教菜鸟写注册机——实战篇
前面我们折腾了半天都是在跟CRACKME过不去,可能有人觉得没意思了,这次咱们来个有实际意义的,呵呵,一个发布不久的软件——麻将拼图V1.04,这里来下:
http://skycn.softreg.com.cn/product.asp?id=/E5DCF286-05EE-4AA8-8ABE-9524013EFADA用W32DASM反下,找串式参考“注册失败!”到下面:(分析见后)
代码:--------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E16(C)
|
:00402E3F 8B3D88974000mov edi, dword ptr [00409788]
:00402E45 B940000000 mov ecx, 00000040
:00402E4A 33C0xor eax, eax
:00402E4C 8B6C2414mov ebp, dword ptr [esp+14]
:00402E50 F3 repz
:00402E51 AB stosd
:00402E52 8B3D7C974000mov edi, dword ptr [0040977C]
:00402E58 B940000000 mov ecx, 00000040
:00402E5D F3 repz
:00402E5E AB stosd
:00402E5F 8B0D88974000mov ecx, dword ptr [00409788]
* Reference To: USER32.SendDlgItemMessageA, Ord:020Fh
|
:00402E65 8B1D38714000mov ebx, dword ptr [00407138] ;注意
:00402E6B 51 push ecx ;用户名存放地址[409788]
:00402E6C 6A10push 00000010
:00402E6E 6A0Dpush 0000000D ;WM_GETTEXT
* Possible Reference to Dialog: DialogID_0070, CONTROL_ID:03E8, ""
|
:00402E70 68E8030000 push 000003E8 ;控件ID
:00402E75 55 push ebp
:00402E76 FFD3call ebx ;得到用户名
:00402E78 8B157C974000mov edx, dword ptr [0040977C]
:00402E7E 52 push edx ;注册码地址[40977C]
:00402E7F 6A10push 00000010
:00402E81 6A0Dpush 0000000D ;WM_GETTEXT
* Possible Reference to Dialog: DialogID_0070, CONTROL_ID:03E9, ""
|
:00402E83 68E9030000 push 000003E9 ;控件ID
:00402E88 55 push ebp
:00402E89 FFD3call ebx ;得到注册码
:00402E8B A188974000 mov eax, dword ptr [00409788]
:00402E90 803800 cmp byte ptr [eax], 00
:00402E93 0F8438010000je 00402FD1
:00402E99 8B0D7C974000mov ecx, dword ptr [0040977C]
:00402E9F 803900 cmp byte ptr [ecx], 00
:00402EA2 0F8429010000je 00402FD1
:00402EA8 50 push eax ;压入用户名
:00402EA9 E822FEFFFF call 00402CD0 ;关键CALL
:00402EAE 8B3D7C974000mov edi, dword ptr [0040977C] ;假码
:00402EB4 A188974000 mov eax, dword ptr [00409788] ;真码
:00402EB9 83C404 add esp, 00000004
:00402EBC 8BF7mov esi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EDC(C)
|
:00402EBE 8A10mov dl, byte ptr [eax]
:00402EC0 8ACAmov cl, dl
:00402EC2 3A16cmp dl, byte ptr [esi]
:00402EC4 751Cjne 00402EE2
:00402EC6 84C9test cl, cl
:00402EC8 7414je 00402EDE
:00402ECA 8A5001 mov dl, byte ptr [eax+01]
:00402ECD 8ACAmov cl, dl
:00402ECF 3A5601 cmp dl, byte ptr [esi+01]
:00402ED2 750Ejne 00402EE2
:00402ED4 83C002 add eax, 00000002
:00402ED7 83C602 add esi, 00000002
:00402EDA 84C9test cl, cl
:00402EDC 75E0jne 00402EBE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EC8(C)
|
:00402EDE 33C0xor eax, eax
:00402EE0 EB05jmp 00402EE7
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402EC4(C), :00402ED2(C)
|
:00402EE2 1BC0sbb eax, eax
:00402EE4 83D8FF sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EE0(U)
|
:00402EE7 85C0test eax, eax
:00402EE9 0F848D000000je 00402F7C
* Possible StringData Ref from Data Obj ->"52341546";骗人的:D
|
:00402EEF BEA4904000 mov esi, 004090A4
:00402EF4 8BC7mov eax, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F14(C)
|
:00402EF6 8A10mov dl, byte ptr [eax]
:00402EF8 8ACAmov cl, dl
:00402EFA 3A16cmp dl, byte ptr [esi]
:00402EFC 751Cjne 00402F1A
:00402EFE 84C9test cl, cl
:00402F00 7414je 00402F16
:00402F02 8A5001 mov dl, byte ptr [eax+01]
:00402F05 8ACAmov cl, dl
:00402F07 3A5601 cmp dl, byte ptr [esi+01]
:00402F0A 750Ejne 00402F1A
:00402F0C 83C002 add eax, 00000002
:00402F0F 83C602 add esi, 00000002
:00402F12 84C9test cl, cl
:00402F14 75E0jne 00402EF6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F00(C)
|
:00402F16 33C0xor eax, eax
:00402F18 EB05jmp 00402F1F
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402EFC(C), :00402F0A(C)
|
:00402F1A 1BC0sbb eax, eax
:00402F1C 83D8FF sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F18(U)
|
:00402F1F 85C0test eax, eax
:00402F21 7459je 00402F7C
:00402F23 A180974000 mov eax, dword ptr [00409780]
:00402F28 6A00push 00000000
:00402F2A 83F803 cmp eax, 00000003
* Possible StringData Ref from Data Obj ->"用户注册"
|
:00402F2D 6898904000 push 00409098
:00402F32 7D23jge 00402F57
* Possible StringData Ref from Data Obj ->"注册码错误!请重新输入!"
|
:00402F34 687C904000 push 0040907C
:00402F39 55 push ebp
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00402F3A FF1534714000Call dword ptr [00407134]
:00402F40 A180974000 mov eax, dword ptr [00409780]
:00402F45 5F pop edi
:00402F46 40 inc eax
:00402F47 5E pop esi
:00402F48 A380974000 mov dword ptr [00409780], eax
:00402F4D 5D pop ebp
:00402F4E B801000000 mov eax, 00000001
:00402F53 5B pop ebx
:00402F54 C21000 ret 0010
--------------------------------------------------------------------------------
根据错误错息找串式参考,很容易找到上面这些。然后从这个函数的开头开始分析。
首先值得一提的是程序取得文本框文本的方法。在这个程序中如果你下GetWindowText,GetDlgItemText这些断点都不能断到,那么它是靠的什么方法呢?我们可以在402E65这一句看到把一个API函数SendDlgItemMessage的地址给了EBX,然后下面两次调用EBX。可以想到这就是取用户名和注册码了,具体说明见下:
LONG SendDlgItemMessage(
HWND hDlg, // 对话框句柄
int nIDDlgItem, // 控件的ID
UINT Msg, // 要发送的消息
WPARAM wParam, // 消息的第一个附加值
LPARAM lParam // 消息的第二个附加值
) ;
对照上面的程序,可以发现它向ID为3E8h即1000的控件(用资源编辑工具可以发现这就是用户名的输入框)发送一个编号为0D的消息,这个消息表示什么呢?在winuser.h里有定义:
#define WM_SETTEXT0x000C
#define WM_GETTEXT0x000D
#define WM_GETTEXTLENGTH 0x000E
呵呵,不出所料是WM_GETTEXT。再来看WM_GETTEXT的附加值有什么意义
WM_GETTEXT
wParam = (WPARAM) cchTextMax; // number of characters to copy 得到的字串长度
lParam = (LPARAM) lpszText; // address of buffer for text 字串存放的地址
再看上面的程序就很明显了,第一个CALL的wParam为10,字串长度,lParam为[409788],这是用户名的位置,记好。第二个CALL得到假注册码放在[40977C]。
很不错的方式,躲开了常见的API,让我想起了DELPHI。
接下去是判断是否为空。然后把用户名PUSH进了,接着CALL。呵呵~~~~还不快跟进:
[
本帖最后由 booohr 于 2006-6-17 15:45 编辑 ]