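Software name: AUTOCAD七天超级速成法 2.0 (AutoCAD Seven-Day Super Crash Course, version 2.0; e-book)
Built with: eBook workshop (亿唯e书)
The unregistered version cannot display the content for days 4 to 7.
Cracking tool: OllyDbg
Cracking process:
Load the program in OllyDbg, run it, and search the string references. The following suspicious entries turn up; set a breakpoint on each of them: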
0048C232 MOV EAX, 1.0048C2E0 ASCII "SoftwareAda99eBook workshopSecurity%s"
0048C250 MOV EDX, 1.0048C314 ASCII "UserName"
0048C26A MOV EDX, 1.0048C328 ASCII "Password"
Select Day 4 and the program breaks here:
0048C232 B8 E0C24800 MOV EAX, 1.0048C2E0 ; ASCII "SoftwareAda99eBook workshopSecurity%s"
0048C237 E8 48D2F7FF CALL 1.00409484
0048C23C 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
0048C23F B1 01 MOV CL, 1
0048C241 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C244 E8 DFB7FEFF CALL 1.00477A28
0048C249 84C0 TEST AL, AL
0048C24B 74 34 JE SHORT 1.0048C281
0048C24D 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C]
0048C250 BA 14C34800 MOV EDX, 1.0048C314 ; ASCII "UserName"
0048C255 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C258 E8 93B9FEFF CALL 1.00477BF0
0048C25D 8B55 E4 MOV EDX, DWORD PTR SS:[EBP-1C]
0048C260 8BC3 MOV EAX, EBX
0048C262 E8 857AF7FF CALL 1.00403CEC
0048C267 8D4D E0 LEA ECX, DWORD PTR SS:[EBP-20]
0048C26A BA 28C34800 MOV EDX, 1.0048C328 ; ASCII "Password"
0048C26F 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C272 E8 79B9FEFF CALL 1.00477BF0
0048C277 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20]
0048C27A 8BC6 MOV EAX, ESI
0048C27C E8 6B7AF7FF CALL 1.00403CEC
0048C281 33C0 XOR EAX, EAX
0048C283 5A POP EDX
0048C284 59 POP ECX
0048C285 59 POP ECX
0048C286 64:8910 MOV DWORD PTR FS:[EAX], EDX
0048C289 68 A6C24800 PUSH 1.0048C2A6
0048C28E 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C291 E8 FEB6FEFF CALL 1.00477994
0048C296 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C299 E8 AE6CF7FF CALL 1.00402F4C
0048C29E C3 RETN
—————————————————————————————————————————————————————————————
After returning several times, execution reaches the following code:
0048BE0C A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE11 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE13 8B80 18030000 MOV EAX, DWORD PTR DS:[EAX+318]
0048BE19 8B55 FC MOV EDX, DWORD PTR SS:[EBP-4]
0048BE1C E8 A7E0F9FF CALL 1.00429EC8
0048BE21 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE26 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE28 8B80 1C030000 MOV EAX, DWORD PTR DS:[EAX+31C]
0048BE2E 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
0048BE31 E8 92E0F9FF CALL 1.00429EC8
0048BE36 A1 84E94800 MOV EAX, DWORD PTR DS:[48E984]
0048BE3B 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE3D 83E8 01 SUB EAX, 1
0048BE40 72 0A JB SHORT 1.0048BE4C
0048BE42 74 0C JE SHORT 1.0048BE50
0048BE44 48 DEC EAX
0048BE45 83E8 02 SUB EAX, 2
0048BE48 72 30 JB SHORT 1.0048BE7A
0048BE4A EB 7C JMP SHORT 1.0048BEC8
0048BE4C B3 01 MOV BL, 1
0048BE4E EB 78 JMP SHORT 1.0048BEC8
0048BE50 8D55 F4 LEA EDX, DWORD PTR SS:[EBP-C]
0048BE53 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE58 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE5A 8B80 1C030000 MOV EAX, DWORD PTR DS:[EAX+31C]
0048BE60 E8 33E0F9FF CALL 1.00429E98
0048BE65 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-C]
0048BE68 A1 54E54800 MOV EAX, DWORD PTR DS:[48E554]
0048BE6D 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE6F E8 B481F7FF CALL 1.00404028
0048BE74 75 52 JNZ SHORT 1.0048BEC8
0048BE76 B3 01 MOV BL, 1
0048BE78 EB 4E JMP SHORT 1.0048BEC8
0048BE7A 8D55 EC LEA EDX, DWORD PTR SS:[EBP-14]
0048BE7D A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE82 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE84 8B80 18030000 MOV EAX, DWORD PTR DS:[EAX+318]
0048BE8A E8 09E0F9FF CALL 1.00429E98
0048BE8F 8B45 EC MOV EAX, DWORD PTR SS:[EBP-14]
0048BE92 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-10]
0048BE95 8B15 54E54800 MOV EDX, DWORD PTR DS:[48E554]
0048BE9B 8B12 MOV EDX, DWORD PTR DS:[EDX]
0048BE9D E8 DE9EFFFF CALL 1.00485D80
0048BEA2 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10]
0048BEA5 50 PUSH EAX
0048BEA6 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18]
0048BEA9 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BEAE 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BEB0 8B80 1C030000 MOV EAX, DWORD PTR DS:[EAX+31C]
0048BEB6 E8 DDDFF9FF CALL 1.00429E98
0048BEBB 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18]
0048BEBE 58 POP EAX
0048BEBF E8 6481F7FF CALL 1.00404028
0048BEC4 75 02 JNZ SHORT 1.0048BEC8 ; if this jump is taken, it is over; remove it with NOP NOP (90 90)
0048BEC6 B3 01 MOV BL, 1
0048BEC8 84DB TEST BL, BL
0048BECA 0F85 FE000000 JNZ 1.0048BFCE ; jump taken = OK
0048BED0 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BED5 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BED7 8B10 MOV EDX, DWORD PTR DS:[EAX]
0048BED9 FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]
0048BEDF 48 DEC EAX
0048BEE0 0F85 E8000000 JNZ 1.0048BFCE
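Make a memory patch: changing 75 02 at 0048BEC4 to 90 90 is all it takes.
I traced for a long time and got the memory patch made, but I still have not found where the program reads the registry values, so I cannot make an in-memory keygen. If anyone has a better method, please let me know; I would be very grateful!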
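
The two-byte patch is enough because the comparison at 0048BEC4 only sets a flag (BL) that the branch at 0048BECA then tests, while the locked content itself is not bound to the registration data. As an added example from the publisher's side (not code from the original post or from eBook workshop), the sketch below contrasts that flag-style gate with content sealed under keys derived from the name and code, where removing a branch recovers nothing. All function names, the sample name and code, and the SHA-256 keystream (a stand-in for a vetted AEAD cipher) are assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-salt"           # constructed sample value
CHAPTER = b"Day 4: locked lesson"    # constructed sample content

def derive_keys(user, code):
    # Keys come from the registration data itself, not from a yes/no comparison.
    raw = hashlib.pbkdf2_hmac("sha256", f"{user}\0{code}".encode(), SALT, 100_000, dklen=64)
    return raw[:32], raw[32:]        # (encryption key, MAC key)

def _keystream(key, n):
    # Stand-in stream cipher (SHA-256 in counter mode); ship a vetted AEAD instead.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(user, code, plaintext):
    # Done once at build time by the publisher; only the sealed blob is shipped.
    enc, mac = derive_keys(user, code)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, len(plaintext))))
    return hmac.new(mac, ct, hashlib.sha256).digest() + ct

def open_sealed(user, code, blob):
    enc, mac = derive_keys(user, code)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None                  # skipping this test would only yield garbage bytes
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, len(ct))))

def flag_gate(entered, expected, chapter, branch_removed=False):
    # Models the design in the listing: plaintext content guarded by one flag (BL).
    ok = branch_removed or hmac.compare_digest(entered.encode(), expected.encode())
    return chapter if ok else None

if __name__ == "__main__":
    blob = seal("alice", "CONSTRUCTED-CODE", CHAPTER)
    print(flag_gate("guess", "CONSTRUCTED-CODE", CHAPTER, branch_removed=True))
    print(open_sealed("alice", "guess", blob))
    print(open_sealed("alice", "CONSTRUCTED-CODE", blob))
```

The sketch seals the chapter per license for brevity; a shipped product would more likely encrypt the content once and wrap that content key per license.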