This post was last edited by speedboy on 2023-11-10 21:36.

The target is a 32-bit Delphi program (its prompt strings are stored encrypted). Delphi executables have a recognisable structure, so we start from a specific string.

1. Load the program in OllyDbg and step over with F8. When the program window appears, note the Call that was just executed and set a breakpoint on it; reload with Ctrl+F2, run with F9 until it breaks at that Call, then step into it with F7.
2. Right-click in the disassembly pane, choose the 中文搜索 (Chinese string search) plugin, then Smart search (智能搜索). This lists a series of strings; search for "trial" and you find "TfrmTrial.Execute Begin", which is clearly the "trial dialog" prompt.
3. Double-click it to jump to that location in the disassembly pane, then scroll up to the start of the function to see where it is called from.
```asm
010DFA9C /$ 55 push ebp
010DFA9D |. 8BEC mov ebp,esp
010DFA9F |. 51 push ecx ; Resize.014B07A0
010DFAA0 |. B9 0E000000 mov ecx,0xE
010DFAA5 |> 6A 00 /push 0x0
010DFAA7 |. 6A 00 |push 0x0
010DFAA9 |. 49 |dec ecx ; Resize.014B07A0
010DFAAA |.^ 75 F9 \jnz short Resize.010DFAA5
010DFAAC |. 51 push ecx ; Resize.014B07A0
010DFAAD |. 874D FC xchg [local.1],ecx ; Resize.014B07A0
010DFAB0 |. 53 push ebx
010DFAB1 |. 56 push esi ; Resize.<ModuleEntryPoint>
010DFAB2 |. 57 push edi ; Resize.<ModuleEntryPoint>
010DFAB3 |. 884D FB mov byte ptr ss:[ebp-0x5],cl
010DFAB6 |. 8955 FC mov [local.1],edx ; Resize.011A2964
010DFAB9 |. 8BF0 mov esi,eax
010DFABB |. 33C0 xor eax,eax
010DFABD |. 55 push ebp
010DFABE |. 68 5CFE0D01 push Resize.010DFE5C
010DFAC3 |. 64:FF30 push dword ptr fs:[eax] ; Resize.005F9CC1
010DFAC6 |. 64:8920 mov dword ptr fs:[eax],esp
010DFAC9 |. B8 78FE0D01 mov eax,Resize.010DFE78 ; TfrmTrial.Execute Begin
010DFACE |. E8 199EBEFF call Resize.00CC98EC
```
The function is called from two places, 011BA435 and 011C5623; we analyse each in turn.

[At 011BA435]:

```asm
011BA3F1 . 80B8 35090000 00 cmp byte ptr ds:[eax+0x935],0x0
011BA3F8 . 74 40 je short Resize.011BA43A
011BA3FA . E8 A5FCB0FF call Resize.00CCA0A4
011BA3FF . D1F8 sar eax,1
011BA401 . 79 03 jns short Resize.011BA406
011BA403 . 83D0 00 adc eax,0x0
011BA406 > 83F8 03 cmp eax,0x3
011BA409 . 7F 05 jg short Resize.011BA410
011BA40B . B8 03000000 mov eax,0x3
011BA410 > 83F8 14 cmp eax,0x14
011BA413 . 7D 08 jge short Resize.011BA41D
011BA415 . 8985 D8FDFFFF mov dword ptr ss:[ebp-0x228],eax
011BA41B . EB 0A jmp short Resize.011BA427
011BA41D > C785 D8FDFFFF 1400>mov dword ptr ss:[ebp-0x228],0x14
011BA427 > 8BCB mov ecx,ebx
011BA429 . 8B95 D8FDFFFF mov edx,dword ptr ss:[ebp-0x228]
011BA42F . 8B85 FCFDFFFF mov eax,dword ptr ss:[ebp-0x204]
011BA435 . E8 6256F2FF call Resize.010DFA9C ; >> the trial form is called here
011BA43A > 33C0 xor eax,eax
```
[At 011C5623]:

```asm
011C5613 . 80B8 35090000 00 cmp byte ptr ds:[eax+0x935],0x0
011C561A . 74 1A je short Resize.011C5636
011C561C . 33C9 xor ecx,ecx ; Resize.014B07A0
011C561E . 33D2 xor edx,edx ; Resize.011A2964
011C5620 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
011C5623 . E8 74A4F1FF call Resize.010DFA9C ; >> the trial form is called here
011C5628 . 84C0 test al,al
011C562A . 75 0A jnz short Resize.011C5636
011C562C . E8 C72824FF call Resize.00407EF8
011C5631 . E9 EA240000 jmp Resize.011C7B20
011C5636 > 33C0 xor eax,eax
```
Both call sites are guarded by a je, and both use the same comparison, cmp byte ptr ds:[eax+0x935],0x0. So when ds:[eax+0x935] = 0 the je is taken and the trial form is skipped; when ds:[eax+0x935] ≠ 0 the je is not taken and the prompt form appears. That gives us the basic idea: find where ds:[eax+0x935] is assigned a non-zero value.

4. Right-click on cmp byte ptr ds:[eax+0x935],0x0, then Find references (查找参考) → Address constant (地址常量). This gives the following comparisons and assignments:
```asm
00CCD22C cmp byte ptr ds:[eax+0x935],0x0
00F63CD0 cmp byte ptr ds:[eax+0x935],0x0
011AF79D movzx edx,byte ptr ds:[eax+0x935]
011BA110 cmp byte ptr ds:[eax+0x935],0x0
011BA3F1 cmp byte ptr ds:[eax+0x935],0x0
011BD98B cmp byte ptr ds:[eax+0x935],0x0 》*
011C55B3 cmp byte ptr ds:[eax+0x935],0x0
011C55E8 cmp byte ptr ds:[eax+0x935],0x0
011C5613 cmp byte ptr ds:[eax+0x935],0x0 (initial CPU selection)
011CCE59 mov byte ptr ds:[ebx+0x935],al
011D597D cmp byte ptr ds:[esi+0x935],0x0
011D7EFB movzx eax,byte ptr ds:[eax+0x935]
011D9CB6 cmp byte ptr ds:[eax+0x935],0x0
011DBFFF mov byte ptr ds:[eax+0x935],0x0
011DC06D mov byte ptr ds:[eax+0x935],0x1
011DC07C mov byte ptr ds:[eax+0x935],0x1 》*
011DC093 mov byte ptr ds:[ebx+0x935],0x1
```
5. Set a breakpoint on each of them, reload, and run under the debugger. The key one is this:

```asm
011DC07C mov byte ptr ds:[eax+0x935],0x1 》*
```

Change the assigned value to 0, continue running, and we arrive here:
```asm
011BD98B 80B8 35090000 00 cmp byte ptr ds:[eax+0x935],0x0 ; 》*
011BD992 . 0F85 E2000000 jnz Resize.011BDA7A
011BD998 . A1 B82C2C01 mov eax,dword ptr ds:[0x12C2CB8]
011BD99D . 0FB600 movzx eax,byte ptr ds:[eax]
011BD9A0 . 2C 01 sub al,0x1 ; Switch (cases 0..4)
011BD9A2 . 72 0D jb short Resize.011BD9B1
011BD9A4 . 2C 03 sub al,0x3
011BD9A6 . 0F84 8A000000 je Resize.011BDA36
011BD9AC . E9 C9000000 jmp Resize.011BDA7A
011BD9B1 > 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8] ; Case 0 of switch 011BD9A0
011BD9B7 . 83B8 940A0000 00 cmp dword ptr ds:[eax+0xA94],0x0
011BD9BE . 74 42 je short Resize.011BDA02
011BD9C0 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BD9C6 . 8B80 940A0000 mov eax,dword ptr ds:[eax+0xA94]
011BD9CC . 83B8 E0000000 00 cmp dword ptr ds:[eax+0xE0],0x0
011BD9D3 . 74 2D je short Resize.011BDA02
011BD9D5 . 6A 00 push 0x0
011BD9D7 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BD9DD . 8B88 40090000 mov ecx,dword ptr ds:[eax+0x940]
011BD9E3 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BD9E9 . 8B80 940A0000 mov eax,dword ptr ds:[eax+0xA94]
011BD9EF . 8B90 E0000000 mov edx,dword ptr ds:[eax+0xE0]
011BD9F5 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BD9FB . E8 84320000 call Resize.011C0C84
011BDA00 . EB 1B jmp short Resize.011BDA1D
011BDA02 > 6A 00 push 0x0
011BDA04 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA0A . 8B88 40090000 mov ecx,dword ptr ds:[eax+0x940]
011BDA10 . 33D2 xor edx,edx
011BDA12 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA18 . E8 67320000 call Resize.011C0C84
011BDA1D > A1 B82C2C01 mov eax,dword ptr ds:[0x12C2CB8]
011BDA22 . 8038 00 cmp byte ptr ds:[eax],0x0
011BDA25 . 75 53 jnz short Resize.011BDA7A
011BDA27 . B2 01 mov dl,0x1
011BDA29 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA2F . E8 04F40000 call Resize.011CCE38
011BDA34 . EB 44 jmp short Resize.011BDA7A
011BDA36 > 6A 01 push 0x1 ; Case 4 of switch 011BD9A0
011BDA38 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA3E . 8B88 40090000 mov ecx,dword ptr ds:[eax+0x940]
011BDA44 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA4A . 8B80 940A0000 mov eax,dword ptr ds:[eax+0xA94]
011BDA50 . 8B90 E0000000 mov edx,dword ptr ds:[eax+0xE0]
011BDA56 . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA5C . E8 23320000 call Resize.011C0C84
011BDA61 . A1 B82C2C01 mov eax,dword ptr ds:[0x12C2CB8]
011BDA66 . 8038 04 cmp byte ptr ds:[eax],0x4
011BDA69 . 75 51 jnz short Resize.011BDABC
011BDA6B . B2 01 mov dl,0x1
011BDA6D . 8B85 08FEFFFF mov eax,dword ptr ss:[ebp-0x1F8]
011BDA73 . E8 C0F30000 call Resize.011CCE38
011BDA78 . EB 42 jmp short Resize.011BDABC
011BDA7A > E8 25C6B0FF call Resize.00CCA0A4 ; Default case of switch
```
Stepping through this shows that 011BDA2F call Resize.011CCE38 is what sets the "trial version" title (the encrypted string is "%#xp{ 't#$x~}"). So it is enough for 011BD992 jnz Resize.011BDA7A to be taken. We have already set the byte at ds:[eax+0x935] to 0, so if 011BD98B cmp byte ptr ds:[eax+0x935],0x0 is changed to compare against 1, the jnz on the next line will jump.
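Two compiler idioms appear in the listings above and are easy to misread: the `sar eax,1 / jns / adc eax,0` halving-and-clamping sequence at 011BA3FF-011BA41D, which computes the value passed in edx to TfrmTrial.Execute (the second argument under Delphi's register calling convention), and the `sub al,1 / jb / sub al,3 / je` dispatch at 011BD9A0-011BD9AC, which OllyDbg annotates as a switch. The following Python is an added example, not code from the post or from the program being analysed; it models exactly what those instruction sequences compute so the intent of the assembly is explicit. The function names and the sample inputs are my own.

```python
"""Models of two x86 idioms from the OllyDbg listings (added example).

1. sar eax,1 ; jns skip ; adc eax,0   -> signed x div 2, rounded toward
   zero (how Delphi compiles `x div 2`), followed by a clamp to [3, 0x14].
2. sub al,1 ; jb case0 ; sub al,3 ; je case4 ; jmp default
   -> a byte switch with cases 0 and 4 and a default branch.
"""


def sar_adc_div2(x: int) -> int:
    """sar eax,1 / jns / adc eax,0 on a 32-bit two's-complement value.

    sar floors toward negative infinity and leaves the shifted-out bit in
    CF; for negative inputs the adc adds CF back, turning floor into
    truncation toward zero.
    """
    x &= 0xFFFFFFFF
    signed = x - (1 << 32) if x & 0x80000000 else x
    cf = x & 1                  # bit shifted out by sar becomes CF
    shifted = signed >> 1       # arithmetic shift == floor division by 2
    if shifted < 0:             # jns not taken -> adc eax,0 adds CF
        shifted += cf
    return shifted


def trial_argument(raw: int) -> int:
    """Value stored at [ebp-0x228] and passed in edx to the trial form.

    cmp eax,3 ; jg -> keep        else mov eax,3
    cmp eax,0x14 ; jge -> 0x14    else keep
    """
    half = sar_adc_div2(raw)
    if half <= 3:               # jg not taken: replace with 3
        half = 3
    if half >= 0x14:            # jge taken: store 0x14
        return 0x14
    return half


def switch_case(al: int) -> str:
    """Dispatch on the byte loaded from ds:[0x12C2CB8] at 011BD99D."""
    al &= 0xFF
    if al < 1:                  # sub al,1 borrows only when al == 0
        return "case0"          # 011BD9B1 (Case 0 of switch)
    if ((al - 1) - 3) & 0xFF == 0:   # sub al,3 yields zero only for al == 4
        return "case4"          # 011BDA36 (Case 4 of switch)
    return "default"            # 011BDA7A (Default case of switch)


if __name__ == "__main__":
    # Constructed sample inputs for the two idioms.
    for raw in (-5, 7, 9, 10, 40):
        print(f"raw={raw:>3} -> edx={trial_argument(raw)}")
    for b in (0, 1, 4, 9):
        print(f"byte={b} -> {switch_case(b)}")
```

Reading the clamp this way explains why the value handed to the trial form always lies between 3 and 20 regardless of what Resize.00CCA0A4 returns, and the switch model shows that only the byte values 0 and 4 reach the code paths that call Resize.011CCE38.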
6. Summary

So there are two places that need to be patched:

```asm
011DC07C mov byte ptr ds:[eax+0x935],0x1   changed to   011DC07C mov byte ptr ds:[eax+0x935],0x0
011BD98B cmp byte ptr ds:[eax+0x935],0x0   changed to   011BD98B cmp byte ptr ds:[eax+0x935],0x1
```