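Newcomer checking in. I have only just started with cracking and hope to learn from the experts and exchange ideas.
Software name: 辩论计时器 (Debate Timer) 0.4
Software source: http://www.onlinedown.net/soft/48641.htm
Tools used: PEID, DEDE, OD
Description:
The unregistered version of this software has the following restrictions: 1. A GIF animation is displayed in the upper-left corner; 2. Once the program is running, after the second stage of the debate the title changes to the author's information; 3. Sound cannot be played.
After attempting the crack, the first two restrictions have been removed; the third is still unsolved. Overall assessment: crack failed.
Steps:
I. First I checked for a packer with PEID and found ASPack 2.12 -> Alexey Solodovnikov. I immediately used ASPACKDIE to unpack it and, luckily, the unpacking succeeded and the software could run. Checking again showed it was written in DELPHI.
II. I processed the unpacked UNPACKED program with DEDE and obtained the decompiled code. Based on how the program behaves at run time, I found several parts related to registration, including the main window's CREATE, the registration window's CREATE, the registration window's CLOSE, and the click on the registration window's REG button. I located these entry points in DEDE. After reading the code, however, I found that the REG button does not actually perform any registration comparison; it only fetches the data and reads it into variables. The actual processing is done in the CLOSE event of the registration window (TFRMREGISTER). In addition, the check for whether the program is registered is done in the CREATE events of the main window, the registration window and the About window.
The decompiled code of the main window's FORMCREATE is as follows: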
005CC3B8 55 push ebp
005CC3B9 8BEC mov ebp, esp
005CC3BB 6A00 push $00
005CC3BD 53 push ebx
005CC3BE 56 push esi
005CC3BF 8BD8 mov ebx, eax
005CC3C1 8B3518095E00 mov esi, [$005E0918]
005CC3C7 33C0 xor eax, eax
005CC3C9 55 push ebp
005CC3CA 68A8C55C00 push $005CC5A8
***** TRY
|
005CC3CF 64FF30 push dword ptr fs:[eax]
005CC3D2 648920 mov fs:[eax], esp
005CC3D5 BAE0D85E00 mov edx, $005ED8E0
005CC3DA 33C0 xor eax, eax
* Reference to: System.@LGetDir(Byte;String;String);
|
005CC3DC E85769E3FF call 00402D38
005CC3E1 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '\bljs.ini'
|
005CC3E4 B9BCC55C00 mov ecx, $005CC5BC
005CC3E9 8B15E0D85E00 mov edx, [$005ED8E0]
* Reference to: System.@LStrCat3;
|
005CC3EF E80C8BE3FF call 00404F00
005CC3F4 8B4DFC mov ecx, [ebp-$04]
005CC3F7 B201 mov dl, $01
005CC3F9 A168A24300 mov eax, dword ptr [$0043A268]
* Reference to: AxCtrls.TOleStream.Create(TOleStream;boolean;IStream);
| or: HelpIntfs.THelpViewerNode.Create(THelpViewerNode;boolean;ICustomHelpViewer);
| or: IniFiles.TCustomIniFile.Create(TCustomIniFile;boolean;AnsiString);
| or: SysUtils.Exception.Create(Exception;boolean;AnsiString);
|
005CC3FE E815DFE6FF call 0043A318
005CC403 A3F4D85E00 mov dword ptr [$005ED8F4], eax
005CC408 8B06 mov eax, [esi]
* Reference to: Forms.TScreen.GetWidth(TScreen):Integer;
|
005CC40A E87D35EAFF call 0046F98C
005CC40F A334D95E00 mov dword ptr [$005ED934], eax
005CC414 8B06 mov eax, [esi]
* Reference to: Forms.TScreen.GetHeight(TScreen):Integer;
|
005CC416 E86535EAFF call 0046F980
005CC41B A338D95E00 mov dword ptr [$005ED938], eax
005CC420 8B06 mov eax, [esi]
* Reference to: Forms.TScreen.GetWidth(TScreen):Integer;
|
005CC422 E86535EAFF call 0046F98C
005CC427 3D00040000 cmp eax, $00000400
005CC42C 7D30 jnl 005CC45E
005CC42E 8B06 mov eax, [esi]
* Reference to: Forms.TScreen.GetHeight(TScreen):Integer;
|
005CC430 E84B35EAFF call 0046F980
005CC435 3D00030000 cmp eax, $00000300
005CC43A 7D22 jnl 005CC45E
005CC43C 6A40 push $40
* Possible String Reference to: '提示'
|
005CC43E 68C8C55C00 push $005CC5C8
* Possible String Reference to: '本软件至少要在1024*768分辨率下运行!'
|
005CC443 68D0C55C00 push $005CC5D0
005CC448 6A00 push $00
* Reference to: user32.MessageBoxA()
|
005CC44A E829BBE3FF call 00407F78
005CC44F 48 dec eax
005CC450 750C jnz 005CC45E
005CC452 A198065E00 mov eax, dword ptr [$005E0698]
005CC457 8B00 mov eax, [eax]
* Reference to: Forms.TApplication.Terminate(TApplication);
|
005CC459 E8565CEAFF call 004720B4
005CC45E 8B06 mov eax, [esi]
* Reference to: Forms.TScreen.GetWidth(TScreen):Integer;
|
005CC460 E82735EAFF call 0046F98C
005CC465 8BD0 mov edx, eax
005CC467 8BC3 mov eax, ebx
* Reference to: Controls.TControl.SetWidth(TControl;Integer);
|
005CC469 E8DA48E8FF call 00450D48
005CC46E 8B06 mov eax, [esi]
* Reference to: Forms.TScreen.GetHeight(TScreen):Integer;
|
005CC470 E80B35EAFF call 0046F980
005CC475 8BD0 mov edx, eax
005CC477 8BC3 mov eax, ebx
* Reference to: Controls.TControl.SetHeight(TControl;Integer);
|
005CC479 E8EE48E8FF call 00450D6C
005CC47E C683F801000001 mov byte ptr [ebx+$01F8], $01
005CC485 8BC3 mov eax, ebx
|
005CC487 E858F2FFFF call 005CB6E4
005CC48C 8BC3 mov eax, ebx
|
005CC48E E809EDFFFF call 005CB19C
005CC493 8BC3 mov eax, ebx
|
005CC495 E8DEE2FFFF call 005CA778
005CC49A 33C0 xor eax, eax
005CC49C A380015E00 mov dword ptr [$005E0180], eax
005CC4A1 6A01 push $01
* Possible String Reference to: 'ShowButtons'
|
005CC4A3 B9FCC55C00 mov ecx, $005CC5FC
* Possible String Reference to: 'SYSTEM'
|
005CC4A8 BA10C65C00 mov edx, $005CC610
005CC4AD A1F4D85E00 mov eax, dword ptr [$005ED8F4]
005CC4B2 8B30 mov esi, [eax]
005CC4B4 FF5610 call dword ptr [esi+$10]
005CC4B7 8BD0 mov edx, eax
005CC4B9 80F201 xor dl, $01
* Reference to control N_Button : N.A.
|
005CC4BC 8B8394030000 mov eax, [ebx+$0394]
* Reference to: Menus.TMenuItem.SetChecked(TMenuItem;Boolean);
|
005CC4C2 E85D79E9FF call 00463E24
005CC4C7 6A01 push $01
* Possible String Reference to: 'ShowEdits'
|
005CC4C9 B920C65C00 mov ecx, $005CC620
* Possible String Reference to: 'SYSTEM'
|
005CC4CE BA10C65C00 mov edx, $005CC610
005CC4D3 A1F4D85E00 mov eax, dword ptr [$005ED8F4]
005CC4D8 8B30 mov esi, [eax]
005CC4DA FF5610 call dword ptr [esi+$10]
005CC4DD 8BD0 mov edx, eax
005CC4DF 80F201 xor dl, $01
* Reference to control N_settime : N.A.
|
005CC4E2 8B8390030000 mov eax, [ebx+$0390]
* Reference to: Menus.TMenuItem.SetChecked(TMenuItem;Boolean);
|
005CC4E8 E83779E9FF call 00463E24
* Reference to control N_Button : N.A.
|
005CC4ED 8B8394030000 mov eax, [ebx+$0394]
005CC4F3 8B10 mov edx, [eax]
005CC4F5 FF5244 call dword ptr [edx+$44]
* Reference to control N_settime : N.A.
|
005CC4F8 8B8390030000 mov eax, [ebx+$0390]
005CC4FE 8B10 mov edx, [eax]
005CC500 FF5244 call dword ptr [edx+$44]
* Reference to : TfrmMain._PROC_005CAB74()
005CC503 E86CE6FFFF call 005CAB74
// The call to 005CAB74 handles reading the registration information
005CC508 84C0 test al, al
005CC50A 7463 jz 005CC56F
005CC50C 33D2 xor edx, edx
* Reference to control N_HowReg : N.A.
|
005CC50E 8B832C030000 mov eax, [ebx+$032C]
* Reference to: Menus.TMenuItem.SetVisible(TMenuItem;Boolean);
|
005CC514 E87B7AE9FF call 00463F94
005CC519 33D2 xor edx, edx
* Reference to control N_reg : N.A.
|
005CC51B 8B8328030000 mov eax, [ebx+$0328]
* Reference to: Menus.TMenuItem.SetVisible(TMenuItem;Boolean);
|
005CC521 E86E7AE9FF call 00463F94
005CC526 A1FCD85E00 mov eax, dword ptr [$005ED8FC]
005CC52B 0580000000 add eax, +$00000080
* Reference to: System.@LStrClr(void;void);
|
005CC530 E8BF86E3FF call 00404BF4
* Reference to control label_true : N.A.
|
005CC535 8B8300040000 mov eax, [ebx+$0400]
005CC53B 0580000000 add eax, +$00000080
* Reference to: System.@LStrClr(void;void);
|
005CC540 E8AF86E3FF call 00404BF4
* Reference to control Label_false : N.A.
|
005CC545 8B8304040000 mov eax, [ebx+$0404]
005CC54B 0580000000 add eax, +$00000080
* Reference to: System.@LStrClr(void;void);
|
005CC550 E89F86E3FF call 00404BF4
005CC555 33D2 xor edx, edx
* Reference to control lbl : N.A.
|
005CC557 8B8354030000 mov eax, [ebx+$0354]
* Reference to: Controls.TControl.SetShowHint(TControl;Boolean);
|
005CC55D E87A51E8FF call 004516DC
005CC562 33D2 xor edx, edx
* Reference to control lbl1 : N.A.
|
005CC564 8B8384030000 mov eax, [ebx+$0384]
* Reference to: Controls.TControl.SetShowHint(TControl;Boolean);
|
005CC56A E86D51E8FF call 004516DC
005CC56F 33D2 xor edx, edx
* Reference to control GIFAnimator : N.A.
|
005CC571 8B83F8030000 mov eax, [ebx+$03F8]
* Reference to: Controls.TControl.SetTop(TControl;Integer);
|
005CC577 E8A447E8FF call 00450D20
005CC57C 33D2 xor edx, edx
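\\ The call above sets the TOP value that places the GIF animation in the upper-left corner of the screen; if the call could be changed to SETVISIBLE, the GIF display could be removed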
* Reference to control GIFAnimator : N.A.
|
005CC57E 8B83F8030000 mov eax, [ebx+$03F8]
* Reference to: Controls.TControl.SetLeft(TControl;Integer);
|
005CC584 E87347E8FF call 00450CFC
005CC589 33D2 xor edx, edx
005CC58B 8BC3 mov eax, ebx
\\ The call above sets the LEFT value that places the GIF animation in the upper-left corner of the screen
* Reference to : TfrmMain.Action_NextTimeExecute()
|
005CC58D E8E2180000 call 005CDE74
005CC592 33C0 xor eax, eax
005CC594 5A pop edx
005CC595 59 pop ecx
005CC596 59 pop ecx
005CC597 648910 mov fs:[eax], edx
****** FINALLY
|
005CC59A 68AFC55C00 push $005CC5AF
005CC59F 8D45FC lea eax, [ebp-$04]
* Reference to: System.@LStrClr(void;void);
|
005CC5A2 E84D86E3FF call 00404BF4
005CC5A7 C3 ret
* Reference to: System.@HandleFinally;
|
005CC5A8 E97F7FE3FF jmp 0040452C
005CC5AD EBF0 jmp 005CC59F
****** END
|
005CC5AF 5E pop esi
005CC5B0 5B pop ebx
005CC5B1 59 pop ecx
005CC5B2 5D pop ebp
005CC5B3 C3 ret
After following into the procedure just mentioned, this is what can be seen in DEDE:
005CAB74 A16C015E00 mov eax, dword ptr [$005E016C]
005CAB79 F72D70015E00 imul dword ptr [$005E0170]
|
005CAB7F E8E08AE3FF call 00403664
005CAB84 83F805 cmp eax, +$05
005CAB87 773D jnbe 005CABC6
005CAB89 FF248590AB5C00 jmp dword ptr [$5CAB90+eax*4]
005CAB90 C6AB5C00 DB 005CABC6
005CAB94 A8AB5C00 DB 005CABA8
005CAB98 AEAB5C00 DB 005CABAE
005CAB9C B4AB5C00 DB 005CABB4
005CABA0 BAAB5C00 DB 005CABBA
005CABA4 C0AB5C00 DB 005CABC0
|
005CABA8 E837F3F3FF call 00509EE4
005CABAD C3 ret
|
005CABAE E8C1F6F3FF call 0050A274
005CABB3 C3 ret
|
005CABB4 E8F3F4F3FF call 0050A0AC
005CABB9 C3 ret
|
005CABBA E87DF8F3FF call 0050A43C
005CABBF C3 ret
|
005CABC0 E807FCF3FF call 0050A7CC
005CABC5 C3 ret
|
005CABC6 E839FAF3FF call 0050A604
005CABCB C3 ret
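This is a group of procedures that do essentially the same thing: read the registry, then compute and compare the registration code. The code of one of them is listed below.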
0050A604 55 push ebp
0050A605 8BEC mov ebp, esp
0050A607 B904000000 mov ecx, $00000004
0050A60C 6A00 push $00
0050A60E 6A00 push $00
0050A610 49 dec ecx
0050A611 75F9 jnz 0050A60C
0050A613 51 push ecx
0050A614 53 push ebx
0050A615 56 push esi
0050A616 33C0 xor eax, eax
0050A618 55 push ebp
* Possible String Reference to: '楫濓 |
|