註冊衛星地圖下載器2008註冊簡單分析
昨天晚上同學拿給這個軟件,看一下又沒加殼,又是Microsoft Visual C++ 7.0 Method2 [Debug]
很奇怪都是調試版的,就搞不清楚爲什麼發佈的軟件都用調試版的,而且有註冊提示,
很容易找到關鍵地方,想一下類似這樣的軟件應該屬於一兩分鐘的事,但是還是出現
了意想不到的事,首先軟件od載入,運行後就脫離了調試器,調試器中的進程終止,
只能先運行再附加進程,關鍵地方下斷,中斷後簡單跟了一下就出現了真註冊碼,複製過去
正確註冊,本想在計算完註冊碼的地方加段代碼讓他自己彈出註冊碼,但奇怪的事又發生了,
修改軟件後,它運行後還是未修改的代碼,這樣修改後不行,那就用運行時補丁,等他運行後,
我用ReadProcessMemory和WriteProcessMemory寫進我的代碼,再註冊,就可以彈出註冊碼了,
沒有時間進行具體算法分析,反正給他能用就行了
基本分析完了。。。
//下面是軟件進行註冊驗證的地方。。。
;-----------------------------------------------------------------------
; sub_004156B0 -- registration-dialog handler (OllyDbg dump, 32-bit x86,
; Intel syntax, MFC71 application).  thiscall: ecx = this, kept in ebp.
; Prologue: installs an SEH record (MSVC pattern), reserves 0x1C bytes of
; locals, saves ebx/ebp/esi/edi.  The dword loaded from [44A0FC] is parked
; in the frame and passed in ecx to 00434782 in the epilogue -- this matches
; the MSVC /GS stack-cookie check pattern (unverified: 00434782 not shown).
; The function continues past the elided section below (ends at 004158B6).
;-----------------------------------------------------------------------
004156B0 . 6A FF push -1                 ; SEH record: initial trylevel = -1
004156B2 . 68 AE6C4300 push 00436CAE ; SEH handler install (handler = 00436CAE)
004156B7 . 64:A1 0000000>mov eax, dword ptr fs:[0]   ; previous exception-chain head
004156BD . 50 push eax                   ; saved so the epilogue can restore it
004156BE . 64:8925 00000>mov dword ptr fs:[0], esp   ; link this frame into the SEH chain
004156C5 . 83EC 1C sub esp, 1C           ; locals (string objects live here)
004156C8 . A1 FCA04400 mov eax, dword ptr [44A0FC]   ; global read in prologue, checked at 004158AA
004156CD . 53 push ebx                   ; callee-saved
004156CE . 55 push ebp
004156CF . 56 push esi
004156D0 . 57 push edi
004156D1 . 68 F1030000 push 3F1          ; dialog control ID 0x3F1
004156D6 . 894424 2C mov dword ptr [esp+2C], eax     ; stash the [44A0FC] value in the frame
004156DA . 8BE9 mov ebp, ecx             ; ebp = this
004156DC . E8 33EA0100 call <jmp.&MFC71.#2657_CWnd::GetDlgIt>   ; name truncated in dump; esi = control 0x3F1
004156E1 . 8D4C24 1C lea ecx, dword ptr [esp+1C]     ; ecx = &string at [esp+1C]
004156E5 . 8BF0 mov esi, eax             ; esi = the control
004156E7 . FF15 18A24300 call dword ptr [<&MFC71.#310_ATL::CSt>; MFC71.7C173199 -- construct string object (name truncated)
004156ED . 8D4424 1C lea eax, dword ptr [esp+1C]
004156F1 . 33FF xor edi, edi             ; edi = 0; later tested as an hKey before RegCloseKey
004156F3 . 50 push eax                   ; &string
004156F4 . 8BCE mov ecx, esi             ; this = control
004156F6 . 897C24 38 mov dword ptr [esp+38], edi     ; zero a frame slot
004156FA . E8 4FE60100 call <jmp.&MFC71.#3761_CWnd::GetWindo>   ; name truncated; presumably reads the control text into the string
004156FF . 8D4C24 10 lea ecx, dword ptr [esp+10]
00415703 . 51 push ecx
00415704 . E8 37FAFFFF call 00415140     ; internal helper (not shown) with &[esp+10]
00415709 . 8D5424 14 lea edx, dword ptr [esp+14]
0041570D . 8BCC mov ecx, esp             ; this = the slot at esp (in-place temporary)
0041570F . 896424 24 mov dword ptr [esp+24], esp
00415713 . 52 push edx                   ; source string for the copy
00415714 . C64424 3C 01 mov byte ptr [esp+3C], 1     ; looks like the SEH trylevel update -- unverified
00415719 . FF15 54A34300 call dword ptr [<&MFC71.#297_ATL::CSt>; MFC71.7C14E575 -- construct temporary string by copy (name truncated)
0041571F . 8D4424 1C lea eax, dword ptr [esp+1C]
00415723 . 50 push eax                   ; &string read from the control
00415724 . E8 87FBFFFF call 004152B0 ; author's note: this call computes the registration code
00415729 . 83C4 08 add esp, 8            ; cdecl cleanup of the two arguments
0041572C 50 push eax                     ; eax = result of 004152B0
; author's note: the computed real registration code is held here; this is the spot the author patches to display it
; author's note: the patch jumps to the added code at 004391C6 (jmp 004391C6) which shows the code in a message box
此處省略一段代碼,是進行註冊表操作的部分
.
.
.
;-----------------------------------------------------------------------
; Tail of sub_004156B0 (its prologue is above the elided registry code).
; Register roles here: ebp = this, edi = hKey from the elided code (0 if
; none), esi = a window object, ebx = a string object.
;-----------------------------------------------------------------------
004157ED . 85C0 test eax, eax            ; eax produced by the elided code
004157EF . 75 58 jnz short 00415849      ; nonzero skips the success path
004157F1 . 50 push eax                   ; nIDHelp (0 on this path)
004157F2 . 6A 40 push 40                 ; nType = 0x40 (MB_ICONINFORMATION)
004157F4 . 68 B8D44300 push 0043D4B8 ; success message text: "恭喜您,註冊成功!" (Congratulations, registration succeeded!)
004157F9 . C745 78 01000>mov dword ptr [ebp+78], 1   ; this+0x78 = 1 -- presumably the registered state, unverified
00415800 . E8 A5E90100 call <jmp.&MFC71.#1123_AfxMessageBox>
00415805 . 8D4424 24 lea eax, dword ptr [esp+24]
00415809 . 50 push eax
0041580A . E8 99E20100 call <jmp.&base.GetTitle>    ; ebx = title string object (built at [esp+24])
0041580F . 83C4 04 add esp, 4
00415812 . 8BD8 mov ebx, eax
00415814 . C64424 34 06 mov byte ptr [esp+34], 6    ; looks like the SEH trylevel update -- unverified
00415819 . E8 44E60100 call <jmp.&MFC71.#1091_AfxGetThread>
0041581E . 85C0 test eax, eax
00415820 . 74 0B je short 0041582D       ; no thread object -> esi = 0
00415822 . 8B10 mov edx, dword ptr [eax]            ; vtable
00415824 . 8BC8 mov ecx, eax
00415826 . FF52 7C call dword ptr [edx+7C]          ; virtual call on the thread object (slot 0x7C)
00415829 . 8BF0 mov esi, eax             ; esi = window returned by the virtual call
0041582B . EB 02 jmp short 0041582F
0041582D > 33F6 xor esi, esi
0041582F > 8BCB mov ecx, ebx             ; this = title string
00415831 . FF15 0CA24300 call dword ptr [<&MFC71.#876_ATL::CSi>; MFC71.7C158BCD -- string accessor (name truncated)
00415837 . 50 push eax
00415838 . 8BCE mov ecx, esi             ; this = window
0041583A . E8 CFE80100 call <jmp.&MFC71.#6067_CWnd::SetWindo>   ; name truncated; presumably sets the window text
0041583F . 8D4C24 24 lea ecx, dword ptr [esp+24]
00415843 . FF15 08A24300 call dword ptr [<&MFC71.#578_ATL::CSt>; MFC71.7C1771B1 -- string cleanup for [esp+24] (same routine is run on every string before return)
00415849 > 8D4C24 18 lea ecx, dword ptr [esp+18]   ; join point
0041584D . FF15 08A24300 call dword ptr [<&MFC71.#578_ATL::CSt>; MFC71.7C1771B1 -- string cleanup for [esp+18]
00415853 . 85FF test edi, edi            ; hKey opened by the elided code?
00415855 . 74 07 je short 0041585E
00415857 . 57 push edi ; /hKey
00415858 . FF15 00A04300 call dword ptr [<&ADVAPI32.RegCloseKe>; /RegCloseKey
0041585E > 8D4C24 20 lea ecx, dword ptr [esp+20]
00415862 . C64424 34 01 mov byte ptr [esp+34], 1    ; trylevel back to 1 -- unverified
00415867 . FF15 08A24300 call dword ptr [<&MFC71.#578_ATL::CSt>; MFC71.7C1771B1 -- string cleanup for [esp+20]
0041586D . 8B45 00 mov eax, dword ptr [ebp]         ; this->vtable
00415870 . 8BCD mov ecx, ebp
00415872 . FF90 54010000 call dword ptr [eax+154]   ; virtual call on this (slot 0x154)
00415878 . EB 0D jmp short 00415887      ; skip the failure message
0041587A > 57 push edi                   ; failure path, entered from the elided code; edi = nIDHelp
0041587B . 6A 40 push 40                 ; nType = 0x40 (MB_ICONINFORMATION)
0041587D . 68 94D44300 push 0043D494 ; failure message text: "對不起,您的註冊碼不正確,註冊失敗!" (Sorry, your registration code is incorrect; registration failed!)
00415882 . E8 23E90100 call <jmp.&MFC71.#1123_AfxMessageBox>
00415887 > 8D4C24 10 lea ecx, dword ptr [esp+10]   ; common exit: tear down remaining strings
0041588B . FF15 08A24300 call dword ptr [<&MFC71.#578_ATL::CSt>; MFC71.7C1771B1 -- string cleanup for [esp+10]
00415891 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00415895 . FF15 08A24300 call dword ptr [<&MFC71.#578_ATL::CSt>; MFC71.7C1771B1 -- string cleanup for [esp+1C]
0041589B . 8B4C24 2C mov ecx, dword ptr [esp+2C]   ; previous SEH chain head saved in the prologue
0041589F . 64:890D 00000>mov dword ptr fs:[0], ecx  ; unlink this frame's SEH record
004158A6 . 8B4C24 28 mov ecx, dword ptr [esp+28]   ; the [44A0FC] value stashed in the prologue
004158AA . E8 D3EE0100 call 00434782     ; matches the /GS __security_check_cookie pattern (routine not shown)
004158AF . 5F pop edi                    ; restore callee-saved
004158B0 . 5E pop esi
004158B1 . 5D pop ebp
004158B2 . 5B pop ebx
004158B3 . 83C4 28 add esp, 28           ; 0x1C locals + 0xC SEH record
004158B6 . C3 retn
加入如下代碼在文件空白處
;-----------------------------------------------------------------------
; Author's added code at 004391C6, entered via a 5-byte jmp written over
; 0041572C.  At entry eax = the return value of 004152B0 (the computed
; registration code, per the author's note).  The two instructions the jmp
; displaced (push eax at 0041572C and, inferred from this block, lea
; ecx,[esp+14] at 0041572D) are re-executed at the end before resuming at
; 00415731.  The author reports above that the on-disk patch had no effect
; and the bytes were written at run time; the reason is not visible here.
;-----------------------------------------------------------------------
004391C6 > /60 pushad                    ; preserve all registers around the API call
004391C7 . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004391C9 . 6A 00 push 0 ; |Title = NULL
004391CB . FF30 push dword ptr ds:[eax] ; |Text = first dword of the object eax points to (assumed to be the string buffer pointer)
004391CD . 6A 00 push 0 ; |hOwner = NULL
004391CF . E8 B6739177 call USER32.MessageBoxA ; /MessageBoxA
004391D4 . 61 popad                      ; eax is the 004152B0 result again
004391D5 . 50 push eax                   ; displaced original instruction (0041572C)
004391D6 . 8D4C24 14 lea ecx,dword ptr ss:[esp+14]   ; displaced original instruction (0041572D, inferred)
004391DA .^ E9 52C5FDFF jmp superget.00415731        ; resume after the overwritten 5 bytes
004391DF 00 db 00