Ahem, I'm back again! This time, at the request of a netizen called "一明", I'm helping out by trying to crack PE Explorer version 1.40.
First, the customary introduction of the software. Anyone doing cracking needs some tool for looking at PE files (what? you don't do cracking? well then...), things like tdump for example, but unfortunately those programs all run in character mode, which isn't very convenient. This PE Explorer runs under Windows and is powerful: it has all kinds of features, ones I understand and ones I don't, and the most practical are the disassembler and the resources manager. Truly the must-have remedy for home, travel and cracking files... My admiration for it flows like a mighty river... (Audience: go die! Advertising again!!!)
Ahem, back to business... First run the program. Wow, the interface is pretty, but one look tells you the menus are built from Delphi controls. To confirm that, and also to make sure it isn't packed, I first pulled out FileInfo to check it over. Yep, sure enough it's written in Delphi.
Since it's written in Delphi, by reflex I brought out Dede first. After disassembling, I picked the "Forms" tab, then selected "TrForm", stared at the right-hand window for a long while, and finally found a Button1 control whose OnClick event is Button1Click. Good, found the entry point, let's begin!
The next step is to pick the "Procedures" tab and double-click the Unit Name rUnit. Sure enough, in the right-hand window there's a Button1Click event. Double-click it and this big pile of mess appears:
0049C560 55 push ebp
0049C561 8BEC mov ebp, esp
0049C563 6A00 push $00
0049C565 53 push ebx
0049C566 8BD8 mov ebx, eax
0049C568 33C0 xor eax, eax
0049C56A 55 push ebp
* Possible String Reference to: ’榻m?腽[Y]脥@’
|
0049C56B 68C2C54900 push $0049C5C2
***** TRY
|
0049C570 64FF30 push dword ptr fs:[eax]
0049C573 648920 mov fs:[eax], esp
0049C576 8D55FC lea edx, [ebp-$04]
* Reference to control TrForm.Edit1 : TEdit
|
0049C579 8B8300020000 mov eax, [ebx+$0200]
* Reference to: controls.TControl.GetText(TControl):System.String;
|
0049C57F E86450F8FF call 004215E8
0049C584 8B55FC mov edx, [ebp-$04]
0049C587 A140C14F00 mov eax, dword ptr [$4FC140]
|
0049C58C E82774F6FF call 004039B8
0049C591 8D55FC lea edx, [ebp-$04]
* Reference to control TrForm.Edit2 : TEdit
|
0049C594 8B8304020000 mov eax, [ebx+$0204]
* Reference to: controls.TControl.GetText(TControl):System.String;
|
0049C59A E84950F8FF call 004215E8
0049C59F 8B55FC mov edx, [ebp-$04]
0049C5A2 A130C34F00 mov eax, dword ptr [$4FC330]
|
0049C5A7 E80C74F6FF call 004039B8
0049C5AC 33C0 xor eax, eax
0049C5AE 5A pop edx
0049C5AF 59 pop ecx
0049C5B0 59 pop ecx
0049C5B1 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: ’[Y]脥@’
|
0049C5B4 68C9C54900 push $0049C5C9
0049C5B9 8D45FC lea eax, [ebp-$04]
|
0049C5BC E8A373F6FF call 00403964
0049C5C1 C3 ret
0049C5C2 E9BD6DF6FF jmp 00403384
0049C5C7 EBF0 jmp 0049C5B9
****** END
|
0049C5C9 5B pop ebx
0049C5CA 59 pop ecx
0049C5CB 5D pop ebp
0049C5CC C3 ret
After staring at it for ages, it doesn't seem to have what I want! (There's no cmp, jne or anything of the sort!) Damn, so all that work before was for nothing... ◎#¥%!※¥! No way around it, back to square one!!!
This road is blocked, so now I have to change approach. I suddenly recalled that when the software initializes there's a splash window with the word "trial" in it. Haha, another way in!
This time I quickly pulled out w32dasm. After disassembling, I searched for the string "trial", and sure enough:
* Possible StringData Ref from Code Obj ->"trial version"
|
:004DD678 8B15CCB94F00 mov edx, dword ptr [004FB9CC]
:004DD67E E83563F2FF call 004039B8
:004DD683 B8B8B94F00 mov eax, 004FB9B8
* Possible StringData Ref from Code Obj ->"12345678FEDCBA98"
|
:004DD688 8B15D0B94F00 mov edx, dword ptr [004FB9D0]
:004DD68E E82563F2FF call 004039B8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004DD562(C), :004DD633(U), :004DD671(U)
|
:004DD693 8B45F0 mov eax, dword ptr [ebp-10]
:004DD696 80782401 cmp byte ptr [eax+24], 01
:004DD69A 7508 jne 004DD6A4
:004DD69C 8B45F0 mov eax, dword ptr [ebp-10]
:004DD69F E838F6FFFF call 004DCCDC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD69A(C)
|
:004DD6A4 E817D9FFFF call 004DAFC0
:004DD6A9 8B45F0 mov eax, dword ptr [ebp-10]
:004DD6AC 80B85402000000 cmp byte ptr [eax+00000254], 00
:004DD6B3 0F85F5070000 jne 004DDEAE
Good! Looks promising. What puzzles me is how there can be a string "12345678FEDCBA98"; I searched the whole program and never seemed to see it... Whatever, leave it for now. Load PE Explorer with softice's Symbol Loader, then set a breakpoint with bpx 004DD678, run, and register:
Registration Name: laoluo
Serial Number: 1234567890123456 (why 16 digits? you'll see later)
As soon as I pressed OK, softice popped up immediately. Good, it fired!
Then press F10 to get to 004DD69F, and press F8 to step into this call:
:004DCCDC 55 push ebp
:004DCCDD 8BEC mov ebp, esp
:004DCCDF 83C4BC add esp, FFFFFFBC
:004DCCE2 53 push ebx
:004DCCE3 56 push esi
:004DCCE4 33D2 xor edx, edx
:004DCCE6 8955BC mov dword ptr [ebp-44], edx
:004DCCE9 8955E8 mov dword ptr [ebp-18], edx
:004DCCEC 8955E4 mov dword ptr [ebp-1C], edx
:004DCCEF 8945EC mov dword ptr [ebp-14], eax
:004DCCF2 33C0 xor eax, eax
:004DCCF4 55 push ebp
:004DCCF5 6869CF4D00 push 004DCF69
:004DCCFA 64FF30 push dword ptr fs:[eax]
:004DCCFD 648920 mov dword ptr fs:[eax], esp
:004DCD00 8D45C3 lea eax, dword ptr [ebp-3D]
:004DCD03 B165 mov cl, 65
:004DCD05 BA21000000 mov edx, 00000021
:004DCD0A E87D5DF2FF call 00402A8C
:004DCD0F 33C0 xor eax, eax
:004DCD11 8945F8 mov dword ptr [ebp-08], eax
:004DCD14 33C0 xor eax, eax
:004DCD16 8945F4 mov dword ptr [ebp-0C], eax
:004DCD19 8D45C3 lea eax, dword ptr [ebp-3D]
:004DCD1C 8B15C4B94F00 mov edx, dword ptr [004FB9C4]
:004DCD22 E865ABF2FF call 0040788C
:004DCD27 8D45C3 lea eax, dword ptr [ebp-3D]
:004DCD2A 8945FC mov dword ptr [ebp-04], eax
:004DCD2D 60 pushad
:004DCD2E 8B7DFC mov edi, dword ptr [ebp-04]
:004DCD31 B818E41736 mov eax, 3617E418
:004DCD36 3107 xor dword ptr [edi], eax
:004DCD38 B82EFC35A9 mov eax, A935FC2E
:004DCD3D 314704 xor dword ptr [edi+04], eax
:004DCD40 B8B972D857 mov eax, 57D872B9
:004DCD45 314708 xor dword ptr [edi+08], eax
:004DCD48 B837B43D49 mov eax, 493DB437
:004DCD4D 31470C xor dword ptr [edi+0C], eax
:004DCD50 8B07 mov eax, dword ptr [edi]
:004DCD52 334704 xor eax, dword ptr [edi+04]
:004DCD55 8B5F08 mov ebx, dword ptr [edi+08]
:004DCD58 335F0C xor ebx, dword ptr [edi+0C]
:004DCD5B 8945F8 mov dword ptr [ebp-08], eax
:004DCD5E 895DF4 mov dword ptr [ebp-0C], ebx
:004DCD61 61 popad
:004DCD62 A1C8B94F00 mov eax, dword ptr [004FB9C8]
:004DCD67 E8746EF2FF call 00403BE0
:004DCD6C 83F810 cmp eax, 00000010 <- checks whether the serial is 16 characters
:004DCD6F 0F8CD1010000 jl 004DCF46
:004DCD75 8D45E8 lea eax, dword ptr [ebp-18]
:004DCD78 50 push eax
:004DCD79 B908000000 mov ecx, 00000008
:004DCD7E BA01000000 mov edx, 00000001
:004DCD83 A1C8B94F00 mov eax, dword ptr [004FB9C8]
:004DCD88 E85770F2FF call 00403DE4
:004DCD8D 8D45E4 lea eax, dword ptr [ebp-1C]
:004DCD90 50 push eax
:004DCD91 B908000000 mov ecx, 00000008
:004DCD96 BA09000000 mov edx, 00000009
:004DCD9B A1C8B94F00 mov eax, dword ptr [004FB9C8]
:004DCDA0 E83F70F2FF call 00403DE4
:004DCDA5 8D4DBC lea ecx, dword ptr [ebp-44]
:004DCDA8 BA08000000 mov edx, 00000008
:004DCDAD 8B45F8 mov eax, dword ptr [ebp-08]
:004DCDB0 E89FA4F2FF call 00407254
:004DCDB5 8B55BC mov edx, dword ptr [ebp-44] <- first 8 characters of the real serial
:004DCDB8 8B45E8 mov eax, dword ptr [ebp-18] <- first 8 characters of the serial I entered
:004DCDBB E8306FF2FF call 00403CF0
:004DCDC0 0F8560010000 jne 004DCF26 <- not equal means game over!
:004DCDC6 8D4DBC lea ecx, dword ptr [ebp-44]
:004DCDC9 BA08000000 mov edx, 00000008
:004DCDCE 8B45F4 mov eax, dword ptr [ebp-0C]
:004DCDD1 E87EA4F2FF call 00407254
:004DCDD6 8B55BC mov edx, dword ptr [ebp-44] <- last 8 characters of the real serial
:004DCDD9 8B45E4 mov eax, dword ptr [ebp-1C] <- last 8 characters of the serial I entered
:004DCDDC E80F6FF2FF call 00403CF0
:004DCDE1 0F853F010000 jne 004DCF26 <- not equal means...
:004DCDE7 B8B4B94F00 mov eax, 004FB9B4
:004DCDEC 8B15C4B94F00 mov edx, dword ptr [004FB9C4]
:004DCDF2 E8C16BF2FF call 004039B8
:004DCDF7 B8B8B94F00 mov eax, 004FB9B8
:004DCDFC 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004DCDFF 8B55E8 mov edx, dword ptr [ebp-18]
:004DCE02 E8256EF2FF call 00403C2C
:004DCE07 B201 mov dl, 01
Haha, now it's all clear. Issue d edx at the two addresses 004DCDB5 and 004DCDD6 and the result comes right out; my serial is:
Registration Name: laoluo
Serial Number: 964D162F1EE5C68E
How about that? Being a Cracker feels great, huh?
To express my respect for myself, I ran PE Explorer again, and the splash screen now reads: This copy is licensed to: laoluo
In a great mood, I had a look at About too; looking costs nothing after all... Damn, the dialog asking whether I want to trial it popped up again. Those damn Yanks kept a trick up their sleeve!
Completely baffled, I had no choice but to disassemble with w32dasm again, and found this:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD69A(C)
|
:004DD6A4 E817D9FFFF call 004DAFC0
:004DD6A9 8B45F0 mov eax, dword ptr [ebp-10]
:004DD6AC 80B85402000000 cmp byte ptr [eax+00000254], 00
:004DD6B3 0F85F5070000 jne 004DDEAE <- look familiar?
With a let's-just-try attitude I used hiew to change this jne to je, ran it, and haha!!! It actually worked!!!!!!
And just like that, $69 saved! (Note: dollars!)
Finally, a short summary:
1. All that space spent on Dede earlier wasn't actually wasted words (even though it turned out to be of no use this time); it was to make one point: a Cracker must have a flexible mind. When one road is blocked, change your thinking and try another method...
2. Software authors are getting cleverer and cleverer! Like this time: even after cracking the serial it still wasn't enough, there was another place with a check, and I had to resort to brute-force patching, which really goes against my original intent... If any expert knows what that second check is, please let me know! Many thanks!
Software used: FileInfo 2.45a, Dede 2.50c, SoftICE 4.05 for win95, W32DASM 8.93 Gold Edition, hiew 6.55
Time spent cracking: 1 hour
Time spent writing the tutorial: also 1 hour
Cracking "PE Explorer" version 1.40
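From the defender's side, the listing above shows why the serial fell out so easily: the client computes the expected serial from the name itself (the four XOR constants, then two 8-character halves), so the correct value is sitting in memory at the compare. The following Go example is added here and is neither the page's nor PE Explorer's code; it contrasts that pattern (using a constructed toy derivation, not the product's algorithm) with a signed-license check, where the shipped binary holds only a verifying key and nothing that can produce a valid license.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// deriveSerial is a constructed stand-in for a client-side derivation like the
// XOR sequence in the listing: 16 hex characters computed from the name alone.
// (Toy function, not PE Explorer's algorithm.)
func deriveSerial(name string) string {
	sum := sha256.Sum256([]byte(name))
	return strings.ToUpper(hex.EncodeToString(sum[:8]))
}

// weakCheck mirrors the pattern in the listing: a length test, then the two
// 8-character halves compared against values derived on the client. Whoever
// stops at the compare sees both expected halves in memory.
func weakCheck(name, serial string) bool {
	if len(serial) < 16 {
		return false
	}
	want := deriveSerial(name)
	return serial[:8] == want[:8] && serial[8:16] == want[8:16]
}

// issueLicense runs on the vendor side only; the private key never ships.
func issueLicense(priv ed25519.PrivateKey, name string) []byte {
	return ed25519.Sign(priv, []byte("pe-license:"+name))
}

// signedCheck is what ships in the client: it can verify a license but holds
// nothing that derives one, so a debugger at the compare shows only pass/fail
// and the user's own input.
func signedCheck(pub ed25519.PublicKey, name string, sig []byte) bool {
	return ed25519.Verify(pub, []byte("pe-license:"+name), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := issueLicense(priv, "laoluo")
	fmt.Println(weakCheck("laoluo", deriveSerial("laoluo")), signedCheck(pub, "laoluo", sig))
}
```

Patching the final conditional jump still defeats either form, which is the author's second finding; the signed form only removes the "read the expected serial off the stack" shortcut.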