运行分析
- 运行软件,发现有2个地方需要破解
PE分析
- Delphi程序,32位,无壳
静态分析&动态调试
破解Serial
- 先破解第一个,找到关键字符串,进入关键函数
/*
 * Decompiler pseudocode for the click handler behind the "Serial" check.
 * It builds an expected string from the two embedded constants, reads the
 * user's input from the control at a1 + 480, compares the two and shows a
 * success or failure dialog.
 *
 * The sub_XXXXXX helpers are not shown on this page; the roles given in the
 * trailing comments are the analyst's guesses and should be confirmed in the
 * disassembly. The listing is decompiler output and is not compilable C.
 */
int __usercall Tserial_button1Click@<eax>(int a1@<eax>, int a2@<ebx>)
{
int v3; // ecx
char v4; // zf
_DWORD v6[4]; // [esp-10h] [ebp-20h] BYREF
unsigned int v7; // [esp+0h] [ebp-10h] BYREF
int v8; // [esp+4h] [ebp-Ch] BYREF
void *v9; // [esp+8h] [ebp-8h] BYREF
int v10; // [esp+Ch] [ebp-4h] BYREF
int savedregs; // [esp+10h] [ebp+0h] BYREF
v8 = 0;
v7 = 0;
/* Build a record in v6 whose first slot is the previous ExceptionList head
   and whose second slot is loc_42F52C, then write its address to fs:[0]. */
v6[3] = a2;
v6[2] = &savedregs;
v6[1] = &loc_42F52C;
v6[0] = NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v6);
sub_403708(&v10, &str_Hello[1]); // string of interest: "Hello"
sub_403708(&v9, &str_Dude_[1]); // string of interest: "Dude!"
sub_4039AC(&v8, 3, v3, v6[0], v10, &str___4[1], v9);// presumably concatenates 3 strings into v8; str___4[1] is ' '
sub_41AA58(*(_DWORD *)(a1 + 480), &v7); // presumably reads the input control's text; v7 is the entered value
sub_4039FC(v7, v8); // presumably a string compare; equality leads to the success dialog
/* v4 is annotated as the zero flag and is never assigned in this listing;
   presumably it carries the result of the compare call above -- confirm. */
if ( v4 )
sub_42A170(*off_430A48, "God Job dude !! =)", "Congratz!", 0);// success dialog
else
sub_42A170(*off_430A48, "Try Again!!", "Failed!", 0);
/* NOTE(review): v7 is written to fs:[0] here; this looks like a stack-slot
   aliasing artifact of the decompiler around the epilogue -- confirm. */
__writefsdword(0, v7);
v9 = &loc_42F533;
sub_403670(&v7); // presumably releases the temporary string -- TODO confirm
return sub_403694(&v8, 3); // presumably releases 3 string slots starting at v8 -- TODO confirm
}
- 猜测v8 = 'Hello' + ' ' + 'Dude!'
- 破解成功
破解Name Serial
- 找到关键字符串,进入关键函数
/*
 * Decompiler pseudocode for the click handler behind the "Name / Serial"
 * check. Several callee names (scanf, length, copy, strcat, cmp, messagebox)
 * are the analyst's renames, not the C library functions of the same name;
 * here "scanf" is called with a control pointer (a1 + 476 or a1 + 480) and
 * an output pointer, so it presumably fetches that control's text.
 *
 * Visible flow: the global dword_431750 is set to 41, multiplied by the first
 * byte of the Name text and then by 2, converted by sub_406718 into v13, and
 * joined with the constants into v16. v16 is compared against the text read
 * from a1 + 480. A length(Name_) < 4 test jumps straight to the failure dialog.
 *
 * The listing is decompiler output and is not compilable C.
 */
int __usercall TNS_BitBtn1Click@<eax>(int a1@<eax>, int a2@<ebx>, int a3@<esi>)
{
int v4; // esi
int v5; // esi
int v6; // ecx
char v7; // zf
unsigned int v9[2]; // [esp-14h] [ebp-2Ch] BYREF
int *v10; // [esp-Ch] [ebp-24h]
int v11; // [esp-8h] [ebp-20h]
int v12; // [esp-4h] [ebp-1Ch]
int v13; // [esp+0h] [ebp-18h] BYREF
int v14; // [esp+4h] [ebp-14h] BYREF
unsigned __int8 *Name_Serial; // [esp+8h] [ebp-10h] BYREF
int v16; // [esp+Ch] [ebp-Ch] BYREF
int v17; // [esp+10h] [ebp-8h] BYREF
int v18; // [esp+14h] [ebp-4h] BYREF
int savedregs; // [esp+18h] [ebp+0h] BYREF
v16 = 0;
Name_Serial = 0;
v14 = 0;
v13 = 0;
/* Save the incoming registers, then build a record in v9 (previous
   ExceptionList head plus loc_42FB67) and write its address to fs:[0]. */
v12 = a2;
v11 = a3;
v10 = &savedregs;
v9[1] = (unsigned int)&loc_42FB67;
v9[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
__writefsdword(0, (unsigned int)v9);
dword_431750 = 41; // starting constant for the serial computation
scanf(*(_DWORD *)(a1 + 476), &Name_Serial);
Name_ = sub_403AB0(Name_Serial); // Name_ is not declared in this listing; sub_403AB0 is not shown
scanf(*(_DWORD *)(a1 + 476), &Name_Serial);
v4 = 7 * *Name_Serial;
scanf(*(_DWORD *)(a1 + 476), &v14);
/* dword_431754 and dword_431758 are derived from bytes 0..3 of the text but
   are not referenced again in this function. Note that these bytes are read
   before the length check below. */
dword_431754 = 16 * *(unsigned __int8 *)(v14 + 1) + v4;
scanf(*(_DWORD *)(a1 + 476), &Name_Serial);
v5 = 11 * Name_Serial[3];
scanf(*(_DWORD *)(a1 + 476), &v14);
dword_431758 = 14 * *(unsigned __int8 *)(v14 + 2) + v5;
if ( length(Name_) < 4 ) // fewer than 4 -> failure dialog, no serial comparison
goto LABEL_4;
scanf(*(_DWORD *)(a1 + 476), &Name_Serial);
dword_431750 *= *Name_Serial; // multiply by the first byte of Name
dword_431750 *= 2; // then double it
copy(&v18, &str_CW[1]); // v18 = 'CW'
copy(&v17, &str_CRACKED[1]); // v17 = 'CRACKED'
sub_406718(dword_431750, &v13); // v13 is produced from dword_431750; presumably an integer-to-string conversion
/* NOTE(review): the count argument is 5 but only four string operands are
   visible and v18 ('CW') is not among them; the decompiler presumably lost a
   pushed argument -- confirm in the disassembly. */
strcat(&v16, 5, v6, &str___5[1], v13, &str___5[1], v17);// str___5[1] = '-'
scanf(*(_DWORD *)(a1 + 480), &Name_Serial); // Name_Serial (v15 before renaming) now holds the Serial text
cmp(v16, Name_Serial);
/* v7 is annotated as the zero flag and is never assigned in this listing;
   presumably it carries the result of cmp() above -- confirm. */
if ( v7 )
messagebox(*off_430A48, "Good job dude =)", "Congratz !!", 0);// success dialog
else
LABEL_4:
messagebox(*off_430A48, "Sorry , The serial is incorect !", "Try Again!", 0);
__writefsdword(0, v9[0]); // put the saved ExceptionList head back into fs:[0]
v10 = (int *)&loc_42FB6E;
sub_403670(&v13); // presumably releases the temporary string -- TODO confirm
sub_403694(&v14, 2); // presumably releases 2 string slots starting at v14 -- TODO confirm
return sub_403694(&v16, 3); // presumably releases 3 string slots starting at v16 -- TODO confirm
}
- 通过动态调试进行分析,需满足 v16 = Serial
- v16 = ‘CW’ + ‘-’ + v13 + ‘-’ + ‘CRACKED’
- v13 = 41 * Name首字母(字符编码值)* 2,再转换为字符串
算法分析
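# Reproduces the string that the decompiled TNS_BitBtn1Click handler compares
# against the Serial field:
#   'CW' + '-' + str(41 * <code of Name's first character> * 2) + '-' + 'CRACKED'
Name = 'concealbear'
# The handler jumps to its failure branch when length(Name_) < 4, so a shorter
# Name can never pass the check; fail early instead of printing a useless value.
if len(Name) < 4:
    raise ValueError('Name must be at least 4 characters long')
# NOTE(review): the handler multiplies by a single byte (*Name_Serial). ord()
# matches that only for single-byte characters -- confirm for non-ASCII names.
v13 = 41 * ord(Name[0]) * 2
v16 = 'CW' + '-' + str(v13) + '-' + 'CRACKED'
print(Name + '的Serial为:\n' + v16)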
- 写出算法,输入任意Name,验证成功(注意:关键函数在 length(Name_) < 4 时直接跳到失败分支,因此Name至少需要4个字符)