[Title]: Windows系统专家 (Windows System Expert) V2.5 Full: an analysis journey

[Author]: KuNgBiM[DFCG]

[Author e-mail]: gb_1227@163.com

[Software]: Windows系统专家 (Windows System Expert) V2.5 Full

[Protection]: registration code + startup NAG + feature limits

[Compiler]: Microsoft Visual Basic 5.0 / 6.0

—————————————————————————————————
[Cracking process]:

1. Check for a packer with PEiD: no packer, compiled with Microsoft Visual Basic 5.0 / 6.0.

2. Run the main program, open the registration dialog, enter trial information and confirm. The program reports that the registration information is wrong. VB programs only offer a handful of useful breakpoints, so a string-comparison breakpoint is used here: bp __vbaStrCmp

3. Load the main program in OllyDbg, set the breakpoint bp __vbaStrCmp, press Enter, then F9 to run:

660E8A03 >  FF7424 08       push dword ptr ss:[esp+8]           ; breaks here; F9 to continue
660E8A07    FF7424 08       push dword ptr ss:[esp+8]
660E8A0B    6A 00           push 0
660E8A0D    E8 B426F3FF     call MSVBVM60.__vbaStrComp
660E8A12    C2 0800         retn 8

————————————————————————————————————————————

EAX 00153710 ASCII "xgK"                                        ; software blacklist
ECX 00000000
EDX 001C938C UNICODE "8324ADA5C4250E43A1D731349F6247AA"         ; registration code belonging to the blacklist entry
EBX 00000001
ESP 0012E99C ASCII "htD"
EBP 0012F804
ESI 0012F8E0
EDI 0012F810
EIP 660E8A03 MSVBVM60.__vbaStrCmp

————————————————————————————————————————————

After about 25 presses of F9 the registers change:

————————————————————————————————————————————

EAX 00000000
ECX 00000000
EDX 001D212C UNICODE "8324ADA5C4250E43A1D731349F6247AA"         ; registration code checked again
EBX 00000001
ESP 0012FA78
EBP 0012FB7C
ESI 0012FC58
EDI 0012FB88
EIP 660E8A03 MSVBVM60.__vbaStrCmp

————————————————————————————————————————————

One more F9 opens the registration dialog shown at startup:

Enter the "User name" and "Registration code" in turn:

/////// Trial information ///////

User name: KuNgBiM

Registration code: 9876543210

////////////////////////

Click the "Register" button to complete registration (the registers change again):

————————————————————————————————————————————

EAX 001C97D4 UNICODE "9876543210"                               ; the fake code that was entered
ECX 001DB15C UNICODE "A43846F4A175F15A08CD2EDAB75023B6"         ; the real registration code
EDX 004B66F4 Windows?004B66F4
EBX 00000000
ESP 0012F5F0 ASCII "qwJ"
EBP 0012F6A4
ESI 001E75C8
EDI 001CB818
EIP 660E8A03 MSVBVM60.__vbaStrCmp

————————————————————————————————————————————

Alt + F9 returns to the program's own code:

004A7763    8B45 E0         mov eax,dword ptr ss:[ebp-20]
004A7766    8B4D DC         mov ecx,dword ptr ss:[ebp-24]
004A7769    50              push eax
004A776A    51              push ecx                                    ; ★ a memory keygen can be made here ★
004A776B    FF15 E8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; MSVBVM60.__vbaStrCmp
004A7771    8BF0            mov esi,eax                                 ; returns here; remove all breakpoints, then look upward
004A7773    8D55 DC         lea edx,dword ptr ss:[ebp-24]
004A7776    F7DE            neg esi
004A7778    1BF6            sbb esi,esi
004A777A    8D45 E0         lea eax,dword ptr ss:[ebp-20]
004A777D    52              push edx
004A777E    46              inc esi
004A777F    50              push eax
004A7780    6A 02           push 2
004A7782    F7DE            neg esi
004A7784    FF15 F4114000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStrL>; MSVBVM60.__vbaFreeStrList
004A778A    83C4 0C         add esp,0C
004A778D    8D4D D4         lea ecx,dword ptr ss:[ebp-2C]
004A7790    FF15 84124000   call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004A7796    66:3BF3         cmp si,bx
004A7799    0F84 D5020000   je Windows?004A7A74                         ; ★ patch point ★

★★★★★★ Memory keygen ★★★★★★

Break address: 4A776A
Break count: 1
First byte: 51
Instruction length: 1

Memory mode --> register ECX --> wide string

★★★★★★★★★★★★★★★★★★


★★★★★★★★★ Patching method ★★★★★★★★★

004A7799    0F84 D5020000   je Windows?004A7A74

Change to (NOP it out):

004A7799    90              nop
004A779A    90              nop
004A779B    90              nop
004A779C    90              nop
004A779D    90              nop
004A779E    90              nop

★★★★★★★★★★★★★★★★★★★★★★★★

At this point we could already pass as a beginner or intermediate cracker, but this article focuses on the registration algorithm, so the journey continues:

004A7660    FF51 04         call dword ptr ds:[ecx+4]
004A7663    8B17            mov edx,dword ptr ds:[edi]
004A7665    33DB            xor ebx,ebx
004A7667    57              push edi
004A7668    895D E8         mov dword ptr ss:[ebp-18],ebx
004A766B    895D E4         mov dword ptr ss:[ebp-1C],ebx
004A766E    895D E0         mov dword ptr ss:[ebp-20],ebx
004A7671    895D DC         mov dword ptr ss:[ebp-24],ebx
004A7674    895D D8         mov dword ptr ss:[ebp-28],ebx
004A7677    895D D4         mov dword ptr ss:[ebp-2C],ebx
004A767A    895D C4         mov dword ptr ss:[ebp-3C],ebx
004A767D    895D B4         mov dword ptr ss:[ebp-4C],ebx
004A7680    895D 90         mov dword ptr ss:[ebp-70],ebx
004A7683    895D 8C         mov dword ptr ss:[ebp-74],ebx
004A7686    FF92 FC020000   call dword ptr ds:[edx+2FC]
004A768C    50              push eax                                    ; eax=01AA75AC
004A768D    8D45 D4         lea eax,dword ptr ss:[ebp-2C]
004A7690    50              push eax
004A7691    FF15 94104000   call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004A7697    8BF0            mov esi,eax                                 ; eax=01AA75AC,esi=0012F730
004A7699    8D55 E0         lea edx,dword ptr ss:[ebp-20]               ; edx=00DA5768
004A769C    52              push edx
004A769D    56              push esi                                    ; eax=01AA75AC
004A769E    8B0E            mov ecx,dword ptr ds:[esi]
004A76A0    FF91 A0000000   call dword ptr ds:[ecx+A0]
004A76A6    3BC3            cmp eax,ebx                                 ; compare the HRESULT in eax with ebx (= 0)
004A76A8    DBE2            fclex                                       ; clear pending FPU exceptions
004A76AA    7D 12           jge short Windows?004A76BE                  ; jump if the call succeeded (HRESULT >= 0)
004A76AC    68 A0000000     push 0A0
004A76B1    68 24F74100     push Windows?0041F724
004A76B6    56              push esi
004A76B7    50              push eax
004A76B8    FF15 74104000   call dword ptr ds:[<&MSVBVM60.__vbaHresultC>; MSVBVM60.__vbaHresultCheckObj
004A76BE    8B45 E0         mov eax,dword ptr ss:[ebp-20]               ; fetch the user name
004A76C1    50              push eax                                    ; push the user name; eax=001E8B24, (UNICODE "KuNgBiM")
004A76C2    68 68EE4100     push Windows?0041EE68                       ; fetch the fixed string, (UNICODE "WSYS1688")
004A76C7    FF15 5C104000   call dword ptr ds:[<&MSVBVM60.__vbaStrCat>] ; string concatenation, MSVBVM60.__vbaStrCat
004A76CD    8BD0            mov edx,eax                                 ; eax=001DB584, (UNICODE "KuNgBiMWSYS1688"),edx=2
004A76CF    8D4D E8         lea ecx,dword ptr ss:[ebp-18]               ; ecx=3
004A76D2    FF15 58124000   call dword ptr ds:[<&MSVBVM60.__vbaStrMove>>; MSVBVM60.__vbaStrMove
004A76D8    8D4D E0         lea ecx,dword ptr ss:[ebp-20]
004A76DB    FF15 88124000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStr>>; MSVBVM60.__vbaFreeStr
004A76E1    8D4D D4         lea ecx,dword ptr ss:[ebp-2C]               ; ecx=00149888
004A76E4    FF15 84124000   call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004A76EA    8B0F            mov ecx,dword ptr ds:[edi]                  ; ecx=01AA5DBC
004A76EC    57              push edi                                    ; edi=001CB7F0
004A76ED    FF91 00030000   call dword ptr ds:[ecx+300]                 ; ★ algorithm CALL_1 ★, F7 to step into!

——————————————————————————————————————————————

Stepping into ★ algorithm CALL_1 ★:

661043E8    E8 F8190000     call MSVBVM60.66105DE5                      ; stepped in to here; F7 to keep stepping!
661043ED    8D49 00         lea ecx,dword ptr ds:[ecx]
661043F0    E8 F0190000     call MSVBVM60.66105DE5
661043F5    8D49 00         lea ecx,dword ptr ds:[ecx]
661043F8    E8 E8190000     call MSVBVM60.66105DE5
........
========== Stepping into 661043E8    E8 F8190000     call MSVBVM60.66105DE5 ==========

66105DE5    58              pop eax                                     ; MSVBVM60.661043ED
66105DE6    2D ED3D1066     sub eax,MSVBVM60.66103DED
66105DEB    D1E8            shr eax,1
66105DED    8B5424 04       mov edx,dword ptr ss:[esp+4]
66105DF1    8B52 10         mov edx,dword ptr ds:[edx+10]
66105DF4    895424 04       mov dword ptr ss:[esp+4],edx
66105DF8    8B12            mov edx,dword ptr ds:[edx]
66105DFA    FF2410          jmp dword ptr ds:[eax+edx]                  ; jump!
66105DFD    66:837C24 0C 00 cmp word ptr ss:[esp+C],0
66105E03    56              push esi
........

========== Stepping into 66105DFA    FF2410          jmp dword ptr ds:[eax+edx] ==========

00F97250    55              push ebp                                    ; the jump lands here
00F97251    8BEC            mov ebp,esp
00F97253    8B55 08         mov edx,dword ptr ss:[ebp+8]                ; stack ss:[0012F5F8]=01AA5DBC, edx=00DB09A0
00F97256    8B92 E8000000   mov edx,dword ptr ds:[edx+E8]               ; ds:[01AA5EA4]=01AA5138,edx=01AA5DBC
00F9725C    8B82 68000000   mov eax,dword ptr ds:[edx+68]               ; ds:[01AA51A0]=01AA76EC,eax=00000300
00F97262    50              push eax                                    ; eax=01AA76EC
00F97263    50              push eax
00F97264    8B10            mov edx,dword ptr ds:[eax]                  ; ds:[01AA76EC]=00DA5768,edx=01AA5138
00F97266    FF52 04         call dword ptr ds:[edx+4]
00F97269    58              pop eax
00F9726A    C9              leave
00F9726B    C2 0400         retn 4                                      ; return to the program
........

——————————————————————————————————————————————

004A76F3    8D55 D4         lea edx,dword ptr ss:[ebp-2C]               ; edx=00DA5768
004A76F6    50              push eax                                    ; eax=01AA76EC
004A76F7    52              push edx                                    ; edx=0012F678
004A76F8    FF15 94104000   call dword ptr ds:[<&MSVBVM60.__vbaObjSet>] ; MSVBVM60.__vbaObjSet
004A76FE    8BF0            mov esi,eax                                 ; eax=01AA76EC,esi=01AA75AC
004A7700    8D4D E0         lea ecx,dword ptr ss:[ebp-20]               ; ecx=0
004A7703    51              push ecx
004A7704    56              push esi                                    ; esi=01AA76EC
004A7705    8B06            mov eax,dword ptr ds:[esi]                  ; ds:[01AA76EC]=00DA5768,eax=01AA76EC
004A7707    FF90 A0000000   call dword ptr ds:[eax+A0]
004A770D    3BC3            cmp eax,ebx                                 ; compare the HRESULT in eax with ebx (= 0)
004A770F    DBE2            fclex                                       ; clear pending FPU exceptions
004A7711    7D 12           jge short Windows?004A7725                  ; jump if the call succeeded (HRESULT >= 0)
004A7713    68 A0000000     push 0A0
004A7718    68 24F74100     push Windows?0041F724
004A771D    56              push esi
004A771E    50              push eax
004A771F    FF15 74104000   call dword ptr ds:[<&MSVBVM60.__vbaHresultC>; MSVBVM60.__vbaHresultCheckObj
004A7725    8B45 E4         mov eax,dword ptr ss:[ebp-1C]
004A7728    3BC3            cmp eax,ebx                                 ; is the object pointer still 0 (ebx = 0)?
004A772A    75 12           jnz short Windows?004A773E
004A772C    8D55 E4         lea edx,dword ptr ss:[ebp-1C]               ; edx=00DA0608
004A772F    52              push edx
004A7730    68 B0C84000     push Windows?0040C8B0
004A7735    FF15 C8114000   call dword ptr ds:[<&MSVBVM60.__vbaNew2>]   ; ★ algorithm CALL_2 ★, F7 to step into! MSVBVM60.__vbaNew2
........

——————————————————————————————————————————————

Stepping into ★ algorithm CALL_2 ★:

660D9CAF    55              push ebp                                    ; ebp=0012F6A4
660D9CB0    8BEC            mov ebp,esp                                 ; esp=0012F5EC,ebp=0012F6A4
660D9CB2    83EC 20         sub esp,20                                  ; esp=esp-20=0012F5CC
660D9CB5    57              push edi                                    ; edi=001CB7F0
660D9CB6    6A 08           push 8
660D9CB8    59              pop ecx
660D9CB9    33C0            xor eax,eax
660D9CBB    8D7D E0         lea edi,dword ptr ss:[ebp-20]               ; stack address=0012F5CC, edi=001CB7F0
660D9CBE    F3:AB           rep stos dword ptr es:[edi]                 ; repeat while ECX<>0 (zero-fill), ecx=8
660D9CC0    8D45 E0         lea eax,dword ptr ss:[ebp-20]
660D9CC3    50              push eax                                    ; eax=0012F5CC
660D9CC4    FF75 0C         push dword ptr ss:[ebp+C]
660D9CC7    FF75 08         push dword ptr ss:[ebp+8]
660D9CCA    E8 949A0000     call MSVBVM60.660E3763
660D9CCF    8D4D E0         lea ecx,dword ptr ss:[ebp-20]
660D9CD2    51              push ecx
660D9CD3    50              push eax
660D9CD4    E8 70F2FFFF     call MSVBVM60.660D8F49
660D9CD9    5F              pop edi
660D9CDA    C9              leave
660D9CDB    C2 0800         retn 8                                      ; return to the program
........

——————————————————————————————————————————————

004A773B    8B45 E4         mov eax,dword ptr ss:[ebp-1C]               ; stack ss:[0012F688]=001DF250, eax=0
004A773E    8B08            mov ecx,dword ptr ds:[eax]                  ; ecx=9
004A7740    8D55 DC         lea edx,dword ptr ss:[ebp-24]
004A7743    52              push edx                                    ; edx=0012F680
004A7744    8D55 E8         lea edx,dword ptr ss:[ebp-18]
004A7747    52              push edx                                    ; edx=0012F68C
004A7748    50              push eax                                    ; eax=001DF250
004A7749    8BF0            mov esi,eax                                 ; eax=001DF250,esi=01AA76EC
004A774B    FF51 30         call dword ptr ds:[ecx+30]
004A774E    3BC3            cmp eax,ebx                                 ; compare the HRESULT in eax with ebx (= 0)
004A7750    DBE2            fclex                                       ; clear pending FPU exceptions
004A7752    7D 0F           jge short Windows?004A7763                  ; jump if the call succeeded (HRESULT >= 0)
004A7754    6A 30           push 30
004A7756    68 ACEE4100     push Windows?0041EEAC
004A775B    56              push esi
004A775C    50              push eax
004A775D    FF15 74104000   call dword ptr ds:[<&MSVBVM60.__vbaHresultC>; MSVBVM60.__vbaHresultCheckObj
004A7763    8B45 E0         mov eax,dword ptr ss:[ebp-20]               ; (fake code) stack ss:[0012F684]=001E8B24, (UNICODE "9876543210")
004A7766    8B4D DC         mov ecx,dword ptr ss:[ebp-24]               ; (real code) stack ss:[0012F680]=001DB26C, ecx=0012F690
                                                                        ;              (UNICODE "A43846F4A175F15A08CD2EDAB75023B6")
004A7769    50              push eax                                    ; eax=001E8B24, (UNICODE "9876543210")
004A776A    51              push ecx                                    ; ecx=001DB26C, (UNICODE "A43846F4A175F15A08CD2EDAB75023B6")
004A776B    FF15 E8104000   call dword ptr ds:[<&MSVBVM60.__vbaStrCmp>] ; the classic comparison, MSVBVM60.__vbaStrCmp
004A7771    8BF0            mov esi,eax                                 ; eax=FFFFFFFF,esi=001DF250
004A7773    8D55 DC         lea edx,dword ptr ss:[ebp-24]
004A7776    F7DE            neg esi
004A7778    1BF6            sbb esi,esi
004A777A    8D45 E0         lea eax,dword ptr ss:[ebp-20]
004A777D    52              push edx
004A777E    46              inc esi
004A777F    50              push eax
004A7780    6A 02           push 2
004A7782    F7DE            neg esi
004A7784    FF15 F4114000   call dword ptr ds:[<&MSVBVM60.__vbaFreeStrL>; MSVBVM60.__vbaFreeStrList
004A778A    83C4 0C         add esp,0C
004A778D    8D4D D4         lea ecx,dword ptr ss:[ebp-2C]               ; ecx=001498E8
004A7790    FF15 84124000   call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>>; MSVBVM60.__vbaFreeObj
004A7796    66:3BF3         cmp si,bx
004A7799    0F84 D5020000   je Windows?004A7A74                         ; ★ patch point ★
........
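The four instructions after the __vbaStrCmp call (neg esi / sbb esi,esi / inc esi / neg esi) and the cmp si,bx / je pair are easy to misread, so here is a small Python emulation of that sequence. It is an added example, not code from the write-up or from the program; it assumes that __vbaStrCmp returns -1, 0 or 1 like VB's StrComp, and the only inputs are the two strings from the register dump above.

```python
# Added example (not from the original write-up): emulate the VB6 runtime idiom
#   mov esi,eax / neg esi / sbb esi,esi / inc esi / neg esi / cmp si,bx / je ...
# that follows the __vbaStrCmp call at 004A776B, to show which way the
# je at 004A7799 goes for a given comparison result.
# Assumption: __vbaStrCmp returns -1, 0 or 1, like VB's StrComp.

MASK32 = 0xFFFFFFFF


def neg32(x):
    """x86 NEG: two's-complement negate, truncated to 32 bits.
    Returns (result, CF); CF is set exactly when the operand was non-zero."""
    x &= MASK32
    return (-x) & MASK32, int(x != 0)


def sbb32(dst, src, cf):
    """x86 SBB: dst - src - CF, truncated to 32 bits."""
    return (dst - src - cf) & MASK32


def vb_bool_from_strcmp(cmp_result):
    """neg esi / sbb esi,esi / inc esi / neg esi.

    Turns the -1/0/1 compare result into a VB Boolean:
    0 (strings equal) -> 0xFFFFFFFF (True), anything else -> 0 (False)."""
    esi = cmp_result & MASK32
    esi, cf = neg32(esi)          # CF = 1 unless the strings compared equal
    esi = sbb32(esi, esi, cf)     # esi = -CF: 0xFFFFFFFF if different, 0 if equal
    esi = (esi + 1) & MASK32      # 0 if different, 1 if equal
    esi, _ = neg32(esi)           # 0 if different, 0xFFFFFFFF (VB True) if equal
    return esi


def vba_strcmp(a, b):
    """Model of __vbaStrCmp's return value (assumption: -1, 0 or 1)."""
    return (a > b) - (a < b)


def failure_branch_taken(entered_code, real_code):
    """cmp si,bx / je Windows?004A7A74, with bx == 0.

    The je is taken (registration rejected) when the VB Boolean is False,
    i.e. when the entered code differs from the computed one."""
    esi = vb_bool_from_strcmp(vba_strcmp(entered_code, real_code))
    si, bx = esi & 0xFFFF, 0
    return si == bx


if __name__ == "__main__":
    # The two strings seen in the register dump above (constructed call)
    fake = "9876543210"
    real = "A43846F4A175F15A08CD2EDAB75023B6"
    print("je taken with the fake code:", failure_branch_taken(fake, real))  # True
    print("je taken with the real code:", failure_branch_taken(real, real))  # False
```

The emulation shows why the je is the decisive branch: esi ends up as VB True (0xFFFFFFFF) only when the two strings are identical, and cmp si,bx tests the low 16 bits of that Boolean against zero.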

-------------------------------------------------------------------------------------------------------------------------
[Algorithm summary]

Key points about the registration check:

The user name is first concatenated with the string "WSYS1688" to form a new string, which then goes through a series of operations (not explained clearly here; see the article for details) to produce a value to be fetched; finally, if XORing that value with "1DF250" gives 0, registration succeeds.


BTW: in both interface and features this program closely resembles "Windows优化大师" (Windows Optimizer Master), but its features fall far short of it, and the user name cannot contain Chinese characters. Ugh~

============================================================================================

[Registration information]

User name: KuNgBiM

Registration code: A43846F4A175F15A08CD2EDAB75023B6

User name: KuNgBiM[DFCG]

Registration code: 7CA65B7DC85A98C60B7B9A2C04B53F2D

User name: www.pediy.com

Registration code: 379097F830F7128C75DCA6D5D3BF4798

[Where the registration information is stored]

[HKEY_LOCAL_MACHINE\SOFTWARE\wsyszj]
"regname"="KuNgBiM"
"regsofe"="A43846F4A175F15A08CD2EDAB75023B6"

--------------------------------------------------------------------------------------------

(End of article)

Copyright (C) 2005 KuNgBiM[DFCG]


--------------------------------------------------------------------------------------------
          Cracked By KuNgBiM[DFCG]

                2005-07-18

                17:00:00 PM