<html>
<head>
<title>Crack Tutorial</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link rel="stylesheet" href="style/css.css" type="text/css">
<link rel="stylesheet" href="../STYLE/Css.css" type="text/css">
</head>

<body bgcolor="white" text="#000000" link="#004080" vlink="#004080" background="../image/Back.gif">
<p><a href="../catalog.htm">Contents</a>&gt;&gt;Chapter 4</p>
<p align="center" class="shadow1Copy"><b class="p3">Chapter 4 Static Analysis Techniques</b></p>
<table width="80%" border="0" cellspacing="0" cellpadding="3" align="center" bgcolor="#bcbcbc" bordercolor="#111111" class="shadow1">
  <tr> 
    <td class="shadow1" width="20%"> 
      <div align="center"><span class="p9">Section 1 <a href="Chap4-1.htm"><font color="#FFFFFF">Basics</font></a></span></div>
    </td>
    <td class="shadow1" width="20%"> 
      <div align="center"><span class="p9">Section 2 <a href="Chap4-2.htm"><font color="#FFFFFF">Introduction to W32Dasm</font></a></span></div>
    </td>
    <td class="shadow1" width="20%"> 
      <div align="center">Section 3 <a href="Chap4-3.htm"><font color="#FFFFFF">Introduction to IDA Pro</font></a></div>
    </td>
    <td class="shadow1" width="19%"> 
      <div align="center"><span class="p9">Section 4 <a href="Chap4-4.htm"><font color="#FFFFFF">Introduction to HIEW</font></a></span></div>
    </td>
    <td class="shadow1" width="21%">
      <div align="center"><span class="p9">Section 5 <a href="Chap4-5.htm"><font color="#FFFFFF">Cracking Tutorial</font></a></span></div>
    </td>
  </tr>
</table>
<p align="center"><span class="p9"><b>Section 5 Cracking Tutorial</b></span></p>
<p class="p9" align="left">Target: exercise <a href="Exercise/chap4-eg-1.zip">Chap4-eg-1.zip</a>;</p>
<p class="p9" align="left"><font color="#000000">Cracking tools: W32Dasm, Hiew;</font></p>
<p class="p9" align="left"><font color="#000000">1. Approach: first run the program you want to crack and take note of the information it shows you: text, nag screens, buttons and so on. The most important item is the error message, e.g. "Wrong serial..". Write it down, because you will need it later to find the place where the error message box is called. When W32Dasm has finished disassembling, you will see a screen full of hard-to-read assembly. Remember the message you were just asked to write down? Now click <i><b>String Data References (SDR)</b></i> in the toolbar. This function is extremely useful.</font></p>
<p class="p9" align="left">In <font color="#000000"><i><b>String Data References</b></i></font> find that message (only part of it may be displayed), double-click it to go to the related code, and then analyse the code.</p>
<p class="p9" align="left">2. Run the crackme, enter a fake serial number and click CHECK. The error message &quot;Incorrect try again!! &quot; appears; write it down.</p>
<p class="p9" align="left">3. Make a backup copy of the crackme and disassemble it with W32DASM.</p>
<p class="p9" align="left">4. Once disassembly is complete, click the <font color="#000000"><i><b>String Data Reference</b></i></font> button, find &quot;Incorrect try again!! &quot; in the list of strings and double-click it. (Note: if the string is referenced at several places in the code, each further double-click moves the cursor to the next occurrence.)</p>
<p class="p9" align="left">5. Close this window and return to the main window. You should see the following lines:</p>
<table width="100%" cellspacing="0" align="center">
  <tr bgcolor="#F2FFFF"> 
    <td> 
      <p class="p9">* Referenced by a (U)nconditional or (C)onditional Jump at 
        Address: <br>
        |:00401595(C) <br>
        | <br>
        :004015AD 6A40&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push 00000040 <br>
        <br>
        * Possible StringData Ref from Data Obj ->"CrackMe"//title of the error message box <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004015AF 686C304000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        0040306C <br>
        <br>
        * Possible StringData Ref from Data Obj ->"Incorrect try again!!"//the error message; this is the line we arrived at 
        <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :004015B4 6874304000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 
        00403074 <br>
        :004015B9 8B4DE0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; mov ecx, dword ptr [ebp-20] </p>
    </td>
  </tr>
</table>
<p class="p9" align="left">6. Now you must search upwards from this line until you find an instruction such as cmp, jne, je, test, etc.
</p>
<p class="p9" align="left">CMP = compare (e.g. CMP EAX, EBX) &lt;- compares EAX with EBX<br>
  JE = jump if equal<br>
  JNE = jump if not equal<br>
  JL = jump if less than<br>
  JLE = jump if less than or equal<br>
  JA = jump if above (unsigned greater than)<br>
  JAE = jump if above or equal (unsigned greater than or equal)<br>
  JMP = unconditional jump </p>
<p class="p9" align="left">7. Note this line of code:</p>
<p class="p9" align="left">* Referenced by a (U)nconditional or (C)onditional 
  Jump at Address: <br>
  |<font color="#FF3333">:00401595(C) </font><br>
  | <br>
  :004015AD 6A40&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
  &nbsp; push 00000040 <br>
</p>
<p class="p9" align="left"><font color="#FF3333">:00401595(C) </font>is a code location, not a file offset; it means that a (C)onditional jump at <font color="#FF3333">00401595</font> lands on this line. Now use the menu function <b><i>Goto Code Location</i></b> or press <b><i>shift+F12</i></b>, enter <font color="#FF3333">:00401595</font> in the dialog, and you will arrive here: 
  <br>
</p>
<table width="100%" cellspacing="0" align="center">
  <tr bgcolor="#F2FFFF"> 
    <td> 
      <p class="p9">:00401585 8D4DE4&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; lea ecx, dword ptr [ebp-1C] <br>
        :00401588 51&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push ecx <br>
        :00401589 8D55F4&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; lea edx, dword ptr [ebp-0C] <br>
        :0040158C 52&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; push edx <br>
        <br>
        * Reference To: KERNEL32.lstrcmpA, Ord:02FCh <br>
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
        :0040158D FF1500204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call dword 
        ptr [00402000] <br>
        :00401593 85C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; test eax, eax <br>
        :00401595 7516&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
        &nbsp; &nbsp; jne <font color="#FF3333">004015AD</font> </p>
    </td>
  </tr>
</table>
<p class="p9" align="left">8. At this point you could find the serial number quickly with SoftICE and dynamic debugging; here, however, we crack it by brute force (patching). Note:</p>
<p class="p9" align="left">:0040158D FF1500204000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
  &nbsp; Call dword ptr [00402000]//the core comparison of the real and the entered serial (calls lstrcmpA) <br>
  :00401593 85C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
  &nbsp; test eax, eax//eax is used as the flag: if the two are equal, eax=0 <br>
  :00401595 7516&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
  &nbsp; jne <font color="#FF3333">004015AD</font>//if the jump is not taken, registration succeeds </p>
<p class="p9" align="left">Do you see it? To make the program accept any registration code, simply change JNE (jump if not equal) to JE (jump if equal), or replace it with the no-op instruction nop (executes nothing). With the former change only an incorrect code will register; with the latter any code will.</p>
<p class="p9" align="left">9. Move the green highlight bar onto <font color="#FF3333">:00401595 7516 jne 
  004015AD</font>. A line at the bottom of the window shows the file offset of this instruction, here @Offset 00001595h. This is the place that must be modified.</p>
<p class="p9" align="center"><img src="Image/lesson81401.gif" width="539" height="85"></p>
<p class="p9" align="left">10. Start Hiew, open crackme.exe, press F4 and select decode mode, then press F5 and enter the offset 1595 (@Offset 00001595h). You should see the following lines:</p>
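<p class="p9" align="left">Steps 7 to 10 do three things by hand: read the bytes <code>7516</code> as <code>jne 004015AD</code>, reason about how <code>test eax,eax</code> sets the flag that the jump consumes, and translate the code location <code>:00401595</code> into the file offset <code>00001595h</code> that Hiew needs. The script below, an added example that is not part of the book and not the crackme's own code, reproduces each of those steps so they can be checked rather than taken on trust. The section-table values (image base 0x400000, a .text section whose RVA equals its raw-data pointer) are assumptions chosen so that the book's stated offset comes out; the real crackme's headers were not read for this example.</p>

```python
"""Reproduce the static-analysis steps of section 5 (added example, not from the book).

1. decode the short jump W32Dasm displays at 00401595 (bytes 75 16) and derive its target;
2. model `test eax,eax; jne` on the return value of lstrcmpA, including the two patches
   the text discusses (jne->je and jne->nop);
3. translate a virtual address into the file offset Hiew works with.
"""
from dataclasses import dataclass

# Bytes exactly as shown in the page's listing (constructed from the listing, not read from a file).
LISTING = {
    0x00401593: bytes.fromhex("85C0"),  # test eax, eax
    0x00401595: bytes.fromhex("7516"),  # jne 004015AD
}

# Short-jump opcodes (Intel SDM Vol. 2) covering the mnemonic table in step 6.
JCC_REL8 = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7E: "jle",
            0x77: "ja", 0x73: "jae", 0xEB: "jmp"}


def decode_jump(va, code):
    """Decode a 2-byte short jump located at `va`; return (mnemonic, target VA).

    The target is the address of the *next* instruction plus the sign-extended rel8,
    which is why 00401595 + 2 + 0x16 gives 004015AD in the listing."""
    opcode, rel8 = code[0], code[1]
    if opcode not in JCC_REL8:
        raise ValueError(f"not a short jump opcode: {opcode:#04x}")
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8  # sign-extend the 8-bit displacement
    return JCC_REL8[opcode], (va + 2 + disp) & 0xFFFFFFFF


def branch_taken(mnemonic, eax):
    """Outcome of `test eax,eax; Jcc` for the flag-only jumps used here.

    `test eax,eax` sets ZF = (eax == 0). lstrcmpA returns 0 for equal strings,
    so eax == 0 means 'entered serial matches the real one'."""
    zf = (eax & 0xFFFFFFFF) == 0
    return {"je": zf, "jne": not zf, "jmp": True}[mnemonic]


def registration_outcome(serial_matches, patch=None):
    """Model the check at 00401593-00401595.

    patch: None (original 75 16), "je" (74 16) or "nop" (90 90, always falls through).
    Returns True when execution falls through to the 'registered' path (step 8)."""
    eax = 0 if serial_matches else 1  # lstrcmpA result: 0 == equal (ASSUMED nonzero value 1 otherwise)
    if patch == "nop":
        return True
    mnemonic = "je" if patch == "je" else "jne"
    return not branch_taken(mnemonic, eax)


@dataclass
class Section:
    name: str
    virtual_address: int      # RVA at which the section is mapped
    raw_size: int             # SizeOfRawData
    pointer_to_raw_data: int  # file offset of the section's bytes


# ASSUMED PE layout. The book reports VA 00401595 at file offset 00001595h, which holds
# when .text's RVA equals its PointerToRawData (both 0x1000 here).
IMAGE_BASE = 0x00400000
SECTIONS = [
    Section(".text", 0x1000, 0x1000, 0x1000),   # code, including the jne at 00401595
    Section(".rdata", 0x2000, 0x1000, 0x2000),  # import table slot [00402000] (assumed)
    Section(".data", 0x3000, 0x1000, 0x3000),   # message strings 0040306C / 00403074 (assumed)
]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """RVA = VA - ImageBase; offset = RVA - VirtualAddress + PointerToRawData of the owning section."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.raw_size:
            return rva - s.virtual_address + s.pointer_to_raw_data
    raise ValueError(f"VA {va:#010x} is not backed by file data")


def analyse_listing(listing=LISTING):
    """Tie the pieces together for the page's listing: (mnemonic, target VA, file offset of the jump)."""
    mnemonic, target = decode_jump(0x00401595, listing[0x00401595])
    return mnemonic, target, va_to_file_offset(0x00401595)


if __name__ == "__main__":
    mnem, target, off = analyse_listing()
    print(f":00401595 {LISTING[0x00401595].hex()}  {mnem} {target:08X}  @Offset {off:08X}h")
    for patch in (None, "je", "nop"):
        print(patch or "original", "accepts correct serial:", registration_outcome(True, patch),
              "accepts wrong serial:", registration_outcome(False, patch))
```

<p class="p9" align="left">The usage at the bottom prints the same line W32Dasm shows in step 9 together with the offset Hiew expects in step 10, and then the acceptance table for the original instruction and the two patches described in step 8. From a defender's reading, the table is the point: a licence check that collapses to one flag test and one conditional jump is decided by a single byte.</p>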
<p class="p9" align="left">
