Preface
This is number 3 of the 160 crackmes.
Preparation
System: Windows 7 SP1 x64 Ultimate
Tool: the 吾爱破解 (52pojie) edition of OllyDbg
Analysis
Run the program.
It asks for a username and a registration code.
Enter anything at random to get the error message.
Load it into OD and search the strings; the success and failure messages show up immediately.
Follow the reference to the jump and find that the condition is test si,si.
00408662 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx
00408665 . 66:85F6 test si,si ; the deciding check
...
00408677 . 74 62 je short AfKayAs_.004086DB ; jump to the failure message box
00408679 . 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
0040867F . 68 C06F4000 push AfKayAs_.00406FC0 ; You Get It
00408684 . 68 DC6F4000 push AfKayAs_.00406FDC ; /\r\n
00408689 . FFD6 call esi ; \__vbaStrCat
0040868B . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk
0040868D . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00408690 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00408696 . 50 push eax ; kernel32.BaseThreadInitThunk
00408697 . 68 E86F4000 push AfKayAs_.00406FE8 ; KeyGen It Now
0040869C . FFD6 call esi
...
004086D9 . EB 60 jmp short AfKayAs_.0040873B
004086DB > 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
004086E1 . 68 08704000 push AfKayAs_.00407008 ; You Get Wrong
004086E6 . 68 DC6F4000 push AfKayAs_.00406FDC ; /\r\n
004086EB . FFD6 call esi ; \__vbaStrCat
004086ED . 8BD0 mov edx,eax ; kernel32.BaseThreadInitThunk
004086EF . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004086F2 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
004086F8 . 50 push eax ; kernel32.BaseThreadInitThunk
004086F9 . 68 28704000 push AfKayAs_.00407028 ; Try Again
004086FE . FFD6 call esi
The check is the same as in the previous program, but looking upward there is no comparison function, which was puzzling for a moment.
So I traced the value of si and found that esi is set after a run of operations.
004085CE > \8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004085D1 . 50 push eax ; kernel32.BaseThreadInitThunk
004085D2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004085D8 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
004085DB . DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]
004085E1 . 51 push ecx
004085E2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004085E8 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004085EF . 75 08 jnz short AfKayAs_.004085F9
004085F1 . DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4]
004085F7 . EB 11 jmp short AfKayAs_.0040860A
004085F9 > FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A > DFE0 fstsw ax
0040860C . A8 0D test al,0xD
0040860E . 0F85 AB010000 jnz AfKayAs_.004087BF
00408614 . FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>; msvbvm50.__vbaFpR8
0040861A . DC1D 28104000 fcomp qword ptr ds:[0x401028]
00408620 . DFE0 fstsw ax
00408622 . F6C4 40 test ah,0x40
00408625 . 74 07 je short AfKayAs_.0040862E
00408627 . BE 01000000 mov esi,0x1 ; set esi to 1
0040862C . EB 02 jmp short AfKayAs_.00408630
0040862E > 33F6 xor esi,esi ; set esi to 0
Set a breakpoint at 0x004085CE: [ebp-0x18] holds exactly the registration code we entered. At 0x004085D2 __vbaR8Str is called; it converts its string argument to a double and leaves it in ST0, which can be seen in the FPU area below the register window in OD.
Moving down, the argument of the second call to the same function is 1067023, so we can conclude that this is the registration code we are looking for. The comparison itself is done with floating-point arithmetic: our entered code is divided by the correct one, and the result of that division decides the value of esi.
Test it.
The crack is done; now a quick look at the registration code algorithm.
The algorithm is fairly simple and runs in a few steps.
Step 1: take the length of the username, multiply it by 0x15B38, add the ASCII code of the username's first character, and convert the hexadecimal result to a decimal string.
004081E9 > \8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004081F2 . 50 push eax ; /String = 00000008 ???
004081F3 . 8B1A mov ebx,dword ptr ds:[edx] ; |
004081F5 . FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr
004081FB . 8BF8 mov edi,eax
004081FD . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00408200 . 69FF 385B0100 imul edi,edi,0x15B38
00408206 . 51 push ecx ; /String = "t"
00408207 . 0F80 B7050000 jo AfKayAs_.004087C4 ; |
0040820D . FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#rtcAnsiValueBstr_516>] ; \rtcAnsiValueBstr
00408213 . 0FBFD0 movsx edx,ax
00408216 . 03FA add edi,edx
00408218 . 0F80 A6050000 jo AfKayAs_.004087C4
0040821E . 57 push edi
0040821F . FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>] ; msvbvm50.__vbaStrI4
00408225 . 8BD0 mov edx,eax
Step 2: compute 10 / 5 and add the result, 2, to the decimal number from step 1.
004082DD > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004082E3 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004082E6 . 52 push edx
004082E7 . 8B19 mov ebx,dword ptr ds:[ecx]
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; msvbvm50.__vbaR8Str
004082EF . D905 08104000 fld dword ptr ds:[0x401008]
004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC . 75 08 jnz short AfKayAs_.00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C]
00408304 . EB 0B jmp short AfKayAs_.00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08 sub esp,0x8
00408314 . DFE0 fstsw ax
00408316 . A8 0D test al,0xD
00408318 . 0F85 A1040000 jnz AfKayAs_.004087BF
0040831E . DEC1 faddp st(1),st
00408320 . DFE0 fstsw ax
00408322 . A8 0D test al,0xD
00408324 . 0F85 95040000 jnz AfKayAs_.004087BF
0040832A . DD1C24 fstp qword ptr ss:[esp]
0040832D . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ; msvbvm50.__vbaStrR8
00408333 . 8BD0 mov edx,eax
Step 3: multiply the result of step 2 by 3, then subtract 2.
004083E9 > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004083F2 . 52 push edx
004083F3 . 8B19 mov ebx,dword ptr ds:[ecx]
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; msvbvm50.__vbaR8Str
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010]
00408401 . 83EC 08 sub esp,0x8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018]
0040840A . DFE0 fstsw ax
0040840C . A8 0D test al,0xD
0040840E . 0F85 AB030000 jnz AfKayAs_.004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp]
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ; msvbvm50.__vbaStrR8
0040841D . 8BD0 mov edx,eax
Step 4: subtract -15 from the result of step 3 to obtain the correct registration code.
004084D3 > \8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004084DC . 52 push edx
004084DD . 8B19 mov ebx,dword ptr ds:[ecx]
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>] ; msvbvm50.__vbaR8Str
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; computes the correct registration code
004084EB . 83EC 08 sub esp,0x8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD
004084F2 . 0F85 C7020000 jnz AfKayAs_.004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp]
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>] ; msvbvm50.__vbaStrR8
00408501 . 8BD0 mov edx,eax
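The four steps and the final floating-point check, re-implemented in Python as an added example (not code from the crackme or the original write-up). It assumes the comparison constant at 0x401028 is 1.0, which the page does not state; with a four-character username beginning with 't' it reproduces the 1067023 seen in the second __vbaR8Str call above.

```python
"""Re-implementation of the AfKayAs registration algorithm traced above.

Each step mirrors the disassembly: the VB string is turned into a double
(__vbaR8Str), the arithmetic runs on the FPU, and the result goes back to
a string (__vbaStrR8) before the next step picks it up again.
"""

MAGIC = 0x15B38  # imul edi,edi,0x15B38 (88888 decimal)


def step1(username: str) -> str:
    """len(name) * 0x15B38 + ASCII(first char), as a decimal string (__vbaStrI4)."""
    if not username:
        raise ValueError("username must not be empty")  # rtcAnsiValueBstr needs a char
    value = len(username) * MAGIC + ord(username[0])
    if value > 0x7FFFFFFF:
        # The binary guards imul/add with 'jo' and bails out to 004087C4.
        raise OverflowError("32-bit signed overflow")
    return str(value)


def vba_str_r8(x: float) -> str:
    """Approximates __vbaStrR8: VB prints whole doubles without a trailing '.0'."""
    return str(int(x)) if x == int(x) else repr(x)


def keygen(username: str) -> str:
    """Correct registration code for the given username."""
    s = step1(username)
    s = vba_str_r8(float(s) + 10.0 / 5.0)  # step 2: fld 10.0; fdiv 5.0; faddp
    s = vba_str_r8(float(s) * 3.0 - 2.0)   # step 3: fmul 3.0; fsub 2.0
    s = vba_str_r8(float(s) - (-15.0))     # step 4: fsub -15.0
    return s


def check(username: str, serial: str) -> bool:
    """The check at 004085CE..0040862E: entered / correct is compared with the
    constant at 0x401028, ASSUMED here to be 1.0 (not stated on the page)."""
    try:
        entered = float(serial)  # __vbaR8Str on the user's input
    except ValueError:
        return False  # the real VB runtime raises a type-mismatch error here
    correct = float(keygen(username))
    return entered / correct == 1.0  # fdivr, fcomp; esi = 1 only on equality


if __name__ == "__main__":
    name = "test"  # constructed sample: 4 chars, first letter 't'
    print(name, "->", keygen(name))
```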