Cracking GetDiskSerial.DLL 4.0 Demo Version
【Title】Cracking GetDiskSerial.DLL 4.0 Demo Version 【Author】Busheler
【Author e-mail】[email protected]
【Author homepage】
【Tools】PEiD v0.94, OllyDbg 1.10 (odbg110), UPX Shell 3.4.2, UltraEdit 13.00, Resource Hacker 3.4.0
【Platform】Windows XP SP2
【Software】GetDiskSerial.DLL
【Size】45.0KB
【Original download】http://www.devlib.net/
【Protection】Nag window
【Description】GetDiskSerial.DLL is a standard 32-bit DLL that makes it easy to read the hard-disk serial number. Since a disk serial number is globally unique, using it as a licensing key is very practical.
· No administrator rights needed on Win NT/2000/XP/2003/VISTA!
· Supports many development environments, such as Delphi, C++Builder, VC, C#, VB, VB.NET, VBA, PowerBuilder, Visual FoxPro, Clarion and so on.
【Statement】For study and research only; sharing notes.
------------------------------------------------------------------------
Key point: on a normal call the DLL pops up "Thank you for trying GetDiskSerial.dll V 4.0.0 ! Do you register now ?". Removing this nag window, which appears when the disk information is read, without changing what the exported function returns, is the whole job.
I. Checking the packer:
PEiD v0.94 reports UPX 0.80 - 1.24 DLL -> Markus & Laszlo
Since my manual unpacking skills are limited, I unpacked it with UPX Shell 3.4.2. The unpacked file is 94K, and calling it still works.
II. Locating the nag:
1. Compile the VB sample shipped in the package into Demo.exe
2. Load Demo.exe in OllyDbg 1.10
Run it. At this point GetDiskSerial.dll is not loaded yet! (The DLL is only mapped when the sample first calls into it.)
Click "Get": the nag window appears and GetDiskSerial.dll is now loaded...
Right-click ===> Modules, 'GetDiskS' (only the first eight characters of the module name are shown?); we are now inside GetDiskSerial.dll!
Right-click ===> Analysis ===> Analyse code
Right-click ===> Search for ===> All referenced text strings. Two references to "Thank you for trying GetDiskSerial.dll V 4.0.0 ! Do you register now ?" show up:
(1) First occurrence
010F2D4C >/$55 push ebp
010F2D4D|.8BEC mov ebp, esp
010F2D4F|.33C9 xor ecx, ecx
010F2D51|.51 push ecx
010F2D52|.51 push ecx
010F2D53|.51 push ecx
010F2D54|.51 push ecx
010F2D55|.51 push ecx
010F2D56|.53 push ebx
010F2D57|.56 push esi
010F2D58|.57 push edi
010F2D59|.8B75 0C mov esi, [ebp+C]
010F2D5C|.8B5D 08 mov ebx, [ebp+8]
010F2D5F|.33C0 xor eax, eax
010F2D61|.55 push ebp
010F2D62|.68 7E2E0F01 push 010F2E7E
010F2D67|.64:FF30 push dword ptr fs:[eax]
010F2D6A|.64:8920 mov fs:[eax], esp
010F2D6D|.33FF xor edi, edi
010F2D6F 6A 44 push 44
010F2D71|.68 902E0F01 push 010F2E90 ; |Title = "DEMO VERSION"
010F2D76|.68 A02E0F01 push 010F2EA0 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F2D7B|.6A 00 push 0 ; |hOwner = NULL
010F2D7D|.E8 DE2EFFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F2D82|.83F8 06 cmp eax, 6
010F2D85|.75 17 jnz short 010F2D9E
010F2D87|.6A 03 push 3 ; /IsShown = 3
010F2D89|.6A 00 push 0 ; |DefDir = NULL
010F2D8B|.6A 00 push 0 ; |Parameters = NULL
010F2D8D|.68 F82E0F01 push 010F2EF8 ; |FileName = "http://www.devlib.net/buynow.htm"
010F2D92|.68 1C2F0F01 push 010F2F1C ; |Operation = "open"
010F2D97|.6A 00 push 0 ; |hWnd = NULL
010F2D99|.E8 16F8FFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F2D9E|>8BD6 mov edx, esi
010F2DA0|.8BC3 mov eax, ebx
010F2DA2|.E8 B1010000 call 010F2F58
010F2DA7|.83F8 01 cmp eax, 1
010F2DAA|.1BC0 sbb eax, eax
010F2DAC|.40 inc eax
010F2DAD|.84C0 test al, al
010F2DAF|.75 0F jnz short 010F2DC0
010F2DB1|.8BD6 mov edx, esi
010F2DB3|.8BC3 mov eax, ebx
010F2DB5|.E8 3A060000 call 010F33F4
010F2DBA|.83F8 01 cmp eax, 1
010F2DBD|.1BC0 sbb eax, eax
010F2DBF|.40 inc eax
010F2DC0|>84C0 test al, al
010F2DC2|.75 0D jnz short 010F2DD1
010F2DC4|.56 push esi
010F2DC5|.53 push ebx
010F2DC6|.E8 29F8FFFF call 010F25F4
010F2DCB|.83F8 01 cmp eax, 1
010F2DCE|.1BC0 sbb eax, eax
010F2DD0|.40 inc eax
010F2DD1|>84C0 test al, al
010F2DD3|.74 34 je short 010F2E09
010F2DD5|.8D55 FC lea edx, [ebp-4]
010F2DD8|.8BC6 mov eax, esi
010F2DDA|.E8 2947FFFF call 010E7508
010F2DDF|.837D FC 00 cmp dword ptr [ebp-4], 0
010F2DE3|.74 1F je short 010F2E04
010F2DE5|.8D55 F4 lea edx, [ebp-C]
010F2DE8|.8BC6 mov eax, esi
010F2DEA|.E8 1947FFFF call 010E7508
010F2DEF|.8B45 F4 mov eax, [ebp-C]
010F2DF2|.8D55 F8 lea edx, [ebp-8]
010F2DF5|.E8 56FEFFFF call 010F2C50
010F2DFA|.8B55 F8 mov edx, [ebp-8]
010F2DFD|.8BC6 mov eax, esi
010F2DFF|.E8 2046FFFF call 010E7424
010F2E04|>83CF FF or edi, FFFFFFFF
010F2E07|.EB 5A jmp short 010F2E63
010F2E09|>84DB test bl, bl
010F2E0B|.75 56 jnz short 010F2E63
010F2E0D|.84C0 test al, al
010F2E0F|.75 52 jnz short 010F2E63
010F2E11|.33DB xor ebx, ebx
010F2E13|>8BD6 /mov edx, esi
010F2E15|.8BC3 |mov eax, ebx
010F2E17|.E8 3C010000 |call 010F2F58
010F2E1C|.83F8 01 |cmp eax, 1
010F2E1F|.1BC0 |sbb eax, eax
010F2E21|.40 |inc eax
010F2E22|.84C0 |test al, al
010F2E24|.75 0F |jnz short 010F2E35
010F2E26|.8BD6 |mov edx, esi
010F2E28|.8BC3 |mov eax, ebx
010F2E2A|.E8 C5050000 |call 010F33F4
010F2E2F|.83F8 01 |cmp eax, 1
010F2E32|.1BC0 |sbb eax, eax
010F2E34|.40 |inc eax
010F2E35|>84C0 |test al, al
010F2E37|.74 24 |je short 010F2E5D
010F2E39|.83CF FF |or edi, FFFFFFFF
010F2E3C|.8D55 EC |lea edx, [ebp-14]
010F2E3F|.8BC6 |mov eax, esi
010F2E41|.E8 C246FFFF |call 010E7508
010F2E46|.8B45 EC |mov eax, [ebp-14]
010F2E49|.8D55 F0 |lea edx, [ebp-10]
010F2E4C|.E8 FFFDFFFF |call 010F2C50
010F2E51|.8B55 F0 |mov edx, [ebp-10]
010F2E54|.8BC6 |mov eax, esi
010F2E56|.E8 C945FFFF |call 010E7424
010F2E5B|.EB 06 |jmp short 010F2E63
010F2E5D|>43 |inc ebx
010F2E5E|.80FB 0A |cmp bl, 0A
010F2E61|.^ 75 B0 \jnz short 010F2E13
010F2E63|>33C0 xor eax, eax
010F2E65|.5A pop edx
010F2E66|.59 pop ecx
010F2E67|.59 pop ecx
010F2E68|.64:8910 mov fs:[eax], edx
010F2E6B|.68 852E0F01 push 010F2E85
010F2E70|>8D45 EC lea eax, [ebp-14]
010F2E73|.BA 05000000 mov edx, 5
010F2E78|.E8 DB0EFFFF call 010E3D58
010F2E7D\.C3 retn
(2) Second occurrence
010F3988 >/$55 push ebp
010F3989|.8BEC mov ebp, esp
010F398B|.83C4 A4 add esp, -5C
010F398E|.33C0 xor eax, eax
010F3990|.8945 F8 mov [ebp-8], eax
010F3993|.33C0 xor eax, eax
010F3995|.55 push ebp
010F3996|.68 123A0F01 push 010F3A12
010F399B|.64:FF30 push dword ptr fs:[eax]
010F399E|.64:8920 mov fs:[eax], esp
010F39A1 6A 44 push 44
010F39A3|.68 243A0F01 push 010F3A24 ; |Title = "DEMO VERSION"
010F39A8|.68 343A0F01 push 010F3A34 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F39AD|.6A 00 push 0 ; |hOwner = NULL
010F39AF|.E8 AC22FFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F39B4|.83F8 06 cmp eax, 6
010F39B7|.75 17 jnz short 010F39D0
010F39B9|.6A 03 push 3 ; /IsShown = 3
010F39BB|.6A 00 push 0 ; |DefDir = NULL
010F39BD|.6A 00 push 0 ; |Parameters = NULL
010F39BF|.68 8C3A0F01 push 010F3A8C ; |FileName = "http://www.devlib.net/buynow.htm"
010F39C4|.68 B03A0F01 push 010F3AB0 ; |Operation = "open"
010F39C9|.6A 00 push 0 ; |hWnd = NULL
010F39CB|.E8 E4EBFFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F39D0|>8B45 0C mov eax, [ebp+C]
010F39D3|.50 push eax
010F39D4|.8D45 A4 lea eax, [ebp-5C]
010F39D7|.50 push eax
010F39D8|.8A45 08 mov al, [ebp+8]
010F39DB|.50 push eax
010F39DC|.E8 6BF3FFFF call GetIdeDiskInfo
010F39E1|.8D45 F8 lea eax, [ebp-8]
010F39E4|.8D55 A4 lea edx, [ebp-5C]
010F39E7|.B9 14000000 mov ecx, 14
010F39EC|.E8 B305FFFF call 010E3FA4
010F39F1|.8B45 F8 mov eax, [ebp-8]
010F39F4|.E8 EFF1FFFF call 010F2BE8
010F39F9|.8945 FC mov [ebp-4], eax
010F39FC|.33C0 xor eax, eax
010F39FE|.5A pop edx
010F39FF|.59 pop ecx
010F3A00|.59 pop ecx
010F3A01|.64:8910 mov fs:[eax], edx
010F3A04|.68 193A0F01 push 010F3A19
010F3A09|>8D45 F8 lea eax, [ebp-8]
010F3A0C|.E8 2303FFFF call 010E3D34
010F3A11\.C3 retn
III. The crack:
1. Approach: both sites have the same shape. MessageBoxA is called with flags 44 (MB_YESNO | MB_ICONINFORMATION); if it returns 6 (IDYES), ShellExecuteA opens the buy-now page; and the real work (the disk query) only starts at the instruction after the ShellExecuteA call. So if we jump from the first instruction of the block (push 44) straight to the label after ShellExecuteA, the nag window should be gone and the function itself is untouched.
010F2D6F 6A 44 push 44
010F2D71|.68 902E0F01 push 010F2E90 ; |Title = "DEMO VERSION"
010F2D76|.68 A02E0F01 push 010F2EA0 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F2D7B|.6A 00 push 0 ; |hOwner = NULL
010F2D7D|.E8 DE2EFFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F2D82|.83F8 06 cmp eax, 6
010F2D85|.75 17 jnz short 010F2D9E
010F2D87|.6A 03 push 3 ; /IsShown = 3
010F2D89|.6A 00 push 0 ; |DefDir = NULL
010F2D8B|.6A 00 push 0 ; |Parameters = NULL
010F2D8D|.68 F82E0F01 push 010F2EF8 ; |FileName = "http://www.devlib.net/buynow.htm"
010F2D92|.68 1C2F0F01 push 010F2F1C ; |Operation = "open"
010F2D97|.6A 00 push 0 ; |hWnd = NULL
010F2D99|.E8 16F8FFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F2D9E|>8BD6 mov edx, esi
...
010F39A1 6A 44 push 44
010F39A3|.68 243A0F01 push 010F3A24 ; |Title = "DEMO VERSION"
010F39A8|.68 343A0F01 push 010F3A34 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F39AD|.6A 00 push 0 ; |hOwner = NULL
010F39AF|.E8 AC22FFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F39B4|.83F8 06 cmp eax, 6
010F39B7|.75 17 jnz short 010F39D0
010F39B9|.6A 03 push 3 ; /IsShown = 3
010F39BB|.6A 00 push 0 ; |DefDir = NULL
010F39BD|.6A 00 push 0 ; |Parameters = NULL
010F39BF|.68 8C3A0F01 push 010F3A8C ; |FileName = "http://www.devlib.net/buynow.htm"
010F39C4|.68 B03A0F01 push 010F3AB0 ; |Operation = "open"
010F39C9|.6A 00 push 0 ; |hWnd = NULL
010F39CB|.E8 E4EBFFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F39D0|>8B45 0C mov eax, [ebp+C]
...
2. The patch
(1) First site
010F2D6F 6A 44 push 44
===〉
010F2D6F EB 2D jmp short 010F2D9E
(rel8 = 010F2D9E - (010F2D6F + 2) = 2D; the displacement is counted from the end of the two-byte jmp, and since push 44 is also two bytes nothing else moves.)
i.e.:
33FF6A44
====>
33FFEB2D
(2) Second site
010F39A1 6A 44 push 44
===〉
010F39A1 EB 2D jmp short 010F39D0
(rel8 = 010F39D0 - (010F39A1 + 2) = 2D)
i.e.:
89206A44
====>
8920EB2D
IV. Patching and testing
After assembling the patch in the debugger and running again, the nag window is gone and the call still works.
V. Editing the file and testing
Load the unpacked GetDiskSerial.dll in UltraEdit 13.00, search for "33FF6A44" and change it to "33FFEB2D"; search for "89206A44" and change it to "8920EB2D". Searching for the byte pattern avoids converting the OllyDbg addresses into file offsets, but each pattern is only four bytes, so make sure it matches exactly once before writing. Test again: everything works.
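The hex-edit step above, as an added example that is not part of the original write-up: a script that applies the same two-byte patch to a copy of the unpacked DLL, with the two checks a hand edit in UltraEdit skips. It refuses a search pattern that matches more than once, and it recomputes the rel8 displacement of the short jmp from the listing addresses instead of typing it in. The byte patterns and addresses come from the OllyDbg listing above; the file names are hypothetical, and the sample buffer is constructed so the script runs offline without the real DLL.

```python
import struct
import sys

# (search pattern, address of the `push 44`, jump target) for the two nag sites,
# taken from the OllyDbg listing of the unpacked DLL. Each pattern ends with the
# 6A 44 that gets overwritten, preceded by the two bytes before it.
NAG_SITES = [
    # 010F2D6D xor edi, edi / 010F2D6F push 44  ->  jmp short 010F2D9E
    (bytes.fromhex("33FF6A44"), 0x010F2D6F, 0x010F2D9E),
    # 010F399E mov fs:[eax], esp / 010F39A1 push 44  ->  jmp short 010F39D0
    (bytes.fromhex("89206A44"), 0x010F39A1, 0x010F39D0),
]


def short_jmp(jmp_at, target):
    """Encode `EB rel8`. The displacement is measured from the end of the
    two-byte instruction (jmp_at + 2), not from jmp_at itself."""
    rel = target - (jmp_at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target %#x is out of short-jmp range from %#x" % (target, jmp_at))
    return b"\xEB" + struct.pack("<b", rel)


def find_unique(data, pattern):
    """Offset of the single occurrence of pattern. A four-byte pattern can
    easily appear elsewhere in a 94 KB file, so an ambiguous match is an error."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError("pattern %s not found" % pattern.hex())
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("pattern %s matches more than once" % pattern.hex())
    return first


def apply_nag_patch(data):
    """Return a patched copy of data with both `push 44` replaced by a short
    jmp over the MessageBoxA / ShellExecuteA block."""
    buf = bytearray(data)
    for pattern, jmp_at, target in NAG_SITES:
        off = find_unique(buf, pattern) + len(pattern) - 2  # offset of 6A 44
        if buf[off:off + 2] != b"\x6A\x44":
            raise ValueError("expected push 44 at file offset %#x" % off)
        buf[off:off + 2] = short_jmp(jmp_at, target)
    return bytes(buf)


# Constructed stand-in for the unpacked DLL (not the real file): the two nag
# prologues from the listing with filler between them, so the script runs offline.
SAMPLE_DLL = (
    bytes.fromhex("55 8B EC 33 C9")                   # push ebp / mov ebp,esp / xor ecx,ecx
    + bytes.fromhex("33 FF 6A 44 68 90 2E 0F 01")     # xor edi,edi / push 44 / push 010F2E90
    + b"\x90" * 32
    + bytes.fromhex("64 89 20 6A 44 68 24 3A 0F 01")  # mov fs:[eax],esp / push 44 / push 010F3A24
    + b"\xC3"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # hypothetical usage: python nagpatch.py GetDiskSerial.unpacked.dll GetDiskSerial.patched.dll
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(apply_nag_patch(original))
    else:
        print(apply_nag_patch(SAMPLE_DLL).hex(" "))
```

Because `EB rel8` is relative, the patch is valid at whatever base the DLL is loaded, which is also why the OllyDbg addresses (010Fxxxx, after relocation) can be used only to compute the displacement and not to seek into the file. Run it against the unpacked DLL, before re-packing with UPX; the packed file does not contain these byte sequences.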
VI. Finishing touches
1. Load the patched GetDiskSerial.dll in Resource Hacker 3.4.0 and change the "Comments" field of the version info from "http://www.devlib.net ***DEMO VERSION***" to "http://www.devlib.net **Cracked By PYG**".
2. Re-pack the patched GetDiskSerial.dll with UPX Shell 3.4.2; the file size drops from 94K to 57K.
------------------------------------------------------------------------
【Copyright notice】For exchange and learning, non-commercial use only; keep the article complete when reposting!

Replies:
First! Nice one.
Very well written, studied it carefully.
Only hard study gets you to the next level.
Good~~~ will study it.
Written clearly and plainly, easy to understand.
It would be best to also know how the serial number (the hard-disk serial) is actually obtained.