软件下载地址我就不贴了,自己搜索吧,我用的版本是 5.7。相信看完这篇分析,其它版本你也能很快搞定(思路相同,只是地址会变)。
软件的快捷图标指向的是 GTDWidget.exe,但该文件只有 868K,而这个程序的功能相当多,868K 不可能是主文件。同一文件夹里有个 22M 的 GTDOperator.exe,很可疑。直接运行它,程序就跑起来了,效果和运行 GTDWidget.exe 一样,所以 GTDOperator.exe 才是主文件。我们直接来分析 GTDOperator.exe。
运行程序,我们发现程序左下角有“未注册”几个字。试一下查字符串。
用 OD 载入 GTDOperator.exe,直接搜字符串,发现搜不到什么有用的信息。改为在 OD 里先让程序运行起来,打开“可执行模块”窗口,找到 GTDOperator.exe 并双击,进入它的汇编窗口后再搜字符串“未注册”。这次会搜到好几处,我们把这几处的代码拉出来比较一下:
00D0A4EF |. 8B38 mov edi,dword ptr ds:[eax]
00D0A4F1 |. FF57 60 call dword ptr ds:[edi+0x60]
00D0A4F4 |. 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
00D0A4F8 |. 74 06 je XGTDOpera.00D0A500
00D0A4FA |. 807D FE 00 cmp byte ptr ss:[ebp-0x2],0x0
00D0A4FE |. 74 2F je XGTDOpera.00D0A52F
00D0A500 |> A1 78B4D400 mov eax,dword ptr ds:[0xD4B478]
00D0A505 |. 8B00 mov eax,dword ptr ds:[eax]
00D0A507 |. 8B10 mov edx,dword ptr ds:[eax]
00D0A509 |. FF92 14010000 call dword ptr ds:[edx+0x114]
00D0A50F |. 83F8 02 cmp eax,0x2
00D0A512 |. 7C 1B jl XGTDOpera.00D0A52F
00D0A514 |. 6A 10 push 0x10
00D0A516 |. 68 5CA5D000 push GTDOpera.00D0A55C ; 提示
00D0A51B |. 68 64A5D000 push GTDOpera.00D0A564 ; 未注册版,最多只能创建2个项目,注册版无此限制
00D0A520 |. 8BC6 mov eax,esi
00C7FEFB |. FF57 5C call dword ptr ds:[edi+0x5C]
00C7FEFE |. 84C0 test al,al
00C7FF00 |. 74 3A je XGTDOpera.00C7FF3C
00C7FF02 |. 8D55 E4 lea edx,[local.7]
00C7FF05 |. 8B06 mov eax,dword ptr ds:[esi]
00C7FF07 |. 8B08 mov ecx,dword ptr ds:[eax]
00C7FF09 |. FF51 48 call dword ptr ds:[ecx+0x48]
00C7FF0C |. 8B55 E4 mov edx,[local.7]
00C7FF0F |. 8D4D FE lea ecx,dword ptr ss:[ebp-0x2]
00C7FF12 |. 8B06 mov eax,dword ptr ds:[esi]
00C7FF14 |. 8B38 mov edi,dword ptr ds:[eax]
00C7FF16 |. FF57 60 call dword ptr ds:[edi+0x60]
00C7FF19 |. 84C0 test al,al
00C7FF1B |. 75 1F jnz XGTDOpera.00C7FF3C
00C7FF1D |. BA B8FFC700 mov edx,GTDOpera.00C7FFB8 ; 已注册
00C7FF22 |. 8B83 A8030000 mov eax,dword ptr ds:[ebx+0x3A8]
00C7FF28 |. E8 3F407FFF call GTDOpera.00473F6C
00C7FF2D |. 33D2 xor edx,edx
00C7FF2F |. 8B83 8C030000 mov eax,dword ptr ds:[ebx+0x38C]
00C7FF35 |. 8B08 mov ecx,dword ptr ds:[eax]
00C7FF37 |. FF51 68 call dword ptr ds:[ecx+0x68]
00C7FF3A |. EB 48 jmp XGTDOpera.00C7FF84
00C7FF3C |> 8B06 mov eax,dword ptr ds:[esi]
00C7FF3E |. 8B10 mov edx,dword ptr ds:[eax]
00C7FF40 |. FF52 70 call dword ptr ds:[edx+0x70]
00C7FF43 |. 83F8 64 cmp eax,0x64
00C7FF46 |. 7C 1F jl XGTDOpera.00C7FF67
00C7FF48 |. BA C8FFC700 mov edx,GTDOpera.00C7FFC8 ; 注册码已经失效
00C7FF4D |. 8B83 A8030000 mov eax,dword ptr ds:[ebx+0x3A8]
00C7FF53 |. E8 14407FFF call GTDOpera.00473F6C
00C7FF58 |. B2 01 mov dl,0x1
00C7FF5A |. 8B83 8C030000 mov eax,dword ptr ds:[ebx+0x38C]
00C7FF60 |. 8B08 mov ecx,dword ptr ds:[eax]
00C7FF62 |. FF51 68 call dword ptr ds:[ecx+0x68]
00C7FF65 |. EB 1D jmp XGTDOpera.00C7FF84
00C7FF67 |> BA E0FFC700 mov edx,GTDOpera.00C7FFE0 ; 未注册
00C7FF6C |. 8B83 A8030000 mov eax,dword ptr ds:[ebx+0x3A8]
00C7FF72 |. E8 F53F7FFF call GTDOpera.00473F6C
00C7FF77 |. B2 01 mov dl,0x1
00CE4C36 |. 8D4D FE lea ecx,dword ptr ss:[ebp-0x2]
00CE4C39 |. A1 78B4D400 mov eax,dword ptr ds:[0xD4B478]
00CE4C3E |. 8B00 mov eax,dword ptr ds:[eax]
00CE4C40 |. 8B30 mov esi,dword ptr ds:[eax]
00CE4C42 |. FF56 60 call dword ptr ds:[esi+0x60]
00CE4C45 |. 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
00CE4C49 |. 74 06 je XGTDOpera.00CE4C51
00CE4C4B |. 807D FE 00 cmp byte ptr ss:[ebp-0x2],0x0
00CE4C4F |. 74 1B je XGTDOpera.00CE4C6C
00CE4C51 |> 6A 40 push 0x40
00CE4C53 |. 68 BC4CCE00 push GTDOpera.00CE4CBC ; 提示
00CE4C58 |. 68 C44CCE00 push GTDOpera.00CE4CC4 ; 未注册版不能同步数据,注册之后无此限制
00CE4C5D |. 8BC3 mov eax,ebx
00CE4C5F |. E8 4C7479FF call GTDOpera.0047C0B0
00CE4C64 |. 50 push eax ; |hOwner
00CE4C65 |. E8 664C72FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00CE4C6A |. EB 25 jmp XGTDOpera.00CE4C91
00CE4C6C |> 8BC3 mov eax,ebx
00CE4C6E |. E8 3D7479FF call GTDOpera.0047C0B0
00CE6D65 |. 8B30 mov esi,dword ptr ds:[eax]
00CE6D67 |. FF56 60 call dword ptr ds:[esi+0x60]
00CE6D6A |. 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
00CE6D6E |. 74 06 je XGTDOpera.00CE6D76
00CE6D70 |. 807D FE 00 cmp byte ptr ss:[ebp-0x2],0x0
00CE6D74 |. 74 1F je XGTDOpera.00CE6D95
00CE6D76 |> 8B83 58080000 mov eax,dword ptr ds:[ebx+0x858]
00CE6D7C |. 8B80 08030000 mov eax,dword ptr ds:[eax+0x308]
00CE6D82 |. 33D2 xor edx,edx
00CE6D84 |. E8 3365A8FF call GTDOpera.0076D2BC
00CE6D89 |. BA E46DCE00 mov edx,GTDOpera.00CE6DE4 ; 已注册
00CE6D8E |. E8 3D64A8FF call GTDOpera.0076D1D0
00CE6D93 |. EB 1D jmp XGTDOpera.00CE6DB2
00CE6D95 |> 8B83 58080000 mov eax,dword ptr ds:[ebx+0x858]
00CE6D9B |. 8B80 08030000 mov eax,dword ptr ds:[eax+0x308]
00CE6DA1 |. 33D2 xor edx,edx
00CE6DA3 |. E8 1465A8FF call GTDOpera.0076D2BC
00CE6DA8 |. BA F46DCE00 mov edx,GTDOpera.00CE6DF4 ; 未注册
第一种方法是“狂轰乱炸”:把所有出现“未注册”字符串处的条件跳转全部改成 JMP,我以前就是这么干的。这种做法改动分散,漏掉一处就会露馅。
第二种方法是找到关键 CALL,直接改关键 CALL 里的返回值。
下面说一下第二种方法。
综合考虑上面搜到字符串的地方,大致有两类,
一种是如
00D0A4F4 |. 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
00D0A4F8 |. 74 06 je XGTDOpera.00D0A500
00D0A4FA |. 807D FE 00 cmp byte ptr ss:[ebp-0x2],0x0
00D0A4FE |. 74 2F je XGTDOpera.00D0A52F
比较 [ebp-1]、[ebp-2] 两个字节标志,然后由两个条件跳转决定,要改就得改两处跳转;
另一种是
00C7FEFB |. FF57 5C call dword ptr ds:[edi+0x5C]
00C7FEFE |. 84C0 test al,al
00C7FF00 |. 74 3A je XGTDOpera.00C7FF3C
00C7FF02 |. 8D55 E4 lea edx,[local.7]
00C7FF05 |. 8B06 mov eax,dword ptr ds:[esi]
00C7FF07 |. 8B08 mov ecx,dword ptr ds:[eax]
00C7FF09 |. FF51 48 call dword ptr ds:[ecx+0x48]
00C7FF0C |. 8B55 E4 mov edx,[local.7]
00C7FF0F |. 8D4D FE lea ecx,dword ptr ss:[ebp-0x2]
00C7FF12 |. 8B06 mov eax,dword ptr ds:[esi]
00C7FF14 |. 8B38 mov edi,dword ptr ds:[eax]
00C7FF16 |. FF57 60 call dword ptr ds:[edi+0x60]
00C7FF19 |. 84C0 test al,al
00C7FF1B |. 75 1F jnz XGTDOpera.00C7FF3C
00C7FF1D |. BA B8FFC700 mov edx,GTDOpera.00C7FFB8 ; 已注册
00C7FF22 |. 8B83 A8030000 mov eax,dword ptr ds:[ebx+0x3A8]
00C7FF28 |. E8 3F407FFF call GTDOpera.00473F6C
00C7FF2D |. 33D2 xor edx,edx
00C7FF2F |. 8B83 8C030000 mov eax,dword ptr ds:[ebx+0x38C]
00C7FF35 |. 8B08 mov ecx,dword ptr ds:[eax]
00C7FF37 |. FF51 68 call dword ptr ds:[ecx+0x68]
00C7FF3A |. EB 48 jmp XGTDOpera.00C7FF84
00C7FF3C |> 8B06 mov eax,dword ptr ds:[esi]
00C7FF3E |. 8B10 mov edx,dword ptr ds:[eax]
00C7FF40 |. FF52 70 call dword ptr ds:[edx+0x70]
00C7FF43 |. 83F8 64 cmp eax,0x64
00C7FF46 |. 7C 1F jl XGTDOpera.00C7FF67
00C7FF48 |. BA C8FFC700 mov edx,GTDOpera.00C7FFC8 ; 注册码已经失效
第一种(比较两个字节标志)跟进去比较麻烦:我跟过,发现有两个 CALL 分别改变这两个值,而且把这两个 CALL 都改了之后也没成功。
第二种是两个 CALL 后面各接一个关键跳。
我就直接在包含这两个 CALL 的那段代码开头 00C7FE58 处下断。这附近有“注册码已经失效”、“已注册”、“未注册”等字符串,看起来是注册功能窗口对应的代码,点“注册”就直接断下来了。
断在00C7FE58后,单步到
00C7FED6 |. 8B38 mov edi,dword ptr ds:[eax]
00C7FED8 |. FF57 60 call dword ptr ds:[edi+0x60]
00C7FEDB |. 807D FF 00 cmp byte ptr ss:[ebp-0x1],0x0
00C7FEDF |. 74 5B je XGTDOpera.00C7FF3C
00C7FEE1 |. 807D FE 00 cmp byte ptr ss:[ebp-0x2],0x0
00C7FEE5 |. 75 55 jnz XGTDOpera.00C7FF3C
00C7FEE7 |. 8D55 E8 lea edx,[local.6]
发现这里直接跳到了 00C7FF3C,既跳过了“已注册”分支,也跳过了后面的两个关键 CALL。我们先手动改一下标志位让它不跳(在未注册、未破解的状态下,这里本来可能就不跳),
然后跟进 00C7FF16 |. FF57 60 call dword ptr ds:[edi+0x60]
0067F795 . 05 6CFFFFFF add eax,-0x94
0067F79A . E9 F14E0000 jmp GTDOpera.00684690
00684690 /> \55 push ebp
00684691 |. 8BEC mov ebp,esp
00684693 |. 51 push ecx
00684694 |. B9 05000000 mov ecx,0x5
00684699 |> 6A 00 /push 0x0
0068469B |. 6A 00 |push 0x0
0068469D |. 49 |dec ecx
0068469E |.^ 75 F9 \jnz XGTDOpera.00684699
006846A0 |. 51 push ecx
006846A1 |. 874D FC xchg [local.1],ecx
006846A4 |. 53 push ebx
006846A5 |. 56 push esi
006846A6 |. 57 push edi
006846A7 |. 894D EC mov [local.5],ecx
006846AA |. 8955 FC mov [local.1],edx
006846AD |. 8BF0 mov esi,eax
006846AF |. 8B45 FC mov eax,[local.1]
006846B2 |. E8 7D16D8FF call GTDOpera.00405D34
006846B7 |. 33C0 xor eax,eax
006846B9 |. 55 push ebp
006846BA |. 68 42486800 push GTDOpera.00684842
006846BF |. 64:FF30 push dword ptr fs:[eax]
006846C2 |. 64:8920 mov dword ptr fs:[eax],esp
006846C5 |. 8B45 EC mov eax,[local.5]
006846C8 |. C600 00 mov byte ptr ds:[eax],0x0
006846CB |. 33DB xor ebx,ebx
006846CD |. E8 6EC1F8FF call GTDOpera.00610840
006846D2 |. 8D55 F8 lea edx,[local.2]
006846D5 |. 8BC6 mov eax,esi
006846D7 |. E8 FCFAFFFF call GTDOpera.006841D8
006846DC |. 8B55 F8 mov edx,[local.2]
006846DF |. 8BC2 mov eax,edx
006846E1 |. 85C0 test eax,eax
006846E3 |. 74 05 je XGTDOpera.006846EA
006846E5 |. 83E8 04 sub eax,0x4
006846E8 |. 8B00 mov eax,dword ptr ds:[eax]
006846EA |> 83F8 03 cmp eax,0x3
006846ED |. 7E 31 jle XGTDOpera.00684720
006846EF |. 8BFA mov edi,edx
006846F1 |. 85FF test edi,edi
006846F3 |. 74 05 je XGTDOpera.006846FA
006846F5 |. 83EF 04 sub edi,0x4
006846F8 |. 8B3F mov edi,dword ptr ds:[edi]
006846FA |> 8D45 DC lea eax,[local.9]
006846FD |. 50 push eax
006846FE |. 8BD7 mov edx,edi
00684700 |. 83EA 03 sub edx,0x3
00684703 |. 42 inc edx
00684704 |. B9 03000000 mov ecx,0x3
00684709 |. 8B45 F8 mov eax,[local.2]
0068470C |. E8 9B16D8FF call GTDOpera.00405DAC
00684711 |. 8B45 DC mov eax,[local.9]
00684714 |. BA 5C486800 mov edx,GTDOpera.0068485C ; -V1
00684719 |. E8 F272D8FF call GTDOpera.0040BA10
0068471E |. EB 02 jmp XGTDOpera.00684722
00684720 |> 33C0 xor eax,eax
00684722 |> 84C0 test al,al
00684724 |. 74 31 je XGTDOpera.00684757
00684726 |. 8B4D EC mov ecx,[local.5]
00684729 |. 8B55 FC mov edx,[local.1]
0068472C |. 8B45 F8 mov eax,[local.2]
0068472F |. E8 E8ADFFFF call GTDOpera.0067F51C
00684734 |. 8BD8 mov ebx,eax
00684736 |. 84DB test bl,bl
00684738 |. 74 10 je XGTDOpera.0068474A
0068473A |. 8BC6 mov eax,esi
0068473C |. E8 2B0B0300 call GTDOpera.006B526C
00684741 |. 83F8 64 cmp eax,0x64
00684744 |. 0F8E CB000000 jle GTDOpera.00684815
0068474A |> 33DB xor ebx,ebx
0068474C |. 8B45 EC mov eax,[local.5]
0068474F |. C600 00 mov byte ptr ds:[eax],0x0
00684752 |. E9 BE000000 jmp GTDOpera.00684815
00684757 |> 68 68486800 push GTDOpera.00684868 ; --
0068475C |. 8B45 F8 mov eax,[local.2]
0068475F |. 50 push eax
00684760 |. 8D45 F0 lea eax,[local.4]
00684763 |. 50 push eax
00684764 |. E8 478EF8FF call GTDOpera.0060D5B0
00684769 |. 68 68486800 push GTDOpera.00684868 ; --
0068476E |. 8B45 F8 mov eax,[local.2]
00684771 |. 50 push eax
00684772 |. 8D45 D8 lea eax,[local.10]
00684775 |. 50 push eax
00684776 |. E8 A98DF8FF call GTDOpera.0060D524
0068477B |. 8B55 D8 mov edx,[local.10]
0068477E |. 8D45 F8 lea eax,[local.2]
00684781 |. E8 B611D8FF call GTDOpera.0040593C
00684786 |. 8D45 F4 lea eax,[local.3]
00684789 |. 8B55 FC mov edx,[local.1]
0068478C |. E8 AB11D8FF call GTDOpera.0040593C
00684791 |. 8D55 D4 lea edx,[local.11]
00684794 |. 8B45 F4 mov eax,[local.3]
00684797 |. E8 3CC0FEFF call GTDOpera.006707D8
0068479C |. 8B55 D4 mov edx,[local.11]
0068479F |. 8D45 F4 lea eax,[local.3]
006847A2 |. E8 9511D8FF call GTDOpera.0040593C
006847A7 |. 68 68486800 push GTDOpera.00684868 ; --
006847AC |. 8B45 F4 mov eax,[local.3]
006847AF |. 50 push eax
006847B0 |. 8D45 D0 lea eax,[local.12]
006847B3 |. 50 push eax
006847B4 |. E8 6B8DF8FF call GTDOpera.0060D524
006847B9 |. 8B55 D0 mov edx,[local.12]
006847BC |. 8D45 F4 lea eax,[local.3]
006847BF |. E8 7811D8FF call GTDOpera.0040593C
006847C4 |. 8B45 F0 mov eax,[local.4]
006847C7 |. 50 push eax
006847C8 |. E8 438FF8FF call GTDOpera.0060D710
006847CD |. 84C0 test al,al
006847CF |. 75 21 jnz XGTDOpera.006847F2
006847D1 |. 6A 00 push 0x0
006847D3 |. 6A 00 push 0x0
006847D5 |. 6A 00 push 0x0
006847D7 |. 8B45 F0 mov eax,[local.4]
006847DA |. E8 5DAFD8FF call GTDOpera.0040F73C
006847DF |. DD5D E0 fstp qword ptr ss:[ebp-0x20]
006847E2 |. 9B wait
006847E3 |. DD45 E0 fld qword ptr ss:[ebp-0x20]
006847E6 |. D81D 6C486800 fcomp dword ptr ds:[0x68486C]
006847EC |. 9B wait
006847ED |. DFE0 fstsw ax
006847EF |. 9E sahf
006847F0 |. 77 28 ja XGTDOpera.0068481A
006847F2 |> 8B55 F4 mov edx,[local.3]
006847F5 |. 8B45 F8 mov eax,[local.2]
006847F8 |. E8 1372D8FF call GTDOpera.0040BA10
006847FD |. 84C0 test al,al
006847FF |. 74 14 je XGTDOpera.00684815
00684801 |. 8BC6 mov eax,esi
00684803 |. E8 640A0300 call GTDOpera.006B526C
00684808 |. 83F8 64 cmp eax,0x64
0068480B |. 7F 08 jg XGTDOpera.00684815
0068480D |. 8B45 EC mov eax,[local.5]
00684810 |. C600 01 mov byte ptr ds:[eax],0x1
00684813 |. B3 01 mov bl,0x1
00684815 |> E8 26C0F8FF call GTDOpera.00610840
0068481A |> 33C0 xor eax,eax
0068481C |. 5A pop edx
0068481D |. 59 pop ecx
0068481E |. 59 pop ecx
0068481F |. 64:8910 mov dword ptr fs:[eax],edx
00684822 |. 68 49486800 push GTDOpera.00684849
00684827 |> 8D45 D0 lea eax,[local.12]
0068482A |. BA 04000000 mov edx,0x4
0068482F |. E8 9410D8FF call GTDOpera.004058C8
00684834 |. 8D45 F0 lea eax,[local.4]
00684837 |. BA 04000000 mov edx,0x4
0068483C |. E8 8710D8FF call GTDOpera.004058C8
00684841 \. C3 retn
00684842 .^ E9 ED07D8FF jmp GTDOpera.00405034
00684847 .^ EB DE jmp XGTDOpera.00684827
00684849 . 8BC3 mov eax,ebx
0068484B . 5F pop edi
0068484C . 5E pop esi
0068484D . 5B pop ebx
0068484E . 8BE5 mov esp,ebp
00684850 . 5D pop ebp
00684851 . C3 retn
我们要让这个函数的返回值(EAX)不为 0。看 00684849 处的 mov eax,ebx,也就是要让 EBX 不为 0;而在这个函数里 EBX 只在 00684734(“-V1”分支,取 0067F51C 的返回值)和 00684813(mov bl,0x1)两处被赋非零值。经单步跟踪分析,只要在下面两处改跳转(一处改成 JMP,一处 NOP 掉)就可以了:
00684720 |> 33C0 XOR EAX,EAX
00684722 |> 84C0 TEST AL,AL
00684724 EB 31 JMP SHORT 00684757 修改的地方(原为 74 31 JE SHORT 00684757)
00684726 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
006847F5 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
006847F8 |. E8 1372D8FF CALL 0040BA10
006847FD |. 84C0 TEST AL,AL
006847FF 90 NOP 修改的地方(原为 74 14 JE SHORT 00684815,指令占两个字节,所以用两个 NOP)
00684800 90 NOP
改了之后,后面的
00C7FF16 |. FF57 60 call dword ptr ds:[edi+0x60]
00C7FF19 |. 84C0 test al,al
00C7FF1B |. 75 1F jnz XGTDOpera.00C7FF3C
也没有跳。
保存后运行一下,成功搞定,说明关键 CALL 找对了。补充两点:一是 0068480B 处的 cmp eax,0x64 / jg 00684815 没有改,看起来和前面 00C7FF43 处对应“注册码已经失效”的那个 0x64 比较是同一类检查,一旦 006B526C 的返回值超过 0x64,这个补丁仍会落到失败分支;二是从防护角度看,这里的注册状态只是客户端自己算出来、靠两个条件跳转决定的一个字节标志,改两处字节就能绕过,真正需要防盗版的软件不能只依赖这种本地判断。