某诗词诗词软件 V1.2版分析破解
清理电脑的时候发现一个很早的古董,点开看了一下,原来还有很多诗词,于是觉得有点意思,看了一下还没有注册,想以前的老软件现在破解应该比较容易了,于是搬出来折腾一下,记录如下,请很菜的菜鸟来给点批评,稍强一点的请绕道。软件名称:中外诗词荟萃 V1.2版
软件大小:6.59M
破解平台:winXP
破解工具:PEID,OD
编写语言:Borland Delphi 6.0 - 7.0
peid查壳,aspack壳,脱壳机脱之。
OD载入,查找字符串,找到“注册成功”,往上回溯,在005A2DED下断点,运行,点注册按钮,随便输入用户名和密码,点注册,断下在005A2DED处。
005A2DED 53 push ebx ; 注册按钮被按下
005A2DEE 8BD8 mov ebx,eax
005A2DF0 33C0 xor eax,eax
005A2DF2 55 push ebp
005A2DF3 68 EE2E5A00 push Unpacked.005A2EEE
005A2DF8 64:FF30 push dword ptr fs:
005A2DFB 64:8920 mov dword ptr fs:,esp
005A2DFE 8D55 F8 lea edx,dword ptr ss:
005A2E01 8B83 14030000mov eax,dword ptr ds:
005A2E07 E8 24B8EBFF call Unpacked.0045E630 ; 取假码
005A2E0C 8B45 F8 mov eax,dword ptr ss:
005A2E0F 50 push eax ; 假码入栈
005A2E10 8D55 F4 lea edx,dword ptr ss:
005A2E13 8B83 10030000mov eax,dword ptr ds:
005A2E19 E8 12B8EBFF call Unpacked.0045E630 ; 取用户名
005A2E1E 8B55 F4 mov edx,dword ptr ss:
005A2E21 A1 7C8D5A00 mov eax,dword ptr ds: ; 用户名入栈
005A2E26 8B00 mov eax,dword ptr ds:
005A2E28 8B40 64 mov eax,dword ptr ds:
005A2E2B 33C9 xor ecx,ecx
005A2E2D E8 C620F1FF call Unpacked.004B4EF8 ; 关键call
005A2E32 84C0 test al,al ; eax低位必须不为0
005A2E34 75 2C jnz short Unpacked.005A2E62 ; 这里一定要跳
005A2E36 8D45 FC lea eax,dword ptr ss:
005A2E39 BA 042F5A00 mov edx,Unpacked.005A2F04 ; 输入注册码不正确,请检查!
005A2E3E E8 2118E6FF call Unpacked.00404664
005A2E43 6A 40 push 40
005A2E45 8B45 FC mov eax,dword ptr ss:
005A2E48 E8 4F1CE6FF call Unpacked.00404A9C
005A2E4D 8BD0 mov edx,eax
005A2E4F B9 202F5A00 mov ecx,Unpacked.005A2F20 ; 输入错误
005A2E54 A1 608B5A00 mov eax,dword ptr ds:
005A2E59 8B00 mov eax,dword ptr ds:
005A2E5B E8 D8BCEDFF call Unpacked.0047EB38
005A2E60 EB 69 jmp short Unpacked.005A2ECB
005A2E62 68 342F5A00 push Unpacked.005A2F34 ; 注册成功!\n注册信息为:\n用户名:
005A2E67 A1 7C8D5A00 mov eax,dword ptr ds:
005A2E6C 8B00 mov eax,dword ptr ds:
005A2E6E 8B58 64 mov ebx,dword ptr ds:
005A2E71 FF73 48 push dword ptr ds:
005A2E74 68 602F5A00 push Unpacked.005A2F60 ; \n
005A2E79 68 602F5A00 push Unpacked.005A2F60 ; \n
005A2E7E 68 6C2F5A00 push Unpacked.005A2F6C ; 注册码:
005A2E83 A1 7C8D5A00 mov eax,dword ptr ds:
005A2E88 FF73 5C push dword ptr ds:
005A2E8B 68 602F5A00 push Unpacked.005A2F60 ; \n
005A2E90 68 802F5A00 push Unpacked.005A2F80 ; 感谢您对我们的支持!请重新启动。
005A2E95 8D45 FC lea eax,dword ptr ss:
005A2E98 BA 08000000 mov edx,8
005A2E9D E8 BA1AE6FF call Unpacked.0040495C
005A2EA2 6A 40 push 40
005A2EA4 8B45 FC mov eax,dword ptr ss:
005A2EA7 E8 F01BE6FF call Unpacked.00404A9C
005A2EAC 8BD0 mov edx,eax
005A2EAE B9 A42F5A00 mov ecx,Unpacked.005A2FA4 ; 注册成功
**********************************************************************
在关键call处F7跟进
004B4EF8 55 push ebp
004B4EF9 8BEC mov ebp,esp
004B4EFB 83C4 F0 add esp,-10
004B4EFE 53 push ebx
004B4EFF 33DB xor ebx,ebx
004B4F01 895D F0 mov dword ptr ss:,ebx
004B4F04 895D F4 mov dword ptr ss:,ebx
004B4F07 894D F8 mov dword ptr ss:,ecx
004B4F0A 8955 FC mov dword ptr ss:,edx
004B4F0D 8BD8 mov ebx,eax
004B4F0F 8B45 FC mov eax,dword ptr ss:
004B4F12 E8 75FBF4FF call Unpacked.00404A8C ; 用户名计算
004B4F17 8B45 F8 mov eax,dword ptr ss:
004B4F1A E8 6DFBF4FF call Unpacked.00404A8C
004B4F1F 8B45 08 mov eax,dword ptr ss:
004B4F22 E8 65FBF4FF call Unpacked.00404A8C ; 假码计算
004B4F27 33C0 xor eax,eax
004B4F29 55 push ebp
004B4F2A 68 E24F4B00 push Unpacked.004B4FE2
004B4F2F 64:FF30 push dword ptr fs:
004B4F32 64:8920 mov dword ptr fs:,esp
004B4F35 8B45 FC mov eax,dword ptr ss:
004B4F38 E8 5FF9F4FF call Unpacked.0040489C ; 关键call
004B4F3D 3B43 4C cmp eax,dword ptr ds:
004B4F40 7F 19 jg short Unpacked.004B4F5B
004B4F42 8B45 FC mov eax,dword ptr ss:
004B4F45 E8 52F9F4FF call Unpacked.0040489C
004B4F4A 3B43 50 cmp eax,dword ptr ds: ; 比较注册码长度是否小于11位
004B4F4D 7C 0C jl short Unpacked.004B4F5B ; 小于则跳走
004B4F4F 8B45 08 mov eax,dword ptr ss:
004B4F52 E8 45F9F4FF call Unpacked.0040489C ; 假码入栈
004B4F57 85C0 test eax,eax ; 用户名位数是否为0,即是否为空
004B4F59 75 04 jnz short Unpacked.004B4F5F ; 非空则跳走
004B4F5B 33DB xor ebx,ebx
004B4F5D EB 60 jmp short Unpacked.004B4FBF
004B4F5F 8D55 F4 lea edx,dword ptr ss:
004B4F62 8B45 08 mov eax,dword ptr ss: ; 假码入栈
004B4F65 E8 DE3FF5FF call Unpacked.00408F48
004B4F6A 8B55 F4 mov edx,dword ptr ss:
004B4F6D 8D45 08 lea eax,dword ptr ss: ; 假码入栈
004B4F70 E8 EFF6F4FF call Unpacked.00404664
004B4F75 8D4D F0 lea ecx,dword ptr ss:
004B4F78 8B55 FC mov edx,dword ptr ss:
004B4F7B 8BC3 mov eax,ebx ; 用户名入栈
004B4F7D E8 46FBFFFF call Unpacked.004B4AC8
004B4F82 8B45 F0 mov eax,dword ptr ss:
004B4F85 8B55 08 mov edx,dword ptr ss: ; eax出现一行字:0000A93F6A9D
004B4F88 E8 5B40F5FF call Unpacked.00408FE8 ; 这里又有一行
004B4F8D 85C0 test eax,eax ; 是否相同
004B4F8F 74 04 je short Unpacked.004B4F95 ; 跳走就成功了
004B4F91 33DB xor ebx,ebx
004B4F93 EB 2A jmp short Unpacked.004B4FBF
004B4F95 8D43 48 lea eax,dword ptr ds:
004B4F98 8B55 FC mov edx,dword ptr ss:
004B4F9B E8 80F6F4FF call Unpacked.00404620
004B4FA0 8D43 54 lea eax,dword ptr ds:
004B4FA3 8B55 F8 mov edx,dword ptr ss:
004B4FA6 E8 75F6F4FF call Unpacked.00404620
004B4FAB 8D43 5C lea eax,dword ptr ds:
004B4FAE 8B55 08 mov edx,dword ptr ss:
004B4FB1 E8 6AF6F4FF call Unpacked.00404620
004B4FB6 8BC3 mov eax,ebx
004B4FB8 E8 5B020000 call Unpacked.004B5218
004B4FBD B3 01 mov bl,1
004B4FBF 33C0 xor eax,eax
004B4FC1 5A pop edx
004B4FC2 59 pop ecx
004B4FC3 59 pop ecx
004B4FC4 64:8910 mov dword ptr fs:,edx
004B4FC7 68 E94F4B00 push Unpacked.004B4FE9
004B4FCC 8D45 F0 lea eax,dword ptr ss:
004B4FCF BA 04000000 mov edx,4
004B4FD4 E8 17F6F4FF call Unpacked.004045F0
004B4FD9 8D45 08 lea eax,dword ptr ss:
004B4FDC E8 EBF5F4FF call Unpacked.004045CC
004B4FE1 C3 retn
**********************************************************************
明码的东西,写个内存注册机马虎搞掉算了。
没有深入的算法分析,就此结束吧。
名字就不写了,太菜,不敢写。
08-5-1
[ 本帖最后由 yangcongwen 于 2008-5-1 20:20 编辑 ] 呃,重启验证的, 刚刚搞不定,在找些相关资料。。。。
页:
[1]