OllyDbg破解系列学习笔记(五)


硬编码序列号寻踪Part2

OllyDbg加载今天的主角:


老样子查看主程序模块中的名称(标签),在我们感兴趣的GetDlgItemTextA下断,输入测试密码:dgdssn,单击Check程序中断,执行完GetDlgItemTextA函数返回主程序代码中,我们来看一下往下的代码:
; Check routine as shown by OllyDbg (one instruction per line). Immediates are
; displayed in hex: "-14" is 0x14 (20), "73" is 0x73 ('s').
; [EBP-10] = loop index, [EBP-34] = match counter, [EBP-30] = stack copy of the
; embedded key string, [EBP-C] = pointer to the text read by GetDlgItemTextA.
00401303   .  C745 F0 00000>MOV DWORD PTR SS:[EBP-10],0
0040130A   .  B8 22124000   MOV EAX,crakmeea.00401222                ;  10445678951
; copy the 12 bytes of the key string to the stack, then zero the 8 bytes after it
0040130F   .  8B10          MOV EDX,DWORD PTR DS:[EAX]
00401311   .  8955 D0       MOV DWORD PTR SS:[EBP-30],EDX
00401314   .  8B50 04       MOV EDX,DWORD PTR DS:[EAX+4]
00401317   .  8955 D4       MOV DWORD PTR SS:[EBP-2C],EDX
0040131A   .  8B40 08       MOV EAX,DWORD PTR DS:[EAX+8]
0040131D   .  8945 D8       MOV DWORD PTR SS:[EBP-28],EAX
00401320   .  8D45 DC       LEA EAX,DWORD PTR SS:[EBP-24]
00401323   .  83C4 FC       ADD ESP,-4
00401326   .  6A 08         PUSH 8                                   ; /n = 8
00401328   .  6A 00         PUSH 0                                   ; |c = 00
0040132A   .  50            PUSH EAX                                 ; |s
0040132B   .  E8 F0020000   CALL <JMP.&msvcrt.memset>                ; \memset
00401330   .  83C4 10       ADD ESP,10
00401333   .  C745 CC 00000>MOV DWORD PTR SS:[EBP-34],0
0040133A   .  8DB6 00000000 LEA ESI,DWORD PTR DS:[ESI]
; loop head: continue while index < strlen(key)-1 (unsigned compare, JB)
00401340   >  83C4 F4       ADD ESP,-0C
00401343   .  8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
00401346   .  50            PUSH EAX                                 ; /s
00401347   .  E8 DC020000   CALL <JMP.&msvcrt.strlen>                ; \strlen
0040134C   .  83C4 10       ADD ESP,10
0040134F   .  89C0          MOV EAX,EAX
00401351   .  8D50 FF       LEA EDX,DWORD PTR DS:[EAX-1]
00401354   .  3955 F0       CMP DWORD PTR SS:[EBP-10],EDX
00401357   .  72 07         JB SHORT crakmeea.00401360
00401359   .  EB 35         JMP SHORT crakmeea.00401390
0040135B      90            NOP
0040135C      8D7426 00     LEA ESI,DWORD PTR DS:[ESI]
; loop body: compare input[index] - 0x14 with key[index]
00401360   >  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]
00401363   .  8B55 F0       MOV EDX,DWORD PTR SS:[EBP-10]
00401366   .  01D0          ADD EAX,EDX
00401368   .  0FBE10        MOVSX EDX,BYTE PTR DS:[EAX]
0040136B   .  8D42 EC       LEA EAX,DWORD PTR DS:[EDX-14]
0040136E   .  8D55 D0       LEA EDX,DWORD PTR SS:[EBP-30]
00401371   .  8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
00401374   .  0FBE1411      MOVSX EDX,BYTE PTR DS:[ECX+EDX]
00401378   .  39D0          CMP EAX,EDX
0040137A   .  75 0D         JNZ SHORT crakmeea.00401389
; on match: overwrite key[index] in the stack copy with 0x73 and count the match
0040137C   .  8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
0040137F   .  8B55 F0       MOV EDX,DWORD PTR SS:[EBP-10]
00401382   .  C60402 73     MOV BYTE PTR DS:[EDX+EAX],73
00401386   .  FF45 CC       INC DWORD PTR SS:[EBP-34]
00401389   >  FF45 F0       INC DWORD PTR SS:[EBP-10]
0040138C   .^ EB B2         JMP SHORT crakmeea.00401340
0040138E      89F6          MOV ESI,ESI
; after the loop: build the "Correct!" and "Invalid!" strings on the stack
00401390   >  B8 2E124000   MOV EAX,crakmeea.0040122E                ;  Correct!
00401395   .  8B10          MOV EDX,DWORD PTR DS:[EAX]
00401397   .  8955 B0       MOV DWORD PTR SS:[EBP-50],EDX
0040139A   .  8B50 04       MOV EDX,DWORD PTR DS:[EAX+4]
0040139D   .  8955 B4       MOV DWORD PTR SS:[EBP-4C],EDX
004013A0   .  8A40 08       MOV AL,BYTE PTR DS:[EAX+8]
004013A3   .  8845 B8       MOV BYTE PTR SS:[EBP-48],AL
004013A6   .  8D45 B9       LEA EAX,DWORD PTR SS:[EBP-47]
004013A9   .  83C4 FC       ADD ESP,-4
004013AC   .  6A 01         PUSH 1                                   ; /n = 1
004013AE   .  6A 00         PUSH 0                                   ; |c = 00
004013B0   .  50            PUSH EAX                                 ; |s
004013B1   .  E8 6A020000   CALL <JMP.&msvcrt.memset>                ; \memset
004013B6   .  83C4 10       ADD ESP,10
004013B9   .  B8 37124000   MOV EAX,crakmeea.00401237                ;  Invalid!
004013BE   .  8B10          MOV EDX,DWORD PTR DS:[EAX]
004013C0   .  8955 A0       MOV DWORD PTR SS:[EBP-60],EDX
004013C3   .  8B50 04       MOV EDX,DWORD PTR DS:[EAX+4]
004013C6   .  8955 A4       MOV DWORD PTR SS:[EBP-5C],EDX
004013C9   .  8A40 08       MOV AL,BYTE PTR DS:[EAX+8]
004013CC   .  8845 A8       MOV BYTE PTR SS:[EBP-58],AL
004013CF   .  8D45 A9       LEA EAX,DWORD PTR SS:[EBP-57]
004013D2   .  83C4 FC       ADD ESP,-4
004013D5   .  6A 01         PUSH 1                                   ; /n = 1
004013D7   .  6A 00         PUSH 0                                   ; |c = 00
004013D9   .  50            PUSH EAX                                 ; |s
004013DA   .  E8 41020000   CALL <JMP.&msvcrt.memset>                ; \memset
004013DF   .  83C4 10       ADD ESP,10
; verdict: index == match counter means every checked position matched
004013E2   .  8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]
004013E5   .  3B45 CC       CMP EAX,DWORD PTR SS:[EBP-34]
004013E8   .  75 16         JNZ SHORT crakmeea.00401400
004013EA   .  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
004013EC   .  8D45 B0       LEA EAX,DWORD PTR SS:[EBP-50]            ; |
004013EF   .  50            PUSH EAX                                 ; |Title
004013F0   .  8D45 B0       LEA EAX,DWORD PTR SS:[EBP-50]            ; |
004013F3   .  50            PUSH EAX                                 ; |Text
004013F4   .  6A 00         PUSH 0                                   ; |hOwner = NULL
004013F6   .  E8 5D020000   CALL <JMP.&USER32.MessageBoxA>           ; \MessageBoxA
004013FB   .  EB 14         JMP SHORT crakmeea.00401411
004013FD      8D76 00       LEA ESI,DWORD PTR DS:[ESI]
00401400   >  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401402   .  8D45 A0       LEA EAX,DWORD PTR SS:[EBP-60]            ; |
00401405   .  50            PUSH EAX                                 ; |Title
00401406   .  8D45 A0       LEA EAX,DWORD PTR SS:[EBP-60]            ; |
00401409   .  50            PUSH EAX                                 ; |Text
0040140A   .  6A 00         PUSH 0                                   ; |hOwner = NULL
0040140C   .  E8 47020000   CALL <JMP.&USER32.MessageBoxA>           ; \MessageBoxA

我们来分析一下如上的汇编代码,先概括一下:
程序取得全局变量10445678951,获取我们输入password的地址,按照Length(10445678951)循环获取从password首地址开始的每个字符减0x14和10445678951比较,相同则为Correct。笔者用C语言还原了上段汇编中核心算法的C语言代码:
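/*
 * C reconstruction of the check routine at 00401303-0040140C.
 * tc401222 is the embedded key string (the "10445678951" the routine copies
 * onto the stack); tcMyPass is the text read by GetDlgItemTextA. The local
 * names dwEBP_10 / dwEBP_34 mirror the stack slots in the disassembly.
 *
 * Corrections against the disassembly: OllyDbg prints immediates in hex, so
 * the subtrahend is 0x14 (20) and the byte written on a match is 0x73 ('s'),
 * not decimal 14 and 73; dwEBP_10 was also declared twice.
 */
TCHAR tcTemp[5];
memset(tcTemp, 0, 5*sizeof(TCHAR));      /* mirrors the memset that follows the stack copy; unused afterwards */
DWORD dwLen    = _tcslen(tc401222);
DWORD dwEBP_10 = 0;                      /* loop index, [EBP-10] */
DWORD dwEBP_34 = 0;                      /* match counter, [EBP-34] */
TCHAR tcSingle;
TCHAR tc1st;
TCHAR tc2nd;
/* CMP [EBP-10],strlen-1 / JB: unsigned compare, so only the first dwLen-1 characters are checked */
while ( dwLen-1 > dwEBP_10 )
{
    tcSingle = tcMyPass[dwEBP_10];
    tc1st = tcSingle - 0x14;             /* LEA EAX,[EDX-14]: hex 14 = 20 */
    tc2nd = tc401222[dwEBP_10];
    if ( tc1st == tc2nd )
    {
        tc401222[dwEBP_10] = 0x73;       /* MOV BYTE PTR [EDX+EAX],73: hex 73 = 's' */
        dwEBP_34++;
    }
    dwEBP_10++;
}
/* Correct only when every checked position matched (index == match counter) */
if ( dwEBP_10 == dwEBP_34 )
{
    MessageBoxA(NULL, "Correct!", 0, MB_OK);
}
else
{
    MessageBoxA(NULL, "Invalid!", 0, MB_OK);
}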

有了上面的代码,我们很清楚的可以算出序列号:
/*
 * Derive the accepted serial from the key string: the check subtracts 0x14
 * (20) from each input character before comparing, so adding 20 to each key
 * character reproduces it. Prints every character of tc401222, one per
 * iteration, with no trailing newline.
 */
DWORD dwLength = _tcslen(tc401222);
DWORD dwPos    = 0;
while ( dwPos < dwLength )
{
    printf("%c", tc401222[dwPos]+20);
    dwPos++;
}



我们输入这个序列号,在OD中跟踪执行,发现只需要上述序列号前10位相同即可,后面可随意添加:


