UltraISO破解手记
标 题: 【原创】UltraISO破解手记
作 者: 辩证唯心
时 间: 2010-02-24,02:02:20
链 接: http://bbs.pediy.com/showthread.php?t=107687
UltraISO后期的每个版本基本上都差不多,官网上下载的据传是什么加了白名单,红名单的版本,但即使
是相同版本的MD5值都不同,官网每天都更新。所以我们平时见得最多的就是注册机,注册码,什么李明
啊,王健啊等等,现在最新版的是V9.3.6.2750,好像以前的注册码不能用了,除非你下到的是没名单的
裸体版,手上没有,没办法,只好自己动手了。
首先到官网下载最新版本:
http://www.ezbsystems.com/dl1.php?file=uiso9_cn.exe
注意你下到的程序极可能和我的不一样,下面破文地址是不相同的,但大体思路都一样的。只要不太笨,
照样画葫芦就行了。闲话少说,转入正文:
用PEID检测了下,ASPACK的壳,很简单,用AspackDie.exe一下就解了出来,7.39M。然后OD载入,查找所
有参考文本字符串,这里可以多个选择,什么username,registration,uikey.ini,ultraiso.ini等,原因
?你以前用个注册版的ultraiso都会知道,username是注册表的用户名,,registration是注册码,另外
两个INI是KEYFILE。ultraiso是既可以注册表注册,也可以KEYFILE注册的,启动时是先检查有没有
keyfile,没有的话从注册表里去找注册码,再没有就变试用了。我们的目的很简单,能拦下来就行,反
正它们的代码都在一起。我用的是username来断,查找所有的username,F2都标上断点,F9运行OD,在这
里断下,注意代码可能不一样:
00471104/$55 push ebp
00471105|.8BEC mov ebp, esp
00471107|.81C4 C4FEFFFF add esp, -13C
0047110D|.68 E5ED6500 push 0065EDE5 ;ASCII "rt"
00471112|.FF75 08 push dword ptr
00471115|.E8 066E1B00 call 00627F20
0047111A|.83C4 08 add esp, 8
0047111D|.8945 E4 mov dword ptr , eax
00471120|.8B45 E4 mov eax, dword ptr
00471123|.85C0 test eax, eax
00471125|.75 07 jnz short 0047112E
00471127|.33C0 xor eax, eax
00471129|.E9 D9020000 jmp 00471407
0047112E|>8B55 0C mov edx, dword ptr
00471131|.C602 00 mov byte ptr , 0
00471134|.8B4D 10 mov ecx, dword ptr
00471137|.C601 00 mov byte ptr , 0
0047113A|.E9 85020000 jmp 004713C4
0047113F|>8A85 C4FEFFFF /mov al, byte ptr
00471145|.8845 FF |mov byte ptr , al
00471148|.8A55 FF |mov dl, byte ptr
0047114B|.80FA 23 |cmp dl, 23
0047114E|.0F84 70020000 |je 004713C4
00471154|.8A4D FF |mov cl, byte ptr
00471157|.80F9 3B |cmp cl, 3B
0047115A|.0F84 64020000 |je 004713C4
00471160|.8A45 FF |mov al, byte ptr
00471163|.3C 0D |cmp al, 0D
00471165|.0F84 59020000 |je 004713C4
0047116B|.8A55 FF |mov dl, byte ptr
0047116E|.80FA 0A |cmp dl, 0A
00471171|.0F84 4D020000 |je 004713C4
00471177|.33C9 |xor ecx, ecx
00471179|.894D F0 |mov dword ptr , ecx
0047117C|.EB 03 |jmp short 00471181
0047117E|>FF45 F0 |/inc dword ptr
00471181|>8B45 F0 | mov eax, dword ptr
00471184|.0FBE9405 C4FE>||movsx edx, byte ptr
0047118C|.83FA 20 ||cmp edx, 20
0047118F|.^ 74 ED ||je short 0047117E
00471191|.8B4D F0 ||mov ecx, dword ptr
00471194|.0FBE840D C4FE>||movsx eax, byte ptr
0047119C|.83F8 08 ||cmp eax, 8
0047119F|.^ 74 DD |\je short 0047117E
004711A1|.33D2 |xor edx, edx
004711A3|.8955 EC |mov dword ptr , edx
004711A6|.8B4D F0 |mov ecx, dword ptr
004711A9|.0FBE840D C4FE>|movsx eax, byte ptr
004711B1|.83F8 27 |cmp eax, 27
004711B4|.74 14 |je short 004711CA
004711B6|.8B55 F0 |mov edx, dword ptr
004711B9|.0FBE8C15 C4FE>|movsx ecx, byte ptr
004711C1|.83F9 22 |cmp ecx, 22
004711C4|.0F85 88000000 |jnz 00471252
004711CA|>8B45 F0 |mov eax, dword ptr
004711CD|.8A9405 C4FEFF>|mov dl, byte ptr
004711D4|.8855 F7 |mov byte ptr , dl
004711D7|.FF45 F0 |inc dword ptr
004711DA|.EB 17 |jmp short 004711F3
004711DC|>8B4D F0 |/mov ecx, dword ptr
004711DF|.8D840D C4FEFF>||lea eax, dword ptr
004711E6|.8B55 EC ||mov edx, dword ptr
004711E9|.8A0C10 ||mov cl, byte ptr
004711EC|.84C9 ||test cl, cl
004711EE|.74 1A ||je short 0047120A
004711F0|.FF45 EC ||inc dword ptr
004711F3|>8B45 F0 | mov eax, dword ptr
004711F6|.8D9405 C4FEFF>||lea edx, dword ptr
004711FD|.8B4D EC ||mov ecx, dword ptr
00471200|.8A040A ||mov al, byte ptr
00471203|.8A55 F7 ||mov dl, byte ptr
00471206|.3AC2 ||cmp al, dl
00471208|.^ 75 D2 |\jnz short 004711DC
0047120A|>8B4D F0 |mov ecx, dword ptr
0047120D|.8D840D C4FEFF>|lea eax, dword ptr
00471214|.8B55 EC |mov edx, dword ptr
00471217|.8A0C10 |mov cl, byte ptr
0047121A|.8A45 F7 |mov al, byte ptr
0047121D|.3AC8 |cmp cl, al
0047121F|.0F85 9F010000 |jnz 004713C4
00471225|.8B55 F0 |mov edx, dword ptr
00471228|.8D8C15 C4FEFF>|lea ecx, dword ptr
0047122F|.8B45 EC |mov eax, dword ptr
00471232|.C60401 00 |mov byte ptr , 0
00471236|.FF45 EC |inc dword ptr
00471239|.EB 17 |jmp short 00471252
0047123B|>8B55 F0 |/mov edx, dword ptr
0047123E|.8D8C15 C4FEFF>||lea ecx, dword ptr
00471245|.8B45 EC ||mov eax, dword ptr
00471248|.8A1401 ||mov dl, byte ptr
0047124B|.84D2 ||test dl, dl
0047124D|.74 19 ||je short 00471268
0047124F|.FF45 EC ||inc dword ptr
00471252|>8B4D F0 | mov ecx, dword ptr
00471255|.8D840D C4FEFF>||lea eax, dword ptr
0047125C|.8B55 EC ||mov edx, dword ptr
0047125F|.0FBE0C10 ||movsx ecx, byte ptr
00471263|.83F9 3D ||cmp ecx, 3D
00471266|.^ 75 D3 |\jnz short 0047123B
00471268|>8B45 F0 |mov eax, dword ptr
0047126B|.8D9405 C4FEFF>|lea edx, dword ptr
00471272|.8B4D EC |mov ecx, dword ptr
00471275|.0FBE040A |movsx eax, byte ptr
00471279|.83F8 3D |cmp eax, 3D
0047127C|.0F85 42010000 |jnz 004713C4
00471282|.8B55 F0 |mov edx, dword ptr
00471285|.8D8C15 C4FEFF>|lea ecx, dword ptr
0047128C|.8B45 EC |mov eax, dword ptr
0047128F|.C60401 00 |mov byte ptr , 0
00471293|.8B55 F0 |mov edx, dword ptr
00471296|.8B4D EC |mov ecx, dword ptr
00471299|.03D1 |add edx, ecx
0047129B|.8D85 C5FEFFFF |lea eax, dword ptr
004712A1|.03D0 |add edx, eax
004712A3|.8955 F8 |mov dword ptr , edx
004712A6|.8B55 F8 |mov edx, dword ptr
004712A9|.0FBE0A |movsx ecx, byte ptr
004712AC|.83F9 27 |cmp ecx, 27
004712AF|.74 0F |je short 004712C0
004712B1|.8B45 F8 |mov eax, dword ptr
004712B4|.0FBE10 |movsx edx, byte ptr
004712B7|.83FA 22 |cmp edx, 22
004712BA|.0F85 04010000 |jnz 004713C4
004712C0|>8B4D F8 |mov ecx, dword ptr
004712C3|.8A01 |mov al, byte ptr
004712C5|.8845 F7 |mov byte ptr , al
004712C8|.FF45 F8 |inc dword ptr
004712CB|.33D2 |xor edx, edx
004712CD|.8955 E8 |mov dword ptr , edx
004712D0|.EB 03 |jmp short 004712D5
004712D2|>FF45 E8 |/inc dword ptr
004712D5|>8B4D F8 | mov ecx, dword ptr
004712D8|.8B45 E8 ||mov eax, dword ptr
004712DB|.8A1401 ||mov dl, byte ptr
004712DE|.8A4D F7 ||mov cl, byte ptr
004712E1|.3AD1 ||cmp dl, cl
004712E3|.74 0D ||je short 004712F2
004712E5|.8B45 F8 ||mov eax, dword ptr
004712E8|.8B55 E8 ||mov edx, dword ptr
004712EB|.8A0C10 ||mov cl, byte ptr
004712EE|.84C9 ||test cl, cl
004712F0|.^ 75 E0 |\jnz short 004712D2
004712F2|>8B45 F8 |mov eax, dword ptr
004712F5|.8B55 E8 |mov edx, dword ptr
004712F8|.C60410 00 |mov byte ptr , 0
004712FC|.68 E8ED6500 |push 0065EDE8 ;ASCII "UserName"
OD载入后F9,在这里断下,继续F8运行至本CALL返回
00471301|.8D8D C4FEFFFF |lea ecx, dword ptr
00471307|.8B45 F0 |mov eax, dword ptr
0047130A|.03C8 |add ecx, eax
0047130C|.51 |push ecx
0047130D|.E8 32491B00 |call 00625C44
00471312|.83C4 08 |add esp, 8
00471315|.85C0 |test eax, eax
00471317|.75 13 |jnz short 0047132C
00471319|.FF75 F8 |push dword ptr
0047131C|.FF75 0C |push dword ptr
0047131F|.E8 24471B00 |call 00625A48
00471324|.83C4 08 |add esp, 8
00471327|.E9 98000000 |jmp 004713C4
0047132C|>68 F1ED6500 |push 0065EDF1 ;ASCII "Registration"
00471331|.8D95 C4FEFFFF |lea edx, dword ptr
00471337|.8B4D F0 |mov ecx, dword ptr
0047133A|.03D1 |add edx, ecx
0047133C|.52 |push edx
0047133D|.E8 02491B00 |call 00625C44
00471342|.83C4 08 |add esp, 8
00471345|.85C0 |test eax, eax
00471347|.75 10 |jnz short 00471359
00471349|.FF75 F8 |push dword ptr
0047134C|.FF75 10 |push dword ptr
0047134F|.E8 F4461B00 |call 00625A48
00471354|.83C4 08 |add esp, 8
00471357|.EB 6B |jmp short 004713C4
00471359|>68 FEED6500 |push 0065EDFE ;ASCII "Language"
0047135E|.8D85 C4FEFFFF |lea eax, dword ptr
00471364|.8B55 F0 |mov edx, dword ptr
00471367|.03C2 |add eax, edx
00471369|.50 |push eax
0047136A|.E8 D5481B00 |call 00625C44
0047136F|.83C4 08 |add esp, 8
00471372|.85C0 |test eax, eax
00471374|.75 1D |jnz short 00471393
00471376|.FF75 F8 |push dword ptr
00471379|.E8 C624F9FF |call 00403844
0047137E|.59 |pop ecx
0047137F|.8945 E0 |mov dword ptr , eax
00471382|.8B4D E0 |mov ecx, dword ptr
00471385|.85C9 |test ecx, ecx
00471387|.74 3B |je short 004713C4
00471389|.8B45 E0 |mov eax, dword ptr
0047138C|.A3 BCE66300 |mov dword ptr , eax
00471391|.EB 31 |jmp short 004713C4
00471393|>68 07EE6500 |push 0065EE07 ;ASCII "UltraBurn"
00471398|.8D95 C4FEFFFF |lea edx, dword ptr
0047139E|.8B4D F0 |mov ecx, dword ptr
004713A1|.03D1 |add edx, ecx
004713A3|.52 |push edx
004713A4|.E8 9B481B00 |call 00625C44
004713A9|.83C4 08 |add esp, 8
004713AC|.85C0 |test eax, eax
004713AE|.75 14 |jnz short 004713C4
004713B0|.8B45 F8 |mov eax, dword ptr
004713B3|.8945 DC |mov dword ptr , eax
004713B6|.FF75 DC |push dword ptr
004713B9|.E8 3AC41B00 |call 0062D7F8
004713BE|.59 |pop ecx
004713BF|.A3 504F6400 |mov dword ptr , eax
004713C4|>FF75 E4 push dword ptr
004713C7|.68 18010000 |push 118
004713CC|.8D95 C4FEFFFF |lea edx, dword ptr
004713D2|.52 |push edx
004713D3|.E8 84671B00 |call 00627B5C
004713D8|.83C4 0C |add esp, 0C
004713DB|.85C0 |test eax, eax
004713DD|.^ 0F85 5CFDFFFF \jnz 0047113F
004713E3|.FF75 E4 push dword ptr
004713E6|.E8 41661B00 call 00627A2C
004713EB|.59 pop ecx
004713EC|.8B4D 0C mov ecx, dword ptr
004713EF|.8A01 mov al, byte ptr
004713F1|.84C0 test al, al
004713F3|.74 10 je short 00471405
004713F5|.8B55 10 mov edx, dword ptr
004713F8|.8A0A mov cl, byte ptr
004713FA|.84C9 test cl, cl
004713FC|.74 07 je short 00471405
004713FE|.B8 01000000 mov eax, 1
00471403|.EB 02 jmp short 00471407
00471405|>33C0 xor eax, eax
00471407|>8BE5 mov esp, ebp
00471409|.5D pop ebp
0047140A\.C3 retn
这里返回到00471490|.E8 6FFCFFFF call 00471104
0047140C/$55 push ebp
0047140D|.8BEC mov ebp, esp
0047140F|.81C4 C8FBFFFF add esp, -438
00471415|.68 17EE6500 push 0065EE17 ;ASCII "uikey.ini"
0047141A|.68 88E06A00 push 006AE088 ;ASCII "D:\Program
Files\UltraISO"
0047141F|.68 11EE6500 push 0065EE11 ;ASCII "%s\%s"
00471424|.8D85 C8FBFFFF lea eax, dword ptr
0047142A|.50 push eax
0047142B|.E8 E4881B00 call 00629D14
00471430|.83C4 10 add esp, 10
00471433|.6A 00 push 0
00471435|.8D95 C8FBFFFF lea edx, dword ptr
0047143B|.52 push edx
0047143C|.E8 9B631B00 call 006277DC
00471441|.83C4 08 add esp, 8
00471444|.85C0 test eax, eax
00471446|.74 1E je short 00471466
检查是否存在uikey.ini文件,没有就检查是否存在ultraiso.ini文件
00471448|.68 27EE6500 push 0065EE27 ;ASCII "ultraiso.ini"
0047144D|.68 88E06A00 push 006AE088 ;ASCII "D:\Program
Files\UltraISO"
00471452|.68 21EE6500 push 0065EE21 ;ASCII "%s\%s"
00471457|.8D8D C8FBFFFF lea ecx, dword ptr
0047145D|.51 push ecx
0047145E|.E8 B1881B00 call 00629D14
00471463|.83C4 10 add esp, 10
00471466|>6A 00 push 0
00471468|.8D85 C8FBFFFF lea eax, dword ptr
0047146E|.50 push eax
0047146F|.E8 68631B00 call 006277DC
00471474|.83C4 08 add esp, 8
00471477|.85C0 test eax, eax
00471479 0F85 C4000000 jnz 00471542
检查是否存在ultraiso.ini文件,没有就继续检查注册表。
这里可以改成 jnz 00471538,把下面的EAX置1。这样不管有没有uikey.ini,程序都会认为uikey.ini文
件里有用户名及注册码选项。
0047147F|.8D95 CCFEFFFF lea edx, dword ptr
00471485|.52 push edx
00471486|.FF75 08 push dword ptr
00471489|.8D8D C8FBFFFF lea ecx, dword ptr
0047148F|.51 push ecx
00471490|.E8 6FFCFFFF call 00471104
刚才的CALL返回后停在这里,CALL的作用是检查uikey.ini或ultraiso.ini文件里的username及
registration选项是否正确,继续F8运行,
00471495|.83C4 0C add esp, 0C
00471498|.85C0 test eax, eax
0047149A|.0F84 A2000000 je 00471542
004714A0|.33C0 xor eax, eax
004714A2|.8945 F0 mov dword ptr , eax
004714A5|.33D2 xor edx, edx
004714A7|.8955 EC mov dword ptr , edx
004714AA|.EB 27 jmp short 004714D3
004714AC|>8B4D F0 /mov ecx, dword ptr
004714AF|.8A840D CCFEFF>|mov al, byte ptr
004714B6|.3C 2D |cmp al, 2D
004714B8|.74 16 |je short 004714D0
004714BA|.8B55 0C |mov edx, dword ptr
004714BD|.8B4D EC |mov ecx, dword ptr
004714C0|.8B45 F0 |mov eax, dword ptr
004714C3|.8A8405 CCFEFF>|mov al, byte ptr
004714CA|.88040A |mov byte ptr , al
004714CD|.FF45 EC |inc dword ptr
004714D0|>FF45 F0 |inc dword ptr
004714D3|>8B55 F0 mov edx, dword ptr
004714D6|.8A8C15 CCFEFF>|mov cl, byte ptr
004714DD|.84C9 |test cl, cl
004714DF|.^ 75 CB \jnz short 004714AC
004714E1|.8B45 0C mov eax, dword ptr
004714E4|.8B55 EC mov edx, dword ptr
004714E7|.C60410 00 mov byte ptr , 0
004714EB|.C745 F4 10000>mov dword ptr , 10
004714F2|.EB 03 jmp short 004714F7
004714F4|>FF4D F4 /dec dword ptr
004714F7|>8B4D F4 mov ecx, dword ptr
004714FA|.85C9 |test ecx, ecx
004714FC|.7E 10 |jle short 0047150E
004714FE|.8B45 0C |mov eax, dword ptr
00471501|.8B55 F4 |mov edx, dword ptr
00471504|.0FBE4C10 FF |movsx ecx, byte ptr
00471509|.83F9 58 |cmp ecx, 58
0047150C|.^ 74 E6 \je short 004714F4
0047150E|>8B45 0C mov eax, dword ptr
00471511|.8B55 F4 mov edx, dword ptr
00471514|.C60410 00 mov byte ptr , 0
00471518|.FF75 08 push dword ptr
0047151B|.68 24DC8000 push 0080DC24
00471520|.E8 23451B00 call 00625A48
00471525|.83C4 08 add esp, 8
00471528|.FF75 0C push dword ptr
0047152B|.68 28DD8000 push 0080DD28
00471530|.E8 13451B00 call 00625A48
00471535|.83C4 08 add esp, 8
如果存在uikey.ini或ultraiso.ini文件,并且文件里的username及registration正确,这下面的EAX就置1,
然后不再检查注册表,直接跳至CALL的末尾返回。
00471538|.B8 01000000 mov eax, 1
0047153D|.E9 CD020000 jmp 0047180F
00471542|>8D55 DC lea edx, dword ptr
00471545|.52 push edx ; /pHandle
00471546|.68 34EE6500 push 0065EE34 ; |Subkey =
"SOFTWARE\EasyBoot Systems\UltraISO\5.0"
0047154B|.68 01000080 push 80000001 ; |hKey =
HKEY_CURRENT_USER
00471550|.E8 C3561C00 call <jmp.&ADVAPI32.RegOpenKeyA> ; \RegOpenKeyA
00471555|.85C0 test eax, eax
00471557|.74 07 je short 00471560
00471559|.33C0 xor eax, eax
0047155B|.E9 AF020000 jmp 0047180F
00471560|>C745 D4 00010>mov dword ptr , 100
00471567|.8D55 D4 lea edx, dword ptr
0047156A|.52 push edx ; /pBufSize
0047156B|.8D8D CCFCFFFF lea ecx, dword ptr ; |
00471571|.51 push ecx ; |Buffer
00471572|.8D45 D8 lea eax, dword ptr ; |
00471575|.50 push eax ; |pValueType
00471576|.6A 00 push 0 ; |Reserved = NULL
00471578|.68 5BEE6500 push 0065EE5B ; |ValueName =
"UserName"
这里又断了一下,继续F8运行至本CALL返回
0047157D|.FF75 DC push dword ptr ; |hKey
00471580|.E8 A5561C00 call <jmp.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
00471585|.85C0 test eax, eax
00471587|.75 14 jnz short 0047159D
是否存在username键值,用户名
00471589|.8D95 CCFCFFFF lea edx, dword ptr
0047158F|.52 push edx
00471590|.FF75 08 push dword ptr
00471593|.E8 B0441B00 call 00625A48
00471598|.83C4 08 add esp, 8
0047159B|.EB 07 jmp short 004715A4
0047159D|>33C0 xor eax, eax
0047159F|.E9 6B020000 jmp 0047180F
004715A4|>C745 D4 00010>mov dword ptr , 100
004715AB|.8D55 D4 lea edx, dword ptr
004715AE|.52 push edx ; /pBufSize
004715AF|.8D8D CCFCFFFF lea ecx, dword ptr ; |
004715B5|.51 push ecx ; |Buffer
004715B6|.8D45 D8 lea eax, dword ptr ; |
004715B9|.50 push eax ; |pValueType
004715BA|.6A 00 push 0 ; |Reserved = NULL
004715BC|.68 64EE6500 push 0065EE64 ; |ValueName =
"Registration"
004715C1|.FF75 DC push dword ptr ; |hKey
004715C4|.E8 61561C00 call <jmp.&ADVAPI32.RegQueryValueExA> ; \RegQueryValueExA
004715C9|.85C0 test eax, eax
004715CB|.75 18 jnz short 004715E5
是否存在registration键值,注册码
004715CD|.8D95 CCFCFFFF lea edx, dword ptr
004715D3|.52 push edx
004715D4|.8D8D CCFEFFFF lea ecx, dword ptr
004715DA|.51 push ecx
004715DB|.E8 68441B00 call 00625A48
004715E0|.83C4 08 add esp, 8
004715E3|.EB 07 jmp short 004715EC
004715E5|>33C0 xor eax, eax
004715E7|.E9 23020000 jmp 0047180F
004715EC|>FF75 DC push dword ptr ; /hKey
004715EF|.E8 06561C00 call <jmp.&ADVAPI32.RegCloseKey> ; \RegCloseKey
004715F4|.33D2 xor edx, edx
004715F6|.8955 F0 mov dword ptr , edx
004715F9|>8B4D F0 /mov ecx, dword ptr
004715FC|.8A844D CCFEFF>|mov al, byte ptr
00471603|.8845 CF |mov byte ptr , al
00471606|.8A55 CF |mov dl, byte ptr
00471609|.80FA 30 |cmp dl, 30
0047160C|.72 0E |jb short 0047161C
0047160E|.8A4D CF |mov cl, byte ptr
00471611|.80F9 39 |cmp cl, 39
00471614|.77 06 |ja short 0047161C
00471616|.8045 CF D0 |add byte ptr , 0D0
0047161A|.EB 2E |jmp short 0047164A
0047161C|>8A45 CF |mov al, byte ptr
0047161F|.3C 61 |cmp al, 61
00471621|.72 0E |jb short 00471631
00471623|.8A55 CF |mov dl, byte ptr
00471626|.80FA 66 |cmp dl, 66
00471629|.77 06 |ja short 00471631
0047162B|.8045 CF A9 |add byte ptr , 0A9
0047162F|.EB 19 |jmp short 0047164A
00471631|>8A4D CF |mov cl, byte ptr
00471634|.80F9 41 |cmp cl, 41
00471637|.72 0D |jb short 00471646
00471639|.8A45 CF |mov al, byte ptr
0047163C|.3C 46 |cmp al, 46
0047163E|.77 06 |ja short 00471646
00471640|.8045 CF C9 |add byte ptr , 0C9
00471644|.EB 04 |jmp short 0047164A
00471646|>C645 CF 00 |mov byte ptr , 0
0047164A|>8A55 CF |mov dl, byte ptr
0047164D|.C1E2 04 |shl edx, 4
00471650|.8B4D F0 |mov ecx, dword ptr
00471653|.88940D CCFDFF>|mov byte ptr , dl
0047165A|.8B45 F0 |mov eax, dword ptr
0047165D|.8A9445 CDFEFF>|mov dl, byte ptr
00471664|.8855 CF |mov byte ptr , dl
00471667|.8A4D CF |mov cl, byte ptr
0047166A|.80F9 30 |cmp cl, 30
0047166D|.72 0D |jb short 0047167C
0047166F|.8A45 CF |mov al, byte ptr
00471672|.3C 39 |cmp al, 39
00471674|.77 06 |ja short 0047167C
00471676|.8045 CF D0 |add byte ptr , 0D0
0047167A|.EB 2F |jmp short 004716AB
0047167C|>8A55 CF |mov dl, byte ptr
0047167F|.80FA 61 |cmp dl, 61
00471682|.72 0E |jb short 00471692
00471684|.8A4D CF |mov cl, byte ptr
00471687|.80F9 66 |cmp cl, 66
0047168A|.77 06 |ja short 00471692
0047168C|.8045 CF A9 |add byte ptr , 0A9
00471690|.EB 19 |jmp short 004716AB
00471692|>8A45 CF |mov al, byte ptr
00471695|.3C 41 |cmp al, 41
00471697|.72 0E |jb short 004716A7
00471699|.8A55 CF |mov dl, byte ptr
0047169C|.80FA 46 |cmp dl, 46
0047169F|.77 06 |ja short 004716A7
004716A1|.8045 CF C9 |add byte ptr , 0C9
004716A5|.EB 04 |jmp short 004716AB
004716A7|>C645 CF 00 |mov byte ptr , 0
004716AB|>8B4D F0 |mov ecx, dword ptr
004716AE|.8A45 CF |mov al, byte ptr
004716B1|.00840D CCFDFF>|add byte ptr , al
004716B8|.FF45 F0 |inc dword ptr
004716BB|.8B55 F0 |mov edx, dword ptr
004716BE|.83FA 10 |cmp edx, 10
004716C1|.^ 0F8C 32FFFFFF \jl 004715F9
004716C7|.C745 FC 99F47>mov dword ptr , 3E76F499
004716CE|.8175 FC 20090>xor dword ptr , 20020920
004716D5|.FF75 FC push dword ptr
004716D8|.68 71EE6500 push 0065EE71
004716DD|.8D4D E0 lea ecx, dword ptr
004716E0|.51 push ecx
004716E1|.E8 2E861B00 call 00629D14
004716E6|.83C4 0C add esp, 0C
004716E9|.33C0 xor eax, eax
004716EB|.8945 F0 mov dword ptr , eax
004716EE|>8B55 F0 /mov edx, dword ptr
004716F1|.8B0C95 28ED65>|mov ecx, dword ptr
004716F8|.8A440D E0 |mov al, byte ptr
004716FC|.8B55 F0 |mov edx, dword ptr
004716FF|.8A8A 48ED6500 |mov cl, byte ptr
00471705|.32C1 |xor al, cl
00471707|.8B55 F0 |mov edx, dword ptr
0047170A|.888415 CCFEFF>|mov byte ptr , al
00471711|.FF45 F0 |inc dword ptr
00471714|.8B45 F0 |mov eax, dword ptr
00471717|.83F8 08 |cmp eax, 8
0047171A|.^ 7C D2 \jl short 004716EE
0047171C|.FF75 08 push dword ptr
0047171F|.E8 54431B00 call 00625A78
00471724|.59 pop ecx
00471725|.8945 F8 mov dword ptr , eax
00471728|.C745 F4 10000>mov dword ptr , 10
0047172F|.33C9 xor ecx, ecx
00471731|.894D EC mov dword ptr , ecx
00471734|.33C0 xor eax, eax
00471736|.8945 F0 mov dword ptr , eax
00471739|.8B55 F0 mov edx, dword ptr
0047173C|.8B4D F4 mov ecx, dword ptr
0047173F|.3BD1 cmp edx, ecx
00471741|.7D 3D jge short 00471780
00471743|>8B45 08 /mov eax, dword ptr
00471746|.8B55 EC |mov edx, dword ptr
00471749|.8A0C10 |mov cl, byte ptr
0047174C|.8B45 F0 |mov eax, dword ptr
0047174F|.8A9405 CCFDFF>|mov dl, byte ptr
00471756|.32CA |xor cl, dl
00471758|.8B45 0C |mov eax, dword ptr
0047175B|.8B55 F0 |mov edx, dword ptr
0047175E|.880C10 |mov byte ptr , cl
00471761|.FF45 EC |inc dword ptr
00471764|.8B4D EC |mov ecx, dword ptr
00471767|.8B45 F8 |mov eax, dword ptr
0047176A|.3BC8 |cmp ecx, eax
0047176C|.7C 05 |jl short 00471773
0047176E|.33D2 |xor edx, edx
00471770|.8955 EC |mov dword ptr , edx
00471773|>FF45 F0 |inc dword ptr
00471776|.8B4D F0 |mov ecx, dword ptr
00471779|.8B45 F4 |mov eax, dword ptr
0047177C|.3BC8 |cmp ecx, eax
0047177E|.^ 7C C3 \jl short 00471743
00471780|>33D2 xor edx, edx
00471782|.8955 EC mov dword ptr , edx
00471785|.33C9 xor ecx, ecx
00471787|.894D F0 mov dword ptr , ecx
0047178A|.8B45 F0 mov eax, dword ptr
0047178D|.8B55 F4 mov edx, dword ptr
00471790|.3BC2 cmp eax, edx
00471792|.7D 35 jge short 004717C9
00471794|>8B4D EC /mov ecx, dword ptr
00471797|.8A840D CCFEFF>|mov al, byte ptr
0047179E|.8B55 0C |mov edx, dword ptr
004717A1|.8B4D F0 |mov ecx, dword ptr
004717A4|.30040A |xor byte ptr , al
004717A7|.FF45 EC |inc dword ptr
004717AA|.8B45 EC |mov eax, dword ptr
004717AD|.83F8 08 |cmp eax, 8
004717B0|.7C 05 |jl short 004717B7
004717B2|.33D2 |xor edx, edx
004717B4|.8955 EC |mov dword ptr , edx
004717B7|>FF45 F0 |inc dword ptr
004717BA|.8B4D F0 |mov ecx, dword ptr
004717BD|.8B45 F4 |mov eax, dword ptr
004717C0|.3BC8 |cmp ecx, eax
004717C2|.^ 7C D0 \jl short 00471794
004717C4|.EB 03 jmp short 004717C9
004717C6|>FF4D F4 /dec dword ptr
004717C9|>8B55 F4 mov edx, dword ptr
004717CC|.85D2 |test edx, edx
004717CE|.7E 10 |jle short 004717E0
004717D0|.8B4D 0C |mov ecx, dword ptr
004717D3|.8B45 F4 |mov eax, dword ptr
004717D6|.0FBE5401 FF |movsx edx, byte ptr
004717DB|.83FA 58 |cmp edx, 58
004717DE|.^ 74 E6 \je short 004717C6
004717E0|>8B4D 0C mov ecx, dword ptr
004717E3|.8B45 F4 mov eax, dword ptr
004717E6|.C60401 00 mov byte ptr , 0
004717EA|.FF75 08 push dword ptr
004717ED|.68 24DC8000 push 0080DC24
004717F2|.E8 51421B00 call 00625A48
004717F7|.83C4 08 add esp, 8
004717FA|.FF75 0C push dword ptr
004717FD|.68 28DD8000 push 0080DD28
00471802|.E8 41421B00 call 00625A48
00471807|.83C4 08 add esp, 8
如果注册表存在正确的用户名及注册码,这里EAX就会置1
0047180A|.B8 01000000 mov eax, 1
0047180F|>8BE5 mov esp, ebp
00471811|.5D pop ebp
00471812\.C3 retn
到这里返回至00402FA9 .E8 5EE40600 call 0047140C
00402F6D .BA FE4D6400 mov edx, 00644DFE ;ASCII "UltraISO"
00402F72 .8D45 F4 lea eax, dword ptr
00402F75 .E8 9E2C2300 call 00635C18
00402F7A .FF45 E8 inc dword ptr
00402F7D .8B10 mov edx, dword ptr
00402F7F .A1 98D36A00 mov eax, dword ptr
00402F84 .8B00 mov eax, dword ptr
00402F86 .E8 29471E00 call 005E76B4
00402F8B .FF4D E8 dec dword ptr
00402F8E .8D45 F4 lea eax, dword ptr
00402F91 .BA 02000000 mov edx, 2
00402F96 .E8 DD2D2300 call 00635D78
00402F9B .8D8D B0FDFFFF lea ecx, dword ptr
00402FA1 .51 push ecx
00402FA2 .8D85 B0FEFFFF lea eax, dword ptr
00402FA8 .50 push eax
00402FA9 .E8 5EE40600 call 0047140C
检查完ini文件及注册表后,返回到这里,下面的就是关键了。
00402FAE .83C4 08 add esp, 8
00402FB1 A3 D8526400 mov dword ptr , eax
把刚才置1的EAX的值传递至,注册标志位为1
00402FB6 8B15 D8526400 mov edx, dword ptr
00402FBC .85D2 test edx, edx
00402FBE .74 1D je short 00402FDD
这里不能跳转,需要下面的CALL 004018E8对和赋值,下面会讲到。
00402FC0 .8D8D B0FDFFFF lea ecx, dword ptr
00402FC6 .51 push ecx
00402FC7 .8D85 B0FEFFFF lea eax, dword ptr
00402FCD .50 push eax
00402FCE .E8 15E9FFFF call 004018E8
这上面的CALL应该就是什么白名单,红名单的检查,即使是正确的用户名及注册码,如果在名单里的,照
样不能正确注册。但这个CALL我们不能在上面的00402FBE处跳转绕开。因为下面的和需
要它来赋值。
00402FD3 .83C4 08 add esp, 8
00402FD6 .A3 D8526400 mov dword ptr , eax
00402FDB .EB 08 jmp short 00402FE5
00402FDD >33D2 xor edx, edx
00402FDF .8915 D8526400 mov dword ptr , edx
00402FE5 >C705 BCE66300>mov dword ptr , 804
00402FEF .8B0D 40836700 mov ecx, dword ptr
00402FF5 .A1 C0806300 mov eax, dword ptr
00402FFA .3BC8 cmp ecx, eax
00402FFC .74 19 je short 00403017
这里验证用户名及注册码是否在限制名单里面,和两个值相等就跳过注册启动窗口。为
什么知道这里会跳开?因为再往下直至0040330C处才有一处跳转,但那里很明显是用来判断程序是否出错
的,一定要跳,不跳就会退出程序。而0040330C处跳转后再往下至0040332A处,程序就会出现注册窗口,
如果之前EAX赋值为1,程序就会跑飞了。显然这是个关键判断。
我们把00402FFC改成强制跳转试试,jmp short 00403017,F9运行,结果注册窗口不见了,进入主界面,但上
面显示的是试用。晕,看来强跳不行,要让和两个值相等才行,没办法,只能到上面的
call004018E8处去改变它们的赋值了。这个看完后面几行代码我们再深入到call004018E8里面分析。
00402FFE .8B15 98D36A00 mov edx, dword ptr ;UltraISO.00AA4A94
00403004 .8B02 mov eax, dword ptr
00403006 .8B0D 68D06A00 mov ecx, dword ptr ;UltraISO._frmStartup
0040300C .8B15 E8F26500 mov edx, dword ptr ;UltraISO.0065F334
00403012 .E8 914A1E00 call 005E7AA8
00403017 >A1 98D36A00 mov eax, dword ptr
0040301C .8B00 mov eax, dword ptr
0040301E .8B0D 50D06A00 mov ecx, dword ptr ;UltraISO._frmMain
00403024 .8B15 30C36400 mov edx, dword ptr ;UltraISO.0064C37C
0040302A .E8 794A1E00 call 005E7AA8
0040302F .A1 98D36A00 mov eax, dword ptr
00403034 .8B00 mov eax, dword ptr
00403036 .8B0D 58D06A00 mov ecx, dword ptr ;
UltraISO._frmProgress
0040303C .8B15 8C0F6500 mov edx, dword ptr ;UltraISO.00650FD8
00403042 .E8 614A1E00 call 005E7AA8
00403047 .A1 98D36A00 mov eax, dword ptr
0040304C .8B00 mov eax, dword ptr
0040304E .8B0D 5CD06A00 mov ecx, dword ptr ;UltraISO._frmProp
00403054 .8B15 F01E6500 mov edx, dword ptr ;UltraISO.00651F3C
0040305A .E8 494A1E00 call 005E7AA8
0040305F .A1 98D36A00 mov eax, dword ptr
00403064 .8B00 mov eax, dword ptr
00403066 .8B0D 60D06A00 mov ecx, dword ptr ;UltraISO._frmAbout
0040306C .8B15 142A6500 mov edx, dword ptr ;UltraISO.00652A60
00403072 .E8 314A1E00 call 005E7AA8
00403077 .A1 98D36A00 mov eax, dword ptr
0040307C .8B00 mov eax, dword ptr
0040307E .8B0D 64D06A00 mov ecx, dword ptr ;UltraISO._frmCDISO
00403084 .8B15 6CE86500 mov edx, dword ptr ;UltraISO.0065E8B8
0040308A .E8 194A1E00 call 005E7AA8
0040308F .A1 98D36A00 mov eax, dword ptr
00403094 .8B00 mov eax, dword ptr
00403096 .8B0D 6CD06A00 mov ecx, dword ptr ;
UltraISO._frmRegister
0040309C .8B15 D80E6600 mov edx, dword ptr ;UltraISO.00660F24
004030A2 .E8 014A1E00 call 005E7AA8
004030A7 .A1 98D36A00 mov eax, dword ptr
004030AC .8B00 mov eax, dword ptr
004030AE .8B0D 70D06A00 mov ecx, dword ptr ;UltraISO._frmFloppy
004030B4 .8B15 0C1A6600 mov edx, dword ptr ;UltraISO.00661A58
004030BA .E8 E9491E00 call 005E7AA8
004030BF .A1 98D36A00 mov eax, dword ptr
004030C4 .8B00 mov eax, dword ptr
004030C6 .8B0D 74D06A00 mov ecx, dword ptr ;UltraISO._frmConvert
004030CC .8B15 44236600 mov edx, dword ptr ;UltraISO.00662390
004030D2 .E8 D1491E00 call 005E7AA8
004030D7 .A1 98D36A00 mov eax, dword ptr
004030DC .8B00 mov eax, dword ptr
004030DE .8B0D 78D06A00 mov ecx, dword ptr ;UltraISO._frmConfig
004030E4 .8B15 F8CA6600 mov edx, dword ptr ;UltraISO.0066CB44
004030EA .E8 B9491E00 call 005E7AA8
004030EF .A1 98D36A00 mov eax, dword ptr
004030F4 .8B00 mov eax, dword ptr
004030F6 .8B0D 7CD06A00 mov ecx, dword ptr ;UltraISO._frmCheck
004030FC .8B15 48E06600 mov edx, dword ptr ;UltraISO.0066E094
00403102 .E8 A1491E00 call 005E7AA8
00403107 .A1 98D36A00 mov eax, dword ptr
0040310C .8B00 mov eax, dword ptr
0040310E .8B0D 80D06A00 mov ecx, dword ptr ;UltraISO._frmDialog
00403114 .8B15 1CF16600 mov edx, dword ptr ;UltraISO.0066F168
0040311A .E8 89491E00 call 005E7AA8
0040311F .A1 98D36A00 mov eax, dword ptr
00403124 .8B00 mov eax, dword ptr
00403126 .8B0D 84D06A00 mov ecx, dword ptr ;UltraISO._frmSimSave
0040312C .8B15 B0F86600 mov edx, dword ptr ;UltraISO.0066F8FC
00403132 .E8 71491E00 call 005E7AA8
00403137 .A1 98D36A00 mov eax, dword ptr
0040313C .8B00 mov eax, dword ptr
0040313E .8B0D 88D06A00 mov ecx, dword ptr ;UltraISO._frmSession
00403144 .8B15 30856700 mov edx, dword ptr ;UltraISO.0067857C
0040314A .E8 59491E00 call 005E7AA8
0040314F .A1 98D36A00 mov eax, dword ptr
00403154 .8B00 mov eax, dword ptr
00403156 .8B0D 8CD06A00 mov ecx, dword ptr ;UltraISO._frmBurn
0040315C .8B15 FCC16700 mov edx, dword ptr ;UltraISO.0067C248
00403162 .E8 41491E00 call 005E7AA8
00403167 .A1 98D36A00 mov eax, dword ptr
0040316C .8B00 mov eax, dword ptr
0040316E .8B0D 90D06A00 mov ecx, dword ptr ;
UltraISO._frmChangeLabel
00403174 .8B15 90CB6700 mov edx, dword ptr ;UltraISO.0067CBDC
0040317A .E8 29491E00 call 005E7AA8
0040317F .A1 98D36A00 mov eax, dword ptr
00403184 .8B00 mov eax, dword ptr
00403186 .8B0D 94D06A00 mov ecx, dword ptr ;UltraISO._frmLog
0040318C .8B15 88D06700 mov edx, dword ptr ;UltraISO.0067D0D4
00403192 .E8 11491E00 call 005E7AA8
00403197 .A1 98D36A00 mov eax, dword ptr
0040319C .8B00 mov eax, dword ptr
0040319E .8B0D 98D06A00 mov ecx, dword ptr ;
UltraISO._frmFileAttribute
004031A4 .8B15 68D86700 mov edx, dword ptr ;UltraISO.0067D8B4
004031AA .E8 F9481E00 call 005E7AA8
004031AF .A1 98D36A00 mov eax, dword ptr
004031B4 .8B00 mov eax, dword ptr
004031B6 .8B0D 9CD06A00 mov ecx, dword ptr ;
UltraISO._frmChecksum
004031BC .8B15 B8EB6700 mov edx, dword ptr ;UltraISO.0067EC04
004031C2 .E8 E1481E00 call 005E7AA8
004031C7 .A1 98D36A00 mov eax, dword ptr
004031CC .8B00 mov eax, dword ptr
004031CE .8B0D A0D06A00 mov ecx, dword ptr ;UltraISO._frmOpenCD
004031D4 .8B15 C4F96700 mov edx, dword ptr ;UltraISO.0067FA10
004031DA .E8 C9481E00 call 005E7AA8
004031DF .A1 98D36A00 mov eax, dword ptr
004031E4 .8B00 mov eax, dword ptr
004031E6 .8B0D A4D06A00 mov ecx, dword ptr ;UltraISO._frmVCD
004031EC .8B15 BC116900 mov edx, dword ptr ;UltraISO.00691208
004031F2 .E8 B1481E00 call 005E7AA8
004031F7 .A1 98D36A00 mov eax, dword ptr
004031FC .8B00 mov eax, dword ptr
004031FE .8B0D A8D06A00 mov ecx, dword ptr ;
UltraISO._frmPassword
00403204 .8B15 C4DF6900 mov edx, dword ptr ;UltraISO.0069E010
0040320A .E8 99481E00 call 005E7AA8
0040320F .A1 98D36A00 mov eax, dword ptr
00403214 .8B00 mov eax, dword ptr
00403216 .8B0D ACD06A00 mov ecx, dword ptr ;UltraISO._frmSearch
0040321C .8B15 98EE6900 mov edx, dword ptr ;UltraISO.0069EEE4
00403222 .E8 81481E00 call 005E7AA8
00403227 .A1 98D36A00 mov eax, dword ptr
0040322C .8B00 mov eax, dword ptr
0040322E .8B0D B0D06A00 mov ecx, dword ptr ;
UltraISO._frmCompress
00403234 .8B15 24F96900 mov edx, dword ptr ;UltraISO.0069F970
0040323A .E8 69481E00 call 005E7AA8
0040323F .A1 98D36A00 mov eax, dword ptr
00403244 .8B00 mov eax, dword ptr
00403246 .8B0D B4D06A00 mov ecx, dword ptr ;
UltraISO._frmWaitMedia
0040324C .8B15 98FD6900 mov edx, dword ptr ;UltraISO.0069FDE4
00403252 .E8 51481E00 call 005E7AA8
00403257 .A1 98D36A00 mov eax, dword ptr
0040325C .8B00 mov eax, dword ptr
0040325E .8B0D B8D06A00 mov ecx, dword ptr ;
UltraISO._frmDiskImage
00403264 .8B15 F8046A00 mov edx, dword ptr ;UltraISO.006A0544
0040326A .E8 39481E00 call 005E7AA8
0040326F .A1 98D36A00 mov eax, dword ptr
00403274 .8B00 mov eax, dword ptr
00403276 .8B0D BCD06A00 mov ecx, dword ptr ;UltraISO._frmEncrypt
0040327C .8B15 B80B6A00 mov edx, dword ptr ;UltraISO.006A0C04
00403282 .E8 21481E00 call 005E7AA8
00403287 .A1 98D36A00 mov eax, dword ptr
0040328C .8B00 mov eax, dword ptr
0040328E .8B0D C0D06A00 mov ecx, dword ptr ;
UltraISO._frmImageFormat
00403294 .8B15 44136A00 mov edx, dword ptr ;UltraISO.006A1390
0040329A .E8 09481E00 call 005E7AA8
0040329F .A1 98D36A00 mov eax, dword ptr
004032A4 .8B00 mov eax, dword ptr
004032A6 .8B0D C4D06A00 mov ecx, dword ptr ;
UltraISO._frmDiskProperty
004032AC .8B15 2C1F6A00 mov edx, dword ptr ;UltraISO.006A1F78
004032B2 .E8 F1471E00 call 005E7AA8
004032B7 .A1 98D36A00 mov eax, dword ptr
004032BC .8B00 mov eax, dword ptr
004032BE .8B0D C8D06A00 mov ecx, dword ptr ;
UltraISO._frmCustomImage
004032C4 .8B15 70276A00 mov edx, dword ptr ;UltraISO.006A27BC
004032CA .E8 D9471E00 call 005E7AA8
004032CF .A1 98D36A00 mov eax, dword ptr
004032D4 .8B00 mov eax, dword ptr
004032D6 .8B0D CCD06A00 mov ecx, dword ptr ;
UltraISO._frmUSBWrite
004032DC .8B15 AC476A00 mov edx, dword ptr ;UltraISO.006A47F8
004032E2 .E8 C1471E00 call 005E7AA8
004032E7 .A1 98D36A00 mov eax, dword ptr
004032EC .8B00 mov eax, dword ptr
004032EE .8B0D D0D06A00 mov ecx, dword ptr ;UltraISO._frmPart
004032F4 .8B15 B0536A00 mov edx, dword ptr ;UltraISO.006A53FC
004032FA .E8 A9471E00 call 005E7AA8
004032FF .68 18D66A00 push 006AD618
00403304 .E8 FB150A00 call 004A4904
00403309 .59 pop ecx
0040330A .85C0 test eax, eax
0040330C .74 0D je short 0040331B
很明显是程序出错时才用的,用来退出程序,这里一定要跳的。显然不是关键判断。
0040330E .FF35 CCE86600 push dword ptr ; /ExitCode = FFFFFFFF
00403314 .E8 9B392300 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
00403319 .EB 07 jmp short 00403322
0040331B >33C0 xor eax, eax
0040331D .A3 CCE86600 mov dword ptr , eax
00403322 >8B15 98D36A00 mov edx, dword ptr ;UltraISO.00AA4A94
00403328 .8B02 mov eax, dword ptr
0040332A .E8 F9471E00 call 005E7B28
这上面的CALL会弹出注册窗口,但如果之前EAX被赋值1,并传递给的,这里就会跑飞,不显示注
册窗口。
F7追进CALL里后发现是N个循环后才会出现NAG窗口,显然不是靠跳转能去掉的,要靠上面的参数传递来产
生NAG窗口或程序主界面。所以只能从上面的代码去发掘了。
0040332F .66:C745 DC 00>mov word ptr , 0
00403335 .E9 83000000 jmp 004033BD
0040333A .8B15 98D36A00 mov edx, dword ptr ;UltraISO.00AA4A94
00403340 .8B02 mov eax, dword ptr
00403342 .8B55 F8 mov edx, dword ptr
00403345 .E8 D64A1E00 call 005E7E20
0040334A .EB 66 jmp short 004033B2
0040334C .66:C745 DC 20>mov word ptr , 20
00403352 .8D4D CC lea ecx, dword ptr
00403355 .51 push ecx
00403356 .6A 00 push 0
00403358 .6A 00 push 0
0040335A .6A 00 push 0
0040335C .6A 01 push 1
0040335E .68 3C344000 push 0040343C ;入口地址
00403363 .6A 00 push 0
00403365 .66:C745 DC 2C>mov word ptr , 2C
0040336B .BA 074E6400 mov edx, 00644E07
00403370 .8D45 F0 lea eax, dword ptr
00403373 .E8 A0282300 call 00635C18
00403378 .FF45 E8 inc dword ptr
0040337B .8B08 mov ecx, dword ptr
0040337D .B2 01 mov dl, 1
0040337F .A1 0C945900 mov eax, dword ptr
00403384 .E8 2BB51900 call 0059E8B4
00403389 .50 push eax
0040338A .68 D8334000 push 004033D8
0040338F .E8 25FB2200 call 00632EB9
00403394 .83C4 24 add esp, 24
00403397 .8B0D 98D36A00 mov ecx, dword ptr ;UltraISO.00AA4A94
0040339D .8B01 mov eax, dword ptr
0040339F .8B55 FC mov edx, dword ptr
004033A2 .E8 794A1E00 call 005E7E20
004033A7 .66:C745 DC 28>mov word ptr , 28
004033AD .E8 28FD2200 call 006330DA
004033B2 >66:C745 DC 10>mov word ptr , 10
004033B8 .E8 1DFD2200 call 006330DA
004033BD >A1 CCE86600 mov eax, dword ptr
004033C2 .8B55 CC mov edx, dword ptr
004033C5 .64:8915 00000>mov dword ptr fs:, edx
004033CC .5F pop edi
004033CD .5E pop esi
004033CE .5B pop ebx
004033CF .8BE5 mov esp, ebp
004033D1 .5D pop ebp
004033D2 .C2 1000 retn 10
============================================================================================
================================
我们OD重新载入,在00471477处下断,把
00471479 0F85 C4000000 jnz 00471542
处改成
00471479 0F85 B9000000 jnz 00471538
让EAX置1,并直接跳转直至返回至00402FA9 .E8 5EE40600 call 0047140C处,F8几步后,来到
00402FCE .E8 15E9FFFF call 004018E8处,再F7进入CALL里,看看哪些地方对和
进行赋值的。细一看,有好几处呢,我们从CALL的底部和往上追寻最后赋值的地方:
004018E8 $55 push ebp
004018E9 .8BEC mov ebp, esp
004018EB .81C4 38FBFFFF add esp, -4C8
004018F1 .33C0 xor eax, eax
004018F3 .8945 FC mov dword ptr , eax
004018F6 .33D2 xor edx, edx
004018F8 .8955 F8 mov dword ptr , edx
004018FB .33C9 xor ecx, ecx
004018FD .894D F4 mov dword ptr , ecx
00401900 .33C0 xor eax, eax
00401902 .8945 F0 mov dword ptr , eax
00401905 .33D2 xor edx, edx
00401907 .8955 EC mov dword ptr , edx
0040190A .6A 05 push 5
0040190C .6A 30 push 30
0040190E .8D4D E4 lea ecx, dword ptr
00401911 .51 push ecx
00401912 .E8 B13F2200 call 006258C8
00401917 .83C4 0C add esp, 0C
0040191A .C645 E4 31 mov byte ptr , 31
0040191E .C645 E8 31 mov byte ptr , 31
00401922 .C645 E9 00 mov byte ptr , 0
00401926 .6A 10 push 10
00401928 .6A 41 push 41
0040192A .8D85 A4FCFFFF lea eax, dword ptr
00401930 .50 push eax
00401931 .E8 923F2200 call 006258C8
00401936 .83C4 0C add esp, 0C
00401939 .C685 B3FCFFFF>mov byte ptr , 31
00401940 .C685 B2FCFFFF>mov byte ptr , 44
00401947 .C685 A6FCFFFF>mov byte ptr , 30
0040194E .C685 A7FCFFFF>mov byte ptr , 46
00401955 .C685 A9FCFFFF>mov byte ptr , 46
0040195C .C685 A8FCFFFF>mov byte ptr , 38
00401963 .C685 ABFCFFFF>mov byte ptr , 32
0040196A .8D55 D0 lea edx, dword ptr
0040196D .52 push edx
0040196E .E8 51092300 call 006322C4
00401973 .59 pop ecx
00401974 .C685 AEFCFFFF>mov byte ptr , 36
0040197B .C685 AAFCFFFF>mov byte ptr , 36
00401982 .C685 AFFCFFFF>mov byte ptr , 45
00401989 .C685 B0FCFFFF>mov byte ptr , 39
00401990 .C685 B1FCFFFF>mov byte ptr , 37
00401997 .C685 A5FCFFFF>mov byte ptr , 37
0040199E .C685 B4FCFFFF>mov byte ptr , 0
004019A5 .33C9 xor ecx, ecx
004019A7 .890D B4E66300 mov dword ptr , ecx
004019AD .8D45 F4 lea eax, dword ptr
004019B0 .50 push eax
004019B1 .FF75 0C push dword ptr
004019B4 .E8 37E50700 call 0047FEF0
004019B9 .83C4 08 add esp, 8
004019BC .8B55 D0 mov edx, dword ptr
004019BF .F7D2 not edx
004019C1 .8915 40836700 mov dword ptr , edx
004019C7 .8D4D FC lea ecx, dword ptr
004019CA .51 push ecx
004019CB .8D85 A4FCFFFF lea eax, dword ptr
004019D1 .50 push eax
004019D2 .E8 19E50700 call 0047FEF0
004019D7 .83C4 08 add esp, 8
004019DA .8D55 F8 lea edx, dword ptr
004019DD .52 push edx
004019DE .8D4D E4 lea ecx, dword ptr
004019E1 .51 push ecx
004019E2 .E8 09E50700 call 0047FEF0
004019E7 .83C4 08 add esp, 8
004019EA .8D45 EC lea eax, dword ptr
004019ED .50 push eax
004019EE .FF75 FC push dword ptr
004019F1 .FF75 F8 push dword ptr
004019F4 .FF75 F4 push dword ptr
004019F7 .E8 54D30700 call 0047ED50
004019FC .83C4 10 add esp, 10
004019FF .FF75 EC push dword ptr
00401A02 .8D95 B8FEFFFF lea edx, dword ptr
00401A08 .52 push edx
00401A09 .E8 16E60700 call 00480024
00401A0E .83C4 08 add esp, 8
00401A11 .8B4D D0 mov ecx, dword ptr
00401A14 .F7D1 not ecx
00401A16 .890D 40836700 mov dword ptr , ecx
00401A1C .8A85 B8FEFFFF mov al, byte ptr
00401A22 .8A15 38046400 mov dl, byte ptr
00401A28 .3AC2 cmp al, dl
00401A2A .75 48 jnz short 00401A74
00401A2C .FF05 40836700 inc dword ptr
00401A32 .8A8D B9FEFFFF mov cl, byte ptr
00401A38 .A0 39046400 mov al, byte ptr
00401A3D .3AC8 cmp cl, al
00401A3F .75 06 jnz short 00401A47
00401A41 .FF05 40836700 inc dword ptr
00401A47 >0FBE95 C0FEFF>movsx edx, byte ptr
00401A4E .83FA 35 cmp edx, 35
00401A51 .75 06 jnz short 00401A59
00401A53 .FF05 40836700 inc dword ptr
00401A59 >0FBE8D C1FEFF>movsx ecx, byte ptr
00401A60 .83F9 33 cmp ecx, 33
00401A63 .0F85 D1010000 jnz 00401C3A
00401A69 .FF05 40836700 inc dword ptr
00401A6F .E9 C6010000 jmp 00401C3A
00401A74 >8A85 B8FEFFFF mov al, byte ptr
00401A7A .8A15 3A046400 mov dl, byte ptr
00401A80 .3AC2 cmp al, dl
00401A82 .74 13 je short 00401A97
00401A84 .8A8D B9FEFFFF mov cl, byte ptr
00401A8A .A0 3B046400 mov al, byte ptr
00401A8F .3AC8 cmp cl, al
00401A91 .0F85 8E000000 jnz 00401B25
00401A97 >FF05 40836700 inc dword ptr
00401A9D .FF05 40836700 inc dword ptr
00401AA3 .0FBE95 C0FEFF>movsx edx, byte ptr
00401AAA .83FA 61 cmp edx, 61
00401AAD .7C 12 jl short 00401AC1
00401AAF .0FBE8D C0FEFF>movsx ecx, byte ptr
00401AB6 .83C1 A9 add ecx, -57
00401AB9 .890D 94276500 mov dword ptr , ecx
00401ABF .EB 0F jmp short 00401AD0
00401AC1 >0FBE85 C0FEFF>movsx eax, byte ptr
00401AC8 .83C0 D0 add eax, -30
00401ACB .A3 94276500 mov dword ptr , eax
00401AD0 >FF05 40836700 inc dword ptr
00401AD6 .8B15 94276500 mov edx, dword ptr
00401ADC .C1E2 04 shl edx, 4
00401ADF .8915 94276500 mov dword ptr , edx
00401AE5 .0FBE8D C1FEFF>movsx ecx, byte ptr
00401AEC .83F9 61 cmp ecx, 61
00401AEF .7C 12 jl short 00401B03
00401AF1 .0FBE85 C1FEFF>movsx eax, byte ptr
00401AF8 .83C0 A9 add eax, -57
00401AFB .0105 94276500 add dword ptr , eax
00401B01 .EB 10 jmp short 00401B13
00401B03 >0FBE95 C1FEFF>movsx edx, byte ptr
00401B0A .83C2 D0 add edx, -30
00401B0D .0115 94276500 add dword ptr , edx
00401B13 >FF05 40836700 inc dword ptr
00401B19 .832D 94276500>sub dword ptr , 20
00401B20 .E9 15010000 jmp 00401C3A
00401B25 >8A8D B8FEFFFF mov cl, byte ptr
00401B2B .A0 3C046400 mov al, byte ptr
00401B30 .3AC8 cmp cl, al
00401B32 .74 14 je short 00401B48
00401B34 .8A95 B9FEFFFF mov dl, byte ptr
00401B3A .8A0D 3D046400 mov cl, byte ptr
00401B40 .3AD1 cmp dl, cl
00401B42 .0F85 F2000000 jnz 00401C3A
00401B48 >FF05 40836700 inc dword ptr
00401B4E .FF05 40836700 inc dword ptr
00401B54 .0FBE85 C6FEFF>movsx eax, byte ptr
00401B5B .83F8 61 cmp eax, 61
00401B5E .7C 0F jl short 00401B6F
00401B60 .0FBE95 C6FEFF>movsx edx, byte ptr
00401B67 .83C2 A9 add edx, -57
00401B6A .8955 CC mov dword ptr , edx
00401B6D .EB 0D jmp short 00401B7C
00401B6F >0FBE8D C6FEFF>movsx ecx, byte ptr
00401B76 .83C1 D0 add ecx, -30
00401B79 .894D CC mov dword ptr , ecx
00401B7C >8B45 CC mov eax, dword ptr
00401B7F .C1E0 04 shl eax, 4
00401B82 .8945 CC mov dword ptr , eax
00401B85 .0FBE95 C7FEFF>movsx edx, byte ptr
00401B8C .83FA 61 cmp edx, 61
00401B8F .7C 0F jl short 00401BA0
00401B91 .0FBE8D C7FEFF>movsx ecx, byte ptr
00401B98 .83C1 A9 add ecx, -57
00401B9B .014D CC add dword ptr , ecx
00401B9E .EB 0D jmp short 00401BAD
00401BA0 >0FBE85 C7FEFF>movsx eax, byte ptr
00401BA7 .83C0 D0 add eax, -30
00401BAA .0145 CC add dword ptr , eax
00401BAD >836D CC 20 sub dword ptr , 20
00401BB1 .0FBE95 C0FEFF>movsx edx, byte ptr
00401BB8 .83FA 61 cmp edx, 61
00401BBB .7C 12 jl short 00401BCF
00401BBD .0FBE8D C0FEFF>movsx ecx, byte ptr
00401BC4 .83C1 A9 add ecx, -57
00401BC7 .890D 94276500 mov dword ptr , ecx
00401BCD .EB 0F jmp short 00401BDE
00401BCF >0FBE85 C0FEFF>movsx eax, byte ptr
00401BD6 .83C0 D0 add eax, -30
00401BD9 .A3 94276500 mov dword ptr , eax
00401BDE >FF05 40836700 inc dword ptr
00401BE4 .8B15 94276500 mov edx, dword ptr
00401BEA .C1E2 04 shl edx, 4
00401BED .8915 94276500 mov dword ptr , edx
00401BF3 .0FBE8D C1FEFF>movsx ecx, byte ptr
00401BFA .83F9 61 cmp ecx, 61
00401BFD .7C 12 jl short 00401C11
00401BFF .0FBE85 C1FEFF>movsx eax, byte ptr
00401C06 .83C0 A9 add eax, -57
00401C09 .0105 94276500 add dword ptr , eax
00401C0F .EB 10 jmp short 00401C21
00401C11 >0FBE95 C1FEFF>movsx edx, byte ptr
00401C18 .83C2 D0 add edx, -30
00401C1B .0115 94276500 add dword ptr , edx
00401C21 >FF05 40836700 inc dword ptr
00401C27 .832D 94276500>sub dword ptr , 20
00401C2E .8B4D CC mov ecx, dword ptr
00401C31 .C1E1 06 shl ecx, 6
00401C34 .010D 94276500 add dword ptr , ecx
00401C3A >0FBE85 BEFEFF>movsx eax, byte ptr
00401C41 .83F8 32 cmp eax, 32
00401C44 .7C 0C jl short 00401C52
00401C46 .0FBE95 BEFEFF>movsx edx, byte ptr
00401C4D .83FA 32 cmp edx, 32
00401C50 .7E 06 jle short 00401C58
00401C52 >FF0D 40836700 dec dword ptr
00401C58 >0FBE8D BFFEFF>movsx ecx, byte ptr
00401C5F .83F9 61 cmp ecx, 61
00401C62 .74 12 je short 00401C76
00401C64 .0FBE85 BFFEFF>movsx eax, byte ptr
00401C6B .83F8 63 cmp eax, 63
00401C6E .74 06 je short 00401C76
00401C70 .FF0D 40836700 dec dword ptr
00401C76 >FF05 40836700 inc dword ptr
00401C7C .FF05 40836700 inc dword ptr
00401C82 .C745 C4 DC650>mov dword ptr , 65DC
00401C89 .8B15 40836700 mov edx, dword ptr
00401C8F .8955 B8 mov dword ptr , edx
00401C92 .FF0D 40836700 dec dword ptr
00401C98 .8B4D B8 mov ecx, dword ptr
00401C9B .A1 40836700 mov eax, dword ptr
00401CA0 .3BC8 cmp ecx, eax
00401CA2 .8B55 D0 mov edx, dword ptr
00401CA5 .F7D2 not edx
00401CA7 .83C2 0A add edx, 0A
00401CAA .8B0D 40836700 mov ecx, dword ptr
00401CB0 .3BD1 cmp edx, ecx
00401CB2 .7C 10 jl short 00401CC4
00401CB4 .8B45 D0 mov eax, dword ptr
00401CB7 .F7D0 not eax
00401CB9 .83C0 F6 add eax, -0A
00401CBC .8B15 40836700 mov edx, dword ptr
00401CC2 .3BC2 cmp eax, edx
00401CC4 >C745 C0 C8806>mov dword ptr , 006380C8
00401CCB .8D8D 38FBFFFF lea ecx, dword ptr
00401CD1 .51 push ecx
00401CD2 .E8 397C0A00 call 004A9910
00401CD7 .59 pop ecx
00401CD8 .FF0D 40836700 dec dword ptr
00401CDE .FF75 C4 push dword ptr
00401CE1 .FF75 C0 push dword ptr
00401CE4 .8D85 38FBFFFF lea eax, dword ptr
00401CEA .50 push eax
00401CEB .E8 5C7C0A00 call 004A994C
00401CF0 .83C4 0C add esp, 0C
00401CF3 .FF0D 40836700 dec dword ptr
00401CF9 .8D95 38FBFFFF lea edx, dword ptr
00401CFF .52 push edx
00401D00 .8D8D 90FBFFFF lea ecx, dword ptr
00401D06 .51 push ecx
00401D07 .E8 287D0A00 call 004A9A34
00401D0C .83C4 08 add esp, 8
00401D0F .6A 10 push 10
00401D11 .68 A4E66300 push 0063E6A4
00401D16 .8D85 90FBFFFF lea eax, dword ptr
00401D1C .50 push eax
00401D1D .E8 823E2200 call 00625BA4
00401D22 .83C4 0C add esp, 0C
00401D25 .85C0 test eax, eax
00401D27 .0F85 FD000000 jnz 00401E2A
00401D2D .FF75 0C push dword ptr
00401D30 .FF75 08 push dword ptr
00401D33 .68 6F046400 push 0064046F ;ASCII "UTRISO"
00401D38 .68 68046400 push 00640468 ;ASCII "%s%s%s"
00401D3D .8D95 A0FBFFFF lea edx, dword ptr
00401D43 .52 push edx
00401D44 .E8 CB7F2200 call 00629D14
00401D49 .83C4 14 add esp, 14
00401D4C .FF0D 40836700 dec dword ptr
00401D52 .8D8D A0FBFFFF lea ecx, dword ptr
00401D58 .51 push ecx
00401D59 .8D85 90FBFFFF lea eax, dword ptr
00401D5F .50 push eax
00401D60 .E8 3FFBFFFF call 004018A4
00401D65 .83C4 08 add esp, 8
00401D68 .33D2 xor edx, edx
00401D6A .8955 C8 mov dword ptr , edx
00401D6D .C745 DC F9100>mov dword ptr , 10F9
00401D74 .8B4D C8 mov ecx, dword ptr
00401D77 .8B45 DC mov eax, dword ptr
00401D7A .3BC8 cmp ecx, eax
00401D7C .0F8F A8000000 jg 00401E2A
00401D82 >8B55 C8 mov edx, dword ptr
00401D85 .8B4D DC mov ecx, dword ptr
00401D88 .03D1 add edx, ecx
00401D8A .D1FA sar edx, 1
00401D8C .79 03 jns short 00401D91
00401D8E .83D2 00 adc edx, 0
00401D91 >8955 D8 mov dword ptr , edx
00401D94 .6A 06 push 6
00401D96 .8D85 90FBFFFF lea eax, dword ptr
00401D9C .50 push eax
00401D9D .8B55 D8 mov edx, dword ptr
00401DA0 .03D2 add edx, edx
00401DA2 .8D1452 lea edx, dword ptr
00401DA5 .8B4D C0 mov ecx, dword ptr
00401DA8 .03D1 add edx, ecx
00401DAA .52 push edx
00401DAB .E8 F43D2200 call 00625BA4
00401DB0 .83C4 0C add esp, 0C
00401DB3 .8945 BC mov dword ptr , eax
00401DB6 .8B45 BC mov eax, dword ptr
00401DB9 .85C0 test eax, eax
00401DBB .7E 09 jle short 00401DC6
00401DBD .8B55 D8 mov edx, dword ptr
00401DC0 .4A dec edx
00401DC1 .8955 DC mov dword ptr , edx
00401DC4 .EB 56 jmp short 00401E1C
00401DC6 >8B4D BC mov ecx, dword ptr
00401DC9 .85C9 test ecx, ecx
这里可以改成xor ecx, ecx,好让下面可以跳转。
00401DCB .7D 09 jge short 00401DD6
这里一定要跳转才会经过下面的00401DFA处。也可以直接改成JMP
00401DCD .8B45 D8 mov eax, dword ptr
00401DD0 .40 inc eax
00401DD1 .8945 C8 mov dword ptr , eax
00401DD4 .EB 46 jmp short 00401E1C
00401DD6 >FF0D 40836700 dec dword ptr
00401DDC .FF0D 40836700 dec dword ptr
00401DE2 .8B55 D0 mov edx, dword ptr
00401DE5 .83C2 46 add edx, 46
00401DE8 .8915 B4E66300 mov dword ptr , edx
00401DEE .8B4D D0 mov ecx, dword ptr
00401DF1 .F7D1 not ecx
00401DF3 .A1 40836700 mov eax, dword ptr
00401DF8 .3BC8 cmp ecx, eax
这里可以改成xor eax, eax,好让下面不要跳转,跳转就完了。
00401DFA .75 2E jnz short 00401E2A
当然也可以nop掉上面这句。
00401DFC .8B15 C0806300 mov edx, dword ptr
00401E02 .8915 40836700 mov dword ptr , edx
00401E08 .8B0D C0806300 mov ecx, dword ptr
经过分析,程序只要运行到这里就可以令两个地址的值一样。
上面这几行代码是将的值分别传给EDX和ECX,并且通过EDX传给,一句话,运行了上面
,、、EDX、ECX的值就都一样了。
00401E0E .81C1 22060000 add ecx, 622
00401E14 .890D 6C646400 mov dword ptr , ecx
00401E1A .EB 0E jmp short 00401E2A
00401E1C >8B45 C8 mov eax, dword ptr
00401E1F .8B55 DC mov edx, dword ptr
00401E22 .3BC2 cmp eax, edx
00401E24 .^ 0F8E 58FFFFFF jle 00401D82
00401E2A >8D4D F0 lea ecx, dword ptr
00401E2D .51 push ecx
00401E2E .FF75 08 push dword ptr
00401E31 .E8 BAE00700 call 0047FEF0
00401E36 .83C4 08 add esp, 8
00401E39 .8B45 D0 mov eax, dword ptr
00401E3C .83C0 46 add eax, 46
00401E3F .8B15 B4E66300 mov edx, dword ptr
00401E45 .3BC2 cmp eax, edx
00401E47 .74 0B je short 00401E54
00401E49 .8B4D D0 mov ecx, dword ptr
00401E4C .F7D1 not ecx
00401E4E .890D 40836700 mov dword ptr , ecx
00401E54 >FF75 EC push dword ptr
00401E57 .FF75 F0 push dword ptr
00401E5A .E8 EDA80700 call 0047C74C
00401E5F .83C4 08 add esp, 8
00401E62 .85C0 test eax, eax
00401E64 .74 04 je short 00401E6A
00401E66 .33C0 xor eax, eax
00401E68 .EB 05 jmp short 00401E6F
00401E6A >B8 01000000 mov eax, 1
00401E6F >8BE5 mov esp, ebp
00401E71 .5D pop ebp
00401E72 .C3 retn
总共改了三处:
00471479 0F85 C4000000 jnz 00471542
处改成
00471479 0F85 B9000000 jnz 00471538
00401DC9 .85C9 test ecx, ecx
改成
00401DC9 .33C9 xor ecx, ecx
00401DF8 .3BC8 cmp ecx, eax
改成
00401DF8 .33C0 xor eax, eax
修改保存后成功运行,没有注册窗口和试用字样,小功告成。
等等,试下300M的限制去除了没有?随便找个600M的ISO文件打开,另存为,晕,革命尚未成功。
回头看看,判断注册的标志,有两个,一个是的赋值, 一个是和的赋值,其它
地方一定还有关于它们的赋值及判断。处的命令简单了点,搜索起来肯定很多,很难判断,我们
再回头看看下面这个关键语句,是用来平衡和的数值的:
00401DFC .8B15 C0806300 mov edx, dword ptr
00401E02 .8915 40836700 mov dword ptr , edx
00401E08 .8B0D C0806300 mov ecx, dword ptr
OD重新载入后,ctrl+f,查找命令,mov edx, dword ptr 或另外两句,ctrl+l继续查找,
找到几处,点击进去一看,
00443E15|.85C9 |test ecx, ecx
这里。。。
00443E17|.7D 09 |jge short 00443E22
00443E19|.8B45 D8 |mov eax, dword ptr
00443E1C|.40 |inc eax
00443E1D|.8945 C8 |mov dword ptr , eax
00443E20|.EB 46 |jmp short 00443E68
00443E22|>FF0D 40836700 |dec dword ptr
00443E28|.FF0D 40836700 |dec dword ptr
00443E2E|.8B55 D0 |mov edx, dword ptr
00443E31|.83C2 46 |add edx, 46
00443E34|.8915 00976500 |mov dword ptr , edx
00443E3A|.8B4D D0 |mov ecx, dword ptr
00443E3D|.F7D1 |not ecx
00443E3F|.A1 40836700 |mov eax, dword ptr
00443E44|.3BC8 |cmp ecx, eax
这里。。。
00443E46|.75 2E |jnz short 00443E76
00443E48|.8B15 C0806300 |mov edx, dword ptr
00443E4E|.8915 40836700 |mov dword ptr , edx
00443E54|.8B0D C0806300 |mov ecx, dword ptr
这里是不是很眼熟?还等什么,照改吧。
继续ctrl+l,又找到一处:
004AC7EE|.85C9 |test ecx, ecx
004AC7F0|.7D 09 |jge short 004AC7FB
这里。。。
004AC7F2|.8B45 D8 |mov eax, dword ptr
004AC7F5|.40 |inc eax
004AC7F6|.8945 C8 |mov dword ptr , eax
004AC7F9|.EB 46 |jmp short 004AC841
004AC7FB|>FF0D 40836700 |dec dword ptr
004AC801|.FF0D 40836700 |dec dword ptr
004AC807|.8B55 D0 |mov edx, dword ptr
004AC80A|.83C2 46 |add edx, 46
004AC80D|.8915 B86D6700 |mov dword ptr , edx
004AC813|.8B4D D0 |mov ecx, dword ptr
004AC816|.F7D1 |not ecx
004AC818|.A1 40836700 |mov eax, dword ptr
004AC81D|.3BC8 |cmp ecx, eax
这里。。。
004AC81F|.75 2E |jnz short 004AC84F
004AC821|.8B15 C0806300 |mov edx, dword ptr
004AC827|.8915 40836700 |mov dword ptr , edx
004AC82D|.8B0D C0806300 |mov ecx, dword ptr
降龙十八掌,打完收工!
这样还不行?想加上自己的签名忽悠人?在ultraiso目录里新建文本,里面按以下格式填写。
UserName="大道至简"
Registration="7878-7878-1170-9394"
再把文本重命名为uikey.ini保存,运行ultraiso即可在关于里见到自己的名字授权。想改成多用户版本
的话,再用OD载入,查找字串"License",点击进去就可以看到(ASCII "%d User License")和(ASCII
"Single User License"),怎样修改上面的跳转不用我教了吧!
唉,写个破文都要个把小时,今天才知道,码字原来是个体力活,比破解还累! 看完了,真的很强大,学习 楼主好辛苦啊,终于体会到成功喜悦。 这么难啊…我说我怎么自己搞不定,呵呵 楼主果然牛B!! 谢谢,来学习 楼主高手啊 楼主辛苦了,谢谢 LZ真是牛人啊{:298_822:} 很详细,学会了,XOR eax, eax