PCHeal2.5.26.2014爆破分析

kindbigbear0 · 发表于 2014-6-11 23:26

【破文标题】PCHeal2.5.26.2014爆破分析
【破文作者】Kindbigbear0
【作者邮箱】bugao@suni.com
【作者主页】www.meiyou.com
【破解工具】PEID  OD1.10
【破解平台】WindowsXP SP2
【软件名称】PCHeal2.5.26.2014
【软件大小】3.8MB
【原版下载】http://www.swiftdog.com/downloads/pcheal.exe
【保护方式】注册表
【软件简介】PCHeal sets the standard for PC optimizing software. PCHeal locates and repairs problems with software and hardware incompatibilities which lead to computer performance issues. Very easy to use, fully compliant with all versions of Microsoft ? Windows and adjusts itself to your computer specifications. Take your existing PC and revitalize it the easy way.
【破解声明】本人不懂技术，完全瞎糊弄，如有雷同，纯属巧合。
------------------------------------------------------------------------
【破解过程】PEID-------无壳，DELPHI
程序目录下见PCHealRegister.exe，可能是调用这个程序进行注册的
Ctrl+G到401000，字符串搜索Unicode
看到文本字符串=\Software\SwiftDog\PCHeal\
下面紧跟Name、Serial字样
跟进，段首下断
0055C9A4 $  55          PUSH EBP
0055C9A5 .  8BEC       MOV    EBP, ESP
0055C9A7 .  33C9       XOR    ECX, ECX
0055C9A9 .  51          PUSH ECX
......
0055C9EB .  BA 2CCB5500 MOV    EDX, PCHeal.0055CB2C          ;  \Software\SwiftDog\PCHeal\
0055C9F0 .  E8 37A1EAFF CALL PCHeal.00406B2C
0055C9F5 .  837D FC 00 CMP    DWORD PTR SS:[EBP-0x4], 0x0    ;  注册码是否为空
0055C9F9 .  74 06       JE    SHORT PCHeal.0055CA01
0055C9FB .  837D F8 00 CMP    DWORD PTR SS:[EBP-0x8], 0x0    ;  用户名是否为空
0055C9FF .  75 2E       JNZ    SHORT PCHeal.0055CA2F
0055CA01 >  6A 00       PUSH 0x0
......
0055CA35 .  E8 8A110000 CALL PCHeal.0055DBC4
0055CA3A    3C 01       CMP    AL, 0x1                   标志位AL与1比较
0055CA3C .  75 76       JNZ    SHORT PCHeal.0055CAB4    未注册就跳走，到达清空注册表Name和Serial键值的代码
观察假码标志位返回值为0，遂修改标志位判断，保存。
试运行保存后的文件，发现虽然程序窗口下方注册提示消失了，但是点击About时，并未显示License to:后面的用户名。打开注册表查看，相关键值已经被清零。程序还存在其它地方的验证，发现未注册就把注册表项清零。
跟进标志位比较处上面的CALL，寻找al赋值处，找到这里
0055DD51 > \84C0       TEST AL, AL
0055DD53 .  74 04       JE    SHORT PCHeal.0055DD59          ;  跳到EBX清零
0055DD55 .  B3 01       MOV    BL, 0x1                         ;  给BL赋值为1
0055DD57 .  EB 02       JMP    SHORT PCHeal.0055DD5B          ;  跳过EBX清零
......
0055DD93 .  8BC3       MOV    EAX, EBX                      :  给EAX赋值
0055DD95 .  5F          POP    EDI
0055DD96 .  5E          POP    ESI
0055DD97 .  5B          POP    EBX
0055DD98 .  8BE5       MOV    ESP, EBP
0055DD9A .  5D          POP    EBP
0055DD9B .  C3          RETN
NOP掉0055DD53处的JE，保存。
将注册表键值Name和Serial填上，可以正常显示License to: BEIJINGREN
算法分析不会，算法call在PCHealRegister.exe
感兴趣的朋友可以调试一下

注册表信息如下：
[HKEY_LOCAL_MACHINE\SOFTWARE\SwiftDog\PCHeal]
"InstalledDate"="2014-6-9 下午 09:01:23"
"ProcessorType"=dword:ffffffff
"Language"="english"
"Name"="BEIJINGREN"
"Restore"=dword:00000000
"Serial"="174L367CN000000"
"SpeedSetting"=dword:00000000
"Updated"=dword:00000000
"UpdatedDate"="2014-6-9 下午 09:01:23"
------------------------------------------------------------------------
【版权声明】版权所有，盗版不究。盗版劳烦注明出处。

挚爱、安安 · 发表于 2014-6-11 23:42

PCHeal sets the standard for PC optimizing software. PCHeal locates and repairs problems with software and hardware incompatibilities which lead to computer performance issues. Very easy to use, fully compliant with all versions of Microsoft ? Windows and adjusts itself to your computer specifications. Take your existing PC and revitalize it the easy way.

lwj一辈子 · 发表于 2014-6-11 23:46

感谢发布原创作品，学习了

ningzhonghui · 发表于 2014-6-12 08:35

不错，又学习了...

帐号		自动登录	找回密码
密码			注册[Register]

[分享] PCHeal2.5.26.2014爆破分析