小弟的一篇湊數的破解文章,是小弟解決的第一個密碼學軟體!(爆破哈!) (14千字)
破解軟體:一個加密檔案的軟體,《電腦愛好者》上曾經有過介紹
破解人:powerboy
軟體保護介紹:軟體屬於註冊碼保護,但特別的是註冊碼的比較(認證)是在網上進行的,所以直接算出註冊碼顯然是不可能的,只能爆破.
首先,檢視軟體是否加殼:沒有加殼(可能是作者對自己軟體的保護很有信心,所以連殼都沒加;VC編譯).
然後,進入軟體進行一次註冊,輸入:
NAME:powerboy
SN:1234567890123456(軟體告訴你註冊碼要16位),並且有很多提示.
查詢有關的註冊提示,很有幫助.
首先看到"註冊失敗",有門,看看!
:00418226 E8C5820000
Call 004204F0
:0041822B 6A01
push 00000001
:0041822D 8D4E64
lea ecx, dword ptr [esi+64]
:00418230
5F
pop edi
:00418231 50
push eax
:00418232 897DFC
mov dword ptr [ebp-04], edi
* Reference
To: MFC42.Ordinal:035A, Ord:035Ah
|
:00418235 E8D0800000 Call
0042030A
:0041823A 834DFCFF
or dword ptr [ebp-04], FFFFFFFF
:0041823E 8D4DF0
lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418241 E80C7E0000
Call 00420052
:00418246 8BCE
mov ecx, esi
:00418248 E840020000
call 0041848D----------->這裡是個關鍵的CALL(要跟進去看看一會你就知道了)
:0041824D 85C0
test eax, eax
:0041824F 752F
jne 00418280------------>既然不跳是錯誤,那跳呢!!!!
:00418251
50
push eax
:00418252 50
push eax
* Possible StringData Ref from Data Obj
->"註冊失敗"
|
:00418253 68201F4300
push 00431F20
* Reference
To: MFC42.Ordinal:04B0, Ord:04B0h
|
:00418258 E8CB800000 Call
00420328
:0041825D E9DA000000
jmp 0041833C
* Referenced by a (U)nconditional or (C)onditional Jump
at Addresses:
|:004181E9(C), :004181EE(C)
:00418262 6A00
push 00000000
:00418264
6A00 push
00000000
* Possible StringData Ref from Data Obj ->"註冊碼型別錯誤"
|
:00418266 68101F4300
push 00431F10
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00418185(U), :00418196(U)
|
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:0041826B E8B8800000
Call 00420328
:00418270 8D8E14010000
lea ecx, dword ptr [esi+00000114]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00418170(U)
|
* Reference
To: MFC42.Ordinal:175D, Ord:175Dh
|
:00418276 E8ED7F0000 Call
00420268
:0041827B E9BC000000
jmp 0041833C
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:0041824F(C)
|
:00418280 8BCE
mov ecx, esi------------------------->跳到這裡了,向下看看!
:00418282 E8E2060000 call
00418969
:00418287 85C0
test eax, eax
:00418289 0F84AD000000
je 0041833C
:0041828F 8BCE
mov ecx, esi
:00418291 E884040000
call 0041871A
:00418296 85C0
test eax, eax
:00418298 0F849E000000 je 0041833C
:0041829E 89BBC8080000 mov dword ptr
[ebx+000008C8], edi
:004182A4 8DBEA4020000
lea edi, dword ptr [esi+000002A4]
:004182AA 57
push edi
:004182AB
8D45F0 lea eax,
dword ptr [ebp-10]
* Possible StringData Ref from Data Obj ->"*****
- " 軟體的名稱啊!
|
:004182AE
68CC104300 push 004310CC
:004182B3 50
push eax
* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:004182B4 E857800000
Call 00420310
:004182B9 FF30
push dword ptr [eax]
:004182BB
8BCB mov
ecx, ebx
:004182BD C745FC02000000 mov [ebp-04],
00000002
* Reference To: MFC42.Ordinal:1837, Ord:1837h
|
:004182C4 E8B77F0000
Call 00420280
:004182C9 834DFCFF
or dword ptr [ebp-04], FFFFFFFF
:004182CD 8D4DF0
lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004182D0 E87D7D0000
Call 00420052
* Possible Reference to Dialog: DialogID_0092,
CONTROL_ID:03E9, ""
|
:004182D5
68E9030000 push 000003E9
:004182DA FF7320
push [ebx+20]
* Reference To: USER32.KillTimer, Ord:0195h
|
:004182DD FF1520584200
Call dword ptr [00425820]
:004182E3 57
push edi
:004182E4
8D45E4 lea eax,
dword ptr [ebp-1C]
* Possible StringData Ref from Data Obj ->"恭喜你 "--------------------->看到這個了嗎!軟體替你說了^_^
|
==========================================================================
跟入上面的關鍵CALL........
* Referenced by a CALL at Address:
|:00418248
|
:0041848D B87C3D4200
mov eax, 00423D7C
* Reference To: MSVCRT._EH_prolog, Ord:0042h
|
:00418492 E8A9820000
Call 00420740
:00418497 81EC80000000
sub esp, 00000080
:0041849D 53
push ebx
:0041849E
56
push esi
:0041849F 57
push edi
:004184A0 6A40
push 00000040
* Possible StringData
Ref from Data Obj ->"使用者註冊通知"
|
:004184A2
6828224300 push 00432228
:004184A7 8BD9
mov ebx, ecx
* Possible StringData Ref from Data Obj ->"親愛的使用者! 3.0以上版本必須進行網上啟用,
請稍"
->"等片刻既可完成整個註冊驗證過程."
|
:004184A9
68D8214300 push 004321D8
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004184AE E8AF7D0000
Call 00420262
:004184B3 E8B29FFEFF
call 0040246A
:004184B8 8BF8
mov edi, eax
* Possible StringData Ref from
Data Obj ->"\"
|
:004184BA 6844014300
push 00430144
:004184BF 8D87D43A0000
lea eax, dword ptr [edi+00003AD4]
:004184C5
50
push eax
:004184C6 8D45E0
lea eax, dword ptr [ebp-20]
:004184C9 50
push eax
* Reference
To: MFC42.Ordinal:039C, Ord:039Ch
|
:004184CA E82F7E0000 Call
004202FE
:004184CF 8365FC00
and dword ptr [ebp-04], 00000000
:004184D3 8D4B60
lea ecx, dword ptr [ebx+60]
:004184D6
51
push ecx
:004184D7 50
push eax
:004184D8 8D45E4
lea eax, dword ptr [ebp-1C]
:004184DB
50
push eax
* Reference To: MFC42.Ordinal:039A, Ord:039Ah
|
:004184DC E8177E0000
Call 004202F8
* Possible StringData Ref from Data Obj
->".dat"
|
:004184E1 BED0214300
mov esi, 004321D0
:004184E6 C645FC01
mov [ebp-04], 01
:004184EA
56
push esi
:004184EB 50
push eax
:004184EC 8D45EC
lea eax, dword ptr [ebp-14]
:004184EF
50
push eax
* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:004184F0 E8097E0000
Call 004202FE
:004184F5 8D4DE4
lea ecx, dword ptr [ebp-1C]
:004184F8 C645FC04
mov [ebp-04], 04
*
Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004184FC E8517B0000 Call
00420052
:00418501 8D4DE0
lea ecx, dword ptr [ebp-20]
:00418504 C645FC03
mov [ebp-04], 03
* Reference
To: MFC42.Ordinal:0320, Ord:0320h
|
:00418508 E8457B0000 Call
00420052
:0041850D 8D4360
lea eax, dword ptr [ebx+60]
:00418510 50
push eax
:00418511
8D45DC lea eax,
dword ptr [ebp-24]
* Possible
StringData Ref from Data Obj ->"http://www.wjmshome.com/register/" 看到了嗎!要上網去校驗的啊!
|
:00418514 68AC214300
push 004321AC
:00418519 50
push eax
* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:0041851A E8F17D0000
Call 00420310
:0041851F 56
push esi
:00418520 50
push eax
:00418521 8D45E8
lea eax, dword ptr [ebp-18]
:00418524 C645FC05
mov [ebp-04], 05
:00418528 50
push eax
* Reference To: MFC42.Ordinal:039C,
Ord:039Ch
|
:00418529 E8D07D0000
Call 004202FE
:0041852E 8D4DDC
lea ecx, dword ptr [ebp-24]
:00418531 C645FC07
mov [ebp-04], 07
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418535 E8187B0000
Call 00420052
:0041853A 8BCF
mov ecx, edi
:0041853C E89D27FFFF
call 0040ACDE
:00418541 51
push ecx
:00418542 8D45EC
lea eax, dword ptr [ebp-14]
:00418545 8BCC
mov ecx, esp
:00418547 8965D8
mov dword ptr [ebp-28], esp
:0041854A 50
push eax
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0041854B E81E7D0000
Call 0042026E
:00418550 51
push ecx
:00418551 8D45E8
lea eax, dword ptr [ebp-18]
:00418554 8BCC
mov ecx, esp
:00418556 8965D4
mov dword ptr [ebp-2C], esp
:00418559 50
push eax
:0041855A
C645FC08 mov [ebp-04],
08
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0041855E E80B7D0000
Call 0042026E
:00418563 8BCF
mov ecx, edi
:00418565 C645FC07
mov [ebp-04], 07
:00418569
E8E025FFFF call 0040AB4E
:0041856E 33F6
xor esi, esi
:00418570 3BC6
cmp eax, esi
:00418572 7511
jne 00418585
:00418574 56
push esi
:00418575 56
push esi
* Possible StringData Ref from Data Obj ->"無法接入Internet註冊資料,請與開發商聯絡"
|
:00418576 6880214300
push 00432180
* Reference To: MFC42.Ordinal:04B0,
Ord:04B0h
|
:0041857B E8A87D0000
Call 00420328
:00418580 E93B010000
jmp 004186C0
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00418572(C)
|
:00418585 8D4DC4
lea ecx, dword ptr [ebp-3C]
* Reference To: MFC42.Ordinal:0162,
Ord:0162h
|
:00418588 E8417D0000
Call 004202CE
:0041858D 56
push esi
:0041858E 6800800000 push
00008000
:00418593 FF75EC
push [ebp-14]
:00418596 8D4DC4
lea ecx, dword ptr [ebp-3C]
:00418599 C645FC09
mov [ebp-04], 09
*
Reference To: MFC42.Ordinal:1442, Ord:1442h
|
:0041859D E81A7D0000 Call
004202BC
:004185A2 85C0
test eax, eax
:004185A4 7511
jne 004185B7
:004185A6 56
push esi
:004185A7
56
push esi
* Possible StringData Ref from Data Obj ->"無法讀取已經下載的Internet註冊資料"
|
:004185A8 685C214300
push 0043215C
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00418639(U), :00418693(U)
|
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004185AD E8767D0000
Call 00420328
:004185B2 E9FD000000
jmp 004186B4
看到了嗎!輸入註冊碼之後,不是在本地比較,而是在網上比較,那可怎麼辦啊!不如我們換一種思路:既然是在網上比較,那麼程式本身怎麼才能
知道結果是否正確呢?一定有標誌!再找找看!
註冊碼在網上比較,如果錯誤一定會有提示,所以在關鍵字串中找找有沒有關於註冊碼的提示!哈!!!!!!!
看到下面了嗎
==================================================================================
:0041867F E8CE790000 Call
00420052
:00418684 807DF300
cmp byte ptr [ebp-0D], 00---------->為0則跳,一定要跳
:00418688 740E
je 00418698
:0041868A 33F6
xor esi, esi
:0041868C 56
push esi
:0041868D 56
push esi
* Possible
StringData Ref from Data Obj ->"註冊碼輸入錯誤"
|
:0041868E 6828214300 push
00432128
:00418693 E915FFFFFF
jmp 004185AD
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00418688(C)
|
:00418698 807DC201
cmp byte ptr [ebp-3E], 01---------->如果返回的值是1就正確
:0041869C 754B
jne 004186E9----------------------->不相等則跳
:0041869E 6A40
push 00000040
* Possible StringData Ref from Data Obj ->"感謝您的註冊"
|
:004186A0 6818214300
push 00432118
* Possible StringData Ref from Data Obj ->"你已是*******的正式註冊使用者並可免費註冊以後的"
->"所有版本,
如果公開註冊碼將會被取消註冊使用者資?
->"?"
|
:004186A5
68B8204300 push 004320B8
==================================================================================
到這裡我們知道了我們找到的關鍵CALL該返回什麼,又知道了在哪裡返回---改啊!還等什麼啊!
爆破之後你會發現,軟體重啟之後就已經是註冊成功的狀態了,沒有重啟後的再次校驗,看來作者對他的註冊碼保護方式很有信心啊!
註冊名和註冊碼的變形值儲存在登錄檔裡:
小弟對密碼學不是很懂,但是軟體是一個用RSA為檔案加密的軟體,所以小弟猜這個變形是RSA的(沒有驗證啊).不過登錄檔鍵名 RegisterCodeSanLieZhi 裡的"SanLieZhi"像是"散列值"的拼音,而且儲存的數值正好是16位元組,更像是一個128位元的雜湊值而不是RSA密文.
註冊碼和使用者名稱沒有關係,但是儲存在JIM.DAT中的我們輸入的註冊碼,和儲存在登錄檔裡變形之後的數值是有關的啊!
HKEY_CURRENT_USER\Software\檔案密使\Register
RegisterName="powerboy"
RegisterCodeSanLieZhi=fc 01 c9 5b eb f6 14 68
5e b0 70 82 5b 77 4b 56
註冊碼儲存在JIM.DAT裡,看這個檔案的最下面,就是我們輸入的註冊碼.
到這裡應該清楚了:原來軟體在註冊成功之後,只是把JIM.DAT裡的註冊碼與登錄檔裡的註冊碼變形值進行比較.
所以註冊碼和使用者名稱無關;所謂註冊成功,就是把我們輸入的註冊碼變形後儲存在登錄檔裡.