Author: luowei [lxw1985521], forum user
Software: Windows优化大师 (Windows Optimization Master)
Version: 5.8.4.0112
Unregistered limitation: restricted functionality
Protection: registration name + machine code + registration code (supposedly it uses RSA; I'm just patching it, so I couldn't care less!)

I had previously registered it with 娃娃's keygen, so the first step is deleting the registration data under HKEY_LOCAL_MACHINE\SOFTWARE\Wom in the registry.

PEiD reports the main executable as ASPack-packed; I unpacked it with ASPackDie, and scanning again shows it is written in Delphi.

1. Main program

Code:

Disassemble with W32Dasm, choose Refs -> String Data References, and double-click "Windows优化大师 V5.8 (已注册)" ("registered") to land where the program checks the registration code at startup:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00565BB0(C)
|
:00565BDE 8B45FC          mov eax, dword ptr [ebp-04]
:00565BE1 E87639FEFF      call 0054955C                       <= key CALL
:00565BE6 85C0            test eax, eax                       <= compare
:00565BE8 0F858F000000    jne 00565C7D                        <= key jump; if unregistered it jumps to 00565C7D
:00565BEE 8B45FC          mov eax, dword ptr [ebp-04]
:00565BF1 8B8020050000    mov eax, dword ptr [eax+00000520]
* Possible StringData Ref from Code Obj ->"Windows优化大师 V5.8 (已注册)"
|
:00565BF7 BA007C5600      mov edx, 00567C00
:00565BFC E88B42F0FF      call 00469E8C
:00565C01 8B45FC          mov eax, dword ptr [ebp-04]
:00565C04 8B8090030000    mov eax, dword ptr [eax+00000390]
* Possible StringData Ref from Code Obj ->"网上升级"
|
:00565C0A BA287C5600      mov edx, 00567C28
:00565C0F E87842F0FF      call 00469E8C
:00565C14 B201            mov dl, 01
:00565C16 A1A8D34300      mov eax, dword ptr [0043D3A8]
:00565C1B E88878EDFF      call 0043D4A8
:00565C20 8BD8            mov ebx, eax
:00565C22 BA02000080      mov edx, 80000002
:00565C27 8BC3            mov eax, ebx
:00565C29 E81A79EDFF      call 0043D548
:00565C2E 33C9            xor ecx, ecx
.................... some irrelevant code omitted ....................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00565BE8(C)
|
:00565C7D 8B45FC          mov eax, dword ptr [ebp-04]
:00565C80 8B8020050000    mov eax, dword ptr [eax+00000520]
* Possible StringData Ref from Code Obj ->"Windows优化大师 V5.8 (未注册)"
|
:00565C86 BA887C5600      mov edx, 00567C88
:00565C8B E8FC41F0FF      call 00469E8C
:00565C90 8B45FC          mov eax, dword ptr [ebp-04]
:00565C93 8B8090030000    mov eax, dword ptr [eax+00000390]
* Possible StringData Ref from Code Obj ->"软件注册"
|
:00565C99 BAB07C5600      mov edx, 00567CB0
:00565C9E E8E941F0FF      call 00469E8C
:00565CA3 B201            mov dl, 01
:00565CA5 A1A8D34300      mov eax, dword ptr [0043D3A8]
:00565CAA E8F977EDFF      call 0043D4A8
:00565CAF 8BD8            mov ebx, eax
:00565CB1 BA02000080      mov edx, 80000002
:00565CB6 8BC3            mov eax, ebx
:00565CB8 E88B78EDFF      call 0043D548
:00565CBD B101            mov cl, 01

Summary: change the jne 00565C7D at 00565BE8 to NOPs, i.e. change 0F858F000000 at file offset 165BE8 to 909090909090.

2. Windows系统医生 (Windows System Doctor)

Code:

After unpacking, disassemble with C32asm and choose View -> Strings.

Method 1: the only unregistered restriction of this program is that it will not repair all errors at once, so look for the string "说明:Windows系统医生的“全部修复”是提供给注册用户使用的功能,未注册用户只能手动逐项进行修复。" (Note: "Repair all" in Windows System Doctor is a feature for registered users; unregistered users can only repair items one by one manually). There is only one hit; double-click it and you arrive here:

::004863CB::  64:FF30          PUSH DWORD PTR FS:[EAX]
::004863CE::  64:8920          MOV DWORD PTR FS:[EAX], ESP
::004863D1::  8B83 04040000    MOV EAX, DWORD PTR [EBX+404]
::004863D7::  BA 60694800      MOV EDX, 486960                  \->: 已注册
::004863DC::  E8 8FE0F7FF      CALL 00404470                    \:JMPUP
::004863E1::  75 1D            JNZ SHORT 00486400               \:JMPDOWN   <= the key jump, heh; change it to JMP
::004863E3::  6A 40            PUSH 40
::004863E5::  B9 68694800      MOV ECX, 486968                  \->: Windows系统医生
::004863EA::  BA 78694800      MOV EDX, 486978                  \->: 说明:Windows系统医生的“全部修复”是提供给注册用户使用的功能,未注册用户只能手动逐项进行修复。
::004863EF::  A1 F0934800      MOV EAX, DWORD PTR [4893F0]
::004863F4::  8B00             MOV EAX, DWORD PTR [EAX]
::004863F6::  E8 8136FFFF      CALL 00479A7C                    \:JMPUP
::004863FB::  E9 22050000      JMP 00486922                     \:JMPDOWN
::00486400::  8B83 B0030000    MOV EAX, DWORD PTR [EBX+3B0]     \:BYJMP JmpBy:004863E1,
::00486406::  8078 38 01       CMP BYTE PTR [EAX+38], 1         \:BYJMP JmpBy:004863A5,
::0048640A::  75 24            JNZ SHORT 00486430               \:JMPDOWN
::0048640C::  6A 21            PUSH 21
::0048640E::  B9 68694800      MOV ECX, 486968                  \->: Windows系统医生
::00486413::  BA D8694800      MOV EDX, 4869D8                  \->: Windows系统医生建议在全部删除前进行注册表备份。单击“确认”将注册表备份为文件,如果不需要备份,请单击“取消”。

Method 2: search for "已注册" (registered); there are three hits. Double-click the first one and you arrive here:

::00485162::  33C9             XOR ECX, ECX
::00485164::  BA D4524800      MOV EDX, 4852D4                  \->: Software\Wom   <= reads the registration data from the registry
::00485169::  8BC3             MOV EAX, EBX
::0048516B::  E8 6CE0FAFF      CALL 004331DC                    \:JMPUP
::00485170::  84C0             TEST AL, AL
::00485172::  74 2B            JE SHORT 0048519F                \:JMPDOWN
::00485174::  BA EC524800      MOV EDX, 4852EC                  \->: Masters
::00485179::  8BC3             MOV EAX, EBX
::0048517B::  E8 80E7FAFF      CALL 00433900                    \:JMPUP
::00485180::  84C0             TEST AL, AL
::00485182::  74 12            JE SHORT 00485196                \:JMPDOWN   <= what a classic comparison; of course it becomes a JMP
::00485184::  8B45 FC          MOV EAX, DWORD PTR [EBP-4]
::00485187::  05 04040000      ADD EAX, 404
::0048518C::  BA FC524800      MOV EDX, 4852FC                  \->: 已注册
::00485191::  E8 22EFF7FF      CALL 004040B8                    \:JMPUP
::00485196::  8BC3             MOV EAX, EBX                     \:BYJMP JmpBy:00485182,
::00485198::  E8 A7DFFAFF      CALL 00433144                    \:JMPUP
::0048519D::  EB 12            JMP SHORT 004851B1               \:JMPDOWN
::0048519F::  8B45 FC          MOV EAX, DWORD PTR [EBP-4]       \:BYJMP JmpBy:00485172,
::004851A2::  05 04040000      ADD EAX, 404
::004851A7::  BA FC524800      MOV EDX, 4852FC                  \->: 已注册

Summary: at offset 85182 change 74 -> EB, or at offset 863E1 change 75 -> EB.
OP | Posted: 04-04-22 14:00
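As an added example (not from the original post, and not the software vendor's own code), here is the defender's side of what the post describes: an integrity check that compares the instruction bytes at known code offsets with their original encodings and reports what kind of edit it finds (NOP filler, a short conditional jump turned into an unconditional JMP, or some other change), plus a whole-file digest comparison. The file images are constructed in memory inside the block; the offsets and byte patterns are the ones quoted in the post. CheckPoint, classify, audit, build_sample and demo are names I chose for this example.

```python
# Added example, not from the original post or from the software's vendor.
# A defender-side integrity check for the kind of one-instruction patching the
# post describes: compare the bytes at known code offsets with their original
# encodings and report what kind of change was made. The file images below are
# constructed in memory; the offsets and byte patterns are the ones quoted in
# the post. CheckPoint, classify, audit, build_sample and demo are my own names.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class CheckPoint:
    name: str        # label for the report
    offset: int      # file offset of the protected instruction
    expected: bytes  # original encoding of that instruction


def classify(image: bytes, cp: CheckPoint) -> str:
    """Return 'intact', 'truncated', 'nop-patched', 'jcc-to-jmp' or 'modified'."""
    actual = image[cp.offset:cp.offset + len(cp.expected)]
    if len(actual) < len(cp.expected):
        return "truncated"          # file is shorter than the checkpoint needs
    if actual == cp.expected:
        return "intact"
    if actual == b"\x90" * len(cp.expected):
        return "nop-patched"        # instruction replaced by NOP filler
    # Short conditional jump (opcode 70..7F) rewritten as JMP rel8 (EB) with the
    # same displacement: the branch is now taken unconditionally.
    if 0x70 <= cp.expected[0] <= 0x7F and actual[0] == 0xEB and actual[1:] == cp.expected[1:]:
        return "jcc-to-jmp"
    return "modified"               # some other edit at this location


def audit(image: bytes, checkpoints: Iterable[CheckPoint]) -> Dict[str, str]:
    """Classify every checkpoint; anything but 'intact' is a finding."""
    return {cp.name: classify(image, cp) for cp in checkpoints}


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole file, as the reference value to record for a clean build."""
    return hashlib.sha256(image).hexdigest()


def digest_matches(image: bytes, known_sha256_hex: str) -> bool:
    """Whole-file check: cheaper than checkpoints and catches edits anywhere in the file."""
    return hmac.compare_digest(image_digest(image), known_sha256_hex)


def build_sample(size: int, placements: Dict[int, bytes]) -> bytes:
    """Constructed stand-in for an executable: zeros plus the bytes we care about."""
    buf = bytearray(size)
    for off, data in placements.items():
        buf[off:off + len(data)] = data
    return bytes(buf)


# Checkpoints taken from the post: the main program's jne at 00565BE8 (file
# offset 165BE8) and Windows系统医生's jnz at 004863E1 / je at 00485182
# (file offsets 863E1 / 85182).
MAIN_CHECKS = [CheckPoint("main: jne @00565BE8", 0x165BE8, bytes.fromhex("0F858F000000"))]
DOCTOR_CHECKS = [
    CheckPoint("doctor: jnz @004863E1", 0x863E1, bytes.fromhex("751D")),
    CheckPoint("doctor: je @00485182", 0x85182, bytes.fromhex("7412")),
]


def demo() -> Dict[str, Dict[str, str]]:
    """Run the audit over constructed clean and tampered images."""
    clean_main = build_sample(0x166000, {0x165BE8: bytes.fromhex("0F858F000000")})
    nop_main = build_sample(0x166000, {0x165BE8: b"\x90" * 6})
    clean_doctor = build_sample(0x87000, {0x863E1: bytes.fromhex("751D"), 0x85182: bytes.fromhex("7412")})
    jmp_doctor = build_sample(0x87000, {0x863E1: bytes.fromhex("EB1D"), 0x85182: bytes.fromhex("7412")})
    return {
        "clean_main": audit(clean_main, MAIN_CHECKS),
        "nop_main": audit(nop_main, MAIN_CHECKS),
        "clean_doctor": audit(clean_doctor, DOCTOR_CHECKS),
        "jmp_doctor": audit(jmp_doctor, DOCTOR_CHECKS),
    }


if __name__ == "__main__":
    for image_name, report in demo().items():
        print(image_name, report)
```

The checkpoint report tells you which branch was touched; the digest tells you whether the file matches a known-good build at all. A self-check compiled into the program is itself just another conditional branch, and the post shows exactly how such branches get treated, so the digest or signature (for Windows binaries, Authenticode) has to be verified by something outside the protected executable to be worth much.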
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.