Picture To Icon 1.96 patch + serial tracing?
【Title】Picture To Icon 1.96 patch + serial tracing 【Author】【pyg】dh0807
【Author e-mail】[email protected]
【Author homepage】dh0807.bokee.com
【Tools】PEiD 0.94 + OD (OllyDbg)
【Platform】pirated Windows XP SP2
【Software】Picture To Icon
【Size】710KB
【Original download】http://nmgsk.onlinedown.net/down/pic2icosetup.zip
【Protection】packed
【Description】Converts a picture or part of the screen into an ICON file, resizes icons, and extracts icons from resource libraries. Supports BMP, JPEG, GIF, CUR, WMF.
【Statement】This article is for research and study only; I accept no legal responsibility for any consequences arising from it. Regarding the shortcomings of this article, I ask everyone to kindly
------------------------------------------------------------------------
【Cracking process】1. Unpacking
PEiD scan: ASPack 2.001 -> Alexey Solodovnikov
Load in OD. It warns "entry point is outside the code range..."; click OK and it stops here:
00616001 60 PUSHAD ; entry code
00616002 E8 72050000 CALL Pic2Ico.00616579 ; F8 to here; register ESP=0012FFA4
00616007 EB 4C JMP SHORT Pic2Ico.00616055
Set a breakpoint: hr 0012FFA4
Enter --- F9 to run
006164F4 /75 08 JNZ SHORT Pic2Ico.006164FE ; breaks here; F8 takes the jump
006164F6 |B8 01000000 MOV EAX,1
006164FB |C2 0C00 RETN 0C
006164FE \68 CC154000 PUSH Pic2Ico.004015CC ; lands here
00616503 C3 RETN ; F8 returns to 004015CC
004015CC /EB 10 JMP SHORT Pic2Ico.004015DE ; the OEP is reached
004015CE |66:623A BOUND DI,DWORD PTR DS:
004015D1 |43 INC EBX
004015D2 |2B2B SUB EBP,DWORD PTR DS:
004015D4 |48 DEC EAX
004015D5 |4F DEC EDI
004015D6 |4F DEC EDI
004015D7 |4B DEC EBX
Dump at 004015CC with OllyDump method 1. After saving, the file runs normally. PEiD again: Borland C++ 1999
--------------------------------------------------
2. Patching
Load the unpacked file in OD, search the string references, and find the error message "Your registration ....". Double-click it to arrive at 004249FC, then look a little upward in the code:
004249C5|.BA 754F5100 MOV EDX,unpack.00514F75 ;Register successfully!
004249CA|.8D45 D0 LEA EAX,DWORD PTR SS:
004249CD|.E8 FE6E0D00 CALL unpack.004FB8D0
004249D2|.FF45 C4 INC DWORD PTR SS:
004249D5|.8B00 MOV EAX,DWORD PTR DS:
004249D7|.E8 90010A00 CALL unpack.004C4B6C
004249DC|.FF4D C4 DEC DWORD PTR SS:
004249DF|.8D45 D0 LEA EAX,DWORD PTR SS:
004249E2|.BA 02000000 MOV EDX,2
004249E7|.E8 9C6F0D00 CALL unpack.004FB988
004249EC|.8B45 A4 MOV EAX,DWORD PTR SS:
004249EF|.E8 14660900 CALL unpack.004BB008
004249F4|.EB 37 JMP SHORT unpack.00424A2D
004249F6|>66:C745 B8 80>MOV WORD PTR SS:,80
004249FC|.BA 974F5100 MOV EDX,unpack.00514F97 ;Your registration code is
Notice that just above the error message there is a ">" marker, meaning something jumps down to this spot, and further up is the "registered successfully" message. So click 4249F6 to see where the program jumps from:
004247D1|. /0F84 1F020000 JE unpack.004249F6 ; clearly this is the jump
OK, change the JE to JNZ. Heh, quit, run, and it registers successfully. Heh.
--------------------------------------------------
3. Tracing the serial
Load the unpacked file in OD, search the string references, find the error message "Your registration ....", and double-click it to arrive at 004249FC. Scroll up a section and set an F2 breakpoint at 004246C0. F9 to run the program; in the registration dialog enter username dh0807 and serial 138479629, then click "Register".
004246C0/.55 PUSH EBP ; breaks here
004246C1|.8BEC MOV EBP,ESP
004246C3|.83C4 9C ADD ESP,-64
004246C6|.8955 A0 MOV DWORD PTR SS:,EDX
004246C9|.8945 A4 MOV DWORD PTR SS:,EAX
004246CC|.B8 88595100 MOV EAX,unpack.00515988
004246D1|.E8 BEC10C00 CALL unpack.004F0894
004246D6|.8B15 C8D95100 MOV EDX,DWORD PTR DS: ;unpack._IconConverter
004246DC|.8B0A MOV ECX,DWORD PTR DS:
004246DE|.80B9 E4030000 00CMP BYTE PTR DS:,0
004246E5|.0F85 3A030000 JNZ unpack.00424A25
004246EB|.66:C745 B8 0800 MOV WORD PTR SS:,8
004246F1|.8D45 FC LEA EAX,DWORD PTR SS:
004246F4|.E8 0FE3FDFF CALL unpack.00402A08
004246F9|.8BD0 MOV EDX,EAX
004246FB|.FF45 C4 INC DWORD PTR SS:
004246FE|.8B4D A4 MOV ECX,DWORD PTR SS:
00424701|.8B81 00030000 MOV EAX,DWORD PTR DS:
00424707|.E8 045F0A00 CALL unpack.004CA610
0042470C|.8D45 FC LEA EAX,DWORD PTR SS: ; pointer to the username into EAX
0042470F|.E8 0820FEFF CALL unpack.0040671C ; get the username length
00424714|.83F8 03 CMP EAX,3 ; compare the username length with 3
00424717|.0F9CC2 SETL DL
0042471A|.83E2 01 AND EDX,1
0042471D|.52 PUSH EDX ; /Arg1
0042471E|.FF4D C4 DEC DWORD PTR SS: ; |
00424721|.8D45 FC LEA EAX,DWORD PTR SS: ; |
00424724|.BA 02000000 MOV EDX,2 ; |
00424729|.E8 5A720D00 CALL unpack.004FB988 ; \unpack.004FB988
0042472E|.59 POP ECX
0042472F|.84C9 TEST CL,CL
00424731|.74 3C JE SHORT unpack.0042476F ; jumps when the username is longer than 3 characters
00424733|.66:C745 B8 1400 MOV WORD PTR SS:,14
00424739|.BA 3A4F5100 MOV EDX,unpack.00514F3A ;Please input your Full
0042476F|> \68 F4010000 PUSH 1F4 ; /lands here
00424774|.E8 6FA80E00 CALL <JMP.&kernel32.Sleep> ; \Sleep
00424779|.66:C745 B8 2000 MOV WORD PTR SS:,20
0042477F|.8D45 F4 LEA EAX,DWORD PTR SS:
00424782|.E8 81E2FDFF CALL unpack.00402A08
00424787|.8BD0 MOV EDX,EAX
00424789|.FF45 C4 INC DWORD PTR SS:
0042478C|.8B4D A4 MOV ECX,DWORD PTR SS:
0042478F|.8B81 04030000 MOV EAX,DWORD PTR DS:
00424795|.E8 765E0A00 CALL unpack.004CA610 ; get the entered serial
0042479A|.8D55 F4 LEA EDX,DWORD PTR SS: ; pointer to the entered serial into EDX
0042479D|.FF32 PUSH DWORD PTR DS: ; /Arg1 = 00C630A8 ASCII "138479629"
0042479F|.E8 58E3FFFF CALL unpack.00422AFC ; \algorithm call, F7 to step in
00422AFC/$55 PUSH EBP
00422AFD|.8BEC MOV EBP,ESP
...middle omitted
00422B61|.E8 228E0D00 CALL unpack.004FB988
00422B66|.8D45 08 LEA EAX,DWORD PTR SS:
00422B69|.E8 AE3BFEFF CALL unpack.0040671C ; get the length of the entered serial
00422B6E|.83F8 2C CMP EAX,2C
00422B71|.0F85 44020000 JNZ unpack.00422DBB
; Note the 2C above: hex 2C is decimal 44, so the registration code must be 44 characters long; if the length differs, it jumps away. So re-enter a 44-character registration code.
Sorry, I got stuck at this point and could not continue. I ask the experts to give some guidance. Thanks in advance.
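Added example, not code from the original post: a small Python parser for OllyDbg listing lines in the format shown above, which automates the two manual steps of this write-up, finding which jump lands at a given address (the "who jumps to 4249F6" step) and reading the decimal value of a hex immediate (the CMP EAX,2C → 44 step). The sample lines are copied from this post; the regex and function names are my own.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: OllyDbg listing lines copied from this write-up.
SAMPLE = """\
004247D1|. /0F84 1F020000 JE unpack.004249F6 ;clearly this is the jump
00424731|.74 3C JE SHORT unpack.0042476F ;jumps when the username is longer than 3
0042476F|> \\68 F4010000 PUSH 1F4 ; /lands here
004249C5|.BA 754F5100 MOV EDX,unpack.00514F75 ;Register successfully!
00422B6E|.83F8 2C CMP EAX,2C
00422B71|.0F85 44020000 JNZ unpack.00422DBB
"""

# address, OllyDbg flow markers (| / \ . > $), opcode bytes, mnemonic, operands, ";comment"
LINE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})[|/\\.$>\s]*"
    r"(?P<bytes>(?:(?:[0-9A-F]{2}:)?[0-9A-F]{2}(?:[0-9A-F]{2})*\s+)+)"
    r"(?P<mnem>[A-Z]{2,})\s*(?P<ops>[^;]*?)\s*(?:;\s*(?P<cmt>.*))?$"
)
ADDR_IN_OPS = re.compile(r"\b[0-9A-F]{8}\b")


class Insn(NamedTuple):
    addr: int
    mnem: str
    ops: str
    comment: str


def parse_listing(text: str) -> List[Insn]:
    """Parse listing lines; lines that do not fit the format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append(Insn(int(m["addr"], 16), m["mnem"], m["ops"].strip(), m["cmt"] or ""))
    return out


def jumps_to(insns: List[Insn], target: int) -> List[int]:
    """Addresses of jump instructions whose operand names `target` (the 'who jumps here' step)."""
    return [i.addr for i in insns
            if i.mnem.startswith("J")
            and any(int(a, 16) == target for a in ADDR_IN_OPS.findall(i.ops))]


def cmp_immediate(insns: List[Insn], addr: int) -> Optional[int]:
    """Decimal value of the hex immediate of the CMP at `addr` (OllyDbg prints immediates in hex)."""
    for i in insns:
        if i.addr == addr and i.mnem == "CMP":
            return int(i.ops.rsplit(",", 1)[1], 16)
    return None
```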
------------------------------------------------------------------------
【Summary】Patching works. For tracing the serial I know it is 44 characters, but I cannot trace it any further. Please advise.
------------------------------------------------------------------------
【Copyright】When reposting, please credit the author and keep the article intact. Thank you!
Back again to study this, for reference.
Strong! You can analyze algorithms now!
Learned something, my support.