安全删除文件Kernel File Shredder11.04.01爆破分析
本帖最后由 东海浪子 于 2016-5-30 15:24 编辑
【破文标题】安全删除文件Kernel File Shredder11.04.01爆破笔记
【破文作者】东海浪子
【作者邮箱】
【作者主页】
【破解工具】OD
【破解平台】虚拟机WINXP SP3
【软件名称】Kernel File Shredder11.04.01
【软件大小】
【原版下载】http://www.freedownloadscenter.com/Utilities/Misc__Utilities/Secure_Delete_Files_Download.html
【软件说明】Kernel File Shredder 用于把 Windows 用户的敏感数据从计算机硬盘上永久删除。它采用先进的文件粉碎(覆写)算法,如零覆写(1遍)和美国国防部 DoD 5220(3遍)。(原说明由百度翻译)
【阅读对象】爱好破解的初学者,有不足错误之处恳请大牛大神多多指正
【破解声明】本文仅做研究所用,供破解技术爱好者学习研究讨论。如喜欢该软件,建议购买正版。
------------------------------------------------------------------------
【破解过程】
1、安装好Kernel File Shredder11.04.01,用PEiD查了一下,显示Unknown、VC8 -> Microsoft Corporation *,不知道是什么壳,先用OD载入调试。
2、运行软件,试注册,通过F12暂停法和字符串查找,下断点,经过几次重启调试,很容易来到下面这段关键call,这步骤不详细介绍了。
0040E8E0/$6A FF push -0x1 ;关键call入口,重启验证和注册验证都来这里
0040E8E2|.68 C5BE7A00 push Kernel_F.007ABEC5
0040E8E7|.64:A1 0000000>mov eax,dword ptr fs:
0040E8ED|.50 push eax
0040E8EE|.B8 503A0000 mov eax,0x3A50
0040E8F3|.E8 08E41200 call Kernel_F.0053CD00
0040E8F8|.A1 C0678600 mov eax,dword ptr ds:
0040E8FD|.33C4 xor eax,esp
0040E8FF|.898424 483A00>mov dword ptr ss:,eax
0040E906|.53 push ebx
0040E907|.55 push ebp
0040E908|.56 push esi
0040E909|.57 push edi ;Kernel_F.00874B34
0040E90A|.A1 C0678600 mov eax,dword ptr ds:
0040E90F|.33C4 xor eax,esp
0040E911|.50 push eax
0040E912|.8D8424 643A00>lea eax,dword ptr ss:
0040E919|.64:A3 0000000>mov dword ptr fs:,eax
0040E91F|.8BAC24 743A00>mov ebp,dword ptr ss: ;Kernel_F.00874A38
0040E926|.896C24 28 mov dword ptr ss:,ebp
0040E92A|.6A 00 push 0x0
0040E92C|.8D8D F4000000 lea ecx,dword ptr ss:
0040E932|.68 3C488100 push Kernel_F.0081483C
0040E937|.C78424 743A00>mov dword ptr ss:,0x0
0040E942|.E8 1950FFFF call Kernel_F.00403960
0040E947|.6A 00 push 0x0
0040E949|.8D8D F8000000 lea ecx,dword ptr ss:
0040E94F|.68 40488100 push Kernel_F.00814840
0040E954|.E8 0750FFFF call Kernel_F.00403960
0040E959|.68 44488100 push Kernel_F.00814844 ;UNI56V
0040E95E|.8D4C24 40 lea ecx,dword ptr ss:
0040E962|.E8 2951FFFF call Kernel_F.00403A90
0040E967|.C68424 6C3A00>mov byte ptr ss:,0x1
0040E96F|.E8 DBAD0400 call Kernel_F.0045974F
0040E974|.33C9 xor ecx,ecx
0040E976|.85C0 test eax,eax
0040E978|.0F95C1 setne cl
0040E97B|.85C9 test ecx,ecx
0040E97D|.75 0A jnz short Kernel_F.0040E989
0040E97F|>68 05400080 push 0x80004005
0040E984|.E8 272EFFFF call Kernel_F.004017B0
0040E989|>8B10 mov edx,dword ptr ds: ;Kernel_F.004A0054
0040E98B|.8BC8 mov ecx,eax
0040E98D|.8B42 0C mov eax,dword ptr ds:
0040E990|.FFD0 call eax
0040E992|.83C0 10 add eax,0x10
0040E995|.894424 2C mov dword ptr ss:,eax
0040E999|.8D8C24 783A00>lea ecx,dword ptr ss:
0040E9A0|.51 push ecx
0040E9A1|.8D5424 3C lea edx,dword ptr ss:
0040E9A5|.68 54488100 push Kernel_F.00814854 ;Software\
0040E9AA|.BB 02000000 mov ebx,0x2
0040E9AF|.52 push edx ;Kernel_F.004D0054
0040E9B0|.889C24 783A00>mov byte ptr ss:,bl
0040E9B7|.E8 44810000 call Kernel_F.00416B00
0040E9BC|.83C4 0C add esp,0xC
0040E9BF|.50 push eax
0040E9C0|.8D4C24 30 lea ecx,dword ptr ss:
0040E9C4|.C68424 703A00>mov byte ptr ss:,0x3
0040E9CC|.E8 3F5FFFFF call Kernel_F.00404910
0040E9D1|.889C24 6C3A00>mov byte ptr ss:,bl
0040E9D8|.8B4424 38 mov eax,dword ptr ss:
0040E9DC|.83C0 F0 add eax,-0x10
0040E9DF|.8D48 0C lea ecx,dword ptr ds:
0040E9E2|.83CA FF or edx,-0x1
0040E9E5|.f0:0fc111 lock xadd dword ptr ds:,edx
0040E9E9|.4A dec edx ;Kernel_F.004D0054
0040E9EA|.85D2 test edx,edx ;Kernel_F.004D0054
0040E9EC|.7F 0A jg short Kernel_F.0040E9F8
0040E9EE|.8B08 mov ecx,dword ptr ds: ;Kernel_F.004A0054
0040E9F0|.8B11 mov edx,dword ptr ds:
0040E9F2|.50 push eax
0040E9F3|.8B42 04 mov eax,dword ptr ds:
0040E9F6|.FFD0 call eax
0040E9F8|>8B4424 2C mov eax,dword ptr ss:
0040E9FC|.8D9424 4C3600>lea edx,dword ptr ss:
0040EA03|.2BD0 sub edx,eax
0040EA05|>0FB708 /movzx ecx,word ptr ds:
0040EA08|.66:890C02 |mov word ptr ds:,cx
0040EA0C|.03C3 |add eax,ebx
0040EA0E|.66:85C9 |test cx,cx
0040EA11|.^ 75 F2 \jnz short Kernel_F.0040EA05
0040EA13|.C74424 40 684>mov dword ptr ss:,Kernel_F.00814868 ;RegVal下面检测注册表里regval值
0040EA1B|.E8 2FAD0400 call Kernel_F.0045974F
0040EA20|.33C9 xor ecx,ecx
0040EA22|.85C0 test eax,eax
0040EA24|.0F95C1 setne cl
0040EA27|.85C9 test ecx,ecx
0040EA29|.75 0A jnz short Kernel_F.0040EA35
0040EA2B|.68 05400080 push 0x80004005
0040EA30|.E8 7B2DFFFF call Kernel_F.004017B0
0040EA35|>8B10 mov edx,dword ptr ds: ;Kernel_F.004A0054
0040EA37|.8BC8 mov ecx,eax
0040EA39|.8B42 0C mov eax,dword ptr ds:
0040EA3C|.FFD0 call eax
0040EA3E|.83C0 10 add eax,0x10
0040EA41|.894424 20 mov dword ptr ss:,eax
0040EA45|.68 68488100 push Kernel_F.00814868 ;RegVal
0040EA4A|.8D8C24 503600>lea ecx,dword ptr ss:
0040EA51|.8DBD FC000000 lea edi,dword ptr ss:
0040EA57|.51 push ecx
0040EA58|.8D5C24 28 lea ebx,dword ptr ss:
0040EA5C|.C68424 743A00>mov byte ptr ss:,0x4
0040EA64|.E8 E7130400 call Kernel_F.0044FE50
0040EA69|.8B7424 20 mov esi,dword ptr ss: ;Kernel_F.0086E358
0040EA6D|.8D9424 543800>lea edx,dword ptr ss:
0040EA74|.8BC6 mov eax,esi
0040EA76|.2BD6 sub edx,esi
0040EA78|.EB 06 jmp short Kernel_F.0040EA80
0040EA7A| 8D9B 00000000 lea ebx,dword ptr ds:
0040EA80|>0FB708 /movzx ecx,word ptr ds:
0040EA83|.83C0 02 |add eax,0x2
0040EA86|.66:85C9 |test cx,cx
0040EA89|.^ 75 F5 \jnz short Kernel_F.0040EA80
0040EA8B|.68 58468100 push Kernel_F.00814658 ;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789 -_.@
0040EA90|.56 push esi
0040EA91|.E8 55971200 call Kernel_F.005381EB
0040EA96|.83C4 08 add esp,0x8
0040EA99|.85C0 test eax,eax
0040EA9B|.74 1F je short Kernel_F.0040EABC
0040EA9D|.2BC6 sub eax,esi
0040EA9F|.D1F8 sar eax,1
0040EAA1|.83F8 FF cmp eax,-0x1
0040EAA4|.74 16 je short Kernel_F.0040EABC
0040EAA6|.8D4C24 20 lea ecx,dword ptr ss:
0040EAAA|.E8 31F0FFFF call Kernel_F.0040DAE0
0040EAAF|.83F8 FF cmp eax,-0x1
0040EAB2|.0F85 D2030000 jnz Kernel_F.0040EE8A
0040EAB8|.8B7424 20 mov esi,dword ptr ss: ;Kernel_F.0086E358
0040EABC|>83BC24 7C3A00>cmp dword ptr ss:,0x0 ;比较注册表里有无数值
0040EAC4|.0F84 A9000000 je Kernel_F.0040EB73 ;相等跳向注册框
0040EACA|.8D46 F0 lea eax,dword ptr ds:
0040EACD|.C68424 6C3A00>mov byte ptr ss:,0x2
0040EAD5|.8D50 0C lea edx,dword ptr ds:
0040EAD8|.83C9 FF or ecx,-0x1
0040EADB|.f0:0fc10a lock xadd dword ptr ds:,ecx
0040EADF|.49 dec ecx
0040EAE0|.85C9 test ecx,ecx
0040EAE2|>7F 0A jg short Kernel_F.0040EAEE
0040EAE4|.8B08 mov ecx,dword ptr ds: ;Kernel_F.004A0054
0040EAE6|.8B11 mov edx,dword ptr ds:
0040EAE8|.50 push eax
0040EAE9|.8B42 04 mov eax,dword ptr ds:
0040EAEC|.FFD0 call eax
0040EAEE|>C68424 6C3A00>mov byte ptr ss:,0x1
0040EAF6|.8B4424 2C mov eax,dword ptr ss:
0040EAFA|.83C0 F0 add eax,-0x10
0040EAFD|.8D48 0C lea ecx,dword ptr ds:
0040EB00|.83CA FF or edx,-0x1
0040EB03|.f0:0fc111 lock xadd dword ptr ds:,edx
0040EB07|.4A dec edx ;Kernel_F.004D0054
0040EB08|.85D2 test edx,edx ;Kernel_F.004D0054
0040EB0A|.7F 0A jg short Kernel_F.0040EB16
0040EB0C|.8B08 mov ecx,dword ptr ds: ;Kernel_F.004A0054
0040EB0E|.8B11 mov edx,dword ptr ds:
0040EB10|.50 push eax
0040EB11|.8B42 04 mov eax,dword ptr ds:
0040EB14|.FFD0 call eax
0040EB16|>C68424 6C3A00>mov byte ptr ss:,0x0
0040EB1E|.8B4424 3C mov eax,dword ptr ss:
0040EB22|.83C0 F0 add eax,-0x10
0040EB25|.83CA FF or edx,-0x1
0040EB28|.8D48 0C lea ecx,dword ptr ds:
0040EB2B|.f0:0fc111 lock xadd dword ptr ds:,edx
0040EB2F|.4A dec edx ;Kernel_F.004D0054
0040EB30|.85D2 test edx,edx ;Kernel_F.004D0054
0040EB32|.7F 0A jg short Kernel_F.0040EB3E
0040EB34|.8B08 mov ecx,dword ptr ds: ;Kernel_F.004A0054
0040EB36|.8B11 mov edx,dword ptr ds:
0040EB38|.50 push eax
0040EB39|.8B42 04 mov eax,dword ptr ds:
0040EB3C|.FFD0 call eax
0040EB3E|>C78424 6C3A00>mov dword ptr ss:,-0x1
0040EB49|.8B8424 783A00>mov eax,dword ptr ss:
0040EB50|.83C0 F0 add eax,-0x10
0040EB53|.8D48 0C lea ecx,dword ptr ds:
0040EB56|.83CA FF or edx,-0x1
0040EB59|.f0:0fc111 lock xadd dword ptr ds:,edx
0040EB5D|.4A dec edx ;Kernel_F.004D0054
0040EB5E|.85D2 test edx,edx ;Kernel_F.004D0054
0040EB60|.7F 0A jg short Kernel_F.0040EB6C
0040EB62|.8B08 mov ecx,dword ptr ds: ;Kernel_F.004A0054
0040EB64|.8B11 mov edx,dword ptr ds:
0040EB66|.50 push eax
0040EB67|.8B42 04 mov eax,dword ptr ds:
0040EB6A|.FFD0 call eax
0040EB6C|>33C0 xor eax,eax
0040EB6E|.E9 E20C0000 jmp Kernel_F.0040F855
0040EB73|>8D4C24 4C /lea ecx,dword ptr ss:
0040EB77|.51 |push ecx
0040EB78|.E8 43880000 |call Kernel_F.004173C0
0040EB7D|.8D4C24 4C |lea ecx,dword ptr ss:
0040EB81|.C68424 6C3A00>|mov byte ptr ss:,0x5
0040EB89|.E8 402D0400 |call Kernel_F.004518CE ;弹出注册窗口call
0040EB8E|.83F8 01 |cmp eax,0x1 ;比较有无注册
0040EB91|.0F85 AA020000 |jnz Kernel_F.0040EE41
0040EB97|.8B8424 BC2D00>|mov eax,dword ptr ss: ;注册码入eax
0040EB9E|.83C0 F0 |add eax,-0x10 ;注册码地址-10
0040EBA1|.50 |push eax
0040EBA2|.E8 C94AFFFF |call Kernel_F.00403670
0040EBA7|.8D68 10 |lea ebp,dword ptr ds: ;注册码入ebp
0040EBAA|.83C4 04 |add esp,0x4 ;esp+4
0040EBAD|.896C24 38 |mov dword ptr ss:,ebp ;注册码入esp+38
0040EBB1|.C68424 6C3A00>|mov byte ptr ss:,0x6 ;6入esp+3A6C
0040EBB9|.8B8424 C02D00>|mov eax,dword ptr ss: ;esp+2DC0(注册名)入eax
0040EBC0|.83C0 F0 |add eax,-0x10 ;eax-10
0040EBC3|.50 |push eax
0040EBC4|.E8 A74AFFFF |call Kernel_F.00403670
0040EBC9|.8D58 10 |lea ebx,dword ptr ds: ;eax+10(注册名)入ebx
0040EBCC|.83C4 04 |add esp,0x4 ;esp+4
0040EBCF|.895C24 1C |mov dword ptr ss:,ebx ;注册名入esp+1C
0040EBD3|.8B7424 28 |mov esi,dword ptr ss: ;Kernel_F.00874A38
0040EBD7|.8D5424 1C |lea edx,dword ptr ss:
0040EBDB|.52 |push edx ;Kernel_F.004D0054
0040EBDC|.8D8E F4000000 |lea ecx,dword ptr ds:
0040EBE2|.C68424 703A00>|mov byte ptr ss:,0x7 ;7入esp+3A70
0040EBEA|.E8 215DFFFF |call Kernel_F.00404910
0040EBEF|.8D4424 38 |lea eax,dword ptr ss: ;esp+38入eax
0040EBF3|.50 |push eax
0040EBF4|.8D8E F8000000 |lea ecx,dword ptr ds:
0040EBFA|.E8 115DFFFF |call Kernel_F.00404910
0040EBFF|.68 78488100 |push Kernel_F.00814878
0040EC04|.8D4C24 28 |lea ecx,dword ptr ss:
0040EC08|.E8 834EFFFF |call Kernel_F.00403A90
0040EC0D|.8D4C24 24 |lea ecx,dword ptr ss:
0040EC11|.C68424 6C3A00>|mov byte ptr ss:,0x8 ;8入esp+3A6C
0040EC19|.8B8424 783A00>|mov eax,dword ptr ss: ;esp+3A78(LKFSHR)入eax
0040EC20|.51 |push ecx
0040EC21|.51 |push ecx
0040EC22|.83C0 F0 |add eax,-0x10 ;eax-10
0040EC25|.896424 3C |mov dword ptr ss:,esp ;esp入esp+3C
0040EC29|.8BF4 |mov esi,esp ;esp入esi
0040EC2B|.50 |push eax
0040EC2C|.E8 3F4AFFFF |call Kernel_F.00403670
0040EC31|.83C0 10 |add eax,0x10 ;eax+10
0040EC34|.8906 |mov dword ptr ds:,eax ;eax(LFKSHR)入esi
0040EC36|.C68424 783A00>|mov byte ptr ss:,0x9 ;9入esp+3A78
0040EC3E|.8D43 F0 |lea eax,dword ptr ds: ;ebx-10入eax
0040EC41|.896424 3C |mov dword ptr ss:,esp ;esp入esp+3C
0040EC45|.8BF4 |mov esi,esp ;esp入esi
0040EC47|.50 |push eax
0040EC48|.E8 234AFFFF |call Kernel_F.00403670
0040EC4D|.83C0 10 |add eax,0x10 ;esx+10
0040EC50|.8906 |mov dword ptr ds:,eax ;eax(注册名)入esi
0040EC52|.83C4 04 |add esp,0x4 ;esp+4
0040EC55|.C68424 783A00>|mov byte ptr ss:,0x8 ;8入esp+3A78
0040EC5D|.E8 1E0C0000 |call Kernel_F.0040F880 ;算法call
0040EC62|.33C0 |xor eax,eax ;eax清零
0040EC64|.83C4 0C |add esp,0xC ;esp+c
0040EC67|.85ED |test ebp,ebp
0040EC69|.0F95C0 |setne al ;设为真
0040EC6C|.85C0 |test eax,eax
0040EC6E|.^ 0F84 0BFDFFFF |je Kernel_F.0040E97F
0040EC74|.8B7424 24 |mov esi,dword ptr ss: ;esp+24(真码)入esi,可以做内存注册机
0040EC78|.8BCD |mov ecx,ebp ;注册码入ecx(爆破,可以把真码esi入ecx)
0040EC7A|.8BC6 |mov eax,esi ;esi(真码)入eax
0040EC7C|.8D6424 00 |lea esp,dword ptr ss:
0040EC80|>66:8B10 |/mov dx,word ptr ds: ;取eax(真码)奇数位字符ASCII码入dx
0040EC83|.66:3B11 ||cmp dx,word ptr ds: ;dx和注册码字节的ASCII码比较
0040EC86 75 1E ||jnz short Kernel_F.0040ECA6 ;不相等跳走,爆破点1
0040EC88|.66:85D2 ||test dx,dx ;有没取完字节
0040EC8B|.74 15 ||je short Kernel_F.0040ECA2 ;取完跳走
0040EC8D|.66:8B50 02 ||mov dx,word ptr ds: ;取eax+2(真码)偶数位字符ASCII码入dx
0040EC91|.66:3B51 02 ||cmp dx,word ptr ds: ;取ecx+2(注册码)字符ascii码和dx比较
0040EC95 75 0F ||jnz short Kernel_F.0040ECA6 ;不相等跳走,爆破点2
0040EC97|.83C0 04 ||add eax,0x4 ;eax+4
0040EC9A|.83C1 04 ||add ecx,0x4 ;ecx+4
0040EC9D|.66:85D2 ||test dx,dx ;有没取完字节。
0040ECA0|.^ 75 DE |\jnz short Kernel_F.0040EC80 ;不相等往上跳(循环)
0040ECA2|>33C0 |xor eax,eax ;eax清零
0040ECA4|.EB 05 |jmp short Kernel_F.0040ECAB
0040ECA6|>1BC0 |sbb eax,eax
0040ECA8|.83D8 FF |sbb eax,-0x1
0040ECAB|>85C0 |test eax,eax
0040ECAD|.0F94C0 |sete al ;条件为真
0040ECB0|.84C0 |test al,al
0040ECB2|.0F84 E3000000 |je Kernel_F.0040ED9B
0040ECB8|.B9 7C488100 |mov ecx,Kernel_F.0081487C
0040ECBD|.8BC5 |mov eax,ebp ;注册码入eax
0040ECBF|.90 |nop
0040ECC0|>66:8B10 |/mov dx,word ptr ds: ;注册码奇数位字符ascii码入dx
0040ECC3|.66:3B11 ||cmp dx,word ptr ds: ;和ecx奇数位字符ascii码比较
0040ECC6|.75 1E ||jnz short Kernel_F.0040ECE6 ;不等跳走
0040ECC8|.66:85D2 ||test dx,dx ;有没取完字节
0040ECCB|.74 15 ||je short Kernel_F.0040ECE2 ;取完就跳走
0040ECCD|.66:8B50 02 ||mov dx,word ptr ds: ;注册码偶数位字节ascii码入dx
0040ECD1|.66:3B51 02 ||cmp dx,word ptr ds: ;和ecx偶数位字节ascii码比较
0040ECD5|.75 0F ||jnz short Kernel_F.0040ECE6 ;不相等跳走
0040ECD7|.83C0 04 ||add eax,0x4 ;eax+4
0040ECDA|.83C1 04 ||add ecx,0x4 ;ecx+4
0040ECDD|.66:85D2 ||test dx,dx ;比较有没取完字节
0040ECE0|.^ 75 DE |\jnz short Kernel_F.0040ECC0 ;不相等往上跳(循环)
0040ECE2|>33C0 |xor eax,eax ;esx清零
0040ECE4|.EB 05 |jmp short Kernel_F.0040ECEB
0040ECE6|>1BC0 |sbb eax,eax
0040ECE8|.83D8 FF |sbb eax,-0x1
0040ECEB|>85C0 |test eax,eax
0040ECED|.0F95C0 |setne al
0040ECF0|.84C0 |test al,al
0040ECF2|.0F84 A3000000 |je Kernel_F.0040ED9B
0040ECF8|.68 D0458100 |push Kernel_F.008145D0 ;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789 -_.@
0040ECFD|.56 |push esi
0040ECFE|.E8 E8941200 |call Kernel_F.005381EB
0040ED03|.83C4 08 |add esp,0x8 ;esp+8
0040ED06|.85C0 |test eax,eax
0040ED08|.74 38 |je short Kernel_F.0040ED42
0040ED0A|.2B4424 24 |sub eax,dword ptr ss: ;eax(真码)-esp+24(真码)
0040ED0E|.D1F8 |sar eax,1 ;eax右移一位
0040ED10|.83F8 FF |cmp eax,-0x1 ;eax和-1比较
0040ED13|.74 2D |je short Kernel_F.0040ED42
0040ED15|.8D4C24 24 |lea ecx,dword ptr ss:
0040ED19|.E8 C2E6FFFF |call Kernel_F.0040D3E0
0040ED1E|.83F8 FF |cmp eax,-0x1
0040ED21|.74 1F |je short Kernel_F.0040ED42
0040ED23|.8B5424 40 |mov edx,dword ptr ss: ;esp+40(RegVal)入edx
0040ED27|.8B7424 28 |mov esi,dword ptr ss: ;esp+28(真码换算后字符)入esi
0040ED2B|.8B7C24 24 |mov edi,dword ptr ss: ;esp+24(真码换算后字符)入edi
0040ED2F|.52 |push edx ;Kernel_F.004D0054
0040ED30|.8D8424 503600>|lea eax,dword ptr ss: ;esp+3650(Software\LKFSHR)入eax
0040ED37|.81C6 FC000000 |add esi,0xFC ;esi+FC(这段是把注册码换算后的字符写入注册表Software\LKFSHR里的RegVal。
0040ED3D|.E8 9E100400 |call Kernel_F.0044FDE0
0040ED42|>68 D0458100 |push Kernel_F.008145D0 ;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789 -_.@
0040ED47|.53 |push ebx
0040ED48|.C74424 48 804>|mov dword ptr ss:,Kernel_F.00814880 ;eml入esp+48
0040ED50|.E8 96941200 |call Kernel_F.005381EB
0040ED55|.83C4 08 |add esp,0x8 ;esp+8
0040ED58|.85C0 |test eax,eax ;有没注册名
0040ED5A|.74 38 |je short Kernel_F.0040ED94
0040ED5C|.2BC3 |sub eax,ebx ;eax(注册名)-ebx(注册名)
0040ED5E|.D1F8 |sar eax,1 ;eax右移1位
0040ED60|.83F8 FF |cmp eax,-0x1 ;eax和-1比较
0040ED63|.74 2F |je short Kernel_F.0040ED94
0040ED65|.8D4C24 1C |lea ecx,dword ptr ss:
0040ED69|.E8 72E6FFFF |call Kernel_F.0040D3E0
0040ED6E|.8B5C24 1C |mov ebx,dword ptr ss: ;esp+1C(注册名换算后字符)入ebx
0040ED72|.83F8 FF |cmp eax,-0x1 ;比较eax和-1
0040ED75|.74 1D |je short Kernel_F.0040ED94
0040ED77|.8B7424 28 |mov esi,dword ptr ss: ;Kernel_F.00874A38
0040ED7B|.68 80488100 |push Kernel_F.00814880 ;eml
0040ED80|.8BFB |mov edi,ebx ;ebx(注册名换算后字符)入edi
0040ED82|.8D8424 503600>|lea eax,dword ptr ss: ;esp+3650(Software\LKFSHR)入eax
0040ED89|.81C6 FC000000 |add esi,0xFC ;esi+FC(这段是把注册名换算后的字符写入注册表Software\LKFSHR里的eml
0040ED8F|.E8 4C100400 |call Kernel_F.0044FDE0
0040ED94|>BE 01000000 |mov esi,0x1 ;1入esi
0040ED99|.EB 10 |jmp short Kernel_F.0040EDAB
0040ED9B|>6A 00 |push 0x0
0040ED9D|.6A 10 |push 0x10
0040ED9F|.68 88488100 |push Kernel_F.00814888 ;Registration information is not valid, please check it and try again.注册失败
0040EDA4|.E8 EFBD0400 |call Kernel_F.0045AB98
【破解总结】
该软件验证注册流程是注册名换算成15位的字符串,和输入的注册码比较,相等,则把注册名和注册码再分别换算,写入注册表Software\LKFSHR里的eml和RegVal。重启后,再验证注册表里eml和RegVal的值。
因为正确的注册码在客户端算出后以明文留在内存里,并与输入的注册码逐字符比较,所以爆破很简单,有多种方法,列举一二。从设计角度看,这类校验的弱点在于正确值和比较逻辑都在本地;改用服务器端验证或对注册信息做非对称签名校验,可以避免真码出现在本地内存中。
1.原0040EC78|.8BCD |mov ecx,ebp 改mov ecx,esi 把假码入ecx修改为真码入ecx,然后真码和真码比较
2.原0040EC86 75 1E ||jnz short Kernel_F.0040ECA6
0040EC95 75 0F ||jnz short Kernel_F.0040ECA6 在真假码比较时不相等跳走给nop掉。
本想进入算法call练一下算法的。代码很长,粗看一下,过程好像是:注册名连接固定字符串LKFSHR,查表替换,运算,再和固定字符串wresthelmtgrhjwlautr连接,查表,运算,然后取前15位做注册码。代码太长了,因为有明码出现了,就没有耐心看下去,太费时费力了。
算法call好几处调用,在其他地方好像都是跟注册表比较。
现提供三组可用注册信息
1注册名 [email protected]
注册码 QHEQHOQTFRQIDHP
2.注册名 东海浪子@pyg.com
注册码TJEGHTYOVULIIVP
3.注册名 [email protected]
注册码 GBEGHRVTGZPIZZP
沙发,顶起来,感谢分享 支持兄弟了!