- UID
- 56300
注册时间2008-9-7
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 开心
2024-8-15 13:22 |
|---|
签到天数: 8 天 [LV.3]偶尔看看II
|
【破文标题】Asprotect脱壳破解一例
【破文作者】BREAK_FM
【作者邮箱】[email protected]
【作者主页】http://807986389.qzone.qq.com
【破解工具】PEID/OllyDBG/W32Dasm
【破解平台】Win9x/Me/NT/2000/XP/2003
【软件名称】Liatro Button Maker 2.2
【软件大小】2.33 MB
【原版下载】http://www.onlinedown.net/soft/15008.htm
【保护方式】ASProtect 1.2 / 1.2c-> Alexey Solodovnikov
【软件简介】Liatro Button Maker是一套专门制作网页按钮的绘图软件,透过向量绘图的功能以及内建各种范本,使用者将可快速建立起优质的网页图形按钮,却并不需要高深的美术绘图功力。
【破解声明】破解技术交流,切勿用于商业目的![脱壳方法参考语音教程:手脱ASProtect 1.2(脚本脱壳法介绍)
下载地址:http://www.520hack.com/donghua/donghua7/200709/7108.html]
【破解过程】
1.PEID查壳:ASProtect 1.2 / 1.2c-> Alexey Solodovnikov;
2.OllyDBG载入,设置OllyDbg,如下图:
Shift+F9 20次,停在:
00A886A1 FE02 inc byte ptr [edx]
00A886A3 ^ EB E8 jmp short 00A8868D
00A886A5 48 dec eax
00A886A6 2BDB sub ebx, ebx
00A886A8 64:8F03 pop dword ptr fs:[ebx]
00A886AB 5B pop ebx
00A886AC E8 00000000 call 00A886B1
00A886B1 40 inc eax
00A886B2 8B0C24 mov ecx, dword ptr [esp]
00A886B5 58 pop eax
00A886B6 81E9 DD5DE600 sub ecx, 0E65DDD
00A886BC 05 C1DB7E6E add eax, 6E7EDBC1
00A886C1 E8 09000000 call 00A886CF
00A886C6 98 cwde
00A886C7 E9 07000000 jmp 00A886D3
00A886CC 83F0 9E xor eax, FFFFFF9E
00A886CF C1D0 A5 rcl eax, 0A5
00A886D2 C3 retn //F2下断 shift+F9 运行停在这里,然后再取消断点
查看内存,找到:
Memory map, 条目 22
地址=00401000
大小=000AA000 (696320.)
属主=LBMaker 00400000
区段=
包含=代码
类型=Imag 01001002
访问=R
初始访问=RWE
下断,Shift+F9,就到OEP了,
0042F21A 55 push ebp ; //这个就是OEP!
脱壳保存为dump,不用修复就能正常运行,查壳:Microsoft Visual C++ 6.0;
运行dump,输入假码:
Name:BREAK_FM-免费共享空间
Key:123456789
点击Unlock,弹出错误提示对话框:"Infomation invalid,Can not register,Please be sure you type it as It was given to you. "
打开W32Dasm,载入dump:
查找字符串,错误提示:
String Resource ID=00204: "Infomation invalid,Can not register,Please be sure you type"
双击该段代码来到
:00411F1E 50 push eax
:00411F1F 51 push ecx
:00411F20 B9A8ED4C00 mov ecx, 004CEDA8
:00411F25 E846040000 call 00412370
:00411F2A 8D54240C lea edx, dword ptr [esp+0C]
:00411F2E 8D84240C010000 lea eax, dword ptr [esp+0000010C]
:00411F35 52 push edx
:00411F36 50 push eax //打开OllyDBG,载入dump,跟随到00411F36,在此F2下断,F9运行
:00411F37 B9A8ED4C00 mov ecx, 004CEDA8
:00411F3C E85F050000 call 004124A0
:00411F41 85C0 test eax, eax
:00411F43 743D je 00411F82
:00411F45 8D4C240C lea ecx, dword ptr [esp+0C]
:00411F49 8D94240C010000 lea edx, dword ptr [esp+0000010C]
:00411F50 51 push ecx
:00411F51 52 push edx
:00411F52 B9A8ED4C00 mov ecx, 004CEDA8
:00411F57 E824030000 call 00412280
:00411F5C 85C0 test eax, eax
:00411F5E 7422 je 00411F82
:00411F60 6AFF push FFFFFFFF
:00411F62 6A00 push 00000000
* Possible Reference to String Resource ID=00205: "Registration OK,Thanks for your support."
|
:00411F64 68CD000000 push 000000CD
:00411F69 E857410700 call 004860C5
:00411F6E 8B06 mov eax, dword ptr [esi]
:00411F70 8BCE mov ecx, esi
:00411F72 FF90C8000000 call dword ptr [eax+000000C8]
:00411F78 5F pop edi
:00411F79 5E pop esi
:00411F7A 5B pop ebx
:00411F7B 81C400020000 add esp, 00000200
:00411F81 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00411F43(C), :00411F5E(C)
|
:00411F82 6AFF push FFFFFFFF
:00411F84 6A00 push 00000000
* Possible Reference to Dialog: DialogID_7802, CONTROL_ID:00CC, ""
|
* Possible Reference to String Resource ID=00204: "Infomation invalid,Can not register,Please be sure you type"
|
:00411F86 68CC000000 push 000000CC
打开OllyDBG,载入dump,跟随到00411F36,在此F2下断,F9运行,输入假码:
Name:BREAK_FM-免费共享空间
Key:123456789
点击Unlock后断了下来,F8单步向下运行,到 00411F57 . E8 24030000 call 00412280 ; 时F7跟进,
继续F8单步,运行到 00412351 33FF xor edi, edi ; 时在这串代码上面点击右键,汇编,修改xor为or,然后保存,运行保存后的程序,没有弹出注册框,直接进去,看一下注册,Register变为灰色的了:
,爆破成功,好了教程就到这里了!
※破解的时候在堆栈里面出现了好多类似注册码的字符串,输入进去验证错误,不知该怎么办了,希望高手指点,怎么追码?
BY:BREAK_FM
QQ:78241768 807986389
希望有兴趣共同探讨破解的朋友加我为好友,共同进步!
[ 本帖最后由 樊盟 于 2009-2-11 16:00 编辑 ] |
|
IP卡
发表于 2009-2-11 15:59:25
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-2-12 14:19:55
发表于 2009-2-13 13:48:02
楼主
