运行环境:Winxp/vista/win7/2000/2003
更新时间:2011-11-10 8:30:43
破解工具: OD + PEID
软件大小:22701KB
人气指数:80
软件语言:英文
软件下载: http://www.onlinedown.net/soft/112561.htm
软件介绍: Extra Mug Shot Sticker 您和您的朋友使用您的摄像头捕捉和分享图片。
与SNAP,你可以方便快捷地拍摄快照,然后添加标签,语音气泡,和古怪有趣的内
部过滤器。
因为需要这么个软件,因此在网上找了一下。破解国产软件总是不好的。。高手飘过,如果能
指点一下就更好...
1.呵呵~~~~~~~~~~~~现在就开工。用PEID查一下这个软件用了什么算法,
好像是CRC32。
2.试注册一下,看有什么信息可以给我们,可以看到错误的提示!!!!!如
图
3.载入OD中查找错误提示的字符串。看是否可以找到,呵呵运气好像不错喔。
4.双击 Thank you for registering ! 就来到了
代码:
00436B40 . 81EC 88000000 sub esp,0x88 这是段首 00436B46 . A1 98FB5700 mov eax,dword ptr ds:[0x57FB98] 00436B4B . 33C4 xor eax,esp 00436B4D . 898424 840000>mov dword ptr ss:[esp+0x84],eax 00436B54 . 56 push esi 00436B55 . 57 push edi 00436B56 . 8BF1 mov esi,ecx 00436B58 . 68 80000000 push 0x80 00436B5D . 8D4424 10 lea eax,dword ptr ss:[esp+0x10] 00436B61 . 8DBE 50050000 lea edi,dword ptr ds:[esi+0x550] 00436B67 . 50 push eax 00436B68 . 8BCF mov ecx,edi 00436B6A . E8 D5640500 call <jmp.&MFC80.#3760> 00436B6F . 8D4424 0C lea eax,dword ptr ss:[esp+0xC] 00436B73 . 8D50 01 lea edx,dword ptr ds:[eax+0x1] 00436B76 > 8A08 mov cl,byte ptr ds:[eax] 00436B78 . 83C0 01 add eax,0x1 00436B7B . 84C9 test cl,cl 00436B7D .^ 75 F7 jnz XExtraMug.00436B76 00436B7F . 2BC2 sub eax,edx 00436B81 . 75 12 jnz XExtraMug.00436B95 00436B83 . 56 push esi 00436B84 . 6A 10 push 0x10 00436B86 . 68 3C385400 push ExtraMug.0054383C ; error 00436B8B . 68 14385400 push ExtraMug.00543814 ; The user name could not be blank! 00436B90 . E9 D7000000 jmp ExtraMug.00436C6C 00436B95 > 68 80000000 push 0x80 00436B9A . 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] 00436B9E . 51 push ecx 00436B9F . 8D8E A4050000 lea ecx,dword ptr ds:[esi+0x5A4] 00436BA5 . E8 9A640500 call <jmp.&MFC80.#3760> 00436BAA . 8D4424 0C lea eax,dword ptr ss:[esp+0xC] 00436BAE . 8D50 01 lea edx,dword ptr ds:[eax+0x1] 00436BB1 > 8A08 mov cl,byte ptr ds:[eax] 00436BB3 . 83C0 01 add eax,0x1 00436BB6 . 84C9 test cl,cl 00436BB8 .^ 75 F7 jnz XExtraMug.00436BB1 00436BBA . 2BC2 sub eax,edx 00436BBC . 75 12 jnz XExtraMug.00436BD0 00436BBE . 56 push esi 00436BBF . 6A 10 push 0x10 00436BC1 . 68 3C385400 push ExtraMug.0054383C ; error 00436BC6 . 68 E4375400 push ExtraMug.005437E4 ; The registration code could not be blank! 00436BCB . E9 9C000000 jmp ExtraMug.00436C6C 00436BD0 > A1 AC545800 mov eax,dword ptr ds:[0x5854AC] 00436BD5 . 8B0D 20395800 mov ecx,dword ptr ds:[0x583920] 00436BDB . 8D5424 0C lea edx,dword ptr ss:[esp+0xC] 00436BDF . 
52 push edx 00436BE0 . 68 B0245400 push ExtraMug.005424B0 ; 压入字符串 RegCode 00436BE5 . 50 push eax ;EAX中存的是Software\Extra Mug Shot Sticker\General 00436BE6 . 68 01000080 push 0x80000001 00436BEB . 51 push ecx 00436BEC . E8 5F77FFFF call ExtraMug.0042E350 ;这个CALL是创建注册表把 RegCode写入注册表 00436BF1 . 68 80000000 push 0x80 00436BF6 . 8D5424 10 lea edx,dword ptr ss:[esp+0x10] 00436BFA . 52 push edx 00436BFB . 8BCF mov ecx,edi 00436BFD . E8 42640500 call <jmp.&MFC80.#3760> 00436C02 . 8B0D AC545800 mov ecx,dword ptr ds:[0x5854AC] 00436C08 . 8B15 20395800 mov edx,dword ptr ds:[0x583920] 00436C0E . 8D4424 0C lea eax,dword ptr ss:[esp+0xC] 00436C12 . 50 push eax 00436C13 . 68 5C0E5400 push ExtraMug.00540E5C ; UserName 00436C18 . 51 push ecx 00436C19 . 68 01000080 push 0x80000001 00436C1E . 52 push edx 00436C1F . E8 2C77FFFF call ExtraMug.0042E350 ;这个CALL是创建注册表把 UserName写入注册表 00436C24 . 8B0D 20395800 mov ecx,dword ptr ds:[0x583920] 00436C2A . E8 717BFFFF call ExtraMug.0042E7A0 00436C2F . 83F8 01 cmp eax,0x1 00436C32 . 56 push esi 00436C33 . 6A 00 push 0x0 00436C35 . 68 D4265400 push ExtraMug.005426D4 ; Information 00436C3A . 75 2B jnz XExtraMug.00436C67 ;跳向错误提示 00436C3C . 68 C8375400 push ExtraMug.005437C8 ; 成功提示Thank you for registering ! 00436C41 . E8 DAA2FFFF call ExtraMug.00430F20 00436C46 . 83C4 10 add esp,0x10 00436C49 . 8BCE mov ecx,esi 00436C4B . E8 A0600500 call <jmp.&MFC80.#4212> 00436C50 . 5F pop edi 00436C51 . 5E pop esi 00436C52 . 8B8C24 840000>mov ecx,dword ptr ss:[esp+0x84] 00436C59 . 33CC xor ecx,esp 00436C5B . E8 EE640500 call ExtraMug.0048D14E 00436C60 . 81C4 88000000 add esp,0x88 00436C66 . C3 retn 00436C67 > 68 A0375400 push ExtraMug.005437A0 ; 错误提示 Invalid license code,register failed ! 00436C6C > E8 AFA2FFFF call ExtraMug.00430F20 00436C71 . 8B8C24 9C0000>mov ecx,dword ptr ss:[esp+0x9C] 00436C78 . 83C4 10 add esp,0x10 00436C7B . 5F pop edi 00436C7C . 5E pop esi 00436C7D . 33CC xor ecx,esp 00436C7F . E8 CA640500 call ExtraMug.0048D14E 00436C84 . 
81C4 88000000 add esp,0x88 00436C8A . C3 retn
代码:
00436C3A . 75 2B jnz XExtraMug.00436C67
看来是一个重启验证类型的软件。由于在上面的分析过程中我发现该软件向注册表中写入了RegCode 和 UserName。呵呵想来这应该是注册重启
验证的。OK 那就下注册表断点吧!!!!!!!!!!!!!!!!!!!!!!!!!
bp RegOpenKeyExA 注意OD的堆栈框一直按F9直到出现RegCode

就反汇编跟随来到
代码:
0042E2D0 /$ 83EC 08 sub esp,0x8 0042E2D3 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14] 0042E2D7 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10] 0042E2DB |. 8D4424 14 lea eax,dword ptr ss:[esp+0x14] 0042E2DF |. 50 push eax ; /pHandle 0042E2E0 |. 6A 01 push 0x1 ; |Access = KEY_QUERY_VALUE 0042E2E2 |. 6A 00 push 0x0 ; |Reserved = 0 0042E2E4 |. 51 push ecx ; |Subkey 0042E2E5 |. 52 push edx ; |hKey 0042E2E6 |. C74424 14 040>mov dword ptr ss:[esp+0x14],0x104 ; | 0042E2EE |. C74424 18 010>mov dword ptr ss:[esp+0x18],0x1 ; | 0042E2F6 |. FF15 08C05300 call dword ptr ds:[<&ADVAPI32.RegOp>; \RegOpenKeyExA 0042E2FC |. 85C0 test eax,eax 0042E2FE 74 13 je XExtraMug.0042E313 0042E300 |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14] 0042E304 |. 50 push eax ; /hKey 0042E305 |. FF15 18C05300 call dword ptr ds:[<&ADVAPI32.RegCl>; \RegCloseKey 0042E30B |. 32C0 xor al,al 0042E30D |. 83C4 08 add esp,0x8 0042E310 |. C2 1400 retn 0x14
代码:
0042E7A0 /$ 81EC 04010000 sub esp,0x104 0042E7A6 |. A1 98FB5700 mov eax,dword ptr ds:[0x57FB98] 0042E7AB |. 33C4 xor eax,esp 0042E7AD |. 898424 000100>mov dword ptr ss:[esp+0x100],eax 0042E7B4 |. 56 push esi 0042E7B5 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4] 0042E7B9 |. 50 push eax 0042E7BA |. 8BF1 mov esi,ecx 0042E7BC |. 8B0D 68395800 mov ecx,dword ptr ds:[0x583968] 0042E7C2 |. 68 B0245400 push ExtraMug.005424B0 ; RegCode 0042E7C7 |. 51 push ecx 0042E7C8 |. 68 01000080 push 0x80000001 0042E7CD |. 56 push esi 0042E7CE |. E8 FDFAFFFF call ExtraMug.0042E2D0 0042E7D3 |. 84C0 test al,al 0042E7D5 |. 75 1A jnz XExtraMug.0042E7F1 0042E7D7 |. 8806 mov byte ptr ds:[esi],al 0042E7D9 |. 33C0 xor eax,eax 0042E7DB |. 5E pop esi 0042E7DC |. 8B8C24 000100>mov ecx,dword ptr ss:[esp+0x100] 0042E7E3 |. 33CC xor ecx,esp 0042E7E5 |. E8 64E90500 call ExtraMug.0048D14E 0042E7EA |. 81C4 04010000 add esp,0x104 0042E7F0 |. C3 retn 0042E7F1 |> 8D5424 04 lea edx,dword ptr ss:[esp+0x4] 0042E7F5 |. 52 push edx 0042E7F6 |. 8BCE mov ecx,esi 0042E7F8 |. E8 63FEFFFF call ExtraMug.0042E660 0042E7FD |. 8B8C24 040100>mov ecx,dword ptr ss:[esp+0x104] 0042E804 |. 85C0 test eax,eax 0042E806 |. 0F95C0 setne al 0042E809 |. 8806 mov byte ptr ds:[esi],al 0042E80B |. 5E pop esi 0042E80C |. 33CC xor ecx,esp 0042E80E |. 0FB6C0 movzx eax,al 0042E811 |. E8 38E90500 call ExtraMug.0048D14E 0042E816 |. 81C4 04010000 add esp,0x104 0042E81C \. C3 retn
代码:
0042E7F8 |. E8 63FEFFFF call ExtraMug.0042E660
代码:
0042E660 /$ 81EC 04030000 sub esp,0x304 0042E666 |. A1 98FB5700 mov eax,dword ptr ds:[0x57FB98] 0042E66B |. 33C4 xor eax,esp 0042E66D |. 898424 000300>mov dword ptr ss:[esp+0x300],eax 0042E674 |. 53 push ebx 0042E675 |. 55 push ebp 0042E676 |. 56 push esi 0042E677 |. 8BB424 140300>mov esi,dword ptr ss:[esp+0x314] 0042E67E |. 8BC6 mov eax,esi 0042E680 |. 8BE9 mov ebp,ecx 0042E682 |. 8D50 01 lea edx,dword ptr ds:[eax+0x1] 0042E685 |. 33DB xor ebx,ebx 0042E687 |> 8A08 /mov cl,byte ptr ds:[eax] -----------> 0042E689 |. 83C0 01 |add eax,0x1 这部计算我们输入的长度 0042E68C |. 3ACB |cmp cl,bl 0042E68E |.^ 75 F7 \jnz XExtraMug.0042E687 0042E690 |. 2BC2 sub eax,edx <--------------- 0042E692 |. 83F8 30 cmp eax,0x30 ; 比较我们的是否为48位不是就出错 0042E695 |. 74 07 je XExtraMug.0042E69E 0042E697 |. 33C0 xor eax,eax 0042E699 |. E9 E7000000 jmp ExtraMug.0042E785 0042E69E |> 57 push edi 0042E69F |. 68 FF000000 push 0xFF ; /n = FF (255.) 0042E6A4 |. 8D8424 150100>lea eax,dword ptr ss:[esp+0x115] ; | 0042E6AB |. 53 push ebx ; |c 0042E6AC |. 50 push eax ; |s 0042E6AD |. 889C24 1C0100>mov byte ptr ss:[esp+0x11C],bl ; | 0042E6B4 |. E8 89EA0500 call <jmp.&MSVCR80.memset> ; \memset 0042E6B9 |. 68 FF000000 push 0xFF ; /n = FF (255.) 0042E6BE |. 8D4C24 21 lea ecx,dword ptr ss:[esp+0x21] ; | 0042E6C2 |. 53 push ebx ; |c 0042E6C3 |. 51 push ecx ; |s 0042E6C4 |. 885C24 28 mov byte ptr ss:[esp+0x28],bl ; | 0042E6C8 |. E8 75EA0500 call <jmp.&MSVCR80.memset> ; \memset 0042E6CD |. 68 FF000000 push 0xFF ; /n = FF (255.) 0042E6D2 |. 8D9424 2D0200>lea edx,dword ptr ss:[esp+0x22D] ; | 0042E6D9 |. 53 push ebx ; |c 0042E6DA |. 52 push edx ; |s 0042E6DB |. 889C24 340200>mov byte ptr ss:[esp+0x234],bl ; | 0042E6E2 |. E8 5BEA0500 call <jmp.&MSVCR80.memset> ; \memset 0042E6E7 |. 8B3D 24CA5300 mov edi,dword ptr ds:[<&MSVCR80.str>; MSVCR80.strncpy 0042E6ED |. 6A 10 push 0x10 ; /maxlen = 10 (16.) 0042E6EF |. 8D8424 380100>lea eax,dword ptr ss:[esp+0x138] ; | 0042E6F6 |. 56 push esi ; |src 0042E6F7 |. 
50 push eax ; |dest 0042E6F8 |. FFD7 call edi ; \strncpy 0042E6FA |. 6A 10 push 0x10 0042E6FC |. 8D4E 10 lea ecx,dword ptr ds:[esi+0x10] 0042E6FF |. 51 push ecx 0042E700 |. 8D5424 48 lea edx,dword ptr ss:[esp+0x48] 0042E704 |. 52 push edx 0042E705 |. FFD7 call edi 0042E707 |. 6A 10 push 0x10 0042E709 |. 83C6 20 add esi,0x20 0042E70C |. 8D8424 500200>lea eax,dword ptr ss:[esp+0x250] 0042E713 |. 56 push esi 0042E714 |. 50 push eax 0042E715 |. FFD7 call edi 0042E717 |. 83C4 48 add esp,0x48 0042E71A |. 68 9C245400 push ExtraMug.0054249C ; C9AD9CACFC81B689 0042E71F |. 8D8C24 140100>lea ecx,dword ptr ss:[esp+0x114] 0042E726 |. 51 push ecx 0042E727 |. 8BCD mov ecx,ebp 0042E729 |. 889C24 280100>mov byte ptr ss:[esp+0x128],bl 0042E730 |. 885C24 28 mov byte ptr ss:[esp+0x28],bl 0042E734 |. 889C24 280200>mov byte ptr ss:[esp+0x228],bl 0042E73B |. E8 C0FDFFFF call ExtraMug.0042E500 ;想找出注册就进去看看 [ 进入0042E74E |. E8 ADFDFFFF call ExtraMug.0042E500里面看看 0042E5C8 |. 53 push ebx 0042E5C9 |. E8 721D0600 call ExtraMug.00490340 0042E5CE |. 8B4424 24 mov eax,dword ptr ss:[esp+0x24] 0042E5D2 |. 50 push eax 0042E5D3 |. 55 push ebp 0042E5D4 |. E8 671D0600 call ExtraMug.00490340 0042E5D9 |. 8B7C24 24 mov edi,dword ptr ss:[esp+0x24] 0042E5DD |. 68 80245400 push ExtraMug.00542480 ; 10001 0042E5E2 |. 57 push edi 0042E5E3 |. E8 581D0600 call ExtraMug.00490340 0042E5E8 |. 55 push ebp 0042E5E9 |. 53 push ebx 0042E5EA |. E8 E10A0600 call ExtraMug.0048F0D0 0042E5EF |. 83C4 20 add esp,0x20 0042E5F2 |. 83F8 FF cmp eax,-0x1 0042E5F5 |. 75 3F jnz XExtraMug.0042E636 0042E5F7 |. 8B7424 18 mov esi,dword ptr ss:[esp+0x18] 0042E5FB |. 56 push esi 0042E5FC |. 55 push ebp 0042E5FD |. 57 push edi 0042E5FE |. 53 push ebx 0042E5FF |. E8 BC1A0600 call ExtraMug.004900C0 0042E604 |. 6A 00 push 0x0 0042E606 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34] 0042E60A |. 51 push ecx 0042E60B |. 56 push esi 0042E60C |. 68 00010000 push 0x100 0042E611 |. E8 AA140600 call ExtraMug.0048FAC0 0042E616 |. 53 push ebx 0042E617 |. 
E8 14050600 call ExtraMug.0048EB30 0042E61C |. 56 push esi 0042E61D |. E8 0E050600 call ExtraMug.0048EB30 0042E622 |. 55 push ebp 0042E623 |. E8 08050600 call ExtraMug.0048EB30 0042E628 |. 57 push edi 0042E629 |. E8 02050600 call ExtraMug.0048EB30 0042E62E |. 83C4 30 add esp,0x30 0042E631 |. E8 1A050600 call ExtraMug.0048EB50 0042E636 |> 8D5424 20 lea edx,dword ptr ss:[esp+0x20] 0042E63A |. 52 push edx ; /s 0042E63B |. FF15 78CA5300 call dword ptr ds:[<&MSVCR80.atoi>] ; \atoi 0042E641 |. 8B8C24 240100>mov ecx,dword ptr ss:[esp+0x124] 0042E648 |. 83C4 04 add esp,0x4 0042E64B |. 5F pop edi 0042E64C |. 5E pop esi 0042E64D |. 5D pop ebp 0042E64E |. 5B pop ebx 0042E64F |. 33CC xor ecx,esp 0042E651 |. E8 F8EA0500 call ExtraMug.0048D14E 0042E656 |. 81C4 14010000 add esp,0x114 0042E65C \. C2 0800 retn 0x8 看过这段代码在找找关于CRC 的源码看看是不是很相像啊!!!!!!!!!!!!! ] 0042E740 |. 68 9C245400 push ExtraMug.0054249C ; C9AD9CACFC81B689 0042E745 |. 8D5424 14 lea edx,dword ptr ss:[esp+0x14] 0042E749 |. 52 push edx 0042E74A |. 8BCD mov ecx,ebp 0042E74C |. 8BF0 mov esi,eax 0042E74E |. E8 ADFDFFFF call ExtraMug.0042E500 0042E753 |. 8BF8 mov edi,eax 0042E755 |. 68 88245400 push ExtraMug.00542488 ; 9F8204E07CBECD21 0042E75A |. 8D8424 140200>lea eax,dword ptr ss:[esp+0x214] 0042E761 |. 50 push eax 0042E762 |. 8BCD mov ecx,ebp 0042E764 |. E8 97FDFFFF call ExtraMug.0042E500 0042E769 |. 3BF3 cmp esi,ebx 0042E76B |. 7E 15 jle XExtraMug.0042E782 ----------------->注意这个3个jle 0042E76D |. 3BFB cmp edi,ebx 它们是这个软件的关健爆破点: 0042E76F |. 7E 11 jle XExtraMug.0042E782 0042E771 |. 3BC3 cmp eax,ebx 把它们NOP掉就OK了 0042E773 |. 7E 0D jle XExtraMug.0042E782 <------------------- 0042E775 |. 33C9 xor ecx,ecx 0042E777 |. 03FE add edi,esi 0042E779 |. 3BF8 cmp edi,eax 0042E77B |. 0F94C1 sete cl 0042E77E |. 8BC1 mov eax,ecx 0042E780 |. EB 02 jmp XExtraMug.0042E784 0042E782 |> 33C0 xor eax,eax 0042E784 |> 5F pop edi 0042E785 |> 8B8C24 0C0300>mov ecx,dword ptr ss:[esp+0x30C] 0042E78C |. 5E pop esi 0042E78D |. 5D pop ebp 0042E78E |. 
5B pop ebx 0042E78F |. 33CC xor ecx,esp 0042E791 |. E8 B8E90500 call ExtraMug.0048D14E 0042E796 |. 81C4 04030000 add esp,0x304 0042E79C \. C2 0400 retn 0x4

根据上面的分析这个软件有以下特征:
1.这是一个CRC32重启验证的软件。
2.当面对一个软件不管是想爆破还是找出算法,不管是重启验证的软件还是其他类型的,
一般就是找按钮事件,要么下消息断点,要么用F12暂停,要么就查找字符串。。。。。。
等等我认为不管是什么猫只要能抓到老鼠就是好猫!!!我用的是最简单的查找Thank you for registering !
3.按一般流程就找到关键注册段,要观察该段有什么信息并做好记录。我在该段发现软件在注
册时向注册表(Software\Extra Mug Shot Sticker\General\RegCode | UserName)写入了信息。
4.找到关键的CALL 和跳转后试着修改,重启程序看是否爆破成功。如果没有,那么程序
可能是重启验证的软件。这个软件就是重启验证的软件。
5.此软件在我们修改关键的CALL 和跳转后,还是没有爆破成功。结合我们分析到的在注册
时软件向注册表中写入的信息来看,这个软件是个注册表重启验证的软件。
6.那我们就要下注册表的断点了。
7.要注意的是填写注册信息时,写的注册码要是48位的喔!!!!要不然即使修改了3个
jle也爆破失败喔。因为在
0042E692 |. 83F8 30 cmp eax,0x30 ; 比较我们的是否为48位不是就出错
0042E695 |. 74 07 je XExtraMug.0042E69E
对注册码的长度进行比较,不是48位就直接跳向注册失败。