【Author】 lnn1123[[BCG][DCM]]
【 E-mail 】 lnn11231123@163.com
【Author QQ】 254513595
【Title】 TitleBarClock Pro 5.2 algorithm analysis
【Software】 TitleBarClock Pro 5.2
【Download】 天空软件
----------------------------------------------------------------------------------------------
【Protection】 Registration code
【Tools】 OD (OllyDbg), PEiD
【Software limitations】 Didn't check
【Platform】 Win9x/NT/2000/XP/XP SP2
----------------------------------------------------------------------------------------------
【Introduction】
A fairly simple write-up; experts can skip it.
----------------------------------------------------------------------------------------------
【Cracking process】
PEiD reports the packer as PECompact 2.x -> Jeremy Collake. In OllyDbg's debugging options, set it to ignore all exceptions (the packer's entry stub deliberately writes to address 0 to raise one, see below), then load the program; it stops at the packer entry point:
00401000 > B8 58CB4100 MOV EAX,Tbcpro.0041CB58 ; stops here (packer entry point)
00401005 50 PUSH EAX
00401006 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040100D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR DS:[EAX],ECX ; EAX = 0: a deliberate write to address 0 raises an access violation that the SEH handler installed above catches
00401018 50 PUSH EAX
00401019 45 INC EBP
0040101A 43 INC EBX
Set the breakpoint: BP VirtualFree (this packer's loader stub calls this API right before jumping to the OEP, so it is an API worth remembering). Run; when the breakpoint hits, remove it and press Alt+F9 (execute till user code) to return; a few more steps from there reach the OEP.
The breakpoint hits here, in kernel32:
7C809B14 > 8BFF MOV EDI,EDI ; Tbcpro.00400000
7C809B16 55 PUSH EBP
7C809B17 8BEC MOV EBP,ESP
7C809B19 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809B1C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809B1F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809B22 6A FF PUSH -1
7C809B24 E8 09000000 CALL kernel32.VirtualFreeEx
7C809B29 5D POP EBP
7C809B2A C2 0C00 RETN 0C
Alt+F9 returns here, in the loader stub PECompact allocated at run time (the 0038xxxx region lies outside the 00400000 image):
0038039C 58 POP EAX ; <&kernel32.VirtualFree>
0038039D 68 00800000 PUSH 8000
003803A2 6A 00 PUSH 0
003803A4 FFB5 E3120010 PUSH DWORD PTR SS:[EBP+100012E3]
003803AA FF10 CALL DWORD PTR DS:[EAX]
003803AC 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
003803AF 03C7 ADD EAX,EDI
003803B1 5D POP EBP
003803B2 5E POP ESI
003803B3 5F POP EDI
003803B4 59 POP ECX
003803B5 5B POP EBX
003803B6 C3 RETN
F8 (step over) from there until here:
0041CBFE 8985 1C110010 MOV DWORD PTR SS:[EBP+1000111C],EAX ; Tbcpro.<ModuleEntryPoint>
0041CC04 8BF0 MOV ESI,EAX
0041CC06 59 POP ECX
0041CC07 5A POP EDX
0041CC08 03CA ADD ECX,EDX
0041CC0A 68 00800000 PUSH 8000
0041CC0F 6A 00 PUSH 0
0041CC11 57 PUSH EDI
0041CC12 FF11 CALL DWORD PTR DS:[ECX]
0041CC14 8BC6 MOV EAX,ESI
0041CC16 5E POP ESI
0041CC17 5F POP EDI
0041CC18 59 POP ECX
0041CC19 5B POP EBX
0041CC1A 5D POP EBP
0041CC1B FFE0 JMP EAX ; JMP OEP
Take the JMP EAX to land on the OEP, then dump with the OllyDbg dump plugin; in my case the dump ran without any import repair. Unpacking done.
Now the algorithm. Enter an Order ID and a Regcode and an error box appears. Hopefully the strings are not encrypted; 老罗's string-reference plugin shows they are not. Locate the error string and set a breakpoint here:
=================================== Code =============================================
00405A10 |. 6A 10 PUSH 10 ; /Count = 10 (16.)
00405A12 |. 68 82D94000 PUSH 1.0040D982 ; |Buffer = 1.0040D982
00405A17 |. 68 AA0F0000 PUSH 0FAA ; |ControlID = FAA (4010.)
00405A1C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405A1F |. E8 08490000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00405A24 |. E8 18370000 CALL 1.00409141 ; the GetDlgItemTextA above fetched the entered Regcode (control 0FAA); key CALL, step in
00405A29 |. 833D 4BD74000 >CMP DWORD PTR DS:[40D74B],1 ; flag set by that call: 1 = mismatch
00405A30 |. 75 19 JNZ SHORT 1.00405A4B ; jumps when the flag is not 1; no jump = "Invalid Registration Code"
00405A32 |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405A34 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405A39 |. 68 80C04000 PUSH 1.0040C080 ; |Text = "Invalid Registration Code"
00405A3E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405A41 |. E8 40490000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405A46 |. E9 B5000000 JMP 1.00405B00
00405A4B |> 6A 1E PUSH 1E ; /Count = 1E (30.)
00405A4D |. 68 E6D94000 PUSH 1.0040D9E6 ; |Buffer = 1.0040D9E6
00405A52 |. 68 B40F0000 PUSH 0FB4 ; |ControlID = FB4 (4020.)
00405A57 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405A5A |. E8 CD480000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00405A5F |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; length of the entered Order ID (control 0FB4), returned by GetDlgItemTextA
00405A62 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /Order ID length
00405A65 |. E8 5F370000 CALL 1.004091C9 ; \key CALL, step in
00405A6A |. 833D 4FD74000 >CMP DWORD PTR DS:[40D74F],1 ; flag set by that call: 1 = Order ID accepted (opposite polarity from 40D74B)
00405A71 |. 75 62 JNZ SHORT 1.00405AD5 ; not 1: "Invalid RegNow OrderID"
00405A73 |. 66:C705 9FD740>MOV WORD PTR DS:[40D79F],0
00405A7C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Arg1
00405A7F |. E8 4C300000 CALL 1.00408AD0 ; \1.00408AD0
00405A84 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Arg1
00405A87 |. E8 AC2C0000 CALL 1.00408738 ; \1.00408738
00405A8C |. 6A 00 PUSH 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405A8E |. 68 4C040000 PUSH 44C ; |ItemID = 44C (1100.)
00405A93 |. FF35 84EC4000 PUSH DWORD PTR DS:[40EC84] ; |hMenu = ABC00201
00405A99 |. E8 24490000 CALL <JMP.&user32.RemoveMenu> ; \RemoveMenu
00405A9E |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AA0 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405AA5 |. 68 B1C04000 PUSH 1.0040C0B1 ; |Text = "Thank You!
TitleBarClock Pro
Registration Successful."
00405AAA |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405AAD |. E8 D4480000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405AB2 |. 6A 00 PUSH 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405AB4 |. FF35 88EC4000 PUSH DWORD PTR DS:[40EC88] ; |ItemID = 647C01D3 (1685848531.)
00405ABA |. FF35 84EC4000 PUSH DWORD PTR DS:[40EC84] ; |hMenu = ABC00201
00405AC0 |. E8 1F480000 CALL <JMP.&user32.EnableMenuItem> ; \EnableMenuItem
00405AC5 |. 6A 00 PUSH 0 ; /lParam = 0
00405AC7 |. 6A 00 PUSH 0 ; |wParam = 0
00405AC9 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
00405ACB |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405ACE |. E8 FB480000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00405AD3 |. EB 14 JMP SHORT 1.00405AE9
00405AD5 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AD7 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405ADC |. 68 9AC04000 PUSH 1.0040C09A ; |Text = "Invalid RegNow OrderID"
00405AE1 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405AE4 |. E8 9D480000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405AE9 |> EB 15 JMP SHORT 1.00405B00
00405AEB |> 3D C80F0000 CMP EAX,0FC8
00405AF0 |. 75 0E JNZ SHORT 1.00405B00
00405AF2 |. 6A 00 PUSH 0 ; /lParam = 0
00405AF4 |. 6A 00 PUSH 0 ; |wParam = 0
00405AF6 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
00405AF8 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405AFB |. E8 CE480000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00405B00 |> 33C0 XOR EAX,EAX
00405B02 |. C9 LEAVE
00405B03 \. C2 1000 RETN 10
=================================== Into CALL 00409141 ==================================================
00409141 /$ 56 PUSH ESI ; 1.0040594B
00409142 |. 57 PUSH EDI
00409143 |. 51 PUSH ECX
00409144 |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],0
0040914E |. BF B4D94000 MOV EDI,1.0040D9B4 ; ASCII "Z526WT491QN387B"
00409153 |. 57 PUSH EDI
00409154 |. BE 22DE4000 MOV ESI,1.0040DE22
00409159 |. B9 05000000 MOV ECX,5 ; 5 bytes to copy
0040915E |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy fragment 1 (0040DE22) to 0040D9B4
00409160 |. BE 67E04000 MOV ESI,1.0040E067 ; fragment 2
00409165 |. B9 05000000 MOV ECX,5 ; 5 bytes to copy
0040916A |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy fragment 2 right behind it
0040916C |. BE 92DF4000 MOV ESI,1.0040DF92 ; fragment 3
00409171 |. B9 05000000 MOV ECX,5 ; 5 bytes to copy
00409176 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; copy fragment 3: 15 raw bytes now sit at 0040D9B4
00409178 |. 5F POP EDI
00409179 |. 8BF7 MOV ESI,EDI
0040917B |. E8 21000000 CALL 1.004091A1 ; decodes the 15 raw bytes in place; the result is the registration code, step in
00409180 |. BE 82D94000 MOV ESI,1.0040D982 ; ASCII "78787878" ; the code entered in the dialog
00409185 |. BF B4D94000 MOV EDI,1.0040D9B4 ; ASCII "Z526WT491QN387B" ; the decoded, expected code
0040918A |. B9 0F000000 MOV ECX,0F ; compare 15 bytes
0040918F |. F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; entered vs expected
00409191 |. 74 0A JE SHORT 1.0040919D ; all 15 equal: flag stays 0 (pass)
00409193 |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],1 ; mismatch: flag = 1, the caller shows "Invalid Registration Code"
0040919D |> 59 POP ECX
0040919E |. 5F POP EDI
0040919F |. 5E POP ESI
004091A0 \. C3 RETN
===================================== Into CALL 004091A1 ================================================================
004091A1 /$ 56 PUSH ESI
004091A2 |. 57 PUSH EDI
004091A3 |. 8BF7 MOV ESI,EDI ; 1.0040D9B4
004091A5 |. B9 0F000000 MOV ECX,0F ; 15 bytes
004091AA |> AC LODS BYTE PTR DS:[ESI] ; load one raw byte
004091AB |. 2C 03 SUB AL,3 ; AL = AL - 3 (8-bit, wraps for bytes below 3)
004091AD |. D0E8 SHR AL,1 ; AL >>= 1 (the low bit is discarded)
004091AF |. AA STOS BYTE PTR ES:[EDI] ; store it back in place
004091B0 |. 49 DEC ECX ; count - 1
004091B1 |.^75 F7 JNZ SHORT 1.004091AA ; loop over all 15 bytes
004091B3 |. 5F POP EDI
004091B4 |. 5E POP ESI
004091B5 \. C3 RETN
At this point the Regcode is easy to recover. This program also has requirements on the Order ID; let's look at those.
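The two routines just walked through, CALL 00409141 and its decoder CALL 004091A1, ported to Python as an added example (this is not code from the write-up or from TitleBarClock Pro; the function names are mine). The three 5-byte fragments at 0040DE22, 0040E067 and 0040DF92 are not printed in the article, so RAW_SAMPLE is constructed by re-encoding the author's recovered code; on a real target you would feed decode_regcode() the 15 bytes dumped from those addresses.

```python
# Added example: Python port of the Regcode check in TitleBarClock Pro 5.2
# (CALL 00409141 and its decoder CALL 004091A1). Not code from the write-up or
# from the program; function names are mine. RAW_SAMPLE is constructed: the
# real bytes at 0040DE22 / 0040E067 / 0040DF92 are not shown in the article.

REGCODE_LEN = 15        # MOV ECX,0F before the LODS/STOS loop and the REPE CMPS
ENTRY_BUFFER = 0x10     # GetDlgItemTextA count for control 0FAA: 15 chars + NUL


def build_raw(frag_de22: bytes, frag_e067: bytes, frag_df92: bytes) -> bytes:
    """The three REP MOVSB copies: 5 bytes from each source, back to back."""
    frags = (frag_de22, frag_e067, frag_df92)
    if any(len(f) != 5 for f in frags):
        raise ValueError("each fragment is exactly 5 bytes (MOV ECX,5)")
    return b"".join(frags)


def decode_regcode(raw: bytes) -> bytes:
    """CALL 004091A1: every byte becomes (AL - 3) >> 1.

    SUB AL,3 is 8-bit arithmetic, so a raw byte below 3 wraps around
    before the shift (0x01 -> 0xFE -> 0x7F)."""
    if len(raw) != REGCODE_LEN:
        raise ValueError("the routine always processes 15 bytes")
    return bytes(((b - 3) & 0xFF) >> 1 for b in raw)


def encode_regcode(code: bytes, low_bit: int = 0) -> bytes:
    """Inverse of decode_regcode. SHR AL,1 discards the low bit, so every
    plaintext byte has two preimages; low_bit picks which one to emit."""
    if len(code) != REGCODE_LEN or any(c > 0x7F for c in code):
        raise ValueError("15 ASCII bytes expected")
    if low_bit not in (0, 1):
        raise ValueError("low_bit must be 0 or 1")
    return bytes((((c << 1) | low_bit) + 3) & 0xFF for c in code)


def check_regcode(entered: bytes, raw: bytes) -> bool:
    """CALL 00409141 as the dialog procedure sees it.

    True when the flag at 40D74B stays 0 (the codes match). The routine sets
    the flag to 1 on mismatch, which the caller reports as
    'Invalid Registration Code'."""
    # GetDlgItemTextA(hWnd, 0FAA, 0040D982, 0x10) copies at most 15 characters
    # and NUL-terminates; the rest of the 16-byte buffer is assumed to be zero.
    buf = entered[:ENTRY_BUFFER - 1]
    buf += b"\x00" * (ENTRY_BUFFER - len(buf))
    # REPE CMPS with ECX = 15 compares all 15 bytes, so an entry shorter than
    # 15 characters fails on the NUL that follows it.
    return buf[:REGCODE_LEN] == decode_regcode(raw)


# Constructed sample: the author's recovered code re-encoded with low_bit=0,
# split into the three 5-byte fragments the routine copies.
AUTHOR_REGCODE = b"Z526WT491QN387B"
_enc = encode_regcode(AUTHOR_REGCODE)
RAW_SAMPLE = build_raw(_enc[:5], _enc[5:10], _enc[10:])


if __name__ == "__main__":
    print("raw bytes :", RAW_SAMPLE.hex())
    print("decoded   :", decode_regcode(RAW_SAMPLE).decode("ascii"))
    print("real code :", check_regcode(AUTHOR_REGCODE, RAW_SAMPLE))
    print("fake code :", check_regcode(b"78787878", RAW_SAMPLE))
```

Two details matter when redoing this by hand: SUB AL,3 is 8-bit arithmetic, so a raw byte below 3 wraps before the shift, and the REPE CMPS always compares 15 bytes, so an entered code shorter than 15 characters fails on the NUL that follows it.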
======================================== Into CALL 004091C9 ============================================
004091C9 /$ 55 PUSH EBP
004091CA |. 8BEC MOV EBP,ESP
004091CC |. 83C4 FC ADD ESP,-4
004091CF |. 56 PUSH ESI
004091D0 |. 57 PUSH EDI
004091D1 |. 51 PUSH ECX
004091D2 |. BE E6D94000 MOV ESI,1.0040D9E6 ; ASCII "1234567890-1123-0000" ; the entered Order ID
004091D7 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; ECX = Order ID length (the argument)
004091DA |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0 ; counter of characters before the first '-'
004091E1 |> AC /LODS BYTE PTR DS:[ESI] ; load one character of the Order ID
004091E2 |. 3C 2D |CMP AL,2D ; is it '-'?
004091E4 |. 74 1B |JE SHORT 1.00409201 ; yes: go and check its position
004091E6 |. 3C 39 |CMP AL,39 ; compare with '9' (only an upper bound; nothing checks against '0')
004091E8 |. 7F 29 |JG SHORT 1.00409213 ; above '9': fail
004091EA |. FF45 FC |INC DWORD PTR SS:[EBP-4] ; counter++
004091ED |. 49 |DEC ECX
004091EE |.^75 F1 \JNZ SHORT 1.004091E1 ; next character
004091F0 |. C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0 ; length used up without a '-': flag = 0, fail
004091FA |. 59 POP ECX
004091FB |. 5F POP EDI
004091FC |. 5E POP ESI
004091FD |. C9 LEAVE
004091FE |. C2 0400 RETN 4
00409201 |> 837D FC 0A CMP DWORD PTR SS:[EBP-4],0A ; exactly 10 characters before the '-'?
00409205 |. 75 0C JNZ SHORT 1.00409213 ; the '-' must be the 11th character, else fail
00409207 |> AC /LODS BYTE PTR DS:[ESI] ; read the characters after the first '-'
00409208 |. 3C 2D |CMP AL,2D ; is it '-'? a second '-' is required
0040920A |. 74 18 |JE SHORT 1.00409224 ; second '-' found
0040920C |. 3C 39 |CMP AL,39 ; above '9'?
0040920E |. 7F 03 |JG SHORT 1.00409213 ; yes: fail
00409210 |. 49 |DEC ECX
00409211 |.^75 F4 \JNZ SHORT 1.00409207 ; next character
00409213 |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0 ; flag = 0: fail (every "above '9'" branch and a missing second '-' end up here)
0040921D |. 59 POP ECX
0040921E |. 5F POP EDI
0040921F |. 5E POP ESI
00409220 |. C9 LEAVE
00409221 |. C2 0400 RETN 4
00409224 |> AC /LODS BYTE PTR DS:[ESI] ; read the characters after the second '-'
00409225 |. 3C 00 |CMP AL,0 ; terminating NUL?
00409227 |. 74 07 |JE SHORT 1.00409230 ; yes: accepted
00409229 |. 3C 39 |CMP AL,39 ; above '9'?
0040922B |.^7F E6 |JG SHORT 1.00409213 ; yes: fail
0040922D |. 49 |DEC ECX
0040922E |.^75 F4 \JNZ SHORT 1.00409224 ; next character (falling through also accepts)
00409230 |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],1 ; flag = 1: Order ID accepted
0040923A |. 59 POP ECX
0040923B |. 5F POP EDI
0040923C |. 5E POP ESI
0040923D |. C9 LEAVE
0040923E \. C2 0400 RETN 4
To sum up what the code actually enforces for the Order ID: the first ten characters may be anything not above '9' in ASCII (digits 0-9 pass, but so would a space or '!', because no lower bound is checked; a '-' here fails because the '-' test comes first); the eleventh character must be '-'; the characters up to a second '-' must again be no greater than '9' (digits are fine, and that span may even be empty); after the second '-' anything no greater than '9' is accepted up to the terminating NUL. Without a second '-' the ID fails.
Example: 1234567890-1123-0000
My explanation isn't great, don't flame me.
That's the whole algorithm, fairly simple.
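The Order ID check, CALL 004091C9, emulated in Python as an added example (not code from the write-up or from the program; the function name is mine), kept close to the disassembly so that the counter, the three loops and both exits of each loop can be tested. Two modelling assumptions, marked in the code: the 30-byte buffer at 0040D9E6 (GetDlgItemTextA count 1E) is zero beyond the entered text, and a scan that runs past that buffer is treated as failure, whereas the real routine keeps reading whatever memory follows.

```python
# Added example: Python emulation of the Order ID check in TitleBarClock
# Pro 5.2 (CALL 004091C9). Not code from the write-up or the program; the
# function name is mine. Modelling assumptions: the 30-byte buffer at 0040D9E6
# is zero beyond the entered text, and a scan that runs past it is a failure
# (the real routine would keep reading whatever memory follows the buffer).

ORDERID_BUFFER = 0x1E    # GetDlgItemTextA count for control 0FB4: 29 chars + NUL
DASH, NINE = 0x2D, 0x39  # the only two constants the routine compares against


def check_order_id(order_id: str) -> bool:
    """True when the routine ends by setting the flag at 40D74F to 1."""
    data = order_id.encode("ascii")[:ORDERID_BUFFER - 1]
    buf = data + b"\x00" * (ORDERID_BUFFER - len(data))
    ecx = len(data)          # return value of GetDlgItemTextA, pushed at 00405A62
    esi = 0                  # read position in the buffer
    before_dash = 0          # the counter at [EBP-4]

    def lodsb() -> int:
        nonlocal esi
        b = buf[esi]         # IndexError once the scan leaves the buffer
        esi += 1
        return b

    try:
        # 004091E1: count characters up to the first '-'
        while True:
            al = lodsb()
            if al == DASH:
                break
            if al > NINE:            # only an upper bound: any byte <= '9' passes
                return False         # 00409213
            before_dash += 1
            ecx = (ecx - 1) & 0xFFFFFFFF
            if ecx == 0:
                return False         # 004091F0: length used up, no '-' seen
        if before_dash != 10:        # 00409201: the '-' must be the 11th character
            return False
        # 00409207: scan up to the second '-'; an empty span is fine
        while True:
            al = lodsb()
            if al == DASH:
                break
            if al > NINE:
                return False
            ecx = (ecx - 1) & 0xFFFFFFFF
            if ecx == 0:
                return False         # 00409213: length used up, no second '-'
        # 00409224: after the second '-', anything <= '9' until the NUL
        while True:
            al = lodsb()
            if al == 0:
                return True          # 00409230: flag = 1
            if al > NINE:
                return False
            ecx = (ecx - 1) & 0xFFFFFFFF
            if ecx == 0:
                return True          # 0040922E falls through into 00409230
    except IndexError:
        # Empty input: ECX starts at 0, DEC wraps it to FFFFFFFF and the first
        # loop walks off the end of the buffer. Treated as a failure here.
        return False


if __name__ == "__main__":
    samples = (
        "1234567890-1123-0000",   # the author's example
        "1234567890-1123",        # no second '-'
        "123456789-01123-0000",   # '-' in position 10
        "1234567890--",           # nothing between the dashes
        "12345678 0-1-2",         # a space passes the "not above '9'" test
        "1234567890-12A-3",       # 'A' is above '9'
    )
    for s in samples:
        print(f"{s!r:26} -> {check_order_id(s)}")
```

The sample inputs exercise the rules as the code enforces them, including two cases the prose summary glosses over: nothing at all is required between the two dashes, and the first loop only rejects bytes above '9', so a space or '!' among the first ten characters is accepted.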
================================================================================
Registration info:
Order ID:1234567890-1123-0000
Regcode :Z526WT491QN387B
----------------------------------------------------------------------------------------------
【Notes】
The bytes copied by the string moves at the start of that routine may differ from machine to machine, so decoding that fragment is the important part. Writing this up is really tiring: the crack took a little time, the write-up a lot more.
----------------------------------------------------------------------------------------------
【Disclaimer】 I'm just a rookie; having picked up a little insight, I'd like to share it :)
【Copyright】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!
----------------------------------------------------------------------------------------------
Written 2004-9-7 19:25:11