【Title】: Cracking progeCAD 2008 Pro ENG 8.0.14
【Author】: chinglq
【Author e-mail】: chinglq@sina.com
【Author homepage】: http://lqcoolboy.xinwen365.com
【Software】: progeCAD 2008 Pro ENG 8.0.14
【Size】: 5.73M (installer 192MB)
【Download】: http://www.icadsales.com/public/progeCAD2008Pro.exe
【Packer】: N/A
【Protection】: registration code + time limit
【Compiler】: Microsoft Visual C++ 6.0
【Tools】: OD, PEiD
【Platform】: Lenovo OEM WinXP SP2
【Description】: Free 30-day Download of progeCAD 2008 Professional 8.0.14 Edit your AutoCAD 2008 drawings! A replacement for AutoCAD: the professional edition with Render, Raster, Vectorializer, ACIS Solids, PDF output and Libraries for the DWG/DXF formats. It can be used from three programming languages (Lisp, C++ and VBA) and includes all the symbol libraries (Architectural, Mechanical, Electrical components and 3D Furnishings). The core of an independent platform for domestic CAD software.
【Author's note】: Just out of interest, no other purpose. Please correct me where I have made mistakes! If you like this software, please support the genuine version!
--------------------------------------------------------------------------------
【Detailed process】
1.0 Observation:
After installation, a registration dialog appears on startup; 30-day trial.
2.0 Packer check:
Checked with PEiD: no packer, compiled with VC++ 6.0.
3.0 Debugging:
Loaded it in OD and set breakpoints with the API plugin; tracing revealed that the following routine is the key to the registration check:
-----------------------------------------------------
006592B0 /$ 6A FF push -1
006592B2 |. 68 2D218F00 push 008F212D ; SE handler install
006592B7 |. 64:A1 00000000 mov eax, dword ptr fs:[0]
006592BD |. 50 push eax
006592BE |. 64:8925 00000000 mov dword ptr fs:[0], esp
006592C5 |. 81EC CC010000 sub esp, 1CC
006592CB |. 53 push ebx
006592CC |. 55 push ebp
006592CD |. 56 push esi
006592CE |. 57 push edi
006592CF |. 8D4C24 18 lea ecx, dword ptr [esp+18]
006592D3 |. C74424 48 00010000 mov dword ptr [esp+48], 100
006592DB |. E8 4E5A2700 call <jmp.&MFC42.#540_CString::CString>
...........................................
006597B0 |. 8B4C24 24 mov ecx, dword ptr [esp+24]
006597B4 |. 8D4424 14 lea eax, dword ptr [esp+14]
006597B8 |. 50 push eax ; /pHandle
006597B9 |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
006597BE |. 6A 00 push 0 ; |Reserved = 0
006597C0 |. 51 push ecx ; |Subkey
006597C1 |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
006597C6 |. FF15 0C309000 call dword ptr [<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA
006597CC |. 85C0 test eax, eax
006597CE |. 74 2F je short 006597FF
006597D0 |. 8B4C24 24 mov ecx, dword ptr [esp+24]
006597D4 |. 8D5424 64 lea edx, dword ptr [esp+64]
006597D8 |. 8D4424 14 lea eax, dword ptr [esp+14]
006597DC |. 52 push edx ; /pDisposition
006597DD |. 50 push eax ; |pHandle
006597DE |. 6A 00 push 0 ; |pSecurity = NULL
006597E0 |. 68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
006597E5 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
006597E7 |. 6A 00 push 0 ; |Class = NULL
006597E9 |. 6A 00 push 0 ; |Reserved = 0
006597EB |. 51 push ecx ; |Subkey
006597EC |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
006597F1 |. FF15 14309000 call dword ptr [<&ADVAPI32.RegCreateKeyExA>] ; \RegCreateKeyExA
006597F7 |. 85C0 test eax, eax
006597F9 |. 0F85 85130000 jnz 0065AB84
006597FF |> BF D4E49A00 mov edi, 009AE4D4 ; dns
00659804 |. 83C9 FF or ecx, FFFFFFFF
00659807 |. 33C0 xor eax, eax
00659809 |. 8D5424 4C lea edx, dword ptr [esp+4C]
0065980D |. F2:AE repne scas byte ptr es:[edi]
0065980F |. F7D1 not ecx
00659811 |. 2BF9 sub edi, ecx
00659813 |. C74424 48 FF000000 mov dword ptr [esp+48], 0FF
0065981B |. 8BC1 mov eax, ecx
0065981D |. 8BF7 mov esi, edi
0065981F |. 8BFA mov edi, edx
00659821 |. 8D9424 DC000000 lea edx, dword ptr [esp+DC]
00659828 |. C1E9 02 shr ecx, 2
0065982B |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0065982D |. 8BC8 mov ecx, eax
0065982F |. 8D4424 78 lea eax, dword ptr [esp+78]
00659833 |. 23CB and ecx, ebx
00659835 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
00659837 |. 8D4C24 48 lea ecx, dword ptr [esp+48]
0065983B |. 51 push ecx ; /pBufSize
0065983C |. 52 push edx ; |Buffer
0065983D |. 8B5424 1C mov edx, dword ptr [esp+1C] ; |
00659841 |. 50 push eax ; |pValueType
00659842 |. 8D4C24 58 lea ecx, dword ptr [esp+58] ; |
00659846 |. 6A 00 push 0 ; |Reserved = NULL
00659848 |. 51 push ecx ; |ValueName
00659849 |. 52 push edx ; |hKey
0065984A |. FF15 04309000 call dword ptr [<&ADVAPI32.RegQueryValueExA>] ; \RegQueryValueExA
00659850 |. 8B2D 08309000 mov ebp, dword ptr [<&ADVAPI32.RegSetValueExA>] ; ADVAPI32.RegSetValueExA
00659856 |. 85C0 test eax, eax
00659858 |. 0F85 C9000000 jnz 00659927
0065985E |. 8D8424 DC000000 lea eax, dword ptr [esp+DC]
00659865 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00659869 |. 50 push eax
0065986A |. E8 CB542700 call <jmp.&MFC42.#537_CString::CString>
0065986F |. 53 push ebx
00659870 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00659874 |. C68424 E8010000 0F mov byte ptr [esp+1E8], 0F
0065987C |. E8 11572700 call <jmp.&MFC42.#2915_CString::GetBuffer>
00659881 |. 50 push eax ; /s
00659882 |. FF15 78569000 call dword ptr [<&MSVCRT.atoi>] ; \atoi
00659888 |. 83C4 04 add esp, 4
0065988B |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0065988F |. 8BF0 mov esi, eax
00659891 |. C68424 E4010000 0C mov byte ptr [esp+1E4], 0C
00659899 |. E8 96542700 call <jmp.&MFC42.#800_CString::~CString>
0065989E |. 83FE 1F cmp esi, 1F
006598A1 |. 0F85 C5000000 jnz 0065996C ; ---> /0F84 C5000000 je 0065996C
006598A7 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
006598AB |. C68424 E4010000 0B mov byte ptr [esp+1E4], 0B
006598B3 |. E8 7C542700 call <jmp.&MFC42.#800_CString::~CString>
006598B8 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
006598BC |. C68424 E4010000 05 mov byte ptr [esp+1E4], 5
006598C4 |. E8 6B542700 call <jmp.&MFC42.#800_CString::~CString>
006598C9 |. 8D4C24 30 lea ecx, dword ptr [esp+30]
006598CD |. C68424 E4010000 04 mov byte ptr [esp+1E4], 4
006598D5 |. E8 5A542700 call <jmp.&MFC42.#800_CString::~CString>
006598DA |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
006598DE |. 889C24 E4010000 mov byte ptr [esp+1E4], bl
006598E5 |. E8 4A542700 call <jmp.&MFC42.#800_CString::~CString>
006598EA |. 8D4C24 40 lea ecx, dword ptr [esp+40]
006598EE |. C68424 E4010000 01 mov byte ptr [esp+1E4], 1
006598F6 |. E8 39542700 call <jmp.&MFC42.#800_CString::~CString>
006598FB |. 8D4C24 20 lea ecx, dword ptr [esp+20]
006598FF |. C68424 E4010000 00 mov byte ptr [esp+1E4], 0
00659907 |. E8 28542700 call <jmp.&MFC42.#800_CString::~CString>
0065990C |. 8D4C24 18 lea ecx, dword ptr [esp+18]
00659910 |. C78424 E4010000 FFFFFFFF mov dword ptr [esp+1E4], -1
0065991B |. E8 14542700 call <jmp.&MFC42.#800_CString::~CString>
00659920 |. 33C0 xor eax, eax
00659922 |. E9 D9120000 jmp 0065AC00
00659927 |> 68 D0E49A00 push 009AE4D0 ; 666
.....................................
0065AB84 |> 8D4C24 24 lea ecx, dword ptr [esp+24]
0065AB88 |. C68424 E4010000 0B mov byte ptr [esp+1E4], 0B
0065AB90 |. E8 9F412700 call <jmp.&MFC42.#800_CString::~CString>
0065AB95 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
0065AB99 |. C68424 E4010000 05 mov byte ptr [esp+1E4], 5
0065ABA1 |. E8 8E412700 call <jmp.&MFC42.#800_CString::~CString>
0065ABA6 |. 8D4C24 30 lea ecx, dword ptr [esp+30]
0065ABAA |. C68424 E4010000 04 mov byte ptr [esp+1E4], 4
0065ABB2 |. E8 7D412700 call <jmp.&MFC42.#800_CString::~CString>
0065ABB7 |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
0065ABBB |. 889C24 E4010000 mov byte ptr [esp+1E4], bl
0065ABC2 |. E8 6D412700 call <jmp.&MFC42.#800_CString::~CString>
0065ABC7 |. 8D4C24 40 lea ecx, dword ptr [esp+40]
0065ABCB |. C68424 E4010000 01 mov byte ptr [esp+1E4], 1
0065ABD3 |. E8 5C412700 call <jmp.&MFC42.#800_CString::~CString>
0065ABD8 |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0065ABDC |. C68424 E4010000 00 mov byte ptr [esp+1E4], 0
0065ABE4 |. E8 4B412700 call <jmp.&MFC42.#800_CString::~CString>
0065ABE9 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0065ABED |. C78424 E4010000 FFFFFFFF mov dword ptr [esp+1E4], -1
0065ABF8 |. E8 37412700 call <jmp.&MFC42.#800_CString::~CString>
0065ABFD |. 83C8 FF or eax, FFFFFFFF
0065AC00 |> 8B8C24 DC010000 mov ecx, dword ptr [esp+1DC]
0065AC07 |. 5F pop edi
0065AC08 |. 5E pop esi
0065AC09 |. 5D pop ebp
0065AC0A |. 64:890D 00000000 mov dword ptr fs:[0], ecx
0065AC11 |. 5B pop ebx
0065AC12 |. 81C4 D8010000 add esp, 1D8
0065AC18 \. C3 retn
-------------------------------------------------------------
The jump at 006598A1 is the key jump; if it is not taken, the registration check passes. Patching it as shown above removes the limit, and the crack succeeds!
4.0 Cleanup:
Done. Make the change in OD, then right-click > Copy to executable > All modifications > Copy all; in the window that pops up, right-click > Save file > rename > save.
OK! All done! Half a byte settles the fight, time to knock off!
--------------------------------------------------------------------------------
【Lessons learned】
This is the fifth crack write-up from a growing newbie. Analyzing the flow of the key routine is very important; it determines whether you can find the key jump. Once the key jump is found, patching becomes very simple. Just a small insight I would like to share; experts, please do not laugh!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the PEDIY (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
2008.02.18