再次湊湊熱鬧:破解心得之ChinaZip 5.0(中華壓縮)篇 (8千字)
破解心得之ChinaZip 5.0(中華壓縮)篇
作者:時空幻影
時間:2001年4月6日
工具:W32DASM8.93黃金版中文版、TRW2000 1.22已註冊版、CASPR (一種脫殼工具)、FILEINFO 2.43a。
過程:
先用FILEINFO檢視ChinaZip.exe有沒有加殼,果然它是由ASPack v2.001加的殼,用CASPR脫掉它的殼,再用W32DASM反彙編,點工具欄上的“STRING REF(字串參考)”,查詢可疑的字串,果然看到字串“您的註冊碼不正確!”,雙擊它,再往上翻,看看有什麼跳轉指令,果然馬上找到了,如下所示:
:004DF699 8D4DF8
lea ecx, dword ptr [ebp-08] <--在TRW2000中用PMODULE後再按幾次F10就會到這
:004DF69C 8B55FC
mov edx, dword ptr [ebp-04]
:004DF69F 8BC3
mov eax, ebx
:004DF6A1 E87AFEFFFF call
004DF520 <--這裡按F8進入這裡,這裡面計算註冊碼
:004DF6A6 8D55F4
lea edx, dword ptr [ebp-0C]
:004DF6A9 A1A4AD4E00 mov eax,
dword ptr [004EADA4]
:004DF6AE 8B00
mov eax, dword ptr [eax]
:004DF6B0 8B80E4020000 mov eax, dword
ptr [eax+000002E4]
:004DF6B6 E8BD37F5FF call
00432E78
:004DF6BB 8B45F4
mov eax, dword ptr [ebp-0C]
:004DF6BE 8B55F8
mov edx, dword ptr [ebp-08]
:004DF6C1 E8324AF2FF call
004040F8 <--這裡面註冊碼進行比較
:004DF6C6 7568
jne 004DF730 <--跳轉的話就GAME
OVER了
:004DF6C8 A108AF4E00 mov eax,
dword ptr [004EAF08]
:004DF6CD 8B00
mov eax, dword ptr [eax]
:004DF6CF 8B8008040000 mov eax, dword
ptr [eax+00000408]
:004DF6D5 B201
mov dl, 01
:004DF6D7 E8F090FEFF call
004C87CC
:004DF6DC 8D55F0
lea edx, dword ptr [ebp-10]
:004DF6DF A1F8AF4E00 mov eax,
dword ptr [004EAFF8]
:004DF6E4 8B00
mov eax, dword ptr [eax]
:004DF6E6 E89515F7FF call
00450C80
:004DF6EB 8D45F0
lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->" - 註冊使用者!"
|
:004DF6EE BA7CF74D00 mov edx,
004DF77C
:004DF6F3 E8F848F2FF call
00403FF0
:004DF6F8 8B55F0
mov edx, dword ptr [ebp-10]
:004DF6FB A108AF4E00 mov eax,
dword ptr [004EAF08]
:004DF700 8B00
mov eax, dword ptr [eax]
:004DF702 E8A137F5FF call
00432EA8
:004DF707 6A40
push 00000040
* Possible StringData Ref from Code Obj ->"註冊成功!"
|
:004DF709 B98CF74D00 mov ecx,
004DF78C
* Possible StringData Ref from Code Obj ->"謝謝您的寶貴支援."
|
:004DF70E BA98F74D00 mov edx,
004DF798
:004DF713 A1F8AF4E00 mov eax,
dword ptr [004EAFF8]
:004DF718 8B00
mov eax, dword ptr [eax]
:004DF71A E8951BF7FF call
004512B4
:004DF71F A1EC345100 mov eax,
dword ptr [005134EC]
:004DF724 C7803402000001000000 mov dword ptr [ebx+00000234],
00000001
:004DF72E EB0A
jmp 004DF73A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF6C6(C)
|
* Possible StringData Ref from Code Obj ->"您的註冊碼不正確!"
|
:004DF730 B8B4F74D00 mov eax,
004DF7B4 <--雙擊字串“您的註冊碼不正確!”來到這,然後往上看
:004DF735 E81288F7FF call
00457F4C
在那個CALL 004DF520按F8進入後就看到以下指令:
* Referenced by a CALL at Address:
|:004DF6A1
|
:004DF520 55
push ebp
:004DF521 8BEC
mov ebp, esp
:004DF523 6A00
push 00000000
:004DF525 6A00
push 00000000
:004DF527 6A00
push 00000000
:004DF529 6A00
push 00000000
:004DF52B 6A00
push 00000000
:004DF52D 6A00
push 00000000
:004DF52F 6A00
push 00000000
:004DF531 53
push ebx
:004DF532 56
push esi
:004DF533 57
push edi
:004DF534 894DF8
mov dword ptr [ebp-08], ecx
:004DF537 8955FC
mov dword ptr [ebp-04], edx
:004DF53A 8B45FC
mov eax, dword ptr [ebp-04]
:004DF53D E85A4CF2FF call
0040419C
:004DF542 33C0
xor eax, eax
:004DF544 55
push ebp
:004DF545 6808F64D00 push
004DF608
:004DF54A 64FF30
push dword ptr fs:[eax]
:004DF54D 648920
mov dword ptr fs:[eax], esp
:004DF550 33F6
xor esi, esi
:004DF552 8D45F4
lea eax, dword ptr [ebp-0C]
:004DF555 8B55FC
mov edx, dword ptr [ebp-04]
:004DF558 E8A348F2FF call
00403E00
:004DF55D 8B45F4
mov eax, dword ptr [ebp-0C]
:004DF560 E8834AF2FF call
00403FE8 <--這裡計算使用者名稱的長度
:004DF565 8BF8
mov edi, eax
:004DF567 85FF
test edi, edi
<--判斷使用者名稱長度是否為0
:004DF569 7E57
jle 004DF5C2
:004DF56B BB01000000 mov ebx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF5C0(C)
|
:004DF570 8B45F4
mov eax, dword ptr [ebp-0C]
:004DF573 8A4418FF
mov al, byte ptr [eax+ebx-01] <--[EAX]為使用者名稱的記憶體表示
:004DF577 E858FFFFFF call
004DF4D4 <--判斷AL裡的數是否為素數
:004DF57C 84C0
test al, al
<--為素數的話AL為1,否則為0
:004DF57E 7425
je 004DF5A5
:004DF580 8D45E8
lea eax, dword ptr [ebp-18] <--以下為計算註冊碼字元部分
:004DF583 8B55F4
mov edx, dword ptr [ebp-0C]
:004DF586 8A541AFF
mov dl, byte ptr [edx+ebx-01]
:004DF58A E88149F2FF call
00403F10
:004DF58F 8B45E8
mov eax, dword ptr [ebp-18]
:004DF592 8D55EC
lea edx, dword ptr [ebp-14]
:004DF595 E81294F2FF call
004089AC <--小寫轉換成大寫
:004DF59A 8B55EC
mov edx, dword ptr [ebp-14]
:004DF59D 8D45F0
lea eax, dword ptr [ebp-10]
:004DF5A0 E84B4AF2FF call
00403FF0 <--合併字元
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF57E(C)
|
:004DF5A5 83FB01
cmp ebx, 00000001 <--以下為計算註冊碼數字部分
:004DF5A8 740A
je 004DF5B4
:004DF5AA 8B45F4
mov eax, dword ptr [ebp-0C]
:004DF5AD 0FB64418FE movzx
eax, byte ptr [eax+ebx-02]
:004DF5B2 EB06
jmp 004DF5BA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF5A8(C)
|
:004DF5B4 8B45F4
mov eax, dword ptr [ebp-0C]
:004DF5B7 0FB600
movzx eax, byte ptr [eax]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF5B2(U)
|
:004DF5BA 8D748612
lea esi, dword ptr [esi+4*eax+12]
:004DF5BE 43
inc ebx
:004DF5BF 4F
dec edi
:004DF5C0 75AE
jne 004DF570
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF569(C)
|
:004DF5C2 8D55E4
lea edx, dword ptr [ebp-1C]
:004DF5C5 8BC6
mov eax, esi <--ESI為註冊碼數字部分的十六進位制
:004DF5C7 E8A497F2FF call
00408D70 <--十六進位制轉換成十進位制的字串
:004DF5CC 8B4DE4
mov ecx, dword ptr [ebp-1C]
:004DF5CF 8D45F4
lea eax, dword ptr [ebp-0C]
:004DF5D2 8B55F0
mov edx, dword ptr [ebp-10]
:004DF5D5 E85A4AF2FF call
00404034 <--把註冊碼的字元部分與數字部分合並
:004DF5DA 8B45F8
mov eax, dword ptr [ebp-08]
:004DF5DD 8B55F4
mov edx, dword ptr [ebp-0C]
:004DF5E0 E8D747F2FF call
00403DBC
:004DF5E5 33C0
xor eax, eax
:004DF5E7 5A
pop edx
:004DF5E8 59
pop ecx
:004DF5E9 59
pop ecx
:004DF5EA 648910
mov dword ptr fs:[eax], edx
:004DF5ED 680FF64D00 push
004DF60F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DF60D(U)
|
:004DF5F2 8D45E4
lea eax, dword ptr [ebp-1C]
:004DF5F5 BA05000000 mov edx,
00000005
:004DF5FA E88D47F2FF call
00403D8C
:004DF5FF 8D45FC
lea eax, dword ptr [ebp-04]
:004DF602 E86147F2FF call
00403D68
:004DF607 C3
ret
這是我第一次寫破解心得,錯誤遺漏在所難免,希望大家指正。
由於我沒時間寫序號產生器了,哪位程式設計愛好者寫一下吧!!呵呵!!!