It has been a long time since I wrote a cracking article. As BW put it, "the knife was dull to begin with, and now it has rusted"; if I do not use it, I may really forget how to crack. This program is one a friend asked me to help with. I had seen the cracking walkthroughs for several earlier versions of it in Essentials III (精华III), so I figured it should not be hard. OK, let's get to work. PEiD identifies the packer as ASProtect 1.2. After unpacking, remember to change 7434 at 2ce01 to eb34 before it will run, although a password window then pops up; I did not look into that part, so I would appreciate pointers from the experts.

:0042DBEB E8D433FFFF call 00420FC4 // compares the entered (fake) registration code and computes three values
:0042DBF0 84C0 test al, al
:0042DBF2 0F84A7000000 je 0042DC9F
:0042DBF8 8B1500796400 mov edx, dword ptr [00647900]
:0042DBFE 8B02 mov eax, dword ptr [edx]
:0042DC00 8B9538FFFFFF mov edx, dword ptr [ebp+FFFFFF38]
:0042DC06 E8C92DFFFF call 004209D4 // concatenates the registration name and the serial number and computes three values
:0042DC0B 84C0 test al, al
:0042DC0D 0F848C000000 je 0042DC9F
:0042DC13 EB04 jmp 0042DC19
:0042DC15 EB05 jmp 0042DC1C
:0042DC17 8901 mov dword ptr [ecx], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DC13(U)
|
:0042DC19 8B8D34FFFFFF mov ecx, dword ptr [ebp+FFFFFF34]
:0042DC1F 8B9538FFFFFF mov edx, dword ptr [ebp+FFFFFF38]
:0042DC25 8B01 mov eax, dword ptr [ecx]
:0042DC27 3B02 cmp eax, dword ptr [edx] // comparison ①
:0042DC29 756E jne 0042DC99
:0042DC2B 8B8D34FFFFFF mov ecx, dword ptr [ebp+FFFFFF34]
:0042DC31 8B9538FFFFFF mov edx, dword ptr [ebp+FFFFFF38]
:0042DC37 8B4104 mov eax, dword ptr [ecx+04]
:0042DC3A 3B4204 cmp eax, dword ptr [edx+04] // comparison ②
:0042DC3D 755A jne 0042DC99
:0042DC3F 8B8D34FFFFFF mov ecx, dword ptr [ebp+FFFFFF34]
:0042DC45 8B9538FFFFFF mov edx, dword ptr [ebp+FFFFFF38]
:0042DC4B 8B4108 mov eax, dword ptr [ecx+08]
:0042DC4E 3B4208 cmp eax, dword ptr [edx+08] // comparison ③
:0042DC51 7546 jne 0042DC99
:0042DC53 66C746109800 mov [esi+10], 0098
:0042DC59 BA33816300 mov edx, 00638133
:0042DC5E 8D45C4 lea eax, dword ptr [ebp-3C]
:0042DC61 E8C66C1F00 call 0062492C
:0042DC66 FF461C inc [esi+1C]
:0042DC69 8B10 mov edx, dword ptr [eax]
:0042DC6B A15C846400 mov eax, dword ptr [0064845C]
:0042DC70 E8F3E21A00 call 005DBF68
:0042DC75 FF4E1C dec [esi+1C]
:0042DC78 8D45C4 lea eax, dword ptr [ebp-3C]
:0042DC7B BA02000000 mov edx, 00000002
:0042DC80 E81B6D1F00 call 006249A0
:0042DC85 8B8734030000 mov eax, dword ptr [edi+00000334]
:0042DC8B 33D2 xor edx, edx
:0042DC8D E8EADC1700 call 005AB97C
:0042DC92 C687DC06000001 mov byte ptr [edi+000006DC], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042DC29(C), :0042DC3D(C), :0042DC51(C)
|
:0042DC99 EB04 jmp 0042DC9F
:0042DC9B EB05 jmp 0042DCA2
:0042DC9D 99 cdq
:0042DC9E 018BC3E8624D add dword ptr [ebx+4D62E8C3], ecx
:0042DCA4 17 pop ss
:0042DCA5 00EB add bl, ch
:0042DCA7 04EB add al, EB
:0042DCA9 05890133D2 add eax, D2330189
:0042DCAE 33C9 xor ecx, ecx
:0042DCB0 8997C0060000 mov dword ptr [edi+000006C0], edx
:0042DCB6 898D3CFFFFFF mov dword ptr [ebp+FFFFFF3C], ecx
:0042DCBC 80BFDC06000000 cmp byte ptr [edi+000006DC], 00
:0042DCC3 743E je 0042DD03
:0042DCC5 8B8534FFFFFF mov eax, dword ptr [ebp+FFFFFF34]
:0042DCCB 8B8D38FFFFFF mov ecx, dword ptr [ebp+FFFFFF38]
:0042DCD1 8B10 mov edx, dword ptr [eax]
:0042DCD3 3B11 cmp edx, dword ptr [ecx] // comparison ④
:0042DCD5 752C jne 0042DD03
:0042DCD7 8B8534FFFFFF mov eax, dword ptr [ebp+FFFFFF34]
:0042DCDD 8B8D38FFFFFF mov ecx, dword ptr [ebp+FFFFFF38]
:0042DCE3 8B5004 mov edx, dword ptr [eax+04]
:0042DCE6 3B5104 cmp edx, dword ptr [ecx+04] // comparison ⑤
:0042DCE9 7518 jne 0042DD03
:0042DCEB 8B8534FFFFFF mov eax, dword ptr [ebp+FFFFFF34]
:0042DCF1 8B8D38FFFFFF mov ecx, dword ptr [ebp+FFFFFF38]
:0042DCF7 8B5008 mov edx, dword ptr [eax+08]
:0042DCFA 3B5108 cmp edx, dword ptr [ecx+08] // comparison ⑥
:0042DCFD 0F8440020000 je 0042DF43
======================A===============================
The six comparisons above are really just two comparisons of the same three values, so I will not dwell on them. Let's first step into the comparison and computation of the entered registration code and have a look.

===================00420FC4 BEGIN======================
:00420FC4 53 push ebx
:00420FC5 56 push esi
:00420FC6 57 push edi
:00420FC7 83C4E4 add esp, FFFFFFE4
:00420FCA 894C2404 mov dword ptr [esp+04], ecx
:00420FCE 8BFA mov edi, edx
:00420FD0 890424 mov dword ptr [esp], eax
:00420FD3 8BC7 mov eax, edi
:00420FD5 E882C61E00 call 0060D65C
:00420FDA 83F80E cmp eax, 0000000E // check whether the entered code is 14 characters long
:00420FDD 750C jne 00420FEB
:00420FDF 807F042D cmp byte ptr [edi+04], 2D // check whether the 5th character of the entered code is '-'
:00420FE3 7506 jne 00420FEB
:00420FE5 807F092D cmp byte ptr [edi+09], 2D // check whether the 10th character of the entered code is '-'
:00420FE9 7407 je 00420FF2

From the above, the registration code has the form XXXX-XXXX-XXXX.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00420FDD(C), :00420FE3(C)
|
:00420FEB 33C0 xor eax, eax
:00420FED E9E9000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420FE9(C)
|
:00420FF2 33D2 xor edx, edx
:00420FF4 8D442410 lea eax, dword ptr [esp+10]
:00420FF8 89542408 mov dword ptr [esp+08], edx
:00420FFC 89442418 mov dword ptr [esp+18], eax
:00421000 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421082(C)
|
:00421002 8B542418 mov edx, dword ptr [esp+18]
:00421006 66C7020000 mov word ptr [edx], 0000
:0042100B 33DB xor ebx, ebx
:0042100D 8B442418 mov eax, dword ptr [esp+18]
:00421011 8BD0 mov edx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421077(C)
|
:00421013 8D0CB6 lea ecx, dword ptr [esi+4*esi]
:00421016 83C103 add ecx, 00000003
:00421019 2BCB sub ecx, ebx
:0042101B 85DB test ebx, ebx
:0042101D 8A040F mov al, byte ptr [edi+ecx]
:00421020 7504 jne 00421026
:00421022 8844240C mov byte ptr [esp+0C], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421020(C)
|
:00421026 85DB test ebx, ebx
:00421028 760A jbe 00421034
:0042102A 3A44240C cmp al, byte ptr [esp+0C]
:0042102E 7504 jne 00421034
:00421030 FF442408 inc [esp+08]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421028(C), :0042102E(C)
|
:00421034 3C30 cmp al, 30
:00421036 7204 jb 0042103C
:00421038 3C46 cmp al, 46
:0042103A 7607 jbe 00421043
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421036(C)
|
:0042103C 33C0 xor eax, eax
:0042103E E998000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042103A(C)
|
:00421043 3C39 cmp al, 39
:00421045 760B jbe 00421052
:00421047 3C41 cmp al, 41
:00421049 7307 jnb 00421052
:0042104B 33C0 xor eax, eax
:0042104D E989000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421045(C), :00421049(C)
|
:00421052 3C41 cmp al, 41
:00421054 720B jb 00421061
:00421056 33C9 xor ecx, ecx
:00421058 8AC8 mov cl, al
:0042105A 83E937 sub ecx, 00000037
:0042105D 8BC1 mov eax, ecx
:0042105F EB08 jmp 00421069
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421054(C)
|
:00421061 25FF000000 and eax, 000000FF
:00421066 83E830 sub eax, 00000030
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042105F(U)
|
:00421069 8BCB mov ecx, ebx
:0042106B C1E102 shl ecx, 02
:0042106E D3E0 shl eax, cl
:00421070 660102 add word ptr [edx], ax
:00421073 43 inc ebx
:00421074 83FB04 cmp ebx, 00000004
:00421077 729A jb 00421013
:00421079 46 inc esi
:0042107A 8344241802 add dword ptr [esp+18], 00000002
:0042107F 83FE03 cmp esi, 00000003
:00421082 0F827AFFFFFF jb 00421002
=============================================================
The code above checks that the entered registration code lies in the range 0-9 and A-Z, and converts it from ASCII into the digit and letter values for storage. For example, the code 1234-6789-ABCD is stored in the form 34128967CDAB.
:00421088 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004210A2(C)
|
:0042108A 6A06 push 00000006
:0042108C 8D442414 lea eax, dword ptr [esp+14]
:00421090 50 push eax
:00421091 8B542408 mov edx, dword ptr [esp+08]
:00421095 52 push edx
:00421096 E8ADFEFFFF call 00420F48 // procedure A
:0042109B 83C40C add esp, 0000000C
:0042109E 43 inc ebx
:0042109F 83FB02 cmp ebx, 00000002
:004210A2 72E6 jb 0042108A
================================================================
The 34128967CDAB obtained above is split into six groups, A1=3412, A2=1289, A3=8967, A4=67CD, A5=CDAB, A6=AB34, which are converted by procedure A. Its algorithm is:

B1=((A1 SHL 1) AND $FF00) SHR 8=68
B2=((A2 SHL 1) AND $FF00) SHR 8=25
B3=((A3 SHL 1) AND $FF00) SHR 8=12
B4=((A4 SHL 1) AND $FF00) SHR 8=CF
B5=((A5 SHL 1) AND $FF00) SHR 8=9B
B6=((A6 SHL 1) AND $FF00) SHR 8=56

Then B1, B2, B3, B4, B5, B6 are recombined into six new groups C1=6825, C2=2512, C3=12CF, C4=CF9B, C5=9B56 and converted once more by procedure A, giving D04A259F36AC.
================================================================
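As an added example (my own reconstruction, not code from the original article), here is the entered-code parsing from the listing at 00420FC4 and procedure A in Python, so that the worked values 34128967CDAB and D04A259F36AC above can be checked. The accepted characters follow the listing's range checks (cmp al,30 / cmp al,46 / cmp al,39 / cmp al,41), i.e. 0-9 and A-F, and the repeat counter at [esp+08] and its "ja" test at 004210D3 are reproduced as well; one thing the worked numbers do not show is that procedure A is simply a 48-bit rotate left by one bit.

```python
HEX_DIGITS = "0123456789ABCDEF"   # the chars the range checks at 00421034-00421049 accept


def parse_code(code: str):
    """Mirror 00420FDA-00421082: 14 chars, '-' at index 4 and 9, hex digits,
    each 4-char group packed into a little-endian 16-bit word.
    Returns (6-byte buffer, repeat count) or None when a check fails."""
    if len(code) != 14 or code[4] != "-" or code[9] != "-":
        return None
    buf = bytearray()
    repeats = 0                     # counter kept at [esp+08]
    for g in range(3):              # esi: group index
        word = 0
        first = None
        for b in range(4):          # ebx: char index, read from the group's last char
            ch = code[5 * g + 3 - b]
            if ch not in HEX_DIGITS:
                return None         # the "xor eax,eax / jmp 004210DB" failure exits
            if b == 0:
                first = ch          # saved at [esp+0C]
            elif ch == first:
                repeats += 1        # inc [esp+08]
            word += HEX_DIGITS.index(ch) << (4 * b)   # shl eax,cl with cl = ebx*4
        buf += word.to_bytes(2, "little")             # add word ptr [edx], ax
    return bytes(buf), repeats


def procedure_a(buf: bytes) -> bytes:
    """B_i = ((A_i SHL 1) AND $FF00) SHR 8, with A_i the byte pair buf[i], buf[i+1]
    (wrapping around, as A6=AB34 does); that is a rotate-left-by-1 of the whole buffer."""
    n = len(buf)
    out = bytearray()
    for i in range(n):
        a = (buf[i] << 8) | buf[(i + 1) % n]
        out.append(((a << 1) & 0xFF00) >> 8)
    return bytes(out)


def transform(code: str):
    """Parse the code and apply procedure A twice (the loop at 0042108A);
    returns the 12-hex-digit result or None when the code is rejected."""
    parsed = parse_code(code)
    if parsed is None:
        return None
    buf, repeats = parsed
    if repeats > 8:                 # cmp dword ptr [esp+08],8 / ja 004210DB -> rejected
        return None
    for _ in range(2):
        buf = procedure_a(buf)
    return buf.hex().upper()
```

Running `transform("1234-6789-ABCD")` reproduces the article's D04A259F36AC, and `parse_code` on the same input gives the buffer 34128967CDAB.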
:004210A4 33F6 xor esi, esi
:004210A6 8B442404 mov eax, dword ptr [esp+04]
:004210AA 8BD8 mov ebx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004210CF(C)
|
:004210AC 8BD6 mov edx, esi
:004210AE 03D2 add edx, edx
:004210B0 8D442410 lea eax, dword ptr [esp+10]
:004210B4 03D0 add edx, eax
:004210B6 B902000000 mov ecx, 00000002
:004210BB 8B0424 mov eax, dword ptr [esp]
:004210BE E8D10F0000 call 00422094 // splits D04A259F36AC into three groups D1=D04A, D2=259F, D3=36AC and converts each; press F8 to step in..
:004210C3 0FB7D0 movzx edx, ax // saves the value just computed
:004210C6 8913 mov dword ptr [ebx], edx
:004210C8 46 inc esi
:004210C9 83C304 add ebx, 00000004
:004210CC 83FE03 cmp esi, 00000003
:004210CF 72DB jb 004210AC
:004210D1 33C0 xor eax, eax
:004210D3 837C240808 cmp dword ptr [esp+08], 00000008
:004210D8 7701 ja 004210DB
:004210DA 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00420FED(U), :0042103E(U), :0042104D(U), :004210D8(C)
|
:004210DB 83C41C add esp, 0000001C
:004210DE 5F pop edi
:004210DF 5E pop esi
:004210E0 5B pop ebx
:004210E1 C3 ret
======================00422094 BEGIN============================
:00422094 53 push ebx
:00422095 56 push esi
:00422096 57 push edi
:00422097 83C494 add esp, FFFFFF94
:0042209A 8BF9 mov edi, ecx
:0042209C 8BF2 mov esi, edx
:0042209E 8BD8 mov ebx, eax
:004220A0 54 push esp
:004220A1 E816F4FFFF call 004214BC // initializes four constants, A=$76543210, B=$FEDCBA98, C=$89ABCDEF, D=$01234567; do these four look familiar? MD5?? Look closely.. they are not the same..
:004220A6 59 pop ecx
:004220A7 57 push edi
:004220A8 56 push esi
:004220A9 8D442408 lea eax, dword ptr [esp+08]
:004220AD 50 push eax
:004220AE E835F4FFFF call 004214E8 // initializes the array, the same as MD5..
:004220B3 83C40C add esp, 0000000C
:004220B6 54 push esp
:004220B7 8D54245C lea edx, dword ptr [esp+5C]
:004220BB 52 push edx
:004220BC E8BFF4FFFF call 00421580 // I call this routine the modified MD5, because the data it uses and its four rounds are the same as MD5, only the order is changed.. interested readers can analyze it further.. here D1, D2 and D3 are each processed
:004220C1 83C408 add esp, 00000008
:004220C4 B910000000 mov ecx, 00000010
:004220C9 8BC3 mov eax, ebx
:004220CB C644246800 mov [esp+68], 00
:004220D0 8D542458 lea edx, dword ptr [esp+58]
:004220D4 E80BF0FFFF call 004210E4 // further processes the 128-bit value produced by the modified MD5; I call this procedure B
:004220D9 83C46C add esp, 0000006C
:004220DC 5F pop edi
:004220DD 5E pop esi
:004220DE 5B pop ebx
:004220DF C3 ret
==================00422094 END========================
The three values produced by procedure B are compared with the three values computed from the registration name. OK, that completes the analysis of the registration code conversion; below is a brief description of how the registration name is converted..

=============00420FC4 END===================

The registration name conversion is done in procedure 004209D4, and its steps are roughly as follows:
1. Convert the serial number; assume it is 11223344.
2. Concatenate 1122334400 with the registration name and compute CODE1 via the modified MD5 and procedure B.
3. Concatenate the registration name with 0011223344 and compute CODE2 via the modified MD5 and procedure B.
4. Concatenate CODE1 and CODE2 and compute CODE3 via the modified MD5 and procedure B.
5. Finally, run CODE1, CODE2 and CODE3 each through the modified MD5 and procedure B to compute three values; these three values are the ones compared with the three values computed from the entered registration code...
========================================END=================================
This software validates at startup, so this part of the algorithm lives in the startup code. In the registration-code input dialog, the main task is analyzing the conversion of the serial number.. As for where to break in, at first I was completely at a loss; later, with pointers from DiKeN and PaulYoung, I found the way: first BPX GETCOMMANDLINEA, press F5 three times, clear the breakpoint, then use BPC REGCREATEKEYEXA to break and you arrive at the code above...
ssljxOCG 2002.3.21