• 标 题:初学破解!请指导(4) 破解2SCR(屏保制作软件)
  • 作 者:云瑞
  • 时 间:004-08-20,23:35
  • 链 接:http://bbs.pediy.com

破解2SCR(屏保制作软件)
 
     日期:2004年7月24日   破解人:云瑞
———————————————————————————————————————————
 
 
【软件名称】:2scr   
【软件简介】:一个中文屏保制作软件
【软件限制】:UPX壳,时间限制!
【破解声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:C32ASM 0.412,olldbg1.10d,upxshell3.09,peid0.92

———————————————————————————————————————————
 
【破解过程】:
 
首先安装程序,打开注册,输入用户名,是用机器码和用户名+注册码的保护模式,输入注册名king,注册码999555(假的哦)出现serial number is not correct!然后用peid0.92查看,是upx的壳,用专用工具upxshell3.09 中文版脱壳,再用peid0.92打开,是borlandc++,然后用C32ASM打开程序,进行字符串搜索,找到上面的Serial number is not correct!双击,来到代码处!
::0040BC45::  B9 D7074D00              MOV     ECX, 4D07D7                         \->: Flash2Screensaver Congratulation
注册成功!
::0040BC4A::  8D95 A8FDFFFF            LEA     EDX, [EBP-258]                  
::0040BC50::  8B00                     MOV     EAX, [EAX]                      
::0040BC52::  E8 85AA0A00              CALL    004B66DC                        \:JMPDOWN
::0040BC57::  6A 01                    PUSH    1                               
::0040BC59::  E8 FE550A00              CALL    004B125C                        \:JMPDOWN
::0040BC5E::  59                       POP     ECX                             
::0040BC5F::  EB 18                    JMP     SHORT 0040BC79                  \:JMPDOWN
::0040BC61::  A1 307F4D00              MOV     EAX, [4D7F30]                   \:BYJMP JmpBy:0040BB03,
::0040BC66::  6A 00                    PUSH    0                               
::0040BC68::  B9 18084D00              MOV     ECX, 4D0818                         \->: Error
::0040BC6D::  BA F8074D00              MOV     EDX, 4D07F8                         \->:  Serial Number is not correct
用ollydbg在这里下断,在上面,可以看到
::0040BA4B::  68 61074D00              PUSH    4D0761                              \->: Your register name and code are:\x0A
::0040BA50::  68 56074D00              PUSH    4D0756                              \->: %s%s%s%s%s
在这里也下断,然后按F9 运行,注册,内容同上,最后在最后的断点,观察堆栈窗口,可以看到字符串“999555”和“1141624770”这个就是注册码,输入,ok!不过这个与机器码有关!

———————————————————————————————————————————

【Crack_总结】:

很简单。只要会olldbg &c32asm就可以破解了,诶明码比较!

http://bbs.pediy.com/showthread.php?s=&threadid=4165

【软件名称】:2scr   
【软件简介】:一个中文屏保制作软件
【软件限制】:UPX壳,时间限制!

BC++,用DEDE反一下,找到下面

0040B6A0   55                     push    ebp
0040B6A1   8BEC                   mov     ebp, esp
0040B6A3   81C4A8FDFFFF           add     esp, $FFFFFDA8
0040B6A9   53                     push    ebx
0040B6AA   56                     push    esi
0040B6AB   57                     push    edi
0040B6AC   8945B0                 mov     [ebp-$50], eax
0040B6AF   B840464B00             mov     eax, $004B4640

|
0040B6B4   E88F3D0800             call    0048F448
0040B6B9   8B55B0                 mov     edx, [ebp-$50]
0040B6BC   81C2F0020000           add     edx, $000002F0
0040B6C2   52                     push    edx

* Reference to: GetSystemInfo()          ;调用GetSystemInfo
|                ;可以得到一个SYSTEM_INFO结构
0040B6C3   E8EA3A0A00             call    004AF1B2    ;结构在[ebp-$50]+$2F0 处

看看SYSTEM_INFO是啥样:(具体请查阅资料)
********************************************
/* Win32 SYSTEM_INFO as filled in by GetSystemInfo().  The routine at 0040B6A0
 * stores it at [ebp-$50]+$2F0 and reads four fields from it; the offsets below
 * are for the 32-bit layout and match the $14/$18/$20/$22 notes in the listing. */
typedef struct _SYSTEM_INFO { // sinf  
    union {                                  // +$00
        DWORD  dwOemId; 
        struct { 
            WORD wProcessorArchitecture; 
            WORD wReserved; 
        }; 
    }; 
    DWORD  dwPageSize;                       // +$04
    LPVOID lpMinimumApplicationAddress;      // +$08
    LPVOID lpMaximumApplicationAddress;      // +$0C
    DWORD  dwActiveProcessorMask;            // +$10
    DWORD  dwNumberOfProcessors;             // +$14 -> edi  (mov edi, [eax+$0304])
    DWORD  dwProcessorType;                  // +$18 -> ebx  (mov ebx, [ecx+$0308])
    DWORD  dwAllocationGranularity;          // +$1C
    WORD  wProcessorLevel;                   // +$20 -> esi  (movzx esi, word ptr [eax+$0310])
    WORD  wProcessorRevision;                // +$22 -> edx  (movzx edx, word ptr [eax+$0312])

} SYSTEM_INFO; 
********************************************

0040B6C8   8B45B0                 mov     eax, [ebp-$50]  ;EAX=[EBP-50]
0040B6CB   8B4DB0                 mov     ecx, [ebp-$50]  ;ECX=[EBP-50]
0040B6CE   0FB7B010030000         movzx   esi, word ptr [eax+$0310]  ;即结构的第$310-$2F0=$20字节
0040B6D5   8B45B0                 mov     eax, [ebp-$50]
0040B6D8   8B9908030000           mov     ebx, [ecx+$0308]  ;即结构的第$18字节,CPU类型

* Reference to field TForm3.OFFS_0304
|
0040B6DE   8BB804030000           mov     edi, [eax+$0304]  ;结构的第$14字节,CPU数目
0040B6E4   8B45B0                 mov     eax, [ebp-$50]
0040B6E7   8D0C1E                 lea     ecx, [esi+ebx]
0040B6EA   0FB79012030000         movzx   edx, word ptr [eax+$0312]  ;结构的第$22字节
0040B6F1   03CF                   add     ecx, edi
0040B6F3   8955AC                 mov     [ebp-$54], edx
0040B6F6   034DAC                 add     ecx, [ebp-$54]
0040B6F9   894DA8                 mov     [ebp-$58], ecx
0040B6FC   8B45AC                 mov     eax, [ebp-$54]
0040B6FF   03C6                   add     eax, esi
0040B701   33C3                   xor     eax, ebx
0040B703   33C7                   xor     eax, edi
0040B705   8945A4                 mov     [ebp-$5C], eax
0040B708   33C0                   xor     eax, eax
0040B70A   8D941E34120000         lea     edx, [esi+ebx+$1234]
0040B711   8D8C3745230000         lea     ecx, [edi+esi+$2345]
0040B718   81F245230000           xor     edx, $00002345
0040B71E   81F156340000           xor     ecx, $00003456
0040B724   8BDA                   mov     ebx, edx
0040B726   8B55AC                 mov     edx, [ebp-$54]
0040B729   0355A8                 add     edx, [ebp-$58]
0040B72C   037DAC                 add     edi, [ebp-$54]
0040B72F   81C267450000           add     edx, $00004567
0040B735   8BF1                   mov     esi, ecx
0040B737   81F278560000           xor     edx, $00005678
0040B73D   81C756340000           add     edi, $00003456
0040B743   8955AC                 mov     [ebp-$54], edx
0040B746   81F767450000           xor     edi, $00004567
0040B74C   8B4DA8                 mov     ecx, [ebp-$58]
0040B74F   034DA4                 add     ecx, [ebp-$5C]
0040B752   81C178560000           add     ecx, $00005678
0040B758   81F189670000           xor     ecx, $00006789
0040B75E   894DA8                 mov     [ebp-$58], ecx
0040B761   8B55A4                 mov     edx, [ebp-$5C]
0040B764   03D3                   add     edx, ebx
0040B766   81C289670000           add     edx, $00006789
0040B76C   81F291780000           xor     edx, $00007891
0040B772   8955A4                 mov     [ebp-$5C], edx
0040B775   40                     inc     eax
0040B776   83F825                 cmp     eax, +$25
0040B779   7C8F                   jl      0040B70A      ;上面循环复杂计算
0040B77B   66C745C41400           mov     word ptr [ebp-$3C], $0014

.....................(略)..............................

0040B871   8B45B0                 mov     eax, [ebp-$50]

* Reference to control Edit1 : TEdit
|
0040B874   8B80E0020000           mov     eax, [eax+$02E0]

* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0040B87A   E815580400             call    00451094    ;得到假码
0040B87F   03F3                   add     esi, ebx
0040B881   8D55F0                 lea     edx, [ebp-$10]
0040B884   52                     push    edx
0040B885   03FE                   add     edi, esi
0040B887   037DAC                 add     edi, [ebp-$54]
0040B88A   037DA8                 add     edi, [ebp-$58]
0040B88D   037DA4                 add     edi, [ebp-$5C]  ;把上面几处的结果累加
0040B890   337DA0                 xor     edi, [ebp-$60]  ;再与用户名的长度XOR
0040B893   897D9C                 mov     [ebp-$64], edi
0040B896   8B459C                 mov     eax, [ebp-$64]
0040B899   99                     cdq
0040B89A   33C2                   xor     eax, edx
0040B89C   2BC2                   sub     eax, edx
0040B89E   8BD0                   mov     edx, eax
0040B8A0   8D45EC                 lea     eax, [ebp-$14]

|
0040B8A3   E8B8F70800             call    0049B060
0040B8A8   8BD0                   mov     edx, eax
0040B8AA   FF45D0                 inc     dword ptr [ebp-$30]
0040B8AD   58                     pop     eax

|
0040B8AE   E835F90800             call    0049B1E8    ;进行比较,不相等ZF=0
0040B8B3   85C0                   test    eax, eax
0040B8B5   8D45EC                 lea     eax, [ebp-$14]
0040B8B8   0F94C1                 setz    cl      ;根据标志位设置CL
0040B8BB   83E101                 and     ecx, +$01    ;CL如果是0这里就成0了
0040B8BE   BA02000000             mov     edx, $00000002
0040B8C3   51                     push    ecx
0040B8C4   FF4DD0                 dec     dword ptr [ebp-$30]

|
0040B8C7   E81CF80800             call    0049B0E8
0040B8CC   FF4DD0                 dec     dword ptr [ebp-$30]
0040B8CF   8D45F0                 lea     eax, [ebp-$10]
0040B8D2   BA02000000             mov     edx, $00000002

|
0040B8D7   E80CF80800             call    0049B0E8
0040B8DC   59                     pop     ecx
0040B8DD   84C9                   test    cl, cl
0040B8DF   0F8458010000           jz      0040BA3D    ;CL=0跳走就OVER

简易注册机:(VC++)

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <iostream.h>

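/*
 * Entry point: a literal transcription of the routine listed at 0040B6A0.
 *
 * Reads a register name from stdin, seeds the working values from the four
 * SYSTEM_INFO fields the listing loads at 0040B6CE..0040B6EA, runs the
 * 0x25-round scramble of 0040B70A..0040B779, then sums the six working values
 * and XORs them with the name length as 0040B87F..0040B890 does.
 * Local names mirror the registers / stack slots of the listing so the two
 * can be read side by side.
 *
 * Returns 0; the computed number is printed on stdout.
 */
int main()
{
  int eax,ebx,ecx,edx,esi,edi;
  int ebp_54,ebp_58,ebp_5c,result;
  char name[200]={0};
  cout<<"Please input your name:";
  cin.width(sizeof(name));          /* extract at most 199 chars: a bare cin>>name can overrun the buffer */
  cin>>name;
  SYSTEM_INFO si;                   /* automatic storage; the heap copy in the first draft was never freed */
  GetSystemInfo(&si);

  esi=si.wProcessorLevel;           /* movzx esi, word ptr [eax+$0310] */
  ebx=si.dwProcessorType;           /* mov   ebx, [ecx+$0308] */
  edi=si.dwNumberOfProcessors;      /* mov   edi, [eax+$0304] */
  ecx=esi+ebx;
  edx=si.wProcessorRevision;        /* movzx edx, word ptr [eax+$0312] */
  ecx+=edi;
  ebp_54=edx;
  ecx+=ebp_54;
  ebp_58=ecx;
  eax=ebp_54;
  eax+=esi;
  eax^=ebx;
  eax^=edi;
  ebp_5c=eax;
  /* 0040B70A..0040B779: eax only counts rounds (0..0x24) and is not read inside the loop */
  for (eax=0; eax<0x25; eax++)
  {
    edx=esi+ebx+0x1234;
    ecx=edi+esi+0x2345;
    edx^=0x2345;
    ecx^=0x3456;
    ebx=edx;
    edx=ebp_54;
    edx+=ebp_58;
    edi+=ebp_54;
    edx+=0x4567;
    esi=ecx;
    edx^=0x5678;
    edi+=0x3456;
    ebp_54=edx;
    edi^=0x4567;
    ecx=ebp_58;
    ecx+=ebp_5c;
    ecx+=0x5678;
    ecx^=0x6789;
    ebp_58=ecx;
    edx=ebp_5c;
    edx+=ebx;
    edx+=0x6789;
    edx^=0x7891;
    ebp_5c=edx;
  }
  /* 0040B87F..0040B890: accumulate the six working values, then XOR with strlen(name) */
  result=(edi+esi+ebx+ebp_54+ebp_58+ebp_5c)^strlen(name);
  cout<<"Your serial number is "<<result<<endl;
  cout<<"KeyGen by RoBa  ThanQ!"<<endl;
  return 0;
}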
呵呵,完全直译的,因为和硬件相关,无法确定它绝对正确,还请各位测试。