学破解其实有很久了,以前想写游戏外挂。曾拼命学习汇编一个星期,结果没有什么进展就放下来了,反反复复,现在终于有些进展了,一般的软件拿到手里还是能分析一两下的。值得高兴的是,我的一篇破解学习文章被看雪论坛设置为精华。
【文章标题】: CCProxy6.3.9分析
【软件名称】: CCProxy6.3.9
【下载地址】: http://www.ccproxy.com/download/ccproxysetup.exe
【使用工具】: Peid,Ollydbg,W32dsm
【软件介绍】: 代理服务器
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
——————————————————————————–
【详细过程】
第一次学习破解,很多地方都不懂。本次分析也是按照论坛以前老前辈发的文章作参考的。
也是我第一次写这种文章,请大家多多包涵。不多说了,进入主题。
拿到软件,发现软件是多语言版本的。 未注册版有三个客户端的限制。 运行软件,点击注册输入88888888
点击“注册”按钮弹出“对不起,注册失败!”
再看该软件下面 Language 文件夹下的 ChineseGB.ini 文件 看到注册失败的文本对应的字符
Congratulations. You have registered successfully!=祝贺您,注册成功!
Sorry. Registration Failed!=对不起,注册失败!
用Peid查壳,发现无壳,为Microsoft Visual C++ 6.0 编写。
按照老前辈说的方法用W32dsm打开软件,查找字符串“ registered successfully ”找到一处
记录下地址为 00418001
用Ollydbg加载软件后,在该地址所在函数的入口处下断点。运行软件,点击注册,输入88888888,点击“注册”,程序被断下。
00417DC0 . 6A FF push -1 ;断在这里 00417DC2 . 68 56914700 push 00479156 ; SE 处理程序安装 00417DC7 . 64:A1 0000000>mov eax, fs:[0] 00417DCD . 50 push eax 00417DCE . 64:8925 00000>mov fs:[0], esp 00417DD5 . 81EC 10080000 sub esp, 810 00417DDB . 53 push ebx 00417DDC . 55 push ebp 00417DDD . 56 push esi 00417DDE . 57 push edi 00417DDF . 8BF1 mov esi, ecx 00417DE1 . 6A 01 push 1 00417DE3 . E8 0D4A0500 call 0046C7F5 00417DE8 . 8B86 1C010000 mov eax, [esi+11C] ; 获得注册码 放入ax 00417DEE . 8B1D 4CC34700 mov ebx, [<&KERNEL32.WritePrivatePro>; kernel32.WritePrivateProfileStringA 00417DF4 . 8DBE 1C010000 lea edi, [esi+11C] 00417DFA . 68 B83E4900 push 00493EB8 ; /FileName = "" 00417DFF . 50 push eax ; |String 00417E00 . 68 28E54800 push 0048E528 ; |Key = "RegCode" 00417E05 . 68 8CD14800 push 0048D18C ; |Section = "System" 00417E0A . FFD3 call ebx ; \将注册信息写入配置文件 00417E0C . 8B86 24010000 mov eax, [esi+124] 00417E12 . 8DAE 24010000 lea ebp, [esi+124] 00417E18 . 68 B83E4900 push 00493EB8 ; /FileName = "" 00417E1D . 50 push eax ; |String 00417E1E . 68 2CD44800 push 0048D42C ; |Key = "UserName" 00417E23 . 68 8CD14800 push 0048D18C ; |Section = "System" 00417E28 . FFD3 call ebx ; \将序列号写入配置文件 00417E2A . 8BCE mov ecx, esi 00417E2C . E8 E8550500 call 0046D419 00417E31 . E8 3A7E0200 call 0043FC70 ; 关键CALL 跟进 00417E36 . 8BCE mov ecx, esi 00417E38 . E8 F1550500 call 0046D42E 00417E3D . A1 3C1A4900 mov eax, [491A3C] 00417E42 . 894424 14 mov [esp+14], eax 00417E46 . 8B0D C03F4900 mov ecx, [493FC0] 00417E4C . C78424 280800>mov dword ptr [esp+828], 0 00417E57 . F7D9 neg ecx 00417E59 . 1BC9 sbb ecx, ecx 00417E5B . 83E1 05 and ecx, 5 00417E5E . 51 push ecx 00417E5F . 68 A3040000 push 4A3 00417E64 . 8BCE mov ecx, esi 00417E66 . E8 0E580500 call 0046D679 00417E6B . 8BC8 mov ecx, eax 00417E6D . E8 F8590500 call 0046D86A 00417E72 . 8B15 C03F4900 mov edx, [493FC0] 00417E78 . 8BCE mov ecx, esi 00417E7A . F7DA neg edx 00417E7C . 1BD2 sbb edx, edx 00417E7E . 83E2 FB and edx, FFFFFFFB 00417E81 . 
83C2 05 add edx, 5 00417E84 . 52 push edx 00417E85 . 68 A1040000 push 4A1 00417E8A . E8 EA570500 call 0046D679 00417E8F . 8BC8 mov ecx, eax 00417E91 . E8 D4590500 call 0046D86A 00417E96 . A1 C03F4900 mov eax, [493FC0] 00417E9B . 8BCE mov ecx, esi 00417E9D . F7D8 neg eax 00417E9F . 1BC0 sbb eax, eax 00417EA1 . 24 FB and al, 0FB 00417EA3 . 83C0 05 add eax, 5 00417EA6 . 50 push eax 00417EA7 . 68 2D040000 push 42D 00417EAC . E8 C8570500 call 0046D679 00417EB1 . 8BC8 mov ecx, eax 00417EB3 . E8 B2590500 call 0046D86A 00417EB8 . 6A 00 push 0 00417EBA . 68 A2040000 push 4A2 00417EBF . 8BCE mov ecx, esi 00417EC1 . E8 B3570500 call 0046D679 00417EC6 . 8BC8 mov ecx, eax 00417EC8 . E8 9D590500 call 0046D86A 00417ECD . 6A 00 push 0 00417ECF . 68 2E040000 push 42E 00417ED4 . 8BCE mov ecx, esi 00417ED6 . E8 9E570500 call 0046D679 00417EDB . 8BC8 mov ecx, eax 00417EDD . E8 88590500 call 0046D86A 00417EE2 . 8B0D C03F4900 mov ecx, [493FC0] 00417EE8 . F7D9 neg ecx 00417EEA . 1BC9 sbb ecx, ecx 00417EEC . 83E1 FB and ecx, FFFFFFFB 00417EEF . 83C1 05 add ecx, 5 00417EF2 . 51 push ecx 00417EF3 . 68 CA000000 push 0CA 00417EF8 . 8BCE mov ecx, esi 00417EFA . E8 7A570500 call 0046D679 00417EFF . 8BC8 mov ecx, eax 00417F01 . E8 64590500 call 0046D86A 00417F06 . 8B15 C03F4900 mov edx, [493FC0] 00417F0C . 8BCE mov ecx, esi 00417F0E . F7DA neg edx 00417F10 . 1BD2 sbb edx, edx 00417F12 . 83E2 FB and edx, FFFFFFFB 00417F15 . 83C2 05 add edx, 5 00417F18 . 52 push edx 00417F19 . 68 CB000000 push 0CB 00417F1E . E8 56570500 call 0046D679 00417F23 . 8BC8 mov ecx, eax 00417F25 . E8 40590500 call 0046D86A 00417F2A . A1 C03F4900 mov eax, [493FC0] 00417F2F . 85C0 test eax, eax 00417F31 . 75 54 jnz short 00417F87 00417F33 . 8D4424 10 lea eax, [esp+10] 00417F37 . 6A 04 push 4 ; /BufSize = 4 00417F39 . 50 push eax ; |Buffer 00417F3A . 6A 03 push 3 ; |InfoType = 3 00417F3C . 68 00080000 push 800 ; |LocaleId = 800 00417F41 . FF15 14C34700 call [<&KERNEL32.GetLocaleInfoA>] ; \GetLocaleInfoA 00417F47 . 
8D4C24 10 lea ecx, [esp+10] 00417F4B . 68 A0E44800 push 0048E4A0 ; ASCII "CHS" 00417F50 . 51 push ecx 00417F51 . E8 3A450400 call 0045C490 00417F56 . 83C4 08 add esp, 8 00417F59 . 85C0 test eax, eax 00417F5B . 74 2A je short 00417F87 00417F5D . 6A 05 push 5 00417F5F . 68 A2040000 push 4A2 00417F64 . 8BCE mov ecx, esi 00417F66 . E8 0E570500 call 0046D679 00417F6B . 8BC8 mov ecx, eax 00417F6D . E8 F8580500 call 0046D86A 00417F72 . 6A 05 push 5 00417F74 . 68 2E040000 push 42E 00417F79 . 8BCE mov ecx, esi 00417F7B . E8 F9560500 call 0046D679 00417F80 . 8BC8 mov ecx, eax 00417F82 . E8 E3580500 call 0046D86A 00417F87 > 8B1D 5CC34700 mov ebx, [<&KERNEL32.GetPrivateProfi>; kernel32.GetPrivateProfileStringA 00417F8D . 68 B83E4900 push 00493EB8 ; /IniFileName = "" 00417F92 . 8D5424 1C lea edx, [esp+1C] ; | 00417F96 . 68 00040000 push 400 ; |BufSize = 400 (1024.) 00417F9B . 52 push edx ; |ReturnBuffer 00417F9C . 68 C03A4900 push 00493AC0 ; |Default = "" 00417FA1 . 68 28E54800 push 0048E528 ; |Key = "RegCode" 00417FA6 . 68 8CD14800 push 0048D18C ; |Section = "System" 00417FAB . FFD3 call ebx ; \GetPrivateProfileStringA 00417FAD . 68 B83E4900 push 00493EB8 ; /IniFileName = "" 00417FB2 . 8D8424 200400>lea eax, [esp+420] ; | 00417FB9 . 68 00040000 push 400 ; |BufSize = 400 (1024.) 00417FBE . 50 push eax ; |ReturnBuffer 00417FBF . 68 C03A4900 push 00493AC0 ; |Default = "" 00417FC4 . 68 2CD44800 push 0048D42C ; |Key = "UserName" 00417FC9 . 68 8CD14800 push 0048D18C ; |Section = "System" 00417FCE . FFD3 call ebx ; \GetPrivateProfileStringA 00417FD0 . 8D4C24 18 lea ecx, [esp+18] 00417FD4 . 51 push ecx 00417FD5 . 8BCF mov ecx, edi 00417FD7 . E8 FF5D0500 call 0046DDDB 00417FDC . 8D9424 1C0400>lea edx, [esp+41C] 00417FE3 . 8BCD mov ecx, ebp 00417FE5 . 52 push edx 00417FE6 . E8 F05D0500 call 0046DDDB 00417FEB . 6A 00 push 0 00417FED . 8BCE mov ecx, esi 00417FEF . E8 01480500 call 0046C7F5 00417FF4 . A1 C03F4900 mov eax, [493FC0] 00417FF9 . 5F pop edi 00417FFA . 5E pop esi 00417FFB . 
5D pop ebp 00417FFC . 85C0 test eax, eax 00417FFE . 5B pop ebx 00417FFF . 74 40 je short 00418041 00418001 . 8D4424 00 lea eax, [esp] ;注册成功 00418005 . 6A 7D push 7D 00418007 . 50 push eax 00418008 . E8 C3A5FEFF call 004025D0 0041800D . 83C4 08 add esp, 8 00418010 . 50 push eax 00418011 . 8D4C24 08 lea ecx, [esp+8] 00418015 . C68424 1C0800>mov byte ptr [esp+81C], 1 0041801D . E8 695D0500 call 0046DD8B 00418022 . 8D4C24 00 lea ecx, [esp] 00418026 . C68424 180800>mov byte ptr [esp+818], 0 0041802E . E8 1F5C0500 call 0046DC52 00418033 . 8B4C24 04 mov ecx, [esp+4] 00418037 . 6A 00 push 0 ; /Arg3 = 00000000 00418039 . 6A 40 push 40 ; |Arg2 = 00000040 0041803B . 51 push ecx ; |Arg1 0041803C . E8 959D0500 call 00471DD6 ; \CCProxy.00471DD6 00418041 > 8D4C24 04 lea ecx, [esp+4] 00418045 . C78424 180800>mov dword ptr [esp+818], -1 00418050 . E8 FD5B0500 call 0046DC52 00418055 . 8B8C24 100800>mov ecx, [esp+810] 0041805C . 64:890D 00000>mov fs:[0], ecx 00418063 . 81C4 1C080000 add esp, 81C 00418069 . C3 retn 从00417E31 跟进 call 0043FC70 发现前面有很长一段代码是用来读取配置文件的注册码和序列号的 按了N次F8 来到关键地方 0043FCEA |. 51 push ecx 0043FCEB |. 68 BC094900 push 004909BC ; ASCII "%s\CCProxy.ini" 0043FCF0 |. 52 push edx 0043FCF1 |. E8 4D7A0100 call 00457743 0043FCF6 |. A0 C03A4900 mov al, [493AC0] 0043FCFB |. B9 FF000000 mov ecx, 0FF 0043FD00 |. 888424 C01F00>mov [esp+1FC0], al 0043FD07 |. 33C0 xor eax, eax 0043FD09 |. 8DBC24 C11F00>lea edi, [esp+1FC1] 0043FD10 |. 83C4 14 add esp, 14 0043FD13 |. F3:AB rep stos dword ptr es:[edi] 0043FD15 |. 8B1D 5CC34700 mov ebx, [<&KERNEL32.GetPrivateProfi>; kernel32.GetPrivateProfileStringA 0043FD1B |. 8D8C24 980200>lea ecx, [esp+298] 0043FD22 |. 51 push ecx ; /IniFileName 0043FD23 |. 8D9424 A80700>lea edx, [esp+7A8] ; | 0043FD2A |. 68 00040000 push 400 ; |BufSize = 400 (1024.) 0043FD2F |. 52 push edx ; |ReturnBuffer 0043FD30 |. 66:AB stos word ptr es:[edi] ; | 0043FD32 |. 68 C03A4900 push 00493AC0 ; |Default = "" 0043FD37 |. 
68 28E54800 push 0048E528 ; |Key = "RegCode" 0043FD3C |. 68 8CD14800 push 0048D18C ; |Section = "System" 0043FD41 |. AA stos byte ptr es:[edi] ; | 0043FD42 |. FFD3 call ebx ; \GetPrivateProfileStringA 0043FD44 |. 8D8424 980200>lea eax, [esp+298] 0043FD4B |. 8D8C24 A00300>lea ecx, [esp+3A0] 0043FD52 |. 50 push eax ; /IniFileName 0043FD53 |. 68 00040000 push 400 ; |BufSize = 400 (1024.) 0043FD58 |. 51 push ecx ; |ReturnBuffer 0043FD59 |. 68 C03A4900 push 00493AC0 ; |Default = "" 0043FD5E |. 68 2CD44800 push 0048D42C ; |Key = "UserName" 0043FD63 |. 68 8CD14800 push 0048D18C ; |Section = "System" 0043FD68 |. FFD3 call ebx ; \GetPrivateProfileStringA .................. 00440030 |> \8D8424 A00300>lea eax, [esp+3A0] 00440037 |. 8D8C24 A40700>lea ecx, [esp+7A4] 0044003E |. 50 push eax ; 将注册码入栈 0044003F |. 51 push ecx ; 将序列号稿入栈 00440040 |. E8 BBE3FFFF call 0043E400 ; 关键call 不跟进就没了 00440045 |. 83C4 08 add esp, 8 00440048 |. A3 C03F4900 mov [493FC0], eax ; 注册标志放入内存 0044004D |. 85C0 test eax, eax ; ax=1 注册 ax=0 未注册 0044004F 0F84 7B010000 je 004401D0 ; 没注册 走人 00440055 |. 80BC24 A50300>cmp byte ptr [esp+3A5], 30 0044005D |. 0F85 6D010000 jnz 004401D0 从00440040 跟进 call 0043E400 这里发现注册码原来是 12 位的 重新启动程序输入注册码 888888888888 0043E400 /$ 6A FF push -1 0043E402 |. 64:A1 0000000>mov eax, fs:[0] 0043E408 |. 68 8C9D4700 push 00479D8C 0043E40D |. 50 push eax 0043E40E |. B8 88290000 mov eax, 2988 0043E413 |. 64:8925 00000>mov fs:[0], esp 0043E41A |. E8 01940100 call 00457820 0043E41F |. A0 C03A4900 mov al, [493AC0] 0043E424 |. 53 push ebx 0043E425 |. 55 push ebp 0043E426 |. 56 push esi 0043E427 |. 57 push edi 0043E428 |. 884424 24 mov [esp+24], al 0043E42C |. B9 41000000 mov ecx, 41 0043E431 |. 33C0 xor eax, eax 0043E433 |. 8D7C24 25 lea edi, [esp+25] 0043E437 |. 68 05010000 push 105 ; /BufSize = 105 (261.) 0043E43C |. F3:AB rep stos dword ptr es:[edi] ; | 0043E43E |. 8D4C24 28 lea ecx, [esp+28] ; | 0043E442 |. 33F6 xor esi, esi ; | 0043E444 |. 51 push ecx ; |PathBuffer 0043E445 |. 
56 push esi ; |hModule => NULL 0043E446 |. FF15 50C34700 call [<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA 0043E44C |. 8D5424 24 lea edx, [esp+24] 0043E450 |. 6A 5C push 5C 0043E452 |. 52 push edx 0043E453 |. E8 689B0100 call 00457FC0 0043E458 |. C600 00 mov byte ptr [eax], 0 0043E45B |. A0 C03A4900 mov al, [493AC0] 0043E460 |. 888424 B40100>mov [esp+1B4], al 0043E467 |. B9 41000000 mov ecx, 41 0043E46C |. 33C0 xor eax, eax 0043E46E |. 8DBC24 B50100>lea edi, [esp+1B5] 0043E475 |. F3:AB rep stos dword ptr es:[edi] 0043E477 |. 8D4C24 2C lea ecx, [esp+2C] 0043E47B |. 8D9424 B40100>lea edx, [esp+1B4] 0043E482 |. 51 push ecx 0043E483 |. 68 BC094900 push 004909BC ; ASCII "%s\CCProxy.ini" 0043E488 |. 52 push edx 0043E489 |. E8 B5920100 call 00457743 0043E48E |. 8B9C24 C02900>mov ebx, [esp+29C0] 0043E495 |. 83C9 FF or ecx, FFFFFFFF 0043E498 |. 8BFB mov edi, ebx ; 把注册码放入目的寄存器 DI 用于比较 0043E49A |. 33C0 xor eax, eax ; 清0 0043E49C |. 83C4 14 add esp, 14 0043E49F |. F2:AE repne scas byte ptr es:[edi] ; 扫描注册码 0043E4A1 |. F7D1 not ecx 0043E4A3 |. 49 dec ecx ; cx = 注册码长度 0043E4A4 0F84 61040000 je 0043E90B ; 为空跳转 0043E4AA |. 8BFB mov edi, ebx ; 将注册码放入 目的寄存器 di 0043E4AC |. 83C9 FF or ecx, FFFFFFFF 0043E4AF |. F2:AE repne scas byte ptr es:[edi] 0043E4B1 |. F7D1 not ecx 0043E4B3 |. 49 dec ecx 0043E4B4 |. 83F9 0C cmp ecx, 0C 0043E4B7 74 34 je short 0043E4ED ; 如果注册码 = 12 位 则跳转 0043E4B9 |. 8D4424 10 lea eax, [esp+10] 0043E4BD |. 6A 7E push 7E 0043E4BF |. 50 push eax 0043E4C0 |. E8 0B41FCFF call 004025D0 0043E4C5 |. 83C4 08 add esp, 8 0043E4C8 |. 8B00 mov eax, [eax] 0043E4CA |. 56 push esi ; /Arg3 0043E4CB |. 56 push esi ; |Arg2 0043E4CC |. 50 push eax ; |Arg1 0043E4CD |. 89B424 AC2900>mov [esp+29AC], esi ; | 0043E4D4 |. E8 FD380300 call 00471DD6 ; \CCProxy.00471DD6 0043E4D9 |. C78424 A02900>mov dword ptr [esp+29A0], -1 0043E4E4 |. 8D4C24 10 lea ecx, [esp+10] 0043E4E8 |. E9 19040000 jmp 0043E906 0043E4ED |> 8D4C24 18 lea ecx, [esp+18] 0043E4F1 |. 
6A 04 push 4 ; /BufSize = 4 0043E4F3 |. 51 push ecx ; |Buffer 0043E4F4 |. 6A 03 push 3 ; |InfoType = 3 0043E4F6 |. 68 00080000 push 800 ; |LocaleId = 800 0043E4FB |. FF15 14C34700 call [<&KERNEL32.GetLocaleInfoA>] ; \取得与指定“地方”有关的信息 0043E501 |. 8D5424 18 lea edx, [esp+18] ; 取得为中文系统 放入dx 0043E505 |. 68 A0E44800 push 0048E4A0 ; ASCII "CHS" 0043E50A |. 52 push edx 0043E50B |. E8 80DF0100 call 0045C490 ; 应该是对比是否为中文系统 0043E510 |. 83C4 08 add