Registry Help Pro 1.73 Quick Analysis
Size: 1132 KB    Popularity: 70
Language: English
License: Shareware
Platform: WinXP/Vista/Win7/2000/2003
Updated: 2010-4-12 16:44:14
HomePage: http://www.foryoursoft.com/
Download (newhua.com): http://nj.newhua.com/soft/45172.htm
The program is not packed. Registration is verified online, so we take a different approach: bypass the online verification and crack the function limits instead.
01. The registration part is an online check; we skip it and go straight for the function limits:
Click the program's About:
00404F00 .E8 7BC00200 CALL RegHelp.00430F80 // the call that checks whether the program is registered
00404F05 .83C4 08 ADD ESP,8
00404F08 .8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00404F0C .84C0 TEST AL,AL
00404F0E .0F85 9E000000 JNZ RegHelp.00404FB2
00404F14 .6A 44 PUSH 44
00404F16 .68 B05F4600 PUSH RegHelp.00465FB0 ;This is an free trial version with time and/or function limitations.
Here:
00430F80 6A FF PUSH -1
00430F82 68 60284600 PUSH RegHelp.00462860 ;咋
This call has three callers: Local calls from 00404F00, 0042EADC, 0042EB04
We deal with it directly:
mov eax,1
retn
/////////////
About these three call sites: you can set breakpoints and analyse them yourself.
First call, at startup:
0042EADC|.E8 9F240000 CALL RegHelp.00430F80
0042EAE1|.83C4 08 ADD ESP,8
0042EAE4|.84C0 TEST AL,AL // the function's return value is compared here
0042EAE6|.74 05 JE SHORT RegHelp.0042EAED
0042EAE8|.C606 01 MOV BYTE PTR DS:[ESI],1 // this store is important ~
0042EAEB|.EB 05 JMP SHORT RegHelp.0042EAF2
/////////////
02. The program has one more check; here we use the UNICODE strings to locate it quickly
0042EB60 $55 PUSH EBP
0042EB61 .8BEC MOV EBP,ESP
……
……
……
0042ECD9 .8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
0042ECDC .68 80FF4600 PUSH RegHelp1.0046FF80 ;this copy is unauthorized, and will be auto terminated within 10 seconds. please contact our technical support at http://www.for
0042ECE1 .E8 1A3BFDFF CALL RegHelp1.00402800
0042ECE6 .68 10270000 PUSH 2710
0042ECEB .E8 00F1FDFF CALL RegHelp1.0040DDF0
0042ECF0 .83C4 10 ADD ESP,10
0042ECF3 .90 NOP
0042ECF4 .51 PUSH ECX
0042ECF5 .8BCC MOV ECX,ESP
0042ECF7 .8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
0042ECFA .68 28FF4600 PUSH RegHelp1.0046FF28 ;http://www.foryoursoft.com/faq.htm?RHP#4
0042ECFF .E8 FC3AFDFF CALL RegHelp1.00402800
0042ED04 .E8 1738FEFF CALL RegHelp1.00412520
0042ED09 .83C4 04 ADD ESP,4
0042ED0C .90 NOP
0042ED0D .6A 00 PUSH 0 ; /ExitCode = 0
0042ED0F .FF15 90424600 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; \ExitProcess
This function has one caller: Local call from 0042F676
0042F630 55 PUSH EBP ;just retn this out directly
0042F631 .8BEC MOV EBP,ESP
0042F633 .6A FF PUSH -1
0042F635 .68 20254600 PUSH RegHelp1.00462520
0042F63A .64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0042F640 .50 PUSH EAX
0042F641 .51 PUSH ECX
0042F642 .53 PUSH EBX
0042F643 .56 PUSH ESI
0042F644 .57 PUSH EDI
0042F645 .A1 4C324800 MOV EAX,DWORD PTR DS:[48324C]
0042F64A .33C5 XOR EAX,EBP
0042F64C .50 PUSH EAX
0042F64D .8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0042F650 .64:A3 0000000>MOV DWORD PTR FS:[0],EAX
0042F656 .8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
0042F659 .8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
0042F65C .8B1D 8C424600 MOV EBX,DWORD PTR DS:[<&KERNEL32.Sleep>] ;kernel32.Sleep
0042F662 .897D 08 MOV DWORD PTR SS:[EBP+8],EDI
0042F665 .BE 60EA0000 MOV ESI,0EA60
0042F66A .C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0042F671 >56 PUSH ESI
0042F672 .FFD3 CALL EBX
0042F674 .8BCF MOV ECX,EDI
0042F676 .E8 E5F4FFFF CALL RegHelp1.0042EB60 // that call comes from here
03. Remove the program's hidden check and continue analysing
Let's look at the second call site of the key CALL
0042EB04|.E8 77240000 CALL RegHelp1.00430F80 // second call site
0042EB09|.83C4 08 ADD ESP,8
0042EB0C|.8806 MOV BYTE PTR DS:[ESI],AL
0042EB0E|> \837E 08 00 CMP DWORD PTR DS:[ESI+8],0 ;this comparison is sneaky
0042EB12 75 19 JNZ SHORT RegHelp1.0042EB2D ;change this to JMP
0042EB14|.8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0042EB17|.51 PUSH ECX ; /pThreadId
0042EB18|.6A 00 PUSH 0 ; |CreationFlags = 0
0042EB1A|.56 PUSH ESI ; |pThreadParm
0042EB1B|.68 30F64200 PUSH RegHelp1.0042F630 ; |ThreadFunction = RegHelp1.0042F630
0042EB20|.6A 00 PUSH 0 ; |StackSize = 0
0042EB22|.6A 00 PUSH 0 ; |pSecurity = NULL
0042EB24|.FF15 9C424600 CALL DWORD PTR DS:[<&KERNEL32.CreateThread>] ; \CreateThread
PUSH RegHelp1.0042F630 ; |ThreadFunction = RegHelp1.0042F630
This is the address of the thread function; compare it with the routine we saw above. Just JMP over this and you're done.
---------------------------------
That basically removes the more obvious function limits. The program uses a keyfile (pid.bin) verification scheme; anyone with time can dig into that further, I'll stop here ~~
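From the vendor's or an incident responder's side, the walkthrough above names exactly the places a modified copy differs from a pristine one: the prologue of the check routine at 00430F80, the three CALL sites that reach it, the JNZ at 0042EB12 in front of CreateThread, and the CALL at 0042F676 inside the watchdog thread. The script below is an added example, not code from the post or from Registry Help Pro: it keeps a table of known-good bytes copied from the opcode columns of the listings, flags any site whose bytes have changed, and decodes the relative CALL/Jcc displacements so the "Local calls from" cross-references in the listing can be confirmed by hand. The two sample images are constructed stand-ins keyed by virtual address, not dumps of the real executable.

```python
"""Byte-level integrity check for the tamper points named in the walkthrough.

Added example; not code from the original post or from Registry Help Pro.
Known-good bytes are copied from the opcode columns of the listings; the
sample images are constructed, not dumps of the real program.
"""
import hashlib
from typing import Dict, List

# Virtual address -> bytes the listing shows there in the pristine binary.
KNOWN_GOOD: Dict[int, bytes] = {
    0x00430F80: bytes.fromhex("6AFF6860284600"),  # PUSH -1 / PUSH 462860: registration check prologue
    0x00404F00: bytes.fromhex("E87BC00200"),      # CALL 430F80 from the About handler
    0x0042EADC: bytes.fromhex("E89F240000"),      # CALL 430F80 at startup
    0x0042EB12: bytes.fromhex("7519"),            # JNZ SHORT 42EB2D guarding CreateThread
    0x0042F676: bytes.fromhex("E8E5F4FFFF"),      # CALL 42EB60 from the watchdog thread
}


def branch_target(addr: int, insn: bytes) -> int:
    """Decode where a near CALL (E8 rel32) or a short JE/JNZ (74/75 rel8) lands.

    The displacement is relative to the address of the next instruction,
    so target = addr + len(insn) + rel (signed, little-endian).
    """
    op = insn[0]
    if op == 0xE8 and len(insn) == 5:
        rel = int.from_bytes(insn[1:5], "little", signed=True)
    elif op in (0x74, 0x75) and len(insn) == 2:
        rel = int.from_bytes(insn[1:2], "little", signed=True)
    else:
        raise ValueError(f"unsupported instruction at {addr:08X}: {insn.hex()}")
    return (addr + len(insn) + rel) & 0xFFFFFFFF


def check_sites(image: Dict[int, bytes],
                expected: Dict[int, bytes] = KNOWN_GOOD) -> List[int]:
    """Return the addresses whose bytes no longer match the known-good table."""
    bad = []
    for addr, good in expected.items():
        if image.get(addr, b"")[: len(good)] != good:
            bad.append(addr)
    return bad


def fingerprint(image: Dict[int, bytes],
                sites: Dict[int, bytes] = KNOWN_GOOD) -> str:
    """SHA-256 over the monitored sites; store the pristine value as a reference."""
    h = hashlib.sha256()
    for addr in sorted(sites):
        h.update(addr.to_bytes(4, "little"))
        h.update(image.get(addr, b""))
    return h.hexdigest()


def cross_references() -> Dict[int, int]:
    """Recompute the listing's call/jump targets from the raw bytes."""
    return {addr: branch_target(addr, KNOWN_GOOD[addr])
            for addr in (0x00404F00, 0x0042EADC, 0x0042EB12, 0x0042F676)}


# Constructed sample images: one pristine, one with the guard site altered.
PRISTINE_IMAGE: Dict[int, bytes] = dict(KNOWN_GOOD)
TAMPERED_IMAGE: Dict[int, bytes] = dict(KNOWN_GOOD)
TAMPERED_IMAGE[0x0042EB12] = b"\x90\x90"  # constructed: two bytes overwritten at 0042EB12


if __name__ == "__main__":
    for site, target in cross_references().items():
        print(f"{site:08X} -> {target:08X}")
    print("pristine mismatches:", [f"{a:08X}" for a in check_sites(PRISTINE_IMAGE)])
    print("tampered mismatches:", [f"{a:08X}" for a in check_sites(TAMPERED_IMAGE)])
    print("reference fingerprint:", fingerprint(PRISTINE_IMAGE))
```

Feeding real bytes instead of the constructed images is a matter of reading the file at the offsets that map to these virtual addresses; the decoder confirms, for instance, that E8 E5F4FFFF at 0042F676 really does land on 0042EB60, which is how the listing's "Local call from 0042F676" line can be checked.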
Learned something, thanks to boss Nisy for sharing so generously. The trick for finding the thread function is pretty cool; first time I've seen it.