- UID
- 6621
注册时间2006-1-8
阅读权限50
最后登录1970-1-1
感悟天道
 
TA的每日心情 | 奋斗
3 天前 |
|---|
签到天数: 1692 天 [LV.Master]伴坛终老
|
本帖最后由 speedboy 于 2021-3-24 18:31 编辑
【文章标题】: Digimizer 5.6分析爆破
【文章作者】: speedboy
【软件名称】: Digimizer
【下载地址】:
【加壳方式】: 无
【编写语言】: Microsoft Visual C++
【使用工具】: Ollydbg
【操作平台】: win7
【软件介绍】:专业的图像测量工具,常常用在医学图像上,比如:X光图片、显微照片等,并且digimizer支持对图像内容进行手工精确测量,进行自动对象识别;还支持众多的图片格式,包括:JPG、GIF、TIFF、BMP、PNG、WMF和EMF多种格式等。不仅如此,digimizer还可以对图像进行简单的处理,支持图像进行旋转、反转、拉伸、图像明暗、对比调节等多种处理方法。
【作者声明】: 只做学习、交流
--------------------------------------------------------------------------------
【详细过程】
1、搜索“Unlicensed copy”,有两处,在其中一处双击来到反汇编区分析。
[Asm] 纯文本查看 复制代码 004243CA push Digimize.00488C24 ; Unlicensed copy
004463CE push Digimize.00488C24 ; Unlicensed copy
2、发现其上两行是cmp,je比较判断语句,只要使ds:[0x494957]=0,即可实现跳转,所以在 cmp byte ptr ds:[0x494957],0x0 上“右键——查找参考——地址常量”
[Asm] 纯文本查看 复制代码 00424373 |> \57 push edi ; Case 110 (WM_INITDIALOG) of switch 0042430A
00424374 |. 56 push esi
00424375 |. FF15 2CF64600 call dword ptr ds:[<&mclib32._CenterDialog@4>] ; mclib32._CenterDialog@4
0042437B |. FF15 28F64600 call dword ptr ds:[<&mclib32._AppIsThemed@0>] ; mclib32._AppIsThemed@0
00424381 |. 68 1E0D0000 push 0xD1E ; /ControlID = D1E (3358.)
00424386 |. 56 push esi ; |hWnd = NULL
00424387 |. FF15 54F34600 call dword ptr ds:[<&USER32.GetDlgItem>] ; \GetDlgItem
0042438D |. 8B3D A4F24600 mov edi,dword ptr ds:[<&USER32.SetDlgItemTextW>] ; user32.SetDlgItemTextW
00424393 |. 85C0 test eax,eax ; kernel32.BaseThreadInitThunk
00424395 |. 74 2A je short Digimize.004243C1
00424397 |. 68 EC8B4800 push Digimize.00488BEC ; /5.6.0
0042439C |. 68 F88B4800 push Digimize.00488BF8 ; |Digimizer Version %s
004243A1 |. 8D85 5CFFFFFF lea eax,[local.41] ; |
004243A7 |. 6A 50 push 0x50 ; |Arg2 = 00000050
004243A9 |. 50 push eax ; |Arg1 = 7518343B
004243AA |. E8 818AFEFF call Digimize.0040CE30 ; \Digimize.0040CE30
004243AF |. 83C4 10 add esp,0x10
004243B2 |. 8D85 5CFFFFFF lea eax,[local.41]
004243B8 |. 50 push eax ; kernel32.BaseThreadInitThunk
004243B9 |. 68 1E0D0000 push 0xD1E
004243BE |. 56 push esi
004243BF |. FFD7 call edi
004243C1 |> 803D 57494900>cmp byte ptr ds:[0x494957],0x0
004243C8 |. 74 07 je short Digimize.004243D1
004243CA |. 68 248C4800 push Digimize.00488C24 ; Unlicensed copy
004243CF |. EB 05 jmp short Digimize.004243D6
004243D1 |> 68 F0864A00 push Digimize.004A86F0
004243D6 |> 68 420D0000 push 0xD42
004243DB |. 56 push esi
004243DC |. FFD7 call edi
004243DE |. 6A 60 push 0x60
004243E0 |. 6A 00 push 0x0
004243E2 |. 6A 00 push 0x0
004243E4 |. 68 448C4800 push Digimize.00488C44 ; [url=https://www.digimizer.com]https://www.digimizer.com[/url]
004243E9 |. 68 ED0C0000 push 0xCED
004243EE |. 68 ED0C0000 push 0xCED ; /ControlID = CED (3309.)
004243F3 |. 56 push esi ; |hWnd = NULL
004243F4 |. FF15 54F34600 call dword ptr ds:[<&USER32.GetDlgItem>] ; \GetDlgItem
004243FA |. 50 push eax ; kernel32.BaseThreadInitThunk
004243FB |. FF15 24F64600 call dword ptr ds:[<&mclib32._urlctrl_set@24>] ; mclib32._urlctrl_set@24
00424401 |. 5F pop edi ; kernel32.7518344D
00424402 |. B8 01000000 mov eax,0x1
00424407 |. 5E pop esi ; kernel32.7518344D
00424408 |. 8B4D FC mov ecx,[local.1]
0042440B |. 33CD xor ecx,ebp
0042440D |. E8 9FEA0200 call Digimize.00452EB1
00424412 |. 8BE5 mov esp,ebp
00424414 |. 5D pop ebp ; kernel32.7518344D
00424415 |. C2 1000 retn 0x10
3、查找地址常量后得到下面四条信息,有两处赋值为零的语句,在第一个处双击来到反汇编区。
[Asm] 纯文本查看 复制代码 004243C1 cmp byte ptr ds:[0x494957],0x0 (初始 CPU 选择)
0042A743 mov byte ptr ds:[0x494957],0x0 ds:[00494957]=01
0042AD43 mov byte ptr ds:[0x494957],0x0 ds:[00494957]=01
004463BF cmp byte ptr ds:[0x494957],0x0 ds:[00494957]=01
4、经分析,要想实现 ds:[0x494957]=0 je short Digimize.0042A740必须实现,此行又是来自 jnz short Digimize.0042A70F,此语句必须实现跳转,则是当al=1时,al的支来自哪里?当然是上面的call了(call Digimize.0042A510),F7跟进分析。
[Asm] 纯文本查看 复制代码 0042A6A0 . B9 80794A00 mov ecx,Digimize.004A7980 ; |
0042A6A5 . E8 66FEFFFF call Digimize.0042A510 ; \》关键call
0042A6AA . 83C4 04 add esp,0x4
0042A6AD . 84C0 test al,al
0042A6AF . 75 5E jnz short Digimize.0042A70F ; 》跳转
0042A6B1 . 3885 5BFDFFFF cmp byte ptr ss:[ebp-0x2A5],al
0042A6B7 . 74 2B je short Digimize.0042A6E4
0042A6B9 . 68 541F0000 push 0x1F54
0042A6BE . 68 9C000000 push 0x9C
0042A6C3 . 57 push edi
0042A6C4 . FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>] ; mclib32.AlertWindow
0042A6CA . 83C4 0C add esp,0xC
0042A6CD . B8 01000000 mov eax,0x1
0042A6D2 . 5F pop edi ; kernel32.7518344D
0042A6D3 . 5E pop esi ; kernel32.7518344D
0042A6D4 . 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
0042A6D7 . 33CD xor ecx,ebp
0042A6D9 . E8 D3870200 call Digimize.00452EB1
0042A6DE . 8BE5 mov esp,ebp
0042A6E0 . 5D pop ebp ; kernel32.7518344D
0042A6E1 . C2 1000 retn 0x10
0042A6E4 > 68 481F0000 push 0x1F48
0042A6E9 . 68 9C000000 push 0x9C
0042A6EE . 57 push edi
0042A6EF . FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>] ; mclib32.AlertWindow
0042A6F5 . 83C4 0C add esp,0xC
0042A6F8 . B8 01000000 mov eax,0x1
0042A6FD . 5F pop edi ; kernel32.7518344D
0042A6FE . 5E pop esi ; kernel32.7518344D
0042A6FF . 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
0042A702 . 33CD xor ecx,ebp
0042A704 . E8 A8870200 call Digimize.00452EB1
0042A709 . 8BE5 mov esp,ebp
0042A70B . 5D pop ebp ; kernel32.7518344D
0042A70C . C2 1000 retn 0x10
0042A70F > 80BD 5BFDFFFF>cmp byte ptr ss:[ebp-0x2A5],0x0
0042A716 . 74 28 je short Digimize.0042A740 ;》跳转
0042A718 . 68 541F0000 push 0x1F54
0042A71D . 68 9C000000 push 0x9C
0042A722 . 57 push edi
0042A723 . FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>] ; mclib32.AlertWindow
0042A729 . 83C4 0C add esp,0xC
0042A72C . 33C0 xor eax,eax ; kernel32.BaseThreadInitThunk
0042A72E . 5F pop edi ; kernel32.7518344D
0042A72F . 5E pop esi ; kernel32.7518344D
0042A730 . 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
0042A733 . 33CD xor ecx,ebp
0042A735 . E8 77870200 call Digimize.00452EB1
0042A73A . 8BE5 mov esp,ebp
0042A73C . 5D pop ebp ; kernel32.7518344D
0042A73D . C2 1000 retn 0x10
0042A740 > 6A 01 push 0x1 ; /Result = 0x1
0042A742 . 57 push edi ; |hWnd = NULL
0042A743 . C605 57494900>mov byte ptr ds:[0x494957],0x0 ; |
0042A74A . FF15 94F24600 call dword ptr ds:[<&USER32.EndDialog>] ; \EndDialog
5、此语句0042A54D mov al,0x1使al=1,而此语句来自jnz short Digimize.0042A54C,所以次跳转必须实现,也即是上一句 test al,al中al<>0,而al的值来自call Digimize.0042A100,F7跟进分析。
[Asm] 纯文本查看 复制代码 0042A510 /$ 55 push ebp
0042A511 |. 8BEC mov ebp,esp
0042A513 |. 51 push ecx
0042A514 |. 8B45 08 mov eax,[arg.1]
0042A517 |. 56 push esi ; mclib32.UnicodeToUTF8
0042A518 |. 57 push edi ; Digimize.004A88F0
0042A519 |. 50 push eax
0042A51A |. 8BF2 mov esi,edx
0042A51C |. C600 00 mov byte ptr ds:[eax],0x0
0042A51F |. 8BF9 mov edi,ecx
0042A521 |. E8 DAFBFFFF call Digimize.0042A100 ; 》关键call
0042A526 |. 83C4 04 add esp,0x4
0042A529 |. 84C0 test al,al
0042A52B |. 75 1F jnz short Digimize.0042A54C ; 》跳转
0042A52D |. 8BD6 mov edx,esi ; mclib32.UnicodeToUTF8
0042A52F |. 8BCF mov ecx,edi ; Digimize.004A88F0
0042A531 |. E8 1AF8FFFF call Digimize.00429D50
0042A536 |. 84C0 test al,al
0042A538 |. 75 12 jnz short Digimize.0042A54C
0042A53A |. 8BD6 mov edx,esi ; mclib32.UnicodeToUTF8
0042A53C |. 8BCF mov ecx,edi ; Digimize.004A88F0
0042A53E |. E8 1DF4FFFF call Digimize.00429960
0042A543 |. 84C0 test al,al
0042A545 |. 75 05 jnz short Digimize.0042A54C
0042A547 |. 5F pop edi ; Digimize.004A86F0
0042A548 |. 5E pop esi ; Digimize.004A86F0
0042A549 |. 59 pop ecx ; Digimize.004A86F0
0042A54A |. 5D pop ebp ; Digimize.004A86F0
0042A54B |. C3 retn
0042A54C |> 5F pop edi ; Digimize.004A86F0
0042A54D |. B0 01 mov al,0x1
0042A54F |. 5E pop esi ; Digimize.004A86F0
0042A550 |. 59 pop ecx ; Digimize.004A86F0
0042A551 |. 5D pop ebp ; Digimize.004A86F0
0042A552 \. C3 retn
6、逐步分析后,程序来到 0042A4F4 xor al,al 修改此处语句使al<>0即可实现破解。[Asm] 纯文本查看 复制代码 0042A100 $ 55 push ebp
0042A101 . 8BEC mov ebp,esp
0042A103 . 83E4 F8 and esp,0xFFFFFFF8
0042A106 . 81EC 44030000 sub esp,0x344
0042A10C . A1 E4404900 mov eax,dword ptr ds:[0x4940E4]
0042A111 . 33C4 xor eax,esp
0042A113 . 898424 400300>mov dword ptr ss:[esp+0x340],eax
0042A11A . 53 push ebx
0042A11B . 8B5D 08 mov ebx,dword ptr ss:[ebp+0x8]
0042A11E . 8D8424 400200>lea eax,dword ptr ss:[esp+0x240]
0042A125 . 56 push esi ; mclib32.UnicodeToUTF8
0042A126 . 8B35 34F64600 mov esi,dword ptr ds:[<&mclib32.UnicodeToUTF8>] ; mclib32.UnicodeToUTF8
0042A12C . 57 push edi ; Digimize.004A88F0
0042A12D . 68 00010000 push 0x100
0042A132 . 50 push eax
0042A133 . 51 push ecx
0042A134 . 8BFA mov edi,edx
0042A136 . FFD6 call esi ; mclib32.UnicodeToUTF8; <&mclib32.UnicodeToUTF8>
0042A138 . 83C4 0C add esp,0xC
0042A13B . 8D4424 48 lea eax,dword ptr ss:[esp+0x48]
0042A13F . 68 00010000 push 0x100
0042A144 . 50 push eax
0042A145 . 57 push edi ; Digimize.004A88F0
0042A146 . FFD6 call esi ; mclib32.UnicodeToUTF8
0042A148 . 83C4 0C add esp,0xC
0042A14B . 807C24 4D 2D cmp byte ptr ss:[esp+0x4D],0x2D
0042A150 . 0F85 97030000 jnz Digimize.0042A4ED
0042A156 . 807C24 53 2D cmp byte ptr ss:[esp+0x53],0x2D
0042A15B . 0F85 8C030000 jnz Digimize.0042A4ED
0042A161 . 807C24 59 2D cmp byte ptr ss:[esp+0x59],0x2D
0042A166 . 0F85 81030000 jnz Digimize.0042A4ED
0042A16C . 807C24 5F 2D cmp byte ptr ss:[esp+0x5F],0x2D
0042A171 . 0F85 76030000 jnz Digimize.0042A4ED
………………
………………
………………
0042A4ED > \8B8C24 4C0300>mov ecx,dword ptr ss:[esp+0x34C]
0042A4F4 32C0 xor al,al ; 》【1】
0042A4F6 . 5F pop edi ; Digimize.004A86F0
0042A4F7 . 5E pop esi ; Digimize.004A86F0
0042A4F8 . 5B pop ebx ; Digimize.004A86F0
0042A4F9 . 33CC xor ecx,esp
0042A4FB . E8 B1890200 call Digimize.00452EB1
0042A500 . 8BE5 mov esp,ebp
0042A502 . 5D pop ebp ; Digimize.004A86F0
0042A503 . C3 retn
7、破解前后对比
|
评分
-
| 参与人数 3 | 威望 +6 |
飘云币 +6 |
收起
理由
|
 wgz001
| + 2 |
+ 2 |
感谢发布原创作品,PYG有你更精彩! |
 cfc1680
| + 2 |
+ 2 |
感谢发布原创作品,PYG有你更精彩! |
 非诚勿扰
| + 2 |
+ 2 |
感谢发布原创作品,PYG有你更精彩! |
查看全部评分
|
IP卡
发表于 2021-3-24 18:25:18
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2021-3-25 13:52:32
楼主
发表于 2021-3-26 09:22:41
发表于 2021-3-26 17:20:22
发表于 2021-3-27 20:26:15
