Software : 家庭銀行家 v2b53
家庭理財軟體
無法使用 KeyMake 做記憶體補丁, 抵禦 OllyDbg 除錯(RtlRaiseException、ZwQueryInformationProcess)
http://www.homebanker.net/
Tools : pe-scan, W32Dasm, WinHex, OllyDbg, Win2000
Cracker : lq7972 [bruceyu13@sina.com]
蠻久冒做 PJ 了,今天溫習了一下~
用 pe-scan 可以脫殼,用 W32Dasm 反彙編,
【1.】 用 RET 大法輕鬆實現註冊
查詢軟體在程式主視窗標題欄中的"(未註冊版本,請註冊,剩餘天數:45)"
:00746CDD 8B8000030000 mov eax, dword ptr [eax+00000300]
:00746CE3 E8B4D0F4FF call 00693D9C; 跟進
:00746CE8 84C0 test al, al; 這裡是註冊標識
:00746CEA 0F84B0000000 je 00746DA0; al = 0?
:00746CF0 8D55E8 lea edx, dword ptr [ebp-18]
:00746CF3 A1F4FD7500 mov eax, dword ptr [0075FDF4]
:00746CF8 E8BF45CFFF call 0043B2BC
:00746CFD FF75E8 push [ebp-18]
* Possible StringData Ref from Data Obj ->"(註冊使用者: "
; ......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00746CEA(C)
|
:00746DA0 8D55E0 lea edx, dword ptr [ebp-20]
:00746DA3 A1F4FD7500 mov eax, dword ptr [0075FDF4]
:00746DA8 E80F45CFFF call 0043B2BC
:00746DAD FF75E0 push [ebp-20]
* Possible StringData Ref from Data Obj ->"(未註冊版本,請註冊,剩餘天數:"
; ......
; ===========================================================================
; 跟進
; ret 修改大法
:00693D9C 55 push ebp; 在這裡改 "55" 為 "C3"
:00693D9D 8BEC mov ebp, esp
:00693D9F E848010000 call 00693EEC
:00693DA4 5D pop ebp
:00693DA5 C3 ret
; 用 W32Dasm 有時不大靈光,用 WinHex 吧
; W32Dasm 中,把在游標定在 00693D9C 行,狀態列中內容如下:
Line:1362831 Pg 27257 of 35256 Code Data @:00693D9C @Offset 00293D9Ch ...
; WinHex 開啟主程式檔案, Alt+G, 輸入 "293D9C", 改 "55" 為 "C3"
; 儲存,ok
【2.】 尋找註冊演算法寫序號產生器
; ......
:00736129 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:0073612F E88851D0FF call 0043B2BC
:00736134 8B55F8 mov edx, dword ptr [ebp-08]; 使用者名稱 name
:00736137 33C9 xor ecx, ecx
:00736139 8B8300030000 mov eax, dword ptr [ebx+00000300]
:0073613F E874DFF5FF call 006940B8; 計算註冊碼,跟進
:00736144 84C0 test al, al
:00736146 751A jne 00736162
:00736148 6A10 push 00000010
; ...
* Possible StringData Ref from Data Obj ->"註冊失敗,請檢查您的註冊碼是否輸入正確。"
|
:0073614F BAC4617300 mov edx, 007361C4
; ...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00736146(C)
|
:00736162 8B8300030000 mov eax, dword ptr [ebx+00000300]
:00736168 E82FDCF5FF call 00693D9C
:0073616D 84C0 test al, al
:0073616F 741F je 00736190
:00736171 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"家庭銀行家"
|
:00736173 B9B8617300 mov ecx, 007361B8
* Possible StringData Ref from Data Obj ->"註冊成功,謝謝。請退出程式後重新進入。"
; ...
:00736190 33C0 xor eax, eax
; ...
; ==============================================================================
; 0073613F 計算註冊碼
; ...
:006940F5 8B45FC mov eax, dword ptr [ebp-04]; 使用者名稱
:006940F8 E85F02D7FF call 0040435C; 使用者名稱長度 name_len
:006940FD 3B433C cmp eax, dword ptr [ebx+3C]; name_len > 0x19? Yes, jump
:00694100 7F19 jg 0069411B
:00694102 8B45FC mov eax, dword ptr [ebp-04]
:00694105 E85202D7FF call 0040435C
:0069410A 3B4340 cmp eax, dword ptr [ebx+40]; name_len < 3? Yes, jump
:0069410D 7C0C jl 0069411B
; ...
:0069411B 33DB xor ebx, ebx
:0069411D EB60 jmp 0069417F
; ...
:0069417F 33C0 xor eax, eax
; ????????????????????????????????????
; so, name_len >= 3 && name_len <= 0x19 (與上方 jg/jl 及 jge 的判斷一致)
:0069413D E866FCFFFF call 00693DA8; 關鍵,跟進
:00694142 8B45F0 mov eax, dword ptr [ebp-10]; 真註冊碼
:00694145 8B5508 mov edx, dword ptr [ebp+08]; 假註冊碼
; ==============================================================================
; 0069413D 計算註冊碼
; ...
:00693DD6 8B45FC mov eax, dword ptr [ebp-04]; 使用者名稱
:00693DD9 E87E05D7FF call 0040435C; 使用者名稱長度 name_len
:00693DDE 3B463C cmp eax, dword ptr [esi+3C]; name_len > 0x19?
:00693DE1 7F0D jg 00693DF0
:00693DE3 8B45FC mov eax, dword ptr [ebp-04]
:00693DE6 E87105D7FF call 0040435C
:00693DEB 3B4640 cmp eax, dword ptr [esi+40]; name_len >= 3?
:00693DEE 7D0C jge 00693DFC; Yes, jump
; ...
:00693DFC 8B45FC mov eax, dword ptr [ebp-04]
:00693DFF E85805D7FF call 0040435C
:00693E04 8BD8 mov ebx, eax; 使用者名稱長度,計數器
:00693E06 EB31 jmp 00693E39
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E4A(C)
|
:00693E08 8B45FC mov eax, dword ptr [ebp-04]; 使用者名稱 name
:00693E0B 8A4418FF mov al, byte ptr [eax+ebx-01]; 從最後一位起 name[len-i]
:00693E0F 25FF000000 and eax, 000000FF
:00693E14 33D2 xor edx, edx
:00693E16 52 push edx
:00693E17 50 push eax
:00693E18 8B4658 mov eax, dword ptr [esi+58]; 0xC7BC0D36
:00693E1B 8B565C mov edx, dword ptr [esi+5C]; 0x0000025C
:00693E1E E8763BD7FF call 00407999; 關鍵,跟進,根據 name[len-i] 計算得到 temp00
:00693E23 52 push edx
:00693E24 50 push eax
:00693E25 8D45E4 lea eax, dword ptr [ebp-1C]
:00693E28 E81F67D7FF call 0040A54C; temp00 轉為十進位制數字 temp01
:00693E2D 8B55E4 mov edx, dword ptr [ebp-1C]
:00693E30 8D45F4 lea eax, dword ptr [ebp-0C]
:00693E33 E82C05D7FF call 00404364
:00693E38 4B dec ebx; 計數器遞減
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E06(U)
|
:00693E39 8B45FC mov eax, dword ptr [ebp-04]
:00693E3C E81B05D7FF call 0040435C
:00693E41 83E806 sub eax, 00000006
:00693E44 3BD8 cmp ebx, eax
:00693E46 7C04 jl 00693E4C
:00693E48 85DB test ebx, ebx
:00693E4A 7FBC jg 00693E08; 迴圈↑
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E46(C)
|
:00693E4C 8D55F8 lea edx, dword ptr [ebp-08]
:00693E4F 8B45F4 mov eax, dword ptr [ebp-0C]; 得到中間值 temp01,千萬別當它是註冊碼
:00693E52 E8F925D7FF call 00406450; 關鍵,跟進,利用 temp01 計算註冊碼 reg_code
:00693E57 8945E8 mov dword ptr [ebp-18], eax; 註冊碼後8位
:00693E5A 8955EC mov dword ptr [ebp-14], edx; 註冊碼前4位
; ...
:00693E7F E83867D7FF call 0040A5BC; 連線
:00693E84 8B07 mov eax, dword ptr [edi]; 得到真的註冊碼 reg_code