【Author】 你说呢? (Thanks to DFCG for the learning environment.)
【Software】 谁不想理财!
【Tools】 PEiD, OllyDbg
【Restriction】 60-day trial
【Platform】 Win9x/NT/2000/XP/XP SP2
【Summary】
Trying to learn a bit more assembly and build up the habit of thinking in disassembly.
----------------------------------------------------------------------------------------------
【Process】
1. Start the program, enter an arbitrary registration code and register. It reports "注册失败。请确认输入的注册码无误" (registration failed, please check that the code you entered is correct).
There's a lead here: a breakpoint on the message-box API family would probably catch it.
2. Run PEiD: no packer lying in ambush, it reports Microsoft Visual C++ 6.0. The crypto-signature scanner plugin turns up nothing known, which saves a step. Thanks to the confident author (I certainly couldn't crack his psychological defences ^_^).
3. Start OllyDbg and open the executable. Plugins - Ultra String Reference lists plenty of Chinese strings (much easier on the eyes than mojibake ^_^). One of them reads "注册成功。谢谢你使用本软件。" (registration succeeded, thank you for using this software). Double-click it and we land here:
0043EBF6 . 8B7D DC MOV EDI,DWORD PTR SS:[EBP-24]
0043EBF9 . 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
0043EBFC . 6A 40 PUSH 40
0043EBFE . 68 888D4500 PUSH FamFinan.00458D88 ; 谁不想理财!
0043EC03 . 68 30A34500 PUSH FamFinan.0045A330 ; 注册成功。谢谢你使用本软件。
0043EC08 . C687 E4000000>MOV BYTE PTR DS:[EDI+E4],1
0043EC0F . C687 D0000000>MOV BYTE PTR DS:[EDI+D0],1
0043EC16 . E8 173B0000 CALL <JMP.&MFC42.#4224_?MessageBoxA@CWnd>
0043EC1B . 8D85 40FAFFFF LEA EAX,DWORD PTR SS:[EBP-5C0]
0043EC21 . 68 FF000000 PUSH 0FF ; /BufSize = FF (255.)
0043EC26 . 50 PUSH EAX ; |Buffer
0043EC27 . FF15 CCA14400 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
To understand the algorithm, scroll straight up to the start of the routine:
0043E760 $ 55 PUSH EBP ; (initial cpu selection)
0043E761 . 8BEC MOV EBP,ESP
0043E763 . 6A FF PUSH -1
0043E765 . 68 739C4400 PUSH FamFinan.00449C73 ; SE handler installation
0043E76A . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0043E770 . 50 PUSH EAX
0043E771 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0043E778 . 81EC B4050000 SUB ESP,5B4
0043E77E . 53 PUSH EBX
0043E77F . 56 PUSH ESI
0043E780 . 57 PUSH EDI
0043E781 . 8BF9 MOV EDI,ECX
0043E783 . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
0043E786 . 897D D4 MOV DWORD PTR SS:[EBP-2C],EDI
0043E789 . 8B87 AC040000 MOV EAX,DWORD PTR DS:[EDI+4AC] ; registration code address into EAX
0043E78F . 8B40 F8 MOV EAX,DWORD PTR DS:[EAX-8] ; registration code length into EAX
0043E792 . 85C0 TEST EAX,EAX
0043E794 . 0F84 08060000 JE FamFinan.0043EDA2 ; jump away if it is empty
0043E79A . E8 DF3E0000 CALL <JMP.&MFC42.#1168_?AfxGetModuleStat>
0043E79F . 8B70 04 MOV ESI,DWORD PTR DS:[EAX+4]
0043E7A2 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0043E7A5 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
0043E7A8 . E8 E1400000 CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
0043E7AD . 8D86 E8000000 LEA EAX,DWORD PTR DS:[ESI+E8]
0043E7B3 . 68 708D4500 PUSH FamFinan.00458D70 ; opens \famfinan.bik below
0043E7B8 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0043E7BB . 50 PUSH EAX
0043E7BC . 51 PUSH ECX
0043E7BD . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0043E7C4 . E8 553E0000 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
0043E7C9 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
..... (in between it checks the name string and the version number stored in the file)
0043E969 . 8B97 AC040000 MOV EDX,DWORD PTR DS:[EDI+4AC] ; registration code address into EDX
0043E96F . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0043E972 . 8DB7 AC040000 LEA ESI,DWORD PTR DS:[EDI+4AC]
0043E978 . 8B4A F8 MOV ECX,DWORD PTR DS:[EDX-8] ; registration code length into ECX
0043E97B . 3BC1 CMP EAX,ECX
0043E97D . 74 0E JE SHORT FamFinan.0043E98D ; compare with 23 (the length); jump if equal
0043E97F . 66:C787 B2040>MOV WORD PTR DS:[EDI+4B2],2
0043E988 . E9 F6030000 JMP FamFinan.0043ED83
0043E98D > 83C0 10 ADD EAX,10 ; add 0x10
0043E990 . 99 CDQ ; sign-extend EAX into EDX:EAX
0043E991 . 83E2 0F AND EDX,0F ; EDX AND 0F
0043E994 . 03C2 ADD EAX,EDX ; EAX += EDX
0043E996 . C1F8 04 SAR EAX,4 ; arithmetic shift right by 4
0043E999 . 8BD8 MOV EBX,EAX ; copy to EBX
0043E99B . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0043E99E . C1E3 04 SHL EBX,4 ; shift EBX left by 4
0043E9A1 . 53 PUSH EBX ; push
0043E9A2 . E8 653C0000 CALL <JMP.&MFC42.#823_??2@YAPAXI@Z>
0043E9A7 . 53 PUSH EBX ; push again
0043E9A8 . 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0043E9AB . E8 5C3C0000 CALL <JMP.&MFC42.#823_??2@YAPAXI@Z>
0043E9B0 . 8BF8 MOV EDI,EAX
0043E9B2 . 53 PUSH EBX
0043E9B3 . 897D D8 MOV DWORD PTR SS:[EBP-28],EDI
0043E9B6 . E8 513C0000 CALL <JMP.&MFC42.#823_??2@YAPAXI@Z>
0043E9BB . 83C4 0C ADD ESP,0C ; stack pointer += 12
0043E9BE . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
0043E9C1 . 85DB TEST EBX,EBX
0043E9C3 . 7E 12 JLE SHORT FamFinan.0043E9D7 ; jump if less than or equal
0043E9C5 . 8BCB MOV ECX,EBX ; ECX=20
0043E9C7 . 33C0 XOR EAX,EAX
0043E9C9 . 8BD1 MOV EDX,ECX ; EDX=20
0043E9CB . C1E9 02 SHR ECX,2 ; shift right by 2
0043E9CE . F3:AB REP STOS DWORD PTR ES:[EDI]
0043E9D0 . 8BCA MOV ECX,EDX
0043E9D2 . 83E1 03 AND ECX,3 ; AND 3
0043E9D5 . F3:AA REP STOS BYTE PTR ES:[EDI]
0043E9D7 > 8B3E MOV EDI,DWORD PTR DS:[ESI] ; registration code address into EDI
0043E9D9 . 83C9 FF OR ECX,FFFFFFFF ; OR
0043E9DC . 33C0 XOR EAX,EAX
0043E9DE . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0043E9E0 . F7D1 NOT ECX ; NOT
0043E9E2 . 2BF9 SUB EDI,ECX ; subtract
0043E9E4 . 8BC1 MOV EAX,ECX
0043E9E6 . 8BF7 MOV ESI,EDI
0043E9E8 . 8B7D D8 MOV EDI,DWORD PTR SS:[EBP-28]
0043E9EB . C1E9 02 SHR ECX,2 ; shift right by 2
0043E9EE . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; repeat dword copy
0043E9F0 . 8BC8 MOV ECX,EAX
0043E9F2 . 83E1 03 AND ECX,3 ; AND 3
0043E9F5 . 33C0 XOR EAX,EAX
0043E9F7 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; repeat byte copy
0043E9F9 . C785 C0FEFFFF>MOV DWORD PTR SS:[EBP-140],FamFinan.0044>
0043EA03 > 888405 40FEFF>MOV BYTE PTR SS:[EBP+EAX-1C0],AL
0043EA0A . 40 INC EAX ; increment
0043EA0B . 3D 80000000 CMP EAX,80 ; copy over the 0x80 common characters (0 through })
0043EA10 .^ 7C F1 JL SHORT FamFinan.0043EA03 ; repeat while below 80h
0043EA12 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0] ; start of the copied characters
0043EA18 . 68 80000000 PUSH 80 ; push
0043EA1D . 51 PUSH ECX ; push
0043EA1E . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0043EA24 . E8 37250000 CALL FamFinan.00440F60 ; ---- this one is special, let's step inside
0043EA29 . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0043EA2C . 85C0 TEST EAX,EAX
0043EA2E . 7E 27 JLE SHORT FamFinan.0043EA57
0043EA30 . 8B75 D8 MOV ESI,DWORD PTR SS:[EBP-28]
0043EA33 . 8B7D E0 MOV EDI,DWORD PTR SS:[EBP-20]
0043EA36 . 2BFE SUB EDI,ESI
0043EA38 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0043EA3B > 8D1437 LEA EDX,DWORD PTR DS:[EDI+ESI]
0043EA3E . 8D8D C0FEFFFF LEA ECX,DWORD PTR SS:[EBP-140]
0043EA44 . 52 PUSH EDX ; /Arg2
0043EA45 . 56 PUSH ESI ; |Arg1
0043EA46 . E8 95260000 CALL FamFinan.004410E0 ; \FamFinan.004410E0
0043EA4B . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0043EA4E . 83C6 10 ADD ESI,10
0043EA51 . 48 DEC EAX
0043EA52 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0043EA55 .^ 75 E4 JNZ SHORT FamFinan.0043EA3B
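As an added example (not code from the original post or from the program's author), here is a Python re-creation of the VC6 compiler idioms in the listing above: the CDQ/AND 0F/ADD/SAR 4 sequence (signed division by 16 rounding toward zero), the REPNE SCASB strlen, the REP STOS zero fill, the REP MOVS copy in dwords plus tail bytes, and the loop that builds the 0x80-byte character table. It lets the values noted above (a 23-character code, buffer size 0x20, two 16-byte blocks) be checked on a constructed sample code; the transform at 00440F60 / 004410E0 is not reproduced.

```python
# Added example, not code from the original post: Python re-creation of the
# compiler idioms at 0043E98D-0043EA10.  The registration code used as input
# is a constructed sample; the routine at 00440F60 is not modelled here.

MASK32 = 0xFFFFFFFF


def to_signed32(x):
    """Interpret a 32-bit register value as a signed integer."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def round_up_to_16(length):
    """0043E98D-0043E99E: ADD EAX,10 / CDQ / AND EDX,0F / ADD EAX,EDX /
    SAR EAX,4 / MOV EBX,EAX / SHL EBX,4.
    CDQ, AND 0F, ADD, SAR 4 is how VC6 divides a signed value by 16 rounding
    toward zero (the AND 0F bias only matters for negative values); SHL 4
    multiplies back.  Returns (block_count, buffer_size), i.e. the values
    left in [EBP-18] and EBX."""
    eax = (length + 0x10) & MASK32
    edx = MASK32 if to_signed32(eax) < 0 else 0   # CDQ: sign of EAX fills EDX
    edx &= 0x0F                                    # AND EDX,0F
    eax = (eax + edx) & MASK32                     # ADD EAX,EDX
    blocks = to_signed32(eax) >> 4                 # SAR EAX,4 (arithmetic)
    return blocks, (blocks << 4) & MASK32          # SHL EBX,4


def scasb_strlen(mem, edi):
    """0043E9D9-0043E9E4: OR ECX,-1 / XOR EAX,EAX / REPNE SCASB / NOT ECX /
    SUB EDI,ECX.  REPNE SCASB counts ECX down past each byte until the NUL,
    NOT ECX turns that into strlen+1, and SUB EDI,ECX rewinds EDI to the
    start of the string.  Returns (ECX, EDI) = (strlen + 1, start)."""
    ecx = MASK32
    while ecx != 0:
        ecx = (ecx - 1) & MASK32
        byte = mem[edi]
        edi += 1
        if byte == 0:                              # REPNE stops after the match
            break
    ecx = ~ecx & MASK32                            # bytes scanned, NUL included
    edi -= ecx                                     # back to the string start
    return ecx, edi


def rep_stos_zero(mem, edi, count):
    """0043E9C5-0043E9D5 with EAX = 0: SHR ECX,2 / REP STOSD / AND ECX,3 /
    REP STOSB, i.e. memset(dst, 0, count) in dwords then 0-3 tail bytes."""
    for i in range(count):                         # same result as both loops
        mem[edi + i] = 0


def rep_movs(src_mem, esi, dst_mem, edi, count):
    """0043E9E8-0043E9F7: SHR ECX,2 / REP MOVSD / AND ECX,3 / REP MOVSB,
    i.e. memcpy(dst, src, count) as whole dwords followed by 0-3 bytes."""
    dwords, tail = count >> 2, count & 3
    for i in range(dwords):
        dst_mem[edi + 4 * i:edi + 4 * i + 4] = src_mem[esi + 4 * i:esi + 4 * i + 4]
    base = dwords * 4
    for i in range(tail):
        dst_mem[edi + base + i] = src_mem[esi + base + i]


def build_char_table():
    """0043EA03-0043EA10: MOV BYTE PTR [EBP+EAX-1C0],AL / INC EAX /
    CMP EAX,80 / JL: a 0x80-byte table whose entry i holds the byte value i.
    Together with the length 0x80 it is what gets pushed for 00440F60."""
    return bytes(i & 0xFF for i in range(0x80))


def prepare_key_buffer(code):
    """The caller's steps from 0043E98D to 0043E9F7 on a registration code
    given as bytes: size the buffers, zero one of them, then copy the
    NUL-terminated code into it.  Returns (block_count, size, contents)."""
    blocks, size = round_up_to_16(len(code))
    cstring = bytearray(code + b"\x00")            # the CString's character data
    buffer = bytearray(size)                       # what operator new returned
    rep_stos_zero(buffer, 0, size)
    length_plus_nul, start = scasb_strlen(cstring, 0)
    rep_movs(cstring, start, buffer, 0, length_plus_nul)
    return blocks, size, bytes(buffer)


if __name__ == "__main__":
    sample = b"ABCDEFGHIJKLMNOPQRSTUVW"              # constructed 23-byte code
    print(prepare_key_buffer(sample))              # (2, 32, b'ABC...W' + 9 NULs)
    print(build_char_table()[:8])
```

With a 23-byte code the division idiom yields (23 + 16) >> 4 = 2 blocks and three 32-byte allocations, which is why the loop at 0043EA3B runs twice and steps ESI by 0x10 each time: the code is processed in 16-byte blocks.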
CALL FamFinan.00440F60 : --- this one lost me.
00440F60 /$ 53 PUSH EBX
00440F61 |. 8BD9 MOV EBX,ECX
00440F63 |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00440F67 |. C1E9 05 SHR ECX,5 ; shift right by 5
00440F6A |. 83F9 04 CMP ECX,4
00440F6D |. 0F82 62010000 JB FamFinan.004410D5 ; jump if below
00440F73 |. 83F9 0E CMP ECX,0E ; jump if above
00440F76 |. 0F87 59010000 JA FamFinan.004410D5
00440F7C |. 55 PUSH EBP ; base pointer
00440F7D |. 56 PUSH ESI ; source index
00440F7E |. 85C9 TEST ECX,ECX
00440F80 |. 57 PUSH EDI ; destination index
00440F81 |. 76 18 JBE SHORT FamFinan.00440F9B
00440F83 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
00440F87 |. B8 74AF4500 MOV EAX,FamFinan.0045AF74
00440F8C |. 2BD0 SUB EDX,EAX
00440F8E |. 8BF1 MOV ESI,ECX
00440F90 |> 8B3C02 /MOV EDI,DWORD PTR DS:[EDX+EAX] ; load the dword at the combined address into EDI
00440F93 |. 8938 |MOV DWORD PTR DS:[EAX],EDI
00440F95 |. 83C0 04 |ADD EAX,4
00440F98 |. 4E |DEC ESI
00440F99 |.^ 75 F5 \JNZ SHORT FamFinan.00440F90
00440F9B |> 8D41 01 LEA EAX,DWORD PTR DS:[ECX+1]
00440F9E |. 890C8D 74AF45>MOV DWORD PTR DS:[ECX*4+45AF74],ECX
00440FA5 |. 83F8 0F CMP EAX,0F
00440FA8 |. 73 12 JNB SHORT FamFinan.00440FBC
00440FAA |. B9 0F000000 MOV ECX,0F
00440FAF |. 8D3C85 74AF45>LEA EDI,DWORD PTR DS:[EAX*4+45AF74]
00440FB6 |. 2BC8 SUB ECX,EAX
00440FB8 |. 33C0 XOR EAX,EAX
00440FBA |. F3:AB REP STOS DWORD PTR ES:[EDI]
00440FBC |> 33D2 XOR EDX,EDX
00440FBE |. 8D4B 04 LEA ECX,DWORD PTR DS:[EBX+4]
00440FC1 |> 33C0 /XOR EAX,EAX
00440FC3 |> 8BB0 40AD4500 |/MOV ESI,DWORD PTR DS:[EAX+45AD40] ; 0D into ESI (source index)
00440FC9 |. 8BB8 7CAD4500 ||MOV EDI,DWORD PTR DS:[EAX+45AD7C] ; 08 into EDI (destination index)
00440FCF |. 8B34B5 74AF45>||MOV ESI,DWORD PTR DS:[ESI*4+45AF74]
00440FD6 |. 8B2CBD 74AF45>||MOV EBP,DWORD PTR DS:[EDI*4+45AF74]
00440FDD |. 33F5 ||XOR ESI,EBP
00440FDF |. 8BA8 74AF4500 ||MOV EBP,DWORD PTR DS:[EAX+45AF74]
00440FE5 |. C1C6 03 ||ROL ESI,3 ; rotate left by 3
00440FE8 |. 8D3C10 ||LEA EDI,DWORD PTR DS:[EAX+EDX]
00440FEB |. 83C0 04 ||ADD EAX,4
00440FEE |. 33F7 ||XOR ESI,EDI
00440FF0 |. 33EE ||XOR EBP,ESI ; XOR
00440FF2 |. 83F8 3C ||CMP EAX,3C
00440FF5 |. 89A8 70AF4500 ||MOV DWORD PTR DS:[EAX+45AF70],EBP
00440FFB |.^ 7C C6 |\JL SHORT FamFinan.00440FC3
00440FFD |. BE 04000000 |MOV ESI,4
00441002 |> 33C0 |/XOR EAX,EAX
00441004 |> 8BB8 04AD4500 ||/MOV EDI,DWORD PTR DS:[EAX+45AD04]
0044100A |. 8BA8 74AF4500 |||MOV EBP,DWORD PTR DS:[EAX+45AF74]
00441010 |. 83C0 04 |||ADD EAX,4
00441013 |. 8B3CBD 74AF45>|||MOV EDI,DWORD PTR DS:[EDI*4+45AF74]
0044101A |. 81E7 FF010000 |||AND EDI,1FF
00441020 |. 8B3CBD 04A545>|||MOV EDI,DWORD PTR DS:[EDI*4+45A504]
00441027 |. 03FD |||ADD EDI,EBP
00441029 |. C1C7 09 |||ROL EDI,9
0044102C |. 89B8 70AF4500 |||MOV DWORD PTR DS:[EAX+45AF70],EDI
00441032 |. 83F8 3C |||CMP EAX,3C
00441035 |.^ 7C CD ||\JL SHORT FamFinan.00441004
00441037 |. 4E ||DEC ESI
00441038 |.^ 75 C8 |\JNZ SHORT FamFinan.00441002
0044103A |. B8 B8AD4500 |MOV EAX,FamFinan.0045ADB8
0044103F |> 8B30 |/MOV ESI,DWORD PTR DS:[EAX]
00441041 |. 83C0 04 ||ADD EAX,4
00441044 |. 83C1 04 ||ADD ECX,4
00441047 |. 3D E0AD4500 ||CMP EAX,FamFinan.0045ADE0
0044104C |. 8B34B5 74AF45>||MOV ESI,DWORD PTR DS:[ESI*4+45AF74]
00441053 |. 8971 FC ||MOV DWORD PTR DS:[ECX-4],ESI
00441056 |.^ 7C E7 |\JL SHORT FamFinan.0044103F
00441058 |. 42 |INC EDX
00441059 |. 83FA 04 |CMP EDX,4
0044105C |.^ 0F82 5FFFFFFF \JB FamFinan.00440FC1
00441062 |. 8D73 18 LEA ESI,DWORD PTR DS:[EBX+18]
00441065 |. BF 10000000 MOV EDI,10
0044106A |> 8B0E /MOV ECX,DWORD PTR DS:[ESI]
0044106C |. 8BD1 |MOV EDX,ECX
0044106E |. 83CA 03 |OR EDX,3
00441071 |. 8BC2 |MOV EAX,EDX
00441073 |. 8BDA |MOV EBX,EDX
00441075 |. F7D0 |NOT EAX
00441077 |. 25 FFFFFF7F |AND EAX,7FFFFFFF
0044107C |. D1EB |SHR EBX,1
0044107E |. 33C3 |XOR EAX,EBX
00441080 |. 8BD8 |MOV EBX,EAX
00441082 |. 8BE8 |MOV EBP,EAX
00441084 |. C1EB 02 |SHR EBX,2
00441087 |. D1ED |SHR EBP,1
00441089 |. 23DD |AND EBX,EBP
0044108B |. 23C3 |AND EAX,EBX
0044108D |. 8BD8 |MOV EBX,EAX
0044108F |. 8BE8 |MOV EBP,EAX
00441091 |. C1EB 06 |SHR EBX,6
00441094 |. C1ED 03 |SHR EBP,3
00441097 |. 23DD |AND EBX,EBP
00441099 |. 23C3 |AND EAX,EBX
0044109B |. 74 2D |JE SHORT FamFinan.004410CA
0044109D |. D1E0 |SHL EAX,1
0044109F |. 83E1 03 |AND ECX,3
004410A2 |. 8D1C00 |LEA EBX,DWORD PTR DS:[EAX+EAX]
004410A5 |. 0BC3 |OR EAX,EBX
004410A7 |. 8D1C85 000000>|LEA EBX,DWORD PTR DS:[EAX*4]
004410AE |. 0BC3 |OR EAX,EBX
004410B0 |. 8B1C8D F4AD45>|MOV EBX,DWORD PTR DS:[ECX*4+45ADF4]
004410B7 |. 8B4E FC |MOV ECX,DWORD PTR DS:[ESI-4]
004410BA |. D3C3 |ROL EBX,CL
004410BC |. 8BC8 |MOV ECX,EAX
004410BE |. C1E1 04 |SHL ECX,4
004410C1 |. 0BC8 |OR ECX,EAX
004410C3 |. 23D9 |AND EBX,ECX
004410C5 |. 83E3 FC |AND EBX,FFFFFFFC
004410C8 |. 33D3 |XOR EDX,EBX
004410CA |> 8916 |MOV DWORD PTR DS:[ESI],EDX
004410CC |. 83C6 08 |ADD ESI,8
004410CF |. 4F |DEC EDI
004410D0 |.^ 75 98 \JNZ SHORT FamFinan.0044106A
004410D2 |. 5F POP EDI
004410D3 |. 5E POP ESI
004410D4 |. 5D POP EBP
004410D5 |> 5B POP EBX
004410D6 \. C2 0800 RETN 8
Back in the caller, after the block loop:
0043EA68 . C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0043EA6F . 7E 27 JLE SHORT FamFinan.0043EA98
0043EA71 > 8B7D EC MOV EDI,DWORD PTR SS:[EBP-14] ; (initial cpu selection)
0043EA74 . 53 PUSH EBX
0043EA75 . 57 PUSH EDI
0043EA76 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0043EA79 . E8 F83D0000 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEI>
0043EA7E . 8B4D BC MOV ECX,DWORD PTR SS:[EBP-44]
0043EA81 . 8B75 E0 MOV ESI,DWORD PTR SS:[EBP-20]
0043EA84 . 33D2 XOR EDX,EDX
0043EA86 . F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>; this should be the table lookup; I haven't worked it out yet
0043EA88 74 28 JE SHORT FamFinan.0043EAB2 ; patching this jump makes it report success, but the time limit remains
0043EA8A . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0043EA8D . 8B4D B8 MOV ECX,DWORD PTR SS:[EBP-48]
0043EA90 . 40 INC EAX
0043EA91 . 3BC1 CMP EAX,ECX
0043EA93 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0043EA96 .^ 7C D9 JL SHORT FamFinan.0043EA71
0043EA98 > 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
0043EA9B . 6A 00 PUSH 0
0043EA9D . 6A 01 PUSH 1
0043EA9F . 6A 02 PUSH 2
0043EAA1 . 66:C780 B2040>MOV WORD PTR DS:[EAX+4B2],2
0043EAAA . 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
0043EAAD . E9 DA020000 JMP FamFinan.0043ED8C
0043EAB2 > 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0043EAB5 . 51 PUSH ECX
0043EAB6 . E8 2D3B0000 CALL <JMP.&MFC42.#825_??3@YAXPAX@Z>
----------------------------------------------------------------------------------------------
【Notes】
I had meant to fully work this program out and write it up properly before posting, but my algorithm skills aren't up to it, and with family work to help with before the New Year I'm posting it in a hurry. I hope someone who understands it can give some pointers.
----------------------------------------------------------------------------------------------
【Disclaimer】 I'm just a newbie who picked up a little insight and wants to share it :)
【Copyright】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
----------------------------------------------------------------------------------------------
Written 2006-01-16 11:55:07