(1)破 解:mwd[DFCG]
(2)目 的:找出算法,追出注册码。
(3)练习程序:
***监控王 V3.08
(4)难 度:简单,明码。
(5)下 载:http://www.skycn.com/soft/11502.html
(6)工 具:OllyDbg,PW32Dasm,PEiD,pe-scan。
(7)开 始:PEiD检查程序,加的是ASPack 2.12 -> Alexey Solodovnikov壳,用pe-scan脱壳,PW32Dasm载入程序找到相关信息,再用OllyDbg载入程序,过程如下。输入注册信息:
注册名:mwd
单位:DFCG
注册码:121212。
================================================================================
:005902D5
E82A3CE7FF call 00403F04----------------------断点
:005902DA
8D55F4 lea edx,
dword ptr [ebp-0C]
:005902DD 8B8704030000
mov eax, dword ptr [edi+00000304]
:005902E3 E89498EAFF
call 00439B7C
:005902E8 8B45F4
mov eax, dword ptr [ebp-0C]-----机器码06949525555565549545648送EAX
:005902EB
8D55FC lea edx,
dword ptr [ebp-04]
:005902EE E8ED97E7FF
call 00409AE0
:005902F3 8B45FC
mov eax, dword ptr [ebp-04]----机器码06949525555565549545648送EAX
:005902F6
E8893EE7FF call 00404184
:005902FB
8BF0 mov
esi, eax---------------ESI=机器码的位数
:005902FD 85F6
test esi, esi-------------------是否空
:005902FF
7E32 jle
00590333-------------------长度不大于0(为空)则跳走,否则继续
:00590301 BB01000000
mov ebx, 00000001---------------EBX置1
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00590331(C)
|
:00590306
8D45F0 lea eax,
dword ptr [ebp-10]
:00590309 8B55FC
mov edx, dword ptr [ebp-04]-----机器码06949525555565549545648送EDX
:0059030C
0FB6541AFF movzx edx, byte ptr
[edx+ebx-01]---依次取机器码送EDX
:00590311 83EA30
sub edx, 00000030------------------再依次减30h(即字符“0”的ASCII码,把数字字符转成数值)
:00590314
03D3 add
edx, ebx--------------------再加EBX
运算结果(式中字符的ASCII码为十六进制,序号和结果为十进制):
第1次:EDX=30-30+1=1      13:EDX=36-30+13=19
2:EDX=36-30+2=8         14:EDX=35-30+14=19
3:EDX=39-30+3=12        15:EDX=35-30+15=20
4:EDX=34-30+4=8         16:EDX=34-30+16=20
5:EDX=39-30+5=14        17:EDX=39-30+17=26
6:EDX=35-30+6=11        18:EDX=35-30+18=23
7:EDX=32-30+7=9         19:EDX=34-30+19=23
8:EDX=35-30+8=13        20:EDX=35-30+20=25
9:EDX=35-30+9=14        21:EDX=36-30+21=27
10:EDX=35-30+10=15      22:EDX=34-30+22=26
11:EDX=35-30+11=16      23:EDX=38-30+23=31
12:EDX=35-30+12=17
* Possible StringData Ref
from Data Obj ->"YELK456DFAO-FDI446ZXDPLMGWT-T4548OYXMLYASDF-LK"
->"1387DFDFASPZ-PD132LJD-FDMXCMQI-NDFLDKO-ALCMADO"
->"EEILAD-JEISOJKO-KDMCINJFDSWAEW"
|
:00590316 B918045900
mov ecx, 00590418------------指向上面字符串
:0059031B 8A5411FF
mov dl, byte ptr [ecx+edx-01]---在字符串中依次取出EDX的值所对应的字符
依次为:YD-DDOFFDI44ZZXXWLLGTW5这就是注册码了~!!!!
:0059031F E8883DE7FF
call 004040AC
:00590324 8B55F0
mov edx, dword ptr [ebp-10]
:00590327
8D45F8 lea eax,
dword ptr [ebp-08]
:0059032A E85D3EE7FF
call 0040418C
:0059032F 43
inc ebx------------------------加1
:00590330
4E dec
esi----------------------减1
:00590331 75D3
jne 00590306---------直到为0,否则继续向上循环
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005902FF(C)
|
:00590333
8D55EC lea edx,
dword ptr [ebp-14]
:00590336 8B870C030000
mov eax, dword ptr [edi+0000030C]
:0059033C E83B98EAFF
call 00439B7C
:00590341 8B55EC
mov edx, dword ptr [ebp-14]-------假码送入EDX
:00590344
8B45F8 mov eax,
dword ptr [ebp-08]-------真码送入EAX
:00590347 E8483FE7FF
call 00404294---------------------比较是否相等
:0059034C
7572 jne
005903C0-----------------不能跳!跳玩完~!
改7572为7472即可爆破~!!
*
Possible StringData Ref from Data Obj ->"PrtMonit.ini"
|
:0059034E B99C045900
mov ecx, 0059049C
:00590353 B201
mov dl, 01
*
Possible StringData Ref from Data Obj ->"G"
|
:00590355 A1E4C54700 mov
eax, dword ptr [0047C5E4]
:0059035A E82DC3EEFF
call 0047C68C
:0059035F 8BD8
mov ebx, eax
:00590361 8D55E8
lea edx, dword ptr [ebp-18]
:00590364
8B870C030000 mov eax, dword ptr [edi+0000030C]
:0059036A
E80D98EAFF call 00439B7C
:0059036F
8B45E8 mov eax,
dword ptr [ebp-18]
:00590372 50
push eax
*
Possible StringData Ref from Data Obj ->"RegNO"
|
:00590373 B9B4045900
mov ecx, 005904B4
*
Possible StringData Ref from Data Obj ->"RegInformation"
|
:00590378 BAC4045900
mov edx, 005904C4
:0059037D 8BC3
mov eax, ebx
:0059037F 8B18
mov ebx, dword ptr
[eax]
:00590381 FF5304
call [ebx+04]
*
Possible StringData Ref from Data Obj ->"注册成功,感谢您对我们的支持!"
|
:00590384 B8DC045900
mov eax, 005904DC
:00590389 E8761CEDFF
call 00462004
:0059038E A158935900
mov eax, dword ptr [00599358]
:00590393 8B00
mov eax, dword ptr
[eax]
:00590395 8B80B4050000 mov eax,
dword ptr [eax+000005B4]
:0059039B 33D2
xor edx, edx
:0059039D E8E6E6EDFF
call 0046EA88
:005903A2 A104935900
mov eax, dword ptr [00599304]
:005903A7
C60001 mov byte
ptr [eax], 01
:005903AA A158935900
mov eax, dword ptr [00599358]
:005903AF 8B00
mov eax, dword ptr [eax]
:005903B1
8B80D8040000 mov eax, dword ptr [eax+000004D8]
:005903B7
33D2 xor
edx, edx
:005903B9 E82ADAECFF call
0045DDE8
:005903BE EB0A
jmp 005903CA
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059034C(C)
|
* Possible StringData Ref from Data Obj ->"注册码错误!"