Picture To Icon 2.4爆破分析&附赠美女图,哈哈
【文章标题】: Picture To Icon 2.4爆破分析
【文章作者】: zaas
【下载地址】: http://www.exeicon.com/picture-to-icon/
【加壳方式】: ASPack 2.001 -> Alexey Solodovnikov
【编写语言】: Borland C++ DLL Method 1 (PEiD 签名。Borland 的寄存器传参约定前三个参数走 eax/edx/ecx,下面各函数入口处的 mov [ebp-xx], edx / eax 看起来就是在保存参数)
【使用工具】: PEiD / OllyDbg(OD) / DeDe
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【软件介绍】: 能将图片或屏幕的一部分转化为ICON图标,调整图标大小以及从资源库中提取icon。支持BMP, JPEG, GIF, CUR, WMF。
Picture To Icon can convert images or any part on your screen into icons, extract icons from libraries, modify the icon and convert icon to png or bmp .
Picture To Icon converts PNG, BMP, JPEG, GIF, CUR, WMF formats into multi-resolution Windows icons. You can capture your screen part and convert it to icon. You can easily create, edit, read and save icons with transparency. With color similarity adjustment, icon creation is made easy. You can extract icons from Windows resource files such as EXE, DLL, OCX file.
【详细过程】
按照N大的要求,遂有了这篇。最近不怎么写爆破文章,算法为主。嘿嘿。
ASPack 用 ESP 定律脱壳即可,不多说。
启动时弹出Nag要求注册,输入
注册名:zaas
假码:1334567890123456789012345678901234567890P2I4 (这串假码正好 44 位 = 0x2C、第二位为 3、末尾为 P2I4,能通过下文算法 call 开头的长度和固定字符检查)
下GetWindowTextA断点,成功断下。
返回发现已经在注册错误对话框了(说明:下面反汇编列表里内存操作数的方括号 `[...]` 被论坛排版吞掉了,如 `mov dword ptr , edi` 实为 `mov dword ptr [eax+2F0], edi`,看操作数请以左侧机器码为准;字符串里作者的邮箱也被站点脚本替换成了 [email protected]):
004AFC7E|.8BF8 mov edi, eax
004AFC80|.8B45 F4 mov eax, dword ptr
004AFC83|.89B8 F0020000 mov dword ptr , edi
004AFC89|.BA 88FE4A00 mov edx, 004AFE88 ;ASCII "Message"
004AFC8E|.8BC7 mov eax, edi
004AFC90|.8B08 mov ecx, dword ptr
004AFC92|.FF51 18 call dword ptr
004AFC95|.8B55 F4 mov edx, dword ptr
004AFC98|.8BC7 mov eax, edi
004AFC9A|.8B08 mov ecx, dword ptr
004AFC9C|.FF51 68 call dword ptr
004AFC9F|.B2 01 mov dl, 1
004AFCA1|.8BC7 mov eax, edi
004AFCA3|.E8 E8E2FCFF call 0047DF90
004AFCA8|.8B55 FC mov edx, dword ptr ;ASCII "Your registration code is invalid.",LF,"If you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. Or please send email to: [email protected] ",LF
继续返回。。。直到:
00424BCC/.55 push ebp ;注册按钮事件
00424BCD|.8BEC mov ebp, esp
00424BCF|.83C4 9C add esp, -64
00424BD2|.8955 A0 mov dword ptr , edx
00424BD5|.8945 A4 mov dword ptr , eax
00424BD8|.B8 180E5000 mov eax, 00500E18
00424BDD|.E8 EA7C0B00 call 004DC8CC
00424BE2|.8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
00424BE8|.8B0A mov ecx, dword ptr
00424BEA 80B9 F8030000>cmp byte ptr , 0 ;注意这个全局变量
00424BF1 0F85 3A030000 jnz 00424F31 ;jnz说明已经注册,可以直接跳过注册检测
00424BF7|.66:C745 B8 08>mov word ptr , 8
00424BFD|.8D45 FC lea eax, dword ptr
00424C00|.E8 CBDEFDFF call 00402AD0
00424C05|.8BD0 mov edx, eax
00424C07|.FF45 C4 inc dword ptr
00424C0A|.8B4D A4 mov ecx, dword ptr
00424C0D|.8B81 00030000 mov eax, dword ptr
00424C13|.E8 C80C0900 call 004B58E0 ;取出注册名
00424C18|.8D45 FC lea eax, dword ptr
00424C1B|.E8 FC27FEFF call 0040741C ;注册名长度
00424C20|.83F8 03 cmp eax, 3 ;注册名长度必须 >= 3 (setl 取 len<3, 为真才报错), 不是 > 3
00424C23|.0F9CC2 setl dl
00424C26|.83E2 01 and edx, 1
00424C29|.52 push edx
00424C2A|.FF4D C4 dec dword ptr
00424C2D|.8D45 FC lea eax, dword ptr
00424C30|.BA 02000000 mov edx, 2
00424C35|.E8 9E2E0C00 call 004E7AD8
00424C3A|.59 pop ecx
00424C3B|.84C9 test cl, cl
00424C3D|.74 3C je short 00424C7B ;否则弹出输入注册名对话框
00424C3F|.66:C745 B8 14>mov word ptr , 14
00424C45|.BA C8035000 mov edx, 005003C8 ;ASCII "Please input your Full Name!"
00424C4A|.8D45 F8 lea eax, dword ptr
00424C4D|.E8 262D0C00 call 004E7978
00424C52|.FF45 C4 inc dword ptr
00424C55|.8B00 mov eax, dword ptr
00424C57|.E8 0CB30800 call 004AFF68
00424C5C|.FF4D C4 dec dword ptr
00424C5F|.8D45 F8 lea eax, dword ptr
00424C62|.BA 02000000 mov edx, 2
00424C67|.E8 6C2E0C00 call 004E7AD8
00424C6C|.8B4D A8 mov ecx, dword ptr
00424C6F|.64:890D 00000>mov dword ptr fs:, ecx
00424C76|.E9 C8020000 jmp 00424F43
00424C7B|>68 F4010000 push 1F4 ; /Timeout = 500. ms
00424C80|.E8 5F680D00 call <jmp.&kernel32.Sleep> ; \Sleep
00424C85|.66:C745 B8 20>mov word ptr , 20 ;睡会儿
00424C8B|.8D45 F4 lea eax, dword ptr
00424C8E|.E8 3DDEFDFF call 00402AD0
00424C93|.8BD0 mov edx, eax
00424C95|.FF45 C4 inc dword ptr
00424C98|.8B4D A4 mov ecx, dword ptr
00424C9B|.8B81 04030000 mov eax, dword ptr
00424CA1|.E8 3A0C0900 call 004B58E0 ;假码的取出
00424CA6|.8D55 F4 lea edx, dword ptr
00424CA9|.FF32 push dword ptr ;假码的长度
00424CAB|.E8 08E3FFFF call 00422FB8 ;算法call
00424CB0|.59 pop ecx
00424CB1|.8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico2._IconConverter
00424CB7|.8B11 mov edx, dword ptr
00424CB9|.8882 F8030000 mov byte ptr , al ;给全局变量赋值
00424CBF|.FF4D C4 dec dword ptr
00424CC2|.8D45 F4 lea eax, dword ptr
00424CC5|.BA 02000000 mov edx, 2
00424CCA|.E8 092E0C00 call 004E7AD8
00424CCF|.A1 64D15000 mov eax, dword ptr
00424CD4|.8B08 mov ecx, dword ptr
00424CD6|.80B9 F8030000>cmp byte ptr , 0 ;比较全局变量
00424CDD 0F84 1F020000 je 00424F02 ;跳向死亡
00424CE3|.66:C745 B8 2C>mov word ptr , 2C
00424CE9|.8D45 F0 lea eax, dword ptr
00424CEC|.E8 DFDDFDFF call 00402AD0
00424CF1|.8BD0 mov edx, eax
00424CF3|.FF45 C4 inc dword ptr
00424CF6|.8B4D A4 mov ecx, dword ptr
00424CF9|.8B81 04030000 mov eax, dword ptr
00424CFF|.E8 DC0B0900 call 004B58E0
00424D04|.8D55 F0 lea edx, dword ptr
00424D07|.8B45 A4 mov eax, dword ptr
00424D0A|.05 1C030000 add eax, 31C
00424D0F|.E8 F42D0C00 call 004E7B08
00424D14|.FF4D C4 dec dword ptr
00424D17|.8D45 F0 lea eax, dword ptr
00424D1A|.BA 02000000 mov edx, 2
00424D1F|.E8 B42D0C00 call 004E7AD8
00424D24|.8B45 A4 mov eax, dword ptr
00424D27|.05 1C030000 add eax, 31C
00424D2C|.E8 D3D0FDFF call 00401E04
00424D31|.0FBE50 17 movsx edx, byte ptr
00424D35|.83FA 30 cmp edx, 30
00424D38|.7C 16 jl short 00424D50
00424D3A|.8B45 A4 mov eax, dword ptr
00424D3D|.05 1C030000 add eax, 31C
00424D42|.E8 BDD0FDFF call 00401E04
00424D47|.0FBE50 17 movsx edx, byte ptr ;假码第24位
00424D4B|.83FA 39 cmp edx, 39
00424D4E|.7E 0F jle short 00424D5F ;与上面的 cmp edx,30 / jl 合起来: 第 24 位必须是 '0'..'9' 的数字, 否则下面把 +3F8 清零
00424D50|>8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico2._IconConverter
00424D56|.8B01 mov eax, dword ptr
00424D58|.C680 F8030000>mov byte ptr , 0 ;又一个验证
00424D5F|>B2 01 mov dl, 1
00424D61|.A1 2CDA4500 mov eax, dword ptr
00424D66|.E8 C18D0300 call 0045DB2C
00424D6B|.8945 9C mov dword ptr , eax
00424D6E|.BA 01000080 mov edx, 80000001
00424D73|.8B45 9C mov eax, dword ptr
00424D76|.E8 692B0C00 call 004E78E4
00424D7B|.8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
00424D81|.8B0A mov ecx, dword ptr
00424D83 80B9 F8030000>cmp byte ptr , 0 ;全局变量的再次比较
00424D8A 0F84 06010000 je 00424E96 ;跳了就死
00424D90|.66:C745 B8 38>mov word ptr , 38
00424D96|.BA E5035000 mov edx, 005003E5 ;ASCII "Software\XTZY\Pic2Ico"
00424D9B|.8D45 EC lea eax, dword ptr
00424D9E|.E8 D52B0C00 call 004E7978 ;写注册表了
00424DA3|.FF45 C4 inc dword ptr
00424DA6|.8B10 mov edx, dword ptr
00424DA8|.B1 01 mov cl, 1
00424DAA|.8B45 9C mov eax, dword ptr
00424DAD|.E8 7E8E0300 call 0045DC30
00424DB2|.84C0 test al, al
00424DB4|.0F95C0 setne al
00424DB7|.83E0 01 and eax, 1
00424DBA|.50 push eax
00424DBB|.FF4D C4 dec dword ptr
00424DBE|.8D45 EC lea eax, dword ptr
00424DC1|.BA 02000000 mov edx, 2
00424DC6|.E8 0D2D0C00 call 004E7AD8 ;又一次验证,**的作者
00424DCB|.59 pop ecx
00424DCC|.85C9 test ecx, ecx
00424DCE|.0F84 C2000000 je 00424E96 ;跳了还是死
00424DD4|.8D45 E4 lea eax, dword ptr
00424DD7|.E8 F4DCFDFF call 00402AD0
00424DDC|.8BD0 mov edx, eax
00424DDE|.FF45 C4 inc dword ptr
00424DE1|.8B4D A4 mov ecx, dword ptr
00424DE4|.8B81 04030000 mov eax, dword ptr
00424DEA|.E8 F10A0900 call 004B58E0
00424DEF|.8D55 E4 lea edx, dword ptr
00424DF2|.FF32 push dword ptr
00424DF4|.66:C745 B8 44>mov word ptr , 44
00424DFA|.BA FB035000 mov edx, 005003FB ;ASCII "NO"
00424DFF|.8D45 E8 lea eax, dword ptr
00424E02|.E8 712B0C00 call 004E7978
00424E07|.FF45 C4 inc dword ptr
00424E0A|.8B10 mov edx, dword ptr
00424E0C|.8B45 9C mov eax, dword ptr
00424E0F|.59 pop ecx
00424E10|.E8 B78F0300 call 0045DDCC
00424E15|.FF4D C4 dec dword ptr
00424E18|.8D45 E4 lea eax, dword ptr
00424E1B|.BA 02000000 mov edx, 2
00424E20|.E8 B32C0C00 call 004E7AD8
00424E25|.FF4D C4 dec dword ptr
00424E28|.8D45 E8 lea eax, dword ptr
00424E2B|.BA 02000000 mov edx, 2
00424E30|.E8 A32C0C00 call 004E7AD8
00424E35|.8D45 DC lea eax, dword ptr
00424E38|.E8 93DCFDFF call 00402AD0
00424E3D|.8BD0 mov edx, eax
00424E3F|.FF45 C4 inc dword ptr
00424E42|.8B4D A4 mov ecx, dword ptr
00424E45|.8B81 00030000 mov eax, dword ptr
00424E4B|.E8 900A0900 call 004B58E0
00424E50|.8D55 DC lea edx, dword ptr
00424E53|.FF32 push dword ptr
00424E55|.66:C745 B8 50>mov word ptr , 50
00424E5B|.BA FE035000 mov edx, 005003FE ;ASCII "Name"
00424E60|.8D45 E0 lea eax, dword ptr
00424E63|.E8 102B0C00 call 004E7978
00424E68|.FF45 C4 inc dword ptr
00424E6B|.8B10 mov edx, dword ptr
00424E6D|.8B45 9C mov eax, dword ptr
00424E70|.59 pop ecx
00424E71|.E8 568F0300 call 0045DDCC
00424E76|.FF4D C4 dec dword ptr
00424E79|.8D45 DC lea eax, dword ptr
00424E7C|.BA 02000000 mov edx, 2
00424E81|.E8 522C0C00 call 004E7AD8
00424E86|.FF4D C4 dec dword ptr
00424E89|.8D45 E0 lea eax, dword ptr
00424E8C|.BA 02000000 mov edx, 2
00424E91|.E8 422C0C00 call 004E7AD8
00424E96|>8B45 9C mov eax, dword ptr
00424E99|.E8 FE8C0300 call 0045DB9C ;close regkey
00424E9E|.8B55 9C mov edx, dword ptr
00424EA1|.8955 D4 mov dword ptr , edx
00424EA4|.837D D4 00 cmp dword ptr , 0
00424EA8|.74 21 je short 00424ECB
00424EAA|.8B4D D4 mov ecx, dword ptr
00424EAD|.8B01 mov eax, dword ptr
00424EAF|.8945 D8 mov dword ptr , eax
00424EB2|.66:C745 B8 68>mov word ptr , 68
00424EB8|.BA 03000000 mov edx, 3
00424EBD|.8B45 D4 mov eax, dword ptr
00424EC0|.8B08 mov ecx, dword ptr
00424EC2|.FF51 FC call dword ptr
00424EC5|.66:C745 B8 5C>mov word ptr , 5C
00424ECB|>66:C745 B8 74>mov word ptr , 74
00424ED1|.BA 03045000 mov edx, 00500403 ;ASCII "Register successfully!",LF,"Thank you."
00424ED6|.8D45 D0 lea eax, dword ptr
00424ED9|.E8 9A2A0C00 call 004E7978
00424EDE|.FF45 C4 inc dword ptr
00424EE1|.8B00 mov eax, dword ptr
00424EE3|.E8 80B00800 call 004AFF68 ;注册成功对话框
00424EE8|.FF4D C4 dec dword ptr
00424EEB|.8D45 D0 lea eax, dword ptr
00424EEE|.BA 02000000 mov edx, 2
00424EF3|.E8 E02B0C00 call 004E7AD8
00424EF8|.8B45 A4 mov eax, dword ptr
00424EFB|.E8 F0010800 call 004A50F0
00424F00|.EB 37 jmp short 00424F39
00424F02|>66:C745 B8 80>mov word ptr , 80
00424F08|.BA 25045000 mov edx, 00500425 ;ASCII "Your registration code is invalid.",LF,"If you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. Or please send email to: [email protected] ",LF
00424F0D|.8D45 CC lea eax, dword ptr
00424F10|.E8 632A0C00 call 004E7978
00424F15|.FF45 C4 inc dword ptr
00424F18|.8B00 mov eax, dword ptr
00424F1A|.E8 49B00800 call 004AFF68
00424F1F|.FF4D C4 dec dword ptr
00424F22|.8D45 CC lea eax, dword ptr
00424F25|.BA 02000000 mov edx, 2
00424F2A|.E8 A92B0C00 call 004E7AD8
00424F2F|.EB 08 jmp short 00424F39
00424F31|>8B45 A4 mov eax, dword ptr
00424F34|.E8 B7010800 call 004A50F0
00424F39|>8B55 A8 mov edx, dword ptr
00424F3C|.64:8915 00000>mov dword ptr fs:, edx
00424F43|>8BE5 mov esp, ebp
00424F45|.5D pop ebp
00424F46\.C3 retn
这里有明确的注册成功或失败提示信息。在段首下断再来一次。
跟进算法call看看:
00422FB8/$55 push ebp
00422FB9|.8BEC mov ebp, esp
00422FBB|.81C4 70FFFFFF add esp, -90
00422FC1|.56 push esi
00422FC2|.57 push edi
00422FC3|.B8 74055000 mov eax, 00500574
00422FC8|.E8 FF980B00 call 004DC8CC
00422FCD|.C745 F4 01000>mov dword ptr , 1
00422FD4|.8D55 08 lea edx, dword ptr
00422FD7|.8D45 08 lea eax, dword ptr
00422FDA|.E8 D1490C00 call 004E79B0
00422FDF|.FF45 F4 inc dword ptr
00422FE2|.66:C745 E8 08>mov word ptr , 8
00422FE8|.C645 D7 00 mov byte ptr , 0
00422FEC|.66:C745 E8 14>mov word ptr , 14
00422FF2|.8D45 FC lea eax, dword ptr
00422FF5|.E8 D6FAFDFF call 00402AD0
00422FFA|.8BD0 mov edx, eax
00422FFC|.FF45 F4 inc dword ptr
00422FFF|.8D45 08 lea eax, dword ptr
00423002|.E8 194E0C00 call 004E7E20
00423007|.8D55 FC lea edx, dword ptr
0042300A|.8D45 08 lea eax, dword ptr
0042300D|.E8 F64A0C00 call 004E7B08 ;假码的取出
00423012|.FF4D F4 dec dword ptr
00423015|.8D45 FC lea eax, dword ptr
00423018|.BA 02000000 mov edx, 2
0042301D|.E8 B64A0C00 call 004E7AD8
00423022|.8D45 08 lea eax, dword ptr
00423025|.E8 F243FEFF call 0040741C ; 假码长度
0042302A|.83F8 2C cmp eax, 2C ;长度必须等于 0x2C = 44 个字符
0042302D|.0F85 44020000 jnz 00423277 ;不等跳死
00423033|.BE B4FF4F00 mov esi, 004FFFB4 ;ASCII "1z1h+2a0n-0g8y*9a1n|"
00423038|.8D7D 84 lea edi, dword ptr
0042303B|.B9 05000000 mov ecx, 5
00423040|.F3:A5 rep movs dword ptr es:, dword p>
00423042|.A4 movs byte ptr es:, byte ptr [esi>
00423043|.66:C745 E8 08>mov word ptr , 8
00423049|.8D45 08 lea eax, dword ptr
0042304C|.E8 B3EDFDFF call 00401E04
00423051|.0FBE50 28 movsx edx, byte ptr ;取假码倒数第4个字符
00423055|.83FA 50 cmp edx, 50 ;应等于“P”
00423058|.74 23 je short 0042307D
0042305A|.33C0 xor eax, eax
0042305C|.50 push eax
0042305D|.FF4D F4 dec dword ptr
00423060|.8D45 08 lea eax, dword ptr
00423063|.BA 02000000 mov edx, 2
00423068|.E8 6B4A0C00 call 004E7AD8
0042306D|.58 pop eax
0042306E|.8B55 D8 mov edx, dword ptr
00423071|.64:8915 00000>mov dword ptr fs:, edx
00423078|.E9 19020000 jmp 00423296
0042307D|>8D45 08 lea eax, dword ptr
00423080|.E8 7FEDFDFF call 00401E04
00423085|.0FBE50 29 movsx edx, byte ptr ;倒数第三个字符
00423089|.83FA 32 cmp edx, 32 ;应等于2
0042308C|.74 23 je short 004230B1
0042308E|.33C0 xor eax, eax
00423090|.50 push eax
00423091|.FF4D F4 dec dword ptr
00423094|.8D45 08 lea eax, dword ptr
00423097|.BA 02000000 mov edx, 2
0042309C|.E8 374A0C00 call 004E7AD8
004230A1|.58 pop eax
004230A2|.8B55 D8 mov edx, dword ptr
004230A5|.64:8915 00000>mov dword ptr fs:, edx
004230AC|.E9 E5010000 jmp 00423296
004230B1|>8D45 08 lea eax, dword ptr
004230B4|.E8 4BEDFDFF call 00401E04
004230B9|.0FBE50 2A movsx edx, byte ptr ;倒数第二个应等于I
004230BD|.83FA 49 cmp edx, 49
004230C0|.74 23 je short 004230E5
004230C2|.33C0 xor eax, eax
004230C4|.50 push eax
004230C5|.FF4D F4 dec dword ptr
004230C8|.8D45 08 lea eax, dword ptr
004230CB|.BA 02000000 mov edx, 2
004230D0|.E8 034A0C00 call 004E7AD8
004230D5|.58 pop eax
004230D6|.8B55 D8 mov edx, dword ptr
004230D9|.64:8915 00000>mov dword ptr fs:, edx
004230E0|.E9 B1010000 jmp 00423296
004230E5|>8D45 08 lea eax, dword ptr
004230E8|.E8 17EDFDFF call 00401E04
004230ED|.0FBE50 2B movsx edx, byte ptr ;最后一个应等于4
004230F1|.83FA 34 cmp edx, 34
004230F4|.74 23 je short 00423119
004230F6|.33C0 xor eax, eax
004230F8|.50 push eax
004230F9|.FF4D F4 dec dword ptr
004230FC|.8D45 08 lea eax, dword ptr
004230FF|.BA 02000000 mov edx, 2
00423104|.E8 CF490C00 call 004E7AD8
00423109|.58 pop eax
0042310A|.8B55 D8 mov edx, dword ptr
0042310D|.64:8915 00000>mov dword ptr fs:, edx
00423114|.E9 7D010000 jmp 00423296
00423119|>8D45 08 lea eax, dword ptr
0042311C|.E8 E3ECFDFF call 00401E04
00423121|.50 push eax
00423122|.8D55 9C lea edx, dword ptr
00423125|.52 push edx
00423126|.E8 FD940B00 call 004DC628
0042312B|.83C4 08 add esp, 8
0042312E|.0FBE4D 9D movsx ecx, byte ptr ;第二个应等于3
00423132|.83F9 33 cmp ecx, 33
00423135|.0F85 3C010000 jnz 00423277
0042313B|.C645 9D 23 mov byte ptr , 23
0042313F|.C645 D7 01 mov byte ptr , 1
00423143|.C745 D0 02000>mov dword ptr , 2
0042314A|>8B45 D0 /mov eax, dword ptr
0042314D|.0FBE5405 84 |movsx edx, byte ptr ;取固定字符串字符
00423152|.8B4D D0 |mov ecx, dword ptr
00423155|.0FBE440D 9B |movsx eax, byte ptr ;变化后的假码第二位
0042315A|.03D0 |add edx, eax
0042315C|.8B4D D0 |mov ecx, dword ptr
0042315F|.0FBE440D 9C |movsx eax, byte ptr
00423164|.33D0 |xor edx, eax
00423166|.8B4D D0 |mov ecx, dword ptr
00423169|.0FBE440D 84 |movsx eax, byte ptr
0042316E|.33D0 |xor edx, eax
00423170|.52 |push edx
00423171|.E8 A275FEFF |call 0040A718
00423176|.59 |pop ecx
00423177|.B9 1A000000 |mov ecx, 1A
0042317C|.99 |cdq
0042317D|.F7F9 |idiv ecx
0042317F|.83C2 41 |add edx, 41
00423182|.8B45 D0 |mov eax, dword ptr
00423185|.0FBE4C05 A5 |movsx ecx, byte ptr
0042318A|.3BD1 |cmp edx, ecx
0042318C|.74 06 |je short 00423194
0042318E|.C645 D7 00 |mov byte ptr , 0
00423192|.EB 09 |jmp short 0042319D
00423194|>FF45 D0 |inc dword ptr
00423197|.837D D0 0A |cmp dword ptr , 0A
0042319B|.^ 7C AD \jl short 0042314A
0042319D|>807D D7 00 cmp byte ptr , 0
004231A1|.0F84 C3000000 je 0042326A
004231A7|.C745 CC 18000>mov dword ptr , 18
004231AE|.66:C745 E8 08>mov word ptr , 8
004231B4|.837D CC 28 cmp dword ptr , 28
004231B8|.7D 4B jge short 00423205
004231BA|>8B55 CC /mov edx, dword ptr
004231BD|.0FBE4415 85 |movsx eax, byte ptr
004231C2|.B9 06000000 |mov ecx, 6
004231C7|.99 |cdq
004231C8|.F7F9 |idiv ecx
004231CA|.8BCA |mov ecx, edx
004231CC|.8B45 CC |mov eax, dword ptr
004231CF|.0FBE5405 86 |movsx edx, byte ptr
004231D4|.D3E2 |shl edx, cl
004231D6|.8B45 CC |mov eax, dword ptr
004231D9|.0FBE4C05 87 |movsx ecx, byte ptr
004231DE|.0BD1 |or edx, ecx
004231E0|.52 |push edx
004231E1|.E8 3275FEFF |call 0040A718
004231E6|.59 |pop ecx
004231E7|.B9 1A000000 |mov ecx, 1A
004231EC|.99 |cdq
004231ED|.F7F9 |idiv ecx
004231EF|.80C2 61 |add dl, 61
004231F2|.8B45 CC |mov eax, dword ptr
004231F5|.889405 58FFFF>|mov byte ptr , dl
004231FC|.FF45 CC |inc dword ptr
004231FF|.837D CC 28 |cmp dword ptr , 28
00423203|.^ 7C B5 \jl short 004231BA
00423205|>C645 80 5A mov byte ptr , 5A
00423209|.C645 81 59 mov byte ptr , 59
0042320D|.C745 C8 18000>mov dword ptr , 18
00423214|.66:C745 E8 08>mov word ptr , 8
0042321A|.837D C8 28 cmp dword ptr , 28
0042321E|.7D 4A jge short 0042326A
00423220|>8B55 C8 /mov edx, dword ptr
00423223|.0FBE8415 58FF>|movsx eax, byte ptr
0042322B|.C1E0 04 |shl eax, 4
0042322E|.8B55 C8 |mov edx, dword ptr
00423231|.0FBE8C15 59FF>|movsx ecx, byte ptr
00423239|.D1F9 |sar ecx, 1
0042323B|.33C1 |xor eax, ecx
0042323D|.50 |push eax
0042323E|.E8 D574FEFF |call 0040A718
00423243|.59 |pop ecx
00423244|.B9 1A000000 |mov ecx, 1A
00423249|.99 |cdq
0042324A|.F7F9 |idiv ecx
0042324C|.83C2 41 |add edx, 41
0042324F|.8B45 C8 |mov eax, dword ptr
00423252|.0FBE4405 9C |movsx eax, byte ptr
00423257|.3BD0 |cmp edx, eax
00423259|.74 06 |je short 00423261
0042325B|.C645 D7 00 |mov byte ptr , 0
0042325F|.EB 09 |jmp short 0042326A
00423261|>FF45 C8 |inc dword ptr
00423264|.837D C8 28 |cmp dword ptr , 28
00423268|.^ 7C B6 \jl short 00423220
0042326A|>0FBE55 A6 movsx edx, byte ptr
0042326E|.83FA 59 cmp edx, 59
00423271|.74 04 je short 00423277
00423273|.C645 D7 00 mov byte ptr , 0
00423277|>8A45 D7 mov al, byte ptr
0042327A|.50 push eax
0042327B|.FF4D F4 dec dword ptr
0042327E|.8D45 08 lea eax, dword ptr
00423281|.BA 02000000 mov edx, 2
00423286|.E8 4D480C00 call 004E7AD8
0042328B|.58 pop eax
0042328C|.8B55 D8 mov edx, dword ptr
0042328F|.64:8915 00000>mov dword ptr fs:, edx
00423296|>5F pop edi
00423297|.5E pop esi
00423298|.8BE5 mov esp, ebp
0042329A|.5D pop ebp
0042329B\.C3 retn
打住,跑题了。本文是爆破分析不是算法分析。不过看起来作者并没有使用什么高深的加密算法,应该不难搞定。这个留着以后有空了再玩。
爆破有时候比算法还难,本软件就是。嘿嘿。。。。原因在于校验不是单点:算法 call 的结果先被写进对象的 +3F8 (00424CB9),随后 00424CD6、00424D83、00424388 各自再读一次,另外还有 +3F9 和注册表里的 Name/NO 值参与判断,每个读取点都要单独处理。
还是修改返回值后继续爆破吧。返回后看到还有验证,嘿嘿。。。恶心。
修改上边的关键点后,显示注册成功,about对话框也显示注册给zaas了。但是还没有完。。。再看看启动验证吧。
算法里有检测注册码长度 0x2C,于是猜启动验证也会比较这个常量。查找常量 2C,并不是太多,一一下断。重新运行后断到了下面这段(它先清掉对象的 +3F9/+3F0/+3F4 三个字段,再打开 RootKey=80000001 即 HKEY_CURRENT_USER 下的 Software\XTZY\Pic2Ico,读回 "NO" 和 "Name" 两个值)。注意:命中的 `mov word ptr [ebp-F4], 2C` 其实不是长度检查——同一函数里 8、14、20、2C、38 这串按 0xC 递增的 word 写入在每次构造临时字符串前都会出现,应是编译器生成的异常清理状态号,断点只是碰巧落在了正确的函数里:
0042329C .55 push ebp
0042329D .8BEC mov ebp, esp
0042329F .81C4 88FDFFFF add esp, -278
004232A5 .53 push ebx
004232A6 .56 push esi
004232A7 .57 push edi
004232A8 .8995 F4FEFFFF mov dword ptr , edx
004232AE .8985 F8FEFFFF mov dword ptr , eax
004232B4 .B8 98095000 mov eax, 00500998
004232B9 .E8 0E960B00 call 004DC8CC
004232BE .8B85 F8FEFFFF mov eax, dword ptr
004232C4 .E8 97FA0700 call 004A2D60
004232C9 .8BC8 mov ecx, eax
004232CB .BA 60000000 mov edx, 60
004232D0 .8B85 F8FEFFFF mov eax, dword ptr
004232D6 .E8 298A0900 call 004BBD04
004232DB .8B85 F8FEFFFF mov eax, dword ptr
004232E1 .E8 7AFA0700 call 004A2D60
004232E6 .50 push eax
004232E7 .B8 E0040000 mov eax, 4E0
004232EC .5A pop edx
004232ED .8BCA mov ecx, edx
004232EF .99 cdq
004232F0 .F7F9 idiv ecx
004232F2 .8BD0 mov edx, eax
004232F4 .8B85 F8FEFFFF mov eax, dword ptr
004232FA .8B40 68 mov eax, dword ptr
004232FD .E8 FA120700 call 004945FC
00423302 .8B85 F8FEFFFF mov eax, dword ptr
00423308 .E8 53FA0700 call 004A2D60
0042330D .83F8 60 cmp eax, 60
00423310 .7E 13 jle short 00423325
00423312 .8B95 F8FEFFFF mov edx, dword ptr
00423318 .8B82 18030000 mov eax, dword ptr
0042331E .B2 02 mov dl, 2
00423320 .E8 2FBE0500 call 0047F154
00423325 >8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico2._IconConverter
0042332B .8B01 mov eax, dword ptr
0042332D .C680 F9030000>mov byte ptr , 0
00423334 .8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
0042333A .8B0A mov ecx, dword ptr
0042333C .33C0 xor eax, eax
0042333E .8981 F0030000 mov dword ptr , eax
00423344 .8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
0042334A .8B0A mov ecx, dword ptr
0042334C .33C0 xor eax, eax
0042334E .8981 F4030000 mov dword ptr , eax
00423354 .B2 01 mov dl, 1
00423356 .A1 2CDA4500 mov eax, dword ptr
0042335B .E8 CCA70300 call 0045DB2C
00423360 .8985 F0FEFFFF mov dword ptr , eax
00423366 .BA 01000080 mov edx, 80000001
0042336B .8B85 F0FEFFFF mov eax, dword ptr
00423371 .E8 6E450C00 call 004E78E4
00423376 .66:C785 0CFFF>mov word ptr , 8
0042337F .BA CDFF4F00 mov edx, 004FFFCD ;ASCII "Software\XTZY\Pic2Ico"
00423384 .8D45 EC lea eax, dword ptr
00423387 .E8 EC450C00 call 004E7978
0042338C .FF85 18FFFFFF inc dword ptr
00423392 .8B10 mov edx, dword ptr
00423394 .B1 01 mov cl, 1
00423396 .8B85 F0FEFFFF mov eax, dword ptr
0042339C .E8 8FA80300 call 0045DC30
004233A1 .50 push eax
004233A2 .FF8D 18FFFFFF dec dword ptr
004233A8 .8D45 EC lea eax, dword ptr
004233AB .BA 02000000 mov edx, 2
004233B0 .E8 23470C00 call 004E7AD8
004233B5 .59 pop ecx
004233B6 .84C9 test cl, cl
004233B8 .0F84 57040000 je 00423815
004233BE .66:C785 0CFFF>mov word ptr , 14
004233C7 .BA E3FF4F00 mov edx, 004FFFE3 ;ASCII "NO"
004233CC .8D45 E8 lea eax, dword ptr
004233CF .E8 A4450C00 call 004E7978
004233D4 .FF85 18FFFFFF inc dword ptr
004233DA .8B10 mov edx, dword ptr
004233DC .8B85 F0FEFFFF mov eax, dword ptr
004233E2 .E8 A9AB0300 call 0045DF90
004233E7 .50 push eax
004233E8 .FF8D 18FFFFFF dec dword ptr
004233EE .8D45 E8 lea eax, dword ptr
004233F1 .BA 02000000 mov edx, 2
004233F6 .E8 DD460C00 call 004E7AD8
004233FB .59 pop ecx
004233FC .84C9 test cl, cl
004233FE .74 72 je short 00423472
00423400 .66:C785 0CFFF>mov word ptr , 20
00423409 .8D45 E0 lea eax, dword ptr
0042340C .E8 BFF6FDFF call 00402AD0
00423411 .50 push eax
00423412 .FF85 18FFFFFF inc dword ptr
00423418 .BA E6FF4F00 mov edx, 004FFFE6 ;ASCII "NO"
0042341D .8D45 E4 lea eax, dword ptr
00423420 .E8 53450C00 call 004E7978
00423425 .FF85 18FFFFFF inc dword ptr
0042342B .8B10 mov edx, dword ptr
0042342D .8B85 F0FEFFFF mov eax, dword ptr
00423433 .59 pop ecx
00423434 .E8 BFA90300 call 0045DDF8 ;假码的取出
00423439 .8D55 E0 lea edx, dword ptr
0042343C .8B85 F8FEFFFF mov eax, dword ptr
00423442 .05 1C030000 add eax, 31C
00423447 .E8 BC460C00 call 004E7B08
0042344C .FF8D 18FFFFFF dec dword ptr
00423452 .8D45 E0 lea eax, dword ptr
00423455 .BA 02000000 mov edx, 2
0042345A .E8 79460C00 call 004E7AD8
0042345F .FF8D 18FFFFFF dec dword ptr
00423465 .8D45 E4 lea eax, dword ptr
00423468 .BA 02000000 mov edx, 2
0042346D .E8 66460C00 call 004E7AD8
00423472 >8B8D F8FEFFFF mov ecx, dword ptr
00423478 .8B91 1C030000 mov edx, dword ptr
0042347E .8B85 F8FEFFFF mov eax, dword ptr
00423484 .8B80 04030000 mov eax, dword ptr
0042348A .E8 81240900 call 004B5910
0042348F .66:C785 0CFFF>mov word ptr , 2C ;注意: 这并不是取 2C 长度, 同一函数里 8/14/20/2C/38 这串按 0xC 递增的 word 写入在每次构造临时字符串前都出现, 应是编译器生成的异常清理状态号; 断点只是碰巧命中了正确的函数
00423498 .BA E9FF4F00 mov edx, 004FFFE9 ;ASCII "Name"
0042349D .8D45 DC lea eax, dword ptr
004234A0 .E8 D3440C00 call 004E7978
004234A5 .FF85 18FFFFFF inc dword ptr
004234AB .8B10 mov edx, dword ptr
004234AD .8B85 F0FEFFFF mov eax, dword ptr
004234B3 .E8 D8AA0300 call 0045DF90
004234B8 .50 push eax
004234B9 .FF8D 18FFFFFF dec dword ptr
004234BF .8D45 DC lea eax, dword ptr
004234C2 .BA 02000000 mov edx, 2
004234C7 .E8 0C460C00 call 004E7AD8
004234CC .59 pop ecx
004234CD .84C9 test cl, cl
004234CF .74 75 je short 00423546
004234D1 .66:C785 0CFFF>mov word ptr , 38
004234DA .8D45 D4 lea eax, dword ptr
004234DD .E8 EEF5FDFF call 00402AD0
004234E2 .50 push eax
004234E3 .FF85 18FFFFFF inc dword ptr
004234E9 .BA EEFF4F00 mov edx, 004FFFEE ;ASCII "Name"
004234EE .8D45 D8 lea eax, dword ptr
004234F1 .E8 82440C00 call 004E7978
004234F6 .FF85 18FFFFFF inc dword ptr
004234FC .8B10 mov edx, dword ptr
004234FE .8B85 F0FEFFFF mov eax, dword ptr
00423504 .59 pop ecx
00423505 .E8 EEA80300 call 0045DDF8 ;注册名的取出
0042350A .8D55 D4 lea edx, dword ptr
0042350D .8B12 mov edx, dword ptr
0042350F .8B85 F8FEFFFF mov eax, dword ptr
00423515 .8B80 00030000 mov eax, dword ptr
0042351B .E8 F0230900 call 004B5910
00423520 .FF8D 18FFFFFF dec dword ptr
00423526 .8D45 D4 lea eax, dword ptr
00423529 .BA 02000000 mov edx, 2
0042352E .E8 A5450C00 call 004E7AD8
00423533 .FF8D 18FFFFFF dec dword ptr
00423539 .8D45 D8 lea eax, dword ptr
0042353C .BA 02000000 mov edx, 2
00423541 .E8 92450C00 call 004E7AD8
........................................................
00424380 > \8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
00424386 .8B02 mov eax, dword ptr
00424388 80B8 F8030000>cmp byte ptr , 0 ;又来关键点了
0042438F 0F85 3B020000 jnz 004245D0
00424395 .8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
0042439B .8B0A mov ecx, dword ptr
0042439D .80B9 F9030000>cmp byte ptr , 0
004243A4 .0F85 E2010000 jnz 0042458C
004243AA .66:C785 0CFFF>mov word ptr , 1F4
004243B3 .8D85 34FFFFFF lea eax, dword ptr
004243B9 .E8 12E7FDFF call 00402AD0
004243BE .8BD0 mov edx, eax
004243C0 .FF85 18FFFFFF inc dword ptr
004243C6 .8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico2._IconConverter
004243CC .8B01 mov eax, dword ptr
004243CE .8B80 F4030000 mov eax, dword ptr
004243D4 .E8 5BB50300 call 0045F934
004243D9 .8D95 34FFFFFF lea edx, dword ptr
004243DF .52 push edx
004243E0 .8D85 44FFFFFF lea eax, dword ptr
004243E6 .E8 E5E6FDFF call 00402AD0
004243EB .8BD0 mov edx, eax
004243ED .FF85 18FFFFFF inc dword ptr
004243F3 .8B0D 64D15000 mov ecx, dword ptr ;Pic2Ico2._IconConverter
004243F9 .8B01 mov eax, dword ptr
004243FB .8B80 F0030000 mov eax, dword ptr
00424401 .E8 2EB50300 call 0045F934
00424406 .8D95 44FFFFFF lea edx, dword ptr
0042440C .52 push edx
0042440D .8D85 40FFFFFF lea eax, dword ptr
00424413 .E8 B8E6FDFF call 00402AD0
00424418 .8BC8 mov ecx, eax
0042441A .FF85 18FFFFFF inc dword ptr
00424420 .B8 03025000 mov eax, 00500203
00424425 .5A pop edx
00424426 .E8 CD3C0C00 call 004E80F8
0042442B .8D8D 40FFFFFF lea ecx, dword ptr
00424431 .51 push ecx
00424432 .8D85 38FFFFFF lea eax, dword ptr
00424438 .E8 93E6FDFF call 00402AD0
0042443D .50 push eax
0042443E .FF85 18FFFFFF inc dword ptr
00424444 .BA 05025000 mov edx, 00500205 ;ASCII "/21 Uses, "
00424449 .8D85 3CFFFFFF lea eax, dword ptr
0042444F .E8 24350C00 call 004E7978
00424454 .FF85 18FFFFFF inc dword ptr
0042445A .8D95 3CFFFFFF lea edx, dword ptr
00424460 .59 pop ecx
00424461 .58 pop eax
00424462 .E8 C9360C00 call 004E7B30
00424467 .8D95 38FFFFFF lea edx, dword ptr
0042446D .52 push edx
0042446E .8D85 30FFFFFF lea eax, dword ptr
00424474 .E8 57E6FDFF call 00402AD0
00424479 .8BC8 mov ecx, eax
0042447B .FF85 18FFFFFF inc dword ptr
00424481 .58 pop eax
00424482 .5A pop edx
00424483 .E8 A8360C00 call 004E7B30
00424488 .8D8D 30FFFFFF lea ecx, dword ptr
0042448E .51 push ecx
0042448F .8D85 28FFFFFF lea eax, dword ptr
00424495 .E8 36E6FDFF call 00402AD0
0042449A .50 push eax
0042449B .FF85 18FFFFFF inc dword ptr
004244A1 .BA 10025000 mov edx, 00500210 ;ASCII "/15 Days) Picture To Icon ( Unregistered )"
004244A6 .8D85 2CFFFFFF lea eax, dword ptr
004244AC .E8 C7340C00 call 004E7978
004244B1 .FF85 18FFFFFF inc dword ptr
004244B7 .8D95 2CFFFFFF lea edx, dword ptr
004244BD .59 pop ecx
004244BE .58 pop eax
004244BF .E8 6C360C00 call 004E7B30
004244C4 .8D95 28FFFFFF lea edx, dword ptr
004244CA .8B12 mov edx, dword ptr
004244CC .8B85 F8FEFFFF mov eax, dword ptr
004244D2 .E8 39140900 call 004B5910
004244D7 .FF8D 18FFFFFF dec dword ptr
004244DD .8D85 28FFFFFF lea eax, dword ptr
004244E3 .BA 02000000 mov edx, 2
004244E8 .E8 EB350C00 call 004E7AD8
004244ED .FF8D 18FFFFFF dec dword ptr
004244F3 .8D85 2CFFFFFF lea eax, dword ptr
004244F9 .BA 02000000 mov edx, 2
004244FE .E8 D5350C00 call 004E7AD8
00424503 .FF8D 18FFFFFF dec dword ptr
00424509 .8D85 30FFFFFF lea eax, dword ptr
0042450F .BA 02000000 mov edx, 2
00424514 .E8 BF350C00 call 004E7AD8
00424519 .FF8D 18FFFFFF dec dword ptr
0042451F .8D85 34FFFFFF lea eax, dword ptr
00424525 .BA 02000000 mov edx, 2
0042452A .E8 A9350C00 call 004E7AD8
0042452F .FF8D 18FFFFFF dec dword ptr
00424535 .8D85 38FFFFFF lea eax, dword ptr
0042453B .BA 02000000 mov edx, 2
00424540 .E8 93350C00 call 004E7AD8
00424545 .FF8D 18FFFFFF dec dword ptr
0042454B .8D85 3CFFFFFF lea eax, dword ptr
00424551 .BA 02000000 mov edx, 2
00424556 .E8 7D350C00 call 004E7AD8
0042455B .FF8D 18FFFFFF dec dword ptr
00424561 .8D85 40FFFFFF lea eax, dword ptr
00424567 .BA 02000000 mov edx, 2
0042456C .E8 67350C00 call 004E7AD8
00424571 .FF8D 18FFFFFF dec dword ptr
00424577 .8D85 44FFFFFF lea eax, dword ptr
0042457D .BA 02000000 mov edx, 2
00424582 .E8 51350C00 call 004E7AD8
00424587 .E9 8C000000 jmp 00424618
0042458C >66:C785 0CFFF>mov word ptr , 200
00424595 .BA 3B025000 mov edx, 0050023B ;ASCII "Picture To Icon ( Expired )"
0042459A .8D85 24FFFFFF lea eax, dword ptr
004245A0 .E8 D3330C00 call 004E7978
004245A5 .FF85 18FFFFFF inc dword ptr
004245AB .8B10 mov edx, dword ptr
004245AD .8B85 F8FEFFFF mov eax, dword ptr
004245B3 .E8 58130900 call 004B5910
004245B8 .FF8D 18FFFFFF dec dword ptr
004245BE .8D85 24FFFFFF lea eax, dword ptr
004245C4 .BA 02000000 mov edx, 2
004245C9 .E8 0A350C00 call 004E7AD8
004245CE .EB 48 jmp short 00424618
004245D0 >66:C785 0CFFF>mov word ptr , 20C
004245D9 .BA 57025000 mov edx, 00500257 ;ASCII "**************************************************"
004245DE .8D85 20FFFFFF lea eax, dword ptr
004245E4 .E8 8F330C00 call 004E7978
004245E9 .FF85 18FFFFFF inc dword ptr
004245EF .8B10 mov edx, dword ptr
004245F1 .8B85 F8FEFFFF mov eax, dword ptr
004245F7 .8B80 04030000 mov eax, dword ptr
004245FD .E8 0E130900 call 004B5910
00424602 .FF8D 18FFFFFF dec dword ptr
00424608 .8D85 20FFFFFF lea eax, dword ptr
0042460E .BA 02000000 mov edx, 2
00424613 .E8 C0340C00 call 004E7AD8
00424618 >8385 18FFFFFF>add dword ptr , -3
0042461F .68 D87A4E00 push 004E7AD8 ;入口地址
00424624 .6A 03 push 3
00424626 .6A 03 push 3
00424628 .6A 04 push 4
0042462A .8D4D F0 lea ecx, dword ptr
0042462D .51 push ecx
0042462E .E8 7D730B00 call 004DB9B0
00424633 .83C4 14 add esp, 14
00424636 .FF8D 18FFFFFF dec dword ptr
0042463C .8D45 FC lea eax, dword ptr
0042463F .BA 02000000 mov edx, 2
00424644 .E8 8F340C00 call 004E7AD8
00424649 .8B8D FCFEFFFF mov ecx, dword ptr
0042464F .64:890D 00000>mov dword ptr fs:, ecx
00424656 .5F pop edi
00424657 .5E pop esi
00424658 .5B pop ebx
00424659 .8BE5 mov esp, ebp
0042465B .5D pop ebp
0042465C .C3 retn
看到了熟悉的全局变量。。。。
00424380 > \8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
00424386 .8B02 mov eax, dword ptr
00424388 80B8 F8030000>cmp byte ptr , 0 ;又来关键点了
0042438F 0F85 3B020000 jnz 004245D0
修改:
`cmp byte ptr [eax+3F8], 0` (80 B8 F8 03 00 00 00) 改为 `mov byte ptr [eax+3F8], 1` (C6 80 F8 03 00 00 01,同为 7 字节,可原地覆盖);
`jnz 004245D0` (0F 85 rel32,6 字节) 改为 `jmp 004245D0` (E9 rel32,5 字节,剩下 1 字节补 nop)。
跳过了NAG。。。about窗口显示完美。
但是事情还是没有完。。。实验下软件的功能,发现取出的图标,modify icon后,会在图标上打上一个大大的X。。。。暗桩闪现~~~
怎么办?怎么办?
思考下,有暗桩说明软件还有验证,验证应该还是要检测注册码,会不会依然和全局变量有关联?回头看启动代码:+3F8 是注册标志,+3F9 在 0042332D 被清零、在 0042439D 非零时走 "Expired" 分支;前面只把 +3F8 改成了 1,+3F9 以及注册表里的 Name/NO 值并没有动,所以若暗桩读的是这些,就不会受之前那处补丁的影响。
中学时的数学老师说的好:大胆假设,小心求证。验证下看看再说。查找所有常量(应是指对该全局对象 +3F8/+3F9 等偏移的引用),统统下断。修改图标。。。断下来了。。。wahhhhh。。。
004381CC/.55 push ebp
004381CD|.8BEC mov ebp, esp
004381CF|.83C4 A4 add esp, -5C
004381D2|.8955 B8 mov dword ptr , edx
004381D5|.8945 BC mov dword ptr , eax
004381D8|.B8 0C3E5000 mov eax, 00503E0C
004381DD|.E8 EA460A00 call 004DC8CC ;去掉x
004381E2|.8B15 64D15000 mov edx, dword ptr ;Pic2Ico2._IconConverter
004381E8|.8B0A mov ecx, dword ptr
004381EA 8A81 F9030000 mov al, byte ptr ;这次读的是 +3F9 (启动函数 0042332D 处清零、0042439D 处非零则显示 Expired 的那个字节), 不是前面改过的 +3F8
004381F0 8845 B7 mov byte ptr , al ;这个。。。又是一个关键变量。。。
004381F3 8B15 70D15000 mov edx, dword ptr ;Pic2Ico2._Form3
004381F9|.8B02 mov eax, dword ptr
004381FB|.05 1C030000 add eax, 31C
00438200|.E8 17F2FCFF call 0040741C
00438205|.48 dec eax
00438206 7E 53 jle short 0043825B
00438208|.66:C745 D0 08>mov word ptr , 8
0043820E|.BA 20355000 mov edx, 00503520 ;ASCII "FPJUNT"
00438213|.8D45 FC lea eax, dword ptr
00438216|.E8 5DF70A00 call 004E7978
0043821B|.FF45 DC inc dword ptr
0043821E|.8D55 FC lea edx, dword ptr
00438221|.8B0D 70D15000 mov ecx, dword ptr ;Pic2Ico2._Form3
00438227|.8B01 mov eax, dword ptr
00438229|.05 1C030000 add eax, 31C
0043822E|.E8 B9FA0A00 call 004E7CEC
00438233|.85C0 test eax, eax
00438235|.0F95C2 setne dl
00438238|.83E2 01 and edx, 1
0043823B|.52 push edx
0043823C|.FF4D DC dec dword ptr
0043823F|.8D45 FC lea eax, dword ptr
00438242|.BA 02000000 mov edx, 2
00438247|.E8 8CF80A00 call 004E7AD8
0043824C|.59 pop ecx
0043824D|.84C9 test cl, cl ;cl是关键啦
0043824F|.74 06 je short 00438257
00438251|.C645 B7 00 mov byte ptr , 0
00438255|.EB 04 jmp short 0043825B
00438257 C645 B7 01 mov byte ptr , 1 ;这次的变量应该赋值为0才行
0043825B|>807D B7 00 cmp byte ptr , 0
0043825F 0F84 DD000000 je 00438342 ;不跳就要打X了,0分,跳了100分
00438265|.8B45 BC mov eax, dword ptr
00438268|.8B80 DC040000 mov eax, dword ptr
0043826E|.8B10 mov edx, dword ptr
00438270|.FF52 2C call dword ptr
00438273|.85C0 test eax, eax
00438275|.79 03 jns short 0043827A
具体怎么验证的,我没有管。。直接修改:
mov byte ptr , 1为mov byte ptr , 0就OK了。
但是事情还是没有完。。。(画外音:这位讲故事的水平不高,老是“但是事情还是没有完”这一句。)
修改完图标,保存。这时,没有任何提示,但是你会发现什么都没有保存!星星还是那个星星,月亮还是那个月亮。。。崩溃。。。
祭出DEDE**,查找保存的按钮事件,来到:
00408838 $55 push ebp
00408839 .8BEC mov ebp, esp
0040883B .81C4 88FEFFFF add esp, -178
00408841 .53 push ebx
00408842 .56 push esi
00408843 .57 push edi
00408844 .8995 FCFEFFFF mov dword ptr , edx
0040884A .8985 00FFFFFF mov dword ptr , eax
00408850 .B8 ECE34F00 mov eax, 004FE3EC
00408855 .E8 72400D00 call 004DC8CC
0040885A .8B15 E0D65000 mov edx, dword ptr
.........................................................
00408F77 . /0F84 470B0000 je 00409AC4
00408F7D . |8B0D 70D15000 mov ecx, dword ptr ;Pic2Ico2._Form3
00408F83 . |8B01 mov eax, dword ptr
00408F85 . |05 1C030000 add eax, 31C
00408F8A . |E8 8DE4FFFF call 0040741C
00408F8F . |48 dec eax
00408F90 |7E 63 jle short 00408FF5
00408F92 . |66:C785 14FFF>mov word ptr , 0BC
00408F9B . |BA B9C54F00 mov edx, 004FC5B9 ;ASCII "DUR"
00408FA0 . |8D45 B8 lea eax, dword ptr
00408FA3 . |E8 D0E90D00 call 004E7978
00408FA8 . |FF85 20FFFFFF inc dword ptr
00408FAE . |8D55 B8 lea edx, dword ptr
00408FB1 . |8B0D 70D15000 mov ecx, dword ptr ;Pic2Ico2._Form3
00408FB7 . |8B01 mov eax, dword ptr
00408FB9 . |05 1C030000 add eax, 31C
00408FBE . |E8 29ED0D00 call 004E7CEC ;假码再次现身~~~(不是献身啦)
00408FC3 . |85C0 test eax, eax
00408FC5 . |0F94C2 sete dl
00408FC8 . |83E2 01 and edx, 1
00408FCB . |52 push edx
00408FCC . |FF8D 20FFFFFF dec dword ptr
00408FD2 . |8D45 B8 lea eax, dword ptr
00408FD5 . |BA 02000000 mov edx, 2
00408FDA . |E8 F9EA0D00 call 004E7AD8
00408FDF . |59 pop ecx
00408FE0 . |84C9 test cl, cl
00408FE2 . |74 11 je short 00408FF5 ;那么,这个CL还是关键哦。。。,改为jmp
00408FE4 . |8B85 04FFFFFF mov eax, dword ptr
00408FEA . |64:A3 0000000>mov dword ptr fs:, eax
00408FF0 . |E9 DC0A0000 jmp 00409AD1
00408FF5 > \8B95 00FFFFFF mov edx, dword ptr
00408FFB .8B82 F4020000 mov eax, dword ptr
00409001 .E8 C25E0A00 call 004AEEC8 ;保存的格式
00409006 .48 dec eax
00409007 .0F85 00040000 jnz 0040940D
0040900D .66:C785 14FFF>mov word ptr , 0D4
00409016 .8D45 B0 lea eax, dword ptr
00409019 .E8 B29AFFFF call 00402AD0
0040901E .8BD0 mov edx, eax
00409020 .FF85 20FFFFFF inc dword ptr
00409026 .8B8D 00FFFFFF mov ecx, dword ptr
0040902C .8B81 F4020000 mov eax, dword ptr
00409032 .E8 395E0A00 call 004AEE70
00409037 .8D55 B0 lea edx, dword ptr
0040903A .FF32 push dword ptr
0040903C .8D45 B4 lea eax, dword ptr
0040903F .E8 8C9AFFFF call 00402AD0
00409044 .50 push eax
00409045 .FF85 20FFFFFF inc dword ptr
0040904B .BA BDC54F00 mov edx, 004FC5BD ;ASCII ".ico"
00409050 .8D45 AC lea eax, dword ptr
00409053 .E8 20E90D00 call 004E7978
00409058 .FF85 20FFFFFF inc dword ptr
0040905E .8B10 mov edx, dword ptr
00409060 .59 pop ecx
00409061 .58 pop eax
00409062 .E8 6D6E0500 call 0045FED4
00409067 .FF8D 20FFFFFF dec dword ptr
0040906D .8D45 AC lea eax, dword ptr
00409070 .BA 02000000 mov edx, 2
00409075 .E8 5EEA0D00 call 004E7AD8
0040907A .FF8D 20FFFFFF dec dword ptr
00409080 .8D45 B0 lea eax, dword ptr
00409083 .BA 02000000 mov edx, 2
00409088 .E8 4BEA0D00 call 004E7AD8
0040908D .66:C785 14FFF>mov word ptr , 0C8
00409096 .C685 A3FEFFFF>mov byte ptr , 0
0040909D .8B45 B4 mov eax, dword ptr
004090A0 .E8 6B6C0500 call 0045FD10 ;图标是否已存在
004090A5 .84C0 test al, al
004090A7 .0F84 8C020000 je 00409339
004090AD .6A 23 push 23
004090AF .68 39C64F00 push 004FC639 ;ASCII "Insert or overwrite"
004090B4 .66:C785 14FFF>mov word ptr , 0EC
004090BD .8D45 A8 lea eax, dword ptr
004090C0 .E8 0B9AFFFF call 00402AD0
004090C5 .8BC8 mov ecx, eax
004090C7 .FF85 20FFFFFF inc dword ptr
004090CD .8D55 B4 lea edx, dword ptr
004090D0 .B8 C2C54F00 mov eax, 004FC5C2 ;ASCII "Icon file",LF
004090D5 .E8 1EF00D00 call 004E80F8
004090DA .8D55 A8 lea edx, dword ptr
...........................................
00409AAF .59 pop ecx
00409AB0 .83BD BCFEFFFF>cmp dword ptr , 0 ;删除图标
00409AB7 74 0B je short 00409AC4
00409AB9 .FFB5 BCFEFFFF push dword ptr ; /hCursor
00409ABF .E8 E01D0F00 call <jmp.&USER32.DestroyCursor> ; \DestroyCursor
00409AC4 >8B8D 04FFFFFF mov ecx, dword ptr
00409ACA .64:890D 00000>mov dword ptr fs:, ecx
00409AD1 >5F pop edi
00409AD2 .5E pop esi
00409AD3 .5B pop ebx
00409AD4 .8BE5 mov esp, ebp
00409AD6 .5D pop ebp
00409AD7 .C3 retn
最后还被摆了一道,检测不通过,生成的图标还是要被删除!BTBTBTBTBT。。。。
je short 00409AC4改为jmp。图标终于可以保存了。。。。
但是事情还是没有完。。。哈哈,我说说而已啦!破这个软件用了2小时,写这篇文章却用了一上午。。。破解过程是完了,天知道是不是还有其他暗桩,思路就是这样了,再有问题的话再说吧。。。
【经验总结】大胆假设,小心求证。
【版权声明】: 本文原创zaas, 转载请注明作者并保持文章的完整, 谢谢!
------------------------------------------------------------------------------------
【后 记】
果然，还是“但是事情还是没有完。。。”检查发现保存icon的时候还有一个验证。第一次保存成功，第二次就有问题，而且这时候about窗口重新显示unregister。（难道是刚刚调试的时候试用次数还没到的缘故？）
跟进:
00408CA6 > /8B15 70D15000 mov edx, dword ptr ;Pic2Ico2._Form3
00408CAC . |8B02 mov eax, dword ptr
00408CAE . |05 1C030000 add eax, 31C
00408CB3 . |E8 4C91FFFF call 00401E04
00408CB8 . |8B95 C0FEFFFF mov edx, dword ptr
00408CBE . |8A0C10 mov cl, byte ptr
00408CC1 . |888D C7FEFFFF mov byte ptr , cl
00408CC7 . |0FBE85 C7FEFF>movsx eax, byte ptr ;假码字符串
00408CCE . |83F8 30 cmp eax, 30
00408CD1 . |7C 12 jl short 00408CE5
00408CD3 . |0FBE95 C7FEFF>movsx edx, byte ptr ;取假码字符
00408CDA . |83FA 39 cmp edx, 39 ;验证假码在0-9之间的数字有几个
00408CDD . |7F 06 jg short 00408CE5
00408CDF . |FF85 C8FEFFFF inc dword ptr
00408CE5 > |FF85 C0FEFFFF inc dword ptr
00408CEB > |8B0D 70D15000 mov ecx, dword ptr ;Pic2Ico2._Form3
00408CF1 . |8B01 mov eax, dword ptr
00408CF3 . |05 1C030000 add eax, 31C
00408CF8 . |E8 1FE7FFFF call 0040741C
00408CFD . |3B85 C0FEFFFF cmp eax, dword ptr ;必须大于8个
00408D03 .^\7F A1 jg short 00408CA6
00408D05 .83BD C8FEFFFF>cmp dword ptr , 8
00408D0C .7E 0D jle short 00408D1B
00408D0E .8B95 00FFFFFF mov edx, dword ptr
00408D14 .C682 F8030000>mov byte ptr , 0
00408D1B >8B0D E0D65000 mov ecx, dword ptr
00408D21 .80B9 F8030000>cmp byte ptr , 0 ;又见全局变量
00408D28 .75 3A jnz short 00408D64
00408D2A .A1 E0D65000 mov eax, dword ptr
00408D2F .80B8 F9030000>cmp byte ptr , 0 ;也是全局变量了吗?
00408D36 .74 2C je short 00408D64
00408D38 .8B15 E0D65000 mov edx, dword ptr
00408D3E .C682 F9030000>mov byte ptr , 1
00408D45 .8B0D 40D45000 mov ecx, dword ptr ;Pic2Ico2.00514CDC
00408D4B .8B01 mov eax, dword ptr
00408D4D .E8 36FB0900 call 004A8888
00408D52 .8B95 04FFFFFF mov edx, dword ptr
00408D58 .64:8915 00000>mov dword ptr fs:, edx
00408D5F .E9 6D0D0000 jmp 00409AD1
修改00408D14 .C682 F8030000>mov byte ptr , 0为mov byte ptr , 1 解决。
好长啊,学习了,哈哈 还是不加的代码看起来更舒服些 ~
这个软件 麻雀虽小五脏俱全啊 感谢楼主整理分享 好,我编辑一下。 佩服LZ耐心,这个软件的验证还真多,请问各位大侠“全局变量”作何解释? 爆破有时候比算法还难,本软件就是 强,学习了/:good 分析的精彩。耐心更加了得。 看到一次全局变量,直接搜索相同指令可以不?
直接搜索"80B8 F8030000>cmp byte ptr , 0"这条指令应该能扫除一大堆的校验吧。
明天也去看看去。 来看美女图的!顺便学习一下算法!分析过程很详细,楼主辛苦 ! 学习下,感谢分享经验