目的:属技术交流,无其它目的,请不要任意散布或用用商业用途。初学破解,如有不对的地方欢迎批评
指出。
工具:softice,w32Dasm,ollydbg
试炼码:
序列号:107570653072
注册码:654321
查找出错信息
:004DC023 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004DC026 8BC1 mov eax, ecx
:004DC028 99 cdq
:004DC029 3B55FC cmp edx, dword ptr [ebp-04]
:004DC02C 754E jne 004DC07C ====>出错
:004DC02E 3B45F8 cmp eax, dword ptr [ebp-08]
:004DC031 7549 jne 004DC07C =====>出错
:004DC033 33D2 xor edx, edx
:004DC035 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004DC03B 8B08 mov ecx, dword ptr [eax]
:004DC03D FF5164 call [ecx+64]
:004DC040 B201 mov dl, 01
:004DC042 8B8308030000 mov eax, dword ptr [ebx+00000308]
:004DC048 8B08 mov ecx, dword ptr [eax]
:004DC04A FF5164 call [ecx+64]
:004DC04D 33D2 xor edx, edx
:004DC04F 8B8384030000 mov eax, dword ptr [ebx+00000384]
:004DC055 E8BAA2F6FF call 00446314
:004DC05A 8B8394030000 mov eax, dword ptr [ebx+00000394]
:004DC060 E8D7C0FEFF call 004C813C
:004DC065 6A00 push 00000000
:004DC067 668B0D04C14D00 mov cx, word ptr [004DC104]
:004DC06E B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"软件登记注册成功"
|
:004DC070 B810C14D00 mov eax, 004DC110
:004DC075 E81E36F6FF call 0043F698
:004DC07A EB15 jmp 004DC091
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004DC02C(C), :004DC031(C)
|
:004DC07C 6A00 push 00000000
:004DC07E 668B0D04C14D00 mov cx, word ptr [004DC104]
:004DC085 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"软件注册号错误"
--------------------------------------------------------------------------
在od中动态分析出关键部分:
004DBFA1 |. 33C0 XOR EAX,EAX
004DBFA3 |. 55 PUSH EBP
004DBFA4 |. 68 AFC04D00 PUSH faxnow.004DC0AF
004DBFA9 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004DBFAC |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004DBFAF |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004DBFB2 |. BA C4C04D00 MOV EDX,faxnow.004DC0C4 ; ASCII "00000000"
004DBFB7 |. E8 C48EF2FF CALL faxnow.00404E80
004DBFBC |. 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
004DBFBF |. BA D8C04D00 MOV EDX,faxnow.004DC0D8
004DBFC4 |. B8 F8C04D00 MOV EAX,faxnow.004DC0F8
004DBFC9 |. E8 E637F6FF CALL faxnow.0043F7B4
; 显示注册框,取输入的注册码
004DBFCE |. 3C 01 CMP AL,1
004DBFD0 |. 0F85 BB000000 JNZ faxnow.004DC091
004DBFD6 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004DBFD9 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
; 注册码入eax
004DBFDC |. E8 C3D4F2FF CALL faxnow.004094A4
; 把注册码入edx处地址
004DBFE1 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
; 注册码入eax
004DBFE4 |. E8 0BD8F2FF CALL faxnow.004097F4
; 转换为十六进制
004DBFE9 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
; 把转换后的数保存在[EBP-8]中
004DBFEC |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004DBFEF |. 6A 00 PUSH 0
004DBFF1 |. 68 D2010000 PUSH 1D2
004DBFF6 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004DBFF9 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004DBFFC |. E8 DF9DF2FF CALL faxnow.00405DE0
; 注册码的十六进制除以1D2(即为466)
004DC001 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
; 商入[ebp-8]
004DC004 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
; 余数入[ebp-4]
004DC007 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004DC00A |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004DC00D |. 2D B3730700 SUB EAX,773B3
; 再减去773B3
004DC012 |. 83DA 00 SBB EDX,0
; 带借位减法,下面要比较是否为0,反推得edx必须是0
004DC015 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004DC018 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004DC01B |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004DC01E |. E8 E1F4FFFF CALL faxnow.004DB504
; 取cpu的ID,我的为670(H),即为1648
004DC023 |. 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
; cpuid入ecx
004DC026 |. 8BC1 MOV EAX,ECX
; eax=ecx
004DC028 |. 99 CDQ
004DC029 |. 3B55 FC CMP EDX,DWORD PTR SS:[EBP-4]
; 比较[ebp-4]是否为0
004DC02C |. 75 4E JNZ SHORT faxnow.004DC07C
; 不等则跳
004DC02E |. 3B45 F8 CMP EAX,DWORD PTR SS:[EBP-8]
004DC031 |. 75 49 JNZ SHORT faxnow.004DC07C
; 不等则跳
004DC033 |. 33D2 XOR EDX,EDX
004DC035 |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
------------------------------
总结:
反推:cpuid为670,加上773B3,为77A23,再乘以1d2,得D9C53B6,转换为十进制即为注册码:
228348854
爆破:在004DC02C及004DC031处,把其nop掉即可。 |
|
去除winrar注册框方法
比特币病毒怎么破解 比
查看所有0条评论>>