Cracking in Practice - Round 1
This post was last edited by 我是用户 on 2013-6-23 13:50.
[Software name]: 超级U盘锁 (Super USB Disk Lock)
[Author's email]: 2714608453@qq.com
[Download]: see attachment
[Packer]: ASPack 2.12 -> Alexey Solodovnikov
[Tools used]: OD (OllyDbg)
[Platform]: XP SP2
[Author's note]: Just out of interest, no other purpose. If I have made mistakes, corrections from the experts are welcome!
1. Unpacking
PEiD identifies the packer as ASPack 2.12 -> Alexey Solodovnikov; unpack it with the ESP trick (ESP law).
The OEP is as follows:
00401000 >/$E8 06000000 call Unpack.0040100B
00401005|.50 push eax ; /ExitCode = 0x0
00401006\.E8 BB010000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0040100B $55 push ebp
0040100C .8BEC mov ebp,esp
0040100E .81C4 F0FEFFFF add esp,-0x110
00401014 .E9 83000000 jmp Unpack.0040109C
Running PEiD on the dump now reports "E language *", i.e. the program itself is written in Easy Language (易语言).
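As an added example (my own code, not from the original post or from the program analyzed), here is the defender's side of step 1: a small Python triage script that parses the PE section table, computes the Shannon entropy of each section's raw data, and flags sections near 8 bits/byte plus the section names ASPack is known to add (.aspack and .adata). The minimal PE it builds for the demonstration is constructed inline; the 7.0 threshold and the section contents are assumptions. High entropy is a useful signal when triaging samples, but compressed resources or embedded archives score just as high and section names are trivially renamed, so treat the result as a hint, not a verdict.

```python
import math
import struct
from collections import Counter

# Section names ASPack adds to a packed executable. Easily renamed, so only a hint.
ASPACK_SECTION_NAMES = {".aspack", ".adata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer (0.0 for constant data, 8.0 for uniform data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes):
    """Return [(name, virtual_address, entropy)] for every section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER (40 bytes each)
    result = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        result.append((name, va, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def packer_indicators(pe: bytes, threshold: float = 7.0):
    """Human-readable reasons to suspect a packer; empty list means nothing stood out."""
    reasons = []
    for name, va, ent in section_entropies(pe):
        if ent >= threshold:
            reasons.append(f"{name} @ {va:#x}: entropy {ent:.2f} bits/byte")
        if name in ASPACK_SECTION_NAMES:
            reasons.append(f"{name} @ {va:#x}: ASPack section name")
    return reasons


def build_sample_pe() -> bytes:
    """Constructed minimal PE (no optional header) with a plain .text and an ASPack-like section."""
    text = bytes([0x55, 0x8B, 0xEC]) * 300 + b"\0" * (0x400 - 900)   # low-entropy filler
    packed = bytes(range(256)) * 4                                    # uniform bytes: 8.0 bits/byte
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, opt size 0

    def section(name, va, raw_ptr, size):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    headers += b"PE\0\0" + file_hdr
    headers += section(b".text", 0x1000, 0x200, 0x400) + section(b".aspack", 0x2000, 0x600, 0x400)
    headers += b"\0" * (0x200 - len(headers))
    return headers + text + packed


if __name__ == "__main__":
    for reason in packer_indicators(build_sample_pe()):
        print(reason)
```

To run it on a real file, pass `open(path, "rb").read()` to `packer_indicators`; the sample builder exists only so the script runs offline.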
2. Removing the self-check
Opening the file pops up a "program has been damaged" dialog, which proves there is an integrity self-check.
See figure 1:
Set BP MessageBoxA, walk the call stack back, and locate the call that pops the "program has been damaged" dialog at 005AED39; above it the key jump is at 005AECD9. Change it to JMP and save.
005AECC7 /74 09 je short Unpack.005AECD2
005AECC9 |53 push ebx
005AECCA |E8 B1400000 call Unpack.005B2D80
005AECCF |83C4 04 add esp,0x4
005AECD2 \817D F4 605B030>cmp dword ptr ss:,0x35B60
005AECD9 E9 7D000000 jmp Unpack.005AED5B ; key jump
005AECDE 90 nop
005AECDF B8 550D0600 mov eax,0x60D55 ; B3CCD0F2D2D1BEADB1BBC6C6BBB521
005AECE4 8945 FC mov dword ptr ss:,eax
005AECE7 8D45 FC lea eax,dword ptr ss:
005AECEA 50 push eax
005AECEB E8 5FD2FFFF call Unpack.005ABF4F
005AECF0 8945 F8 mov dword ptr ss:,eax
005AECF3 8B5D FC mov ebx,dword ptr ss:
005AECF6 85DB test ebx,ebx
005AECF8 74 09 je short Unpack.005AED03
005AECFA 53 push ebx
005AECFB E8 80400000 call Unpack.005B2D80
005AED00 83C4 04 add esp,0x4
005AED03 68 04000080 push 0x80000004
005AED08 6A 00 push 0x0
005AED0A 68 A7000000 push 0xA7
005AED0F 68 01030080 push 0x80000301
005AED14 6A 00 push 0x0
005AED16 68 40000000 push 0x40
005AED1B 68 04000080 push 0x80000004
005AED20 6A 00 push 0x0
005AED22 8B45 F8 mov eax,dword ptr ss: ; kernel32.7C817080
005AED25 85C0 test eax,eax
005AED27 75 05 jnz short Unpack.005AED2E
005AED29 B8 A7000000 mov eax,0xA7
005AED2E 50 push eax
005AED2F 68 03000000 push 0x3
005AED34 BB 00030000 mov ebx,0x300
005AED39 E8 48400000 call Unpack.005B2D86 ; pops up the dialog
005AED3E 83C4 28 add esp,0x28
005AED41 8B5D F8 mov ebx,dword ptr ss: ; kernel32.7C817080
Double-clicking the tray icon in the bottom right corner pops up "program has been damaged" again.
See figure 2:
Set BP ExitProcess, walk the call stack back, and locate the exit at 005B0B27; above it the key jump is at 005B0A76. Change it to JMP.
005B0A66 55 push ebp
005B0A67 8BEC mov ebp,esp
005B0A69 81EC 28000000 sub esp,0x28
005B0A6F 833D 34000000 0>cmp dword ptr ds:,0x0
005B0A76 E9 B4000000 jmp Unpack.005B0B2F ; key jump
005B0A7B 90 nop
005B0A7C 68 02000080 push 0x80000002
005B0A81 6A 00 push 0x0
005B0A83 68 00000000 push 0x0
005B0A88 68 01000100 push 0x10001
005B0A8D 68 00000106 push 0x6010000
005B0A92 68 01000152 push 0x52010001
005B0A97 68 01000100 push 0x10001
005B0A9C 68 FA000106 push 0x60100FA
005B0AA1 68 FB000152 push 0x520100FB
005B0AA6 68 03000000 push 0x3
005B0AAB BB 20030000 mov ebx,0x320
005B0AB0 E8 D1220000 call Unpack.005B2D86
005B0AB5 83C4 28 add esp,0x28
005B0AB8 B8 C00E0600 mov eax,0x60EC0 ; B3CCD0F2B1BBC6C6BBB5BBF2D0DEB8C42CC7EBD6D8D0C2B0B2D7B0C8EDBCFE21
005B0ABD 8945 FC mov dword ptr ss:,eax
005B0AC0 8D45 FC lea eax,dword ptr ss:
005B0AC3 50 push eax
005B0AC4 E8 86B4FFFF call Unpack.005ABF4F
005B0AC9 8945 F8 mov dword ptr ss:,eax
005B0ACC 8B5D FC mov ebx,dword ptr ss:
005B0ACF 85DB test ebx,ebx
005B0AD1 74 09 je short Unpack.005B0ADC
005B0AD3 53 push ebx
005B0AD4 E8 A7220000 call Unpack.005B2D80
005B0AD9 83C4 04 add esp,0x4
005B0ADC 6A 00 push 0x0
005B0ADE FF75 F8 push dword ptr ss: ; kernel32.7C817080
005B0AE1 6A FF push -0x1
005B0AE3 6A 08 push 0x8
005B0AE5 68 FF000116 push 0x160100FF
005B0AEA 68 FB000152 push 0x520100FB
005B0AEF E8 B6220000 call Unpack.005B2DAA
005B0AF4 83C4 18 add esp,0x18
005B0AF7 8B5D F8 mov ebx,dword ptr ss: ; kernel32.7C817080
005B0AFA 85DB test ebx,ebx
005B0AFC 74 09 je short Unpack.005B0B07
005B0AFE 53 push ebx
005B0AFF E8 7C220000 call Unpack.005B2D80
005B0B04 83C4 04 add esp,0x4
005B0B07 68 01030080 push 0x80000301
005B0B0C 6A 00 push 0x0
005B0B0E 68 88130000 push 0x1388
005B0B13 68 01000000 push 0x1
005B0B18 BB 7C060000 mov ebx,0x67C
005B0B1D E8 64220000 call Unpack.005B2D86
005B0B22 83C4 10 add esp,0x10
005B0B25 6A 00 push 0x0
005B0B27 E8 42220000 call Unpack.005B2D6E ; exit
005B0B2C 83C4 04 add esp,0x4
005B0B2F 8B1D 44000000 mov ebx,dword ptr ds:
005B0B35 85DB test ebx,ebx
005B0B37 74 09 je short Unpack.005B0B42
3. Patching the check
Limitation: the trial version cannot save passwords.
Clicking the password-change button pops up a prompt: the trial version cannot save passwords.
See figure 3:
Set a breakpoint on the byte pattern FF55FC (the Easy Language button-event call) and you arrive at the key code.
005AE453 55 push ebp
005AE454 8BEC mov ebp,esp
005AE456 81EC 08000000 sub esp,0x8
005AE45C 833D 7406B600 0>cmp dword ptr ds:,0x0
005AE463 0F84 41000000 je Unpack_3.005AE4AA
005AE469 68 02000080 push 0x80000002
005AE46E 6A 00 push 0x0
005AE470 68 01000000 push 0x1
005AE475 68 01000100 push 0x10001
005AE47A 68 00000106 push 0x6010000
005AE47F 68 01000152 push 0x52010001
005AE484 68 01000100 push 0x10001
005AE489 68 CB000106 push 0x60100CB
005AE48E 68 CC000152 push 0x520100CC
005AE493 68 03000000 push 0x3
005AE498 BB 20030000 mov ebx,0x320
005AE49D E8 E4480000 call Unpack_3.005B2D86 ; pops up the password-settings window
005AE4A2 83C4 28 add esp,0x28
005AE4A5 E9 90000000 jmp Unpack_3.005AE53A
So the registration flag is stored in the dword compared at 005AE45C; nop out the je at 005AE463 and the patch is done.
Now let's find where the registration flag gets assigned.
Re-run the program, locate the flag's address in the dump, set a memory-write breakpoint on it, and it breaks here. Note that 0xB60674 does not exist at first, so wait until it appears before setting the breakpoint.
005AD318 DFE0 fstsw ax
005AD31A F6C4 41 test ah,0x41
005AD31D 0F84 5E000000 je Unpack_3.005AD381 // nop this out
005AD323 C705 14000000 0>mov dword ptr ds:,0x1 // registered
005AD32D B8 5A070000 mov eax,0x75A
005AD332 8945 FC mov dword ptr ss:,eax
005AD335 8D45 FC lea eax,dword ptr ss:
005AD338 50 push eax
005AD339 E8 11ECFFFF call Unpack_3.005ABF4F
005AD33E 8945 F8 mov dword ptr ss:,eax
005AD341 8B5D FC mov ebx,dword ptr ss:
005AD344 85DB test ebx,ebx
005AD346 74 09 je short Unpack_3.005AD351
005AD348 53 push ebx
005AD349 E8 325A0000 call Unpack_3.005B2D80
005AD34E 83C4 04 add esp,0x4
005AD351 6A 00 push 0x0
005AD353 FF75 F8 push dword ptr ss: ; kernel32.7C817080
005AD356 6A FF push -0x1
005AD358 6A 08 push 0x8
005AD35A 68 96010116 push 0x16010196
005AD35F 68 01000152 push 0x52010001
005AD364 E8 415A0000 call Unpack_3.005B2DAA
005AD369 83C4 18 add esp,0x18
005AD36C 8B5D F8 mov ebx,dword ptr ss: ; kernel32.7C817080
005AD36F 85DB test ebx,ebx
005AD371 74 09 je short Unpack_3.005AD37C
005AD373 53 push ebx
005AD374 E8 075A0000 call Unpack_3.005B2D80
005AD379 83C4 04 add esp,0x4
005AD37C E9 0A000000 jmp Unpack_3.005AD38B
005AD381 C705 14000000 0>mov dword ptr ds:,0x0 ; not registered
Changing the 0x0 at 005AD381 to 0x1, or changing the JE to NOP, makes the program registered.
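Steps 2 and 3 expose the same design weakness: the integrity check and the registration state each collapse into one conditional jump, so a single patched instruction defeats them. As an added example (my own code, not from the original post or from the program analyzed), here is the usual countermeasure sketched in Python: derive key material from a hash of the code bytes, and keep data the feature needs sealed under that key. There is then no boolean to flip: a patched image derives a different key, the blob fails authentication, and the feature simply does not work. The code bytes (filler around a jnz-shaped instruction, mirroring the jnz-to-jmp patch of step 2), the salt, the nonce and the secret are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the protected program's code bytes: filler around a
# six-byte "jnz rel32" shaped like the key jump in step 2. Not the real binary.
ORIGINAL_CODE = b"\x90" * 16 + b"\x0F\x85\x7C\x00\x00\x00" + b"\x90" * 16
# The same region after the one-instruction patch (jmp rel32 + nop) from the write-up.
PATCHED_CODE = b"\x90" * 16 + b"\xE9\x7D\x00\x00\x00\x90" + b"\x90" * 16

BUILD_SALT = b"constructed per-build salt"  # assumption: a constant baked in at build time


def flag_check(code: bytes) -> bool:
    """The weak design from the write-up: one boolean that the program branches on."""
    return hashlib.sha256(code).digest() == hashlib.sha256(ORIGINAL_CODE).digest()


def derive_key(code: bytes) -> bytes:
    """Key that only exists when the code bytes hash to the value they had at build time."""
    return hmac.new(BUILD_SALT, hashlib.sha256(code).digest(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; the "enc" prefix keeps it apart from the tag computation.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + struct.pack("<I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 32-byte tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def run_demo():
    """Seal a secret at 'build time', then try to use it from the original and the patched image."""
    nonce = bytes(16)                      # constructed fixed nonce, only to keep the demo deterministic
    secret = b"password-store-format-v1"  # constructed stand-in for data the save-password feature needs
    blob = seal(derive_key(ORIGINAL_CODE), nonce, secret)
    from_original = open_sealed(derive_key(ORIGINAL_CODE), blob)
    from_patched = open_sealed(derive_key(PATCHED_CODE), blob)
    return from_original == secret, from_patched is None


if __name__ == "__main__":
    print("flag check passes, original/patched:", flag_check(ORIGINAL_CODE), flag_check(PATCHED_CODE))
    print("key-bound data usable from original, rejected from patched:", run_demo())
```

This raises the bar rather than closing the door: someone who controls the binary can still redirect the hash input to a pristine copy, so the key derivation itself has to be hard to find and the hash should cover as much of the image as possible. The point is that there is no single branch whose inversion unlocks the feature.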
See figure 4:
Software download:
http://www.onlinedown.net/soft/52481.htm
Version 5.1
=================================================================
Series links:
Cracking in Practice, Round 1: http://www.52pojie.cn/thread-197281-1-1.html
Cracking in Practice, Round 2: http://www.52pojie.cn/thread-197598-1-1.html
Cracking in Practice, Round 3: http://www.52pojie.cn/thread-197957-1-1.html
Cracking in Practice, Round 4: http://www.52pojie.cn/thread-198203-1-1.html
Cracking in Practice, Round 5: http://www.52pojie.cn/thread-198365-1-1.html
Cracking in Practice, Round 6: http://www.52pojie.cn/thread-198930-1-1.html
Cracking in Practice, Round 7: http://www.52pojie.cn/thread-199459-1-1.html
Cracking in Practice, Round 8: http://www.52pojie.cn/thread-199834-1-1.html
Cracking in Practice, Round 9: http://www.52pojie.cn/thread-200655-1-1.html
Cracking in Practice, Round 10: http://www.52pojie.cn/thread-200798-1-1.html
Replies:
Expert, why can't my OD break on ExitProcess in step 3? As soon as I press F9 it just closes. When breaking on MessageBoxA I had to use a second OD to get it to break... In the end both ODs did break on this software's ExitProcess... Please give me some pointers. Thanks.
Such a thorough analysis...
Learning, learning.
Learned something. O(∩_∩)O Thanks.
Can't follow it; I still need to put in some work.
Awesome. As a newbie I didn't understand much; downloading it to study slowly. Thanks!
OP is awesome.
Why no screenshots? I think it would look nicer that way.
Newbie here to learn~~
OP's tutorial is not meant for beginners, comrades, don't be impatient.