破解目标:PC Security 5.1
下载地址:http://nj.onlinedown.net/PCSECURITY.HTM
软件简介:
这个存取控制软件功能非常强大,它除了可以让你关闭我的电脑、控制台、显示器设定、启动、拨号网路、桌面捷径、工作列等以及隐藏桌面图标和Windows工作列的功能外,还可锁住硬盘中任何目录下的文件.而且它还附有一个Lock System,和屏幕保护程序一样在电脑闲置一段时间后会自动启动防护(亦可手动启动)
使用工具:Trw2000 1.23 & W32dasm
破解原因:
我的手提电脑(又破又旧)经常要带到上班的地方使用,有时我要临时离开,不希望有人乱碰我的电脑,PC Security 5.1容量虽小,功能却很强大,它可以定时锁定电脑,可以保护任何文件和文件夹,还有其它大量的保护.
破解过程:
安装运行PC Security 5.1,安装完后双击系统托盘的小红锁图标,进入它的Setting窗口,程序提示只能试用30天并要求注册,随便乱填,按注册,程序报错自动退出.好了,用W32dasm反汇编Security.exe找出错的字串,可是找不到,呵呵~~~~~~看来要动态的啦~~~~~
再次进入,填入Sam Von, 67676767,bpx hmemcpy,按注册,Trw拦下来了.然后用F12找到出错的Call再慢慢找注册的判断,请看下面的代码
=====================================================================
; Excerpt (W32dasm output) from the routine that calls the registration check
; at 00414242. The enclosing routine begins before 0040F4A6 and continues past
; 0040F4C4, so only the call site itself is documented here.
; NOTE(review): the dword at [ecx-08] is presumably a length field stored ahead
; of the string that [ebp-10] points to, and ebx presumably holds 0 - confirm.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F494(C)
|
:0040F4A6 8B4DF0
mov ecx, dword ptr [ebp-10]
:0040F4A9 3959F8
cmp dword ptr [ecx-08], ebx
:0040F4AC 7509
jne 0040F4B7
:0040F4AE 53
push ebx
:0040F4AF 53
push ebx
* Possible Reference to Dialog:
|
:0040F4B0 6818134700 push 00471318
:0040F4B5 EBE6
jmp 0040F49D
; Reached when the compare above does not match: eax and ecx are pushed as the
; two stack arguments of 00414242 and removed again by the two "pop ecx".
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F4AC(C)
|
:0040F4B7 50
push eax
:0040F4B8 51
push ecx
:0040F4B9 E8844D0000 call 00414242
<---这是判断的Call进去看看
:0040F4BE 59
pop ecx
:0040F4BF 59
pop ecx
; The verdict of 00414242 reaches this caller only as zero / non-zero in eax.
; Design note: the dialog logic has no second source of truth for the result;
; the author's annotation at 0040F4C4 shows that the state which survives a
; restart is set inside 00414242, not by this branch.
:0040F4C0 85C0
test eax, eax <---eax不能为0否则下面的跳跃就跳到出错的地方了,记住这个判断
:0040F4C2 53
push ebx
:0040F4C3 53
push ebx
:0040F4C4 744F
je 0040F515 <---跳就完了,在这里如果用r fl z的话程序会提示注册成功,但进入About仍然是非注册版,退出再进入它会再次让你注册
注意往下看如何能让eax不为0
====================================================================
; Routine 00414242 (W32dasm output of Security.exe): the registration check
; called from 0040F4B9.
;   Frame : ebp-based, 0x80 bytes of locals; ebx, esi and edi are saved on
;           entry and restored before "leave / ret".
;   Args  : [ebp+08] and [ebp+0C], the two values pushed by the caller.
;           NOTE(review): [ebp+08] is presumably the entered registration code
;           (its filtered length is what 004142A9 tests) and [ebp+0C] the
;           other dialog field - confirm against the caller.
;   Return: eax = esi. esi is zeroed at 0041444A (reject) or holds the result
;           of call 0041418F (accept path).
;   Helpers 00414135, 004249F0, 00425B88, 00425B5A, 0041464B, 0041468F,
;   004256C3, 004246A0, 00403982, 0042A5B0, 0041418F and 00403D2F are outside
;   this listing; any role given to them below is an assumption.
; Design note: all three reject branches (00414255, 004142B2, 00414389) meet
; at 0041444A, and everything the check compares is computed inside this
; process, so the licence decision rests on one return value.
* Referenced by a CALL at Address:
|:0040F4B9
|
:00414242 55
push ebp
:00414243 8BEC
mov ebp, esp
:00414245 81EC80000000 sub esp, 00000080
:0041424B 53
push ebx
:0041424C 56
push esi
:0041424D 57
push edi
; First gate: a zero result from 00414135 goes straight to the reject exit.
:0041424E E8E2FEFFFF call 00414135
:00414253 85C0
test eax, eax
:00414255 0F84EF010000 je 0041444A
<---一定不能跳,先去看看41444A处的说明
; ebx = first argument, edi = read index, esi = write index.
; NOTE(review): 004249F0 looks like a string-length helper (its result is
; compared with an index at 00414296 and with 0x10 at 004142A9) - confirm.
:0041425B 8B5D08
mov ebx, dword ptr [ebp+08]
:0041425E 33FF
xor edi, edi
:00414260 53
push ebx
:00414261 33F6
xor esi, esi
:00414263 E888070100 call 004249F0
:00414268 59
pop ecx
; Filter loop: each byte of the first argument is passed to 00425B88 and, if
; that returns zero, to 00425B5A; a byte is kept when either returns non-zero.
; NOTE(review): presumably two character-class tests - confirm.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414299(C)
|
:00414269 0FBE041F movsx
eax, byte ptr [edi+ebx]
:0041426D 50
push eax
:0041426E E815190100 call 00425B88
:00414273 85C0
test eax, eax
:00414275 59
pop ecx
:00414276 750F
jne 00414287
:00414278 0FBE041F movsx
eax, byte ptr [edi+ebx]
:0041427C 50
push eax
:0041427D E8D8180100 call 00425B5A
:00414282 85C0
test eax, eax
:00414284 59
pop ecx
:00414285 7408
je 0041428F
; Kept bytes are stored at [ebp+esi-20].
; NOTE(review): no upper bound on esi is checked in this listing; whether the
; input length is limited before this routine cannot be told from here.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414276(C)
|
:00414287 8A041F
mov al, byte ptr [edi+ebx]
:0041428A 884435E0 mov
byte ptr [ebp+esi-20], al
:0041428E 46
inc esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414285(C)
|
:0041428F 53
push ebx
:00414290 47
inc edi
:00414291 E85A070100 call 004249F0
:00414296 3BF8
cmp edi, eax
:00414298 59
pop ecx
:00414299 76CE
jbe 00414269
; Terminate the filtered copy, then apply the second gate: its length must be
; 0x10 or 0x11, otherwise the reject exit is taken.
:0041429B 806435E000 and byte
ptr [ebp+esi-20], 00
:004142A0 8D45E0
lea eax, dword ptr [ebp-20]
:004142A3 50
push eax
:004142A4 E847070100 call 004249F0
:004142A9 83F810
cmp eax, 00000010 <---这里判断注册码的个数,应该是16位
:004142AC 59
pop ecx
:004142AD 7409
je 004142B8
:004142AF 83F811
cmp eax, 00000011
:004142B2 0F8592010000 jne 0041444A
<---又一个,避开它
; Length-0x11 case: the byte at [ebp-10] is compared with 46h and 66h; on a
; match it is cleared and the global at 004791A0 is set to 1. The meaning of
; that global is not visible in this listing.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004142AD(C)
|
:004142B8 8D45E0
lea eax, dword ptr [ebp-20]
:004142BB 50
push eax
:004142BC E82F070100 call 004249F0
:004142C1 48
dec eax
:004142C2 59
pop ecx
:004142C3 83F810
cmp eax, 00000010
:004142C6 751A
jne 004142E2
:004142C8 807DF046 cmp
byte ptr [ebp-10], 46
:004142CC 7406
je 004142D4
:004142CE 807DF066 cmp
byte ptr [ebp-10], 66
:004142D2 750E
jne 004142E2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004142CC(C)
|
:004142D4 8065F000 and
byte ptr [ebp-10], 00
:004142D8 C705A091470001000000 mov dword ptr [004791A0], 00000001
; Derives an accumulator in edi from the bytes of the second argument, using
; the helpers 0041464B and 0041468F (bodies not shown).
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004142C6(C), :004142D2(C)
|
:004142E2 FF750C
push [ebp+0C]
:004142E5 33FF
xor edi, edi
:004142E7 E804070100 call 004249F0
:004142EC 8BF0
mov esi, eax
:004142EE 59
pop ecx
:004142EF 4E
dec esi
:004142F0 782E
js 00414320
:004142F2 6A09
push 00000009
:004142F4 58
pop eax
:004142F5 2BC6
sub eax, esi
:004142F7 8D1C80
lea ebx, dword ptr [eax+4*eax]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041431E(C)
|
:004142FA 8B450C
mov eax, dword ptr [ebp+0C]
:004142FD 0FBE0406 movsx
eax, byte ptr [esi+eax]
:00414301 03C3
add eax, ebx
:00414303 50
push eax
:00414304 E842030000 call 0041464B
:00414309 C70424401F0000 mov dword ptr [esp],
00001F40
:00414310 E87A030000 call 0041468F
:00414315 03F8
add edi, eax
:00414317 4E
dec esi
:00414318 83C305
add ebx, 00000005
:0041431B 59
pop ecx
:0041431C 85F6
test esi, esi
:0041431E 7DDA
jge 004142FA
; The accumulator plus the dword at 00471DF0 is handed to 0041464B; the buffer
; at ebp-40 is emptied and ebx = esi = 8 set up as loop counters.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004142F0(C)
|
:00414320 A1F01D4700 mov eax,
dword ptr [00471DF0]
:00414325 03C7
add eax, edi
:00414327 50
push eax
:00414328 E81E030000 call 0041464B
:0041432D 8065C000 and
byte ptr [ebp-40], 00
:00414331 59
pop ecx
:00414332 6A08
push 00000008
* Possible Reference to Dialog:
|
:00414334 BF601F4700 mov edi,
00471F60
:00414339 5B
pop ebx
:0041433A 8BF3
mov esi, ebx
; Eight passes: a value from 0041468F is passed to 004256C3 together with the
; buffer at ebp-40 and the constant at 00471F60.
; NOTE(review): looks like formatted appending to ebp-40 - confirm.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414357(C)
|
:0041433C 6A0F
push 0000000F
:0041433E E84C030000 call 0041468F
:00414343 59
pop ecx
:00414344 50
push eax
:00414345 8D45C0
lea eax, dword ptr [ebp-40]
:00414348 50
push eax
:00414349 8D45C0
lea eax, dword ptr [ebp-40]
:0041434C 57
push edi
:0041434D 50
push eax
:0041434E E870130100 call 004256C3
:00414353 83C410
add esp, 00000010
:00414356 4E
dec esi
:00414357 75E3
jne 0041433C
; Third and final gate: a non-zero result from 0042A5B0 takes the reject exit.
; Its inputs are local buffers filled in by the calls above.
:00414359 8D45E0
lea eax, dword ptr [ebp-20]
:0041435C 50
push eax
:0041435D 8D45A0
lea eax, dword ptr [ebp-60]
:00414360 50
push eax
:00414361 E83A030100 call 004246A0
:00414366 8065A400 and
byte ptr [ebp-5C], 00
:0041436A 8D4580
lea eax, dword ptr [ebp-80]
:0041436D 50
push eax
:0041436E 8D45E4
lea eax, dword ptr [ebp-1C]
:00414371 50
push eax
:00414372 E80BF6FEFF call 00403982
:00414377 8D45C0
lea eax, dword ptr [ebp-40]
:0041437A 50
push eax
:0041437B 8D4580
lea eax, dword ptr [ebp-80]
:0041437E 50
push eax
:0041437F E82C620100 call 0042A5B0
<---这个Call里应该是比较重要的比较,前面的好多Call我都追进去过,它们都用我填的假资料做了很多运算,不过我没搞清楚,谁去研究下它的算法吧.
:00414384 83C418
add esp, 00000018
:00414387 85C0
test eax, eax
:00414389 0F85BB000000 jne 0041444A
<---这里是最后一个,前两个一般来说只要你填的假注册码是16位就不会跳走,但这个一定会跳的,因为我的注册码肯定是假的嘛,在这里下r
fl z命令就能过去了,然后按F5,看看程序跟你说什么,当然是多谢你的注册了,再看About里也成为注册版了,退出再进入依然不变,呵呵~~~~~~我想这全靠下面的这些代码了,因为程序会把注册信息放入c:\windows\Gerces23.dru这个文件里,那我就将这个文件好好保管了~~~~~~哈哈
; Accept path: sets the globals at 004791A4 (1) and 0047919C (32h), passes the
; second argument and 004791B0 to 004246A0, and empties the buffer at 00479278.
; NOTE(review): 004246A0 is presumably a string copy - confirm. Which call
; writes the file named in the author's annotation is not visible here.
:0041438F FF750C
push [ebp+0C]
:00414392 C705A491470001000000 mov dword ptr [004791A4], 00000001
:0041439C C7059C91470032000000 mov dword ptr [0047919C], 00000032
:004143A6 68B0914700 push 004791B0
:004143AB E8F0020100 call 004246A0
:004143B0 80257892470000 and byte ptr [00479278],
00
:004143B7 59
pop ecx
:004143B8 59
pop ecx
:004143B9 BE78924700 mov esi,
00479278
; Same 0041468F / 004256C3 pattern as at 0041433C, now targeting 00479278 and
; counted down with ebx.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004143D3(C)
|
:004143BE 6A0F
push 0000000F
:004143C0 E8CA020000 call 0041468F
:004143C5 59
pop ecx
:004143C6 50
push eax
:004143C7 56
push esi
:004143C8 57
push edi
:004143C9 56
push esi
:004143CA E8F4120100 call 004256C3
:004143CF 83C410
add esp, 00000010
:004143D2 4B
dec ebx
:004143D3 75E9
jne 004143BE
; Running remainder in edx over the bytes at 00479278: bytes equal to 20h are
; skipped, every other byte is added to edx and the sum reduced modulo FFh.
:004143D5 A078924700 mov al,
byte ptr [00479278]
:004143DA 33D2
xor edx, edx
:004143DC 84C0
test al, al
:004143DE 741B
je 004143FB
:004143E0 8BCE
mov ecx, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004143F9(C)
|
:004143E2 3C20
cmp al, 20
:004143E4 740D
je 004143F3
:004143E6 0FBE01
movsx eax, byte ptr [ecx]
:004143E9 03C2
add eax, edx
:004143EB BFFF000000 mov edi,
000000FF
:004143F0 99
cdq
:004143F1 F7FF
idiv edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004143E4(C)
|
:004143F3 8A4101
mov al, byte ptr [ecx+01]
:004143F6 41
inc ecx
:004143F7 84C0
test al, al
:004143F9 75E7
jne 004143E2
; The remainder is reduced again modulo 63h and passed to 004256C3 with the
; buffer at 00479278 and the constant at 00471F58; 0041464B then gets 28h.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004143DE(C)
|
:004143FB 8BC2
mov eax, edx
:004143FD 6A63
push 00000063
:004143FF 99
cdq
:00414400 59
pop ecx
:00414401 F7F9
idiv ecx
:00414403 52
push edx
:00414404 56
push esi
* Possible Reference to Dialog:
|
:00414405 68581F4700 push 00471F58
:0041440A 56
push esi
:0041440B E8B3120100 call 004256C3
:00414410 6A28
push 00000028
:00414412 E834020000 call 0041464B
:00414417 83C414
add esp, 00000014
:0041441A 33F6
xor esi, esi
; XORs each of the C8h bytes at 004791B0 with the low byte returned by
; 0041468F. This is byte-wise masking, not an integrity check; nothing visible
; here ties the record to the machine, which is consistent with the author's
; remark that keeping the saved file keeps the program registered.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414431(C)
|
:0041441C 6A0F
push 0000000F
:0041441E E86C020000 call 0041468F
:00414423 3086B0914700 xor byte ptr
[esi+004791B0], al
:00414429 46
inc esi
:0041442A 81FEC8000000 cmp esi, 000000C8
:00414430 59
pop ecx
:00414431 72E9
jb 0041441C
; The result of 0041418F becomes the return value (kept in esi); 00403D2F is
; then called with the second argument and the buffer at ebp-60.
:00414433 E857FDFFFF call 0041418F
:00414438 8BF0
mov esi, eax
:0041443A 8D45A0
lea eax, dword ptr [ebp-60]
:0041443D 50
push eax
:0041443E FF750C
push [ebp+0C]
:00414441 E8E9F8FEFF call 00403D2F
:00414446 59
pop ecx
:00414447 59
pop ecx
:00414448 EB02
jmp 0041444C
; Common reject exit: esi = 0, so the routine returns 0 in eax.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00414255(C), :004142B2(C), :00414389(C)
|
:0041444A 33F6
xor esi, esi <---esi清为0了,注意有三个地方会跳到这里来
; Shared epilogue: eax = esi, restore edi/esi/ebx, tear down the frame.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414448(U)
|
:0041444C 8BC6
mov eax, esi <---如果跳到上面一行,这时eax也为0了,下面就跳出这个Call了,还记得外面那个test
eax,eax吗所以无论如何都不能让程序跳到41444A这一行
:0041444E 5F
pop edi
:0041444F 5E
pop esi
:00414450 5B
pop ebx
:00414451 C9
leave
:00414452 C3
ret
后记:
这次破解我不想写太多东西,因为我并没有将它的算法搞清楚,它的很多call都在拿我的假资料做运算,不过都是些乘法除法之类的,请高手们看看吧.将它破解后我上到http://astalavista.box.sk/去查找它的注册机,但找到的都是注册了的Gerces23.dru文件,我想它应该不是那么简单的,不然怎么会连个正确的注册码都找不到呢~~~~~~~~~~呵呵
_/_/_/
_/ _/_/_/ _/_/_/
_/_/
_/_/ _/ _/ _/ _/
_/
_/ _/ _/ _/
_/ _/
_/_/_/ _/_/_/ _/ _/ _/
Sam.com
2:55 2001-7-20
- 标 题:PC Security 5.1自动注册(莫名其妙)~~~~~~~~~~~~~ (14千字)
- 作 者:Sam.com
- 时 间:2002-1-20 3:24:16
- 链 接:http://bbs.pediy.com