Last edited by wuhanqi on 2010-1-31 12:22
【Title】: An unconventional crack of XX酷图 + removing the registration check
【Author】: wuhanqi[LCG]
【Author's homepage】: http://hi.baidu.com/wuhanqi
【Author's QQ】: 459478830
【Download】: search for it yourself
【Platform】: XP
【Author's note】: Done purely out of interest, with no other purpose. Where I have slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Without further ado, straight to the point.
The program is unpacked and written in Delphi. When unregistered it shows a registration prompt form rather than a MessageBox, so I set bp ShowWindow.
Pressing F9 while watching the stack, it broke successfully:
0012F7BC 0048F97F /CALL to ShowWindow from yfClPic.0048F97A
0012F7C0 001A05C0 |hWnd = 001A05C0 ('用户注册',class='TForm32',parent=001A043E)
0012F7C4 00000001 \ShowState = SW_SHOWNORMAL
0012F7C8 0012F7D4 Pointer to next SEH record
0012F7CC 0048FAA1 SE handler
0012F7D0 0012F7F4
Then scroll down in the stack and look for a call that is further away:
0012F7BC 0048F97F /CALL to ShowWindow from yfClPic.0048F97A
0012F7C0 001A05C0 |hWnd = 001A05C0 ('用户注册',class='TForm32',parent=001A043E)
0012F7C4 00000001 \ShowState = SW_SHOWNORMAL
(lots of code omitted)
0012FB68 |0048C61C yfClPic.0048C61C
0012FB6C |01099EF0
0012FB70 |0048FD98 RETURN to yfClPic.0048FD98 from yfClPic.0048C878
0012FB74 |00FA3D44
0012FB78 |005FDAD1 RETURN to yfClPic.005FDAD1 from yfClPic.0048FD8C
0012FB7C ]0012FBC4
0012FB80 |005FE971 RETURN to yfClPic.005FE971 from yfClPic.005FDAAC ★
0012FB84 |00190642
Find the line marked with the star and press Enter to follow it into the disassembly window:
005FE954 . 803D 9CB96B00>CMP BYTE PTR DS:[6BB99C],0
005FE95B . 75 14 JNZ SHORT 005FE971 ; jump over this and the prompt box is gone
005FE95D . 6A 00 PUSH 0
005FE95F . 6A 00 PUSH 0
005FE961 . 6A 00 PUSH 0
005FE963 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005FE966 . E8 F1A8E7FF CALL 0047925C
005FE96B . 50 PUSH EAX
005FE96C . E8 3BF1FFFF CALL 005FDAAC ; pops up the registration window
005FE971 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
Secretly pleased, I thought it was all done, but when I ran the program it wouldn't even let me open an image: pressing the Open Image button... did nothing...
I assumed the program self-checks, so I loaded the programs from before and after the modification into OD separately, used the Delphi event breakpoint finder script to pick good breakpoints, and carried on....
Skipping a bit of the comparison process... this brings us to the key spot:
00457784 . 53 PUSH EBX
00457785 . 56 PUSH ESI
00457786 . 57 PUSH EDI
00457787 . 8BD8 MOV EBX,EAX
00457789 . F643 1C 10 TEST BYTE PTR DS:[EBX+1C],10
0045778D . 75 37 JNZ SHORT 004577C6
0045778F . 8BBB 78010000 MOV EDI,DWORD PTR DS:[EBX+178]
00457795 . 85FF TEST EDI,EDI
00457797 . 74 06 JE SHORT 0045779F
00457799 . 807F 61 00 CMP BYTE PTR DS:[EDI+61],0
0045779D . 75 09 JNZ SHORT 004577A8
0045779F > 83BB 74010000>CMP DWORD PTR DS:[EBX+174],0
004577A6 74 1E JE SHORT 004577C6
004577A8 > 83BB 84010000>CMP DWORD PTR DS:[EBX+184],0
004577AF . 74 15 JE SHORT 004577C6
004577B1 . 8BD3 MOV EDX,EBX
004577B3 . 8B83 84010000 MOV EAX,DWORD PTR DS:[EBX+184]
004577B9 . 66:BE B2FF MOV SI,0FFB2
004577BD . E8 4EC4FAFF CALL 00403C10 ; the original program executes down to here, but in the modified program the jump above is taken, so change the jump
004577C2 . 84C0 TEST AL,AL
004577C4 75 04 JNZ SHORT 004577CA
004577C6 > 33C0 XOR EAX,EAX
004577C8 . EB 02 JMP SHORT 004577CC
004577CA > B0 01 MOV AL,1
004577CC > 5F POP EDI
004577CD . 5E POP ESI
004577CE . 5B POP EBX
004577CF . C3 RETN
Change:
004577A6 /74 1E JE SHORT 004577C6
to:
004577A6 /74 09 JE SHORT 004577B1
Then go into the CALL and have a look:
00403C10 $ 50 PUSH EAX
00403C11 . 51 PUSH ECX
00403C12 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00403C14 . E8 C7FFFFFF CALL 00403BE0
00403C19 . 59 POP ECX
(some code omitted)
0045B720 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045B723 . C680 C8020000>MOV BYTE PTR DS:[EAX+2C8],0
0045B72A . 33D2 XOR EDX,EDX
0045B72C . 55 PUSH EBP
0045B72D . 68 05BA4500 PUSH 0045BA05
0045B732 . 64:FF32 PUSH DWORD PTR FS:[EDX]
0045B735 . 64:8922 MOV DWORD PTR FS:[EDX],ESP
0045B738 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0045B73B . 8B80 78010000 MOV EAX,DWORD PTR DS:[EAX+178] ; EAX+178 is zero here, whereas in the original program it is 0x0109166C
0045B741 . 85C0 TEST EAX,EAX
0045B743 74 0E JE SHORT 0045B753 ; in the modified program this jump is taken
0045B745 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0045B748 . 8982 CC020000 MOV DWORD PTR DS:[EDX+2CC],EAX
0045B74E . E9 0D010000 JMP 0045B860
0045B753 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0045B756 . 8B80 74010000 MOV EAX,DWORD PTR DS:[EAX+174]
0045B75C . 85C0 TEST EAX,EAX
0045B75E . 0F84 F2000000 JE 0045B856
0045B764 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0045B766 . FF52 44 CALL DWORD PTR DS:[EDX+44]
0045B769 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045B76C . E8 E7FEFFFF CALL 0045B658
0045B771 . 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0045B774 . B2 01 MOV DL,1
0045B776 . A1 701E4800 MOV EAX,DWORD PTR DS:[481E70]
So I figured that some address which assigns EAX+178 had been JMPed over along with that JMP of ours.
Also, this program validates a keyfile, and at the registration box it compared whether 6BB99C is zero. I right-clicked to search for the address constant and followed it to the code around MOV BYTE PTR DS:[6BB99C],1; most likely the validation happens there, and EAX+178 gets assigned there as well.
My code-analysis skills really aren't strong, and I'm rather lazy... Since the program must also assign eax+178 somewhere in the trial path, I could just lift that part out....
So in the original program, follow EAX+178 in the data window...
010854FC 6C 16 09 01 00 02 00 00 00 00 00 00 00 4B 08 01 l.........K
0108550C 2A 00 00 00 60 50 42 00 00 00 00 00 10 2A 47 00 *...`PB.....*G.
0108551C 84 53 08 01 F0 A2 06 01 00 00 00 00 08 00 00 FF 凷稷......
Set a hardware access breakpoint on it, reload the program, press F9 twice and arrive at:
0045747C /$ 3B90 78010000 CMP EDX,DWORD PTR DS:[EAX+178]
00457482 |. 74 10 JE SHORT 00457494
00457484 |. 8990 78010000 MOV DWORD PTR DS:[EAX+178],EDX ; this is where EAX+178 gets assigned! and EDX at this point is exactly the value we want, 0109166c
0045748A |. 85D2 TEST EDX,EDX
0045748C |. 74 06 JE SHORT 00457494
0045748E |. 92 XCHG EAX,EDX
0045748F |. E8 0CC1FCFF CALL 004235A0
00457494 \> C3 RETN
Let's step out of this call and have a look:
005AA7C4 /. 55 PUSH EBP
005AA7C5 |. 8BEC MOV EBP,ESP
005AA7C7 |. 33C9 XOR ECX,ECX
005AA7C9 |. 51 PUSH ECX
005AA7CA |. 51 PUSH ECX
005AA7CB |. 51 PUSH ECX
005AA7CC |. 51 PUSH ECX
005AA7CD |. 51 PUSH ECX
005AA7CE |. 51 PUSH ECX
005AA7CF |. 53 PUSH EBX
005AA7D0 |. 56 PUSH ESI
005AA7D1 |. 8BD8 MOV EBX,EAX
005AA7D3 |. 33C0 XOR EAX,EAX
005AA7D5 |. 55 PUSH EBP
005AA7D6 |. 68 0DAA5A00 PUSH 005AAA0D
005AA7DB |. 64:FF30 PUSH DWORD PTR FS:[EAX]
005AA7DE |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
005AA7E1 |. 8B15 7CC56200 MOV EDX,DWORD PTR DS:[62C57C] ; yfClPic.006BB884
005AA7E7 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
005AA7E9 |. 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
005AA7EF |. E8 9C81ECFF CALL 00472990
005AA7F4 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA7F9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA7FB |. 8B90 D8040000 MOV EDX,DWORD PTR DS:[EAX+4D8]
005AA801 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA806 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA808 |. 8B80 90060000 MOV EAX,DWORD PTR DS:[EAX+690]
005AA80E |. E8 69CCEAFF CALL 0045747C ; the call that assigns EAX+178
005AA813 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005AA816 |. A1 ECC76200 MOV EAX,DWORD PTR DS:[62C7EC]
005AA81B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA81D |. E8 7A93EEFF CALL 00493B9C
005AA822 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005AA825 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
005AA828 |. E8 57F4E5FF CALL 00409C84
005AA82D |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005AA830 |. BA 24AA5A00 MOV EDX,005AAA24 ; ASCII "BuyWay.ini"
005AA835 |. E8 B6A2E5FF CALL 00404AF0
005AA83A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005AA83D |. 50 PUSH EAX
005AA83E |. 33C9 XOR ECX,ECX
005AA840 |. BA 38AA5A00 MOV EDX,005AAA38 ; ASCII "Order"
005AA845 |. B8 48AA5A00 MOV EAX,005AAA48 ; ASCII "BuyWay"
005AA84A |. E8 51D5FAFF CALL 00557DA0
005AA84F |. 48 DEC EAX
005AA850 |. 75 34 JNZ SHORT 005AA886
005AA852 |. B2 01 MOV DL,1
005AA854 |. 8B83 50030000 MOV EAX,DWORD PTR DS:[EBX+350]
005AA85A |. E8 FDA3EDFF CALL 00484C5C
005AA85F |. B2 01 MOV DL,1
005AA861 |. 8B83 68030000 MOV EAX,DWORD PTR DS:[EBX+368]
005AA867 |. E8 F0A3EDFF CALL 00484C5C
005AA86C |. 33D2 XOR EDX,EDX
005AA86E |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
005AA874 |. E8 E3A3EDFF CALL 00484C5C
005AA879 |. 33D2 XOR EDX,EDX
005AA87B |. 8B83 7C030000 MOV EAX,DWORD PTR DS:[EBX+37C]
005AA881 |. E8 D6A3EDFF CALL 00484C5C
005AA886 |> 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
005AA889 |. A1 ECC76200 MOV EAX,DWORD PTR DS:[62C7EC]
005AA88E |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA890 |. E8 0793EEFF CALL 00493B9C
005AA895 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005AA898 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005AA89B |. E8 E4F3E5FF CALL 00409C84
005AA8A0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
005AA8A3 |. BA 24AA5A00 MOV EDX,005AAA24 ; ASCII "BuyWay.ini"
005AA8A8 |. E8 43A2E5FF CALL 00404AF0
005AA8AD |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005AA8B0 |. 50 PUSH EAX
005AA8B1 |. 33C9 XOR ECX,ECX
005AA8B3 |. BA 58AA5A00 MOV EDX,005AAA58 ; ASCII "ShowTip2"
005AA8B8 |. B8 48AA5A00 MOV EAX,005AAA48 ; ASCII "BuyWay"
005AA8BD |. E8 DED4FAFF CALL 00557DA0
005AA8C2 |. 48 DEC EAX
005AA8C3 |. 75 10 JNZ SHORT 005AA8D5
005AA8C5 |. BA 6CAA5A00 MOV EDX,005AAA6C
005AA8CA |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
005AA8D0 |. E8 BB80ECFF CALL 00472990
005AA8D5 |> E8 C60CE6FF CALL 0040B5A0
005AA8DA |. 83C4 F8 ADD ESP,-8
005AA8DD |. DD1C24 FSTP QWORD PTR SS:[ESP]
005AA8E0 |. 9B WAIT
005AA8E1 |. E8 F6CCFAFF CALL 005575DC
005AA8E6 |. 0FB7C8 MOVZX ECX,AX
005AA8E9 |. BA A0AA5A00 MOV EDX,005AAAA0 ; ASCII "DV"
005AA8EE |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA8F3 |. E8 68CFFAFF CALL 00557860
005AA8F8 |. 8BF0 MOV ESI,EAX
005AA8FA |. E8 A10CE6FF CALL 0040B5A0
005AA8FF |. 83C4 F8 ADD ESP,-8
005AA902 |. DD1C24 FSTP QWORD PTR SS:[ESP]
005AA905 |. 9B WAIT
005AA906 |. E8 D1CCFAFF CALL 005575DC
005AA90B |. 0FB7C0 MOVZX EAX,AX
005AA90E |. 3BF0 CMP ESI,EAX
005AA910 |. 74 32 JE SHORT 005AA944
005AA912 |. B9 50000000 MOV ECX,50
005AA917 |. BA C0AA5A00 MOV EDX,005AAAC0 ; ASCII "ExeSet"
005AA91C |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA921 |. E8 3ACFFAFF CALL 00557860
005AA926 |. 8BD0 MOV EDX,EAX
005AA928 |. B8 50000000 MOV EAX,50
005AA92D |. E8 0644E8FF CALL 0042ED38
005AA932 |. 8BC8 MOV ECX,EAX
005AA934 |. 49 DEC ECX
005AA935 |. BA C0AA5A00 MOV EDX,005AAAC0 ; ASCII "ExeSet"
005AA93A |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA93F |. E8 3CD1FAFF CALL 00557A80
005AA944 |> E8 570CE6FF CALL 0040B5A0
005AA949 |. 83C4 F8 ADD ESP,-8
005AA94C |. DD1C24 FSTP QWORD PTR SS:[ESP]
005AA94F |. 9B WAIT
005AA950 |. E8 87CCFAFF CALL 005575DC
005AA955 |. 0FB7C8 MOVZX ECX,AX
005AA958 |. BA A0AA5A00 MOV EDX,005AAAA0 ; ASCII "DV"
005AA95D |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA962 |. E8 19D1FAFF CALL 00557A80
005AA967 |. B9 50000000 MOV ECX,50
005AA96C |. BA C0AA5A00 MOV EDX,005AAAC0 ; ASCII "ExeSet"
005AA971 |. B8 ACAA5A00 MOV EAX,005AAAAC ; ASCII "Application"
005AA976 |. E8 E5CEFAFF CALL 00557860
005AA97B |. 8BD0 MOV EDX,EAX
005AA97D |. 83EA 41 SUB EDX,41
005AA980 |. B8 0F000000 MOV EAX,0F
005AA985 |. E8 AE43E8FF CALL 0042ED38
005AA98A |. 8BD0 MOV EDX,EAX
005AA98C |. 33C0 XOR EAX,EAX
005AA98E |. E8 5144E8FF CALL 0042EDE4
005AA993 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
005AA996 |. E8 0DE9E5FF CALL 004092A8
005AA99B |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
005AA99E |. 8B83 90030000 MOV EAX,DWORD PTR DS:[EBX+390]
005AA9A4 |. E8 E77FECFF CALL 00472990
005AA9A9 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
005AA9AC |. 8B83 90030000 MOV EAX,DWORD PTR DS:[EBX+390]
005AA9B2 |. E8 A97FECFF CALL 00472960
005AA9B7 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
005AA9BA |. BA D0AA5A00 MOV EDX,005AAAD0
005AA9BF |. E8 70A2E5FF CALL 00404C34
005AA9C4 |. 75 24 JNZ SHORT 005AA9EA
005AA9C6 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA9CB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA9CD |. 8B80 8C060000 MOV EAX,DWORD PTR DS:[EAX+68C]
005AA9D3 |. 33D2 XOR EDX,EDX
005AA9D5 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
005AA9D7 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
005AA9DA |. BA DCAA5A00 MOV EDX,005AAADC ; ASCII "关闭退出软件"
005AA9DF |. 8B83 38030000 MOV EAX,DWORD PTR DS:[EBX+338]
005AA9E5 |. E8 A67FECFF CALL 00472990
005AA9EA |> 33C0 XOR EAX,EAX
005AA9EC |. 5A POP EDX
005AA9ED |. 59 POP ECX
005AA9EE |. 59 POP ECX
005AA9EF |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
005AA9F2 |. 68 14AA5A00 PUSH 005AAA14
005AA9F7 |> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
005AA9FA |. E8 299EE5FF CALL 00404828
005AA9FF |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
005AAA02 |. BA 05000000 MOV EDX,5
005AAA07 |. E8 409EE5FF CALL 0040484C
005AAA0C \. C3 RETN
005AAA0D .^ E9 9697E5FF JMP 004041A8
005AAA12 .^ EB E3 JMP SHORT 005AA9F7
005AAA14 . 5E POP ESI
005AAA15 . 5B POP EBX
005AAA16 . 8BE5 MOV ESP,EBP
005AAA18 . 5D POP EBP
005AAA19 . C3 RETN
It turns out this is a call made from the FormCreate of the user registration form... don't ask me how I know, I only found out by looking in DeDe...
Focus on this piece of code:
005AA7E9 |. 8B83 28030000 MOV EAX,DWORD PTR DS:[EBX+328]
005AA7EF |. E8 9C81ECFF CALL 00472990
005AA7F4 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA7F9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA7FB |. 8B90 D8040000 MOV EDX,DWORD PTR DS:[EAX+4D8]
005AA801 |. A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005AA806 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005AA808 |. 8B80 90060000 MOV EAX,DWORD PTR DS:[EAX+690]
005AA80E |. E8 69CCEAFF CALL 0045747C ; the call that assigns EAX+178
005AA813 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005AA816 |. A1 ECC76200 MOV EAX,DWORD PTR DS:[62C7EC]
005AA81B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
62CA0C turns out to hold a fixed address, so we can just copy the code from 005AA7F4 to 005AA80E.
Remember the piece of code we JMPed over? That's free space!
Follow to:
005FE954 . 803D 9CB96B00>CMP BYTE PTR DS:[6BB99C],0
005FE95B . 75 14 JNZ SHORT 005FE971 ; jump over this and the prompt box is gone
005FE95D . 6A 00 PUSH 0
005FE95F . 6A 00 PUSH 0
005FE961 . 6A 00 PUSH 0
005FE963 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005FE966 . E8 F1A8E7FF CALL 0047925C
005FE96B . 50 PUSH EAX
005FE96C . E8 3BF1FFFF CALL 005FDAAC ; pops up the registration window
005FE971 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
Change it to:
005FE954 A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005FE959 8B00 MOV EAX,DWORD PTR DS:[EAX]
005FE95B 8B90 D8040000 MOV EDX,DWORD PTR DS:[EAX+4D8] ; jump over this and the prompt box is gone
005FE961 A1 0CCA6200 MOV EAX,DWORD PTR DS:[62CA0C]
005FE966 8B00 MOV EAX,DWORD PTR DS:[EAX]
005FE968 8B80 90060000 MOV EAX,DWORD PTR DS:[EAX+690]
005FE96E E8 098BE5FF CALL 0045747C
005FE973 90 NOP
That squeezes out the mov that followed, but it doesn't affect the result... the program works normally~
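An added example, not part of the original post and not the program's own code: the displacement arithmetic the relocation above depends on. A relative CALL or short Jcc stores its target as an offset from the end of the instruction, so when the initialization sequence is copied from 005AA7F4 into the space freed at 005FE954, the E8 at 005AA80E cannot be copied byte for byte; its rel32 has to be recomputed for its new address 005FE96E, which is where the 098BE5FF in the patch comes from, and the leftover byte of the 0x20-byte region becomes the NOP at 005FE973. The addresses and bytes are taken from the listing; the helper names and the instruction list are my own. It also checks the two-byte JE change at 004577A6 (74 1E to 74 09) and rejects a short jump whose target is outside the rel8 range.

```python
"""x86 relative-branch arithmetic behind the patch in the walkthrough.

Added example; the addresses and opcode bytes come from the OllyDbg listing,
the helper functions are this example's own.
"""
import struct


def rel_disp(src, target, insn_len):
    """Signed displacement so that a branch of length insn_len at src reaches target."""
    return target - (src + insn_len)


def encode_call_rel32(src, target):
    """E8 + rel32 for a CALL located at src that must reach target."""
    return b"\xE8" + struct.pack("<i", rel_disp(src, target, 5))


def encode_jcc_rel8(opcode, src, target):
    """Two-byte short conditional jump (0x74 = JE, 0x75 = JNZ, ...) at src to target.
    Raises ValueError when the target is not within -128..+127 of the next
    instruction, a common mistake when a short jump is re-pointed by hand."""
    disp = rel_disp(src, target, 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"target {target:08X} not reachable with rel8 from {src:08X}")
    return bytes([opcode]) + struct.pack("<b", disp)


def decode_rel_branch(src, code):
    """Absolute target of a 5-byte E8 rel32 CALL or a 2-byte Jcc rel8 at src."""
    if len(code) == 5 and code[0] == 0xE8:
        disp = struct.unpack("<i", code[1:5])[0]
    elif len(code) == 2 and 0x70 <= code[0] <= 0x7F:
        disp = struct.unpack("<b", code[1:2])[0]
    else:
        raise ValueError("not a rel32 CALL or rel8 Jcc")
    return (src + len(code) + disp) & 0xFFFFFFFF


def relocate(insns, new_base, region_len):
    """Re-emit a straight-line instruction sequence at new_base.

    insns is a list of (raw_bytes, absolute_target_or_None). Only E8 CALLs carry a
    target and are re-encoded; everything else is position-independent here and is
    copied verbatim. The result is padded with NOP (0x90) to region_len and rejected
    if it would overrun the free region."""
    out = bytearray()
    for raw, target in insns:
        at = new_base + len(out)
        out += encode_call_rel32(at, target) if target is not None else raw
    if len(out) > region_len:
        raise ValueError("relocated code does not fit in the free region")
    out += b"\x90" * (region_len - len(out))
    return bytes(out)


# Constructed from the listing: the sequence at 005AA7F4..005AA812 that the author
# copies. Its CALL at 005AA80E (E8 69CCEAFF) targets 0045747C.
INIT_SEQUENCE = [
    (bytes.fromhex("A10CCA6200"), None),        # MOV EAX,DWORD PTR DS:[62CA0C]
    (bytes.fromhex("8B00"), None),              # MOV EAX,DWORD PTR DS:[EAX]
    (bytes.fromhex("8B90D8040000"), None),      # MOV EDX,DWORD PTR DS:[EAX+4D8]
    (bytes.fromhex("A10CCA6200"), None),        # MOV EAX,DWORD PTR DS:[62CA0C]
    (bytes.fromhex("8B00"), None),              # MOV EAX,DWORD PTR DS:[EAX]
    (bytes.fromhex("8B8090060000"), None),      # MOV EAX,DWORD PTR DS:[EAX+690]
    (bytes.fromhex("E869CCEAFF"), 0x0045747C),  # CALL 0045747C
]


def relocated_patch():
    """The 0x20 bytes that replace 005FE954..005FE973 in the walkthrough."""
    return relocate(INIT_SEQUENCE, 0x005FE954, 0x20)


if __name__ == "__main__":
    # Original CALL decodes to 0045747C; the moved CALL must still reach it.
    print(hex(decode_rel_branch(0x005AA80E, bytes.fromhex("E869CCEAFF"))))
    print(relocated_patch().hex().upper())
```

The CALL at the new location gets displacement 0045747C - 005FE973 = -0x1A74F7, which is 0xFFE58B09 as a 32-bit two's-complement value and 09 8B E5 FF in little-endian order, exactly the bytes in the patched listing.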
--------------------------------------------------------------------------------
【Lessons learned】
Chuckling to myself, heh heh...
Patching it this way saved me from analyzing the algorithm; no way around it, I'm a newbie... two birds with one stone, why not~
--------------------------------------------------------------------------------
【Copyright notice】: no copyright.. noob..
2010-01-31 12:24:46