[原创]易恢复 EasyRecovery 中文企业版破解思路/过程-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]易恢复 EasyRecovery 中文企业版破解思路/过程

发表于: 2014-7-18 18:34 9925

[原创]易恢复 EasyRecovery 中文企业版破解思路/过程

dsong

2014-7-18 18:34

9925

====================写在前面====================
上次一个截图软件的破解思路，我已经放出来了。本来以为那是比较年轻的软件里面很好破解的了，没想到来了个更软的柿子。它的名字就叫做EasyRecovery，最近有了中文代理官方，所以它的中文名就叫做易恢复了，我冒险说出来吧。
这个软件我偷懒修改破解者信息了，所以加不加壳其实又是没用的了，顺便也就放出来了。额......

====================破解过程====================
<方法一>查找字符串......
PEiD查壳，显示：UPolyX v0.5 [Overlay] *
估计是误报，再看一下：
平均信息量：5.94 (未加密)
EP 检查：未加密
快速检查：未加密
那就确认是误报了，软件作者可能对头部做了点手脚，或者说加的壳太菜了，跟没加一样。我们不用去管它。
查找字符串，然后有5059个。看来软件代码的可读性是不错的。

一：

Ultra 字符串参考，项目 2448
 地址=0049AFD4
 反汇编=mov ecx,EREnt.0073C558
 文本字符串=demototalamountlimit
 
Ultra 字符串参考，项目 2449
 地址=0049AFD9
 反汇编=mov edx,EREnt.0073C578
 文本字符串=demo
 
Ultra 字符串参考，项目 2450
 地址=0049AFF5
 反汇编=mov ecx,EREnt.0073C588
 文本字符串=demonumberoffileslimit
 
Ultra 字符串参考，项目 2451
 地址=0049AFFA
 反汇编=mov edx,EREnt.0073C578
 文本字符串=demo
 
Ultra 字符串参考，项目 2452
 地址=0049B019
 反汇编=mov ecx,EREnt.0073C5A8
 文本字符串=demofilesizelimit
 
Ultra 字符串参考，项目 2453
 地址=0049B01E
 反汇编=mov edx,EREnt.0073C578
 文本字符串=demo
 
Ultra 字符串参考，项目 2454
 地址=0049B074
 反汇编=mov ecx,EREnt.0073C5C8
 文本字符串=demofiletypelimitfilter
 
Ultra 字符串参考，项目 2455
 地址=0049B079
 反汇编=mov edx,EREnt.0073C578
 文本字符串=demo
 
Ultra 字符串参考，项目 2456
 地址=0049B0D8
 反汇编=mov ecx,EREnt.0073C5E8
 文本字符串=shouldwritedemofilecounter
 
Ultra 字符串参考，项目 2457
 地址=0049B0DD
 反汇编=mov edx,EREnt.0073C578
 文本字符串=demo

0049AFBB  |. /0F85 46010000   jnz EREnt.0049B107                ;  这里跳过demo的文件总个数限制、大小限制、类型限制等
0049AFC1  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049AFC4  |. |C640 04 01      mov byte ptr ds:[eax+4],1
0049AFC8  |. |6A 00           push 0                            ; /Arg2 = 00000000
0049AFCA  |. |68 00400100     push 14000                        ; |Arg1 = 00014000
0049AFCF  |. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
0049AFD4  |. |B9 58C57300     mov ecx,EREnt.0073C558            ; |demototalamountlimit
0049AFD9  |. |BA 78C57300     mov edx,EREnt.0073C578            ; |demo
0049AFDE  |. |E8 1D320000     call EREnt.0049E200               ; \EREnt.0049E200
0049AFE3  |. |8B4D F8         mov ecx,dword ptr ss:[ebp-8]
0049AFE6  |. |8941 18         mov dword ptr ds:[ecx+18],eax
0049AFE9  |. |8951 1C         mov dword ptr ds:[ecx+1C],edx
0049AFEC  |. |6A 00           push 0                            ; /Arg2 = 00000000
0049AFEE  |. |6A 0A           push 0A                           ; |Arg1 = 0000000A
0049AFF0  |. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
0049AFF5  |. |B9 88C57300     mov ecx,EREnt.0073C588            ; |demonumberoffileslimit
0049AFFA  |. |BA 78C57300     mov edx,EREnt.0073C578            ; |demo
0049AFFF  |. |E8 FC310000     call EREnt.0049E200               ; \EREnt.0049E200
0049B004  |. |8B4D F8         mov ecx,dword ptr ss:[ebp-8]
0049B007  |. |8941 20         mov dword ptr ds:[ecx+20],eax
0049B00A  |. |8951 24         mov dword ptr ds:[ecx+24],edx
0049B00D  |. |6A 00           push 0                            ; /Arg2 = 00000000
0049B00F  |. |68 00280000     push 2800                         ; |Arg1 = 00002800
0049B014  |. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
0049B019  |. |B9 A8C57300     mov ecx,EREnt.0073C5A8            ; |demofilesizelimit
0049B01E  |. |BA 78C57300     mov edx,EREnt.0073C578            ; |demo
0049B023  |. |E8 D8310000     call EREnt.0049E200               ; \EREnt.0049E200
0049B028  |. |8B4D F8         mov ecx,dword ptr ss:[ebp-8]
0049B02B  |. |8941 30         mov dword ptr ds:[ecx+30],eax
0049B02E  |. |8951 34         mov dword ptr ds:[ecx+34],edx
0049B031  |. |8D45 A4         lea eax,dword ptr ss:[ebp-5C]
0049B034  |. |E8 87A1F6FF     call EREnt.004051C0
0049B039  |. |C745 A4 0000000>mov dword ptr ss:[ebp-5C],0
0049B040  |. |BA 9C0B7000     mov edx,EREnt.00700B9C
0049B045  |. |8D45 90         lea eax,dword ptr ss:[ebp-70]
0049B048  |. |E8 B338F7FF     call EREnt.0040E900
0049B04D  |. |BA 9C0B7000     mov edx,EREnt.00700B9C
0049B052  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049B055  |. |E8 A638F7FF     call EREnt.0040E900
0049B05A  |. |8D55 80         lea edx,dword ptr ss:[ebp-80]
0049B05D  |. |B8 BCC57300     mov eax,EREnt.0073C5BC
0049B062  |. |E8 E92FF7FF     call EREnt.0040E050
0049B067  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049B06A  |. |50              push eax                          ; /Arg2
0049B06B  |. |8D45 90         lea eax,dword ptr ss:[ebp-70]     ; |
0049B06E  |. |50              push eax                          ; |Arg1
0049B06F  |. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
0049B074  |. |B9 C8C57300     mov ecx,EREnt.0073C5C8            ; |demofiletypelimitfilter
0049B079  |. |BA 78C57300     mov edx,EREnt.0073C578            ; |demo
0049B07E  |. |E8 FD2D0000     call EREnt.0049DE80               ; \EREnt.0049DE80
0049B083  |. |8D45 90         lea eax,dword ptr ss:[ebp-70]
0049B086  |. |8D55 A4         lea edx,dword ptr ss:[ebp-5C]
0049B089  |. |E8 D232F7FF     call EREnt.0040E360
0049B08E  |. |8B45 A4         mov eax,dword ptr ss:[ebp-5C]
0049B091  |. |E8 3AD9F6FF     call EREnt.004089D0
0049B096  |. |8B5D F8         mov ebx,dword ptr ss:[ebp-8]
0049B099  |. |8D43 28         lea eax,dword ptr ds:[ebx+28]
0049B09C  |. |E8 1FA1F6FF     call EREnt.004051C0
0049B0A1  |. |8B45 A4         mov eax,dword ptr ss:[ebp-5C]
0049B0A4  |. |8943 28         mov dword ptr ds:[ebx+28],eax
0049B0A7  |. |BA 9C0B7000     mov edx,EREnt.00700B9C
0049B0AC  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049B0AF  |. |E8 4C38F7FF     call EREnt.0040E900
0049B0B4  |. |BA 9C0B7000     mov edx,EREnt.00700B9C
0049B0B9  |. |8D45 90         lea eax,dword ptr ss:[ebp-70]
0049B0BC  |. |E8 3F38F7FF     call EREnt.0040E900
0049B0C1  |. |8D55 90         lea edx,dword ptr ss:[ebp-70]
0049B0C4  |. |B0 01           mov al,1
0049B0C6  |. |E8 352FF7FF     call EREnt.0040E000
0049B0CB  |. |8D45 90         lea eax,dword ptr ss:[ebp-70]
0049B0CE  |. |50              push eax                          ; /Arg2
0049B0CF  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]     ; |
0049B0D2  |. |50              push eax                          ; |Arg1
0049B0D3  |. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
0049B0D8  |. |B9 E8C57300     mov ecx,EREnt.0073C5E8            ; |shouldwritedemofilecounter
0049B0DD  |. |BA 78C57300     mov edx,EREnt.0073C578            ; |demo
0049B0E2  |. |E8 992D0000     call EREnt.0049DE80               ; \EREnt.0049DE80
0049B0E7  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049B0EA  |. |E8 5132F7FF     call EREnt.0040E340
0049B0EF  |. |8B55 F8         mov edx,dword ptr ss:[ebp-8]
0049B0F2  |. |8842 38         mov byte ptr ds:[edx+38],al
0049B0F5  |. |8B5D F8         mov ebx,dword ptr ss:[ebp-8]
0049B0F8  |. |8D43 40         lea eax,dword ptr ds:[ebx+40]
0049B0FB  |. |E8 C0A0F6FF     call EREnt.004051C0
0049B100  |. |C743 40 0000000>mov dword ptr ds:[ebx+40],0
0049B107  |> \E8 042AF7FF     call EREnt.0040DB10

二：

Ultra 字符串参考，项目 2495
 地址=0049BDDE
 反汇编=mov edx,EREnt.0073C918
 文本字符串=demo
......
Ultra 字符串参考，项目 2497
 地址=0049BDFD
 反汇编=mov ebx,EREnt.0073C918
 文本字符串=demo
......

0049BD58  |. /0F85 0B010000   jnz EREnt.0049BE69                ;  此处不能跳, nop
0049BD5E  |. |8D85 6CFFFFFF   lea eax,dword ptr ss:[ebp-94]
0049BD64  |. |E8 5794F6FF     call EREnt.004051C0
0049BD69  |. |C785 6CFFFFFF 0>mov dword ptr ss:[ebp-94],0
0049BD73  |. |BA 9C0B7000     mov edx,EREnt.00700B9C
0049BD78  |. |8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-90]
0049BD7E  |. |E8 7D2BF7FF     call EREnt.0040E900
0049BD83  |. |BA 9C0B7000     mov edx,EREnt.00700B9C
0049BD88  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049BD8B  |. |E8 702BF7FF     call EREnt.0040E900
0049BD90  |. |8D55 80         lea edx,dword ptr ss:[ebp-80]
0049BD93  |. |B8 F4C87300     mov eax,EREnt.0073C8F4            ;  ASCII 04,"DEMO"
0049BD98  |. |E8 B322F7FF     call EREnt.0040E050
0049BD9D  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049BDA0  |. |50              push eax                          ; /Arg2
0049BDA1  |. |8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-90]     ; |
0049BDA7  |. |50              push eax                          ; |Arg1
0049BDA8  |. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
0049BDAD  |. |B9 04C97300     mov ecx,EREnt.0073C904            ; |runningmode
0049BDB2  |. |BA ECC87300     mov edx,EREnt.0073C8EC            ; |license
0049BDB7  |. |E8 C4200000     call EREnt.0049DE80               ; \EREnt.0049DE80
0049BDBC  |. |8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-90]
0049BDC2  |. |8D95 6CFFFFFF   lea edx,dword ptr ss:[ebp-94]
0049BDC8  |. |E8 9325F7FF     call EREnt.0040E360
0049BDCD  |. |8B85 6CFFFFFF   mov eax,dword ptr ss:[ebp-94]
0049BDD3  |. |8D55 EC         lea edx,dword ptr ss:[ebp-14]
0049BDD6  |. |E8 D5AFF7FF     call EREnt.00416DB0
0049BDDB  |. |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049BDDE  |. |BA 18C97300     mov edx,EREnt.0073C918            ;  demo
0049BDE3  |. |E8 48D1F6FF     call EREnt.00408F30
0049BDE8  |. |85C0            test eax,eax
0049BDEA  |. |74 21           je short EREnt.0049BE0D           ;  此处不能跳，下面Full的Call要执行
0049BDEC  |. |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049BDEF  |. |BA 28C97300     mov edx,EREnt.0073C928            ;  full
0049BDF4  |. |E8 37D1F6FF     call EREnt.00408F30
0049BDF9  |. |85C0            test eax,eax
0049BDFB  |. |74 10           je short EREnt.0049BE0D           ;  此处必须跳，下面demo不能执行
0049BDFD  |. |BB 18C97300     mov ebx,EREnt.0073C918            ;  demo
0049BE02  |. |8D45 EC         lea eax,dword ptr ss:[ebp-14]
0049BE05  |. |E8 B693F6FF     call EREnt.004051C0
0049BE0A  |. |895D EC         mov dword ptr ss:[ebp-14],ebx
0049BE0D  |> |8B45 EC         mov eax,dword ptr ss:[ebp-14]

三：

Ultra 字符串参考
 反汇编=mov ecx,EREnt.00708F58
 文本字符串= demo

|. /74 50           je short EREnt.00436D39           ;  这里je改成jmp跳过demo显示
|. |8D45 84         lea eax,dword ptr ss:[ebp-7C]
|. |E8 CFE4FCFF     call EREnt.004051C0
|. |C745 84 0000000>mov dword ptr ss:[ebp-7C],0
|. |8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-90]
|. |E8 BDE4FCFF     call EREnt.004051C0
|. |C785 70FFFFFF 0>mov dword ptr ss:[ebp-90],0
|. |8D95 70FFFFFF   lea edx,dword ptr ss:[ebp-90]
|. |8B45 FC         mov eax,dword ptr ss:[ebp-4]
|. |E8 C5940500     call EREnt.004901E0
|. |8B95 70FFFFFF   mov edx,dword ptr ss:[ebp-90]
|. |8D45 84         lea eax,dword ptr ss:[ebp-7C]
|. |B9 588F7000     mov ecx,EREnt.00708F58            ;   demo
|. |E8 D21CFDFF     call EREnt.00408A00
|. |8B55 84         mov edx,dword ptr ss:[ebp-7C]
|. |8B45 FC         mov eax,dword ptr ss:[ebp-4]
|. |E8 07DB0500     call EREnt.00494840
|> \8B45 FC         mov eax,dword ptr ss:[ebp-4]

四：

Ultra 字符串参考，项目 810
 地址=0043F7D7
 反汇编=mov ecx,EREnt.0070B210
 文本字符串=actionbuynowvisible
......

|. /74 50           je short EREnt.0043F7F6           ;  跳过现在购买窗口, je改jmp
|. |BA 9C0B7000     mov edx,EREnt.00700B9C
|. |8D45 98         lea eax,dword ptr ss:[ebp-68]
|. |E8 4DF1FCFF     call EREnt.0040E900
|. |BA 9C0B7000     mov edx,EREnt.00700B9C
|. |8D45 B0         lea eax,dword ptr ss:[ebp-50]
|. |E8 40F1FCFF     call EREnt.0040E900
|. |8D55 B0         lea edx,dword ptr ss:[ebp-50]
|. |B0 01           mov al,1
|. |E8 36E8FCFF     call EREnt.0040E000
|. |8D45 B0         lea eax,dword ptr ss:[ebp-50]
|. |50              push eax                          ; /Arg2
|. |8D45 98         lea eax,dword ptr ss:[ebp-68]     ; |
|. |50              push eax                          ; |Arg1
|. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
|. |B9 10B27000     mov ecx,EREnt.0070B210            ; |actionbuynowvisible
|. |BA 9C907000     mov edx,EREnt.0070909C            ; |main
|. |E8 9AE60500     call EREnt.0049DE80               ; \EREnt.0049DE80
|. |8D45 98         lea eax,dword ptr ss:[ebp-68]
|. |E8 52EBFCFF     call EREnt.0040E340
|. |84C0            test al,al
|. |74 04           je short EREnt.0043F7F6
|. |B2 01           mov dl,1
|. |EB 02           jmp short EREnt.0043F7F8
|> \B2 00           mov dl,0

五：

Ultra 字符串参考，项目 812
 地址=0043F848
 反汇编=mov ecx,EREnt.0070B22C
 文本字符串=actionlicenseactivatevisible
......

|. /74 50           je short EREnt.0043F867           ;  跳过注册激活窗口, je改jmp
|. |BA 9C0B7000     mov edx,EREnt.00700B9C
|. |8D45 98         lea eax,dword ptr ss:[ebp-68]
|. |E8 DCF0FCFF     call EREnt.0040E900
|. |BA 9C0B7000     mov edx,EREnt.00700B9C
|. |8D45 B0         lea eax,dword ptr ss:[ebp-50]
|. |E8 CFF0FCFF     call EREnt.0040E900
|. |8D55 B0         lea edx,dword ptr ss:[ebp-50]
|. |B0 01           mov al,1
|. |E8 C5E7FCFF     call EREnt.0040E000
|. |8D45 B0         lea eax,dword ptr ss:[ebp-50]
|. |50              push eax                          ; /Arg2
|. |8D45 98         lea eax,dword ptr ss:[ebp-68]     ; |
|. |50              push eax                          ; |Arg1
|. |A1 C0D87300     mov eax,dword ptr ds:[73D8C0]     ; |
|. |B9 2CB27000     mov ecx,EREnt.0070B22C            ; |actionlicenseactivatevisible
|. |BA 9C907000     mov edx,EREnt.0070909C            ; |main
|. |E8 29E60500     call EREnt.0049DE80               ; \EREnt.0049DE80
|. |8D45 98         lea eax,dword ptr ss:[ebp-68]
|. |E8 E1EAFCFF     call EREnt.0040E340
|. |84C0            test al,al
|. |74 04           je short EREnt.0043F867
|. |B2 01           mov dl,1
|. |EB 02           jmp short EREnt.0043F869
|> \B2 00           mov dl,0

六：

Ultra 字符串参考，项目 2460
 地址=0049B459
 反汇编=mov eax,EREnt.0073C638
 文本字符串=demototalamountlimit=%d, totalamountsaved=%d, demonumberoffileslimit=%d, numberoffilessaved=%d, demofilesizelimit=%d, itemsize=%d, demolimitreached=%d
 
Ultra 字符串参考，项目 2461
 地址=0049B502
 反汇编=mov ecx,EREnt.0073C6D8
 文本字符串=demofiletypelimitfilter=%s - skipping %s
 
Ultra 字符串参考，项目 2462
 地址=0049B55A
 反汇编=mov eax,EREnt.0073C70C
 文本字符串=demomsgstart
......
Ultra 字符串参考，项目 2464
 地址=0049B5B9
 反汇编=mov eax,EREnt.0073C730
 文本字符串=demomsgfiles
......
Ultra 字符串参考，项目 2467
 地址=0049B65B
 反汇编=mov eax,EREnt.0073C754
 文本字符串=demomsgmaxfilesize
......
Ultra 字符串参考，项目 2470
 地址=0049B6FD
 反汇编=mov eax,EREnt.0073C770
 文本字符串=demomsgtotalamount
......
Ultra 字符串参考，项目 2472
 地址=0049B775
 反汇编=mov eax,EREnt.0073C78C
 文本字符串=demomsgend
......
Ultra 字符串参考，项目 2474
 地址=0049B7B5
 反汇编=mov eax,EREnt.0073C7A0
 文本字符串=demomsgendbuy
 
Ultra 字符串参考，项目 2475
 地址=0049B822
 反汇编=mov ecx,EREnt.0073C7B8
 文本字符串=exception occured

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

0049B2C9  |. /0F85 8F050000   jnz EREnt.0049B85E                ;  此处je改jmp, 跳过demo各种限制、提示等
0049B2CF  |. |C645 F4 01      mov byte ptr ss:[ebp-C],1
0049B2D3  |. |8B5D F8         mov ebx,dword ptr ss:[ebp-8]
0049B2D6  |. |8D43 3C         lea eax,dword ptr ds:[ebx+3C]
0049B2D9  |. |E8 E29EF6FF     call EREnt.004051C0
0049B2DE  |. |C743 3C 0000000>mov dword ptr ds:[ebx+3C],0
0049B2E5  |. |8D4D B4         lea ecx,dword ptr ss:[ebp-4C]
0049B2E8  |. |8D55 9C         lea edx,dword ptr ss:[ebp-64]
0049B2EB  |. |B8 01000000     mov eax,1
0049B2F0  |. |E8 4B25F7FF     call EREnt.0040D840
0049B2F5  |. |E8 F646F7FF     call EREnt.0040F9F0
0049B2FA  |. |50              push eax
0049B2FB  |. |85C0            test eax,eax
0049B2FD  |. |0F85 EB040000   jnz EREnt.0049B7EE
0049B303  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B306  |. |8A40 04         mov al,byte ptr ds:[eax+4]
0049B309  |. |84C0            test al,al
0049B30B  |. |0F84 45050000   je EREnt.0049B856
0049B311  |. |C645 F4 00      mov byte ptr ss:[ebp-C],0
0049B315  |. |C645 F0 00      mov byte ptr ss:[ebp-10],0
0049B319  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B31C  |. |8B50 18         mov edx,dword ptr ds:[eax+18]
0049B31F  |. |8B40 1C         mov eax,dword ptr ds:[eax+1C]
0049B322  |. |83F8 FF         cmp eax,-1
0049B325  |. |75 05           jnz short EREnt.0049B32C
0049B327  |. |83FA FF         cmp edx,-1
0049B32A  |. |74 22           je short EREnt.0049B34E
0049B32C  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B32F  |. |8B48 08         mov ecx,dword ptr ds:[eax+8]
0049B332  |. |8B40 0C         mov eax,dword ptr ds:[eax+C]
0049B335  |. |034D 08         add ecx,dword ptr ss:[ebp+8]
0049B338  |. |1345 0C         adc eax,dword ptr ss:[ebp+C]
0049B33B  |. |8B55 F8         mov edx,dword ptr ss:[ebp-8]
0049B33E  |. |3B42 1C         cmp eax,dword ptr ds:[edx+1C]
0049B341  |. |7F 07           jg short EREnt.0049B34A
0049B343  |. |7C 09           jl short EREnt.0049B34E
0049B345  |. |3B4A 18         cmp ecx,dword ptr ds:[edx+18]
0049B348  |. |76 04           jbe short EREnt.0049B34E
0049B34A  |> |C645 F0 01      mov byte ptr ss:[ebp-10],1
0049B34E  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B351  |. |8B50 20         mov edx,dword ptr ds:[eax+20]
0049B354  |. |8B40 24         mov eax,dword ptr ds:[eax+24]
0049B357  |. |83F8 FF         cmp eax,-1
0049B35A  |. |75 05           jnz short EREnt.0049B361
0049B35C  |. |83FA FF         cmp edx,-1
0049B35F  |. |74 1C           je short EREnt.0049B37D
0049B361  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B364  |. |8B55 F8         mov edx,dword ptr ss:[ebp-8]
0049B367  |. |8B48 10         mov ecx,dword ptr ds:[eax+10]
0049B36A  |. |8B40 14         mov eax,dword ptr ds:[eax+14]
0049B36D  |. |3B42 24         cmp eax,dword ptr ds:[edx+24]
0049B370  |. |7F 07           jg short EREnt.0049B379
0049B372  |. |7C 09           jl short EREnt.0049B37D
0049B374  |. |3B4A 20         cmp ecx,dword ptr ds:[edx+20]
0049B377  |. |72 04           jb short EREnt.0049B37D
0049B379  |> |C645 F0 01      mov byte ptr ss:[ebp-10],1
0049B37D  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B380  |. |8B50 30         mov edx,dword ptr ds:[eax+30]
0049B383  |. |8B40 34         mov eax,dword ptr ds:[eax+34]
0049B386  |. |83F8 FF         cmp eax,-1
0049B389  |. |75 05           jnz short EREnt.0049B390
0049B38B  |. |83FA FF         cmp edx,-1
0049B38E  |. |74 19           je short EREnt.0049B3A9
0049B390  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B393  |. |8B50 30         mov edx,dword ptr ds:[eax+30]
0049B396  |. |8B40 34         mov eax,dword ptr ds:[eax+34]
0049B399  |. |3B45 0C         cmp eax,dword ptr ss:[ebp+C]
0049B39C  |. |7C 07           jl short EREnt.0049B3A5
0049B39E  |. |7F 09           jg short EREnt.0049B3A9
0049B3A0  |. |3B55 08         cmp edx,dword ptr ss:[ebp+8]
0049B3A3  |. |73 04           jnb short EREnt.0049B3A9
0049B3A5  |> |C645 F0 01      mov byte ptr ss:[ebp-10],1
0049B3A9  |> |8A45 F0         mov al,byte ptr ss:[ebp-10]
0049B3AC  |. |84C0            test al,al
0049B3AE  |. |0F9445 F4       sete byte ptr ss:[ebp-C]
0049B3B2  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B3B5  |. |E8 069EF6FF     call EREnt.004051C0
0049B3BA  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B3C1  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B3C4  |. |50              push eax                          ; /Arg1
0049B3C5  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B3C8  |. |83C0 18         add eax,18                        ; |
0049B3CB  |. |8985 5CFFFFFF   mov dword ptr ss:[ebp-A4],eax     ; |
0049B3D1  |. |C785 58FFFFFF 1>mov dword ptr ss:[ebp-A8],10      ; |
0049B3DB  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B3DE  |. |83C0 08         add eax,8                         ; |
0049B3E1  |. |8985 64FFFFFF   mov dword ptr ss:[ebp-9C],eax     ; |
0049B3E7  |. |C785 60FFFFFF 1>mov dword ptr ss:[ebp-A0],10      ; |
0049B3F1  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B3F4  |. |83C0 20         add eax,20                        ; |
0049B3F7  |. |8985 6CFFFFFF   mov dword ptr ss:[ebp-94],eax     ; |
0049B3FD  |. |C785 68FFFFFF 1>mov dword ptr ss:[ebp-98],10      ; |
0049B407  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B40A  |. |83C0 10         add eax,10                        ; |
0049B40D  |. |8985 74FFFFFF   mov dword ptr ss:[ebp-8C],eax     ; |
0049B413  |. |C785 70FFFFFF 1>mov dword ptr ss:[ebp-90],10      ; |
0049B41D  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B420  |. |83C0 30         add eax,30                        ; |
0049B423  |. |8985 7CFFFFFF   mov dword ptr ss:[ebp-84],eax     ; |
0049B429  |. |C785 78FFFFFF 1>mov dword ptr ss:[ebp-88],10      ; |
0049B433  |. |8D45 08         lea eax,dword ptr ss:[ebp+8]      ; |
0049B436  |. |8945 84         mov dword ptr ss:[ebp-7C],eax     ; |
0049B439  |. |C745 80 1100000>mov dword ptr ss:[ebp-80],11      ; |
0049B440  |. |0FB645 F0       movzx eax,byte ptr ss:[ebp-10]    ; |
0049B444  |. |8945 8C         mov dword ptr ss:[ebp-74],eax     ; |
0049B447  |. |C745 88 0000000>mov dword ptr ss:[ebp-78],0       ; |
0049B44E  |. |8D95 58FFFFFF   lea edx,dword ptr ss:[ebp-A8]     ; |
0049B454  |. |B9 06000000     mov ecx,6                         ; |
0049B459  |. |B8 38C67300     mov eax,EREnt.0073C638            ; |demototalamountlimit=%d, totalamountsaved=%d, demonumberoffileslimit=%d, numberoffilessaved=%d, demofilesizelimit=%d, itemsize=%d, demolimitreached=%d
0049B45E  |. |E8 5DD9F7FF     call EREnt.00418DC0               ; \EREnt.00418DC0
0049B463  |. |8B4D 94         mov ecx,dword ptr ss:[ebp-6C]
0049B466  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B469  |. |BA 04000000     mov edx,4
0049B46E  |. |E8 CD040F00     call EREnt.0058B940
0049B473  |. |8A45 F0         mov al,byte ptr ss:[ebp-10]
0049B476  |. |84C0            test al,al
0049B478  |. |0F85 9C000000   jnz EREnt.0049B51A
0049B47E  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B481  |. |8B40 28         mov eax,dword ptr ds:[eax+28]
0049B484  |. |85C0            test eax,eax
0049B486  |. |0F84 8E000000   je EREnt.0049B51A
0049B48C  |. |8B45 FC         mov eax,dword ptr ss:[ebp-4]
0049B48F  |. |85C0            test eax,eax
0049B491  |. |0F84 83000000   je EREnt.0049B51A
0049B497  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B49A  |. |E8 219DF6FF     call EREnt.004051C0
0049B49F  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B4A6  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B4A9  |. |8B40 28         mov eax,dword ptr ds:[eax+28]
0049B4AC  |. |85C0            test eax,eax
0049B4AE  |. |74 03           je short EREnt.0049B4B3
0049B4B0  |. |8B40 FC         mov eax,dword ptr ds:[eax-4]
0049B4B3  |> |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B4B6  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B4B9  |. |50              push eax                          ; /Arg1
0049B4BA  |. |8B4D 8C         mov ecx,dword ptr ss:[ebp-74]     ; |
0049B4BD  |. |8B45 FC         mov eax,dword ptr ss:[ebp-4]      ; |
0049B4C0  |. |BA 01000000     mov edx,1                         ; |
0049B4C5  |. |E8 76DCF6FF     call EREnt.00409140               ; \EREnt.00409140
0049B4CA  |. |8B45 94         mov eax,dword ptr ss:[ebp-6C]
0049B4CD  |. |8B55 F8         mov edx,dword ptr ss:[ebp-8]
0049B4D0  |. |8B52 28         mov edx,dword ptr ds:[edx+28]
0049B4D3  |. |E8 58DAF6FF     call EREnt.00408F30
0049B4D8  |. |85C0            test eax,eax
0049B4DA  |. |74 3E           je short EREnt.0049B51A
0049B4DC  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B4DF  |. |8B40 28         mov eax,dword ptr ds:[eax+28]
0049B4E2  |. |8945 84         mov dword ptr ss:[ebp-7C],eax
0049B4E5  |. |C745 80 0B00000>mov dword ptr ss:[ebp-80],0B
0049B4EC  |. |8B45 FC         mov eax,dword ptr ss:[ebp-4]
0049B4EF  |. |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B4F2  |. |C745 88 0B00000>mov dword ptr ss:[ebp-78],0B
0049B4F9  |. |8D45 80         lea eax,dword ptr ss:[ebp-80]
0049B4FC  |. |50              push eax                          ; /Arg2
0049B4FD  |. |6A 01           push 1                            ; |Arg1 = 00000001
0049B4FF  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B502  |. |B9 D8C67300     mov ecx,EREnt.0073C6D8            ; |demofiletypelimitfilter=%s - skipping %s
0049B507  |. |BA 04000000     mov edx,4                         ; |
0049B50C  |. |E8 3F030F00     call EREnt.0058B850               ; \EREnt.0058B850
0049B511  |. |C645 F4 00      mov byte ptr ss:[ebp-C],0
0049B515  |. |E9 3C030000     jmp EREnt.0049B856
0049B51A  |> |8A45 F0         mov al,byte ptr ss:[ebp-10]
0049B51D  |. |84C0            test al,al
0049B51F  |. |75 2C           jnz short EREnt.0049B54D
0049B521  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B524  |. |8B5D 08         mov ebx,dword ptr ss:[ebp+8]
0049B527  |. |8B55 0C         mov edx,dword ptr ss:[ebp+C]
0049B52A  |. |8B48 08         mov ecx,dword ptr ds:[eax+8]
0049B52D  |. |8B70 0C         mov esi,dword ptr ds:[eax+C]
0049B530  |. |01D9            add ecx,ebx
0049B532  |. |11D6            adc esi,edx
0049B534  |. |8948 08         mov dword ptr ds:[eax+8],ecx
0049B537  |. |8970 0C         mov dword ptr ds:[eax+C],esi
0049B53A  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B53D  |. |8340 10 01      add dword ptr ds:[eax+10],1
0049B541  |. |8350 14 00      adc dword ptr ds:[eax+14],0
0049B545  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B548  |. |E8 33040000     call EREnt.0049B980
0049B54D  |> |807D F0 00      cmp byte ptr ss:[ebp-10],0
0049B551  |. |0F84 97020000   je EREnt.0049B7EE
0049B557  |. |8D55 EC         lea edx,dword ptr ss:[ebp-14]
0049B55A  |. |B8 0CC77300     mov eax,EREnt.0073C70C            ;  demomsgstart
0049B55F  |. |E8 6CE8FBFF     call EREnt.00459DD0
0049B564  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B567  |. |8B50 20         mov edx,dword ptr ds:[eax+20]
0049B56A  |. |8B40 24         mov eax,dword ptr ds:[eax+24]
0049B56D  |. |83F8 FF         cmp eax,-1
0049B570  |. |75 05           jnz short EREnt.0049B577
0049B572  |. |83FA FF         cmp edx,-1
0049B575  |. |74 62           je short EREnt.0049B5D9
0049B577  |> |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B57A  |. |8945 84         mov dword ptr ss:[ebp-7C],eax
0049B57D  |. |B8 24C77300     mov eax,EREnt.0073C724            ;  \n
0049B582  |. |8945 88         mov dword ptr ss:[ebp-78],eax
0049B585  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B588  |. |E8 339CF6FF     call EREnt.004051C0
0049B58D  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B594  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B597  |. |50              push eax                          ; /Arg1
0049B598  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B59B  |. |83C0 20         add eax,20                        ; |
0049B59E  |. |8985 5CFFFFFF   mov dword ptr ss:[ebp-A4],eax     ; |
0049B5A4  |. |C785 58FFFFFF 1>mov dword ptr ss:[ebp-A8],10      ; |
0049B5AE  |. |8D95 58FFFFFF   lea edx,dword ptr ss:[ebp-A8]     ; |
0049B5B4  |. |B9 00000000     mov ecx,0                         ; |
0049B5B9  |. |B8 30C77300     mov eax,EREnt.0073C730            ; |demomsgfiles
0049B5BE  |. |E8 6DE8FBFF     call EREnt.00459E30               ; \EREnt.00459E30
0049B5C3  |. |8B45 94         mov eax,dword ptr ss:[ebp-6C]
0049B5C6  |. |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B5C9  |. |8D55 84         lea edx,dword ptr ss:[ebp-7C]
0049B5CC  |. |8D45 EC         lea eax,dword ptr ss:[ebp-14]
0049B5CF  |. |B9 02000000     mov ecx,2
0049B5D4  |. |E8 97D5F6FF     call EREnt.00408B70
0049B5D9  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B5DC  |. |8B50 30         mov edx,dword ptr ds:[eax+30]
0049B5DF  |. |8B40 34         mov eax,dword ptr ds:[eax+34]
0049B5E2  |. |83F8 FF         cmp eax,-1
0049B5E5  |. |75 09           jnz short EREnt.0049B5F0
0049B5E7  |. |83FA FF         cmp edx,-1
0049B5EA  |. |0F84 8B000000   je EREnt.0049B67B
0049B5F0  |> |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B5F3  |. |8945 80         mov dword ptr ss:[ebp-80],eax
0049B5F6  |. |B8 48C77300     mov eax,EREnt.0073C748            ;  ,
0049B5FB  |. |8945 84         mov dword ptr ss:[ebp-7C],eax
0049B5FE  |. |B8 24C77300     mov eax,EREnt.0073C724            ;  \n
0049B603  |. |8945 88         mov dword ptr ss:[ebp-78],eax
0049B606  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B609  |. |E8 B29BF6FF     call EREnt.004051C0
0049B60E  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B615  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B618  |. |50              push eax                          ; /Arg1
0049B619  |. |6A 00           push 0                            ; |/Arg4 = 00000000
0049B61B  |. |68 00040000     push 400                          ; ||Arg3 = 00000400
0049B620  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; ||
0049B623  |. |FF70 34         push dword ptr ds:[eax+34]        ; ||Arg2
0049B626  |. |FF70 30         push dword ptr ds:[eax+30]        ; ||Arg1
0049B629  |. |E8 52D0F6FF     call EREnt.00408680               ; |\EREnt.00408680
0049B62E  |. |8985 70FFFFFF   mov dword ptr ss:[ebp-90],eax     ; |
0049B634  |. |8995 74FFFFFF   mov dword ptr ss:[ebp-8C],edx     ; |
0049B63A  |. |8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-90]     ; |
0049B640  |. |8985 7CFFFFFF   mov dword ptr ss:[ebp-84],eax     ; |
0049B646  |. |C785 78FFFFFF 1>mov dword ptr ss:[ebp-88],10      ; |
0049B650  |. |8D95 78FFFFFF   lea edx,dword ptr ss:[ebp-88]     ; |
0049B656  |. |B9 00000000     mov ecx,0                         ; |
0049B65B  |. |B8 54C77300     mov eax,EREnt.0073C754            ; |demomsgmaxfilesize
0049B660  |. |E8 CBE7FBFF     call EREnt.00459E30               ; \EREnt.00459E30
0049B665  |. |8B45 94         mov eax,dword ptr ss:[ebp-6C]
0049B668  |. |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B66B  |. |8D55 80         lea edx,dword ptr ss:[ebp-80]
0049B66E  |. |8D45 EC         lea eax,dword ptr ss:[ebp-14]
0049B671  |. |B9 03000000     mov ecx,3
0049B676  |. |E8 F5D4F6FF     call EREnt.00408B70
0049B67B  |> |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B67E  |. |8B50 18         mov edx,dword ptr ds:[eax+18]
0049B681  |. |8B40 1C         mov eax,dword ptr ds:[eax+1C]
0049B684  |. |83F8 FF         cmp eax,-1
0049B687  |. |75 09           jnz short EREnt.0049B692
0049B689  |. |83FA FF         cmp edx,-1
0049B68C  |. |0F84 8B000000   je EREnt.0049B71D
0049B692  |> |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B695  |. |8945 80         mov dword ptr ss:[ebp-80],eax
0049B698  |. |B8 48C77300     mov eax,EREnt.0073C748            ;  ,
0049B69D  |. |8945 84         mov dword ptr ss:[ebp-7C],eax
0049B6A0  |. |B8 24C77300     mov eax,EREnt.0073C724            ;  \n
0049B6A5  |. |8945 88         mov dword ptr ss:[ebp-78],eax
0049B6A8  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B6AB  |. |E8 109BF6FF     call EREnt.004051C0
0049B6B0  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B6B7  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B6BA  |. |50              push eax                          ; /Arg1
0049B6BB  |. |6A 00           push 0                            ; |/Arg4 = 00000000
0049B6BD  |. |68 00040000     push 400                          ; ||Arg3 = 00000400
0049B6C2  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; ||
0049B6C5  |. |FF70 1C         push dword ptr ds:[eax+1C]        ; ||Arg2
0049B6C8  |. |FF70 18         push dword ptr ds:[eax+18]        ; ||Arg1
0049B6CB  |. |E8 B0CFF6FF     call EREnt.00408680               ; |\EREnt.00408680
0049B6D0  |. |8985 70FFFFFF   mov dword ptr ss:[ebp-90],eax     ; |
0049B6D6  |. |8995 74FFFFFF   mov dword ptr ss:[ebp-8C],edx     ; |
0049B6DC  |. |8D85 70FFFFFF   lea eax,dword ptr ss:[ebp-90]     ; |
0049B6E2  |. |8985 7CFFFFFF   mov dword ptr ss:[ebp-84],eax     ; |
0049B6E8  |. |C785 78FFFFFF 1>mov dword ptr ss:[ebp-88],10      ; |
0049B6F2  |. |8D95 78FFFFFF   lea edx,dword ptr ss:[ebp-88]     ; |
0049B6F8  |. |B9 00000000     mov ecx,0                         ; |
0049B6FD  |. |B8 70C77300     mov eax,EREnt.0073C770            ; |demomsgtotalamount
0049B702  |. |E8 29E7FBFF     call EREnt.00459E30               ; \EREnt.00459E30
0049B707  |. |8B45 94         mov eax,dword ptr ss:[ebp-6C]
0049B70A  |. |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B70D  |. |8D55 80         lea edx,dword ptr ss:[ebp-80]
0049B710  |. |8D45 EC         lea eax,dword ptr ss:[ebp-14]
0049B713  |. |B9 03000000     mov ecx,3
0049B718  |. |E8 53D4F6FF     call EREnt.00408B70
0049B71D  |> |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B720  |. |8945 84         mov dword ptr ss:[ebp-7C],eax
0049B723  |. |B8 24C77300     mov eax,EREnt.0073C724            ;  \n
0049B728  |. |8945 88         mov dword ptr ss:[ebp-78],eax
0049B72B  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B72E  |. |E8 8D9AF6FF     call EREnt.004051C0
0049B733  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B73A  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B73D  |. |50              push eax                          ; /Arg1
0049B73E  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B741  |. |83C0 10         add eax,10                        ; |
0049B744  |. |8985 5CFFFFFF   mov dword ptr ss:[ebp-A4],eax     ; |
0049B74A  |. |C785 58FFFFFF 1>mov dword ptr ss:[ebp-A8],10      ; |
0049B754  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]      ; |
0049B757  |. |83C0 08         add eax,8                         ; |
0049B75A  |. |8985 64FFFFFF   mov dword ptr ss:[ebp-9C],eax     ; |
0049B760  |. |C785 60FFFFFF 1>mov dword ptr ss:[ebp-A0],10      ; |
0049B76A  |. |8D95 58FFFFFF   lea edx,dword ptr ss:[ebp-A8]     ; |
0049B770  |. |B9 01000000     mov ecx,1                         ; |
0049B775  |. |B8 8CC77300     mov eax,EREnt.0073C78C            ; |demomsgend
0049B77A  |. |E8 B1E6FBFF     call EREnt.00459E30               ; \EREnt.00459E30
0049B77F  |. |8B45 94         mov eax,dword ptr ss:[ebp-6C]
0049B782  |. |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B785  |. |8D55 84         lea edx,dword ptr ss:[ebp-7C]
0049B788  |. |8D45 EC         lea eax,dword ptr ss:[ebp-14]
0049B78B  |. |B9 02000000     mov ecx,2
0049B790  |. |E8 DBD3F6FF     call EREnt.00408B70
0049B795  |. |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B798  |. |8945 84         mov dword ptr ss:[ebp-7C],eax
0049B79B  |. |B8 24C77300     mov eax,EREnt.0073C724            ;  \n
0049B7A0  |. |8945 88         mov dword ptr ss:[ebp-78],eax
0049B7A3  |. |8D45 94         lea eax,dword ptr ss:[ebp-6C]
0049B7A6  |. |E8 159AF6FF     call EREnt.004051C0
0049B7AB  |. |C745 94 0000000>mov dword ptr ss:[ebp-6C],0
0049B7B2  |. |8D55 94         lea edx,dword ptr ss:[ebp-6C]
0049B7B5  |. |B8 A0C77300     mov eax,EREnt.0073C7A0            ;  demomsgendbuy
0049B7BA  |. |E8 11E6FBFF     call EREnt.00459DD0
0049B7BF  |. |8B45 94         mov eax,dword ptr ss:[ebp-6C]
0049B7C2  |. |8945 8C         mov dword ptr ss:[ebp-74],eax
0049B7C5  |. |8D55 84         lea edx,dword ptr ss:[ebp-7C]
0049B7C8  |. |8D45 EC         lea eax,dword ptr ss:[ebp-14]
0049B7CB  |. |B9 02000000     mov ecx,2
0049B7D0  |. |E8 9BD3F6FF     call EREnt.00408B70
0049B7D5  |. |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B7D8  |. |E8 F3D1F6FF     call EREnt.004089D0
0049B7DD  |. |8B5D F8         mov ebx,dword ptr ss:[ebp-8]
0049B7E0  |. |8D43 3C         lea eax,dword ptr ds:[ebx+3C]
0049B7E3  |. |E8 D899F6FF     call EREnt.004051C0
0049B7E8  |. |8B45 EC         mov eax,dword ptr ss:[ebp-14]
0049B7EB  |. |8943 3C         mov dword ptr ds:[ebx+3C],eax
0049B7EE  |> |E8 1D23F7FF     call EREnt.0040DB10
0049B7F3  |. |58              pop eax
0049B7F4  |. |85C0            test eax,eax
0049B7F6  |. |74 66           je short EREnt.0049B85E
0049B7F8  |. |B8 FFFFFFFF     mov eax,-1
0049B7FD  |. |E8 DE24F7FF     call EREnt.0040DCE0
0049B802  |. |8D4D 84         lea ecx,dword ptr ss:[ebp-7C]
0049B805  |. |8D95 58FFFFFF   lea edx,dword ptr ss:[ebp-A8]
0049B80B  |. |B8 01000000     mov eax,1
0049B810  |. |E8 2B20F7FF     call EREnt.0040D840
0049B815  |. |E8 D641F7FF     call EREnt.0040F9F0
0049B81A  |. |50              push eax
0049B81B  |. |85C0            test eax,eax
0049B81D  |. |75 12           jnz short EREnt.0049B831
0049B81F  |. |8B45 F8         mov eax,dword ptr ss:[ebp-8]
0049B822  |. |B9 B8C77300     mov ecx,EREnt.0073C7B8            ;  exception occured
0049B827  |. |BA 02000000     mov edx,2
0049B82C  |. |E8 0F010F00     call EREnt.0058B940
0049B831  |> |E8 DA22F7FF     call EREnt.0040DB10
0049B836  |. |58              pop eax
0049B837  |. |85C0            test eax,eax
0049B839  |. |74 0F           je short EREnt.0049B84A
0049B83B  |. |E8 B023F7FF     call EREnt.0040DBF0
0049B840  |. |E8 FB24F7FF     call EREnt.0040DD40
0049B845  |. |E8 3624F7FF     call EREnt.0040DC80
0049B84A  |> |E8 0123F7FF     call EREnt.0040DB50
0049B84F  |. |E8 EC24F7FF     call EREnt.0040DD40
0049B854  |. |EB 08           jmp short EREnt.0049B85E
0049B856  |> |E8 B522F7FF     call EREnt.0040DB10
0049B85B  |. |58              pop eax
0049B85C  |. |EB 00           jmp short EREnt.0049B85E
0049B85E  |> \E8 AD22F7FF     call EREnt.0040DB10

我为了防止暗桩所以把所有功能限制也去掉了。不知不去掉会不会还有功能限制啊，节省时间不测试了吧。

<方法二>调用注册子程序时下手

这个程序有一个特点，就是说主程序检测到未注册的时候，子程序就会调用.\licman\licman.exe，呵呵。我们从这个入手(我本来还以为调用子程序主程序会关掉，后来试了一下，发现它不会关掉主程序，所以好弄多了。)

运行起来！！调用了子程序以后，F12暂停主程序，看堆栈调用。

调用堆栈 
地址       堆栈       函数例程 / 参数                       调用来自                      框架
0184FB18   7C92DF5A   包含 ntdll.KiFastSystemCallRet          ntdll.7C92DF58                0184FB7C
0184FB1C   7C8025DB   ntdll.ZwWaitForSingleObject           kernel32.7C8025D5             0184FB7C
0184FB80   7C802542   ? kernel32.WaitForSingleObjectEx      kernel32.7C80253D             0184FB7C
0184FB84   000001FC     hObject = 000001FC (window)
0184FB88   FFFFFFFF     Timeout = INFINITE
0184FB8C   00000000     fAlertable = FALSE
0184FB94   004B8696   ? <jmp.&kernel32.WaitForSingleObject  EREnt.004B8691                0184FB90
0184FB98   000001FC     hObject = 000001FC (window)
0184FB9C   FFFFFFFF     Timeout = INFINITE
0184FBB0   004B85DC   EREnt.004B8680                        EREnt.004B85D7                0184FBAC
0184FCF0   004A0CF1   可能 EREnt.004B85D3                     EREnt.004A0CEB                0184FCEC
0184FD64   0049BF92   EREnt.004A0C30                        EREnt.0049BF8D                0184FD60
0184FE60   00403E77   EREnt.0049BC30                        EREnt.00403E72                0184FE5C
0184FF9C   00413851   可能 EREnt.00403190                     EREnt.0041384F                0184FF98
0184FFC0   006FE866   ? EREnt.004137E0                      EREnt.<模块入口点>+11
0184FFC4   7C81776F   可能 EREnt.<模块入口点>                      kernel32.7C81776C             0184FFF0

其实这里选什么我也不很清楚，我随便选一个看起来比较顺眼的，这个：
0184FB94 004B8696 ? <jmp.&kernel32.WaitForSingleObject EREnt.004B8691 0184FB90
右键，显示调用。

整个段：

004B8680  /$  55            push ebp
004B8681  |.  89E5          mov ebp,esp
004B8683  |.  83EC 0C       sub esp,0C
004B8686  |.  8945 FC       mov dword ptr ss:[ebp-4],eax
004B8689  |.  6A FF         push -1                                 ; /Timeout = INFINITE
004B868B  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]            ; |
004B868E  |.  FF70 3C       push dword ptr ds:[eax+3C]              ; |hObject
004B8691  |.  E8 3A8DF4FF   call <jmp.&kernel32.WaitForSingleObject>; \WaitForSingleObject //显示的调用在这
004B8696  |.  8945 F4       mov dword ptr ss:[ebp-C],eax
004B8699  |.  83F8 FF       cmp eax,-1
004B869C  |.  0F9545 F8     setne byte ptr ss:[ebp-8]
004B86A0  |.  807D F8 00    cmp byte ptr ss:[ebp-8],0
004B86A4  |.  74 08         je short EREnt.004B86AE                 ;注意这里
004B86A6  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B86A9  |.  E8 E2F1FFFF   call EREnt.004B7890
004B86AE  |>  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B86B1  |.  C680 84000000>mov byte ptr ds:[eax+84],0
004B86B8  |.  8A45 F8       mov al,byte ptr ss:[ebp-8]
004B86BB  |.  C9            leave
004B86BC  \.  C3            retn

上面所示的地方，看到了吧，这个je很可疑，我们可以在这里下断，重载程序，看看情况。
由于它在调用Call的下面，所以要点击那个子程序的"作为演示运行"按钮，然后程序就被成功断下了。
断下以后，会发现跳转没有实现，那我们改一下Z标志位先试一下。
界面上面没有Demo字样了，想想应该也没有功能限制了，拿同学送我的U盘试试。
(此U盘他是删光东西以后给我的，但是......应该没有安全删除，所以......顿时发现我好邪恶.)
扫描了二十几秒，拿一个30几M的视频一试，啊哈，成功了。
于是重载程序，想当然就把这里改为jmp......等等！那么licman这个注册子程序还是会被唤出的！我们得从根源上解决问题！(完美才舒服。)
我们在段首，也就是004B8680:push ebp这里下断。
重载程序，会发现，licman还是出来了。(有点想揍这个man)
于是我们可以大胆地猜想，我们进的Call太深了，我们退出一层Call.

从段首到段尾：(这次是没办法，必须得都贴上了，不会被说是灌水吧？)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

004B80E0  /.  55            push ebp
004B80E1  |.  89E5          mov ebp,esp
004B80E3  |.  81EC 34010000 sub esp,134
004B80E9  |.  899D CCFEFFFF mov dword ptr ss:[ebp-134],ebx
004B80EF  |.  8945 FC       mov dword ptr ss:[ebp-4],eax
004B80F2  |.  C785 30FFFFFF>mov dword ptr ss:[ebp-D0],0
004B80FC  |.  C785 34FFFFFF>mov dword ptr ss:[ebp-CC],0
004B8106  |.  C785 38FFFFFF>mov dword ptr ss:[ebp-C8],0
004B8110  |.  C785 3CFFFFFF>mov dword ptr ss:[ebp-C4],0
004B811A  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B8124  |.  C785 44FFFFFF>mov dword ptr ss:[ebp-BC],0
004B812E  |.  8D8D 64FFFFFF lea ecx,dword ptr ss:[ebp-9C]
004B8134  |.  8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4]
004B813A  |.  B8 01000000   mov eax,1
004B813F  |.  E8 FC56F5FF   call EREnt.0040D840
004B8144  |.  E8 A778F5FF   call EREnt.0040F9F0
004B8149  |.  50            push eax
004B814A  |.  85C0          test eax,eax
004B814C  |.  0F85 8A040000 jnz EREnt.004B85DC
004B8152  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8155  |.  C640 64 01    mov byte ptr ds:[eax+64],1
004B8159  |.  C745 F8 00000>mov dword ptr ss:[ebp-8],0
004B8160  |.  C745 F0 00000>mov dword ptr ss:[ebp-10],0
004B8167  |.  C745 F4 00000>mov dword ptr ss:[ebp-C],0
004B816E  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8171  |.  8B40 48       mov eax,dword ptr ds:[eax+48]
004B8174  |.  85C0          test eax,eax
004B8176  |.  0F85 8E000000 jnz EREnt.004B820A
004B817C  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B817F  |.  8B40 50       mov eax,dword ptr ds:[eax+50]
004B8182  |.  85C0          test eax,eax
004B8184  |.  75 21         jnz short EREnt.004B81A7
004B8186  |.  8B0D 148C7400 mov ecx,dword ptr ds:[748C14]           ;  EREnt.00748798
004B818C  |.  BA F8867400   mov edx,EREnt.007486F8
004B8191  |.  B8 00000000   mov eax,0
004B8196  |.  E8 E562F6FF   call EREnt.0041E480
004B819B  |.  89E9          mov ecx,ebp
004B819D  |.  BA 9B814B00   mov edx,EREnt.004B819B
004B81A2  |.  E8 C958F5FF   call EREnt.0040DA70
004B81A7  |>  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004B81AD  |.  E8 CE18F5FF   call EREnt.00409A80
004B81B2  |.  C785 44FFFFFF>mov dword ptr ss:[ebp-BC],0
004B81BC  |.  8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B81C2  |.  E8 E929F5FF   call EREnt.0040ABB0
004B81C7  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B81D1  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B81D4  |.  8B40 50       mov eax,dword ptr ds:[eax+50]
004B81D7  |.  8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B81DD  |.  E8 4E40F5FF   call EREnt.0040C230
004B81E2  |.  8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B81E8  |.  8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
004B81EE  |.  E8 7D2BF5FF   call EREnt.0040AD70
004B81F3  |.  8B85 44FFFFFF mov eax,dword ptr ss:[ebp-BC]
004B81F9  |.  85C0          test eax,eax
004B81FB  |.  75 05         jnz short EREnt.004B8202
004B81FD  |.  B8 70DE7F00   mov eax,EREnt.007FDE70
004B8202  |>  8945 F0       mov dword ptr ss:[ebp-10],eax
004B8205  |.  E9 26010000   jmp EREnt.004B8330
004B820A  |>  8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-C4]
004B8210  |.  E8 6B18F5FF   call EREnt.00409A80
004B8215  |.  C785 3CFFFFFF>mov dword ptr ss:[ebp-C4],0
004B821F  |.  8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B8225  |.  E8 8629F5FF   call EREnt.0040ABB0
004B822A  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B8234  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8237  |.  8B40 48       mov eax,dword ptr ds:[eax+48]
004B823A  |.  8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B8240  |.  E8 EB3FF5FF   call EREnt.0040C230
004B8245  |.  8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B824B  |.  8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-C4]
004B8251  |.  E8 1A2BF5FF   call EREnt.0040AD70
004B8256  |.  8B85 3CFFFFFF mov eax,dword ptr ss:[ebp-C4]
004B825C  |.  85C0          test eax,eax
004B825E  |.  75 05         jnz short EREnt.004B8265
004B8260  |.  B8 70DE7F00   mov eax,EREnt.007FDE70
004B8265  |>  8945 F8       mov dword ptr ss:[ebp-8],eax
004B8268  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B826B  |.  8B40 50       mov eax,dword ptr ds:[eax+50]
004B826E  |.  85C0          test eax,eax
004B8270  |.  75 60         jnz short EREnt.004B82D2
004B8272  |.  8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
004B8278  |.  E8 0318F5FF   call EREnt.00409A80
004B827D  |.  C785 38FFFFFF>mov dword ptr ss:[ebp-C8],0
004B8287  |.  8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B828D  |.  E8 1E29F5FF   call EREnt.0040ABB0
004B8292  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B829C  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B829F  |.  8B40 48       mov eax,dword ptr ds:[eax+48]
004B82A2  |.  8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B82A8  |.  E8 833FF5FF   call EREnt.0040C230
004B82AD  |.  8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B82B3  |.  8D95 38FFFFFF lea edx,dword ptr ss:[ebp-C8]
004B82B9  |.  E8 B22AF5FF   call EREnt.0040AD70
004B82BE  |.  8B85 38FFFFFF mov eax,dword ptr ss:[ebp-C8]
004B82C4  |.  85C0          test eax,eax
004B82C6  |.  75 05         jnz short EREnt.004B82CD
004B82C8  |.  B8 70DE7F00   mov eax,EREnt.007FDE70
004B82CD  |>  8945 F0       mov dword ptr ss:[ebp-10],eax
004B82D0  |.  EB 5E         jmp short EREnt.004B8330
004B82D2  |>  8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
004B82D8  |.  E8 A317F5FF   call EREnt.00409A80
004B82DD  |.  C785 34FFFFFF>mov dword ptr ss:[ebp-CC],0
004B82E7  |.  8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B82ED  |.  E8 BE28F5FF   call EREnt.0040ABB0
004B82F2  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B82FC  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B82FF  |.  8B40 50       mov eax,dword ptr ds:[eax+50]
004B8302  |.  8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B8308  |.  E8 233FF5FF   call EREnt.0040C230
004B830D  |.  8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B8313  |.  8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
004B8319  |.  E8 522AF5FF   call EREnt.0040AD70
004B831E  |.  8B85 34FFFFFF mov eax,dword ptr ss:[ebp-CC]
004B8324  |.  85C0          test eax,eax
004B8326  |.  75 05         jnz short EREnt.004B832D
004B8328  |.  B8 70DE7F00   mov eax,EREnt.007FDE70
004B832D  |>  8945 F0       mov dword ptr ss:[ebp-10],eax
004B8330  |>  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8333  |.  8B40 54       mov eax,dword ptr ds:[eax+54]
004B8336  |.  85C0          test eax,eax
004B8338  |.  74 5E         je short EREnt.004B8398
004B833A  |.  8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004B8340  |.  E8 3B17F5FF   call EREnt.00409A80
004B8345  |.  C785 30FFFFFF>mov dword ptr ss:[ebp-D0],0
004B834F  |.  8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B8355  |.  E8 5628F5FF   call EREnt.0040ABB0
004B835A  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B8364  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8367  |.  8B40 54       mov eax,dword ptr ds:[eax+54]
004B836A  |.  8D95 40FFFFFF lea edx,dword ptr ss:[ebp-C0]
004B8370  |.  E8 BB3EF5FF   call EREnt.0040C230
004B8375  |.  8B85 40FFFFFF mov eax,dword ptr ss:[ebp-C0]
004B837B  |.  8D95 30FFFFFF lea edx,dword ptr ss:[ebp-D0]
004B8381  |.  E8 EA29F5FF   call EREnt.0040AD70
004B8386  |.  8B85 30FFFFFF mov eax,dword ptr ss:[ebp-D0]
004B838C  |.  85C0          test eax,eax
004B838E  |.  75 05         jnz short EREnt.004B8395
004B8390  |.  B8 70DE7F00   mov eax,EREnt.007FDE70
004B8395  |>  8945 F4       mov dword ptr ss:[ebp-C],eax
004B8398  |>  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B839B  |.  8B40 5C       mov eax,dword ptr ds:[eax+5C]
004B839E  |.  8B55 FC       mov edx,dword ptr ss:[ebp-4]
004B83A1  |.  8B52 5C       mov edx,dword ptr ds:[edx+5C]
004B83A4  |.  8B12          mov edx,dword ptr ds:[edx]
004B83A6  |.  FF92 80000000 call dword ptr ds:[edx+80]
004B83AC  |.  85C0          test eax,eax
004B83AE  |.  74 10         je short EREnt.004B83C0
004B83B0  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B83B3  |.  8B40 5C       mov eax,dword ptr ds:[eax+5C]
004B83B6  |.  E8 35FAFFFF   call EREnt.004B7DF0
004B83BB  |.  8945 EC       mov dword ptr ss:[ebp-14],eax
004B83BE  |.  EB 07         jmp short EREnt.004B83C7
004B83C0  |>  C745 EC 00000>mov dword ptr ss:[ebp-14],0
004B83C7  |>  8D8D 24FFFFFF lea ecx,dword ptr ss:[ebp-DC]
004B83CD  |.  8D95 0CFFFFFF lea edx,dword ptr ss:[ebp-F4]
004B83D3  |.  B8 01000000   mov eax,1
004B83D8  |.  E8 6354F5FF   call EREnt.0040D840
004B83DD  |.  E8 0E76F5FF   call EREnt.0040F9F0
004B83E2  |.  50            push eax
004B83E3  |.  85C0          test eax,eax
004B83E5  |.  0F85 A4010000 jnz EREnt.004B858F
004B83EB  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B83EE  |.  E8 5DF9FFFF   call EREnt.004B7D50
004B83F3  |.  8945 E8       mov dword ptr ss:[ebp-18],eax
004B83F6  |.  8D55 DC       lea edx,dword ptr ss:[ebp-24]
004B83F9  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B83FC  |.  E8 1FFBFFFF   call EREnt.004B7F20
004B8401  |.  8D55 D0       lea edx,dword ptr ss:[ebp-30]
004B8404  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8407  |.  E8 44FBFFFF   call EREnt.004B7F50
004B840C  |.  8D95 7CFFFFFF lea edx,dword ptr ss:[ebp-84]
004B8412  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8415  |.  E8 66FBFFFF   call EREnt.004B7F80
004B841A  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B841D  |.  F740 2C 04000>test dword ptr ds:[eax+2C],4
004B8424  |.  74 2C         je short EREnt.004B8452
004B8426  |.  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
004B842C  |.  50            push eax                                ; /Arg2
004B842D  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]            ; |
004B8430  |.  F740 2C 08000>test dword ptr ds:[eax+2C],8            ; |
004B8437  |.  0F94C0        sete al                                 ; |
004B843A  |.  50            push eax                                ; |Arg1
004B843B  |.  8D8D 70FFFFFF lea ecx,dword ptr ss:[ebp-90]           ; |
004B8441  |.  8D95 74FFFFFF lea edx,dword ptr ss:[ebp-8C]           ; |
004B8447  |.  8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]           ; |
004B844D  |.  E8 2EFCFFFF   call EREnt.004B8080                     ; \EREnt.004B8080
004B8452  |>  8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
004B8458  |.  8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C]
004B845E  |.  B8 01000000   mov eax,1
004B8463  |.  E8 D853F5FF   call EREnt.0040D840
004B8468  |.  E8 8375F5FF   call EREnt.0040F9F0
004B846D  |.  50            push eax
004B846E  |.  85C0          test eax,eax
004B8470  |.  0F85 AD000000 jnz EREnt.004B8523
004B8476  |.  8D45 C0       lea eax,dword ptr ss:[ebp-40]
004B8479  |.  50            push eax                                ; /pProcessInfo
004B847A  |.  8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]           ; |
004B8480  |.  50            push eax                                ; |pStartupInfo
004B8481  |.  FF75 F4       push dword ptr ss:[ebp-C]               ; |CurrentDir
004B8484  |.  FF75 EC       push dword ptr ss:[ebp-14]              ; |pEnvironment
004B8487  |.  FF75 E8       push dword ptr ss:[ebp-18]              ; |CreationFlags
004B848A  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]            ; |
004B848D  |.  8A40 64       mov al,byte ptr ds:[eax+64]             ; |
004B8490  |.  08C0          or al,al                                ; |
004B8492  |.  0F95C0        setne al                                ; |
004B8495  |.  25 FF000000   and eax,0FF                             ; |
004B849A  |.  F7D8          neg eax                                 ; |
004B849C  |.  50            push eax                                ; |InheritHandles
004B849D  |.  8D45 D0       lea eax,dword ptr ss:[ebp-30]           ; |
004B84A0  |.  50            push eax                                ; |pThreadSecurity
004B84A1  |.  8D45 DC       lea eax,dword ptr ss:[ebp-24]           ; |
004B84A4  |.  50            push eax                                ; |pProcessSecurity
004B84A5  |.  FF75 F0       push dword ptr ss:[ebp-10]              ; |CommandLine
004B84A8  |.  FF75 F8       push dword ptr ss:[ebp-8]               ; |ModuleFileName
004B84AB  |.  E8 7092F4FF   call <jmp.&kernel32.CreateProcessW>     ; \CreateProcessW
004B84B0  |.  85C0          test eax,eax
004B84B2  |.  75 54         jnz short EREnt.004B8508
004B84B4  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B84B7  |.  8B40 50       mov eax,dword ptr ds:[eax+50]
004B84BA  |.  8985 D4FEFFFF mov dword ptr ss:[ebp-12C],eax
004B84C0  |.  C785 D0FEFFFF>mov dword ptr ss:[ebp-130],0B
004B84CA  |.  E8 318CF4FF   call <jmp.&kernel32.GetLastError>       ; [GetLastError
004B84CF  |.  8985 DCFEFFFF mov dword ptr ss:[ebp-124],eax
004B84D5  |.  C785 D8FEFFFF>mov dword ptr ss:[ebp-128],0
004B84DF  |.  8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-130]
004B84E5  |.  50            push eax                                ; /Arg2
004B84E6  |.  6A 01         push 1                                  ; |Arg1 = 00000001
004B84E8  |.  BA F8867400   mov edx,EREnt.007486F8                  ; |
004B84ED  |.  B9 58887400   mov ecx,EREnt.00748858                  ; |ASCII "Failed to execute %s : %d"
004B84F2  |.  B8 00000000   mov eax,0                               ; |
004B84F7  |.  E8 A460F6FF   call EREnt.0041E5A0                     ; \EREnt.0041E5A0
004B84FC  |.  89E9          mov ecx,ebp
004B84FE  |.  BA FC844B00   mov edx,EREnt.004B84FC
004B8503  |.  E8 6855F5FF   call EREnt.0040DA70
004B8508  |>  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B850B  |.  8B55 C0       mov edx,dword ptr ss:[ebp-40]
004B850E  |.  8950 3C       mov dword ptr ds:[eax+3C],edx
004B8511  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8514  |.  8B55 C4       mov edx,dword ptr ss:[ebp-3C]
004B8517  |.  8950 40       mov dword ptr ds:[eax+40],edx
004B851A  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B851D  |.  8B55 C8       mov edx,dword ptr ss:[ebp-38]
004B8520  |.  8950 34       mov dword ptr ds:[eax+34],edx
004B8523  |>  E8 E855F5FF   call EREnt.0040DB10
004B8528  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B852B  |.  F740 2C 04000>test dword ptr ds:[eax+2C],4
004B8532  |.  74 44         je short EREnt.004B8578
004B8534  |.  8B45 B4       mov eax,dword ptr ss:[ebp-4C]
004B8537  |.  E8 8477F6FF   call EREnt.0041FCC0
004B853C  |.  8B45 B8       mov eax,dword ptr ss:[ebp-48]
004B853F  |.  E8 7C77F6FF   call EREnt.0041FCC0
004B8544  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8547  |.  F740 2C 08000>test dword ptr ds:[eax+2C],8
004B854E  |.  75 08         jnz short EREnt.004B8558
004B8550  |.  8B45 BC       mov eax,dword ptr ss:[ebp-44]
004B8553  |.  E8 6877F6FF   call EREnt.0041FCC0
004B8558  |>  FFB5 70FFFFFF push dword ptr ss:[ebp-90]
004B855E  |.  8B8D 74FFFFFF mov ecx,dword ptr ss:[ebp-8C]
004B8564  |.  8B95 78FFFFFF mov edx,dword ptr ss:[ebp-88]
004B856A  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B856D  |.  8B5D FC       mov ebx,dword ptr ss:[ebp-4]
004B8570  |.  8B1B          mov ebx,dword ptr ds:[ebx]
004B8572  |.  FF93 DC000000 call dword ptr ds:[ebx+DC]
004B8578  |>  58            pop eax
004B8579  |.  85C0          test eax,eax
004B857B  |.  74 08         je short EREnt.004B8585
004B857D  |.  48            dec eax
004B857E  |.  85C0          test eax,eax
004B8580  |.  E8 FB56F5FF   call EREnt.0040DC80
004B8585  |>  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B8588  |.  C680 84000000>mov byte ptr ds:[eax+84],1
004B858F  |>  E8 7C55F5FF   call EREnt.0040DB10
004B8594  |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
004B8597  |.  85C0          test eax,eax
004B8599  |.  74 08         je short EREnt.004B85A3
004B859B  |.  8B45 EC       mov eax,dword ptr ss:[ebp-14]
004B859E  |.  E8 0D75F5FF   call EREnt.0040FAB0
004B85A3  |>  58            pop eax
004B85A4  |.  85C0          test eax,eax
004B85A6  |.  74 08         je short EREnt.004B85B0
004B85A8  |.  48            dec eax
004B85A9  |.  85C0          test eax,eax
004B85AB  |.  E8 D056F5FF   call EREnt.0040DC80
004B85B0  |>  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B85B3  |.  F740 20 10000>test dword ptr ds:[eax+20],10
004B85BA  |.  75 20         jnz short EREnt.004B85DC
004B85BC  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B85BF  |.  F740 2C 02000>test dword ptr ds:[eax+2C],2
004B85C6  |.  74 14         je short EREnt.004B85DC
004B85C8  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B85CB  |.  F740 2C 01000>test dword ptr ds:[eax+2C],1
004B85D2  |.  75 08         jnz short EREnt.004B85DC
004B85D4  |.  8B45 FC       mov eax,dword ptr ss:[ebp-4]
004B85D7  |.  E8 A4000000   call EREnt.004B8680
004B85DC  |> \E8 2F55F5FF   call EREnt.0040DB10                     ;  我们出来后到了这里，有四个跳转到这里，我们可以向上找来源。
004B85E1  |.  8D85 30FFFFFF lea eax,dword ptr ss:[ebp-D0]
004B85E7  |.  E8 9414F5FF   call EREnt.00409A80
004B85EC  |.  C785 30FFFFFF>mov dword ptr ss:[ebp-D0],0
004B85F6  |.  8D85 34FFFFFF lea eax,dword ptr ss:[ebp-CC]
004B85FC  |.  E8 7F14F5FF   call EREnt.00409A80
004B8601  |.  C785 34FFFFFF>mov dword ptr ss:[ebp-CC],0
004B860B  |.  8D85 38FFFFFF lea eax,dword ptr ss:[ebp-C8]
004B8611  |.  E8 6A14F5FF   call EREnt.00409A80
004B8616  |.  C785 38FFFFFF>mov dword ptr ss:[ebp-C8],0
004B8620  |.  8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-C4]
004B8626  |.  E8 5514F5FF   call EREnt.00409A80
004B862B  |.  C785 3CFFFFFF>mov dword ptr ss:[ebp-C4],0
004B8635  |.  8D85 40FFFFFF lea eax,dword ptr ss:[ebp-C0]
004B863B  |.  E8 7025F5FF   call EREnt.0040ABB0
004B8640  |.  C785 40FFFFFF>mov dword ptr ss:[ebp-C0],0
004B864A  |.  8D85 44FFFFFF lea eax,dword ptr ss:[ebp-BC]
004B8650  |.  E8 2B14F5FF   call EREnt.00409A80
004B8655  |.  C785 44FFFFFF>mov dword ptr ss:[ebp-BC],0
004B865F  |.  58            pop eax
004B8660  |.  85C0          test eax,eax
004B8662  |.  74 05         je short EREnt.004B8669
004B8664  |.  E8 1756F5FF   call EREnt.0040DC80
004B8669  |>  8B9D CCFEFFFF mov ebx,dword ptr ss:[ebp-134]
004B866F  |.  C9            leave
004B8670  \.  C3            retn

看到，有四个跳转可以跳过这个Call。我一般习惯改最前面的。试试。
因为不能同时运行两个EasyRecovery，所以我们保存文件以后，就把OD运行处下断点，然后重载程序，执行一下我们Cracked的程序。
果然，改了第一个跳转的就不会再呼出licman了，而且很完美，没有暗桩哦。;-)

后面三个跳转我也试了一下，都不行。具体原因也来看看吧，在这个段的段首下断。
跟踪后发现：004B84AB |. E8 7092F4FF call <jmp.&kernel32.CreateProcessW> ; \CreateProcessW
这个调用了子程序！呵呵，看来还找得不完全啊。
那么我们前面：004B8470 |. /0F85 AD000000 jnz EREnt.004B8523
这个跳转改成jmp试试。(后面那三个跳转随便改一个哦。)
会发现，这次OK了。试试有没有限制。木有暗桩。哈哈。

到此，两个方法都讲完了，我也累了。
总结一下，看来这个程序就是调用licman，如果反馈给它是使用Demo的，那么再进行增加Demo的限制。
如果什么也不反馈，或者licman根本就没有运行过，那么就是作为完整版运行啦！！
所以，我们还可以......

<方法三>从licman.exe下手(最便捷方法)

由于这个程序调用licman.exe，如果没有它，主程序也无法运行。但是我们可以直接对licman.exe，把这个man给disable了！呵呵。

载入后得：

0059F730 >/$  C605 30806200>mov byte ptr ds:[628030],0
0059F737  |.  E8 B4FFFFFF   call licman.0059F6F0
0059F73C  |.  B8 10F46200   mov eax,licman.0062F410
0059F741  |.  E8 1A28E7FF   call licman.00411F60
0059F746  \.  C3            retn

我们直接把retn以外的所有代码nop掉即可。
然后打开主程序一看，就没有licman的阻挡了，直接就是完整版！

以上是所有方法，菜鸟希望大家的支持哈！

====================写在后面====================
   呵呵，这个程序破解也很简单吧？为什么我不贴图呢？因为我感觉贴图能贴什么？就贴个软件界面？那还不如自己下载好好观看呢。代码基本也都贴好了，应该不需要图了吧......
   还有有人提议让我多花点时间学习啊呵呵。这都是我抽时间搞出来的，零碎时间......不过说的也是啊，我以后发主题帖隔的时间可能会更长一些。
   希望大家支持一下。这个程序已经比上一个要好破解得多了，尤其是最简单的方法，那个方法叫做......程序员设计程序时考虑不周到而产生的。呵呵，就连我发现时也大吃一惊呢！

(练习)程序下载链接：
http://xiazai.easyrecoverychina.com/EasyRecovery11.1_WIN_QIYE.exe
(百度网盘空间不够了，直接贴官网下载链接吧。)

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#调试逆向

收藏・11

免费

支持

最新回复 (6)
逍遥枷锁雪币： 218 能力值： (RANK：10 ) 在线值：发帖 5 回帖 133 粉丝 0 关注私信	逍遥枷锁 2 楼如果带上分析视频就好了 2014-7-18 19:14 0
heihu 雪币： 1136 活跃值： (723) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 187 粉丝 0 关注私信	heihu 3 楼学习了，这么多的方法 2014-7-18 19:27 0
zhczf 雪币： 11590 活跃值： (18281) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 412 粉丝 0 关注私信	zhczf 4 楼楼主牛叉啊，这个又被你破解了， 2014-7-18 20:40 0
yunfeng 雪币： 269 活跃值： (51) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 489 粉丝 0 关注私信	yunfeng 1 5 楼不错，破解思路是越来越广了 2014-7-20 17:47 0
王者之剑雪币： 142 活跃值： (22) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 116 粉丝 1 关注私信	王者之剑 1 6 楼不错可以支持一下 2014-7-21 10:08 0
华仔在吗雪币： 11 活跃值： (90) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 146 粉丝 0 关注私信	华仔在吗 7 楼支持，谢谢分享 2014-7-21 10:21 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

dsong

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
逍遥枷锁雪币： 218 能力值： (RANK：10 ) 在线值：发帖 5 回帖 133 粉丝 0 关注私信	逍遥枷锁 2 楼如果带上分析视频就好了 2014-7-18 19:14 0
heihu 雪币： 1136 活跃值： (723) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 187 粉丝 0 关注私信	heihu 3 楼学习了，这么多的方法 2014-7-18 19:27 0
zhczf 雪币： 11590 活跃值： (18281) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 412 粉丝 0 关注私信	zhczf 4 楼楼主牛叉啊，这个又被你破解了， 2014-7-18 20:40 0
yunfeng 雪币： 269 活跃值： (51) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 489 粉丝 0 关注私信	yunfeng 1 5 楼不错，破解思路是越来越广了 2014-7-20 17:47 0
王者之剑雪币： 142 活跃值： (22) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 116 粉丝 1 关注私信	王者之剑 1 6 楼不错可以支持一下 2014-7-21 10:08 0
华仔在吗雪币： 11 活跃值： (90) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 146 粉丝 0 关注私信	华仔在吗 7 楼支持，谢谢分享 2014-7-21 10:21 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[原创]易恢复 EasyRecovery 中文企业版 破解思路/过程

账号登录 验证码登录

[原创]易恢复 EasyRecovery 中文企业版破解思路/过程

账号登录

验证码登录