[原创]开心小闹钟2.7注册流程分析
发表于: 2005-1-27 09:25 3369
标题:开心小闹钟2.7注册流程分析
作者:jney2
日期:2005.1.26
声明:个人学习,交流经验,找出软件的软肋,希望作者在下一版本中有所改进!
观念:喜欢分析注册流程,极少算法分析。
工具:Ollydbg1.1 W32Dasm9b
平台:WinXP
软件作者言:开心小闹钟由 2.7 Build 0107版开始正式转变为共享版,注册费26人民币/1台机。谢谢您的支持!
软件是ASPack 2.12的壳,用stripper脱之,Visual C++写的,用W32Dasm9b反汇编,利用exescope,可得到字符串ID号,对应如下:
103,程序需要关闭,以检查你的注册码是否正确,$0D$0A请你随后运行程序,注册成功以后,将不再显示该注册框!
104,该软件已过试用期,请注册。
105,注册码输入有误,请重新输入!
106,您的试用期还有 10 天。
在W32Dasm9b搜索“提示”,然后仔细观察,很容易找到:(当然在Ollydbg1.1中下提示信息的内存断点也很容易)
* Reference To: USER32.GetDlgItem, Ord:0111h
|
:004041A3 FF15AC534600 Call dword ptr [004653AC]
:004041A9 50 push eax
* Reference To: USER32.GetWindowTextLengthA, Ord:0178h
|
:004041AA FF15A0534600 Call dword ptr [004653A0]
:004041B0 85C0 test eax, eax
:004041B2 744C je 00404200 //如果输入为空,则跳走。
:004041B4 56 push esi
:004041B5 E8369D0000 call 0040DEF0 //注册码验证CALL,正确则写入注册表。
:004041BA 8B0D48654700 mov ecx, dword ptr [00476548]
:004041C0 83C404 add esp, 00000004
:004041C3 85C0 test eax, eax
:004041C5 8D442408 lea eax, dword ptr [esp+08]
:004041C9 6800010000 push 00000100
:004041CE 50 push eax
* Possible Reference to String Resource ID=00103: "? //显示:“程序需要关闭,以检查你的注册码是否正确,$0D$0A请你随后运行程序,注册成功以后,将不再显示该注册框!”
|
:004041CF 6A67 push 00000067
:004041D1 51 push ecx
* Reference To: USER32.LoadStringA, Ord:01CAh
//*********省略***********
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004041B2(C)
|
:00404200 8B0D48654700 mov ecx, dword ptr [00476548]
:00404206 8D442408 lea eax, dword ptr [esp+08]
:0040420A 6800010000 push 00000100
:0040420F 50 push eax
* Possible Reference to String Resource ID=00105: "?? ?魍?e!" //显示:“注册码输入有误,请重新输入!”
|
:00404210 6A69 push 00000069
:00404212 51 push ecx
* Reference To: USER32.LoadStringA, Ord:01CAh
//*********省略***********
//以下为注册码验证CALL,正确则写入注册表。
* Referenced by a CALL at Address:
|:004041B5
|
:0040DEF0 81EC18030000 sub esp, 00000318
:0040DEF6 53 push ebx
:0040DEF7 55 push ebp
:0040DEF8 56 push esi
:0040DEF9 57 push edi
:0040DEFA 6A00 push 00000000
:0040DEFC 6A64 push 00000064
:0040DEFE E88DF30400 call 0045D290
:0040DF03 6A00 push 00000000
:0040DF05 C7803402000010000000 mov dword ptr [ebx+00000234], 00000010
:0040DF0F E8ACF10400 call 0045D0C0
:0040DF14 6A00 push 00000000
:0040DF16 89442430 mov dword ptr [esp+30], eax
:0040DF1A E8A1F10400 call 0045D0C0
:0040DF1F 6A00 push 00000000
:0040DF21 89442438 mov dword ptr [esp+38], eax
:0040DF25 E896F10400 call 0045D0C0
:0040DF2A 6A00 push 00000000
:0040DF2C 89442434 mov dword ptr [esp+34], eax
:0040DF30 E88BF10400 call 0045D0C0
:0040DF35 8944242C mov dword ptr [esp+2C], eax
:0040DF39 B93F000000 mov ecx, 0000003F
:0040DF3E 33C0 xor eax, eax
:0040DF40 8D7C2441 lea edi, dword ptr [esp+41]
:0040DF44 C644244000 mov [esp+40], 00
:0040DF49 C684244001000000 mov byte ptr [esp+00000140], 00
:0040DF51 F3 repz
:0040DF52 AB stosd
:0040DF53 66AB stosw
:0040DF55 AA stosb
:0040DF56 B93F000000 mov ecx, 0000003F
:0040DF5B 33C0 xor eax, eax
:0040DF5D 8DBC2441010000 lea edi, dword ptr [esp+00000141]
:0040DF64 C684244002000000 mov byte ptr [esp+00000240], 00
:0040DF6C F3 repz
:0040DF6D AB stosd
:0040DF6E 66AB stosw
:0040DF70 AA stosb
:0040DF71 B93F000000 mov ecx, 0000003F
:0040DF76 33C0 xor eax, eax
:0040DF78 8DBC2441020000 lea edi, dword ptr [esp+00000241]
:0040DF7F 8BB42444030000 mov esi, dword ptr [esp+00000344]
:0040DF86 F3 repz
:0040DF87 AB stosd
:0040DF88 66AB stosw
:0040DF8A 83C418 add esp, 00000018
:0040DF8D AA stosb
* Reference To: USER32.GetDlgItem, Ord:0111h
|
:0040DF8E 8B3DAC534600 mov edi, dword ptr [004653AC]
:0040DF94 68C3040000 push 000004C3
:0040DF99 56 push esi
:0040DF9A FFD7 call edi
* Reference To: USER32.GetWindowTextLengthA, Ord:0178h
|
:0040DF9C 8B2DA0534600 mov ebp, dword ptr [004653A0]
:0040DFA2 50 push eax
:0040DFA3 FFD5 call ebp
:0040DFA5 40 inc eax
:0040DFA6 50 push eax
:0040DFA7 8D84242C010000 lea eax, dword ptr [esp+0000012C]
:0040DFAE 50 push eax
:0040DFAF 68C3040000 push 000004C3
:0040DFB4 56 push esi
:0040DFB5 FFD7 call edi
* Reference To: USER32.GetWindowTextA, Ord:0177h
|
:0040DFB7 8B1D9C534600 mov ebx, dword ptr [0046539C]
:0040DFBD 50 push eax
:0040DFBE FFD3 call ebx
:0040DFC0 68C4040000 push 000004C4
:0040DFC5 56 push esi
:0040DFC6 FFD7 call edi
:0040DFC8 50 push eax
:0040DFC9 FFD5 call ebp
:0040DFCB 8BE8 mov ebp, eax
:0040DFCD 8D542428 lea edx, dword ptr [esp+28]
:0040DFD1 8D4D01 lea ecx, dword ptr [ebp+01]
:0040DFD4 51 push ecx
:0040DFD5 52 push edx
:0040DFD6 68C4040000 push 000004C4
:0040DFDB 56 push esi
:0040DFDC FFD7 call edi
:0040DFDE 50 push eax
:0040DFDF FFD3 call ebx
:0040DFE1 33F6 xor esi, esi
:0040DFE3 85ED test ebp, ebp
:0040DFE5 89742410 mov dword ptr [esp+10], esi
:0040DFE9 7E1D jle 0040E008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E004(C)
|
:0040DFEB 0FBE443428 movsx eax, byte ptr [esp+esi+28]
:0040DFF0 50 push eax
:0040DFF1 E85C3A0400 call 00451A52
:0040DFF6 83C404 add esp, 00000004
:0040DFF9 85C0 test eax, eax
:0040DFFB 0F8495000000 je 0040E096
:0040E001 46 inc esi
:0040E002 3BF5 cmp esi, ebp
:0040E004 7CE5 jl 0040DFEB
:0040E006 85ED test ebp, ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DFE9(C)
|
:0040E008 0F8490000000 je 0040E09E
:0040E00E 8B742420 mov esi, dword ptr [esp+20]
:0040E012 8D4C2428 lea ecx, dword ptr [esp+28]
:0040E016 51 push ecx
:0040E017 56 push esi
:0040E018 E863110500 call 0045F180
:0040E01D 8B7C2424 mov edi, dword ptr [esp+24]
* Possible StringData Ref from Data Obj ->"963251DC5A9C90D9F203A03C363BA411"
|
:0040E021 68A8F84600 push 0046F8A8
:0040E026 57 push edi
:0040E027 E854110500 call 0045F180
:0040E02C 8B542424 mov edx, dword ptr [esp+24]
* Possible StringData Ref from Data Obj ->"10001"
|
:0040E030 68A0F84600 push 0046F8A0
:0040E035 52 push edx
:0040E036 E845110500 call 0045F180
:0040E03B 57 push edi
:0040E03C 56 push esi
:0040E03D E8CEFE0400 call 0045DF10
:0040E042 83C420 add esp, 00000020
:0040E045 83F8FF cmp eax, FFFFFFFF
:0040E048 754C jne 0040E096
:0040E04A 8B5C2424 mov ebx, dword ptr [esp+24]
:0040E04E 8B442414 mov eax, dword ptr [esp+14]
:0040E052 53 push ebx
:0040E053 57 push edi
:0040E054 50 push eax
:0040E055 56 push esi
:0040E056 E8A50E0500 call 0045EF00
:0040E05B 8D8C2438020000 lea ecx, dword ptr [esp+00000238]
:0040E062 6A00 push 00000000
:0040E064 51 push ecx
:0040E065 53 push ebx
:0040E066 6800010000 push 00000100
:0040E06B E890080500 call 0045E900
:0040E070 56 push esi
:0040E071 E8FAF80400 call 0045D970
:0040E076 53 push ebx
:0040E077 E8F4F80400 call 0045D970
:0040E07C 57 push edi
:0040E07D E8EEF80400 call 0045D970
:0040E082 8B542440 mov edx, dword ptr [esp+40]
:0040E086 52 push edx
:0040E087 E8E4F80400 call 0045D970
:0040E08C 83C430 add esp, 00000030
:0040E08F E8FCF80400 call 0045D990
:0040E094 EB08 jmp 0040E09E
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040DFFB(C), :0040E048(C)
|
:0040E096 C744241001000000 mov [esp+10], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040E008(C), :0040E094(U)
|
:0040E09E 8DB42428020000 lea esi, dword ptr [esp+00000228]
:0040E0A5 8D842428010000 lea eax, dword ptr [esp+00000128]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E0CE(C)
|
:0040E0AC 8A10 mov dl, byte ptr [eax]
:0040E0AE 8A1E mov bl, byte ptr [esi]
:0040E0B0 8ACA mov cl, dl
:0040E0B2 3AD3 cmp dl, bl
:0040E0B4 751E jne 0040E0D4
:0040E0B6 84C9 test cl, cl
:0040E0B8 7416 je 0040E0D0
:0040E0BA 8A5001 mov dl, byte ptr [eax+01]
:0040E0BD 8A5E01 mov bl, byte ptr [esi+01]
:0040E0C0 8ACA mov cl, dl
:0040E0C2 3AD3 cmp dl, bl
:0040E0C4 750E jne 0040E0D4
:0040E0C6 83C002 add eax, 00000002
:0040E0C9 83C602 add esi, 00000002
:0040E0CC 84C9 test cl, cl
:0040E0CE 75DC jne 0040E0AC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E0B8(C)
|
:0040E0D0 33C0 xor eax, eax
:0040E0D2 EB05 jmp 0040E0D9
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040E0B4(C), :0040E0C4(C)
|
:0040E0D4 1BC0 sbb eax, eax
:0040E0D6 83D8FF sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E0D2(U)
|
:0040E0D9 85C0 test eax, eax
:0040E0DB 7578 jne 0040E155
:0040E0DD 837C241001 cmp dword ptr [esp+10], 00000001
:0040E0E2 7471 je 0040E155
:0040E0E4 85ED test ebp, ebp
:0040E0E6 746D je 0040E155
:0040E0E8 8D442418 lea eax, dword ptr [esp+18]
:0040E0EC 50 push eax
* Possible StringData Ref from Data Obj ->"SOFTWARE\HappyClock\License"
|
:0040E0ED 6884F84600 push 0046F884
:0040E0F2 6802000080 push 80000002
* Reference To: ADVAPI32.RegCreateKeyA, Ord:01CCh
|
:0040E0F7 FF150C504600 Call dword ptr [0046500C]
:0040E0FD 8B542418 mov edx, dword ptr [esp+18]
* Reference To: ADVAPI32.RegSetValueExA, Ord:01F9h
|
:0040E101 8B3508504600 mov esi, dword ptr [00465008]
:0040E107 8D8C2428010000 lea ecx, dword ptr [esp+00000128]
:0040E10E 6800010000 push 00000100
:0040E113 51 push ecx
:0040E114 6A01 push 00000001
:0040E116 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"ID"
|
:0040E118 6880F84600 push 0046F880
:0040E11D 52 push edx
:0040E11E FFD6 call esi
:0040E120 8B4C2418 mov ecx, dword ptr [esp+18]
:0040E124 8D442428 lea eax, dword ptr [esp+28]
:0040E128 6800010000 push 00000100
:0040E12D 50 push eax
:0040E12E 6A01 push 00000001
:0040E130 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"SN"
|
:0040E132 687CF84600 push 0046F87C
:0040E137 51 push ecx
:0040E138 FFD6 call esi
:0040E13A 8B542418 mov edx, dword ptr [esp+18]
:0040E13E 52 push edx
* Reference To: ADVAPI32.RegCloseKey, Ord:01C9h
|
:0040E13F FF1510504600 Call dword ptr [00465010]
:0040E145 5F pop edi
:0040E146 5E pop esi
:0040E147 5D pop ebp
:0040E148 B801000000 mov eax, 00000001
:0040E14D 5B pop ebx
:0040E14E 81C418030000 add esp, 00000318
:0040E154 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040E0DB(C), :0040E0E2(C), :0040E0E6(C)
|
:0040E155 5F pop edi
:0040E156 5E pop esi
:0040E157 5D pop ebp
:0040E158 33C0 xor eax, eax
:0040E15A 5B pop ebx
:0040E15B 81C418030000 add esp, 00000318
:0040E161 C3 ret
我们可根据上面的字符串信息,很快找到紧接在下面的重启验证CALL。
* Referenced by a CALL at Address:
|:00401ACB
|
:0040E170 81EC18030000 sub esp, 00000318
//*********省略***********
:0040E203 8D442410 lea eax, dword ptr [esp+10]
:0040E207 C744241420000000 mov [esp+14], 00000020
:0040E20F 50 push eax
:0040E210 683F000F00 push 000F003F
:0040E215 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"SOFTWARE\HappyClock\License"
|
:0040E217 6884F84600 push 0046F884
:0040E21C 6802000080 push 80000002
* Reference To: ADVAPI32.RegOpenKeyExA, Ord:01E2h //打开注册表
|
:0040E221 FF1518504600 Call dword ptr [00465018]
:0040E227 8B442410 mov eax, dword ptr [esp+10]
* Reference To: ADVAPI32.RegQueryValueExA, Ord:01ECh
|
:0040E22B 8B3514504600 mov esi, dword ptr [00465014]
:0040E231 8D4C2414 lea ecx, dword ptr [esp+14]
:0040E235 8D942428010000 lea edx, dword ptr [esp+00000128]
:0040E23C 51 push ecx
:0040E23D 52 push edx
:0040E23E 6A00 push 00000000
:0040E240 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"ID"
|
:0040E242 6880F84600 push 0046F880
:0040E247 50 push eax
:0040E248 FFD6 call esi
:0040E24A 8B442410 mov eax, dword ptr [esp+10]
:0040E24E 8D4C2414 lea ecx, dword ptr [esp+14]
:0040E252 8D542428 lea edx, dword ptr [esp+28]
:0040E256 51 push ecx
:0040E257 52 push edx
:0040E258 6A00 push 00000000
:0040E25A 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"SN"
|
:0040E25C 687CF84600 push 0046F87C
:0040E261 50 push eax
:0040E262 FFD6 call esi
:0040E264 8B442410 mov eax, dword ptr [esp+10]
:0040E268 8D4C2414 lea ecx, dword ptr [esp+14]
:0040E26C 8D942428010000 lea edx, dword ptr [esp+00000128]
:0040E273 51 push ecx
:0040E274 52 push edx
:0040E275 6A00 push 00000000
:0040E277 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"ID"
|
:0040E279 6880F84600 push 0046F880
:0040E27E 50 push eax
:0040E27F FFD6 call esi
:0040E281 8B4C2410 mov ecx, dword ptr [esp+10]
:0040E285 51 push ecx
* Reference To: ADVAPI32.RegCloseKey, Ord:01C9h //读取键值后关闭注册表。
|
:0040E286 FF1510504600 Call dword ptr [00465010]
:0040E28C 8D7C2428 lea edi, dword ptr [esp+28]
:0040E290 83C9FF or ecx, FFFFFFFF
:0040E293 33C0 xor eax, eax
:0040E295 33F6 xor esi, esi
:0040E297 F2 repnz
:0040E298 AE scasb
//*********因不分析算法,验证的部分省略***********
看一下调用它的地方:
* Referenced by a CALL at Address:
|:00401A48
|
:00401AC0 56 push esi
:00401AC1 8B742408 mov esi, dword ptr [esp+08]
:00401AC5 893548654700 mov dword ptr [00476548], esi
:00401ACB E8A0C60000 call 0040E170 //验证CALL
:00401AD0 85C0 test eax, eax
:00401AD2 6A00 push 00000000
:00401AD4 7438 je 00401B0E //EAX为0,则跳走。爆破点:7438改为7400
:00401AD6 A148654700 mov eax, dword ptr [00476548]
:00401ADB 6A00 push 00000000
:00401ADD 6A00 push 00000000
:00401ADF 6814734700 push 00477314
:00401AE4 50 push eax
* Reference To: USER32.CreateDialogParamA, Ord:0055h
|
:00401AE5 FF1570554600 Call dword ptr [00465570]
:00401AEB 8BF0 mov esi, eax
:00401AED 56 push esi
* Reference To: USER32.GetMenu, Ord:012Ch
|
:00401AEE FF1574554600 Call dword ptr [00465574]
:00401AF4 8B4C240C mov ecx, dword ptr [esp+0C]
:00401AF8 51 push ecx
:00401AF9 56 push esi
* Reference To: USER32.ShowWindow, Ord:0291h
|
:00401AFA FF1578554600 Call dword ptr [00465578]
:00401B00 56 push esi
* Reference To: USER32.UpdateWindow, Ord:02BAh
|
:00401B01 FF157C554600 Call dword ptr [0046557C]
:00401B07 B801000000 mov eax, 00000001
:00401B0C 5E pop esi
:00401B0D C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401AD4(C)
|
:00401B0E 68B03A4000 push 00403AB0 //EAX为0跳到这里。
:00401B13 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"REGDLG"
|
:00401B15 6890E84600 push 0046E890 //看到 "REGDLG",就知道是注册对话框啦!
:00401B1A 56 push esi
* Reference To: USER32.CreateDialogParamA, Ord:0055h
|
:00401B1B FF1570554600 Call dword ptr [00465570]
:00401B21 B801000000 mov eax, 00000001
:00401B26 5E pop esi
:00401B27 C3 ret
看来还没用Ollydbg1.1,注册流程就搞定了。用Ollydbg1.1就更简单了:
用Ollydbg1.1载入脱壳后的程序,选“查看”窗口点“执行模块”,再选定主程序,点右键,点“查看名称”,找到“RegQueryValueExA”,点右键,点“在每个参考点设置断点”。
F9运行。程序在0040E22B处断下,再看注释,你就该狂喜了!F8跟一下可以看看执行流程,也可执行到返回。
0040E20F |. 50 PUSH EAX ; /pHandle
0040E210 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
0040E215 |. 6A 00 PUSH 0 ; |Reserved = 0
0040E217 |. 68 84F84600 PUSH _Clock.0046F884 ; |Subkey = "SOFTWARE\HappyClock\License"
0040E21C |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040E221 |. FF15 18504600 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
0040E227 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0040E22B |. 8B35 14504600 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExA
0040E231 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040E235 |. 8D9424 280100>LEA EDX,DWORD PTR SS:[ESP+128]
0040E23C |. 51 PUSH ECX ; /pBufSize
0040E23D |. 52 PUSH EDX ; |Buffer
0040E23E |. 6A 00 PUSH 0 ; |pValueType = NULL
0040E240 |. 6A 00 PUSH 0 ; |Reserved = NULL
0040E242 |. 68 80F84600 PUSH _Clock.0046F880 ; |ValueName = "ID"
0040E247 |. 50 PUSH EAX ; |hKey
0040E248 |. FFD6 CALL ESI ; \RegQueryValueExA
0040E24A |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0040E24E |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040E252 |. 8D5424 28 LEA EDX,DWORD PTR SS:[ESP+28]
0040E256 |. 51 PUSH ECX ; /pBufSize
0040E257 |. 52 PUSH EDX ; |Buffer
0040E258 |. 6A 00 PUSH 0 ; |pValueType = NULL
0040E25A |. 6A 00 PUSH 0 ; |Reserved = NULL
0040E25C |. 68 7CF84600 PUSH _Clock.0046F87C ; |ValueName = "SN"
0040E261 |. 50 PUSH EAX ; |hKey
0040E262 |. FFD6 CALL ESI ; \RegQueryValueExA
0040E264 |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0040E268 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040E26C |. 8D9424 280100>LEA EDX,DWORD PTR SS:[ESP+128]
0040E273 |. 51 PUSH ECX ; /pBufSize
0040E274 |. 52 PUSH EDX ; |Buffer
0040E275 |. 6A 00 PUSH 0 ; |pValueType = NULL
0040E277 |. 6A 00 PUSH 0 ; |Reserved = NULL
0040E279 |. 68 80F84600 PUSH _Clock.0046F880 ; |ValueName = "ID"
0040E27E |. 50 PUSH EAX ; |hKey
0040E27F |. FFD6 CALL ESI ; \RegQueryValueExA
0040E281 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040E285 |. 51 PUSH ECX ; /hKey
0040E286 |. FF15 10504600 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401AC0 /$ 56 PUSH ESI
00401AC1 |. 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
00401AC5 |. 8935 48654700 MOV DWORD PTR DS:[476548],ESI
00401ACB |. E8 A0C60000 CALL _Clock.0040E170
00401AD0 |. 85C0 TEST EAX,EAX //返回到这里
00401AD2 |. 6A 00 PUSH 0 ; /lParam = 0
00401AD4 |. 74 38 JE SHORT _Clock.00401B0E //在此改变Z标志位,清除断点,F9运行,没有注册对话框,搞定。就此修改它,保存到文件。
00401AD6 |. A1 48654700 MOV EAX,DWORD PTR DS:[476548] ; |
00401ADB |. 6A 00 PUSH 0 ; |pDlgProc = NULL
00401ADD |. 6A 00 PUSH 0 ; |hOwner = NULL
注册信息保存在:
[HKEY_LOCAL_MACHINE\SOFTWARE\HappyClock\License]
"ID"="Y294L3CE"
"SN"="88888888" //当然是假的
总结:软件试了一下,对比同类软件,还是不错的。Crack难度:易。毕竟刚成为共享版嘛。其它的没什么好说的。