This time the target is 宝贝 3.15 from 目标工作室. A PE identifier reports Borland Delphi 6.0 - 7.0, so no packer to deal with. Run the program and choose software registration: a dialog appears; enter an arbitrary registration code and it answers "软件序列号和软件注册码不匹配,请重新注册" ("the serial number and registration code do not match, please register again"). Load the executable into W32Dasm, open References > String Data References, and look for the string "软件已经注册" ("the software is already registered"); that is where to start. Double-clicking it lands at 00618B14, and a little above it there is an obvious conditional jump right after the serial-check call:
:00618AF0 8B9518FFFFFF mov edx, dword ptr [ebp+FFFFFF18]
:00618AF6 8B45F4 mov eax, dword ptr [ebp-0C]
:00618AF9 E83ED9FFFF call 0061643C
:00618AFE 84C0 test al, al
:00618B00 743B je 00618B3D
:00618B02 A130396200 mov eax, dword ptr [00623930]
:00618B07 8B00 mov eax, dword ptr [eax]
:00618B09 E82694E5FF call 00471F34
:00618B0E 8B8350030000 mov eax, dword ptr [ebx+00000350]
* Possible StringData Ref from Code Obj ->"软件已经注册"
|
:00618B14 BA2C8F6100 mov edx, 00618F2C
:00618B19 E84A6CE3FF call 0044F768
:00618B1E 8B834C030000 mov eax, dword ptr [ebx+0000034C]
:00618B24 33D2 xor edx, edx
:00618B26 8B08 mov ecx, dword ptr [eax]
:00618B28 FF5168 call [ecx+68]
:00618B2B 8B8354030000 mov eax, dword ptr [ebx+00000354]
:00618B31 33D2 xor edx, edx
:00618B33 8B08 mov ecx, dword ptr [eax]
:00618B35 FF5168 call [ecx+68]
:00618B38 E943020000 jmp 00618D80
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00618B00(C)
|
:00618B3D 8B8330030000 mov eax, dword ptr [ebx+00000330]
:00618B43 E8F89FF3FF call 00552B40
:00618B48 8B8330030000 mov eax, dword ptr [ebx+00000330]
:00618B4E E8CDD1FBFF call 005D5D20
* Possible StringData Ref from Code Obj ->"update T_MyInfo set SerialID=null"
The call at 00618AF9 returns the comparison result in al, `test al, al` sets ZF when it is zero, and the `je` at 00618B00 (bytes 74 3B) then skips the "already registered" branch. So try turning that 74 (je rel8) into 75 (jne rel8): open UltraEdit-32 and load the main program; W32Dasm gives the file offset of the 74 as 00217F00h, so in UltraEdit press Ctrl+G, enter 0x00217F00, locate the 74 and change it to 75, leaving the displacement byte 3B alone. Save under another file name, 1.exe, run the modified 1.exe, click software registration on the main interface, and it reports that the software is already registered.

Note that this only inverts the test: a bogus code now takes the "registered" path, while a genuinely matching code would now jump to the failure branch at 00618B3D, which is where the "update T_MyInfo set SerialID=null" string is referenced. A patch that must accept every input regardless of the check result would instead have to neutralise the jump rather than invert it.
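The same patch done as a script, added here as an example and not code from the original post or from the target program. Rather than reading the file offset off W32Dasm and typing it into UltraEdit, it parses the PE section table to map the virtual address to its raw offset, checks that the byte there really is 0x74 (`je rel8`) before touching it, and then writes 0x75 (`jne rel8`). Everything about the sample image is an assumption: it is a minimal PE32 constructed in memory for the demo, with one CODE section laid out the way the post's VA/offset pair (00618B00 -> 00217F00) implies for a 0x400000 image base, and `patch_file`, `parse_pe`, `va_to_file_offset` and `flip_je_to_jne` are hypothetical helper names.

```python
"""Added example, not code from the original post or from the target program:
flip the `je` (0x74) at a virtual address to `jne` (0x75) by patching the PE
file on disk, computing the file offset from the section table instead of
reading it off W32Dasm and typing it into UltraEdit.

Hypothetical assumptions: PE32 (32-bit) only, which covers a Delphi 6/7
binary; the sample image built below is constructed here for the demo and
mirrors only the layout the post's VA/offset pair implies."""
import struct

JE_REL8, JNE_REL8 = 0x74, 0x75


def parse_pe(data):
    """Return (image_base, sections) from a PE32 image.
    A section is (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address to its raw file offset via the section table."""
    rva = va - image_base
    for name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError(f"VA {va:#x} is in {name} but not backed by file bytes")
            return rptr + delta
    raise ValueError(f"VA {va:#x} is outside every section")


def flip_je_to_jne(data, file_offset):
    """Return a patched copy of `data`; refuse unless the byte really is `je rel8`,
    so a wrong offset cannot silently corrupt an unrelated instruction."""
    if data[file_offset] != JE_REL8:
        raise ValueError(f"byte at {file_offset:#x} is {data[file_offset]:#04x}, not 0x74 (je)")
    patched = bytearray(data)
    patched[file_offset] = JNE_REL8  # the rel8 displacement after it stays as-is
    return bytes(patched)


def patch_file(src, dst, va):
    """Patch the `je` at `va` in `src` and write the result to `dst`; returns the offset."""
    with open(src, "rb") as f:
        data = f.read()
    image_base, sections = parse_pe(data)
    off = va_to_file_offset(va, image_base, sections)
    with open(dst, "wb") as f:
        f.write(flip_je_to_jne(data, off))
    return off


# Constructed sample: `test al, al / je +0x3b` at RVA 0x1012 of a CODE section
# laid out like a Delphi binary (RVA 0x1000 -> raw 0x400, image base 0x400000).
SAMPLE_CODE = b"\x90" * 0x10 + b"\x84\xC0\x74\x3B" + b"\x90" * 0x3B
SAMPLE_VA = 0x401012


def build_sample_pe(code=SAMPLE_CODE, image_base=0x400000):
    """Build a minimal (non-runnable) PE32 image with one CODE section for the demo."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b"CODE", len(code), 0x1000, 0x200, 0x400,
                      0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x400, b"\0")
    return header + code.ljust(0x200, b"\0")


def demo():
    """Resolve SAMPLE_VA in the constructed image, patch it, report the bytes."""
    data = build_sample_pe()
    image_base, sections = parse_pe(data)
    off = va_to_file_offset(SAMPLE_VA, image_base, sections)
    patched = flip_je_to_jne(data, off)
    return off, data[off], patched[off]


if __name__ == "__main__":
    print("offset %#x: %#04x -> %#04x" % demo())
```

Against a real file, `patch_file("target.exe", "1.exe", 0x00618B00)` does the same thing the UltraEdit session does; with the section layout this post's numbers imply (CODE at RVA 0x1000, raw offset 0x400), `va_to_file_offset` returns 0x217F00 for that address. The 0x74 precondition is what makes the script safe to rerun or to point at the wrong build: it fails loudly instead of rewriting some other opcode.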