Restricted features still unusable after patching the program
【Software】文心辅助写作系统 V4.0 (Wenxin assisted-writing system) 【Tools】PEiD, OD, C32ASM, ASPack unpacker
【Platform】WinXP
【Size】10.88MB
【Official download】http://www.writer2008.cn/download/setup.rar
【Protection】one machine, one code; verified again on restart
After reading 飘雪's tutorial I got the urge and picked a program to practise patching on. Unfortunately I still cannot patch it cleanly.
The program starts, but the restricted save function still cannot be used.
I am a beginner and have not been at this long, so I cannot think of a way forward right now. Could the experts please give me a few pointers!
Here are the steps I took
1. First check Writer.exe with PEiD. The packer is ASPack 2.12 -> Alexey Solodovnikov
2. Remove the packer with ASPack unpacker. It is Borland Delphi 6.0 - 7.0
3. Look at the unpacked file in C32ASM. Find "SOFTWARE\Mypassword"
4. Debug with OD
Step 1: change the jump at 0040C878, start the program, enter any registration code, and it reports that verification succeeded.
0040C878 . /0F84 3E010000 jNZ 0040C9BC ; change this JNZ to JE
0040C87E . |B8 18CA4000 mov eax, 0040CA18
0040C883 . |E8 E856FFFF call <jmp.&vcl70.Dialogs::ShowMessage>
0040C888 . |B2 01 mov dl, 1
0040C88A . |A1 206D5000 mov eax, dword ptr [<&rtl70.Registry>
0040C88F . |E8 5458FFFF call <jmp.&rtl70.Registry::TRegistry:>
0040C894 . |8945 F4 mov dword ptr [ebp-C], eax
0040C897 . |33C0 xor eax, eax
0040C899 . |55 push ebp
0040C89A . |68 29C94000 push 0040C929
0040C89F . |64:FF30 push dword ptr fs:[eax]
0040C8A2 . |64:8920 mov dword ptr fs:[eax], esp
0040C8A5 . |BA 02000080 mov edx, 80000002
0040C8AA . |8B45 F4 mov eax, dword ptr [ebp-C]
0040C8AD . |E8 4658FFFF call <jmp.&rtl70.Registry::TRegistry:>
0040C8B2 . |8D45 F0 lea eax, dword ptr [ebp-10]
0040C8B5 . |BA 30CA4000 mov edx, 0040CA30 ;ASCII "SOFTWARE\Mypassword" ; writes the registration code to the registry under Mypassword
Step 2: after a restart it says the password is incorrect. In OD, find the jump at 00418E8A; once it is changed, the program no longer shows "unregistered" or "password incorrect" at startup.
00418E8A|. /0F85 80000000 jnz 00418F10 ; change this JNZ to JE
00418E90|. |A1 94B04100 mov eax, dword ptr [41B094]
00418E95|. |8B80 C0030000 mov eax, dword ptr [eax+3C0]
00418E9B|. |B2 01 mov dl, 1
00418E9D|. |E8 BE8DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418EA2|. |A1 94B04100 mov eax, dword ptr [41B094]
00418EA7|. |8B80 C4030000 mov eax, dword ptr [eax+3C4]
00418EAD|. |B2 01 mov dl, 1
00418EAF|. |E8 AC8DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418EB4|. |A1 94B04100 mov eax, dword ptr [41B094]
00418EB9|. |8B80 C8030000 mov eax, dword ptr [eax+3C8]
00418EBF|. |B2 01 mov dl, 1
00418EC1|. |E8 9A8DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418EC6|. |A1 94B04100 mov eax, dword ptr [41B094]
00418ECB|. |8B80 D0030000 mov eax, dword ptr [eax+3D0]
00418ED1|. |B2 01 mov dl, 1
00418ED3|. |E8 888DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418ED8|. |A1 94B04100 mov eax, dword ptr [41B094]
00418EDD|. |8B80 D4030000 mov eax, dword ptr [eax+3D4]
00418EE3|. |B2 01 mov dl, 1
00418EE5|. |E8 768DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418EEA|. |A1 94B04100 mov eax, dword ptr [41B094]
00418EEF|. |8B80 DC030000 mov eax, dword ptr [eax+3DC]
00418EF5|. |B2 01 mov dl, 1
00418EF7|. |E8 648DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418EFC|. |A1 94B04100 mov eax, dword ptr [41B094]
00418F01|. |8B80 E0030000 mov eax, dword ptr [eax+3E0]
00418F07|. |B2 01 mov dl, 1
00418F09|. |E8 528DFEFF call <jmp.&vcl70.Menus::TMenuItem::Se>
00418F0E|. |EB 16 jmp short 00418F26
00418F10|> \B8 A48F4100 mov eax, 00418FA4 ; message: registration code incorrect
[ This post was last edited by VC8 on 2007-11-25 20:27 ]

I traced it a bit. Looks like the code is in plaintext. What restrictions are there?
[ This post was last edited by senots on 2007-11-18 18:54 ]

The restriction is that edited content cannot be saved, and the new-document button is disabled too..

The program itself is a demo version; all I found here is the registration code, i.e. the algorithm:
0040C7F8 .55 push ebp
0040C7F9 .8BEC mov ebp, esp
0040C7FB .B9 05000000 mov ecx, 5
0040C800 >6A 00 push 0
0040C802 .6A 00 push 0
0040C804 .49 dec ecx
0040C805 .^ 75 F9 jnz short 0040C800
0040C807 .51 push ecx
0040C808 .8955 E8 mov [ebp-18], edx
0040C80B .8945 FC mov [ebp-4], eax
0040C80E .33C0 xor eax, eax
0040C810 .55 push ebp
0040C811 .68 04CA4000 push 0040CA04
0040C816 .64:FF30 push dword ptr fs:[eax]
0040C819 .64:8920 mov fs:[eax], esp
0040C81C .A1 CCA14100 mov eax, [41A1CC]
0040C821 .8B00 mov eax, [eax]
0040C823 .E8 D8CA0000 call 00419300
0040C828 .8BD0 mov edx, eax
0040C82A .8D45 E4 lea eax, [ebp-1C]
0040C82D .E8 AE48FFFF call <jmp.&rtl70.System::LStrFromPCha>
0040C832 .8B45 E4 mov eax, [ebp-1C]
0040C835 .8D55 F8 lea edx, [ebp-8]
0040C838 .E8 B34DFFFF call <jmp.&rtl70.Sysutils::Trim>
0040C83D .A1 CCA14100 mov eax, [41A1CC]
0040C842 .8B00 mov eax, [eax]
0040C844 .8B55 F8 mov edx, [ebp-8]
0040C847 .E8 78C70000 call 00418FC4 ; the key routine of the algorithm
0040C84C .33D2 xor edx, edx
0040C84E .52 push edx
0040C84F .50 push eax ;eax=0090720A
0040C850 .8D45 E0 lea eax, [ebp-20]
0040C853 .E8 A84DFFFF call <jmp.&rtl70.Sysutils::IntToStr>
0040C858 .8B45 E0 mov eax, [ebp-20] ;(ASCII "9466378")
0040C85B .50 push eax
0040C85C .8D55 DC lea edx, [ebp-24]
0040C85F .A1 6CB04100 mov eax, [41B06C]
0040C864 .8B80 00030000 mov eax, [eax+300]
0040C86A .E8 8950FFFF call <jmp.&vcl70.Controls::TControl::>
0040C86F .8B55 DC mov edx, [ebp-24]
0040C872 .58 pop eax
0040C873 .E8 8848FFFF call <jmp.&rtl70.System::LStrCmp>
0040C878 .0F85 3E010000 jnz 0040C9BC
0040C87E .B8 18CA4000 mov eax, 0040CA18 ; the correct license code!
0040C883 .E8 E856FFFF call <jmp.&vcl70.Dialogs::ShowMessage>
0040C888 .B2 01 mov dl, 1
0040C88A .A1 206D5000 mov eax, [<&rtl70.Registry::TRegistr>
0040C88F .E8 5458FFFF call <jmp.&rtl70.Registry::TRegistry:>
0040C894 .8945 F4 mov [ebp-C], eax
0040C897 .33C0 xor eax, eax
0040C899 .55 push ebp
0040C89A .68 29C94000 push 0040C929
0040C89F .64:FF30 push dword ptr fs:[eax]
0040C8A2 .64:8920 mov fs:[eax], esp
0040C8A5 .BA 02000080 mov edx, 80000002
0040C8AA .8B45 F4 mov eax, [ebp-C]
0040C8AD .E8 4658FFFF call <jmp.&rtl70.Registry::TRegistry:>
0040C8B2 .8D45 F0 lea eax, [ebp-10]
0040C8B5 .BA 30CA4000 mov edx, 0040CA30 ;software\mypassword
0040C8BA .E8 1948FFFF call <jmp.&rtl70.System::LStrLAsg>
0040C8BF .8D55 D8 lea edx, [ebp-28]
=======================
00418FC4/$55 push ebp
00418FC5|.8BEC mov ebp, esp
00418FC7|.83C4 EC add esp, -14
00418FCA|.8955 F8 mov [ebp-8], edx
00418FCD|.8945 FC mov [ebp-4], eax
00418FD0|.8B45 F8 mov eax, [ebp-8]
00418FD3|.E8 3081FEFF call <jmp.&rtl70.System::LStrAddRef>
00418FD8|.33C0 xor eax, eax
00418FDA|.55 push ebp
00418FDB|.68 34904100 push 00419034
00418FE0|.64:FF30 push dword ptr fs:[eax]
00418FE3|.64:8920 mov fs:[eax], esp
00418FE6|.C745 F4 22017>mov dword ptr [ebp-C], 710122 ; [ebp-C] = 710122 (seed)
00418FED|.8B45 F8 mov eax, [ebp-8] ;(ASCII "PF2B27K2119S5A")
00418FF0|.E8 F380FEFF call <jmp.&rtl70.System::LStrLen>
00418FF5|.85C0 test eax, eax
00418FF7|.7E 25 jle short 0041901E
00418FF9|.8945 EC mov [ebp-14], eax ;eax=0000000E
00418FFC|.C745 F0 01000>mov dword ptr [ebp-10], 1
00419003|>8B4D F0 /mov ecx, [ebp-10]
00419006|.8B45 F8 |mov eax, [ebp-8] ;(ASCII "PF2B27K2119S5A")
00419009|.8B55 F0 |mov edx, [ebp-10]
0041900C|.0FB64410 FF |movzx eax, byte ptr [eax+edx-1]
00419011|.D3E0 |shl eax, cl ; shift left (current character by current 1-based position)
00419013|.0145 F4 |add [ebp-C], eax ; [ebp-C] = [ebp-C] + eax
00419016|.FF45 F0 |inc dword ptr [ebp-10]
00419019|.FF4D EC |dec dword ptr [ebp-14]
0041901C|.^ 75 E5 \jnz short 00419003
0041901E|>33C0 xor eax, eax
00419020|.5A pop edx
00419021|.59 pop ecx
00419022|.59 pop ecx
00419023|.64:8910 mov fs:[eax], edx
00419026|.68 3B904100 push 0041903B
0041902B|>8D45 F8 lea eax, [ebp-8]
0041902E|.E8 9580FEFF call <jmp.&rtl70.System::LStrClr>
00419033\.C3 retn
00419034 .^ E9 5F80FEFF jmp <jmp.&rtl70.System::HandleFinall>
00419039 .^ EB F0 jmp short 0041902B
0041903B .8B45 F4 mov eax, [ebp-C]
0041903E .8BE5 mov esp, ebp
00419040 .5D pop ebp
00419041 .C3 retn

Thanks to lzq1973 for the patient explanation. My thinking is a lot clearer now. Pity it is a demo version. Oh well..
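The routine at 00418FC4 and the LStrCmp at 0040C873 make the registration code a plain function of the machine ID, which is why the code sits "in plaintext" and why a change to one character can be offset by another. As an added example (not code from the thread or from the program), the checksum as read from the listing is reproduced in Go for analysis next to a signature-based alternative using the standard library's crypto/ed25519, where the client binary holds only the public key; Vendor, Issue, VerifyLicense, the "writer-license-v1:" prefix and the IDs "AB"/"CA" are assumed or constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ListingChecksum reproduces the routine at 00418FC4 as read from the listing
// above: acc = 0x710122 + sum over the 1-based position i of (byte[i] << i).
// x86 SHL uses only the low 5 bits of CL, so position 32 would shift by 0.
func ListingChecksum(machineID string) uint32 {
	acc := uint32(0x710122)
	for i := 1; i <= len(machineID); i++ {
		acc += uint32(machineID[i-1]) << (uint(i) & 31)
	}
	return acc
}

// Vendor holds the signing key, which never ships inside the client binary.
type Vendor struct{ priv ed25519.PrivateKey }

// NewVendor generates the key pair; only pub is embedded in the program.
func NewVendor() (Vendor, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Vendor{priv}, pub, err
}

// Issue binds a license to one machine ID: the registration code is a
// signature over the ID, so it cannot be recomputed by reading the client.
func (v Vendor) Issue(machineID string) []byte {
	return ed25519.Sign(v.priv, []byte("writer-license-v1:"+machineID))
}

// VerifyLicense is what the client runs instead of LStrCmp on a checksum.
func VerifyLicense(pub ed25519.PublicKey, machineID string, code []byte) bool {
	return ed25519.Verify(pub, []byte("writer-license-v1:"+machineID), code)
}

func main() {
	// The thread's own input reproduces the 9466378 shown at 0040C858; the
	// constructed IDs "AB" and "CA" collide (2*65+4*66 == 2*67+4*65).
	fmt.Println(ListingChecksum("PF2B27K2119S5A"), ListingChecksum("AB"), ListingChecksum("CA"))
	vendor, pub, err := NewVendor()
	if err != nil {
		panic(err)
	}
	code := vendor.Issue("PF2B27K2119S5A")
	fmt.Println(VerifyLicense(pub, "PF2B27K2119S5A", code), VerifyLicense(pub, "PF2B27K2119S5B", code))
}
```

Signing stops a code from being recomputed on the client, but not a patched jnz; what actually held in this thread is that the demo build does not contain the save feature at all.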