Any to Icon图像转换器爆破及通用补丁制作
本帖最后由 东海浪子 于 2016-5-9 12:41 编辑软件简介:Any to Icon 是一款强大的 ICO 图像转换器,能将常见的图片格式转换为 Windows ICO 图标,转换过程中可以改变颜色和尺寸,支持256色及真彩色图标,功能上比 SimplyIcon 要好。Any to Icon 方便之处在于支持批量转换,比如可以批量转换文件夹内的所有图片,并能灵活的自定义图片大小
【破文标题】Any to Icon爆破及通用补丁制作
【破文作者】东海浪子
【作者邮箱】
【作者主页】
【破解工具】OD
【破解平台】虚拟机WINXP SP3
【软件名称】Any to Icon 3.54
【软件大小】3.1M
【原版下载】飘云阁软件安全培训第十二期初级班考题-第一题https://www.chinapyg.com/thread-78686-1-1.htm 中文版自己百度下载
【补丁工具】通用特征码查找替换补丁工具v0.8
【阅读对象】爱好破解的初学者,大牛大神们飘过勿视
【破解声明】本文仅做研究所用,供破解技术爱好者学习研究讨论。如喜欢该软件,建议购买正版。
------------------------------------------------------------------------
【破解过程】
1、安装好Any to Icon,用peid查了一下。。无壳,delphi写的程序
2、收集信息:
a、运行程序出现2个窗口,,在第一个窗口中左上角显示“unregistered copy”字样
b、关掉改窗口后弹出about界面。。看到licensed未注册信息,注册按钮。。。
c、主界面上有about、注册按钮。。。右上角显示试用次数信息。。。。
d、尝试注册:在注册窗口,随便输入一些信息,点击注册,,显示错误提示:please reenter key. xxxx。尝试了几次,,xxxx显示了不同信息
3、首先想到从字符入手,,通过字符搜索“please reenter”,双击进入。。在代码窗口中从上往下。。查找是否有可用信息,,看到“Please enter email used in your order”、“Wrong key for this application”等字符,,初步判断是注册函数代码。。。在段首下断,重新注册。程序断下来。。。再一步一步往下走。。。
005013A4/$55 push ebp
005013A5|.8BEC mov ebp,esp
005013A7|.B9 06000000 mov ecx,0x6
005013AC|>6A 00 /push 0x0
005013AE|.6A 00 |push 0x0
005013B0|.49 |dec ecx
005013B1|.^ 75 F9 \jnz short Any2Icon.005013AC
005013B3|.53 push ebx
005013B4|.8BD8 mov ebx,eax
005013B6|.33C0 xor eax,eax
005013B8|.55 push ebp
005013B9|.68 2A165000 push Any2Icon.0050162A
005013BE|.64:FF30 push dword ptr fs:
005013C1|.64:8920 mov dword ptr fs:,esp
005013C4|.8D55 E8 lea edx,
005013C7|.8B83 F8020000 mov eax,dword ptr ds:
005013CD|.E8 4E49F3FF call Any2Icon.00435D20
005013D2|.8B45 E8 mov eax, ;放入假码
005013D5|.8D55 F8 lea edx,
005013D8|.E8 6B7DF0FF call Any2Icon.00409148
005013DD|.8D55 E4 lea edx,
005013E0|.8B83 00030000 mov eax,dword ptr ds:
005013E6|.E8 3549F3FF call Any2Icon.00435D20
005013EB|.8B45 E4 mov eax, ;放入邮箱
005013EE|.8D55 F4 lea edx,
005013F1|.E8 527DF0FF call Any2Icon.00409148
005013F6|.837D F8 00 cmp ,0x0 ;注册码和0比较
005013FA|.75 0C jnz short Any2Icon.00501408
005013FC|.A1 CCA86900 mov eax,dword ptr ds: ;l贻
00501401|.8B00 mov eax,dword ptr ds:
00501403|.E8 20FFFFFF call Any2Icon.00501328
00501408|>837D F4 00 cmp ,0x0 ;邮箱和0比较
0050140C|.75 16 jnz short Any2Icon.00501424
0050140E|.B9 44165000 mov ecx,Any2Icon.00501644 ;Please enter email used in your order
00501413|.B2 01 mov dl,0x1
00501415|.A1 BC824000 mov eax,dword ptr ds:
0050141A|.E8 89B2F0FF call Any2Icon.0040C6A8
0050141F|.E8 6024F0FF call Any2Icon.00403884
00501424|>8B45 F8 mov eax,
00501427|.E8 8C2CF0FF call Any2Icon.004040B8
0050142C 83F8 0A cmp eax,0xA ;注册码位数和A比较
0050142F 7D 0C jge short Any2Icon.0050143D
00501431|.A1 CCA86900 mov eax,dword ptr ds: ;l贻
00501436|.8B00 mov eax,dword ptr ds:
00501438|.E8 EBFEFFFF call Any2Icon.00501328
0050143D|>8D55 E0 lea edx,
00501440|.8B83 F8020000 mov eax,dword ptr ds:
00501446|.E8 D548F3FF call Any2Icon.00435D20
0050144B|.8B45 E0 mov eax,
0050144E|.E8 25F5FFFF call Any2Icon.00500978 ;注册码初步验证
00501453|.85C0 test eax,eax
00501455 74 0A je short Any2Icon.00501461 ;eax为0跳过错误key
00501457|.B8 74165000 mov eax,Any2Icon.00501674 ;Wrong key.
0050145C|.E8 C7FEFFFF call Any2Icon.00501328
00501461|>8B45 F8 mov eax,
00501464|.E8 6FF5FFFF call Any2Icon.005009D8
00501469|.8B93 08030000 mov edx,dword ptr ds:
0050146F|.8B45 F8 mov eax,
00501472|.E8 8DF3FFFF call Any2Icon.00500804 ;核心算法验证
00501477|.85C0 test eax,eax
00501479|.74 0A je short Any2Icon.00501485 ;eax为0,跳过错误key
0050147B|.B8 88165000 mov eax,Any2Icon.00501688 ;Wrong key for this application.
00501480|.E8 A3FEFFFF call Any2Icon.00501328
00501485|>B2 01 mov dl,0x1 ;下面这段是在注册表写入注册信息
00501487|.A1 D0834700 mov eax,dword ptr ds:
0050148C|.E8 3F70F7FF call Any2Icon.004784D0
00501491|.8945 F0 mov ,eax
00501494|.33C0 xor eax,eax
00501496|.55 push ebp
00501497|.68 AB155000 push Any2Icon.005015AB
0050149C|.64:FF30 push dword ptr fs:
0050149F|.64:8920 mov dword ptr fs:,esp
005014A2|.BA 01000080 mov edx,0x80000001
005014A7|.8B45 F0 mov eax,
005014AA|.E8 FD70F7FF call Any2Icon.004785AC
005014AF|.68 B0165000 push Any2Icon.005016B0 ;Software\
005014B4|.FFB3 0C030000 push dword ptr ds:
005014BA|.68 C4165000 push Any2Icon.005016C4 ;\
005014BF|.FFB3 10030000 push dword ptr ds:
005014C5|.68 C4165000 push Any2Icon.005016C4 ;\
005014CA|.8D45 D8 lea eax,
005014CD|.E8 BEF7FFFF call Any2Icon.00500C90
005014D2|.FF75 D8 push
005014D5|.8D45 DC lea eax,
005014D8|.BA 06000000 mov edx,0x6
005014DD|.E8 962CF0FF call Any2Icon.00404178
005014E2|.8B55 DC mov edx,
005014E5|.B1 01 mov cl,0x1
005014E7|.8B45 F0 mov eax,
005014EA|.E8 2171F7FF call Any2Icon.00478610
005014EF|.8845 FF mov byte ptr ss:,al
005014F2|.807D FF 00 cmp byte ptr ss:,0x0
005014F6|.0F84 99000000 je Any2Icon.00501595
005014FC|.8B4D F8 mov ecx,
005014FF|.BA D0165000 mov edx,Any2Icon.005016D0 ;Key
00501504|.8B45 F0 mov eax,
00501507|.E8 C072F7FF call Any2Icon.004787CC
0050150C|.BA D0165000 mov edx,Any2Icon.005016D0 ;Key
00501511|.8D4D D4 lea ecx,
00501514|.8B45 F0 mov eax,
00501517|.E8 DC72F7FF call Any2Icon.004787F8
0050151C|.8B55 D4 mov edx,
0050151F|.8B45 F8 mov eax,
00501522|.E8 A12CF0FF call Any2Icon.004041C8
00501527|.0f9445 ff sete byte ptr ss:
0050152B|.E8 9C93F0FF call Any2Icon.0040A8CC
00501530|.83C4 F8 add esp,-0x8
00501533|.DD1C24 fstp qword ptr ss:
00501536|.9B wait
00501537|.BA DC165000 mov edx,Any2Icon.005016DC ;Time
0050153C|.8B45 F0 mov eax,
0050153F|.E8 7073F7FF call Any2Icon.004788B4
00501544|.8B8B 14030000 mov ecx,dword ptr ds:
0050154A|.8B93 14030000 mov edx,dword ptr ds:
00501550|.8B45 F0 mov eax,
00501553|.E8 7472F7FF call Any2Icon.004787CC
00501558|.8D55 D0 lea edx,
0050155B|.8B83 EC020000 mov eax,dword ptr ds:
00501561|.E8 BA47F3FF call Any2Icon.00435D20
00501566|.8B45 D0 mov eax,
00501569|.8D55 EC lea edx,
0050156C|.E8 D77BF0FF call Any2Icon.00409148
00501571|.837D EC 00 cmp ,0x0
00501575|.8B4D EC mov ecx,
00501578|.BA EC165000 mov edx,Any2Icon.005016EC ;UserName
0050157D|.8B45 F0 mov eax,
00501580|.E8 4772F7FF call Any2Icon.004787CC
00501585|.8B4D F4 mov ecx,
00501588|.BA 00175000 mov edx,Any2Icon.00501700 ;Email
0050158D|.8B45 F0 mov eax,
00501590|.E8 3772F7FF call Any2Icon.004787CC
00501595|>33C0 xor eax,eax
00501597|.5A pop edx ;0012E850
00501598|.59 pop ecx ;0012E850
00501599|.59 pop ecx ;0012E850
0050159A|.64:8910 mov dword ptr fs:,edx
0050159D|.68 B2155000 push Any2Icon.005015B2
005015A2|>8B45 F0 mov eax,
005015A5|.E8 421BF0FF call Any2Icon.004030EC
005015AA\.C3 retn
005015AB .^ E9 9C22F0FF jmp Any2Icon.0040384C
005015B0 .^ EB F0 jmp short Any2Icon.005015A2
005015B2 .807D FF 00 cmp byte ptr ss:,0x0
005015B6 .75 1B jnz short Any2Icon.005015D3
005015B8 .8B0D 60AC6900 mov ecx,dword ptr ds: ;茑O
005015BE .8B09 mov ecx,dword ptr ds:
005015C0 .B2 01 mov dl,0x1
005015C2 .A1 BC824000 mov eax,dword ptr ds:
005015C7 .E8 DCB0F0FF call Any2Icon.0040C6A8
005015CC .E8 B322F0FF call Any2Icon.00403884
005015D1 .EB 12 jmp short Any2Icon.005015E5
005015D3 >B8 10175000 mov eax,Any2Icon.00501710 ;You should restart application now
005015D8 .E8 B7AFF5FF call Any2Icon.0045C594
通过上面流程,我们知道,经过一段验证,如果注册码正确,就在注册表中写入注册信息,然后提示你重启验证。如果注册码错误,就会弹出错误提示窗。既然要重启验证,我们就不必要在这里纠缠了,先通过爆破跳过注册码验证部分(修改位置有多处,我列举了一处,在文章后面修改1),把注册信息写入注册表。重启验证时也会调用核心算法call。我们就重启跟随进入核心算法call 。Any2Icon.00500804
下面提示 核心算法call ebp=0012E828 本地调用来自 00501472, 0065EDA4
我们知道了,程序重启时在0065eda4这段进行了验证,只要eax为0,就跳向注册成功的地方
0065ED7C/.55 push ebp
0065ED7D|.8BEC mov ebp,esp
0065ED7F|.6A 00 push 0x0
0065ED81|.6A 00 push 0x0
0065ED83|.53 push ebx
0065ED84|.8BD8 mov ebx,eax
0065ED86|.33C0 xor eax,eax
0065ED88|.55 push ebp
0065ED89|.68 37EE6500 push Any2Icon.0065EE37
0065ED8E|.64:FF30 push dword ptr fs:
0065ED91|.64:8920 mov dword ptr fs:,esp
0065ED94|.8D45 FC lea eax,
0065ED97|.E8 DC410000 call Any2Icon.00662F78
0065ED9C|.8B45 FC mov eax,
0065ED9F|.BA 4CEE6500 mov edx,Any2Icon.0065EE4C ;Any to Icon
0065EDA4|.E8 5B1AEAFF call Any2Icon.00500804 ;核心算法call
0065EDA9 85C0 test eax,eax
0065EDAB 74 05 je short Any2Icon.0065EDB2 ;eax为0,跳过去验证成功
0065EDAD|.E8 BE450000 call Any2Icon.00663370
0065EDB2|>8D45 F8 lea eax,
0065EDB5|.E8 3E410000 call Any2Icon.00662EF8
0065EDBA|.837D F8 00 cmp ,0x0
0065EDBE|.A1 10AD6900 mov eax,dword ptr ds:
0065EDC3|.0f9500 setne byte ptr ds:
0065EDC6|.A1 D0AC6900 mov eax,dword ptr ds: ;芊i
0065EDCB|.8B00 mov eax,dword ptr ds:
0065EDCD|.BA 60EE6500 mov edx,Any2Icon.0065EE60 ;Any to Icon 3.54
0065EDD2|.E8 015BDFFF call Any2Icon.004548D8
0065EDD7|.6A FF push -0x1
0065EDD9|.8BC3 mov eax,ebx
0065EDDB|.E8 84D1DDFF call Any2Icon.0043BF64
0065EDE0|.50 push eax ; |hWnd = 0012E81C
0065EDE1|.E8 0E91DAFF call <jmp.&shell32.DragAcceptFiles> ; \DragAcceptFiles
0065EDE6|.B2 01 mov dl,0x1
0065EDE8|.A1 D48B4700 mov eax,dword ptr ds:
eax是在哪里赋值的?我们进入核心算法call看看。
00500804/$55 push ebp
00500805|.8BEC mov ebp,esp
00500807|.33C9 xor ecx,ecx
00500809|.51 push ecx
0050080A|.51 push ecx
0050080B|.51 push ecx
0050080C|.51 push ecx
0050080D|.51 push ecx
0050080E|.53 push ebx
0050080F|.56 push esi
00500810|.8955 F8 mov ,edx
00500813|.8945 FC mov ,eax
00500816|.8B45 FC mov eax,
00500819|.E8 4E3AF0FF call Any2Icon.0040426C
0050081E|.8B45 F8 mov eax,
00500821|.E8 463AF0FF call Any2Icon.0040426C
00500826|.33C0 xor eax,eax
00500828|.55 push ebp
00500829|.68 3F095000 push Any2Icon.0050093F
0050082E|.64:FF30 push dword ptr fs:
00500831|.64:8920 mov dword ptr fs:,esp
00500834|.33F6 xor esi,esi
00500836|.8D55 F0 lea edx,
00500839|.8B45 FC mov eax,
0050083C|.E8 07FEFFFF call Any2Icon.00500648
00500841|.8B55 F0 mov edx,
00500844|.8D45 FC lea eax,
00500847|.E8 8436F0FF call Any2Icon.00403ED0
0050084C|.8B45 FC mov eax,
0050084F|.E8 6438F0FF call Any2Icon.004040B8
00500854|.83F8 07 cmp eax,0x7
00500857|.7D 0A jge short Any2Icon.00500863
00500859|.BE 0B000000 mov esi,0xB
0050085E|.E9 C1000000 jmp Any2Icon.00500924
00500863|>837D F8 00 cmp ,0x0
00500867|.0F84 B7000000 je Any2Icon.00500924
0050086D|.33DB xor ebx,ebx
0050086F|.8B45 F8 mov eax,
00500872|.E8 4138F0FF call Any2Icon.004040B8
00500877|.48 dec eax
00500878|.85C0 test eax,eax
0050087A|.7E 13 jle short Any2Icon.0050088F
0050087C|.BA 01000000 mov edx,0x1
00500881|>8B4D F8 /mov ecx,
00500884|.0FB64C11 FF |movzx ecx,byte ptr ds:
00500889|.03D9 |add ebx,ecx
0050088B|.42 |inc edx
0050088C|.48 |dec eax
0050088D|.^ 75 F2 \jnz short Any2Icon.00500881
0050088F|>8BC3 mov eax,ebx
00500891|.B9 1E000000 mov ecx,0x1E
00500896|.99 cdq
00500897|.F7F9 idiv ecx
00500899|.42 inc edx
0050089A|.B8 58095000 mov eax,Any2Icon.00500958 ;2345679qwertyupadfghjkzxcvbnms
0050089F|.8A4410 FF mov al,byte ptr ds:
005008A3|.8B55 FC mov edx,
005008A6|.3A42 01 cmp al,byte ptr ds:
005008A9|.74 01 je short Any2Icon.005008AC
005008AB|.46 inc esi
005008AC|>8D55 F4 lea edx,
005008AF|.8B45 F8 mov eax,
005008B2|.E8 5986F0FF call Any2Icon.00408F10
005008B7|.8D45 EC lea eax,
005008BA|.8B55 F4 mov edx,
005008BD|.8A12 mov dl,byte ptr ds:
005008BF|.E8 1C37F0FF call Any2Icon.00403FE0
005008C4|.8B45 EC mov eax,
005008C7|.BA 58095000 mov edx,Any2Icon.00500958 ;2345679qwertyupadfghjkzxcvbnms
005008CC|.E8 D33AF0FF call Any2Icon.004043A4
005008D1|.85C0 test eax,eax
005008D3|.7E 11 jle short Any2Icon.005008E6
005008D5|.8D45 FC lea eax,
005008D8|.E8 AB39F0FF call Any2Icon.00404288
005008DD|.8B55 F4 mov edx,
005008E0|.8A12 mov dl,byte ptr ds:
005008E2|.8810 mov byte ptr ds:,dl
005008E4|.EB 3E jmp short Any2Icon.00500924
005008E6|>33DB xor ebx,ebx
005008E8|.8B45 F8 mov eax,
005008EB|.E8 C837F0FF call Any2Icon.004040B8
005008F0|.48 dec eax
005008F1|.85C0 test eax,eax
005008F3|.7E 13 jle short Any2Icon.00500908
005008F5|.BA 01000000 mov edx,0x1
005008FA|>8B4D F8 /mov ecx,
005008FD|.0FB64C11 FF |movzx ecx,byte ptr ds:
00500902|.33D9 |xor ebx,ecx
00500904|.42 |inc edx
00500905|.48 |dec eax
00500906|.^ 75 F2 \jnz short Any2Icon.005008FA
00500908|>8BC3 mov eax,ebx
0050090A|.B9 1E000000 mov ecx,0x1E
0050090F|.99 cdq
00500910|.F7F9 idiv ecx
00500912|.42 inc edx
00500913|.B8 58095000 mov eax,Any2Icon.00500958 ;2345679qwertyupadfghjkzxcvbnms
00500918|.8A4410 FF mov al,byte ptr ds:
0050091C|.8B55 FC mov edx,
0050091F|.3A02 cmp al,byte ptr ds:
00500921|.74 01 je short Any2Icon.00500924
00500923|.46 inc esi
00500924|>33C0 xor eax,eax
00500926|.5A pop edx ;0012E850
00500927|.59 pop ecx ;0012E850
00500928|.59 pop ecx ;0012E850
00500929|.64:8910 mov dword ptr fs:,edx
0050092C|.68 46095000 push Any2Icon.00500946
00500931|>8D45 EC lea eax,
00500934|.BA 05000000 mov edx,0x5
00500939|.E8 1E35F0FF call Any2Icon.00403E5C
0050093E\.C3 retn
0050093F .^ E9 082FF0FF jmp Any2Icon.0040384C
00500944 .^ EB EB jmp short Any2Icon.00500931
00500946 8BC6 mov eax,esi
00500948 .5E pop esi ;0012E850
00500949 .5B pop ebx ;0012E850
0050094A .8BE5 mov esp,ebp
0050094C .5D pop ebp ;0012E850
0050094D .C3 retn
esi=0000000B
eax=00000000
00500946 8BC6 mov eax,esi,原来eax的值是由esi赋值的。我们修改的时候,只要到段尾,eax的值一直为0就可以了,(见下面修改2)
至此,破解结束了。通用补丁的制作见图,关键是要找到不易改变的特征码
修改1 原0050142C 83F8 0A cmp eax,0xA
改0050142C /EB 57 jmp short Any2Icon.00501485
0050142E |90 nop
修改2原00500946 8BC6 mov eax,esi
改00500946 9090 nop
或改00500946 8bf0 mov esi,eax (本人倾向于用这种)
【破解总结】总的思路:就是1.在输入注册信息时,要把注册信息写入注册表,2.在重启验证时,要让eax为0。具体操作,自由发挥,能达到上述目的就行。
这是学员的作业题,本人由于刚在本论坛自学几个月,水平有限。也自我测试一下,第一次写这种详细的破文,写的不好不足之处,敬请谅解。
学习了,感谢分享 从楼主这学到了很多知识,感谢楼主,谢啦
页:
[1]