SPX Studio Cracking Approach (Newbie Edition)
Software name: SPX Studio 2.1
Software language: English
Software category: Foreign
Runs on: Win9x/NT/2000/XP
Software size: 1.7MB
Description: Explain your screen captures by adding basic annotations like: highlights, balloons, sticky notes, text areas, images. It makes the difference between a plain screen capture and an intelligent one.
Download: http://www.moodysoft.com/studio/sdsetup.exe
1. The program is not packed; it is a Borland Delphi 6.0 - 7.0 executable.
2. Run the software and enter an arbitrary user name and registration code. It shows "Invalid User Name or Product ID. Please try again", which is exactly the string we need. Load the program in OllyDbg and search for that string; as expected the result shows up right away. Double-click it and scroll up:
Starting from here:
004BAF0D 55 push ebp
004BAF0E 68 8AB04B00 push Studio.004BB08A
004BAF13 64:FF30 push dword ptr fs:[eax]
004BAF16 64:8920 mov dword ptr fs:[eax],esp
004BAF19 8D55 FC lea edx,dword ptr ss:[ebp-4]
004BAF1C 8B83 180300>mov eax,dword ptr ds:[ebx+318]
004BAF22 E8 49BDF8FF call Studio.00446C70
004BAF27 837D FC 00 cmp dword ptr ss:[ebp-4],0
004BAF2B 74 14 je short Studio.004BAF41 ; check whether the user name is empty
004BAF2D 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004BAF30 8B83 280300>mov eax,dword ptr ds:[ebx+328]
004BAF36 E8 35BDF8FF call Studio.00446C70
004BAF3B 837D F8 00 cmp dword ptr ss:[ebp-8],0
004BAF3F 75 34 jnz short Studio.004BAF75 ; check whether the product ID is empty; if it is not, continue
004BAF41 6A 30 push 30
004BAF43 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004BAF46 A1 4CB24C00 mov eax,dword ptr ds:
004BAF4B 8B00 mov eax,dword ptr ds:[eax]
004BAF4D E8 A6BFFAFF call Studio.00466EF8
004BAF52 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004BAF55 E8 369BF4FF call Studio.00404A90
004BAF5A 50 push eax
004BAF5B 68 98B04B00 push Studio.004BB098 ; ASCII "To obtain your UserName and Product ID please buy a licence."
004BAF60 A1 4CB24C00 mov eax,dword ptr ds:
004BAF65 8B00 mov eax,dword ptr ds:[eax]
004BAF67 8B40 30 mov eax,dword ptr ds:[eax+30]
004BAF6A 50 push eax
004BAF6B E8 80C5F4FF call <jmp.&user32.MessageBoxA>
004BAF70 E9 D8000000 jmp Studio.004BB04D
004BAF75 66:83BB 3A0>cmp word ptr ds:[ebx+33A],0
004BAF7D 0F84 CA0000>je Studio.004BB04D
004BAF83 6A 01 push 1
004BAF85 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004BAF88 8B83 280300>mov eax,dword ptr ds:[ebx+328]
004BAF8E E8 DDBCF8FF call Studio.00446C70
004BAF93 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004BAF96 50 push eax ; our fake product ID appears here
004BAF97 8D55 EC lea edx,dword ptr ss:[ebp-14]
004BAF9A 8B83 180300>mov eax,dword ptr ds:[ebx+318]
004BAFA0 E8 CBBCF8FF call Studio.00446C70
004BAFA5 8B55 EC mov edx,dword ptr ss:[ebp-14]
004BAFA8 59 pop ecx
004BAFA9 8B83 3C0300>mov eax,dword ptr ds:[ebx+33C]
004BAFAF FF93 380300>call dword ptr ds:[ebx+338] ; algorithm call (1), step into it
004BAFB5 84C0 test al,al
004BAFB7 74 65 je short Studio.004BB01E ; scrolling down shows that if this jump is not taken, registration succeeds, so the test above is a flag check
004BAFB9 6A 30 push 30
004BAFBB 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004BAFBE A1 4CB24C00 mov eax,dword ptr ds:
004BAFC3 8B00 mov eax,dword ptr ds:[eax]
004BAFC5 E8 2EBFFAFF call Studio.00466EF8
004BAFCA 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004BAFCD E8 BE9AF4FF call Studio.00404A90
004BAFD2 50 push eax
004BAFD3 68 E0B04B00 push Studio.004BB0E0 ; ASCII "Thank you for registering "
Following algorithm call (1), we arrive here:
004BA7A1 53 push ebx
004BA7A2 56 push esi
004BA7A3 57 push edi
004BA7A4 894D F8 mov dword ptr ss:[ebp-8],ecx ; fake product ID
004BA7A7 8955 FC mov dword ptr ss:[ebp-4],edx ; fake user name
004BA7AA 8BD8 mov ebx,eax
004BA7AC 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BA7AF E8 CCA2F4FF call Studio.00404A80
004BA7B4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004BA7B7 E8 C4A2F4FF call Studio.00404A80
004BA7BC 33C0 xor eax,eax
004BA7BE 55 push ebp
004BA7BF 68 09A94B00 push Studio.004BA909
004BA7C4 64:FF30 push dword ptr fs:[eax]
004BA7C7 64:8920 mov dword ptr fs:[eax],esp
004BA7CA C645 F7 00 mov byte ptr ss:[ebp-9],0
004BA7CE A0 1CA94B00 mov al,byte ptr ds:
004BA7D3 50 push eax
004BA7D4 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004BA7D7 50 push eax
004BA7D8 33C9 xor ecx,ecx
004BA7DA BA 28A94B00 mov edx,Studio.004BA928
004BA7DF 8B45 FC mov eax,dword ptr ss:[ebp-4]
004BA7E2 E8 C933F5FF call Studio.0040DBB0
004BA7E7 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004BA7EA 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004BA7ED E8 2EE1F4FF call Studio.00408920
004BA7F2 837D E8 00 cmp dword ptr ss:[ebp-18],0
004BA7F6 0F84 E50000>je Studio.004BA8E1
004BA7FC 837D F8 00 cmp dword ptr ss:[ebp-8],0
004BA800 0F84 DB0000>je Studio.004BA8E1
004BA806 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004BA809 BA 34A94B00 mov edx,Studio.004BA934 ; ASCII "life"
004BA80E E8 659EF4FF call Studio.00404678
004BA813 8D45 EC lea eax,dword ptr ss:[ebp-14] ; 4kg, interesting
004BA816 BA 44A94B00 mov edx,Studio.004BA944 ; ASCII "is soft and moody"
004BA81B E8 589EF4FF call Studio.00404678
004BA820 33C9 xor ecx,ecx
004BA822 B2 01 mov dl,1
004BA824 A1 54604B00 mov eax,dword ptr ds:
004BA829 E8 12CDFFFF call Studio.004B7540
004BA82E 8BF0 mov esi,eax
004BA830 8B0D D0754B>mov ecx,dword ptr ds:; Studio.004B761C
004BA836 8B53 38 mov edx,dword ptr ds:[ebx+38]
004BA839 8BC6 mov eax,esi
004BA83B E8 A8E4FEFF call Studio.004A8CE8 ; if you understand the algorithm, you can step in and take a look
004BA840 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
004BA843 8B55 E8 mov edx,dword ptr ss:[ebp-18]
004BA846 8BC6 mov eax,esi
004BA848 8B38 mov edi,dword ptr ds:[eax]
004BA84A FF57 54 call dword ptr ds:[edi+54]
004BA84D 8BC6 mov eax,esi
004BA84F 8B10 mov edx,dword ptr ds:[eax]
004BA851 FF52 44 call dword ptr ds:[edx+44]
004BA854 8BC6 mov eax,esi
004BA856 E8 958FF4FF call Studio.004037F0
004BA85B 33C9 xor ecx,ecx
004BA85D B2 01 mov dl,1
004BA85F A1 60A94A00 mov eax,dword ptr ds:
004BA864 E8 CBE8FEFF call Studio.004A9134
004BA869 8BF0 mov esi,eax
004BA86B 8B0D 00BA4A>mov ecx,dword ptr ds:; Studio.004ABA4C
004BA871 8B53 3C mov edx,dword ptr ds:[ebx+3C]
004BA874 8BC6 mov eax,esi
004BA876 E8 6DE4FEFF call Studio.004A8CE8
004BA87B 8D4D EC lea ecx,dword ptr ss:[ebp-14]
004BA87E 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004BA881 8BC6 mov eax,esi
004BA883 8B38 mov edi,dword ptr ds:[eax]
004BA885 FF57 58 call dword ptr ds:[edi+58]
004BA888 8BC6 mov eax,esi
004BA88A 8B10 mov edx,dword ptr ds:[eax]
004BA88C FF52 44 call dword ptr ds:[edx+44]
004BA88F 8BC6 mov eax,esi
004BA891 E8 5A8FF4FF call Studio.004037F0
004BA896 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004BA899 8B55 EC mov edx,dword ptr ss:[ebp-14]
004BA89C E8 3BA1F4FF call Studio.004049DC
004BA8A1 0F94C0 sete al
004BA8A4 8843 34 mov byte ptr ds:[ebx+34],al
004BA8A7 807B 34 00 cmp byte ptr ds:[ebx+34],0
004BA8AB 74 34 je short Studio.004BA8E1 ; key jump; NOP it out and registration succeeds
004BA8AD 8D43 40 lea eax,dword ptr ds:[ebx+40]
004BA8B0 8B55 FC mov edx,dword ptr ss:[ebp-4]
004BA8B3 B9 FF000000 mov ecx,0FF
004BA8B8 E8 B79FF4FF call Studio.00404874
004BA8BD 8D83 400100>lea eax,dword ptr ds:[ebx+140]
004BA8C3 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004BA8C6 B9 FF000000 mov ecx,0FF
004BA8CB E8 A49FF4FF call Studio.00404874
004BA8D0 807D 08 00 cmp byte ptr ss:[ebp+8],0
004BA8D4 74 07 je short Studio.004BA8DD
004BA8D6 8BC3 mov eax,ebx
004BA8D8 E8 0B020000 call Studio.004BAAE8
004BA8DD C645 F7 01 mov byte ptr ss:[ebp-9],1
004BA8E1 33C0 xor eax,eax
After patching this spot and running the software, the registration dialog still appears, so we continue the analysis. Using the key strings as a reference, we find the following patch point:
004BA4FB /0F85 9F0100>jnz Studio.004BA6A0 ; change this to an unconditional jmp and the registration dialog goes away
After modifying both spots, registration succeeds.
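As an added example (not code from the original post), a small Python parser for the OllyDbg listing format used above: it splits each line into address, opcode bytes, assembly and comment, then collects the jump targets and the ASCII string references so the control flow described in the comments can be checked against the listing itself. The sample lines are copied from the listing above; the module name in jump operands is matched generically rather than assuming "Studio".

```python
import re
# Sample input: a few lines copied from the OllyDbg listing above.
LISTING = """\
004BAF27 837D FC 00 cmp dword ptr ss:[ebp-4],0
004BAF2B 74 14 je short Studio.004BAF41 ; check whether the user name is empty
004BAF5B 68 98B04B00 push Studio.004BB098 ; ASCII "To obtain your UserName and Product ID please buy a licence."
004BAF75 66:83BB 3A0>cmp word ptr ds:[ebx+33A],0
004BAFB5 84C0 test al,al
004BAFB7 74 65 je short Studio.004BB01E
004BA4FB /0F85 9F0100>jnz Studio.004BA6A0
"""

# Address, opcode bytes (optional "/" jump arrow, optional "64:" segment prefix,
# optional ">" where OllyDbg truncated the byte column), assembly, ";" comment.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<bytes>/?(?:[0-9A-F]{2}:)?[0-9A-F]+(?:\s+[0-9A-F]+)*>?)\s*"
    r"(?P<asm>[^;]*?)\s*(?:;\s*(?P<comment>.*))?$"
)
# Any jump to a "Module.ADDRESS" operand, with or without the "short" keyword.
BRANCH_RE = re.compile(r"^(?P<mn>j[a-z]+)\s+(?:short\s+)?\w+\.(?P<target>[0-9A-F]{8})$")

def parse_listing(text):
    """Parse each line into {addr, bytes, asm, comment}; lines not in the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["asm"] = row["asm"].strip()
            rows.append(row)
    return rows

def branches(rows):
    """(addr, mnemonic, target, is_conditional) for every jump in the listing."""
    out = []
    for r in rows:
        m = BRANCH_RE.match(r["asm"])
        if m:
            out.append((r["addr"], m["mn"], m["target"], m["mn"] != "jmp"))
    return out

def string_refs(rows):
    """(addr, text) for every line whose comment carries an ASCII string literal."""
    out = []
    for r in rows:
        m = re.search(r'ASCII "(.*)"', r["comment"] or "")
        if m:
            out.append((r["addr"], m.group(1)))
    return out
```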
Summary: I only know a bit about patching; algorithm analysis and article writing are not my strong points. Please point out anything that is incomplete or wrong!

Brother, your analysis is very clear. Learned something!

Brother, you're great, learned something again!!

Originally posted by 绝恋风尘 on 2006-8-26 18:00
Brother, you're great, learned something again!!

You flatter me :$

Learned... thanks