- UID
- 9748
注册时间2006-3-20
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
【破文标题】GIF 动画转换王1.0爆破+追注册码+脱壳
【破文作者】LucIfer
【作者邮箱】jifeng9464@163.com
【作者主页】无
【破解工具】OD PEID0.94 W32Dasm无极版v3.0
【破解平台】XP SP2
【软件名称】GIF 动画转换王1.0
【软件大小】略
【原版下载】GOOGLE
【保护方式】略
【软件简介】略
【破解声明】偶是一只小菜鸟,一点心得,愿与大家分享!!
------------------------------------------------------------------------
看到论坛有该软件的动画,下载不下来,只好自己动手了
先查壳 NsPack V1.4 -> LiuXingPing *
OD载入,无提示,压缩壳,好办.....
00720920 > 9C PUSHFD
00720921 60 PUSHAD
00720922 E8 00000000 CALL GIF_动画.00720927
00720927 5D POP EBP
00720928 B8 B1854000 MOV EAX,GIF_动画.004085B1
0072092D 2D AA854000 SUB EAX,GIF_动画.004085AA
00720932 2BE8 SUB EBP,EAX
00720934 8DB5 0CFBFFFF LEA ESI,DWORD PTR SS:[EBP-4F4]
0072093A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0072093C 83F8 00 CMP EAX,0
ESP定律,hr 0012ffc0 在00720921可看到ESP的值,回车,运行
00720B45 - E9 42D3D8FF JMP GIF_动画.004ADE8C 停在这里
00720B4A 8BB5 E4FAFFFF MOV ESI,DWORD PTR SS:[EBP-51C]
00720B50 0BF6 OR ESI,ESI
00720B52 0F84 97000000 JE GIF_动画.00720BEF
00720B58 8B95 E8FAFFFF MOV EDX,DWORD PTR SS:[EBP-518]
00720B5E 03F2 ADD ESI,EDX
00720B60 833E 00 CMP DWORD PTR DS:[ESI],0
00720B63 75 0E JNZ SHORT GIF_动画.00720B73
00720B65 837E 04 00 CMP DWORD PTR DS:[ESI+4],0
00720B69 75 08 JNZ SHORT GIF_动画.00720B73
00720B6B 837E 08 00 CMP DWORD PTR DS:[ESI+8],0
00720B6F 75 02 JNZ SHORT GIF_动画.00720B73
00720B71 EB 7A JMP SHORT GIF_动画.00720BED
还有什么好说的呢,F8,直接到达入口...
004ADE8C 55 DB 55 OEP ; CHAR 'U'
004ADE8D 8B DB 8B
004ADE8E EC DB EC
004ADE8F 83 DB 83
004ADE90 C4 DB C4
004ADE91 F0 DB F0
004ADE92 53 DB 53 ; CHAR 'S'
004ADE93 B8 DB B8
用插件脱壳吧,发现还能运行...
W32Dasm无极版v3.0再次载入脱壳后的程序....先去喝喝茶吧....
查到注册失败信息地址:004a7048
OD载入,ctrl+g 004a7048 向上看
004A7013 |. E8 54D4F5FF CALL 2.0040446C 关键CALL
004A7018 |. 75 2E JNZ SHORT 2.004A7048 关键跳转
004A701A |. 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
004A7020 |. 05 80000000 ADD EAX,80
004A7025 |. 8B15 A81C4B00 MOV EDX,DWORD PTR DS:[4B1CA8]
004A702B |. E8 84D0F5FF CALL 2.004040B4
004A7030 |. B8 84704A00 MOV EAX,2.004A7084 ; 谢谢您的支持,您已注册成功.
004A7035 |. E8 5677F8FF CALL 2.0042E790
004A703A |. A1 90FF4A00 MOV EAX,DWORD PTR DS:[4AFF90]
004A703F |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004A7041 |. E8 5A060000 CALL 2.004A76A0
004A7046 |. EB 0A JMP SHORT 2.004A7052
004A7048 |> B8 A8704A00 MOV EAX,2.004A70A8 ; 请检查您的注册系列号有没有输入正确.
004A704D |. E8 3E77F8FF CALL 2.0042E790
运行的时候出现进程以中止,点一下程序,又有新线程创建,关键CALL断点...打开程序,随便输入一个我的是212121
好了....爆破的可以爆破了,问题是偶想追出注册码,到关键CALL跟进去看看
0040446C /$ 53 PUSH EBX
0040446D |. 56 PUSH ESI
0040446E |. 57 PUSH EDI
0040446F |. 89C6 MOV ESI,EAX
00404471 |. 89D7 MOV EDI,EDX D EDX可以看见真注册码
00404473 |. 39D0 CMP EAX,EDX 在次比较....
00404475 |. 0F84 8F000000 JE 2.0040450A
0040447B |. 85F6 TEST ESI,ESI
0040447D |. 74 68 JE SHORT 2.004044E7
0040447F |. 85FF TEST EDI,EDI
00404481 |. 74 6B JE SHORT 2.004044EE
00404483 |. 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
00404486 |. 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4]
00404489 |. 29D0 SUB EAX,EDX
0040448B |. 77 02 JA SHORT 2.0040448F
0040448D |. 01C2 ADD EDX,EAX
0040448F |> 52 PUSH EDX
00404490 |. C1EA 02 SHR EDX,2
00404493 |. 74 26 JE SHORT 2.004044BB
00404495 |> 8B0E /MOV ECX,DWORD PTR DS:[ESI]
00404497 |. 8B1F |MOV EBX,DWORD PTR DS:[EDI]
00404499 |. 39D9 |CMP ECX,EBX
0040449B |. 75 58 |JNZ SHORT 2.004044F5
0040449D |. 4A |DEC EDX
0040449E |. 74 15 |JE SHORT 2.004044B5
004044A0 |. 8B4E 04 |MOV ECX,DWORD PTR DS:[ESI+4]
004044A3 |. 8B5F 04 |MOV EBX,DWORD PTR DS:[EDI+4]
004044A6 |. 39D9 |CMP ECX,EBX
004044A8 |. 75 4B |JNZ SHORT 2.004044F5
004044AA |. 83C6 08 |ADD ESI,8
004044AD |. 83C7 08 |ADD EDI,8
004044B0 |. 4A |DEC EDX
004044B1 |.^ 75 E2 \JNZ SHORT 2.00404495
004044B3 |. EB 06 JMP SHORT 2.004044BB
004044B5 |> 83C6 04 ADD ESI,4
004044B8 |. 83C7 04 ADD EDI,4
004044BB |> 5A POP EDX
004044BC |. 83E2 03 AND EDX,3
004044BF |. 74 22 JE SHORT 2.004044E3
004044C1 |. 8B0E MOV ECX,DWORD PTR DS:[ESI]
004044C3 |. 8B1F MOV EBX,DWORD PTR DS:[EDI]
004044C5 |. 38D9 CMP CL,BL
004044C7 |. 75 41 JNZ SHORT 2.0040450A
004044C9 |. 4A DEC EDX
004044CA |. 74 17 JE SHORT 2.004044E3
004044CC |. 38FD CMP CH,BH
004044CE |. 75 3A JNZ SHORT 2.0040450A
004044D0 |. 4A DEC EDX
004044D1 |. 74 10 JE SHORT 2.004044E3
004044D3 |. 81E3 0000FF00 AND EBX,0FF0000
004044D9 |. 81E1 0000FF00 AND ECX,0FF0000
004044DF |. 39D9 CMP ECX,EBX
004044E1 |. 75 27 JNZ SHORT 2.0040450A
004044E3 |> 01C0 ADD EAX,EAX
004044E5 |. EB 23 JMP SHORT 2.0040450A
004044E7 |> 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4]
004044EA |. 29D0 SUB EAX,EDX
004044EC |. EB 1C JMP SHORT 2.0040450A
004044EE |> 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
004044F1 |. 29D0 SUB EAX,EDX
004044F3 |. EB 15 JMP SHORT 2.0040450A
004044F5 |> 5A POP EDX
004044F6 |. 38D9 CMP CL,BL
004044F8 |. 75 10 JNZ SHORT 2.0040450A
004044FA |. 38FD CMP CH,BH
004044FC |. 75 0C JNZ SHORT 2.0040450A
004044FE |. C1E9 10 SHR ECX,10
00404501 |. C1EB 10 SHR EBX,10
00404504 |. 38D9 CMP CL,BL
00404506 |. 75 02 JNZ SHORT 2.0040450A
00404508 |. 38FD CMP CH,BH
0040450A |> 5F POP EDI
0040450B |. 5E POP ESI
0040450C |. 5B POP EBX
0040450D \. C3 RETN
完成
------------------------------------------------------------------------
内存中的明文比较....
------------------------------------------------------------------------
【版权声明】本文原创,如有转载,请注明作者及出处
[ 本帖最后由 tigerisme 于 2006-8-26 21:27 编辑 ] |
|
IP卡
发表于 2006-4-10 21:05:07
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-4-18 19:59:11
发表于 2006-4-25 11:46:58
楼主