Find the software yourself...
The program is packed with ASProtect; unpack it with a script.
The software has a self-check. When the error prompt appears, F12 plus the call stack makes it easy to locate. Changing 0041ECDE to EB 20 gets past the self-check; it is simple, so I won't go into detail.
Load the unpacked program, run it and enter some registration info; an error prompt appears. Searching for the error string with C32 locates the registration code:
0041BEF4 . 8BCE mov ecx,esi
0041BEF6 . E8 4BB80200 call <jmp.&mfc42.#3097>
0041BEFB . 8B5424 0C mov edx,dword ptr ss:[esp+C]
0041BEFF . 395A F8 cmp dword ptr ds:[edx-8],ebx ; check whether the username length is 0
0041BF02 . 75 2D jnz short unpacked.0041BF31
0041BF04 . 68 26040000 push 426
0041BF09 . 8BCE mov ecx,esi
0041BF0B . E8 6AB70200 call <jmp.&mfc42.#3092>
0041BF10 . 8BC8 mov ecx,eax
0041BF12 . E8 B1B70200 call <jmp.&mfc42.#5981>
0041BF17 . 8B4E 60 mov ecx,dword ptr ds:[esi+60]
0041BF1A . 53 push ebx
0041BF1B . 6A 02 push 2
0041BF1D . 68 D8DE4500 push unpacked.0045DED8
0041BF22 . 68 CCDE4500 push unpacked.0045DECC
0041BF27 . E8 445C0000 call unpacked.00421B70
0041BF2C . E9 96000000 jmp unpacked.0041BFC7
0041BF31 > 8B4424 08 mov eax,dword ptr ss:[esp+8]
0041BF35 . 8B40 F8 mov eax,dword ptr ds:[eax-8]
0041BF38 . 3BC3 cmp eax,ebx ; check whether the serial length is 0
0041BF3A . 75 2A jnz short unpacked.0041BF66
0041BF3C . 68 27040000 push 427
0041BF41 . 8BCE mov ecx,esi
0041BF43 . E8 32B70200 call <jmp.&mfc42.#3092>
0041BF48 . 8BC8 mov ecx,eax
0041BF4A . E8 79B70200 call <jmp.&mfc42.#5981>
0041BF4F . 8B4E 60 mov ecx,dword ptr ds:[esi+60]
0041BF52 . 53 push ebx
0041BF53 . 6A 02 push 2
0041BF55 . 68 ACDE4500 push unpacked.0045DEAC
0041BF5A . 68 CCDE4500 push unpacked.0045DECC
0041BF5F . E8 0C5C0000 call unpacked.00421B70
0041BF64 . EB 61 jmp short unpacked.0041BFC7
0041BF66 > 83F8 1D cmp eax,1D ; check whether the serial length is 0x1D (29)
0041BF69 . 0F85 87000000 jnz unpacked.0041BFF6 ; jump to the error prompt
0041BF6F . 6A 2D push 2D
0041BF71 . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0041BF75 . E8 ECB80200 call <jmp.&mfc42.#2763> ; check whether the 6th character of the serial is "-"
0041BF7A . 83F8 05 cmp eax,5
0041BF7D . 75 77 jnz short unpacked.0041BFF6 ; jump to the error prompt
0041BF7F . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0041BF83 . 51 push ecx
After that the software asks for a restart to verify the registration info. Looking at the string references again, the suspicious strings "sUserID" and "sSerialID" show up. Set breakpoints on both in OD; after the restart it breaks at 004226A7, which is where the registration info is loaded. Return out of that CALL and the key part is right there...
0041FF2E . E8 B9770200 call <jmp.&mfc42.#1768>
0041FF33 . 8BCE mov ecx,esi
0041FF35 . E8 A6220000 call unpacked.004221E0 ; we come out here
0041FF3A . 85C0 test eax,eax
0041FF3C . 75 0C jnz short unpacked.0041FF4A
0041FF3E . 68 D7000000 push 0D7 ; /Arg1 = 000000D7
0041FF43 . 8BCE mov ecx,esi ; |
0041FF45 . E8 A6A6FEFF call unpacked.0040A5F0 ; \unpacked.0040A5F0
0041FF4A > 8D9E FC0B0000 lea ebx,dword ptr ds:[esi+BFC]
0041FF50 . 68 19000200 push 20019
0041FF55 . 68 D4DA4500 push unpacked.0045DAD4 ; ASCII "SOFTWARE\softown\RunGuard\Rules"
0041FF5A . 68 02000080 push 80000002
0041FF5F . 8BCB mov ecx,ebx
0041FF61 . E8 CA700200 call unpacked.00447030
0041FF66 . 85C0 test eax,eax
0041FF68 . 75 12 jnz short unpacked.0041FF7C
0041FF6A . 57 push edi
0041FF6B . 68 D4DA4500 push unpacked.0045DAD4 ; ASCII "SOFTWARE\softown\RunGuard\Rules"
0041FF70 . 68 02000080 push 80000002
0041FF75 . 8BCB mov ecx,ebx
0041FF77 . E8 F4700200 call unpacked.00447070
0041FF7C > 8B86 8C1C0000 mov eax,dword ptr ds:[esi+1C8C]
0041FF82 . 8D8E 8C1C0000 lea ecx,dword ptr ds:[esi+1C8C]
0041FF88 . 3978 F8 cmp dword ptr ds:[eax-8],edi ; check whether the username length is 0
0041FF8B . 0F84 87010000 je unpacked.00420118
0041FF91 . 8B96 901C0000 mov edx,dword ptr ds:[esi+1C90]
0041FF97 . 837A F8 1D cmp dword ptr ds:[edx-8],1D ; check whether the serial length is 0x1D (29)
0041FF9B . 0F85 77010000 jnz unpacked.00420118
0041FFA1 . 8B40 F8 mov eax,dword ptr ds:[eax-8]
0041FFA4 . 50 push eax
0041FFA5 . 50 push eax
0041FFA6 . E8 E3770200 call <jmp.&mfc42.#2915>
0041FFAB . 50 push eax
0041FFAC . 8D4424 20 lea eax,dword ptr ss:[esp+20]
0041FFB0 . 50 push eax
0041FFB1 . E8 BAA3FFFF call unpacked.0041A370 ; compute the MD5 of the username (lowercase hex)
0041FFB6 . 83C4 0C add esp,0C
0041FFB9 . 89BC24 8C030000 mov dword ptr ss:[esp+38C],edi
0041FFC0 . 897C24 2C mov dword ptr ss:[esp+2C],edi
0041FFC4 . 33ED xor ebp,ebp
0041FFC6 > 6A 05 push 5 ; loop start
0041FFC8 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0041FFCC . 55 push ebp
0041FFCD . 51 push ecx
0041FFCE . 8D8E 901C0000 lea ecx,dword ptr ds:[esi+1C90]
0041FFD4 . E8 7F7A0200 call <jmp.&mfc42.#4278> ; take the next 5-char block of the entered serial (the blocks separated by "-")
0041FFD9 . 8B5424 18 mov edx,dword ptr ss:[esp+18]
0041FFDD . 8B4C24 2C mov ecx,dword ptr ss:[esp+2C]
0041FFE1 . 6A 04 push 4
0041FFE3 . 51 push ecx
0041FFE4 . 8A043A mov al,byte ptr ds:[edx+edi] ; next ASCII character of the username MD5 into AL
0041FFE7 . 8D5424 38 lea edx,dword ptr ss:[esp+38]
0041FFEB . 52 push edx
0041FFEC . 8D8E 881C0000 lea ecx,dword ptr ds:[esi+1C88]
0041FFF2 . C68424 98030000 01 mov byte ptr ss:[esp+398],1
0041FFFA . 884424 40 mov byte ptr ss:[esp+40],al
0041FFFE . E8 557A0200 call <jmp.&mfc42.#4278> ; take the next 4 characters of the machine code
00420003 . 8B4C24 34 mov ecx,dword ptr ss:[esp+34]
00420007 . 8D5424 24 lea edx,dword ptr ss:[esp+24]
0042000B . 51 push ecx
0042000C . 50 push eax
0042000D . 52 push edx
0042000E . C68424 98030000 02 mov byte ptr ss:[esp+398],2
00420016 . E8 D57B0200 call <jmp.&mfc42.#923> ; append the one MD5 character taken above to the 4 machine-code characters
0042001B . 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
0042001F . C68424 8C030000 04 mov byte ptr ss:[esp+38C],4
00420027 . E8 24760200 call <jmp.&mfc42.#800>
0042002C . 8B4424 24 mov eax,dword ptr ss:[esp+24]
00420030 . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00420034 . 8B40 F8 mov eax,dword ptr ds:[eax-8]
00420037 . 50 push eax
00420038 . 50 push eax
00420039 . E8 50770200 call <jmp.&mfc42.#2915>
0042003E . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00420042 . 50 push eax
00420043 . 51 push ecx
00420044 . E8 27A3FFFF call unpacked.0041A370 ; MD5 of the concatenated string
00420049 . 83C4 0C add esp,0C
0042004C . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00420050 . C68424 8C030000 05 mov byte ptr ss:[esp+38C],5
00420058 . E8 997B0200 call <jmp.&mfc42.#4204> ; then convert to uppercase
0042005D . 8D5424 10 lea edx,dword ptr ss:[esp+10]
00420061 . 6A 05 push 5
00420063 . 52 push edx
00420064 . 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00420068 . E8 61760200 call <jmp.&mfc42.#4129> ; take the first 5 characters (the real code)
0042006D . 8B00 mov eax,dword ptr ds:[eax]
0042006F . 50 push eax ; /real code
00420070 . 8B4424 20 mov eax,dword ptr ss:[esp+20] ; |
00420074 . 50 push eax ; |entered code
00420075 . FF15 E8F74400 call dword ptr ds:[<&msvcrt._mbscm>; \compare real and entered code
0042007B . 83C4 08 add esp,8
0042007E . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00420082 . 85C0 test eax,eax
00420084 0F95C3 setne bl ; one of the patch points
00420087 . E8 C4750200 call <jmp.&mfc42.#800>
0042008C . 84DB test bl,bl
0042008E . C68424 8C030000 04 mov byte ptr ss:[esp+38C],4
00420096 . 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0042009A . 75 41 jnz short unpacked.004200DD
0042009C . E8 AF750200 call <jmp.&mfc42.#800>
004200A1 . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
004200A5 . C68424 8C030000 01 mov byte ptr ss:[esp+38C],1
004200AD . E8 9E750200 call <jmp.&mfc42.#800>
004200B2 . 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004200B6 . C68424 8C030000 00 mov byte ptr ss:[esp+38C],0
004200BE . E8 8D750200 call <jmp.&mfc42.#800>
004200C3 . 8B4C24 2C mov ecx,dword ptr ss:[esp+2C]
004200C7 . 83C5 06 add ebp,6
004200CA . 47 inc edi
004200CB . 83C1 04 add ecx,4
004200CE . 83FD 1E cmp ebp,1E
004200D1 . 894C24 2C mov dword ptr ss:[esp+2C],ecx
004200D5 .^ 0F8C EBFEFFFF jl unpacked.0041FFC6 ; loop end
004200DB . EB 27 jmp short unpacked.00420104
004200DD > E8 6E750200 call <jmp.&mfc42.#800>
004200E2 . 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
There are many ways to patch it; I will only mention one: change the setne bl I annotated above to sete bl, or to mov bl,0.
The algorithm is simple, so I won't summarise it. Below is the key part of the keygen source; it is in 易语言 (Easy Language) and easy to follow.
.版本 2
.支持库 dp1
' yhm = MD5 (lowercase hex) of the username in edit box 2
yhm = 取数据摘要 (到字节集 (编辑框2.内容))
' each block: MD5 of (4 chars of the machine code + 1 char of yhm), uppercased, first 5 chars
s1 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 1, 4) + 取文本中间 (yhm, 1, 1))), 5))
s2 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 5, 4) + 取文本中间 (yhm, 2, 1))), 5))
s3 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 9, 4) + 取文本中间 (yhm, 3, 1))), 5))
s4 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 13, 4) + 取文本中间 (yhm, 4, 1))), 5))
s5 = 到大写 (取文本左边 (取数据摘要 (到字节集 (取文本中间 (编辑框1.内容, 17, 4) + 取文本中间 (yhm, 5, 1))), 5))
' the five blocks joined with "-" give the 29-character serial
sn = s1 + “-” + s2 + “-” + s3 + “-” + s4 + “-” + s5
Here edit box 1 is the machine code and edit box 2 is the username. 取数据摘要 returns the MD5 hash.
My algorithm skills are pretty basic, so simple ones like this are all I can manage, heh...
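To confirm the reading of the loop at 0041FFC6 and of the 易语言 snippet, here is the same check rewritten in Python as an added example (not code from the post). It assumes a 20-character ASCII machine code and ASCII username, so that the byte encoding does not matter; the inputs in the comments are constructed.

```python
import hashlib

SERIAL_LEN = 0x1D   # 29 chars: five 5-char blocks joined by "-"
BLOCK_LEN = 5       # chars compared per block (CString::Left(5))
MC_CHUNK = 4        # machine-code chars consumed per block (CString::Mid(ecx, 4))
BLOCKS = 5          # loop runs while ebp < 0x1E with ebp += 6


def _md5_hex(s: str) -> str:
    # The binary hashes the raw string bytes; ASCII input assumed here
    return hashlib.md5(s.encode("ascii")).hexdigest()  # lowercase hex


def expected_blocks(machine_code: str, username: str) -> list:
    """Reproduce the five 'real code' blocks computed inside the loop."""
    yhm = _md5_hex(username)  # MD5 of the username, lowercase (call at 0041FFB1)
    blocks = []
    for i in range(BLOCKS):
        chunk = machine_code[MC_CHUNK * i:MC_CHUNK * (i + 1)]  # 4 chars of machine code
        piece = chunk + yhm[i]                                # + one char of the username MD5
        blocks.append(_md5_hex(piece).upper()[:BLOCK_LEN])    # MD5, uppercase, first 5
    return blocks


def check_serial(machine_code: str, username: str, serial: str) -> bool:
    """Mirror of the validation path: length and layout checks, then per-block compare."""
    if len(username) == 0 or len(serial) == 0:   # cmp [edx-8],ebx / cmp eax,ebx
        return False
    if len(serial) != SERIAL_LEN:                 # cmp eax,1D
        return False
    if serial.find("-") != 5:                     # CString::Find('-') must return 5
        return False
    expected = expected_blocks(machine_code, username)
    for i in range(BLOCKS):
        entered = serial[6 * i:6 * i + BLOCK_LEN]  # CString::Mid(ebp, 5), ebp = 0, 6, 12, ...
        if entered != expected[i]:                 # _mbscmp -> setne bl
            return False
    return True


def make_serial(machine_code: str, username: str) -> str:
    """What the 易语言 snippet computes: the five blocks joined with '-'."""
    return "-".join(expected_blocks(machine_code, username))


if __name__ == "__main__":
    mc, user = "ABCD1234EFGH5678IJKL", "tester"   # constructed sample inputs
    sn = make_serial(mc, user)
    print(sn, check_serial(mc, user, sn))
```

Note that only the first "-" position is checked; the remaining separators are never looked at, only the five 5-character blocks are compared.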