Target software: 超级个人软件 (Super Personal Software) V2.5
Cracking tools: W32Dasm, TRW2000, UnAspack 1.091
Difficulty: easy
Download: http://gd.skycn.net/down/superm.zip
After unpacking, open Super.exe in W32Dasm and look at the string references; you find:
* Possible StringData Ref from Code Obj ->"*****-*****-*****"
|
:0053E4E1 BA18E65300 mov edx, 0053E618
:0053E4E6 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:0053E4EC E8FF64EFFF call 004349F0
:0053E4F1 33D2 xor edx, edx
:0053E4F3 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:0053E4F9 8B08 mov ecx, dword ptr [eax]
:0053E4FB FF515C call [ecx+5C]
"*****-*****-*****" should be the format of a valid registration code!
I looked around this area for a while and found nothing else suspicious, so I searched the string references again and found "授权注册码没有填写!" (the authorization registration code has not been entered). Double-click it to have a look!
:0053E280 837DF800 cmp dword ptr [ebp-08], 00000000…………………………check whether the registration code was entered!
:0053E284 750F jne 0053E295…………………………if it was entered, skip the prompt below.
* Possible StringData Ref from Code Obj ->"授权注册码没有填写!"
|
:0053E286 B880E35300 mov eax, 0053E380
:0053E28B E8ACBAF1FF call 00459D3C
:0053E290 E9B7000000 jmp 0053E34C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053E284(C)
|
:0053E295 8D55FC lea edx, dword ptr [ebp-04]…………………………the jump lands here!
:0053E298 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:0053E29E E81D67EFFF call 004349C0
:0053E2A3 B201 mov dl, 01
:0053E2A5 A11CAD4600 mov eax, dword ptr [0046AD1C]
:0053E2AA E8D9CBF2FF call 0046AE88
:0053E2AF 8BF0 mov esi, eax
:0053E2B1 BA01000080 mov edx, 80000001
:0053E2B6 8BC6 mov eax, esi
:0053E2B8 E8A7CCF2FF call 0046AF64
:0053E2BD B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\Microsoft\Windows\CurrentVersion\Syst"
->"em\per"
|
:0053E2BF BAA0E35300 mov edx, 0053E3A0
:0053E2C4 8BC6 mov eax, esi
:0053E2C6 E8DDCDF2FF call 0046B0A8
:0053E2CB 8B45FC mov eax, dword ptr [ebp-04]
:0053E2CE 8B1578D45700 mov edx, dword ptr [0057D478]
:0053E2D4 8B12 mov edx, dword ptr [edx]
:0053E2D6 8B9284030000 mov edx, dword ptr [edx+00000384]
:0053E2DC E8875EECFF call 00404168…………………………press F8 to step in [here, D EAX shows the registration code I typed, and D EDX is the correct registration code!]
:0053E2E1 740E je 0053E2F1…………………………there is a jump here that must not be ignored; look at the Call above it
:0053E2E3 A1D4D75700 mov eax, dword ptr [0057D7D4]
:0053E2E8 8B00 mov eax, dword ptr [eax]
:0053E2EA E84555F1FF call 00453834
:0053E2EF EB19 jmp 0053E30A
Stepping into the Call at 0053E2DC:
:00404168 53 push ebx
:00404169 56 push esi
:0040416A 57 push edi
:0040416B 89C6 mov esi, eax
:0040416D 89D7 mov edi, edx
:0040416F 39D0 cmp eax, edx…………………………heh!
:00404171 0F848F000000 je 00404206
Static analysis is done; now that we have a target, start dynamic tracing! Run 超级个人软件 V2.5, choose software registration, enter the registration code "11111-22222-33333", open TRW2000,
set a breakpoint with bpx 53E2DC, press F5, then click the "Register now" button and the breakpoint fires! Now type d edx and you can see 24448-5F482-15234: that is my registration code!
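The weakness the walkthrough exploits is a design one: the program holds the correct registration code as a plain string and compares it directly against the user's input, so whatever register carries the expected value at the compare (EDX here) reveals the key. The following is an added example, not code from the post or from the product, that contrasts that pattern with a checker that stores only a salted SHA-256 digest of the code and compares digests in constant time. All function names are my own, and the two sample codes are constructed values taken from the post purely as test data.

```python
"""Plain-string serial compare versus a digest-only check.

Added example for this walkthrough; it is not the product's code. The
"*****-*****-*****" format comes from the string reference in the listing,
and the sample codes are the ones quoted in the post, used here as constructed
test data only.
"""
import hashlib
import hmac
import re
import secrets

# Format suggested by the "*****-*****-*****" string reference in the listing.
CODE_FORMAT = re.compile(r"^[0-9A-Z]{5}-[0-9A-Z]{5}-[0-9A-Z]{5}$")


def check_code_plain(entered: str, expected: str) -> bool:
    """Weak pattern: the expected code is itself the comparison operand.

    This mirrors the listing, where the string compare at 00404168 receives
    the typed code in EAX and the correct code in EDX; a debugger stopped on
    the compare only has to dump EDX.
    """
    return entered == expected


def enroll_code_hashed(code: str) -> tuple[bytes, bytes]:
    """Persist only (salt, SHA-256(salt || code)); the code is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + code.encode("ascii")).digest()
    return salt, digest


def check_code_hashed(entered: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hardened check: reject bad formats early, then compare digests.

    The real code is not present anywhere in memory during the check, and
    hmac.compare_digest avoids the early-exit timing difference of ==.
    """
    if not CODE_FORMAT.match(entered):
        return False
    candidate = hashlib.sha256(salt + entered.encode("ascii")).digest()
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Run both checkers on constructed inputs and report the outcomes."""
    typed = "11111-22222-33333"   # code the author typed (constructed test value)
    real = "24448-5F482-15234"    # code read out of EDX (constructed test value)
    salt, digest = enroll_code_hashed(real)
    return {
        "plain_wrong": check_code_plain(typed, real),
        "plain_right": check_code_plain(real, real),
        "hashed_wrong": check_code_hashed(typed, salt, digest),
        "hashed_right": check_code_hashed(real, salt, digest),
        "hashed_bad_format": check_code_hashed("24448-5F482-1523", salt, digest),
        # The stored material never contains the code itself.
        "store_reveals_code": real.encode("ascii") in salt + digest,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Storing a digest removes the "dump the other operand" shortcut, but it does not by itself stop someone from patching the conditional jump after the compare, and if the valid code is derived deterministically from a user name inside the binary, that derivation is still recoverable; for software that must resist both, verification has to move off the client (a signed license or a server-side check).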
- Title: 超级个人软件 V2.5 cracking walkthrough (about 3,000 characters)
- Author: leeyam
- Date: 2002-3-4 13:14:41
- Link: http://bbs.pediy.com