第一次失败@第三次破解文件求助大家分析

4755 · 发表于 2007-1-31 11:08:36

求助：
事情是这样的，今日试着破解一个register,用w32D打开这个文件，参考字符串中能找到运行出错的信息“错误：请输入有效的序列号”双击进入分析，发现|:00401703(C), :0040170C(C)，于是我将这两处的跳转改为jmp short 0040177A,运行后显示“注册系统成功”，但没有真正注册。大家帮我分析一下，最好分析出算法。

注册文件已上传到附件

* Possible StringData Ref from Data Obj ->"错误：无效的注册码"
|
:00401750 68AC304000 push 004030AC
:00401755 EB5D jmp 004017B4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040174C(C)
|
:00401757 6801030000 push 00000301
* Possible StringData Ref from Data Obj ->"D:/ELIB/conf/serial"
|
:0040175C 6850304000 push 00403050
* Reference To: MSVCRT._open, Ord:0187h
|
:00401761 FF15F0214000 Call dword ptr [004021F0]
:00401767 8BF0 mov esi, eax
:00401769 83C408 add esp, 00000008
:0040176C 83FEFF cmp esi, FFFFFFFF
:0040176F 7509 jne 0040177A
:00401771 53 push ebx
:00401772 53 push ebx
* Possible StringData Ref from Data Obj ->"错误：注册系统失败"
|
:00401773 6898304000 push 00403098
:00401778 EB3A jmp 004017B4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040176F(C)
|
:0040177A 6A1D push 0000001D
:0040177C 53 push ebx
:0040177D 8D4C2414 lea ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:0B63, Ord:0B63h
|
:00401781 E83C030000 Call 00401AC2
:00401786 50 push eax
:00401787 56 push esi
* Reference To: MSVCRT._write, Ord:0217h
|
:00401788 FF1500224000 Call dword ptr [00402200]
:0040178E 56 push esi
* Reference To: MSVCRT._close, Ord:00B3h
|
:0040178F FF1508224000 Call dword ptr [00402208]
:00401795 83C410 add esp, 00000010
:00401798 53 push ebx
:00401799 53 push ebx
* Possible StringData Ref from Data Obj ->"注册系统成功"
|
:0040179A 6888304000 push 00403088
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:0040179F E818030000 Call 00401ABC
:004017A4 8BCF mov ecx, edi
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
|
:004017A6 E80B030000 Call 00401AB6
:004017AB EB0C jmp 004017B9
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401703(C), :0040170C(C)
|
:004017AD 53 push ebx
:004017AE 53 push ebx
* Possible StringData Ref from Data Obj ->"错误：请输入有效的序列号"
|
:004017AF 686C304000 push 0040306C

复制代码

wan · 发表于 2007-1-31 11:47:41

明码比较...

wan · 发表于 2007-1-31 11:58:10

00401741    FF15 EC214000 call dword ptr ds:[<&MSVCRT._mbs>; msvcrt._mbscmp  //明码
00401747    83C4 14       add esp,14
0040174A    85C0          test eax,eax
0040174C    74 09          je short register.00401757

文件不完整~~~做了个内存注册机见附件

pygbian · 发表于 2007-1-31 12:30:22

对楼上的补充,怀疑原程序被修改过!
具体如下:
00401701 .  3BC3       CMP EAX,EBX
00401703 .  0F84 A4000000 JE register.004017AD
00401709 .  83F8 1D    CMP EAX,1D                            ;  看是不是29位！是就继续，不是就跳到004017AD
0040170C .  0F8C 9B000000 JL register.004017AD
00401712 .  8B15 9C314000 MOV EDX,DWORD PTR DS:[40319C]
00401718 .  A1 A0314000 MOV EAX,DWORD PTR DS:[4031A0]
0040171D .  52          PUSH EDX
0040171E .  50          PUSH EAX
0040171F .  E8 1CFCFFFF CALL register.00401340
00401724 .  83C4 08    ADD ESP,8                               ;  寄存器出现一组注册码！
00401727 .  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
0040172B .  50          PUSH EAX                               ;  还是上面的注册码，怀疑可能是真码！
0040172C .  68 C0304000 PUSH register.004030C0                ;  %s
00401731 .  51          PUSH ECX
00401732 .  E8 5B030000 CALL <JMP.&MFC42.#2818>
00401737 .  8B5424 18    MOV EDX,DWORD PTR SS:[ESP+18]
0040173B .  8B4424 1C    MOV EAX,DWORD PTR SS:[ESP+1C]          ;  此处寄存器显示和我们的输入的注册码比较！
0040173F .  52          PUSH EDX                               ; /s2
00401740 .  50          PUSH EAX                               ; |s1
00401741 .  FF15 EC214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
00401747 .  83C4 14    ADD ESP,14
0040174A .  85C0       TEST EAX,EAX
0040174C .  74 09       JE SHORT register.00401757
0040174E .  53          PUSH EBX
0040174F .  53          PUSH EBX
00401750 .  68 AC304000 PUSH register.004030AC                ;  错误：无效的注册码
00401755 .  EB 5D       JMP SHORT register.004017B4
00401757 >  68 01030000 PUSH 301                               ; |access = O_WRONLY|O_CREAT|O_TRUNC|SH_COMPAT0
0040175C .  68 50304000 PUSH register.00403050                ; |d:/elib/conf/serial
00401761 .  FF15 F0214000 CALL DWORD PTR DS:[<&MSVCRT._open>]    ; \_open
00401767 .  8BF0       MOV ESI,EAX
00401769 .  83C4 08    ADD ESP,8
0040176C .  83FE FF    CMP ESI,-1
0040176F    75 09       JNZ SHORT register.0040177A
00401771 .  53          PUSH EBX
00401772 .  53          PUSH EBX
00401773 .  68 98304000 PUSH register.00403098                ;  错误：注册系统失败
00401778    EB 3A       JMP SHORT register.004017B4
0040177A >  6A 1D       PUSH 1D
0040177C .  53          PUSH EBX
0040177D .  8D4C24 14    LEA ECX,DWORD PTR SS:[ESP+14]
00401781 .  E8 3C030000 CALL <JMP.&MFC42.#2915>
00401786 .  50          PUSH EAX                               ; |buf
00401787 .  56          PUSH ESI                               ; |handle
00401788 .  FF15 00224000 CALL DWORD PTR DS:[<&MSVCRT._write>]    ; \_write
0040178E .  56          PUSH ESI                               ; /handle
0040178F .  FF15 08224000 CALL DWORD PTR DS:[<&MSVCRT._close>]    ; \_close
00401795 .  83C4 10    ADD ESP,10
00401798 .  53          PUSH EBX
00401799 .  53          PUSH EBX
0040179A .  68 88304000 PUSH register.00403088                ;  注册系统成功
0040179F .  E8 18030000 CALL <JMP.&MFC42.#1200>
004017A4 .  8BCF       MOV ECX,EDI
004017A6 .  E8 0B030000 CALL <JMP.&MFC42.#4853>
004017AB .  EB 0C       JMP SHORT register.004017B9
004017AD >  53          PUSH EBX
004017AE .  53          PUSH EBX
004017AF .  68 6C304000 PUSH register.0040306C                ;  错误：请输入有效的序列号
004017B4 >  E8 03030000 CALL <JMP.&MFC42.#1200>
004017B9 >  8D4C24 10    LEA ECX,DWORD PTR SS:[ESP+10]
004017BD .  885C24 1C    MOV BYTE PTR SS:[ESP+1C],BL
004017C1 .  E8 BA020000 CALL <JMP.&MFC42.#800>
004017C6 .  8D4C24 0C    LEA ECX,DWORD PTR SS:[ESP+C]
004017CA .  C74424 1C FFF>MOV DWORD PTR SS:[ESP+1C],-1
004017D2 .  E8 A9020000 CALL <JMP.&MFC42.#800>
004017D7 .  8B4C24 14    MOV ECX,DWORD PTR SS:[ESP+14]
004017DB .  5F          POP EDI
004017DC .  5E          POP ESI
004017DD .  5B          POP EBX
004017DE .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
004017E5 .  83C4 14    ADD ESP,14
004017E8 .  C3          RETN

++++++++++++++++++++++++++++++++++++
以上是简单分析,不对的地方请老大们指教,猫也不给评作业,这两天只能自学了!呵呵
以下这行代码怀疑被修改过:(楼上的可以测试一下,你的注册机填入注册码,肯定不能注册成功)
0040176F    75 09       JNZ SHORT register.0040177A //应该为:JZ SHORT register.0040177A

4755 · 发表于 2007-1-31 14:27:25

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401703(C), :0040170C(C) //////错误是从这两个地方跳转来的
|
:004017AD 53 push ebx
:004017AE 53 push ebx
* Possible StringData Ref from Data Obj ->"错误：请输入有效的序列号"
|
:004017AF 686C304000 push 0040306C

复制代码

好我们到00401703(C),看看：

* Reference To: MFC42.Ordinal:0F22, Ord:0F22h
|
:004016F5 E8CE030000 Call 00401AC8 //关键call
:004016FA 8B4C240C mov ecx, dword ptr [esp+0C]
:004016FE 8B41F8 mov eax, dword ptr [ecx-08]
:00401701 3BC3 cmp eax, ebx
:00401703 0F84A4000000 je 004017AD
:00401709 83F81D cmp eax, 0000001D
:0040170C 0F8C9B000000 jl 004017AD
:00401712 8B159C314000 mov edx, dword ptr [0040319C]
:00401718 A1A0314000 mov eax, dword ptr [004031A0]
:0040171D 52 push edx
:0040171E 50 push eax
:0040171F E81CFCFFFF call 00401340 //高手们，这里也有一个Call,
//0040153C等地方都调用过它，我就是从这里开始突破的
:00401724 83C408 add esp, 00000008
:00401727 8D4C2410 lea ecx, dword ptr [esp+10]
:0040172B 50 push eax

复制代码

去看看这个call 00401340

* Referenced by a CALL at Addresses:
|:0040153C , :0040171F
|
:00401340 83EC5C sub esp, 0000005C
:00401343 B906000000 mov ecx, 00000006
:00401348 33C0 xor eax, eax
:0040134A 53 push ebx
:0040134B 55 push ebp
:0040134C 56 push esi
:0040134D 57 push edi
* Possible StringData Ref from Data Obj ->"HUAYUITDRNIARMOIDEMLAGOMG"
|
:0040134E BE34304000 mov esi, 00403034
:00401353 8D7C2410 lea edi, dword ptr [esp+10]
:00401357 F3 repz
:00401358 A5 movsd
:00401359 66A5 movsw
:0040135B B907000000 mov ecx, 00000007
:00401360 8D7C242C lea edi, dword ptr [esp+2C]
:00401364 F3 repz
:00401365 AB stosd
:00401366 66AB stosw
:00401368 B907000000 mov ecx, 00000007
:0040136D 33C0 xor eax, eax
:0040136F 8D7C244C lea edi, dword ptr [esp+4C]
:00401373 8D5C244C lea ebx, dword ptr [esp+4C]
:00401377 F3 repz
:00401378 AB stosd
:00401379 8B4C2470 mov ecx, dword ptr [esp+70]
:0040137D 8D6C242C lea ebp, dword ptr [esp+2C]
:00401381 66AB stosw
:00401383 8B442474 mov eax, dword ptr [esp+74]
:00401387 8BD0 mov edx, eax
:00401389 2BD1 sub edx, ecx
:0040138B 03C8 add ecx, eax
:0040138D 52 push edx
:0040138E 51 push ecx
／／／／／／／／中间省掉
* Reference To: MSVCRT._strdup, Ord:01BFh
|
:00401411 FF150C224000 Call dword ptr [0040220C]
:00401417 83C404 add esp, 00000004
:0040141A 5F pop edi
:0040141B 5E pop esi
:0040141C 5D pop ebp
:0040141D 5B pop ebx
:0040141E 83C45C add esp, 0000005C
:00401421 C3 ret //我是新手，以上算法不清楚，但猜想这一定 //是注册码返回的地方

复制代码

接下用OD载入，在00401421处设置断点
注册码果然在寄存器窗口显示出来了.

4755 · 发表于 2007-1-31 14:31:04

谢谢各位了，学习了很多东东。/:D /:D

pygbian · 发表于 2007-1-31 15:14:33

呵呵,单个测试不成功,估计是程序不完整!楼主给的是程序的一部分!
wan的解答应该没错的,如果是单个程序,肯定是程序的问题的!

4755 · 发表于 2007-1-31 15:25:00

谁告诉我怎样写用刘健英注册机编写器生成一个另类注册机，主要是以下不知怎么填写

中断地址为"00401421"

[ 本帖最后由 4755 于 2007-1-31 15:37 编辑 ]

wan · 发表于 2007-1-31 16:25:22

我上面那个作修改内存的的设置

boxect · 发表于 2007-1-31 16:28:51

原帖由 4755 于 2007-1-31 14:27 发表

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401703(C), :0040170C(C) //////错误是从这两个地方跳转来的
|
:004017AD 53 push ebx
:004017AE ...

我为什么不成功阿？

		自动登录	找回密码
密码			加入我们

[求助] 第一次失败@第三次破解文件求助大家分析

本帖子中包含更多资源

相关帖子

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源