LeapFTP 2.7

标题：破解LeapFTP 2.7刚完成的,写得不好高手别看^_^ (7千字)
作者：VitaminC
时间：2002-3-16 21:47:57
链接：http://bbs.pediy.com

破解LeapFTP 2.7:
本来今天是要CRACK'百里挑一'的,可是我追了好久,没发现什么头绪.又刚好我的网页的上传要用到FTP于是好装了LeapFTP 2.7(但最终用不了:-(我这是要经过学校的代理服务器的,我没设置好,出许设置好了也不能用,学校的'好网'),于是在没能破'百里挑一'就拿它来开刀了.
还是这样在注册对话框里填上:
NAME:Vitamin C
NUM.:1234ABCD
在SICE里用BPX HMEMCPY设断,中断后按十几次F12后来到程序核心(用BORLAND DELPHI也的程序都这样的):
...
:00487183 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00487189 E83AC8FAFF call 004339C8/*这个CALL取得NUM.*/
:0048718E 8B45F8 mov eax, dword ptr [ebp-08]
:00487191 8D55FC lea edx, dword ptr [ebp-04]
:00487194 E81719F8FF call 00408AB0
:00487199 80BBF402000000 cmp byte ptr [ebx+000002F4], 00
:004871A0 740E je 004871B0
:004871A2 8B55FC mov edx, dword ptr [ebp-04]
:004871A5 8BC3 mov eax, ebx
:004871A7 E888030000 call 00487534
:004871AC 84C0 test al, al
:004871AE 7526 jne 004871D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004871A0(C)
|
:004871B0 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:004871B6 50 push eax
:004871B7 8D55F4 lea edx, dword ptr [ebp-0C]
:004871BA 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:004871C0 E803C8FAFF call 004339C8/*取得NAME*/
:004871C5 8B55F4 mov edx, dword ptr [ebp-0C]/*传入了NAME->EDX*/
:004871C8 8B4DFC mov ecx, dword ptr [ebp-04]/*传入了NUM.->ECX/*
:004871CB 8BC3 mov eax, ebx
:004871CD E8BA010000 call 0048738C/*关键的CALL*/
:004871D2 84C0 test al, al/*AL要不等于0*/
:004871D4 7462 je 00487238/*要不完了!*/
...
在这段代码从:004871C5--:004871D4这几行,一看便会想到这是典型的NUM.处理格式!当然在关键的CALL(:004871CD)前并没有传入正确的NUM.但要是你不理这几行试试你会发现很就GAME OVER了...要你用RFL Z将:004871D4的跳转方向改变程序便会感谢你的注册^_^
好了,不用多说,用F8跟进此CALL:
...
:00487443 8B55F8 mov edx, dword ptr [ebp-08]/*传入输入的NUM.*/
:00487446 B808754800 mov eax, 00487508/*传入了字符'-'*/
:0048744B E8A0CDF7FF call 004041F0/*这个CALL用于计算输入的NUM.里'-'以前的
:00487450 8BC8 mov ecx, eax 字符的个数*/
:00487452 49 dec ecx
:00487453 BA01000000 mov edx, 00000001
:00487458 8B45F8 mov eax, dword ptr [ebp-08]
:0048745B E8ACCCF7FF call 0040410C
:00487460 8B45E0 mov eax, dword ptr [ebp-20]/*这里传入字符'-'前的字符
:00487463 8B5508 mov edx, dword ptr [ebp+08] 和'214065'*/
:00487466 E8A9CBF7FF call 00404014/*此CALL关键,那两个字符串就在这个CALL里比较*/
:0048746B 7548 jne 004874B5/*若不等则跳*/
:0048746D 8D45DC lea eax, dword ptr [ebp-24]
:00487470 50 push eax
:00487471 8B55F8 mov edx, dword ptr [ebp-08]
:00487474 B808754800 mov eax, 00487508
:00487479 E872CDF7FF call 004041F0
:0048747E 50 push eax
:0048747F 8B45F8 mov eax, dword ptr [ebp-08]
:00487482 E87DCAF7FF call 00403F04
:00487487 5A pop edx
:00487488 2BC2 sub eax, edx
:0048748A 50 push eax
:0048748B 8B55F8 mov edx, dword ptr [ebp-08]
:0048748E B808754800 mov eax, 00487508
:00487493 E858CDF7FF call 004041F0
:00487498 8BD0 mov edx, eax
:0048749A 42 inc edx
:0048749B 8B45F8 mov eax, dword ptr [ebp-08]
:0048749E 59 pop ecx
:0048749F E868CCF7FF call 0040410C
:004874A4 8B45DC mov eax, dword ptr [ebp-24]/*传入NUM.在'-'后的字符和
:004874A7 8B55EC mov edx, dword ptr [ebp-14] 3337009290(正确的NUM.)*/
:004874AA E865CBF7FF call 00404014/*在这里边进行最后的比较.*/
:004874AF 7504 jne 004874B5/*不相等则跳*/
:004874B1 B301 mov bl, 01
:004874B3 EB02 jmp 004874B7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048746B(C), :004874AF(C)
|
:004874B5 33DB xor ebx, ebx/*笨冬瓜兄说的,这是我们CRACKER的大敌啊!*/

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004874B3(U)
|
:004874B7 33C0 xor eax, eax
:004874B9 5A pop edx
:004874BA 59 pop ecx
:004874BB 59 pop ecx
:004874BC 648910 mov dword ptr fs:[eax], edx
:004874BF 68F6744800 push 004874F6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004874F4(U)
|
:004874C4 8D45DC lea eax, dword ptr [ebp-24]
:004874C7 BA02000000 mov edx, 00000002
:004874CC E8D7C7F7FF call 00403CA8
:004874D1 8D45EC lea eax, dword ptr [ebp-14]
:004874D4 E8ABC7F7FF call 00403C84
:004874D9 8D45F8 lea eax, dword ptr [ebp-08]
:004874DC BA02000000 mov edx, 00000002
:004874E1 E8C2C7F7FF call 00403CA8
:004874E6 8D4508 lea eax, dword ptr [ebp+08]
:004874E9 E896C7F7FF call 00403C84
:004874EE C3 ret/*这个RET是返回到:004874F6的.(就在下三句)*/

:004874EF E928C2F7FF jmp 0040371C
:004874F4 EBCE jmp 004874C4
:004874F6 8BC3 mov eax, ebx/*把EBX传入EAX,要能使EBX=1那我们就成功了!*/
:004874F8 5B pop ebx
:004874F9 8BE5 mov esp, ebp
:004874FB 5D pop ebp
:004874FC C20400 ret 0004/*在这返回,跳出整个关键CALL,且传出AL的值*/
...
在这一整段的代码前还有一大段关键的代码,是用来计算正确的NUM.的,只是那里用到了我最怕的浮点运算:-(我就放弃去分析它了...小菜菜就是菜啊!还有在这一大段代码里从:0048746D->:0048749E是用了两种方式来检验输入的NUM.和正确的NUM.之间里以'-'为界字符位数是否相同的.在上面的动态分析里你会发现
我们在开始输入的1234ABCD在:0048744B里的那个CALL后就会计算出来的东东是个0.正因为这样我就走弯路了,好久没能看明白这段代码.其实,在正确的注册码:214065-3337009290里,214065是固定的,只有3337009290是计算得来的.唉!这里并没有明确的比较'-'这个字符,但程序确实实在在的用间接的方式检验了它是否存在!
...
:00404014 53 push ebx
:00404015 56 push esi
:00404016 57 push edi
:00404017 89C6 mov esi, eax
:00404019 89D7 mov edi, edx
:0040401B 39D0 cmp eax, edx
:0040401D 0F848F000000 je 004040B2
:00404023 85F6 test esi, esi
...
这段是在:00487466和:004874AA里的两个CALL里的关键代码.那个CMP,那个正确的NUM....

好了到这,对于我也就把它完成了.(没找出算法...以后吧!等我成了大虾再说,呵呵^-^)

OK!

NAME:Vitamin C
NUM.:214065-3337009290

Vitamin C[抗坏血酸].2002.3.16.ZJ.GD.CHI.