【Tutorial Title】: 我爱我车 1.4 (My2Car) unpacking + algorithm analysis [complete walkthrough]
【Author】: KuNgBiM[DFCG]
【Author Email】: gb_1227@163.com
【Software】: 我爱我车 1.4
【Written】: 2005-6-20
【Download】: http://www.zssoft.com/
【Protection】: registration code + feature limits
【Packer】: ASPack 2.11 -> Alexey Solodovnikov
【Compiler】: Microsoft Visual C++ 6.0
【Author's Note】: I am a beginner at cracking and do this purely out of interest, with no other purpose. If I have made mistakes, I welcome corrections from the experts!
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Unpacking Process】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Packer detection: PEiD identifies the packer as ASPack 2.11 -> Alexey Solodovnikov.
Tools: since we know it is protected with ASPack, fire up OllyDbg and, as the title promises, unpack it by hand~~
————————————————————
Load the main program in OllyDbg:
0051B001 > 60 pushad //stops here; press F8 once
0051B002 E9 3D040000 jmp My2Car.0051B444 //lands here; look at the ESP register value
0051B007 - E9 25050101 jmp 0152B531
0051B00C EC in al,dx
0051B00D 01BC31 3A450104 add dword ptr ds:[ecx+esi+401453A],edi
0051B014 DE2C9E fisubr word ptr ds:[esi+ebx*4]
.........
\\\\\\\\\\\\\\\ Registers \\\\\\\\\\\\\\\\
EAX 00000000
ECX 0012FFB0
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDE000
ESP 0012FFA4 //esp=0012ffa4
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 0051B002 My2Car.0051B002
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Following the ESP law, type hr 0012ffa4 in the command bar, press Enter, then F9 to run:
0051B3AB /75 08 jnz short My2Car.0051B3B5 //breaks here; continue with F8
0051B3AD |B8 01000000 mov eax,1
0051B3B2 |C2 0C00 retn 0C
0051B3B5 \68 7DF14700 push My2Car.0047F17D //jumps here; continue with F8; OEP=0047F17D
0051B3BA C3 retn //off toward the summit of light~!^_^
.........
***************************************************************************************
0047F17D 55 push ebp //the program's real entry point! Dump it! One look tells you it is a Visual C++ 6.0 program.
0047F17E 8BEC mov ebp,esp
0047F180 6A FF push -1
0047F182 68 A8B84B00 push My2Car.004BB8A8
0047F187 68 780A4800 push My2Car.00480A78
0047F18C 64:A1 00000000 mov eax,dword ptr fs:[0]
0047F192 50 push eax
.........
***************************************************************************************
Dump and repair: run LordPE and dump the whole process, then open ImportREC, select the program's process, enter 0007F17D as the OEP, "IAT AutoSearch", "Get Imports", all pointers valid, "Fix Dump", OK, unpacking and repair complete! The program runs! Fix Dump!~
Check with PEiD again: the program is identified as compiled with Microsoft Visual C++ 6.0. After optimizing the dump: original 390 KB --> unpacked 1.16 MB --> unpacked and optimized 1.01 MB
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Cracking Process】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Probing: run the main program, open the registration dialog, enter a user name and a registration code, and save the information!
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Registration information entered: (my machine code is 0622467302)
User name: KuNgBiM
Registration code: 9876543210
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
The program responds "非法注册码,请支持正版软件,谢谢!" (Invalid registration code, please support genuine software, thank you!)
Disassemble the unpacked main program with W32Dasm and search the string references to locate this message:
After clicking OK, OD breaks here: (the listing below is W32Dasm's disassembly)
:0043FE56 90 nop
:0043FE57 90 nop
:0043FE58 90 nop
:0043FE59 90 nop
:0043FE5A 90 nop
:0043FE5B 90 nop
:0043FE5C 90 nop
:0043FE5D 90 nop
:0043FE5E 90 nop
:0043FE5F 90 nop
:0043FE60 6AFF push FFFFFFFF
:0043FE62 68F8D84A00 push 004AD8F8
:0043FE67 64A100000000 mov eax, dword ptr fs:[00000000]
:0043FE6D 50 push eax
:0043FE6E 64892500000000 mov dword ptr fs:[00000000], esp
:0043FE75 51 push ecx
:0043FE76 56 push esi
:0043FE77 8BF1 mov esi, ecx
:0043FE79 6A01 push 00000001
:0043FE7B E8AE4C0500 call 00494B2E //reads the user name and the registration code
:0043FE80 8B86DC010000 mov eax, dword ptr [esi+000001DC] //user name into eax
:0043FE86 8B48F8 mov ecx, dword ptr [eax-08] //fetch the user name length, ecx=7
:0043FE89 85C9 test ecx, ecx
:0043FE8B 0F841A010000 je 0043FFAB //empty user name: jump to the dead end
:0043FE91 8B86E0010000 mov eax, dword ptr [esi+000001E0] //registration code into eax
:0043FE97 8B48F8 mov ecx, dword ptr [eax-08] //the registration code should be 10 digits, ecx=0A
:0043FE9A 85C9 test ecx, ecx
:0043FE9C 0F8409010000 je 0043FFAB //empty registration code: jump to the dead end
:0043FEA2 50 push eax //push the fake code "9876543210"
:0043FEA3 E899E70300 call 0047E641 //converts the registration code to a hex value in eax
:0043FEA8 8B0D0C294D00 mov ecx, dword ptr [004D290C]
:0043FEAE 355F123001 xor eax, 0130125F //the key constant, the heart of the keygen! XOR with 130125F
:0043FEB3 894C2408 mov dword ptr [esp+08], ecx
:0043FEB7 50 push eax
:0043FEB8 8D54240C lea edx, dword ptr [esp+0C]
* Possible StringData Ref from Data Obj ->"%010d" //turned back into decimal during the calculation
|
:0043FEBC 68C00E4D00 push 004D0EC0
:0043FEC1 52 push edx
:0043FEC2 C744242000000000 mov [esp+20], 00000000
:0043FECA E859010500 call 00490028 //the key conversion of the registration code
:0043FECF 8B86D8010000 mov eax, dword ptr [esi+000001D8] //machine code onto the stack, ASCII "0622467302"
:0043FED5 50 push eax //push the machine code
:0043FED6 8B442418 mov eax, dword ptr [esp+18]
:0043FEDA 50 push eax //the fake code after XOR with 130125F, ASCII "1300235445"
:0043FEDB E8EFE50300 call 0047E4CF //the key CALL, a classic
:0043FEE0 83C418 add esp, 00000018
:0043FEE3 85C0 test eax, eax //eax not equal to 0 means dead!
:0043FEE5 7431 je 0043FF18 //the key jump; if it does not jump, it is OVER
:0043FEE7 6A30 push 00000030
:0043FEE9 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"非法注册码,请支持正版软件,谢谢!"
|
:0043FEEB 6818184D00 push 004D1818
:0043FEF0 8BCE mov ecx, esi
:0043FEF2 E882400500 call 00493F79
:0043FEF7 8D4C2404 lea ecx, dword ptr [esp+04]
:0043FEFB C7442410FFFFFFFF mov [esp+10], FFFFFFFF
:0043FF03 E899610500 call 004960A1
:0043FF08 5E pop esi
:0043FF09 8B4C2404 mov ecx, dword ptr [esp+04]
:0043FF0D 64890D00000000 mov dword ptr fs:[00000000], ecx
:0043FF14 83C410 add esp, 00000010
:0043FF17 C3 ret
..........
-------------------------------------------------------------------------------------------------------------------------
【Algorithm Summary】
The registration check is very simple. From the listing above we can see that the software uses the machine code as the basis for registration, and the check on restart also compares against the machine code. Reading the code carefully shows that the user name does not take part in the registration-code calculation at all. The entered registration code is converted to a hex value and XORed once with 130125F; if the result equals the machine code, registration succeeds.
Obtaining the machine code: read the volume serial number of drive C and convert it to decimal.
Registration code = decimal(HEX(machine code) Xor 130125F)
[i.e. registration code = decimal(HEX(machine code) Xor 19927647)]
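A Python model of the recovered check (an added example, not the author's code; function names are my own): atoi-style parsing with 32-bit wrap, XOR with 130125F and "%010d" formatting, which is exactly why the page's fake code 9876543210 turns into 1300235445 and why the machine code reads 0622467302 inside the program but 622467302 in the keygen. Because XOR with a constant is its own inverse, this verifier is also the key generator, which is what makes the scheme weak.

```python
import re

XOR_CONSTANT = 0x130125F   # the constant at 0043FEAE (19927647 decimal)


def atoi32(text: str) -> int:
    """Model of the atoi/atol-style conversion at 0047E641: leading digits go
    into a 32-bit signed long, wrapping silently on overflow.  The page's own
    values show this: "9876543210" becomes 1286608618 before the XOR."""
    m = re.match(r"\s*([+-]?)(\d*)", text)
    sign, digits = m.group(1), m.group(2)
    value = 0
    for ch in digits:
        value = (value * 10 + (ord(ch) - 48)) & 0xFFFFFFFF   # wrap like a C long
    if sign == "-":
        value = (-value) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value  # reinterpret as signed


def expected_machine_code(serial: str) -> str:
    """The XOR at 0043FEAE followed by the "%010d" sprintf at 0043FEBC: the
    result is zero-padded to 10 characters, hence the leading 0 in 0622467302."""
    return "%010d" % (atoi32(serial) ^ XOR_CONSTANT)


def check_registration(machine_code: str, name: str, serial: str) -> bool:
    """The decision at 0043FEE3: empty fields are rejected (0043FE8B/0043FE9C),
    the user name is otherwise ignored, and the formatted value is compared
    with the machine code string (the compare call at 0047E4CF)."""
    if not name or not serial:
        return False
    return expected_machine_code(serial) == machine_code


if __name__ == "__main__":
    # Values taken from the walkthrough: the fake code is rejected, the
    # computed one for machine code 0622467302 is accepted.
    print(expected_machine_code("9876543210"))                       # 1300235445
    print(check_registration("0622467302", "KuNgBiM", "9876543210"))  # False
    print(check_registration("0622467302", "KuNgBiM", "606735033"))   # True
```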
=======================
VB6 keygen code: (reads the machine code and computes the registration code automatically)
'Form section:
Private Sub Form_Load()
    Dim Driver As String, VolName As String, Fsys As String   'the original ID is derived from the drive's volume serial number
    Dim volNumber As Long, MCM As Long, FSF As Long           'each variable needs its own "As Long", otherwise VB makes it a Variant and the API cannot write into it
    Dim res As Long
    Dim Regcode As Long
    Driver = "c:\"                 'the drive whose ID is read
    VolName = String$(128, 0)      'string buffers must be allocated before the API fills them
    Fsys = String$(128, 0)
    res = GetVolumeInformation(Driver, VolName, 127, volNumber, MCM, FSF, Fsys, 127)   'volNumber is the C: volume serial number
    Text1.Text = volNumber         'the drive ID shown in decimal is the machine code
    Regcode = volNumber Xor 19927647   'registration code calculation (19927647 = &H130125F)
    Text2.Text = Regcode           'output the registration code
End Sub
'Module section:
Public Declare Function GetVolumeInformation Lib "kernel32" _
    Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, _
    ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, _
    lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, _
    lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, _
    ByVal nFileSystemNameSize As Long) As Long
=======================
Registration information:
Machine code: 622467302
User name: KuNgBiM (anything)
Registration code: 606735033
--------------------------------------------------------------------------
(End of article)
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-06-23
15:36:36 PM