Registry Finder去除30天试用限制爆破分析
本帖最后由 东海浪子 于 2016-5-20 22:36 编辑
【破文标题】Registry Finder去除30天试用限制爆破分析
【破文作者】东海浪子
【作者邮箱】
【作者主页】
【破解工具】OD
【破解平台】虚拟机WINXP SP3
【软件名称】Acelogix Software 注册表搜索器
【软件大小】
【原版下载】 http://www.acelogix.com/regfinder.html
【软件说明】Registry Finder是一款方便实用的注册表搜索工具,功能强大,可以在注册表中快速查找指定内容,搜索位置包括整个注册表,也可以是指定键值。
【阅读对象】爱好破解的初学者。有错误不足之处恳请大牛大神们多多指正
【破解声明】本文仅做研究所用,供破解技术爱好者学习研究讨论。如喜欢该软件,建议购买正版。
------------------------------------------------------------------------
【破解过程】
1、安装好Acelogix Software,用PEiD查了一下:Unknown, VC8 -> Microsoft Corporation *。不知有没有壳,就用OD载入,直接调试。
2、OD载入运行后,试注册,有错误弹窗“Invalid Key!\nPlease try again. Contact Acelogix Software Support if needed.”,可以通过字符串搜索或F12暂停堆栈法,很容易找到注册段代码。来到这里:
00451690/$81EC 78060000 sub esp,0x678 ;注册入口
00451696|.A1 B8734600 mov eax,dword ptr ds:
0045169B|.33C4 xor eax,esp
0045169D|.898424 740600>mov dword ptr ss:,eax
004516A4|.53 push ebx
004516A5|.55 push ebp
004516A6|.56 push esi
004516A7|.8B35 88A54500 mov esi,dword ptr ds:[<&USER32.GetDlgIte>;user32.GetDlgItemTextA
004516AD|.57 push edi
004516AE|.68 04010000 push 0x104 ; /Count = 104 (260.)
004516B3|.8D8424 7C0300>lea eax,dword ptr ss: ; |
004516BA|.8BF9 mov edi,ecx ; |
004516BC|.8B4F 04 mov ecx,dword ptr ds: ; |
004516BF|.50 push eax ; |Buffer = NULL
004516C0|.68 03040000 push 0x403 ; |ControlID = 403 (1027.)
004516C5|.51 push ecx ; |hWnd = 0012FFB0
004516C6|.897C24 20 mov dword ptr ss:,edi ; |
004516CA|.FFD6 call esi ; \GetDlgItemTextA
004516CC|.85C0 test eax,eax
004516CE|.0F84 F1010000 je regfind.004518C5
004516D4|.8B47 04 mov eax,dword ptr ds:
004516D7|.68 04010000 push 0x104 ; /Count = 104 (260.)
004516DC|.8D5424 70 lea edx,dword ptr ss: ; |
004516E0|.52 push edx ; |Buffer = ntdll.KiFastSystemCallRet
004516E1|.68 12040000 push 0x412 ; |ControlID = 412 (1042.)
004516E6|.50 push eax ; |hWnd = NULL
004516E7|.FFD6 call esi ; \GetDlgItemTextA
004516E9|.85C0 test eax,eax
004516EB|.0F84 D4010000 je regfind.004518C5
004516F1|.8D4C24 14 lea ecx,dword ptr ss:
004516F5|.8D47 20 lea eax,dword ptr ds:
004516F8|.51 push ecx
004516F9|.50 push eax
004516FA|.C700 00000000 mov dword ptr ds:,0x0
00451700|.E8 8BFEFFFF call regfind.00451590 ;关键call
00451705|.8BE8 mov ebp,eax
00451707|.83C4 08 add esp,0x8
0045170A|.85ED test ebp,ebp
0045170C|.0F84 65010000 je regfind.00451877 ;跳向常量地址ds:验证的地方
00451712|.8D45 08 lea eax, ;注册名入eax
00451715|.8D9424 780300>lea edx,dword ptr ss: ;注册名入edx
0045171C|.C785 20030000>mov dword ptr ss:,0x1
00451726|.BE 04010000 mov esi,0x104
0045172B|.2BD0 sub edx,eax
0045172D|.8D49 00 lea ecx,dword ptr ds:
00451730|>8D8E FAFEFF7F /lea ecx,dword ptr ds: ;esi+7ffffefa入ecx
00451736|.85C9 |test ecx,ecx
00451738|.74 11 |je short regfind.0045174B
0045173A|.8A0C02 |mov cl,byte ptr ds: ;取注册名每个字母的ASCII码
0045173D|.84C9 |test cl,cl
0045173F|.74 0A |je short regfind.0045174B ;循环取完ascii码后跳走
00451741|.8808 |mov byte ptr ds:,cl ;把ascii码放入eax地址
00451743|.40 |inc eax ;eax累加
00451744|.83EE 01 |sub esi,0x1 ;esi-1
00451747|.^ 75 E7 \jnz short regfind.00451730 ;向上循环
00451749|.EB 04 jmp short regfind.0045174F
0045174B|>85F6 test esi,esi
0045174D|.75 01 jnz short regfind.00451750
0045174F|>48 dec eax
00451750|>C600 00 mov byte ptr ds:,0x0
00451753|.8D85 1C020000 lea eax,dword ptr ss: ;注册码入eax
00451759|.8D5424 6C lea edx,dword ptr ss: ;注册码入edx
0045175D|.BE 04010000 mov esi,0x104
00451762|.2BD0 sub edx,eax
00451764|>8D8E FAFEFF7F /lea ecx,dword ptr ds: ;esi+7ffffefa入ecx
0045176A|.85C9 |test ecx,ecx
0045176C|.74 11 |je short regfind.0045177F
0045176E|.8A0C02 |mov cl,byte ptr ds: ;取注册码的ascii码入cl
00451771|.84C9 |test cl,cl
00451773|.74 0A |je short regfind.0045177F ;循环取完ascii码后跳走
00451775|.8808 |mov byte ptr ds:,cl
00451777|.40 |inc eax ;eax累加
00451778|.83EE 01 |sub esi,0x1 ;esi-1
0045177B|.^ 75 E7 \jnz short regfind.00451764 ;向上循环
0045177D|.EB 04 jmp short regfind.00451783
0045177F|>85F6 test esi,esi
00451781|.75 01 jnz short regfind.00451784
00451783|>48 dec eax
00451784|>C600 00 mov byte ptr ds:,0x0
00451787|.8B4424 14 mov eax,dword ptr ss:
0045178B|.99 cdq
0045178C|.52 push edx ;ntdll.KiFastSystemCallRet
0045178D|.50 push eax
0045178E|.68 D4CC4500 push regfind.0045CCD4 ;%I64d
。。。。。。。不搞算法。。。。。。省略一部分代码。。。。。。。。。。。。。。。
00451854|.8BF5 mov esi,ebp
00451856|.83C7 20 add edi,0x20
00451859|.50 push eax
0045185A|.F3:A5 rep movs dword ptr es:,dword ptr ds>
0045185C|.FFD3 call ebx
0045185E|.8B4C24 1C mov ecx,dword ptr ss:
00451862|.51 push ecx
00451863|.FFD3 call ebx
00451865|>8B7C24 10 mov edi,dword ptr ss:
00451869|>55 push ebp ; /BaseAddress = 0012FFF0
0045186A|.FF15 D4A24500 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
00451870|.8B5424 14 mov edx,dword ptr ss:
00451874|.52 push edx ;ntdll.KiFastSystemCallRet
00451875|.FFD3 call ebx
00451877 837F 20 00 cmp dword ptr ds:,0x0 ;常量地址ds:和0比较
0045187B 74 2E je short regfind.004518AB ;相等,跳走就失败
0045187D|.6A 40 push 0x40
0045187F|.51 push ecx
00451880|.8BC4 mov eax,esp
00451882|.C700 14CC4500 mov dword ptr ds:,regfind.0045CC14;Registry Finder
00451888|.51 push ecx
00451889|.8BC4 mov eax,esp
0045188B|.C700 00CD4500 mov dword ptr ds:,regfind.0045CD00;Thank You. Key successfully installed.\n\nPlease restart the program注册成功
00451891|.8B47 04 mov eax,dword ptr ds:
00451894|.50 push eax
00451895|.E8 460CFBFF call regfind.004024E0
0045189A|.8B4F 04 mov ecx,dword ptr ds:
0045189D|.83C4 10 add esp,0x10
004518A0|.6A 01 push 0x1 ; /Result = 0x1
004518A2|.51 push ecx ; |hWnd = 0012FFB0
004518A3|.FF15 90A54500 call dword ptr ds:[<&USER32.EndDialog>]; \EndDialog
004518A9|.EB 3A jmp short regfind.004518E5
004518AB|>6A 10 push 0x10
004518AD|.51 push ecx
004518AE|.8BC4 mov eax,esp
004518B0|.C700 14CC4500 mov dword ptr ds:,regfind.0045CC14;Registry Finder
004518B6|.51 push ecx
004518B7|.8BC4 mov eax,esp
004518B9|.C700 88CD4500 mov dword ptr ds:,regfind.0045CD88;Invalid Key!\nPlease try again. Contact Acelogix Software Support if needed.注册失败
004518BF|.8B57 04 mov edx,dword ptr ds:
004518C2|.52 push edx ;ntdll.KiFastSystemCallRet
004518C3|.EB 18 jmp short regfind.004518DD
004518C5|>6A 40 push 0x40
004518C7|.51 push ecx
004518C8|.8BC4 mov eax,esp
我们从注册成功的字符串往上逆反,从 0045187B /74 2E je short regfind.004518AB 向上,跟着箭头可以找到关键call
00451700|.E8 8BFEFFFF call regfind.00451590 。
我们进call
00451590/$83EC 0C sub esp,0xC
00451593|.53 push ebx
00451594|.56 push esi
00451595|.33F6 xor esi,esi
00451597|.56 push esi ; /MapName = 0012B880 ???
00451598|.68 24030000 push 0x324 ; |MaximumSizeLow = 0x324
0045159D|.56 push esi ; |MaximumSizeHigh = 0x12B880
0045159E|.6A 04 push 0x4 ; |Protection = PAGE_READWRITE
004515A0|.8D4424 18 lea eax,dword ptr ss: ; |
004515A4|.50 push eax ; |pSecurity = NULL
004515A5|.6A FF push -0x1 ; |hFile = FFFFFFFF
004515A7|.C74424 20 0C0>mov dword ptr ss:,0xC ; |
004515AF|.897424 24 mov dword ptr ss:,esi ; |
004515B3|.C74424 28 010>mov dword ptr ss:,0x1 ; |
004515BB|.FF15 F0A24500 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
004515C1|.8BD8 mov ebx,eax
004515C3 3BDE cmp ebx,esi
004515C5 74 47 je short regfind.0045160E
004515C7|.55 push ebp
004515C8|.56 push esi ; /MapSize = 12B880 (1226880.)
004515C9|.56 push esi ; |OffsetLow = 0x12B880
004515CA|.56 push esi ; |OffsetHigh = 0x12B880
004515CB|.6A 02 push 0x2 ; |AccessMode = FILE_MAP_WRITE
004515CD|.53 push ebx ; |hMapObject = 7FFDC000
004515CE|.FF15 E8A24500 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
004515D4|.8BE8 mov ebp,eax
004515D6|.3BEE cmp ebp,esi
004515D8 75 18 jnz short regfind.004515F2
004515DA|.53 push ebx ; /hObject = 7FFDC000
004515DB|.FF15 E4A24500 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
004515E1|.8B4C24 20 mov ecx,dword ptr ss: ;kernel32.7C839AC0
004515E5|.33C0 xor eax,eax
004515E7|.8901 mov dword ptr ds:,eax
004515E9|.8BC5 mov eax,ebp
004515EB|.5D pop ebp ;kernel32.7C817067
004515EC|.5E pop esi ;kernel32.7C817067
004515ED|.5B pop ebx ;kernel32.7C817067
004515EE|.83C4 0C add esp,0xC
004515F1|.C3 retn
004515F2|>8B7424 1C mov esi,dword ptr ss:
004515F6|.8B5424 20 mov edx,dword ptr ss: ;kernel32.7C839AC0
004515FA|.57 push edi
004515FB|.8BFD mov edi,ebp
004515FD|.B9 C9000000 mov ecx,0xC9
00451602|.F3:A5 rep movs dword ptr es:,dword ptr ds>
00451604|.5F pop edi ;kernel32.7C817067
00451605|.5D pop ebp ;kernel32.7C817067
00451606|.5E pop esi ;kernel32.7C817067
00451607|.891A mov dword ptr ds:,ebx
00451609|.5B pop ebx ;kernel32.7C817067
0045160A|.83C4 0C add esp,0xC
0045160D|.C3 retn
0045160E|>8B4424 1C mov eax,dword ptr ss:
00451612|.8918 mov dword ptr ds:,ebx
00451614 8BC6 mov eax,esi
00451616|.5E pop esi ;kernel32.7C817067
00451617|.5B pop ebx ;kernel32.7C817067
00451618|.83C4 0C add esp,0xC
0045161B\.C3 retn
0045161C CC int3
0045161D CC int3
0045161E CC int3
0045161F CC int3
esp=0012FFC4
本地调用来自 00403477, 00451700
这个软件是注册成功后重启验证的,那我们估计这个call的调用,一处是来自刚才的00451700注册call,那么另一处00403477是软件启动时验证的call。我们转到00403477,在段首00403440下断,重启软件,在这里暂停。
00403440/$55 push ebp
00403441|.8BEC mov ebp,esp
00403443|.83E4 F8 and esp,-0x8
00403446|.81EC 84040000 sub esp,0x484
0040344C|.A1 B8734600 mov eax,dword ptr ds:
00403451|.33C4 xor eax,esp
00403453|.898424 800400>mov dword ptr ss:,eax
0040345A|.8B45 08 mov eax, ;regfind.<ModuleEntryPoint>
0040345D|.53 push ebx
0040345E|.56 push esi
0040345F|.57 push edi
00403460|.8D4C24 0C lea ecx,dword ptr ss:
00403464|.894424 14 mov dword ptr ss:,eax
00403468|.83C0 14 add eax,0x14
0040346B|.51 push ecx
0040346C|.33FF xor edi,edi
0040346E|.50 push eax
0040346F|.897C24 18 mov dword ptr ss:,edi
00403473|.894424 24 mov dword ptr ss:,eax
00403477|.E8 14E10400 call regfind.00451590 关键call
0040347C|.8BF0 mov esi,eax
0040347E|.8B4424 14 mov eax,dword ptr ss:
00403482|.99 cdq
00403483|.52 push edx ;ntdll.KiFastSystemCallRet
00403484|.50 push eax
00403485|.68 D4CC4500 push regfind.0045CCD4 ;%I64d
0040348A|.B9 04010000 mov ecx,0x104
0040348F|.8D9C24 940200>lea ebx,dword ptr ss:
00403496|.897424 2C mov dword ptr ss:,esi
0040349A|.C786 18020000>mov dword ptr ds:,0x1
004034A4|.89BE 20030000 mov dword ptr ds:,edi
004034AA|.E8 A1EFFFFF call regfind.00402450
004034AF|.8B1D E4A24500 mov ebx,dword ptr ds:[<&KERNEL32.CloseHa>;kernel32.CloseHandle
004034B5|.83C4 14 add esp,0x14
004034B8|.85C0 test eax,eax
004034BA 0F8C BF000000 jl regfind.0040357F
004034C0|.A1 34A84600 mov eax,dword ptr ds:
004034C5|.68 04010000 push 0x104 ; /BufSize = 104 (260.)
004034CA|.8D5424 7C lea edx,dword ptr ss: ; |
004034CE|.52 push edx ; |PathBuffer = ntdll.KiFastSystemCallRet
004034CF|.50 push eax ; |hModule = NULL
004034D0|.FF15 E0A24500 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameW
004034D6|.8D4C24 78 lea ecx,dword ptr ss:
004034DA|.E8 11B20400 call regfind.0044E6F0
004034DF|.85C0 test eax,eax
004034E1 0F84 98000000 je regfind.0040357F
004034E7|.8D4C24 78 lea ecx,dword ptr ss:
004034EB|.6A 5C push 0x5C
004034ED|.51 push ecx
004034EE|.E8 BBC00200 call regfind.0042F5AE
004034F3|.83C4 08 add esp,0x8
004034F6|.33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
004034F8|.68 E0CC4500 push regfind.0045CCE0 ;\rf_hlpr.exe
我们看到00403477关键call,下方的跳转jl regfind.0040357F,运行到这里,箭头是灰色,我们就把jl改成jmp。为什么?因为我们是未注册的,破解当然要取相反的操作。再运行,出现弹窗提示"Unable to find components",我们再查找字符串,来到这里。
0044F5C0/$55 push ebp
0044F5C1|.8BEC mov ebp,esp
0044F5C3|.83E4 F8 and esp,-0x8
0044F5C6|.83EC 3C sub esp,0x3C
0044F5C9|.53 push ebx
0044F5CA|.56 push esi
0044F5CB|.8B75 08 mov esi, ;regfind.<ModuleEntryPoint>
0044F5CE|.33DB xor ebx,ebx
0044F5D0|.57 push edi
0044F5D1|.395D 0C cmp ,ebx
0044F5D4 75 35 jnz short regfind.0044F60B
0044F5D6 6A 40 push 0x40
0044F5D8 51 push ecx
0044F5D9 8BC4 mov eax,esp
0044F5DB|.8918 mov dword ptr ds:,ebx
0044F5DD|.51 push ecx
0044F5DE|.8BC4 mov eax,esp
0044F5E0|.C700 0CD44500 mov dword ptr ds:,regfind.0045D40C;Unable to find components
0044F5E6|.8B46 04 mov eax,dword ptr ds:
0044F5E9|.50 push eax
0044F5EA|.E8 F12EFBFF call regfind.004024E0
0044F5EF|.8B4E 04 mov ecx,dword ptr ds:
0044F5F2|.83C4 10 add esp,0x10
0044F5F5|.53 push ebx ; /lParam = 0x7FFDC000
0044F5F6|.53 push ebx ; |wParam = 0x7FFDC000
0044F5F7|.6A 10 push 0x10 ; |Message = WM_CLOSE
0044F5F9|.51 push ecx ; |hWnd = 0x12FFB0
0044F5FA|.FF15 50A54500 call dword ptr ds:[<&USER32.PostMessageW>; \PostMessageW
0044F600|.33C0 xor eax,eax
0044F602|.5F pop edi ;kernel32.7C817067
0044F603|.5E pop esi ;kernel32.7C817067
0044F604|.5B pop ebx ;kernel32.7C817067
0044F605|.8BE5 mov esp,ebp
0044F607|.5D pop ebp ;kernel32.7C817067
0044F608|.C2 0800 retn 0x8
0044F60B|>399E 9C000000 cmp dword ptr ds:,ebx
0044F611|.75 35 jnz short regfind.0044F648
0044F613|.6A 40 push 0x40
0044F615|.51 push ecx
0044F616|.8BC4 mov eax,esp
0044F618|.8918 mov dword ptr ds:,ebx
0044F61A|.51 push ecx
0044F61B|.8BC4 mov eax,esp
0044F61D|.C700 0CD44500 mov dword ptr ds:,regfind.0045D40C;Unable to find components
0044F623|.8B56 04 mov edx,dword ptr ds:
0044F626|.52 push edx ;ntdll.KiFastSystemCallRet
0044F627|.E8 B42EFBFF call regfind.004024E0
0044F62C|.8B46 04 mov eax,dword ptr ds:
0044F62F|.83C4 10 add esp,0x10
0044F632|.53 push ebx ; /lParam = 0x7FFDC000
0044F633|.53 push ebx ; |wParam = 0x7FFDC000
0044F634|.6A 10 push 0x10 ; |Message = WM_CLOSE
0044F636|.50 push eax ; |hWnd = NULL
0044F637|.FF15 50A54500 call dword ptr ds:[<&USER32.PostMessageW>; \PostMessageW
0044F63D|.33C0 xor eax,eax
0044F63F|.5F pop edi ;kernel32.7C817067
0044F640|.5E pop esi ;kernel32.7C817067
0044F641|.5B pop ebx ;kernel32.7C817067
0044F642|.8BE5 mov esp,ebp
0044F644|.5D pop ebp ;kernel32.7C817067
0044F645|.C2 0800 retn 0x8
0044F648|>8B8E AC010000 mov ecx,dword ptr ds:
0044F64E|.3BCB cmp ecx,ebx
0044F650|.7F 0C jg short regfind.0044F65E
0044F652|.399E B4020000 cmp dword ptr ds:,ebx
0044F658 0F84 0A020000 je regfind.0044F868 相等,跳过下面30天限制的验证
0044F65E|>895C24 1C mov dword ptr ss:,ebx
。。。。。。。。。。。。。。。省略部分代码。。。。。。。。。。。。。。。。。。。
0044F6F5|.2BC8 sub ecx,eax
0044F6F7|.51 push ecx
0044F6F8|.68 40D44500 push regfind.0045D440 ; (Evaluation: Day %d of 30)
0044F6FD|.8D4C24 18 lea ecx,dword ptr ss:
0044F701|.E8 8A33FBFF call regfind.00402A90
0044F706|.83C4 08 add esp,0x8
0044F709|.EB 32 jmp short regfind.0044F73D
0044F70B|>8B4424 44 mov eax,dword ptr ss:
0044F70F|.83F8 1E cmp eax,0x1E ;eax和1E(30)比较
0044F712|.7D 1B jge short regfind.0044F72F
0044F714|.BA 1E000000 mov edx,0x1E
0044F719|.2BD0 sub edx,eax
0044F71B|.52 push edx ;ntdll.KiFastSystemCallRet
0044F71C|.68 78D44500 push regfind.0045D478 ; (Uses left: %d)
0044F721|.8D4C24 18 lea ecx,dword ptr ss:
0044F725|.E8 6633FBFF call regfind.00402A90
0044F72A|.83C4 08 add esp,0x8
0044F72D|.EB 0E jmp short regfind.0044F73D
0044F72F|>BA 9CD44500 mov edx,regfind.0045D49C ; Trial Period Expired
0044F734|.8D7C24 10 lea edi,dword ptr ss:
。。。。。。。。。。。。。。。。。。。省略部分代码。。。。。。。。。。。。。。
0044F854|.50 push eax
0044F855|.8B42 04 mov eax,dword ptr ds:
0044F858|.FFD0 call eax
0044F85A|>8B4424 2C mov eax,dword ptr ss:
0044F85E|.85C0 test eax,eax
0044F860|.74 06 je short regfind.0044F868
0044F862|.50 push eax
0044F863|.E8 DAE2FDFF call regfind.0042DB42
0044F868|>5F pop edi ;kernel32.7C817067
0044F869|.5E pop esi ;kernel32.7C817067
0044F86A|.33C0 xor eax,eax
0044F86C|.5B pop ebx ;kernel32.7C817067
0044F86D|.8BE5 mov esp,ebp
0044F86F|.5D pop ebp ;kernel32.7C817067
0044F870\.C2 0800 retn 0x8
0044F873 CC int3
0044F874 CC int3
0044F875 CC int3
在这里我们看到,这一段里有30天限制的验证。我们修改,跳过"Unable to find components"和30天试用限制验证的地方就可以了。
3、重启,运行,已经没有30天试用的限制,在“关于”里,已没有未注册的提示。破解成功。
【破解总结】
本次破解修改位置有2处
1.
原004034BA /0F8C BF000000 jl regfind.0040357F
改004034BA /E9 C0000000 jmp regfind.0040357F
004034BF |90 nop
2.
原0044F5D4 /75 35 jnz short regfind.0044F60B
0044F5D6 6A 40 push 0x40
0044F5D8 51 push ecx
改0044F5D4 /E9 8F020000 jmp regfind.0044F868