PictureToTV version 1.0
cracker: essorg
tools: language2k (packer detection), trw2000pll (tracing), c32asm1001 (code capture)
level: 0
Checked with language2k: no packer, written in VC. Load it into trw2000pll.
Run the program; the registration dialog appears. Click "Register now"... through to the page for the registration details. The user name and the registration code are required; the registration code is 16 characters (found by tracing).
User name: essorg (the e-mail field; the value that is actually hashed below is essorg@163.com)
Registration code: 7878787878787878
Ctrl+N brings up TRW; set bpx hmemcpy, return to the program, click Next, and the breakpoint drops into the TRW debug window:
017F:00466623 33DB XOR EBX,EBX
017F:00466625 8B45EC MOV EAX,[EBP-14]
017F:00466628 8B5064 MOV EDX,[EAX+64] 〈---- address of the entered registration code (an MFC CString);
017F:0046662B 8B4AF8 MOV ECX,[EDX-08] 〈---- its length (CString keeps the length 8 bytes before the text);
017F:0046662E 85C9 TEST ECX,ECX
017F:00466630 7E2F JNG 00466661 〈---- length 0: nothing to filter;
017F:00466632 0FBE041A MOVSX EAX,BYTE [EDX+EBX] 〈---- next character of the entered code
017F:00466636 83F830 CMP EAX,BYTE +30 〈---- below '0'? go test for A-F
017F:00466639 7C05 JL 00466640 〈----
017F:0046663B 83F839 CMP EAX,BYTE +39 〈---- '0'..'9': keep
017F:0046663E 7E0A JNG 0046664A 〈----
017F:00466640 83F841 CMP EAX,BYTE +41 〈---- below 'A' or above 'F': drop the character
017F:00466643 7C17 JL 0046665C 〈---- (only 0-9 and upper-case A-F survive;
017F:00466645 83F846 CMP EAX,BYTE +46 〈---- lower-case a-f are dropped as well)
017F:00466648 7F12 JG 0046665C 〈----
017F:0046664A 8D4DDC LEA ECX,[EBP-24] 〈---- append the kept character to the filtered code at [EBP-24]
017F:0046664D 50 PUSH EAX
017F:0046664E E899D70D00 CALL `MFC42!ord_000003AC`
017F:00466653 8B45EC MOV EAX,[EBP-14] 〈---- reload
017F:00466656 8B5064 MOV EDX,[EAX+64] 〈---- the entered code's
017F:00466659 8B4AF8 MOV ECX,[EDX-08] 〈---- address and length;
017F:0046665C 43 INC EBX 〈---- next position in the registration code;
017F:0046665D 3BD9 CMP EBX,ECX 〈---- all characters filtered?
017F:0046665F 7CD1 JL 00466632 〈---- if not, continue;
017F:00466661 8B4DDC MOV ECX,[EBP-24] 〈---- address of the filtered (valid) registration code
017F:00466664 8B41F8 MOV EAX,[ECX-08] 〈---- length of the filtered registration code
017F:00466667 85C0 TEST EAX,EAX
017F:00466669 7E4A JNG 004666B5 〈---- filtered code is empty: show "registration failed"
017F:0046666B 8B45EC MOV EAX,[EBP-14]
017F:0046666E 8B4060 MOV EAX,[EAX+60] 〈---- e-mail address
017F:00466671 8B50F8 MOV EDX,[EAX-08] 〈---- length of the entered e-mail
017F:00466674 85D2 TEST EDX,EDX
017F:00466676 7E3D JNG 004666B5 〈---- empty e-mail: show "registration failed"
017F:00466678 51 PUSH ECX 〈---- address of the filtered registration code (second argument)
017F:00466679 50 PUSH EAX 〈---- e-mail address (first argument)
017F:0046667A E835FBFFFF CALL 004661B4 〈---- core comparison; returns 0 on every failure path shown below
017F:0046667F 83C408 ADD ESP,BYTE +08
017F:00466682 85C0 TEST EAX,EAX
Analysis of the core comparison routine:
#########################################################################################
017F:004661B4 55 PUSH EBP
017F:004661B5 8BEC MOV EBP,ESP
017F:004661B7 6AFF PUSH BYTE -01
017F:004661B9 68DCBD5400 PUSH DWORD 0054BDDC
017F:004661BE 64A100000000 MOV EAX,`DOSMGR_BackFill_Allowed` 〈---- really FS:[0] (64 A1 00 00 00 00); TRW mislabels the SEH chain head
017F:004661C4 50 PUSH EAX
017F:004661C5 64892500000000 MOV `DOSMGR_BackFill_Allowed`,ESP 〈---- FS:[0] = ESP: the usual VC++ SEH frame setup, not part of the check
017F:004661CC 81EC9C000000 SUB ESP,9C
017F:004661D2 8965F0 MOV [EBP-10],ESP
017F:004661D5 897DE0 MOV [EBP-20],EDI
017F:004661D8 8975E4 MOV [EBP-1C],ESI
017F:004661DB 895DE8 MOV [EBP-18],EBX
017F:004661DE 8D8D58FFFFFF LEA ECX,[EBP+FFFFFF58]
017F:004661E4 FF7508 PUSH DWORD [EBP+08] 〈---- first argument: the e-mail
017F:004661E7 E8C6D60D00 CALL `MFC42!ord_00000219` 〈---- copy it into a local CString at [EBP-A8]
017F:004661EC C745FC00000000 MOV DWORD [EBP-04],00
017F:004661F3 8D8D58FFFFFF LEA ECX,[EBP+FFFFFF58]
017F:004661F9 E848E20D00 CALL `MFC42!ord_0000106A` 〈---- CString method applied to the e-mail copy (not identified in this trace)
017F:004661FE 8D8D58FFFFFF LEA ECX,[EBP+FFFFFF58]
017F:00466204 6A40 PUSH BYTE +40 〈---- '@'
017F:00466206 E889E20D00 CALL `MFC42!ord_00000ACB` 〈---- search the e-mail for '@'
017F:0046620B 83F8FF CMP EAX,BYTE -01 〈---- -1 = not found
017F:0046620E 7522 JNZ 00466232 〈---- found: carry on; otherwise fall through and fail
017F:00466210 C745FCFFFFFFFF MOV DWORD [EBP-04],FFFFFFFF
017F:00466217 8D8D58FFFFFF LEA ECX,[EBP+FFFFFF58]
017F:0046621D E8A8D60D00 CALL `MFC42!ord_00000320`
017F:00466222 33C0 XOR EAX,EAX 〈---- return 0: registration failed (no '@' in the e-mail)
017F:00466224 8B4DF4 MOV ECX,[EBP-0C]
017F:00466227 64890D00000000 MOV `DOSMGR_BackFill_Allowed`,ECX 〈---- restore FS:[0] (SEH unwind)
017F:0046622E 8BE5 MOV ESP,EBP
017F:00466230 5D POP EBP
017F:00466231 C3 RET
017F:00466232 8D8D5CFFFFFF LEA ECX,[EBP+FFFFFF5C]
017F:00466238 FF750C PUSH DWORD [EBP+0C]
017F:0046623B E872D60D00 CALL `MFC42!ord_00000219`
017F:00466240 C745FC01000000 MOV DWORD [EBP-04],01
017F:00466247 8B855CFFFFFF MOV EAX,[EBP+FFFFFF5C] 〈---- address of the filtered registration code (copied from the second argument)
017F:0046624D 8B50F8 MOV EDX,[EAX-08] 〈---- its length
017F:00466250 83FA10 CMP EDX,BYTE +10 〈---- must be exactly 16 characters
017F:00466253 7434 JZ 00466289 〈---- otherwise fall through and return 0
017F:00466255 C745FC00000000 MOV DWORD [EBP-04],00
017F:0046625C 8D8D5CFFFFFF LEA ECX,[EBP+FFFFFF5C]
017F:00466262 E863D60D00 CALL `MFC42!ord_00000320`
017F:00466267 C745FCFFFFFFFF MOV DWORD [EBP-04],FFFFFFFF
017F:0046626E 8D8D58FFFFFF LEA ECX,[EBP+FFFFFF58]
017F:00466274 E851D60D00 CALL `MFC42!ord_00000320`
017F:00466279 33C0 XOR EAX,EAX 〈---- return 0: wrong length
017F:0046627B 8B4DF4 MOV ECX,[EBP-0C]
017F:0046627E 64890D00000000 MOV `DOSMGR_BackFill_Allowed`,ECX 〈---- restore FS:[0] (SEH unwind)
017F:00466285 8BE5 MOV ESP,EBP
017F:00466287 5D POP EBP
017F:00466288 C3 RET
017F:00466289 8D8D5CFFFFFF LEA ECX,[EBP+FFFFFF5C] 〈---- the filtered code
017F:0046628F 8D8560FFFFFF LEA EAX,[EBP+FFFFFF60] 〈---- result goes to [EBP-A0]
017F:00466295 6A04 PUSH BYTE +04
017F:00466297 50 PUSH EAX
017F:00466298 E83FD60D00 CALL `MFC42!ord_00001021` 〈---- take the first 4 characters of the string
017F:0046629D C745FC02000000 MOV DWORD [EBP-04],02
017F:004662A4 8D8D64FFFFFF LEA ECX,[EBP+FFFFFF64]
017F:004662AA 8D8560FFFFFF LEA EAX,[EBP+FFFFFF60]
017F:004662B0 50 PUSH EAX
017F:004662B1 E86AD70D00 CALL `MFC42!ord_00000217` 〈---- save the first 4 characters at [EBP-9C]
017F:004662B6 C745FC01000000 MOV DWORD [EBP-04],01
017F:004662BD C745FC03000000 MOV DWORD [EBP-04],03
017F:004662C4 8D8D60FFFFFF LEA ECX,[EBP+FFFFFF60]
017F:004662CA E8FBD50D00 CALL `MFC42!ord_00000320`
017F:004662CF 8D8D5CFFFFFF LEA ECX,[EBP+FFFFFF5C] 〈---- the filtered code again
017F:004662D5 8D8568FFFFFF LEA EAX,[EBP+FFFFFF68]
017F:004662DB 6A04 PUSH BYTE +04 〈---- starting at position 4
017F:004662DD 50 PUSH EAX
017F:004662DE E823D90D00 CALL `MFC42!ord_000010B5` 〈---- take the remaining 12 characters into [EBP-98]
017F:004662E3 C745FC04000000 MOV DWORD [EBP-04],04
017F:004662EA 8D8D5CFFFFFF LEA ECX,[EBP+FFFFFF5C]
017F:004662F0 8D8568FFFFFF LEA EAX,[EBP+FFFFFF68] 〈---- address of the last 12 characters
017F:004662F6 50 PUSH EAX
017F:004662F7 E8C8D50D00 CALL `MFC42!ord_0000035A` 〈---- [EBP-A4] now holds only the last 12 characters
017F:004662FC C745FC03000000 MOV DWORD [EBP-04],03
017F:00466303 8D8D68FFFFFF LEA ECX,[EBP+FFFFFF68]
017F:00466309 E8BCD50D00 CALL `MFC42!ord_00000320`
017F:0046630E 8D8D6CFFFFFF LEA ECX,[EBP+FFFFFF6C]
017F:00466314 6880CF6000 PUSH DWORD 0060CF80 〈---- "PictureToTV" (the program name; see the buffer dump below)
017F:00466319 E894D50D00 CALL `MFC42!ord_00000219`
017F:0046631E C745FC05000000 MOV DWORD [EBP-04],05
017F:00466325 8D8D70FFFFFF LEA ECX,[EBP+FFFFFF70]
017F:0046632B E8C8FFFEFF CALL 004562F8 〈---- initialise the hash context at [EBP-90]
Contents of the context at [EBP+FFFFFF70] (this dump was taken after the three update calls below: the bit count already reads 0xE8 = 232 bits = 29 bytes, and the block buffer holds those 29 pending bytes while the state still equals its initial value):
[00A6F4FC]:01 23 45 67 89 AB CD EF - FE DC BA 98 76 54 32 10 〈---- 16-byte state: the MD5 initial value (A=67452301 B=EFCDAB89 C=98BADCFE D=10325476, little-endian), so the "ruler" is an MD5 context
[00A6F50C]:E8 00 00 00 00 00 00 00 - 37 38 37 38 65 73 73 6F 〈---- 8-byte bit count, then the buffer: "7878esso"
[00A6F51C]:72 67 40 31 36 33 2E 63 - 6F 6D 50 69 63 74 75 72 〈---- "rg@163.comPictur"
[00A6F52C]:65 54 6F 54 56 F5 A6 00 〈---- "eToTV"; the hashed message is "7878" + "essorg@163.com" + "PictureToTV" (4 + 14 + 11 = 29 bytes)
017F:00466330 8B8564FFFFFF MOV EAX,[EBP+FFFFFF64] 〈---- address of the first 4 characters
017F:00466336 8D8D70FFFFFF LEA ECX,[EBP+FFFFFF70]
017F:0046633C FF70F8 PUSH DWORD [EAX-08] 〈---- their length
017F:0046633F 50 PUSH EAX
017F:00466340 E8D3F3FEFF CALL 00455718 〈---- hash update (MD5Update) with the first 4 characters
017F:00466345 8B8558FFFFFF MOV EAX,[EBP+FFFFFF58] 〈---- e-mail address
017F:0046634B 8D8D70FFFFFF LEA ECX,[EBP+FFFFFF70]
017F:00466351 FF70F8 PUSH DWORD [EAX-08] 〈---- e-mail length
017F:00466354 50 PUSH EAX
017F:00466355 E8BEF3FEFF CALL 00455718 〈---- hash update with the e-mail
017F:0046635A 8B856CFFFFFF MOV EAX,[EBP+FFFFFF6C] 〈---- "PictureToTV"
017F:00466360 8D8D70FFFFFF LEA ECX,[EBP+FFFFFF70]
017F:00466366 FF70F8 PUSH DWORD [EAX-08] 〈---- its length
017F:00466369 50 PUSH EAX
017F:0046636A E8A9F3FEFF CALL 00455718 〈---- hash update with the program name
017F:0046636F 8D8D70FFFFFF LEA ECX,[EBP+FFFFFF70]
017F:00466375 E88EF4FEFF CALL 00455808 〈---- finalise (MD5Final)
017F:0046637A 8D8D70FFFFFF LEA ECX,[EBP+FFFFFF70]
017F:00466380 E823F5FEFF CALL 004558A8 〈---- returns the 16-byte digest: copies [00A6F4FC] to [00B945C0]
[00A6F578]:5A F7 AE 26 73 92 61 70 - C5 86 9F 22 F6 AB 2A 70 〈---- the digest (dumped before the XOR folding below)
XOR fold: digest bytes 6..11 are XORed into bytes 0..5
017F:00466385 8945EC MOV [EBP-14],EAX 〈---- the 16 digest bytes at [00B945C0] are copied to [00A6F578]; [EBP-14] keeps that address
017F:00466388 33C9 XOR ECX,ECX
017F:0046638A 8B55EC MOV EDX,[EBP-14] 〈----[00A6F578]
017F:0046638D 8A441106 MOV AL,[ECX+EDX+06]
017F:00466391 300411 XOR [ECX+EDX],AL
017F:00466394 41 INC ECX
017F:00466395 83F906 CMP ECX,BYTE +06
017F:00466398 7CF0 JL 0046638A
XOR fold: digest bytes 12..15 are XORed into bytes 0..3
017F:0046639A 33C9 XOR ECX,ECX
017F:0046639C 8B55EC MOV EDX,[EBP-14]
017F:0046639F 8A44110C MOV AL,[ECX+EDX+0C]
017F:004663A3 300411 XOR [ECX+EDX],AL
017F:004663A6 41 INC ECX
017F:004663A7 83F904 CMP ECX,BYTE +04
017F:004663AA 7CF0 JL 0046639C
017F:004663AC 8D4DDC LEA ECX,[EBP-24]
017F:004663AF E8F8D40D00 CALL `MFC42!ord_0000021C` 〈---- empty CString at [EBP-24] for the computed tail
017F:004663B4 C745FC06000000 MOV DWORD [EBP-04],06
017F:004663BB 8B7DEC MOV EDI,[EBP-14] 〈---- address of the folded digest
017F:004663BE 0FB637 MOVZX ESI,BYTE [EDI] 〈---- folded bytes 0..5
017F:004663C1 0FB65F01 MOVZX EBX,BYTE [EDI+01]
017F:004663C5 0FB64F02 MOVZX ECX,BYTE [EDI+02]
017F:004663C9 0FB65703 MOVZX EDX,BYTE [EDI+03]
017F:004663CD 0FB64704 MOVZX EAX,BYTE [EDI+04]
017F:004663D1 0FB67F05 MOVZX EDI,BYTE [EDI+05] 〈---- become the six format arguments
017F:004663D5 57 PUSH EDI
017F:004663D6 50 PUSH EAX
017F:004663D7 8D45DC LEA EAX,[EBP-24]
017F:004663DA 52 PUSH EDX
017F:004663DB 51 PUSH ECX
017F:004663DC 53 PUSH EBX
017F:004663DD 56 PUSH ESI
017F:004663DE 68C0536100 PUSH DWORD 006153C0 〈---- format string (not dumped here; it turns the six bytes into the 12-character tail)
017F:004663E3 50 PUSH EAX
017F:004663E4 E8EDD40D00 CALL `MFC42!ord_00000B02` 〈---- format into the CString at [EBP-24]
017F:004663E9 8B45EC MOV EAX,[EBP-14]
017F:004663EC 50 PUSH EAX
017F:004663ED E802D50D00 CALL `MFC42!ord_00000339`
017F:004663F2 FFB55CFFFFFF PUSH DWORD [EBP+FFFFFF5C] 〈---- address of the entered last 12 characters
017F:004663F8 FF75DC PUSH DWORD [EBP-24] 〈---- address of the computed last 12 characters
017F:004663FB FF1530EB5400 CALL `MSVCRT!_mbsicmp` 〈---- case-insensitive compare; 0 means the code is accepted
Summary:
The program asks for an e-mail address and a registration code.
How the registration code is checked:
First the entered code is filtered: every character outside 0-9 and upper-case A-F is removed, leaving the "valid" code. If nothing is left, or the e-mail is empty, the registration-failed message is shown.
In the core routine the e-mail must contain '@' (the search for 0x40 at 00466204, with -1 meaning not found) and the filtered code must be exactly 16 characters; otherwise the routine returns 0 and registration fails. The code is then split: the first 4 characters are saved separately and the last 12 are kept for the comparison. The first 4 characters, the e-mail address and the program name "PictureToTV" are fed, in that order, into a hash whose 16-byte state starts as 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10, i.e. MD5 (the buffer dump shows the message "7878essorg@163.comPictureToTV"; note that it is the first 4 characters that go into the hash, not the last 12). The 16-byte digest is folded by XOR (bytes 6-11 into bytes 0-5, then bytes 12-15 into bytes 0-3), the first 6 folded bytes are formatted as 12 hex characters, and that string is compared case-insensitively (_mbsicmp) with the last 12 characters that were entered.
Two consequences: the first 4 characters are free, since any 4 hex digits are accepted as long as the same 4 are used when the tail is computed; and although the final compare is case-insensitive, a code typed with lower-case a-f never gets that far, because the filter has already deleted those characters and the length check then fails.
Cracking method:
Break at the _mbsicmp comparison; the first 4 characters at [EBP-9C] followed by the computed 12-character tail at [EBP-24] form a valid registration code. Folding the digest dumped above by hand gives CD 2C 41 D0 EC B0, so for e-mail essorg@163.com with prefix 7878 the code would be 7878CD2C41D0ECB0 (assuming, as the position of the dump suggests, that [00A6F578] was dumped before the XOR loops ran).
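The whole check as a keygen and verifier, written as an added example (it is not code from the page or from the program's author). It assumes what the trace supports: the context at [EBP-90] is MD5 (identified from its initial state in the dump), the format string at 006153C0 prints six bytes as 12 upper-case hex digits, and the e-mail is hashed exactly as entered (the unidentified CString call on the e-mail copy at 004661F9 is ignored). The dumped digest bytes are taken from the trace; everything else is constructed here.

```python
"""PictureToTV 1.0 registration check, reconstructed from the trace (added example).

Assumptions, as labelled in the lead-in: MD5 context, %02X-style formatting of
six bytes, e-mail hashed as typed, single-byte (latin-1) text.
"""
import hashlib

PROGRAM_NAME = "PictureToTV"            # literal pushed at 00466314
HEX_UPPER = frozenset("0123456789ABCDEF")


def filter_code(entered: str) -> str:
    """Loop at 00466632-0046665F: keep only 0-9 and upper-case A-F, drop the rest."""
    return "".join(ch for ch in entered if ch in HEX_UPPER)


def fold_digest(digest: bytes) -> bytes:
    """XOR loops at 00466388-004663AA: bytes 6..11 into 0..5, then 12..15 into 0..3.
    Returns the six folded bytes that feed the format call."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte digest")
    d = bytearray(digest)
    for i in range(6):
        d[i] ^= d[i + 6]
    for i in range(4):
        d[i] ^= d[i + 12]
    return bytes(d[:6])


def computed_tail(prefix4: str, email: str) -> str:
    """The three update calls at 00466340/00466355/0046636A, then fold and format."""
    ctx = hashlib.md5()                  # assumption: 004562F8/00455718/00455808 are MD5
    for part in (prefix4, email, PROGRAM_NAME):
        ctx.update(part.encode("latin-1"))
    return fold_digest(ctx.digest()).hex().upper()   # assumed %02X formatting


def verify(email: str, entered_code: str) -> bool:
    """Mirror of the checks at 00466623-00466682 and 004661B4-004663FB."""
    code = filter_code(entered_code)
    if not code or not email:            # JNG at 00466669 / 00466676
        return False
    if "@" not in email:                 # Find('@') == -1 at 0046620B
        return False
    if len(code) != 16:                  # CMP EDX,10 at 00466250
        return False
    expected = computed_tail(code[:4], email)
    return code[4:].lower() == expected.lower()      # _mbsicmp is case-insensitive


def keygen(email: str, prefix4: str = "7878") -> str:
    """Any 4 hex digits may be chosen as the prefix; only the tail is derived."""
    if "@" not in email:
        raise ValueError("the program rejects an e-mail without '@'")
    prefix4 = filter_code(prefix4)
    if len(prefix4) != 4:
        raise ValueError("prefix must be exactly 4 characters from 0-9A-F")
    return prefix4 + computed_tail(prefix4, email)


# Digest dumped at [00A6F578] in the trace, before the XOR loops.
TRACE_DIGEST = bytes.fromhex("5AF7AE2673926170C5869F22F6AB2A70")

if __name__ == "__main__":
    print("fold of the dumped digest:", fold_digest(TRACE_DIGEST).hex().upper())
    key = keygen("essorg@163.com")
    print("key for essorg@163.com:", key, "verifies:", verify("essorg@163.com", key))
```

Running it prints the folded trace digest (CD2C41D0ECB0, the tail computed above by hand) and a freshly generated code; if the MD5 identification is right, the two tails agree. The `verify` function is the useful half for a defender reading this: the 12-character tail carries 48 bits of hash output and the prefix is unchecked, so the scheme offers no resistance once the hashed message layout is known.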