Software: Virtuoso Organizer 2.2
Description: a schedule-management program
Tools: PEiD, AspackDie, W32Dasm, OllyDbg
Last night in the group someone said they couldn't find a registration code for Virtuoso Organizer 2.2, so I decided to take a look for them. After downloading the program I found it was packed with ASPack, so I unpacked it. The protection this program uses is a registration code: type in any key and a dialog pops up saying "Sorry....." It looked fairly simple, so I disassembled it with W32Dasm, looked at the string references, and sure enough found that string. Going to the code near it:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00530D17(C), :00530D57(C)
|
:00530DE9 A140395600 mov eax, dword ptr [00563940]
:00530DEE 8B00 mov eax, dword ptr [eax]
:00530DF0 C6800E0B000000 mov byte ptr [eax+00000B0E], 00
:00530DF7 6A00 push 00000000
:00530DF9 668B0D180F5300 mov cx, word ptr [00530F18]
:00530E00 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Sorry, but your registration code "
->"was not accepted."
|
:00530E02 B8240F5300 mov eax, 00530F24
:00530E07 E80C61F1FF call 00446F18
:00530E0C 8B45FC mov eax, dword ptr [ebp-04]
:00530E0F 8B80F0020000 mov eax, dword ptr [eax+000002F0]
:00530E15 8B10 mov edx, dword ptr [eax]
:00530E17 FF92C0000000 call dword ptr [edx+000000C0]
:00530E1D 8B45FC mov eax, dword ptr [ebp-04]
:00530E20 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:00530E26 33D2 xor edx, edx
:00530E28 E8FFD4F1FF call 0044E32C
Going further up...
* Possible StringData Ref from Code Obj ->"Congratulations!!! Your registration "
->"code was accepted."
|
:00530D80 B8E00E5300 mov eax, 00530EE0
:00530D85 E88E61F1FF call 00446F18
:00530D8A 8B45FC mov eax, dword ptr [ebp-04]
:00530D8D E81AB3F3FF call 0046C0AC
:00530D92 A188365600 mov eax, dword ptr [00563688]
:00530D97 833800 cmp dword ptr [eax], 00000000
:00530D9A 7423 je 00530DBF
:00530D9C A188365600 mov eax, dword ptr [00563688]
:00530DA1 8B00 mov eax, dword ptr [eax]
:00530DA3 8B8008030000 mov eax, dword ptr [eax+00000308]
:00530DA9 B201 mov dl, 01
:00530DAB 8B08 mov ecx, dword ptr [eax]
:00530DAD FF5164 call [ecx+64]
:00530DB0 A188365600 mov eax, dword ptr [00563688]
:00530DB5 8B00 mov eax, dword ptr [eax]
:00530DB7 8B55FC mov edx, dword ptr [ebp-04]
:00530DBA E895080000 call 00531654
Haha, see it? "Congratulations". The core of the comparison should be a little above this. Going further up:
:00530D07 E8E085EDFF call 004092EC
:00530D0C B929CB2300 mov ecx, 0023CB29
:00530D11 99 cdq
:00530D12 F7F9 idiv ecx
:00530D14 83F802 cmp eax, 00000002
:00530D17 0F85CC000000 jne 00530DE9
:00530D1D 8D45E8 lea eax, dword ptr [ebp-18]
:00530D20 50 push eax
:00530D21 8D55E4 lea edx, dword ptr [ebp-1C]
:00530D24 8B45FC mov eax, dword ptr [ebp-04]
:00530D27 8B80FC020000 mov eax, dword ptr [eax+000002FC]
:00530D2D E8CAD5F1FF call 0044E2FC
:00530D32 8B45E4 mov eax, dword ptr [ebp-1C]
:00530D35 B90F000000 mov ecx, 0000000F
:00530D3A BA08000000 mov edx, 00000008
:00530D3F E8683FEDFF call 00404CAC
:00530D44 8B45E8 mov eax, dword ptr [ebp-18]
:00530D47 E8A085EDFF call 004092EC
:00530D4C B9295B5B00 mov ecx, 005B5B29
:00530D51 99 cdq
:00530D52 F7F9 idiv ecx
:00530D54 83F802 cmp eax, 00000002
:00530D57 0F858C000000 jne 00530DE9
By now the code is quite clear: the call at 004092EC is where the registration code is checked, and if the code is correct the return value is 2. This program's registration mechanism also has a flaw: once the jump here is changed, the program registers itself.... On the next launch the restriction is gone.
From first opening the program to finishing, less than 20 minutes.
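The listing above shows two things a defender should take from this write-up: a check that converts the typed code to an integer, divides by a constant and only tests the quotient accepts a whole contiguous block of values rather than one code, and a check that ends in a single conditional jump (the `jne 00530DE9` twice) can be defeated by flipping that branch, after which the program persists its "registered" state. The following is an added illustration, not the program's code or the author's; the divisor and key are constructed placeholders, not the product's constants, and the HMAC-authenticated license is a stand-in design for comparison.

```python
import base64
import hashlib
import hmac
import json

# --- Model of the weak pattern seen in the listing --------------------------
# The disassembly converts the typed code to an integer, divides it by a
# constant (idiv ecx) and only tests that the quotient equals 2.  The
# constants below are CONSTRUCTED placeholders for this model, not the
# product's values.
MODEL_DIVISOR = 0x1000
MODEL_EXPECTED_QUOTIENT = 2


def weak_quotient_check(code: str) -> bool:
    """Accept `code` when int(code) // MODEL_DIVISOR == MODEL_EXPECTED_QUOTIENT."""
    try:
        value = int(code.strip())
    except ValueError:
        return False
    if value < 0:
        return False
    return value // MODEL_DIVISOR == MODEL_EXPECTED_QUOTIENT


def count_accepted(limit: int) -> int:
    """Number of integers in [0, limit) the weak check accepts.

    A quotient-only test accepts MODEL_DIVISOR consecutive values in a row,
    so the 'secret' is a range, not a code.
    """
    return sum(1 for v in range(limit) if weak_quotient_check(str(v)))


# --- A license whose contents are authenticated ----------------------------
# Constructed demo key.  A shipped product would use an asymmetric signature
# (e.g. Ed25519) so that only the public key is present in the client; HMAC
# is used here because it is in the standard library.
DEMO_ISSUER_KEY = b"constructed-demo-key-do-not-ship"
TAG_LEN = 32  # SHA-256 digest size


def issue_license(user: str, expires: str, key: bytes = DEMO_ISSUER_KEY) -> str:
    """Issuer side: serialise the payload and append an HMAC-SHA256 tag."""
    payload = json.dumps({"user": user, "expires": expires}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_license(license_text: str, key: bytes = DEMO_ISSUER_KEY):
    """Client side: return the payload dict if the tag verifies, else None."""
    try:
        blob = base64.urlsafe_b64decode(license_text.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) <= TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(payload.decode())
    except ValueError:
        return None


def payload_edit_rejected(license_text: str, old: bytes, new: bytes) -> bool:
    """Edit the payload bytes while keeping the original tag and report whether
    the verifier rejects the result; an unauthenticated format would not."""
    blob = base64.urlsafe_b64decode(license_text.encode())
    edited = blob[:-TAG_LEN].replace(old, new) + blob[-TAG_LEN:]
    return verify_license(base64.urlsafe_b64encode(edited).decode()) is None


if __name__ == "__main__":
    print("values accepted by the quotient check in [0, 4*divisor):",
          count_accepted(4 * MODEL_DIVISOR))
    lic = issue_license("alice", "2031-01-01")
    print("license verifies:", verify_license(lic))
    print("edited payload rejected:", payload_edit_rejected(lic, b"alice", b"mallory"))
```

Two caveats belong with this. First, `verify_license` still ends in an `if` in the client, i.e. the same kind of branch the listing patches, so an authenticated license by itself does not stop binary patching; it only stops forged or edited licenses. What it does change is that the license carries data (user, expiry) the program can act on, and that a server-side check can validate the same tag. Second, the "self-registration" the write-up describes comes from persisting registered state on the strength of one local check; a program should re-validate the stored license on every start rather than trust a flag written after a single successful comparison.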