請看小弟KeyFile保護的破解 (7千字)
暴力破解第三回 Button Studio 1.41
目標軟體:Button Studio 1.41
保護方式:KeyFile
破解方法:暴力破解(怎麼每次都是爆破,你有暴力傾向呀!@#@&^&$#)
破 解 人:TAE!
軟體介紹:一個製造各種漂亮按鈕的工具,特點是小巧,易用,做出的按鈕很漂亮.
下載地址:www.interkodex.com
首先宣告本人心理健康,樂觀向上,絕對沒有暴力傾向,只是由於學藝不精,只有爆破了:)
這個軟體沒有讓你輸入註冊碼的地方,我想可能是KeyFile保護的.所以就先執行Filemon,
再執行Button Studio,發現它讀取buttonstudio.rg這個檔案.猜想這個檔案應該是KeyFile.
建立buttonstudio.rg檔案.執行軟體,奇怪,沒反應,不能執行!!我猜對了,肯定是程式執行
時檢查KeyFile,但我建立的檔案肯定不是真正的KeyFile(廢話!),所以程式發現了,就不讓執行
了.
執行TRW 1.23(BTW:為什麼有時候CTRL+N不能呼叫?),設定斷點 bpx CreateFileA,執行
程式,被中斷,這時下D EAX檢視,按F5執行程式,又被中斷,一定記住每次都要檢視EAX的值.就這樣按
了大約6次F5,這時程式已經開始讀取buttonstudio.rg檔案了,下Pmodule,回到Button Studio
的程式段.
* Reference To: kernel32.CreateFileA, Ord:0000h
|
:0040636B E8B0AEFFFF Call
00401220
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406395(U)
|
:00406370 83F8FF
cmp eax, FFFFFFFF //回到這裡.
:00406373 7429
je 0040639E
:00406375 8903
mov dword ptr [ebx], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004063AF(U)
|
:00406377 5F
pop edi
:00406378 5E
pop esi
:00406379 5B
pop ebx
:0040637A C3
ret
稍後便會執行到這裡:
* Possible StringData Ref from Code Obj ->"buttonstudio.rg"
|
:004B3196 684C344B00 push
004B344C
:004B319B 8D852CFDFFFF lea eax, dword
ptr [ebp+FFFFFD2C]
:004B31A1 BA03000000 mov edx,
00000003
:004B31A6 E8590FF5FF call
00404104
:004B31AB 8B952CFDFFFF mov edx, dword
ptr [ebp+FFFFFD2C]
:004B31B1 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54]
:004B31B7 E8F22CF5FF call
00405EAE
:004B31BC BA01000000 mov edx,
00000001
:004B31C1 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54]
:004B31C7 E80532F5FF call
004063D1
:004B31CC 6A00
push 00000000
:004B31CE 8D55F0
lea edx, dword ptr [ebp-10]
:004B31D1 B901000000 mov ecx,
00000001
:004B31D6 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54]
:004B31DC E86F2DF5FF call
00405F50
:004B31E1 B8FF000000 mov eax,
000000FF
:004B31E6 2B45F0
sub eax, dword ptr [ebp-10]
:004B31E9 8945EC
mov dword ptr [ebp-14], eax
:004B31EC 8B75EC
mov esi, dword ptr [ebp-14]
:004B31EF 85F6
test esi, esi
:004B31F1 7E49
jle 004B323C
:004B31F3 C745FC01000000 mov [ebp-04], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B323A(C)
|
:004B31FA 6A00
push 00000000
//
:004B31FC 8D55F0
lea edx, dword ptr [ebp-10] .
:004B31FF B901000000 mov ecx,
00000001 .
:004B3204 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54] .
:004B320A E8412DF5FF call
00405F50
.
:004B320F B8FF000000 mov eax,
000000FF .
:004B3214 2B45F0
sub eax, dword ptr [ebp-10] .這裡是個迴圈,好像是讀取檔案中
:004B3217 8945F0
mov dword ptr [ebp-10], eax .的Ascii,並且運算編碼,懶得看了.
:004B321A 8D8520FDFFFF lea eax, dword
ptr [ebp+FFFFFD20] .
:004B3220 8B55F0
mov edx, dword ptr [ebp-10] .
:004B3223 E8440DF5FF call
00403F6C
.
:004B3228 8B9520FDFFFF mov edx, dword
ptr [ebp+FFFFFD20] .
:004B322E 8D45F8
lea eax, dword ptr [ebp-08] .
:004B3231 E8160EF5FF call
0040404C
.
:004B3236 FF45FC
inc [ebp-04]
.
:004B3239 4E
dec esi
.
:004B323A 75BE
jne 004B31FA
//
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B31F1(C)
|
:004B323C 8B75EC
mov esi, dword ptr [ebp-14] //將游標定位在這裡,按F7,繼續向下執行
:004B323F 85F6
test esi, esi
:004B3241 7E40
jle 004B3283
:004B3243 C745FC01000000 mov [ebp-04], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3281(C)
|
:004B324A 6A00
push 00000000
:004B324C 8D55F0
lea edx, dword ptr [ebp-10]
:004B324F B901000000 mov ecx,
00000001
:004B3254 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54]
:004B325A E8F12CF5FF call
00405F50
:004B325F 8B45F8
mov eax, dword ptr [ebp-08]
:004B3262 8B55FC
mov edx, dword ptr [ebp-04]
:004B3265 8A4410FF
mov al, byte ptr [eax+edx-01]
:004B3269 34FF
xor al, FF
:004B326B 25FF000000 and eax,
000000FF
:004B3270 0345FC
add eax, dword ptr [ebp-04]
:004B3273 3B45F0
cmp eax, dword ptr [ebp-10] //到這裡停一停,比較!可惜經過編碼
:004B3276 7405
je 004B327D
//在這裡一定要跳,下面還有一處
:004B3278 E88B09F5FF call
00403C08 //執行到這裡程式便退出了
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3276(C)
|
:004B327D FF45FC
inc [ebp-04]
:004B3280 4E
dec esi
:004B3281 75C7
jne 004B324A
//又上去了.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3241(C)
|
:004B3283 6A00
push 00000000
:004B3285 8D55F0
lea edx, dword ptr [ebp-10]
:004B3288 B901000000 mov ecx,
00000001
:004B328D 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54]
:004B3293 E8B82CF5FF call
00405F50
:004B3298 8B45F8
mov eax, dword ptr [ebp-08]
:004B329B E8A40DF5FF call
00404044
:004B32A0 3B45F0
cmp eax, dword ptr [ebp-10] //又是比較
:004B32A3 7405
je 004B32AA
//一定要跳!
:004B32A5 E85E09F5FF call
00403C08
//進去就完了!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B32A3(C)
|
:004B32AA 8D8554FDFFFF lea eax, dword
ptr [ebp+FFFFFD54]
:004B32B0 E8632DF5FF call
00406018
:004B32B5 B8849C4D00 mov eax,
004D9C84
:004B32BA 8B55F8
mov edx, dword ptr [ebp-08]
:004B32BD E8560BF5FF call
00403E18
:004B32C2 33C0
xor eax, eax
:004B32C4 A3809C4D00 mov dword
ptr [004D9C80], eax
將上面的兩個跳轉改為 Jmp,試執行,沒有Nag了,看看About,那個討厭的Not registered變成了
Registered to:(亂碼).因為建立的KeyFile中的Ascii不對,所以這裡顯示的是亂碼.無論如何破解都
成功了!(換個角度看,這個KeyFile的驗證結果最後只落在兩個條件跳轉上,看來程式也沒有對自身
程式碼做完整性檢查,所以這種保護很容易就失效了.)
這裡真是個很好的地方,能和各位學到不少東西,可惜馬上就要開學,我今年中專三年級,要畢業了,
以後就沒那麼多時間搞Crack了,好苦啊!唉!還有這個月的電話費……,反正免不了挨媽媽一頓罵.