STEP7KNOW_HOW_PROTECT version 1.0 (written in Borland C++): cracking notes
Honestly, I still have no idea what STEP7KNOW_HOW_PROTECT version 1.0 is actually used for; if any expert knows, please tell me, so I at least know what I cracked :). A netizen mailed it to me a few days ago asking for a crack, and I never had the time; today I had nothing to do, so I took it out to practice on. Idle time is idle time anyway, heh...
Language: Borland C++
Tools: PEiD 0.8, DeDe 2.5 and Hiew 6.82
BEGIN!
1. Open the executable S7know.exe with PEiD 0.8: the program is not packed and was written in Borland C++... What? Borland C++! My head hurts... On second thought, DeDe should be able to handle it... let's try!
2. Load S7know.exe into DeDe 2.5... heh... loaded successfully! That makes things easy... let's get started.
3. In the DeDe 2.5 window choose "procedures"; the unit name window lists four items: "unitabout", "unitmain", "unitreg" and "unitselect". Naturally I looked at "unitreg" first... but when I opened "unitreg" there was nothing inside... What now? Let's look at "unitabout" instead: the right-hand window has many entries; pick "formshow" there and double-click it, and the following not-quite-garbage garbage appears...
...
|
00407A73 E8E4870800 call 0049025C
00407A78 BE05000000 mov esi, $00000005
00407A7D 8D45FC lea eax, [ebp-$04]
* Reference to field TAboutBox.OFFS_0304
|
00407A80 89B304030000 mov [ebx+$0304], esi
00407A86 8BD6 mov edx, esi
00407A88 66C745E80800 mov word ptr [ebp-$18], $0008
|
00407A8E E80D280900 call 0049A2A0
00407A93 FF45F4 inc dword ptr [ebp-$0C]
00407A96 8B10 mov edx, [eax]
* Reference to control TimeCount : TLabel
|
00407A98 8B83FC020000 mov eax, [ebx+$02FC]
|
00407A9E E839850500 call 0045FFDC
00407AA3 FF4DF4 dec dword ptr [ebp-$0C]
00407AA6 8D45FC lea eax, [ebp-$04]
00407AA9 BA02000000 mov edx, $00000002
|
00407AAE E831280900 call 0049A2E4
* Reference to field TAboutBox.OFFS_0308
|
00407AB3 80BB0803000000 cmp byte ptr [ebx+$0308], $00
00407ABA 7423 jz 00407ADF <-------- note this! (change 00407ABA 7423 jz 00407ADF to 00407ABA eb23 jmp 00407ADF)
00407ABC B201 mov dl, $01
* Reference to control TimerClose : TTimer
|
00407ABE 8B83F8020000 mov eax, [ebx+$02F8]
|
00407AC4 E8C3120500 call 00458D8C
00407AC9 33D2 xor edx, edx
* Reference to control OKButton : TButton
|
00407ACB 8B83E8020000 mov eax, [ebx+$02E8]
00407AD1 8B08 mov ecx, [eax]
...
Did you notice the line "00407ABA 7423 jz 00407ADF" above? Its job is this: once the timer reaches five seconds, it switches the Enabled property of the OK button in the delay window from false to true... heh. Run Hiew, find the line "00407ABA 7423 jz 00407ADF", and change it to "00407ABA eb23 jmp 00407ADF", that is, change "7423" to "eb23", so there is never a delay!
4. Run the program and look: the OK button in the delay window is now usable (Enabled=true), and the countdown from 5 to 0 no longer works, heh... a small success. But when I moved the system clock forward thirty days and ran the program again, many of its functions were disabled, which means the time limit has not been dealt with yet. Let's press the advantage and kill it!
5. Back in the DeDe 2.5 workspace, pick unitmain; heh, it has many entries too, and here again we choose "formshow"... Why? Because a program usually decides whether its functions are restricted while the form is being shown; of course there are exceptions... Same motto as always: play it by ear... Double-click to open it:
...
|
00402007 E8D8820900 call 0049A2E4
0040200C 59 pop ecx
0040200D 84C9 test cl, cl
0040200F 0F84D0030000 jz 004023E5 <------------ note this! (A)
00402015 66C78504FFFFFFE000 mov word ptr [ebp+$FFFFFF04], $00E0
* Possible String Reference to: 'Path1'
|
0040201E BA45C64900 mov edx, $0049C645
00402023 8D45BC lea eax, [ebp-$44]
|
00402026 E8A5810900 call 0049A1D0
0040202B FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
00402031 8B10 mov edx, [eax]
00402033 8B85ECFEFFFF mov eax, [ebp+$FFFFFEEC]
|
00402039 E85A040300 call 00432498
0040203E 33C9 xor ecx, ecx
00402040 BA02000000 mov edx, $00000002
00402045 8AC8 mov cl, al
00402047 83F901 cmp ecx, +$01
0040204A 1BC0 sbb eax, eax
0040204C F7D8 neg eax
0040204E 50 push eax
0040204F 8D45BC lea eax, [ebp-$44]
00402052 FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
|
00402058 E887820900 call 0049A2E4
0040205D 59 pop ecx
0040205E 84C9 test cl, cl
00402060 7466 jz 004020C8
00402062 BA51C64900 mov edx, $0049C651
00402067 8D45B4 lea eax, [ebp-$4C]
|
...
004023D1 83FB04 cmp ebx, +$04
004023D4 0F8E0CFFFFFF jle 004022E6
004023DA 8B85ECFEFFFF mov eax, [ebp+$FFFFFEEC]
|
004023E0 E893FC0200 call 00432078
004023E5 66C78504FFFFFF6401 mov word ptr [ebp+$FFFFFF04], $0164
* Possible String Reference to: 'Software\S7KNOW\License'
|
004023EE BA82C64900 mov edx, $0049C682
004023F3 8D4580 lea eax, [ebp-$80]
|
004023F6 E8D57D0900 call 0049A1D0
004023FB FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
00402401 8B10 mov edx, [eax]
00402403 B101 mov cl, $01
00402405 8B85ECFEFFFF mov eax, [ebp+$FFFFFEEC]
|
0040240B E8FCFC0200 call 0043210C
00402410 50 push eax
00402411 FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
00402417 8D4580 lea eax, [ebp-$80]
0040241A BA02000000 mov edx, $00000002
|
0040241F E8C07E0900 call 0049A2E4
00402424 59 pop ecx
00402425 84C9 test cl, cl
00402427 0F84E6040000 jz 00402913 <------------ note this! (B)
0040242D 66C78504FFFFFF7001 mov word ptr [ebp+$FFFFFF04], $0170
* Possible String Reference to: 'Info1'
|
00402436 BA9AC64900 mov edx, $0049C69A
0040243B 8D857CFFFFFF lea eax, [ebp+$FFFFFF7C]
|...
00402903 E8DC790900 call 0049A2E4
00402908 8B85ECFEFFFF mov eax, [ebp+$FFFFFEEC]
|
0040290E E865F70200 call 00432078
00402913 66C78504FFFFFF1400 mov word ptr [ebp+$FFFFFF04], $0014
0040291C 8B9DECFEFFFF mov ebx, [ebp+$FFFFFEEC]
00402922 899D30FFFFFF mov [ebp+$FFFFFF30], ebx
00402928 85DB test ebx, ebx
0040292A 742A jz 00402956 <------------ note this! (C)
0040292C 8B03 mov eax, [ebx]
0040292E 898534FFFFFF mov [ebp+$FFFFFF34], eax
00402934 66C78504FFFFFF0C02 mov word ptr [ebp+$FFFFFF04], $020C
0040293D BA03000000 mov edx, $00000003
00402942 8B8530FFFFFF mov eax, [ebp+$FFFFFF30]
00402948 8B08 mov ecx, [eax]
0040294A FF51FC call dword ptr [ecx-$04]
0040294D 66C78504FFFFFF0002 mov word ptr [ebp+$FFFFFF04], $0200
00402956 6683BD06FFFFFF00 cmp word ptr [ebp+$FFFFFF06], +$00
0040295E 7401 jz 00402961 <------------ note this! (D)
00402960 C3 ret
00402961 66C78504FFFFFF1802 mov word ptr [ebp+$FFFFFF04], $0218
0040296A 33D2 xor edx, edx
0040296C 89952CFFFFFF mov [ebp+$FFFFFF2C], edx
00402972 8D8D2CFFFFFF lea ecx, [ebp+$FFFFFF2C]
00402978 FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
0040297E 8B85F0FEFFFF mov eax, [ebp+$FFFFFEF0]
00402984 8B906C040000 mov edx, [eax+$046C]
0040298A 8B85F0FEFFFF mov eax, [ebp+$FFFFFEF0]
|
00402990 E8F3420000 call 00406C88
00402995 8D952CFFFFFF lea edx, [ebp+$FFFFFF2C]
0040299B 8B9DF0FEFFFF mov ebx, [ebp+$FFFFFEF0]
004029A1 81C368040000 add ebx, $00000468
004029A7 8BC3 mov eax, ebx
|
004029A9 E866790900 call 0049A314
004029AE FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
004029B4 8D852CFFFFFF lea eax, [ebp+$FFFFFF2C]
004029BA BA02000000 mov edx, $00000002
|
004029BF E820790900 call 0049A2E4
004029C4 66C78504FFFFFF2402 mov word ptr [ebp+$FFFFFF04], $0224
004029CD BA15C74900 mov edx, $0049C715
004029D2 8D8528FFFFFF lea eax, [ebp+$FFFFFF28]
|
004029D8 E8F3770900 call 0049A1D0
004029DD FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
004029E3 33C0 xor eax, eax
004029E5 898524FFFFFF mov [ebp+$FFFFFF24], eax
004029EB 8D9528FFFFFF lea edx, [ebp+$FFFFFF28]
004029F1 FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
004029F7 8D8D24FFFFFF lea ecx, [ebp+$FFFFFF24]
004029FD 8B85F0FEFFFF mov eax, [ebp+$FFFFFEF0]
00402A03 0558040000 add eax, +$00000458
|
00402A08 E82F790900 call 0049A33C
00402A0D 8D8524FFFFFF lea eax, [ebp+$FFFFFF24]
00402A13 33D2 xor edx, edx
00402A15 899520FFFFFF mov [ebp+$FFFFFF20], edx
00402A1B 8D8D20FFFFFF lea ecx, [ebp+$FFFFFF20]
00402A21 FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
00402A27 8B95F0FEFFFF mov edx, [ebp+$FFFFFEF0]
00402A2D 81C25C040000 add edx, $0000045C
|
00402A33 E804790900 call 0049A33C
00402A38 8D9520FFFFFF lea edx, [ebp+$FFFFFF20]
00402A3E 8BC3 mov eax, ebx
|
00402A40 E883790900 call 0049A3C8
00402A45 50 push eax
00402A46 FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
00402A4C 8D8520FFFFFF lea eax, [ebp+$FFFFFF20]
00402A52 BA02000000 mov edx, $00000002
|
00402A57 E888780900 call 0049A2E4
00402A5C FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
00402A62 8D8524FFFFFF lea eax, [ebp+$FFFFFF24]
00402A68 BA02000000 mov edx, $00000002
|
00402A6D E872780900 call 0049A2E4
00402A72 FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
00402A78 8D8528FFFFFF lea eax, [ebp+$FFFFFF28]
00402A7E BA02000000 mov edx, $00000002
|
00402A83 E85C780900 call 0049A2E4
00402A88 59 pop ecx
00402A89 84C9 test cl, cl
00402A8B 7457 jz 00402AE4 <------------ note this! (E)
00402A8D 66C78504FFFFFF3002 mov word ptr [ebp+$FFFFFF04], $0230
...
Do you see the "<------------ note this!" markers from (A) to (E) above? If you do, the rest is easy: they are all jz branches. Branch (A) restricts the software once usage reaches thirty days, but after changing "0040200F 0F84D0030000 jz 004023E5" to "0040200F 90909090909090 nop 004023E5" the program shows an error window when run, which means there is code further on that checks the integrity of the code. Needless to say, that is the "<------------ note this!" markers (B) through (E) above; try it if you don't believe me! Kill them all... run Hiew 6.82:
1. Change 0040200F 0F84D0030000 jz 004023E5 to 0040200F 90909090909090 nop 004023E5
2. Change 00402427 0F84E6040000 jz 00402913 to 00402427 0F85E6040000 jnz 00402913
3. Change 0040292A 742A jz 00402956 to 0040292A 752A jz 00402956
4. Change 0040295E 7401 jz 00402961 to 0040295E 7501 jz 00402961
5. Change 00402A8B 7457 jz 00402AE4 to 00402A8B 7557 jz 00402AE4
The whole world ----------- is quiet now -------------------
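As an added defensive illustration (not part of the original write-up and not S7KNOW's own code): why flipping branch (A) alone produced an error window. A self-integrity check over a protected code region catches a single-byte branch edit, and a triage routine can name what the edit was. The sample bytes are copied from the DeDe listings above; the CRC-based check is an assumed, generic design, not the program's actual routine.

```python
import zlib

# Constructed samples: instruction bytes copied from the page's DeDe listings.
# TAboutBox.FormShow, 00407AB3..00407AC3: cmp byte ptr [ebx+$0308],0 / jz / mov dl,1 / mov eax,...
ABOUT_REGION = bytes.fromhex("80BB0803000000" "7423" "B201" "8B83F8020000")
# TMainForm.FormShow, 0040200F: the near jz to 004023E5 (branch A)
MAIN_BRANCH_A = bytes.fromhex("0F84D0030000")

SHORT_JCC = {0x74: "jz", 0x75: "jnz"}  # rel8 conditional jumps seen in the listings


def region_crc(region: bytes) -> int:
    """Reference value a build step would embed for a protected code region (assumed design)."""
    return zlib.crc32(region) & 0xFFFFFFFF


def integrity_ok(region: bytes, expected_crc: int) -> bool:
    """What a self-check does at run time: recompute over the live bytes and compare."""
    return region_crc(region) == expected_crc


def classify_patch(original: bytes, patched: bytes) -> list[tuple[int, str]]:
    """Describe each changed byte the way an analyst triaging a tampered binary would."""
    if len(original) != len(patched):
        raise ValueError("regions must be the same length")
    findings = []
    for off, (a, b) in enumerate(zip(original, patched)):
        if a == b:
            continue
        if a in SHORT_JCC and b == 0xEB:
            findings.append((off, f"{SHORT_JCC[a]} rel8 forced to jmp"))
        elif a in SHORT_JCC and b in SHORT_JCC:
            findings.append((off, f"{SHORT_JCC[a]} rel8 inverted to {SHORT_JCC[b]}"))
        elif off > 0 and original[off - 1] == 0x0F and (a, b) in ((0x84, 0x85), (0x85, 0x84)):
            findings.append((off, "jz/jnz rel32 condition inverted"))
        elif b == 0x90:
            findings.append((off, "byte overwritten with nop"))
        else:
            findings.append((off, f"byte {a:02X} changed to {b:02X}"))
    return findings


def patch_byte(region: bytes, off: int, value: int) -> bytes:
    """Simulate one tampered byte in memory so the check can be exercised offline."""
    out = bytearray(region)
    out[off] = value
    return bytes(out)
```

A real check would cover the whole region including the check itself and compare against a value stored outside the patched range; the point here is only that one byte is enough to fail it.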
6. The patcher (the author calls it a "keygen"):
.386
locals
jumps
.model flat,STDCALL
extrn MessageBoxA:Proc
extrn CreateFileA:Proc
extrn WriteFile:Proc
extrn SetFilePointer:Proc
extrn CloseHandle:Proc
extrn ExitProcess:Proc
extrn GetFileSize:Proc
.data
GENERIC_WRITE equ 40000000h
OPEN_EXISTING equ 3
FILE_BEGIN equ 0
cur_byte db ?                 ; byte currently being written
liczba dd 0                   ; bytes written (out parameter of WriteFile)
uchwyt dd ?                   ; file handle
; patch table: 5-byte records, each a new byte value followed by its dword file offset
zmiany:
db 144,15,22,0,0,144,16,22,0,0,144,17,22,0,0,144,18,22,0,0,144,19,22,0,0,144,20,22,0,0,144,21,22,0,0,235,96,22,0,0,235,19,23,0,0,235,198,23,0,0,235,121,24,0,0,235,179,25,0,0,133,40,26,0,0,235,42,31,0,0,235,94,31,0,0,235,139,32,0,0,117,186,112,0,0,0
num_mod dd 17                 ; number of records in zmiany
program_name db 'S7KNOW.exe',0
bad_size db '',0              ; message texts are empty on the page
main_error db '',0
success db '',0
other_errors db '',0
file_size dd 822784           ; expected size of the unpatched S7KNOW.exe
nazwa_pliku db 'S7KNOW.exe',0
.code
start:
    ; CreateFileA(nazwa_pliku, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL)
    push 0
    push 0
    push OPEN_EXISTING
    push 0
    push 0
    push GENERIC_WRITE
    push offset nazwa_pliku
    call CreateFileA
    cmp eax,0ffffffffh        ; INVALID_HANDLE_VALUE
    jz error
    mov uchwyt,eax
    ; refuse to touch a file of the wrong size (wrong version or already patched)
    push 0
    push uchwyt
    call GetFileSize
    cmp eax,file_size
    jnz error_size
    mov ecx,0                 ; record index
modify:
    push ecx
    mov esi,offset zmiany
    imul eax,ecx,5            ; esi = &zmiany[ecx * 5]
    add esi,eax
    lodsb                     ; al = new byte value
    mov cur_byte,al
    lodsd                     ; eax = file offset of that byte
    ; SetFilePointer(uchwyt, offset, NULL, FILE_BEGIN)
    push FILE_BEGIN
    push 0
    push eax
    push uchwyt
    call SetFilePointer
    mov liczba,0
    ; WriteFile(uchwyt, &cur_byte, 1, &liczba, NULL)
    push 0
    push offset liczba
    push 1
    push offset cur_byte
    push uchwyt
    call WriteFile
    test eax,eax
    jz error
    pop ecx
    inc ecx
    cmp ecx,num_mod
    jne modify
    push 0
    push offset program_name
    push offset success
    push 0
    call MessageBoxA
end_:
    push uchwyt
    call CloseHandle
    push 0
    call ExitProcess
error_size:                   ; size mismatch: report bad_size
    push 0
    push offset main_error
    push offset bad_size
    push 0
    call MessageBoxA
    jmp end_
error:                        ; open or write failure: report other_errors
    push 0
    push offset main_error
    push offset other_errors
    push 0
    call MessageBoxA
    jmp end_
end start
7. Done!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Please keep this article intact when reposting ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: 飞龙狗狗  Email: bluearc_arc@hotmail.com  QQ: 40116000