下载地址http://download.pchome.net/php/dl.php?sid=10695 工具:softice,peid,unaspack 平台:windows 2000 professional 声明:本文只作学习目的,如果需要此软件,请购买正版软件
最近好像ollydbg比较流行,softice有点被大家冷落了,:) 特别是由于windows2000的流行,hmemcpy断点的失效,使softice在2000下调试的难度更大了。其实,softice毕竟还是王牌级的工具。即时中断的功能,我觉得还是比ollydbg强的。本文介绍一下动态跟踪幻影,取得其注册码的思路。
首先,用peid观察一下敌情,呵呵,是aspack1.08加的壳。我用unaspack轻松脱之。观察窗口的类名,得知程序是vc编的。打开注册窗口,此软件是采用一机一码的方式注册的,机器码已经生成,随便输入一个密码,34343434,设下断点bpx getwindowtexta,点击确定,程序被拦下来了,yeah,成功了第一步,f2到程序领空,d ecx 看到机器码被取了出来,然后,再一次调用getwindowtexta 把我输入的假注册码取了出来。继续跟踪下去,来到如下代码:
:00409136 E8EB4C0200 Call 0042DE26 :0040913B 8D4C241C lea ecx, dword ptr [esp+1C] :0040913F 885C2468 mov byte ptr [esp+68], bl
* Reference To: MFC42.Ordinal:0320, Ord:0320h | :00409143 E8D84C0200 Call 0042DE20
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040911A(C) | :00409148 8B542410 mov edx, dword ptr [esp+10] :0040914C 8B4560 mov eax, dword ptr [ebp+60] :0040914F 52 push edx //这里是我输入的假码 34343434 :00409150 50 push eax //这里是真码呀!!!F9R9-B3C9-J5D9-P0L0
* Reference To: MSVCRT._mbscmp, Ord:0159h | :00409151 FF1510174300 Call dword ptr [00431710] //比较模块 :00409157 83C408 add esp, 00000008 :0040915A 85C0 test eax, eax :0040915C 7509 jne 00409167 //很明显,这里是关键跳转了,:) :0040915E 8BCD mov ecx, ebp
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h | :00409160 E88F4B0200 Call 0042DCF4 :00409165 EB1A jmp 00409181
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040915C(C) | :00409167 6AFF push FFFFFFFF :00409169 6A04 push 00000004 :0040916B 6806800000 push 00008006
* Reference To: MFC42.Ordinal:04AF, Ord:04AFh | :00409170 E8694F0200 Call 0042E0DE //这里弹出错误提示
好了,在00409150的地址处下d eax ,就可以看到真正的注册码了,收起softice,重新注册,输入注册码 F9R9-B3C9-J5D9-P0L0 ,提示注册成功! 本来写此文时要用ollydbg来复制反汇编码,但是有些地方,确实显示的不太正确,干脆用win32dasm反汇编了。 |
|
查看所有0条评论>>