【破文标题】破解之GetDiskSerial.DLL 4.0 Demo Version
【破文作者】Busheler
【作者邮箱】[email protected]
【作者主页】
【破解工具】PEiD v0.94,odbg110, UPX Shell 3.4.2,UltraEdit 13.00,Resource Hacker 3.4.0
【破解平台】WindowsXP SP2
【软件名称】GetDiskSerial.DLL
【软件大小】45.0KB
【原版下载】http://www.devlib.net/
【保护方式】Nag窗口
【软件简介】(以下为厂商自述)GetDiskSerial.DLL是一个标准的32位DLL,用它可以很容易地读取硬盘序列号。厂商宣称硬盘序列号全球唯一、适合用来做加密/授权绑定——注意这只是厂商说法:硬盘序列号并不是秘密,任何进程都能读出来,也可以被伪造;在虚拟机或克隆盘上也未必唯一,只靠它做授权绑定并不牢靠。
·在 Win NT/2000/XP/2003/VISTA 下无需管理员权限!(厂商说法,本文未验证)
·支持多种开发环境, 诸如 Delphi, C++Builder, VC, C#, VB, VB.NET, VBA, PowerBuilder, Visual Foxpro, Clarion等等。
【破解声明】研究学习,共享心得
------------------------------------------------------------------------
关键:正常调用时,会弹出 "Thank you for trying GetDiskSerial.dll V 4.0.0 ! Do you register now ?" 的Nag窗口。破解要点是去掉读取硬盘信息时的这个Nag窗口,同时不能影响导出函数本身的功能(读盘逻辑、栈平衡、返回值都要保持原样)。
一、查壳:
PEiD v0.94查壳为UPX 0.80 - 1.24 DLL -> Markus & Laszlo
由于脱壳水平有限,UPX Shell 3.4.2脱之,文件大小94K,测试调用正常。
二、找资源:
1、用其提供文件包中VB例程编译成Demo.exe
2、odbg110载入Demo.exe
运行后,此时GetDiskSerial.dll还没有被载入——VB例程是在第一次调用导出函数时才加载DLL,所以要先触发一次调用。
点击“Get”,Nag窗口出现,GetDiskSerial.dll已经载入...
右键===〉模块'GetDiskS'(OllyDbg 1.10的模块列表只显示模块名前8个字符,'GetDiskS'就是GetDiskSerial.dll),此时我们已经来到“GetDiskSerial.dll”里了!
右键===〉分析===〉分析代码
右键===〉查找===〉查找所有参考文本子串,可以看到两处 "Thank you for trying GetDiskSerial.dll V 4.0.0 ! Do you register now ?"
(1)第一处
; Nag-box routine #1 (OllyDbg listing). Borland/Delphi-style code: the helper calls below take
; their arguments in EAX/EDX (register convention); this routine itself reads two stack args,
; [ebp+8] and [ebp+C]. It shows the "DEMO VERSION" MessageBox, optionally opens the buy page,
; and only then runs the real lookup. The crack patches just the two bytes at 010F2D6F
; (push 44 -> jmp short 010F2D9E, i.e. EB 2D); nothing from 010F2D9E on is touched.
010F2D4C >/$ 55 push ebp
010F2D4D |. 8BEC mov ebp, esp
010F2D4F |. 33C9 xor ecx, ecx
010F2D51 |. 51 push ecx ; reserve and zero five dword locals [ebp-4] .. [ebp-14]
010F2D52 |. 51 push ecx
010F2D53 |. 51 push ecx
010F2D54 |. 51 push ecx
010F2D55 |. 51 push ecx
010F2D56 |. 53 push ebx
010F2D57 |. 56 push esi
010F2D58 |. 57 push edi
010F2D59 |. 8B75 0C mov esi, [ebp+C] ; esi = 2nd stack argument (passed to every helper as EDX; presumably an output buffer/record pointer)
010F2D5C |. 8B5D 08 mov ebx, [ebp+8] ; ebx = 1st stack argument (passed to the helpers as EAX)
010F2D5F |. 33C0 xor eax, eax
010F2D61 |. 55 push ebp
010F2D62 |. 68 7E2E0F01 push 010F2E7E ; handler/unwind target for this frame
010F2D67 |. 64:FF30 push dword ptr fs:[eax] ; eax = 0: link the previous fs:[0] record
010F2D6A |. 64:8920 mov fs:[eax], esp ; install the SEH frame
010F2D6D |. 33FF xor edi, edi ; edi = 0; set to -1 on the success paths below (what 010F2E85 does with it is not visible)
010F2D6F 6A 44 push 44 ; uType = 0x44 = MB_YESNO | MB_ICONINFORMATION. <- PATCH SITE: EB 2D = jmp short 010F2D9E skips the whole nag block, stack stays balanced
010F2D71 |. 68 902E0F01 push 010F2E90 ; |Title = "DEMO VERSION"
010F2D76 |. 68 A02E0F01 push 010F2EA0 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F2D7B |. 6A 00 push 0 ; |hOwner = NULL
010F2D7D |. E8 DE2EFFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F2D82 |. 83F8 06 cmp eax, 6 ; 6 = IDYES
010F2D85 |. 75 17 jnz short 010F2D9E ; anything but "Yes": skip the ShellExecute
010F2D87 |. 6A 03 push 3 ; /IsShown = 3 (SW_MAXIMIZE)
010F2D89 |. 6A 00 push 0 ; |DefDir = NULL
010F2D8B |. 6A 00 push 0 ; |Parameters = NULL
010F2D8D |. 68 F82E0F01 push 010F2EF8 ; |FileName = "http://www.devlib.net/buynow.htm"
010F2D92 |. 68 1C2F0F01 push 010F2F1C ; |Operation = "open"
010F2D97 |. 6A 00 push 0 ; |hWnd = NULL
010F2D99 |. E8 16F8FFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F2D9E |> 8BD6 mov edx, esi ; <- the patched jmp lands here; eax is dead at this point (overwritten on the next line)
010F2DA0 |. 8BC3 mov eax, ebx
010F2DA2 |. E8 B1010000 call 010F2F58 ; lookup method #1 (eax = arg1, edx = arg2); body not in this listing
010F2DA7 |. 83F8 01 cmp eax, 1
010F2DAA |. 1BC0 sbb eax, eax
010F2DAC |. 40 inc eax ; cmp/sbb/inc: al = (eax != 0), i.e. normalise the result to a 0/1 flag
010F2DAD |. 84C0 test al, al
010F2DAF |. 75 0F jnz short 010F2DC0 ; #1 succeeded -> skip #2
010F2DB1 |. 8BD6 mov edx, esi
010F2DB3 |. 8BC3 mov eax, ebx
010F2DB5 |. E8 3A060000 call 010F33F4 ; lookup method #2, same arguments
010F2DBA |. 83F8 01 cmp eax, 1
010F2DBD |. 1BC0 sbb eax, eax
010F2DBF |. 40 inc eax
010F2DC0 |> 84C0 test al, al
010F2DC2 |. 75 0D jnz short 010F2DD1 ; #1 or #2 succeeded -> skip #3
010F2DC4 |. 56 push esi
010F2DC5 |. 53 push ebx
010F2DC6 |. E8 29F8FFFF call 010F25F4 ; lookup method #3 takes its arguments on the stack instead
010F2DCB |. 83F8 01 cmp eax, 1
010F2DCE |. 1BC0 sbb eax, eax
010F2DD0 |. 40 inc eax
010F2DD1 |> 84C0 test al, al
010F2DD3 |. 74 34 je short 010F2E09 ; all three methods failed -> fallback loop
010F2DD5 |. 8D55 FC lea edx, [ebp-4]
010F2DD8 |. 8BC6 mov eax, esi
010F2DDA |. E8 2947FFFF call 010E7508 ; [ebp-4] := value extracted from *esi (helper not visible)
010F2DDF |. 837D FC 00 cmp dword ptr [ebp-4], 0
010F2DE3 |. 74 1F je short 010F2E04 ; nothing extracted -> skip the post-processing
010F2DE5 |. 8D55 F4 lea edx, [ebp-C]
010F2DE8 |. 8BC6 mov eax, esi
010F2DEA |. E8 1947FFFF call 010E7508 ; [ebp-C] := same extraction again
010F2DEF |. 8B45 F4 mov eax, [ebp-C]
010F2DF2 |. 8D55 F8 lea edx, [ebp-8]
010F2DF5 |. E8 56FEFFFF call 010F2C50 ; [ebp-8] := transform([ebp-C]) (helper not visible)
010F2DFA |. 8B55 F8 mov edx, [ebp-8]
010F2DFD |. 8BC6 mov eax, esi
010F2DFF |. E8 2046FFFF call 010E7424 ; write [ebp-8] back through esi — presumably the inverse of 010E7508
010F2E04 |> 83CF FF or edi, FFFFFFFF ; edi = -1: success
010F2E07 |. EB 5A jmp short 010F2E63
010F2E09 |> 84DB test bl, bl ; fallback only when the low byte of arg1 is 0
010F2E0B |. 75 56 jnz short 010F2E63
010F2E0D |. 84C0 test al, al ; al is 0 on every path that reaches here (we came via the je), so this never branches
010F2E0F |. 75 52 jnz short 010F2E63
010F2E11 |. 33DB xor ebx, ebx ; retry methods #1/#2 with eax = 0..9 in place of arg1
010F2E13 |> 8BD6 /mov edx, esi
010F2E15 |. 8BC3 |mov eax, ebx
010F2E17 |. E8 3C010000 |call 010F2F58 ; method #1 with the loop counter
010F2E1C |. 83F8 01 |cmp eax, 1
010F2E1F |. 1BC0 |sbb eax, eax
010F2E21 |. 40 |inc eax
010F2E22 |. 84C0 |test al, al
010F2E24 |. 75 0F |jnz short 010F2E35
010F2E26 |. 8BD6 |mov edx, esi
010F2E28 |. 8BC3 |mov eax, ebx
010F2E2A |. E8 C5050000 |call 010F33F4 ; method #2 with the loop counter
010F2E2F |. 83F8 01 |cmp eax, 1
010F2E32 |. 1BC0 |sbb eax, eax
010F2E34 |. 40 |inc eax
010F2E35 |> 84C0 |test al, al
010F2E37 |. 74 24 |je short 010F2E5D ; failed -> next counter value
010F2E39 |. 83CF FF |or edi, FFFFFFFF ; edi = -1: success
010F2E3C |. 8D55 EC |lea edx, [ebp-14]
010F2E3F |. 8BC6 |mov eax, esi
010F2E41 |. E8 C246FFFF |call 010E7508 ; same extract / transform / write-back sequence as above, using [ebp-14] and [ebp-10]
010F2E46 |. 8B45 EC |mov eax, [ebp-14]
010F2E49 |. 8D55 F0 |lea edx, [ebp-10]
010F2E4C |. E8 FFFDFFFF |call 010F2C50
010F2E51 |. 8B55 F0 |mov edx, [ebp-10]
010F2E54 |. 8BC6 |mov eax, esi
010F2E56 |. E8 C945FFFF |call 010E7424
010F2E5B |. EB 06 |jmp short 010F2E63
010F2E5D |> 43 |inc ebx
010F2E5E |. 80FB 0A |cmp bl, 0A
010F2E61 |.^ 75 B0 \jnz short 010F2E13 ; loop while counter < 10
010F2E63 |> 33C0 xor eax, eax
010F2E65 |. 5A pop edx
010F2E66 |. 59 pop ecx
010F2E67 |. 59 pop ecx
010F2E68 |. 64:8910 mov fs:[eax], edx ; unlink the SEH frame (restore previous fs:[0])
010F2E6B |. 68 852E0F01 push 010F2E85 ; the retn below continues at 010F2E85 (outside this listing)
010F2E70 |> 8D45 EC lea eax, [ebp-14]
010F2E73 |. BA 05000000 mov edx, 5
010F2E78 |. E8 DB0EFFFF call 010E3D58 ; finalise the five locals [ebp-14]..[ebp-4] (looks like a Delphi FinalizeArray — not verified)
010F2E7D \. C3 retn ; "returns" to the pushed 010F2E85
(2)第二处
; Nag-box routine #2 (OllyDbg listing). Same MessageBox/ShellExecute prologue as routine #1,
; then a call to GetIdeDiskInfo with a 0x5C-byte local buffer, and a string built from the
; first 0x14 bytes of that buffer. Patch site: 010F39A1 (push 44 -> jmp short 010F39D0 = EB 2D).
010F3988 >/$ 55 push ebp
010F3989 |. 8BEC mov ebp, esp
010F398B |. 83C4 A4 add esp, -5C ; 0x5C bytes of locals; [ebp-5C] is the buffer handed to GetIdeDiskInfo
010F398E |. 33C0 xor eax, eax
010F3990 |. 8945 F8 mov [ebp-8], eax ; [ebp-8] = 0 (string local, finalised at 010F3A09)
010F3993 |. 33C0 xor eax, eax
010F3995 |. 55 push ebp
010F3996 |. 68 123A0F01 push 010F3A12 ; handler/unwind target for this frame
010F399B |. 64:FF30 push dword ptr fs:[eax] ; eax = 0: link the previous fs:[0] record
010F399E |. 64:8920 mov fs:[eax], esp ; install the SEH frame
010F39A1 6A 44 push 44 ; uType = 0x44 = MB_YESNO | MB_ICONINFORMATION. <- PATCH SITE: EB 2D = jmp short 010F39D0 skips the whole nag block, stack stays balanced
010F39A3 |. 68 243A0F01 push 010F3A24 ; |Title = "DEMO VERSION"
010F39A8 |. 68 343A0F01 push 010F3A34 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F39AD |. 6A 00 push 0 ; |hOwner = NULL
010F39AF |. E8 AC22FFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F39B4 |. 83F8 06 cmp eax, 6 ; 6 = IDYES
010F39B7 |. 75 17 jnz short 010F39D0 ; anything but "Yes": skip the ShellExecute
010F39B9 |. 6A 03 push 3 ; /IsShown = 3 (SW_MAXIMIZE)
010F39BB |. 6A 00 push 0 ; |DefDir = NULL
010F39BD |. 6A 00 push 0 ; |Parameters = NULL
010F39BF |. 68 8C3A0F01 push 010F3A8C ; |FileName = "http://www.devlib.net/buynow.htm"
010F39C4 |. 68 B03A0F01 push 010F3AB0 ; |Operation = "open"
010F39C9 |. 6A 00 push 0 ; |hWnd = NULL
010F39CB |. E8 E4EBFFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F39D0 |> 8B45 0C mov eax, [ebp+C] ; <- the patched jmp lands here; eax is overwritten immediately, so skipping the nag leaves no live state behind
010F39D3 |. 50 push eax ; 3rd argument = [ebp+C]
010F39D4 |. 8D45 A4 lea eax, [ebp-5C]
010F39D7 |. 50 push eax ; 2nd argument = local buffer
010F39D8 |. 8A45 08 mov al, [ebp+8] ; only AL is loaded; the upper 24 bits of EAX are whatever the previous call left — presumably the callee treats this as a byte parameter
010F39DB |. 50 push eax ; 1st argument (byte)
010F39DC |. E8 6BF3FFFF call GetIdeDiskInfo
010F39E1 |. 8D45 F8 lea eax, [ebp-8]
010F39E4 |. 8D55 A4 lea edx, [ebp-5C]
010F39E7 |. B9 14000000 mov ecx, 14 ; 0x14 = 20 bytes (same size as the ATA IDENTIFY serial-number field — assumption)
010F39EC |. E8 B305FFFF call 010E3FA4 ; [ebp-8] := string made from the first 0x14 bytes of the buffer (helper not visible)
010F39F1 |. 8B45 F8 mov eax, [ebp-8]
010F39F4 |. E8 EFF1FFFF call 010F2BE8 ; post-process that string (helper not visible)
010F39F9 |. 8945 FC mov [ebp-4], eax ; result kept in [ebp-4]; presumably what the code at 010F3A19 returns — not visible here
010F39FC |. 33C0 xor eax, eax
010F39FE |. 5A pop edx
010F39FF |. 59 pop ecx
010F3A00 |. 59 pop ecx
010F3A01 |. 64:8910 mov fs:[eax], edx ; unlink the SEH frame (restore previous fs:[0])
010F3A04 |. 68 193A0F01 push 010F3A19 ; the retn below continues at 010F3A19 (outside this listing)
010F3A09 |> 8D45 F8 lea eax, [ebp-8]
010F3A0C |. E8 2303FFFF call 010E3D34 ; finalise the string local
010F3A11 \. C3 retn ; "returns" to the pushed 010F3A19
三、破解:
1、破解思路:把两处 push 44 改成一条短跳转,直接跳到 MessageBoxA/ShellExecuteA 这一段之后的标号处(010F2D9E / 010F39D0),Nag窗口就不会再弹出。要点:跳转必须连同 MessageBoxA 的四个 push 一起跳过,否则栈不平衡;跳过之后 eax 还没被用到就被下一条指令覆盖了(mov eax,ebx / mov eax,[ebp+C]),所以不影响后面的读盘逻辑。push 44 本身占 2 字节,短跳转 EB xx 也是 2 字节,正好原地替换。
010F2D6F 6A 44 push 44
010F2D71 |. 68 902E0F01 push 010F2E90 ; |Title = "DEMO VERSION"
010F2D76 |. 68 A02E0F01 push 010F2EA0 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F2D7B |. 6A 00 push 0 ; |hOwner = NULL
010F2D7D |. E8 DE2EFFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F2D82 |. 83F8 06 cmp eax, 6
010F2D85 |. 75 17 jnz short 010F2D9E
010F2D87 |. 6A 03 push 3 ; /IsShown = 3
010F2D89 |. 6A 00 push 0 ; |DefDir = NULL
010F2D8B |. 6A 00 push 0 ; |Parameters = NULL
010F2D8D |. 68 F82E0F01 push 010F2EF8 ; |FileName = "http://www.devlib.net/buynow.htm"
010F2D92 |. 68 1C2F0F01 push 010F2F1C ; |Operation = "open"
010F2D97 |. 6A 00 push 0 ; |hWnd = NULL
010F2D99 |. E8 16F8FFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F2D9E |> 8BD6 mov edx, esi
...
010F39A1 6A 44 push 44
010F39A3 |. 68 243A0F01 push 010F3A24 ; |Title = "DEMO VERSION"
010F39A8 |. 68 343A0F01 push 010F3A34 ; |Text = "Thank you for trying GetDiskSerial.DLL Ver 4.0.0 ! ",CR,LF,"Do you register now ?",CR,""
010F39AD |. 6A 00 push 0 ; |hOwner = NULL
010F39AF |. E8 AC22FFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
010F39B4 |. 83F8 06 cmp eax, 6
010F39B7 |. 75 17 jnz short 010F39D0
010F39B9 |. 6A 03 push 3 ; /IsShown = 3
010F39BB |. 6A 00 push 0 ; |DefDir = NULL
010F39BD |. 6A 00 push 0 ; |Parameters = NULL
010F39BF |. 68 8C3A0F01 push 010F3A8C ; |FileName = "http://www.devlib.net/buynow.htm"
010F39C4 |. 68 B03A0F01 push 010F3AB0 ; |Operation = "open"
010F39C9 |. 6A 00 push 0 ; |hWnd = NULL
010F39CB |. E8 E4EBFFFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
010F39D0 |> 8B45 0C mov eax, [ebp+C]
...
2、修改
(1)修改第一处
010F2D6F 6A 44 push 44
===〉
010F2D6F EB 2D jmp short 010F2D9E  (相对偏移 = 010F2D9E - (010F2D6F + 2) = 2D,与下面的十六进制修改一致;原文此处写的 EB 11 是笔误)
即:
33FF6A44
====>
33FFEB2D
(2)修改第二处
010F39A1 6A 44 push 44
===〉
010F39A1 EB 2D jmp short 010F39D0  (相对偏移 = 010F39D0 - (010F39A1 + 2) = 2D,与下面的十六进制修改一致;原文此处写的 EB 11 是笔误)
即:
89206A44
====>
8920EB2D
四、修改、测试
测试修改后,运行,Nag窗口消失!正常。
五,编辑修改、测试
UltraEdit 13.00载入脱壳后的GetDiskSerial.dll,查找“33FF6A44”修改为“33FFEB2D”;查找“89206A44”修改为“8920EB2D”,再次测试,一切正常。(改之前先确认这两个4字节特征串在文件里各只出现一次,或者直接按调试器给出的文件偏移定位,免得改错位置。)
六、收尾
1、Resource Hacker 3.4.0载入修改好的GetDiskSerial.dll,修改“版本”信息中的“备注”由“http://www.devlib.net ***DEMO VERSION***”修改为“http://www.devlib.net **Cracked By PYG**”
2、用UPX Shell 3.4.2为修改后GetDiskSerial.dll加壳,文件大小由94K减小到57K。
------------------------------------------------------------------------
【版权声明】交流学习,非商业应用,转载时请保证其完整!