Digimizer 5.6: Analysis and Patching
This post was last edited by speedboy on 2021-3-24 18:31.
【Title】: Digimizer 5.6: Analysis and Patching
【Author】: speedboy
【Software】: Digimizer
【Download】:
【Packer】: none
【Language】: Microsoft Visual C++
【Tools】: OllyDbg
【Platform】: Win7
【Description】: A professional image-measurement tool, often used on medical images such as X-rays and micrographs. Digimizer supports precise manual measurement of image content as well as automatic object detection, and it reads many image formats, including JPG, GIF, TIFF, BMP, PNG, WMF and EMF. It can also perform simple image processing: rotation, flipping, stretching, brightness and contrast adjustment, and so on.
【Author's note】: for study and exchange only.
--------------------------------------------------------------------------------
【Walkthrough】
1. Search for "Unlicensed copy". There are two hits; double-click one of them to go to the disassembly.
004243CA push Digimize.00488C24 ;Unlicensed copy
004463CE push Digimize.00488C24 ;Unlicensed copy
2. The two lines above it are a cmp/je test: as long as ds:=0 the jump is taken. So on `cmp byte ptr ds:,0x0` right-click, then Find references, then Address constant.
00424373|> \57 push edi ;Case 110 (WM_INITDIALOG) of switch 0042430A
00424374|.56 push esi
00424375|.FF15 2CF64600 call dword ptr ds:[<&mclib32._CenterDialog@4>] ;mclib32._CenterDialog@4
0042437B|.FF15 28F64600 call dword ptr ds:[<&mclib32._AppIsThemed@0>] ;mclib32._AppIsThemed@0
00424381|.68 1E0D0000 push 0xD1E ; /ControlID = D1E (3358.)
00424386|.56 push esi ; |hWnd = NULL
00424387|.FF15 54F34600 call dword ptr ds:[<&USER32.GetDlgItem>] ; \GetDlgItem
0042438D|.8B3D A4F24600 mov edi,dword ptr ds:[<&USER32.SetDlgItemTextW>] ;user32.SetDlgItemTextW
00424393|.85C0 test eax,eax ;kernel32.BaseThreadInitThunk
00424395|.74 2A je short Digimize.004243C1
00424397|.68 EC8B4800 push Digimize.00488BEC ; /5.6.0
0042439C|.68 F88B4800 push Digimize.00488BF8 ; |Digimizer Version %s
004243A1|.8D85 5CFFFFFF lea eax, ; |
004243A7|.6A 50 push 0x50 ; |Arg2 = 00000050
004243A9|.50 push eax ; |Arg1 = 7518343B
004243AA|.E8 818AFEFF call Digimize.0040CE30 ; \Digimize.0040CE30
004243AF|.83C4 10 add esp,0x10
004243B2|.8D85 5CFFFFFF lea eax,
004243B8|.50 push eax ;kernel32.BaseThreadInitThunk
004243B9|.68 1E0D0000 push 0xD1E
004243BE|.56 push esi
004243BF|.FFD7 call edi
004243C1|>803D 57494900>cmp byte ptr ds:,0x0
004243C8|.74 07 je short Digimize.004243D1
004243CA|.68 248C4800 push Digimize.00488C24 ;Unlicensed copy
004243CF|.EB 05 jmp short Digimize.004243D6
004243D1|>68 F0864A00 push Digimize.004A86F0
004243D6|>68 420D0000 push 0xD42
004243DB|.56 push esi
004243DC|.FFD7 call edi
004243DE|.6A 60 push 0x60
004243E0|.6A 00 push 0x0
004243E2|.6A 00 push 0x0
004243E4|.68 448C4800 push Digimize.00488C44 ;https://www.digimizer.com
004243E9|.68 ED0C0000 push 0xCED
004243EE|.68 ED0C0000 push 0xCED ; /ControlID = CED (3309.)
004243F3|.56 push esi ; |hWnd = NULL
004243F4|.FF15 54F34600 call dword ptr ds:[<&USER32.GetDlgItem>] ; \GetDlgItem
004243FA|.50 push eax ;kernel32.BaseThreadInitThunk
004243FB|.FF15 24F64600 call dword ptr ds:[<&mclib32._urlctrl_set@24>] ;mclib32._urlctrl_set@24
00424401|.5F pop edi ;kernel32.7518344D
00424402|.B8 01000000 mov eax,0x1
00424407|.5E pop esi ;kernel32.7518344D
00424408|.8B4D FC mov ecx,
0042440B|.33CD xor ecx,ebp
0042440D|.E8 9FEA0200 call Digimize.00452EB1
00424412|.8BE5 mov esp,ebp
00424414|.5D pop ebp ;kernel32.7518344D
00424415|.C2 1000 retn 0x10
3. The reference search returns the four entries below. Two of them store zero to the byte; double-click the first one to go to the disassembly.
004243C1 cmp byte ptr ds:,0x0 (initial CPU selection)
0042A743 mov byte ptr ds:,0x0 ds:=01
0042AD43 mov byte ptr ds:,0x0 ds:=01
004463BF cmp byte ptr ds:,0x0 ds:=01
4. Analysis shows that for ds:=0 the jump `je short Digimize.0042A740` must be taken. That line is reached from `jnz short Digimize.0042A70F`, which must also jump, i.e. al=1. Where does al come from? From the call just above it (call Digimize.0042A510); press F7 to step into it.
0042A6A0 .B9 80794A00 mov ecx,Digimize.004A7980 ; |
0042A6A5 .E8 66FEFFFF call Digimize.0042A510 ; \》key call
0042A6AA .83C4 04 add esp,0x4
0042A6AD .84C0 test al,al
0042A6AF .75 5E jnz short Digimize.0042A70F ;》jump
0042A6B1 .3885 5BFDFFFF cmp byte ptr ss:,al
0042A6B7 .74 2B je short Digimize.0042A6E4
0042A6B9 .68 541F0000 push 0x1F54
0042A6BE .68 9C000000 push 0x9C
0042A6C3 .57 push edi
0042A6C4 .FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>] ;mclib32.AlertWindow
0042A6CA .83C4 0C add esp,0xC
0042A6CD .B8 01000000 mov eax,0x1
0042A6D2 .5F pop edi ;kernel32.7518344D
0042A6D3 .5E pop esi ;kernel32.7518344D
0042A6D4 .8B4D FC mov ecx,dword ptr ss:
0042A6D7 .33CD xor ecx,ebp
0042A6D9 .E8 D3870200 call Digimize.00452EB1
0042A6DE .8BE5 mov esp,ebp
0042A6E0 .5D pop ebp ;kernel32.7518344D
0042A6E1 .C2 1000 retn 0x10
0042A6E4 >68 481F0000 push 0x1F48
0042A6E9 .68 9C000000 push 0x9C
0042A6EE .57 push edi
0042A6EF .FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>] ;mclib32.AlertWindow
0042A6F5 .83C4 0C add esp,0xC
0042A6F8 .B8 01000000 mov eax,0x1
0042A6FD .5F pop edi ;kernel32.7518344D
0042A6FE .5E pop esi ;kernel32.7518344D
0042A6FF .8B4D FC mov ecx,dword ptr ss:
0042A702 .33CD xor ecx,ebp
0042A704 .E8 A8870200 call Digimize.00452EB1
0042A709 .8BE5 mov esp,ebp
0042A70B .5D pop ebp ;kernel32.7518344D
0042A70C .C2 1000 retn 0x10
0042A70F >80BD 5BFDFFFF>cmp byte ptr ss:,0x0
0042A716 .74 28 je short Digimize.0042A740 ;》jump
0042A718 .68 541F0000 push 0x1F54
0042A71D .68 9C000000 push 0x9C
0042A722 .57 push edi
0042A723 .FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>] ;mclib32.AlertWindow
0042A729 .83C4 0C add esp,0xC
0042A72C .33C0 xor eax,eax ;kernel32.BaseThreadInitThunk
0042A72E .5F pop edi ;kernel32.7518344D
0042A72F .5E pop esi ;kernel32.7518344D
0042A730 .8B4D FC mov ecx,dword ptr ss:
0042A733 .33CD xor ecx,ebp
0042A735 .E8 77870200 call Digimize.00452EB1
0042A73A .8BE5 mov esp,ebp
0042A73C .5D pop ebp ;kernel32.7518344D
0042A73D .C2 1000 retn 0x10
0042A740 >6A 01 push 0x1 ; /Result = 0x1
0042A742 .57 push edi ; |hWnd = NULL
0042A743 .C605 57494900>mov byte ptr ds:,0x0 ; |
0042A74A .FF15 94F24600 call dword ptr ds:[<&USER32.EndDialog>] ; \EndDialog
5. The instruction at 0042A54D `mov al,0x1` sets al=1, and it is reached through `jnz short Digimize.0042A54C`, so that jump must be taken, i.e. al<>0 at the preceding `test al,al`. That al comes from `call Digimize.0042A100`; press F7 to step into it.
0042A510/$55 push ebp
0042A511|.8BEC mov ebp,esp
0042A513|.51 push ecx
0042A514|.8B45 08 mov eax,
0042A517|.56 push esi ;mclib32.UnicodeToUTF8
0042A518|.57 push edi ;Digimize.004A88F0
0042A519|.50 push eax
0042A51A|.8BF2 mov esi,edx
0042A51C|.C600 00 mov byte ptr ds:,0x0
0042A51F|.8BF9 mov edi,ecx
0042A521|.E8 DAFBFFFF call Digimize.0042A100 ;》key call
0042A526|.83C4 04 add esp,0x4
0042A529|.84C0 test al,al
0042A52B|.75 1F jnz short Digimize.0042A54C ;》jump
0042A52D|.8BD6 mov edx,esi ;mclib32.UnicodeToUTF8
0042A52F|.8BCF mov ecx,edi ;Digimize.004A88F0
0042A531|.E8 1AF8FFFF call Digimize.00429D50
0042A536|.84C0 test al,al
0042A538|.75 12 jnz short Digimize.0042A54C
0042A53A|.8BD6 mov edx,esi ;mclib32.UnicodeToUTF8
0042A53C|.8BCF mov ecx,edi ;Digimize.004A88F0
0042A53E|.E8 1DF4FFFF call Digimize.00429960
0042A543|.84C0 test al,al
0042A545|.75 05 jnz short Digimize.0042A54C
0042A547|.5F pop edi ;Digimize.004A86F0
0042A548|.5E pop esi ;Digimize.004A86F0
0042A549|.59 pop ecx ;Digimize.004A86F0
0042A54A|.5D pop ebp ;Digimize.004A86F0
0042A54B|.C3 retn
0042A54C|>5F pop edi ;Digimize.004A86F0
0042A54D|.B0 01 mov al,0x1
0042A54F|.5E pop esi ;Digimize.004A86F0
0042A550|.59 pop ecx ;Digimize.004A86F0
0042A551|.5D pop ebp ;Digimize.004A86F0
0042A552\.C3 retn
6. Stepping through further, execution arrives at 0042A4F4 `xor al,al`. Changing this instruction so that al<>0 completes the patch.
0042A100 $55 push ebp
0042A101 .8BEC mov ebp,esp
0042A103 .83E4 F8 and esp,0xFFFFFFF8
0042A106 .81EC 44030000 sub esp,0x344
0042A10C .A1 E4404900 mov eax,dword ptr ds:
0042A111 .33C4 xor eax,esp
0042A113 .898424 400300>mov dword ptr ss:,eax
0042A11A .53 push ebx
0042A11B .8B5D 08 mov ebx,dword ptr ss:
0042A11E .8D8424 400200>lea eax,dword ptr ss:
0042A125 .56 push esi ;mclib32.UnicodeToUTF8
0042A126 .8B35 34F64600 mov esi,dword ptr ds:[<&mclib32.UnicodeToUTF8>] ;mclib32.UnicodeToUTF8
0042A12C .57 push edi ;Digimize.004A88F0
0042A12D .68 00010000 push 0x100
0042A132 .50 push eax
0042A133 .51 push ecx
0042A134 .8BFA mov edi,edx
0042A136 .FFD6 call esi ;mclib32.UnicodeToUTF8; <&mclib32.UnicodeToUTF8>
0042A138 .83C4 0C add esp,0xC
0042A13B .8D4424 48 lea eax,dword ptr ss:
0042A13F .68 00010000 push 0x100
0042A144 .50 push eax
0042A145 .57 push edi ;Digimize.004A88F0
0042A146 .FFD6 call esi ;mclib32.UnicodeToUTF8
0042A148 .83C4 0C add esp,0xC
0042A14B .807C24 4D 2Dcmp byte ptr ss:,0x2D
0042A150 .0F85 97030000 jnz Digimize.0042A4ED
0042A156 .807C24 53 2Dcmp byte ptr ss:,0x2D
0042A15B .0F85 8C030000 jnz Digimize.0042A4ED
0042A161 .807C24 59 2Dcmp byte ptr ss:,0x2D
0042A166 .0F85 81030000 jnz Digimize.0042A4ED
0042A16C .807C24 5F 2Dcmp byte ptr ss:,0x2D
0042A171 .0F85 76030000 jnz Digimize.0042A4ED
………………
0042A4ED > \8B8C24 4C0300>mov ecx,dword ptr ss:
0042A4F4 32C0 xor al,al ;》【1】
0042A4F6 .5F pop edi ;Digimize.004A86F0
0042A4F7 .5E pop esi ;Digimize.004A86F0
0042A4F8 .5B pop ebx ;Digimize.004A86F0
0042A4F9 .33CC xor ecx,esp
0042A4FB .E8 B1890200 call Digimize.00452EB1
0042A500 .8BE5 mov esp,ebp
0042A502 .5D pop ebp ;Digimize.004A86F0
0042A503 .C3 retn
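The weakness the walkthrough exploits is a design one: three validators fan into a single byte in al (mov al,1 / xor al,al), which is cached in one global and compared with zero wherever the UI picks between "Unlicensed copy" and the licensed caption. The C below is an added illustration, not Digimizer's code; the key layout is read off the opcode bytes at 0042A14B..0042A171 (cmp [esp+0x4D/0x53/0x59/0x5F],0x2D against a buffer at [esp+0x48], i.e. '-' at key bytes 5, 11, 17, 23), while the total key length, the names g_unlicensed/derive_secret, the FNV/XOR stand-ins and the "DIGI" marker are assumptions. It contrasts the single-flag pattern with one where material derived from the key is needed to decode feature data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key layout from the cmp ...,0x2D checks: bytes 5, 11, 17 and 23 are '-',
   i.e. groups of five. Total length (five groups) is a constructed assumption. */
#define KEY_LEN 29

bool key_has_format(const char *key) {
    if (strlen(key) != KEY_LEN) return false;
    for (size_t i = 0; i < KEY_LEN; i++) {
        bool sep = (i % 6 == 5);                   /* positions 5, 11, 17, 23 */
        if (sep ? key[i] != '-' : key[i] == '-') return false;
    }
    return true;
}

/* Weak pattern from the walkthrough: every validator collapses to one byte in al,
   which is cached in a global and compared with 0 wherever the caption is chosen.
   One flipped branch or one stored byte defeats all of it. */
static uint8_t g_unlicensed = 1;                   /* stands in for the byte at ds:[...] */
void weak_activate(const char *key) { if (key_has_format(key)) g_unlicensed = 0; }
const char *weak_caption(void) { return g_unlicensed ? "Unlicensed copy" : "Licensed"; }

/* Hardened pattern: the key is never reduced to a verdict. Material derived from it
   is required to decode the feature data, so a wrong key yields garbage rather than
   a branch that can be inverted. FNV-1a and XOR are illustrative stand-ins only. */
uint32_t derive_secret(const char *key) {
    uint32_t h = 2166136261u;
    for (; *key; key++) { h ^= (uint8_t)*key; h *= 16777619u; }
    return h;
}
static void xor_stream(uint32_t s, const uint8_t *in, size_t len, uint8_t *out) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ (uint8_t)(s >> ((i % 4) * 8));
}
void encode_feature(const char *key, const uint8_t *plain, size_t len, uint8_t *blob) {
    xor_stream(derive_secret(key), plain, len, blob);   /* done once at activation time */
}
/* Returns true only if the decoded data carries the constructed "DIGI" marker. */
bool decode_feature(const char *key, const uint8_t *blob, size_t len, uint8_t *out) {
    if (!key_has_format(key) || len < 4) return false;
    xor_stream(derive_secret(key), blob, len, out);
    return memcmp(out, "DIGI", 4) == 0;
}
```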
7. Before/after comparison
Nice one, thanks for sharing, bro. Your skills keep getting better!
Thanks for sharing, bro, great stuff.
Bro, you're going too fast, I can't keep up.
Does this software have online verification?
wgz001 posted on 2021-3-25 13:52:
Bro, you're going too fast, I can't keep up.
Does this software have online verification?
Sir, I'm still a newbie {:biggrin:}
{:biggrin:} Awesome, here to learn the approach.
Thanks for sharing, bro.
Following along to learn the approach.