],EAX
100610D1 ^ EB D4 JMP SHORT GSMMulti.100610A7
100610D3 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
100610D6 50 PUSH EAX
100610D7 E8 787DFFFF CALL GSMMulti.10058E54
100610DC 83C4 04 ADD ESP,4
100610DF 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
100610E5 8B85 74FFFFFF MOV EAX,DWORD PTR SS:[EBP-8C]
100610EB 99 CDQ
100610EC B9 19000000 MOV ECX,19
100610F1 F7F9 IDIV ECX
100610F3 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
100610F6 0345 98 ADD EAX,DWORD PTR SS:[EBP-68]
100610F9 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
100610FC 8A1411 MOV DL,BYTE PTR DS:[ECX+EDX]
100610FF 8810 MOV BYTE PTR DS:[EAX],DL
10061101 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68]
10061104 83C0 01 ADD EAX,1
10061107 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
1006110A ^ E9 63FFFFFF JMP GSMMulti.10061072
1006110F 837D B0 00 CMP DWORD PTR SS:[EBP-50],0
10061113 74 18 JE SHORT GSMMulti.1006112D
10061115 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
10061118 8985 9CFEFFFF MOV DWORD PTR SS:[EBP-164],EAX
1006111E 8B8D 9CFEFFFF MOV ECX,DWORD PTR SS:[EBP-164]
10061124 51 PUSH ECX
10061125 E8 5B56FFFF CALL GSMMulti.10056785
1006112A 83C4 04 ADD ESP,4
1006112D 837D C8 00 CMP DWORD PTR SS:[EBP-38],0
10061131 74 18 JE SHORT GSMMulti.1006114B
10061133 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
10061136 8985 A8FEFFFF MOV DWORD PTR SS:[EBP-158],EAX
1006113C 8B8D A8FEFFFF MOV ECX,DWORD PTR SS:[EBP-158]
10061142 51 PUSH ECX
10061143 E8 3D56FFFF CALL GSMMulti.10056785
10061148 83C4 04 ADD ESP,4
1006114B 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
1006114E 5F POP EDI
1006114F 5E POP ESI
10061150 5B POP EBX
10061151 81C4 98010000 ADD ESP,198
10061157 3BEC CMP EBP,ESP
10061159 E8 6568FFFF CALL GSMMulti.100579C3
1006115E 8BE5 MOV ESP,EBP
10061160 5D POP EBP
10061161 C3 RETN
The registration code seems to be related to some serial number of the GSM modem. I'm not yet familiar with assembly, so I won't write a keygen for now.
My first crack, and it seemed quite easy. That may be because this software's protection itself is too simple, heh. Still, it gave me a lot of confidence, and I hope to make more progress in future.
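To put the finding above on the defender's side, here is an added example (not the page's or the vendor's code) contrasting the pattern seen at 10061856..1006186B, where the client derives the expected code itself and then compares it, with a design in which the client holds only a verification key. weakDerive is a hypothetical stand-in and not the page's 变换算法, and sampleSerial is a constructed value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base32"
	"fmt"
	"strings"
)

// Constructed sample modem serial (IMEI-shaped, not a real device).
const sampleSerial = "356938035643809"

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// weakDerive is a hypothetical stand-in for a client-side transform: a
// deterministic function of the modem serial that yields four 5-character
// groups joined with "-". It is NOT the vendor's transform from the page.
func weakDerive(serial string) string {
	const alphabet = "QWERTYUIOPASDFGHJKLZXCVBNM0123456789"
	parts := make([]string, 4)
	for i := range parts {
		var sb strings.Builder
		for j := 0; j < 5; j++ {
			c := int(serial[(i*5+j)%len(serial)]) + i*7 + j
			sb.WriteByte(alphabet[c%len(alphabet)])
		}
		parts[i] = sb.String()
	}
	return strings.Join(parts, "-")
}

// weakCheck mirrors the checked-in-client pattern: the client computes the
// expected code itself, so the plaintext code exists in memory right before
// the compare and the whole derivation ships inside a DLL anyone can debug.
func weakCheck(serial, entered string) bool {
	expected := weakDerive(serial)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(entered)) == 1
}

// Vendor holds the signing key, which never leaves the vendor's side.
type Vendor struct{ priv ed25519.PrivateKey }

// NewVendor generates a key pair; only the public half is embedded in the client.
func NewVendor() (Vendor, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Vendor{priv}, pub
}

// Issue binds a license to one serial by signing it; the code the user types
// in is the base32-encoded signature.
func (v Vendor) Issue(serial string) string {
	return b32.EncodeToString(ed25519.Sign(v.priv, []byte("modem-license:"+serial)))
}

// strongCheck holds only the public key: there is no transform to lift from
// the client and no correct code to read out of a register before the compare.
func strongCheck(pub ed25519.PublicKey, serial, entered string) bool {
	sig, err := b32.DecodeString(entered)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte("modem-license:"+serial), sig)
}

func main() {
	v, pub := NewVendor()
	lic := v.Issue(sampleSerial)
	fmt.Println("weak, code derived inside client:", weakCheck(sampleSerial, weakDerive(sampleSerial)))
	fmt.Println("strong, vendor-issued license:   ", strongCheck(pub, sampleSerial, lic))
	fmt.Println("strong, same license, other unit:", strongCheck(pub, "356938035643810", lic))
}
```

Neither design stops someone from patching the final branch; the signature only removes the key-derivation secret from the client, so whatever the check gates should be something a patched client cannot supply on its own.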