While cleaning up my computer I found a very old antique. I opened it and saw that it still contains a lot of classical poems, which I found somewhat interesting. I noticed it had never been registered, and figured that cracking such old software should be fairly easy nowadays, so I dug it out to tinker with it. The record is as follows; rank newbies, please give some criticism; anyone slightly stronger, please pass by.
Software name: 中外诗词荟萃 V1.2 (Collection of Chinese and Foreign Poetry, version 1.2)
Software size: 6.59M
Cracking platform: winXP
Cracking tools: PEiD, OD
Written in: Borland Delphi 6.0 - 7.0
Checked the packer with PEiD: ASPack; unpacked it with an unpacker.
Load it in OD, search the strings, find "注册成功" (registration successful), trace back upwards, set a breakpoint at 005A2DED, run, click the register button, enter any user name and code, click register, and it breaks at 005A2DED.
005A2DED 53 push ebx ; register button pressed
005A2DEE 8BD8 mov ebx,eax
005A2DF0 33C0 xor eax,eax
005A2DF2 55 push ebp
005A2DF3 68 EE2E5A00 push Unpacked.005A2EEE
005A2DF8 64:FF30 push dword ptr fs:[eax]
005A2DFB 64:8920 mov dword ptr fs:[eax],esp
005A2DFE 8D55 F8 lea edx,dword ptr ss:[ebp-8]
005A2E01 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
005A2E07 E8 24B8EBFF call Unpacked.0045E630 ; fetch the entered (fake) code
005A2E0C 8B45 F8 mov eax,dword ptr ss:[ebp-8]
005A2E0F 50 push eax ; push the entered code
005A2E10 8D55 F4 lea edx,dword ptr ss:[ebp-C]
005A2E13 8B83 10030000 mov eax,dword ptr ds:[ebx+310]
005A2E19 E8 12B8EBFF call Unpacked.0045E630 ; fetch the user name
005A2E1E 8B55 F4 mov edx,dword ptr ss:[ebp-C]
005A2E21 A1 7C8D5A00 mov eax,dword ptr ds:[5A8D7C] ; user name pushed
005A2E26 8B00 mov eax,dword ptr ds:[eax]
005A2E28 8B40 64 mov eax,dword ptr ds:[eax+64]
005A2E2B 33C9 xor ecx,ecx
005A2E2D E8 C620F1FF call Unpacked.004B4EF8 ; key call
005A2E32 84C0 test al,al ; the low byte of eax must be non-zero
005A2E34 75 2C jnz short Unpacked.005A2E62 ; this jump must be taken
005A2E36 8D45 FC lea eax,dword ptr ss:[ebp-4]
005A2E39 BA 042F5A00 mov edx,Unpacked.005A2F04 ; "输入注册码不正确,请检查!" (the registration code entered is incorrect, please check!)
005A2E3E E8 2118E6FF call Unpacked.00404664
005A2E43 6A 40 push 40
005A2E45 8B45 FC mov eax,dword ptr ss:[ebp-4]
005A2E48 E8 4F1CE6FF call Unpacked.00404A9C
005A2E4D 8BD0 mov edx,eax
005A2E4F B9 202F5A00 mov ecx,Unpacked.005A2F20 ; "输入错误" (input error)
005A2E54 A1 608B5A00 mov eax,dword ptr ds:[5A8B60]
005A2E59 8B00 mov eax,dword ptr ds:[eax]
005A2E5B E8 D8BCEDFF call Unpacked.0047EB38
005A2E60 EB 69 jmp short Unpacked.005A2ECB
005A2E62 68 342F5A00 push Unpacked.005A2F34 ; "注册成功!\n注册信息为:\n用户名:" (Registration successful!\nRegistration info:\nUser name:)
005A2E67 A1 7C8D5A00 mov eax,dword ptr ds:[5A8D7C]
005A2E6C 8B00 mov eax,dword ptr ds:[eax]
005A2E6E 8B58 64 mov ebx,dword ptr ds:[eax+64]
005A2E71 FF73 48 push dword ptr ds:[ebx+48]
005A2E74 68 602F5A00 push Unpacked.005A2F60 ; \n
005A2E79 68 602F5A00 push Unpacked.005A2F60 ; \n
005A2E7E 68 6C2F5A00 push Unpacked.005A2F6C ; "注册码:" (Registration code:)
005A2E83 A1 7C8D5A00 mov eax,dword ptr ds:[5A8D7C]
005A2E88 FF73 5C push dword ptr ds:[ebx+5C]
005A2E8B 68 602F5A00 push Unpacked.005A2F60 ; \n
005A2E90 68 802F5A00 push Unpacked.005A2F80 ; "感谢您对我们的支持!请重新启动。" (Thank you for your support! Please restart.)
005A2E95 8D45 FC lea eax,dword ptr ss:[ebp-4]
005A2E98 BA 08000000 mov edx,8
005A2E9D E8 BA1AE6FF call Unpacked.0040495C
005A2EA2 6A 40 push 40
005A2EA4 8B45 FC mov eax,dword ptr ss:[ebp-4]
005A2EA7 E8 F01BE6FF call Unpacked.00404A9C
005A2EAC 8BD0 mov edx,eax
005A2EAE B9 A42F5A00 mov ecx,Unpacked.005A2FA4 ; "注册成功" (Registration successful)
**********************************************************************
Press F7 at the key call to step into it
004B4EF8 55 push ebp
004B4EF9 8BEC mov ebp,esp
004B4EFB 83C4 F0 add esp,-10
004B4EFE 53 push ebx
004B4EFF 33DB xor ebx,ebx
004B4F01 895D F0 mov dword ptr ss:[ebp-10],ebx
004B4F04 895D F4 mov dword ptr ss:[ebp-C],ebx
004B4F07 894D F8 mov dword ptr ss:[ebp-8],ecx
004B4F0A 8955 FC mov dword ptr ss:[ebp-4],edx
004B4F0D 8BD8 mov ebx,eax
004B4F0F 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B4F12 E8 75FBF4FF call Unpacked.00404A8C ; user name computation
004B4F17 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004B4F1A E8 6DFBF4FF call Unpacked.00404A8C
004B4F1F 8B45 08 mov eax,dword ptr ss:[ebp+8]
004B4F22 E8 65FBF4FF call Unpacked.00404A8C ; entered code computation
004B4F27 33C0 xor eax,eax
004B4F29 55 push ebp
004B4F2A 68 E24F4B00 push Unpacked.004B4FE2
004B4F2F 64:FF30 push dword ptr fs:[eax]
004B4F32 64:8920 mov dword ptr fs:[eax],esp
004B4F35 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B4F38 E8 5FF9F4FF call Unpacked.0040489C ; key call
004B4F3D 3B43 4C cmp eax,dword ptr ds:[ebx+4C]
004B4F40 7F 19 jg short Unpacked.004B4F5B
004B4F42 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B4F45 E8 52F9F4FF call Unpacked.0040489C
004B4F4A 3B43 50 cmp eax,dword ptr ds:[ebx+50] ; compare whether the registration code length is less than 11 characters
004B4F4D 7C 0C jl short Unpacked.004B4F5B ; jump away if less
004B4F4F 8B45 08 mov eax,dword ptr ss:[ebp+8]
004B4F52 E8 45F9F4FF call Unpacked.0040489C ; entered code pushed
004B4F57 85C0 test eax,eax ; is the user name length 0, i.e. is it empty
004B4F59 75 04 jnz short Unpacked.004B4F5F ; jump away if not empty
004B4F5B 33DB xor ebx,ebx
004B4F5D EB 60 jmp short Unpacked.004B4FBF
004B4F5F 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004B4F62 8B45 08 mov eax,dword ptr ss:[ebp+8] ; entered code pushed
004B4F65 E8 DE3FF5FF call Unpacked.00408F48
004B4F6A 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004B4F6D 8D45 08 lea eax,dword ptr ss:[ebp+8] ; entered code pushed
004B4F70 E8 EFF6F4FF call Unpacked.00404664
004B4F75 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
004B4F78 8B55 FC mov edx,dword ptr ss:[ebp-4]
004B4F7B 8BC3 mov eax,ebx ; user name pushed
004B4F7D E8 46FBFFFF call Unpacked.004B4AC8
004B4F82 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004B4F85 8B55 08 mov edx,dword ptr ss:[ebp+8] ; a string appears in eax: 0000A93F6A9D
004B4F88 E8 5B40F5FF call Unpacked.00408FE8 ; another string here
004B4F8D 85C0 test eax,eax ; are they the same
004B4F8F 74 04 je short Unpacked.004B4F95 ; if this jump is taken, it succeeds
004B4F91 33DB xor ebx,ebx
004B4F93 EB 2A jmp short Unpacked.004B4FBF
004B4F95 8D43 48 lea eax,dword ptr ds:[ebx+48]
004B4F98 8B55 FC mov edx,dword ptr ss:[ebp-4]
004B4F9B E8 80F6F4FF call Unpacked.00404620
004B4FA0 8D43 54 lea eax,dword ptr ds:[ebx+54]
004B4FA3 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004B4FA6 E8 75F6F4FF call Unpacked.00404620
004B4FAB 8D43 5C lea eax,dword ptr ds:[ebx+5C]
004B4FAE 8B55 08 mov edx,dword ptr ss:[ebp+8]
004B4FB1 E8 6AF6F4FF call Unpacked.00404620
004B4FB6 8BC3 mov eax,ebx
004B4FB8 E8 5B020000 call Unpacked.004B5218
004B4FBD B3 01 mov bl,1
004B4FBF 33C0 xor eax,eax
004B4FC1 5A pop edx
004B4FC2 59 pop ecx
004B4FC3 59 pop ecx
004B4FC4 64:8910 mov dword ptr fs:[eax],edx
004B4FC7 68 E94F4B00 push Unpacked.004B4FE9
004B4FCC 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004B4FCF BA 04000000 mov edx,4
004B4FD4 E8 17F6F4FF call Unpacked.004045F0
004B4FD9 8D45 08 lea eax,dword ptr ss:[ebp+8]
004B4FDC E8 EBF5F4FF call Unpacked.004045CC
004B4FE1 C3 retn
**********************************************************************
It's all in plain text, so just knock together a memory keygen and be done with it.
No in-depth algorithm analysis; let's end it here.
I won't write my name; too much of a newbie, don't dare to.
08-5-1
[ This post was last edited by yangcongwen on 2008-5-1 20:20 ]