
HexEdit 3.0: patch-crack and partial analysis

2015-06-08 14:26 766 views
HexEdit: this is an older version of the program. On first run you can already find several encryption algorithms in the menu, so the author probably knows a fair amount about cryptography. I traced it for a while at first, hoping to work out the algorithm, but my skill was not up to it: there are rather a lot of CALLs and I could not identify the encryption algorithm, so patching it was the only option.

Enter a registration code, locate the error-message string, then find the head of the function, which brings us here:

004D69F0 . 6A FF PUSH -0x1 ; button event handler

004D69F2 . 68 08C55000 PUSH HexEdit.0050C508 ; SE handler installation

//........

004D6A10 . C74424 18 000>MOV DWORD PTR SS:[ESP+0x18], 0x0

004D6A18 . E8 D7660200 CALL <JMP.&MFC42.#CWnd::UpdateData_6334>

UpdateData is called to fetch the contents of the input boxes. Next:

004D6A1D . 8B46 64 MOV EAX, DWORD PTR DS:[ESI+0x64] ; this is probably the check that the OK button was pressed

004D6A20 . 85C0 TEST EAX, EAX

004D6A22 . 0F85 8E000000 JNZ HexEdit.004D6AB6
// this jump is taken

Arriving here, there is a CALL that computes a plaintext code, but it is not the real valid code:

004D6AB6 > \8B2D 6CF45000 MOV EBP, DWORD PTR DS:[<&MSVCRT._strnicmp>] ; msvcrt._strnicmp

004D6ABC . 33DB XOR EBX, EBX

004D6ABE > 8B46 60 MOV EAX, DWORD PTR DS:[ESI+0x60] ; user name

004D6AC1 . BF 06000000 MOV EDI, 0x6

004D6AC6 . 6A 00 PUSH 0x0

004D6AC8 . 53 PUSH EBX

004D6AC9 . 57 PUSH EDI

004D6ACA . 50 PUSH EAX

004D6ACB . 8D5424 34 LEA EDX, DWORD PTR SS:[ESP+0x34]

004D6ACF . 6A 00 PUSH 0x0

004D6AD1 . 52 PUSH EDX

004D6AD2 . E8 F9670000 CALL HexEdit.004DD2D0 ; possibly part of the real code, ASCII "GVK V9P 947 EE3Y"; the key-computation CALL

004D6AD7 . 8B00 MOV EAX, DWORD PTR DS:[EAX]

004D6AD9 . 8B4E 68 MOV ECX, DWORD PTR DS:[ESI+0x68] ; the entered (fake) code

004D6ADC . 6A 0B PUSH 0xB ; compare the first 11 characters

004D6AE0 C74424 54 00000>MOV DWORD PTR SS:[ESP+0x54], 0x0

004D6AE8 FFD5 CALL NEAR EBP ; call the string comparison (_strnicmp via EBP)

004D6AEA 83C4 24 ADD ESP, 0x24

004D6AED 85C0 TEST EAX, EAX

004D6AEF 74 7E JE SHORT HexEdit.004D6B6F ; not taken by default

Here I changed the JE to a JMP so it jumps straight down; leaving it unchanged should make no real difference.

//...................

Because the JE above jumps to here, this message no longer appears:

004D6B8E 81FB 00010000 CMP EBX, 0x100

004D6B94 ^ 0F8C 24FFFFFF JL HexEdit.004D6ABE

004D6B9A EB 08 JMP SHORT HexEdit.004D6BA4

004D6B9C 81FB 00010000 CMP EBX, 0x100

004D6BA2 7C 24 JL SHORT HexEdit.004D6BC8

004D6BA4 6A 00 PUSH 0x0

004D6BA6 6A 00 PUSH 0x0

004D6BA8 68 54F75400 PUSH HexEdit.0054F754 ; The activation code is incorrect.\nPlease make sure you entered your name\nand/or the activation code correctly.

004D6BC8 8B0D 687B5100 MOV ECX, DWORD PTR DS:[0x517B68] ; holds the user-name length

004D6BCE 83FF 0E CMP EDI, 0xE

004D6BD1 75 4F JNZ SHORT HexEdit.004D6C22

Since the user name I entered is not longer than 14 characters, this jump is always taken. Next:

004D6C22 8BC3 MOV EAX, EBX

004D6C24 49 DEC ECX

004D6C25 D1F8 SAR EAX, 1

004D6C27 3BC1 CMP EAX, ECX

004D6C29 7D 13 JGE SHORT HexEdit.004D6C3E ; not taken by default

004D6C2B 6A 00 PUSH 0x0

004D6C2D 6A 00 PUSH 0x0

004D6C2F 68 C8F55400 PUSH HexEdit.0054F5C8 ; The activation code is for an older version.\nYou need to upgrade your licence or install the\ncorrect (earlier) licensed version of the software.

Here the JGE must be changed to a JMP.

Next, the user name and key concatenated together are encrypted and written to the registry:

004D6CA6 E8 D54D0000 CALL HexEdit.004DBA80 ; writes some information to the registry

004D6CAB 8B56 60 MOV EDX, DWORD PTR DS:[ESI+0x60]

004D6CAE 8BCF MOV ECX, EDI

Although registration succeeds, the About dialog still says the licence is for an earlier version, so I searched for the string "earlier" and found the relevant place:

So those key-computation CALLs are not invoked at program start-up.

First let's look at the About dialog here:

0045D600 6A FF PUSH -0x1 ; About dialog

0045D602 68 555D5000 PUSH HexEdit.00505D55

0045D607 64:A1 00000000 MOV EAX, DWORD PTR FS:[0]

0045D60D 50 PUSH EAX

0045D60E 64:8925 0000000>MOV DWORD PTR FS:[0], ESP

0045D615 81EC FC010000 SUB ESP, 0x1FC

0045D61B 56 PUSH ESI

0045D61C 8BF1 MOV ESI, ECX

//.......................

0045D71E 8B86 0C060000 MOV EAX, DWORD PTR DS:[ESI+0x60C]

0045D724 83F8 01 CMP EAX, 0x1

0045D727 75 0A JNZ SHORT HexEdit.0045D733

0045D729 68 A4635400 PUSH HexEdit.005463A4 ; Your trial period has expired. Click the link below to register.

0045D72E E9 8F000000 JMP HexEdit.0045D7C2

0045D733 83F8 02 CMP EAX, 0x2

0045D736 75 1E JNZ SHORT HexEdit.0045D756

0045D738 8B96 10060000 MOV EDX, DWORD PTR DS:[ESI+0x610]

0045D73E 8D8424 00020000 LEA EAX, DWORD PTR SS:[ESP+0x200]

0045D745 52 PUSH EDX

0045D746 68 60635400 PUSH HexEdit.00546360 ; Your trial expires in %ld days. Click the link below to register.

0045D74B 50 PUSH EAX

0045D74C E8 A9F90900 CALL <JMP.&MFC42.#CString::Format_2818>

0045D751 83C4 0C ADD ESP, 0xC

0045D754 EB 78 JMP SHORT HexEdit.0045D7CE

0045D756 83F8 03 CMP EAX, 0x3

0045D759 75 07 JNZ SHORT HexEdit.0045D762

0045D75B 68 28635400 PUSH HexEdit.00546328 ; Temporary licence. Click the link below to register.

0045D760 EB 60 JMP SHORT HexEdit.0045D7C2

0045D762 83F8 04 CMP EAX, 0x4

0045D765 75 17 JNZ SHORT HexEdit.0045D77E

0045D767 8D8C24 00020000 LEA ECX, DWORD PTR SS:[ESP+0x200]

0045D76E 68 E4625400 PUSH HexEdit.005462E4 ; Your licence is for an earlier version. Click the link to register.

0045D773 51 PUSH ECX

0045D774 E8 81F90900 CALL <JMP.&MFC42.#CString::Format_2818>

0045D779 83C4 08 ADD ESP, 0x8

0045D77C EB 50 JMP SHORT HexEdit.0045D7CE

0045D77E 83F8 05 CMP EAX, 0x5

0045D781 75 17 JNZ SHORT HexEdit.0045D79A

0045D783 8D9424 00020000 LEA EDX, DWORD PTR SS:[ESP+0x200]

0045D78A 68 A0625400 PUSH HexEdit.005462A0 ; Your licence is for an earlier version. Click the link to upgrade.

0045D78F 52 PUSH EDX

0045D790 E8 65F90900 CALL <JMP.&MFC42.#CString::Format_2818>

0045D795 83C4 08 ADD ESP, 0x8

0045D798 EB 34 JMP SHORT HexEdit.0045D7CE

0045D79A 83F8 06 CMP EAX, 0x6

0045D79D 75 1E JNZ SHORT HexEdit.0045D7BD

0045D79F 8B86 14060000 MOV EAX, DWORD PTR DS:[ESI+0x614]

0045D7A5 8D8C24 00020000 LEA ECX, DWORD PTR SS:[ESP+0x200]

0045D7AC 50 PUSH EAX

0045D7AD 68 84625400 PUSH HexEdit.00546284 ; Registered for use by: %s.

0045D7B2 51 PUSH ECX

0045D7B3 E8 42F90900 CALL <JMP.&MFC42.#CString::Format_2818>

0045D7B8 83C4 0C ADD ESP, 0xC

0045D7BB EB 11 JMP SHORT HexEdit.0045D7CE

0045D7BD 68 4C625400 PUSH HexEdit.0054624C ; Unregistered copy. Click the link below to register.

Seeing these messages makes it obvious: a value is read from [esi+60c] and used to decide the licence type; from the analysis, only a value of 6 means a registered version.

Looking further up:

0045D6B2 83BE 0C060000 0>CMP DWORD PTR DS:[ESI+0x60C], 0x3 ; this is the licence type

0045D6B9 7E 63 JLE SHORT HexEdit.0045D71E

0045D6BB 83BE 18060000 0>CMP DWORD PTR DS:[ESI+0x618], 0x2

0045D6C2 7E 5A JLE SHORT HexEdit.0045D71E

The decision starts from the code above, and from it I found the address 00550A44.

Set a hardware write breakpoint here to see when it is written on program restart; then Ctrl+F2, F9, and it breaks at:

00454E17 E8 C4720800 CALL HexEdit.004DC0E0 ; reads the KEY from the registry, computes it and returns the version number

00454E1C 83F8 06 CMP EAX, 0x6

This is the crux; step into CALL 004dc0e0 and look:

The key spot:

004DC529 /7D 0C JGE SHORT HexEdit.004DC537

004DC52B |C785 0C060000 0>MOV DWORD PTR SS:[EBP+0x60C], 0x4 ; writes the version number

Here the version number is set to 4, meaning unregistered or invalid. I filled the JGE above with NOPs and then changed 004DC52B to MOV [EBP+60C],6, saved all the modifications, and the crack succeeded.
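The bypass above rests on two byte edits at the licence-type decision: the JGE (`7D 0C`) replaced by NOPs and the immediate in `MOV DWORD PTR [EBP+0x60C], 4` changed to 6. As an added example (not code from the original post or from HexEdit), here is the kind of code-integrity self-check a developer could use to detect such an edit: a CRC-32 over the bytes of the decision region, compared with a value recorded at build time. The two byte sequences are reconstructed from the opcode column of the listing; the expected CRC would in practice be stamped into the binary after build, and CRC-32 is my choice of checksum, not anything HexEdit uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard reflected CRC-32 (IEEE 802.3): poly 0xEDB88320, init and xorout 0xFFFFFFFF. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Reconstructed from the listing: the two instructions at 004DC529 / 004DC52B as shipped.
 *   7D 0C                          JGE SHORT 004DC537
 *   C7 85 0C 06 00 00 04 00 00 00  MOV DWORD PTR [EBP+0x60C], 4
 */
static const uint8_t decision_region_original[] = {
    0x7D, 0x0C,
    0xC7, 0x85, 0x0C, 0x06, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00
};

/* Constructed: the same region after the edits the post describes (JGE -> NOP NOP, 4 -> 6). */
static const uint8_t decision_region_patched[] = {
    0x90, 0x90,
    0xC7, 0x85, 0x0C, 0x06, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00
};

/* Returns 1 if the region's CRC differs from the build-time value, i.e. the code was modified. */
int code_region_tampered(const uint8_t *region, size_t len, uint32_t expected_crc)
{
    return crc32(region, len) != expected_crc;
}

int main(void)
{
    /* Stands in for the CRC recorded at build time over the unmodified region. */
    uint32_t expected = crc32(decision_region_original, sizeof decision_region_original);
    printf("original region tampered: %d\n",
           code_region_tampered(decision_region_original, sizeof decision_region_original, expected));
    printf("patched region tampered:  %d\n",
           code_region_tampered(decision_region_patched, sizeof decision_region_patched, expected));
    return 0;
}
```

A self-check like this only raises the bar, since it lives in the same binary as the code it protects; treat it as one layer alongside signed or server-side licence validation rather than a fix on its own.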
