Target: 理想金钻金再来;
Source: 某想论坛;
Reason: a few notes from the "harmonizing" (cracking) process;
Software type: DLL;
Operating system: Windows XP;
Goal: remove the registration restriction.
First, a quick look at the basic information about this software.
[Figure: 图片1.png, uploaded 2022-6-4 14:11]
It is protected with VMProtect.
Loading TdxW.exe in OD and pressing F9, the program ends up in TerminateProcess:
[Figure: 图片2.png]
So loading it directly does not work; load it another way.
Attach OD to the running TdxW.exe process instead, F9, and it runs normally.
[Figure: 图片3.png]
Now the software can be studied in OD.
[Figure: 图片4.png]
Enter an arbitrary registration code and see what the registration does.
[Figure: 图片5.png]
It reports that the registration code does not exist: "Error,亲,注册码不存在." ("Error, dear, the registration code does not exist.")
Search the memory map for that string; there is one hit. Set a memory access breakpoint on the string's location:
[Figure: 图片6.png]
That does not work.
Try a function breakpoint instead: bp socket. Click Register and it breaks in socket:
[Figure: 图片7.png]
Alt+F9 (execute till user code) returns to user code:
[Figure: 图片8.png]
Keep stepping with F8. The breakpoint in socket fires a 2nd, 3rd and 4th time; each time, Alt+F9 back to user code and keep stepping with F8, until reaching:
[Figure: 图片9.png]
In the information window you can see
eax=214A05B8, (ASCII "2|Error,亲,注册码不存在.")
and on the stack ss:[1CAFEBF0]=1CAFEA04
Go back to the call that produced this; the code is as follows:
1A74412A 50 push eax
1A74412B 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
1A74412E 50 push eax
1A74412F E8 D3EFFEFF call JZL.1A733107 ; // online verification
1A744134 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax
1A74413A 8B5D DC mov ebx,dword ptr ss:[ebp-0x24]
1A74413D 85DB test ebx,ebx
1A74413F 74 09 je short JZL.1A74414A
1A744141 53 push ebx
1A744142 E8 2FD50000 call JZL.1A751676
1A744147 83C4 04 add esp,0x4
1A74414A 8B9D 68FFFFFF mov ebx,dword ptr ss:[ebp-0x98]
1A744150 85DB test ebx,ebx
1A744152 74 09 je short JZL.1A74415D
Step through this code with F8 until reaching:
1A744247 74 09 je short JZL.1A744252
1A744249 53 push ebx
1A74424A E8 27D40000 call JZL.1A751676
1A74424F 83C4 04 add esp,0x4
1A744252 8B5D DC mov ebx,dword ptr ss:[ebp-0x24]
1A744255 85DB test ebx,ebx
1A744257 74 09 je short JZL.1A744262
1A744259 53 push ebx
1A74425A E8 17D40000 call JZL.1A751676
1A74425F 83C4 04 add esp,0x4
1A744262 837D D8 00 cmp dword ptr ss:[ebp-0x28],0x0
1A744266 0F84 96000000 je JZL.1A744302 ; // not taken here; we need it to jump
1A74426C 68 04000080 push 0x80000004
1A744271 6A 00 push 0x0
1A744273 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
1A744276 85C0 test eax,eax
1A744278 75 05 jnz short JZL.1A74427F
1A74427A B8 202BE11A mov eax,JZL.1AE12B20
1A74427F 50 push eax
1A744280 68 01000000 push 0x1
1A744285 BB 30010000 mov ebx,0x130
1A74428A E8 00DF0000 call JZL.1A75218F
1A74428F 83C4 10 add esp,0x10
1A744292 8945 E0 mov dword ptr ss:[ebp-0x20],eax
1A744295 DB45 E0 fild dword ptr ss:[ebp-0x20]
1A744298 DD5D E0 fstp qword ptr ss:[ebp-0x20]
1A74429B DD45 E0 fld qword ptr ss:[ebp-0x20]
1A74429E DC25 212BE11A fsub qword ptr ds:[0x1AE12B21]
1A7442A4 DD5D D8 fstp qword ptr ss:[ebp-0x28]
1A7442A7 DD45 D8 fld qword ptr ss:[ebp-0x28]
1A7442AA E8 908EFEFF call JZL.1A72D13F
1A7442AF 68 01030080 push 0x80000301
1A7442B4 6A 00 push 0x0
1A7442B6 50 push eax
1A7442B7 68 04000080 push 0x80000004
1A7442BC 6A 00 push 0x0
1A7442BE 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
1A7442C1 85C0 test eax,eax
1A7442C3 75 05 jnz short JZL.1A7442CA
1A7442C5 B8 202BE11A mov eax,JZL.1AE12B20
1A7442CA 50 push eax
1A7442CB 68 02000000 push 0x2
1A7442D0 BB 38010000 mov ebx,0x138
1A7442D5 E8 D5DE0000 call JZL.1A7521AF
1A7442DA 83C4 1C add esp,0x1C
1A7442DD 8945 D4 mov dword ptr ss:[ebp-0x2C],eax
1A7442E0 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
1A7442E3 50 push eax
1A7442E4 8B1D 382FE11A mov ebx,dword ptr ds:[0x1AE12F38]
1A7442EA 85DB test ebx,ebx
1A7442EC 74 09 je short JZL.1A7442F7
1A7442EE 53 push ebx
1A7442EF E8 82D30000 call JZL.1A751676
1A7442F4 83C4 04 add esp,0x4
1A7442F7 58 pop eax
1A7442F8 A3 382FE11A mov dword ptr ds:[0x1AE12F38],eax
1A7442FD E9 7D070000 jmp JZL.1A744A7F
All the code before this point analyses the registration information obtained over the network. At 1A744266 the result of the online check is tested: if it is correct, the jump is taken; if not, execution falls through, assembles the message, and the jmp at 1A7442FD returns to the login screen, which shows "Error,亲,注册码不存在."
With the jump at 1A744266 taken, continue with F8:
1A7443AC 83C4 04 add esp,0x4
1A7443AF 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C]
1A7443B2 50 push eax
1A7443B3 FF75 D0 push dword ptr ss:[ebp-0x30]
1A7443B6 E8 E78CFEFF call JZL.1A72D0A2
1A7443BB 83C4 08 add esp,0x8
1A7443BE 83F8 00 cmp eax,0x0
1A7443C1 B8 00000000 mov eax,0x0
1A7443C6 0F94C0 sete al
1A7443C9 8945 C0 mov dword ptr ss:[ebp-0x40],eax
1A7443CC 8B5D D0 mov ebx,dword ptr ss:[ebp-0x30]
1A7443CF 85DB test ebx,ebx
1A7443D1 74 09 je short JZL.1A7443DC
1A7443D3 53 push ebx
1A7443D4 E8 9DD20000 call JZL.1A751676
1A7443D9 83C4 04 add esp,0x4
1A7443DC 8B5D C4 mov ebx,dword ptr ss:[ebp-0x3C]
1A7443DF 85DB test ebx,ebx
1A7443E1 74 09 je short JZL.1A7443EC
1A7443E3 53 push ebx
1A7443E4 E8 8DD20000 call JZL.1A751676
1A7443E9 83C4 04 add esp,0x4
1A7443EC 837D C0 00 cmp dword ptr ss:[ebp-0x40],0x0
1A7443F0 0F84 3B060000 je JZL.1A744A31 ; // taken here; we need it not to jump
1A7443F6 68 04000080 push 0x80000004
Up to 1A7443F0 the network state is checked once more; if the network is not OK, this jump is taken.
F9 (run):
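The two conditional jumps identified above (1A744266, which must be taken, and 1A7443F0, which must not) are the whole patch. The post does not show how the author applied it, so the following is an added example, not the author's code: a small Python patcher that converts the OD virtual addresses to file offsets through the PE section table, refuses to write unless the bytes on disk are exactly the encodings OD displayed, and keeps every replacement the same length as the original instruction. Assumptions: the image being patched is a PE32 file whose code is stored in clear (an unpacked dump of the JZL module, since VMProtect leaves the on-disk section encrypted); the replacement encodings (nop; jmp rel32 for the first jump, six NOPs for the second) are my choice; the `load_base` parameter exists because the addresses OD shows are load addresses, which differ from the header ImageBase when the DLL is relocated, so the base reported in OD's memory map should be passed in; `build_test_image()` is a constructed stand-in for the DLL, not real data from the target.

```python
import struct

# Patches taken from the two jumps found in the OllyDbg session above.
# Each entry: (virtual address shown by OD, bytes OD displayed there, replacement).
# Replacements keep the instruction length so the following code does not shift.
PATCHES = [
    # 1A744266  0F84 96000000  je JZL.1A744302  -> 90 E9 96000000 (nop; jmp rel32): always take the "code OK" path
    (0x1A744266, bytes.fromhex("0F8496000000"), bytes.fromhex("90E996000000")),
    # 1A7443F0  0F84 3B060000  je JZL.1A744A31  -> six NOPs: never branch to the failure path
    (0x1A7443F0, bytes.fromhex("0F843B060000"), bytes.fromhex("909090909090")),
]


def pe_sections(image):
    """Yield (virtual_address, virtual_size, raw_size, raw_pointer) for each section of a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    table = pe + 24 + opt_size                      # section table follows the optional header
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, table + 40 * i + 8)
        yield va, vsize, raw_size, raw_ptr


def header_image_base(image):
    """ImageBase from the PE32 optional header (only meaningful if the module was not relocated)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<H", image, pe + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    return struct.unpack_from("<I", image, pe + 24 + 28)[0]


def va_to_file_offset(image, va, load_base):
    """Map a load-time virtual address to a file offset via the section that contains its RVA."""
    rva = va - load_base
    for sec_va, vsize, raw_size, raw_ptr in pe_sections(image):
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            off = rva - sec_va
            if off >= raw_size:
                raise ValueError(f"VA {va:#x} is not file-backed (uninitialised data)")
            return raw_ptr + off
    raise ValueError(f"VA {va:#x} is outside every section; wrong load base?")


def apply_patches(image, patches=PATCHES, load_base=None):
    """Return a patched copy of `image`. Refuses to write if the bytes on disk differ from
    what OD displayed, which catches a wrong base or a section that is still packed."""
    base = header_image_base(image) if load_base is None else load_base
    out = bytearray(image)
    for va, expected, replacement in patches:
        if len(expected) != len(replacement):
            raise ValueError("a patch must not change the instruction length")
        off = va_to_file_offset(image, va, base)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#x} (file offset {off:#x}) holds {found.hex()}, expected {expected.hex()}")
        out[off:off + len(replacement)] = replacement
    return bytes(out)


def build_test_image():
    """Constructed stand-in for the unpacked DLL (not the real module): PE32 header with
    ImageBase 0x1A730000 and one .text section at RVA 0x14000 that holds the two original
    `je` encodings at the RVAs OD reported. Everything else is 0xCC filler."""
    image_base = 0x1A730000
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))          # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # COFF header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                                # ImageBase
    hdr += opt
    hdr += b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x14000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    hdr += b"\0" * (0x400 - len(hdr))
    text = bytearray(b"\xCC" * 0x1000)
    for va, original, _ in PATCHES:
        off = va - image_base - 0x14000
        text[off:off + len(original)] = original
    return bytes(hdr + text)


if __name__ == "__main__":
    img = build_test_image()
    patched = apply_patches(img)
    for va, _, new in PATCHES:
        print(f"{va:#x} -> {patched[va_to_file_offset(img, va, 0x1A730000):][:len(new)].hex()}")
```

Against a real dump, pass the module base from OD's memory map as `load_base`; if the patcher reports a byte mismatch, either the base is wrong or the section is still VMProtect-encrypted and the patch has to be applied in memory (for example from OD's Edit > Binary edit on the attached process) rather than on disk.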
[Figure: 图片10.png]
[Figure: 图片11.png]