从今天开始,每天破解一个小程序来练习逆向调试。
首先,先来看看这个程序,打开运行
点击确定,出现下面这个界面
点击 Serial/Name
随便填写,点击Check
弹出对话框"Sorry, The serial is incorrect",于是把这个程序拖入IDA进行反汇编分析,搜索文本"Sorry, The serial is incorrect",找到附近的汇编代码,如下所示:
;-----------------------------------------------------------------------
; sub_42F998 -- handler behind the crackme's "Check" button (IDA listing,
; Win32 x86, Intel syntax).
; The mov ebx,eax / lea edx,.. / call pattern and the fs:[0] frame look like
; the Borland/Delphi register convention (eax = Self, edx/ecx = further
; args) -- inferred, TODO confirm.
; In:    eax = form/object pointer; copied to ebx and kept live across calls
; Out:   eax = 0 just before the frame is unwound (loc_42FB37); the routine
;        only shows a message box, no meaningful return value
; Globals written: dword_431750, dword_431754, dword_431758, dword_43176C
; Stack: six dword locals (var_18..var_4) zeroed on entry, ebx/esi saved,
;        plus one fs:[0] exception-registration frame
; NOTE(review): of the three computed globals only dword_431750 feeds the
;        string that is finally compared; dword_431754 and dword_431758 are
;        stored here but never read in this routine.
;-----------------------------------------------------------------------
CODE:0042F998 sub_42F998 proc near ; DATA XREF: CODE:0042F943o
CODE:0042F998
CODE:0042F998 var_18= dword ptr -18h ; finalized alone by sub_403670 at loc_42FB44
CODE:0042F998 var_14= dword ptr -14h ; finalized together with var_10 (edx=2)
CODE:0042F998 var_10= dword ptr -10h ; scratch: receives the text fetched from the edit controls
CODE:0042F998 var_C= dword ptr -0Ch ; finalized together with var_8 and var_4 (edx=3)
CODE:0042F998 var_8= dword ptr -8 ; receives "CRACKED"
CODE:0042F998 var_4= dword ptr -4 ; receives the constant at dword_42FBAC
CODE:0042F998
CODE:0042F998 push ebp
CODE:0042F999 mov ebp, esp ; standard frame
CODE:0042F99B xor ecx, ecx ; ecx = 0
CODE:0042F99D push ecx ; six pushes of 0: var_18..var_4 start out zeroed
CODE:0042F99E push ecx
CODE:0042F99F push ecx
CODE:0042F9A0 push ecx
CODE:0042F9A1 push ecx
CODE:0042F9A2 push ecx
CODE:0042F9A3 push ebx ; save callee-saved ebx/esi
CODE:0042F9A4 push esi
CODE:0042F9A5 mov ebx, eax ; ebx = incoming object pointer (used as [ebx+1DCh] / [ebx+1E0h] below)
CODE:0042F9A7 xor eax, eax ; eax = 0, used as the fs:[0] selector offset below
CODE:0042F9A9 push ebp
CODE:0042F9AA push offset loc_42FB67 ; handler address of the new exception frame
CODE:0042F9AF push dword ptr fs:[eax] ; save previous fs:[0] (exception registration chain)
CODE:0042F9B2 mov fs:[eax], esp ; install the frame; undone at loc_42FB37
CODE:0042F9B5 mov ds:dword_431750, 29h ; seed for the arithmetic at loc_42FA79: dword_431750 = 0x29 (41)
CODE:0042F9BF lea edx, [ebp+var_10]
CODE:0042F9C2 mov eax, [ebx+1DCh] ; control at +1DCh: the Name edit according to the author's note -- TODO confirm
CODE:0042F9C8 call sub_41AA58 ; sub_41AA58(eax=control, edx=&var_10): presumably fetches the control's text into var_10
CODE:0042F9CD mov eax, [ebp+var_10]
CODE:0042F9D0 call sub_403AB0 ; eax = sub_403AB0(var_10); the result is only used as input to sub_406930 below
CODE:0042F9D5 mov ds:dword_43176C, eax
CODE:0042F9DA lea edx, [ebp+var_10]
CODE:0042F9DD mov eax, [ebx+1DCh]
CODE:0042F9E3 call sub_41AA58 ; same text fetched again into var_10
CODE:0042F9E8 mov eax, [ebp+var_10]
CODE:0042F9EB movzx eax, byte ptr [eax] ; eax = s[0] (first byte, zero-extended)
CODE:0042F9EE mov esi, eax
CODE:0042F9F0 shl esi, 3 ; esi = 8*s[0]
CODE:0042F9F3 sub esi, eax ; esi = 7*s[0]
CODE:0042F9F5 lea edx, [ebp+var_14]
CODE:0042F9F8 mov eax, [ebx+1DCh]
CODE:0042F9FE call sub_41AA58 ; same text, this time into var_14
CODE:0042FA03 mov eax, [ebp+var_14]
CODE:0042FA06 movzx eax, byte ptr [eax+1] ; eax = s[1]
CODE:0042FA0A shl eax, 4 ; eax = 16*s[1]
CODE:0042FA0D add esi, eax ; esi = 7*s[0] + 16*s[1]
CODE:0042FA0F mov ds:dword_431754, esi ; stored, never read again in this routine
CODE:0042FA15 lea edx, [ebp+var_10]
CODE:0042FA18 mov eax, [ebx+1DCh]
CODE:0042FA1E call sub_41AA58
CODE:0042FA23 mov eax, [ebp+var_10]
CODE:0042FA26 movzx eax, byte ptr [eax+3] ; eax = s[3]
CODE:0042FA2A imul esi, eax, 0Bh ; esi = 11*s[3]
CODE:0042FA2D lea edx, [ebp+var_14]
CODE:0042FA30 mov eax, [ebx+1DCh]
CODE:0042FA36 call sub_41AA58
CODE:0042FA3B mov eax, [ebp+var_14]
CODE:0042FA3E movzx eax, byte ptr [eax+2] ; eax = s[2]
CODE:0042FA42 imul eax, 0Eh ; eax = 14*s[2]
CODE:0042FA45 add esi, eax ; esi = 11*s[3] + 14*s[2]
CODE:0042FA47 mov ds:dword_431758, esi ; stored, never read again in this routine
CODE:0042FA4D mov eax, ds:dword_43176C
CODE:0042FA52 call sub_406930 ; eax = sub_406930(dword_43176C); compared with 4 next, so a length-like value (author: name length)
CODE:0042FA57 cmp eax, 4
CODE:0042FA5A jge short loc_42FA79 // (author) This appears to check the length of the entered name; only when it is greater than 4 does the further check run. ; NOTE(review): jge is a signed ">=", so a value of exactly 4 also takes the branch. Bytes s[0..3] were already read above without a length check.
CODE:0042FA5C push 0 ; uType
CODE:0042FA5E mov ecx, offset dword_42FB74 ; lpCaption
CODE:0042FA63 mov edx, offset aSorryTheSerial ; "Sorry , The serial is incorect !"
CODE:0042FA68 mov eax, ds:off_430A48
CODE:0042FA6D mov eax, [eax] ; eax = *off_430A48 (receiver object for the call)
CODE:0042FA6F call sub_42A170 ; IDA's uType/lpCaption names suggest a MessageBox-style wrapper: show the failure text
CODE:0042FA74 jmp loc_42FB37 ; skip to the common unwind
CODE:0042FA79 ; ---------------------------------------------------------------------------
CODE:0042FA79
CODE:0042FA79 loc_42FA79: ; CODE XREF: sub_42F998+C2j
CODE:0042FA79 lea edx, [ebp+var_10]
CODE:0042FA7C mov eax, [ebx+1DCh]
CODE:0042FA82 call sub_41AA58 ; name text into var_10 once more
CODE:0042FA87 mov eax, [ebp+var_10]
CODE:0042FA8A movzx eax, byte ptr [eax] ; eax = s[0]
CODE:0042FA8D imul ds:dword_431750 ; one-operand imul: edx:eax = s[0] * dword_431750 (= 41*s[0]); edx (high half) is discarded
CODE:0042FA93 mov ds:dword_431750, eax
CODE:0042FA98 mov eax, ds:dword_431750
CODE:0042FA9D add ds:dword_431750, eax ; doubled: dword_431750 = 2 * 41 * s[0]
CODE:0042FAA3 lea eax, [ebp+var_4]
CODE:0042FAA6 mov edx, offset dword_42FBAC
CODE:0042FAAB call sub_403708 ; sub_403708(eax=&var_4, edx=constant): presumably assigns the constant at dword_42FBAC to var_4
CODE:0042FAB0 lea eax, [ebp+var_8]
CODE:0042FAB3 mov edx, offset aCracked ; "CRACKED"
CODE:0042FAB8 call sub_403708 ; var_8 := "CRACKED" (same helper)
CODE:0042FABD push [ebp+var_4] ; five pieces pushed for the call at 0042FAE5
CODE:0042FAC0 push offset dword_42FBC8
CODE:0042FAC5 lea edx, [ebp+var_18]
CODE:0042FAC8 mov eax, ds:dword_431750
CODE:0042FACD call sub_406718 ; sub_406718(eax=dword_431750, edx=&var_18): presumably converts the number to a string in var_18
CODE:0042FAD2 push [ebp+var_18]
CODE:0042FAD5 push offset dword_42FBC8
CODE:0042FADA push [ebp+var_8]
CODE:0042FADD lea eax, [ebp+var_C]
CODE:0042FAE0 mov edx, 5 ; piece count
CODE:0042FAE5 call sub_4039AC ; presumably concatenates the five pushed pieces into var_C (the expected serial); the order the callee consumes them in is not visible here
CODE:0042FAEA lea edx, [ebp+var_10]
CODE:0042FAED mov eax, [ebx+1E0h] ; control at +1E0h: the other edit box, presumably the Serial field -- TODO confirm
CODE:0042FAF3 call sub_41AA58 ; its text into var_10
CODE:0042FAF8 mov edx, [ebp+var_10]
CODE:0042FAFB mov eax, [ebp+var_C]
CODE:0042FAFE call sub_4039FC ; sub_4039FC(eax=var_C, edx=var_10): string compare; only its flags are consumed
CODE:0042FB03 jnz short loc_42FB1F // (author) If this condition holds, control jumps to the "Sorry , The serial is incorect !" dialog, so this is the statement to modify; see the analysis below. ; NOTE(review): taken when the compare reported "not equal"; the entire check collapses to this one flag test, which is why a single-instruction patch defeats it.
CODE:0042FB05 push 0 ; uType
CODE:0042FB07 mov ecx, offset dword_42FBCC ; lpCaption
CODE:0042FB0C mov edx, offset aGoodJobDude ; "Good job dude =)"
CODE:0042FB11 mov eax, ds:off_430A48
CODE:0042FB16 mov eax, [eax]
CODE:0042FB18 call sub_42A170 ; success message box
CODE:0042FB1D jmp short loc_42FB37
CODE:0042FB1F ; ---------------------------------------------------------------------------
CODE:0042FB1F
CODE:0042FB1F loc_42FB1F: ; CODE XREF: sub_42F998+16Bj
CODE:0042FB1F push 0 ; uType
CODE:0042FB21 mov ecx, offset dword_42FB74 ; lpCaption
CODE:0042FB26 mov edx, offset aSorryTheSerial ; "Sorry , The serial is incorect !"
CODE:0042FB2B mov eax, ds:off_430A48
CODE:0042FB30 mov eax, [eax]
CODE:0042FB32 call sub_42A170 ; failure message box (same text as the length-check path)
CODE:0042FB37
CODE:0042FB37 loc_42FB37: ; CODE XREF: sub_42F998+DCj
CODE:0042FB37 ; sub_42F998+185j
CODE:0042FB37 xor eax, eax ; eax = 0 (fs:[0] selector offset again)
CODE:0042FB39 pop edx ; edx = previous fs:[0] saved at entry
CODE:0042FB3A pop ecx ; discard handler address ...
CODE:0042FB3B pop ecx ; ... and the ebp copy pushed at 0042F9A9
CODE:0042FB3C mov fs:[eax], edx ; exception frame removed
CODE:0042FB3F push offset loc_42FB6E ; continuation address: the retn below lands here, not at the caller (loc_42FB6E is outside this listing; presumably the try/finally tail that restores esi/ebx and the frame -- TODO confirm)
CODE:0042FB44
CODE:0042FB44 loc_42FB44: ; CODE XREF: sub_42F998+1D4j
CODE:0042FB44 lea eax, [ebp+var_18]
CODE:0042FB47 call sub_403670 ; sub_403670(&var_18): presumably releases one local
CODE:0042FB4C lea eax, [ebp+var_14]
CODE:0042FB4F mov edx, 2
CODE:0042FB54 call sub_403694 ; sub_403694(&var_14, 2): presumably releases two adjacent locals (var_14, var_10)
CODE:0042FB59 lea eax, [ebp+var_C]
CODE:0042FB5C mov edx, 3
CODE:0042FB61 call sub_403694 ; same for var_C, var_8, var_4
CODE:0042FB66 retn ; pops the loc_42FB6E address pushed above (assuming the cleanup callees leave the stack balanced)
有以下几种改法:
1.打开UE,载入该程序,找到下面语句的十六进制代码
CODE:0042FB03 jnz short loc_42FB1F
将其改成两个 90(即 90 90),也就是两个空指令(NOP)。
这种改法是最简单的,也是最暴力的。
2.将上述的十六进制代码改成 jz short loc_42FB1F的十六进制代码
这时,只要输入错误的账号密码即可注册。
3.分析代码,找到正确的账号密码(过于麻烦,这里不详细讲述)
注意:
CODE:0042FA5A jge short loc_42FA79 //这应该是检测输入的名称的长度,如果大于4才能进行进一步的检测
根据上面代码可知,输入的账号密码要大于4个字符。当然,这里也可以修改,将其改成 jne short loc_42FA79 即可(jne 在长度不等于 4 时跳转)。
显示如下
至此成功