【破解作者】 飘之叶
【作者邮箱】 [email protected]
【作者主页】 http://hi.baidu.com/piaozhiye
【使用工具】 OD、PEiD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 天网防火墙个人版
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
PEiD 查壳:Borland C++ 1999。
运行程序,如果没有注册的话,会弹出"注册信息无法确认,请注册天网防火墙"的注册对话框。
方法: F12暂停。
OD 载入。
F9 运行,弹出对话框,此时按 F12 暂停,再按 K 查看调用堆栈:
调用堆栈
地址 堆栈 程序过程 / 参数 调用来自 结构
0012FA80 77D50617 ? USER32.MessageBoxTimeoutA USER32.77D50612
0012FA7C
0012FAA0 77D505CF ? USER32.MessageBoxExA USER32.77D505CA
0012FA9C
0012FAA4 00000000 hOwner = NULL
0012FAA8 014C66A4 Text = "注册信息无法确认,请注册天
0012FAAC 00594145 Title = "天网防火墙个人版"
0012FAB0 00001024 Style = MB_YESNO|MB_ICONQUESTION|M
0012FAB4 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012FABC 00408440 ? <JMP.&USER32.MessageBoxA> PFW1.0040843B
0012FAB8
0012FAC0 00000000 hOwner = NULL
0012FAC4 014C66A4 Text = "注册信息无法确认,请注册天
0012FAC8 00594145 Title = "天网防火墙个人版"
0012FACC 00001024 Style = MB_YESNO|MB_ICONQUESTION|M
0012FC40 00403BEF PFW1.004082B4 PFW1.00403BEA
0012FC3C
0012FCAC 0040254F PFW1.00403814 PFW1.0040254A
0012FCA8
0012FE70 004E628F 包含 PFW1.0040254F PFW1.004E6289
0012FE6C
0012FE94 004E5F8B 包含 PFW1.004E628F PFW1.004E5F85
0012FE90
跟进:
<JMP.&USER32.MessageBoxA>
调用来自=PFW1.0040843B
结构=0012FAB8
--------------------------------
来到:
0040842B /74 05 JE SHORT PFW1.00408432
0040842D |8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00408430 |EB 06 JMP SHORT PFW1.00408438
00408432 \8D8F F2020000 LEA ECX,DWORD PTR DS:[EDI+2F2]
00408438 51 PUSH ECX
00408439 6A 00 PUSH 0
0040843B E8 D8A71800 CALL <JMP.&USER32.MessageBoxA> ; 请注册
00408440 83F8 06 CMP EAX,6
00408443 BA 02000000 MOV EDX,2
00408448 0F94C0 SETE AL
0040844B 83E0 01 AND EAX,1
段首下断点:
004082B4 $ 55 PUSH EBP
004082B5 . 8BEC MOV EBP,ESP
004082B7 . 81C4 A0FEFFFF ADD ESP,-160
004082BD . 53 PUSH EBX
004082BE . 56 PUSH ESI
004082BF . 57 PUSH EDI
004082C0 . 8BF0 MOV ESI,EAX
004082C2 . BF 643E5900 MOV EDI,PFW1.00593E64
004082C7 . B8 EC615900 MOV EAX,PFW1.005961EC
004082CC . E8 C7201300 CALL PFW1.0053A398
004082D1 . 66:C745 C8 14>MOV WORD PTR SS:[EBP-38],14
004082D7 . 33D2 XOR EDX,EDX
004082D9 . A1 B0875B00 MOV EAX,DWORD PTR DS:[5B87B0]
004082DE . 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004082E1 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004082E4 . FF45 D4 INC DWORD PTR SS:[EBP-2C]
004082E7 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004082E9 . E8 EE550E00 CALL PFW1.004ED8DC
004082EE . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004082F1 . 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 读取程序
004082F3 . 33D2 XOR EDX,EDX
004082F5 . 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
004082F8 . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004082FB . FF45 D4 INC DWORD PTR SS:[EBP-2C]
004082FE . E8 315A1200 CALL PFW1.0052DD34
00408303 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00408306 . 50 PUSH EAX
00408307 . 8D97 D5020000 LEA EDX,DWORD PTR DS:[EDI+2D5] ; pfw.dat 这里应该是注册信息保存的地方
0040830D . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00408310 . E8 530C1500 CALL PFW1.00558F68
00408315 . FF45 D4 INC DWORD PTR SS:[EBP-2C]
00408318 . 33C0 XOR EAX,EAX
0040831A . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040831D . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00408320 . FF45 D4 INC DWORD PTR SS:[EBP-2C]
00408323 . 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
00408326 . 58 POP EAX
00408327 . E8 380E1500 CALL PFW1.00559164
0040832C . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
0040832F . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00408332 . BA 02000000 MOV EDX,2
00408337 . E8 D00D1500 CALL PFW1.0055910C
0040833C . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
0040833F . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00408342 . BA 02000000 MOV EDX,2
00408347 . E8 C00D1500 CALL PFW1.0055910C
0040834C . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
0040834F . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00408352 . BA 02000000 MOV EDX,2
00408357 . E8 B00D1500 CALL PFW1.0055910C
0040835C . 66:C745 C8 08>MOV WORD PTR SS:[EBP-38],8
00408362 . 6A 14 PUSH 14 ; /Arg3 = 00000014
00408364 . 6A 30 PUSH 30 ; |Arg2 = 00000030
00408366 . 8D8D A0FEFFFF LEA ECX,DWORD PTR SS:[EBP-160] ; |
0040836C . 51 PUSH ECX ; |Arg1
0040836D . E8 721C1300 CALL PFW1.00539FE4 ; \PFW1.00539FE4
00408372 . 83C4 0C ADD ESP,0C
00408375 . 8D87 DD020000 LEA EAX,DWORD PTR DS:[EDI+2DD] ; 000000000000000000,注册信息为空
0040837B . C645 B7 00 MOV BYTE PTR SS:[EBP-49],0
0040837F . 50 PUSH EAX
00408380 . 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; pfw.dat
00408384 . 74 05 JE SHORT PFW1.0040838B
00408386 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00408389 . EB 06 JMP SHORT PFW1.00408391
0040838B > 8D97 E0020000 LEA EDX,DWORD PTR DS:[EDI+2E0]
00408391 > 52 PUSH EDX ; |Arg1
00408392 . E8 513D1300 CALL PFW1.0053C0E8 ; \PFW1.0053C0E8
00408397 . 83C4 08 ADD ESP,8
0040839A . 8BD8 MOV EBX,EAX
0040839C . 85DB TEST EBX,EBX
0040839E . 74 56 JE SHORT PFW1.004083F6
004083A0 . 6A 00 PUSH 0 ; /Arg3 = 00000000
004083A2 . 6A 00 PUSH 0 ; |Arg2 = 00000000
004083A4 . 53 PUSH EBX ; |Arg1
004083A5 . E8 86401300 CALL PFW1.0053C430 ; \PFW1.0053C430
004083AA . 83C4 0C ADD ESP,0C
004083AD . 53 PUSH EBX ; /Arg4
004083AE . 6A 01 PUSH 1 ; |Arg3 = 00000001
004083B0 . 68 00010000 PUSH 100 ; |Arg2 = 00000100
004083B5 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C] ; |
004083BB . 50 PUSH EAX ; |Arg1
004083BC . E8 CF3F1300 CALL PFW1.0053C390 ; \PFW1.0053C390
004083C1 . 83C4 10 ADD ESP,10
004083C4 . 48 DEC EAX
004083C5 . 75 28 JNZ SHORT PFW1.004083EF
004083C7 . 81C6 FC030000 ADD ESI,3FC
004083CD . 56 PUSH ESI ; /Arg3
004083CE . 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160] ; |
004083D4 . 50 PUSH EAX ; |Arg2
004083D5 . 8D95 B4FEFFFF LEA EDX,DWORD PTR SS:[EBP-14C] ; |
004083DB . 52 PUSH EDX ; |Arg1
004083DC . E8 4B3E0300 CALL PFW1.0043C22C ; \PFW1.0043C22C
004083E1 . 83C4 0C ADD ESP,0C
004083E4 . 85C0 TEST EAX,EAX
004083E6 . 0F94C1 SETE CL
004083E9 . 83E1 01 AND ECX,1
004083EC . 884D B7 MOV BYTE PTR SS:[EBP-49],CL
004083EF > 53 PUSH EBX
004083F0 . E8 4B381300 CALL PFW1.0053BC40
004083F5 . 59 POP ECX
004083F6 > 807D B7 00 CMP BYTE PTR SS:[EBP-49],0 ; 注册信息是否为空
004083FA 0F85 5E010000 JNZ PFW1.0040855E ; 强制跳走,就跳过了下面的注册
00408400 . 8D87 E1020000 LEA EAX,DWORD PTR DS:[EDI+2E1]
00408406 . 68 24100000 PUSH 1024
0040840B . 50 PUSH EAX
0040840C . 33D2 XOR EDX,EDX
0040840E . 66:C745 C8 20>MOV WORD PTR SS:[EBP-38],20
00408414 . 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
00408417 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0040841A . FF45 D4 INC DWORD PTR SS:[EBP-2C]
0040841D . B8 5AC30000 MOV EAX,0C35A
00408422 . E8 850E1500 CALL PFW1.005592AC
00408427 . 837D EC 00 CMP DWORD PTR SS:[EBP-14],0
0040842B . 74 05 JE SHORT PFW1.00408432
0040842D . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00408430 . EB 06 JMP SHORT PFW1.00408438
00408432 > 8D8F F2020000 LEA ECX,DWORD PTR DS:[EDI+2F2]
00408438 > 51 PUSH ECX ; |Text
00408439 . 6A 00 PUSH 0 ; |hOwner = NULL
0040843B . E8 D8A71800 CALL <JMP.&USER32.MessageBoxA> ; \请注册
00408440 . 83F8 06 CMP EAX,6
00408443 . BA 02000000 MOV EDX,2
00408448 . 0F94C0 SETE AL
0040844B . 83E0 01 AND EAX,1
0040844E . 50 PUSH EAX ; /Arg1
0040844F . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] ; |
00408452 . FF4D D4 DEC DWORD PTR SS:[EBP-2C] ; |
00408455 . E8 B20C1500 CALL PFW1.0055910C ; \PFW1.0055910C
0040845A . 59 POP ECX
0040845B . 84C9 TEST CL,CL
0040845D . 0F84 C9000000 JE PFW1.0040852C
00408463 . 66:C745 C8 38>MOV WORD PTR SS:[EBP-38],38
00408469 . 33C0 XOR EAX,EAX
0040846B . 8B0D B0875B00 MOV ECX,DWORD PTR DS:[5B87B0] ; PFW1.005B9348
00408471 . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00408474 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00408477 . FF45 D4 INC DWORD PTR SS:[EBP-2C]
0040847A . 8B01 MOV EAX,DWORD PTR DS:[ECX]
0040847C . E8 5B540E00 CALL PFW1.004ED8DC
00408481 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00408484 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00408486 . 33D2 XOR EDX,EDX
00408488 . 8955 E0 MOV DWORD PTR SS:[EBP-20],EDX
0040848B . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0040848E . FF45 D4 INC DWORD PTR SS:[EBP-2C]
00408491 . E8 9E581200 CALL PFW1.0052DD34
00408496 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00408499 . 50 PUSH EAX
0040849A . 8D97 F3020000 LEA EDX,DWORD PTR DS:[EDI+2F3]
004084A0 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004084A3 . E8 C00A1500 CALL PFW1.00558F68
004084A8 . FF45 D4 INC DWORD PTR SS:[EBP-2C]
004084AB . 33C0 XOR EAX,EAX
004084AD . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004084B0 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004084B3 . FF45 D4 INC DWORD PTR SS:[EBP-2C]
004084B6 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004084B9 . 58 POP EAX
004084BA . E8 A50C1500 CALL PFW1.00559164
004084BF . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
004084C2 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004084C5 . BA 02000000 MOV EDX,2
004084CA . E8 3D0C1500 CALL PFW1.0055910C
004084CF . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
004084D2 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004084D5 . BA 02000000 MOV EDX,2
004084DA . E8 2D0C1500 CALL PFW1.0055910C
004084DF . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
004084E2 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004084E5 . BA 02000000 MOV EDX,2
004084EA . E8 1D0C1500 CALL PFW1.0055910C
004084EF . 66:C745 C8 2C>MOV WORD PTR SS:[EBP-38],2C
004084F5 . 6A 01 PUSH 1
004084F7 . 6A 00 PUSH 0
004084F9 . 6A 00 PUSH 0
004084FB . 837D E8 00 CMP DWORD PTR SS:[EBP-18],0
004084FF . 74 05 JE SHORT PFW1.00408506
00408501 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
00408504 . EB 06 JMP SHORT PFW1.0040850C
00408506 > 8D8F 01030000 LEA ECX,DWORD PTR DS:[EDI+301]
0040850C > 51 PUSH ECX ; |FileName
0040850D . 6A 00 PUSH 0 ; |Operation = NULL
0040850F . 6A 00 PUSH 0 ; |hWnd = NULL
00408511 . E8 02A41800 CALL <JMP.&SHELL32.ShellExecuteA> ; \ShellExecuteA
00408516 . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
00408519 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0040851C . BA 02000000 MOV EDX,2
00408521 . E8 E60B1500 CALL PFW1.0055910C
00408526 . 66:C745 C8 08>MOV WORD PTR SS:[EBP-38],8
0040852C > A1 B0875B00 MOV EAX,DWORD PTR DS:[5B87B0]
00408531 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00408533 . E8 904F0E00 CALL PFW1.004ED4C8
00408538 . 66:C745 C8 44>MOV WORD PTR SS:[EBP-38],44
0040853E . 6A 00 PUSH 0 ; /Arg1 = 00000000
00408540 . E8 93851300 CALL PFW1.00540AD8 ; \PFW1.00540AD8
00408545 . 59 POP ECX
00408546 . 66:C745 C8 08>MOV WORD PTR SS:[EBP-38],8
0040854C . EB 10 JMP SHORT PFW1.0040855E
0040854E . E8 09291300 CALL PFW1.0053AE5C
00408553 . 66:C745 C8 4C>MOV WORD PTR SS:[EBP-38],4C
00408559 . E8 E0A51300 CALL PFW1.00542B3E
0040855E > 8A45 B7 MOV AL,BYTE PTR SS:[EBP-49]
00408561 . BA 02000000 MOV EDX,2
00408566 . 50 PUSH EAX
00408567 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040856A . FF4D D4 DEC DWORD PTR SS:[EBP-2C]
0040856D . E8 9A0B1500 CALL PFW1.0055910C
00408572 . 58 POP EAX
00408573 . 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]
00408576 . 64:8915 00000>MOV DWORD PTR FS:[0],EDX
0040857D . 5F POP EDI
0040857E . 5E POP ESI
0040857F . 5B POP EBX
00408580 . 8BE5 MOV ESP,EBP
00408582 . 5D POP EBP
00408583 . C3 RETN
上面返回到这里:
00403BEF |. 84C0 TEST AL,AL ; 返回到这里
00403BF1 |. 75 2F JNZ SHORT PFW1.00403C22 ; 强制跳走,即可破解,注意看下面的标志位,如果不跳就完蛋了
00403BF3 |. 33C0 XOR EAX,EAX
00403BF5 |. BA 02000000 MOV EDX,2
00403BFA |. 50 PUSH EAX
00403BFB |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00403BFE |. FF4F 1C DEC DWORD PTR DS:[EDI+1C]
00403C01 |. E8 06551500 CALL PFW1.0055910C
00403C06 |. FF4F 1C DEC DWORD PTR DS:[EDI+1C]
00403C09 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00403C0C |. BA 02000000 MOV EDX,2
00403C11 |. E8 F6541500 CALL PFW1.0055910C
00403C16 |. 58 POP EAX
00403C17 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
00403C19 |. 64:8915 00000>MOV DWORD PTR FS:[0],EDX
00403C20 |. EB 54 JMP SHORT PFW1.00403C76
00403C22 |> B2 01 MOV DL,1
00403C24 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
00403C2A |. E8 752C0100 CALL PFW1.004168A4
00403C2F |. B2 01 MOV DL,1
00403C31 |. 8B83 44030000 MOV EAX,DWORD PTR DS:[EBX+344]
00403C37 |. E8 5CEF0000 CALL PFW1.00412B98
00403C3C |. B2 01 MOV DL,1
00403C3E |. 8B83 44030000 MOV EAX,DWORD PTR DS:[EBX+344]
00403C44 |. E8 F7EC0000 CALL PFW1.00412940
00403C49 |. B0 01 MOV AL,1
00403C4B |. BA 02000000 MOV EDX,2
00403C50 |. 50 PUSH EAX
00403C51 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00403C54 |. FF4F 1C DEC DWORD PTR DS:[EDI+1C]
00403C57 |. E8 B0541500 CALL PFW1.0055910C
00403C5C |. FF4F 1C DEC DWORD PTR DS:[EDI+1C]
00403C5F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00403C62 |. BA 02000000 MOV EDX,2
00403C67 |. E8 A0541500 CALL PFW1.0055910C
00403C6C |. 58 POP EAX
00403C6D |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
00403C6F |. 64:8915 00000>MOV DWORD PTR FS:[0],EDX
00403C76 |> 5F POP EDI
00403C77 |. 5E POP ESI
00403C78 |. 5B POP EBX
00403C79 |. 8BE5 MOV ESP,EBP
00403C7B |. 5D POP EBP
00403C7C \. C3 RETN
--------------------------------------------------------------------------------
【破解总结】
程序虽然使用了加密算法,但是验证方法过于简单:整个验证结果最终只落在一个字节标志和一处条件跳转上,加密算法再强也起不到保护作用。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!