;======================================================================
;A domestic (Chinese) audio conversion program; name and download link withheld
;Statement: this article is for study and research only; do not use it for illegal purposes, or you bear the consequences yourself
;Protection: compression packer + restart validation
;======================================================================
;Unpacking ASPack with the ESP trick
;----------------------------------------------------------------------
Scanning with PEiD: ASPack 2.12 -> Alexey Solodovnikov
The ESP trick takes care of it!!
1. Load it in OD; it warns that the program is encrypted or compressed and asks whether to continue analysis; click No
Press F8 and watch the register window: the ESP register is highlighted
2. Point the mouse at the ESP register's value, right-click, Follow in Dump
In the dump window, point at the first data item, right-click -> Breakpoint -> Hardware, on access -> Word
3. Run with F9; the program breaks
Delete the hardware breakpoint under the Debug menu -> Hardware breakpoints
0055F3AF 61 popad
0055F3B0 75 08 jnz short 0055F3BA //F9 runs to here and breaks; continue single-stepping with F8, the jump is taken
0055F3B2 B8 01000000 mov eax, 1
0055F3B7 C2 0C00 retn 0C
0055F3BA 68 780B4D00 push 004D0B78
0055F3BF C3 retn //this returns to the real OEP; then dump with an OD plugin to unpack
Tested: it runs perfectly normally
;=======================================================================
;Load the unpacked program in OD, string references
(Only the Chinese part is listed below; the actual software name has been replaced where needed)
;-----------------------------------------------------------------------
Ultra String Reference
Address Disassembly Text String
004CCC23 mov ecx, 004CCD90 sorry, you can create only one tsuiform component in one form!
004CD0BC mov ecx, 004CD2D0 macos_menu_select
004CD342 mov ecx, 004CD378 macos_menu_bar
004CD7AA push 004CD8A4 strongly recommend you to use "tsuimainmenu" instead of "tmainmenu".\n\n\n\nif you still want to use tmainform, \n\n\n\nset
004CD7BD push 004CD94C \n\n\n\n
004CD7C2 push 004CD95C and set
004CDA66 mov ecx, 004CDB7C macos_form_background
004CE227 mov eax, 004CE2BC sorry, you can't select the form assign to formpanel property
004CEBD0 push 004CEBF0 http://softreg.microsword.net/softid/*****
004CEBD5 push 004CEC1C open
004CEC30 push 004CEC50 mailto:crasm@163.comopen
004CEC35 push 004CEC68 open
004CEC7C push 004CEC9C mailto:crasm@163.com
004CEC81 push 004CECB4 open
004CECC8 push 004CECE8 http://www.software.net
004CECCD push 004CED04 open
004CED49 mov edx, 004CEDEC software\audio-converter
004CED83 mov edx, 004CEE1C regno
004CED98 mov ecx, 004CEE24 提示
004CED9D mov edx, 004CEE2C 注册完成,请重新运行程序!
004CF2E1 mov edx, 004CF314 \software\microsoft\internet explorer\main
004CF2F6 mov edx, 004CF368 start page
004CF413 mov edx, 004CF5B0 找到wav音频文件在
004CF459 mov ecx, 004CF5CC *.wav
004CF502 mov edx, 004CF5E8 .
004CF514 mov edx, 004CF5F4 ..
004CF624 mov edx, 004CF68C j:\delphi软件库\mysoftware\audio-converter\mainform.pas
004CF629 mov eax, 004CF6D0 assertion failure
004CF63C mov edx, 004CF68C j:\delphi软件库\mysoftware\audio-converter\mainform.pas
004CF641 mov eax, 004CF6D0 assertion failure
004CF8D5 mov edx, 004CF940 请选择一个目录
004CFA23 mov edx, 004CFA58 当前文件:无
004CFAB1 mov edx, 004CFBB0 http://adsvc1.haoda123.com/ad/softad/index.htm
004CFAE4 mov edx, 004CFC18 software\audio-converter
004CFB0F mov edx, 004CFC48 regno
004CFB22 mov edx, 004CFC58 audio-converterchina
004CFB63 mov edx, 004CFC74 - 未购买用户
004CFDBB mov eax, 004CFDD0 已停止!
004CFE49 mov edx, 004CFEC8 当前文件:
004CFF01 mov edx, 004D012C .mp3
004CFF42 mov edx, 004D013C 文件已经存在,您要覆盖它吗?\n\n
004CFF8E mov eax, 004D0168 已停止!
004D029E mov edx, 004D02D8 j:\delphi软件库\mysoftware\audio-converter\mainform.pas
004D02A3 mov eax, 004D031C assertion failure
004D0459 mov edx, 004D04C4 本软件已注册给:
004D04FE push 004D0660 hidden
004D0575 push 004D0660 hidden
004D06D5 mov ecx, 004D0730 提示
004D06DA mov edx, 004D0738 注册后才能关闭资讯窗口,您现在要注册吗?
004D0B7F mov eax, 004D07D0 t
004D0B98 mov edx, 004D0BF0 audio-converter
;=====================================================================
Breakpoint test one: the prompt dialog "注册完成,请重新运行程序!" (Registration complete, please restart the program!)
004CED14 /. 55 push ebp
004CED15 |. 8BEC mov ebp, esp
004CED17 |. 6A 00 push 0
004CED19 |. 6A 00 push 0
004CED1B |. 53 push ebx
004CED1C |. 56 push esi
004CED1D |. 8BF0 mov esi, eax
004CED1F |. 33C0 xor eax, eax
004CED21 |. 55 push ebp
004CED22 |. 68 D5ED4C00 push 004CEDD5
004CED27 |. 64:FF30 push dword ptr fs:[eax]
004CED2A |. 64:8920 mov dword ptr fs:[eax], esp
004CED2D |. B2 01 mov dl, 1
004CED2F |. A1 74394600 mov eax, dword ptr [463974]
004CED34 |. E8 3B4DF9FF call 00463A74
004CED39 |. 8BD8 mov ebx, eax
004CED3B |. BA 01000080 mov edx, 80000001
004CED40 |. 8BC3 mov eax, ebx
004CED42 |. E8 CD4DF9FF call 00463B14
004CED47 |. B1 01 mov cl, 1
004CED49 |. BA ECED4C00 mov edx, 004CEDEC ; software\audioconverter
004CED4E |. 8BC3 mov eax, ebx
004CED50 |. E8 234EF9FF call 00463B78
004CED55 |. 8D55 FC lea edx, dword ptr [ebp-4]
004CED58 |. 8B86 38030000 mov eax, dword ptr [esi+338]
004CED5E |. E8 8107F7FF call 0043F4E4
004CED63 |. 8B4D FC mov ecx, dword ptr [ebp-4] ; user name
004CED66 |. BA 0CEE4C00 mov edx, 004CEE0C ; ASCII "RegUser"
004CED6B |. 8BC3 mov eax, ebx
004CED6D |. E8 C24FF9FF call 00463D34
004CED72 |. 8D55 F8 lea edx, dword ptr [ebp-8]
004CED75 |. 8B86 3C030000 mov eax, dword ptr [esi+33C]
004CED7B |. E8 6407F7FF call 0043F4E4
004CED80 |. 8B4D F8 mov ecx, dword ptr [ebp-8] ; serial number
004CED83 |. BA 1CEE4C00 mov edx, 004CEE1C ; regno
004CED88 |. 8BC3 mov eax, ebx
004CED8A |. E8 A54FF9FF call 00463D34
004CED8F |. 8BC3 mov eax, ebx
004CED91 |. E8 7648F3FF call 0040360C
004CED96 |. 6A 40 push 40
004CED98 |. B9 24EE4C00 mov ecx, 004CEE24 ; 提示 (Prompt)
004CED9D |. BA 2CEE4C00 mov edx, 004CEE2C ; 注册完成,请重新运行程序! (Registration complete, please restart the program!)
004CEDA2 |. A1 A4404D00 mov eax, dword ptr [4D40A4]
004CEDA7 |. 8B00 mov eax, dword ptr [eax]
004CEDA9 |. E8 8208F9FF call 0045F630
004CEDAE |. A1 A4404D00 mov eax, dword ptr [4D40A4]
004CEDB3 |. 8B00 mov eax, dword ptr [eax]
004CEDB5 |. E8 D207F9FF call 0045F58C
004CEDBA |. 33C0 xor eax, eax
004CEDBC |. 5A pop edx
004CEDBD |. 59 pop ecx
004CEDBE |. 59 pop ecx
004CEDBF |. 64:8910 mov dword ptr fs:[eax], edx
004CEDC2 |. 68 DCED4C00 push 004CEDDC
004CEDC7 |> 8D45 F8 lea eax, dword ptr [ebp-8]
004CEDCA |. BA 02000000 mov edx, 2
004CEDCF |. E8 E855F3FF call 004043BC
004CEDD4 \. C3 retn
004CEDD5 .^ E9 C64FF3FF jmp 00403DA0
004CEDDA .^ EB EB jmp short 004CEDC7
004CEDDC . 5E pop esi ; (initial cpu selection)
004CEDDD . 5B pop ebx
004CEDDE . 59 pop ecx
004CEDDF . 59 pop ecx
004CEDE0 . 5D pop ebp
004CEDE1 . C3 retn
Followed it all the way down and found nothing of value
;=====================================================================
Breakpoint test two: breakpoints on registry reads
Restart-validation software usually saves the user's input in the registry first,
then reads it back for validation the next time the program runs.
Set bp RegOpenKeyA & bp RegQueryValueExA and traced each for a while; did not find the data entered last time.
;=====================================================================
Hmm, neither of those two tricks worked, so back to studying the string references -.-"
004CFAE4 mov edx, 004CFC18 software\audio-converter
004CFB0F mov edx, 004CFC48 regno
004CFB22 mov edx, 004CFC58 audio-converterchina
004CFB63 mov edx, 004CFC74 - 未购买用户
004CFDBB mov eax, 004CFDD0 已停止!
Unpurchased user~~~
If registration succeeded, then it would be a purchased user
Let's try a breakpoint at 004CFAE4 first~
004CFA68 /. 55 push ebp
004CFA69 |. 8BEC mov ebp, esp
004CFA6B |. 33C9 xor ecx, ecx
004CFA6D |. 51 push ecx
004CFA6E |. 51 push ecx
004CFA6F |. 51 push ecx
004CFA70 |. 51 push ecx
004CFA71 |. 53 push ebx
004CFA72 |. 8BD8 mov ebx, eax
004CFA74 |. 33C0 xor eax, eax
004CFA76 |. 55 push ebp
004CFA77 |. 68 9DFB4C00 push 004CFB9D
004CFA7C |. 64:FF30 push dword ptr fs:[eax]
004CFA7F |. 64:8920 mov dword ptr fs:[eax], esp
004CFA82 |. C683 49030000>mov byte ptr [ebx+349], 0
004CFA89 |. 8BC3 mov eax, ebx
004CFA8B |. E8 E4060000 call 004D0174
004CFA90 |. 8BC3 mov eax, ebx
004CFA92 |. E8 F5FEFFFF call 004CF98C
004CFA97 |. C683 F8010000>mov byte ptr [ebx+1F8], 1
004CFA9E |. 83C9 FF or ecx, FFFFFFFF
004CFAA1 |. BA 27020000 mov edx, 227
004CFAA6 |. 8B83 40030000 mov eax, dword ptr [ebx+340]
004CFAAC |. E8 DB4AFBFF call 0048458C
004CFAB1 |. BA B0FB4C00 mov edx, 004CFBB0 ; http://adsvc1.haoda123.com/ad/softad/index.htm
004CFAB6 |. 8B83 40030000 mov eax, dword ptr [ebx+340]
004CFABC |. E8 CF77FBFF call 00487290
004CFAC1 |. C605 F8614D00>mov byte ptr [4D61F8], 0
004CFAC8 |. B2 01 mov dl, 1
004CFACA |. A1 74394600 mov eax, dword ptr [463974]
004CFACF |. E8 A03FF9FF call 00463A74
004CFAD4 |. 8BD8 mov ebx, eax
004CFAD6 |. BA 01000080 mov edx, 80000001
004CFADB |. 8BC3 mov eax, ebx
004CFADD |. E8 3240F9FF call 00463B14
004CFAE2 |. B1 01 mov cl, 1
004CFAE4 |. BA 18FC4C00 mov edx, 004CFC18 ; software\audio-converter
004CFAE9 |. 8BC3 mov eax, ebx
004CFAEB |. E8 8840F9FF call 00463B78
004CFAF0 |. 8D4D FC lea ecx, dword ptr [ebp-4]
004CFAF3 |. BA 38FC4C00 mov edx, 004CFC38 ; ASCII "RegUser"
004CFAF8 |. 8BC3 mov eax, ebx
004CFAFA |. E8 6142F9FF call 00463D60
004CFAFF |. 8B55 FC mov edx, dword ptr [ebp-4] ; user name
004CFB02 |. B8 FC614D00 mov eax, 004D61FC
004CFB07 |. E8 E048F3FF call 004043EC
004CFB0C |. 8D4D F8 lea ecx, dword ptr [ebp-8]
004CFB0F |. BA 48FC4C00 mov edx, 004CFC48 ; regno
004CFB14 |. 8BC3 mov eax, ebx
004CFB16 |. E8 4542F9FF call 00463D60
004CFB1B |. 8B45 F8 mov eax, dword ptr [ebp-8] ; serial number
004CFB1E |. 50 push eax
004CFB1F |. 8D4D F4 lea ecx, dword ptr [ebp-C]
004CFB22 |. BA 58FC4C00 mov edx, 004CFC58 ; audio-converterchina
004CFB27 |. A1 FC614D00 mov eax, dword ptr [4D61FC]
004CFB2C |. E8 8F00FDFF call 0049FBC0 ; algorithm CALL
004CFB31 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; (ASCII "1FE37E12368B8C41")
004CFB34 |. 58 pop eax
004CFB35 |. E8 5A4CF3FF call 00404794 ; compare real code with entered code
004CFB3A |. 75 07 jnz short 004CFB43 ; jump if not equal (taken)
004CFB3C |. C605 F8614D00>mov byte ptr [4D61F8], 1
004CFB43 |> 8BC3 mov eax, ebx
004CFB45 |. E8 C23AF3FF call 0040360C
004CFB4A |. 803D F8614D00>cmp byte ptr [4D61F8], 0
004CFB51 |. 75 27 jnz short 004CFB7A ; jump (not taken)
004CFB53 |. 8D55 F0 lea edx, dword ptr [ebp-10]
004CFB56 |. A1 F4614D00 mov eax, dword ptr [4D61F4]
004CFB5B |. E8 84F9F6FF call 0043F4E4
004CFB60 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004CFB63 |. BA 74FC4C00 mov edx, 004CFC74 ; - 未购买用户 (- Unpurchased user)
004CFB68 |. E8 EB4AF3FF call 00404658
004CFB6D |. 8B55 F0 mov edx, dword ptr [ebp-10]
004CFB70 |. A1 F4614D00 mov eax, dword ptr [4D61F4]
004CFB75 |. E8 9AF9F6FF call 0043F514
004CFB7A |> 33C0 xor eax, eax
004CFB7C |. 5A pop edx
004CFB7D |. 59 pop ecx
004CFB7E |. 59 pop ecx
004CFB7F |. 64:8910 mov dword ptr fs:[eax], edx
004CFB82 |. 68 A4FB4C00 push 004CFBA4
004CFB87 |> 8D45 F0 lea eax, dword ptr [ebp-10]
004CFB8A |. E8 0948F3FF call 00404398
004CFB8F |. 8D45 F4 lea eax, dword ptr [ebp-C]
004CFB92 |. BA 03000000 mov edx, 3
004CFB97 |. E8 2048F3FF call 004043BC
004CFB9C \. C3 retn
004CFB9D .^ E9 FE41F3FF jmp 00403DA0
004CFBA2 .^ EB E3 jmp short 004CFB87
004CFBA4 . 5B pop ebx
004CFBA5 . 8BE5 mov esp, ebp
004CFBA7 . 5D pop ebp
004CFBA8 . C3 retn
;=====================================================================
;At address 004CFB2C press F7 to enter the key call -> 0049FBC0
;---------------------------------------------------------------------
0049FBC0 /$ 55 push ebp ; EAX = user name
0049FBC1 |. 8BEC mov ebp, esp
0049FBC3 |. 83C4 D0 add esp, -30
0049FBC6 |. 53 push ebx
0049FBC7 |. 56 push esi
0049FBC8 |. 57 push edi
0049FBC9 |. 33DB xor ebx, ebx ; zero EBX
0049FBCB |. 895D D0 mov dword ptr [ebp-30], ebx
0049FBCE |. 895D D4 mov dword ptr [ebp-2C], ebx
0049FBD1 |. 8BF9 mov edi, ecx
0049FBD3 |. 8955 F8 mov dword ptr [ebp-8], edx
0049FBD6 |. 8945 FC mov dword ptr [ebp-4], eax
0049FBD9 |. 8B45 FC mov eax, dword ptr [ebp-4]
0049FBDC |. E8 574CF6FF call 00404838
0049FBE1 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0049FBE4 |. E8 4F4CF6FF call 00404838
0049FBE9 |. 33C0 xor eax, eax ; zero EAX
0049FBEB |. 55 push ebp
0049FBEC |. 68 DCFC4900 push 0049FCDC
0049FBF1 |. 64:FF30 push dword ptr fs:[eax]
0049FBF4 |. 64:8920 mov dword ptr fs:[eax], esp
0049FBF7 |. 8BC7 mov eax, edi
0049FBF9 |. E8 9A47F6FF call 00404398
0049FBFE |. 8D55 E0 lea edx, dword ptr [ebp-20]
0049FC01 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0049FC04 |. E8 23FFFFFF call 0049FB2C
0049FC09 |. B2 01 mov dl, 1
0049FC0B |. 8D45 E0 lea eax, dword ptr [ebp-20]
0049FC0E |. E8 29F2FFFF call 0049EE3C
0049FC13 |. C745 D8 01000>mov dword ptr [ebp-28], 1
0049FC1A |. 8B45 FC mov eax, dword ptr [ebp-4] ; user name
0049FC1D |. E8 2E4AF6FF call 00404650
0049FC22 |. 8945 DC mov dword ptr [ebp-24], eax
0049FC25 |> 8D45 D4 /lea eax, dword ptr [ebp-2C]
0049FC28 |. 50 |push eax
0049FC29 |. B9 08000000 |mov ecx, 8
0049FC2E |. 8B55 D8 |mov edx, dword ptr [ebp-28]
0049FC31 |. 8B45 FC |mov eax, dword ptr [ebp-4]
0049FC34 |. E8 6F4CF6FF |call 004048A8
0049FC39 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
0049FC3C |. 33C9 |xor ecx, ecx ; zero ECX
0049FC3E |. BA 08000000 |mov edx, 8
0049FC43 |. E8 7832F6FF |call 00402EC0
0049FC48 |. 8B45 D4 |mov eax, dword ptr [ebp-2C] ; user name
0049FC4B |. E8 004AF6FF |call 00404650
0049FC50 |. 50 |push eax
0049FC51 |. 8D45 D4 |lea eax, dword ptr [ebp-2C]
0049FC54 |. E8 474CF6FF |call 004048A0
0049FC59 |. 8D55 F0 |lea edx, dword ptr [ebp-10]
0049FC5C |. 59 |pop ecx
0049FC5D |. E8 F62CF6FF |call 00402958
0049FC62 |. 8D55 E8 |lea edx, dword ptr [ebp-18]
0049FC65 |. 8D45 F0 |lea eax, dword ptr [ebp-10] ; user name
0049FC68 |. E8 A3F4FFFF |call 0049F110 ; key CALL
0049FC6D |. BE 08000000 |mov esi, 8 ; ESI = 8
0049FC72 |. 8D5D E8 |lea ebx, dword ptr [ebp-18]
0049FC75 |> 8D4D D0 |/lea ecx, dword ptr [ebp-30]
0049FC78 |. 33C0 ||xor eax, eax ; zero EAX
0049FC7A |. 8A03 ||mov al, byte ptr [ebx]
0049FC7C |. BA 02000000 ||mov edx, 2
0049FC81 |. E8 868EF6FF ||call 00408B0C
0049FC86 |. 8B55 D0 ||mov edx, dword ptr [ebp-30] ; //1F-E3-7E-12-36-8B-8C-41
0049FC89 |. 8BC7 ||mov eax, edi
0049FC8B |. E8 C849F6FF ||call 00404658
0049FC90 |. 43 ||inc ebx ; EBX++
0049FC91 |. 4E ||dec esi ; ESI--
0049FC92 |.^ 75 E1 |\jnz short 0049FC75 ; //loop 8 times
0049FC94 |. 8345 D8 08 |add dword ptr [ebp-28], 8
0049FC98 |. 8B45 DC |mov eax, dword ptr [ebp-24]
0049FC9B |. 83C0 07 |add eax, 7
0049FC9E |. 85C0 |test eax, eax
0049FCA0 |. 79 03 |jns short 0049FCA5
0049FCA2 |. 83C0 07 |add eax, 7
0049FCA5 |> C1F8 03 |sar eax, 3
0049FCA8 |. C1E0 03 |shl eax, 3
0049FCAB |. 3B45 D8 |cmp eax, dword ptr [ebp-28]
0049FCAE |.^ 0F8D 71FFFFFF \jge 0049FC25
0049FCB4 |. 33C0 xor eax, eax
0049FCB6 |. 5A pop edx
0049FCB7 |. 59 pop ecx
0049FCB8 |. 59 pop ecx
0049FCB9 |. 64:8910 mov dword ptr fs:[eax], edx
0049FCBC |. 68 E3FC4900 push 0049FCE3
0049FCC1 |> 8D45 D0 lea eax, dword ptr [ebp-30]
0049FCC4 |. BA 02000000 mov edx, 2
0049FCC9 |. E8 EE46F6FF call 004043BC
0049FCCE |. 8D45 F8 lea eax, dword ptr [ebp-8]
0049FCD1 |. BA 02000000 mov edx, 2
0049FCD6 |. E8 E146F6FF call 004043BC
0049FCDB \. C3 retn
0049FCDC .^ E9 BF40F6FF jmp 00403DA0
0049FCE1 .^ EB DE jmp short 0049FCC1
0049FCE3 . 5F pop edi
0049FCE4 . 5E pop esi
0049FCE5 . 5B pop ebx
0049FCE6 . 8BE5 mov esp, ebp
0049FCE8 . 5D pop ebp
0049FCE9 . C3 retn
;=====================================================================
;Where the registration info is stored: the registry
;---------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\audio-Converter]
"RegUser"="ly10"
"RegNo"="654321abcd"
You can delete or modify this key value and study it repeatedly~
;=====================================================================
For further algorithm analysis, follow the key CALL 0049F110 at 0049F768
Had a first look: over a thousand lines of code inside with no CALLs, dizzying~~~
;Making a memory keygen
;---------------------------------------------------------------------
004CFB2C |. E8 8F00FDFF call 0049FBC0 ; algorithm CALL
004CFB31 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; (ASCII "1FE37E12368B8C41")
004CFB34 |. 58 pop eax
Break address: 004CFB34
First byte: 58
Instruction length: 1
Save method: register, EDX
;=====================================================================
;Lessons from cracking restart-validation software:
;---------------------------------------------------------------------
1. The hard part of cracking this kind of software is locating the registration-check code segment
(1). Key string prompts
(2). API functions
2. Be familiar with the registry structure
Software usually stores registration info under HKEY_CURRENT_USER\Software\
Familiarity with the registry sometimes finds a working breakpoint very quickly
3. Some registry-related functions:
RegOpenKeyA Opens an existing registry key
RegOpenKeyExA Opens an existing registry key
RegCreateKeyA Creates or opens a key under the specified key
RegCreateKeyExA A more elaborate way to create a new key under the specified key
RegDeleteKeyA Deletes a specified subkey under an existing key
RegDeleteValueA Deletes a value under the specified key
RegQueryValueA Retrieves the value set for a key
RegQueryValueExA Retrieves the value set for a key
RegSetValueA Sets the value of the specified key or subkey
RegSetValueExA Sets the value of the specified key
RegCloseKey Closes a key in the system registry
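The weakness these lessons rely on is a purely local check: the client derives the expected code from the user name stored in the registry and compares it in one branch, so both the derivation and the decision sit in the shipped binary. As an added example, not part of this write-up or of the analyzed program, the following Go code shows the design that removes the derivation from the client: the vendor signs a license token with an Ed25519 private key that never ships, and the application verifies it at startup with only the embedded public key. The token layout (user|expiry|base64 signature), the Issue/Verify names and the sample user "ly10" taken from the registry dump above are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// License is the record the vendor issues and the application persists
// (the write-up's separate "RegUser"/"RegNo" values collapse into this one
// signed token). The field layout is an assumption of this example.
type License struct {
	User   string
	Expiry string // YYYY-MM-DD
	Sig    []byte // Ed25519 signature over payload(User, Expiry)
}

// payload is the canonical byte string the signature covers. The newline
// separator cannot occur in a date, and Issue rejects user names containing it.
func payload(user, expiry string) []byte {
	return []byte(user + "\n" + expiry)
}

// Issue runs only on the vendor's side. The private key never ships in the
// product, so reading the client's check routine yields nothing to forge with.
func Issue(priv ed25519.PrivateKey, user, expiry string) (License, error) {
	if strings.ContainsAny(user, "\n|") {
		return License{}, errors.New("user name contains reserved characters")
	}
	if _, err := time.Parse("2006-01-02", expiry); err != nil {
		return License{}, err
	}
	return License{User: user, Expiry: expiry, Sig: ed25519.Sign(priv, payload(user, expiry))}, nil
}

// Encode turns a license into the single string the application stores.
func Encode(l License) string {
	return l.User + "|" + l.Expiry + "|" + base64.StdEncoding.EncodeToString(l.Sig)
}

// Decode parses a stored string; any structural damage is an error.
func Decode(s string) (License, error) {
	parts := strings.Split(s, "|")
	if len(parts) != 3 {
		return License{}, errors.New("malformed license string")
	}
	sig, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return License{}, errors.New("malformed signature")
	}
	return License{User: parts[0], Expiry: parts[1], Sig: sig}, nil
}

// Verify is the client-side startup check. It holds only the public key, so
// the only way to pass is to present a token the vendor actually signed;
// editing the user name or the expiry in the stored value breaks the signature.
func Verify(pub ed25519.PublicKey, stored string, today time.Time) error {
	l, err := Decode(stored)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, payload(l.User, l.Expiry), l.Sig) {
		return errors.New("signature check failed")
	}
	exp, err := time.Parse("2006-01-02", l.Expiry)
	if err != nil {
		return err
	}
	if today.After(exp) {
		return errors.New("license expired")
	}
	return nil
}

func main() {
	// Vendor key pair, generated here only for the demonstration.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lic, _ := Issue(priv, "ly10", "2099-12-31")
	stored := Encode(lic)
	fmt.Println("genuine:", Verify(pub, stored, time.Now()))
	// The kind of edit made by hand in the registry now fails verification.
	fmt.Println("tampered:", Verify(pub, strings.Replace(stored, "ly10", "ly11", 1), time.Now()))
}
```

Signing stops forged registry values and user-name-derived codes, because the client no longer contains what is needed to produce a valid token. It does not stop patching of the check itself: the result of Verify still ends in a branch the binary owns, so a product that must survive binary patching needs a server-side entitlement check in addition.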
*First successful crack of a restart-validation program, happy
Any mistakes, I hope the experts will correct me :P
by: 鹭影依凌
;=====================================================================