1. Checking the packer
Borland Delphi 6.0 - 7.0
While we're at it, look at the algorithms:
Note that there is a CRC32 algorithm. OK, let's go!
2. Cracking
Enter the fake serial '1111-2222-3333-4444-5555'; the prompt:
Press F12, then Alt+K:
007106EC E8 B37AF5FF call <jmp.&user32.MessageBoxA> ; registration failed
Find the start of the routine:
00710554 6A 00 push 0
00710556 6A 00 push 0
00710558 49 dec ecx
00710559 ^ 75 F9 jnz short CheckReg.00710554
...
Since this is a loop, we set the breakpoint just below it; this is in fact the register-button event we are looking for:
0071055B 51 push ecx ; register button
...
Single-step with F8 and trace:
0071057A E8 05DDF9FF call CheckReg.006AE284 ;"1111"
0071059F E8 E0DCF9FF call CheckReg.006AE284 ;"2222"
007105C4 E8 BBDCF9FF call CheckReg.006AE284 ;"3333"
007105E9 E8 96DCF9FF call CheckReg.006AE284 ;"4444"
0071060E E8 71DCF9FF call CheckReg.006AE284 ;"5555"
...
0071063E E8 3D98F5FF call CheckReg.00669E80 ; compare the length of segment 1 with 5; if less than 5, jump
00710643 83F8 05 cmp eax,5
00710646 0F85 80000000 jnz CheckReg.007106CC
...
00710662 E8 1998F5FF call CheckReg.00669E80 ; compare the length of segment 2 with 5; if less than 5, jump
00710667 83F8 05 cmp eax,5
0071066A 75 60 jnz short CheckReg.007106CC
...
So it takes each segment of the serial and checks its length; if it isn't 5, it jumps to failure. Heh, simple. Let's rebuild the serial format:
'11111-22222-33333-44444-55555'
Reload and run, break, and keep tracing with F8:
007106F6 8D55 C0 lea edx,dword ptr ss:[ebp-40]
007106F9 8B83 98030000 mov eax,dword ptr ds:[ebx+398]
007106FF E8 80DBF9FF call CheckReg.006AE284
00710704 837D C0 00 cmp dword ptr ss:[ebp-40],0 ; was segment 1 entered?
00710708 74 3C je short CheckReg.00710746
0071070A 8D55 BC lea edx,dword ptr ss:[ebp-44]
0071070D 8B83 9C030000 mov eax,dword ptr ds:[ebx+39C]
00710713 E8 6CDBF9FF call CheckReg.006AE284
00710718 837D BC 00 cmp dword ptr ss:[ebp-44],0 ; was segment 2 entered?
0071071C 74 28 je short CheckReg.00710746
0071071E 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00710721 8B83 A0030000 mov eax,dword ptr ds:[ebx+3A0]
00710727 E8 58DBF9FF call CheckReg.006AE284
0071072C 837D B8 00 cmp dword ptr ss:[ebp-48],0 ; was segment 3 entered?
00710730 74 14 je short CheckReg.00710746
00710732 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00710735 8B83 A4030000 mov eax,dword ptr ds:[ebx+3A4]
0071073B E8 44DBF9FF call CheckReg.006AE284
00710740 837D B4 00 cmp dword ptr ss:[ebp-4C],0 ; was segment 4 entered?
00710744 75 2A jnz short CheckReg.00710770 ; jumps away
...
00710798 8BC8 mov ecx,eax
0071079A 8BC6 mov eax,esi
esi=00008235 //'33333'
eax=00002710 //'10000'
Segment 3 is compared with '10000'. Because a CRC algorithm is involved, we have to watch the suspicious registers closely; this is the key to tracing the serial.
0071079C BF 10270000 mov edi,2710
007107A1 33D2 xor edx,edx
007107A3 F7F7 div edi
007107A5 8BF8 mov edi,eax
007107A7 8BC1 mov eax,ecx
007107A9 B9 10270000 mov ecx,2710
007107AE 33D2 xor edx,edx
007107B0 F7F1 div ecx
007107B2 3BF8 cmp edi,eax ; check whether segments 1 and 3 are equal; if not, fail
Clearly segments 1 and 3 of the serial should be equal, i.e. both '10000'. Rebuild the serial:
10000-22222-10000-44444-55555
Reload, run, and continue with F8:
00710810 8B45 A4 mov eax,dword ptr ss:[ebp-5C] ; EAX holds '22222'
00710813 E8 A490F5FF call CheckReg.006698BC // key CALL, step into with F7
...
006698CC 8BF0 mov esi,eax
006698CE 833C24 00 cmp dword ptr ss:[esp],0
eax=000056CE //'22222'
esi=00002042 //'8258'
Obviously segment 2 comes out as '8258', but shouldn't each segment be five digits? Heh, '8258' is just '08258'...
Continue with F8:
00710828 E8 57DAF9FF call CheckReg.006AE284 // fetches '44444'
0071082D 8B45 A0 mov eax,dword ptr ss:[ebp-60]
00710830 E8 8790F5FF call CheckReg.006698BC
00710835 99 cdq
00710836 52 push edx
00710837 50 push eax
00710838 8BC6 mov eax,esi
0071083A 33D2 xor edx,edx
0071083C 3B5424 04 cmp edx,dword ptr ss:[esp+4]
00710840 /75 03 jnz short CheckReg.00710845
00710842 |3B0424 cmp eax,dword ptr ss:[esp] ;
eax=000056CE //'8258', which as analysed above is '08258'
What is the value at dword ptr ss:[esp]? Heh, switch the data display: it shows '44444', so segment 4 is obviously '08258' as well. Rebuild the serial:
10000-08258-10000-08258-55555
Only the last segment is left. Reload and keep tracing with F8:
00710856 E8 29DAF9FF call CheckReg.006AE284
0071085B 8B45 9C mov eax,dword ptr ss:[ebp-64] ; fetches '55555' into EAX
0071085E E8 5990F5FF call CheckReg.006698BC
00710863 99 cdq
00710864 52 push edx
00710865 50 push eax
00710866 8BC7 mov eax,edi
edi=000157C0 //'88000'
eax=0000D903 //'55555'
Couldn't be more obvious, heh. Put our serial together:
10000-08258-10000-08258-88000
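To make the order of the checks explicit, here is a Python model of the validation as read from the listing above (an added example, not CheckReg's own code). The constants are the register values quoted in the post; the seg1/seg3 pairing and the reading of 006698BC as a string-to-integer conversion follow the post's interpretation and are assumptions.

```python
# Model of the CheckReg serial check as read from the OllyDbg listing
# (added example, not the program's own code). Constants are the register
# values quoted in the post; the seg1/seg3 pairing follows the post's
# reading of the cmp at 007107B2.

SEG_COUNT = 5
SEG_LEN = 5          # 00710643: cmp eax,5 on each segment's length
DIVISOR = 0x2710     # 0071079C: mov edi,2710 (10000 decimal)
SEG2_REF = 0x2042    # 006698CE: esi = 8258, i.e. '08258'
SEG5_REF = 0x157C0   # 00710866: edi = 88000


def check_serial(serial):
    """Return (passed, stage); stage names the first failing check, in the
    order the post steps through them under the debugger."""
    parts = serial.split("-")
    if len(parts) != SEG_COUNT:
        return False, "format"
    # 0071063E..0071066A: each segment's length must be exactly 5
    if any(len(p) != SEG_LEN for p in parts):
        return False, "length"
    # 006698BC is read as a string-to-integer conversion (assumption)
    try:
        seg = [int(p) for p in parts]
    except ValueError:
        return False, "numeric"
    # 0071079C..007107B2: both values divided by 0x2710 (xor edx,edx; div),
    # then the quotients are compared: '33333'//10000 = 3 != 1
    if seg[2] // DIVISOR != seg[0] // DIVISOR:
        return False, "seg1/seg3"
    # 006698CC: segment 2 must equal the computed value 8258 ('08258')
    if seg[1] != SEG2_REF:
        return False, "seg2"
    # 00710835..00710842: cdq/push edx/push eax builds a 64-bit signed copy
    # of segment 4, compared against 0:esi (8258 zero-extended)
    if seg[3] != SEG2_REF:
        return False, "seg4"
    # 00710866: segment 5 compared with edi = 88000
    if seg[4] != SEG5_REF:
        return False, "seg5"
    return True, "ok"


if __name__ == "__main__":
    # The serials tried in the post, in order
    for s in ["1111-2222-3333-4444-5555",
              "11111-22222-33333-44444-55555",
              "10000-22222-10000-44444-55555",
              "10000-08258-10000-08258-55555",
              "10000-08258-10000-08258-88000"]:
        print(s, check_serial(s))
```

Each fake serial from the post fails at exactly the stage where the debugger session stopped, and only the final one passes every check.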
Save and run:
Perfect crack, heh. Welcome to visit my little corner: hi.baidu.com/alic0ol