作为吾爱 破解的新人,第一次发帖.最近刚开始学习逆向,对很多东西都还不是很懂,所以此贴适合初学者观看,大牛请略过,,,
得益学校一大牛指点,前两天发给我一个软件,带有反调试的CM,从来没有接触过这些东东呀,心里顿感压力,作为菜鸟的我们果断首先百度,发现网上果然是大牛云集的地方,终获一方案,果断跟随学习,到目前,算是基本了解此软件的一些运行原理,下面详解:
按照常规的分析顺序,首先拖入 PEiD 查壳,发现没壳;接着运行软件,随意输入密码后会弹出“Try Again, something did not work right.”,于是拖入 OD。前面说过此软件带有反调试:从后面的代码可以看到,它会扫描自己的校验代码区以及所导入 API 入口处有没有 0xCC(INT3)字节,所以普通的 F2 软件断点(会往代码里写入 0xCC)一下就被发现,程序直接走失败分支;而消息断点、内存访问断点和硬件断点都不修改代码字节,不会被这种扫描发现。经过反复调试,确认用消息断点下断:首先 F9 运行起来,“查看”->“窗口”,刷新如下:
在 &Register 上右键,选择“在 ClassProc 上设置消息断点”,如下图:
设置好后点击运行的软件上的Register按键,然后选择OD上的M按钮,或者alt+m快捷键,进入下面:
在 00401000(代码段)上右键“在访问上设置断点”。至于为什么在此处设置断点:一般程序代码段的 RVA 默认为 0x1000,本程序 ImageBase 为 0x400000,载入内存后代码段起始地址就是 0x401000,这一点可以在 PEiD 的 EP Section 后面的“>”中看到。另外,在内存映射窗口设置的访问断点属于内存断点(靠页面保护实现),不会向代码写入 0xCC,所以不会被程序的 INT3 扫描发现:
所以我们在此下断点,直接 F9 运行,程序会断在对话框过程(00401230,处理 WM_INITDIALOG / WM_COMMAND 的函数)的入口处,如下图:
[AppleScript] 纯文本查看 复制代码 00401230 /. 55 push ebp ; dialog procedure: hWnd = [arg.1], Msg = [arg.2], wParam = [arg.3]
00401231 |. 8BEC mov ebp,esp
00401233 |. 817D 0C 10010>cmp [arg.2],0x110 ; Msg == 0x110 (WM_INITDIALOG)?
0040123A |. 75 1E jnz short KGM1Tal.0040125A ; no -> test for WM_COMMAND
0040123C |. 68 057F0000 push 0x7F05 ; /RsrcName =IDI_WINLOGO
00401241 |. 6A 00 push 0x0 ; |hInst = NULL
00401243 |. E8 5A030000 call<jmp.&user32.LoadIconA> ; \LoadIconA
00401248 |. 50 push eax ; /lParam =7FFDD000 (the icon handle LoadIconA just returned)
00401249 |. 6A 01 push 0x1 ; |wParam = 1
0040124B |. 68 80000000 push 0x80 ; |Message =WM_SETICON
00401250 |. FF75 08 push [arg.1] ; |hWnd = 1A00A2
00401253 |. E8 56030000 call<jmp.&user32.SendMessageA> ; \SendMessageA
00401258 |. EB 36 jmp short KGM1Tal.00401290 ; WM_INITDIALOG handled
0040125A |> 817D 0C11010>cmp [arg.2],0x111 ; Msg == 0x111 (WM_COMMAND)?
00401261 75 1D jnz short KGM1Tal.00401280 ; neither message -> 00401280 (not shown here)
00401263 |. 817D 10 E9030>cmp[arg.3],0x3E9 ; wParam == 0x3E9 (1001): control ID of the command -- the Register button, going by the walkthrough
0040126A 75 24 jnz short KGM1Tal.00401290 ; any other command is ignored
0040126C |. E8 A8020000 call KGM1Tal.00401519 ; anti-debug check #1: INT3 scan over the serial routine (F7 to step in)
[AppleScript] 纯文本查看 复制代码 00401519 $ BF 96124000 mov edi,KGM1Tal.00401296 ; edi = start of the region to scan: the serial-check routine at 00401296
0040151E . B9 00010000 mov ecx,0x100 ; ecx = 0x100 bytes to scan
00401523 . B0 99 mov al,0x99
00401525 . 34 55 xor al,0x55 ; al = 0x99 ^ 0x55 = 0xCC (INT3); built indirectly, presumably so the 0xCC byte never appears as an immediate
00401527 . F2:AE repne scas byte ptr es:[edi] ; scan 00401296..00401395 for a 0xCC byte: any software breakpoint placed there is detected
; NOTE(review): only memory contents are inspected, so hardware breakpoints (DR0-DR3) and page-guard memory breakpoints are invisible to this check.
; NOTE(review): repne scasb leaves ecx == 0 both when nothing matched and when the match was on the very last byte, so 00401395 itself is effectively unchecked.
00401529 . 85C9 test ecx,ecx
0040152B . 74 06 je short KGM1Tal.00401533 ; ecx == 0 -> no INT3 found -> return normally (this jump must be taken)
0040152D . 5E pop esi ; KGM1Tal.00401271 -- failure path: discard the return address ...
0040152E . 33F6 xor esi,esi ; KGM1Tal.00401230
00401530 . 57 push edi ; KGM1Tal.00401396 -- ... push the scan position in its place ...
00401531 .^ EB C2 jmp short KGM1Tal.004014F5 ; ... and jump to the failure handler at 004014F5 (the "Try Again" path, inferred from the walkthrough)
00401533 > C3 retn
[AppleScript] 纯文本查看 复制代码 00401271 |. E8 33020000 call KGM1Tal.004014A9 ; anti-debug check #2: INT3 scan of an imported API's entry bytes (F7 to step in)
004014A9 $ BE 9C154000 movesi,<jmp.&user32.GetDlgItem>; esi = the import thunk; expected to be 'jmp dword ptr [IAT slot]' (FF 25 xx xx xx xx), so the slot address is at esi+2
004014AE . 8B7E 02 mov edi,dword ptr ds:[esi+0x2] ; edi = address of the IAT slot (OllyDbg resolves it as <&user32.GetDlgItemTextA>)
004014B1 . 8B3F movedi,dword ptr ds:[edi] ; edi = the API's real entry point inside user32.dll
004014B3 . B9 06000000 mov ecx,0x6 ; only the first 6 bytes of the API are scanned
004014B8 . B0 CC mov al,0xCC ; INT3, written as a plain immediate here (unlike the xor trick at 00401523)
004014BA . F2:AE repne scas byte ptr es:[edi] ; catches the classic software breakpoint on the API prologue ("bp GetDlgItemTextA")
; NOTE(review): a hardware breakpoint on the API, or a software breakpoint deeper than 6 bytes in, is not caught; a match on the 6th byte also leaves ecx == 0, so that byte is effectively unchecked.
004014BC . 85C9 test ecx,ecx
004014BE . 74 06 je short KGM1Tal.004014C6 ; no INT3 -> return normally (this jump must be taken)
004014C0 . 5E pop esi ; KGM1Tal.00401276 -- failure path, same shape as at 0040152D
004014C1 . 33F6 xor esi,esi ; KGM1Tal.0040159C
004014C3 . 57 push edi ; user32.77D6AC0C
004014C4 . EB 2F jmp short KGM1Tal.004014F5 ; -> failure handler
004014C6 > C3 retn
00401276 |. FF75 08 push [arg.1] ; hWnd
00401279 |. E8 18000000 call KGM1Tal.00401296 ; the serial-check routine (the region scanned by check #1); step in
[AppleScript] 纯文本查看 复制代码 00401296 $ 55 push ebp ; serial-check routine: arg.1 = dialog hWnd
00401297 . 8BEC mov ebp,esp
00401299 . 60 pushad
0040129A . BE FE124000 mov esi,KGM1Tal.004012FE ; esi = address of an exception handler
0040129F . 56 push esi ; KGM1Tal.0040159C -- push the handler ...
004012A0 . 64:FF35 00000>push dword ptr fs:[0] ; ... push the previous SEH record ...
004012A7 . 64:8925 00000>mov dword ptr fs:[0],esp ; ... and install the new SEH frame (handler = 004012FE)
; NOTE(review): the handler body at 004012FE is not in this listing, so its purpose cannot be confirmed here; if the routine relies on an exception, a debugger that swallows first-chance exceptions will change the path.
004012AE . FF35 3C304000 push dword ptr ds:[0x40303C] ; /Count = 1E (30.) -- max chars for the username
004012B4 . 68 00304000 push KGM1Tal.00403000 ; |Buffer = KGM1Tal.00403000 -- username buffer
004012B9 . 68 EC030000 push 0x3EC ; |ControlID = 3EC(1004.)
004012BE . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd = 001A00A2('KeyGen1 - Taliesin',class='#32770')
004012C1 . E8 D6020000 call <jmp.&user32.GetDlgItemTex>; \GetDlgItemTextA -- reads the username edit control into 0x403000
004012C6 . FF35 40304000 push dword ptrds:[0x403040] ; /Count = 14 (20.) -- max chars for the password
004012CC . 68 23304000 push KGM1Tal.00403023 ; |Buffer = KGM1Tal.00403023 -- password buffer
004012D1 . 68 ED030000 push 0x3ED ; |ControlID = 3ED(1005.)
004012D6 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd = 001A00A2('KeyGen1 - Taliesin',class='#32770')
004012D9 . E8 BE020000 call <jmp.&user32.GetDlgItemTex>;\GetDlgItemTextA -- reads the password edit control into 0x403023
004012DE . E8 4F000000 callKGM1Tal.00401332 ; validate the two strings (step in)
[AppleScript] 纯文本查看 复制代码 00401332 $ 33C0 xor eax,eax ; first pass: every password character must be an uppercase letter
00401334 . B9 00000000 mov ecx,0x0 ; ecx = index into the password
00401339 . BE 23304000 mov esi,KGM1Tal.00403023 ; ASCII "HAOHAOXUEXI" -- password buffer (this run's input)
0040133E . 8A06 mov al,byte ptr ds:[esi] ; al = password[0]
00401340 . EB 10 jmp short KGM1Tal.00401352 ; enter the loop at its NUL test
00401342 > 0FB6C0 movzxeax,al
00401345 . 80B8 50314000>cmp byte ptrds:[eax+0x403150],0x2 ; character-class table indexed by ASCII code; 2 = uppercase letter (dump 0x403150: 'A'..'Z' map to 02, '0'..'9' to 01)
内存数据如下(OD 命令行输入 DD 403150 查看):
00403150 09090900 00403154 09090909 00403158 09050609 0040315C 09090509 00403160 09090909 00403164 09090909 00403168 09090909 0040316C 09090909 00403170 05050506 00403174 05050509 00403178 04040505 0040317C 04050405 00403180 01010101 00403184 01010101 00403188 05050101 0040318C 05050505 00403190 02020209 00403194 02020202 00403198 02020202 0040319C 02020202 004031A0 02020202 004031A4 02020202 004031A8 05020202
可以看到 0x41–0x5A('A'–'Z')对应的表项都是 02,0x30–0x39('0'–'9')是 01,其余是符号类别,所以这里和 0x2 比较就是在判断该字符是否为大写字母。继续向下分析:
[AppleScript] 纯文本查看 复制代码 0040134C /75 0A jnzshort KGM1Tal.00401358 ; not uppercase -> set the failure flag (so the password must be all uppercase)
0040134E . |41 inc ecx
0040134F . |8A0431 mov al,byte ptr ds:[ecx+esi] ; al = password[ecx]
00401352 > |3C00 cmp al,0x0 ; end of string?
00401354 .^|77 EC ja shortKGM1Tal.00401342 ; loop while the byte is non-zero (unsigned compare, so bytes >= 0x80 are also looked up in the table)
00401356 . |EB 07 jmp short KGM1Tal.0040135F
00401358 > \C605 44304000>mov byte ptr ds:[0x403044],0x40 ; flag: password contained a non-uppercase character (tested at 004013A6)
; NOTE(review): nothing in this listing clears [0x403044] again -- confirm whether the flag persists across attempts.
0040135F > BE 00304000 mov esi,KGM1Tal.00403000 ; ASCII "jackylin" -- username buffer
00401364 . 33C9 xor ecx,ecx
00401366 . B8 01000000 mov eax,0x1
0040136B . 33D2 xor edx,edx ; edx = index into the username
0040136D . C705 45304000>mov dword ptrds:[0x403045],0x0 ; clear the whole dword so the 8-bit sum below reads back cleanly at 0040138D
00401377 > B9 00000000 mov ecx,0x0
0040137C . 8A0C32 mov cl,byte ptr ds:[edx+esi] ; cl = username[edx]
0040137F . 80F900 cmp cl,0x0 ; end of the username?
00401382 . 74 09 je short KGM1Tal.0040138D
00401384 . 42 inc edx
00401385 . 000D 45304000 add byte ptrds:[0x403045],cl ; SUM1 = sum of the username bytes, kept in a single byte (wraps mod 256)
0040138B .^ EB EA jmp shortKGM1Tal.00401377
0040138D > A1 45304000 mov eax,dword ptr ds:[0x403045] ; eax = SUM1 (the upper three bytes are the zeros written at 0040136D)
00401392 . B9 18000000 mov ecx,0x18
00401397 . 99 cdq
00401398 . F7F9 idiv ecx ; edx = SUM1 % 24
0040139A . 8815 4F304000mov byte ptr ds:[0x40304F],dl ; [0x40304F] = SUM1 % 24 -- the starting table index, read again at 004013FC
004013A0 . 8A0D44304000 mov cl,byte ptr ds:[0x403044]
004013A6 . 80F940 cmp cl,0x40 ; was the non-uppercase flag set?
004013A9 75 05 jnz short KGM1Tal.004013B0 ; no -> continue (this jump must be taken)
004013AB E9 45010000 jmp KGM1Tal.004014F5 ; yes -> failure handler
004013B0 > E9 CB000000 jmp KGM1Tal.00401480
004013B5 . C3 retn
00401480 > \E8 8B000000 callKGM1Tal.00401510 ; second-character check, which falls through into INT3 scan #1 again (step in)
[AppleScript] 纯文本查看 复制代码 00401510 $ A024304000 mov al,byte ptrds:[0x403024] ; al = password[1] (second character; the buffer starts at 0x403023 -- dump it to confirm)
00401515 . 3C 45 cmp al,0x45 ; password[1] must be 'E' (0x45)
00401517 ^ 75 DC jnz short KGM1Tal.004014F5 ; otherwise -> failure handler
00401519 $ BF96124000 mov edi,KGM1Tal.00401296 ; falls straight through into INT3 scan #1 (same code as after 0040126C): edi = start of the serial routine
0040151E . B900010000 mov ecx,0x100 ; 0x100 bytes
00401523 . B099 mov al,0x99
00401525 . 3455 xor al,0x55 ; al = 0x99 ^ 0x55 = 0xCC (INT3)
00401527 . F2:AE repne scas byte ptres:[edi] ; scan 00401296..00401395 for a software breakpoint (hardware breakpoints are not seen; a match on the last byte also leaves ecx == 0, so that byte is effectively unchecked)
00401529 . 85C9 test ecx,ecx
0040152B . 7406 je short KGM1Tal.00401533 ; no INT3 -> return to 00401485 (this jump must be taken)
0040152D . 5E pop esi ; KGM1Tal.00401485 -- failure path
0040152E . 33F6 xor esi,esi ; KGM1Tal.00403000
00401530 . 57 push edi ; KGM1Tal.00401396
00401531 .^ EB C2 jmp short KGM1Tal.004014F5
00401533 > C3 retn
00401485 . 33DB xor ebx,ebx
00401487 . BF80144000 mov edi,KGM1Tal.00401480
0040148C . 83EF60 sub edi,0x60 ; edi = 0x401480 - 0x60 = 0x401420: start of INT3 scan #3's range
0040148F . B8DE000000 mov eax,0xDE
00401494 . 83F0 12 xor eax,0x12 ; al = 0xDE ^ 0x12 = 0xCC (INT3); the 0x60 above is only the displacement, not part of this xor
00401497 . B959000000 mov ecx,0x59 ; 0x59 bytes
0040149C . F2:AE repne scas byte ptres:[edi] ; scan 00401420..00401478 (the per-character compare code) for a software breakpoint; same blind spots as the scans above
0040149E . 85C9 test ecx,ecx
004014A0 . 74 06 je short KGM1Tal.004014A8 ; no INT3 -> return normally (this jump must be taken)
004014A2 . 5E pop esi ; KGM1Tal.004012E3 -- failure path
004014A3 . 33F6 xor esi,esi ; KGM1Tal.00403000
004014A5 . 57 push edi ; KGM1Tal.00401479
004014A6 . EB 4D jmp short KGM1Tal.004014F5
004014A8 > C3 retn
004012E8 . E8 C9000000 call KGM1Tal.004013B6 ; length check and per-character compare of the password (step in)
[AppleScript] 纯文本查看 复制代码 004013B6 $ 55 push ebp ; password format check; arg.1 is used as a lookup table (0x403053 in this run, see 004013F9)
004013B7 . 8BEC mov ebp,esp
004013B9 . 6823304000 push KGM1Tal.00403023 ; ASCII "HAOHAOXUEXI" -- password buffer
004013BE . E87D010000 call KGM1Tal.00401540 ; strlen(password), stdcall (step in)
[AppleScript] 纯文本查看 复制代码 00401540 /$ 8B4424 04 mov eax,dword ptrss:[esp+0x4] ; strlen: eax = password pointer (single stack arg; retn 4 below -> stdcall)
00401544 |. 83E8 04 sub eax,0x4 ; unrolled loop: test four bytes per iteration for the terminating NUL
00401547 |> 83C0 04 /add eax,0x4
0040154A |. 8038 00 |cmp byte ptrds:[eax],0x0
0040154D |. 7430 |je short KGM1Tal.0040157F ; NUL at +0
0040154F |. 8078 01 00 |cmp byte ptrds:[eax+0x1],0x0
00401553 |. 7420 |je short KGM1Tal.00401575 ; NUL at +1
00401555 |. 8078 02 00 |cmp byte ptrds:[eax+0x2],0x0
00401559 |. 7410 |je short KGM1Tal.0040156B ; NUL at +2
0040155B |. 8078 03 00 |cmp byte ptrds:[eax+0x3],0x0
0040155F |.^ 75 E6 \jnz short KGM1Tal.00401547 ; no NUL in these four bytes -> next group
00401561 |. 2B4424 04 sub eax,dword ptrss:[esp+0x4] ; KGM1Tal.004012ED -- NUL at +3: length = (eax - start) + 3
00401565 |. 83C0 03 add eax,0x3
00401568 |. C20400 retn 0x4
0040156B |> 2B4424 04 sub eax,dword ptrss:[esp+0x4] ; KGM1Tal.004012ED -- NUL at +2
0040156F |. 83C0 02 add eax,0x2
00401572 |. C20400 retn 0x4
00401575 |> 2B4424 04 sub eax,dword ptrss:[esp+0x4] ; KGM1Tal.004012ED -- NUL at +1
00401579 |. 83C0 01 add eax,0x1
0040157C |. C20400 retn 0x4
0040157F |> 2B4424 04 sub eax,dword ptrss:[esp+0x4] ; KGM1Tal.004012ED -- NUL at +0
00401583 \. C20400 retn 0x4
004013C3 |. 83F80A cmp eax,0xA ; the password must be exactly 10 characters
004013C6 |. 0F8529010000 jnz KGM1Tal2.004014F5 ; otherwise -> failure handler
004013CC |. BE23304000 mov esi,KGM1Tal2.00403023 ; ASCII "HAOHAOXUEXI" -- esi = password
004013D1 |. B800000000 mov eax,0x0 ; eax = index
004013D6 |. BB00000000 mov ebx,0x0 ; ebx = SUM2
004013DB |. 33C9 xor ecx,ecx
004013DD |. EB06 jmp short KGM1Tal2.004013E5
004013DF |> 8A0C30 /mov cl,byte ptr ds:[eax+esi]
004013E2 |. 03D9 |add ebx,ecx ; SUM2 = sum of password[0..8] (the 10th character is handled separately at 004014CE)
004013E4 |. 40 |inc eax
004013E5 |> 83F8 09 cmp eax,0x9
004013E8 |.^ 72 F5 \jb short KGM1Tal2.004013DF ; loop over indices 0..8
004013EA |. 8BC3 mov eax,ebx
004013EC |. B909000000 mov ecx,0x9
004013F1 |. 99 cdq
004013F2 |. F7F9 idiv ecx ; eax = SUM2 / 9
004013F4 |. A3 4A304000 mov dword ptr ds:[0x40304A],eax ; [0x40304A] = SUM2 / 9 -- compared with password[9] at 004014D3
004013F9 |. 8B7D 08 mov edi,[arg.1] ; KGM1Tal2.00403053 -- edi = lookup table (contents not shown here; indices are clamped to <= 0x18 below, so presumably about 24 entries)
004013FC |. 8A15 4F304000mov dl,byte ptr ds:[0x40304F] ; dl = SUM1 % 24 (computed at 0040139A)
00401402 |. 8AC2 mov al,dl
00401404 |. 3C 18 cmp al,0x18
00401406 |. 7602 jbe short KGM1Tal2.0040140A
00401408 |. 2C 18 sub al,0x18 ; wrap the index when it exceeds 0x18 (cannot trigger here since dl < 24; the same clamp is reused below)
0040140A |> A2 4E304000 mov byte ptrds:[0x40304E],al ; [0x40304E] = current table index
; NOTE(review): the clamp uses jbe, so an index of exactly 0x18 is NOT wrapped and reads the 25th table byte; whether the table has that byte cannot be confirmed from this listing.
0040140F |. 33C0 xor eax,eax
00401411 |. A04E304000 mov al,byte ptr ds:[0x40304E]
00401416 |. 8A2438 mov ah,byte ptr ds:[eax+edi] ; ah = table[index]
00401419 |. 8A36 mov dh,byte ptr ds:[esi] ; dh = password[0]
0040141B |. 38F4 cmp ah,dh ; password[0] must equal table[SUM1 % 24]
0040141D |. 0F85 D2000000 jnz KGM1Tal2.004014F5
00401423 |. 80EE 41 sub dh,0x41 ; the result is overwritten by the next instruction, so this is effectively dead
00401426 |. 8AF2 mov dh,dl ; dh = dl = SUM1 % 24
00401428 |. B400 mov ah,0x0
0040142A |. A24E304000 mov byte ptr ds:[0x40304E],al
0040142F |. 33C0 xor eax,eax
00401431 |. A04E304000 mov al,byte ptr ds:[0x40304E] ; al = previous index
00401436 |. 02C2 add al,dl ; index += SUM1 % 24
00401438 |. 3C 18 cmp al,0x18
0040143A |. 7602 jbe short KGM1Tal2.0040143E
0040143C |. 2C 18 sub al,0x18 ; wrap once when > 0x18
0040143E |> B9 02000000 mov ecx,0x2 ; ecx = 2: the third character is compared next (password[1] was already checked at 00401510)
00401443 |. 8A2438 mov ah,byte ptr ds:[eax+edi] ; ah = table[index]
00401446 |. 8A3431 mov dh,byte ptr ds:[ecx+esi] ; dh = password[2]
00401449 |. 38F4 cmp ah,dh
0040144B |. 0F85 A4000000jnz KGM1Tal2.004014F5 ; mismatch -> failure handler
到这里各位童鞋是否觉得有点茫然,很正常,里面绕的弯子比较多,但是没事,一遍看不懂就多看两遍,你总会看懂的,我就是这样子的,继续往后分析:
[AppleScript] 纯文本查看 复制代码 00401451 |. /EB 24 jmp short KGM1Tal2.00401477 ; loop over password[3]..password[8] (ecx runs 2..7 and is incremented inside the body)
00401453 |> |A2 4E304000 /mov byte ptr ds:[0x40304E],al ; save the current table index
00401458 |. |33C0 |xor eax,eax
0040145A |. |A0 4E304000 |mov al,byte ptr ds:[0x40304E] ; al = current index
0040145F |. |80EE 41 |sub dh,0x41 ; dh = previous password character - 'A'
00401462 |. |8AD6 |mov dl,dh ; dl = that offset: the step added to the index
00401464 |. |41 |inc ecx
00401465 |. |02C2 |add al,dl ; index += (previous char - 'A')
00401467 |. |3C18 |cmp al,0x18
00401469 |. |76 02 |jbe short KGM1Tal2.0040146D
0040146B |. |2C18 |sub al,0x18 ; wrap once when > 0x18 (same jbe quirk as at 00401404: exactly 0x18 is not wrapped)
; NOTE(review): only one subtraction is done; with al <= 0x18 and dl up to 0x19 ('Z'-'A') the index can still be 0x19 afterwards, i.e. beyond a 24-entry table -- confirm the table size at 0x403053.
0040146D |> |8A2438 |mov ah,byte ptr ds:[eax+edi] ; ah = table[index]
00401470 |. |8A3431 |mov dh,byte ptr ds:[ecx+esi] ; dh = password[ecx]
00401473 |. |38F4 |cmp ah,dh
00401475 |. |75 7E |jnz short KGM1Tal2.004014F5 ; mismatch -> failure handler
00401477 |> \83F908 cmp ecx,0x8
0040147A |.^ 72 D7 \jb short KGM1Tal2.00401453 ; continue while ecx < 8
0040147C |. C9 leave
0040147D \. C20400 retn 0x4
004012ED . E8DC010000 call KGM1Tal2.004014CE ; final check of password[9] (step in)
[AppleScript] 纯文本查看 复制代码 004014CE /$ BE23304000 mov esi,KGM1Tal2.00403023 ; ASCII "HAOHAOXUEXI" -- esi = password
004014D3 |. A1 4A304000 mov eax,dword ptr ds:[0x40304A] ; eax = SUM2 / 9 (stored at 004013F4)
004014D8 |. 8A5E 09 mov bl,byte ptr ds:[esi+0x9] ; bl = password[9], the last character
004014DB |. 38D8 cmp al,bl ; only the low byte of the quotient is compared with the last character
004014DD |. 7516 jnz short KGM1Tal2.004014F5 ; mismatch -> failure handler
004014DF |. B8 6C304000 mov eax,KGM1Tal2.0040306C ; ASCII "Great Job!" -- success path starts here
004014E4 |. 8BD8 mov ebx,eax
004014E6 |. 83C3 0B add ebx,0xB ; ebx = eax + 11, i.e. just past "Great Job!" and its NUL (what follows is not shown; the listing ends here)
到此就算跟完了,各位童鞋是否已经睡着,但是不急,我们确实已经跟完了,细细回想发现过程其实也不是很难,只是内容较多…
最后附带两个链接,里面有原版的软件和一个破解补丁… 希望各位童鞋好好学习,天天向上… 第一次的贴被提出字迹太乱,希望想认真看着帖子的人多提意见,我会继续编辑修改,不好意思...
软件地址链接: http://pan.baidu.com/share/link?shareid=481844&uk=1344482023 破解补丁链接:http://pan.baidu.com/share/link?shareid=481840&uk=1344482023