• Title: Let the program tell us its own registration code --- Patching, advanced (3,000 characters)
  • Author: 8989
  • Time: 2001-8-22 22:03:58
  • Link: http://bbs.pediy.com

Let the program tell us its own registration code --- Patching, advanced

Author: 风飘雪

My third article since joining BCG.
Thanks to 看雪 for providing the proxy server that lets me reach foreign sites and study their cracking methods.

Theoretical basis: when a wrong registration code is entered, many programs pop up an error window telling you the code is incorrect.
If we replace the error message with the correct registration code, the popup will display the correct code instead, and the program
ends up telling us its own registration code.

A worked example follows.

Target: Quod (监狱) 1.0
Download: http://newhua.ruyi.com/down/Quod10.EXE
1. Check for a packer with Language2000; ASPack is detected.
2. Unpack with unaspack.
3. Disassemble with W32Dasm:
:0045F32E 8B55F0 mov edx, dword ptr [ebp-10]
:0045F331 8D4DF4 lea ecx, dword ptr [ebp-0C]
:0045F334 8BC3 mov eax, ebx
:0045F336 E8BD010000 call 0045F4F8
:0045F33B 8B55F4 mov edx, dword ptr [ebp-0C] **** classic cracking pattern --------------------
:0045F33E 58 pop eax    *****  edx holds the real code
:0045F33F E8F854FAFF call 0040483C ****** key call  ==============
:0045F344 7576 jne 0045F3BC        ******  key jump: a wrong code jumps to 45f3bc -------
:0045F346 B201 mov dl, 01
:0045F348 A1E8EA4500 mov eax, dword ptr [0045EAE8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F2DE(C)
|
:0045F34D E896F8FFFF call 0045EBE8
:0045F352 8945FC mov dword ptr [ebp-04], eax
:0045F355 33C0 xor eax, eax
:0045F357 55 push ebp
:0045F358 68B5F34500 push 0045F3B5
:0045F35D 64FF30 push dword ptr fs:[eax]
:0045F360 648920 mov dword ptr fs:[eax], esp
:0045F363 B101 mov cl, 01

* Possible StringData Ref from Code Obj ->"Software\XDZHAN\Quod"
|
:0045F365 BA00F44500 mov edx, 0045F400
:0045F36A 8B45FC mov eax, dword ptr [ebp-04]
:0045F36D E87AF9FFFF call 0045ECEC

* Possible StringData Ref from Code Obj ->"Real Programmers Use Pascal!"
|
:0045F372 B920F44500 mov ecx, 0045F420

* Possible StringData Ref from Code Obj ->"Key"
|
:0045F377 BA48F44500 mov edx, 0045F448
:0045F37C 8B45FC mov eax, dword ptr [ebp-04]
:0045F37F E804FBFFFF call 0045EE88

* Possible StringData Ref from Code Obj ->"软件注册成功,谢谢您的支持!"
|
:0045F384 B854F44500 mov eax, 0045F454
:0045F389 E82A39FDFF call 00432CB8
:0045F38E A1E83E4600 mov eax, dword ptr [00463EE8]
:0045F393 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"监狱(Quod)—注册版"
|
:0045F395 BA78F44500 mov edx, 0045F478
:0045F39A E8459EFDFF call 004391E4
:0045F39F 33C0 xor eax, eax
:0045F3A1 5A pop edx
:0045F3A2 59 pop ecx
:0045F3A3 59 pop ecx
:0045F3A4 648910 mov dword ptr fs:[eax], edx
:0045F3A7 68C6F34500 push 0045F3C6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F3BA(U)
|
:0045F3AC 8B45FC mov eax, dword ptr [ebp-04]
:0045F3AF E82043FAFF call 004036D4
:0045F3B4 C3 ret


:0045F3B5 E9AE4AFAFF jmp 00403E68
:0045F3BA EBF0 jmp 0045F3AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F344(C)  with the green highlight bar on this line, double right-click to go to where the jump came from
|

* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册!"
|
:0045F3BC B894F44500 mov eax, 0045F494------ the jump lands here, so this is what we change => mov eax, dword ptr [ebp-0C]
:0045F3C1 E8F238FDFF call 00432CB8
:0045F3C6 33C0 xor eax, eax

(1) First patching method:
dword ptr [ebp-0C] holds the real registration code.
Change 0045F3BC B894F44500 mov eax, 0045F494  ** 45F494 holds the error string "注册码不正确,无法注册!"
              to      mov eax, dword ptr [ebp-0C] **** dword ptr [ebp-0C] holds the real registration code

B894F44500 =>
8B45F49090 (the byte count must stay the same, so pad with two 90 bytes, i.e. two nops)

(2) Second patching method:
Set a breakpoint in TRW:
bpx 45f33e
d (ebp-0c)
The data window shows 20CDBD00  **** note this
dd (ebp-0C)
shows 00BDCD20, the same bytes as above in reverse order
DB (EBP-0C) shows the correct registration code
Press F10 until
:0045F3BC B894F44500 mov eax, 0045F494
a
mov eax,00bdcd20

Continue running, and the registration code pops up.


Summary: B894F44500 (mov eax, 0045F494)
=>    B820CDBD00 (mov eax,00bdcd20)

Patched permanently with UltraEdit; tested successfully.

After the patch, enter a name and any registration code, and the program pops up the correct registration code.
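As an added C illustration (not code from Quod or from the author), here is the layout this article exploits beside one that never keeps the true key in the process: the weak check materializes the real key in a stack buffer (the listing's [ebp-0C]) next to a pointer to a fixed error string, so whichever pointer reaches the message box can be swapped for the key buffer; the hashed check has no such buffer. The key derivation, the FNV-1a digest and the names are assumptions standing in for the real program's scheme.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy key derivation standing in for whatever the real program computes
 * before the compare (assumption, not Quod's algorithm). */
static void derive_key(const char *name, char out[16]) {
    uint32_t acc = 0x9E3779B9u;
    for (const char *p = name; *p; p++)
        acc = acc * 31u + (unsigned char)*p;
    snprintf(out, 16, "%08" PRIX32, acc);
}

/* Weak layout, as in the article: the true key is written to a local buffer
 * and compared with the input; the failure path then loads a pointer to a
 * fixed error string. Redirecting that pointer to real_key makes the program
 * display its own key. */
const char *check_weak(const char *name, const char *input) {
    char real_key[16];
    derive_key(name, real_key);
    if (strcmp(input, real_key) == 0)
        return "registered";
    return "wrong key";
}

/* FNV-1a 64, a stand-in for a real one-way hash (assumption). */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Hardened layout: the program ships only a digest of the valid name/key pair
 * and digests "name:input" for the comparison. No buffer ever holds the true
 * key, so pointing the error message at memory reveals nothing. The single
 * branch can still be patched to accept anything, but the key itself is not
 * recoverable from the running process. */
int check_hashed(const char *name, const char *input, uint64_t expected) {
    char buf[128];
    if (snprintf(buf, sizeof buf, "%s:%s", name, input) >= (int)sizeof buf)
        return 0;                       /* overlong input: reject, no overflow */
    return fnv1a64(buf) == expected;
}

int main(void) {
    char key[16];
    derive_key("alice", key);
    printf("weak: %s / %s\n", check_weak("alice", key), check_weak("alice", "X"));
    uint64_t digest = fnv1a64("alice:1234-5678");   /* computed offline by the vendor */
    printf("hashed: %d / %d\n", check_hashed("alice", "1234-5678", digest),
           check_hashed("alice", "0000-0000", digest));
    return 0;
}
```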