Watch me crack Internet Download Manager 5.17
[Tools used] OD, PEiD [Debugging environment] Win2K3 SP2
[Target program] Internet Download Manager 5.17
[Download link] http://www.internetdownloadmanager.com
[Source] http://zzm139138.blog.163.com
[Written by] Kernel2008
[Note] Original content; please credit the source when reposting, thanks!
Check for a packer with PEiD:
Microsoft Visual C++ 6.0
So the program is not packed and was written in VC. Scan for known algorithms with the PEiD plugin (see figure):
Now crack it by tracing back from the error message:
Load the target program in OD and press F9 so it is running, then open the registration dialog and enter arbitrary registration info, making sure the format is correct.
After clicking the register button an error message appears. Good: press F12 to pause and Alt+K to show the call stack, as follows:
Address Stack Procedure / arguments Called from Frame
0012B560 77E2BF53 Includes ntdll.KiFastSystemCallRet USER32.77E2BF51 0012B594
0012B564 77E2610A USER32.WaitMessage USER32.77E26105 0012B594
0012B598 77E1965E USER32.77E26023 USER32.77E19659 0012B594
0012B5C0 77E2F762 USER32.77E195A8 USER32.77E2F75D 0012B5BC
0012B880 77E2F047 USER32.SoftModalMessageBox USER32.77E2F042 0012B87C
0012B9D0 77E2EEC9 USER32.77E2EED2 USER32.77E2EEC4 0012B9CC
0012BA28 77E67D0D USER32.MessageBoxTimeoutW USER32.77E67D08 0012BA24
0012BA5C 77E542C8 ? USER32.MessageBoxTimeoutA USER32.77E542C3 0012BA58
0012BA7C 77E542A4 ? USER32.MessageBoxExA USER32.77E5429F 0012BA78
0012BA80 001405EE hOwner = 001405EE ('Internet Downl
0012BA84 00EBC600 Text = "You have entered incorrect
0012BA88 005D0FB8 Title = "Internet Download Manager
0012BA8C 00000000 Style = MB_OK|MB_APPLMODAL
0012BA90 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012BA98 0054C0B6 ? USER32.MessageBoxA IDMan.0054C0B0 0012BA94
0012BA9C 001405EE hOwner = 001405EE ('Internet Downl
0012BAA0 00EBC600 Text = "You have entered incorrect
0012BAA4 005D0FB8 Title = "Internet Download Manager
0012BAA8 00000000 Style = MB_OK|MB_APPLMODAL
0012BAB0 004AF3A7 ? IDMan.0054C088 IDMan.004AF3A2 // the call is made from here.
0012BAB4 00EBC600 Arg1 = 00EBC600 ASCII "You have en
0012BAB8 005D0FB8 Arg2 = 005D0FB8 ASCII "Internet Do
0012BABC 00000000 Arg3 = 00000000
This lands at the following code:
004AF3A0|> /8BCB MOV ECX,EBX
004AF3A2|> |E8 E1CC0900 CALL IDMan.0054C088
004AF3A7|. |8B4D F4 MOV ECX,DWORD PTR SS:
004AF3AA|. |64:890D 00000>MOV DWORD PTR FS:,ECX
Note OD's hint:
0054C088=IDMan.0054C088
Jump from 004AF67D, 004AF6F4, 004AF78D
Note: the program must not be allowed to reach this point via the jumps from 004AF67D, 004AF6F4 or 004AF78D, so watch for them while tracing downward!
Looking upward, there is a conditional jump just before it; set a breakpoint there (as follows):
004AF38F|.85C0 TEST EAX,EAX
004AF391|.75 25 JNZ SHORT IDMan.004AF3B8 // the jump in question
004AF393|.8B0D 705B5F00 MOV ECX,DWORD PTR DS:
004AF399|.50 PUSH EAX
004AF39A|.68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF39F|>51 PUSH ECX
004AF3A0|>8BCB MOV ECX,EBX
004AF3A2|>E8 E1CC0900 CALL IDMan.0054C088
004AF3A7|.8B4D F4 MOV ECX,DWORD PTR SS:
004AF3AA|.64:890D 00000>MOV DWORD PTR FS:,ECX
Press F9 again and click register again; it breaks at the jump at 004AF391, which is taken. Trace downward with F8:
004AF391 /75 25 JNZ SHORT IDMan.004AF3B8
004AF393 |8B0D 705B5F00 MOV ECX,DWORD PTR DS:
004AF3CD 85C0 TEST EAX,EAX
004AF3CF 75 0E JNZ SHORT IDMan.004AF3DF ; change to JMP so the unconditional JMP below is never reached.
004AF3D1 50 PUSH EAX
004AF3D2 A1 6C5B5F00 MOV EAX,DWORD PTR DS:
004AF3D7 68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF3DC 50 PUSH EAX
004AF3DD ^ EB C1 JMP SHORT IDMan.004AF3A0
004AF3DF 8D8D F4FEFFFF LEA ECX,DWORD PTR SS:
004AF3E5 6A 32 PUSH 32 ; /Arg3 = 00000032
004AF3E7 51 PUSH ECX ; |Arg2
004AF3E8 68 A5040000 PUSH 4A5 ; |Arg1 = 000004A5
004AF3ED 8BCB MOV ECX,EBX ; |
004AF3EF E8 3DE60900 CALL IDMan.0054DA31 ; IDMan.0054DA31
004AF3F4 85C0 TEST EAX,EAX
004AF3F6 75 0F JNZ SHORT IDMan.004AF407 ;为不让下面的JMP无条件跳转实现,这里改为JMP.
004AF3F8 8B15 685B5F00 MOV EDX,DWORD PTR DS:
004AF3FE 50 PUSH EAX
004AF3FF 68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF404 52 PUSH EDX
004AF405 ^ EB 99 JMP SHORT IDMan.004AF3A0
004AF407 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:
004AF40D 6A 32 PUSH 32 ; /Arg3 = 00000032
004AF40F 50 PUSH EAX ; |Arg2
004AF410 68 AA040000 PUSH 4AA ; |Arg1 = 000004AA
004AF415 8BCB MOV ECX,EBX ; |
004AF417 E8 15E60900 CALL IDMan.0054DA31 ; IDMan.0054DA31
004AF41C 85C0 TEST EAX,EAX
004AF41E 75 11 JNZ SHORT IDMan.004AF431 ;为不让下面的JMP无条件跳转实现,这里改为JMP.
004AF420 8B0D 645B5F00 MOV ECX,DWORD PTR DS:
004AF426 50 PUSH EAX
004AF427 68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF42C ^ E9 6EFFFFFF JMP IDMan.004AF39F
004AF4A7 75 12 JNZ SHORT IDMan.004AF4BB ;为不让下面的JMP无条件跳转实现,这里改为JMP.
004AF4A9 8B0D 605B5F00 MOV ECX,DWORD PTR DS:
004AF4AF 6A 00 PUSH 0
004AF4B1 68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF4B6 ^ E9 E4FEFFFF JMP IDMan.004AF39F
004AF509 F7D1 NOT ECX
004AF50B 49 DEC ECX
004AF50C 83F9 17 CMP ECX,17
004AF50F ^ 75 98 JNZ SHORT IDMan.004AF4A9 ; this one is the key: it must not be taken.
004AF511 8A4D 81 MOV CL,BYTE PTR SS:
004AF514 8845 EF MOV BYTE PTR SS:,AL
004AF517 B0 2D MOV AL,2D
004AF519 3AC8 CMP CL,AL
************************************************************
004AF631 33FF XOR EDI,EDI
004AF633 33F6 XOR ESI,ESI
004AF635 83FE 05 CMP ESI,5
004AF638 7D 2B JGE SHORT IDMan.004AF665 ; change to JMP here: the loop below jumps into the error message, so skip the loop
004AF63A 8A5435 B0 MOV DL,BYTE PTR SS:
004AF63E 83C9 FF OR ECX,FFFFFFFF
004AF641 33C0 XOR EAX,EAX
004AF643 83F8 24 /CMP EAX,24
004AF646 7D 0A |JGE SHORT IDMan.004AF652
004AF648 3890 34545F00 |CMP BYTE PTR DS:,DL
004AF64E 75 12 |JNZ SHORT IDMan.004AF662
004AF650 8BC8 |MOV ECX,EAX
004AF652 83F9 FF |CMP ECX,-1
004AF655 74 15 |JE SHORT IDMan.004AF66C ; looking further down, if this is taken it jumps to the error message, so the loop is dropped (skipped above)
004AF657 8D04FF |LEA EAX,DWORD PTR DS:
004AF65A 03CF |ADD ECX,EDI
004AF65C 46 |INC ESI
004AF65D 8D3C81 |LEA EDI,DWORD PTR DS:
004AF660 ^ EB D3 |JMP SHORT IDMan.004AF635
004AF662 40 |INC EAX
004AF663 ^ EB DE JMP SHORT IDMan.004AF643
004AF665 8A45 EF MOV AL,BYTE PTR SS:
004AF668 84C0 TEST AL,AL
004AF66A 74 16 JE SHORT IDMan.004AF682 ; change to JMP so the unconditional JMP below is never reached.
004AF66C 8B0D 605B5F00 MOV ECX,DWORD PTR DS:
004AF672 6A 00 PUSH 0
004AF674 68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF679 51 PUSH ECX
004AF67A 8B4D C8 MOV ECX,DWORD PTR SS:
004AF67D ^ E9 20FDFFFF JMP IDMan.004AF3A2
004AF6D4 85D2 TEST EDX,EDX
004AF6D6 75 0B JNZ SHORT IDMan.004AF6E3 ; NOP out these two jumps so the unconditional jump below to the error message is never reached
004AF6D8 85FF TEST EDI,EDI
004AF6DA 74 07 JE SHORT IDMan.004AF6E3
004AF6DC 8A45 EF MOV AL,BYTE PTR SS:
004AF6DF 84C0 TEST AL,AL
004AF6E1 74 16 JE SHORT IDMan.004AF6F9 ; change to JMP so the unconditional JMP below is never reached.
004AF6E3 8B15 605B5F00 MOV EDX,DWORD PTR DS:
004AF6E9 8B4D C8 MOV ECX,DWORD PTR SS:
004AF6EC 6A 00 PUSH 0
004AF6EE 68 B80F5D00 PUSH IDMan.005D0FB8 ;ASCII "Internet Download Manager"
004AF6F3 52 PUSH EDX
004AF6F4 ^ E9 A9FCFFFF JMP IDMan.004AF3A2
004AF6F9 8D45 C4 LEA EAX,DWORD PTR SS:
004AF6FC 6A 00 PUSH 0 ; /pDisposition = NULL
004AF6FE 50 PUSH EAX ; |pHandle
004AF6FF 6A 00 PUSH 0 ; |pSecurity = NULL
004AF701 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004AF706 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
004AF708 6A 00 PUSH 0 ; |Class = NULL
004AF70A 6A 00 PUSH 0 ; |Reserved = 0
004AF70C 68 A00D5D00 PUSH IDMan.005D0DA0 ; |Subkey = "SOFTWARE\Internet Download Manager"
004AF711 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004AF716 FF15 0C505700 CALL DWORD PTR DS:[<&ADVAPI32.Reg>; RegCreateKeyExA
004AF71C 85C0 TEST EAX,EAX ; from here on the registration info is written to the registry
004AF71E 74 09 JE SHORT IDMan.004AF729
004AF720 8B0D E0505F00 MOV ECX,DWORD PTR DS:
004AF726 894D C4 MOV DWORD PTR SS:,ECX
004AF729 8DBD C0FEFFFF LEA EDI,DWORD PTR SS:
004AF72F 83C9 FF OR ECX,FFFFFFFF
004AF732 33C0 XOR EAX,EAX
004AF734 8B15 F4545F00 MOV EDX,DWORD PTR DS:
004AF73A F2:AE REPNE SCAS BYTE PTR ES:
004AF73C 8B35 08505700 MOV ESI,DWORD PTR DS:[<&ADVAPI32.>;ADVAPI32.RegSetValueExA
004AF742 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:
004AF748 F7D1 NOT ECX
004AF74A 51 PUSH ECX ; /BufSize
004AF74B 8B4D C4 MOV ECX,DWORD PTR SS: ; |
004AF74E 50 PUSH EAX ; |Buffer
004AF74F 6A 01 PUSH 1 ; |ValueType = REG_SZ
004AF751 6A 00 PUSH 0 ; |Reserved = 0
004AF753 52 PUSH EDX ; |ValueName => "FName"
004AF754 51 PUSH ECX ; |hKey
004AF755 FFD6 CALL ESI ; RegSetValueExA
004AF757 85C0 TEST EAX,EAX
004AF759 74 37 JE SHORT IDMan.004AF792 ; change to JMP, forcibly skipping the error message.
004AF75B 50 PUSH EAX
004AF75C 8D95 40FEFFFF LEA EDX,DWORD PTR SS:
004AF762 68 00645E00 PUSH IDMan.005E6400 ;ASCII "Reg err1 in CRgDlg::OnOk, err = %ld"
004AF767 52 PUSH EDX
004AF7BA 85C0 TEST EAX,EAX
004AF7BC 74 1A JE SHORT IDMan.004AF7D8 ; change to JMP, forcibly skipping the error message.
004AF7BE 50 PUSH EAX
004AF7BF 8D95 40FEFFFF LEA EDX,DWORD PTR SS:
004AF7C5 68 DC635E00 PUSH IDMan.005E63DC ;ASCII "Reg err2 in CRgDlg::OnOk, err = %ld"
004AF7CA 52 PUSH EDX
004AF800 85C0 TEST EAX,EAX
004AF802 74 1D JE SHORT IDMan.004AF821 ; change to JMP, forcibly skipping the error message.
004AF804 50 PUSH EAX
004AF805 8D95 40FEFFFF LEA EDX,DWORD PTR SS:
004AF80B 68 B8635E00 PUSH IDMan.005E63B8 ;ASCII "Reg err3 in CRgDlg::OnOk, err = %ld"
004AF810 52 PUSH EDX
004AF811 E8 B23D0800 CALL IDMan.005335C8
004AF849 85C0 TEST EAX,EAX
004AF84B 74 1D JE SHORT IDMan.004AF86A ; change to JMP, forcibly skipping the error message.
004AF84D 50 PUSH EAX
004AF84E 8D95 40FEFFFF LEA EDX,DWORD PTR SS:
004AF854 68 94635E00 PUSH IDMan.005E6394 ;ASCII "Reg err4 in CRgDlg::OnOk, err = %ld"
004AF859 52 PUSH EDX
004AF85A E8 693D0800 CALL IDMan.005335C8
004AF85F 8D85 40FEFFFF LEA EAX,DWORD PTR SS:
Press F9 to run. The register button is now greyed out and the functional limits are gone, but after restarting the program it is still unregistered, which shows that the software re-verifies the registration on restart.
From the earlier analysis we already know the registration info is saved in the registry, so search the registry to confirm; the result bears out the analysis.
Note: the registration info is saved under the SOFTWARE\Internet Download Manager key.
Reload the program in OD and set a breakpoint from the OD command line: bp RegOpenKeyExA. After pressing F9 N times we arrive at the call of interest (watch OD's stack window):
0012E50C 00429911 /CALL to RegOpenKeyExA from IDMan.0042990B
0012E510 80000002|hKey = HKEY_LOCAL_MACHINE
0012E514 00EC8D28 |Subkey = "SOFTWARE\Internet Download Manager"
0012E518 00000000|Reserved = 0
0012E51C 00000001|Access = KEY_QUERY_VALUE
0012E520 0012EE70 \pHandle = 0012EE70
Press Alt+F9 to return to the program's own code; now the tracing and analysis begin.
First search the strings with the OD plugin; from experience, I set an F2 breakpoint wherever an "Invalid serial number" string is referenced.
Return to the code below and trace downward with F8:
0042990B .FF15 04505700 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKeyEx>; RegOpenKeyExA
00429911 .85C0 TEST EAX,EAX
00429913 .BF 32000000 MOV EDI,32
00429918 .0F85 A8000000 JNZ IDMan.004299C6
0042991E .8B0D F4545F00 MOV ECX,DWORD PTR DS:
00429924 .8B35 00505700 MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegQueryV>;ADVAPI32.RegQueryValueExA
0042992A .8D55 E8 LEA EDX,DWORD PTR SS:
0042992D .8D85 ECFDFFFF LEA EAX,DWORD PTR SS:
00429933 .52 PUSH EDX ; /pBufSize
00429934 .8B55 EC MOV EDX,DWORD PTR SS: ; |
00429937 .50 PUSH EAX ; |Buffer
00429938 .6A 00 PUSH 0 ; |pValueType = NULL
0042993A .6A 00 PUSH 0 ; |Reserved = NULL
0042993C .51 PUSH ECX ; |ValueName => "FName"
004299EF .85C0 TEST EAX,EAX
004299F1 0F85 C6000000 JNZ IDMan.00429ABD ; jump not taken
004299F7 .84DB TEST BL,BL ; the first name is read below; the jump below must not be taken
004299F9 75 2A JNZ SHORT IDMan.00429A25 ; jump taken
004299FB .8B0D F4545F00 MOV ECX,DWORD PTR DS:
00429A01 .8D55 E8 LEA EDX,DWORD PTR SS:
00429A04 .8D85 ECFDFFFF LEA EAX,DWORD PTR SS:
00429A0A .52 PUSH EDX
00429A0B .8B55 EC MOV EDX,DWORD PTR SS:
00429A0E .50 PUSH EAX
00429A0F .6A 00 PUSH 0
00429A11 .6A 00 PUSH 0
00429A13 .51 PUSH ECX
00429A14 .52 PUSH EDX
00429A15 .897D E8 MOV DWORD PTR SS:,EDI
00429A18 .FFD6 CALL ESI
00429A1A .85C0 TEST EAX,EAX
00429A1C 74 07 JE SHORT IDMan.00429A25
00429A1E .C745 DC 05000>MOV DWORD PTR SS:,5
00429A25 >8A45 E2 MOV AL,BYTE PTR SS:
00429A28 .BB 05000000 MOV EBX,5
00429A2D .84C0 TEST AL,AL ; the last name is read below; the jump below must not be taken
00429A2F 75 26 JNZ SHORT IDMan.00429A57 ; jump taken
00429A31 .8B15 F0545F00 MOV EDX,DWORD PTR DS:
00429A37 .8D45 E8 LEA EAX,DWORD PTR SS:
00429A3A .8D8D 54FEFFFF LEA ECX,DWORD PTR SS:
00429A40 .50 PUSH EAX
00429A41 .8B45 EC MOV EAX,DWORD PTR SS:
00429A44 .51 PUSH ECX
00429A45 .6A 00 PUSH 0
00429A47 .6A 00 PUSH 0
00429A49 .52 PUSH EDX
00429A4A .50 PUSH EAX
00429A4B .897D E8 MOV DWORD PTR SS:,EDI
00429A4E .FFD6 CALL ESI
00429A50 .85C0 TEST EAX,EAX
00429A52 .74 03 JE SHORT IDMan.00429A57
00429A54 .895D DC MOV DWORD PTR SS:,EBX
00429A57 >8A45 E1 MOV AL,BYTE PTR SS:
00429A5A .84C0 TEST AL,AL ; the e-mail address is read below; the jump below must not be taken
00429A5C 75 25 JNZ SHORT IDMan.00429A83 ; jump taken
00429A5E .A1 EC545F00 MOV EAX,DWORD PTR DS:
00429A63 .8D4D E8 LEA ECX,DWORD PTR SS:
00429A66 .8D95 20FEFFFF LEA EDX,DWORD PTR SS:
00429A6C .51 PUSH ECX
00429A6D .8B4D EC MOV ECX,DWORD PTR SS:
00429A70 .52 PUSH EDX
00429A71 .6A 00 PUSH 0
00429A73 .6A 00 PUSH 0
00429A75 .50 PUSH EAX
00429A76 .51 PUSH ECX
00429A77 .897D E8 MOV DWORD PTR SS:,EDI
00429A7A .FFD6 CALL ESI
00429A7C .85C0 TEST EAX,EAX
00429A7E .74 03 JE SHORT IDMan.00429A83
00429A80 .895D DC MOV DWORD PTR SS:,EBX
00429A83 >8A45 E3 MOV AL,BYTE PTR SS:
00429A86 .84C0 TEST AL,AL ; the serial number is read below; the jump below must not be taken
00429A88 75 29 JNZ SHORT IDMan.00429AB3 ; originally taken; it must not be allowed to jump
00429A8A .8B0D F8545F00 MOV ECX,DWORD PTR DS:
00429A90 .8D55 E8 LEA EDX,DWORD PTR SS:
00429AA6 .85C0 TEST EAX,EAX
00429AA8 .74 05 JE SHORT IDMan.00429AAF
00429AAA .895D DC MOV DWORD PTR SS:,EBX
00429AAD .EB 04 JMP SHORT IDMan.00429AB3
00429AAF >C645 E3 01 MOV BYTE PTR SS:,1
00429AB3 >8B45 EC MOV EAX,DWORD PTR SS:
00429AB6 .50 PUSH EAX ; /hKey
00429AB7 .FF15 54505700 CALL DWORD PTR DS:[<&ADVAPI32.Reg>; RegCloseKey
00429ABD >8A5D E3 MOV BL,BYTE PTR SS:
00429AC0 .84DB TEST BL,BL
00429AC2 .74 2E JE SHORT IDMan.00429AF2
00429AC4 .8D7D 88 LEA EDI,DWORD PTR SS:
00429AC7 .83C9 FF OR ECX,FFFFFFFF
00429ACA .33C0 XOR EAX,EAX
00429ACC .F2:AE REPNE SCAS BYTE PTR ES:
00429ACE .F7D1 NOT ECX
00429AD0 .49 DEC ECX
00429AD1 .83F9 17 CMP ECX,17
00429AD4 75 1C JNZ SHORT IDMan.00429AF2 ; none of the jumps below may be taken; NOP them out.
00429AD6 .807D 8D 2D CMP BYTE PTR SS:,2D
00429ADA 75 16 JNZ SHORT IDMan.00429AF2 ; NOP out
00429ADC .807D 93 2D CMP BYTE PTR SS:,2D
00429AE0 75 10 JNZ SHORT IDMan.00429AF2 ; NOP out
00429AE2 .807D 99 2D CMP BYTE PTR SS:,2D
00429AE6 75 0A JNZ SHORT IDMan.00429AF2 ; NOP out
00429AE8 .C705 D83E5D00>MOV DWORD PTR DS:,0
00429AF2 >8D4D CC LEA ECX,DWORD PTR SS:
00429AF5 .E8 66360800 CALL IDMan.004AD160
00429AFA .8D4D BC LEA ECX,DWORD PTR SS:
00429AFD .C645 FC 02 MOV BYTE PTR SS:,2
00429B01 .E8 5A360800 CALL IDMan.004AD160
00429B06 .A1 D83E5D00 MOV EAX,DWORD PTR DS:
00429B0B .C645 FC 03 MOV BYTE PTR SS:,3
00429B0F .85C0 TEST EAX,EAX ; the jump below is taken; it must not be allowed to
00429B11 0F85 B3010000 JNZ IDMan.00429CCA
00429B17 .A1 D0505F00 MOV EAX,DWORD PTR DS:
00429B1C .8B15 B0575F00 MOV EDX,DWORD PTR DS:
00429B22 .8B3D 04505700 MOV EDI,DWORD PTR DS:[<&ADVAPI32.>;ADVAPI32.RegOpenKeyExA
00429B28 .8D4D EC LEA ECX,DWORD PTR SS:
00429B2B .F7D8 NEG EAX
00429B2D .51 PUSH ECX ; /pHandle
00429B2E .6A 01 PUSH 1 ; |Access = KEY_QUERY_VALUE
00429B30 .1BC0 SBB EAX,EAX ; |
00429B32 .6A 00 PUSH 0 ; |Reserved = 0
00429B34 .05 02000080 ADD EAX,80000002 ; |
00429B39 .52 PUSH EDX ; |Subkey => "Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}"
00429B3A .50 PUSH EAX ; |hKey
00429B3B .FFD7 CALL EDI ; RegOpenKeyExA
00429B3D .8BF0 MOV ESI,EAX
00429B3F .85F6 TEST ESI,ESI
00429B41 0F84 81000000 JE IDMan.00429BC8 ; originally taken; it must not be allowed to jump
00429B47 .83FE 02 CMP ESI,2
00429B4A .74 78 JE SHORT IDMan.00429BC4
00429B4C .8B0D AC065F00 MOV ECX,DWORD PTR DS: ;IDMan.005F06C0
00429B52 .894D E4 MOV DWORD PTR SS:,ECX
00429B55 .A1 D0505F00 MOV EAX,DWORD PTR DS:
00429B5A .C645 FC 04 MOV BYTE PTR SS:,4
00429B5E .85C0 TEST EAX,EAX ; the strings below are very suspicious, experience tells me ^_^
00429B60 .B8 74305D00 MOV EAX,IDMan.005D3074 ;current_user
00429B65 .75 05 JNZ SHORT IDMan.00429B6C
00429B67 .B8 6C305D00 MOV EAX,IDMan.005D306C ;machinecurrent_user
00429B6C >8B15 B0575F00 MOV EDX,DWORD PTR DS:
00429B72 .52 PUSH EDX
00429B73 .50 PUSH EAX
00429B74 .8D45 E4 LEA EAX,DWORD PTR SS: ; the string below is very suspicious, experience tells me ^_^
00429B77 .68 8C185D00 PUSH IDMan.005D188C ;%s%s
00429B7C .50 PUSH EAX
00429BEF .1BC0 SBB EAX,EAX
00429BF1 .40 INC EAX
00429BF2 .8945 E4 MOV DWORD PTR SS:,EAX
00429BF5 0F85 E8010000 JNZ IDMan.00429DE3 ; originally taken; it must not be allowed to jump
00429BFB >8D55 EC LEA EDX,DWORD PTR SS:
00429BFE .6A 00 PUSH 0 ; /pDisposition = NULL
00429C00 .8B35 0C505700 MOV ESI,DWORD PTR DS:[<&ADVAPI32.>; |ADVAPI32.RegCreateKeyExA
00429C06 .52 PUSH EDX ; |pHandle
00429C07 .6A 00 PUSH 0 ; |pSecurity = NULL
00429C09 .68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
00429C0E .6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
00429C10 .6A 00 PUSH 0 ; |Class = NULL
00429C12 .6A 00 PUSH 0 ; |Reserved = 0
00429C14 .68 24305D00 PUSH IDMan.005D3024 ; |software\classes\clsid\{d5b91409-a8ca-4973-9a0b-59f713d25671}
00429C19 .68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
00429C1E .FFD6 CALL ESI ; RegCreateKeyExA
00429C20 .85C0 TEST EAX,EAX
00429C22 74 7C JE SHORT IDMan.00429CA0 ; originally taken; it must not be allowed to jump
00429C24 .A1 AC065F00 MOV EAX,DWORD PTR DS:
00429C29 .8945 E4 MOV DWORD PTR SS:,EAX
00429C2C .68 24305D00 PUSH IDMan.005D3024 ;software\classes\clsid\{d5b91409-a8ca-4973-9a0b-59f713d25671}
00429C31 .8D4D E4 LEA ECX,DWORD PTR SS:
00429C34 .68 14305D00 PUSH IDMan.005D3014 ;current_user%ssoftwareclassesclsid{d5b91409-a8ca-4973-9a0b-59f713d25671}
00429C39 .51 PUSH ECX
00429C3A .C645 FC 05 MOV BYTE PTR SS:,5
00429C3E .E8 67D21100 CALL IDMan.00546EAA
00429C43 .8B55 E4 MOV EDX,DWORD PTR SS:
00429C46 .83C4 0C ADD ESP,0C
00429C49 .8D4D BC LEA ECX,DWORD PTR SS:
00429C4C .52 PUSH EDX
00429C4D .E8 BE350800 CALL IDMan.004AD210
00429C52 .85C0 TEST EAX,EAX
00429C54 75 11 JNZ SHORT IDMan.00429C67 ; originally taken; it must not be allowed to jump
00429C56 .8D4D E4 LEA ECX,DWORD PTR SS:
00429C59 .C645 FC 03 MOV BYTE PTR SS:,3
00429C5D .E8 32441200 CALL IDMan.0054E094
00429C62 .E9 74080000 JMP IDMan.0042A4DB
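The shape checks that the two listings above perform on the serial string, reconstructed in C as an added example (not code from the original post and not IDM's own code). It covers the length test (NOT ECX / DEC ECX / CMP ECX,17 at 004AF509 and 00429AD1), the three CMP ...,2D comparisons at 00429AD6..00429AE6, and the lookup loop at 004AF631..004AF663. The offsets 5, 11 and 17 follow from the buffer at [EBP-78] being compared at [EBP-73], [EBP-6D] and [EBP-67]; the 36-entry table at 005F5434 is not reproduced in the listing, so the alphabet below is a constructed placeholder of the right length. What the example makes visible is that everything checked at this stage is shape only (length, separators, character set), plus how the loop folds the first five characters into one number: LEA EAX,[EDI*8+EDI]; ADD ECX,EDI; LEA EDI,[ECX+EAX*4] computes EDI = idx + 37*EDI.

```c
#include <stdio.h>
#include <string.h>

/* Serial format seen in the disassembly: 0x17 = 23 bytes with '-' (0x2D)
 * at offsets 5, 11 and 17, i.e. four groups of five characters. */
#define SERIAL_LEN   0x17
#define ALPHABET_LEN 0x24   /* CMP EAX,24: the table holds 36 entries */

/* CONSTRUCTED placeholder: the real table at 005F5434 is not in the listing. */
static const char kAlphabet[ALPHABET_LEN + 1] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Mirrors 004AF509..004AF519 and 00429AD1..00429AE6: length must be 0x17
 * and the three separator positions must hold '-'.  Returns 1 if so. */
int serial_shape_ok(const char *s)
{
    if (strlen(s) != SERIAL_LEN)            /* NOT ECX / DEC ECX / CMP ECX,17 */
        return 0;
    return s[5] == '-' && s[11] == '-' && s[17] == '-';   /* CMP BYTE PTR [..],2D */
}

/* Inner loop 004AF643..004AF663: linear scan of the 36-entry table.
 * ECX is preset to -1 (OR ECX,FFFFFFFF) and set to EAX on a match. */
static int alphabet_index(char c)
{
    int idx = -1;
    for (int i = 0; i < ALPHABET_LEN; i++) {   /* CMP EAX,24 / JGE */
        if (kAlphabet[i] == c) {               /* CMP BYTE PTR [EAX+5F5434],DL */
            idx = i;                           /* MOV ECX,EAX */
            break;
        }
    }
    return idx;
}

/* Outer loop 004AF631..004AF660 over the first five characters (CMP ESI,5).
 * A -1 index takes the error branch (CMP ECX,-1 / JE 004AF66C); otherwise
 * the indices are folded as EDI = idx + 37*EDI.  Returns -1 on a bad char. */
long fold_first_group(const char *s)
{
    long acc = 0;                              /* XOR EDI,EDI */
    for (int i = 0; i < 5; i++) {
        int idx = alphabet_index(s[i]);        /* DL = [EBP+ESI-50] */
        if (idx < 0)
            return -1;
        acc = idx + 37 * acc;                  /* LEA/ADD/LEA sequence */
    }
    return acc;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, one too short, one with a
     * character outside the placeholder alphabet. */
    const char *samples[] = {
        "ABCDE-FGHIJ-KLMNO-PQRST",
        "ABCDE-FGHIJ-KLMNO-PQRS",
        "0000a-FGHIJ-KLMNO-PQRST",
    };
    for (int i = 0; i < 3; i++)
        printf("%-24s shape=%d fold=%ld\n", samples[i],
               serial_shape_ok(samples[i]), fold_first_group(samples[i]));
    return 0;
}
```

Nothing here tests authenticity: a string that passes these functions has only the right shape, which is why each failure branch in the listing is just one conditional jump into the same message box.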
Now press F9 to run; it breaks at the code below, which is the serial-number check (experience tells me ^_^; the breakpoint was set earlier):
00430F73 /74 4B JE SHORT IDMan.00430FC0
00430F75|. |8DB5 4CFEFFFF LEA ESI,DWORD PTR SS:[E>
00430F7B|. |8D45 90 LEA EAX,DWORD PTR SS:[E>
00430F7E|> |8A10 /MOV DL,BYTE PTR DS:[EA>
00430F80|. |8A1E |MOV BL,BYTE PTR DS:[ES>
00430F82|. |8ACA |MOV CL,DL
00430F84|. |3AD3 |CMP DL,BL
00430F86|. |75 1E |JNZ SHORT IDMan.00430F>
00430F88|. |84C9 |TEST CL,CL
00430F8A|. |74 16 |JE SHORT IDMan.00430FA>
00430F8C|. |8A50 01 |MOV DL,BYTE PTR DS:[EA>
00430F8F|. |8A5E 01 |MOV BL,BYTE PTR DS:[ES>
00430F92|. |8ACA |MOV CL,DL
00430F94|. |3AD3 |CMP DL,BL
00430F96|. |75 0E |JNZ SHORT IDMan.00430F>
00430F98|. |83C0 02 |ADD EAX,2
00430F9B|. |83C6 02 |ADD ESI,2
00430F9E|. |84C9 |TEST CL,CL
00430FA0|.^|75 DC JNZ SHORT IDMan.00430F>
00430FA2|> |33C0 XOR EAX,EAX
00430FA4|. |EB 05 JMP SHORT IDMan.00430FA>
00430FA6|> |1BC0 SBB EAX,EAX
00430FA8|. |83D8 FF SBB EAX,-1
00430FAB|> |85C0 TEST EAX,EAX
00430FAD |75 11 JNZ SHORT IDMan.00430FC> // this must not be taken, otherwise the serial number gets blocked; NOP it out.
00430FAF|. |8B4D F4 MOV ECX,DWORD PTR SS:[E>
00430FB2|. |64:890D 00000>MOV DWORD PTR FS:,EC>
00430FB9|. |5F POP EDI
00430FBA|. |5E POP ESI
00430FBB|. |5B POP EBX
00430FBC|. |8BE5 MOV ESP,EBP
00430FBE|. |5D POP EBP
00430FBF|. |C3 RETN
00430FC0|> 8DB5 4CFEFFFF LEA ESI,DWORD PTR SS:[E>
00430FC6|.B8 C0465D00 MOV EAX,IDMan.005D46C0;8rf~bncxfygftrtr43jklkwinvalid serial number or the serial number has been blockederror!
00430FCB|>8A10 /MOV DL,BYTE PTR DS:[EA>
Finally press F9 and the program runs straight through. Check the registration info again: registered, the register button is greyed out, and the features are unrestricted. Crack complete.
(PS: the cracked software is on my net disk; click here to download)
Wow
Looks a bit complicated; not for a newbie like me
Practising this
Very detailed, learning.
My eyes are swimming, but support anyway
Totally lost reading this, heh; learning takes time, I'll use the OP's finished product first
Very detailed, but the images don't show!
Learning, learning
One word: hard
This is really complicated
So much to learn