Offline Explorer Enterprise 5.0.2780 Imperfect Patch
【Title】Offline Explorer Enterprise 5.0.2780 Imperfect Patch
【Author】Ptsos
【Author e-mail】@@@
【Author homepage】@@@
【Tools】PEiD, OD (OllyDbg)
【Platform】WinXP SP2
【Software】Offline Explorer Enterprise 5.0.2780 green (portable) multilingual edition
【Size】4.98 MB
【Original download】http://www.xdowns.com/soft/1/69/2006/Soft_31643.html
【Protection】registration code
【Description】A very convenient offline browsing tool: you can schedule crawl times, set a proxy, choose which items to fetch and their size, and set the download location and a storage-space limit. It has a built-in browser, so you can browse directly or with your favourite browser, and can switch to a full browser window for online browsing; it also provides a MAP of each crawled site, which makes the site's links and directory structure clear.
【Statement】Fairly simple, for my own study only; experts please skip!
------------------------------------------------------------------------
【Cracking process】
1. Check with PEiD: packed with ASPack 2.12b -> Alexey Solodovnikov
2. Try registering the software: the error "sorry, registration information is invalid." appears and the title bar shows "未注册" (Unregistered); both can serve as entry points.
3. Load in OD, F9 to run, Ctrl+G, enter 401000 and confirm, then search for strings; many useful ones show up.
4. Double-click "thank you for registering!" to land here:
008AE9CB BA 0CED8A00 mov edx, 008AED0C ; thank you for registering!
5. Ctrl+A to analyse the code, set a breakpoint at 008AE864, enter a fake code; the program breaks, then single-step with F8.
008AE864/$55 push ebp ;》set the breakpoint here
008AE865|.8BEC mov ebp, esp
008AE867|.B9 07000000 mov ecx, 7
008AE86C|>6A 00 /push 0
008AE86E|.6A 00 |push 0
008AE870|.49 |dec ecx
008AE871|.^ 75 F9 \jnz short 008AE86C
008AE873|.53 push ebx
008AE874|.56 push esi
008AE875|.57 push edi
008AE876|.8BF2 mov esi, edx
008AE878|.8BD8 mov ebx, eax
008AE87A|.33C0 xor eax, eax
008AE87C|.55 push ebp
008AE87D|.68 E6EC8A00 push 008AECE6
008AE882|.64:FF30 push dword ptr fs:
008AE885|.64:8920 mov dword ptr fs:, esp
008AE888|.8D45 FC lea eax, dword ptr
008AE88B|.E8 786EB5FF call 00405708
008AE890|.8D55 F8 lea edx, dword ptr
008AE893|.8B83 24030000 mov eax, dword ptr
008AE899|.8B80 20020000 mov eax, dword ptr
008AE89F|.8B08 mov ecx, dword ptr
008AE8A1|.FF51 1C call dword ptr
008AE8A4|.8D45 F4 lea eax, dword ptr
008AE8A7|.50 push eax
008AE8A8|.8D4D F8 lea ecx, dword ptr
008AE8AB|.8D55 FC lea edx, dword ptr
008AE8AE|.A1 50AE9A00 mov eax, dword ptr
008AE8B3|.8B00 mov eax, dword ptr
008AE8B5|.E8 BA680600 call 00915174 ;》key CALL, F7 to step in
008AE8BA|.84C0 test al, al ;》flag comparison
008AE8BC|.0F84 3D010000 je 008AE9FF ;》key jump
008AE8C2|.A1 50AE9A00 mov eax, dword ptr
008AE8C7|.8B00 mov eax, dword ptr
008AE8C9|.C680 D00B0000>mov byte ptr , 1
008AE8D0|.A1 50AE9A00 mov eax, dword ptr
008AE8D5|.8B00 mov eax, dword ptr
008AE8D7|.05 D40B0000 add eax, 0BD4
008AE8DC|.8B55 FC mov edx, dword ptr
008AE8DF|.E8 786EB5FF call 0040575C
008AE8E4|.A1 50AE9A00 mov eax, dword ptr
008AE8E9|.8B00 mov eax, dword ptr
008AE8EB|.05 D80B0000 add eax, 0BD8
008AE8F0|.8B55 F8 mov edx, dword ptr
008AE8F3|.E8 646EB5FF call 0040575C
008AE8F8|.8BBB 24030000 mov edi, dword ptr
008AE8FE|.807F 57 00 cmp byte ptr , 0
008AE902|.74 22 je short 008AE926
008AE904|.8D55 F0 lea edx, dword ptr
008AE907|.8B87 20020000 mov eax, dword ptr
008AE90D|.8B08 mov ecx, dword ptr
008AE90F|.FF51 1C call dword ptr
008AE912|.8B4D F0 mov ecx, dword ptr
008AE915|.A1 50AE9A00 mov eax, dword ptr
008AE91A|.8B00 mov eax, dword ptr
008AE91C|.8B55 FC mov edx, dword ptr
008AE91F|.E8 6C680600 call 00915190
008AE924|.EB 12 jmp short 008AE938
008AE926|>A1 50AE9A00 mov eax, dword ptr
008AE92B|.8B00 mov eax, dword ptr
008AE92D|.8B4D F8 mov ecx, dword ptr
008AE930|.8B55 FC mov edx, dword ptr
008AE933|.E8 58680600 call 00915190
008AE938|>6A 40 push 40
008AE93A|.FFB3 2C030000 push dword ptr
008AE940|.A1 50AE9A00 mov eax, dword ptr
008AE945|.8B00 mov eax, dword ptr
008AE947|.8B80 E8030000 mov eax, dword ptr
008AE94D|.8B40 4C mov eax, dword ptr
008AE950|.33D2 xor edx, edx
008AE952|.E8 B907C0FF call 004AF110
008AE957|.0FB7C0 movzx eax, ax
008AE95A|.8D55 E8 lea edx, dword ptr
008AE95D|.E8 EED6B5FF call 0040C050
008AE962|.FF75 E8 push dword ptr
008AE965|.68 FCEC8A00 push 008AECFC ;.
008AE96A|.A1 50AE9A00 mov eax, dword ptr
008AE96F|.8B00 mov eax, dword ptr
008AE971|.8B80 E8030000 mov eax, dword ptr
008AE977|.8B40 4C mov eax, dword ptr
008AE97A|.BA 01000000 mov edx, 1
008AE97F|.E8 8C07C0FF call 004AF110
008AE984|.0FB7C0 movzx eax, ax
008AE987|.8D55 E4 lea edx, dword ptr
008AE98A|.E8 C1D6B5FF call 0040C050
008AE98F|.FF75 E4 push dword ptr
008AE992|.68 08ED8A00 push 008AED08
008AE997|.8D4D E0 lea ecx, dword ptr
008AE99A|.A1 50AE9A00 mov eax, dword ptr
008AE99F|.8B00 mov eax, dword ptr
008AE9A1|.8B80 E8030000 mov eax, dword ptr
008AE9A7|.BA 09000000 mov edx, 9
008AE9AC|.E8 0F0DC0FF call 004AF6C0
008AE9B1|.FF75 E0 push dword ptr
008AE9B4|.8D45 EC lea eax, dword ptr
008AE9B7|.BA 06000000 mov edx, 6
008AE9BC|.E8 D770B5FF call 00405A98
008AE9C1|.8B45 EC mov eax, dword ptr
008AE9C4|.E8 0F72B5FF call 00405BD8
008AE9C9|.8BC8 mov ecx, eax
008AE9CB|.BA 0CED8A00 mov edx, 008AED0C ;thank you for registering!
008AE9D0|.A1 6CB69A00 mov eax, dword ptr
008AE9D5|.8B00 mov eax, dword ptr
008AE9D7|.E8 04EBBFFF call 004AD4E0
008AE9DC|.85F6 test esi, esi
008AE9DE|.0F85 E7020000 jnz 008AECCB
008AE9E4|.6A 00 push 0
008AE9E6|.6A 00 push 0
008AE9E8|.68 67040000 push 467
008AE9ED|.8BC3 mov eax, ebx
008AE9EF|.E8 0445BEFF call 00492EF8
008AE9F4|.50 push eax ; |hWnd
008AE9F5|.E8 FEB8B5FF call 0040A2F8 ; \PostMessageA
008AE9FA|.E9 CC020000 jmp 008AECCB
008AE9FF|>A1 50AE9A00 mov eax, dword ptr
008AEA04|.8B00 mov eax, dword ptr
008AEA06|.80B8 8C0C0000>cmp byte ptr , 0
008AEA0D|.0F84 5C010000 je 008AEB6F
008AEA13|.A1 50AE9A00 mov eax, dword ptr
008AEA18|.8B00 mov eax, dword ptr
008AEA1A|.80B8 D00B0000>cmp byte ptr , 0
008AEA21|.0F85 2A010000 jnz 008AEB51
008AEA27|.6A 34 push 34
008AEA29|.68 28ED8A00 push 008AED28 ;information
008AEA2E|.68 3CED8A00 push 008AED3C ;sorry, but your license is valid only for 1.x - 4.x versions of
008AEA33|.FFB3 2C030000 push dword ptr
008AEA39|.68 88ED8A00 push 008AED88 ;.\n\n\n\n
008AEA3E|.68 98ED8A00 push 008AED98 ;you must purchase a new license for 5.x versions.
008AEA43|.68 D4ED8A00 push 008AEDD4 ;\n\n\n\n
008AEA48|.68 E4ED8A00 push 008AEDE4 ;do you want to order the new version now (with a 50% discount)?
008AEA4D|.8D45 DC lea eax, dword ptr
008AEA50|.BA 06000000 mov edx, 6
008AEA55|.E8 3E70B5FF call 00405A98
008AEA5A|.8B45 DC mov eax, dword ptr
008AEA5D|.E8 7671B5FF call 00405BD8
008AEA62|.50 push eax
008AEA63|.8BC3 mov eax, ebx
008AEA65|.E8 8E44BEFF call 00492EF8
008AEA6A|.50 push eax ; |hOwner
008AEA6B|.E8 48B8B5FF call 0040A2B8 ; \MessageBoxA
008AEA70|.83F8 06 cmp eax, 6
008AEA73|.0F85 D8000000 jnz 008AEB51
008AEA79|.8B45 F4 mov eax, dword ptr
008AEA7C|.BA 2CEE8A00 mov edx, 008AEE2C ;oe
008AEA81|.E8 9E70B5FF call 00405B24
008AEA86|.75 22 jnz short 008AEAAA
008AEA88|.6A 01 push 1 ; /IsShown = 1
008AEA8A|.6A 00 push 0 ; |DefDir = NULL
008AEA8C|.6A 00 push 0 ; |Parameters = NULL
008AEA8E|.68 30EE8A00 push 008AEE30 ; |http://www.metaproducts.com/mp/mpcart.asp?action=add&;id=offline_explorer&coupon=o50eupg
008AEA93|.6A 00 push 0 ; |Operation = NULL
008AEA95|.A1 6CB69A00 mov eax, dword ptr ; |
008AEA9A|.8B00 mov eax, dword ptr ; |
008AEA9C|.8B40 30 mov eax, dword ptr ; |
008AEA9F|.50 push eax ; |hWnd
008AEAA0|.E8 57EFB8FF call 0043D9FC ; \ShellExecuteA
008AEAA5|.E9 A7000000 jmp 008AEB51
008AEAAA|>8B45 F4 mov eax, dword ptr
008AEAAD|.BA 90EE8A00 mov edx, 008AEE90 ;oep
008AEAB2|.E8 6D70B5FF call 00405B24
008AEAB7|.75 1F jnz short 008AEAD8
008AEAB9|.6A 01 push 1 ; /IsShown = 1
008AEABB|.6A 00 push 0 ; |DefDir = NULL
008AEABD|.6A 00 push 0 ; |Parameters = NULL
008AEABF|.68 94EE8A00 push 008AEE94 ; |http://www.metaproducts.com/mp/mpcart.asp?action=add&;id=offline_explorer_pro&coupon=o50epupg
008AEAC4|.6A 00 push 0 ; |Operation = NULL
008AEAC6|.A1 6CB69A00 mov eax, dword ptr ; |
008AEACB|.8B00 mov eax, dword ptr ; |
008AEACD|.8B40 30 mov eax, dword ptr ; |
008AEAD0|.50 push eax ; |hWnd
008AEAD1|.E8 26EFB8FF call 0043D9FC ; \ShellExecuteA
008AEAD6|.EB 79 jmp short 008AEB51
008AEAD8|>8B45 F4 mov eax, dword ptr
008AEADB|.BA FCEE8A00 mov edx, 008AEEFC ;oee
008AEAE0|.E8 3F70B5FF call 00405B24
008AEAE5|.75 1F jnz short 008AEB06
008AEAE7|.6A 01 push 1 ; /IsShown = 1
008AEAE9|.6A 00 push 0 ; |DefDir = NULL
008AEAEB|.6A 00 push 0 ; |Parameters = NULL
008AEAED|.68 00EF8A00 push 008AEF00 ; |http://www.metaproducts.com/mp/mpcart.asp?action=add&;id=offline_explorer_enterprise&coupon=o50eeupg
008AEAF2|.6A 00 push 0 ; |Operation = NULL
008AEAF4|.A1 6CB69A00 mov eax, dword ptr ; |
008AEAF9|.8B00 mov eax, dword ptr ; |
008AEAFB|.8B40 30 mov eax, dword ptr ; |
008AEAFE|.50 push eax ; |hWnd
008AEAFF|.E8 F8EEB8FF call 0043D9FC ; \ShellExecuteA
008AEB04|.EB 4B jmp short 008AEB51
008AEB06|>8B45 F4 mov eax, dword ptr
008AEB09|.BA 6CEF8A00 mov edx, 008AEF6C ;pob
008AEB0E|.E8 1170B5FF call 00405B24
008AEB13|.75 1F jnz short 008AEB34
008AEB15|.6A 01 push 1 ; /IsShown = 1
008AEB17|.6A 00 push 0 ; |DefDir = NULL
008AEB19|.6A 00 push 0 ; |Parameters = NULL
008AEB1B|.68 70EF8A00 push 008AEF70 ; |http://www.metaproducts.com/mp/mpcart.asp?action=add&;id=portable_offline_browser&coupon=p50obupg
008AEB20|.6A 00 push 0 ; |Operation = NULL
008AEB22|.A1 6CB69A00 mov eax, dword ptr ; |
008AEB27|.8B00 mov eax, dword ptr ; |
008AEB29|.8B40 30 mov eax, dword ptr ; |
008AEB2C|.50 push eax ; |hWnd
008AEB2D|.E8 CAEEB8FF call 0043D9FC ; \ShellExecuteA
008AEB32|.EB 1D jmp short 008AEB51
008AEB34|>6A 01 push 1 ; /IsShown = 1
008AEB36|.6A 00 push 0 ; |DefDir = NULL
008AEB38|.6A 00 push 0 ; |Parameters = NULL
008AEB3A|.68 D4EF8A00 push 008AEFD4 ; |http://www.metaproducts.com/mp/mpstore.asp
008AEB3F|.6A 00 push 0 ; |Operation = NULL
008AEB41|.A1 6CB69A00 mov eax, dword ptr ; |
008AEB46|.8B00 mov eax, dword ptr ; |
008AEB48|.8B40 30 mov eax, dword ptr ; |
008AEB4B|.50 push eax ; |hWnd
008AEB4C|.E8 ABEEB8FF call 0043D9FC ; \ShellExecuteA
008AEB51|>85F6 test esi, esi
008AEB53|.0F85 72010000 jnz 008AECCB
008AEB59|.8B83 24030000 mov eax, dword ptr
008AEB5F|.8B80 20020000 mov eax, dword ptr
008AEB65|.8B10 mov edx, dword ptr
008AEB67|.FF52 44 call dword ptr
008AEB6A|.E9 5C010000 jmp 008AECCB
008AEB6F|>8B45 F4 mov eax, dword ptr
008AEB72|.BA 2CEE8A00 mov edx, 008AEE2C ;oe
008AEB77|.E8 A86FB5FF call 00405B24
008AEB7C|.75 0F jnz short 008AEB8D
008AEB7E|.8D45 F4 lea eax, dword ptr
008AEB81|.BA 08F08A00 mov edx, 008AF008 ;\n\nthis code is for offline explorer (standard) version only.
008AEB86|.E8 156CB5FF call 004057A0
008AEB8B|.EB 62 jmp short 008AEBEF
008AEB8D|>8B45 F4 mov eax, dword ptr
008AEB90|.BA 90EE8A00 mov edx, 008AEE90 ;oep
008AEB95|.E8 8A6FB5FF call 00405B24
008AEB9A|.75 0F jnz short 008AEBAB
008AEB9C|.8D45 F4 lea eax, dword ptr
008AEB9F|.BA 50F08A00 mov edx, 008AF050 ;\n\nthis code is for offline explorer pro version only.
008AEBA4|.E8 F76BB5FF call 004057A0
008AEBA9|.EB 44 jmp short 008AEBEF
008AEBAB|>8B45 F4 mov eax, dword ptr
008AEBAE|.BA FCEE8A00 mov edx, 008AEEFC ;oee
008AEBB3|.E8 6C6FB5FF call 00405B24
008AEBB8|.75 0F jnz short 008AEBC9
008AEBBA|.8D45 F4 lea eax, dword ptr
008AEBBD|.BA 90F08A00 mov edx, 008AF090 ;\n\nthis code is for offline explorer enterprise version only.
008AEBC2|.E8 D96BB5FF call 004057A0
008AEBC7|.EB 26 jmp short 008AEBEF
008AEBC9|>8B45 F4 mov eax, dword ptr
008AEBCC|.BA 6CEF8A00 mov edx, 008AEF6C ;pob
008AEBD1|.E8 4E6FB5FF call 00405B24
008AEBD6|.75 0F jnz short 008AEBE7
008AEBD8|.8D45 F4 lea eax, dword ptr
008AEBDB|.BA D8F08A00 mov edx, 008AF0D8 ;\n\nthis code is for portable offline browser version only.
008AEBE0|.E8 BB6BB5FF call 004057A0
008AEBE5|.EB 08 jmp short 008AEBEF
008AEBE7|>8D45 F4 lea eax, dword ptr
008AEBEA|.E8 196BB5FF call 00405708
008AEBEF|>85F6 test esi, esi
008AEBF1|.75 0A jnz short 008AEBFD
008AEBF3|.837D F4 00 cmp dword ptr , 0
008AEBF7|.0F84 B9000000 je 008AECB6
008AEBFD|>6A 10 push 10
008AEBFF|.FFB3 2C030000 push dword ptr
008AEC05|.A1 50AE9A00 mov eax, dword ptr
008AEC0A|.8B00 mov eax, dword ptr
008AEC0C|.8B80 E8030000 mov eax, dword ptr
008AEC12|.8B40 4C mov eax, dword ptr
008AEC15|.33D2 xor edx, edx
008AEC17|.E8 F404C0FF call 004AF110
008AEC1C|.0FB7C0 movzx eax, ax
008AEC1F|.8D55 D4 lea edx, dword ptr
008AEC22|.E8 29D4B5FF call 0040C050
008AEC27|.FF75 D4 push dword ptr
008AEC2A|.68 FCEC8A00 push 008AECFC ;.
008AEC2F|.A1 50AE9A00 mov eax, dword ptr
008AEC34|.8B00 mov eax, dword ptr
008AEC36|.8B80 E8030000 mov eax, dword ptr
008AEC3C|.8B40 4C mov eax, dword ptr
008AEC3F|.BA 01000000 mov edx, 1
008AEC44|.E8 C704C0FF call 004AF110
008AEC49|.0FB7C0 movzx eax, ax
008AEC4C|.8D55 D0 lea edx, dword ptr
008AEC4F|.E8 FCD3B5FF call 0040C050
008AEC54|.FF75 D0 push dword ptr
008AEC57|.68 08ED8A00 push 008AED08
008AEC5C|.8D4D CC lea ecx, dword ptr
008AEC5F|.A1 50AE9A00 mov eax, dword ptr
008AEC64|.8B00 mov eax, dword ptr
008AEC66|.8B80 E8030000 mov eax, dword ptr
008AEC6C|.BA 09000000 mov edx, 9
008AEC71|.E8 4A0AC0FF call 004AF6C0
008AEC76|.FF75 CC push dword ptr
008AEC79|.8D45 D8 lea eax, dword ptr
008AEC7C|.BA 06000000 mov edx, 6
008AEC81|.E8 126EB5FF call 00405A98
008AEC86|.8B45 D8 mov eax, dword ptr
008AEC89|.E8 4A6FB5FF call 00405BD8
008AEC8E|.50 push eax
008AEC8F|.8D45 C8 lea eax, dword ptr
008AEC92|.8B4D F4 mov ecx, dword ptr
008AEC95|.BA 1CF18A00 mov edx, 008AF11C ;sorry, registration information is invalid.
008AEC9A|.E8 856DB5FF call 00405A24
008AEC9F|.8B45 C8 mov eax, dword ptr
008AECA2|.E8 316FB5FF call 00405BD8
008AECA7|.8BD0 mov edx, eax
008AECA9|.A1 6CB69A00 mov eax, dword ptr
008AECAE|.8B00 mov eax, dword ptr
008AECB0|.59 pop ecx
008AECB1|.E8 2AE8BFFF call 004AD4E0
008AECB6|>85F6 test esi, esi
008AECB8|.75 11 jnz short 008AECCB
008AECBA|.8B83 24030000 mov eax, dword ptr
008AECC0|.8B80 20020000 mov eax, dword ptr
008AECC6|.8B10 mov edx, dword ptr
008AECC8|.FF52 44 call dword ptr
008AECCB|>33C0 xor eax, eax
008AECCD|.5A pop edx
008AECCE|.59 pop ecx
008AECCF|.59 pop ecx
008AECD0|.64:8910 mov dword ptr fs:, edx
008AECD3|.68 EDEC8A00 push 008AECED
008AECD8|>8D45 C8 lea eax, dword ptr
008AECDB|.BA 0E000000 mov edx, 0E
008AECE0|.E8 476AB5FF call 0040572C
008AECE5\.C3 retn
6. Step into the CALL at 008AE8B5
00915174 55 push ebp ;》called from 3 places
00915175 8BEC mov ebp, esp
00915177|.05 8C0C0000 add eax, 0C8C
0091517C|.50 push eax
0091517D|.6A 00 push 0
0091517F|.8BC2 mov eax, edx
00915181|.8BD1 mov edx, ecx
00915183|.8B4D 08 mov ecx, dword ptr
00915186|.E8 75EEFFFF call 00914000 ;》algorithm CALL; I went in but did not work it out
0091518B|.5D pop ebp
0091518C\.C2 0400 retn 4
7. Since it is a flag comparison, to patch it we use the classic method:
change
00915174/$55 push ebp
00915175|.8BEC mov ebp, esp
to
00915174 B0 01 mov al, 1
00915176 C3 retn
8. Make a loader:
9. Run the software with the loader and compare:
Before the patch:
After the patch:
10. Actually, when downloading the software, the site already provided a registration code:
dqmaHxN/vQypmgAlBqHWaiKNKHeZdHoHJBTN15+e02SOfNpsSvbFZd4S5QTL/JpHT27SLNlG0h1gf3kB7pg@amqd
Entering this code:
It seems my simple patch is not perfect; more work needed!!!
This software really does use a lot of encryption algorithms!!!
------------------------------------------------------------------------
【Summary】
------------------------------------------------------------------------
【Copyright notice】
[This post was last edited by ptsos on 2008-7-13 11:21]
During the analysis I also found that the software reads the file oe_zhcn.int at startup, and these entries in that file decide which edition the software is:
未注册
用户/计算机许可
无限制许可
单位许可
用户/计算机许可
临时许可。过期时间
I changed "未注册" (Unregistered) to "未注册(Ptsos)" and found that the title after startup changed accordingly.
I set a breakpoint on GetPrivateProfileStringA but did not break on anything useful!
I hope an expert can point out how to break when the software reads the contents of oe_zhcn.int.
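Seen from the vendor's side, the classic patch in step 7 is exactly what an anti-tamper self-check is meant to catch. The C program below is an added illustration, not code from this post or from MetaProducts: it checksums a constructed copy of the bytes of the routine at 00915174 (taken from the listing above) and shows that overwriting the prologue with mov al,1 / retn changes the CRC-32 and fails the check. In a real build the baseline CRC would be computed at build time and stored, not recomputed at startup as it is here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the opcode bytes of the check routine at 00915174 as
 * listed in the post; inline data, not read from the real binary. */
static const uint8_t ORIGINAL_CHECK[] = {
    0x55, 0x8B, 0xEC,              /* push ebp / mov ebp, esp       */
    0x05, 0x8C, 0x0C, 0x00, 0x00,  /* add eax, 0C8C                 */
    0x50, 0x6A, 0x00,              /* push eax / push 0             */
    0x8B, 0xC2, 0x8B, 0xD1,        /* mov eax, edx / mov edx, ecx   */
    0x8B, 0x4D, 0x08,              /* mov ecx, [ebp+8]              */
    0xE8, 0x75, 0xEE, 0xFF, 0xFF,  /* call 00914000 (the algorithm) */
    0x5D, 0xC2, 0x04, 0x00         /* pop ebp / retn 4              */
};
/* Standard CRC-32 (IEEE, reflected, polynomial 0xEDB88320). */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
/* 1 when the bytes still match the build-time baseline, 0 when tampered. */
int code_region_intact(const uint8_t *code, size_t len, uint32_t baseline) {
    return crc32_bytes(code, len) == baseline;
}
/* Apply the post's step-7 patch (mov al,1 / retn) to a private copy of the bytes. */
size_t patched_copy(uint8_t *dst) {
    memcpy(dst, ORIGINAL_CHECK, sizeof ORIGINAL_CHECK);
    dst[0] = 0xB0; dst[1] = 0x01; dst[2] = 0xC3;
    return sizeof ORIGINAL_CHECK;
}
int original_passes(void) {
    uint32_t baseline = crc32_bytes(ORIGINAL_CHECK, sizeof ORIGINAL_CHECK);
    return code_region_intact(ORIGINAL_CHECK, sizeof ORIGINAL_CHECK, baseline);
}
int patched_is_detected(void) {
    uint8_t buf[sizeof ORIGINAL_CHECK];
    size_t n = patched_copy(buf);
    return !code_region_intact(buf, n, crc32_bytes(ORIGINAL_CHECK, sizeof ORIGINAL_CHECK));
}

int main(void) {
    printf("original intact: %d, patch detected: %d\n", original_passes(), patched_is_detected());
    return 0;
}
```

A single checker like this is itself just another flag comparison; protections run it from several places and on several regions, which is what the remark below about hidden checks (暗桩) refers to.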
[This post was last edited by ptsos on 2008-7-13 22:13]
Quote: originally posted by Feisu on 2008-7-13 11:34
I cracked this software N years ago, and kept chasing the version updates. It has many hidden checks (暗桩). Sometimes it shows registration succeeded, but in fact it stops after downloading a dozen or so files. Keep at it.
Also, in the 0day scene ZWT has released cracks for it:
MetaProducts.Offline.Explorer.Enterprise.v4.9.26 ...
Thanks for the pointer, Feisu, haha, you put your own first post here!!!
Learning from the experts, and my respects...
Wow, so impressive, thanks for your hard work OP o(∩_∩)o