|
>1.用language 2000 V4.5查文件是否加壳,查出是aspack加的壳,用unaspack.exe脱壳成功。
>2.用W32DASM反汇编一下,找到"软件注册成功,谢谢您的支持!"如下:
>
>* Referenced by a (U)nconditional or (C)onditional Jump at Address:
>|:004F4D30(C)
>|
>:004F4DA6 8BD8 mov ebx, eax
>:004F4DA8 33C0 xor eax, eax
>:004F4DAA 55 push ebp
>:004F4DAB 68944E4F00 push 004F4E94
>:004F4DB0 64FF30 push dword ptr fs:[eax]
>:004F4DB3 648920 mov dword ptr fs:[eax], esp
>:004F4DB6 8D55F8 lea edx, dword ptr [ebp-08]
>:004F4DB9 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
>:004F4DBF E860E1F3FF call 00432F24
>:004F4DC4 8B45F8 mov eax, dword ptr [ebp-08]
>:004F4DC7 50 push eax
>:004F4DC8 8D55F0 lea edx, dword ptr [ebp-10]
>:004F4DCB 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
>:004F4DD1 E84EE1F3FF call 00432F24
>:004F4DD6 8B55F0 mov edx, dword ptr [ebp-10]
>:004F4DD9 8D4DF4 lea ecx, dword ptr [ebp-0C]
>:004F4DDC 8BC3 mov eax, ebx
>:004F4DDE E8C9010000 call 004F4FAC
>:004F4DE3 8B55F4 mov edx, dword ptr [ebp-0C]
>:004F4DE6 58 pop eax
>:004F4DE7 E830F3F0FF call 0040411C **关键call***
>:004F4DEC 7576 jne 004F4E64 **这里跳至"注册码不正确,无法注册!"
>:004F4DEE B201 mov dl, 01
>:004F4DF0 A158254500 mov eax, dword ptr [00452558]
>
>..........................
>........
>
>* Possible StringData Ref from Code Obj ->"软件注册成功,谢谢您的支持!"
> |
>:004F4E2C B8004F4F00 mov eax, 004F4F00
>:004F4E31 E8563DF6FF call 00458B8C
>:004F4E36 A16C305000 mov eax, dword ptr [0050306C]
>:004F4E3B 8B00 mov eax, dword ptr [eax]
>
>* Possible StringData Ref from Code Obj ->"中华压缩(ChinaZip)—注册版"
> |
>:004F4E3D BA244F4F00 mov edx, 004F4F24
>:004F4E42 E80DE1F3FF call 00432F54
>:004F4E47 33C0 xor eax, eax
>:004F4E49 5A pop edx
>:004F4E4A 59 pop ecx
>:004F4E4B 59 pop ecx
>:004F4E4C 648910 mov dword ptr fs:[eax], edx
>:004F4E4F 686E4E4F00 push 004F4E6E
>
>* Referenced by a (U)nconditional or (C)onditional Jump at Address:
>|:004F4E62(U)
>|
>:004F4E54 8B45FC mov eax, dword ptr [ebp-04]
>:004F4E57 E868E2F0FF call 004030C4
>:004F4E5C C3 ret
>
>
>:004F4E5D E9C2E9F0FF jmp 00403824
>:004F4E62 EBF0 jmp 004F4E54
>
>* Referenced by a (U)nconditional or (C)onditional Jump at Address:
>|:004F4DEC(C)
>|
>
>* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册!"
> |
>:004F4E64 B8484F4F00 mov eax, 004F4F48
>
>马上用TRW2000来验证一下,运行chinazip.exe,输入用户名jiangzhif注册码8765432,调
>出TRW2000,BPX 004F4DE7,F5,点确定,拦到了。
>D EAX, 显示8765432,有门,D EDX,显示AG5344,
>重新运行chinazip.exe,输入用户名jiangzhif注册码AG5344,点确定,
>出现"软件注册成功,谢谢您的支持!",成功。
>
>用W32DASM打开脱壳后的chinazip.exe
>
>追进关键比较::004F4DE7 E830F3F0FF call 0040411C
>:0040411C 53 push ebx
>:0040411D 56 push esi
>:0040411E 57 push edi
>:0040411F 89C6 mov esi, eax
>:00404121 89D7 mov edi, edx
>:00404123 39D0 cmp eax, edx ***//就是这里了。
>:00404125 0F848F000000 je 004041BA
>:0040412B 85F6 test esi, esi
>:0040412D 7468 je 00404197
>:0040412F 85FF test edi, edi
>:00404131 746B je 0040419E
>:00404133 8B46FC mov eax, dword ptr [esi-04]
>:00404136 8B57FC mov edx, dword ptr [edi-04]
>:00404139 29D0 sub eax, edx
>:0040413B 7702 ja 0040413F
>:0040413D 01C2 add edx, eax
>
>好,用CRACKCODE2000做个注册机
>CRACKCODE.INI内容为:
>[Options]
>CommandLine=ChinaZip.exe
>Mode=2
>First_Break_Address=4f4de7
>First_Break_Address_Code=e8
>First_Break_Address_Code_Lenth=5
>Second_Break_Address=404123
>Second_Break_Address_Code_Lenth=2
>Save_Code_Address=EDX
>测试,成功。
|
