[求助]让破解更完美
发表于: 2011-12-2 10:58 3803

【文章标题】: 一款非常好用的磁盘整理软件的破解
【文章作者】: Afreet
【作者邮箱】: 659910722@qq.com
【软件名称】: UltimateDefrag
【下载地址】: http://download.pchome.net/system/disk/detail-36242-0.html
【加壳方式】: 无壳
【使用工具】: W32dsm+OD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------------------------------
【过程】:
    已经完成基本的破解,只是还有些不完美,遂求助各位大神!
   
    软件安装运行后有30天的试用期,W32dsm+OD直接来到
; ----------------------------------------------------------------------
; sub_4BC1A0 — dialog init that displays the licence / trial state.
; OllyDbg listing (x86-32, Intel syntax). __thiscall-style: ecx = this,
; kept in edi. esi = this+0FC is a child object that receives the status
; text (00723BA8) and a colour value (0042BCC0) — presumably a static
; text control; confirm.
;
; The whole registered/demo decision is one integer returned by 004BB390
; (listed further down), interpreted purely by sign/zero:
;     < -1  -> "invalid license",          [obj+278] = 1
;     == -1 -> "program is registered"
;     == 0  -> "trial period has expired", [obj+278] = 1
;     > 0   -> "you have %d day(s) left to try this program"
; [obj+278] = 1 is set on both failure paths right after the "continue in
; demo mode" text, so it is presumably the demo-mode flag — confirm.
; Returns eax = 1. An SEH frame is installed on entry and removed on exit.
;
; NOTE(review): nothing in this function re-validates the licence; a single
; signed compare of one return value decides the UI state.
; ----------------------------------------------------------------------
004BC1A0   .  64:A1 0000000>mov     eax, dword ptr fs:[0]       ; install SEH frame (handler 00773790)
004BC1A6   .  6A FF         push    -1
004BC1A8   .  68 90377700   push    00773790
004BC1AD   .  50            push    eax
004BC1AE   .  64:8925 00000>mov     dword ptr fs:[0], esp
004BC1B5   .  83EC 08       sub     esp, 8                      ; two dword locals ([esp+C]/[esp+10] after pushes)
004BC1B8   .  55            push    ebp
004BC1B9   .  56            push    esi
004BC1BA   .  57            push    edi
004BC1BB   .  8BF9          mov     edi, ecx                    ; edi = this
004BC1BD   .  E8 3E550400   call    00501700                    ; opaque this-call (likely base init)
004BC1C2   .  6A 00         push    0
004BC1C4   .  6A 01         push    1
004BC1C6   .  6A 01         push    1
004BC1C8   .  8BCF          mov     ecx, edi
004BC1CA   .  E8 E1540400   call    005016B0                    ; this->m(1, 1, 0) — opaque
004BC1CF   .  8DB7 FC000000 lea     esi, dword ptr [edi+FC]     ; esi = &this->member_FC (status text object)
004BC1D5   .  68 FF000000   push    0FF
004BC1DA   .  8BCE          mov     ecx, esi
004BC1DC   .  E8 DFFAF6FF   call    0042BCC0                    ; set colour 0x0000FF (presumably COLORREF red — confirm)
004BC1E1   .  68 E8030000   push    3E8
004BC1E6   .  6A 5A         push    5A
004BC1E8   .  8BCE          mov     ecx, esi
004BC1EA   .  E8 51FAF6FF   call    0042BC40                    ; (0x5A, 0x3E8) — opaque
004BC1EF   .  E8 DCCC2800   call    00748ED0                    ; returns a global object pointer
004BC1F4   .  8B40 04       mov     eax, dword ptr [eax+4]
004BC1F7   .  8D88 0C010000 lea     ecx, dword ptr [eax+10C]    ; ecx = obj+10C, the `this` for the licence check
004BC1FD   .  E8 8EF1FFFF   call    004BB390                    ; KEY CALL: licence / trial-state check, result in eax
; Dispatch on the status value. Flags from `cmp ebp,-1` are reused by the
; jnz at 004BC244 (ZF set only when ebp == -1).
004BC202   .  8BE8          mov     ebp, eax                    ; ebp = status
004BC204   .  83FD FF       cmp     ebp, -1
004BC207   .  7D 3B         jge     short 004BC244              ; ebp >= -1 -> registered or trial paths
; --- status < -1: invalid licence -> demo mode
004BC209   .  68 D07B8D00   push    008D7BD0                    ; "invalid license"
004BC20E   .  8BCE          mov     ecx, esi
004BC210   .  E8 93792600   call    00723BA8                    ; set status text
004BC215   .  68 B8AD8D00   push    008DADB8                    ; "continue in demo mode"
004BC21A   .  68 28040000   push    428
004BC21F   .  8BCF          mov     ecx, edi
004BC221   .  E8 EB762600   call    00723911                    ; this->item(0x428) — presumably the OK/continue button; confirm
004BC226   .  8BC8          mov     ecx, eax
004BC228   .  E8 7B792600   call    00723BA8                    ; set button text
004BC22D   .  E8 9ECC2800   call    00748ED0
004BC232   .  8B40 04       mov     eax, dword ptr [eax+4]
004BC235   .  C780 78020000>mov     dword ptr [eax+278], 1      ; obj+278 = 1 (demo-mode flag, presumed)
004BC23F   .  E9 14010000   jmp     004BC358
; --- status == -1: registered
004BC244   >  75 29         jnz     short 004BC26F              ; ebp != -1 -> trial paths
004BC246   .  68 8CAD8D00   push    008DAD8C                    ; "program is registered"
004BC24B   .  8BCE          mov     ecx, esi
004BC24D   .  E8 56792600   call    00723BA8
004BC252   .  68 78AD8D00   push    008DAD78                    ; "continue"
004BC257   .  68 28040000   push    428
004BC25C   .  8BCF          mov     ecx, edi
004BC25E   .  E8 AE762600   call    00723911
004BC263   .  8BC8          mov     ecx, eax
004BC265   .  E8 3E792600   call    00723BA8
004BC26A   .  E9 E9000000   jmp     004BC358
; --- status == 0: trial expired -> demo mode
004BC26F   >  85ED          test    ebp, ebp
004BC271   .  75 47         jnz     short 004BC2BA              ; ebp > 0 -> days remaining
004BC273   .  68 44AD8D00   push    008DAD44                    ; "trial period has expired"
004BC278   .  8BCE          mov     ecx, esi
004BC27A   .  E8 29792600   call    00723BA8
004BC27F   .  68 FF000000   push    0FF
004BC284   .  8BCE          mov     ecx, esi
004BC286   .  E8 35FAF6FF   call    0042BCC0                    ; colour 0x0000FF again
004BC28B   .  68 B8AD8D00   push    008DADB8                    ; "continue in demo mode"
004BC290   .  68 28040000   push    428
004BC295   .  8BCF          mov     ecx, edi
004BC297   .  E8 75762600   call    00723911
004BC29C   .  8BC8          mov     ecx, eax
004BC29E   .  E8 05792600   call    00723BA8
004BC2A3   .  E8 28CC2800   call    00748ED0
004BC2A8   .  8B48 04       mov     ecx, dword ptr [eax+4]
004BC2AB   .  C781 78020000>mov     dword ptr [ecx+278], 1      ; obj+278 = 1 (demo-mode flag, presumed)
004BC2B5   .  E9 9E000000   jmp     004BC358
; --- status > 0: format "you have %d day(s) left". Two string objects are
; built on the stack ([esp+C], [esp+10]); [esp+1C] is the cleanup-state
; counter the SEH handler uses, and both objects are destroyed via 00725140.
004BC2BA   >  8B15 40C08D00 mov     edx, dword ptr [8DC040]     ; Udefrag.008DC054 — empty-string/initial buffer, presumed
004BC2C0   .  895424 0C     mov     dword ptr [esp+C], edx
004BC2C4   .  83FD 01       cmp     ebp, 1
004BC2C7   .  C74424 1C 000>mov     dword ptr [esp+1C], 0
004BC2CF   .  75 07         jnz     short 004BC2D8
004BC2D1   .  68 3CAD8D00   push    008DAD3C                    ; "day"   (exactly 1 left)
004BC2D6   .  EB 05         jmp     short 004BC2DD
004BC2D8   >  68 30AD8D00   push    008DAD30                    ; "days"
004BC2DD   >  8D4C24 10     lea     ecx, dword ptr [esp+10]
004BC2E1   .  E8 F18F2600   call    007252D7                    ; construct string object from "day"/"days"
004BC2E6   .  A1 40C08D00   mov     eax, dword ptr [8DC040]
004BC2EB   .  894424 10     mov     dword ptr [esp+10], eax
004BC2EF   .  8B4C24 0C     mov     ecx, dword ptr [esp+C]
004BC2F3   .  8D5424 10     lea     edx, dword ptr [esp+10]
004BC2F7   .  51            push    ecx                         ; "day"/"days"
004BC2F8   .  55            push    ebp                         ; days remaining (%d)
004BC2F9   .  68 E0AC8D00   push    008DACE0                    ; "you have %d %s left to try this program"
004BC2FE   .  52            push    edx                         ; destination string object
004BC2FF   .  C64424 2C 01  mov     byte ptr [esp+2C], 1
004BC304   .  E8 A0C72500   call    00718AA9                    ; printf-style format into the string object
004BC309   .  8B4424 20     mov     eax, dword ptr [esp+20]
004BC30D   .  83C4 10       add     esp, 10                     ; cdecl: pop the 4 args
004BC310   .  8BCE          mov     ecx, esi
004BC312   .  50            push    eax
004BC313   .  E8 90782600   call    00723BA8                    ; set status text
004BC318   .  68 0000FF00   push    0FF0000
004BC31D   .  8BCE          mov     ecx, esi
004BC31F   .  E8 9CF9F6FF   call    0042BCC0                    ; colour 0xFF0000 (presumably COLORREF blue — confirm)
004BC324   .  6A 01         push    1
004BC326   .  68 28040000   push    428
004BC32B   .  8BCF          mov     ecx, edi
004BC32D   .  E8 DF752600   call    00723911
004BC332   .  8BC8          mov     ecx, eax
004BC334   .  E8 F6792600   call    00723D2F                    ; control->m(1) — opaque
004BC339   .  8D4C24 10     lea     ecx, dword ptr [esp+10]
004BC33D   .  C64424 1C 00  mov     byte ptr [esp+1C], 0
004BC342   .  E8 F98D2600   call    00725140                    ; destroy temp string [esp+10]
004BC347   .  8D4C24 0C     lea     ecx, dword ptr [esp+C]
004BC34B   .  C74424 1C FFF>mov     dword ptr [esp+1C], -1
004BC353   .  E8 E88D2600   call    00725140                    ; destroy temp string [esp+C]
; --- common exit: restore SEH frame, return 1
004BC358   >  8B4C24 14     mov     ecx, dword ptr [esp+14]     ; saved previous fs:[0]
004BC35C   .  5F            pop     edi
004BC35D   .  5E            pop     esi
004BC35E   .  B8 01000000   mov     eax, 1
004BC363   .  5D            pop     ebp
004BC364   .  64:890D 00000>mov     dword ptr fs:[0], ecx
004BC36B   .  83C4 14       add     esp, 14
004BC36E   .  C3            retn
004BC36F      90            nop
; ----------------------------------------------------------------------
; sub_4BC370 — separate leaf: opens the vendor store page in the default
; browser (ShellExecuteW with "open"). No return value is set explicitly.
; ----------------------------------------------------------------------
004BC370   .  6A 01         push    1                           ; /IsShown = 1
004BC372   .  6A 00         push    0                           ; |DefDir = NULL
004BC374   .  6A 00         push    0                           ; |Parameters = NULL
004BC376   .  68 E4AD8D00   push    008DADE4                    ; |http://www.disktrix.com/store
004BC37B   .  68 6C8F8D00   push    008D8F6C                    ; |Operation = "open"
004BC380   .  6A 00         push    0                           ; |hWnd = NULL
004BC382   .  FF15 B0777900 call    dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteW
004BC388   .  C3            retn

试过几次就发现关键Call,F7跟进:
; ----------------------------------------------------------------------
; sub_4BB390 — licence / trial-state check. ecx = this (saved at [ebp-6C8]).
; OllyDbg listing (x86-32, Intel syntax). Returns in eax:
;    -2  : 004BB790(this, &qword) returned nonzero (could not obtain the
;          stored 64-bit timestamp)
;    -1  : 004BBFC0(this, lo, hi) returned nonzero — the caller at 004BC244
;          displays "program is registered" for this value
;    -3  : elapsed time is negative or exceeds 0x2AC6 (10950) days
;    0..30: trial days remaining = 30 - (now - stored) / ticks_per_day
;
; Stack locals (as used here):
;   [ebp-6C4]/[ebp-6C0]  qword filled by 004BB790 — later subtracted from
;                        the current FILETIME, so presumably the stored
;                        install / first-run time; confirm in 004BB790
;   [ebp-678]            SYSTEMTIME from GetLocalTime
;   [ebp-690]/[ebp-68C]  FILETIME of "now"
;   [ebp-6AC]/[ebp-6A8]  copy of the stored qword
;   [ebp-264]/[ebp-260]  elapsed = now - stored (signed 64-bit)
;   [ebp-688]/[ebp-684]  0x000000C9_2A69C000 = 864,000,000,000
;                        = 86400 s * 10^7 = FILETIME ticks per day
;   [ebp-258]/[ebp-254]  limit = ticks_per_day * 0x2AC6 (10950 days)
;   [ebp-6A4]            days remaining, clamped at 0
;
; NOTE(review): the trial clock is GetLocalTime — the user-settable wall
; clock — and only a negative elapsed value is rejected, so the check
; cannot tell "30 days passed" from "clock set to any time after the
; stored date". The remaining-days value and the registered/unregistered
; verdict are both folded into one int that the caller trusts without any
; further validation.
; ----------------------------------------------------------------------
004BB390  /$  55            push    ebp
004BB391  |.  8BEC          mov     ebp, esp
004BB393  |.  81EC C8060000 sub     esp, 6C8                    ; 0x6C8 bytes of locals (most unused here)
004BB399  |.  57            push    edi
004BB39A  |.  898D 38F9FFFF mov     dword ptr [ebp-6C8], ecx    ; this
004BB3A0  |.  C785 3CF9FFFF>mov     dword ptr [ebp-6C4], 0      ; stored qword = 0
004BB3AA  |.  C785 40F9FFFF>mov     dword ptr [ebp-6C0], 0
004BB3B4  |.  8D85 3CF9FFFF lea     eax, dword ptr [ebp-6C4]
004BB3BA  |.  50            push    eax                         ; &stored
004BB3BB  |.  8B8D 38F9FFFF mov     ecx, dword ptr [ebp-6C8]
004BB3C1  |.  E8 CA030000   call    004BB790                    ; this->load(&stored); nonzero = failure
004BB3C6  |.  85C0         test    eax, eax
004BB3C8  |.  74 0A         je      short 004BB3D4
004BB3CA  |.  B8 FEFFFFFF   mov     eax, -2                     ; -> caller shows "invalid license"
004BB3CF  |.  E9 50010000   jmp     004BB524
004BB3D4  |>  8B8D 40F9FFFF mov     ecx, dword ptr [ebp-6C0]
004BB3DA  |.  51            push    ecx                         ; stored.hi
004BB3DB  |.  8B95 3CF9FFFF mov     edx, dword ptr [ebp-6C4]
004BB3E1  |.  52            push    edx                         ; stored.lo
004BB3E2  |.  8B8D 38F9FFFF mov     ecx, dword ptr [ebp-6C8]
004BB3E8  |.  E8 D30B0000   call    004BBFC0                    ; this->check(stored) — opaque licence test
004BB3ED  |.  85C0          test    eax, eax                    ; KEY COMPARE: nonzero -> return -1 ("registered" in the caller)
004BB3EF  |.  74 08         je      short 004BB3F9
004BB3F1  |.  83C8 FF       or      eax, FFFFFFFF               ; eax = -1
004BB3F4  |.  E9 2B010000   jmp     004BB524
; --- not registered: compute trial days from the local clock
004BB3F9  |>  8D85 88F9FFFF lea     eax, dword ptr [ebp-678]
004BB3FF  |.  50            push    eax                         ; /pLocaltime
004BB400  |.  FF15 6C767900 call    dword ptr [<&KERNEL32.GetLocalTi>; \GetLocalTime — user-adjustable wall clock
004BB406  |.  C785 70F9FFFF>mov     dword ptr [ebp-690], 0      ; now (FILETIME) = 0
004BB410  |.  C785 74F9FFFF>mov     dword ptr [ebp-68C], 0
004BB41A  |.  8B8D 3CF9FFFF mov     ecx, dword ptr [ebp-6C4]
004BB420  |.  898D 54F9FFFF mov     dword ptr [ebp-6AC], ecx    ; copy stored.lo
004BB426  |.  8B95 40F9FFFF mov     edx, dword ptr [ebp-6C0]
004BB42C  |.  8995 58F9FFFF mov     dword ptr [ebp-6A8], edx    ; copy stored.hi
004BB432  |.  8D85 70F9FFFF lea     eax, dword ptr [ebp-690]
004BB438  |.  50            push    eax                         ; /pFileTime
004BB439  |.  8D8D 88F9FFFF lea     ecx, dword ptr [ebp-678]    ; |
004BB43F  |.  51            push    ecx                         ; |pSystemTime
004BB440  |.  FF15 F0757900 call    dword ptr [<&KERNEL32.SystemTime>; \SystemTimeToFileTime (return value not checked)
; elapsed = now - stored, 64-bit via sub/sbb
004BB446  |.  8B95 70F9FFFF mov     edx, dword ptr [ebp-690]
004BB44C  |.  2B95 54F9FFFF sub     edx, dword ptr [ebp-6AC]    ; lo
004BB452  |.  8B85 74F9FFFF mov     eax, dword ptr [ebp-68C]
004BB458  |.  1B85 58F9FFFF sbb     eax, dword ptr [ebp-6A8]    ; hi (with borrow)
004BB45E  |.  8995 9CFDFFFF mov     dword ptr [ebp-264], edx    ; elapsed.lo
004BB464  |.  8985 A0FDFFFF mov     dword ptr [ebp-260], eax    ; elapsed.hi
004BB46A  |.  C785 78F9FFFF>mov     dword ptr [ebp-688], 2A69C000 ; ticks_per_day.lo
004BB474  |.  C785 7CF9FFFF>mov     dword ptr [ebp-684], 0C9    ; ticks_per_day.hi -> 0xC92A69C000 = 8.64e11 (100 ns units in a day)
; limit = ticks_per_day * 0x2AC6 (10950 days ~ 30 years). Argument order
; (multiplicand lo/hi, then 0x2AC6/0) and edx:eax result match the MSVC
; 64-bit multiply helper pattern — presumably _allmul; confirm at 004EDB50.
004BB47E  |.  6A 00         push    0
004BB480  |.  68 C62A0000   push    2AC6
004BB485  |.  8B8D 7CF9FFFF mov     ecx, dword ptr [ebp-684]
004BB48B  |.  51            push    ecx
004BB48C  |.  8B95 78F9FFFF mov     edx, dword ptr [ebp-688]
004BB492  |.  52            push    edx
004BB493  |.  E8 B8260300   call    004EDB50
004BB498  |.  8985 A8FDFFFF mov     dword ptr [ebp-258], eax    ; limit.lo
004BB49E  |.  8995 ACFDFFFF mov     dword ptr [ebp-254], edx    ; limit.hi
; if (elapsed < 0) return -3   — signed 64-bit compare against 0.
; When elapsed.hi == 0 the `jb` on the unsigned low dword can never be
; taken; that arm only exists because the compiler emitted a generic
; 64-bit compare sequence.
004BB4A4  |.  83BD A0FDFFFF>cmp     dword ptr [ebp-260], 0
004BB4AB  |.  7C 29         jl      short 004BB4D6              ; hi < 0 -> clock is before the stored time
004BB4AD  |.  7F 09         jg      short 004BB4B8
004BB4AF  |.  83BD 9CFDFFFF>cmp     dword ptr [ebp-264], 0
004BB4B6  |.  72 1E         jb      short 004BB4D6              ; never taken (unsigned < 0)
; if (elapsed > limit) return -3
004BB4B8  |>  8B85 A0FDFFFF mov     eax, dword ptr [ebp-260]
004BB4BE  |.  3B85 ACFDFFFF cmp     eax, dword ptr [ebp-254]    ; elapsed.hi vs limit.hi (signed)
004BB4C4  |.  7C 17         jl      short 004BB4DD
004BB4C6  |.  7F 0E         jg      short 004BB4D6
004BB4C8  |.  8B8D 9CFDFFFF mov     ecx, dword ptr [ebp-264]
004BB4CE  |.  3B8D A8FDFFFF cmp     ecx, dword ptr [ebp-258]    ; elapsed.lo vs limit.lo (unsigned)
004BB4D4  |.  76 07         jbe     short 004BB4DD
004BB4D6  |>  B8 FDFFFFFF   mov     eax, -3                     ; out of range -> caller shows "invalid license"
004BB4DB  |.  EB 47         jmp     short 004BB524
; days = elapsed / ticks_per_day. Pushes divisor hi/lo then dividend hi/lo,
; result in eax — the MSVC 64-bit divide helper pattern; presumably
; _alldiv; confirm at 004EE000. Only the low dword of the quotient is used.
004BB4DD  |>  8B95 7CF9FFFF mov     edx, dword ptr [ebp-684]
004BB4E3  |.  52            push    edx                         ; ticks_per_day.hi
004BB4E4  |.  8B85 78F9FFFF mov     eax, dword ptr [ebp-688]
004BB4EA  |.  50            push    eax                         ; ticks_per_day.lo
004BB4EB  |.  8B8D A0FDFFFF mov     ecx, dword ptr [ebp-260]
004BB4F1  |.  51            push    ecx                         ; elapsed.hi
004BB4F2  |.  8B95 9CFDFFFF mov     edx, dword ptr [ebp-264]
004BB4F8  |.  52            push    edx                         ; elapsed.lo
004BB4F9  |.  E8 022B0300   call    004EE000
; remaining = 30 - days, clamped to 0
004BB4FE  |.  B9 1E000000   mov     ecx, 1E                     ; 30-day trial
004BB503  |.  2BC8          sub     ecx, eax
004BB505  |.  898D 5CF9FFFF mov     dword ptr [ebp-6A4], ecx
004BB50B  |.  83BD 5CF9FFFF>cmp     dword ptr [ebp-6A4], 0
004BB512  |.  7D 0A         jge     short 004BB51E
004BB514  |.  C785 5CF9FFFF>mov     dword ptr [ebp-6A4], 0      ; expired -> 0 (caller shows "trial period has expired")
004BB51E  |>  8B85 5CF9FFFF mov     eax, dword ptr [ebp-6A4]    ; eax = days remaining
004BB524  |>  5F            pop     edi
004BB525  |.  8BE5          mov     esp, ebp
004BB527  |.  5D            pop     ebp
004BB528  \.  C3            retn

根据 GetLocalTime 调用的位置判断,004BB3ED 处的 test eax,eax 是关键比较。直接把它改成 test ecx,ecx 后重新运行,启动时的注册检查被绕过了;但是在程序的注册信息页面里仍然提示注册无效,调试了很久没有头绪。(注意:改成 test ecx,ecx 之后,返回值取决于 004BBFC0 返回时 ecx 里残留的内容,这从反汇编里看不出来,并不可靠。)于是研究了一下注册过程:该软件要输入 name 和 number 之后“确定”按钮才可用,依然无解。在此恳请各位大神赐教:这个按钮的问题该如何解决,应该在哪里下断点?


别发2个帖浪费资源

这个软件虽然在启动时验证是否注册  在关于里面会访问注册表看是否有注册信息
如果没有注册信息就显示“Invalid license”,
这个关键地方就在004BBBF0 下,长跳的地方都不让它跳过去进行了或者让它在这个call里的eax值为0都可以。
2011-12-2 12:35
非常感谢这位大神的指点,在注册信息里已经有了眉目了,但是还是想请教一下,在注册时候如果注册码不对的话ok按钮是灰的,这个时候如何下断点?毕竟写出注册机才算是完美破解
2011-12-2 14:52