【Article title】: GFTV brute-force patch + tracing the registration code
【Author】: 夜凉如水
【Author e-mail】: Estelle@yeah.net
【Author QQ】: 272227777
【Software】: network TV (网络电视)
【Download】: search for it yourself
【Author's statement】: This is only out of interest, no other purpose. If I have made mistakes, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
Loading it in OD (OllyDbg) shows it is wrapped in N layers of packers, so I did not unpack it; that would be a waste of time.
00E95730 G> 9C PUSHFD // entry point (EP)
00E95731 60 PUSHAD
00E95732 E8 00000000 CALL GFTV.00E95737
00E95737 5D POP EBP ; kernel32.7C817067
00E95738 B8 07000000 MOV EAX,7
00E9573D 2BE8 SUB EBP,EAX
00E9573F 8DB5 80FEFFFF LEA ESI,DWORD PTR SS:[EBP-180]
00E95745 8A06 MOV AL,BYTE PTR DS:[ESI]
00E95747 3C 00 CMP AL,0
00E95749 74 12 JE SHORT GFTV.00E9575D
00E9574B 8BF5 MOV ESI,EBP
00E9574D 8DB5 A8FEFFFF LEA ESI,DWORD PTR SS:[EBP-158]
00E95753 8A06 MOV AL,BYTE PTR DS:[ESI]
00E95755 3C 01 CMP AL,1
00E95757 0F84 42020000 JE GFTV.00E9599F
00E9575D C606 01 MOV BYTE PTR DS:[ESI],1
Everyone should know that the OEP of an E-language (易语言) program is at 401000, so we simply set a hardware execution breakpoint at 401000, press F9 twice, then remove the analysis so OD re-disassembles the code correctly.
00401000 E8 06000000 CALL GFTV.0040100B //oep
00401005 50 PUSH EAX
00401006 E8 BB010000 CALL GFTV.004011C6 ; JMP to kernel32.ExitProcess
0040100B 55 PUSH EBP
0040100C 8BEC MOV EBP,ESP
0040100E 81C4 F0FEFFFF ADD ESP,-110
00401014 E9 83000000 JMP GFTV.0040109C
00401019 6B72 6E 6C IMUL ESI,DWORD PTR DS:[EDX+6E],6C
0040101D 6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command
0040101E 2E:66:6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command
00401021 72 00 JB SHORT GFTV.00401023
00401023 6B72 6E 6C IMUL ESI,DWORD PTR DS:[EDX+6E],6C
00401027 6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command
00401028 2E:66:6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command
0040102B 65:0047 65 ADD BYTE PTR GS:[EDI+65],AL
Shift+F9 to run, enter a registration code, and an error message box pops up. Press F12 to pause and look at the K (call stack) window:
10062630 FF15 A0260C10 CALL DWORD PTR DS:[<&USER32.Message>; USER32.MessageBoxA
10062636 5F POP EDI ; USER32.77D19418
10062637 83F8 03 CMP EAX,3
1006263A 5E POP ESI ; USER32.77D19418
1006263B 75 0F JNZ SHORT krnln.1006264C
1006263D 8B4C24 68 MOV ECX,DWORD PTR SS:[ESP+68]
10062641 B8 02000000 MOV EAX,2
10062646 8901 MOV DWORD PTR DS:[ECX],EAX
10062648 83C4 64 ADD ESP,64
1006264B C3 RETN
Set an F2 breakpoint at 1006263B, F9 to run, click the error dialog and it breaks there. Return to 00C7771B and look upward for the characteristic E-language registration-check signature:
CALL XXXXXXXXX
ADD ESP,8
CMP EAX,0
MOV EAX,0
SETE AL
Several occurrences can be found, so set an F2 breakpoint at the topmost one, 00C77270. F9 to run, enter a fake code, and the program breaks:
00C77270 E8 B3C7FBFF CALL GFTV.00C33A28
00C77275 83C4 08 ADD ESP,8
00C77278 83F8 00 CMP EAX,0
00C7727B B8 00000000 MOV EAX,0
00C77280 0F94C0 SETE AL
00C77283 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00C77286 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
00C77289 85DB TEST EBX,EBX ; krnln.100E357C
00C7728B 74 09 JE SHORT GFTV.00C77296
00C7728D 53 PUSH EBX ; krnln.100E357C
00C7728E E8 C5900000 CALL GFTV.00C80358
00C77293 83C4 04 ADD ESP,4
00C77296 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00C77299 85DB TEST EBX,EBX ; krnln.100E357C
00C7729B 74 09 JE SHORT GFTV.00C772A6
00C7729D 53 PUSH EBX ; krnln.100E357C
00C7729E E8 B5900000 CALL GFTV.00C80358
00C772A3 83C4 04 ADD ESP,4
00C772A6 837D F4 00 CMP DWORD PTR SS:[EBP-C],0 // compares whether [EBP-C] equals 0
00C772AA 0F84 32040000 JE GFTV.00C776E2 // taking the jump leads to the error prompt, so set the Z flag to 0
.......
00C772ED E8 36C7FBFF CALL GFTV.00C33A28 // set an F2 breakpoint here
00C772F2 83C4 08 ADD ESP,8
00C772F5 83F8 00 CMP EAX,0
00C772F8 B8 00000000 MOV EAX,0
00C772FD 0F94C0 SETE AL
00C77300 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00C77303 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
00C77306 85DB TEST EBX,EBX
00C77308 74 09 JE SHORT GFTV.00C77313
EAX 061D2F88 ASCII "l51j389" // suspected to be the registration code
ECX 0012F7F8
EDX 00000000
EBX 06CF8080
ESP 0012F768
EBP 0012F790
ESI 00450251 ASCII "6R*0^8&4O粿aO9粿3#O@40750P1O/"
EDI 0636C760
EIP 00C772ED GFTV.00C772ED
00C772ED E8 36C7FBFF CALL GFTV.00C33A28
00C772F2 83C4 08 ADD ESP,8
00C772F5 83F8 00 CMP EAX,0
00C772F8 B8 00000000 MOV EAX,0
00C772FD 0F94C0 SETE AL
00C77300 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00C77303 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
00C77306 85DB TEST EBX,EBX
00C77308 74 09 JE SHORT GFTV.00C77313
00C7730A 53 PUSH EBX
00C7730B E8 48900000 CALL GFTV.00C80358
00C77310 83C4 04 ADD ESP,4
00C77313 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00C77316 85DB TEST EBX,EBX
00C77318 74 09 JE SHORT GFTV.00C77323
00C7731A 53 PUSH EBX
00C7731B E8 38900000 CALL GFTV.00C80358
00C77320 83C4 04 ADD ESP,4
00C77323 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
00C77327 0F85 59000000 JNZ GFTV.00C77386 // jump taken: trial edition; not taken: two further cases
00C77352 E8 D1C6FBFF CALL GFTV.00C33A28
00C77357 83C4 08 ADD ESP,8
00C7735A 83F8 00 CMP EAX,0
00C7735D B8 00000000 MOV EAX,0
00C77362 0F94C0 SETE AL
00C77365 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00C77368 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
00C7736B 85DB TEST EBX,EBX
00C7736D 74 09 JE SHORT GFTV.00C77378
00C7736F 53 PUSH EBX
00C77370 E8 E38F0000 CALL GFTV.00C80358
00C77375 83C4 04 ADD ESP,4
00C77378 837D EC 00 CMP DWORD PTR SS:[EBP-14],0
00C7737C 0F85 04000000 JNZ GFTV.00C77386
00C77382 33C0 XOR EAX,EAX
00C77384 EB 05 JMP SHORT GFTV.00C7738B
00C77451 E8 D2C5FBFF CALL GFTV.00C33A28
00C77456 83C4 08 ADD ESP,8
00C77459 83F8 00 CMP EAX,0
00C7745C B8 00000000 MOV EAX,0
00C77461 0F94C0 SETE AL
00C77464 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00C77467 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
00C7746A 85DB TEST EBX,EBX
00C7746C 74 09 JE SHORT GFTV.00C77477
00C7746E 53 PUSH EBX
00C7746F E8 E48E0000 CALL GFTV.00C80358
00C77474 83C4 04 ADD ESP,4
00C77477 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00C7747A 85DB TEST EBX,EBX
00C7747C 74 09 JE SHORT GFTV.00C77487
00C7747E 53 PUSH EBX
00C7747F E8 D48E0000 CALL GFTV.00C80358
00C77484 83C4 04 ADD ESP,4
00C77487 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
00C7748B 0F84 A0010000 JE GFTV.00C77631 // jump taken: Platinum edition; not taken: Diamond edition
The registration prompt says the software must be restarted, which is annoying. Since this is an E-language program, we bring out E-Code to decompile it and have a look.
We find the object ID 0x160138FD. A characteristic of E-language: whenever it is about to do something, it first does PUSH XXXXXX with that ID.
So press Alt+M and search for the bytes 68 FD 38 01 16 (PUSH imm32 of the object ID, little-endian):
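Both searches used above, the CALL / ADD ESP,8 / CMP EAX,0 / MOV EAX,0 / SETE AL check idiom and the Alt+M byte search for 68 FD 38 01 16, can also be scripted outside the debugger over a dumped code section. The Python below is an added example and not the author's code or anything shipped with the software: it builds the PUSH imm32 pattern from an object ID, scans a buffer for wildcard byte patterns, and resolves each CALL rel32 target. The sample buffer is constructed from the bytes listed at 00C77270 above, with one PUSH 160138FD appended purely for the demonstration (the post does not show where that push actually lives in the binary).

```python
import re
import struct

# E-language (易语言) registration-check idiom seen in the post:
#   CALL rel32 ; ADD ESP,8 ; CMP EAX,0 ; MOV EAX,0 ; SETE AL
# "??" is a wildcard byte (the rel32 displacement differs per call site).
E_CHECK_IDIOM = "E8 ?? ?? ?? ?? 83 C4 08 83 F8 00 B8 00 00 00 00 0F 94 C0"

# Constructed sample: bytes copied from the 00C77270 listing in the post,
# plus one PUSH 160138FD appended at the end for the demo (position is made up).
BASE = 0x00C77270
SAMPLE = bytes.fromhex(
    "E8B3C7FBFF"   # 00C77270 CALL GFTV.00C33A28
    "83C408"       # 00C77275 ADD ESP,8
    "83F800"       # 00C77278 CMP EAX,0
    "B800000000"   # 00C7727B MOV EAX,0
    "0F94C0"       # 00C77280 SETE AL
    "8945F4"       # 00C77283 MOV DWORD PTR SS:[EBP-C],EAX
    "8B5DFC"       # 00C77286 MOV EBX,DWORD PTR SS:[EBP-4]
    "85DB"         # 00C77289 TEST EBX,EBX
    "7409"         # 00C7728B JE SHORT 00C77296
    "53"           # 00C7728D PUSH EBX
    "E8C5900000"   # 00C7728E CALL GFTV.00C80358  (ADD ESP,4 follows: not the idiom)
    "83C404"       # 00C77293 ADD ESP,4
    "68FD380116"   # constructed: PUSH 160138FD (object ID), appended for the demo
)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn an OllyDbg/IDA-style byte pattern ('68 ?? 38') into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def push_imm32_pattern(value: int) -> str:
    """Byte pattern for 'PUSH imm32' (opcode 68) of a 32-bit constant, little-endian."""
    return "68 " + " ".join(f"{b:02X}" for b in struct.pack("<I", value))


def find_all(buf: bytes, base: int, pattern: str) -> list:
    """Virtual addresses at which `pattern` occurs in `buf` when mapped at `base`."""
    rx = pattern_to_regex(pattern)
    return [base + m.start() for m in rx.finditer(buf)]


def call_target(buf: bytes, base: int, va: int) -> int:
    """Resolve the destination of the E8 rel32 CALL located at virtual address `va`."""
    off = va - base
    if buf[off] != 0xE8:
        raise ValueError(f"no E8 CALL at {va:08X}")
    rel = struct.unpack("<i", buf[off + 1:off + 5])[0]
    return (va + 5 + rel) & 0xFFFFFFFF           # target = next instruction + rel32


def locate_checks(buf: bytes = SAMPLE, base: int = BASE) -> list:
    """Each check site as (address of the CALL, resolved callee address)."""
    return [(va, call_target(buf, base, va)) for va in find_all(buf, base, E_CHECK_IDIOM)]


def locate_object_id(obj_id: int, buf: bytes = SAMPLE, base: int = BASE) -> list:
    """Addresses of every PUSH <obj_id>, i.e. the Alt+M search done by hand in the post."""
    return find_all(buf, base, push_imm32_pattern(obj_id))


if __name__ == "__main__":
    for va, callee in locate_checks():
        print(f"check idiom at {va:08X}, CALL -> {callee:08X}")
    print("PUSH 160138FD at", [f"{va:08X}" for va in locate_object_id(0x160138FD)])
```

The idiom's MOV EAX,0 / SETE AL inverts the call's result: [EBP-C] becomes 1 exactly when the check routine returned 0, so the CMP/JE that follows each site decides the edition. Note that the second CALL in the sample (to 00C80358, followed by ADD ESP,4) is correctly not reported, which is why the full 19-byte pattern rather than a bare E8 search is used. Any wildcard pattern in the same notation works with `find_all`, so the OEP or other E-language signatures can be searched the same way.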
00C475B7 E8 6CC4FEFF CALL GFTV.00C33A28
00C475BC 83C4 08 ADD ESP,8
00C475BF 83F8 00 CMP EAX,0
00C475C2 B8 00000000 MOV EAX,0
00C475C7 0F94C0 SETE AL
00C475CA 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00C475CD 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
00C475D0 85DB TEST EBX,EBX
00C475D2 74 09 JE SHORT GFTV.00C475DD
00C475D4 53 PUSH EBX
00C475D5 E8 7E8D0300 CALL GFTV.00C80358
00C475DA 83C4 04 ADD ESP,4
00C475DD 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
00C475E0 85DB TEST EBX,EBX
00C475E2 74 09 JE SHORT GFTV.00C475ED
00C475E4 53 PUSH EBX
00C475E5 E8 6E8D0300 CALL GFTV.00C80358
00C475EA 83C4 04 ADD ESP,4
00C475ED 837D EC 00 CMP DWORD PTR SS:[EBP-14],0
00C475F1 0F84 4D000000 JE GFTV.00C47644 // must not jump
00C501E5 E8 3E38FEFF CALL GFTV.00C33A28
00C501EA 83C4 08 ADD ESP,8
00C501ED 83F8 00 CMP EAX,0
00C501F0 B8 00000000 MOV EAX,0
00C501F5 0F94C0 SETE AL
00C501F8 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00C501FB 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00C501FE 85DB TEST EBX,EBX
00C50200 74 09 JE SHORT GFTV.00C5020B
00C50202 53 PUSH EBX
00C50203 E8 50010300 CALL GFTV.00C80358
00C50208 83C4 04 ADD ESP,4
00C5020B 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
00C5020E 85DB TEST EBX,EBX
00C50210 74 09 JE SHORT GFTV.00C5021B
00C50212 53 PUSH EBX
00C50213 E8 40010300 CALL GFTV.00C80358
00C50218 83C4 04 ADD ESP,4
00C5021B 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
00C5021F 0F84 05020000 JE GFTV.00C5042A // must not jump
That skips the startup check. OK, I won't write any more. Remember the registration code we suspected earlier, "l51j389"?
Tested it: the registration prompt says trial user, and all functions can be used. Bye. Just scribbled this down.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 吾爱破解 forum; when reposting, please credit the author and keep the article intact. Thanks!
2009-02-01 21:21:04