Simple crack of a restart-based registration check

sunweidt posted on 2008-7-19 11:39
[Software name]: 文件万能大师 (FileKing)
[Size]: 511k
[Download]: http://shareware.skycn.com/
[Packer]: ASPack 2.12
[Protection]: registration code
[Language]: Borland Delphi 6.0 - 7.0
[Tools]: OllyDbg, PEiD
[Platform]: winxp
[Detailed process]
PEiD identifies the packer as ASPack 2.12 -> Alexey Solodovnikov.
Unpack it with the PEiD plugin; the program is written in Borland Delphi 6.0 - 7.0.
It also uses the DES encryption algorithm.
Enter username gonghui and registration code 123123123; it reports that registration is complete and asks you to restart the program.
Load the unpacked program in OD, set a breakpoint on RegQueryValueExA, and press F9 repeatedly (about 211 times) until the string "RegNo" shows up in the register window.
Press Alt+M to open the memory window, Ctrl+B to search for the ASCII string "gonghui", select those bytes, set a memory breakpoint, press F9, and you land here:

0040298F  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>   ; breaks here, step through with F8
00402991  89C1             MOV ECX,EAX
00402993  83E1 03          AND ECX,3
00402996  F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00402998  5F               POP EDI
00402999  5E               POP ESI
0040299A  C3               RETN

Keep stepping with F8 until you reach this:
004F3F99  8D45 F0          LEA EAX,DWORD PTR SS:[EBP-10]
004F3F9C  33C9             XOR ECX,ECX
004F3F9E  BA 08000000      MOV EDX,8
004F3FA3  E8 E4F1F0FF      CALL FileKing.0040318C
004F3FA8  8B45 D4          MOV EAX,DWORD PTR SS:[EBP-2C]
004F3FAB  E8 300BF1FF      CALL FileKing.00404AE0
004F3FB0  50               PUSH EAX
004F3FB1  8D45 D4          LEA EAX,DWORD PTR SS:[EBP-2C]
004F3FB4  E8 770DF1FF      CALL FileKing.00404D30
004F3FB9  8D55 F0          LEA EDX,DWORD PTR SS:[EBP-10]
004F3FBC  59               POP ECX
004F3FBD  E8 BAE9F0FF      CALL FileKing.0040297C
004F3FC2  8D55 E8          LEA EDX,DWORD PTR SS:[EBP-18]
004F3FC5  8D45 F0          LEA EAX,DWORD PTR SS:[EBP-10]
004F3FC8  E8 A3F4FFFF      CALL FileKing.004F3470
004F3FCD  BE 08000000      MOV ESI,8
004F3FD2  8D5D E8          LEA EBX,DWORD PTR SS:[EBP-18]
004F3FD5  8D4D D0          LEA ECX,DWORD PTR SS:[EBP-30]
004F3FD8  33C0             XOR EAX,EAX
004F3FDA  8A03             MOV AL,BYTE PTR DS:[EBX]
004F3FDC  BA 02000000      MOV EDX,2
004F3FE1  E8 FE50F1FF      CALL FileKing.004090E4              ; algorithm call, F7 to step into
004F3FE6  8B55 D0          MOV EDX,DWORD PTR SS:[EBP-30]
004F3FE9  8BC7             MOV EAX,EDI
004F3FEB  E8 F80AF1FF      CALL FileKing.00404AE8
004F3FF0  43               INC EBX
004F3FF1  4E               DEC ESI
004F3FF2  75 E1            JNZ SHORT FileKing.004F3FD5
004F3FF4  8345 D8 08       ADD DWORD PTR SS:[EBP-28],8
004F3FF8  8B45 DC          MOV EAX,DWORD PTR SS:[EBP-24]
004F3FFB  83C0 07          ADD EAX,7
004F3FFE  85C0             TEST EAX,EAX
004F4000  79 03            JNS SHORT FileKing.004F4005
004F4002  83C0 07          ADD EAX,7
004F4005  C1F8 03          SAR EAX,3
004F4008  C1E0 03          SHL EAX,3
004F400B  3B45 D8          CMP EAX,DWORD PTR SS:[EBP-28]
004F400E  0F8D 71FFFFFF    JGE FileKing.004F3F85
004F4014  33C0             XOR EAX,EAX
004F4016  5A               POP EDX
004F4017  59               POP ECX
004F4018  59               POP ECX
004F4019  64:8910          MOV DWORD PTR FS:[EAX],EDX
004F401C  68 43404F00      PUSH FileKing.004F4043
004F4021  8D45 D0          LEA EAX,DWORD PTR SS:[EBP-30]
004F4024  BA 02000000      MOV EDX,2
004F4029  E8 1E08F1FF      CALL FileKing.0040484C
004F402E  8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
004F4031  BA 02000000      MOV EDX,2
004F4036  E8 1108F1FF      CALL FileKing.0040484C
004F403B  C3               RETN
004F403C  E9 EF01F1FF      JMP FileKing.00404230
004F4041  EB DE            JMP SHORT FileKing.004F4021
004F4043  5F               POP EDI
004F4044  5E               POP ESI
004F4045  5B               POP EBX
004F4046  8BE5             MOV ESP,EBP
004F4048  5D               POP EBP
004F4049  C3               RETN
; The loop above, from 004F3FD5 to 004F3FF2, produces two characters of the registration code per iteration; after the RETN at 004F4049 execution returns to:
004F52E2  E8 39ECFFFF      CALL FileKing.004F3F20
004F52E7  8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]         ; the registration code "A81230444A4D8FC3" appears here
004F52EA  58               POP EAX

Stepping into the call brings you here:
004090E4  83C4 F0          ADD ESP,-10
004090E7  6A 01            PUSH 1
004090E9  895424 04        MOV DWORD PTR SS:[ESP+4],EDX
004090ED  C64424 08 00     MOV BYTE PTR SS:[ESP+8],0
004090F2  894424 0C        MOV DWORD PTR SS:[ESP+C],EAX
004090F6  C64424 10 00     MOV BYTE PTR SS:[ESP+10],0
004090FB  8D4424 04        LEA EAX,DWORD PTR SS:[ESP+4]
004090FF  BA 18914000      MOV EDX,FileKing.00409118
00409104  91               XCHG EAX,ECX
00409105  E8 EE0B0000      CALL FileKing.00409CF8              ; algorithm, F7 to step into
0040910A  83C4 10          ADD ESP,10
0040910D  C3               RETN

Stepping into that call brings you here:
00409CF8  55               PUSH EBP
00409CF9  8BEC             MOV EBP,ESP
00409CFB  81C4 04F0FFFF    ADD ESP,-0FFC
00409D01  50               PUSH EAX
00409D02  83C4 F8          ADD ESP,-8
00409D05  53               PUSH EBX
00409D06  56               PUSH ESI
00409D07  894D F8          MOV DWORD PTR SS:[EBP-8],ECX
00409D0A  8955 FC          MOV DWORD PTR SS:[EBP-4],EDX
00409D0D  8BF0             MOV ESI,EAX
00409D0F  BB 00100000      MOV EBX,1000
00409D14  8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00409D17  E8 C4ADFFFF      CALL FileKing.00404AE0
00409D1C  3D 000C0000      CMP EAX,0C00
00409D21  7D 26            JGE SHORT FileKing.00409D49
00409D23  8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00409D26  E8 B5ADFFFF      CALL FileKing.00404AE0
00409D2B  50               PUSH EAX
00409D2C  8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
00409D2F  50               PUSH EAX
00409D30  8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
00409D33  50               PUSH EAX
00409D34  8B4D FC          MOV ECX,DWORD PTR SS:[EBP-4]
00409D37  8D85 F8EFFFFF    LEA EAX,DWORD PTR SS:[EBP-1008]
00409D3D  BA FF0F0000      MOV EDX,0FFF
00409D42  E8 09FBFFFF      CALL FileKing.00409850
00409D47  EB 0C            JMP SHORT FileKing.00409D55
00409D49  8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00409D4C  E8 8FADFFFF      CALL FileKing.00404AE0
00409D51  8BD8             MOV EBX,EAX
00409D53  8BC3             MOV EAX,EBX
00409D55  8BD3             MOV EDX,EBX
00409D57  4A               DEC EDX
00409D58  3BC2             CMP EAX,EDX
00409D5A  7C 43            JL SHORT FileKing.00409D9F
00409D5C  EB 30            JMP SHORT FileKing.00409D8E
00409D5E  03DB             ADD EBX,EBX
00409D60  8BC6             MOV EAX,ESI
00409D62  E8 C1AAFFFF      CALL FileKing.00404828
00409D67  8BC6             MOV EAX,ESI
00409D69  8BD3             MOV EDX,EBX
00409D6B  E8 F4B0FFFF      CALL FileKing.00404E64
00409D70  8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00409D73  E8 68ADFFFF      CALL FileKing.00404AE0
00409D78  50               PUSH EAX
00409D79  8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
00409D7C  50               PUSH EAX
00409D7D  8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
00409D80  50               PUSH EAX
00409D81  8B4D FC          MOV ECX,DWORD PTR SS:[EBP-4]
00409D84  8BD3             MOV EDX,EBX
00409D86  4A               DEC EDX
00409D87  8B06             MOV EAX,DWORD PTR DS:[ESI]
00409D89  E8 C2FAFFFF      CALL FileKing.00409850
00409D8E  8BD3             MOV EDX,EBX
00409D90  4A               DEC EDX
00409D91  3BC2             CMP EAX,EDX
00409D93  7D C9            JGE SHORT FileKing.00409D5E
00409D95  8BD6             MOV EDX,ESI
00409D97  92               XCHG EAX,EDX
00409D98  E8 C7B0FFFF      CALL FileKing.00404E64
00409D9D  EB 0E            JMP SHORT FileKing.00409DAD
00409D9F  8D95 F8EFFFFF    LEA EDX,DWORD PTR SS:[EBP-1008]
00409DA5  8BCE             MOV ECX,ESI
00409DA7  91               XCHG EAX,ECX
00409DA8  E8 6BABFFFF      CALL FileKing.00404918              ; algorithm, F7 to step into
00409DAD  5E               POP ESI
00409DAE  5B               POP EBX
00409DAF  8BE5             MOV ESP,EBP
00409DB1  5D               POP EBP
00409DB2  C2 0400          RETN 4

Stepping into that call brings you here:
00404918  53               PUSH EBX
00404919  56               PUSH ESI
0040491A  57               PUSH EDI
0040491B  89C3             MOV EBX,EAX
0040491D  89D6             MOV ESI,EDX
0040491F  89CF             MOV EDI,ECX
00404921  89F8             MOV EAX,EDI
00404923  E8 C4FFFFFF      CALL FileKing.004048EC
00404928  89F9             MOV ECX,EDI
0040492A  89C7             MOV EDI,EAX
0040492C  85F6             TEST ESI,ESI
0040492E  74 09            JE SHORT FileKing.00404939
00404930  89C2             MOV EDX,EAX
00404932  89F0             MOV EAX,ESI
00404934  E8 43E0FFFF      CALL FileKing.0040297C              ; F7 to step into
00404939  89D8             MOV EAX,EBX
0040493B  E8 E8FEFFFF      CALL FileKing.00404828
00404940  893B             MOV DWORD PTR DS:[EBX],EDI
00404942  5F               POP EDI
00404943  5E               POP ESI
00404944  5B               POP EBX
00404945  C3               RETN

Press F7 to step in, and you arrive here:
00402979  8D40 00          LEA EAX,DWORD PTR DS:[EAX]
0040297C  56               PUSH ESI
0040297D  57               PUSH EDI
0040297E  89C6             MOV ESI,EAX
00402980  89D7             MOV EDI,EDX
00402982  89C8             MOV EAX,ECX
00402984  39F7             CMP EDI,ESI
00402986  77 13            JA SHORT FileKing.0040299B
00402988  74 2F            JE SHORT FileKing.004029B9
0040298A  C1F9 02          SAR ECX,2
0040298D  78 2A            JS SHORT FileKing.004029B9
0040298F  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00402991  89C1             MOV ECX,EAX
00402993  83E1 03          AND ECX,3
00402996  F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00402998  5F               POP EDI
00402999  5E               POP ESI
0040299A  C3               RETN
0040299B  8D7431 FC        LEA ESI,DWORD PTR DS:[ECX+ESI-4]
0040299F  8D7C39 FC        LEA EDI,DWORD PTR DS:[ECX+EDI-4]
004029A3  C1F9 02          SAR ECX,2
004029A6  78 11            JS SHORT FileKing.004029B9
004029A8  FD               STD
004029A9  F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004029AB  89C1             MOV ECX,EAX
004029AD  83E1 03          AND ECX,3
004029B0  83C6 03          ADD ESI,3
004029B3  83C7 03          ADD EDI,3
004029B6  F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004029B8  FC               CLD                                   ; produces two characters of the registration code each pass
004029B9  5F               POP EDI
004029BA  5E               POP ESI
004029BB  C3               RETN

Finally, registering with "gonghui" and "A81230444A4D8FC3" succeeds.



--------------------------------------------------------------------------------
[Lessons learned]
Restart-based verification looks like a hard protection scheme, but it is actually easy to crack.


rslexf posted on 2008-7-19 12:12
I'll need to study this slowly; thanks for sharing.
mwy1024 posted on 2008-7-19 13:14
mojingtai posted on 2008-7-19 13:56
石头学破解 posted on 2008-7-19 15:33
Pressing F9 about 211 times; the OP is really patient.
daibangzhe posted on 2008-7-19 17:19
That's really tedious, but the OP dug into it so carefully; deserves an upvote.
海岸线 posted on 2008-7-19 17:25
Good stuff, simple and practical; thanks, OP.
wgz001 posted on 2008-7-24 21:41
211 times? That's brutal.

Would patching the jump work?

How do you get past the restart check?
free1x posted on 2008-7-25 11:49
I don't understand it, but I'll show my support anyway.
shibin2003 posted on 2008-7-25 14:55
Going to try it out; upvoted!