An Example of Unpacking and Cracking ASProtect
【Title】An Example of Unpacking and Cracking ASProtect
【Author】BREAK_FM
【Author's e-mail】[email protected]
【Author's homepage】http://807986389.qzone.qq.com
【Tools】PEiD / OllyDbg / W32Dasm
【Platform】Win9x/Me/NT/2000/XP/2003
【Software】Liatro Button Maker 2.2
【Size】2.33 MB
【Original download】http://www.onlinedown.net/soft/15008.htm
【Protection】ASProtect 1.2 / 1.2c -> Alexey Solodovnikov
【Software description】Liatro Button Maker is a drawing program built specifically for making web-page buttons. Using its vector-drawing features and built-in templates, users can quickly produce high-quality web button graphics without advanced artistic drawing skills.
【Statement】For the exchange of cracking techniques only; do not use for commercial purposes! [The unpacking method follows the video tutorial "Manually unpacking ASProtect 1.2 (introduction to the script unpacking method)",
download: http://www.520hack.com/donghua/donghua7/200709/7108.html]
【Process】
1. Check the packer with PEiD: ASProtect 1.2 / 1.2c -> Alexey Solodovnikov;
2. Load it in OllyDbg and configure the OllyDbg options as in the screenshot (the figure is not reproduced here):
Press Shift+F9 20 times; it stops at:
00A886A1 FE02 inc byte ptr [edx]
00A886A3^ EB E8 jmp short 00A8868D
00A886A5 48 dec eax
00A886A6 2BDB sub ebx, ebx
00A886A8 64:8F03 pop dword ptr fs:[ebx]
00A886AB 5B pop ebx
00A886AC E8 00000000 call 00A886B1
00A886B1 40 inc eax
00A886B2 8B0C24 mov ecx, dword ptr [esp]
00A886B5 58 pop eax
00A886B6 81E9 DD5DE600 sub ecx, 0E65DDD
00A886BC 05 C1DB7E6E add eax, 6E7EDBC1
00A886C1 E8 09000000 call 00A886CF
00A886C6 98 cwde
00A886C7 E9 07000000 jmp 00A886D3
00A886CC 83F0 9E xor eax, FFFFFF9E
00A886CF C1D0 A5 rcl eax, 0A5
00A886D2 C3 retn // set a breakpoint here with F2, run with Shift+F9; it stops here, then remove the breakpoint
Open the memory map and find:
Memory map, entry 22
Address=00401000
Size=000AA000 (696320.)
Owner=LBMaker 00400000
Section=
Contains=code
Type=Imag 01001002
Access=R
Initial access=RWE
Set a breakpoint on that section, press Shift+F9, and you land on the OEP:
0042F21A 55 push ebp ; // this is the OEP!
Dump the process and save it; the dump runs normally without any import fixing. Checking it with PEiD gives: Microsoft Visual C++ 6.0;
Run the dump and enter a fake code:
Name: BREAK_FM-免费共享空间
Key: 123456789
Click Unlock, and an error dialog pops up: "Infomation invalid,Can not register,Pleasebe sure you type it as It was given to you. "
Open W32Dasm and load the dump:
Search the string references for the error message:
String Resource ID=00204: "Infomation invalid,Can not register,Pleasebe sure you type"
Double-click it to reach this code:
:00411F1E 50 push eax
:00411F1F 51 push ecx
:00411F20 B9A8ED4C00 mov ecx, 004CEDA8
:00411F25 E846040000 call 00412370
:00411F2A 8D54240C lea edx, dword ptr [esp+0C]
:00411F2E 8D84240C010000 lea eax, dword ptr [esp+10C]
:00411F35 52 push edx
:00411F36 50 push eax // open OllyDbg, load the dump, go to 00411F36, set a breakpoint here with F2, run with F9
:00411F37 B9A8ED4C00 mov ecx, 004CEDA8
:00411F3C E85F050000 call 004124A0
:00411F41 85C0 test eax, eax
:00411F43 743D je 00411F82
:00411F45 8D4C240C lea ecx, dword ptr [esp+0C]
:00411F49 8D94240C010000 lea edx, dword ptr [esp+10C]
:00411F50 51 push ecx
:00411F51 52 push edx
:00411F52 B9A8ED4C00 mov ecx, 004CEDA8
:00411F57 E824030000 call 00412280
:00411F5C 85C0 test eax, eax
:00411F5E 7422 je 00411F82
:00411F60 6AFF push FFFFFFFF
:00411F62 6A00 push 00000000
* Possible Reference to String Resource ID=00205: "Registration OK,Thanks for your support."
|
:00411F64 68CD000000 push 000000CD
:00411F69 E857410700 call 004860C5
:00411F6E 8B06 mov eax, dword ptr [esi]
:00411F70 8BCE mov ecx, esi
:00411F72 FF90C8000000 call dword ptr [eax+C8]
:00411F78 5F pop edi
:00411F79 5E pop esi
:00411F7A 5B pop ebx
:00411F7B 81C400020000 add esp, 00000200
:00411F81 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00411F43(C), :00411F5E(C)
|
:00411F82 6AFF push FFFFFFFF
:00411F84 6A00 push 00000000
* Possible Reference to Dialog: DialogID_7802, CONTROL_ID:00CC, ""
|
* Possible Reference to String Resource ID=00204: "Infomation invalid,Can not register,Pleasebe sure you type"
|
:00411F86 68CC000000 push 000000CC
Open OllyDbg, load the dump, go to 00411F36, set a breakpoint there with F2, run with F9, and enter the fake code:
Name: BREAK_FM-免费共享空间
Key: 123456789
After clicking Unlock it breaks. Single-step down with F8 until 00411F57 .E8 24030000 call 00412280 ; and step into it with F7,
then keep single-stepping with F8 until 00412351 33FF xor edi, edi ; right-click on that line, choose Assemble, change xor to or, and save. Run the saved program: no registration box pops up, it goes straight in, and in the registration menu the Register item is now grayed out:
The patch worked. That's the end of the tutorial!
※ While cracking, many strings that looked like registration codes appeared on the stack, but entering them failed verification. I don't know what to do next; I hope an expert can advise on how to trace the real code.
BY: BREAK_FM
QQ: 78241768 807986389
Anyone interested in discussing cracking together, add me as a friend so we can improve together!
[Last edited by 樊盟 on 2009-2-11 16:00]
W32Dasm isn't used much anymore; I suggest OD or IDA.
Wow, now I can unpack too...
The strings can't be found in OD.
Below is the time-limit check:
00412029 .8B15 50A54C00 mov edx, dword ptr [004CA550] ; 一.004CA564
0041202F .895424 0C mov dword ptr [esp+0C], edx
00412033 .85FF test edi, edi ; EDI = F is the 15-day limit
00412035 .C74424 1C 000>mov dword ptr [esp+1C], 0
0041203D .75 10 jnz short 0041204F
0041203F .68 689E4C00 push 004C9E68 ;ASCII "Expired!"
00412044 .8D4C24 10 lea ecx, dword ptr [esp+10]
00412048 .E8 82B20600 call 0047D2CF
0041204D .EB 13 jmp short 00412062
0041204F >57 push edi
00412050 .8D4424 10 lea eax, dword ptr [esp+10]
00412054 .68 589E4C00 push 004C9E58 ;ASCII "%d Days left"
00412059 .50 push eax
0041205A .E8 10450600 call 0047656F
0041205F .83C4 0C add esp, 0C
00412062 >8B4C24 0C mov ecx, dword ptr [esp+0C]
00412066 .51 push ecx
00412067 .8D4E 60 lea ecx, dword ptr [esi+60]
0041206A .E8 79A70600 call 0047C7E8
0041206F .8B46 5C mov eax, dword ptr [esi+5C]
00412072 .85C0 test eax, eax
00412074 .7F 1C jg short 00412092
00412076 .68 18040000 push 418
0041207B .8BCE mov ecx, esi
[Last edited by JOHN on 2009-2-13 16:11]
Reply to post #2 by 千里之外
Hmm, I'll learn it slowly.
Good post, bump.
Thanks to the OP for the tutorial, learned something.
Learning to unpack.
Thanks for the tutorial. I'll learn it slowly!!!
Did the OP use the last-exception method?~~ Why must memory access exceptions be ignored?~
Good stuff``must study it carefully````