家庭銀行家 v2b53 破解、跟蹤和序號產生器(MASM32)

看雪資料發表於2004-06-02

Software : 家庭銀行家 v2b53
           家庭理財軟體
           無法使用 KeyMake 做記憶體補丁, 抵制 OllyDbg 除錯(RtlRaiseException、ZwQueryInformationProcess)
           http://www.homebanker.net/
Tools : pe-scan, W32Dasm, WinHex, OllyDbg, Win2000
Cracker : lq7972 [bruceyu13@sina.com]
蠻久沒做 PJ 了,今天溫習了一下~

用 pe-scan 可以脫殼,用 W32Dasm 反彙編。

【1.】 用 RET 大法輕鬆實現註冊
查詢軟體在程式主視窗標題欄中的"(未註冊版本,請註冊,剩餘天數:45)"

:00746CDD 8B8000030000            mov eaxdword ptr [eax+00000300]
:00746CE3 E8B4D0F4FF              call 00693D9C; 跟進
:00746CE8 84C0                    test alal; 這裡是註冊標識
:00746CEA 0F84B0000000            je 00746DA0; al = 0?
:00746CF0 8D55E8                  lea edxdword ptr [ebp-18]
:00746CF3 A1F4FD7500              mov eaxdword ptr [0075FDF4]
:00746CF8 E8BF45CFFF              call 0043B2BC
:00746CFD FF75E8                  push [ebp-18]

* Possible StringData Ref from Data Obj ->"(註冊使用者: "
;  ......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00746CEA(C)
|
:00746DA0 8D55E0                  lea edxdword ptr [ebp-20]
:00746DA3 A1F4FD7500              mov eaxdword ptr [0075FDF4]
:00746DA8 E80F45CFFF              call 0043B2BC
:00746DAD FF75E0                  push [ebp-20]

* Possible StringData Ref from Data Obj ->"(未註冊版本,請註冊,剩餘天數:"
; ......
; ===========================================================================
; 跟進
ret 修改大法

:00693D9C 55                      push ebp; 在這裡改 "55" 為 "C3"
:00693D9D 8BEC                    mov ebpesp
:00693D9F E848010000              call 00693EEC
:00693DA4 5D                      pop ebp
:00693DA5 C3                      ret
; 用W32Dasm 有時不大靈光,用 WinHex 吧
; W32Dasm 中,把在游標定在 00693D9C 行,狀態列中內容如下:
Line:1362831 Pg 27257 of 35256 Code Data @:00693D9C @Offset 00293D9Ch ...
; WinHex 開啟主程式檔案, Alt+G, 輸入 "293D9C", 改 "55" 為 "C3"
; 儲存,ok


【2.】 尋找註冊演算法寫序號產生器
; ......
:00736129 8B83F0020000            mov eaxdword ptr [ebx+000002F0]
:0073612F E88851D0FF              call 0043B2BC
:00736134 8B55F8                  mov edxdword ptr [ebp-08]; 使用者名稱 name
:00736137 33C9                    xor ecxecx
:00736139 8B8300030000            mov eaxdword ptr [ebx+00000300]
:0073613F E874DFF5FF              call 006940B8; 計算註冊碼,跟進
:00736144 84C0                    test alal
:00736146 751A                    jne 00736162
:00736148 6A10                    push 00000010
; ...
* Possible StringData Ref from Data Obj ->"註冊失敗,請檢查您的註冊碼是否輸入正確。"
                                  |
:0073614F BAC4617300              mov edx, 007361C4
; ...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00736146(C)
|
:00736162 8B8300030000            mov eaxdword ptr [ebx+00000300]
:00736168 E82FDCF5FF              call 00693D9C
:0073616D 84C0                    test alal
:0073616F 741F                    je 00736190
:00736171 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"家庭銀行家"
                                  |
:00736173 B9B8617300              mov ecx, 007361B8

* Possible StringData Ref from Data Obj ->"註冊成功,謝謝。請退出程式後重新進入。"
; ...
:00736190 33C0                    xor eaxeax
; ...

; ==============================================================================
; 0073613F 計算註冊碼
; ...
:006940F5 8B45FC                  mov eaxdword ptr [ebp-04]; 使用者名稱
:006940F8 E85F02D7FF              call 0040435C; 使用者名稱長度 name_len
:006940FD 3B433C                  cmp eaxdword ptr [ebx+3C]; name_len > 0x19? Yes, jump
:00694100 7F19                    jg 0069411B
:00694102 8B45FC                  mov eaxdword ptr [ebp-04]
:00694105 E85202D7FF              call 0040435C
:0069410A 3B4340                  cmp eaxdword ptr [ebx+40]; name_len < 3? Yes, jump
:0069410D 7C0C                    jl 0069411B
; ...
:0069411B 33DB                    xor ebxebx
:0069411D EB60                    jmp 0069417F
; ...
:0069417F 33C0                    xor eaxeax
; ????????????????????????????????????
; so, name_len > 3 && name_len < 0x19

:0069413D E866FCFFFF              call 00693DA8; 關鍵,跟進
:00694142 8B45F0                  mov eaxdword ptr [ebp-10]; 真註冊碼
:00694145 8B5508                  mov edxdword ptr [ebp+08]; 假註冊碼

; ==============================================================================
; 0069413D 計算註冊碼
; ...
:00693DD6 8B45FC                  mov eaxdword ptr [ebp-04]; 使用者名稱
:00693DD9 E87E05D7FF              call 0040435C; 使用者名稱長度 name_len
:00693DDE 3B463C                  cmp eaxdword ptr [esi+3C]; name_len > 0x19?
:00693DE1 7F0D                    jg 00693DF0
:00693DE3 8B45FC                  mov eaxdword ptr [ebp-04]
:00693DE6 E87105D7FF              call 0040435C
:00693DEB 3B4640                  cmp eaxdword ptr [esi+40]; name_len >= 3?
:00693DEE 7D0C                    jge 00693DFC; Yes, jump
; ...
:00693DFC 8B45FC                  mov eaxdword ptr [ebp-04]
:00693DFF E85805D7FF              call 0040435C
:00693E04 8BD8                    mov ebxeax; 使用者名稱長度,計數器
:00693E06 EB31                    jmp 00693E39

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E4A(C)
|
:00693E08 8B45FC                  mov eaxdword ptr [ebp-04]; 使用者名稱 name
:00693E0B 8A4418FF                mov albyte ptr [eax+ebx-01]; 從最後一位起 name[len-i]
:00693E0F 25FF000000              and eax, 000000FF
:00693E14 33D2                    xor edxedx
:00693E16 52                      push edx
:00693E17 50                      push eax
:00693E18 8B4658                  mov eaxdword ptr [esi+58]; 0xC7BC0D36
:00693E1B 8B565C                  mov edxdword ptr [esi+5C]; 0x0000025C
:00693E1E E8763BD7FF              call 00407999; 關鍵,跟進,根據 name[len-i] 計算得到 temp00
:00693E23 52                      push edx
:00693E24 50                      push eax
:00693E25 8D45E4                  lea eaxdword ptr [ebp-1C]
:00693E28 E81F67D7FF              call 0040A54C; temp00 轉為十進位制數字 temp01
:00693E2D 8B55E4                  mov edxdword ptr [ebp-1C]
:00693E30 8D45F4                  lea eaxdword ptr [ebp-0C]
:00693E33 E82C05D7FF              call 00404364
:00693E38 4B                      dec ebx; 計數器遞減

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E06(U)
|
:00693E39 8B45FC                  mov eaxdword ptr [ebp-04]
:00693E3C E81B05D7FF              call 0040435C
:00693E41 83E806                  sub eax, 00000006
:00693E44 3BD8                    cmp ebxeax
:00693E46 7C04                    jl 00693E4C
:00693E48 85DB                    test ebxebx
:00693E4A 7FBC                    jg 00693E08; 迴圈↑

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E46(C)
|
:00693E4C 8D55F8                  lea edxdword ptr [ebp-08]
:00693E4F 8B45F4                  mov eaxdword ptr [ebp-0C]; 得到中間值 temp01,千萬別當它是註冊碼
:00693E52 E8F925D7FF              call 00406450; 關鍵,跟進,利用 temp01 計算註冊碼 reg_code
:00693E57 8945E8                  mov dword ptr [ebp-18], eax; 註冊碼後8位
:00693E5A 8955EC                  mov dword ptr [ebp-14], edx; 註冊碼前4位
; ...
:00693E7F E83867D7FF              call 0040A5BC; 連線
:00693E84 8B07                    mov eaxdword ptr [edi]; 得到真的註冊碼 reg_code
