Posted on 2010-2-10 06:44:08
Step 1: unpacking. armkiller13 can strip its packer directly!
Step 2: register this software! Hehe!
:00402911 59 pop ecx
:00402912 50 push eax
:00402913 E8B3800100 call 0041A9CB
:00402918 83C40C add esp, 0000000C
:0040291B FF3570604200 push dword ptr [00426070]
:00402921 8D8500FDFFFF lea eax, dword ptr [ebp+FFFFFD00]
:00402927 50 push eax
:00402928 E8437E0100 call 0041A770
:0040292D 59 pop ecx
:0040292E 59 pop ecx
:0040292F E8E5BD0000 call 0040E719
:00402934 84C0 test al, al
:00402936 5E pop esi
:00402937 741B je 00402954 ====> jump here! (change 741B to EB1B)
:00402939 E88EBE0000 call 0040E7CC
:0040293E 84C0 test al, al
* Possible StringData Ref from Data Obj ->"Professional"
|
:00402940 B814614200 mov eax, 00426114
:00402945 7505 jne 0040294C
* Possible StringData Ref from Data Obj ->"Basic"
|
:00402947 B80C614200 mov eax, 0042610C
:0040294C 50 push eax
* Possible StringData Ref from Data Obj ->", %s Trial Edition"
|
:0040294D 68F8604200 push 004260F8
:00402952 EB19 jmp 0040296D
:00402954 E873BE0000 call 0040E7CC ===> note this
:00402959 84C0 test al, al
* Possible StringData Ref from Data Obj ->"Professional"
|
:0040295B B814614200 mov eax, 00426114
:00402960 7505 jne 00402967 ===> jump here
* Possible StringData Ref from Data Obj ->"Basic"
|
:00402962 B80C614200 mov eax, 0042610C
:00402967 50 push eax
* Possible StringData Ref from Data Obj ->", %s Edition"
|
:00402968 68E8604200 push 004260E8
:0040296D 8D8500FDFFFF lea eax, dword ptr [ebp+FFFFFD00]
:00402973 53 push ebx
:00402974 50 push eax
:00402975 E8E67E0100 call 0041A860
:0040297A 59 pop ecx
:0040297B 59 pop ecx
:0040297C 50 push eax
:0040297D E849800100 call 0041A9CB
:00402982 83C40C add esp, 0000000C
:00402985 8D8500FDFFFF lea eax, dword ptr [ebp+FFFFFD00]
:0040298B 50 push eax
:0040298C FF35F00C4300 push dword ptr [00430CF0]
* Reference T USER32.SetWindowTextA, Ord:025Eh
|
:00402992 FF15E4314200 Call dword ptr [004231E4]
:00402998 5F pop edi
:00402999 5B pop ebx
:0040299A C9 leave
:0040299B C3 ret
===================================================================
Note this CALL (00402954 call 0040E7CC); let's step into it, hehe!
:0040E7CC 55 push ebp
:0040E7CD 8BEC mov ebp, esp
:0040E7CF 81EC00010000 sub esp, 00000100
:0040E7D5 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:0040E7DB 6800010000 push 00000100
:0040E7E0 50 push eax
* Possible StringData Ref from Data Obj ->"VERSION"
|
:0040E7E1 6814634200 push 00426314
* Reference T KERNEL32.GetEnvironmentVariableA, Ord:0109h
|
:0040E7E6 FF15A8304200 Call dword ptr [004230A8]
:0040E7EC 85C0 test eax, eax
:0040E7EE 7504 jne 0040E7F4 ======> must jump! (change 7504 to EB04)
:0040E7F0 32C0 xor al, al
:0040E7F2 C9 leave
:0040E7F3 C3 ret
:0040E7F4 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
* Possible StringData Ref from Data Obj ->"Professional"
|
:0040E7FA 6814614200 push 00426114
:0040E7FF 50 push eax
:0040E800 E83B300100 call 00421840 =====> key CALL
:0040E805 F7D8 neg eax
:0040E807 59 pop ecx
:0040E808 1BC0 sbb eax, eax
:0040E80A 59 pop ecx
:0040E80B 40 inc eax
:0040E80C C9 leave
:0040E80D C3 ret
====================================================================
Enter call 00421840
:00421840 55 push ebp
:00421841 8BEC mov ebp, esp
:00421843 57 push edi
:00421844 56 push esi
:00421845 53 push ebx
:00421846 8B750C mov esi, dword ptr [ebp+0C]
:00421849 8B7D08 mov edi, dword ptr [ebp+08]
:0042184C 8D0588204300 lea eax, dword ptr [00432088]
:00421852 83780800 cmp dword ptr [eax+08], 00000000
:00421856 753B jne 00421893 ===> change this to JMP 4218C2 (753B => EB6A)
:00421858 B0FF mov al, FF
:0042185A 8BFF mov edi, edi
:0042185C 0AC0 or al, al
:0042185E 742E je 0042188E
:00421860 8A06 mov al, byte ptr [esi]
:00421862 46 inc esi
:00421863 8A27 mov ah, byte ptr [edi]
:00421865 47 inc edi
:00421866 38C4 cmp ah, al
:00421868 74F2 je 0042185C
:0042186A 2C41 sub al, 41
:0042186C 3C1A cmp al, 1A
:0042186E 1AC9 sbb cl, cl
:00421870 80E120 and cl, 20
:00421873 02C1 add al, cl
:00421875 0441 add al, 41
:00421877 86E0 xchg al, ah
:00421879 2C41 sub al, 41
:0042187B 3C1A cmp al, 1A
:0042187D 1AC9 sbb cl, cl
:0042187F 80E120 and cl, 20
:00421882 02C1 add al, cl
:00421884 0441 add al, 41
:00421886 38E0 cmp al, ah
:00421888 74D2 je 0042185C
:0042188A 1AC0 sbb al, al
:0042188C 1CFF sbb al, FF
:0042188E 0FBEC0 movsx eax, al
:00421891 EB34 jmp 004218C7
* Possible Reference to Dialog: DialogID_0078, CONTROL_ID:00FF, ""
|
:00421893 B8FF000000 mov eax, 000000FF
:00421898 33DB xor ebx, ebx
:0042189A 8BFF mov edi, edi
:0042189C 0AC0 or al, al
:0042189E 7427 je 004218C7
:004218A0 8A06 mov al, byte ptr [esi]
:004218A2 46 inc esi
:004218A3 8A1F mov bl, byte ptr [edi]
:004218A5 47 inc edi
:004218A6 38D8 cmp al, bl
:004218A8 74F2 je 0042189C
:004218AA 50 push eax
:004218AB 53 push ebx
:004218AC E89A010000 call 00421A4B ==> this seems to be the registration code comparison!
:004218B1 8BD8 mov ebx, eax
:004218B3 83C404 add esp, 00000004
:004218B6 E890010000 call 00421A4B
:004218BB 83C404 add esp, 00000004
:004218BE 38C3 cmp bl, al
:004218C0 74DA je 0042189C
:004218C2 1BC0 sbb eax, eax ====== change this to MOV EAX,0
:004218C4 83D8FF sbb eax, FFFFFFFF
:004218C7 5B pop ebx
:004218C8 5E pop esi
:004218C9 5F pop edi
:004218CA C9 leave
:004218CB C3 ret
Tracing shows that as long as this CALL's return value EAX=0, it becomes the registered version!
Done! Please point out anything I got wrong!
Also, a question for the experts:
KERNEL32.GetEnvironmentVariableA, Ord:0109h ==> what is this function for?
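Added example (not part of the original post or the cracked program): a Python model of the compare loop at 00421840, specifically the branch taken when the dword at [00432088+08] is zero (0042185C..0042188E), plus the neg/sbb/inc idiom that follows the call at 0040E805. Function names and the byte-string inputs are my own constructions. Reading the six-instruction sequence sub al,41 / cmp al,1A / sbb cl,cl / and cl,20 / add al,cl / add al,41 as a branch-free ASCII upper-to-lower fold shows the loop is a case-insensitive comparison of the buffer in [ebp+08] against the string in [ebp+0C] that returns 0 only on a match, which is exactly the EAX=0 condition the post identifies.

```python
# Added example: model of the locale-independent compare loop at 00421840
# and of the neg/sbb/inc result conversion at 0040E805. Names are mine.

def fold_upper_ascii(c: int) -> int:
    """Mirror of: sub al,41 / cmp al,1A / sbb cl,cl / and cl,20 / add al,cl / add al,41.
    Only bytes 'A'..'Z' (0x41..0x5A) are changed; everything else passes through."""
    t = (c - 0x41) & 0xFF            # sub al, 41
    cf = 1 if t < 0x1A else 0        # cmp al, 1A  -> CF set when t is below 0x1A
    cl = ((0 - cf) & 0xFF) & 0x20    # sbb cl, cl ; and cl, 20  -> 0x20 or 0x00
    return (t + cl + 0x41) & 0xFF    # add al, cl ; add al, 41


def stricmp_fast_path(dst: bytes, src: bytes) -> int:
    """Model of 0042185C..0042188E. edi walks dst ([ebp+08], the caller's buffer),
    esi walks src ([ebp+0C], the literal). Returns 0 on a case-insensitive match,
    -1 when dst sorts before src, +1 otherwise (the sbb al,al / sbb al,FF pair)."""
    d = dst + b"\x00"                # constructed inputs, treated as C strings
    s = src + b"\x00"
    i = 0
    al = 0xFF                        # mov al, FF  (first or al,al is non-zero)
    while True:
        if al == 0:                  # or al,al / je 0042188E -> movsx eax, al -> 0
            return 0
        al = s[i]                    # mov al, [esi] ; inc esi
        ah = d[i]                    # mov ah, [edi] ; inc edi
        i += 1
        if ah == al:                 # cmp ah, al / je 0042185C
            continue
        fs = fold_upper_ascii(al)    # fold the src byte
        fd = fold_upper_ascii(ah)    # xchg al,ah then fold the dst byte
        if fd == fs:                 # cmp al, ah / je 0042185C
            al = fd                  # al keeps the (non-zero) folded byte
            continue
        # sbb al,al -> 0xFF if CF (fd < fs) else 0 ; sbb al,FF -> -1 or +1
        return -1 if fd < fs else 1


def to_bool_eax(eax: int) -> int:
    """Model of neg eax / sbb eax,eax / inc eax at 0040E805: 1 when eax == 0, else 0."""
    cf = 1 if eax != 0 else 0                   # neg sets CF unless the operand is zero
    eax = (0 - cf) & 0xFFFFFFFF                 # sbb eax, eax -> 0 or 0xFFFFFFFF
    return (eax + 1) & 0xFFFFFFFF               # inc eax


if __name__ == "__main__":
    for a, b in [(b"professional", b"Professional"), (b"Basic", b"Professional"), (b"Pro", b"Professional")]:
        r = stricmp_fast_path(a, b)
        print(a, b, "compare =", r, "-> 0040E7CC returns", to_bool_eax(r & 0xFFFFFFFF))
```

The fold is the classic branch-free trick: after subtracting 'A', an unsigned compare against 26 leaves CF set only for former uppercase letters, and sbb/and turns that flag into the 0x20 bit that separates upper- and lowercase ASCII. The neg/sbb/inc triple is the compiler's way of writing `return cmp == 0;` without a conditional jump.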