First failure @ third cracking attempt: asking everyone to help analyse this file
Help needed: here is the situation. Today I tried to crack a program called register. I opened the file in W32Dasm and, among the string references, found the error message shown on failure, “错误:请输入有效的序列号” ("Error: please enter a valid serial number"). Double-clicking it to analyse, I found |:00401703(C), :0040170C(C), so I changed both of these jumps to jmp short 0040177A. After running it shows “注册系统成功” ("Registration succeeded"), but it is not actually registered. Could everyone help me analyse this, ideally working out the algorithm.
The registration file has been uploaded as an attachment.
* Possible StringData Ref from Data Obj ->"错误:无效的注册码"
|
:00401750 68AC304000 push 004030AC
:00401755 EB5D jmp 004017B4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040174C(C)
|
:00401757 6801030000 push 00000301
* Possible StringData Ref from Data Obj ->"D:/ELIB/conf/serial"
|
:0040175C 6850304000 push 00403050
* Reference To: MSVCRT._open, Ord:0187h
|
:00401761 FF15F0214000 Call dword ptr
:00401767 8BF0 mov esi, eax
:00401769 83C408 add esp, 00000008
:0040176C 83FEFF cmp esi, FFFFFFFF
:0040176F 7509 jne 0040177A
:00401771 53 push ebx
:00401772 53 push ebx
* Possible StringData Ref from Data Obj ->"错误:注册系统失败"
|
:00401773 6898304000 push 00403098
:00401778 EB3A jmp 004017B4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040176F(C)
|
:0040177A 6A1D push 0000001D
:0040177C 53 push ebx
:0040177D 8D4C2414 lea ecx, dword ptr
* Reference To: MFC42.Ordinal:0B63, Ord:0B63h
|
:00401781 E83C030000 Call 00401AC2
:00401786 50 push eax
:00401787 56 push esi
* Reference To: MSVCRT._write, Ord:0217h
|
:00401788 FF1500224000 Call dword ptr
:0040178E 56 push esi
* Reference To: MSVCRT._close, Ord:00B3h
|
:0040178F FF1508224000 Call dword ptr
:00401795 83C410 add esp, 00000010
:00401798 53 push ebx
:00401799 53 push ebx
* Possible StringData Ref from Data Obj ->"注册系统成功"
|
:0040179A 6888304000 push 00403088
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:0040179F E818030000 Call 00401ABC
:004017A4 8BCF mov ecx, edi
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:004017A6 E80B030000 Call 00401AB6
:004017AB EB0C jmp 004017B9
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401703(C), :0040170C(C)
|
:004017AD 53 push ebx
:004017AE 53 push ebx
* Possible StringData Ref from Data Obj ->"错误:请输入有效的序列号"
|
:004017AF 686C304000 push 0040306C
Plaintext comparison...
00401741 FF15 EC214000 call dword ptr ds:[<&MSVCRT._mbs>; msvcrt._mbscmp // plaintext
00401747 83C4 14 add esp,14
0040174A 85C0 test eax,eax
0040174C 74 09 je short register.00401757
The file is incomplete~~~ I made a memory keygen; see the attachment.
Supplementing the post above: I suspect the original program has been modified!
Details as follows:
00401701 .3BC3 CMP EAX,EBX
00401703 .0F84 A4000000 JE register.004017AD
00401709 .83F8 1D CMP EAX,1D ; check whether it is 29 characters! if so continue, otherwise jump to 004017AD
0040170C .0F8C 9B000000 JL register.004017AD
00401712 .8B15 9C314000 MOV EDX,DWORD PTR DS:
00401718 .A1 A0314000 MOV EAX,DWORD PTR DS:
0040171D .52 PUSH EDX
0040171E .50 PUSH EAX
0040171F .E8 1CFCFFFF CALL register.00401340
00401724 .83C4 08 ADD ESP,8 ; a registration code appears in the registers!
00401727 .8D4C24 10 LEA ECX,DWORD PTR SS:
0040172B .50 PUSH EAX ; still the registration code from above; suspect it may be the real code!
0040172C .68 C0304000 PUSH register.004030C0 ;%s
00401731 .51 PUSH ECX
00401732 .E8 5B030000 CALL <JMP.&MFC42.#2818>
00401737 .8B5424 18 MOV EDX,DWORD PTR SS:
0040173B .8B4424 1C MOV EAX,DWORD PTR SS: ; here the registers show it being compared with the registration code we entered!
0040173F .52 PUSH EDX ; /s2
00401740 .50 PUSH EAX ; |s1
00401741 .FF15 EC214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
00401747 .83C4 14 ADD ESP,14
0040174A .85C0 TEST EAX,EAX
0040174C .74 09 JE SHORT register.00401757
0040174E .53 PUSH EBX
0040174F .53 PUSH EBX
00401750 .68 AC304000 PUSH register.004030AC ;错误:无效的注册码
00401755 .EB 5D JMP SHORT register.004017B4
00401757 >68 01030000 PUSH 301 ; |access = O_WRONLY|O_CREAT|O_TRUNC|SH_COMPAT0
0040175C .68 50304000 PUSH register.00403050 ; |d:/elib/conf/serial
00401761 .FF15 F0214000 CALL DWORD PTR DS:[<&MSVCRT._open>] ; \_open
00401767 .8BF0 MOV ESI,EAX
00401769 .83C4 08 ADD ESP,8
0040176C .83FE FF CMP ESI,-1
0040176F 75 09 JNZ SHORT register.0040177A
00401771 .53 PUSH EBX
00401772 .53 PUSH EBX
00401773 .68 98304000 PUSH register.00403098 ;错误:注册系统失败
00401778 EB 3A JMP SHORT register.004017B4
0040177A >6A 1D PUSH 1D
0040177C .53 PUSH EBX
0040177D .8D4C24 14 LEA ECX,DWORD PTR SS:
00401781 .E8 3C030000 CALL <JMP.&MFC42.#2915>
00401786 .50 PUSH EAX ; |buf
00401787 .56 PUSH ESI ; |handle
00401788 .FF15 00224000 CALL DWORD PTR DS:[<&MSVCRT._write>] ; \_write
0040178E .56 PUSH ESI ; /handle
0040178F .FF15 08224000 CALL DWORD PTR DS:[<&MSVCRT._close>] ; \_close
00401795 .83C4 10 ADD ESP,10
00401798 .53 PUSH EBX
00401799 .53 PUSH EBX
0040179A .68 88304000 PUSH register.00403088 ;注册系统成功
0040179F .E8 18030000 CALL <JMP.&MFC42.#1200>
004017A4 .8BCF MOV ECX,EDI
004017A6 .E8 0B030000 CALL <JMP.&MFC42.#4853>
004017AB .EB 0C JMP SHORT register.004017B9
004017AD >53 PUSH EBX
004017AE .53 PUSH EBX
004017AF .68 6C304000 PUSH register.0040306C ;错误:请输入有效的序列号
004017B4 >E8 03030000 CALL <JMP.&MFC42.#1200>
004017B9 >8D4C24 10 LEA ECX,DWORD PTR SS:
004017BD .885C24 1C MOV BYTE PTR SS:,BL
004017C1 .E8 BA020000 CALL <JMP.&MFC42.#800>
004017C6 .8D4C24 0C LEA ECX,DWORD PTR SS:
004017CA .C74424 1C FFF>MOV DWORD PTR SS:,-1
004017D2 .E8 A9020000 CALL <JMP.&MFC42.#800>
004017D7 .8B4C24 14 MOV ECX,DWORD PTR SS:
004017DB .5F POP EDI
004017DC .5E POP ESI
004017DD .5B POP EBX
004017DE .64:890D 00000>MOV DWORD PTR FS:,ECX
004017E5 .83C4 14 ADD ESP,14
004017E8 .C3 RETN
++++++++++++++++++++++++++++++++++++
The above is a simple analysis; please correct me where I am wrong, bosses. Mao isn't grading homework either, so these couple of days I can only self-study! Heh.
I suspect the following line has been modified: (the poster above can test it: enter the registration code from your keygen and registration definitely won't succeed)
0040176F 75 09 JNZ SHORT register.0040177A // should be: JZ SHORT register.0040177A
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401703(C), :0040170C(C) ////// the error is jumped to from these two places
|
:004017AD 53 push ebx
:004017AE 53 push ebx
* Possible StringData Ref from Data Obj ->"错误:请输入有效的序列号"
|
:004017AF 686C304000 push 0040306C
OK, let's go to 00401703(C) and have a look:
* Reference To: MFC42.Ordinal:0F22, Ord:0F22h
|
:004016F5 E8CE030000 Call 00401AC8 // key call
:004016FA 8B4C240C mov ecx, dword ptr
:004016FE 8B41F8 mov eax, dword ptr
:00401701 3BC3 cmp eax, ebx
:00401703 0F84A4000000 je 004017AD
:00401709 83F81D cmp eax, 0000001D
:0040170C 0F8C9B000000 jl 004017AD
:00401712 8B159C314000 mov edx, dword ptr
:00401718 A1A0314000 mov eax, dword ptr
:0040171D 52 push edx
:0040171E 50 push eax
:0040171F E81CFCFFFF call 00401340 // experts, there is another Call here,
// it is also called from 0040153C and elsewhere; this is where I started to break through
:00401724 83C408 add esp, 00000008
:00401727 8D4C2410 lea ecx, dword ptr
:0040172B 50 push eax
Let's go and look at this call 00401340
* Referenced by a CALL at Addresses:
|:0040153C , :0040171F
|
:00401340 83EC5C sub esp, 0000005C
:00401343 B906000000 mov ecx, 00000006
:00401348 33C0 xor eax, eax
:0040134A 53 push ebx
:0040134B 55 push ebp
:0040134C 56 push esi
:0040134D 57 push edi
* Possible StringData Ref from Data Obj ->"HUAYUITDRNIARMOIDEMLAGOMG"
|
:0040134E BE34304000 mov esi, 00403034
:00401353 8D7C2410 lea edi, dword ptr
:00401357 F3 repz
:00401358 A5 movsd
:00401359 66A5 movsw
:0040135B B907000000 mov ecx, 00000007
:00401360 8D7C242C lea edi, dword ptr
:00401364 F3 repz
:00401365 AB stosd
:00401366 66AB stosw
:00401368 B907000000 mov ecx, 00000007
:0040136D 33C0 xor eax, eax
:0040136F 8D7C244C lea edi, dword ptr
:00401373 8D5C244C lea ebx, dword ptr
:00401377 F3 repz
:00401378 AB stosd
:00401379 8B4C2470 mov ecx, dword ptr
:0040137D 8D6C242C lea ebp, dword ptr
:00401381 66AB stosw
:00401383 8B442474 mov eax, dword ptr
:00401387 8BD0 mov edx, eax
:00401389 2BD1 sub edx, ecx
:0040138B 03C8 add ecx, eax
:0040138D 52 push edx
:0040138E 51 push ecx
//////// middle part omitted
* Reference To: MSVCRT._strdup, Ord:01BFh
|
:00401411 FF150C224000 Call dword ptr
:00401417 83C404 add esp, 00000004
:0040141A 5F pop edi
:0040141B 5E pop esi
:0040141C 5D pop ebp
:0040141D 5B pop ebx
:0040141E 83C45C add esp, 0000005C
:00401421 C3 ret // I'm a newbie and don't understand the algorithm above, but I guess this must
// be where the registration code is returned
Next, load it in OD and set a breakpoint at 00401421.
The registration code did indeed appear in the registers window. Thanks everyone, I learned a lot. /:D /:D
Heh, testing it on its own doesn't succeed; I guess the program is incomplete! The OP only gave part of the program!
wan's answer should be right; if it is a standalone program, it must be a problem with the program itself!
Can someone tell me how to use Liu Jianying's keygen maker (刘健英注册机编写器) to generate an alternative keygen? Mainly I don't know how to fill in the following:
Breakpoint address is "00401421"
[ This post was last edited by 4755 on 2007-1-31 15:37 ]
My memory-patching settings above.
Originally posted by 4755 on 2007-1-31 14:27
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401703(C), :0040170C(C) //////错误是从这两个地方跳转来的
|
:004017AD 53 push ebx
:004017AE ...
Why doesn't it work for me?