A Brief Analysis of Final Uninstaller
Final Uninstaller homepage: http://www.finaluninstaller.com/
For some software, all we need is to get it registered, and in that case the simplest approach is patching. Here I'm sharing another small idea: this program's function return value is a bit interesting, and the verification also does two comparisons. As New Year's Day is upon us, here is a brief analysis for everyone.
----------------------------------------------------------------
The program is not packed. Load it in OD, enter a registration code (the program already gives the format), then set the universal breakpoint.
004BC53C|.55 PUSH EBP ;after setting the universal breakpoint, execution breaks here
004BC53D|.68 D1C64B00 PUSH FU.004BC6D1
004BC542|.64:FF30 PUSH DWORD PTR FS:
004BC545|.64:8920 MOV DWORD PTR FS:,ESP
004BC548|.8D55 C8 LEA EDX,DWORD PTR SS:
004BC54B|.8B45 FC MOV EAX,DWORD PTR SS:
004BC54E|.8B80 30040000 MOV EAX,DWORD PTR DS:
004BC554|.E8 1F69F8FF CALL FU.00442E78 ;fetch the registration code
004BC559|.8B45 C8 MOV EAX,DWORD PTR SS:
004BC55C|.8D55 F0 LEA EDX,DWORD PTR SS:
004BC55F|.E8 E4C8F4FF CALL FU.00408E48
004BC564|.837D F0 00 CMP DWORD PTR SS:,0 ;check whether the registration code is empty
004BC568|.0F84 2D010000 JE FU.004BC69B
004BC56E|.8B45 F0 MOV EAX,DWORD PTR SS:
004BC571|.E8 0EA5FBFF CALL FU.00476A84 ;algorithm CALL
004BC576|.8945 F4 MOV DWORD PTR SS:,EAX ;store the function return value EAX into
004BC579|.837D F4 00 CMP DWORD PTR SS:,0
004BC57D|.0F8E FE000000 JLE FU.004BC681 ;first comparison: shows the function return value must not be zero
004BC583|.E8 DCE7F4FF CALL FU.0040AD64
004BC588|.83C4 F8 ADD ESP,-8 ; /
004BC58B|.DD1C24 FSTP QWORD PTR SS: ; |Arg1 (8 bytes)
004BC58E|.9B WAIT ; |
004BC58F|.8D55 C4 LEA EDX,DWORD PTR SS: ; |
004BC592|.B8 E4C64B00 MOV EAX,FU.004BC6E4 ; |ASCII "yyyymmdd"
004BC597|.E8 D4F4F4FF CALL FU.0040BA70 ; \FU.0040BA70
004BC59C|.8B45 C4 MOV EAX,DWORD PTR SS:
004BC59F|.E8 C8CCF4FF CALL FU.0040926C
004BC5A4|.8945 F8 MOV DWORD PTR SS:,EAX
004BC5A7|.8B45 F4 MOV EAX,DWORD PTR SS: ;i.e. the function return value is moved back into EAX
004BC5AA|.3B45 F8 CMP EAX,DWORD PTR SS: ;compare EAX with the stored value, = 01328CF5
004BC5AD|.7D 27 JGE SHORT FU.004BC5D6 ;second comparison: shows the function value must be greater than or equal to 0x01328CF5
004BC5AF|.6A 10 PUSH 10
004BC5B1|.68 F0C64B00 PUSH FU.004BC6F0 ;ASCII "Error"
004BC5B6|.68 F8C64B00 PUSH FU.004BC6F8 ;ASCII "Your serial number has expired!"
004BC5BB|.8B45 FC MOV EAX,DWORD PTR SS:
004BC5BE|.E8 7DCFF8FF CALL FU.00449540
004BC5C3|.50 PUSH EAX ; |hOwner
004BC5C4|.E8 53B2F4FF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004BC5C9|.8B45 FC MOV EAX,DWORD PTR SS:
004BC5CC|.E8 BFC5FFFF CALL FU.004B8B90
004BC5D1|.E9 C5000000 JMP FU.004BC69B
004BC5D6|>8D55 CC LEA EDX,DWORD PTR SS:
Key point (see the value in the data window):
004BC5AA|.3B45 F8 CMP EAX,DWORD PTR SS: ;=01328CF5
004BC5AD|.7D 27 JGE SHORT FU.004BC5D6
From this comparison we learn that the algorithm CALL's return value should be greater than or equal to 01328CF5.
----------------------------------------------------------------
Algorithm CALL:
00476A84 55 PUSH EBP
00476A85 8BEC MOV EBP,ESP
00476A87 B9 13000000 MOV ECX,13
00476A8C|>6A 00 /PUSH 0
00476A8E|.6A 00 |PUSH 0
00476A90|.49 |DEC ECX
00476A91|.^ 75 F9 \JNZ SHORT FU.00476A8C
00476A93|.8945 FC MOV DWORD PTR SS:,EAX
Local calls from 004B8384, 004BA8F6, 004BC571
----------------------------------------------------------------
From the number of call sites we can tell the program checks three times whether the software is registered. We change it to:
00476A84 B8 F58C3201 MOV EAX,1328CF5
00476A89 C3 RETN
----------------------------------------------------------------
Save and you're done. The software isn't difficult; it's well suited for beginners to practice on. Wishing everyone a happy New Year as well o(∩_∩)o... By: Nisy

It's about the same as a flag.

Newbie here, coming to learn.

Thanks, OP, learned something.
At first I only patched the registration spot,
but after a restart the verification still triggered.
What I got here, though, was 01328DC3.
[ This post was last edited by liuyun213 on 2009-3-7 21:22 ]