东海浪子
发表于 2016-5-20 22:24
本帖最后由 东海浪子 于 2016-5-20 22:36 编辑
【破文标题】Registry Finder去除30天试用限制爆破分析
【破文作者】东海浪子
【作者邮箱】
【作者主页】
【破解工具】OD
【破解平台】虚拟机WINXP SP3
【软件名称】Acelogix Software 注册表搜索器
【软件大小】
【原版下载】 http://www.acelogix.com/regfinder.html
【软件说明】Registry Finder是一款方便实用的注册表搜索工具,功能强大,可以在注册表中快速查找指定内容,搜索位置包括整个注册表,也可以是指定键值。
【阅读对象】爱好破解的初学者。有错误不足之处恳请大牛大神们多多指正
【破解声明】本文仅做研究所用,供破解技术爱好者学习研究讨论。如喜欢该软件,建议购买正版。
------------------------------------------------------------------------
【破解过程】
1、安装好Acelogix Software,用PEiD查了一下:Unknown,VC8 -> Microsoft Corporation [Overlay] *。不知有没有壳,就直接用OD载入调试。
2、OD载入运行后,试注册,有错误弹窗“Invalid Key!\nPlease try again. Contact Acelogix Software Support if needed.”,可以通过字符串搜索或F12暂停堆栈法,很容易找到注册段代码。来到这里:
00451690 /$ 81EC 78060000 sub esp,0x678 ; 注册入口
00451696 |. A1 B8734600 mov eax,dword ptr ds:[0x4673B8]
0045169B |. 33C4 xor eax,esp
0045169D |. 898424 740600>mov dword ptr ss:[esp+0x674],eax
004516A4 |. 53 push ebx
004516A5 |. 55 push ebp
004516A6 |. 56 push esi
004516A7 |. 8B35 88A54500 mov esi,dword ptr ds:[<&USER32.GetDlgIte>; user32.GetDlgItemTextA
004516AD |. 57 push edi
004516AE |. 68 04010000 push 0x104 ; /Count = 104 (260.)
004516B3 |. 8D8424 7C0300>lea eax,dword ptr ss:[esp+0x37C] ; |
004516BA |. 8BF9 mov edi,ecx ; |
004516BC |. 8B4F 04 mov ecx,dword ptr ds:[edi+0x4] ; |
004516BF |. 50 push eax ; |Buffer = NULL
004516C0 |. 68 03040000 push 0x403 ; |ControlID = 403 (1027.)
004516C5 |. 51 push ecx ; |hWnd = 0012FFB0
004516C6 |. 897C24 20 mov dword ptr ss:[esp+0x20],edi ; |
004516CA |. FFD6 call esi ; \GetDlgItemTextA
004516CC |. 85C0 test eax,eax
004516CE |. 0F84 F1010000 je regfind.004518C5
004516D4 |. 8B47 04 mov eax,dword ptr ds:[edi+0x4]
004516D7 |. 68 04010000 push 0x104 ; /Count = 104 (260.)
004516DC |. 8D5424 70 lea edx,dword ptr ss:[esp+0x70] ; |
004516E0 |. 52 push edx ; |Buffer = ntdll.KiFastSystemCallRet
004516E1 |. 68 12040000 push 0x412 ; |ControlID = 412 (1042.)
004516E6 |. 50 push eax ; |hWnd = NULL
004516E7 |. FFD6 call esi ; \GetDlgItemTextA
004516E9 |. 85C0 test eax,eax
004516EB |. 0F84 D4010000 je regfind.004518C5
004516F1 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
004516F5 |. 8D47 20 lea eax,dword ptr ds:[edi+0x20]
004516F8 |. 51 push ecx
004516F9 |. 50 push eax
004516FA |. C700 00000000 mov dword ptr ds:[eax],0x0
00451700 |. E8 8BFEFFFF call regfind.00451590 ; 关键call
00451705 |. 8BE8 mov ebp,eax
00451707 |. 83C4 08 add esp,0x8
0045170A |. 85ED test ebp,ebp
0045170C |. 0F84 65010000 je regfind.00451877 ; 跳向常量地址ds:[0012EB84]验证的地方
00451712 |. 8D45 08 lea eax,[arg.1] ; 注册名入eax
00451715 |. 8D9424 780300>lea edx,dword ptr ss:[esp+0x378] ; 注册名入edx
0045171C |. C785 20030000>mov dword ptr ss:[ebp+0x320],0x1
00451726 |. BE 04010000 mov esi,0x104
0045172B |. 2BD0 sub edx,eax
0045172D |. 8D49 00 lea ecx,dword ptr ds:[ecx]
00451730 |> 8D8E FAFEFF7F /lea ecx,dword ptr ds:[esi+0x7FFFFEFA] ; esi+7ffffefa入ecx
00451736 |. 85C9 |test ecx,ecx
00451738 |. 74 11 |je short regfind.0045174B
0045173A |. 8A0C02 |mov cl,byte ptr ds:[edx+eax] ; 取注册名每个字母的ASCII码
0045173D |. 84C9 |test cl,cl
0045173F |. 74 0A |je short regfind.0045174B ; 循环取完ascii码后跳走
00451741 |. 8808 |mov byte ptr ds:[eax],cl ; 把ascii码放入eax地址
00451743 |. 40 |inc eax ; eax累加
00451744 |. 83EE 01 |sub esi,0x1 ; esi-1
00451747 |.^ 75 E7 \jnz short regfind.00451730 ; 向上循环
00451749 |. EB 04 jmp short regfind.0045174F
0045174B |> 85F6 test esi,esi
0045174D |. 75 01 jnz short regfind.00451750
0045174F |> 48 dec eax
00451750 |> C600 00 mov byte ptr ds:[eax],0x0
00451753 |. 8D85 1C020000 lea eax,dword ptr ss:[ebp+0x21C] ; 注册码入eax
00451759 |. 8D5424 6C lea edx,dword ptr ss:[esp+0x6C] ; 注册码入edx
0045175D |. BE 04010000 mov esi,0x104
00451762 |. 2BD0 sub edx,eax
00451764 |> 8D8E FAFEFF7F /lea ecx,dword ptr ds:[esi+0x7FFFFEFA] ; esi+7ffffefa入ecx
0045176A |. 85C9 |test ecx,ecx
0045176C |. 74 11 |je short regfind.0045177F
0045176E |. 8A0C02 |mov cl,byte ptr ds:[edx+eax] ; 取注册码的ascii码入cl
00451771 |. 84C9 |test cl,cl
00451773 |. 74 0A |je short regfind.0045177F ; 循环取完ascii码后跳走
00451775 |. 8808 |mov byte ptr ds:[eax],cl
00451777 |. 40 |inc eax ; eax累加
00451778 |. 83EE 01 |sub esi,0x1 ; esi-1
0045177B |.^ 75 E7 \jnz short regfind.00451764 ; 向上循环
0045177D |. EB 04 jmp short regfind.00451783
0045177F |> 85F6 test esi,esi
00451781 |. 75 01 jnz short regfind.00451784
00451783 |> 48 dec eax
00451784 |> C600 00 mov byte ptr ds:[eax],0x0
00451787 |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
0045178B |. 99 cdq
0045178C |. 52 push edx ; ntdll.KiFastSystemCallRet
0045178D |. 50 push eax
0045178E |. 68 D4CC4500 push regfind.0045CCD4 ; %I64d
……不搞算法……省略一部分代码……
00451854 |. 8BF5 mov esi,ebp
00451856 |. 83C7 20 add edi,0x20
00451859 |. 50 push eax
0045185A |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0045185C |. FFD3 call ebx
0045185E |. 8B4C24 1C mov ecx,dword ptr ss:[esp+0x1C]
00451862 |. 51 push ecx
00451863 |. FFD3 call ebx
00451865 |> 8B7C24 10 mov edi,dword ptr ss:[esp+0x10]
00451869 |> 55 push ebp ; /BaseAddress = 0012FFF0
0045186A |. FF15 D4A24500 call dword ptr ds:[<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
00451870 |. 8B5424 14 mov edx,dword ptr ss:[esp+0x14]
00451874 |. 52 push edx ; ntdll.KiFastSystemCallRet
00451875 |. FFD3 call ebx
00451877 837F 20 00 cmp dword ptr ds:[edi+0x20],0x0 ; 常量地址ds:[0012EB84]和0比较
0045187B 74 2E je short regfind.004518AB ; 相等,跳走就失败
0045187D |. 6A 40 push 0x40
0045187F |. 51 push ecx
00451880 |. 8BC4 mov eax,esp
00451882 |. C700 14CC4500 mov dword ptr ds:[eax],regfind.0045CC14 ; Registry Finder
00451888 |. 51 push ecx
00451889 |. 8BC4 mov eax,esp
0045188B |. C700 00CD4500 mov dword ptr ds:[eax],regfind.0045CD00 ; Thank You. Key successfully installed.\n\nPlease restart the program注册成功
00451891 |. 8B47 04 mov eax,dword ptr ds:[edi+0x4]
00451894 |. 50 push eax
00451895 |. E8 460CFBFF call regfind.004024E0
0045189A |. 8B4F 04 mov ecx,dword ptr ds:[edi+0x4]
0045189D |. 83C4 10 add esp,0x10
004518A0 |. 6A 01 push 0x1 ; /Result = 0x1
004518A2 |. 51 push ecx ; |hWnd = 0012FFB0
004518A3 |. FF15 90A54500 call dword ptr ds:[<&USER32.EndDialog>] ; \EndDialog
004518A9 |. EB 3A jmp short regfind.004518E5
004518AB |> 6A 10 push 0x10
004518AD |. 51 push ecx
004518AE |. 8BC4 mov eax,esp
004518B0 |. C700 14CC4500 mov dword ptr ds:[eax],regfind.0045CC14 ; Registry Finder
004518B6 |. 51 push ecx
004518B7 |. 8BC4 mov eax,esp
004518B9 |. C700 88CD4500 mov dword ptr ds:[eax],regfind.0045CD88 ; Invalid Key!\nPlease try again. Contact Acelogix Software Support if needed.注册失败
004518BF |. 8B57 04 mov edx,dword ptr ds:[edi+0x4]
004518C2 |. 52 push edx ; ntdll.KiFastSystemCallRet
004518C3 |. EB 18 jmp short regfind.004518DD
004518C5 |> 6A 40 push 0x40
004518C7 |. 51 push ecx
004518C8 |. 8BC4 mov eax,esp
我们从注册成功的字符串往上逆反,从 0045187B /74 2E je short regfind.004518AB 向上,跟着箭头可以找到关键call:
00451700 |. E8 8BFEFFFF call regfind.00451590
我们进这个call。
00451590 /$ 83EC 0C sub esp,0xC
00451593 |. 53 push ebx
00451594 |. 56 push esi
00451595 |. 33F6 xor esi,esi
00451597 |. 56 push esi ; /MapName = 0012B880 ???
00451598 |. 68 24030000 push 0x324 ; |MaximumSizeLow = 0x324
0045159D |. 56 push esi ; |MaximumSizeHigh = 0x12B880
0045159E |. 6A 04 push 0x4 ; |Protection = PAGE_READWRITE
004515A0 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18] ; |
004515A4 |. 50 push eax ; |pSecurity = NULL
004515A5 |. 6A FF push -0x1 ; |hFile = FFFFFFFF
004515A7 |. C74424 20 0C0>mov dword ptr ss:[esp+0x20],0xC ; |
004515AF |. 897424 24 mov dword ptr ss:[esp+0x24],esi ; |
004515B3 |. C74424 28 010>mov dword ptr ss:[esp+0x28],0x1 ; |
004515BB |. FF15 F0A24500 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileMappingW
004515C1 |. 8BD8 mov ebx,eax
004515C3 3BDE cmp ebx,esi
004515C5 74 47 je short regfind.0045160E
004515C7 |. 55 push ebp
004515C8 |. 56 push esi ; /MapSize = 12B880 (1226880.)
004515C9 |. 56 push esi ; |OffsetLow = 0x12B880
004515CA |. 56 push esi ; |OffsetHigh = 0x12B880
004515CB |. 6A 02 push 0x2 ; |AccessMode = FILE_MAP_WRITE
004515CD |. 53 push ebx ; |hMapObject = 7FFDC000
004515CE |. FF15 E8A24500 call dword ptr ds:[<&KERNEL32.MapViewOfF>; \MapViewOfFile
004515D4 |. 8BE8 mov ebp,eax
004515D6 |. 3BEE cmp ebp,esi
004515D8 75 18 jnz short regfind.004515F2
004515DA |. 53 push ebx ; /hObject = 7FFDC000
004515DB |. FF15 E4A24500 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
004515E1 |. 8B4C24 20 mov ecx,dword ptr ss:[esp+0x20] ; kernel32.7C839AC0
004515E5 |. 33C0 xor eax,eax
004515E7 |. 8901 mov dword ptr ds:[ecx],eax
004515E9 |. 8BC5 mov eax,ebp
004515EB |. 5D pop ebp ; kernel32.7C817067
004515EC |. 5E pop esi ; kernel32.7C817067
004515ED |. 5B pop ebx ; kernel32.7C817067
004515EE |. 83C4 0C add esp,0xC
004515F1 |. C3 retn
004515F2 |> 8B7424 1C mov esi,dword ptr ss:[esp+0x1C]
004515F6 |. 8B5424 20 mov edx,dword ptr ss:[esp+0x20] ; kernel32.7C839AC0
004515FA |. 57 push edi
004515FB |. 8BFD mov edi,ebp
004515FD |. B9 C9000000 mov ecx,0xC9
00451602 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00451604 |. 5F pop edi ; kernel32.7C817067
00451605 |. 5D pop ebp ; kernel32.7C817067
00451606 |. 5E pop esi ; kernel32.7C817067
00451607 |. 891A mov dword ptr ds:[edx],ebx
00451609 |. 5B pop ebx ; kernel32.7C817067
0045160A |. 83C4 0C add esp,0xC
0045160D |. C3 retn
0045160E |> 8B4424 1C mov eax,dword ptr ss:[esp+0x1C]
00451612 |. 8918 mov dword ptr ds:[eax],ebx
00451614 8BC6 mov eax,esi
00451616 |. 5E pop esi ; kernel32.7C817067
00451617 |. 5B pop ebx ; kernel32.7C817067
00451618 |. 83C4 0C add esp,0xC
0045161B \. C3 retn
0045161C CC int3
0045161D CC int3
0045161E CC int3
0045161F CC int3
esp=0012FFC4
本地调用来自 00403477, 00451700
这个软件是注册成功后重启验证的,那么我们估计这个call的两处调用中,一处来自刚才的00451700注册call,另一处00403477则是软件启动时的验证call。我们转到00403477,在段首00403440下断,重启软件,在这里暂停。
00403440 /$ 55 push ebp
00403441 |. 8BEC mov ebp,esp
00403443 |. 83E4 F8 and esp,-0x8
00403446 |. 81EC 84040000 sub esp,0x484
0040344C |. A1 B8734600 mov eax,dword ptr ds:[0x4673B8]
00403451 |. 33C4 xor eax,esp
00403453 |. 898424 800400>mov dword ptr ss:[esp+0x480],eax
0040345A |. 8B45 08 mov eax,[arg.1] ; regfind.<ModuleEntryPoint>
0040345D |. 53 push ebx
0040345E |. 56 push esi
0040345F |. 57 push edi
00403460 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
00403464 |. 894424 14 mov dword ptr ss:[esp+0x14],eax
00403468 |. 83C0 14 add eax,0x14
0040346B |. 51 push ecx
0040346C |. 33FF xor edi,edi
0040346E |. 50 push eax
0040346F |. 897C24 18 mov dword ptr ss:[esp+0x18],edi
00403473 |. 894424 24 mov dword ptr ss:[esp+0x24],eax
00403477 |. E8 14E10400 call regfind.00451590 ; 关键call
0040347C |. 8BF0 mov esi,eax
0040347E |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
00403482 |. 99 cdq
00403483 |. 52 push edx ; ntdll.KiFastSystemCallRet
00403484 |. 50 push eax
00403485 |. 68 D4CC4500 push regfind.0045CCD4 ; %I64d
0040348A |. B9 04010000 mov ecx,0x104
0040348F |. 8D9C24 940200>lea ebx,dword ptr ss:[esp+0x294]
00403496 |. 897424 2C mov dword ptr ss:[esp+0x2C],esi
0040349A |. C786 18020000>mov dword ptr ds:[esi+0x218],0x1
004034A4 |. 89BE 20030000 mov dword ptr ds:[esi+0x320],edi
004034AA |. E8 A1EFFFFF call regfind.00402450
004034AF |. 8B1D E4A24500 mov ebx,dword ptr ds:[<&KERNEL32.CloseHa>; kernel32.CloseHandle
004034B5 |. 83C4 14 add esp,0x14
004034B8 |. 85C0 test eax,eax
004034BA 0F8C BF000000 jl regfind.0040357F
004034C0 |. A1 34A84600 mov eax,dword ptr ds:[0x46A834]
004034C5 |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
004034CA |. 8D5424 7C lea edx,dword ptr ss:[esp+0x7C] ; |
004034CE |. 52 push edx ; |PathBuffer = ntdll.KiFastSystemCallRet
004034CF |. 50 push eax ; |hModule = NULL
004034D0 |. FF15 E0A24500 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameW
004034D6 |. 8D4C24 78 lea ecx,dword ptr ss:[esp+0x78]
004034DA |. E8 11B20400 call regfind.0044E6F0
004034DF |. 85C0 test eax,eax
004034E1 0F84 98000000 je regfind.0040357F
004034E7 |. 8D4C24 78 lea ecx,dword ptr ss:[esp+0x78]
004034EB |. 6A 5C push 0x5C
004034ED |. 51 push ecx
004034EE |. E8 BBC00200 call regfind.0042F5AE
004034F3 |. 83C4 08 add esp,0x8
004034F6 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
004034F8 |. 68 E0CC4500 push regfind.0045CCE0 ; \rf_hlpr.exe
我们看到00403477关键call下方的跳转jl regfind.0040357F,运行到这里时箭头是灰色的,我们就把jl改成jmp。为什么?因为我们是未注册的,破解当然要取相反的操作。再运行,出现弹窗提示“Unable to find components”,我们再查找字符串,来到这里:
0044F5C0 /$ 55 push ebp
0044F5C1 |. 8BEC mov ebp,esp
0044F5C3 |. 83E4 F8 and esp,-0x8
0044F5C6 |. 83EC 3C sub esp,0x3C
0044F5C9 |. 53 push ebx
0044F5CA |. 56 push esi
0044F5CB |. 8B75 08 mov esi,[arg.1] ; regfind.<ModuleEntryPoint>
0044F5CE |. 33DB xor ebx,ebx
0044F5D0 |. 57 push edi
0044F5D1 |. 395D 0C cmp [arg.2],ebx
0044F5D4 75 35 jnz short regfind.0044F60B
0044F5D6 6A 40 push 0x40
0044F5D8 51 push ecx
0044F5D9 8BC4 mov eax,esp
0044F5DB |. 8918 mov dword ptr ds:[eax],ebx
0044F5DD |. 51 push ecx
0044F5DE |. 8BC4 mov eax,esp
0044F5E0 |. C700 0CD44500 mov dword ptr ds:[eax],regfind.0045D40C ; Unable to find components
0044F5E6 |. 8B46 04 mov eax,dword ptr ds:[esi+0x4]
0044F5E9 |. 50 push eax
0044F5EA |. E8 F12EFBFF call regfind.004024E0
0044F5EF |. 8B4E 04 mov ecx,dword ptr ds:[esi+0x4]
0044F5F2 |. 83C4 10 add esp,0x10
0044F5F5 |. 53 push ebx ; /lParam = 0x7FFDC000
0044F5F6 |. 53 push ebx ; |wParam = 0x7FFDC000
0044F5F7 |. 6A 10 push 0x10 ; |Message = WM_CLOSE
0044F5F9 |. 51 push ecx ; |hWnd = 0x12FFB0
0044F5FA |. FF15 50A54500 call dword ptr ds:[<&USER32.PostMessageW>; \PostMessageW
0044F600 |. 33C0 xor eax,eax
0044F602 |. 5F pop edi ; kernel32.7C817067
0044F603 |. 5E pop esi ; kernel32.7C817067
0044F604 |. 5B pop ebx ; kernel32.7C817067
0044F605 |. 8BE5 mov esp,ebp
0044F607 |. 5D pop ebp ; kernel32.7C817067
0044F608 |. C2 0800 retn 0x8
0044F60B |> 399E 9C000000 cmp dword ptr ds:[esi+0x9C],ebx
0044F611 |. 75 35 jnz short regfind.0044F648
0044F613 |. 6A 40 push 0x40
0044F615 |. 51 push ecx
0044F616 |. 8BC4 mov eax,esp
0044F618 |. 8918 mov dword ptr ds:[eax],ebx
0044F61A |. 51 push ecx
0044F61B |. 8BC4 mov eax,esp
0044F61D |. C700 0CD44500 mov dword ptr ds:[eax],regfind.0045D40C ; Unable to find components
0044F623 |. 8B56 04 mov edx,dword ptr ds:[esi+0x4]
0044F626 |. 52 push edx ; ntdll.KiFastSystemCallRet
0044F627 |. E8 B42EFBFF call regfind.004024E0
0044F62C |. 8B46 04 mov eax,dword ptr ds:[esi+0x4]
0044F62F |. 83C4 10 add esp,0x10
0044F632 |. 53 push ebx ; /lParam = 0x7FFDC000
0044F633 |. 53 push ebx ; |wParam = 0x7FFDC000
0044F634 |. 6A 10 push 0x10 ; |Message = WM_CLOSE
0044F636 |. 50 push eax ; |hWnd = NULL
0044F637 |. FF15 50A54500 call dword ptr ds:[<&USER32.PostMessageW>; \PostMessageW
0044F63D |. 33C0 xor eax,eax
0044F63F |. 5F pop edi ; kernel32.7C817067
0044F640 |. 5E pop esi ; kernel32.7C817067
0044F641 |. 5B pop ebx ; kernel32.7C817067
0044F642 |. 8BE5 mov esp,ebp
0044F644 |. 5D pop ebp ; kernel32.7C817067
0044F645 |. C2 0800 retn 0x8
0044F648 |> 8B8E AC010000 mov ecx,dword ptr ds:[esi+0x1AC]
0044F64E |. 3BCB cmp ecx,ebx
0044F650 |. 7F 0C jg short regfind.0044F65E
0044F652 |. 399E B4020000 cmp dword ptr ds:[esi+0x2B4],ebx
0044F658 0F84 0A020000 je regfind.0044F868 ; 相等,跳过下面30天限制的验证
0044F65E |> 895C24 1C mov dword ptr ss:[esp+0x1C],ebx
。。。。。。。。。。。。。。。省略部分代码。。。。。。。。。。。。。。。。。。。
0044F6F5 |. 2BC8 sub ecx,eax
0044F6F7 |. 51 push ecx
0044F6F8 |. 68 40D44500 push regfind.0045D440 ; (Evaluation: Day %d of 30)
0044F6FD |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044F701 |. E8 8A33FBFF call regfind.00402A90
0044F706 |. 83C4 08 add esp,0x8
0044F709 |. EB 32 jmp short regfind.0044F73D
0044F70B |> 8B4424 44 mov eax,dword ptr ss:[esp+0x44]
0044F70F |. 83F8 1E cmp eax,0x1E ; eax和1E(30)比较
0044F712 |. 7D 1B jge short regfind.0044F72F
0044F714 |. BA 1E000000 mov edx,0x1E
0044F719 |. 2BD0 sub edx,eax
0044F71B |. 52 push edx ; ntdll.KiFastSystemCallRet
0044F71C |. 68 78D44500 push regfind.0045D478 ; (Uses left: %d)
0044F721 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0044F725 |. E8 6633FBFF call regfind.00402A90
0044F72A |. 83C4 08 add esp,0x8
0044F72D |. EB 0E jmp short regfind.0044F73D
0044F72F |> BA 9CD44500 mov edx,regfind.0045D49C ; Trial Period Expired
0044F734 |. 8D7C24 10 lea edi,dword ptr ss:[esp+0x10]
。。。。。。。。。。。。。。。。。。。省略部分代码。。。。。。。。。。。。。。
0044F854 |. 50 push eax
0044F855 |. 8B42 04 mov eax,dword ptr ds:[edx+0x4]
0044F858 |. FFD0 call eax
0044F85A |> 8B4424 2C mov eax,dword ptr ss:[esp+0x2C]
0044F85E |. 85C0 test eax,eax
0044F860 |. 74 06 je short regfind.0044F868
0044F862 |. 50 push eax
0044F863 |. E8 DAE2FDFF call regfind.0042DB42
0044F868 |> 5F pop edi ; kernel32.7C817067
0044F869 |. 5E pop esi ; kernel32.7C817067
0044F86A |. 33C0 xor eax,eax
0044F86C |. 5B pop ebx ; kernel32.7C817067
0044F86D |. 8BE5 mov esp,ebp
0044F86F |. 5D pop ebp ; kernel32.7C817067
0044F870 \. C2 0800 retn 0x8
0044F873 CC int3
0044F874 CC int3
0044F875 CC int3
在这里我们看到,这一段里有30天限制的验证。我们修改这里,跳过“Unable to find components”和30天试用限制的验证就可以了。
3、重启运行,已经没有30天试用的限制,在“关于”里也没有未注册的提示。破解成功。
【破解总结】
本次破解修改位置有2处
1.
原004034BA /0F8C BF000000 jl regfind.0040357F
改004034BA /E9 C0000000 jmp regfind.0040357F
004034BF |90 nop
2.
原0044F5D4 /75 35 jnz short regfind.0044F60B
0044F5D6 6A 40 push 0x40
0044F5D8 51 push ecx
改0044F5D4 /E9 8F020000 jmp regfind.0044F868