Originally posted on the 霏凡论坛 (Feifan Forum)
Posted: 2008-06-02 22:31:30
Original title: [Original] Cracking a small program
Full text follows:
----------------------------
【Title】Cracking a small program
【Author】aspirer
【Author's e-mail】Not leaving it, I'm afraid of getting hacked
【Author's homepage】Not leaving it, I'm afraid of getting hacked
【Tools】OD (OllyDbg)
【Platform】Windows XP
【Software】网页快照 V1.0.3 (Web Snapshot)
【Size】2110 KB
【Original download】http://www.skycn.com/soft/25489.html
【Protection】None
【Description】This program is a tool for capturing and saving web-page snapshots. It can browse a specified web page, take a screenshot of it, and save the result as a BMP or JPG image. Simple to operate, with practical features.
【Disclaimer】For study and exchange only; experts, please skip this.
【Cracking process】
Set a breakpoint: Bpx __vbaStrCmp
Press F9 to run; it breaks at 00414208
00414208 . FF15 FC104000 call dword ptr [<&MSVBVM60.__>; MSVBVM60.__vbaStrCmp
0041420E . 85C0 test eax, eax
00414210 . 0F85 39010000 jnz 0041434F
At this point the registers show the e-mail name aspirer@crsky that I had pre-filled into the registry.
Now single-step down with F8.
0041435C . 51 push ecx
0041435D . 68 94564000 push 00405694
00414362 . FF15 FC104000 call dword ptr [<&MSVBVM60.__>; MSVBVM60.__vbaStrCmp
Now the registers show the fake registration code 11223344 that I entered.
Press F8 a few more times
It breaks again at 00420105
Comparing again? Indeed it is! Right next to EAX, which shows 11223344, another register shows a string that looks very much like a registration code.
EAX 0017FEAC UNICODE "11223344"
ECX 0018000C UNICODE "WS319B0"
EDX 00439030 ????.00439030
Note it down, restart the program, enter this registration code, and it really works. No challenge at all. If you want to write a memory keygen, this is the place to do it. Heh...
Let's keep going and look at the algorithm.
Scroll up a bit; the calls related to the algorithm should be nearby.
It starts by fetching my computer name.
0041FEA3 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0041FEA6 . FF15 D4114000 call dword ptr [<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCopy
0041FEAC . 8B0D 28904300 mov ecx, dword ptr [439028]
0041FEB2 . 51 push ecx ; /String => "winxp-en-vm"
0041FEB3 . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaL>; \__vbaLenBstr
0041FEB9 . 8945 EC mov dword ptr [ebp-14], eax
0041FEBC > 85C0 test eax, eax
0041FEBE . 0F8E A5000000 jle 0041FF69
0041FEC4 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0041FEC7 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
The computer name is taken one character at a time and accumulated; you can watch the value on the stack keep growing.
You can keep pressing F8 here to follow along and see the code looping in this area.
0041FECA . 52 push edx ; /Length8
0041FECB . 50 push eax ; |Start
0041FECC . 8D45 B4 lea eax, dword ptr [ebp-4C] ; |
0041FECF . C745 DC 01000>mov dword ptr [ebp-24], 1 ; |
0041FED6 . 50 push eax ; |dString8
0041FED7 . 51 push ecx ; |RetBUFFER
0041FED8 . C745 D4 02000>mov dword ptr [ebp-2C], 2 ; |
0041FEDF . C745 BC 28904>mov dword ptr [ebp-44], 00439028 ; |
0041FEE6 . C745 B4 08400>mov dword ptr [ebp-4C], 4008 ; |
0041FEED . FF15 D8104000 call dword ptr [<&MSVBVM60.#632>] ; \rtcMidCharVar
0041FEF3 . 8D55 C4 lea edx, dword ptr [ebp-3C]
0041FEF6 . 8D45 E4 lea eax, dword ptr [ebp-1C]
0041FEF9 . 52 push edx ; /String8
0041FEFA . 50 push eax ; |ARG2
0041FEFB . FF15 98114000 call dword ptr [<&MSVBVM60.__vbaS>; \__vbaStrVarVal
Convert to the ASCII code value
0041FF01 . 50 push eax ; /String
0041FF02 . FF15 4C104000 call dword ptr [<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
0041FF08 . 8BC8 mov ecx, eax
0041FF0A . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2Abs
0041FF10 . 8B4D E8 mov ecx, dword ptr [ebp-18]
0041FF13 . 51 push ecx
0041FF14 . 0FBFD8 movsx ebx, ax
0041FF17 . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI4Str
0041FF1D . 03D8 add ebx, eax
0041FF1F . 0F80 34020000 jo 00420159
0041FF25 . 53 push ebx
0041FF26 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrI4
0041FF2C . 8BD0 mov edx, eax
0041FF2E . 8D4D E8 lea ecx, dword ptr [ebp-18]
0041FF31 . FFD6 call esi
0041FF33 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041FF36 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
0041FF3C . 8D55 C4 lea edx, dword ptr [ebp-3C]
0041FF3F . 8D45 D4 lea eax, dword ptr [ebp-2C]
0041FF42 . 52 push edx
0041FF43 . 50 push eax
0041FF44 . 6A 02 push 2
0041FF46 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
0041FF4C . 8B45 EC mov eax, dword ptr [ebp-14]
0041FF4F . 8B1D 20104000 mov ebx, dword ptr [<&MSVBVM60._>; MSVBVM60.__vbaFreeVar
0041FF55 . 83C4 0C add esp, 0C
0041FF58 . 83E8 01 sub eax, 1
0041FF5B . 0F80 F8010000 jo 00420159
0041FF61 . 8945 EC mov dword ptr [ebp-14], eax
0041FF64 .^ E9 53FFFFFF jmp 0041FEBC
0041FF69 > 8B4D 08 mov ecx, dword ptr [ebp+8]
0041FF6C . 8B11 mov edx, dword ptr [ecx]
Now it fetches the e-mail I registered with
0041FF6E . 52 push edx ; /String
0041FF6F . FF15 34104000 call dword ptr [<&MSVBVM60.__vbaL>; \__vbaLenBstr
0041FF75 . 8945 EC mov dword ptr [ebp-14], eax
0041FF78 > 85C0 test eax, eax
0041FF7A . 0F8E A4000000 jle 00420024
0041FF80 . 8B4D 08 mov ecx, dword ptr [ebp+8]
0041FF83 . 8D55 D4 lea edx, dword ptr [ebp-2C]
0041FF86 . 52 push edx ; /Length8
0041FF87 . 50 push eax ; |Start
0041FF88 . 894D BC mov dword ptr [ebp-44], ecx ; |
0041FF8B . 8D45 B4 lea eax, dword ptr [ebp-4C] ; |
0041FF8E . 8D4D C4 lea ecx, dword ptr [ebp-3C] ; |
0041FF91 . 50 push eax ; |dString8
0041FF92 . 51 push ecx ; |RetBUFFER
0041FF93 . C745 DC 01000>mov dword ptr [ebp-24], 1 ; |
0041FF9A . C745 D4 02000>mov dword ptr [ebp-2C], 2 ; |
0041FFA1 . C745 B4 08400>mov dword ptr [ebp-4C], 4008 ; |
0041FFA8 . FF15 D8104000 call dword ptr [<&MSVBVM60.#632>] ; \rtcMidCharVar
0041FFAE . 8D55 C4 lea edx, dword ptr [ebp-3C]
0041FFB1 . 8D45 E4 lea eax, dword ptr [ebp-1C]
0041FFB4 . 52 push edx ; /String8
0041FFB5 . 50 push eax ; |ARG2
0041FFB6 . FF15 98114000 call dword ptr [<&MSVBVM60.__vbaS>; \__vbaStrVarVal
Convert each character of the e-mail address to ASCII and keep adding.
0041FFBC . 50 push eax ; /String
0041FFBD . FF15 4C104000 call dword ptr [<&MSVBVM60.#516>] ; \rtcAnsiValueBstr
0041FFC3 . 8BC8 mov ecx, eax
0041FFC5 . FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI2Abs
0041FFCB . 8B4D E8 mov ecx, dword ptr [ebp-18]
0041FFCE . 51 push ecx
0041FFCF . 0FBFD8 movsx ebx, ax
0041FFD2 . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI4Str
0041FFD8 . 03D8 add ebx, eax
0041FFDA . 0F80 79010000 jo 00420159
0041FFE0 . 53 push ebx
0041FFE1 . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrI4
0041FFE7 . 8BD0 mov edx, eax
0041FFE9 . 8D4D E8 lea ecx, dword ptr [ebp-18]
0041FFEC . FFD6 call esi
0041FFEE . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041FFF1 . FF15 70124000 call dword ptr [<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeStr
0041FFF7 . 8D55 C4 lea edx, dword ptr [ebp-3C]
0041FFFA . 8D45 D4 lea eax, dword ptr [ebp-2C]
0041FFFD . 52 push edx
0041FFFE . 50 push eax
0041FFFF . 6A 02 push 2
00420001 . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
00420007 . 8B45 EC mov eax, dword ptr [ebp-14]
0042000A . 8B1D 20104000 mov ebx, dword ptr [<&MSVBVM60._>; MSVBVM60.__vbaFreeVar
00420010 . 83C4 0C add esp, 0C
00420013 . 83E8 01 sub eax, 1
00420016 . 0F80 3D010000 jo 00420159
0042001C . 8945 EC mov dword ptr [ebp-14], eax
0042001F .^ E9 54FFFFFF jmp 0041FF78
00420024 > 8B4D E8 mov ecx, dword ptr [ebp-18]
00420027 . 51 push ecx
00420028 . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI4Str
0042002E . 05 08100300 add eax, 31008 ; add hex 31008, i.e. decimal 200712, to the computed value
00420033 . 0F80 20010000 jo 00420159
00420039 . 50 push eax
0042003A . FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrI4
00420040 . 8BD0 mov edx, eax
00420042 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00420045 . FFD6 call esi
00420047 . 8D45 B4 lea eax, dword ptr [ebp-4C]
0042004A . 6A 06 push 6
0042004C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
0042004F . 8D55 E8 lea edx, dword ptr [ebp-18]
00420052 . 50 push eax
00420053 . 51 push ecx
00420054 . 8955 BC mov dword ptr [ebp-44], edx
00420057 . C745 B4 08400>mov dword ptr [ebp-4C], 4008
0042005E . FF15 30124000 call dword ptr [<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
00420064 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00420067 . 52 push edx
00420068 . FFD7 call edi
0042006A . 8BD0 mov edx, eax
0042006C . 8D4D E8 lea ecx, dword ptr [ebp-18]
0042006F . FFD6 call esi
00420071 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00420074 . FFD3 call ebx
00420076 . 8B45 E8 mov eax, dword ptr [ebp-18]
00420079 . 50 push eax
0042007A . FF15 DC114000 call dword ptr [<&MSVBVM60.__vbaI>; MSVBVM60.__vbaI4Str
00420080 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00420083 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00420086 . 51 push ecx
00420087 . 52 push edx
00420088 . 8945 DC mov dword ptr [ebp-24], eax
0042008B . C745 D4 03000>mov dword ptr [ebp-2C], 3
Next it converts the ASCII sum to hexadecimal
00420092 . FF15 D0114000 call dword ptr [<&MSVBVM60.#573>] ; MSVBVM60.rtcHexVarFromVar
00420098 . 8D45 C4 lea eax, dword ptr [ebp-3C]
0042009B . 50 push eax
0042009C . FFD7 call edi
0042009E . 8BD0 mov edx, eax
004200A0 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004200A3 . FFD6 call esi
004200A5 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
004200A8 . 8D55 D4 lea edx, dword ptr [ebp-2C]
004200AB . 51 push ecx
004200AC . 52 push edx
004200AD . 6A 02 push 2
004200AF . FF15 3C104000 call dword ptr [<&MSVBVM60.__vbaF>; MSVBVM60.__vbaFreeVarList
004200B5 . 8B45 E8 mov eax, dword ptr [ebp-18]
004200B8 . 83C4 0C add esp, 0C
Then it prefixes the computed hexadecimal with the two letters WS, forming the real registration code.
004200BB . 68 246D4000 push 00406D24 ; UNICODE "WS"
004200C0 . 50 push eax ; /String
004200C1 . FF15 64104000 call dword ptr [<&MSVBVM60.__vbaS>; \__vbaStrCat
004200C7 . 8BD0 mov edx, eax
004200C9 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004200CC . FFD6 call esi
004200CE . 8D55 B4 lea edx, dword ptr [ebp-4C]
004200D1 . 8D45 D4 lea eax, dword ptr [ebp-2C]
004200D4 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004200D7 . 52 push edx
004200D8 . 50 push eax
004200D9 . 894D BC mov dword ptr [ebp-44], ecx
004200DC . C745 B4 08400>mov dword ptr [ebp-4C], 4008
004200E3 . FF15 F8104000 call dword ptr [<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
004200E9 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004200EC . 51 push ecx
004200ED . FFD7 call edi
004200EF . 8BD0 mov edx, eax
004200F1 . 8D4D E8 lea ecx, dword ptr [ebp-18]
004200F4 . FFD6 call esi
004200F6 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004200F9 . FFD3 call ebx
004200FB . 8B55 0C mov edx, dword ptr [ebp+C]
004200FE . 8B4D E8 mov ecx, dword ptr [ebp-18]
00420101 . 8B02 mov eax, dword ptr [edx]
00420103 . 50 push eax
00420104 . 51 push ecx ; ???call??????
00420105 . FF15 FC104000 call dword ptr [<&MSVBVM60.__vbaS>; MSVBVM60.__vbaStrCmp
When we reach here, you can see the real code and the fake code being compared in the registers. If you want to patch it, this is also a place to consider. Heh...
OK, let me summarize the algorithm.
Add up the ASCII values of every character of the computer name and the registration e-mail (uppercase letters are converted to lowercase), then add 200712 (presumably the author means the software was written in December 2007), then convert this decimal number to hexadecimal. Prefix it with the two letters WS (probably meaning WebSnap), and that forms the registration code.
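As an added example (my own code, not from the original post or the program's author), the routine reconstructed from the listing above, written out in Python so the analysis can be checked against the values that appeared in the debugger: computer name "winxp-en-vm", e-mail "aspirer@crsky", and the code "WS319B0" seen in ECX. Function names are mine. It also includes the Left(…, 6) truncation that the listing performs (rtcLeftCharVar with 6 at 0042004A, before __vbaI4Str and rtcHexVarFromVar) but the summary does not mention, and a small check showing why a scheme built on a plain sum of character codes is weak.

```python
# Added reconstruction of the registration check described in the post;
# this is illustrative code, not the program's own source.

# Constant added at 0042002E: hex 31008 = decimal 200712.
SALT = 0x31008  # 200712


def char_sum(s: str) -> int:
    """Sum of the character codes of s.

    Mirrors the loop in the listing: rtcMidCharVar takes one character,
    rtcAnsiValueBstr gives its code, __vbaI2Abs takes the absolute value,
    and the result is added to the running total.
    """
    return sum(abs(ord(c)) for c in s)


def expected_code(computer_name: str, email: str) -> str:
    """Code the program computes and compares against the entered code."""
    total = char_sum(computer_name) + char_sum(email) + SALT
    # The listing converts the total to a string, keeps Left(str, 6),
    # converts back to an integer and only then calls Hex().
    truncated = int(str(total)[:6])
    # "WS" & Hex(value), then rtcUpperCaseVar at 004200E3.
    return ("WS" + format(truncated, "X")).upper()


def check_code(computer_name: str, email: str, entered: str) -> bool:
    """Equivalent of the final __vbaStrCmp at 00420105."""
    return entered == expected_code(computer_name, email)


def order_insensitive(computer_name: str, email: str) -> bool:
    """Weakness check: because the code depends only on a sum of character
    codes, any reordering of the input characters yields the same code."""
    scrambled = computer_name[::-1]
    return expected_code(scrambled, email) == expected_code(computer_name, email)


if __name__ == "__main__":
    # Values observed in the debugger in the post above.
    print(expected_code("winxp-en-vm", "aspirer@crsky"))        # WS319B0
    print(check_code("winxp-en-vm", "aspirer@crsky", "WS319B0"))  # True
    print(order_insensitive("winxp-en-vm", "aspirer@crsky"))      # True
```

The reconstruction reproduces the observed WS319B0 exactly, which confirms the analysis. The `order_insensitive` check is the defender's lesson: the code is a checksum of the inputs, not a cryptographic binding to them, so many different machine/e-mail pairs map to the same code and the whole secret is the one constant 200712 embedded in the binary. A licence scheme that has to resist this kind of analysis keeps its secret off the client, for example by issuing codes signed with a key the program only verifies.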
If you want the keygen, download it here: click here
【Summary】The algorithm is really not hard. This write-up is also rather rough, because the algorithm was worked out from analysing the code and the strings that appeared on the stack. More of the insight and understanding comes when you debug it yourself in a debugger. Writing it up is only meant to convey the idea.
【Copyright】If this happens to be reposted, please credit the source and keep the full text intact.
When reposting please credit: Linc Hu » Playing with cracking: the cracking process of 网页快照 V1.0.3