>1. Check with Language 2000 V4.5 whether the file is packed: it turns out to be packed with ASPack, and unaspack.exe unpacks it successfully.
>2. Disassemble it with W32DASM and find the string "软件注册成功,谢谢您的支持!" ("Registration successful, thank you for your support!"), as follows:
>
>* Referenced by a (U)nconditional or (C)onditional Jump at Address:
>|:004F4D30(C)
>|
>:004F4DA6 8BD8 mov ebx, eax
>:004F4DA8 33C0 xor eax, eax
>:004F4DAA 55 push ebp
>:004F4DAB 68944E4F00 push 004F4E94
>:004F4DB0 64FF30 push dword ptr fs:[eax]
>:004F4DB3 648920 mov dword ptr fs:[eax], esp
>:004F4DB6 8D55F8 lea edx, dword ptr [ebp-08]
>:004F4DB9 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
>:004F4DBF E860E1F3FF call 00432F24
>:004F4DC4 8B45F8 mov eax, dword ptr [ebp-08]
>:004F4DC7 50 push eax
>:004F4DC8 8D55F0 lea edx, dword ptr [ebp-10]
>:004F4DCB 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
>:004F4DD1 E84EE1F3FF call 00432F24
>:004F4DD6 8B55F0 mov edx, dword ptr [ebp-10]
>:004F4DD9 8D4DF4 lea ecx, dword ptr [ebp-0C]
>:004F4DDC 8BC3 mov eax, ebx
>:004F4DDE E8C9010000 call 004F4FAC
>:004F4DE3 8B55F4 mov edx, dword ptr [ebp-0C]
>:004F4DE6 58 pop eax
>:004F4DE7 E830F3F0FF call 0040411C **key call**
>:004F4DEC 7576 jne 004F4E64 **this jumps to "注册码不正确,无法注册!" (incorrect registration code, cannot register)**
>:004F4DEE B201 mov dl, 01
>:004F4DF0 A158254500 mov eax, dword ptr [00452558]
>
>..........................
>........
>
>* Possible StringData Ref from Code Obj ->"软件注册成功,谢谢您的支持!"
> |
>:004F4E2C B8004F4F00 mov eax, 004F4F00
>:004F4E31 E8563DF6FF call 00458B8C
>:004F4E36 A16C305000 mov eax, dword ptr [0050306C]
>:004F4E3B 8B00 mov eax, dword ptr [eax]
>
>* Possible StringData Ref from Code Obj ->"中华压缩(ChinaZip)—注册版"
> |
>:004F4E3D BA244F4F00 mov edx, 004F4F24
>:004F4E42 E80DE1F3FF call 00432F54
>:004F4E47 33C0 xor eax, eax
>:004F4E49 5A pop edx
>:004F4E4A 59 pop ecx
>:004F4E4B 59 pop ecx
>:004F4E4C 648910 mov dword ptr fs:[eax], edx
>:004F4E4F 686E4E4F00 push 004F4E6E
>
>* Referenced by a (U)nconditional or (C)onditional Jump at Address:
>|:004F4E62(U)
>|
>:004F4E54 8B45FC mov eax, dword ptr [ebp-04]
>:004F4E57 E868E2F0FF call 004030C4
>:004F4E5C C3 ret
>
>:004F4E5D E9C2E9F0FF jmp 00403824
>:004F4E62 EBF0 jmp 004F4E54
>
>* Referenced by a (U)nconditional or (C)onditional Jump at Address:
>|:004F4DEC(C)
>|
>
>* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册!"
> |
>:004F4E64 B8484F4F00 mov eax, 004F4F48
>
>Verify it right away with TRW2000: run chinazip.exe, enter the user name jiangzhif and the registration code 8765432, bring up TRW2000, BPX 004F4DE7, F5, click OK, and the breakpoint hits.
>D EAX shows 8765432; promising. D EDX shows AG5344.
>Re-run chinazip.exe, enter the user name jiangzhif and the registration code AG5344, click OK,
>and "软件注册成功,谢谢您的支持!" appears. Success.
>
>Open the unpacked chinazip.exe in W32DASM.
>
>Trace into the key comparison: :004F4DE7 E830F3F0FF call 0040411C
>:0040411C 53 push ebx
>:0040411D 56 push esi
>:0040411E 57 push edi
>:0040411F 89C6 mov esi, eax
>:00404121 89D7 mov edi, edx
>:00404123 39D0 cmp eax, edx ***// this is the spot.
>:00404125 0F848F000000 je 004041BA
>:0040412B 85F6 test esi, esi
>:0040412D 7468 je 00404197
>:0040412F 85FF test edi, edi
>:00404131 746B je 0040419E
>:00404133 8B46FC mov eax, dword ptr [esi-04]
>:00404136 8B57FC mov edx, dword ptr [edi-04]
>:00404139 29D0 sub eax, edx
>:0040413B 7702 ja 0040413F
>:0040413D 01C2 add edx, eax
>
>Good, now make a keygen with CRACKCODE2000.
>CRACKCODE.INI contents:
>[Options]
>CommandLine=ChinaZip.exe
>Mode=2
>First_Break_Address=4f4de7
>First_Break_Address_Code=e8
>First_Break_Address_Code_Lenth=5
>Second_Break_Address=404123
>Second_Break_Address_Code_Lenth=2
>Save_Code_Address=EDX
>Tested; it works.
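The weakness the listing above exposes is that the program derives the valid code itself and hands both strings, in plain text, to a string compare, so a single breakpoint at that call reveals the expected value. As an added example (not code from the post or from ChinaZip), here is that check pattern in C beside a variant that keeps the plaintext code out of the comparison site; the serial derivation is a constructed placeholder, since the post does not give the real formula, and the user name jiangzhif is taken from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for the program's serial derivation (the real
 * ChinaZip formula is not on the page): 32-bit FNV-1a over the bytes. */
static uint32_t fnv1a(const char *s, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= (uint8_t)s[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Expected code for a user name: 8 upper-case hex digits plus NUL. */
void derive_serial(const char *user, char out[9]) {
    snprintf(out, 9, "%08X", (unsigned)fnv1a(user, strlen(user)));
}

/* The pattern in the listing: derive the expected code, then call a string
 * compare with both plaintext strings in registers. Whoever stops at that
 * call can read the valid code directly, as the D EDX step in the post shows. */
int check_weak(const char *user, const char *entered) {
    char expected[9];
    derive_serial(user, expected);
    return strcmp(expected, entered) == 0;
}

/* Variant that compares digests instead of the strings, so the compare site
 * only ever holds two 32-bit digests. It does not remove the derivation from
 * the client; codes the client cannot compute (signed with a key the binary
 * does not hold) are the complete fix and are beyond this example. */
int check_hashed(const char *user, const char *entered) {
    char expected[9];
    derive_serial(user, expected);
    uint32_t a = fnv1a(expected, strlen(expected));
    uint32_t b = fnv1a(entered, strlen(entered));
    return (a ^ b) == 0;   /* one branch-free comparison of the two digests */
}

/* Exercises both checks with a valid and an invalid code; returns 1 on pass. */
int self_check(void) {
    char good[9];
    derive_serial("jiangzhif", good);
    return check_weak("jiangzhif", good) && !check_weak("jiangzhif", "8765432")
        && check_hashed("jiangzhif", good) && !check_hashed("jiangzhif", "8765432");
}

int main(void) {
    printf("self_check: %d\n", self_check());
    return 0;
}
```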