好友
阅读权限25
听众
最后登录1970-1-1
|
本帖最后由 wuhanqi 于 2010-1-31 12:22 编辑
【文章标题】: 另类破解XX酷图+去除注册检验
【文章作者】: wuhanqi[LCG]
【作者主页】: http://hi.baidu.com/wuhanqi
【作者QQ号】: 459478830
【下载地址】: 自己搜索下载
【操作平台】: XP
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
废话不多说,直接进入正题、
程序无壳,Delphi编写,未注册有注册提示窗体、不是MessageBox、遂下bp ShowWindow、
一边F9一边观察堆栈,发现成功断下: 0012F7BC 0048F97F /CALL to ShowWindow from yfClPic.0048F97A
0012F7C0 001A05C0 |hWnd = 001A05C0 ('用户注册',class='TForm32',parent=001A043E)
0012F7C4 00000001 \ShowState = SW_SHOWNORMAL
0012F7C8 0012F7D4 Pointer to next SEH record
0012F7CC 0048FAA1 SE handler
0012F7D0 0012F7F4
然后在堆栈向下拉,找距离比较远的调用: 0012F7BC 0048F97F /CALL to ShowWindow from yfClPic.0048F97A
0012F7C0 001A05C0 |hWnd = 001A05C0 ('用户注册',class='TForm32',parent=001A043E)
0012F7C4 00000001 \ShowState = SW_SHOWNORMAL
省略N多代码................
0012FB68 |0048C61C yfClPic.0048C61C
0012FB6C |01099EF0
0012FB70 |0048FD98 RETURN to yfClPic.0048FD98 from yfClPic.0048C878
0012FB74 |00FA3D44
0012FB78 |005FDAD1 RETURN to yfClPic.005FDAD1 from yfClPic.0048FD8C
0012FB7C ]0012FBC4
0012FB80 |005FE971 RETURN to yfClPic.005FE971 from yfClPic.005FDAAC ★
0012FB84 |00190642
005FE954 . 803D 9CB96B00>CMP BYTE PTR DS:[6BB99C],0
005FE95B . 75 14 JNZ SHORT 005FE971 ; jmp 掉就没提示框了
005FE95D . 6A 00 PUSH 0
005FE95F . 6A 00 PUSH 0
005FE961 . 6A 00 PUSH 0
005FE963 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005FE966 . E8 F1A8E7FF CALL 0047925C
005FE96B . 50 PUSH EAX
005FE96C . E8 3BF1FFFF CALL 005FDAAC ; 弹注册窗口
005FE971 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
心中窃喜,以为万事大吉,谁知道在运行程序的时候他连图像都不让我打开,按打开图像按钮...失效...
以为是程序自校验,于是用OD分别载入修改前后的程序,再用Delphi事件断点查找脚本找好断点,OK继续开工....
中间省略一点比较的过程...可以来到关键处: 00457784 . 53 PUSH EBX
00457785 . 56 PUSH ESI
00457786 . 57 PUSH EDI
00457787 . 8BD8 MOV EBX,EAX
00457789 . F643 1C 10 TEST BYTE PTR DS:[EBX+1C],10
0045778D . 75 37 JNZ SHORT 004577C6
0045778F . 8BBB 78010000 MOV EDI,DWORD PTR DS:[EBX+178]
00457795 . 85FF TEST EDI,EDI
00457797 . 74 06 JE SHORT 0045779F
00457799 . 807F 61 00 CMP BYTE PTR DS:[EDI+61],0
0045779D . 75 09 JNZ SHORT 004577A8
0045779F > 83BB 74010000>CMP DWORD PTR DS:[EBX+174],0
004577A6 74 1E JE SHORT 004577C6
004577A8 > 83BB 84010000>CMP DWORD PTR DS:[EBX+184],0
004577AF . 74 15 JE SHORT 004577C6
004577B1 . 8BD3 MOV EDX,EBX
004577B3 . 8B83 84010000 MOV EAX,DWORD PTR DS:[EBX+184]
004577B9 . 66:BE B2FF MOV SI,0FFB2
004577BD . E8 4EC4FAFF CALL 00403C10 ; 源程序是执行到这里的,但修改后的程序上面的跳转就会跳过去,于是乎修改跳转
004577C2 . 84C0 TEST AL,AL
004577C4 75 04 JNZ SHORT 004577CA
004577C6 > 33C0 XOR EAX,EAX
004577C8 . EB 02 JMP SHORT 004577CC
004577CA > B0 01 MOV AL,1
004577CC > 5F POP EDI
004577CD . 5E POP ESI
004577CE . 5B POP EBX
004577CF . C3 RETN
004577A6 /74 1E JE SHORT 004577C6
改为:
004577A6 /74 09 JE SHORT 004577B1
然后到CALL里面去看看: 00403C10 $ 50 PUSH EAX
00403C11 . 51 PUSH ECX
00403C12 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00403C14 . E8 C7FFFFFF CALL 00403BE0
00403C19 . 59 POP ECX
....省略部分代码.....
0045B720 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045B723 . C680 C8020000>MOV BYTE PTR DS:[EAX+2C8],0
0045B72A . 33D2 XOR EDX,EDX
0045B72C . 55 PUSH EBP
0045B72D . 68 05BA4500 PUSH 0045BA05
0045B732 . 64:FF32 PUSH DWORD PTR FS:[EDX]
0045B735 . 64:8922 MOV DWORD PTR FS:[EDX],ESP
0045B738 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0045B73B . 8B80 78010000 MOV EAX,DWORD PTR DS:[EAX+178] ; EAX+178的值为零,而在源程序里面是0x0109166C
0045B741 . 85C0 TEST EAX,EAX
0045B743 74 0E JE SHORT 0045B753 ; 发现修改过后的程序这里跳转了
0045B745 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0045B748 . 8982 CC020000 MOV DWORD PTR DS:[EDX+2CC],EAX
0045B74E . E9 0D010000 JMP 0045B860
0045B753 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0045B756 . 8B80 74010000 MOV EAX,DWORD PTR DS:[EAX+174]
0045B75C . 85C0 TEST EAX,EAX
0045B75E . 0F84 F2000000 JE 0045B856
0045B764 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0045B766 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0045B769 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045B76C . E8 E7FEFFFF CALL 0045B658
0045B771 . 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0045B774 . B2 01 MOV DL,1
0045B776 . A1 701E4800 MOV EAX,DWORD PTR DS:[481E70]
于是我想到可能某个对EAX+178赋值的地址被我们用那个JMP一起JMP掉了、
另外这个程序是验证keyfile的,而且在注册框处比较了6BB99C是否为零,我右键查找地址常数,跟随到MOV BYTE PTR DS:[6BB99C],1附近看了看代码,八成是在那里进行验证并且对我们这个EAX+178赋值、
代码分析能力实在不强,而且本人比较懒- -...想到程序在试用部分也一定有对eax+178赋值的代码,我把那部分提取出来不就是了....
所以在源程序跟随EAX+178到数据窗口...
010854FC 6C 16 09 01 00 02 00 00 00 00 00 00 00 4B 08 01 l�.�.�.......K��
0108550C 2A 00 00 00 60 50 42 00 00 00 00 00 10 2A 47 00 *...`PB.....�*G.
0108551C 84 53 08 01 F0 A2 06 01 00 00 00 00 08 00 00 FF 凷��稷��....�..
下硬件访问断点..重载程序F9两次来到...: 0045747C /$ 3B90 78010000 CMP EDX,DWORD PTR DS:[EAX+178]
00457482 |. 74 10 JE SHORT 00457494
00457484 |. 8990 78010000 MOV DWORD PTR DS:[EAX+178],EDX ; 这里对我们的EAX+178赋值了!此时EDX正是我们想要的值 0109166c
0045748A |. 85D2 TEST EDX,EDX
0045748C |. 74 06 JE SHORT 00457494
0045748E |. 92 XCHG EAX,EDX
0045748F |. E8 0CC1FCFF CALL 004235A0
00457494 \> C3 RETN
我们走出这个call看看: 005AA7C4 /. 55 PUSH EBP
005AA7C5 |. 8BEC MOV EBP,ESP
005AA7C7 |. 33C9 XOR ECX,ECX
005AA7C9 |. 51 PUSH ECX
005AA7CA |. 51 PUSH ECX
005AA7CB |. 51 PUSH ECX
005AA7CC |. 51 PUSH ECX
005AA7CD |. 51 PUSH ECX
005AA7CE |. 51 PUSH ECX
005AA7CF |. 53 PUSH EBX
005AA7D0 |. 56 PUSH ESI
005AA7D1 |. 8BD8 MOV EBX,EAX
005AA7D3 |. 33C0 XOR EAX,EAX
005AA7D5 |. 55 PUSH EBP
005AA7D6 |. 68 0DAA5A00 PUSH 005AAA0D
005AA7DB |. 64:FF30 PUSH DWORD PTR FS:[EAX]
005AA7DE |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
005AA7E1 |. 8B15 7CC56200 MOV EDX,DWORD PTR DS:[62C57C] ; yfClPic.006BB884
005AA7E7 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
005AA7E9 |. 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
005AA7EF |. E8 9C81ECFF CALL 00472990
005AA7F4 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA7F9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA7FB |. 8B90 D8040000 MOV EDX,DWORD PTR DS:[EAX+4D8]
005AA801 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA806 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA808 |. 8B80 90060000 MOV EAX,DWORD PTR DS:[EAX+690]
005AA80E |. E8 69CCEAFF CALL 0045747C ; 赋值EAX+178的call
005AA813 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005AA816 |. A1 ECC76200 MOV EAX,DWORD PTR DS:[62C7EC]
005AA81B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA81D |. E8 7A93EEFF CALL 00493B9C
005AA822 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005AA825 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
005AA828 |. E8 57F4E5FF CALL 00409C84
005AA82D |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005AA830 |. BA 24AA5A00 MOV EDX,005AAA24 ; ASCII "BuyWay.ini"
005AA835 |. E8 B6A2E5FF CALL 00404AF0
005AA83A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005AA83D |. 50 PUSH EAX
005AA83E |. 33C9 XOR ECX,ECX
005AA840 |. BA 38AA5A00 MOV EDX,005AAA38 ; ASCII "Order"
005AA845 |. B8 48AA5A00 MOV EAX,005AAA48 ; ASCII "BuyWay"
005AA84A |. E8 51D5FAFF CALL 00557DA0
005AA84F |. 48 DEC EAX
005AA850 |. 75 34 JNZ SHORT 005AA886
005AA852 |. B2 01 MOV DL,1
005AA854 |. 8B83 50030000 MOV EAX,DWORD PTR DS:[EBX+350]
005AA85A |. E8 FDA3EDFF CALL 00484C5C
005AA85F |. B2 01 MOV DL,1
005AA861 |. 8B83 68030000 MOV EAX,DWORD PTR DS:[EBX+368]
005AA867 |. E8 F0A3EDFF CALL 00484C5C
005AA86C |. 33D2 XOR EDX,EDX
005AA86E |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
005AA874 |. E8 E3A3EDFF CALL 00484C5C
005AA879 |. 33D2 XOR EDX,EDX
005AA87B |. 8B83 7C030000 MOV EAX,DWORD PTR DS:[EBX+37C]
005AA881 |. E8 D6A3EDFF CALL 00484C5C
005AA886 |> 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
005AA889 |. A1 ECC76200 MOV EAX,DWORD PTR DS:[62C7EC]
005AA88E |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA890 |. E8 0793EEFF CALL 00493B9C
005AA895 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005AA898 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005AA89B |. E8 E4F3E5FF CALL 00409C84
005AA8A0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
005AA8A3 |. BA 24AA5A00 MOV EDX,005AAA24 ; ASCII "BuyWay.ini"
005AA8A8 |. E8 43A2E5FF CALL 00404AF0
005AA8AD |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005AA8B0 |. 50 PUSH EAX
005AA8B1 |. 33C9 XOR ECX,ECX
005AA8B3 |. BA 58AA5A00 MOV EDX,005AAA58 ; ASCII "ShowTip2"
005AA8B8 |. B8 48AA5A00 MOV EAX,005AAA48 ; ASCII "BuyWay"
005AA8BD |. E8 DED4FAFF CALL 00557DA0
005AA8C2 |. 48 DEC EAX
005AA8C3 |. 75 10 JNZ SHORT 005AA8D5
005AA8C5 |. BA 6CAA5A00 MOV EDX,005AAA6C
005AA8CA |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
005AA8D0 |. E8 BB80ECFF CALL 00472990
005AA8D5 |> E8 C60CE6FF CALL 0040B5A0
005AA8DA |. 83C4 F8 ADD ESP,-8
005AA8DD |. DD1C24 FSTP QWORD PTR SS:[ESP]
005AA8E0 |. 9B WAIT
005AA8E1 |. E8 F6CCFAFF CALL 005575DC
005AA8E6 |. 0FB7C8 MOVZX ECX,AX
005AA8E9 |. BA A0AA5A00 MOV EDX,005AAAA0 ; ASCII "DV"
005AA8EE |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA8F3 |. E8 68CFFAFF CALL 00557860
005AA8F8 |. 8BF0 MOV ESI,EAX
005AA8FA |. E8 A10CE6FF CALL 0040B5A0
005AA8FF |. 83C4 F8 ADD ESP,-8
005AA902 |. DD1C24 FSTP QWORD PTR SS:[ESP]
005AA905 |. 9B WAIT
005AA906 |. E8 D1CCFAFF CALL 005575DC
005AA90B |. 0FB7C0 MOVZX EAX,AX
005AA90E |. 3BF0 CMP ESI,EAX
005AA910 |. 74 32 JE SHORT 005AA944
005AA912 |. B9 50000000 MOV ECX,50
005AA917 |. BA C0AA5A00 MOV EDX,005AAAC0 ; ASCII "ExeSet"
005AA91C |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA921 |. E8 3ACFFAFF CALL 00557860
005AA926 |. 8BD0 MOV EDX,EAX
005AA928 |. B8 50000000 MOV EAX,50
005AA92D |. E8 0644E8FF CALL 0042ED38
005AA932 |. 8BC8 MOV ECX,EAX
005AA934 |. 49 DEC ECX
005AA935 |. BA C0AA5A00 MOV EDX,005AAAC0 ; ASCII "ExeSet"
005AA93A |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA93F |. E8 3CD1FAFF CALL 00557A80
005AA944 |> E8 570CE6FF CALL 0040B5A0
005AA949 |. 83C4 F8 ADD ESP,-8
005AA94C |. DD1C24 FSTP QWORD PTR SS:[ESP]
005AA94F |. 9B WAIT
005AA950 |. E8 87CCFAFF CALL 005575DC
005AA955 |. 0FB7C8 MOVZX ECX,AX
005AA958 |. BA A0AA5A00 MOV EDX,005AAAA0 ; ASCII "DV"
005AA95D |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA962 |. E8 19D1FAFF CALL 00557A80
005AA967 |. B9 50000000 MOV ECX,50
005AA96C |. BA C0AA5A00 MOV EDX,005AAAC0 ; ASCII "ExeSet"
005AA971 |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA976 |. E8 E5CEFAFF CALL 00557860
005AA97B |. 8BD0 MOV EDX,EAX
005AA97D |. 83EA 41 SUB EDX,41
005AA980 |. B8 0F000000 MOV EAX,0F
005AA985 |. E8 AE43E8FF CALL 0042ED38
005AA98A |. 8BD0 MOV EDX,EAX
005AA98C |. 33C0 XOR EAX,EAX
005AA98E |. E8 5144E8FF CALL 0042EDE4
005AA993 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
005AA996 |. E8 0DE9E5FF CALL 004092A8
005AA99B |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
005AA99E |. 8B83 90030000 MOV EAX,DWORD PTR DS:[EBX+390]
005AA9A4 |. E8 E77FECFF CALL 00472990
005AA9A9 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
005AA9AC |. 8B83 90030000 MOV EAX,DWORD PTR DS:[EBX+390]
005AA9B2 |. E8 A97FECFF CALL 00472960
005AA9B7 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
005AA9BA |. BA D0AA5A00 MOV EDX,005AAAD0
005AA9BF |. E8 70A2E5FF CALL 00404C34
005AA9C4 |. 75 24 JNZ SHORT 005AA9EA
005AA9C6 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA9CB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA9CD |. 8B80 8C060000 MOV EAX,DWORD PTR DS:[EAX+68C]
005AA9D3 |. 33D2 XOR EDX,EDX
005AA9D5 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
005AA9D7 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
005AA9DA |. BA DCAA5A00 MOV EDX,005AAADC ; ASCII "关闭退出软件"
005AA9DF |. 8B83 38030000 MOV EAX,DWORD PTR DS:[EBX+338]
005AA9E5 |. E8 A67FECFF CALL 00472990
005AA9EA |> 33C0 XOR EAX,EAX
005AA9EC |. 5A POP EDX
005AA9ED |. 59 POP ECX
005AA9EE |. 59 POP ECX
005AA9EF |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
005AA9F2 |. 68 14AA5A00 PUSH 005AAA14
005AA9F7 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
005AA9FA |. E8 299EE5FF CALL 00404828
005AA9FF |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
005AAA02 |. BA 05000000 MOV EDX,5
005AAA07 |. E8 409EE5FF CALL 0040484C
005AAA0C \. C3 RETN
005AAA0D .^ E9 9697E5FF JMP 004041A8
005AAA12 .^ EB E3 JMP SHORT 005AA9F7
005AAA14 . 5E POP ESI
005AAA15 . 5B POP EBX
005AAA16 . 8BE5 MOV ESP,EBP
005AAA18 . 5D POP EBP
005AAA19 . C3 RETN
发现是用户注册那个窗体Formcreate调用的call..不要问我为什么..我是看了DEDE才知道的...
重点看这段代码: 005AA7E9 |. 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
005AA7EF |. E8 9C81ECFF CALL 00472990
005AA7F4 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA7F9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA7FB |. 8B90 D8040000 MOV EDX,DWORD PTR DS:[EAX+4D8]
005AA801 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA806 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA808 |. 8B80 90060000 MOV EAX,DWORD PTR DS:[EAX+690]
005AA80E |. E8 69CCEAFF CALL 0045747C ; 赋值EAX+178的call
005AA813 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005AA816 |. A1 ECC76200 MOV EAX,DWORD PTR DS:[62C7EC]
005AA81B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
发现62CA0C里面放的是个固定的地址,那我们就把从005AA7F4到 005AA80E的代码都赋值下来、
还记得我们JMP了一段代码嘛?那就是免费的空间啊!
跟随到: 005FE954 . 803D 9CB96B00>CMP BYTE PTR DS:[6BB99C],0
005FE95B . 75 14 JNZ SHORT 005FE971 ; jmp 掉就没提示框了
005FE95D . 6A 00 PUSH 0
005FE95F . 6A 00 PUSH 0
005FE961 . 6A 00 PUSH 0
005FE963 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005FE966 . E8 F1A8E7FF CALL 0047925C
005FE96B . 50 PUSH EAX
005FE96C . E8 3BF1FFFF CALL 005FDAAC ; 弹注册窗口
005FE971 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
修改为: 005FE954 A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005FE959 8B00 MOV EAX,DWORD PTR DS:[EAX]
005FE95B 8B90 D8040000 MOV EDX,DWORD PTR DS:[EAX+4D8] ; jmp 掉就没提示框了
005FE961 A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005FE966 8B00 MOV EAX,DWORD PTR DS:[EAX]
005FE968 8B80 90060000 MOV EAX,DWORD PTR DS:[EAX+690]
005FE96E E8 098BE5FF CALL 0045747C
005FE973 90 NOP
挤掉了下面一句mov 不过并不影响结果..程序可以正常使用~
--------------------------------------------------------------------------------
【经验总结】
咱心里偷偷的笑,呵呵...
这样修改省去了分析算法- -,没办法,谁叫俺是菜鸟捏...一石二鸟,何乐而不为~
--------------------------------------------------------------------------------
【版权声明】: 么版权..菜..
2010年01月31日 12:24:46 |
免费评分
-
查看全部评分
|
