A file patch for BlindWrite Suite v5.1.5.132 (badly written)
Posted on: 2004-6-23 15:07
Software : file patch for BlindWrite Suite v5.1.5.132
It can make an image of a "copy-protected" disc and restore that image with burning software
http://www.vso-software.fr/
Tools -- : W32Dasm, OllyDbg, MASM32, WIN2000
Cracker : lq7972[bruceyu13@sina.com]
【】CloneCD does not support the no-name junk burner the PC dealer gave me; I heard this one does, but it only lets you Try for 20 Days
At startup the software pops up something saying "the user must use it legally; it takes no responsibility for any illegal act or its consequences" or words to that effect (not sure that is exactly what it means?),
then comes the familiar dialog: "This software is not ...", offering two buttons: "Buy" OR "Try" (once the trial expires, naturally only Buy is left)
; $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $
From the messy trace notes I put together the report below:
The software starts its registration check right after the "Legal Disclaimer" ~
【1】 Static analysis
; W32Dasm >>
; search for "BW5.Log"
; the program comes here at startup: the registration check
:005DE6BC 55 push ebp
:005DE6BD 8BEC mov ebp, esp
:005DE6BF B90F000000 mov ecx, 0000000F
; ...
* Possible StringData Ref from Code Obj ->"BW5.Log"
|
:005DE751 B96CF05D00 mov ecx, 005DF06C
:005DE756 8B55FC mov edx, dword ptr [ebp-04]
:005DE759 8B9214050000 mov edx, dword ptr [edx+00000514]
; ...
:005E8EDA E8CDA6E1FF call 004035AC
:005E8EDF 807DF300 cmp byte ptr [ebp-0D], 00
:005E8EE3 750C jne 005E8EF1
:005E8EE5 8B45FC mov eax, dword ptr [ebp-04]
:005E8EE8 80B82305000000 cmp byte ptr [eax+00000523], 00
:005E8EEF 7425 je 005E8F16 ; key check, it must jump, because the fall-through path below ends in PostQuitMessage
; ...
* Reference To: user32.PostQuitMessage, Ord:0000h
|
:005E8F11 E82EE6E1FF Call 00407544
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005E8EEF(C), :005E8F09(C)
|
:005E8F16 8B45FC mov eax, dword ptr [ebp-04]
:005E8F19 80B82305000000 cmp byte ptr [eax+00000523], 00
:005E8F20 750C jne 005E8F2E ; key check, it must not jump, because the check just below has to run
:005E8F22 8B45FC mov eax, dword ptr [ebp-04]
:005E8F25 80B82205000000 cmp byte ptr [eax+00000522], 00
:005E8F2C 743B je 005E8F69 ; here
; ...
* Reference To: user32.PostQuitMessage, Ord:0000h
|
:005E8F64 E8DBE5E1FF Call 00407544
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005E8F2C(C), :005E8F5C(C)
|
:005E8F69 8B45FC mov eax, dword ptr [ebp-04]
; ...
【2】 Dynamic tracing
; W32Dasm >>
; search for "This software is not free. But "
; -----------------------------------------------------------------------------------
:005DB51C 55 push ebp
; ...
:005DB52B E87CF9FFFF call 005DAEAC
; -----------------------------------------------------------------------------------
* Referenced by a CALL at Address:
|:005DB52B
|
:005DAEAC 55 push ebp
; ...
* Possible StringData Ref from Code Obj ->"This software is not free. But "
->"you can try it for free."
|
:005DAF16 BAA0B35D00 mov edx, 005DB3A0
; ...
; OllyDbg >>
Break at 005DB51C and look at the stack: 0047418B, which is the return address pushed by the CALL instruction
; W32Dasm >>
; ...
:0047417B 8BD8 mov ebx, eax
:0047417D 8BD0 mov edx, eax
:0047417F 8B83CC020000 mov eax, dword ptr [ebx+000002CC]
:00474185 FF93C8020000 call dword ptr [ebx+000002C8] ; this is the CALL
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474179(C)
|
:0047418B 5B pop ebx
; ...
【3】 Patch summary
(1) 005E8EEF : 7425 → 7525 (Offset : 001E82EF)
(2) 005E8F20 : 750C → 740C (Offset : 001E8320)
(3) 00474185 : NOP out the CALL (six 90s) (Offset : 00073585)
or 005DB51C : 55 → CC (Offset : 001DA91C)
(4) 005D9998 : 7571 → 7471 (Offset : 001D8D98)
so that [Settings]->[Registration] reads "This software is registered to " instead of "This software is in trial mode "
【4】 Writing the file patch yourself
KeyMake exists, but do it yourself today and you will be well provided for tomorrow
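As an added example (not code from the original post or from the BlindWrite authors), here is the arithmetic behind the "(Offset : ...)" values in the summary above, done the general way: each virtual address is mapped to a file offset through the PE section table, and a read-only audit then checks whether a file still carries the original bytes at each site, which is the kind of check a vendor's integrity routine would perform. The PE layout is an assumption: ImageBase 0x400000 and a single .text section with VirtualAddress 0x1000 and PointerToRawData 0x400, which reproduces every VA/offset pair in the post (0x5E8EEF -> 0x1E82EF, 0x474185 -> 0x73585, and so on). The sample executable is constructed in memory; it is not the real file.

```python
"""Added example, not code from the original post or from the BlindWrite
authors.  Maps virtual addresses to file offsets via the PE section table and
audits (read-only) whether the original bytes are still present at each site.
The PE layout is an assumption: ImageBase 0x400000, one .text section with
VirtualAddress 0x1000 and PointerToRawData 0x400, so file offset == VA - 0x400C00."""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


def parse_pe(data: bytes):
    """Return (ImageBase, [Section, ...]) for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    opt = pe + 24                                             # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), vsize, va, rsize, rptr))
    return image_base, sections


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Map a virtual address to the file offset that backs it."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            if delta >= s.raw_size:                # virtual-only space: nothing on disk
                raise ValueError(f"VA {va:#x} lies in {s.name} but is not backed by file data")
            return s.raw_pointer + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


# The four sites from the patch summary: VA -> (original bytes, patched bytes).
PATCH_SITES = {
    0x5E8EEF: (bytes.fromhex("7425"), bytes.fromhex("7525")),
    0x5E8F20: (bytes.fromhex("750C"), bytes.fromhex("740C")),
    0x474185: (bytes.fromhex("FF93C8020000"), bytes([0x90] * 6)),
    0x5D9998: (bytes.fromhex("7571"), bytes.fromhex("7471")),
}


def audit_sites(data: bytes, sites=PATCH_SITES) -> dict:
    """Classify each site as 'original', 'patched' or 'unknown'; never writes."""
    image_base, sections = parse_pe(data)
    report = {}
    for va, (orig, patched) in sites.items():
        off = va_to_file_offset(va, image_base, sections)
        found = bytes(data[off:off + len(orig)])
        report[va] = "original" if found == orig else "patched" if found == patched else "unknown"
    return report


def build_sample_pe() -> bytearray:
    """Constructed stand-in for the real executable: a minimal PE32 with one
    .text section laid out so that file offset == VA - 0x400C00, carrying the
    original bytes at each patch site."""
    raw_ptr, raw_size = 0x400, 0x1F0000
    buf = bytearray(raw_ptr + raw_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # COFF header
    opt = 0x84 + 20
    struct.pack_into("<H", buf, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x400000)                           # ImageBase
    struct.pack_into("<8sIIII", buf, opt + 0xE0, b".text", raw_size, 0x1000, raw_size, raw_ptr)
    for va, (orig, _) in PATCH_SITES.items():
        off = va - 0x400C00
        buf[off:off + len(orig)] = orig
    return buf


if __name__ == "__main__":
    sample = bytes(build_sample_pe())
    base, secs = parse_pe(sample)
    for va in PATCH_SITES:
        print(f"{va:08X} -> file offset {va_to_file_offset(va, base, secs):08X}")
    print(audit_sites(sample))
```

The constant 0x400C00 the post implicitly uses is just ImageBase + VirtualAddress - PointerToRawData for the .text section; reading the section table instead of hard-coding it keeps the mapping correct for any build of the program, and the audit reports "unknown" rather than guessing when bytes match neither the shipped code nor the documented patch.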