本破解仅作学习研究用,请勿用于任何不法行为,否则后果自负。
软件名称:ASPMaker4.2
下载:http://www.onlinedown.net/soft/25067.htm
编码语言:DELPHI 6.0-7.0
大 小:5659KB(压缩)
加密方式:注册码
使用工具:odbg110_cn,PEiD,w32dasm89cn,ASPackDie,WinHex
破解日期:2006年1月7日
破解人:[certainheart] QQ:8108306
先运行程序,随便输入注册码,显示'THE REGISTER CODE IS INVALID'.
用PEID查壳,显示ASPACK加壳,使用ASPACKDIE去壳,成功,得到UNPACKED.EXE.
用w32dasm89cn反汇编UNPACKED.EXE,以其提示信息'THE REGISTER CODE IS INVALID'为突破口,查找其出现的位置,得到0064EAAB,接下来用odbg110_cn打开UNPACKED.EXE,CTRL+G来到0064EAAB,然后向上翻页查看代码,来到以下:
0064E8B0 . FFD6 call esi <==关键判断
0064E8B2 . 84C0 test al,al
0064E8B4 . 0F84 E6010000 je Unpacked.0064EAA0
0064E8BA . 8D95 E8FDFFFF lea edx,dword ptr ss:[ebp-218]
0064E8C0 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0064E8C3 . 8B80 00030000 mov eax,dword ptr ds:[eax+300]
重新运行,F7跟进0064E8B0,可以看到下列:
00775554 /. 55 push ebp
00775555 |. 8BEC mov ebp,esp
00775557 |. B9 49000000 mov ecx,49
0077555C |> 6A 00 /push 0
0077555E |. 6A 00 |push 0
00775560 |. 49 |dec ecx
00775561 |.^ 75 F9 \jnz short Unpacked.0077555C
00775563 |. 51 push ecx
00775564 |. 53 push ebx
00775565 |. 56 push esi
00775566 |. 57 push edi
00775567 |. 8BF2 mov esi,edx
00775569 |. 8DBD F8FDFFFF lea edi,dword ptr ss:[ebp-208]
0077556F |. 33C9 xor ecx,ecx
00775571 |. 8A0E mov cl,byte ptr ds:[esi]
00775573 |. 41 inc ecx
00775574 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
00775576 |. 8BF0 mov esi,eax
00775578 |. 8DBD F8FEFFFF lea edi,dword ptr ss:[ebp-108]
0077557E |. 33C9 xor ecx,ecx
00775580 |. 8A0E mov cl,byte ptr ds:[esi]
00775582 |. 41 inc ecx
00775583 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
00775585 |. 33C0 xor eax,eax
00775587 |. 55 push ebp
00775588 |. 68 08597700 push Unpacked.00775908
0077558D |. 64:FF30 push dword ptr fs:[eax]
00775590 |. 64:8920 mov dword ptr fs:[eax],esp
00775593 |. 8D85 F4FDFFFF lea eax,dword ptr ss:[ebp-20C]
00775599 |. 8D95 F8FDFFFF lea edx,dword ptr ss:[ebp-208]
0077559F |. E8 2CFFC8FF call Unpacked.004054D0
007755A4 |. 8B85 F4FDFFFF mov eax,dword ptr ss:[ebp-20C]
007755AA |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
007755AD |. B9 08000000 mov ecx,8
007755B2 |. E8 59F7FFFF call Unpacked.00774D10
007755B7 |. 33DB xor ebx,ebx
007755B9 |. E8 C27CC9FF call Unpacked.0040D280
007755BE |. 83C4 F8 add esp,-8 ; /
007755C1 |. DD1C24 fstp qword ptr ss:[esp] ; |Arg1 (8-byte)
007755C4 |. 9B wait ; |
007755C5 |. E8 F22DDEFF call Unpacked.005583BC ; \Unpacked.005583BC
007755CA |. 0FB7C0 movzx eax,ax
007755CD |. 83E0 07 and eax,7
007755D0 |. 83F8 07 cmp eax,7 ; Switch (cases 0..7)
007755D3 |. 0F87 11030000 ja Unpacked.007758EA
007755D9 |. FF2485 E0557700 jmp dword ptr ds:[eax*4+7755E0]
007755E0 |. 00567700 dd Unpacked.00775600 ; Switch table used at 007755D9
007755E4 |. 5F567700 dd Unpacked.0077565F
007755E8 |. BE567700 dd Unpacked.007756BE
007755EC |. 1D577700 dd Unpacked.0077571D
007755F0 |. 7C577700 dd Unpacked.0077577C
007755F4 |. DB577700 dd Unpacked.007757DB
007755F8 |. 3A587700 dd Unpacked.0077583A
007755FC |. 93587700 dd Unpacked.00775893
00775600 |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 0 of switch 007755D0
00775603 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775608 |. E8 43FBFFFF call Unpacked.00775150
0077560D |. 84C0 test al,al
0077560F |. 74 40 je short Unpacked.00775651
00775611 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00775614 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775619 |. E8 56FBFFFF call Unpacked.00775174
0077561E |. 8BD8 mov ebx,eax
00775620 |. 8D85 ECFDFFFF lea eax,dword ptr ss:[ebp-214]
00775626 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
0077562C |. E8 9FFEC8FF call Unpacked.004054D0
00775631 |. 8B85 ECFDFFFF mov eax,dword ptr ss:[ebp-214]
00775637 |. 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210]
0077563D |. E8 B6FBFFFF call Unpacked.007751F8
00775642 |. 8B85 F0FDFFFF mov eax,dword ptr ss:[ebp-210]
00775648 |. E8 E7FAFFFF call Unpacked.00775134
0077564D |. 3BD8 cmp ebx,eax
0077564F |. 74 07 je short Unpacked.00775658
00775651 |> 33DB xor ebx,ebx
00775653 |. E9 92020000 jmp Unpacked.007758EA
00775658 |> B3 01 mov bl,1
0077565A |. E9 8B020000 jmp Unpacked.007758EA
0077565F |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 1 of switch 007755D0
00775662 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775667 |. E8 E4FAFFFF call Unpacked.00775150
0077566C |. 84C0 test al,al
0077566E |. 74 40 je short Unpacked.007756B0
00775670 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00775673 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775678 |. E8 F7FAFFFF call Unpacked.00775174
0077567D |. 8BD8 mov ebx,eax
0077567F |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
00775685 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
0077568B |. E8 40FEC8FF call Unpacked.004054D0
00775690 |. 8B85 E4FDFFFF mov eax,dword ptr ss:[ebp-21C]
00775696 |. 8D95 E8FDFFFF lea edx,dword ptr ss:[ebp-218]
0077569C |. E8 57FBFFFF call Unpacked.007751F8
007756A1 |. 8B85 E8FDFFFF mov eax,dword ptr ss:[ebp-218]
007756A7 |. E8 88FAFFFF call Unpacked.00775134
007756AC |. 3BD8 cmp ebx,eax
007756AE |. 74 07 je short Unpacked.007756B7
007756B0 |> 33DB xor ebx,ebx
007756B2 |. E9 33020000 jmp Unpacked.007758EA
007756B7 |> B3 01 mov bl,1
007756B9 |. E9 2C020000 jmp Unpacked.007758EA
007756BE |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 2 of switch 007755D0
007756C1 |. B8 A4839E00 mov eax,Unpacked.009E83A4
007756C6 |. E8 85FAFFFF call Unpacked.00775150
007756CB |. 84C0 test al,al
007756CD |. 74 40 je short Unpacked.0077570F
007756CF |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
007756D2 |. B8 A4839E00 mov eax,Unpacked.009E83A4
007756D7 |. E8 98FAFFFF call Unpacked.00775174
007756DC |. 8BD8 mov ebx,eax
007756DE |. 8D85 DCFDFFFF lea eax,dword ptr ss:[ebp-224]
007756E4 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
007756EA |. E8 E1FDC8FF call Unpacked.004054D0
007756EF |. 8B85 DCFDFFFF mov eax,dword ptr ss:[ebp-224]
007756F5 |. 8D95 E0FDFFFF lea edx,dword ptr ss:[ebp-220]
007756FB |. E8 F8FAFFFF call Unpacked.007751F8
00775700 |. 8B85 E0FDFFFF mov eax,dword ptr ss:[ebp-220]
00775706 |. E8 29FAFFFF call Unpacked.00775134
0077570B |. 3BD8 cmp ebx,eax
0077570D |. 74 07 je short Unpacked.00775716
0077570F |> 33DB xor ebx,ebx
00775711 |. E9 D4010000 jmp Unpacked.007758EA
00775716 |> B3 01 mov bl,1
00775718 |. E9 CD010000 jmp Unpacked.007758EA
0077571D |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 3 of switch 007755D0
00775720 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775725 |. E8 26FAFFFF call Unpacked.00775150
0077572A |. 84C0 test al,al
0077572C |. 74 40 je short Unpacked.0077576E
0077572E |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00775731 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775736 |. E8 39FAFFFF call Unpacked.00775174
0077573B |. 8BD8 mov ebx,eax
0077573D |. 8D85 D4FDFFFF lea eax,dword ptr ss:[ebp-22C]
00775743 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
00775749 |. E8 82FDC8FF call Unpacked.004054D0
0077574E |. 8B85 D4FDFFFF mov eax,dword ptr ss:[ebp-22C]
00775754 |. 8D95 D8FDFFFF lea edx,dword ptr ss:[ebp-228]
0077575A |. E8 99FAFFFF call Unpacked.007751F8
0077575F |. 8B85 D8FDFFFF mov eax,dword ptr ss:[ebp-228]
00775765 |. E8 CAF9FFFF call Unpacked.00775134
0077576A |. 3BD8 cmp ebx,eax
0077576C |. 74 07 je short Unpacked.00775775
0077576E |> 33DB xor ebx,ebx
00775770 |. E9 75010000 jmp Unpacked.007758EA
00775775 |> B3 01 mov bl,1
00775777 |. E9 6E010000 jmp Unpacked.007758EA
0077577C |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 4 of switch 007755D0
0077577F |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775784 |. E8 C7F9FFFF call Unpacked.00775150
00775789 |. 84C0 test al,al
0077578B |. 74 40 je short Unpacked.007757CD
0077578D |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00775790 |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775795 |. E8 DAF9FFFF call Unpacked.00775174
0077579A |. 8BD8 mov ebx,eax
0077579C |. 8D85 CCFDFFFF lea eax,dword ptr ss:[ebp-234]
007757A2 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
007757A8 |. E8 23FDC8FF call Unpacked.004054D0
007757AD |. 8B85 CCFDFFFF mov eax,dword ptr ss:[ebp-234]
007757B3 |. 8D95 D0FDFFFF lea edx,dword ptr ss:[ebp-230]
007757B9 |. E8 3AFAFFFF call Unpacked.007751F8
007757BE |. 8B85 D0FDFFFF mov eax,dword ptr ss:[ebp-230]
007757C4 |. E8 6BF9FFFF call Unpacked.00775134
007757C9 |. 3BD8 cmp ebx,eax
007757CB |. 74 07 je short Unpacked.007757D4
007757CD |> 33DB xor ebx,ebx
007757CF |. E9 16010000 jmp Unpacked.007758EA
007757D4 |> B3 01 mov bl,1
007757D6 |. E9 0F010000 jmp Unpacked.007758EA
007757DB |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 5 of switch 007755D0
007757DE |. B8 A4839E00 mov eax,Unpacked.009E83A4
007757E3 |. E8 68F9FFFF call Unpacked.00775150
007757E8 |. 84C0 test al,al
007757EA |. 74 40 je short Unpacked.0077582C
007757EC |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
007757EF |. B8 A4839E00 mov eax,Unpacked.009E83A4
007757F4 |. E8 7BF9FFFF call Unpacked.00775174
007757F9 |. 8BD8 mov ebx,eax
007757FB |. 8D85 C4FDFFFF lea eax,dword ptr ss:[ebp-23C]
00775801 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
00775807 |. E8 C4FCC8FF call Unpacked.004054D0
0077580C |. 8B85 C4FDFFFF mov eax,dword ptr ss:[ebp-23C]
00775812 |. 8D95 C8FDFFFF lea edx,dword ptr ss:[ebp-238]
00775818 |. E8 DBF9FFFF call Unpacked.007751F8
0077581D |. 8B85 C8FDFFFF mov eax,dword ptr ss:[ebp-238]
00775823 |. E8 0CF9FFFF call Unpacked.00775134
00775828 |. 3BD8 cmp ebx,eax
0077582A |. 74 07 je short Unpacked.00775833
0077582C |> 33DB xor ebx,ebx
0077582E |. E9 B7000000 jmp Unpacked.007758EA
00775833 |> B3 01 mov bl,1
00775835 |. E9 B0000000 jmp Unpacked.007758EA
0077583A |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 6 of switch 007755D0
0077583D |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775842 |. E8 09F9FFFF call Unpacked.00775150
00775847 |. 84C0 test al,al
00775849 |. 74 40 je short Unpacked.0077588B
0077584B |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0077584E |. B8 A4839E00 mov eax,Unpacked.009E83A4
00775853 |. E8 1CF9FFFF call Unpacked.00775174
00775858 |. 8BD8 mov ebx,eax
0077585A |. 8D85 BCFDFFFF lea eax,dword ptr ss:[ebp-244]
00775860 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
00775866 |. E8 65FCC8FF call Unpacked.004054D0
0077586B |. 8B85 BCFDFFFF mov eax,dword ptr ss:[ebp-244]
00775871 |. 8D95 C0FDFFFF lea edx,dword ptr ss:[ebp-240]
00775877 |. E8 7CF9FFFF call Unpacked.007751F8
0077587C |. 8B85 C0FDFFFF mov eax,dword ptr ss:[ebp-240]
00775882 |. E8 ADF8FFFF call Unpacked.00775134
00775887 |. 3BD8 cmp ebx,eax
00775889 |. 74 04 je short Unpacked.0077588F
0077588B |> 33DB xor ebx,ebx
0077588D |. EB 5B jmp short Unpacked.007758EA
0077588F |> B3 01 mov bl,1
00775891 |. EB 57 jmp short Unpacked.007758EA
00775893 |> 8D55 F8 lea edx,dword ptr ss:[ebp-8] ; Case 7 of switch 007755D0
00775896 |. B8 A4839E00 mov eax,Unpacked.009E83A4
0077589B |. E8 B0F8FFFF call Unpacked.00775150
007758A0 |. 84C0 test al,al
007758A2 74 40 je short Unpacked.007758E4
007758A4 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
007758A7 |. B8 A4839E00 mov eax,Unpacked.009E83A4
007758AC |. E8 C3F8FFFF call Unpacked.00775174
007758B1 |. 8BD8 mov ebx,eax
007758B3 |. 8D85 B4FDFFFF lea eax,dword ptr ss:[ebp-24C]
007758B9 |. 8D95 F8FEFFFF lea edx,dword ptr ss:[ebp-108]
007758BF |. E8 0CFCC8FF call Unpacked.004054D0
007758C4 |. 8B85 B4FDFFFF mov eax,dword ptr ss:[ebp-24C]
007758CA |. 8D95 B8FDFFFF lea edx,dword ptr ss:[ebp-248]
007758D0 |. E8 23F9FFFF call Unpacked.007751F8
007758D5 |. 8B85 B8FDFFFF mov eax,dword ptr ss:[ebp-248]
007758DB |. E8 54F8FFFF call Unpacked.00775134
007758E0 |. 3BD8 cmp ebx,eax
007758E2 74 04 je short Unpacked.007758E8
007758E4 |> 33DB xor ebx,ebx
007758E6 |. EB 02 jmp short Unpacked.007758EA
007758E8 |> B3 01 mov bl,1
007758EA |> 33C0 xor eax,eax ; Default case of switch 007755D0
007758EC |. 5A pop edx
007758ED |. 59 pop ecx
007758EE |. 59 pop ecx
007758EF |. 64:8910 mov dword ptr fs:[eax],edx
007758F2 |. 68 0F597700 push Unpacked.0077590F
007758F7 |> 8D85 B4FDFFFF lea eax,dword ptr ss:[ebp-24C]
007758FD |. BA 11000000 mov edx,11
00775902 |. E8 79F9C8FF call Unpacked.00405280
00775907 \. C3 retn
00775908 .^ E9 A7F1C8FF jmp Unpacked.00404AB4
0077590D .^ EB E8 jmp short Unpacked.007758F7
0077590F 8BC3 mov eax,ebx
00775911 5F pop edi
00775912 5E pop esi
00775913 5B pop ebx
00775914 8BE5 mov esp,ebp
00775916 . 5D pop ebp
00775917 . C3 retn
该CALL比较复杂,难以直接从中获得正确的注册码.
但注意到调用完这个CALL后,程序将依据AL进行分支判断,最后影响AL的语句为
0077590F 8BC3 mov eax,ebx <==将前面比较后存在EBX里的结果转存到EAX
00775911 5F pop edi <==开始恢复程序现场
00775912 5E pop esi
00775913 5B pop ebx
00775914 8BE5 mov esp,ebp
00775916 . 5D pop ebp
00775917 . C3 retn <==返回到调用程序段
经过反复检查,该关键CALL在程序内进行注册时会被调用,在ASPMAKER启动时也会调用它检查是否已正确注册,考虑到该CALL算法的复杂性,决定用爆破的方式破解这个CALL.为了让该CALL返回EAX=1,以使主程序中的下一指令TEST AL,AL的结果能转向注册成功的流程,将0077590F进行更改如下: 0077590F 8BC3 mov eax,ebx
====>0077590F F7D0 not eax
这样,随意输入的错误注册码都将被认为正确的注册码.用w32dasm89cn查找0077590F地址,得知其在EXE文件中的位置是0X37590F,用WinHex打开UNPACKED.EXE,将0X37590F中的8B改为F7,将0X375910中的C3改为D0,爆破结束.经检验,现在可以用任意注册码(不能是正确的注册码)注册软件,其功能运行无误.
总结: 爆破不仅限于JMP,JE,JNZ,NOP等指令的更改,还可以创造性地使用其他指令。