【文章标题】: 一款非常好用的磁盘整理软件的破解
【文章作者】: Afreet
【作者邮箱】: 659910722@qq.com
【软件名称】: UltimateDefrag
【下载地址】: http://download.pchome.net/system/disk/detail-36242-0.html
【加壳方式】: 无壳
【使用工具】: W32dsm+OD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------------------------------
【过程】:
已经完成基本的破解,只是还有些不完美,遂求助各位大神!
软件安装运行后有30天的试用期,W32dsm+OD直接来到
004BC1A0 . 64:A1 0000000>mov eax, dword ptr fs:[0]
004BC1A6 . 6A FF push -1
004BC1A8 . 68 90377700 push 00773790
004BC1AD . 50 push eax
004BC1AE . 64:8925 00000>mov dword ptr fs:[0], esp
004BC1B5 . 83EC 08 sub esp, 8
004BC1B8 . 55 push ebp
004BC1B9 . 56 push esi
004BC1BA . 57 push edi
004BC1BB . 8BF9 mov edi, ecx
004BC1BD . E8 3E550400 call 00501700
004BC1C2 . 6A 00 push 0
004BC1C4 . 6A 01 push 1
004BC1C6 . 6A 01 push 1
004BC1C8 . 8BCF mov ecx, edi
004BC1CA . E8 E1540400 call 005016B0
004BC1CF . 8DB7 FC000000 lea esi, dword ptr [edi+FC]
004BC1D5 . 68 FF000000 push 0FF
004BC1DA . 8BCE mov ecx, esi
004BC1DC . E8 DFFAF6FF call 0042BCC0
004BC1E1 . 68 E8030000 push 3E8
004BC1E6 . 6A 5A push 5A
004BC1E8 . 8BCE mov ecx, esi
004BC1EA . E8 51FAF6FF call 0042BC40
004BC1EF . E8 DCCC2800 call 00748ED0
004BC1F4 . 8B40 04 mov eax, dword ptr [eax+4]
004BC1F7 . 8D88 0C010000 lea ecx, dword ptr [eax+10C]
004BC1FD . E8 8EF1FFFF call 004BB390 ; 关键Call
004BC202 . 8BE8 mov ebp, eax
004BC204 . 83FD FF cmp ebp, -1
004BC207 . 7D 3B jge short 004BC244
004BC209 . 68 D07B8D00 push 008D7BD0 ; invalid license
004BC20E . 8BCE mov ecx, esi
004BC210 . E8 93792600 call 00723BA8
004BC215 . 68 B8AD8D00 push 008DADB8 ; continue in demo mode
004BC21A . 68 28040000 push 428
004BC21F . 8BCF mov ecx, edi
004BC221 . E8 EB762600 call 00723911
004BC226 . 8BC8 mov ecx, eax
004BC228 . E8 7B792600 call 00723BA8
004BC22D . E8 9ECC2800 call 00748ED0
004BC232 . 8B40 04 mov eax, dword ptr [eax+4]
004BC235 . C780 78020000>mov dword ptr [eax+278], 1
004BC23F . E9 14010000 jmp 004BC358
004BC244 > 75 29 jnz short 004BC26F
004BC246 . 68 8CAD8D00 push 008DAD8C ; program is registered
004BC24B . 8BCE mov ecx, esi
004BC24D . E8 56792600 call 00723BA8
004BC252 . 68 78AD8D00 push 008DAD78 ; continue
004BC257 . 68 28040000 push 428
004BC25C . 8BCF mov ecx, edi
004BC25E . E8 AE762600 call 00723911
004BC263 . 8BC8 mov ecx, eax
004BC265 . E8 3E792600 call 00723BA8
004BC26A . E9 E9000000 jmp 004BC358
004BC26F > 85ED test ebp, ebp
004BC271 . 75 47 jnz short 004BC2BA
004BC273 . 68 44AD8D00 push 008DAD44 ; trial period has expired
004BC278 . 8BCE mov ecx, esi
004BC27A . E8 29792600 call 00723BA8
004BC27F . 68 FF000000 push 0FF
004BC284 . 8BCE mov ecx, esi
004BC286 . E8 35FAF6FF call 0042BCC0
004BC28B . 68 B8AD8D00 push 008DADB8 ; continue in demo mode
004BC290 . 68 28040000 push 428
004BC295 . 8BCF mov ecx, edi
004BC297 . E8 75762600 call 00723911
004BC29C . 8BC8 mov ecx, eax
004BC29E . E8 05792600 call 00723BA8
004BC2A3 . E8 28CC2800 call 00748ED0
004BC2A8 . 8B48 04 mov ecx, dword ptr [eax+4]
004BC2AB . C781 78020000>mov dword ptr [ecx+278], 1
004BC2B5 . E9 9E000000 jmp 004BC358
004BC2BA > 8B15 40C08D00 mov edx, dword ptr [8DC040] ; Udefrag.008DC054
004BC2C0 . 895424 0C mov dword ptr [esp+C], edx
004BC2C4 . 83FD 01 cmp ebp, 1
004BC2C7 . C74424 1C 000>mov dword ptr [esp+1C], 0
004BC2CF . 75 07 jnz short 004BC2D8
004BC2D1 . 68 3CAD8D00 push 008DAD3C ; day
004BC2D6 . EB 05 jmp short 004BC2DD
004BC2D8 > 68 30AD8D00 push 008DAD30 ; days
004BC2DD > 8D4C24 10 lea ecx, dword ptr [esp+10]
004BC2E1 . E8 F18F2600 call 007252D7
004BC2E6 . A1 40C08D00 mov eax, dword ptr [8DC040]
004BC2EB . 894424 10 mov dword ptr [esp+10], eax
004BC2EF . 8B4C24 0C mov ecx, dword ptr [esp+C]
004BC2F3 . 8D5424 10 lea edx, dword ptr [esp+10]
004BC2F7 . 51 push ecx
004BC2F8 . 55 push ebp
004BC2F9 . 68 E0AC8D00 push 008DACE0 ; you have %d %s left to try this program
004BC2FE . 52 push edx
004BC2FF . C64424 2C 01 mov byte ptr [esp+2C], 1
004BC304 . E8 A0C72500 call 00718AA9
004BC309 . 8B4424 20 mov eax, dword ptr [esp+20]
004BC30D . 83C4 10 add esp, 10
004BC310 . 8BCE mov ecx, esi
004BC312 . 50 push eax
004BC313 . E8 90782600 call 00723BA8
004BC318 . 68 0000FF00 push 0FF0000
004BC31D . 8BCE mov ecx, esi
004BC31F . E8 9CF9F6FF call 0042BCC0
004BC324 . 6A 01 push 1
004BC326 . 68 28040000 push 428
004BC32B . 8BCF mov ecx, edi
004BC32D . E8 DF752600 call 00723911
004BC332 . 8BC8 mov ecx, eax
004BC334 . E8 F6792600 call 00723D2F
004BC339 . 8D4C24 10 lea ecx, dword ptr [esp+10]
004BC33D . C64424 1C 00 mov byte ptr [esp+1C], 0
004BC342 . E8 F98D2600 call 00725140
004BC347 . 8D4C24 0C lea ecx, dword ptr [esp+C]
004BC34B . C74424 1C FFF>mov dword ptr [esp+1C], -1
004BC353 . E8 E88D2600 call 00725140
004BC358 > 8B4C24 14 mov ecx, dword ptr [esp+14]
004BC35C . 5F pop edi
004BC35D . 5E pop esi
004BC35E . B8 01000000 mov eax, 1
004BC363 . 5D pop ebp
004BC364 . 64:890D 00000>mov dword ptr fs:[0], ecx
004BC36B . 83C4 14 add esp, 14
004BC36E . C3 retn
004BC36F 90 nop
004BC370 . 6A 01 push 1 ; /IsShown = 1
004BC372 . 6A 00 push 0 ; |DefDir = NULL
004BC374 . 6A 00 push 0 ; |Parameters = NULL
004BC376 . 68 E4AD8D00 push 008DADE4 ; |http://www.disktrix.com/store
004BC37B . 68 6C8F8D00 push 008D8F6C ; |Operation = "open"
004BC380 . 6A 00 push 0 ; |hWnd = NULL
004BC382 . FF15 B0777900 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteW
004BC388 . C3 retn
试过几次就发现关键Call,F7跟进:
004BB390 /$ 55 push ebp
004BB391 |. 8BEC mov ebp, esp
004BB393 |. 81EC C8060000 sub esp, 6C8
004BB399 |. 57 push edi
004BB39A |. 898D 38F9FFFF mov dword ptr [ebp-6C8], ecx
004BB3A0 |. C785 3CF9FFFF>mov dword ptr [ebp-6C4], 0
004BB3AA |. C785 40F9FFFF>mov dword ptr [ebp-6C0], 0
004BB3B4 |. 8D85 3CF9FFFF lea eax, dword ptr [ebp-6C4]
004BB3BA |. 50 push eax
004BB3BB |. 8B8D 38F9FFFF mov ecx, dword ptr [ebp-6C8]
004BB3C1 |. E8 CA030000 call 004BB790
004BB3C6 |. 85C0 test eax, eax
004BB3C8 |. 74 0A je short 004BB3D4
004BB3CA |. B8 FEFFFFFF mov eax, -2
004BB3CF |. E9 50010000 jmp 004BB524
004BB3D4 |> 8B8D 40F9FFFF mov ecx, dword ptr [ebp-6C0]
004BB3DA |. 51 push ecx
004BB3DB |. 8B95 3CF9FFFF mov edx, dword ptr [ebp-6C4]
004BB3E1 |. 52 push edx
004BB3E2 |. 8B8D 38F9FFFF mov ecx, dword ptr [ebp-6C8]
004BB3E8 |. E8 D30B0000 call 004BBFC0
004BB3ED |. 85C0 test eax, eax ; 关键比较
004BB3EF |. 74 08 je short 004BB3F9
004BB3F1 |. 83C8 FF or eax, FFFFFFFF
004BB3F4 |. E9 2B010000 jmp 004BB524
004BB3F9 |> 8D85 88F9FFFF lea eax, dword ptr [ebp-678]
004BB3FF |. 50 push eax ; /pLocaltime
004BB400 |. FF15 6C767900 call dword ptr [<&KERNEL32.GetLocalTi>; \GetLocalTime
004BB406 |. C785 70F9FFFF>mov dword ptr [ebp-690], 0
004BB410 |. C785 74F9FFFF>mov dword ptr [ebp-68C], 0
004BB41A |. 8B8D 3CF9FFFF mov ecx, dword ptr [ebp-6C4]
004BB420 |. 898D 54F9FFFF mov dword ptr [ebp-6AC], ecx
004BB426 |. 8B95 40F9FFFF mov edx, dword ptr [ebp-6C0]
004BB42C |. 8995 58F9FFFF mov dword ptr [ebp-6A8], edx
004BB432 |. 8D85 70F9FFFF lea eax, dword ptr [ebp-690]
004BB438 |. 50 push eax ; /pFileTime
004BB439 |. 8D8D 88F9FFFF lea ecx, dword ptr [ebp-678] ; |
004BB43F |. 51 push ecx ; |pSystemTime
004BB440 |. FF15 F0757900 call dword ptr [<&KERNEL32.SystemTime>; \SystemTimeToFileTime
004BB446 |. 8B95 70F9FFFF mov edx, dword ptr [ebp-690]
004BB44C |. 2B95 54F9FFFF sub edx, dword ptr [ebp-6AC]
004BB452 |. 8B85 74F9FFFF mov eax, dword ptr [ebp-68C]
004BB458 |. 1B85 58F9FFFF sbb eax, dword ptr [ebp-6A8]
004BB45E |. 8995 9CFDFFFF mov dword ptr [ebp-264], edx
004BB464 |. 8985 A0FDFFFF mov dword ptr [ebp-260], eax
004BB46A |. C785 78F9FFFF>mov dword ptr [ebp-688], 2A69C000
004BB474 |. C785 7CF9FFFF>mov dword ptr [ebp-684], 0C9
004BB47E |. 6A 00 push 0
004BB480 |. 68 C62A0000 push 2AC6
004BB485 |. 8B8D 7CF9FFFF mov ecx, dword ptr [ebp-684]
004BB48B |. 51 push ecx
004BB48C |. 8B95 78F9FFFF mov edx, dword ptr [ebp-688]
004BB492 |. 52 push edx
004BB493 |. E8 B8260300 call 004EDB50
004BB498 |. 8985 A8FDFFFF mov dword ptr [ebp-258], eax
004BB49E |. 8995 ACFDFFFF mov dword ptr [ebp-254], edx
004BB4A4 |. 83BD A0FDFFFF>cmp dword ptr [ebp-260], 0
004BB4AB |. 7C 29 jl short 004BB4D6
004BB4AD |. 7F 09 jg short 004BB4B8
004BB4AF |. 83BD 9CFDFFFF>cmp dword ptr [ebp-264], 0
004BB4B6 |. 72 1E jb short 004BB4D6
004BB4B8 |> 8B85 A0FDFFFF mov eax, dword ptr [ebp-260]
004BB4BE |. 3B85 ACFDFFFF cmp eax, dword ptr [ebp-254]
004BB4C4 |. 7C 17 jl short 004BB4DD
004BB4C6 |. 7F 0E jg short 004BB4D6
004BB4C8 |. 8B8D 9CFDFFFF mov ecx, dword ptr [ebp-264]
004BB4CE |. 3B8D A8FDFFFF cmp ecx, dword ptr [ebp-258]
004BB4D4 |. 76 07 jbe short 004BB4DD
004BB4D6 |> B8 FDFFFFFF mov eax, -3
004BB4DB |. EB 47 jmp short 004BB524
004BB4DD |> 8B95 7CF9FFFF mov edx, dword ptr [ebp-684]
004BB4E3 |. 52 push edx
004BB4E4 |. 8B85 78F9FFFF mov eax, dword ptr [ebp-688]
004BB4EA |. 50 push eax
004BB4EB |. 8B8D A0FDFFFF mov ecx, dword ptr [ebp-260]
004BB4F1 |. 51 push ecx
004BB4F2 |. 8B95 9CFDFFFF mov edx, dword ptr [ebp-264]
004BB4F8 |. 52 push edx
004BB4F9 |. E8 022B0300 call 004EE000
004BB4FE |. B9 1E000000 mov ecx, 1E
004BB503 |. 2BC8 sub ecx, eax
004BB505 |. 898D 5CF9FFFF mov dword ptr [ebp-6A4], ecx
004BB50B |. 83BD 5CF9FFFF>cmp dword ptr [ebp-6A4], 0
004BB512 |. 7D 0A jge short 004BB51E
004BB514 |. C785 5CF9FFFF>mov dword ptr [ebp-6A4], 0
004BB51E |> 8B85 5CF9FFFF mov eax, dword ptr [ebp-6A4]
004BB524 |> 5F pop edi
004BB525 |. 8BE5 mov esp, ebp
004BB527 |. 5D pop ebp
004BB528 \. C3 retn
根据调用获取系统时间的函数位置,test eax,eax是关键比较,直接改为test ecx,ecx,重新运行,直接pass注册阶段,但是在程序的注册信息里,提示无效的注册,调试了好长时间无解。遂研究了一下注册过程,该软件是输入name和number以后才可以按确定按钮,依然无解,在此恳请各位大神不惜赐教,如何解决这个按钮问题,应该怎么下断?