【Title】: GeoMap3.5 crack
【Author】: sunwayking
【Author email】: sunwayking@163.com
【Author homepage】:
【Author QQ】: 410109674
【Software name】: GeoMap3.5
【Software size】: Microsoft Visual C++ 6.0
【Download】: search for it yourself
【Packer】: none
【Protection】: Blowfish algorithm and so on
【Tools used】: OD, PEiD
【Software description】: geological mapping system
【Author's statement】: This is only to study encryption and decryption techniques, not cracking for its own sake! Where I have slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Straight to the point: I have not fully worked out the Blowfish algorithm, so I went with a patch, heh!
The packer check shows nothing, so load it straight into OD, set bp GetWindowTextA, press F9 to run, and the registration window pops up. Enter a user name, user organisation and registration number (what? you don't know the registration number? Well, if you knew it you wouldn't need to crack it ^^ so of course just type anything).
It breaks at:
77D3212B > 6A 0C push 0C
77D3212D 68 9021D377 push 77D32190
77D32132 E8 8964FEFF call 77D185C0
77D32137 8B7D 0C mov edi, dword ptr [ebp+C]
77D3213A 33DB xor ebx, ebx
77D3213C 3BFB cmp edi, ebx
77D3213E 0F84 398F0000 je 77D3B07D
77D32144 395D 10 cmp dword ptr [ebp+10], ebx
77D32147 0F84 308F0000 je 77D3B07D
77D3214D 895D FC mov dword ptr [ebp-4], ebx
77D32150 881F mov byte ptr [edi], bl
77D32152 8B4D 08 mov ecx, dword ptr [ebp+8]
77D32155 E8 7663FEFF call 77D184D0
Ctrl+F9:
012B116C 8D86 BE000000 lea eax, dword ptr [esi+BE]
012B1172 6A 50 push 50
012B1174 50 push eax
012B1175 55 push ebp
012B1176 FFD7 call edi
012B1178 8D86 0F010000 lea eax, dword ptr [esi+10F]
012B117E 6A 32 push 32
012B1180 50 push eax
012B1181 FF7424 18 push dword ptr [esp+18]
012B1185 FFD7 call edi
012B1187 81C6 42010000 add esi, 142
012B118D 6A 32 push 32
012B118F 56 push esi
012B1190 FF7424 1C push dword ptr [esp+1C]
012B1194 FFD7 call edi
At this point the program is executing inside RegEncry, a DLL located in encrypt\注册版 under the installation directory.
Analysis shows this module is solely responsible for registration and contributes nothing to the program's functionality, so the patching idea follows: just stop the program from calling this DLL. *^_^*
Ctrl+F12 to reload the program; it stops at the entry point:
004CB755 >/$ 55 push ebp ; program entry point (EP)
004CB756 |. 8BEC mov ebp, esp
004CB758 |. 6A FF push -1
004CB75A |. 68 58924E00 push 004E9258
004CB75F |. 68 C0B84C00 push <jmp.&MSVCRT._except_handler3> ; SE handler installation
004CB764 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004CB76A |. 50 push eax
004CB76B |. 64:8925 00000>mov dword ptr fs:[0], esp
004CB772 |. 83EC 68 sub esp, 68
004CB775 |. 53 push ebx
004CB776 |. 56 push esi
004CB777 |. 57 push edi
004CB778 |. 8965 E8 mov dword ptr [ebp-18], esp
004CB77B |. 33DB xor ebx, ebx
004CB77D |. 895D FC mov dword ptr [ebp-4], ebx
004CB780 |. 6A 02 push 2
004CB782 |. FF15 789C4D00 call dword ptr [<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
004CB788 |. 59 pop ecx
004CB789 |. 830D D0725100>or dword ptr [5172D0], FFFFFFFF
004CB790 |. 830D D4725100>or dword ptr [5172D4], FFFFFFFF
004CB797 |. FF15 749C4D00 call dword ptr [<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
004CB79D |. 8B0D B0725100 mov ecx, dword ptr [5172B0]
004CB7A3 |. 8908 mov dword ptr [eax], ecx
004CB7A5 |. FF15 089D4D00 call dword ptr [<&MSVCRT.__p__commode>; msvcrt.__p__commode
004CB7AB |. 8B0D AC725100 mov ecx, dword ptr [5172AC]
004CB7B1 |. 8908 mov dword ptr [eax], ecx
004CB7B3 |. A1 049D4D00 mov eax, dword ptr [<&MSVCRT._adjust>
004CB7B8 |. 8B00 mov eax, dword ptr [eax]
004CB7BA |. A3 CC725100 mov dword ptr [5172CC], eax
004CB7BF |. E8 29010000 call 004CB8ED
004CB7C4 |. 391D C05D5100 cmp dword ptr [515DC0], ebx
004CB7CA |. 75 0C jnz short 004CB7D8
004CB7CC |. 68 EAB84C00 push 004CB8EA
004CB7D1 |. FF15 649C4D00 call dword ptr [<&MSVCRT.__setusermat>; msvcrt.__setusermatherr
004CB7D7 |. 59 pop ecx
004CB7D8 |> E8 FB000000 call 004CB8D8
004CB7DD |. 68 08E15000 push 0050E108
004CB7E2 |. 68 04E15000 push 0050E104
004CB7E7 |. E8 E6000000 call <jmp.&MSVCRT._initterm>
004CB7EC |. A1 A8725100 mov eax, dword ptr [5172A8]
004CB7F1 |. 8945 94 mov dword ptr [ebp-6C], eax
004CB7F4 |. 8D45 94 lea eax, dword ptr [ebp-6C]
004CB7F7 |. 50 push eax
004CB7F8 |. FF35 A4725100 push dword ptr [5172A4]
004CB7FE |. 8D45 9C lea eax, dword ptr [ebp-64]
004CB801 |. 50 push eax
004CB802 |. 8D45 90 lea eax, dword ptr [ebp-70]
004CB805 |. 50 push eax
004CB806 |. 8D45 A0 lea eax, dword ptr [ebp-60]
004CB809 |. 50 push eax
004CB80A |. FF15 5C9C4D00 call dword ptr [<&MSVCRT.__getmainarg>; msvcrt.__getmainargs
004CB810 |. 68 00E15000 push 0050E100
004CB815 |. 68 00E05000 push 0050E000
004CB81A |. E8 B3000000 call <jmp.&MSVCRT._initterm>
004CB81F |. 83C4 24 add esp, 24
004CB822 |. A1 689C4D00 mov eax, dword ptr [<&MSVCRT._acmdln>
004CB827 |. 8B30 mov esi, dword ptr [eax]
004CB829 |. 8975 8C mov dword ptr [ebp-74], esi
004CB82C |. 803E 22 cmp byte ptr [esi], 22
004CB82F |. 75 3A jnz short 004CB86B
004CB831 |> 46 /inc esi
004CB832 |. 8975 8C |mov dword ptr [ebp-74], esi
004CB835 |. 8A06 |mov al, byte ptr [esi]
004CB837 |. 3AC3 |cmp al, bl
004CB839 |. 74 04 |je short 004CB83F
004CB83B |. 3C 22 |cmp al, 22 ; F8 repeatedly to get here
004CB83D |.^ 75 F2 \jnz short 004CB831
004CB83F |> 803E 22 cmp byte ptr [esi], 22 ; F4 to get down here
004CB842 |. 75 04 jnz short 004CB848
004CB844 |> 46 inc esi
004CB845 |. 8975 8C mov dword ptr [ebp-74], esi
004CB848 |> 8A06 mov al, byte ptr [esi]
004CB84A |. 3AC3 cmp al, bl
004CB84C |. 74 04 je short 004CB852
004CB84E |. 3C 20 cmp al, 20
004CB850 |.^ 76 F2 jbe short 004CB844
004CB852 |> 895D D0 mov dword ptr [ebp-30], ebx
004CB855 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
004CB858 |. 50 push eax ; /pStartupinfo
004CB859 |. FF15 748D4D00 call dword ptr [<&KERNEL32.GetStartup>; \GetStartupInfoA
004CB85F |. F645 D0 01 test byte ptr [ebp-30], 1
004CB863 |. 74 11 je short 004CB876
004CB865 |. 0FB745 D4 movzx eax, word ptr [ebp-2C]
004CB869 |. EB 0E jmp short 004CB879
004CB86B |> 803E 20 /cmp byte ptr [esi], 20
004CB86E |.^ 76 D8 |jbe short 004CB848
004CB870 |. 46 |inc esi
004CB871 |. 8975 8C |mov dword ptr [ebp-74], esi
004CB874 |.^ EB F5 \jmp short 004CB86B
004CB876 |> 6A 0A push 0A
004CB878 |. 58 pop eax
004CB879 |> 50 push eax
004CB87A |. 56 push esi
004CB87B |. 53 push ebx
004CB87C |. 53 push ebx ; /pModule
004CB87D |. FF15 A88D4D00 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
004CB883 |. 50 push eax
004CB884 |. E8 67020000 call 004CBAF0 ; F7 into this call
Arriving at:
004CBAF0 /$ FF7424 10 push dword ptr [esp+10]
004CBAF4 |. FF7424 10 push dword ptr [esp+10]
004CBAF8 |. FF7424 10 push dword ptr [esp+10]
004CBAFC |. FF7424 10 push dword ptr [esp+10]
004CBB00 |. E8 4F000000 call <jmp.&MFC42.#1576_AfxWinMain> ; F7 into this call
004CBB05 \. C2 1000 retn 10
004CBB48 $- FF25 149D4D00 jmp dword ptr [<&MSVCRT.wcslen>] ; msvcrt.wcslen
004CBB4E $- FF25 189D4D00 jmp dword ptr [<&MSVCRT._CxxThrowExc>; msvcrt._CxxThrowException
004CBB54 $- FF25 D49B4D00 jmp dword ptr [<&MFC42.#1576_AfxWinM>; we arrive here; keep pressing F8
73D3CF2B > 8BFF mov edi, edi ; we arrive here; F8 all the way
73D3CF2D 53 push ebx
73D3CF2E 56 push esi
73D3CF2F 57 push edi
73D3CF30 83CB FF or ebx, FFFFFFFF
73D3CF33 E8 CD40FFFF call #1175_AfxGetThread
73D3CF38 8BF0 mov esi, eax
73D3CF3A E8 97B30800 call #1168_AfxGetModuleState
73D3CF3F FF7424 1C push dword ptr [esp+1C]
73D3CF43 8B78 04 mov edi, dword ptr [eax+4]
73D3CF46 FF7424 1C push dword ptr [esp+1C]
73D3CF4A FF7424 1C push dword ptr [esp+1C]
73D3CF4E FF7424 1C push dword ptr [esp+1C]
73D3CF52 E8 C1CC0800 call #1575_AfxWinInit
73D3CF57 85C0 test eax, eax
73D3CF59 74 3C je short 73D3CF97
73D3CF5B 85FF test edi, edi
73D3CF5D 74 0E je short 73D3CF6D
73D3CF5F 8B07 mov eax, dword ptr [edi]
73D3CF61 8BCF mov ecx, edi
73D3CF63 FF90 8C000000 call dword ptr [eax+8C]
73D3CF69 85C0 test eax, eax
73D3CF6B 74 2A je short 73D3CF97
73D3CF6D 8B06 mov eax, dword ptr [esi]
73D3CF6F 8BCE mov ecx, esi
73D3CF71 FF50 58 call dword ptr [eax+58] ; F7 into this call
004029C9 /. 55 push ebp ; at this point execution is back in GeoMap35
004029CA |. 8BEC mov ebp, esp
004029CC |. 6A FF push -1
004029CE |. 68 97BD4C00 push 004CBD97 ; SE handler installation
004029D3 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004029D9 |. 50 push eax
004029DA |. 64:8925 00000>mov dword ptr fs:[0], esp
004029E1 |. 81EC 640C0000 sub esp, 0C64
004029E7 |. 898D 10F4FFFF mov dword ptr [ebp-BF0], ecx
004029ED |. 8B8D 10F4FFFF mov ecx, dword ptr [ebp-BF0]
004029F3 |. E8 2CFDFFFF call 00402724
004029F8 |. 85C0 test eax, eax
004029FA |. 75 07 jnz short 00402A03
004029FC |. 33C0 xor eax, eax
004029FE |. E9 0E120000 jmp 00403C11
00402A03 |> E8 2C790C00 call <jmp.&MFC42.#1205_AfxOleInit>
00402A08 |. 85C0 test eax, eax
00402A0A |. 75 12 jnz short 00402A1E
00402A0C |. 6A FF push -1
00402A0E |. 6A 00 push 0
00402A10 |. 6A 64 push 64
00402A12 |. E8 17790C00 call <jmp.&MFC42.#1199_AfxMessageBox>
00402A17 |. 33C0 xor eax, eax
00402A19 |. E9 F3110000 jmp 00403C11
00402A1E |> 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402A24 |. E8 27AE0200 call 0042D850
00402A29 |. C745 FC 00000>mov dword ptr [ebp-4], 0
00402A30 |. 68 FCE15000 push 0050E1FC ; ASCII "GeoMap.Document\VER35"
00402A35 |. 8D8D 9CF7FFFF lea ecx, dword ptr [ebp-864]
00402A3B |. E8 68770C00 call <jmp.&MFC42.#537_CString::CStrin>
00402A40 |. C645 FC 01 mov byte ptr [ebp-4], 1
00402A44 |. C785 A4F7FFFF>mov dword ptr [ebp-85C], 0
00402A4E |. 68 14E25000 push 0050E214 ; ASCII "GeoMap v3.5x"
00402A53 |. 8D8D 94F7FFFF lea ecx, dword ptr [ebp-86C]
00402A59 |. E8 4A770C00 call <jmp.&MFC42.#537_CString::CStrin>
00402A5E |. C645 FC 02 mov byte ptr [ebp-4], 2
00402A62 |. 68 24E25000 push 0050E224 ; /Arg3 = 0050E224 ASCII "User"
00402A67 |. 68 2CE25000 push 0050E22C ; |Arg2 = 0050E22C ASCII "GeoMap.Document\VER35\Info"
00402A6C |. 8D85 7CF4FFFF lea eax, dword ptr [ebp-B84] ; |
00402A72 |. 50 push eax ; |Arg1
00402A73 |. E8 14F7FFFF call 0040218C ; \GeoMap35.0040218C
00402A78 |. 8985 0CF4FFFF mov dword ptr [ebp-BF4], eax
00402A7E |. 8B8D 0CF4FFFF mov ecx, dword ptr [ebp-BF4]
00402A84 |. 898D 08F4FFFF mov dword ptr [ebp-BF8], ecx
00402A8A |. C645 FC 03 mov byte ptr [ebp-4], 3
00402A8E |. 8B95 08F4FFFF mov edx, dword ptr [ebp-BF8]
00402A94 |. 52 push edx
00402A95 |. 8B8D 10F4FFFF mov ecx, dword ptr [ebp-BF0]
00402A9B |. 81C1 24010000 add ecx, 124
00402AA1 |. E8 A4770C00 call <jmp.&MFC42.#858_CString::operat>
00402AA6 |. C645 FC 02 mov byte ptr [ebp-4], 2
00402AAA |. 8D8D 7CF4FFFF lea ecx, dword ptr [ebp-B84]
00402AB0 |. E8 7D770C00 call <jmp.&MFC42.#800_CString::~CStri>
00402AB5 |. 68 48E25000 push 0050E248 ; /Arg3 = 0050E248 ASCII "Register"
00402ABA |. 68 54E25000 push 0050E254 ; |Arg2 = 0050E254 ASCII "GeoMap.Document\VER35\Info"
00402ABF |. 8D85 78F4FFFF lea eax, dword ptr [ebp-B88] ; |
00402AC5 |. 50 push eax ; |Arg1
00402AC6 |. E8 C1F6FFFF call 0040218C ; \GeoMap35.0040218C
00402ACB |. 8985 04F4FFFF mov dword ptr [ebp-BFC], eax
00402AD1 |. 8B8D 04F4FFFF mov ecx, dword ptr [ebp-BFC]
00402AD7 |. 898D 00F4FFFF mov dword ptr [ebp-C00], ecx
00402ADD |. C645 FC 04 mov byte ptr [ebp-4], 4
00402AE1 |. 8B95 00F4FFFF mov edx, dword ptr [ebp-C00]
00402AE7 |. 52 push edx
00402AE8 |. 8B8D 10F4FFFF mov ecx, dword ptr [ebp-BF0]
00402AEE |. 81C1 20010000 add ecx, 120
00402AF4 |. E8 51770C00 call <jmp.&MFC42.#858_CString::operat>
00402AF9 |. C645 FC 02 mov byte ptr [ebp-4], 2
00402AFD |. 8D8D 78F4FFFF lea ecx, dword ptr [ebp-B88]
00402B03 |. E8 2A770C00 call <jmp.&MFC42.#800_CString::~CStri>
00402B08 |. 68 70E25000 push 0050E270 ; /Arg3 = 0050E270 ASCII "UserName"
00402B0D |. 68 7CE25000 push 0050E27C ; |Arg2 = 0050E27C ASCII "GeoMap.Document\VER35\Info"
00402B12 |. 8D85 74F4FFFF lea eax, dword ptr [ebp-B8C] ; |
00402B18 |. 50 push eax ; |Arg1
00402B19 |. E8 6EF6FFFF call 0040218C ; \GeoMap35.0040218C
00402B1E |. 8985 FCF3FFFF mov dword ptr [ebp-C04], eax
00402B24 |. 8B8D FCF3FFFF mov ecx, dword ptr [ebp-C04]
00402B2A |. 898D F8F3FFFF mov dword ptr [ebp-C08], ecx
00402B30 |. C645 FC 05 mov byte ptr [ebp-4], 5
00402B34 |. 8B95 F8F3FFFF mov edx, dword ptr [ebp-C08]
00402B3A |. 52 push edx
00402B3B |. 8B8D 10F4FFFF mov ecx, dword ptr [ebp-BF0]
00402B41 |. 81C1 28010000 add ecx, 128
00402B47 |. E8 FE760C00 call <jmp.&MFC42.#858_CString::operat>
00402B4C |. C645 FC 02 mov byte ptr [ebp-4], 2
00402B50 |. 8D8D 74F4FFFF lea ecx, dword ptr [ebp-B8C]
00402B56 |. E8 D7760C00 call <jmp.&MFC42.#800_CString::~CStri>
00402B5B |. 68 98E25000 push 0050E298 ; /Arg3 = 0050E298 ASCII "UserUnit"
00402B60 |. 68 A4E25000 push 0050E2A4 ; |Arg2 = 0050E2A4 ASCII "GeoMap.Document\VER35\Info"
00402B65 |. 8D85 70F4FFFF lea eax, dword ptr [ebp-B90] ; |
00402B6B |. 50 push eax ; |Arg1
00402B6C |. E8 1BF6FFFF call 0040218C ; \GeoMap35.0040218C
00402B71 |. 8985 F4F3FFFF mov dword ptr [ebp-C0C], eax
00402B77 |. 8B8D F4F3FFFF mov ecx, dword ptr [ebp-C0C]
00402B7D |. 898D F0F3FFFF mov dword ptr [ebp-C10], ecx
00402B83 |. C645 FC 06 mov byte ptr [ebp-4], 6
00402B87 |. 8B95 F0F3FFFF mov edx, dword ptr [ebp-C10]
00402B8D |. 52 push edx
00402B8E |. 8B8D 10F4FFFF mov ecx, dword ptr [ebp-BF0]
00402B94 |. 81C1 2C010000 add ecx, 12C
00402B9A |. E8 AB760C00 call <jmp.&MFC42.#858_CString::operat>
00402B9F |. C645 FC 02 mov byte ptr [ebp-4], 2
00402BA3 |. 8D8D 70F4FFFF lea ecx, dword ptr [ebp-B90]
00402BA9 |. E8 84760C00 call <jmp.&MFC42.#800_CString::~CStri>
00402BAE |. 6A 07 push 7 ; /Arg3 = 00000007
00402BB0 |. 6A 00 push 0 ; |Arg2 = 00000000
00402BB2 |. 68 C8A24D00 push 004DA2C8 ; |Arg1 = 004DA2C8
00402BB7 |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860] ; |
00402BBD |. E8 BE760000 call 0040A280 ; \GeoMap35.0040A280
00402BC2 |. 8985 98F7FFFF mov dword ptr [ebp-868], eax
00402BC8 |. 83BD 98F7FFFF>cmp dword ptr [ebp-868], 0
00402BCF 0F8D 83000000 jge 00402C58
00402BD5 |. 6A 00 push 0 ; /Arg3 = 00000000
00402BD7 |. 6A 00 push 0 ; |Arg2 = 00000000
00402BD9 |. 8B85 98F7FFFF mov eax, dword ptr [ebp-868] ; |
00402BDF |. 50 push eax ; |Arg1
00402BE0 |. 8D8D 84F7FFFF lea ecx, dword ptr [ebp-87C] ; |
00402BE6 |. E8 45730000 call 00409F30 ; \GeoMap35.00409F30
00402BEB |. C645 FC 07 mov byte ptr [ebp-4], 7
00402BEF |. 6A 00 push 0
00402BF1 |. 6A 00 push 0
00402BF3 |. 8D8D 84F7FFFF lea ecx, dword ptr [ebp-87C]
00402BF9 |. E8 12740000 call 0040A010
00402BFE |. 50 push eax
00402BFF |. E8 24770C00 call <jmp.&MFC42.#1200_AfxMessageBox>
00402C04 |. C785 6CF4FFFF>mov dword ptr [ebp-B94], 1
00402C0E |. C645 FC 02 mov byte ptr [ebp-4], 2
00402C12 |. 8D8D 84F7FFFF lea ecx, dword ptr [ebp-87C]
00402C18 |. E8 A3730000 call 00409FC0
00402C1D |. C645 FC 01 mov byte ptr [ebp-4], 1
00402C21 |. 8D8D 94F7FFFF lea ecx, dword ptr [ebp-86C]
00402C27 |. E8 06760C00 call <jmp.&MFC42.#800_CString::~CStri>
00402C2C |. C645 FC 00 mov byte ptr [ebp-4], 0
00402C30 |. 8D8D 9CF7FFFF lea ecx, dword ptr [ebp-864]
00402C36 |. E8 F7750C00 call <jmp.&MFC42.#800_CString::~CStri>
00402C3B |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
00402C42 |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402C48 |. E8 E3750000 call 0040A230
00402C4D |. 8B85 6CF4FFFF mov eax, dword ptr [ebp-B94]
00402C53 |. E9 B90F0000 jmp 00403C11
00402C58 |> 8B8D A4F7FFFF mov ecx, dword ptr [ebp-85C]
00402C5E |. 51 push ecx
00402C5F |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402C65 |. E8 E6750000 call 0040A250
00402C6A |. 8985 ECF3FFFF mov dword ptr [ebp-C14], eax
00402C70 |. 8B95 ECF3FFFF mov edx, dword ptr [ebp-C14]
00402C76 |. 8B02 mov eax, dword ptr [edx]
00402C78 |. 8B8D ECF3FFFF mov ecx, dword ptr [ebp-C14]
00402C7E |. 51 push ecx
00402C7F |. FF50 20 call dword ptr [eax+20]
00402C82 |. 8D8D 94F7FFFF lea ecx, dword ptr [ebp-86C]
00402C88 |. E8 95760C00 call <jmp.&MFC42.#1601_CString::Alloc>
00402C8D |. 50 push eax
00402C8E |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402C94 |. E8 B7750000 call 0040A250
00402C99 |. 8985 E8F3FFFF mov dword ptr [ebp-C18], eax
00402C9F |. 8B95 E8F3FFFF mov edx, dword ptr [ebp-C18]
00402CA5 |. 8B02 mov eax, dword ptr [edx]
00402CA7 |. 8B8D E8F3FFFF mov ecx, dword ptr [ebp-C18]
00402CAD |. 51 push ecx
00402CAE |. FF50 38 call dword ptr [eax+38]
00402CB1 |. 8D8D 9CF7FFFF lea ecx, dword ptr [ebp-864]
00402CB7 |. E8 66760C00 call <jmp.&MFC42.#1601_CString::Alloc>
00402CBC |. 50 push eax
00402CBD |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402CC3 |. E8 88750000 call 0040A250
00402CC8 |. 8985 E4F3FFFF mov dword ptr [ebp-C1C], eax
00402CCE |. 8B95 E4F3FFFF mov edx, dword ptr [ebp-C1C]
00402CD4 |. 8B02 mov eax, dword ptr [edx]
00402CD6 |. 8B8D E4F3FFFF mov ecx, dword ptr [ebp-C1C]
00402CDC |. 51 push ecx
00402CDD |. FF50 30 call dword ptr [eax+30] ; RegEncry.012B27CE
00402CE0 |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402CE6 |. E8 65750000 call 0040A250
00402CEB |. 8BC8 mov ecx, eax
00402CED |. E8 9E740000 call 0040A190
00402CF2 |. 0FBFD0 movsx edx, ax
00402CF5 |. 85D2 test edx, edx
00402CF7 75 6C jnz short 00402D65 ; F8 all the way to here; this is the key to the patch: change it to JMP and it's done
00402CF9 |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402CFF |. E8 4C750000 call 0040A250
00402D04 |. 8BC8 mov ecx, eax
00402D06 |. E8 C5740000 call 0040A1D0
00402D0B |. 0FBFC0 movsx eax, ax
00402D0E |. 85C0 test eax, eax
00402D10 |. 75 53 jnz short 00402D65
00402D12 |. 6A 00 push 0
00402D14 |. 6A 00 push 0
00402D16 |. 68 C0E25000 push 0050E2C0
00402D1B |. E8 08760C00 call <jmp.&MFC42.#1200_AfxMessageBox>
00402D20 |. C785 68F4FFFF>mov dword ptr [ebp-B98], 0
00402D2A |. C645 FC 01 mov byte ptr [ebp-4], 1
00402D2E |. 8D8D 94F7FFFF lea ecx, dword ptr [ebp-86C]
00402D34 |. E8 F9740C00 call <jmp.&MFC42.#800_CString::~CStri>
00402D39 |. C645 FC 00 mov byte ptr [ebp-4], 0
00402D3D |. 8D8D 9CF7FFFF lea ecx, dword ptr [ebp-864]
00402D43 |. E8 EA740C00 call <jmp.&MFC42.#800_CString::~CStri>
00402D48 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
00402D4F |. 8D8D A0F7FFFF lea ecx, dword ptr [ebp-860]
00402D55 |. E8 D6740000 call 0040A230
00402D5A |. 8B85 68F4FFFF mov eax, dword ptr [ebp-B98]
00402D60 |. E9 AC0E0000 jmp 00403C11
00402D65 |> C645 FC 01 mov byte ptr [ebp-4], 1
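As an added example, not code from the post or from GeoMap, the C program below shows the defender's counterpart to the branch at 00402CF7: a CRC-32 self-check over the decision sequence that flags the one-byte change from jnz to jmp short. The byte array is transcribed from the listing above; the CRC routine and all function names are my own and assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Opcode bytes transcribed from the listing at 00402CE0..00402CF8: the
 * DLL's verdict is tested and one jnz decides whether the app continues. */
static const uint8_t kCheckBytes[] = {
    0x8D, 0x8D, 0xA0, 0xF7, 0xFF, 0xFF, /* 00402CE0 lea ecx, [ebp-860] */
    0xE8, 0x65, 0x75, 0x00, 0x00,       /* 00402CE6 call 0040A250      */
    0x8B, 0xC8,                         /* 00402CEB mov ecx, eax       */
    0xE8, 0x9E, 0x74, 0x00, 0x00,       /* 00402CED call 0040A190      */
    0x0F, 0xBF, 0xD0,                   /* 00402CF2 movsx edx, ax      */
    0x85, 0xD2,                         /* 00402CF5 test edx, edx      */
    0x75, 0x6C,                         /* 00402CF7 jnz short 00402D65 */
};
#define JNZ_OFFSET 23u /* index of the 0x75 opcode inside kCheckBytes */

/* Reflected CRC-32 (IEEE polynomial), table-free; fine for a short region. */
uint32_t crc32_bytes(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Self-check: 1 if the region still matches the checksum recorded at build
 * time, 0 if any byte changed. In a shipping build `expected` is a constant
 * computed from the final image, not from the bytes being checked. */
int code_region_intact(const uint8_t *region, size_t len, uint32_t expected) {
    return crc32_bytes(region, len) == expected;
}

/* Detector test vector: a copy with the change the post describes
 * (jnz 75 6C -> jmp short EB 6C). Returns the copy's length. */
size_t tampered_copy(uint8_t *out, size_t cap) {
    if (cap < sizeof kCheckBytes) return 0;
    memcpy(out, kCheckBytes, sizeof kCheckBytes);
    out[JNZ_OFFSET] = 0xEB;
    return sizeof kCheckBytes;
}

/* 1 when the detector accepts the original region and rejects the copy. */
int detector_catches_patch(void) {
    uint8_t copy[sizeof kCheckBytes];
    uint32_t ref = crc32_bytes(kCheckBytes, sizeof kCheckBytes);
    size_t n = tampered_copy(copy, sizeof copy);
    return code_region_intact(kCheckBytes, sizeof kCheckBytes, ref)
        && !code_region_intact(copy, n, ref);
}

int main(void) { printf("patch detected: %d\n", detector_catches_patch()); return 0; }
```

A checksum stored in the same image can itself be patched, so this raises the cost of tampering rather than preventing it; the structural weakness the post relies on, a single test/jnz deciding the outcome, is unchanged.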
--------------------------------------------------------------------------------
【Lessons learned】
Time is limited, so this is written rather roughly ^^
After patching, the program no longer shows the registration prompt at startup. Tampering with RegEncrypt.dll would achieve much the same effect. One more thing: this software re-verifies at restart (which is exactly the spot I patched), so if you patch RegEncrypt.dll you also have to account for the spot I patched here; better, then, to go for the once-and-for-all fix and hit it directly, heh!!
Sadly I have not figured out the Blowfish algorithm; next time I will post the actual algorithm.
If any expert can point me at how this software's algorithm is implemented, I would be most grateful.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!
09 November 2007, 16:51:03