
Cracking SourceFormatX256cn

October 27, 2013 ⁄ General

       This program is well written. It appears to be a Delphi binary packed with PECompact. It can be unpacked, but I spent most of yesterday looking for the code that detects tampering with itself and never found it. Fortunately it can be cracked by patching memory dynamically at run time.
       The memory patch (it does not work for operations launched from the Explorer right-click menu) removes the 8K size limit, removes the registration prompt when formatting a single file, and removes the extra English comment that is added to a file when it is saved.
       Unfortunately I did not find where to crack the FormatAll and FormatFolder functions, but with one hand clicking files and the other pressing Ctrl+F, a few dozen files can still be done quickly.
      
 The cracking procedure is as follows.
Tools used: OllyDbg and PE Explorer.

1. Removing the extra information added when a file is written (English UI):

Locate the actual file write (the six pushes are the WriteFile arguments, last parameter first):
00408CC6    6A 00           PUSH 0 <<< lpOverlapped = NULL
00408CC8    8D4424 04       LEA EAX,DWORD PTR SS:[ESP+4]
00408CCC    50              PUSH EAX <<< receives the number of bytes actually written
00408CCD    57              PUSH EDI <<< number of bytes to write
00408CCE    56              PUSH ESI <<< start of the buffer
00408CCF    53              PUSH EBX <<< file handle
00408CD0    E8 A7DDFFFF     CALL SourceFo.00406A7C                   ; JMP to kernel32.WriteFile
Change it to:
00408CC6   /E9 35021700     JMP SourceFo.00578F00                    ; 5-byte jump into the detour
00408CCB   |90              NOP                                      ; five NOPs pad out the 10 bytes that were replaced
00408CCC   |90              NOP
00408CCD   |90              NOP
00408CCE   |90              NOP
00408CCF   |90              NOP
00408CD0    E8 A7DDFFFF     CALL SourceFo.00406A7C                   ; JMP to kernel32.WriteFile

Add the custom code at 578F00. Because the hook is a JMP rather than a CALL, ESP inside the detour is the same as at 00408CC6, so the first three instructions rebuild the lpOverlapped and lpNumberOfBytesWritten arguments exactly as the original code did. The rest inspects the first four bytes of the buffer and, when it recognises one of the program's header comments, advances the buffer pointer and shrinks the length by that header's size, so the header is simply never written. Note: this tests for the English-UI header strings only; handling the Chinese UI needs additional code. Note also that the detour never checks that EDI is at least the header length before subtracting it: a file that the program did not prefix (for instance under the Chinese UI) but which itself happens to begin with one of these prefixes loses its first 0D7h/0CEh/0D1h bytes, and if it is shorter than that, the length handed to WriteFile wraps around to nearly 4 GB.
00578F00    6A 00           PUSH 0                                   ; lpOverlapped = NULL, as in the original
00578F02    8D4424 04       LEA EAX,DWORD PTR SS:[ESP+4]
00578F06    50              PUSH EAX                                 ; lpNumberOfBytesWritten
00578F07    36:8B06         MOV EAX,DWORD PTR SS:[ESI]               ; first 4 bytes of the buffer (the 36: SS override is harmless in a flat address space)
00578F0A    3D 2F2A2054     CMP EAX,54202A2F  <== "/* T": C-style file
00578F0F    74 11           JE SHORT SOURCEFO.00578F22
00578F11    3D 27205468     CMP EAX,68542027  <== "' Th": VB-style file
00578F16    74 1C           JE SHORT SOURCEFO.00578F34
00578F18    3D 7B205468     CMP EAX,6854207B  <== "{ Th": Pascal-style file
00578F1D    74 27           JE SHORT SOURCEFO.00578F46
00578F1F    EB 37           JMP SHORT SOURCEFO.00578F58 <== any other file has no header comment; write it unchanged
00578F21    90              NOP
00578F22    8BC7            MOV EAX,EDI                              ; C-style: skip the 0D7h-byte (215) header
00578F24    2D D7000000     SUB EAX,0D7
00578F29    50              PUSH EAX                                 ; length - 0D7h
00578F2A    8BC6            MOV EAX,ESI
00578F2C    05 D7000000     ADD EAX,0D7
00578F31    50              PUSH EAX                                 ; buffer + 0D7h
00578F32    EB 26           JMP SHORT SOURCEFO.00578F5A
00578F34    8BC7            MOV EAX,EDI                              ; VB-style: skip the 0CEh-byte (206) header
00578F36    2D CE000000     SUB EAX,0CE
00578F3B    50              PUSH EAX
00578F3C    8BC6            MOV EAX,ESI
00578F3E    05 CE000000     ADD EAX,0CE
00578F43    50              PUSH EAX
00578F44    EB 14           JMP SHORT SOURCEFO.00578F5A
00578F46    8BC7            MOV EAX,EDI                              ; Pascal-style: skip the 0D1h-byte (209) header
00578F48    2D D1000000     SUB EAX,0D1
00578F4D    50              PUSH EAX
00578F4E    8BC6            MOV EAX,ESI
00578F50    05 D1000000     ADD EAX,0D1
00578F55    50              PUSH EAX
00578F56    EB 02           JMP SHORT SOURCEFO.00578F5A
00578F58    57              PUSH EDI                                 ; unchanged length
00578F59    56              PUSH ESI                                 ; unchanged buffer
00578F5A    53              PUSH EBX                                 ; file handle
00578F5B    8D4400 00       LEA EAX,DWORD PTR DS:[EAX+EAX]           ; 4-byte filler; EAX is dead here, WriteFile overwrites it
00578F5F  ^ E9 6CFDE8FF     JMP SOURCEFO.00408CD0  <== jump back to the CALL that performs the write
00578F64    90              NOP

Raw bytes of 00578F00..00578F64 (0x65 bytes; the CMP immediates are little-endian, so 2F 2A 20 54 is "/* T" in file order):
6A 00 8D 44 24 04 50 36 8B 06 3D 2F 2A 20 54 74 11 3D 27 20 54 68 74 1C 3D 7B 20 54 68 74 27 EB
37 90 8B C7 2D D7 00 00 00 50 8B C6 05 D7 00 00 00 50 EB 26 8B C7 2D CE 00 00 00 50 8B C6 05 CE
00 00 00 50 EB 14 8B C7 2D D1 00 00 00 50 8B C6 05 D1 00 00 00 50 EB 02 57 56 53 8D 44 00 00 E9
6C FD E8 FF 90

After the write, the program compares the number of bytes written with the size it asked for and raises an exception on a mismatch. Since the detour writes fewer bytes than requested whenever it strips a header, that check has to go:
00412D35    FF56 08         CALL DWORD PTR DS:[ESI+8]
00412D38    3BD8            CMP EBX,EAX <== patch this

becomes:
00412D35    FF56 08         CALL DWORD PTR DS:[ESI+8]
00412D38    EB 19           JMP SHORT SourceFo.00412D53              ; EB 19 overwrites the two-byte CMP exactly

Trying to alter the content before the write is painful: the program keeps the text in string arrays, and tampering with those variables is error-prone. So the patch waits until the program has assembled the final buffer and is about to write it; at that point the arguments can be changed safely.

2. Removing the 8K size limit:

This one is straightforward: a handful of key comparisons need patching; the only tedious part is finding them.
Each address below is the conditional jump that follows the listed comparison; the loader overwrites its opcode byte with EB (JMP SHORT), making the branch unconditional. Overwriting only the opcode is correct for the two-byte short form (7x rel8); a six-byte near jcc (0F 8x rel32) needs a different patch, which is presumably why the last entry is handled separately.
0x00561c2c ; follows cmp eax,200f
0x00561f7c ; follows cmp eax,1fff
0x00561f07 ; follows cmp eax,2003
0x00565b66 ; follows cmp eax,2005
0x00566328 ; follows cmp eax,2001
0x005738a7 ; follows cmp eax,2001
0x00575155 ; follows cmp eax,200f
0x0057622f ; follows cmp eax,200f
0x00573e40 ; follows cmp eax,2005
0x00567fe2 ; follows cmp eax,2009
0x00574401 ; follows cmp eax,2009
0x0057499a ; follows cmp eax,200b
0x005766a6 ; follows cmp eax,200c
0x005756fd ; follows cmp eax,2007
0x00576b19 ; follows cmp eax,2010
0x00576f9e ; follows cmp eax,2010
0x00577412 ; follows cmp eax,2011
0x00561bb7 ; follows cmp eax,2013
0x00575c96 ; follows cmp eax,2013
0x0050b6d7 ; replace with 33 C0 90 90 90 90 (XOR EAX,EAX followed by four NOPs) so that no jump is taken
There are many such comparison constants and some may have been missed, but I have not run into a problem in my own use.

3. Removing the registration nag dialog:
The dialog's window class, as shown by Spy++, is TNagForm.
Tracing a Format menu click in the static disassembly shows:

 005634DF  E8E409EAFF                              call SUB_L00403EC8
 005634E4  8B45DC                                  mov eax,[ebp-24h]
 005634E7  E87858EAFF                              call SUB_L00408D64  << this function returns the same value every time; it is a decoy, and it appears in many places besides this one
 005634EC  84C0                                    test al,al
 005634EE  0F841E010000                            jz  L00563612  <<< taken: dynamic debugging shows EAX is always 0, so this jump is always taken
 005634F4  6A20                                    push 00000020h
 005634F6  8B4DDC                                  mov ecx,[ebp-24h]
 005634F9  B201                                    mov dl,01h
 005634FB  A13CF64000                              mov eax,[TFileStream.Object_Entry]

 
  00563612                                       L00563612:
 00563612  F645CE01                                test byte ptr [ebp-32h],01h <<< [ebp-32h] holds a flag that controls the jump
 00563616  7457                                    jz  L0056366F <<< patch this to an unconditional jump: EB 57 (only the opcode byte changes; the displacement 57 stays)
 00563618  B813000000                              mov eax,00000013h
 0056361D  E88E53FFFF                              call SUB_L005589B0
 00563622  8B0D40085800                            mov ecx,[L00580840]
 00563628  8B09                                    mov ecx,[ecx]
 0056362A  B201                                    mov dl,01h
 0056362C  A1AC4D5500                              mov eax,[TNagForm.Object_Entry] << the dialog is about to be created here
 00563631  E81242EEFF                              call SUB_L00447848

4. Removing the FormatAll restriction:
In the static disassembly the FormatAll and SaveAll menu handlers look much alike. SaveAll runs, but FormatAll contains a "call register" and even dynamic tracing did not reveal when execution falls into the trap, nor where correct execution ought to continue.
Implementing it oneself would mean looping over the child windows, activating each one and sending it the Format command.

Building the memory patch:
PELG (Predator's Extreme Loader Generator) is recommended.

Create crack.plg and give it the following content:
;
; Predator's Extreme Loader Generator - Loader DATA file
;

Filename = SourceFormatX.exe
RVA = 408CC6
New Bytes = E9350217009090909090
RVA = 412D38
New Bytes = EB19
RVA = 578F00
New Bytes = 6A008D4424045036
RVA = 578F08
New Bytes = 8B063D2F2A205474
RVA = 578F10
New Bytes = 113D27205468741C
RVA = 578F18
New Bytes = 3D7B2054687427EB
RVA = 578F20
New Bytes = 37908BC72DD70000
RVA = 578F28
New Bytes = 00508BC605D70000
RVA = 578F30
New Bytes = 0050EB268BC72DCE
RVA = 578F38
New Bytes = 000000508BC605CE
RVA = 578F40
New Bytes = 00000050EB148BC7
RVA = 578F48
New Bytes = 2DD1000000508BC6
RVA = 578F50
New Bytes = 05D100000050EB02
RVA = 578F58
New Bytes = 5756538D440000E9
RVA = 578F60
New Bytes = 6CFDE8FF90
RVA = 561C2C
New Bytes = EB
RVA = 561F7C
New Bytes = EB
RVA = 561F07
New Bytes = EB
RVA = 565B66
New Bytes = EB
RVA = 566328
New Bytes = EB
RVA = 5738A7
New Bytes = EB
RVA = 575155
New Bytes = EB
RVA = 57622F
New Bytes = EB
RVA = 573E40
New Bytes = EB
RVA = 567FE2
New Bytes = EB
RVA = 574401
New Bytes = EB
RVA = 57499A
New Bytes = EB
RVA = 5766A6
New Bytes = EB
RVA = 5756FD
New Bytes = EB
RVA = 576B19
New Bytes = EB
RVA = 576F9E
New Bytes = EB
RVA = 577412
New Bytes = EB
RVA = 561BB7
New Bytes = EB
RVA = 575C96
New Bytes = EB
RVA = 50B6D7
New Bytes = 33C090909090
RVA = 563616
New Bytes = EB

; End Of File
End of file.
Run PELG, load crack.plg, and follow the prompts to generate the loader.
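As an added check (example code, not from the post and not part of PELG): the script below parses the crack.plg entries above, reassembles the 8-byte chunks that make up the detour at 578F00 and compares them with the hex dump from section 1, recomputes every E9/EB/74 displacement in the patched bytes against the targets the disassembly shows, and decodes the three CMP EAX,imm32 constants to the ASCII prefixes they match (the immediate is little-endian, so its bytes are the buffer's first four characters in file order). The PLG text and the dump are copied from this page and embedded as constructed input; the script never reads SourceFormatX.exe.

```python
"""Consistency checks for the SourceFormatX detour listing (added example).

Not code from the original post or from PELG. It re-derives the detour bytes
from the PLG 'RVA = / New Bytes =' pairs, compares them with the hex dump under
the disassembly, recomputes each jump displacement against the target shown in
the listing, and decodes the three CMP constants. All input is copied from the
page (constructed here); SourceFormatX.exe itself is never read.
"""
import re
import struct

# Hook, size-check patch and detour entries, copied from crack.plg in the post.
PLG_TEXT = """
; Predator's Extreme Loader Generator - Loader DATA file
RVA = 408CC6
New Bytes = E9350217009090909090
RVA = 412D38
New Bytes = EB19
RVA = 578F00
New Bytes = 6A008D4424045036
RVA = 578F08
New Bytes = 8B063D2F2A205474
RVA = 578F10
New Bytes = 113D27205468741C
RVA = 578F18
New Bytes = 3D7B2054687427EB
RVA = 578F20
New Bytes = 37908BC72DD70000
RVA = 578F28
New Bytes = 00508BC605D70000
RVA = 578F30
New Bytes = 0050EB268BC72DCE
RVA = 578F38
New Bytes = 000000508BC605CE
RVA = 578F40
New Bytes = 00000050EB148BC7
RVA = 578F48
New Bytes = 2DD1000000508BC6
RVA = 578F50
New Bytes = 05D100000050EB02
RVA = 578F58
New Bytes = 5756538D440000E9
RVA = 578F60
New Bytes = 6CFDE8FF90
"""

# Contiguous dump of 00578F00..00578F64 as printed in the post.
DUMP_HEX = """
6A 00 8D 44 24 04 50 36 8B 06 3D 2F 2A 20 54 74 11 3D 27 20 54 68 74 1C 3D 7B 20 54 68 74 27 EB
37 90 8B C7 2D D7 00 00 00 50 8B C6 05 D7 00 00 00 50 EB 26 8B C7 2D CE 00 00 00 50 8B C6 05 CE
00 00 00 50 EB 14 8B C7 2D D1 00 00 00 50 8B C6 05 D1 00 00 00 50 EB 02 57 56 53 8D 44 00 00 E9
6C FD E8 FF 90
"""

# (address of the jump opcode, target the disassembly shows for it)
EXPECTED_JUMPS = [
    (0x408CC6, 0x578F00), (0x412D38, 0x412D53), (0x578F0F, 0x578F22), (0x578F16, 0x578F34),
    (0x578F1D, 0x578F46), (0x578F1F, 0x578F58), (0x578F32, 0x578F5A), (0x578F44, 0x578F5A),
    (0x578F56, 0x578F5A), (0x578F5F, 0x408CD0),
]

def parse_plg(text):
    """Parse 'RVA = <hex>' / 'New Bytes = <hex>' pairs into {rva: bytes}."""
    patches, rva = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' opens a comment
        m = re.fullmatch(r"(RVA|New Bytes)\s*=\s*([0-9A-Fa-f]+)", line)
        if m and m.group(1) == "RVA":
            rva = int(m.group(2), 16)
        elif m:
            patches[rva] = bytes.fromhex(m.group(2))
    return patches

def to_image(patches):
    """Sparse byte image {address: value} laid out from the patch list."""
    return {base + i: b for base, data in patches.items() for i, b in enumerate(data)}

def read(image, addr, n):
    return bytes(image[addr + i] for i in range(n))

def jump_target(image, addr):
    """Decode E9 rel32 or EB/74 rel8 at addr; target = next instruction + rel."""
    op = image[addr]
    if op == 0xE9:
        return addr + 5 + struct.unpack("<i", read(image, addr + 1, 4))[0]
    if op in (0xEB, 0x74):
        return addr + 2 + struct.unpack("<b", read(image, addr + 1, 1))[0]
    raise ValueError(f"no jump opcode at {addr:08X}: {op:02X}")

def check(patches):
    """Return (dump matches the PLG chunks, jumps that miss their listed target,
    ASCII form of the CMP EAX,imm32 constants at 578F0A/578F11/578F18)."""
    image = to_image(patches)
    dump = bytes.fromhex(DUMP_HEX)
    return (
        read(image, 0x578F00, len(dump)) == dump,
        [a for a, t in EXPECTED_JUMPS if jump_target(image, a) != t],
        [read(image, a + 1, 4).decode("ascii") for a in (0x578F0A, 0x578F11, 0x578F18)],
    )
```

For the bytes on this page, check(parse_plg(PLG_TEXT)) returns (True, [], ['/* T', "' Th", '{ Th']). If the detour is edited and an instruction moves, the stale displacement shows up as an address in the second element before the loader is ever run; re-encoding a jump by hand is exactly where such patches usually go wrong.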
