- UID
- 28352
注册时间2007-2-21
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 开心
2024-5-1 14:44 |
|---|
签到天数: 2 天 [LV.1]初来乍到
|
【作者主页】无
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】step1
【软件大小】
【原版下载】
【保护方式】注册码
【软件简介】
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
--------------------------------------------------------------------------------
*******************************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
"That's not correct"
*******************************************************************************
二、用PEiD对step1查壳,为 ASPack 1.06b / 1.061b -> Alexey Solodovnikov
*******************************************************************************
三、打开OD,用ESP定律脱壳
0040615F > 90 NOP ; //F8单步
00406160 75 00 JNZ SHORT step1.00406162
00406162 - E9 990E0100 JMP step1.00417000
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
00417000 60 PUSHAD ; //F8单步
00417001 E8 00000000 CALL step1.00417006 ; //下断点hr esp,F9运行
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0041704F - FFE0 JMP EAX ; //删除硬件断点,F8单步
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
00401000 /EB 10 JMP SHORT step1.00401012 ; //Dump
根据操作做个脚本
//============================================================
// FileName : ASPack 1.06b / 1.061b -> Alexey Solodovnikov
// Author : tianxj
// Email : tianxj_2007@126.com
// WebSite : https://www.chinapyg.com
// Date : 2008-01-11 1
//============================================================
var addr
sto
sto
sto
sto
mov addr,esp
bphws addr,"r"
run
bphwc addr
sto
cmt eip, " OEP :)! Found by tianxj!"
MSG "Script by tianxj,Thank you for using my Scripts!"
ret
*******************************************************************************
四、用PEiD对1000查壳, 无壳。Borland C++ 1999编写。
*******************************************************************************
五、运行OD,打开1000,右键—超级字串参考—查找ASCII.
发现"That's not correct"
00401150 /$ 55 PUSH EBP
00401151 |. 8BEC MOV EBP,ESP
00401153 |. 83C4 AC ADD ESP,-54
00401156 |. 53 PUSH EBX
00401157 |. 56 PUSH ESI
00401158 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0040115B |. 6A 19 PUSH 19 ; /Arg3 = 00000019
0040115D |. 6A 00 PUSH 0 ; |Arg2 = 00000000
0040115F |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C] ; |
00401162 |. 50 PUSH EAX ; |Arg1
00401163 |. E8 CC110000 CALL 1000.00402334 ; \1000.00402334
00401168 |. 83C4 0C ADD ESP,0C
0040116B |. 6A 19 PUSH 19 ; /Arg3 = 00000019
0040116D |. 6A 00 PUSH 0 ; |Arg2 = 00000000
0040116F |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38] ; |
00401172 |. 52 PUSH EDX ; |Arg1
00401173 |. E8 BC110000 CALL 1000.00402334 ; \1000.00402334
00401178 |. 83C4 0C ADD ESP,0C
0040117B |. 6A 19 PUSH 19 ; /Arg3 = 00000019
0040117D |. 6A 00 PUSH 0 ; |Arg2 = 00000000
0040117F |. 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00401182 |. 51 PUSH ECX ; |Arg1
00401183 |. E8 AC110000 CALL 1000.00402334 ; \1000.00402334
00401188 |. 83C4 0C ADD ESP,0C
0040118B |. 6A 65 PUSH 65 ; /ControlID = 65 (101.)
0040118D |. 56 PUSH ESI ; |hWnd
0040118E |. E8 5F900000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
00401193 |. 6A 19 PUSH 19 ; /Count = 19 (25.)
00401195 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C] ; |
00401198 |. 52 PUSH EDX ; |Buffer
00401199 |. 50 PUSH EAX ; |hWnd
0040119A |. E8 59900000 CALL <JMP.&user32.GetWindowTextA> ; \GetWindowTextA
0040119F |. 6A 66 PUSH 66 ; /ControlID = 66 (102.)
004011A1 |. 56 PUSH ESI ; |hWnd
004011A2 |. E8 4B900000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
004011A7 |. 6A 19 PUSH 19 ; /Count = 19 (25.)
004011A9 |. 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38] ; |
004011AC |. 51 PUSH ECX ; |Buffer
004011AD |. 50 PUSH EAX ; |hWnd
004011AE |. E8 45900000 CALL <JMP.&user32.GetWindowTextA> ; \//将注册码长度送入EAX
004011B3 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C] ; //将注册码送入EAX
004011B6 |. 50 PUSH EAX ; //将EAX压栈
004011B7 |. E8 A4120000 CALL 1000.00402460 ; //将用户名长度送入EAX,将用户名送入ECX
004011BC |. 59 POP ECX
004011BD |. 8BC8 MOV ECX,EAX ; //将用户名长度送入ECX
004011BF |. 83F9 04 CMP ECX,4 ; //将用户名长度与4比较
004011C2 |. 7D 14 JGE SHORT 1000.004011D8 ; //若大于等于则跳
004011C4 |. 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011C6 |. 68 7CB14000 PUSH 1000.0040B17C ; |Title = "ERROR"
004011CB |. 68 4CB14000 PUSH 1000.0040B14C ; |Text = "Your name must contain at least 4 characters!
"
004011D0 |. 56 PUSH ESI ; |hOwner
004011D1 |. E8 28900000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004011D6 |. EB 67 JMP SHORT 1000.0040123F
004011D8 |> 33D2 XOR EDX,EDX ; //将EDX清零
004011DA |. 33C0 XOR EAX,EAX ; //将EAX清零
004011DC |. 3BC8 CMP ECX,EAX ; //将用户名长度与0比较
004011DE |. 7E 0D JLE SHORT 1000.004011ED ; //若小于等于则跳
004011E0 |> 33DB /XOR EBX,EBX ; //将EBX清零
004011E2 |. 8A5C05 E4 |MOV BL,BYTE PTR SS:[EBP+EAX-1C] ; //依次将用户名ASC码16进制送入BL
004011E6 |. 03D3 |ADD EDX,EBX ; //EDX=EDX+EBX
004011E8 |. 40 |INC EAX ; //EAX=EAX+1
004011E9 |. 3BC8 |CMP ECX,EAX ; //将用户名长度与EAX比较
004011EB |.^ 7F F3 \JG SHORT 1000.004011E0 ; //若大于则跳
004011ED |> 52 PUSH EDX ; ///用户名ASC码16进制累加值
004011EE |. 68 82B14000 PUSH 1000.0040B182 ; |Arg2 = 0040B182 ASCII "%d"
004011F3 |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54] ; |
004011F6 |. 50 PUSH EAX ; |Arg1
004011F7 |. E8 C0280000 CALL 1000.00403ABC ; \//用户名ASC码16进制累加值转10进制
004011FC |. 83C4 0C ADD ESP,0C
004011FF |. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54] ; //将真码送入EDX
00401202 |. 52 PUSH EDX
00401203 |. 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38] ; //将试练码送入ECX
00401206 |. 51 PUSH ECX
00401207 |. E8 08120000 CALL 1000.00402414 ; //比较CALL
0040120C |. 83C4 08 ADD ESP,8
0040120F 85C0 TEST EAX,EAX
00401211 |. 75 17 JNZ SHORT 1000.0040122A ; //关键跳转
00401213 |. 68 30000400 PUSH 40030 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL|40000
00401218 |. 68 CEB14000 PUSH 1000.0040B1CE ; |Title = "You Did It!"
0040121D |. 68 85B14000 PUSH 1000.0040B185 ; |Text = "Congradulations, you have figured out Step1
Step1 unlock code is: 17FF25"
00401222 |. 56 PUSH ESI ; |hOwner
00401223 |. E8 D68F0000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00401228 |. EB 15 JMP SHORT 1000.0040123F
0040122A |> 68 30000400 PUSH 40030 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL|40000
0040122F |. 68 EDB14000 PUSH 1000.0040B1ED ; |Title = "Wrong!"
00401234 |. 68 DAB14000 PUSH 1000.0040B1DA ; |Text = "That's not correct"
00401239 |. 56 PUSH ESI ; |hOwner
0040123A |. E8 BF8F0000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040123F |> 5E POP ESI
00401240 |. 5B POP EBX
00401241 |. 8BE5 MOV ESP,EBP
00401243 |. 5D POP EBP
00401244 \. C3 RETN
*******************************************************************************
【破解总结】
没有什么总结的
--------------------------------------------------------------------------------
【算法总结】
将用户名ASC码相加即为注册码
--------------------------------------------------------------------------------
【算法注册机】
KeyGen.rek
.const
.data
szHomePage db "https://www.chinapyg.com",0
szEmail db "mailto:tianxj_2007@126.com",0
szErrMess db "请输入用户名!",0
szErr db "用户名至少4个字符!",0
szBuffer db 50 dup (0)
szFMT db "%d",0
.code
mov esi,eax
invoke lstrlen,esi
mov ecx,eax
MOV ECX,EAX
CMP ECX,4
JGE n1
Err:
lea eax,szErr
jmp n0
n1:
XOR EDX,EDX
XOR EAX,EAX
n2:
XOR EBX,EBX
MOV BL,BYTE PTR SS:[esi+eax]
ADD EDX,EBX
INC EAX
CMP ECX,EAX
JG n2
invoke wsprintf,addr szBuffer,addr szFMT,edx
lea eax,szBuffer
n0:
--------------------------------------------------------------------------------
【内存注册机】
中断地址 401207
中断次数 1
第一字节 E8
指令长度 5
内存方式-寄存器-EDX
--------------------------------------------------------------------------------
【爆破地址】
00401211 |. 75 17 JNZ SHORT 1000.0040122A
将JNZ改为JE
--------------------------------------------------------------------------------
【注册信息】
用户名:abcdef
注册码:597
--------------------------------------------------------------------------------
希望以后可以在猫老大和PYG 5.4Cracker学习小组的帮助下进一步提高自己。
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及所有帮助过我的论坛兄弟姐妹们!谢谢
--------------------------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! |
|
IP卡
发表于 2008-1-14 12:24:25
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2008-1-14 13:19:45
发表于 2008-5-8 12:40:29
发表于 2008-5-8 13:31:10
