- UID
- 63937
注册时间2009-12-2
阅读权限10
最后登录1970-1-1
周游历练
TA的每日心情 | 开心
2023-8-23 14:44 |
|---|
签到天数: 1 天 [LV.1]初来乍到
|
启动软件 发现没有出错对话框. 只有一个简单的红色字符提示:
Invalid registration name or code.
查字符串找不到, 于是启动N大秘籍(膜拜一下) 点内存视图(M)按钮
然后再UNICODE中输入字符串:Invalid registration name or code.
搜到之后, 我是在字符串的开头下的内存访问断点. 然后重新点注册
按钮进行注册, 中断后观察栈窗口, 发现如下信息:
0012EEA0 7C80F9ED RETURN to kernel32.GetPrivateProfileStringW
0012EEA4 001D26D0 UNICODE "MeowCat"
0012EEA8 00211A58 UNICODE "Main"
0012EEAC /0012EEBC
0012EEB0 |770F4BC4 RETURN to oleaut32.770F4BC4 from oleaut32.SysAllocStringLen
0012EEB4 |0012EF10 UNICODE "Invalid registration name or code."
0012EEB8 |001639D0
0012EEBC \00ADAF3C UNICODE "MSG_REG_INVALID_DATA"
0012EEC0 00C566F9 RETURN to NLEnv.00C566F9 from oleaut32.SysAllocString
0012EEC4 0012EF10 UNICODE "Invalid registration name or code."
0012EEC8 F044C7D2
0012EECC 00000000
0012EED0 00ADAF3C UNICODE "MSG_REG_INVALID_DATA"
0012EED4 0012F410
0012EED8 001F66E0 UNICODE "C:\Documents and Settings\All Users\Application Data\Locktime\NetLimiter\2\Langs\nl_lang_en.ini"
0012EEDC 00211A58 UNICODE "Main"
0012EEE0 001E5DF8 UNICODE "C:\Documents and Settings\All Users\Application Data\Locktime\NetLimiter\2\Langs\nl_lang_"
0012EEE4 001CDFC8 UNICODE "C:\Documents and Settings\All Users\Application Data\Locktime\NetLimiter\2\Langs\nl_lang_en"
0012EEE8 0024F9C0 UNICODE "en"
0012EEEC 00AD73C0 UNICODE "DEF_STR"
根据上面可以发现此处的红色文字信息是从资源文件中调用出来的, 因此打开资源文件观察可以发现:
....省略....
MSG_REG_INVALID_DATA=Invalid registration name or code.
....省略....
所以判断出来资源的访问方式是通过读取前面的MSG_REG_INVALID_DATA键来读取文件中的值.
因此通过这里可以找到突破口, 浏览一下资源文件, 然后找REG相关的键
MSG_REG_TO=Registered to %reg_name%
MSG_REG_EXPIRATION_DATE=Your registration will expire on %reg_date%
MSG_REG_DAYS_LEFT=%reg_days% Days Left
MSG_REG_EXPIRED=Your registration expired
然后通过栈窗口返回到最近到返回地址,根据eip来找一下模块,
Executable modules, item 1
Base=00A80000
Size=0008C000 (573440.)
Entry=00ABEE6A NLHxClie.<ModuleEntryPoint>
Name=NLHxClie
File version=1.0.15.1
Path=C:\Program Files\NetLimiter 2 Pro\NLHxClient.dll
发现是在: NLHxClient.dll文件中的
然后把NLHxClient.dll用OD加载一下, 发现NLHxClient.dll就是用来读取字符串信息的.
然后根据些提示就可以找到软件验证的关键点. 爆破一下.
00AA590D /0F84 CE010000 JE NLHxClie.00AA5AE1
改成jmp
00AA5913 |66:3945 70 CMP WORD PTR SS:[EBP+70],AX
00AA5917 |0F84 C4010000 JE NLHxClie.00AA5AE1
00AA591D |8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5920 |E8 FBD9FDFF CALL NLHxClie.00A83320
00AA5925 |8D4D 30 LEA ECX,DWORD PTR SS:[EBP+30]
00AA5928 |E8 F3D9FDFF CALL NLHxClie.00A83320
00AA592D |837D 38 00 CMP DWORD PTR SS:[EBP+38],0
00AA5931 |B3 2F MOV BL,2F
00AA5933 |885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5936 |68 9CABAD00 PUSH NLHxClie.00ADAB9C ; UNICODE "<DIV class='regInfo'>"
00AA593B |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA593E |0F84 D6000000 JE NLHxClie.00AA5A1A
00AA5944 |E8 A755FEFF CALL NLHxClie.00A8AEF0
00AA5949 |8B75 50 MOV ESI,DWORD PTR SS:[EBP+50]
00AA594C |68 78ABAD00 PUSH NLHxClie.00ADAB78 ; UNICODE "MSG_TRIAL_PERIOD"
00AA5951 |8D4D 58 LEA ECX,DWORD PTR SS:[EBP+58]
00AA5954 |83C6 78 ADD ESI,78
00AA5957 |51 PUSH ECX
00AA5958 |8BCE MOV ECX,ESI
00AA595A |E8 A161FEFF CALL NLHxClie.00A8BB00
00AA595F |50 PUSH EAX
00AA5960 |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5963 |C645 FC 30 MOV BYTE PTR SS:[EBP-4],30
00AA5967 |E8 9452FEFF CALL NLHxClie.00A8AC00
00AA596C |8D4D 58 LEA ECX,DWORD PTR SS:[EBP+58]
00AA596F |885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5972 |E8 C9D9FDFF CALL NLHxClie.00A83340
00AA5977 |68 D074AD00 PUSH NLHxClie.00AD74D0 ; UNICODE "</DIV>"
00AA597C |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA597F |E8 6C55FEFF CALL NLHxClie.00A8AEF0
00AA5984 |68 54ABAD00 PUSH NLHxClie.00ADAB54 ; UNICODE "MSG_REG_DAYS_LEFT"
00AA5989 |8D55 58 LEA EDX,DWORD PTR SS:[EBP+58]
00AA598C |52 PUSH EDX
00AA598D |8BCE MOV ECX,ESI
00AA598F |E8 6C61FEFF CALL NLHxClie.00A8BB00
00AA5994 |50 PUSH EAX
00AA5995 |8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5998 |C645 FC 31 MOV BYTE PTR SS:[EBP-4],31
00AA599C |E8 9FF4FDFF CALL NLHxClie.00A84E40
00AA59A1 |8D4D 58 LEA ECX,DWORD PTR SS:[EBP+58]
00AA59A4 |885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA59A7 |E8 94D9FDFF CALL NLHxClie.00A83340
00AA59AC |8B45 38 MOV EAX,DWORD PTR SS:[EBP+38]
00AA59AF |50 PUSH EAX
00AA59B0 |8D4D 30 LEA ECX,DWORD PTR SS:[EBP+30]
00AA59B3 |68 4CABAD00 PUSH NLHxClie.00ADAB4C ; UNICODE "%u"
00AA59B8 |51 PUSH ECX
00AA59B9 |E8 3249FEFF CALL NLHxClie.00A8A2F0
00AA59BE |8B55 30 MOV EDX,DWORD PTR SS:[EBP+30]
00AA59C1 |83C4 0C ADD ESP,0C
00AA59C4 |52 PUSH EDX
00AA59C5 |68 34ABAD00 PUSH NLHxClie.00ADAB34 ; UNICODE "%reg_days%"
00AA59CA |8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA59CD |E8 BE7CFEFF CALL NLHxClie.00A8D690
00AA59D2 |8D45 4C LEA EAX,DWORD PTR SS:[EBP+4C]
00AA59D5 |50 PUSH EAX
00AA59D6 |8D4D 44 LEA ECX,DWORD PTR SS:[EBP+44]
00AA59D9 |68 00ABAD00 PUSH NLHxClie.00ADAB00 ; UNICODE "<DIV class='infoBox'><h1>"
00AA59DE |51 PUSH ECX
00AA59DF |E8 4C80FEFF CALL NLHxClie.00A8DA30
00AA59E4 |83C4 0C ADD ESP,0C
00AA59E7 |68 E8AAAD00 PUSH NLHxClie.00ADAAE8 ; UNICODE "</h1></DIV>"
00AA59EC |50 PUSH EAX
00AA59ED |8D55 58 LEA EDX,DWORD PTR SS:[EBP+58]
00AA59F0 |52 PUSH EDX
00AA59F1 |C645 FC 32 MOV BYTE PTR SS:[EBP-4],32
00AA59F5 |E8 C631FFFF CALL NLHxClie.00A98BC0
00AA59FA |83C4 0C ADD ESP,0C
00AA59FD |50 PUSH EAX
00AA59FE |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5A01 |C645 FC 33 MOV BYTE PTR SS:[EBP-4],33
00AA5A05 |E8 F651FEFF CALL NLHxClie.00A8AC00
00AA5A0A |8D4D 58 LEA ECX,DWORD PTR SS:[EBP+58]
00AA5A0D |E8 2ED9FDFF CALL NLHxClie.00A83340
00AA5A12 |8D4D 44 LEA ECX,DWORD PTR SS:[EBP+44]
00AA5A15 |E9 9C000000 JMP NLHxClie.00AA5AB6
00AA5A1A |E8 D154FEFF CALL NLHxClie.00A8AEF0
00AA5A1F |8B75 50 MOV ESI,DWORD PTR SS:[EBP+50]
00AA5A22 |68 CCAAAD00 PUSH NLHxClie.00ADAACC ; UNICODE "MSG_REGISTER"
00AA5A27 |8D45 58 LEA EAX,DWORD PTR SS:[EBP+58]
00AA5A2A |83C6 78 ADD ESI,78
00AA5A2D |50 PUSH EAX
00AA5A2E |8BCE MOV ECX,ESI
00AA5A30 |E8 CB60FEFF CALL NLHxClie.00A8BB00
00AA5A35 |50 PUSH EAX
00AA5A36 |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5A39 |C645 FC 34 MOV BYTE PTR SS:[EBP-4],34
00AA5A3D |E8 BE51FEFF CALL NLHxClie.00A8AC00
00AA5A42 |8D4D 58 LEA ECX,DWORD PTR SS:[EBP+58]
00AA5A45 |885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5A48 |E8 F3D8FDFF CALL NLHxClie.00A83340
00AA5A4D |68 D074AD00 PUSH NLHxClie.00AD74D0 ; UNICODE "</DIV>"
00AA5A52 |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5A55 |E8 9654FEFF CALL NLHxClie.00A8AEF0
00AA5A5A |68 B48EAD00 PUSH NLHxClie.00AD8EB4 ; UNICODE "MSG_END_OF_TRIAL"
00AA5A5F |8D4D 54 LEA ECX,DWORD PTR SS:[EBP+54]
00AA5A62 |51 PUSH ECX
00AA5A63 |8BCE MOV ECX,ESI
00AA5A65 |E8 9660FEFF CALL NLHxClie.00A8BB00
00AA5A6A |50 PUSH EAX
00AA5A6B |8D55 44 LEA EDX,DWORD PTR SS:[EBP+44]
00AA5A6E |68 94AAAD00 PUSH NLHxClie.00ADAA94 ; UNICODE "<DIV class='alertBox'><h1>"
00AA5A73 |52 PUSH EDX
00AA5A74 |C645 FC 35 MOV BYTE PTR SS:[EBP-4],35
00AA5A78 |E8 B37FFEFF CALL NLHxClie.00A8DA30
00AA5A7D |83C4 0C ADD ESP,0C
00AA5A80 |68 E8AAAD00 PUSH NLHxClie.00ADAAE8 ; UNICODE "</h1></DIV>"
00AA5A85 |50 PUSH EAX
00AA5A86 |8D45 58 LEA EAX,DWORD PTR SS:[EBP+58]
00AA5A89 |50 PUSH EAX
00AA5A8A |C645 FC 36 MOV BYTE PTR SS:[EBP-4],36
00AA5A8E |E8 2D31FFFF CALL NLHxClie.00A98BC0
00AA5A93 |83C4 0C ADD ESP,0C
00AA5A96 |50 PUSH EAX
00AA5A97 |8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5A9A |C645 FC 37 MOV BYTE PTR SS:[EBP-4],37
00AA5A9E |E8 5D51FEFF CALL NLHxClie.00A8AC00
00AA5AA3 |8D4D 58 LEA ECX,DWORD PTR SS:[EBP+58]
00AA5AA6 |E8 95D8FDFF CALL NLHxClie.00A83340
00AA5AAB |8D4D 44 LEA ECX,DWORD PTR SS:[EBP+44]
00AA5AAE |E8 8DD8FDFF CALL NLHxClie.00A83340
00AA5AB3 |8D4D 54 LEA ECX,DWORD PTR SS:[EBP+54]
00AA5AB6 |E8 85D8FDFF CALL NLHxClie.00A83340
00AA5ABB |B8 01000000 MOV EAX,1
00AA5AC0 |8D4D 30 LEA ECX,DWORD PTR SS:[EBP+30]
00AA5AC3 |8945 44 MOV DWORD PTR SS:[EBP+44],EAX
00AA5AC6 |8945 58 MOV DWORD PTR SS:[EBP+58],EAX
00AA5AC9 |E8 72D8FDFF CALL NLHxClie.00A83340
00AA5ACE |8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5AD1 |E8 6AD8FDFF CALL NLHxClie.00A83340
00AA5AD6 |8B35 8C62AD00 MOV ESI,DWORD PTR DS:[<&OLEAUT32.#SysFre>; oleaut32.SysFreeString
00AA5ADC |E9 67040000 JMP NLHxClie.00AA5F48
00AA5AE1 \68 88AAAD00 PUSH NLHxClie.00ADAA88 ; UNICODE "<ul>"
00AA5AE6 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5AE9 E8 0254FEFF CALL NLHxClie.00A8AEF0
00AA5AEE 8B75 50 MOV ESI,DWORD PTR SS:[EBP+50]
00AA5AF1 68 70AAAD00 PUSH NLHxClie.00ADAA70 ; UNICODE "MSG_REG_TO"
00AA5AF6 8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5AF9 83C6 78 ADD ESI,78
00AA5AFC 51 PUSH ECX
00AA5AFD 8BCE MOV ECX,ESI
00AA5AFF E8 FC5FFEFF CALL NLHxClie.00A8BB00
00AA5B04 8B55 3C MOV EDX,DWORD PTR SS:[EBP+3C]
00AA5B07 52 PUSH EDX
00AA5B08 8D45 40 LEA EAX,DWORD PTR SS:[EBP+40]
00AA5B0B 68 30AAAD00 PUSH NLHxClie.00ADAA30 ; UNICODE "<span class='regname'>%s</span>"
00AA5B10 50 PUSH EAX
00AA5B11 C645 FC 19 MOV BYTE PTR SS:[EBP-4],19
00AA5B15 E8 D647FEFF CALL NLHxClie.00A8A2F0
00AA5B1A 8B4D 40 MOV ECX,DWORD PTR SS:[EBP+40]
00AA5B1D 83C4 0C ADD ESP,0C
00AA5B20 51 PUSH ECX
00AA5B21 68 18AAAD00 PUSH NLHxClie.00ADAA18 ; UNICODE "%reg_name%"
00AA5B26 8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5B29 E8 627BFEFF CALL NLHxClie.00A8D690
00AA5B2E 8D55 4C LEA EDX,DWORD PTR SS:[EBP+4C]
00AA5B31 52 PUSH EDX
00AA5B32 8D45 60 LEA EAX,DWORD PTR SS:[EBP+60]
00AA5B35 68 0CAAAD00 PUSH NLHxClie.00ADAA0C ; UNICODE "<li>"
00AA5B3A 50 PUSH EAX
00AA5B3B E8 F07EFEFF CALL NLHxClie.00A8DA30
00AA5B40 83C4 0C ADD ESP,0C
00AA5B43 68 00AAAD00 PUSH NLHxClie.00ADAA00 ; UNICODE "</li>"
00AA5B48 50 PUSH EAX
00AA5B49 8D4D 54 LEA ECX,DWORD PTR SS:[EBP+54]
00AA5B4C B3 1A MOV BL,1A
00AA5B4E 51 PUSH ECX
00AA5B4F 885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5B52 E8 6930FFFF CALL NLHxClie.00A98BC0
00AA5B57 83C4 0C ADD ESP,0C
00AA5B5A 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AA5B5C 8B48 F4 MOV ECX,DWORD PTR DS:[EAX-C]
00AA5B5F 51 PUSH ECX
00AA5B60 50 PUSH EAX
00AA5B61 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5B64 C645 FC 1B MOV BYTE PTR SS:[EBP-4],1B
00AA5B68 E8 F3E3FDFF CALL NLHxClie.00A83F60
00AA5B6D 8B45 54 MOV EAX,DWORD PTR SS:[EBP+54]
00AA5B70 83C0 F0 ADD EAX,-10
00AA5B73 885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5B76 8D50 0C LEA EDX,DWORD PTR DS:[EAX+C]
00AA5B79 83C9 FF OR ECX,FFFFFFFF
00AA5B7C F0:0FC10A LOCK XADD DWORD PTR DS:[EDX],ECX ; LOCK prefix
00AA5B80 49 DEC ECX
00AA5B81 85C9 TEST ECX,ECX
00AA5B83 7F 0A JG SHORT NLHxClie.00AA5B8F
00AA5B85 8B08 MOV ECX,DWORD PTR DS:[EAX]
00AA5B87 8B11 MOV EDX,DWORD PTR DS:[ECX]
00AA5B89 50 PUSH EAX
00AA5B8A 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
00AA5B8D FFD0 CALL EAX
00AA5B8F 8B45 60 MOV EAX,DWORD PTR SS:[EBP+60]
00AA5B92 83C0 F0 ADD EAX,-10
00AA5B95 C645 FC 19 MOV BYTE PTR SS:[EBP-4],19
00AA5B99 8D48 0C LEA ECX,DWORD PTR DS:[EAX+C]
00AA5B9C 83CA FF OR EDX,FFFFFFFF
00AA5B9F F0:0FC111 LOCK XADD DWORD PTR DS:[ECX],EDX ; LOCK prefix
00AA5BA3 4A DEC EDX
00AA5BA4 85D2 TEST EDX,EDX
00AA5BA6 7F 0A JG SHORT NLHxClie.00AA5BB2
00AA5BA8 8B08 MOV ECX,DWORD PTR DS:[EAX]
00AA5BAA 8B11 MOV EDX,DWORD PTR DS:[ECX]
00AA5BAC 50 PUSH EAX
00AA5BAD 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
00AA5BB0 FFD0 CALL EAX
00AA5BB2 66:837D 70 FF CMP WORD PTR SS:[EBP+70],0FFFF
00AA5BB7 0F85 9B000000 JNZ NLHxClie.00AA5C58
改成jmp
00AA5BBD 68 D0A9AD00 PUSH NLHxClie.00ADA9D0 ; UNICODE "MSG_REG_EXPIRATION_DATE"
00AA5BC2 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5BC5 51 PUSH ECX
00AA5BC6 8BCE MOV ECX,ESI
00AA5BC8 E8 335FFEFF CALL NLHxClie.00A8BB00
00AA5BCD 50 PUSH EAX
00AA5BCE 8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5BD1 C645 FC 1C MOV BYTE PTR SS:[EBP-4],1C
00AA5BD5 E8 66F2FDFF CALL NLHxClie.00A84E40
00AA5BDA 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5BDD C645 FC 19 MOV BYTE PTR SS:[EBP-4],19
00AA5BE1 E8 5AD7FDFF CALL NLHxClie.00A83340
00AA5BE6 8B55 24 MOV EDX,DWORD PTR SS:[EBP+24]
00AA5BE9 52 PUSH EDX
00AA5BEA 8D45 40 LEA EAX,DWORD PTR SS:[EBP+40]
00AA5BED 68 90A9AD00 PUSH NLHxClie.00ADA990 ; UNICODE "<SPAN class='expdate'>%s</SPAN>"
00AA5BF2 50 PUSH EAX
00AA5BF3 E8 F846FEFF CALL NLHxClie.00A8A2F0
00AA5BF8 8B4D 40 MOV ECX,DWORD PTR SS:[EBP+40]
00AA5BFB 83C4 0C ADD ESP,0C
00AA5BFE 51 PUSH ECX
00AA5BFF 68 78A9AD00 PUSH NLHxClie.00ADA978 ; UNICODE "%reg_date%"
00AA5C04 8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5C07 E8 847AFEFF CALL NLHxClie.00A8D690
00AA5C0C 8D55 4C LEA EDX,DWORD PTR SS:[EBP+4C]
00AA5C0F 52 PUSH EDX
00AA5C10 8D45 54 LEA EAX,DWORD PTR SS:[EBP+54]
00AA5C13 68 0CAAAD00 PUSH NLHxClie.00ADAA0C ; UNICODE "<li>"
00AA5C18 50 PUSH EAX
00AA5C19 E8 127EFEFF CALL NLHxClie.00A8DA30
00AA5C1E 83C4 0C ADD ESP,0C
00AA5C21 68 00AAAD00 PUSH NLHxClie.00ADAA00 ; UNICODE "</li>"
00AA5C26 50 PUSH EAX
00AA5C27 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5C2A 51 PUSH ECX
00AA5C2B C645 FC 1D MOV BYTE PTR SS:[EBP-4],1D
00AA5C2F E8 8C2FFFFF CALL NLHxClie.00A98BC0
00AA5C34 83C4 0C ADD ESP,0C
00AA5C37 50 PUSH EAX
00AA5C38 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5C3B C645 FC 1E MOV BYTE PTR SS:[EBP-4],1E
00AA5C3F E8 BC4FFEFF CALL NLHxClie.00A8AC00
00AA5C44 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5C47 E8 F4D6FDFF CALL NLHxClie.00A83340
00AA5C4C 8D4D 54 LEA ECX,DWORD PTR SS:[EBP+54]
00AA5C4F C645 FC 19 MOV BYTE PTR SS:[EBP-4],19
00AA5C53 E8 E8D6FDFF CALL NLHxClie.00A83340
00AA5C58 68 0CAAAD00 PUSH NLHxClie.00ADAA0C ; UNICODE "<li>"
00AA5C5D 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5C60 E8 8B52FEFF CALL NLHxClie.00A8AEF0
00AA5C65 C745 00 0000000>MOV DWORD PTR SS:[EBP],0
00AA5C6C 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
00AA5C6F 8B17 MOV EDX,DWORD PTR DS:[EDI]
00AA5C71 8B8A 24010000 MOV ECX,DWORD PTR DS:[EDX+124]
00AA5C77 8D45 30 LEA EAX,DWORD PTR SS:[EBP+30]
00AA5C7A 50 PUSH EAX
00AA5C7B B3 1F MOV BL,1F
00AA5C7D 57 PUSH EDI
00AA5C7E 885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5C81 FFD1 CALL ECX
00AA5C83 8B17 MOV EDX,DWORD PTR DS:[EDI]
00AA5C85 8B8A B0000000 MOV ECX,DWORD PTR DS:[EDX+B0]
00AA5C8B 8D45 5C LEA EAX,DWORD PTR SS:[EBP+5C]
00AA5C8E 50 PUSH EAX
00AA5C8F 57 PUSH EDI
00AA5C90 FFD1 CALL ECX
00AA5C92 8B45 5C MOV EAX,DWORD PTR SS:[EBP+5C]
00AA5C95 85C0 TEST EAX,EAX
00AA5C97 0F85 9F000000 JNZ NLHxClie.00AA5D3C
改成jmp 这里应该是判断授权类型的
00AA5C9D 837D 30 02 CMP DWORD PTR SS:[EBP+30],2
00AA5CA1 8BCE MOV ECX,ESI
00AA5CA3 73 17 JNB SHORT NLHxClie.00AA5CBC
00AA5CA5 68 58A9AD00 PUSH NLHxClie.00ADA958 ; UNICODE "LICENSE_SINGLE"
00AA5CAA 8D55 60 LEA EDX,DWORD PTR SS:[EBP+60]
00AA5CAD 52 PUSH EDX
00AA5CAE E8 4D5EFEFF CALL NLHxClie.00A8BB00
00AA5CB3 C645 FC 20 MOV BYTE PTR SS:[EBP-4],20
00AA5CB7 E9 B4000000 JMP NLHxClie.00AA5D70
00AA5CBC 68 3CA9AD00 PUSH NLHxClie.00ADA93C ; UNICODE "LICENSE_MULTI"
00AA5CC1 8D45 60 LEA EAX,DWORD PTR SS:[EBP+60]
00AA5CC4 50 PUSH EAX
00AA5CC5 E8 365EFEFF CALL NLHxClie.00A8BB00
00AA5CCA 50 PUSH EAX
00AA5CCB 8D4D 40 LEA ECX,DWORD PTR SS:[EBP+40]
00AA5CCE C645 FC 21 MOV BYTE PTR SS:[EBP-4],21
00AA5CD2 E8 69F1FDFF CALL NLHxClie.00A84E40
00AA5CD7 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5CDA E8 61D6FDFF CALL NLHxClie.00A83340
00AA5CDF 8B4D 30 MOV ECX,DWORD PTR SS:[EBP+30]
00AA5CE2 66:C745 E0 1300 MOV WORD PTR SS:[EBP-20],13
00AA5CE8 894D E8 MOV DWORD PTR SS:[EBP-18],ECX
00AA5CEB 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00AA5CEE 52 PUSH EDX
00AA5CEF 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5CF2 C645 FC 22 MOV BYTE PTR SS:[EBP-4],22
00AA5CF6 E8 857CFEFF CALL NLHxClie.00A8D980
00AA5CFB 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AA5CFD 85C0 TEST EAX,EAX
00AA5CFF C645 FC 23 MOV BYTE PTR SS:[EBP-4],23
00AA5D03 74 04 JE SHORT NLHxClie.00AA5D09
00AA5D05 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AA5D07 EB 02 JMP SHORT NLHxClie.00AA5D0B
00AA5D09 33C0 XOR EAX,EAX
00AA5D0B 50 PUSH EAX
00AA5D0C 68 30A9AD00 PUSH NLHxClie.00ADA930 ; UNICODE "%qty%"
00AA5D11 8D4D 40 LEA ECX,DWORD PTR SS:[EBP+40]
00AA5D14 E8 7779FEFF CALL NLHxClie.00A8D690
00AA5D19 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5D1C E8 DFE0FDFF CALL NLHxClie.00A83E00
00AA5D21 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00AA5D24 50 PUSH EAX
00AA5D25 885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5D28 FF15 5062AD00 CALL DWORD PTR DS:[<&OLEAUT32.#VariantCl>; oleaut32.VariantClear
00AA5D2E 8D4D 40 LEA ECX,DWORD PTR SS:[EBP+40]
00AA5D31 51 PUSH ECX
00AA5D32 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5D35 E8 C64EFEFF CALL NLHxClie.00A8AC00
00AA5D3A EB 48 JMP SHORT NLHxClie.00AA5D84
00AA5D3C 83F8 01 CMP EAX,1
00AA5D3F 75 16 JNZ SHORT NLHxClie.00AA5D57
改成JMP 为了让他成为Enterprise版本
00AA5D41 68 14A9AD00 PUSH NLHxClie.00ADA914 ; UNICODE "LICENSE_SITE"
00AA5D46 8D55 60 LEA EDX,DWORD PTR SS:[EBP+60]
00AA5D49 52 PUSH EDX
00AA5D4A 8BCE MOV ECX,ESI
00AA5D4C E8 AF5DFEFF CALL NLHxClie.00A8BB00
00AA5D51 C645 FC 24 MOV BYTE PTR SS:[EBP-4],24
00AA5D55 EB 19 JMP SHORT NLHxClie.00AA5D70
00AA5D57 83F8 02 CMP EAX,2
00AA5D5A 75 28 JNZ SHORT NLHxClie.00AA5D84
改成NOP 成为Enterprise版本
00AA5D5C 68 ECA8AD00 PUSH NLHxClie.00ADA8EC ; UNICODE "LICENSE_ENTERPRICE"
00AA5D61 8D45 60 LEA EAX,DWORD PTR SS:[EBP+60]
00AA5D64 50 PUSH EAX
00AA5D65 8BCE MOV ECX,ESI
00AA5D67 E8 945DFEFF CALL NLHxClie.00A8BB00
00AA5D6C C645 FC 25 MOV BYTE PTR SS:[EBP-4],25
00AA5D70 50 PUSH EAX
00AA5D71 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5D74 E8 874EFEFF CALL NLHxClie.00A8AC00
00AA5D79 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5D7C 885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5D7F E8 BCD5FDFF CALL NLHxClie.00A83340
00AA5D84 68 E0A8AD00 PUSH NLHxClie.00ADA8E0 ; UNICODE "</ul>"
00AA5D89 8D4D 64 LEA ECX,DWORD PTR SS:[EBP+64]
00AA5D8C E8 5F51FEFF CALL NLHxClie.00A8AEF0
00AA5D91 83CF FF OR EDI,FFFFFFFF
00AA5D94 66:397D 74 CMP WORD PTR SS:[EBP+74],DI
00AA5D98 0F85 D2000000 JNZ NLHxClie.00AA5E70
改NOP
00AA5D9E 66:397D 70 CMP WORD PTR SS:[EBP+70],DI
00AA5DA2 75 50 JNZ SHORT NLHxClie.00AA5DF4
改JMP
00AA5DA4 68 54ABAD00 PUSH NLHxClie.00ADAB54 ; UNICODE "MSG_REG_DAYS_LEFT"
00AA5DA9 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5DAC 51 PUSH ECX
00AA5DAD 8BCE MOV ECX,ESI
00AA5DAF E8 4C5DFEFF CALL NLHxClie.00A8BB00
00AA5DB4 50 PUSH EAX
00AA5DB5 8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5DB8 C645 FC 26 MOV BYTE PTR SS:[EBP-4],26
00AA5DBC E8 7FF0FDFF CALL NLHxClie.00A84E40
00AA5DC1 8D4D 60 LEA ECX,DWORD PTR SS:[EBP+60]
00AA5DC4 885D FC MOV BYTE PTR SS:[EBP-4],BL
00AA5DC7 E8 74D5FDFF CALL NLHxClie.00A83340
00AA5DCC 8B55 48 MOV EDX,DWORD PTR SS:[EBP+48]
00AA5DCF 52 PUSH EDX
00AA5DD0 8D45 40 LEA EAX,DWORD PTR SS:[EBP+40]
00AA5DD3 68 4CABAD00 PUSH NLHxClie.00ADAB4C ; UNICODE "%u"
00AA5DD8 50 PUSH EAX
00AA5DD9 E8 1245FEFF CALL NLHxClie.00A8A2F0
00AA5DDE 8B4D 40 MOV ECX,DWORD PTR SS:[EBP+40]
00AA5DE1 83C4 0C ADD ESP,0C
00AA5DE4 51 PUSH ECX
00AA5DE5 68 34ABAD00 PUSH NLHxClie.00ADAB34 ; UNICODE "%reg_days%"
00AA5DEA 8D4D 4C LEA ECX,DWORD PTR SS:[EBP+4C]
00AA5DED E8 9E78FEFF CALL NLHxClie.00A8D690
00AA5DF2 EB 28 JMP SHORT NLHxClie.00AA5E1C
00AA5DF4 68 BCA8AD00 PUSH NLHxClie.00ADA8BC ; UNICODE "MSG_NO_EXPIRATION"
这样改下来, 就成为了正式版了, 查看about的时候, 会发现只有 Registered to 信息
并没有显示授权人是谁, 所以来改一下资源文件
MSG_REG_TO=Registered to MeowCat
保存修改后的DLL 重启软件发现已经注册成功了.
这个是本菜鸟第一次发破解的帖子, 感谢N大的耐心指导,同时向N大孜孜不倦的求知态度和严谨高超的技术学习!
同时感谢PYG提供这样一个交流平台, 希望可以从这里学到更多的知识.
[ 本帖最后由 MeowCat 于 2010-4-18 22:30 编辑 ] |
评分
-
查看全部评分
|
IP卡
发表于 2010-4-18 22:29:27
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2010-4-18 22:33:17
发表于 2010-11-15 10:50:12