电脑锁2003 2.2
File size: 473KB
Language: Simplified Chinese
Category: Chinese software / shareware / system security
Platform: Win9x/Me/NT/2000/XP
Added: 2003-10-17 9:00:56
Downloads: 2769
Contact: zj@book4u.com.cn
Description:
This program is a screen-locking utility in the system-security category.
Cracked by: acacia
Purpose: I am a beginner at cracking; this write-up is for study only and has no other purpose.
Protection: the unregistered shareware version is limited to 20 trial runs; registering removes the limit automatically.
Environment: Windows 2000 Professional + SP3
Tools: FI, ASprStripper 2.03, DeDe 3.5, W32Dasm10
Impressions: while trial runs remain, the program locks the screen immediately on launch (always on top); once the trial count is used up, launching it opens the registration window directly, which makes tracing somewhat easier.
Cracking process:
1. First, scan the main program lock.exe with FI: it is packed with ASPack v2.12;
ASPack v2.12 A.Solodovnikov .data lock.exe ....484352 2003-10-17
2. Unpack it with ASprStripper 2.03, which succeeds;
3. Scan the unpacked program _lock.exe with FI again: it is a Delphi program with no packer;
4. Try to analyse it with DeDe 3.5, but while the analysis is in progress the program runs and locks the screen, so DeDe cannot be operated;
5. Switch to static disassembly with W32Dasm10. Run the program and attempt to register (enter any registration code); the program shows the message “对不起!你输入的注册码是不合法的...” (“Sorry! The registration code you entered is invalid...”). In W32Dasm, find the string reference for this message at 0048F278 (just above it you can see the success message). The code that shows this error is reached by a jump from 0048F0E6, so set a breakpoint directly at 0048F0E1 (from the code, this looks like the call that performs the key comparison). Run the program, enter any registration code, and it breaks; in W32Dasm look at the contents of edx/eax: the code I entered and another string. Write down that other string and leave the debugger. Run the program and enter that string as the registration code: success! (My machine code was 3258-14D8, registration code 5222122232021222723.)
6. A preliminary look shows that after successful registration the program writes to the registry key “SoftwareMicrosoftetlk”. Looking in the registry: it is a value named mp, of type WORD, with data 13b. Change 13b to 13b1 and start the program again; this time it reports that 0 trial runs remain and asks you to register. Enter a wrong registration code and it shows “对不起!你输入的注册码是不合法的...” again. In the disassembly, compare the code at 00494CB9 with that at 0048F278: they are essentially identical. Good, let's follow this one and look at the registration algorithm!
------------------------------------------------------------------------
:00494B04 0100 add dword ptr [eax], eax
:00494B06 0000 add byte ptr [eax], al
:00494B08 2D00000055 sub eax, 55000000
:00494B0D 8BEC mov ebp, esp
:00494B0F 33C9 xor ecx, ecx
:00494B11 51 push ecx
:00494B12 51 push ecx
:00494B13 51 push ecx
:00494B14 51 push ecx
:00494B15 51 push ecx
:00494B16 51 push ecx
:00494B17 51 push ecx
:00494B18 51 push ecx
:00494B19 53 push ebx
:00494B1A 56 push esi
:00494B1B 8945FC mov dword ptr [ebp-04], eax
:00494B1E 33C0 xor eax, eax
:00494B20 55 push ebp
:00494B21 680B4D4900 push 00494D0B
:00494B26 64FF30 push dword ptr fs:[eax]
:00494B29 648920 mov dword ptr fs:[eax], esp
:00494B2C 8D45F8 lea eax, dword ptr [ebp-08]
:00494B2F E888F9F6FF call 004044BC
:00494B34 8D55F4 lea edx, dword ptr [ebp-0C]
:00494B37 8B45FC mov eax, dword ptr [ebp-04]
:00494B3A 8B8010030000 mov eax, dword ptr [eax+00000310]
:00494B40 E827DAFAFF call 0044256C //get the machine code and store it at [ebp-0C]
:00494B45 8B45F4 mov eax, dword ptr [ebp-0C]
:00494B48 E827FCF6FF call 00404774 //get the length of the machine code (mov eax, dword ptr [eax-04])
:00494B4D 8BD8 mov ebx, eax //ebx = length of the machine code
:00494B4F 85DB test ebx, ebx
:00494B51 7C2E jl 00494B81
:00494B53 43 inc ebx
:00494B54 33F6 xor esi, esi //esi = 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494B7F(C)
:00494B56 8B45F4 mov eax, dword ptr [ebp-0C] //[ebp-0C] holds the machine code; the byte just before it is 0 (part of the DWORD length field)
:00494B59 0FB64430FF movzx eax, byte ptr [eax+esi-01] //eax = one character of the machine code
:00494B5E B903000000 mov ecx, 00000003
:00494B63 33D2 xor edx, edx
:00494B65 F7F1 div ecx //eax /= 3
:00494B67 83C005 add eax, 00000005 //eax += 5
:00494B6A 8D55F0 lea edx, dword ptr [ebp-10]
:00494B6D E8DA3EF7FF call 00408A4C //convert the number in eax to a (decimal) string
:00494B72 8B55F0 mov edx, dword ptr [ebp-10]
:00494B75 8D45F8 lea eax, dword ptr [ebp-08]
:00494B78 E8FFFBF6FF call 0040477C //strcat: append [ebp-10] to [ebp-08]
:00494B7D 46 inc esi
:00494B7E 4B dec ebx
:00494B7F 75D5 jne 00494B56 //loop over the machine code
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494B51(C)
|
:00494B81 8D55EC lea edx, dword ptr [ebp-14]
:00494B84 8B45FC mov eax, dword ptr [ebp-04]
:00494B87 8B8014030000 mov eax, dword ptr [eax+00000314]
:00494B8D E8DAD9FAFF call 0044256C //get the registration code that was entered and store it at [ebp-14]
:00494B92 8B55EC mov edx, dword ptr [ebp-14]
:00494B95 8B45F8 mov eax, dword ptr [ebp-08]
:00494B98 E81BFDF6FF call 004048B8 //compare the real and the entered registration code
:00494B9D 0F850F010000 jne 00494CB2 //different: jump
* Possible StringData Ref from Code Obj ->"etsystem.lk"
|
:00494BA3 B9204D4900 mov ecx, 00494D20
:00494BA8 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"绑G"
|
:00494BAA A1D0E94700 mov eax, dword ptr [0047E9D0]
:00494BAF E8CC9EFEFF call 0047EA80 //create the file etsystem.lk in the system directory
:00494BB4 A3508D4900 mov dword ptr [00498D50], eax
:00494BB9 B201 mov dl, 01
:00494BBB A120F94700 mov eax, dword ptr [0047F920]
:00494BC0 E85BAEFEFF call 0047FA20
:00494BC5 8BD8 mov ebx, eax
:00494BC7 BA02000080 mov edx, 80000002
:00494BCC 8BC3 mov eax, ebx
:00494BCE E8EDAEFEFF call 0047FAC0
:00494BD3 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"SoftwareMicrosoftetlk"
|
:00494BD5 BA344D4900 mov edx, 00494D34
:00494BDA 8BC3 mov eax, ebx
:00494BDC E847AFFEFF call 0047FB28
:00494BE1 84C0 test al, al
:00494BE3 7411 je 00494BF6
:00494BE5 B93B010000 mov ecx, 0000013B // 13b (315)
:00494BEA BA544D4900 mov edx, 00494D54 // "mp"
:00494BEF 8BC3 mov eax, ebx
:00494BF1 E8D2B2FEFF call 0047FEC8 //write to the registry
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494BE3(C)
|
:00494BF6 8B45FC mov eax, dword ptr [ebp-04]
:00494BF9 8B8034030000 mov eax, dword ptr [eax+00000334]
:00494BFF 83C030 add eax, 00000030
* Possible StringData Ref from Code Obj ->"系统零层"
|
:00494C02 BA604D4900 mov edx, 00494D60
:00494C07 E804F9F6FF call 00404510
:00494C0C 8D55E8 lea edx, dword ptr [ebp-18]
:00494C0F 8B45FC mov eax, dword ptr [ebp-04]
:00494C12 8B8034030000 mov eax, dword ptr [eax+00000334]
:00494C18 E87F62FEFF call 0047AE9C
:00494C1D 8B55E8 mov edx, dword ptr [ebp-18]
:00494C20 8B45FC mov eax, dword ptr [ebp-04]
:00494C23 8B8034030000 mov eax, dword ptr [eax+00000334]
:00494C29 83C030 add eax, 00000030
:00494C2C E8DFF8F6FF call 00404510
:00494C31 8D55E4 lea edx, dword ptr [ebp-1C]
:00494C34 8B45FC mov eax, dword ptr [ebp-04]
:00494C37 8B8034030000 mov eax, dword ptr [eax+00000334]
:00494C3D E85A62FEFF call 0047AE9C
:00494C42 8B55E4 mov edx, dword ptr [ebp-1C]
:00494C45 8B45FC mov eax, dword ptr [ebp-04]
:00494C48 8B8034030000 mov eax, dword ptr [eax+00000334]
:00494C4E 83C030 add eax, 00000030
:00494C51 E8BAF8F6FF call 00404510
:00494C56 8D55E0 lea edx, dword ptr [ebp-20]
:00494C59 8B45FC mov eax, dword ptr [ebp-04]
:00494C5C 8B8034030000 mov eax, dword ptr [eax+00000334]
:00494C62 E83562FEFF call 0047AE9C
:00494C67 8B45E0 mov eax, dword ptr [ebp-20]
:00494C6A 50 push eax
* Possible StringData Ref from Code Obj ->"rec"
|
:00494C6B B9744D4900 mov ecx, 00494D74
* Possible StringData Ref from Code Obj ->"option"
|
:00494C70 BA804D4900 mov edx, 00494D80
:00494C75 A1508D4900 mov eax, dword ptr [00498D50]
:00494C7A 8B30 mov esi, dword ptr [eax]
:00494C7C FF5604 call [esi+04] //write into etsystem.lk
:00494C7F A1508D4900 mov eax, dword ptr [00498D50]
:00494C84 E8C7EAF6FF call 00403750
:00494C89 8BC3 mov eax, ebx
:00494C8B E8C0EAF6FF call 00403750
:00494C90 6A40 push 00000040
* Possible StringData Ref from Code Obj ->"软件注册"
|
:00494C92 B9884D4900 mov ecx, 00494D88
* Possible StringData Ref from Code Obj ->"恭喜您!你已经成功地注册了易通锁屏软件.请重启?
->"救砑В?
|
:00494C97 BA944D4900 mov edx, 00494D94
:00494C9C A1B87B4900 mov eax, dword ptr [00497BB8]
:00494CA1 8B00 mov eax, dword ptr [eax]
:00494CA3 E8D0D8FCFF call 00462578
:00494CA8 8B45FC mov eax, dword ptr [ebp-04]
:00494CAB E874A0FCFF call 0045ED24
:00494CB0 EB29 jmp 00494CDB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494B9D(C)
|
:00494CB2 6A30 push 00000030
* Possible StringData Ref from Code Obj ->"软件注册"
|
:00494CB4 B9884D4900 mov ecx, 00494D88
* Possible StringData Ref from Code Obj ->"对不起!你输入的注册码是不合法的,请与作者取得?
->"担?
zj@book4u.com.cn"
|
:00494CB9 BAD04D4900 mov edx, 00494DD0
:00494CBE A1B87B4900 mov eax, dword ptr [00497BB8]
:00494CC3 8B00 mov eax, dword ptr [eax]
:00494CC5 E8AED8FCFF call 00462578
:00494CCA 8B45FC mov eax, dword ptr [ebp-04]
:00494CCD 8B8014030000 mov eax, dword ptr [eax+00000314]
:00494CD3 8B10 mov edx, dword ptr [eax]
:00494CD5 FF92DC000000 call dword ptr [edx+000000DC]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494CB0(U)
|
:00494CDB 33C0 xor eax, eax
:00494CDD 5A pop edx
:00494CDE 59 pop ecx
:00494CDF 59 pop ecx
:00494CE0 648910 mov dword ptr fs:[eax], edx
:00494CE3 68124D4900 push 00494D12
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494D10(U)
|
:00494CE8 8D45E0 lea eax, dword ptr [ebp-20]
:00494CEB BA03000000 mov edx, 00000003
:00494CF0 E8EBF7F6FF call 004044E0
:00494CF5 8D45EC lea eax, dword ptr [ebp-14]
:00494CF8 E8BFF7F6FF call 004044BC
:00494CFD 8D45F0 lea eax, dword ptr [ebp-10]
:00494D00 BA03000000 mov edx, 00000003
:00494D05 E8D6F7F6FF call 004044E0
:00494D0A C3 ret
------------------------------------------------------------------------
Summary:
1. After successful registration, the program leaves a marker in the registry:
Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftetlk
Name: mp
Data: 13b
It also creates the file etsystem.lk in the operating-system directory and writes a record to it;
2. To register again after a successful registration, just change the value name or the data in the registry;
3. The program derives the registration code from the machine code; the algorithm is quite simple (see the analysis above or the keygen).
Keygen: (VC++ 6.0)
------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

int main(void)
{
    int len, count, pos;
    char machine[32];
    char reg[64];   /* at most 2 digits per input character, plus the leading '5' and the terminator */
    int value;

    printf("电脑锁2003 2.2 注册机 -- acacia\n");
    printf("请输入程序给出的机器码 : ");
    if (scanf("%31s", machine) != 1)
    {
        printf("程序的机器码/注册码为空!\n");
        return 1;
    }
    len = strlen(machine);
    if (len <= 0)
    {
        printf("程序的机器码/注册码为空!\n");
        return 1;
    }
    /* The program's loop starts one byte before the string, on the byte of the
       Delphi length DWORD, which is 0: 0/3 + 5 = 5, hence the fixed leading '5'. */
    reg[0] = '5';
    pos = 1;
    for (count = 0; count < len; count++)
    {
        /* for each character: divide its code by 3, add 5, append in decimal */
        value = (unsigned char)machine[count] / 3;
        value += 5;
        if (value / 10 > 0)
        {
            reg[pos] = value / 10 + '0';
            pos++;
        }
        reg[pos] = value % 10 + '0';
        pos++;
    }
    reg[pos] = '\0';   /* terminate the string (the original stored ' ' here and left it unterminated) */
    printf("程序的注册码 : %s\n", reg);
    return 0;
}
------------------------------------------------------------------------
by acacia
2003-10-20