这个软件也是公司前几年购买的1个软件 有自动排班功能之类的,软件本身免费,但有些小功能需要收费,最近正好看到,于是拿来练练手,完美破解了,有条件的可以测试下,软件本身没有修改1个字节,追踪出正确的注册码!
废话不多说,开始记录破解过程:
1.首先去官网下载原版程序
http://www.cometgroup.com.cn/it/download_info.asp?nav=&Newid=158
2.安装完成 查壳为ASPack 2.12 -> Alexey Solodovnikov
3.脱掉吧 方法很多 脱了就成 程序为Borland Delphi 6.0 - 7.0所写
运行软件 软功能最多 机器码为DE252-3AB4F-4730A
4.开始破解之旅
(1)OD载入
程序入口点:一看代码就知道是Delphi 写的没错哦,那就开始吧
00941D94 >/$ 55 push ebp
00941D95 |. 8BEC mov ebp, esp
00941D97 |. B9 05000000 mov ecx, 5
00941D9C |> 6A 00 /push 0
00941D9E |. 6A 00 |push 0
00941DA0 |. 49 |dec ecx
00941DA1 |.^ 75 F9 \jnz short 00941D9C
00941DA3 |. 51 push ecx
00941DA4 |. B8 BC0D9400 mov eax, 00940DBC
00941DA9 |. E8 7E5CACFF call 00407A2C
00941DAE |. 33C0 xor eax, eax
00941DB0 |. 55 push ebp
00941DB1 |. 68 391F9400 push 00941F39
00941DB6 |. 64:FF30 push dword ptr fs:[eax]
00941DB9 |. 64:8920 mov dword ptr fs:[eax], esp
00941DBC |. 6A 00 push 0 ; /Title = NULL
00941DBE |. 68 481F9400 push 00941F48 ; |CM_AMS
00941DC3 |. E8 5C6BACFF call <jmp.&user32.FindWindowA> ; \FindWindowA
00941DC8 |. 85C0 test eax, eax
00941DCA |. 76 14 jbe short 00941DE0
用回溯的方法找到关键代码的地方
这里很明显关键代码如下
0084842C /. 55 push ebp 这里下断,接着开始分析
0084842D |. 8BEC mov ebp, esp
0084842F |. B9 07000000 mov ecx, 7
00848434 |> 6A 00 /push 0
00848436 |. 6A 00 |push 0
00848438 |. 49 |dec ecx
00848439 |.^ 75 F9 \jnz short 00848434
0084843B |. 51 push ecx
0084843C |. 53 push ebx
0084843D |. 56 push esi
0084843E |. 57 push edi
0084843F |. 8BD8 mov ebx, eax
00848441 |. 33C0 xor eax, eax
00848443 |. 55 push ebp
00848444 |. 68 F3868400 push 008486F3
00848449 |. 64:FF30 push dword ptr fs:[eax]
0084844C |. 64:8920 mov dword ptr fs:[eax], esp
0084844F |. 8BC3 mov eax, ebx
00848451 |. E8 CAFEFFFF call 00848320
00848456 |. 8B83 38030000 mov eax, dword ptr [ebx+338]
0084845C |. E8 9BCECBFF call 005052FC
00848461 |. 8B10 mov edx, dword ptr [eax]
00848463 |. FF52 14 call dword ptr [edx+14]
00848466 |. 8BF8 mov edi, eax
00848468 |. 4F dec edi
00848469 |. 85FF test edi, edi
0084846B |. 7C 38 jl short 008484A5
0084846D |. 47 inc edi
0084846E |. 33F6 xor esi, esi
00848470 |> 8BD6 /mov edx, esi
00848472 |. 8B83 38030000 |mov eax, dword ptr [ebx+338]
00848478 |. E8 0FCACBFF |call 00504E8C
0084847D |. 84C0 |test al, al
0084847F |. 74 20 |je short 008484A1
00848481 |. 8B83 38030000 |mov eax, dword ptr [ebx+338]
00848487 |. E8 70CECBFF |call 005052FC
0084848C |. 8D4D F8 |lea ecx, dword ptr [ebp-8]
0084848F |. 8BD6 |mov edx, esi
00848491 |. E8 92BDBDFF |call 00424228
00848496 |. 8B55 F8 |mov edx, dword ptr [ebp-8]
00848499 |. 8D45 FC |lea eax, dword ptr [ebp-4]
0084849C |. E8 0BD0BBFF |call 004054AC
008484A1 |> 46 |inc esi
008484A2 |. 4F |dec edi
008484A3 |.^ 75 CB \jnz short 00848470
008484A5 |> 8D55 F4 lea edx, dword ptr [ebp-C]
008484A8 |. 8B83 34030000 mov eax, dword ptr [ebx+334]
008484AE |. E8 0D61C4FF call 0048E5C0
008484B3 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 到这里开始出现我们填写的假码
008484B6 |. 50 push eax
008484B7 |. 8D55 F0 lea edx, dword ptr [ebp-10]
008484BA |. 8B83 30030000 mov eax, dword ptr [ebx+330]
008484C0 |. E8 FB60C4FF call 0048E5C0 跟进这里可以出机器码的算法
008484C5 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; 这里出机器码
008484C8 |. 50 push eax
008484C9 |. E8 9E65E7FF call <jmp.&cm.SalaryRegChkStr> 很明显这里下面判断是否注册成功的关键地方 我们要跟进分析
008484CE |. 84C0 test al, al
008484D0 0F84 74010000 je 0084864A ; 此跳转跳到错误 我们不能让他跳(爆破点)
008484D6 |. 68 0C878400 push 0084870C ; UPDATE SysInfo SET
008484DB |. A1 60D69400 mov eax, dword ptr [94D660]
008484E0 |. FF30 push dword ptr [eax]
008484E2 |. 68 28878400 push 00848728 ; ='
008484E7 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
008484EA |. E8 A998E7FF call 006C1D98
008484EF |. 8B45 E4 mov eax, dword ptr [ebp-1C]
008484F2 |. E8 0146EBFF call 006FCAF8
008484F7 |. 83C4 F8 add esp, -8
008484FA |. DD1C24 fstp qword ptr [esp]
008484FD |. 9B wait
008484FE |. 8D55 E8 lea edx, dword ptr [ebp-18]
00848501 |. B8 34878400 mov eax, 00848734 ; YYMMDD
00848506 |. E8 7565BCFF call 0040EA80
0084850B |. FF75 E8 push dword ptr [ebp-18]
0084850E |. 68 44878400 push 00848744 ; ' WHERE SysName='SysRegDate'
00848513 |. 8D45 EC lea eax, dword ptr [ebp-14]
00848516 |. BA 05000000 mov edx, 5
0084851B |. E8 44D0BBFF call 00405564
00848520 |. 8B45 EC mov eax, dword ptr [ebp-14]
00848523 |. B2 01 mov dl, 1
00848525 |. E8 1ADBE7FF call 006C6044
0084852A |. 68 0C878400 push 0084870C ; UPDATE SysInfo SET
0084852F |. A1 60D69400 mov eax, dword ptr [94D660]
00848534 |. FF30 push dword ptr [eax]
00848536 |. 68 28878400 push 00848728 ; ='
0084853B |. 8D55 DC lea edx, dword ptr [ebp-24]
0084853E |. 8B83 34030000 mov eax, dword ptr [ebx+334]
00848544 |. E8 7760C4FF call 0048E5C0
00848549 |. FF75 DC push dword ptr [ebp-24]
0084854C |. 68 6C878400 push 0084876C ; ' WHERE SysName='SysReg'
00848551 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00848554 |. BA 05000000 mov edx, 5
00848559 |. E8 06D0BBFF call 00405564
0084855E |. 8B45 E0 mov eax, dword ptr [ebp-20]
00848561 |. B2 01 mov dl, 1
00848563 |. E8 DCDAE7FF call 006C6044
00848568 |. 68 0C878400 push 0084870C ; UPDATE SysInfo SET
0084856D |. A1 60D69400 mov eax, dword ptr [94D660]
00848572 |. FF30 push dword ptr [eax]
00848574 |. 68 28878400 push 00848728 ; ='
00848579 |. FF75 FC push dword ptr [ebp-4]
0084857C |. 68 90878400 push 00848790 ; ' WHERE SysName='SysSubSystem'
00848581 |. 8D45 D8 lea eax, dword ptr [ebp-28]
00848584 |. BA 05000000 mov edx, 5
00848589 |. E8 D6CFBBFF call 00405564
0084858E |. 8B45 D8 mov eax, dword ptr [ebp-28]
00848591 |. B2 01 mov dl, 1
00848593 |. E8 ACDAE7FF call 006C6044
00848598 |. 68 0C878400 push 0084870C ; UPDATE SysInfo SET
0084859D |. A1 60D69400 mov eax, dword ptr [94D660]
008485A2 |. FF30 push dword ptr [eax]
008485A4 |. 68 28878400 push 00848728 ; ='
008485A9 |. 8D55 D0 lea edx, dword ptr [ebp-30]
008485AC |. 8B83 30030000 mov eax, dword ptr [ebx+330]
008485B2 |. E8 0960C4FF call 0048E5C0
008485B7 |. FF75 D0 push dword ptr [ebp-30]
008485BA |. 68 B8878400 push 008487B8 ; '
008485BF |. 68 C4878400 push 008487C4 ; WHERE SysName='SysRegSerial'
008485C4 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
008485C7 |. BA 06000000 mov edx, 6
008485CC |. E8 93CFBBFF call 00405564
008485D1 |. 8B45 D4 mov eax, dword ptr [ebp-2C]
008485D4 |. B2 01 mov dl, 1
008485D6 |. E8 69DAE7FF call 006C6044
008485DB |. 8B55 FC mov edx, dword ptr [ebp-4]
008485DE |. B8 EC878400 mov eax, 008487EC ; RF001
008485E3 |. E8 00D2BBFF call 004057E8
008485E8 |. 85C0 test eax, eax
008485EA |. 7E 18 jle short 00848604
008485EC |. 8D45 CC lea eax, dword ptr [ebp-34]
008485EF |. 50 push eax
008485F0 |. B9 FC878400 mov ecx, 008487FC ; 1
008485F5 |. BA 08888400 mov edx, 00848808 ; FixShow
008485FA |. B8 18888400 mov eax, 00848818 ; System
008485FF |. E8 CC36EBFF call 006FBCD0
00848604 |> 8B55 FC mov edx, dword ptr [ebp-4]
00848607 |. B8 28888400 mov eax, 00848828 ; RF002
0084860C |. E8 D7D1BBFF call 004057E8
00848611 |. 85C0 test eax, eax
00848613 |. 7E 18 jle short 0084862D
00848615 |. 8D45 C8 lea eax, dword ptr [ebp-38]
00848618 |. 50 push eax
00848619 |. B9 FC878400 mov ecx, 008487FC ; 1
0084861E |. BA 38888400 mov edx, 00848838 ; FilterDept
00848623 |. B8 18888400 mov eax, 00848818 ; System
00848628 |. E8 A336EBFF call 006FBCD0
0084862D |> B8 4C888400 mov eax, 0084884C ; SysRegOK
00848632 |. E8 FD94E7FF call 006C1B34 ; 注册成功
00848637 |. C783 40030000>mov dword ptr [ebx+340], 1
00848641 |. 8BC3 mov eax, ebx
00848643 |. E8 1057C6FF call 004ADD58
00848648 |. EB 42 jmp short 0084868C
0084864A |> B8 60888400 mov eax, 00848860 ; RegCodeErr
0084864F |. E8 A095E7FF call 006C1BF4 ; ?
00848654 |. FF83 44030000 inc dword ptr [ebx+344]
0084865A |. 83BB 44030000>cmp dword ptr [ebx+344], 3
00848661 |. 7C 29 jl short 0084868C
00848663 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
00848666 |. 8B83 3C030000 mov eax, dword ptr [ebx+33C]
0084866C |. E8 4F5FC4FF call 0048E5C0
00848671 |. 8B45 C4 mov eax, dword ptr [ebp-3C]
00848674 |. E8 0F2BEBFF call 006FB188
00848679 |. 8BC3 mov eax, ebx
0084867B |. E8 D856C6FF call 004ADD58
00848680 |. A1 2CD39400 mov eax, dword ptr [94D32C]
00848685 |. 8B00 mov eax, dword ptr [eax]
00848687 |. E8 7496C6FF call 004B1D00
0084868C |> 33C0 xor eax, eax
0084868E |. 5A pop edx
0084868F |. 59 pop ecx
00848690 |. 59 pop ecx
00848691 |. 64:8910 mov dword ptr fs:[eax], edx
00848694 |. 68 FA868400 push 008486FA
00848699 |> 8D45 C4 lea eax, dword ptr [ebp-3C]
0084869C |. E8 43CBBBFF call 004051E4
008486A1 |. 8D45 C8 lea eax, dword ptr [ebp-38]
008486A4 |. BA 02000000 mov edx, 2
008486A9 |. E8 5ACBBBFF call 00405208
008486AE |. 8D45 D0 lea eax, dword ptr [ebp-30]
008486B1 |. E8 2ECBBBFF call 004051E4
008486B6 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
008486B9 |. BA 02000000 mov edx, 2
008486BE |. E8 45CBBBFF call 00405208
008486C3 |. 8D45 DC lea eax, dword ptr [ebp-24]
008486C6 |. E8 19CBBBFF call 004051E4
008486CB |. 8D45 E0 lea eax, dword ptr [ebp-20]
008486CE |. BA 04000000 mov edx, 4
008486D3 |. E8 30CBBBFF call 00405208
008486D8 |. 8D45 F0 lea eax, dword ptr [ebp-10]
008486DB |. BA 02000000 mov edx, 2
008486E0 |. E8 23CBBBFF call 00405208
008486E5 |. 8D45 F8 lea eax, dword ptr [ebp-8]
008486E8 |. BA 02000000 mov edx, 2
008486ED |. E8 16CBBBFF call 00405208
008486F2 \. C3 retn
跟进
006BEA6C $- FF25 245E9700 jmp dword ptr [<&cm.SalaryRegChkStr>] ; cm.SalaryRegChkStr
注册程序其实调用的是这个函数,从字面意思上也看得出来“RegChk”
此时看堆栈窗口,你会发现程序有2处地方调用该函数
006F1E0C, 008484C9
再发现00394468 (cm.SalaryRegChkStr) 也调用此函数,并且该地方为CM.DLL的领空
于是继续跟进,下断,到达
00394468 > 55 push ebp 接着我们继续分析
00394469 8BEC mov ebp, esp
0039446B 6A 00 push 0
0039446D 6A 00 push 0
0039446F 53 push ebx
00394470 8B45 08 mov eax, dword ptr [ebp+8]
00394473 E8 94FDFEFF call 0038420C
00394478 8B45 0C mov eax, dword ptr [ebp+C] ; 机器码
0039447B E8 8CFDFEFF call 0038420C
00394480 33C0 xor eax, eax
00394482 55 push ebp
00394483 68 E6443900 push 003944E6
00394488 64:FF30 push dword ptr fs:[eax]
0039448B 64:8920 mov dword ptr fs:[eax], esp
0039448E 8D55 FC lea edx, dword ptr [ebp-4]
00394491 8B45 08 mov eax, dword ptr [ebp+8] ; 再次出现机器码
00394494 E8 4F2AFFFF call 00386EE8 ; 机器码入EAX,比较机器码是否位数正确
00394499 837D FC 00 cmp dword ptr [ebp-4], 0
0039449D 75 04 jnz short 003944A3 ; 本身跳
0039449F 33DB xor ebx, ebx
003944A1 EB 1B jmp short 003944BE
003944A3 8B45 08 mov eax, dword ptr [ebp+8]
003944A6 50 push eax ; 机器码入EAX
003944A7 8D45 F8 lea eax, dword ptr [ebp-8]
003944AA 50 push eax
003944AB E8 B8F8FFFF call 00393D68 ; 跟进 关键 ,很明显这里是关键注册码算法的关键,会出一堆AS码,然后
开始拆分 共3组 有兴趣的可进行分析 算法注册机在这里完成
003944B0 8B55 F8 mov edx, dword ptr [ebp-8]
003944B3 8B45 0C mov eax, dword ptr [ebp+C] ; 假码在堆栈,真码在EDX 52E0F-B47F3-981E1
003944B6 E8 ADFCFEFF call 00384168 ; 跟进 关键点
003944BB 0F94C3 sete bl 改为SETNE bl
003944BE 33C0 xor eax, eax 这里为爆破点 改成OR EAX.EAX 即可完成爆破
003944C0 5A pop edx
003944C1 59 pop ecx
003944C2 59 pop ecx
003944C3 64:8910 mov dword ptr fs:[eax], edx
003944C6 68 ED443900 push 003944ED
003944CB 8D45 F8 lea eax, dword ptr [ebp-8]
003944CE BA 02000000 mov edx, 2
003944D3 E8 CCF8FEFF call 00383DA4
003944D8 8D45 08 lea eax, dword ptr [ebp+8]
003944DB BA 02000000 mov edx, 2
003944E0 E8 BFF8FEFF call 00383DA4
003944E5 C3 retn
003944E6 ^ E9 0DF2FEFF jmp 003836F8
003944EB ^ EB DE jmp short 003944CB
003944ED 8BC3 mov eax, ebx
003944EF 5B pop ebx
003944F0 59 pop ecx
003944F1 59 pop ecx
003944F2 5D pop ebp
003944F3 C2 0800 retn 8
好了既然找到了真码 那我们来试验1下
怎么样成功了吧?