软件:Advanced Email Parser1.22
下载:http://www.mailutilities.com/
保护方式:aspretect+md5
作者:lordor
工具:ollyDBG+隐身插件。
用ollyDbg加载带壳的程序,还是按老办法,来到这里
00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ASCII "Registration"
00463E4D PUSH aep.00546B54 ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ASCII "Registration"
00463E6A PUSH aep.00546B30 ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP ===>在这下断,看一下那里调用,来到下面
00463E7F RETN
00473250 PUSH ESI
00473251 MOV ESI,ECX
00473253 CALL aep.00463DC0 跳出输入框,F7进入
00473258 CALL aep.00463B30
0047325D TEST EAX,EAX
0047325F JE SHORT aep.00473287
00473261 CALL aep.00412840
00473266 TEST EAX,EAX
00473268 JNZ SHORT aep.00473272
0047326A PUSH 1
0047326C CALL DWORD PTR DS:[5373B0] kernel32.ExitProcess
00473272 JMP aep.00473287
00473277 JA SHORT aep.0047328B
00473279 ??? Unknown command
0047327A ADC EAX,384B7548
0047327F JL SHORT aep.004732A7
00473281 SBB DWORD PTR SS:[ESP+EDX*2+5E0A9CE7],ED>
--------------------------------------
来到上面的call:
00463DC0 PUSH EBP
00463DC1 MOV EBP,ESP
00463DC3 AND ESP,FFFFFFF8
00463DC6 SUB ESP,100
00463DCC PUSH ESI
00463DCD PUSH EDI
00463DCE XOR EAX,EAX
00463DD0 MOV BYTE PTR SS:[ESP+8],0
00463DD5 MOV ECX,3F
00463DDA LEA EDI,DWORD PTR SS:[ESP+9]
00463DDE REP STOS DWORD PTR ES:[EDI]
00463DE0 STOS WORD PTR ES:[EDI]
00463DE2 STOS BYTE PTR ES:[EDI]
00463DE3 MOV EDI,DWORD PTR DS:[537780] user32.GetFocus
00463DE9 PUSH 100
00463DEE LEA EAX,DWORD PTR SS:[ESP+C]
00463DF2 PUSH EAX
00463DF3 PUSH aep.00546B84 ASCII "Enter registration code:"
00463DF8 PUSH aep.00546B74 ASCII "Registration"
00463DFD XOR ESI,ESI
00463DFF CALL EDI
00463E01 PUSH EAX
00463E02 CALL aep.00463CF0 ==>这里弹出输入框
00463E07 ADD ESP,14
00463E0A CMP EAX,1
00463E0D JNZ SHORT aep.00463E78 ==>输入吗?
00463E0F LEA ECX,DWORD PTR SS:[ESP+8] ==>输入的注册码入ecx
00463E13 PUSH ECX
00463E14 CALL aep.00463930 ==>关键call,F7进入
00463E19 MOV ESI,EAX
00463E1B ADD ESP,4
00463E1E TEST ESI,ESI
00463E20 JE SHORT aep.00463E63 ==>关键跳,不能跳
00463E22 LEA EDX,DWORD PTR SS:[ESP+8]
00463E26 PUSH EDX
00463E27 CALL aep.004056D0 ==>关键call,F7进入
00463E2C ADD ESP,4
00463E2F TEST EAX,EAX
00463E31 JNZ SHORT aep.00463E39 ==>要成功这里要跳
00463E33 POP EDI
00463E34 POP ESI
00463E35 MOV ESP,EBP
00463E37 POP EBP
00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ASCII "Registration"
00463E4D PUSH aep.00546B54 ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ASCII "Registration"
00463E6A PUSH aep.00546B30 ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP
00463E7F RETN
00463E80 PUSH ESI
00463E81 MOV ESI,ECX
00463E83 MOV EAX,DWORD PTR DS:[ESI+4]
00463E86 TEST EAX,EAX
00463E88 MOV DWORD PTR DS:[ESI],aep.00546BA0
00463E8E JE SHORT aep.00463E97
00463E90 PUSH EAX
00463E91 CALL DWORD PTR DS:[537430]
-----------------------------------------------------------------
来到上面的第一个关键CALL aep.00463930,注意返回的值EAX不能为0
00463930 SUB ESP,68
00463933 PUSH EBX
00463934 PUSH ESI
00463935 LEA EAX,DWORD PTR SS:[ESP+18] ===>md5初始值
00463939 PUSH EDI
0046393A PUSH EAX
0046393B CALL aep.00462D30
00463940 MOV ESI,DWORD PTR SS:[ESP+7C] ==>输入注册码
00463944 MOV EAX,ESI
00463946 ADD ESP,4
00463949 LEA EDX,DWORD PTR DS:[EAX+1]
0046394C LEA ESP,DWORD PTR SS:[ESP]
00463950 MOV CL,BYTE PTR DS:[EAX]
00463952 INC EAX
00463953 TEST CL,CL
00463955 JNZ SHORT aep.00463950
00463957 SUB EAX,EDX
00463959 PUSH EAX
0046395A LEA ECX,DWORD PTR SS:[ESP+20]
0046395E PUSH ESI ==>注册码
0046395F PUSH ECX ==>md5初始值
00463960 CALL aep.00463640 ==>计算md5
00463965 LEA EDX,DWORD PTR SS:[ESP+28]
00463969 PUSH EDX
0046396A LEA EAX,DWORD PTR SS:[ESP+1C]
0046396E PUSH EAX
0046396F CALL aep.00463700 ==>产生md5的值:654321为C33367701511B4F6020EC61DED352059
00463974 MOV EDI,DWORD PTR DS:[537520] SHLWAPI.StrCmpNIA
0046397A ADD ESP,14
0046397D PUSH 0B
0046397F PUSH aep.00546AE0 ASCII "AEP-D9MK316"
00463984 PUSH ESI ==>注册码
00463985 MOV EBX,1
0046398A CALL EDI ==>比较是否相等
0046398C TEST EAX,EAX
0046398E JNZ SHORT aep.004639AA
00463990 LEA ECX,DWORD PTR SS:[ESP+C]
00463994 PUSH ECX
00463995 MOV EBX,3
0046399A PUSH EBX
0046399B CALL aep.004638C0 ==>关键call,
004639A0 ADD ESP,8
004639A3 POP EDI
004639A4 POP ESI
004639A5 POP EBX
004639A6 ADD ESP,68
004639A9 RETN
004639AA PUSH 0B
004639AC PUSH aep.00546AD4 ASCII "AEP-D9MK3PE"
004639B1 PUSH ESI
004639B2 CALL EDI
004639B4 TEST EAX,EAX
004639B6 JNZ SHORT aep.004639D2
004639B8 LEA ECX,DWORD PTR SS:[ESP+C]
004639BC PUSH ECX
004639BD MOV EBX,1
004639C2 PUSH EBX
004639C3 CALL aep.004638C0
004639C8 ADD ESP,8
004639CB POP EDI
004639CC POP ESI
004639CD POP EBX
004639CE ADD ESP,68
004639D1 RETN
004639D2 PUSH 0B
004639D4 PUSH aep.00546AC8 ASCII "AEP-D9MK3PR"
004639D9 PUSH ESI
004639DA CALL EDI
004639DC TEST EAX,EAX
004639DE JNZ SHORT aep.004639FA
004639E0 LEA ECX,DWORD PTR SS:[ESP+C]
004639E4 PUSH ECX
004639E5 MOV EBX,2
004639EA PUSH EBX
004639EB CALL aep.004638C0
004639F0 ADD ESP,8
004639F3 POP EDI
004639F4 POP ESI
004639F5 POP EBX
004639F6 ADD ESP,68
004639F9 RETN
004639FA PUSH 0B
004639FC PUSH aep.00546ABC ASCII "AEP-RU56STE"
00463A01 PUSH ESI
00463A02 CALL EDI
00463A04 TEST EAX,EAX
00463A06 JNZ SHORT aep.00463A1F
00463A08 LEA ECX,DWORD PTR SS:[ESP+C]
00463A0C PUSH ECX
00463A0D XOR EBX,EBX
00463A0F PUSH EBX
00463A10 CALL aep.004638C0
00463A15 ADD ESP,8
00463A18 POP EDI
00463A19 POP ESI
00463A1A POP EBX
00463A1B ADD ESP,68
00463A1E RETN
00463A1F PUSH 0B
00463A21 PUSH aep.00546AB0 ASCII "AEP-D9MK3LT"
00463A26 PUSH ESI
00463A27 CALL EDI
00463A29 TEST EAX,EAX
00463A2B JNZ SHORT aep.00463A32
00463A2D MOV EBX,4
00463A32 LEA ECX,DWORD PTR SS:[ESP+C]
00463A36 PUSH ECX
00463A37 PUSH EBX
00463A38 CALL aep.004638C0 ==>
00463A3D ADD ESP,8
00463A40 POP EDI
00463A41 POP ESI
00463A42 POP EBX
00463A43 ADD ESP,68
00463A46 RETN
进入上面CALL aep.004638C0
004638C0 SUB ESP,8
004638C3 MOV ECX,DWORD PTR SS:[ESP+C]
004638C7 LEA EAX,DWORD PTR SS:[ESP]
004638CA PUSH EAX
004638CB PUSH ECX
004638CC CALL aep.00463810
004638D1 ADD ESP,8
004638D4 TEST EAX,EAX
004638D6 MOV DWORD PTR SS:[ESP+4],EAX
004638DA JNZ SHORT aep.004638E0 ==>这里必须跳走,爆破点1
004638DC ADD ESP,8
004638DF RETN
004638E0 PUSH EBX
004638E1 PUSH EBP
004638E2 MOV EBP,DWORD PTR SS:[ESP+8]
004638E6 XOR EBX,EBX
004638E8 TEST EBP,EBP
004638EA JLE SHORT aep.0046390F
004638EC PUSH ESI
004638ED MOV EDX,EAX
004638EF PUSH EDI
004638F0 MOV ESI,DWORD PTR SS:[ESP+20]
004638F4 MOV ECX,4
004638F9 MOV EDI,EDX
004638FB XOR EAX,EAX
004638FD REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
004638FF JE SHORT aep.00463909
00463901 INC EBX
00463902 ADD EDX,10
00463905 CMP EBX,EBP ==>这里与预置的2000个注册码md5比较
00463907 JL SHORT aep.004638F0
00463909 MOV EAX,DWORD PTR SS:[ESP+14]
0046390D POP EDI
0046390E POP ESI
0046390F PUSH EAX
00463910 CALL aep.0048024E
00463915 ADD ESP,4
00463918 CMP EBX,EBP ==>是否循环2000次
0046391A JNZ SHORT aep.00463924 ==>这里必须跳走,爆破点
0046391C POP EBP
0046391D XOR EAX,EAX
0046391F POP EBX
00463920 ADD ESP,8
00463923 RETN
00463924 POP EBP
00463925 LEA EAX,DWORD PTR DS:[EBX+1]
00463928 POP EBX
00463929 ADD ESP,8
0046392C RETN
---------------------------------------------
来到第二个关键CALL aep.004056D0,此返回值eax必须不能为0
004056D0 PUSH EBP
004056D1 MOV EBP,ESP
004056D3 AND ESP,FFFFFFF8
004056D6 PUSH -1
004056D8 PUSH aep.00527756
004056DD MOV EAX,DWORD PTR FS:[0]
004056E3 PUSH EAX
004056E4 MOV DWORD PTR FS:[0],ESP
004056EB SUB ESP,120
004056F1 PUSH EDI
004056F2 CALL aep.00412810
004056F7 TEST EAX,EAX
004056F9 JE aep.004057E2
004056FF JMP aep.004057FD
-----------------------------------------
总结:
这个公司的软件,好像都是与预置的个注册码比较的程序,注册码的形式:AEP-D9MK316+XXXXXXX,要破解,只
要在0046391A JNZ SHORT aep.00463924及004638DA JNZ SHORT aep.004638E0处,把jnz改为jmp即可.不过好
像Asprotect加的壳做内存补丁时无效,不知那位高人能不能指点一下。
cracked by lordor
03.9.17
破解之道,在乎料敌先机!
www.digitalnuke.com