Windows Lotto Pro 2000 V5.39: a brute-force (binary patching) crack

Posted by 看雪資料 on 2001-04-02

Download: ftp://datasol.intnet.net/pub/lotpro32.exe
Description: apparently a lottery program from abroad. Its restrictions are a time limit, a NAG screen, and feature limits.
        This crack only deals with the first two; the feature limits are out of scope. The program is packed with Shrink.
Tools: trw2k (TRW2000), bw2k02, wdasm893 (W32Dasm 8.93), UltraEdit

Procedure:

1. Unpacking
Run bw2k02 first, click Track, then run lotpro32.exe; it reports the entry point as 6301f4 (thanks to D.boy
for such a good tool). Load the program in TRW, set a breakpoint with bpx 6301f4 and run; it breaks there. Issue the pedump
command (thanks to Liu Taotao and Zhu Nanhao for such a fine tool), and the unpacking is done: the dump runs without problems.

2. Disassemble with wdasm893. Don't expect it to disassemble everything; a part is enough.
Look through the string references and you find "Thank you for continuing to use ". Isn't that exactly the text on the NAG screen? Double-click the string to land where it is referenced. Scroll up and down and there are a few similar ones. So this is the key spot for the time-limit check. Here is the code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C05(C)
|
:00624C7B 80EB01                  sub bl, 01
:00624C7E 721D                    jb 00624C9D    **must not jump**
:00624C80 0F8496000000            je 00624D1C    **must not jump**

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C11(C)
|
:00624C86 80EB02                  sub bl, 02
:00624C89 0F84A3000000            je 00624D32    **must not jump**
:00624C8F 80EB03                  sub bl, 03
:00624C92 0F84B0000000            je 00624D48    **must not jump**
:00624C98 E9BF000000              jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C7E(C)
|
:00624C9D 8B87A4030000            mov eax, dword ptr [edi+000003A4]
:00624CA3 E800E5E8FF              call 004B31A8
:00624CA8 83F80F                  cmp eax, 0000000F
:00624CAB 7534                    jne 00624CE1

* Possible StringData Ref from Code Obj ->"Thank you for your interest in "
                                        ->"Windows Lotto Pro 2000. You have "
                                        ->"been granted a license to use "
                                        ->"this program for evaluation. Your "
                                        ->"evaluation period will expire "
                                        ->"in "
                                  |
:00624CAD 68444E6200              push 00624E44
:00624CB2 8B87A4030000            mov eax, dword ptr [edi+000003A4]
:00624CB8 E8EBE4E8FF              call 004B31A8
:00624CBD 8D55F4                  lea edx, dword ptr [ebp-0C]
:00624CC0 E8075ADEFF              call 0040A6CC
:00624CC5 FF75F4                  push [ebp-0C]

* Possible StringData Ref from Code Obj ->" days. "
                                  |
:00624CC8 68F04E6200              push 00624EF0

* Possible StringData Ref from Code Obj ->"Click on the Register Now button "
                                        ->"below for registration benefits "
                                        ->"and information on how to register."
                                  |
:00624CCD 68004F6200              push 00624F00
:00624CD2 8D45FC                  lea eax, dword ptr [ebp-04]
:00624CD5 BA04000000              mov edx, 00000004
:00624CDA E80DF5DDFF              call 004041EC
:00624CDF EB32                    jmp 00624D13

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624CAB(C)
|

* Possible StringData Ref from Code Obj ->"Thank you for continuing to use "
                                        ->"Windows Lotto Pro 2000. You have "
                                        ->"been granted a license to use "
                                        ->"this program for evaluation. Your "
                                        ->"evaluation period will expire "
                                        ->"in "
                                  |
:00624CE1 68704F6200              push 00624F70
:00624CE6 8B87A4030000            mov eax, dword ptr [edi+000003A4]
:00624CEC E8B7E4E8FF              call 004B31A8
:00624CF1 8D55F0                  lea edx, dword ptr [ebp-10]
:00624CF4 E8D359DEFF              call 0040A6CC
:00624CF9 FF75F0                  push [ebp-10]

* Possible StringData Ref from Code Obj ->" days. "
                                  |
:00624CFC 68F04E6200              push 00624EF0

* Possible StringData Ref from Code Obj ->"Click on the Register Now button "
                                        ->"below for registration benefits "
                                        ->"and information on how to register."
                                  |
:00624D01 68004F6200              push 00624F00
:00624D06 8D45FC                  lea eax, dword ptr [ebp-04]
:00624D09 BA04000000              mov edx, 00000004
:00624D0E E8D9F4DDFF              call 004041EC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624CDF(U)
|
:00624D13 C687680E000000          mov byte ptr [edi+00000E68], 00
:00624D1A EB40                    jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C80(C)
|
:00624D1C 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"The evaluation period for Windows "
                                        ->"Lotto Pro 2000 has expired. Click "
                                        ->"on the Register Now button below "
                                        ->"for registration benefits and "
                                        ->"information on how to register."
                                  |
:00624D1F BA1C506200              mov edx, 0062501C
:00624D24 E81BF2DDFF              call 00403F44
:00624D29 C687680E000001          mov byte ptr [edi+00000E68], 01
:00624D30 EB2A                    jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C89(C)
|
:00624D32 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"The evaluation period for Windows "
                                        ->"Lotto Pro 2000 has expired. Click "
                                        ->"on the Register Now button below "
                                        ->"for registration benefits and "
                                        ->"information on how register."
                                  |
:00624D35 BAC8506200              mov edx, 006250C8
:00624D3A E805F2DDFF              call 00403F44
:00624D3F C687680E000001          mov byte ptr [edi+00000E68], 01
:00624D46 EB14                    jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C92(C)
|
:00624D48 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"The evaluation period for Windows "
                                        ->"Lotto Pro 2000 has expired. Click "
                                        ->"on the Register Now button below "
                                        ->"for registration benefits and "
                                        ->"information on how to register."
                                  |
:00624D4B BA1C506200              mov edx, 0062501C
:00624D50 E8EFF1DDFF              call 00403F44
:00624D55 C687680E000001          mov byte ptr [edi+00000E68], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00624C98(U), :00624D1A(U), :00624D30(U), :00624D46(U)
|
:00624D5C 8B0DBC456300            mov ecx, dword ptr [006345BC]
:00624D62 8B09                    mov ecx, dword ptr [ecx]
:00624D64 B201                    mov dl, 01

NOP out the jumps marked "must not jump" above and the program's time limit is gone. The sub bl chain is a switch on the status code in bl: state 0 (trial, days remaining) takes the jb to 624C9D, which builds the "evaluation period will expire in N days" text and clears byte [edi+E68]; states 1, 3 and 6 take the three je branches to the "has expired" messages, each of which sets byte [edi+E68] to 1. With all four jumps NOPed, every state falls through to the jmp 00624D5C at 624C98 without building a message or touching that byte.
Incidentally, the string references also include the feature-limit messages; look at the jumps around them and those should be patchable the same way.
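The listing gives the jumps as virtual addresses, while a hex editor such as UltraEdit patches file offsets, so the PE section table has to be consulted to translate one into the other. The following is an added example, not part of the original write-up and not one of its tools: a Python patcher that does that translation, refuses to write unless the bytes at the offset match what the disassembler showed, and fills each jump with NOPs of the same length so the surrounding code is unaffected. The PE it runs on is constructed inline (one section placed so that the 00624C7B..00624C9D listing bytes land at their VAs); it is not lotpro32.exe, whose section layout the write-up does not give. It also reports whether the section is writable, which matters for the SMC patch in step 3: the trampolines there store into the code section at run time, which faults unless that section is writable.

```python
"""Turn "NOP out this jump" notes into file patches, by virtual address.

Added example (not from the original write-up). The section table is parsed
to map each VA to a file offset, the bytes there are compared with what the
disassembler showed before anything is written, and each jump is replaced by
NOPs of its own length so the code around it is unaffected.
"""
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000

# The four jumps marked "must not jump": (VA, bytes shown in the listing).
TIME_LIMIT_PATCHES = [
    (0x624C7E, bytes.fromhex("721D")),          # jb 00624C9D
    (0x624C80, bytes.fromhex("0F8496000000")),  # je 00624D1C
    (0x624C89, bytes.fromhex("0F84A3000000")),  # je 00624D32
    (0x624C92, bytes.fromhex("0F84B0000000")),  # je 00624D48
]


def parse_sections(pe):
    """Return (image_base, [(name, rva_start, rva_end, raw_ptr, raw_size, flags)])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    image_base, = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)  # PE32 ImageBase
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(num_sections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        flags, = struct.unpack_from("<I", pe, off + 36)
        sections.append((name.rstrip(b"\0").decode(), rva, rva + max(vsize, raw_size),
                         raw_ptr, raw_size, flags))
        off += 40
    return image_base, sections


def find_section(pe, va):
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for sec in sections:
        if sec[1] <= rva < sec[2]:
            return rva, sec
    raise ValueError(f"{va:#x} is not inside any section")


def va_to_offset(pe, va):
    """File offset of a VA; fails for VAs that exist only in memory (e.g. BSS)."""
    rva, (name, start, _end, raw_ptr, raw_size, _flags) = find_section(pe, va)
    if rva - start >= raw_size:
        raise ValueError(f"{va:#x} lies in {name} but has no bytes in the file")
    return raw_ptr + (rva - start)


def section_writable(pe, va):
    """Whether the section holding `va` is marked writable: the SMC patch in
    step 3 stores into the code section at run time and needs this to be set."""
    _rva, sec = find_section(pe, va)
    return bool(sec[5] & IMAGE_SCN_MEM_WRITE)


def nop_out(pe, patches):
    """Return a patched copy of `pe`; refuse if any original bytes do not match."""
    out = bytearray(pe)
    for va, original in patches:
        off = va_to_offset(pe, va)
        found = bytes(out[off:off + len(original)])
        if found != original:
            raise ValueError(f"{va:#x}: expected {original.hex()} found {found.hex()}")
        out[off:off + len(original)] = b"\x90" * len(original)
    return bytes(out)


def build_sample_pe():
    """Constructed test image, not lotpro32.exe: a PE32 with one read/execute
    CODE section placed so the 00624C7B..00624C9D listing bytes sit at their VAs."""
    image_base, sect_rva, raw_ptr = 0x400000, 0x224000, 0x200
    listing = bytes.fromhex("80EB01" "721D" "0F8496000000" "80EB02" "0F84A3000000"
                            "80EB03" "0F84B0000000" "E9BF000000")
    raw = bytearray(0x1000)
    raw[0xC7B:0xC7B + len(listing)] = listing          # 0x624C7B - image_base - sect_rva
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b"CODE", len(raw), sect_rva, len(raw), raw_ptr,
                      0, 0, 0, 0, 0x60000020)          # CODE | EXECUTE | READ, no WRITE
    hdr = dos + coff + opt + sec
    return bytes(hdr) + bytes(raw_ptr - len(hdr)) + bytes(raw)


if __name__ == "__main__":
    pe = build_sample_pe()
    for va, original in TIME_LIMIT_PATCHES:
        print(f"{va:#x} -> file offset {va_to_offset(pe, va):#x} ({original.hex()})")
    print("code section writable:", section_writable(pe, 0x624C7E))
    nop_out(pe, TIME_LIMIT_PATCHES)
```

Applying the patch list a second time is refused, because the expected bytes are no longer there; that is the point of carrying the original bytes with each patch rather than just an offset.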

3. Removing the NAG screen, using an SMC (self-modifying code) trick.
Even after unpacking, the program is still full of junk instructions that jump all over the place, which is annoying; it is hard to locate which CALL displays the NAG and hard to find the branch that controls it, since you just keep circling inside the Shrink section. So the idea was to remove it with SMC.
(1) First trace the NAG screen in TRW. After tracing down level by level, you find that once execution passes 455c84 the NAG screen appears.
:00455C84 E83BFEFFFF              call 00455AC4
Step into it; it is simple inside:
:00455AC4 53                      push ebx
:00455AC5 8BD8                    mov ebx, eax
:00455AC7 B201                    mov dl, 01
:00455AC9 8BC3                    mov eax, ebx
:00455ACB E824CEFFFF              call 004528F4  **if this CALL runs, the NAG appears, so skip it for now**
:00455AD0 8BC3                    mov eax, ebx
:00455AD2 E8DD3FFEFF              call 00439AB4  **this CALL must run, otherwise the program window comes up incomplete**
:00455AD7 5B                      pop ebx
:00455AD8 C3                      ret

But once past that, the program gets stuck in a checking loop (the NAG is a dialog the trial expects you to dismiss with a button; it never appeared, but the program behaves as though it is up and waits for it to be closed). Here is the loop:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455CF9(C)
|
:00455CB9 8B03                    mov eax, dword ptr [ebx]
:00455CBB E8042F0000              call 00458BC4
:00455CC0 8B03                    mov eax, dword ptr [ebx]
:00455CC2 80B88C00000000          cmp byte ptr [eax+0000008C], 00
:00455CC9 740F                    je 00455CDA
:00455CCB 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CCE C7803402000002000000    mov dword ptr [ebx+00000234], 00000002
:00455CD8 EB14                    jmp 00455CEE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455CC9(C)
|
:00455CDA 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CDD 83B83402000000          cmp dword ptr [eax+00000234], 00000000
:00455CE4 7408                    je 00455CEE
:00455CE6 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CE9 E826FDFFFF              call 00455A14

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00455CD8(U), :00455CE4(C)
|
:00455CEE 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CF1 8B8034020000            mov eax, dword ptr [eax+00000234]
:00455CF7 85C0                    test eax, eax
:00455CF9 74BE                    je 00455CB9  **temporarily NOP this out and it gets through**
:00455CFB 8945F8                  mov [ebp-08],eax

Testing shows that NOPing the jump at 455cf9 is enough to get into the main program. It must not be changed permanently, though, or many of the program's forms will no longer display: this is a shared routine, the program's modal-dialog wait loop (it has the shape of the Delphi VCL's ShowModal loop: pump a message, then repeat until the form's result at [eax+234] becomes non-zero, which a button click sets). With the je gone for good, every modal form in the program would return immediately.
Now all the patch points have been found.

(2) First use topo to add a writable section to the program. Add a new one (a size of 50 is enough) rather than writing into existing space, because Shrink apparently still uses it. In this build the new section landed at 7cd000.

1) At 00455ACB, change E824CEFFFF (call 004528F4) to E930753700 (jmp 7cd000, into the patch).
The patch writes the original bytes back to 455acb so that later passes through this code run normally:
7cd000: 90                          nop
7cd001: c705cb5a4500e824ceff        mov dword ptr [455acb], ffce24e8   ; restores E8 24 CE FF
7cd00b: c605cf5a4500ff              mov byte ptr [455acf], ff          ; restores the last byte of the call
7cd012: e9bb8ac8ff                  jmp 455ad2                         ; resume after the skipped call

2) At 00455CF9, change 74BE (je 00455CB9) to E919733700 (jmp 7cd017, into the patch). The 5-byte jmp also overwrites the 3-byte mov [ebp-08], eax at 455CFB, so all five bytes have to be restored.
The patch writes the original code back at 455cf9 so that later modal forms work normally:
7cd017: c705f95c450074be8945        mov dword ptr [455cf9], 4589be74   ; restores 74 BE 89 45
7cd021: c605fd5c4500f8              mov byte ptr [455cfd], f8          ; restores the F8 of mov [ebp-08], eax
7cd028: e9ce8cc8ff                  jmp 455cfb                         ; continue as if the je was not taken
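Hand-assembling rel32 displacements is where patches like these usually go wrong, so here is an added example (not from the original post) that encodes both trampolines from their symbolic description and checks them byte for byte against the bytes above. The encodings are the standard x86 ones the patch uses (E9/E8 rel32, 7x rel8, and the C7 05 / C6 05 absolute stores); the function names and the lead_nops parameter, which reproduces the nop the write-up leaves at 7cd000, are this example's own. The cave uses only stores of immediates, which change no register or flag, so it can sit between the two calls in 455AC4 without saving state. As in the write-up, the stores target the code section, which has to be writable at run time for this to work.

```python
"""Encode the two SMC trampolines from step 3 and check them against the
hand-assembled bytes in the write-up.

Added example, not from the original post. Only the x86 encodings the patch
relies on are implemented: E9/E8 rel32 (jmp/call), 7x rel8 (short jcc),
C7 05 disp32 imm32 (mov dword ptr [abs], imm32) and C6 05 disp32 imm8
(mov byte ptr [abs], imm8). Relative displacements are measured from the
end of the branch instruction, which is where hand calculation goes wrong.
"""
import struct


def rel32(insn_va, target_va, insn_len):
    """Signed 32-bit displacement from the end of the instruction to the target."""
    return struct.pack("<i", target_va - (insn_va + insn_len))


def jmp_rel32(insn_va, target_va):
    return b"\xE9" + rel32(insn_va, target_va, 5)


def call_rel32(insn_va, target_va):
    return b"\xE8" + rel32(insn_va, target_va, 5)


def jcc_rel8(opcode, insn_va, target_va):
    """Short conditional jump, e.g. opcode 0x74 for je."""
    disp = target_va - (insn_va + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of short-jump range")
    return bytes([opcode]) + struct.pack("<b", disp)


def mov_dword_abs(addr, data4):
    """mov dword ptr [addr], imm32, with the immediate given as 4 raw bytes."""
    return b"\xC7\x05" + struct.pack("<I", addr) + data4


def mov_byte_abs(addr, data1):
    """mov byte ptr [addr], imm8."""
    return b"\xC6\x05" + struct.pack("<I", addr) + data1


def restore_trampoline(hook_va, original, cave_va, resume_va, lead_nops=0):
    """Build (hook, cave): `hook` is the 5-byte jmp written over hook_va; `cave`
    is the code at cave_va that writes `original` back (dword stores, then byte
    stores, as the write-up does) and jumps to resume_va. Stores of immediates
    change no register or flag, so no state needs saving. lead_nops reproduces
    the nop the write-up leaves at the start of the first cave."""
    if len(original) < 5:
        raise ValueError("the jmp overwrites 5 bytes; all of them must be restored")
    hook = jmp_rel32(hook_va, cave_va)
    cave = b"\x90" * lead_nops
    pos = 0
    while len(original) - pos >= 4:
        cave += mov_dword_abs(hook_va + pos, original[pos:pos + 4])
        pos += 4
    for b in original[pos:]:
        cave += mov_byte_abs(hook_va + pos, bytes([b]))
        pos += 1
    cave += jmp_rel32(cave_va + len(cave), resume_va)
    return hook, cave


def page_patches():
    """The two patches of step 3 in the write-up's own layout: the first cave
    starts with a nop at 7cd000, the second follows it directly at 7cd017."""
    nag_call = restore_trampoline(
        0x455ACB, call_rel32(0x455ACB, 0x4528F4),   # original: call 004528F4
        0x7CD000, 0x455AD2, lead_nops=1)
    # original at 455CF9: je 00455CB9 followed by mov [ebp-08], eax (89 45 F8)
    original2 = jcc_rel8(0x74, 0x455CF9, 0x455CB9) + bytes.fromhex("8945F8")
    modal_loop = restore_trampoline(0x455CF9, original2, 0x7CD017, 0x455CFB)
    return {"nag_call": nag_call, "modal_loop": modal_loop}


if __name__ == "__main__":
    for name, (hook, cave) in page_patches().items():
        print(f"{name}: hook {hook.hex()}  cave {cave.hex()}")
```

The second cave's address is not a free choice: it has to start exactly where the first one ends (7cd000 plus 23 bytes is 7cd017), and the check that the hooks re-encode to the listing's original call and je is what tells you the instruction lengths you overwrote were read correctly.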

OK, both of the program's restrictions are now completely removed.

This crack may read a bit roughly, but the methods it covers (unpacking with bw2k02 together with TRW, working from wdasm893 output, and SMC) should still be of some value to beginners.

Note: the program could be cracked entirely with SMC; it would just be somewhat more complicated.

===========<End>==============

                                          <Cracked by KanKer>
