[Old post] [Original] Cracking WorkPause V1.3

Posted: 2007-3-27 22:17
[Title]: Cracking WorkPause V1.3
[Author]: A-new
[Author QQ]: 83540302
[Software]: WorkPause
[Size]: 104 KB
[Download]: http://www.newhua.com/soft/56667.htm
[Packer]: none
[Language]: Microsoft Visual C++ 6.0
[Tools]: OllyICE, Regmon
[Platform]: XP SP2
[Description]: WorkPause is a health utility that reminds the user to take a break at set intervals.
[Author's note]: Purely out of interest, no other purpose. Where I have slipped up, please correct me!
--------------------------------------------------------------------------------
[Detailed process]
Joined a group today, and the group owner said every newcomer has to crack something, so let me just grab one and crack it!
Unlucky for WorkPause V1.3, heh.
Enough chatter, let's get to work...
Run the program and enter any Name and Key.
(I entered name: A-new, key: 1111-1111-1111, done.)
It reports "Invalid registration key or user name".
Ignore it and look around inside; under About it shows
This is an UNREGISTERED version
It's been used for 5 days.
Sweat~ how unfair, I only just downloaded it and it already claims 5 days of use (no manners; serves it right, ^_^)
Load it in OD, search the UNICODE strings, find "Invalid registration key or user name",
follow it, and we land here
004062E4 . E8 8D360000 call <jmp.&MFC42.#3876_CWnd::GetWindo>
004062E9 . 85C0 test eax, eax
004062EB . 75 0C jnz short 004062F9 → if it does not jump it says no user name was entered; change to JMP
004062ED . 50 push eax
004062EE . 50 push eax
004062EF . 68 78084100 push 00410878 ; ASCII "No user name is entered"
004062F4 . E9 25010000 jmp 0040641E
004062F9 > 8D9D 98010000 lea ebx, dword ptr [ebp+198]
004062FF . 8BCB mov ecx, ebx
00406301 . E8 70360000 call <jmp.&MFC42.#3876_CWnd::GetWindo>
00406306 . 83F8 04 cmp eax, 4
00406309 . 0F85 06010000 jnz 00406415 → if it jumps it says the Key is wrong; NOP it
0040630F . 8DBD 58010000 lea edi, dword ptr [ebp+158]
00406315 . 8BCF mov ecx, edi
00406317 . E8 5A360000 call <jmp.&MFC42.#3876_CWnd::GetWindo>
0040631C . 83F8 04 cmp eax, 4
0040631F . 0F85 F0000000 jnz 00406415 → if it jumps it says the Key is wrong; NOP it
00406325 . 8DB5 18010000 lea esi, dword ptr [ebp+118]
0040632B . 8BCE mov ecx, esi
0040632D . E8 44360000 call <jmp.&MFC42.#3876_CWnd::GetWindo>
00406332 . 83F8 04 cmp eax, 4
00406335 . 0F85 DA000000 jnz 00406415 → if it jumps it says the Key is wrong; NOP it
0040633B . 8D4424 14 lea eax, dword ptr [esp+14]
0040633F . 6A 05 push 5
00406341 . 50 push eax
00406342 . 8BCB mov ecx, ebx
00406344 . E8 39360000 call <jmp.&MFC42.#3873_CWnd::GetWindo>
00406349 . 8D4C24 19 lea ecx, dword ptr [esp+19]
0040634D . 6A 05 push 5
0040634F . B3 2D mov bl, 2D
00406351 . 51 push ecx
00406352 . 8BCF mov ecx, edi
00406354 . 885C24 20 mov byte ptr [esp+20], bl
00406358 . E8 25360000 call <jmp.&MFC42.#3873_CWnd::GetWindo>
0040635D . 8D5424 1E lea edx, dword ptr [esp+1E]
00406361 . 6A 05 push 5
00406363 . 52 push edx
00406364 . 8BCE mov ecx, esi
00406366 . 885C24 25 mov byte ptr [esp+25], bl
0040636A . E8 13360000 call <jmp.&MFC42.#3873_CWnd::GetWindo>
0040636F . 8D4C24 10 lea ecx, dword ptr [esp+10]
00406373 . E8 9E320000 call <jmp.&MFC42.#540_CString::CStrin>
00406378 . 8D4424 10 lea eax, dword ptr [esp+10]
0040637C . 8D8D D8010000 lea ecx, dword ptr [ebp+1D8]
00406382 . 50 push eax
00406383 . C74424 34 000>mov dword ptr [esp+34], 0
0040638B . E8 EE330000 call <jmp.&MFC42.#3874_CWnd::GetWindo>
00406390 . 8B5424 10 mov edx, dword ptr [esp+10]
00406394 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00406398 . 51 push ecx
00406399 . 52 push edx
0040639A . E8 112F0000 call 004092B0
0040639F . 83C4 08 add esp, 8
004063A2 . 84C0 test al, al
004063A4 . 75 32 jnz short 004063D8 → if it does not jump it says user name and Key are wrong; change to JMP
004063A6 . 6A 00 push 0
004063A8 . 6A 00 push 0
004063AA . 68 50084100 push 00410850 ; invalid registration key or user name
004063AF . E8 70330000 call <jmp.&MFC42.#1200_AfxMessageBox>
004063B4 . 8D4C24 10 lea ecx, dword ptr [esp+10]
004063B8 . C74424 30 FFF>mov dword ptr [esp+30], -1
004063C0 . E8 3F320000 call <jmp.&MFC42.#800_CString::~CStri>
004063C5 . 5F pop edi
004063C6 . 5E pop esi
004063C7 . 5D pop ebp
004063C8 . 5B pop ebx
004063C9 . 8B4C24 18 mov ecx, dword ptr [esp+18]
004063CD . 64:890D 00000>mov dword ptr fs:[0], ecx
004063D4 . 83C4 24 add esp, 24
004063D7 . C3 retn
004063D8 > 8B4C24 10 mov ecx, dword ptr [esp+10]
004063DC . 8D4424 14 lea eax, dword ptr [esp+14]
004063E0 . 50 push eax
004063E1 . 51 push ecx
004063E2 . E8 E92E0000 call 004092D0
004063E7 . 83C4 08 add esp, 8
004063EA . 8BCD mov ecx, ebp
004063EC . E8 8B350000 call <jmp.&MFC42.#4853_CDialog::OnOK>
004063F1 . 8D4C24 10 lea ecx, dword ptr [esp+10]
004063F5 . C74424 30 FFF>mov dword ptr [esp+30], -1
004063FD . E8 02320000 call <jmp.&MFC42.#800_CString::~CStri>
00406402 . 5F pop edi
00406403 . 5E pop esi
00406404 . 5D pop ebp
00406405 . 5B pop ebx
00406406 . 8B4C24 18 mov ecx, dword ptr [esp+18]
0040640A . 64:890D 00000>mov dword ptr fs:[0], ecx
00406411 . 83C4 24 add esp, 24
00406414 . C3 retn
00406415 > 6A 00 push 0
00406417 . 6A 00 push 0
00406419 . 68 34084100 push 00410834 ; invalid registration key
0040641E > E8 01330000 call <jmp.&MFC42.#1200_AfxMessageBox>
00406423 . 8B4C24 28 mov ecx, dword ptr [esp+28]
00406427 . 5F pop edi
00406428 . 5E pop esi
00406429 . 5D pop ebp
0040642A . 5B pop ebx
0040642B . 64:890D 00000>mov dword ptr fs:[0], ecx
00406432 . 83C4 24 add esp, 24
00406435 . C3 retn
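As an added example (not code from the original post), here is a C reading of what the listing above does before it ever reaches the real check at 004092B0: each of the three edit boxes must report GetWindowTextLength() == 4 (cmp eax, 4 / jnz 00406415), then GetWindowText(buf, 5) copies them to adjacent stack slots at esp+14, esp+19 and esp+1E with '-' (bl = 2D) written at esp+18 and esp+1D, so the string handed to the checker is always the 14-character "XXXX-XXXX-XXXX". The function and struct names are my assumptions, and the checker at 004092B0 itself is not on the page, so only the dialog's own format validation is reconstructed.

```c
/* Added example, not code from the original post: C reading of the key
 * assembly at 0040633B-0040636A. Function/struct names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_FIELD_LEN 4
#define KEY_LEN       (3 * KEY_FIELD_LEN + 2)   /* "XXXX-XXXX-XXXX" */

/* Stand-in for the three CEdit controls at [ebp+198], [ebp+158], [ebp+118]. */
struct key_dialog {
    const char *field[3];
};

/* Mirrors the stack buffer at [esp+14]: 4 chars, '-', 4 chars, '-', 4 chars, NUL.
 * Returns false on the path that ends at 00406415 ("invalid registration key"). */
bool assemble_key(const struct key_dialog *dlg, char out[KEY_LEN + 1])
{
    /* cmp eax, 4 / jnz 00406415 is done for all three boxes before any copy */
    for (int i = 0; i < 3; i++) {
        if (dlg->field[i] == NULL || strlen(dlg->field[i]) != KEY_FIELD_LEN)
            return false;
    }
    char *p = out;
    for (int i = 0; i < 3; i++) {
        /* GetWindowText(buf, 5): copies at most 4 chars plus the NUL */
        memcpy(p, dlg->field[i], KEY_FIELD_LEN);
        p += KEY_FIELD_LEN;
        if (i < 2)
            *p++ = '-';   /* mov byte ptr [esp+18] / [esp+1D], bl  (bl = 0x2D) */
    }
    *p = '\0';
    return true;
}

/* The checks the dialog performs before calling the real checker at 004092B0:
 * an empty name gives "No user name is entered" (004062EB), a field of the
 * wrong length gives "Invalid registration key" (00406415). NULL means the
 * format passed and 004092B0 would run next. */
const char *prevalidate(const char *name, const struct key_dialog *dlg,
                        char key_out[KEY_LEN + 1])
{
    if (name == NULL || name[0] == '\0')   /* GetWindowTextLength == 0 */
        return "No user name is entered";
    if (!assemble_key(dlg, key_out))
        return "Invalid registration key";
    return NULL;
}

int main(void)
{
    char key[KEY_LEN + 1];
    /* constructed sample: the post's own input, split across the three boxes */
    struct key_dialog dlg = { { "1111", "1111", "1111" } };
    const char *err = prevalidate("A-new", &dlg, key);
    printf("%s -> %s\n", key, err ? err : "format ok, handed to 004092B0");
    return 0;
}
```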
After changing
004062E9 . 85C0 test eax, eax
00406309 . 0F85 06010000 jnz 00406415
0040631F . 0F85 F0000000 jnz 00406415
00406335 . 0F85 DA000000 jnz 00406415
004063A4 . 75 32 jnz short 004063D8
these four spots, save a copy and run it to see. Sweat~ it still asks for account and key; could this be the legendary restart check?
Just enter any name and Key again; I entered name: A-new, key: 1111-1111-1111.
Heh, this time it doesn't complain. Start it once more and it asks again, so it really does verify at startup.
Checked: no new file holding the registration info was created. Monitoring the registry with Regmon shows
[HKEY_CURRENT_USER\Software\Praven3 Software\WorkPause\Registration]
"User Name"="A-new"
"Registration Key"="1111-1111-1111"
So the registration info is in the registry. Load the copy modified just now into OD again,
Ctrl+N to search the functions, and on
RegQueryValueA
RegQueryValueExA
set "Breakpoint on every reference" for both, F9 to run, and it breaks here
0040922C |. FF15 00B04000 call dword ptr [<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
00409232 |. 85C0 test eax, eax
00409234 |. 75 17 jnz short 0040924D
00409236 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0040923A |. 51 push ecx
0040923B |. E8 30000000 call 00409270
00409240 |. 2BF8 sub edi, eax
00409242 |. 83C4 04 add esp, 4
00409245 |. 3BDF cmp ebx, edi
……………………………………………
0040925F |. /7E 02 jle short 00409263
00409261 |. |8BC3 mov eax, ebx
00409263 |> \5F pop edi
00409264 |. 5E pop esi
00409265 |. 5D pop ebp
00409266 |. 5B pop ebx
00409267 |. 81C4 34010000 add esp, 134
0040926D \. C3 retn
Keep pressing F8 to return to
00408951 . 8B4424 18 mov eax, dword ptr [esp+18] ; MFC42.73D3D000
00408955 . 8BCE mov ecx, esi
00408957 . 50 push eax ; /Arg1
00408958 . E8 C3090000 call 00409320 ; \WorkPaus.00409320
0040895D > 8A4424 18 mov al, byte ptr [esp+18]
00408961 . 84C0 test al, al
00408963 . 0F84 99000000 je 00408A02
00408969 . 8B4F 20 mov ecx, dword ptr [edi+20]
0040896C . 6A 00 push 0 ; /lParam = 0
When F8 reaches 00408958, the registration window actually pops up.
So scroll up and see whether it can be jumped over
0040893C . 52 push edx ; /hWnd
0040893D . FF15 48B64000 call dword ptr [<&USER32.UpdateWindow>; \UpdateWindow
00408943 . E8 B8050000 call 00408F00
00408948 . 84C0 test al, al
0040894A . 75 11 jnz short 0040895D → this one jumps right over it
0040894C . E8 BF070000 call 00409110
00408951 . 8B4424 18 mov eax, dword ptr [esp+18] ; MFC42.73D3D000
00408955 . 8BCE mov ecx, esi
00408957 . 50 push eax ; /Arg1
00408958 . E8 C3090000 call 00409320 ; \WorkPaus.00409320
0040895D > 8A4424 18 mov al, byte ptr [esp+18]
00408961 . 84C0 test al, al
00408963 . 0F84 99000000 je 00408A02
Set a breakpoint here at 0040894A, remove the other breakpoints, restart, and it breaks at
0040894A . 75 11 jnz short 0040895D
Make this jump get taken (just change the 1 after the Z flag in the register window to 0).
Then F9: the program is running and the registration window no longer pops up; looks about done.
Change it to jmp 0040895D, save, and run to see;
basically sorted, but
the About window shows:
This is an UNREGISTERED version
It's been used for 0 days.
Heh, now it's 0 days, but still not registered; keep going.
Find the string "This is an ..."
00408FA7 |. 84C0 test al, al
00408FA9 |. 74 59 je short 00409004 → the key jump; once it jumps you end up unregistered
00408FAB |. 8D4424 14 lea eax, dword ptr [esp+14]
00408FAF |. 50 push eax
00408FB0 |. E8 DB000000 call 00409090
00408FB5 |. 83C4 04 add esp, 4
00408FB8 |. 8BF0 mov esi, eax
00408FBA |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00408FBE |. 68 6C104100 push 0041106C ; /registered to:
00408FC3 |. BB 01000000 mov ebx, 1 ; |
00408FC8 |. 51 push ecx ; |Arg1
00408FC9 |. B9 50144100 mov ecx, 00411450 ; |
00408FCE |. 895C24 2C mov dword ptr [esp+2C], ebx ; |
00408FD2 |. E8 69EBFFFF call 00407B40 ; \hh.00407B40
00408FD7 |. 56 push esi
00408FD8 |. 8B7424 30 mov esi, dword ptr [esp+30]
00408FDC |. 50 push eax
00408FDD |. 56 push esi
00408FDE |. C64424 30 02 mov byte ptr [esp+30], 2
00408FE3 |. E8 260B0000 call <jmp.&MFC42.#922_operator+>
00408FE8 |. 895C24 0C mov dword ptr [esp+C], ebx
00408FEC |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00408FF0 |. 885C24 24 mov byte ptr [esp+24], bl
00408FF4 |. E8 0B060000 call <jmp.&MFC42.#800_CString::~CStri>
00408FF9 |. C64424 24 00 mov byte ptr [esp+24], 0
00408FFE |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00409002 |. EB 6F jmp short 00409073 → the key jump; once this one is taken it's OK
00409004 |> 8D4C24 08 lea ecx, dword ptr [esp+8]
00409008 |. E8 09060000 call <jmp.&MFC42.#540_CString::CStrin>
0040900D |. BB 03000000 mov ebx, 3
00409012 |. 895C24 24 mov dword ptr [esp+24], ebx
00409016 |. E8 F5000000 call 00409110
0040901B |. 85C0 test eax, eax
0040901D |. 7C 13 jl short 00409032
0040901F |. 50 push eax → and here
00409020 |. 8D5424 0C lea edx, dword ptr [esp+C] ↓
00409024 |. 68 50104100 push 00411050 ; it's been used for %d days.registered to:
00409029 |. 52 push edx
0040902A |. E8 AF070000 call <jmp.&MFC42.#2818_CString::Forma>
0040902F |. 83C4 0C add esp, 0C
00409032 |> 68 2C104100 push 0041102C ; this is an unregistered version.\n
00409037 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
0040903B |. E8 06060000 call <jmp.&MFC42.#537_CString::CStrin>
00409040 |. 8B7424 2C mov esi, dword ptr [esp+2C]
00409044 |. 8D4C24 08 lea ecx, dword ptr [esp+8]
00409048 |. 51 push ecx
00409049 |. 50 push eax
0040904A |. 56 push esi
0040904B |. C64424 30 04 mov byte ptr [esp+30], 4
00409050 |. E8 B90A0000 call <jmp.&MFC42.#922_operator+>
00409055 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00409059 |. C74424 0C 010>mov dword ptr [esp+C], 1
00409061 |. 885C24 24 mov byte ptr [esp+24], bl
00409065 |. E8 9A050000 call <jmp.&MFC42.#800_CString::~CStri>
0040906A |. C64424 24 00 mov byte ptr [esp+24], 0
0040906F |. 8D4C24 08 lea ecx, dword ptr [esp+8]
00409073 |> E8 8C050000 call <jmp.&MFC42.#800_CString::~CStri>
00409078 |. 8B4C24 1C mov ecx, dword ptr [esp+1C]
0040907C |. 8BC6 mov eax, esi
0040907E |. 5E pop esi
Change
00408FA9 |. 74 59 je short 00409004
to NOP, save, and run the program.
Heh, finally we see
Registered to:A-new
Done. My level is too low to trace the serial or write a keygen; I'll leave that to friends who are interested.
--------------------------------------------------------------------------------
[Summary]
Changes:
004062E9 ;00406309 ;0040631F ;00406335 ;004063A4: defeats the immediate check when Name and Key are entered
0040894A: defeats the restart check (usable from this point on)
00408FA9: shows "Registered to XXX" (looks a bit nicer)
The key was finding that the registration info is read from the registry, breaking there, and locating the critical jump of the restart check.
--------------------------------------------------------------------------------
[Copyright]: This article was originally written for the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact, thanks!
2007-03-27 10:13:15 PM