This post was last edited by 东海浪子 on 2016-5-9 12:41
Software introduction: Any to Icon is a powerful ICO image converter that turns common image formats into Windows ICO icons. Colours and dimensions can be changed during conversion, 256-colour and true-colour icons are supported, and it offers more than SimplyIcon does. Its convenience lies in batch conversion: it can convert every image in a folder in one go and lets you freely customise the image size.
[Title] Any to Icon: jump patching and building a generic patch
[Author] 东海浪子
[Author e-mail]
[Author homepage]
[Tools] OD (OllyDbg)
[Platform] Windows XP SP3 in a virtual machine
[Software] Any to Icon 3.54
[Size] 3.1 MB
[Original download] PYG (飘云阁) [5.4] software security training, 12th beginner class exam, question 1: https://www.chinapyg.com/thread-78686-1-1.htm (search Baidu for the Chinese version yourself)
[Patch tool] 通用特征码查找替换补丁工具 v0.8 (generic signature find-and-replace patch tool)
[Audience] beginners who enjoy cracking; experts, please pass by
[Disclaimer] This write-up is for research only, for cracking enthusiasts to study and discuss. If you like the software, please buy a licence.
------------------------------------------------------------------------
[Cracking process]
1. Install Any to Icon and check it with PEiD: no packer, a Delphi program.
2. Gather information:
a. Two windows appear when the program starts; the first shows "unregistered copy" in its top-left corner.
b. Closing that window brings up the About dialog, which shows the unregistered licence status and a Register button.
c. The main window has About and Register buttons, and the remaining trial count is shown in the top-right corner.
d. Try registering: enter arbitrary data in the registration dialog and click Register. The error "please reenter key. xxxx" appears; after a few attempts, xxxx shows different text each time.
3. Strings are the first thing to try. Search the referenced strings for "please reenter" and double-click it. Scrolling down from there in the CPU window, looking for anything useful, we find "Please enter email used in your order", "Wrong key for this application" and so on, so this is most likely the registration routine. Set a breakpoint at the start of the function, register again, the program breaks, and we step through it:
005013A4 /$ 55 push ebp
005013A5 |. 8BEC mov ebp,esp
005013A7 |. B9 06000000 mov ecx,0x6
005013AC |> 6A 00 /push 0x0
005013AE |. 6A 00 |push 0x0
005013B0 |. 49 |dec ecx
005013B1 |.^ 75 F9 \jnz short Any2Icon.005013AC
005013B3 |. 53 push ebx
005013B4 |. 8BD8 mov ebx,eax
005013B6 |. 33C0 xor eax,eax
005013B8 |. 55 push ebp
005013B9 |. 68 2A165000 push Any2Icon.0050162A
005013BE |. 64:FF30 push dword ptr fs:[eax]
005013C1 |. 64:8920 mov dword ptr fs:[eax],esp
005013C4 |. 8D55 E8 lea edx,[local.6]
005013C7 |. 8B83 F8020000 mov eax,dword ptr ds:[ebx+0x2F8]
005013CD |. E8 4E49F3FF call Any2Icon.00435D20
005013D2 |. 8B45 E8 mov eax,[local.6] ; fake key loaded
005013D5 |. 8D55 F8 lea edx,[local.2]
005013D8 |. E8 6B7DF0FF call Any2Icon.00409148
005013DD |. 8D55 E4 lea edx,[local.7]
005013E0 |. 8B83 00030000 mov eax,dword ptr ds:[ebx+0x300]
005013E6 |. E8 3549F3FF call Any2Icon.00435D20
005013EB |. 8B45 E4 mov eax,[local.7] ; e-mail loaded
005013EE |. 8D55 F4 lea edx,[local.3]
005013F1 |. E8 527DF0FF call Any2Icon.00409148
005013F6 |. 837D F8 00 cmp [local.2],0x0 ; is the key empty?
005013FA |. 75 0C jnz short Any2Icon.00501408
005013FC |. A1 CCA86900 mov eax,dword ptr ds:[0x69A8CC]
00501401 |. 8B00 mov eax,dword ptr ds:[eax]
00501403 |. E8 20FFFFFF call Any2Icon.00501328
00501408 |> 837D F4 00 cmp [local.3],0x0 ; is the e-mail empty?
0050140C |. 75 16 jnz short Any2Icon.00501424
0050140E |. B9 44165000 mov ecx,Any2Icon.00501644 ; Please enter email used in your order
00501413 |. B2 01 mov dl,0x1
00501415 |. A1 BC824000 mov eax,dword ptr ds:[0x4082BC]
0050141A |. E8 89B2F0FF call Any2Icon.0040C6A8
0050141F |. E8 6024F0FF call Any2Icon.00403884
00501424 |> 8B45 F8 mov eax,[local.2]
00501427 |. E8 8C2CF0FF call Any2Icon.004040B8
0050142C 83F8 0A cmp eax,0xA ; key length compared with 0xA
0050142F 7D 0C jge short Any2Icon.0050143D
00501431 |. A1 CCA86900 mov eax,dword ptr ds:[0x69A8CC]
00501436 |. 8B00 mov eax,dword ptr ds:[eax]
00501438 |. E8 EBFEFFFF call Any2Icon.00501328
0050143D |> 8D55 E0 lea edx,[local.8]
00501440 |. 8B83 F8020000 mov eax,dword ptr ds:[ebx+0x2F8]
00501446 |. E8 D548F3FF call Any2Icon.00435D20
0050144B |. 8B45 E0 mov eax,[local.8]
0050144E |. E8 25F5FFFF call Any2Icon.00500978 ; preliminary key check
00501453 |. 85C0 test eax,eax
00501455 74 0A je short Any2Icon.00501461 ; eax == 0 skips "Wrong key."
00501457 |. B8 74165000 mov eax,Any2Icon.00501674 ; Wrong key.
0050145C |. E8 C7FEFFFF call Any2Icon.00501328
00501461 |> 8B45 F8 mov eax,[local.2]
00501464 |. E8 6FF5FFFF call Any2Icon.005009D8
00501469 |. 8B93 08030000 mov edx,dword ptr ds:[ebx+0x308]
0050146F |. 8B45 F8 mov eax,[local.2]
00501472 |. E8 8DF3FFFF call Any2Icon.00500804 ; 核心算法验证
00501477 |. 85C0 test eax,eax
00501479 |. 74 0A je short Any2Icon.00501485 ; eax == 0 skips "Wrong key for this application."
0050147B |. B8 88165000 mov eax,Any2Icon.00501688 ; Wrong key for this application.
00501480 |. E8 A3FEFFFF call Any2Icon.00501328
00501485 |> B2 01 mov dl,0x1 ; from here on the registration info is written to the registry
00501487 |. A1 D0834700 mov eax,dword ptr ds:[0x4783D0]
0050148C |. E8 3F70F7FF call Any2Icon.004784D0
00501491 |. 8945 F0 mov [local.4],eax
00501494 |. 33C0 xor eax,eax
00501496 |. 55 push ebp
00501497 |. 68 AB155000 push Any2Icon.005015AB
0050149C |. 64:FF30 push dword ptr fs:[eax]
0050149F |. 64:8920 mov dword ptr fs:[eax],esp
005014A2 |. BA 01000080 mov edx,0x80000001
005014A7 |. 8B45 F0 mov eax,[local.4]
005014AA |. E8 FD70F7FF call Any2Icon.004785AC
005014AF |. 68 B0165000 push Any2Icon.005016B0 ; Software\
005014B4 |. FFB3 0C030000 push dword ptr ds:[ebx+0x30C]
005014BA |. 68 C4165000 push Any2Icon.005016C4 ; \
005014BF |. FFB3 10030000 push dword ptr ds:[ebx+0x310]
005014C5 |. 68 C4165000 push Any2Icon.005016C4 ; \
005014CA |. 8D45 D8 lea eax,[local.10]
005014CD |. E8 BEF7FFFF call Any2Icon.00500C90
005014D2 |. FF75 D8 push [local.10]
005014D5 |. 8D45 DC lea eax,[local.9]
005014D8 |. BA 06000000 mov edx,0x6
005014DD |. E8 962CF0FF call Any2Icon.00404178
005014E2 |. 8B55 DC mov edx,[local.9]
005014E5 |. B1 01 mov cl,0x1
005014E7 |. 8B45 F0 mov eax,[local.4]
005014EA |. E8 2171F7FF call Any2Icon.00478610
005014EF |. 8845 FF mov byte ptr ss:[ebp-0x1],al
005014F2 |. 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
005014F6 |. 0F84 99000000 je Any2Icon.00501595
005014FC |. 8B4D F8 mov ecx,[local.2]
005014FF |. BA D0165000 mov edx,Any2Icon.005016D0 ; Key
00501504 |. 8B45 F0 mov eax,[local.4]
00501507 |. E8 C072F7FF call Any2Icon.004787CC
0050150C |. BA D0165000 mov edx,Any2Icon.005016D0 ; Key
00501511 |. 8D4D D4 lea ecx,[local.11]
00501514 |. 8B45 F0 mov eax,[local.4]
00501517 |. E8 DC72F7FF call Any2Icon.004787F8
0050151C |. 8B55 D4 mov edx,[local.11]
0050151F |. 8B45 F8 mov eax,[local.2]
00501522 |. E8 A12CF0FF call Any2Icon.004041C8
00501527 |. 0f9445 ff sete byte ptr ss:[ebp-0x1]
0050152B |. E8 9C93F0FF call Any2Icon.0040A8CC
00501530 |. 83C4 F8 add esp,-0x8
00501533 |. DD1C24 fstp qword ptr ss:[esp]
00501536 |. 9B wait
00501537 |. BA DC165000 mov edx,Any2Icon.005016DC ; Time
0050153C |. 8B45 F0 mov eax,[local.4]
0050153F |. E8 7073F7FF call Any2Icon.004788B4
00501544 |. 8B8B 14030000 mov ecx,dword ptr ds:[ebx+0x314]
0050154A |. 8B93 14030000 mov edx,dword ptr ds:[ebx+0x314]
00501550 |. 8B45 F0 mov eax,[local.4]
00501553 |. E8 7472F7FF call Any2Icon.004787CC
00501558 |. 8D55 D0 lea edx,[local.12]
0050155B |. 8B83 EC020000 mov eax,dword ptr ds:[ebx+0x2EC]
00501561 |. E8 BA47F3FF call Any2Icon.00435D20
00501566 |. 8B45 D0 mov eax,[local.12]
00501569 |. 8D55 EC lea edx,[local.5]
0050156C |. E8 D77BF0FF call Any2Icon.00409148
00501571 |. 837D EC 00 cmp [local.5],0x0
00501575 |. 8B4D EC mov ecx,[local.5]
00501578 |. BA EC165000 mov edx,Any2Icon.005016EC ; UserName
0050157D |. 8B45 F0 mov eax,[local.4]
00501580 |. E8 4772F7FF call Any2Icon.004787CC
00501585 |. 8B4D F4 mov ecx,[local.3]
00501588 |. BA 00175000 mov edx,Any2Icon.00501700 ; Email
0050158D |. 8B45 F0 mov eax,[local.4]
00501590 |. E8 3772F7FF call Any2Icon.004787CC
00501595 |> 33C0 xor eax,eax
00501597 |. 5A pop edx ; 0012E850
00501598 |. 59 pop ecx ; 0012E850
00501599 |. 59 pop ecx ; 0012E850
0050159A |. 64:8910 mov dword ptr fs:[eax],edx
0050159D |. 68 B2155000 push Any2Icon.005015B2
005015A2 |> 8B45 F0 mov eax,[local.4]
005015A5 |. E8 421BF0FF call Any2Icon.004030EC
005015AA \. C3 retn
005015AB .^ E9 9C22F0FF jmp Any2Icon.0040384C
005015B0 .^ EB F0 jmp short Any2Icon.005015A2
005015B2 . 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
005015B6 . 75 1B jnz short Any2Icon.005015D3
005015B8 . 8B0D 60AC6900 mov ecx,dword ptr ds:[0x69AC60]
005015BE . 8B09 mov ecx,dword ptr ds:[ecx]
005015C0 . B2 01 mov dl,0x1
005015C2 . A1 BC824000 mov eax,dword ptr ds:[0x4082BC]
005015C7 . E8 DCB0F0FF call Any2Icon.0040C6A8
005015CC . E8 B322F0FF call Any2Icon.00403884
005015D1 . EB 12 jmp short Any2Icon.005015E5
005015D3 > B8 10175000 mov eax,Any2Icon.00501710 ; You should restart application now
005015D8 . E8 B7AFF5FF call Any2Icon.0045C594
From the flow above we learn that after a round of checks, if the key is correct, the registration info is written to the registry and you are told to restart for verification; if the key is wrong, an error box pops up. Since verification happens again on restart, there is no need to fight the checks here. First patch a jump to skip the key validation (there are several places this can be done; I list one, Patch 1 at the end of the article) so that the registration info gets written to the registry. The restart verification also calls the core algorithm call, so we restart and follow into it: Any2Icon.00500804
The pane below shows for the core algorithm call: ebp=0012E828, local calls from 00501472, 0065EDA4
So on restart the program performs the check at 0065EDA4; as long as eax is 0 it jumps to the registration-success path:
0065ED7C /. 55 push ebp
0065ED7D |. 8BEC mov ebp,esp
0065ED7F |. 6A 00 push 0x0
0065ED81 |. 6A 00 push 0x0
0065ED83 |. 53 push ebx
0065ED84 |. 8BD8 mov ebx,eax
0065ED86 |. 33C0 xor eax,eax
0065ED88 |. 55 push ebp
0065ED89 |. 68 37EE6500 push Any2Icon.0065EE37
0065ED8E |. 64:FF30 push dword ptr fs:[eax]
0065ED91 |. 64:8920 mov dword ptr fs:[eax],esp
0065ED94 |. 8D45 FC lea eax,[local.1]
0065ED97 |. E8 DC410000 call Any2Icon.00662F78
0065ED9C |. 8B45 FC mov eax,[local.1]
0065ED9F |. BA 4CEE6500 mov edx,Any2Icon.0065EE4C ; Any to Icon
0065EDA4 |. E8 5B1AEAFF call Any2Icon.00500804 ; core algorithm call
0065EDA9 85C0 test eax,eax
0065EDAB 74 05 je short Any2Icon.0065EDB2 ; eax == 0 jumps past the failure call: check passed
0065EDAD |. E8 BE450000 call Any2Icon.00663370
0065EDB2 |> 8D45 F8 lea eax,[local.2]
0065EDB5 |. E8 3E410000 call Any2Icon.00662EF8
0065EDBA |. 837D F8 00 cmp [local.2],0x0
0065EDBE |. A1 10AD6900 mov eax,dword ptr ds:[0x69AD10]
0065EDC3 |. 0f9500 setne byte ptr ds:[eax]
0065EDC6 |. A1 D0AC6900 mov eax,dword ptr ds:[0x69ACD0]
0065EDCB |. 8B00 mov eax,dword ptr ds:[eax]
0065EDCD |. BA 60EE6500 mov edx,Any2Icon.0065EE60 ; Any to Icon 3.54
0065EDD2 |. E8 015BDFFF call Any2Icon.004548D8
0065EDD7 |. 6A FF push -0x1
0065EDD9 |. 8BC3 mov eax,ebx
0065EDDB |. E8 84D1DDFF call Any2Icon.0043BF64
0065EDE0 |. 50 push eax ; |hWnd = 0012E81C
0065EDE1 |. E8 0E91DAFF call <jmp.&shell32.DragAcceptFiles> ; \DragAcceptFiles
0065EDE6 |. B2 01 mov dl,0x1
0065EDE8 |. A1 D48B4700 mov eax,dword ptr ds:[0x478BD4]
Where does eax get its value? Let us step into the core algorithm call and look.
00500804 /$ 55 push ebp
00500805 |. 8BEC mov ebp,esp
00500807 |. 33C9 xor ecx,ecx
00500809 |. 51 push ecx
0050080A |. 51 push ecx
0050080B |. 51 push ecx
0050080C |. 51 push ecx
0050080D |. 51 push ecx
0050080E |. 53 push ebx
0050080F |. 56 push esi
00500810 |. 8955 F8 mov [local.2],edx
00500813 |. 8945 FC mov [local.1],eax
00500816 |. 8B45 FC mov eax,[local.1]
00500819 |. E8 4E3AF0FF call Any2Icon.0040426C
0050081E |. 8B45 F8 mov eax,[local.2]
00500821 |. E8 463AF0FF call Any2Icon.0040426C
00500826 |. 33C0 xor eax,eax
00500828 |. 55 push ebp
00500829 |. 68 3F095000 push Any2Icon.0050093F
0050082E |. 64:FF30 push dword ptr fs:[eax]
00500831 |. 64:8920 mov dword ptr fs:[eax],esp
00500834 |. 33F6 xor esi,esi
00500836 |. 8D55 F0 lea edx,[local.4]
00500839 |. 8B45 FC mov eax,[local.1]
0050083C |. E8 07FEFFFF call Any2Icon.00500648
00500841 |. 8B55 F0 mov edx,[local.4]
00500844 |. 8D45 FC lea eax,[local.1]
00500847 |. E8 8436F0FF call Any2Icon.00403ED0
0050084C |. 8B45 FC mov eax,[local.1]
0050084F |. E8 6438F0FF call Any2Icon.004040B8
00500854 |. 83F8 07 cmp eax,0x7
00500857 |. 7D 0A jge short Any2Icon.00500863
00500859 |. BE 0B000000 mov esi,0xB
0050085E |. E9 C1000000 jmp Any2Icon.00500924
00500863 |> 837D F8 00 cmp [local.2],0x0
00500867 |. 0F84 B7000000 je Any2Icon.00500924
0050086D |. 33DB xor ebx,ebx
0050086F |. 8B45 F8 mov eax,[local.2]
00500872 |. E8 4138F0FF call Any2Icon.004040B8
00500877 |. 48 dec eax
00500878 |. 85C0 test eax,eax
0050087A |. 7E 13 jle short Any2Icon.0050088F
0050087C |. BA 01000000 mov edx,0x1
00500881 |> 8B4D F8 /mov ecx,[local.2]
00500884 |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-0x1]
00500889 |. 03D9 |add ebx,ecx
0050088B |. 42 |inc edx
0050088C |. 48 |dec eax
0050088D |.^ 75 F2 \jnz short Any2Icon.00500881
0050088F |> 8BC3 mov eax,ebx
00500891 |. B9 1E000000 mov ecx,0x1E
00500896 |. 99 cdq
00500897 |. F7F9 idiv ecx
00500899 |. 42 inc edx
0050089A |. B8 58095000 mov eax,Any2Icon.00500958 ; 2345679qwertyupadfghjkzxcvbnms
0050089F |. 8A4410 FF mov al,byte ptr ds:[eax+edx-0x1]
005008A3 |. 8B55 FC mov edx,[local.1]
005008A6 |. 3A42 01 cmp al,byte ptr ds:[edx+0x1]
005008A9 |. 74 01 je short Any2Icon.005008AC
005008AB |. 46 inc esi
005008AC |> 8D55 F4 lea edx,[local.3]
005008AF |. 8B45 F8 mov eax,[local.2]
005008B2 |. E8 5986F0FF call Any2Icon.00408F10
005008B7 |. 8D45 EC lea eax,[local.5]
005008BA |. 8B55 F4 mov edx,[local.3]
005008BD |. 8A12 mov dl,byte ptr ds:[edx]
005008BF |. E8 1C37F0FF call Any2Icon.00403FE0
005008C4 |. 8B45 EC mov eax,[local.5]
005008C7 |. BA 58095000 mov edx,Any2Icon.00500958 ; 2345679qwertyupadfghjkzxcvbnms
005008CC |. E8 D33AF0FF call Any2Icon.004043A4
005008D1 |. 85C0 test eax,eax
005008D3 |. 7E 11 jle short Any2Icon.005008E6
005008D5 |. 8D45 FC lea eax,[local.1]
005008D8 |. E8 AB39F0FF call Any2Icon.00404288
005008DD |. 8B55 F4 mov edx,[local.3]
005008E0 |. 8A12 mov dl,byte ptr ds:[edx]
005008E2 |. 8810 mov byte ptr ds:[eax],dl
005008E4 |. EB 3E jmp short Any2Icon.00500924
005008E6 |> 33DB xor ebx,ebx
005008E8 |. 8B45 F8 mov eax,[local.2]
005008EB |. E8 C837F0FF call Any2Icon.004040B8
005008F0 |. 48 dec eax
005008F1 |. 85C0 test eax,eax
005008F3 |. 7E 13 jle short Any2Icon.00500908
005008F5 |. BA 01000000 mov edx,0x1
005008FA |> 8B4D F8 /mov ecx,[local.2]
005008FD |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-0x1]
00500902 |. 33D9 |xor ebx,ecx
00500904 |. 42 |inc edx
00500905 |. 48 |dec eax
00500906 |.^ 75 F2 \jnz short Any2Icon.005008FA
00500908 |> 8BC3 mov eax,ebx
0050090A |. B9 1E000000 mov ecx,0x1E
0050090F |. 99 cdq
00500910 |. F7F9 idiv ecx
00500912 |. 42 inc edx
00500913 |. B8 58095000 mov eax,Any2Icon.00500958 ; 2345679qwertyupadfghjkzxcvbnms
00500918 |. 8A4410 FF mov al,byte ptr ds:[eax+edx-0x1]
0050091C |. 8B55 FC mov edx,[local.1]
0050091F |. 3A02 cmp al,byte ptr ds:[edx]
00500921 |. 74 01 je short Any2Icon.00500924
00500923 |. 46 inc esi
00500924 |> 33C0 xor eax,eax
00500926 |. 5A pop edx ; 0012E850
00500927 |. 59 pop ecx ; 0012E850
00500928 |. 59 pop ecx ; 0012E850
00500929 |. 64:8910 mov dword ptr fs:[eax],edx
0050092C |. 68 46095000 push Any2Icon.00500946
00500931 |> 8D45 EC lea eax,[local.5]
00500934 |. BA 05000000 mov edx,0x5
00500939 |. E8 1E35F0FF call Any2Icon.00403E5C
0050093E \. C3 retn
0050093F .^ E9 082FF0FF jmp Any2Icon.0040384C
00500944 .^ EB EB jmp short Any2Icon.00500931
00500946 8BC6 mov eax,esi
00500948 . 5E pop esi ; 0012E850
00500949 . 5B pop ebx ; 0012E850
0050094A . 8BE5 mov esp,ebp
0050094C . 5D pop ebp ; 0012E850
0050094D . C3 retn
esi=0000000B
eax=00000000
00500946 8BC6 mov eax,esi: so eax is assigned from esi. When patching, all we need is for eax to still be 0 when execution reaches the end of the function (see Patch 2 below).
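To make the listing of Any2Icon.00500804 easier to follow, here is a Python transcription of the checks it performs. This is an added example, not code from the original post or from the program. Two helper calls are not resolved on the page and are treated as assumptions: the call at 0050083C (Any2Icon.00500648) is modelled as an identity transform of the key, and the call at 005008B2 (Any2Icon.00408F10) as a lowercase of the application name; both are parameters so you can substitute whatever you observe in the debugger. The return value is the esi counter that the routine hands back through eax at 00500946; 0 means the key passed.

```python
# Added example: Python transcription of the key check at Any2Icon.00500804.
# Not the program's code. The two helpers marked ASSUMED are not resolved on
# the page and are left as parameters.

# 30-byte alphabet at Any2Icon.00500958
CHARSET = b"2345679qwertyupadfghjkzxcvbnms"
assert len(CHARSET) == 30  # matches the idiv by 0x1E at 00500891 / 0050090A


def _body(app_name):
    # Both loops run len-1 times over bytes 0..len-2: every byte but the last.
    return app_name[:-1]


def expected_second_char(app_name):
    """Byte compared with key[1] at 005008A6: CHARSET[sum(bytes) mod 30]."""
    return CHARSET[sum(_body(app_name)) % 30]


def expected_first_char(app_name):
    """Byte compared with key[0] at 0050091F: CHARSET[xor(bytes) mod 30]."""
    x = 0
    for b in _body(app_name):
        x ^= b
    return CHARSET[x % 30]


def check_key(key, app_name,
              normalize=lambda k: k,            # ASSUMED behaviour of Any2Icon.00500648
              name_xform=lambda n: n.lower()):  # ASSUMED behaviour of Any2Icon.00408F10
    """Return the esi error counter as the routine computes it (0 = pass).

    key and app_name are bytes; in the binary, key is the registry value and
    app_name is the literal "Any to Icon" passed in edx at 0065ED9F.
    """
    esi = 0
    key = normalize(key)
    if len(key) < 7:                 # cmp eax,0x7 / jge at 00500854
        return 0xB                   # mov esi,0xB at 00500859
    if not app_name:                 # cmp [local.2],0 at 00500863
        return esi
    if key[1] != expected_second_char(app_name):   # 005008A6 / 005008A9
        esi += 1
    first = name_xform(app_name)[0]
    if first in CHARSET:             # Pos(first, CHARSET) > 0 at 005008CC
        # The routine overwrites key[0] in its private copy and returns;
        # only the key[1] check counts on this path.
        return esi
    if key[0] != expected_first_char(app_name):    # 0050091F / 00500921
        esi += 1
    return esi
```

For the name "Any to Icon" the sum of the first ten bytes is 870, a multiple of 30, so key[1] must be '2'; the XOR of those bytes is 8, so on the XOR path key[0] would have to be 'w'. Which path is taken depends on what Any2Icon.00408F10 really does to the name, which is why it is a parameter. The earlier check at Any2Icon.00500978 ("Wrong key.") is not on the page and is not modelled.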
That concludes the crack. Building the generic patch is shown in the figure (not reproduced here); the key is to find a byte signature that is unlikely to change.
Patch 1: original 0050142C 83F8 0A cmp eax,0xA
changed to 0050142C EB 57 jmp short Any2Icon.00501485
0050142E 90 nop
Patch 2: original 00500946 8BC6 mov eax,esi
changed to 00500946 9090 nop nop
or 00500946 8BF0 mov esi,eax (I prefer this one)
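As an added example of the generic-patch idea, here is a small Python signature patcher that applies Patch 1 and Patch 2 by byte pattern rather than by fixed address. It is not the 通用特征码查找替换补丁工具 from the tool list and not code from the original post. The signatures are the bytes OllyDbg shows around 0050142C and 00500946, with the rel32 operands of call and jmp wildcarded because those are the bytes most likely to differ between builds; the sample buffer is constructed from those same bytes so the script runs offline.

```python
# Added example: a wildcard-signature patcher for the two patches in the post.
# Not the tool named in the post. "??" matches any byte.
import re


def parse_pattern(pattern):
    """Compile 'E8 ?? ?? ?? ?? 83 F8 0A' into a regex over bytes."""
    out = b""
    for tok in pattern.split():
        out += b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
    return re.compile(out, re.DOTALL)


def find_signature(data, pattern):
    """Return every offset at which the pattern matches."""
    return [m.start() for m in parse_pattern(pattern).finditer(data)]


PATCHES = [
    {
        "name": "Patch 1: 0050142C cmp eax,0xA -> jmp short 00501485 ; nop",
        # 8B45 F8 | E8 rel32 | 83F8 0A | 7D 0C | A1 imm32 | 8B00 | E8 rel32
        "signature": "8B 45 F8 E8 ?? ?? ?? ?? 83 F8 0A 7D 0C A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ??",
        "offset": 8,                          # start of 83 F8 0A
        "replace": bytes.fromhex("EB5790"),   # jmp +0x57 ; nop
    },
    {
        "name": "Patch 2: 00500946 mov eax,esi -> mov esi,eax",
        # C3 | E9 rel32 | EB EB | 8BC6 | 5E | 5B | 8BE5 | 5D | C3
        "signature": "C3 E9 ?? ?? ?? ?? EB EB 8B C6 5E 5B 8B E5 5D C3",
        "offset": 8,                          # start of 8B C6
        "replace": bytes.fromhex("8BF0"),     # mov esi,eax; eax stays 0
    },
]


def apply_patches(data, patches=PATCHES):
    """Apply every patch; refuse unless each signature matches exactly once.

    Returns (patched_bytes, [file offset of each patch]).
    """
    buf = bytearray(data)
    offsets = []
    for p in patches:
        hits = find_signature(bytes(buf), p["signature"])
        if len(hits) != 1:
            raise ValueError("%s: expected 1 match, found %d" % (p["name"], len(hits)))
        at = hits[0] + p["offset"]
        buf[at:at + len(p["replace"])] = p["replace"]
        offsets.append(at)
    return bytes(buf), offsets


# Constructed sample: the bytes from the listings at 00501424 and 0050093E,
# padded so the offsets are not the real file offsets (this is not the binary).
SEG_00501424 = bytes.fromhex("8B45F8E88C2CF0FF83F80A7D0CA1CCA869008B00E8EBFEFFFF")
SEG_0050093E = bytes.fromhex("C3E9082FF0FFEBEB8BC65E5B8BE55DC3")
SAMPLE = b"\x00" * 16 + SEG_00501424 + b"\x90" * 8 + SEG_0050093E + b"\xcc" * 4


def demo():
    """Patch the constructed sample and return (patched, offsets)."""
    return apply_patches(SAMPLE)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            src = f.read()
        out, offs = apply_patches(src)
        with open(sys.argv[1] + ".patched", "wb") as f:
            f.write(out)
        print("patched at file offsets", [hex(o) for o in offs])
    else:
        print("sample patched at", demo()[1])
```

The uniqueness check is the part that matters for a patch meant to survive across builds: if a signature matches zero times the target has changed, and if it matches more than once the patcher would silently write into some unrelated epilogue. Run the file with the path to the executable to write a patched copy next to it; run it with no arguments to see it work on the constructed sample.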
[Summary] The overall idea: 1. when the registration info is entered, make sure it gets written to the registry; 2. at restart verification, make eax 0. How you get there is up to you; anything that reaches these two goals will do.
This was a homework problem for the class. I have only been self-studying on this forum for a few months and my skill is limited, so this is also a self-test and my first time writing such a detailed write-up. Please forgive anything poorly written or incomplete.