大家好,我才到看雪没两天,发个破文。有不对的地方还望前辈多多指教。软件名我
就不提供了,毕竟写软件也辛苦。写这篇破文是看了论坛的一个帖 <很牛的软件,
谁能破,安盟公司的别进。。。我快吐血了 > 引起了我的兴趣。
CrpWY.exe载入OD
004B829C CrpWY.<Mo> $ 55 push ebp
004B829D . 8BEC mov ebp,esp
004B829F . 83C4 F0 add esp,-10
004B82A2 . 53 push ebx
004B82A3 . 56 push esi
004B82A4 . B8 34804B00 mov eax,CrpWY.004B8034
004B82A9 . E8 4AE5F4FF call CrpWY.004067F8
; 读注册
004B82AE . 8B35 B8AC4B00 mov esi,dword ptr ds:
[4BACB8] ; CrpWY.004BBC04
004B82B4 . 8B06 mov eax,dword ptr ds:[esi]
004B82B6 . E8 15CDFAFF call CrpWY.00464FD0
004B82BB . 68 F4834B00 push CrpWY.004B83F4
; /Arg3 = 004B83F4 ASCII "CrpServerMain"
004B82C0 . 6A 00 push 0
; |Arg2 = 00000000
004B82C2 . 6A 00 push 0
; |Arg1 = 00000000
004B82C4 . E8 3FE7F4FF call CrpWY.00406A08
; \CrpWY.00406A08
004B82C9 . 8BD8 mov ebx,eax
004B82CB . E8 D8E7F4FF call
<jmp.&kernel32.GetLastError> ; [GetLastError
004B82D0 . 3D B7000000 cmp eax,0B7
004B82D5 . 0F84 0C010000 je CrpWY.004B83E7
; 跳就完 如果改成jmp CrpWY.004b82f0就没有注册窗口
004B82DB . E8 90D2FEFF call
<jmp.&crpspt.CrpSpt_JCSYQ> 关键F7
004B82E0 . 84C0 test al,al
004B82E2 . 75 0C jnz short CrpWY.004B82F0
004B82E4 . 8B06 mov eax,dword ptr ds:[esi]
004B82E6 . E8 69CEFAFF call CrpWY.00465154
004B82EB . E9 FD000000 jmp CrpWY.004B83ED
进call
0057DB8F 0055 8B add byte ptr ss:[ebp-75],dl
0057DB92 EC in al,dx
0057DB93 B9 30000000 mov ecx,30
0057DB98 6A 00 push 0
0057DB9A 6A 00 push 0
0057DB9C 49 dec ecx
0057DB9D ^ 75 F9 jnz short CrpSpt.0057DB98
0057DB9F 51 push ecx
0057DBA0 53 push ebx
0057DBA1 56 push esi
0057DBA2 57 push edi
0057DBA3 33C0 xor eax,eax
0057DBA5 55 push ebp
0057DBA6 68 06E05700 push CrpSpt.0057E006
0057DBAB 64:FF30 push dword ptr fs:[eax]
0057DBAE 64:8920 mov dword ptr fs:[eax],esp
0057DBB1 33DB xor ebx,ebx
0057DBB3 68 04010000 push 104
0057DBB8 8D85 A5FEFFFF lea eax,dword ptr ss:[ebp-
15B]
0057DBBE 50 push eax
0057DBBF 6A 00 push 0
0057DBC1 E8 BE8CFBFF call
<jmp.&kernel32.GetModuleFile>
0057DBC6 68 20E05700 push CrpSpt.0057E020
0057DBCB 8D95 9CFEFFFF lea edx,dword ptr ss:[ebp-
164]
0057DBD1 8D85 A5FEFFFF lea eax,dword ptr ss:[ebp-
15B]
0057DBD7 E8 60ADFBFF call CrpSpt.0053893C
0057DBDC 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-
164]
0057DBE2 8D95 A0FEFFFF lea edx,dword ptr ss:[ebp-
160]
0057DBE8 E8 77AAFBFF call CrpSpt.00538664
0057DBED FFB5 A0FEFFFF push dword ptr ss:[ebp-160]
0057DBF3 68 2CE05700 push CrpSpt.0057E02C
; ASCII "CrpReg.exe"
0057DBF8 68 20E05700 push CrpSpt.0057E020
0057DBFD 8D45 EC lea eax,dword ptr ss:[ebp-
14]
0057DC00 BA 04000000 mov edx,4
0057DC05 E8 366AFBFF call CrpSpt.00534640
0057DC0A 6A 1E push 1E
0057DC0C 68 38E05700 push CrpSpt.0057E038
; ASCII "12345-12345-12345-12345-12345"
0057DC11 6A 1E push 1E
0057DC13 8D45 B6 lea eax,dword ptr ss:[ebp-
4A]
0057DC16 50 push eax
0057DC17 68 00000100 push 10000
; UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All
Users"
0057DC1C 68 00000080 push 80000000
0057DC21 E8 82FDFFFF call
<jmp.&CrpSrvrReg.CrpSR_GetDa>
0057DC26 8D55 B6 lea edx,dword ptr ss:[ebp-
4A]
0057DC29 B8 38E05700 mov eax,CrpSpt.0057E038
; ASCII "12345-12345-12345-12345-12345"
0057DC2E E8 EDABFBFF call CrpSpt.00538820
0057DC33 85C0 test eax,eax
0057DC35 EB 56 jmp short CrpSpt.0057DC8D
; 跳向试用要改jmp
0057DC37 8D45 B6 lea eax,dword ptr ss:[ebp-
4A]
0057DC3A 50 push eax
0057DC3B E8 BCFEFFFF call CrpSpt.CrpSpt_YZXLH
0057DC40 84C0 test al,al
0057DC42 74 07 je short CrpSpt.0057DC4B
; 跳向非法注册 不能跳
0057DC44 B3 01 mov bl,1
0057DC46 E9 80030000 jmp CrpSpt.0057DFCB
; 程序运行 没注册窗口
0057DC4B 8D45 E8 lea eax,dword ptr ss:[ebp-
18]
0057DC4E BA 60E05700 mov edx,CrpSpt.0057E060
0057DC53 E8 0867FBFF call CrpSpt.00534360
0057DC58 6A 01 push 1
0057DC5A FF75 EC push dword ptr ss:[ebp-14]
0057DC5D 68 90E05700 push CrpSpt.0057E090
0057DC62 FF75 E8 push dword ptr ss:[ebp-18]
0057DC65 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-
168]
0057DC6B BA 03000000 mov edx,3
0057DC70 E8 CB69FBFF call CrpSpt.00534640
0057DC75 8B85 98FEFFFF mov eax,dword ptr ss:[ebp-
168]
0057DC7B E8 F86AFBFF call CrpSpt.00534778
0057DC80 50 push eax
0057DC81 E8 368DFBFF call <jmp.&kernel32.WinExec>
0057DC86 33DB xor ebx,ebx
0057DC88 E9 3E030000 jmp CrpSpt.0057DFCB
0057DC8D E8 56FDFFFF call CrpSpt.0057D9E8
0057DC92 8BF0 mov esi,eax
0057DC94 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0057DC97 50 push eax
0057DC98 89B5 90FEFFFF mov dword ptr ss:[ebp-
170],esi
0057DC9E C685 94FEFFFF 00 mov byte ptr ss:[ebp-16C],0
0057DCA5 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-
170]
0057DCAB 33C9 xor ecx,ecx
0057DCAD B8 9CE05700 mov eax,CrpSpt.0057E09C
; ASCII "%8.8x"
0057DCB2 E8 01B2FBFF call CrpSpt.00538EB8
0057DCB7 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0057DCBA E8 C168FBFF call CrpSpt.00534580
0057DCBF 8BF8 mov edi,eax
0057DCC1 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0057DCC4 50 push eax
0057DCC5 8BC6 mov eax,esi
0057DCC7 35 80191304 xor eax,4131980
0057DCCC 8985 90FEFFFF mov dword ptr ss:[ebp-
170],eax
0057DCD2 C685 94FEFFFF 00 mov byte ptr ss:[ebp-16C],0
0057DCD9 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-
170]
0057DCDF 33C9 xor ecx,ecx
0057DCE1 B8 9CE05700 mov eax,CrpSpt.0057E09C
; ASCII "%8.8x"
0057DCE6 E8 CDB1FBFF call CrpSpt.00538EB8
0057DCEB 8D45 F0 lea eax,dword ptr ss:[ebp-
10]
0057DCEE 50 push eax
0057DCEF 81F6 80192802 xor esi,2281980
0057DCF5 89B5 90FEFFFF mov dword ptr ss:[ebp-
170],esi
0057DCFB C685 94FEFFFF 00 mov byte ptr ss:[ebp-16C],0
0057DD02 8D95 90FEFFFF lea edx,dword ptr ss:[ebp-
170]
0057DD08 33C9 xor ecx,ecx
0057DD0A B8 9CE05700 mov eax,CrpSpt.0057E09C
; ASCII "%8.8x"
0057DD0F E8 A4B1FBFF call CrpSpt.00538EB8
0057DD14 B2 01 mov dl,1
0057DD16 A1 64D45700 mov eax,dword ptr ds:
[57D464]
0057DD1B E8 44F8FFFF call CrpSpt.0057D564
0057DD20 8945 D4 mov dword ptr ss:[ebp-
2C],eax
0057DD23 33C0 xor eax,eax
0057DD25 55 push ebp
0057DD26 68 C2DF5700 push CrpSpt.0057DFC2
0057DD2B 64:FF30 push dword ptr fs:[eax]
0057DD2E 64:8920 mov dword ptr fs:[eax],esp
0057DD31 BA 00000080 mov edx,80000000
0057DD36 8B45 D4 mov eax,dword ptr ss:[ebp-
2C]
0057DD39 E8 C6F8FFFF call CrpSpt.0057D604
0057DD3E B1 01 mov cl,1
0057DD40 8B55 F4 mov edx,dword ptr ss:[ebp-C]
0057DD43 8B45 D4 mov eax,dword ptr ss:[ebp-
2C]
0057DD46 E8 1DF9FFFF call CrpSpt.0057D668
0057DD4B 84C0 test al,al
0057DD4D 75 0A jnz short CrpSpt.0057DD59
; 跳向试用
0057DD4F E8 F85FFBFF call CrpSpt.00533D4C
0057DD54 E9 72020000 jmp CrpSpt.0057DFCB
; over
0057DD59 8B55 F0 mov edx,dword ptr ss:[ebp-
10]
0057DD5C 8B45 D4 mov eax,dword ptr ss:[ebp-
2C]
0057DD5F E8 CCFBFFFF call CrpSpt.0057D930
0057DD64 84C0 test al,al
0057DD66 75 5F jnz short CrpSpt.0057DDC7
; 跳向试用 不跳永远是30次10天
0057DD68 C745 FC 1E000000 mov dword ptr ss:[ebp-4],1E
0057DD6F E8 44B9FBFF call CrpSpt.005396B8
0057DD74 DD5D D8 fstp qword ptr ss:[ebp-28]
0057DD77 9B wait
0057DD78 8D55 AA lea edx,dword ptr ss:[ebp-
56]
0057DD7B 8D45 FC lea eax,dword ptr ss:[ebp-4]
0057DD7E B9 04000000 mov ecx,4
0057DD83 E8 384BFBFF call CrpSpt.005328C0
0057DD88 8D55 AE lea edx,dword ptr ss:[ebp-
52]
0057DD8B 8D45 D8 lea eax,dword ptr ss:[ebp-
28]
0057DD8E B9 08000000 mov ecx,8
0057DD93 E8 284BFBFF call CrpSpt.005328C0
0057DD98 57 push edi
0057DD99 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0057DD9C E8 D769FBFF call CrpSpt.00534778
0057DDA1 8BC8 mov ecx,eax
0057DDA3 8D45 AA lea eax,dword ptr ss:[ebp-
56]
0057DDA6 BA 0C000000 mov edx,0C
0057DDAB E8 E8FCFFFF call CrpSpt.0057DA98
0057DDB0 6A 0C push 0C
0057DDB2 8D4D AA lea ecx,dword ptr ss:[ebp-
56]
0057DDB5 8B55 F0 mov edx,dword ptr ss:[ebp-
10]
0057DDB8 8B45 D4 mov eax,dword ptr ss:[ebp-
2C]
0057DDBB E8 1CFAFFFF call CrpSpt.0057D7DC
0057DDC0 B3 01 mov bl,1
0057DDC2 E9 46010000 jmp CrpSpt.0057DF0D
0057DDC7 6A 0C push 0C
0057DDC9 8D4D AA lea ecx,dword ptr ss:[ebp-
56]
0057DDCC 8B55 F0 mov edx,dword ptr ss:[ebp-
10]
0057DDCF 8B45 D4 mov eax,dword ptr ss:[ebp-
2C]
0057DDD2 E8 19FAFFFF call CrpSpt.0057D7F0
0057DDD7 57 push edi
0057DDD8 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0057DDDB E8 9869FBFF call CrpSpt.00534778
0057DDE0 8BC8 mov ecx,eax
0057DDE2 8D45 AA lea eax,dword ptr ss:[ebp-
56]
0057DDE5 BA 0C000000 mov edx,0C
0057DDEA E8 A9FCFFFF call CrpSpt.0057DA98
0057DDEF 8D55 FC lea edx,dword ptr ss:[ebp-4]
0057DDF2 8D45 AA lea eax,dword ptr ss:[ebp-
56]
0057DDF5 B9 04000000 mov ecx,4
0057DDFA E8 C14AFBFF call CrpSpt.005328C0
0057DDFF 8D55 D8 lea edx,dword ptr ss:[ebp-
28]
0057DE02 8D45 AE lea eax,dword ptr ss:[ebp-
52]
0057DE05 B9 08000000 mov ecx,8
0057DE0A E8 B14AFBFF call CrpSpt.005328C0
0057DE0F FF45 FC inc dword ptr ss:[ebp-4]
; dec减1改inc加1
0057DE12 837D FC 00 cmp dword ptr ss:[ebp-4],0
0057DE16 76 06 jbe short CrpSpt.0057DE1E
; 小于或等于跳向试用过期
0057DE18 837D FC 1E cmp dword ptr ss:[ebp-4],1E
; 30减[ebp-4]=12ff9c
0057DE1C EB 45 jmp short CrpSpt.0057DE63
; 小于跳 试用 改jmp
0057DE1E 8D45 E8 lea eax,dword ptr ss:[ebp-
18]
0057DE21 BA ACE05700 mov edx,CrpSpt.0057E0AC
0057DE26 E8 3565FBFF call CrpSpt.00534360
0057DE2B 6A 01 push 1
0057DE2D FF75 EC push dword ptr ss:[ebp-14]
0057DE30 68 90E05700 push CrpSpt.0057E090
0057DE35 FF75 E8 push dword ptr ss:[ebp-18]
0057DE38 8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-
174]
0057DE3E BA 03000000 mov edx,3
0057DE43 E8 F867FBFF call CrpSpt.00534640
0057DE48 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-
174]
0057DE4E E8 2569FBFF call CrpSpt.00534778
0057DE53 50 push eax
0057DE54 E8 638BFBFF call <jmp.&kernel32.WinExec>
0057DE59 E8 EE5EFBFF call CrpSpt.00533D4C
0057DE5E E9 68010000 jmp CrpSpt.0057DFCB
0057DE63 E8 50B8FBFF call CrpSpt.005396B8
0057DE68 DD5D E0 fstp qword ptr ss:[ebp-20]
0057DE6B 9B wait
0057DE6C DD45 E0 fld qword ptr ss:[ebp-20]
0057DE6F DC65 D8 fsub qword ptr ss:[ebp-28]
0057DE72 D81D CCE05700 fcomp dword ptr ds:[57E0CC]
0057DE78 DFE0 fstsw ax
0057DE7A 9E sahf
0057DE7B 72 11 jb short CrpSpt.0057DE8E
0057DE7D DD45 E0 fld qword ptr ss:[ebp-20]
0057DE80 DC65 D8 fsub qword ptr ss:[ebp-28]
0057DE83 D81D D0E05700 fcomp dword ptr ds:[57E0D0]
0057DE89 DFE0 fstsw ax
0057DE8B 9E sahf
0057DE8C 76 45 jbe short CrpSpt.0057DED3
0057DE8E 8D45 E8 lea eax,dword ptr ss:[ebp-
18]
0057DE91 BA ACE05700 mov edx,CrpSpt.0057E0AC
0057DE96 E8 C564FBFF call CrpSpt.00534360
0057DE9B 6A 01 push 1
0057DE9D FF75 EC push dword ptr ss:[ebp-14]
0057DEA0 68 90E05700 push CrpSpt.0057E090
0057DEA5 FF75 E8 push dword ptr ss:[ebp-18]
0057DEA8 8D85 88FEFFFF lea eax,dword ptr ss:[ebp-
178]
0057DEAE BA 03000000 mov edx,3
0057DEB3 E8 8867FBFF call CrpSpt.00534640
0057DEB8 8B85 88FEFFFF mov eax,dword ptr ss:[ebp-
178]
0057DEBE E8 B568FBFF call CrpSpt.00534778
0057DEC3 50 push eax
0057DEC4 E8 F38AFBFF call <jmp.&kernel32.WinExec>
0057DEC9 E8 7E5EFBFF call CrpSpt.00533D4C
0057DECE E9 F8000000 jmp CrpSpt.0057DFCB
0057DED3 8D55 AA lea edx,dword ptr ss:[ebp-
56]
0057DED6 8D45 FC lea eax,dword ptr ss:[ebp-4]
0057DED9 B9 04000000 mov ecx,4
0057DEDE E8 DD49FBFF call CrpSpt.005328C0
0057DEE3 57 push edi
0057DEE4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0057DEE7 E8 8C68FBFF call CrpSpt.00534778
0057DEEC 8BC8 mov ecx,eax
0057DEEE 8D45 AA lea eax,dword ptr ss:[ebp-
56]
0057DEF1 BA 0C000000 mov edx,0C
; 12
0057DEF6 E8 9DFBFFFF call CrpSpt.0057DA98
0057DEFB 6A 0C push 0C
0057DEFD 8D4D AA lea ecx,dword ptr ss:[ebp-
56]
0057DF00 8B55 F0 mov edx,dword ptr ss:[ebp-
10]
0057DF03 8B45 D4 mov eax,dword ptr ss:[ebp-
2C]
0057DF06 E8 D1F8FFFF call CrpSpt.0057D7DC
0057DF0B B3 01 mov bl,1
0057DF0D 68 DCE05700 push CrpSpt.0057E0DC
; 提示使用次数,天数
0057DF12 8B45 FC mov eax,dword ptr ss:[ebp-4]
; 把偏移地址存到eax剩余次数
0057DF15 33D2 xor edx,edx
0057DF17 52 push edx
0057DF18 50 push eax
; 压入剩余次数
0057DF19 8D85 84FEFFFF lea eax,dword ptr ss:[ebp-
17C] ; 把偏移地址存到eax
0057DF1F E8 BCA4FBFF call CrpSpt.005383E0
; 转为10进制
0057DF24 FFB5 84FEFFFF push dword ptr ss:[ebp-17C]
; 次数
0057DF2A 68 FCE05700 push CrpSpt.0057E0FC
0057DF2F E8 84B7FBFF call CrpSpt.005396B8
0057DF34 DC65 D8 fsub qword ptr ss:[ebp-28]
0057DF37 83C4 F4 add esp,-0C
0057DF3A DB3C24 fstp tbyte ptr ss:[esp]
0057DF3D 9B wait
0057DF3E E8 1D65FDFF call CrpSpt.00554460
0057DF43 50 push eax
0057DF44 B8 FFE0F505 mov eax,5F5E0FF
; 使用天数到eax
0057DF49 5A pop edx
; edx是已使用的天数
0057DF4A 2BC2 sub eax,edx
; 天数减eax-edx
0057DF4C 8D95 80FEFFFF lea edx,dword ptr ss:[ebp-
180]
0057DF52 E8 59A4FBFF call CrpSpt.005383B0
; 转为10进制
0057DF57 FFB5 80FEFFFF push dword ptr ss:[ebp-180]
0057DF5D 68 08E15700 push CrpSpt.0057E108
0057DF62 8D45 E8 lea eax,dword ptr ss:[ebp-
18]
0057DF65 BA 05000000 mov edx,5
0057DF6A E8 D166FBFF call CrpSpt.00534640
0057DF6F 6A 01 push 1
0057DF71 FF75 EC push dword ptr ss:[ebp-14]
0057DF74 68 90E05700 push CrpSpt.0057E090
0057DF79 FF75 E8 push dword ptr ss:[ebp-18]
0057DF7C 8D85 7CFEFFFF lea eax,dword ptr ss:[ebp-
184]
0057DF82 BA 03000000 mov edx,3
0057DF87 E8 B466FBFF call CrpSpt.00534640
0057DF8C 8B85 7CFEFFFF mov eax,dword ptr ss:[ebp-
184]
0057DF92 E8 E167FBFF call CrpSpt.00534778
0057DF97 50 push eax
0057DF98 E8 1F8AFBFF call <jmp.&kernel32.WinExec>
; 注册窗口
0057DF9D E8 AA5DFBFF call CrpSpt.00533D4C
; 退出窗口
我把使用天数改成5F5E0FF,也就是99999999天,大概是273972年。不知道我们能不能
活到那么久。我把使用次数改成用一次加一次。
其实这软件还有很多地方可以爆破,我就不全写出来了,大家自己去找吧。