SPXStudio v2.1 爆破+DLL劫持补丁+通杀patch
本帖最后由 geekcat 于 2014-6-29 13:22 编辑【文章标题】: SPXStudio v2.1爆破+DLL劫持补丁+通杀patch【文章作者】: geekcat
【作者邮箱】: geek_huang@163.com
【作者主页】:
【软件名称】: SPXStudio v2.1
【软件大小】: 1.80 MB (1,893,420 字节)
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD、PEID
【操作平台】: XP SP3【下载地址】:http://www.moodysoft.com/【破解声明】:破解在于交流思路和过程,结果并不重要,请不要用于非法用途;
【软件介绍】:SPX Studio 是 SPX Instant Screen Capture 的配套工具,主要用来编辑 SPX Instant Screen Capture 抓取的屏幕抓图,其功能包括:添加图象,文字说明、注释、气泡提示等……与 SPX Instant Screen Capture 搭配使用,能让你的抓图更加完美地表达出你的意图! 【破解声明】:PYG第九轮作业五--------------------------------------------------------------------------------------------------------------------------------【破解过程】
1、OD加载程序F9运行输入注册信息,有错误提示“Invalid User Name or Product ID. Please try again.”;2、重载程序,搜索字符串找到错误提示,双击到来程序出错处,向上看到注册成功,找到关键CALL和关键跳;代码:
004B2D64|.59 pop ecx004B2D65|.8B83 3C030000 mov eax,dword ptr ds:004B2D6B|.FF93 38030000 call dword ptr ds: ;关键CALL 注册时验证004B2D71|.84C0 test al,al004B2D73 74 65 je short Studio.004B2DDA ;关键跳004B2D75|.6A 30 push 0x30004B2D77|.8D55 E8 lea edx,dword ptr ss:004B2D7A|.A1 30414C00 mov eax,dword ptr ds:004B2D7F|.8B00 mov eax,dword ptr ds:004B2D81|.E8 72C9FAFF call Studio.0045F6F8004B2D86|.8B45 E8 mov eax,dword ptr ss:004B2D89|.E8 B61CF5FF call Studio.00404A44004B2D8E|.50 push eax004B2D8F|.68 9C2E4B00 push Studio.004B2E9C ;Thank you for registering004B2D94|.8D55 E0 lea edx,dword ptr ss:004B2D97|.A1 30414C00 mov eax,dword ptr ds:………………………………………………………………………………………………………省略去中间N多代码 004B2DEB|.8B45 DC mov eax,dword ptr ss:004B2DEE|.E8 511CF5FF call Studio.00404A44004B2DF3|.50 push eax ; |Title004B2DF4|.68 C42E4B00 push Studio.004B2EC4 ; |Invalid User Name or Product ID. Please try again.
3、在关键CALL和关键跳下断,重载程序F9运行输入注册信息断在关键CALL处F7进行:可以看到这个CALL有两处调用;一处为重启验证调用,一处为关于功能调用;代码:
004B3494/$55 push ebp ;算法CALL004B3495|.8BEC mov ebp,esp………………………………………………………………………………………………………省略去中间N多代码 004B34F1|.E8 CE53F5FF call Studio.004088C4004B34F6|.837D E8 00 cmp dword ptr ss:,0x0 ;判断注册名是否为空004B34FA|.0F84 E5000000 je Studio.004B35E5004B3500|.837D F8 00 cmp dword ptr ss:,0x0 ;判断输入的假是否为空004B3504|.0F84 DB000000 je Studio.004B35E5004B350A|.8D45 F0 lea eax,dword ptr ss:004B350D|.BA 38364B00 mov edx,Studio.004B3638 ;life004B3512|.E8 1511F5FF call Studio.0040462C004B3517|.8D45 EC lea eax,dword ptr ss: ;(ASCII "86K")004B351A|.BA 48364B00 mov edx,Studio.004B3648 ;is soft and moody004B351F|.E8 0811F5FF call Studio.0040462C004B3524|.33C9 xor ecx,ecx004B3526|.B2 01 mov dl,0x1004B3528|.A1 88E74A00 mov eax,dword ptr ds: ;(ASCII "H6K")004B352D|.E8 42C7FFFF call Studio.004AFC74004B3532|.8BF0 mov esi,eax004B3534|.8B0D 04FD4A00 mov ecx,dword ptr ds: ;Studio.004AFD50004B353A|.8B53 38 mov edx,dword ptr ds: ;(ASCII "ldmaigtbsmare")004B353D|.8BC6 mov eax,esi004B353F|.E8 D8DEFEFF call Studio.004A141C004B3544|.8D4D F0 lea ecx,dword ptr ss: ;(ASCII "86K")004B3547|.8B55 E8 mov edx,dword ptr ss:004B354A|.8BC6 mov eax,esi004B354C|.8B38 mov edi,dword ptr ds:004B354E|.FF57 54 call dword ptr ds:004B3551|.8BC6 mov eax,esi004B3553|.8B10 mov edx,dword ptr ds: ;(ASCII "IpWq0V/w6w==")004B3555|.FF52 44 call dword ptr ds:004B3558|.8BC6 mov eax,esi004B355A|.E8 4502F5FF call Studio.004037A4004B355F|.33C9 xor ecx,ecx004B3561|.B2 01 mov dl,0x1004B3563|.A1 94304A00 mov eax,dword ptr ds: ;ムJ004B3568|.E8 FBE2FEFF call Studio.004A1868004B356D|.8BF0 mov esi,eax004B356F|.8B0D 34414A00 mov ecx,dword ptr ds: ;Studio.004A4180004B3575|.8B53 3C mov edx,dword ptr ds: ;(ASCII "bsstopudioxmil")004B3578|.8BC6 mov eax,esi004B357A|.E8 9DDEFEFF call Studio.004A141C004B357F|.8D4D EC lea ecx,dword ptr ss: ;(ASCII "H6K")入ecx004B3582|.8B55 F8 mov edx,dword ptr ss: ;假码入edx004B3585|.8BC6 mov eax,esi004B3587|.8B38 mov edi,dword ptr ds:004B3589|.FF57 58 call dword ptr ds:004B358C|.8BC6 mov eax,esi004B358E|.8B10 mov edx,dword ptr ds:004B3590|.FF52 44 call dword ptr ds:004B3593|.8BC6 mov eax,esi004B3595|.E8 0A02F5FF call Studio.004037A4004B359A|.8B45 F0 mov eax,dword ptr ss:004B359D|.8B55 EC mov edx,dword ptr ss:004B35A0|.E8 EB13F5FF call Studio.00404990 ;注意al的值004B35A5|.0F94C0 sete al ;爆破点:修改为setne al 004B35A8 8843 34 mov byte ptr ds:,al ;全局变量:ebx+0x34004B35AB 807B 34 00 cmp byte ptr ds:,0x0 004B35AF|.74 34 je short Studio.004B35E5………………………………………………………………………………………………………省略去中间N多代码 004B3617 .5F pop edi004B3618 .5E pop esi004B3619 .5B pop ebx004B361A .8BE5 mov esp,ebp004B361C .5D pop ebp004B361D .C2 0400 retn 0x4
4、来到第三步中提到的两处处调用分别下断,重载程序F9运行在重启验证处断下;代码:
004B37A7 .8B55 F4 mov edx,dword ptr ss:004B37AA .8B45 FC mov eax,dword ptr ss:004B37AD .59 pop ecx004B37AE .E8 E1FCFFFF call Studio.004B3494 ;启动时调用004B37B3 .84C0 test al,al004B37B5 .75 08 jnz short Studio.004B37BF004B37B7 .8B45 FC mov eax,dword ptr ss:
5、第四中断下后直接F8向下走,返回到如下: 看到这里看软件还可以试用多少天,这不就是软件在之前输入注册信息处的提示吗?代码
004B31F4|.8BC3 mov eax,ebx004B31F6|.E8 61040000 call Studio.004B365C004B31FB 807B 34 00 cmp byte ptr ds:,0x0 ;返回处全局变量:ebx+0x34再次出现004B31FF 0F85 9F010000 jnz Studio.004B33A4………………………………………………………………………………………………………省略去中间N多代码 004B328E|.FF51 08 call dword ptr ds:004B3291|.68 04344B00 push Studio.004B3404 ;Thank you for using004B3296|.8D95 E4FEFFFF lea edx,dword ptr ss:………………………………………………………………………………………………………省略去中间N多代码 004B32EC|.8D85 E0FEFFFF lea eax,dword ptr ss:004B32F2|.BA 30344B00 mov edx,Studio.004B3430 ; days remaining.004B32F7|.E8 5815F5FF call Studio.00404854004B32FC|.8B95 E0FEFFFF mov edx,dword ptr ss:004B3302|.8B86 FC020000 mov eax,dword ptr ds:004B3308|.E8 13C3F8FF call Studio.0043F620004B330D|.EB 25 jmp short Studio.004B3334004B330F|>4F dec edi004B3310|.75 12 jnz short Studio.004B3324004B3312|.BA 4C344B00 mov edx,Studio.004B344C ;1 day remaining.004B3317|.8B86 FC020000 mov eax,dword ptr ds:004B331D|.E8 FEC2F8FF call Studio.0043F620004B3322|.EB 10 jmp short Studio.004B3334004B3324|>BA 68344B00 mov edx,Studio.004B3468 ;0 days remaining.004B3329|.8B86 FC020000 mov eax,dword ptr ds:004B332F|.E8 ECC2F8FF call Studio.0043F620004B3334|>83BB 50020000 0>cmp dword ptr ds:,0x0
6、在重启验证的段首下断,重载程序F9运行断下F8向下走在信息窗口可以看到“(ASCII "C:\WINDOWS\system32\winsoap.crc")”注册信息保存在这里用记事本打开可以看到;
----------------------------------------------------------------------------------------------------------------------------【破解总结】:1、字符串没加密,容易切入注册验证流程中;2、写出第五5步的目的是为了提供另一个思路,下取系统时间API断点来切入验证体系,我没试过但觉得这是可以的!----------------------------------------------------------------------------------------------------------------------------【版权声明】:本文原创于geekcat,转载请注明作者并保存文章的完整!
收藏一个,写的很详细。 谢谢分享,收下了。{:victory:} 谢谢分享 太感谢了```手下` 非常好,长知识了,那个爆破点没看明白。 tt521 发表于 2015-1-14 21:09
非常好,长知识了,那个爆破点没看明白。
sete al 根据zf(zero flags)标志位来设置al的值。即是如果zf=1,则al等于1,否则等于0
把sete修改成setne 相当于取反 al值
其中al值赋给全局变量
当我们随便输入的注册码肯定是错误的,如果不修改al的值值赋给全局变量得到的结果就是注册 失败,修改了反之就变成注册成功了。
这些指令在Intel指令上有说明
太感谢了```手下` geekcat 发表于 2015-1-14 21:59
sete al 根据zf(zero flags)标志位来设置al的值。即是如果zf=1,则al等于1,否则等于0
把sete修改成setne ...
非常感谢,明白了。
路过必顶,谢谢分享。
页:
[1]
2