WINDOWS优化大师 v3.53“暗门”的解决过程(时空幻影于2001年4月6日)
最近许多人在用我写的注册机时,遇到这样一个问题:输入生成的注册码后,该软件提示已注册,但是退出该软件再运行时,又变成未注册的了。
我先用CASPR(脱壳工具)脱掉该软件的壳,然后再用W32DASM进行反汇编,查看可疑字符串,果然看到了“未注册”(因为该软件运行后有“未注册”字样,所以我是从最后往前翻才看到的,结果绕了一个圈子,如果从前面往后翻的话,我会解决得更快)。
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00524167(U), :00524173(U)
|
:00524185 8B4584
mov eax, dword ptr [ebp-7C]
:00524188 E8DFEDEDFF call
00402F6C
:0052418D 8B4580
mov eax, dword ptr [ebp-80]
:00524190 E8D7EDEDFF call
00402F6C
:00524195 8B45FC
mov eax, dword ptr [ebp-04]
:00524198 E8933FFFFF call
00518130 <--把W32DASM的光棒移到该位置,点击工具栏的"Call"
:0052419D 85C0
test eax, eax
:0052419F 0F85A6000000 jne 0052424B
<--当EAX为0时注册成功,为1时则变为未注册
:005241A5 8B45FC
mov eax, dword ptr [ebp-04]
:005241A8 8B80D0070000 mov eax, dword
ptr [eax+000007D0]
* Possible StringData Ref from Code Obj ->"Windows优化大师 V3.53 (已注册)"
|
:005241AE BAE06F5200 mov edx,
00526FE0
:005241B3 E808D6F0FF call
004317C0
:005241B8 B201
mov dl, 01
:005241BA A1246B4500 mov eax,
dword ptr [00456B24]
:005241BF E8602AF3FF call
00456C24
:005241C4 898514FFFFFF mov dword
ptr [ebp+FFFFFF14], eax
:005241CA BA02000080 mov edx,
80000002
:005241CF 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:005241D5 E8EA2AF3FF call
00456CC4
:005241DA 33C9
xor ecx, ecx
* Possible StringData Ref from Code Obj ->"Software\Wom"
|
:005241DC BA98575200 mov edx,
00525798
:005241E1 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:005241E7 E81C2CF3FF call
00456E08
:005241EC 84C0
test al, al
:005241EE 742F
je 0052421F
* Possible StringData Ref from Code Obj ->"Masters"
|
:005241F0 BA08705200 mov edx,
00527008
:005241F5 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:005241FB E8B833F3FF call
004575B8
:00524200 84C0
test al, al
:00524202 7410
je 00524214
* Possible StringData Ref from Code Obj ->"Masters"
|
:00524204 BA08705200 mov edx,
00527008
:00524209 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:0052420F E8902EF3FF call
004570A4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00524202(C)
|
:00524214 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:0052421A E8752AF3FF call
00456C94
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005241EE(C)
|
:0052421F 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:00524225 E842EDEDFF call
00402F6C
:0052422A 8B45FC
mov eax, dword ptr [ebp-04]
:0052422D 8B8060040000 mov eax, dword
ptr [eax+00000460]
:00524233 33D2
xor edx, edx
:00524235 E86ED4F0FF call
004316A8
:0052423A B8283F5500 mov eax,
00553F28
* Possible StringData Ref from Code Obj ->"未注册"
|
:0052423F BA18705200 mov edx,
00527018 <--双击“未注册”后来到这,然后往上翻,看看
:00524244 E8C3FAEDFF call
00403D0C 有没有与之相关的跳转语句
:00524249 EB5F
jmp 005242AA
//-----------------------------------------------------------------------------------------------
:00518130 55
push ebp <--点了"Call"以后来到这,然后往下翻
:00518131 8BEC
mov ebp, esp
:00518133 81C48CFEFFFF add esp, FFFFFE8C
:00518139 53
push ebx
:0051813A 56
push esi
:0051813B 33D2
xor edx, edx
//-----------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00518370(C), :0051837C(C)
|
:005183A9 8B95A0FEFFFF mov edx, dword
ptr [ebp+FFFFFEA0]
* Possible StringData Ref from Code Obj ->"cr-wom" <--看着有点眼熟
|
:005183AF B8B8865100 mov eax,
005186B8
:005183B4 E86BBEEEFF call
00404224 <--判断当前目录下是否有含"cr-wom"的文件名
:005183B9 85C0
test eax, eax
:005183BB 742B
je 005183E8 <--EAX为1的话就GAME OVER了
:005183BD 8B45FC
mov eax, dword ptr [ebp-04]
:005183C0 8B80D0070000 mov eax, dword
ptr [eax+000007D0]
* Possible StringData Ref from Code Obj ->"Windows优化大师 V3.53 (未注册)"
|
:005183C6 BA48865100 mov edx,
00518648
:005183CB E8F093F1FF call
004317C0
:005183D0 8BC6
mov eax, esi
:005183D2 E8BDE8F3FF call
00456C94
:005183D7 8BC6
mov eax, esi
:005183D9 E88EABEEFF call
00402F6C
:005183DE BB01000000 mov ebx,
00000001
:005183E3 E9CA010000 jmp 005185B2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005183BB(C)
|
* Possible StringData Ref from Code Obj ->"Windowsyhds.exe" <--看着更加眼熟了
|
:005183E8 B8C8865100 mov eax,
005186C8
:005183ED E8460DEFFF call
00409138 <--判断判断当前目录下是否有含"Windowsyhds.exe"
:005183F2 84C0
test al, al 的文件名
:005183F4 751C
jne 00518412 <--al为1的话就GAME OVER了
* Possible StringData Ref from Code Obj ->"fwd.txt"
|
:005183F6 B8E0865100 mov eax,
005186E0
:005183FB E8380DEFFF call
00409138 <--判断判断当前目录下是否有含"fwd.txt"的文件名
:00518400 84C0
test al, al
:00518402 750E
jne 00518412 <--al为1的话就GAME OVER了
* Possible StringData Ref from Code Obj ->"wom29a_k.exe"
|
:00518404 B8F0865100 mov eax,
005186F0
:00518409 E82A0DEFFF call
00409138 <--判断判断当前目录下是否有含"wom29a_k.exe"的文
:0051840E 84C0
test al, al 件名
:00518410 742B
je 0051843D <--al为1的话就GAME OVER了
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005183F4(C), :00518402(C)
|
:00518412 8B45FC
mov eax, dword ptr [ebp-04]
:00518415 8B80D0070000 mov eax, dword
ptr [eax+000007D0]
* Possible StringData Ref from Code Obj ->"Windows优化大师 V3.53 (未注册)"
|
:0051841B BA48865100 mov edx,
00518648
:00518420 E89B93F1FF call
004317C0
:00518425 8BC6
mov eax, esi
:00518427 E868E8F3FF call
00456C94
:0051842C 8BC6
mov eax, esi
:0051842E E839ABEEFF call
00402F6C
:00518433 BB01000000 mov ebx,
00000001
:00518438 E975010000 jmp 005185B2
综上所述,我们可以得出一个结论:那就是只要该软件目录下有包含"cr-wom"字符串的注册机文件名或者是以下三种文件名"Windowsyhds.exe"、"fwd.txt"、"wom29a_k.exe"的一种就变成未注册的了,解决的办法就是把注册机移到其他的目录下,或者把注册机改名即可。
- 标 题:我也发个帖子,凑凑热闹:WINDOWS优化大师 v3.53“暗门”的解决过程 (7千字)
- 作 者:时空幻影
- 时 间:2001-4-10 11:17:05
- 链 接:http://bbs.pediy.com