- UID
- 2446
注册时间2005-7-21
阅读权限40
最后登录1970-1-1
独步武林
 
该用户从未签到
|
文章标题:中国龙历 4.10 破解分析
破解作者:风球[PYG]
破解工具:PEID,OD
下载地址:http://www.onlinedown.net/soft/44341.htm
软件简介:本软件涉及到您工作和生活中多方面的内容需求,拥有从时间日历、电脑系统、游戏娱乐、工作管理到网络操作等十几种相关功能,能给您的工作和生活带来秘书级服务。
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
很久没玩过破解了,今天就拿了几个简单的软件来练练手吧```哈```恐怕以后都会很少时间来上网了
PEID查壳为PECompact 2.x -> Jeremy Collake,手动脱壳,OD载入来到
00401000 > B8 F8AE5D00 mov eax,CNlongly.005DAEF8
00401005 50 push eax
00401006 64:FF35 0000000>push dword ptr fs:[0]
0040100D 64:8925 0000000>mov dword ptr fs:[0],esp ; 单步到这里使用ESP定律
00401014 33C0 xor eax,eax
00401016 8908 mov dword ptr ds:[eax],ecx
然后命令行下断 HR ESP ,F9运行中断,清除硬件断点,往下拉来到
005DAFC3 5B pop ebx
005DAFC4 5D pop ebp
005DAFC5 FFE0 jmp eax ; 运行到所选,再单步来到,原来是双层壳
005D1001 60 pushad
005D1002 E8 03000000 call CNlongly.005D100A ; 单步来到这里到使用ESP定律即可来到OEP
005D1007 - E9 EB045D45 jmp 45BA14F7
005D100C 55 push ebp
005D100D C3 retn
来到OEP知道原来是个VB程序,直接脱壳。。。
00409F58 68 90C14000 push CNlongly.0040C190 ; ASCII "VB5!6&vb6chs.dll"
00409F5D E8 EEFFFFFF call CNlongly.00409F50 ; jmp to msvbvm60.ThunRTMain
至此脱壳完成,下面进行算法分析部分。。。
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
004EEF41 55 push ebp
004EEF42 8BEC mov ebp,esp
004EEF44 83EC 18 sub esp,18
004EEF47 68 769A4000 push <jmp.&msvbvm60.__vbaExceptHandler>
'''删去部分无关非重要代码'''
004EEFA9 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
004EEFB0 C745 88 0400000>mov dword ptr ss:[ebp-78],4
004EEFB7 C745 80 0200000>mov dword ptr ss:[ebp-80],2
004EEFBE 8B45 08 mov eax,dword ptr ss:[ebp+8]
004EEFC1 83C0 34 add eax,34
004EEFC4 8985 A8FEFFFF mov dword ptr ss:[ebp-158],eax
004EEFCA C785 A0FEFFFF 0>mov dword ptr ss:[ebp-160],4008
004EEFD4 8D45 80 lea eax,dword ptr ss:[ebp-80]
004EEFD7 50 push eax
004EEFD8 6A 09 push 9
004EEFDA 8D85 A0FEFFFF lea eax,dword ptr ss:[ebp-160]
004EEFE0 50 push eax
004EEFE1 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004EEFE7 50 push eax
004EEFE8 E8 0FACF1FF call <jmp.&msvbvm60.rtcMidCharVar> ; 相当于Mid(字符,9,4)
004EEFED 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004EEFF3 50 push eax
004EEFF4 8D45 BC lea eax,dword ptr ss:[ebp-44]
004EEFF7 50 push eax
004EEFF8 E8 A7ACF1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EEFFD 50 push eax ; 得到(UNICODE "1572")
004EEFFE E8 0DADF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF003 DD9D 40FEFFFF fstp qword ptr ss:[ebp-1C0] ; st=1572.0000000000000000
004EF009 0FBF05 64B05B00 movsx eax,word ptr ds:[5BB064]
004EF010 8985 1CFEFFFF mov dword ptr ss:[ebp-1E4],eax
004EF016 83BD 1CFEFFFF 0>cmp dword ptr ss:[ebp-1E4],0D
004EF01D 73 09 jnb short 5.004EF028
004EF01F 83A5 CCFDFFFF 0>and dword ptr ss:[ebp-234],0
004EF026 EB 0B jmp short 5.004EF033
004EF028 E8 59ACF1FF call <jmp.&msvbvm60.__vbaGenerateBoundsError>
004EF02D 8985 CCFDFFFF mov dword ptr ss:[ebp-234],eax
004EF033 8B85 1CFEFFFF mov eax,dword ptr ss:[ebp-1E4]
004EF039 8B0D 78B05B00 mov ecx,dword ptr ds:[5BB078]
004EF03F 0FBF0441 movsx eax,word ptr ds:[ecx+eax*2]
004EF043 8985 C8FDFFFF mov dword ptr ss:[ebp-238],eax
004EF049 DB85 C8FDFFFF fild dword ptr ss:[ebp-238] ; 固定数值s:[0012F230]=000000A5 (十进制 165.)
004EF04F DD9D C0FDFFFF fstp qword ptr ss:[ebp-240] ; st=165.00000000000000000
004EF055 DD85 40FEFFFF fld qword ptr ss:[ebp-1C0]
004EF05B DC8D C0FDFFFF fmul qword ptr ss:[ebp-240] ; 相乘1572*165
004EF061 DFE0 fstsw ax
004EF063 A8 0D test al,0D
004EF065 0F85 522F0000 jnz 5.004F1FBD
004EF06B 51 push ecx
004EF06C 51 push ecx
004EF06D DD1C24 fstp qword ptr ss:[esp] ; 结果st=259380.00000000000000
004EF070 E8 1DACF1FF call <jmp.&msvbvm60.__vbaStrR8>
004EF075 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax ; (UNICODE "259380")
004EF07B C785 60FFFFFF 0>mov dword ptr ss:[ebp-A0],8
004EF085 6A 04 push 4
004EF087 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
004EF08D 50 push eax
004EF08E 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
004EF094 50 push eax
004EF095 E8 A4ABF1FF call <jmp.&msvbvm60.rtcRightCharVar> ; 相当于Right(字符,4)
004EF09A 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
004EF0A0 50 push eax
004EF0A1 E8 3EABF1FF call <jmp.&msvbvm60.__vbaStrVarMove>
004EF0A6 8BD0 mov edx,eax ; 得到第一段注册码(UNICODE "9380")
'''删去部分无关非重要代码'''
004EF0DB C745 FC 0400000>mov dword ptr ss:[ebp-4],4
004EF0E2 C745 88 0400000>mov dword ptr ss:[ebp-78],4
004EF0E9 C745 80 0200000>mov dword ptr ss:[ebp-80],2
004EF0F0 8B45 08 mov eax,dword ptr ss:[ebp+8]
004EF0F3 83C0 34 add eax,34
004EF0F6 8985 A8FEFFFF mov dword ptr ss:[ebp-158],eax
004EF0FC C785 A0FEFFFF 0>mov dword ptr ss:[ebp-160],4008
004EF106 8D45 80 lea eax,dword ptr ss:[ebp-80]
004EF109 50 push eax
004EF10A 6A 05 push 5
004EF10C 8D85 A0FEFFFF lea eax,dword ptr ss:[ebp-160]
004EF112 50 push eax
004EF113 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004EF119 50 push eax
004EF11A E8 DDAAF1FF call <jmp.&msvbvm60.rtcMidCharVar> ; 相当于Mid(字符,5,4)
004EF11F 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004EF125 50 push eax
004EF126 8D45 BC lea eax,dword ptr ss:[ebp-44]
004EF129 50 push eax
004EF12A E8 75ABF1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF12F 50 push eax ; 得到(UNICODE "9809")
004EF130 E8 DBABF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF135 DD9D 40FEFFFF fstp qword ptr ss:[ebp-1C0] ; st=9809.0000000000000000
'''删去部分无关非重要代码'''
004EF142 8B00 mov eax,dword ptr ds:[eax]
004EF24B E8 C0AAF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF250 DD9D 28FEFFFF fstp qword ptr ss:[ebp-1D8]
004EF256 DD85 40FEFFFF fld qword ptr ss:[ebp-1C0] ; ss:[0012F2A8]=9809.000000000000
004EF25C DC0D C03A4000 fmul qword ptr ds:[403AC0] ; 固定数值ds:[00403AC0]=772.0000000000000
004EF262 DFE0 fstsw ax ; 上面相乘9809*772
004EF264 A8 0D test al,0D
004EF266 0F85 512D0000 jnz 5.004F1FBD
004EF26C 51 push ecx
004EF26D 51 push ecx
004EF26E DD1C24 fstp qword ptr ss:[esp] ; 结果st=7572548.0000000000000
004EF271 E8 1CAAF1FF call <jmp.&msvbvm60.__vbaStrR8>
004EF276 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax ; (UNICODE "7572548")
004EF27C C785 60FFFFFF 0>mov dword ptr ss:[ebp-A0],8
004EF286 6A 04 push 4
004EF288 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
004EF28E 50 push eax
004EF28F 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
004EF295 50 push eax
004EF296 E8 A3A9F1FF call <jmp.&msvbvm60.rtcRightCharVar> ; 相当于Right(字符,4)
004EF29B 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
004EF2A1 50 push eax
004EF2A2 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004EF2A5 50 push eax
004EF2A6 E8 F9A9F1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF2AB 50 push eax ; 得到第二段注册码(UNICODE "2548")
004EF2AC E8 5FAAF1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
'''删去部分无关非重要代码'''
004EF391 C745 FC 0500000>mov dword ptr ss:[ebp-4],5
004EF398 C745 88 0400000>mov dword ptr ss:[ebp-78],4
004EF39F C745 80 0200000>mov dword ptr ss:[ebp-80],2
004EF3A6 8B45 08 mov eax,dword ptr ss:[ebp+8]
004EF3A9 83C0 34 add eax,34
004EF3AC 8985 A8FEFFFF mov dword ptr ss:[ebp-158],eax
004EF3B2 C785 A0FEFFFF 0>mov dword ptr ss:[ebp-160],4008
004EF3BC 8D45 80 lea eax,dword ptr ss:[ebp-80]
004EF3BF 50 push eax
004EF3C0 6A 01 push 1
004EF3C2 8D85 A0FEFFFF lea eax,dword ptr ss:[ebp-160]
004EF3C8 50 push eax
004EF3C9 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004EF3CF 50 push eax
004EF3D0 E8 27A8F1FF call <jmp.&msvbvm60.rtcMidCharVar> ; 相当于Mid(字符,1,4)
004EF3D5 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
004EF3DB 50 push eax
004EF3DC 8D45 BC lea eax,dword ptr ss:[ebp-44]
004EF3DF 50 push eax
004EF3E0 E8 BFA8F1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF3E5 50 push eax ; 得到(UNICODE "6802")
'''删去部分无关非重要代码'''
004EF56C E8 9FA7F1FF call <jmp.&msvbvm60.rtcR8ValFromBstr>
004EF571 DD9D 20FEFFFF fstp qword ptr ss:[ebp-1E0]
004EF577 DD85 40FEFFFF fld qword ptr ss:[ebp-1C0] ; 堆栈 ss:[0012F2A8]=6802.000000000000
004EF57D DC0D B03A4000 fmul qword ptr ds:[403AB0] ; 相乘,乘以固定数值369
004EF583 DFE0 fstsw ax
004EF585 A8 0D test al,0D
004EF587 0F85 302A0000 jnz 5.004F1FBD
004EF58D 51 push ecx
004EF58E 51 push ecx
004EF58F DD1C24 fstp qword ptr ss:[esp] ; 结果st=2509938.0000000000000
004EF592 E8 FBA6F1FF call <jmp.&msvbvm60.__vbaStrR8>
004EF597 8985 68FFFFFF mov dword ptr ss:[ebp-98],eax ; (UNICODE "2509938")
004EF59D C785 60FFFFFF 0>mov dword ptr ss:[ebp-A0],8
004EF5A7 6A 04 push 4
004EF5A9 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
004EF5AF 50 push eax
004EF5B0 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
004EF5B6 50 push eax
004EF5B7 E8 82A6F1FF call <jmp.&msvbvm60.rtcRightCharVar> ; 相当于Right(字符,4)
004EF5BC 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
004EF5C2 50 push eax
004EF5C3 8D45 B8 lea eax,dword ptr ss:[ebp-48]
004EF5C6 50 push eax
004EF5C7 E8 D8A6F1FF call <jmp.&msvbvm60.__vbaStrVarVal>
004EF5CC 50 push eax ; 得到第三段注册码(UNICODE "9938")
'''删去部分无关非重要代码'''
'''下面是三段注册码的比较,真假码的比较'''
004EF934 FF75 BC push dword ptr ss:[ebp-44] ; (UNICODE "1111")
004EF937 FF75 C8 push dword ptr ss:[ebp-38] ; (UNICODE "9380")
004EF93A E8 A7A3F1FF call <jmp.&msvbvm60.__vbaStrCmp>
004EF93F 8BF0 mov esi,eax
004EF941 F7DE neg esi
004EF943 1BF6 sbb esi,esi
004EF945 46 inc esi
004EF946 F7DE neg esi
004EF948 FF75 B8 push dword ptr ss:[ebp-48] ; (UNICODE "2222")
004EF94B FF75 C4 push dword ptr ss:[ebp-3C] ; (UNICODE "2548")
004EF94E E8 93A3F1FF call <jmp.&msvbvm60.__vbaStrCmp>
004EF953 F7D8 neg eax
004EF955 1BC0 sbb eax,eax
004EF957 40 inc eax
004EF958 F7D8 neg eax
004EF95A 66:23F0 and si,ax
004EF95D FF75 B4 push dword ptr ss:[ebp-4C] ; (UNICODE "3333")
004EF960 FF75 C0 push dword ptr ss:[ebp-40] ; (UNICODE "9938")
004EF963 E8 7EA3F1FF call <jmp.&msvbvm60.__vbaStrCmp>
'''删去部分无关非重要代码'''
004EF9A9 E8 32A3F1FF call <jmp.&msvbvm60.__vbaFreeObjList>
004EF9AE 83C4 1C add esp,1C
004EF9B1 0FBF85 ECFDFFFF movsx eax,word ptr ss:[ebp-214]
004EF9B8 85C0 test eax,eax
004EF9BA 0F84 D6200000 je 5.004F1A96 ; 跳则OVER,NOP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
破解总结:明码比较,算法简单,乘法的运算。下面是VB的算法注册机源码:
Private Sub Command1_Click()
temp = Right(Text1.Text, 12) 'Text1.Text为申请码,Text2.Text为序列号
sn1 = Val(Mid(temp, 9, 4)) * 165
sn2 = Val(Mid(temp, 5, 4)) * 772
sn3 = Val(Mid(temp, 1, 4)) * 369
Text2.Text = Right(sn1, 4) & "-" & Right(sn2, 4) & "-" & Right(sn3, 4)
End Sub
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
IP卡
发表于 2006-2-22 15:31:40
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2006-2-22 21:54:22
发表于 2006-2-22 22:51:02
发表于 2006-2-23 21:33:22