Software : 家庭银行家 v2b53
家庭理财软件
无法使用 KeyMake 做内存补丁, 抵制 OllyDbg 调试(RtlRaiseException、zwQueryInformationProcess)
http://www.homebanker.net/
Tools : pe-scan, W32Dasm, WinHex, OllyDbg, Win2000
Cracker : lq7972 [bruceyu13@sina.com]
蛮久冒做 PJ 了,今天温习了一下~
用 pe-scan 可以脱壳,用 W32Dasm 反汇编,
【1.】 用 RET 大法轻松实现注册
查找软件在程序主窗口标题栏中的"(未注册版本,请注册,剩余天数:45)"
:00746CDD 8B8000030000 mov eax, dword ptr [eax+00000300]
:00746CE3 E8B4D0F4FF call 00693D9C; 跟进
:00746CE8 84C0 test al, al; 这里是注册标识
:00746CEA 0F84B0000000 je 00746DA0; al = 0?
:00746CF0 8D55E8 lea edx, dword ptr [ebp-18]
:00746CF3 A1F4FD7500 mov eax, dword ptr [0075FDF4]
:00746CF8 E8BF45CFFF call 0043B2BC
:00746CFD FF75E8 push [ebp-18]
* Possible StringData Ref from Data Obj ->"(注册用户: "
; ......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00746CEA(C)
|
:00746DA0 8D55E0 lea edx, dword ptr [ebp-20]
:00746DA3 A1F4FD7500 mov eax, dword ptr [0075FDF4]
:00746DA8 E80F45CFFF call 0043B2BC
:00746DAD FF75E0 push [ebp-20]
* Possible StringData Ref from Data Obj ->"(未注册版本,请注册,剩余天数:"
; ......
; ===========================================================================
; 跟进
; ret 修改大法
:00693D9C 55 push ebp; 在这里改 "55" 为 "C3"
:00693D9D 8BEC mov ebp, esp
:00693D9F E848010000 call 00693EEC
:00693DA4 5D pop ebp
:00693DA5 C3 ret
; 用W32Dasm 有时不大灵光,用 WinHex 吧
; W32Dasm 中,把在光标定在 00693D9C 行,状态栏中内容如下:
Line:1362831 Pg 27257 of 35256 Code Data @:00693D9C @Offset 00293D9Ch ...
; WinHex 打开主程序文件, Alt+G, 输入 "293D9C", 改 "55" 为 "C3"
; 保存,ok
【2.】 寻找注册算法写注册机
; ......
:00736129 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:0073612F E88851D0FF call 0043B2BC
:00736134 8B55F8 mov edx, dword ptr [ebp-08]; 用户名 name
:00736137 33C9 xor ecx, ecx
:00736139 8B8300030000 mov eax, dword ptr [ebx+00000300]
:0073613F E874DFF5FF call 006940B8; 计算注册码,跟进
:00736144 84C0 test al, al
:00736146 751A jne 00736162
:00736148 6A10 push 00000010
; ...
* Possible StringData Ref from Data Obj ->"注册失败,请检查您的注册码是否输入正确。"
|
:0073614F BAC4617300 mov edx, 007361C4
; ...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00736146(C)
|
:00736162 8B8300030000 mov eax, dword ptr [ebx+00000300]
:00736168 E82FDCF5FF call 00693D9C
:0073616D 84C0 test al, al
:0073616F 741F je 00736190
:00736171 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"家庭银行家"
|
:00736173 B9B8617300 mov ecx, 007361B8
* Possible StringData Ref from Data Obj ->"注册成功,谢谢。请退出程序后重新进入。"
; ...
:00736190 33C0 xor eax, eax
; ...
; ==============================================================================
; 0073613F 计算注册码
; ...
:006940F5 8B45FC mov eax, dword ptr [ebp-04]; 用户名
:006940F8 E85F02D7FF call 0040435C; 用户名长度 name_len
:006940FD 3B433C cmp eax, dword ptr [ebx+3C]; name_len > 0x19? Yes, jump
:00694100 7F19 jg 0069411B
:00694102 8B45FC mov eax, dword ptr [ebp-04]
:00694105 E85202D7FF call 0040435C
:0069410A 3B4340 cmp eax, dword ptr [ebx+40]; name_len < 3? Yes, jump
:0069410D 7C0C jl 0069411B
; ...
:0069411B 33DB xor ebx, ebx
:0069411D EB60 jmp 0069417F
; ...
:0069417F 33C0 xor eax, eax
; ????????????????????????????????????
; so, name_len > 3 && name_len < 0x19
:0069413D E866FCFFFF call 00693DA8; 关键,跟进
:00694142 8B45F0 mov eax, dword ptr [ebp-10]; 真注册码
:00694145 8B5508 mov edx, dword ptr [ebp+08]; 假注册码
; ==============================================================================
; 0069413D 计算注册码
; ...
:00693DD6 8B45FC mov eax, dword ptr [ebp-04]; 用户名
:00693DD9 E87E05D7FF call 0040435C; 用户名长度 name_len
:00693DDE 3B463C cmp eax, dword ptr [esi+3C]; name_len > 0x19?
:00693DE1 7F0D jg 00693DF0
:00693DE3 8B45FC mov eax, dword ptr [ebp-04]
:00693DE6 E87105D7FF call 0040435C
:00693DEB 3B4640 cmp eax, dword ptr [esi+40]; name_len >= 3?
:00693DEE 7D0C jge 00693DFC; Yes, jump
; ...
:00693DFC 8B45FC mov eax, dword ptr [ebp-04]
:00693DFF E85805D7FF call 0040435C
:00693E04 8BD8 mov ebx, eax; 用户名长度,计数器
:00693E06 EB31 jmp 00693E39
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E4A(C)
|
:00693E08 8B45FC mov eax, dword ptr [ebp-04]; 用户名 name
:00693E0B 8A4418FF mov al, byte ptr [eax+ebx-01]; 从最后一位起 name[len-i]
:00693E0F 25FF000000 and eax, 000000FF
:00693E14 33D2 xor edx, edx
:00693E16 52 push edx
:00693E17 50 push eax
:00693E18 8B4658 mov eax, dword ptr [esi+58]; 0xC7BC0D36
:00693E1B 8B565C mov edx, dword ptr [esi+5C]; 0x0000025C
:00693E1E E8763BD7FF call 00407999; 关键,跟进,根据 name[len-i] 计算得到 temp00
:00693E23 52 push edx
:00693E24 50 push eax
:00693E25 8D45E4 lea eax, dword ptr [ebp-1C]
:00693E28 E81F67D7FF call 0040A54C; temp00 转为十进制数字 temp01
:00693E2D 8B55E4 mov edx, dword ptr [ebp-1C]
:00693E30 8D45F4 lea eax, dword ptr [ebp-0C]
:00693E33 E82C05D7FF call 00404364
:00693E38 4B dec ebx; 计数器递减
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E06(U)
|
:00693E39 8B45FC mov eax, dword ptr [ebp-04]
:00693E3C E81B05D7FF call 0040435C
:00693E41 83E806 sub eax, 00000006
:00693E44 3BD8 cmp ebx, eax
:00693E46 7C04 jl 00693E4C
:00693E48 85DB test ebx, ebx
:00693E4A 7FBC jg 00693E08; 循环↑
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00693E46(C)
|
:00693E4C 8D55F8 lea edx, dword ptr [ebp-08]
:00693E4F 8B45F4 mov eax, dword ptr [ebp-0C]; 得到中间值 temp01,千万别当它是注册码
:00693E52 E8F925D7FF call 00406450; 关键,跟进,利用 temp01 计算注册码 reg_code
:00693E57 8945E8 mov dword ptr [ebp-18], eax; 注册码后8位
:00693E5A 8955EC mov dword ptr [ebp-14], edx; 注册码前4位
; ...
:00693E7F E83867D7FF call 0040A5BC; 连接
:00693E84 8B07 mov eax, dword ptr [edi]; 得到真的注册码 reg_code