《俪影2046》 fully cracked, a beginner's write-up
[Title]: 《俪影2046》 fully cracked, a beginner's write-up. [Author]: JackyChou
[Author's email]: [email protected]
[Software]: 《俪影2046》
[Download]: search for it yourself
[Packer]: none
[Protection]: none
[Language]: VC
[Tools]: OD, IDA, PEiD
[Platform]: XP
[Software description]: image creation software
[Author's note]: done purely out of interest, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed process]
For anyone without image-editing experience this software is a great help: many beautiful templates can be applied simply by dragging them onto the picture.
The unregistered version restricts the save-image and print-image functions; everything else is unrestricted.
Getting to the point:
PEiD finds no packer. Load the program in OD and scroll down a little; the MFC 8.0 class library is visible.
Partial code excerpt:
0046C611 > $E8 B0060000 call 0046CCC6
0046C616 .^ E9 36FDFFFF jmp 0046C351
0046C61B .53 push ebx
0046C61C .8A5C24 08 mov bl, byte ptr [esp+8]
0046C620 .F6C3 02 test bl, 2
0046C623 .56 push esi
0046C624 .8BF1 mov esi, ecx
0046C626 .74 24 je short 0046C64C
0046C628 .57 push edi
0046C629 .68 78CF4600 push <jmp.&MSVCR80.type_info::_type_info_d> ;entry address
0046C62E .8D7E FC lea edi, dword ptr [esi-4]
0046C631 .FF37 push dword ptr [edi]
0046C633 .6A 0C push 0C
0046C635 .56 push esi
0046C636 .E8 8D000000 call 0046C6C8
0046C63B .F6C3 01 test bl, 1
0046C63E .74 07 je short 0046C647
0046C640 .57 push edi ; /block
0046C641 .E8 A2EAFFFF call <jmp.&MFC80U.#764> ; \free
0046C646 .59 pop ecx
0046C647 >8BC7 mov eax, edi
0046C649 .5F pop edi
0046C64A .EB 13 jmp short 0046C65F
0046C64C >E8 27090000 call <jmp.&MSVCR80.type_info::_type_info_d>
0046C651 .F6C3 01 test bl, 1
0046C654 .74 07 je short 0046C65D
0046C656 .56 push esi ; /block
0046C657 .E8 8CEAFFFF call <jmp.&MFC80U.#764> ; \free
0046C65C .59 pop ecx
0046C65D >8BC6 mov eax, esi
0046C65F >5E pop esi
0046C660 .5B pop ebx
0046C661 .C2 0400 retn 4
0046C664 .- FF25 F4904700 jmp dword ptr [<&MSVCR80._purecall>] ;MSVCR80._purecall
0046C66A $6A 14 push 14
0046C66C .68 508C4900 push 00498C50
0046C671 .E8 AE020000 call 0046C924
So the software is written with MFC in the VS2005 development environment.
Now to find and remove the registration restriction.
When started unregistered, the software shows a welcome window with a register button; you have to click OK before you can do anything else.
That tells us the dialog is modal, which gives us a tracing entry point: set a breakpoint on the API DestroyWindow.
After clicking OK, OD breaks; Alt+F9 returns to the program's own code.
00410D44 > \6A 03 push 3
00410D46 .E8 31A90500 call <jmp.&MFC80U.#6086>
00410D4B >57 push edi
00410D4C .8BCE mov ecx, esi
00410D4E .E8 93F9FFFF call 004106E6 ;key CALL, press F7 to step into it
00410D53 .85C0 test eax, eax
00410D55 .75 2A jnz short 00410D81 ;key jump
00410D57 .57 push edi
00410D58 .8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
00410D5E .E8 32990500 call 0046A695
00410D63 .8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8]
00410D69 .C645 FC 07 mov byte ptr [ebp-4], 7
00410D6D .E8 44A50500 call <jmp.&MFC80U.#2011> ;shows the modal dialog (the welcome window)
00410D72 .8D8D 48FFFFFF lea ecx, dword ptr [ebp-B8] ;we return here, in the program's own code
00410D78 .C645 FC 06 mov byte ptr [ebp-4], 6
00410D7C .E8 35990500 call 0046A6B6
00410D81 >C745 E4 D8BE4>mov dword ptr [ebp-1C], 0047BED8
00410D88 .897D E8 mov dword ptr [ebp-18], edi
00410D8B .C645 FC 08 mov byte ptr [ebp-4], 8
00410D8F .E8 D212FFFF call 00402066
00410D94 .FF70 20 push dword ptr [eax+20] ; /hWnd
00410D97 .FF15 68924700 call dword ptr [<&USER32.GetMenu>] ; \GetMenu
00410D9D .50 push eax
00410D9E .E8 5BAB0500 call <jmp.&MFC80U.#2365>
00410DA3 .3BC7 cmp eax, edi
00410DA5 .75 04 jnz short 00410DAB
00410DA7 .33C0 xor eax, eax
00410DA9 .EB 03 jmp short 00410DAE
00410DAB >8B40 04 mov eax, dword ptr [eax+4]
00410DAE >50 push eax
00410DAF .8D4D E4 lea ecx, dword ptr [ebp-1C]
00410DB2 .E8 1FAC0500 call <jmp.&MFC80U.#1274>
00410DB7 .6A 04 push 4 ; /Pos = 4
00410DB9 .FF75 E8 push dword ptr [ebp-18] ; |hMenu
00410DBC .FF15 6C924700 call dword ptr [<&USER32.GetSubMenu>] ; \GetSubMenu
00410DC2 .50 push eax
00410DC3 .E8 36AB0500 call <jmp.&MFC80U.#2365>
00410DC8 .8BD8 mov ebx, eax
00410DCA .3BDF cmp ebx, edi
00410DCC .74 1B je short 00410DE9
00410DCE .8B35 70924700 mov esi, dword ptr [<&USER32.DeleteMenu>] ;USER32.DeleteMenu
00410DD4 .BF 00040000 mov edi, 400
00410DD9 .57 push edi ; /Flags => MF_BYPOSITION|MF_ENABLED|MF_STRING
00410DDA .6A 05 push 5 ; |ItemId = 5
00410DDC .FF73 04 push dword ptr [ebx+4] ; |hMenu
00410DDF .FFD6 call esi ; \DeleteMenu
00410DE1 .57 push edi ; /Flags => MF_BYPOSITION|MF_ENABLED|MF_STRING
00410DE2 .6A 04 push 4 ; |ItemId = 4
00410DE4 .FF73 04 push dword ptr [ebx+4] ; |hMenu
00410DE7 .FFD6 call esi ; \DeleteMenu
00410DE9 >8D4D E4 lea ecx, dword ptr [ebp-1C]
00410DEC .E8 DFAB0500 call <jmp.&MFC80U.#1962>
00410DF1 .8D4D E4 lea ecx, dword ptr [ebp-1C]
00410DF4 .C645 FC 06 mov byte ptr [ebp-4], 6
00410DF8 .C745 E4 D8BE4>mov dword ptr [ebp-1C], 0047BED8
00410DFF .E8 F4AA0500 call <jmp.&MFC80U.#1946>
00410E04 .33FF xor edi, edi
00410E06 .47 inc edi
00410E07 .^ E9 07FFFFFF jmp 00410D13
The key CALL above, 00410D4E .E8 93F9FFFF call 004106E6, is called from many places in the program, so presumably this function is the registration check, and the whole crack can be done inside it.
Step into it with F7.
004106E6/$68 1C020000 push 21C
004106EB|.B8 55EB4600 mov eax, 0046EB55
004106F0|.E8 B5C00500 call 0046C7AA
004106F5|.BE AC944700 mov esi, 004794AC
004106FA|.56 push esi
004106FB|.68 18964700 push 00479618 ;UNICODE "PassWord"
00410700|.BF 2C964700 mov edi, 0047962C ;UNICODE "Register"
00410705|.57 push edi
00410706|.8D45 C4 lea eax, dword ptr [ebp-3C]
00410709|.50 push eax
0041070A|.8BD9 mov ebx, ecx
0041070C|.E8 E7AB0500 call <jmp.&MFC80U.#3104>
00410711|.8365 FC 00 and dword ptr [ebp-4], 0
00410715|.8D45 B4 lea eax, dword ptr [ebp-4C]
00410718|.50 push eax
00410719|.E8 CEFDFFFF call 004104EC
0041071E|.56 push esi
0041071F|.68 40964700 push 00479640 ;UNICODE "Email"
00410724|.57 push edi
00410725|.8D45 C0 lea eax, dword ptr [ebp-40]
00410728|.50 push eax
00410729|.8BCB mov ecx, ebx
0041072B|.E8 C8AB0500 call <jmp.&MFC80U.#3104>
00410730|.8D4D C0 lea ecx, dword ptr [ebp-40]
00410733|.C645 FC 01 mov byte ptr [ebp-4], 1
00410737|.FF15 3C834700 call dword ptr [<&MFC80U.#3927>] ;MFC80U.78303B70
0041073D|.84C0 test al, al
0041073F|.74 26 je short 00410767
00410741|.8D45 B8 lea eax, dword ptr [ebp-48]
00410744|.50 push eax
00410745|.8BCB mov ecx, ebx
00410747|.E8 23F3FFFF call 0040FA6F
0041074C|.50 push eax
0041074D|.8D4D C0 lea ecx, dword ptr [ebp-40]
00410750|.C645 FC 02 mov byte ptr [ebp-4], 2
00410754|.FF15 848E4700 call dword ptr [<&MFC80U.#774>] ;MFC80U.78305C20
0041075A|.8D4D B8 lea ecx, dword ptr [ebp-48]
0041075D|.C645 FC 01 mov byte ptr [ebp-4], 1
00410761|.FF15 00904700 call dword ptr [<&MFC80U.#577>] ;MFC80U.7834DD87
00410767|>68 C8C04700 push 0047C0C8 ;UNICODE "45p734p434p545p3"
0041076C|.8D4D C4 lea ecx, dword ptr [ebp-3C]
0041076F|.FF15 60834700 call dword ptr [<&MFC80U.#1472>] ;MFC80U.78305D7F
00410775|.85C0 test eax, eax
00410777|.74 36 je short 004107AF
00410779|.68 A4C04700 push 0047C0A4 ;UNICODE "89d699f63d56012p"
0041077E|.8D4D C4 lea ecx, dword ptr [ebp-3C]
00410781|.FF15 60834700 call dword ptr [<&MFC80U.#1472>] ;MFC80U.78305D7F
00410787|.85C0 test eax, eax
00410789|.74 24 je short 004107AF
0041078B|.68 80C04700 push 0047C080 ;UNICODE "a47c018ed385757d"
00410790|.8D4D C4 lea ecx, dword ptr [ebp-3C]
00410793|.FF15 60834700 call dword ptr [<&MFC80U.#1472>] ;MFC80U.78305D7F
00410799|.85C0 test eax, eax
0041079B|.74 12 je short 004107AF
0041079D|.68 5CC04700 push 0047C05C ;UNICODE "8888888888888888"
004107A2|.8D4D C4 lea ecx, dword ptr [ebp-3C]
004107A5|.FF15 60834700 call dword ptr [<&MFC80U.#1472>] ;MFC80U.78305D7F
004107AB|.85C0 test eax, eax
004107AD|.75 0A jnz short 004107B9
004107AF|>56 push esi
004107B0|.8D4D C4 lea ecx, dword ptr [ebp-3C]
004107B3|.FF15 F88F4700 call dword ptr [<&MFC80U.#776>] ;MFC80U.78305C32
004107B9|>6A 14 push 14 ; /n = 14 (20.)
004107BB|.33F6 xor esi, esi ; |
004107BD|.8D45 DC lea eax, dword ptr [ebp-24] ; |
004107C0|.56 push esi ; |c => 00
004107C1|.50 push eax ; |s
004107C2|.E8 57C10500 call <jmp.&MSVCR80.memset> ; \memset
004107C7|.6A 14 push 14 ; /n = 14 (20.)
004107C9|.8D45 C8 lea eax, dword ptr [ebp-38] ; |
004107CC|.56 push esi ; |c
004107CD|.50 push eax ; |s
004107CE|.E8 4BC10500 call <jmp.&MSVCR80.memset> ; \memset
004107D3|.83C4 18 add esp, 18
004107D6|.6A 08 push 8
004107D8|.8D45 DC lea eax, dword ptr [ebp-24]
004107DB|.50 push eax
004107DC|.51 push ecx
004107DD|.8D45 C4 lea eax, dword ptr [ebp-3C]
004107E0|.8BCC mov ecx, esp
004107E2|.8965 B8 mov dword ptr [ebp-48], esp
004107E5|.50 push eax
004107E6|.FF15 748E4700 call dword ptr [<&MFC80U.#280>] ;MFC80U.7830581E
004107EC|.E8 E1750400 call 00457DD2
004107F1|.8D45 C8 lea eax, dword ptr [ebp-38]
004107F4|.50 push eax
004107F5|.8D45 DC lea eax, dword ptr [ebp-24]
004107F8|.50 push eax
004107F9|.33FF xor edi, edi
004107FB|.68 F8FD4900 push 0049FDF8 ;ASCII "238990123478987"
00410800|.47 inc edi
00410801|.57 push edi
00410802|.E8 4ACBFFFF call 0040D351
00410807|.83C4 1C add esp, 1C
0041080A|.8D45 C8 lea eax, dword ptr [ebp-38]
0041080D|.50 push eax
0041080E|.8D4D BC lea ecx, dword ptr [ebp-44]
00410811|.FF15 8C874700 call dword ptr [<&MFC80U.#291>] ;MFC80U.78305930
00410817|.8D4D C0 lea ecx, dword ptr [ebp-40]
0041081A|.C645 FC 03 mov byte ptr [ebp-4], 3
0041081E|.FF15 3C834700 call dword ptr [<&MFC80U.#3927>] ;MFC80U.78303B70
00410824|.84C0 test al, al
00410826|.75 3A jnz short 00410862
00410828|.8D45 BC lea eax, dword ptr [ebp-44]
0041082B|.50 push eax
0041082C|.8D45 C0 lea eax, dword ptr [ebp-40]
0041082F|.50 push eax
00410830|.E8 9C17FFFF call 00401FD1
00410835|.84C0 test al, al
00410837|.59 pop ecx
00410838|.59 pop ecx
00410839|.74 27 je short 00410862 ;key jump: NOP it and the check passes.
0041083B|>8BF7 mov esi, edi
0041083D|>8D4D BC lea ecx, dword ptr [ebp-44]
00410840|.FF15 00904700 call dword ptr [<&MFC80U.#577>] ;MFC80U.7834DD87
00410846|.8D4D C0 lea ecx, dword ptr [ebp-40]
00410849|.FF15 00904700 call dword ptr [<&MFC80U.#577>] ;MFC80U.7834DD87
0041084F|.8D4D C4 lea ecx, dword ptr [ebp-3C]
00410852|.FF15 00904700 call dword ptr [<&MFC80U.#577>] ;MFC80U.7834DD87
00410858|.8BC6 mov eax, esi
0041085A|.E8 CEBF0500 call 0046C82D
0041085F|.C2 0400 retn 4
00410862|>3975 08 cmp dword ptr [ebp+8], esi
00410865|.^ 74 D6 je short 0041083D
00410867|.56 push esi
00410868|.8D8D D8FDFFFF lea ecx, dword ptr [ebp-228]
0041086E|.E8 EF730400 call 00457C62
00410873|.8D8D D8FDFFFF lea ecx, dword ptr [ebp-228]
00410879|.C645 FC 04 mov byte ptr [ebp-4], 4
0041087D|.E8 34AA0500 call <jmp.&MFC80U.#2011>
00410882|.3BC7 cmp eax, edi
00410884|.C645 FC 03 mov byte ptr [ebp-4], 3
00410888|.8D8D D8FDFFFF lea ecx, dword ptr [ebp-228]
0041088E|.75 07 jnz short 00410897
00410890|.E8 CFEFFFFF call 0040F864
00410895|.^ EB A4 jmp short 0041083B
00410897|>E8 C8EFFFFF call 0040F864
0041089C\.^ EB 9F jmp short 0041083D
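The function above reduces to one flag: the entered string is compared against four fixed literals, the outcome lands in esi, and the caller tests it with a single conditional jump, which is why one patched byte at 00410839 is enough. As an added example (my own Python, not the program's or the author's code), the block below puts that pattern beside a design in which the licensed feature's data is only recoverable under a key derived from the email and license code, so a wrong code yields unusable data instead of a false branch; it assumes constructed sample values, reusing the page's "JackyChou" and "45p734p434p545p3".

```python
import hashlib
import hmac

# Constructed sample literals for this example, in the style of the
# strings at 00410767..0041079D; not the program's real key table.
ACCEPTED_PASSWORDS = ("45p734p434p545p3", "89d699f63d56012p")


def weak_is_registered(password: str) -> bool:
    """The pattern at 004106E6: compare against fixed literals and
    collapse the result into one boolean. The caller branches on it,
    so the whole protection hangs on a single conditional jump."""
    return any(password == p for p in ACCEPTED_PASSWORDS)


def derive_feature_key(email: str, license_code: str) -> bytes:
    """Hardened pattern: nothing to compare against. The license code and
    the user's email are folded into a key; a wrong code gives a wrong
    key rather than a false flag."""
    return hmac.new(license_code.encode(), email.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (illustrative, not a
    production cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal_feature(email: str, license_code: str, plaintext: bytes) -> bytes:
    """Vendor side (constructed): encrypt the feature's data under the
    derived key and prepend an HMAC tag over the ciphertext."""
    key = derive_feature_key(email, license_code)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def unseal_feature(email: str, license_code: str, blob: bytes):
    """Client side: return the data only if the tag verifies under the
    license-derived key, else None. compare_digest is constant-time, so
    the check leaks nothing through timing."""
    key = derive_feature_key(email, license_code)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
```

This does not make client-side licensing unbreakable; it removes the single jump whose inversion grants the feature and replaces the literal comparison with a constant-time tag check.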
Save the modified program and run it. OK, no welcome window; clicking Register in the menu reports that registration succeeded.
But it isn't over: a non-modal window with no title bar appears in the centre of the screen, stays on top of everything on the desktop, and reads "the software you are using is a cracked XXXXX". So the program performs a second check at startup. Load it into IDA and analyse; the second check turns up at the following location.
Partial code:
00410E99 .6A 01 push 1
00410E9B .FF75 E8 push dword ptr [ebp-18]
00410E9E .8BCB mov ecx, ebx
00410EA0 .FF75 E4 push dword ptr [ebp-1C]
00410EA3 .E8 908E0300 call 00449D38
00410EA8 >89BE A8000000 mov dword ptr [esi+A8], edi
00410EAE >8D86 DC000000 lea eax, dword ptr [esi+DC]
00410EB4 .3938 cmp dword ptr [eax], edi
00410EB6 .0F84 63010000 je 0041101F
00410EBC .57 push edi
00410EBD .8BCE mov ecx, esi
00410EBF .8938 mov dword ptr [eax], edi
00410EC1 .E8 20F8FFFF call 004106E6 ;the registration check function mentioned earlier.
00410EC6 .83F8 01 cmp eax, 1
00410EC9 .0F85 50010000 jnz 0041101F ;jumps if not registered
00410ECF .8BCE mov ecx, esi
00410ED1 .E8 0EF2FFFF call 004100E4 ;yet another check.
00410ED6 .85C0 test eax, eax
00410ED8 .0F85 41010000 jnz 0041101F ;this is the only call site of that function; ignore it and take this jump.
00410EDE .8D4D F0 lea ecx, dword ptr [ebp-10] ;if the jump is not taken, the annoying window described above is shown
00410EE1 .FF15 F48F4700 call dword ptr [<&MFC80U.#293>] ;MFC80U.783997F3
00410EE7 .897D FC mov dword ptr [ebp-4], edi
00410EEA .E8 F7A30500 call <jmp.&MFC80U.#1079>
00410EEF .8B58 08 mov ebx, dword ptr [eax+8]
00410EF2 .B8 00010000 mov eax, 100
00410EF7 .50 push eax
00410EF8 .50 push eax
00410EF9 .8D4D F0 lea ecx, dword ptr [ebp-10]
00410EFC .FF15 B4834700 call dword ptr [<&MFC80U.#2460>] ;MFC80U.78305431
00410F02 .50 push eax ; |PathBuffer
00410F03 .53 push ebx ; |hModule
00410F04 .FF15 C4824700 call dword ptr [<&KERNEL32.GetModuleFileNa>; \gets the EXE's own path, in order to load the picture stored there
00410F0A .6A FF push -1
00410F0C .8D4D F0 lea ecx, dword ptr [ebp-10]
00410F0F .FF15 B0834700 call dword ptr [<&MFC80U.#5398>] ;MFC80U.7830549F
00410F15 .8D45 00 lea eax, dword ptr [ebp]
00410F18 .50 push eax
00410F19 .8D4D F0 lea ecx, dword ptr [ebp-10]
00410F1C .897D 00 mov dword ptr [ebp], edi
00410F1F .897D 04 mov dword ptr [ebp+4], edi
00410F22 .897D 08 mov dword ptr [ebp+8], edi
00410F25 .897D 0C mov dword ptr [ebp+C], edi
00410F28 .897D 10 mov dword ptr [ebp+10], edi
00410F2B .897D 14 mov dword ptr [ebp+14], edi
00410F2E .FF15 A48E4700 call dword ptr [<&MFC80U.#870>] ;MFC80U.7839327F
00410F34 .50 push eax
00410F35 .E8 0CA40500 call <jmp.&MFC80U.#3383>
00410F3A .85C0 test eax, eax
00410F3C .0F84 D0000000 je 00411012
00410F42 .8D45 DC lea eax, dword ptr [ebp-24]
00410F45 .50 push eax
00410F46 .E8 A1F5FFFF call 004104EC
00410F4B .57 push edi
00410F4C .BF D4C14700 mov edi, 0047C1D4 ;UNICODE "Days"
00410F51 .57 push edi
00410F52 .BB 40C24700 mov ebx, 0047C240 ;UNICODE "Desktop"
00410F57 .53 push ebx
00410F58 .8BCE mov ecx, esi
00410F5A .E8 75A90500 call <jmp.&MFC80U.#3103>
00410F5F .8B55 DC mov edx, dword ptr [ebp-24]
00410F62 .2B55 08 sub edx, dword ptr [ebp+8]
00410F65 .8B4D E0 mov ecx, dword ptr [ebp-20]
00410F68 .1B4D 0C sbb ecx, dword ptr [ebp+C]
00410F6B .85C9 test ecx, ecx
00410F6D .7F 15 jg short 00410F84
00410F6F .7C 08 jl short 00410F79
00410F71 .81FA 80F40300 cmp edx, 3F480
00410F77 .77 0B ja short 00410F84
00410F79 >3D 5540EF01 cmp eax, 1EF4055
00410F7E .0F84 8C000000 je 00411010
OK, run the software and everything is normal: saving and printing images work, and clicking Register reports that it is already registered. Click About and, oops, no registration code or registration number is shown, heh, a side effect of the patch. No matter; just add the corresponding information to the registry.
Windows Registry Editor Version 5.00
"32days"="36305586f6ce7d95"
"Register Time"=dword:01ef4055
"CYLINDER"=dword:00001cd0
"CPU"=dword:0000063a
"PassWord"="45p734p434p545p3"
"Email"="JackyChou"
Import the registry file and click About: registration number JackyChou, registration code 45p7-34p4-34p5-45p3. Everything OK. Done!
--------------------------------------------------------------------------------
[Lessons learned]
This is my first crack write-up; it is badly written and very newbie, but I will keep working at it.
2008-04-05 11:59:45 Nice, learned something
Thanks! If you register first and then crack, you don't need to add the registry entries! Learned something, thanks OP!
Nice, learned something, thanks.
Haha, another technical talent shows up. Support.
Very detailed analysis, studying it!~
Nice, learned something, thanks for sharing!
Very good, learned something.
I suggest the experts try 彩影2008 and write up their experience after cracking it, so the rest of us can learn.
The OP writes really well; I hope to see more of your posts.
The flag:
004107E0 8BC6 MOV EAX,ESI
change to
004107E0 B0 01 MOV AL,1
That even skips the registration step, though there is no registration info either
[ This post was last edited by Feng on 2008-4-23 22:27 ]