天网防火墙个人版破解分析
【破解作者】 飘之叶【作者邮箱】 [email protected]
【作者主页】 http://hi.baidu.com/piaozhiye
【使用工具】 OD PIED
【破解平台】 Win9x/NT/2000/XP
【软件名称】 天网防火墙个人版
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
PEID查壳 Borland C++ 1999
。
运行程序,若果没有注册得话,会弹出"注册信息无法确认,请注册天网防火墙"得注册对话框。
方法: F12暂停。
OD载入.
F9运行,弹出对话框,此时F12再选K看到:
调用堆栈
地址 堆栈 程序过程 / 参数 调用来自
结构
0012FA80 77D50617 ? USER32.MessageBoxTimeoutA USER32.77D50612
0012FA7C
0012FAA0 77D505CF ? USER32.MessageBoxExA USER32.77D505CA
0012FA9C
0012FAA4 00000000 hOwner = NULL
0012FAA8 014C66A4 Text = "注册信息无法确认,请注册天
0012FAAC 00594145 Title = "天网防火墙个人版"
0012FAB0 00001024 Style = MB_YESNO|MB_ICONQUESTION|M
0012FAB4 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012FABC 00408440 ? <JMP.&USER32.MessageBoxA> PFW1.0040843B
0012FAB8
0012FAC0 00000000 hOwner = NULL
0012FAC4 014C66A4 Text = "注册信息无法确认,请注册天
0012FAC8 00594145 Title = "天网防火墙个人版"
0012FACC 00001024 Style = MB_YESNO|MB_ICONQUESTION|M
0012FC40 00403BEF PFW1.004082B4 PFW1.00403BEA
0012FC3C
0012FCAC 0040254F PFW1.00403814 PFW1.0040254A
0012FCA8
0012FE70 004E628F 包含 PFW1.0040254F PFW1.004E6289
0012FE6C
0012FE94 004E5F8B 包含 PFW1.004E628F PFW1.004E5F85
0012FE90
跟进:
<JMP.&USER32.MessageBoxA>
调用来自=PFW1.0040843B
结构=0012FAB8
--------------------------------
来到:
0040842B /74 05 JE SHORT PFW1.00408432
0040842D |8B4D EC MOV ECX,DWORD PTR SS:
00408430 |EB 06 JMP SHORT PFW1.00408438
00408432 \8D8F F2020000 LEA ECX,DWORD PTR DS:
00408438 51 PUSH ECX
00408439 6A 00 PUSH 0
0040843B E8 D8A71800 CALL <JMP.&USER32.MessageBoxA> ; 请注册
00408440 83F8 06 CMP EAX,6
00408443 BA 02000000 MOV EDX,2
00408448 0F94C0 SETE AL
0040844B 83E0 01 AND EAX,1
段首下断点:
004082B4 $55 PUSH EBP
004082B5 .8BEC MOV EBP,ESP
004082B7 .81C4 A0FEFFFF ADD ESP,-160
004082BD .53 PUSH EBX
004082BE .56 PUSH ESI
004082BF .57 PUSH EDI
004082C0 .8BF0 MOV ESI,EAX
004082C2 .BF 643E5900 MOV EDI,PFW1.00593E64
004082C7 .B8 EC615900 MOV EAX,PFW1.005961EC
004082CC .E8 C7201300 CALL PFW1.0053A398
004082D1 .66:C745 C8 14>MOV WORD PTR SS:,14
004082D7 .33D2 XOR EDX,EDX
004082D9 .A1 B0875B00 MOV EAX,DWORD PTR DS:
004082DE .8955 F8 MOV DWORD PTR SS:,EDX
004082E1 .8D55 F8 LEA EDX,DWORD PTR SS:
004082E4 .FF45 D4 INC DWORD PTR SS:
004082E7 .8B00 MOV EAX,DWORD PTR DS:
004082E9 .E8 EE550E00 CALL PFW1.004ED8DC
004082EE .8D45 F8 LEA EAX,DWORD PTR SS:
004082F1 .8B00 MOV EAX,DWORD PTR DS: ;读取程序
004082F3 .33D2 XOR EDX,EDX
004082F5 .8955 F4 MOV DWORD PTR SS:,EDX
004082F8 .8D55 F4 LEA EDX,DWORD PTR SS:
004082FB .FF45 D4 INC DWORD PTR SS:
004082FE .E8 315A1200 CALL PFW1.0052DD34
00408303 .8D45 F4 LEA EAX,DWORD PTR SS:
00408306 .50 PUSH EAX
00408307 .8D97 D5020000 LEA EDX,DWORD PTR DS: ;pfw.dat这里应该是注
册信息保存的地方
0040830D .8D45 F0 LEA EAX,DWORD PTR SS:
00408310 .E8 530C1500 CALL PFW1.00558F68
00408315 .FF45 D4 INC DWORD PTR SS:
00408318 .33C0 XOR EAX,EAX
0040831A .8945 FC MOV DWORD PTR SS:,EAX
0040831D .8D55 F0 LEA EDX,DWORD PTR SS:
00408320 .FF45 D4 INC DWORD PTR SS:
00408323 .8D4D FC LEA ECX,DWORD PTR SS:
00408326 .58 POP EAX
00408327 .E8 380E1500 CALL PFW1.00559164
0040832C .FF4D D4 DEC DWORD PTR SS:
0040832F .8D45 F0 LEA EAX,DWORD PTR SS:
00408332 .BA 02000000 MOV EDX,2
00408337 .E8 D00D1500 CALL PFW1.0055910C
0040833C .FF4D D4 DEC DWORD PTR SS:
0040833F .8D45 F4 LEA EAX,DWORD PTR SS:
00408342 .BA 02000000 MOV EDX,2
00408347 .E8 C00D1500 CALL PFW1.0055910C
0040834C .FF4D D4 DEC DWORD PTR SS:
0040834F .8D45 F8 LEA EAX,DWORD PTR SS:
00408352 .BA 02000000 MOV EDX,2
00408357 .E8 B00D1500 CALL PFW1.0055910C
0040835C .66:C745 C8 08>MOV WORD PTR SS:,8
00408362 .6A 14 PUSH 14 ; /Arg3 = 00000014
00408364 .6A 30 PUSH 30 ; |Arg2 = 00000030
00408366 .8D8D A0FEFFFF LEA ECX,DWORD PTR SS: ; |
0040836C .51 PUSH ECX ; |Arg1
0040836D .E8 721C1300 CALL PFW1.00539FE4 ; \PFW1.00539FE4
00408372 .83C4 0C ADD ESP,0C
00408375 .8D87 DD020000 LEA EAX,DWORD PTR DS: ;000000000000000000
,注册信息为空
0040837B .C645 B7 00 MOV BYTE PTR SS:,0
0040837F .50 PUSH EAX
00408380 .837D FC 00 CMP DWORD PTR SS:,0 ;pfw.dat
00408384 .74 05 JE SHORT PFW1.0040838B
00408386 .8B55 FC MOV EDX,DWORD PTR SS:
00408389 .EB 06 JMP SHORT PFW1.00408391
0040838B >8D97 E0020000 LEA EDX,DWORD PTR DS:
00408391 >52 PUSH EDX ; |Arg1
00408392 .E8 513D1300 CALL PFW1.0053C0E8 ; \PFW1.0053C0E8
00408397 .83C4 08 ADD ESP,8
0040839A .8BD8 MOV EBX,EAX
0040839C .85DB TEST EBX,EBX
0040839E .74 56 JE SHORT PFW1.004083F6
004083A0 .6A 00 PUSH 0 ; /Arg3 = 00000000
004083A2 .6A 00 PUSH 0 ; |Arg2 = 00000000
004083A4 .53 PUSH EBX ; |Arg1
004083A5 .E8 86401300 CALL PFW1.0053C430 ; \PFW1.0053C430
004083AA .83C4 0C ADD ESP,0C
004083AD .53 PUSH EBX ; /Arg4
004083AE .6A 01 PUSH 1 ; |Arg3 = 00000001
004083B0 .68 00010000 PUSH 100 ; |Arg2 = 00000100
004083B5 .8D85 B4FEFFFF LEA EAX,DWORD PTR SS: ; |
004083BB .50 PUSH EAX ; |Arg1
004083BC .E8 CF3F1300 CALL PFW1.0053C390 ; \PFW1.0053C390
004083C1 .83C4 10 ADD ESP,10
004083C4 .48 DEC EAX
004083C5 .75 28 JNZ SHORT PFW1.004083EF
004083C7 .81C6 FC030000 ADD ESI,3FC
004083CD .56 PUSH ESI ; /Arg3
004083CE .8D85 A0FEFFFF LEA EAX,DWORD PTR SS: ; |
004083D4 .50 PUSH EAX ; |Arg2
004083D5 .8D95 B4FEFFFF LEA EDX,DWORD PTR SS: ; |
004083DB .52 PUSH EDX ; |Arg1
004083DC .E8 4B3E0300 CALL PFW1.0043C22C ; \PFW1.0043C22C
004083E1 .83C4 0C ADD ESP,0C
004083E4 .85C0 TEST EAX,EAX
004083E6 .0F94C1 SETE CL
004083E9 .83E1 01 AND ECX,1
004083EC .884D B7 MOV BYTE PTR SS:,CL
004083EF >53 PUSH EBX
004083F0 .E8 4B381300 CALL PFW1.0053BC40
004083F5 .59 POP ECX
004083F6 >807D B7 00 CMP BYTE PTR SS:,0 ;注册信息是否为空
004083FA 0F85 5E010000 JNZ PFW1.0040855E ;强制跳走,就跳过了下
面的注册
00408400 .8D87 E1020000 LEA EAX,DWORD PTR DS:
00408406 .68 24100000 PUSH 1024
0040840B .50 PUSH EAX
0040840C .33D2 XOR EDX,EDX
0040840E .66:C745 C8 20>MOV WORD PTR SS:,20
00408414 .8955 EC MOV DWORD PTR SS:,EDX
00408417 .8D55 EC LEA EDX,DWORD PTR SS:
0040841A .FF45 D4 INC DWORD PTR SS:
0040841D .B8 5AC30000 MOV EAX,0C35A
00408422 .E8 850E1500 CALL PFW1.005592AC
00408427 .837D EC 00 CMP DWORD PTR SS:,0
0040842B .74 05 JE SHORT PFW1.00408432
0040842D .8B4D EC MOV ECX,DWORD PTR SS:
00408430 .EB 06 JMP SHORT PFW1.00408438
00408432 >8D8F F2020000 LEA ECX,DWORD PTR DS:
00408438 >51 PUSH ECX ; |Text
00408439 .6A 00 PUSH 0 ; |hOwner = NULL
0040843B .E8 D8A71800 CALL <JMP.&USER32.MessageBoxA> ; \请注册
00408440 .83F8 06 CMP EAX,6
00408443 .BA 02000000 MOV EDX,2
00408448 .0F94C0 SETE AL
0040844B .83E0 01 AND EAX,1
0040844E .50 PUSH EAX ; /Arg1
0040844F .8D45 EC LEA EAX,DWORD PTR SS: ; |
00408452 .FF4D D4 DEC DWORD PTR SS: ; |
00408455 .E8 B20C1500 CALL PFW1.0055910C ; \PFW1.0055910C
0040845A .59 POP ECX
0040845B .84C9 TEST CL,CL
0040845D .0F84 C9000000 JE PFW1.0040852C
00408463 .66:C745 C8 38>MOV WORD PTR SS:,38
00408469 .33C0 XOR EAX,EAX
0040846B .8B0D B0875B00 MOV ECX,DWORD PTR DS: ;PFW1.005B9348
00408471 .8945 E4 MOV DWORD PTR SS:,EAX
00408474 .8D55 E4 LEA EDX,DWORD PTR SS:
00408477 .FF45 D4 INC DWORD PTR SS:
0040847A .8B01 MOV EAX,DWORD PTR DS:
0040847C .E8 5B540E00 CALL PFW1.004ED8DC
00408481 .8D45 E4 LEA EAX,DWORD PTR SS:
00408484 .8B00 MOV EAX,DWORD PTR DS:
00408486 .33D2 XOR EDX,EDX
00408488 .8955 E0 MOV DWORD PTR SS:,EDX
0040848B .8D55 E0 LEA EDX,DWORD PTR SS:
0040848E .FF45 D4 INC DWORD PTR SS:
00408491 .E8 9E581200 CALL PFW1.0052DD34
00408496 .8D45 E0 LEA EAX,DWORD PTR SS:
00408499 .50 PUSH EAX
0040849A .8D97 F3020000 LEA EDX,DWORD PTR DS:
004084A0 .8D45 DC LEA EAX,DWORD PTR SS:
004084A3 .E8 C00A1500 CALL PFW1.00558F68
004084A8 .FF45 D4 INC DWORD PTR SS:
004084AB .33C0 XOR EAX,EAX
004084AD .8945 E8 MOV DWORD PTR SS:,EAX
004084B0 .8D55 DC LEA EDX,DWORD PTR SS:
004084B3 .FF45 D4 INC DWORD PTR SS:
004084B6 .8D4D E8 LEA ECX,DWORD PTR SS:
004084B9 .58 POP EAX
004084BA .E8 A50C1500 CALL PFW1.00559164
004084BF .FF4D D4 DEC DWORD PTR SS:
004084C2 .8D45 DC LEA EAX,DWORD PTR SS:
004084C5 .BA 02000000 MOV EDX,2
004084CA .E8 3D0C1500 CALL PFW1.0055910C
004084CF .FF4D D4 DEC DWORD PTR SS:
004084D2 .8D45 E0 LEA EAX,DWORD PTR SS:
004084D5 .BA 02000000 MOV EDX,2
004084DA .E8 2D0C1500 CALL PFW1.0055910C
004084DF .FF4D D4 DEC DWORD PTR SS:
004084E2 .8D45 E4 LEA EAX,DWORD PTR SS:
004084E5 .BA 02000000 MOV EDX,2
004084EA .E8 1D0C1500 CALL PFW1.0055910C
004084EF .66:C745 C8 2C>MOV WORD PTR SS:,2C
004084F5 .6A 01 PUSH 1
004084F7 .6A 00 PUSH 0
004084F9 .6A 00 PUSH 0
004084FB .837D E8 00 CMP DWORD PTR SS:,0
004084FF .74 05 JE SHORT PFW1.00408506
00408501 .8B4D E8 MOV ECX,DWORD PTR SS:
00408504 .EB 06 JMP SHORT PFW1.0040850C
00408506 >8D8F 01030000 LEA ECX,DWORD PTR DS:
0040850C >51 PUSH ECX ; |FileName
0040850D .6A 00 PUSH 0 ; |Operation = NULL
0040850F .6A 00 PUSH 0 ; |hWnd = NULL
00408511 .E8 02A41800 CALL <JMP.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00408516 .FF4D D4 DEC DWORD PTR SS:
00408519 .8D45 E8 LEA EAX,DWORD PTR SS:
0040851C .BA 02000000 MOV EDX,2
00408521 .E8 E60B1500 CALL PFW1.0055910C
00408526 .66:C745 C8 08>MOV WORD PTR SS:,8
0040852C >A1 B0875B00 MOV EAX,DWORD PTR DS:
00408531 .8B00 MOV EAX,DWORD PTR DS:
00408533 .E8 904F0E00 CALL PFW1.004ED4C8
00408538 .66:C745 C8 44>MOV WORD PTR SS:,44
0040853E .6A 00 PUSH 0 ; /Arg1 = 00000000
00408540 .E8 93851300 CALL PFW1.00540AD8 ; \PFW1.00540AD8
00408545 .59 POP ECX
00408546 .66:C745 C8 08>MOV WORD PTR SS:,8
0040854C .EB 10 JMP SHORT PFW1.0040855E
0040854E .E8 09291300 CALL PFW1.0053AE5C
00408553 .66:C745 C8 4C>MOV WORD PTR SS:,4C
00408559 .E8 E0A51300 CALL PFW1.00542B3E
0040855E >8A45 B7 MOV AL,BYTE PTR SS:
00408561 .BA 02000000 MOV EDX,2
00408566 .50 PUSH EAX
00408567 .8D45 FC LEA EAX,DWORD PTR SS:
0040856A .FF4D D4 DEC DWORD PTR SS:
0040856D .E8 9A0B1500 CALL PFW1.0055910C
00408572 .58 POP EAX
00408573 .8B55 B8 MOV EDX,DWORD PTR SS:
00408576 .64:8915 00000>MOV DWORD PTR FS:,EDX
0040857D .5F POP EDI
0040857E .5E POP ESI
0040857F .5B POP EBX
00408580 .8BE5 MOV ESP,EBP
00408582 .5D POP EBP
00408583 .C3 RETN
上面返回到这里:
000403BEF|.84C0 TEST AL,AL 返回到这里
00403BF1|.75 2F JNZ SHORT PFW1.00403C22 ;强制跳走,即可破解
,注意看下面的标志位,如果不跳就完蛋了
00403BF3|.33C0 XOR EAX,EAX
00403BF5|.BA 02000000 MOV EDX,2
00403BFA|.50 PUSH EAX
00403BFB|.8D45 F8 LEA EAX,DWORD PTR SS:
00403BFE|.FF4F 1C DEC DWORD PTR DS:
00403C01|.E8 06551500 CALL PFW1.0055910C
00403C06|.FF4F 1C DEC DWORD PTR DS:
00403C09|.8D45 FC LEA EAX,DWORD PTR SS:
00403C0C|.BA 02000000 MOV EDX,2
00403C11|.E8 F6541500 CALL PFW1.0055910C
00403C16|.58 POP EAX
00403C17|.8B17 MOV EDX,DWORD PTR DS:
00403C19|.64:8915 00000>MOV DWORD PTR FS:,EDX
00403C20|.EB 54 JMP SHORT PFW1.00403C76
00403C22|>B2 01 MOV DL,1
00403C24|.8B83 40030000 MOV EAX,DWORD PTR DS:
00403C2A|.E8 752C0100 CALL PFW1.004168A4
00403C2F|.B2 01 MOV DL,1
00403C31|.8B83 44030000 MOV EAX,DWORD PTR DS:
00403C37|.E8 5CEF0000 CALL PFW1.00412B98
00403C3C|.B2 01 MOV DL,1
00403C3E|.8B83 44030000 MOV EAX,DWORD PTR DS:
00403C44|.E8 F7EC0000 CALL PFW1.00412940
00403C49|.B0 01 MOV AL,1
00403C4B|.BA 02000000 MOV EDX,2
00403C50|.50 PUSH EAX
00403C51|.8D45 F8 LEA EAX,DWORD PTR SS:
00403C54|.FF4F 1C DEC DWORD PTR DS:
00403C57|.E8 B0541500 CALL PFW1.0055910C
00403C5C|.FF4F 1C DEC DWORD PTR DS:
00403C5F|.8D45 FC LEA EAX,DWORD PTR SS:
00403C62|.BA 02000000 MOV EDX,2
00403C67|.E8 A0541500 CALL PFW1.0055910C
00403C6C|.58 POP EAX
00403C6D|.8B17 MOV EDX,DWORD PTR DS:
00403C6F|.64:8915 00000>MOV DWORD PTR FS:,EDX
00403C76|>5F POP EDI
00403C77|.5E POP ESI
00403C78|.5B POP EBX
00403C79|.8BE5 MOV ESP,EBP
00403C7B|.5D POP EBP
00403C7C\.C3 RETN
--------------------------------------------------------------------------------
【破解总结】
程序虽然使用加密算法,但是验证方法过于简单。。。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 飘之叶 于 2008-7-6 22:16 编辑 ] 楼主高手啊,保存了/:017 分析这个真是太厉害了 佩服
收藏学习
/:good 这个我N久之前跟过MSLZ你少写了个升级文件的破解 既然没加壳/:L
导致了 破解相当容易 破的人多的,用的人才多嘛/:001 厉害,想你学习! 楼主厉害,收藏了!/:001 是哪个版本的呢? /:L
楼主厉害啊。 我记得天网还有个升级的验证吧,不知道这么做,升级的那个验证能否绕过
页:
[1]
2