破文作者:闪电狼[ALaNg]
软件名称:SockMon5
破解工具:PEiD、OllyDbg(OD)、W32Dasm
保护方式:ASPack 2.12 -> Alexey Solodovnikov(PEiD 识别结果)
软件限制:时间、功能(有试用期和使用次数限制)
破解难度:中等
软件介绍:监视 Socket 函数 socket、bind、listen、connect、accept、recv、send、recvfrom、sendto、shutdown、closesocket。可以详细地查询 API 调用的类型、源 IP/端口、目标 IP/端口、线程、进程、时间、结果、错误信息等多达 21 种参数信息。可以控制 API 调用的速度,是唯一能够动态修改 API 调用前参数数据与 API 调用后返回数据的网络监视软件。可以设置个性化显示竖列与不同 API 的显示颜色,以及可以将 API 传输数据导出成二进制文件,也可以载入或保存整个监视结果。内设功能强大的监视过滤器,可以根据 API 名字、协议类型、进程名字、本地 IP/端口、远程 IP/端口任意组合过滤。内含端口-进程映射查询功能,可以查看进程开放或连接了哪些 IP 与端口,以及远程 IP 的地理位置。提供来自 Microsoft/Teamcti/Sysinternals 优秀常用的辅助工具,有 Spy++、PrcView、WinObj、DbgView。内含 Socket 整套 API 帮助系统。
破解声明:我是一只小菜鸟,偶得一点心得,愿与大家分享;我是一个初学者,错误的地方请大家指正。
破解分析:经过两天的努力终于把此软件爆破了。壳用 PEiD 自带的脱壳器脱掉,以下所有地址和补丁都针对脱壳后的文件。先看限制:有时间和次数限制。随便输入用户名和序列号,程序是重启验证的;根据弹出的提示窗口确定序列号存放在注册表 HKCU\Software\SockMon\5.0\SetOther 键下的 SMCommDll 值里(下面反汇编中的字符串 "Software\SockMon\5.0\SetOther" 和 "SMCommDll" 就是这个路径)。用 W32Dasm 查找字符串 SMCommDll,共找到 3 处引用;用 OD 载入程序,分别在这 3 处下断,来到:

(审校注:转帖时部分 call 的目标地址丢失,内存操作数里的 "+" 也被吞掉;本段已把 "+" 按机器码补回(如 8B83 A4030000 即 mov eax,[ebx+3A4]),丢失的 call 目标无法还原,请以 OD 中的实际显示为准。)

004B6FB2 |. 68 CC724B00 push SockMon5.004B72CC ; ASCII "SMCommDll" //断在这里
004B6FB7 |. 68 AC724B00 push SockMon5.004B72AC ; ASCII "Software\SockMon\5.0\SetOther"
004B6FBC |. E8 EB69FEFF call //目标丢失;从压入的键名和值名看,应是读取注册表中的 SMCommDll
004B6FC1 |. 8D85 FAFDFFFF lea eax,dword ptr ss:[ebp-206]
004B6FC7 |. 50 push eax
004B6FC8 |. 8D85 FBFEFFFF lea eax,dword ptr ss:[ebp-105]
004B6FCE |. 50 push eax
004B6FCF |. E8 006AFEFF call //目标丢失;以两个栈缓冲区为参数,返回值进入 esi,后面就拿它做校验
004B6FD4 |. 8BF0 mov esi,eax
004B6FD6 |. 8BD6 mov edx,esi
004B6FD8 |. 8BC3 mov eax,ebx
004B6FDA |. E8 5DFEFFFF call SockMon5.004B6E3C //跟进此 call(eax=ebx 为对象指针,edx=esi 为上面算出的值)
004B6FDF |. 68 A4ED4B00 push SockMon5.004BEDA4 ; /Buffer = SockMon5.004BEDA4

call SockMon5.004B6E3C 内部:
004B6E3C /$ 53 push ebx
004B6E3D |. 56 push esi
004B6E3E |. 57 push edi
004B6E3F |. 8BF2 mov esi,edx
004B6E41 |. 8BD8 mov ebx,eax
004B6E43 |. B2 01 mov dl,1
004B6E45 |. 8B83 A4030000 mov eax,dword ptr ds:[ebx+3A4]
004B6E4B |. E8 6CD6F9FF call SockMon5.004544BC
004B6E50 |. B2 01 mov dl,1
004B6E52 |. 8B83 78040000 mov eax,dword ptr ds:[ebx+478]
004B6E58 |. E8 5FD6F9FF call SockMon5.004544BC
004B6E5D |. B2 01 mov dl,1
004B6E5F |. 8B83 58030000 mov eax,dword ptr ds:[ebx+358]
004B6E65 |. E8 52D6F9FF call SockMon5.004544BC
004B6E6A |. 33D2 xor edx,edx
004B6E6C |.
8B83 14050000 mov eax,dword ptr ds:[ebx+514]
004B6E72 |. E8 45D6F9FF call SockMon5.004544BC
004B6E77 |. 6A 00 push 0 ; /pModule = NULL
004B6E79 |. E8 DAFCF4FF call //目标丢失;OD 给参数取名 pModule,通常是 GetModuleHandleA,仅供参考
004B6E7E |. 3BF0 cmp esi,eax
004B6E80 |. 0F84 84000000 je SockMon5.004B6F0A //这里是关键跳转,把 je 改成 jmp。esi 是调用者在 004B6FD4 处算出、经 edx 传进来的值,eax 是上一个 call 的返回值;两者究竟各是什么,本文没有进一步分析
004B6E86 |. 6A 01 push 1
004B6E88 |. 68 106F4B00 push SockMon5.004B6F10
004B6E8D |. 68 146F4B00 push SockMon5.004B6F14 ; ASCII "SMCommVer"
004B6E92 |. 68 206F4B00 push SockMon5.004B6F20 ; ASCII "Software\SockMon\5.0\SetOther"
004B6E97 |. E8 186BFEFF call //目标丢失;不跳时走到这里,看起来是向同一注册表键写 SMCommVer

保存以后运行,已经是注册用户了,不过标题栏上依然有提示限制的信息,看着不爽。既然检测完序列号以后还会出现这条信息,说明后面还有一处比较,继续跟踪。再用 OD 载入,在 call SockMon5.004B6E3C 下断,这次不跟进去,F8 往下单步,找找后面有无跳转:

004B6FD4 |. 8BF0 mov esi,eax
004B6FD6 |. 8BD6 mov edx,esi
004B6FD8 |. 8BC3 mov eax,ebx
004B6FDA |. E8 5DFEFFFF call SockMon5.004B6E3C //断在这里,往下 F8
004B6FDF |. 68 A4ED4B00 push SockMon5.004BEDA4 ; /Buffer = SockMon5.004BEDA4
004B6FE4 |. 68 90010000 push 190 ; |BufSize = 190 (400.)
004B6FE9 |. E8 9AFBF4FF call //目标丢失;按 Buffer/BufSize 注释推测是取自身文件名之类的 API
004B6FEE |. BA D8724B00 mov edx,SockMon5.004B72D8 ; ASCII "SMCache"
004B6FF3 |. 81C0 A4ED4B00 add eax,SockMon5.004BEDA4
004B6FF9 |. E8 8A21F5FF call SockMon5.00409188
004B6FFE |. 68 A4ED4B00 push SockMon5.004BEDA4
004B7003 |. E8 4C69FEFF call //目标丢失;返回值存入 [4BED94],为 0 则退出
004B7008 |. A3 94ED4B00 mov dword ptr ds:[4BED94],eax
004B700D |. 833D 94ED4B00>cmp dword ptr ds:[4BED94],0
004B7014 |. 75 22 jnz short SockMon5.004B7038 //这里必须跳,不过正常情况下自己就会跳过去
004B7016 |. 8D95 F4FDFFFF lea edx,dword ptr ss:[ebp-20C]
004B701C |. B8 E8724B00 mov eax,SockMon5.004B72E8 ; ASCII "DLFPKMMLLLPKKMNPOLNNOMEMMLOPELNOOMDPMCDNGKDNDMDLMMANCPMLELNLLKGNFNGNJLBC"
004B7021 |. E8 4A71FEFF call SockMon5.0049E170
004B7026 |. 8B85 F4FDFFFF mov eax,dword ptr ss:[ebp-20C]
004B702C |. E8 F39AF8FF call SockMon5.00440B24
004B7031 |. 6A 00 push 0 ; /ExitCode = 0
004B7033 |. E8 88FAF4FF call
004B7038 |> 8BBB F0020000 mov edi,dword ptr ds:[ebx+2F0]
004B703E |. 8B57 68 mov edx,dword ptr ds:[edi+68]
004B7041 |.

(审校注:004B6FDF~004B7033 这一段与序列号无关。从 OD 的 Buffer/BufSize 和 ExitCode = 0 注释看,它像是取程序自身路径、在末尾接上 "SMCache" 后去打开这个文件,结果为 0 时把 "DLFPKMML…" 这串编码字符串交给 0049E170 解码、用 00440B24 弹出提示,然后退出进程——更像一个伴随文件/完整性检查。正常安装下它会自然跳过,所以作者没有改它;编码串的明文本文未作分析。)
B8 34734B00 mov eax,SockMon5.004B7334 ; ASCII "Software\SockMon\5.0\FontListView" 004B7046 |. E8 156FFEFF call SockMon5.0049DF60 004B704B |. 8BD0 mov edx,eax 004B704D |. 8BC7 mov eax,edi 004B704F |. E8 D009F9FF call SockMon5.00447A24 004B7054 |. 8BBB F4020000 mov edi,dword ptr ds:[ebx 2F4] 004B705A |. 8B57 68 mov edx,dword ptr ds:[edi 68] 004B705D |. B8 58734B00 mov eax,SockMon5.004B7358 ; ASCII "Software\SockMon\5.0\FontRichEditChar" 004B7062 |. E8 F96EFEFF call SockMon5.0049DF60 004B7067 |. 8BD0 mov edx,eax 004B7069 |. 8BC7 mov eax,edi 004B706B |. E8 B409F9FF call SockMon5.00447A24 004B7070 |. 8BBB F8020000 mov edi,dword ptr ds:[ebx 2F8] 004B7076 |. 8B57 68 mov edx,dword ptr ds:[edi 68] 004B7079 |. B8 80734B00 mov eax,SockMon5.004B7380 ; ASCII "Software\SockMon\5.0\FontRichEditHex" 004B707E |. E8 DD6EFEFF call SockMon5.0049DF60 004B7083 |. 8BD0 mov edx,eax 004B7085 |. 8BC7 mov eax,edi 004B7087 |. E8 9809F9FF call SockMon5.00447A24 004B708C |. 6A 00 push 0 004B708E |. 68 A8734B00 push SockMon5.004B73A8 ; ASCII "RECharAutoCRLF" 004B7093 |. 68 AC724B00 push SockMon5.004B72AC ; ASCII "Software\SockMon\5.0\SetOther" 004B7098 |. E8 1F69FEFF call 004B709D |. 8BD0 mov edx,eax 004B709F |. 8B83 88040000 mov eax,dword ptr ds:[ebx 488] 004B70A5 |. E8 322AFAFF call SockMon5.00459ADC 004B70AA |. 6A 00 push 0 004B70AC |. 68 B8734B00 push SockMon5.004B73B8 ; ASCII "RECharReplace32" 004B70B1 |. 68 AC724B00 push SockMon5.004B72AC ; ASCII "Software\SockMon\5.0\SetOther" 004B70B6 |. E8 0169FEFF call 004B70BB |. 8BD0 mov edx,eax 004B70BD |. 8B83 8C040000 mov eax,dword ptr ds:[ebx 48C] 004B70C3 |. E8 142AFAFF call SockMon5.00459ADC 004B70C8 |. 6A 00 push 0 004B70CA |. 68 C8734B00 push SockMon5.004B73C8 ; ASCII "RECharReplace127" 004B70CF |. 68 AC724B00 push SockMon5.004B72AC ; ASCII "Software\SockMon\5.0\SetOther" 004B70D4 |. E8 E368FEFF call 004B70D9 |. 8BD0 mov edx,eax 004B70DB |. 8B83 90040000 mov eax,dword ptr ds:[ebx 490] 004B70E1 |. E8 F629FAFF call SockMon5.00459ADC 004B70E6 |. 
8B83 88040000 mov eax,dword ptr ds:[ebx 488] 004B70EC |. 8A50 38 mov dl,byte ptr ds:[eax 38] 004B70EF |. 8B83 F4020000 mov eax,dword ptr ds:[ebx 2F4] 004B70F5 |. E8 3EABF7FF call SockMon5.00431C38 004B70FA |. 6A 00 push 0 004B70FC |. 68 DC734B00 push SockMon5.004B73DC ; ASCII "ListViewAutoScroll" 004B7101 |. 68 AC724B00 push SockMon5.004B72AC ; ASCII "Software\SockMon\5.0\SetOther" 004B7106 |. E8 B168FEFF call 004B710B |. 8BD0 mov edx,eax 004B710D |. 8B83 74030000 mov eax,dword ptr ds:[ebx 374] 004B7113 |. E8 9CD2F9FF call SockMon5.004543B4 004B7118 |. 6A 00 push 0 004B711A |. 68 F0734B00 push SockMon5.004B73F0 ; ASCII "WindowsTopMost" 004B711F |. 68 AC724B00 push SockMon5.004B72AC ; ASCII "Software\SockMon\5.0\SetOther" 004B7124 |. E8 9368FEFF call 004B7129 |. 8BD0 mov edx,eax 004B712B |. 80F2 01 xor dl,1 004B712E |. 8B83 BC030000 mov eax,dword ptr ds:[ebx 3BC] 004B7134 |. E8 7BD2F9FF call SockMon5.004543B4 004B7139 |. 8B55 FC mov edx,dword ptr ss:[ebp-4] 004B713C |. 8BC3 mov eax,ebx 004B713E |. E8 ED1F0000 call SockMon5.004B9130 004B7143 |. 8BC3 mov eax,ebx 004B7145 |. E8 FE0A0000 call SockMon5.004B7C48 004B714A |. 8BC3 mov eax,ebx 004B714C |. E8 57090000 call SockMon5.004B7AA8 004B7151 |. C605 90ED4B00>mov byte ptr ds:[4BED90],0 004B7158 |. C605 91ED4B00>mov byte ptr ds:[4BED91],1 004B715F |. 33C0 xor eax,eax 004B7161 |. A3 9CED4B00 mov dword ptr ds:[4BED9C],eax 004B7166 |. 6A 00 push 0 004B7168 |. 8D95 F0FDFFFF lea edx,dword ptr ss:[ebp-210] 004B716E |. B8 08744B00 mov eax,SockMon5.004B7408 ; ASCII "ILANANLLHNCKCLBODNDMLLHKKDACFCDH" 004B7173 |. E8 F86FFEFF call SockMon5.0049E170 004B7178 |. 8B85 F0FDFFFF mov eax,dword ptr ss:[ebp-210] 004B717E |. E8 9DD7F4FF call SockMon5.00404920 004B7183 |. 8BD0 mov edx,eax ; | 004B7185 |. 8D85 FBFEFFFF lea eax,dword ptr ss:[ebp-105] ; | 004B718B |. 8985 E8FDFFFF mov dword ptr ss:[ebp-218],eax ; | 004B7191 |. C685 ECFDFFFF>mov byte ptr ss:[ebp-214],6 ; | 004B7198 |. 8D8D E8FDFFFF lea ecx,dword ptr ss:[ebp-218] ; | 004B719E |. 
8D85 FAFDFFFF lea eax,dword ptr ss:[ebp-206] ; |
004B71A4 |. E8 9726F5FF call SockMon5.00409840 ; \SockMon5.00409840
004B71A9 |. 6A 00 push 0 ; /pModule = NULL
004B71AB |. E8 A8F9F4FF call //目标丢失;参数注释同 004B6E79,见下面的补充
004B71B0 |. 3BF0 cmp esi,eax
004B71B2 |. 74 5A je short SockMon5.004B720E //一直到这里。作者认为上面的几个 call 是在比较时间;不跳就继续显示限制信息,跳走就显示已注册的名字,所以改为 jmp
004B71B4 |. 6A 01 push 1
004B71B6 |. 8D95 E4FDFFFF lea edx,dword ptr ss:[ebp-21C]
004B71BC |. B8 34744B00 mov eax,SockMon5.004B7434 ; ASCII "EMDOLLJLDNANFCEGMMMODNLOFCEGELOMKMENDNDMFLEMGMKNPMON"
004B71C1 |. E8 AA6FFEFF call SockMon5.0049E170
004B71C6 |. 8B85 E4FDFFFF mov eax,dword ptr ss:[ebp-21C]
004B71CC |. E8 4FD7F4FF call SockMon5.00404920
004B71D1 |. 8BD0 mov edx,eax ; |
004B71D3 |. 8BC6 mov eax,esi ; |
004B71D5 |. C1E8 10 shr eax,10 ; |
004B71D8 |. 25 FF000000 and eax,0FF ; |
004B71DD |. 8985 D4FDFFFF mov dword ptr ss:[ebp-22C],eax ; |
004B71E3 |. C685 D8FDFFFF>mov byte ptr ss:[ebp-228],0 ; |
004B71EA |. 81E6 FF000000 and esi,0FF ; |
004B71F0 |. 89B5 DCFDFFFF mov dword ptr ss:[ebp-224],esi ; |
004B71F6 |. C685 E0FDFFFF>mov byte ptr ss:[ebp-220],0 ; |
004B71FD |. 8D8D D4FDFFFF lea ecx,dword ptr ss:[ebp-22C] ; |
004B7203 |. 8D85 FAFDFFFF lea eax,dword ptr ss:[ebp-206] ; |
004B7209 |. E8 3226F5FF call SockMon5.00409840 ; \SockMon5.00409840

修改完毕,保存之。这样就爆破成功了。因为很多函数不明白,只能把关键的地方写出来,请大家包涵。

爆破点:
1. 004B6E80 |. 0F84 84000000 je SockMon5.004B6F0A 改为: 004B6E80 jmp 004B6F0A
2. 004B71B2 |. 74 5A je short SockMon5.004B720E 改为: 004B71B2 jmp short 004B720E

几点补充(审校注):
- 第 1 处 0F84 是 6 字节的 near je,改成 5 字节的 E9 jmp 后多出 1 字节,要用 NOP 补齐(在 OD 的汇编对话框里勾上 "Fill with NOP's" 即可);第 2 处 74 5A 是 2 字节短跳,直接改成 EB 5A 就行。长度改错会破坏后面的指令边界。
- 关于 004B71B2 之前的几个 call,作者说"是在比较时间的",但本文没有给出依据:紧挨着 cmp 的那个 call 被 OD 注释为 /pModule = NULL(这是 OD 对 GetModuleHandleA 参数的命名),而 esi 从 004B6FD4 起在可见代码中一直没有被改写,仍是那里算出的值。这里真正比较的是什么,读者应自行验证,不要把"比较时间"当作结论。
- 不跳(未通过)的那条路径把 esi 拆成 (esi>>16)&0xFF 和 esi&0xFF 两个字节,连同 0049E170 解出的字符串一起交给 00409840 格式化(ecx 指向两个元素的参数数组,eax 指向 [ebp-206] 的目标串)——这与作者观察到的"不跳就在标题栏显示限制信息"相符;"EMDOLL…" 是编码串,明文未作分析。
- 从防护角度看,这个注册校验的弱点在于两处"已注册"状态都只由一个条件跳转决定,后面不再复核,所以改两条指令就能绕过;ASPack 壳也被 PEiD 自带的脱壳器直接脱掉,没有起到实际保护作用。