
某交通客运信息管理系统

时间:2004/10/15 1:03:00来源:本站整理作者:蓝点我要评论(0)

 





 

 








【软件名称】某交通客运信息管理系统
【软件限制】注册码+加密狗
【破解声明】破解只是感兴趣,无其它目的。失误之处敬请诸位大侠赐教!
【破解工具】W32Dasm8.93 TRW20001.23
========================================================================================
【分析过程】

   此软件未注册时只能以试用版功能运行;注册后会启用加密狗检测,检测不到加密狗时程序无法运行。
我只找了一下注册码,没有详细分析算法,这里主要把解除加密狗的思路写一下。
分析如下:

* Possible StringData Ref from Code Obj ->"197712280530qlm提示窗口"
                                 |
:0062365A BAA8376200              mov edx, 006237A8
:0062365F E8F4BCECFF              call 004EF358
:00623664 8D95F0FEFFFF            lea edx, dword ptr [ebp+FFFFFEF0]
:0062366A 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:00623670 E843B2E2FF              call 0044E8B8
:00623675 8B85F0FEFFFF            mov eax, dword ptr [ebp+FFFFFEF0]
:0062367B 8D95F4FEFFFF            lea edx, dword ptr [ebp+FFFFFEF4]
:00623681 E8525FDEFF              call 004095D8
:00623686 8B85F4FEFFFF            mov eax, dword ptr [ebp+FFFFFEF4]
:0062368C 50                      push eax
:0062368D 8D95ECFEFFFF            lea edx, dword ptr [ebp+FFFFFEEC]
:00623693 8B45FC                  mov eax, dword ptr [ebp-04]
:00623696 E83D5FDEFF              call 004095D8
:0062369B 8B95ECFEFFFF            mov edx, dword ptr [ebp+FFFFFEEC] //注册码 算法省略...
:006236A1 58                      pop eax
:006236A2 E85119DEFF              call 00404FF8
:006236A7 743B                    je 006236E4
:006236A9 6A40                    push 00000040
:006236AB B9B8376200              mov ecx, 006237B8

* Possible StringData Ref from Code Obj ->"您输入的注册号错误,请重新输入."
                                 |
:006236B0 BAC4376200              mov edx, 006237C4
:006236B5 A140426300              mov eax, dword ptr [00634240]
:006236BA 8B00                    mov eax, dword ptr [eax]
:006236BC E827B7E4FF              call 0046EDE8
:006236C1 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:006236C7 66BEB8FF                mov si, FFB8
:006236CB E8DC08DEFF              call 00403FAC
:006236D0 84C0                    test al, al
:006236D2 747E                    je 00623752
:006236D4 8B83F4020000            mov eax, dword ptr [ebx+000002F4]
:006236DA 8B10                    mov edx, dword ptr [eax]
:006236DC FF92C0000000            call dword ptr [edx+000000C0]
:006236E2 EB6E                    jmp 00623752

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006236A7(C)
|
:006236E4 8BC3                    mov eax, ebx
:006236E6 E891010000              call 0062387C
:006236EB 84C0                    test al, al      
:006236ED 744B                    je 0062373A    //不能跳
:006236EF 6A40                    push 00000040
:006236F1 B9B8376200              mov ecx, 006237B8

* Possible StringData Ref from Code Obj ->"恭喜您注册成功,欢迎使用状元正版软件。
请重新

====================================================================================
* Possible StringData Ref from Code Obj ->" 试用版 V5.0 "
                                 |
:00628870 BA048E6200              mov edx, 00628E04
:00628875 E86E60E2FF              call 0044E8E8
:0062887A E9D3040000              jmp 00628D52

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00628865(C)
|
:0062887F 8B45FC                  mov eax, dword ptr [ebp-04]
:00628882 8B8000030000            mov eax, dword ptr [eax+00000300]

* Possible StringData Ref from Code Obj ->" 正试版  V5.0 "
                                 |
:00628888 BA1C8E6200              mov edx, 00628E1C
:0062888D E85660E2FF              call 0044E8E8
:00628892 A15C656300              mov eax, dword ptr [0063655C]
:00628897 8B80FC020000            mov eax, dword ptr [eax+000002FC]

* Possible StringData Ref from Code Obj ->"系统正在检测加密狗,请等待。。。"
                                 |
:0062889D BA348E6200              mov edx, 00628E34
:006288A2 E84160E2FF              call 0044E8E8
:006288A7 33C0                    xor eax, eax
:006288A9 A34C656300              mov dword ptr [0063654C], eax
:006288AE E8AD4E0000              call 0062D760     //在这里读狗  杀入.....
:006288B3 8BD8                    mov ebx, eax      //返回eax=0表明有狗
:006288B5 85DB                    test ebx, ebx     //ebx必须等于0  
:006288B7 7428                    je 006288E1       //跳走就成功了,简单的爆破可能会有隐患,因此我们必须进入上面的call观察
:006288B9 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"    系统检测加密狗失败!可能是网络不通或加密狗"
                                       ->"未安装正确!
   请先进行调试后再运行本系统!
"
                                       ->"    如果您仍无法解决,请与供应商联系!"
                                 |
:006288BB B8608E6200              mov eax, 00628E60
:006288C0 E80B5DECFF              call 004EE5D0
:006288C5 8B45FC                  mov eax, dword ptr [ebp-04]
:006288C8 8B80FC020000            mov eax, dword ptr [eax+000002FC]

* Possible StringData Ref from Code Obj ->"加载加密狗失败!"
                                 |
:006288CE BAEC8E6200              mov edx, 00628EEC
:006288D3 E81060E2FF              call 0044E8E8
:006288D8 C645FB00                mov [ebp-05], 00
:006288DC E971040000              jmp 00628D52

=====================================call 0062D760 ===================================
* Referenced by a CALL at Address:
|:006288AE   

// Thunk at 0062D760: forwards to the routine at 0062CD9F and returns that
// routine's EAX to its own caller unchanged.
// Arguments pushed for the callee, last push first: 1, 0062D4C1, 0062D746.
// The constant 1 is presumably an operation selector, since the sibling thunks
// differ only in this value. TODO confirm. What the two addresses refer to is
// not visible in this listing.
// EDX and ECX are saved before the call and restored after it.
// The listing's call site at 006288AE only tests the returned EAX against zero.
// NOTE(review): the author labels 0062CD9F as the dongle query. If that is
// right, the hardware check is reduced here to one pass/fail integer; a scheme
// in which the program needs dongle-derived data to run would not hinge on a
// single return value.
:0062D760 55                      push ebp
:0062D761 8BEC                    mov ebp, esp
:0062D763 52                      push edx
:0062D764 51                      push ecx
:0062D765 6846D76200              push 0062D746
:0062D76A 68C1D46200              push 0062D4C1
:0062D76F 6A01                    push 00000001
:0062D771 E829F6FFFF              call 0062CD9F         //dongle read (author's annotation)
// Caller-side cleanup: drops the three 4-byte arguments pushed above.
:0062D776 83C40C                  add esp, 0000000C
:0062D779 59                      pop ecx
:0062D77A 5A                      pop edx
:0062D77B 5D                      pop ebp
:0062D77C C3                      ret

// Thunk at 0062D77D: same shape as the thunk at 0062D760, but pushes the
// constant 5 before calling 0062CD9F. EAX from the callee is returned as is.
// Arguments pushed, last push first: 5, 0062D4C1, 0062D746.
// The meaning of the constant is not shown here; presumably it selects a
// different operation of the same routine. TODO confirm.
// No call site for this thunk appears in the listing.
:0062D77D 55                      push ebp
:0062D77E 8BEC                    mov ebp, esp
:0062D780 52                      push edx
:0062D781 51                      push ecx
:0062D782 6846D76200              push 0062D746
:0062D787 68C1D46200              push 0062D4C1
:0062D78C 6A05                    push 00000005
:0062D78E E80CF6FFFF              call 0062CD9F        //dongle read (author's annotation)
// Caller-side cleanup of the three pushed arguments (12 bytes).
:0062D793 83C40C                  add esp, 0000000C
:0062D796 59                      pop ecx
:0062D797 5A                      pop edx
:0062D798 5D                      pop ebp
:0062D799 C3                      ret

// Thunk at 0062D79A: calls 0062CD9F with the constant 2 and returns the
// callee's EAX. Unlike its sibling thunks it has one side effect: when the
// callee returns 0, it stores 0 into the dword whose address is held in the
// global at 00636558.
// Arguments pushed, last push first: 2, 0062D4C1, 0062D746.
// What the global at 00636558 points to is not visible in this listing.
:0062D79A 55                      push ebp
:0062D79B 8BEC                    mov ebp, esp
:0062D79D 52                      push edx
:0062D79E 51                      push ecx
:0062D79F 6846D76200              push 0062D746
:0062D7A4 68C1D46200              push 0062D4C1
:0062D7A9 6A02                    push 00000002
:0062D7AB E8EFF5FFFF              call 0062CD9F        //dongle read (author's annotation)
// Caller-side cleanup of the three pushed arguments (12 bytes).
:0062D7B0 83C40C                  add esp, 0000000C
:0062D7B3 59                      pop ecx
:0062D7B4 5A                      pop edx
// A non-zero result skips the store below and is returned untouched.
:0062D7B5 85C0                    test eax, eax
:0062D7B7 750A                    jne 0062D7C3
// Result was 0: clear the dword behind the pointer stored at 00636558.
// EDX and ECX are overwritten here after having been restored, so on this path
// they are not preserved for the caller.
:0062D7B9 8B1558656300            mov edx, dword ptr [00636558]
:0062D7BF 33C9                    xor ecx, ecx
:0062D7C1 890A                    mov dword ptr [edx], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0062D7B7(C)
|
:0062D7C3 5D                      pop ebp
:0062D7C4 C3                      ret

* Referenced by a CALL at Addresses:
|:006288FE   , :006289FE   , :00628B18   , :00628C35   
|
// Thunk at 0062D7C5: calls 0062CD9F with the constant 3 and returns the
// callee's EAX unchanged. The cross-reference note above it lists four call
// sites: 006288FE, 006289FE, 00628B18 and 00628C35.
// Arguments pushed, last push first: 3, 0062D4C1, 0062D746.
// NOTE(review): these repeated checks all end in the same routine as the
// startup check, so they share its result rather than giving independent
// verification. Presumably they were meant as periodic re-checks; confirm
// against the callers, which lie outside this listing.
:0062D7C5 55                      push ebp
:0062D7C6 8BEC                    mov ebp, esp
:0062D7C8 52                      push edx
:0062D7C9 51                      push ecx
:0062D7CA 6846D76200              push 0062D746
:0062D7CF 68C1D46200              push 0062D4C1
:0062D7D4 6A03                    push 00000003
:0062D7D6 E8C4F5FFFF              call 0062CD9F   //dongle read (author's annotation)
// Caller-side cleanup of the three pushed arguments (12 bytes).
:0062D7DB 83C40C                  add esp, 0000000C
:0062D7DE 59                      pop ecx
:0062D7DF 5A                      pop edx
:0062D7E0 5D                      pop ebp
:0062D7E1 C3                      ret

从上面可以看出有不少地方在读狗.....进入call 0062CD9F

=======================================call 0062CD9F=========================================
* Referenced by a CALL at Addresses:
|:0062D771   , :0062D78E   , :0062D7AB   , :0062D7D6   
|
:0062CD9F 55                      push ebp   //修改为xor eax,eax   ret //在这里让eax返回0就成功了
:0062CDA0 8BEC                    mov ebp, esp
:0062CDA2 83C4B8                  add esp, FFFFFFB8
:0062CDA5 53                      push ebx
:0062CDA6 56                      push esi
:0062CDA7 E8EEFEFFFF              call 0062CC9A
:0062CDAC 8945DC                  mov dword ptr [ebp-24], eax
:0062CDAF 66C745D00A00            mov [ebp-30], 000A
:0062CDB5 E9F0030000              jmp 0062D1AA
:0062CDBA EB01                    jmp 0062CDBD
:0062CDBC 00                      BYTE 00

========================================================================================
【分析总结】
      
      这个加密狗的保护并不复杂:从上面的代码看,各处读狗的调用都汇集到同一个函数,调用处只检查返回值是否为0,所以只要让读狗后返回0,解狗即可成功。这里采用一追到底的方法,到程序的根部修改,而不是简单地修改跳转,好处是可以避免许多暗桩。
      初学解狗,希望对大家有所帮助,也希望能起到抛砖引玉的作用。
========================================================================================

    
    
     
    
    
     
