- UID
- 1848
注册时间2005-6-1
阅读权限20
最后登录1970-1-1
以武会友
 
TA的每日心情 | 开心
2022-3-15 04:07 |
|---|
签到天数: 76 天 [LV.6]常住居民II
|
【破文作者】 lnn1123[PYG][PCG][GZG][OCN][BCG][DCM]
【 E-mail 】 [email protected]
【 作者QQ 】 254513595
【文章题目】 TitleBarClock Pro5.2算法分析
【软件名称】 TitleBarClock Pro5.2
【下载地址】 天空软件
----------------------------------------------------------------------------------------------
【加密方式】 注册码
【破解工具】 OD,PEID
【软件限制】 没看
【破解平台】 Win9x/NT/2000/XP/XP SP2
----------------------------------------------------------------------------------------------
【软件简介】
TitleBarClock Pro Copyright ?2002-2005
Runs on Windows 98-Me-NT4-2000-XP.
This is a full functioning 15 day free trial of TBC Pro.
After the trial is up you must register. Right click on
the TBC Pro tray icon then click on the "TBC Pro Website"
menu option. This will take you to the online registration
website. Click on "Buy TitleBarClock Pro" to purchase a
registration number for $9.95 US. After registration is
completed a registration number will be sent to your email
address. Your one(1) time registration entitles you to all
future updates of TitleBarClock Pro.
TBC Pro displays the Day Month Date Time Year and
Megabytes of free physical memory in right side of
the Title Bar of any main window that has the mouse
or keyboard focus.
TBC Pro also places a clock icon in the System Tray
when you start the program. Right click on the Tray
Icon to change default settings.
Changes made to these settings are saved for the next
time you start up your computer.
XP USERS:
When switching between XP theme and Classic Theme it is
recommended that you exit the TitleBarClock Pro program
change to the other theme then reload the program.
StyleXP USERS:
When switching between StyleXP theme it is recommended
that you exit the TitleBarClock Pro program change to
the new StyleXP theme then reload the program.
Run the un-install program to completely remove TBC Pro.
You MUST EXIT the TitleBarClock Pro program first before
you run the un-install operation.
Will worth the $9.95 purchase registration price!!
Please report any bugs or suggestions to improve the
program to - [email protected]
www.wfcravener.com/tbcpro.html
www.quickersoft.com/tbcpro.html
【文章简介】
文章比较简单啊,高手过!
----------------------------------------------------------------------------------------------
【破解过程】
用PEID查看是PECompact 2.x -> Jeremy Collake的壳,设置Ollydbg忽略所有的异常选项
00401000 > B8 58CB4100 MOV EAX,Tbcpro.0041CB58 ; 停在这里
00401005 50 PUSH EAX
00401006 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040100D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR DS:[EAX],ECX
00401018 50 PUSH EAX
00401019 45 INC EBP
0040101A 43 INC EBX
下断:BP VirtualFree (这些API经常要,要记住),运行后,取消断点,ALT+F9
返回,再走几不就到OEP了
下断短在这里:
7C809B14 > 8BFF MOV EDI,EDI ; Tbcpro.00400000
7C809B16 55 PUSH EBP
7C809B17 8BEC MOV EBP,ESP
7C809B19 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809B1C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809B1F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809B22 6A FF PUSH -1
7C809B24 E8 09000000 CALL kernel32.VirtualFreeEx
7C809B29 5D POP EBP
7C809B2A C2 0C00 RETN 0C
ALT+F9到这里:
0038039C 58 POP EAX ; <&kernel32.VirtualFree>
0038039D 68 00800000 PUSH 8000
003803A2 6A 00 PUSH 0
003803A4 FFB5 E3120010 PUSH DWORD PTR SS:[EBP+100012E3]
003803AA FF10 CALL DWORD PTR DS:[EAX]
003803AC 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
003803AF 03C7 ADD EAX,EDI
003803B1 5D POP EBP
003803B2 5E POP ESI
003803B3 5F POP EDI
003803B4 59 POP ECX
003803B5 5B POP EBX
003803B6 C3 RETN
F8走到这里:
0041CBFE 8985 1C110010 MOV DWORD PTR SS:[EBP+1000111C],EAX ; Tbcpro.<ModuleEntryPoint>
0041CC04 8BF0 MOV ESI,EAX
0041CC06 59 POP ECX
0041CC07 5A POP EDX
0041CC08 03CA ADD ECX,EDX
0041CC0A 68 00800000 PUSH 8000
0041CC0F 6A 00 PUSH 0
0041CC11 57 PUSH EDI
0041CC12 FF11 CALL DWORD PTR DS:[ECX]
0041CC14 8BC6 MOV EAX,ESI
0041CC16 5E POP ESI
0041CC17 5F POP EDI
0041CC18 59 POP ECX
0041CC19 5B POP EBX
0041CC1A 5D POP EBP
0041CC1B FFE0 JMP EAX ; JMP OEP
OD插件可以脱壳了,我这里不要修复就可以运行了,脱壳完成。
看算法了,输入Order ID and Regcode后,看到有错误提示,不会加密字符吧,老
罗插件看看,没有加密,找到字符后下断这里:
===================================代码=============================================
00405A10 |. 6A 10 PUSH 10 ; /Count = 10 (16.)
00405A12 |. 68 82D94000 PUSH 1.0040D982 ; |Buffer = 1.0040D982
00405A17 |. 68 AA0F0000 PUSH 0FAA ; |ControlID = FAA (4010.)
00405A1C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405A1F |. E8 08490000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00405A24 |. E8 18370000 CALL 1.00409141 ; 上面的CALL获取假码,关键CALL,进入
00405A29 |. 833D 4BD74000 >CMP DWORD PTR DS:[40D74B],1 ; 标志位比较
00405A30 |. 75 19 JNZ SHORT 1.00405A4B ; 不跳就死
00405A32 |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405A34 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405A39 |. 68 80C04000 PUSH 1.0040C080 ; |Text = "Invalid Registration Code"
00405A3E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405A41 |. E8 40490000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405A46 |. E9 B5000000 JMP 1.00405B00
00405A4B |> 6A 1E PUSH 1E ; /Count = 1E (30.)
00405A4D |. 68 E6D94000 PUSH 1.0040D9E6 ; |Buffer = 1.0040D9E6
00405A52 |. 68 B40F0000 PUSH 0FB4 ; |ControlID = FB4 (4020.)
00405A57 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405A5A |. E8 CD480000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00405A5F |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; 注册名长度
00405A62 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /注册名长度
00405A65 |. E8 5F370000 CALL 1.004091C9 ; \关键CALL,进入
00405A6A |. 833D 4FD74000 >CMP DWORD PTR DS:[40D74F],1
00405A71 |. 75 62 JNZ SHORT 1.00405AD5
00405A73 |. 66:C705 9FD740>MOV WORD PTR DS:[40D79F],0
00405A7C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Arg1
00405A7F |. E8 4C300000 CALL 1.00408AD0 ; \1.00408AD0
00405A84 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Arg1
00405A87 |. E8 AC2C0000 CALL 1.00408738 ; \1.00408738
00405A8C |. 6A 00 PUSH 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405A8E |. 68 4C040000 PUSH 44C ; |ItemID = 44C (1100.)
00405A93 |. FF35 84EC4000 PUSH DWORD PTR DS:[40EC84] ; |hMenu = ABC00201
00405A99 |. E8 24490000 CALL <JMP.&user32.RemoveMenu> ; \RemoveMenu
00405A9E |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AA0 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405AA5 |. 68 B1C04000 PUSH 1.0040C0B1 ; |Text = "Thank You!
TitleBarClock Pro
Registration Successful."
00405AAA |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405AAD |. E8 D4480000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405AB2 |. 6A 00 PUSH 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405AB4 |. FF35 88EC4000 PUSH DWORD PTR DS:[40EC88] ; |ItemID = 647C01D3 (1685848531.)
00405ABA |. FF35 84EC4000 PUSH DWORD PTR DS:[40EC84] ; |hMenu = ABC00201
00405AC0 |. E8 1F480000 CALL <JMP.&user32.EnableMenuItem> ; \EnableMenuItem
00405AC5 |. 6A 00 PUSH 0 ; /lParam = 0
00405AC7 |. 6A 00 PUSH 0 ; |wParam = 0
00405AC9 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
00405ACB |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405ACE |. E8 FB480000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00405AD3 |. EB 14 JMP SHORT 1.00405AE9
00405AD5 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AD7 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405ADC |. 68 9AC04000 PUSH 1.0040C09A ; |Text = "Invalid RegNow OrderID"
00405AE1 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405AE4 |. E8 9D480000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405AE9 |> EB 15 JMP SHORT 1.00405B00
00405AEB |> 3D C80F0000 CMP EAX,0FC8
00405AF0 |. 75 0E JNZ SHORT 1.00405B00
00405AF2 |. 6A 00 PUSH 0 ; /lParam = 0
00405AF4 |. 6A 00 PUSH 0 ; |wParam = 0
00405AF6 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
00405AF8 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405AFB |. E8 CE480000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00405B00 |> 33C0 XOR EAX,EAX
00405B02 |. C9 LEAVE
00405B03 \. C2 1000 RETN 10
======================================进CALL 00409141==================================================
00409141 /$ 56 PUSH ESI ; 1.0040594B
00409142 |. 57 PUSH EDI
00409143 |. 51 PUSH ECX
00409144 |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],0
0040914E |. BF B4D94000 MOV EDI,1.0040D9B4 ; ASCII "Z526WT491QN387B"
00409153 |. 57 PUSH EDI
00409154 |. BE 22DE4000 MOV ESI,1.0040DE22
00409159 |. B9 05000000 MOV ECX,5 ; 串传送的计数器
0040915E |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 串传送
00409160 |. BE 67E04000 MOV ESI,1.0040E067 ; 特殊字符
00409165 |. B9 05000000 MOV ECX,5 ; 串传送的计数器
0040916A |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 串传送
0040916C |. BE 92DF4000 MOV ESI,1.0040DF92 ; 特殊字符
00409171 |. B9 05000000 MOV ECX,5 ; 串传送的计数器
00409176 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 串传送
00409178 |. 5F POP EDI
00409179 |. 8BF7 MOV ESI,EDI
0040917B |. E8 21000000 CALL 1.004091A1 ; 解密上面传送的字符后就是注册码了,跟进
00409180 |. BE 82D94000 MOV ESI,1.0040D982 ; ASCII "78787878"
00409185 |. BF B4D94000 MOV EDI,1.0040D9B4 ; ASCII "Z526WT491QN387B"
0040918A |. B9 0F000000 MOV ECX,0F ; 计数器为15
0040918F |. F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 串比较
00409191 |. 74 0A JE SHORT 1.0040919D ; 不等就OVER
00409193 |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],1 ; 标志位
0040919D |> 59 POP ECX
0040919E |. 5F POP EDI
0040919F |. 5E POP ESI
004091A0 \. C3 RETN
=====================================进CALL 004091A1================================================================
004091A1 /$ 56 PUSH ESI
004091A2 |. 57 PUSH EDI
004091A3 |. 8BF7 MOV ESI,EDI ; 1.0040D9B4
004091A5 |. B9 0F000000 MOV ECX,0F ; 计数器为15
004091AA |> AC LODS BYTE PTR DS:[ESI] ; 串读取字符
004091AB |. 2C 03 SUB AL,3 ; AL=AL-3
004091AD |. D0E8 SHR AL,1 ; 右移一位
004091AF |. AA STOS BYTE PTR ES:[EDI] ; 存回去
004091B0 |. 49 DEC ECX ; 计数器减1
004091B1 |.^75 F7 JNZ SHORT 1.004091AA ; 循环
004091B3 |. 5F POP EDI
004091B4 |. 5E POP ESI
004091B5 \. C3 RETN
到这里Regcode 已经很容易得到了,这个软件的Order ID还有要求呢,我看看
========================================进 CALL 004091C9============================================
004091C9 /$ 55 PUSH EBP
004091CA |. 8BEC MOV EBP,ESP
004091CC |. 83C4 FC ADD ESP,-4
004091CF |. 56 PUSH ESI
004091D0 |. 57 PUSH EDI
004091D1 |. 51 PUSH ECX
004091D2 |. BE E6D94000 MOV ESI,1.0040D9E6 ; ASCII "1234567890-1123-0000"
004091D7 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004091DA |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
004091E1 |> AC /LODS BYTE PTR DS:[ESI] ; 串读取注册名
004091E2 |. 3C 2D |CMP AL,2D ; 是-号吗?
004091E4 |. 74 1B |JE SHORT 1.00409201 ; 是-就跳,如果你输入的ID没有-就OVER!
004091E6 |. 3C 39 |CMP AL,39 ; 与9比较
004091E8 |. 7F 29 |JG SHORT 1.00409213
004091EA |. FF45 FC |INC DWORD PTR SS:[EBP-4]
004091ED |. 49 |DEC ECX
004091EE |.^75 F1 \JNZ SHORT 1.004091E1
004091F0 |. C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0 ; 标志位
004091FA |. 59 POP ECX
004091FB |. 5F POP EDI
004091FC |. 5E POP ESI
004091FD |. C9 LEAVE
004091FE |. C2 0400 RETN 4
00409201 |> 837D FC 0A CMP DWORD PTR SS:[EBP-4],0A ; C常数
00409205 |. 75 0C JNZ SHORT 1.00409213 ; 如果你的-号不是出现在ID的第十一位就OVER
00409207 |> AC /LODS BYTE PTR DS:[ESI] ; 串读取第一个-号后面的内容
00409208 |. 3C 2D |CMP AL,2D ; 是-号吗?看来还要有-号
0040920A |. 74 18 |JE SHORT 1.00409224 ; 没有-号OVER
0040920C |. 3C 39 |CMP AL,39 ; 小于9吗?
0040920E |. 7F 03 |JG SHORT 1.00409213
00409210 |. 49 |DEC ECX
00409211 |.^75 F4 \JNZ SHORT 1.00409207
00409213 |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0 ; 标志位
0040921D |. 59 POP ECX
0040921E |. 5F POP EDI
0040921F |. 5E POP ESI
00409220 |. C9 LEAVE
00409221 |. C2 0400 RETN 4
00409224 |> AC /LODS BYTE PTR DS:[ESI] ; 串读取第2个-号后面的内容
00409225 |. 3C 00 |CMP AL,0 ; 是0?
00409227 |. 74 07 |JE SHORT 1.00409230
00409229 |. 3C 39 |CMP AL,39 ; 小于9?
0040922B |.^7F E6 |JG SHORT 1.00409213
0040922D |. 49 |DEC ECX
0040922E |.^75 F4 \JNZ SHORT 1.00409224
00409230 |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],1 ; 标志位
0040923A |. 59 POP ECX
0040923B |. 5F POP EDI
0040923C |. 5E POP ESI
0040923D |. C9 LEAVE
0040923E \. C2 0400 RETN 4
Order ID的要求总结一下,就是要前十位数字是0-9,第十一位是“-”,第一个“-”
后面还必须有0-9的数字,后面还要有一个“-”,“-”后数字随便,就OK
举例:1234567890-1123-0000
表达能力较差,不要骂我啊
到这里算法就完毕了,比较简单。
================================================================================
注册信息:
Order ID:1234567890-1123-0000
Regcode :Z526WT491QN387B
----------------------------------------------------------------------------------------------
【破解心得】
这个软件刚开始的串传送时候的字符可能各个机子上不一样,就是那段字符解密比较重要
啊,写文章真的好累,破花了一点时间,可写花了不少时间啊
----------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
文章写于2004-9-7 19:25:11
[ Last edited by lnn1123 on 2005-9-8 at 09:48 AM ] |
|
IP卡
发表于 2005-9-8 09:45:45
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2005-9-8 21:17:00
