Forum: 菜鸟乐园 Title: ddddd
Author: luowei [lxw1985521] Forum user
Software name: Windows优化大师
Version: 5.8.4.0112
Unregistered restriction: functional limitations
Protection method: registration name + machine code + registration code (said to use the RSA algorithm; I'm just patching, so I don't care about that!)
I had previously used 娃娃's keygen, so first I deleted the registration information under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wom.
PEiD detects the main program as ASPack-packed; after unpacking it with ASPackDie, it is detected as written in Delphi.

1. Main program

Code:

Disassemble with W32Dasm, open Refs -> String Data References, and double-click "Windows优化大师 V5.8 (已注册)" to reach the place where the program checks the registration code at startup:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00565BB0(C)
|
:00565BDE 8B45FC mov eax, dword ptr [ebp-04]
:00565BE1 E87639FEFF call 0054955C <= key CALL
:00565BE6 85C0 test eax, eax <= comparison
:00565BE8 0F858F000000 jne 00565C7D <= key jump; if unregistered, it jumps to 00565C7D
:00565BEE 8B45FC mov eax, dword ptr [ebp-04]
:00565BF1 8B8020050000 mov eax, dword ptr [eax+00000520]

* Possible StringData Ref from Code Obj ->"Windows优化大师 V5.8 (已注册)"
|
:00565BF7 BA007C5600 mov edx, 00567C00
:00565BFC E88B42F0FF call 00469E8C
:00565C01 8B45FC mov eax, dword ptr [ebp-04]
:00565C04 8B8090030000 mov eax, dword ptr [eax+00000390]

* Possible StringData Ref from Code Obj ->"网上升级"
|
:00565C0A BA287C5600 mov edx, 00567C28
:00565C0F E87842F0FF call 00469E8C
:00565C14 B201 mov dl, 01
:00565C16 A1A8D34300 mov eax, dword ptr [0043D3A8]
:00565C1B E88878EDFF call 0043D4A8
:00565C20 8BD8 mov ebx, eax
:00565C22 BA02000080 mov edx, 80000002
:00565C27 8BC3 mov eax, ebx
:00565C29 E81A79EDFF call 0043D548
:00565C2E 33C9 xor ecx, ecx

...... some irrelevant code omitted ......

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00565BE8(C)
|
:00565C7D 8B45FC mov eax, dword ptr [ebp-04]
:00565C80 8B8020050000 mov eax, dword ptr [eax+00000520]

* Possible StringData Ref from Code Obj ->"Windows优化大师 V5.8 (未注册)"
|
:00565C86 BA887C5600 mov edx, 00567C88
:00565C8B E8FC41F0FF call 00469E8C
:00565C90 8B45FC mov eax, dword ptr [ebp-04]
:00565C93 8B8090030000 mov eax, dword ptr [eax+00000390]

* Possible StringData Ref from Code Obj ->"软件注册"
|
:00565C99 BAB07C5600 mov edx, 00567CB0
:00565C9E E8E941F0FF call 00469E8C
:00565CA3 B201 mov dl, 01
:00565CA5 A1A8D34300 mov eax, dword ptr [0043D3A8]
:00565CAA E8F977EDFF call 0043D4A8
:00565CAF 8BD8 mov ebx, eax
:00565CB1 BA02000080 mov edx, 80000002
:00565CB6 8BC3 mov eax, ebx
:00565CB8 E88B78EDFF call 0043D548
:00565CBD B101 mov cl, 01

Summary: change the jne 00565C7D at 00565BE8 to NOPs, i.e. change 0F858F000000 at file offset 165BE8 to 909090909090.

2. Windows系统医生
Code:

After unpacking, disassemble with C32asm and open View -> Strings.
Method 1: the only unregistered limitation of this program is that it cannot repair all errors, so find the string "说明:Windows系统医生的“全部修复”是提供给注册用户使用的功能,未注册用户只能手动逐项进行修复。"
There is only one entry below it; double-click it to arrive here:

::004863CB:: 64:FF30 PUSH DWORD PTR FS:[EAX]
::004863CE:: 64:8920 MOV DWORD PTR FS:[EAX], ESP
::004863D1:: 8B83 04040000 MOV EAX, DWORD PTR [EBX+404]
::004863D7:: BA 60694800 MOV EDX, 486960 \->: 已注册
::004863DC:: E8 8FE0F7FF CALL 00404470 \:JMPUP
::004863E1:: 75 1D JNZ SHORT 00486400 \:JMPDOWN <= the key jump, heh, change it to JMP
::004863E3:: 6A 40 PUSH 40
::004863E5:: B9 68694800 MOV ECX, 486968 \->: Windows系统医生
::004863EA:: BA 78694800 MOV EDX, 486978 \->: 说明:Windows系统医生的“全部修复”是提供给注册用户使用的功能,未注册用户只能手动逐项进行修复。
::004863EF:: A1 F0934800 MOV EAX, DWORD PTR [4893F0]
::004863F4:: 8B00 MOV EAX, DWORD PTR [EAX]
::004863F6:: E8 8136FFFF CALL 00479A7C \:JMPUP
::004863FB:: E9 22050000 JMP 00486922 \:JMPDOWN
::00486400:: 8B83 B0030000 MOV EAX, DWORD PTR [EBX+3B0] \:BYJMP JmpBy:004863E1,
::00486406:: 8078 38 01 CMP BYTE PTR [EAX+38], 1 \:BYJMP JmpBy:004863A5,
::0048640A:: 75 24 JNZ SHORT 00486430 \:JMPDOWN
::0048640C:: 6A 21 PUSH 21
::0048640E:: B9 68694800 MOV ECX, 486968 \->: Windows系统医生
::00486413:: BA D8694800 MOV EDX, 4869D8 \->: Windows系统医生建议在全部删除前进行注册表备份。单击“确认”将注册表备份为文件,如果不需要备份,请单击“取消”。

Method 2: search for "已注册" (registered); there are 3 hits. Double-click the first to arrive here:

::00485162:: 33C9 XOR ECX, ECX
::00485164:: BA D4524800 MOV EDX, 4852D4 \->: Software\Wom <= reads the registration information from the registry
::00485169:: 8BC3 MOV EAX, EBX
::0048516B:: E8 6CE0FAFF CALL 004331DC \:JMPUP
::00485170:: 84C0 TEST AL, AL
::00485172:: 74 2B JE SHORT 0048519F \:JMPDOWN
::00485174:: BA EC524800 MOV EDX, 4852EC \->: Masters
::00485179:: 8BC3 MOV EAX, EBX
::0048517B:: E8 80E7FAFF CALL 00433900 \:JMPUP
::00485180:: 84C0 TEST AL, AL
::00485182:: 74 12 JE SHORT 00485196 \:JMPDOWN <= what a classic comparison; of course, change it to JMP
::00485184:: 8B45 FC MOV EAX, DWORD PTR [EBP-4]
::00485187:: 05 04040000 ADD EAX, 404
::0048518C:: BA FC524800 MOV EDX, 4852FC \->: 已注册
::00485191:: E8 22EFF7FF CALL 004040B8 \:JMPUP
::00485196:: 8BC3 MOV EAX, EBX \:BYJMP JmpBy:00485182,
::00485198:: E8 A7DFFAFF CALL 00433144 \:JMPUP
::0048519D:: EB 12 JMP SHORT 004851B1 \:JMPDOWN
::0048519F:: 8B45 FC MOV EAX, DWORD PTR [EBP-4] \:BYJMP JmpBy:00485172,
::004851A2:: 05 04040000 ADD EAX, 404
::004851A7:: BA FC524800 MOV EDX, 4852FC \->: 已注册

Summary: at offset 85182 change 74 -> EB, or at offset 863E1 change 75 -> EB.


Original poster, posted: 04-04-22 14:00


Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software by: NetDemon

粤ICP备05087286号