〓破解NetCaptor最新版6.5.0 Final的限制〓
破解者:moonlite[BCG][FCG]
目标: NetCaptor最新版6.5.0 Final
应用平台:Win9X/ME/WinNT/2K
软件主页:http://www.netcaptor.com/
大小:675k
软件用途: 一个比IE好很多的浏览器,新版本功能多多,本人一直用它。
保护:ASPack 2.11c 壳,30天试用,提示注册Nag窗,CRC校验。
工具:TRW1.22, W32dasm,Caspr,Winhex
◆首先去掉它的时间限制:
首先,用 Caspr 脱掉 ASPack 外壳。注意:下面所有的地址和文件偏移都是针对脱壳后得到的 NetCaptor.exe 而言的,不要拿带壳的原文件去改。
1)运行 NetCaptor.exe,提示窗口弹出,告诉你已经 Trial 到第几天了……(注:这个窗口只在特定的天数出现,如第 1、5、10、15 天等)
点击“Try NetCaptor”按钮,Ctrl+D 激活 TRW 并来到 TRW 领空;Pmodule 一次,再按 F12+F10 数次,会来到:
:00504643 E80498FDFF call 004DDE4C
:00504648 A1D46F5000 mov eax,
dword ptr [00506FD4]
:0050464D 8A00
mov al, byte ptr [eax]
:0050464F 3C02                   cmp al, 02-------------------------->打补丁①:mov al,02★(3C02→B002)
:00504651 0F94C3                 sete bl----------------------------->注意 mov 不改标志位,打补丁后这条 sete 用的是前面 call 004DDE4C 留下的标志;真正起作用的是 0050465A 处再做一次 cmp al,02 之后的 je
:00504654 8B15D46F5000 mov edx, dword
ptr [00506FD4]
:0050465A 3C02
cmp al, 02
:0050465C 0F8498000000 je 005046FA
:00504662 8D45C0
lea eax, dword ptr [ebp-40]
:00504665 E86EECF9FF call 004A32D8
:0050466A 8B75C0
mov esi, dword ptr [ebp-40]
:0050466D A1D46F5000 mov eax,
dword ptr [00506FD4]
:00504672 897004
mov dword ptr [eax+04], esi
:00504675 A1D46F5000 mov eax,
dword ptr [00506FD4]
:0050467A 83FE1E                 cmp esi, 0000001E---------------------|1Eh = 30,正是试用期天数!esi 就是刚才 call 004A32D8 取回、又存到 [eax+04] 的那个值
:0050467D 7E08                   jle 00504687---------------------------------->光标在此!
:0050467F A1D46F5000             mov eax, dword ptr [00506FD4]
:00504684 C60001                 mov byte ptr [eax], 01----------------------->超过 30 天就把状态字节写成 01(看上下文应该是“已过期”);02 才是上面要比较的注册状态
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050467D(C)
|
:00504687 B9B6945000 mov ecx,
005094B6
:0050468C 8B15D46F5000 mov edx, dword
ptr [00506FD4]
:00504692 8B5204
mov edx, dword ptr [edx+04]
:00504695 A1D46F5000 mov eax,
dword ptr [00506FD4]
:0050469A 8A00
mov al, byte ptr [eax]
:0050469C E8EBF0FFFF call 0050378C------------------------->进这个CALL追下去,会call出Nag提示窗的~~
:005046A1 A0B6945000             mov al, byte ptr [005094B6]------------->光标在此!(从 Nag 窗那个 CALL 返回后停在这里;005094B6 就是上面 mov ecx 传进去的那个字节)
:005046A6 2C01
sub al, 01
往上看↑:问题一目了然——[00506FD4] 指向的那个状态字节等于 02 时,0050465C 的 je 就直接跳到 005046FA,把天数判断和 Nag 窗整个绕过去。所以我在 0050464F 处打第一个补丁,把 cmp al,02 改成 mov al,02,强制 al=2。不过这只改了这一处的判断,并没有改内存里的状态字节,其它地方(比如后面 About 窗口读的 [00508FE4])看到的仍是试用状态,这就是后面还要补丁③的原因。
◆解决它的CRC校验:
它的 CRC 校验很新颖:不是在程序启动过程中报错,而是启动完成后大概 1 分钟左右才弹出出错信息,确定后程序退出。
可是——启动完成后搜索出错的字符串却搜不到;出错窗口弹出后倒是搜得到,但 BPM 下断却拦不到。(原因后面会看到:出错信息在文件里是用 93h 异或加密存放的,弹窗前才由 004A2938 解密到一个临时串里,所以搜明文自然搜不到。)
为了拦它还费了菜鸟一番脑筋。我想,既然启动完成后不是马上出错而是要等一会……那一定和时间函数有关。
来 BPX GetSystemTime 试试:
呵,运气真好!请看↓
F12+F10 会到这里:
* Referenced by a CALL at Addresses:
|:004A2B7F , :004D2445 , :004D248B , :004D351C , :004D3CBA
|
:00402A3C 55
push ebp
:00402A3D 8BEC
mov ebp, esp
:00402A3F 83C4E8
add esp, FFFFFFE8
:00402A42 8D45E8
lea eax, dword ptr [ebp-18]
:00402A45 50
push eax
* Reference To: kernel32.GetSystemTime, Ord:0000h
|
:00402A46 E85DE8FFFF Call 004012A8
:00402A4B 0FB745F0 movzx
eax, word ptr [ebp-10]------------>光标在此!
:00402A4F 6BC03C
imul eax, 0000003C
:00402A52 660345F2 add
ax, word ptr [ebp-0E]
:00402A56 6BC03C
imul eax, 0000003C
:00402A59 31D2
xor edx, edx
:00402A5B 668B55F4 mov
dx, word ptr [ebp-0C]
:00402A5F 01D0
add eax, edx
:00402A61 69C0E8030000 imul eax, 000003E8
:00402A67 668B55F6 mov
dx, word ptr [ebp-0A]
:00402A6B 01D0
add eax, edx
:00402A6D 890544805000 mov dword ptr
[00508044], eax
:00402A73 8BE5
mov esp, ebp
:00402A75 5D
pop ebp
:00402A76 C3
ret
上面 00402A3C 这个小函数只是把 GetSystemTime 填到 [ebp-18] 的 SYSTEMTIME 换算成当天的毫秒数:((时×60+分)×60+秒)×1000+毫秒(3Ch=60,3E8h=1000;[ebp-10]/[ebp-0E]/[ebp-0C]/[ebp-0A] 分别是 wHour/wMinute/wSecond/wMilliseconds),存到 [00508044]。它本身不做任何校验,真正的判断在返回之后的调用者里。接着按 F12+F10-->
* Possible StringData Ref from Code Obj ->"?雼]"
|
:004D30AE 6874314D00 push 004D3174
:004D30B3 64FF30
push dword ptr fs:[eax]
:004D30B6 648920
mov dword ptr fs:[eax], esp
:004D30B9 8BC3
mov eax, ebx
:004D30BB E8CC0B0000 call 004D3C8C
:004D30C0 8D45F4
lea eax, dword ptr [ebp-0C]
:004D30C3 E81002FDFF call 004A32D8
:004D30C8 8B8380080000 mov eax, dword
ptr [ebx+00000880]-------->光标在此!
:004D30CE 85C0
test eax, eax
:004D30D0 0F8483000000 je 004D3159
:004D30D6 33D2
xor edx, edx
:004D30D8 E81F32FDFF call 004A62FC
:004D30DD E8AEF7FCFF call 004A2890---------------------------->返回关键的eax值
:004D30E2 3DC0270900             cmp eax, 000927C0------------------------>eax 与 927C0h(=600000)比较
:004D30E7 7E70                   jle 004D3159----------------------------->eax 不大于 927C0h 就跳到 004D3159,CRC 通过!补丁②:改成 jmp 004D3159★★(7E70→EB70,短跳偏移 70 不变)
                                 注:004A2890 里到底算的是什么这里没有跟进;联系上面那个换算毫秒数的函数,600000(=10 分钟)也可能是个时间阈值而不是校验和。无论如何,无条件跳过这条判断就行了。
* Possible StringData Ref from Data Obj ->"@"
|
:004D30E9 A18C725000 mov eax,
dword ptr [0050728C]
:004D30EE 803800
cmp byte ptr [eax], 00
:004D30F1 7566
jne 004D3159
:004D30F3 8D4DF0
lea ecx, dword ptr [ebp-10]
:004D30F6 B293
mov dl, 93
* Possible StringData Ref from Code Obj ->"蓥缧蜚琰岢轴狳?
|
:004D30F8 B888314D00 mov eax,
004D3188------------------------>指向加密的“NetCaptor Error”
:004D30FD E836F8FCFF call 004A2938---------------------------->还原加密字符串的CALL/进入----->
:004D3102 8B45F0
mov eax, dword ptr [ebp-10]-------------->指向还原后的“NetCaptor Error”
:004D3105 50
push eax--------------------------------->入栈保存
:004D3106 8D4DEC
lea ecx, dword ptr [ebp-14]
:004D3109 B293
mov dl, 93
◇◇还原加密字符串的 CALL 进入→里面真的好精彩啊!◇◇(看下来其实就是逐字节与 93h 异或。这种单字节 XOR 强度为零:用 Winhex 把 004D3188、004D31A0 处的数据直接和 93h 异或一下就能静态看到明文,根本不用动态跟。)
↓-------------------------------------------------------------------↓
* Referenced by a CALL at Addresses:
|:004A2A25 , :004A2ACC , :004A2B1C , :004A2D34 , :004A324A
|:004D30FD , :004D3110 , :004D32A8 , :004D32BB , :00503905
|:0050392D , :0050395B , :0050397D , :005039A5 , :005039CF
|:005039F7 , :00503A19 , :00503A48 , :00503AF4
|
:004A2938 55
push ebp
:004A2939 8BEC
mov ebp, esp
:004A293B 83C4F4
add esp, FFFFFFF4
:004A293E 53
push ebx
:004A293F 56
push esi
:004A2940 57
push edi
:004A2941 33DB
xor ebx, ebx
:004A2943 895DF4
mov dword ptr [ebp-0C], ebx
:004A2946 8BF1                   mov esi, ecx--------------------------->ecx 传入的是存放结果的字符串变量(调用处的 lea ecx,[ebp-10]/[ebp-14]),先存到 esi
:004A2948 8855FB                 mov byte ptr [ebp-05], dl-------------->dl 传入的 XOR 密钥 93h
:004A294B 8945FC                 mov dword ptr [ebp-04], eax------------>eax 传入的是加密字符串的地址,存到 [ebp-04](注意不是还原后的地址,还原结果最后写到 esi 指向的串里)。eax/edx/ecx 三个寄存器传参,看起来是 Delphi 的 register 调用约定
:004A294E 33C0
xor eax, eax
:004A2950 55
push ebp
* Possible StringData Ref from Code Obj ->"?館媇悑3U貸d0?3ZY塰)"
|
:004A2951 68A5294A00 push 004A29A5
:004A2956 64FF30
push dword ptr fs:[eax]
:004A2959 648920
mov dword ptr fs:[eax], esp
:004A295C 8B45FC
mov eax, dword ptr [ebp-04]
:004A295F E89416F6FF call 00403FF8-------------------------->算加密字符串长度,并返回到eax
:004A2964 8BD8
mov ebx, eax--------------------------->将加密字符串长度送ebx
:004A2966 85DB
test ebx, ebx
:004A2968 7E25
jle 004A298F
:004A296A BF01000000 mov edi,
00000001----------------------->edi置1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A298D(C)
|
:004A296F 8D45F4
lea eax, dword ptr [ebp-0C]------------>将解密后的字符串地址送eax
:004A2972 8B55FC
mov edx, dword ptr [ebp-04]------------>指向加密的字符串
:004A2975 8A543AFF mov
dl, byte ptr [edx+edi-01]---------->从加密的字符串取一个字符
:004A2979 3255FB
xor dl, byte ptr [ebp-05]-------------->与93h 异或后,dl所保存的就是解密后的字符了!
:004A297C E88315F6FF call 00403F04
:004A2981 8B55F4
mov edx, dword ptr [ebp-0C]------------>指向解密后的字符串地址
:004A2984 8BC6
mov eax, esi
:004A2986 E87516F6FF call 00404000-------------------------->将还原后的字符送上述地址保存
:004A298B 47
inc edi-------------------------------->edi加1
:004A298C 4B
dec ebx
:004A298D 75E0
jne 004A296F--------------------------->循环完了吗?没完就继续↑
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A2968(C)
|
:004A298F 33C0
xor eax, eax
:004A2991 5A
pop edx
:004A2992 59
pop ecx
:004A2993 59
pop ecx
:004A2994 648910
mov dword ptr fs:[eax], edx
* Possible StringData Ref from Code Obj ->"_[迕U炖h)"
|
:004A2997 68AC294A00 push 004A29AC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A29AA(U)
|
:004A299C 8D45F4
lea eax, dword ptr [ebp-0C]
:004A299F E8B813F6FF call 00403D5C
:004A29A4 C3
ret
↑-------------------------------------------------------------------↑
继续往下走...
* Possible StringData Ref from Code Obj ->"躯龀蓥缧蜚琰岢鲭鲳骁蝰龀喑聆鳊橱蟒螋鲼蒋襻?
->"岘?鲵圉翅鼍噻?齿鲧序沌?
|
:004D310B B8A0314D00 mov eax,
004D31A0------------------------>指向加密的CRC出错信息
:004D3110 E823F8FCFF call 004A2938---------------------------->还原加密字符串的CALL
:004D3115 8B45EC
mov eax, dword ptr [ebp-14]-------------->指向CRC出错信息(如下↓)
*******************************************
The NetCaptor executable has been damaged.
Please re-install NetCaptor.
*******************************************
:004D3118 50
push eax
:004D3119 6A00
push 00000000
:004D311B 8D4DE8
lea ecx, dword ptr [ebp-18]
:004D311E BAF8314D00 mov edx,
004D31F8
:004D3123 8BC3
mov eax, ebx
:004D3125 E85EC7FFFF call 004CF888
:004D312A 8B45E8
mov eax, dword ptr [ebp-18]
:004D312D 50
push eax
:004D312E 6A00
push 00000000
:004D3130 8D45FF
lea eax, dword ptr [ebp-01]
:004D3133 50
push eax
:004D3134 6A00
push 00000000
:004D3136 6A00
push 00000000
:004D3138 8D55E4
lea edx, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"軇P"
|
:004D313B A184725000 mov eax,
dword ptr [00507284]
:004D3140 E82B35F3FF call 00406670
:004D3145 8B4DE4
mov ecx, dword ptr [ebp-1C]
:004D3148 8B5358
mov edx, dword ptr [ebx+58]
:004D314B 8BC3
mov eax, ebx
:004D314D E80AA40000 call 004DD55C---------------------------->CRC出错啦!!
:004D3152 8BC3
mov eax, ebx
:004D3154 E8C7EAF7FF call 00451C20
 ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄
◆补充一点:
这样改过后,还有一点美中不足的是:在About窗口,总会有“You are on day XX of your 30-day evaluation period.”文字。
让我们美化美化。用W32dasm反汇编后,查找该字符串:
* Possible StringData Ref from Code Obj ->"NetCaptor 6.5.0"
|
:004C6277 BAA8634C00 mov edx,
004C63A8
:004C627C E873DBF3FF call 00403DF4
:004C6281 803DE48F500002 cmp byte ptr [00508FE4],
02
:004C6288 7527
jne 004C62B1------------------------------->不要跳呵|补丁③:nop 掉★★★
* Possible StringData Ref from Code Obj ->"Registered to: "
|
:004C628A 68C0634C00 push 004C63C0
:004C628F FF35EC8F5000 push dword ptr
[00508FEC]
:004C6295 6878634C00 push 004C6378
:004C629A 6878634C00 push 004C6378
:004C629F FF75F8
push [ebp-08]
:004C62A2 8D45F8
lea eax, dword ptr [ebp-08]
:004C62A5 BA05000000 mov edx,
00000005
:004C62AA E809DEF3FF call 004040B8
:004C62AF EB49
jmp 004C62FA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C6288(C)
|
* Possible StringData Ref from Code Obj ->"You are on day "---------------------|站在此往上看↑
|
:004C62B1 68D8634C00 push 004C63D8
:004C62B6 8D55E4
lea edx, dword ptr [ebp-1C]
:004C62B9 A1E88F5000 mov eax,
dword ptr [00508FE8]
:004C62BE E82935F4FF call 004097EC
:004C62C3 FF75E4
push [ebp-1C]
* Possible StringData Ref from Code Obj ->" of your "
|
:004C62C6 68F0634C00 push 004C63F0
:004C62CB 8D55E0
lea edx, dword ptr [ebp-20]
:004C62CE B81E000000 mov eax,
0000001E
:004C62D3 E81435F4FF call 004097EC
:004C62D8 FF75E0
push [ebp-20]
* Possible StringData Ref from Code Obj ->"-day evaluation period."
|
:004C62DB 6804644C00 push 004C6404
:004C62E0 6878634C00 push 004C6378
:004C62E5 6878634C00 push 004C6378
:004C62EA FF75F8
push [ebp-08]
------------------------------------☆
当然,为了Art of Crack的考虑,你可以修改其它地方,那就看你的了。好!
收工!
补丁① @offset 103a4f 3C02-->B002 (VA 0050464F,cmp al,02 → mov al,02)
补丁② @offset d24e7 7E70-->EB70 (VA 004D30E7,jle → jmp)
补丁③ @offset c5688 7527-->9090 (VA 004C6288,jne → nop nop)
三处文件偏移与虚拟地址的差都是 VA-400000h-C00h,即按脱壳后文件的节对齐算出来的。用 Winhex 改之前先核对偏移处的原字节确实是 3C02/7E70/7527,对不上就按上面的 VA 自己重算。另外补丁①③本身就改动了文件,正是 CRC 校验要抓的情况,所以补丁②一定要一起打,不然启动一分钟后还是会被踢出去。
2001-10-1 《完》
- 标 题:peter,交一篇FCG的作业:破解NetCaptor最新版6.5.0 Final的限制 (14千字)
- 作 者:moonlite
- 时 间:2001-10-1 14:44:16
- 链 接:http://bbs.pediy.com