An alternative approach to cracking network verification
【Title】: An alternative approach to cracking network verification
【Author】: chinglq
【Author's e-mail】: [email protected]
【Author's homepage】: http://lqcoolboy.icpcn.com
【Author's QQ】: 124687067
【Software】: a certain file backup system v8.4.5, standalone edition
【Size】: 1.65MB
【Download】: search for it yourself
【Packer】: none
【Protection】: network verification
【Language】: VC++6.0
【Tools】: OD, PEiD
【Platform】: Lenovo OEM WinXP SP2
【Description】: enterprise incremental file backup system
【Author's statement】: done purely out of interest, for no other purpose. Corrections of any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
1.0 Packer check
Checked with PEiD: no packer, written in VC++6.0. Software limits: 50 uses, 120 minutes per session, 2 tasks. After 25 uses a registration prompt message box appears.
2.0 Cracking approach
The standard ways of cracking network verification are turning the network verification into a local one, capturing and analysing the network traffic, and so on. Those are the specialities of expert crackers, beyond what beginners like me can manage.
If we beginners want to have a go at this problem, we have to take a different route. Here is my idea:
The registration code is one code per machine, so the program must read hardware information; there should be something to find near CreateFileA. After the network verification succeeds the program never needs to verify again, which means the software keeps an activation flag of its own. At startup the program first checks that flag: if it is "not activated" the program goes into network verification; if it is "activated" the software starts normally with no functional restrictions. Once we find this flag and set it to "activated", the crack is done.
The hard part is finding that key location. Fortunately we have two leads: the CreateFileA function and the message boxes.
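The startup design described above, a network check whose result is cached in one local flag that the program trusts from then on, is the weak point the whole approach relies on. The following is an added example, not code from the original post nor from the program it analyses: it models that weak gate and sets beside it a hardened gate in which "activated?" is re-derived on every protected operation from a hardware-bound, MAC-protected activation record, so there is no stored boolean to act as a single point of failure. All names (WeakGate, issue_record, record_is_valid, gated_operation, HW_ID, VERIFY_KEY) and all values are constructed for the example; the 50-use limit is the one the post reports.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the disk serial number the post's target reads.
HW_ID = "DISK-SERIAL-CONSTRUCTED-0001"


class WeakGate:
    """The design the post describes: one byte, 1 = not activated, 0 = activated.

    The result of a successful network check is cached in that byte and the
    program trusts the byte alone on every later start.
    """

    MAX_USES = 50  # the trial limit the post reports

    def __init__(self):
        self.not_activated = 1  # hypothetical name for the flag byte
        self.uses = 0

    def startup(self, network_verify_ok):
        """Return the mode the program starts in."""
        if self.not_activated:
            if network_verify_ok:
                self.not_activated = 0  # cached; never re-derived afterwards
            else:
                self.uses += 1
                return "trial" if self.uses <= self.MAX_USES else "blocked"
        return "full"  # reached by a genuine activation or by any write to the byte


# Constructed key. With HMAC the verification key sits inside the client, which
# is itself modifiable; a real product would embed a public key and verify a
# signature instead. The shape of the check is what this example shows.
VERIFY_KEY = b"constructed-client-verification-key"
TAG_LEN = 32


def issue_record(server_key, hw_id, expires_unix):
    """Server side: bind the activation to a machine and an expiry, then tag it.

    Layout: 8-byte big-endian expiry | hardware id bytes | 32-byte HMAC-SHA256.
    Fixed-width fields avoid any delimiter that could also occur inside the tag.
    """
    body = struct.pack(">Q", expires_unix) + hw_id.encode()
    return body + hmac.new(server_key, body, hashlib.sha256).digest()


def record_is_valid(record, hw_id, now_unix, key=VERIFY_KEY):
    """Client side: decide 'activated?' afresh from the record on every call.

    There is no stored boolean: the answer is a function of the record, the
    machine it runs on and the current time.
    """
    if len(record) < 8 + TAG_LEN:
        return False
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False
    (expires,) = struct.unpack(">Q", body[:8])
    return body[8:] == hw_id.encode() and now_unix < expires


def gated_operation(record, hw_id, now_unix):
    """Every protected feature re-runs the check instead of reading a flag."""
    return "full" if record_is_valid(record, hw_id, now_unix) else "trial"


def demo():
    """Run both designs on constructed inputs and collect the outcomes."""
    out = {}
    weak = WeakGate()
    out["weak_no_network"] = weak.startup(False)          # "trial"
    tampered = WeakGate()
    tampered.not_activated = 0                            # one byte changed, no check ran
    out["weak_flag_written"] = tampered.startup(False)    # "full"

    now = 1_700_000_000
    rec = issue_record(VERIFY_KEY, HW_ID, now + 30 * 86400)
    out["hard_ok"] = gated_operation(rec, HW_ID, now)                   # "full"
    out["hard_other_machine"] = gated_operation(rec, "DISK-OTHER", now)  # "trial"
    out["hard_expired"] = gated_operation(rec, HW_ID, now + 31 * 86400)  # "trial"
    forged = struct.pack(">Q", now + 10 * 365 * 86400) + rec[8:]        # expiry edited, tag now stale
    out["hard_forged_expiry"] = gated_operation(forged, HW_ID, now)     # "trial"
    return out


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode}")
```

The contrast the demo makes: in the weak design a single write to the flag yields "full" without any verification having run, which is exactly the property the post exploits; in the hardened design the record only validates on the machine it was issued for, before its expiry, and with its tag intact, and because each gated operation recomputes the answer there is no one location whose value settles the question for the rest of the run.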
3.0 Debugging
Load the program in OD and set breakpoints on CreateFileA and MessageBoxW. After breaking and several rounds of debugging and analysis, the following section turned out to be the key:
----------------------------------------------
004224B0 .6A FF push -1
004224B2 .68 7DA94C00 push 004CA97D
004224B7 .64:A1 00000000 mov eax, dword ptr fs:
004224BD .50 push eax
004224BE .81EC A8020000 sub esp, 2A8
004224C4 .A1 68C25000 mov eax, dword ptr
004224C9 .33C4 xor eax, esp
004224CB .898424 A4020000 mov dword ptr , eax
004224D2 .53 push ebx
004224D3 .55 push ebp
004224D4 .56 push esi
004224D5 .57 push edi
004224D6 .A1 68C25000 mov eax, dword ptr
004224DB .33C4 xor eax, esp
004224DD .50 push eax
004224DE .8D8424 BC020000 lea eax, dword ptr
004224E5 .64:A3 00000000 mov dword ptr fs:, eax
004224EB .8BD9 mov ebx, ecx
004224ED .33F6 xor esi, esi
004224EF .895C24 2C mov dword ptr , ebx
004224F3 .897424 20 mov dword ptr , esi
004224F7 .FF15 B0424D00 call dword ptr [<&KERNEL32.GetCommandLineW>] ; [GetCommandLineW
004224FD .50 push eax
004224FE .8D4C24 18 lea ecx, dword ptr
00422502 .E8 8915FEFF call 00403A90
00422507 .8B4424 14 mov eax, dword ptr
0042250B .68 24E84D00 push 004DE824 ;/
00422510 .50 push eax
00422511 .89B424 CC020000 mov dword ptr , esi
00422518 .897424 20 mov dword ptr , esi
0042251C .E8 D9910800 call 004AB6FA ;
00422521 .83C4 08 add esp, 8
00422524 .3BC6 cmp eax, esi
00422526 75 39 jnz short 00422561
00422528 .8B4C24 14 mov ecx, dword ptr
0042252C .68 64B04D00 push 004DB064 ;/
00422531 .51 push ecx
00422532 .E8 C3910800 call 004AB6FA
00422537 .83C4 08 add esp, 8
0042253A .3BC6 cmp eax, esi
0042253C .74 15 je short 00422553
0042253E .8B15 4CD95000 mov edx, dword ptr
00422544 .6A FF push -1
00422546 .52 push edx
00422547 .B9 44D95000 mov ecx, 0050D944
0042254C .E8 55A40600 call 0048C9A6
00422551 .EB 16 jmp short 00422569
00422553 >8B4424 14 mov eax, dword ptr
00422557 .50 push eax
00422558 .8BCB mov ecx, ebx
0042255A .E8 81FDFFFF call 004222E0
0042255F .EB 08 jmp short 00422569
00422561 >C74424 18 01000000 mov dword ptr , 1
00422569 >6A 05 push 5 ; /Relation = GW_CHILD
0042256B .FF15 A4464D00 call dword ptr [<&USER32.GetDesktopWindow>] ; |[GetDesktopWindow
00422571 .8B3D A8464D00 mov edi, dword ptr [<&USER32.GetWindow>] ; |USER32.GetWindow
00422577 .50 push eax ; |hWnd
00422578 .FFD7 call edi ; \GetWindow
0042257A .8B2D AC464D00 mov ebp, dword ptr [<&USER32.IsWindow>] ;USER32.IsWindow
00422580 .8BF0 mov esi, eax
00422582 .56 push esi ; /hWnd
00422583 .FFD5 call ebp ; \IsWindow
00422585 .85C0 test eax, eax
00422587 .74 29 je short 004225B2
00422589 .8B1D B0464D00 mov ebx, dword ptr [<&USER32.GetPropW>] ;USER32.GetPropW
0042258F .90 nop
00422590 >68 64C14D00 push 004DC164 ;f
00422595 .56 push esi
00422596 .FFD3 call ebx
00422598 .85C0 test eax, eax
0042259A .0F85 AF000000 jnz 0042264F
004225A0 .6A 02 push 2
004225A2 .56 push esi
004225A3 .FFD7 call edi
004225A5 .8BF0 mov esi, eax
004225A7 .56 push esi
004225A8 .FFD5 call ebp
004225AA .85C0 test eax, eax
004225AC .^ 75 E2 jnz short 00422590
004225AE .8B5C24 2C mov ebx, dword ptr
004225B2 >8B4C24 14 mov ecx, dword ptr
004225B6 .8B41 F4 mov eax, dword ptr
004225B9 .8B3D AC424D00 mov edi, dword ptr [<&KERNEL32.Sleep>] ;kernel32.Sleep
004225BF .83CD FF or ebp, FFFFFFFF
004225C2 .85C0 test eax, eax
004225C4 .7C 23 jl short 004225E9
004225C6 .68 00EE4D00 push 004DEE00 ;/
004225CB .51 push ecx
004225CC .E8 29910800 call 004AB6FA
004225D1 .83C4 08 add esp, 8
004225D4 .85C0 test eax, eax
004225D6 .74 11 je short 004225E9
004225D8 .2B4424 14 sub eax, dword ptr
004225DC .D1F8 sar eax, 1
004225DE .3BC5 cmp eax, ebp
004225E0 .74 07 je short 004225E9
004225E2 .68 30750000 push 7530
004225E7 .FFD7 call edi
004225E9 >68 ECED4D00 push 004DEDEC ;t
004225EE .8BCB mov ecx, ebx
004225F0 .E8 FDA30600 call 0048C9F2
004225F5 .6A 00 push 0
004225F7 .68 DCED4D00 push 004DEDDC ;s
004225FC .68 64C14D00 push 004DC164 ;f
00422601 .8BCB mov ecx, ebx
00422603 .E8 F2A40600 call 0048CAFA
00422608 .83F8 01 cmp eax, 1
0042260B .0F85 FA000000 jnz 0042270B
00422611 .E8 FAA20200 call 0044C910
00422616 .85C0 test eax, eax
00422618 .0F85 ED000000 jnz 0042270B
0042261E .6A 30 push 30
00422620 .68 F4554D00 push 004D55F4
00422625 .68 90ED4D00 push 004DED90
0042262A >6A 00 push 0 ; |hOwner = NULL
0042262C .FF15 B4464D00 call dword ptr [<&USER32.MessageBoxW>] ; \MessageBoxW
00422632 >8B4424 14 mov eax, dword ptr
00422636 .83C0 F0 add eax, -10
00422639 .89AC24 C4020000 mov dword ptr , ebp
00422640 .8D48 0C lea ecx, dword ptr
00422643 .F0:0FC129 lock xadd dword ptr , ebp
00422647 .4D dec ebp
00422648 .85ED test ebp, ebp
0042264A .E9 A9000000 jmp 004226F8
0042264F >A1 4CD95000 mov eax, dword ptr
00422654 .85C0 test eax, eax
00422656 .8B2D D4464D00 mov ebp, dword ptr [<&USER32.PostMessageW>] ;USER32.PostMessageW
0042265C .75 1F jnz short 0042267D
0042265E .6A 00 push 0 ; /lParam = 0
00422660 .6A 00 push 0 ; |wParam = 0
00422662 .68 67040000 push 467 ; |Message = MSG(467)
00422667 .56 push esi ; |hWnd
00422668 .FFD5 call ebp ; \PostMessageW
0042266A .56 push esi ; /hOwner
0042266B .FF15 B8464D00 call dword ptr [<&USER32.GetLastActivePopup>] ; \GetLastActivePopup
00422671 .50 push eax ; /hWnd
00422672 .FF15 BC464D00 call dword ptr [<&USER32.SetForegroundWindow>] ; \SetForegroundWindow
00422678 .A1 4CD95000 mov eax, dword ptr
0042267D >837C24 18 00 cmp dword ptr , 0
00422682 .75 3B jnz short 004226BF
00422684 .33FF xor edi, edi
00422686 .85C0 test eax, eax
00422688 .7E 41 jle short 004226CB
0042268A .8D9B 00000000 lea ebx, dword ptr
00422690 >85FF test edi, edi
00422692 .7C 26 jl short 004226BA
00422694 .3BF8 cmp edi, eax
00422696 .7D 22 jge short 004226BA
00422698 .8B0D 48D95000 mov ecx, dword ptr
0042269E .8B14B9 mov edx, dword ptr
004226A1 .6A 00 push 0
004226A3 .52 push edx
004226A4 .68 69040000 push 469
004226A9 .56 push esi
004226AA .FFD5 call ebp
004226AC .A1 4CD95000 mov eax, dword ptr
004226B1 .83C7 01 add edi, 1
004226B4 .3BF8 cmp edi, eax
004226B6 .^ 7C D8 jl short 00422690
004226B8 .EB 11 jmp short 004226CB
004226BA >E9 14870500 jmp 0047ADD3
004226BF >6A 00 push 0
004226C1 .6A 00 push 0
004226C3 .68 6B040000 push 46B
004226C8 .56 push esi
004226C9 .FFD5 call ebp
004226CB >6A FF push -1 ; /Arg2 = FFFFFFFF
004226CD .6A 00 push 0 ; |Arg1 = 00000000
004226CF .B9 44D95000 mov ecx, 0050D944 ; |
004226D4 .E8 A9A10600 call 0048C882 ; \FileGee.0048C882
004226D9 .8B4424 14 mov eax, dword ptr
004226DD .83C0 F0 add eax, -10
004226E0 .C78424 C4020000 FFFF>mov dword ptr , -1
004226EB .8D48 0C lea ecx, dword ptr
004226EE .83CA FF or edx, FFFFFFFF
004226F1 .F0:0FC111 lock xadd dword ptr , edx
004226F5 .4A dec edx
004226F6 .85D2 test edx, edx
004226F8 >7F 0A jg short 00422704
004226FA .8B08 mov ecx, dword ptr
004226FC .8B11 mov edx, dword ptr
004226FE .50 push eax
004226FF .8B42 04 mov eax, dword ptr
00422702 .FFD0 call eax
00422704 >33C0 xor eax, eax
00422706 .E9 75070000 jmp 00422E80
0042270B >68 64C14D00 push 004DC164 ;f
00422710 .E8 0BA30200 call 0044CA20
00422715 .83C4 04 add esp, 4
00422718 .85C0 test eax, eax
0042271A .74 41 je short 0042275D
0042271C .68 64C14D00 push 004DC164 ;f
00422721 .E8 8AA20200 call 0044C9B0
00422726 .68 64C14D00 push 004DC164 ;f
0042272B .33F6 xor esi, esi
0042272D .E8 3EA30200 call 0044CA70
00422732 .83C4 08 add esp, 8
00422735 .85C0 test eax, eax
00422737 .75 24 jnz short 0042275D
00422739 .8DA424 00000000 lea esp, dword ptr
00422740 >83C6 01 add esi, 1
00422743 .83FE 32 cmp esi, 32
00422746 .74 37 je short 0042277F
00422748 .6A 64 push 64
0042274A .FFD7 call edi
0042274C .68 64C14D00 push 004DC164 ;f
00422751 .E8 1AA30200 call 0044CA70
00422756 .83C4 04 add esp, 4
00422759 .85C0 test eax, eax
0042275B .^ 74 E3 je short 00422740
0042275D >68 64C14D00 push 004DC164 ;f
00422762 .E8 E9A30200 call 0044CB50
00422767 .83C4 04 add esp, 4
0042276A .84C0 test al, al
0042276C .74 22 je short 00422790
0042276E .6A 30 push 30
00422770 .68 F4554D00 push 004D55F4
00422775 .68 70ED4D00 push 004DED70
0042277A .^ E9 ABFEFFFF jmp 0042262A
0042277F >6A 30 push 30
00422781 .68 F4554D00 push 004D55F4
00422786 .68 28ED4D00 push 004DED28
0042278B .^ E9 9AFEFFFF jmp 0042262A
00422790 >837C24 18 00 cmp dword ptr , 0
00422795 .^ 0F85 97FEFFFF jnz 00422632
0042279B .6A 00 push 0
0042279D .E8 04080700 call 00492FA6
004227A2 .85C0 test eax, eax
004227A4 .75 19 jnz short 004227BF
004227A6 .55 push ebp
004227A7 .50 push eax
004227A8 .6A 68 push 68
004227AA .E8 FBF40600 call 00491CAA
004227AF .8D4C24 14 lea ecx, dword ptr
004227B3 .E8 E814FEFF call 00403CA0
004227B8 .33C0 xor eax, eax
004227BA .E9 C1060000 jmp 00422E80
004227BF >FF15 74404D00 call dword ptr [<&COMCTL32.#17>] ; [InitCommonControls
004227C5 .8BCB mov ecx, ebx
004227C7 .E8 84E80600 call 00491050
004227CC .6A 00 push 0
004227CE .E8 4B010700 call 0049291E
004227D3 .83C4 04 add esp, 4
004227D6 .B9 989C5000 mov ecx, 00509C98 ;t\nn
004227DB .E8 C0700200 call 004498A0
004227E0 .E8 5B7D0200 call 0044A540
004227E5 .8D4C24 38 lea ecx, dword ptr
004227E9 .E8 02140500 call 00473BF0
004227EE .6A 01 push 1
004227F0 .8D4C24 1C lea ecx, dword ptr
004227F4 .68 AC114F00 push 004F11AC
004227F9 .51 push ecx
004227FA .C68424 D0020000 01 mov byte ptr , 1
00422802 .E8 79720200 call 00449A80
00422807 .83C4 0C add esp, 0C
0042280A .8B00 mov eax, dword ptr
0042280C .50 push eax ; /Arg1
0042280D .8D4C24 3C lea ecx, dword ptr ; |
00422811 .C68424 C8020000 02 mov byte ptr , 2 ; |
00422819 .E8 32170500 call 00473F50 ; \FileGee.00473F50
0042281E .8D4C24 18 lea ecx, dword ptr
00422822 .8BF0 mov esi, eax
00422824 .C68424 C4020000 01 mov byte ptr , 1
0042282C .E8 6F14FEFF call 00403CA0
00422831 .85F6 test esi, esi
00422833 .8B3D B4464D00 mov edi, dword ptr [<&USER32.MessageBoxW>] ;USER32.MessageBoxW ; breaks here
00422839 .75 70 jnz short 004228AB
0042283B .6A 21 push 21 ; /Style = MB_OKCANCEL|MB_ICONQUESTION|MB_APPLMODAL
0042283D .68 BC4D4D00 push 004D4DBC ; |Title = "询问"
00422842 .68 68EC4D00 push 004DEC68 ; |Text = "软件已升?,B6,"?,AC,"软件
的配置文件需要",B8,"??,A1,"N?,B7,"乐?,B8,"?率?,B0,"埽",AC,"如需?,B8,"",B7,"菖渲梦募
??,B8,"",B4,"制",B0,"",B2,"",D7,"",B0,"?,B7,"?,B6,"下的",D7,"幽柯己腿罩疚募??谀柯?,A1,"R丫",AD,"?,B8,"",B7,"?...
00422847 .6A 00 push 0 ; |hOwner = NULL
00422849 .FFD7 call edi ; \MessageBoxW
0042284B .83F8 02 cmp eax, 2
0042284E .8D4C24 38 lea ecx, dword ptr
00422852 .75 1D jnz short 00422871
00422854 .C68424 C4020000 00 mov byte ptr , 0
0042285C .E8 3F160500 call 00473EA0
00422861 .8D4C24 14 lea ecx, dword ptr
00422865 .E8 3614FEFF call 00403CA0
0042286A .33C0 xor eax, eax
0042286C .E9 0F060000 jmp 00422E80
00422871 >E8 3A130500 call 00473BB0
00422876 .85C0 test eax, eax
00422878 .75 4C jnz short 004228C6
0042287A .6A 30 push 30
0042287C .68 F4554D00 push 004D55F4
00422881 .68 34EC4D00 push 004DEC34
00422886 >6A 00 push 0
00422888 .FFD7 call edi
0042288A >8D4C24 38 lea ecx, dword ptr
0042288E .C68424 C4020000 00 mov byte ptr , 0
00422896 .E8 05160500 call 00473EA0
0042289B .8D4C24 14 lea ecx, dword ptr
0042289F .E8 FC13FEFF call 00403CA0
004228A4 .33C0 xor eax, eax
004228A6 .E9 D5050000 jmp 00422E80
004228AB >83FE 02 cmp esi, 2
004228AE 75 16 jnz short 004228C6
004228B0 .6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004228B2 .68 F4554D00 push 004D55F4 ; |Title = ""B4,"砦?
004228B7 .68 34EC4D00 push 004DEC34 ; |Text = "升?,B6,"过程
中?,AC,"",B8,"?氯砑?渲梦募??,B0,"埽",AC,"软件无",B7,"",A8,"正常启",B6,"?
004228BC .6A 00 push 0 ; |hOwner = NULL
004228BE .FF15 B4464D00 call dword ptr [<&USER32.MessageBoxW>] ; \MessageBoxW
004228C4 .^ EB C4 jmp short 0042288A
004228C6 >E8 251B0100 call 004343F0
004228CB .84C0 test al, al
004228CD 75 0E jnz short 004228DD
004228CF .6A 30 push 30
004228D1 .68 F4554D00 push 004D55F4
004228D6 .68 0CEC4D00 push 004DEC0C
004228DB .^ EB A9 jmp short 00422886
004228DD >8D5424 18 lea edx, dword ptr
004228E1 .52 push edx
004228E2 .C605 B9E35000 01 mov byte ptr , 1
004228E9 .33ED xor ebp, ebp
004228EB .E8 30460200 call 00446F20 ; get the disk serial number
004228F0 .8B00 mov eax, dword ptr ; disk serial number
004228F2 .8D8C24 7C020000 lea ecx, dword ptr
004228F9 .51 push ecx
004228FA .50 push eax
004228FB .68 44DA5000 push 0050DA44
00422900 .C68424 D4020000 03 mov byte ptr , 3
00422908 .C74424 30 01000000 mov dword ptr , 1
00422910 .E8 AB8D0200 call 0044B6C0
00422915 .83C4 10 add esp, 10
00422918 .84C0 test al, al
0042291A .74 1D je short 00422939
0042291C .8D9424 78020000 lea edx, dword ptr
00422923 .52 push edx ; /Arg2
00422924 .68 C4D95000 push 0050D9C4 ; |Arg1 = 0050D9C4
00422929 .E8 629C0200 call 0044C590 ; \FileGee.0044C590
0042292E .83C4 08 add esp, 8
00422931 .84C0 test al, al
00422933 .74 04 je short 00422939
00422935 .32DB xor bl, bl
00422937 .EB 02 jmp short 0042293B
00422939 >B3 01 mov bl, 1
0042293B >BE 01000000 mov esi, 1
00422940 .8D4C24 18 lea ecx, dword ptr
00422944 .89B424 C4020000 mov dword ptr , esi
0042294B .E8 5013FEFF call 00403CA0
00422950 .84DB test bl, bl
00422952 0F84 C7000000 je 00422A1F ; ---> 90 nop ; E9 CE020000 jmp 00422C26
00422958 .E8 73940200 call 0044BDD0 ; 使用次数
0042295D .8BE8 mov ebp, eax ; 剩余次数
0042295F .85ED test ebp, ebp
00422961 .C605 B9E35000 00 mov byte ptr , 0
00422968 .7F 5A jg short 004229C4
0042296A .6A 40 push 40
0042296C .68 304E4D00 push 004D4E30 ;ASCII "酧o`"
00422971 .68 E0EB4D00 push 004DEBE0
00422976 .6A 00 push 0
00422978 .FFD7 call edi
0042297A .6A 00 push 0
0042297C .6A 00 push 0
0042297E .8D8C24 08010000 lea ecx, dword ptr
00422985 .E8 06CCFFFF call 0041F590
0042298A .C68424 C4020000 04 mov byte ptr , 4
00422992 >8D8C24 00010000 lea ecx, dword ptr
00422999 .E8 74300600 call 00485A12
0042299E .803D C09C5000 00 cmp byte ptr , 0
004229A5 .C68424 C4020000 01 mov byte ptr , 1
004229AD .8D8C24 00010000 lea ecx, dword ptr
004229B4 .0F84 1E010000 je 00422AD8
004229BA >E8 41CCFFFF call 0041F600
004229BF .^ E9 C6FEFFFF jmp 0042288A
004229C4 >83FD 19 cmp ebp, 19
004229C7 .7D 45 jge short 00422A0E
004229C9 .8D4C24 18 lea ecx, dword ptr
004229CD .E8 EE12FEFF call 00403CC0
004229D2 .55 push ebp
004229D3 .8D4424 1C lea eax, dword ptr
004229D7 .68 98EB4D00 push 004DEB98
004229DC .50 push eax
004229DD .C68424 D0020000 05 mov byte ptr , 5
004229E5 .E8 F62AFEFF call 004054E0
004229EA .8B4C24 24 mov ecx, dword ptr
004229EE .83C4 0C add esp, 0C
004229F1 .6A 40 push 40
004229F3 .68 304E4D00 push 004D4E30 ;ASCII "酧o`"
004229F8 .51 push ecx
004229F9 .6A 00 push 0
004229FB .FFD7 call edi ; the "24 days" prompt message box
004229FD .8D4C24 18 lea ecx, dword ptr
00422A01 .C68424 C4020000 01 mov byte ptr , 1
00422A09 .E8 9212FEFF call 00403CA0
00422A0E >8D55 FF lea edx, dword ptr
00422A11 .52 push edx
00422A12 .E8 E9940200 call 0044BF00
00422A17 .83C4 04 add esp, 4
00422A1A .E9 BE000000 jmp 00422ADD
00422A1F >8B5C24 2C mov ebx, dword ptr
00422A23 .6A 00 push 0
00422A25 .68 84C14D00 push 004DC184 ;s
00422A2A .68 64C14D00 push 004DC164 ;f
00422A2F .8BCB mov ecx, ebx
00422A31 .C74424 24 00000000 mov dword ptr , 0
00422A39 .E8 BCA00600 call 0048CAFA
00422A3E .3BC6 cmp eax, esi
00422A40 .0F84 97000000 je 00422ADD
00422A46 .8D4424 24 lea eax, dword ptr
00422A4A .50 push eax ; /pHandle
00422A4B .68 58EB4D00 push 004DEB58 ; |s
00422A50 .68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00422A55 .FF15 04404D00 call dword ptr [<&ADVAPI32.RegOpenKeyW>] ; \RegOpenKeyW
00422A5B .85C0 test eax, eax
00422A5D .75 45 jnz short 00422AA4
00422A5F .8D4C24 20 lea ecx, dword ptr
00422A63 .51 push ecx ; /pBufSize
00422A64 .8B4C24 28 mov ecx, dword ptr ; |
00422A68 .8D5424 1C lea edx, dword ptr ; |
00422A6C .52 push edx ; |Buffer
00422A6D .8D4424 30 lea eax, dword ptr ; |
00422A71 .50 push eax ; |pValueType
00422A72 .6A 00 push 0 ; |Reserved = NULL
00422A74 .68 40EB4D00 push 004DEB40 ; |s
00422A79 .51 push ecx ; |hKey
00422A7A .897424 40 mov dword ptr , esi ; |
00422A7E .C74424 38 04000000 mov dword ptr , 4 ; |
00422A86 .FF15 6C404D00 call dword ptr [<&ADVAPI32.RegQueryValueExW>] ; \RegQueryValueExW
00422A8C .85C0 test eax, eax
00422A8E 75 14 jnz short 00422AA4
00422A90 .56 push esi ; /Arg3
00422A91 .68 84C14D00 push 004DC184 ; |s
00422A96 .68 64C14D00 push 004DC164 ; |f
00422A9B .8BCB mov ecx, ebx ; |
00422A9D .E8 C1A00600 call 0048CB63 ; \FileGee.0048CB63
00422AA2 .EB 39 jmp short 00422ADD
00422AA4 >6A 40 push 40
00422AA6 .68 304E4D00 push 004D4E30 ;ASCII "酧o`"
00422AAB .68 20EB4D00 push 004DEB20
00422AB0 .6A 00 push 0
00422AB2 .FFD7 call edi
00422AB4 .6A 00 push 0
00422AB6 .6A 00 push 0
00422AB8 .8D8C24 08010000 lea ecx, dword ptr
00422ABF .C605 C09C5000 01 mov byte ptr , 1
00422AC6 .E8 C5CAFFFF call 0041F590
00422ACB .C68424 C4020000 06 mov byte ptr , 6
00422AD3 .^ E9 BAFEFFFF jmp 00422992
00422AD8 >E8 23CBFFFF call 0041F600
00422ADD >E8 EE0C0100 call 004337D0
00422AE2 .E8 F9380100 call 004363E0
00422AE7 .8B15 4CDF5000 mov edx, dword ptr
00422AED .A1 08DF5000 mov eax, dword ptr
00422AF2 .68 90DF5000 push 0050DF90
00422AF7 .68 50DF5000 push 0050DF50
00422AFC .52 push edx
00422AFD .68 0CDF5000 push 0050DF0C
00422B02 .50 push eax
00422B03 .E8 C8FE0200 call 004529D0
00422B08 .83C4 14 add esp, 14
00422B0B .E8 E0340100 call 00435FF0
00422B10 .E8 DB070100 call 004332F0
00422B15 .E8 66FD0000 call 00432880
00422B1A .E8 41860000 call 0042B160
00422B1F .84C0 test al, al
00422B21 .75 11 jnz short 00422B34
00422B23 .6A 30 push 30
00422B25 .68 F4554D00 push 004D55F4
00422B2A .68 F8EA4D00 push 004DEAF8
00422B2F .^ E9 52FDFFFF jmp 00422886
00422B34 >E8 673F0000 call 00426AA0
00422B39 .E8 32F80000 call 00432370
00422B3E .A1 18D95000 mov eax, dword ptr
00422B43 .3B05 84DA5000 cmp eax, dword ptr
00422B49 .72 08 jb short 00422B53
00422B4B .83C0 01 add eax, 1
00422B4E .A3 84DA5000 mov dword ptr , eax
00422B53 >A1 A4D95000 mov eax, dword ptr
00422B58 .3B05 88DA5000 cmp eax, dword ptr
00422B5E .72 08 jb short 00422B68
00422B60 .83C0 01 add eax, 1
00422B63 .A3 88DA5000 mov dword ptr , eax
00422B68 >A1 F0DE5000 mov eax, dword ptr
00422B6D .3B05 8CDA5000 cmp eax, dword ptr
00422B73 .72 08 jb short 00422B7D
00422B75 .83C0 01 add eax, 1
00422B78 .A3 8CDA5000 mov dword ptr , eax
00422B7D >A1 78D95000 mov eax, dword ptr
00422B82 .3B05 90DA5000 cmp eax, dword ptr
00422B88 .72 08 jb short 00422B92
00422B8A .83C0 01 add eax, 1
00422B8D .A3 90DA5000 mov dword ptr , eax
00422B92 >A1 FCD85000 mov eax, dword ptr
00422B97 .3B05 94DA5000 cmp eax, dword ptr
00422B9D .72 08 jb short 00422BA7
00422B9F .83C0 01 add eax, 1
00422BA2 .A3 94DA5000 mov dword ptr , eax
00422BA7 >A1 60D95000 mov eax, dword ptr
00422BAC .3B05 98DA5000 cmp eax, dword ptr
00422BB2 .72 08 jb short 00422BBC
00422BB4 .83C0 01 add eax, 1
00422BB7 .A3 98DA5000 mov dword ptr , eax
00422BBC >803D C09C5000 00 cmp byte ptr , 0
00422BC3 .75 71 jnz short 00422C36
00422BC5 .8D4C24 18 lea ecx, dword ptr
00422BC9 .51 push ecx
00422BCA .E8 71F7FFFF call 00422340
00422BCF .8D5424 24 lea edx, dword ptr
00422BD3 .52 push edx
00422BD4 .8D4424 2C lea eax, dword ptr
00422BD8 .50 push eax
00422BD9 .8D4C24 28 lea ecx, dword ptr
00422BDD .51 push ecx
00422BDE .68 E4EA4D00 push 004DEAE4 ;%
00422BE3 .68 CCEA4D00 push 004DEACC ;2
00422BE8 .E8 18930800 call 004ABF05
00422BED .8B5424 38 mov edx, dword ptr
00422BF1 .8B4424 3C mov eax, dword ptr
00422BF5 .8B4C24 34 mov ecx, dword ptr
00422BF9 .83C4 14 add esp, 14
00422BFC .6A FF push -1 ; /Arg7 = FFFFFFFF
00422BFE .6A 00 push 0 ; |Arg6 = 00000000
00422C00 .6A 00 push 0 ; |Arg5 = 00000000
00422C02 .6A 00 push 0 ; |Arg4 = 00000000
00422C04 .52 push edx ; |Arg3
00422C05 .50 push eax ; |Arg2
00422C06 .51 push ecx ; |Arg1
00422C07 .8D4C24 4C lea ecx, dword ptr ; |
00422C0B .E8 D0F5FFFF call 004221E0 ; \FileGee.004221E0
00422C10 .8B5424 1C mov edx, dword ptr
00422C14 .3B5424 34 cmp edx, dword ptr
00422C18 .7C 13 jl short 00422C2D
00422C1A .7F 0A jg short 00422C26
00422C1C .8B4424 18 mov eax, dword ptr
00422C20 .3B4424 30 cmp eax, dword ptr
00422C24 .76 07 jbe short 00422C2D
00422C26 >C605 B8E35000 01 mov byte ptr , 1 ; ---> C605 C09C5000 00 movbyte ptr , 0
00422C2D >803D C09C5000 00 cmp byte ptr , 0
00422C34 .74 4E je short 00422C84
00422C36 >833D 38D95000 02 cmp dword ptr , 2
00422C3D .7E 45 jle short 00422C84
00422C3F .6A 00 push 0
00422C41 .6A 00 push 0
00422C43 .8D8C24 08010000 lea ecx, dword ptr
00422C4A .E8 41C9FFFF call 0041F590
00422C4F .8D8C24 00010000 lea ecx, dword ptr
00422C56 .C68424 C4020000 07 mov byte ptr , 7
00422C5E .E8 AF2D0600 call 00485A12
00422C63 .803D C09C5000 00 cmp byte ptr , 0
00422C6A .C68424 C4020000 01 mov byte ptr , 1
00422C72 .8D8C24 00010000 lea ecx, dword ptr
00422C79 .^ 0F85 3BFDFFFF jnz 004229BA
00422C7F .E8 7CC9FFFF call 0041F600
00422C84 >803D 9DDA5000 00 cmp byte ptr , 0
00422C8B .74 71 je short 00422CFE
00422C8D .8B4424 14 mov eax, dword ptr
00422C91 .8378 F4 00 cmp dword ptr , 0
00422C95 .7C 1D jl short 00422CB4
00422C97 .68 00EE4D00 push 004DEE00 ;/
00422C9C .50 push eax
00422C9D .E8 588A0800 call 004AB6FA
00422CA2 .83C4 08 add esp, 8
00422CA5 .85C0 test eax, eax
00422CA7 .74 0B je short 00422CB4
00422CA9 .2B4424 14 sub eax, dword ptr
00422CAD .D1F8 sar eax, 1
00422CAF .83F8 FF cmp eax, -1
00422CB2 .75 4A jnz short 00422CFE
00422CB4 >6A 00 push 0
00422CB6 .68 A0DA5000 push 0050DAA0
00422CBB .8D8C24 8C000000 lea ecx, dword ptr
00422CC2 .E8 E9A2FFFF call 0041CFB0
00422CC7 .8D8C24 84000000 lea ecx, dword ptr
00422CCE .C68424 C4020000 08 mov byte ptr , 8
00422CD6 .E8 372D0600 call 00485A12
00422CDB .83F8 02 cmp eax, 2
00422CDE .C68424 C4020000 01 mov byte ptr , 1
00422CE6 .8D8C24 84000000 lea ecx, dword ptr
00422CED .75 0A jnz short 00422CF9
00422CEF .E8 7CC2FEFF call 0040EF70
00422CF4 .^ E9 91FBFFFF jmp 0042288A
00422CF9 >E8 72C2FEFF call 0040EF70
00422CFE >803D 9CDA5000 00 cmp byte ptr , 0
00422D05 .74 62 je short 00422D69
00422D07 .68 64C14D00 push 004DC164 ;f
00422D0C .E8 DF9C0200 call 0044C9F0
00422D11 .83C4 04 add esp, 4
00422D14 .85C0 test eax, eax
00422D16 .75 4E jnz short 00422D66
00422D18 .50 push eax
00422D19 .8D4C24 1C lea ecx, dword ptr
00422D1D .68 AC114F00 push 004F11AC
00422D22 .51 push ecx
00422D23 .E8 586D0200 call 00449A80
00422D28 .83C4 0C add esp, 0C
00422D2B .68 E8C84D00 push 004DC8E8 ;s
00422D30 .8D4C24 1C lea ecx, dword ptr
00422D34 .C68424 C8020000 09 mov byte ptr , 9
00422D3C .E8 BF30FEFF call 00405E00
00422D41 .8B5424 18 mov edx, dword ptr
00422D45 .52 push edx
00422D46 .68 64C14D00 push 004DC164 ;f
00422D4B .E8 E09B0200 call 0044C930
00422D50 .83C4 08 add esp, 8
00422D53 .8D4C24 18 lea ecx, dword ptr
00422D57 .C68424 C4020000 01 mov byte ptr , 1
00422D5F .E8 3C0FFEFF call 00403CA0
00422D64 .EB 12 jmp short 00422D78
00422D66 >56 push esi
00422D67 .EB 02 jmp short 00422D6B
00422D69 >6A 00 push 0
00422D6B >68 64C14D00 push 004DC164 ;f
00422D70 .E8 4B9D0200 call 0044CAC0
00422D75 .83C4 08 add esp, 8
00422D78 >68 FC0F0000 push 0FFC
00422D7D .E8 297E0500 call 0047ABAB
00422D82 .83C4 04 add esp, 4
00422D85 .894424 24 mov dword ptr , eax
00422D89 .85C0 test eax, eax
00422D8B .C68424 C4020000 0A mov byte ptr , 0A
00422D93 .74 0B je short 00422DA0
00422D95 .8BC8 mov ecx, eax
00422D97 .E8 34010000 call 00422ED0
00422D9C .8BF0 mov esi, eax
00422D9E .EB 02 jmp short 00422DA2
00422DA0 >33F6 xor esi, esi
00422DA2 >8B4424 2C mov eax, dword ptr
00422DA6 .6A 00 push 0
00422DA8 .6A 00 push 0
00422DAA .8970 20 mov dword ptr , esi
00422DAD .8B16 mov edx, dword ptr
00422DAF .8B82 38010000 mov eax, dword ptr
00422DB5 .68 0080CF00 push 0CF8000
00422DBA .68 80000000 push 80
00422DBF .8BCE mov ecx, esi
00422DC1 .C68424 D4020000 01 mov byte ptr , 1
00422DC9 .FFD0 call eax
00422DCB .85C0 test eax, eax
00422DCD .^ 0F84 B7FAFFFF je 0042288A
00422DD3 .8B4424 14 mov eax, dword ptr
00422DD7 .8378 F4 00 cmp dword ptr , 0
00422DDB .7C 21 jl short 00422DFE
00422DDD .68 00EE4D00 push 004DEE00 ;/
00422DE2 .50 push eax
00422DE3 .E8 12890800 call 004AB6FA
00422DE8 .83C4 08 add esp, 8
00422DEB .85C0 test eax, eax
00422DED .74 0F je short 00422DFE
00422DEF .2B4424 14 sub eax, dword ptr
00422DF3 .D1F8 sar eax, 1
00422DF5 .83F8 FF cmp eax, -1
00422DF8 .74 04 je short 00422DFE
00422DFA .6A 00 push 0
00422DFC .EB 02 jmp short 00422E00
00422DFE >6A 03 push 3
00422E00 >8BCE mov ecx, esi
00422E02 .E8 E5170600 call 004845EC
00422E07 .8B4E 20 mov ecx, dword ptr
00422E0A .51 push ecx ; /hWnd
00422E0B .FF15 C0464D00 call dword ptr [<&USER32.UpdateWindow>] ; \UpdateWindow ; the correct exit
00422E11 .83FD 32 cmp ebp, 32
00422E14 .75 4B jnz short 00422E61
00422E16 .6A 00 push 0
00422E18 .8D5424 1C lea edx, dword ptr
00422E1C .68 AC114F00 push 004F11AC
00422E21 .52 push edx
00422E22 .E8 596C0200 call 00449A80
00422E27 .83C4 0C add esp, 0C
00422E2A .68 B4EA4D00 push 004DEAB4 ;f
00422E2F .8D4C24 1C lea ecx, dword ptr
00422E33 .C68424 C8020000 0B mov byte ptr , 0B
00422E3B .E8 C02FFEFF call 00405E00
00422E40 .8B4424 18 mov eax, dword ptr
00422E44 .6A 01 push 1 ; /IsShown = 1
00422E46 .6A 00 push 0 ; |DefDir = NULL
00422E48 .6A 00 push 0 ; |Parameters = NULL
00422E4A .50 push eax ; |FileName
00422E4B .68 F8504D00 push 004D50F8 ; |o
00422E50 .6A 00 push 0 ; |hWnd = NULL
00422E52 .FF15 E8444D00 call dword ptr [<&SHELL32.ShellExecuteW>] ; \ShellExecuteW
00422E58 .8D4C24 18 lea ecx, dword ptr
00422E5C .E8 3F0EFEFF call 00403CA0
00422E61 >8D4C24 38 lea ecx, dword ptr
00422E65 .C68424 C4020000 00 mov byte ptr , 0
00422E6D .E8 2E100500 call 00473EA0
00422E72 .8D4C24 14 lea ecx, dword ptr
00422E76 .E8 250EFEFF call 00403CA0
00422E7B .B8 01000000 mov eax, 1
00422E80 >8B8C24 BC020000 mov ecx, dword ptr
00422E87 .64:890D 00000000 mov dword ptr fs:, ecx
00422E8E .59 pop ecx
00422E8F .5F pop edi
00422E90 .5E pop esi
00422E91 .5D pop ebp
00422E92 .5B pop ebx
00422E93 .8B8C24 A4020000 mov ecx, dword ptr
00422E9A .33CC xor ecx, esp
00422E9C .E8 59810800 call 004AAFFA
00422EA1 .81C4 B4020000 add esp, 2B4
00422EA7 .C3 retn
------------------------------------------------------
Analysis shows that this constant is the software's activation flag: 1 means not activated, 0 means activated. After the modifications shown above the program starts normally and the Register menu is greyed out. Tested: all functions work and every restriction is lifted; the crack succeeded.
--------------------------------------------------------------------------------
【Lessons learned】
Cracking requires a clear line of thought and a sound method. The analysis of the key program sections must be well organised, tracing where the flow of control goes. Of course, all of this rests on a solid programming foundation. This is my sixth crack write-up; experts, please bear with me! I hope it gives beginners like me some inspiration and encouragement!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
2008年07月09日 15:41:22
Replies:

指舞瞬间: Heh, actually I think I understand what you mean, but your article really doesn't bring out the essence of your approach.

Just saw this over on Pediy, heh. Bump.

I can't follow it; I'll go read some other material first, then maybe I'll understand a little.

Got a little of it...

Still studying...

Originally posted by 指舞瞬间 on 2008-7-10 10:41:
Heh, actually I think I understand what you mean, but your article really doesn't bring out the essence of your approach.
Thanks for the pointer!
I worked this out on my own, and following this approach I have already cracked several programs. My writing skills are just poor; I'll work harder in future!

Network verification, the eternal pain in my heart.

Time to study this properly.

Thanks for sharing.

You really do need to study hard!~

Time to study this properly.