标题:某抓书狂破解分析
链接:http://www.unpack.cn/viewthread.php?tid=16306
贴者:dsmall
日期:2007-8-17 16:03
用 OllyDbg 载入程序，停在壳的入口点（下面是入口处的前几条指令，后面的壳代码未列出）：
00551014 B> B8 00000000 mov eax,0 ; packer entry stub (Themida/WinLicense, per the unpack script used below); eax = 0
00551019 60 pushad ; save all general registers (restored by the popad at 0055102E)
0055101A 0BC0 or eax,eax ; ZF from eax
0055101C 74 58 je short 00551076 ; with eax = 0 as listed this is always taken; the 0055101E-00551066 path only runs if the immediate above differs at run time (not verified here)
0055101E E8 00000000 call 00551023 ; call to the very next instruction: pushes 00551023 as the return address
00551023 58 pop eax ; eax = 00551023 (get-EIP idiom; the debugger's "kernel32.7C816FF7" was a stale register value)
00551024 05 43000000 add eax,43 ; eax = 00551066
00551029 8038 E9 cmp byte ptr ds:[eax],0E9 ; is the opcode byte at 00551066 a near jmp (E9)? -- a self-check on the stub's own code
0055102C 75 03 jnz short 00551031 ; not E9: continue below
0055102E 61 popad ; E9 present: restore registers ...
0055102F EB 35 jmp short 00551066 ; ... and transfer to the jmp at 00551066
00551031 E8 00000000 call 00551036 ; second get-EIP
00551036 58 pop eax ; eax = 00551036
00551037 25 00F0FFFF and eax,FFFFF000 ; eax = 00551000 (page-align the current address)
0055103C 33FF xor edi,edi ; edi = 0
0055103E 66:BB 195A mov bx,5A19 ; bx = 5A19; the listing stops here, the rest of the stub is not shown
执行 a__p 大侠的脚本 “Themida & WinLicense V1.1.X-1.8.X By oSc” 后，程序暂停在 00406980 处。可惜存在 stolen code（OEP 附近的代码被壳搬走了），直接 dump 并不可行，于是放弃脱壳，带壳分析：
00406980 53 push ebx ; (Initial CPU selection) -- where the unpack script stopped; preserve ebx
00406981 8BD8 mov ebx,eax ; ebx = incoming eax (passed on to 004041D4 below)
00406983 33C0 xor eax,eax
00406985 A3 9CE04F00 mov dword ptr ds:[4FE09C],eax ; [4FE09C] = 0
0040698A 6A 00 push 0
0040698C E8 2BFFFFFF call 004068BC ; jmp to kernel32.GetModuleHandleA -- GetModuleHandleA(NULL): this module's base
00406991 A3 68665000 mov dword ptr ds:[506668],eax ; [506668] = module base
00406996 A1 68665000 mov eax,dword ptr ds:[506668]
0040699B A3 A8E04F00 mov dword ptr ds:[4FE0A8],eax ; [4FE0A8] = module base (copy)
004069A0 33C0 xor eax,eax
004069A2 A3 ACE04F00 mov dword ptr ds:[4FE0AC],eax ; [4FE0AC] = 0
004069A7 33C0 xor eax,eax
004069A9 A3 B0E04F00 mov dword ptr ds:[4FE0B0],eax ; [4FE0B0] = 0
004069AE E8 C1FFFFFF call 00406974 ; BookDown.00406974 (not shown)
004069B3 BA A4E04F00 mov edx,4FE0A4 ; edx = address 4FE0A4
004069B8 8BC3 mov eax,ebx ; eax = the original incoming value
004069BA E8 15D8FFFF call 004041D4 ; BookDown.004041D4(eax, edx) (not shown)
004069BF 5B pop ebx
004069C0 C3 retn
在 OllyDbg 中搜索字符串参考 “谢谢您的注册,现在您使用的是无任何功能限制的版本了!”，来到引用该字符串的 004ED8C0 处。下面的片段从 004ED897 开始，截取自同一个函数的中间部分：
004ED897 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; excerpt starts mid-function: edx = 2nd argument for the check routine
004ED89A 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = 1st argument
004ED89D 59 pop ecx ; ecx = 3rd argument (taken from the stack)
004ED89E E8 65F9FFFF call 004ED208 ; registration check (analysed below); returns a flag in al
004ED8A3 84C0 test al,al
004ED8A5 0F84 EB000000 je 004ED996 ; al = 0 -> not registered: skip the success path (004ED996 is outside this excerpt)
004ED8AB A1 A44F5000 mov eax,dword ptr ds:[504FA4]
004ED8B0 8B00 mov eax,dword ptr ds:[eax]
004ED8B2 C680 A0030000 01 mov byte ptr ds:[eax+3A0],1 ; [[504FA4]]+3A0 = 1 -- looks like the "registered" state byte used elsewhere; not traced further
004ED8B9 A1 A44F5000 mov eax,dword ptr ds:[504FA4]
004ED8BE 8B00 mov eax,dword ptr ds:[eax]
004ED8C0 BA 04DA4E00 mov edx,4EDA04 ; 谢谢您的注册,现在您使用的是无任何功能限制的版本了! ("Thank you for registering; you are now using the version with no functional restrictions!")
004ED8C5 E8 1AEE0000 call 004FC6E4 ; BookDown.004FC6E4 -- presumably displays the message above (the string reference the search landed on)
004ED8CA 33C0 xor eax,eax
004ED8CC 55 push ebp
004ED8CD 68 85D94E00 push 4ED985 ; handler address for an exception frame
004ED8D2 64:FF30 push dword ptr fs:[eax] ; previous fs:[0]
004ED8D5 64:8920 mov dword ptr fs:[eax],esp ; install the exception frame
004ED8D8 8D55 DC lea edx,dword ptr ss:[ebp-24]
004ED8DB 8B45 FC mov eax,dword ptr ss:[ebp-4] ; excerpt ends here; the function continues past 004ED8DB
往上看：004ED89E 处 call 004ED208 的返回值（al）紧接着在 004ED8A3 被 test al,al 检查，为 0 就跳过“注册成功”的分支，可知 004ED208 就是关键 call。在 004ED89E 处下断，F9 运行程序；点击“注册”，任意输入注册码并确定，程序中断在 004ED89E，F7 进入：
004ED208 55 push ebp ; registration check: (eax = arg1, edx = arg2 entered code string, ecx = arg3) -> al = 1 if accepted, 0 otherwise
004ED209 8BEC mov ebp,esp
004ED20B 83C4 C8 add esp,-38 ; 0x38 bytes of locals
004ED20E 53 push ebx
004ED20F 33DB xor ebx,ebx
004ED211 895D CC mov dword ptr ss:[ebp-34],ebx ; zero the local slots that are released at the end (00404570 calls)
004ED214 895D C8 mov dword ptr ss:[ebp-38],ebx
004ED217 895D D0 mov dword ptr ss:[ebp-30],ebx
004ED21A 895D EC mov dword ptr ss:[ebp-14],ebx
004ED21D 895D E8 mov dword ptr ss:[ebp-18],ebx
004ED220 894D F4 mov dword ptr ss:[ebp-C],ecx ; [ebp-C] = arg3
004ED223 8955 F8 mov dword ptr ss:[ebp-8],edx ; [ebp-8] = arg2, the entered registration code (its length is checked below)
004ED226 8945 FC mov dword ptr ss:[ebp-4],eax ; [ebp-4] = arg1
004ED229 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004ED22C E8 CB77F1FF call 004049FC ; BookDown.004049FC on arg2 (not shown; presumably string housekeeping)
004ED231 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004ED234 E8 C377F1FF call 004049FC ; same on arg3
004ED239 33C0 xor eax,eax
004ED23B 55 push ebp
004ED23C 68 F8D34E00 push 4ED3F8 ; handler address (see 004ED3F8)
004ED241 64:FF30 push dword ptr fs:[eax] ; previous fs:[0]
004ED244 64:8920 mov dword ptr fs:[eax],esp ; install the exception frame; unlinked at 004ED3C8
004ED247 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004ED24A E8 BD75F1FF call 0040480C ; eax = length of the entered code (per the write-up)
004ED24F 83F8 32 cmp eax,32 ; 0x32 = 50: the code must be at least 50 characters (the write-up says "more than 50"; jge accepts exactly 50 too)
004ED252 7D 09 jge short 004ED25D ; length >= 50 (signed compare): go on to the real check
004ED254 C645 F3 00 mov byte ptr ss:[ebp-D],0 ; too short: result flag = 0 ...
004ED258 E9 66010000 jmp 004ED3C3 ; ... and leave -- this path never reaches the patched jump at 004ED28C
004ED25D 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004ED260 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004ED263 E8 38FBFFFF call 004ECDA0 ; 004ECDA0(arg3) -> [ebp-2C] (transform not analysed)
004ED268 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004ED26B 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004ED26E E8 A1FBFFFF call 004ECE14 ; 004ECE14([ebp-2C]) -> [ebp-18], the value the entered code is compared against
004ED273 8D4D EC lea ecx,dword ptr ss:[ebp-14]
004ED276 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004ED279 8B45 FC mov eax,dword ptr ss:[ebp-4]
004ED27C E8 83040000 call 004ED704 ; 004ED704(arg1, code) -> [ebp-14], the value derived from the entered code
004ED281 8B45 EC mov eax,dword ptr ss:[ebp-14]
004ED284 8B55 E8 mov edx,dword ptr ss:[ebp-18]
004ED287 E8 CC76F1FF call 00404958 ; key call: compares [ebp-14] with [ebp-18], result left in the flags (algorithm not analysed in the write-up)
004ED28C 75 09 jnz short 004ED297 ; key jump: mismatch -> retry loop. The write-up NOPs these 2 bytes (75 09 -> 90 90) so the success path always runs; the check on restart goes through this same routine, hence the in-memory patch
004ED28E C645 F3 01 mov byte ptr ss:[ebp-D],1 ; match: result flag = 1
004ED292 E9 2C010000 jmp 004ED3C3 ; BookDown.004ED3C3
004ED297 E8 E09AF1FF call 00406D7C ; jmp to kernel32.GetTickCount
004ED29C 8945 E4 mov dword ptr ss:[ebp-1C],eax ; [ebp-1C] = start tick of the retry window
004ED29F E9 C5000000 jmp 004ED369 ; enter the loop at its elapsed-time test
004ED2A4 8D55 D0 lea edx,dword ptr ss:[ebp-30] ; --- retry loop body (repeats for up to 60 s) ---
004ED2A7 8B45 FC mov eax,dword ptr ss:[ebp-4]
004ED2AA E8 95010000 call 004ED444 ; 004ED444(arg1) -> [ebp-30]: re-fetched input for the comparison (source not analysed)
004ED2AF 8B45 D0 mov eax,dword ptr ss:[ebp-30]
004ED2B2 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004ED2B5 E8 E6FAFFFF call 004ECDA0 ; same transform as at 004ED263
004ED2BA 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004ED2BD 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004ED2C0 E8 4FFBFFFF call 004ECE14 ; same as at 004ED26E -> [ebp-18]
004ED2C5 8B45 EC mov eax,dword ptr ss:[ebp-14] ; note [ebp-14] is not recomputed inside the loop
004ED2C8 8B55 E8 mov edx,dword ptr ss:[ebp-18]
004ED2CB E8 8876F1FF call 00404958 ; same compare as at 004ED287
004ED2D0 75 35 jnz short 004ED307 ; still no match -> update the UI and keep waiting
004ED2D2 C645 F3 01 mov byte ptr ss:[ebp-D],1 ; match on retry: result flag = 1
004ED2D6 A1 38515000 mov eax,dword ptr ds:[505138]
004ED2DB 8B00 mov eax,dword ptr ds:[eax]
004ED2DD BA 10D44E00 mov edx,4ED410 ; ASCII "FrmRegister"
004ED2E2 E8 65C5F3FF call 0042984C ; 0042984C([[505138]], "FrmRegister") -> eax; looks like a by-name lookup of the registration form (not verified)
004ED2E7 85C0 test eax,eax
004ED2E9 0F84 D4000000 je 004ED3C3 ; not found: done
004ED2EF BA 24D44E00 mov edx,4ED424 ; 注册码 ("Registration code")
004ED2F4 8B45 FC mov eax,dword ptr ss:[ebp-4]
004ED2F7 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004ED2FD E8 B25FF7FF call 004632B4 ; 004632B4([arg1+308], "注册码"): presumably restores the text the loop overwrote at 004ED364
004ED302 E9 BC000000 jmp 004ED3C3 ; BookDown.004ED3C3
004ED307 A1 38515000 mov eax,dword ptr ds:[505138] ; --- mismatch inside the loop ---
004ED30C 8B00 mov eax,dword ptr ds:[eax]
004ED30E E8 A95FF9FF call 004832BC ; 004832BC([[505138]]) once per iteration (not analysed)
004ED313 A1 38515000 mov eax,dword ptr ds:[505138]
004ED318 8B00 mov eax,dword ptr ds:[eax]
004ED31A BA 10D44E00 mov edx,4ED410 ; ASCII "FrmRegister"
004ED31F E8 28C5F3FF call 0042984C ; same lookup as at 004ED2E2
004ED324 85C0 test eax,eax
004ED326 74 41 je short 004ED369 ; no form: skip the progress text, just re-test the timeout
004ED328 E8 4F9AF1FF call 00406D7C ; jmp to kernel32.GetTickCount
004ED32D 33D2 xor edx,edx
004ED32F 52 push edx
004ED330 50 push eax ; 64-bit edx:eax = now (zero-extended) on the stack
004ED331 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004ED334 99 cdq ; edx:eax = start tick (sign-extended)
004ED335 290424 sub dword ptr ss:[esp],eax
004ED338 195424 04 sbb dword ptr ss:[esp+4],edx ; [esp] = now - start as a 64-bit value
004ED33C 58 pop eax
004ED33D 5A pop edx
004ED33E 52 push edx
004ED33F 50 push eax ; pass the 64-bit elapsed value on the stack
004ED340 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004ED343 E8 50F7F1FF call 0040CA98 ; 0040CA98(elapsed) -> [ebp-38] (presumably its text form)
004ED348 8B4D C8 mov ecx,dword ptr ss:[ebp-38]
004ED34B 8D45 CC lea eax,dword ptr ss:[ebp-34]
004ED34E BA 34D44E00 mov edx,4ED434 ; 注册码验证中 ("Verifying registration code")
004ED353 E8 0075F1FF call 00404858 ; 00404858 -> [ebp-34] built from "注册码验证中" and [ebp-38] (presumably concatenation)
004ED358 8B55 CC mov edx,dword ptr ss:[ebp-34]
004ED35B 8B45 FC mov eax,dword ptr ss:[ebp-4]
004ED35E 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004ED364 E8 4B5FF7FF call 004632B4 ; 004632B4([arg1+308], [ebp-34]): show the progress text
004ED369 E8 0E9AF1FF call 00406D7C ; --- loop condition --- jmp to kernel32.GetTickCount
004ED36E 33D2 xor edx,edx
004ED370 52 push edx
004ED371 50 push eax
004ED372 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004ED375 99 cdq
004ED376 290424 sub dword ptr ss:[esp],eax
004ED379 195424 04 sbb dword ptr ss:[esp+4],edx ; edx:eax = now - start (64-bit)
004ED37D 58 pop eax
004ED37E 5A pop edx
004ED37F 83FA 00 cmp edx,0
004ED382 75 0D jnz short 004ED391 ; high dword non-zero: decide on its sign
004ED384 3D 60EA0000 cmp eax,0EA60 ; 0xEA60 = 60000 ms
004ED389 ^ 0F82 15FFFFFF jb 004ED2A4 ; elapsed < 60 s: another iteration
004ED38F EB 06 jmp short 004ED397 ; timed out
004ED391 ^ 0F8C 0DFFFFFF jl 004ED2A4 ; high dword negative (now < start as computed): keep looping
004ED397 A1 38515000 mov eax,dword ptr ds:[505138] ; --- timeout ---
004ED39C 8B00 mov eax,dword ptr ds:[eax]
004ED39E BA 10D44E00 mov edx,4ED410 ; ASCII "FrmRegister"
004ED3A3 E8 A4C4F3FF call 0042984C ; same lookup as at 004ED2E2
004ED3A8 85C0 test eax,eax
004ED3AA 74 13 je short 004ED3BF ; BookDown.004ED3BF
004ED3AC BA 24D44E00 mov edx,4ED424 ; 注册码 ("Registration code")
004ED3B1 8B45 FC mov eax,dword ptr ss:[ebp-4]
004ED3B4 8B80 08030000 mov eax,dword ptr ds:[eax+308]
004ED3BA E8 F55EF7FF call 004632B4 ; restore the text after the progress messages
004ED3BF C645 F3 00 mov byte ptr ss:[ebp-D],0 ; timed out without a match: result flag = 0
004ED3C3 33C0 xor eax,eax ; --- common exit ---
004ED3C5 5A pop edx
004ED3C6 59 pop ecx
004ED3C7 59 pop ecx
004ED3C8 64:8910 mov dword ptr fs:[eax],edx ; unlink the exception frame installed at 004ED244
004ED3CB 68 FFD34E00 push 4ED3FF ; the retn at 004ED3F7 continues at 004ED3FF
004ED3D0 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004ED3D3 BA 03000000 mov edx,3
004ED3D8 E8 9371F1FF call 00404570 ; release 3 locals starting at [ebp-38] (presumably; 00404570 not shown)
004ED3DD 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004ED3E0 BA 02000000 mov edx,2
004ED3E5 E8 8671F1FF call 00404570 ; release 2 locals starting at [ebp-18]
004ED3EA 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004ED3ED BA 02000000 mov edx,2
004ED3F2 E8 7971F1FF call 00404570 ; release 2 locals starting at [ebp-C]
004ED3F7 C3 retn ; -> 004ED3FF (address pushed at 004ED3CB)
004ED3F8 ^ E9 936AF1FF jmp 00403E90 ; exception-handler entry registered at 004ED23C
004ED3FD ^ EB D1 jmp short 004ED3D0 ; re-runs the cleanup above; not reached from the code shown
004ED3FF 8A45 F3 mov al,byte ptr ss:[ebp-D] ; return value: the result flag
004ED402 5B pop ebx
004ED403 8BE5 mov esp,ebp
004ED405 5D pop ebp
004ED406 C3 retn
004ED407 00FF add bh,bh ; bytes after the final retn; not part of this routine
--------------------------------------------------------------------------------
【经验总结】
从防护角度看：整个注册判定最终只取决于 004ED28C 处的一条条件跳转和 [ebp-D] 这一个标志字节，改两个字节即可翻转结果，而且启动时的复验走的也是同一函数。许可校验若只是“比较后跳转”，在内存里很容易被打补丁；更稳妥的做法是让功能本身依赖密钥（例如用注册码解密数据），并在多处独立校验。
Loader（内存补丁）制作：
修改地址:004ED28C
修改长度:2
原始指令:7509
修改指令:9090
Loader 生成后，还需在 SysCfg.ini 文件中 Regcode= 后面填入任意不少于 50 位的数字并保存。原因：004ED24F 处的长度检查位于被补丁的跳转之前，注册码不足 50 位时函数在 004ED254 直接返回 0，补丁根本不会被执行到。