Membership ID application: atomy [Application approved]
1. Requested ID: atomy
2. Personal e-mail: atomy@foxmail.com
3. Original technical article:
http://bbs.pediy.com/search.php?searchid=6557990
【Article title】: My first write-up: an analysis of CCProxy 6.3.9
【Author】: atomy
【Software】: CCProxy 6.3.9
【Download】: http://www.ccproxy.com/download/ccproxysetup.exe
【Tools used】: PEiD, OllyDbg, W32Dasm
【Software description】: Proxy server
【Author's note】: Done purely out of interest, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
This is my first attempt at learning cracking and there is a lot I don't understand. This analysis follows the approach in articles the forum veterans posted earlier.
It is also my first time writing this kind of article, so please bear with me. Without further ado, on to the subject.
After getting the software, I found it is a multi-language build. The unregistered version is limited to three clients. Run the software, click Register and enter 88888888.
Clicking the "Register" button pops up "Sorry. Registration Failed!"
Looking at the ChineseGB.ini file in the software's Language folder, the strings corresponding to the failure text are:
Congratulations. You have registered successfully!=祝贺您,注册成功!
Sorry. Registration Failed!=对不起,注册失败!
Checking with PEiD: no packer; written in Microsoft Visual C++ 6.0.
Following the veterans' method, open the program in W32Dasm and search for the string "registered successfully"; one hit is found.
Note the address: 00418001
Load the program in OllyDbg, set a breakpoint at the entry of the function containing that address, run the program, click Register, enter 88888888 and click "Register"; the program breaks.
00417DC0  .  6A FF             push -1                              ; break here
00417DC2  .  68 56914700       push 00479156                        ; SE handler install
00417DC7  .  64:A1 0000000>    mov eax, fs:[0]
00417DCD  .  50                push eax
00417DCE  .  64:8925 00000>    mov fs:[0], esp
00417DD5  .  81EC 10080000     sub esp, 810
00417DDB  .  53                push ebx
00417DDC  .  55                push ebp
00417DDD  .  56                push esi
00417DDE  .  57                push edi
00417DDF  .  8BF1              mov esi, ecx
00417DE1  .  6A 01             push 1
00417DE3  .  E8 0D4A0500       call 0046C7F5
00417DE8  .  8B86 1C010000     mov eax, [esi+11C]                   ; get the registration code into ax
00417DEE  .  8B1D 4CC34700     mov ebx, [<&KERNEL32.WritePrivateProfileStringA>] ; kernel32.WritePrivateProfileStringA
00417DF4  .  8DBE 1C010000     lea edi, [esi+11C]
00417DFA  .  68 B83E4900       push 00493EB8                        ; /FileName = ""
00417DFF  .  50                push eax                             ; |String
00417E00  .  68 28E54800       push 0048E528                        ; |Key = "RegCode"
00417E05  .  68 8CD14800       push 0048D18C                        ; |Section = "System"
00417E0A  .  FFD3              call ebx                             ; \write the registration info to the config file
00417E0C  .  8B86 24010000     mov eax, [esi+124]
00417E12  .  8DAE 24010000     lea ebp, [esi+124]
00417E18  .  68 B83E4900       push 00493EB8                        ; /FileName = ""
00417E1D  .  50                push eax                             ; |String
00417E1E  .  68 2CD44800       push 0048D42C                        ; |Key = "UserName"
00417E23  .  68 8CD14800       push 0048D18C                        ; |Section = "System"
00417E28  .  FFD3              call ebx                             ; \write the serial number to the config file
00417E2A  .  8BCE              mov ecx, esi
00417E2C  .  E8 E8550500       call 0046D419
00417E31  .  E8 3A7E0200       call 0043FC70                        ; key CALL, step into it
00417E36  .  8BCE              mov ecx, esi
00417E38  .  E8 F1550500       call 0046D42E
00417E3D  .  A1 3C1A4900       mov eax, [491A3C]
00417E42  .  894424 14         mov [esp+14], eax
00417E46  .  8B0D C03F4900     mov ecx, [493FC0]
00417E4C  .  C78424 280800>    mov dword ptr [esp+828], 0
00417E57  .  F7D9              neg ecx
00417E59  .  1BC9              sbb ecx, ecx
00417E5B  .  83E1 05           and ecx, 5
00417E5E  .  51                push ecx
00417E5F  .  68 A3040000       push 4A3
00417E64  .  8BCE              mov ecx, esi
00417E66  .  E8 0E580500       call 0046D679
00417E6B  .  8BC8              mov ecx, eax
00417E6D  .  E8 F8590500       call 0046D86A
00417E72  .  8B15 C03F4900     mov edx, [493FC0]
00417E78  .  8BCE              mov ecx, esi
00417E7A  .  F7DA              neg edx
00417E7C  .  1BD2              sbb edx, edx
00417E7E  .  83E2 FB           and edx, FFFFFFFB
00417E81  .  83C2 05           add edx, 5
00417E84  .  52                push edx
00417E85  .  68 A1040000       push 4A1
00417E8A  .  E8 EA570500       call 0046D679
00417E8F  .  8BC8              mov ecx, eax
00417E91  .  E8 D4590500       call 0046D86A
00417E96  .  A1 C03F4900       mov eax, [493FC0]
00417E9B  .  8BCE              mov ecx, esi
00417E9D  .  F7D8              neg eax
00417E9F  .  1BC0              sbb eax, eax
00417EA1  .  24 FB             and al, 0FB
00417EA3  .  83C0 05           add eax, 5
00417EA6  .  50                push eax
00417EA7  .  68 2D040000       push 42D
00417EAC  .  E8 C8570500       call 0046D679
00417EB1  .  8BC8              mov ecx, eax
00417EB3  .  E8 B2590500       call 0046D86A
00417EB8  .  6A 00             push 0
00417EBA  .  68 A2040000       push 4A2
00417EBF  .  8BCE              mov ecx, esi
00417EC1  .  E8 B3570500       call 0046D679
00417EC6  .  8BC8              mov ecx, eax
00417EC8  .  E8 9D590500       call 0046D86A
00417ECD  .  6A 00             push 0
00417ECF  .  68 2E040000       push 42E
00417ED4  .  8BCE              mov ecx, esi
00417ED6  .  E8 9E570500       call 0046D679
00417EDB  .  8BC8              mov ecx, eax
00417EDD  .  E8 88590500       call 0046D86A
00417EE2  .  8B0D C03F4900     mov ecx, [493FC0]
00417EE8  .  F7D9              neg ecx
00417EEA  .  1BC9              sbb ecx, ecx
00417EEC  .  83E1 FB           and ecx, FFFFFFFB
00417EEF  .  83C1 05           add ecx, 5
00417EF2  .  51                push ecx
00417EF3  .  68 CA000000       push 0CA
00417EF8  .  8BCE              mov ecx, esi
00417EFA  .  E8 7A570500       call 0046D679
00417EFF  .  8BC8              mov ecx, eax
00417F01  .  E8 64590500       call 0046D86A
00417F06  .  8B15 C03F4900     mov edx, [493FC0]
00417F0C  .  8BCE              mov ecx, esi
00417F0E  .  F7DA              neg edx
00417F10  .  1BD2              sbb edx, edx
00417F12  .  83E2 FB           and edx, FFFFFFFB
00417F15  .  83C2 05           add edx, 5
00417F18  .  52                push edx
00417F19  .  68 CB000000       push 0CB
00417F1E  .  E8 56570500       call 0046D679
00417F23  .  8BC8              mov ecx, eax
00417F25  .  E8 40590500       call 0046D86A
00417F2A  .  A1 C03F4900       mov eax, [493FC0]
00417F2F  .  85C0              test eax, eax
00417F31  .  75 54             jnz short 00417F87
00417F33  .  8D4424 10         lea eax, [esp+10]
00417F37  .  6A 04             push 4                               ; /BufSize = 4
00417F39  .  50                push eax                             ; |Buffer
00417F3A  .  6A 03             push 3                               ; |InfoType = 3
00417F3C  .  68 00080000       push 800                             ; |LocaleId = 800
00417F41  .  FF15 14C34700     call [<&KERNEL32.GetLocaleInfoA>]    ; \GetLocaleInfoA
00417F47  .  8D4C24 10         lea ecx, [esp+10]
00417F4B  .  68 A0E44800       push 0048E4A0                        ; ASCII "CHS"
00417F50  .  51                push ecx
00417F51  .  E8 3A450400       call 0045C490
00417F56  .  83C4 08           add esp, 8
00417F59  .  85C0              test eax, eax
00417F5B  .  74 2A             je short 00417F87
00417F5D  .  6A 05             push 5
00417F5F  .  68 A2040000       push 4A2
00417F64  .  8BCE              mov ecx, esi
00417F66  .  E8 0E570500       call 0046D679
00417F6B  .  8BC8              mov ecx, eax
00417F6D  .  E8 F8580500       call 0046D86A
00417F72  .  6A 05             push 5
00417F74  .  68 2E040000       push 42E
00417F79  .  8BCE              mov ecx, esi
00417F7B  .  E8 F9560500       call 0046D679
00417F80  .  8BC8              mov ecx, eax
00417F82  .  E8 E3580500       call 0046D86A
00417F87  >  8B1D 5CC34700     mov ebx, [<&KERNEL32.GetPrivateProfileStringA>] ; kernel32.GetPrivateProfileStringA
00417F8D  .  68 B83E4900       push 00493EB8                        ; /IniFileName = ""
00417F92  .  8D5424 1C         lea edx, [esp+1C]                    ; |
00417F96  .  68 00040000       push 400                             ; |BufSize = 400 (1024.)
00417F9B  .  52                push edx                             ; |ReturnBuffer
00417F9C  .  68 C03A4900       push 00493AC0                        ; |Default = ""
00417FA1  .  68 28E54800       push 0048E528                        ; |Key = "RegCode"
00417FA6  .  68 8CD14800       push 0048D18C                        ; |Section = "System"
00417FAB  .  FFD3              call ebx                             ; \GetPrivateProfileStringA
00417FAD  .  68 B83E4900       push 00493EB8                        ; /IniFileName = ""
00417FB2  .  8D8424 200400>    lea eax, [esp+420]                   ; |
00417FB9  .  68 00040000       push 400                             ; |BufSize = 400 (1024.)
00417FBE  .  50                push eax                             ; |ReturnBuffer
00417FBF  .  68 C03A4900       push 00493AC0                        ; |Default = ""
00417FC4  .  68 2CD44800       push 0048D42C                        ; |Key = "UserName"
00417FC9  .  68 8CD14800       push 0048D18C                        ; |Section = "System"
00417FCE  .  FFD3              call ebx                             ; \GetPrivateProfileStringA
00417FD0  .  8D4C24 18         lea ecx, [esp+18]
00417FD4  .  51                push ecx
00417FD5  .  8BCF              mov ecx, edi
00417FD7  .  E8 FF5D0500       call 0046DDDB
00417FDC  .  8D9424 1C0400>    lea edx, [esp+41C]
00417FE3  .  8BCD              mov ecx, ebp
00417FE5  .  52                push edx
00417FE6  .  E8 F05D0500       call 0046DDDB
00417FEB  .  6A 00             push 0
00417FED  .  8BCE              mov ecx, esi
00417FEF  .  E8 01480500       call 0046C7F5
00417FF4  .  A1 C03F4900       mov eax, [493FC0]
00417FF9  .  5F                pop edi
00417FFA  .  5E                pop esi
00417FFB  .  5D                pop ebp
00417FFC  .  85C0              test eax, eax
00417FFE  .  5B                pop ebx
00417FFF  .  74 40             je short 00418041
00418001  .  8D4424 00         lea eax, [esp]                       ; registration succeeded
00418005  .  6A 7D             push 7D
00418007  .  50                push eax
00418008  .  E8 C3A5FEFF       call 004025D0
0041800D  .  83C4 08           add esp, 8
00418010  .  50                push eax
00418011  .  8D4C24 08         lea ecx, [esp+8]
00418015  .  C68424 1C0800>    mov byte ptr [esp+81C], 1
0041801D  .  E8 695D0500       call 0046DD8B
00418022  .  8D4C24 00         lea ecx, [esp]
00418026  .  C68424 180800>    mov byte ptr [esp+818], 0
0041802E  .  E8 1F5C0500       call 0046DC52
00418033  .  8B4C24 04         mov ecx, [esp+4]
00418037  .  6A 00             push 0                               ; /Arg3 = 00000000
00418039  .  6A 40             push 40                              ; |Arg2 = 00000040
0041803B  .  51                push ecx                             ; |Arg1
0041803C  .  E8 959D0500       call 00471DD6                        ; \CCProxy.00471DD6
00418041  >  8D4C24 04         lea ecx, [esp+4]
00418045  .  C78424 180800>    mov dword ptr [esp+818], -1
00418050  .  E8 FD5B0500       call 0046DC52
00418055  .  8B8C24 100800>    mov ecx, [esp+810]
0041805C  .  64:890D 00000>    mov fs:[0], ecx
00418063  .  81C4 1C080000     add esp, 81C
00418069  .  C3                retn
From 00417E31, step into call 0043FC70.
A long stretch of code before the interesting part reads the registration code and serial number from the config file; after pressing F8 N times we arrive at the key spot.
0043FCEA |.  51                push ecx
0043FCEB |.  68 BC094900       push 004909BC                        ; ASCII "%s\CCProxy.ini"
0043FCF0 |.  52                push edx
0043FCF1 |.  E8 4D7A0100       call 00457743
0043FCF6 |.  A0 C03A4900       mov al, [493AC0]
0043FCFB |.  B9 FF000000       mov ecx, 0FF
0043FD00 |.  888424 C01F00>    mov [esp+1FC0], al
0043FD07 |.  33C0              xor eax, eax
0043FD09 |.  8DBC24 C11F00>    lea edi, [esp+1FC1]
0043FD10 |.  83C4 14           add esp, 14
0043FD13 |.  F3:AB             rep stos dword ptr es:[edi]
0043FD15 |.  8B1D 5CC34700     mov ebx, [<&KERNEL32.GetPrivateProfileStringA>] ; kernel32.GetPrivateProfileStringA
0043FD1B |.  8D8C24 980200>    lea ecx, [esp+298]
0043FD22 |.  51                push ecx                             ; /IniFileName
0043FD23 |.  8D9424 A80700>    lea edx, [esp+7A8]                   ; |
0043FD2A |.  68 00040000       push 400                             ; |BufSize = 400 (1024.)
0043FD2F |.  52                push edx                             ; |ReturnBuffer
0043FD30 |.  66:AB             stos word ptr es:[edi]               ; |
0043FD32 |.  68 C03A4900       push 00493AC0                        ; |Default = ""
0043FD37 |.  68 28E54800       push 0048E528                        ; |Key = "RegCode"
0043FD3C |.  68 8CD14800       push 0048D18C                        ; |Section = "System"
0043FD41 |.  AA                stos byte ptr es:[edi]               ; |
0043FD42 |.  FFD3              call ebx                             ; \GetPrivateProfileStringA
0043FD44 |.  8D8424 980200>    lea eax, [esp+298]
0043FD4B |.  8D8C24 A00300>    lea ecx, [esp+3A0]
0043FD52 |.  50                push eax                             ; /IniFileName
0043FD53 |.  68 00040000       push 400                             ; |BufSize = 400 (1024.)
0043FD58 |.  51                push ecx                             ; |ReturnBuffer
0043FD59 |.  68 C03A4900       push 00493AC0                        ; |Default = ""
0043FD5E |.  68 2CD44800       push 0048D42C                        ; |Key = "UserName"
0043FD63 |.  68 8CD14800       push 0048D18C                        ; |Section = "System"
0043FD68 |.  FFD3              call ebx                             ; \GetPrivateProfileStringA
..................
00440030 |> \8D8424 A00300>    lea eax, [esp+3A0]
00440037 |.  8D8C24 A40700>    lea ecx, [esp+7A4]
0044003E |.  50                push eax                             ; push the registration code onto the stack
0044003F |.  51                push ecx                             ; push the serial number onto the stack
00440040 |.  E8 BBE3FFFF       call 0043E400                        ; key call; if you don't step in, that's it
00440045 |.  83C4 08           add esp, 8
00440048 |.  A3 C03F4900       mov [493FC0], eax                    ; store the registration flag in memory
0044004D |.  85C0              test eax, eax                        ; ax=1 registered, ax=0 unregistered
0044004F     0F84 7B010000     je 004401D0                          ; not registered, leave
00440055 |.  80BC24 A50300>    cmp byte ptr [esp+3A5], 30
0044005D |.  0F85 6D010000     jnz 004401D0
From 00440040, step into call 0043E400.
Here I found that the registration code is actually 12 characters. Restart the program and enter the registration code 888888888888.
0043E400 /$  6A FF             push -1
0043E402 |.  64:A1 0000000>    mov eax, fs:[0]
0043E408 |.  68 8C9D4700       push 00479D8C
0043E40D |.  50                push eax
0043E40E |.  B8 88290000       mov eax, 2988
0043E413 |.  64:8925 00000>    mov fs:[0], esp
0043E41A |.  E8 01940100       call 00457820
0043E41F |.  A0 C03A4900       mov al, [493AC0]
0043E424 |.  53                push ebx
0043E425 |.  55                push ebp
0043E426 |.  56                push esi
0043E427 |.  57                push edi
0043E428 |.  884424 24         mov [esp+24], al
0043E42C |.  B9 41000000       mov ecx, 41
0043E431 |.  33C0              xor eax, eax
0043E433 |.  8D7C24 25         lea edi, [esp+25]
0043E437 |.  68 05010000       push 105                             ; /BufSize = 105 (261.)
0043E43C |.  F3:AB             rep stos dword ptr es:[edi]          ; |
0043E43E |.  8D4C24 28         lea ecx, [esp+28]                    ; |
0043E442 |.  33F6              xor esi, esi                         ; |
0043E444 |.  51                push ecx                             ; |PathBuffer
0043E445 |.  56                push esi                             ; |hModule => NULL
0043E446 |.  FF15 50C34700     call [<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
0043E44C |.  8D5424 24         lea edx, [esp+24]
0043E450 |.  6A 5C             push 5C
0043E452 |.  52                push edx
0043E453 |.  E8 689B0100       call 00457FC0
0043E458 |.  C600 00           mov byte ptr [eax], 0
0043E45B |.  A0 C03A4900       mov al, [493AC0]
0043E460 |.  888424 B40100>    mov [esp+1B4], al
0043E467 |.  B9 41000000       mov ecx, 41
0043E46C |.  33C0              xor eax, eax
0043E46E |.  8DBC24 B50100>    lea edi, [esp+1B5]
0043E475 |.  F3:AB             rep stos dword ptr es:[edi]
0043E477 |.  8D4C24 2C         lea ecx, [esp+2C]
0043E47B |.  8D9424 B40100>    lea edx, [esp+1B4]
0043E482 |.  51                push ecx
0043E483 |.  68 BC094900       push 004909BC                        ; ASCII "%s\CCProxy.ini"
0043E488 |.  52                push edx
0043E489 |.  E8 B5920100       call 00457743
0043E48E |.  8B9C24 C02900>    mov ebx, [esp+29C0]
0043E495 |.  83C9 FF           or ecx, FFFFFFFF
0043E498 |.  8BFB              mov edi, ebx                         ; put the registration code in destination register DI for comparison
0043E49A |.  33C0              xor eax, eax                         ; clear to 0
0043E49C |.  83C4 14           add esp, 14
0043E49F |.  F2:AE             repne scas byte ptr es:[edi]         ; scan the registration code
0043E4A1 |.  F7D1              not ecx
0043E4A3 |.  49                dec ecx                              ; cx = registration code length
0043E4A4     0F84 61040000     je 0043E90B                          ; jump if empty
0043E4AA |.  8BFB              mov edi, ebx                         ; put the registration code in destination register di
0043E4AC |.  83C9 FF           or ecx, FFFFFFFF
0043E4AF |.  F2:AE             repne scas byte ptr es:[edi]
0043E4B1 |.  F7D1              not ecx
0043E4B3 |.  49                dec ecx
0043E4B4 |.  83F9 0C           cmp ecx, 0C
0043E4B7     74 34             je short 0043E4ED                    ; jump if the registration code is 12 characters long
0043E4B9 |.  8D4424 10         lea eax, [esp+10]
0043E4BD |.  6A 7E             push 7E
0043E4BF |.  50                push eax
0043E4C0 |.  E8 0B41FCFF       call 004025D0
0043E4C5 |.  83C4 08           add esp, 8
0043E4C8 |.  8B00              mov eax, [eax]
0043E4CA |.  56                push esi                             ; /Arg3
0043E4CB |.  56                push esi                             ; |Arg2
0043E4CC |.  50                push eax                             ; |Arg1
0043E4CD |.  89B424 AC2900>    mov [esp+29AC], esi                  ; |
0043E4D4 |.  E8 FD380300       call 00471DD6                        ; \CCProxy.00471DD6
0043E4D9 |.  C78424 A02900>    mov dword ptr [esp+29A0], -1
0043E4E4 |.  8D4C24 10         lea ecx, [esp+10]
0043E4E8 |.  E9 19040000       jmp 0043E906
0043E4ED |>  8D4C24 18         lea ecx, [esp+18]
0043E4F1 |.  6A 04             push 4                               ; /BufSize = 4
0043E4F3 |.  51                push ecx                             ; |Buffer
0043E4F4 |.  6A 03             push 3                               ; |InfoType = 3
0043E4F6 |.  68 00080000       push 800                             ; |LocaleId = 800
0043E4FB |.  FF15 14C34700     call [<&KERNEL32.GetLocaleInfoA>]    ; \get information about the specified locale
0043E501 |.  8D5424 18         lea edx, [esp+18]                    ; got that it is a Chinese system, put it in dx
0043E505 |.  68 A0E44800       push 0048E4A0                        ; ASCII "CHS"
0043E50A |.  52                push edx
0043E50B |.  E8 80DF0100       call 0045C490                        ; probably compares whether it is a Chinese system
0043E510 |.  83C4 08           add esp, 8
0043E513 |.  85C0              test eax, eax
0043E515 |.  74 1E             je short 0043E535                    ; test whether ax is zero (jump for a Chinese system)
0043E517 |.  8B8424 A82900>    mov eax, [esp+29A8]
0043E51E |.  68 AC094900       push 004909AC                        ; ASCII "888888888888"
0043E523 |.  53                push ebx
0043E524 |.  50                push eax
0043E525 |.  E8 06040000       call 0043E930
0043E52A |.  83C4 0C           add esp, 0C
0043E52D |.  3BC6              cmp eax, esi
0043E52F |.  0F85 D8030000     jnz 0043E90D
0043E535 |>  8A15 C03A4900     mov dl, [493AC0]
0043E53B |.  B9 FF000000       mov ecx, 0FF
0043E540 |.  33C0              xor eax, eax
0043E542 |.  8DBC24 B50600>    lea edi, [esp+6B5]
0043E549 |.  889424 B40600>    mov [esp+6B4], dl
0043E550 |.  889424 B40A00>    mov [esp+AB4], dl
0043E557 |.  F3:AB             rep stos dword ptr es:[edi]
0043E559 |.  66:AB             stos word ptr es:[edi]
0043E55B |.  AA                stos byte ptr es:[edi]
0043E55C |.  B9 FF000000       mov ecx, 0FF
0043E561 |.  33C0              xor eax, eax
0043E563 |.  8DBC24 B50A00>    lea edi, [esp+AB5]
Having traced to this point, I found that the code that follows is unrelated to registration, and there is a lot of this further on.
Press F8 to skip down to the code below.
Here I found that there is also a serial number, even though only a single registration code is entered when registering. Later, while clicking around the registration dialog, I accidentally brought up the serial-number input box, heh; maybe the author did this deliberately.
The author also verifies the registration code online; if the jump there is not taken, the registration is invalid.
0043E681 |.  8B8424 C82900>   |mov eax, [esp+29C8]                  ; serial number
0043E688 |.  8D9424 D40600>   |lea edx, [esp+6D4]                   ; feature code
0043E68F |.  52               |push edx
0043E690 |.  53               |push ebx                             ; registration code
0043E691 |.  50               |push eax
0043E692 |.  E8 99020000      |call 0043E930                        ; core computation function
0043E697 |.  8A0D C03A4900    |mov cl, [493AC0]
0043E69D |.  8BE8             |mov ebp, eax
0043E69F |.  888C24 E00200>   |mov [esp+2E0], cl
0043E6A6 |.  B9 FF000000      |mov ecx, 0FF
0043E6AB |.  33C0             |xor eax, eax
0043E6AD |.  8DBC24 E10200>   |lea edi, [esp+2E1]
0043E6B4 |.  F3:AB            |rep stos dword ptr es:[edi]
0043E6B6 |.  66:AB            |stos word ptr es:[edi]
0043E6B8 |.  8D9424 E00600>   |lea edx, [esp+6E0]
0043E6BF |.  AA               |stos byte ptr es:[edi]
0043E6C0 |.  52               |push edx
0043E6C1 |.  8D8424 E40200>   |lea eax, [esp+2E4]
0043E6C8 |.  53               |push ebx                             ; registration code
0043E6C9 |.  50               |push eax                             ; feature code
0043E6CA |.  E8 61130000      |call 0043FA30                        ; Internet verification function
0043E6CF |.  83C4 38          |add esp, 38
0043E6D2 |.  85C0             |test eax, eax
0043E6D4     74 5F             je short 0043E735                    ; jump if the network connection fails
0043E6D6 |.  8A8424 B40200>   |mov al, [esp+2B4]                    ;
0043E6DD |.  85ED             |test ebp, ebp                        ;
0043E6DF     0F85 EC000000     jnz 0043E7D1                         ; key jump
0043E6E5 |.  3C 2D            |cmp al, 2D
0043E6E7     75 27             jnz short 0043E710                   ;
0043E6E9 |.  8D8C24 B50200>   |lea ecx, [esp+2B5]                   ; invalid serial number
0043E6F0 |.  68 00040000      |push 400
0043E6F5 |.  8D9424 B80A00>   |lea edx, [esp+AB8]
0043E6FC |.  51               |push ecx
0043E6FD |.  52               |push edx
0043E6FE |.  E8 FD9B0100      |call 00458300
0043E703 |.  83C4 0C          |add esp, 0C
0043E706 |.  C68424 B30E00>   |mov byte ptr [esp+EB3], 0
0043E70E |.  EB 2D            |jmp short 0043E73D
0043E710 |>  8D8424 B40600>   |lea eax, [esp+6B4]
0043E717 |.  8D8C24 B40200>   |lea ecx, [esp+2B4]                   ; invalid serial number
0043E71E |.  50               |push eax
0043E71F |.  53               |push ebx
0043E720 |.  51               |push ecx
0043E721 |.  E8 0A020000      |call 0043E930
0043E726 |.  8BF8             |mov edi, eax
0043E728 |.  83C4 0C          |add esp, 0C
0043E72B |.  85FF             |test edi, edi
0043E72D |.  0F85 CF000000    |jnz 0043E802
0043E733 |.  EB 08            |jmp short 0043E73D
0043E735 |>  85ED             |test ebp, ebp
0043E737 |.  0F85 EC000000    |jnz 0043E829
0043E73D |>  8B4424 10        |mov eax, [esp+10]
0043E741 |.  8B4C24 14        |mov ecx, [esp+14]
0043E745 |.  40               |inc eax
0043E746 |.  83C6 10          |add esi, 10
0043E749 |.  3BC1             |cmp eax, ecx
0043E74B |.  894424 10        |mov [esp+10], eax
0043E74F |.^ 0F8C CEFEFFFF    \jl 0043E623
0043E755 |>  8A8424 B40A00>    mov al, [esp+AB4]
0043E75C |.  8D4C24 18         lea ecx, [esp+18]
0043E760 |.  84C0              test al, al
0043E762 |.  68 A0E44800       push 0048E4A0                        ; ASCII "CHS"
0043E767 |.  51                push ecx
0043E768 |.  0F84 ED000000     je 0043E85B
0043E76E |.  E8 1DDD0100       call 0045C490
0043E773 |.  83C4 08           add esp, 8
0043E776 |.  85C0              test eax, eax
0043E778 |.  6A 7E             push 7E
0043E77A |.  0F84 B0000000     je 0043E830
0043E780 |.  8D5424 18         lea edx, [esp+18]
0043E784 |.  52                push edx
0043E785 |.  E8 463EFCFF       call 004025D0
0043E78A |.  8B30              mov esi, [eax]
0043E78C |.  8D4424 18         lea eax, [esp+18]
0043E790 |.  6A 7E             push 7E
0043E792 |.  50                push eax
0043E793 |.  C78424 B02900>    mov dword ptr [esp+29B0], 1
0043E79E |.  E8 2D3EFCFF       call 004025D0
0043E7A3 |.  8B00              mov eax, [eax]
0043E7A5 |.  83C4 10           add esp, 10
0043E7A8 |.  6A 10             push 10                              ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E7AA |.  56                push esi                             ; |Title
0043E7AB |.  50                push eax                             ; |Text
0043E7AC |.  6A 00             push 0                               ; |hOwner = NULL
0043E7AE |.  FF15 00C54700     call [<&USER32.MessageBoxA>]         ; \MessageBoxA
0043E7B4 |.  8D4C24 10         lea ecx, [esp+10]
0043E7B8 |.  E8 95F40200       call 0046DC52
0043E7BD |.  C78424 A02900>    mov dword ptr [esp+29A0], -1
0043E7C8 |.  8D4C24 14         lea ecx, [esp+14]
0043E7CC |.  E9 35010000       jmp 0043E906
0043E7D1 |>  3C 2D             cmp al, 2D
0043E7D3     75 54             jnz short 0043E829                   ; if not taken, the serial number is invalid
0043E7D5 |.  8D5424 10         lea edx, [esp+10]
0043E7D9 |.  6A 7E             push 7E
0043E7DB |.  52                push edx
0043E7DC |.  E8 EF3DFCFF       call 004025D0
0043E7E1 |.  8B00              mov eax, [eax]
0043E7E3 |.  83C4 08           add esp, 8
0043E7E6 |.  8D8C24 B50200>    lea ecx, [esp+2B5]
0043E7ED |.  6A 10             push 10                              ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E7EF |.  50                push eax                             ; |Title
0043E7F0 |.  51                push ecx                             ; |Text
0043E7F1 |.  6A 00             push 0                               ; |hOwner = NULL
0043E7F3 |.  FF15 00C54700     call [<&USER32.MessageBoxA>]         ; \MessageBoxA
0043E7F9 |.  8D4C24 10         lea ecx, [esp+10]
0043E7FD |.  E9 04010000       jmp 0043E906
0043E802 |>  8D9424 AC0100>    lea edx, [esp+1AC]
0043E809 |.  8D8424 B40200>    lea eax, [esp+2B4]
0043E810 |.  52                push edx                             ; /FileName
0043E811 |.  50                push eax                             ; |String
0043E812 |.  68 28E54800       push 0048E528                        ; |Key = "RegCode"
0043E817 |.  68 8CD14800       push 0048D18C                        ; |Section = "System"
0043E81C |.  FF15 4CC34700     call [<&KERNEL32.WritePrivateProfileStringA>] ; \WritePrivateProfileStringA
0043E822 |.  8BC7              mov eax, edi
0043E824 |.  E9 E4000000       jmp 0043E90D
0043E829 |>  8BC5              mov eax, ebp
0043E82B |.  E9 DD000000       jmp 0043E90D
0043E830 |>  8D4C24 14         lea ecx, [esp+14]
0043E834 |.  51                push ecx
0043E835 |.  E8 963DFCFF       call 004025D0
0043E83A |.  8B10              mov edx, [eax]
0043E83C |.  83C4 08           add esp, 8
0043E83F |.  8D8424 B40A00>    lea eax, [esp+AB4]
0043E846 |.  6A 10             push 10                              ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E848 |.  52                push edx                             ; |Title
0043E849 |.  50                push eax                             ; |Text
0043E84A |.  6A 00             push 0                               ; |hOwner = NULL
0043E84C |.  FF15 00C54700     call [<&USER32.MessageBoxA>]         ; \MessageBoxA
0043E852 |.  8D4C24 10         lea ecx, [esp+10]
0043E856 |.  E9 AB000000       jmp 0043E906
0043E85B |>  E8 30DC0100       call 0045C490
0043E860 |.  83C4 08           add esp, 8
0043E863 |.  85C0              test eax, eax
0043E865 |.  6A 7E             push 7E
0043E867     75 51             jnz short 0043E8BA                   ;
0043E869 |.  8D5424 18         lea edx, [esp+18]
0043E86D |.  52                push edx
0043E86E |.  E8 5D3DFCFF       call 004025D0
0043E873 |.  8B30              mov esi, [eax]
0043E875 |.  8D4424 18         lea eax, [esp+18]
0043E879 |.  68 18094900       push 00490918
0043E87E |.  50                push eax
0043E87F |.  C78424 B02900>    mov dword ptr [esp+29B0], 2
0043E88A |.  E8 C197FCFF       call 00408050
0043E88F |.  8B00              mov eax, [eax]
0043E891 |.  83C4 10           add esp, 10
0043E894 |.  6A 10             push 10                              ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E896 |.  56                push esi                             ; |Title
0043E897 |.  50                push eax                             ; |Text
0043E898 |.  6A 00             push 0                               ; |hOwner = NULL
0043E89A |.  FF15 00C54700     call [<&USER32.MessageBoxA>]         ; \MessageBoxA
0043E8A0 |.  8D4C24 10         lea ecx, [esp+10]
0043E8A4 |.  E8 A9F30200       call 0046DC52
0043E8A9 |.  C78424 A02900>    mov dword ptr [esp+29A0], -1
0043E8B4 |.  8D4C24 14         lea ecx, [esp+14]
0043E8B8 |.  EB 4C             jmp short 0043E906
0043E8BA |>  8D4C24 24         lea ecx, [esp+24]
0043E8BE |.  51                push ecx
0043E8BF |.  E8 0C3DFCFF       call 004025D0
0043E8C4 |.  8B30              mov esi, [eax]
0043E8C6 |.  8D5424 24         lea edx, [esp+24]
0043E8CA |.  6A 7E             push 7E
0043E8CC |.  52                push edx
0043E8CD |.  C78424 B02900>    mov dword ptr [esp+29B0], 3
0043E8D8 |.  E8 F33CFCFF       call 004025D0
0043E8DD |.  8B00              mov eax, [eax]
0043E8DF |.  83C4 10           add esp, 10
0043E8E2 |.  6A 10             push 10                              ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043E8E4 |.  56                push esi                             ; |Title
0043E8E5 |.  50                push eax                             ; |Text
0043E8E6 |.  6A 00             push 0                               ; |hOwner = NULL
0043E8E8 |.  FF15 00C54700     call [<&USER32.MessageBoxA>]         ; \MessageBoxA
0043E8EE |.  8D4C24 1C         lea ecx, [esp+1C]
0043E8F2 |.  E8 5BF30200       call 0046DC52
0043E8F7 |.  C78424 A02900>    mov dword ptr [esp+29A0], -1
0043E902 |.  8D4C24 20         lea ecx, [esp+20]
0043E906 |>  E8 47F30200       call 0046DC52
0043E90B |>  33C0              xor eax, eax
0043E90D |>  8B8C24 982900>    mov ecx, [esp+2998]
0043E914 |.  5F                pop edi
0043E915 |.  5E                pop esi
0043E916 |.  5D                pop ebp
0043E917 |.  5B                pop ebx
0043E918 |.  64:890D 00000>    mov fs:[0], ecx
0043E91F |.  81C4 94290000     add esp, 2994
0043E925     C3                retn
From 0043E692, step into call 0043E930, the core algorithm.
I can't analyze the algorithm itself. It should be the same as in earlier versions: the registration code is put through two rounds of computation and the real registration code comes out.
For now I just want to find out whether there is a plaintext comparison of the registration code in memory.
0043E930 /$  B8 E4140000       mov eax, 14E4
0043E935 |.  E8 E68E0100       call 00457820
0043E93A |.  53                push ebx
0043E93B |.  8B9C24 F01400>    mov ebx, [esp+14F0]
0043E942 |.  55                push ebp
0043E943 |.  56                push esi
0043E944 |.  57                push edi
0043E945 |.  8BFB              mov edi, ebx                         ; send the registration code to the destination register
0043E947 |.  83C9 FF           or ecx, FFFFFFFF
0043E94A |.  33C0              xor eax, eax
0043E94C |.  F2:AE             repne scas byte ptr es:[edi]
0043E94E |.  F7D1              not ecx
0043E950 |.  49                dec ecx                              ; compute the registration code length
0043E951 |.  C74424 2C 012>    mov dword ptr [esp+2C], 67452301     ; initialize the MD5 algorithm
0043E959 |.  8BE9              mov ebp, ecx                         ; put the registration code length in bp
0043E95B |.  C74424 30 89A>    mov dword ptr [esp+30], EFCDAB89
0043E963 |.  C1E9 1D           shr ecx, 1D
0043E966 |.  8D04ED 000000>    lea eax, [ebp*8]
0043E96D |.  83FD 40           cmp ebp, 40                          ; compare the registration code length?
0043E970 |.  C74424 34 FED>    mov dword ptr [esp+34], 98BADCFE
0043E978 |.  C74424 38 765>    mov dword ptr [esp+38], 10325476
0043E980 |.  894424 3C         mov [esp+3C], eax                    ;
0043E984 |.  894C24 40         mov [esp+40], ecx                    ;
0043E988 |.  72 39             jb short 0043E9C3                    ; jump if less than 40
This is the algorithm. Here it also seems to differ from the original version, which split some of the algorithm's functions apart;
this version doesn't, everything is in one function.
.................................................
0043ECB4 |.  8B8C24 930000>    mov ecx, [esp+93]
0043ECBB |.  81E1 FF000000     and ecx, 0FF
0043ECC1 |.  51                push ecx
0043ECC2 |.  68 14D54800       push 0048D514                        ; ASCII "%02x"
0043ECC7 |.  68 B0215300       push 005321B0                        ; ASCII "77"
0043ECCC |.  E8 728A0100       call 00457743
0043ECD1 |.  8A15 C03A4900     mov dl, [493AC0]
0043ECD7 |.  B9 00040000       mov ecx, 400
0043ECDC |.  33C0              xor eax, eax
0043ECDE |.  8DBC24 FD0400>    lea edi, [esp+4FD]
0043ECE5 |.  889424 FC0400>    mov [esp+4FC], dl
0043ECEC |.  83C4 0C           add esp, 0C
0043ECEF |.  F3:AB             rep stos dword ptr es:[edi]
0043ECF1 |.  BF 90215300       mov edi, 00532190                    ; ASCII "b96deb5effe36fdd64efffffd3ffdefb77"
0043ECF6 |.  83C9 FF           or ecx, FFFFFFFF
0043ECF9 |.  F2:AE             repne scas byte ptr es:[edi]
0043ECFB |.  F7D1              not ecx
0043ECFD |.  2BF9              sub edi, ecx
0043ECFF |.  8D9424 F00400>    lea edx, [esp+4F0]
0043ED06 |.  8BC1              mov eax, ecx
0043ED08 |.  8BF7              mov esi, edi                         ; ESI points to the registration code
0043ED0A |.  8BFA              mov edi, edx
0043ED0C |.  8BAC24 F81400>    mov ebp, [esp+14F8]
0043ED13 |.  C1E9 02           shr ecx, 2
0043ED16 |.  F3:A5             rep movs dword ptr es:[edi], dword ptr [esi] ; copy the registration code into EDI
0043ED18 |.  8BC8              mov ecx, eax
0043ED1A |.  8D8424 F00400>    lea eax, [esp+4F0]
0043ED21 |.  83E1 03           and ecx, 3
0043ED24 |.  F3:A4             rep movs byte ptr es:[edi], byte ptr [esi] ; after this point it is the real registration code
0043ED26 |.  8BF5              mov esi, ebp                         ; fake registration code
0043ED28 |>  8A10             /mov dl, [eax]                        ; compare one by one
0043ED2A |.  8A1E             |mov bl, [esi]
0043ED2C |.  8ACA             |mov cl, dl
0043ED2E |.  3AD3             |cmp dl, bl
0043ED30     75 1E             jnz short 0043ED50                   ; wrong, and it's over
0043ED32 |.  84C9             |test cl, cl
0043ED34     74 16             je short 0043ED4C                    ; is the comparison finished
0043ED36 |.  8A50 01          |mov dl, [eax+1]
0043ED39 |.  8A5E 01          |mov bl, [esi+1]
0043ED3C |.  8ACA             |mov cl, dl
0043ED3E |.  3AD3             |cmp dl, bl
0043ED40     75 0E             jnz short 0043ED50                   ; wrong, and it's over
0043ED42 |.  83C0 02          |add eax, 2
0043ED45 |.  83C6 02          |add esi, 2
0043ED48 |.  84C9             |test cl, cl
0043ED4A |.^ 75 DC            \jnz short 0043ED28
0043ED4C |>  33C0              xor eax, eax
0043ED4E |.  EB 05             jmp short 0043ED55
0043ED50 |>  1BC0              sbb eax, eax
0043ED52 |.  83D8 FF           sbb eax, -1
0043ED55 |>  85C0              test eax, eax
0043ED57 |.  0F85 95020000     jnz 0043EFF2                         ; non-zero means wrong, and it's over
0043ED5D |.  8B9C24 FC1400>    mov ebx, [esp+14FC]
0043ED64 |.  83C9 FF           or ecx, FFFFFFFF
0043ED67 |.  8BFB              mov edi, ebx
0043ED69 |.  F2:AE             repne scas byte ptr es:[edi]
0043ED6B |.  F7D1              not ecx
0043ED6D |.  49                dec ecx
0043ED6E |.  83F9 0C           cmp ecx, 0C                          ; is the serial number length 12
0043ED71 |.  74 10             je short 0043ED83                    ; if not, dead end
0043ED73 |.  5F                pop edi
0043ED74 |.  5E                pop esi
0043ED75 |.  5D                pop ebp
0043ED76 |.  B8 03000000       mov eax, 3
0043ED7B |.  5B                pop ebx
0043ED7C |.  81C4 E4140000     add esp, 14E4
0043ED82 |.  C3                retn
Finally found the correct registration code. But further on the software also verifies online, and there are some verification algorithms in there; interested readers can keep tracing.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. Please credit the author and keep the article intact when reposting. Thank you!
Please send hmilywen a private message on the Pediy forum to confirm that the application is yours.
Friend added~~~ ID: atomy
E-mail: atomy@foxmail.com
Application approved. Welcome to the 52pojie (吾爱破解) forum; we look forward to you making it even better. Change the password for your ID yourself through the e-mail password-recovery function; please log in promptly and change your password!
After logging in, please report back in this thread within one week, otherwise the ID will be deleted.
Hey, thanks for passing verification~~~ Congratulations, congratulations.
Congratulations, Happy New Year, congrats!