A look with FI shows the target is not even packed.
Disassemble it with W32Dasm, open the string references, and you will see
String Resource ID=00180: "Welcome to CDRWIN...
This software is now unlocked and fully"
Go to
* Possible Reference to String Resource ID=00180: "Welcome to CDRWIN...
This software is now unlocked and fully"
|
:0041DF45 68B4000000 push 000000B4
:0041DF4A E8D5270500 call 00470724
:0041DF4F 8BCE mov ecx, esi
:0041DF51 E81AC90400 call 0046A870
:0041DF56 E81A090500 call 0046E875
:0041DF5B 85C0 test eax, eax
:0041DF5D 7409 je 0041DF68
:0041DF5F 8B10 mov edx, dword ptr [eax]
:0041DF61 8BC8 mov ecx, eax
:0041DF63 FF5274 call [edx+74]
:0041DF66 EB02 jmp 0041DF6A
Look upward:
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx"   (suspicious: a four-field hex scan, whose result is compared with 4 below)
|
:0041DEE6 68F4514A00 push 004A51F4
:0041DEEB 52 push edx
:0041DEEC E8AC9C0300 call 00457B9D //checks the unlock code format (four fields expected)
:0041DEF1 83C418 add esp, 00000018
:0041DEF4 83F804 cmp eax, 00000004
:0041DEF7 0F8597000000 jne 0041DF94
:0041DEFD 8D45CC lea eax, dword ptr [ebp-34]
:0041DF00 8D4DD0 lea ecx, dword ptr [ebp-30]
:0041DF03 50 push eax
:0041DF04 8D55D4 lea edx, dword ptr [ebp-2C]
:0041DF07 51 push ecx
:0041DF08 8B4DEC mov ecx, dword ptr [ebp-14]
:0041DF0B 8D45D8 lea eax, dword ptr [ebp-28]
:0041DF0E 52 push edx
:0041DF0F 50 push eax
* Possible StringData Ref from Data Obj ->"%lx-%lx-%lx-%lx"
|
:0041DF10 68F4514A00 push 004A51F4
:0041DF15 51 push ecx
:0041DF16 E8829C0300 call 00457B9D //checks the check code format
:0041DF1B 83C418 add esp, 00000018
:0041DF1E 83F804 cmp eax, 00000004
:0041DF21 7571 jne 0041DF94
:0041DF23 8B4DE4 mov ecx, dword ptr [ebp-1C]
:0041DF26 8845FC mov byte ptr [ebp-04], al
:0041DF29 8D55CC lea edx, dword ptr [ebp-34]
:0041DF2C 8D45BC lea eax, dword ptr [ebp-44]
:0041DF2F 52 push edx
:0041DF30 8B55E0 mov edx, dword ptr [ebp-20]
:0041DF33 50 push eax
:0041DF34 51 push ecx
:0041DF35 52 push edx
:0041DF36 E855690000 call 00424890 //key comparison
:0041DF3B 83C410 add esp, 00000010
:0041DF3E 895DFC mov dword ptr [ebp-04], ebx
* Possible Reference to String Resource ID=00255: "Invalid disc count specified."
|
:0041DF41 6AFF push FFFFFFFF
:0041DF43 6A40 push 00000040
Load it in TRW2000.
Trace into the key call at 0041DF36 (call 00424890).
Keep pressing F10 until
:00424936 83C30F add ebx, 0000000F
:00424939 81FBC5040000 cmp ebx, 000004C5
:0042493F 7D13 jge 00424954
:00424941 6A00 push 00000000
:00424943 6A00 push 00000000
:00424945 6A00 push 00000000
:00424947 6835FFFFFF push FFFFFF35
:0042494C E85F340000 call 00427DB0 //stepping over this with F10 pops up the expiry message
Change the 7D13 at 0042493F to EB13 (jge becomes an unconditional jmp).
Click register again: it now reports success.
But on the next start it again says the registration code has expired.
Load it in TRW2000 again and set a breakpoint at 00427DB0:
it breaks there again.
So reload and, starting from the entry point, keep pressing F10 until
:00458074 FF1598B24700 Call dword ptr [0047B298]
:0045807A 50 push eax
:0045807B E867FA0000 call 00467AE7 //stepping over this with F10 pops up the expiry message
Trace in:
* Referenced by a CALL at Address:
|:0045807B
|
:00467AE7 FF742410 push [esp+10]
:00467AEB FF742410 push [esp+10]
:00467AEF FF742410 push [esp+10]
:00467AF3 FF742410 push [esp+10]
:00467AF7 E8517F0000 call 0046FA4D //traced into below
:00467AFC C21000 ret 0010
Keep tracing into call 0046FA4D:
* Referenced by a CALL at Address:
|:00467AF7
|
:0046FA4D 53 push ebx
:0046FA4E 56 push esi
:0046FA4F 57 push edi
:0046FA50 83CBFF or ebx, FFFFFFFF
:0046FA53 E81DEEFFFF call 0046E875
:0046FA58 8BF0 mov esi, eax
:0046FA5A E8753C0000 call 004736D4
:0046FA5F FF74241C push [esp+1C]
:0046FA63 8B7804 mov edi, dword ptr [eax+04]
:0046FA66 FF74241C push [esp+1C]
:0046FA6A FF74241C push [esp+1C]
:0046FA6E FF74241C push [esp+1C]
:0046FA72 E851540000 call 00474EC8
:0046FA77 85C0 test eax, eax
:0046FA79 743B je 0046FAB6
:0046FA7B 85FF test edi, edi
:0046FA7D 740E je 0046FA8D
:0046FA7F 8B07 mov eax, dword ptr [edi]
:0046FA81 8BCF mov ecx, edi
:0046FA83 FF9084000000 call dword ptr [eax+00000084]
:0046FA89 85C0 test eax, eax
:0046FA8B 7429 je 0046FAB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046FA7D(C)
|
:0046FA8D 8B06 mov eax, dword ptr [esi]
:0046FA8F 8BCE mov ecx, esi
:0046FA91 FF5050 call [eax+50] //stepping over this with F10 pops up the expiry message
:0046FA94 85C0 test eax, eax
:0046FA96 7515 jne 0046FAAD
:0046FA98 8B4E1C mov ecx, dword ptr [esi+1C]
:0046FA9B 85C9 test ecx, ecx
:0046FA9D 7405 je 0046FAA4
:0046FA9F 8B01 mov eax, dword ptr [ecx]
:0046FAA1 FF5058 call [eax+58]
Trace in, until
:00424847 6A00 push 00000000
:00424849 6A00 push 00000000
:0042484B 6834FFFFFF push FFFFFF34
:00424850 E85B350000 call 00427DB0
:00424855 83C410 add esp, 00000010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424843(C)
|
:00424858 83C60F add esi, 0000000F
:0042485B 81FEC5040000 cmp esi, 000004C5
:00424861 5E pop esi
:00424862 7D13 jge 00424877
:00424864 6A00 push 00000000
:00424866 6A00 push 00000000
:00424868 6A00 push 00000000
:0042486A 6835FFFFFF push FFFFFF35
:0042486F E83C350000 call 00427DB0 //key call
:00424874 83C410 add esp, 00000010
Look familiar? Yes, it is the same check as before.
Change the 7D13 at 00424862 to EB13.
Ctrl+N and the program runs normally.

Cleanup
With a hex editor, search for 7D 13 6A 00 6A 00 6A 00 (the jge rel8, opcode 7D, followed by the three push 0 shown in the listing)
and change it to EB 13 -- -- -- -- -- -- (only the first byte changes; the others stay as they are).
The search should hit exactly twice, at the file offsets that correspond to 0042493F and 00424862; if it hits anywhere else, extend the pattern with the following 68 35 FF FF FF so only these two sites are patched.
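The hex-editor step above, as an added Python example that is not part of the original write-up and not CDRWIN's code: it locates the two jge sites by byte pattern, refuses to patch unless the pattern matches exactly the expected number of times, flips 7D to EB at each match, and maps the virtual addresses from the listing to file offsets through the PE section table so the matches can be cross-checked against 0042493F and 00424862. The image it patches is a constructed minimal PE32 stand-in (ImageBase 0x400000, one .text section at RVA 0x1000 / raw offset 0x200, and a near-miss decoy are all assumptions), not the real executable.

```python
import struct

JGE_REL8 = 0x7D   # jge rel8 opcode
JMP_REL8 = 0xEB   # jmp rel8 opcode

# Byte sequence at 0042493F and 00424862 in the listing:
# jge +0x13 / push 0 / push 0 / push 0 / push FFFFFF35.  The trailing push
# immediate is included so the search does not hit unrelated jge/push code.
CHECK_PATTERN = bytes.fromhex("7D 13 6A 00 6A 00 6A 00 68 35 FF FF FF")


def find_all(data, pattern):
    """Return every file offset at which pattern occurs in data."""
    hits, i = [], data.find(pattern)
    while i != -1:
        hits.append(i)
        i = data.find(pattern, i + 1)
    return hits


def patch_jge_to_jmp(data, pattern=CHECK_PATTERN, expected_hits=2):
    """Turn the jge at the start of each match into jmp (7D -> EB), keeping rel8.
    Refuses to patch unless exactly expected_hits matches are found."""
    hits = find_all(data, pattern)
    if len(hits) != expected_hits:
        raise ValueError(f"expected {expected_hits} matches, found {len(hits)}: "
                         + ", ".join(f"{h:#x}" for h in hits))
    buf = bytearray(data)
    for off in hits:
        assert buf[off] == JGE_REL8
        buf[off] = JMP_REL8
    return bytes(buf), hits


def va_to_file_offset(image, va):
    """Map a virtual address to a raw file offset via the PE32 section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    rva = va - image_base
    sec = opt + size_of_opt
    for _ in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, sec + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
        sec += 40
    raise ValueError(f"VA {va:#x} is not inside any section")


def build_sample_image():
    """Constructed stand-in for the target (NOT the real CDRWIN binary): a minimal
    PE32 with ImageBase 0x400000 and one .text section at RVA 0x1000 / raw 0x200,
    holding the check sequence at the two VAs from the listing plus a near-miss
    decoy (push FFFFFF34 instead of FFFFFF35) that must not be patched."""
    image_base, text_rva, text_raw = 0x400000, 0x1000, 0x200
    text = bytearray(b"\x90" * 0x25000)
    for va in (0x42493F, 0x424862):
        off = va - image_base - text_rva
        text[off:off + len(CHECK_PATTERN)] = CHECK_PATTERN
    decoy = bytes.fromhex("7D 13 6A 00 6A 00 6A 00 68 34 FF FF FF")
    text[0x100:0x100 + len(decoy)] = decoy

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), text_rva,
                                        len(text), text_raw, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + b"\0" * (text_raw - len(hdr)) + bytes(text)


if __name__ == "__main__":
    img = build_sample_image()
    patched, hits = patch_jge_to_jmp(img)
    for va in (0x42493F, 0x424862):
        off = va_to_file_offset(img, va)
        print(f"VA {va:#010x} -> file offset {off:#x}: {img[off]:02X} -> {patched[off]:02X}")
    assert sorted(va_to_file_offset(img, va) for va in (0x42493F, 0x424862)) == hits
```

On a real file, read the executable into bytes, call patch_jge_to_jmp, and write the result to a copy; the raw-to-VA mapping is what confirms that a hit is one of the two sites in the listing and not a coincidental match. Passing the shorter 7-byte pattern from the write-up to patch_jge_to_jmp on the sample raises ValueError because the decoy makes a third hit, which is exactly the case the longer pattern guards against.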