用PEID查了下发现,没有壳,用插件看了下算法---很多,也许是作者对自己的加密算法很自信所以才没有加壳吧。
1.消息断点无效
2.ShowMessage也无效
3.万能断点,可以。
4.Dede,005F8998按钮事件。
5.查找字符串,可以。
6.GetPrivateProfileStringA,可以
最后找到的关键处在下面:
; Routine at 0061B404 (OllyDbg dump). What the listing shows: it reads two
; strings ("username", "regcode") from the "user_info" section into local.1
; and local.2, formats an 8-byte float with "yyyy-mm-dd" into local.3, calls
; the check at 0061AF3C with (self, username, regcode), and returns the
; resulting 0/1 byte in al via ebx. Everything not directly visible in the
; bytes below is marked as an assumption.
0061B404 /$ 55 push ebp ; called from 5 places (author's note)
0061B405 |. 8BEC mov ebp, esp
0061B407 |. 6A 00 push 0 ; three zero-initialised slots: local.1, local.2, local.3
0061B409 |. 6A 00 push 0
0061B40B |. 6A 00 push 0
0061B40D |. 53 push ebx
0061B40E |. 56 push esi
0061B40F |. 57 push edi
0061B410 |. 8BF0 mov esi, eax ; esi = eax on entry (register-passed; re-used as the first arg at 0061B48C, presumably "self")
0061B412 |. 33C0 xor eax, eax ; eax = 0 so fs:[eax] below is fs:[0]
0061B414 |. 55 push ebp
0061B415 |. 68 B8B46100 push recorder.0061B4B8 ; handler record: saved ebp + handler address (see 0061B4B8)
0061B41A |. 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0] chain head
0061B41D |. 64:8920 mov dword ptr fs:[eax], esp ; install this frame as the exception-handler chain head
0061B420 |. 8B8E 08030000 mov ecx, dword ptr ds:[esi+308] ; ecx = field at self+0x308 (contents not visible in this listing)
0061B426 |. B2 01 mov dl, 1
0061B428 |. A1 F42C4400 mov eax, dword ptr ds:[442CF4]
0061B42D |. E8 7279E2FF call recorder.00442DA4 ; NOTE(review): eax=global, dl=1, ecx=arg looks like object construction; not verifiable here
0061B432 |. 8BD8 mov ebx, eax ; ebx = returned object (used as "this" for the two calls below, released at 0061B468)
0061B434 |. 68 D0B46100 push recorder.0061B4D0 ; username
0061B439 |. 8D45 FC lea eax, [local.1] ; &local.1 = output slot for the first read
0061B43C |. 50 push eax
0061B43D |. B9 D0B46100 mov ecx, recorder.0061B4D0 ; username
0061B442 |. BA E4B46100 mov edx, recorder.0061B4E4 ; user_info
0061B447 |. 8BC3 mov eax, ebx
0061B449 |. 8B38 mov edi, dword ptr ds:[eax] ; edi = first dword of the object (vtable, presumably)
0061B44B |. FF17 call dword ptr ds:[edi] ; virtual call, slot 0: (obj, "user_info", "username", default "username", &local.1) — consistent with the GetPrivateProfileStringA breakpoint the author mentions; assumption
0061B44D |. 68 F8B46100 push recorder.0061B4F8 ; regcode
0061B452 |. 8D45 F8 lea eax, [local.2] ; &local.2 = output slot for the second read
0061B455 |. 50 push eax
0061B456 |. B9 F8B46100 mov ecx, recorder.0061B4F8 ; regcode
0061B45B |. BA E4B46100 mov edx, recorder.0061B4E4 ; user_info
0061B460 |. 8BC3 mov eax, ebx
0061B462 |. 8B38 mov edi, dword ptr ds:[eax]
0061B464 |. FF17 call dword ptr ds:[edi] ; same slot-0 call for "regcode" into local.2
0061B466 |. 8BC3 mov eax, ebx
0061B468 |. E8 0787DEFF call recorder.00403B74 ; called with the object in eax; presumably releases it (not verifiable here)
0061B46D |. E8 EE00DFFF call recorder.0040B560 ; leaves an 8-byte float on the FPU stack (consumed by the fstp below)
0061B472 |. 83C4 F8 add esp, -8 ; / reserve 8 bytes on the stack for the float argument
0061B475 |. DD1C24 fstp qword ptr ss:[esp] ; |Arg1 (8-byte)
0061B478 |. 9B wait ; |
0061B479 |. 8D55 F4 lea edx, [local.3] ; | edx = &local.3 (output)
0061B47C |. B8 08B56100 mov eax, recorder.0061B508 ; |yyyy-mm-dd  (format string)
0061B481 |. E8 621ADFFF call recorder.0040CEE8 ; \recorder.0040CEE8  presumably formats the float as a "yyyy-mm-dd" date into local.3
0061B486 |. 8B4D F8 mov ecx, [local.2] ; ecx = regcode string
0061B489 |. 8B55 FC mov edx, [local.1] ; edx = username string
0061B48C |. 8BC6 mov eax, esi ; eax = self
0061B48E |. E8 A9FAFFFF call recorder.0061AF3C ; the actual verification; returns a byte in al. local.3 (date string) is not passed directly — may be reached via esi
0061B493 |. 84C0 test al, al
0061B495 |. 74 04 je short recorder.0061B49B ; patch site 1 (author's note)
0061B497 |. B3 01 mov bl, 1 ; ebx = 1 (accepted, per the author's notes)
0061B499 |. EB 02 jmp short recorder.0061B49D
0061B49B |> 33DB xor ebx, ebx ; patch site 2 (author's note); ebx = 0 (rejected)
0061B49D |> 33C0 xor eax, eax
0061B49F |. 5A pop edx ; edx = previous fs:[0] saved at 0061B41A
0061B4A0 |. 59 pop ecx ; discard handler address
0061B4A1 |. 59 pop ecx ; discard saved ebp
0061B4A2 |. 64:8910 mov dword ptr fs:[eax], edx ; unlink the exception handler
0061B4A5 |. 68 BFB46100 push recorder.0061B4BF ; continuation address; the retn at 0061B4B7 jumps there
0061B4AA |> 8D45 F4 lea eax, [local.3] ; cleanup block, shared by the normal path and the exception path (0061B4BD)
0061B4AD |. BA 03000000 mov edx, 3 ; count = 3 (the three locals)
0061B4B2 |. E8 1595DEFF call recorder.004049CC ; presumably finalises local.1..local.3 (strings); not verifiable here
0061B4B7 \. C3 retn ; returns to the address pushed at 0061B4A5 (0061B4BF)
0061B4B8 .^ E9 4B8EDEFF jmp recorder.00404308 ; exception-handler entry registered at 0061B415
0061B4BD .^ EB EB jmp short recorder.0061B4AA ; exception path rejoins the cleanup block
0061B4BF . 8BC3 mov eax, ebx ; patch site 3 (author's note); return value = the single result byte
0061B4C1 . 5F pop edi
0061B4C2 . 5E pop esi
0061B4C3 . 5B pop ebx
0061B4C4 . 8BE5 mov esp, ebp
0061B4C6 . 5D pop ebp
0061B4C7 . C3 retn
上面的三处每一处更改都可达到软件的爆破目的。
1.nop掉je
2.mov bl,1 或 mov al,1
3.mov al,1
最后一种,也是最麻烦的一种方法,要改0061B404五处调用的地方才能达到完美爆破。这个软件的算法我看了下,比较复杂吧(可能我基础不太好吧),用了好多知名的算法,其中含有大数运算,要分析出来,写注册机对我来说比较难,至于追码,软件采用的比较是非明文的,用加密后的密文进行的比较,这样追码是不太可能的。还有就是软件用到了浮点指令,我不太清楚浮点,以后还要加强学习。
这样改了以后,菜单栏上的软件注册按钮显示的注册框我感觉不好看,于是我就搜索所有的特征码,找到了这个关于的按钮0048CEC6,F7进,最后到了这里。
; Excerpt of the handler the author reached from the "About" button
; (0048CEC6). The instructions that load edx (the case selector) and the
; function's entry are outside this excerpt. Each case reads a global
; pointer, dereferences it, and calls 00498C30 on the result (the author
; labels these as showing a form); cases 1, 2 and the default then also
; call 0047A370 — case 3 does not.
0061C75A |. 83FA 01 cmp edx, 1 ; Switch (cases 1..3)
0061C75D |. 75 19 jnz short recorder.0061C778
0061C75F |. A1 F4886400 mov eax, dword ptr ds:[6488F4] ; Case 1 of switch 0061C75A
0061C764 |. 8B00 mov eax, dword ptr ds:[eax] ; eax = object the global points to
0061C766 |. E8 C5C4E7FF call recorder.00498C30 ; key 1: normal form (author's note)
0061C76B |. A1 F4886400 mov eax, dword ptr ds:[6488F4]
0061C770 |. 8B00 mov eax, dword ptr ds:[eax]
0061C772 |. E8 F9DBE5FF call recorder.0047A370
0061C777 |. C3 retn ; case 1 returns directly, without passing through 0061C7C2
0061C778 |> 83FA 02 cmp edx, 2
0061C77B |. 75 1A jnz short recorder.0061C797
0061C77D |. A1 34866400 mov eax, dword ptr ds:[648634] ; Case 2 of switch 0061C75A
0061C782 |. 8B00 mov eax, dword ptr ds:[eax]
0061C784 |. E8 A7C4E7FF call recorder.00498C30 ; key 2: English form (author's note)
0061C789 |. A1 34866400 mov eax, dword ptr ds:[648634]
0061C78E |. 8B00 mov eax, dword ptr ds:[eax]
0061C790 |. E8 DBDBE5FF call recorder.0047A370
0061C795 |. EB 2B jmp short recorder.0061C7C2
0061C797 |> 83FA 03 cmp edx, 3
0061C79A |. 75 0E jnz short recorder.0061C7AA
0061C79C |. A1 4C896400 mov eax, dword ptr ds:[64894C] ; Case 3 of switch 0061C75A
0061C7A1 |. 8B00 mov eax, dword ptr ds:[eax]
0061C7A3 |. E8 88C4E7FF call recorder.00498C30 ; key 3: unregistered build, only converts the first 5 minutes (author's note)
0061C7A8 |. EB 18 jmp short recorder.0061C7C2
0061C7AA |> A1 34866400 mov eax, dword ptr ds:[648634] ; Default case of switch 0061C75A (same global as case 2)
0061C7AF |. 8B00 mov eax, dword ptr ds:[eax]
0061C7B1 |. E8 7AC4E7FF call recorder.00498C30 ; key 4: English form (author's note)
0061C7B6 |. A1 34866400 mov eax, dword ptr ds:[648634]
0061C7BB |. 8B00 mov eax, dword ptr ds:[eax]
0061C7BD |. E8 AEDBE5FF call recorder.0047A370
0061C7C2 \> C3 retn ; common exit for cases 2, 3 and default
感觉这几个窗体都没大用处。当然了,如果软件菜单栏中的关于信息显示未注册的话,从这里入手找关键点也是一种思路。