Cracking "PE Explorer" 1.40

Ahem, here I am again! This time, at the request of my online friend "一明", I'm having a go at cracking PE Explorer 1.40.

First, as usual, a quick introduction to the software. Anyone who does cracking needs some tool for looking at PE files (what? you don't crack? well then...), things like tdump, but unfortunately those all run in character mode, which isn't very convenient. This PE Explorer runs under Windows, and it's powerful: it has all sorts of features, ones I understand and ones I don't. The most practical are the disassembler and the resource manager; truly the essential remedy for home, travel, and cracking files... my admiration for it flows like the mighty Yangtze... (Audience: Go away! Advertising again!!!)

Ahem, back to business... First, run the program. Whoa, what a pretty interface, though one look tells you the menus are built from Delphi controls. To confirm that, and also to make sure it wasn't packed, I first pulled out FileInfo to check it: yep, written in Delphi.

Since it's written in Delphi, by reflex I brought out DeDe first. After disassembling, I chose the "Forms" tab, then selected "TrForm". After staring at the right-hand window for a long time I finally found a Button1 control whose OnClick event is Button1Click. Great, found the way in, let's go!

Next, select the "Procedures" tab, then double-click the Unit Name rUnit. Sure enough, in the right-hand window there's a Button1Click event; double-click it and this big mess appears:

0049C560   55                     push    ebp
0049C561   8BEC                   mov     ebp, esp
0049C563   6A00                   push    $00
0049C565   53                     push    ebx
0049C566   8BD8                   mov     ebx, eax
0049C568   33C0                   xor     eax, eax
0049C56A   55                     push    ebp

* Possible String Reference to: ’榻m?腽[Y]脥@’
|
0049C56B   68C2C54900             push    $0049C5C2

***** TRY
|
0049C570   64FF30                 push    dword ptr fs:[eax]
0049C573   648920                 mov     fs:[eax], esp
0049C576   8D55FC                 lea     edx, [ebp-$04]

* Reference to control TrForm.Edit1 : TEdit
|
0049C579   8B8300020000           mov     eax, [ebx+$0200]

* Reference to: controls.TControl.GetText(TControl):System.String;
|
0049C57F   E86450F8FF             call    004215E8
0049C584   8B55FC                 mov     edx, [ebp-$04]
0049C587   A140C14F00             mov     eax, dword ptr [$4FC140]

|
0049C58C   E82774F6FF             call    004039B8
0049C591   8D55FC                 lea     edx, [ebp-$04]

* Reference to control TrForm.Edit2 : TEdit
|
0049C594   8B8304020000           mov     eax, [ebx+$0204]

* Reference to: controls.TControl.GetText(TControl):System.String;
|
0049C59A   E84950F8FF             call    004215E8
0049C59F   8B55FC                 mov     edx, [ebp-$04]
0049C5A2   A130C34F00             mov     eax, dword ptr [$4FC330]

|
0049C5A7   E80C74F6FF             call    004039B8
0049C5AC   33C0                   xor     eax, eax
0049C5AE   5A                     pop     edx
0049C5AF   59                     pop     ecx
0049C5B0   59                     pop     ecx
0049C5B1   648910                 mov     fs:[eax], edx

****** FINALLY
|

* Possible String Reference to: ’[Y]脥@’
|
0049C5B4   68C9C54900             push    $0049C5C9
0049C5B9   8D45FC                 lea     eax, [ebp-$04]

|
0049C5BC   E8A373F6FF             call    00403964
0049C5C1   C3                     ret

0049C5C2   E9BD6DF6FF             jmp     00403384
0049C5C7   EBF0                   jmp     0049C5B9

****** END
|
0049C5C9   5B                     pop     ebx
0049C5CA   59                     pop     ecx
0049C5CB   5D                     pop     ebp
0049C5CC   C3                     ret

After staring at it for ages, it doesn't seem to have what I want! (There's no cmp, jne or anything like that!) Damn, all that work was for nothing... ◎#¥%!※¥! No way around it, start over!!!

That road is blocked, so time for a different approach. I suddenly remembered that when the program starts up there's a splash window with the word "trial" in it. Ha, another way in!

This time I quickly grabbed W32Dasm, disassembled, and searched for the string "trial". Sure enough:

* Possible StringData Ref from Code Obj ->"trial version"
                                  |
:004DD678 8B15CCB94F00            mov edx, dword ptr [004FB9CC]
:004DD67E E83563F2FF              call 004039B8
:004DD683 B8B8B94F00              mov eax, 004FB9B8

* Possible StringData Ref from Code Obj ->"12345678FEDCBA98"
                                  |
:004DD688 8B15D0B94F00            mov edx, dword ptr [004FB9D0]
:004DD68E E82563F2FF              call 004039B8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004DD562(C), :004DD633(U), :004DD671(U)
|
:004DD693 8B45F0                  mov eax, dword ptr [ebp-10]
:004DD696 80782401                cmp byte ptr [eax+24], 01
:004DD69A 7508                    jne 004DD6A4
:004DD69C 8B45F0                  mov eax, dword ptr [ebp-10]
:004DD69F E838F6FFFF              call 004DCCDC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD69A(C)
|
:004DD6A4 E817D9FFFF              call 004DAFC0
:004DD6A9 8B45F0                  mov eax, dword ptr [ebp-10]
:004DD6AC 80B85402000000          cmp byte ptr [eax+00000254], 00
:004DD6B3 0F85F5070000            jne 004DDEAE

Good! Looks promising. What puzzles me is where the string "12345678FEDCBA98" comes from; I searched the whole program and didn't seem to see it anywhere... Never mind, set it aside for now. Load PE Explorer with SoftICE's Symbol Loader, set a breakpoint with bpx 004DD678, run, and register:

Registration Name: laoluo
Serial Number: 1234567890123456    (why 16 digits? you'll see later)

As soon as I pressed OK, SoftICE popped up immediately. Good, it worked!

Then press F10 until you reach 004DD69F, and press F8 to step into this call:

:004DCCDC 55                      push ebp
:004DCCDD 8BEC                    mov ebp, esp
:004DCCDF 83C4BC                  add esp, FFFFFFBC
:004DCCE2 53                      push ebx
:004DCCE3 56                      push esi
:004DCCE4 33D2                    xor edx, edx
:004DCCE6 8955BC                  mov dword ptr [ebp-44], edx
:004DCCE9 8955E8                  mov dword ptr [ebp-18], edx
:004DCCEC 8955E4                  mov dword ptr [ebp-1C], edx
:004DCCEF 8945EC                  mov dword ptr [ebp-14], eax
:004DCCF2 33C0                    xor eax, eax
:004DCCF4 55                      push ebp
:004DCCF5 6869CF4D00              push 004DCF69
:004DCCFA 64FF30                  push dword ptr fs:[eax]
:004DCCFD 648920                  mov dword ptr fs:[eax], esp
:004DCD00 8D45C3                  lea eax, dword ptr [ebp-3D]
:004DCD03 B165                    mov cl, 65
:004DCD05 BA21000000              mov edx, 00000021
:004DCD0A E87D5DF2FF              call 00402A8C
:004DCD0F 33C0                    xor eax, eax
:004DCD11 8945F8                  mov dword ptr [ebp-08], eax
:004DCD14 33C0                    xor eax, eax
:004DCD16 8945F4                  mov dword ptr [ebp-0C], eax
:004DCD19 8D45C3                  lea eax, dword ptr [ebp-3D]
:004DCD1C 8B15C4B94F00            mov edx, dword ptr [004FB9C4]
:004DCD22 E865ABF2FF              call 0040788C
:004DCD27 8D45C3                  lea eax, dword ptr [ebp-3D]
:004DCD2A 8945FC                  mov dword ptr [ebp-04], eax
:004DCD2D 60                      pushad
:004DCD2E 8B7DFC                  mov edi, dword ptr [ebp-04]
:004DCD31 B818E41736              mov eax, 3617E418
:004DCD36 3107                    xor dword ptr [edi], eax
:004DCD38 B82EFC35A9              mov eax, A935FC2E
:004DCD3D 314704                  xor dword ptr [edi+04], eax
:004DCD40 B8B972D857              mov eax, 57D872B9
:004DCD45 314708                  xor dword ptr [edi+08], eax
:004DCD48 B837B43D49              mov eax, 493DB437
:004DCD4D 31470C                  xor dword ptr [edi+0C], eax
:004DCD50 8B07                    mov eax, dword ptr [edi]
:004DCD52 334704                  xor eax, dword ptr [edi+04]
:004DCD55 8B5F08                  mov ebx, dword ptr [edi+08]
:004DCD58 335F0C                  xor ebx, dword ptr [edi+0C]
:004DCD5B 8945F8                  mov dword ptr [ebp-08], eax
:004DCD5E 895DF4                  mov dword ptr [ebp-0C], ebx
:004DCD61 61                      popad
:004DCD62 A1C8B94F00              mov eax, dword ptr [004FB9C8]
:004DCD67 E8746EF2FF              call 00403BE0
:004DCD6C 83F810                  cmp eax, 00000010              <- checks whether the serial is 16 characters long
:004DCD6F 0F8CD1010000            jl 004DCF46
:004DCD75 8D45E8                  lea eax, dword ptr [ebp-18]
:004DCD78 50                      push eax
:004DCD79 B908000000              mov ecx, 00000008
:004DCD7E BA01000000              mov edx, 00000001
:004DCD83 A1C8B94F00              mov eax, dword ptr [004FB9C8]
:004DCD88 E85770F2FF              call 00403DE4
:004DCD8D 8D45E4                  lea eax, dword ptr [ebp-1C]
:004DCD90 50                      push eax
:004DCD91 B908000000              mov ecx, 00000008
:004DCD96 BA09000000              mov edx, 00000009
:004DCD9B A1C8B94F00              mov eax, dword ptr [004FB9C8]
:004DCDA0 E83F70F2FF              call 00403DE4
:004DCDA5 8D4DBC                  lea ecx, dword ptr [ebp-44]
:004DCDA8 BA08000000              mov edx, 00000008
:004DCDAD 8B45F8                  mov eax, dword ptr [ebp-08]
:004DCDB0 E89FA4F2FF              call 00407254
:004DCDB5 8B55BC                  mov edx, dword ptr [ebp-44]   <- first 8 characters of the real serial
:004DCDB8 8B45E8                  mov eax, dword ptr [ebp-18]   <- first 8 characters of the serial I entered
:004DCDBB E8306FF2FF              call 00403CF0
:004DCDC0 0F8560010000            jne 004DCF26                  <- if they don't match, game over!
:004DCDC6 8D4DBC                  lea ecx, dword ptr [ebp-44]
:004DCDC9 BA08000000              mov edx, 00000008
:004DCDCE 8B45F4                  mov eax, dword ptr [ebp-0C]
:004DCDD1 E87EA4F2FF              call 00407254
:004DCDD6 8B55BC                  mov edx, dword ptr [ebp-44]   <- last 8 characters of the real serial
:004DCDD9 8B45E4                  mov eax, dword ptr [ebp-1C]   <- last 8 characters of the serial I entered
:004DCDDC E80F6FF2FF              call 00403CF0
:004DCDE1 0F853F010000            jne 004DCF26                  <- if they don't match...
:004DCDE7 B8B4B94F00              mov eax, 004FB9B4
:004DCDEC 8B15C4B94F00            mov edx, dword ptr [004FB9C4]
:004DCDF2 E8C16BF2FF              call 004039B8
:004DCDF7 B8B8B94F00              mov eax, 004FB9B8
:004DCDFC 8B4DE4                  mov ecx, dword ptr [ebp-1C]
:004DCDFF 8B55E8                  mov edx, dword ptr [ebp-18]
:004DCE02 E8256EF2FF              call 00403C2C
:004DCE07 B201                    mov dl, 01

Ha, now everything is clear. Issue d edx at the two addresses 004DCDB5 and 004DCDD6 and the answer comes right out. My serial is:

Registration Name: laoluo
Serial Number: 964D162F1EE5C68E

So, how about that? Being a cracker feels good, huh?

To express my respect for myself, I ran PE Explorer again; the splash screen now says "This copy is licensed to: laoluo".

In a great mood, I took a look at About, since looking costs nothing... Damn, it popped up the dialog asking whether I want to try it out, again. Those damn Americans kept a trick up their sleeve!

Completely baffled, I had no choice but to disassemble with W32Dasm again, and found this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD69A(C)
|
:004DD6A4 E817D9FFFF              call 004DAFC0
:004DD6A9 8B45F0                  mov eax, dword ptr [ebp-10]
:004DD6AC 80B85402000000          cmp byte ptr [eax+00000254], 00
:004DD6B3 0F85F5070000            jne 004DDEAE                  <- looks familiar, doesn't it?

With a let's-just-try-it attitude I changed this jne to je with Hiew, ran it, and ha!!! It actually worked!!!!!!

And just like that, $69 saved! (Note: that's dollars.)

Finally, a short summary:
1. All that space spent on DeDe earlier wasn't padding (even though it turned out to be completely useless this time); it was to make one point: a cracker must keep a flexible mind. When one road is blocked, change your thinking and try another method...
2. Software authors are getting smarter and smarter! This time, even cracking the serial wasn't enough; there was another check somewhere else, and I had to resort to a brute-force patch, which really goes against my principles... If any expert knows what that second check is, please let me know! Many thanks!

Software used: FileInfo 2.45a, DeDe 2.50c, SoftICE 4.05 for Win95, W32Dasm 8.93 Gold Edition, Hiew 6.55
Time to crack: 1 hour
Time to write the tutorial: also 1 hour

老罗
2002.2.15.