Original poster | Posted on 2010-10-18 20:21:17
Here is an expert's cracking walkthrough; I don't understand it myself.
[Article author]: 墨缘
[Author's homepage]: http://chinamyg.5d6d.com
[Software name]: 串口网络调试工具专业版 V2.0 (Serial Port Network Debugging Tool Professional Edition V2.0) crack
[Software size]: 2.30 MB
[Tools used]: OD
[Download address]: http://shareware.skycn.com/count_download.php?get=1&soft_id=8591
[Packer]: none
[Author's statement]: This is purely out of interest, with no other purpose. Corrections of any mistakes are welcome! If copyright is involved, the author may request removal.
[Cracking process] PEiD shows no packer; the programming language is Borland Delphi 6.0 - 7.0.
On the Pediy (看雪) forum I saw a help request from someone who had run into many problems cracking this software, so since I had some time I downloaded it and looked into it. It is a restart-verification type. Enough talk, see the process below.
1. Use DeDe to find the register button event handler (address 0052B328).
2. Load the main program of 串口网络调试工具专业版 V2.0 in OD, press Ctrl+G to go to 0052B328, and set a breakpoint at the start of the function:
0052B328 . 55 push ebp //F2 to set the breakpoint, Shift+F9 to run the program, then single-step downwards
0052B329 . 8BEC mov ebp, esp
0052B32B . B9 07000000 mov ecx, 7
0052B330 > 6A 00 push 0
0052B332 . 6A 00 push 0
0052B334 . 49 dec ecx
0052B335 .^ 75 F9 jnz short 0052B330
0052B337 . 53 push ebx
0052B338 . 56 push esi
0052B339 . 57 push edi
0052B33A . 8945 FC mov dword ptr [ebp-4], eax
0052B33D . 33C0 xor eax, eax
0052B33F . 55 push ebp
0052B340 . 68 ABB65200 push 0052B6AB
0052B345 . 64:FF30 push dword ptr fs:[eax]
0052B348 . 64:8920 mov dword ptr fs:[eax], esp
0052B34B . 8D55 F0 lea edx, dword ptr [ebp-10]
0052B34E . 8B45 FC mov eax, dword ptr [ebp-4]
0052B351 . 8B80 60030000 mov eax, dword ptr [eax+360]
0052B357 . E8 E42DF4FF call 0046E140
0052B35C . 837D F0 00 cmp dword ptr [ebp-10], 0
0052B360 . 75 26 jnz short 0052B388
0052B362 . 66:A1 BCB6520>mov ax, word ptr [52B6BC]
0052B368 . 50 push eax
0052B369 . 6A 00 push 0
0052B36B . 8B15 045D5400 mov edx, dword ptr [545D04] ; 3.00545904
0052B371 . 8B12 mov edx, dword ptr [edx]
0052B373 . 8B45 FC mov eax, dword ptr [ebp-4]
0052B376 . 8B80 58030000 mov eax, dword ptr [eax+358]
0052B37C . B1 02 mov cl, 2
0052B37E . E8 15DBFBFF call 004E8E98
0052B383 . E9 E6020000 jmp 0052B66E
0052B388 > 33C0 xor eax, eax
0052B38A . 55 push ebp
0052B38B . 68 C7B35200 push 0052B3C7
0052B390 . 64:FF30 push dword ptr fs:[eax]
0052B393 . 64:8920 mov dword ptr fs:[eax], esp
0052B396 . 8D45 F4 lea eax, dword ptr [ebp-C]
0052B399 . 50 push eax
0052B39A . 8D55 EC lea edx, dword ptr [ebp-14]
0052B39D . 8B45 FC mov eax, dword ptr [ebp-4]
0052B3A0 . 8B80 60030000 mov eax, dword ptr [eax+360]
0052B3A6 . E8 952DF4FF call 0046E140
0052B3AB . 8B45 EC mov eax, dword ptr [ebp-14]
0052B3AE . 8B15 A45E5400 mov edx, dword ptr [545EA4] ; 3.005458BC
0052B3B4 . 8B12 mov edx, dword ptr [edx]
0052B3B6 . 33C9 xor ecx, ecx
0052B3B8 E8 33F1FFFF call 0052A4F0 //best to NOP this out
0052B3BD . 33C0 xor eax, eax
0052B3BF . 5A pop edx
0052B3C0 . 59 pop ecx
0052B3C1 . 59 pop ecx
0052B3C2 . 64:8910 mov dword ptr fs:[eax], edx
0052B3C5 . EB 35 jmp short 0052B3FC
0052B3C7 .^ E9 F085EDFF jmp 004039BC
0052B3CC . 66:A1 BCB6520>mov ax, word ptr [52B6BC]
0052B3D2 . 50 push eax
0052B3D3 . 6A 00 push 0
0052B3D5 . 8B15 DC5B5400 mov edx, dword ptr [545BDC] ; 3.00545908
0052B3DB . 8B12 mov edx, dword ptr [edx]
0052B3DD . 8B45 FC mov eax, dword ptr [ebp-4]
0052B3E0 . 8B80 58030000 mov eax, dword ptr [eax+358]
0052B3E6 . 33C9 xor ecx, ecx
0052B3E8 . E8 ABDAFBFF call 004E8E98
0052B3ED . E8 3289EDFF call 00403D24
0052B3F2 . E9 77020000 jmp 0052B66E
0052B3F7 . E8 2889EDFF call 00403D24
0052B3FC > 8D45 E8 lea eax, dword ptr [ebp-18]
0052B3FF . 50 push eax
0052B400 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
0052B403 . A1 905C5400 mov eax, dword ptr [545C90]
0052B408 . 8B00 mov eax, dword ptr [eax]
0052B40A . 8B90 201B0000 mov edx, dword ptr [eax+1B20]
0052B410 . 8B45 FC mov eax, dword ptr [ebp-4]
0052B413 . E8 ACFBFFFF call 0052AFC4
0052B418 . 8B45 E4 mov eax, dword ptr [ebp-1C]
0052B41B . 8B15 B05C5400 mov edx, dword ptr [545CB0] ; 3.005458C0
0052B421 . 8B12 mov edx, dword ptr [edx]
0052B423 . 33C9 xor ecx, ecx
0052B425 . E8 02EFFFFF call 0052A32C
0052B42A . 8B55 E8 mov edx, dword ptr [ebp-18]
0052B42D . 8B45 F4 mov eax, dword ptr [ebp-C]
0052B430 E8 C792EDFF call 004046FC //key CALL; you may step into it with F7 or not
0052B435 0F85 01020000 jnz 0052B63C //key jump, NOP it out.
0052B43B . C605 DC915400>mov byte ptr [5491DC], 1
0052B442 . 8D45 E0 lea eax, dword ptr [ebp-20]
0052B445 . 50 push eax
Save the changes above to the file. This alone does not complete the crack: the registration code has to be entered every time, which shows at a glance that it is a restart-verification type, so we continue cracking.
3. Load the just-saved file in OD and set a breakpoint in the command window: bp RegOpenKeyA
//data shown in the stack window
0013F934 1002C80D /CALL 到 RegOpenKeyA 来自 VSPort.1002C807
0013F938 0000009E |hKey = 9E
0013F93C 10032C40 |Subkey = "InprocServer32"
0013F940 0013F95C \pHandle = 0013F95C
0013F944 77DCD5BB advapi32.RegCreateKeyA
0013F948 0000004E
0013F94C /0013FF00
0013F950 |10004CB6 返回到 VSPort.10004CB6 来自 VSPort.1002C790
0013F954 |00000092
0013F958 |0000009E
0013F95C |00000002
0013F960 |4646467B
77DCC41B > 8BFF mov edi, edi //OD stops here; Alt+F9 to return ; VSPort.1003E170
77DCC41D 55 push ebp
77DCC41E 8BEC mov ebp, esp
77DCC420 8B55 10 mov edx, dword ptr [ebp+10]
77DCC423 85D2 test edx, edx
77DCC425 0F84 B9A00000 je 77DD64E4
77DCC42B 8B4D 0C mov ecx, dword ptr [ebp+C]
77DCC42E 85C9 test ecx, ecx
//returns to here
00540A19 . 85C0 test eax, eax //OD stops here; keep single-stepping downwards until you reach the key place
00540A1B . 74 34 je short 00540A51
00540A1D . B8 6C0D5400 mov eax, 00540D6C ; dllregisterserver
00540A22 . 8945 C0 mov dword ptr [ebp-40], eax
00540A25 . C645 C4 0B mov byte ptr [ebp-3C], 0B
00540A29 . A1 00925400 mov eax, dword ptr [549200]
00540A2E . 8945 C8 mov dword ptr [ebp-38], eax
00540A31 . C645 CC 0B mov byte ptr [ebp-34], 0B
00540A35 . 8D45 C0 lea eax, dword ptr [ebp-40]
00540A38 . 50 push eax
//the key place; change the commented spots and save, and that's it...
0053810D 83B8 DC1A0000>cmp dword ptr [eax+1ADC], 0 ; //the comparison that controls the jump; the jump is taken, so change the 0 to 1 so that the JE is not taken
00538114 . 0F84 51010000 je 0053826B //with the change above, this no longer jumps
0053811A . 8D45 8C lea eax, dword ptr [ebp-74]
0053811D . 50 push eax
0053811E . 8D4D 88 lea ecx, dword ptr [ebp-78]
00538121 . 8B45 FC mov eax, dword ptr [ebp-4]
00538124 . 8B90 201B0000 mov edx, dword ptr [eax+1B20]
0053812A . A1 6C5A5400 mov eax, dword ptr [545A6C]
0053812F . 8B00 mov eax, dword ptr [eax]
00538131 . E8 8E2EFFFF call 0052AFC4
00538136 . 8B45 88 mov eax, dword ptr [ebp-78]
00538139 . 33C9 xor ecx, ecx
0053813B . 8B15 C0585400 mov edx, dword ptr [5458C0] ; 串口网络.0052C128
00538141 . E8 E621FFFF call 0052A32C
00538146 . 8B55 8C mov edx, dword ptr [ebp-74]
00538149 . 8B45 FC mov eax, dword ptr [ebp-4]
0053814C . 8B80 DC1A0000 mov eax, dword ptr [eax+1ADC]
00538152 . E8 A5C5ECFF call 004046FC
00538157 0F85 0E010000 jnz 0053826B ; //NOP it out; when taken it jumps to "trial period expired"
0053815D 8B45 FC mov eax, dword ptr [ebp-4]
00538160 8B80 E41A0000 mov eax, dword ptr [eax+1AE4]
00538166 8B15 C4585400 mov edx, dword ptr [5458C4] ; 串口网络.0052C144
0053816C E8 8BC5ECFF call 004046FC
00538171 0F85 F4000000 jnz 0053826B ; //NOP it out, to be safe
00538177 8B45 FC mov eax, dword ptr [ebp-4]
0053817A 80B8 341B0000>cmp byte ptr [eax+1B34], 1
00538181 0F85 E4000000 jnz 0053826B ; //NOP it out; when taken it jumps to "trial period expired"
00538187 . 8B15 FC575400 mov edx, dword ptr [5457FC] ; 串口网络.0052BB88
0053818D . A1 F0915400 mov eax, dword ptr [5491F0]
00538192 . E8 D95FF3FF call 0046E170
00538197 . 8D55 84 lea edx, dword ptr [ebp-7C]
0053819A . A1 F0915400 mov eax, dword ptr [5491F0]
0053819F . E8 9C5FF3FF call 0046E140
005381A4 . 8B55 84 mov edx, dword ptr [ebp-7C]
005381A7 . A1 385E5400 mov eax, dword ptr [545E38]
005381AC . 8B00 mov eax, dword ptr [eax]
005381AE . E8 956CF2FF call 0045EE48
005381B3 . A1 A85B5400 mov eax, dword ptr [545BA8]
005381B8 . C600 01 mov byte ptr [eax], 1
005381BB . 8B45 FC mov eax, dword ptr [ebp-4]
005381BE . 8B80 34060000 mov eax, dword ptr [eax+634]
005381C4 . 33D2 xor edx, edx
005381C6 . E8 955EF3FF call 0046E060
005381CB . 8B45 FC mov eax, dword ptr [ebp-4]
005381CE . 8B80 E4030000 mov eax, dword ptr [eax+3E4]
005381D4 . 33D2 xor edx, edx
005381D6 . E8 25ECEFFF call 00436E00
005381DB . A1 B8585400 mov eax, dword ptr [5458B8]
005381E0 . E8 CBC5ECFF call 004047B0
005381E5 . 50 push eax
005381E6 . 6A 00 push 0
005381E8 . 6A 00 push 0
005381EA . E8 29E5ECFF call 00406718
005381EF . 8BD8 mov ebx, eax
005381F1 . 8B45 FC mov eax, dword ptr [ebp-4]
005381F4 . 8998 C4160000 mov dword ptr [eax+16C4], ebx
005381FA . 6A 00 push 0 ; /Timeout = 0. ms
005381FC . 53 push ebx ; |hObject
005381FD . E8 3EE8ECFF call <jmp.&kernel32.WaitForSingleObje>; \WaitForSingleObject
00538202 3D 02010000 cmp eax, 102
00538207 . 75 55 jnz short 0053825E
00538209 . 8B45 FC mov eax, dword ptr [ebp-4]
0053820C . E8 2F76FFFF call 0052F840