本帖最后由 Chief 于 2013-1-5 22:59 编辑
【文章标题】: 吾爱破解2012CM大赛破文-Ugvnui
【文章作者】: Chief
【作者邮箱】: hi_Chief@163.com
【下载地址】: http://down.52pojie.cn/2012CM/%E4%B8%AD/ugvnui/
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【难 度】: 中
--------------------------------------------------------------------------------
【详细过程】
F9运行---输入假码---注册---出现错误。
两个错误,
第一个很可惜你失败了!
第二个program internal error number is 报错
重载....
搜索下ASCLL 004046D2 push Ugvnui.0042B29C riched20.dll
004047F6 mov dword ptr ds:[ebx],Ugvnui.0042B6A9 威@
00406432 push Ugvnui.0042B895 \r\n
0040A9EE mov eax,Ugvnui.0042B910 信息:
0040D1AF mov dword ptr ds:[ebx],Ugvnui.0042B937 s,A
0040D34C push Ugvnui.0042B9EB TaskbarCreated
0040DFB7 mov eax,Ugvnui.0042B9FA WTWindow
0040E009 push Ugvnui.0042BA03 ShowTaskbar
0040E00E push Ugvnui.0042B9FA WTWindow
0040E42E mov eax,Ugvnui.0042B9FA WTWindow
0040E480 push Ugvnui.0042BA03 ShowTaskbar
0040E485 push Ugvnui.0042B9FA WTWindow
0040E5C2 push Ugvnui.0042BA0F #32770
0040E603 push Ugvnui.0042BA0F #32770
0040F47D mov eax,Ugvnui.0042BA16 Edit
0040FB52 mov eax,Ugvnui.0042BA1B 按钮
0040FC20 mov eax,Ugvnui.0042BA20 Button
00411ABC mov dword ptr ds:[ebx],Ugvnui.0042B937 s,A
00412FDA push Ugvnui.0042C1AC program internal error number is %d. (0x%Xh)
00412FF1 push Ugvnui.0042C1A4 error
0041303B push Ugvnui.0042C1A4 error
00413040 push Ugvnui.0042C1DC 内存不足
004131D8 mov esi,Ugvnui.0042B044 @WA
00413208 mov esi,Ugvnui.0042B044 @WA
出现了第二个报错的地方,双击进去
来到 00412FC0 /> \55 push ebp
00412FC1 |. 8BEC mov ebp,esp
00412FC3 |. 81EC 04010000 sub esp,0x104
00412FC9 |. 895D FC mov [local.1],ebx
00412FCC |. 8B45 FC mov eax,[local.1]
00412FCF |. 8B4D 08 mov ecx,[arg.1]
00412FD2 |. 50 push eax ; /<%X>
00412FD3 |. 51 push ecx ; |<%d>
00412FD4 |. 8D95 FCFEFFFF lea edx,[local.65] ; |
00412FDA |. 68 ACC14200 push Ugvnui.0042C1AC ; |program internal error number is %d. (0x%Xh)
00412FDF |. 52 push edx ; |s
00412FE0 |. FF15 BC814200 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
00412FE6 |. 83C4 10 add esp,0x10
00412FE9 |. 8D85 FCFEFFFF lea eax,[local.65]
00412FEF |. 6A 10 push 0x10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00412FF1 |. 68 A4C14200 push Ugvnui.0042C1A4 ; |error
00412FF6 |. 50 push eax ; |Text
00412FF7 |. 6A 00 push 0x0 ; |hOwner = NULL
00412FF9 |. FF15 68824200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00412FFF |. 6A 00 push 0x0
00413001 |. E8 7AFFFFFF call Ugvnui.00412F80
00413006 |. 83C4 04 add esp,0x4
00413009 |. 8BE5 mov esp,ebp
0041300B |. 5D pop ebp
-------------------------------------------------------------------------------
继续分析....
重新载入,
F9运行---输入假码---注册---出现错误。
F12暂停---Alt+F9【执行到用户代码】---错误信息框点确定
到这里 00413A52 |. 48 dec eax
00413A53 |. 81C4 04010000 add esp,0x104
00413A59 \. C3 retn
00413A5A 90 nop
00413A5B 90 nop
00413A5C 90 nop
00413A5D 90 nop
00413A5E 90 nop
00413A5F 90 nop
00413A60 /[ DISCUZ_CODE_41 ]nbsp; 56 push esi
到 0012F62C 00402B7C Ugvnui.00413860 Ugvnui.00402B77 0012F6F4
0012F6F8 00404629 Ugvnui.004014D0 Ugvnui.00404624 0012F6F4
0012F708 004066B5 Ugvnui.004066C0 Ugvnui.004066B0 0012F72C
0012F730 0040F9EA Ugvnui.0040667B Ugvnui.0040F9E5 0012F72C
0012F794 004066B5 Ugvnui.004066C0 Ugvnui.004066B0 0012F790
0012F7BC 00405DD3 Ugvnui.0040667B Ugvnui.00405DCE 0012F7B8
0012F850 004066B5 Ugvnui.004066C0 Ugvnui.004066B0 0012F84C
0012F878 00408D10 Ugvnui.0040667B Ugvnui.00408D0B 0012F874
0012F8D4 00408D34 Ugvnui.00408C0E Ugvnui.00408D2F 0012F8D0
0012F8F4 77D18734 包含Ugvnui.00408D34 user32.77D18731 0012F91C
0012F920 77D18816 ? user32.77D1870C user32.77D18811 0012F91C
0012F95C 77D28EA0 ? user32.77D1875F user32.77D28E9B
右键--显示调用
来到 00404621 . 56 push esi
00404622 . 57 push edi
00404623 . 53 push ebx
00404624 . E8 A7CEFFFF call Ugvnui.004014D0
00404629 . 5B pop ebx
0040462A . 5F pop edi
0040462B . 5E pop esi
重新载入程序,运行--输入假码---点注册----马上断下。 00404621 . 56 push esi
00404622 . 57 push edi
00404623 . 53 push ebx
00404624 . E8 A7CEFFFF call Ugvnui.004014D0
00404629 . 5B pop ebx
0040462A . 5F pop edi
0040462B . 5E pop esi
F7跟进去。
到 004014D0 /[ DISCUZ_CODE_45 ]nbsp; 55 push ebp
004014D1 |. 8BEC mov ebp,esp
004014D3 |. 81EC 9C000000 sub esp,0x9C
004014D9 |. 68 00000000 push 0x0
004014DE |. BB C4060000 mov ebx,0x6C4
0040160B |. 83C4 10 add esp,0x10
0040160E |. 8945 D0 mov [local.12],eax
00401611 |. 8B5D D4 mov ebx,[local.11]
00401614 |. 85DB test ebx,ebx
00401616 |. 74 09 je XUgvnui.00401621
00401618 |. 53 push ebx
00401619 |. E8 CA180100 call Ugvnui.00412EE8
继续F8
到这里出现我们刚才输的假码. 00401B72 |. /74 09 je XUgvnui.00401B7D
00401B74 |. |53 push ebx
00401B75 |. |E8 6E130100 call Ugvnui.00412EE8
00401B7A |. |83C4 04 add esp,0x4
00401B7D |> \8B85 68FFFFFF mov eax,[local.38] ; 出现假码
00401B83 |. 50 push eax
00401B84 |. FFB5 70FFFFFF push [local.36]
此时已经明码比较了。 00401B8F |. 83C4 08 add esp,0x8
00401B92 |. 83F8 00 cmp eax,0x0
00401B95 |. B8 00000000 mov eax,0x0
00401B9A |. 0F94C0 sete al
00401B9D |. 8985 64FFFFFF mov [local.39],eax
00401BA3 |. 8B9D 70FFFFFF mov ebx,[local.36]
00401BA9 |. 85DB test ebx,ebx
00401BAB |. 74 09 je XUgvnui.00401BB6
00401BAD |. 53 push ebx
00401BAE |. E8 35130100 call Ugvnui.00412EE8
00401BB3 |. 83C4 04 add esp,0x4
00401BB6 |> 8B9D 68FFFFFF mov ebx,[local.38]
00401BBC |. 85DB test ebx,ebx
00401BBE |. 74 09 je XUgvnui.00401BC9
00401BC0 |. 53 push ebx
00401BC1 |. E8 22130100 call Ugvnui.00412EE8
00401BC6 |. 83C4 04 add esp,0x4
00401BC9 |> 83BD 64FFFFFF>cmp [local.39],0x0
到 00401BD0 /0F84 C10E0000 je Ugvnui.00402A97 ; 大规模的跳转--实现状态
00401BD6 |. |68 00000000 push 0x0
00401BDB |. |BB C4060000 mov ebx,0x6C4
00401BE0 |. |E8 4B160100 call Ugvnui.00413230
00401BE5 |. |83C4 04 add esp,0x4
00401BE8 |. |8945 F4 mov [local.3],eax
00401BEB |. |DB45 F4 fild [local.3]
既然实现,我们就跟看看。
00402B67 |. B8 58B24200 mov eax,Ugvnui.0042B258
00402B6C |> 50 push eax
00402B6D |. 68 03000000 push 0x3
00402B72 |. BB 00030000 mov ebx,0x300
00402B77 |. E8 E40C0100 call Ugvnui.00413860 弹出错误
00402B7C |. 83C4 28 add esp,0x28
00402B7F |. 8B5D F4 mov ebx,[local.3]
00402B82 |. 85DB test ebx,ebx
00402B84 |. 74 09 je XUgvnui.00402B8F
弹出错误了。
那么刚才的跳转不让他实现
继续
还是到这... 00401BD0 /0F84 C10E0000 je Ugvnui.00402A97 ; 大规模的跳转--实现状态
00401BD6 |. |68 00000000 push 0x0
00401BDB |. |BB C4060000 mov ebx,0x6C4
00401BE0 |. |E8 4B160100 call Ugvnui.00413230
00401BE5 |. |83C4 04 add esp,0x4
00401BE8 |. |8945 F4 mov [local.3],eax
00401BEB |. |DB45 F4 fild [local.3]
运行软件试试
运行后马上被断下 00412FC0 /> \55 push ebp
00412FC1 |. 8BEC mov ebp,esp
00412FC3 |. 81EC 04010000 sub esp,0x104
00412FC9 |. 895D FC mov [local.1],ebx
00412FCC |. 8B45 FC mov eax,[local.1]
00412FCF |. 8B4D 08 mov ecx,[arg.1]
00412FD2 |. 50 push eax ; /<%X>
00412FD3 |. 51 push ecx ; |<%d>
00412FD4 |. 8D95 FCFEFFFF lea edx,[local.65] ; |
00412FDA |. 68 ACC14200 push Ugvnui.0042C1AC ; |program internal error number is %d. (0x%Xh)
00412FDF |. 52 push edx ; |s
00412FE0 |. FF15 BC814200 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
00412FE6 |. 83C4 10 add esp,0x10
00412FE9 |. 8D85 FCFEFFFF lea eax,[local.65]
00412FEF |. 6A 10 push 0x10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00412FF1 |. 68 A4C14200 push Ugvnui.0042C1A4 ; |error
00412FF6 |. 50 push eax ; |Text
00412FF7 |. 6A 00 push 0x0 ; |hOwner = NULL
00412FF9 |. FF15 68824200 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00412FFF |. 6A 00 push 0x0
00413001 |. E8 7AFFFFFF call Ugvnui.00412F80
00413006 |. 83C4 04 add esp,0x4
00413009 |. 8BE5 mov esp,ebp
0041300B |. 5D pop ebp
00412FC0 /> \55 push ebp----断首retn掉。
调试了几次,都报错。没办法小菜只能用注册码来实现注册了。
好多地方都出现真码,可以拦截,我就随便用个地址演示吧
00401B13 |> \50 push eax EAX
中断地址:00401B13
中断次数:1
第一字节:50
指令长度:1
内存方式---寄存器---EAX
OK
内存注册机:
yes,求包养,求支持。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于Chief, 转载请注明作者并保持文章的完整, 谢谢!
2012年05月01日 14:42:02
| 
发表于 2012-5-1 14:50
发表于 2012-5-1 15:02
发表于 2012-5-1 20:36
发表于 2012-5-18 17:36
