【文章标题】: 小颖安装程序制作专家5.43简单破解
【文章作者】: 网络断魂
【作者邮箱】: raojianbo@tom.com
【软件名称】: 小颖安装程序制作专家5.43
【软件大小】: 14.4M
【下载地址】: http://www.skycn.com/soft/3933.html
【加壳方式】: 无壳,注册码保护
【编写语言】: Borland C++ 1999
【操作平台】: XP
【破解工具】: PEID,OD
【软件介绍】: 新一代的软件发布打包工具,内置BDE、MDAC、MS Sql server 2000 client数据库支持包,支持数据压缩,生成的安装程序解压速度很快,内置超强的智能化管理引擎,你可以很轻松的管理你要发布的软件。支持广告图显示,支持EXE/DLL/OCX自动注册,支持注册表操作,支持反安装,支持多个地区语言(简、繁、英),支持加入软件序列号,生成的安装程序界面美观,共享版本没有任何时间限制, 但不允许使用于商业应用目的。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
破解过程:
安装完成后用PEID扫描,无壳,Borland C++ 1999。
打开软件弹出注册提示,用OD载入后下断(弹对话框)可以找到关键处:
0040CA5C /. 55 push ebp
0040CA5D |. 8BEC mov ebp, esp
0040CA5F |. 83C4 C4 add esp, -3C
0040CA62 |. 53 push ebx
0040CA63 |. 56 push esi
0040CA64 |. 57 push edi
0040CA65 |. 8D7D C4 lea edi, dword ptr [ebp-3C]
0040CA68 |. B8 4CC15100 mov eax, 0051C14C
0040CA6D |. E8 FE170E00 call 004EE270
0040CA72 |. 8B15 A4045400 mov edx, dword ptr [5404A4] ; CreateIn.00540CF0
0040CA78 |. 8B02 mov eax, dword ptr [edx]
0040CA7A |. 8B0D 90045400 mov ecx, dword ptr [540490] ; CreateIn._BuildingFileProcessWnd
0040CA80 |. 8B15 00505300 mov edx, dword ptr [535000] ; CreateIn.0053504C
0040CA86 |. E8 7D7D0700 call 00484808
0040CA8B |. 6A 00 push 0 ; /Arg1 = 00000000
0040CA8D |. E8 06170100 call 0041E198 ; \CreateIn.0041E198
0040CA92 |. 59 pop ecx
0040CA93 |. 6A 01 push 1 ; /Arg1 = 00000001
0040CA95 |. E8 2A170100 call 0041E1C4 ; \CreateIn.0041E1C4
0040CA9A |. 59 pop ecx
0040CA9B |. B2 01 mov dl, 1
0040CA9D |. A1 E87C4C00 mov eax, dword ptr [4C7CE8]
0040CAA2 |. E8 41B30B00 call 004C7DE8
0040CAA7 |. 8BD8 mov ebx, eax
0040CAA9 |. BA 02000080 mov edx, 80000002
0040CAAE |. 8BC3 mov eax, ebx
0040CAB0 |. E8 AFE20E00 call 004FAD64
0040CAB5 |. 66:C747 10 0C>mov word ptr [edi+10], 0C
0040CABB |. BA 3C875100 mov edx, 0051873C ; ASCII "\SoftWare\Yingsoft\YingInstall"
0040CAC0 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0040CAC3 |. E8 D0E20E00 call 004FAD98
0040CAC8 |. FF47 1C inc dword ptr [edi+1C]
0040CACB |. 8B10 mov edx, dword ptr [eax]
0040CACD |. B1 01 mov cl, 1
0040CACF |. 8BC3 mov eax, ebx
0040CAD1 |. E8 16B40B00 call 004C7EEC
0040CAD6 |. FF4F 1C dec dword ptr [edi+1C]
0040CAD9 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0040CADC |. BA 02000000 mov edx, 2
0040CAE1 |. E8 BEE30E00 call 004FAEA4
0040CAE6 |. 66:C747 10 24>mov word ptr [edi+10], 24
0040CAEC |. BA 5B875100 mov edx, 0051875B
0040CAF1 |. 8D45 FC lea eax, dword ptr [ebp-4]
0040CAF4 |. E8 9FE20E00 call 004FAD98
0040CAF9 |. FF47 1C inc dword ptr [edi+1C]
0040CAFC |. 66:C747 10 18>mov word ptr [edi+10], 18
0040CB02 |. 66:C747 10 30>mov word ptr [edi+10], 30
0040CB08 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0040CB0B |. E8 8053FFFF call 00401E90
0040CB10 |. 50 push eax
0040CB11 |. FF47 1C inc dword ptr [edi+1C]
0040CB14 |. BA 5C875100 mov edx, 0051875C ; ASCII "RegCode"
0040CB19 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040CB1C |. E8 77E20E00 call 004FAD98
0040CB21 |. FF47 1C inc dword ptr [edi+1C]
0040CB24 |. 8B10 mov edx, dword ptr [eax]
0040CB26 |. 8BC3 mov eax, ebx
0040CB28 |. 59 pop ecx
0040CB29 |. E8 72B70B00 call 004C82A0 ; //读假注册码
0040CB2E |. 8D55 F0 lea edx, dword ptr [ebp-10]
0040CB31 |. 8D45 FC lea eax, dword ptr [ebp-4]
0040CB34 |. E8 9BE30E00 call 004FAED4
0040CB39 |. FF4F 1C dec dword ptr [edi+1C]
0040CB3C |. 8D45 F0 lea eax, dword ptr [ebp-10]
0040CB3F |. BA 02000000 mov edx, 2
0040CB44 |. E8 5BE30E00 call 004FAEA4
0040CB49 |. FF4F 1C dec dword ptr [edi+1C]
0040CB4C |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040CB4F |. BA 02000000 mov edx, 2
0040CB54 |. E8 4BE30E00 call 004FAEA4
0040CB59 |. 8BC3 mov eax, ebx
0040CB5B |. E8 F8B20B00 call 004C7E58
0040CB60 |. 8BF3 mov esi, ebx
0040CB62 |. 8975 E8 mov dword ptr [ebp-18], esi
0040CB65 |. 85F6 test esi, esi
0040CB67 |. 74 1E je short 0040CB87
0040CB69 |. 8B06 mov eax, dword ptr [esi]
0040CB6B |. 8945 EC mov dword ptr [ebp-14], eax
0040CB6E |. 66:C747 10 48>mov word ptr [edi+10], 48
0040CB74 |. BA 03000000 mov edx, 3
0040CB79 |. 8B45 E8 mov eax, dword ptr [ebp-18]
0040CB7C |. 8B08 mov ecx, dword ptr [eax]
0040CB7E |. FF51 FC call dword ptr [ecx-4]
0040CB81 |. 66:C747 10 3C>mov word ptr [edi+10], 3C
0040CB87 |> 8B55 FC mov edx, dword ptr [ebp-4]
0040CB8A |. 52 push edx ; /Arg1
0040CB8B |. E8 E4D60000 call 0041A274 ; //真假注册码较验
0040CB90 |. 59 pop ecx
0040CB91 |. 84C0 test al, al
0040CB93 75 27 jnz short 0040CBBC ; //此处为爆破点
0040CB95 |. A1 A4045400 mov eax, dword ptr [5404A4]
0040CB9A |. 8B00 mov eax, dword ptr [eax]
0040CB9C |. 8B0D 98045400 mov ecx, dword ptr [540498] ; CreateIn._RegSoft
0040CBA2 |. 8B15 5C5B5300 mov edx, dword ptr [535B5C] ; CreateIn.00535BA8
0040CBA8 |. E8 5B7C0700 call 00484808
0040CBAD |. A1 98045400 mov eax, dword ptr [540498]
0040CBB2 |. 8B00 mov eax, dword ptr [eax]
0040CBB4 |. 8B10 mov edx, dword ptr [eax]
0040CBB6 |. FF92 FC000000 call dword ptr [edx+FC] ; //弹出注册框
0040CBBC |> FF4F 1C dec dword ptr [edi+1C]
0040CBBF |. 8D45 FC lea eax, dword ptr [ebp-4]
0040CBC2 |. BA 02000000 mov edx, 2
0040CBC7 |. E8 D8E20E00 call 004FAEA4
0040CBCC |. 8B0F mov ecx, dword ptr [edi]
0040CBCE |. 64:890D 00000>mov dword ptr fs:[0], ecx
0040CBD5 |. 5F pop edi
0040CBD6 |. 5E pop esi
0040CBD7 |. 5B pop ebx
0040CBD8 |. 8BE5 mov esp, ebp
0040CBDA |. 5D pop ebp
0040CBDB \. C3 retn
在0040CB93修改可以爆破,去除注册提示,
0040CB8B |. E8 E4D60000 call 0041A274 此处跟进后看到:
0041A274 /$ 55 push ebp
0041A275 |. 8BEC mov ebp, esp
0041A277 |. 83C4 B4 add esp, -4C
0041A27A |. 53 push ebx
0041A27B |. 56 push esi
0041A27C |. 8D5D B4 lea ebx, dword ptr [ebp-4C]
0041A27F |. 8D75 D4 lea esi, dword ptr [ebp-2C]
0041A282 |. B8 4C2B5200 mov eax, 00522B4C
0041A287 |. E8 E43F0D00 call 004EE270
0041A28C |. C746 1C 01000>mov dword ptr [esi+1C], 1
0041A293 |. 8D55 08 lea edx, dword ptr [ebp+8]
0041A296 |. 8D45 08 lea eax, dword ptr [ebp+8]
0041A299 |. E8 320B0E00 call 004FADD0
0041A29E |. FF46 1C inc dword ptr [esi+1C]
0041A2A1 |. 66:C746 10 0C>mov word ptr [esi+10], 0C ; //13
0041A2A7 |. C643 05 50 mov byte ptr [ebx+5], 50 ; // 80
0041A2AB |. C643 06 4F mov byte ptr [ebx+6], 4F ; //79
0041A2AF |. C643 07 57 mov byte ptr [ebx+7], 57 ; // 87
0041A2B3 |. C603 43 mov byte ptr [ebx], 43 ; //67
0041A2B6 |. C643 01 48 mov byte ptr [ebx+1], 48 ; //72(出现CH)
0041A2BA |. C643 08 45 mov byte ptr [ebx+8], 45 ; // 69
0041A2BE |. C643 09 52 mov byte ptr [ebx+9], 52 ; //82
0041A2C2 |. C643 0D 4E mov byte ptr [ebx+D], 4E ; //78
0041A2C6 |. C643 0E 47 mov byte ptr [ebx+E], 47 ; //71
0041A2CA |. C643 0A 2D mov byte ptr [ebx+A], 2D ; // 45
0041A2CE |. C643 0B 59 mov byte ptr [ebx+B], 59 ; //89
0041A2D2 |. C643 0C 49 mov byte ptr [ebx+C], 49 ; //73
0041A2D6 |. C643 11 46 mov byte ptr [ebx+11], 46 ; //70
0041A2DA |. C643 12 54 mov byte ptr [ebx+12], 54 ; //84
0041A2DE |. C643 0F 53 mov byte ptr [ebx+F], 53 ; //83
0041A2E2 |. C643 10 4F mov byte ptr [ebx+10], 4F ; //79
0041A2E6 |. C643 13 00 mov byte ptr [ebx+13], 0 ; // 00
0041A2EA |. C643 02 49 mov byte ptr [ebx+2], 49 ; //73
0041A2EE |. C643 03 4E mov byte ptr [ebx+3], 4E ; //78(出现IN)
0041A2F2 |. C643 04 41 mov byte ptr [ebx+4], 41 ; // 65(运行完此行出现全部注册码:CHINAPOWER-YINGSOFT)
0041A2F6 |. 66:C746 10 18>mov word ptr [esi+10], 18 ; //24(此处可以做内存注册机)
0041A2FC |. 8D45 FC lea eax, dword ptr [ebp-4]
0041A2FF |. E8 8C7BFEFF call 00401E90
0041A304 |. 8BD0 mov edx, eax
0041A306 |. FF46 1C inc dword ptr [esi+1C]
0041A309 |. 8BC3 mov eax, ebx
0041A30B |. E8 5C1A0B00 call 004CBD6C
0041A310 |. 8D55 FC lea edx, dword ptr [ebp-4]
0041A313 |. 8D45 08 lea eax, dword ptr [ebp+8]
0041A316 |. E8 6D0C0E00 call 004FAF88
0041A31B |. 50 push eax ; /Arg1
0041A31C |. FF4E 1C dec dword ptr [esi+1C] ; |
0041A31F |. 8D45 FC lea eax, dword ptr [ebp-4] ; |
0041A322 |. BA 02000000 mov edx, 2 ; |
0041A327 |. E8 780B0E00 call 004FAEA4 ; \CreateIn.004FAEA4
在0041A2F6处,EBX中出现注册码,此处可以做内存注册机,
疑问:怎么一串赋值语句之后就出现了注册码?此注册码似呼不像是跟据机器码计算得来?望哪位大侠为我解惑!谢谢
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
