[Original] resscope 1.92: first contact
Posted: 2010-3-20 18:05 7076

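【Title】: resscope 1.92
【Author】: wxxw
【Software】: resscope 1.92
【Protection】: none (not packed)
【Language】: delphi 2006
【Tools】: PEiD 0.95, DeDe, OllyDbg 1.10
【Platform】: XP sp3
【About the software】: No introduction needed, I suppose
【Author's statement】: Just out of interest, no other purpose. Please point out any mistakes!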
--------------------------------------------------------------------------------
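【Detailed process】
   I forget where I downloaded it from; the version is 1.92. It is handy and intuitive for viewing a program's resources, but unfortunately the unregistered version cannot save changes. I later switched to reshacker, which is less intuitive but lets you edit the resource script, which is also convenient and direct. Still, resscope kept nagging at me, so I found some time to look into it.
   First I clicked "Register", entered a user name and a registration code in the dialog that popped up, and clicked OK. It prompted me to restart resscope, so it evidently saves the registration information to a file or the registry and verifies it on restart. I saw no suspicious file in the program directory; opening the registry, I did indeed find the information under HKEY_LOCAL_MACHINE\SOFTWARE\RESTOOLS\ResScope. I loaded the program in OD, set a breakpoint on the imported function RegQueryValueExA, and pressed F9 to run. The breakpoint hit, but after tracing for a long while I could not find where the comparison is handled and was at a loss....
  Searching the forum's best-of collections, I found in collection 4 an article by decolor2001 on cracking resscope version 1.35. Taking a hint from it, I first used the DEDE tool to find the code that handles the "Export resource" menu item, as follows: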

005378A8   $  55            PUSH EBP
005378A9   .  8BEC          MOV EBP,ESP
005378AB   .  33C9          XOR ECX,ECX
005378AD   .  51            PUSH ECX
005378AE   .  51            PUSH ECX
005378AF   .  51            PUSH ECX
005378B0   .  51            PUSH ECX
005378B1   .  51            PUSH ECX
005378B2   .  51            PUSH ECX
005378B3   .  51            PUSH ECX
005378B4   .  53            PUSH EBX
005378B5   .  56            PUSH ESI
005378B6   .  57            PUSH EDI
005378B7   .  8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
005378BA   .  33C0          XOR EAX,EAX
005378BC   .  55            PUSH EBP
005378BD   .  68 107C5300   PUSH ResScope.00537C10
005378C2   .  64:FF30       PUSH DWORD PTR FS:[EAX]
005378C5   .  64:8920       MOV DWORD PTR FS:[EAX],ESP
005378C8   .  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
005378CB   .  80B8 280C0000>CMP BYTE PTR DS:[EAX+C28],0
005378D2   .  75 38         JNZ SHORT ResScope.0053790C
...
00535DAB  |.  E8 F058FEFF   CALL ResScope.0051B6A0
00535DB0  |.  8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
00535DB3  |.  8882 280C0000 MOV BYTE PTR DS:[EDX+C28],AL
0051B6EB   .  B1 01         MOV CL,1
0051B6ED   .  BA DCB85100   MOV EDX,ResScope.0051B8DC                ;  ASCII "SOFTWARE\RESTOOLS\ResScope"
0051B6F2   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
0051B6F5   .  E8 DEA2F2FF   CALL ResScope.004459D8                   ;  check whether registration info exists under ResScope
0051B6FA   .  84C0          TEST AL,AL            
0051B6FC   .  0F84 86010000 JE ResScope.0051B888
0051B702   .  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
0051B705   .  E8 0E8FEEFF   CALL ResScope.00404618
0051B70A   .  8D45 F0       LEA EAX,DWORD PTR SS:[EBP-10]
0051B70D   .  E8 068FEEFF   CALL ResScope.00404618
0051B712   .  BA 00B95100   MOV EDX,ResScope.0051B900                ;  ASCII "reguser"
0051B717   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
0051B71A   .  E8 05A7F2FF   CALL ResScope.00445E24                   ;  check whether the user name is empty
0051B71F   .  84C0          TEST AL,AL
0051B721   .  74 10         JE SHORT ResScope.0051B733
0051B723   .  8D4D F4       LEA ECX,DWORD PTR SS:[EBP-C]
0051B726   .  BA 00B95100   MOV EDX,ResScope.0051B900                ;  ASCII "reguser"
0051B72B   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
0051B72E   .  E8 9DA5F2FF   CALL ResScope.00445CD0                   ;  fetch the user name
0051B733   >  BA 10B95100   MOV EDX,ResScope.0051B910                ;  ASCII "regcode"
0051B738   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
0051B73B   .  E8 E4A6F2FF   CALL ResScope.00445E24                   ;  check whether the registration code is empty
0051B740   .  84C0          TEST AL,AL
0051B742   .  74 10         JE SHORT ResScope.0051B754
0051B744   .  8D4D F0       LEA ECX,DWORD PTR SS:[EBP-10]
0051B747   .  BA 10B95100   MOV EDX,ResScope.0051B910                ;  ASCII "regcode"
0051B74C   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
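0051B74F   .  E8 7CA5F2FF   CALL ResScope.00445CD0                   ;  fetch the registration code
0051B754   >  8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]
0051B757   .  E8 7C91EEFF   CALL ResScope.004048D8                   ;  get the number of characters in the registration code
0051B75C   .  83F8 30       CMP EAX,30                               ;  the registration code must be 30h characters long, i.e. 48 characters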
0051B75F   .  0F85 23010000 JNZ ResScope.0051B888
0051B765   .  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]
0051B768   .  E8 6B91EEFF   CALL ResScope.004048D8                   ;  get the number of characters in the user name
0051B76D   .  85C0          TEST EAX,EAX
0051B76F   .  0F8E 13010000 JLE ResScope.0051B888
0051B775   .  8D45 EC       LEA EAX,DWORD PTR SS:[EBP-14]
0051B778   .  50            PUSH EAX
0051B779   .  B1 01         MOV CL,1
0051B77B   .  B2 01         MOV DL,1
0051B77D   .  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]             ;  EAX holds the user name
0051B780   .  E8 E7E8FFFF   CALL ResScope.0051A06C                   ;  transform the data
0051B785   .  8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]
0051B788   .  50            PUSH EAX
0051B789   .  8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
0051B78C   .  B2 01         MOV DL,1
0051B78E   .  8B45 F0       MOV EAX,DWORD PTR SS:[EBP-10]
0051B791   .  E8 02DBFFFF   CALL ResScope.00519298                   ;  transform the data
0051B796   .  8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]
0051B799   .  58            POP EAX
0051B79A   .  E8 8592EEFF   CALL ResScope.00404A24                   ;  compare the data
0051B79F   .  75 04         JNZ SHORT ResScope.0051B7A5
0051B7A1   .  C645 FF 01    MOV BYTE PTR SS:[EBP-1],1                ;  if the data match, store 01
.......
0051B8C7   .  8A45 FF       MOV AL,BYTE PTR SS:[EBP-1]               ;  pass the stored registration-success flag back in AL as the return value
0051B8CA   .  5F            POP EDI
0051B8CB   .  5E            POP ESI
0051B8CC   .  5B            POP EBX
0051B8CD   .  8BE5          MOV ESP,EBP
0051B8CF   .  5D            POP EBP
0051B8D0   .  C3            RETN
005378CB   .  80B8 280C0000>CMP BYTE PTR DS:[EAX+C28],0
005378D2   .  75 38         JNZ SHORT ResScope.0053790C
.......
00537B26   .  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00537B29   .  8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
00537B2F   .  83C0 60       ADD EAX,60
00537B32   .  E8 A9CDECFF   CALL ResScope.004048E0
00537B37   >  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00537B3A   .  8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
.......
00537BAD   .  55            PUSH EBP
00537BAE   .  68 D47B5300   PUSH ResScope.00537BD4
00537BB3   .  64:FF30       PUSH DWORD PTR FS:[EAX]
00537BB6   .  64:8920       MOV DWORD PTR FS:[EAX],ESP
00537BB9   .  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00537BBC   .  8B80 B40A0000 MOV EAX,DWORD PTR DS:[EAX+AB4]
00537BC2   .  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]
00537BC5   .  E8 8AB8FFFF   CALL ResScope.00533454
00533454   $  55            PUSH EBP
00533455   .  8BEC          MOV EBP,ESP
00533457   .  33C9          XOR ECX,ECX
00533459   .  51            PUSH ECX
0053345A   .  51            PUSH ECX
0053345B   .  51            PUSH ECX
0053345C   .  51            PUSH ECX
0053345D   .  53            PUSH EBX
0053345E   .  56            PUSH ESI
0053345F   .  57            PUSH EDI
00533460   .  8955 FC       MOV DWORD PTR SS:[EBP-4],EDX
00533463   .  8BF0          MOV ESI,EAX
00533465   .  33C0          XOR EAX,EAX
00533467   .  55            PUSH EBP
00533468   .  68 51355300   PUSH ResScope.00533551
0053346D   .  64:FF30       PUSH DWORD PTR FS:[EAX]
00533470   .  64:8920       MOV DWORD PTR FS:[EAX],ESP
00533473   .  33C0          XOR EAX,EAX
00533475   .  55            PUSH EBP
00533476   .  68 D7345300   PUSH ResScope.005334D7
0053347B   .  64:FF30       PUSH DWORD PTR FS:[EAX]
0053347E   .  64:8920       MOV DWORD PTR FS:[EAX],ESP
00533481   .  8B46 30       MOV EAX,DWORD PTR DS:[ESI+30]            ;  esi is 0, which causes an exception
00533484   .  8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
0053348A   .  8B10          MOV EDX,DWORD PTR DS:[EAX]
0053348C   .  FF52 3C       CALL DWORD PTR DS:[EDX+3C]
0053348F   .  84C0          TEST AL,AL
00533491   .  74 3A         JE SHORT ResScope.005334CD
00533493   .  8B7E 30       MOV EDI,DWORD PTR DS:[ESI+30]
00533496   .  8B87 0C0C0000 MOV EAX,DWORD PTR DS:[EDI+C0C]
0053349C   .  8378 44 00    CMP DWORD PTR DS:[EAX+44],0
005334A0   .  74 2B         JE SHORT ResScope.005334CD
005334A2   .  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
005334A5   .  8B87 0C030000 MOV EAX,DWORD PTR DS:[EDI+30C]
005334AB   .  E8 1851F0FF   CALL ResScope.004385C8
005334B0   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
005334B3   .  50            PUSH EAX
005334B4   .  8B46 30       MOV EAX,DWORD PTR DS:[ESI+30]
005334B7   .  8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]

Latest replies (1)
Very well written, worth studying. Thanks for sharing!
2010-4-21 15:08