【Title】: An Alternative Approach to Cracking Network Validation
【Author】: chinglq
【Author's e-mail】: [email protected]
【Author's homepage】: http://lqcoolboy.icpcn.com
【Author's QQ】: 124687067
【Software】: a certain file backup system v8.4.5, standalone edition
【Size】: 1.65MB
【Download】: search for it yourself
【Packer】: none
【Protection】: network validation
【Language】: VC++6.0
【Tools】: OD, PEiD
【Platform】: Lenovo OEM WinXP SP2
【Description】: enterprise incremental file backup system
【Author's note】: Purely out of interest, no other purpose. If I have made mistakes, I welcome corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】
1.0 Checking for a packer
PEiD reports no packer and VC++6.0 as the compiler. Trial limits: 50 uses, 120 minutes per session, 2 tasks. After 25 uses a registration prompt message box appears.
2.0 Approach
The standard ways to defeat network validation are to convert it into local validation or to capture and analyse the network traffic. Those are the specialty of expert crackers and beyond a novice like me.
If we novices want to tackle this problem, we have to find a different path. Here is my idea:
The registration code is tied to the machine, so the program must read hardware information, and there should be something to find near CreateFileA. Once network validation has succeeded the program never validates again, which means the software keeps an activation flag of its own. At startup the program first checks that flag: if it says "not activated", the program goes into network validation; if it says "activated", the program starts normally with all functions available. If we find this flag and set it to the activated state, the crack is done.
The hard part is finding that key location; fortunately we have two leads: the CreateFileA function and the message box.
3.0 Debugging
Load the program in OD and set breakpoints on CreateFileA and MessageBoxW. After breaking and several rounds of debugging and analysis, the following routine turns out to be the key:
----------------------------------------------
004224B0 . 6A FF push -1
004224B2 . 68 7DA94C00 push 004CA97D
004224B7 . 64:A1 00000000 mov eax, dword ptr fs:[0]
004224BD . 50 push eax
004224BE . 81EC A8020000 sub esp, 2A8
004224C4 . A1 68C25000 mov eax, dword ptr [50C268]
004224C9 . 33C4 xor eax, esp
004224CB . 898424 A4020000 mov dword ptr [esp+2A4], eax
004224D2 . 53 push ebx
004224D3 . 55 push ebp
004224D4 . 56 push esi
004224D5 . 57 push edi
004224D6 . A1 68C25000 mov eax, dword ptr [50C268]
004224DB . 33C4 xor eax, esp
004224DD . 50 push eax
004224DE . 8D8424 BC020000 lea eax, dword ptr [esp+2BC]
004224E5 . 64:A3 00000000 mov dword ptr fs:[0], eax
004224EB . 8BD9 mov ebx, ecx
004224ED . 33F6 xor esi, esi
004224EF . 895C24 2C mov dword ptr [esp+2C], ebx
004224F3 . 897424 20 mov dword ptr [esp+20], esi
004224F7 . FF15 B0424D00 call dword ptr [<&KERNEL32.GetCommandLineW>] ; [GetCommandLineW
004224FD . 50 push eax
004224FE . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422502 . E8 8915FEFF call 00403A90
00422507 . 8B4424 14 mov eax, dword ptr [esp+14]
0042250B . 68 24E84D00 push 004DE824 ; /
00422510 . 50 push eax
00422511 . 89B424 CC020000 mov dword ptr [esp+2CC], esi
00422518 . 897424 20 mov dword ptr [esp+20], esi
0042251C . E8 D9910800 call 004AB6FA ;
00422521 . 83C4 08 add esp, 8
00422524 . 3BC6 cmp eax, esi
00422526 75 39 jnz short 00422561
00422528 . 8B4C24 14 mov ecx, dword ptr [esp+14]
0042252C . 68 64B04D00 push 004DB064 ; /
00422531 . 51 push ecx
00422532 . E8 C3910800 call 004AB6FA
00422537 . 83C4 08 add esp, 8
0042253A . 3BC6 cmp eax, esi
0042253C . 74 15 je short 00422553
0042253E . 8B15 4CD95000 mov edx, dword ptr [50D94C]
00422544 . 6A FF push -1
00422546 . 52 push edx
00422547 . B9 44D95000 mov ecx, 0050D944
0042254C . E8 55A40600 call 0048C9A6
00422551 . EB 16 jmp short 00422569
00422553 > 8B4424 14 mov eax, dword ptr [esp+14]
00422557 . 50 push eax
00422558 . 8BCB mov ecx, ebx
0042255A . E8 81FDFFFF call 004222E0
0042255F . EB 08 jmp short 00422569
00422561 > C74424 18 01000000 mov dword ptr [esp+18], 1
00422569 > 6A 05 push 5 ; /Relation = GW_CHILD
0042256B . FF15 A4464D00 call dword ptr [<&USER32.GetDesktopWindow>] ; |[GetDesktopWindow
00422571 . 8B3D A8464D00 mov edi, dword ptr [<&USER32.GetWindow>] ; |USER32.GetWindow
00422577 . 50 push eax ; |hWnd
00422578 . FFD7 call edi ; \GetWindow
0042257A . 8B2D AC464D00 mov ebp, dword ptr [<&USER32.IsWindow>] ; USER32.IsWindow
00422580 . 8BF0 mov esi, eax
00422582 . 56 push esi ; /hWnd
00422583 . FFD5 call ebp ; \IsWindow
00422585 . 85C0 test eax, eax
00422587 . 74 29 je short 004225B2
00422589 . 8B1D B0464D00 mov ebx, dword ptr [<&USER32.GetPropW>] ; USER32.GetPropW
0042258F . 90 nop
00422590 > 68 64C14D00 push 004DC164 ; f
00422595 . 56 push esi
00422596 . FFD3 call ebx
00422598 . 85C0 test eax, eax
0042259A . 0F85 AF000000 jnz 0042264F
004225A0 . 6A 02 push 2
004225A2 . 56 push esi
004225A3 . FFD7 call edi
004225A5 . 8BF0 mov esi, eax
004225A7 . 56 push esi
004225A8 . FFD5 call ebp
004225AA . 85C0 test eax, eax
004225AC .^ 75 E2 jnz short 00422590
004225AE . 8B5C24 2C mov ebx, dword ptr [esp+2C]
004225B2 > 8B4C24 14 mov ecx, dword ptr [esp+14]
004225B6 . 8B41 F4 mov eax, dword ptr [ecx-C]
004225B9 . 8B3D AC424D00 mov edi, dword ptr [<&KERNEL32.Sleep>] ; kernel32.Sleep
004225BF . 83CD FF or ebp, FFFFFFFF
004225C2 . 85C0 test eax, eax
004225C4 . 7C 23 jl short 004225E9
004225C6 . 68 00EE4D00 push 004DEE00 ; /
004225CB . 51 push ecx
004225CC . E8 29910800 call 004AB6FA
004225D1 . 83C4 08 add esp, 8
004225D4 . 85C0 test eax, eax
004225D6 . 74 11 je short 004225E9
004225D8 . 2B4424 14 sub eax, dword ptr [esp+14]
004225DC . D1F8 sar eax, 1
004225DE . 3BC5 cmp eax, ebp
004225E0 . 74 07 je short 004225E9
004225E2 . 68 30750000 push 7530
004225E7 . FFD7 call edi
004225E9 > 68 ECED4D00 push 004DEDEC ; t
004225EE . 8BCB mov ecx, ebx
004225F0 . E8 FDA30600 call 0048C9F2
004225F5 . 6A 00 push 0
004225F7 . 68 DCED4D00 push 004DEDDC ; s
004225FC . 68 64C14D00 push 004DC164 ; f
00422601 . 8BCB mov ecx, ebx
00422603 . E8 F2A40600 call 0048CAFA
00422608 . 83F8 01 cmp eax, 1
0042260B . 0F85 FA000000 jnz 0042270B
00422611 . E8 FAA20200 call 0044C910
00422616 . 85C0 test eax, eax
00422618 . 0F85 ED000000 jnz 0042270B
0042261E . 6A 30 push 30
00422620 . 68 F4554D00 push 004D55F4
00422625 . 68 90ED4D00 push 004DED90
0042262A > 6A 00 push 0 ; |hOwner = NULL
0042262C . FF15 B4464D00 call dword ptr [<&USER32.MessageBoxW>] ; \MessageBoxW
00422632 > 8B4424 14 mov eax, dword ptr [esp+14]
00422636 . 83C0 F0 add eax, -10
00422639 . 89AC24 C4020000 mov dword ptr [esp+2C4], ebp
00422640 . 8D48 0C lea ecx, dword ptr [eax+C]
00422643 . F0:0FC129 lock xadd dword ptr [ecx], ebp
00422647 . 4D dec ebp
00422648 . 85ED test ebp, ebp
0042264A . E9 A9000000 jmp 004226F8
0042264F > A1 4CD95000 mov eax, dword ptr [50D94C]
00422654 . 85C0 test eax, eax
00422656 . 8B2D D4464D00 mov ebp, dword ptr [<&USER32.PostMessageW>] ; USER32.PostMessageW
0042265C . 75 1F jnz short 0042267D
0042265E . 6A 00 push 0 ; /lParam = 0
00422660 . 6A 00 push 0 ; |wParam = 0
00422662 . 68 67040000 push 467 ; |Message = MSG(467)
00422667 . 56 push esi ; |hWnd
00422668 . FFD5 call ebp ; \PostMessageW
0042266A . 56 push esi ; /hOwner
0042266B . FF15 B8464D00 call dword ptr [<&USER32.GetLastActivePopup>] ; \GetLastActivePopup
00422671 . 50 push eax ; /hWnd
00422672 . FF15 BC464D00 call dword ptr [<&USER32.SetForegroundWindow>] ; \SetForegroundWindow
00422678 . A1 4CD95000 mov eax, dword ptr [50D94C]
0042267D > 837C24 18 00 cmp dword ptr [esp+18], 0
00422682 . 75 3B jnz short 004226BF
00422684 . 33FF xor edi, edi
00422686 . 85C0 test eax, eax
00422688 . 7E 41 jle short 004226CB
0042268A . 8D9B 00000000 lea ebx, dword ptr [ebx]
00422690 > 85FF test edi, edi
00422692 . 7C 26 jl short 004226BA
00422694 . 3BF8 cmp edi, eax
00422696 . 7D 22 jge short 004226BA
00422698 . 8B0D 48D95000 mov ecx, dword ptr [50D948]
0042269E . 8B14B9 mov edx, dword ptr [ecx+edi*4]
004226A1 . 6A 00 push 0
004226A3 . 52 push edx
004226A4 . 68 69040000 push 469
004226A9 . 56 push esi
004226AA . FFD5 call ebp
004226AC . A1 4CD95000 mov eax, dword ptr [50D94C]
004226B1 . 83C7 01 add edi, 1
004226B4 . 3BF8 cmp edi, eax
004226B6 .^ 7C D8 jl short 00422690
004226B8 . EB 11 jmp short 004226CB
004226BA > E9 14870500 jmp 0047ADD3
004226BF > 6A 00 push 0
004226C1 . 6A 00 push 0
004226C3 . 68 6B040000 push 46B
004226C8 . 56 push esi
004226C9 . FFD5 call ebp
004226CB > 6A FF push -1 ; /Arg2 = FFFFFFFF
004226CD . 6A 00 push 0 ; |Arg1 = 00000000
004226CF . B9 44D95000 mov ecx, 0050D944 ; |
004226D4 . E8 A9A10600 call 0048C882 ; \FileGee.0048C882
004226D9 . 8B4424 14 mov eax, dword ptr [esp+14]
004226DD . 83C0 F0 add eax, -10
004226E0 . C78424 C4020000 FFFF>mov dword ptr [esp+2C4], -1
004226EB . 8D48 0C lea ecx, dword ptr [eax+C]
004226EE . 83CA FF or edx, FFFFFFFF
004226F1 . F0:0FC111 lock xadd dword ptr [ecx], edx
004226F5 . 4A dec edx
004226F6 . 85D2 test edx, edx
004226F8 > 7F 0A jg short 00422704
004226FA . 8B08 mov ecx, dword ptr [eax]
004226FC . 8B11 mov edx, dword ptr [ecx]
004226FE . 50 push eax
004226FF . 8B42 04 mov eax, dword ptr [edx+4]
00422702 . FFD0 call eax
00422704 > 33C0 xor eax, eax
00422706 . E9 75070000 jmp 00422E80
0042270B > 68 64C14D00 push 004DC164 ; f
00422710 . E8 0BA30200 call 0044CA20
00422715 . 83C4 04 add esp, 4
00422718 . 85C0 test eax, eax
0042271A . 74 41 je short 0042275D
0042271C . 68 64C14D00 push 004DC164 ; f
00422721 . E8 8AA20200 call 0044C9B0
00422726 . 68 64C14D00 push 004DC164 ; f
0042272B . 33F6 xor esi, esi
0042272D . E8 3EA30200 call 0044CA70
00422732 . 83C4 08 add esp, 8
00422735 . 85C0 test eax, eax
00422737 . 75 24 jnz short 0042275D
00422739 . 8DA424 00000000 lea esp, dword ptr [esp]
00422740 > 83C6 01 add esi, 1
00422743 . 83FE 32 cmp esi, 32
00422746 . 74 37 je short 0042277F
00422748 . 6A 64 push 64
0042274A . FFD7 call edi
0042274C . 68 64C14D00 push 004DC164 ; f
00422751 . E8 1AA30200 call 0044CA70
00422756 . 83C4 04 add esp, 4
00422759 . 85C0 test eax, eax
0042275B .^ 74 E3 je short 00422740
0042275D > 68 64C14D00 push 004DC164 ; f
00422762 . E8 E9A30200 call 0044CB50
00422767 . 83C4 04 add esp, 4
0042276A . 84C0 test al, al
0042276C . 74 22 je short 00422790
0042276E . 6A 30 push 30
00422770 . 68 F4554D00 push 004D55F4
00422775 . 68 70ED4D00 push 004DED70
0042277A .^ E9 ABFEFFFF jmp 0042262A
0042277F > 6A 30 push 30
00422781 . 68 F4554D00 push 004D55F4
00422786 . 68 28ED4D00 push 004DED28
0042278B .^ E9 9AFEFFFF jmp 0042262A
00422790 > 837C24 18 00 cmp dword ptr [esp+18], 0
00422795 .^ 0F85 97FEFFFF jnz 00422632
0042279B . 6A 00 push 0
0042279D . E8 04080700 call 00492FA6
004227A2 . 85C0 test eax, eax
004227A4 . 75 19 jnz short 004227BF
004227A6 . 55 push ebp
004227A7 . 50 push eax
004227A8 . 6A 68 push 68
004227AA . E8 FBF40600 call 00491CAA
004227AF . 8D4C24 14 lea ecx, dword ptr [esp+14]
004227B3 . E8 E814FEFF call 00403CA0
004227B8 . 33C0 xor eax, eax
004227BA . E9 C1060000 jmp 00422E80
004227BF > FF15 74404D00 call dword ptr [<&COMCTL32.#17>] ; [InitCommonControls
004227C5 . 8BCB mov ecx, ebx
004227C7 . E8 84E80600 call 00491050
004227CC . 6A 00 push 0
004227CE . E8 4B010700 call 0049291E
004227D3 . 83C4 04 add esp, 4
004227D6 . B9 989C5000 mov ecx, 00509C98 ; t\nn
004227DB . E8 C0700200 call 004498A0
004227E0 . E8 5B7D0200 call 0044A540
004227E5 . 8D4C24 38 lea ecx, dword ptr [esp+38]
004227E9 . E8 02140500 call 00473BF0
004227EE . 6A 01 push 1
004227F0 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
004227F4 . 68 AC114F00 push 004F11AC
004227F9 . 51 push ecx
004227FA . C68424 D0020000 01 mov byte ptr [esp+2D0], 1
00422802 . E8 79720200 call 00449A80
00422807 . 83C4 0C add esp, 0C
0042280A . 8B00 mov eax, dword ptr [eax]
0042280C . 50 push eax ; /Arg1
0042280D . 8D4C24 3C lea ecx, dword ptr [esp+3C] ; |
00422811 . C68424 C8020000 02 mov byte ptr [esp+2C8], 2 ; |
00422819 . E8 32170500 call 00473F50 ; \FileGee.00473F50
0042281E . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422822 . 8BF0 mov esi, eax
00422824 . C68424 C4020000 01 mov byte ptr [esp+2C4], 1
0042282C . E8 6F14FEFF call 00403CA0
00422831 . 85F6 test esi, esi
00422833 . 8B3D B4464D00 mov edi, dword ptr [<&USER32.MessageBoxW>] ; USER32.MessageBoxW ; breaks here
00422839 . 75 70 jnz short 004228AB
0042283B . 6A 21 push 21 ; /Style = MB_OKCANCEL|MB_ICONQUESTION|MB_APPLMODAL
0042283D . 68 BC4D4D00 push 004D4DBC ; |Title = "询问"
00422842 . 68 68EC4D00 push 004DEC68 ; |Text = "软件已升级，软件的配置文件需要..." (remainder of the string is garbled in the dump)
00422847 . 6A 00 push 0 ; |hOwner = NULL
00422849 . FFD7 call edi ; \MessageBoxW
0042284B . 83F8 02 cmp eax, 2
0042284E . 8D4C24 38 lea ecx, dword ptr [esp+38]
00422852 . 75 1D jnz short 00422871
00422854 . C68424 C4020000 00 mov byte ptr [esp+2C4], 0
0042285C . E8 3F160500 call 00473EA0
00422861 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00422865 . E8 3614FEFF call 00403CA0
0042286A . 33C0 xor eax, eax
0042286C . E9 0F060000 jmp 00422E80
00422871 > E8 3A130500 call 00473BB0
00422876 . 85C0 test eax, eax
00422878 . 75 4C jnz short 004228C6
0042287A . 6A 30 push 30
0042287C . 68 F4554D00 push 004D55F4
00422881 . 68 34EC4D00 push 004DEC34
00422886 > 6A 00 push 0
00422888 . FFD7 call edi
0042288A > 8D4C24 38 lea ecx, dword ptr [esp+38]
0042288E . C68424 C4020000 00 mov byte ptr [esp+2C4], 0
00422896 . E8 05160500 call 00473EA0
0042289B . 8D4C24 14 lea ecx, dword ptr [esp+14]
0042289F . E8 FC13FEFF call 00403CA0
004228A4 . 33C0 xor eax, eax
004228A6 . E9 D5050000 jmp 00422E80
004228AB > 83FE 02 cmp esi, 2
004228AE 75 16 jnz short 004228C6
004228B0 . 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004228B2 . 68 F4554D00 push 004D55F4 ; |Title = (garbled in the dump)
004228B7 . 68 34EC4D00 push 004DEC34 ; |Text = "升级过程中，...软件无法正常启动" (middle of the string is garbled in the dump)
004228BC . 6A 00 push 0 ; |hOwner = NULL
004228BE . FF15 B4464D00 call dword ptr [<&USER32.MessageBoxW>] ; \MessageBoxW
004228C4 .^ EB C4 jmp short 0042288A
004228C6 > E8 251B0100 call 004343F0
004228CB . 84C0 test al, al
004228CD 75 0E jnz short 004228DD
004228CF . 6A 30 push 30
004228D1 . 68 F4554D00 push 004D55F4
004228D6 . 68 0CEC4D00 push 004DEC0C
004228DB .^ EB A9 jmp short 00422886
004228DD > 8D5424 18 lea edx, dword ptr [esp+18]
004228E1 . 52 push edx
004228E2 . C605 B9E35000 01 mov byte ptr [50E3B9], 1
004228E9 . 33ED xor ebp, ebp
004228EB . E8 30460200 call 00446F20 ; get the hard disk serial
004228F0 . 8B00 mov eax, dword ptr [eax] ; hard disk serial
004228F2 . 8D8C24 7C020000 lea ecx, dword ptr [esp+27C]
004228F9 . 51 push ecx
004228FA . 50 push eax
004228FB . 68 44DA5000 push 0050DA44
00422900 . C68424 D4020000 03 mov byte ptr [esp+2D4], 3
00422908 . C74424 30 01000000 mov dword ptr [esp+30], 1
00422910 . E8 AB8D0200 call 0044B6C0
00422915 . 83C4 10 add esp, 10
00422918 . 84C0 test al, al
0042291A . 74 1D je short 00422939
0042291C . 8D9424 78020000 lea edx, dword ptr [esp+278]
00422923 . 52 push edx ; /Arg2
00422924 . 68 C4D95000 push 0050D9C4 ; |Arg1 = 0050D9C4
00422929 . E8 629C0200 call 0044C590 ; \FileGee.0044C590
0042292E . 83C4 08 add esp, 8
00422931 . 84C0 test al, al
00422933 . 74 04 je short 00422939
00422935 . 32DB xor bl, bl
00422937 . EB 02 jmp short 0042293B
00422939 > B3 01 mov bl, 1
0042293B > BE 01000000 mov esi, 1
00422940 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422944 . 89B424 C4020000 mov dword ptr [esp+2C4], esi
0042294B . E8 5013FEFF call 00403CA0
00422950 . 84DB test bl, bl
00422952 0F84 C7000000 je 00422A1F ; ---> 90 nop ; E9 CE020000 jmp 00422C26
00422958 . E8 73940200 call 0044BDD0 ; usage count
0042295D . 8BE8 mov ebp, eax ; remaining uses
0042295F . 85ED test ebp, ebp
00422961 . C605 B9E35000 00 mov byte ptr [50E3B9], 0
00422968 . 7F 5A jg short 004229C4
0042296A . 6A 40 push 40
0042296C . 68 304E4D00 push 004D4E30 ; ASCII "酧o`"
00422971 . 68 E0EB4D00 push 004DEBE0
00422976 . 6A 00 push 0
00422978 . FFD7 call edi
0042297A . 6A 00 push 0
0042297C . 6A 00 push 0
0042297E . 8D8C24 08010000 lea ecx, dword ptr [esp+108]
00422985 . E8 06CCFFFF call 0041F590
0042298A . C68424 C4020000 04 mov byte ptr [esp+2C4], 4
00422992 > 8D8C24 00010000 lea ecx, dword ptr [esp+100]
00422999 . E8 74300600 call 00485A12
0042299E . 803D C09C5000 00 cmp byte ptr [509CC0], 0
004229A5 . C68424 C4020000 01 mov byte ptr [esp+2C4], 1
004229AD . 8D8C24 00010000 lea ecx, dword ptr [esp+100]
004229B4 . 0F84 1E010000 je 00422AD8
004229BA > E8 41CCFFFF call 0041F600
004229BF .^ E9 C6FEFFFF jmp 0042288A
004229C4 > 83FD 19 cmp ebp, 19
004229C7 . 7D 45 jge short 00422A0E
004229C9 . 8D4C24 18 lea ecx, dword ptr [esp+18]
004229CD . E8 EE12FEFF call 00403CC0
004229D2 . 55 push ebp
004229D3 . 8D4424 1C lea eax, dword ptr [esp+1C]
004229D7 . 68 98EB4D00 push 004DEB98
004229DC . 50 push eax
004229DD . C68424 D0020000 05 mov byte ptr [esp+2D0], 5
004229E5 . E8 F62AFEFF call 004054E0
004229EA . 8B4C24 24 mov ecx, dword ptr [esp+24]
004229EE . 83C4 0C add esp, 0C
004229F1 . 6A 40 push 40
004229F3 . 68 304E4D00 push 004D4E30 ; ASCII "酧o`"
004229F8 . 51 push ecx
004229F9 . 6A 00 push 0
004229FB . FFD7 call edi ; "24 days" reminder message box
004229FD . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422A01 . C68424 C4020000 01 mov byte ptr [esp+2C4], 1
00422A09 . E8 9212FEFF call 00403CA0
00422A0E > 8D55 FF lea edx, dword ptr [ebp-1]
00422A11 . 52 push edx
00422A12 . E8 E9940200 call 0044BF00
00422A17 . 83C4 04 add esp, 4
00422A1A . E9 BE000000 jmp 00422ADD
00422A1F > 8B5C24 2C mov ebx, dword ptr [esp+2C]
00422A23 . 6A 00 push 0
00422A25 . 68 84C14D00 push 004DC184 ; s
00422A2A . 68 64C14D00 push 004DC164 ; f
00422A2F . 8BCB mov ecx, ebx
00422A31 . C74424 24 00000000 mov dword ptr [esp+24], 0
00422A39 . E8 BCA00600 call 0048CAFA
00422A3E . 3BC6 cmp eax, esi
00422A40 . 0F84 97000000 je 00422ADD
00422A46 . 8D4424 24 lea eax, dword ptr [esp+24]
00422A4A . 50 push eax ; /pHandle
00422A4B . 68 58EB4D00 push 004DEB58 ; |s
00422A50 . 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00422A55 . FF15 04404D00 call dword ptr [<&ADVAPI32.RegOpenKeyW>] ; \RegOpenKeyW
00422A5B . 85C0 test eax, eax
00422A5D . 75 45 jnz short 00422AA4
00422A5F . 8D4C24 20 lea ecx, dword ptr [esp+20]
00422A63 . 51 push ecx ; /pBufSize
00422A64 . 8B4C24 28 mov ecx, dword ptr [esp+28] ; |
00422A68 . 8D5424 1C lea edx, dword ptr [esp+1C] ; |
00422A6C . 52 push edx ; |Buffer
00422A6D . 8D4424 30 lea eax, dword ptr [esp+30] ; |
00422A71 . 50 push eax ; |pValueType
00422A72 . 6A 00 push 0 ; |Reserved = NULL
00422A74 . 68 40EB4D00 push 004DEB40 ; |s
00422A79 . 51 push ecx ; |hKey
00422A7A . 897424 40 mov dword ptr [esp+40], esi ; |
00422A7E . C74424 38 04000000 mov dword ptr [esp+38], 4 ; |
00422A86 . FF15 6C404D00 call dword ptr [<&ADVAPI32.RegQueryValueExW>] ; \RegQueryValueExW
00422A8C . 85C0 test eax, eax
00422A8E 75 14 jnz short 00422AA4
00422A90 . 56 push esi ; /Arg3
00422A91 . 68 84C14D00 push 004DC184 ; |s
00422A96 . 68 64C14D00 push 004DC164 ; |f
00422A9B . 8BCB mov ecx, ebx ; |
00422A9D . E8 C1A00600 call 0048CB63 ; \FileGee.0048CB63
00422AA2 . EB 39 jmp short 00422ADD
00422AA4 > 6A 40 push 40
00422AA6 . 68 304E4D00 push 004D4E30 ; ASCII "酧o`"
00422AAB . 68 20EB4D00 push 004DEB20
00422AB0 . 6A 00 push 0
00422AB2 . FFD7 call edi
00422AB4 . 6A 00 push 0
00422AB6 . 6A 00 push 0
00422AB8 . 8D8C24 08010000 lea ecx, dword ptr [esp+108]
00422ABF . C605 C09C5000 01 mov byte ptr [509CC0], 1
00422AC6 . E8 C5CAFFFF call 0041F590
00422ACB . C68424 C4020000 06 mov byte ptr [esp+2C4], 6
00422AD3 .^ E9 BAFEFFFF jmp 00422992
00422AD8 > E8 23CBFFFF call 0041F600
00422ADD > E8 EE0C0100 call 004337D0
00422AE2 . E8 F9380100 call 004363E0
00422AE7 . 8B15 4CDF5000 mov edx, dword ptr [50DF4C]
00422AED . A1 08DF5000 mov eax, dword ptr [50DF08]
00422AF2 . 68 90DF5000 push 0050DF90
00422AF7 . 68 50DF5000 push 0050DF50
00422AFC . 52 push edx
00422AFD . 68 0CDF5000 push 0050DF0C
00422B02 . 50 push eax
00422B03 . E8 C8FE0200 call 004529D0
00422B08 . 83C4 14 add esp, 14
00422B0B . E8 E0340100 call 00435FF0
00422B10 . E8 DB070100 call 004332F0
00422B15 . E8 66FD0000 call 00432880
00422B1A . E8 41860000 call 0042B160
00422B1F . 84C0 test al, al
00422B21 . 75 11 jnz short 00422B34
00422B23 . 6A 30 push 30
00422B25 . 68 F4554D00 push 004D55F4
00422B2A . 68 F8EA4D00 push 004DEAF8
00422B2F .^ E9 52FDFFFF jmp 00422886
00422B34 > E8 673F0000 call 00426AA0
00422B39 . E8 32F80000 call 00432370
00422B3E . A1 18D95000 mov eax, dword ptr [50D918]
00422B43 . 3B05 84DA5000 cmp eax, dword ptr [50DA84]
00422B49 . 72 08 jb short 00422B53
00422B4B . 83C0 01 add eax, 1
00422B4E . A3 84DA5000 mov dword ptr [50DA84], eax
00422B53 > A1 A4D95000 mov eax, dword ptr [50D9A4]
00422B58 . 3B05 88DA5000 cmp eax, dword ptr [50DA88]
00422B5E . 72 08 jb short 00422B68
00422B60 . 83C0 01 add eax, 1
00422B63 . A3 88DA5000 mov dword ptr [50DA88], eax
00422B68 > A1 F0DE5000 mov eax, dword ptr [50DEF0]
00422B6D . 3B05 8CDA5000 cmp eax, dword ptr [50DA8C]
00422B73 . 72 08 jb short 00422B7D
00422B75 . 83C0 01 add eax, 1
00422B78 . A3 8CDA5000 mov dword ptr [50DA8C], eax
00422B7D > A1 78D95000 mov eax, dword ptr [50D978]
00422B82 . 3B05 90DA5000 cmp eax, dword ptr [50DA90]
00422B88 . 72 08 jb short 00422B92
00422B8A . 83C0 01 add eax, 1
00422B8D . A3 90DA5000 mov dword ptr [50DA90], eax
00422B92 > A1 FCD85000 mov eax, dword ptr [50D8FC]
00422B97 . 3B05 94DA5000 cmp eax, dword ptr [50DA94]
00422B9D . 72 08 jb short 00422BA7
00422B9F . 83C0 01 add eax, 1
00422BA2 . A3 94DA5000 mov dword ptr [50DA94], eax
00422BA7 > A1 60D95000 mov eax, dword ptr [50D960]
00422BAC . 3B05 98DA5000 cmp eax, dword ptr [50DA98]
00422BB2 . 72 08 jb short 00422BBC
00422BB4 . 83C0 01 add eax, 1
00422BB7 . A3 98DA5000 mov dword ptr [50DA98], eax
00422BBC > 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422BC3 . 75 71 jnz short 00422C36
00422BC5 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422BC9 . 51 push ecx
00422BCA . E8 71F7FFFF call 00422340
00422BCF . 8D5424 24 lea edx, dword ptr [esp+24]
00422BD3 . 52 push edx
00422BD4 . 8D4424 2C lea eax, dword ptr [esp+2C]
00422BD8 . 50 push eax
00422BD9 . 8D4C24 28 lea ecx, dword ptr [esp+28]
00422BDD . 51 push ecx
00422BDE . 68 E4EA4D00 push 004DEAE4 ; %
00422BE3 . 68 CCEA4D00 push 004DEACC ; 2
00422BE8 . E8 18930800 call 004ABF05
00422BED . 8B5424 38 mov edx, dword ptr [esp+38]
00422BF1 . 8B4424 3C mov eax, dword ptr [esp+3C]
00422BF5 . 8B4C24 34 mov ecx, dword ptr [esp+34]
00422BF9 . 83C4 14 add esp, 14
00422BFC . 6A FF push -1 ; /Arg7 = FFFFFFFF
00422BFE . 6A 00 push 0 ; |Arg6 = 00000000
00422C00 . 6A 00 push 0 ; |Arg5 = 00000000
00422C02 . 6A 00 push 0 ; |Arg4 = 00000000
00422C04 . 52 push edx ; |Arg3
00422C05 . 50 push eax ; |Arg2
00422C06 . 51 push ecx ; |Arg1
00422C07 . 8D4C24 4C lea ecx, dword ptr [esp+4C] ; |
00422C0B . E8 D0F5FFFF call 004221E0 ; \FileGee.004221E0
00422C10 . 8B5424 1C mov edx, dword ptr [esp+1C]
00422C14 . 3B5424 34 cmp edx, dword ptr [esp+34]
00422C18 . 7C 13 jl short 00422C2D
00422C1A . 7F 0A jg short 00422C26
00422C1C . 8B4424 18 mov eax, dword ptr [esp+18]
00422C20 . 3B4424 30 cmp eax, dword ptr [esp+30]
00422C24 . 76 07 jbe short 00422C2D
00422C26 > C605 B8E35000 01 mov byte ptr [50E3B8], 1 ; ---> C605 C09C5000 00 mov byte ptr [509CC0], 0
00422C2D > 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422C34 . 74 4E je short 00422C84
00422C36 > 833D 38D95000 02 cmp dword ptr [50D938], 2
00422C3D . 7E 45 jle short 00422C84
00422C3F . 6A 00 push 0
00422C41 . 6A 00 push 0
00422C43 . 8D8C24 08010000 lea ecx, dword ptr [esp+108]
00422C4A . E8 41C9FFFF call 0041F590
00422C4F . 8D8C24 00010000 lea ecx, dword ptr [esp+100]
00422C56 . C68424 C4020000 07 mov byte ptr [esp+2C4], 7
00422C5E . E8 AF2D0600 call 00485A12
00422C63 . 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422C6A . C68424 C4020000 01 mov byte ptr [esp+2C4], 1
00422C72 . 8D8C24 00010000 lea ecx, dword ptr [esp+100]
00422C79 .^ 0F85 3BFDFFFF jnz 004229BA
00422C7F . E8 7CC9FFFF call 0041F600
00422C84 > 803D 9DDA5000 00 cmp byte ptr [50DA9D], 0
00422C8B . 74 71 je short 00422CFE
00422C8D . 8B4424 14 mov eax, dword ptr [esp+14]
00422C91 . 8378 F4 00 cmp dword ptr [eax-C], 0
00422C95 . 7C 1D jl short 00422CB4
00422C97 . 68 00EE4D00 push 004DEE00 ; /
00422C9C . 50 push eax
00422C9D . E8 588A0800 call 004AB6FA
00422CA2 . 83C4 08 add esp, 8
00422CA5 . 85C0 test eax, eax
00422CA7 . 74 0B je short 00422CB4
00422CA9 . 2B4424 14 sub eax, dword ptr [esp+14]
00422CAD . D1F8 sar eax, 1
00422CAF . 83F8 FF cmp eax, -1
00422CB2 . 75 4A jnz short 00422CFE
00422CB4 > 6A 00 push 0
00422CB6 . 68 A0DA5000 push 0050DAA0
00422CBB . 8D8C24 8C000000 lea ecx, dword ptr [esp+8C]
00422CC2 . E8 E9A2FFFF call 0041CFB0
00422CC7 . 8D8C24 84000000 lea ecx, dword ptr [esp+84]
00422CCE . C68424 C4020000 08 mov byte ptr [esp+2C4], 8
00422CD6 . E8 372D0600 call 00485A12
00422CDB . 83F8 02 cmp eax, 2
00422CDE . C68424 C4020000 01 mov byte ptr [esp+2C4], 1
00422CE6 . 8D8C24 84000000 lea ecx, dword ptr [esp+84]
00422CED . 75 0A jnz short 00422CF9
00422CEF . E8 7CC2FEFF call 0040EF70
00422CF4 .^ E9 91FBFFFF jmp 0042288A
00422CF9 > E8 72C2FEFF call 0040EF70
00422CFE > 803D 9CDA5000 00 cmp byte ptr [50DA9C], 0
00422D05 . 74 62 je short 00422D69
00422D07 . 68 64C14D00 push 004DC164 ; f
00422D0C . E8 DF9C0200 call 0044C9F0
00422D11 . 83C4 04 add esp, 4
00422D14 . 85C0 test eax, eax
00422D16 . 75 4E jnz short 00422D66
00422D18 . 50 push eax
00422D19 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00422D1D . 68 AC114F00 push 004F11AC
00422D22 . 51 push ecx
00422D23 . E8 586D0200 call 00449A80
00422D28 . 83C4 0C add esp, 0C
00422D2B . 68 E8C84D00 push 004DC8E8 ; s
00422D30 . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00422D34 . C68424 C8020000 09 mov byte ptr [esp+2C8], 9
00422D3C . E8 BF30FEFF call 00405E00
00422D41 . 8B5424 18 mov edx, dword ptr [esp+18]
00422D45 . 52 push edx
00422D46 . 68 64C14D00 push 004DC164 ; f
00422D4B . E8 E09B0200 call 0044C930
00422D50 . 83C4 08 add esp, 8
00422D53 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422D57 . C68424 C4020000 01 mov byte ptr [esp+2C4], 1
00422D5F . E8 3C0FFEFF call 00403CA0
00422D64 . EB 12 jmp short 00422D78
00422D66 > 56 push esi
00422D67 . EB 02 jmp short 00422D6B
00422D69 > 6A 00 push 0
00422D6B > 68 64C14D00 push 004DC164 ; f
00422D70 . E8 4B9D0200 call 0044CAC0
00422D75 . 83C4 08 add esp, 8
00422D78 > 68 FC0F0000 push 0FFC
00422D7D . E8 297E0500 call 0047ABAB
00422D82 . 83C4 04 add esp, 4
00422D85 . 894424 24 mov dword ptr [esp+24], eax
00422D89 . 85C0 test eax, eax
00422D8B . C68424 C4020000 0A mov byte ptr [esp+2C4], 0A
00422D93 . 74 0B je short 00422DA0
00422D95 . 8BC8 mov ecx, eax
00422D97 . E8 34010000 call 00422ED0
00422D9C . 8BF0 mov esi, eax
00422D9E . EB 02 jmp short 00422DA2
00422DA0 > 33F6 xor esi, esi
00422DA2 > 8B4424 2C mov eax, dword ptr [esp+2C]
00422DA6 . 6A 00 push 0
00422DA8 . 6A 00 push 0
00422DAA . 8970 20 mov dword ptr [eax+20], esi
00422DAD . 8B16 mov edx, dword ptr [esi]
00422DAF . 8B82 38010000 mov eax, dword ptr [edx+138]
00422DB5 . 68 0080CF00 push 0CF8000
00422DBA . 68 80000000 push 80
00422DBF . 8BCE mov ecx, esi
00422DC1 . C68424 D4020000 01 mov byte ptr [esp+2D4], 1
00422DC9 . FFD0 call eax
00422DCB . 85C0 test eax, eax
00422DCD .^ 0F84 B7FAFFFF je 0042288A
00422DD3 . 8B4424 14 mov eax, dword ptr [esp+14]
00422DD7 . 8378 F4 00 cmp dword ptr [eax-C], 0
00422DDB . 7C 21 jl short 00422DFE
00422DDD . 68 00EE4D00 push 004DEE00 ; /
00422DE2 . 50 push eax
00422DE3 . E8 12890800 call 004AB6FA
00422DE8 . 83C4 08 add esp, 8
00422DEB . 85C0 test eax, eax
00422DED . 74 0F je short 00422DFE
00422DEF . 2B4424 14 sub eax, dword ptr [esp+14]
00422DF3 . D1F8 sar eax, 1
00422DF5 . 83F8 FF cmp eax, -1
00422DF8 . 74 04 je short 00422DFE
00422DFA . 6A 00 push 0
00422DFC . EB 02 jmp short 00422E00
00422DFE > 6A 03 push 3
00422E00 > 8BCE mov ecx, esi
00422E02 . E8 E5170600 call 004845EC
00422E07 . 8B4E 20 mov ecx, dword ptr [esi+20]
00422E0A . 51 push ecx ; /hWnd
00422E0B . FF15 C0464D00 call dword ptr [<&USER32.UpdateWindow>] ; \UpdateWindow ; correct exit
00422E11 . 83FD 32 cmp ebp, 32
00422E14 . 75 4B jnz short 00422E61
00422E16 . 6A 00 push 0
00422E18 . 8D5424 1C lea edx, dword ptr [esp+1C]
00422E1C . 68 AC114F00 push 004F11AC
00422E21 . 52 push edx
00422E22 . E8 596C0200 call 00449A80
00422E27 . 83C4 0C add esp, 0C
00422E2A . 68 B4EA4D00 push 004DEAB4 ; f
00422E2F . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00422E33 . C68424 C8020000 0B mov byte ptr [esp+2C8], 0B
00422E3B . E8 C02FFEFF call 00405E00
00422E40 . 8B4424 18 mov eax, dword ptr [esp+18]
00422E44 . 6A 01 push 1 ; /IsShown = 1
00422E46 . 6A 00 push 0 ; |DefDir = NULL
00422E48 . 6A 00 push 0 ; |Parameters = NULL
00422E4A . 50 push eax ; |FileName
00422E4B . 68 F8504D00 push 004D50F8 ; |o
00422E50 . 6A 00 push 0 ; |hWnd = NULL
00422E52 . FF15 E8444D00 call dword ptr [<&SHELL32.ShellExecuteW>] ; \ShellExecuteW
00422E58 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00422E5C . E8 3F0EFEFF call 00403CA0
00422E61 > 8D4C24 38 lea ecx, dword ptr [esp+38]
00422E65 . C68424 C4020000 00 mov byte ptr [esp+2C4], 0
00422E6D . E8 2E100500 call 00473EA0
00422E72 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00422E76 . E8 250EFEFF call 00403CA0
00422E7B . B8 01000000 mov eax, 1
00422E80 > 8B8C24 BC020000 mov ecx, dword ptr [esp+2BC]
00422E87 . 64:890D 00000000 mov dword ptr fs:[0], ecx
00422E8E . 59 pop ecx
00422E8F . 5F pop edi
00422E90 . 5E pop esi
00422E91 . 5D pop ebp
00422E92 . 5B pop ebx
00422E93 . 8B8C24 A4020000 mov ecx, dword ptr [esp+2A4]
00422E9A . 33CC xor ecx, esp
00422E9C . E8 59810800 call 004AAFFA
00422EA1 . 81C4 B4020000 add esp, 2B4
00422EA7 . C3 retn
------------------------------------------------------
Analysis shows that the global byte at [509CC0] is the software's activation flag: [509CC0]=1 means not activated, [509CC0]=0 means activated. With the two modifications noted in the listing above (at 00422952 and 00422C26), the program starts normally and the registration menu is greyed out. Tested: all functions work and every limit is gone, so the crack succeeded.
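As an added example that is not part of the original post: a small Python parser for OllyDbg-style listing lines (address, optional marker, opcode bytes, mnemonic, operands, comment) that builds the cross-reference view behind the conclusion above. It lists every read and write of a chosen global and flags globals that are both set with an immediate and compared against one, which is the one-byte flag pattern the post relies on. The sample input is a few lines copied from the dump; the format rules are the parser's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: listing lines copied from the OllyDbg dump in the post.
SAMPLE_LISTING = """\
004228E2 . C605 B9E35000 01 mov byte ptr [50E3B9], 1
00422961 . C605 B9E35000 00 mov byte ptr [50E3B9], 0
0042299E . 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422ABF . C605 C09C5000 01 mov byte ptr [509CC0], 1
00422BBC > 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422C26 > C605 B8E35000 01 mov byte ptr [50E3B8], 1
00422C2D > 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422C63 . 803D C09C5000 00 cmp byte ptr [509CC0], 0
00422C84 > 803D 9DDA5000 00 cmp byte ptr [50DA9D], 0
00422ADD > E8 EE0C0100 call 004337D0
"""

HEX_TOKEN = re.compile(r"^[0-9A-F:]+$")          # opcode byte groups, e.g. C605 or 64:A1
ABS_MEM = re.compile(r"\[([0-9A-F]{5,8})\]")     # absolute memory operand, e.g. [509CC0]
WRITERS = {"mov", "or", "and", "xor", "add", "sub", "inc", "dec", "xadd"}


def parse_line(line):
    """Split one listing line into (address, mnemonic, operands).

    Assumed layout: ADDRESS [. or > marker] BYTES... mnemonic operands [; comment].
    Returns None for separators and anything that is not an instruction line."""
    text = line.split(";", 1)[0].strip()
    tokens = text.split()
    if len(tokens) < 2 or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    addr = tokens[0]
    i = 1
    if tokens[i] in (".", ">", ".^", ">^"):
        i += 1
    # Opcode bytes are uppercase hex groups; the mnemonic is the first lowercase word.
    while i < len(tokens) and HEX_TOKEN.match(tokens[i]):
        i += 1
    if i >= len(tokens):
        return None
    return addr, tokens[i].lower(), " ".join(tokens[i + 1:])


def find_xrefs(listing, targets):
    """Return {target: [(insn_addr, 'write'|'read', 'mnemonic operands'), ...]}
    for every instruction whose absolute memory operand is one of the targets."""
    wanted = {t.upper() for t in targets}
    xrefs = defaultdict(list)
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, mnemonic, operands = parsed
        first_operand = operands.split(",", 1)[0]
        for m in ABS_MEM.finditer(operands):
            if m.group(1) not in wanted:
                continue
            # A write needs a writing mnemonic with the memory operand as destination.
            is_write = mnemonic in WRITERS and m.start() < len(first_operand)
            xrefs[m.group(1)].append((addr, "write" if is_write else "read",
                                      f"{mnemonic} {operands}"))
    return dict(xrefs)


def byte_flag_candidates(listing):
    """Globals that are both set with 'mov byte ptr [X], imm' and tested with
    'cmp byte ptr [X], imm': the single-byte state-flag pattern found in the post."""
    written, compared = set(), set()
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, mnemonic, operands = parsed
        m = re.fullmatch(r"byte ptr \[([0-9A-F]{5,8})\], [0-9A-F]+", operands)
        if not m:
            continue
        if mnemonic == "mov":
            written.add(m.group(1))
        elif mnemonic == "cmp":
            compared.add(m.group(1))
    return sorted(written & compared)


if __name__ == "__main__":
    for flag in byte_flag_candidates(SAMPLE_LISTING):
        print(f"candidate flag [{flag}]")
        for addr, kind, insn in find_xrefs(SAMPLE_LISTING, [flag])[flag]:
            print(f"  {addr}  {kind:5}  {insn}")
```

On the sample, [509CC0] is the only global that is both written and compared, with one write site and four reads, which matches the role the post assigns to it.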
--------------------------------------------------------------------------------
【Lessons learned】
Cracking requires a clear line of reasoning and a sound method. The analysis of the key code regions has to be systematic, following the control flow step by step. All of this, of course, rests on a solid programming foundation. This is my sixth cracking writeup; experts, please forgive it! I only hope it gives some inspiration and encouragement to novices like me!
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the PEDIY (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
July 9, 2008, 15:41:22