Brute-Force Cracking of 《網路吸血鬼3.3》 (Net Vampire 3.3)
Author: mjing (newbie level)
E-mail: mjing@wx88.net
Date: 2001.3.15
Tools: soft-ice 4.01, icedump 6.015, ultraedit 8.0, FileMon
Download: (some pirated CD)
Protection: this software uses registration-code protection. It saves the registration code you enter to a file named VAMPIRE.key in its own directory, and checks it the next time it starts.
Analysis: because of the above, a breakpoint is not easy to place. I tried a bpx createfilea breakpoint, but this thing calls createfilea far too many times on startup, which badly interferes with tracing; I spent a long time going through them one by one and found no useful clue at all??? (What function does it actually use to open the file?? Could someone point it out.) Disassembling with DASM did not help either: strings such as "VAMPIRE.key" could not be found, and I was practically at a dead end. Luckily, with the mighty FileMon I finally found a fatal weakness: every time it runs it deletes the VAMPIRE.key file, even when that file does not exist!
Load Vampire.exe, set the breakpoint bpx deletefilea, press F5 to run; after a moment it breaks, then press F11 once to return to the program's own code:
015F:0048BF58 POP EDX
015F:0048BF59 POP ECX
015F:0048BF5A POP ECX
015F:0048BF5B MOV FS:[EAX],EDX
015F:0048BF5E JMP 0048BF9C
015F:0048BF60 JMP 00403234
015F:0048BF65 MOV EAX,004ADA60
015F:0048BF6A CALL 00403A84
015F:0048BF6F LEA EDX,[EBP-08]
015F:0048BF72 XOR EAX,EAX
015F:0048BF74 CALL 004028CC
015F:0048BF79 MOV EAX,[EBP-08]
015F:0048BF7C LEA ECX,[EBP-04]
015F:0048BF7F MOV EDX,0048BFF8
015F:0048BF84 CALL 00407CE4
015F:0048BF89 MOV EAX,[EBP-04]
015F:0048BF8C CALL 00403EC4
015F:0048BF91 PUSH EAX
015F:0048BF92 CALL KERNEL32!DeleteFileA ; deletes the VAMPIRE.key file
015F:0048BF97 CALL 0040354C
015F:0048BF9C XOR EAX,EAX
015F:0048BF9E POP EDX
015F:0048BF9F POP ECX
015F:0048BFA0 POP ECX
015F:0048BFA1 MOV FS:[EAX],EDX
015F:0048BFA4 PUSH 0048BFBE
015F:0048BFA9 LEA EAX,[EBP-0C]
015F:0048BFAC MOV EDX,00000003
015F:0048BFB1 CALL 00403AA8
015F:0048BFB6 RET
015F:0048BFB7 JMP 00403430
015F:0048BFBC JMP 0048BFA9
015F:0048BFBE POP EDI
015F:0048BFBF POP ESI
015F:0048BFC0 POP EBX
015F:0048BFC1 MOV ESP,EBP
015F:0048BFC3 POP EBP
015F:0048BFC4 RET
015F:0048BFC5 ADD [EAX],AL
015F:0048BFC7 ADD BH,BH
015F:0048BFC9 INVALID
Carefully press F10; after returning from a few CALLs you arrive at the following territory:
015F:0049AF27 MOV EAX,[004AC96C]
015F:0049AF2C CMP DWORD PTR [EAX],07
015F:0049AF2F JNZ 0049AF49
015F:0049AF31 MOV DL,01
015F:0049AF33 MOV EAX,[EBP-04]
015F:0049AF36 CALL 0049AD30
015F:0049AF3B MOV EAX,[004AC9A8]
015F:0049AF40 MOV EAX,[EAX]
015F:0049AF42 CALL 004316EC
015F:0049AF47 JMP 0049AF5D
015F:0049AF49 MOV EAX,[EBP-04]
015F:0049AF4C MOV BYTE PTR [EAX+00000630],01
015F:0049AF53 XOR EDX,EDX
015F:0049AF55 MOV EAX,[EBP-04]
015F:0049AF58 CALL 0049AD30
015F:0049AF5D CALL 0048BEDC ; stopped here
015F:0049AF62 MOV EAX,[004AC9A0]
015F:0049AF67 CMP DWORD PTR [EAX],00 ; --- start of a highly suspicious block
015F:0049AF6A JNZ 0049AF8D
015F:0049AF6C MOV EAX,[EBP-04]
015F:0049AF6F MOV EAX,[EAX+0000050C]
015F:0049AF75 CALL 0047210C
015F:0049AF7A MOV EAX,[EBP-04]
015F:0049AF7D MOV EAX,[EAX+0000050C]
015F:0049AF83 CALL 00471C24
015F:0049AF88 JMP 0049B00D ; --- end of the suspicious block
015F:0049AF8D XOR EDX,EDX
015F:0049AF8F MOV EAX,[EBP-04]
015F:0049AF92 MOV EAX,[EAX+0000035C]
015F:0049AF98 CALL 00421AB8
015F:0049AF9D XOR EDX,EDX
015F:0049AF9F MOV EAX,[EBP-04]
015F:0049AFA2 MOV EAX,[EAX+00000360]
015F:0049AFA8 CALL 00421AB8
015F:0049AFAD XOR EDX,EDX
015F:0049AFAF MOV EAX,[EBP-04]
015F:0049AFB2 MOV EAX,[EAX+00000364]
015F:0049AFB8 CALL 00421AB8
015F:0049AFBD XOR EDX,EDX
015F:0049AFBF MOV EAX,[EBP-04]
015F:0049AFC2 MOV EAX,[EAX+000003B8]
At line 015F:0049AF6A I tried the command r fl z and pressed F5 to run. Good luck, a blind cat stumbling on a dead rat: the ad window was actually gone. I wrote down the machine code, changed it with UEdit, and it was cracked :>
Then I stepped into 015F:0049AF5D CALL 0048BEDC and traced further, hoping to find the registration code, but the miracle did not repeat; I only saw a lot of suspicious code and really could not understand its algorithm. Could some expert give a hint??
Finally I traced to the following section:
015F:0048BF14 CALL 00461634
015F:0048BF19 MOV EAX,[EBP-04]
015F:0048BF1C PUSH EAX
015F:0048BF1D LEA EAX,[EBP-08]
015F:0048BF20 PUSH EAX
015F:0048BF21 LEA EAX,[EBP-0C]
015F:0048BF24 MOV ECX,0048BFE4
015F:0048BF29 MOV EDX,[004ADA60]
015F:0048BF2F CALL 00403D4C
015F:0048BF34 MOV EAX,[EBP-0C]
015F:0048BF37 MOV ECX,00000009
015F:0048BF3C MOV EDX,00000001
015F:0048BF41 CALL 00403F04
015F:0048BF46 MOV EDX,[EBP-08]
015F:0048BF49 POP EAX
015F:0048BF4A CALL 00403E10
015F:0048BF4F JZ 0048BF56 ; change this to JMP and the ad window is gone,
                          ; so the CALL above is a prime suspect, very likely
                          ; the registration comparison, but I can't read it :(
015F:0048BF51 CALL 0040ACF4
015F:0048BF56 XOR EAX,EAX
015F:0048BF58 POP EDX
015F:0048BF59 POP ECX
015F:0048BF5A POP ECX
015F:0048BF5B MOV FS:[EAX],EDX
015F:0048BF5E JMP 0048BF9C
015F:0048BF60 JMP 00403234
015F:0048BF65 MOV EAX,004ADA60
015F:0048BF6A CALL 00403A84
015F:0048BF6F LEA EDX,[EBP-08]
015F:0048BF72 XOR EAX,EAX
015F:0048BF74 CALL 004028CC
015F:0048BF79 MOV EAX,[EBP-08]
015F:0048BF7C LEA ECX,[EBP-04]
015F:0048BF7F MOV EDX,0048BFF8
015F:0048BF84 CALL 00407CE4
015F:0048BF89 MOV EAX,[EBP-04]
015F:0048BF8C CALL 00403EC4
015F:0048BF91 PUSH EAX
015F:0048BF92 CALL KERNEL32!DeleteFileA
015F:0048BF97 CALL 0040354C
015F:0048BF9C XOR EAX,EAX
015F:0048BF9E POP EDX
OK, that counts as another "cracking" write-up, and a pretty shabby one at that (what do you expect, I'm a newbie); don't ask me about the principles, I don't know them either.
Luck matters a lot in cracking software too, though of course that rests on some experience and skill.
I wasn't planning to write any more cracking articles, but if you crack something and don't write it up, it always feels like something was left unfinished. By the way, the method above also works on the newly released Net Vampire Pro 4.0b. It seems I only know brute-force cracking, but I am a great lover of peace :) All right, see you next time!