PCHeal 2.5.26.2014 Patching Analysis
This post was last edited by beijingren on 2014-6-12 06:50.
【Title】PCHeal 2.5.26.2014 patching analysis
【Author】Beijingren
【Author email】[email protected]
【Author homepage】www.meiyou.com
【Tools】PEiD, OllyDbg 1.10
【Platform】Windows XP SP2
【Software name】PCHeal 2.5.26.2014
【Software size】3.8MB
【Original download】http://download.pchome.net/game/tools/download-9871.html Official download address: http://www.swiftdog.com/downloads/pcheal.exe (since updated; the software has also been renamed to PCMedik)
【Protection】Registry
【Software description】PCHeal sets the standard for PC optimizing software. PCHeal locates and repairs problems with software and hardware incompatibilities which lead to computer performance issues. Very easy to use, fully compliant with all versions of Microsoft Windows and adjusts itself to your computer specifications. Take your existing PC and revitalize it the easy way.
【Disclaimer】I don't really understand the technology; this is all just fumbling around. Any resemblance to other write-ups is pure coincidence.
------------------------------------------------------------------------
【Process】PEiD: no packer, Delphi.
PCHealRegister.exe is found in the program directory; registration is probably done by calling this program.
Ctrl+G to 401000 and search for Unicode strings.
Found the text string: \Software\SwiftDog\PCHeal\
immediately followed by "Name" and "Serial".
Follow it in and set a breakpoint at the start of the function:
0055C9A4  $  55              PUSH EBP
0055C9A5  .  8BEC            MOV EBP, ESP
0055C9A7  .  33C9            XOR ECX, ECX
0055C9A9  .  51              PUSH ECX
......
0055C9EB  .  BA 2CCB5500     MOV EDX, PCHeal.0055CB2C        ; \Software\SwiftDog\PCHeal\
0055C9F0  .  E8 37A1EAFF     CALL PCHeal.00406B2C
0055C9F5  .  837D FC 00      CMP DWORD PTR SS:[EBP-4], 0x0   ; is the serial empty?
0055C9F9  .  74 06           JE SHORT PCHeal.0055CA01
0055C9FB  .  837D F8 00      CMP DWORD PTR SS:[EBP-8], 0x0   ; is the user name empty?
0055C9FF  .  75 2E           JNZ SHORT PCHeal.0055CA2F
0055CA01  >  6A 00           PUSH 0x0
......
0055CA35  .  E8 8A110000     CALL PCHeal.0055DBC4
0055CA3A     3C 01           CMP AL, 0x1                     ; compare the flag AL with 1
0055CA3C  .  75 76           JNZ SHORT PCHeal.0055CAB4       ; if not registered, jump away to the code that clears the Name and Serial registry values
With a fake serial, the flag's return value is observed to be 0, so I changed the flag comparison and saved.
Test-running the saved file: although the registration prompt at the bottom of the program window disappeared, clicking About did not show the user name after "License to:". Looking in the registry, the relevant values had been cleared. The program has verification in other places too, which clears the registry values when it finds it is unregistered.
Following the CALL above the flag comparison to look for where AL is assigned, I found this:
0055DD51  >  84C0            TEST AL, AL
0055DD53  .  74 04           JE SHORT PCHeal.0055DD59        ; jumps to clearing EBX
0055DD55  .  B3 01           MOV BL, 0x1                     ; sets BL to 1
0055DD57  .  EB 02           JMP SHORT PCHeal.0055DD5B       ; skips clearing EBX
......
0055DD93  .  8BC3            MOV EAX, EBX                    ; moves the result into EAX
0055DD95  .  5F              POP EDI
0055DD96  .  5E              POP ESI
0055DD97  .  5B              POP EBX
0055DD98  .  8BE5            MOV ESP, EBP
0055DD9A  .  5D              POP EBP
0055DD9B  .  C3              RETN
NOP out the JE at 0055DD53 and save.
After filling in the Name and Serial registry values, it displays "License to: BEIJINGREN" correctly.
I can't do the algorithm analysis; the algorithm call is in PCHealRegister.exe.
Anyone interested can debug it.
The registry information is as follows:
"InstalledDate"="2014-6-9 下午 09:01:23"
"ProcessorType"=dword:ffffffff
"Language"="english"
"Name"="BEIJINGREN"
"Restore"=dword:00000000
"Serial"="174L367CN000000"
"SpeedSetting"=dword:00000000
"Updated"=dword:00000000
"UpdatedDate"="2014-6-9 下午 09:01:23"
------------------------------------------------------------------------
【Copyright】All rights reserved; piracy will not be pursued. If you repost, please credit the source.

0055DBC4: check how many places call this function, and analyse where the return value is stored. Thanks to N大 for the guidance; I'll take another look when I get back tonight!
This morning I'll first watch lesson 4 of the training, otherwise I'll fall behind.

Following Z大's hint, I looked at the call to the function at 0055DBC4; there is only one.
Continuing to trace downward from the flag comparison, I found the code that clears the registry information; following the call, it turns out to have 16 call sites in total:
0055CAB6  .  6A 00           PUSH 0x0
0055CAB8  .  6A 00           PUSH 0x0
0055CABA  .  B9 70CB5500     MOV ECX, PCHeal.0055CB70        ; Name
0055CABF  .  8B55 F4         MOV EDX, DWORD PTR SS:[EBP-0xC]
0055CAC2  .  8BC6            MOV EAX, ESI
0055CAC4  .  E8 F767F9FF     CALL PCHeal.004F32C0            ; the call that writes to the registry; 16 call sites in total
0055CAC9  .  6A 00           PUSH 0x0
0055CACB  .  6A 00           PUSH 0x0
0055CACD  .  B9 88CB5500     MOV ECX, PCHeal.0055CB88        ; Serial
0055CAD2  .  8B55 F4         MOV EDX, DWORD PTR SS:[EBP-0xC]
0055CAD5  .  8BC6            MOV EAX, ESI
0055CAD7  .  E8 E467F9FF     CALL PCHeal.004F32C0
To save effort, I simply put a RETN at the first line of that call.
==================================================
This program also does a network check during registration validation: if you debug with the network connected and enter a fake serial, it opens a web page telling you that your IP has been recorded and not to do bad things (this is inside PCHealRegister.exe).
0053C972  .  0F85 E1030000   JNZ PCHealRe.0053CD59           ; jumps to "serial incorrect"
0053C978  .  E8 9BE6FFFF     CALL PCHealRe.0053B018          ; this call opens the official website and records the illegal attempt
0053C97D  .  40              INC EAX                         ; Switch (cases -1..4): if EAX here is less than 4, the jumps below have no effect and it goes straight to "serial incorrect"
====================================
[Where is the return value stored?] I don't know how to trace this; I'm posting the code and asking the teachers for guidance.
0055DBC4  $  55              PUSH EBP
0055DBC5  .  8BEC            MOV EBP, ESP
0055DBC7  .  B9 04000000     MOV ECX, 0x4
0055DBCC  >  6A 00           PUSH 0x0
0055DBCE  .  6A 00           PUSH 0x0
0055DBD0  .  49              DEC ECX
0055DBD1  .^ 75 F9           JNZ SHORT PCHeal.0055DBCC
0055DBD3  .  51              PUSH ECX
0055DBD4  .  53              PUSH EBX
0055DBD5  .  56              PUSH ESI
0055DBD6  .  57              PUSH EDI
0055DBD7  .  8955 F8         MOV DWORD PTR SS:[EBP-8], EDX
0055DBDA  .  8945 FC         MOV DWORD PTR SS:[EBP-4], EAX
0055DBDD  .  8B45 FC         MOV EAX, DWORD PTR SS:[EBP-4]
0055DBE0  .  E8 DB8EEAFF     CALL PCHeal.00406AC0
0055DBE5  .  8B45 F8         MOV EAX, DWORD PTR SS:[EBP-8]
0055DBE8  .  E8 D38EEAFF     CALL PCHeal.00406AC0
0055DBED  .  33C0            XOR EAX, EAX
0055DBEF  .  55              PUSH EBP
0055DBF0  .  68 8CDD5500     PUSH PCHeal.0055DD8C
0055DBF5  .  64:FF30         PUSH DWORD PTR FS:[EAX]
0055DBF8  .  64:8920         MOV DWORD PTR FS:[EAX], ESP
0055DBFB  .  33D2            XOR EDX, EDX
0055DBFD  .  55              PUSH EBP
0055DBFE  .  68 65DD5500     PUSH PCHeal.0055DD65
0055DC03  .  64:FF32         PUSH DWORD PTR FS:[EDX]
0055DC06  .  64:8922         MOV DWORD PTR FS:[EDX], ESP
0055DC09  .  8D55 E8         LEA EDX, DWORD PTR SS:[EBP-0x18]
0055DC0C  .  8B45 FC         MOV EAX, DWORD PTR SS:[EBP-4]
0055DC0F  .  E8 5045EBFF     CALL PCHeal.00412164
0055DC14  .  8B45 E8         MOV EAX, DWORD PTR SS:[EBP-0x18]
0055DC17  .  8D55 EC         LEA EDX, DWORD PTR SS:[EBP-0x14]
0055DC1A  .  E8 C54BEBFF     CALL PCHeal.004127E4
0055DC1F  .  8B55 EC         MOV EDX, DWORD PTR SS:[EBP-0x14]
0055DC22  .  8D45 FC         LEA EAX, DWORD PTR SS:[EBP-4]
0055DC25  .  E8 028FEAFF     CALL PCHeal.00406B2C
0055DC2A  .  8D55 E0         LEA EDX, DWORD PTR SS:[EBP-0x20]
0055DC2D  .  8B45 F8         MOV EAX, DWORD PTR SS:[EBP-8]
0055DC30  .  E8 2F45EBFF     CALL PCHeal.00412164
0055DC35  .  8B45 E0         MOV EAX, DWORD PTR SS:[EBP-0x20]
0055DC38  .  8D55 E4         LEA EDX, DWORD PTR SS:[EBP-0x1C]
0055DC3B  .  E8 A44BEBFF     CALL PCHeal.004127E4
0055DC40  .  8B55 E4         MOV EDX, DWORD PTR SS:[EBP-0x1C]
0055DC43  .  8D45 F8         LEA EAX, DWORD PTR SS:[EBP-8]
0055DC46  .  E8 E18EEAFF     CALL PCHeal.00406B2C
0055DC4B  .  8B45 F8         MOV EAX, DWORD PTR SS:[EBP-8]
0055DC4E  .  85C0            TEST EAX, EAX
0055DC50  .  74 16           JE SHORT PCHeal.0055DC68
0055DC52  .  8BD0            MOV EDX, EAX
0055DC54  .  83EA 0A         SUB EDX, 0xA
0055DC57  .  66:833A 02      CMP WORD PTR DS:[EDX], 0x2
0055DC5B  .  74 0B           JE SHORT PCHeal.0055DC68
0055DC5D  .  8D45 F8         LEA EAX, DWORD PTR SS:[EBP-8]
0055DC60  .  8B55 F8         MOV EDX, DWORD PTR SS:[EBP-8]
0055DC63  .  E8 7486EAFF     CALL PCHeal.004062DC
0055DC68  >  8BD8            MOV EBX, EAX
0055DC6A  .  85DB            TEST EBX, EBX
0055DC6C  .  74 05           JE SHORT PCHeal.0055DC73
0055DC6E  .  83EB 04         SUB EBX, 0x4
0055DC71  .  8B1B            MOV EBX, DWORD PTR DS:[EBX]
0055DC73  >  8D45 F4         LEA EAX, DWORD PTR SS:[EBP-0xC]
0055DC76  .  50              PUSH EAX
0055DC77  .  8B55 F8         MOV EDX, DWORD PTR SS:[EBP-8]
0055DC7A  .  B8 A8DD5500     MOV EAX, PCHeal.0055DDA8        ; N
0055DC7F  .  E8 BC98EAFF     CALL PCHeal.00407540
0055DC84  .  8BD0            MOV EDX, EAX
0055DC86  .  42              INC EDX
0055DC87  .  8BCB            MOV ECX, EBX
0055DC89  .  8B45 F8         MOV EAX, DWORD PTR SS:[EBP-8]
0055DC8C  .  E8 9795EAFF     CALL PCHeal.00407228
0055DC91  .  8D45 F0         LEA EAX, DWORD PTR SS:[EBP-0x10]
0055DC94  .  50              PUSH EAX
0055DC95  .  8B55 F8         MOV EDX, DWORD PTR SS:[EBP-8]
0055DC98  .  B8 A8DD5500     MOV EAX, PCHeal.0055DDA8        ; N
0055DC9D  .  E8 9E98EAFF     CALL PCHeal.00407540
0055DCA2  .  8BD8            MOV EBX, EAX
0055DCA4  .  4B              DEC EBX
0055DCA5  .  8B55 F8         MOV EDX, DWORD PTR SS:[EBP-8]
0055DCA8  .  B8 B8DD5500     MOV EAX, PCHeal.0055DDB8        ; C
0055DCAD  .  E8 8E98EAFF     CALL PCHeal.00407540
0055DCB2  .  2BD8            SUB EBX, EAX
0055DCB4  .  53              PUSH EBX
0055DCB5  .  8B55 F8         MOV EDX, DWORD PTR SS:[EBP-8]
0055DCB8  .  B8 B8DD5500     MOV EAX, PCHeal.0055DDB8        ; C
0055DCBD  .  E8 7E98EAFF     CALL PCHeal.00407540
0055DCC2  .  8BD0            MOV EDX, EAX
0055DCC4  .  42              INC EDX
0055DCC5  .  8B45 F8         MOV EAX, DWORD PTR SS:[EBP-8]
0055DCC8  .  59              POP ECX
0055DCC9  .  E8 5A95EAFF     CALL PCHeal.00407228
0055DCCE  .  8B45 FC         MOV EAX, DWORD PTR SS:[EBP-4]
0055DCD1  .  85C0            TEST EAX, EAX
0055DCD3  .  74 16           JE SHORT PCHeal.0055DCEB
0055DCD5  .  8BD0            MOV EDX, EAX
0055DCD7  .  83EA 0A         SUB EDX, 0xA
0055DCDA  .  66:833A 02      CMP WORD PTR DS:[EDX], 0x2
0055DCDE  .  74 0B           JE SHORT PCHeal.0055DCEB
0055DCE0  .  8D45 FC         LEA EAX, DWORD PTR SS:[EBP-4]
0055DCE3  .  8B55 FC         MOV EDX, DWORD PTR SS:[EBP-4]
0055DCE6  .  E8 F185EAFF     CALL PCHeal.004062DC
0055DCEB  >  85C0            TEST EAX, EAX
0055DCED  .  74 05           JE SHORT PCHeal.0055DCF4
0055DCEF  .  83E8 04         SUB EAX, 0x4
0055DCF2  .  8B00            MOV EAX, DWORD PTR DS:[EAX]
0055DCF4  >  83F8 06         CMP EAX, 0x6
0055DCF7  .  7C 2E           JL SHORT PCHeal.0055DD27
0055DCF9  .  8B45 F4         MOV EAX, DWORD PTR SS:[EBP-0xC]
0055DCFC  .  85C0            TEST EAX, EAX
0055DCFE  .  74 16           JE SHORT PCHeal.0055DD16
0055DD00  .  8BD0            MOV EDX, EAX
0055DD02  .  83EA 0A         SUB EDX, 0xA
0055DD05  .  66:833A 02      CMP WORD PTR DS:[EDX], 0x2
0055DD09  .  74 0B           JE SHORT PCHeal.0055DD16
0055DD0B  .  8D45 F4         LEA EAX, DWORD PTR SS:[EBP-0xC]
0055DD0E  .  8B55 F4         MOV EDX, DWORD PTR SS:[EBP-0xC]
0055DD11  .  E8 C685EAFF     CALL PCHeal.004062DC
0055DD16  >  85C0            TEST EAX, EAX
0055DD18  .  74 05           JE SHORT PCHeal.0055DD1F
0055DD1A  .  83E8 04         SUB EAX, 0x4
0055DD1D  .  8B00            MOV EAX, DWORD PTR DS:[EAX]
0055DD1F  >  83F8 05         CMP EAX, 0x5
0055DD22  .  0F9DC0          SETGE AL
0055DD25  .  EB 02           JMP SHORT PCHeal.0055DD29
0055DD27  >  33C0            XOR EAX, EAX
0055DD29  >  84C0            TEST AL, AL
0055DD2B  .  74 22           JE SHORT PCHeal.0055DD4F
0055DD2D  .  8D45 DC         LEA EAX, DWORD PTR SS:[EBP-0x24]
0055DD30  .  50              PUSH EAX
0055DD31  .  8B4D F0         MOV ECX, DWORD PTR SS:[EBP-0x10]
0055DD34  .  8B55 F4         MOV EDX, DWORD PTR SS:[EBP-0xC]
0055DD37  .  8B45 FC         MOV EAX, DWORD PTR SS:[EBP-4]
0055DD3A  .  E8 95FCFFFF     CALL PCHeal.0055D9D4
0055DD3F  .  8B45 DC         MOV EAX, DWORD PTR SS:[EBP-0x24]
0055DD42  .  8B55 F8         MOV EDX, DWORD PTR SS:[EBP-8]
0055DD45  .  E8 7694EAFF     CALL PCHeal.004071C0
0055DD4A  .  0F94C0          SETE AL
0055DD4D  .  EB 02           JMP SHORT PCHeal.0055DD51
0055DD4F  >  33C0            XOR EAX, EAX
0055DD51  >  84C0            TEST AL, AL
0055DD53     74 04           JE SHORT PCHeal.0055DD59        ; jumps to clearing EBX
0055DD55  .  B3 01           MOV BL, 0x1                     ; sets BL to 1
0055DD57  .  EB 02           JMP SHORT PCHeal.0055DD5B       ; skips clearing EBX
0055DD59  >  33DB            XOR EBX, EBX
0055DD5B  >  33C0            XOR EAX, EAX
0055DD5D  .  5A              POP EDX
0055DD5E  .  59              POP ECX
0055DD5F  .  59              POP ECX
0055DD60  .  64:8910         MOV DWORD PTR FS:[EAX], EDX
0055DD63  .  EB 0C           JMP SHORT PCHeal.0055DD71
0055DD65  .^ E9 4678EAFF     JMP PCHeal.004055B0
0055DD6A  .  33DB            XOR EBX, EBX
0055DD6C  .  E8 977CEAFF     CALL PCHeal.00405A08
0055DD71  >  33C0            XOR EAX, EAX
0055DD73  .  5A              POP EDX
0055DD74  .  59              POP ECX
0055DD75  .  59              POP ECX
0055DD76  .  64:8910         MOV DWORD PTR FS:[EAX], EDX
0055DD79  .  68 93DD5500     PUSH PCHeal.0055DD93
0055DD7E  >  8D45 DC         LEA EAX, DWORD PTR SS:[EBP-0x24]
0055DD81  .  BA 09000000     MOV EDX, 0x9
0055DD86  .  E8 458DEAFF     CALL PCHeal.00406AD0
0055DD8B  .  C3              RETN                            ; returns to 0055DD93
0055DD8C  .^ E9 D37AEAFF     JMP PCHeal.00405864
0055DD91  .^ EB EB           JMP SHORT PCHeal.0055DD7E
0055DD93  .  8BC3            MOV EAX, EBX
0055DD95  .  5F              POP EDI
0055DD96  .  5E              POP ESI
0055DD97  .  5B              POP EBX
0055DD98  .  8BE5            MOV ESP, EBP
0055DD9A  .  5D              POP EBP
0055DD9B  .  C3              RETN
Thanks for sharing; showing my support.