耶書制造 CHMmaker v2.87
[耶書制造 CHMmaker]是开寅软件工作室开发的 eLSE 系列软件的作品之一, eLSE 的意思是平常可能没想到,其实确是很需要,它不会是很大,也不会很全,
但会很实用。欢迎大家对本软件或 eLSE 的后续提供创意并发表意见, 我们一定会尽力做到最好!
[耶書制造 CHMmaker]是一款共享软件, 在它带给你方便的同时, 希望你能考虑注册这款软件, 这会给作者的工作提供支持, 使作者能保障软件的正常升级。
同时作者不希望看到有人对本软件作任何反向工程, 不希望看到有人提供本软件的注册机/码下载。希自觉遵守。
homepage:http://elsesoft.home.sohu.com
上面这一大段是从软件的说明中抄来的,呵呵,2.88已经出来很久了,我弄个2.87的开刀,开寅软件工作室不会找我算帐吧,现在又修改了一个什么法的,我好怕啊!
最近一段时间遇到几个软件,都不好对付,当你输入注册码的时候,不管它错误还是正确,都没有相应的提示,KAO,烦。还好有大家的帮助,给我提了不少建议,在大家的帮助下,已经成功攻破两个此类软件。一个是Flash
Player,论坛当中有人跟过,post的出来了,不过是爆破,我不喜欢。它判断是否注册时,耍了个花招,害我费了不少宝贵的时间。不过今天不说它,今天说的是CHMmaker,好了废话少说,切入正题。先用fi看了看,是upx
v1.20的壳,很好脱嘛,用upx自己就可以脱了。运行脱壳后的程序,注册,没有反应,没有任何提示。下bpx hmemcpy跟了几遍,没有收获,只能怪自己水平太菜,还是先用w32asm看看吧。呵呵,我没有学过汇编,只好瞎蒙了。找到"软件已过了评估期限,
请注册."这个字符串,双击它来到这里:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048F168(C)
|
:0048F1B5 83F81F
cmp eax, 0000001F
:0048F1B8 0F82A1000000 jb 0048F25F
:0048F1BE 6A30
push 00000030
:0048F1C0 680CF54800 push 0048F50C
* Possible StringData Ref from Code Obj ->"软件已过了评估期限, 请注册."
|
:0048F1C5 6868F54800 push 0048F568
//双击后光标停在这里!
:0048F1CA 8B45FC
mov eax, dword ptr [ebp-04]
:0048F1CD E84A8DFAFF call 00437F1C
:0048F1D2 50
push eax
上面有个跳,不知道跳过去是干什么的,没看懂(应该是根本看不懂,对我来说是天书 :)),我们直接把光标移到|:0048F168(C)处,在它上面双击鼠标右键来到调用这段代码的地方:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048F0BA(C)
|
:0048F161 8BC3
mov eax, ebx
:0048F163 2BC6
sub eax, esi
:0048F165 83F81F
cmp eax, 0000001F
:0048F168 734B
jnb 0048F1B5 //就是这里跳到上面那段代码的
:0048F16A 40
inc eax
:0048F16B 8BF0
mov esi, eax
:0048F16D 8BC6
mov eax, esi
:0048F16F 33D2
xor edx, edx
:0048F171 52
push edx
:0048F172 50
push eax
:0048F173 8D45E8
lea eax, dword ptr [ebp-18]
:0048F176 E8B599F7FF call 00408B30
还是个调用,继续顺藤摸瓜,找它的调用地方:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048F021(C)
|
:0048F08F 33D2
xor edx, edx
:0048F091 55
push ebp
* Possible StringData Ref from Code Obj ->"?A?岴扈GI?岴鋴U噼訧?婨梃碖?嬝婨滂狵?;豻"
->"岴旌岝H"
|
:0048F092 686CF24800 push 0048F26C
:0048F097 64FF32
push dword ptr fs:[edx]
:0048F09A 648922
mov dword ptr fs:[edx], esp
:0048F09D 8B45E8
mov eax, dword ptr [ebp-18]
:0048F0A0 E8FF9AF7FF call 00408BA4
:0048F0A5 8BF0
mov esi, eax
:0048F0A7 8B45E4
mov eax, dword ptr [ebp-1C]
:0048F0AA E8F59AF7FF call 00408BA4
:0048F0AF 8BD3
mov edx, ebx
:0048F0B1 2BD0
sub edx, eax
:0048F0B3 8955D4
mov dword ptr [ebp-2C], edx
:0048F0B6 837DD400 cmp
dword ptr [ebp-2C], 00000000
:0048F0BA 0F8DA1000000 jnl 0048F161
//就是这里调用上面的那段代码,看看下面,不跳也出错,所以向上找根源
:0048F0C0 6A30
push 00000030
:0048F0C2 680CF54800 push 0048F50C
* Possible StringData Ref from Code Obj ->"用户调整了系统时间! 注册后才能继续使用."
|
:0048F0C7 6814F54800 push 0048F514
:0048F0CC 8B45FC
mov eax, dword ptr [ebp-04]
:0048F0CF E8488EFAFF call 00437F1C
:0048F0D4 50
push eax
继续找它的调用点,来到如下的核心地带,该换用trw上场了,开始我们的动态跟踪:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048EB45(C)
|
:0048EB40 6A00
push 00000000
:0048EB42 6A00
push 00000000
:0048EB44 49
dec ecx
:0048EB45 75F9
jne 0048EB40
:0048EB47 53
push ebx
:0048EB48 56
push esi
:0048EB49 57
push edi
:0048EB4A 8955F8
mov dword ptr [ebp-08], edx
:0048EB4D 8945FC
mov dword ptr [ebp-04], eax
:0048EB50 8B45F8
mov eax, dword ptr [ebp-08]
:0048EB53 E89C54F7FF call 00403FF4
:0048EB58 33C0
xor eax, eax
:0048EB5A 55
push ebp
* Possible StringData Ref from Code Obj ->"锽覧_[迕"
|
:0048EB5B 6820F44800 push 0048F420
:0048EB60 64FF30
push dword ptr fs:[eax]
:0048EB63 648920
mov dword ptr fs:[eax], esp
:0048EB66 E805FDFFFF call 0048E870
:0048EB6B C645F701 mov
[ebp-09], 01
:0048EB6F 8D45DC
lea eax, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->"Q2lA5rM6zI7sK8eO9aL2wP3q3pZ4mW5V5vT6gG7y9iC2bR"
->"3hF4uB8cY9fH2tN3kS6oX7nE8jDxU4dJ"
|
:0048EB72 BA3CF44800 mov edx,
0048F43C
:0048EB77 E8DC50F7FF call 00403C58
:0048EB7C 8D45F0
lea eax, dword ptr [ebp-10]
:0048EB7F BA94F44800 mov edx,
0048F494
:0048EB84 E8CF50F7FF call 00403C58
:0048EB89 8D45F0
lea eax, dword ptr [ebp-10]
:0048EB8C E8FFFEFFFF call 0048EA90
:0048EB91 8BD8
mov ebx, eax
:0048EB93 8BC3
mov eax, ebx
:0048EB95 E8928AF7FF call 0040762C
:0048EB9A 0FB7C0
movzx eax, ax
:0048EB9D 8BF0
mov esi, eax
:0048EB9F C1E602
shl esi, 02
:0048EBA2 0FB7C3
movzx eax, bx
:0048EBA5 8BF8
mov edi, eax
:0048EBA7 03FF
add edi, edi
:0048EBA9 8D3C7F
lea edi, dword ptr [edi+2*edi]
:0048EBAC 81C70D260000 add edi, 0000260D
:0048EBB2 8D95C8FEFFFF lea edx, dword
ptr [ebp+FFFFFEC8]
:0048EBB8 8BC7
mov eax, edi
:0048EBBA E8419FF7FF call 00408B00
:0048EBBF FFB5C8FEFFFF push dword ptr
[ebp+FFFFFEC8]//算得机器码的第一部分
:0048EBC5 8BC3
mov eax, ebx
:0048EBC7 33D2
xor edx, edx
:0048EBC9 52
push edx
:0048EBCA 50
push eax
:0048EBCB 8D85C4FEFFFF lea eax, dword
ptr [ebp+FFFFFEC4]
:0048EBD1 E85A9FF7FF call 00408B30
:0048EBD6 FFB5C4FEFFFF push dword ptr
[ebp+FFFFFEC4]//算得机器码的第二部分
:0048EBDC 8D95C0FEFFFF lea edx, dword
ptr [ebp+FFFFFEC0]
:0048EBE2 8BC6
mov eax, esi
:0048EBE4 E8179FF7FF call 00408B00
:0048EBE9 FFB5C0FEFFFF push dword ptr
[ebp+FFFFFEC0]//算得机器码的第三部分
:0048EBEF 8D45F0
lea eax, dword ptr [ebp-10]
:0048EBF2 BA03000000 mov edx,
00000003
:0048EBF7 E80453F7FF call 00403F00
:0048EBFC C745D401000000 mov [ebp-2C], 00000001
:0048EC03 8D95B8FEFFFF lea edx, dword
ptr [ebp+FFFFFEB8]
:0048EC09 8BC7
mov eax, edi
:0048EC0B E8F09EF7FF call 00408B00
:0048EC10 FFB5B8FEFFFF push dword ptr
[ebp+FFFFFEB8]
:0048EC16 68A0F44800 push 0048F4A0
:0048EC1B 8BC3
mov eax, ebx
:0048EC1D 33D2
xor edx, edx
:0048EC1F 52
push edx
:0048EC20 50
push eax
:0048EC21 8D85B4FEFFFF lea eax, dword
ptr [ebp+FFFFFEB4]
:0048EC27 E8049FF7FF call 00408B30
:0048EC2C FFB5B4FEFFFF push dword ptr
[ebp+FFFFFEB4]
:0048EC32 68A0F44800 push 0048F4A0
:0048EC37 8D95B0FEFFFF lea edx, dword
ptr [ebp+FFFFFEB0]
:0048EC3D 8BC6
mov eax, esi
:0048EC3F E8BC9EF7FF call 00408B00
:0048EC44 FFB5B0FEFFFF push dword ptr
[ebp+FFFFFEB0]
:0048EC4A 8D85BCFEFFFF lea eax, dword
ptr [ebp+FFFFFEBC]
:0048EC50 BA05000000 mov edx,
00000005
:0048EC55 E8A652F7FF call 00403F00
:0048EC5A 8B95BCFEFFFF mov edx, dword
ptr [ebp+FFFFFEBC]//至此,程序已经算得完整的机器码,且放到了edx中
:0048EC60 A1E81F4900 mov eax,
dword ptr [00491FE8]
:0048EC65 8B00
mov eax, dword ptr [eax]
:0048EC67 8B8098060000 mov eax, dword
ptr [eax+00000698]
:0048EC6D E8CA31FAFF call 00431E3C
//此call的作用是将机器码中的“-”去掉
:0048EC72 8B45F0
mov eax, dword ptr [ebp-10]//将去掉“-”的机器码送到eax
:0048EC75 E8C651F7FF call 00403E40//在这里取得去掉“-”后机器码的长度
:0048EC7A 83F804
cmp eax, 00000004
:0048EC7D 0F8C4C010000 jl 0048EDCF
:0048EC83 8945D8
mov dword ptr [ebp-28], eax//将机器码长度放到ebp-28
上面这段代码的作用是我根据动态跟踪的结果猜的,因为我看不懂汇编!!如果猜错了,还望指点一下小弟!谢谢!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048EDC9(C)
|
:0048EC86 8D85ACFEFFFF lea eax, dword
ptr [ebp+FFFFFEAC]//这里向下开始计算注册码!!
:0048EC8C 50
push eax
:0048EC8D B901000000 mov ecx,
00000001
:0048EC92 8B55D8
mov edx, dword ptr [ebp-28]
:0048EC95 8B45F0
mov eax, dword ptr [ebp-10]
:0048EC98 E8AB53F7FF call 00404048
:0048EC9D FFB5ACFEFFFF push dword ptr
[ebp+FFFFFEAC]
:0048ECA3 8D85A8FEFFFF lea eax, dword
ptr [ebp+FFFFFEA8]
:0048ECA9 50
push eax
:0048ECAA 8B55D8
mov edx, dword ptr [ebp-28]
:0048ECAD 4A
dec edx
:0048ECAE B901000000 mov ecx,
00000001
:0048ECB3 8B45F0
mov eax, dword ptr [ebp-10]
:0048ECB6 E88D53F7FF call 00404048
:0048ECBB FFB5A8FEFFFF push dword ptr
[ebp+FFFFFEA8]
:0048ECC1 8D85A4FEFFFF lea eax, dword
ptr [ebp+FFFFFEA4]
:0048ECC7 50
push eax
:0048ECC8 8B55D8
mov edx, dword ptr [ebp-28]
:0048ECCB 83EA02
sub edx, 00000002
:0048ECCE B901000000 mov ecx,
00000001
:0048ECD3 8B45F0
mov eax, dword ptr [ebp-10]
:0048ECD6 E86D53F7FF call 00404048
:0048ECDB FFB5A4FEFFFF push dword ptr
[ebp+FFFFFEA4]
:0048ECE1 8D85A0FEFFFF lea eax, dword
ptr [ebp+FFFFFEA0]
:0048ECE7 50
push eax
:0048ECE8 8B55D8
mov edx, dword ptr [ebp-28]
:0048ECEB 83EA03
sub edx, 00000003
:0048ECEE B901000000 mov ecx,
00000001
:0048ECF3 8B45F0
mov eax, dword ptr [ebp-10]
:0048ECF6 E84D53F7FF call 00404048
:0048ECFB FFB5A0FEFFFF push dword ptr
[ebp+FFFFFEA0]
:0048ED01 8D45EC
lea eax, dword ptr [ebp-14]
:0048ED04 BA04000000 mov edx,
00000004
:0048ED09 E8F251F7FF call 00403F00
:0048ED0E 33C0
xor eax, eax
:0048ED10 55
push ebp
* Possible StringData Ref from Code Obj ->"镕坯?
|
:0048ED11 6831ED4800 push 0048ED31
:0048ED16 64FF30
push dword ptr fs:[eax]
:0048ED19 648920
mov dword ptr fs:[eax], esp
:0048ED1C 8B45EC
mov eax, dword ptr [ebp-14]
:0048ED1F E8809EF7FF call 00408BA4
:0048ED24 8945D4
mov dword ptr [ebp-2C], eax
:0048ED27 33C0
xor eax, eax
:0048ED29 5A
pop edx
:0048ED2A 59
pop ecx
:0048ED2B 59
pop ecx
:0048ED2C 648910
mov dword ptr fs:[eax], edx
:0048ED2F EB14
jmp 0048ED45
:0048ED31 E96E46F7FF jmp 004033A4
:0048ED36 E8C549F7FF call 00403700
:0048ED3B E982000000 jmp 0048EDC2
:0048ED40 E8BB49F7FF call 00403700
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048ED2F(U)
|
:0048ED45 8B45D4
mov eax, dword ptr [ebp-2C]
:0048ED48 B94F000000 mov ecx,
0000004F
:0048ED4D 99
cdq
:0048ED4E F7F9
idiv ecx
:0048ED50 8955D4
mov dword ptr [ebp-2C], edx
:0048ED53 837DD400 cmp
dword ptr [ebp-2C], 00000000
:0048ED57 7506
jne 0048ED5F
:0048ED59 8B45D8
mov eax, dword ptr [ebp-28]
:0048ED5C 8945D4
mov dword ptr [ebp-2C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048ED57(C)
|
:0048ED5F 8D45E8
lea eax, dword ptr [ebp-18]
:0048ED62 50
push eax
:0048ED63 B901000000 mov ecx,
00000001
:0048ED68 8B55D4
mov edx, dword ptr [ebp-2C]
:0048ED6B 8B45DC
mov eax, dword ptr [ebp-24]
:0048ED6E E8D552F7FF call 00404048
:0048ED73 8B45E4
mov eax, dword ptr [ebp-1C]
:0048ED76 E8C550F7FF call 00403E40
:0048ED7B 8BC8
mov ecx, eax
:0048ED7D 85C9
test ecx, ecx
:0048ED7F 750D
jne 0048ED8E
:0048ED81 8D45E4
lea eax, dword ptr [ebp-1C]
:0048ED84 8B55E8
mov edx, dword ptr [ebp-18]
:0048ED87 E8CC4EF7FF call 00403C58
:0048ED8C EB34
jmp 0048EDC2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048ED7F(C)
|
:0048ED8E 8D4101
lea eax, dword ptr [ecx+01]
:0048ED91 B905000000 mov ecx,
00000005
:0048ED96 99
cdq
:0048ED97 F7F9
idiv ecx
:0048ED99 85D2
test edx, edx
:0048ED9B 751A
jne 0048EDB7
:0048ED9D FF75E4
push [ebp-1C]
:0048EDA0 68A0F44800 push 0048F4A0
:0048EDA5 FF75E8
push [ebp-18]
:0048EDA8 8D45E4
lea eax, dword ptr [ebp-1C]
:0048EDAB BA03000000 mov edx,
00000003
:0048EDB0 E84B51F7FF call 00403F00
:0048EDB5 EB0B
jmp 0048EDC2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048ED9B(C)
|
:0048EDB7 8D45E4
lea eax, dword ptr [ebp-1C]
:0048EDBA 8B55E8
mov edx, dword ptr [ebp-18]
:0048EDBD E88650F7FF call 00403E48
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048ED3B(U), :0048ED8C(U), :0048EDB5(U)
|
:0048EDC2 FF4DD8
dec [ebp-28]
:0048EDC5 837DD803 cmp
dword ptr [ebp-28], 00000003
:0048EDC9 0F85B7FEFFFF jne 0048EC86//这里与上面的代码构成一个循环,计算注册码!!我已经是没有一点耐心了,受不了了,再说我也看不懂。你有兴趣的话,研究一下吧,知道了别忘了告诉小弟我啊!
:)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048EC7D(C)
|
:0048EDCF 8D45E0
lea eax, dword ptr [ebp-20]
:0048EDD2 8B55E4
mov edx, dword ptr [ebp-1C]//过了这一行,下d edx就得到了你想要的东西了
:0048EDD5 E87E4EF7FF call 00403C58
:0048EDDA 8D45D0
lea eax, dword ptr [ebp-30]
:0048EDDD 50
push eax
* Possible StringData Ref from Code Obj ->"Software\Micros
- 标 题:gnball兄,你要的东西,请进。不知到你满意波! (17千字)
- 作 者:10011001
- 时 间:2001-12-31 19:46:42
- 链 接:http://bbs.pediy.com