Analysing an old program
JPEG Optimizer Version 3.15
cracker:essorg
tools:trw2000pll,language2k
level:0
Checked the packer with language2k: not compressed, written in VC++.
Go to the registration dialog, type any registration code, and the "Incorrect release code" box appears.
CTRL+N to enter TRW2000.
Use the hwnd command to look up the handle of that dialog's controls, then set bpmsg (hwnd) WM_COMMAND, X to return to the error dialog, click OK, and TRW breaks in.
The U command gives the following code:
017F:00429400 55 PUSH EBP
017F:00429401 8BEC MOV EBP,ESP
017F:00429403 81C4B4FEFFFF ADD ESP,FFFFFEB4
017F:00429409 53 PUSH EBX
017F:0042940A 56 PUSH ESI
017F:0042940B 57 PUSH EDI
017F:0042940C 8BD8 MOV EBX,EAX
017F:0042940E 8D75B8 LEA ESI,[EBP-48]
017F:00429411 B820244800 MOV EAX,00482420
017F:00429416 E8815A0400 CALL 0046EE9C
017F:0042941B 56 PUSH ESI
017F:0042941C 8D7D9C LEA EDI,[EBP-64] <---- destination for the shifted "registration OK" message
017F:0042941F BE48234800 MOV ESI,00482348 <---- raw (shifted) "registration OK" message
017F:00429424 B906000000 MOV ECX,06
017F:00429429 F3A5 REP MOVSD
017F:0042942B 66A5 MOVSW
017F:0042942D A4 MOVSB
017F:0042942E 5E POP ESI
017F:0042942F 8DBD7CFFFFFF LEA EDI,[EBP+FFFFFF7C] <---- destination for the shifted "incorrect registration" message
017F:00429435 56 PUSH ESI
017F:00429436 BE63234800 MOV ESI,00482363 <---- raw (shifted) "incorrect registration" message
017F:0042943B B907000000 MOV ECX,07
017F:00429440 BAB0254800 MOV EDX,004825B0
017F:00429445 F3A5 REP MOVSD
017F:00429447 A4 MOVSB
017F:00429448 5E POP ESI
... (omitted) ...
017F:004294FB 8D45EC LEA EAX,[EBP-14] <---- address of the entered registration code
017F:004294FE E87B320200 CALL 0044C77E <---- get the length of the entered code
017F:00429503 83F808 CMP EAX,BYTE +08 <---- is the entered code exactly 8 characters long?
017F:00429506 751B JNZ 00429523
017F:00429508 837DF800 CMP DWORD [EBP-08],BYTE +00
017F:0042950C 7405 JZ 00429513
017F:0042950E 8B55F8 MOV EDX,[EBP-08]
017F:00429511 EB05 JMP SHORT 00429518
017F:00429513 BAB3254800 MOV EDX,004825B3
017F:00429518 52 PUSH EDX
017F:00429519 E8A60B0000 CALL 0042A0C4 <---- verification core
017F:0042951E 59 POP ECX
017F:0042951F 84C0 TEST AL,AL <---- test the registration flag
017F:00429521 7504 JNZ 00429527
017F:00429523 33C0 XOR EAX,EAX
017F:00429525 EB05 JMP SHORT 0042952C
017F:00429527 B801000000 MOV EAX,01
017F:0042952C 50 PUSH EAX
017F:0042952D FF4E1C DEC DWORD [ESI+1C]
017F:00429530 8D45EC LEA EAX,[EBP-14]
017F:00429533 BA02000000 MOV EDX,02
017F:00429538 E8E72F0200 CALL 0044C524
017F:0042953D 59 POP ECX
017F:0042953E 84C9 TEST CL,CL
017F:00429540 0F8458010000 JZ NEAR 0042969E <---- jump to the registration-failed handler
... (omitted) ...
017F:0042962B 33C0 XOR EAX,EAX
017F:0042962D 56 PUSH ESI
017F:0042962E 8D7D9C LEA EDI,[EBP-64]
017F:00429631 83C9FF OR ECX,BYTE -01
017F:00429634 F2AE REPNE SCASB
017F:00429636 F7D1 NOT ECX
017F:00429638 2BF9 SUB EDI,ECX
017F:0042963A 8DB5B4FEFFFF LEA ESI,[EBP+FFFFFEB4]
017F:00429640 87F7 XCHG ESI,EDI
017F:00429642 8BD1 MOV EDX,ECX
017F:00429644 8BC7 MOV EAX,EDI
017F:00429646 C1E902 SHR ECX,02
017F:00429649 8D85B4FEFFFF LEA EAX,[EBP+FFFFFEB4]
017F:0042964F F3A5 REP MOVSD
017F:00429651 8BCA MOV ECX,EDX
017F:00429653 83E103 AND ECX,BYTE +03
017F:00429656 F3A4 REP MOVSB
017F:00429658 5E POP ESI
017F:00429659 50 PUSH EAX
017F:0042965A E891FDFFFF CALL 004293F0 <---- call the message-decoding routine
017F:0042965F 59 POP ECX
017F:00429660 8B15789C4800 MOV EDX,[00489C78]
017F:00429666 8B8200030000 MOV EAX,[EDX+0300]
017F:0042966C B201 MOV DL,01
017F:0042966E E801440300 CALL 0045DA74
017F:00429673 E88C8DFDFF CALL 00402404
017F:00429678 6A40 PUSH BYTE +40
017F:0042967A 8D95B4FEFFFF LEA EDX,[EBP+FFFFFEB4]
017F:00429680 8B0D04A44800 MOV ECX,[0048A404]
017F:00429686 A15CA54900 MOV EAX,[0049A55C]
017F:0042968B E87C100400 CALL 0046A70C
017F:00429690 A1789C4800 MOV EAX,[00489C78]
017F:00429695 8BD0 MOV EDX,EAX
017F:00429697 E83CB9FDFF CALL 00404FD8
017F:0042969C EB50 JMP SHORT 004296EE
017F:0042969E 33C0 XOR EAX,EAX
017F:004296A0 56 PUSH ESI
017F:004296A1 8DBD7CFFFFFF LEA EDI,[EBP+FFFFFF7C]
017F:004296A7 83C9FF OR ECX,BYTE -01
017F:004296AA F2AE REPNE SCASB
017F:004296AC F7D1 NOT ECX
017F:004296AE 2BF9 SUB EDI,ECX
017F:004296B0 8DB5B4FEFFFF LEA ESI,[EBP+FFFFFEB4]
017F:004296B6 87F7 XCHG ESI,EDI
017F:004296B8 8BD1 MOV EDX,ECX
017F:004296BA 8BC7 MOV EAX,EDI
017F:004296BC C1E902 SHR ECX,02
017F:004296BF 8D85B4FEFFFF LEA EAX,[EBP+FFFFFEB4]
017F:004296C5 F3A5 REP MOVSD
017F:004296C7 8BCA MOV ECX,EDX
017F:004296C9 83E103 AND ECX,BYTE +03
017F:004296CC F3A4 REP MOVSB
017F:004296CE 5E POP ESI
017F:004296CF 50 PUSH EAX
017F:004296D0 E81BFDFFFF CALL 004293F0 <---- call the message-decoding routine
017F:004296D5 59 POP ECX
017F:004296D6 6A30 PUSH BYTE +30
017F:004296D8 8D95B4FEFFFF LEA EDX,[EBP+FFFFFEB4]
Message-decoding routine:
Called from 004296D0 to decode the error message:
turns Jodpssfdu!Sfhjtusbujpo!Dpef into Incorrect Registration Code
Called from 0042965A to decode the thank-you message:
turns Uibol!zpv!gps!sfhjtufsjoh into Thank you for registering
004293F0 55 PUSH EBP \:BYCALL CallBy:0042965A,004296D0,
004293F1 8BEC MOV EBP,ESP
004293F3 8B45 08 MOV EAX,[EBP+8]
004293F6 FE08 DEC BYTE PTR [EAX] \:BYJMP JmpBy:004293FC,
004293F8 40 INC EAX
004293F9 8038 00 CMP BYTE PTR [EAX],0
004293FC 75 F8 JNZ SHORT 004293F6 \:JMPUP
004293FE 5D POP EBP
004293FF C3 RETN
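The decoding routine above, rendered in C as an added example (my reconstruction from the listing, not source from JPEG Optimizer): the loop decrements every byte of the NUL-terminated string in place, so the stored messages are nothing more than the ASCII text shifted up by one, and the same routine decodes both strings the write-up names. The function names and the 128-byte buffers are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the program's own source): a C rendering of the routine
   at 004293F0.  The listing walks the NUL-terminated string and decrements
   every byte in place (DEC BYTE PTR [EAX] / INC EAX / CMP BYTE PTR [EAX],0 /
   JNZ), i.e. the stored messages are a Caesar shift of +1 and decoding is -1. */
static void shift_decode_in_place(char *s)
{
    /* The listing is a do-while: it decrements the first byte before testing
       it, so an empty string would corrupt its own terminator.  The strings it
       is called on are never empty; this guard makes the C version safe. */
    if (*s == '\0')
        return;
    do {
        (*s)--;                /* DEC BYTE PTR [EAX] */
        s++;                   /* INC EAX */
    } while (*s != '\0');      /* CMP BYTE PTR [EAX],0 ; JNZ */
}

/* The inverse: what was done to the strings before they were stored.
   (A plaintext byte of 0xFF would wrap to 0x00 and truncate the string,
   which is why only printable ASCII is sensible here.) */
static void shift_encode_in_place(char *s)
{
    for (; *s != '\0'; s++)
        (*s)++;
}

/* Copies the obfuscated string into out and decodes the copy.
   Returns out, or NULL if the buffer is too small. */
const char *decode_copy(const char *obfuscated, char *out, size_t outlen)
{
    size_t n = strlen(obfuscated);
    if (n + 1 > outlen)
        return NULL;
    memcpy(out, obfuscated, n + 1);
    shift_decode_in_place(out);
    return out;
}

/* 1 if the obfuscated string decodes to expected, 0 otherwise. */
int decodes_to(const char *obfuscated, const char *expected)
{
    char buf[128];
    const char *dec = decode_copy(obfuscated, buf, sizeof buf);
    return dec != NULL && strcmp(dec, expected) == 0;
}

/* 1 if encode followed by decode gives plain back unchanged, 0 otherwise. */
int round_trips(const char *plain)
{
    char buf[128];
    if (strlen(plain) + 1 > sizeof buf)
        return 0;
    strcpy(buf, plain);
    shift_encode_in_place(buf);
    shift_decode_in_place(buf);
    return strcmp(buf, plain) == 0;
}

int main(void)
{
    /* The two shifted strings the write-up reports finding in the binary. */
    const char *samples[] = { "Jodpssfdu!Sfhjtusbujpo!Dpef",
                              "Uibol!zpv!gps!sfhjtufsjoh" };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %s\n", samples[i],
               decode_copy(samples[i], buf, sizeof buf));
    return 0;
}
```

Seen from the defender's side, this is why a one-byte shift hides nothing: the stored text keeps its length, its word boundaries (every space becomes "!") and its letter frequencies, so it stands out in a plain strings dump, and the routine that undoes it sits right next to the code that uses the result.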
Comparison core:
017F:0042A0C4 55 PUSH EBP
017F:0042A0C5 8BEC MOV EBP,ESP
017F:0042A0C7 83C4F4 ADD ESP,BYTE -0C
017F:0042A0CA 53 PUSH EBX
017F:0042A0CB 8B4508 MOV EAX,[EBP+08]
017F:0042A0CE 8D5DF4 LEA EBX,[EBP-0C]
017F:0042A0D1 8A10 MOV DL,[EAX]
017F:0042A0D3 8813 MOV [EBX],DL
017F:0042A0D5 8A4801 MOV CL,[EAX+01]
017F:0042A0D8 884B01 MOV [EBX+01],CL
017F:0042A0DB 8A5002 MOV DL,[EAX+02]
017F:0042A0DE 885302 MOV [EBX+02],DL
017F:0042A0E1 8A4803 MOV CL,[EAX+03]
017F:0042A0E4 884B03 MOV [EBX+03],CL
017F:0042A0E7 8A5004 MOV DL,[EAX+04]
017F:0042A0EA 885304 MOV [EBX+04],DL
017F:0042A0ED 8A4805 MOV CL,[EAX+05]
017F:0042A0F0 884B05 MOV [EBX+05],CL
017F:0042A0F3 8A5006 MOV DL,[EAX+06]
017F:0042A0F6 885306 MOV [EBX+06],DL
017F:0042A0F9 8A4807 MOV CL,[EAX+07]
017F:0042A0FC 884B07 MOV [EBX+07],CL
017F:0042A0FF 8A4008 MOV AL,[EAX+08]
017F:0042A102 884308 MOV [EBX+08],AL
017F:0042A105 C6430900 MOV BYTE [EBX+09],00
017F:0042A109 0FBE03 MOVSX EAX,BYTE [EBX]
017F:0042A10C 50 PUSH EAX
017F:0042A10D E8228C0400 CALL 00472D34 <---- converts lowercase to uppercase
017F:0042A112 59 POP ECX
017F:0042A113 83F84A CMP EAX,BYTE +4A 〈----J
017F:0042A116 7559 JNZ 0042A171
017F:0042A118 0FBE5301 MOVSX EDX,BYTE [EBX+01]
017F:0042A11C 52 PUSH EDX
017F:0042A11D E8128C0400 CALL 00472D34
017F:0042A122 59 POP ECX
017F:0042A123 83F853 CMP EAX,BYTE +53 〈----S
017F:0042A126 7549 JNZ 0042A171
017F:0042A128 0FBE4B02 MOVSX ECX,BYTE [EBX+02]
017F:0042A12C 83F924 CMP ECX,BYTE +24 〈----$
017F:0042A12F 7540 JNZ 0042A171
017F:0042A131 0FBE4303 MOVSX EAX,BYTE [EBX+03]
017F:0042A135 83F832 CMP EAX,BYTE +32 〈----2
017F:0042A138 7537 JNZ 0042A171
017F:0042A13A 0FBE5304 MOVSX EDX,BYTE [EBX+04]
017F:0042A13E 83FA38 CMP EDX,BYTE +38 〈----8
017F:0042A141 752E JNZ 0042A171
017F:0042A143 0FBE4B05 MOVSX ECX,BYTE [EBX+05]
017F:0042A147 83F939 CMP ECX,BYTE +39 〈----9
017F:0042A14A 7525 JNZ 0042A171
017F:0042A14C 0FBE4306 MOVSX EAX,BYTE [EBX+06]
017F:0042A150 83F832 CMP EAX,BYTE +32 〈----2
017F:0042A153 751C JNZ 0042A171
017F:0042A155 0FBE5307 MOVSX EDX,BYTE [EBX+07]
017F:0042A159 83FA31 CMP EDX,BYTE +31 〈----1
017F:0042A15C 7513 JNZ 0042A171
017F:0042A15E C70508A448001443+MOV DWORD [0048A408],69FC4314
017F:0042A168 E8B7A7FDFF CALL 00404924
017F:0042A16D B001 MOV AL,01
017F:0042A16F EB1B JMP SHORT 0042A18C
017F:0042A171 53 PUSH EBX
017F:0042A172 E8D1280000 CALL 0042CA48
017F:0042A177 59 POP ECX
017F:0042A178 84C0 TEST AL,AL
017F:0042A17A 7404 JZ 0042A180
017F:0042A17C B001 MOV AL,01
017F:0042A17E EB0C JMP SHORT 0042A18C
017F:0042A180 C70508A44800EBBC+MOV DWORD [0048A408],9603BCEB
017F:0042A18A 33C0 XOR EAX,EAX
017F:0042A18C 5B POP EBX
017F:0042A18D 8BE5 MOV ESP,EBP
017F:0042A18F 5D POP EBP
017F:0042A190 C3 RETN
Summary:
Breaking in on the error dialog's control handle led straight to the comparison core. The program is sly: it stores its messages shifted and decodes them at run time, quite a lot of effort, but the final comparison is so simple that no amount of convoluted address lookups can help it.
Registration code: JS$28921 or js$28921