首页 编程 软件学院 查看内容

金易格坦克大战破解手记

2006-5-19 00:06 721 0

摘要: 本破解仅作学习研究用,请勿用于任何不法行为,否则后果自负。软件名称:金易格坦克大战下载:http://shareware.skycn.com/soft/4932.htm编码语言:DELPHI 4.0-...
关键词: nbsp 0047 REGTANK dword DA eax mov ptr edx ebp

本破解仅作学习研究用,请勿用于任何不法行为,否则后果自负。软件名称:金易格坦克大战下载:http://shareware.skycn.com/soft/4932.htm编码语言:DELPHI 4.0-5.0大 小:8.41M(压缩)加密方式:注册码使用工具:odbg110_cn,PEiD,w32dasm89cn破解日期:2006年1月6日破解人:[certainheart] QQ:8108306 试运行注册程序REGTANK.EXE,输入试炼码,发现有"产品注册码不对,请联系经销商或作者!"的字符串提示,以此为突破口。首先用PEID查注册程序REGTANK.EXE,无壳。用w32dasm89cn反编译,点串式参考,查找"产品注册码不对,请联系经销商或作者!",双击,地址为0047D7FB。用odbg110_cn打开REGTANK.EXE,对0047D7FB下断点,F9运行程序,输入试炼码 'CDCDCDCDC',点确认,拦截成功。0047D7CF   |.  8B83 F8020000     mov eax,dword ptr ds:[ebx+2F8]0047D7D5   |.  E8 4A40FBFF       call RegTank.004318240047D7DA   |.  8B55 FC           mov edx,dword ptr ss:[ebp-4]0047D7DD   |.  8BC3              mov eax,ebx0047D7DF   |.  E8 F0010000       call RegTank.0047D9D40047D7E4   |.  84C0              test al,al0047D7E6   |.  75 25             jnz short RegTank.0047D80D0047D7E8   |.  8B83 DC020000     mov eax,dword ptr ds:[ebx+2DC]0047D7EE   |.  8B40 58           mov eax,dword ptr ds:[eax+58]0047D7F1   |.  BA FFFF0000       mov edx,0FFFF0047D7F6   |.  E8 05C9F9FF       call RegTank.0041A1000047D7FB   |.  BA 5CD84700       mov edx,RegTank.0047D85C 《=====在此处成功拦截0047D800   |.  8B83 DC020000     mov eax,dword ptr ds:[ebx+2DC]0047D806   |.  E8 5940FBFF       call RegTank.004318640047D80B   |.  EB 1F             jmp short RegTank.0047D82C0047D80D   |>  8D55 F8           lea edx,dword ptr ss:[ebp-8]0047D810   |.  8B83 F8020000     mov eax,dword ptr ds:[ebx+2F8]0047D816   |.  E8 0940FBFF       call RegTank.004318240047D81B   |.  8B55 F8           mov edx,dword ptr ss:[ebp-8]0047D81E   |.  8BC3              mov eax,ebx往上看几句可以发现可疑代码,如下:0047D7CF   |.  8B83 F8020000     mov eax,dword ptr ds:[ebx+2F8]0047D7D5   |.  E8 4A40FBFF       call RegTank.004318240047D7DA   |.  8B55 FC           mov edx,dword ptr ss:[ebp-4]0047D7DD   |.  8BC3              mov eax,ebx0047D7DF   |.  E8 F0010000       call RegTank.0047D9D4《=====可疑0047D7E4   |.  84C0              test al,al《=====可疑0047D7E6   |.  75 25             jnz short RegTank.0047D80D《=====可疑0047D7E8   |.  8B83 DC020000     mov eax,dword ptr ds:[ebx+2DC]0047D7EE   |.  8B40 58           mov eax,dword ptr ds:[eax+58]0047D7F1   |.  BA FFFF0000       mov edx,0FFFF0047D7F6   |.  E8 05C9F9FF       call RegTank.0041A1000047D7FB   |.  BA 5CD84700       mov edx,RegTank.0047D85C 《=====在此处成功拦截0047D800   |.  8B83 DC020000     mov eax,dword ptr ds:[ebx+2DC]0047D806   |.  E8 5940FBFF       call RegTank.004318640047D80B   |.  EB 1F             jmp short RegTank.0047D82C0047D80D   |>  8D55 F8           lea edx,dword ptr ss:[ebp-8]0047D810   |.  8B83 F8020000     mov eax,dword ptr ds:[ebx+2F8]0047D816   |.  E8 0940FBFF       call RegTank.004318240047D81B   |.  8B55 F8           mov edx,dword ptr ss:[ebp-8]0047D81E   |.  8BC3              mov eax,ebx对0047D7DF下断点,重新运行程序,测试发现该CALL的结果影响了显示的注册结果,表明0047D7DF为关键判断,F7跟进去。来到以下:0047D9D4   /$  55                push ebp0047D9D5   |.  8BEC              mov ebp,esp0047D9D7   |.  83C4 F8           add esp,-80047D9DA   |.  53                push ebx0047D9DB   |.  56                push esi0047D9DC   |.  33C9              xor ecx,ecx0047D9DE   |.  894D F8           mov dword ptr ss:[ebp-8],ecx0047D9E1   |.  8955 FC           mov dword ptr ss:[ebp-4],edx0047D9E4   |.  8B45 FC           mov eax,dword ptr ss:[ebp-4]0047D9E7   |.  E8 A46FF8FF       call RegTank.004049900047D9EC   |.  33C0              xor eax,eax0047D9EE   |.  55                push ebp0047D9EF   |.  68 4DDA4700       push RegTank.0047DA4D0047D9F4   |.  64:FF30           push dword ptr fs:[eax]0047D9F7   |.  64:8920           mov dword ptr fs:[eax],esp0047D9FA   |.  33DB              xor ebx,ebx0047D9FC   |.  8D45 F8           lea eax,dword ptr ss:[ebp-8]0047D9FF   |.  8B55 FC           mov edx,dword ptr ss:[ebp-4]0047DA02   |.  E8 C56BF8FF       call RegTank.004045CC0047DA07   |.  8B45 F8           mov eax,dword ptr ss:[ebp-8]0047DA0A   |.  E8 CD6DF8FF       call RegTank.004047DC《=====取得试炼码的总长度0047DA0F   |.  83F8 0E           cmp eax,0E《=====将试炼码的总长度与14比较0047DA12   |.  75 1E             jnz short RegTank.0047DA32《=====不是14则OVER,说明注册码长度需为14位0047DA14   |.  B9 5A030000       mov ecx,35A0047DA19   |.  33D2              xor edx,edx0047DA1B   |.  33C0              xor eax,eax0047DA1D   |>  8B75 F8           /mov esi,dword ptr ss:[ebp-8]0047DA20   |.  0FB63406          |movzx esi,byte ptr ds:[esi+eax]0047DA24   |.  03D6              |add edx,esi0047DA26   |.  40                |inc eax0047DA27   |.  83F8 0E           |cmp eax,0E0047DA2A   |.^ 75 F1             \jnz short RegTank.0047DA1D0047DA2C   |.  3BD1              cmp edx,ecx0047DA2E   |.  75 02             jnz short RegTank.0047DA320047DA30   |.  B3 01             mov bl,10047DA32   |>  33C0              xor eax,eax0047DA34   |.  5A                pop edx0047DA35   |.  59                pop ecx0047DA36   |.  59                pop ecx0047DA37   |.  64:8910           mov dword ptr fs:[eax],edx0047DA3A   |.  68 54DA4700       push RegTank.0047DA540047DA3F   |>  8D45 F8           lea eax,dword ptr ss:[ebp-8]0047DA42   |.  BA 02000000       mov edx,20047DA47   |.  E8 0C6BF8FF       call RegTank.004045580047DA4C   \.  C3                retn对0047DA0F下断点,重新运行程序,输入'CDCDCDCDCDCDCD',保证注册码有14位,再次运行到0047DA0F0047D9D4   /$  55                push ebp0047D9D5   |.  8BEC              mov ebp,esp0047D9D7   |.  83C4 F8           add esp,-80047D9DA   |.  53                push ebx0047D9DB   |.  56                push esi0047D9DC   |.  33C9              xor ecx,ecx0047D9DE   |.  894D F8           mov dword ptr ss:[ebp-8],ecx0047D9E1   |.  8955 FC           mov dword ptr ss:[ebp-4],edx0047D9E4   |.  8B45 FC           mov eax,dword ptr ss:[ebp-4]0047D9E7   |.  E8 A46FF8FF       call RegTank.004049900047D9EC   |.  33C0              xor eax,eax0047D9EE   |.  55                push ebp0047D9EF   |.  68 4DDA4700       push RegTank.0047DA4D0047D9F4   |.  64:FF30           push dword ptr fs:[eax]0047D9F7   |.  64:8920           mov dword ptr fs:[eax],esp0047D9FA   |.  33DB              xor ebx,ebx0047D9FC   |.  8D45 F8           lea eax,dword ptr ss:[ebp-8]0047D9FF   |.  8B55 FC           mov edx,dword ptr ss:[ebp-4]0047DA02   |.  E8 C56BF8FF       call RegTank.004045CC0047DA07   |.  8B45 F8           mov eax,dword ptr ss:[ebp-8]0047DA0A   |.  E8 CD6DF8FF       call RegTank.004047DC0047DA0F   |.  83F8 0E           cmp eax,0E《=====试炼码'CDCDCDCDCDCDCD'通过了该判断,执行0047DA140047DA12   |.  75 1E             jnz short RegTank.0047DA320047DA14   |.  B9 5A030000       mov ecx,35A《=====35A这个常数进入ECX0047DA19   |.  33D2              xor edx,edx《=====EDX清零0047DA1B   |.  33C0              xor eax,eax《=====EAX清零0047DA1D   |>  8B75 F8           /mov esi,dword ptr ss:[ebp-8]《=====0047DA1D至0047DA2A是将试炼码'CDCDCDCDCDCDCD'的每个字符0047DA20   |.  0FB63406          |movzx esi,byte ptr ds:[esi+eax]《的ASII值累加,结果存在EDX0047DA24   |.  03D6              |add edx,esi0047DA26   |.  40                |inc eax0047DA27   |.  83F8 0E           |cmp eax,0E0047DA2A   |.^ 75 F1             \jnz short RegTank.0047DA1D《=====反复计算,直到所有字符都计算完,则进入0047DA2C0047DA2C   |.  3BD1              cmp edx,ecx《=====将EDX与35A比较0047DA2E   |.  75 02             jnz short RegTank.0047DA32《=====如果不等则转0047DA32,此时BL=00047DA30   |.  B3 01             mov bl,1《=====如果相等则将1存入BL,继续执行下面的指令0047DA32   |>  33C0              xor eax,eax0047DA34   |.  5A                pop edx0047DA35   |.  59                pop ecx0047DA36   |.  59                pop ecx0047DA37   |.  64:8910           mov dword ptr fs:[eax],edx0047DA3A   |.  68 54DA4700       push RegTank.0047DA54《=====压入将EBX转存EAX的指令段0047DA3F   |>  8D45 F8           lea eax,dword ptr ss:[ebp-8]0047DA42   |.  BA 02000000       mov edx,20047DA47   |.  E8 0C6BF8FF       call RegTank.004045580047DA4C   \.  C3                retn《=====因为前面压入RegTank.0047DA54,所以执行此指令将导致跳转0047DA540047DA4D    .^ E9 BE64F8FF       jmp RegTank.00403F100047DA52    .^ EB EB             jmp short RegTank.0047DA3F0047DA54    .  8BC3              mov eax,ebx《=====将0047DA30执行后保存EBX的结果转存EAX0047DA56    .  5E                pop esi0047DA57    .  5B                pop ebx0047DA58    .  59                pop ecx0047DA59    .  59                pop ecx0047DA5A    .  5D                pop ebp0047DA5B    .  C3                retn《=====真正从0047D7DF执行的call RegTank.0047D9D4中返回执行0047D7E4的test al,al 由此分析可知注册码的各个字符的AII值之和必须为0X35A,因此造一个符合该条件的试炼码'=============A',重新执行程序,输入该试炼码,显示注册"恭喜您成为合法的用户!谢谢你的惠顾",注册成功。可以编写注册机,正确注册码符合两个条件:1、长14位;2、所有字符的ASII值总和为0X35A。注册成功后,程序将正确的注册码加密后保存在HKEY_LOCAL_MACHINE\SOFTWARE\WUZHIHUI\TANK中。至此,分析完成。总结:1、根据提示字符串在反汇编中寻找关键代码,然后在调试中顺藤摸瓜向上寻找判断,这是一个比较通用的办法。      2、在试炼中不断提高试炼码的正确度,以使调试一步一步走向成功。      3、编写注册方法可以用注册码特征法,这样避免了明码比较,正确的注册码不容易在内存中直接被搜索出来,提高了破解难度。
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部