Target: 传家宝管理程序 V2.021 (an "heirloom management" program)
Steps:
1. Detect the packer with PEiD v0.92.
2. The packer reported is ASPack 2.12 -> Alexey Solodovnikov.
3. After unpacking with ASPackDie, the file is reported as written in Borland Delphi 6.0 - 7.0.
4. Run the unpacked program (Unpacked); it shows "这是无效的注册码,联系我们得到正确注册码!" ("This is an invalid registration code, contact us for the correct one!").
5. Load Unpacked in OllyDbg (OD) and search for the ASCII string "这是无效的注册码,联系我们得到正确注册码!".
6. Double-click "这是无效的注册码,联系我们得到正确注册码!" to land at:
00530EC7 |> \6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 1 of switch 00530E4B
00530EC9 |. 68 C00F5300 PUSH Unpacked.00530FC0 ; |Title = "注册码错误"
00530ECE |. 68 CC0F5300 PUSH Unpacked.00530FCC ; |Text = "这是无效的注册码,联系我们得到正确注册码!"
00530ED3 |. 6A 00 PUSH 0 ; |hOwner = NULL
00530ED5 |. E8 BA71EDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00530EDA |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00530EDD |. 8BC3 MOV EAX,EBX
00530EDF |. E8 08FDFFFF CALL Unpacked.00530BEC
00530EE4 |. 83F8 02 CMP EAX,2
00530EE7 |. 74 71 JE SHORT Unpacked.00530F5A
00530EE9 |. B2 01 MOV DL,1
7. Scroll up, and you see:
00530E30 /. 55 PUSH EBP
00530E31 |. 8BEC MOV EBP,ESP
00530E33 |. 6A 00 PUSH 0
00530E35 |. 6A 00 PUSH 0
00530E37 |. 6A 00 PUSH 0
00530E39 |. 53 PUSH EBX
00530E3A |. 56 PUSH ESI
00530E3B |. 8BD8 MOV EBX,EAX
00530E3D |. 33C0 XOR EAX,EAX
00530E3F |. 55 PUSH EBP
00530E40 |. 68 810F5300 PUSH Unpacked.00530F81
00530E45 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00530E48 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00530E4B |. 80E9 01 SUB CL,1 ; Switch (cases 0..6)
00530E4E |. 72 19 JB SHORT Unpacked.00530E69
Key jump: goes to the normal execution path
00530E50 |. 74 75 JE SHORT Unpacked.00530EC7
Key jump: take it and you're dead
00530E52 |. 80E9 02 SUB CL,2
00530E55 |. 0F84 CE000000 JE Unpacked.00530F29
Key jump: goes to "trial expired"
00530E5B |. 80E9 03 SUB CL,3
00530E5E |. 0F84 94000000 JE Unpacked.00530EF8
Key jump: goes to "trial expired"
00530E64 |. E9 F1000000 JMP Unpacked.00530F5A
00530E69 |> 8B83 58030000 MOV EAX,DWORD PTR DS:[EBX+358] ; Case 0 of switch 00530E4B
00530E6F |. E8 9C4FFAFF CALL Unpacked.004D5E10
00530E74 |. 8BF0 MOV ESI,EAX
00530E76 |. 83FE 0A CMP ESI,0A
00530E79 |. 7E 15 JLE SHORT Unpacked.00530E90
Jumps to the display of the remaining trial days
00530E7B |. BA 980F5300 MOV EDX,Unpacked.00530F98
00530E80 |. 8B83 60030000 MOV EAX,DWORD PTR DS:[EBX+360]
00530E86 |. E8 DD87F2FF CALL Unpacked.00459668
00530E8B |. E9 D6000000 JMP Unpacked.00530F66
00530E90 |> 68 A80F5300 PUSH Unpacked.00530FA8
00530E95 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00530E98 |. 8BC6 MOV EAX,ESI
00530E9A |. E8 218FEDFF CALL Unpacked.00409DC0
00530E9F |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
00530EA2 |. 68 BC0F5300 PUSH Unpacked.00530FBC
00530EA7 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00530EAA |. BA 03000000 MOV EDX,3
00530EAF |. E8 A041EDFF CALL Unpacked.00405054
00530EB4 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00530EB7 |. 8B83 60030000 MOV EAX,DWORD PTR DS:[EBX+360]
00530EBD |. E8 A687F2FF CALL Unpacked.00459668
00530EC2 |. E9 9F000000 JMP Unpacked.00530F66
00530EC7 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 1 of switch 00530E4B
Right-click > Go to > JE from 00530E50
00530EC9 |. 68 C00F5300 PUSH Unpacked.00530FC0 ; |Title = "注册码错误"
00530ECE |. 68 CC0F5300 PUSH Unpacked.00530FCC ; |Text = "这是无效的注册码,联系我们得到正确注册码!"
00530ED3 |. 6A 00 PUSH 0 ; |hOwner = NULL
00530ED5 |. E8 BA71EDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00530EDA |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00530EDD |. 8BC3 MOV EAX,EBX
00530EDF |. E8 08FDFFFF CALL Unpacked.00530BEC
00530EE4 |. 83F8 02 CMP EAX,2
00530EE7 |. 74 71 JE SHORT Unpacked.00530F5A
00530EE9 |. B2 01 MOV DL,1
00530EEB |. 8B83 58030000 MOV EAX,DWORD PTR DS:[EBX+358]
00530EF1 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00530EF3 |. FF51 30 CALL DWORD PTR DS:[ECX+30]
00530EF6 |. EB 6E JMP SHORT Unpacked.00530F66
00530EF8 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 6 of switch 00530E4B
00530EFA |. 68 F80F5300 PUSH Unpacked.00530FF8 ; |Title = "试用到期"
00530EFF |. 68 04105300 PUSH Unpacked.00531004 ; |Text = "你的试用已经到期,联系我们注册本软件!"
00530F04 |. 6A 00 PUSH 0 ; |hOwner = NULL
00530F06 |. E8 8971EDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00530F0B |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00530F0E |. 8BC3 MOV EAX,EBX
00530F10 |. E8 D7FCFFFF CALL Unpacked.00530BEC
00530F15 |. 83F8 02 CMP EAX,2
00530F18 |. 74 40 JE SHORT Unpacked.00530F5A
00530F1A |. B2 01 MOV DL,1
00530F1C |. 8B83 58030000 MOV EAX,DWORD PTR DS:[EBX+358]
00530F22 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00530F24 |. FF51 30 CALL DWORD PTR DS:[ECX+30]
00530F27 |. EB 3D JMP SHORT Unpacked.00530F66
00530F29 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 3 of switch 00530E4B
00530F2B |. 68 F80F5300 PUSH Unpacked.00530FF8 ; |Title = "试用到期"
00530F30 |. 68 04105300 PUSH Unpacked.00531004 ; |Text = "你的试用已经到期,联系我们注册本软件!"
00530F35 |. 6A 00 PUSH 0 ; |hOwner = NULL
00530F37 |. E8 5871EDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00530F3C |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00530F3F |. 8BC3 MOV EAX,EBX
00530F41 |. E8 A6FCFFFF CALL Unpacked.00530BEC
00530F46 |. 83F8 02 CMP EAX,2
00530F49 |. 74 0F JE SHORT Unpacked.00530F5A
00530F4B |. B2 01 MOV DL,1
00530F4D |. 8B83 58030000 MOV EAX,DWORD PTR DS:[EBX+358]
00530F53 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00530F55 |. FF51 30 CALL DWORD PTR DS:[ECX+30]
00530F58 |. EB 0C JMP SHORT Unpacked.00530F66
00530F5A |> A1 E8585300 MOV EAX,DWORD PTR DS:[5358E8] ; Default case of switch 00530E4B
00530F5F |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00530F61 |. E8 AA84F4FF CALL Unpacked.00479410
00530F66 |> 33C0 XOR EAX,EAX
00530F68 |. 5A POP EDX
00530F69 |. 59 POP ECX
00530F6A |. 59 POP ECX
00530F6B |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00530F6E |. 68 880F5300 PUSH Unpacked.00530F88
00530F73 |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00530F76 |. BA 03000000 MOV EDX,3
00530F7B |. E8 783DEDFF CALL Unpacked.00404CF8
00530F80 \. C3 RETN
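To make the dispatch above easier to read, here is an added example (my own code, not part of the original write-up) in Python: a small parser for OllyDbg-style listing lines that walks the SUB CL,n / JB / JE / JMP chain starting at 00530E4B, reconstructs which case value reaches which block, and pairs each block with the MessageBoxA title annotated in it. The listing embedded in the script is a constructed subset of the lines shown above; all function and variable names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the OllyDbg listing lines from the
# write-up above (the dispatch chain plus the head of each case block).
LISTING = """\
00530E4B |. 80E9 01 SUB CL,1 ; Switch (cases 0..6)
00530E4E |. 72 19 JB SHORT Unpacked.00530E69
00530E50 |. 74 75 JE SHORT Unpacked.00530EC7
00530E52 |. 80E9 02 SUB CL,2
00530E55 |. 0F84 CE000000 JE Unpacked.00530F29
00530E5B |. 80E9 03 SUB CL,3
00530E5E |. 0F84 94000000 JE Unpacked.00530EF8
00530E64 |. E9 F1000000 JMP Unpacked.00530F5A
00530E69 |> 8B83 58030000 MOV EAX,DWORD PTR DS:[EBX+358] ; Case 0 of switch 00530E4B
00530E6F |. E8 9C4FFAFF CALL Unpacked.004D5E10
00530E90 |> 68 A80F5300 PUSH Unpacked.00530FA8
00530EC7 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 1 of switch 00530E4B
00530EC9 |. 68 C00F5300 PUSH Unpacked.00530FC0 ; |Title = "注册码错误"
00530ECE |. 68 CC0F5300 PUSH Unpacked.00530FCC ; |Text = "这是无效的注册码,联系我们得到正确注册码!"
00530EF8 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 6 of switch 00530E4B
00530EFA |. 68 F80F5300 PUSH Unpacked.00530FF8 ; |Title = "试用到期"
00530F29 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL; Case 3 of switch 00530E4B
00530F2B |. 68 F80F5300 PUSH Unpacked.00530FF8 ; |Title = "试用到期"
00530F5A |> A1 E8585300 MOV EAX,DWORD PTR DS:[5358E8] ; Default case of switch 00530E4B
00530F66 |> 33C0 XOR EAX,EAX
"""

# A listing line is: address, marker ('|>' marks a jump target), hex opcode
# bytes (optionally prefix-separated, e.g. 64:FF30), mnemonic, operands, and
# an optional '; comment'.
HEX_BYTES = re.compile(r"^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$")
TARGET = re.compile(r"([0-9A-F]{8})$")
TITLE = re.compile(r'Title = "(.*?)"')


@dataclass
class Insn:
    addr: int
    label: bool        # True when the line is a jump target ('|>')
    mnemonic: str
    operands: str
    comment: str


def parse_listing(text):
    """Parse listing lines into Insn records, skipping blank or unparseable lines."""
    insns = []
    for raw in text.splitlines():
        code, _, comment = raw.strip().partition(";")
        tokens = code.split()
        if len(tokens) < 3:
            continue
        # Opcode bytes are even-length hex groups; the first other token is the
        # mnemonic (an all-hex mnemonic such as FADD would confuse this simple
        # rule, but none occurs in this listing).
        i = 2
        while i < len(tokens) and HEX_BYTES.match(tokens[i]):
            i += 1
        if i >= len(tokens):
            continue
        insns.append(Insn(int(tokens[0], 16), tokens[1].endswith(">"),
                          tokens[i], " ".join(tokens[i + 1:]), comment.strip()))
    return insns


def target_of(ins):
    """Branch target of an operand such as 'SHORT Unpacked.00530E69'."""
    return int(TARGET.search(ins.operands).group(1), 16)


def recover_switch(insns, start_addr):
    """Walk the SUB CL,n / JB / JE / JMP chain at start_addr.

    The compiler emitted this 'case' as successive subtractions: after each
    SUB CL,n the running total 'acc' is the case value a following JE selects,
    and a JB catches the values between the previous total and the new one.
    Returns {case value or 'default': target address}.
    """
    index = {ins.addr: k for k, ins in enumerate(insns)}
    cases, prev, acc = {}, 0, 0
    for ins in insns[index[start_addr]:]:
        if ins.mnemonic == "SUB" and ins.operands.startswith("CL,"):
            prev, acc = acc, acc + int(ins.operands.split(",")[1], 16)
        elif ins.mnemonic == "JB":
            for value in range(prev, acc):
                cases[value] = target_of(ins)
        elif ins.mnemonic == "JE":
            cases[acc] = target_of(ins)
        elif ins.mnemonic == "JMP":
            cases["default"] = target_of(ins)
            break
        else:
            break
    return cases


def block_title(insns, addr):
    """MessageBoxA title annotated inside the basic block starting at addr, if any."""
    index = {ins.addr: k for k, ins in enumerate(insns)}
    if addr not in index:
        return None
    for j, ins in enumerate(insns[index[addr]:]):
        if j > 0 and ins.label:   # reached the next jump target: block ended
            return None
        m = TITLE.search(ins.comment)
        if m:
            return m.group(1)
    return None


def switch_summary(text, start_addr):
    """Case value -> (target address as 8-digit hex, message box title or None)."""
    insns = parse_listing(text)
    return {c: (f"{t:08X}", block_title(insns, t))
            for c, t in recover_switch(insns, start_addr).items()}


if __name__ == "__main__":
    for case, (target, title) in sorted(switch_summary(LISTING, 0x00530E4B).items(), key=str):
        print(f"case {case!s:>7} -> {target}  {title or '(no message box)'}")
```

Running it prints one line per case: case 0 goes to the remaining-days block, cases 3 and 6 both end in the "试用到期" box, case 1 ends in the "注册码错误" box, and everything else falls through to the default block at 00530F5A, which matches OllyDbg's own "Case N of switch 00530E4B" annotations.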
8. Time to operate. My skills are limited and I could not trace the registration algorithm, so I change
00530E4E |. 72 19 JB SHORT Unpacked.00530E69
to
00530E4E |. EB 19 JMP SHORT Unpacked.00530E69
It now runs, but shows as a trial version with 0 days remaining; that does not affect use, but it is not pretty, so I also change
00530E79 |. 7E 15 JLE SHORT Unpacked.00530E90
to
00530E79 |. 90 NOP
00530E7A |. 90 NOP
That completes the modification!
Old version of the management program: DgManageOLD.rar
Database file (extract into the same directory): sjk.rar