电脑报附件有软件微晓系统大师2.02 OEM版,但有功能限制,一次只能修改50条系统扫描错误,恼火,决定拓展功能!
工具:softice 4.3 wdasm8.93
1、脱壳,ASPACK 2.12,STRIPPER3.05脱之;
2、设断消息框“一次只能修正 50 条”;
bpmd 004CBFEC RW
BPX 004C8541
bpmd 004cdd6c rw
重新启动程序,查看标志位何时读写!
中断于:44BF5E1 写标志位
向上找到了核心代码!
:004BF435 33C0 xor eax, eax
:004BF437 55 push ebp
:004BF438 684FF64B00 push 004BF64F
:004BF43D 64FF30 push dword ptr fs:[eax]
:004BF440 648920 mov dword ptr fs:[eax], esp //SEH异常处理
:004BF443 A174BF4C00 mov eax, dword ptr [004CBF74]
:004BF448 803800 cmp byte ptr [eax], 00
:004BF44B 0F858B010000 jne 004BF5DC //跳到 OEM 版本
* Possible StringData Ref from Code Obj ->"LicenseName"
|
:004BF451 B9E8F94B00 mov ecx, 004BF9E8
* Possible StringData Ref from Code Obj ->"Software\WeiXiaoSoft\SystemMaster"
|
:004BF456 BAFCF94B00 mov edx, 004BF9FC
:004BF45B B802000080 mov eax, 80000002
:004BF460 E8DF9CFFFF call 004B9144
:004BF465 84C0 test al, al
:004BF467 0F8454010000 je 004BF5C1 //跳到未注册版本
* Possible StringData Ref from Code Obj ->"Licensekey"
|
:004BF46D B928FA4B00 mov ecx, 004BFA28
* Possible StringData Ref from Code Obj ->"Software\WeiXiaoSoft\SystemMaster"
|
:004BF472 BAFCF94B00 mov edx, 004BF9FC
:004BF477 B802000080 mov eax, 80000002
:004BF47C E8C39CFFFF call 004B9144
:004BF481 84C0 test al, al
:004BF483 0F8438010000 je 004BF5C1
* Possible StringData Ref from Code Obj ->"Licensecode"
|
:004BF489 B93CFA4B00 mov ecx, 004BFA3C
* Possible StringData Ref from Code Obj ->"Software\WeiXiaoSoft\SystemMaster"
|
:004BF48E BAFCF94B00 mov edx, 004BF9FC
:004BF493 B802000080 mov eax, 80000002
:004BF498 E8A79CFFFF call 004B9144
:004BF49D 84C0 test al, al
:004BF49F 0F841C010000 je 004BF5C1
:004BF4A5 8D45F0 lea eax, dword ptr [ebp-10]
:004BF4A8 50 push eax
* Possible StringData Ref from Code Obj ->"LicenseName"
|
:004BF4A9 B9E8F94B00 mov ecx, 004BF9E8
* Possible StringData Ref from Code Obj ->"Software\WeiXiaoSoft\SystemMaster"
|
:004BF4AE BAFCF94B00 mov edx, 004BF9FC
:004BF4B3 B802000080 mov eax, 80000002
:004BF4B8 E823A0FFFF call 004B94E0
:004BF4BD 8D45EC lea eax, dword ptr [ebp-14]
:004BF4C0 50 push eax
* Possible StringData Ref from Code Obj ->"Licensekey"
|
:004BF4C1 B928FA4B00 mov ecx, 004BFA28
* Possible StringData Ref from Code Obj ->"Software\WeiXiaoSoft\SystemMaster"
|
:004BF4C6 BAFCF94B00 mov edx, 004BF9FC
:004BF4CB B802000080 mov eax, 80000002
:004BF4D0 E80BA0FFFF call 004B94E0
:004BF4D5 8D45E8 lea eax, dword ptr [ebp-18]
:004BF4D8 50 push eax
* Possible StringData Ref from Code Obj ->"Licensecode"
|
:004BF4D9 B93CFA4B00 mov ecx, 004BFA3C
* Possible StringData Ref from Code Obj ->"Software\WeiXiaoSoft\SystemMaster"
|
:004BF4DE BAFCF94B00 mov edx, 004BF9FC
:004BF4E3 B802000080 mov eax, 80000002
:004BF4E8 E8F39FFFFF call 004B94E0
:004BF4ED 837DF000 cmp dword ptr [ebp-10], 00000000
:004BF4F1 0F84AF000000 je 004BF5A6
:004BF4F7 8B45F0 mov eax, dword ptr [ebp-10]
:004BF4FA E80553F4FF call 00404804
:004BF4FF 83F803 cmp eax, 00000003
:004BF502 0F8E9E000000 jle 004BF5A6
:004BF508 837DEC00 cmp dword ptr [ebp-14], 00000000
:004BF50C 0F8494000000 je 004BF5A6
:004BF512 837DE800 cmp dword ptr [ebp-18], 00000000
:004BF516 0F848A000000 je 004BF5A6
:004BF51C 8D9540FFFFFF lea edx, dword ptr [ebp+FFFFFF40]
:004BF522 8B45E8 mov eax, dword ptr [ebp-18]
:004BF525 E8F694F4FF call 00408A20
:004BF52A 8B8540FFFFFF mov eax, dword ptr [ebp+FFFFFF40]
:004BF530 50 push eax
:004BF531 8D953CFFFFFF lea edx, dword ptr [ebp+FFFFFF3C]
:004BF537 8B45EC mov eax, dword ptr [ebp-14]
:004BF53A E8E194F4FF call 00408A20
:004BF53F 8B953CFFFFFF mov edx, dword ptr [ebp+FFFFFF3C]
:004BF545 8B45F0 mov eax, dword ptr [ebp-10]
:004BF548 59 pop ecx
:004BF549 E8129BFFFF call 004B9060
:004BF54E 84C0 test al, al
:004BF550 7439 je 004BF58B
:004BF552 A1ECBF4C00 mov eax, dword ptr [004CBFEC]
:004BF557 C60001 mov byte ptr [eax], 01
* Possible StringData Ref from Code Obj ->"微晓注册表优化大师 Ver 2.02 ("
|
:004BF55A 6850FA4B00 push 004BFA50
:004BF55F FF75F0 push [ebp-10]
:004BF562 6878FA4B00 push 004BFA78
:004BF567 8D8538FFFFFF lea eax, dword ptr [ebp+FFFFFF38]
:004BF56D BA03000000 mov edx, 00000003
:004BF572 E84D53F4FF call 004048C4
:004BF577 8B9538FFFFFF mov edx, dword ptr [ebp+FFFFFF38]
:004BF57D A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF582 8B00 mov eax, dword ptr [eax]
:004BF584 E85F7FFAFF call 004674E8
:004BF589 EB6A jmp 004BF5F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BF550(C)
|
:004BF58B A1ECBF4C00 mov eax, dword ptr [004CBFEC]
:004BF590 C60000 mov byte ptr [eax], 00
:004BF593 A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF598 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"微晓注册表优化大师 Ver 2.02 未注册版本"
|
:004BF59A BA84FA4B00 mov edx, 004BFA84
:004BF59F E8447FFAFF call 004674E8
:004BF5A4 EB4F jmp 004BF5F5
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BF4F1(C), :004BF502(C), :004BF50C(C), :004BF516(C)
|
:004BF5A6 A1ECBF4C00 mov eax, dword ptr [004CBFEC]
:004BF5AB C60000 mov byte ptr [eax], 00
:004BF5AE A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF5B3 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"微晓注册表优化大师 Ver 2.02 未注册版本"
|
:004BF5B5 BA84FA4B00 mov edx, 004BFA84
:004BF5BA E8297FFAFF call 004674E8
:004BF5BF EB34 jmp 004BF5F5
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BF467(C), :004BF483(C), :004BF49F(C)
|
:004BF5C1 A1ECBF4C00 mov eax, dword ptr [004CBFEC]
:004BF5C6 C60000 mov byte ptr [eax], 00
:004BF5C9 A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF5CE 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"微晓注册表优化大师 Ver 2.02 未注册版本"
|
:004BF5D0 BA84FA4B00 mov edx, 004BFA84
:004BF5D5 E80E7FFAFF call 004674E8
:004BF5DA EB19 jmp 004BF5F5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BF44B(C)
|
:004BF5DC A1ECBF4C00 mov eax, dword ptr [004CBFEC]
:004BF5E1 C60000 mov byte ptr [eax], 00 //置标志位!改为 1 则功能都可以使用
:004BF5E4 A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF5E9 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"微晓注册表优化大师 V2.02 电脑报OEM版"
|
:004BF5EB BAB4FA4B00 mov edx, 004BFAB4
:004BF5F0 E8F37EFAFF call 004674E8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BF589(U), :004BF5A4(U), :004BF5BF(U), :004BF5DA(U)
|
:004BF5F5 8D9534FFFFFF lea edx, dword ptr [ebp+FFFFFF34]
:004BF5FB A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF600 8B00 mov eax, dword ptr [eax]
:004BF602 E8957EFAFF call 0046749C
:004BF607 8B9534FFFFFF mov edx, dword ptr [ebp+FFFFFF34]
:004BF60D A1A8DD4C00 mov eax, dword ptr [004CDDA8]
:004BF612 E82176F8FF call 00446C38
:004BF617 A1CCBE4C00 mov eax, dword ptr [004CBECC]
:004BF61C 8B00 mov eax, dword ptr [eax]
:004BF61E 8B8098000000 mov eax, dword ptr [eax+00000098]
:004BF624 E87B9AF6FF call 004290A4
:004BF629 8BD0 mov edx, eax
:004BF62B 8B45FC mov eax, dword ptr [ebp-04]
:004BF62E 8B8040020000 mov eax, dword ptr [eax+00000240]
:004BF634 E8FF9CF6FF call 00429338
:004BF639 33C0 xor eax, eax
:004BF63B 5A pop edx
:004BF63C 59 pop ecx
:004BF63D 59 pop ecx
:004BF63E 648910 mov dword ptr fs:[eax], edx
:004BF641 6856F64B00 push 004BF656
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BF654(U)
|
:004BF646 8B45F8 mov eax, dword ptr [ebp-08]
:004BF649 E80E41F4FF call 0040375C
:004BF64E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C81D4(C)
|
:004C8541 8B15ECBF4C00 mov edx, dword ptr [004CBFEC]
:004C8547 803A00 cmp byte ptr [edx], 00 //004cdd6c
:004C854A 7514 jne 004C8560
:004C854C 83F832 cmp eax, 00000032
:004C854F 7E0F jle 004C8560
* Possible StringData Ref from Code Obj ->"电脑报OEM版用户一次只能删除50项"
|
:004C8551 B8EC8A4C00 mov eax, 004C8AEC
:004C8556 E8757EF7FF call 004403D0
:004C855B E945040000 jmp 004C89A5
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C854A(C), :004C854F(C)
|
:004C8560 8B83B4030000 mov eax, dword ptr [ebx+000003B4]
:004C8566 80783801 cmp byte ptr [eax+38], 01
:004C856A 0F8594010000 jne 004C8704
:004C8570 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004C8576 E88DF5FBFF call 00487B08
:004C857B 8BF0 mov esi, eax
:004C857D 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004C8583 8B10 mov edx, dword ptr [eax]
:004C8585 FF92EC000000 call dword ptr [edx+000000EC]
:004C858B 85C0 test eax, eax
:004C858D 0F8E5E010000 jle 004C86F1
:004C8593 8945E4 mov dword ptr [ebp-1C], eax
3、设断 EnableMenuItem,中断于 004587CD
* Referenced by a CALL at Addresses:
|:004567FA , :00458EA2 , :00461D32 , :004C6164 , :004C61BA
|:004C620B , :004C625C , :004C62A8 , :004C7BD7 , :004C7C0F
|:004C7CE0 , :004C7D22 , :004C7D5C , :004C893D , :004C8968
|:004C8EBF , :004C8EEA
|
:00458768 53 push ebx
:00458769 56 push esi
:0045876A 57 push edi
:0045876B 8BDA mov ebx, edx
:0045876D 8BF0 mov esi, eax
:0045876F 3A5E39 cmp bl, byte ptr [esi+39] //bl 数据来源004130C5
:00458772 7467 je 004587DB
:00458774 885E39 mov byte ptr [esi+39], bl
:00458777 A198C04C00 mov eax, dword ptr [004CC098]
:0045877C 833802 cmp dword ptr [eax], 00000002
:0045877F 750B jne 0045878C
:00458781 8BC6 mov eax, esi
:00458783 E8B4000000 call 0045883C
:00458788 85C0 test eax, eax
:0045878A 750D jne 00458799
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045877F(C)
|
:0045878C 8B7E64 mov edi, dword ptr [esi+64]
:0045878F 85FF test edi, edi
:00458791 7411 je 004587A4
:00458793 837F6C00 cmp dword ptr [edi+6C], 00000000
:00458797 740B je 004587A4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045878A(C)
|
:00458799 B201 mov dl, 01
:0045879B 8BC6 mov eax, esi
:0045879D 8B08 mov ecx, dword ptr [eax]
:0045879F FF513C call [ecx+3C]
:004587A2 EB37 jmp 004587DB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00458791(C), :00458797(C)
|
:004587A4 8B7E64 mov edi, dword ptr [esi+64]
:004587A7 85FF test edi, edi
:004587A9 7427 je 004587D2
:004587AB F6461C02 test [esi+1C], 02
:004587AF 7521 jne 004587D2
:004587B1 33C0 xor eax, eax
:004587B3 8AC3 mov al, bl
:004587B5 8B048510AD4C00 mov eax, dword ptr [4*eax+004CAD10]
:004587BC 83C800 or eax, 00000000
:004587BF 50 push eax
:004587C0 0FB74650 movzx eax, word ptr [esi+50]
:004587C4 50 push eax
:004587C5 8BC7 mov eax, edi
:004587C7 E838E7FFFF call 00456F04
:004587CC 50 push eax
* Reference To: user32.EnableMenuItem, Ord:0000h
|
:004587CD E862EAFAFF Call 00407234
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004587A9(C), :004587AF(C)
|
:004587D2 33D2 xor edx, edx
:004587D4 8BC6 mov eax, esi
:004587D6 8B08 mov ecx, dword ptr [eax]
:004587D8 FF513C call [ecx+3C] //[00455464]=00458BFC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00458772(C), :004587A2(U)
|
:004587DB 5F pop edi
:004587DC 5E pop esi
:004587DD 5B pop ebx
:004587DE C3 ret
====================================================================
4、微晓系统大师主程序
........
:005A92FD A174945B00 mov eax, dword ptr [005B9474]
:005A9302 C60001 mov byte ptr [eax], 01 //置标志位:OEM版本
:005A9305 A18C945B00 mov eax, dword ptr [005B948C]
:005A930A BA00010000 mov edx, 00000100
:005A930F E8D8B9E5FF call 00404CEC
:005A9314 6800010000 push 00000100
:005A9319 A18C945B00 mov eax, dword ptr [005B948C]
:005A931E 8B00 mov eax, dword ptr [eax]
:005A9320 E83BB8E5FF call 00404B60
:005A9325 50 push eax
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
