After getting the software, scan it first. The file is not packed, so go straight to disassembly.
Run the software and try to register. After typing in a few values, the software shows "软件注册号错误" (software registration number error).
Set a breakpoint and trace.
...
Here is the unfortunate part. I had just installed XP SP1, and unexpectedly the SoftICE breakpoints would not trigger. Ugh. Deeply dazed.
Pull myself together and carry on; hence the following, an example of cracking it successfully by static analysis alone.
Search the string data references for the string "软件注册号错误".
:0046B054 EB15 jmp 0046B06B<=this is an unconditional jump
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046AFB1(C), :0046AFBA(C)
|
:0046B056 6A00 push 00000000<=this is the address the earlier conditional jumps land on
:0046B058 668B0DF8B04600 mov cx, word ptr [0046B0F8]
:0046B05F B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"软件注册号错误"
|
:0046B061 B878B14600 mov eax, 0046B178
:0046B066 E8E51FFEFF call 0044D050
You can see that this is only the place where the "registration number error" message is displayed; the decision itself is not here but somewhere above. Look back for the most likely entry point. I chose the instruction right after the unconditional jump, 0046B056, and searched for the address "0046B056". That turned up the following:
:0046AFAE 3B55FC cmp edx, dword ptr [ebp-04]<=this is where the check on the software's usage flag begins; if it does not equal a certain value it jumps
:0046AFB1 0F859F000000 jne 0046B056
:0046AFB7 3B45F8 cmp eax, dword ptr [ebp-08]<=compared once more
:0046AFBA 0F8596000000 jne 0046B056
:0046AFC0 33D2 xor edx, edx
:0046AFC2 8B839C030000 mov eax, dword ptr [ebx+0000039C]
:0046AFC8 8B08 mov ecx, dword ptr [eax]
:0046AFCA FF5160 call [ecx+60]
:0046AFCD B201 mov dl, 01
:0046AFCF 8B8324030000 mov eax, dword ptr [ebx+00000324]
:0046AFD5 8B08 mov ecx, dword ptr [eax]
:0046AFD7 FF5160 call [ecx+60]
* Possible StringData Ref from Code Obj ->"已注册登记版本"
|
:0046AFDA BAE8B04600 mov edx, 0046B0E8
:0046AFDF 8B83A0030000 mov eax, dword ptr [ebx+000003A0]
:0046AFE5 E8EA11FCFF call 0042C1D4
:0046AFEA 8B8334030000 mov eax, dword ptr [ebx+00000334]
:0046AFF0 C7400C09000000 mov [eax+0C], 00000009
:0046AFF7 6A00 push 00000000
:0046AFF9 668B0DF8B04600 mov cx, word ptr [0046B0F8]
:0046B000 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"软件登记注册成功"
|
:0046B002 B804B14600 mov eax, 0046B104
:0046B007 E84420FEFF call 0044D050
:0046B00C B201 mov dl, 01
:0046B00E A1F0A24500 mov eax, dword ptr [0045A2F0]
:0046B013 E818F4FEFF call 0045A430
:0046B018 8BD8 mov ebx, eax
:0046B01A BA02000080 mov edx, 80000002
:0046B01F 8BC3 mov eax, ebx
:0046B021 E8A2F4FEFF call 0045A4C8
:0046B026 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Microsoft\Windows\CurrentVersion\seek"
->"easysoft\easysmtp"
|
:0046B028 BA20B14600 mov edx, 0046B120<=the most suspicious spot: there is an entry in the registry. This is where the program decides. ^_^
:0046B02D 8BC3 mov eax, ebx
:0046B02F E8F8F4FEFF call 0045A52C<=this should be the registry read; I couldn't catch it with a breakpoint :(
:0046B034 84C0 test al, al
:0046B036 740E je 0046B046
:0046B038 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"gc_id"
|
:0046B03A BA68B14600 mov edx, 0046B168
:0046B03F 8BC3 mov eax, ebx
:0046B041 E826F7FEFF call 0045A76C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B036(C)
|
:0046B046 8BC3 mov eax, ebx
:0046B048 E84BF4FEFF call 0045A498
:0046B04D 8BC3 mov eax, ebx
:0046B04F E8547DF9FF call 00402DA8
:0046B054 EB15 jmp 0046B06B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046AFB1(C), :0046AFBA(C)
|
:0046B056 6A00 push 00000000
:0046B058 668B0DF8B04600 mov cx, word ptr [0046B0F8]
:0046B05F B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"软件注册号错误"
|
:0046B061 B878B14600 mov eax, 0046B178
:0046B066 E8E51FFEFF call 0044D050
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046AF58(C), :0046B054(U)
|
:0046B06B 33C0 xor eax, eax
:0046B06D 5A pop edx
:0046B06E 59 pop ecx
:0046B06F 59 pop ecx
:0046B070 648910 mov dword ptr fs:[eax], edx
:0046B073 6890B04600 push 0046B090
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B08E(U)
|
:0046B078 8D45E0 lea eax, dword ptr [ebp-20]
:0046B07B E81C89F9FF call 0040399C
:0046B080 8D45F4 lea eax, dword ptr [ebp-0C]
:0046B083 E81489F9FF call 0040399C
:0046B088 C3 ret
Reading the program at a glance, it seems to read the registry to decide how many times it has been used. Open the registry and watch it. Run the program, and notice that the registry entry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\seekeasysoft\easysmtp]
"gc_id"=dword:00000000
keeps changing. (The listing opens this key with the root 80000002, which is HKEY_LOCAL_MACHINE, so watch the HKLM hive, not HKCU.)
Search the string data references for "\CurrentVersion\seekeasysoft\easysmtp", which is where the program checks its run count. As follows:
* Possible StringData Ref from Code Obj ->"Software\Microsoft\Windows\CurrentVersion\seek"
->"easysoft\easysmtp"
|
:004699D7 BA48A04600 mov edx, 0046A048
:004699DC 8BC6 mov eax, esi
:004699DE E8490BFFFF call 0045A52C
:004699E3 84C0 test al, al<=tests the returned flag (did the key open).
:004699E5 0F8415010000 je 00469B00
* Possible StringData Ref from Code Obj ->"gc_id"
|
:004699EB BA90A04600 mov edx, 0046A090
:004699F0 8BC6 mov eax, esi
:004699F2 E80D0FFFFF call 0045A904
:004699F7 84C0 test al, al
:004699F9 0F84C1000000 je 00469AC0
* Possible StringData Ref from Code Obj ->"gc_id"
|
:004699FF BA90A04600 mov edx, 0046A090
:00469A04 8BC6 mov eax, esi
:00469A06 E8750DFFFF call 0045A780
:00469A0B 8945FC mov dword ptr [ebp-04], eax
:00469A0E 837DFC00 cmp dword ptr [ebp-04], 00000000<=jle: jumps if the counter is <= 0
:00469A12 7E6C jle 00469A80
:00469A14 837DFC64 cmp dword ptr [ebp-04], 00000064<=jg: jumps if the counter is greater than 64h (100). After setting the registry value past this, the software shows the prompt message.
:00469A18 7F66 jg 00469A80
:00469A1A 8345FC0A add dword ptr [ebp-04], 0000000A<=adds 0Ah (10) to the counter on every run and writes it back below; after changing the registry value here, no prompt is shown, but the software is still the unregistered version
:00469A1E 8B4DFC mov ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"gc_id"
|
:00469A21 BA90A04600 mov edx, 0046A090
:00469A26 8BC6 mov eax, esi
:00469A28 E83F0DFFFF call 0045A76C
:00469A2D 837DFC46 cmp dword ptr [ebp-04], 00000046<=set the registry value to 3Ch (3Ch + 0Ah = 46h) and the prompt says you can still try 3 more times
:00469A31 7518 jne 00469A4B
:00469A33 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"软件试用提示"
|
:00469A35 B998A04600 mov ecx, 0046A098
* Possible StringData Ref from Code Obj ->"您还可以试用3次,欢迎注册软件"
|
:00469A3A BAA8A04600 mov edx, 0046A0A8
:00469A3F A158D04600 mov eax, dword ptr [0046D058]
:00469A44 8B00 mov eax, dword ptr [eax]
:00469A46 E82DEBFDFF call 00448578
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00469A31(C)
|
:00469A4B 837DFC64 cmp dword ptr [ebp-04], 00000064
:00469A4F 7C2F jl 00469A80
:00469A51 BA01000080 mov edx, 80000001
:00469A56 8BC6 mov eax, esi
:00469A58 E86B0AFFFF call 0045A4C8
:00469A5D B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Microsoft\Internet Explorer\Main"
|
:00469A5F BAD0A04600 mov edx, 0046A0D0
:00469A64 8BC6 mov eax, esi
:00469A66 E8C10AFFFF call 0045A52C
:00469A6B 84C0 test al, al<=from here this looks like the right direction. Note what this branch does: it switches the root key to 80000001 (HKEY_CURRENT_USER), opens Internet Explorer\Main and writes "Start Page"="http://easyseek.onchina.net", i.e. once the counter reaches 64h it rewrites the IE home page
:00469A6D 7411 je 00469A80
* Possible StringData Ref from Code Obj ->"http://easyseek.onchina.net"
|
:00469A6F B904A14600 mov ecx, 0046A104
* Possible StringData Ref from Code Obj ->"Start Page"
|
:00469A74 BA28A14600 mov edx, 0046A128
:00469A79 8BC6 mov eax, esi
:00469A7B E8480CFFFF call 0045A6C8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00469A12(C), :00469A18(C), :00469A4F(C), :00469A6D(C)
|
:00469A80 837DFC64 cmp dword ptr [ebp-04], 00000064<=the same comparison again
:00469A84 7F06 jg 00469A8C
:00469A86 837DFC00 cmp dword ptr [ebp-04], 00000000<=jge: jumps if >= 0; otherwise it falls through and sets bl to 1
:00469A8A 7D02 jge 00469A8E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00469A84(C)
|
:00469A8C B301 mov bl, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00469A8A(C)
|
:00469A8E 837DFC00 cmp dword ptr [ebp-04], 00000000<=here it all becomes clear. Compare with zero; if it is not zero the program jumps. The counter's own algorithm can never produce zero (it starts at 0Ah and only ever grows by 0Ah), so zero only appears if it is set by hand.
:00469A92 756C jne 00469B00
:00469A94 33D2 xor edx, edx
:00469A96 8B879C030000 mov eax, dword ptr [edi+0000039C]
:00469A9C 8B08 mov ecx, dword ptr [eax]
:00469A9E FF5160 call [ecx+60]
* Possible StringData Ref from Code Obj ->"已注册登记版本"
|
:00469AA1 BA3CA14600 mov edx, 0046A13C
:00469AA6 8B87A0030000 mov eax, dword ptr [edi+000003A0]
:00469AAC E82327FCFF call 0042C1D4
:00469AB1 8B8734030000 mov eax, dword ptr [edi+00000334]
:00469AB7 C7400C09000000 mov [eax+0C], 00000009
:00469ABE EB40 jmp 00469B00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004699F9(C)
|
:00469AC0 B90A000000 mov ecx, 0000000A
* Possible StringData Ref from Code Obj ->"gc_id"
|
:00469AC5 BA90A04600 mov edx, 0046A090
:00469ACA 8BC6 mov eax, esi
:00469ACC E89B0CFFFF call 0045A76C
:00469AD1 BA01000080 mov edx, 80000001
:00469AD6 8BC6 mov eax, esi
:00469AD8 E8EB09FFFF call 0045A4C8
:00469ADD B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Microsoft\Internet Explorer\Main"
|
:00469ADF BAD0A04600 mov edx, 0046A0D0
:00469AE4 8BC6 mov eax, esi
:00469AE6 E8410AFFFF call 0045A52C
:00469AEB 84C0 test al, al
:00469AED 7411 je 00469B00
* Possible StringData Ref from Code Obj ->"http://easyseek.onchina.net"
|
:00469AEF B904A14600 mov ecx, 0046A104
* Possible StringData Ref from Code Obj ->"Start Page"
|
:00469AF4 BA28A14600 mov edx, 0046A128
:00469AF9 8BC6 mov eax, esi
:00469AFB E8C80BFFFF call 0045A6C8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004699E5(C), :00469A92(C), :00469ABE(U), :00469AED(C)
|
:00469B00 84DB test bl, bl<=the program jumps here to display the prompt message
:00469B02 7425 je 00469B29
:00469B04 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"提示信息"
|
:00469B06 B94CA14600 mov ecx, 0046A14C
* Possible StringData Ref from Code Obj ->"请与开发商联系,使用注册软件"
|
:00469B0B BA58A14600 mov edx, 0046A158
:00469B10 A158D04600 mov eax, dword ptr [0046D058]
:00469B15 8B00 mov eax, dword ptr [eax]
:00469B17 E85CEAFDFF call 00448578
:00469B1C 33D2 xor edx, edx
:00469B1E 8B8724030000 mov eax, dword ptr [edi+00000324]
:00469B24 8B08 mov ecx, dword ptr [eax]
:00469B26 FF5160 call [ecx+60]
Modify the registry to verify. It shows registered. OK, done.
Finally, our result. Setting the following registry data completes the registration (it is exactly what the registration-success path writes itself: xor ecx,ecx at 0046B038 followed by the "gc_id" write at 0046B041):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\seekeasysoft\easysmtp]
"gc_id"=dword:00000000
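The counter logic recovered from the two listings above, written out as a Python model so the branch behaviour can be checked without the binary. This is an added reconstruction, not code from the page's author or from the vendor. The registry is replaced by nested dicts, and treating the callees at 0045A52C, 0045A904, 0045A780, 0045A76C and 0045A6C8 as Delphi TRegistry OpenKey / ValueExists / ReadInteger / WriteInteger / WriteString is an assumption drawn from the register calling convention (eax = Self, edx, ecx) and the 80000001 / 80000002 root-key constants, not something the page states. It also assumes bl is zero when the listing at 004699D7 begins.

```python
# Model of the trial counter (004699D7..00469B26) and the registration
# path (0046AFC0..0046B054) from the listing. Added reconstruction, not the
# vendor's code. Registry hives are dicts; the TRegistry method identities
# and bl == 0 at entry are assumptions (see lead-in).

APP_KEY = r"Software\Microsoft\Windows\CurrentVersion\seekeasysoft\easysmtp"
COUNTER = "gc_id"
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
VENDOR_URL = "http://easyseek.onchina.net"


def _hijack_start_page(hkcu):
    # 00469A51 / 00469AD1: RootKey = 80000001 (HKCU), OpenKey(IE\Main, 1),
    # WriteString("Start Page", "http://easyseek.onchina.net")
    hkcu.setdefault(IE_MAIN, {})["Start Page"] = VENDOR_URL


def startup_check(hklm, hkcu):
    """One launch of the program. Returns the user-visible outcomes."""
    out = {"registered": False, "trial_prompt": False,
           "nag": False, "start_page_set": False}
    bl = False                          # assumed cleared before 004699D7
    app = hklm.setdefault(APP_KEY, {})  # OpenKey(..., CanCreate=1) at 004699DE
    if COUNTER not in app:              # ValueExists at 004699F2 -> je 00469AC0
        app[COUNTER] = 0x0A             # 00469AC0: WriteInteger("gc_id", 0Ah)
        _hijack_start_page(hkcu)
        out["start_page_set"] = True
        return out                      # 00469B00 with bl == 0: no nag
    n = app[COUNTER]                    # ReadInteger at 00469A06 -> [ebp-04]
    if 0 < n <= 0x64:                   # 00469A0E jle / 00469A14 jg
        n += 0x0A                       # 00469A1A add [ebp-04], 0Ah
        app[COUNTER] = n                # 00469A28 WriteInteger("gc_id", n)
        if n == 0x46:                   # 00469A2D: "you can still try 3 times"
            out["trial_prompt"] = True
        if n >= 0x64:                   # 00469A4B jl skips while n < 64h
            _hijack_start_page(hkcu)
            out["start_page_set"] = True
    if n > 0x64 or n < 0:               # 00469A80..00469A8C: mov bl, 01
        bl = True
    if n == 0:                          # 00469A8E: zero is "registered"
        out["registered"] = True        # "已注册登记版本" is shown
    if bl:                              # 00469B00 test bl, bl
        out["nag"] = True               # "请与开发商联系,使用注册软件"
    return out


def register_success(hklm):
    """Path after the registration number matches (0046AFC0..0046B054):
    RootKey = 80000002 (HKLM), WriteInteger("gc_id", 0) via xor ecx,ecx."""
    hklm.setdefault(APP_KEY, {})[COUNTER] = 0


def launches_until(hklm, hkcu, field, limit=50):
    """Launch repeatedly until out[field] is set; 1-based launch count or None."""
    for i in range(1, limit + 1):
        if startup_check(hklm, hkcu)[field]:
            return i
    return None


if __name__ == "__main__":
    hklm, hkcu = {}, {}
    print("launch that shows the 3-more-tries prompt:",
          launches_until(hklm, hkcu, "trial_prompt"))
    print("launches after that until the nag:",
          launches_until(hklm, hkcu, "nag"))
    hklm[APP_KEY][COUNTER] = 0          # the .reg fix from the page
    print("after gc_id=0:", startup_check(hklm, hkcu))
```

Running it shows the prompt on the 7th launch (the counter reaches 46h), the nag on the 4th launch after that (the counter passes 64h), and that 0 is the only counter value the startup path treats as registered, which is why the one-line .reg fix works. The model also makes a side effect visible that the listing carries but the text does not mention: the IE start page is rewritten on the very first launch and again whenever the counter reaches 64h.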