Light Image Resizer v6.1.9.0: a brief analysis
Last edited by speedboy on 2023-11-10 21:36. The program is 32-bit (its prompt strings are stored encrypted) and was built with Delphi, and Delphi programs have a very recognizable shape, so we start from a specific string.
1. Load the program in OllyDbg and step over with F8 until the program starts running; note which Call started it, set a breakpoint on that Call, reload with Ctrl+F2, press F9 to run to the breakpoint, then F7 to step into it.
2. In the disassembly pane, right-click, then Chinese search (the string-search plugin), then Smart search, to get the list of strings; searching the list for "trial" turns up "TfrmTrial.Execute Begin", which is clearly the trial-dialog prompt.
3. Double-click it to land in the disassembly, scroll up to the start of the routine, and check where it is called from.
010DFA9C  55              push ebp
010DFA9D  8BEC            mov ebp,esp
010DFA9F  51              push ecx
010DFAA0  B9 0E000000     mov ecx,0xE
010DFAA5  6A 00           push 0x0
010DFAA7  6A 00           push 0x0
010DFAA9  49              dec ecx
010DFAAA  75 F9           jnz short Resize.010DFAA5
010DFAAC  51              push ecx
010DFAAD  874D FC         xchg dword ptr ss:[ebp-0x4],ecx
010DFAB0  53              push ebx
010DFAB1  56              push esi
010DFAB2  57              push edi
010DFAB3  884D FB         mov byte ptr ss:[ebp-0x5],cl
010DFAB6  8955 FC         mov dword ptr ss:[ebp-0x4],edx
010DFAB9  8BF0            mov esi,eax
010DFABB  33C0            xor eax,eax
010DFABD  55              push ebp
010DFABE  68 5CFE0D01     push Resize.010DFE5C
010DFAC3  64:FF30         push dword ptr fs:[eax]
010DFAC6  64:8920         mov dword ptr fs:[eax],esp
010DFAC9  B8 78FE0D01     mov eax,Resize.010DFE78        ; "TfrmTrial.Execute Begin"
010DFACE  E8 199EBEFF     call Resize.00CC98EC
The Delphi register calling convention passes Self in eax and the first two arguments in edx and ecx, which matches the prologue above (esi = eax, [ebp-4] = edx, [ebp-5] = cl): the routine receives the form object plus an integer and a byte. Find references on 010DFA9C shows two callers, 011BA435 and 011C5623; each is analysed in turn.
[At 011BA435]:
011BA3F1  80B8 35090000 00        cmp byte ptr ds:[eax+0x935],0x0
011BA3F8  74 40                   je short Resize.011BA43A
011BA3FA  E8 A5FCB0FF             call Resize.00CCA0A4
011BA3FF  D1F8                    sar eax,1
011BA401  79 03                   jns short Resize.011BA406
011BA403  83D0 00                 adc eax,0x0
011BA406  83F8 03                 cmp eax,0x3
011BA409  7F 05                   jg short Resize.011BA410
011BA40B  B8 03000000             mov eax,0x3
011BA410  83F8 14                 cmp eax,0x14
011BA413  7D 08                   jge short Resize.011BA41D
011BA415  8985 D8FDFFFF           mov dword ptr ss:[ebp-0x228],eax
011BA41B  EB 0A                   jmp short Resize.011BA427
011BA41D  C785 D8FDFFFF 14000000  mov dword ptr ss:[ebp-0x228],0x14
011BA427  8BCB                    mov ecx,ebx
011BA429  8B95 D8FDFFFF           mov edx,dword ptr ss:[ebp-0x228]
011BA42F  8B85 FCFDFFFF           mov eax,dword ptr ss:[ebp-0x204]
011BA435  E8 6256F2FF             call Resize.010DFA9C          ; calls the trial form (edx = clamped value, cl = bl)
011BA43A  33C0                    xor eax,eax
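The sequence between the call to Resize.00CCA0A4 and the call to the trial form is a compiler idiom worth recognizing: sar eax,1 / jns / adc eax,0 is how the Delphi compiler emits a signed x div 2 (the arithmetic shift rounds toward minus infinity, and the adc adds back the shifted-out bit for negative values so the result truncates toward zero), and the two compares then clamp the result to the range 3..0x14 before it goes to the form in edx. The following Python is an added reconstruction written for this page, not code from the original post; what the value returned by Resize.00CCA0A4 represents is not established on the page, so it is treated here as an opaque 32-bit integer called raw, and the sample inputs are constructed.

```python
MASK32 = 0xFFFFFFFF


def to_signed32(x: int) -> int:
    """Interpret a 32-bit register value as a signed integer."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def div2_trunc(eax: int) -> int:
    """Emulate 'sar eax,1 / jns skip / adc eax,0' bit by bit.

    sar shifts the low bit out into CF and rounds toward minus infinity;
    when the sign flag is set, jns is not taken and adc adds CF back, so a
    negative odd value rounds toward zero instead.  That is Delphi's x div 2.
    """
    eax &= MASK32
    cf = eax & 1                        # bit shifted out by sar
    sign = eax >> 31
    eax = (eax >> 1) | (sign << 31)     # arithmetic shift right by 1
    if sign:                            # SF set, so jns falls through
        eax = (eax + cf) & MASK32       # adc eax,0
    return to_signed32(eax)


def trial_form_argument(raw: int) -> int:
    """Value stored at [ebp-0x228] and passed in edx to Resize.010DFA9C.

    cmp eax,0x3  / jg  : anything not greater than 3 becomes 3
    cmp eax,0x14 / jge : anything at or above 0x14 becomes 0x14
    The meaning of raw (the result of Resize.00CCA0A4) is an assumption
    left open; it is just the 32-bit integer the call returned in eax.
    """
    eax = div2_trunc(raw)
    if eax <= 3:            # jg not taken -> mov eax,0x3
        eax = 3
    if eax >= 0x14:         # jge taken -> store 0x14
        return 0x14
    return eax              # store eax unchanged


if __name__ == "__main__":
    # Constructed sample inputs: the truncation fix-up, both clamp edges,
    # and the pass-through middle of the range.
    for raw in (-5, -4, -1, 0, 7, 9, 39, 40, 41, 0x7FFFFFFF):
        print(f"raw={raw:>11}  div2={div2_trunc(raw):>11}  edx={trial_form_argument(raw)}")
```

Running the block shows why the adc is there: -5 gives -2 rather than the -3 a plain shift would produce, and every value the form can receive lands in 3..20 regardless of what Resize.00CCA0A4 returned.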
[At 011C5623]:
011C5613  80B8 35090000 00   cmp byte ptr ds:[eax+0x935],0x0
011C561A  74 1A              je short Resize.011C5636
011C561C  33C9               xor ecx,ecx
011C561E  33D2               xor edx,edx
011C5620  8B45 D4            mov eax,dword ptr ss:[ebp-0x2C]
011C5623  E8 74A4F1FF        call Resize.010DFA9C          ; calls the trial form with edx = 0, cl = 0
011C5628  84C0               test al,al                    ; al = the form's return value
011C562A  75 0A              jnz short Resize.011C5636
011C562C  E8 C72824FF        call Resize.00407EF8
011C5631  E9 EA240000        jmp Resize.011C7B20
011C5636  33C0               xor eax,eax
Both sites have a je guarded by the same compare, cmp byte ptr ds:[eax+0x935],0x0: when [eax+0x935] = 0 the je is taken and the trial form is skipped; when it is non-zero the je falls through and the prompt appears. That gives the basic plan: find where [eax+0x935] is assigned a non-zero value.
4. Right-click the cmp byte ptr ds:[eax+0x935],0x0 line, then Find references, then Address constant. This lists every instruction that uses the constant 0x935. The listing as posted omits the base register of each operand; reg below stands for whichever register holds the object pointer at that site, and the three sites already seen use eax:
00CCD22C  cmp byte ptr ds:[reg+0x935],0x0
00F63CD0  cmp byte ptr ds:[reg+0x935],0x0
011AF79D  movzx edx,byte ptr ds:[reg+0x935]
011BA110  cmp byte ptr ds:[reg+0x935],0x0
011BA3F1  cmp byte ptr ds:[eax+0x935],0x0
011BD98B  cmp byte ptr ds:[eax+0x935],0x0     *
011C55B3  cmp byte ptr ds:[reg+0x935],0x0
011C55E8  cmp byte ptr ds:[reg+0x935],0x0
011C5613  cmp byte ptr ds:[eax+0x935],0x0     (initial CPU selection, the line the search was started from)
011CCE59  mov byte ptr ds:[reg+0x935],al
011D597D  cmp byte ptr ds:[reg+0x935],0x0
011D7EFB  movzx eax,byte ptr ds:[reg+0x935]
011D9CB6  cmp byte ptr ds:[reg+0x935],0x0
011DBFFF  mov byte ptr ds:[reg+0x935],0x0
011DC06D  mov byte ptr ds:[reg+0x935],0x1
011DC07C  mov byte ptr ds:[reg+0x935],0x1     *
011DC093  mov byte ptr ds:[reg+0x935],0x1
5. Set a breakpoint on each of them, reload and run. The key one is this:
011DC07C  mov byte ptr ds:[reg+0x935],0x1     *
Change the assigned value to 0, continue, and execution arrives here:
011BD98B  80B8 35090000 00   cmp byte ptr ds:[eax+0x935],0x0     ; *
011BD992  0F85 E2000000      jnz Resize.011BDA7A
011BD998  A1 B82C2C01        mov eax,dword ptr ds:[0x12C2CB8]
011BD99D  0FB600             movzx eax,byte ptr ds:[eax]
011BD9A0  2C 01              sub al,0x1                          ; switch (cases 0..4)
011BD9A2  72 0D              jb short Resize.011BD9B1
011BD9A4  2C 03              sub al,0x3
011BD9A6  0F84 8A000000      je Resize.011BDA36
011BD9AC  E9 C9000000        jmp Resize.011BDA7A
011BD9B1  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]    ; case 0 of switch 011BD9A0
011BD9B7  83B8 940A0000 00   cmp dword ptr ds:[eax+0xA94],0x0
011BD9BE  74 42              je short Resize.011BDA02
011BD9C0  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BD9C6  8B80 940A0000      mov eax,dword ptr ds:[eax+0xA94]
011BD9CC  83B8 E0000000 00   cmp dword ptr ds:[eax+0xE0],0x0
011BD9D3  74 2D              je short Resize.011BDA02
011BD9D5  6A 00              push 0x0
011BD9D7  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BD9DD  8B88 40090000      mov ecx,dword ptr ds:[eax+0x940]
011BD9E3  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BD9E9  8B80 940A0000      mov eax,dword ptr ds:[eax+0xA94]
011BD9EF  8B90 E0000000      mov edx,dword ptr ds:[eax+0xE0]
011BD9F5  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BD9FB  E8 84320000        call Resize.011C0C84
011BDA00  EB 1B              jmp short Resize.011BDA1D
011BDA02  6A 00              push 0x0
011BDA04  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA0A  8B88 40090000      mov ecx,dword ptr ds:[eax+0x940]
011BDA10  33D2               xor edx,edx
011BDA12  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA18  E8 67320000        call Resize.011C0C84
011BDA1D  A1 B82C2C01        mov eax,dword ptr ds:[0x12C2CB8]
011BDA22  8038 00            cmp byte ptr ds:[eax],0x0
011BDA25  75 53              jnz short Resize.011BDA7A
011BDA27  B2 01              mov dl,0x1
011BDA29  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA2F  E8 04F40000        call Resize.011CCE38
011BDA34  EB 44              jmp short Resize.011BDA7A
011BDA36  6A 01              push 0x1                            ; case 4 of switch 011BD9A0
011BDA38  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA3E  8B88 40090000      mov ecx,dword ptr ds:[eax+0x940]
011BDA44  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA4A  8B80 940A0000      mov eax,dword ptr ds:[eax+0xA94]
011BDA50  8B90 E0000000      mov edx,dword ptr ds:[eax+0xE0]
011BDA56  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA5C  E8 23320000        call Resize.011C0C84
011BDA61  A1 B82C2C01        mov eax,dword ptr ds:[0x12C2CB8]
011BDA66  8038 04            cmp byte ptr ds:[eax],0x4
011BDA69  75 51              jnz short Resize.011BDABC
011BDA6B  B2 01              mov dl,0x1
011BDA6D  8B85 08FEFFFF      mov eax,dword ptr ss:[ebp-0x1F8]
011BDA73  E8 C0F30000        call Resize.011CCE38
011BDA78  EB 42              jmp short Resize.011BDABC
011BDA7A  E8 25C6B0FF        call Resize.00CCA0A4                ; default case of switch
Stepping through shows that 011BDA2F call Resize.011CCE38 is what sets the "Trial version" title (stored encrypted as "%#xp{ 't#$x~}"), so all that is needed is for 011BD992 jnz Resize.011BDA7A to be taken. We have already forced [eax+0x935] to 0, so changing 011BD98B cmp byte ptr ds:[eax+0x935],0x0 to compare against 1 makes the jnz on the next line jump; as the opcode bytes show, only the final immediate byte of that cmp changes.
6. Summary
Two places need patching:
011DC07C  mov byte ptr ds:[reg+0x935],0x1   change to   011DC07C  mov byte ptr ds:[reg+0x935],0x0
011BD98B  cmp byte ptr ds:[eax+0x935],0x0   change to   011BD98B  cmp byte ptr ds:[eax+0x935],0x1
The same flag is read at many other sites in the reference list above (00CCD22C, 00F63CD0, 011BA110 and so on), so after patching, exercise the whole program and confirm that nothing else that keys on [reg+0x935] misbehaves.
Reserving the first reply.
I can't follow it, but respect to the master.
Impressive, impressive.
@speedboy, when you have time could you analyse patching EditPlus? Everything online needs you to register again with a key on top of the patched version; apparently something has to be written to the registry for registration to succeed. Could you do a patch that doesn't need the manual registration step?
Much appreciated!!