Crack analysis of 我的工具箱 (MyToolBox) V2.103
Author: lchhome
Step 1: PEiD identifies the packer as ASPack 2.1 -> Alexey Solodovnikov.
Unpacking:
Load the program in OllyDbg (OD). It stops at the packer's entry point:
<ModuleEn> 60 PUSHAD   stops here
0050B002 E8 72050000 CALL MyToolBo.0050B579
0050B007 EB 33 JMP SHORT MyToolBo.0050B03C
Press Ctrl+F, search for "Popad"; the first hit is here:
0050B337 61 POPAD
0050B338 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
Press F3 to keep searching until you find the following:
0050B4F3 61 POPAD   press F4 to run to here, then F8 to step down
0050B4F4 75 08 JNZ SHORT MyToolBo.0050B4FE
0050B4F6 B8 01000000 MOV EAX,1
0050B4FB C2 0C00 RETN 0C
0050B4FE 68 D8324B00 PUSH MyToolBo.004B32D8   004B32D8 is the OEP address (the RETN below transfers control to it)
0050B503 C3 RETN
Dump the process with the OD dump plugin (at the OEP), then rebuild the import table with ImportREC.
Step 2: load the unpacked program in OD. It stops at the OEP:
<ModuleEn>/$ 55 PUSH EBP
004B32D9 |. 8BEC MOV EBP,ESP
004B32DB |. B9 05000000 MOV ECX,5
004B32E0 |> 6A 00 /PUSH 0
004B32E2 |. 6A 00 |PUSH 0
004B32E4 |. 49 |DEC ECX
004B32E5 |.^ 75 F9 \JNZ SHORT dumped_.004B32E0
004B32E7 |. 53 PUSH EBX
In the command line, type "BP CreateFileA", press Enter, then F9 to run. It breaks here:
CreateFil> 8BFF MOV EDI,EDI
7C801A26 55 PUSH EBP
7C801A27 8BEC MOV EBP,ESP
7C801A29 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801A2C E8 73C80000 CALL kernel32.7C80E2A4
7C801A31 85C0 TEST EAX,EAX
Look at the stack window:
0013FCA0 00409146 /CALL to CreateFileA from dumped_.00409141
0013FCA4 00EC6128 |FileName = "D:\Program Files\MyToolBox\AppLists.zif"
0013FCA8 80000000 |Access = GENERIC_READ
0013FCAC 00000001 |ShareMode = FILE_SHARE_READ
0013FCB0 00000000 |pSecurity = NULL
Keep pressing F9 until the following:
CreateFil> 8BFF MOV EDI,EDI
7C801A26 55 PUSH EBP
7C801A27 8BEC MOV EBP,ESP
7C801A29 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801A2C E8 73C80000 CALL kernel32.7C80E2A4
Look at the stack window:
0013F7B0 00E82865 /CALL to CreateFileA from SYS_Serv.00E82860
0013F7B4 0013F858 |FileName = "C:\WINDOWS\SYS_Server2006Key.log"
0013F7B8 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
The program window appears. Click Register, enter a fake code, click OK: no break. That is fine. Note that the program has a restriction: clicking the first three tabs never brings up the registration dialog, and we want it to appear, so click the fourth tab. Now it breaks, as follows:
CreateFil> 8BFF MOV EDI,EDI
7C801A26 55 PUSH EBP
7C801A27 8BEC MOV EBP,ESP
Look at the stack window:
0013EF88 004838E9 /CALL to CreateFileA from dumped_.004838E4   note this one
0013EF8C 00483A80 |FileName = "\\.\PhysicalDrive0"
0013EF90 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
Opening "\\.\PhysicalDrive0" with GENERIC_READ|GENERIC_WRITE is raw access to the first physical disk; on NT-based Windows that requires administrator rights, and it is where the program fetches the disk serial that the machine code is built from. Right-click the return address and choose "Follow in Disassembler", which brings us to:
004838E9 . 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
004838EF . 83BD BCFDFFFF>CMP DWORD PTR SS:[EBP-244],-1
004838F6 . 0F84 48010000 JE dumped_.00483A44
004838FC . 33D2 XOR EDX,EDX
Press F8 to step down until:
004839F7 . E8 980EF8FF CALL dumped_.00404894
004839FC . 8D95 B0FDFFFF LEA EDX,DWORD PTR SS:[EBP-250]
00483A02 . 8B85 C0FDFFFF MOV EAX,DWORD PTR SS:[EBP-240]
00483A08 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00483A0A . E8 B153F8FF CALL dumped_.00408DC0
00483A0F . 8B95 B0FDFFFF MOV EDX,DWORD PTR SS:[EBP-250]   your hard disk serial number appears here; mine is "VNVC32G3DY96NT"
00483A15 . 8B85 C0FDFFFF MOV EAX,DWORD PTR SS:[EBP-240]
00483A1B . E8 D80DF8FF CALL dumped_.004047F8
00483A20 . 8B85 C0FDFFFF MOV EAX,DWORD PTR SS:[EBP-240]
00483A26 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00483A28 . BA B03A4800 MOV EDX,dumped_.00483AB0
Keep stepping until:
00483B45 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00483B48 |. E8 779FFBFF CALL dumped_.0043DAC4
00483B4D |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]   the first seven characters of the disk serial, "VNVC32G"
00483B50 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00483B53 |. BA AC3B4800 MOV EDX,dumped_.00483BAC
00483B58 |. E8 4B0FF8FF CALL dumped_.00404AA8
00483B5D |> 8BC6 MOV EAX,ESI
00483B5F |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]   here it has been padded to "1VNVC32G": the call at 00483B58 appears to concatenate the literal at 00483BAC in front of the seven serial characters. Look: that is exactly my machine code. Almost there; keep stepping with F8 until:
004AB160 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004AB163 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004AB166 . 8B92 50050000 MOV EDX,DWORD PTR DS:[EDX+550]
004AB16C . E8 3F8AFDFF CALL dumped_.00483BB0   F8 to here
004AB171 . 85C0 TEST EAX,EAX
004AB173 . 0F85 BE000000 JNZ dumped_.004AB237
004AB179 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
Look at the register window:
EAX 00ED1FE8 ASCII "1VNVC32G"   machine code
ECX 00000001
EDX 00ECCA64 ASCII "BHHGI67890123456"   my fake code
EBX 00EC4C04
So the CALL at 004AB16C, entered with the machine code in EAX and my code in EDX, must be where the trick is. Press F7 to step into it:
00483BB0 /$ 55 PUSH EBP   we land here
00483BB1 |. 8BEC MOV EBP,ESP
00483BB3 |. 83C4 F0 ADD ESP,-10
00483BB6 |. 53 PUSH EBX
00483BB7 |. 56 PUSH ESI
00483BB8 |. 57 PUSH EDI
00483BB9 |. 33C9 XOR ECX,ECX
00483BBB |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
00483BBE |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00483BC1 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00483BC4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]   the machine code
00483BC7 |. E8 7810F8FF CALL dumped_.00404C44
00483BCC |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]   my fake code
00483BCF |. E8 7010F8FF CALL dumped_.00404C44
00483BD4 |. 33C0 XOR EAX,EAX
00483BD6 |. 55 PUSH EBP
00483BD7 |. 68 AF3F4800 PUSH dumped_.00483FAF
00483BDC |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00483BDF |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00483BE2 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00483BE5 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00483BE8 |. E8 4F0CF8FF CALL dumped_.0040483C
00483BED |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00483BF0 |. E8 670EF8FF CALL dumped_.00404A5C
00483BF5 |. 8BD8 MOV EBX,EAX
00483BF7 |. 85DB TEST EBX,EBX
00483BF9 |. 0F9FC0 SETG AL
00483BFC |. F6D8 NEG AL
00483BFE |. 1BF6 SBB ESI,ESI
00483C00 |. 85F6 TEST ESI,ESI
00483C02 |. 74 10 JE SHORT dumped_.00483C14
00483C04 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00483C07 |. E8 500EF8FF CALL dumped_.00404A5C
00483C0C |. 8BD3 MOV EDX,EBX
00483C0E |. 03D2 ADD EDX,EDX
00483C10 |. 3BC2 CMP EAX,EDX   from the registers: EBX is the length of the machine code, EDX = 2*EBX, EAX is the length of my fake code. This checks that the entered code is twice as long as the machine code (2 x 8 = 16 characters)
00483C12 |. 74 04 JE SHORT dumped_.00483C18   if the lengths differ it is game over; this must jump
00483C14 |> 33C0 XOR EAX,EAX,
00483C16 |. EB 02 JMP SHORT dumped_.00483C1A
00483C18 |> B0 01 MOV AL,1
00483C1A |> F6D8 NEG AL
00483C1C |. 1BC0 SBB EAX,EAX
00483C1E |. 8BF0 MOV ESI,EAX
00483C20 |. 85F6 TEST ESI,ESI
00483C22 |. 0F84 6C030000 JE dumped_.00483F94
00483C28 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00483C2B |. 8A00 MOV AL,BYTE PTR DS:[EAX]
00483C2D |. B9 01000000 MOV ECX,1
00483C32 |. 3C 31 CMP AL,31   compares the first character of your registration code with '1' (0x31); mine is 'B', so it jumps past this block and keeps jumping until
00483C34 |. 75 7A JNZ SHORT dumped_.00483CB0
00483C36 |. 85DB TEST EBX,EBX
00483C38 |. 0F8E 56030000 JLE dumped_.00483F94
00483C3E |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00483C41 |. BF 01000000 MOV EDI,1
00483C46 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
00483C49 |. 8A5C38 FF |MOV BL,BYTE PTR DS:[EAX+EDI-1]
00483C4D |. 85F6 |TEST ESI,ESI
00483C4F |. 74 1B |JE SHORT dumped_.00483C6C
00483C51 |. 33C0 |XOR EAX,EAX
00483C53 |. 8AC3 |MOV AL,BL
00483C55 |. BE 0A000000 |MOV ESI,0A
00483C5A |. 33D2 |XOR EDX,EDX
00483C5C |. F7F6 |DIV ESI
00483C5E |. 83C0 3D |ADD EAX,3D
00483C61 |. 03C1 |ADD EAX,ECX
00483C63 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
00483C66 |. 3A440A FF |CMP AL,BYTE PTR DS:[EDX+ECX-1]
00483C6A |. 74 04 |JE SHORT dumped_.00483C70
00483C6C |> 33C0 |XOR EAX,EAX
00483C6E |. EB 02 |JMP SHORT dumped_.00483C72
00483C70 |> B0 01 |MOV AL,1
00483C72 |> F6D8 |NEG AL
00483C74 |. 1BC0 |SBB EAX,EAX
00483C76 |. 8BF0 |MOV ESI,EAX
00483C78 |. 41 |INC ECX
00483C79 |. 85F6 |TEST ESI,ESI
00483C7B |. 74 1B |JE SHORT dumped_.00483C98
00483C7D |. 33C0 |XOR EAX,EAX
00483C7F |. 8AC3 |MOV AL,BL
00483C81 |. BB 0A000000 |MOV EBX,0A
00483C86 |. 33D2 |XOR EDX,EDX
00483C88 |. F7F3 |DIV EBX
00483C8A |. 83C2 3D |ADD EDX,3D
00483C8D |. 03D1 |ADD EDX,ECX
00483C8F |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00483C92 |. 3A5408 FF |CMP DL,BYTE PTR DS:[EAX+ECX-1]
00483C96 |. 74 04 |JE SHORT dumped_.00483C9C
00483C98 |> 33C0 |XOR EAX,EAX
00483C9A |. EB 02 |JMP SHORT dumped_.00483C9E
00483C9C |> B0 01 |MOV AL,1
00483C9E |> F6D8 |NEG AL
00483CA0 |. 1BC0 |SBB EAX,EAX
00483CA2 |. 8BF0 |MOV ESI,EAX
00483CA4 |. 41 |INC ECX
00483CA5 |. 47 |INC EDI
00483CA6 |. FF4D F0 |DEC DWORD PTR SS:[EBP-10]
00483CA9 |.^ 75 9B \JNZ SHORT dumped_.00483C46
(a section omitted)
00483E2A |> \3C 40 CMP AL,40
00483E2C |. 76 7A JBE SHORT dumped_.00483EA8   jumps if AL <= 0x40; 'B' (0x42) is greater, so it does not jump and we continue down
00483E2E |. 85DB TEST EBX,EBX
00483E30 |. 0F8E 5E010000 JLE dumped_.00483F94
00483E36 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00483E39 |. BF 01000000 MOV EDI,1
00483E3E |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
00483E41 |. 8A5C38 FF |MOV BL,BYTE PTR DS:[EAX+EDI-1]   takes the machine code "1VNVC32G" one byte at a time; the first is '1' = 0x31
00483E45 |. 85F6 |TEST ESI,ESI
00483E47 |. 74 1B |JE SHORT dumped_.00483E64
00483E49 |. 33C0 |XOR EAX,EAX
00483E4B |. 8AC3 |MOV AL,BL
00483E4D |. BE 0A000000 |MOV ESI,0A   ESI = 0x0A
00483E52 |. 33D2 |XOR EDX,EDX
00483E54 |. F7F6 |DIV ESI   divide by 0x0A: quotient in EAX, remainder in EDX
00483E56 |. 83C2 41 |ADD EDX,41   remainder 9 + 0x41 = 0x4A
00483E59 |. 03D7 |ADD EDX,EDI   0x4A + EDI = 0x4B (EDI is 1 for the first machine-code byte and grows by 1 per byte)
00483E5B |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00483E5E |. 3A5408 FF |CMP DL,BYTE PTR DS:[EAX+ECX-1]   compares with byte ECX-1 of the registration code (the first byte here): it must be 0x4B, 'K'
00483E62 |. 74 04 |JE SHORT dumped_.00483E68   equal: go on; otherwise it's over!
00483E64 |> 33C0 |XOR EAX,EAX
00483E66 |. EB 02 |JMP SHORT dumped_.00483E6A
00483E68 |> B0 01 |MOV AL,1
00483E6A |> F6D8 |NEG AL
00483E6C |. 1BC0 |SBB EAX,EAX
00483E6E |. 8BF0 |MOV ESI,EAX
00483E70 |. 41 |INC ECX
00483E71 |. 85F6 |TEST ESI,ESI
00483E73 |. 74 1B |JE SHORT dumped_.00483E90
00483E75 |. 33C0 |XOR EAX,EAX
00483E77 |. 8AC3 |MOV AL,BL
00483E79 |. BB 0A000000 |MOV EBX,0A   EBX = 0x0A
00483E7E |. 33D2 |XOR EDX,EDX
00483E80 |. F7F3 |DIV EBX   ASCII value of the machine-code byte divided by 0x0A
00483E82 |. 83C0 41 |ADD EAX,41   EAX = quotient + 0x41
00483E85 |. 03C7 |ADD EAX,EDI   EAX = EAX + EDI (1 for the first byte, incremented each round)
00483E87 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
00483E8A |. 3A440A FF |CMP AL,BYTE PTR DS:[EDX+ECX-1]
00483E8E |. 74 04 |JE SHORT dumped_.00483E94   equal: go on; otherwise it's over!
00483E90 |> 33C0 |XOR EAX,EAX
00483E92 |. EB 02 |JMP SHORT dumped_.00483E96
00483E94 |> B0 01 |MOV AL,1
00483E96 |> F6D8 |NEG AL
00483E98 |. 1BC0 |SBB EAX,EAX
00483E9A |. 8BF0 |MOV ESI,EAX
00483E9C |. 41 |INC ECX
00483E9D |. 47 |INC EDI
00483E9E |. FF4D F0 |DEC DWORD PTR SS:[EBP-10]   loop until every byte of the machine code has been processed
00483EA1 |.^ 75 9B \JNZ SHORT dumped_.00483E3E
00483EA3 |. E9 EC000000 JMP dumped_.00483F94   after the loop, continue down
004AB16C . E8 3F8AFDFF CALL dumped_.00483BB0   back in the caller
004AB171 . 85C0 TEST EAX,EAX   after the computation it returns here and tests the result
004AB173 . 0F85 BE000000 JNZ dumped_.004AB237   if every byte matched, it jumps. OK, all done: the annoying registration dialog never appears again
Step 3: algorithm summary
Take my machine code "1VNVC32G" as an example. For each machine-code byte at 1-based position i, the code contains two letters: first (byte MOD 0x0A) + 0x41 + i, then (byte DIV 0x0A) + 0x41 + i.

Machine code        1    V    N    V    C    3    2    G
ASCII (hex)         31   56   4E   56   43   33   32   47
Position i          1    2    3    4    5    6    7    8
MOD 0A (remainder)  9    6    8    6    7    1    0    1
+41 +i              4B   49   4C   4B   4D   48   48   4A
Odd code letters    K    I    L    K    M    H    H    J
DIV 0A (quotient)   4    8    7    8    6    5    5    7
+41 +i              46   4B   4B   4D   4C   4C   4D   50
Even code letters   F    K    K    M    L    L    M    P

Putting it together (interleave the two rows: remainder letter, then quotient letter, for each machine-code byte):
My machine code: 1VNVC32G
Registration code: KFIKLKKMMLHLHMJP
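The algorithm above as working code. This is an added example, not code from the page or from MyToolBox: it reconstructs both branches visible in the listing of 00483BB0 (the letter branch at 00483E2A with offset 0x41, remainder first and the position taken from EDI; the '1' branch at 00483C32 with offset 0x3D, quotient first and the position taken from ECX). It assumes that the leading "1" of the machine code is a constant prefix (the page shows a literal being concatenated in front of the seven serial characters) and that any first character not handled by the two branches shown is rejected, since that code sits in the omitted part of the listing.

```python
# Added example: keygen and checker reconstructed from the listing of
# dumped_.00483BB0. Not the program's own code.
# Assumptions: the leading "1" of the machine code is a constant prefix, and
# first characters not covered by the two branches shown are rejected.


def machine_code_from_serial(serial: str) -> str:
    """"1" + the first seven characters of the disk serial
    (VNVC32G3DY96NT -> 1VNVC32G, as on the page)."""
    return "1" + serial[:7]


def keygen(machine_code: str) -> str:
    """Produce the 16-character code accepted by the branch at 00483E2A.

    For machine-code byte c at 1-based position i (EDI in the listing):
      first  output byte = (c mod 10) + 0x41 + i    (00483E54..00483E59)
      second output byte = (c div 10) + 0x41 + i    (00483E80..00483E85)
    """
    out = []
    for i, ch in enumerate(machine_code, start=1):
        c = ord(ch)
        out.append(chr(c % 10 + 0x41 + i))
        out.append(chr(c // 10 + 0x41 + i))
    return "".join(out)


def check(machine_code: str, code: str) -> bool:
    """Mirror of the visible control flow of 00483BB0 (True = accepted)."""
    mc = machine_code.encode("latin-1")
    rc = code.encode("latin-1")
    # 00483BF5..00483C12: Length(mc) > 0 and Length(code) = 2 * Length(mc).
    # The SETG/NEG/SBB sequences only turn a flag into 0/-1; ESI carries the
    # running "still valid" result through the whole function.
    if not mc or len(rc) != 2 * len(mc):
        return False
    if rc[0] == 0x31:
        # 00483C32 branch: offset 0x3D, quotient first, position = ECX,
        # i.e. the 1-based index into the entered code (not EDI).
        base, rem_first, use_code_index = 0x3D, False, True
    elif rc[0] > 0x40:
        # 00483E2A branch: offset 0x41, remainder first, position = EDI.
        base, rem_first, use_code_index = 0x41, True, False
    else:
        # Handled in the omitted part of the listing; rejected here (assumption).
        return False
    k = 0  # ECX - 1: index into the entered code
    for i, c in enumerate(mc, start=1):  # i == EDI
        parts = (c % 10, c // 10) if rem_first else (c // 10, c % 10)
        for part in parts:
            pos = (k + 1) if use_code_index else i
            if ((part + base + pos) & 0xFF) != rc[k]:  # CMP DL/AL, byte
                return False
            k += 1
    return True


if __name__ == "__main__":
    mc = machine_code_from_serial("VNVC32G3DY96NT")  # the page's serial
    print(mc, keygen(mc), check(mc, keygen(mc)))
```

Run as-is it prints the page's pair, 1VNVC32G and KFIKLKKMMLHLHMJP, and the checker accepts it while rejecting the fake code BHHGI67890123456. The keygen always starts its output with a byte of at least 0x42, so the code it produces is routed into the letter branch. One observation from the listed code: the '1' branch is entered only when the first code byte is 0x31, yet its first comparison demands mc[0] div 10 + 0x3D + 1, which is at least 0x41 for any printable machine-code byte, so as listed that branch cannot accept any code.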