File Protector 2000的跟踪。
下载:http://gt.onlinedown.net/down/fp2000.zip (175K)
工具:SoftICE95,这里,请一定用它,为什么?看下去!
和我一样菜的FAN可以用这个软件来体会一下跋涉在汇编代码里的欢乐和痛苦!
此软件其实比较简单,收起暴破的大刀吧!GO GO GO!
name: Free User
Company: [CCG]
Product: 748748
输入完毕后,按 Ctrl-D 激活 SoftICE,下断点 bpx hmemcpy,用 X 回到程序,点击 Register 按钮,SoftICE 随即因断点命中再次弹出!
下指令 bc * /清除全部断点(否则后面每次内存拷贝都会再次中断)
此时代码窗口的地址形如 XXXX:XXXX,仍在系统核心里。反复按 F12(执行到返回),当出现 XXXX:004XXXXX(偶尔是 XXXX:005XXXXX,但这种情况很少)形式的地址时,就已大致回到了要跟踪的程序自身的代码里。本例中先停在 0187:5F40D247(这种地址很少见),再按 F10 单步来到 0187:0040C5ED,且接下来的几行代码里看不见“RET”,说明已进入要跟踪的程序的核心;如果下面几行代码里仍有“RET”指令,就继续按 F12,直到看不见“RET”为止!当然,有时会“按飞”(跑过头),但这样做省去了“先数 F12 次数再减 1”那样的麻烦!
* Reference To: MFC42.Ordinal:0F21, Ord:0F21h
|
:0040C621 E8285A0000 Call 0041204E
:0040C626 8D4C2418 lea
ecx, dword ptr [esp+18]
:0040C62A 51
push ecx
:0040C62B 8D4C2410 lea
ecx, dword ptr [esp+10]
:0040C62F E80C1C0000 call 0040E240
:0040C634 85C0
test eax, eax
:0040C636 751E
jne 0040C656
:0040C638 50
push eax
* Possible StringData Ref from Data Obj ->"Error"
|
:0040C639 68D4724100 push 004172D4
* Possible StringData Ref from Data Obj ->"Registration failed !" /#$^*^%@#$%#%@@()
/很明显:40C634 的 test eax,eax 检查的是 call 40E240 的返回值,40C636 的 jne 在返回值非零时跳过下面压入 "Error" / "Registration failed !" 的那段提示代码。所以 40C62F 处的 call 40E240 就是注册码校验函数,我们在 40C62F 处按 F8 进入 CALL 40E240!
:0040C62F E80C1C0000 call 0040E240
/进入 0040E240 —— 校验函数本体(只有一个栈参数,即指向我们输入的 Product 串的指针,函数开头用 ecx=[esp+4] 取得;函数以 ret 4 自行清理该参数)。
; ===========================================================================
; sub_0040E240 -- File Protector 2000 "Product" (serial) check.
; W32Dasm-style listing. Addresses, opcode bytes, mnemonics and operands are
; reproduced verbatim; only comments were added and instruction lines that
; had been split by the paste were rejoined.
;
; Interface (as visible in this listing):
;   In:  [esp+04] = pointer to the serial string; moved into ecx on entry,
;        so whatever the caller placed in ecx is overwritten before any use.
;   Out: eax = 1 when every check passes (xor eax,eax ; sete al), else 0.
;        `ret 0004` pops the single stack argument (callee cleans).
;   Clobbers: eax, ecx, edx, flags. ebx and esi are pushed/popped around use.
;   Stack: `sub esp,8` makes two dword scratch slots. After `push ebx` they
;        are [esp+04] (high-nibble ASCII char) and [esp+08] (low-nibble char).
;        [esp+10] after that push is the argument slot itself, reused as a
;        one-byte scratch holding serial[05].
;
; Serial layout (0-based hex offsets, s[] = input bytes). There is NO length
; or NUL-terminator check: offsets up to s[1E] are read unconditionally, so
; the caller must guarantee at least 0x1F readable bytes behind the pointer.
;   00-03                     "FP18"
;   04 07 0B 0D 1C            '-'
;   0F 10 11 12 15 16 17 19   each in 30h..46h (signed compare). That covers
;                             '0'..'F' but also admits ':' ';' '<' '=' '>'
;                             '?' '@' (3Ah..40h) -- not a strict hex-digit test.
;   13,14                     hex digits (hi,lo) of
;                               (s[19]+s[17]+s[16]+s[15]+s[12]+s[11]+s[10]+s[0F])
;                               ^ s[05] ^ s[08] ^ s[0C] ^ 23h
;   1A,1B                     hex digits of
;                               (s[0A]+46h) ^ s[09] ^ s[14] ^ s[13] ^ s[08] ^ 41h
;   0E,18                     hex digits of s[06] ^ s[14] ^ s[13] ^ s[05] ^ ABh
;   1D,1E                     hex digits of s[1B] ^ s[1A] ^ s[0C] ^ 63h
;   05 06 08 09 0A 0C         never compared directly; they only feed the
;                             sums above, so any byte value is accepted there.
; All arithmetic is on 8-bit registers (mod 256). Every failed check jumps
; to 0040E4FF, which lies just past the `ret` below and is not part of this
; listing (presumably the eax=0 exit).
;
; The original author's SoftICE notes (translated from Chinese) are kept
; inline: the technique is to stop before each compare, `D` the byte being
; compared, overwrite it in the data window with the value the code expects,
; and continue with F10 -- which reveals the valid serial one byte at a time.
; ===========================================================================
:0040E240 8B4C2404 mov ecx, dword ptr [esp+04]   ; ecx = serial pointer (sole stack arg)
:0040E244 83EC08 sub esp, 00000008                ; two dword scratch slots
:0040E247 B02D mov al, 2D                         ; al = '-' (2Dh), the separator
; Author's note: stop here. `D ECX` shows the serial you typed; `D ECX+4`
; shows byte 4 (34h = the '4' of 748748). Click the first byte in the data
; window, type 2D, press Esc to return to the command line, then F10 on.
:0040E249 8A5104 mov dl, byte ptr [ecx+04]        ; dl = s[04]
:0040E24C 53 push ebx                             ; ebx is preserved (popped at 0040E4F3)
:0040E24D 3AD0 cmp dl, al                         ; s[04] == '-' ?
:0040E24F 0F85AA020000 jne 0040E4FF               ; -> fail exit
; Author's note: before each of the next compares, `D ECX+7`, `D ECX+B`,
; `D ECX+D`, `D ECX+1C` and patch that byte to 2D. The `jne 0040E4FF` that
; recurs throughout this routine is the failure exit and must never be taken.
:0040E255 384107 cmp byte ptr [ecx+07], al        ; s[07] == '-' ?
:0040E258 0F85A1020000 jne 0040E4FF
:0040E25E 38410B cmp byte ptr [ecx+0B], al        ; s[0B] == '-' ?
:0040E261 0F8598020000 jne 0040E4FF
:0040E267 38410D cmp byte ptr [ecx+0D], al        ; s[0D] == '-' ?
:0040E26A 0F858F020000 jne 0040E4FF
:0040E270 38411C cmp byte ptr [ecx+1C], al        ; s[1C] == '-' ?
:0040E273 0F8586020000 jne 0040E4FF
; Range checks: each of s[0F],[10],[11],[12],[15],[16],[17],[19] must lie in
; 30h..46h ('0'..'F'). jl/jg are signed, so bytes >= 80h fail the jl.
; Author's note: `D ECX+F` and set the byte to anything in 30h..46h; the
; same recipe applies to every position checked below.
:0040E279 8A410F mov al, byte ptr [ecx+0F]        ; al = s[0F]
:0040E27C 3C30 cmp al, 30                         ; below '0' ?
:0040E27E 0F8C7B020000 jl 0040E4FF
:0040E284 3C46 cmp al, 46                         ; above 'F' ?
:0040E286 0F8F73020000 jg 0040E4FF
:0040E28C 8A4110 mov al, byte ptr [ecx+10]        ; s[10], same check
:0040E28F 3C30 cmp al, 30
:0040E291 0F8C68020000 jl 0040E4FF
:0040E297 3C46 cmp al, 46
:0040E299 0F8F60020000 jg 0040E4FF
:0040E29F 8A4111 mov al, byte ptr [ecx+11]        ; s[11], same check
:0040E2A2 3C30 cmp al, 30
:0040E2A4 0F8C55020000 jl 0040E4FF
:0040E2AA 3C46 cmp al, 46
:0040E2AC 0F8F4D020000 jg 0040E4FF
:0040E2B2 8A4112 mov al, byte ptr [ecx+12]        ; s[12], same check
:0040E2B5 3C30 cmp al, 30
:0040E2B7 0F8C42020000 jl 0040E4FF
:0040E2BD 3C46 cmp al, 46
:0040E2BF 0F8F3A020000 jg 0040E4FF
:0040E2C5 8A4115 mov al, byte ptr [ecx+15]        ; s[15], same check
:0040E2C8 3C30 cmp al, 30
:0040E2CA 0F8C2F020000 jl 0040E4FF
:0040E2D0 3C46 cmp al, 46
:0040E2D2 0F8F27020000 jg 0040E4FF
:0040E2D8 8A4116 mov al, byte ptr [ecx+16]        ; s[16], same check
:0040E2DB 3C30 cmp al, 30
:0040E2DD 0F8C1C020000 jl 0040E4FF
:0040E2E3 3C46 cmp al, 46
:0040E2E5 0F8F14020000 jg 0040E4FF
:0040E2EB 8A4117 mov al, byte ptr [ecx+17]        ; s[17], same check
:0040E2EE 3C30 cmp al, 30
:0040E2F0 0F8C09020000 jl 0040E4FF
:0040E2F6 3C46 cmp al, 46
:0040E2F8 0F8F01020000 jg 0040E4FF
:0040E2FE 8A4119 mov al, byte ptr [ecx+19]        ; s[19], same check; NOTE: al keeps
:0040E301 3C30 cmp al, 30                         ; this value into the sum at 0040E345
:0040E303 0F8CF6010000 jl 0040E4FF
:0040E309 3C46 cmp al, 46
:0040E30B 0F8FEE010000 jg 0040E4FF
; Fixed prefix "FP18". Author's note: `D ECX`, patch byte 0 to 46, byte 1
; to 50, and so on.
:0040E311 803946 cmp byte ptr [ecx], 46           ; s[00] == 'F' ?
:0040E314 0F85E5010000 jne 0040E4FF
:0040E31A 80790150 cmp byte ptr [ecx+01], 50      ; s[01] == 'P' ?
:0040E31E 0F85DB010000 jne 0040E4FF
:0040E324 80790231 cmp byte ptr [ecx+02], 31      ; s[02] == '1' ?
:0040E328 0F85D1010000 jne 0040E4FF
:0040E32E 80790338 cmp byte ptr [ecx+03], 38      ; s[03] == '8' ?
:0040E332 0F85C7010000 jne 0040E4FF
; --- checksum 1 -> expected s[13],s[14] -------------------------------------
; (The author skipped the arithmetic; it is decoded here.)
:0040E338 8A5105 mov dl, byte ptr [ecx+05]        ; dl = s[05]
:0040E33B 8A5908 mov bl, byte ptr [ecx+08]        ; bl = s[08]
:0040E33E 88542410 mov byte ptr [esp+10], dl      ; stash s[05] in the argument slot
:0040E342 8A5117 mov dl, byte ptr [ecx+17]
:0040E345 02C2 add al, dl                         ; al = s[19] + s[17]  (al was s[19])
:0040E347 8A5116 mov dl, byte ptr [ecx+16]
:0040E34A 02C2 add al, dl                         ; + s[16]
:0040E34C 8A5115 mov dl, byte ptr [ecx+15]
:0040E34F 02C2 add al, dl                         ; + s[15]
:0040E351 8A5112 mov dl, byte ptr [ecx+12]
:0040E354 02C2 add al, dl                         ; + s[12]
:0040E356 8A5111 mov dl, byte ptr [ecx+11]
:0040E359 02C2 add al, dl                         ; + s[11]
:0040E35B 8A5110 mov dl, byte ptr [ecx+10]
:0040E35E 02C2 add al, dl                         ; + s[10]
:0040E360 8A510F mov dl, byte ptr [ecx+0F]
:0040E363 02C2 add al, dl                         ; + s[0F]   (all mod 256)
:0040E365 8A542410 mov dl, byte ptr [esp+10]      ; dl = s[05]
:0040E369 32C2 xor al, dl                         ; ^ s[05]
:0040E36B 8A510C mov dl, byte ptr [ecx+0C]        ; dl = s[0C]
:0040E36E 32C3 xor al, bl                         ; ^ s[08]
:0040E370 32C2 xor al, dl                         ; ^ s[0C]
:0040E372 3423 xor al, 23                         ; ^ 23h
; Byte -> two ASCII hex digits. High nibble to [esp+04], low to [esp+08];
; '0'..'9' via +30h, 'A'..'F' via an extra +07h when the result exceeds '9'.
:0040E374 8AD0 mov dl, al
:0040E376 C0EA04 shr dl, 04                       ; dl = high nibble
:0040E379 80C230 add dl, 30
:0040E37C 80FA39 cmp dl, 39
:0040E37F 88542404 mov byte ptr [esp+04], dl      ; [esp+04] = '0'..'9' candidate
:0040E383 7607 jbe 0040E38C
:0040E385 80C207 add dl, 07                       ; > '9' : make it 'A'..'F'
:0040E388 88542404 mov byte ptr [esp+04], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E383(C)
|
:0040E38C 240F and al, 0F                         ; al = low nibble
:0040E38E 0430 add al, 30
:0040E390 3C39 cmp al, 39
:0040E392 88442408 mov byte ptr [esp+08], al      ; [esp+08] = '0'..'9' candidate
:0040E396 7606 jbe 0040E39E
; Author's note: stop here; `D ESP+4` holds the expected byte -- copy it
; into ECX+13 (the serial) before the compare below.
:0040E398 0407 add al, 07                         ; > '9' : make it 'A'..'F'
:0040E39A 88442408 mov byte ptr [esp+08], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E396(C)
|
:0040E39E 0FBE4113 movsx eax, byte ptr [ecx+13]   ; eax = s[13] (sign-extended)
:0040E3A2 8B542404 mov edx, dword ptr [esp+04]    ; edx = expected high-nibble char
:0040E3A6 81E2FF000000 and edx, 000000FF          ; keep the low byte only
:0040E3AC 3BC2 cmp eax, edx                       ; s[13] == expected ?
:0040E3AE 0F854B010000 jne 0040E4FF
; Author's note: stop; `D ESP+C` (the slot moves by 4 after the push esi
; below) and copy it into ECX+14. The remaining compares work the same way.
:0040E3B4 8A5114 mov dl, byte ptr [ecx+14]        ; dl = s[14]
:0040E3B7 56 push esi                             ; esi preserved across the compare
:0040E3B8 8B74240C mov esi, dword ptr [esp+0C]    ; = old [esp+08], expected low-nibble char
:0040E3BC 0FBEC2 movsx eax, dl                    ; eax = s[14]
:0040E3BF 81E6FF000000 and esi, 000000FF          ; keep the low byte only
:0040E3C5 3BC6 cmp eax, esi                       ; s[14] == expected ?
:0040E3C7 5E pop esi
:0040E3C8 0F8531010000 jne 0040E4FF
; --- checksum 2 -> expected s[1A],s[1B] -------------------------------------
:0040E3CE 8A410A mov al, byte ptr [ecx+0A]        ; al = s[0A]
:0040E3D1 0446 add al, 46                         ; + 46h
:0040E3D3 324109 xor al, byte ptr [ecx+09]        ; ^ s[09]
:0040E3D6 32C2 xor al, dl                         ; ^ s[14]  (dl unchanged since 0040E3B4)
:0040E3D8 8A5113 mov dl, byte ptr [ecx+13]
:0040E3DB 32C2 xor al, dl                         ; ^ s[13]
:0040E3DD 32C3 xor al, bl                         ; ^ s[08]
:0040E3DF 3441 xor al, 41                         ; ^ 41h
:0040E3E1 8AD0 mov dl, al                         ; hex conversion, as above
:0040E3E3 C0EA04 shr dl, 04
:0040E3E6 80C230 add dl, 30
:0040E3E9 80FA39 cmp dl, 39
:0040E3EC 88542404 mov byte ptr [esp+04], dl      ; high-nibble char
:0040E3F0 7607 jbe 0040E3F9
:0040E3F2 80C207 add dl, 07
:0040E3F5 88542404 mov byte ptr [esp+04], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E3F0(C)
|
:0040E3F9 240F and al, 0F
:0040E3FB 0430 add al, 30
:0040E3FD 3C39 cmp al, 39
:0040E3FF 88442408 mov byte ptr [esp+08], al      ; low-nibble char. Author: stop, `D ESP+04`, copy into ECX+1A
:0040E403 7606 jbe 0040E40B
:0040E405 0407 add al, 07
:0040E407 88442408 mov byte ptr [esp+08], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E403(C)
|
:0040E40B 0FBE511A movsx edx, byte ptr [ecx+1A]   ; edx = s[1A]
:0040E40F 8B442404 mov eax, dword ptr [esp+04]    ; expected high-nibble char
:0040E413 25FF000000 and eax, 000000FF
:0040E418 3BD0 cmp edx, eax                       ; s[1A] == expected ?
:0040E41A 0F85DF000000 jne 0040E4FF
:0040E420 8A591B mov bl, byte ptr [ecx+1B]        ; bl = s[1B] (replaces s[08]; reused at 0040E49E)
:0040E423 8B442408 mov eax, dword ptr [esp+08]    ; expected low-nibble char
:0040E427 0FBED3 movsx edx, bl
:0040E42A 25FF000000 and eax, 000000FF
:0040E42F 3BD0 cmp edx, eax                       ; s[1B] == expected ?
:0040E431 0F85C8000000 jne 0040E4FF
; --- checksum 3 -> expected s[0E],s[18] -------------------------------------
:0040E437 8A4106 mov al, byte ptr [ecx+06]        ; al = s[06]
:0040E43A 8A5114 mov dl, byte ptr [ecx+14]
:0040E43D 32C2 xor al, dl                         ; ^ s[14]
:0040E43F 8A5113 mov dl, byte ptr [ecx+13]
:0040E442 32C2 xor al, dl                         ; ^ s[13]
:0040E444 8A542410 mov dl, byte ptr [esp+10]      ; dl = stashed s[05]
:0040E448 32C2 xor al, dl                         ; ^ s[05]
:0040E44A 34AB xor al, AB                         ; ^ ABh
:0040E44C 8AD0 mov dl, al                         ; hex conversion, as above
:0040E44E C0EA04 shr dl, 04
:0040E451 80C230 add dl, 30
:0040E454 80FA39 cmp dl, 39
:0040E457 88542404 mov byte ptr [esp+04], dl      ; high-nibble char
:0040E45B 7607 jbe 0040E464
:0040E45D 80C207 add dl, 07
:0040E460 88542404 mov byte ptr [esp+04], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E45B(C)
|
:0040E464 240F and al, 0F
:0040E466 0430 add al, 30
:0040E468 3C39 cmp al, 39
:0040E46A 88442408 mov byte ptr [esp+08], al      ; low-nibble char
:0040E46E 7606 jbe 0040E476
:0040E470 0407 add al, 07
:0040E472 88442408 mov byte ptr [esp+08], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E46E(C)
|
; Author's note: keep patching, one compare at a time, as before.
:0040E476 0FBE510E movsx edx, byte ptr [ecx+0E]   ; edx = s[0E]
:0040E47A 8B442404 mov eax, dword ptr [esp+04]    ; expected high-nibble char
:0040E47E 25FF000000 and eax, 000000FF
:0040E483 3BD0 cmp edx, eax                       ; s[0E] == expected ?
:0040E485 7578 jne 0040E4FF
:0040E487 0FBE5118 movsx edx, byte ptr [ecx+18]   ; edx = s[18]
:0040E48B 8B442408 mov eax, dword ptr [esp+08]    ; expected low-nibble char
:0040E48F 25FF000000 and eax, 000000FF
:0040E494 3BD0 cmp edx, eax                       ; s[18] == expected ?
:0040E496 7567 jne 0040E4FF
; --- checksum 4 -> expected s[1D],s[1E] -------------------------------------
:0040E498 8A411A mov al, byte ptr [ecx+1A]        ; al = s[1A]
:0040E49B 8A510C mov dl, byte ptr [ecx+0C]        ; dl = s[0C]
:0040E49E 32D8 xor bl, al                         ; bl = s[1B] ^ s[1A]
:0040E4A0 32DA xor bl, dl                         ; ^ s[0C]
:0040E4A2 80F363 xor bl, 63                       ; ^ 63h
:0040E4A5 8AD3 mov dl, bl
:0040E4A7 8AC2 mov al, dl                         ; hex conversion (registers swapped vs. above)
:0040E4A9 C0E804 shr al, 04
:0040E4AC 0430 add al, 30
:0040E4AE 3C39 cmp al, 39
:0040E4B0 88442404 mov byte ptr [esp+04], al      ; high-nibble char
:0040E4B4 7606 jbe 0040E4BC
:0040E4B6 0407 add al, 07
:0040E4B8 88442404 mov byte ptr [esp+04], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E4B4(C)
|
:0040E4BC 80E20F and dl, 0F
:0040E4BF 80C230 add dl, 30
:0040E4C2 80FA39 cmp dl, 39
:0040E4C5 88542408 mov byte ptr [esp+08], dl      ; low-nibble char
:0040E4C9 7607 jbe 0040E4D2
:0040E4CB 80C207 add dl, 07
:0040E4CE 88542408 mov byte ptr [esp+08], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E4C9(C)
|
:0040E4D2 0FBE511D movsx edx, byte ptr [ecx+1D]   ; edx = s[1D]
:0040E4D6 8B442404 mov eax, dword ptr [esp+04]    ; expected high-nibble char
:0040E4DA 25FF000000 and eax, 000000FF
:0040E4DF 3BD0 cmp edx, eax                       ; s[1D] == expected ?
:0040E4E1 751C jne 0040E4FF
; Final compare: s[1E] against the low-nibble char; its result IS the
; return value. Author's note: this is where it finally ends -- `D ecx`
; now shows the complete serial.
:0040E4E3 0FBE491E movsx ecx, byte ptr [ecx+1E]   ; ecx = s[1E] (pointer no longer needed)
:0040E4E7 8B542408 mov edx, dword ptr [esp+08]    ; expected low-nibble char
:0040E4EB 33C0 xor eax, eax                       ; eax = 0 (default: fail)
:0040E4ED 81E2FF000000 and edx, 000000FF
:0040E4F3 5B pop ebx                              ; restore callee-saved ebx
:0040E4F4 3BCA cmp ecx, edx
:0040E4F6 0F94C0 sete al                          ; al = 1 iff s[1E] matched
:0040E4F9 83C408 add esp, 00000008                ; drop the two scratch slots
:0040E4FC C20400 ret 0004                         ; pop the serial-pointer argument
我如此低劣的行文你竟看到了这里,真是辛苦你了 ^_^ 此软件并无“校验”
有问题ggd-qicq@163.net
8086[CCG] 20:38 2001-7-11
- 标 题:NYDoll[BCG]请进,愿对你有帮助。 (15千字)
- 作 者:8086[CCG]
- 时 间:2001-7-11 21:26:35
- 链 接:http://bbs.pediy.com