开新讨论课题,对某个证件软件的破解
本帖最后由 ljjdpyg 于 2011-5-17 10:58 编辑
为了回避作者以版权纠纷来搞我们的论坛,特改了下标题。
软件限制:功能限制——保存功能不能用;水印限制——圆圈+未注册水印;
保存有次数限制。
逐个击破后,水印限制在下面我有标出。本来打算NOP掉的,可问题来了:NOP掉那个CALL,水印虽然都没了,但是当你保存好或者打印后,软件会自动退出,没NOP掉的时候就不会,所以请大家调试下,互相探讨下。
005090C0 8D8D E4FEFFFF lea ecx,dword ptr ss:
005090C6 .BA 32000000 mov edx,0x32
005090CB .B8 64000000 mov eax,0x64
005090D0 .E8 6B83FAFF call ptPrint.004B1440
005090D5 .8D85 E4FEFFFF lea eax,dword ptr ss:
005090DB .50 push eax
005090DC .6A 00 push 0x0
005090DE .33C9 xor ecx,ecx
005090E0 .B2 FF mov dl,0xFF
005090E2 .33C0 xor eax,eax
005090E4 .E8 BB83FAFF call ptPrint.004B14A4
005090E9 .50 push eax
005090EA .68 FF000000 push 0xFF
005090EF .33C9 xor ecx,ecx
005090F1 .33D2 xor edx,edx
005090F3 .B0 FF mov al,0xFF
005090F5 .E8 AA83FAFF call ptPrint.004B14A4
005090FA .50 push eax
005090FB .8D8D DCFEFFFF lea ecx,dword ptr ss:
00509101 .BA 0A000000 mov edx,0xA
00509106 .33C0 xor eax,eax
00509108 .E8 3383FAFF call ptPrint.004B1440
0050910D .8D8D DCFEFFFF lea ecx,dword ptr ss:
00509113 .B2 01 mov dl,0x1
00509115 .A1 88174B00 mov eax,dword ptr ds:
0050911A .E8 E18AFAFF call ptPrint.004B1C00
0050911F .8985 78FFFFFF mov dword ptr ss:,eax
00509125 .DB85 44FFFFFF fild dword ptr ss:
0050912B .DB85 4CFFFFFF fild dword ptr ss:
00509131 .D835 F0945000 fdiv dword ptr ds:
00509137 .DEC1 faddp st(1),st
00509139 .83C4 FC add esp,-0x4
0050913C .D91C24 fstp dword ptr ss:
0050913F .9B wait
00509140 .DB85 48FFFFFF fild dword ptr ss:
00509146 .DB85 50FFFFFF fild dword ptr ss:
0050914C .D835 F0945000 fdiv dword ptr ds:
00509152 .DEC1 faddp st(1),st
00509154 .83C4 FC add esp,-0x4
00509157 .D91C24 fstp dword ptr ss:
0050915A .9B wait
0050915B .68 0000C842 push 0x42C80000
00509160 .68 00004842 push 0x42480000
00509165 .8B95 78FFFFFF mov edx,dword ptr ss:
0050916B .8B45 F0 mov eax,dword ptr ss:
0050916E E8 4991FAFF call ptPrint.004B22BC ;调用水印圆圈
00509173 .6A 00 push 0x0
00509175 .B9 F8945000 mov ecx,ptPrint.005094F8 ;T
0050917A .B2 01 mov dl,0x1
0050917C .A1 0C154B00 mov eax,dword ptr ds:
00509181 .E8 0694FAFF call ptPrint.004B258C
00509186 .8945 84 mov dword ptr ss:,eax
00509189 .68 0000C041 push 0x41C00000
0050918E .6A 00 push 0x0
00509190 .6A 02 push 0x2
00509192 .8B4D 84 mov ecx,dword ptr ss:
00509195 .B2 01 mov dl,0x1
00509197 .A1 68154B00 mov eax,dword ptr ds:
0050919C .E8 A794FAFF call ptPrint.004B2648
005091A1 .8945 80 mov dword ptr ss:,eax
005091A4 .6A 00 push 0x0
005091A6 .33C9 xor ecx,ecx
005091A8 .33D2 xor edx,edx
005091AA .B0 FF mov al,0xFF
005091AC .E8 F382FAFF call ptPrint.004B14A4
005091B1 .8BC8 mov ecx,eax
005091B3 .B2 01 mov dl,0x1
005091B5 .A1 28174B00 mov eax,dword ptr ds:
005091BA .E8 ED89FAFF call ptPrint.004B1BAC
005091BF .8985 7CFFFFFF mov dword ptr ss:,eax
005091C5 .33C0 xor eax,eax
005091C7 .55 push ebp
005091C8 .68 6C925000 push ptPrint.0050926C
005091CD .64:FF30 push dword ptr fs:
005091D0 .64:8920 mov dword ptr fs:,esp
005091D3 .8B45 80 mov eax,dword ptr ss:
005091D6 .50 push eax
005091D7 .DB85 44FFFFFF fild dword ptr ss:
005091DD .DB85 4CFFFFFF fild dword ptr ss:
005091E3 .D835 F0945000 fdiv dword ptr ds:
005091E9 .DEC1 faddp st(1),st
005091EB .83C4 FC add esp,-0x4
005091EE .D91C24 fstp dword ptr ss:
005091F1 .9B wait
005091F2 .DB85 48FFFFFF fild dword ptr ss:
005091F8 .DB85 50FFFFFF fild dword ptr ss:
005091FE .D835 F0945000 fdiv dword ptr ds:
00509204 .DEC1 faddp st(1),st
00509206 .83C4 FC add esp,-0x4
00509209 .D91C24 fstp dword ptr ss:
0050920C .9B wait
0050920D .8D85 E4FEFFFF lea eax,dword ptr ss:
00509213 E8 3082FAFF call ptPrint.004B1448
00509218 .8D85 E4FEFFFF lea eax,dword ptr ss:
0050921E .50 push eax
0050921F .8B85 7CFFFFFF mov eax,dword ptr ss:
00509225 .50 push eax
00509226 .B9 03000000 mov ecx,0x3
0050922B .BA 1C955000 mov edx,ptPrint.0050951C
00509230 .8B45 F0 mov eax,dword ptr ss:
00509233 E8 6491FAFF call ptPrint.004B239C ;调用水印字体
00509238 .33C0 xor eax,eax
0050923A .5A pop edx
0050923B .59 pop ecx
0050923C .59 pop ecx
0050923D 64:8910 mov dword ptr fs:,edx
00509240 68 73925000 push ptPrint.00509273
00509245 8B85 7CFFFFFF mov eax,dword ptr ss:
0050924B E8 6CAAEFFF call ptPrint.00403CBC
00509250 8B45 84 mov eax,dword ptr ss:
00509253 E8 64AAEFFF call ptPrint.00403CBC
00509258 8B45 80 mov eax,dword ptr ss:
0050925B E8 5CAAEFFF call ptPrint.00403CBC
00509260 8B85 78FFFFFF mov eax,dword ptr ss:
00509266 E8 51AAEFFF call ptPrint.00403CBC
0050926B .C3 retn
以最新版2.5为例:
定位水印点:
bp GdipFillEllipse
bp GdipDrawString
005093DDWAIT ; 改法1:
005093DEPUSH 42C80000 ; ★push 0★
005093E3PUSH 42480000 ; ★push 0★
005093E8MOV EDX,DWORD PTR SS:
005093EEMOV EAX,DWORD PTR SS:
005093F1CALL unpacked.004B22BC ; 蓝色圈圈 改法2:F7进入后 改为ret 10
005093F6PUSH 0
005093F8MOV ECX,unpacked.00509784 ; UNICODE "Times New Roman"
005093FDMOV DL,1
005093FFMOV EAX,DWORD PTR DS:
00509404CALL unpacked.004B258C
00509409MOV DWORD PTR SS:,EAX
0050940CPUSH 41C00000
00509411PUSH 0
00509413PUSH 2
00509415MOV ECX,DWORD PTR SS:
00509418MOV DL,1
0050941AMOV EAX,DWORD PTR DS:
0050941FCALL unpacked.004B2648
00509424MOV DWORD PTR SS:,EAX
0050942APUSH 0
0050942CXOR ECX,ECX
0050942EXOR EDX,EDX
00509430MOV AL,0FF
00509432CALL unpacked.004B14A4
00509437MOV ECX,EAX
00509439MOV DL,1
0050943BMOV EAX,DWORD PTR DS:
00509440CALL unpacked.004B1BAC
00509445MOV DWORD PTR SS:,EAX
0050944BXOR EAX,EAX
0050944DPUSH EBP
0050944EPUSH unpacked.005094F8
00509453PUSH DWORD PTR FS:
00509456MOV DWORD PTR FS:,ESP
00509459MOV EAX,DWORD PTR SS:
0050945FPUSH EAX
00509460FILD DWORD PTR SS:
00509466FILD DWORD PTR SS:
0050946CFDIV DWORD PTR DS:
00509472FADDP ST(1),ST
00509474ADD ESP,-4
00509477FSTP DWORD PTR SS:
0050947AWAIT
0050947BFILD DWORD PTR SS:
00509481FILD DWORD PTR SS:
00509487FDIV DWORD PTR DS:
0050948DFADDP ST(1),ST
0050948FADD ESP,-4
00509492FSTP DWORD PTR SS:
00509495WAIT
00509496LEA EAX,DWORD PTR SS:
0050949CCALL unpacked.004B1448
005094A1LEA EAX,DWORD PTR SS:
005094A7PUSH EAX
005094A8MOV EAX,DWORD PTR SS:
005094AEPUSH EAX
005094AFMOV ECX,3 ; ★mov ecx,0★
005094B4MOV EDX,unpacked.005097A8
005094B9MOV EAX,DWORD PTR SS:
005094BCCALL unpacked.004B239C ; 文字
005094C1XOR EAX,EAX
005094C3POP EDX
005094C4POP ECX
005094C5POP ECX
005094C6MOV DWORD PTR FS:,EDX
005094C9PUSH unpacked.005094FF
005094CEMOV EAX,DWORD PTR SS:
005094D4CALL unpacked.00403CBC
005094D9MOV EAX,DWORD PTR SS:
005094DCCALL unpacked.00403CBC
005094E1MOV EAX,DWORD PTR SS:
005094E7CALL unpacked.00403CBC
005094ECMOV EAX,DWORD PTR SS:
005094F2CALL unpacked.00403CBC
005094F7RETN
回复 2# 飘云
谢谢飘云大哥,图片和文字利用不同原理, PUSH 03改成0即未注册等于0图片水印ret 10
005093DEPUSH 42C80000 ; ★push 0★改法1这里,把42c80000改成0 难道42C80000是传递圆圈水印的地址?
005093E3PUSH 42480000 ; ★push 0★ 回复 3# ljjdpyg
领悟到了,谢谢大哥 005094BCCALL unpacked.004B239C ; 文字这里,F7进入后改ret 0x0也达到效果
005094C1XOR EAX,EAX
005094C3POP EDX
005094C4POP ECX
005094C5POP ECX
005094C6MOV DWORD PTR FS:,EDX
005094C9PUSH unpacked.005094FF
005094CEMOV EAX,DWORD PTR SS:
005094D4CALL unpacked.00403CBC
005094D9MOV EAX,DWORD PTR SS:
005094DCCALL unpacked.00403CBC
005094E1MOV EAX,DWORD PTR SS:
005094E7CALL unpacked.00403CBC
005094ECMOV EAX,DWORD PTR SS:
005094F2CALL unpacked.00403CBC