五子棋终结者 (Gomoku Terminator) 1.0 Release: patching the locked features
This Gomoku program is quite impressive, N times stronger than the earlier 美卡五子棋. After getting the software, my first thought was registration, but the registration routine only compares one part, and I could not find where the remaining part is compared, so I set off on a patching journey. Thanks to 酷子 (梅川酷子), KuNgBiM, playboyjin (果果) and 冷血书生 for their help. Registration part:
004069EB|.6A 12 PUSH 12 ; /Count = 12 (18.)
004069ED|.56 PUSH ESI ; |Buffer => 五子棋终.00410A3A
004069EE|.53 PUSH EBX ; |hWnd
004069EF|.FF15 28D14000 CALL DWORD PTR DS:[<&USER32.GetWindowT>; \get the registration code length
004069F5|.56 PUSH ESI
004069F6|.E8 3F0D0000 CALL 五子棋终.0040773A ;algorithm CALL, step into
004069FB|.59 POP ECX
004069FC|.85C0 TEST EAX,EAX
004069FE|.6A 00 PUSH 0
00406A00|.74 0C JE SHORT 五子棋终.00406A0E
00406A02|.68 78E74000 PUSH 五子棋终.0040E778 ;SUCCEED
00406A07|.68 6CE74000 PUSH 五子棋终.0040E76C ;注册成功!
00406A0C|.EB 0A JMP SHORT 五子棋终.00406A18
00406A0E|>68 64E74000 PUSH 五子棋终.0040E764 ;FAILED
00406A13|.68 58E74000 PUSH 五子棋终.0040E758 ;注册失败!
Step into the algorithm CALL at 0040773A
0040773A/$55 PUSH EBP
0040773B|.8BEC MOV EBP,ESP
0040773D|.51 PUSH ECX
0040773E|.53 PUSH EBX
0040773F|.56 PUSH ESI
00407740|.57 PUSH EDI
00407741|.FF75 08 PUSH DWORD PTR SS:
00407744|.E8 37040000 CALL 五子棋终.00407B80 ;get the KEY length
00407749|.83F8 10 CMP EAX,10 ;KEY must be 16 characters
0040774C|.59 POP ECX
0040774D|.74 04 JE SHORT 五子棋终.00407753
0040774F|.33C0 XOR EAX,EAX
00407751|.EB 62 JMP SHORT 五子棋终.004077B5
00407753|>8D45 FC LEA EAX,DWORD PTR SS:
00407756|.BB B8EC4000 MOV EBX,五子棋终.0040ECB8 ;%8lX
0040775B|.50 PUSH EAX
0040775C|.53 PUSH EBX
0040775D|.FF75 08 PUSH DWORD PTR SS:
00407760|.E8 F9090000 CALL 五子棋终.0040815E
00407765|.8B45 FC MOV EAX,DWORD PTR SS: ;take the first 8 characters of KEY
00407768|.BF 888888F8 MOV EDI,F8888888
0040776D|.F7D0 NOT EAX ;NOT the first 8 characters
0040776F|.33C7 XOR EAX,EDI ;XOR the inverted value with F8888888
00407771|.BE 000000F0 MOV ESI,F0000000
00407776|.0BC6 OR EAX,ESI ;then OR the result with F0000000
00407778|.83C4 0C ADD ESP,0C
0040777B|.3B05 500A4100 CMP EAX,DWORD PTR DS: ;compare with the first 8 characters of the machine code
00407781|.8945 FC MOV DWORD PTR SS:,EAX
00407784|.75 05 JNZ SHORT 五子棋终.0040778B ;jump if not equal (not equal runs the second check)
00407786|.6A 01 PUSH 1 ;if equal, push 1
00407788|.58 POP EAX
00407789|.EB 2A JMP SHORT 五子棋终.004077B5
0040778B|>8D45 FC LEA EAX,DWORD PTR SS:
0040778E|.50 PUSH EAX
0040778F|.8B45 08 MOV EAX,DWORD PTR SS:
00407792|.83C0 08 ADD EAX,8
00407795|.53 PUSH EBX
00407796|.50 PUSH EAX
00407797|.E8 C2090000 CALL 五子棋终.0040815E
0040779C|.8B45 FC MOV EAX,DWORD PTR SS: ;take the last 8 characters of KEY
0040779F|.83C4 0C ADD ESP,0C
004077A2|.F7D0 NOT EAX ;NOT
004077A4|.33C7 XOR EAX,EDI ;XOR the inverted value with F8888888
004077A6|.33C9 XOR ECX,ECX
004077A8|.0BC6 OR EAX,ESI ;then OR the result with F0000000
004077AA|.3B05 540A4100 CMP EAX,DWORD PTR DS: ;compare with the last 8 characters of the machine code
004077B0|.0F94C1 SETE CL ;CL = 1 if equal
004077B3|.8BC1 MOV EAX,ECX ;move ECX into EAX
004077B5|>5F POP EDI
004077B6|.5E POP ESI
004077B7|.5B POP EBX
004077B8|.C9 LEAVE
004077B9\.C3 RETN
The algorithm part does not look hard. It goes as follows (K is either the first 8 or the last 8 hex digits of the registration code):
NOT(K) XOR F8888888 OR F0000000 = F9CF7331 ;
NOT(K) XOR F8888888 OR F0000000 = F5812533 .
Satisfying either one is enough.
My machine code: F9CF7331F5812533. Let's work backwards:
F9CF7331 in binary: 11111001110011110111001100110001
F8888888 in binary: 11111000100010001000100010001000
XOR gives the value for the first 8 digits: 00000001010001111111101110111001
0147FBB9, inverted again: FEB80446
F5812533 in binary: 11110101100000010010010100110011
F8888888 in binary: 11111000100010001000100010001000
XOR gives the value for the last 8 digits: 00001101000010011010110110111011
0D09ADBB, inverted again: F2F65244
Joining the two KEY halves: FEB80446F2F65244. After registering, the software's features still cannot be used. It seems there are checks elsewhere, so let's go with patching.
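As an added example (not code from the original post or from the program's author), here is a model of the per-half check recovered above, written to show why it is weak from a design standpoint: the transform is a fixed NOT/XOR/OR of the machine code, so the key follows directly from the machine code, and the final OR with F0000000 throws away the top nibble, so 16 different values pass the same comparison. The constants and the machine code are the ones from the post; the function names are my own.

```python
# Added example: model of the 16-character key check at 0040773A.
# Constants come from the listing; function names are assumptions of this example.
M_XOR = 0xF8888888
M_OR = 0xF0000000
MASK32 = 0xFFFFFFFF


def transform(k: int) -> int:
    """One half of the check: NOT k, XOR F8888888, OR F0000000 (32-bit)."""
    return (((~k) & MASK32) ^ M_XOR) | M_OR


def check_key(key_hex: str, machine_hex: str) -> bool:
    """Mirror of the routine: key must be 16 hex chars; either half may match.

    Each half is parsed with %8lX in the program, so int(..., 16) stands in for that.
    """
    if len(key_hex) != 16 or len(machine_hex) != 16:
        return False
    try:
        k1, k2 = int(key_hex[:8], 16), int(key_hex[8:], 16)
        m1, m2 = int(machine_hex[:8], 16), int(machine_hex[8:], 16)
    except ValueError:  # non-hex characters in either string
        return False
    return transform(k1) == m1 or transform(k2) == m2


def derive_half(machine_half: int) -> int:
    """Invert transform(): the step the post works through by hand in binary."""
    return (~(machine_half ^ M_XOR)) & MASK32


def colliding_halves(k: int) -> set:
    """All 32-bit values sharing the low 28 bits of k.

    The OR with F0000000 discards the top nibble, so every one of these
    produces the same output as k and passes the same comparison.
    """
    return {(k & 0x0FFFFFFF) | (n << 28) for n in range(16)}


if __name__ == "__main__":
    machine = "F9CF7331F5812533"  # the machine code quoted in the post
    derived = f"{derive_half(0xF9CF7331):08X}{derive_half(0xF5812533):08X}"
    print("derived key:", derived, "passes:", check_key(derived, machine))
    print("colliding first halves:", len(colliding_halves(0xFEB80446)))
```

The lesson for anyone designing such a check: a key that is a fixed, invertible function of a value the user can read off the screen offers no protection, and a lossy final step (the OR mask) only makes more keys valid, not fewer.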
Right then 酷子 reminded me to use the EnableMenuItem function to un-grey the menu items. So: BP EnableMenuItem
Stack display:
0012F754 004053BB/CALL to EnableMenuItem from 五子棋终.004053B9
0012F758 00CB0901|hMenu = 00CB0901
0012F75C 000000D0|ItemID = D0 (208.)
0012F760 00000001\Flags = MF_BYCOMMAND|MF_GRAYED|MF_STRING
Return to the code window:
004053AF 6A 01 PUSH 1 ;酷子 pointed out: change this to PUSH 0 to un-grey the menu items
004053B1|.5B POP EBX
004053B2|.53 PUSH EBX ; /Flags => MF_BYCOMMAND|MF_GRAYED|MF_STRING
004053B3|.68 D0000000 PUSH 0D0 ; |ItemID = D0 (208.)
004053B8|.57 PUSH EDI ; |hMenu
004053B9|.FFD6 CALL ESI ; \EnableMenuItem
004053BB 53 PUSH EBX ;returns here. Note that EAX is 0 at this point; if not using the first option, change this to PUSH EAX to un-grey
004053BC 68 CF000000 PUSH 0CF
004053C1|.57 PUSH EDI ; |hMenu
004053C2|.FFD6 CALL ESI ; \EnableMenuItem
004053C4 53 PUSH EBX
After changing 004053AF to PUSH 0 and saving, the software pops up a NAG. Set BP MessageBoxA to find the key point and modify it:
00405514|.FF15 60D14000 CALL DWORD PTR DS:[<&USER32.SetTimer>] ; \SetTimer
0040551A|.E8 4D230000 CALL 五子棋终.0040786C
0040551F|.3B05 F8F74000 CMP EAX,DWORD PTR DS:
00405525|.A3 580A4100 MOV DWORD PTR DS:,EAX
0040552A 74 28 JE SHORT 五子棋终.00405554 ;if this does not jump, the self-check fails and the error box appears; change to JMP
0040552C|.50 PUSH EAX
0040552D|.BE 780A4100 MOV ESI,五子棋终.00410A78
00405532|.68 34E54000 PUSH 五子棋终.0040E534 ; no%lu \n
00405537|.56 PUSH ESI
00405538|.E8 82240000 CALL 五子棋终.004079BF
0040553D|.83C4 0C ADD ESP,0C
00405540|.55 PUSH EBP ; /Style
00405541|.68 24E54000 PUSH 五子棋终.0040E524 ; | fatal error
00405546|.56 PUSH ESI ; |Text
00405547|.55 PUSH EBP ; |hOwner
00405548|.FF15 68D14000 CALL DWORD PTR DS:[<&USER32.MessageBox>; \MessageBoxA
0040554E|.55 PUSH EBP
0040554F|.E8 EA240000 CALL 五子棋终.00407A3E
00405554|>E8 19190000 CALL 五子棋终.00406E72
00405559|.6A 43 PUSH 43
After getting past the NAG, choosing other features pops up the dialog "未 注 册 版 本 不 提 供 此 功 能!" (the unregistered version does not provide this feature). Set BP MessageBoxA to find the key point.
Stack display:
0012FDB4 004077FD/CALL to MessageBoxA from 五子棋终.004077F7
0012FDB8 025C03E6|hOwner = 025C03E6 ('五子棋终结者,机器执黑必胜',class='FIVE')
0012FDBC 0040ECC0|Text = "未 注 册 版 本 不 提 供 此 功 能!"
0012FDC0 0040ECE8|Title = "unregisted version don't provide this function"
0012FDC4 00000000\Style = MB_OK|MB_APPLMODAL
0012FDC8 004048B5 return to 五子棋终.004048B5 from 五子棋终.004077E5
Return to the code window:
004077E5/$6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004077E7|.68 E8EC4000 PUSH 五子棋终.0040ECE8 ; |Title = "unregisted version don't provide this function"
004077EC|.68 C0EC4000 PUSH 五子棋终.0040ECC0 ; |Text = "未 注 册 版 本 不 提 供 此 功 能!"
004077F1|.FF35 2C1E4100 PUSH DWORD PTR DS: ; |hOwner = 025C03E6 ('五子棋终结者,机器执黑必胜',class='FIVE')
004077F7|.FF15 68D14000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004077FD\.C3 RETN
004047C6|.391D F0F74000 CMP DWORD PTR DS:,EBX
004047CC|.0F84 DE000000 JE 五子棋终.004048B0 ;this must never jump; NOP it out
004047D2|.8B35 7CD14000 MOV ESI,DWORD PTR DS:[<&USER32.CheckMenu>;USER32.CheckMenuItem
004047D8|.53 PUSH EBX ; /Flags => MF_BYCOMMAND|MF_ENABLED|MF_STRING
004047D9|.68 CE000000 PUSH 0CE ; |ItemId = CE (206.)
004047DE|.50 PUSH EAX ; |hMenu
004047DF|.FFD6 CALL ESI ; \CheckMenuItem
004047E1|.6A 08 PUSH 8 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_CHECKED|MF_STRING
004047E3|.57 PUSH EDI ; |ItemId
004047E4|.FF75 08 PUSH DWORD PTR SS: ; |hMenu
004047E7|.FFD6 CALL ESI ; \CheckMenuItem
004047E9|.53 PUSH EBX ; /Flags => MF_BYCOMMAND|MF_ENABLED|MF_STRING
004047EA|.68 D0000000 PUSH 0D0 ; |ItemId = D0 (208.)
004047EF|.FF75 08 PUSH DWORD PTR SS: ; |hMenu
004047F2|.FFD6 CALL ESI ; \CheckMenuItem
004047F4|.53 PUSH EBX ; /Flags => MF_BYCOMMAND|MF_ENABLED|MF_STRING
004047F5|.68 D1000000 PUSH 0D1 ; |ItemId = D1 (209.)
004047FA|.FF75 08 PUSH DWORD PTR SS: ; |hMenu
004047FD|.FFD6 CALL ESI ; \CheckMenuItem
004047FF|.C705 34F84000>MOV DWORD PTR DS:,43
00404809|.E9 E3000000 JMP 五子棋终.004048F1
0040480E|>BA D7000000 MOV EDX,0D7
00404813|.3BCA CMP ECX,EDX
00404815|.0F8F 58010000 JG 五子棋终.00404973
0040481B|.0F84 23010000 JE 五子棋终.00404944
00404821|.81E9 D0000000 SUB ECX,0D0 ;Switch (cases D0..D6)
00404827|.0F84 D3000000 JE 五子棋终.00404900
0040482D|.49 DEC ECX
0040482E|.74 76 JE SHORT 五子棋终.004048A6
00404830|.49 DEC ECX
00404831|.74 43 JE SHORT 五子棋终.00404876
00404833|.83E9 04 SUB ECX,4
00404836|.^ 0F85 E3FDFFFF JNZ 五子棋终.0040461F
0040483C|.8A0D 380A4100 MOV CL,BYTE PTR DS: ;Case D6 (EM_POSFROMCHAR) of switch
00404842|.80F9 01 CMP CL,1
00404845|.75 0B JNZ SHORT 五子棋终.00404852
00404847|.33DB XOR EBX,EBX
00404849|.881D 380A4100 MOV BYTE PTR DS:,BL
0040484F|.53 PUSH EBX
00404850|.EB 13 JMP SHORT 五子棋终.00404865
00404852|>33DB XOR EBX,EBX
00404854|.3ACB CMP CL,BL
00404856|.0F85 AB010000 JNZ 五子棋终.00404A07
0040485C|.C605 380A4100>MOV BYTE PTR DS:,1
00404863|.6A 08 PUSH 8
00404865|>68 D6000000 PUSH 0D6
0040486A|>50 PUSH EAX ; |hMenu
0040486B|.FF15 7CD14000 CALL DWORD PTR DS:[<&USER32.CheckMenuIte>; \CheckMenuItem
00404871|.E9 91010000 JMP 五子棋终.00404A07
00404876|>33DB XOR EBX,EBX ;Case D2 (EM_GETPASSWORDCHAR) of switch 00404821
00404878|.391D 3CF84000 CMP DWORD PTR DS:,EBX
0040487E|.75 1D JNZ SHORT 五子棋终.0040489D
00404880|.C705 3CF84000>MOV DWORD PTR DS:,1
0040488A|.6A 08 PUSH 8
0040488C|>68 D2000000 PUSH 0D2 ; |ItemId = D2 (210.)
00404891|.50 PUSH EAX ; |hMenu
00404892|.FF15 7CD14000 CALL DWORD PTR DS:[<&USER32.CheckMenuIte>; \CheckMenuItem
00404898|.E9 5C060000 JMP 五子棋终.00404EF9
0040489D|>891D 3CF84000 MOV DWORD PTR DS:,EBX
004048A3|.53 PUSH EBX
004048A4|.^ EB E6 JMP SHORT 五子棋终.0040488C
004048A6|>33DB XOR EBX,EBX ;Case D1 (EM_GETWORDBREAKPROC) of switch 00404821
004048A8|.391D F0F74000 CMP DWORD PTR DS:,EBX
004048AE|.75 0A JNZ SHORT 五子棋终.004048BA ;change this to JMP
004048B0|>E8 302F0000 CALL 五子棋终.004077E5 ;note: the jump to this CALL comes from 4047CC
004048B5|.E9 3F060000 JMP 五子棋终.00404EF9
After the modification, when we pick "玩家先" (player first) and click start, the software closes itself. Set a BP ExitProcess breakpoint
Stack display:
0012FD94 00407AF7/CALL to ExitProcess from 五子棋终.00407AF1
0012FD98 00000000\ExitCode = 0
0012FD9C 0040E50CASCII " _5.first!='C'|'P' "
00407AE5 /75 10 JNZ SHORT 五子棋终.00407AF7 ;break here and flip the Z flag so that it jumps past the exit
00407AE7|. |FF7424 08 PUSH DWORD PTR SS: ; /ExitCode
00407AEB|. |893D 2CF64000 MOV DWORD PTR DS:,EDI ; |
00407AF1|. |FF15 14D14000 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
00407AF7|> \5F POP EDI ;returns here
00407AF8\.C3 RETN
Then return to here:
004051F9|.53 PUSH EBX
004051FA|.55 PUSH EBP
004051FB|.56 PUSH ESI
004051FC|.8B35 68D14000 MOV ESI,DWORD PTR DS:[<&USER32.MessageBo>;USER32.MessageBoxA
00405202|.57 PUSH EDI
00405203|.6A 01 PUSH 1
00405205|.33DB XOR EBX,EBX
00405207|.59 POP ECX
00405208|.83F8 43 CMP EAX,43
0040520B|.891D F4F74000 MOV DWORD PTR DS:,EBX
00405211|.891D 001E4100 MOV DWORD PTR DS:,EBX
00405217|.891D 041E4100 MOV DWORD PTR DS:,EBX
0040521D|.891D 84F84000 MOV DWORD PTR DS:,EBX
00405223|.891D 78F84000 MOV DWORD PTR DS:,EBX
00405229|.891D 70F84000 MOV DWORD PTR DS:,EBX
0040522F|.891D 74F84000 MOV DWORD PTR DS:,EBX
00405235|.891D 88F84000 MOV DWORD PTR DS:,EBX
0040523B|.890D 24F84000 MOV DWORD PTR DS:,ECX
00405241|.A3 2CF84000 MOV DWORD PTR DS:,EAX
00405246|.BD 20E54000 MOV EBP,五子棋终.0040E520
0040524B|.BF 0CE54000 MOV EDI,五子棋终.0040E50C ;ASCII " _5.first!='C'|'P' "
00405250|. /75 0E JNZ SHORT 五子棋终.00405260 ;set a breakpoint here
00405252|. |890D 5CF84000 MOV DWORD PTR DS:,ECX
00405258|. |891D 64F84000 MOV DWORD PTR DS:,EBX
0040525E|. |EB 22 JMP SHORT 五子棋终.00405282
00405260|> \83F8 50 CMP EAX,50
00405263|.75 12 JNZ SHORT 五子棋终.00405277
00405265|.53 PUSH EBX
00405266|.890D 64F84000 MOV DWORD PTR DS:,ECX
0040526C|.891D 5CF84000 MOV DWORD PTR DS:,EBX
00405272|.E8 C7270000 CALL 五子棋终.00407A3E ;so this CALL must not be reached
00405277|>53 PUSH EBX ;returns here
By comparison, when we choose "玩家先" (player first) the jump at 00405250 is taken, so we NOP it out.
One part remains: the "开发测试工具" (development test tools) option. As soon as it is clicked the software exits. I kept debugging with the method described above, without result, and I do not know why; I hope an expert can point it out. (From the author's official website I learned that the program's other features have not been developed yet.)
Following the approach above we arrive here:
00404F80 .53 PUSH EBX
00404F81 .56 PUSH ESI
00404F82 .57 PUSH EDI
00404F83 6A 01 PUSH 1
00404F85 33DB XOR EBX,EBX
00404F87 .5F POP EDI
00404F88 .891D 70F84000 MOV DWORD PTR DS:,EBX
00404F8E .891D 74F84000 MOV DWORD PTR DS:,EBX
00404F94 .C705 88F84000>MOV DWORD PTR DS:,0C
00404F9E .893D 081E4100 MOV DWORD PTR DS:,EDI
00404FA4 .A3 0C1E4100 MOV DWORD PTR DS:,EAX
00404FA9 .891D 60F84000 MOV DWORD PTR DS:,EBX
00404FAF .891D 68F84000 MOV DWORD PTR DS:,EBX
00404FB5 .891D 141E4100 MOV DWORD PTR DS:,EBX
00404FBB .893D 101E4100 MOV DWORD PTR DS:,EDI
00404FC1 .FF15 F8D04000 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; [GetCurrentThread
00404FC7 .8BF0 MOV ESI,EAX
00404FC9 .6A F1 PUSH -0F ; /Priority = THREAD_PRIORITY_IDLE
00404FCB .56 PUSH ESI ; |hThread
00404FCC .FF15 FCD04000 CALL DWORD PTR DS:[<&KERNEL32.SetThreadP>; \SetThreadPriority
00404FD2 .56 PUSH ESI ; /hThread
00404FD3 .FF15 00D14000 CALL DWORD PTR DS:[<&KERNEL32.GetThreadP>; \GetThreadPriority
00404FD9 .83F8 F1 CMP EAX,-0F
00404FDC .74 0E JE SHORT 五子棋终.00404FEC
00404FDE .68 A4E44000 PUSH 五子棋终.0040E4A4 ;ASCII "Thread_test priority!=THREAD_PRIORITY_IDLE"
00404FE3 .6A 04 PUSH 4
00404FE5 .E8 D0270000 CALL 五子棋终.004077BA
00404FEA .59 POP ECX
00404FEB .59 POP ECX
00404FEC >391D 28F84000 CMP DWORD PTR DS:,EBX
00404FF2 .75 16 JNZ SHORT 五子棋终.0040500A
00404FF4 .68 88E44000 PUSH 五子棋终.0040E488 ;ASCII "error:Thread_cgo is running"
00404FF9 .6A 04 PUSH 4
00404FFB .E8 BA270000 CALL 五子棋终.004077BA
00405000 .59 POP ECX
00405001 .8BC7 MOV EAX,EDI
00405003 .59 POP ECX
00405004 .5F POP EDI
00405005 .5E POP ESI
00405006 .5B POP EBX
00405007 .C2 0400 RETN 4
0040500A >53 PUSH EBX
0040500B .E8 2E2A0000 CALL 五子棋终.00407A3E
00405010/$55 PUSH EBP ;returns here
///////////////////////
I found a workaround for the exit that stops the "开发测试工具" option from quitting the program: clicking it now shows a message that the feature is running. I am not sure whether this behaves the same as the registered version, and the check mark in front of that menu option does not appear.
00404F83 .6A 01 PUSH 1
00404F85 .E9 5B760000 JMP 五子棋终.0040C5E5 // JMP out from here
00404F8A 90 NOP
00404F8B 90 NOP
00404F8C 90 NOP
00404F8D 90 NOP
00404F8E >891D 74F84000 MOV DWORD PTR DS:,EBX
///////// added code ////////
0040C5E5 > \BB 01000000 MOV EBX,1
0040C5EA .5F POP EDI
0040C5EB .891D 70F84000 MOV DWORD PTR DS:,EBX
0040C5F1 .^ E9 9889FFFF JMP 五子棋终.00404F8E
Overall, I feel this modification still does not actually implement the feature.
/////////////////////////////
Impressive...
Too bad I'm a newbie /:002, still learning! Still learning; right now I can only patch, following the algorithm is too tiring. Learning assembly. Learning!! :loveliness: /:018 Nicely written and very thorough, here's my support. Wonder if the OP could provide a cracked version. Learning! Looks so complicated /:002 Yeah, impressive. I'm a newbie, I have to study hard..