今天中午小试牛刀,一个朋友发了一个软件给我,让我看看能不能破解,我拿到软件后,运行,用SPY++拖到界面上看了一下,原来是Delphi写的软件,这时已经有20%的把握了,再用peid看一下加壳没有,发现乌龟没顶壳,哈哈哈,这下又增加20%的把握,接着DeDe进行反编译,得到汇编代码,输出工程文件,用Delphi打开该工程,找到注册窗口,直接进入注册函数,得到如下代码,简单看了一下,直接跳过注册判断,直接注册。用OllyICE修改汇编代码,保存文件,运行,注册,随便输入注册码,注册成功,搞定,收工。
- procedure TFrmReg.Button2Click(Sender : TObject);
- { Registration-button handler as recovered by DeDe.  The body below is the
-   disassembly DeDe emitted, kept verbatim inside a block comment; the
-   '* NOTE(review):' lines are reading aids, the addresses are those printed
-   in the dump.  What the listing shows, in order:
-     - read the text of the edit control at [esi+$0308]; an empty string
-       (nil pointer) shows '请输入注册码' and leaves the handler;
-     - read the same text again and compare it, with System.@LStrCmp, against
-       the string returned by an unlabeled method of the form (call 00540454);
-       a mismatch goes to 0054067C and shows '注册失败,注册码不正确.';
-     - on a match, hex-encode (IntToHex, byte + $18) every byte of the string
-       returned by the call DeDe labels TClientSocket._PROC_0050CC28;
-     - write that hex string to a text file 'smsinfo' in the executable's
-       directory (ParamStr(0) -> ExtractFilePath), show '注册成功,请重启软件。'
-       and set the form field at [esi+$024C] to 1.
-   Security note (defender's reading): the expected registration value is
-   produced and checked entirely inside this handler with a single string
-   comparison; nothing is verified against a server or a signature, and the
-   executable is neither packed nor integrity-checked (the post above found
-   no packer with PEiD), so the whole decision rests on one branch in an
-   unprotected binary - that is the weakness the post exploits.  The persisted
-   state is a plaintext 'smsinfo' file next to the executable, i.e. more
-   unauthenticated state.  Mitigations for code like this: validate licences
-   out of process or with a signed licence blob, check the integrity of the
-   executable at startup, and do not store the "registered" state as a plain
-   file the program trusts. }
- begin
- (*
- 005404E8 55 push ebp
- 005404E9 8BEC mov ebp, esp
- 005404EB 81C410FEFFFF add esp, $FFFFFE10
- 005404F1 53 push ebx
- 005404F2 56 push esi
- 005404F3 57 push edi
- 005404F4 33C9 xor ecx, ecx
- 005404F6 898D14FEFFFF mov [ebp+$FFFFFE14], ecx
- 005404FC 898D10FEFFFF mov [ebp+$FFFFFE10], ecx
- 00540502 898D18FEFFFF mov [ebp+$FFFFFE18], ecx
- 00540508 898D1CFEFFFF mov [ebp+$FFFFFE1C], ecx
- 0054050E 898D20FEFFFF mov [ebp+$FFFFFE20], ecx
- 00540514 894DFC mov [ebp-$04], ecx
- 00540517 894DF8 mov [ebp-$08], ecx
- 0054051A 894DF4 mov [ebp-$0C], ecx
- 0054051D 894DF0 mov [ebp-$10], ecx
- 00540520 8BF0 mov esi, eax
- 00540522 33C0 xor eax, eax
- 00540524 55 push ebp
- * Possible String Reference to: '閣<?胄_^[嬪]?
- |
- 00540525 68BC065400 push $005406BC
- ***** TRY
- |
- 0054052A 64FF30 push dword ptr fs:[eax]
- 0054052D 648920 mov fs:[eax], esp
- * NOTE(review): esi is Self (the form); the control at [esi+$0308] holds the
- | text the user typed.  A nil AnsiString pointer is the empty-string case.
- 00540530 8D9520FEFFFF lea edx, [ebp+$FFFFFE20]
- 00540536 8B8608030000 mov eax, [esi+$0308]
- * Reference to: Controls.TControl.GetText(TControl):TCaption;
- |
- 0054053C E847E0F1FF call 0045E588
- 00540541 83BD20FEFFFF00 cmp dword ptr [ebp+$FFFFFE20], +$00
- 00540548 750F jnz 00540559
- * Possible String Reference to: '请输入注册码'
- |
- 0054054A B8D4065400 mov eax, $005406D4
- * Reference to: Dialogs.ShowMessage(AnsiString);
- |
- 0054054F E86C7EEFFF call 004383C0
- 00540554 E92D010000 jmp 00540686
- 00540559 8D55FC lea edx, [ebp-$04]
- 0054055C 8B8608030000 mov eax, [esi+$0308]
- * Reference to: Controls.TControl.GetText(TControl):TCaption;
- |
- 00540562 E821E0F1FF call 0045E588
- * NOTE(review): unlabeled form method at 00540454, called with Self in eax;
- | its string result in [ebp+$FFFFFE1C] is what the typed text is compared
- | with below (presumably the locally derived expected code - verify in the
- | callee, which is not in this listing).
- 00540567 8D951CFEFFFF lea edx, [ebp+$FFFFFE1C]
- 0054056D 8BC6 mov eax, esi
- |
- 0054056F E8E0FEFFFF call 00540454
- 00540574 8B951CFEFFFF mov edx, [ebp+$FFFFFE1C]
- 0054057A 8B45FC mov eax, [ebp-$04]
- * Reference to: System.@LStrCmp;
- |
- 0054057D E84249ECFF call 00404EC4
- 00540582 0F85F4000000 jnz 0054067C
- * NOTE(review): the call below is made with eax = 0, so DeDe's TClientSocket
- | label is doubtful - verify.  The loop that follows takes its string result
- | and appends IntToHex(byte + $18, 2) for every byte to the string in
- | [ebp-$0C]; that hex string is what gets written to the file further down.
- 00540588 8D55F8 lea edx, [ebp-$08]
- 0054058B 33C0 xor eax, eax
- * Reference to : TClientSocket._PROC_0050CC28()
- |
- 0054058D E896C6FCFF call 0050CC28
- 00540592 8B45F8 mov eax, [ebp-$08]
- * Reference to: System.@LStrLen(String):Integer;
- | or: System.@DynArrayLength;
- | or: System.DynArraySize(Pointer):Integer;
- | or: Variants.DynArraySize(Pointer):Integer;
- |
- 00540595 E8DE47ECFF call 00404D78
- 0054059A 8BD8 mov ebx, eax
- 0054059C 85DB test ebx, ebx
- 0054059E 7E32 jle 005405D2
- 005405A0 BF01000000 mov edi, $00000001
- 005405A5 8B45F8 mov eax, [ebp-$08]
- 005405A8 0FB64438FF movzx eax, byte ptr [eax+edi-$01]
- 005405AD 83C018 add eax, +$18
- 005405B0 8D8D18FEFFFF lea ecx, [ebp+$FFFFFE18]
- 005405B6 BA02000000 mov edx, $00000002
- * Reference to: SysUtils.IntToHex(Integer;Integer):AnsiString;overload;
- |
- 005405BB E83C94ECFF call 004099FC
- 005405C0 8B9518FEFFFF mov edx, [ebp+$FFFFFE18]
- 005405C6 8D45F4 lea eax, [ebp-$0C]
- * Reference to: System.@LStrCat;
- |
- 005405C9 E8B247ECFF call 00404D80
- 005405CE 47 inc edi
- 005405CF 4B dec ebx
- 005405D0 75D3 jnz 005405A5
- 将这句修改为 jmp 005405D2 或者删除这条语句即完成破解.
- * NOTE(review): path of the persisted state: ParamStr(0) -> ExtractFilePath
- | -> + 'smsinfo' -> FileCreate, i.e. a plaintext file next to the executable.
- | The call at 0054060B is unresolved by DeDe (SysUtils.FileClose is among
- | its candidates - plausible after FileCreate, but unverified).
- 005405D2 8D9510FEFFFF lea edx, [ebp+$FFFFFE10]
- 005405D8 33C0 xor eax, eax
- * Reference to: System.ParamStr(Integer):String;
- |
- 005405DA E86925ECFF call 00402B48
- 005405DF 8B8510FEFFFF mov eax, [ebp+$FFFFFE10]
- 005405E5 8D9514FEFFFF lea edx, [ebp+$FFFFFE14]
- * Reference to: SysUtils.ExtractFilePath(AnsiString):AnsiString;
- |
- 005405EB E82499ECFF call 00409F14
- 005405F0 8B9514FEFFFF mov edx, [ebp+$FFFFFE14]
- 005405F6 8D45F0 lea eax, [ebp-$10]
- * Possible String Reference to: 'smsinfo'
- |
- 005405F9 B9EC065400 mov ecx, $005406EC
- * Reference to: System.@LStrCat3;
- |
- 005405FE E8C147ECFF call 00404DC4
- 00540603 8B45F0 mov eax, [ebp-$10]
- * Reference to: SysUtils.FileCreate(AnsiString):Integer;overload;
- |
- 00540606 E8B996ECFF call 00409CC4
- * Reference to: InGlobal.Sleep(Cardinal);
- | or: SConnect.CloseRegKey(HKEY);
- | or: System.EndThread(Integer);
- | or: SysUtils.FileClose(Integer);
- | or: SysUtils.StrNextChar(PChar):PChar;
- | or: Windows.LockSegment(System.THandle);
- |
- 0054060B E87097ECFF call 00409D80
- * NOTE(review): Text-file I/O on the TTextRec at [ebp+$FFFFFE24]: Assign,
- | Append, WriteLn of the hex string in [ebp-$0C], Flush, Close.  The
- | unlabeled calls to 00402988 after each step are not resolved here.
- 00540610 8B55F0 mov edx, [ebp-$10]
- 00540613 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
- * Reference to: System.@Assign(TTextRec;TTextRec;String):Integer;
- |
- 00540619 E80E29ECFF call 00402F2C
- 0054061E 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
- * Reference to: System.@Append(TTextRec;TTextRec):Integer;
- |
- 00540624 E89F26ECFF call 00402CC8
- |
- 00540629 E85A23ECFF call 00402988
- 0054062E 8B55F4 mov edx, [ebp-$0C]
- 00540631 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
- * Reference to: Classes.TStream.WriteComponent(TStream;TComponent);
- | or: Classes.TWriter.WriteRootComponent(TWriter;TComponent);
- | or: DB.TWideStringField.GetAsWideString(TWideStringField):WideString;
- | or: DB.TDateTimeField.GetValue(TDateTimeField;TDateTime;TDateTime):Boolean;
- | or: DB.TSQLTimeStampField.GetValue(TSQLTimeStampField;TSQLTimeStamp;TSQLTimeStamp):Boolean;
- | or: DB.TSQLTimeStampField.SetAsSQLTimeStamp(TSQLTimeStampField;TSQLTimeStamp;TSQLTimeStamp);
- |
- 00540637 E8584BECFF call 00405194
- * Reference to: System.@WriteLn(TTextRec;TTextRec):Pointer;
- |
- 0054063C E89B2FECFF call 004035DC
- |
- 00540641 E84223ECFF call 00402988
- 00540646 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
- * Reference to: System.Flush(Text;Text):Integer;
- |
- 0054064C E88B29ECFF call 00402FDC
- |
- 00540651 E83223ECFF call 00402988
- 00540656 8D8524FEFFFF lea eax, [ebp+$FFFFFE24]
- * Reference to: System.@Close(TTextRec;TTextRec):Integer;
- |
- 0054065C E89329ECFF call 00402FF4
- |
- 00540661 E82223ECFF call 00402988
- * NOTE(review): success path - message, then the form field at [esi+$024C]
- | is set to 1.  What reads that field (or the 'smsinfo' file on the next
- | start, as the message suggests) is not in this listing.
- * Possible String Reference to: '注册成功,请重启软件。'
- |
- 00540666 B8FC065400 mov eax, $005406FC
- * Reference to: Dialogs.ShowMessage(AnsiString);
- |
- 0054066B E8507DEFFF call 004383C0
- 00540670 C7864C02000001000000 mov dword ptr [esi+$024C], $00000001
- 0054067A EB0A jmp 00540686
- * Possible String Reference to: '注册失败,注册码不正确.'
- |
- 0054067C B81C075400 mov eax, $0054071C
- * Reference to: Dialogs.ShowMessage(AnsiString);
- |
- 00540681 E83A7DEFFF call 004383C0
- 00540686 33C0 xor eax, eax
- 00540688 5A pop edx
- 00540689 59 pop ecx
- 0054068A 59 pop ecx
- 0054068B 648910 mov fs:[eax], edx
- ****** FINALLY
- |
- * Possible String Reference to: '_^[嬪]?
- |
- 0054068E 68C3065400 push $005406C3
- 00540693 8D8510FEFFFF lea eax, [ebp+$FFFFFE10]
- 00540699 BA04000000 mov edx, $00000004
- * Reference to: System.@LStrArrayClr(void;void;Integer);
- |
- 0054069E E83944ECFF call 00404ADC
- 005406A3 8D8520FEFFFF lea eax, [ebp+$FFFFFE20]
- * Reference to: System.@LStrClr(void;void);
- |
- 005406A9 E80A44ECFF call 00404AB8
- 005406AE 8D45F0 lea eax, [ebp-$10]
- 005406B1 BA04000000 mov edx, $00000004
- * Reference to: System.@LStrArrayClr(void;void;Integer);
- |
- 005406B6 E82144ECFF call 00404ADC
- 005406BB C3 ret
- * Reference to: System.@HandleFinally;
- |
- 005406BC E9773CECFF jmp 00404338
- 005406C1 EBD0 jmp 00540693
- ****** END
- |
- 005406C3 5F pop edi
- 005406C4 5E pop esi
- 005406C5 5B pop ebx
- 005406C6 8BE5 mov esp, ebp
- 005406C8 5D pop ebp
- 005406C9 C3 ret
- *)
- end;
学习学习,好好学习,,哈哈
值得我好好学习!
[quote=鉴定主任]标准的Delphi程序破解流程。[/quote]
主任正解,哈哈哈哈。
标准的Delphi程序破解流程。