[Original] Analyzing shareware with the packer still on (9K chars)
Software: Advanced Email Parser 1.22
Download: http://www.mailutilities.com/
Protection: ASProtect + MD5
Author: lordor
Tools: OllyDBG + a stealth (anti-anti-debug) plugin.
Load the packed program in OllyDbg and, using the usual method, arrive here:
00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ASCII "Registration"
00463E4D PUSH aep.00546B54 ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ASCII "Registration"
00463E6A PUSH aep.00546B30 ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP ===> set a breakpoint here, look at where it is called from, and you arrive at the code below
00463E7F RETN
00473250 PUSH ESI
00473251 MOV ESI,ECX
00473253 CALL aep.00463DC0 ==> pops up the input box; F7 to step into it
00473258 CALL aep.00463B30
0047325D TEST EAX,EAX
0047325F JE SHORT aep.00473287
00473261 CALL aep.00412840
00473266 TEST EAX,EAX
00473268 JNZ SHORT aep.00473272
0047326A PUSH 1
0047326C CALL DWORD PTR DS:[5373B0] kernel32.ExitProcess
00473272 JMP aep.00473287
00473277 JA SHORT aep.0047328B
00473279 ??? Unknown command
0047327A ADC EAX,384B7548
0047327F JL SHORT aep.004732A7
00473281 SBB DWORD PTR SS:[ESP+EDX*2+5E0A9CE7],ED>
--------------------------------------
Inside the call above:
00463DC0 PUSH EBP
00463DC1 MOV EBP,ESP
00463DC3 AND ESP,FFFFFFF8
00463DC6 SUB ESP,100
00463DCC PUSH ESI
00463DCD PUSH EDI
00463DCE XOR EAX,EAX
00463DD0 MOV BYTE PTR SS:[ESP+8],0
00463DD5 MOV ECX,3F
00463DDA LEA EDI,DWORD PTR SS:[ESP+9]
00463DDE REP STOS DWORD PTR ES:[EDI]
00463DE0 STOS WORD PTR ES:[EDI]
00463DE2 STOS BYTE PTR ES:[EDI]
00463DE3 MOV EDI,DWORD PTR DS:[537780] user32.GetFocus
00463DE9 PUSH 100
00463DEE LEA EAX,DWORD PTR SS:[ESP+C]
00463DF2 PUSH EAX
00463DF3 PUSH aep.00546B84 ASCII "Enter registration code:"
00463DF8 PUSH aep.00546B74 ASCII "Registration"
00463DFD XOR ESI,ESI
00463DFF CALL EDI
00463E01 PUSH EAX
00463E02 CALL aep.00463CF0 ==> the input box pops up here
00463E07 ADD ESP,14
00463E0A CMP EAX,1
00463E0D JNZ SHORT aep.00463E78 ==> was anything entered?
00463E0F LEA ECX,DWORD PTR SS:[ESP+8] ==> address of the entered registration code into ECX
00463E13 PUSH ECX
00463E14 CALL aep.00463930 ==> key call, F7 to step into it
00463E19 MOV ESI,EAX
00463E1B ADD ESP,4
00463E1E TEST ESI,ESI
00463E20 JE SHORT aep.00463E63 ==> key jump, must not be taken
00463E22 LEA EDX,DWORD PTR SS:[ESP+8]
00463E26 PUSH EDX
00463E27 CALL aep.004056D0 ==> key call, F7 to step into it
00463E2C ADD ESP,4
00463E2F TEST EAX,EAX
00463E31 JNZ SHORT aep.00463E39 ==> for success this jump must be taken
00463E33 POP EDI
00463E34 POP ESI
00463E35 MOV ESP,EBP
00463E37 POP EBP
00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ASCII "Registration"
00463E4D PUSH aep.00546B54 ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ASCII "Registration"
00463E6A PUSH aep.00546B30 ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP
00463E7F RETN
00463E80 PUSH ESI
00463E81 MOV ESI,ECX
00463E83 MOV EAX,DWORD PTR DS:[ESI+4]
00463E86 TEST EAX,EAX
00463E88 MOV DWORD PTR DS:[ESI],aep.00546BA0
00463E8E JE SHORT aep.00463E97
00463E90 PUSH EAX
00463E91 CALL DWORD PTR DS:[537430]
-----------------------------------------------------------------
Inside the first key CALL aep.00463930 from above; note that the return value in EAX must not be 0:
00463930 SUB ESP,68
00463933 PUSH EBX
00463934 PUSH ESI
00463935 LEA EAX,DWORD PTR SS:[ESP+18] ===> MD5 context (initial state)
00463939 PUSH EDI
0046393A PUSH EAX
0046393B CALL aep.00462D30
00463940 MOV ESI,DWORD PTR SS:[ESP+7C] ==> the entered registration code
00463944 MOV EAX,ESI
00463946 ADD ESP,4
00463949 LEA EDX,DWORD PTR DS:[EAX+1]
0046394C LEA ESP,DWORD PTR SS:[ESP]
00463950 MOV CL,BYTE PTR DS:[EAX]
00463952 INC EAX
00463953 TEST CL,CL
00463955 JNZ SHORT aep.00463950
00463957 SUB EAX,EDX
00463959 PUSH EAX
0046395A LEA ECX,DWORD PTR SS:[ESP+20]
0046395E PUSH ESI ==> registration code
0046395F PUSH ECX ==> MD5 context
00463960 CALL aep.00463640 ==> compute MD5 over the code
00463965 LEA EDX,DWORD PTR SS:[ESP+28]
00463969 PUSH EDX
0046396A LEA EAX,DWORD PTR SS:[ESP+1C]
0046396E PUSH EAX
0046396F CALL aep.00463700 ==> produce the MD5 digest: for 654321 it is C33367701511B4F6020EC61DED352059
00463974 MOV EDI,DWORD PTR DS:[537520] SHLWAPI.StrCmpNIA
0046397A ADD ESP,14
0046397D PUSH 0B
0046397F PUSH aep.00546AE0 ASCII "AEP-D9MK316"
00463984 PUSH ESI ==> registration code
00463985 MOV EBX,1
0046398A CALL EDI ==> compare whether they are equal (StrCmpNIA: first 0B = 11 characters, case-insensitive)
0046398C TEST EAX,EAX
0046398E JNZ SHORT aep.004639AA
00463990 LEA ECX,DWORD PTR SS:[ESP+C]
00463994 PUSH ECX
00463995 MOV EBX,3
0046399A PUSH EBX
0046399B CALL aep.004638C0 ==> key call
004639A0 ADD ESP,8
004639A3 POP EDI
004639A4 POP ESI
004639A5 POP EBX
004639A6 ADD ESP,68
004639A9 RETN
004639AA PUSH 0B
004639AC PUSH aep.00546AD4 ASCII "AEP-D9MK3PE"
004639B1 PUSH ESI
004639B2 CALL EDI
004639B4 TEST EAX,EAX
004639B6 JNZ SHORT aep.004639D2
004639B8 LEA ECX,DWORD PTR SS:[ESP+C]
004639BC PUSH ECX
004639BD MOV EBX,1
004639C2 PUSH EBX
004639C3 CALL aep.004638C0
004639C8 ADD ESP,8
004639CB POP EDI
004639CC POP ESI
004639CD POP EBX
004639CE ADD ESP,68
004639D1 RETN
004639D2 PUSH 0B
004639D4 PUSH aep.00546AC8 ASCII "AEP-D9MK3PR"
004639D9 PUSH ESI
004639DA CALL EDI
004639DC TEST EAX,EAX
004639DE JNZ SHORT aep.004639FA
004639E0 LEA ECX,DWORD PTR SS:[ESP+C]
004639E4 PUSH ECX
004639E5 MOV EBX,2
004639EA PUSH EBX
004639EB CALL aep.004638C0
004639F0 ADD ESP,8
004639F3 POP EDI
004639F4 POP ESI
004639F5 POP EBX
004639F6 ADD ESP,68
004639F9 RETN
004639FA PUSH 0B
004639FC PUSH aep.00546ABC ASCII "AEP-RU56STE"
00463A01 PUSH ESI
00463A02 CALL EDI
00463A04 TEST EAX,EAX
00463A06 JNZ SHORT aep.00463A1F
00463A08 LEA ECX,DWORD PTR SS:[ESP+C]
00463A0C PUSH ECX
00463A0D XOR EBX,EBX
00463A0F PUSH EBX
00463A10 CALL aep.004638C0
00463A15 ADD ESP,8
00463A18 POP EDI
00463A19 POP ESI
00463A1A POP EBX
00463A1B ADD ESP,68
00463A1E RETN
00463A1F PUSH 0B
00463A21 PUSH aep.00546AB0 ASCII "AEP-D9MK3LT"
00463A26 PUSH ESI
00463A27 CALL EDI
00463A29 TEST EAX,EAX
00463A2B JNZ SHORT aep.00463A32
00463A2D MOV EBX,4
00463A32 LEA ECX,DWORD PTR SS:[ESP+C]
00463A36 PUSH ECX
00463A37 PUSH EBX
00463A38 CALL aep.004638C0
00463A3D ADD ESP,8
00463A40 POP EDI
00463A41 POP ESI
00463A42 POP EBX
00463A43 ADD ESP,68
00463A46 RETN
Stepping into the CALL aep.004638C0 above:
004638C0 SUB ESP,8
004638C3 MOV ECX,DWORD PTR SS:[ESP+C]
004638C7 LEA EAX,DWORD PTR SS:[ESP]
004638CA PUSH EAX
004638CB PUSH ECX
004638CC CALL aep.00463810
004638D1 ADD ESP,8
004638D4 TEST EAX,EAX
004638D6 MOV DWORD PTR SS:[ESP+4],EAX
004638DA JNZ SHORT aep.004638E0 ==> this jump must be taken; patch point 1
004638DC ADD ESP,8
004638DF RETN
004638E0 PUSH EBX
004638E1 PUSH EBP
004638E2 MOV EBP,DWORD PTR SS:[ESP+8]
004638E6 XOR EBX,EBX
004638E8 TEST EBP,EBP
004638EA JLE SHORT aep.0046390F
004638EC PUSH ESI
004638ED MOV EDX,EAX
004638EF PUSH EDI
004638F0 MOV ESI,DWORD PTR SS:[ESP+20]
004638F4 MOV ECX,4
004638F9 MOV EDI,EDX
004638FB XOR EAX,EAX
004638FD REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
004638FF JE SHORT aep.00463909
00463901 INC EBX
00463902 ADD EDX,10
00463905 CMP EBX,EBP ==> here the digest is compared against the 2000 preset registration-code MD5s
00463907 JL SHORT aep.004638F0
00463909 MOV EAX,DWORD PTR SS:[ESP+14]
0046390D POP EDI
0046390E POP ESI
0046390F PUSH EAX
00463910 CALL aep.0048024E
00463915 ADD ESP,4
00463918 CMP EBX,EBP ==> have all 2000 entries been scanned without a match?
0046391A JNZ SHORT aep.00463924 ==> this jump must be taken; patch point
0046391C POP EBP
0046391D XOR EAX,EAX
0046391F POP EBX
00463920 ADD ESP,8
00463923 RETN
00463924 POP EBP
00463925 LEA EAX,DWORD PTR DS:[EBX+1]
00463928 POP EBX
00463929 ADD ESP,8
0046392C RETN
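To make the control flow of aep.00463930 and aep.004638C0 easier to follow, here is a Python model of the check as read from the two listings above (an added example, not the program's own code): the 11-character case-insensitive prefix compare selects a table index (EBX), MD5 of the whole entered string is then scanned against that table 16 bytes per entry, and the routine returns index+1 on a hit or 0 otherwise. The hash tables are constructed placeholders, since the real 2000 digests are not in the post; the default index 1 for an unknown prefix follows from EBX being preloaded with 1 before the first StrCmpNIA.

```python
import hashlib

# Prefix -> table index, as set in EBX at 00463985..00463A2D.
PREFIX_TABLE = {
    "AEP-D9MK316": 3,
    "AEP-D9MK3PE": 1,
    "AEP-D9MK3PR": 2,
    "AEP-RU56STE": 0,
    "AEP-D9MK3LT": 4,
}
DEFAULT_TABLE = 1  # EBX stays 1 when none of the five prefixes matches

# Constructed placeholder tables (the post does not contain the real hashes):
# each entry is a raw 16-byte MD5, matching the 4-DWORD REPE CMPS in 004638C0.
_SAMPLE_CODES = {
    3: ["AEP-D9MK316-SAMPLE1", "AEP-D9MK316-SAMPLE2"],
    1: ["AEP-D9MK3PE-SAMPLE1"],
}
TABLES = {idx: [hashlib.md5(c.encode("ascii")).digest() for c in codes]
          for idx, codes in _SAMPLE_CODES.items()}


def md5_hex(s: str) -> str:
    """Hex digest as aep.00463700 prints it (upper-case in the post)."""
    return hashlib.md5(s.encode("ascii")).hexdigest().upper()


def select_table(code: str) -> int:
    """Models the StrCmpNIA chain: 0x0B = 11 chars, case-insensitive."""
    return PREFIX_TABLE.get(code[:11].upper(), DEFAULT_TABLE)


def lookup_digest(table: list, digest: bytes) -> int:
    """Models 004638C0: linear scan of 16-byte entries, index+1 or 0."""
    for i, entry in enumerate(table):
        if entry == digest:
            return i + 1
    return 0


def check_code(code: str, tables: dict = TABLES) -> int:
    """Models 00463930: 0 means 'The code you've entered is invalid!'."""
    digest = hashlib.md5(code.encode("ascii")).digest()
    table = tables.get(select_table(code))
    if not table:  # 004638DA: no table for this index -> fail immediately
        return 0
    return lookup_digest(table, digest)
```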
---------------------------------------------
Inside the second key CALL aep.004056D0; its return value in EAX must not be 0 either:
004056D0 PUSH EBP
004056D1 MOV EBP,ESP
004056D3 AND ESP,FFFFFFF8
004056D6 PUSH -1
004056D8 PUSH aep.00527756
004056DD MOV EAX,DWORD PTR FS:[0]
004056E3 PUSH EAX
004056E4 MOV DWORD PTR FS:[0],ESP
004056EB SUB ESP,120
004056F1 PUSH EDI
004056F2 CALL aep.00412810
004056F7 TEST EAX,EAX
004056F9 JE aep.004057E2
004056FF JMP aep.004057FD
-----------------------------------------
Summary:
This company's programs all seem to work the same way, comparing the input against a preset list of registration codes. Code format: AEP-D9MK316+XXXXXXX. To crack it, just change jnz to jmp at 0046391A JNZ SHORT aep.00463924 and at 004638DA JNZ SHORT aep.004638E0. However, the memory patch seems not to take effect on the ASProtect-packed build; could some expert give me a pointer?
cracked by lordor
03.9.17
The way of cracking lies in anticipating the opponent's moves!
www.digitalnuke.com