160个破解练习之1-Acid burn.exe

从今天开始,每天破解一个小程序来练习逆向调试。

首先,先来看看这个程序,打开运行

点击确定,出现下面这个界面

点击 Serial/Name


随便填写,点击Check

弹出对话框“Sorry, The serial is incorrect”,于是把这个程序拖入IDA进行反汇编分析,搜索文本“Sorry, The serial is incorrect”(注意程序中该字符串实际拼写为“Sorry , The serial is incorect !”),找到附近的汇编代码,如下所示:

; ---------------------------------------------------------------------------
; sub_42F998 -- "Check" button handler of the Acid burn crackme (IDA listing).
; Entered with an object pointer in eax (kept in ebx).  Two fields of that
; object, +1DCh and +1E0h, are read through sub_41AA58 -- presumably the
; Name and Serial edit controls of the dialog described above (TODO confirm
; in IDA; the register-argument style suggests Borland convention).
; b0..b3 below denote bytes 0..3 of the text fetched from field +1DCh.
; Values computed in this listing:
;   dword_431750 = 29h, later 2 * 29h * b0        (feeds sub_406718 -> var_18)
;   dword_431754 = 7*b0 + 16*b1                   (not read again in this routine)
;   dword_431758 = 11*b3 + 14*b2                  (not read again in this routine)
;   var_C        = sub_4039AC over 5 pushed pieces (var_4, dword_42FBC8, var_18,
;                  dword_42FBC8, var_8); compared with the +1E0h text by
;                  sub_4039FC; ZF at 0042FB03 selects "Good job" vs "Sorry".
; Review note: b1, b3 and b2 are read at 0042FA06 / 0042FA26 / 0042FA3E
; *before* the `cmp eax, 4` at 0042FA57, so for a text shorter than 4 bytes
; those loads already ran past the end of the buffer when the check fires.
; The check itself is `jge` (signed, >= 4), i.e. a 4-byte text passes.
; An SEH frame is installed via fs:[0] at entry and unlinked at loc_42FB37;
; the cleanup block loc_42FB44 is also reached from 0042FB6C, which lies
; past the end of this listing, as does the final frame teardown.
; ---------------------------------------------------------------------------
CODE:0042F998 sub_42F998 proc near          ; DATA XREF: CODE:0042F943o  (referenced from data: an event handler slot, not a direct call)
CODE:0042F998
CODE:0042F998 var_18= dword ptr -18h        ; result of sub_406718 (derived from dword_431750)
CODE:0042F998 var_14= dword ptr -14h        ; second copy of the field +1DCh text
CODE:0042F998 var_10= dword ptr -10h        ; text of field +1DCh, later of field +1E0h
CODE:0042F998 var_C= dword ptr -0Ch         ; value assembled by sub_4039AC and compared with the +1E0h text
CODE:0042F998 var_8= dword ptr -8           ; "CRACKED"
CODE:0042F998 var_4= dword ptr -4           ; copy of dword_42FBAC
CODE:0042F998
CODE:0042F998 push    ebp
CODE:0042F999 mov     ebp, esp
CODE:0042F99B xor     ecx, ecx              ; six pushes of 0 = zero-initialise var_18..var_4 (6*4 = 18h bytes)
CODE:0042F99D push    ecx
CODE:0042F99E push    ecx
CODE:0042F99F push    ecx
CODE:0042F9A0 push    ecx
CODE:0042F9A1 push    ecx
CODE:0042F9A2 push    ecx
CODE:0042F9A3 push    ebx                   ; callee-saved; the matching pops are outside this listing
CODE:0042F9A4 push    esi
CODE:0042F9A5 mov     ebx, eax              ; ebx = object passed in eax; fields +1DCh / +1E0h are read from it below
CODE:0042F9A7 xor     eax, eax
CODE:0042F9A9 push    ebp                   ; SEH frame: saved ebp, handler address, previous chain head
CODE:0042F9AA push    offset loc_42FB67     ; handler (outside this listing)
CODE:0042F9AF push    dword ptr fs:[eax]    ; fs:[0] = current head of the SEH chain
CODE:0042F9B2 mov     fs:[eax], esp         ; link the new frame in
CODE:0042F9B5 mov     ds:dword_431750, 29h  ; constant 41, multiplied by b0 at 0042FA8D
CODE:0042F9BF lea     edx, [ebp+var_10]     ; var_10 <- text of field +1DCh (sub_41AA58 writes through edx; var_10 is used as a byte pointer below)
CODE:0042F9C2 mov     eax, [ebx+1DCh]
CODE:0042F9C8 call    sub_41AA58
CODE:0042F9CD mov     eax, [ebp+var_10]
CODE:0042F9D0 call    sub_403AB0            ; result saved in dword_43176C and handed to sub_406930 before the cmp eax, 4
CODE:0042F9D5 mov     ds:dword_43176C, eax
CODE:0042F9DA lea     edx, [ebp+var_10]     ; fetch field +1DCh again
CODE:0042F9DD mov     eax, [ebx+1DCh]
CODE:0042F9E3 call    sub_41AA58
CODE:0042F9E8 mov     eax, [ebp+var_10]
CODE:0042F9EB movzx   eax, byte ptr [eax]   ; b0
CODE:0042F9EE mov     esi, eax
CODE:0042F9F0 shl     esi, 3
CODE:0042F9F3 sub     esi, eax              ; esi = 8*b0 - b0 = 7*b0
CODE:0042F9F5 lea     edx, [ebp+var_14]     ; var_14 <- same field once more
CODE:0042F9F8 mov     eax, [ebx+1DCh]
CODE:0042F9FE call    sub_41AA58
CODE:0042FA03 mov     eax, [ebp+var_14]
CODE:0042FA06 movzx   eax, byte ptr [eax+1] ; b1 -- read before the length test at 0042FA57
CODE:0042FA0A shl     eax, 4                ; 16*b1
CODE:0042FA0D add     esi, eax
CODE:0042FA0F mov     ds:dword_431754, esi  ; dword_431754 = 7*b0 + 16*b1 (not read again in this routine)
CODE:0042FA15 lea     edx, [ebp+var_10]
CODE:0042FA18 mov     eax, [ebx+1DCh]
CODE:0042FA1E call    sub_41AA58
CODE:0042FA23 mov     eax, [ebp+var_10]
CODE:0042FA26 movzx   eax, byte ptr [eax+3] ; b3 -- read before the length test at 0042FA57
CODE:0042FA2A imul    esi, eax, 0Bh         ; esi = 11*b3
CODE:0042FA2D lea     edx, [ebp+var_14]
CODE:0042FA30 mov     eax, [ebx+1DCh]
CODE:0042FA36 call    sub_41AA58
CODE:0042FA3B mov     eax, [ebp+var_14]
CODE:0042FA3E movzx   eax, byte ptr [eax+2] ; b2 -- read before the length test at 0042FA57
CODE:0042FA42 imul    eax, 0Eh              ; 14*b2
CODE:0042FA45 add     esi, eax
CODE:0042FA47 mov     ds:dword_431758, esi  ; dword_431758 = 11*b3 + 14*b2 (not read again in this routine)
CODE:0042FA4D mov     eax, ds:dword_43176C
CODE:0042FA52 call    sub_406930            ; the author reads this as "length of the text"; result in eax
CODE:0042FA57 cmp     eax, 4
CODE:0042FA5A jge     short loc_42FA79      ; (author) this should be a check on the length of the entered name; only if it is greater than 4 does it proceed to further checks.  Note: jge is taken for eax >= 4 (signed), so a 4-byte text passes, and b1..b3 were already read above
CODE:0042FA5C push    0                     ; uType
CODE:0042FA5E mov     ecx, offset dword_42FB74 ; lpCaption
CODE:0042FA63 mov     edx, offset aSorryTheSerial ; "Sorry , The serial is incorect !"
CODE:0042FA68 mov     eax, ds:off_430A48    ; eax = *off_430A48, first argument of the message-box wrapper
CODE:0042FA6D mov     eax, [eax]
CODE:0042FA6F call    sub_42A170            ; same wrapper is used for all three message boxes in this routine
CODE:0042FA74 jmp     loc_42FB37            ; common exit
CODE:0042FA79 ; ---------------------------------------------------------------------------
CODE:0042FA79
CODE:0042FA79 loc_42FA79:                   ; CODE XREF: sub_42F998+C2j  -- length test passed
CODE:0042FA79 lea     edx, [ebp+var_10]
CODE:0042FA7C mov     eax, [ebx+1DCh]
CODE:0042FA82 call    sub_41AA58
CODE:0042FA87 mov     eax, [ebp+var_10]
CODE:0042FA8A movzx   eax, byte ptr [eax]   ; b0 again
CODE:0042FA8D imul    ds:dword_431750       ; one-operand form: edx:eax = b0 * 29h; only eax is kept
CODE:0042FA93 mov     ds:dword_431750, eax
CODE:0042FA98 mov     eax, ds:dword_431750
CODE:0042FA9D add     ds:dword_431750, eax  ; doubled: dword_431750 = 2 * 29h * b0
CODE:0042FAA3 lea     eax, [ebp+var_4]
CODE:0042FAA6 mov     edx, offset dword_42FBAC
CODE:0042FAAB call    sub_403708            ; var_4 <- dword_42FBAC (same routine stores "CRACKED" into var_8 below, so presumably a string assign)
CODE:0042FAB0 lea     eax, [ebp+var_8]
CODE:0042FAB3 mov     edx, offset aCracked  ; "CRACKED"
CODE:0042FAB8 call    sub_403708            ; var_8 <- "CRACKED"
CODE:0042FABD push    [ebp+var_4]           ; 1st pushed piece
CODE:0042FAC0 push    offset dword_42FBC8   ; 2nd pushed piece (pushed twice -- presumably a separator)
CODE:0042FAC5 lea     edx, [ebp+var_18]
CODE:0042FAC8 mov     eax, ds:dword_431750
CODE:0042FACD call    sub_406718            ; var_18 <- built from the numeric dword_431750 (presumably number-to-string)
CODE:0042FAD2 push    [ebp+var_18]          ; 3rd pushed piece
CODE:0042FAD5 push    offset dword_42FBC8   ; 4th pushed piece
CODE:0042FADA push    [ebp+var_8]           ; 5th pushed piece ("CRACKED")
CODE:0042FADD lea     eax, [ebp+var_C]
CODE:0042FAE0 mov     edx, 5                ; 5 = number of pieces pushed above
CODE:0042FAE5 call    sub_4039AC            ; var_C <- combination of the 5 pieces (presumably string concatenation)
CODE:0042FAEA lea     edx, [ebp+var_10]     ; var_10 <- text of field +1E0h (the other edit control)
CODE:0042FAED mov     eax, [ebx+1E0h]
CODE:0042FAF3 call    sub_41AA58
CODE:0042FAF8 mov     edx, [ebp+var_10]
CODE:0042FAFB mov     eax, [ebp+var_C]
CODE:0042FAFE call    sub_4039FC            ; compare var_C with the entered text; result in ZF
CODE:0042FB03 jnz     short loc_42FB1F      ; (author) if this condition holds it jumps to the "Sorry , The serial is incorect !" dialog, so this is the instruction to modify; see the analysis below.  Not taken (equal) falls through to "Good job"
CODE:0042FB05 push    0                     ; uType
CODE:0042FB07 mov     ecx, offset dword_42FBCC ; lpCaption
CODE:0042FB0C mov     edx, offset aGoodJobDude ; "Good job dude =)"
CODE:0042FB11 mov     eax, ds:off_430A48
CODE:0042FB16 mov     eax, [eax]
CODE:0042FB18 call    sub_42A170            ; success message box
CODE:0042FB1D jmp     short loc_42FB37
CODE:0042FB1F ; ---------------------------------------------------------------------------
CODE:0042FB1F
CODE:0042FB1F loc_42FB1F:                   ; CODE XREF: sub_42F998+16Bj  -- compare failed
CODE:0042FB1F push    0                     ; uType
CODE:0042FB21 mov     ecx, offset dword_42FB74 ; lpCaption (same caption as the length-fail box)
CODE:0042FB26 mov     edx, offset aSorryTheSerial ; "Sorry , The serial is incorect !"
CODE:0042FB2B mov     eax, ds:off_430A48
CODE:0042FB30 mov     eax, [eax]
CODE:0042FB32 call    sub_42A170
CODE:0042FB37
CODE:0042FB37 loc_42FB37:                   ; CODE XREF: sub_42F998+DCj
CODE:0042FB37                               ; sub_42F998+185j  -- common exit: unlink the SEH frame, then clean up
CODE:0042FB37 xor     eax, eax
CODE:0042FB39 pop     edx                   ; previous fs:[0]
CODE:0042FB3A pop     ecx                   ; discard handler address
CODE:0042FB3B pop     ecx                   ; discard saved ebp
CODE:0042FB3C mov     fs:[eax], edx         ; restore the SEH chain head
CODE:0042FB3F push    offset loc_42FB6E     ; consumed by the retn at 0042FB66; loc_42FB6E is outside this listing
CODE:0042FB44
CODE:0042FB44 loc_42FB44:                   ; CODE XREF: sub_42F998+1D4j  -- cleanup block; also entered from 0042FB6C, past the end of this listing
CODE:0042FB44 lea     eax, [ebp+var_18]
CODE:0042FB47 call    sub_403670            ; presumably releases var_18
CODE:0042FB4C lea     eax, [ebp+var_14]
CODE:0042FB4F mov     edx, 2                ; presumably a count: var_14 and the adjacent var_10
CODE:0042FB54 call    sub_403694
CODE:0042FB59 lea     eax, [ebp+var_C]
CODE:0042FB5C mov     edx, 3                ; presumably a count: var_C, var_8, var_4
CODE:0042FB61 call    sub_403694
CODE:0042FB66 retn                          ; continues at loc_42FB6E (pushed at 0042FB3F); pops of esi/ebx and the frame teardown are not in this listing

有以下几种改法:


1.打开UE,载入该程序,找到下面语句的十六进制代码

CODE:0042FB03 jnz     short loc_42FB1F  

将其改成 90 90,即两个空指令(NOP)

这种改法是最简单的,也是最暴力的。

2.将上述的十六进制代码改成 jz short loc_42FB1F的十六进制代码

这时,只要输入错误的账号密码即可注册。

3.分析代码,找到正确的账号密码(过于麻烦,这里不详细讲述)


注意:

CODE:0042FA5A jge     short loc_42FA79                //这应该是检测输入的名称的长度,如果大于4才能进行进一步的检测
根据上面代码可知,输入的账号密码要大于4个字符;当然,想要修改也可以,将其改成 jne short loc_42FA79 即可

显示如下


至此成功

