吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 3578|回复: 9
上一主题 下一主题
收起左侧

[原创] Digimizer 5.6分析爆破

  [复制链接]
跳转到指定楼层
楼主
speedboy 发表于 2021-3-24 18:30 回帖奖励
【文章标题】: Digimizer 5.6分析爆破
【文章作者】: speedboy
【软件名称】: Digimizer
【下载地址】:
【加壳方式】: 无
【编写语言】: Microsoft Visual C++
【使用工具】: OllyDbg
【操作平台】: win7
【软件介绍】:专业的图像测量工具,常常用在医学图像上,比如:X光图片、显微照片等,并且digimizer支持对图像内容进行手工精确测量,进行自动对象识别;还支持众多的图片格式,包括:JPG、GIF、TIFF、BMP、PNG、WMF和EMF多种格式等。不仅如此,digimizer还可以对图像进行简单的处理,支持图像进行旋转、反转、拉伸、图像明暗、对比调节等多种处理方法。
【作者声明】: 只做学习、交流
--------------------------------------------------------------------------------
【详细过程】

1、搜索“Unlicensed copy”,有两处,在其中一处双击来到反汇编区分析。
[Asm] 纯文本查看 复制代码
004243CA     push Digimize.00488C24                                  ;  Unlicensed copy
004463CE     push Digimize.00488C24                                  ;  Unlicensed copy


2、发现其上两行是cmp,je比较判断语句,只要使ds:[0x494957]=0,即可实现跳转,所以在 cmp byte ptr ds:[0x494957],0x0 上“右键——查找参考——地址常量”
[Asm] 纯文本查看 复制代码
00424373  |> \57            push edi                                                ;  Case 110 (WM_INITDIALOG) of switch 0042430A
00424374  |.  56            push esi
00424375  |.  FF15 2CF64600 call dword ptr ds:[<&mclib32._CenterDialog@4>]          ;  mclib32._CenterDialog@4
0042437B  |.  FF15 28F64600 call dword ptr ds:[<&mclib32._AppIsThemed@0>]           ;  mclib32._AppIsThemed@0
00424381  |.  68 1E0D0000   push 0xD1E                                              ; /ControlID = D1E (3358.)
00424386  |.  56            push esi                                                ; |hWnd = NULL
00424387  |.  FF15 54F34600 call dword ptr ds:[<&USER32.GetDlgItem>]                ; \GetDlgItem
0042438D  |.  8B3D A4F24600 mov edi,dword ptr ds:[<&USER32.SetDlgItemTextW>]        ;  user32.SetDlgItemTextW
00424393  |.  85C0          test eax,eax                                            ;  kernel32.BaseThreadInitThunk
00424395  |.  74 2A         je short Digimize.004243C1
00424397  |.  68 EC8B4800   push Digimize.00488BEC                                  ; /5.6.0
0042439C  |.  68 F88B4800   push Digimize.00488BF8                                  ; |Digimizer Version %s
004243A1  |.  8D85 5CFFFFFF lea eax,[local.41]                                      ; |
004243A7  |.  6A 50         push 0x50                                               ; |Arg2 = 00000050
004243A9  |.  50            push eax                                                ; |Arg1 = 7518343B
004243AA  |.  E8 818AFEFF   call Digimize.0040CE30                                  ; \Digimize.0040CE30
004243AF  |.  83C4 10       add esp,0x10
004243B2  |.  8D85 5CFFFFFF lea eax,[local.41]
004243B8  |.  50            push eax                                                ;  kernel32.BaseThreadInitThunk
004243B9  |.  68 1E0D0000   push 0xD1E
004243BE  |.  56            push esi
004243BF  |.  FFD7          call edi
004243C1  |>  803D 57494900>cmp byte ptr ds:[0x494957],0x0
004243C8  |.  74 07         je short Digimize.004243D1
004243CA  |.  68 248C4800   push Digimize.00488C24                                  ;  Unlicensed copy
004243CF  |.  EB 05         jmp short Digimize.004243D6
004243D1  |>  68 F0864A00   push Digimize.004A86F0
004243D6  |>  68 420D0000   push 0xD42
004243DB  |.  56            push esi
004243DC  |.  FFD7          call edi
004243DE  |.  6A 60         push 0x60
004243E0  |.  6A 00         push 0x0
004243E2  |.  6A 00         push 0x0
004243E4  |.  68 448C4800   push Digimize.00488C44                                  ;  [url=https://www.digimizer.com]https://www.digimizer.com[/url]
004243E9  |.  68 ED0C0000   push 0xCED
004243EE  |.  68 ED0C0000   push 0xCED                                              ; /ControlID = CED (3309.)
004243F3  |.  56            push esi                                                ; |hWnd = NULL
004243F4  |.  FF15 54F34600 call dword ptr ds:[<&USER32.GetDlgItem>]                ; \GetDlgItem
004243FA  |.  50            push eax                                                ;  kernel32.BaseThreadInitThunk
004243FB  |.  FF15 24F64600 call dword ptr ds:[<&mclib32._urlctrl_set@24>]          ;  mclib32._urlctrl_set@24
00424401  |.  5F            pop edi                                                 ;  kernel32.7518344D
00424402  |.  B8 01000000   mov eax,0x1
00424407  |.  5E            pop esi                                                 ;  kernel32.7518344D
00424408  |.  8B4D FC       mov ecx,[local.1]
0042440B  |.  33CD          xor ecx,ebp
0042440D  |.  E8 9FEA0200   call Digimize.00452EB1
00424412  |.  8BE5          mov esp,ebp
00424414  |.  5D            pop ebp                                                 ;  kernel32.7518344D
00424415  |.  C2 1000       retn 0x10


3、查找地址常量后得到下面四条信息,有两处赋值为零的语句,在第一个处双击来到反汇编区。
[Asm] 纯文本查看 复制代码
004243C1   cmp byte ptr ds:[0x494957],0x0            (初始 CPU 选择)
0042A743   mov byte ptr ds:[0x494957],0x0            ds:[00494957]=01
0042AD43   mov byte ptr ds:[0x494957],0x0            ds:[00494957]=01
004463BF   cmp byte ptr ds:[0x494957],0x0            ds:[00494957]=01


4、经分析,要想实现 ds:[0x494957]=0 je short Digimize.0042A740必须实现,此行又是来自 jnz short Digimize.0042A70F,此语句必须实现跳转,则是当al=1时,al的支来自哪里?当然是上面的call了(call Digimize.0042A510),F7跟进分析。
[Asm] 纯文本查看 复制代码
0042A6A0   .  B9 80794A00   mov ecx,Digimize.004A7980                               ; |
0042A6A5   .  E8 66FEFFFF   call Digimize.0042A510                                  ; \》关键call
0042A6AA   .  83C4 04       add esp,0x4
0042A6AD   .  84C0          test al,al
0042A6AF   .  75 5E         jnz short Digimize.0042A70F                             ;  》跳转
0042A6B1   .  3885 5BFDFFFF cmp byte ptr ss:[ebp-0x2A5],al
0042A6B7   .  74 2B         je short Digimize.0042A6E4
0042A6B9   .  68 541F0000   push 0x1F54
0042A6BE   .  68 9C000000   push 0x9C
0042A6C3   .  57            push edi
0042A6C4   .  FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>]              ;  mclib32.AlertWindow
0042A6CA   .  83C4 0C       add esp,0xC
0042A6CD   .  B8 01000000   mov eax,0x1
0042A6D2   .  5F            pop edi                                                 ;  kernel32.7518344D
0042A6D3   .  5E            pop esi                                                 ;  kernel32.7518344D
0042A6D4   .  8B4D FC       mov ecx,dword ptr ss:[ebp-0x4]
0042A6D7   .  33CD          xor ecx,ebp
0042A6D9   .  E8 D3870200   call Digimize.00452EB1
0042A6DE   .  8BE5          mov esp,ebp
0042A6E0   .  5D            pop ebp                                                 ;  kernel32.7518344D
0042A6E1   .  C2 1000       retn 0x10
0042A6E4   >  68 481F0000   push 0x1F48
0042A6E9   .  68 9C000000   push 0x9C
0042A6EE   .  57            push edi
0042A6EF   .  FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>]              ;  mclib32.AlertWindow
0042A6F5   .  83C4 0C       add esp,0xC
0042A6F8   .  B8 01000000   mov eax,0x1
0042A6FD   .  5F            pop edi                                                 ;  kernel32.7518344D
0042A6FE   .  5E            pop esi                                                 ;  kernel32.7518344D
0042A6FF   .  8B4D FC       mov ecx,dword ptr ss:[ebp-0x4]
0042A702   .  33CD          xor ecx,ebp
0042A704   .  E8 A8870200   call Digimize.00452EB1
0042A709   .  8BE5          mov esp,ebp
0042A70B   .  5D            pop ebp                                                 ;  kernel32.7518344D
0042A70C   .  C2 1000       retn 0x10
0042A70F   >  80BD 5BFDFFFF>cmp byte ptr ss:[ebp-0x2A5],0x0
0042A716   .  74 28         je short Digimize.0042A740                              ;》跳转
0042A718   .  68 541F0000   push 0x1F54
0042A71D   .  68 9C000000   push 0x9C
0042A722   .  57            push edi
0042A723   .  FF15 1CF64600 call dword ptr ds:[<&mclib32.AlertWindow>]              ;  mclib32.AlertWindow
0042A729   .  83C4 0C       add esp,0xC
0042A72C   .  33C0          xor eax,eax                                             ;  kernel32.BaseThreadInitThunk
0042A72E   .  5F            pop edi                                                 ;  kernel32.7518344D
0042A72F   .  5E            pop esi                                                 ;  kernel32.7518344D
0042A730   .  8B4D FC       mov ecx,dword ptr ss:[ebp-0x4]
0042A733   .  33CD          xor ecx,ebp
0042A735   .  E8 77870200   call Digimize.00452EB1
0042A73A   .  8BE5          mov esp,ebp
0042A73C   .  5D            pop ebp                                                 ;  kernel32.7518344D
0042A73D   .  C2 1000       retn 0x10
0042A740   >  6A 01         push 0x1                                                ; /Result = 0x1
0042A742   .  57            push edi                                                ; |hWnd = NULL
0042A743   .  C605 57494900>mov byte ptr ds:[0x494957],0x0                          ; |
0042A74A   .  FF15 94F24600 call dword ptr ds:[<&USER32.EndDialog>]                 ; \EndDialog


5、此语句0042A54D  mov al,0x1使al=1,而此语句来自jnz short Digimize.0042A54C,所以次跳转必须实现,也即是上一句 test al,al中al<>0,而al的值来自call Digimize.0042A100,F7跟进分析。
[Asm] 纯文本查看 复制代码
0042A510  /$  55            push ebp
0042A511  |.  8BEC          mov ebp,esp
0042A513  |.  51            push ecx
0042A514  |.  8B45 08       mov eax,[arg.1]
0042A517  |.  56            push esi                                                ;  mclib32.UnicodeToUTF8
0042A518  |.  57            push edi                                                ;  Digimize.004A88F0
0042A519  |.  50            push eax
0042A51A  |.  8BF2          mov esi,edx
0042A51C  |.  C600 00       mov byte ptr ds:[eax],0x0
0042A51F  |.  8BF9          mov edi,ecx
0042A521  |.  E8 DAFBFFFF   call Digimize.0042A100                                  ;  》关键call
0042A526  |.  83C4 04       add esp,0x4
0042A529  |.  84C0          test al,al
0042A52B  |.  75 1F         jnz short Digimize.0042A54C                             ;  》跳转
0042A52D  |.  8BD6          mov edx,esi                                             ;  mclib32.UnicodeToUTF8
0042A52F  |.  8BCF          mov ecx,edi                                             ;  Digimize.004A88F0
0042A531  |.  E8 1AF8FFFF   call Digimize.00429D50
0042A536  |.  84C0          test al,al
0042A538  |.  75 12         jnz short Digimize.0042A54C
0042A53A  |.  8BD6          mov edx,esi                                             ;  mclib32.UnicodeToUTF8
0042A53C  |.  8BCF          mov ecx,edi                                             ;  Digimize.004A88F0
0042A53E  |.  E8 1DF4FFFF   call Digimize.00429960
0042A543  |.  84C0          test al,al
0042A545  |.  75 05         jnz short Digimize.0042A54C
0042A547  |.  5F            pop edi                                                 ;  Digimize.004A86F0
0042A548  |.  5E            pop esi                                                 ;  Digimize.004A86F0
0042A549  |.  59            pop ecx                                                 ;  Digimize.004A86F0
0042A54A  |.  5D            pop ebp                                                 ;  Digimize.004A86F0
0042A54B  |.  C3            retn
0042A54C  |>  5F            pop edi                                                 ;  Digimize.004A86F0
0042A54D  |.  B0 01         mov al,0x1
0042A54F  |.  5E            pop esi                                                 ;  Digimize.004A86F0
0042A550  |.  59            pop ecx                                                 ;  Digimize.004A86F0
0042A551  |.  5D            pop ebp                                                 ;  Digimize.004A86F0
0042A552  \.  C3            retn


6、逐步分析后,程序来到 0042A4F4  xor al,al 修改此处语句使al<>0即可实现破解
[Asm] 纯文本查看 复制代码
0042A100   $  55            push ebp
0042A101   .  8BEC          mov ebp,esp
0042A103   .  83E4 F8       and esp,0xFFFFFFF8
0042A106   .  81EC 44030000 sub esp,0x344
0042A10C   .  A1 E4404900   mov eax,dword ptr ds:[0x4940E4]
0042A111   .  33C4          xor eax,esp
0042A113   .  898424 400300>mov dword ptr ss:[esp+0x340],eax
0042A11A   .  53            push ebx
0042A11B   .  8B5D 08       mov ebx,dword ptr ss:[ebp+0x8]
0042A11E   .  8D8424 400200>lea eax,dword ptr ss:[esp+0x240]
0042A125   .  56            push esi                                                ;  mclib32.UnicodeToUTF8
0042A126   .  8B35 34F64600 mov esi,dword ptr ds:[<&mclib32.UnicodeToUTF8>]         ;  mclib32.UnicodeToUTF8
0042A12C   .  57            push edi                                                ;  Digimize.004A88F0
0042A12D   .  68 00010000   push 0x100
0042A132   .  50            push eax
0042A133   .  51            push ecx
0042A134   .  8BFA          mov edi,edx
0042A136   .  FFD6          call esi                                                ;  mclib32.UnicodeToUTF8; <&mclib32.UnicodeToUTF8>
0042A138   .  83C4 0C       add esp,0xC
0042A13B   .  8D4424 48     lea eax,dword ptr ss:[esp+0x48]
0042A13F   .  68 00010000   push 0x100
0042A144   .  50            push eax
0042A145   .  57            push edi                                                ;  Digimize.004A88F0
0042A146   .  FFD6          call esi                                                ;  mclib32.UnicodeToUTF8
0042A148   .  83C4 0C       add esp,0xC
0042A14B   .  807C24 4D 2D  cmp byte ptr ss:[esp+0x4D],0x2D
0042A150   .  0F85 97030000 jnz Digimize.0042A4ED
0042A156   .  807C24 53 2D  cmp byte ptr ss:[esp+0x53],0x2D
0042A15B   .  0F85 8C030000 jnz Digimize.0042A4ED
0042A161   .  807C24 59 2D  cmp byte ptr ss:[esp+0x59],0x2D
0042A166   .  0F85 81030000 jnz Digimize.0042A4ED
0042A16C   .  807C24 5F 2D  cmp byte ptr ss:[esp+0x5F],0x2D
0042A171   .  0F85 76030000 jnz Digimize.0042A4ED
………………
………………
………………
0042A4ED   > \8B8C24 4C0300>mov ecx,dword ptr ss:[esp+0x34C]
0042A4F4      32C0          xor al,al                                               ;  》【1】
0042A4F6   .  5F            pop edi                                                 ;  Digimize.004A86F0
0042A4F7   .  5E            pop esi                                                 ;  Digimize.004A86F0
0042A4F8   .  5B            pop ebx                                                 ;  Digimize.004A86F0
0042A4F9   .  33CC          xor ecx,esp
0042A4FB   .  E8 B1890200   call Digimize.00452EB1
0042A500   .  8BE5          mov esp,ebp
0042A502   .  5D            pop ebp                                                 ;  Digimize.004A86F0
0042A503   .  C3            retn


7、破解前后对比

免费评分

参与人数 3吾爱币 +9 热心值 +1 收起 理由
Hmily + 7 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
Sukkk + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
月六点年一倍 + 1 谢谢@Thanks!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

沙发
月六点年一倍 发表于 2021-3-24 20:19
谢谢分享
3#
芥末芥末 发表于 2021-3-24 20:21
4#
Sukkk 发表于 2021-3-24 20:30
5#
a794921417 发表于 2021-3-24 20:30
没有下载?厉害了
6#
tan567421 发表于 2021-3-24 20:57
厉害了。看看思路。。
7#
绝世小仟 发表于 2021-3-24 21:28
高大上,下载学习学习
8#
1laoslaos1 发表于 2021-3-24 23:01
好分享,谢谢!
9#
bdcpc 发表于 2021-3-25 11:20
        欢迎分析讨论交流,吾爱破解论坛有你更精彩!
10#
zhuyanxiang 发表于 2021-4-1 10:52
非常棒的学习知识,谢谢大佬
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-12-26 10:55

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表