【吾爱2013CM大赛解答】-- 风云CM2013 --风云思星
本帖最后由 1354669803 于 2013-12-14 09:57 编辑
【文章标题】: 【吾爱2013CM大赛解答】-- 风云CM2013 --风云思星
【文章作者】: Kelly
【软件名称】: CM
【下载地址】: http://www.52pojie.cn/thread-228498-1-1.html
【加壳方式】: 无
【编写语言】: E语言
【使用工具】: OD
【操作平台】: XP SP3
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
载入OD。(注：本帖反汇编里方括号中的内存操作数在转贴时被论坛过滤掉了，例如 `mov dword ptr ss:,0` 实为 `mov dword ptr ss:[ebp-4],0`，`call dword ptr ds:` 实为 `call dword ptr ds:[eax+204]`，读者可根据左侧机器码字节(ModRM + 位移)自行还原。)
00401005 E8 6F5F0100 call 风云CM20.00416F79 (进入call)
搜索字符串，发现 "/reg.ini" 字样，基本可以断定这是 ini 文件的重启验证(后面 00401329~0040138E 处对该文件的检查证实了这一点)。
所谓 ini 重启验证，就是注册时把信息写入文件，软件下次启动时读取文件并进行验证；因此判断点在启动流程里、在主界面出现之前。
大致思路：找到软件启动时的比较点，即爆破点。
这里我不采用在读取 ini 文件的 API 上下断的做法，比较繁琐；既然已经有明显的字符串，直接从字符串入手更方便。
搜索字符串:风云CM2013(未注册) 点击进入 找到段首
0040102D 55 push ebp -----------F2 段首下断
0040102E 8BEC mov ebp,esp
00401030 81EC 18000000 sub esp,18
00401036 6A 01 push 1
00401038 68 01000000 push 1
0040103D C745 FC 0000000>mov dword ptr ss:,0
00401044 6A 00 push 0
00401046 FF75 FC push dword ptr ss:
00401049 C745 F8 0000000>mov dword ptr ss:,0
00401050 6A 00 push 0
00401052 8D45 F8 lea eax,dword ptr ss:
00401055 50 push eax
00401056 6A 01 push 1
00401058 68 01000000 push 1
0040105D C745 F4 0000000>mov dword ptr ss:,0
00401064 6A 00 push 0
00401066 FF75 F4 push dword ptr ss: ; 风云CM20.0040130C
00401069 6A 01 push 1
0040106B 68 0000CF00 push 0CF0000
00401070 6A 01 push 1
00401072 68 D4000000 push 0D4
00401077 6A 01 push 1
00401079 68 28010000 push 128
0040107E C745 F0 0000000>mov dword ptr ss:,0
00401085 6A 00 push 0
00401087 FF75 F0 push dword ptr ss:
0040108A C745 EC 0000000>mov dword ptr ss:,0
00401091 6A 00 push 0
00401093 FF75 EC push dword ptr ss: ; 风云CM20.00417340
00401096 6A 01 push 1
00401098 68 00000000 push 0
0040109D 6A 01 push 1
0040109F 68 1A744000 push 风云CM20.0040741A
004010A4 6A 01 push 1
004010A6 B8 00E24100 mov eax,风云CM20.0041E200 ; 风云CM2013(未注册)
004010AB 8945 E8 mov dword ptr ss:,eax
004010AE 8D45 E8 lea eax,dword ptr ss:
004010B1 50 push eax
004010B2 6A 01 push 1
004010B4 68 00000000 push 0
004010B9 68 86F64100 push 风云CM20.0041F686
004010BE 8B0424 mov eax,dword ptr ss: ; msvcrt.77C071C6
004010C1 8B00 mov eax,dword ptr ds:
004010C3 8B00 mov eax,dword ptr ds:
004010C5 FF90 04020000 call dword ptr ds:
004010CB 8B5D E8 mov ebx,dword ptr ss:
004010CE 85DB test ebx,ebx
004010D0 74 09 je short 风云CM20.004010DB
004010D2 53 push ebx
004010D3 E8 F15E0100 call 风云CM20.00416FC9
004010D8 83C4 04 add esp,4
004010DB 8B5D F8 mov ebx,dword ptr ss:
004010DE 85DB test ebx,ebx
004010E0 74 09 je short 风云CM20.004010EB
004010E2 53 push ebx
004010E3 E8 E15E0100 call 风云CM20.00416FC9
004010E8 83C4 04 add esp,4
004010EB 68 00000400 push 40000
004010F0 68 86F64100 push 风云CM20.0041F686
004010F5 8B0424 mov eax,dword ptr ss: ; msvcrt.77C071C6
004010F8 8B00 mov eax,dword ptr ds:
004010FA 8B00 mov eax,dword ptr ds:
004010FC FF90 F4000000 call dword ptr ds:
00401102 E8 A7010000 call 风云CM20.004012AE -------F7跟进此处
004012AE 55 push ebp ---------F2下断做个标记
004012AF 8BEC mov ebp,esp
004012B1 81EC 20000000 sub esp,20
004012B7 E8 BF030000 call 风云CM20.0040167B
004012BC A3 8AF64100 mov dword ptr ds:,eax
004012C1 833D 8AF64100 0>cmp dword ptr ds:[41F68A],1 ; 0040167B 的返回值与 1 比较
004012C8 0F85 23000000 jnz 风云CM20.004012F1 ; 两个分支都只是调用 00417320，仅参数 63/64 不同，看起来与注册校验无关，可直接走过
004012CE 68 01030080 push 80000301
004012D3 6A 00 push 0
004012D5 68 63000000 push 63
004012DA 68 01000000 push 1
004012DF BB 90000000 mov ebx,90
004012E4 E8 37600100 call 风云CM20.00417320
004012E9 83C4 10 add esp,10
004012EC E9 1E000000 jmp 风云CM20.0040130F
004012F1 68 01030080 push 80000301
004012F6 6A 00 push 0
004012F8 68 64000000 push 64
004012FD 68 01000000 push 1
00401302 BB 90000000 mov ebx,90
00401307 E8 14600100 call 风云CM20.00417320
0040130C 83C4 10 add esp,10
0040130F E8 98030000 call 风云CM20.004016AC (F7跟进)
004016E6 A3 A6F64100 mov dword ptr ds:,eax
004016EB 68 01030080 push 80000301
004016F0 6A 00 push 0
004016F2 68 0F270000 push 270F
004016F7 68 01030080 push 80000301
004016FC 6A 00 push 0
004016FE 68 E8030000 push 3E8
00401703 68 02000000 push 2
00401708 BB 94000000 mov ebx,94
0040170D E8 CE600100 call 风云CM20.004177E0
00401712 83C4 1C add esp,1C
00401715 68 01030080 push 80000301
0040171A 6A 00 push 0
0040171C 50 push eax
0040171D 68 01000000 push 1
00401722 BB 68010000 mov ebx,168
00401727 E8 E45D0100 call 风云CM20.00417510 ----取出机器码的第一段
0040172C 83C4 10 add esp,10
00401799 8B1D AEF64100 mov ebx,dword ptr ds:
0040179F 85DB test ebx,ebx
004017A1 74 09 je short 风云CM20.004017AC
004017A3 53 push ebx
004017A4 E8 20580100 call 风云CM20.00416FC9
004017A9 83C4 04 add esp,4
004017AC 58 pop eax ; msvcrt.77C071C6
004017AD A3 AEF64100 mov dword ptr ds:,eax
004017B2 E8 5C1C0000 call 风云CM20.00403413 ----貌似是取CPU名称
004017B7 8945 FC mov dword ptr ss:,eax
004017BA 68 04000080 push 80000004
004017BF 6A 00 push 0
004017C1 8B45 FC mov eax,dword ptr ss:
0040184B 50 push eax
0040184C 8B1D B2F64100 mov ebx,dword ptr ds:
00401852 85DB test ebx,ebx
00401854 74 09 je short 风云CM20.0040185F
00401856 53 push ebx
00401857 E8 6D570100 call 风云CM20.00416FC9
0040185C 83C4 04 add esp,4
0040185F 58 pop eax ; msvcrt.77C071C6
00401860 A3 B2F64100 mov dword ptr ds:,eax
00401865 E8 EE1C0000 call 风云CM20.00403558 ----应该是CPU序列号吧
004018FE 50 push eax
004018FF 8B1D B6F64100 mov ebx,dword ptr ds:
00401905 85DB test ebx,ebx
00401907 74 09 je short 风云CM20.00401912
00401909 53 push ebx
0040190A E8 BA560100 call 风云CM20.00416FC9
0040190F 83C4 04 add esp,4
00401912 58 pop eax ; msvcrt.77C071C6
00401913 A3 B6F64100 mov dword ptr ds:,eax
00401918 E8 AF1D0000 call 风云CM20.004036CC -----处理器ID
004019D7 85C0 test eax,eax
004019D9 75 05 jnz short 风云CM20.004019E0
004019DB B8 74E24100 mov eax,风云CM20.0041E274
004019E0 50 push eax
004019E1 68 01000000 push 1
004019E6 BB 68010000 mov ebx,168
004019EB E8 205B0100 call 风云CM20.00417510 -----第一段机器码出现
004019F0 83C4 10 add esp,10
004019F3 8945 FC mov dword ptr ss:,eax
004019F6 68 05000080 push 80000005
004019FB 6A 00 push 0
004019FD A1 AEF64100 mov eax,dword ptr ds:
00401A02 85C0 test eax,eax
00401A04 75 05 jnz short 风云CM20.00401A0B
00401A06 B8 74E24100 mov eax,风云CM20.0041E274
00401A0B 50 push eax
00401A0C 68 01000000 push 1
00401A11 BB 68010000 mov ebx,168
00401A16 E8 F55A0100 call 风云CM20.00417510 ----第二段机器码出现
00401A1B 83C4 10 add esp,10
00401A1E 8945 F8 mov dword ptr ss:,eax
00401A21 68 05000080 push 80000005
00401A26 6A 00 push 0
00401A28 A1 B2F64100 mov eax,dword ptr ds:
00401A2D 85C0 test eax,eax
00401A2F 75 05 jnz short 风云CM20.00401A36
00401A31 B8 74E24100 mov eax,风云CM20.0041E274
00401A36 50 push eax
00401A37 68 01000000 push 1
00401A3C BB 68010000 mov ebx,168
00401A41 E8 CA5A0100 call 风云CM20.00417510 ----第三段机器码出现(字母一开始为小写)
00401A49 8945 F4 mov dword ptr ss:,eax
00401A4C 68 05000080 push 80000005
00401A51 6A 00 push 0
00401A53 A1 B6F64100 mov eax,dword ptr ds:
00401A58 85C0 test eax,eax
00401A5A 75 05 jnz short 风云CM20.00401A61
00401A5C B8 74E24100 mov eax,风云CM20.0041E274
00401A61 50 push eax
00401A62 68 01000000 push 1
00401A67 BB 68010000 mov ebx,168
00401A6C E8 9F5A0100 call 风云CM20.00417510 ----第四段机器码出现(字母一开始为小写)
00401A71 83C4 10 add esp,10
00401A74 8945 F0 mov dword ptr ss:,eax
00401A71 83C4 10 add esp,10
00401A74 8945 F0 mov dword ptr ss:,eax
00401A77 68 05000080 push 80000005
00401A7C 6A 00 push 0
00401A7E A1 BAF64100 mov eax,dword ptr ds:
00401A83 85C0 test eax,eax
00401A85 75 05 jnz short 风云CM20.00401A8C
00401A87 B8 74E24100 mov eax,风云CM20.0041E274
00401A8C 50 push eax
00401A8D 68 01000000 push 1
00401A92 BB 68010000 mov ebx,168
00401A97 E8 745A0100 call 风云CM20.00417510 ----最后一段机器码出现
00401A9C 83C4 10 add esp,10
00401A8C 50 push eax
00401A8D 68 01000000 push 1
00401A92 BB 68010000 mov ebx,168
00401A97 E8 745A0100 call 风云CM20.00417510
00401A9C 83C4 10 add esp,10
00401A9F 8945 EC mov dword ptr ss:,eax
00401AA2 FF75 EC push dword ptr ss:
00401AA5 68 7CE24100 push 风云CM20.0041E27C ; -
00401AAA FF75 F0 push dword ptr ss:
00401AAD 68 7CE24100 push 风云CM20.0041E27C ; -
00401AB2 FF75 F4 push dword ptr ss:
00401AB5 68 7CE24100 push 风云CM20.0041E27C ; -
00401ABA FF75 F8 push dword ptr ss:
00401ABD 68 7CE24100 push 风云CM20.0041E27C ; -
00401AC2 FF75 FC push dword ptr ss:[ebp-4] ; 以上五段机器码之间各压入一个 "-"(0041E27C) 作为分隔符，准备交给下面的 004011B5 拼接
00401ABA FF75 F8 push dword ptr ss:
00401ABD 68 7CE24100 push 风云CM20.0041E27C ; -
00401AC2 FF75 FC push dword ptr ss:
00401AC5 B9 09000000 mov ecx,9
00401ACA E8 E6F6FFFF call 风云CM20.004011B5
00401ACF 83C4 24 add esp,24
00401AD2 8945 E8 mov dword ptr ss:[ebp-18],eax ----完整机器码出现(字母一开始为小写)。上面的 ecx=9 与 add esp,24 表明 004011B5 是按 ecx 个参数做字符串连接(与 00401331 处 ecx=2 拼接 ini 路径的用法一致)
00401AD5 8B5D FC mov ebx,dword ptr ss:
00401AD8 85DB test ebx,ebx
00401ADA 74 09 je short 风云CM20.00401AE5
00401ADC 53 push ebx
00401ADD E8 E7540100 call 风云CM20.00416FC9
00401AE2 83C4 04 add esp,4
00401AE5 8B5D F8 mov ebx,dword ptr ss:
00401B0A /74 09 je short 风云CM20.00401B15
00401B0C |53 push ebx
00401B0D |E8 B7540100 call 风云CM20.00416FC9
00401B12 |83C4 04 add esp,4
00401B15 \8B5D EC mov ebx,dword ptr ss:
00401B18 85DB test ebx,ebx
00401B1A 74 09 je short 风云CM20.00401B25
00401B1C 53 push ebx
00401B1D E8 A7540100 call 风云CM20.00416FC9
00401B22 83C4 04 add esp,4
00401B25 8D45 E8 lea eax,dword ptr ss:
00401B28 50 push eax
00401B29 E8 351D0000 call 风云CM20.00403863 ----完成小写字母转大写字母
00401314 68 00000000 push 0
00401319 BB 04010000 mov ebx,104
0040131E E8 2D600100 call 风云CM20.00417350
00401323 83C4 04 add esp,4
00401326 8945 FC mov dword ptr ss:,eax
00401329 68 13E24100 push 风云CM20.0041E213 ; "/reg.ini" ----寻找文件：把 00417350(ebx=104) 的返回值(推测是程序所在目录)与 "/reg.ini" 用 004011B5 拼成完整路径
0040132E FF75 FC push dword ptr ss:
00401331 B9 02000000 mov ecx,2
00401336 E8 7AFEFFFF call 风云CM20.004011B5
0040133B 83C4 08 add esp,8
0040133E 8945 F8 mov dword ptr ss:,eax
00401341 8B5D FC mov ebx,dword ptr ss:
00401344 85DB test ebx,ebx
00401346 74 09 je short 风云CM20.00401351
00401348 53 push ebx
00401349 E8 7B5C0100 call 风云CM20.00416FC9
0040134E 83C4 04 add esp,4
00401351 68 04000080 push 80000004
00401356 6A 00 push 0
00401358 8B45 F8 mov eax,dword ptr ss:
0040135B 85C0 test eax,eax
0040135D 75 05 jnz short 风云CM20.00401364
0040135F B8 1CE24100 mov eax,风云CM20.0041E21C
00401364 50 push eax
00401365 68 01000000 push 1
0040136A BB 4C020000 mov ebx,24C
0040136F E8 7C600100 call 风云CM20.004173F0
00401374 83C4 10 add esp,10
00401377 8945 F4 mov dword ptr ss:,eax
0040137A 8B5D F8 mov ebx,dword ptr ss:
0040137D 85DB test ebx,ebx
0040137F 74 09 je short 风云CM20.0040138A
00401381 53 push ebx
00401382 E8 425C0100 call 风云CM20.00416FC9
00401387 83C4 04 add esp,4
0040138A 837D F4 01 cmp dword ptr ss:[ebp-0C],1
0040138E 0F85 E3020000 jnz 风云CM20.00401677 ; 判断注册文件 reg.ini 是否存在(推测 004173F0 返回 1 表示存在)。不存在就直接跳到 00401677，下面读 ini、比较注册码的整段逻辑都不会执行——爆破时要记得这一点
004013D7 68 04000080 push 80000004
004013DC 6A 00 push 0
004013DE 68 1DE24100 push 风云CM20.0041E21D ; 机器码
004013E3 68 04000080 push 80000004
004013E8 6A 00 push 0
004013EA 68 24E24100 push 风云CM20.0041E224 ; 注册信息
004013EF 68 04000080 push 80000004
004013F4 6A 00 push 0
004013F6 8B45 F8 mov eax,dword ptr ss:
004013F9 85C0 test eax,eax
004013FB 75 05 jnz short 风云CM20.00401402
004013FD B8 1CE24100 mov eax,风云CM20.0041E21C
00401402 50 push eax
00401403 68 04000000 push 4
00401408 BB C8080000 mov ebx,8C8
0040140D E8 EE5F0100 call 风云CM20.00417400 -----载入机器码：按上面压入的参数看，是从 reg.ini 的 [注册信息] 节读取 "机器码" 键
00401412 83C4 34 add esp,34
0040147A E8 4A5B0100 call 风云CM20.00416FC9
0040147F 83C4 04 add esp,4
00401482 6A 00 push 0
00401484 6A 00 push 0
00401486 6A 00 push 0
00401488 68 04000080 push 80000004
0040148D 6A 00 push 0
0040148F 68 2DE24100 push 风云CM20.0041E22D ; 注册码
00401494 68 04000080 push 80000004
00401499 6A 00 push 0
0040149B 68 24E24100 push 风云CM20.0041E224 ; 注册信息
004014A0 68 04000080 push 80000004
004014A5 6A 00 push 0
004014A7 8B45 F8 mov eax,dword ptr ss:
004014AA 85C0 test eax,eax
004014AC 75 05 jnz short 风云CM20.004014B3
004014AE B8 1CE24100 mov eax,风云CM20.0041E21C
004014B3 50 push eax
004014B4 68 04000000 push 4
004014B9 BB C8080000 mov ebx,8C8
004014BE E8 3D5F0100 call 风云CM20.00417400 ----载入注册码：同样是从 reg.ini 的 [注册信息] 节读取 "注册码" 键
004014C3 83C4 34 add esp,34
004014D9 8B45 F4 mov eax,dword ptr ss:
004014DC 50 push eax
004014DD 8B1D 92F64100 mov ebx,dword ptr ds:
004014E3 85DB test ebx,ebx
004014E5 74 09 je short 风云CM20.004014F0
004014E7 53 push ebx
004014E8 E8 DC5A0100 call 风云CM20.00416FC9
004014ED 83C4 04 add esp,4
004014F0 58 pop eax ; 风云CM20.0041F68E
004014F1 A3 92F64100 mov dword ptr ds:,eax
004014F6 68 8EF64100 push 风云CM20.0041F68E
004014FB 68 92F64100 push 风云CM20.0041F692
00401500 E8 CE230000 call 风云CM20.004038D3 ----关键call：参数是 0041F68E 和刚在 004014F1 处写入的 0041F692，推测是把 ini 里读到的注册码与程序算出的期望值作比较，返回值即校验结果
00401505 8945 F8 mov dword ptr ss:[ebp-8],eax
00401508 837D F8 01 cmp dword ptr ss:[ebp-8],1
0040150C 0F85 73000000 jnz 风云CM20.00401585 ---------关键一跳：004038D3 的返回值不等于 1 就跳到 00401585(xor eax,eax，即校验失败)
00401569 /74 09 je short 风云CM20.00401574
0040156B |53 push ebx
0040156C |E8 585A0100 call 风云CM20.00416FC9
00401571 |83C4 04 add esp,4
00401574 \837D E8 01 cmp dword ptr ss:[ebp-18],1 ----第二个条件：[ebp-18] 的来源在 00401508~00401574 之间(本帖未贴出)，推测是另一项校验的结果
00401578 0F85 07000000 jnz 风云CM20.00401585 ----关键第二跳：同样跳向 00401585 置 eax=0
0040157E B8 01000000 mov eax,1 ; 两项检查都通过 → eax=1
00401583 EB 02 jmp short 风云CM20.00401587
00401585 33C0 xor eax,eax ; 任一检查失败 → eax=0
00401587 85C0 test eax,eax
00401589 0F84 A1000000 je 风云CM20.00401630 ; 汇总判断：eax=0 则跳到 00401630(推测为未注册分支)。两条"关键跳"最终都汇聚到这里，所以只 NOP 掉这一处 je 也能达到同样效果
0040158F 68 010100A0 push A0000101
Patch: 0040150C 0F85 73000000 jnz → 改 NOP(6 字节，OD 的"用 NOP 填充"会自动补满)
       00401578 0F85 07000000 jnz → 改 NOP(6 字节)
注意：(1) 这两处只有在 reg.ini 存在时才会执行到——0040138E 处的 jnz 00401677 会在文件不存在时直接跳过整段验证，所以爆破后仍需在程序目录放一个 reg.ini(哪怕是空文件，比较已被跳过，内容一般不再重要)，或者连同 0040138E 一起处理；(2) 也可以只把 00401589 的 je 改 NOP，两个条件在那里汇总成 eax 后统一判断，一处即可；(3) 从防护角度看，这个 CM 把校验结果存进栈变量再 cmp ...,1，整条注册逻辑只由两三个条件跳转决定，正是典型的单点爆破弱点；机器码又来自用户可读的 CPU 信息(若上面的识别正确)，硬件绑定也容易伪造。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于Kelly, 转载请注明作者并保持文章的完整, 谢谢!
2013年12月14日 上午 09:12:55
004015C0|.FF90 08010000 call dword ptr ds:[eax+108] ——从这里也能轻松锁定关键位置
别忘了前面 0040138E 处还有对 reg.ini 文件是否存在的检查
20120427 发表于 2013-12-14 10:25 (引用)：
00401589|. /0F84 A1000000 je 风云CM20.00401630 ——这里 NOP 即可：两个条件在 0040157E/00401585 处汇总成 eax 后在此统一判断，改这一处就同时绕过了 0040150C 和 00401578 两跳
004015C0|.FF90 08010000 call dword ptr ds:[eax+108] ...
（回复）我正在分析机器码的算法