史萊姆論壇

2003-12-20, 11:52 PM   #1
psac
Analyzing packed shareware

Software: Advanced Email Parser 1.22
Download: http://www.mailutilities.com/
Protection: ASProtect + MD5



Author: lordor
Tools: OllyDbg + a debugger-hiding plugin.



Load the packed program in OllyDbg; following the usual method, you arrive here:

00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ; ASCII "Registration"
00463E4D PUSH aep.00546B54 ; ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ; ASCII "Registration"
00463E6A PUSH aep.00546B30 ; ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP ===> set a breakpoint here, check where it is used, and you arrive below
00463E7F RETN


00473250 PUSH ESI
00473251 MOV ESI,ECX
00473253 CALL aep.00463DC0 ; the input box pops up, F7 to step in
00473258 CALL aep.00463B30
0047325D TEST EAX,EAX
0047325F JE SHORT aep.00473287
00473261 CALL aep.00412840
00473266 TEST EAX,EAX
00473268 JNZ SHORT aep.00473272
0047326A PUSH 1
0047326C CALL DWORD PTR DS:[5373B0] ; kernel32.ExitProcess
00473272 JMP aep.00473287
00473277 JA SHORT aep.0047328B
00473279 ??? ; Unknown command
0047327A ADC EAX,384B7548
0047327F JL SHORT aep.004732A7
00473281 SBB DWORD PTR SS:[ESP+EDX*2+5E0A9CE7],ED>


--------------------------------------
Step into the call above (aep.00463DC0):

00463DC0 PUSH EBP
00463DC1 MOV EBP,ESP
00463DC3 AND ESP,FFFFFFF8
00463DC6 SUB ESP,100
00463DCC PUSH ESI
00463DCD PUSH EDI
00463DCE XOR EAX,EAX
00463DD0 MOV BYTE PTR SS:[ESP+8],0
00463DD5 MOV ECX,3F
00463DDA LEA EDI,DWORD PTR SS:[ESP+9]
00463DDE REP STOS DWORD PTR ES:[EDI]
00463DE0 STOS WORD PTR ES:[EDI]
00463DE2 STOS BYTE PTR ES:[EDI]
00463DE3 MOV EDI,DWORD PTR DS:[537780] ; user32.GetFocus
00463DE9 PUSH 100
00463DEE LEA EAX,DWORD PTR SS:[ESP+C]
00463DF2 PUSH EAX
00463DF3 PUSH aep.00546B84 ; ASCII "Enter registration code:"
00463DF8 PUSH aep.00546B74 ; ASCII "Registration"
00463DFD XOR ESI,ESI
00463DFF CALL EDI
00463E01 PUSH EAX
00463E02 CALL aep.00463CF0 ==> the input box pops up here
00463E07 ADD ESP,14
00463E0A CMP EAX,1
00463E0D JNZ SHORT aep.00463E78 ==> was anything entered?
00463E0F LEA ECX,DWORD PTR SS:[ESP+8] ==> the entered registration code goes into ecx
00463E13 PUSH ECX
00463E14 CALL aep.00463930 ==> key call, F7 to step in
00463E19 MOV ESI,EAX
00463E1B ADD ESP,4
00463E1E TEST ESI,ESI
00463E20 JE SHORT aep.00463E63 ==> key jump, must not be taken
00463E22 LEA EDX,DWORD PTR SS:[ESP+8]
00463E26 PUSH EDX
00463E27 CALL aep.004056D0 ==> key call, F7 to step in
00463E2C ADD ESP,4
00463E2F TEST EAX,EAX
00463E31 JNZ SHORT aep.00463E39 ==> must jump here to succeed
00463E33 POP EDI
00463E34 POP ESI
00463E35 MOV ESP,EBP
00463E37 POP EBP
00463E38 RETN
00463E39 LEA EAX,DWORD PTR SS:[ESP+8]
00463E3D PUSH EAX
00463E3E CALL aep.00463AE0
00463E43 ADD ESP,4
00463E46 PUSH 40
00463E48 PUSH aep.00546B74 ; ASCII "Registration"
00463E4D PUSH aep.00546B54 ; ASCII "Thank you for registering AEP!"
00463E52 CALL EDI
00463E54 PUSH EAX
00463E55 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E5B MOV EAX,ESI
00463E5D POP EDI
00463E5E POP ESI
00463E5F MOV ESP,EBP
00463E61 POP EBP
00463E62 RETN
00463E63 PUSH 30
00463E65 PUSH aep.00546B74 ; ASCII "Registration"
00463E6A PUSH aep.00546B30 ; ASCII "The code you've entered is invalid!"
00463E6F CALL EDI
00463E71 PUSH EAX
00463E72 CALL DWORD PTR DS:[537674] ; user32.MessageBoxA
00463E78 POP EDI
00463E79 MOV EAX,ESI
00463E7B POP ESI
00463E7C MOV ESP,EBP
00463E7E POP EBP
00463E7F RETN
00463E80 PUSH ESI
00463E81 MOV ESI,ECX
00463E83 MOV EAX,DWORD PTR DS:[ESI+4]
00463E86 TEST EAX,EAX
00463E88 MOV DWORD PTR DS:[ESI],aep.00546BA0
00463E8E JE SHORT aep.00463E97
00463E90 PUSH EAX
00463E91 CALL DWORD PTR DS:[537430]


-----------------------------------------------------------------
Now the first key CALL above, aep.00463930; note that the returned EAX must not be 0

00463930 SUB ESP,68
00463933 PUSH EBX
00463934 PUSH ESI
00463935 LEA EAX,DWORD PTR SS:[ESP+18] ===> MD5 initial state
00463939 PUSH EDI
0046393A PUSH EAX
0046393B CALL aep.00462D30
00463940 MOV ESI,DWORD PTR SS:[ESP+7C] ==> the entered registration code
00463944 MOV EAX,ESI
00463946 ADD ESP,4
00463949 LEA EDX,DWORD PTR DS:[EAX+1]
0046394C LEA ESP,DWORD PTR SS:[ESP]
00463950 MOV CL,BYTE PTR DS:[EAX]
00463952 INC EAX
00463953 TEST CL,CL
00463955 JNZ SHORT aep.00463950
00463957 SUB EAX,EDX
00463959 PUSH EAX
0046395A LEA ECX,DWORD PTR SS:[ESP+20]
0046395E PUSH ESI ==> registration code
0046395F PUSH ECX ==> MD5 initial state
00463960 CALL aep.00463640 ==> compute MD5
00463965 LEA EDX,DWORD PTR SS:[ESP+28]
00463969 PUSH EDX
0046396A LEA EAX,DWORD PTR SS:[ESP+1C]
0046396E PUSH EAX
0046396F CALL aep.00463700 ==> produce the MD5 digest: for 654321 it is C33367701511B4F6020EC61DED352059
00463974 MOV EDI,DWORD PTR DS:[537520] ; SHLWAPI.StrCmpNIA
0046397A ADD ESP,14
0046397D PUSH 0B
0046397F PUSH aep.00546AE0 ; ASCII "AEP-D9MK316"
00463984 PUSH ESI ==> registration code
00463985 MOV EBX,1
0046398A CALL EDI ==> compare for equality
0046398C TEST EAX,EAX
0046398E JNZ SHORT aep.004639AA
00463990 LEA ECX,DWORD PTR SS:[ESP+C]
00463994 PUSH ECX
00463995 MOV EBX,3
0046399A PUSH EBX
0046399B CALL aep.004638C0 ==> key call
004639A0 ADD ESP,8
004639A3 POP EDI
004639A4 POP ESI
004639A5 POP EBX
004639A6 ADD ESP,68
004639A9 RETN
004639AA PUSH 0B
004639AC PUSH aep.00546AD4 ; ASCII "AEP-D9MK3PE"
004639B1 PUSH ESI
004639B2 CALL EDI
004639B4 TEST EAX,EAX
004639B6 JNZ SHORT aep.004639D2
004639B8 LEA ECX,DWORD PTR SS:[ESP+C]
004639BC PUSH ECX
004639BD MOV EBX,1
004639C2 PUSH EBX
004639C3 CALL aep.004638C0
004639C8 ADD ESP,8
004639CB POP EDI
004639CC POP ESI
004639CD POP EBX
004639CE ADD ESP,68
004639D1 RETN
004639D2 PUSH 0B
004639D4 PUSH aep.00546AC8 ; ASCII "AEP-D9MK3PR"
004639D9 PUSH ESI
004639DA CALL EDI
004639DC TEST EAX,EAX
004639DE JNZ SHORT aep.004639FA
004639E0 LEA ECX,DWORD PTR SS:[ESP+C]
004639E4 PUSH ECX
004639E5 MOV EBX,2
004639EA PUSH EBX
004639EB CALL aep.004638C0
004639F0 ADD ESP,8
004639F3 POP EDI
004639F4 POP ESI
004639F5 POP EBX
004639F6 ADD ESP,68
004639F9 RETN
004639FA PUSH 0B
004639FC PUSH aep.00546ABC ; ASCII "AEP-RU56STE"
00463A01 PUSH ESI
00463A02 CALL EDI
00463A04 TEST EAX,EAX
00463A06 JNZ SHORT aep.00463A1F
00463A08 LEA ECX,DWORD PTR SS:[ESP+C]
00463A0C PUSH ECX
00463A0D XOR EBX,EBX
00463A0F PUSH EBX
00463A10 CALL aep.004638C0
00463A15 ADD ESP,8
00463A18 POP EDI
00463A19 POP ESI
00463A1A POP EBX
00463A1B ADD ESP,68
00463A1E RETN
00463A1F PUSH 0B
00463A21 PUSH aep.00546AB0 ; ASCII "AEP-D9MK3LT"
00463A26 PUSH ESI
00463A27 CALL EDI
00463A29 TEST EAX,EAX
00463A2B JNZ SHORT aep.00463A32
00463A2D MOV EBX,4
00463A32 LEA ECX,DWORD PTR SS:[ESP+C]
00463A36 PUSH ECX
00463A37 PUSH EBX
00463A38 CALL aep.004638C0 ==>
00463A3D ADD ESP,8
00463A40 POP EDI
00463A41 POP ESI
00463A42 POP EBX
00463A43 ADD ESP,68
00463A46 RETN



Step into CALL aep.004638C0 above


004638C0 SUB ESP,8
004638C3 MOV ECX,DWORD PTR SS:[ESP+C]
004638C7 LEA EAX,DWORD PTR SS:[ESP]
004638CA PUSH EAX
004638CB PUSH ECX
004638CC CALL aep.00463810
004638D1 ADD ESP,8
004638D4 TEST EAX,EAX
004638D6 MOV DWORD PTR SS:[ESP+4],EAX
004638DA JNZ SHORT aep.004638E0 ==> must jump here, patch point 1
004638DC ADD ESP,8
004638DF RETN
004638E0 PUSH EBX
004638E1 PUSH EBP
004638E2 MOV EBP,DWORD PTR SS:[ESP+8]
004638E6 XOR EBX,EBX
004638E8 TEST EBP,EBP
004638EA JLE SHORT aep.0046390F
004638EC PUSH ESI
004638ED MOV EDX,EAX
004638EF PUSH EDI
004638F0 MOV ESI,DWORD PTR SS:[ESP+20]
004638F4 MOV ECX,4
004638F9 MOV EDI,EDX
004638FB XOR EAX,EAX
004638FD REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
004638FF JE SHORT aep.00463909
00463901 INC EBX
00463902 ADD EDX,10
00463905 CMP EBX,EBP ==> compared here against the 2000 preset registration-code MD5s
00463907 JL SHORT aep.004638F0
00463909 MOV EAX,DWORD PTR SS:[ESP+14]
0046390D POP EDI
0046390E POP ESI
0046390F PUSH EAX
00463910 CALL aep.0048024E
00463915 ADD ESP,4
00463918 CMP EBX,EBP ==> looped 2000 times?
0046391A JNZ SHORT aep.00463924 ==> must jump here, patch point
0046391C POP EBP
0046391D XOR EAX,EAX
0046391F POP EBX
00463920 ADD ESP,8
00463923 RETN
00463924 POP EBP
00463925 LEA EAX,DWORD PTR DS:[EBX+1]
00463928 POP EBX
00463929 ADD ESP,8
0046392C RETN


---------------------------------------------
Now the second key CALL, aep.004056D0; its returned EAX must not be 0


004056D0 PUSH EBP
004056D1 MOV EBP,ESP
004056D3 AND ESP,FFFFFFF8
004056D6 PUSH -1
004056D8 PUSH aep.00527756
004056DD MOV EAX,DWORD PTR FS:[0]
004056E3 PUSH EAX
004056E4 MOV DWORD PTR FS:[0],ESP
004056EB SUB ESP,120
004056F1 PUSH EDI
004056F2 CALL aep.00412810
004056F7 TEST EAX,EAX
004056F9 JE aep.004057E2
004056FF JMP aep.004057FD

-----------------------------------------
Summary:
This company's software all seems to use the same scheme of comparing against a preset list of registration codes. The code format is AEP-D9MK316+XXXXXXX. To crack it, just change the jnz to jmp at 0046391A JNZ SHORT aep.00463924 and at 004638DA JNZ SHORT aep.004638E0. However, an in-memory patch seems to have no effect with the ASProtect packing; could some expert give a few pointers?

cracked by lordor
03.9.17
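As an added illustration (not code from the original post or from the program), the Python below models the validation flow the disassembly reconstructs: a case-insensitive 11-character prefix match picks a tier number, then the MD5 of the whole code is looked up in that tier's preset digest table, returning the 1-based index on a hit and 0 on a miss. The prefixes and tier numbers are taken from the listing; the digest tables and sample codes are constructed here.

```python
import hashlib

# Added model of the registration check reconstructed above; illustrative Python,
# not the program's own code. Prefixes and tier numbers are from the listing;
# the digest tables and sample codes below are constructed for this example.
PREFIX_TIERS = [            # checked in the order the disassembly compares them
    ("AEP-D9MK316", 3),
    ("AEP-D9MK3PE", 1),
    ("AEP-D9MK3PR", 2),
    ("AEP-RU56STE", 0),
    ("AEP-D9MK3LT", 4),
]
DEFAULT_TIER = 1            # EBX is preset to 1 before the prefix comparisons


def md5_hex(text: str) -> str:
    """Uppercase MD5 hex digest of the code (the form the post quotes for 654321)."""
    return hashlib.md5(text.encode("ascii")).hexdigest().upper()


def select_tier(code: str) -> int:
    """StrCmpNIA(code, prefix, 0Bh): case-insensitive compare of the first 11 chars."""
    head = code[:11].upper()
    for prefix, tier in PREFIX_TIERS:
        if head == prefix:
            return tier
    return DEFAULT_TIER


def lookup(digest: str, table: list) -> int:
    """Model of aep.004638C0: scan the tier's preset 16-byte digests in order and
    return the 1-based index on a hit, 0 on a miss (what the caller tests via TEST ESI,ESI)."""
    for index, entry in enumerate(table):
        if entry == digest:
            return index + 1
    return 0


def check_code(code: str, tables: dict) -> int:
    """Model of aep.00463930: pick the tier, then look the code's MD5 up in that table."""
    table = tables.get(select_tier(code))
    if not table:           # no table for this tier: 004638DA falls through and returns 0
        return 0
    return lookup(md5_hex(code), table)


# Constructed sample: a few made-up codes per tier, stored as digests only, since the
# program ships roughly 2000 precomputed MD5s rather than the codes themselves.
SAMPLE_CODES = {3: ["AEP-D9MK316-EXAMPLE1", "AEP-D9MK316-EXAMPLE2"],
                0: ["AEP-RU56STE-SAMPLE00"]}
SAMPLE_TABLES = {tier: [md5_hex(c) for c in codes] for tier, codes in SAMPLE_CODES.items()}
```

Note that the prefix match is case-insensitive but the digest is computed over the code exactly as typed, so a code entered in the wrong case selects the right tier and still misses the table. Every path collapses to one integer tested by a single conditional jump, which is why a validity check like this is only as strong as that one branch.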